Microsoft first released a public beta of its Security Essentials antivirus suite back in June and it was met with mostly positive reviews. Today Microsoft has released the final version of Security Essentials and anyone running Windows XP, Windows Vista, or Windows 7 can download it for free.
Microsoft Security Essentials offers basic antivirus, spyware, and malware protection. It also offers real-time protection and regularly updated malware signature files via Microsoft’s Dynamic Signature Service.
Since Microsoft Security Essentials provides the bare minimum protections for a Windows-based machine, other niceties such as a firewall and multi-PC management are not available. This should appease Microsoft’s competitors in the anti-malware software segment.
Microsoft Security Essentials replaces the OneCare offering and the free Defender installation standard on Vista installations. It will provide you with malware detection and removal ONLY. So do not rely on this as your one-stop shop for security. It does not have the features and functionality that many of the AV vendors provide in their products. Think of this as AV as it used to be in 2000 or so. Detection rates seem to be quite good according to testers’ reports.
Those who wish to try out the software can download it directly from the Microsoft Security Essentials website. The download requires that your PC pass Windows Genuine Advantage checks, so only legit Windows users will have access to the software.
Shortly after the release of Microsoft Security Essentials, Websense Security Labs reported that search engine results related to Microsoft’s Security Essentials were returning links to Web sites that serve rogue AV.
Malware authors have used Search Engine Optimization (SEO) techniques to mix rogue search results in with legitimate results. For example, one of the rogue links is directly under an MSDN blog entry discussing Microsoft Security Essentials. The rogue redirects are hosted on compromised Web sites, including a Canadian publisher’s Web site and the British Travel Health Association.
When a user browses to the compromised Web sites, so long as they have been referred by a search engine, they are redirected to malicious Web sites with domain names such as computer-scanner21 and computervirusscanner31.
An example of one of the payload files shows that AV detection is low. One such file is named Soft_71.exe. If the user downloads the application, a file with extension .tif is downloaded into the “program files\TS” directory as TSC.exe and system.dat (the .tif file is decrypted/decompressed and split). The payload then executes “tsc.exe -dltest”, which apparently connects to a NASA Web site to check internet connectivity. Finally, “tsc.exe” is executed with no parameters, and the rogue AV starts. (In the background the original file is deleted.)
According to Websense, it appears that the malware authors set up a trial run of SEO poisoning techniques before converting the redirects to deliver rogue applications today.
[Screenshots not reproduced here: Google search results; rogue AV Web site; download prompt]
Credit: DailyTech.com, SANS ISC, Websense Security Labs
Some of the web’s bigger websites were flooded with a torrent of malicious banner ads after cyber crooks managed to sneak them onto syndication services operated by Google, Yahoo, and a third company, according to a security firm.
The ads - which attacked previously-patched vulnerabilities in Adobe’s PDF Reader and Microsoft’s DirectShow - started appearing on sites such as the DrudgeReport, horoscope.com and lyrics.com last Friday, according to ScanSafe researcher Mary Landesman. They were delivered over networks belonging to Google’s DoubleClick; Right Media’s Yield Manager (owned by Yahoo); and Fastclick, owned by an outfit called ValueClick.
End users visiting sites that used the ad syndication services often saw nothing more than a brief flash as the malware-laced ads caused their browsers to open - and then close - a booby-trapped PDF file. But behind the scenes, the payload installed Win32/Alureon, a trojan that drops a backdoor on infected machines.
The malicious ads, which also appeared on slacker.com, ended on Monday, when the website used by the malware purveyors abruptly vanished. During their three-day stint, the attacks accounted for 11 percent of pages blocked by ScanSafe, a service used by businesses to prevent employees from visiting malicious sites.
The report, issued Wednesday, came the same day a Google executive called on internet service providers, website operators, and others to do more to combat malicious ads. Over the past few years, so-called malvertisements - which employ social-engineering and exploit code targeting vulnerabilities in operating systems and applications - have become an increasingly common way of spreading malware to the masses.
Of course, none of this would be possible without the help of the ad syndication services, which provide the software and services webmasters use to display ads to hundreds of millions of end users. DoubleClick, Right Media, and other networks have repeatedly been found to distribute malware-laced banner ads on some of the net’s most popular sites.
A spokesman for Google said the content of ads is up to the websites that use the service.
“With DoubleClick ad management, publishers are in control of what content they are serving and are therefore ultimately responsible for determining what advertising appears on their site,” a Google spokesman, who asked that his name not be included in this article, wrote in an email. “The publisher sells the space to the advertiser and must approve the content that goes on the site before it is introduced into DoubleClick’s servers.”
No doubt, The DrudgeReport, horoscope.com, lyrics.com, and slacker.com should be called to account for the attacks on their users. So far, none of those websites has responded to requests for comment, and neither have representatives for Yahoo or ValueClick. That doesn’t inspire confidence that any of those companies are doing nearly enough to protect their visitors from a growing threat.
Credit: The Register
A researcher has unearthed fresh evidence of cyber criminals’ growing attraction to Apple’s OS X platform with the discovery of a now-disbanded group that offered 43 cents for every infected Mac.
Mac-codec.com was just one of hundreds of well-organized affiliate networks that pay a small bounty each time their malware is installed on an unsuspecting end user’s computer. What makes this one stand apart is its dedication to the Mac platform.
The site advertised various promotional materials for Mac-based “video players” and offered “webmasters” the fee in exchange for each installation on Macs that visited their exploit sites. The 43-cent fee is slightly lower than the 50 cents to 55 cents the codec-partnerka pay for infections of Windows-based machines.
The outfit was holding out the offer in January and February of this year, but has since closed its doors, said Samosseiko, who is manager of Sophoslabs in Canada, a research arm of anti-virus firm Sophos. He presented his findings as part of a larger discussion about codec-partnerka presented at this week’s Virus Bulletin conference in Geneva. The groups’ malware typically masquerades as legitimate video codecs or anti-virus software.
“I suspect that it wasn’t as profitable to target the Mac platform at that point,” he explained. Mac-codec.com “probably closed because it wasn’t commercially viable for them to conduct business.” “I suspect there are others targeting other Mac users,” he said.
Infiltrating the highly secretive networks is by no means an easy task. Most of them are based in Russia or elsewhere in Eastern Europe, and interlopers must first gain the trust of other members. Although Mac-codec.com is no longer active, Samosseiko doesn’t believe that’s the end of the bounty program for infected OS X systems.
Credit: The Register
A Pakistan-based carder site has dropped off the net, after white hat hackers broke into the forum and posted details of the hack on a full disclosure mailing list.
Pakbugs.com provided a forum for ne’er-do-wells to discuss hacking tactics and trade malware, bank login details and stolen credit card credentials. However, this activity was interrupted after login details for the forum and email addresses were posted online following a break-in.
A previously unknown group called War Against Cyber Crime claimed credit for the hack. The group expressed the hope that law enforcement agents will begin an investigation against individuals named on the leaked list.
Meanwhile, the Pakbugs.com site remains unavailable. Net security firm F-Secure, which was among the first to record the takedown hack, said it reckons the forum is unlikely to reappear.
Credit: The Register
Eastern European hackers are offering to crack into any Facebook, Myspace and ICQ account for a fee of $100, payable online through Western Union, though circumstantial evidence suggests that the scheme might just as easily be geared towards ripping-off potential clients while delivering nothing.
The Facebook hacking service, offered by Ukrainian hackers via a domain registered in Moscow, offers to provide clients with the login and password credentials of any account. Potential clients are offered a money-back promise in cases where a targeted profile (which might belong to celebrities, politicians, or well-known companies as well as ordinary users) proves unhackable.
Hackers claim they’ve been offering the service for four years, during which time they’ve enjoyed a 99 per cent success rate. However, the domain via which the service is offered is only a few days old, raising doubts about the authenticity of the service.
“The system’s real purpose may be hacking Facebook accounts as they say, or profiting from those that want to try the service,” said Luis Corrons, Technical Director of PandaLabs. “In any case, the Web page is very well designed. It is easy to contract the service and become, either the victim of an online fraud, or a cyber-criminal and accomplice in identity theft.”
Corrons, who explored the service without handing over a fee to the cybercrooks behind it, concludes that it’s very probably a scam. “This is all about taking the money from users. And at the end, as the user wanted to hack an account, he won’t call the police,” he concludes.
Compromised social networking profiles in general might be used to distribute spam or malware or as stepping stones towards attacks on a mark’s webmail or online banking accounts.
Credit: The Register
Credit: PandaLabs
Some sections of the popular PBS.org Web site have been hijacked by hackers serving up a cocktail of dangerous exploits, according to researchers at Purewire. Attempts to access certain PBS Web site pages yielded JavaScript that serves exploits from a malicious domain via an iframe.
The malicious JavaScript was found on the “Curious George” page that provides content on the popular animation series. A look at the code on the hijacked site shows malicious activity coming from a third-party qxfcuc.info domain.
The domain qxfcuc.info is part of a malware campaign that includes tens of similar websites hosted off of a handful of common IP addresses. Similar exploit code was served from most of these domains, although a handful (e.g., yyoqny.info) display a message that suggests the criminal behind this campaign is compromising systems to build a botnet he will likely later lease. Translated from Russian, that message tells prospective leasers to “Send a message to ICQ #559156803; stats available under ststst02.”
The URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015).
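The PBS compromise above is the textbook shape of an injected exploit loader: a script or iframe, often sized or styled to be invisible, pulling content from a domain the site does not own. The following Python scanner is an added example for this digest, not code from Purewire or PBS. It parses a page's HTML, flags every iframe or script load whose host is outside the site's own domains, and notes whether the element looks hidden. The sample page is constructed; only the third-party domain qxfcuc.info is taken from the report above, and the path on it is made up.

```python
"""Static scan for injected off-site iframe/script loads (added example).

Flags <iframe> and <script src> elements whose host is not the site's own
domain (or a subdomain of it) and marks those sized or styled to be invisible.
The sample page below is constructed; only the domain qxfcuc.info comes from
the Purewire write-up. The "hidden" flag is a heuristic, not proof of intent.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse


@dataclass
class Finding:
    tag: str      # "iframe" or "script"
    src: str      # the off-site URL being loaded
    hidden: bool  # True when the element is sized/styled to be invisible


class OffSiteScanner(HTMLParser):
    """Collects iframe/script loads from hosts outside the allowlist."""

    def __init__(self, allowed_hosts: List[str]):
        super().__init__()
        self.allowed = [h.lower().lstrip(".") for h in allowed_hosts]
        self.findings: List[Finding] = []

    def _allowed(self, host: str) -> bool:
        host = host.lower()
        return any(host == h or host.endswith("." + h) for h in self.allowed)

    @staticmethod
    def _looks_hidden(attrs: Dict[str, str]) -> bool:
        # Zero or one-pixel frames and display:none/visibility:hidden styles are
        # the usual ways an injected loader is kept out of sight.
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = {"0", "0px", "1", "1px"}
        return (
            attrs.get("width", "").strip() in tiny
            or attrs.get("height", "").strip() in tiny
            or "display:none" in style
            or "visibility:hidden" in style
        )

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname or ""
        if not host:
            return  # inline script or same-origin relative path: not an off-site load
        if not self._allowed(host):
            self.findings.append(Finding(tag, a["src"], self._looks_hidden(a)))


def scan(html: str, allowed_hosts: List[str]) -> List[Finding]:
    """Return every off-site iframe/script load found in `html`."""
    parser = OffSiteScanner(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: an ordinary page with one injected hidden loader appended.
SAMPLE_PAGE = """<html><body>
<script src="/js/site.js"></script>
<script src="http://www.pbs.org/js/menu.js"></script>
<h1>Curious George</h1>
<iframe src="http://qxfcuc.info/in.cgi" width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_PAGE, ["pbs.org"]):
        print(finding)  # Finding(tag='iframe', src='http://qxfcuc.info/in.cgi', hidden=True)
```

Run against a site's own templates or a crawl of its pages, the allowlist should hold every domain the site legitimately loads from (CDNs, analytics, ad networks); anything left over is a candidate for the kind of injection described above, and a hidden off-site iframe in particular deserves a look at the page's change history.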
PBS.org has already removed the malicious JavaScript from its site.
Credit: ZDnet.com Security Blogs
An alleged copy of the UK postcode list has turned up on WikiLeaks, which claims to be hosting a database containing 1,841,177 Blighty postcodes “together with latitude and longitude, grid references, country, district, ward, NHS codes and regions, Ordnance Survey reference, and date of introduction”.
The list is a 241MB plain text file that runs to more than 100,000 pages and was last updated on 8 July. WikiLeaks has zipped the database up to 20MB and made it available for download via the site as well as providing a fast BitTorrent version of the file that can be grabbed over at The Pirate Bay.
According to the Guardian the Royal Mail made about £1.6m from licensing the Postcode Address File (PAF) database in 2007. This leak online isn’t that significant, however, given that it doesn’t contain the names and/or addresses of houses in each postcode that the PAF holds.
On the other hand, online availability of the PAF could prove a big blow to the Royal Mail, which has repeatedly ignored requests from freedom of information campaigners to publish the postcode database free of charge.
Campaigners have long argued that the PAF should be freely available to help businesses create services around the taxpayer-funded data, and while this leak might get a few wannabe-web entrepreneurs mildly excited, the real juicy postcode stuff remains locked behind closed doors - for now.
Royal Mail statement should be available soon.
Credit: The Register
White-hat hackers have released reliable code that remotely exploits a critical vulnerability in Microsoft’s Windows Vista operating system.
The exploit code, released Wednesday by security firm Immunity, came as separate researchers with the Metasploit penetration testing project said they were close to releasing their own software targeting the network file-sharing technology known as SMB2, or Server Message Block version 2. It was first added to Vista and has since been put into other operating systems.
The progress of ethical researchers in exploiting the bug is important because it’s an indication of how other, less scrupulous hackers are likely faring. It shows that the bug, which affects newer operating systems built under a program designed to prevent such security flaws, is far from being a mere theoretical risk to the millions of people who use the products. Rather, it means attackers can use the internet to take over vulnerable machines located halfway around the globe.
“This is the kind of vulnerability that hits everybody who is sharing files with other users,” Dave Aitel, CTO of Immunity, told El Reg. “It affects the most secure operating system Microsoft has put out other than Windows 7.”
The vulnerability, which is the result of SMB2’s failure to adequately parse network negotiation requests, affects all versions of Vista, versions of Server 2008 other than R2 and the release candidate (but not the release to manufacturing) version of Windows 7. Microsoft has said it plans to release updates patching the vulnerability as soon as they’re ready.
Members of the Metasploit project, which produces an open-source program that tests networks for a comprehensive list of vulnerabilities, indicated they are close to releasing exploits of their own. Team member Stephen Fewer has identified the exploit identification pointer needed to remotely exploit the vulnerability in the Service Pack 1 version of Windows. Once an exploit is released, they expect it to work on other vulnerable platforms as well.
Beginning with Vista, Microsoft introduced a variety of countermeasures designed to make it harder for hackers to exploit bugs that inevitably escape notice during development. Address space layout randomization and data execution prevention are just two of them. While they clearly make exploitation harder, Wednesday’s release by Immunity shows they are by no means foolproof.
Credit: The Register
Hackers have programmed a Trojan that uses Google Groups newsgroups to distribute commands. Trojan distribution via newsgroups has existed for more than a decade, but using newsgroups as a command and control channel is new.
The Grups Trojan itself is quite simple and is only noteworthy for the command and control structure it deploys. The malware is programmed to log into a Chinese-language newsgroup to receive commands, Symantec security researcher Gavin O’Gorman writes.
When successfully logged in, the Trojan requests a page from a private newsgroup, escape2sun. The page contains commands for the Trojan to carry out. The command consists of an index number, a command line to execute, and optionally, a file to download. Responses are uploaded as posts to the newsgroup using the index number as a subject.
The post and page contents are encrypted using the RC4 stream cipher and then base64 encoded. The attacker can thus issue confidential commands and read responses. If no command is received from the static page, the infected host uploads the current time.
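The two paragraphs above fully describe the channel's wire format (RC4, then base64; index number, command line, optional file; replies posted under the index as subject; the current time posted when no command is pending), which is enough for an analyst to decode captured posts. The Python below is an added example written for this digest, not Symantec's tooling or the Trojan's code. Everything the write-up does not give is constructed: the RC4 key, the field delimiter (assumed to be “|”), and the sample posts.

```python
"""Analyst-side decoder for a Grups-style newsgroup command channel (added example).

Per the write-up: command pages and reply posts are RC4-encrypted and then
base64-encoded; a command carries an index number, a command line and
optionally a file to download; replies are posted with the index as subject;
an empty command page makes the bot upload the current time instead.
The key, the '|' delimiter and the sample posts below are constructed for this
example and are not values recovered from the malware.
"""
import base64
from dataclasses import dataclass
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream generation).
    Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


@dataclass
class Command:
    index: int                   # the bot reuses this as the subject of its reply post
    command_line: str            # the command line the bot is told to run
    download_url: Optional[str]  # None when the page names no file to fetch


def decode_post(key: bytes, body: str) -> str:
    """Undo the layering the write-up describes: base64 outside, RC4 inside."""
    return rc4(key, base64.b64decode(body)).decode("utf-8")


def parse_command(plaintext: str) -> Optional[Command]:
    """Split a decoded command page into its fields (delimiter '|' is assumed).

    An empty page means "no command pending": the write-up says the bot then
    uploads the current time, so None is returned and the caller knows not to
    expect a command result in the next reply post.
    """
    if not plaintext.strip():
        return None
    fields = plaintext.split("|", 2)
    if len(fields) < 2 or not fields[0].isdigit():
        raise ValueError(f"malformed command page: {plaintext!r}")
    download = fields[2] if len(fields) == 3 and fields[2] else None
    return Command(int(fields[0]), fields[1], download)


def is_reply_post(subject: str) -> bool:
    """Reply posts carry the command index as their subject, so a purely numeric
    subject is the cheap first filter when counting bot responses in the group."""
    return subject.strip().isdigit()


# Constructed samples, encoded with the same (made-up) key so the decoder runs offline.
KEY = b"example-key-not-from-the-malware"
SAMPLE_PAGE = base64.b64encode(
    rc4(KEY, b"7|cmd /c dir|http://example.invalid/update.bin")).decode()
EMPTY_PAGE = base64.b64encode(rc4(KEY, b"")).decode()

if __name__ == "__main__":
    print(parse_command(decode_post(KEY, SAMPLE_PAGE)))
    # Command(index=7, command_line='cmd /c dir', download_url='http://example.invalid/update.bin')
    print(parse_command(decode_post(KEY, EMPTY_PAGE)))  # None -> bot would post the time
    print(is_reply_post("7"), is_reply_post("Re: update"))  # True False
```

With the real key recovered from a sample, the same decoder lets the post volume and subjects in the group be turned into the timeline the next paragraph describes: numeric-subject posts count infections reporting in, and decoded command pages show what the operator was after.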
Miscreants need to maintain communications with backdoor Trojans to order them to distribute spam, launch denial of service attacks or upload compromised data, for example. Traditionally IRC channels have been used to carry out this function. More recently black hats have experimented with different control channels such as Google Groups, as in the latest incident, and a few weeks ago, Twitter.
Using Google Groups has advantages in anonymity but leaves a record of Trojan activity for security researchers to analyze. For example, the growth of the Trojan can be tracked by the volume of posts. The information targeted can also be discerned.
Examining the Trojan itself provides more clues. Several debug strings in the Trojan code provide evidence that the malware may be a prototype, testing the use of newsgroups for botnet/Trojan command and control. Commands issued through the newsgroup refer to actions involving .tw (Taiwanese) domains. This, along with the simplified Chinese language of the newsgroup in question, provides evidence that the malware was cooked up in either Taiwan or mainland China.
Only a small number of samples of the Grups Trojan have appeared in the wild, leading to Symantec’s classification of the malware as a low-risk threat.
Credit: The Register
The New York Times was co-opted into pushing fake anti-virus malvertisements after hackers broke into its banner ad feed over the weekend. Surfers visiting the site were confronted by a malicious pop-up window that falsely warned that their systems were infected. The ruse was designed to scare people into buying a clean-up utility of little or no value.
The NYT issued a warning on the front page of the website and via its Twitter feed on Sunday. The paper explained that the pop-ups were the result of an “unauthorized advertisement”:
Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser. Questions and comments can be sent to webeditor@nytimes.com.
Trend reports that the scareware involved in the attack was served up by German ISP Hetzner AG. Similar attacks have hit media outlets including The Daily Mail and ITV in recent months. Sophos reckons that the prime responsibility for defending against the attack lies with ad-serving networks rather than media outlets.
Credit: The Register