Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Thursday, May 27, 2010

Credit crunch is fueling data theft

From: http://www.thetechherald.com/article.php/200911/3206/ScanSafe-Credit-crunch-is-fueling-data-theft

ScanSafe, a SaaS security vendor based in London and San Francisco, has released its Annual Global Threat report. According to the stats collected from 240 billion Web requests in 2008, the credit crunch being felt all over the world is fueling a surge in Web-based attacks. The report details growth like no other, with attack vectors such as Iframe-related attacks jumping over 1000 percent.

ScanSafe used 240 billion Web requests from corporate customers, spread out over 80 countries, to track the data used in its report. According to the data, there was an explosive growth in Malware throughout 2008.

For example, there was 582 percent growth between like quarters in 2007 and 2008, and a 300 percent volume ratio increase from January 2008 through to December 2008. Exploits and Iframes were up 1731 percent in 2008, while data-theft Trojans increased by 1559 percent.

“We saw a continued acceleration of Web-delivered malware in 2008, reaching significant peaks in both October and November. The numbers are staggering,” said Mary Landesman, senior security researcher at ScanSafe.

“There is a high correlation of increased online crime with the decline in the global economy. It could be that the increasing levels of job loss and uncertainty are fueling the surge in criminal activity. It is also likely that cyber crime is proving to be a viable business opportunity in a climate where legitimate opportunities are becoming increasingly more limited.”

The credit crunch is fueling this growth, the report says, as 14 percent of all ScanSafe’s blocks were the result of encounters with data theft Trojans, compared to six percent in 2007. Towards the end of 2008, when the credit crunch was in full swing, the report details the largest growth in this category. Not only did October and November 2008 show the highest levels of blocks, but they also showed a heavy saturation of data theft Malware.

According to one section of the report, there was a change of intent in 2008. Criminals are now shifting their focus to the targeting and harvesting of sensitive data. Most of the Malware delivered through the Web provided remote customization and configurability, enabling attackers to target specific data and manage how that data is obtained.

For home users, the targets were game-related credentials and credit card numbers. For businesses, it was intellectual property and the potential to eavesdrop on all network transmissions via ARP poisoning or other man-in-the-middle attacks.

Trusted sites also posed a substantial risk. In April 2008, ScanSafe said it counted in excess of 780,000 malicious Web pages from only five vertical segments because of a single SQL injection attack.

“Today’s malware is all about stealing and harvesting data. Cyber criminals have moved away from defacing sites or merely designing malware as a prank and it is now created with commercial and criminal intent,” added Landesman. “Online crime has become a lucrative business and both commercial and personal data fetch a significant sum on black markets.”

Wednesday, May 26, 2010

Security firms warn of bogus job search emails

From: http://www.infosecurity-us.com/view/9409/security-firms-warn-of-bogus-job-search-emails/

Security vendors – including Websense and Sophos – have sent up a red flag about suspect emails targeting human resources staff. The messages apparently contain zip files that, when opened, infect users’ PCs with rogue anti-virus.

Websense Security Labs reports that the attached ZIP is an executable malware file directing to the Oficla bot. “This connects to a URL in the davidopolko.ru domain for its [command-and-control] functions”, the firm noted in a security blog posting. Once downloaded, the malware brings up a warning box telling users their machine has been infected by a trojan, followed by the download and installation of a rogue anti-virus called ‘Security essentials 2010’.

Malware tracking website VirusTotal shows a detection rate for this attack at just over 50% for the major anti-virus vendor engines.

Websense said the spam is quickly proliferating, as its security lab saw more than 230,000 samples in just four hours this morning.

Graham Cluley, Sophos senior technology consultant, warns staff to be cautious if receiving an unexpected email with what appears to be a resume/CV attached.

Cluley says the emails, which are short and to the point, have the following characteristics:

Subject: New resume
Attached file: Resume_document_459.zip
Message body: Please review my CV, Thank you!

"Hmm.. hardly the most convincing job application I've ever seen – they haven't even given any clues as to which role they might be applying for", said Cluley in his security blog posting last night. "However, you or some of your users might still be tempted to open the attached CV to see if it sheds any more clues as to the point of the communication", he added.

Sophos' Cluley went on to say that, if you do make the mistake of opening the attached Resume_document_459.zip file, you run the risk of infecting your Windows computer with malware.

Sophos' research teams, he says, are intercepting the threat proactively as Troj/Invo-Zip and Mal/EncPk-NS.

“HR departments are used to receiving CVs over email and this kind of malicious activity is indicative of the modern-day hacker”, added Carl Leonard, EMEA security research manager for Websense. “The broad-brush approach to seeding malware is now out of favor; fraudsters know they can infect more computers, and steal more data, if they use techniques that fit the target.”

Tuesday, May 25, 2010

A Look at a Russian "Fake AV" Scam

From: http://www.bluecoat.com/blog/look-russian-fake-av-scam

I am not sure whether this is the same as you already have seen, but anyway...while reading my Google Reader, I got a popup opening av-scann.com (still not sure where it came from) and got all the usual rogue AV "scans", except that this time it was completely in Russian.

(C.L.: The screenshot he sent is almost identical to this one, so I won't reproduce it here. As to where it came from: probably a "malvertisement" -- we've seen a lot of Fake Scanner pages piggybacking on ad networks lately, so they can pop up on almost any legitimate web site.)

The Russian looks a little bit strange. There are no grammatical errors, but the chosen vocabulary looks a little bit odd.

A funny thing (haven't noticed this before, so I guess it appeared only in this "version") - if you scroll down a little, you'll see: Эмуляция работы программы ("program emulation") and Пользовательское соглашение ("user agreement"). The user agreement is shown when the user clicks Вылечить всё ("cure all"), and explains the payment system.

When the user clicks it again, the usual "send SMS to this short number" window is shown. (BTW, they have Latvia, Lithuania, Estonia, Russia, Finland, etc. in the list of supported countries.)

First interesting thing in the agreement - it is for the site net-virusam.com ("no to viruses" in Russian), not for the opened av-scann.com.

(C.L.: When I checked, net-virusam.com didn't exist. av-scann.com was trying to hide behind a page that said Сайт заблокирован! -- "site blocked!" -- but was still serving pages. Nice try.)

User Agreement 5th paragraph - to get access to the site's resources, the user needs to send them 3 SMSs. Cost of one SMS is 300 RUR (~10$) without Value Added Tax (which is usually around 20-25% in European countries), that is, the user pays around 12$ for one SMS, which gives us 36$ for the access to the site, which is comparable to 40-100$ for English rogue AVs. The agreement says the user is paying for downloads from their sites - 15 RUR for each. 3x300 means that the user can order a block of 60 downloads at once. From the same agreement: "...After activation, user gets access to FREE version of Avira antivirus. The user interface of the downloaded program can be extremely different from the one you've seen in emulation...". So I guess that is why they are charging for downloads - selling free software is clearly illegal, but selling their bandwidth, on the other hand...

User Agreement 6th paragraph - "...Our service does not provide any guarantees of quality of our services or compliance with user expectations... We do not have money-back guarantees... We will not refund any losses you could experience..."

(C.L.: So, no malware, just a scam -- unless, of course, that Avira download you get isn't a clean version!)

South America's New Growth Industry is Malware

From: http://it.toolbox.com/blogs/talk-to-the-hand/south-americas-new-growth-industry-is-malware-38897

Malware syndicates in China have been implicated in a number of recent high-profile, targeted cyber attacks against American companies and organizations, but the latest data from security software vendor Zscaler indicates a new and equally dangerous threat is emerging in South and Central America.

In its first-quarter "State of the Web" report, Sunnyvale, Calif.-based Zscaler aimed to provide some meaningful analysis and context for enterprises struggling to safeguard their data networks from organized groups of hackers and phishers who are exploiting both lax local enforcement and a laissez-faire attitude by international hosting companies to steal identities, assets and intellectual property.

To no one's surprise, the Zscaler report pegs the U.S. as the leading source of malicious traffic including botnets, worms and aggravating SQL-injection attacks. Of course, that's to be expected because the U.S. is also the runaway leader in generating and serving up Internet traffic of all types.

What's interesting is that when Zscaler analyzed each country based on the largest percentage of malicious versus benign servers, seven of the top 10 countries with high saturations of malware-distributing servers were South and Central American nations.

Honduras checked in with a ratio of 7.5 percent, good enough (or bad enough, depending on how you view it) for second in the world behind only the Cayman Islands (10.2 percent).

The rest of the Malware Top 10 included Bolivia (6.25 percent); Peru (6.11 percent); Argentina (6 percent); Paraguay (5.13 percent); Ecuador (5.05 percent); Colombia (4.54 percent); Luxembourg (4.47 percent) and Turkey (3.94 percent).

Meanwhile, China checked in at just 2.96 percent, meaning that the concentration of malicious servers in countries like Honduras, Bolivia, Peru and Argentina is at least double that of those servers based in China.

"While the U.S. and China may have a large number of Web servers used to host malicious content, they have a much larger percentage of servers that host benign content when compared to other countries," Mike Geide, co-author of the report and a senior security analyst at Zscaler, told InternetNews.com.

"Many of the countries noted are emerging markets, and with economic growth comes an increase in technology," he added. "The security of this technology is often an after-thought or maybe a skill that has yet to be developed within these countries."

Another troubling issue to emerge from the study is the fact that Microsoft's Internet Explorer 6, bugs and all, is still the de facto enterprise browser for more than 25 percent of Zscaler's customers.

Despite the devastating consequences of Operation Aurora, a zero-day vulnerability that left corporate networks naked and vulnerable for almost three weeks earlier this year, companies are still reluctant to upgrade to IE8 despite Microsoft's own efforts to persuade customers to install more recent, and more secure, versions of its browser.

The report also noted a significant spike in botnet activity, bogus antivirus software scams and blackhat search engine optimization (SEO) schemes.

"As we have seen in the past, attackers are not resting on their laurels," the report said. "They continue to innovate and target each and every opportunity that comes their way."

"At the same time, the malicious infrastructures that they’ve created continue to thrive, requiring only regular maintenance and periodic updates to deliver impressive value to their owners," it concluded.

Monday, May 24, 2010

The Branch Office Network Form Factor Debate

From: http://www.insecureaboutsecurity.com/2010/05/13/the-branch-office-network-form-factor-debate/

There is an interesting debate happening in the networking industry that centers around branch office equipment. ESG Research points out that branch office servers and applications are moving to the data center and this move is driving more investment in WAN optimization technologies from Blue Coat, Cisco, Citrix, and Riverbed. At the same time, cheap bandwidth and cloud services are changing the network infrastructure. Large organizations are moving away from back-hauling all traffic through the data center and setting up a real network perimeter at the branches themselves.

While networking changes continue, there is also another trend happening. Lots of legacy networking and IT functionality (WAN optimization, firewall, IDS/IPS, file servers, print servers, domain controllers, etc.) is now available as a virtual machine. A single device can now take on multiple functions.

The debate centers on the “hybridization” of networking and server functionality at the branch office. Should branches deploy edge networking devices packaged with Intel processors for running VMs, or should they simply implement Intel blade servers from Dell, HP, and IBM at the network perimeter and then use VMs for all networking and server needs?

The answer to this question could really impact the industry. For example, Fortinet is the king of UTM devices for branch offices but what if these appliances are suddenly replaced with standard Intel servers and virtual appliance software? Obviously this wouldn’t be good news for Fortinet.

For the most part, leading vendors are not pushing one model or another. Cisco WAAS equipment comes packaged with a Windows server while the Riverbed Service Platform (RSP) can run a Check Point firewall, a Websense gateway, an Infoblox DNS/DHCP server, or basic Windows services.

So which model wins? Both (Yeah, I know it is a cop out, but I truly believe this). It’s likely that smaller branches go with Intel servers and VMs while larger remote offices stick with networking gear. Large organizations will also lean toward their favorite vendors. Cisco’s networking dominance means it wins either way while Riverbed will likely do well in its extensive installed base and succeed at the expense of second-tier WAN optimization guys like Silver Peak.

In truth, there is no right or wrong way at the branch office network, but the vendor debate ought to be very entertaining.

[Ed. Note: For completeness, it should be noted that Blue Coat has gone the Intel server and VM route, with a virtual appliance available]

Thursday, May 20, 2010

Banking Malware uses PAC file

From: http://research.zscaler.com/2010/05/banking-malware-uses-pac-file.html


There have been a few recent posts (1, 2) about malware that sets and uses proxy auto-config (PAC) files to steal victims' banking credentials. I thought this was interesting and decided to write a quick post on it. PAC files provide the ability to auto-configure proxy settings for your browser, including the ability to set proxy settings on a per-URL basis. DNS Changer malware has been around for a while; it alters the victim's hosts file and/or DNS server settings so that banking and other sites resolve to attacker-controlled servers hosting malicious or phishing content. In the PAC malware, the victim's browser instead uses a proxy setting that sends the targeted URLs to the attacker-controlled server.

Here is a malware report from today for a sample that performs PAC configuration on a victim's machine. It sets an AutoConfigURL value under the registry key Software\Microsoft\Windows\CurrentVersion\Internet Settings.

This malware example configures the victim to use the PAC file on:

hxxp://dns.configdeskwork.com:8099/workwindows.pac

FQDN resolution:

dns.configdeskwork.com. 1800 IN A 208.64.66.170

As previously mentioned, PAC files enable proxy settings on a per URL basis. This particular PAC file redirects traffic to the attacker's host (208.64.66.170) for a number of Brazilian sites and American Express.
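The per-URL proxying the post describes is easy to audit from the defender's side: a PAC file is just JavaScript that must define FindProxyForURL(url, host), so a copy of the file can be evaluated against a watch list of sensitive URLs and any URL whose decision is not DIRECT is flagged. The example below is added here and is not code from the Zscaler post; the PAC text, the host names and the proxy address 203.0.113.10:8099 (a TEST-NET placeholder) are all constructed assumptions that only mirror the shape of behaviour the post describes.

```javascript
// Added example (not from the Zscaler post): audit a PAC file by evaluating
// its FindProxyForURL() against a watch list of sensitive URLs and reporting
// every URL that would be steered to a proxy instead of going DIRECT.

// Minimal subset of the standard PAC helper functions a browser exposes to
// the PAC script. DNS-dependent helpers (isInNet, dnsResolve) are left out
// on purpose so the audit runs offline and deterministically.
const pacHelpers = {
  // Shell-style glob match: '*' matches any run, '?' matches one character.
  shExpMatch(str, pattern) {
    const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                            .replace(/\*/g, ".*")
                            .replace(/\?/g, ".") + "$";
    return new RegExp(re, "i").test(str);
  },
  dnsDomainIs(host, domain) {
    return host.toLowerCase().endsWith(domain.toLowerCase());
  },
  isPlainHostName(host) {
    return !host.includes(".");
  },
};

// CONSTRUCTED sample PAC, shaped like the one the post describes: a handful
// of financial hosts go through a proxy, everything else goes DIRECT.
// 203.0.113.10 is a TEST-NET placeholder, not a real address from the post.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.bank-example.com") ||
      shExpMatch(host, "*.card-example.com")) {
    return "PROXY 203.0.113.10:8099";
  }
  return "DIRECT";
}
`;

// Compile the PAC source with only the helper functions in scope and hand
// back its FindProxyForURL. This is for offline analysis of a captured copy;
// new Function() is not an isolation boundary, so evaluate untrusted PAC
// text in a throwaway environment.
function loadPac(pacSource) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(
    ...names,
    pacSource + "\nreturn typeof FindProxyForURL === 'function' ? FindProxyForURL : null;"
  );
  const find = factory(...names.map((n) => pacHelpers[n]));
  if (!find) {
    throw new Error("PAC file does not define FindProxyForURL");
  }
  return (url, host) => String(find(url, host));
}

function hostOf(url) {
  return new URL(url).hostname;
}

// For each watch-list URL, record the proxy decision and return the subset
// that is NOT "DIRECT", i.e. traffic that would be diverted.
function auditPac(pacSource, watchList) {
  const find = loadPac(pacSource);
  const diverted = [];
  for (const url of watchList) {
    const decision = find(url, hostOf(url));
    if (decision.trim().toUpperCase() !== "DIRECT") {
      diverted.push({ url, decision });
    }
  }
  return diverted;
}

// Constructed watch list: two financial URLs plus an unrelated control URL.
const WATCH_LIST = [
  "https://www.bank-example.com/login",
  "https://secure.card-example.com/account",
  "https://www.example.org/news",
];

for (const hit of auditPac(SAMPLE_PAC, WATCH_LIST)) {
  console.log(`DIVERTED ${hit.url} -> ${hit.decision}`);
}
```

In practice the watch list would be the organisation's own banking, payroll and SaaS logins, and the PAC source would come from whatever the AutoConfigURL value points at; any hit for a host that should never be proxied, or any proxy address outside the corporate proxy pool, is the indicator worth alerting on.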

Tuesday, May 18, 2010

Huge 'sexiest video ever' attack hits Facebook

From: http://www.computerworld.com/s/article/9176905/Huge_sexiest_video_ever_attack_hits_Facebook

[Ed. note: Blue Coat's 2009 Security report mentions this type of attack is not new, and what's interesting about this is that this type of attack and the malware behind it has been around for years, yet continues to do so much damage]

A huge attack by a rogue Facebook application last weekend infected users' PCs with popup-spewing adware, a security researcher said Monday.

On Saturday, AVG Technologies received more than 300,000 reports of the malicious Facebook app, said Roger Thompson, AVG's chief research officer. AVG came up with its tally by counting the number of reports from its LinkScanner software, a free browser add-on that detects potentially poisoned pages.

"It was stunning, really, the number," said Thompson in an interview via instant message late Monday. "And stunning that it was not viral or wormy [but that] Facebook did it all by itself."

The volume of reports on Saturday's rogue Facebook software was highest during the nine-hour period between midnight and 9 a.m. Eastern, with spikes of approximately 40,000 per hour coming at 7 a.m. and noon. For the day, AVG received more than 300,000 reports, triple that of AVG's second-most-reported piece of spyware.

According to Thompson, Facebook eradicated the rogue application about 15 hours after the attack started. Facebook's only acknowledgment of the attack came on its security page, where a "Tip of the Week" Monday morning read: "Don't click on suspicious-looking links, even if they've been sent or posted by friends."

But other security firms also noted the attack. Both U.K.-based Sophos and U.S. security company Websense dubbed the attack "Sexiest video ever," based on the message that appeared on Facebook users' walls, seemingly from their Facebook friends.

Clicking on the link led users to a Facebook application installation screen, where users were asked to allow the software to access their profiles and walls. Once approved, the application claimed that users had to download an updated version of FLV Player, a popular free Windows video player.

The download was nothing of the sort, but instead the notorious Hotbar adware, a toolbar that inserts itself into Internet Explorer, then starts displaying pop-up ads and links.

The attack spread as the malicious Facebook app posted the same "Sexiest video ever" message on the walls of victims' friends.

According to Thompson, the massive attack demonstrates the power of large social networking sites.

"Facebook is very responsive to threats when we identify them, and removing these applications as soon as they find them, but they're still able to generate huge traffic, just because of the viral nature of social networks," he said in a statement earlier Monday. "It is staggering how many threats were propagated before they were stopped."

Criminals have recognized the value of abusing Facebook to spread adware, launch identity theft attacks or plant malware on users' PCs. Kaspersky Lab, for example, recently estimated that almost 6% of all identity theft attacks originated from Facebook in the first three months of the year, putting the site in fourth place behind PayPal, eBay and the London-based bank, HSBC.

"This was the first time since we started monitoring that attacks on a social networking site have been so prolific," Kaspersky's report said.

Wednesday, May 5, 2010

Fortinet's April Threatscape Report Shows Botnets Battling for Digital Real Estate

From: http://www.marketwire.com/press-release/Fortinets-April-Threatscape-Report-Shows-Botnets-Battling-for-Digital-Real-Estate-NASDAQ-FTNT-1157685.htm

Fortinet® (NASDAQ: FTNT) -- a leading network security provider and worldwide leader of unified threat management (UTM) solutions -- today announced its April 2010 Threatscape report showed high activity from multiple botnets, namely Gumblar and Sasfis. While Gumblar remained in the No. 1 position in Fortinet's Top 10 Network Attacks list, the Sasfis botnet ranking was bolstered by two of its executables prevalent in Fortinet's Antivirus Top 10 listing. Like Bredolab, Sasfis is a botnet loader that reports statistics and retrieves/executes files upon check-in. However, Sasfis differs since it is newer and does not employ encryption (all communications are sent through HTTP unencrypted). Nonetheless, Sasfis continues to spread aggressively and typically loads banking trojans among other malicious files.

Additional key threat activities for the month of April include:

* Microsoft Vulnerabilities: The Internet Explorer vulnerability MS.IE.Userdata.Behavior.Code.Execution (CVE-2010-0806) was the second-most detected malicious network activity for the second report in a row. While in its zero-day state, Fortinet observed an attack on this vulnerability that installed the infamous Gh0st RAT spy-trojan, a fully-functioning remote administration tool that also streams Webcam video and audio feeds. Secondly, FortiGuard Labs also discovered two memory corruption vulnerabilities in Microsoft Office Visio that allow a remote attacker to compromise a system through a malicious document. The vulnerabilities are triggered when opening and rendering a Visio file. A remote attacker could craft a malicious document that exploits either one of these vulnerabilities, allowing them to compromise a system.

* Adobe Acrobat vulnerabilities: Fortinet's FortiGuard Labs also discovered two memory corruption vulnerabilities in Adobe Reader / Acrobat, which allow a remote attacker to compromise a system through a malicious document. The vulnerabilities are triggered when opening and rendering a PDF document. A remote attacker could craft a malicious document which exploits either one of these vulnerabilities, allowing them to compromise a system.

* Ransomware and Scareware still top virus detection: This is no surprise, as Scareware has been consistently prevalent since September 2008. Ransomware, on the other hand, began making headway in 2010 due to incentives from affiliate-backed programs that pay out when victims purchase the fake products.

* Cutwail spambot leveraged for money mule recruitment: Fortinet continues to observe the Cutwail spambot, which has been active for years, send various spam campaigns for its customers. The spam sent by Cutwail this month typically included malicious links to eCard binaries or emails with the binaries themselves attached. Various money mule recruitment themes were observed in spam emails for this report, showing a growing demand for jobs on the black market.

"Money mules are essentially money laundering vehicles utilized by cyber criminals to handle and transfer illicit funds," said Derek Manky, project manager, cyber security and threat research, Fortinet. "The mule receives a commission for doing the transfer. These transfers are typically done in batches of $10,000 USD or less. Money mule positions are, more times than not, crafted as legitimate sounding jobs, such as accounts receivable positions. If something seems too good to be true, it generally is."

Another money mule campaign example can be found here: http://www.fortiguard.com/pics/threatscape1209/image-05b.png

FortiGuard Labs compiled threat statistics and trends for April based on data collected from FortiGate® network security appliances and intelligence systems in production worldwide. Customers who use Fortinet's FortiGuard Subscription Services should already be protected against the threats outlined in this report.

Tuesday, May 4, 2010

McAfee Offers Protection for Android-powered Mobile Devices

From: http://www.findmysoft.com/news/McAfee-Offers-Protection-for-Android-powered-Mobile-Devices/

McAfee, a company that specializes in providing security software solutions for home and business users, is now taking on the Google-developed Android operating system. The Santa Clara-based company has announced that its McAfee VirusScan Mobile security software solution can protect Android-powered devices from malware, secure the user’s personal information, and ensure critical communication functions work while the user is on the go. The security software solution automatically updates itself, thus providing immediate protection for the most recently uncovered threats.

In a press release, McAfee announced that McAfee VirusScan Mobile has been rolled out to Android and Windows Mobile-based smartphones from SK Telecom in Korea. All SK Telecom customers can download the antimalware application from TStore, SK Telecom’s mobile application store. With more than 20 million mobile subscribers, SK Telecom holds the lion’s share of the market in South Korea (bigger than 50% to be more precise).

According to McAfee, cyber criminals will definitely take a closer look at mobile internet access and mobile service usage as it continues to rapidly grow. Security breaches will become inevitable as more and more application developers and other content creators demand more device access from mobile device platforms. McAfee VirusScan Mobile comes in and ensures mobile device users and their data remain safe.

“Wherever mobile consumers go, threats will follow them. McAfee is committed to tackling mobile threats. The introduction of McAfee VirusScan Mobile technology for Android allows McAfee to protect more consumers in more situations of their rapidly changing digital life,” commented Worldwide Head of Mobile Marketing for McAfee, Jan Volzke.

“The user environment of a smartphone is similar to that of a PC, so many security issues can be applied equally. Infections can occur over message attachments, application downloads and Bluetooth. Through this partnership, we are pleased to now offer our SK Telecom users peace of mind that their smartphones have a new level of security,” commented Service Technique Director of SK Telecom, Hu jong Kim.

Monday, May 3, 2010

How botnets, hacking kits and weak apps aid cybercrooks

From: http://content.usatoday.com/communities/technologylive/post/2010/04/how-botnets-hacking-kits-and-weak-apps-aid-cybercrooks/1

Criminal-controlled botnets are becoming more resilient and powerful than ever. It's easier than ever for even low-skilled hackers to supply botnets with freshly infected PCs by using user-friendly virus tool kits, and many of them are using these tool kits to spread infections on weakly protected webpages put up by legitimate corporations, say reports issued this week by Symantec's MessageLabs division, Microsoft, M86 Security, WhiteHat Security and Imperva.

The MessageLabs report and Microsoft report both show that even when the good guys manage to shut down large swarms of infected, spam-spewing PCs, the bad guys "quickly recover and continue to send malicious content almost uninterrupted," says Paul Wood, MessageLabs Intelligence senior analyst.

Rustock, the largest and most powerful botnet, controls between 1.6 million and 2.4 million infected PCs, and it has increased spam output by 300% in recent months, says Wood.

The M86 report details how hacker tool kits are becoming more refined, and more widely promoted. M86 has counted more than a dozen new kits being marketed on the Internet in the past six months. Most of these kits are in Russian, such as Adpack and Fragus, perhaps indicating the location of buyers, says Bradley Anstis, VP of Technology Strategy for M86 Security.

Meanwhile, the Ponemon Institute recently surveyed 627 IT pros at more than 400 multinational enterprises and government organizations as part of a study sponsored by WhiteHat Security and Imperva. The survey shows more than 55% of in-house developers assigned to write custom Web apps are too busy to respond to security issues, while 74% of the survey respondents reported that their organization did not have a dedicated security team.

"Botnets are PCs that have been infected with malware. Malware predominantly spreads by exploiting unpatched Web browsers which people use to visit legitimate, yet infected websites," says Jeremiah Grossman, CTO of WhiteHat Security.

Websites, in turn, are getting infected by low-skilled hackers using purchased toolkits capable of searching out webpages ripe for SQL injection attacks that crack into the database layer of weakly-protected websites. Click on a tainted webpage and you won't notice anything. But your PC gets turned into an obedient "bot," and for good measure, all of your account logons routinely get stolen.

"Welcome to the cat and mouse game," says Anstis. "Every time an infected bot gets remediated or a botnet gets taken down, the blackhats develop new ways to get around that."