Tag Archive | "from"


ALERT: Please treat content from facilitatedigital.net and trueffects.net with extreme caution


Malvertising featuring “Gilt Man” has been seen coming from facilitatedigital.net – note that facilitatedigital.net was mentioned in my earlier blog post.

 

facilitatedigital.net
ICANN Registrar: TODAYNIC.COM, Inc
Created 29 July 2010

IP: 72.9.236.172 – Global Net Access Llc

Shares IP with trueffects.net

Registrant: Harold A Mcconville (haroldamcconville@gmail.com)

*****

trueffects.net
ICANN Registrar: TODAYNIC.COM, Inc
Created 29 July 2010

Registrant: Edward L Hill (edwardlhill@gmail.com)

Posted in Security | Comments Off

Work From Home Scams: IC3 Advisory

This past week the Internet Crime & Complaint Center (IC3.gov), in conjunction with the FBI, the US Secret Service, and the Financial Services ISAC (FS-ISAC), released a Fraud Advisory regarding Work From Home scams. In particular, they are trying to raise awareness of the many schemes which lead to individuals serving as Money Mules for organized crime.

We’ve shared several examples of Money Mule recruitment scams in the past, including:

– Sep 4, 2008: Work At Home…for a Criminal? – several scams, including money mule scams, were described

– Sep 19, 2008: CareerBuilder Scams – scroll down for a “Walker & Sons” position as a “Financial Coordinator”

– Dec 8, 2008: Fake UMB Bank – scroll down for a “Regional Financial Representative” position at “BMS” to be described

– July 24, 2009: From Russia With Love – scroll to the bottom of the article to see a Mule Recruitment site called “Angle Protective” hiring “Customer Service Specialists”

– Nov 19, 2009: Running out of Money Mules? – ABC Web Design claims to be hiring “Financial Managers” who are actually laundering money.

– July 3, 2010: Stealing $10 Million 20 cents at a Time – where US citizens were recruited to open businesses to receive fraudulent credit card payments – another form of money muling.

On October 1, 2010 the FBI announced “Operation Trident BreACH”, which described money mules used to steal more than $70 Million! In this case the Money Mules were Russian and Moldovan students working in the New York area on J1 Student Visas. The point of the new advisory is that most Money Mules working in the US are actually American citizens who have been recruited through these Work From Home emails to use their checking accounts to move money out of the country.

Here are a few of the scams we are seeing in the UAB Spam Data Mine recently.

CareerBuilder reply

This email arrives with a graphical layout that tries to evoke CareerBuilder.com:

The body of the email is a classic mule recruitment ad – promising huge earnings for tiny amounts of work – and mentioning email and finances:

Hello,

Hope this email will find you at your best.

I came across your resume on CareerBuilder and I am contacting you in regards to an excellent job opportunity. Your skill sets and experiences appear to align well with the position I am looking to fill.

I’ve attached the job description details below. Please take a look and let me know if you would be interested in pursuing this further.

Job Description & Requirements

Check e-mail three times per day.

Preparing brief summary reports, and weekly financial reports.

Proficiency in using Microsoft Office.

Good communication skills in English (both verbal and written)

Possess good interpersonal skills.

Self-motivated and capable of working independently.

US Citizen, GC Holder

We offer
Salary plus commissions: $ 85,000-$ 95,000 per year
401(k) plan
Employment type: full-time/part-time

If you interested, planning to make a change, or know of a friend who might have the required qualifications and interest, please email me. In considering candidates, time is of the essence, so please reply to this email ASAP.

Thank you.

Note: I chose to contact you because your resume had been posted to one of the Internet job sites to which we subscribe. If you are not currently seeking employment, or if you would prefer I contact you at some later date, please indicate your date of availability so that I may honor your request. If you are not interested in receiving our e-mails then please reply with a “REMOVE” in the subject line. We truly apologize for the inconvenience caused.

Hiring Department

You are receiving this employment opportunity email because you uploaded your resume on CareerBuilder. If your employment status has changed or you no longer wish to receive these emails, you can update your privacy and communication preferences from your resume by logging onto CareerBuilder.com or you can block this employer from viewing your resume and sending you candidate emails.
This email was sent from Account ID F893KIO989343KOA2 and by this logged in User OKDYW93499
You are currently subscribed to receive “CareerBuilder.com Customer Messages”.
© CareerBuilder.com 5550-A Peachtree Parkway, Suite 200 | Norcross GA 30092

Posted in Security | Comments Off

Protect Yourself from Cell Phone Spying Robert Siciliano www.IDTheftSecurity.com

CSA DISCLAIMER: This video taken from YouTube. As well as any other video found on this site is not hosted here, it just embedded, and it taken randomly by our system from video hosting services like YouTube, Metacafe, and others. Therefore, we are not responsible for any copyright violations, video materials, hacking or cracking activities, or any other. If you have any legal issues, please contact the appropriate host site.

Posted in Video | Comments (6)

Hacker steals 400 billion virtual poker chips from Facebook game

An English hacker has admitted he stole 400 billion virtual poker chips worth somewhere between $285,000 and $12 million in actual dollars from a popular online game, then sold some of them for cash on Facebook.

Full story: Network World on Security

Posted in Security | Comments Off


Spam from Egypt vanishes after cutting off internet access

If there is any doubt as to how tightly internet communications have been restricted in Egypt, SophosLabs has produced some interesting statistics. In the process of analyzing spam, one of our Vancouver researchers noticed that spam originating from Egypt had nearly vanished.

While there have been reports that Egypt had cut off internet services completely, there were conflicting reports suggesting that one ISP that accounts for approximately 8% of Egyptian users was still online to some degree.

According to our statistics, the amount of spam received from Egypt in the last two days has dropped by 85%. While I’m not advocating this as a method to stop the spam problem, it seems to confirm media reports of the extent to which internet access is currently available (or unavailable, as it were) to the Egyptian people.

Chart of spam originating from Egypt January, 2011

While you may have a lower chance of receiving an email proclaiming you’ve won the Cairo lottery, this won’t have any significant impact on the volume of spam that gets to your mailbox.

The real point is these numbers demonstrate the availability of electronic communications to Egyptians and may be an indicator of their ability to organize and stay in touch with the outside world.

We will continue to monitor these statistics and post on Naked Security if we see any indications that normal internet access is returning.

To learn more about the countries that are responsible for your inbox being full read our latest Dirty Dozen spammers report for Q4 2010.

Full story: Naked Security – Sophos

Posted in Antivirus | Comments Off

A letter from a new friend

The other day I got this email with the subject HELLO FRIEND: From T Mohamed

Kindly view attach message for details. Very important…. Thank you

The email had the file Confidential Letter.txt as an attachment. It turned out that my new friend "T" is kind enough to make an introduction in the attachment, and also describes the purpose of this important confidential letter.

My name is Taboubi Mohamed a Tunisia citizen, I am a very loyal personal assistance to the former Tunisia president’s wife Leila Trabelsi. I am in Exile somewhere in Egypt and with the instructions of my former boss the former president’s wife that I should get a very honest person that can work with us to get her funds deposited in UK bank transferred to his/her account for safe keeping bank before it is frozen.

The swiss government has already frozen access and accounts owned by all members of the family in Switzerland also with France.

I am using this medium to appeaal to you if you are willing to assist in this transaction reply immediately so I can give you more guidelines if necessary you will be spoken to by my former boss Mrs Leila Trabelsi.

Please treat this confidential for security reasons.

Pleaase reply to this email tamohamed11@yahoo.fr

Your swift reply will be appreciated.

Taboubi Mohamed

The fact that the email was neither sent from the email address stated in the attachment nor in the reply-to field, but from an account with a Swedish-looking female first name, made the approach from my friend a bit …ehh… "strange". 

This email is of course a scam, and the sender’s email is either spoofed or compromised. Any reply from me would give the scammer my email address, which might be re-used for marketing purposes, like my colleague Righard Zwienenberg showed in his recent blog posting.

More likely, a positive response on my side would result in further communication between "Taboubi" and me. Attempts to get me to part with further personal information, like my bank account number, are typical in these cases. This type of scam also usually tries to get me to pay a relatively small amount of money to facilitate the transfer of the huge amount of money involved, or to cover other practical issues involved in the money transfer.

One should expect that this type of scam is so obvious and well-known that no one would bite. The only original part of this attempt to trick me (and others) is that the scam topic deals with a new event.

Unfortunately some are fooled by these types of emails. Quite often we read heart-breaking stories about people who are tricked by unbelievable (for most) deception attempts, and part with considerable amounts of money, which turn out to be impossible to get back.

However, I guess that those rare instances when someone wins without knowingly participating in a contest contribute to our hopes that anyone may be lucky. The report about the person who downloaded the 10 billionth app from App Store is one such story. The winner of the $10 000 prize thought the phone call informing her about this was a prank call.

Full story: Norman’s security blog

Posted in Antivirus | Comments Off
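The mismatch the Norman post above points out (sender, reply-to and the address given in the attachment all differing) can be checked mechanically. This is an added example, not part of the original post; the sample message and its example-domain addresses are constructed, and `contact_mismatches` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample modelled on the message described in the post:
# a short body plus a text attachment that names a third contact address.
SAMPLE = """\
From: Annika Example <annika@mail.example>
Reply-To: t.mohamed@webmail.example
To: reader@corp.example
Subject: HELLO FRIEND: From T Mohamed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Kindly view attach message for details. Very important.... Thank you
--b1
Content-Type: text/plain; charset="utf-8"
Content-Disposition: attachment; filename="Confidential Letter.txt"

Please treat this confidential for security reasons.
Please reply to this email contact@freemail.example
--b1--
"""

# Constructed benign message: every address in it is the sender's own.
CLEAN = "From: a@x.example\nSubject: hi\n\nYou can reach me at a@x.example\n"


def contact_mismatches(raw):
    """Return (sender, findings) for one raw RFC 5322 message.

    Each finding is (kind, location, address):
      reply-to-differs        Reply-To is not the From address
      content-address-differs a text part or text attachment asks the reader
                              to use an address that is neither From nor Reply-To
    """
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()

    findings = []
    if reply_to and reply_to != sender:
        findings.append(("reply-to-differs", "header", reply_to))

    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary attachments
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        location = part.get_filename() or "body"
        for addr in sorted({a.lower() for a in ADDR_RE.findall(text)}):
            if addr not in (sender, reply_to):
                findings.append(("content-address-differs", location, addr))
    return sender, findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE), ("clean", CLEAN)):
        sender, findings = contact_mismatches(raw)
        print(name, sender, findings)
```

Two or more findings on one message, as in the sample, is the pattern the post describes; a single differing Reply-To also occurs in legitimate mailing-list and help-desk mail, so treat it as a scoring signal rather than a verdict.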

Reactions to comments from Val’s post #1

received this comment to Val’s post

“Submitted by Anonymous on Tue, 01/04/2011 – 09:33.
The problem with pentesters phishing …

The problem with pentesters phishing … is that it does more harm than good for the organization. Without the education piece following a phish, you set up the organization to ban the practice.”


Year-end malware stats from AV-Test

Andreas Marx at AV-Test has shared some more information which highlights the significance of the malware problem.

The numbers are staggering — AV-Test processed an average of 54k samples per day in 2010, up from an average of 33k in 2009 — and up from 426 samples per day just a decade ago.

Stats below, source data here  (xls), all courtesy of AV-Test.


Alex Eckelberry

Full story: GFI Labs blog

Posted in Antivirus | Comments Off

Lahore photo by o_0  - http://www.flickr.com/photos/o_0/7860810/sizes/o/in/photostream/

What would you ask from the creators of the very first PC virus?

It’s now January 2011. Which means the Brain virus is now 25 years old.

Brain virus 1986

Brain, spreading on 5.25″ floppy disks, was the first PC virus.

Which means that the PC virus is now 25 years old.

So, what did Brain do? Let’s look at our virus description database, which – of course – has a description of the virus.

brain description

As you can see, the Brain virus contains contact information for “Basit and Amjad” in Lahore, Pakistan.

Due to this 25 year milestone, I’ve decided to go to Lahore, Pakistan. I’ll go there to find Basit and Amjad, and I’ll speak with them about how they feel about the phenomenon they started.


Of course, writing a boot sector virus in 1986 was a completely different thing than writing, say, a banking trojan in 2011. For one, writing viruses was not illegal in 1986. People did not know at the time if writing viruses was a bad idea. We learned that later.

But it just boggles the mind to think about how much has happened in these 25 years.

So, what would you like to ask from the writers of the very first PC virus?

Post your suggestions to our blog comments. I’ll take the best ones with me to Lahore.

Yours,
Mikko

On 24/01/11 At 01:52 PM

Full story: F-Secure Antivirus Research Weblog

Posted in Antivirus | Comments Off

Thank you from Google!

Thank you from Google, and Facebook personal messages lead to malware

Take a look at a couple of email messages Sophos intercepted earlier today.

Firstly, the great guys at Google have been in touch. Their message, entitled “Thank you from Google!”, says that they have received my job application and are investigating whether they have the right position inside their company for me.

If I’ve forgotten the details of my job application (which I clearly have, as I can’t for the life of me remember applying for a job at the Googleplex) then they’ve handily attached it as CV-20100120-112.zip.

Thank you from Google!

And here’s a message from Facebook. They’ve dropped me a note as well – with the title “You have got a new message on Facebook!” – to say that I’ve received a personal message from an unnamed friend.

You have got a new message on Facebook!

Rather than visiting the Facebook site (which is such a pain, isn’t it?), Facebook have kindly attached the personal message to the email as a file called Facebook message.zip.

Hopefully none of you would be foolish enough to click on the attachments, because they are – of course – malicious.

Sophos products detect the ZIP files in both cases as Troj/ZipMal-AM and their contents as the W32/AutoRun-BHX worm.

Always be suspicious of unsolicited email attachments, and ensure that your anti-virus protection is up-to-date. Malware campaigns can take different disguises and users must learn to be on their guard.

In fact, just as I finish writing this I see there’s another campaign spreading the same malware.

The subject line this time?

"Laura would like to be your friend on hi5!"

Full story: Naked Security – Sophos

Posted in Antivirus | Comments Off

Protection from Exploits for Windows Thumbnail Vulnerability

With our recent update of the engine we added generic protection against exploitation of the thumbnail vulnerability in all current Microsoft Windows operating systems. Microsoft warned of this security hole in a security advisory. On the January Patchday, no update was available for this vulnerability, even though there is proof-of-concept code publicly available in the Metasploit framework.

Also, we released another generic detection for exploits against the Microsoft Office security vulnerability in processing manipulated .rtf documents, which is already exploited in a limited fashion. The Update MS10-087 from last November fixes this vulnerability, so it is advised to install the Microsoft Updates anyways.

The Avira update is delivered and installed automatically. In case the next update is still too far away, start the Product Update in the Update-menu of the Avira ControlCenter manually!

Dirk Knop
Technical Editor

Full story: Avira – TechBlog

Posted in Antivirus | Comments Off

Nude photos stolen from women’s e-mail accounts

A California man has pleaded guilty to charges that he broke into the e-mail accounts of thousands of women, scouring them for nude photos that he then posted to the Internet.

Full story: Computerworld Security News

Posted in Security | Comments Off

Bill Gates Foundation lottery scam

I’ve won three million Euros from Bill Gates!

Excuse me for typing breathlessly, faithful Naked Security reader, but I have some incredible news to share.

I have just been informed that I have won three million Euros from none other than the Bill Gates Foundation!

I had no idea that the Bill and Melinda Gates Foundation, which normally fights poverty around the world and promotes healthcare, even ran a lottery – let alone that I had entered. But clearly, I did and now one of their representatives has been in touch to tell me the good news.

Bill Gates Foundation lottery scam

Bill and Melinda Gates are renowned around the world for their incredible generosity – they’re not only planning to give millions away to me, but they’re also happy to employ staff who spell the boss’s surname incorrectly. It’s great that Bill and Melinda are not averse to employing people with literacy problems.

Counting isn’t this emailer’s strong point either. He’s managed to attach a grand total of 69 files to this email telling me about my windfall. Eventually I found the right one, entitled LOTTERY BILL GATES FOUNDATION.docx

Scam Word document

All that they require is for me to share some personal information with them.. and then riches will be mine!

So, this is probably going to be the last article that you’ll see me writing on Naked Security. I’ll be picking up my winnings and riding off into the sunset. I can’t tell you how much fun it’s been, but this is goodbye..

.. unless this is a scam, of course. But that couldn’t be the case… could it??

Full story: Naked Security – Sophos

Posted in Antivirus | Comments Off

iPhone Safer from Hackers than Android (PC World)

PC World – Android-based smartphones are more vulnerable to attacks by hackers and electronic viruses than the iPhone, according to the chairman of the world’s largest provider of security software for corporate servers. The remarks were made less than a week after the company, Trend Micro, released its Mobile Security software for Android devices.

Full story: Yahoo! News: Security News

Posted in Security | Comments Off

Return from the Dead: Waledac/Storm Botnet Back on the Rise

The e-mail spam panorama is definitely showing an interesting trend lately. If you follow the news you may have noticed that a drop in e-mail spam activity was reported in the last couple of months; however, evil is never really defeated, and it is now back with new weaponry. We have already mentioned how a new wave of Waledac (also known as the Storm botnet) is back along with its spam activity since the 1st of January.

The timing of all this does not seem to be coincidental: the drop in spam e-mails began back in October, when the Spamit operation seemed to have shut down for good. This event has been suggested as the cause of the spam drop, together with the drop of botnet activities.

Rebirth, death and re-rebirth of Waledac

With the new year, Waledac resurrected and started a new spam campaign by distributing itself and installing a misleading application into compromised computers. The botnet was observed to be composed of slightly fewer than a thousand computers. Suddenly, between the 5th and the 6th of January the botnet appeared to have died: all the domains used by the botnet were no longer resolving to any IP address, and its activity seemed to have vanished. The reasons for this blackout are not clear; however, about five days later (between the 10th and 11th of January) the botnet was up and spamming again. This is the same time as another old friend seems to have resurrected: the Rustock botnet has been reported to be back online with pharmaceutical spam. And guess what? Waledac is now spamming out pharmaceutical-related emails too! A suspicious coincidence indeed.

What and who?

After the downtime, the botnet came back up and an update followed: the binary executable of the bot was updated, the code itself showed small changes, and the network messages exchanged by the botnet peers showed a new message containing a spam job involving pharmaceutical spam rather than misleading applications. The spam activity is quite similar to the one we already described when Waledac first came out.

Figure 1: Example of pharmaceutical spam sent by Waledac

The spammed links will redirect the user to a domain controlled by the botnet, which in turn is a redirector to a domain owned by the “Trusted Tabs” branding, a notorious pharmaceutical spam operation group.

Although we mentioned Rustock, it is worth saying that this branding is not the one that is known to be associated with Rustock (which is the Canadian Pharmacy branding). It is unclear if there is any link between the two; the issue is currently under investigation.

Figure 2: The website of the Trusted Tabs pharmaceutical branding

The newly updated botnet seems to have grown a bit: about 1400 bots observed in the last 24 hours, with its main distribution being in the United States and Europe.

Figure 3: Distribution of the malware

Details on the latest updated version

A deep analysis of the botnet has been already performed in a previous blog entry. This new variant (named W32.Waledac.B) works the same way: it implements the ANMP protocol in order to organize all the bots in a peer-to-peer network that has the characteristics of a fast-flux network. This kind of network is resistant to bots going online and offline, and it can reconfigure itself very quickly, rendering it a very dangerous botnet.

The peers communicate with each other through messages, and all the communications use strong encryption and digital signing. We analyzed the network messages being exchanged among the peers before and after the downtime, and we could see an update in the version numbers (from 0.0.49 to 0.0.51) and in the spam job message, which now also included the pharmaceutical spam messages (as opposed to the previous spam job, which contained spam related to e-cards).

Figure 4: Two messages being passed before and after the downtime, suggesting an update

Interestingly, the binary executable also has been updated, and it doesn’t show too many changes from its predecessor, except for some interesting bits:

Figure 5: Two pieces of code that were added in the last update

This new added code seems to be simply validating a parameter (the size of the send queue); perhaps the previous version of the bot had a bug that caused it to malfunction in case the size of the queue was not properly set. Perhaps this bug caused the botnet downtime that we observed? We don’t know, maybe the botnet herders were just waiting for the next strike, but this was definitely a curious detail on the software side!

The best protection from this threat is, as usual, common sense. Do not open email from unknown senders, do not open emails that contain spam about pharmaceutical products, and if you want to click a link, double check what website the link is pointing to. In most cases the links that arrive through spam have gibberish names, so be careful and always double check what you are clicking on.

Full story: Symantec Connect – Security Response – Blog Entries

Posted in Antivirus | Comments Off

When we should learn from history

Happy new year from Prevx Research Labs!

2010 is behind us, and we have already started this exciting new year strongly focused on Prevx4 development. However, today we’re going to write again about the Microsoft Patch Day, which was scheduled for Tuesday 11 January.

We ended last year with two public 0day exploits already freely available on the web, two exploits that were not fixed by Microsoft on the December patch day. In a previous blog post I already showed how these two exploits, if used together, could potentially be more dangerous than expected.

During the first days of this month another 0day exploit was published on the web – again in the Metasploit framework. This time the flaw is located inside the shimgvw.dll library – a stack overflow when the library tries to parse malformed thumbnail bitmaps containing a negative “biClrUsed” value.

With this latest exploit we have a total of three 0day exploits already documented, with their source code publicly available on the net: two remote code execution exploits and an Elevation of Privilege exploit. The Internet Explorer mshtml.dll exploit has the ID CVE-2010-3971 and Microsoft Security Advisory 2488013. The Microsoft Graphics Rendering Engine flaw has the ID CVE-2010-3970 and Microsoft Security Advisory 2490606. The win32k.sys Elevation of Privilege exploit has the ID CVE-2010-4398 and still no Microsoft Security Advisory – remember that we reported the flaw on 24th November 2010.

We were expecting Microsoft to patch them on the first patch day of the year, which was scheduled for yesterday. Unfortunately, Microsoft decided not to patch any of them.

In my opinion Microsoft’s choice not to patch these open flaws is questionable. While I must say that some workarounds have been posted by Microsoft to mitigate these two remote code execution exploits, I think this is not a good way to handle the problem, because it increases the gap between the flaw being uncovered and the patch being released. Publishing workarounds is good as a temporary solution to mitigate the flaw. It shouldn’t be acceptable any more if the flaw has already been known and documented on the web for more than a month. Moreover, we’re assuming that every user is able to apply the workaround by themselves, and we’re already quite optimistic when we say that the user is aware of a workaround to be applied. Most users just run Windows Update and automatically download the needed patches.

The Elevation of Privilege flaw we talked about in November 2010 has been publicly available on the internet for more than 40 days. And the flaw doesn’t even have a security advisory from Microsoft yet. Someone could object that there aren’t any reports showing that the vulnerability is being used in the wild. Well, we should have a closer look at what history teaches us.

This situation should ring a bell: when Stuxnet was discovered, we found it was using four 0day exploits. Or maybe we should say it was using just three real 0day exploits?

Actually, one of the 0day exploits had already been known since April 2009, when the security magazine Hakin9 released details of the flaw that was later identified in Stuxnet and tagged by Microsoft as MS10-061. The exploit was fixed by Microsoft in September 2010, 17 months later.

Perhaps the flaw had not been used widely in the wild, but it turned out it was used in the most sophisticated targeted attack ever seen. So, the question is: is it a good strategy to delay releasing some patches just because there isn’t any evidence that the flaw is being used in the wild?

At the moment – even with the operating system fully patched – if malicious code manages to get onto your PC – e.g. through a removable device or some specific exploit – and it’s able to run as a medium integrity level process, then it can easily get administrative privileges – no matter whether you are running it in a limited account or in an Admin Approval Mode account.

If you want to be protected from the elevation of privilege exploit, you can install Prevx for free, which will prevent the flaw from being exploited – and it will give you another layer of protection along with your existing security solution.

Full story: Prevx Blog

Posted in Antivirus | Comments Off
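Both the Avira post and the Prevx post above concern thumbnail bitmaps with a malformed header, and Prevx names the field: a negative “biClrUsed”. The following is an added example, not code from Prevx, Avira or Microsoft: a pre-parse check a scanner or file gateway could run on a device-independent bitmap before handing it to a renderer. It assumes the standard 40-byte BITMAPINFOHEADER layout; `check_dib_header`, `make_dib` and the rejection messages are hypothetical names, and the sample headers are constructed.

```python
import struct

# BITMAPINFOHEADER, little-endian, 40 bytes:
# biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression,
# biSizeImage, biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant
HDR = struct.Struct("<IiiHHIIiiII")
VALID_BPP = (1, 4, 8, 16, 24, 32)


def check_dib_header(blob):
    """Return the reasons to reject a DIB (header plus optional colour table).

    An empty list means the header passed every check.
    """
    if len(blob) < HDR.size:
        return ["truncated: fewer than 40 header bytes"]
    (bi_size, width, height, planes, bpp, _compression, _size_image,
     _xppm, _yppm, clr_used, _clr_important) = HDR.unpack_from(blob)

    problems = []
    if bi_size < HDR.size or bi_size > len(blob):
        problems.append("biSize out of range")
    if width <= 0 or height == 0:
        problems.append("non-positive dimensions")
    if planes != 1:
        problems.append("biPlanes must be 1")
    if bpp not in VALID_BPP:
        problems.append("unsupported biBitCount")
        return problems  # the colour-table arithmetic needs a sane bit depth

    # biClrUsed is declared as an unsigned DWORD. A parser that keeps it in a
    # signed 32-bit integer sees any value >= 2**31 as negative, which is the
    # malformed case named in the post. Reject it before any size arithmetic.
    if clr_used >= 2**31:
        problems.append(
            "biClrUsed negative as signed 32-bit (%d)" % (clr_used - 2**32))
        return problems

    # For palettised images the colour count cannot exceed 2**biBitCount.
    if bpp <= 8 and clr_used > (1 << bpp):
        problems.append("biClrUsed exceeds 2**biBitCount")
        return problems

    # The colour table (4 bytes per entry) must lie inside the supplied data.
    entries = clr_used if bpp > 8 else (clr_used or (1 << bpp))
    if bi_size + 4 * entries > len(blob):
        problems.append("colour table extends past end of data")
    return problems


def make_dib(bpp, clr_used, palette_entries):
    """Build a constructed 16x16 header followed by a zeroed colour table."""
    header = HDR.pack(40, 16, 16, 1, bpp, 0, 0, 0, 0,
                      clr_used & 0xFFFFFFFF, 0)
    return header + b"\x00" * (4 * palette_entries)


if __name__ == "__main__":
    samples = {
        "8bpp, default palette": make_dib(8, 0, 256),
        "24bpp, no palette": make_dib(24, 0, 0),
        "8bpp, biClrUsed = -1": make_dib(8, -1, 256),
        "8bpp, biClrUsed = 300": make_dib(8, 300, 300),
        "8bpp, short palette": make_dib(8, 16, 4),
    }
    for name, blob in samples.items():
        print(name, "->", check_dib_header(blob) or "ok")
```

The order of the checks matters: the sign and range tests on biClrUsed come before any multiplication or length comparison that uses it.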


New trick from cybercriminals

Due to the artistic nature of cybercriminals, they never run out of ideas. After using social media, popping up fake-av, hacking into websites… what’s more?

We’ve discovered a rogueware campaign using “useable apps” to distribute rogueware. When the victim runs the binary, this rogueware will run and pop up “Installing Flash FLV Player”:

Right after we spotted that, we found another rogueware doing almost the same thing. This is more interesting and colorful. We shall name it, the updated version:

No doubt, this is a more colorful version, and maybe XVID means something more interesting?

Our final word? Most of the common media players will be able to play most of the video formats. You don’t need a “Special Player” to play yet another video format.


Full story: PandaLabs Blog

Posted in Antivirus | Comments Off

Blog: We Come in Peace, Too – Impressions from CCC’s 27C3 / Berlin

Since Monday, my colleagues and I have been attending the annual Chaos Communication Congress 27C3 in Berlin. For the past 27 years, the Chaos Computer Club has organised this four day conference for hackers from all over the world.

Full story: Securelist / All Updates

Posted in Antivirus | Comments Off

Vulnerable systems are at risk of attack from “Aurora”


Posted in Video | Comments Off

Privacy Groups Pan Policy Paper From Commerce (PC World)

PC World – New online privacy measures proposed by the U.S. Department of Commerce Thursday fall short of the action that’s needed to protect Internet users, several privacy advocates said. – on Yahoo! News: Security News

Posted in Security | Comments Off

Send non-iTunes files from Mac to Apple TV with AirFlick (Macworld)

Macworld – Last week, blogger and insatiable hacker Erica Sadun turned your Mac into an AirPlay receiver with AirPlayer. Now she’s turned the tables with AirFlick, a companion utility that lets your Mac stream content to an Apple TV from apps besides iTunes. – on Yahoo! News: Security News

Posted in Security | Comments Off

Dr.Web

Holiday greetings from Doctor Web

December 23, 2010

Dear friends and colleagues! Happy Holidays and Happy New Year!

May the year to come bring you many joyful moments and success in all your endeavours. Make the most of the celebrations to come, keep up your good humour and Doctor Web will see to your anti-virus security!

A special little gift from Doctor Web for your holiday spirit – the 2011 calendar wallpaper available for downloading here and now.

Dr.Web 1024×768
1280×1024
1680×1200

Happy Holidays!

Doctor Web

– on News of Doctor Web

Posted in Antivirus | Comments Off

Gawker related attack from 174.132.178.37

The recent Gawker media hack is probably related to a spate of malicious activity from 174.132.178.37, trying to log into forums, according to a couple of different reports on the web -  [1] [2] -  and my own experience of someone trying to get into a forum, presumably with Gawker harvested credentials. The purpose is unknown, but the person behind it may well be trying to use established – on Dynamoo’s Blog

Posted in Security | Comments Off

SpyEye from Moldova

Here is a site that looks serious and legitimate: ecurrencynews.org It has some good stories, and some not so good… Following certain links will lead to a ‘Java Update’ page. It’s the kind of update you want to avoid at all costs! Notice the security window shows that this update comes from a site other [...] – on Malware Diaries

Posted in Security | Comments Off
