Computer Security Articles

Most abused TLDs

The trend we observed in the last months when the non “classical” TLD increased massively continued in December as well. Contrary to November, where the .com has seen a slight increase, we are noticing this month that it decreased by more than 76%. The measures taken in November and December by the registrars of .org and .net finally show results: The usage of these two domains decreases, this month with an astonishing 151% for .org.

Spam category statistics

The spam levels decreased slightly from November, but still a lot of mixed spam has been sent. The “Others” category means all kind of spams which can’t be automatically sorted in one of the categories below. This was also expected, considering that we’ve had the holiday season where a lot of things were advertised for selling.

Extension statistics for malware URLs

As expected, the level of malware dropped significantly this month because of the fact that the spammers sent out more commercial driven messages than normal.
We are, however, seeing in January a comeback of the spam advertising malware. Interestingly, we see for the second month a significant increase of the .gif extension.

Most phished brands statistics

The most attacked brand is – as usual – PayPal. Strangely, despite the fact that we see a lot of PayPal phishing emails, we received a lot less phishing overall than in the previous months. I think that the reason for this has to do with the fact that the attacks are becoming more targeted than before. So, the phishers are improving the quality of the spam campaigns now and no longer try to flood the mailboxes blindly. This is why we see that many smaller brands (category Others) increasingly started to get phished for the second month in a row.

URL Shorteners used in malicious activities

The URL shorteners are used in emails to hide the final location of a malware file. It is not surprising to see the same trend here as in the distribution of the malware extensions (see above) because of this. The most used shorteners, bit.ly and goo.gl, have seen significant decrease in December.

Sorin Mustaca
Data Security Expert

Full story: Avira – TechBlog

Again the independent testing organisation PC Security Labs reviewed 30 famous security products, including Emsisoft Anti-Malware. The platform for this test was Windows XP SP3 Professional Simplified Chinese, comparing the On-demand scanners of the contestants with default settings. 1004 samples were used this time, representing the top threats in China.

For the first time since a longer period, Emsisoft Anti-Malware did not place first in a detection test, but second out of 30 is still a very good result.

The top 15:

The complete results and more detailed information can be found here.

Full story: Anti-Malware Reviews

Blended Threats by EvilFingers NoVa Hackers December 2010 (by Georgia Weidman) In the previous month’s NoVA Dec 2010, I presented a paper on Blended Threats (Intelligence: Data Acquisition). Enjoy!

Full story: KaffeNews

January 11, 2010

Last year could be called “the year of cyber fraud.” Today there are few users who’ve never heard of it. While developers of security software keep working to improve their products, and law enforcement agencies keep cracking down on fraudsters, new fraud schemes continue to surface. The only solution to the problem is comprehensive countermeasures on the part of anti-virus vendors, the financial institutions through which victims are making payments to cyber criminals, law enforcement agencies, and the victims of cyber fraud themselves. Valuable information about new fraud techniques received by vendors from users may contribute significantly to the anti-fraud campaign.

Fraud techniques—2010’s “Top Ten”

Below you can find information about the malicious programs used in fraud schemes during 2010. Following the long-standing tradition of top ten charts, we’ll start from the bottom. Next to the name of each scheme or malware type involved, you’ll see the corresponding name given to it by Dr.Web.

10. Pseudo-services

Offering interesting and often illegally acquired information for a small fee is a common fraud scheme. Users pay for such services with short messages that cost around 10 USD. Promised secrets range from private information about social network users to intelligence information from top-secret archives The quality of such services is questionable. Moreover, promises of this sort are often no more than bluffs — the criminals provide nothing in exchange for the money they receive. Links to bogus sites where such services are offered are usually spread over banner networks on sites providing access to free content.

9. Fake archives. Trojan.SMSSend

Criminals set up fake torrent trackers and file storages that supposedly contain popular music, movies, and e-books. As a consequence, such bogus resources top the results returned by search engines for popular queries. Victims believe that the files they download when using such resources are archives containing information they need, while, in fact, the files are executables that look like self-extracting archives. As the user tries to decompress the archive contents, they are informed at a certain point in the data extracting process that a payment must be made to complete the process. Ultimately users are deceived twice — they send money to criminals and never obtain any useful information. The archives contain nothing but the graphic shell and junk data, while their large size (apparently aiming to put users off guard) may exceed 70 MB.

8. Boot blockers. Trojan.MBRlock

In November 2010 virus analysts registered a blocker in the wild that rewrote the MBR code to prevent the installed operating system from loading. When victims turned on their computers, ransom demands appeared on their screens.

7. IM-client blockers. Trojan.IMLock

Over the course of several months in 2010, criminals spread a malicious program that blocked the launch of popular instant-messaging clients. The malware targeted users of ICQ and Skype. Instead of the messenger window, the Trojan displayed a window that mimicked the design of the blocked software. The user was offered the opportunity to regain access to the instant-messaging service by sending a paid short message.

6. Fake anti-viruses. Trojan.Fakealert

Fake anti-viruses have a look and feel similar to those of popular anti-virus software, and their design often combines the UI features of several anti-virus programs. However, such malicious programs and anti-viruses have nothing in common. Once installed, the fakes immediately notify users that the system is infected (and to some extent, this is true) and prompt users to purchase a commercial version of the product to cure the infection.

5. Redirection to malicious websites. Trojan.Hosts

Such malicious programs modify the host file, thus a user attempting to go to a popular website (e.g. a popular social networking site) gets redirected to a fake site that copies the design of the legitimate web resource. A user may be ordered to pay the criminals to re-gain full access to the original site.

4. Redirection to a local web server. Trojan.HttpBlock

Unlike Trojan.Hosts, these programs redirect a user to web pages generated by the web server installed on the compromised machine. With this approach, criminals save themselves the trouble of finding a hoster that wouldn’t take down their bogus site as soon as its malicious nature is exposed.

3. Data encryption. Trojan.Encoder

Last year saw the appearance of a multitude of new modifications of encryption Trojans targeting user documents. Once files are encrypted, these Trojans notify users that they have to pay criminals to decrypt the documents. In most cases Doctor Web releases corresponding decryption utilities in a timely manner, but since sometimes no quick decryption is possible and the ransom can be rather large, Trojan.Encoder comes in at No. 3 in the chart.

2. Windows blockers. Trojan.Winlock

Most common Windows blockers have had users and virus analysts on guard since late 2009, and so they rightfully take the second position. Blockers are malicious programs that display a window containing the criminals’ demands on top of all other windows, making those windows inaccessible until the victim pays a ransom. In 2010, Doctor Web virus analysts registered several surges of Winlock, and yet many new modifications of such programs are found in the wild at present.

1. Banking Trojans. Trojan.PWS.Ibank, Trojan.PWS.Banker, Trojan.PWS.Multi

The top spot in Doctor Web’s 2010 Malware Hit Parade goes to banking Trojans. These are malicious programs that help criminals gain unauthorized access to bank accounts over online banking systems. In 2011, we are likely to witness a shift in the criminals’ attention away from home users and towards companies which keep far greater sums of money in their accounts.

Statistics on user requests

Below you can see several graphs showing the history of user requests related to cyber fraud in 2010.

The first graph shows how the number of requests made to Doctor Web technical support, which is free for victims of cyber-fraud, varied throughout 2010. You can see that in June, when free support became available to users, the number of requests reached 400. By August when fewer variations of fraud malware were found in the wild, the number went down too. However, by the end of the year it increased again as criminals adopted more reliable methods to convert their virtual income into actual money.

The second graph shows the percentage ratio between the numbers of requests related to fraud schemes incorporating different methods for converting criminal income into money. The blue line represents requests related to malware that demanded paid short messages from users, while the red line represents fraudware that demanded a balance refill. You can see that after a breaking point in November 2010, criminals shifted their preferences towards the second scheme.

The third graph shows the percentage ratio between the total number of requests and the number of incidents when criminals demanded a balance refill over a payment terminal. The red and blue lines stand for different mobile operators. By December, fraudsters had adopted a new variant of the balance refill scheme which is represented on the graph by the green line. In the latter case, users refill balances for criminals by sending paid short messages. This scheme is as convenient as the standard short message scheme, but here criminals don’t need to deal with short code aggregators.

Other notable events in 2010

Other significant events of the last year include the emergence of the first 64-bit BackDoor.Tdss rootkit for Windows featuring bootkit technologies used to infect systems. The number of multi-component malicious programs incorporating bootkit technologies is growing.

It is also worth mentioning that the number of viruses for Android and other mobile platforms has increased as well. Doctor Web responds to emerging threats with prompt releases of new anti-viruses for most popular mobile OSs.

A standing recommendation for users is to follow the basic rules of information security: Ensure that your operating system and frequently used applications are updated regularly, install an anti-virus that is updated automatically, use alternative web-browsers, and do not use a system, especially one connected to the Internet, with administrator rights.

Full story: News of Doctor Web

If you’re looking for high-quality free software, here are some of 2010′s best-reviewed and most-popular programs from our Downloads library.

Full story: Network World on Security

To provide free antivirus security means making the product available for people to download.  Obviously, the number of downloads is then a good indication of how popular the product is (well, it needs to be taken with grain of salt… there is more to it than just one number … but it’s a good indication, nonetheless )

First, we got a note from CNet a week or so ago that avast! was the 2^nd most-downloaded antivirus on download.com in 2010 (behind AVG).  Moreover, avast! has the highest editors’ and users’ ranking, which naturally put smiles on our faces.  Download.com is the single biggest downloading site in the world, so to be second there is a great achievement. (BTW, all the best to AVG for the top spot and we hope we will switch places with them this year )

Yesterday, a story from PC World popped-up via the alert notification… advising users “…looking for high-quality free software…“ to check out the “…best-reviewed and most-popular program…”. Yes, avast! Free Antivirus is their TOP choice and download for 2010.  Thank you, PC World!

Btw, both articles are here:

http://download.cnet.com/8301-2007_4-20024438-12.html

http://www.pcworld.com/downloads/collection/collid,1660-order,4/files.html

That got me thinking:  how did we do overall in 2010?   Download.com is the biggest and PC World is certainly influential, but there are more downloading sites out there.  Aside from Download.com, we monitor and have the stats for:   Softpedia.com, Brothersoft.com, Softonic.com, 01net.com in France, Html.it in Italy,   Chip.de in Germany, Dobreprogramy.pl in Poland, Softportal.com in Russia, Superdownloads.com.br and Baixaki.com.br in Brazil, and several others in smaller countries.

In total, we did really well in 2010! Combining all downloads from the sites we measure,  avast! is the MOST downloaded free antivirus with a total of 141,320,488 downloads.   AVG came second with 132 million, followed by 105 million downloads of Avira.

Not a bad year

Full story: avast! blog

2011 has just started, so it is time to look back at what has happened in the last year. Today we publish the 2010 Annual Security Report covering an extremely interesting year with regard to cyber-crime, cyber-war and cyber-activism.

In 2010, cyber-criminals have created and distributed a third of all existing viruses. That is, in just 12 months, they have created 34 percent of all malware that has ever existed and has been classified by the company. Furthermore, the Collective Intelligence system, which automatically detects, analyzes and classifies 99.4 percent of all malware received, currently stores 134 million unique files, out of which 60 million are malware (viruses, worms, Trojans and other computer threats).

Trojans still dominate the ranking of new malware that has appeared in 2010 (56 percent of all samples), followed by viruses and worms. It is interesting to note that 11.6 percent of all the malware gathered in the Collective Intelligence database is rogueware or fake antivirus software, a malware category that despite appearing only four years ago is creating much havoc among users.

The list of countries with the most infections is topped by Thailand, China and Taiwan, with 60 to 70 percent of infected computers (data gathered from the free scanning tool Panda ActiveScan in 2010).

Regarding infection methods, 2010 has seen hackers exploit social media, the positioning of fake websites (BlackHat SEO techniques) and zero-day vulnerabilities.

Spam has kept its position as one of the main threats in 2010, despite the fact that the dismantling of some botnets (like the famous Operation Mariposa or Bredolab) has prevented many computers from being used as zombies to send spam, which has had a positive effect in spam traffic worldwide. Last year, around 95 percent of all email traffic globally was spam, yet this figure dropped to an average of 85 percent in 2010.

2010: A year marked by cyber-crime, cyber-war and cyber-activism

Besides the above data, this has been the year of cyber-crime, cyber-war and cyber-activism. Cyber-crime is nothing new, as the security industry has been warning against it for many years now: Every new malware specimen is part of a business aimed at financial profit.

As for the second protagonist of the year, we have seen many examples of cyber-war in 2010, the most notorious being Stuxnet. This was a new worm that targeted nuclear power plants and actually managed to infect the Bushehr plant, as confirmed at least by the Iranian authorities. Simultaneously, a new worm appeared –“Here you have”–that spread using old-school methods and was created by a terrorist organization known as “Brigades of Tariq ibn Ziyad”. According to this group, their intention was to remind the United States of the 9-11 attacks and call for respect for the Islamic religion as a response to Pastor Terry Jones’ threat of burning the Quran.

And even though some aspects are still to be clarified, Operation Aurora has also been in the spotlight. The attack, allegedly launched from China, targeted employees of some large multinationals by installing a Trojan on their PCs that could access all their confidential information.

The year 2010 has also seen the appearance of a new phenomenon that has forever changed the relationship between society and the Internet: cyber-protests or hacktivism. This phenomenon, made famous by the Anonymous group, is not actually new, but has grabbed the headlines in 2010 for the coordinated DDoS attacks launched on copyright societies and their defense of Wikileaks founder Julian Assange.

Social networks, in the spotlight

Besides offering information about the main security holes in Windows and Mac, the 2010 Annual Security Report also covers the most important security incidents affecting the most popular social networking sites. Facebook and Twitter have been most affected, but there have also been attacks on other sites like LinkedIn or Fotolog, for example.

There are several techniques for tricking users: hickjacking Facebook’s “Like” button, stealing identities to send out messages from trusted sources, exploiting vulnerabilities in Twitter to run javascript code, distributing fake apps that redirect users to infected sites, etc.

The full report is available at http://press.pandasecurity.com/press-room/reports/.

Full story: PandaLabs Blog

CSA DISCLAIMER: This video taken from YouTube. As well as any other video found on this site is not hosted here, it just embedded, and it taken randomly by our system from video hosting services like YouTube, Metacafe, and others. Therefore, we are not responsible for any copyright violations, video materials, hacking or cracking activities, or any other. If you have any legal issues, please contact the appropriate host site.

PC World – Welcome to 2011. Usually around this time of year, pundits guess what we’ll be seeing in the year ahead. On the computer security front, we’re hearing that 2011 will be the year of mobile malware, that criminals will take to the cloud, and that social network security is destined to become a bigger and bigger problem.

Full story: Yahoo! News: Security News

The tactics used by the cybercriminals remained the same. Surfing the web is still a dangerous pastime, while social engineering is routinely used to entice users into opening malicious links or downloading malicious or fraudulent programs.

Full story: Securelist / All Updates

2010 has been an active year both for spammers and anti-spammers alike. No new spamming techniques or tricks were used in 2010. However, the spammers kept the spam threat alive and kicking by recycling old tricks and combining popular spamming techniques seen in the past. Here are some of the notable spam types and techniques that continued to circulate this past year.

Pharmaceutical and other health-related spam remained the most notorious type throughout the year. This spam type was not limited to selling pharmaceutical products online, the spammers also used these messages to disguise their phishing and malware attacks.

Phishing attacks not only targeted banks. Phishers gradually switched their focus to target popular social networking sites such as Facebook, Twitter, MySpace, and the like. Sometimes, links in email messages redirected users to fake sites where their credentials were stolen. At other times, the links led to affiliate marketing sites such as online pharmacies or replica product websites.

Social engineering was on the rise all year long using different noteworthy events and topics like the tax season, Wikileaks, and social networking sites to spread malware.

Online gambling and casino-related spammed messages were especially prevalent in Europe where such activities were less strictly regulated than in North America. This spam type was frequently seen written in Spanish. Similarly, German was used in many spammed messages selling replicas in the third quarter as well. Other non-English spammed messages contained dating, adult, and commercial content.

Nigerian scams and fake lottery notifications also continued to proliferate in 2010. We saw multiple variants presented in different styles and used varying techniques.

Spam that carried malicious files or links to malware were also seen in 2010 with the proliferation of malware-related spam or “mal-spam” outbreaks. These frequently used conversational sentences such as “Thanks! Best Regards” with a personal signature at the end of email. The malware were attached to such messages.

Breaking news events—real or otherwise—were also used such as a popular actor/actress supposedly getting into a car accident with a link or attachment that led to malware. Other mal-spam also used online postcard greetings to get users to go to malicious links or to download malicious attachments.

Another type of spam that was frequently seen this year was salad word spam. The content of this type was noncommercial, non-advertising, and not related to any business in nature. It could be an article or extracted from a website or even a paragraph from a biography. Some salad spam had no meaning while others were written with poor grammar. Some contained as few as 2–3 random characters. It’s possible, in fact, that these messages were sent more to gather “live” email addresses rather than to actually conduct attacks.

Some of the most common spamming techniques in 2010 were:

• Embedded images in messages were actually downloaded from URLs. Salad words were added at the end of the main mail body.
• Messages were made to resemble legitimate email messages from well-known sites such as Amazon but the link actually led to Canadian pharmacy sites.
• The messages’ body contained salad words while .ZIP file attachments contains an image that linked to a site where the actual content was located.
• Spammed messages with only one URL in the message body and very few or no other words.
• Using HTML tricks to make large numbers of salad words at the bottom of the email message invisible.

One fact we noticed last year was that more spammed messages were prone to present their messages not only in the email body but also in the attachment. Examples of these include:

• Medical spam with a .ZIP file attachment that contained an image
• Fake lottery notification messages that also used .DOC and .PDF files
• Scam mail that used .DOC files for actual messages

Overall, there wasn’t much change in 2010 as far as spam was concerned. What we did see were tweaks and relatively minor changes to what we saw in previous years.

Post from: TrendLabs | Malware Blog – by Trend Micro

2010 in Review: Same Old Spammers

Full story: TrendLabs | Malware Blog – by Trend Micro

As 2010 comes to a close, here’s a list of the riskiest items we encountered in the past year:

• Hardware The riskiest hardware device used in 2010 was the German identification card reader. These cards contain encoded private information such as fingerprints. Unfortunately, the information on them can be quite easily stolen by using certain card readers.
• Website Software The riskiest software used by websites in 2010 was the popular blogging platform WordPress. Tens of thousands of unpatched WordPress blogs were used by cybercriminals for various schemes, primarily as part of redirection chains that led to various malware attacks or other blackhat search engine optimization (SEO)-related schemes.
• IP The most dangerous Internet Protocol used in 2010 was Internet Relay Chat (IRC). Thirty percent of all botnets used IRC to communicate with infected machines and their command-and-control (C&C) servers. Fortunately, blocking IRC use in networks reliably stops botnets.
• OS The riskiest OS used was Apple’s Mac OS X. In November, Apple sent users a massive maintenance release that weighed in at at least 644.48 MB. The weighty upgrade included fixes for multiple security vulnerabilities since the previous update released in mid-June. Apple’s penchant for secrecy and longer patch cycles also increased the risk for users.
• Website The most dangerous website in the world was Google. Its tremendous popularity led cybercriminals to target it specifically for blackhat SEO-related schemes, which in turn led users to significant malware threats, particularly FAKEAV. In addition, Google’s ad network was also frequently victimized by malvertisements.
• Social Network In another case wherein popularity led to danger, Facebook could be considered the most dangerous social networking site around. Everything from survey scams to KOOBFACE malware proliferation ensued on the site, as cybercriminals went where the people were, that is, Facebook.
• Top-Level Domain The most dangerous top-level domain in the world was CO.CC, which allowed cybercriminals to register thousands of domains on the fly with very little in the way of verification. This, along with Russian ISPs that routinely refused to shut down malicious sites, made for a very dangerous combination.
• File Format PDF was the riskiest file format in 2010, as Adobe Acrobat and Reader vulnerabilities routinely became part of exploit toolkits.
• Runtime Environment The most dangerous runtime environment for users in 2010 was Internet Explorer (IE) with scripting enabled. Even today, most browser exploits specifically target IE. However, Java is quickly becoming a more prominent target and could become the prime target in 2011.
• Infection Channel The most common infection channel was still the browser, as more than two-thirds of all infections used this as infection vector. Previous infection methods like flash disks and spammed messages were still around but were less prominent than before.

Post from: TrendLabs | Malware Blog – by Trend Micro

2010 in Review: 2010′s Most Dangerous List

Full story: TrendLabs | Malware Blog – by Trend Micro

One of the key functions of the PC Advisor website is to help technology users. We offer free tech support in the Helproom Forum, and hundreds of technology tutorials both big and small. Search around on PC Advisor and you’ll find advice on everything from ultra-techie niche problems, through simple home entertainment setup to tips on keeping your PC in tip-top condition.

Full story: Network World on Security

As we look back on 2010, I’d like to thank our 132,325 Visitors who read more than 214,000 stories on the blog which is a bit more than a 10% increase over our 2009 readership. I thought it might be interesting to go through the year month by month and review what stories were most interesting to our readers, based on the number of times each article was read.

January

USAA Bank Latest Avalanche Scam

Iranian Cyber Army returns – target: Baidu.com

China Iran Cyberwar???

February

Fake Photo version of Zeus

Conficker.B Microsoft Warning Spam

March

Most Dangerous Cities for Cyber Crime

PKK Hackers Arrested in Turkey

April

70 Romanian Phishers & Fraudsters Arrested

Fake AV In the News

May

I actually didn’t blog in May between grading finals and getting ready for several firsts at UAB, including our first Computer Foreniscs Camp for high schoolers, and our first National Science Foundation Research Experiences for Undergraduates in Cybercrime Investigations.

(Note: We are already taking applications for the UAB Crime REU which has three tracks, Criminal Justice, Forensic Science, and Computer Forensics. If you know an undergrad with a passion for Cybercrime investigation who would like to earn $ 450 per week, plus room and board, have them follow that link for an application!)

So, instead of giving you a CyberCrime & Doing Time story, let’s look at MY favorite Security Blog, Krebs On Security.com.

My top story in May was probably the Fraud Bazaar Carders.cc Hacked.

June

Anna Chapman and Mikhail Semenko vs. the FBI

Pro-Gaza Hackers Target Israeli Websites

IRS Malware: “Notice of Underreported Income” spam

Four Russian Spay Couples (& Two Solo Acts)

Russian Spies – Tradecraft and Follow the Money

178 International Credit Card Fraudsters Arrested

July

PakBugs Hackers Arrested

Stealing $ 10 Million, 20 cents at a time

The Future of Cyber Attack Attribution

ICE Operation In Our Sites

August

New Facebook Attack gives a One-Two Punch

Major Fraud Ring Busted in Largest Chinese Cybercrime Operation

September

17 Zeus Money Mules wanted by New York FBI

“Here You Have” spam spreads email worm

“Here You Have” Hype & Electronic Jihad

October

FBI’s Operation ACHing Mule

November

Lin Mun Poo: Hacker of the Federal Reserve Bank and . . . ?

USAA Phish: Avalanche Uses many “Redirectors”

Another M00P Group Member Arrested

December

Oleg Nikolaenko, Mega-D Botmaster, to Stand Trial

Operation: Payback Origins

Internet Anarchy: Anonymous Crowds Flex Their Muscles

Full story: CyberCrime & Doing Time

The end of 2010 is near and I thought I’d take the time out to recap how the year has been malware-wise. This is my list of the top 10 most remarkable malware families that surfaced in 2010:

1. STUXNET. It was remarkable because of its sophistication and use for espionage. It was thought to have been programmed to halt Iran’s nuclear program. I don’t think it will be the last malware family that will be used to spy on others and/or for industrial sabotage. It was a big deal also because of its heavy use of previously undiscovered software vulnerabilities in Windows.
2. Aurora. It hit Google and other big software companies last Christmas and it was remarkable because it managed to steal sensitive information from these giants.
3. ZeuS. It’s a Do-It-Yourself (DIY) botnet toolkit that has become very popular in the underground. It has spawned lots of different botnets that have stolen millions of dollars from home users and companies alike. The fact that it’s an off-the-shelf piece of software hints at the current state of malware as a multipurpose weapon.
4. SpyEye. Touted as ZeuS’s successor, recent accounts tell how it will carry ZeuS’s source code into a more sophisticated code base. It has a similar concept to ZeuS and also comes in the form of a DIY toolkit.
5. KOOBFACE. It was remarkable because it spread through social networks from Facebook to Twitter. It caused enough headaches for Facebook that the social networking giant finally decided to add a CAPTCHA to its link-submitting form.
6. BREDOLAB. A botnet that was used to spread other malware, it acted as some sort of malware-deploying platform. It was remarkable because it was taken down by the Dutch police in September 2010 after its Georgian creator amassed millions of dollars thanks to it.
7. TDSS/Allurion. A very sneaky rootkit that managed to cause bluescreen errors on a lot of computers in February 2010 when a new Microsoft update changed the files that it used to infect the systems. It had one of the most complex rootkit components ever seen and apparently a very shrewd development team behind it.
8. Mebroot. A spamming botnet that used a rootkit that could survive Windows re-installation. It hides very deep in a system so it loads even before Windows does. It’s responsible for a big percentage of all of the spam traffic worldwide.
9. FAKEAV. Though strictly not a virus, it’s the scam of choice of most of modern malware so all infections have a fake antivirus scam as a visible payload. The creation of Russian partnerkas (or affiliation programs) let third parties get money for every successful scam job performed. This enabled fake antivirus groups to become the con artists of the year helped by virus creators everywhere.
10. Boonana. The Mac version of KOOBFACE in the sense that it copied KOOBFACE’s method of spreading via social networks. It was remarkable because it brought most of KOOBFACE’s functionality to the Mac platform, making it a whole different beast that could open a new can of worms in the growing platform.

Have a great 2011 and stay safe.

Post from: TrendLabs | Malware Blog – by Trend Micro

2010 in Review: 10 Most Remarkable Malware in 2010

Full story: TrendLabs | Malware Blog – by Trend Micro

In the past few weeks, my colleagues and I have been exchanging views about the changes we’ve seen in the threat landscape in 2010.

It didn’t come as a surprise therefore that Web threats dominated the threat landscape throughout the entire year. As the general public further integrated Internet usage into their everyday lives, so did cybercriminals with their malicious attacks. The prevalence of Web threats was further amplified by the rampant use of malicious toolkits, which enabled even less-technically savvy malicious users to come up with fairly sophisticated schemes. We expect to see more of similar threats in 2011 and aim to keep users protected with the help of the Trend Micro™ Smart Protection Network™.

So, just to bring everyone up to speed, here is a complete list of our “2010 in Review” posts:

• 2010 in Review: The Hype and Reality of STUXNET: To help users better understand the most talked-about threat in 2010, Ivan Macalintal puts the STUXNET threat in proper context, at least in terms of what is considered a real and present danger for users today.
• 2010 in Review: New and Better Ways of Stealing Information: ZeuS’ success undeniably continued into 2010, allowing it to remain one of the most serious threats throughout the year.
• 2010 in Review: The Vulnerability Landscape: The continued and effective usage of vulnerabilities by cybercriminals in launching attacks is a clear indication of how important it is for users to keep their systems updated, especially third-party applications.
• 2010 in Review: No Recession for Cybercrime: It was business as usual for the cybercrime underground in 2010 even amid the economic problems that affected most of the world.
• 2010 in Review: Same Old Spammers: No new spamming techniques or tricks emerged in 2010. However, the spammers kept the spam threat alive and kicking by recycling old tricks and by combining popular techniques seen in the past.
• 2010 in Review: 2010′s Most Dangerous List: From infected hardware to social networks, users were plagued by threats from different vectors in 2010.
• 2010 in Review: 10 Most Remarkable Malware in 2010: Several malware families made headlines in 2010, all with their own noteworthy characteristics. Senior threat researcher David Sancho listed down 10 of the most remarkable malware in 2010.

Post from: TrendLabs | Malware Blog – by Trend Micro

A Look Back at 2010

Full story: TrendLabs | Malware Blog – by Trend Micro

Malware Research Group started conducting quick tests in Q3 of this year, using single zero day / early life malware samples. Of course individual tests were not presented as efficacy assessments of the security applications being tested, but would serve to give some representation of performance when looked at over time. An overall number of 22 security programs has been tested this way.

The tests were based on a Windows 7 32 Ultimate virtual machine with all updates, of course every single application got its own VM. Samples came directly from MRG honeypots and were then uploaded to a certain URL so that it could be downloaded to the VM by using Internet Explorer.

The final results:

Once again Emsisoft Anti-Malware was able to proof its great detection rate together with Defense Wall V3. It is very interesting that well established programs like Kaspersky Antivirus 2011, AVG Antivirus or Avira Antivir Premium show strong weaknesses in detecting current threats. You can find the complete test here.

Full story: Anti-Malware Reviews

Computer and network security is a perpetual game of cat and mouse. Attackers are often adept at both following technology and social trends, and adapting attacks to exploit weak points. As 2010 comes to a close, let’s take a look back at some of the biggest security trends from the year. –
Tony Bradley on Network World on Security

The number of software vulnerabilities (as measured by entries in the Common Vulnerabilities and Exposures (CVE) database) went down in 2010, although due to the complexity of modern programs they can never be completely eliminated. Criminals take advantage of this to drop their malware onto the systems of victims everywhere.

Because of this, there is a continued need for vulnerability defense solutions like Intrusion Defense Firewall (IDF), a plug-in for OfficeScan™ and Deep Security.

In recent years, both vulnerability researchers and criminals have been focusing their attacks on third-party applications. This is quite natural, as both Internet-exposed services (such as Web servers) and the OSs themselves have been made more secure. This focus on third-party applications increases the risk for typical end users, as they tend to ignore third-party programs as primary attack vectors. In addition, no common patching platform like Windows Update is provided, raising the risk of having vulnerable versions on user systems.

Let’s examine the number of publicly disclosed proof-of-concept (POC) exploits that allowed remote code execution in several applications that users commonly utilize (these are based on exploits posted on the Exploits Database site):

Out of these critical vulnerabilities in 2010, the ones which had the most impact in the wild were:

• Internet Explorer iepeer.dll code execution vulnerability (MS10-018; CVE-2010-0806)
• Java Web start vulnerability (CVE-2010-1423)
• Microsoft Windows Help and Support Center vulnerability (MS10-042; CVE-2010-1885)
• Windows LNK vulnerability (MS10-046; CVE-2010-2568)
• Adobe Acrobat/Reader cooltype.dll buffer overflow vulnerability (APSB10-21; CVE-2010-2883)
• DLL preloading attacks via remote network shares (Microsoft Security Advisory 2269637)

It’s also worth noting that the DOWNAD/Conficker threat, which dates back to late 2008, was still quite active during the first half of the year. DOWNAD isn’t quite dead yet.

What kind of malware are dropped or downloaded onto user’s systems by exploits? Variants of the ZeuS family of malware were favored payloads throughout 2010. In particular, exploits using .PDF files and ActiveX controls as infection vectors were frequently used for this purpose.

These threats highlight how important it is for users to properly protect themselves against vulnerabilities by patching their software. For that, readers should consult the previous blog post “Have You Patched Your System Lately?” The CTO Insights blog also talked about it in the video “Zero Day Vulnerabilities Risk Overblown.”

Post from: TrendLabs | Malware Blog – by Trend Micro

2010 in Review: The Vulnerability Landscape

– Abhishek Bhuyan (Senior Security Researcher) on TrendLabs | Malware Blog – by Trend Micro

The cybercrime underground saw relatively few really revolutionary developments in 2010. However, while the rest of the world was in the economic doldrums, the cybercrime underground kept growing.

Researchers who monitored the cybercrime underground noted that the number of Trojans targeting information and credential theft significantly rose in 2010. This was not surprising, as we noted earlier that the number of new information-stealing malware families was on the rise.

One development in 2010, however, was the complete failure of certain domain registrars to properly police their customers. This allowed certain top-level domains to be heavily abused and used to host hundreds of thousands of malicious domains. Because of this, blocking a single domain name has been of limited value, as the domains became essentially disposable for the criminals using them.

While, in theory, these registrars are “legitimate”, their lax policies allow widespread abuse of their services by cybercriminals. To illustrate the scale of the problem, one of these registrars claimed on its front page that it had more than 7.5 million domains, very few of which are actually legitimate.

On a more positive note, there were some high-profile arrests and takedowns of cybercrime networks in 2010. In March, the Spanish authorities arrested the ringleaders of what was called the Mariposa botnet, which stole information from approximately 12.7 million users around the world. An even bigger operation codenamed Trident Breach led to arrests in the United States, Britain, and the Ukraine of more than 50 individuals involved in a ZeuS gang that targeted small and medium-sized businesses. In late October, Armenian and Dutch law enforcement agencies worked together to arrest a 27-year-old man that was behind the Bredolab botnet.

Those arrests were noteworthy in large part because they arrested actual ringleaders of the gangs involved and not just low-ranking money mules. More than arresting mules or shutting down servers, arresting the criminals behind these attacks was necessary to stop these activities.

The futility of takedowns was seen when Pushdo/Cutwail was taken down earlier this year. Within days, it was back in business. Similarly, security researchers were able to take down the Waledac botnet in March, but as we noted at the time, spam levels remained unchanged.

The lesson is that shutting down a botnet by purely technical means doesn’t do anything in the long term; arresting the people responsible is key to fixing the cybercrime threat.

Trend Micro partners with many law enforcement agencies around the world. Together with these partners, we continuously work to help bring those responsible for today’s online threats to a court of law. We expect these partnerships to be busier than ever in the upcoming year.

Post from: TrendLabs | Malware Blog – by Trend Micro

2010 in Review: No Recession for Cybercrime

– Paul Ferguson (Senior Threat Researcher) on TrendLabs | Malware Blog – by Trend Micro

CSA DISCLAIMER: This video taken from YouTube. As well as any other video found on this site is not hosted here, it just embedded, and it taken randomly by our system from video hosting services like YouTube, Metacafe, and others. Therefore, we are not responsible for any copyright violations, video materials, hacking or cracking activities, or any other. If you have any legal issues, please contact the appropriate host site.

Hello and welcome to this month’s blog on the Microsoft patch release. This is another large release —the vendor is releasing 17 bulletins covering a total of 40 vulnerabilities.

Eight of the issues are rated ‘Critical’ and they affect Internet Explorer and the OpenType Font (OTF) format driver. The remainder of the issues are rated ‘Important’ or ‘Moderate’ and affect Publisher, Office, SharePoint, Windows, Windows kernel, Exchange, and Hyper-V. Included in this patch release is a fix for the last of the vulnerabilities Stuxnet was exploiting, the Windows Task Scheduler issue.

 As always, customers are advised to follow these security best practices:

-     Install vendor patches as soon as they are available.

-     Run all software with the least privileges required while still maintaining functionality.

-     Avoid handling files from unknown or questionable sources.

-     Never visit sites of unknown or questionable integrity.

-     Block external access at the network perimeter to all key systems unless specific access is required.
 
Microsoft’s summary of the December releases can be found here:

http://www.microsoft.com/technet/security/bulletin/ms10-dec.mspx

The following is a breakdown of the ‘Critical’ bulletins being addressed this month:

1. MS10-090 Cumulative Security Update for Internet Explorer (2416400)

CVE-2010-3340 (BID 45255) Microsoft Internet Explorer Uninitialized Object CVE-2010-3340 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Internet Explorer when it handles an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. Affects: Internet Explorer 6 and 7

CVE-2010-3342 (BID 45256) Microsoft Internet Explorer CVE-2010-3342 Cross Domain Information Disclosure Vulnerability (MS Rating: Moderate / Symantec Rating: 5.7/10)

A cross-domain information-disclosure vulnerability affects Internet Explorer because it incorrectly allows cached content to be rendered as HTML across domains. An attacker can exploit this issue by tricking an unsuspecting victim into visiting a Web page containing malicious content. A successful exploit will result in the disclosure of potentially sensitive information. Information obtained may aid in further attacks. Affects: Internet Explorer 6, 7, and 8

CVE-2010-3343 (BID 45259) Microsoft Internet Explorer Uninitialized Object CVE-2010-3343 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Internet Explorer when it handles an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. Affects: Internet Explorer 6

CVE-2010-3345 (BID 45260) Microsoft Internet Explorer Uninitialized HTML Element CVE-2010-3345 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Internet Explorer when it handles an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. Affects: Internet Explorer 8

CVE-2010-3346 (BID 45261) Microsoft Internet Explorer Uninitialized HTML Element CVE-2010-3346 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Internet Explorer when it handles an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. Affects: Internet Explorer 6, 7, and 8

CVE-2010-3348 (BID 45263) Microsoft Internet Explorer CVE-2010-3348 Cross Domain Information Disclosure Vulnerability (MS Rating: Moderate / Symantec Rating: 5.7/10)

A cross-domain information-disclosure vulnerability affects Internet Explorer because it incorrectly allows cached content to be rendered as HTML across domains. An attacker can exploit this issue by tricking an unsuspecting victim into visiting a Web page containing malicious content. A successful exploit will result in the disclosure of potentially sensitive information. Information obtained may aid in further attacks. Affects: Internet Explorer 6, 7, and 8

CVE-2010-3962(BID 44536) Microsoft Internet Explorer CSS Tags Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.3/10)

A previously public (Nov 3, 2010), remote code-execution vulnerability affects Internet Explorer when storing a certain combination of Cascading Style Sheet (CSS) tags, resulting in a use-after-free condition. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. Affects: Internet Explorer 6, 7, and 8

2. MS10-091 Vulnerabilities in the OpenType Font (OTF) Format Driver Could Allow Remote Code Execution (2296199)

CVE-2010-3956 (BID 45311) Microsoft Windows OpenType Font (OTF) Driver Invalid Array Index Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10)

A remote code execution vulnerability affects the Windows OpenType Font (OTF) format driver when handling specially crafted OpenType fonts. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page, previewing an email, or opening a file containing malicious fonts. A successful exploit will result in the execution of arbitrary attacker-supplied code in kernel-mode; this may facilitate a complete compromise of an affected computer. Affects: Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based systems, Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit systems, Windows Server 2008 for 32-bit systems SP2, Windows Server 2008 for x64-based systems, Windows Server 2008 for x64-based systems SP2, Windows Server 2008 for Itanium-based systems, Windows Server 2008 for Itanium-based systems SP2, Windows 7 for 32-bit systems, Windows 7 for x64-based systems, Windows Server 2008 R2 for x64-based systems, Windows Server 2008 R2 for Itanium-based systems

CVE-2010-3957 (BID 45315) Microsoft Windows OpenType Font (OTF) Driver Double-Free Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10)

A remote code-execution vulnerability affects the Windows OpenType Font (OTF) format driver when handling specially crafted OpenType fonts. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page, previewing an email, or opening a file containing malicious fonts. A successful exploit will result in the execution of arbitrary attacker-supplied code in kernel-mode; this may facilitate a complete compromise of an affected computer. Affects: Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based systems, Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit systems, Windows Server 2008 for 32-bit systems SP2, Windows Server 2008 for x64-based systems, Windows Server 2008 for x64-based systems SP2, Windows Server 2008 for Itanium-based systems, Windows Server 2008 for Itanium-based systems SP2, Windows 7 for 32-bit systems, Windows 7 for x64-based systems, Windows Server 2008 R2 for x64-based systems, Windows Server 2008 R2 for Itanium-based systems

CVE-2010-3959 (BID 45316) Microsoft Windows OpenType Font (OTF) Driver CMAP Table Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10)

A remote code-execution vulnerability affects the Windows OpenType Font (OTF) format driver when handling specially crafted OpenType fonts. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page, previewing an email, or opening a file containing malicious fonts. A successful exploit will result in the execution of arbitrary attacker-supplied code in kernel-mode; this may facilitate a complete compromise of an affected computer. Affects: Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based systems, Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows Server 2008 for 32-bit systems, Windows Server 2008 for 32-bit systems SP2, Windows Server 2008 for x64-based systems, Windows Server 2008 for x64-based systems SP2, Windows Server 2008 for Itanium-based systems, Windows Server 2008 for Itanium-based systems SP2, Windows 7 for 32-bit systems, Windows 7 for x64-based systems, Windows Server 2008 R2 for x64-based systems, Windows Server 2008 R2 for Itanium-based systems

More information on these and the other vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

– Robert Keith on Symantec Connect – Security Response – Blog Entries

The volume of spam continues to drop.  We have been monitoring the decline in overall spam volume over the last few months, and the downtrend continued in November.  The average daily volume in November dropped 17.4 percent month-over-month.  Compared to August, spam volume was down over 56 percent.  This drop in overall spam volume also brought down the overall spam percentage.  Spam made up 84.31 percent of all messages in November, compared with 86.61 percent in October.

In addition to discussing the volume decline, this month’s report contains interesting predictions for 2011.

Click here to download the December 2010 State of Spam & Phishing Report, which highlights the following trends:

·         What’s Happening to Spam Volume?

·         2011 – Spam Predictions

·         Buyers Beware! Holiday Do’s and Don’ts

·         Fake Security for Indonesian Facebook Users

·         Phishers’ Roving Eyes Target Indian Educational Institutions

– Eric Park on Symantec Connect – Security Response – Blog Entries

The Pushdo/Cutwail and Bredolab botnet command centers have been shut down; the SpamIt partner program went out of business; and a criminal case has been brought against Igor Gusev who is believed to be the world’s No.1 spammer. – on Securelist / All Updates