Tag Archive | "Google"
Posted on 03 February 2011. Tags: advertising, Google, Scam
How many clicks does it take to get to the malicious code of an infected Web site? The answer is usually just two, as reported in our previous blog. And how many clicks does it take to get to a scam? More surprisingly in some instances, all you need is just one click.
Websense Security Labs™ ThreatSeeker™ Network has observed that banner advertisements from established e-marketing firms have become more questionable. Phishing and scam contents are potentially being published to any name sites carrying these ad banners. Websense customers have been protected against this trend with our Advanced Classification Engine – ACE.
Example 1:

Example 2:

While researching the dynamic ad banners, we found the link to the ad source was specifically catering for a regional audience.

By isolating the ad source, we are able to reproduce and retrieve similar ads:

By clicking on the various ads, we were redirected to English and Chinese versions of the same work-at-home scams. Both claim you can easily work and receive large paychecks from Google.


Internet users are finding themselves ever closer to threats, with third-party ad services distributing advertisements literally anywhere. This then increases the chances of someone falling victim to such scams. In particular, these scam advertisements can be targeted to a specific audience with regional or demographical reach, and there is very limited control beyond that one click when you are redirected to an external site.
The smh.com.au site is most likely unaware this is happening, as Doubleclick, a subsidiary of Google, are the ones serving the ads. In addition, we can deduce Google is not in any sense offering these jobs with such huge payouts but rather are falling victim to the scam and consequently name tainting. An earlier blog in 2009 proves these scam adverts specifically offering jobs are not new, except for the change in being able to target an audience.
Full story: Security Labs
Posted in Antivirus
Posted on 28 January 2011. Tags: browsing, Google, implementation, Notes, Safe
I wanted to share what I learned while implementing Net::Google::SafeBrowsing2, a Perl library for Google Safe Browsing v2. I have put together “Google Safe Browsing v2 API: implementation notes”, a collection of notes and real-world numbers about the API. This is intended for people who want to learn more about the API, whether as a user or to make their own implementation.
This is not another description of the API. Rather, it provides information about what you should expect from the API:
- how many updates does it take to get the full database initially
- how many updates there are per day on average
- how many add chunks and sub chunks you should expect
- how to test a library
- key differences between version 1 and 2
- etc.
The DOC and PDF versions can be downloaded from our website:
– Julien
Full story: Zscaler Research
Posted in Antivirus
Posted on 26 January 2011. Tags: Google, Internet, record, sets, traffic
In their earnings call last week, Google announced a record 2010 third-quarter revenue of $7.29 billion (up 23% from last year). The market rejoiced and Google shares shot past $615 giving the company a market cap of more than $195 billion.
This month, Google broke an equally impressive Internet traffic record — gaining more than 1% of all Internet traffic share since January. If Google were an ISP, as of this month it would rank as the second largest carrier on the planet.
Only one global tier1 provider still carries more traffic than Google (and this ISP also provides a large portion of Google’s transit).
In the graph below, I show a weighted average percentage of Internet traffic contributed by the search / mobile OS / video / cloud giant. As in earlier posts, the Google data comes from 110+ ISPs around the world participating in ATLAS. The multiple shaded colors represent different Google ASN and reflect ongoing global traffic engineering strategies.

Google now represents an average 6.4% of all Internet traffic around the world. This number grows even larger (to as much as 8-12%) if I include estimates of traffic offloaded by the increasingly common Google Global Cache (GGC) deployments and error in our data due to the extremely high degree of Google edge peering with consumer networks. Keep in mind that these numbers represent increased market share — Google is growing considerably faster than overall Internet volumes which are already increasing 40-45% each year. More data on general Internet growth trends is available in some of our earlier papers and blog posts.
While it’s not news that Google is Big, what is amazing is how much bigger Google continues to get.
A quick analysis of the data also shows Google now has direct peering (i.e. not transit) with more than 70% of all providers around the world (an increase of 5-10% from last year). In fact, the only remaining major group of ISPs without direct Google peering are several of the tier1s and national PTTs — many of whom will not settlement-free peer with Google due to regulatory prohibitions or commercial strategy.
While the business press may debate Google’s future (i.e. can it expand beyond search and continue its earnings growth?), for now Google’s traffic growth continues apace with massive corresponding impact on the network topology, peering arrangements and the overall Internet infrastructure.
- Craig
Full story: Security to the Core | Arbor Networks Security » 2010
Posted in Antivirus
Posted on 25 January 2011. Tags: Google, Mozilla, Steps, take, track
AFP – Mozilla and Google on Monday took steps toward giving people more online privacy but each said hurdles remain to creating simple “Do Not Track” buttons for Web browsing software.
Full story: Yahoo! News: Security News
Posted in Security
Posted on 25 January 2011. Tags: Facebook, from, Google, Lead, Malware, Messages, Personal, Thank
Take a look at a couple of email messages Sophos intercepted earlier today.
Firstly, the great guys at Google have been in touch. Their message, entitled “Thank you from Google!”, says that they have received my job application and are investigating whether they have the right position inside their company for me.
If I’ve forgotten the details of my job application (which I clearly have, as I can’t for the life of me remember applying for a job at the Googleplex) then they’ve handily attached it as CV-20100120-112.zip.

And here’s a message from Facebook. They’ve dropped me a note as well – with the title “You have got a new message on Facebook!” – to say that I’ve received a personal message from an unnamed friend.

Rather than visiting the Facebook site (which is such a pain, isn’t it?), Facebook have kindly attached the personal message to the email as a file called Facebook message.zip.
Hopefully none of you would be foolish enough to click on the attachments, because they are – of course – malicious.
Sophos products detect the ZIP files in both cases as Troj/ZipMal-AM and their contents as the W32/AutoRun-BHX worm.
Always be suspicious of unsolicited email attachments, and ensure that your anti-virus protection is up-to-date. Malware campaigns can take different disguises and users must learn to be on their guard.
In fact, just as I finish writing this I see there’s another campaign spreading the same malware.
The subject line this time?
"Laura would like to be your friend on hi5!"
Full story: Naked Security – Sophos
Posted in Antivirus
Posted on 18 January 2011. Tags: Apps, Google, Security
Posted in Video
Posted on 09 January 2011. Tags: Apps, Email, enhances, Google, Security
Google has taken a step to stop legitimate e-mail messages sent by its Apps customers from getting caught in spam filters.
Full story: Computerworld Security News
Posted in Security
Posted on 27 December 2010. Tags: Alerts, been, compromised, Google, Mashable, search, Site, users
Mashable – In its quest to fight malware and spammers, Google is now informing users when a website listed in its search engine has been compromised. – on Yahoo! News: Security News
Posted in Security
Posted on 26 December 2010. Tags: adds, Alerts, Google, Hacked, Results, search, Site, World
PC World – One of the easiest ways for attackers to lure victims is by planting malware on seemingly innocent-looking Web sites, or actually compromising legitimate Web sites. Google is doing its part to help users make informed decisions about the sites they visit, and avoid having their PCs infected with a new hacked site identification feature being added to Google search results. – on Yahoo! News: Security News
Posted in Security
Posted on 21 December 2010. Tags: after, distribute, domain, Google, Malware, Microsoft, Name, trickery

Ads served by DoubleClick (Google) and MSN (Microsoft) were distributing drive-by malware last week after attackers were able to trick the networks using a ploy from the phishers’ playbook: they masqueraded as a legitimate advertising provider by using a domain name that looked the same as the provider’s.
AdShuffle.com is a legitimate company selling ads to various ad networks, including DoubleClick and MSN. AdShufffle.com—three fs—is not, but it looks close enough to AdShuffle.com that the networks were tricked. These banner ads attempted to use a range of exploits (two Internet Explorer, one Java, and four Adobe Reader flaws—all of which are currently patched) to install the HDD Plus malware. HDD Plus is bogus disk diagnostic software; it warns of impending failures, and says that to avoid trouble you should buy the full version.
Analysis of the attacks suggests that various obfuscation techniques were used to disguise the exploitation, and that as a result, antivirus software was having a hard time detecting and trapping the attacks. The offending ads have been pulled by the networks in question, but the people behind the attack have registered more domains and similar attempts are likely to occur in the future.
Phishing attacks aimed directly at end-users have long used this kind of look-alike URL to trick users into trusting content that they shouldn’t, and typo-squatting, relying on users misspelling URLs when they type them into their browser, is a long-standing phenomenon. Clearly these techniques work, but it’s a little disappointing that the gatekeepers at both DoubleClick and MSN fell for the same trick. The broad reach of these advertising networks means that exposure to the bad ads may have been significant, though neither network has disclosed exactly how many people were exposed to the ads in question.
In addition to exposing human flaws, the attacks show that the automated procedures used by the networks aren’t good enough; though the networks do claim to have malware filtering that detected the malware in question, this was not sufficient to prevent real-world exploitation.
This is not the first time that a company has been tricked into running malicious ads; last year, the New York Times’ Digital Advertising department ran Vonage ads that included drive-by malware. Tricking an advertising network like DoubleClick and MSN allows for even more widespread distribution, making it likely that other networks will be similarly targeted—indeed, they may have been targeted already.
– on Security
Posted in Security
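The look-alike domain trick in the 21 December 2010 item above (AdShufffle.com posing as AdShuffle.com) is something an ad network or a web proxy can screen for before a creative is accepted. The following is an added example, not code from any of the quoted articles: the `APPROVED` partner list, the sample URLs and all function names are assumptions, and only the AdShuffle.com / AdShufffle.com pair comes from the article.

```python
"""Flag ad-source domains that imitate an approved advertising partner."""
import re
from urllib.parse import urlsplit

# Assumed allowlist of partner domains (constructed for this example).
APPROVED = {"adshuffle.com", "doubleclick.net", "msn.com"}
# Digits commonly used in place of letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def host_of(url):
    """Lower-cased hostname of a creative's source URL, without a trailing dot."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return host.rstrip(".").lower()


def base_domain(host):
    """Last two labels. Assumption: fine for .com/.net; production code
    should use the Public Suffix List and decode punycode first."""
    return ".".join(host.split(".")[-2:])


def skeleton(name):
    """Fold digit look-alikes, drop hyphens, collapse repeated characters."""
    folded = name.translate(CONFUSABLES).replace("-", "")
    return re.sub(r"(.)\1+", r"\1", folded)


def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(url, approved=APPROVED):
    """Return (verdict, partner): 'approved', 'lookalike' or 'unknown'."""
    domain = base_domain(host_of(url))
    if domain in approved:
        return ("approved", domain)
    name = domain.split(".")[0]
    for partner in sorted(approved):
        pname = partner.split(".")[0]
        # Short names get a tighter threshold to limit false positives.
        limit = 1 if len(pname) < 8 else 2
        if skeleton(name) == skeleton(pname) or edit_distance(name, pname) <= limit:
            return ("lookalike", partner)
    return ("unknown", None)


# Constructed sample input: source URLs of submitted ad creatives.
SAMPLE_CREATIVES = [
    "http://ads.adshuffle.com/creative/1.js",
    "http://cdn.adshufffle.com/creative/1.js",
    "https://d0ubleclick.net/x",
    "http://dobuleclick.net/",
    "http://example.org/banner",
]

if __name__ == "__main__":
    for creative in SAMPLE_CREATIVES:
        print(creative, classify(creative))
```

A `lookalike` verdict is a reason to hold the creative for manual review, since the comparison is on the name label only and an unrelated domain can land within the threshold.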
Posted on 18 December 2010. Tags: adds, Google, Hacking, Notifications, Results, search, Site
Google has started notifying its search engine users of sites in their list of query results that may have been compromised by hackers. – on Computerworld Security News
Posted in Security
Posted on 13 December 2010. Tags: Briefly, Google, Malware, Microsoft, networks, World
PC World – For a brief period this week, cybercriminals managed to infect Google’s and Microsoft’s online ad networks with malicious advertisements that attacked users’ PCs, according to security consultancy Armorize. – on Yahoo! News: Security News
Posted in Security
Posted on 13 December 2010. Tags: Briefly, Google, Malware, Microsoft, networks
For a brief period this week, cybercriminals managed to infect Google’s and Microsoft’s online ad networks with malicious advertisements that attacked users’ PCs, according to security consultancy Armorize. – on Computerworld Security News
Posted in Security
Posted on 11 December 2010. Tags: Google, right, Secuirty, team, Yeah
We have been seeing such odd emails lately, to many known people. The following is what you see:
Delivered-To: contact.fingers@gmail.com
Received: by 10.216.231.225 with SMTP id l75cs370150weq; Mon, 18 Oct 2010 17:32:08 -0700 (PDT)
Received: by 10.150.189.4 with SMTP id m4mr1016538ybf.418.1287448326586; Mon, 18 Oct 2010 17:32:06 -0700 (PDT)
Return-Path:
Received: from ariel.nocdirect.com (ariel.nocdirect.com [69.73.170.16]) by [...]
– PhishMaster on KaffeNews
Posted in Security
Posted on 07 December 2010. Tags: Alleging, Cable, Chinese, Google, Hack, order, released
The State Department cable referred to last week in reports as alleging that the Chinese Politburo ordered the attacks on Google a year ago has been released.
The actual text of the cable is available from the Guardian, a UK paper. The relevant excerpt follows:
XXXXXXXXXXXX told PolOff that the closely held Chinese government operations against Google had been coordinated out of the State Council Information Office XXXXXXXXXXXX It was not until Google’s public announcement of the intrusions into its systems that the issue had been discussed more widely within the Party. (Note: It is unclear whether President Hu Jintao and Premier Wen Jiabao were aware of these actions before Google’s going public.) As a result of Google’s announcement, the PBSC had taken up the issue of Internet controls and the Google case in a series of meetings (reftel). XXXXXXXXXXXX stated that PRC operations against Google were “one hundred percent” political in nature and had nothing to do with removing Google, with its minority market share, as a competitor to Chinese search engines. Separately, XXXXXXXXXXXX told ECON MinCouns that he believed PBSC member XXXXXXXXXXXX was working actively with Chinese Internet search giant Baidu against Google’s interests in China.
XXXXXXXXXXXX is the redacted name of the source. It appears that Wikileaks redacted it. The State Council Information Office is not exactly, as the New York Times reports, the Politburo. The Office describes itself, on their own site china.org.cn, as:
…the State Council’s office equivalent to the Publicity Department which reports to the Party Central Committee. While not normally involved in media regulation, the Information Office of the State Council has influence on Ministry of the Information Industry (MII), the General Administration of Press and Publications (GAPP) and the State Administration of Radio, Film and Television (SARFT) in addition to its propaganda role.
The cable covers related topics, mostly having to do with reactions in the state-controlled Chinese press to Google’s revelation of the attacks and their demand at the time not to perform censorship anymore. The Chinese press reactions, unsurprisingly, defended government regulations and accused the US government of collusion with Google and other US companies and of hypocrisy.
– on Security Watch
Posted in Security
Posted on 06 December 2010. Tags: adds, Bugs, Chrome, Google, quashes, viewer
Google on Thursday patched 13 vulnerabilities in Chrome as it shifted the most stable edition of the browser to version 8. – on Computerworld Security News
Posted in Security
Posted on 04 December 2010. Tags: Adobe, Chrome, flash, Google, Sandbox, Ship
There’s been a lot of news related to software sandboxing in the last week, but one event in particular: Google has moved version 8 of Chrome (specifically 8.0.552.21) into the “Stable” channel, making it the release-level version.
Version 8 adds a PDF reader built into the browser and moves the already integrated Adobe Flash Player into the Chrome sandbox. Thus two of the biggest attack targets for Windows users become substantially neutered.
At the same time Google announced 12 vulnerabilities fixed in the new version and, as usual, the importance of the severity ratings is being ignored in most reports. 4 of the vulnerabilities are rated “High,” less than the maximum of “Critical,” largely because High vulnerabilities don’t get out of the sandbox. As you can see from Google’s severity guidelines, High vulnerabilities can be quite serious, such as cross-site scripting bugs, but all four of these High bugs appear to be memory management bugs which won’t allow any abuse out of the sandbox, and therefore won’t allow anything all that serious to happen to the PC.
I’ve been using the PDF reader in the Beta channel for some time and functionally it’s basic. What it does is to read the PDF and render it in the browser DOM, not in a control, so all the rendering is within the security of the browser engine. But browser rendering and UI are not as powerful or flexible as a native program like Adobe Reader, so you do run into things that don’t work, or don’t work as well as in Reader. Still, most of the time all you’re doing is reading the document and that usually works fine. If you need to do more, you can download the file and use another reader.
Google and Adobe each released their own blog entries announcing the incorporation of the integrated Flash player into the sandbox. In fact, Flash is already substantially sandboxed in many environments, such as on Windows Vista and Windows 7 where it runs as a low integrity process, but only in Chrome is it sandboxed in Windows XP. And since Chrome’s Flash Player is updated automatically, fixes to any vulnerabilities in Flash are easiest to get there too. These are major reasons why Chrome is my default browser now.
But there are limits to sandboxes. Thanks to Ryan Naraine on ZDNet for pointing me to analysis done by security software firm Invincea describing the limitations in the Adobe Reader X sandbox. Invincea calls sandboxing such as Reader’s “a step in the right direction.”
Even Adobe’s engineers (and Microsoft’s and Google’s, as they all use the same basic sandbox architecture) concede certain limitations:
- Protected Mode will not prevent unauthorized read access to the file system or registry.
- Protected Mode will not restrict network access.
- Protected Mode will not prevent reading or writing to the clip board.
So a “successful” exploit in the sandbox could, for example, read files or registry data to which the user in whose context the program ran has access and send them over the network. Invincea proposes protections against these and other attacks and, no surprise, their own products claim to provide them.
– on Security Watch
Posted in Security
Posted on 30 November 2010. Tags: behind, Cable, China, Google, Hacking, leaked, Says
Among the many revelations in the new massive leak of secret government communications from Wikileaks is the claim that the attacks against Google in China about one year ago were directed by China’s Politburo, the group which supervises the Communist Party of China.
The actual text of the document seems not to be available yet, but has been provided to certain news organizations and has been reported on by them. The New York Times report states:
A global computer hacking effort: China’s Politburo directed the intrusion into Google’s computer systems in that country, a Chinese contact told the American Embassy in Beijing in January, one cable reported. The Google hacking was part of a coordinated campaign of computer sabotage carried out by government operatives, private security experts and Internet outlaws recruited by the Chinese government. They have broken into American government computers and those of Western allies, the Dalai Lama and American businesses since 2002, cables said.
Without the actual text of the cable referred to it is hard to comment on the claim,
Wikileaks has been the target of a massive DDOS (distributed denial of service attack) since the release of the documents and one report says they have moved their operations to the Amazon EC2 cloud.
– on Security Watch
Posted in Security
Posted on 20 November 2010. Tags: Black, Friday, Google, Instant, Into, turn
Remember when I said that Google Instant was a potential security disaster? Well, it turns out that Google’s new Instant Preview feature can help lure innocent victims over to malware campaigns. Blackhat SEO campaigns work by tricking search engines into displaying malicious search results. Criminals achieve this a few ways, but the most common way is to generate thousands of related text, images, and videos. I recommend reading Steve Ragan’s in-depth deconstruction of Blackhat SEO for more information about how these attacks work.
Yesterday, we talked about a Blackhat SEO scam targeting various Black Friday keywords. If you take a look at the Google Instant Preview pane on the right, you’ll see that actual Best Buy ads are shown! This could very well convince someone to click on the malicious link!
Black Friday Instant Preview
Clicking on the link will cause your computer to redirect to the following fake Firefox update website or a fake antivirus scan page (depending on which browser you are using):
Fake Firefox Update
Installing the “update” will infect your computer with the Adware/SecurityTool Rogueware:
Adware/SecurityTool
Adware/SecurityTool Warning
I’ve said it before and will say it again. You simply cannot trust search engines to provide safe and accurate search results. Use extreme caution when searching for hot topics, as they are actively targeted by cyber criminals each and every day.
Source: PandaLabs Blog
Posted in Antivirus
Posted on 20 November 2010. Tags: Google, search, Security, Toolbar
Here's some news – we've made some changes to AVG's Security Toolbar.
We have just announced a deal that means that from now on we will be using Google search technology as the integral search service for our anti virus and security products.
This deal is good news for AVG users because it will broaden the toolbar’s reach and appeal to those who prefer to use Google as their search engine and at the same time will make their searching safer.
The AVG Security Toolbar already offers real-time protection against malicious links and downloads while users search the web and social network by incorporating AVG LinkScanner technology and now it combines Google’s best-in-class search as well.
Latest US search figures for October by comScore, the digital marketing agency, show by just how much Google dominates the market with 66.1% share, making 11 billion search queries in the month.
Its nearest rival is Yahoo with 16.5% market share and 2.7 billion searches.
The deal also continues AVG's philosophy that everyone is entitled to protection from internet threats.
Our CEO JR Smith reiterated this point: “AVG is committed to providing our users with intuitive technology that allows them to proactively prevent computer infections while they search the Web."
This agreement, which kicked off on midnight 14 November, means that users who install any of AVG’s security products will be offered the opportunity to use the security toolbar with Google search functionality.
Those existing Yahoo users can keep the Yahoo search engine for another six months.
Image credit: Image used under creative commons license with thanks to Tiger Pixel

Source: AVG Blogs | AVG Product Team
Posted in Antivirus
Posted on 12 November 2010. Tags: Data, duke, Facebook, Google, over, User
Internet giants Google and Facebook have been having a war of words this week over user data portability.
View full post on Network World on Security
Posted in Security
Posted on 10 November 2010. Tags: Buzz, Gmail, Google, Lawsuit, Payout, settles, users, World
PC World – Millions of Google Buzz users were contacted Tuesday by Google regarding a class-action lawsuit settlement stemming from an online privacy debate sparked by the search giant.
View full post on Yahoo! News: Security News
Posted in Security
Posted on 08 November 2010. Tags: agrees, Buzz, Google, Hand, Info, NewsFactor, Revealing, Slap
NewsFactor – Google has reached a settlement in the class-action suit over privacy issues relating to its Buzz social-networking program. Under terms of the settlement, the search giant will establish an $8.5 million Common Fund to support organizations focusing on Internet privacy policy or privacy education, in addition to covering lawyers’ fees.
View full post on Yahoo! News: Security News
Posted in Security