Tag Archive | "Google"

Google+ Project Vs Facebook Safety Features

Today there are many social networks on the internet, and new ones with new and better features are introduced every day. Their unique and useful features make it easy for users to stay up to date with friends, and their apps for different smartphones give even easier access to friends and other useful information. But at the same time these contacts and personal details are put at risk when the security features protecting them are weak or compromised.

Google Vs Facebook

Google and Facebook are two popular corporations offering online social networks and other useful applications. Over the past few years Facebook has gained significant recognition and attracted a large number of users from around the world. These users share their private information on the web. There are privacy settings that restrict strangers from accessing personal information, but exposing personal data online is still a risk.

On the other hand Google is a popular search engine that is now stepping into the world of social networks and has started offering new products such as +1, Hangouts and more.

But when comparing these two corporations a widely asked question is about their safety. Personal information can be damaging if it gets into the wrong hands. Users can restrict others from viewing information by changing their privacy settings. For instance, Facebook lets users apply “friends only” and “friends of friends” settings to their content, which they can select according to their requirements.

Facebook users can also create groups, assign privacy settings to them, and add friends and family to these groups. For instance, if someone wants to allow a particular set of people to view a photo album, it is best to create a group and allow only that group to view the photos or albums.

Google+ Project

Google launched a project named Google+, which comprises several smaller projects such as Circles, Hangouts, +1 and Sparks. It is a social network, and Circles offer audience-restriction features comparable to Facebook's friend lists. All these applications are interconnected across the web with Google search, social networking, +1 recommendations and video chat. With such a large online project, users are more exposed to the risk of information getting into the wrong hands.

To cope with these security risks Google launched several resources to advise users about safe content sharing, such as the Google Family Safety Center, which helps parents keep control over their children's activities. Parents can also contact Google's advice board and find the help they want. It is also important to remain cautious about malicious invitations and software downloads. For instance Google Hangouts requires installing a plugin on the system. It is important to download such software only from authentic or official websites.

Facebook Risks

Facebook is a great way to connect with friends and family, but at the same time there are also bad guys getting social on Facebook. An IT security firm reports that users are being spammed or sent malicious code. Facebook offers good security features to restrict strangers from accessing personal information, but unethical activities are still on the rise.

Posted in Facebook, Featured, Security

Poisoned Google image searches becoming a problem

If you are a regular user of Google’s search engine you might have noticed that poisoned search results have practically become a common occurrence.

Google has, of course, noticed this and does its best to flag the offending links, but it still has trouble cleaning up its image search results.

ISC’s Bojan Zdrnja took it upon himself to explain how the attackers actually do it, and shows that it is actually rather simple.

For one, they attack and compromise a wide variety of legitimate websites – usually those running WordPress, since it often has vulnerabilities that can be easily exploited and its legitimate users are often lax about updating it.

Then, they introduce PHP scripts into the sites' source code. “These scripts vary from simple to very advanced scripts that can automatically monitor Google trend queries and create artificial web pages containing information that is currently of interest. That is actually how they generate new content: if you ever wondered how they had those web sites about Bin Laden up quickly, it is because they automatically monitor the latest query trends and generate web pages with artificial content,” he explains.

They also harvest images from other sites and embed them in the generated pages. When the scripts detect Google's crawlers, they serve them the pages containing the automatically generated content, and the pictures end up in the image search index.

“The exploit happens when a user clicks on the thumbnail,” says Zdrnja. “Google now shows a special page that shows the thumbnail in the center of the page, links to the original image (no matter where it is located) on the right and the original web site (the one that contained the image) in the background.”

Google displays all of this in an iframe, so the browser automatically sends a request to the compromised page. The PHP script inserted there checks whether the visitor arrived from a Google results page (the Referer header gives that away), and if so it serves another script – this time JavaScript – that redirects the browser to a further compromised site that serves malware.

Users should be careful about what they click, but malicious links are sometimes hard to spot. Zdrnja advises using browser add-ons such as NoScript for Firefox, but believes Google could help by not using an iframe to display the results.
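The two tricks described above, cloaking for the crawler and a Referer-gated JavaScript redirect, can be caught by fetching the same page under three identities and diffing the results. The following probe is an added example written for this article, not code from the ISC diary or from Google; `fake_compromised_page` is a hypothetical stand-in for the injected PHP script (all domains use the reserved `.example` TLD) so the probe runs offline, and `fetch` can be replaced by a real HTTP client to test a live site.

```python
"""Cloaking probe: fetch one URL as browser, as Googlebot, and as a browser
arriving from a Google results page, then compare what comes back."""
import re
from hashlib import sha256

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
GOOGLE_REFERER = "http://www.google.com/imgres?q=trending+topic"

# Matches the JavaScript location assignment the injected script serves to Google visitors.
JS_REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def fake_compromised_page(url, headers):
    """Hypothetical model of the injected PHP script's decision logic (constructed)."""
    ua = headers.get("User-Agent", "")
    referer = headers.get("Referer", "")
    if "Googlebot" in ua:
        # The crawler gets the auto-generated, keyword-stuffed page with harvested images.
        return ("<html><body><h1>trending topic</h1><p>generated filler text</p>"
                "<img src='http://harvested.example/pic.jpg'></body></html>")
    if re.match(r"https?://(www\.)?google\.", referer):
        # A visitor coming from a Google results page is bounced to the malware host.
        return "<html><body><script>window.location='http://malware.example/x.php';</script></body></html>"
    # Anyone else (site owner, researcher typing the URL) sees the ordinary blog page.
    return "<html><body><p>ordinary blog post</p></body></html>"


def fake_clean_page(url, headers):
    """Control: a page that behaves the same for every visitor (constructed)."""
    return "<html><body><p>ordinary blog post</p></body></html>"


def probe(fetch, url):
    """Fetch `url` three ways via fetch(url, headers) -> body and report cloaking indicators."""
    variants = {
        "browser": {"User-Agent": BROWSER_UA},
        "crawler": {"User-Agent": GOOGLEBOT_UA},
        "from_google": {"User-Agent": BROWSER_UA, "Referer": GOOGLE_REFERER},
    }
    bodies = {name: fetch(url, hdrs) for name, hdrs in variants.items()}
    digest = {name: sha256(body.encode()).hexdigest() for name, body in bodies.items()}
    redirect = JS_REDIRECT.search(bodies["from_google"])
    browser_redirect = JS_REDIRECT.search(bodies["browser"])
    return {
        # The crawler sees different content than a normal browser: classic cloaking.
        "crawler_differs": digest["crawler"] != digest["browser"],
        # A JS redirect that appears only when the Referer says we came from Google.
        "referer_redirect": redirect is not None and browser_redirect is None,
        "redirect_target": redirect.group(1) if redirect else None,
    }


def is_cloaked(report):
    return report["crawler_differs"] or report["referer_redirect"]
```

Against a live site, normalise the dynamic parts of the page (timestamps, ad slots, CSRF tokens) before hashing, or compare the extracted link sets instead of raw bytes; otherwise every dynamic page looks cloaked.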

Posted in Security

Tom Tom sounds the privacy drum – road safety or no road safety!

Dutch GPS and navigation software giant, Tom Tom, recently took what I consider to be a small privacy step for the company, but a giant privacy step for mankind.

Faced with evidence that the Dutch police have been using anonymised trip data from Tom Tom users to assist in enforcing speeding laws, Tom Tom CEO Harold Goddijn last week published an official comment on YouTube.

In the video, Goddijn said:

We learned today…that the police in the Netherlands are using [our] information to identify road stretches where people in general, and on average, are driving too fast. They use [our data] to put up speed cameras and speed traps. And we don’t like that, because our customers don’t like it. We will prevent that type of usage of our data in the future.

Tom Tom seems to be recognising some potential privacy-eroding issues which other companies don’t or haven’t concerned themselves with in the past. (Not all viewers of the YouTube video agree with me – there are currently 34 dislikes but only 26 likes.)

Even so-called anonymous data, collected in good faith, may end up being anything but.

Possibly the most infamous, and outrageous, anonymity gaffe in recent history was perpetrated by AOL nearly five years ago. The company published some 20 million search terms – supposedly for web research purposes – with usernames replaced with arbitrary numbers.

The problem was that each username was replaced with the same number every time it appeared. The result ought to have been foreseen.

As you accumulate more and more search terms tied to specific individuals, you can make ever-more accurate deductions about their identities from the search terms alone.

After all, over months of searching, you probably give away multiple hints about your identity. You might narrow down where you live by repeatedly searching for businesses in your neighbourhood. You might search for cohorts from your school or college. You might check garbage collection dates in your street. You might even do a vanity search for your own name or property, which, in the AOL data, would have been the privacy-erosion equivalent of “Bingo!”

Indeed, the New York Times famously traced Thelma Arnold, and her dog Dudley, right to her home in Georgia by reversing the AOL search data to remove her anonymity altogether.

Google, too, is no stranger to controversy over its definition of anonymise. Google is proud of the fact that it “anonymises” IP addresses in its search logs after nine months, even though this involves simply blanking out the bottom eight bits of your IP address.

This just about sneaks into the definition of anonymise given in my New Oxford American Dictionary, namely: to “remove identifying particulars from test results for statistical or other purposes”. But it might not meet your definition. You probably assume that an anonymised log entry can’t be connected with you at all.

Keeping the actual details of every search term – even ones which actually include your name, or your address, or some sort of personally identifiable information – isn’t really anonymous. Tying these searches together with an IP identifier which narrows you down to 1 in 256 people (at the very best – many /24 networks are only sparsely populated, after all), and which probably identifies your ISP, your suburb and your phone exchange, is even worse.
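The two failure modes above, a fixed pseudonym that lets every query be joined into a profile and an IP address with only its low eight bits removed, are easy to demonstrate. The following is an added example written for this article, not Sophos, AOL or Google code; the log, the usernames, the places and the key are constructed, and the per-record token is offered as the contrast, not as what either company did.

```python
"""Why 'anonymised' search logs still link back to people."""
import hashlib
import hmac
import ipaddress
import re
from collections import defaultdict

# Constructed sample: (username, search term). Names and places are made up.
RAW_LOG = [
    ("alice77", "plumber near northwood"),
    ("alice77", "garbage collection day elm street northwood"),
    ("alice77", "dog trainer for beagle"),
    ("alice77", "alice quincy"),            # vanity search: the 'Bingo!' moment
    ("bob12", "cheap flights"),
    ("bob12", "weather tomorrow"),
    ("carol9", "chess openings"),
]
SECRET = b"log-pseudonymisation-key"  # constructed; a real release would use a secret per dataset


def pseudonymise_consistent(log, key=SECRET):
    """AOL style: the same user always maps to the same opaque token."""
    return [(hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:10], q)
            for user, q in log]


def pseudonymise_per_record(log, key=SECRET):
    """Unlinkable alternative: the token also depends on the record index, so two
    queries by the same person share nothing an analyst could join on."""
    return [(hmac.new(key, f"{i}:{user}".encode(), hashlib.sha256).hexdigest()[:10], q)
            for i, (user, q) in enumerate(log)]


def profiles(pseudo_log):
    """The attacker's view: everything searched under one token, grouped together."""
    by_token = defaultdict(list)
    for token, query in pseudo_log:
        by_token[token].append(query)
    return dict(by_token)


def linkable_profiles(pseudo_log):
    """Count tokens carrying more than one query, i.e. people who can be profiled."""
    return sum(1 for queries in profiles(pseudo_log).values() if len(queries) > 1)


LOCATION_HINT = re.compile(r"\b(?:near|in)\s+([a-z][a-z ]+)$")


def location_hints(queries):
    """Pull place names out of 'X near Y' style queries: the neighbourhood leak."""
    hints = set()
    for q in queries:
        m = LOCATION_HINT.search(q.lower())
        if m:
            hints.add(m.group(1).strip())
    return hints


def anonymise_ip(ip):
    """Google's nine-month 'anonymisation': zero the bottom 8 bits of an IPv4 address,
    leaving at most 256 candidates (fewer on a sparsely populated /24)."""
    addr = ipaddress.IPv4Address(ip)
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFF00))
```

With the consistent scheme, one profile holds a neighbourhood, a street, a pet and a vanity search; with per-record tokens the same log yields nothing to group. Note that keying the token with an HMAC does not help at all in the first case: the attack never needs to reverse the token, only to observe that it repeats.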

So, be careful out there. Anonymised data may not be as anonymous as you thought. And anonymised data which you share with a vendor – such as your average speed across the Sydney Harbour Bridge, where you’re supposed to keep below 70km/hr – might end up getting used for purposes you wouldn’t consider “anonymous”.

Unless you are absolutely certain what will be shared, and how, and for what purpose, I recommend that you turn such sharing features off. And if a product or service requires data sharing to work at all, don’t buy into it in the first place.

At the very least, before enabling any “share data with vendor” option, ask yourself, and the vendor, what’s in it for you – in other words, work out the best result you can ever expect from the sharing. Contrast that value with what’s in it for the vendor, or for the intelligence services and law enforcement authorities in that vendor’s jurisdiction.

Make sure there is an obvious positive balance in your favour.

If there isn’t, then the vendor simply isn’t paying you enough for your data. It really is a commercial transaction!

Posted in Sophos

Google opens peephole on mystery data center practices

Google has released a video showing at least some of the security and data protection techniques used in its worldwide network of data centers.

The video plays like a souped-up advertisement for the search giant and its Google Apps suite of online business applications – there are more than a few visual allusions to the Tom Cruise vehicle, Mission Impossible – and Google has previously discussed its security practices in a Google Apps white paper (PDF). But the video does provide a small glimpse into the operation of the nearly 40 server facilities Google has erected over the past several years. It focuses on a Google data center in Moncks Corner, South Carolina, but also gives a nod to a new facility in Hamina, Finland.

In addition to protecting the grounds with around-the-clock security personnel, cameras, and fences, Google controls access to facilities, the video says, using badges printed with a lenticular mechanism designed to prevent forgeries. Some facilities also use iris scanners and other biometric devices. Once employees are inside the facility, there's a second line of badge readers and in some cases biometric devices restricting access to the actual data center floor.

Only certain Google employees are allowed inside the data center, and, as Google is fond of pointing out, all data is sharded and spread across myriad machines and facilities, so an unauthorized person who did get hold of a single hard drive would not obtain readable data from it.

Nonetheless, when a hard drive fails or no longer performs well and must be disposed of, Google uses multiple techniques to ensure that the data can't be read at all. It overwrites the data, then performs a complete read of the disk to verify that all of it has been removed. When a disk reaches the end of its life, Google then destroys it: a steel piston is pushed through the center of the drive and the drive is shredded into relatively small pieces. The remains are then sent to recycling centers.
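The overwrite-then-read-back step above is worth seeing in code, because the read-back is what turns "we ran a wipe" into "we checked the wipe". The following is an added example written for this article, not Google's tooling; it operates on a file-backed image (the same code opens a block device such as `/dev/sdX` given root), and the verification reports the offset of the first byte that still differs from the wipe pattern instead of silently passing.

```python
"""Overwrite a disk image, then read the whole thing back to verify."""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per read/write call


def overwrite_image(path, pattern=b"\x00"):
    """Overwrite every byte of `path` in place with `pattern`, then fsync to stable storage."""
    size = os.path.getsize(path)
    fill = pattern * (CHUNK // len(pattern))
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(remaining, len(fill))
            f.write(fill[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    return size


def first_unwiped_offset(path, pattern=b"\x00"):
    """Full read-back: return the offset of the first byte not matching `pattern`,
    or None if the whole image matches."""
    want = pattern * (CHUNK // len(pattern))  # chunk length is a multiple of len(pattern)
    offset = 0
    with open(path, "rb") as f:
        while True:
            buf = f.read(len(want))
            if not buf:
                return None
            if buf != want[:len(buf)]:
                for i, (got, expected) in enumerate(zip(buf, want)):
                    if got != expected:
                        return offset + i
            offset += len(buf)


def wipe_and_verify(path, pattern=b"\x00"):
    """Overwrite, then verify. None means the read-back found no residual data."""
    overwrite_image(path, pattern)
    return first_unwiped_offset(path, pattern)


def make_test_image(nbytes):
    """Constructed test input: a temporary image filled with random bytes."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(nbytes))
    return path


def corrupt_byte(path, offset, value=b"\xff"):
    """Simulate a sector the overwrite did not reach, to exercise the verifier."""
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(value)
```

The caveat a practitioner wants: a host-side overwrite, even of the raw block device, cannot reach sectors the drive has remapped or, on SSDs, the over-provisioned flash, and the read-back cannot see them either. That is why the verified overwrite is followed by physical destruction rather than treated as proof on its own.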

The Crusher: Google gives hard drives the piston treatment

The video also alludes to Google’s ability to shift data access to a new data center in the event of fire or other major failure. The company says that this process is “seamless” and “automatic”, but no details are provided. This is apparently a reference to a Google-designed platform known as Spanner, which was described in a public presentation by Google fellow Jeff Dean in 2009.

Google still won’t confirm the use of Spanner, but a company spokeswoman did tell us that data access shifts across “almost all” of its data centers.

According to a PowerPoint file that accompanied Dean’s presentation, Spanner handles automated allocation of resources across Google’s “entire fleet of machines,” moving and replicating loads between its mega-data centers based on “constraints and usage patterns.” This includes constraints related to bandwidth, packet loss, power, resources, and “failure modes”.

Earlier that year, Google senior manager of engineering and architecture Vijay Gill appeared to describe Spanner when discussing a Google data center that had been built without chillers. “Sometimes there’s a temperature excursion,” Gill said, “and you might want to do a quick load-shedding – a quick load-shedding to prevent a temperature excursion because, hey, you have a data center with no chillers. You want to move some load off. You want to cut some CPUs and some of the processes in RAM.”

He indicated Google could do this automatically and near-instantly, meaning without human intervention. “How do you manage the system and optimize it on a global level? That is the interesting part,” he said. “What we’ve got here [with Google] is massive – like hundreds of thousands of variable linear programming problems that need to run in quasi-real-time. When the temperature starts to excurse in a data center, you don’t have the luxury of sitting around for half an hour. You have on the order of seconds.”

Apparently, this chillerless data center is the one Google operates in Saint-Ghislain, Belgium.

Dean describes Spanner as a “single global namespace,” and names are completely independent of the location of the data. The design is similar to BigTable, Google’s distributed database platform, but it organizes data in hierarchical directories rather than rows. Dean also indicates that Google splits its distributed infrastructure into various subsections that provide redundancy by operating independently of each other. The aim, he said, is to provide access to data in less than 50 milliseconds, 99 per cent of the time.

In the video released today, Google goes on to say that its facilities are closely monitored not only with traditional video cameras, but also with video-analytics software designed to automatically detect anomalies in the video feeds. Some facilities are also equipped with thermal imaging cameras that work to detect intruders.

For years, Google provided no information about the operation of its data centers. But in the spring of 2009, it released a video that showed the inside of its first “containerized” data center, and just before this, it held a small event where it detailed at least some of its custom server and data-center designs. On Friday, when we asked Google about Spanner and the Linux distro used in its data centers, it declined to provide specifics.

Posted in Security

When Worlds Collide (A Search Engine Poisoning Attack)

There are a couple of ways to locate Search Engine Poisoning networks: you can locate sites serving payloads (especially those of the Fake AV variety) and trace backwards to find the link-farm network that feeds them, or you can look for the link-farms and trace forward. (We use several variations on both methods.)

Recently, as I was tracing an SEP attack, I came across an interesting juxtaposition of two very distinct cultures: anime and hip-hop.

I had been looking for “link-farmish” URLs in our logs, and I saw that someone had done a Google image search for some anime-themed images, and the URLs looked like possible candidates for SEP. For fun, I did one of the same searches:

screenshot of poisoned google image search (anime images)

I immediately noticed a couple of anomalies: one of the pictures lacked the trademark red-eye design that characterizes this anime, and four of the images in this set (and many others sprinkled through the search results) showed a source very much out of place among all the anime-fan blog sites (which I've blacked out, since they're not involved in the attack): hiphopblog.com.

Talk about a culture clash! I see a lot of weird stuff on the Web, but I couldn’t ever recall seeing a hip-hop site that was into anime in a big way…

Sure enough, all of the images sourced from hiphopblog.com in this search lead to malware, courtesy of background links to a hacked subdirectory there.

 

Looking through the full traffic logs for one of our datacenters, it appears that about half of the traffic headed toward hiphopblog.com is related to the SEP attacks. The logs also yielded other fun culture-clash search examples. For instance, here’s one that showed up in an image search for a character from the recent Disney film Tangled (and while Flynn could reasonably be described as “hip” — at least in his own mind — I have a hard time picturing hip-hop fans wanting to post pictures of him on their site):

screenshot of disney image from SEP attack via hip-hop site

 

Another worlds-colliding example came from the Indian Google site (google.co.in), and wasn’t an image search, but a traditional text search — for a particular Bollywood actress kissing. Again, not something that typical hip-hop fans would likely be interested in…

But I persevered, and finally found an example search in our logs that returned images a bit more reasonable for hiphopblog.com (although they still led to malware):

screenshot of more poisoned search results (motorcycles)

It’s worth noting that each of these four examples used a different location within hiphopblog.com to host the link-farm pages, so the site is what I would classify as “heavily compromised”…

These examples also illustrate how hard it is for search engines to keep link-farms out of their search result pages when those link-farms are hosted on legitimate sites that have been hacked. While a human like you or me can look at these image results and recognize that some of them seem out of place in the world of hip-hop, how should a computer algorithm figure that out?
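One answer to that question, from the proxy side rather than the search-engine side, is to score hosts on the signals described in this post: a large share of their traffic arrives from search result pages, the queries that bring it are topically all over the map, and the landing pages sit in several unrelated directories. The following is an added example written for this article, not Zscaler's tooling; the log lines are constructed (format: timestamp, client, method, URL, quoted referer), only the domain hiphopblog.com is taken from the post, and the thresholds are assumptions to tune against real traffic.

```python
"""Flag likely SEP link-farm hosts from proxy logs."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LINE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<referer>[^"]*)"$')

# Constructed sample log (not real traffic).
LOG = """\
2011-04-20T10:12:03Z 10.1.2.3 GET http://hiphopblog.com/wp-content/uploads/cache/anime-red-eye.html "http://www.google.com/imgres?imgurl=http://hiphopblog.com/img/1.jpg&q=anime+red+eye"
2011-04-20T10:13:44Z 10.1.2.9 GET http://hiphopblog.com/old/flynn-rider.html "http://www.google.com/imgres?imgurl=http://hiphopblog.com/img/2.jpg&q=flynn+rider+tangled"
2011-04-20T10:15:10Z 10.1.2.7 GET http://hiphopblog.com/tmp/kiss.html "http://www.google.co.in/search?q=bollywood+actress+kissing"
2011-04-20T10:16:02Z 10.1.2.7 GET http://hiphopblog.com/forum/motorcycle.html "http://www.google.com/imgres?imgurl=http://hiphopblog.com/img/3.jpg&q=custom+motorcycle"
2011-04-20T10:17:30Z 10.1.2.4 GET http://hiphopblog.com/ "-"
2011-04-20T10:18:00Z 10.1.2.5 GET http://hiphopblog.com/2011/04/new-album-review/ "http://twitter.com/"
2011-04-20T10:19:00Z 10.1.2.6 GET http://animefans.example/gallery/red-eye.html "http://www.google.com/imgres?imgurl=http://animefans.example/g/1.jpg&q=anime+red+eye"
2011-04-20T10:20:00Z 10.1.2.6 GET http://animefans.example/gallery/ "-"
2011-04-20T10:21:00Z 10.1.2.8 GET http://animefans.example/forum/ "http://animefans.example/"
"""


def parse_line(line):
    m = LINE.match(line)
    return m.groupdict() if m else None


def is_google_host(host):
    """google.com, www.google.co.in, google.de ... (first label after optional www)."""
    labels = host.lower().split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return bool(labels) and labels[0] == "google"


def search_query(referer):
    """Return the query behind a Google web/image search referer, else None."""
    parts = urlsplit(referer)
    if not parts.hostname or not is_google_host(parts.hostname):
        return None
    if parts.path not in ("/search", "/imgres", "/images"):
        return None
    q = parse_qs(parts.query).get("q")
    return q[0] if q else None


def host_stats(lines):
    """Per destination host: request count, search-referred count, distinct queries,
    and the top-level directories that search traffic lands in."""
    stats = defaultdict(lambda: {"total": 0, "from_search": 0, "queries": set(), "directories": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        target = urlsplit(rec["url"])
        s = stats[target.hostname]
        s["total"] += 1
        query = search_query(rec["referer"])
        if query:
            s["from_search"] += 1
            s["queries"].add(query)
            top = target.path.split("/")[1] if target.path.count("/") >= 2 else ""
            s["directories"].add(top)
    return dict(stats)


def sep_suspects(stats, min_ratio=0.5, min_queries=3, min_dirs=2):
    """Hosts where most traffic is search-referred, for many unrelated queries, into several directories."""
    out = []
    for host, s in stats.items():
        ratio = s["from_search"] / s["total"] if s["total"] else 0.0
        if ratio >= min_ratio and len(s["queries"]) >= min_queries and len(s["directories"]) >= min_dirs:
            out.append(host)
    return sorted(out)
```

The directory count is the "heavily compromised" signal from the post: a link farm dropped into one forgotten upload folder yields one directory, while four separate injection points yield four. A real deployment would also whitelist hosts whose business is search traffic (news sites, image hosts) before alerting.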

–C.L.

 

P.S. Here’s a bonus example for loyal readers who took time to read this far. I saw that one of the searches in our logs was for fattest cat. Here’s one of several images that showed up, courtesy of this link-farm:

screenshot of poisoned search result for fattest cat

While here is the mental image I conjured up for a “fattest cat” picture on a hip-hop site:

image from old joe piscopo beer commercial (fat rapper)

Does anyone else remember this classic Joe Piscopo commercial for Miller Lite beer?

Okay, now I’m showing my age…

:)

Posted in SEO

CBS Money Watch / ZDnet hacked and blacklisted by Google

We are getting reports that CBS MoneyWatch and some ZDNet web sites are currently distributing malware and have been blacklisted by Google. We are still investigating, but if you try to visit the CBS MoneyWatch site (moneywatch.com), you will get a warning from Google:


What is the current listing status for moneywatch.bnet.com/investing?

Site is listed as suspicious – visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What is interesting is the web site being used to distribute the malware (zdnet.com – i.zdnet.com):

Of the 142 pages we tested on the site over the past 90 days, 76 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-04-19, and the last time suspicious content was found on this site was on 2011-04-19.

Malicious software includes 130 exploit(s).

Malicious software is hosted on 1 domain(s), including zdnet.com/.

If we check the diagnostic page for zdnet.com, it also says the following:

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 5 domain(s), including bnet.com/, smartplanet.com/, findarticles.com/.

So something is definitely going on there. We will post more details as we investigate this issue.

Posted in Security

Google Image Poisoning Leads to Exploit

Google search results have traditionally been the target of black hat SEO campaigns. Websense Security Labs has identified a new trend in which cyber criminals take advantage of Google Image search rankings to spread malware.

The Websense Security Labs ThreatSeeker network has detected that Google Image search returns poisoned pictures when searching for the celebrity child “Presley Walker”. We first found on Monday that all the image search results took users to a notorious exploit kit, Neosploit. Later, they changed to redirecting users to rogue AV sites. As we publish this blog, the search results are still poisoned and are leading to Neosploit again. Websense customers are protected from both types of attack by ACE, our Advanced Classification Engine.

The search results for “Presley Walker” through Google Image:

Let’s take a look at the first attack case. When a user clicks the pictures on the top line, the user will be redirected to a Neosploit exploit page.

Below is one of the redirection chains used by this exploit kit:

From the chain, we see that the third URL is the malicious site holding the exploit code. We found that all the exploit sites are hosted on the same IP, 66.235.180.91, and, interestingly, they all use the same path name, TF19, which looks like a pattern of this campaign. Finally the kit triggers whichever of its vulnerabilities fits the user's operating system and browser. From the chain above we see it downloaded a PDF file that targets three Adobe Reader vulnerabilities. This PDF file is heavily obfuscated and has relatively low VirusTotal detection.
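A chain like the one above is reconstructed by following each hop's redirect mechanism and then checking every hop against campaign indicators. The following is an added example written for this article, not Websense code: `next_hop` recognises HTTP `Location`, meta refresh and JavaScript `location` assignment; the responses, hostnames and DNS answers are constructed (reserved `.example` names and documentation IP ranges), and the only indicators taken from the post are the hosting IP 66.235.180.91 and the TF19 path.

```python
"""Walk a redirect chain and match hops against indicators."""
import re
from urllib.parse import urljoin, urlparse

META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*content\s*=\s*[\"']?\s*\d+\s*;\s*url=([^\"'>\s]+)",
    re.I)
JS_LOCATION = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.I)


def next_hop(url, status, headers, body):
    """Return the URL this response sends the browser to, or None if it is a final page."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and "location" in hdrs:
        return urljoin(url, hdrs["location"])
    m = META_REFRESH.search(body) or JS_LOCATION.search(body)
    return urljoin(url, m.group(1)) if m else None


def follow(fetch, start, max_hops=10):
    """fetch(url) -> (status, headers, body). Stops on a final page, a loop, or max_hops."""
    chain = [start]
    url = start
    while len(chain) <= max_hops:
        nxt = next_hop(url, *fetch(url))
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
        url = nxt
    return chain


def match_indicators(chain, resolve, bad_ips, path_markers):
    """resolve(host) -> IP. Returns [(url, reason), ...] for hops touching an indicator."""
    hits = []
    for u in chain:
        p = urlparse(u)
        ip = resolve(p.hostname)
        if ip in bad_ips:
            hits.append((u, f"hosted on {ip}"))
        if any(marker in p.path.split("/") for marker in path_markers):
            hits.append((u, "campaign path marker"))
    return hits


# Constructed responses modelling the chain: poisoned image page -> redirector -> exploit page.
RESPONSES = {
    "http://hacked-blog.example/pics/presley-walker.html":
        (200, {"Content-Type": "text/html"},
         "<html><body><script>window.location='http://tds.example/in.cgi?3';</script></body></html>"),
    "http://tds.example/in.cgi?3":
        (302, {"Location": "http://ek-host.example/TF19/index.php"}, ""),
    "http://ek-host.example/TF19/index.php":
        (200, {"Content-Type": "text/html"},
         "<html><body><object data='exp.pdf' type='application/pdf'></object></body></html>"),
}
# Constructed DNS answers; only the last IP is the real indicator from the post.
DNS = {"hacked-blog.example": "198.51.100.10", "tds.example": "198.51.100.20",
       "ek-host.example": "66.235.180.91"}


def fake_fetch(url):
    return RESPONSES[url]


def fake_resolve(host):
    return DNS.get(host, "0.0.0.0")


def analyse(start):
    """Chain plus indicator hits for a starting URL, using the constructed fetch/resolve."""
    chain = follow(fake_fetch, start)
    return chain, match_indicators(chain, fake_resolve, {"66.235.180.91"}, {"TF19"})
```

When pointing this at live infrastructure, send the Referer and User-Agent a victim would (the previous post on this page shows why), and resolve hostnames at the time of the fetch rather than from a cached table, since these hosts move.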

The list of URLs hosted on the IP, as shown from our Threatseeker network:

Neosploit is a well-known exploit kit in the black market. The authors reportedly stopped supporting and updating the exploit kit due to financial problems, but variants of Neosploit have been updated frequently. The variants may contain MDAC (CVE-2006-0003), ActiveX (CVE-2008-2463, CVE-2008-1898), and three Adobe Reader (Collab.getIcon, Util.Printf, Collab.collectEmailInfo) vulnerabilities, among others.

The second case uses one of the common tricks black hat SEO campaigns always employ: luring users into downloading fake antivirus software, here named InstallInternetProtectionXXX.exe. According to the VirusTotal scan result, only 20% of antivirus engines detected this malware.

The rogue AV page when using Firefox to surf the Web:

Posted in Security

avast! WebRep now in Chrome

You’ve been asking for it… so here it is: As of the latest update to our avast! 6.0 series (earlier this week), avast! WebRep is now available in the Google Chrome browser. ;)

 

Screenshot of WebRep results, for the searched term "warez"

avast! WebRep is based on information received from the global avast! user community about the content and security of visited websites. When you open your web browser, you will see that links are accompanied by a color-coded icon that tells you how the avast! community has rated that particular domain.

Since the release of avast! 6.0 on 23 February, this feature had been available only in the IE and Firefox browsers, but the most recent version of avast! 6.0 includes this functionality for Chrome as well.

Surf safely… and enjoy.

Posted in Avast

Infiltrate 2011 and Offensive Security

Security researchers from around the world are digesting the weekend’s fare at Infiltrate2011, organized by security outfit Immunity. “No policy or high-level presentations, just hardcore thought-provoking technical meat” was promised, and presenters served it up sizzling.

The sessions covered a variety of topics slicing up current offensive security issues, with some defensive interest mixed in. Discussions ranged from technical wizardry attacking hardened Linux kernels to general network exploration and reconnaissance. Infiltrate 2011 itself follows somewhat on the Black Hat/DEF CON conference model, but without the corporate marketing of those conferences. The peer-reviewed set of presentations and research, sponsored by one of the best-known offensive security/penetration testing groups in the business, sets the bar high and keeps the technical content undistracted. The final agenda is listed here.

There are too many interesting sessions from the two days to mention in this space, so only some are mentioned here. Nico Waisman began the conference with a discussion of strategic surprise, understanding the exploitation domain, and a review of the past couple of decades of offensive security research. He discussed the lack of novelty and the sloppiness in many attacks today, driven by money and politically motivated interests, and compared them against the elegant, artistic pursuits of researchers like Solar Designer and others from the 90s. And when the going gets tough, the tough get EIP: Chris Valasek and Ryan Smith carved up exploit development details for the recent overflow bug in Microsoft's FTP server, reported as “unexploitable”, as a limited but usable 0day enabling remote code execution. Tarjei Mandt dished out Windows kernel attack technique details that will most likely be with us for years, and Cesar Cerrudo fired up Windows service protection flaws and attacks that have been present for years and should be present for some time to come. On the mobile side, Bas Alberts and Massimiliano Oldani pored over the Android attack surface, while Sean Heelan and Agustin Gianni stirred up some tricks for attacking the WebKit browser heap. Instead of the usual big corporation names, breaks were sponsored by SADMIND, MS09-050 and LSASS.

Some of the talks were preceded with “we assume that you read and understand our last 80 page paper published on heap exploitation” or similar, leading to the in-depth technical meat you would expect from a quality group.

Posted in Kaspersky

Adobe to Patch Flash Zero Day on Windows, Mac on Friday

Adobe is planning to patch the recently disclosed Flash Player vulnerability on Friday for users on Windows, Mac OS X and Linux. The vulnerability is currently being used in targeted attacks that rely on malicious Word documents.

Adobe said on Wednesday night that it plans to push out the Flash Player patch for Google Chrome today, through the Chrome release channel. A separate patch for Adobe Acrobat X for Windows and Mac, Reader X for Mac, and Reader 9.x for Windows and Mac is due on April 25.

The company is planning to wait until June to release a patch for the Flash Player bug in Reader X for Windows because the sandbox in that application prevents exploitation of the vulnerability. The patch for Chrome will be available earlier than the others thanks to Adobe’s relationship with Google.

“During our response to any zero-day vulnerability, Adobe seeks to protect as many users as quickly as possible. As part of our collaboration with Google, Google receives updated builds of Flash Player for integration and testing. Once testing is completed for Google Chrome, the release is pushed via the Chrome auto-update mechanism. Adobe is testing the fix across all supported configurations of Windows, Macintosh, Linux, Solaris and Android (more than 60 platforms/configurations altogether) to ensure the fix works across all supported configurations. Typically, this process takes slightly longer and, in this case, is expected to complete on April 15 for Flash Player for Windows, Macintosh, Linux and Solaris,” the company said in a statement.

When they disclosed the vulnerability earlier this week, Adobe officials warned customers that the vulnerability was already being used in targeted attacks that were leveraging malicious Flash files embedded in Microsoft Word documents. Microsoft security engineers analyzed the attacks and found that the attackers are using a complex exploit routine to build shellcode and then inject the exploit code into the Flash Player.

Posted in Kaspersky

Google Boosts Android Security With Encrypted Tablets, Remote PIN Reset

Google has boosted the security features of its Android operating system so that lost or stolen Android smartphones can be secured and reset remotely.

Google said its new Google Apps Device Policy for enterprise users allows employees to quickly secure lost or stolen phones running Android 2.2 and up.

With the new version of the Google Apps Device Policy app, employees can quickly secure a lost or stolen Android 2.2+ device by locating it on a map, ringing the device, and resetting the device PIN or password remotely via the new My Devices website.

Android 2.2 and up is used on mobile phones, while Android 3.0 is for tablets, such as the Motorola Xoom. To make Android tablets more business friendly, Google Apps customers will now be able to require encrypted storage on tablets running Android 3.0.

The tablet encryption requirement is achieved through an API that lets administrators enforce policies such as encryption and the aforementioned PIN reset. As with Android phones, it appears that Android tablets will support software-level encryption but not the more robust hardware-level encryption.

The PIN reset and encryption features, as well as a new tool for looking up corporate contacts, will be rolled out to Google Apps business and education customers.

Managing multiple types of devices will be key for any mobile management platform because the smartphone market is not dominated by any one single vendor.

Posted in Quick Heal

Google Chrome-Protecting users from malicious downloads


Google has introduced a new feature for its Chrome browser that will display a warning if a user attempts to download a suspected malicious executable file.

The Chrome team is extending its implementation of the Safe Browsing API service to cover downloaded files.

What is the Safe Browsing API?
The Safe Browsing API is an experimental API that enables client applications to check URLs against Google’s constantly updated blacklists of suspected phishing and malware pages. Your client application can use the API to download an encrypted table for local, client-side lookups of URLs that you would like to check.

The new feature will be integrated with Google Chrome and will display a warning if a user attempts to download a suspected malicious executable file:

This warning will be displayed for any download URL that matches the latest list of malicious websites published through the Safe Browsing API. By adding support for these known malware destinations, Google aims to reduce the number of infections among Chrome users.
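The "local, client-side lookups" mentioned above work by hashing URL expressions rather than sending the URL anywhere: the client downloads only short hash prefixes, and asks the server for full hashes solely when a prefix matches. The following is an added example written for this article, not Google's or Chromium's code; it follows the published Safe Browsing lookup scheme (host-suffix/path-prefix expressions, SHA-256, 4-byte prefixes) in simplified form, with minimal canonicalisation (the real one also normalises percent-encoding, IP-address hosts and path segments), and the blacklist entries and the simulated full-hash server are constructed around reserved `.example` names.

```python
"""Client-side Safe Browsing style lookup with hash prefixes."""
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4


def canonicalize(url):
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().strip(".")
    path = parts.path or "/"
    return host, path, parts.query


def host_expressions(host):
    """Exact host plus up to four suffixes taken from its last five labels (a bare TLD is skipped)."""
    labels = host.split(".")
    exprs = [host]
    tail = labels[-5:]
    for i in range(len(tail)):
        cand = ".".join(tail[i:])
        if len(tail) - i >= 2 and cand != host:
            exprs.append(cand)
    return exprs


def path_expressions(path, query):
    """Exact path with and without query, plus up to four prefixes from the root ("/", "/a/", ...)."""
    exprs = []
    if query:
        exprs.append(f"{path}?{query}")
    exprs.append(path)
    comps = [c for c in path.split("/") if c]
    for i in range(min(len(comps) - 1, 3) + 1):
        exprs.append("/" + "/".join(comps[:i]) + ("/" if i else ""))
    seen, out = set(), []
    for e in exprs:
        if e not in seen:
            seen.add(e)
            out.append(e)
    return out


def expressions(url):
    """Every host/path combination the blacklist might have been keyed on."""
    host, path, query = canonicalize(url)
    return [h + p for h in host_expressions(host) for p in path_expressions(path, query)]


def full_hash(expr):
    return hashlib.sha256(expr.encode()).digest()


def prefix(expr):
    return full_hash(expr)[:PREFIX_LEN]


def build_local_table(bad_expressions):
    """What the client downloads: 4-byte prefixes only, so it never holds the full list."""
    return {prefix(e) for e in bad_expressions}


def lookup(url, local_prefixes, fetch_full_hashes):
    """Return 'safe' or 'malware'. fetch_full_hashes(prefix) models the server round trip
    and is only called on a local prefix hit, so URLs that do not match never leave the client."""
    hits = [e for e in expressions(url) if prefix(e) in local_prefixes]
    for e in hits:
        if full_hash(e) in fetch_full_hashes(prefix(e)):
            return "malware"
    return "safe"  # no hit, or a prefix collision that the full hash ruled out
```

The prefix step is what keeps the check private and the table small; the full-hash step is what keeps a 32-bit collision from blocking an innocent site. A real client also caches full-hash answers and re-downloads table updates on the schedule the server dictates.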

Posted in Quick Heal

Google faster than Adobe

This is something new: Google has managed to release a new Chrome version, 10.0.648.134, for Windows, Mac and Linux. It contains only an updated Flash Player in which the recently discovered zero-day vulnerability is already fixed. This is some days ahead of the official Adobe release, which is planned for next week.

Thus it is a good idea to at least temporarily switch to the Google Chrome webbrowser for safer surfing on the Internet! Users of Chrome can check whether the most recent version is installed already by clicking on the tool symbol and clicking on the  “About Chrome” entry.

Dirk Knop
Technical Editor

Posted in Avira

Google Tool Cleans Up Mobile Malware ‘Dream’

Over the weekend Google released the Android Market Security Tool to help clean up devices infected with the DroidDream malware. The Android/DrdDream family of malware used a pair of exploits (Exploit/LVedu and Exploit/DiutesEx) to gain root access on vulnerable Android devices. More than 50 Android applications were reported to be infected; all were pulled from the Android Market. The applications were all versions of legitimate programs that had been repackaged by the malware authors with malicious code.

Android/DrdDream sends a collection of information (IMEI, IMSI, OS version, etc.) to the attacker and also attempts to download additional payloads. Although the malware uses the pair of root exploits, it doesn’t actually need root access to send the data to the attacker.

Inside the Android Market Security Tool

Google has its official statement on the tool on the Android Market help site. They list a number of steps they’ve taken to remedy Android/DrdDream (“March 2011 Security Issue”):

  • Suspending the developer accounts (three users) and removing the malicious applications from Android Market
  • Remotely uninstalling the malicious apps from infected devices
  • Pushing out the Android Market Security Tool to infected devices

Disabling accounts, taking apps out of the store, and hitting the remote-app kill switch were already well known ways for handling bad Android apps. Sending a security application to a phone is a whole new addition to the toolbox.

As a security researcher I find it interesting to see how new security tools are put together, more so when they come from an operating system developer. Normally I dig into the internals of malware; this time I got to see inside a mobile malware removal tool. Google’s security tool is available on the Android Market, so I was able to grab a copy for analysis.

The Android Market Security Tool is an Android app that also has a non-Dalvik native application component called droiddreamclean. Android/DrdDream drops a few additional files (native binaries, an additional APK, etc.) on an infected phone. Because the files are located outside of the app directory, simply uninstalling the app won’t remove them from the phone. Really cleaning the phone requires access to the file system at a level that standard Android applications can’t reach. The security app launches droiddreamclean to delete the additional files and restore some security settings.

The droiddreamclean binary deletes the second payload, DownloadProvidersManager.apk, downloaded by the Android/DrdDream malware. This prevents the malware from downloading additional malware or updates to the device.

After it gains root access, Android/DrdDream attempts to copy a second payload from its assets directory to the system application directory (/system/app/DownloadProvidersManager.apk). This is a manual installation that completely bypasses the Android Market; because the Market doesn’t record the installation, it can’t be remotely killed. droiddreamclean doesn’t have this problem and instead tries a couple of uninstallation methods: using the “pm” package manager or manually deleting the APK.

The malware copies a renamed “su” executable (/system/bin/profile) to a directory of other system commands. This allows the attacker or updated malware to gain root access in the future. The Security Tool gives that executable the same treatment as the downloader component of Android/DrdDream.

In case the remote kill does not work, the security tool includes a list of apps that are removed using the command-line package manager. The Android/DrdDream authors definitely are not going to be able to slip one through.

A selection of the 58 packages removed by the Android Market Security Tool.

After droiddreamclean finishes, the Android Market Security Tool informs Google that your phone is now clean. It then uninstalls itself. At the end of all this, you get an email from Google telling you that it has removed the malware and that no issues remain.

Google informs you after the Android Market Security Tool finishes cleaning your phone.

Is the Android Market Security Tool enough?

The Android Market Security Tool is a pretty comprehensive tool, but it’s really designed only to clean up Android/DrdDream and its side effects. The tool itself doesn’t patch or reflash the operating system, so the vulnerabilities exploited by Android/DrdDream will remain. Updating the operating system will require help from the manufacturers of the various affected Android devices.

For similar infections, Google might have to follow the route that other security software takes and provide regular updates. The creation of the security tool and the work put into handling the Android/DrdDream issue shows that Google understands the need for mobile security software.
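To make the cleanup logic described above concrete, here is an added Python example (written for this page, not McAfee's or Google's code) that turns `adb shell` output into the same ordered plan the tool follows: the renamed su binary and the manually installed second-stage APK are removed directly, known repackaged apps go through `pm uninstall`, and the APK is only deleted by hand where the package manager cannot be used. The two file paths come from the analysis above; the `ls -l` and `pm list packages -f` samples, the adapter of their format, and the package name com.example.repackaged.game are constructed placeholders (the real tool carries its own list of 58 packages).

```python
import re

# Artefacts named in the analysis above.
SU_DROP = "/system/bin/profile"                            # renamed "su" left behind for later root access
STAGE2_APK = "/system/app/DownloadProvidersManager.apk"    # second-stage downloader installed outside the Market
# Hypothetical placeholder; the real tool ships its own list of 58 repackaged applications.
KNOWN_BAD_PACKAGES = {"com.example.repackaged.game"}


def parse_ls(directory, listing):
    """Map full path -> mode string from Android `ls -l <directory>` output."""
    files = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 6 or len(parts[0]) != 10:
            continue
        name = parts[parts.index("->") - 1] if "->" in parts else parts[-1]
        files[f"{directory}/{name}"] = parts[0]
    return files


def parse_pm(pm_output):
    """Map package name -> APK path from `pm list packages -f` output."""
    pkgs = {}
    for line in pm_output.splitlines():
        m = re.match(r"^package:(\S+)=(\S+)$", line.strip())
        if m:
            pkgs[m.group(2)] = m.group(1)
    return pkgs


def remediation_plan(bin_listing, app_listing, pm_output):
    """Return (findings, shell commands): pm uninstall where the package manager
    knows the app, plain rm where it does not, in the order the tool works."""
    files = parse_ls("/system/bin", bin_listing)
    files.update(parse_ls("/system/app", app_listing))
    installed = parse_pm(pm_output)
    findings, cmds = [], []

    mode = files.get(SU_DROP)
    if mode:
        setuid = mode[3] in "sS"            # owner-execute slot shows 's' when setuid is set
        findings.append(f"{SU_DROP} present, setuid={setuid}: renamed su binary")
        cmds.append(f"rm {SU_DROP}")

    for pkg, apk in sorted(installed.items()):
        if pkg in KNOWN_BAD_PACKAGES:
            findings.append(f"repackaged app {pkg} at {apk}")
            cmds.append(f"pm uninstall {pkg}")

    if STAGE2_APK in files:
        owner = next((p for p, a in installed.items() if a == STAGE2_APK), None)
        findings.append(f"{STAGE2_APK} present, package manager entry: {owner}")
        if owner:
            cmds.append(f"pm uninstall {owner}")   # may fail for a system-partition APK
        cmds.append(f"rm {STAGE2_APK}")            # the fallback the tool also uses

    if any(c.startswith("rm /system/") for c in cmds):
        # Deleting under /system needs root and a writable system partition.
        cmds.insert(0, "mount -o remount,rw /system")
    return findings, cmds


# Constructed sample output in the format the parsers above expect.
SAMPLE_LS_BIN = """\
-rwxr-xr-x root     shell       60016 2010-12-16 01:10 ping
-rwsr-sr-x root     root        26264 2011-03-01 04:12 profile
"""
SAMPLE_LS_APP = """\
-rw-r--r-- root     root      1283144 2010-12-16 01:10 Browser.apk
-rw-r--r-- root     root        42387 2011-03-01 04:13 DownloadProvidersManager.apk
"""
SAMPLE_PM = """\
package:/system/app/Browser.apk=com.android.browser
package:/data/app/com.example.repackaged.game-1.apk=com.example.repackaged.game
"""

if __name__ == "__main__":
    findings, cmds = remediation_plan(SAMPLE_LS_BIN, SAMPLE_LS_APP, SAMPLE_PM)
    print("\n".join(findings))
    print("\n".join(cmds))
```

The plan is only printed, never executed: on a real device every `rm` under /system runs as root, which is exactly the level of access the post says ordinary apps cannot reach, so review the list before pasting it into `adb shell`.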

Posted in McAfee

Patchday: Fresh releases from Microsoft and Google

As announced last Friday, Microsoft released 3 Security Bulletins which deal with patches for 4 security vulnerabilities. One of them is rated critical and resides within the DirectShow framework for the Windows Media Player and Windows Media Center. Other security vulnerabilities which allow for remote code execution affect the Remote Desktop Client and Microsoft Groove. Users and administrators should make sure to install the updates soon.

Also, Google released yet another stable version of its Chrome web browser, version 10.0.648.127. This release closes 23 security holes; in the past week the developers had already fixed 18 vulnerabilities. This time 15 of them are rated high, 3 medium and 5 low. Some additional features make the new version even more interesting: a new version of the JavaScript engine which is said to be faster, a sandboxed Adobe Flash Player in the Windows version of Chrome, and GPU-accelerated video playback, to name a few.

The new release is available via automatic update and thus should be installed already. To make sure you are using the latest version, click on the wrench (tool) icon in Chrome and then on “About Chrome”.

As the Mozilla developers also rushed out a new browser version a short time ago, one could assume that this has to do with the upcoming Pwn2Own contest at the CanSecWest security conference, where hackers can win cash prizes by breaking into a PC, for example via the web browser. Anyhow, since the new versions close security vulnerabilities that cyber crooks can abuse to hijack the computer, it is a good idea to install them ASAP!

Dirk Knop
Technical Editor

Posted in Avira

Search Engine Redirection Malware – How it works (and how to fix it)

Search engine redirection is usually a side effect of malicious software, and the problem remains even after the Trojans or fake antivirus that caused it have been removed from the infected system. No matter what they search for, users see their search results and web pages redirected to affiliate websites.

In the infected system shown below, all the results from Google searches redirect to one of these domains:

  • “00ee.r.google.com”
  • “cbdd.r.google.com”
  • “cab7.r.google.com”
  • “99db.r.google.com”

Note that the redirection also affects other search engines such as Yahoo, Bing and others.

Google search results in which the result links have been replaced with fake r.google.com URLs

Users who notice the google.com hostname will probably assume that this is some form of legitimate Google redirect, and most URL-filtering solutions will allow access to any URL under the google.com domain. The hostnames only appear to belong to Google because the rogue resolver answers for them; the links lead to sites hosting malware or spam.

How does this work?

The remnants of the Trojan infection found on the computer are the following registry values, set on the per-adapter key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<GUID of the network adapter>
  • NameServer = 93.188.163.130,93.188.160.80
  • DhcpNameServer = 93.188.163.130,93.188.160.80

Effectively all domain names are resolved by the rogue DNS servers defined in the registry values above. The DNS server addresses above belong to Promnet Ltd. in Ukraine. We recommend blocking DNS traffic to 93.188.163.0 – 93.188.164.255 and 93.188.160.0 – 93.188.160.255.

The search redirection process happens like this:

  1. User does a search at Google.com
  2. The “rogue DNS” causes the search request to go to “bad server”
  3. “Bad server” does a real Google search on behalf of the original requesting PC
  4. “Bad server” sends back the real Google results page but switches the real URLs with fake destination URLs like 00ee.r.google.com
  5. User clicks on link and goes to 00ee.r.google.com (resolved by “rogue DNS”).  On this page there is malware or spam

The hostnames listed above, such as 00ee.r.google.com, do not really exist and are not resolved by genuine DNS resolvers.

Querying the Google public DNS shows no result:

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16615
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;00ee.r.google.com.             IN      A

But querying the rogue DNS (93.188.163.130) does provide a result:

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58738
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;00ee.r.google.com.             IN      A

    ;; ANSWER SECTION:
    00ee.r.google.com.      600     IN      A       67.210.15.54

In other words, the rogue DNS entry results in:

  • “Damaged” search results with fake URLs
  • Resolution of those fake URLs to send users to sites with malware or spam

Note also the aa flag in the rogue server's reply: it claims to be authoritative for a name under google.com, which a legitimate recursive resolver forwarding the query would never do.
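The two dig transcripts above can be turned into a repeatable check. The following Python is an added example (not part of the original post): it extracts the NameServer and DhcpNameServer values from `reg query` output, flags any address inside the ranges the post recommends blocking, and compares a trusted and a suspect resolver's answers for a canary name, reporting the suspect one when it hands out an address for a name the trusted resolver says does not exist. The sample registry text, the adapter GUID and the replies built by fake_reply are constructed for the example; query() performs a live lookup if you want to point it at a real resolver.

```python
import ipaddress
import re
import socket
import struct

# Resolver ranges the post above recommends blocking.
ROGUE_RANGES = [
    (ipaddress.ip_address("93.188.163.0"), ipaddress.ip_address("93.188.164.255")),
    (ipaddress.ip_address("93.188.160.0"), ipaddress.ip_address("93.188.160.255")),
]
NOERROR, NXDOMAIN = 0, 3


def in_rogue_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(lo <= addr <= hi for lo, hi in ROGUE_RANGES)


_VALUE_RE = re.compile(r"^\s*(NameServer|DhcpNameServer)\s+REG_SZ\s+(\S+)\s*$")


def parse_nameservers(reg_query_output):
    """Collect resolver IPs from `reg query HKLM\\...\\Tcpip\\Parameters\\Interfaces /s` text."""
    found = {}
    for line in reg_query_output.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            found.setdefault(m.group(1), []).extend(ip for ip in m.group(2).split(",") if ip)
    return found


def rogue_resolvers_configured(reg_query_output):
    """Configured resolver addresses that fall inside the rogue ranges."""
    return sorted({ip for ips in parse_nameservers(reg_query_output).values()
                   for ip in ips if in_rogue_range(ip)})


def build_query(name, txid=0x1234):
    """Minimal DNS A query in wire format (RD set, no EDNS)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)


def _skip_name(data, pos):
    while True:
        n = data[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + n


def parse_response(data):
    """Return (rcode, [IPv4 answers]) from a DNS reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4          # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.append(str(ipaddress.IPv4Address(data[pos:pos + 4])))
        pos += rdlen
    return flags & 0x000F, answers


def query(server, name, timeout=3.0):
    """Send build_query() to `server` over UDP and return the raw reply (live network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]


def resolver_disagreement(trusted_reply, suspect_reply):
    """True when the trusted resolver says NXDOMAIN but the suspect one hands out an
    address, which is exactly the behaviour shown for 00ee.r.google.com above."""
    t_rcode, _ = parse_response(trusted_reply)
    s_rcode, s_addrs = parse_response(suspect_reply)
    return t_rcode == NXDOMAIN and s_rcode == NOERROR and bool(s_addrs)


# Constructed sample data so the check runs offline (adapter GUID is made up).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}
    EnableDHCP        REG_DWORD    0x1
    NameServer        REG_SZ       93.188.163.130,93.188.160.80
    DhcpNameServer    REG_SZ       93.188.163.130,93.188.160.80
"""


def fake_reply(name, rcode, addr=None, txid=0x1234):
    """Constructed wire-format reply standing in for a real resolver (QR, RD, RA set)."""
    question = build_query(name, txid)[12:]
    answer = b""
    if addr:
        answer = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 600, 4) + ipaddress.IPv4Address(addr).packed
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    return header + question + answer


if __name__ == "__main__":
    print("rogue resolvers in registry:", rogue_resolvers_configured(SAMPLE_REG_QUERY))
    trusted = fake_reply("00ee.r.google.com", NXDOMAIN)
    suspect = fake_reply("00ee.r.google.com", NOERROR, "67.210.15.54")
    print("suspect resolver invents answers:", resolver_disagreement(trusted, suspect))
```

On a live machine, feed `reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s` into rogue_resolvers_configured and pass query("8.8.8.8", name) and query(suspect_ip, name) to resolver_disagreement; a canary name that does not exist anywhere is enough, since only a server serving its own fake zone will answer it.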

Restoring the DNS settings is the solution to the problem:

1.  Go to the “Network Connections” window.

For Windows 7

  • Go to Start > Control Panel > Network and Internet > Network and Sharing Center.
  • In the left-hand column, click Change adapter settings.
  • A new screen will open with a list of network connections.

For Windows Vista

  • Go to Start > Control Panel > Network and Internet > Network and Sharing Center.
  • In the left-hand column, click Manage network connections.
  • A new screen will open with a list of network connections.

For Windows XP

  • Go to Start > Control Panel > Network Connections.

2.  Right-click Local Area Connection or Wireless Network Connection and select “Properties”.

3.  Select Internet Protocol (TCP/IP) (on Vista and Windows 7: Internet Protocol Version 4 (TCP/IPv4)), and then click Properties.

4.  If you want to obtain DNS server addresses from a DHCP server, click “Obtain DNS server address automatically”.

5.  If you want to manually configure DNS server addresses, click “Use the following DNS server addresses”, and then type the preferred DNS server and alternate DNS server IP addresses in the “Preferred DNS server” and “Alternate DNS server” boxes.

Afterwards, run ipconfig /flushdns to discard cached answers from the rogue server. Since DhcpNameServer also held the rogue addresses, renew the lease (ipconfig /release, then ipconfig /renew) and check the value again; if it still shows the rogue addresses, the DHCP server (usually the home router) is handing them out and its own DNS settings need to be checked too.

Posted in Antivirus, Commtouch

Trojans spread over Google Groups

May 12, 2010

The Russian anti-virus vendor Doctor Web warns that cyber-criminals have started spreading malicious programs over the Google Groups service. In particular, user systems may get infected with different modifications of Trojan.Fakealert.

First a user receives a spam message containing a link to a file that can be downloaded from a Google group created by the criminals. Various social engineering tricks are applied to lure the user into downloading this file. For instance, the message may inform you that e-mail access parameters have been changed and that you need to download a manual before you proceed with editing your account information. You may also be notified that your e-mail account has been compromised and that the instructions file will tell you how to deal with this situation.

Once a user clicks on the link, he gets to a page containing a download link to the file. The file can contain modifications of Trojan.Fakealert (fake anti-viruses).

If you try to follow such a link several hours after the bulk of spam messages has been sent out, Google Groups will inform you that the page you are about to open may contain spam. However, choosing “I would like to view this content” will still allow you to access the download page, so access to the malicious file is not actually disabled.

Doctor Web recommends users of Dr.Web software to use caution whenever you get a message from an unfamiliar sender especially if such a message concerns your e-mail account information or other personal data.

Posted in DrWeb

Two-Factor Auth: Can we just Google the response?, (Fri, Feb 11th)

Google announced earlier that they are now offering two-factor authentication to all of their users. More information is available at the Google Blog. This is an extension to the service offered to their Apps customers last month. While normally I would think that advertising a service wouldn't fit in this diary, this is a little more than the regular new feature. In my opinion, it's a big change in how people think about two-factor authentication.

We have known for years that passwords are one of the weakest points in our security controls. Users pick weak ones or share them with anyone who asks nicely. Even security consulting firms will fall for simple social engineering attacks and reveal them. One answer, two-factor authentication, has been proposed often, but is shot down almost as often. Clients often tell me that the cost is too high to roll out a solution, which I have always felt was the wrong answer. Of course, I am the paranoid security nerd. When this happens, I propose one of two solutions that try to help lower the cost.

The first is where the site or organization passes on the cost to the user. Blizzard does this for their Battle.net accounts. If the user feels that they should use two-factor authentication, they can either pay for a fob (the token generator) or install a smart-phone application. Of course I always laugh that my virtual gold in my World of Warcraft account is safer than my real gold in my bank account.

The second route is the one Google has chosen. When a user activates the system, their log-on process has an extra step. After entering their password, they receive a phone call or an SMS that contains the token. They enter this into the form and if it's correct, they gain access to their account. This lowers the cost of deployment because it removes the need for a fob to be sent to every user.

So the questions are pretty simple. First, how do you think two-factor authentication should be implemented, and how do you deal with the cost? :-)

Kevin Johnson

Secure Ideas

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
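To make the second route concrete, here is an added Python sketch of the server side of the SMS/voice-token step (illustrative code written for this page, not Google's implementation and not part of the diary above): the code is generated only after the password check has passed, the server stores a salted hash of it rather than the code itself, it expires, it is single-use, and a few wrong guesses discard it. The class name, code length, lifetime, attempt limit and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6        # what fits in an SMS or a spoken voice call
CODE_TTL = 300         # seconds a delivered code stays usable
MAX_ATTEMPTS = 3       # wrong guesses before the code is discarded
PBKDF2_ROUNDS = 10_000


class SecondFactor:
    """Server side of the 'we text or call you a code' step (hypothetical class)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # user -> (salt, hash, expires_at, attempts_left)

    @staticmethod
    def _hash(code, salt):
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)

    def issue(self, user):
        """Call only after the password check passed. Returns the code for the SMS/voice
        gateway; the server keeps just a salted hash, so a database leak does not leak live codes."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user] = (salt, self._hash(code, salt), self._clock() + CODE_TTL, MAX_ATTEMPTS)
        return code

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing issued, already used, or locked out
        salt, expected, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user]
            return False
        if hmac.compare_digest(self._hash(submitted, salt), expected):
            del self._pending[user]           # single use
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user]           # force a fresh code after too many guesses
        else:
            self._pending[user] = (salt, expected, expires_at, attempts_left)
        return False


if __name__ == "__main__":
    sf = SecondFactor()
    code = sf.issue("alice")                  # would go to the SMS/voice gateway
    print("wrong guess accepted:", sf.verify("alice", "000000" if code != "000000" else "000001"))
    print("right code accepted:", sf.verify("alice", code))
    print("replay accepted:", sf.verify("alice", code))
```

Six digits with three guesses caps an online guess at 3 in a million per issued code, so the attempt limit matters more than the code length. The cost saving is real, but the delivery channel becomes part of the trust boundary: whoever controls the user's phone number receives the second factor, so the number deserves the same protection as the password.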

Posted in Security

Potty humor: Google TISP service (beta)


Our rogue researcher (and that’s “rogue” in all senses of the word) Patrick Jordan found this over the weekend. We’re not sure how.

Somebody — hopefully with legitimate site access — appears to be having some fun with some potty humor. It has a discussion forum too.

Thanks Patrick

Tom Kelchner

Update:

We just discovered that this was a Google April Fools Day joke some years ago. They apparently have a history of jokes like this.

Posted in GFI Software

Chrome Gets Shinier: Google Browser Tightens Security Screws

Google has updated its Chrome Web browser and fixed nine of the browser’s security vulnerabilities in the process.

The updated Chrome version 9 was rolled out last week and includes patches for nine defects, including flaws in the built-in PDF viewer and the secure sockets layer (SSL) libraries that left Chrome open to attack.

The Chrome update also addressed an error in the browser’s audio handling that could have allowed an attacker to escape Chrome’s built-in sandbox, the mechanism that confines rendering code so that a compromised page cannot reach the rest of the system, according to Computerworld.

Chrome’s quick fix comes at a good time for Google, which announced it would pay $20,000 to anyone who could hack into Chrome at next month’s CanSecWest conference.

To check for an update, users can go to the wrench icon in the browser’s upper right corner and select “About Google Chrome.” Chrome will check for security updates and inform you if any are available.

© 2011 SecurityNewsDaily. All rights reserved.

Posted in Security

Google search results warn about hijacked sites

Last Friday, Google announced a new warning for hijacked sites displayed within search results. The new warnings say “This site may be compromised”. Such results represent legitimate sites that have likely been hijacked to host spam pages which redirect users to another malicious domain.

It is another step forward for Google in its battle against blackhat spam SEO, but it is not entirely new. Google was already displaying warnings for some of the hijacked sites, but not all of them: “This site may harm your computer.” was already displayed for certain sites, and several hijacked sites still carry this warning. That warning appears for all pages within a potentially compromised domain, including hijacked pages, legitimate pages and spam. I don’t know if Google plans to change these warnings to the new, and more accurate, warning.

Hijacked site with old warning

Google seems to be very hesitant to blacklist entire sites, and I can understand why. However, I hope they will be willing to add more warnings to their search results. This should make webmasters aware that their website has been hijacked, and Google users in turn should become more aware of the blackhat spam SEO issue.

Google has not, however, implemented this new warning correctly. I did a search for one of the hijacked sites, bizfarm.net. The warning is shown for http://bizfarm.net/ only and not for the other compromised pages on the domain.

Warning about hijacked site

The home page does not actually redirect to a malicious page. But the spam pages, which redirect users to a fake AV page, do not have any warning in the Google search results. I tried other domains and saw the same type of issue.

No warning from Google about the actual malicious pages

Overall, very few domains have this new warning. Many hijacked domains continue to display no warning whatsoever. I also checked the search results for the recent popular search “mary lou henner”. On December 19th, there were 10 malicious spam pages redirecting to a fake AV page, but only 3 of the results included warnings, and all 3 were the old “This site may harm your computer”. None stated that the results might be hijacked pages.

Finally, my biggest disappointment is that this new warning does not help users as much as it could, even if Google fixes the problems described above. When a user clicks on a link that Google flagged as “may harm your computer”, he is sent to an interstitial warning page and has to enter the URL manually in the browser address bar to reach the dangerous page. The Referer header then does not show google.com, so in most cases the spam page will not redirect the user to the malicious domain. With the new warning, however, the search result link points directly to the malicious spam page; the Referer shows that the user is coming from a Google search, and the spam page redirects the user to a malicious domain.

This new warning has the potential to be a significant step forward in the fight against Blackhat spam SEO. More webmasters and more users will be aware of the issues over time, but first, Google has to display the warnings in the right place, below the actual malicious links, and extend their list of hijacked sites. Hopefully they will consider changing the malicious links as well, so that users have to do more than clicking on a single link to put themselves at risk.
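The Referer-dependent behaviour described above can be probed directly. The following Python is an added example (not part of the original post and not Google's tooling): it requests a page twice, once plain and once with a Google search page as Referer, and flags the page when only the Google-referred request is bounced to another host. The hostnames, the User-Agent string and the fake_hijacked_site stand-in are constructed for the example; http_fetch is the live fetcher for real use.

```python
import http.client
from urllib.parse import urlsplit

UA = "Mozilla/5.0 (compatible; cloak-probe/1.0)"            # hypothetical probe User-Agent
GOOGLE_REFERER = "https://www.google.com/search?q=example"   # what a click from a results page sends


def http_fetch(url, headers, timeout=10):
    """One request, redirects not followed; returns (status, response headers)."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        target = (u.path or "/") + ("?" + u.query if u.query else "")
        conn.request("GET", target, headers=headers)
        resp = conn.getresponse()
        return resp.status, {k.title(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def redirect_target(status, headers):
    return headers.get("Location") if 300 <= status < 400 else None


def detect_referer_cloaking(url, fetch=http_fetch):
    """Fetch with and without a Google Referer; report when only the referred visit
    is redirected, or is redirected somewhere the plain visit is not."""
    plain = redirect_target(*fetch(url, {"User-Agent": UA}))
    referred = redirect_target(*fetch(url, {"User-Agent": UA, "Referer": GOOGLE_REFERER}))
    if referred is None:
        return "consistent", None
    if plain is None or urlsplit(plain).hostname != urlsplit(referred).hostname:
        return "referer-cloaked", referred
    return "consistent", referred


# Constructed stand-ins for the two cases (hostnames are hypothetical).
def fake_hijacked_site(url, headers):
    """Serves normal content to a direct visit, bounces search-engine visitors to a fake-AV host."""
    host = urlsplit(headers.get("Referer", "")).hostname or ""
    if host == "www.google.com" or host.endswith(".google.com"):
        return 302, {"Location": "http://fakeav.example.test/scan.php"}
    return 200, {"Content-Type": "text/html"}


def fake_clean_site(url, headers):
    return 200, {"Content-Type": "text/html"}


if __name__ == "__main__":
    print(detect_referer_cloaking("http://hijacked.example.test/spam/page.html", fake_hijacked_site))
    print(detect_referer_cloaking("http://clean.example.test/", fake_clean_site))
```

Run detect_referer_cloaking(url) against a real page to use the live fetcher. The same check explains the post's point about the interstitial: a user who retypes the URL arrives without the Google Referer and, like the plain request here, sees the harmless content, while a direct click from the results page triggers the redirect.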

Posted in Security

Google fixes 9 bugs in Chrome, including sandbox-escape flaw

Google on Thursday patched nine bugs in Chrome and upgraded the most stable edition of the browser to version 9.

Full story: Network World on Security

Posted in Security

Can Google weed out the content farms?

Google is trying to figure out a tweak for its search algorithm that will stop junk web sites — “content farms” — from achieving high search rankings, according to a great article in Technology Review.

In the Review, Tom Simonite wrote: “Speaking this week at Farsight 2011, a one-day event in San Francisco on the future of search, the firm’s (Google’s) principal search engineer, Matt Cutts, said that Google is considering tweaks to the algorithms that guide its search results. It’s also considering more radical tactics, such as letting users blacklist certain sites from the results they see.”

This is going to be a very big issue. Marketing departments and the people who design and maintain their web sites center their efforts on search engine optimization. High ranks in Google search results are worth money – a load of money since advertisers pay by the click. We’ve all seen worthless sites that have learned to game the search algorithm and deliver junk content. Some are so bad they’re almost a form of click fraud. It is possible to go through dozens of these in the course of a search before you find a site that actually gives you some significant information on the topic you’re searching for.

I suspect it isn’t going to be an easy “tweak” to make. The crappy sites will continue to tweak their content to evade the changes so they continue to make money on the clicks.

Tom Kelchner

Full story: GFI Labs blog

Posted in Antivirus

Microsoft Patchday ahead, Google secures Chrome

Microsoft today announced that it plans to release 12 security bulletins on the upcoming Patch Tuesday. The corresponding updates close 22 security holes in the Windows operating systems, Internet Explorer and Microsoft Office. Of those, 3 bulletins address vulnerabilities rated critical and the rest are rated important; 5 of the bulletins deal with vulnerabilities which allow attackers to execute code remotely on affected computers. Be prepared to test and roll out the updates as soon as possible!

According to a blog post in Microsoft’s Security Response Center, the February Patchday updates will fix the MHTML processing vulnerability as well as the thumbnail rendering security hole.

And then there is version 9.0.597.84 of the Google Chrome browser, which fixes 9 security vulnerabilities: one rated critical, 2 high and the remaining 6 rated ‘low’ by the Google developers. As usual, the update is installed automatically in the background. To be sure the latest version is installed and active, open the Chrome menu and check the ‘About Chrome’ entry; if the update wasn’t installed yet, this triggers it.

Dirk Knop
Technical Editor

Full story: Avira – TechBlog

Posted in Antivirus
