Security Blogs

Strong passwords: deja vu all over again

I was at the CFET conference in Canterbury last week, then took a weekend off – quite a novelty… That's the city of Canterbury in the UK, by the way, not the region in New Zealand. (By the way, the papers I presented there will be available shortly.) Coming back to the office after a few ... Read More.

Privacy is not in the Cards

I decided to download the card game Solitaire (by ZenTech Labs) on my Android based phone. Being a free app it is paid for by advertising. When you play the game there is always a banner ad at the bottom of the screen. One of the ads caught my eye. It said “Leslie2088 is .7 ... Read More.

Earthquake in New Zealand likely to bring cybershocks

[UPDATE #1 at 12:15PM: Added more information about location of earthquake and prior scams. AG] We have just heard about the early September 4 (Saturday morning) earthquake near Christchurch, New Zealand, currently estimated at a Richter magnitude of 7.4. Our New Zealand distributor in Auckland is unaffected, but communications with the area are difficult. As with any tragedy ... Read More.

How Do You Find 200,000 Unique Samples a Day?

I recently received a couple of questions about signatures from a reader. 1- You said that ESET receives around 200000 unique malware samples daily, so does ESET detect most of them or detect only the malwares that their signatures are listed here: http://www.eset.com/threat-center/threatsense-updates ? 2- Nowadays why signatures are written? Are they written to detect malwares initially, ... Read More.

Email Scam Resource

Yesterday I came across a nice governmental resource at On Guard Online, listing some common email scams. Security gurus might not learn a lot from it, but as @SecurityGarden has pointed out, it's a good place to steer your less knowledgeable friends and family. The same site has a number of other useful-looking pages, though I ... Read More.

MotoSpeak and Sing and Run Random Apps?

In addition to recently getting a Droid 2, I purchased a Motorola H17txt Bluetooth headset. When used with a Blackberry or an Android based phone you can download and install an application called MotoSpeak that will read text messages and emails through the H17TXT. Before you go looking for such a headset be warned, there ... Read More.

x64 TDL3 rootkit - follow up

We have already written in a previous blog post about the new TDL3 rootkit able to hit 64 bit Windows operating systems. We will try to check more in depth how it is actually working.

The dropper is being dropped by usual crack and porn websites, but we soon expect to see it dropped by exploit kits too, as happened to current TDL3 infections.

As already written in the first blog post, the dropper uses two different infection techniques. If the system is a 32 bit build of Windows, the dropper will use the common technique already used by old TDL3 rootkit, by loading its driver through AddPrintProvidor API trick. After the driver is loaded, the rootkit will overwrite the master boot record with its own code.

If the system is a 64 bit build of Windows, the dropper is not able to load its own unsigned driver because of Windows security checks. The dropper needs to get its driver loaded by using the MBR trick. As said in the previous blog post, the dropper infects the drive's MBR and immediately reboot the system to get its code loaded at the following system startup.

The dropper is using a non conventional - though well known - way to patch the drive's master boot record. It opens an handle to PhysicalDrive0 and then overwrites the MBR by using SCSI commands. It make uses of IOCTL_SCSI_PASS_THROUGH_DIRECT command, well documented by Microsoft in its MSDN.

After the MBR has been overwritten, the rootkit needs to immediately restart the system. To do so, it needs SeShutdownPrivilege privilege before calling ExitWindowsEx API. So it sets up the specified privilege by calling RtlAdjustPrivilege API exported by ntdll.dll and then calls ExitWindowsEx API using EWX_REBOOT | EWX_FORCEIFHUNG parameters to immediately reboot the system.

On both 32 and 64 bit builds the dropper stores all the other components of the infection inside last unused sections of the hard drive. These components will be then called at next system restart.

After the system is restarted, the new MBR installed by the rootkit is executed. Before it could start its own payload, it decrypts itself with a simple ROR loop. After the MBR has been decrypted, the code flow is passed to one of the infection components that is named ldr16.

Ldr16 is a small 16bit loader used by the rootkit to intercept Windows startup routine and patch configuration data so that it can disable driver signing and load the rootkit driver loader in the system. To intercept disk I/O ldr16 hooks int 13h handler by alterating the Interrupt Vector Table. The old handler is stored in a variable for later use and the new hook function is stored in the IVT.

Ldr16 is then responsible to run the right rootkit driver loader by looking at what operating system build is being loaded. In fact the rootkit stores both ldr32 and ldr64 loaders at the end of the hard drive. Ldr16 choices then ldr32 or ldr64 by looking at what Windows build is being loaded.

To detect whether 32 or 64 bit build of Windows is installed, the ldr16 code checks PE files header, looking at the NT header OptionalHeader's Magic value. If it is IMAGE_NT_OPTIONAL_HDR32_MAGIC, then ldr32 loader will be loaded, otherwise it will load ldr64 loader.

Both loaders are responsible to load the real rootkit driver - drv32 or drv64, stored at the end of the hard drive - in the system by using an unconventional way. They manually allocate kernel memory needed to store the specific driver code and set up all the stuff before calling IoCreateDriver kernel API.

The driver is now loaded, bypassing signature check and bypassing by design Microsoft PatchGuard (KPP). The main rootkit driver code itself is not changed too much from the last 3.273 build we saw months ago. It alterates disk I/O by injecting itself in the disk drivers's chain. We already explained the technique used by the rootkit in a blog post we published last year. Since that blog post, we didn't see any major change, just minor code changes. It is possible to spot the infection by analyzing disk drivers's stack. This technique always detected TDL3 infection in the system.

MBR code is filtered by the advanced rootkit disk I/O filtering engine. This is the only real MBR code self-defense at the moment.

Besides this, the rootkit has a user mode component too, injected inside user mode processes by the kernel mode driver. The driver sets up a load image notify routine to intercept every process which loads kernel32.dll module. If so, the driver injects the user mode infection component inside that process. The infection component is called cmd.dll.

The same applies to 64 bit builds of Windows. The rootkit driver sets up the same load image notify routine and inject its 64 bit compatible user mode dll component.

The user mode component analyze the process, by looking if any hook is found in one of following libraries: kernel32, mswsock, ws2_32, wsock32, dnsapi, wininet. Every hook found is deleted and original code is restored. Then, the tdl3 module hooks ZwProtectVirtualMemory, ZwWriteVirtualMemory and KiUserExceptionDispatcher native API from ntdll.dll.

As already written in previous blog posts, this user mode component is able to poison search requests inside browser processes, redirect websites and communicate to remote C&C server.

If this release of TDL3 rootkit x64-compatible will spread as the older TDL3 rootkit, there are no doubts it will quickly become a serious threat. The doors to the heart of 64 bit are officially opened. If MBR patching technique was only one among many infection techniques used by rootkits to infect 32 bit builds of Windows operating systems, it will probably become the most used way to hit 64 bit builds of Windows.

Transition period from 32 bit to 64 bit operating systems is started years ago. Malware development is tightly following it. They of course don't wanna get caught unprepared.

On a side note: the dropper won't infect the system if it runs in a limited account or in an account with UAC activated. Does social engineering ring a bell?

TDL3 rootkit x64 goes in the wild

It took some time but now x64 Windows operating systems are officially the new target of rootkits.

We talked about TDL3 rootkit some months ago as the most advanced rootkit ever seen in the wild. Well, the last version of TDL3 was released months ago and documented as build 3.273. After that, no updates have been released to the rootkit driver. This was pretty suspicious, more so if you've been used to seeing rebuild versions of TDL3 rootkit every few days to defeat security software.

Obviously, the rootkit was stable and it is currently running without any major bug on every 32 bit Windows operating system. Still though, the dropper needed administrator rights to install the infection in the system. Anyway, the team behind TDL3 rootkit was just too quiet to not expect something new.

They actually built a nice gift for every security vendor, because TDL3 has been updated and this time this is a major update; the rootkit is now able to infect 64 bit versions of Microsoft Windows operating system.

Why this is a worrying and important news? x64 versions of Windows are considered much more secure than their respective 32 bit versions because of some advanced security features which are intended to make it more difficult getting into kernel mode and hooking the Windows's kernel.

Windows Vista 64 bit and Windows 7 64 don't allow every driver to get into kernel memory region due to a very strict digital signature check. If the driver has not been digitally signed, Windows won't allow it to be loaded. This first technique allowed Windows to block every kernel mode rootkit from being loaded, because malwares aren't usually signed - at least, they shouldn't be.

The second technique used by Microsoft Windows to prevent kernel mode drivers from alterating Windows kernel behavior is the infamous Kernel Patch Protection, also known as PatchGuard. This security routine blocks every kernel mode driver from alterating sensitive areas of the Windows kernel - e.g. SSDT, IDT, kernel code.

These two techniques combined together allowed x64 versions of Microsoft Windows to be much better protected against kernel mode rootkits.

The first attempts of breaking this Windows security had been run by Whistler bootkit, a framework bootkit sold in the underground and able to infect both x86 and x64 versions of Microsoft Windows.

But this TDL3 release can be considered as the first x64 compatible kernel mode rootkit infection in the wild. Our Prevx community spotted the infecting dropper more than 9 days ago and we are now seeing new samples reported every day. This means the infection is spreading on the web, by using both porn websites and exploit kits.

Speaking about the infection itself, we are still analyzing the infection. Though at first glance we don't feel it could be considered as a brand new TDL3.

It looks like someone got TDL3 sources and added bootkit infection to it. This is because the TDL3 rootkit is now targetting the Master Boot Record, as MBR rootkit did years ago and as Whistler Bootkit is currently doing.

To bypass both Kernel Patch Protection and Driver Signature verification, the rootkit is patching the hard drive's master boot record so that it can intercept Windows startup routines, owns it, and load its driver. Both Windows security mechanisms are bypassed.

While on x86 versions of Windows it doesn't need to immediately restart the system because it can load the driver as it wants, on x64 versions the infection steps are different.

The rootkit needs administrative privileges to infect the Master Boot Record. Even then, it still cannot load its own 64 bit compatible driver because of Windows's kernel security. So, the dropper forces Windows to immediately restart. This way, the patched MBR can do the dirty work. The infected MBR code itself is encrypted by using a simple ROR loop.

Even the rootkit build version changed from 3.273 to 0.02. It looks like a beta build. We say this because from our first internal tests, the rootkit didn't always fully work.

Our current idea is that TDL3 sources could have been sold and the new team who owns them has started adapting the rootkit to x64 platform by adding to it a bootkit infection technique already showed by Whistler bootkit and Stoned v2 bootkit.

What is more important is that with this new TDL3 release a new era is officially dawned; the era of x64 rootkits. How this develops, we're not sure.

We will keep you updated as soon as we have more informations. In-depth analysis is undergoing.

An old-new 0day Windows flaw on the horizon?

Looks like there are clouds on the horizon. Another new 0day flaw has been discovered after the last one related to Windows Shell which Microsoft fixed this month. At least this is what we can read from some articles that are quickly spreading on the web.

From what we can read looks like this vulnerability allows an attacker to execute arbitrary code by forcing some applications loading malicious files. We currently aren't aware of any more detail about this flaw, and looks like Rapid7 company is going to release further details about it during next week. So we could just do some speculation about this 0day flaw.

The article explains that Apple iTunes software was vulnerable to such flaw and it has been fixed by Apple. It's enough to read Apple security bulletin to realize that this kind of 0day attack maybe is not all that new.

Apple security bulletin writes:

A path searching issue exists in iTunes. iTunes will search for a specific DLL in the current working directory. If someone places a maliciously crafted file with a specific name in a directory, opening another file in that directory in iTunes may lead to arbitrary code execution. This issue is addressed by removing the code that uses the DLL

This reminds me so much an old injection trick used by malware since years. The key word looks like is: Dynamic-Link Library Search Order.

What we are talking about? When an application tries to load a specific module into the address space of the calling process, it usually uses the Windows APIs LoadLibrary / LoadLibraryEx - at least if you want to follow the documented way.

One of the parameters accepted by these APIs is the path to the library that is wanted to be loaded. If the developer just specifies module name without a path, the operating system starts searching this module by looking in a number of known paths.

This list of known paths is called Dynamic-Link Library Search Order, and it is clearly documented on Microsoft's MSDN. The list depends on the operating system settings, anyway the most common is the one below:

- The directory from which the application loaded.

- The system directory. Use the GetSystemDirectory function to get the path of this directory.

- The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.

- The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.

- The current directory.

- The directories that are listed in the PATH environment variable.

So, if the application is loading a module by specifying only its name, the operating system at first check if the wanted module is a known module (they are listed inside KnownDLLs registry key). If not, it starts looking at each one of the paths listed above, starting from the first till the last.

For instance, if the module is found in the directory from which the application loaded, Windows stops the search and loads this module.

Now, it should become clear how this Windows feature could be abused by malicious attackers.

While it could be questionable the implementation of such search order, I don't think it's a Windows operating system problem itself. The logic behind runtime module loading is well documented by Microsoft and explained on MSDN. Moreover, both search order and LoadLibrary/LoadLibraryEx functions are well documented. This become then a problem of software developers, whether they decided to follow Microsoft's development guidelines or not. Actually this Windows behavior has been exploited since years by malwares and it has been discussed online many times.

We actually don't know if this is the flaw discussed in the article, we only know that it would be in case an old-new 0day flaw.

But, again,it's only speculation. We have just to wait for someone releasing more details about it.

Isolated first worm using LNK vulnerability

It was just a matter of time, everyone here at Prevx was expecting this. Too much noise around the Microsoft 0-day flaw allowed malware writers to use it as another way to spread malware . First the public proof of concept published by french security expert Ivanlef0u, then the module added to the metasploit project. Everything was just too ready to not be (ab)used by malware writers.

Early today we have isolated a new variant of Autorun worm, detected as Autorun:Worm-LNK and able to spread through USB removable storage devices by using LNK vulnerability. After the system has been infected, this malware is able to drop to every plugged USB removable storage device various LNK exploit files along with its executable files.

The first problem when using LNK exploit is that the crafted LNK shortcut file must point to the exact path where the malware file is located. This is the only way to get it working. This could be a problem, because the drive letter assigned to the plugged USB removable storage device is different on every PC. The malware tries to fix this problem by dropping more LNK crafted files on the infected USB removable storage device, each one of them pointing to a different drive letter - i.e. from D: to J:. Then, the executable file that should be called is put in the drive root directory. It is a kind of bruteforce attempt to guess the exact drive letter where the USB removable storage device is mapped to. Moreover, the malware still uses the old autorun.inf trick, which is, sadly, still effective.

Signature detection for LNK flaw is still unreliable, as the malware newly generated LNK files are recognized on VirusTotal by only 5 vendors out of 41. Writing generic detection signatures for this exploit could easily cause false positives, being it a design flaw and not a code flaw.

We expect to see more malwares using this technique, even because this flaw is working on every version of Windows operating system, from Windows 2000 to Windows 7, both x86 and x64. Users running Windows 2000, Windows XP, Windows XP Service Pack 1 and Windows XP Service Pack 2 must be more careful, as they will not receive security updates from Microsoft because these operating systems are out of support.

The best workaround at the moment is disabling the displaying of icons for LNK and PIF shortcuts, as reported by Microsoft in its security advisor. Microsoft released a Fix-It tool able to automatically apply this workaround until the company releases an official patch - we hope as fast as possible, because malware writers already started playing with this flaw.

This variant of Autorun worm is actually spreading very quickly, we are receiving reports of it almost constantly from Prevx community since yesterday morning.

Prevx already detects, blocks and cleans this malware infection from the infected PC.

0-day flaw discovered in Microsoft Windows

The nightmare of infected USB pen drives is back. Until now the source of infections was the Autorun feature embedded in Windows. Now the problem resides in a Windows flaw (or feature?) when handling LNK shortcut files.

When some years ago new worms started using the autorun feature to spread themselves through USB removable devices, they became a serious problem because every Windows operating system had the autorun feature enabled.

This is still a security flaw, because a lot of Windows XP systems still have this feature enabled, while in the last Windows 7 the feature has been disabled by default. Microsoft chose to follow this path to protect their customers from this vehicle of infections.

This is one of the techniques the Conficker worm used to spread inside a companies's LAN, where USB devices are often used by employees to share data. Sadly, a lot of machines are still unprotected from this kind of attack. It is enough to plug the infected device on the machine and leave the autorun feature doing the rest, executing the malware.

Disabling the Autorun feature is a good security choice, but is it enough to stop malware from being executed without user interaction?

This is not the case, because a new Windows security 0-day flaw has been discovered that is able to execute malware without user interaction. The flaw, that looks like it has been used on some targeted attacks against Siemens WinCC SCADA systems, allows malware to get executed through a malformed (?) shortcut LNK file.

The flaw, first discovered by our colleagues at VirusBlokAda Ltd. security company, has been reported to Microsoft who have released security advisor 2286198, addressing this security flaw. The flaw is still being analyzed.

The flaw is triggered by just surfing to the directory where the malformed lnk shortcut file is present. It is enough to surf the directory from within Windows Explorer or with any other file manager. The flaw is triggered and the file is linked by the shortcut and automatically loaded into memory.

If you are wondering why I've put some question marks near the malformed and feature words, I'm going to explain the reason.

After our initial analysis, it looks like the flaw is not exploiting any coding error. There is no buffer/heap overflow, null-pointer dereference or use-after-free errors that you would usually expect from a 0-day flaw. It is just exploiting a feature used in Windows to handle some kind of libraries, and it is actively used more times inside Windows internals.

This allow us to think it is more a feature that has not been correctly hardened and it has been abused than a security bug. In fact, this behavior has probably been discovered by attackers while monitoring Windows behaviors when loading specified libraries, because it is easily reproducible.

I'm not allowed to disclose further details about the vulnerability, we have just to wait for Microsoft releasing a security update to patch this issue.

Microsoft, as said before, has released a security advisor to address this security flaw. In the security advisor there are some workarounds that should be really applied by everyone to protect their systems from this attack, by disabling the displaying of icons for shortcuts and disabling WebDAV. The flaw affects every Windows operating system from Windows XP to Windows 7.

Link to the security advisor is the following: Security Advisor 2286198

We will post further updates as soon as we have them.

Facebook Spam Worm Links to "Mobile Entertainment"

The survey spam worm that spread across Facebook yesterday was posted to profile Walls "via Mobile Web".

In here the lab, we're always interested in all things mobile, so we took another look at All Facebook's post. In an update, they show that the spam was also spreading via messages.

And there is a link visible in the screenshot pointing to artcentertransportation.com:

That site is registered to a "Jane Doe" and is hosted in the USA by Dynamic Dolphin. Visiting the URL from Finland simply redirects to another site called Wixawin (via tracklead.net) which offers "Mobile Entertainment". And what kind of entertainment do they offer?

The kind that could cost you upwards of 17.50 per month in subscription fees.

This is what you'll see if you attempt to visit Wixawin with our Mobile Security Browsing Protection enabled.

The affiliate ID that appears to be behind much of this mischief is: "affiliateid=WANE". Perhaps the spam was being posted via Mobile Web so that it included the necessary referrer?

In any case, let's hope that the affiliate network revokes whatever leads this spammer may have made.

On 07/09/10 At 11:59 AM

New Spam Worm on Facebook

A clever spammer has discovered a Facebook vulnerability that allows for auto-replicating links. Until now, typical Facebook spam has required the use of some social engineering to spread.

But clicking on any of these application spam links is enough to "share" the application to the user's Wall.

See the search results below:

Note that each of search results were posted "via Mobile Web", which suggests that a common bug is being exploited. Or perhaps the spammer is posting via m.facebook as it's generally more responsive than the main site.

It's also interesting that the application links seem almost polymorphic or Captcha-like.

All of the links that we tested resulted in a page not found, so Facebook appears to have halted the worm's progress.

Tip hat to All Facebook, read more here.

On 06/09/10 At 11:46 PM

Fake Passports

In today's episode of What Can You Find On the Web, we give you an online store for purchasing fake passports that we ran into.

Prices of these range from $650 to $1000. They don't seem to (yet?) offer passports with embedded RFID chips.

Some screenshots:

On 06/09/10 At 02:20 PM

Twitter Spam and the OAuthcalypse

Twitter discontinued support for basic user authentication in third-party applications yesterday morning.

Good. It's always best to never share your password with a third-party. Even if you trust them, their database could be compromised, and your password along with it. The discontinuation of basic user authentication also removes the vector of brute force password attacks via Twiter's API.

All third-party applications must now use Twitter's OAuth.

So, that being the case… we have a feature request.

The other day, we came across some Twitter spam using a bit.ly link that pointed to an application called "Lady Gaga photos".

If you "Allow" the application, two things will happen: the account tweets spam and follows two new accounts (emoboyxx3 and BoyGeorge).

We don't suspect Boy George is behind this…

Okay, so it's a spam application. Time to visit Settings/Connections and revoke its access.

And here's our feature request, we want a "Revoke Access and report as a spam application" as well as the "Revoke Access" option.

Cheers!

On 01/09/10 At 03:36 PM

When do 258 tweets equal nearly half a million dollars?

Wikipedia's affiliate marketing entry includes the following sentence: "Although many affiliate programs have terms of service that contain rules against spam, this marketing method has historically proven to attract abuse from spammers."

This is very true — affiliate marketing methods definitely attract abuse from spammers.

Our recent posts on Facebook and YouTube spam linked to cost per action (CPA) affiliate networks. We've come across affiliates from several CPA incentive networks while investing social networking spam, and one of the more interesting companies that we frequently see abused is CPAlead.com.

CPAlead claims to be to be one of the largest affiliate networks with nearly 11 thousand members in its Facebook Group. They also have an interesting Twitter profile that lists their daily top earners.

They've tweeted 258 times since June 18th and the total amount of daily top earnings is $485,188.34.

There were 281+ thousand leads (completed surveys) and 3.7+ million clicks. That's a 7.5% conversion rate for the top earners.

With numbers such as that… there's little wonder why spammers are attracted.

On 31/08/10 At 09:44 PM

Phishing Attempt Alert!

Someone has been trying to pose as us again, and is sending out an e-mail that looks like this:

From: Account Support
Date: Saturday, August 28, 2010 4:33 AM 
To: none
Subject: Account Alert!!!

An HTK4S virus has been detected in your Email Account, and your email account has to be upgraded immediately to our new F-Secure HTK4S anti-virus/anti-Spam version 2010 to prevent damage to the email and important files in your email account. You are therefore required fill the columns below to enable us verify your email account or your email account will be suspended temporarily from our services. 

Username:
Password:
Date of Birth:
Telephone Number: 

Copyright© Customer Care Center 2010 All Rights Reserved.

You can safely ignore that e-mail and please do not reply with the requested details. We don't have a product called F-Secure HTK4S anti-virus/anti-Spam, and we certainly wouldn't let such a badly written e-mail to be sent out to customers.

On 30/08/10 At 04:13 AM

Fake Flash Update Needs Flash to Work

By Andrew Brandt If you live in the US, you may have played sports, barbequed, or enjoyed the last long weekend of the summer outside doing something fun outdoors. Unfortunately, that wasn’t an option here in Boulder, where a large wildfire generated a thick plume of smoke and ash. So, what’s a malware analyst to [...]

PHP Backdoor Has Another Backdoor Inside

By Andrew Brandt Is there no honor among thieves anymore? The other day I was looking at a remote access Trojan written in the PHP scripting language. The bot loads into memory on a victim’s computer when an unsuspecting user, for example, stumbles upon an iframe pointing to the PHP script embedded in a Web [...]

Pro-Israel Website Receives Passwords Stolen by Koobface

By Andrew Brandt Is the team behind the Koobface worm taking a stance on the Israeli-Palestinian peace talks, or is this notorious worm’s most recent, bizarre twist just a coincidence? We’ve seen Koobface hijack legitimate Web sites for more than a year, using them not only to host malicious payload files, but also to work [...]

A Cave Monster from Hell Wants Your Financial Data

By Andrew Brandt A novel and pretty sneaky Trojan designed to steal financial data appeared on our radar screen last week. The Trojan, once installed on a victim’s computer, rootkits itself to prevent detection, then watches the victim’s browser for any attempt to connect to the secured, HTTPS login page of several online banks. When [...]

Subscription Renewal Spam Points to Drive-by

By Andrew Brandt Dear Customers: Please be aware that a crew of Russian malware distributors are circulating a spam message which looks like a subscription renewal confirmation from Best Buy, allegedly for one of our products. The linked text in the message, however, leads to a Web site which performs a drive-by download. Please don’t [...]

Blackhat SEO of Google Images Links to Rogue AV

By Andrew Brandt Yesterday, a few of the Threat Research folks and I had a little fun playing with a hack that had, for one day at least, pretty much decimated Google’s Image Search feature. One researcher, who stumbled into the attack purely by chance, found that a Google Images link to a map of [...]

Attackers Exploiting New Acrobat/Reader Flaw

Adobe warned today that hackers appear to be exploiting a previously unknown security hole in its PDF Reader and Acrobat programs. In an advisory published Wednesday, Adobe said a critical vulnerability exists in Acrobat and Reader versions 9.3.4 and earlier, and that there are reports that this critical vulnerability is being actively exploited in the [...]

Revisiting Secunia’s Personal Software Inspector

Security vulnerability research firm Secunia has released a public beta of its Personal Software Inspector tool, a program designed to help Microsoft Windows users keep their heads above water with the torrent of security updates for third-party applications. The new beta version includes the promised auto-update feature that can automatically apply the latest patches for a growing number of widely-used programs.

VISA Blocks ePassporte

Company owner Christopher Mallick broke the news to ePassporte customers in an e-mail sent Thursday, saying Visa International had suspended the company's ePassporte Visa program, which is processed through St. Kitts Nevis Anguilla National Bank.

Toward a Culture of Security Measurement

"Our dependence on all things cyber as a society is now inestimably irreversible and irreversibly inestimable."Yeah, I had to re-read that line a few times, too. Which is probably why I've put off posting a note here about the article from which the above quote was taken, a thought-provoking essay in the Harvard National Security Journal by Dan Geer, chief information security philosopher officer for In-Q-Tel, the not-for-profit venture capital arm of the Central Intelligence Agency.

Cyber Thieves Steal Nearly $1,000,000 from University of Virginia College

Cyber crooks stole just shy of $1 million from a satellite campus of The University of Virginia last week, KrebsOnSecurity has learned.

MS Fix Shores Up Security for Windows Users

Microsoft has released a point-and-click tool to help protect Windows users from a broad class of security threats that stem from a mix of insecure default behaviors in Windows and poorly written third-party applications.

Adobe Reader zero-day attack – now with stolen certificate

Today Adobe put out an advisory for a previously unknown zero-day in its PDF Reader/Acrobat software.
This vulnerability is actively being exploited in the wild.

The exploit is pretty basic. What’s interesting about it is that it makes use of Return Oriented Programming to bypass the ASLR and DEP mitigation technologies in Windows Vista and 7.

More widespread usage of ROP for exploits is something I’ve been expecting for a while. Why? Because Windows 7 is gaining more and more traction in both the consumer and corporate space.

While most malicious PDFs download their payload, this time the PDF has malicious content embedded. The PDF drops an executable into the %temp% directory and tries to execute it.

The file it drops is digitally signed with a valid signature from a US-based Credit Union!

Take a close look at the screenshots and you'll see that not only is the certificate valid, but it really does belong to Vantage Credit Union. This means that the cybercriminals must have got their hands on the private certificate. Remind you of anything? If you say Stuxnet (where compromised Realtek and JMicron certificates were used to sign files) then we're clearly thinking on the same lines.

It'll be interesting to see if Stuxnet has started a trend or if these cases are just a flukey coincidence. I suspect they're not - I think the use of valid, stolen certificates to sign malware will really take off in 2011.

Both Verisign and Vantage Credit Union have been notified so that they can take action.

Android SMS Trojan Now Being Delivered via SEO Techniques

Android users searching for pornography on their smart phones could be in for a costly surprise.

During the course of researching the origin for the first SMS Trojan for Android devices, I found a new Android package masquerading as a porn media player but which instead sends SMS messages to premium rate numbers.

The SMS messages cost $6 each and are sent silently in the background without the user's knowledge.

The latest Android malware (detected as Trojan-SMS.AndroidOS.FakePlayer.b) is being distributed via clever search engine optimization (SEO) techniques, a clear sign that cyber-criminals are making every effort to infect mobile devices. The use of SEO is a significant development that confirms our belief that mobile malware - especially on Android devices - is a potentially lucrative business for malicious hackers.

A Web Defacer Turns to $$ Spam Fraud

Cyber-criminals in Brazil and the wider
Latin America region almost always use social engineering tricks to
launch attacks. Sometimes, they send fake bank e-mails or
e-mails from popular Internet services. The e-mail databases of the
potential victims are being compiled based on the stolen e-mail
addresses from the infected machines and particularly from the
addresses stored in e-mail clients.

Once the e-mail addresses are compiled, the fraudsters use several
external tools like PHP shells on hacked Web servers.

During my daily analysis, I found an interesting shell for mass
mailing. The code shows it was developed locally in Brazil:

By editing the original PHP code, the criminal can fake the
"original headers" of the messages they
send. Very interesting.

Now let’s check the original IP address of the mentioned
domain:

As you see in this case, the criminals are sending fake e-mails using
the identity of IG (www.ig.com.br) a very popular Internet resource in
Brazil. They fake the mailer, the original IP address and even the Spam
scoring. So, there is a big probability this e-mail will be delivered
usefully to the victim, bypassing anti-spam filters. Even the
most experienced IT people can be tricked into believing that the
message came from IG.

During analysis of the code, I discovered another interesting bit of
information related to the shell. The server was hacked by a famous
defacer from Brazil (name withheld during this investigation) who is
quiet active and notorious around the world. On
September 7th alone, he/she defaced 42 different domains.

In the past, we’ve seen Web defacers act with only with
political motivation. That has now changed. The Web defacers are being
used by the online money gangs as a part of outsourced services.

Twitter XSS in the wild

A new Twitter XSS exploit was identified in the wild as it started to be used by cybercriminals overnight.

The malicious JavaScript payload that's being distributed is rather simple. It uses an XSS (Cross-Site Scripting) vulnerability to steal the cookie of the Twitter user, which is transferred to two specific servers. Essentially, any account which clicked on the malicious links is compromised.

But how many people clicked the link? The bit.ly statistics for one of the malicious links are more than worrying, showing an alarming number: more than 100.000.

All clues point to Brazil as the originating country for this attack. First, the 2 domain names used to get the stolen cookies are registered under Brazilian names. More than that, one of them is actually also hosted in Brazil. Last, but not least, just take a look at the tweet used in distributing this malicious payload:

Pe Lanza da banda Restart sofre acidente tragico - it's a short tweet in Portugese about the Brazilian pop band Restart suffering a "tragic accident". I'd say there's not much doubt about the origins of this attack.

We've added detection for the malicious scripts as Exploit.JS.Twetti.a and also made sure the URLs used in this attack are blacklisted. We are currently working on taking down the malicious URLs and minimizing the damage as much as possible. Twitter along with other significant industry peers have of course been notified.

UPDATE: Twitter has confirmed the vulnerability is fixed now.

The Winlock numbers, the Winlock laws

While Eugene’s busy taking bets (wonder how much he’s going to make?), I’ve been having a think about the Winlock case.

Russian law enforcement is estimating that the bad guys could have raked in as much as $1 billion. While it’s difficult to be certain about the exact amounts involved (obviously they spread their money across a lot of different accounts to avoid attracting attention), a little bit of simple math makes me think this figure isn’t as crazy as it might sound.

Our statistical analysis tells us there could be around a million people who’ve been infected. 10 cybercriminals, each getting a cut of a ransom between $10 and $30 - even though they were paying out $3 per infection to the people willing to spread this malware, the numbers add up pretty quickly.

Understanding Current Trends in the Fake Anti-Virus/Scareware Ecosystem

The cyber-criminal groups behind fake anti-virus (scareware/rogueware) infections have run into some significant roadblocks over the last few years, but there is much more to the overall story.

Some groups have been arrested. Some have had their operations and entire call support centers
shut down.

Some groups attracted too much attention, picked off
the low hanging fruit and eventually walked away from their botnets.

In some cases, the groups just weren't very skilled
at developing anti-anti-malware techniques, blackhat SEO, and malware distribution. They couldn't keep up with the changes in anti-malware technologies,
weren't exactly dedicated to the effort, and simply fell off the map.

However, some of the remaining scareware distribution gangs upped the ante and are aggressively developing difficult-to-detect polymorphic installers and difficult-to-remove support components. And the newest of these malware components include some of the first ITW 64-bit malware components to be taken seriously. But, for the most part, the scareware program itself remains the same. The development continues to change and progress, all for the purpose of evading anti-malware solutions and helping coerce the end-user to pay for the fake product, including support/rootkit components like TDSS (and its extreme complexities) or the more recent Black Internet (also known as "Trojan-Clicker.Win32.Cycler") support/rootkit components. These complex Mbr infectors and other rootkit components meant to maintain money-making scareware on the system are signs of this somewhat extreme development effort.

visit feedkiller and make your own rss merged feed.

feedkiller.com is a free tool that allows you to merge rss feeds into your own rss mix made up of your favorite feeds.