Tag Archive | "Security"

Facebook Security

Google+ Project Vs Facebook Safety Features

Today there are many social networks on the internet, and every day new ones are being introduced with new and better features. They have unique and useful features that make it easy for users to stay updated with friends. They also offer apps for different smartphones, providing even easier access to friends and other useful information. But at the same time these contacts and important details are also at risk if the security features are compromised.

Google Vs Facebook

Google and Facebook are two popular corporations offering online social networks and other useful applications. Over the past few years Facebook has gained significant recognition and has attracted a large number of users from around the world. These users share their private information on the web. There are security features that restrict strangers from accessing personal information, but exposing personal data online is still a risk.

On the other hand, Google is a popular search engine that is now stepping into the world of social networks and has started offering new products such as +1, Hangouts and more.

But when comparing these two popular corporations, a widely asked question concerns their safety. Personal information can be fatal if it gets into the wrong hands. Users can restrict others from viewing information by changing their privacy settings. For instance, Facebook lets users apply “friends only” and “friends of friends” settings to their content, which users can select according to their requirements.

Facebook users can also create groups, set privacy settings on them, and add friends and family to these groups. For instance, if someone wants to allow a group of people to view a photo album, it is good practice to create a group and allow only that group to view the photos or albums.

Google+ Project

Google launched a project named Google+, which comprises several smaller projects such as Google Circles. It is a social network and offers the same kind of security features as Facebook in the form of “circles”. The Google+ project comprises a number of projects such as Hangouts, +1, Circles, Sparks and more. All these applications are interconnected across the web, with Google search, social networks, likes and video chat. With such a large online project, users are more exposed to the risk of information getting into the wrong hands.

To cope with security risks, Google launched different panels to advise users about secure content sharing, such as the Google Family Safety Center, which allows parents to control their children’s activities. Parents can also contact Google’s advice board and find the help they want. It is also important to remain cautious of malicious invitations and software downloads. For instance, Google Hangouts requires installing Adobe AIR on the system. It is important to download such applications from authentic or official websites.

Facebook Risks

Facebook is a great way to connect with friends and family, but at the same time there are also bad guys getting social on Facebook. An IT security firm reports that users are being spammed or sent malicious code. Facebook offers good security features to restrict strangers from accessing personal information, but unethical activities are still on the rise.

Posted in Facebook, Featured, Security

Browser Updates

Just a few days ago, two major web browsers were updated to fix security vulnerabilities that may allow attackers to infect a computer with malware just by visiting a hacked website.

Google released version 11 of the Chrome web browser. 18 of the more than 20 security holes closed with this release are rated “high” by the Google developers.

The Mozilla developers were also busy fixing security issues in the Firefox web browser (and in the Thunderbird mail program, too). Firefox 4.0.1, 3.6.17 and 3.5.19 fix at least 3 security vulnerabilities.

The updates are either installed automatically or can be obtained with the integrated update mechanism of the software. As the security holes are rated critical, users and administrators should install them as soon as possible!

Dirk Knop
Technical Editor
techblog.avira.com

Posted in Avira

Cyber Crooks All Set to Crash the British Royal Wedding

As we have seen with many major events in the past, news of the British Royal Wedding is currently being used by cyber criminals to bolster their spam campaigns and push rogue antivirus software through black hat search engine optimization (SEO) techniques.
 

Spam campaigns

We have blogged previously about “snowshoe” spammers targeting the upcoming British Royal Wedding of Prince William and Kate Middleton. Spam email messages advertising a replica of Princess Diana’s engagement ring that were observed in February are still making the rounds on the Internet, and the eve of the royal wedding is now upon us. Furthermore, as we had anticipated, we have recently observed additional spam campaigns making use of this significant event to promote various products.

In one such recent spam campaign, email promoting a “limited edition Buckingham Mint Royal Wedding Commemorative Coin” at a discounted rate is being observed:


 
The IP address involved in this particular spam attack belongs to a domain owned by an email marketing company based in the UK. The link in the body of the email first briefly redirects to the domain lpmtrk.info (created on January 14, 2011) before redirecting to the final destination site. This domain was registered using a domain privacy service to obscure its identity so it could be used for spamming activities.

In another spam campaign, limited edition customizable mugs and t-shirts are being promoted at a discounted rate:
 

 

Sample “From” and “Subject” lines observed in these and related spam attacks are listed below:

From: Sovenir <souvenir@yahveh.permissionalert.com>
From: Sovenir souvenir@ardent.informationfoot.com
From: “Timeless Royal Ring” <royalring@yinstenarm.com>
From: “British Heirloom Ring” <royalring@yinstenarm.com>

Subject: Get a limited-edition royal wedding mug now
Subject: Get A Limited Edition Royal Wedding T-Shirt Now
Subject: Share in the most anticipated wedding of the century
Subject: A Beautiful Simulated Sapphire Ring

The domains that are linked to the above email addresses are spammer-owned domains created recently, most likely for spamming purposes. The two domains used in the email addresses above were registered on April 7, 2011, to the same registrant. The links in the above spam emails first redirect to the domain linked to the email address before redirecting to the actual spam website. Spammers have also included opt-out links (not included in the screenshots above), which are most likely bogus.

The IP addresses involved in the above spam messages are traced back to the United States. These IP addresses have been blacklisted due to their past involvement in spam campaigns. Rest assured, Symantec Brightmail filters are in place to block these and related spam email attacks.
 

Black hat SEO

With only one day left before the “big day,” searches related to the Royal wedding are gaining momentum on the Web. Black hat SEO techniques are being used in “fake” pages to lure people looking for news related to the royal wedding.

At one point, a search for “william and kate movie imdb” returned 61 malicious links in the first 100 search results. Fifty-eight of the first 100 results for the search term “princess diana death photos” and 45 of the first 100 results for the search term “royal wedding guest list kanye” also led to malicious sites.

Screenshots of the search results for the term “royal wedding gown sketches” are shown below, in which Norton Safe Web indicates 6 of the 8 links are malicious:


 
Some of these poisoned pages receive very high search engine rankings, and appear in the first page of search results. The following screenshot shows a malicious URL appearing as the first link in the results (right below the news links) for the term “Royal wedding time.”

The Norton Safe Web site reports at safeweb.norton.com provide a detailed threat report for sites rated red or yellow:

Here are some other search terms currently returning poisoned links:

  • william and kate movie cast
  • prince charles age
  • princess diana death facts
  • prince harry last name
  • william and kate movie on lifetime
  • royal wedding guest list bush
  • royal wedding guest list snubs
  • prince charles siblings
  • the royal wedding date and time

We have seen over 500 compromised sites being used in this campaign over the past few days. Attackers create multiple fake pages on each site and use unethical SEO techniques, such as keyword stuffing, cloaking, and link farming, to “game” the search engine algorithms and achieve high search engine rankings.

These poisoned links generally have the following pattern:

hxxp://<domain name>/<random 2 character string>-<search keyword>

Most of these poisoned links redirect (307 Temporary Redirect) to co.cc domains that host rogue antivirus software. We came across 11 different co.cc domains being used in this campaign so far.
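As an added example (not code from the original post), the following Python triage function checks crawler records for the two indicators described above: the `/<2 characters>-<keyword>` path shape and a redirect to a co.cc domain. The character set of the random prefix, the sample records and the hostnames are constructed assumptions; only the pattern and the co.cc observation come from the post.

```python
import re
from urllib.parse import urlparse

# Path shape described in the post: /<random 2-character string>-<search keyword>.
# The character set of the random prefix is an assumption; the post only gives its length.
POISONED_PATH = re.compile(r"^/[A-Za-z0-9]{2}-[A-Za-z0-9_-]+/?$")
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed crawler log of (requested URL, HTTP status, Location header or None).
# Hostnames are placeholders, not sites named in the post.
SAMPLE_REQUESTS = [
    ("http://compromised-site.example/ab-royal-wedding-gown-sketches", 307,
     "http://landing-one.example.co.cc/scan.php"),
    ("http://compromised-site.example/about-us", 200, None),
    ("http://news-site.example/xy-royal-wedding-time", 301,
     "http://news-site.example/royal-wedding-time"),
    ("http://blog.example/q7-princess-diana-death-photos", 307,
     "http://landing-two.example.co.cc/promo"),
]


def has_poisoned_path(url):
    """True when the URL path matches the two-character-prefix keyword pattern."""
    return bool(POISONED_PATH.match(urlparse(url).path))


def redirects_to_cocc(status, location):
    """True when the response is a redirect whose target sits under co.cc."""
    if location is None or status not in REDIRECT_STATUSES:
        return False
    host = urlparse(location).hostname or ""
    return host == "co.cc" or host.endswith(".co.cc")


def indicators(url, status, location):
    """Collect the indicators from the post that a single request exhibits."""
    hits = []
    if has_poisoned_path(url):
        hits.append("seo-path-pattern")
    if redirects_to_cocc(status, location):
        hits.append("redirect-to-co.cc")
        if status == 307:
            hits.append("307-temporary-redirect")
    return hits


def triage(requests):
    """Return the URLs that show both the path pattern and a co.cc redirect.

    Requiring both indicators keeps a keyword-shaped path on a legitimate site
    (which merely redirects to its canonical URL) from being flagged on its own.
    """
    return [url for url, status, location in requests
            if {"seo-path-pattern", "redirect-to-co.cc"} <= set(indicators(url, status, location))]


if __name__ == "__main__":
    for flagged in triage(SAMPLE_REQUESTS):
        print("poisoned:", flagged)
```

The third sample record shows why both indicators are required: its path has the keyword shape, but it is a permanent redirect to the same site's canonical URL, so it is not reported.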

The screenshot below shows the usual fake scanning/rogue antivirus activity that claims a whole bunch of serious errors and threats need to be cleaned from your computer:

When searching for information on the Internet, make sure your legitimate antivirus software is updated and be wary of scam pages asking you to download “antivirus” software.

Symantec’s multilayered protection technologies provide coverage for all of these attacks. The Norton Safe Web toolbar identifies and blocks poisoned search results.

 

Norton survey results

Our Norton team at Symantec recently conducted a Royal Wedding survey. The results of the survey were released on April 18, 2011, and they exhibit some interesting facts, as listed below, as well as some that were quite shocking:

* 62% of Americans surveyed are likely to follow the British royal wedding.

* 87% of those surveyed responded that, as of March 25, they were already following the news about the upcoming wedding.

* Moreover, one-third of respondents will seek their royal wedding news online, making them more susceptible to online scams and other threats.

* One-quarter of respondents said they are interested in the royal wedding primarily because they love the notion of royalty with all its pomp and ceremony.

* Nearly 1 in 4 said their primary reason for following the wedding is because they want to see the lavish decorations, food, and clothing.

Royal Wedding 2.0 – The first “e-royal wedding”

* Nearly 40% of all respondents will seek their royal wedding information online.

* 67% of 18-34 year olds will seek their royal wedding information online.
            
* 87% of 18-24 year olds will seek their royal wedding information online.

* More than a quarter of respondents will be watching the wedding on a computer, laptop, or mobile device, either live or recorded.

* 53% of respondents will potentially share their thoughts about the royal wedding online (e.g., social networks, micro-blogs, and blogs).

People are unaware and unprotected from cybercriminal “wedding crashers”

* 18-34 year olds are more than twice as likely to not have security software (or not know if they do) on their laptop or computer than those 45 or older.

* 87% of 18-24 year olds seek their royal wedding information through online channels, and, shockingly, that same proportion of 18-24 year olds don’t know what search engine optimization (SEO) poisoning is, or how it affects them.

—————————————

Note: This blog has been researched and written by Symantec’s Suyog Sainkar, Nithya Raman, and Helen Malani.

Posted in Symantec

419 Scammers Still Open to ‘Traditional Postal Services’ Option

Communication in today’s world is dominated by email, instant messaging, and social networking. However, for any formal statement or announcement, hard-copy letters are still sent using postal services. In both mediums, unwanted, unsolicited letters are nothing new; however, it may still be surprising when a spam message is sent using postal services: somewhat low tech, but perhaps the most effective way to bypass all kinds of online security. In a letter shared by a recipient, we found familiar text seen in emails associated with scams. We confirmed the hard-copy letter to be a 419 scam.

Here is the scanned copy of the letter (where the identity and address of the recipient have been blurred):

Text inside the letter has everything that we commonly see with email scams, except that we do not find any reply-to email addresses. Also, the scammer stresses that recipients must only fax the information (direct telephone and fax number), even if that means buying a new fax machine.

Such spam campaigns are already known to be widespread online and quite possibly have been seen in the past in letter form as well. As always, Symantec is committed to providing maximum security to its online users. However, with this particular incident, we would like to remind users to be careful of these hand-delivered scams as well.

Posted in Symantec

DLL-Based FAKEAV Returns In The Wild

In our previous FAKEAV whitepaper, we presented how Trend Micro researchers tracked the evolution of FAKEAV and classified its development, behavior-wise, into generations. One of the early generations listed in the paper is the DLL-based FAKEAV (4th Generation), a FAKEAV group that uses a DLL file to perform all the malicious routines, primarily to avoid being terminated easily. A few months ago, however, we saw this particular generation again making its rounds in the wild, one sample of which we detect as TROJ_FAKEAV.BTV.


In terms of appearance, 4th generation FAKEAV does not differ in any particular way from other FAKEAV generations. In the background, however, it can be characterized by the considerably large file size of the DLL component (samples of TROJ_FAKEAV.BTV are around 1.50MB in size). This is because the fake pop-ups, GUIs, and other scareware modules are all contained in the DLL.

FAKEAV as a Whole

Understanding how FAKEAV progressed over the years, it isn’t particularly surprising to see variants of 4th Generation FAKEAV back in the wild. For the most part we see them updating visually, rather than evolving technically. The bad guys knew that all it takes to maintain their steady supply of victims is to update the (rogue) antivirus software name and do some re-designing in their GUIs – a reason why we see so many FAKEAV GUIs today.

In parallel with these software name updates, FAKEAV also updates its registry, file, and folder names in order to evade string-based AV solutions. Nevertheless, regardless of how they update, strings will continue to be a weak point of the FAKEAV family. From them, antivirus researchers can craft generic rules/patterns for memory, process, file, and registry scanning/cleaning.

As such, we will continue to devote our time and effort to closely monitor prominent threats like the FAKEAV family, as well as provide adequate solutions to users. We advise users to keep themselves informed of the developments concerning threats such as FAKEAV, as well as to familiarize themselves with the nature of attacks. Users may refer to the guide we published last year, FAKEAV 101: How To Tell If Your Antivirus Is Fake.

Also, more information on the 4th Generation FAKEAV, as well as the other generations, is available in our report, The Dangers Rogue Antivirus Threats Pose.

Posted in Trendmicro

Adobe updates Reader and Acrobat

As announced a little earlier, Adobe released updated versions of Adobe Acrobat and Reader. These programs were vulnerable to the Flash Player zero-day vulnerability as well, which was already fixed last week. As the vulnerability is rated critical, users of Acrobat and Reader should download and install the updates as soon as possible.

The updated version for Adobe Reader is available in the Download Center. For Acrobat, the new releases are linked in the refreshed security advisory.

Dirk Knop
Technical Editor
techblog.avira.com

Posted in Avira

iPhone Tracking

Some time ago, a security researcher, Alex Levinson, found out that the iPhone keeps a SQLite database of the iPhone’s location (wifi-based, cell-based or GPS) and some other information.

The file, located in /private/var/root/Library/Caches/locationd/consolidated.db, is easily accessible on jailbroken phones (ssh or any file transfer tool) and readable by any SQLite3 tool.

This issue has recently resurfaced as two researchers, Pete Warden and Alasdair Allan, wrote a Mac OS tool to generate maps from the locations recorded in that database, and presented it at Where 2.0 in San Francisco today.

If you don’t have a Mac, there is an online tool here (in French), or you can use the Firefox 4 SQLiteManager plugin + Google Fusion to do the trick (which is actually the solution I used for the maps below).

I would also encourage you to read Mikko Hypponen’s post. It offers an interesting explanation as to why Apple designed such a database. In short, Hypponen’s idea is that it reduces the cost of renting an external location database.

The few things I would like to add to the story are:

  • the consolidated.db is a ‘standard’ SQLite3 database, so you can query it like any SQLite database; there is no need for sophisticated tools (but they are cool). The data is directly usable:
    sqlite> .dump CellLocation
    PRAGMA foreign_keys=OFF;
    BEGIN TRANSACTION;
    CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER,
    LAC INTEGER, CI INTEGER, Timestamp FLOAT,
    Latitude FLOAT, Longitude FLOAT, HorizontalAccuracy FLOAT,
    Altitude FLOAT, VerticalAccuracy FLOAT, Speed FLOAT, Course FLOAT,
    Confidence INTEGER, PRIMARY KEY (MCC, MNC, LAC, CI));
    INSERT INTO "CellLocation" VALUES(208,10,49802,21036492,314034125.866114,
    43.60604608,7.06016272,1211.0,0.0,-1.0,-1.0,-1.0,70);
    ...
  • The WifiLocation table tries to make up your location based on the wifi access points your iPhone sees, and for which Apple knows the location. If your iPhone sees a wifi access point known to be located by the Eiffel Tower, well, you probably are located close to the Eiffel Tower. This is done without using GPS.
  • The CellLocation table does basically the same, but based on the GSM access points your phone sees.

    Now, in my case, I noticed neither table mentioned I had gone to Poland with the iPhone. Why? Well, obviously, when you restore an old image of your phone, you overwrite the database :) By the way, the iPhone also made a poor estimate of my altitude and thinks I work at sea level (which is not the case).

  • Comparing the cell location with the wifi location (see maps below) may reveal interesting information. First of all, it shows that Apple does successfully associate our workplace wifi with its physical location (I believe the several locations in Sophia Antipolis, where we are located, are just various approximations). It also shows that our lab iPhone (well, the backup I restored) only accessed wifi from our office, that we did a trip to Toulon, but that we did not use wifi there.

    CellLocation

    WifiLocation

  • From a security point of view, it should be noted [thanks Guillaume for raising the point] that consolidated.db’s integrity is not guaranteed at all. It is easy to modify it to say I was in Greenland last month. Or I could hack into someone else’s iPhone and alter it so as to show that this person was at a crime scene when the crime happened. Thus, it should be handled carefully by forensics experts.
  • The ‘untrackerd’ application cleans the database regularly.
  • Finally, you might have noted that the iPhone stores the MCC (Mobile Country Code) and MNC (Mobile Network Code) of the SIM. It is interesting to note that it did notice I sometimes use a fake SIM (208/30). This is when I use a local OpenBTS replication jail I will talk about at VB 2011 – patience :) In that case, it is unable to locate my position as it is not aware of this fake operator (as it is only valid within the walls of our lab) :)
    INSERT INTO "CellLocation" VALUES(208,30,1000,10,314034365.532726,
    0.0,0.0,-1.0,0.0,-1.0,-1.0,-1.0,0);

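As an added example (not code from the original post), the Python below rebuilds a stand-in consolidated.db from the CellLocation schema and the two rows quoted above, reads it back read-only, converts the timestamps, and marks rows the phone could not place (the 208/30 "fake SIM" row). Because the post stresses that the file's integrity is not protected, it also hashes the evidence copy before and after reading, the minimum a forensic examiner would do before trusting the contents. The interpretation of `Timestamp` as seconds since 2001-01-01 UTC is an assumption; the post does not state the epoch.

```python
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Table definition copied from the .dump output above.
SCHEMA = """
CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER,
LAC INTEGER, CI INTEGER, Timestamp FLOAT,
Latitude FLOAT, Longitude FLOAT, HorizontalAccuracy FLOAT,
Altitude FLOAT, VerticalAccuracy FLOAT, Speed FLOAT, Course FLOAT,
Confidence INTEGER, PRIMARY KEY (MCC, MNC, LAC, CI));
"""

# The two rows shown in the post: a real cell fix on operator 208/10 and the
# lab "fake SIM" row on 208/30 that the phone could not place on the map.
ROWS = [
    (208, 10, 49802, 21036492, 314034125.866114,
     43.60604608, 7.06016272, 1211.0, 0.0, -1.0, -1.0, -1.0, 70),
    (208, 30, 1000, 10, 314034365.532726,
     0.0, 0.0, -1.0, 0.0, -1.0, -1.0, -1.0, 0),
]

# Assumption: Timestamp counts seconds since 2001-01-01 00:00:00 UTC
# (Apple's absolute-time reference), not the Unix epoch.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def build_sample_db(path):
    """Create a stand-in consolidated.db containing the rows from the post."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)", ROWS)
    con.commit()
    con.close()


def sha256_of_file(path):
    """Hash the evidence file so later edits (the post's Greenland scenario) are detectable."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def to_datetime(ts):
    return APPLE_EPOCH + timedelta(seconds=ts)


def load_cell_fixes(path):
    """Read CellLocation through a read-only connection and mark rows without a usable position."""
    con = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
    con.row_factory = sqlite3.Row
    fixes = []
    for r in con.execute("SELECT * FROM CellLocation ORDER BY Timestamp"):
        # A 0/0 position with Confidence 0 is how the unknown operator shows up.
        located = r["Confidence"] > 0 and not (r["Latitude"] == 0.0 and r["Longitude"] == 0.0)
        fixes.append({
            "operator": f"{r['MCC']}/{r['MNC']}",
            "cell": (r["LAC"], r["CI"]),
            "when": to_datetime(r["Timestamp"]),
            "lat": r["Latitude"],
            "lon": r["Longitude"],
            "accuracy_m": r["HorizontalAccuracy"],
            "located": located,
        })
    con.close()
    return fixes


def examine(path):
    """Hash first, read second, hash again: returns (digest, fixes, unchanged)."""
    before = sha256_of_file(path)
    fixes = load_cell_fixes(path)
    return before, fixes, sha256_of_file(path) == before


def demo():
    """Build the sample database in a scratch directory and examine it."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "consolidated.db")
        build_sample_db(path)
        return examine(path)


if __name__ == "__main__":
    digest, fixes, unchanged = demo()
    print("sha256:", digest, "unchanged after read:", unchanged)
    for f in fixes:
        print(f["when"].isoformat(), f["operator"], f["lat"], f["lon"],
              "located" if f["located"] else "NOT located")
```

Under the stated epoch assumption the first row's timestamp falls in mid-December 2010, consistent with the author having restored an older backup. Opening the copy with `mode=ro` and comparing digests is what makes the "integrity is not guaranteed" caveat actionable: any change to the file between acquisition and analysis shows up as a digest mismatch.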
Posted in Fortinet

Silverlight Update Available, (Thu, Apr 21st)

Microsoft has issued a security patch for Silverlight, KB2526954. It fixes several security issues. However, the Microsoft link to KB2526954 is still not live. If you have Microsoft Update running, it is ready to install. This is rated as important and will auto-install.

Direct download http://go.microsoft.com/fwlink/?LinkID=149156

[1] http://www.microsoft.com/getsilverlight/Get-Started/Install/Default.aspx

– Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Posted in Security

Search Engine Security available for Firefox Mobile

While the number of threats targeting mobile devices is increasing, web browsers for mobile devices still lack the security features of their desktop counterparts. For example, Firefox 4 Mobile (also known as Fennec) does not include Google Safe Browsing to prevent users from navigating to known malicious sites.

Zscaler has released 3 Firefox add-ons to protect users, such as Search Engine Security, BlackSheep and Zscaler Safe Shopping. I have now ported Search Engine Security to the mobile version of Firefox 4, and will release Zscaler Safe Shopping for mobile devices later on.


Install Search Engine Security add-on for Firefox 4 Mobile
Search Engine Security

The add-on behaves the same as the desktop version. It protects users from malicious search results in Google, Bing and Yahoo! by modifying the Referer and User-Agent headers when users leave these sites.

You can enable/disable Search Engine Security for any specific search engine. The add-on shows its status in the search results.

Search Engine Security protection for Google

The settings are the same as those used for the desktop version. You can specify which Referer header to use (none by default) and whether or not to modify the user agent (choose Yes for better protection). Because of restrictions in Firefox Mobile, the whitelist, used to prevent header changes for particular sites, is restricted to a single URL.
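To make the header rewrite concrete, here is an added Python model of the decision the add-on makes on each outgoing request (this is illustrative code, not the add-on's own source): a request is rewritten only when its Referer points at an enabled search engine, the destination is not that search engine itself, and the destination is not the single whitelisted URL. The replacement User-Agent string, the default option values other than "no Referer", and the sample URLs are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Assumed replacement User-Agent; the post does not say which string the add-on sends.
GENERIC_UA = "Mozilla/5.0 (compatible; generic)"
ENGINES = ("google", "bing", "yahoo")


@dataclass
class Settings:
    """Mirrors the options described in the post. Only referer=None is stated as the default."""
    enabled: dict = field(default_factory=lambda: {e: True for e in ENGINES})
    referer: Optional[str] = None          # None = send no Referer at all
    modify_user_agent: bool = True         # the post recommends Yes
    whitelist_url: Optional[str] = None    # Firefox Mobile allows a single URL


def search_engine_of(url):
    """Name of the search engine a URL belongs to (google.*, bing.*, yahoo.*), or None."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return next((e for e in ENGINES if e in labels), None)


def outgoing_headers(request_url, referer, user_agent, settings):
    """Headers the browser would send for request_url after the add-on's rewrite."""
    headers = {"User-Agent": user_agent}
    if referer is not None:
        headers["Referer"] = referer
    engine = search_engine_of(referer) if referer else None
    if engine is None or not settings.enabled.get(engine, False):
        return headers                      # not leaving a protected search engine
    if search_engine_of(request_url) == engine:
        return headers                      # still browsing the search engine itself
    if settings.whitelist_url and request_url == settings.whitelist_url:
        return headers                      # whitelisted destination keeps real headers
    # Leaving a result page: hide where the click came from and which browser made it,
    # so a poisoned page cannot tailor its payload to the search term or the client.
    if settings.referer is None:
        headers.pop("Referer", None)
    else:
        headers["Referer"] = settings.referer
    if settings.modify_user_agent:
        headers["User-Agent"] = GENERIC_UA
    return headers


if __name__ == "__main__":
    # Constructed request: a click from a Google result page to an arbitrary destination.
    ua = "Mozilla/5.0 (Android; Mobile; rv:4.0) Gecko/20110401 Firefox/4.0"
    print(outgoing_headers("http://destination.example/",
                           "http://www.google.com/search?q=referer+mobilefish", ua, Settings()))
```

The "referer mobilefish" search mentioned later in the post is the manual version of this check: with the rewrite active the destination page sees no Referer and the generic User-Agent; with it off it sees the real values.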


Search Engine Security options for Mobile
How to test it

Search Engine Security works transparently, and most users will not notice the change of HTTP headers. The equivalent of Live HTTP Headers for Firefox Mobile is Mobile Tools. Unfortunately, this extension shows the HTTP headers before they are modified by Search Engine Security. To see the changed Referer and User-Agent headers, search for “referer mobilefish” in Google and click on the first search result. The page from mobilefish.com shows your User-Agent string as well as the Referer. You can try it with Search Engine Security turned on and off for Google to see the different values.

User Agent and Referer headers modified by Search Engine Security

Don’t forget to restart Firefox after you install this add-on. It does not yet take advantage of the restartless feature introduced in Firefox 4.


Install Search Engine Security add-on for Firefox 4 Mobile
– Julien

Posted in Security

Rush Towards Gold Related Spam

On April 20, for the first time ever, gold rose above $1,500 an ounce as worries over the U.S. economic outlook boosted demand for the metal as a haven. Within hours, Symantec observed this spammer’s response: a hit-and-run spam attack with the Subject line “Is Gold Your Ticket To A Golden Future?”

Hit-and-run spam (or snowshoe spam) is a threat known for large volumes of spam messages sent in short bursts, where domains rotate quickly and the sending IP hops within a certain /24 IP range.

Key characteristics include:

  • The message is in HTML
  • There is some type of word salad or word obfuscation injected between various tags and/or in the URL by means of multiple directories
  • The message is typically sent within the same /24 IP range
  • Domains are rotated quickly
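The /24 hopping and fast domain rotation listed above are exactly the properties a mail gateway can count. The following Python is an added detection example (not Symantec's filtering logic): it groups messages by the sender's /24, slides a time window over each block, and reports blocks that produced a burst from many distinct hosts and sender domains. The log lines, thresholds, addresses and domains are constructed; only the subject line comes from the post.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed mail-gateway log, one line per message: time, connecting IP, sender domain, subject.
LOG = """\
2011-04-20T14:01:03 198.51.100.17 goldkit-one.example Is Gold Your Ticket To A Golden Future?
2011-04-20T14:01:09 198.51.100.23 goldkit-two.example Is Gold Your Ticket To A Golden Future?
2011-04-20T14:01:15 198.51.100.88 goldkit-three.example Is Gold Your Ticket To A Golden Future?
2011-04-20T14:01:21 198.51.100.41 goldkit-four.example Is Gold Your Ticket To A Golden Future?
2011-04-20T14:02:02 198.51.100.5 goldkit-five.example Is Gold Your Ticket To A Golden Future?
2011-04-20T14:03:40 203.0.113.9 newsletter.example Weekly market update
2011-04-20T15:10:00 203.0.113.9 newsletter.example Weekly market update
"""


def parse_log(text):
    """Turn log lines into (datetime, ip_address, sender_domain, subject) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, ip, domain, subject = line.split(" ", 3)
        records.append((datetime.fromisoformat(when), ipaddress.ip_address(ip), domain, subject))
    return records


def detect_snowshoe(records, window_seconds=300, min_messages=5, min_domains=3):
    """Find /24 ranges that sent a burst of messages from many hosts and domains.

    Messages are grouped by the sender's /24; within each group a time window
    slides over the sorted messages and the first window meeting both
    thresholds is reported with its host, domain and subject counts.
    """
    by_block = defaultdict(list)
    for when, ip, domain, subject in records:
        block = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_block[str(block)].append((when, ip, domain, subject))

    flagged = {}
    for block, msgs in by_block.items():
        msgs.sort()
        start = 0
        for end in range(len(msgs)):
            # Advance the window start until it spans at most window_seconds.
            while (msgs[end][0] - msgs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = msgs[start:end + 1]
            domains = {m[2] for m in window}
            if len(window) >= min_messages and len(domains) >= min_domains:
                flagged[block] = {
                    "messages": len(window),
                    "hosts": len({m[1] for m in window}),
                    "domains": len(domains),
                    "subjects": sorted({m[3] for m in window}),
                }
                break
    return flagged


if __name__ == "__main__":
    for block, info in detect_snowshoe(parse_log(LOG)).items():
        print(block, info)
```

A legitimate sender that mails repeatedly from one host and one domain (the newsletter lines) never accumulates enough distinct domains inside a window, so the check keys on the rotation itself rather than on volume alone.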

The call to action for this particular attack is a URL in the message body that directs the recipient to a website where they can request a “free” investor kit. In order to receive the investor kit, personal contact information is requested. Certain personalities are used in the image for this spam campaign, including Glenn Beck. A Google search reveals an interesting angle about Glenn Beck promoting gold investments. It seems that the spammer did some research in order to know about the association before propagating this spam campaign.

Symantec has known for some time now that spammers stay on top of current events and adapt their economically focused pitches towards the news headlines. In the midst of the economic gloom, for example October 2007, Symantec reported several spam emails with subject lines such as “Looking to sell your house fast?” and “Get the dough out of your house.” This gold-rush spam attack of April 2011 adds more credence to the argument discussed in a blog post published April 2010, which was written to explore whether the focus of spam email could be used as an economic indicator.

Posted in Symantec

What Does the Consumerization of IT Mean to You? (An End-User Survey on Personal and Business Smartphone Trends)

More than ever before, smartphones are keeping us connected both personally and professionally. Because most of us have a preference as to the ideal smartphone, IT departments are increasingly being tasked with managing a mix of business-liable and employee-liable devices. This trend has become known as the consumerization of IT.

Symantec has developed a short survey to get smartphone end users’ perspectives on this trend. We’d also like to learn more about how your employer is managing the growing use of smartphones, especially those being purchased and brought into the organization by employees. The quick five minute survey can be found here: http://bit.ly/gsdgmX

Once you’ve taken the survey, please stay tuned to the original post that resides in the Security Community Blog. We’ll be sharing the results once the survey is complete.

Posted in Symantec

April 2011 Internet Threats Trend Report

Statistics related to spam levels feature prominently in this Internet Threats Trend Report, as they did in the report about the fourth quarter of 2010. This is due to the wide variations observed during the first three months of 2011, and the takedown of the Rustock botnet, which we calculated was responsible for sending around 50 billion spam messages daily. We have also included zombie data, which shows the effects of the takedown as well as the huge UPS outbreak at the end of March.

Some highlights from the report:

  • Spam levels averaged 149 billion spam/phishing messages per day during Q1, compared to the 142 billion spam/phishing messages per day in Q4 2010 and 198 billion in Q3 2010.
  • Approximately 258,000 zombies were activated daily during Q1, a decrease compared to the 288,000 zombies in Q4 2010 and 339,000 during Q3 2010.
  • The most popular spam topic in Q1 was again pharmacy ads representing 28% of all spam, down from 42% in Q4 2010.
  • India keeps its title for the third quarter in a row as the country with the most zombies, with 17% of all zombies worldwide.
  • Parked domains were the website category most likely to contain malware.
  • Streaming media/downloads continues to be the most popular topic for blog creators in the Web 2.0 sphere of user-generated content, with 21% of the generated content.

A brief SlideShare presentation summarizing the report is available here

Posted in Commtouch

Despite the Headlines, SLAAC Does Not Represent a Zero-Day Attack Vector

SLAAC is a mnemonic for IPv6 StateLess Address AutoConfiguration. Router information is solicited only after the interface has established an IPv6 address for the local link. IPv6 does not use Ethernet broadcasting, which imposes scaling limitations on the number of devices supported on a local link. Instead, IPv6 multicasting divides devices into 16.7 million isolated Solicited-Node groups based on the last 3 bytes of their IPv6 address. Multicasting represents a significant departure from the way networks previously worked using the blunt method of broadcasting.
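The 16.7 million groups are simply the 2^24 values of those last 3 bytes. As an added example (not from the original post), the Python below derives the solicited-node group and the Ethernet multicast address a host joins, and shows that two addresses sharing their low 24 bits land in the same group; the addresses used are documentation-range examples.

```python
import ipaddress

# RFC 4291: solicited-node address = ff02::1:ff00:0/104 with the unicast address's low 24 bits appended.
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
GROUP_COUNT = 2 ** 24  # one group per value of the low 24 bits: 16,777,216, the post's "16.7 million"


def solicited_node_group(address):
    """Solicited-node multicast group a host must join for the given unicast address."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def multicast_mac(group):
    """Ethernet destination an IPv6 multicast group maps to: 33:33 plus the group's low 32 bits.

    A switch with MLD snooping forwards a neighbor solicitation only to ports
    that joined this MAC/group, instead of flooding it like an ARP broadcast.
    """
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def share_group(a, b):
    """True when two unicast addresses resolve to the same solicited-node group."""
    return solicited_node_group(a) == solicited_node_group(b)


if __name__ == "__main__":
    for addr in ("2001:db8::1", "fe80::1234:5678:9abc:def0"):
        group = solicited_node_group(addr)
        print(addr, "->", group, multicast_mac(group))
    print("groups:", GROUP_COUNT)
```

The practical consequence for monitoring is that neighbor discovery traffic for one host is visible only to hosts in the same group (and to anything that deliberately joins it), which is why the broadcast-era instinct of watching one segment for all resolution traffic no longer holds.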

IPv4 and MAC Address Relationship with Network Interface Unverified

Under IPv4, the MAC address belonging to an IP address is determined using ARP [RFC826], which requests the MAC address associated with a specific IPv4 address by using a broadcast (all ones) destination MAC address that switches and interfaces recognize and replicate or flood across all switch ports. ARP can also announce an address by setting both source and destination IPv4 addresses to the same value, or probe by setting the source to a null IP address.

The inverse of ARP was BootP, described in [RFC951] back in 1985. BootP requests an IP address for the MAC address by using a broadcast (all ones) destination IP address. BootP was superseded by DHCP. Those new to IPv6 are often surprised to find how multicasting rather than broadcasting changed the way networks, switches, and routers operate.

Router Advertisements Define the Local Network with IPv6

Customer premises equipment (CPE) shipped by Free, a subsidiary of Iliad and the second largest Internet service provider in France, provides DNS configuration in its router advertisements, which eliminates the need for DHCP in most environments. This feature, carrying DNS configuration in router advertisements, was introduced by [RFC5006] back in 2007 and replaced by [RFC6106] in 2010. Having this feature removed the need to use DHCP, which was important because neither Windows XP nor Mac OS X included a DHCP client able to talk over IPv6.

Untrustworthy Network Interface Assignments

Rather than worrying about an attack somehow associated with SLAAC, the issue is really about spoofed router advertisements. This problem is similar to spoofing ARP or DHCP responses. IT managers may imagine there are practical controls able to limit the extent of this risk with IPv4. There are not. Even secure switch ports that restrict the use of MAC addresses offer limited protection for either IPv4 or IPv6. These restrictions will not mitigate the ARP spoofing risk that exists with IPv4, for example. There is still significant risk when a compromised system is within the local network, where it is free to tamper with traffic. So consider RA spoofing the same problem, with similar outcomes. Don’t be confused by, and react to, the different terminologies that express the perennial local network spoofing threat.

Verifiable Address Assignments

However, unlike IPv4, IPv6 does not really need a labyrinthine arrangement of device- and protocol-specific restrictions when Secure Neighbor Discovery (SeND) is supported. Although the major OS vendors do not support SeND, major networking equipment manufacturers do and can enforce this protocol within their equipment. One alternative is ACL-based methods that restrict which devices are allowed to play the role of router.
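The ACL idea in the previous paragraph, and the RA spoofing concern in the one before it, reduce to a single question: did this router advertisement come from a router we expect, and does it carry the resolvers we expect (the RFC 6106 RDNSS option discussed above)? The Python below is an added example of that audit run over constructed observations (it is not a product's RA-guard implementation and uses no live capture); the router identities, MACs, prefixes and resolver addresses are placeholders from the documentation ranges.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RouterAdvertisement:
    """The fields of an observed RA that the audit cares about."""
    src_link_local: str   # IPv6 source of the RA (always link-local)
    src_mac: str          # Ethernet source it arrived from
    prefix: str           # prefix offered for SLAAC
    rdnss: tuple          # resolver addresses carried in the RDNSS option, if any


# Constructed observations from a hypothetical link monitor (placeholder values).
OBSERVED = [
    RouterAdvertisement("fe80::1", "00:11:22:33:44:55", "2001:db8:1::/64", ("2001:db8:1::53",)),
    RouterAdvertisement("fe80::1", "00:11:22:33:44:55", "2001:db8:1::/64", ("2001:db8:1::53",)),
    # A second device announcing itself as a router with its own prefix and resolver.
    RouterAdvertisement("fe80::2", "02:00:00:00:00:02", "2001:db8:bad::/64", ("2001:db8:bad::53",)),
    # The legitimate router's link-local address, but sent from a different MAC.
    RouterAdvertisement("fe80::1", "02:00:00:00:00:02", "2001:db8:1::/64", ("2001:db8:1::53",)),
    # The legitimate router and prefix, but pointing clients at an unknown resolver.
    RouterAdvertisement("fe80::1", "00:11:22:33:44:55", "2001:db8:1::/64", ("2001:db8:1::53", "2001:db8:bad::53")),
]

# The ACL: which (link-local, MAC) pairs may act as routers, and which resolvers they may hand out.
ALLOWED_ROUTERS = {("fe80::1", "00:11:22:33:44:55")}
EXPECTED_RDNSS = {"2001:db8:1::53"}


def audit(observed, allowed_routers, expected_rdnss):
    """Return (finding, advertisement) pairs for every RA that violates the ACL.

    Checking the link-local address and MAC together matters: either one alone
    can be copied from the real router, as the fourth sample shows.
    """
    findings = []
    for ra in observed:
        if (ra.src_link_local, ra.src_mac) not in allowed_routers:
            findings.append(("unexpected-router", ra))
        elif set(ra.rdnss) - expected_rdnss:
            findings.append(("unexpected-rdnss", ra))
    return findings


def summary(findings):
    """Count findings by type so a recurring rogue RA does not drown the list."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, ra in audit(OBSERVED, ALLOWED_ROUTERS, EXPECTED_RDNSS):
        print(kind, ra.src_link_local, ra.src_mac, ra.prefix, ra.rdnss)
```

This is the monitoring half of the ACL approach; enforcement still has to happen on the switch (dropping RAs on non-router ports), because by the time a host has processed a spoofed RA it has already installed the rogue default route and resolver.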

Reacting to this concern by disabling IPv6 overlooks many features and applications that depend on IPv6 being made available using various methods within the OS. Not having IPv6 running on the local network will likely increase the number of unseen tunnels enabled by OSs reverting to their “interim” strategy behaviors. IPv6 represents the future growth of the Internet where it is prudent to enable this architecture and to keep it out in the open where traffic can be better monitored.

Posted in Trendmicro

Spammers Intend to Make You an Easter Bunny

Easter is a Christian holiday centered on the death of Jesus Christ and His subsequent resurrection several days later. Hence Easter is an important holiday for Christians. But what gets associated with Easter is beautifully decorated Easter eggs found in every decorated shop window this season, and of course the Easter Bunny! To celebrate Easter, people exchange Easter eggs and, over time, this has grown to include personalized e-cards and personalized gifts. Spammers have begun to exploit the season by sending personalized e-card, gift card, and replica-product spam emails.

Here is a screenshot of a personalized Easter e-card:

Here are some of the headers used in Easter e-card spam:

Subject: Give your child the gift of amazement A Package from The Easter Bunny.

Subject: The Most Popular Gift for Kids this Easter 2011

Subject: Send A Personalized Easter Bunny Letter

Subject: How To Make This Your Childs Best Easter Ever.

Subject: This is the secret to making your kids happy this Easter.

Subject: Personalized Easter Bunny Letters

From: “The Easter Bunny” <The.Easter.Bunny@removed.com>

From: “Easter Bunny” <Easter.Bunny@removed.com >

Where personalized Easter gifts are concerned, spammers have pushed replica product offers at unimaginable discounts (as shown in the image below). To create a frenzy, they also claim that stock is limited and therefore one must “HURRY”! But do not get carried away by such false promises. This could be bait used by the spammers to get hold of the user’s personal information.

Screenshot of the Web site selling fake replica watches:

As Symantec wishes all our readers a very happy Easter, we also advise you to be cautious when handling unsolicited or unexpected emails, especially during this Easter season. Updating antispam signatures regularly protects your personal information from being compromised.

Thanks to Anand Muralidharan for contributed content.

Posted in Symantec

Facebook Events, Credits, and Passwords Being Used for Attacks

Facebook has expanded its range of service offerings, making the site so much more than a place where users can interact with one another. It has been said several times that Facebook is bound to replace email as a means of communication, as it provides a more convenient way for users to send messages.

This convenience, however, was also leveraged by cybercriminals in a recent spam run wherein users were urged to download an application called Facebook Messenger. This would supposedly make it easier for them to access messages sent to their Facebook accounts.

The attack starts with spammed messages that look like a Facebook notification. The email message alerts users about a message that has been sent to their Facebook accounts and tells them to click a link to view it. Clicking the link, however, displays a download page for an application called Facebook Messenger.


The downloaded file, named FacebookMessengerSetup.exe, is malicious and detected as BKDR_QUEJOB.EVL. BKDR_QUEJOB.EVL opens TCP port 1098 to listen for commands sent by a malicious attacker. The commands may include updating the malicious file, downloading and executing other malicious files, and starting certain processes. It also queries the system for information such as installed antivirus products and OS version, then sends the data it gathers to a certain SMTP server.

More Attacks Targeting Facebook Users

It seems like cybercriminals have their eyes particularly set on Facebook users these days, as this is not the only attack we’ve seen in the past couple of days.

In another spam run, recipients were told that their Facebook passwords were unsafe and that they should open an attached document, which supposedly contained their new passwords and information on how they could further secure their accounts. Ironically, the said document was actually malware detected as TROJ_DOFOIL.VI.


We’ve also seen attacks similar to previously reported ones that exploit the Facebook Events feature. This time, however, the social engineering lure used was yet another popular Facebook feature: Credits.

Users were notified of a supposed glitch in Facebook’s system that could be fixed by simply following a set of given instructions. Similar to the technique used in the Facebook Stalker Tracker attack, users were told to copy a piece of code and to paste it into their Web browser. Executing the said script results in the creation of an event and in the invitation of the affected users’ contacts to the said event. The “event” contains spammy information such as links to the Canadian Pharmacy.


The script used to create the spam event is now detected as JS_OBFUS.PB.

Trend Micro product users are already protected from the above-mentioned threats through the Trend Micro™ Smart Protection Network™. Facebook users need to be aware that such schemes, among others, are very rampant on the network. Extreme caution before clicking links is strongly advised. Users may check out our comprehensive report, Spam, Scams, and Other Social Media Threats, for more information.

Additional text and further analysis by Dhan Praga and Harry Reynoso

Posted in Trendmicro

Flash Player Update available

Just a short notice on the now available Adobe Flash Player update: version 10.2.159.1 has been released, which fixes the critical security vulnerability that allows attackers to infect computers with malware simply by luring victims onto hacked websites, for example. The update is available for Windows, Mac, Linux and Solaris in Adobe’s Download Center. Users and administrators should install the new version immediately!

Dirk Knop
Technical Editor
techblog.avira.com

Posted in Avira


Adobe to Patch Flash Zero Day on Windows, Mac on Friday

Adobe is planning to patch the recently disclosed Flash Player vulnerability on Friday for users on Windows, Mac OS X and Linux. The vulnerability is being used in targeted attacks right now that use malicious Word documents.

Adobe said on Wednesday night that it plans to push out the Flash Player patch for Google Chrome today, as part of the Chrome release channel. A separate patch for Adobe Acrobat X for Windows and Mac, Reader X for Mac and Reader 9.x for Windows and Mac will follow on April 25.

The company is planning to wait until June to release a patch for the Flash Player bug in Reader X for Windows because the sandbox in that application prevents exploitation of the vulnerability. The patch for Chrome will be available earlier than the others thanks to Adobe’s relationship with Google.

“During our response to any zero-day vulnerability, Adobe seeks to protect as many users as quickly as possible. As part of our collaboration with Google, Google receives updated builds of Flash Player for integration and testing. Once testing is completed for Google Chrome, the release is pushed via the Chrome auto-update mechanism. Adobe is testing the fix across all supported configurations of Windows, Macintosh, Linux, Solaris and Android (more than 60 platforms/configurations altogether) to ensure the fix works across all supported configurations. Typically, this process takes slightly longer and, in this case, is expected to complete on April 15 for Flash Player for Windows, Macintosh, Linux and Solaris,” the company said in a statement.

When they disclosed the vulnerability earlier this week, Adobe officials warned customers that the vulnerability was already being used in targeted attacks that were leveraging malicious Flash files embedded in Microsoft Word documents. Microsoft security engineers analyzed the attacks and found that the attackers are using a complex exploit routine to build shellcode and then inject the exploit code into the Flash Player.

Posted in Kaspersky

Google Boosts Android Security With Encrypted Tablets, Remote PIN Reset

Google has boosted the security features of its Android operating system to allow stolen Android smartphones to be secured and reset remotely.

Google said its new Google Apps Device Policy for enterprise users allows employees to quickly secure lost or stolen phones running Android 2.2 and up.

With the new version of the Google Apps Device Policy app, employees can quickly secure a lost or stolen Android 2.2+ device by locating it on a map, ringing the device, and resetting the device PIN or password remotely via the new My Devices website.

Android 2.2 and up is used on mobile phones, while Android 3.0 is for tablets, such as the Motorola Xoom. To make Android tablets more business friendly, Google Apps customers will now be able to require encrypted storage on tablets running Android 3.0.

The tablet encryption requirement is achieved through an API that lets administrators enforce policies such as encryption and the aforementioned PIN reset. As with Android phones, it appears that Android tablets will support software-level encryption but not the more robust hardware-level encryption.

The PIN reset and encryption features, as well as a new tool for looking up corporate contacts, will be rolled out to Google Apps business and education customers.

Managing multiple types of devices will be key for any mobile management platform because the smartphone market is not dominated by any single vendor.

Posted in Quick Heal

New Malware can Automatically Register Facebook Applications

A few months ago, at least prior to February 7th, Sality operators pushed a new malware onto their P2P network of infected bots. The malware in question hooks into Internet Explorer using its standard COM interface, and gathers credentials submitted via web forms. February’s variant treated Facebook, Blogger, and Myspace logon information differently: on top of stealing and sending the username/password to a Command and Control (C&C) server, the information was also dumped to an encrypted file, onto the user’s compromised computer. At that time, the plausible guess was that these credentials would be used by upcoming malware – the Sality programmers are very imaginative.

This was confirmed last weekend. The newest Sality package contained a new malware, on top of their usual spam/web relays. The malware searches for encrypted files containing either Facebook or Blogger credentials (Myspace is left aside). If such files are found and contain credentials, the malware then connects to a C&C server (74.50.119.59, hosted in Florida) to request an “action script”. Such scripts look like C programs and are interpreted by the malware itself. The main goal is to automate Internet Explorer actions. On Monday, April 11th, the script sent when Facebook credentials were found on the local machine was the following:


The function names are self-explanatory. The script, when executed, performs the following actions:

  • Create a visible instance of Internet Explorer.
  • Navigate to facebook.com.
  • Log in.
  • Go to the Facebook app #119084674184 page: this application, named VIP Slots, has been around for a few years.
  • Grant access to this application.
  • Close the browser instance.

The permission required by VIP Slots is only “Basic information”, meaning your name and gender, profile picture, networks, and list of friends. The application itself does not seem to exhibit malicious behavior, but the fact that a malicious program interacts with it is very troubling. The end goal is not determined at this stage: registering the user could serve aggressive spamming (application posts appearing on your news feed), or be a way to get more users onto the app for monetary purposes (by buying virtual credits). The application could simply be an innocent party.

Another script was also distributed. The actions taken by this generic script were the following:

  • Create an invisible instance of Internet Explorer.
  • Go to google.com.
  • Search for “auto insurance bids”.
  • Close the browser instance.

This script could serve experimentation purposes. It could also be a very convoluted way to measure the propagation of their creation: Google Trends reports a recent peak for this search term.

As of today, it appears script distribution has stopped. However, new scripts could be distributed in the future as the C&C server is still up and running.

Our latest definitions detect this malware as Trojan.Gen. Facebook users may see which applications they are currently subscribed to by checking their Privacy settings > Apps and Websites page.

Posted in Symantec


WordPress Hacked, Source Code Stolen

Automattic, which makes the popular WordPress blogging software, says that its servers were hacked and that the company’s source code is believed to have been “exposed and copied,” according to a company blog post Wednesday.

The post, by Matt Mullenweg, Automattic’s co-founder, said that the company had a “low-level (root) break-in to several of our servers.” While the company doesn’t know the exact target of the hackers, “potentially anything on those servers could have been revealed.”

Mullenweg said the company was operating under the assumption that its source code was copied and, while much of it is open source, the copied data did contain “bits of our and our partners’ code” that are sensitive.

Automattic has taken “comprehensive steps to prevent an incident like this from occurring again,” but Mullenweg declined to speculate on whether the hundreds of thousands of blog operators that use WordPress need to be concerned about security vulnerabilities. He encouraged blog owners to make sure they are using strong passwords to secure their WordPress installations, and to refrain from reusing passwords – generic “good housekeeping” advice that wasn’t specific to the breach.

This isn’t the first time Automattic has found itself in the crosshairs. In March, the company was the target of a large denial of service attack. WordPress installations hosted on infrastructure managed by Network Solutions were also the target of attacks in April 2010 that redirected thousands of WordPress blogs to malware-laden drive-by download Web sites.

Posted in Kaspersky


Analysis of the New Adobe Flash Attacks

When Adobe warned customers earlier this week about a newly discovered vulnerability in the Flash Player software, company officials said that there were already attacks underway against the bug. Those attacks use malicious Flash files buried in Word documents, and Microsoft’s security engineers have analyzed the exploits and found some interesting details.

This is the second serious Flash vulnerability in recent weeks that attackers have targeted through the use of malicious Office files. In a previous round of attacks, hackers were going after an earlier Flash zero day with rigged Excel files. This time, Microsoft officials said, not only is the bug different, but so is the attack. Though both attacks use malicious Office files to trick users, the details are dissimilar.

The attack presents to the user via a spam message, often with a subject line referencing the Fukushima nuclear disaster, and carrying a malicious Word document as an attachment.

“Once a user opens the document, Flash Player will load the malicious file and exploitation will occur. Unlike the previous vulnerability, a bug in the ActionScript Virtual Machine version 1 is now used in the exploitation process. Another difference is that this is not a result of fuzzing clean files. We won’t disclose any detail on what triggers the vulnerability, for security reasons, obviously,” Marian Radu, Daniel Radu and Jaime Wong of the Microsoft Malware Protection Center wrote in an analysis of the Flash exploit attempts.

“In order to exploit this vulnerability the attackers packaged the AVM1 code inside an AVM2 based Flash file. The latter is embedded inside the Word document and assigned with setting up the exploitation environment. Initially the AVM2 code constructs a heap-spray buffer made of a NOP-sled.”

The next step is the construction of the shellcode, which in turn then loads the Flash exploit code inside the Flash Player.

“The AVM1 code that triggers this vulnerability is loaded as a separate SWF file, converted from a hex-encoded embedded string and executed,” the researchers said.

The shellcode performs some other tasks, as well, including installing a benign Word document on the compromised machine as a way of hiding the original malicious file.

This attack method is essentially the one that the attackers used to compromise RSA last month and steal some data related to the company’s SecurID product line.

Posted in Kaspersky

The Random Information Security Job Title Generator

There is a surprising number of title variations among people who work in the field that I call “information security.” I browsed through various job-search sites to get a feel for the more frequently-seen titles and created a random information security job title generator. Just for fun.

The titles I encountered were generally a permutation of the following terms:

This word set can produce over 6,000 titles such as:

  • Senior Security Systems Architect
  • Principal Application Security Operations Engineer
  • Chief Information Security Manager
  • Enterprise Risk Consultant
  • Information Security Program Officer

Not all word combinations make sense, but you get the idea. I used a subset of these words to create the random information security job title generator. It can produce a couple of thousand titles, displaying 8 of them at a time.

Have you seen any other words used in “information security” titles? Have you encountered any weird ones in the wild? Leave a comment.

— Lenny Zeltser

Posted in Security

VLC Media Player 1.1.9 closes security holes

Another popular and widely used piece of software receives an update to eliminate security vulnerabilities today: the media player VLC has been released in version 1.1.9. In older versions, cyber crooks could smuggle in malware such as Trojans by getting potential victims to play specially crafted S3M (mod tracker) music files or manipulated MP4 files. As VLC also comes with a plug-in for web browsers, this was possible simply by visiting a hacked web site, for example.

Users of VLC media player should install the new version immediately! It can be downloaded from the project homepage.

Dirk Knop
Technical Editor

Posted in Avira

Email Security After the Epsilon Incident

There has been a lot of talk in the security industry surrounding the recent data breach experienced by database marketing vendor Epsilon. As detailed in the reports, the company’s email system was broken into, enabling the attacker to obtain information such as names and email addresses associated with Epsilon’s customers. Trend Micro Researcher Rik Ferguson listed a number of the affected customers in his CounterMeasures blog entry here.

Last year, I talked about how users are not fully aware of the consequences of getting their email account compromised, as well as how such instances could lead to information and identity theft, and I think that the points I raised then are things that users — especially those affected by the breach — should fully understand. While this breach exposed email addresses but not user passwords, a number of risks still exist.

In many ways, our email account is like the backbone of our online profile. Regardless of how much we favor social media in terms of communicating (as opposed to email), most if not all social media channels require users to sign up using an email account before being able to communicate at all. More importantly, transactions related to online banking, online shopping, and booking for flights or hotel accommodations are all dependent on the user having a valid email account to which important information can be sent. Needless to say, email accounts contain valuable and personal information and should be secured appropriately.

Now, considering the nature of the information exposed by the breach, its effect is quite comparable to an attacker getting a sneak peek at the contents of users’ inboxes. While the attacker is not able to directly access the victims’ email accounts, they do know some of the types of email the users typically receive (in relation to whichever Epsilon customer the user is associated with). This places the affected users at greater risk of being victimized by many known web threats such as spear phishing and spam attacks.

Under such circumstances, users — whether affected by the breach or not — are strongly recommended to take action and apply means to secure their email addresses as soon as possible. Steps to do so may include:

  • Make sure you don’t use publicly available information in the password-recovery process of your email provider — it was mentioned that “only” names and email addresses were acquired by the attackers during the breach. However, this may not stop them from trying to break into the email addresses through different means, one of the likely means being the password-recovery process.
  • Do not reuse passwords for different accounts, be they email, social networks or anything else — in relation to the first tip, if an attacker is successfully able to break into the user’s email account, the attacker may try to use the credentials to log into other accounts such as social networks, in the hope of accessing them as well.
  • Make sure your password is complex enough to prevent casual brute-forcing, and change it regularly — using brute-force attacks to break into accounts is a technique commonly used by criminals. Thus, using fairly complex passwords can provide added protection and prevent attackers from easily breaking into users’ accounts.
  • Be extra cautious of email messages asking to click links or confirm personal information. Phishing attacks, in particular the email components, are crafted to make them appear legitimate and to persuade you to follow their instructions. A better alternative is to go directly to a trusted website and conduct your business there.
  • Use a password manager to store passwords securely. This has the additional benefit of allowing you to use extremely complex passwords with all sorts of random letters, numbers and symbols that you might not be able to memorize.

Most importantly, users should always follow online behavior best practices. Bear in mind that similar threats are out there and are likely to appear again. It is just when we think everything is safe that we may fall victim to yet another malicious scheme.

Post from: TrendLabs | Malware Blog – by Trend Micro

Posted in Trendmicro
