Tag Archive | "from"

Google Chrome-Protecting users from malicious downloads


Google has introduced a new feature for its Chrome browser that will display a warning if a user attempts to download a suspected malicious executable file.

The Chrome team is extending its Safe Browsing API service to cover downloaded files as well as visited pages.

What is the Safe Browsing API?
The Safe Browsing API is an experimental API that enables client applications to check URLs against Google’s constantly updated blacklists of suspected phishing and malware pages. Your client application can use the API to download an encrypted table for local, client-side lookups of URLs that you would like to check.

The new feature will be integrated with Google Chrome and will display a warning if a user attempts to download a suspected malicious executable file:

This warning will be displayed for any download URL that matches the latest list of malicious websites published by the Safe Browsing API. By adding support for these known malware destinations, Google expects to reduce the number of infections among Chrome users.

Posted in Quick Heal


How to access my home computer from another PC? Learn with Panda Security

Published by Blanca Carton, April 2011

How many times have you wished you could access documents stored on your home PC while you were out? In my case, many. And I hate to say “I cannot send it right now”.

This situation has changed. My Panda Global Protection 2011 integrates the BeAnywhere technology which allows remote access to my home computer from any other machine through the Internet. It does not matter whether it is done from work or from a cyber-café. Now, everything is at hand.

Installing it is really easy.

  1. Go to Start / Programs / Panda Global Protection 2011 / Additional tools.
  2. Select Install remote access.
  3. The program installation wizard will give you two installation options:
    • Install to this computer. This option installs the program on your computer.
    • Install to a pen drive (any USB removable storage device). This option lets you store the file on a USB drive so that you can install the Remote Access program on other computers later on.
  4. Finally, click Next.

Once you have installed the product, you need to create a remote access administrator account. To do this:

  1. Open the program from Start / Programs / Remote Access (BeAnywhere) / BeAnywhere Drive.
  2. Select a language from those available: English, Portuguese, Spanish, French, German and Dutch.
  3. Create a login account for using the program. This account consists of an email address and password.
  4. You will receive a confirmation email to activate your account by clicking the link in the message.
  5. Once you have completed these steps you will have an administrator access account to manage computers remotely.

With these steps, you can remotely access all the documentation and files available. Easy and safe :)

Remember that if you have queries during the installation and activation of your antivirus you can always find help in the Technical Support forum.

Posted in Antivirus

Canadian Pharmacy pops up in emails from Facebook with subject “Welcome to Facebook Goods”

Since yesterday, MX Lab, http://www.mxlab.eu, has been intercepting a new spam campaign by email with the subject “Welcome to Facebook Goods”. These messages are sent from spoofed email addresses in the format Facebook uses on the domain facebookmail.com. Some examples:

update+bscts2qxhedj@facebookmail.com
update+6i8mlfxn1svw@facebookmail.com

This is the body of the email:

Notice that Facebook's look and feel is used to disguise the real purpose of the message.

Four different URLs with the format http://www.domainhere.tld/s/h/o/p/ are used in each message; they redirect you to the Canadian Pharmacy at hxxp://midiclxic.ru/.


Posted in Facebook, Security

“United Parcel Service notification 48161” from UPS contains trojan

MX Lab, http://www.mxlab.eu, started to intercept a new trojan variant distribution campaign by email with the subject “United Parcel Service notification 48161”, where the number in the subject may vary. The email characteristics are more or less the same as those of the previous campaign MX Lab posted earlier this week, but detection was very low at the time of writing: only 5 of the 43 AV engines at Virus Total detected the trojan.

The email is sent from spoofed addresses of the form “United Parcel Service <****@ups.com>”, where **** is filled in with various combinations such as:

infoads@ups.com
infoad111@ups.com
infoad@ups.com
infosec@ups.com
infosec1@ups.com
infosec3@ups.com
infosec4@ups.com
infoser@ups.com
infoser1@ups.com
infoser2@ups.com
infoser3@ups.com
infoser4@ups.com
infosec8@ups.com

The message has the following body:

Dear customer.

The parcel was sent your home address.
And it will arrive within 3 business day.

More information and the tracking number are attached in document below.

Thank you.
© 1994-2011 United Parcel Service of America, Inc.

The attached ZIP file is named UPS-document.zip and contains the 20 kB file UPS-document.exe.

The trojan is known as Artemis!08BA3C182674 (McAfee) and Trj/CI.A (Panda).

Virus Total permalink and MD5: 08ba3c182674398cd2190cad5dc327ef.

The trojan installs itself on the infected computer and downloads additional files from the following URLs:

  • http://109.94.220.52/lol2.exe
  • http://109.94.220.52/pod.exe
  • http://109.94.220.52/spm.exe
  • http://91.213.29.175/lol2.exe
  • http://91.213.29.175/pod.exe
  • http://91.213.29.175/spm.exe

For each of the files we have the following report:

lol2.exe:

FakeAlert-CN.gen.h (McAfee), FraudTool.Win32.FakeRean.b (VIPRE)
Virus Total permalink – MD5: 43b84209a37ebdee99996b073562203e

Installs the file %AppData%\pux.exe, modifies the registry, connects to IP 69.50.209.138 on port 80 and requests the URL hxxp://vogunemymyko.com/1017000412.

pod.exe:

Worm/Rorpian.A (AntiVir), W32/Worm-FAO!1B984534DCC8 (McAfee)
Virus Total permalink – MD5: 1b984534dcc8d761703437f10a9cf179

Installs the file %Temp%\srvB8.tmp, connects to IP 188.138.48.178 on port 80 and requests the URL hxxp://188.138.48.178/service/listener.php?affid=50039.

spm.exe:

Artemis!CCB935935C60 (McAfee), W32/Spammer.AQZ.worm (Panda)
Virus Total permalink – MD5: ccb935935c60b7c931201daa9efd6af4

Installs the files %System%\mhmhbrog.dll and %System%\tmp.tmp, modifies the registry, and makes connections to the following IPs:

124.108.116.109, on port 25
67.195.168.31, on port 25
98.137.54.237, on port 25
98.139.54.60, on port 25
46.4.10.7, on port 8000 and 8001

This malware will also generate SMTP traffic from the spoofed email addresses:

  • <info1goyoy@ups.com>
  • <info47dynu@ups.com>
  • <info42s@ups.com>
  • <info2yu@ups.com>

This malicious payload will create the following files:

%CommonAppData%2v34rbtx7a80t655b4m22u3yx11w233mh156g3
%AppData%2v34rbtx7a80t655b4m22u3yx11w233mh156g3
%Temp%2v34rbtx7a80t655b4m22u3yx11w233mh156g3
%Templates%2v34rbtx7a80t655b4m22u3yx11w233mh156g3
%AppData%\Microsoft\conhost.exe
%AppData%\xbr.exe
%Temp%\srvC8.tmp
%System%\mtcaqnbx.dll
%System%\musawolc.dll

The following processes will be created:

conhost.exe: %AppData%\Microsoft\conhost.exe
xbr.exe: %AppData%\xbr.exe

The following hostnames are resolved:

  • ponel.biz
  • itisformebaby.biz
  • zuzosahule.com
  • dafatesomyz.com
  • jumonevetode.com
  • gokuzajylot.com
  • lukofymela.com
  • jebuponip.com
  • quxovasuced.com
  • laqoduhisegu.com
  • xyseditacif.com
  • dihemehypuq.com
  • wylyxaqunowy.com
  • qepovexidysopy.com
  • bebecebyt.com
  • rumesexyzobuz.com
  • kyxiteruk.com
  • kexigulat.com
  • jarynokab.com
  • lefurasacaveta.com
  • cicabijyni.com
  • ridibasofetevi.com
  • sihorarofiqiha.com
  • ropunonic.com
  • xyxukinasacujo.com
  • tapahagupaji.com
  • zonotunev.com
  • raxukakudumow.com
  • vogunemymyko.com
  • zufonabubi.com
  • bynoripuqoxyl.com
  • kytelaticik.com
  • qyvexyhun.com
  • myhofociv.com
  • dalebihyku.com
  • kijyjajutava.com
  • decufysohyh.com
  • sezixalekur.com
  • lolypositole.com
  • hohimedag.com
  • hikiniribep.com
  • fyxinolydima.com
  • gonifyzadiby.com
  • wavupinycom.com
  • xykecolun.com
  • hisepelihyzex.com
  • xixeriwihat.com
  • vetidicawisos.com
  • dijipabamefuw.com
  • naxucerybaqecy.com
  • hegylocimemyja.com
  • roboralipijago.com
  • samykacagatet.com
  • fusipemura.com
  • sazulipum.com
  • fuxawekugygil.com

A connection attempt to itisformebaby.biz on port 8000 is made, and a connection is established to the IP 188.138.48.178 on port 80 with the request service/listener.php?affid=50039.

The following HTTP URLs are requested:

  • hxxp://vogunemymyko.com/1017000412
  • hxxp://zufonabubi.com/1017000412
  • hxxp://bynoripuqoxyl.com/1017000412
  • hxxp://kytelaticik.com/1017000412
  • hxxp://qyvexyhun.com/1017000412
  • hxxp://myhofociv.com/1017000412
  • hxxp://dalebihyku.com/1017000412
  • hxxp://kijyjajutava.com/1017000412
  • hxxp://decufysohyh.com/1017000412
  • hxxp://sezixalekur.com/1017000412
  • hxxp://lolypositole.com/1017000412
  • hxxp://hohimedag.com/1017000412
  • hxxp://hikiniribep.com/1017000412
  • hxxp://fyxinolydima.com/1017000412
  • hxxp://gonifyzadiby.com/1017000412
  • hxxp://wavupinycom.com/1017000412
  • hxxp://xykecolun.com/1017000412
  • hxxp://hisepelihyzex.com/1017000412
  • hxxp://xixeriwihat.com/1017000412
  • hxxp://vetidicawisos.com/1017000412
  • hxxp://dijipabamefuw.com/1017000412
  • hxxp://naxucerybaqecy.com/1017000412
  • hxxp://hegylocimemyja.com/1017000412
  • hxxp://roboralipijago.com/1017000412
  • hxxp://samykacagatet.com/1017000412
  • hxxp://fusipemura.com/1017000412
  • hxxp://sazulipum.com/1017000412
  • hxxp://fuxawekugygil.com/1017000412
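
The indicators above are only useful once they are checked against something. As an added example (not MX Lab's code), here is a small Python matcher that runs a subset of the post's hostnames, the IPs, the two URL paths, the spoofed SMTP senders and the MD5s over constructed DNS, proxy, firewall and SMTP log lines. The log format and the client addresses are invented for the example; the indicators themselves are copied from the post.

```python
from urllib.parse import urlsplit

# Indicators copied from the post above (hostnames: a subset of the list).
HOSTNAMES = {"ponel.biz", "itisformebaby.biz", "vogunemymyko.com",
             "zufonabubi.com", "bynoripuqoxyl.com", "kytelaticik.com"}
IPS = {"109.94.220.52", "91.213.29.175", "69.50.209.138", "188.138.48.178",
       "124.108.116.109", "67.195.168.31", "98.137.54.237", "98.139.54.60",
       "46.4.10.7"}
URL_PATHS = {"/1017000412", "/service/listener.php?affid=50039"}
SPOOFED_SENDERS = {"info1goyoy@ups.com", "info47dynu@ups.com",
                   "info42s@ups.com", "info2yu@ups.com"}
MD5S = {"08ba3c182674398cd2190cad5dc327ef": "UPS-document.exe",
        "43b84209a37ebdee99996b073562203e": "lol2.exe",
        "1b984534dcc8d761703437f10a9cf179": "pod.exe",
        "ccb935935c60b7c931201daa9efd6af4": "spm.exe"}

# Constructed log lines in a simple "timestamp source key=value ..." format.
SAMPLE_LOG = """\
2011-03-24T10:02:11 dns client=10.0.0.15 query=vogunemymyko.com. type=A
2011-03-24T10:02:12 proxy client=10.0.0.15 method=GET url=http://vogunemymyko.com/1017000412 status=200
2011-03-24T10:02:15 proxy client=10.0.0.15 method=GET url=http://188.138.48.178/service/listener.php?affid=50039 status=200
2011-03-24T10:02:20 fw client=10.0.0.15 dst=46.4.10.7 dport=8001 action=allow
2011-03-24T10:03:01 dns client=10.0.0.22 query=www.example.org. type=A
2011-03-24T10:03:05 fw client=10.0.0.22 dst=198.51.100.9 dport=443 action=allow
2011-03-24T10:04:40 smtp client=10.0.0.15 from=info42s@ups.com dst=98.137.54.237 dport=25
"""


def parse(line: str) -> dict:
    """Turn one constructed log line into a dict of its fields."""
    fields = line.split()
    record = {"ts": fields[0], "source": fields[1]}
    for kv in fields[2:]:
        key, _, value = kv.partition("=")   # split on the first '=' only
        record[key] = value
    return record


def indicators_in(record: dict) -> list[tuple[str, str]]:
    """Return (indicator_type, value) pairs the record matches."""
    hits = []
    query = record.get("query", "").lower().rstrip(".")
    if query in HOSTNAMES:
        hits.append(("hostname", query))
    if "url" in record:
        u = urlsplit(record["url"])
        host = (u.hostname or "").lower()
        path = u.path + ("?" + u.query if u.query else "")
        if host in HOSTNAMES:
            hits.append(("hostname", host))
        if host in IPS:
            hits.append(("ip", host))
        if path in URL_PATHS:
            hits.append(("url-path", path))
    if record.get("dst") in IPS:
        hits.append(("ip", record["dst"]))
    if record.get("from", "").lower() in SPOOFED_SENDERS:
        hits.append(("spoofed-sender", record["from"].lower()))
    return hits


def scan(log_text: str) -> list[tuple[int, str, list]]:
    """(line number, client, hits) for every line with at least one hit."""
    results = []
    for number, line in enumerate(log_text.strip().splitlines(), 1):
        record = parse(line)
        hits = indicators_in(record)
        if hits:
            results.append((number, record.get("client"), hits))
    return results


def compromised_clients(results) -> list[str]:
    return sorted({client for _, client, _ in results})


def lookup_md5(hexdigest: str):
    """Name of the sample a hash belongs to, or None."""
    return MD5S.get(hexdigest.lower())


if __name__ == "__main__":
    for number, client, hits in scan(SAMPLE_LOG):
        print(f"line {number} client {client}: {hits}")
    print("clients to isolate:", compromised_clients(scan(SAMPLE_LOG)))
```

The SMTP line is the one worth noticing: outbound port-25 connections from a workstation to an address the post lists, using a forged ups.com sender, are the spam module (spm.exe) at work, and they show up even when the HTTP stage is missed.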

Posted in Security

Spam from Canadian pharmacy masked as “Delivery Notification”

MX Lab, http://www.mxlab.eu, started to intercept a new spam campaign by email with the subject “Delivery Notification”. What appears at first to be a simple email notification is in fact a spam campaign for the Canadian Pharmacy.

The message is sent from spoofed email addresses like:

Notification-15955 <lwnfc@vowyg2kynvx4.veridomlegal.net>
Notification-07997 <cwujg@fgoorlgaxle7.veridomlegal.net>

The body of the email only contains a link to a web site:

http://www-48023.outdomnovolume.net

http://www-35051.outdomnovolume.net

….

The five-digit number in the web site address changes with every email, but the link always leads to the Canadian Pharmacy web site:

The domain outdomnovolume.net was registered a few days ago; a WHOIS lookup shows the following details:

Domain name: outdomnovolume.net

Registrant Contact:
   Xicheng
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

Administrative Contact:
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

Technical Contact:
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

Billing Contact:
   Zhongguancun Si Zhongguancun@yahoo.com
   01066569226 fax: 01066569226
   Huixindongjie
   Beijing Chaoyang 101400
   cn

DNS:
ns1.dnsfopiq.com
ns2.dnstow.ru

Created: 2011-03-19
Expires: 2012-03-19


Posted in Security

Protect Files From Malware With Windows Integrity Levels

In an earlier post, I wrote about the use of the powerful Windows feature called mandatory integrity levels (MIC) to protect processes from spyware. In this follow-up note, I’d like to explore how integrity levels can offer additional safeguards for files of malware victims.

Windows Integrity Levels for Files

Windows integrity levels, such as Low, Medium, and High, take precedence over the traditional discretionary access controls, such as those that might prevent one user from accessing another user’s files. The idea of integrity levels is to restrict what less-trusted operating system objects can do to more-trusted objects.

To observe and manipulate some aspects of integrity level labels on the file system, Windows includes the icacls command-line tool. However, a tool called Chml—which is distributed for free by Mark Minasi—is a more powerful alternative.

Protecting Files from Malware Using Integrity Levels

Let’s say a user wishes to exercise extra care for protecting a particularly sensitive file. For our example, we’ll call it secret.txt:

By default, a file created by a Windows user, even if the person is logged in with administrative privileges, is assigned the Medium integrity level:

The integrity policies displayed by Chml show that an object with a lower integrity level will be able to read and execute the file, because the “no read up” and “no execute up” policies are disabled by default. However, the object will be unable to write to the file, because the “no write up” policy is enabled.

To make it harder for malware to read the sensitive file, the user can set the integrity level of the file to High and also enable the “no read up” policy. Chml can do this with the parameters “-i:h” (sets the integrity level to High) and “-nr” (enables the “no read up” policy).

Since by default Windows launches processes under the Medium integrity level, user-mode malware running on the victim’s host will be prevented from accessing the file that was assigned the High integrity level. (You can look at integrity levels of processes using Process Explorer.)

In the screenshot above, I used Notepad to simulate malware attempting to access the sensitive file.

If the user wishes to access this file, he or she will need to run the program under the High integrity level. This can be accomplished by selecting “Run as administrator” when launching the program:

Using Windows integrity levels at the file system level provides another way of protecting victims from malware, in addition to the process-based integrity levels approach I discussed earlier. You can also use Windows integrity levels to limit capabilities of exploits.

If this topic interests you, consider the Combating Malware in the Enterprise course I co-authored, which discusses Windows integrity levels among numerous other relevant topics. Also, take a look at the Integrity Levels and DLL Injection write-up by Didier Stevens.

Lenny Zeltser

Posted in Security

Large spam campaign “Unread messages” from Twitter leads to pharmacy sites

MX Lab, http://www.mxlab.eu, started to intercept a large spam campaign with the subject “Twitter – You have X unread message(s)”, where X is a number from 1 to 3, that leads to the U.S. Drugs web site. This campaign is slightly different from the previous campaign at the end of February 2011 but leads to the same pharmacy site.

The campaign is sent from the spoofed email address “Twitter <twitter-message-RECIPIENT=DOMAIN@postmaster.twitter.com>”, where the recipient’s email address is embedded in the from address.

An example of the email:

The final destination of the URL:

More information regarding this site can be found at http://spamtrackers.eu/wiki/index.php/US_Drugs.

Posted in Security

More ACH Spam from NACHA

While we wait for the Japanese Earthquake scams to begin, we noticed another on-going spam campaign. We wrote about the ACH Transaction Rejected spam back in February, but another round is active, with another 350+ freshly registered domains.

The body of the email this time around reads:

The ACH transfer (ID: 65388185980), recently sent from your checking account (by you or any other person), was cancelled by the other financial institution.

Please click here (link) to view details

If you have any questions or comments, contact us at info@nacha.org. Thank you for using http://www.nacha.org.

/This messages is intended for use by addressee only and may contain privileged and confidential information. If you are not the intended recipient, dissemination of this communication is prohibited. If you have received this communication in error, please delete all copies of the message and attachments and notify the sender immediately. /

The spam has one of the following ten subject lines:

ACH payment canceled
ACH payment rejected
ACH transaction canceled
ACH Transfer canceled
ACH transfer rejected
Rejected ACH payment
Rejected ACH transaction
Rejected ACH transfer
Your ACH transaction
Your ACH transfer

Each claims to be from “nacha.org” – the National Automated Clearing House Association – the people who handle electronic payments between banks.

The from addresses are:

ach@nacha.org
admin@nacha.org
alert@nacha.org
alerts@nacha.org
info@nacha.org
payment@nacha.org
payments@nacha.org
risk@nacha.org
risk_manager@nacha.org
transactions@nacha.org
transfers@nacha.org

Here are the domain names we are seeing this time around. I haven’t checked all of them, but the ones I checked were registered through GoDaddy. (GoDaddy and Afilias have been notified, and many of the domains are already disabled.)

ACHDESCRIBES.INFO
ACH-DETAILS-EMERGE.INFO
ACHDETAILSEMERGE.INFO
ACH-DETAILS.INFO
ACHDETAILS.INFO
ACH-DETAILS-MAGAZINE.INFO
ACHDETAILSMAGAZINE.INFO
ACHDETAILSNOW.INFO
ACHDETAILSONLINE.INFO
ACHDETAILSSHOP.INFO
ACHDETAILSSITE.INFO
ACHDETAILSSTORE.INFO
ACHDETAILSTODAY.INFO
ACHELEMENTS.INFO
ACH-INFORMATION-ARCHITECTURE.INFO
ACHINFORMATIONASSURANCE.INFO
ACHINFORMATIONBLOG.INFO
ACH-INFORMATION.INFO
ACHINFORMATION.INFO
ACHINFORMATIONLITERACY.INFO
ACHINFORMATIONNOW.INFO
ACHINFORMATIONONLINE.INFO
ACH-INFORMATION-SCIENCES.INFO
ACHINFORMATIONSCIENCES.INFO
ACH-INFORMATION-SHARING.INFO
ACHINFORMATIONSHARING.INFO
ACHINFORMATIONSHOP.INFO
ACHINFORMATIONS.INFO
ACHINFORMATIONSITE.INFO
ACHINFORMATIONSTORE.INFO
ACHINFORMATIONTODAY.INFO
ACHINFORMATIONWARFARE.INFO
ACHINFORMS.INFO
ACHREPORTBLOG.INFO
ACH-REPORT-CARD.INFO
ACHREPORTCARD.INFO
ACH-REPORT-CARDS.INFO
ACHREPORTCARDS.INFO
ACH-REPORT-COVERS.INFO
ACHREPORTCOVERS.INFO
ACH-REPORT.INFO
ACHREPORT.INFO
ACHREPORTNOW.INFO
ACHREPORTONLINE.INFO
ACHREPORTSHOP.INFO
ACHREPORTS.INFO
ACHREPORTSITE.INFO
ACHREPORTSTORE.INFO
ACHREPORTTODAY.INFO
ACHREVIEW.INFO
ATRANSFERADMISSION.INFO
ATRANSFERAGENT.INFO
ATRANSFERAPPLICANTS.INFO
A-TRANSFERBLOG.INFO
ATRANSFERFILES.INFO
ATRANSFERGUIDES.INFO
ATRANSFER.INFO
A-TRANSFERNOW.INFO
A-TRANSFERONLINE.INFO
ATRANSFERPRICING.INFO
ATRANSFERREQUEST.INFO
A-TRANSFERSHOP.INFO
A-TRANSFERS.INFO
A-TRANSFERSITE.INFO
A-TRANSFER-STATION.INFO
ATRANSFERSTATION.INFO
A-TRANSFERSTORE.INFO
A-TRANSFERTODAY.INFO
B-ACH-ACCOUNTS.INFO
BACHACCOUNTS.INFO
B-ACHBLOG.INFO
B-ACH.INFO
B-ACHNOW.INFO
B-ACHONLINE.INFO
B-ACH-PAYMENT.INFO
BACHPAYMENT.INFO
B-ACH-PAYMENTS.INFO
BACHPAYMENTS.INFO
B-ACHSHOP.INFO
B-ACHS.INFO
B-ACHSITE.INFO
B-ACHSTORE.INFO
B-ACHTODAY.INFO
B-ACH-TRANSACTIONS.INFO
BACHTRANSACTIONS.INFO
BESTACHDETAILS.INFO
BESTACHINFORMATION.INFO
BESTACHREPORT.INFO
BESTA-TRANSFER.INFO
BESTB-ACH.INFO
BESTD-PAYMENT.INFO
BESTG-PAYMENT.INFO
BESTP-ACH.INFO
BESTQ-ACH.INFO
BESTQ-PAYMENT.INFO
BESTQ-TRANSFER.INFO
BESTR-TRANSFER.INFO
BESTT-TRANSFER.INFO
BESTV-ACH.INFO
BESTW-ACH.INFO
BESTZ-PAYMENT.INFO
D-PAYMENTBLOG.INFO
D-PAYMENT.INFO
DPAYMENT.INFO
DPAYMENTMETHOD.INFO
DPAYMENTMETHODS.INFO
D-PAYMENTNOW.INFO
D-PAYMENTONLINE.INFO
DPAYMENTOPTION.INFO
DPAYMENTPROCESSING.INFO
DPAYMENTPROCESSOR.INFO
D-PAYMENTSHOP.INFO
D-PAYMENTS.INFO
D-PAYMENTSITE.INFO
DPAYMENTSOLUTION.INFO
DPAYMENTSOLUTIONS.INFO
D-PAYMENTSTORE.INFO
DPAYMENTTERMINAL.INFO
D-PAYMENTTODAY.INFO
DPAYMENTTRANSACTION.INFO
ELECTRONIC-ACH-DETAILS.INFO
ELECTRONICACHDETAILS.INFO
ELECTRONIC-ACH-REPORT.INFO
ELECTRONICACHREPORT.INFO
FREEACHDETAILS.INFO
FREEACHINFORMATION.INFO
FREEACHREPORT.INFO
FREEA-TRANSFER.INFO
FREEB-ACH.INFO
FREED-PAYMENT.INFO
FREEG-PAYMENT.INFO
FREEQ-ACH.INFO
FREEQ-PAYMENT.INFO
FREEQ-TRANSFER.INFO
FREER-TRANSFER.INFO
FREET-TRANSFER.INFO
FREEV-ACH.INFO
FREEW-ACH.INFO
FREEZ-PAYMENT.INFO
G-PAYMENTBLOG.INFO
G-PAYMENT.INFO
GPAYMENT.INFO
GPAYMENTMETHOD.INFO
GPAYMENTMETHODS.INFO
G-PAYMENTNOW.INFO
G-PAYMENTONLINE.INFO
GPAYMENTPROCESSING.INFO
GPAYMENTPROCESSOR.INFO
G-PAYMENTSHOP.INFO
G-PAYMENTS.INFO
G-PAYMENTSITE.INFO
GPAYMENTSOLUTIONS.INFO
G-PAYMENTSTORE.INFO
GPAYMENTTERMINAL.INFO
G-PAYMENTTODAY.INFO
GPAYMENTTRANSACTION.INFO
MASTER-P-ACH.INFO
MASTERPACH.INFO
MYACHDETAILS.INFO
MYACHINFORMATION.INFO
MYACHREPORT.INFO
MYA-TRANSFER.INFO
MYB-ACH.INFO
MYD-PAYMENT.INFO
MYG-PAYMENT.INFO
MYP-ACH.INFO
MYQ-ACH.INFO
MYQ-PAYMENT.INFO
MYQ-TRANSFER.INFO
MYR-TRANSFER.INFO
MYT-TRANSFER.INFO
MYV-ACH.INFO
MYW-ACH.INFO
MYZ-PAYMENT.INFO
NEWACHDETAILS.INFO
NEWACHINFORMATION.INFO
NEWACHREPORT.INFO
NEWA-TRANSFER.INFO
NEWB-ACH.INFO
NEWD-PAYMENT.INFO
NEWG-PAYMENT.INFO
NEWP-ACH.INFO
NEWQ-ACH.INFO
NEWQ-PAYMENT.INFO
NEWQ-TRANSFER.INFO
NEWR-TRANSFER.INFO
NEWT-TRANSFER.INFO
NEWV-ACH.INFO
NEWW-ACH.INFO
NEWZ-PAYMENT.INFO
P-ACH-ACCOUNTS.INFO
PACHACCOUNTS.INFO
P-ACHBLOG.INFO
P-ACH.INFO
P-ACHNOW.INFO
P-ACHONLINE.INFO
P-ACH-PAYMENT.INFO
PACHPAYMENT.INFO
P-ACH-PAYMENTS.INFO
PACHPAYMENTS.INFO
P-ACHSHOP.INFO
P-ACHS.INFO
P-ACHSITE.INFO
P-ACHSTORE.INFO
P-ACHTODAY.INFO
P-ACH-TRANSACTIONS.INFO
PACHTRANSACTIONS.INFO
Q-ACH-ACCOUNTS.INFO
QACHACCOUNTS.INFO
Q-ACHBLOG.INFO
Q-ACH.INFO
QACH.INFO
Q-ACHNOW.INFO
Q-ACHONLINE.INFO
Q-ACH-PAYMENT.INFO
QACHPAYMENT.INFO
Q-ACH-PAYMENTS.INFO
QACHPAYMENTS.INFO
Q-ACHSHOP.INFO
Q-ACHS.INFO
Q-ACHSITE.INFO
Q-ACHSTORE.INFO
Q-ACHTODAY.INFO
Q-ACH-TRANSACTIONS.INFO
QACHTRANSACTIONS.INFO
Q-PAYMENTBLOG.INFO
Q-PAYMENT.INFO
QPAYMENTMETHOD.INFO
QPAYMENTMETHODS.INFO
Q-PAYMENTNOW.INFO
Q-PAYMENTONLINE.INFO
QPAYMENTOPTION.INFO
QPAYMENTPROCESSING.INFO
QPAYMENTPROCESSOR.INFO
QPAYMENTSCHEDULE.INFO
Q-PAYMENTSHOP.INFO
Q-PAYMENTS.INFO
Q-PAYMENTSITE.INFO
QPAYMENTSOLUTION.INFO
QPAYMENTSOLUTIONS.INFO
Q-PAYMENTSTORE.INFO
QPAYMENTTERMINAL.INFO
Q-PAYMENTTODAY.INFO
QPAYMENTTRANSACTION.INFO
QTRANSFERADMISSION.INFO
QTRANSFERAGENT.INFO
QTRANSFERAPPLICANTS.INFO
Q-TRANSFERBLOG.INFO
QTRANSFERFILES.INFO
QTRANSFERGUIDES.INFO
Q-TRANSFER.INFO
QTRANSFER.INFO
Q-TRANSFERNOW.INFO
Q-TRANSFERONLINE.INFO
QTRANSFERPRICING.INFO
QTRANSFERREQUEST.INFO
Q-TRANSFERSHOP.INFO
Q-TRANSFERS.INFO
Q-TRANSFERSITE.INFO
Q-TRANSFER-STATION.INFO
QTRANSFERSTATION.INFO
Q-TRANSFERSTORE.INFO
Q-TRANSFERTODAY.INFO
RTRANSFERADMISSION.INFO
RTRANSFERAGENT.INFO
RTRANSFERAPPLICANTS.INFO
R-TRANSFERBLOG.INFO
RTRANSFERFILES.INFO
RTRANSFERGUIDES.INFO
R-TRANSFER.INFO
RTRANSFER.INFO
R-TRANSFERNOW.INFO
R-TRANSFERONLINE.INFO
RTRANSFERPRICING.INFO
RTRANSFERREQUEST.INFO
R-TRANSFERSHOP.INFO
R-TRANSFERS.INFO
R-TRANSFERSITE.INFO
R-TRANSFER-STATION.INFO
RTRANSFERSTATION.INFO
R-TRANSFERSTORE.INFO
R-TRANSFERTODAY.INFO
TERMINAL-B-ACH.INFO
TERMINALBACH.INFO
THEACHDETAILS.INFO
THEACHINFORMATION.INFO
THEACHREPORT.INFO
THEA-TRANSFER.INFO
THEB-ACH.INFO
THED-PAYMENT.INFO
THEG-PAYMENT.INFO
THEP-ACH.INFO
THEQ-ACH.INFO
THEQ-PAYMENT.INFO
THEQ-TRANSFER.INFO
THER-TRANSFER.INFO
THET-TRANSFER.INFO
THEV-ACH.INFO
THEW-ACH.INFO
THEZ-PAYMENT.INFO
TTRANSFERADMISSION.INFO
TTRANSFERAGENT.INFO
TTRANSFERAPPLICANTS.INFO
T-TRANSFERBLOG.INFO
TTRANSFERFILES.INFO
TTRANSFERGUIDES.INFO
TTRANSFER.INFO
T-TRANSFERNOW.INFO
T-TRANSFERONLINE.INFO
TTRANSFERPRICING.INFO
TTRANSFERREQUEST.INFO
T-TRANSFERSHOP.INFO
T-TRANSFERS.INFO
T-TRANSFERSITE.INFO
T-TRANSFER-STATION.INFO
TTRANSFERSTATION.INFO
T-TRANSFERSTORE.INFO
T-TRANSFERTODAY.INFO
V-ACH-ACCOUNTS.INFO
VACHACCOUNTS.INFO
V-ACHBLOG.INFO
V-ACH.INFO
V-ACHNOW.INFO
V-ACHONLINE.INFO
V-ACH-PAYMENT.INFO
VACHPAYMENT.INFO
V-ACH-PAYMENTS.INFO
VACHPAYMENTS.INFO
V-ACHSHOP.INFO
V-ACHS.INFO
V-ACHSITE.INFO
V-ACHSTORE.INFO
V-ACHTODAY.INFO
V-ACH-TRANSACTIONS.INFO
VACHTRANSACTIONS.INFO
W-ACH-ACCOUNTS.INFO
WACHACCOUNTS.INFO
W-ACHBLOG.INFO
W-ACH.INFO
W-ACHNOW.INFO
W-ACHONLINE.INFO
W-ACH-PAYMENT.INFO
WACHPAYMENT.INFO
W-ACH-PAYMENTS.INFO
WACHPAYMENTS.INFO
W-ACHSHOP.INFO
W-ACHS.INFO
W-ACHSITE.INFO
W-ACHSTORE.INFO
W-ACHTODAY.INFO
WACHTRANSACTIONS.INFO
WARRENGPAYMENT.INFO
ZPAYMENTARRANGEMENT.INFO
Z-PAYMENTBLOG.INFO
ZPAYMENTCARD.INFO
ZPAYMENTCARDS.INFO
ZPAYMENTDATES.INFO
ZPAYMENTDEADLINE.INFO
ZPAYMENTDEFINITION.INFO
ZPAYMENTINSTRUMENTS.INFO
ZPAYMENTLOCATIONS.INFO
Z-PAYMENTONLINE.INFO
ZPAYMENTPLATFORM.INFO
ZPAYMENTPROTECTION.INFO
Z-PAYMENTSHOP.INFO
Z-PAYMENTS.INFO
Z-PAYMENTSITE.INFO
Z-PAYMENTSTORE.INFO
Z-PAYMENTTODAY.INFO
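
The four pharmacy and ACH campaigns above (Facebook Goods, Delivery Notification, Twitter unread messages, and this NACHA round) each combine a distinctive sender form with a distinctive subject or link shape. As an added example (not code from MX Lab or from the authors of the NACHA post), the Python below turns those observations into mail-filter rules and runs them over constructed messages. The message format, the recipient and the non-page hostnames are invented; the patterns come from the posts. The rules deliberately pair a sender pattern with a subject or link pattern, because facebookmail.com and postmaster.twitter.com senders are also used by the real services.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# The ten subject lines from the NACHA post, lower-cased.
NACHA_SUBJECTS = {
    "ach payment canceled", "ach payment rejected", "ach transaction canceled",
    "ach transfer canceled", "ach transfer rejected", "rejected ach payment",
    "rejected ach transaction", "rejected ach transfer", "your ach transaction",
    "your ach transfer",
}
# Every domain in the list above contains ACH, PAYMENT or TRANSFER under .INFO.
# Too broad on its own, so it is only applied together with a nacha.org sender.
NACHA_DOMAIN = re.compile(r"^[a-z-]*(ach|payment|transfer)[a-z-]*\.info$", re.I)
# "twitter-message-RECIPIENT=DOMAIN@postmaster.twitter.com"
TWITTER_FROM = re.compile(
    r"^twitter-message-(?P<user>[^=@]+)=(?P<domain>[^@]+)@postmaster\.twitter\.com$", re.I)
# "www-NNNNN.outdomnovolume.net" with a changing five-digit number
DELIVERY_LINK = re.compile(r"^www-\d{5}\.outdomnovolume\.net$", re.I)
FACEBOOK_FROM = re.compile(r"^update\+[a-z0-9]+@facebookmail\.com$", re.I)


def link_parts(body: str) -> tuple[list[str], list[str]]:
    """Hostnames and paths of every URL found in the body."""
    hosts, paths = [], []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        hosts.append((parts.hostname or "").lower())
        paths.append(parts.path)
    return hosts, paths


def classify(msg: dict) -> list[str]:
    """Names of the campaigns a message matches (empty list = no rule fired)."""
    sender = msg["from"].lower()
    subject = " ".join(msg["subject"].lower().split())
    hosts, paths = link_parts(msg["body"])
    hits = []
    if sender.endswith("@nacha.org") and subject in NACHA_SUBJECTS \
            and any(NACHA_DOMAIN.match(h) for h in hosts):
        hits.append("nacha-ach")
    m = TWITTER_FROM.match(sender)
    if m and subject.startswith("twitter") and "unread message" in subject:
        hits.append("twitter-unread")
        # The forged local part embeds the recipient; a mismatch with To: is a further tell.
        if f"{m['user']}@{m['domain']}" != msg["to"].lower():
            hits.append("twitter-unread:recipient-mismatch")
    if re.fullmatch(r"notification-\d{5}", msg["display"], re.I) \
            and any(DELIVERY_LINK.match(h) for h in hosts):
        hits.append("delivery-notification")
    if FACEBOOK_FROM.match(sender) and subject == "welcome to facebook goods" \
            and "/s/h/o/p/" in paths:
        hits.append("facebook-goods")
    return hits


# Constructed messages: one per campaign plus a legitimate-looking notification.
SAMPLES = [
    {"display": "risk", "from": "risk@nacha.org", "to": "jane@corp.example",
     "subject": "Rejected ACH transaction",
     "body": "The ACH transfer (ID: 65388185980) was cancelled. "
             "Please click here http://ACHDETAILSNOW.INFO/view.php to view details"},
    {"display": "Twitter", "to": "jane@corp.example",
     "from": "twitter-message-jane=corp.example@postmaster.twitter.com",
     "subject": "Twitter – You have 2 unread message(s)",
     "body": "http://pills.example/unread"},
    {"display": "Notification-15955", "to": "jane@corp.example",
     "from": "lwnfc@vowyg2kynvx4.veridomlegal.net",
     "subject": "Delivery Notification", "body": "http://www-48023.outdomnovolume.net"},
    {"display": "Facebook", "from": "update+bscts2qxhedj@facebookmail.com",
     "to": "jane@corp.example", "subject": "Welcome to Facebook Goods",
     "body": "http://www.domainhere.tld/s/h/o/p/ and three more like it"},
    {"display": "Facebook", "from": "update+abcdef123456@facebookmail.com",
     "to": "jane@corp.example", "subject": "Jane, you have a new friend request",
     "body": "http://www.facebook.com/n/?reqs.php"},
]


def classify_all(messages=SAMPLES) -> list[list[str]]:
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLES, classify_all()):
        print(f"{msg['subject']!r:45} -> {result or 'no match'}")
```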

Posted in Security (6 comments)

Protect Processes from Spyware With Windows Integrity Levels

The ability to log keystrokes is a common feature in malicious programs. Endpoint security tools, including anti-virus software, typically include anti-keylogger capabilities to combat this threat, but they don’t always work. Fortunately, Windows Vista, 7 and Server 2008 include a feature called mandatory integrity levels (MIL) that, if used correctly, can reduce the risk of users’ keystrokes being logged.

Keylogger in Action

Malware authors can be very creative in coming up with approaches to spy on the victim’s activities. One way to experiment with such capabilities is to use non-malicious anti-spyware test programs that Zemana offers as a free download. For instance, the KeyLogger Test Program was able to capture the victim’s password even though the user had a modern Internet security suite installed:

Windows Integrity Levels for Processes

Microsoft incorporated integrity levels into Windows to restrict “the access permissions of applications that are running under the same user account.” These mandatory access controls assign trust labels, such as Low, Medium and High, to operating system objects, such as files and processes. The goal, according to Tony Bradley, is to:

“Ensure that only objects with an integrity level equal to or greater than the target object are allowed to interact with it. Essentially, if an object is less trustworthy, it is prohibited from acting on, or interacting with more trustworthy objects.”

Integrity levels take precedence over traditional discretionary controls, which continue to exist in Windows at NTFS and registry levels.

Even when users are logged into Windows with administrative privileges, the processes they launch are assigned, by default, the Medium integrity level. You can view process’ integrity levels using Process Explorer. (To enable this column, go to View > Select Columns… > Integrity Level.)

In the keylogger example above, both the “spyware” process (keyboard.exe) and the “victim” process (KeePass.exe) were running under the same integrity level (Medium). This is partly why the keylogger was able to capture the victim’s password.

Note that Process Explorer (procexp.exe) was running under the High integrity level to have full visibility into all aspects of the system. To accomplish this, the user selected “Run as administrator” when launching its shortcut. This presented the user with the User Access Control confirmation screen, which is another feature for making it more difficult for malware to escalate its privileges (e.g., run with the High integrity level) without the user’s acknowledgement.

Using Windows Integrity Levels to Combat Spyware

Since Windows assigns the Medium integrity level to processes by default even if the user has administrative privileges, there’s a good chance that user-mode spyware will be running at the Medium integrity level. To make it harder for the malicious program to spy on the victim, users can launch the processes they need to protect from spyware under the High integrity level.

For instance, the user can select “Run as administrator” when launching KeePass. Process Explorer shows that in this case, the sensitive process runs under the High integrity level:

Because Windows doesn’t allow objects from a lower integrity level to access objects from a higher level, the keylogger is no longer able to capture the person’s keystrokes:

Windows integrity levels, when actually put to use, provide victims with some level of protection against malware. This mechanism is a powerful add-on to the traditional way of combating spyware by relying solely on anti-virus tools.

Note that my recommendation to run certain processes under the High integrity level only applies to tools that are not frequently at risk of being targeted by exploits, such as a password vault application. Programs that are at high risk of exploitation, such as web browsers, should be run with lower integrity levels to limit the capabilities of the exploit’s payload.
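
To make the rules in this post and in the companion post on files above concrete, here is an added Python model (not Lenny Zeltser's code and not Windows' own access check) of the mandatory integrity decision: a subject at or above the object's level passes; a lower subject is stopped only by whichever of the no-write-up, no-read-up and no-execute-up policies is set on the label. The default label and the result of "chml -i:h -nr" are taken from the file post; the process-to-process rule is the one the keylogger example relies on. The SDDL rendering assumes the standard mandatory-label ACE syntax, and the scenario names are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class IL(IntEnum):
    """Windows mandatory integrity levels, ordered; higher is more trusted."""
    LOW = 1
    MEDIUM = 2   # default for user processes and newly created files
    HIGH = 3     # "Run as administrator" after the UAC prompt
    SYSTEM = 4


# Short SDDL SID names for the mandatory-label ACE of each level.
SDDL_SID = {IL.LOW: "LW", IL.MEDIUM: "ME", IL.HIGH: "HI", IL.SYSTEM: "SI"}


@dataclass(frozen=True)
class Label:
    """Integrity label on an object: its level plus the three 'up' policies.
    Defaults mirror what the file post observed with Chml on a fresh file."""
    level: IL
    no_write_up: bool = True
    no_read_up: bool = False
    no_execute_up: bool = False

    def to_sddl(self) -> str:
        """Mandatory-label ACE in SDDL form, e.g. S:(ML;;NRNW;;;HI)."""
        flags = "".join(f for f, on in (("NR", self.no_read_up),
                                        ("NW", self.no_write_up),
                                        ("NX", self.no_execute_up)) if on)
        return f"S:(ML;;{flags};;;{SDDL_SID[self.level]})"


def default_file() -> Label:
    """What a newly created file gets, even from an administrator."""
    return Label(IL.MEDIUM)


def hardened_file() -> Label:
    """Result of 'chml secret.txt -i:h -nr' from the file post: High + no-read-up."""
    return Label(IL.HIGH, no_read_up=True)


def mandatory_check(subject: IL, obj: Label, access: str) -> bool:
    """The integrity check that runs before the DACL is consulted. A subject at
    or above the object's level passes; a lower one is refused only by the
    matching 'up' policy. A pass here still has to survive the DACL check."""
    if subject >= obj.level:
        return True
    blocked = {"read": obj.no_read_up, "write": obj.no_write_up,
               "execute": obj.no_execute_up}[access]
    return not blocked


def process_can_act_on(actor: IL, target: IL) -> bool:
    """Process-to-process rule from the keylogger example: a process may open
    or send input to another only if its level is at least the target's."""
    return actor >= target


def scenarios() -> dict:
    """The page's claims, evaluated by the model above."""
    return {
        "low process reads default (Medium) file":
            mandatory_check(IL.LOW, default_file(), "read"),
        "low process writes default (Medium) file":
            mandatory_check(IL.LOW, default_file(), "write"),
        "low process executes default (Medium) file":
            mandatory_check(IL.LOW, default_file(), "execute"),
        "medium process reads High file without NR":
            mandatory_check(IL.MEDIUM, Label(IL.HIGH), "read"),
        "medium process reads High file with NR":
            mandatory_check(IL.MEDIUM, hardened_file(), "read"),
        "high process (Run as administrator) reads High file with NR":
            mandatory_check(IL.HIGH, hardened_file(), "read"),
        "medium keylogger vs medium KeePass":
            process_can_act_on(IL.MEDIUM, IL.MEDIUM),
        "medium keylogger vs high KeePass":
            process_can_act_on(IL.MEDIUM, IL.HIGH),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
    print("hardened label:", hardened_file().to_sddl())
```

The last two scenarios are the whole argument of this post in miniature: nothing about KeePass changed except its level, and the Medium keylogger lost the ability to act on it. The same model also shows why the caveat above matters: a High-level browser exploited by a payload would give that payload High-level access to everything the user can reach.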

If this topic interests you, consider the Combating Malware in the Enterprise course I co-authored, which discusses Windows integrity levels among numerous other relevant topics. Also, take a look at the Integrity Levels and DLL Injection write-up by Didier Stevens and at chml and regil utilities by Mark Minasi.

Lenny Zeltser

Posted in Security

Patchday: Fresh releases from Microsoft and Google

As announced last Friday, Microsoft released 3 Security Bulletins which deal with patches for 4 security vulnerabilities. One of them is rated critical and resides within the DirectShow framework for the Windows Media Player and Windows Media Center. Other security vulnerabilities which allow for remote code execution affect the Remote Desktop Client and Microsoft Groove. Users and administrators should make sure to install the updates soon.

Also, Google released another stable version of its Chrome web browser, 10.0.648.127. This release closes 23 security holes; last week the developers had already fixed 18 vulnerabilities. This time, 15 of them are rated high, 3 medium and 5 low. Some additional features make the new version even more interesting: a new version of the JavaScript engine, which is said to be faster, a sandboxed Adobe Flash Player in the Windows version of Chrome, and GPU-accelerated video playback, to name a few.

The new release is available via automatic update and thus should be installed already. To make sure to use the latest version, click on the Tool symbol in Chrome and click on “About Chrome”.

As the Mozilla developers also rushed out a new browser version a short time ago, one could assume that this has to do with the upcoming Pwn2Own contest at the CanSecWest security conference, where hackers can win cash prizes by breaking into a PC, for example via the web browser. In any case, since the new versions close security vulnerabilities that cyber crooks can abuse to hijack the computer, it is a good idea to install them ASAP!

Dirk Knop
Technical Editor

Posted in Avira

Vulnerability in PDF Reader – from Foxit

This time a new security vulnerability has been found, and already fixed in an updated version, in the alternative PDF reader from Foxit. Users of outdated versions of Foxit PDF Reader can get their PC infected, for example with a Trojan, by opening manipulated PDF files delivered via email or web sites.

The updated version is available via the company’s web site or via the integrated update mechanism – go to the “help” menu and click on “Check for updates”, there choose the new version, click “Add” and then “Install”.

Dirk Knop
Technical Editor

Posted in Avira

Work from home

Work from home scams target those looking to earn some extra cash

In the last few days we’ve seen a rise in the number of people contacting us about “work from home” scams, and we were curious whether, as we’ve seen before on Twitter, dubious job opportunities were being promoted via social networking sites.

We certainly found a sizable number of Facebook pages, which appeared to have been created specifically to target mothers of young children, who might want to earn some extra dollars without having to leave their homes. In some cases, the pages include videos of “success stories”, giving case studies of how much money has been made by taking part in the schemes.

Of course, things are rarely that straightforward.

Here’s an exchange on Facebook between a couple of users, one of whom has signed up for a “work at home mom” scheme, and another who is somewhat more wary.

Work from home discussion on Facebook

The site in question – called WS6Daily – looks like a genuine news website, but it’s far from it.

Work at home website

Because if you scroll down the page, you’ll find the small print:

It is important to note that this site and the stories depicted above is to be used as an illustrative example of what some individuals have achieved with this/these products. This website, and any page on the website, is based loosely off a true story, but has been modified in multiple ways including, but not limited to: the story, the photos, and the comments. Thus, this blog, and any page on this website, are not to be taken literally or as a non-fiction story. This blog, and the results mentioned on this blog, although achievable for some, are not to be construed as the results that you may achieve on the same routine. I UNDERSTAND THIS WEBSITE IS ONLY ILLUSTRATIVE OF WHAT MIGHT BE ACHIEVABLE FROM USING THIS/THESE PRODUCTS, AND THAT THE STORY DEPICTED ABOVE IS NOT TO BE TAKEN LITERALLY. This page receives compensation for clicks on or purchase of products featured on this site.

In other words, the story of how Kelly Richards made a pile of money is fiction. I guess it’s nice of them to explain that the story has been “modified” as are the photos and the comments that appear to have been left by other customers. It’s good that they say that “the story depicted.. is not to be taken literally”. And very honest of them to admit that they make money by getting people to click on the page and from purchasing their products.

But wouldn’t it have been better if they hadn’t hidden this – rather important detail – at the bottom of the page in a tiny font?

If you’re nervous and try to move away from the bogus news site, you’re given the hard sell again – and urged to take up your amazing opportunity.

Popup message

And why is it that if you click on any of the navigation tabs (to subjects like “SciTech”, “Entertainment” and “Politics”) you don’t see any news content, but are instead taken to an affiliate page encouraging you to sign up for the last few spaces on the ‘get-rich-quick by working from home’ scheme?

Home Income Kit

Amusingly, as soon as I tried to quit that page it told me that I was qualified for a further £10 reduction, and offered the work from home scheme to me for just £9.97. They’re certainly desperate for people to sign up at any cost.

You have to wonder, has this organisation really been featured on MSNBC, ABC, USA Today, CNN and the BBC? And if they were, can we be sure it was in a positive way?

As an aside, in late 2009 we reported on how Google was suing companies who produced very similar-looking websites to WS6Daily, after work-at-home sites presented their “news” as though it was the search engine giant that was doing the hiring.

There are plenty of people who are looking after young children who would probably love to spend a couple of hours each day, working from home, to earn a crust. But be careful who you choose – some of the online schemes are undoubtedly scams – either just running off with your sign-up money or giving you no real prospect of ever generating a decent return for your time and hard work.

Check out this good FAQ on Work at Home scams if you want to learn more about the topic, and stay secure.

Posted in Sophos | Comments Off

From RSA 2011: Security, Social Media and Spies

Like my colleagues, I also attended RSA 2011 Conference in San Francisco last week. As they have shared in their posts on the hackers and threats sessions, I would like to share some of my experiences and learnings on sessions involving social media, spies and security.

Mapping an Organization’s DNA Using Social Media

Abhilash Sonwane of Cyberoam discussed the findings of their research involving 20 random small and medium companies across the globe. His team tracked the social media activities of these companies’ employees via Facebook, Twitter and LinkedIn streams. This was done without employing any malicious tactics such as spear phishing or malware infection.

It is interesting that by simply correlating the employees’ social media presence, the researchers were able to map the DNA of the company. By DNA we mean a collection of data such as the morale of employees and of the company as a whole. This includes sensitive information such as who makes the buying decisions. While such information per se may not be directly related to any kind of threat, it can be used by competitors (and potentially the bad guys) to their advantage.

My key takeaway from this session is that it is very important for companies to strive to create a balance between the benefits and risks of social media. Companies should have solid social media policies to raise awareness among employees about its proper use and corresponding challenges. Furthermore, to cover both internal and external risks, social media policies should be aligned with technology solutions that security companies offer.

How to Recruit Spies on the Internet

In his presentation, Ira Winkler of Internet Security Advisors Group debunked the typical James Bond stereotype that the general population has with spies. He briefly discussed the usual motivation behind espionage—MICE (Money Ideology Coercion and Ego)—and how potential operatives can use these motivations in conjunction with social media information mining to get confidential information. Social media is a huge goldmine of information and he outlined a possible scenario wherein a foreign operative can easily get to a target and extract classified information without revealing his spy status.

My key takeaway from this session reiterates my learnings from the other session. That is, social media has its corresponding risks and rewards. As security professionals, we need to have a strong security mindset and integrate it well with our social media. Everybody can become a victim here and social media security awareness is a key contributor in mitigating this risk. It is also advisable to share this with our less-techie friends from our social circles so that they will be better informed.

Conclusion

The scenarios presented by Abhilash and Ira seem easy to carry out. And if we add malware and other malicious activity by cybercriminals to the equation (take ZeusiLeaks, for example), the information and intelligence gathering will take even less effort. The security industry needs to adapt to the challenges in the threat landscape, which the Trend Micro™ Smart Protection Network™ aims to do with its multi-layer protection via its File, Email and Web Reputation Services. But more importantly, organizations need to protect themselves from both internally and externally driven threats through proper user awareness and strong security policies.

Post from: TrendLabs | Malware Blog – by Trend Micro

Posted in Trendmicro | Comments Off

Naked pictures from Emily carry fake anti-virus surprise

It’s 8:30am. You stumble into work half asleep and slouch at your desk. You boot up your computer.. tick tick tick. It runs its system diagnostics and you see the Windows logo lurch into view.

Umpteen programs (half of which you’ve forgotten what they do) start up in your system tray, and you automatically click on your email inbox. More whirring, wheezing and hissing..

Slowly your inbox comes into view and you find an email, from a young woman called Emily.

Naked pictures malicious email

Subject: nake pics as you've requested

Message body:
I am hungry for sex. If you feel the same then take a look at my picture I am attaching to this email and reply back so we could hook up.

Attached file: pic.scr

Suddenly you perk up! Bonjour!

It’s a trick as old as time, of course. Unsolicited emails, arriving out of the blue, offering you pictures of the sender’s naked wife, a nude picture of Jennifer Lopez or a school sweetheart with pigtails, but really delivering a sting in the tail.

In this latest case, the attachment carries a Trojan horse – Troj/FakeAV-IU – which attempts to scare you into buying a fake anti-virus product.

Come on guys, it’s 2011. We should all be smart enough not to fall for tricks like this anymore. You should always be asking yourself why is someone sending this to me? Do I seriously imagine that a complete stranger is going to seek me out as a sexual partner over the internet, sending me photos of herself naked, despite never having communicated with me before?

Computer technology is becoming more sophisticated all the time, but it seems that its users are still neanderthals when it comes to being duped by simple social engineering tricks like the promise of naked pictures.

Posted in Sophos | Comments Off

Data leakage and dictionary attack stories from RSA

Last year, I wrote several Naked Security articles about computer security problems which can put travellers in harm’s way. The topics I covered were:

* The free WiFi service at San Francisco airport with Terms and Conditions which authorised the network operator to access your device and the information stored on it.

* The no-responsibility-for-your-property attitude of the private security company at Canberra airport – a company which nevertheless insists on separating you from your laptop for an indeterminate amount of time during screening.

* The chap at Sydney airport who used a kiosk computer in the Qantas lounge and left behind a veritable audit trail of personal email information – including his name, employer, job and details of recent business meetings.

* Paul Craig’s live demonstration at Kiwicon of the woeful insecurity of many internet kiosks, even if you avoid the self-inflicted data leakage problems of the previous story by clearing browser history and logging out when you’re finished.

I’m now on my way back from the RSA conference in San Francisco – where I can tell you that the WiFi Terms and Conditions at the airport are still as onerous as they were last year – with an amusing fifth anecdote to add to my Travellers Beware series.

The crumpled-up PostIt note you see above was dropped in the lobby of one of the big hotels near the Moscone Center, the outsized conference venue near Union Square at which the RSA event is held.

The note doesn’t record the name of the person whose BlackBerry Enterprise Server connection it relates to. But conference delegates have a habit of leaving their nametags on, even back at the hotel. This seems to be a subcultural nicety of the conference circuit.

So you can often tie discarded data fragments – such as the pictured PostIt – back to a company, and in many cases, to an individual. (It’s not even rude if you’re caught trying to make out someone’s nametag across the lobby. That’s what nametags are for, after all.)

Making that sort of connection converts raw data into PII, or Personally Identifiable Information. And PII really needs to be kept private.

Don’t let yourself fall into bad data leakage habits whilst you’re on the road. And data doesn’t just leak from electronic devices such as laptops and phones. Hastily scribbled notes, memos to yourself and carelessly discarded invoices and tickets can help identity thieves to accumulate PII which they can abuse or sell on at a later stage.

And please choose decent passwords. If you’re a sysadmin, don’t fall into the habit of choosing trivial passwords because they’re easier to read out to users when they’re on the road. (As an aside, teach yourself and your fellow administrators the NATO Phonetic Alphabet and you’ll find it much easier to describe arcane command lines and to read out complex passwords.)

The password in the pictured example is especially amusing. It brings a whole new excitement to the concept of a dictionary attack, since a (and not aardvark, as popularly imagined) is always the very first entry in any dictionary of the English language.

Watch how to choose a decent password here:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)

If you’re concerned about privacy – your own and that of your valued customers – why not download our free Data Security toolkit?

Posted in Sophos | Comments Off

From RSA 2011: Last Nail in the Coffin for Signature-Based AV

For the last two decades, the RSA Conference has enabled some of the best minds in the security industry to gather and engage in valuable discussions. For engineers like me, however, one goes to security conferences to watch and soak up the industry talk and see real, compelling security issues as they are inspected from all sides. Here, new technologies and technology applications are dissected, connections are made, secret stories are revealed.

Is AV really, truly dead?

Thus, considering some truths already well known to security practitioners, it might appear quite strange to see a panel entitled “The Death of Signature-Based AV: How to Stop Today and Tomorrow’s Malware.” We already know that malware volume is growing exponentially and that, just as technology has evolved, the number of threats and the means by which they are delivered have also changed over the years, so one-to-one signatures are no longer effective overall.

The panel’s title perhaps expresses a final poke at the issue, because we do know that the question about whether AV is dead has been summed up time and again by several security experts, including our very own Eva Chen in 2008, with a strong yes. Or maybe a qualified yes: after all, signature-based AV will continue to be a necessary but insufficient element of security measures, but insofar as using it as the singular strategy to combat malware in the foreseeable future, its heyday is very much over.

The panel was comprised of executives from some of today’s top security companies (Raimund Genes, Nikolay Grebennikov, George Kurtz, and Stephen Trilling), so anything that was to come out of the discussion would more or less carry some weight. True enough: all panelists were in agreement that a silver bullet solution for threats no longer exists. As Trend Micro CTO Raimund Genes said, signature-based technology is only good for system cleanup and in identifying the specific system modifications made in order to restore the system to its original state. Effective threat prevention today requires a more proactive combination of approaches that take various infection vectors into consideration.

Enter: the Cloud, etc.

Similar thinking was evident in the overall theme of this year’s conference tracks. With cloud computing, virtualization and their various models and implementations, and the consumerization of mobile devices as the industry’s current major ‘new frontiers’, security experts and users alike need to keep up and take full responsibility for what, when, where, how (and even why) data is transmitted. Consider the move to the cloud as an opportunity to challenge existing notions about security, and to build security in from the ground up instead of bolting it on as an afterthought.

The discussion ended with the host asking the panelists whether they think they will still be talking about the same topic in five years. All agreed that malware will still be discussed; however, the discussion will focus more on malware that uses different technologies and attack vectors.

As Arthur Coviello said in his keynote speech, we are only as good as the last attack we have withstood. Cloud computing works and it will continue to work as it becomes further integrated into the industry. It is no longer a question of whether the cloud can be trusted to do its job. The real challenge is protecting the cloud so it can do its job securely and enable an effective ecosystem of trust.

Post from: TrendLabs | Malware Blog – by Trend Micro

Posted in Security | Comments Off

Lessons to learn from the HBGary Federal hack

The Anonymous attack on HBGary Federal may have amused some who enjoyed the sight of a security firm left embarrassed and exposed, but it should send a shiver down the spine of any IT administrator responsible for securing their own company.

Because can you honestly put your hand on your heart and say a hack like the one against HBGary Federal couldn’t happen at your organisation too?

As Ars Technica explains, a weakness in a third-party CMS product used by HBGary’s website allowed Anonymous hackers to steal passwords that employees used to update the webpages.

Unfortunately they were passwords that weren’t encrypted strongly enough, and were possible to crack with a rainbow-table based attack. Amongst those exposed were CEO Aaron Barr and COO Ted Vera.

Worse still, it appears that Aaron Barr and Ted Vera were using the same passwords for their Twitter and LinkedIn accounts, and even for an account which administered the entire company’s email.

By exploiting software vulnerabilities, poor passwords and even some tried-and-trusted social engineering (see below) it was trivial for the hackers to steal the entire company’s email and deface its website.

HBGary socially engineered

As Chet explained in an earlier article, an employee not seeking proper verification when a company executive apparently asks for help can result in a corporate disaster.

But more than that, it’s also essential that all staff learn about how to use passwords properly.

For instance, don’t use easy-to-crack or obvious passwords. If you do, you’re asking for trouble.

And it’s critical that different passwords are used for different accounts. That way if your password gets exposed in one place, there won’t be a domino effect as a series of other accounts are unlocked by criminals using the same credentials.

Unconvinced by the scale of the problem? Well, Sophos’s research has found that 33% of people use the same password on every single website.
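The rainbow-table and password-reuse points above are easiest to see in code. The following is an added example, not code from this post, from Ars Technica or from HBGary; it uses Python's standard-library PBKDF2, a constructed four-entry stand-in for a precomputed table, and an assumed iteration count of 100,000:

```python
"""Why salted, iterated password hashing blunts a rainbow-table attack.

Added example; not code from the Sophos post, from Ars Technica or from
HBGary. The tiny 'precomputed table' below is constructed for illustration;
the iteration count is an assumed work factor.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ITERATIONS = 100_000  # assumed work factor; raise it as hardware allows

# Constructed stand-in for a precomputed (rainbow) table: unsalted hash -> plaintext.
WEAK_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def unsalted_md5(password: str) -> str:
    """The kind of storage a precomputed table defeats: one fixed hash per plaintext."""
    return hashlib.md5(password.encode()).hexdigest()


PRECOMPUTED: Dict[str, str] = {unsalted_md5(p): p for p in WEAK_PASSWORDS}


def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """Recover a plaintext by direct table lookup; works only because there is no salt."""
    return PRECOMPUTED.get(stored_hash)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16) if salt is None else salt  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def accounts_sharing_password(password: str, records: Dict[str, str]) -> List[str]:
    """Audit a user's own vault: which accounts would fall to one leaked password."""
    return sorted(name for name, rec in records.items() if verify_password(password, rec))


if __name__ == "__main__":
    # Unsalted: the table recovers the plaintext with one dictionary lookup.
    print(lookup_unsalted(unsalted_md5("letmein")))        # letmein
    # Salted and iterated: same password, different records, nothing to look up.
    a, b = hash_password("letmein"), hash_password("letmein")
    print(a != b, verify_password("letmein", a))           # True True
    vault = {"twitter": a, "linkedin": b, "mail-admin": hash_password("Tr0ub4dor&3")}
    print(accounts_sharing_password("letmein", vault))     # ['linkedin', 'twitter']
```

Two users with the same password get different records, so a table keyed on the hash alone has nothing to match, and each guess now costs ITERATIONS hash computations instead of one. accounts_sharing_password is the other half of the lesson: salting does nothing about one leaked password opening several accounts, which only distinct passwords prevent.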

In the wake of the attack, HBGary withdrew from the RSA Conference taking place in San Francisco this week, and replaced their booth with a sign:

HBGary sign at RSA Conference, San Francisco

Read the in-depth piece by Ars Technica now, investigating how the HBGary Federal hack occurred, and learn lessons which you can apply inside your own company. After all, you don’t want to be the next firm to have to put up a sign like that.

HBGary sign image credit: Colbinator on TwitPic.

Posted in Sophos | Comments Off

“It is amazing how quickly mobile communications has gone from the most secure to the least anonymous…”

“It is amazing how quickly mobile communications has gone from the most secure to the least anonymous form of communication.”

Boaz Gelbord, reflecting upon the current state of mobile device security in the context of the June 2010 iPad AT&T breach.

Posted in Security | Comments Off

Nigerian scam email claims to be from the FBI

Scam clue #1: FBI personnel can probably write proper English

Alert reader Brian in GFI Business Customer Support forwarded this gem:

From: Sean Dean. [mailto:Sean.Dean@Fbi.gov.us]
Sent: Thursday, February 10, 2011 5:00 AM
To: xxxxxxxx
Subject: Payment Codes: R5109176K

Federal Bureau of Investigation
FBI Seattle Division
1110 Third Avenue
Seattle, Washington 98101-2904

Payment Codes: R5109176K
Reg No: 132731593
Date: February 09, 2011

The Federal Bureau of Investigation (FBI) has discovered through our intelligence Monitoring Network, that you have an on going transaction with a Financial Institution in Nigeria, as the owner of 7.500,000 United State Dollar.

Therefore, the FBI Seattle Division in conjunction with the Economic and Financial Crimes Commission (EFCC), Has screened through our various Monitoring Networks and has been confirmed and notified that the transaction you have with the Financial Institution is Legal and you have the Lawful Right to claim your due fund. We advise you to go ahead with the transaction as we are monitoring all their services and networks. Be advised that any letter or claims notification received from anybody or company should be forwarded to us with immediate effect.

Meanwhile, you are advised to follow the procedure of the Financial Institution. They have their own legal procedure which we have examined and confirmed legal. Follow their instructions while you keep us updated for more details. You are advised to contact the necessary office for more details of transfer as we are monitoring every move now.

Please, be advised and be aware that your funds had been insured and the necessary charges would be taken care of by you, as confirmed by the Monitoring network. For your own good you are advised to confirm any transaction or lottery promo you have either involved yourself with in the past to enable us trace this scammers. Only the Financial Institution has been confirmed Legal any other are still under investigation, and so many others are scam, most especially from Nigeria and Africa.

Please contact the Head of Operations Dr. Tolu Williams, Central Bank of Nigeria.

Dr. Tolu Williams (Head of Operations)
International Remmitance Department
Telephone: +234 808 089 0964
Fax: +234 1 473 5623
Email: central_desks@live.com

Provide him with the information below for verification:

Your name:…………………….
…………………
Residential Address:……………………………
Telephone number:……………………………..

If you need to contact me at any stage please do not hesitate to call (206)350-6981.

Sincerely,

Steven M. Dean (Assistant Special Agent-in-Charge)

One hopes the hilariously bad spelling, punctuation, grammar and capitalization in this thing warn any recipient that it just might not be genuine.
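Beyond the spelling, the headers and contact details give this message away mechanically: the sender host only embeds fbi.gov, the "official" contact is a free webmail address, and the contact phone is outside the country of the claimed office. The following checks are an added example, not code from GFI Software or from the post's author; the sample is transcribed (and shortened) from the e-mail above, and the legitimate domain fbi.gov, the free-webmail list and the expected +1 country code are assumptions:

```python
"""Sender-domain and contact-detail heuristics for the "FBI" e-mail above.

Added example, not code from GFI Software or the post's author. SAMPLE is
transcribed (shortened) from the post; the legitimate domain, the
free-webmail list and the expected country code are assumptions.
"""
import re
from typing import List, Optional

LEGITIMATE_DOMAIN = "fbi.gov"      # assumed: where genuine FBI mail would originate
FREE_WEBMAIL = {"live.com", "gmail.com", "yahoo.com", "hotmail.com"}  # assumed list
EXPECTED_COUNTRY_CODE = "1"        # assumed: the letterhead claims a Seattle office

SAMPLE = """From: Sean Dean. [mailto:Sean.Dean@Fbi.gov.us]
Subject: Payment Codes: R5109176K

Federal Bureau of Investigation
FBI Seattle Division
1110 Third Avenue
Seattle, Washington 98101-2904

Please contact the Head of Operations Dr. Tolu Williams, Central Bank of Nigeria.
Telephone: +234 808 089 0964
Email: central_desks@live.com

If you need to contact me at any stage please do not hesitate to call (206)350-6981.

Steven M. Dean (Assistant Special Agent-in-Charge)
"""

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
INTL_PHONE_RE = re.compile(r"\+(\d{1,3})[\s\d-]{6,}")  # international prefix, then digits


def registrable_domain(address: str) -> str:
    """Last two labels of the address's domain (simplification: no public-suffix list)."""
    labels = address.rsplit("@", 1)[1].lower().split(".")
    return ".".join(labels[-2:])


def sender_address(headers: str) -> Optional[str]:
    """First e-mail address on the From: header line, if any."""
    for line in headers.splitlines():
        if line.lower().startswith("from:"):
            m = ADDRESS_RE.search(line)
            return m.group(0) if m else None
    return None


def scam_indicators(message: str) -> List[str]:
    """Return human-readable findings; an empty list means none of the checks fired."""
    findings: List[str] = []
    headers, _, body = message.partition("\n\n")  # blank line separates headers from body
    sender = sender_address(headers)
    if sender is None:
        findings.append("no sender address in From header")
    else:
        dom = registrable_domain(sender)
        host = sender.rsplit("@", 1)[1].lower()
        if dom != LEGITIMATE_DOMAIN:
            findings.append(f"sender domain {dom} is not {LEGITIMATE_DOMAIN}")
            if LEGITIMATE_DOMAIN in host:
                findings.append(f"sender host {host} merely embeds {LEGITIMATE_DOMAIN} (lookalike)")
    for addr in ADDRESS_RE.findall(body):
        if registrable_domain(addr) in FREE_WEBMAIL:
            findings.append(f"official contact on free webmail: {addr}")
    for cc in INTL_PHONE_RE.findall(body):
        if cc != EXPECTED_COUNTRY_CODE:
            findings.append(f"contact phone country code +{cc} does not match claimed office")
    return findings


if __name__ == "__main__":
    for finding in scam_indicators(SAMPLE):
        print("-", finding)
```

Each check is independent, so a message that trips only one still surfaces it; the lookalike test in particular catches the common trick of appending labels to a trusted domain name, which a plain substring match on "fbi.gov" would wave through.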

Tom Kelchner

Posted in GFI Software | Comments (1)

VIDEO: How to steal passwords from a locked iPhone

German researchers say that they have found a way to steal passwords stored on a locked Apple iPhone in just six minutes.

And they can do it without cracking the iPhone’s passcode.

Researchers from the Fraunhofer Institute Secure Information Technology (Fraunhofer SIT) say that the attack targets Apple’s password management system – known as the keychain.

Here’s a YouTube video where the German researchers demonstrate their attack in action:

The only hint of a silver lining is that the attack can not be done remotely – the attackers need physical access to your iPhone to steal information.

But if the attacker only needs to have his hands on your iPhone for six minutes, how much of a comfort is this really? Don’t forget, it’s not unusual for people to lose their mobile phones or leave them unattended on their desk while they pop off to the coffee machine.

Attack on iPhone revealing passwords

According to material published by Fraunhofer Institute SIT, sensitive password information can be extracted from a user’s iPhone without needing to know the passcode.

Passwords accessible through iPhone attack

The researchers claim that all iPhone and iPad devices containing the latest firmware are vulnerable. At a time when Apple and its fans are pushing hard for more companies to bring iPhones into the enterprise there will undoubtedly be concerns if these vulnerability claims are found to be true.

All eyes must now turn to Cupertino to see what Apple has to say about this.

Posted in Sophos | Comments Off

Featured Security Posts from January 2011

Now that a new month is upon us, I wanted to highlight several posts I wrote on this security blog in January 2011:

Last month my posts covered a number of topics, including malware on social networking sites and IT risk management.

Let’s see what the new month will bring!

Lenny Zeltser

Posted in Security | Comments Off

Grandmasters of cyber-fraud look for gains: November 2010 virus review from Doctor Web

December 3, 2010

In November cyber-criminals demonstrated even greater creativity than before. As a result, anti-virus vendors and users were confronted with new fraud techniques involving bootkit technologies. New modifications of encoder Trojans targeted European users. Criminals seeking the biggest gains attacked online banking systems.

Windows boot blocker

As soon as Trojan.MBRlock.1 appeared in the wild in November, it was employed by cyber-fraudsters. This malicious program is unlike any other malware used to implement fraud schemes.

It bypasses the UAC protection mechanism, so its installation goes unnoticed by users. Once installed, the Trojan writes its code into the MBR and into other nearby disk sectors.

The code written to the MBR loads data from the neighbouring disk sectors and displays a message demanding that users pay $100 to unlock their systems.

The message also informs a user that all of the files located on all of the computer’s disks are encrypted. This is not true.

In any event, a system compromised by the Trojan cannot be cured from inside, since it no longer boots.

Entering a correct password restores the MBR after which the installed operating system boots normally.

Currently several modifications of Trojan.MBRlock.1 are known, but Dr.Web detects them as the same piece of malware.

To cure the system, enter an ekol or jail unlock code. If neither works, contact the free Doctor Web technical support service for victims of cyber-fraud.

Certain modifications of Trojan.MBRlock.1 had been detected by the Dr.Web heuristic analyzer as MULDROP.Trojan before a corresponding entry was added to the Dr.Web virus database. Dr.Web users were protected from the Trojan even when no virus definitions for this malicious program were available.
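Because the Trojan lives in the MBR and the sectors after it, the sensible check is done offline: read the first sector of the disk from a rescue environment and compare it with a baseline taken while the machine was clean. The following is an added example, not code from Doctor Web; the layout it parses is the standard MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), the disk path /dev/sda in the docstring is an assumption, and both sample sectors are constructed:

```python
"""Parse a 512-byte MBR and check its boot code against a known-good baseline.

Added example; not code from Doctor Web or Dr.Web. Run it from a rescue
environment against the first sector of the disk (for example the first 512
bytes read from /dev/sda, an assumed path), never from the possibly
compromised system. The sample sectors below are constructed.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOTSTRAP_LEN = 446        # bytes 0..445: boot code, which a bootkit overwrites
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"    # bytes 510..511
ENTRY_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def parse_mbr(sector: bytes) -> Dict:
    """Return signature validity, a SHA-256 of the boot code, and the non-empty partitions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts: List[Dict] = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"valid_signature": sector[510:] == SIGNATURE,
            "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": parts}


def check_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> List[str]:
    """Return findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings: List[str] = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("boot code differs from known-good baseline")
    if not info["partitions"]:
        findings.append("partition table is empty")
    elif not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is flagged bootable")
    return findings


def used_gap_sectors(disk_image: bytes, first_lba: int) -> List[int]:
    """Non-zero sectors between the MBR and the first partition (sectors 1..first_lba-1).

    A clean Windows disk leaves most of this gap zero, but legitimate boot managers
    (GRUB's core image, for instance) also store code here, so treat hits as leads.
    """
    last = min(first_lba, len(disk_image) // SECTOR)
    return [i for i in range(1, last) if any(disk_image[i * SECTOR:(i + 1) * SECTOR])]


def _entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack(ENTRY_FMT, status, ptype, lba_start, sectors)


# Constructed known-good sector: a stub boot loader and one bootable NTFS partition.
CLEAN_BOOTSTRAP = (b"\xEB\xFE" + b"\x90" * 12).ljust(BOOTSTRAP_LEN, b"\x00")
CLEAN_MBR = CLEAN_BOOTSTRAP + _entry(0x80, 0x07, 2048, 204800) + _entry(0, 0, 0, 0) * 3 + SIGNATURE
BASELINE = hashlib.sha256(CLEAN_BOOTSTRAP).hexdigest()

# Constructed tampered sector: boot code replaced, partition table left intact.
TAMPERED_MBR = (b"\xB8\x00\x7C" + b"\xCC" * 40).ljust(BOOTSTRAP_LEN, b"\x00") + CLEAN_MBR[BOOTSTRAP_LEN:]

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, BASELINE))      # []
    print(check_mbr(TAMPERED_MBR, BASELINE))   # ['boot code differs from known-good baseline']
```

On a real disk, read the first 512 bytes into the sector argument from the rescue system and keep the baseline hash somewhere the running system cannot alter. The boot code is hashed separately from the partition table because the table legitimately changes when disks are repartitioned, while the boot code should not change between operating-system installs.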

New Trojan encoder

Encoder Trojans drew the public’s attention once again in November. This time criminals targeted European users.

Trojan.Encoder.88 uses the AES-256 encryption algorithm to encrypt documents in many popular formats, which makes recovering them without the key impractical: an exhaustive search of the key space for the key used on a single computer would require 2^256 operations, a number exceeding 10^77 (a 1 followed by 77 zeros).

A unique encryption key is generated for each compromised machine. It is encrypted using the RSA algorithm and saved to a disk as a text file.

Origins Tracing technology enabled Dr.Web to detect Trojan.Encoder.88 as Trojan.Encoder.origin even before an entry for this program was added to the database.

Fraud in November: winlocks returned

In November the free technical support service received around 4,700 requests from cyber-fraud victims which constituted 42% of all requests. The daily average of requests amounted to 146 which exceeded the October figure by one third.

Trojan.Winlock became the most widely spread malicious program used for fraud (73% of all requests). A significant number of fraud incidents were related to Trojan.Hosts that blocked access to popular web resources.

Criminals also changed routines for converting their profit into actual money. Malicious programs demanding that users send paid short messages were less popular in November, and the number of requests related to such programs reached only 31% of the total. Meanwhile the option that involves paying criminals via terminals became more appealing to fraudsters (60% of all requests).

Banking Trojans on the offensive

November saw the emergence of new Trojans targeting users of online banking systems, both individuals and businesses.

In particular, several modifications of Trojan.PWS.Ibank.213 were added to the Dr.Web virus database.

Variations of the Trojan serve as containers of malicious payloads. Their most harmful feature is their ability to disable security software components. The Trojan can detect whether it is being launched in a virtual environment where it can be safely analyzed. Disabling the system restore service is also among its malicious capabilities.

To collect the information required to access bank accounts online, the Trojan intercepts certain system routines as well as functions of online banking systems, and stores information entered by a user with a keyboard. The fact that Trojan.PWS.Ibank.213 can communicate with a remote server, and download and launch executable files, shows that systems compromised by this program become nodes of a botnet.

November 2010 showed that criminals can make use of various malicious programs to accomplish a wide variety of tasks. When it comes to neutralizing them, anti-viruses capable of protecting a system from all kinds of malware and of curing it proved to be the most efficient. Yet, it is users who still remain the weakest element of the computer defense system. Doctor Web would like to emphasize once again that following basic information security rules dramatically reduces the probability of system infection.

Viruses detected in e-mail traffic in November

 01.11.2010 00:00 – 01.12.2010 00:00 
1 Trojan.DownLoader.62844 887472 (16.61%)
2 Trojan.DownLoad1.58681 560304 (10.49%)
3 Trojan.Packed.20878 409498 (7.67%)
4 Win32.HLLW.Texmer.51 386408 (7.23%)
5 Win32.HLLM.Netsky.18401 317070 (5.93%)
6 Trojan.Oficla.zip 296642 (5.55%)
7 Win32.HLLM.MyDoom.33808 270438 (5.06%)
8 Trojan.Packed.20312 246743 (4.62%)
9 Trojan.DownLoad.41551 231569 (4.33%)
10 Trojan.Oficla.38 139866 (2.62%)
11 Win32.HLLM.Netsky.35328 121814 (2.28%)
12 Trojan.AVKill.2788 103700 (1.94%)
13 Win32.HLLM.Beagle 98470 (1.84%)
14 Trojan.PWS.Panda.114 90471 (1.69%)
15 W97M.Killer 74444 (1.39%)
16 Trojan.DownLoader1.17157 65832 (1.23%)
17 Trojan.PWS.Panda.387 49461 (0.93%)
18 Trojan.Oficla.73 49351 (0.92%)
19 Trojan.Oficla.48 49342 (0.92%)
20 Trojan.Botnetlog.zip 41304 (0.77%)

Total scanned: 40,984,945,769
Infected: 5,342,395

Viruses detected on user machines in November

 01.11.2010 00:00 – 01.12.2010 00:00 
1 Win32.HLLP.Neshta 7665428 (24.91%)
2 Win32.HLLP.Whboy.45 6184396 (20.09%)
3 Trojan.DownLoader.42350 2364188 (7.68%)
4 Win32.HLLP.Novosel 1644766 (5.34%)
5 Win32.HLLP.Rox 1177270 (3.82%)
6 Trojan.Click.64310 727694 (2.36%)
7 ACAD.Pasdoc 610404 (1.98%)
8 Win32.HLLM.Dref 520690 (1.69%)
9 Exploit.Cpllnk 413622 (1.34%)
10 VBS.Redlof 320729 (1.04%)
11 Trojan.WinSpy.925 284258 (0.92%)
12 Win32.HLLW.Shadow.based 278980 (0.91%)
13 Trojan.PWS.Ibank.238 252705 (0.82%)
14 HTTP.Content.Malformed 244692 (0.80%)
15 Trojan.MulDrop1.48542 183156 (0.60%)
16 Trojan.Click1.6029 180330 (0.59%)
17 Win32.Sector.22 142436 (0.46%)
18 Win32.HLLW.Kati 121106 (0.39%)
19 Trojan.DownLoad.32973 114280 (0.37%)
20 Win32.HLLW.Autoruner.5555 100817 (0.33%)
Total scanned: 92,810,136,138
Infected: 30,778,334

Posted in DrWeb | Comments Off

From Brain to Stuxnet: 25 Years of Computer Viruses

We’ve just published a video going through the last 25 years of PC malware history in 9 minutes.

The video contains several demos of what old viruses used to look like.

Check it out here.


On 09/02/11 At 07:57 AM

Posted in Security | Comments Off

ALERT: Please treat content from facilitatedigital.net and trueffects.net with extreme caution

Malvertising featuring “Gilt Man” has been seen coming from facilitatedigital.net – note that facilitatedigital.net was mentioned in my earlier blog post.

facilitatedigital.net
ICANN Registrar: TODAYNIC.COM, Inc
Created 29 July 2010

IP: 72.9.236.172 – Global Net Access Llc

Shares IP with trueffects.net

Registrant: Harold A Mcconville (haroldamcconville@gmail.com)

*****

trueffects.net
ICANN Registrar: TODAYNIC.COM, Inc
Created 29 July 2010

Registrant: Edward L Hill (edwardlhill@gmail.com)

Posted in Security | Comments Off
