CyberInsecure.com

Archive for the ‘Spam’ Category

The name of the popular file analysis service VirusTotal is being abused by cyber-crooks to infect users with scareware. A recent forum spam campaign tries to trick people into visiting a malicious website hosted at virus-total.in.

VirusTotal.com has been well known as free virus and malware online scan service which allows submitters to test a particular file against a multitude of malware scanners. So, it’s not highly surprising that malware authors would try to use that name to further their gain.

Security researchers from Sophos reported a spam run promoting the rogue virus-total domain, as a private message on a forum. The message employs scare tactics in order to frighten users into visiting the scareware-pushing website.

The message looks like this:

Subject: Warning!

DO NOT REPLY TO THIS EMAIL!
***************************

Dear [Redacted forum user name],

You have received a new private message at [Redacted] Forum from [Redacted], entitled “Warning!”.

To read the original version, respond to, or delete this message, you must log in here:
http://[Redacted]

This is the message that was sent:
***************
Dear, [Redacted forum user names]

There are viruses’ activities from your computer! Highly recommend you to scan your computer for malicious and potentially unwanted software. If you do not follow this, I will have to make a complaint to your Internet Service Provider with attached log file (your IP address, etc.). If you want to find a report about your computer’s security and solve every problem with it, please click here: http://www.virus-total.[TLD removed]/detected/[Redacted] This is an online service that you can use for free spyware removal. Use it to scan your computer to help protect, clean, and keep your computer running at its best. Use the free scan to check for and remove viruses, spyware, and other potentially malicious software and to find vulnerabilities or shortcomings in your Internet security.

Thank you. Yours truly, [Redacted].
***************

This attack clearly targets VirusTotal.com, a popular free service which allows users to scan suspicious files with over 40 antivirus engines and other tools. Julio Canto, VirusTotal’s project manager, issued an alert about the rogue virus-total.in website via Twitter.

The site displays bogus security warnings and fake antivirus scans to unsuspecting visitors, tricking them into installing a scareware program called SecurityTool. Rogue security programs such as these are commonly used by cyber-criminals to charge money for useless licenses and steal credit card details.

The above popup would follow by the loading of a fake scanning page inside the browser:

One of the interesting parts of this fake page is that the “Windows Security Alert” pop-up is actually a time-delayed object inside the page. Even though the box looks like a window box from Windows XP, it is not moveable at all.

When the fake scanning completes, another pop-up will be generated asking the user to download a file called security_tool_setup.exe. Needless to say, this file is malicious and is yet another one of the Fake Antiviruses.  This executable has already been proactively detected by Sophos as Mal/FakeVirPk-A.

“An unfortunate side effect of a scam like this is that the real VirusTotal could start to receive emails from irate victims of the fake site claiming they’ve ‘infected my PC’ – fingers crossed it doesn’t get to that stage. Remember: the REAL domain for VirusTotal is Virustotal.com. Don’t fall for this scam!” Sunbelt’s Chris Boyd advises.

Another unusual aspect of this attack is the threat of filing a complaint with a user’s ISP about the virus activity alleged in the spam message. This statement comes at a time when ISPs have announced initiatives to identify compromised computers on their networks and take proactive measures to clean them.

Credit: Softpedia.com News, SophosLabs Blog

Researchers from Atlanta-based security vendor SecureWorks have discovered a new information-stealing trojan facilitating ACH and wire fraud. The trojan has all the capabilities of malware commonly used to steal money from SMBs and non-profits.

An unprecedented wave of Automated Clearing House (ACH) and wire fraud started in 2009, resulting in small and medium-sized companies, public institutions and non-profit organizations losing millions of dollars to cyber-criminals. The problem prompted the FBI and the American Bankers Association to recommend that online banking operations be performed from dedicated computers only.

These attacks start by infecting computers on an organization’s network with the purpose of stealing online banking credentials. The Clampi and Zeus (Zbot) families of trojans have so far dominated this aspect of cyber-crime and positioned themselves as the leading information-stealing computer trojans.

However, it seems other groups are willing to challenge that supremacy, especially since antivirus products are getting better at generically detecting modified Clampi and Zeus variants, which significantly reduces their success rate. The trojan discovered by SecureWorks back in January, which was dubbed Bugat, appears to be one of these new competitors.

“In mid-January, the installer for Bugat had moderate coverage (20/40), according to VirusTotal. The most commonly identified name (Bredolab) corresponds to a family of trojan downloaders. However, its runtime behavior did not match what one would expect from Bredolab. The installed mspdb30.dll file had almost no AV recognition (2/41),” Jason Milletary, SecureWorks’ technical director for malware analysis, explains on the company’s research blog.

Bugat is capable of capturing information entered in Web forms, altering the content of targeted websites or stealing browser cookies, as well as FTP and POP3 credentials. Additionally, the malware can function as a SOCKS proxy server, upload files from the infected computer to a remote server or download and execute programs.

The trojan communicates with a command and control (C&C) server from where it receives instructions and updates to the list of financial websites it targets. This communication can be encrypted in order to thwart traffic inspection tools.

“The emergence of Bugat reinforces that there is a strong demand for new malware to commit financial credential theft and that ACH and wire fraud remains a profitable venture for criminals,” Mr. Milletary concludes. Indeed, just last week, Symantec warned of a new Zeus-like crimeware toolkit called SpyEye.

Credit: Softpedia.com News

Underscoring a little-known web vulnerability, hackers are exploiting a weakness in the Mozilla Firefox browser to wreak havoc on Freenode and other networks that cater to users of internet relay chat.

Using a piece of javascript embedded into a web link, the hackers force users of the open-source browser to join IRC networks and flood channels with diatribes that include the same internet address. As IRC users with Firefox follow the link, their browsers are also forced to spam the channels, giving the attack a viral quality that has has caused major disruptions for almost a month.

“Huge numbers of users of the Freenode network ended up getting banned themselves because they would click the link and then they would join the network and flood the network,” one of the hackers, who goes by the moniker Weev, said. “We get his huge rollover effect.”

He added: “We got the the people who run Freenode to actually k-line each other,” a reference to the process of banning a user from an IRC server for spamming or other inappropriate actions.

The malicious javascript exploits a feature that allows Firefox to send data over a variety of ports that aren’t related to web browsing. By relaying the scripts over port 6667, users who click on the link automatically connect to the IRC server and begin spewing a tirade of offensive text and links. The attack doesn’t work with Internet Explorer or Apple Safari, but “might” work with other browsers, Weev said.

IRC channels such as Efnet and OFTC have managed to block the attacks, but at time of writing Freenode operators were still struggling to repel them.

“While we are doing what we can to mitigate the spam, we would ask that you take a careful look at any unusual sites or URLs you might visit in the near future to be sure you are not being tricked into visiting such a site,” a note on Freenode’s website read. Representatives of the network didn’t respond to an email seeking comment.

Security researchers have long known that it’s possible to abuse features designed to make browsers work seamlessly with other internet applications. Web security expert Robert “RSnake” Hansen calls the technique “interprotocol exploitation.”

“It’s the first time I’ve actually seen it used in the wild,” he said. “We’ve been theorizing this attack was possible for some time. Browsers absolutely should not be able to connect to ports unrelated to HTTP.”

Hansen said other internet technologies, such as the Sip protocol for voice over IP, are also ripe for abuse.

Credit: The Register

Cybercrime affiliates of unlicensed pharmaceutical websites have begun moving on from attacks purely designed to poison Google search engine results, and are now targetting Microsoft’s web properties.

Search engine poisoners are actively making use of Microsoft’s Windows Live Spaces blog hosting environment, net security firm eSoft reports. Miscreants are creating accounts which they use only to push links to the pharma-fraud sites. As a result the search engine ranking of these spamvertised sites is pushed up.

In addition, spam emails contain the URLs of fake blogs, from which surfers are redirected onto penis pill sites. The tactic is designed to evade spam filters that might already have blacklisted the fraudulent website.

The misuse of fake blogs on Live Spaces is a refinement of the well established practice of link spamming: posting “comments” on legitimate blogs that supply links to dodgy pharmaceutical websites and the like.

Attacks similar to the Live.com blogspamming for fraudulent pharmacy sites have also recently been thrown against both Yahoo and Blogger sites, eSoft adds. The security firm adds that the recent Google job spam scam also infiltrated Microsoft’s Life Space environment.

Whatever the distribution method, its clear these cybercriminals will continue to evolve new ways of advertising their bogus sites. An alert by eSoft containing screen shots of the fake pharma punting blogs that have begun affecting Live Spaces can be found here.

Credit: The Register, Threat Center Live Blog

The malware writers and criminals who run botnets for years have been using shared hosting platforms and so-called bulletproof hosting providers as bases of operations for their online crimes. But, as law enforcement agencies and security experts have moved to take these providers offline, the criminals have taken the next step and begun setting up their own virtual data centers.

IP address space allocation is handled by five regional Internet registries (RIR), each of which is responsible for a particular group of countries. The RIRs work with large enterprises, ISPs, telecoms and other organizations that need large blocks of IP space. These organizations typically have to go through an application and screening process in order to get these allocations, including providing legal documentation listing the officers of the company, its business and why the address space is needed.

And that’s the way it’s supposed to work everywhere. Applicants who can’t show a need for the IP space are told politely to take a walk. But in some cases, criminals have found a way around this by going through local Internet registries (LIR) or by taking advantage of RIRs that don’t have the resources to investigate every application as fully as they’d like.

The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they’ve taken a layer of potential problems out of the equation.

“It’s gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers,” said Alex Lanstein, senior security researcher at FireEye, an antimalware and anti-botnet vendor. “It takes one more level out of it: You own your own IP space and you’re your own ISP at that point.

“If there’s a problem, who are you going to talk to? It’s a different ball game now. These guys are buying their own data centers. These LIRs and RIRs aren’t going to push back if you say you need a /24 or /16. They’re not the Internet police,” Lanstein said.

The most famous example of this is the Russian Business Network case, in which a group of criminals was able to get a large amount of IP space by using an LIR to get an allocation from RIPE, the European RIR. The LIR gave RIPE documentation that supposedly showed a need for the allocation, and that’s as far as it went.

“It is impossible at that stage in the process for the RIPE NCC to determine that a company is involved in illegal activity. The member in question later proved to be a front for RBN,” RIPE said in a statement on the case. But the allocation was made in 2006 and it wasn’t until May 2008 that RIPE was able to close down the LIR and get the IP space back.

In most regions, a new organization requesting a large allocation will have to go through a fairly rigorous process to show the need for the address space. The RIR staff often will request a listing of each machine the organization has and may go as far as to request purchase receipts for the machines, as well, said John Curran, president and CEO of the American Registry for Internet Numbers (ARIN), which is responsible for the U.S., Canada and parts of the Caribbean.

Criminals subverting this process has become a major problem in some regions, particularly parts of Europe and the Caribbean, where there are dozens of jurisdictions and multiple languages, which can lead to confusion and difficulty in tracking down exactly who is doing what online, security experts say.

“There are a lot of instances where they don’t go past the letter of justification,” Lanstein said. “There are plenty of IP allocations I can pull up and look at the domains and see that they’re total BS. U.S. data centers are much better, but in Europe there are so many languages and countries, it’s impossible for them to check everyone. And the bad guys know this.”

This set-up has become a useful tactic for the criminals running botnets and large spam and carding operations. Attackers who own their own large blocks of IP space have a much easier time hiding their activities than do criminals who have to go through legitimate ISPs or hosting providers. There’s no abuse desk to complain to, no recourse for people who find themselves being attacked by a given range of IP addresses.

“The policies for handing out IP space and verifying the people behind and application are global, they apply to all of the RIRs. But within that framework, there’s room for RIRs to set their own local policies too,” said Curran. “The bad news is, those policies are very local. How does someone verify an organization when in some regions they may only have written records and it’s a town of 2,000 people? It’s very difficult in Africa, parts of Europe, parts of the Caribbean. It’s very much the case that parts of our process are very hard to implement in other regions. Other regions have different ways of recording how a company is formed and they recognize very informal structures. The record-keeping is decentralized and it might take a while to determine who is behind a company.”

And once the IP space has been allocated, getting it back can be a long and arduous process. Criminals often will use a certain IP block for as long as it’s useful and profitable for them. But if security researchers and ISPs notice suspicious activity in a certain block, they will sometimes stop accepting traffic from it and block any traffic from their own networks to that block. This can be an effective tactic, but once the criminals abandon the IP space, it can take a long time for a legitimate business to be able to get traffic flowing there again.

“This is part of the problem that’s causing the IPv4 shortage,” Lanstein said, referring to the imminent exhaustion of the IPv4 address space, forecasted to occur in less than two years. “They stop paying the bills, the space gets null-routed and then it’s a mess. There’s clear fraud going on, but who can do something about it?”

Credit: ThreatPost.com

Cybercrooks have begun punting World Cup ticket and HD TV viewing scams as a successor to earlier lottery-based cons.

The revision of earlier fraud follows the final draw for the 2010 World Cup last Friday. Now, in addition to the opportunity to “claim cash prizes” in a draw by South African Football Association they have never entered, prospective marks are also getting offers to “watch live games online”.

Victims of this particular scam pay to download a HD video player, which will supposedly come into its own next year, but actually receive only a rogue security (AKA scareware) product, net security firm McAfee warns. In addition, fake club offers, which promise desperate fans a chance to win match day tickets but are solely geared towards collecting subscriptions, have also begun springing up.

A blog post by McAfee illustrates these varied threats.

Football fans looking to buy tickets are advised to book through fifa.com, or obtain packages via local football association or reputable travel agents. Unsolicited online offers are almost inevitably going to be fake, while offers through auction sites are also fraught with risk.

Credit: The Register

A Swiss iPhone developer has released a new application that is capable of harvesting huge amounts of personal data from iPhones, including geolocation data, passwords, address book entries and email account information, all using just the public API.

The application, called SpyPhone, uses the public iPhone API that Apple made available for application developers, and does not need any exploits or hardware attacks in order to access the iPhone’s data. Instead, SpyPhone relies on using the iPhone’s usability and depth of features to its advantage. Once an application is on an iPhone, it has unfettered access to much of the data and settings on the device, a circumstance that SpyPhone’s developer, Nicolas Seriot, exploited.

Seriot has posted the source code for SpyPhone online and gave a talk about SpyPhone’s capabilities at a security conference this week. All of SpyPhone’s operations are conducted in the background, without the knowledge of the iPhone’s user, and the application can be set to email reports on each infected phone back to the attacker.

Once on the iPhone, the application begins looking at the stored data that’s available in various other programs, such as the email address book and the keyboard cache, which keeps a record of every keystroke the user enters in a non-password field, Seriot said. This data normally is used for the iPhone’s autocomplete feature, but can be a gold mine of information for an attacker searching for intelligence on the iPhone’s owner.

By default, the iPhone will tag any photos taken with the device with the date and location of the picture. The user can turn this feature off, but if it’s enabled, SpyPhone can access that data, as well as the log of which WiFi hotspots the device has connected to. All of this gives the attacker a better picture of the iPhone’s owner, his location and his interests, which is valuable data.

Apple has taken pains to keep strict control over what applications can run on the iPhone, but malicious apps have been found in the company’s AppStore in the past. And while Apple has to approve all of the programs in the AppStore, users who have jailbroken iPhones can run any app they choose on their devices. That leaves plenty of opportunity for seemingly innocuous apps that contain malicious components.

Credit: Threatpost.com

The Koobface botnet has pushed out a new component that automates the following routines:

Registering a Facebook account
Confirming an email address in Gmail to activate the registered Facebook account
Joining random Facebook groups
Adding Facebook friends
Posting messages to Facebook friends’ walls

Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human. The details provided about the account are complete such as a photo, birth date, favorite music, and favorite books, among others. In addition, every account registered is unique in such a way that the details vary for every account registered.

Koobface accomplishes these malicious activities by automating Internet Explorer to perform the task of creating and registering an account. However, it does not proceed and will terminate the process if the affected user is using Internet Explorer 6. Moreover, it employs a check if it has already reached the maximum friend requests set by Facebook or not. Hence, it keeps itself under the radar and does not cause any alarm to Facebook administrators.

The messages posted through Facebook’s wall contain a link that leads to the usual fake Facebook or YouTube page hosting the Koobface loader component.

Facebook users are advised to be careful and security conscious. For more tips on using Facebook, users may opt to visit Facebook’s safety and security pages: http://www.facebook.com/safety and http://www.facebook.com/security.

Credit: Trend Micro Malware Blog

A botnet that was once responsible for an estimated third of the world’s spam has been knocked out of commission thanks to researchers from security firm FireEye.

After carefully analyzing the machinations of the massive botnet, alternately known as Mega-D and Ozdok, the FireEye employees last week launched a coordinated blitz on dozens of its command and control channels. The channels were used to send new spamming instructions to the legions of zombie machines that make up the network.

Almost immediately, the spam stopped, according to M86 Security blog. Last year, the email security firm estimated the botnet was the leading source of spam until some of its servers were disabled.

The body blow is good news to ISPs that are forced to choke on the torrent of spam sent out by the pesky botnet. But because many email servers already deployed blacklists that filtered emails sent from IP addresses known to be used by Ozdok, end users may not notice much of a change, said Jamie Tomasello, an abuse operations manager at antispam firm Cloudmark.

The takedown effort is significant because it shows that a relatively small company can defeat a for-profit network that took extraordinary measures to ensure it remained operational. Not only did Ozdok reserve a long list of domain names as command and control channels, it also used hard-coded DNS servers. When all else failed, its software was able to dynamically generate new domain names on the fly.

With head chopped off of Ozdok, more than 264,000 IP addresses were found reporting to sinkholes under FireEye’s control, an indicated of the massive number of zombies believed to have belonged to the botnet. FireEye researchers plan to work with the ISPs to identify the owners of the orphaned bots so their owners can clean up the mess.

FireEye researchers said the key to dismantling the giant ring was a coordinated effort that worked in multiple directions all at once so that bot herders didn’t have a chance to counteract. “As it turns out, no matter how many fallback mechanisms are in place, if they aren’t all implemented properly, the botnet is vulnerable,” they wrote.

Credit: The Register

Facebook and MySpace have closed gaping security holes in their sites that gave attackers full access to accounts that had automatic-login features enabled.

The vulnerabilities were significant. Because the unauthorized access would be mapped to the victim’s IP address and website cookie, the intrusions would be virtually untraceable. Attackers were then free to upload photos and messages designated as private with no indication at all to the victim.

Facebook and MySpace closed the backdoors shortly after being notified, a marked improvement from the past, when the sites sometimes allowed serious security holes to persist for months. Still, it probably shouldn’t have taken an outsider to discover the bug. This is the latest episode to demonstrate that the only sure way to ensure that data is private is to keep it off social networking sites altogether.

The backdoors were the result of a misconfiguration of a crossdomain.xml, a file websites use to share content using Adobe Flash across domains. Some of the domains that were accessible exposed authentication tokens for accounts that had the auto-login feature turned on.

Facebook developers had blocked access from the main domain, but didn’t bother to notice the sensitive data was accessible when Facebook subdomains were used. MySpace similarly locked its front door but left a window at farm.sproutbuilder.com, which had full access to the data.

The holes could be exploited by luring victims to sites that had a Flash application installed designed to grab the authentication information, the developer said.

Credit: The Register