Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Wednesday, December 23, 2009

12 Things Computer Users Should Fear in 2010

From: http://debtconsolidation.topnewsdigest.com/2009/12/12-things-computer-users-should-fear-in-2010/

About once a year, computer security news leaps out of the technology section and onto the front page and the top of network news broadcasts. This year, the day was April Fools' Day, as the Conficker worm became the latest malicious program with the power to eat the Internet. Somehow, we soldiered on, most of us without ever having to kick on the emergency power generators or dig into that can of spam in the basement shelter.

But Conficker, while no dramatic outbreak, was also no laughing matter to the hundreds of thousands of Web users who were infected. The problem with the hype cycle in computer security news is that it can have an incremental "cry wolf" effect on computer users. The odds that the Internet will topple over in 2010 are, once again, quite low. But serious threats abound and bad guys are mostly still outpacing good guys in our virtual world, which will be slightly more dangerous than this year. Here are 12 reasons why:

1. E-mail attachments are back

The LoveBug and Melissa viruses, which did bring the Web to its knees 10 years ago, both used the simplest of delivery mechanisms — an e-mail attachment. Sure enough, that method stopped working after companies banned attachments and users wised up. Attachment viruses nearly dried up. Then, a new generation of users came online who hadn't learned the Melissa lesson and older users forgot. So this year, virus writers began dusting off their old methods and — surprise! — they worked again. Next year, be on guard for unexpected attachments, says Carl Leonard, head of the Websense threat lab.

"Sometimes you think this stuff has gone away and then it comes back," he said. "We're definitely seeing an uptick in Trojans that come through e-mail."

2. Anti-virus products less effective

Old-fashioned virus screening tools now catch only about three out of every four viruses through what's called "signature-based" detection, says Martin Lee of Symantec. Basic anti-virus tools scan all programs using a list of known malicious programs, looking for electronic "signatures." Virus writers now generate so much malicious software that the good guys just can't keep up. To make matters worse, virus writers are employing a technique known as "polymorphism," so the virus can electronically mutate and evade detection. That means about 25 percent of viruses can evade detection by scanners. New "heuristic" antivirus software detects malicious programs by watching what they do rather than inspecting what they are, but these products are far from perfect.
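The paragraph above contrasts signature matching (hash or byte pattern of a known file) with heuristic detection (watching what a program does). The following is an added illustration, not code from the article, Symantec or Websense: three constructed samples, a constructed signature database and a constructed rule set, showing why a re-encoded copy of a known sample passes the signature check while its run-time behaviour still trips the rules.

```python
"""Signature-based versus behaviour-based detection: a constructed
illustration, not code from the article, Symantec or Websense."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Sample:
    name: str
    content: bytes        # bytes on disk: what a signature scanner inspects
    behaviour: List[str]  # run-time events: what a heuristic scanner observes


# Constructed samples. VARIANT stands for a polymorphic copy of ORIGINAL:
# the same logic re-encoded so that no byte sequence from the original
# survives, while the events it produces when run are identical.
ORIGINAL = Sample(
    "original",
    b"MZ...dropper v1: copy to Startup, stop updater, beacon home",
    [r"file_write:C:\Users\alice\Startup\svc.exe",
     "service_stop:wuauserv",
     "net_connect:198.51.100.7:8080"],
)
VARIANT = Sample(
    "variant",
    b"MZ...x9Q!p#4k@mL&z*rT(vB)nC-dH+gF=jK",  # constructed, unrelated bytes
    list(ORIGINAL.behaviour),
)
BENIGN = Sample(
    "benign",
    b"MZ...text editor: save document",
    [r"file_write:C:\Users\alice\Documents\notes.txt"],
)

# A classic signature database: one full-file hash and one byte pattern,
# both taken from the constructed ORIGINAL sample.
KNOWN_HASHES = {hashlib.sha256(ORIGINAL.content).hexdigest()}
KNOWN_PATTERNS = [b"copy to Startup, stop updater"]

# Constructed behaviour rules (pattern, weight, label). A sample is
# flagged when the weights of the rules it trips reach the threshold.
BEHAVIOUR_RULES = [
    (re.compile(r"^file_write:.*\\Startup\\.*\.exe$", re.I), 40,
     "writes an executable to the Startup folder"),
    (re.compile(r"^service_stop:(wuauserv|windefend)$", re.I), 40,
     "stops the update or anti-virus service"),
    (re.compile(r"^net_connect:\d{1,3}(\.\d{1,3}){3}:\d+$"), 20,
     "connects to a bare IP address"),
]
HEURISTIC_THRESHOLD = 60


def signature_scan(sample: Sample) -> bool:
    """Flag the file if its hash or any byte pattern is in the database."""
    if hashlib.sha256(sample.content).hexdigest() in KNOWN_HASHES:
        return True
    return any(pattern in sample.content for pattern in KNOWN_PATTERNS)


def heuristic_scan(sample: Sample) -> Tuple[int, List[str]]:
    """Score what the sample did; each rule contributes at most once."""
    score, reasons = 0, []
    for pattern, weight, label in BEHAVIOUR_RULES:
        if any(pattern.search(event) for event in sample.behaviour):
            score += weight
            reasons.append(label)
    return score, reasons


def classify(sample: Sample) -> Dict[str, object]:
    """Combine both verdicts the way a layered scanner would report them."""
    score, reasons = heuristic_scan(sample)
    return {
        "name": sample.name,
        "signature_hit": signature_scan(sample),
        "heuristic_hit": score >= HEURISTIC_THRESHOLD,
        "score": score,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for sample in (ORIGINAL, VARIANT, BENIGN):
        print(classify(sample))
```

The signature check flags only ORIGINAL; the behaviour rules flag ORIGINAL and VARIANT with the same score and leave BENIGN alone. The weakness the article mentions shows up in the rule set too: a behaviour scanner only sees what the program does while being watched, so a sample that delays or hides its actions scores low.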

Making matters worse, viruses are now more stealthy after infections. Once upon a time, an infection was obvious, thanks to a dramatic slowdown in performance or some other obvious symptom. Not true today.

"It's become increasingly difficult for people to be aware they've become infected," Lee said. "Often, end users just will not realize something has happened."

With few guarantees for protection, it's more important than ever to keep the kids off music piracy sites and for you to avoid other unsavory Web places — and you know the ones I mean.

3. Fake anti-virus software

Knowing that your antivirus product might not be doing the job, you might be tempted to look online for an alternative, or to try one that surprisingly pops up on your desktop. That’s a bad idea: It's probably a criminal trying to extort you for money. The art of selling rogue anti-virus software was perfected in 2009. Leonard says consumers shelled out $150 million for fake antivirus programs last year.

"People are selling malicious software and dressing it up as an antivirus product," he said. "It surprises me the volume that they are selling. You would think people have become used to seeing these things."

Obviously not. The Federal Trade Commission did shut down two rogue sellers last year, but not until they allegedly tricked nearly 1 million consumers into downloading their software.

The technique, which works like a charm, will expand next year.

4. Social networking

Facebook-based attacks grew dramatically in 2009, and will continue to increase in the coming year.

There are basically two flavors — viruses that take advantage of the platform's liberal rules for information sharing among applications; and impersonation/identity theft, where a criminal hijacks an innocent user's account and tricks trusted friends and family. But other variations are certain to appear. Criminals can use publicly available information to personalize attacks ("Hey, check out these pictures from Paramus Catholic's Class of 1986!"). Facebook is easily farmed for password-generating information such as "What was your high school mascot?" And all those "click here" e-mails from Facebook are a Christmas present for would-be phishers, who can easily imitate them.

"People are getting comfortable in social networking situations and I think that they should really re-examine their level of trust and interaction," said Mary Landesman, senior security researcher at ScanSafe.

And remember, even if Facebook old-timers are too smart for all these tricks, the service is teeming with older newbies. If you've been friended by mom (or grandma) you know what I mean. They'll have to endure the Facebook privacy learning curve, too. Be generous. Spend a few minutes with older relatives this holiday getting them to tighten up their privacy settings.

5. Botnets

The bane of the Internet for the past five years — botnets, or armies of compromised home computers — will remain a problem this year. And it may be even worse: botnets have become much more resilient. Once upon a time, botnets could be disrupted by "cutting off their head," or disabling their command and control computers. But now, criminals are "building disaster recovery" into the networks, Symantec's Lee said. That makes them even more difficult to knock off line.

"You must have grudging respect for them and their techniques," Lee said.

6. Spam

Spammers took a body blow during 2009 when the notorious McColo Internet Service Provider was kicked off-line. The volume of spam plummeted from around 80 percent of all e-mail to 20 percent. Temporarily. By year's end, nine out of 10 e-mails were spam, and the number keeps climbing.

"Can it get to 95 percent?," Lee asked, rhetorically. "It never ceases to amaze me how much we put up with this."

7. Finally, Apple gets respect - from cybercriminals

For years, the worst-kept secret in the computer security world was the safety of using Macintosh computers. It seemed that criminals didn't bother trying to attack Macs. This was no political statement, however. It was merely pragmatism: Apple products were a small target. But with the uptick in Mac market share, the increasing popularity of Apple's Safari Web browser and the ubiquity of the iPhone, expect criminals to target Steve Jobs’ products, says Leonard. Already, he says, there have been a handful of iPhone attacks.

"Malware authors know where people are going," he said. "It's more worthwhile for them to go after these platforms."

8. Cell phones

Speaking of iPhones, 2010 might be the year that we see a significant attack against cell phone or smart phone users. Such an attack has been predicted for years, and has not yet materialized. But each year, cell phones become more powerful, contain more personal information and are used for more financial transactions. In other words, they become "juicier targets" for criminals, says Lee. An obvious attack — like something that wipes out phone books — might not be the breakthrough cell phone virus. Lee says consumers should be on the lookout for a simple automated way to use mobile phones to steal cash. One possibility: some TV shows urge consumers to send text messages at $1 apiece. What happens when a criminal figures out how to redirect such messages, or initiate them?

9. SEO poisoning

You have probably noticed that companies can "game" Google and other search engines, puffing up their search engine results using a series of tricks such as creating fake pages that link heavily to each other. Annoying, but relatively harmless. Unfortunately, bad guys have perfected this method and use it to mercilessly attack information seekers every time a large news event occurs. Perhaps hundreds of thousands of users were infected after the death of Michael Jackson through this technique — getting a booby-trapped Web page to rank 5th or 6th on a Google "Michael Jackson" search, even for just a few minutes, is probably the most effective malicious program attack used today.

"We see this sort of attack daily and especially when a signature event occurs, like Michael Jackson's death," said Leonard. Expect much more next year. When the next big news hits — however self-serving this may sound — stick with news Web sites you trust.

10. WINDOWS 7

Naturally, as the year progresses, criminals will set their sights on the increasing install base of Windows 7. Microsoft has continued to improve security and delivery of updates to its flagship operating system. But there will be problems, no doubt. And then there's this troubling notion: Eight out of 10 existing Windows viruses will run on Windows 7, says Leonard. Impressive forward-compatibility from the bad guys. For consumers, it means there's no time to be complacent.

11. URL shorteners

Services like bit.ly make sending links through Twitter and e-mail infinitely easier. Unfortunately, they also let criminals turn obviously troublesome URLs, like https://RomanianDarkLords.Ro/$$$eBay.com, into friendly-sounding links like http://bit.ly/5uuWwo.

That makes life easier for criminals, and harder for you, as it takes away one possible hint that a link is trouble.

Websense recently partnered with Bit.ly to help make the process safer. But you should stick with the old rule: Never click on a link you didn't expect, and always manually type URLs into your browser's address bar.
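The hint a shortener takes away can be put back by resolving the link without following it. The code below is an added example, not code from the article, Websense or bit.ly: it walks a redirect chain one hop at a time and reports the final host, whether a loop was hit, and whether a watched brand name appears in the URL on a host that is not that brand (the article's own `$$$eBay.com` example). The shortener and brand lists are assumptions, `http_location()` is a live HEAD-based lookup for real use, and the demo runs offline against a constructed redirect table.

```python
"""Expanding a shortened link before it is clicked: an added example, not
code from the article, Websense or bit.ly. The expansion logic takes the
redirect lookup as a parameter, so the demo runs offline against a
constructed table; http_location() is a live fetcher for real use."""
from http.client import HTTPConnection, HTTPSConnection
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Assumed lists; a gateway would maintain these centrally.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}
WATCHED_BRANDS = {"ebay.com", "paypal.com"}
MAX_HOPS = 5


def http_location(url: str, timeout: float = 5.0) -> Optional[str]:
    """Live lookup: send HEAD and return the Location header without
    following it, or None when the response is not a redirect."""
    parts = urlsplit(url)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        if 300 <= resp.status < 400:
            return resp.getheader("Location")
        return None
    finally:
        conn.close()


def expand(url: str, lookup: Callable[[str], Optional[str]],
           max_hops: int = MAX_HOPS) -> Dict[str, object]:
    """Follow redirects one hop at a time and return the whole chain.
    Stops at the first non-redirect, at a loop, or after max_hops."""
    chain: List[str] = [url]
    looped = False
    for _ in range(max_hops):
        nxt = lookup(chain[-1])
        if nxt is None:
            break
        if nxt in chain:
            looped = True
            break
        chain.append(nxt)
    return {"chain": chain, "final": chain[-1], "looped": looped,
            "truncated": not looped and len(chain) > max_hops}


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def brand_spoof(url: str, brands=WATCHED_BRANDS) -> Optional[str]:
    """Return a watched brand that appears somewhere in the URL while the
    host is not that brand, or None."""
    host = host_of(url)
    lowered = url.lower()
    for brand in brands:
        if host == brand or host.endswith("." + brand):
            continue
        if brand in lowered:
            return brand
    return None


def assess(url: str, lookup: Callable[[str], Optional[str]]) -> Dict[str, object]:
    """What a gateway or a cautious user wants to know before following a link."""
    result = expand(url, lookup)
    final = str(result["final"])
    return {
        "shortened": host_of(url) in SHORTENER_HOSTS,
        "final": final,
        "final_host": host_of(final),
        "looped": result["looped"],
        "brand_spoof": brand_spoof(final),
    }


# Constructed redirect table standing in for the shortener's answers.
# The first entry reuses the article's own example of a disguised link.
REDIRECTS = {
    "http://bit.ly/5uuWwo": "https://RomanianDarkLords.Ro/$$$eBay.com",
    "http://bit.ly/news1": "https://www.example.org/news/2009/12/story",
    "http://bit.ly/loopA": "http://bit.ly/loopB",
    "http://bit.ly/loopB": "http://bit.ly/loopA",
}


def table_lookup(url: str) -> Optional[str]:
    return REDIRECTS.get(url)


if __name__ == "__main__":
    for short in ("http://bit.ly/5uuWwo", "http://bit.ly/news1", "http://bit.ly/loopA"):
        print(short, "->", assess(short, table_lookup))
```

To use it live, pass `http_location` instead of `table_lookup`. Because the hop limit and loop check stop the walk, a redirect chain cannot keep the resolver busy indefinitely, and because HEAD is never followed automatically, the resolver itself never loads the final page.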

12. Gumblar

Last but not least, Landesman says the most troublesome development of 2009 could be the breakout security problem of 2010. The so-called Gumblar worm used an advanced technique to build a new kind of botnet. Rather than target thousands of home computers, Gumblar attacked Web hosts (Web sites) and turned them into "carriers." The program managed to download a Web site’s code, inject a hidden malicious program, then reload the now booby-trapped site.

Because Web sites act as a kind of hub online, they have the potential to spread a serious attack much more quickly. And 10,000 compromised Web sites are much harder to shut down than 10,000 compromised home computers, Landesman said.

Worse yet, a seriously successful Gumblar-style attack could undermine Web users' trust in the Internet. Sites that are one day safe and trustworthy may the next day be dangerous. That would severely hamper security systems that are based on "trusted" sites.

"When you have compromised sites acting as the host itself, the notion of good vs. bad is completely gone," Landesman said. "Users will find fewer and fewer sites that they can trust, and whatever trust they do have could be very fleeting."

Already, Gumblar-infected sites have transmitted code to visiting PCs that redirected all Google searches to pay-per-click Web sites, netting a tidy sum for creators.

Gumblar was declared a bigger problem than Conficker in May by Scansafe, and even though its network of compromised Web sites was eventually tamed during the year, Landesman is convinced that the technique will see many copycats.

"It's one of the attacks we are assured of seeing in large quantities in 2010," she said.
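The Gumblar technique described above left a legitimate site serving its own pages plus a hidden addition. One place to look for that addition is in the responses passing through a web gateway. The scanner below is an added example of such a check, not code from the article, ScanSafe or any product: it parses a page and reports invisible frames, scripts loaded from a host outside the page's own site, and inline scripts that decode themselves before running. The two sample pages and the `loader-placeholder.example` host are constructed for the demo.

```python
"""Spotting Gumblar-style injected content in a page: an added example of
a response check a secure web gateway could run, not code from the
article, ScanSafe or any product. Sample pages and hosts are constructed."""
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ZERO_SIZE = re.compile(r"^\s*[01](px)?\s*$", re.I)
# Decoding-then-executing is the usual shape of an injected loader.
DECODE_CALLS = re.compile(r"\b(unescape|eval|fromCharCode)\s*\(", re.I)


def registrable(host: str) -> str:
    """Naive 'site' of a host name (its last two labels); enough for the demo."""
    return ".".join(host.lower().split(".")[-2:])


class InjectionScanner(HTMLParser):
    def __init__(self, page_host: str):
        super().__init__()
        self.site = registrable(page_host)
        self.findings: List[Tuple[str, str]] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            hidden = (any(ZERO_SIZE.match(a.get(d, "x")) for d in ("width", "height"))
                      or HIDDEN_STYLE.search(a.get("style", "")))
            if hidden:
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            src = a.get("src", "")
            host = urlsplit(src).hostname or ""
            if host and registrable(host) != self.site:
                self.findings.append(("external_script", src))

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script and DECODE_CALLS.search(data):
            self.findings.append(("decoded_script", data.strip()[:60]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scan_html(html: str, page_host: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for one page served by page_host."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed clean page: its own script, a same-site CDN script, a visible frame.
CLEAN_PAGE = """<html><head><title>Site</title>
<script src="/js/site.js"></script>
<script src="https://static.example.com/lib.js"></script>
</head><body><p>Welcome.</p>
<iframe src="https://www.example.com/embed/video" width="640" height="360"></iframe>
</body></html>"""

# The same page with the kind of additions the article describes: an
# invisible frame and scripts from a made-up host, one of which decodes
# itself before running (the encoded text is just "<script>").
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """<iframe src="http://loader-placeholder.example/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<script src="http://loader-placeholder.example/a.js"></script>
<script>document.write(unescape('%3C%73%63%72%69%70%74%3E'))</script>
</body>""")


if __name__ == "__main__":
    print("clean:", scan_html(CLEAN_PAGE, "www.example.com"))
    print("injected:", scan_html(INJECTED_PAGE, "www.example.com"))
```

Each finding is a signal rather than a verdict: many legitimate pages load scripts from content delivery networks or advertising hosts, so a gateway would weight `external_script` against an allow-list and treat a hidden frame combined with a self-decoding script as the stronger indicator. Comparing today's findings with yesterday's for the same URL is what catches the "safe one day, dangerous the next" case the article worries about.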

Tuesday, December 22, 2009

Business Use of Social Media Surges

From: http://www.marketingprofs.com/charts/2009/3267/business-use-of-social-media-surges

The use of Facebook, Twitter, and blogs for business purposes has skyrocketed in the last six months—with indications of wider adoption and more frequent sessions, according to research by Palo Alto Networks into application traffic patterns of computer networks.

Facebook is the dominant social networking site in the workplace: 94% of companies used Facebook over the past six months (ended September 2009), compared with 37% six months ago, finds the Application Usage and Risk Report (Fall Edition, 2009).

Sessions consumed per organization by Facebook users increased 192% during the period, while bandwidth consumption jumped 294% to 6.3GB per organization, indicating more frequent or longer periods of use, Palo Alto Networks found.

Below, additional findings from the study.

The prevalence of LinkedIn among business users increased to 89%, compared with 35% six months ago. Bandwidth consumption declined 42%, however, and session consumption declined 22%, indicating less frequent or shorter periods of use.

Twitter is the most popular instant messaging application in the workplace: 89% of companies used Twitter, compared with 35% six months ago.

Sessions consumed per organization by Twitter users increased 252% over the previous six months, indicating more frequent periods of use, while bandwidth consumption jumped 775% to 184 MB per organization, even though tweets are limited to just 140 characters.

Facebook Mail and Facebook Chat applications have become the fourth most commonly used applications within their respective categories. Interestingly, though Facebook Chat was released in April 2008, in a mere 18 months it has become more widely used than Yahoo IM and AIM (within this sample).

Business users are significantly more active than six months ago in their blogging and posting activity. In addition to the frequency with which these applications were found, overall activity increased from several perspectives. The number of application variants found more than doubled to 23, from 11 just six months ago. In addition, total session activity increased by a factor of 39 while total bandwidth consumption increased by a factor of 48.

The adoption of these applications and other enterprise 2.0 applications, in general, is driven by end users rather than IT departments, while pace of adoption is a result of the ease with which they can be accessed, the study finds.

Other key findings:

* 82% of companies use Google Docs, Google's Internet-based suite of document programs, compared with 33% of companies six months ago.
* Not only was Google Docs found more frequently, both the sessions and bandwidth consumed per organization increased approximately 290% over the previous six months.
* 82% of companies use Adobe-Connect for Internet conferencing compared with 35% six months ago.
* 59% of companies use WebEx conferencing, up from 33% six months ago.

About the data: Published by Palo Alto Networks, the Application Usage and Risk Report (Fall Edition, 2009) summarizes the application traffic patterns, between March and September 2009, of more than 200 organizations' systems networks worldwide, across nine industry categories.

Monday, December 21, 2009

Beware of bad Google search results

From: http://www.eastvalleytribune.com/story/148583

Q. Someone told me that I can't trust Google search results anymore because of hackers. Is this true? - Randal

A. Google has built its empire on a very simple concept: be relevant.

When you search for something on Google, their system for weeding out irrelevant Web sites for any given search phrase has been their "secret sauce" and allowed them to dominate in the world of search.

They process more than 150 million search requests per day, making them far and away the most popular search engine on the planet.

But any technology that attracts that many users will attract those with malicious intent who will focus all their energies on finding ways to exploit those users.

Google is constantly working on ways to deal with something called "SEO poisoning" that is allowing hackers to get malicious Web sites listed, sometimes on the first page of popular Google searches.

SEO stands for "search engine optimization" and is a process used to optimize a Web site for the highest possible ranking in search engines. The closer to the first position in the search results you can get, the more people who will click on it.

Most folks feel comfortable with the search results from Google, never giving any thought to whether a link is safe or not. Most assume that if Google presents it as a result, it must be safe.

Unfortunately, those days are long gone. The bad guys have figured out how to sneak malicious Web sites into Google's results - and they've been doing it for some time.

The most common search terms that are being targeted (but not the only ones) are very current events - things like "swine flu" or "Tiger Woods mistress" that generate a large number of searches in a very short period of time.

The scammers either quickly create Web sites that are rigged with hidden malware and are optimized to rank highly for these breaking events, or they will compromise a legitimate Web site that is highly optimized for these types of searches.

Researchers have found that as many as 50 percent of the top search results on the first few pages of a Google search for fast-breaking stories are laced with malicious links.

And just recently, the malware writers started targeting folks that click on the Google "Doodle," which is usually a date-specific image that graces the Google logo above the search box. It could be an image of Santa Claus on Christmas, Christopher Columbus on Columbus day, etc., which if clicked generates a search for the subject being represented by the imagery.

Most recently, the "Esperanto flag" displayed on the 150th anniversary of founder L.L. Zamenhoff's birthday was targeted and resulted in 27 of the first 50 results containing some form of malware, according to a research scientist at Barracuda Networks.

As a result of these tricks, a number of companies have created programs such as McAfee's Site Advisor or Norton's Site Safety that can help the average user avoid being exploited by stepping in and warning them. Two of my favorites are actually free and easy to use. The first is K9 Web Protection (www.K9WebProtection.com), which is a solid parental control program that also does a great job of blocking access to Web sites that have suspicious coding on them. If you don't want or need the parental controls, you can turn them off and just use the malware protection, which is one of the best I've tested.

The other is a plug-in to most popular browsers called Web Of Trust (www.mywot.com) that uses the entire community of users to help warn others of suspicious sites. The warnings extend beyond malware to warn against sites that might have adware, phishing attacks, browser exploits, Internet fraud and spam. But because the ratings are user-based, it will have more false positives.

Households with children - especially teenagers who tend to have no fear of clicking on anything - should strongly consider using one of the many tools for warning against or blocking malicious sites and have a frank discussion about this fast-growing way of getting infected online.

Sunday, December 20, 2009

Zero-day vulnerability threatens Adobe users

From Network World this week:

Adobe is investigating possible vulnerabilities in its Reader and Acrobat applications that could allow an attacker to execute malicious code on Windows machines and completely compromise them.

Adobe issued a notification on a blog signaling it's preparing a response regarding claims that its Reader and Acrobat versions 9.2 and earlier are vulnerable to an attack via a malicious PDF. Symantec senior researcher Ben Greenbaum has been in touch with Adobe since Monday on the issue, adding Symantec has updated its security software to defend against this latest threat.

"We were contacted by a researcher who discovered the attack being exploited in the wild," Greenbaum says. "It's mostly targeted e-mail."

The attack would include the malicious PDF as an e-mail attachment to the victim, and the malicious code would execute on any unprotected Windows machine when the recipient clicked on it.

A successful attack could entirely compromise the victim's machine, and it's likely this is being used to try and spread botnet code, Greenbaum notes. He adds that there are other possible methods that could be used to disseminate the malicious PDF attack code, including downloading the code from the Internet.

Adobe Tuesday indicated it will make statements related to Adobe Reader and Adobe Acrobat and this latest threat at its security information alert blog.

Saturday, December 19, 2009

3 Basic Steps to Avoid Joining a Botnet

Network World recently ran an article titled "3 Basic Steps to Avoid Joining a Botnet". Their recommendations were:

Tip 1: Have work AND home machines regularly updated with patches and antivirus software

Tip 2: Use the latest browser versions

Tip 3: Be a little more careful when you get a link or an attachment.

While all these are good tips, they are all targeted at the end-user. As IT admins, we all know how difficult it is to convince an end-user to follow tips like these.

That's why it's also important to have a proxy in the network acting as a secure web gateway to protect end-users from as much malware as possible. It's just as important to keep the proxy up to date with the latest anti-malware software and OS versions.

Friday, December 18, 2009

Chinese ISP hosts 1 in 7 Conficker infections

From Network World:

China Telecom's Chinanet seems to have been hit hardest, says Shadowserver
By Robert McMillan, IDG News Service
December 17, 2009 03:41 AM ET

Security experts have known for months that some countries have had a harder time battling the Conficker worm than others. But thanks to data released Wednesday by Shadowserver, a volunteer-run organization, they now have a better idea of which Internet Service Providers have the biggest problem.

In terms of the total number of infected computers, China Telecom's Chinanet seems to have been hardest hit by the worm, which began spreading late last year.

The Chinese ISP had more than 1 million infected systems within its massive 94 million IP address network. That amounts to just over 1 percent of the company's network. But while Chinanet has the most total infections -- amounting to about 14 percent of all known copies of the worm -- it doesn't have the highest percentage of infected systems. Other, smaller ISPs show up on Shadowserver's list with infection rates as high as 25 percent.

"There's definitely a challenge at the ISP level with remediation," said Andre DiMino, one of Shadowserver's founders.

Conficker got a lot of attention earlier in the year, including a late March segment on the 60 Minutes television program warning of an April 1 upgrade to the worm. Because Conficker is the most widespread botnet ever reported, security experts worry that it could be used to launch an unprecedented denial of service attack.

But, despite its size, the network of hacked computers has been associated with very little malicious activity. That's given computer users a false sense of security, DiMino said.

"The rate of remediation is not as good as we would have liked," he said. "The awareness and the alarm about Conficker kind of faded out after April 1st because nothing really dramatic happened."

Some ISPs, such as U.S.-based Comcast, have taken to notifying users when their computers are infected or offering them free security software so they can get cleaned up. Comcast had a 0.05 percent infection rate, according to Shadowserver's numbers. AT&T was measured at 0.02 percent.

The top two ISPs on Shadowserver's list, China Telecom and China Unicom (with 472,892 infected IPs) did not have any immediate official comment on the Conficker infections, but customer support reps for both companies said that helping customers with virus problems is outside of the scope of their service.

Thursday, December 17, 2009

Cisco / Ironport integration goes one step further

Ironport has announced that its support website has moved under Cisco's support website today. Anyone using the Ironport website for support will now have to get a Cisco support login, and visit the support resources at that location.

It appears the Ironport acquisition is now almost fully complete at Cisco.

Wednesday, December 16, 2009

Blue Coat starts a security blog

Blue Coat Systems started up a new security blog, in addition to the security alerts they already send out to their customers. For those that are interested in hearing what Blue Coat's top engineers and product managers have to say about the latest security threats, you can visit their security landing page to read the blog, see the security alerts, and view some graphical information about the latest malware threats.

Sunday, December 13, 2009

Vulnerability Management: The Missing Link In Mobile Device Security

From: Dark Reading

If you're not in the office these days, then chances are you've brought the office with you. From laptop computers to smartphones, mobile devices are becoming standard issue in business. But the security of those devices is a lot less certain.

According to market analysis firm Gartner, global smartphone sales in the first quarter of 2009 were 36.4 million units, an increase of 12.7 percent compared to the same quarter in 2008. For many organizations, though, enterprise adoption of smartphones as an application platform has been slowed by concerns about basic security -- and the absence of clearly defined methods for performing vulnerability management on the small devices.

"We have seen huge interest from customers who are interested in protecting smartphones so they can deploy them as IP phones or terminals -- and the only reason they aren't [deploying the devices] is vulnerability management," says Ravi Varanasi, vice president of engineering with security system vendor Sipera.

Varanasi, who was one of the developers of Cisco's network access control (NAC) technology, says vulnerability management is the missing piece in mobile device security. "If we can solve the problem, I think it will be a free-for-all in the marketplace," he says. If technologists can improve solutions for mobile device user identity, authentication, and encryption, Varanasi adds, then the smartphone market could skyrocket even faster.

For most organizations, one of the issues in vulnerability management is that a relationship with a network service provider is usually required for deployment. Jonathon Gordon, director of marketing for Allot Communications, notes "providers are starting to be able to provide clean lines, cleaned of spam and viruses, and behind a firewall. This is starting to be offered to corporations, and down the line, these will be available with a [service-level agreement] attached."

Gordon says a growing reliance on smartphones, in particular, will lead to more comprehensive security partnerships with the network providers.

"There is a case for pushing some security features up the line, so the enterprise doesn't have to deal with them itself. They would be ubiquitous, whether [the service is] on the mobile or the fixed side," he says. "If [enterprises] rely on mobile devices as much as fixed devices, they assume they get the same service whether it's fixed or mobile. That's the underlying assumption going forward -- the expectations for mobile are that more and more people will expect it to work just as fixed wired networking does."

Choosing Their Battles

For now, however, most organizations are more worried about protecting the data on their devices than about the devices themselves, says Derek Brink, vice president and research fellow in the IT security practice at market research firm Aberdeen.

"From previous studies, I've seen it be much more about the data than about the vulnerabilities on a platform basis," Brink says. "These mobile devices are platforms in their own rights, and I think in the long term they'll be just as vulnerable to attacks as the desktop. The data that flows out to the device and is stored on the device is the highest priority."

Ultimately, though, Brink says traditional concepts of vulnerability management will become an important part of managing mobile devices. "The vulnerabilities are starting to appear, and it's not as big as the traditional platform market, but the data issue is here today, and people are concerned," he says. "In the future and ongoing, it will be the same group of issues dealt with -- whether the network is wireless or cable-connected."

Sipera's Varanasi says as the concerns of mobile and fixed assets converge, there will also be special security issues for mobile devices.

"It's not just the status of security software, but an application awareness that we need to know before we allow the phone on the network," he says. "If [the user is] running Skype, for example, we want to know about it before we allow the phone onto the network. The span of the application is very critical for the network asset. Essentially we call it CAC [call admission control], and we assess the posture of the phone, make sure it runs the proper SIP stack, and make sure it's enabled for secure and authenticated communication."

The process of managing vulnerabilities in mobile devices will become increasingly complex, just as it did in the wired world, experts say. The question for many organizations today is whether the process will grow to cover a fleet of devices that expands slowly -- or explodes as employees are allowed to bring their own phones into the corporate fold.

Saturday, December 12, 2009

Malware Threats Double in 2009

Trend Micro and AVTest.org are both reporting a huge increase in malware.

Malware threats have undergone many, many stages of evolution over the years. First it was DOS viruses, then macro viruses, then mass-mailers, then botnets, then Web threats… the only constants seem to be that these are growing both in number and in danger.

TrendLabs has seen this continued growth of malware. The effects on users are clear: in the first six months of 2008, the Trend Micro World Virus Tracking Center (WTC) recorded that 253.4 million systems were infected with malware. The comparable volume for 2009 is almost double at 491.2 million.

While not a welcome development, this wasn’t unexpected either. The official 2009 Trend Micro forecast pointed out that malware threats had been growing for years, and 2009 was going to see more of the same.

It’s not just limited to Trend Micro, either. AV-Test.org has released their findings for the first half of the year recently, with similar results. Both organizations expect the growth to continue, with little relief in sight.

Friday, December 11, 2009

Cyber-criminals cashing in with online pharmacies

From: http://technology.timesonline.co.uk/tol/news/tech_and_web/article6935651.ece

Thousands of Britons are putting their health and bank accounts at risk by going online to buy drugs from bogus internet pharmacies run by Russian cyber-criminals, according to a new report.

Despite repeated warnings, people eager to protect themselves against a range of diseases, such as swine flu, are shopping at fake online pharmacies with names such as Canadian Pharmacy or European Pharmacy.

The sites, which even carry forged copies of certificates supposedly guaranteeing their authenticity, are run by Russian criminal gangs that are making millions by flooding the internet with billions of spam messages selling drugs including Tamiflu and Viagra.

Those who are tempted by the offers of cheap drugs risk receiving potentially harmful prescriptions and could be putting their credit card and other personal details in the hands of conmen, according to an investigation by Sophos, an internet security company.

Research by Sophos into one criminal network found that fears over the spread of swine flu have sent demand for Tamiflu soaring in the US, Germany, the UK, Canada and France.

The Department of Health has said that more than three million healthy British children will be offered vaccinations against swine flu after a “striking rise” in the number of under-fives requiring hospital treatment.

However, the deaths of 214 people in Britain have been connected with the virus. Graham Cluley, of Sophos, said: “It is essential that we all resist the panic-induced temptation to purchase Tamiflu online. The criminal gangs working behind the scenes at fake internet pharmacies are putting their customers’ health, personal information and credit card details at risk.

“They have no problem breaking the law by spamming millions of people to promote these websites, so you can be sure they’ll have no qualms in exploiting your confidential data or selling you medications, which may put your life in danger. If you think you need medication go to your real doctor and stay away from quacks on the internet,” he added.

Sophos found that criminal networks of marketing “affiliates” or “partnerka” were driving online shoppers to virtual pharmacies in return for a share of the profits. Investigators believe tens of thousands of fraudsters, mostly based in Russia, are promoting the illegal goods with millions of spam messages and malicious software programmes.

The partnerka operate as well-run businesses. Organisers are known to put on expensive parties for their members, send generous gifts and even run lotteries in which the top producer wins a luxury car.

Sophos’s research discovered that in one of the most well-established affiliate networks operating out of Russia, called Glavmed, affiliate members can make $16,000 a day promoting pharmaceutical websites giving them potential annual earnings of £5.8 million. The criminals can be members of more than one affiliate network and some have boasted of earning more than $100,000 a day. Glavmed is associated with more than 120,000 fake drug websites, the majority branded “Canadian Pharmacy”, taking advantage of Canada’s reputation in the US, the biggest market for online medications, for cheap prescription drugs.

Criminals also infect computers with software that directs those searching for Tamiflu on search engines to the fake sites. Other techniques include inserting spam comments in blogs and on social networks. Those who do order Tamiflu or other drugs from these sites often receive nothing.

However, those who see their orders filled run an additional risk. When security researchers at Cisco’s IronPort ordered pills and had them analysed, they found that two thirds of the shipments, which came from India, contained the correct active ingredient but in the wrong dosages; others were placebos. “Consumers take a significant risk of ingesting an uncontrolled substance from overseas distributors,” the researchers said.

The new warning came after hundreds of websites were shut down last week for selling fake or illicit drugs around the world. Interpol and the UK Medicines and Healthcare Products Regulatory Agency co-ordinated raids in 24 countries, confiscating thousands of orders linked to more than 750 illegal websites.

A Department of Health spokesman said: “There is no need to pay for antivirals. They are free on the NHS and being offered to all who need them. Anyone who buys medicines from internet sites could be in danger of receiving counterfeit or substandard medicines.”

• There are more than 200 genuine online pharmacies in Canada, which has a reputation for providing cheap, safe medications. Consumers should only use an online pharmacy if it is licensed, offers security and privacy of information, provides an address and phone number, requires a valid prescription and medical data.

Thursday, December 10, 2009

A Separate AV/Malware Box?

For those admins who are looking to refresh their proxy architecture and evaluating the various Secure Web Gateway vendors, you may be wondering whether there's a benefit to having the AV (anti-virus) and malware scanning on a separate box. The 600 lb gorilla in the web gateway appliance market, Blue Coat Systems, uses a two-box architecture, while most of its competitors use a single-box design that runs the AV and malware scanning on the same box as the gateway.

What's the advantage of the second box? In reality the big gain is scale and throughput: by offloading scanning to a second box, you can handle much more throughput and many more connections. Even if neither of these is a concern for you, consider what happens when an AV or malware engine goes into a CPU usage storm, and whether you want that to affect the other users of the web gateway. There are files designed to send AV engines into infinite processing loops, and if your AV or malware engine hasn't been tuned to detect them, an AV CPU spike will mean web downtime for your end-users unless the AV and malware scanning runs on a separate box.
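To make the isolation argument concrete, here is an added Python example (not code from this blog or from any gateway vendor) that runs a scan engine in its own process with a hard time budget, so a file that stalls the engine cannot stall the gateway. The engine is a stand-in and the marker bytes are constructed; the point is that a process boundary, like a box boundary, lets you terminate a runaway scan and apply a fail-closed or fail-open policy, which a scan thread living inside the proxy process cannot offer.

```python
import multiprocessing as mp
import time
from dataclasses import dataclass

# Stand-in for a real AV engine (constructed): b"EVIL-MARKER" is "malware",
# b"STALL" stands in for a crafted file that drives the engine into an
# unbounded processing loop.
def toy_engine(data: bytes) -> str:
    if b"STALL" in data:
        while True:               # never returns, like a stuck engine
            time.sleep(0.01)
    return "malware" if b"EVIL-MARKER" in data else "clean"


def _scan_child(data: bytes, conn) -> None:
    conn.send(toy_engine(data))
    conn.close()


@dataclass
class ScanResult:
    verdict: str      # clean | malware | blocked_timeout | allowed_unscanned
    elapsed: float


def scan_with_budget(data: bytes, budget_s: float, fail_closed: bool = True) -> ScanResult:
    """Run the engine in a child process and give up after budget_s seconds.

    A stuck scan is terminated rather than left to tie up the gateway; the
    policy decides whether an unscanned object is blocked (fail closed) or
    passed through (fail open).
    """
    parent_end, child_end = mp.Pipe(duplex=False)
    proc = mp.Process(target=_scan_child, args=(data, child_end))
    start = time.monotonic()
    proc.start()
    child_end.close()                 # parent only reads
    if parent_end.poll(budget_s):
        verdict = parent_end.recv()
    else:
        proc.terminate()              # the process boundary makes this possible
        verdict = "blocked_timeout" if fail_closed else "allowed_unscanned"
    proc.join()
    parent_end.close()
    return ScanResult(verdict, time.monotonic() - start)


if __name__ == "__main__":
    for blob in (b"plain text", b"xx EVIL-MARKER xx", b"STALL"):
        r = scan_with_budget(blob, budget_s=1.0)
        print(f"{blob!r:24} -> {r.verdict} in {r.elapsed:.2f}s")
```

The budget and the fail-closed default are the two knobs an admin actually tunes: a short budget keeps a pathological file from degrading everyone else's browsing, and fail closed means the unscanned object is dropped rather than delivered.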

If web access isn't mission critical to your organization, and you aren't concerned with scale and throughput, a single box solution may be the answer. But before you go that route, make sure you price out the two box solution, and make the right decision based on all the factors and features available to you.

Wednesday, December 9, 2009

Hackers Exploit Tiger Woods Car Accident to Spread Malware

From: http://blogs.pcmag.com/securitywatch/2009/11/hackers_exploit_tiger_woods_ca.php

Unless you've been in a cave or working or something like that, you know that famed golfer Tiger Woods was in a car accident recently. News outlets, respectable and otherwise, have been hard at work filling us in on every available detail, genuine and otherwise, about the incident.

Cybercriminals are not being left out of the act according to security firm Sophos. The threat comes in the form of a web page claiming to have video content related to the accident. If you're a regular reader of this blog, the rest is predictable: Click to play the video and you are taken to another web page which pushes a file (Movie_HD_Plugin_Update.40014.exe) claiming to be a video plug-in necessary to watch the video. Sophos detects it as Troj/Proxy-JN.

Tuesday, December 8, 2009

Cloud security service looks for malware

Webroot Tuesday announced it has extended its cloud-based Web security service, adding a way to filter outbound as well as inbound Web traffic, monitoring for threats in order to detect and block malware such as botnets that have infected computers.

"We already have inbound filtering and now we're adding outbound," says Brian Czarny, vice president of solutions marketing at Webroot. The Web Security Service can now monitor for signs of malware-infected corporate computers trying to "call home" for more instructions, a common practice among criminally run botnets. If the cloud-based Webroot service detects malware such as botnet code calling out to get instructions or otherwise perform an activity, it will block that request, though not all traffic on the user's machine. The Webroot service then notifies the systems administrator of the security event via e-mail and via the Web-based administrative console, where reports can be obtained.

Czarny says there is no additional charge for the outbound monitoring now available through the Webroot Web Security Service, which also includes some basic URL filtering for productivity purposes. The service works by having the corporation proxy its Web traffic through Webroot’s data centers where a variety of security methods can clean malware and ward off phishing attacks.

Webroot is also announcing on Tuesday an in-the-cloud e-mail archiving service that lets customers store e-mail to be searched and retrieved whether from on-site corporate mail servers or Google Apps.

The pricing for the e-mail archiving is $6 per month per user for unlimited storage and retention; the Web Security Service costs $5 per user per month, with discounts based on volume.

Monday, December 7, 2009

Climategate Hack Used Open Proxies

An interesting story about using an open proxy to hack a website...

From: http://erratasec.blogspot.com/2009/11/climate-hack-used-open-proxies.html

More details are emerging about the "Climategate" hack. It appears that the hacker used an "open proxy" in order to hide the origin of the attack. However, the hacker may have made a mistake, and a review of the logs at RealClimate and ClimateAudit may reveal his/her identity.

As this post describes, the hacker made a comment to a ClimateAudit blog post from IP address 82.208.87.170. If we Google that IP address, we see that it is indeed an open proxy. We don't know the hacker's real IP address.

An "open proxy" is a machine that has been misconfigured to forward requests back out to the Internet. Hackers constantly rescan the Internet looking for these open proxies, usually HTTP proxies on ports 80, 8080 and 3127, or SOCKS on port 1080. Hacker websites maintain lists of active misconfigured proxies. When hackers want to be anonymous, they choose one of these proxies at random and configure their web browser to go through it. In this manner, anything they do appears to come from the proxy's IP address, and not from the hacker's IP address.

You can use this open proxy yourself to hide your identity. In Firefox, go to "Tools", "Options", "Advanced", "Network", "Settings" to open the proxy dialog box. Then do a "Manual proxy configuration", setting the "HTTP Proxy" to 82.208.87.170, and the port to 8080.

After that, you should be able to browse the Internet just fine (albeit slowly). I went to the Google search page, but was redirected to the Russian version. Open proxies are a great way to see how the rest of the world browses the Internet.

However, there is a flaw. Most proxies also forward the original IP address as a separate field in the web request. I set my browser to the above proxy, and looked at the resulting HTTP request headers. I found the proxy added the header "X-Forwarded-For:" with my original IP address.

Most web server logs ignore the "X-Forwarded-For:" header, which means that this information is lost forever. However, if RealClimate or ClimateAudit has some advanced logging enabled, then they might be able to discover the original IP address.
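As an added illustration (not part of the original post), the Python below parses a constructed HTTP request as a proxy might relay it, pulls every X-Forwarded-For value in order, keeps only syntactically valid addresses, and writes a log line that records both the socket peer (the proxy) and the forwarded chain. The request bytes, host names and addresses are all made up. The header is set by whatever sits in front of the server, so it is evidence, not proof, of the origin; log it beside the peer address and weigh it accordingly.

```python
from ipaddress import ip_address

# Constructed request, as a proxy might relay it to a blog (not a real capture).
SAMPLE_REQUEST = (
    b"POST /wp-comments-post.php HTTP/1.1\r\n"
    b"Host: blog.example\r\n"
    b"X-Forwarded-For: 203.0.113.7\r\n"
    b"Via: 1.1 proxy.example\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> dict:
    """Return {lower-case name: [values...]}; repeated headers keep their order."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:   # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def forwarded_chain(headers: dict) -> list:
    """Flatten X-Forwarded-For: the header may repeat and each may hold a list.

    Each hop appends the address it saw, so the first entry is the hop
    furthest from the server (the original client, if the chain is honest).
    """
    chain = []
    for value in headers.get("x-forwarded-for", []):
        chain.extend(item.strip() for item in value.split(",") if item.strip())
    return chain


def valid_ips(chain: list) -> list:
    """Drop anything that is not an IP literal; the header is client-supplied text."""
    kept = []
    for item in chain:
        try:
            ip_address(item)
        except ValueError:
            continue
        kept.append(item)
    return kept


def log_line(peer_ip: str, raw: bytes) -> str:
    """Record the socket peer (the proxy) and the forwarded chain side by side."""
    headers = parse_headers(raw)
    chain = valid_ips(forwarded_chain(headers))
    via = ", ".join(headers.get("via", [])) or "-"
    return f"peer={peer_ip} xff={','.join(chain) or '-'} via={via}"


if __name__ == "__main__":
    print(log_line("198.51.100.20", SAMPLE_REQUEST))
```

On a stock web server you do not need custom code for this: Apache's mod_log_config records any request header with `%{X-Forwarded-For}i` in a LogFormat, which is the "advanced logging" the post refers to. The parsing above is what a log pipeline has to do afterwards, and the validation step matters because the value is free text.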

The RealClimate website (which was attacked by the hacker) makes this claim:
The use of a Turkish computer would seem to imply that this upload and hack was not solely a whistleblower act, but one that involved more sophisticated knowledge.
This is not true. Using open proxies requires no sophisticated knowledge at all - as this blog post shows.

So, the timeline appears to be:

• Oct 12: somebody sends the same e-mails to BBC journalist Paul Hudson.
• Nov 12: sometime after this date, the hacker grabs the files and puts them into a ZIP.
• Nov 17 6:20am: Hacker uploads the file to http://www.realclimate.org/FOIA.zip from an IP address "somewhere in Turkey".
• Nov 17 7:24am: Hacker posts a comment to the ClimateAudit blog saying "A miracle just happened" with a link back to the RealClimate ZIP file. Hacker proxied through 82.208.87.170:8080.
• Nov 17 "a few hours later": RealClimate admins discover the hack and remove the file.
• Nov 19: Hacker posts file to open FTP server in Russia.
• Nov 19: Hacker posts to Air Vent blog pointing to the FTP ZIP. Hacker uses proxy 212.116.220.100:443, an open proxy in Saudi Arabia.

RealClimate hasn't said exactly how their website was "hacked into". I'm guessing a PHP bug found by an average webapp scanner. Their Archive page appears broken, giving the following raw PHP code instead. I assume that's where the hacker broke in:

Archives by Month: Archives by Category:

UPDATE: Commenters at ClimateAudit point out a simpler explanation of the RealClimate hack: several of the people at CRU post at RealClimate. The hacker could simply have pretended to be one of those people requesting a password reset, then intercepted the e-mail with the new password. This is a common hack: once you have access to a person's e-mail account, you can probably get the password on every other account (banking, blogging, Facebook, Twitter, etc.) that uses that e-mail address.

Friday, December 4, 2009

The Latest in Trojan Attacks

From http://www.webhostingfan.com/2009/12/the-latest-in-trojan-attacks/

Just when it seems as though malware and Trojan attacks could not get much worse, along comes yet another to toss a monkey wrench into the works. The latest Trojan horse program to be released on the Web is the URLzone Trojan that attacks banks.

Is that your bank?

The URLzone Trojan horse program was discovered by Finjan Software at the end of September 2009 and has been reported as being extremely advanced. The program rewrites bank pages in such a way that unsuspecting victims have no idea their bank accounts are being emptied. With an integrated command-and-control interface, nefarious types can set specific amounts they would like to remove from their victims' accounts.

Slippery little bugger

Not only has this bit of malicious code gathered the interest of Finjan, but RSA Security has also been tracking and researching URLzone. Thus far the Trojan horse program has proven to be a slippery one to catch. The malware uses several techniques to peg machines being used by law enforcement and investigators in attempts to catch URLzone. The one good thing to come of this is that the creators of the program know they are now being watched, and are reacting.

Just how slippery is this Trojan? Once it has detected it is being monitored, it continues to force a money transfer. Instead of using one of its own people, it grabs a legitimate and innocent victim who has been part of legal money transfers in the past and makes it appear as though that person is generating the transaction. The end result is a bunch of very confused investigators.

To date, over 400 unsuspecting accounts have been used as mules, over 6,400 computers have been infected with URLzone, and the total amount cleared on a daily basis has been in excess of $17,500.

How does it work?

How does URLzone work its way onto unsuspecting computers? Once the malware executes, a copy is made of itself to c:\uninstall02.exe. An ID is created and this is sent along with a version ID of URLzone to the command-and-control interface. This effectively sends a confirmation that the machine in question is now infected with the Trojan. The command-and-control interface then logs the information, downloads a new executable, and copies itself to the SYSTEM32 directory with a random and hidden name. The program does not change any existing system files and needs to add itself to the startup registry each time the machine in question is rebooted.

At this point, URLzone hooks itself to the svchost.exe process and quietly checks with the command-and-control interface for new updates and commands while simultaneously watching for web browsers to open. Once a web browser is opened, the Trojan horse program goes to work and the unsuspecting computer user is completely unaware anything is happening.
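The behaviour described above maps onto a few host-level checks. Here is an added Python hunt (not from the article, Finjan or RSA) that runs over constructed endpoint records and flags the three things the text describes: a file dropped as c:\uninstall02.exe (the only name the article gives), a hidden executable created in System32 by a process running from outside the Windows directory, and a Run key value pointing at that hidden file. The telemetry records, process paths and the random file name are constructed; since drop names change between builds, the second and third rules are the durable ones.

```python
import re

# Constructed endpoint telemetry (not real logs). Apart from C:\uninstall02.exe,
# which the article names, every path and value here is made up.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\uninstall02.exe", "hidden": False,
     "proc": r"C:\Users\bob\Downloads\invoice.exe"},
    {"type": "file_create", "path": r"C:\Windows\System32\kxq83a.exe", "hidden": True,
     "proc": r"C:\uninstall02.exe"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Windows\System32\kxq83a.exe", "proc": r"C:\Windows\System32\kxq83a.exe"},
    {"type": "file_create", "path": r"C:\Users\bob\Documents\report.docx", "hidden": False,
     "proc": r"C:\Program Files\Office\winword.exe"},
    {"type": "reg_set", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Program Files\Vendor\updater.exe", "proc": r"C:\Program Files\Vendor\setup.exe"},
]

KNOWN_DROP = re.compile(r"^[a-z]:\\uninstall02\.exe$", re.IGNORECASE)        # name from the article
SYSTEM32_EXE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.exe$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
WINDOWS_DIR = "c:\\windows\\"


def hunt(events):
    """Return (severity, rule, path) findings in event order."""
    findings = []
    hidden_drops = set()   # hidden System32 executables seen so far, lower-cased
    for ev in events:
        if ev["type"] == "file_create":
            path = ev["path"]
            if KNOWN_DROP.match(path):
                findings.append(("high", "known_drop_name", path))
            # A hidden .exe landing in System32, written by something that does
            # not itself live under the Windows directory, is the article's
            # "random and hidden name" step.
            if (SYSTEM32_EXE.match(path) and ev.get("hidden")
                    and not ev["proc"].lower().startswith(WINDOWS_DIR)):
                hidden_drops.add(path.lower())
                findings.append(("medium", "hidden_exe_in_system32", path))
        elif ev["type"] == "reg_set" and RUN_KEY.search(ev["key"]):
            # Persistence pointing back at a file we already flagged is the
            # correlation that lifts the medium finding to high.
            if ev["value"].lower() in hidden_drops:
                findings.append(("high", "run_key_to_hidden_drop", ev["value"]))
            else:
                findings.append(("info", "run_key_set", ev["value"]))
    return findings


def severity_counts(findings):
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, rule, path in hunt(SAMPLE_EVENTS):
        print(f"[{sev:6}] {rule:24} {path}")
```

The legitimate installer in the sample still produces an "info" line for its Run key; that is deliberate, since every new autostart entry is worth a glance, and the severity only climbs when it lines up with the earlier drop.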

Final Thoughts

All in all, the URLzone Trojan horse program is one nasty piece of work. The best defense any computer user can take is ensuring that their operating system is up to date with the latest security updates and their anti-virus protection software has been recently updated with all the latest information.

Once again, you should also make sure you're protecting your end-users from browsing malware sites, and your proxy is scanning for malware, with the latest anti-malware updates.

Thursday, December 3, 2009

Koobface using new tricks to infect this holiday season

The criminals behind Koobface are gearing up for some malicious holiday fun according to reports from Websense and McAfee. The malware, which has been seen online in various forms for a while now, is using Google Reader to spread itself and offers a few other tricks this time around.

First detected in December last year (with a more powerful version emerging in March of this year), the Koobface worm targets users of social networking sites like Facebook, MySpace, Twitter and most recently Skype. In recent days the security industry has noted increased activity of the Koobface attack, which spreads by delivering messages to people who are ‘friends’ of social network users whose computers have already been infected by the worm.

McAfee is warning about a Koobface run that mirrors the report from Websense that The Tech Herald received recently. Both vendors are seeing attacks from the malware that link up to a “video” of a cute little baby dressed up as Santa. The tiny tyke has no idea his image is being used to spread malware, but anyone who attempts to load the video (named SantA in some cases) is sent a message that they need to load a codec to play the movie. However, as in previous Koobface attacks, the codec is malicious and does nothing but infect the system.

Moreover, McAfee notes that some of the attacks will push users to another site when they attempt to watch the movie after it appears in Google Reader as a link. This secondary site is made up to look like a Facebook page that ironically warns users about Koobface and offers a link to download a virus scanner. This scanner is the malware delivery method, and once it is downloaded and installed, more malicious files are sent to the infected system.

In addition to the false Facebook page, McAfee noted that infected users will be lured into cracking CAPTCHA codes so that those behind Koobface can register more junk Facebook profiles. The CAPTCHA trick will appear as a Windows warning that the system will be shut down unless they enter the CAPTCHA code displayed. If the shutdown timer hits zero, the system is locked until the code is entered. Once entered, the code is sent to a server where the information is later used for account creation.

In the past, The Tech Herald has talked about malicious wall posts on Facebook thanks to Koobface, and this latest wave of attacks appears to us to be an attempt to further the reach of those posts. More information on those attacks can be accessed here.

Websense, adding to the attack information, reports that there is a social engineering tactic being used, where the periods in the malicious URL are replaced by commas. Speculating, Websense said that the commas are used in the hope that the user will copy and paste the URL into their browser and replace them with the correct character, thinking that the friend who sent them made a mistake when entering the URL.
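One way a mail or proxy filter can catch the comma trick is to look for hostname-shaped tokens whose labels are joined by commas rather than dots. This added Python function (my example, not Websense's or McAfee's code) finds such tokens, rebuilds the URL the victim was meant to type, and leaves ordinary prose commas alone. The TLD list is a trimmed sample and the wall-post messages are constructed.

```python
import re

# Sample TLD list (constructed, trimmed): a real filter would load the full public list.
TLDS = "com|net|org|info|biz|ru|cn|uk|co"

# A run of host labels joined by commas, ending in a known TLD, optionally with
# a scheme in front and a path behind. The lookarounds stop it matching inside
# real dotted hosts and plain "word,word" prose.
CANDIDATE = re.compile(
    rf"(?<![\w.,])(https?://)?((?:[a-z0-9-]+,)+(?:{TLDS}))(?![\w,.])(/\S*)?",
    re.IGNORECASE,
)


def find_comma_urls(text):
    """Return [(as_written, normalised_url)] for every comma-joined host in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        scheme = m.group(1) or ""
        host = m.group(2).replace(",", ".")
        path = m.group(3) or ""
        hits.append((m.group(0), scheme + host + path))
    return hits


def flag_message(text):
    """True when the message carries at least one comma-obfuscated link."""
    return bool(find_comma_urls(text))


if __name__ == "__main__":
    SAMPLES = [   # constructed wall posts
        "omg look www,youtube,com/watch?v=abc123 so funny",
        "thanks,bye see you at 5,30",
        "real link http://www.youtube.com/watch?v=x",
    ]
    for s in SAMPLES:
        print(flag_message(s), find_comma_urls(s))
```

The normalised form is what you would then run through the same URL reputation check the proxy already applies to ordinary links, since the whole point of the trick is to slip past filters that only recognise dotted hostnames.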

Both vendors expressed the need for users to use caution when they see random Facebook wall posts, and that they should not download files from untrusted sources. In addition to that advice, we’ve noticed that some of the false video pages misspell the “You” in YouTube, which is a clear sign something is wrong, aside from the fact the video isn’t being hosted on YouTube itself.

And of course, if you haven't already, you should consider putting a proxy into your network to help protect end-users from malware and spyware.

Wednesday, December 2, 2009

New malware scam targets Twilight fans

PC Tools' Malware Research Center is warning web users of another online scam that hopes to piggyback on hype surrounding the new Twilight New Moon film.

The security software developer says the latest trick tempts movie fans by promising they can watch the film for free, then installs malware on their computer.

PC Tools said fans are baited with text on websites, in chat rooms and on blogs that reads: 'Watch New Moon Full Movie.'

Meanwhile, comment posts are filled with related keywords to attract search engines. Then, when fans search for the film, they find links to stolen images from the movie itself, convincing the fan that the movie is only one click away.

However, after clicking on the 'movie player', users are told to run a 'streamviewer' which installs malware on their computers.

This is the second malware scam targeting Twilight New Moon in a week. Last week, PC Tools warned that malicious websites claiming to feature interviews with the author of the books, Stephenie Meyer, were ranking high in a number of search engines.

Instead of providing a video clip of Meyer, those visiting the site were directed to a window informing them they were infected with malware and then encouraged to download an antivirus solution to clean their PC.

This latest malware scam is a good reminder to have security for end-users via a proxy architecture, and the latest anti-malware installed on your proxy.