CyberInsecure.com

Archive for the ‘Spam’ Category

Hackers and pranksters began exploiting a newly discovered scripting flaw on YouTube on Sunday, provoking rumours that a virus was spreading on the site.

The cross-site scripting flaw (XSS) on the video-sharing website created a means for hackers to post JavaScript code in the comments sections of videos. The flaw meant that this JavaScript code was run on the machines of surfers viewing the same video clip.

Predictable enough, pranksters at 4Chan have begun using the vulnerability to redirect surfers looking for Justin Bieber video clips to goatse or false reports that the irksomely clean-cut Canadian singer had died in a car crash. Denizens of 4Chan are separately trying to rig an online poll to encourage Beiber to play North Korea in an upcoming tour.

In other cases the flaw has become the fodder of comment spam. Google iced the problem hours after it first appeared, techie-buzz.com reports.

“We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com that was discovered several hours ago,” said Google. “Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.”

The appearance of the vulnerability sparked rumours on Twitter and elsewhere that a virus was spreading across YouTube. A blog post by Chris Boyd of Sunbelt charts the genesis of this rumour, which is just the sort of thing that’s likely be used in new anti-virus (scareware) scams.

Security watchers at the Internet Storm Centre note that the vulnerability on YouTube might potentially have been used for all manner of hacking attacks, including password stealing scams.

“They [hackers] could steal your YouTube cookies, which probably doesn’t mean much to them, but they could also post various JavaScript code that will execute in your browser, in the context of YouTube,” an ISC handler writes. “I’ve seen nasty XSS attacks that are used to fake whole login screens and we know how many people use [the] same passwords for multiple accounts.”

Credit: The Register

Banks in Russia and Ukraine are under continued siege by criminal gangs wielding a sophisticated, next-generation exploitation kit that hacks the financial institutions’ authentication system and then hits it with a denial-of-service attack.

The attacks are being carried out with the help of a top-to-bottom revision of BlackEnergy, a popular hack-by-numbers toolkit that until recently was used primarily to launch DDoS, or distributed denial-of-service, attacks. Eastern European criminal gangs are using the expanded capabilities of BlackEnergy 2 to siphon funds out of electronic bank accounts and then assault the financial institutions with more data than they can handle, said Joe Stewart, a researcher with security firm SecureWorks’ Counter Threat Unit.

The attacks, which also use a BlackEnergy 2 module to bypass a Java-based application the banks use to authenticate customers online, began near the end of 2009. They show no signs of letting up, said Stewart, who observed the same modus operandi earlier this week.

“Over the months that I’ve been monitoring this botnet, it’s attacked probably a dozen or more banks with the same type of pattern of attacking the java authentication app,” Stewart told The Register. “All we see is, yes, this group has the plug-in that does the banking theft and then we see them also hacking that same banking authentication with the DDoS attack.”

BlackEnergy came to prominence in 2008 when it was reportedly used to disrupt internet communications in Georgia during the armed conflict between the former Soviet republic and Russia. It quickly became a major staple among Eastern European thugs, selling online for about $40 until free, pirated copies became widely available.

BlackEnergy 2, which Stewart first began monitoring in 2009, greatly expands what the software can do. It brings modular functionality to the tool, so separate programmers can write plug-in programs in much the way developers do for the Firefox browser. The gangs Stewart is monitoring are combining BlackEnergy’s core DDoS functionality with an add-on to hack the Java authentication application, said Stewart, who presented his findings at this week’s FIRST, or Forum of Incident Response and Security Team, conference in Miami.

“It’s a good technique to keep [bank employees] distracted while they get the money moved out,” Stewart said. It also “keeps people whose money is in transfer from logging on and seeing what’s happening.”

Bank customers victimized in the attacks are being targeted by trojans disguised as pay-per-install applications

In a major break from previous methods, the gangs are exclusively attacking banks in Russia and Ukraine. Previously, they went out of their way to avoid attacking banks in the region, presumably out of fear of attracting attention of law enforcement agents in the criminals’ own backyard. Stewart said he’s seen at least two unrelated bank fraud scams exclusively targeting banks in Russia and Ukraine, including the Bredavi trojan.

Credit: The Register

A clickjacking worm that forced hundreds of thousands of unsuspecting Facebook users to unknowingly post spam messages on their profiles, rapidly spread through the social networking website over the weekend. The worm used catchy news headlines to lure its victims into the trap.

Clickjacking is a Web attack technique that involves hijacking users’ mouse clicks on a page (hence its name) and using them to trigger unauthorized actions. The attack is technically known as user interface (UI) redressing because it hides a clickable object, such as a button, by making it transparent and superimposing it over a non-dangerous looking one.

Though not new, the technique was only brought into the public attention last year, when reputed Web security researchers Jeremiah Grossman and Robert Hansen disclosed some critical attacks based on it. One of them allowed ill-intent hackers to turn on a computer’s Web camera and microphone by exploiting a bug in the Flash Player Settings Manager.

The latest Facebook worm seems to be a proof of concept, because it does nothing destructive and its only purpose is to propagate. The offending messages posted on its victims’ profiles are based on real and catchy news topics from the past several months. “LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE”, “This man takes a picture of himself EVERYDAY for 8 YEARS!!”, “The Prom Dress That Got This Girl Suspended From School”, or “This Girl Has An Interesting Way Of Eating A Banana, Check It Out!” are some of the examples.

Clicking on the messages takes users to external pages hosted at blogspot.com, which only display a text that reads “Click here to continue.” However, clicking anywhere on the page abuses a user’s active Facebook session to publishing a spam message back to his profile.

“The trick, which uses a clickjacking exploit, means that visiting users are tricked into ‘liking’ a page without necessarily realising they are recommending it to all of their Facebook friends. […] If you believe you may have been hit by this attack, view the recent activity on your news feed and delete entries related to the above links. Furthermore, you should view your profile, click on your Info tab and remove any of the pages from your ‘Likes and interests’ section,” advises Graham Cluley, senior technology consultant at Sophos, who’s antivirus products detect this threat as Troj/Iframe-ET.

To protect themselves, Mozilla Firefox users can install and use NoScript, a browser extension, which includes protection against clickjacking attacks, amongst others.

Credit: Softpedia.com News

Miscreants have created a Trojan that poses as a Google Chrome extension. Spammed messages attempt to dupe prospective marks into trying an add-on that “helps you better organize your documents received in your email”.

Interested parties are pointed towards a counterfeit Google Chrome Extensions page, which offers a malware executable. More observant punters will notice that the download is offered in an .exe file and not a .crx Google Chrome extension. Such markers are easily missed, however.

The Trojan horse malware on offer (identified by Romanian security firm BitDefender as the Agent-20577) blocks access to Google and Yahoo webpages. Attempts to reach these sites on infected machines are hijacked and redirected to counterfeit sites. Such trickery is commonly a prelude to either phishing attacks or a technique by the hackers behind the trick to gain affiliate income from scareware slingers or other undesirables.

The appearance of the attack shows that cybercrooks have begun targeting Google Chrome users, something that only tends to happen when a product or service becomes widely used among end users and is therefore a compliment (of sorts) to the success of Google’s browser technology.

Credit: The Register

Miscreants have begun creating malware that overwrites software update applications from Adobe and others. Email malware that poses as security updates from trusted companies is a frequently used hacker ruse. Malware posing as update utilities, rather than individual updates, represents a new take on the ruse.

Vietnam-based anti-virus firm Bkis said the tactic is a logical follow-on from earlier approaches where viruses replace system-files and startup-program files.

Nguyen Minh Duc, director of Bkis Security, writes that the recently detected Fakeupver trojan establishes a backdoor on compromised systems while camouflaging its presence by posing as an Adobe update utility. The malware camouflages itself by using the same icons and version number as the official package.

Variants of the malware also pose as updaters for Java and other software applications.

Duc explains: “From analysis, we found that malware is written in Visual Basic, faking such popular programs as Adobe, DeepFreeze, Java, Windows, etc. In addition, on being executed, they immediately turn on the following services: DHCP client, DNS client, Network share and open port to receive hacker’s commands.”

Credit: The Register

Sophos has apologised after a third-party marketing agency hired by the anti-virus and anti-spam specialist sprayed link spam on the blog of security expert Gunter Ollmann.

Multiple auto-generated comments submitted to Ollmann’s technicalinfo.net blog containing hyperlinks to the anti-malware portal on the Sophos website. The posts were made by tools designed to automate spam and SEO attacks. The blog spam tactic was an attempt to boost the search engine ranking of the Sophos site.

Although Ollmann caught the messages before they made it onto his site he was understandably unimpressed by the ruse. “I find this a pretty unsavory tactic, especially if it’s initiated by a security company looking to be trusted by its customers”, Ollmann, CTO of security firm Damballa and who previously worked in IBM’s ISS security tools division, wrote on Thursday.

“Sophos - if you’re listening - stop your comment spam campaign and end your SEO attacks. It’s unprofessional.”

Sophos distanced itself from the blog spamming tactics. The approach was the idea of a marketing agency hired by Sophos, which the security firm promised will be taken to task over its tactics.

“I am mortified, as is everyone in our marketing team, that this has happened,” a Sophos spokesman said. “The messages were not posted on that guy’s blog by an employee of Sophos, but by a worker at an external company hired by our marketing department.”

Sophos has offered an apology to Ollmann, who has accepted it, and promised a review of its processes to make sure the incident does not get repeated.

“We have called the [marketing] company concerned in for a meeting today, and will be reading the riot act to them,” Sophos explained in a statement. “Furthermore, we will be ensuring that this kind of activity stops immediately, as it runs counter to everything we believe in as a computer security company.”

“There’s enough junk on the internet already - we don’t need firms representing computer security companies adding to the problem with such inane and unprofessional posts,” it added.

Ollmann is far from alone among security bloggers in facing the irksome chore of fending off blog comment spam. Similar comment spam also hit the anti-virus-rants blog but in that case the comment spam promoted both Sophos and rival Kaspersky Lab. One of these comments actually made it onto the site of Canadian blogger Kurt Wismer.

Credit: The Register

The prolific Pushdo spam botnet has found a new way to penetrate Microsoft’s Live.com by exploiting weaknesses in the audio captchas designed to prevent automated scripts from accessing the popular email service.

A new version of the bot causes infected PCs to pull down Live.com audio captchas and return the correct response within 10 seconds, according to a researcher at anti-virus firm Webroot. The attack allows the zombi machines to send email through accounts with a Live.com address, which are whitelisted by many spam filters. The technique offers spammers an alternative to sending spam through open mail relays, which are often blacklisted.

“In one seven minute test period where I permitted the bot to operate freely, the bot demonstrated [a] remarkable capability to bypass the audio captchas,” Webroot researcher Andrew Brandt wrote Monday Morning. “In most cases, it was able to submit the correct answer within two tries, though in one instance, the bot tried six times before it could proceed, and once it gave the correct answer the first time.”

The attack is the latest to target captchas, the puzzles that websites use to ensure that email and forms are completed by humans rather than automated scripts. Captchas require a person to recognize a series of distorted characters that are hard for computers to read using optical character recognition programs. Audio captchas, which are available in event the user is visually impaired, work in much the same way except that characters are verbally recited amid background static and other noise.

Over the past few years, cybercrooks have used devised attacks on captchas protecting Google, Live.com, sites selling concert tickets and various other web properties. Web masters usually respond by tweaking the puzzles, forcing attackers to find new bypass techniques.

Webroot’s Brandt said it’s the first time he’s heard of an audio captcha being targeted. It remains unclear if the attackers are sending the WAV files to sweat shops where humans then decode the audio puzzles, or if the technique works with the help of speech recognition software.

Once the captcha is solved, the botnet uses a Live.com email address to send spam with a variety of come-ons written with poor English grammar and usage. Our favorite one was “Mamma mia! your grandmother is doing so strange things here! Look at these delineations!”

The spam includes a link to a Yahoo Groups page that uses offers for free porn to coax people into giving up financial information.

A botnet primarily used to spend spam, Pushdo goes by several other names, including Cutwail, Diehard, and Rabbit. Some of the IP addresses used by the audio-captcha buster have been used in the past by the Russian Business Network.

Credit: The Register

The name of the popular file analysis service VirusTotal is being abused by cyber-crooks to infect users with scareware. A recent forum spam campaign tries to trick people into visiting a malicious website hosted at virus-total.in.

VirusTotal.com has been well known as free virus and malware online scan service which allows submitters to test a particular file against a multitude of malware scanners. So, it’s not highly surprising that malware authors would try to use that name to further their gain.

Security researchers from Sophos reported a spam run promoting the rogue virus-total domain, as a private message on a forum. The message employs scare tactics in order to frighten users into visiting the scareware-pushing website.

The message looks like this:

Subject: Warning!

DO NOT REPLY TO THIS EMAIL!
***************************

Dear [Redacted forum user name],

You have received a new private message at [Redacted] Forum from [Redacted], entitled “Warning!”.

To read the original version, respond to, or delete this message, you must log in here:
http://[Redacted]

This is the message that was sent:
***************
Dear, [Redacted forum user names]

There are viruses’ activities from your computer! Highly recommend you to scan your computer for malicious and potentially unwanted software. If you do not follow this, I will have to make a complaint to your Internet Service Provider with attached log file (your IP address, etc.). If you want to find a report about your computer’s security and solve every problem with it, please click here: http://www.virus-total.[TLD removed]/detected/[Redacted] This is an online service that you can use for free spyware removal. Use it to scan your computer to help protect, clean, and keep your computer running at its best. Use the free scan to check for and remove viruses, spyware, and other potentially malicious software and to find vulnerabilities or shortcomings in your Internet security.

Thank you. Yours truly, [Redacted].
***************

This attack clearly targets VirusTotal.com, a popular free service which allows users to scan suspicious files with over 40 antivirus engines and other tools. Julio Canto, VirusTotal’s project manager, issued an alert about the rogue virus-total.in website via Twitter.

The site displays bogus security warnings and fake antivirus scans to unsuspecting visitors, tricking them into installing a scareware program called SecurityTool. Rogue security programs such as these are commonly used by cyber-criminals to charge money for useless licenses and steal credit card details.

The above popup would follow by the loading of a fake scanning page inside the browser:

One of the interesting parts of this fake page is that the “Windows Security Alert” pop-up is actually a time-delayed object inside the page. Even though the box looks like a window box from Windows XP, it is not moveable at all.

When the fake scanning completes, another pop-up will be generated asking the user to download a file called security_tool_setup.exe. Needless to say, this file is malicious and is yet another one of the Fake Antiviruses.  This executable has already been proactively detected by Sophos as Mal/FakeVirPk-A.

“An unfortunate side effect of a scam like this is that the real VirusTotal could start to receive emails from irate victims of the fake site claiming they’ve ‘infected my PC’ – fingers crossed it doesn’t get to that stage. Remember: the REAL domain for VirusTotal is Virustotal.com. Don’t fall for this scam!” Sunbelt’s Chris Boyd advises.

Another unusual aspect of this attack is the threat of filing a complaint with a user’s ISP about the virus activity alleged in the spam message. This statement comes at a time when ISPs have announced initiatives to identify compromised computers on their networks and take proactive measures to clean them.

Credit: Softpedia.com News, SophosLabs Blog

Researchers from Atlanta-based security vendor SecureWorks have discovered a new information-stealing trojan facilitating ACH and wire fraud. The trojan has all the capabilities of malware commonly used to steal money from SMBs and non-profits.

An unprecedented wave of Automated Clearing House (ACH) and wire fraud started in 2009, resulting in small and medium-sized companies, public institutions and non-profit organizations losing millions of dollars to cyber-criminals. The problem prompted the FBI and the American Bankers Association to recommend that online banking operations be performed from dedicated computers only.

These attacks start by infecting computers on an organization’s network with the purpose of stealing online banking credentials. The Clampi and Zeus (Zbot) families of trojans have so far dominated this aspect of cyber-crime and positioned themselves as the leading information-stealing computer trojans.

However, it seems other groups are willing to challenge that supremacy, especially since antivirus products are getting better at generically detecting modified Clampi and Zeus variants, which significantly reduces their success rate. The trojan discovered by SecureWorks back in January, which was dubbed Bugat, appears to be one of these new competitors.

“In mid-January, the installer for Bugat had moderate coverage (20/40), according to VirusTotal. The most commonly identified name (Bredolab) corresponds to a family of trojan downloaders. However, its runtime behavior did not match what one would expect from Bredolab. The installed mspdb30.dll file had almost no AV recognition (2/41),” Jason Milletary, SecureWorks’ technical director for malware analysis, explains on the company’s research blog.

Bugat is capable of capturing information entered in Web forms, altering the content of targeted websites or stealing browser cookies, as well as FTP and POP3 credentials. Additionally, the malware can function as a SOCKS proxy server, upload files from the infected computer to a remote server or download and execute programs.

The trojan communicates with a command and control (C&C) server from where it receives instructions and updates to the list of financial websites it targets. This communication can be encrypted in order to thwart traffic inspection tools.

“The emergence of Bugat reinforces that there is a strong demand for new malware to commit financial credential theft and that ACH and wire fraud remains a profitable venture for criminals,” Mr. Milletary concludes. Indeed, just last week, Symantec warned of a new Zeus-like crimeware toolkit called SpyEye.

Credit: Softpedia.com News

Underscoring a little-known web vulnerability, hackers are exploiting a weakness in the Mozilla Firefox browser to wreak havoc on Freenode and other networks that cater to users of internet relay chat.

Using a piece of javascript embedded into a web link, the hackers force users of the open-source browser to join IRC networks and flood channels with diatribes that include the same internet address. As IRC users with Firefox follow the link, their browsers are also forced to spam the channels, giving the attack a viral quality that has has caused major disruptions for almost a month.

“Huge numbers of users of the Freenode network ended up getting banned themselves because they would click the link and then they would join the network and flood the network,” one of the hackers, who goes by the moniker Weev, said. “We get his huge rollover effect.”

He added: “We got the the people who run Freenode to actually k-line each other,” a reference to the process of banning a user from an IRC server for spamming or other inappropriate actions.

The malicious javascript exploits a feature that allows Firefox to send data over a variety of ports that aren’t related to web browsing. By relaying the scripts over port 6667, users who click on the link automatically connect to the IRC server and begin spewing a tirade of offensive text and links. The attack doesn’t work with Internet Explorer or Apple Safari, but “might” work with other browsers, Weev said.

IRC channels such as Efnet and OFTC have managed to block the attacks, but at time of writing Freenode operators were still struggling to repel them.

“While we are doing what we can to mitigate the spam, we would ask that you take a careful look at any unusual sites or URLs you might visit in the near future to be sure you are not being tricked into visiting such a site,” a note on Freenode’s website read. Representatives of the network didn’t respond to an email seeking comment.

Security researchers have long known that it’s possible to abuse features designed to make browsers work seamlessly with other internet applications. Web security expert Robert “RSnake” Hansen calls the technique “interprotocol exploitation.”

“It’s the first time I’ve actually seen it used in the wild,” he said. “We’ve been theorizing this attack was possible for some time. Browsers absolutely should not be able to connect to ports unrelated to HTTP.”

Hansen said other internet technologies, such as the Sip protocol for voice over IP, are also ripe for abuse.

Credit: The Register