Latest Technology News
Trend Micro researchers received a sample of an enterprise information security (EIS) program component file that exhibits easily abused rootkit capabilities.
Enterprise information security (EIS) systems are used by companies to monitor activities within a network. This is done to make sure that security processes are followed, and that all activities done within the network are in line with the company’s policies.
Upon executing the software, the component file SCS11HLP.SYS registers itself as a device driver and a service on the affected system, after which it hooks certain APIs by patching system code. It then searches for the running processes winpop.exe, xhound.exe and xtsr.exe, which are all related to the EIS software itself. These processes are hidden, preventing the user from viewing them even through Process Explorer. Information gathered as the software monitors the system is logged in the directory C:\XLog, which is also hidden by the software.
What raised the red flag for Trend Micro researchers is that the hidden directory C:\XLog, which is originally used for storing the gathered information, could be exploited by malware authors. Hiding folders is not malicious per se. However, malware writers could target systems with the said EIS software installed and place their malicious files inside the directories hidden by the EIS software itself.
Coincidentally, the software publisher of the said EIS program is the same publisher of the Sony MicroVault USM-F fingerprint reader rootkit found in 2007. Originally designed as a security feature to prevent unauthorized access, the rootkit was seen as a possible channel for malware authors to run malware stealthily. That USB rootkit was already the second incident in which Sony merchandise was found to contain an undeclared rootkit, the first being the Sony DRM issue in 2005.
Trend Micro has already contacted the original publisher of the EIS software. Meanwhile, the component file is currently detected as HKTL_BRUDEVIC.
<p>The newly released Symantec <em><a href="http://www.symantec.com/business/theme.jsp?themeid=threatreport" target="_blank">Report on the Underground Economy</a></em> discusses a number of topics, including the supply and demand of goods and services that were advertised for sale in the underground economy. This information was gathered by monitoring various IRC channels devoted to the commerce of these goods and services. In particular, I’d like to highlight some of the things we observed in analyzing the trade in malicious tools.<br /><br />One of the things we observed is that the underground economy is self-sufficient. What this means is that the tools necessary to produce goods and services are also available for sale in the underground economy. This indicates that the market has matured enough that productivity gains can occur through the division of labor; i.e., the economy makes it viable for individuals to increasingly specialize in the tasks they excel at. This is where malicious tools come into play. <br /><br />Malicious tools of many different varieties are offered for sale in the underground. This includes exploits, vulnerability scanners, botnets, autorooters, spam/phishing kits, and tools for obfuscating malicious code. These tools play a part in generating many of the other goods and services marketed in the underground economy, such as credit card numbers, personal information, shells, banking credentials, etc. Therefore, the demand for these goods and services creates an opportunity for individuals with the skills required to develop malicious tools, and this helps to foster increasing specialization.<br /><br />While the market for malicious tools is relatively small in comparison to other goods and services such as stolen credit card numbers, the market appears to be productive enough to support the demand for these goods and services. One of our findings is that tools for discovering and exploiting Web application vulnerabilities were popular. 
This is because compromised websites can generate many different types of goods and services such as personal information, email addresses, shells, spam mailers, credit card numbers, etc. <br /><br />Here are a few examples (all prices in USD):</p><blockquote>• A scanner for remote file include vulnerabilities sold for an average price of $26, and ranged from $5 to $100.<br />• A scanner for cross-site scripting vulnerabilities was advertised for an average price of $20, and prices ranged from $10 to $30.<br />• Exploit links to websites that are affected by remote file include vulnerabilities were sold in bulk—100 links could be obtained for an average price of $34 and 200 links could be obtained for an average price of $70. <br />• SQL injection tools were sold for an average price of $63, and ranged from $15 through $150.<br /></blockquote>The trade in attack tools and exploits for Web-based vulnerabilities is one more example of how attackers are increasingly motivated by profiting from their malicious activities. Our report helps to show how the underground economy is maturing and becoming a viable source of alternative income for hackers, exploit developers, and authors of malicious code.<br /><br />I should also note there is one small correction to the report based on recent events. In the report, we discuss the news that development of the Neosploit toolkit had ceased due to competition from cheaper, less advanced toolkits. It appears that this is no longer the case. A new version—Neosploit 3.1—has been spotted in the wild, sporting new exploits and features. Like legitimate software vendors, the developers of Neosploit are also concerned about the effect of piracy on their bottom line. To counter piracy, they have included new anti-piracy measures in this version. 
It is not known whether the news of its demise was merely a red herring or whether the developers decided to start developing a new version that incorporated features that could recoup some of the losses experienced from piracy or the prevalence of cheaper toolkits.<br /><br />More information about malicious toolkits and other trends in the underground economy can be found in the Symantec <em><a href="http://www.symantec.com/business/theme.jsp?themeid=threatreport" target="_blank">Report on the Underground Economy</a></em>.
<p>You may have come across multilingual translations of your favorite book or a popular movie. It’s a surefire way to extend one’s work to a wider audience. The desire for an extra buck has driven spammers to adopt similar tactics for their campaigns. Recent messages observed offered a job that included relaying payments between banks. In return, the “recipient” is allowed to retain some percentage of the amount transferred. This is a type of scam that involves the illegal activity of money laundering.</p><p>Initial English-language spam attacks were followed by an Italian version within a space of ten days. The nature of the spam source (source IPs from different geographical locations) indicated that this attack was carried out through spamming bots.<br /><br /><strong>Sample headers in English</strong>:<br /><br />Subject: Vacancy! –cB<br />Subject: New Proposal! –aAzs<br /><br /><strong>Sample headers in Italian</strong>:</p><p><br />Subject: IL lavoro facile! –Tvtqp <br />(Translated: THE easy job! –Tvtqp)<br /><br />Subject: Il lavoro buono! -eI <br />(Translated: The good work! eI -)</p><p><img src="https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/mk_italiano1.jpg" border="0" width="420" height="300" /> </p><p><u>Italian Version Translation</u>:</p><blockquote><p>"A prosperous business is looking for representatives. Our company was founded in 2004 and there are many of our representatives all over the world. If you have 3 hours free per week, you could start an international collaboration with our firm and earn more than $2,000. If you are interested in our vacancy, write to our email address developmentgrou@[message details removed] and we will send you more information. Please write your address et cetera...</p><br />The [message details removed] Group"<br /></blockquote>
Let me introduce you to the new "Trojan kit," which is a member of the "…no, I don't require root privileges…" malicious code targeted toward Mac OS X. A while ago we received a sample of a new Trojan affecting the Apple operating system. OSX.Lamzev.A is the first sample we’ve seen from this threat family. It’s an easily customizable Trojan kit that could be the first of a long list of malicious code clones.<br /> <br />So, what do we mean by Trojan kit and what makes it stand out from the crowd? The only noteworthy feature is the way in which it infects clean applications—what this Trojan does is hijack a common feature that Mac OS X applications use to launch themselves—a smart but simple hack!<br /><br />Initially, when the Trojan is run, a command prompt will appear, in which the attacker can configure the application that he or she wants to “Trojanize” (figure 1). The Trojan needs to be executed inside the same path as the targeted application.<br /><br /><img src="https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ap_lamzev1.jpg" border="0" width="400" height="439" /> <br /><br /><strong>Figure 1</strong>: What a waste of such an interesting command prompt!<br /><br />The way that the Trojan manages to convert a clean application is by changing the CFBundleExecutable key inside the chosen application’s Info.plist file. So, what does this mean? “Plist” stands for Property List, and it's the main file used by OS X applications to hold user settings, as well as information related to the application itself. "CFBundleExecutable" is the key that identifies the bundle's main executable file that will be executed when you double-click on the application from Finder (or from the terminal: $ open Application.app). If an attacker changes that key and points it toward a malicious file, guess what the result is? 
Whenever the affected application is launched, first the back door will be executed, and then the original application will be started. Simple, but effective!<br /><br />During the “Trojanizing” phase, the attacker is asked to choose an application that:<br />• Must reside in the same path as the Trojan executable.<br />• Must match a service name from /etc/services with a port higher than 1024 (no root privileges required).<br /><br />At this point, the attacker only needs to type in the “hack” command (figure 2):<br /><br /><img src="https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/ap_lamzev2.jpg" border="0" width="415" height="409" /><br /><br /><strong>Figure 2</strong><br /><br />The Trojan will then perform the following actions to infect the application:<br /><br /><blockquote>1. The target application’s info.plist file will be Trojanized (CFBundleExecutable)<br /><br />2. File "1," which is the loader of the back door (see below), will be copied inside $ApplicationName.app/Contents/MacOS/. This file will be executed every time the Trojanized application is launched.<br /><br />3. The bundle's original main executable will be renamed as file "2" inside the same directory ($ApplicationName.app/Contents/MacOS)<br /></blockquote><br />Up to this point we have talked about the Trojan component and the back door component, but where are these things on your system? Once the affected application is launched, the loader (file 1) will drop a plist file in /tmp and will then move it back to ~/Library/LaunchAgents. The LaunchAgents folder holds all the login items for the given user (or eventually for the system /Library/LaunchAgents). 
In this case, it will hold the property list for running /bin/sh listening on the port of the chosen service (supplied earlier – see screen shot above), named com.apple.DockSettings, which is why the Trojan requires a service name that matches /etc/services:<br /><br /><blockquote><font face="times new roman,times">&lt;key&gt;SockServiceName&lt;/key&gt;</font><br /><font face="times new roman,times">&lt;string&gt;$ServiceName&lt;/string&gt;</font><br /></blockquote>This will ensure that even after a reboot, the back door will still be running, thanks to <a href="http://developer.apple.com/macosx/launchd.html" target="_blank">launchd</a>. After all of this, the Trojanized application is ready to be run on system start-up or whenever the target application is launched.<br /><br />OSX.Lamzev.A has nothing new to show to the anti-reversing/debugging scene; it just uses strip on the binaries in the same way as “all of the others.” The current version of this Trojan kit has several restrictions—the most important one is that somebody needs to be there on your machine, Trojanizing your application. In the future, one thing we could expect to see is an automated OSX.Lamzev.A. <br /><br />In order to ensure the safety of your system, never trust an application if you don't know where it has come from. Also, keep your system patched with the latest security updates. For information on the removal of OSX.Lamzev.A, you can check out <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2008-111315-1230-99" target="_blank">our write-up here</a>.<br /><br />More and more malware has emerged for Mac OS X recently. All of the Mac OS-targeted malware we’ve seen still affects the BSD subsystem or is a BSD-style infection. We haven’t yet seen anything that completely relies on the Mach subsystem or Cocoa.<br /><br />Certainly, the number of threats for the Mac OS is still small when compared to the hordes of families aimed at more traditional OS targets. 
However, at the moment, it seems as if more malware writers are seeing Mac OS as a world worthy of exploration. As they continue to push the boundaries of the threat landscape, we’ll be there to keep you informed!
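As an added example (not code from the Symantec post or from the Trojan kit itself), here is a Python check for the two artefacts the post describes on a user's Mac: an application bundle whose CFBundleExecutable has been pointed at a loader named "1" with the original binary displaced to "2", and a launch agent that runs a shell bound to a service name through SockServiceName. The bundle and the launch agent plist are constructed in a temporary directory so the script runs anywhere; the Sockets/Listeners nesting around SockServiceName, the service name svc-constructed and the "-i" argument are assumptions of the example, not details quoted from the post.

```python
# Added example (not from the Symantec post): a defensive check for the two
# artefacts the post describes, a rewritten CFBundleExecutable plus a
# launchd agent that runs a shell on a named service port.
import os
import plistlib
import tempfile

# Interpreters a launch agent has no business wrapping around a listening socket.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/bin/csh"}


def build_sample(root):
    """Construct (not captured) a Trojanized-looking bundle and launch agent.

    Layout follows the post: CFBundleExecutable points at loader '1', the real
    binary sits beside it as '2', and a LaunchAgents directory holds
    com.apple.DockSettings with a SockServiceName.  The Sockets/Listeners
    nesting and the service name are assumptions of this example.
    """
    app = os.path.join(root, "Foo.app")
    macos = os.path.join(app, "Contents", "MacOS")
    os.makedirs(macos)
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleName": "Foo", "CFBundleExecutable": "1"}, f)
    for name in ("1", "2"):
        open(os.path.join(macos, name), "wb").close()

    agents = os.path.join(root, "LaunchAgents")
    os.makedirs(agents)
    agent = {
        "Label": "com.apple.DockSettings",
        "ProgramArguments": ["/bin/sh", "-i"],
        "inetdCompatibility": {"Wait": False},
        "Sockets": {"Listeners": {"SockServiceName": "svc-constructed"}},
    }
    with open(os.path.join(agents, "com.apple.DockSettings.plist"), "wb") as f:
        plistlib.dump(agent, f)
    return app, agents


def check_bundle(app):
    """Return a list of findings for one .app bundle."""
    findings = []
    with open(os.path.join(app, "Contents", "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    exe = info.get("CFBundleExecutable", "")
    macos = os.path.join(app, "Contents", "MacOS")
    present = set(os.listdir(macos)) if os.path.isdir(macos) else set()
    if exe.isdigit():  # heuristic for this kit's naming; legitimate apps use real names
        findings.append(f"CFBundleExecutable is the bare number '{exe}'")
    if exe and exe not in present:
        findings.append(f"CFBundleExecutable '{exe}' does not exist in Contents/MacOS")
    if {"1", "2"} <= present:
        findings.append("loader '1' and displaced original '2' both present in Contents/MacOS")
    return findings


def _sock_service_names(obj):
    """Collect every SockServiceName value under a launchd Sockets dictionary."""
    names = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "SockServiceName" and isinstance(value, str):
                names.append(value)
            else:
                names.extend(_sock_service_names(value))
    elif isinstance(obj, list):
        for value in obj:
            names.extend(_sock_service_names(value))
    return names


def check_launch_agents(agents_dir):
    """Return (plist name, program, service names) for agents that bind a shell to a socket."""
    hits = []
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(agents_dir, name), "rb") as f:
            plist = plistlib.load(f)
        args = plist.get("ProgramArguments") or [plist.get("Program", "")]
        services = _sock_service_names(plist.get("Sockets", {}))
        if args[0] in SHELLS and services:
            hits.append((name, args[0], services))
    return hits


def run_demo():
    """Build the constructed sample in a temp dir and return both checks' results."""
    root = tempfile.mkdtemp()
    app, agents = build_sample(root)
    return check_bundle(app), check_launch_agents(agents)


if __name__ == "__main__":
    bundle_findings, agent_hits = run_demo()
    for line in bundle_findings:
        print("bundle:", line)
    for name, prog, services in agent_hits:
        print(f"agent: {name} runs {prog} on service(s) {services}")
```

On a real system, point check_bundle at each .app under /Applications and check_launch_agents at ~/Library/LaunchAgents and /Library/LaunchAgents. The bare-number and "1"/"2" checks are heuristics tied to this kit's naming; the shell-on-socket check catches the persistence mechanism regardless of what the files are called.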
123People joined the legion of vertical search engines that specialize in finding people online. If you've ever tried to track down old classmates or get a handle on a potential employee's background, you know how much information Google returns. Do we really need something this specialized? Yes, we do. Keep reading to find out why, and whether 123People delivers....
<p>The online underground economy has evolved into a full-fledged marketplace where participants advertise and traffic stolen information, provide services to aid in the use of this information, and perform other illegal activities. Like any market-based economy, it is governed by the laws of supply and demand and, given enough supply, the goods available for purchase are virtually limitless.</p><p><br />As stated in the Symantec <em><a href="http://www.symantec.com/business/theme.jsp?themeid=threatreport" target="_blank">Report on the Underground Economy</a></em>, credit card information was the most popular category of goods and services available for sale, accounting for almost one-third of the total observed. This category included credit card numbers, CVV2 numbers, expiry dates, and credit card dumps. (The CVV2 number is a three- or four-digit number on the credit card and is used for card-not-present transactions, such as Internet or phone purchases. This number helps to verify that the person completing the transaction is, in fact, in possession of the card. A credit card dump is the information contained within the magnetic stripe on the back of a credit card and contains the account number, expiration date, and may contain additional information such as the cardholder name.)</p><p><br />Credit card information is relatively easy to obtain and also easy to use. Some methods for obtaining this information include phishing schemes, using card skimmers to copy the magnetic stripe information, and hacking into databases that contain this sensitive information. The frequency of credit card usage may also contribute to increases in the rate of this type of theft, as it gives criminals more opportunity to steal the information. 
For example, in 2006 there were 22 billion credit card transactions in the United States alone.</p><p><br />Once obtained, it is often very easy to fraudulently use this information to generate a profit; individuals can make online purchases and then fence the goods acquired. Many online retailers are improving protections for their customers against these fraudulent transactions by instituting more security measures, such as requiring the CVV2 number when making a purchase. However, credit card numbers with corresponding CVV2 numbers, while more expensive than credit card numbers alone, are also available for purchase in the underground economy. Prices for credit card numbers ranged from $0.10 to $25 USD per number, depending on the country of issue of the card, sizes of bulk/discounted packages, and whether or not extra value items such as the CVV2 number or PIN were included.</p><p><br />Another popular category advertised on underground economy servers was bank account information. While this information may be trickier to use than credit card information, the ultimate payouts can be much larger. The average credit card limit advertised was $4,000 USD, whereas the average bank account balance advertised was a somewhat staggering $40,000 USD.</p><p> </p><p>One added appeal of bank account information over credit card numbers is that the added step of having to fence the purchases to realize a profit is not required because true currency can be withdrawn directly from the account. Prices for bank account information ranged from $10 to $1,000 USD per account, depending on the amount of funds available, the location, and the type of account. Advertised corporate and business accounts were more expensive, as they usually have higher advertised balances.</p><p><br />Symantec determined that the total potential worth of credit cards and bank accounts observed on the underground economy amounted to $7 billion USD. 
This value was based on the use of the goods, such as making fraudulent credit card purchases or cashing out bank accounts. Symantec used the median value for credit card fraud, average bulk purchase sizes, and average advertised bank account balances to calculate this potential worth.</p><p> <br />It is evident that the online underground economy is a rapidly growing sector of the criminal world, and consumers and enterprises should be extremely vigilant in protecting their personal information and being aware of any breaches to their data. Criminals may be getting smarter but there’s no reason why we can’t be as well.</p>
After last month’s ruckus made by Microsoft’s out-of-band patch, another threat leveraging the MS08-067 vulnerability was recently reported to have been causing more trouble in the wild.
A worm detected by Trend Micro as WORM_DOWNAD.A was found to use the MS08-067 vulnerability to propagate via networks. Trend Micro researchers also noticed high traffic on the affected system’s port 445 upon successful exploitation, after which it connects to a certain IP address to download a copy of itself.
The discovery of this threat is consistent with the spike in port 445 activity reported by DShield. Port 445 has raised security concerns in the past, as the port was used by the Sasser and Nimda worms that wreaked havoc years ago.
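As an added example (not from the Trend Micro post), the following Python script shows one way to spot the propagation pattern described above in firewall logs: a single host opening TCP/445 connections to many distinct peers in a short window, which is what a worm sweeping a subnet for MS08-067 looks like from the network's side. The log lines and their key=value format are constructed for the example; hosts that legitimately fan out on 445, such as vulnerability scanners or backup servers, go in the allowlist.

```python
# Added example (not from the Trend Micro post): flag hosts fanning out to
# many peers on TCP/445, the propagation pattern an MS08-067 worm produces.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a generic firewall format assumed for this example.
# 10.0.0.5 sweeps six hosts in eleven seconds; 10.0.0.9 only talks to one file
# server; 10.0.0.12 is ordinary web traffic; the last line is deliberately malformed.
SAMPLE_LOG = """\
2008-11-21T10:00:01 src=10.0.0.5 dst=10.0.0.17 dport=445 proto=tcp action=allow
2008-11-21T10:00:03 src=10.0.0.5 dst=10.0.0.18 dport=445 proto=tcp action=allow
2008-11-21T10:00:04 src=10.0.0.5 dst=10.0.0.19 dport=445 proto=tcp action=deny
2008-11-21T10:00:06 src=10.0.0.5 dst=10.0.0.20 dport=445 proto=tcp action=deny
2008-11-21T10:00:09 src=10.0.0.5 dst=10.0.0.21 dport=445 proto=tcp action=deny
2008-11-21T10:00:12 src=10.0.0.5 dst=10.0.0.22 dport=445 proto=tcp action=allow
2008-11-21T10:00:02 src=10.0.0.9 dst=10.0.0.17 dport=445 proto=tcp action=allow
2008-11-21T10:00:30 src=10.0.0.9 dst=10.0.0.17 dport=445 proto=tcp action=allow
2008-11-21T10:01:10 src=10.0.0.9 dst=10.0.0.17 dport=445 proto=tcp action=allow
2008-11-21T10:00:05 src=10.0.0.12 dst=198.51.100.7 dport=80 proto=tcp action=allow
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=tcp"
)


def parse_log(text):
    """Parse the constructed format into (timestamp, src, dst, dport) tuples.

    Lines that do not match are skipped rather than aborting the run.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def peak_smb_fanout(events, window=timedelta(seconds=60)):
    """For each source, the most distinct hosts it touched on TCP/445 within any window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == 445:
            by_src[src].append((ts, dst))
    peaks = {}
    for src, hits in by_src.items():
        hits.sort()
        best = 0
        for i, (end, _) in enumerate(hits):
            # Distinct destinations in the window that closes at this event.
            seen = {dst for ts, dst in hits[: i + 1] if end - ts <= window}
            best = max(best, len(seen))
        peaks[src] = best
    return peaks


def smb_fanout_alerts(text, threshold=5, allowlist=frozenset()):
    """Sources whose peak 445 fan-out reaches the threshold, minus known-good scanners."""
    peaks = peak_smb_fanout(parse_log(text))
    return {src: n for src, n in peaks.items() if n >= threshold and src not in allowlist}


if __name__ == "__main__":
    for src, n in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"possible worm propagation: {src} reached {n} hosts on TCP/445 within 60s")
```

Denied connections count as much as allowed ones here, since a worm probing addresses that do not exist is exactly the noise DShield's sensors pick up; tune the threshold and window to the size of your subnets.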
However, this worm seems to be just one half of a worm duo that is spreading trouble these days. Systems affected by WORM_DOWNAD.A were found to be also infected by another worm, detected as WORM_NETWORM.C. WORM_NETWORM.C also exploits MS08-067, attempts to log in to affected systems through a list of strings, and also opens port 445 to connect to certain IP addresses.
The relation between WORM_DOWNAD.A and WORM_NETWORM.C is still undetermined, but it is likely that both worms are key components in the development of a new botnet. Botnet operators were predicted to change ways after web host McColo was shut down earlier this month, and this may just be it.
Botherders are finding spam operations that employ hosts such as McColo too much of a risk. Considering that a shutdown such as what happened with McColo may strike a killer blow to a botherder’s operation, herders are using other means to gather zombies for their botnets. Advanced Threats Researcher Ryan Flores says, “I think botherders are refreshing their bot networks with new machines through this new exploit.”
Users are already protected from this threat through the Smart Protection Network, and as if it couldn’t be stressed enough, everyone is advised to update their systems with the patch provided by Microsoft.
Updated 8:57 PM, PST: Upon further analysis, our engineers have determined that there is no solid evidence to verify the relationship between the two worms. They postulate that the only possible relationship between DOWNAD and NETWORM, considering that NETWORM fails to send the shellcode, is that DOWNAD may be an updated version of an attack originating from the same botnet gang.
So the time has come for you to consider, or more likely than not to reconsider, your SEO strategy. Perhaps you're new to the game and don't even know what SEO is. Don't worry, we'll explain it. We'll also explain some tactics that seem at first glance to be good ideas but really aren't. Best of all, we'll show you how to spot these bad ideas so your site doesn't pay the consequences....
<p>One topic of discussion in the recently released Symantec <em><a href="http://www.symantec.com/business/theme.jsp?themeid=threatreport" target="_blank">Report on the Underground Economy</a></em> is software piracy. Software piracy occurs primarily in two basic forms: physical counterfeiting and file sharing. Counterfeiters create unauthorized physical copies of software intended for sale as legitimate products (though often the attempt to create a realistic valid copy is minimal). The motivation of counterfeiters is typically financial gain, and customers who know that the software is counterfeit are likely trying to save money. In contrast, piracy by means of file sharing—whether by copying a disc for a friend, uploading files using a peer-to-peer (P2P) application, or some other means—is not typically profitable for the people who share the files. The advent of rapid P2P file-sharing protocols has provided a readily available means for people to distribute and obtain software essentially free of charge.</p><p><br />While both methods of piracy financially affect the legitimate software producers, P2P-based piracy may also affect counterfeiting operations. As broadband Internet penetration increases and digital distribution becomes more mainstream, many people who knowingly purchase counterfeit software may turn to P2P-based piracy to save money, thus cutting into the profitability of counterfeiting. This is an interesting perspective that in some ways makes P2P-based software piracy seem like the lesser of two evils. However, the effect on legitimate producers could be substantial either way. While analyzing data for the report, Symantec observed software piracy that represented over $83 million (USD) in retail costs. Considering that this was only a small sample of the total software piracy occurring over one protocol over a brief period of time, the value is substantial. 
A <a href="http://www.itwire.com/content/view/12171/53/" target="_blank">study conducted in 2007 </a>estimated the annual cost of software piracy worldwide to be nearly $40 billion (USD).</p><p>Nearly half of all the software piracy activity that Symantec observed was of desktop games, with none of the other software categories even coming close. The assumption from that might then be that the desktop game business sector would be the most affected financially; however, the multimedia applications category (which includes photo editors, 3D animation applications, and HTML editors) accounted for substantially more of the total piracy costs observed than desktop games, despite a substantially lower volume of pirated files. This is because the average manufacturer’s suggested retail price (MSRP) for multimedia applications is typically much higher than those of desktop games, $1,300 (USD) for multimedia compared to just $50 (USD) for desktop games. Thus, of the $83 million estimated total for software piracy observed, multimedia applications accounted for over $53 million of that and desktop games for just over $8 million. </p><p><br />For a complete analysis of the software piracy activity observed by Symantec as well as discussion on other cybercrime activity occurring in the underground economy, please see the Symantec <em><a href="http://www.symantec.com/business/theme.jsp?themeid=threatreport" target="_blank">Report on the Underground Economy</a></em>.</p>
<p>As part of our continuous false-positive prevention efforts for antivirus signatures at Symantec, we research different areas that may help us in our quest. One area of particular interest is the utilization of clean data to prevent the manifestation of antivirus signatures that cause false positive conditions. As a result of this work, earlier this year Bartek, Julie, Catherine, and I co-authored a paper entitled “Clean Data Profiling.” The paper was subsequently published at the Virus Bulletin 2008 Conference in Ottawa in October and is made available <a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/clean_data_profiling.pdf" target="_blank">here</a> courtesy of the same organization. </p><p><a href="http://www.symantec.com/business/security_response/whitepapers.jsp" target="_blank">http://www.symantec.com/business/security_response/whitepapers.jsp</a></p>
<p>Although spam levels remain at a relatively low volume following the takedown of the spam host McColo last week, there is some evidence that spammers are starting to prepare for a rally. Late last week we observed the spam volume spike as much as 150% in an hour-to-hour comparison, which is about a seven percent increase since McColo was shut down.<br /><br />In addition to overall spam volumes, the percentage of spam messages containing the text/HTML content type mime part jumped to 55% of all spam, indicating a change in the overall makeup of spam. Prior to the McColo takedown, the overall percentage of spam messages containing the text/HTML content type mime part was over 55%, but after the takedown the average has been around 34%. This change indicates that a return to normal spam activity could be in the works.<br /><br />When we took a closer look at the spam contained in the spikes, it was revealed that there was an increased use of HTML. The spam messages were typical “Canadian Pharmacy” spam messages that were using short HTML messages with a varying set of domains in the URLs. The spam messages were being sent from compromised hosts around the globe.<br /><br />A copy of one of the spam emails shows the advertisement for Canadian Pharmacy, offering various medications:<br /><br /><img src="https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dm_spamvol1.jpg" border="0" width="432" height="446" /><br /><br />The URLs in the messages observed contained hundreds of domains that used the Chinese top-level domain (.cn TLD). The URLs all redirected to a smaller set of domains. Both the domains in the spam emails and the domains that they redirected to were being hosted on the same set of IP addresses located in China. The URLs in the messages used different name servers from the domains that they redirected to. 
All of the name servers were hosted on either the same IP addresses as the domains, or additional IP addresses also located in China.<br /><br />The spam messages were sent from various locations around the world and appeared to be coming from compromised servers or botnets. The top sources of the spam were the United States, Brazil, and China.<br /><br /><img src="https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dm_spamvol_graph.jpg" border="0" /><br /><br />The content of the actual website is familiar—it has appeared in association with Canadian Pharmacy spam messages sent out by SanCash/Affking, which was taken down earlier this year, as well as other spam networks.</p><p><br /><img src="https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/dm_spamvol2.jpg" border="0" /> <br /><br />Although worldwide spam volumes have only increased slightly overall since the McColo takedown, this recent spam activity indicates that spammers are still willing and able to continue sending spam out on previously seen levels. It seems to be only a question of when they are ready, so it is now just a matter of time.</p>
<p>Underground economy servers are black market forums used to advertise and traffic stolen information. The information can include government-issued identification numbers such as Social Security numbers, credit card information, bank account credentials, personal identification numbers, email address lists, and email accounts. They can also provide services to facilitate these illegal activities, including cashiers who withdraw funds from the stolen accounts, scam page hosting, and job advertisements for roles such as scam developers or phishing partners.</p><p><br />Symantec's <em><a href="http://www.symantec.com/business/theme.jsp?themeid=threatreport" target="_blank">Report on the Underground Economy</a></em> shows that there are a wide variety of goods and services being advertised on underground economy servers, and many of these goods and services form a self-sustaining marketplace. Participants in this fraud can obtain goods by a variety of means; credit card and banking information can be stolen by phishing schemes, monitoring merchant card authorizations, the use of magnetic card skimming devices, or breaking into databases and other data breaches that expose sensitive information; as well, email addresses can be obtained by downloading the contact lists in hacked email accounts, or even harvested from public areas of the Internet such as social networking sites and public forums, or from personal websites.</p><p><br />The profits from the sale of goods such as credit card information can be re-invested to develop better spam and phishing exploits for obtaining more data. Credit card information was advertised in the underground economy for between $0.10 and $25 USD per card and often sold in bulk packages. Participants can either buy new exploits and scams or hire developers to produce new ones. 
Not only can they use these spam and phishing exploits and attempts to build up their supply of sensitive information, but they can also sell these improved exploits to others. Also, profits from one exploit can be reinvested and used to hire developers for other scams, used to purchase new malicious code or new phishing toolkits, and so on. Spam and phishing exploits were advertised for an average of $10 or less.</p><p><br />Participants in the underground economy can use email addresses obtained from hacked databases or hacked email accounts in tandem with mass-mailers for sending out substantial amounts of spam or phishing emails. A botherder can program a botnet to automatically distribute spam to thousands of addresses. He or she can also buy email addresses in the underground economy, which were advertised for as little as $0.30 per megabyte of data.</p><p><br />In addition, compromised email accounts will often provide access to additional sensitive personal information such as bank account data, medical or school information, or access to other online accounts (social networking pages, etc.). From there, it is often simple for someone to go online and use the password recovery option offered on most registration sites to have a new password sent via email and gain complete access to these accounts. This danger is compounded by the habit many people have of using the same password for multiple accounts. </p><p>For more information about the underground economy, please see Symantec's <em><a href="http://www.symantec.com/business/theme.jsp?themeid=threatreport" target="_blank">Report on the Underground Economy</a></em>.</p>
It took three years, but Google and the Authors Guild reached a settlement in late October 2008 over the search engine's book digitization project. The deal benefits Google, the authors, and even the publishers, but the real winners are the readers. Keep reading for the details....
Like to fine tune Vista's User Access Control? Want to run more than 4GB of memory? Like to remove the arrows on shortcut icons?
Do all this and more with this free utility. Yes, it's like a Vista version of the famous Windows XP utility, Tweak UI. What's more it's portable and a tiny 367KB download.
Given the popularity of Trend Micro’s free online scanner HouseCall, it shouldn’t be a surprise that hackers are now trying to exploit it for their benefit.
Advanced Threats Researcher Ivan Macalintal found this unwelcome search result that comes up when a user searches for “free online virus scan by Trend Micro” in Google:
Figure 1. Fake HouseCall search result.
Clicking on this link brings up the fake scanner:
Figure 2. The software supposedly performs a system scan.
Figure 3. It warns users of bogus malware infection.
Not surprisingly, the system scan is completely fake. The page linked to from the Google search result, along with other pages on the same domain, all point to a file detected by Trend Micro as ADW_FAKEAV. This is the software that tries to dupe victims into believing that their systems are infected with some sort of bogus malware and then prompts them to pay for a full license of a fake antivirus application in order to remove the nonexistent threat.
ADW_FAKEAV also connects to a remote website and downloads another adware program detected as ADW_FAKEAV.O, so over the course of this process victims are exposed to further adware threats.
The sites hosting this adware are already blocked by the Trend Micro Smart Protection Network.
Solutions for the cleanup and removal of ADW_FAKEAV and ADW_FAKEAV.O are also provided by this technology.
This would not be the first time our products’ names were used in malicious operations. The following blog entries are about other threats that did that:
Trend Micro advises all users to go to our website for information on the products and services we offer.
Email messages supposedly sent by the popular department store chain Wal-Mart promise recipients a rather large sum of money simply for participating in a survey. The messages also state that the money will be credited to the respondent’s account once the survey has been completed. Here’s what the spammed message contains:
Congratulations!
You have been selected to take part in our quick and easy 9 questions survey
In turn we will credit $90.00 to your account - Just for your time!
The survey has been sent only to a few people from our random generator !
Please spare two minutes of your time and take part in our online survey
so we can improve our services.
Don’t miss this chance to change something.
To participate in this survey, Click Here
With the information collected we can decide to direct a number of changes to improve and expand our online services
Note:
-If you received this message in your SPAM BULK folder, that is because of the restrictions implemented by your ISP
-For security reasons, we will record your ip address, the date and time.
-Deliberate wrong imputs are criminally pursued and indicted
Copyright 2008 Wal-Mart Stores, Inc. All Rights Reserved.
Survey ID
WWLEKFTSYXDYVLUOSDMVCBRJEXCXCIRWTTFHDQ
A link to the “survey” is provided in the message. This is definitely a scam as Wal-Mart has no such survey, and is not paying potential victims of this scam $90 to answer nine questions. Spammers added some notes to make the email message more believable though. Warnings are written at the bottom of the mail such as the recording of the respondent’s IP address “for security reasons” and the more threatening “deliberate wrong inputs are criminally pursued and indicted.” Email messages are also marked High Priority.
Clicking on the link leads users to the phishing site
Scammers again seem to be exploiting the shopping frenzy that comes with the holidays. Christmas- and Thanksgiving-related Web threats often prey on users’ enthusiasm for purchasing products, whether online or not. Several Trend Micro blog entries also document other spamming operations that use similar social engineering techniques:
The Trend Micro Smart Protection Network already blocks this email message, keeping users away from the phishing website. Non-Trend Micro users are advised not to participate in surveys that arrive in unsolicited messages. Not clicking links in unwanted messages, or in messages from suspicious senders, also keeps systems safe from threats.
Making its way back in the wild is a WinCE malware that infects Windows mobile phones. Detected by Trend Micro as WINCE_CRYPTIC.A, this new variant uses the same old routines that made WinCE malware notorious before.
Advanced Threats Researcher Jamz Yaneza says it works as a typical companion virus because it stores the infection code in a separate file. Typical viruses infect files themselves, but WINCE_CRYPTIC.A does not. Instead, it creates “companion” files that reuse the names of the files already on the infected mobile phone’s storage card. These companion files contain the infection code, and when users run an application from the storage card, the malicious companion file runs first.
In essence, it does not infect the files themselves; the variation between copies comes from the malware’s polymorphic engine. Yaneza adds that the file could actually be considered a Trojan with some polymorphic functionality. Companion viruses work this way to avoid detection: users are tricked into thinking they are still running a legitimate application when in fact they are already executing the malware.
Users however, will notice changes in their infected mobile phones as WINCE_CRYPTIC.A changes the text and background colors of the affected device. Here are some screenshots:
WinCe malware changes a mobile phone’s display colors.
The malware may be distributed through memory cards. It may also be hosted on malicious websites and arrive on mobile phones through downloads. Yaneza believes that document sharing via infrared or Bluetooth could also be an avenue for infection, since a remote malicious user could easily pass documents to devices whose interfaces are left on.
With more users carrying Web-enabled mobile devices, malware authors are quick to adapt. From spam to ransomware, cybercriminals are exploiting mobile phone usage as a new avenue for profit. Interestingly, this malicious software deviates from the usual money-making schemes, such as the Symbian malware that extorts money from affected users. Symbian malware is notorious for locking phones and then asking users for money so the affected phones can be fixed.
WinCE malware in the past did not have this routine. Our researchers believe that creators of this new WinCE malware are testing the waters for a bigger threat on mobile devices.
The following mobile phone models may be affected by WINCE_CRYPTIC.A:
- Windows Mobile 5.0 Smartphone
- Windows Mobile 5.0 PocketPC/PocketPC Phone Edition
- Windows Mobile 6.0/6.1 Classic
- Windows Mobile 6.0/6.1 Standard
- Windows Mobile 6.0/6.1 Professional
The Trend Micro Smart Protection Network already detects WINCE_CRYPTIC.A and provides solutions for its cleanup and removal. Trend Micro meanwhile advises users to not download phone applications from unknown locations on the Web. WINCE_CRYPTIC.A itself does not run on PCs but files may be downloaded from there to mobile phones. Beamed applications and documents should also be handled with caution. The US National Institute of Standards and Technology also provides guidelines on mobile phone security.
<p>Microsoft Security Bulletin MS08-067 was an out-of-band security update released on October 23, 2008, to address a critical, remotely exploitable vulnerability that was being exploited in the wild. The <a href="http://www.securityfocus.com/bid/31874" target="_blank">Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability</a> addressed by the patch affects Windows 2000, XP, Server 2003, Vista, and Server 2008 to varying degrees. Ultimately the issue can be exploited by a remote attacker to install malicious applications on a target computer without the victim’s knowledge. <br /><br />Microsoft released a <a href="http://blogs.technet.com/photos/swiblog/images/3140946/original.aspx" target="_blank">detailed matrix</a> describing the risk that this vulnerability presents to different versions of Microsoft Windows. The matrix makes clear that this issue is exploitable by an unauthenticated attacker on Windows 2000, Windows XP, and Windows 2003. However, it is not exploitable on default configurations of Windows XP because the Windows Firewall blocks connection attempts to the required RPC interface. If the firewall is disabled, or the firewall is enabled but file/printer sharing is also enabled, then the issue is remotely exploitable on Windows XP. An attacker would need to authenticate to Windows Vista and Windows Server 2008 in order to exploit this issue.<br /><br />Several public exploits are currently available that leverage this issue. Typically an exploit needs to be reliable for a worm to incorporate it into its propagation routines. The nature of this vulnerability made it difficult for exploit authors to construct a single exploit that would successfully leverage the issue for all versions of Microsoft Windows at once. 
So, exploits were released that targeted specific versions of Microsoft Windows first, and the <a href="http://www.milw0rm.com/exploits/6841" target="_blank">first public exploit to surface</a> that wasn't a simple crash proof-of-concept leveraged the issue on Microsoft Windows platforms that were localized for traditional Chinese markets. Over the past month, exploit authors have discovered far more reliable methods to exploit this vulnerability and have released more stable exploits. The most reliable public exploit is incorporated into the <a href="http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/smb/ms08_067_netapi.rb" target="_blank">Metasploit Framework</a>—it contains many configurations that can be used to leverage this issue for a large array of Windows versions.<br /><br />When we first noticed worm-like malicious applications exploiting this vulnerability they were using the primitive exploits that were available at the time. In other words, exploits that targeted Chinese Windows systems. However, over the last 24 hours we are observing a new worm. It exploits MS08-067, but it uses the routines from the Metasploit Framework to exploit the following platforms:<br /><br />• Windows 2000 Universal<br />• Windows 2003 SP1 English<br />• Windows 2003 SP2 English<br />• Windows XP SP2 English<br />• Windows XP SP2 Arabic<br />• Windows XP SP2 Portuguese<br />• Windows XP SP2 Russian<br />• Windows XP SP2 Danish<br />• Windows XP SP2 Dutch<br />• Windows XP SP2 Finnish<br />• Windows XP SP2 French<br />• Windows XP SP2 Greek<br />• Windows XP SP2 Hungarian<br />• Windows XP SP2 Hebrew<br />• Windows XP SP2 Italian<br />• Windows XP SP2 Norwegian<br />• Windows XP SP2 Polish<br />• Windows XP SP2 Italian<br />• Windows XP SP2 Spanish<br />• Windows XP SP2 Swedish<br /><br />The routine to attack Windows 2000 systems is very reliable; however, at the moment, the reliability of the routines that attack other platforms is not known. 
</p><p>The worm targets TCP port 445 to exploit the issue, and if exploitation succeeds, the worm then creates an HTTP server on the compromised computer on a random port, for example:</p><div align="left">http://[EXTERNAL IP ADDRESS OF INFECTED MACHINE]:[RANDOM PORT]/[RANDOM STRING]<br /></div><p>The worm then sends this URL as part of its exploit payload to remote computers. Upon successful exploitation, the remote computer connects back to this URL and downloads the worm.<br /><br />We are currently observing an increase in IPs generating activity over TCP port 445 and we believe that this activity is at least in part related to the propagation of this malicious code:</p><p><a href="https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/siat_445activity_lrg.jpg" target="_blank"><img src="https://www-secure.symantec.com/content/en/us/enterprise/images/security_response/blogs/siat_445activity.jpg" border="0" width="336" height="331" /></a></p><p>SANS is also reporting a <a href="http://isc.sans.org/port.html?port=445" target="_blank">spike in activity</a> on TCP port 445. However, this was not the main reason behind our ThreatCon update. The aggressive propagation of this threat in our honeypot network was the main reason. We decided that the activity was significant enough to remind our customers of the importance of installing the MS08-067 updates. 
Symantec antivirus currently detects this threat as <a href="http://www.symantec.com/business/security_response/writeup.jsp?docid=200%208-112203-2408-99&tabid=2" target="_blank">W32.Downadup</a>, so please make sure that your antivirus software is up to date.<br /><br />We also recommend applying the following mitigating strategies:<br /><br />• Block access to TCP ports 139 and 445 at network perimeters.<br />• Ensure that computers connected to the network have host-based firewall software installed.<br />• Ensure that antivirus software is installed on all clients connected to the network and that the software is up to date.<br /><br />And please install the <a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx" target="_blank">update from MS08-067</a> as soon as possible. Microsoft has suggested a number of additional workarounds in the security bulletin, such as disabling the Computer Browser service. We advise customers to review those suggestions as well.</p><p><strong>* <u>Update</u></strong></p><p>Symantec IPS will detect and block this attack with the following signatures:</p><p>• MSRPC Server Service Buffer Overflow<br />• RPC Server Service BO2</p><div class='message-edit-history'><span class='edit-author'>Message Edited by SR Blog Moderator on </span><span class='local-date'> 11-26-2008</span><span class='local-time'> 07:19 AM</span></div>
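The propagation pattern described above, a burst of TCP/445 connections to many neighbours followed by victims fetching the worm from http://[infected host]:[random port]/[random string], turned into detection logic over constructed flow and proxy records. This is an added example, not Symantec's code or anything from the worm; the log format, addresses, thresholds and the list of "common" HTTP ports are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample flow records (not from the post): "timestamp src dst dport".
# 10.0.0.5 touches four neighbours on TCP/445 within seconds, as a propagating
# worm would; 10.0.0.8 makes an ordinary connection to one file server.
FLOW_LOG = """\
2008-11-25T10:00:01 10.0.0.5 10.0.0.17 445
2008-11-25T10:00:01 10.0.0.5 10.0.0.18 445
2008-11-25T10:00:02 10.0.0.5 10.0.0.19 445
2008-11-25T10:00:03 10.0.0.5 10.0.0.21 445
2008-11-25T10:00:04 10.0.0.8 10.0.0.2 445
2008-11-25T10:00:10 10.0.0.21 10.0.0.5 4732
"""
# Constructed sample proxy records: "timestamp src url". The first mimics the
# http://<ip>:<random port>/<random string> download URL the post describes.
HTTP_LOG = """\
2008-11-25T10:00:10 10.0.0.21 http://10.0.0.5:4732/kxqzv
2008-11-25T10:00:11 10.0.0.9 http://intranet.example/index.html
2008-11-25T10:00:12 10.0.0.9 http://10.0.0.3:80/a
"""

def smb_fanout(flow_log, threshold=4, window=timedelta(seconds=60)):
    """Sources contacting >= threshold distinct hosts on TCP/445 within one window."""
    per_src = defaultdict(list)
    for line in flow_log.splitlines():
        ts, src, dst, dport = line.split()
        if dport == "445":
            per_src[src].append((datetime.fromisoformat(ts), dst))
    suspects = {}
    for src, events in sorted(per_src.items()):
        events.sort()
        for i, (t0, _) in enumerate(events):
            dsts = {d for t, d in events[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                suspects[src] = len(dsts)
                break
    return suspects
# Bare IP host, explicit port and a single alphanumeric path segment.
CALLBACK_URL = re.compile(r"^http://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})/([A-Za-z0-9]+)$")
def callback_urls(http_log, common_ports=(80, 443, 8080)):
    """(client, server_ip, port) for fetches shaped like the worm's download URL."""
    hits = []
    for line in http_log.splitlines():
        _, src, url = line.split(maxsplit=2)
        m = CALLBACK_URL.match(url)
        if m and int(m.group(2)) not in common_ports:
            hits.append((src, m.group(1), int(m.group(2))))
    return hits

def likely_infected(flow_log, http_log):
    """Hosts that both fan out on 445 and serve a callback URL: strong worm signal."""
    servers = {ip for _, ip, _ in callback_urls(http_log)}
    return set(smb_fanout(flow_log)) & servers
```

Either signal alone produces false positives (vulnerability scanners fan out on 445; some intranet apps live on bare IP and odd ports), so the correlation in `likely_infected` is the part worth alerting on.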