Tag Archive | "Part"

SpyEye/ZeuS Toolkit v1.3.05 Beta Part 2

Since our previous blog post, we have continued to investigate whether or not SpyEye 1.3.x is indeed the result of the ZeuS-SpyEye merger. So far, we have found that the included documentation says little about ZeuS; it only compares the behavior of several options/configurations of the two malware families.

At present, we have only been able to identify three different versions in the wild:

  • 1.3.04
  • 1.3.05
  • 1.3.09

As you can see, these are minor releases. Our underground research tells us that some minor bug fixes were made between these versions, but they are otherwise essentially the same. If you are wondering whether the SpyEye Toolkit comes with three control panels (two SpyEye control panels [CN1 and SYN1] and one ZeuS control panel), I can confirm that it does not. It only comes with the regular two SpyEye control panels. The database structures of SpyEye and ZeuS were different prior to 1.3.x and still are. As such, the ZeuS panel would need to be modified before both could share a single database. ZeuS and SpyEye malware therefore do not register themselves with the same command-and-control (C&C) server in the same way.

The SpyEye 1.3.x binary still behaves like previous SpyEye versions. The call-home request remains the same, except for the plug-in field shown below.

[domain_name]/[folder]/gate.php?guid=5.1.2600[computer_name]&ver=10305&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&ccrc=88CFDFC7&md5=273c725a57e35b1e263d4f18fe21c5c7&plg=customconnector;mngr1_1&stat=online

The customconnector plug-in tells the bot which C&C server to communicate with. It was likely introduced so that cybercriminals can list several C&C servers as backups. In previous versions this list was not a plug-in but lived in a file named maincps.txt, which was part of the config file.
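The call-home request above is easy to spot in proxy logs once you know its fields. The following is an added example, not code from the original TrendLabs post: it parses the gate.php beacon, decodes the ver and plg fields, and refuses to alert on unrelated gate.php URLs. The log line layout, the sample hosts and computer name, and the mapping of ver=10305 to "1.3.05" are assumptions made here.

```python
"""Flag SpyEye 1.3.x call-home requests (gate.php) in proxy log lines.

Added example, not code from the original TrendLabs post. The query field
names are those of the beacon quoted in the post; the log line layout, the
sample hosts and computer name, and the mapping of ver=10305 to "1.3.05"
are assumptions made here.
"""
import re
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import unquote_plus, urlsplit

# Parameters present in the 1.3.x beacon quoted in the post.
REQUIRED = {"guid", "ver", "ie", "os", "ut", "ccrc", "md5", "plg", "stat"}

# Assumed proxy log layout: "<timestamp> <client_ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def parse_query(query: str) -> dict:
    """Split the query string on '&' only. The plg value uses ';' to
    separate plug-in names, and older urllib.parse.parse_qs versions also
    split on ';', which would break the plug-in list."""
    fields = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def decode_version(ver: str) -> Optional[str]:
    """Assumed scheme: 10305 -> '1.3.05' (major, minor, two-digit patch)."""
    if not ver.isdigit():
        return None
    v = int(ver)
    return f"{v // 10000}.{(v // 100) % 100}.{v % 100:02d}"


def parse_beacon(url: str) -> Optional[dict]:
    """Return decoded fields if url looks like a SpyEye gate.php beacon."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/gate.php"):
        return None
    fields = parse_query(parts.query)
    # gate.php is a common file name; insist on the full SpyEye field set
    # and on well-formed hash/CRC values before raising an alert.
    if not REQUIRED.issubset(fields):
        return None
    if not re.fullmatch(r"[0-9a-fA-F]{32}", fields["md5"]):
        return None
    if not re.fullmatch(r"[0-9a-fA-F]{8}", fields["ccrc"]):
        return None
    return {
        "c2_host": parts.hostname,
        "guid": fields["guid"],
        "version": decode_version(fields["ver"]),
        "user_type": fields["ut"],
        "config_crc": fields["ccrc"].upper(),
        "binary_md5": fields["md5"].lower(),
        "plugins": [p for p in fields["plg"].split(";") if p],
        "status": fields["stat"],
    }


def scan_log(lines: Iterable[str]) -> Iterator[Tuple[str, dict]]:
    """Yield (client_ip, beacon) for every log line carrying a beacon."""
    for line in lines:
        match = LOG_RE.match(line.strip())
        if match:
            beacon = parse_beacon(match["url"])
            if beacon:
                yield match["client"], beacon


# Constructed sample lines, not captured traffic. The first reproduces the
# beacon quoted in the post on an assumed C&C host with computer name WS-01;
# the others are decoys that must not fire.
SAMPLE_LOG = [
    "2011-02-01T10:00:01Z 10.0.0.5 GET http://c2.example.test/sp/gate.php"
    "?guid=5.1.2600WS-01&ver=10305&ie=6.0.2900.2180&os=5.1.2600&ut=Admin"
    "&ccrc=88CFDFC7&md5=273c725a57e35b1e263d4f18fe21c5c7"
    "&plg=customconnector;mngr1_1&stat=online",
    "2011-02-01T10:00:02Z 10.0.0.6 GET http://shop.example.test/pay/gate.php?order=17&stat=online",
    "2011-02-01T10:00:03Z 10.0.0.7 GET http://www.example.test/index.html",
]

if __name__ == "__main__":
    for client, beacon in scan_log(SAMPLE_LOG):
        print(client, beacon["c2_host"], beacon["version"], beacon["plugins"])
```

The plug-in list is the part worth keeping in an alert: a beacon that carries customconnector tells you the bot has a backup C&C list and that blocking the one host you saw will not be enough.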

Obtaining the new version of SpyEye also differs from getting previous versions. You first get an email with a set of instructions. This acts as a crude form of buyer verification: the email requires the interested party to send, via Jabber, the nickname and email address he used to purchase SpyEye. After receiving this information, the SpyEye creator sends the buyer a message that contains download links.

Several links are sent from which the buyer can download the different components of the toolkit. The following components have been uploaded to a free hosting site, each archive protected with a very strong password:

  • !default pack.7z: Contains the main control panel (CN1), the builder, three plug-ins (bugreport, customconnector, and webfakes), and the documentation in Russian.
  • Sedeb.7z: A .vdi file (VirtualBox). This is a Linux Debian system that has the formgrabber panel (SYN 1) installed for testing.
  • !socks pack.7z: Contains a SOCKS 5 plug-in.
  • !ftp pack.7z: Contains an FTP plug-in.
  • !ffcertgrabber pack.7z: Contains a Firefox certificate grabber plug-in.
  • !ccgrabber pack.7z: Contains a CC grabber plug-in.

While the SpyEye changes may be minor, the way Gribodemon communicates with his clients has drastically changed. He no longer communicates much through ICQ and prefers Jabber. He also talks less and has become more secretive. The changes in his behavior are probably due to how much press SpyEye is now getting. SpyEye has changed and evolved to adapt to the security industry, along with its author’s behavior.

With added text from senior threat researcher Kevin Stevens.

Post from: TrendLabs | Malware Blog – by Trend Micro


Posted in Antivirus, Trendmicro


Top tips for Mac OS X security – Part 3

In the third and final part of my series on OS X security I will cover system security. If you missed the previous articles, check out part one on hardware security and part two, which covers user security.

Simply using a Macintosh computer is not enough to guarantee your security. If you would like some help beyond the advice in these articles you can download our free Sophos Anti-Virus for Mac Home Edition product to alert you of any threats.

System security

1. Properly configure your firewall

Having a modicum of control over what network traffic is allowed in and out of your machine, and by which applications, is essential to running a secure system. To do this you want to run a firewall.

Apple were nice enough to include a firewall in OS X, and the version in 10.6 is almost useful. It comprises two main parts: the Application Firewall and ipfw, a FreeBSD packet-filtering firewall that Apple inherited in OS X.

The Application Firewall is what you see when you open System Preferences and click on Security -> Firewall. You can control which Services are allowed to accept incoming connections, as well as which Applications.

To begin with, make sure the firewall is switched on. Apple may have been kind enough to include the firewall, but they didn’t switch it on for you *sigh*.

Next, click on Advanced and review any applications that are listed and showing that they are currently allowed to accept incoming connections. Decide if they really should be allowed to.

For example, I use iTunes to listen to my music, but I don't share out my library, so there is no need for iTunes to accept incoming connections on my machine; therefore I have iTunes set to 'Block incoming connections'.

The default setting in the application firewall on 10.6 will allow all ‘signed’ applications to automatically accept incoming connections once you have switched on the firewall.

Signed applications are those that have been built by the developer with code signing enabled. This provides a means by which the operating system can verify that the application is what it says it is.

Code signing provides some level of security, however it is not a flawless system by any stretch of the imagination. You shouldn’t blindly rely on the fact that an application is ‘signed’ to mean that you should allow it to accept incoming connections. You should review all of the applications you have on your system and decide whether they should accept incoming connections or not.

The second part of the firewall solution in OS X is ipfw, a packet-filtering firewall built into the OS X subsystem. ipfw is immensely powerful but can be confusing to a lot of people, and it is hidden from most users unless you go looking for it in Terminal.

There are a few applications available that provide a GUI to ipfw which makes things far easier for those that are not used to configuring a firewall from the command line. Two that are particularly good, and free, are WaterRoof and NoobProof.

The Ready Rule Sets in WaterRoof are especially good and provide a very quick way to add extra security to your system.

2. Secure Safari

When it comes to browsers, I actually like Safari. I tend to use it more than Firefox or Chrome on my Mac. One option that I always disable as soon as I set up a new machine, though, is 'Open "safe" files after downloading'.

This can be found in the Safari Preferences; while it is enabled, files deemed to be "safe" are automatically opened or mounted by Safari after they have been downloaded.

This is hideously insecure and can lead to malicious code being run without the user having to do anything. If you visit an infected website and that site causes your browser to download an infected zip file, Safari will automatically unzip that file once the download completes, and the malicious code can then be run. Disable this option now.

Anything you download can easily be accessed using either the Finder, or by double clicking on the item in the Safari Downloads window.

Having the Safari browser, or any browser for that matter, automatically fill in forms for you can be dangerous. Vulnerabilities have been found that allow websites to grab this auto-fill data without ever showing a form on the page. The data normally shared by auto-fill is an identity thief's idea of heaven.

Either disable 'Autofill web forms' in the Safari Preferences, or use a secure application such as 1Password for auto-filling this sort of information.

3. Only run the services that you really need

Many users have services running on their systems that they rarely use or, more often than not, don't even know are running.

Only run the services that you really need, and for those that you rarely use, switch them on only when you need them and switch them off once you're finished.

Leaving services running opens up areas for attack over the network. By only running those services that you need you reduce your risk.

To review the services that are running on your system look in System Preferences -> Sharing.

Conclusion

To stay current on the latest Mac threats check out the Sophos Mac Security Hub. Until next time, stay secure.

Posted in Sophos

“The Road to Hell Is Paved With Good Intentions”, Part II


It's been a while since the previous post, which discussed a commercial "intelligence gathering tool".

It would have seemed ridiculous if, this time, it weren't the UK government that thinks it is acceptable to hack into home computers, spread malware via email, log users' keystrokes, or sniff users' traffic, provided it "believes" that doing so is "proportionate" and necessary to prevent or detect serious crime.

Whoever came up with this idea is apparently a follower of Niccolò Machiavelli (1469–1527), a strong believer that "the ends justify the means", especially when it comes to the fight against paedophiles and terrorists, as if those last two words did an exceptional job of shutting down one's intellect.

Considering that this news follows other ridiculous reports that the UK military will now run nuclear-missile submarines under Windows XP (no, it's not April 1st), one could fairly ask "What exactly is going on in that part of the world?".

Posted in Security

Blackhat SEO numbers for December 2010 (Part I)

Blackhat spam SEO was very prevalent in 2010 and it is not likely to disappear in 2011. I’ve compiled a few statistics on Blackhat spam SEO pages found in Google search results during December 2010:

  • Number of spam pages:  4,814
  • Number of spam domains: 428
  • Number of malicious sites: 483

I usually limit my Google scans to the first 10 pages of results, so there are likely many more spam pages in Google’s full index.

Malicious sites

Fake AV pages are still the most popular type of attack, accounting for 85% of all malicious sites. Next in line are fake software stores, with 6% of the sites. I’ll give more details about this type of attack in a future blog post.

5% of the malicious sites were unreachable, and could not be classified.

Types of malicious sites: mostly fake AV

44% of the malicious sites use a .IN domain name. 25% use a .COM extension, and 16% use an IP address without a domain name. .CC domains represent only 4% of all malicious domains. .CO.CC used to be the most popular TLD for fake AV pages, but it is now .IN

Malicious sites by domain extension

Spam pages

I found 428 legitimate sites hosting 4,814 spam pages in Google search results. That’s an average of 11 spam links per domain within the top ranks for popular searches.

The spam sites are found all over the world: 31 different TLDs were found amongst spam sites. The international .COM extension was found in 58% of the sites, .ORG in 8% and .NET in 6%. The .EDU TLD represents 10% of the total. Hijacked college websites mostly led to fake software stores.

Spam sites by domain extension



Most dangerous searches

356 Google searches contained at least one malicious spam link in December 2010.

The most dangerous searches relate to buying software online and lead to a fake store. The most dangerous popular search (shown in Google Hot Trends) was for "sherwood blount", with 63 spam links among the first 100 search results!

Top-10 most dangerous Google searches in December 2010

I am still compiling the numbers and will do another post on the topic shortly. It looks like malicious Blackhat spam SEO will still be a major threat, if not the most significant threat to users in 2011.

– Julien

Posted in Security

Alexa Illustrates Web Security Risks (part 1)

I recently needed to look at some Alexa data related to their tracking of the top web domains visited for a side project that I was working on.


During my investigation of their data, I found it interesting to see a number of suspicious / malicious domains included in their daily top 1M list.

In this first blog section, I want to show that FakeAV / scareware malware has infiltrated the top websites according to Alexa. To begin with, there are 150 domains in the top list that contain the string “virus.” This illustrates the popularity and the potential profitability of distributing software that cleans (or claims to clean) infected systems.
It could be inferred, then, that there are a lot of systems on the Internet that users are trying to clean and/or protect from infection. Unfortunately, looking at the domains/sites in the list, it is difficult to determine whether the wares peddled on a site are legitimate or malicious. From my experience, most legitimate A/V products don't include the word "virus" in their domain name. The volume and sometimes "pushy" nature of anti-virus related sites further adds to the confusion about which are real and which are fake/malicious. Many of these sites appear to be affiliate sites (whether authorized or not), but there are malicious sites sprinkled in the results as well...

For example, a top scareware site in Alexa is hxxp://antivirus-defender.ru/. This site shows the typical scareware scanning screen (in Russian):

But with one twist: after the fake scan completes (to scare the victim into purchasing/downloading/installing the wares), the victim is presented with a screen to enter a code purchased over SMS in order to download:


This translates to English as:

Unlike other scareware campaigns where the install is allowed first and pop-ups and warnings then entice the victim to pay, this campaign demands payment before installation, and payment is made over SMS, which is a bit unusual.

There are a handful of other malicious A/V sites within the Alexa results as well, e.g., antivirus-scanonline.com (listed both in Alexa and in Google Safe Browsing) and virus-scanonline.com (a known malware site which is now dead). Looking up other key strings within Alexa, such as "scann", uncovered a few more malicious results: onlinescannerxp.com, best-guardinscanner.in, thebestscan-scanner.com, best-scan-scanner.in, smart-securityscanner.net, etc.

FakeAV was just one example of malware within the Alexa list. Doing SURBL and Google SafeBrowsing lookups of the Alexa domains showed a number of other results. For example, the domain freefilesoft.net is listed at position number 3378 in Alexa, but is also listed in SURBL.

It appears to offer up a Fake Codec that installs Adware.Hotbar software:

(hxxp://www.freefilesoft.net/xvid_dl/)

In the next section I will analyze the results from my scans of the top 1M sites and identify other threats / drive-by-downloads that are included within the most popular sites according to Alexa.

Posted in Security

Blackhat SEO numbers for December 2010 (Part II)

This is a follow-up to the numbers I presented in Part I, which discussed malicious spam pages in Google results and the malicious sites they redirect to.

Google warnings

The number of spam pages flagged by Google represents only about 44% of all spam identified by Zscaler. If we look at spam pages redirecting to malware, 57% are flagged. These numbers are about the same as what we saw in March 2010 (53% flagged).

52% of the malicious spam links are flagged by Google

Distributions of spam links per page

Spammers are still able to elevate their links to the first page of search results. However, compared to March 2010, there are fewer spam links on the first page than there used to be.

Number of spam links on each result page in Google

In general, more search terms contain Blackhat SEO spam links, but there are fewer such links per search, when compared to March 2010.

Number of spam links per poisoned search

Overall, Google’s Blackhat spam SEO situation has improved: there are fewer spam links on the first page and fewer search terms had more than 50% of links returned as malicious. However, Google still struggles to clean their index, or at least to warn users about real threats.
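The figures in Part I (the extension breakdown of the malicious sites) and in this Part II (spam links per result page, spam links per poisoned search) all come from the same kind of scan data. The following is an added example, not the author's code, that recomputes those figures from a small constructed table of search results; the row layout (search term, rank, landing URL, label) and the sample rows and redirect targets are assumptions. The extension bucketing shows the two cases a naive split on the last dot gets wrong: IP-address hosts and .CO.CC, which Part I tracks separately from .CC.

```python
"""Recompute the kinds of figures the two Blackhat SEO posts report from a
table of scanned search results: the domain-extension breakdown of the
malicious landing sites, the number of spam links per result page, and the
spam count per search. Added example, not the author's code; the rows and
redirect targets below are constructed, and the row layout (search term,
rank, landing URL, label) is an assumption.
"""
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit

RESULTS_PER_PAGE = 10          # the scans covered the first 10 result pages
MULTI_LABEL_TLDS = {"co.cc"}   # tracked as its own extension, not as ".cc"


def extension(url: str) -> str:
    """Bucket a URL by domain extension: 'IP' for bare addresses, 'co.cc'
    kept apart from 'cc', otherwise the last DNS label. A naive
    url.split('.')[-1] would file 198.51.100.23 under '23' and a co.cc
    host under 'cc'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return "IP"
    except ValueError:
        pass
    labels = host.split(".")
    tail = ".".join(labels[-2:])
    return tail if tail in MULTI_LABEL_TLDS else labels[-1]


def percentages(counter: Counter) -> Dict[str, float]:
    total = sum(counter.values())
    return {k: round(100.0 * v / total, 1) for k, v in counter.most_common()}


def extension_breakdown(urls: Iterable[str]) -> Dict[str, float]:
    """Share of malicious sites per extension, as in Part I's chart."""
    return percentages(Counter(extension(u) for u in urls))


def spam_per_result_page(rows) -> Dict[int, int]:
    """Result page (1-based, 10 links per page) -> spam links on it."""
    pages: Counter = Counter()
    for _term, rank, _url, label in rows:
        if label != "clean":
            pages[(rank - 1) // RESULTS_PER_PAGE + 1] += 1
    return dict(sorted(pages.items()))


def poisoned_searches(rows) -> Dict[str, Tuple[int, bool]]:
    """Per search term: number of spam links, and whether more than half
    of the links returned for it were malicious."""
    per_term = defaultdict(lambda: {"total": 0, "spam": 0, "malicious": 0})
    for term, _rank, _url, label in rows:
        t = per_term[term]
        t["total"] += 1
        t["spam"] += int(label != "clean")
        t["malicious"] += int(label == "malicious")
    return {term: (t["spam"], 2 * t["malicious"] > t["total"])
            for term, t in per_term.items()}


# Constructed rows: (search term, rank in results, landing URL, label).
# Labels: clean; spam (spam page on a legitimate host, no malware behind it);
# malicious (spam page redirecting to a fake AV or fake store).
ROWS = [
    ("buy office 2010", 1, "http://blog.college.example.edu/cheap/", "malicious"),
    ("buy office 2010", 2, "http://hacked.example.org/x.php", "malicious"),
    ("buy office 2010", 3, "http://vendor.example.com/", "clean"),
    ("buy office 2010", 11, "http://another.example.net/y.php", "malicious"),
    ("trending name", 1, "http://news.example.com/story", "clean"),
    ("trending name", 14, "http://forum.example.com/t/1", "malicious"),
    ("trending name", 25, "http://site.example.com/p", "clean"),
]

# Constructed redirect targets of the malicious rows (the "malicious sites").
TARGETS = [
    "http://scan-now.example.in/",
    "http://antivirus-pro.example.in/",
    "http://198.51.100.23/scan/",
    "http://cheap-soft.example.com/",
    "http://free-scan.example.co.cc/",
]

if __name__ == "__main__":
    print("extensions:", extension_breakdown(TARGETS))
    print("spam per page:", spam_per_result_page(ROWS))
    print("per search:", poisoned_searches(ROWS))
```

The same three functions run unchanged over a real scan table; the only thing to extend for real data is MULTI_LABEL_TLDS, which should come from a public-suffix list rather than a one-entry set.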

– Julien

Posted in Security


Dangerous Flash Drives – part 2

The story continues. Microsoft released their Security Advisory with workarounds regarding the ".lnk vulnerability" described in our previous blog post. To help you protect your systems, here are the two official workarounds, or you can visit the official Microsoft website to find the whole article:

Microsoft Security Advisory (2286198)

http://www.microsoft.com/technet/security/advisory/2286198.mspx

Disable the displaying of icons for shortcuts

Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

1. Click Start, click Run, type Regedit in the Open box, and then click OK.

2. Locate and then click the following registry key: HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler

3. Click the File menu and select Export.

4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save. Note: this will create a backup of this registry key in the My Documents folder by default.

5. Select the value (Default) in the right-hand pane of the Registry Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.

6. Restart explorer.exe or restart the computer.

Impact of workaround: Disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.


Disable the WebClient service

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

To disable the WebClient Service, follow these steps:

1. Click Start, click Run, type Services.msc and then click OK.

2. Right-click the WebClient service and select Properties.

3. Change the Startup type to Disabled. If the service is running, click Stop.

4. Click OK and exit the management application.

Impact of workaround: When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.

These were the official Microsoft workarounds.

However, there seems to exist another solution: deploying a GPO that denies running executable files from all drives except C:. This should solve the problem; however, it could be quite inconvenient (but safe) for users and is recommended only for experienced administrators.

Thanks to Peter Gramantik


Posted in AVG

Alexa Illustrates Web Security Risks (part 2)

I wanted to circle back and close the loop on my original post on this. First, not surprisingly, I'm not the only one to have taken note of malicious sites landing in Alexa (reference the sucuri.net blog).

I wrote some scripts to check a number of the domains listed in the Alexa top 1 million against Google SafeBrowsing (GSB) and SURBL, and to cross-reference them with MalwareDomainList (MDL). In the previous post, I mentioned a few of my findings related to GSB and SURBL lookups, particularly FakeAV. Additionally, a number of the sites listed were porn sites that appear in SURBL because of their advertisements within spam links.

Snippet of some of the results.

While the GSB and SURBL lookups for 1 million sites aren't very quick, repeatable processes, it is fairly quick to cross-reference with MDL (MDL list here). Today's intersection of Alexa and MDL includes 87 sites. However, several of the listed sites are overly aggressive listings on MDL's part; for example, hotfile.com, rapidshare.com, and stashbox.org are free file-hosting services that are listed. Free file-hosting services are frequently abused to store malware; however, the sites themselves are legitimate and should not be blocked at the domain level.

Some of the more interesting sites listed, include:

  • bulletproof-web.com – as the name suggests, it's a bullet-proof hosting provider
  • bloggoogle.info, domaingoogle.info, hostinggoogle.info, datagoogle.info, businessgoogle.info – NeoSploit exploit kit (reference example)
  • gdfgdfgdgdfgdfg.in.ua – FakeAV drive-by redirect related to a Twitter spam campaign (reference example)
  • protect-pc-2011.co.cc, multy-protect.co.cc, fastperot.co.cc – TDSS rootkit / FakeAV

Seeing these Alexa results further illustrates the threat of FakeAV and the comeback of NeoSploit in 2011 that others have highlighted with the release of its version 4 (reference example).
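Both Alexa posts (the "virus" substring search in part 1 and the Alexa/MDL intersection above) reduce to the same list-processing job, and the two traps they mention are worth handling explicitly: MDL lists specific hosts or URLs while Alexa lists registered domains, and some MDL entries are over-broad. The following is an added example, not the author's scripts, that does that cross-reference. The list contents are constructed (only the domain names and the rank 3378 for freefilesoft.net come from the posts), and the file formats (Alexa "rank,domain" CSV; a blocklist of hosts, URLs or IPs, one per line), the allowlist and the small public-suffix table are assumptions.

```python
"""Cross-reference an Alexa top-sites list against a blocklist such as
MalwareDomainList (MDL), and search the list for name patterns such as
"virus". Added example, not the author's scripts; the list contents below
are constructed, and the file formats, the allowlist and the public-suffix
table are assumptions.
"""
import csv
import io
import ipaddress
from typing import Dict, Iterator, Tuple
from urllib.parse import urlsplit

# Legitimate services the posts call out as over-aggressive MDL entries:
# report them separately instead of blocking the whole domain.
ALLOWLIST = {"hotfile.com", "rapidshare.com", "stashbox.org"}

# Assumed two-label public suffixes (enough for the sample; use a full
# public-suffix list for real data).
TWO_LABEL_SUFFIXES = {"co.cc", "in.ua", "co.uk"}


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registered_domain(host: str) -> str:
    """Collapse a host name to its registrable domain (Alexa's granularity)."""
    host = host.strip().rstrip(".").lower()
    if is_ip(host):
        return host
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def blocklist_hosts(text: str) -> Iterator[str]:
    """Normalise blocklist entries (bare host, host/path, full URL, IP,
    '#' comments) to lower-case host names."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "://" not in line:
            line = "http://" + line
        host = urlsplit(line).hostname
        if host:
            yield host.lower()


def load_alexa(text: str) -> Dict[str, int]:
    """Alexa CSV rows are 'rank,domain'; returns domain -> best rank."""
    ranks: Dict[str, int] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2:
            continue
        rank, domain = row
        ranks.setdefault(domain.strip().lower(), int(rank))
    return ranks


def cross_reference(alexa_text: str, blocklist_text: str) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Return (hits, over_broad): blocklisted names present in the Alexa
    list, split by whether they are on the allowlist. MDL lists specific
    hosts or URLs while Alexa lists registered domains, so each entry is
    matched both exactly and by its registrable domain."""
    ranks = load_alexa(alexa_text)
    hits: Dict[str, int] = {}
    over_broad: Dict[str, int] = {}
    for host in blocklist_hosts(blocklist_text):
        for candidate in (host, registered_domain(host)):
            if candidate in ranks:
                bucket = over_broad if candidate in ALLOWLIST else hits
                bucket.setdefault(candidate, ranks[candidate])
                break
    return hits, over_broad


def name_matches(alexa_text: str, needle: str) -> Dict[str, int]:
    """Domains whose name contains needle (part 1 searched for 'virus')."""
    return {d: r for d, r in load_alexa(alexa_text).items() if needle in d}


# Constructed sample lists (not a real Alexa export or MDL snapshot).
ALEXA_CSV = """1,example.com
3378,freefilesoft.net
5000,rapidshare.com
7200,antivirus-defender.example
9000,datagoogle.info
12000,gdfgdfgdgdfgdfg.in.ua
"""

MDL_TEXT = """# constructed blocklist sample
www.freefilesoft.net/xvid_dl/
http://datagoogle.info/in.php
gdfgdfgdgdfgdfg.in.ua
rapidshare.com          # file host: legitimate, over-broad entry
198.51.100.7/load.exe
"""

if __name__ == "__main__":
    hits, over_broad = cross_reference(ALEXA_CSV, MDL_TEXT)
    print("hits:", hits)
    print("over-broad:", over_broad)
    print("name matches:", name_matches(ALEXA_CSV, "virus"))
```

Matching on the registrable domain is what turns the MDL entry www.freefilesoft.net/xvid_dl/ into a hit against Alexa's freefilesoft.net; the allowlist split is what stops rapidshare.com from being reported as if the whole service were malicious.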

Posted in Security

Lorex Wireless Camera Security System Review by Chris Pirillo (Part 2)

CSA DISCLAIMER: This video is taken from YouTube. It, like any other video found on this site, is not hosted here; it is only embedded, and it was picked automatically by our system from video hosting services such as YouTube, Metacafe and others. Therefore, we are not responsible for any copyright violations, video materials, hacking or cracking activities, or anything else. If you have any legal issues, please contact the appropriate host site.

Posted in Video


Top tips for Mac OS X security – Part 2

In the first part of this series I covered OS X tips related to physical security; in part two I will focus on the user.

These simple steps are things every Mac user should do. They provide a large improvement in the security of your computer and data, while imposing an imperceptibly small price.

User security

1. Be smart with your passwords

Your password is more or less the one thing that keeps your system and your data safe from others. It makes sense to invest in making it as hard to crack as possible.

Apple provides a tool to help select a secure password called Password Assistant. To use the Password Assistant open System Preferences -> System -> Accounts -> Create a user or Change Password -> Click the key icon.

OS X password change dialog

The Password Assistant provides several options to help you generate a password (Memorable, Letters & Numbers, Numbers Only, Random, FIPS-181 compliant), or you can manually enter a password.

Whichever you choose Password Assistant will show you the Quality (or strength) of your password. Watch this video for advice on choosing a complex password you can remember.

2. Securing your Keychain

It is a good idea to make sure that your Keychain has a different password from that of your user account.

The Keychain stores internet passwords, SSL Certificates, notes and more in a nice convenient encrypted store. By default your Keychain has the same password as your user account, which is great as it means your Keychain automatically unlocks and allows any running application to request data from it!

It's like SSO (Single Sign On) gone bad... Changing your Keychain password means that when an application wants some data, you will have to enter your Keychain password.

This is a little inconvenient, but it means that anyone who cracks your account password doesn't get instant access to everything in your Keychain, and that you will know whenever an application is trying to gain access to your secured data.

To change your Keychain password open up the Keychain Access application in the Utilities directory. Then click on the Edit menu and select Change Password for Keychain “login”.

3. Never run as an administrative account

If you talk to any Linux or Unix user you will quickly find out that they rarely log in as a user that has administrative privileges. The reason? If your account is compromised, the attacker has only gained access to your data, not to the entire system.

Running as a normal user on any operating system is a sensible thing, and OS X is no different.

Make your everyday account a Standard user, and then authenticate as an Admin account when the system requests it.

Conclusion

Combined with my physical security tips, securing your user profile is a critical part of having a happy and secure Mac. It goes without saying that you should run anti-virus on your Mac as well.

If you are a home user you can get Sophos Anti-Virus for Mac Home Edition for free! Come back to Naked Security soon for the final part in this series, system security.

Full story: Naked Security – Sophos

Posted in Sophos

DIY Cybercrime: Exploits, Loaders, and Affiliates Part 2

This is the second half of our two-part report about how cybercrime kits aid cybercriminals in conducting malicious attacks. The first post primarily discussed how the Phoenix Exploit Kit is used to exploit many possible bugs on a user's system, leading to system compromise. This second part discusses the use of the DLoader toolkit, and how that compromise escalates to the installation of multiple malware on the user's system.

DLoader and the Botnet Business Model

The distribution of malware is typically conducted within partnerships and affiliate programs. One model used to monetize botnet operations is known as the pay-per-install (PPI) model, wherein affiliate programs pay malware distributors whenever the distributor installs a specific piece of malware onto a victim's computer.

DLoader is a Web-based administration tool that allows botnet operators to manage the malware that they force the bots under their control to install. For each installation, the botnet operator receives payment from partners or affiliates.

DLoader is advertised on underground forums for approximately US$ 250. While it primarily serves to install other malware, it can also come with additional modules such as an FTP GRABBER that steals FTP credentials and a POKER ACCOUNT GRABBER that steals login information for popular online poker sites. These cost up to US$ 200. The FTP stealer is important because it allows the botnet operators to inject legitimate websites with malicious code that directs users to an exploit kit. This way, the botnet operator is able to maintain a steady supply of victims. These modules are detected by Trend Micro as TROJ_XORPE.JAN.

Country-specific Malicious Payloads

We analyzed several instances of DLoader on the server. One of the instances had 7,957 bots, primarily from Vietnam and Indonesia. Another had 10,726 bots, primarily from Germany and Russia. The instances of DLoader on this server contained a variety of executable malware that were distributed based on the bot’s country of origin.

For example, bots in Germany were exclusively directed to download a version of SpyEye (TSPY_SPYEYE.ATC). Targets in the United States, Canada, United Kingdom, Australia, and France were also directed to download SpyEye, albeit a different variant (TROJ_SPYEYES.JAN).

Meanwhile, Russian victims received a Meredrop variant (TROJ_MEREDROP.TG). The default downloads were various fake antivirus products.

To appreciate the variety of malware that was distributed via this server, here are our detection names for the files we analyzed:

While small-scale botnets often escape detailed scrutiny, they are still important components of the malware underground. Their operators act as consumers of malicious toolkits as well as suppliers of victims to larger botnet operators and fake antivirus suppliers. The malicious toolkits that are available allow aspiring cybercriminals with limited technical know-how to access exploits and malware that would otherwise be beyond their own capabilities.

Post from: TrendLabs | Malware Blog – by Trend Micro


Posted in Antivirus


The great smartphone debate: take part and win a Naked Security t-shirt

Smartphones, such as iPhones, Androids and BlackBerrys, are a hot topic right now. Most of us have one, or we are desperate to get our hands on a newer, snazzier model.

On the street, you can spot a smartphone user at a hundred paces. They stumble along hesitantly, echoing the drunkard's shuffle. Rather than sporting a vacant inebriated look, "smartphoners" stare at their hands with possessed concentration, their fingers flying about a tiny screen at lightning speed.

Indeed, it seems I am not the only one who has noticed this condition. New York is currently considering a bill that would effectively ban pedestrians from using mobile phones when crossing the road.

Thing is, smartphones are pretty amazing devices: you can basically run your entire social and business life from them. And therein lies the catch.

Many of us have two phones: one for work AND one for personal stuff. Would it not be better just to have one?

Join the smartphone debate!

We want to know where you stand on this issue, so we slapped together the smartphone debate. It is a short survey, which takes about 90 seconds to complete.

And to thank you for your efforts, we are giving away five very exclusive, very desirable (let's be honest, very sexy) Naked Security t-shirts.

Naked Security t-shirt winners will be contacted on International Looooove day: Monday February 14. Who knows, instead of a valentine, you might find out you have won the coolest t-shirt in town!

So what are you waiting for? Take the survey now.

Photo source: San Francisco Chronicle

Full story: Naked Security – Sophos

Posted in Antivirus

DIY Cybercrime: Exploits, Loaders, and Affiliates Part 1

This post is the first of a two-part report about how cybercrime kits such as exploit toolkits enable even the less technical of cybercriminals to build botnets and conduct malicious attacks.

Large-scale botnets that compromise hundreds of thousands of systems around the world receive plenty of attention and deservedly so. However, there are many smaller botnets that often escape such scrutiny. The tools and services required to create, maintain, and profit from a botnet are widely available in the cybercrime underground for a price. These do-it-yourself (DIY) cybercrime kits enable those with limited technical skills to create botnets of their own.

The tools available include exploit kits that attempt to deliver various exploits to a visitor’s system based on the availability of vulnerable software on the said system as well as on the traffic direction systems that divert visitors to other websites or that direct them to download additional malware.

Sophisticated Malware Distribution Schemes

These tools allow botnet operators to form partnerships or to participate in affiliate programs. These programs allow distributors to pay to have their own malware installed by the botnet operator. A single botnet may be used to distribute a wide variety of malware such as SpyEye, ZeuS, or fake antivirus software.

Cybercriminals need to generate traffic to their malicious websites so they can attempt to install malware onto the visitor’s computer. In order to generate traffic, botnet operators often purchase FTP credentials for legitimate websites in underground chat rooms and forums. In addition, once their botnets are operational, their operators can extract FTP credentials from the systems that they managed to compromise. These stolen credentials are then used to compromise legitimate websites, which are then modified to redirect users to servers under the control of the criminals themselves.

This post analyzes the operation of a single malicious server that is used to receive traffic from compromised websites. Visitors are then redirected to an exploit kit. If a visitor’s system is compromised, the visitor’s computer then connects to a loader, which pushes a wide variety of malware onto the visitor’s computer, depending on the visitor’s geographic origin. All of these tools and methods are available to prospective cybercriminals in the cybercrime underground.

Phoenix Exploit Kit

In this specific case, three malicious iframes were inserted into a legitimate website. These cause a visitor’s computer to load external websites that are under the control of botnet operators. One of the iframes silently connects visitors to a server that hosts instances of the Phoenix Exploit Kit.

The exploit kit attempts to determine the OS and browser version of the visitor and serves an appropriate exploit designed to execute malware on the visitor’s computer. It contains exploits for popular software packages such as Adobe Flash Player, Adobe Reader, and Java.

In total, this instance of the Phoenix Exploit Kit received 17,628 visitors and successfully exploited 850 (4.82 percent) of them. The exploit kit found the most success targeting vulnerable versions of Java. After successful exploitation, a malicious executable (detected as TROJ_RENOS.NRT) is dropped onto the visitor’s computer, which then connects to a completely different set of command-and-control (C&C) servers.

Connections to Other Toolkits

Nearly all of the visitors to this instance of the Phoenix Exploit Kit originated from the United Kingdom. This suggests that the botnet operators may have purchased UK-specific traffic from other cybercriminals or managed to compromise websites that are popular in Britain.

This same server also contained other instances of the Phoenix Exploit Kit. In all cases (in addition to the one discussed above), the kit dropped payloads that connected to instances of DLoader hosted on the same server. For example, other instances received 5,871 visitors. These were primarily from Germany and Russia. Of these, 360 (6.13 percent) were successfully exploited with Java exploits again proving the most successful.

The malicious payload forced the visitor’s computer to connect to instances of DLoader hosted on the same server. The payloads of these Phoenix Exploit Kit copies are detected by Trend Micro as TROJ_INJECT.XSI, TROJ_DLOADER.TEP, TROJ_BAMITAL.AJ, and TROJ_OBFUS.CJ.

For the second part of this report, which we will release in the near future, we will further discuss the DLoader toolkit, and how it is used for the pay-per-install botnet business model.

Full story: TrendLabs | Malware Blog – by Trend Micro

Posted in Antivirus

Keeping Money Mule Recruiters on a Short Leash – Part Five

With money mule recruitment continuing to represent the most actively used risk-forwarding tactic within the cybercrime ecosystem for the purpose of securely distributing fraudulently obtained funds, part five of the “Keeping Money Mule Recruiters on a Short Leash” series is here to stay.

What’s particularly interesting about the money mule recruitment domain portfolio that I’ll expose, is the

Full story: Dancho Danchev’s Blog – Mind Streams of Information Security Knowledge

Posted in Security

Mobile Forensics Basics – part 2

In the first part of this Mobile Forensics Basics series, we had a look at how to collect and preserve digital evidence. This time we will focus on the general methodology related to the acquisition process. Unlike a normal digital device such as a computer, there are many factors that play an important role [...]

Full story: KaffeNews

Posted in Security

Top tips for Mac OS X security – Part 1

This article is the first part of a three part series on Mac OS X security tips. As the additional articles are posted, we will update this post with links to the others.

I am certainly not the first person to write an article like this, and to be honest, I surely won’t be the last. So why am I bothering to write this down? Well ‘repetitio est mater studiorum’…

Physical Security

1. Disable Automatic Login

Most Mac users only have one account on their systems, so having the system automatically login for them makes perfect sense. Doesn’t it?

NO!

Think about it, if anyone gets hold of your precious Mac, all they’d have to do is switch it on, and within seconds they can be rifling through all your documents and dirty secrets.

Turning off automatic login is a simple yet effective way of adding a small amount of security to your system. To turn off automatic login open System Preferences and go to Accounts. Find the option called “Login Options”, choose this and set automatic login to off.

Disable automatic login - OS X

2. Set a Firmware Password

An easy way to bypass security measures on any machine is to boot the system from a Live CD, for example. In the case of OS X, booting from an OS X installation disk allows you to make changes such as resetting the administrator password, or to make changes to partitions and disks.

By setting a firmware password you help to prevent attackers from:

  • Booting a Live CD
  • Running any applications from an OS X Installation disk
  • Booting the machine into Target Disk mode and accessing data without logging in

Rather than trying to cover all the ins and outs of setting a firmware password I’ll point you to the Apple support article on the subject: http://support.apple.com/kb/ht1352.

3. Encryption is a good idea

Encrypting all of your personal and private files means that if your computer is stolen it becomes far, far harder for anyone to access your data.

Apple provides functionality to encrypt your entire home directory called FileVault. This will encrypt everything inside of your home directory, but will not encrypt anything outside of it. For those that only want to protect the data inside their home directory this may be a good solution.

If there is sensitive data outside of the home directories that you need to protect, then a full disk encryption solution is worth looking into. This will encrypt everything on a disk, and means that data stored in temp files and application directories is also secured.

Sophos offers a business class full disk encryption product for Mac OS X called SafeGuard Disk Encryption for Mac. An additional benefit of full disk encryption is that it prevents someone from booting the system and reading the memory through the FireWire interface.

Encrypting the virtual memory on your system is a wise choice, and something that Apple does turn on by default in 10.6 Snow Leopard.

For older versions of OS X it is strongly recommended that you turn on ‘secure virtual memory’ in System Preferences. This will prevent others from connecting to your physical machine and reading the data in the virtual memory.

Conclusion

Those of you who are concerned about security on your personal Macs can take advantage of free anti-virus from Sophos. If you have an iPhone/iPad/iPod Touch we also have a free application in the App Store to provide the latest security information.

Full story: Naked Security – Sophos

Posted in Antivirus

F-secure internet security 2010 part 1

CSA DISCLAIMER: This video is taken from YouTube. Like any other video found on this site, it is not hosted here; it is only embedded, and was picked at random by our system from video hosting services such as YouTube, Metacafe, and others. We are therefore not responsible for any copyright violations, video materials, hacking or cracking activities, or anything else. If you have any legal issues, please contact the appropriate host site.

Posted in Video

HTC Desire Mobile Phone – Part 3 – Product Tour

Posted in Video

O’Reilly Webcast – Part 1 – iPhone Forensics 3G[s]

Posted in Video

Adobe Flash, The Spy in Your Computer – Part 5

I didn’t expect a part 5, but here it is! Adobe has announced that they will be making some significant changes to Flash. In a blog post http://blogs.adobe.com/flashplatform/2011/01/on-improving-privacy-managing-local-storage-in-flash-player.html Adobe’s marketing machine really pours it on thick, but there appears to be some good news.
In the blog it is stated that a future release of Flash … Read More.

Full story: ESET ThreatBlog

Posted in Antivirus

Mobile Forensics Basics – part 1

The importance of Mobile Forensics is rising every day as the presence of mobile devices in the market increases exponentially. In fact, it becomes more common every day to find personal digital devices such as PDAs, multimedia devices (iPod, PSP, digital cameras), portable navigation systems, smart phones, etc., the analysis of which gives access to [...]

Full story: KaffeNews

Posted in Security

Linux HOWTO: Secure Your Data with PGP, Part 2

Posted in Video

Linux HOWTO: Secure Your Data with PGP, Part 1

Posted in Video

The Phones Show 92 (Nokia 5730, Security part 2)

Posted in Video
