CyberInsecure.com

Archive for the ‘Malware’ Category

Two Firefox add-ons available for months on Mozilla’s website infected users with malware that stole passwords and opened a backdoor on Windows machines, the open-source browser maker has confirmed.

The add-ons, available on an experimental section of Mozilla’s official add-on download site carried trojans that have been detected since 2008 by commercial anti-virus products. And yet they weren’t removed until late January and earlier this week because a scanning tool used to vet add-ons during upload failed to catch the malicious files.

“If a user installs one of these infected add-ons, the trojan would be executed when Firefox starts and the host computer would be infected by the trojan,” a note on Mozilla’s add-on blog stated. “Uninstalling these add-ons does not remove the trojan from a user’s system.”

Instead, infected users will need to thoroughly scan their machines with an anti-virus program. Or better yet, use multiple scanners, or simply reinstall the operating system to be on the safe side.

This isn’t the first time Mozilla has served malware-laced add-ons to its loyal base of users. In May 2008, a Vietnamese language pack for Firefox 2 contained a viral infection that resulted in users seeing unwanted ads. The add-on was downloaded almost 17,000 times before it was pulled.

In the most recent case, version 4 of the Sothink Web Video Downloader add-on installed a password sniffer dubbed Win32.LdPinch.gen and was downloaded about 4,000 times between February 2008 and May 2008. A separate add-on called Master Filer was laced with a backdoor trojan known as Win32.Bifrose that was downloaded 600 times between September 2009 and January of this year.

Mozilla removed Master Filer on January 25 and nixed Sothink on Tuesday.

The blog post said Mozilla added two new scanners to its validation chain. It was this change that allowed the organization to detect version 4 of the Sothink Web Video Downloader.

Versions greater the 4.0 of the video downloader add-on were not infected, Mozilla’s blog post stated. Both infections affected only Windows users of the open-source browser.

Credit: The Register

The Central Intelligence Agency, PayPal, and hundreds of other organizations are under an unexplained assault that’s bombarding their websites with millions of compute-intensive requests.

The “massive” flood of requests is made over the websites’ SSL, or secure-sockets layer, port, causing them to consume more resources than normal connections, according to researchers at Shadowserver Foundation, a volunteer security collective. The torrent started about a week ago and appears to be caused by recent changes made to a botnet known as Pushdo.

“What do I mean by massive? I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses,” Shadowserver’ Steven Adair wrote. “This might be a big deal if you’re used to only getting a few hundred or thousands of hits a day or you don’t have unlimited bandwidth.”

It’s not clear why Pushdo has unleashed the torrent. Infected PCs appear to initiate the SSL connections, along with a bit of junk, disconnect and then repeat the cycle. They don’t request any resources from the website or do anything else.

“We find it hard to believe this much activity would be used to make the bots blend in with normal traffic, but at the same time it doesn’t quite look like a DDoS either,” Adair wrote.

Security mavens aren’t sure what targeted sites can do to thwart the attacks. Changing IP addresses may provide a temporary reprieve.

Shadowserver has identified 315 websites that are the recipients of the SSL assault. In addition to cia.gov and paypal.com, other sites include yahoo.com, americanexpress.com, and sans.org. Here is the full list of attacked addresses:
(more…)

Initially perhaps conceived as a prank targeting a small community of bikers in central Slovakian region, the worm Win32/Zimuse.A and Win32/Zimuse.B has achieved worldwide notoriety. It is a type of threat that overwrites MBR (Master Boot Record) of all available drives with its own data, making the data stored on the user’s computer inaccessible. Moreover, the restoration of the corrupted data is complicated, requiring specialized software or a provider.

Since the worm’s inception, ESET has detected it on hundreds of computers of its users. Initially after the outbreak, only users in Slovakia were affected – accounting for over 90% of all infections. Presently, the greatest number of infected computers is in the United States, followed by Slovakia, Thailand and Spain, followed with Italy, Czech Republic and other European countries.

The worm uses two ways to spread – either via embedding in legitimate websites, in the form of a self-unpacking ZIP file or as an IQ test program, or via Exchangeable media, such as USB devices. The fact that it relies on USB devices to propagate is responsible for its rapid dissemination, which is likely to increase even further.

To date, the worm’s two variants - Win32/Zimuse.A and Win32/Zimuse.B differ in the method of spread and the timing of activation. While the A-variant needs 10 days to start spreading via USB devices, its B-variant needs only 7 days since infiltration. Moreover, the time needed for the execution of the destructive routine is shortened in the B-variant from the original 40 days to 20.

Moreover, if the right removal method is not used, the worm shifts to its destructive mode. This is similar to making the right choice on which wire to cut, and in what sequence in a bomb-defusing operation.

There is a widely held suspicion that the worm was intended to infect the computers of fans of a motorcycle club in the central Slovakian Liptov region, however, it has spread beyond this target group once it started attacking company networks. What’s more, the infiltration was reminiscent of the well-known OneHalf threat in the worm’s behavior, the country of origin (both originating in Slovakia), and the inflicted damage – causing the total paralysis of the system it attacks.

The infiltration does not posses a degree of sophistication that would encrypt the data on the disk, instead it was designed to corrupt the MBR (Master Boot Record) of physical disk drives. It emulates the old-time threats in that it is timed to go off – in this case in 40 days since the infiltration.

Credit: ESET.eu

Domestic appliance manufacturer Whirlpool has come under fire for failing to clean up a malware infection on one of its sites, months after it was notified of a problem by UK anti-virus firm Sophos.

Sophos tried for months to clean-up its Kitchenaid.com website, without success, before going public on the problem on Friday. The kitchen utensil selling site remains infected with the Badsrc-C (AKA Asprox) strain of malware five months after a Sophos customer reported a problem, which the security firm forwarded to the white goods firm.

The malicious script points towards nowhere at present, so there isn’t an immediate risk. The problem is that this may change at any time, hence the need for remedial action that Whirlpool seems reluctant to take.

“I and several of my colleagues have been trying to talk to contacts at KitchenAid and Whirlpool to inform them of the issue and offer assistance. We have consistently hit brick walls,” reports senior Sophos threat analyst Paul Baccas.

Whirlpool’s lack of action is symptomatic of a wider problem. Reports of malware problems on websites are hard even for security firms to send to the right person, are often disregarded and sometimes met with indignation, Baccas writes.

The Asprox strain of malware still lingering on Kitchenaid.com’s website has been linked to phishing spam. SQL injection attacks on vulnerable website have been a preferred method for spreading malware.

Credit: The Register

After taking a long hiatus, trojan dialers that can rack up thousands of dollars in charges are back by popular demand.

According to researchers at CA Security’s malware analysis lab, a new wave of malicious dialers is hitting users of mobile phones. The trojans are built on the Java 2 Micro Edition programming language and cause infected handsets to send SMS messages to high-cost numbers, at great expense to the victim.

“As soon as the application is loaded, this malicious software starts to send premium text messages,” CA warned on Tuesday. “The messages sent out are in the typical format to invoke premium services and land the mobile user with heavy mobile bills without the user’s knowledge and consent.”

Malware that automatically dials pricey premium numbers was all the rage a decade ago, when dial-up internet services required computers to connect to a phone line. With the growth of broadband connections the frequency of dialers waned.

When malware application, which is a JAD file, is loaded on the mobile device, a typical user interface screen is displayed:

The JAD application however is packaged with a data file (load.bin) that has a list of high-cost destination numbers. The malicious application uses this bin file to form the text messages with the desired premium destination. As soon as the application is loaded, this malicious software starts to send premium text messages.

The explosion of smart phone that can run software made by anyone has given malicious dialers a new lease on life. And as was the case in the days of yore, they mostly tap into porn services.

Credit: The Register, CA Security

Websense Security Labs has detected that search results on office.microsoft.com can lead users to a Rogue AV page.

Users looking for information related to help with Office products on Microsoft’s own site are being targeted. Users may be unaware that, when they type in search queries on the site, Microsoft scours its own Web site for results, but also pulls in results from the broader Web. As the URL for the search results begins with http://office.microsoft.com, this is particularly troubling for users who trust sites simply because of their reputation.

The malicious URL is a redirect to a very real-looking virus scan and warning page presented by a Rogue AV program (SHA1: 6489c54e30af18801a9e83a5855fa639f3bae0b8). The executable used in the exploit is currently recognized by 1 of the 41 AV engines on Virus Total.

Credit: Websense Security Labs

Cybercrooks managed to transfer over three million dollars out of the bank accounts of the Duanesburg Central School District over the course of three days in December. The bank managed to recover $2,5 million of the stolen funds, but $500,000 are still missing.

Duanesburg is a town in Schenectady County, New York, with a population of under 6,000. The Duanesburg Central School District serves around 1,000 students and has an annual budget of under $15 million.

District officials learned of the fraudulent transfers when a NBT Bank employee called them on Dec. 22 to confirm several pending overseas transfers totaling $759,000. After stopping the unauthorized transactions, the bank also notified the district that an additional $1,190,400 was transferred out of its accounts on the previous day and another $1,862,400 on December 18.

The district contacted the FBI and the New York State Police, who immediately opened an investigation into the incident. Meanwhile, the bank got in touch with overseas financial institutions and was able to recover $2.5 million of the illegally transferred money.

“Thanks to NBT Bank’s aggressive pursuit of the stolen funds, we are fortunate that the vast majority of the money has been recovered. However, $497,200 of Duanesburg taxpayers’ money is still missing, and we are committed to doing everything in our power to recover the remaining funds,” the district officials wrote in a letter to parents and community members.

The circumstances that led to the compromise of the bank account are yet to be determined, but chances are that it started with a malware infection, like in many similar cases reported last year. However, there are certain aspects of this incident that suggest the fraudsters are not very skilled in such hits.

For starters, the money was transferred in high amounts. In previous cases, the attackers kept transfers under $10,000 to avoid automated systems flagging them. Furthermore, the money was transferred directly to overseas accounts, which made it possible for the bank to recall it. Skilled fraudsters transfer the stolen money to the accounts of local individuals known as “money mules,” who then withdraw and wire it outside of the country. Wire transfers cannot be reversed.

As a precaution, the district closed all of its accounts and opened new ones with restrictions for online access. It is not clear what these restrictions are, but the FBI and the American Bankers Association recently recommended that online banking be made from dedicated computers.

Credit: Softpedia News

Hackers on Thursday exploited a vulnerability on Ain’t It Cool News (http://aintitcool.com) that redirected anyone visiting the movie review site to a server containing a malicious Adobe Reader file.

The attack targeted a vulnerable PHP script on one of AICN’s servers that automatically appended the malicious link to banner ads served on the site, its publisher, Roland De Noie, said. As a result, anyone visiting the site over a 90-minute period on Thursday morning was silently redirected to speedconnection.cn which served a malicious file named annonce.pdf.

The booby-trapped PDF, according an analysis by researchers at Praetorian Prefect, exploited two vulnerabilities in Adobe Reader that the company has already fixed. When the file is opened by unpatched versions of Reader, it launches malicious shell code that hijacks the machine. Only 12 of the 41 major anti-virus programs currently detect the trojan, according to VirusTotal analysis.

In September, Mozilla found that more than half of Firefox users used insecure versions of Adobe Flash. It wouldn’t be surprising to find a similarly large proportion of the population using out-of-date versions of Reader, too.

“The point of weakness was actually our own ad server,” De Noie said. The unknown attackers “had cracked through a PHP server flaw and appended this link to all the ads.”

AICN has yet to warn its users that they may have been attacked. De Noie said his staff was still collecting information. The attack came as a shock to some AICN readers, many who consider themselves enthusiasts of science-fiction, fantasy and horror films.

Credit: The Register

Scareware slingers have begun hiding links to rogue anti-virus sites behind Google Doodle. The development leaves surfers who click on Google’s picture of the day at risk of being exposed to sites that run fake security scans, before strong-arming users into buying worthless software in order to clean-up non-existent security risks

Scammers have been manipulating the search engine ranking of terms in the news to promote scamware portals for months. In the latest twist to this wheeze, fraudsters poisoned the sites offered up to surfers who clicked on Google’s front-page Doodle sketch, dedicated to the 150th anniversary of birth of the creator of the Esperanto language, L. L. Zamenhof, on Tuesday.

The latest variant to previous black hat search engine optimisation techniques resulted in links to hacked pages on legitimate websites, including a hair Salon in New Jersey and a science fiction site. Users visiting these sites via Google (and only via Google) are redirected towards scareware scam portals.

Tainted results appeared among the top five to 10 search results for people who clicked on the Google doodle link on Tuesday, according to security researchers at Barracuda Networks. “Poisoning as a trend is nothing new, but in this particular case, it’s a search where you actually click on Google’s logo and you get results back from sites where half of the links have been compromised,” Dave Michmerhuizen, said a research scientist at Barracuda Networks.

Google, which stated other search engines are also targeted by black hat search engine optimisation techniques, said most of the tainted links were quickly removed from its index. Google uses a combination of continuously-refined automated and manual processes to clean-up its index, a spokesman for the search engine giant added.

Google and security researchers are in a continuous battle against distributors of rogue anti-virus scanners, one of the most prevalent information security threats contaminating the internet at present. FBI estimates out this week suggest that the scareware market brought in $150m in illicit income over an unspecified period.

Credit: The Register

Malware purveyors are exploiting web vulnerabilities in appleinsider.com, lawyer.com, news.com.au and a dozen other sites to foist rogue anti-virus on unsuspecting netizens.

The ongoing attacks are notable because they use exploits based on XSS, or cross-site scripting, to hide malware links inside the URLs of trusted sites. That’s something application security expert Mike Geide doesn’t see often. As a result, people who expect to visit sites they know and trust are connected to a page that tries to trick them into thinking their computer is infected.

“What’s interesting … is the fact that it’s embedding iframes to redirect people,” said Geide, who is a senior security researcher at Zscaler. “Typically, cross-site scripting is just that - it embeds script tags so it will embed javascript to run.”

The malicious links are blasted out on web forums and typically look something like:

hxxp://lawyers.com/find_a_lawyer/content_search/results.php?sCHRISTINA%AGUILERA%20ANOREXIC%20PICS%3C%2F%74%69%74%6C%65%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%2F%2F%61%73%6B%35%2E%65%75%3E

The last chunk of test is hexadecimal-encoded HTML that redirects users to ask5.eu (do not visit). A series of redirect links ultimately leads to a site that looks similar to a Microsoft Windows screen with a popup claiming the PC is overrun with malware. The user is prompted to download rogue anti-virus to fix the imaginary problem.

While it’s not the most convincing attack we’ve ever seen, there’s nothing to stop attackers from using the same technique to push web-based exploits, say the Adobe Reader zero-day attack that’s now circulating in the wild.

The links work because appleinsider.com and the rest of the sites being abused fail to filter out harmful characters used in XSS attacks. Here are a few examples with some of the malicious XSS advertisements (do not follow these or other “hxxp” URLs below):

Credit: The Register, Zscaler.com