13 Jul Nirvana for cybercriminals?
23 Apr Checking your credit card
06 Aug Taking down botnets
Today Microsoft is ending support for XP/Service Pack 2. According to reports there are still a lot of machines running XP/SP2. So this sounds like a serious problem, right? Actually, I’m not convinced of that.
Let’s look first at consumer machines – those which aren’t being centrally managed. Why would these machines still be running SP2? Obviously, Windows Updates must have been disabled. I can only think of two main reasons why that would be the case: either a malware infection which is somehow preventing WU from working, or people have disabled WU on pirate versions to be sure they can continue to use Windows without having to pay for it.
In the first case, infection already occurred. In the second case, it’s very unlikely that the machine was ever patched after the initial SP2 install. That means that such machines are vulnerable to exploits for any XP vulnerability discovered after August 25, 2004, when SP2 was released. In other words, these computers have been vulnerable for a long, long time.
What about the business environments still running SP2? In the vast majority of cases the admins will have decided that the time just isn’t ripe for SP3. SP3 was released just over two years ago. If admins haven’t rolled out SP3 yet, it seems pretty unlikely that the other software they’re running - such as Office and Adobe Reader – is going to be up to date. These are the same companies that are still running Internet Explorer 6.
Given all this, I don’t think ending support for SP2 will create any sort of nirvana for cybercriminals. All the unpatched (and attackable) machines have been this way for a long time now – and chances are, if they were going to be infected, it would have happened a long time ago.
This week I received a letter from American Express which stated that my credit card had been temporarily blocked because of potential fraudulent activity. It also said that I needed to call a number to confirm the recent transactions and get the card unlocked.
That seems like a very reasonable thing to do. However, the number they asked me to call was not listed on the American Express web site. Though the letter seemed legit, I did the only right thing – call their regular number and work things out from there. While digital phishing is the current hot thing to do, there are still criminals forging good old snail mail letters to trick users.
It turned out that the number listed was a direct number to their fraud department which isn’t listed on the site. I’ve requested American Express to change their practices.
I was just looking at Facebook to check for spam and scams when I found this:
I've blurred out a few things for privacy, and, most crucially, safety. The point of this post is the domain name. The spaces around the dot and the zero in "C0M" are just as they were in the original spam message. If spammers are going to the trouble to obfuscate their messages, it seems to show that Facebook's spam filters are having some effect. Malformed links mean that you have to make a serious effort to actually go and visit the spammer site. And consequently, if someone's going to go through all that trouble, they're more likely to buy into whatever scam is at the other end.
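The obfuscation described above (whitespace padding around the dot, a zero standing in for the "o" in "C0M") is exactly what a spam filter can normalise away before matching. The following Python script is an added example, not code from the original post or from the blog's authors: it scans a few constructed sample messages (the sample text and the short list of known TLDs are assumptions) and reports hostnames that only become a plausible domain after whitespace is stripped and digit homoglyphs in the TLD are mapped back to letters, while leaving ordinary links and sentence boundaries unflagged.

```python
import re
from typing import List, Tuple

# Constructed sample messages (not from the original post). The first and
# third mimic the pattern the post describes: spaces around the dot and a
# digit standing in for a letter in the TLD.
SAMPLE_MESSAGES = [
    "omg check this out www . example-deals . C0M free stuff",
    "meet me at the library tomorrow at 5",
    "new pics at photos-share . c0m/album",
    "our site is http://intranet.example.org/page",
    "Thanks for the help. Meet you at noon.",
]

# Small assumed allow-list of TLDs; real ASCII TLDs contain no digits, so a
# digit in the final label is a strong homoglyph signal.
KNOWN_TLDS = {"com", "net", "org", "info", "biz", "nl", "ru", "co", "uk"}

# Digits commonly substituted for letters in an obfuscated TLD.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# One or more labels, each optionally padded with spaces/tabs around its
# trailing dot, followed by a TLD-shaped final label. The look-arounds stop
# matches from starting or ending in the middle of a word.
HOST_RE = re.compile(
    r"(?<![\w.])((?:[a-z0-9-]{1,63}[ \t]*\.[ \t]*){1,4}[a-z0-9]{2,6})(?![\w.])",
    re.IGNORECASE,
)


def normalize_host(raw: str) -> str:
    """Collapse padded dots, lower-case, and undo digit homoglyphs in the TLD."""
    compact = re.sub(r"[ \t]*\.[ \t]*", ".", raw).lower()
    labels = compact.split(".")
    labels[-1] = labels[-1].translate(HOMOGLYPHS)  # only the TLD is mapped
    return ".".join(labels)


def find_obfuscated_domains(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (raw, normalized, reasons) for each obfuscated hostname in text.

    A candidate is reported only if its normalized TLD is a known TLD (this
    filters out sentence boundaries such as "help. Meet") and at least one
    obfuscation reason applies. Plain, well-formed hostnames are not reported.
    """
    findings = []
    for match in HOST_RE.finditer(text):
        raw = match.group(1)
        normalized = normalize_host(raw)
        if normalized.rsplit(".", 1)[-1] not in KNOWN_TLDS:
            continue
        reasons = []
        if re.search(r"[ \t]\.|\.[ \t]", raw):
            reasons.append("whitespace around dot")
        if re.search(r"\d", raw.rsplit(".", 1)[-1]):
            reasons.append("digit in TLD (homoglyph)")
        if reasons:
            findings.append((raw, normalized, reasons))
    return findings


def scan_messages(messages: List[str]) -> List[Tuple[str, List[Tuple[str, str, List[str]]]]]:
    """Run the detector over a batch and keep only messages with findings."""
    results = []
    for msg in messages:
        found = find_obfuscated_domains(msg)
        if found:
            results.append((msg, found))
    return results


if __name__ == "__main__":
    for msg, found in scan_messages(SAMPLE_MESSAGES):
        print(f"FLAGGED: {msg!r}")
        for raw, normalized, reasons in found:
            print(f"  {raw!r} -> {normalized}  ({', '.join(reasons)})")
```

The TLD allow-list is what keeps the detector quiet on ordinary prose: a period followed by a capitalised word looks like a padded hostname to the regex, but "meet" is not a TLD, so it is discarded before any reason is recorded. Only the final label is run through the homoglyph map, because digits are legitimate in other labels (think "web2") but never in an ASCII TLD.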
As you've most probably read by now, search engine providers have been working on providing so-called real time search results. These results include queries to, for instance, Facebook, Twitter and Myspace.
We may not all realize this, but we have just turned yet another technological corner. Everyone will have exponentially more and faster access to personal information now including data from social networks. Everyone naturally includes cybercriminals.
In my opinion, cybercriminals now have a great new opportunity to combine two major threat vectors - Black Hat Search Engine Optimization and social networks. Now turnaround will be faster and more people will see the malicious links created by black hat SEO – something search engines have already failed to control.
This is important, because to date attacks via social networking sites aren't yet as prevalent or sophisticated as they could be. The gang behind Koobface has recently stepped up their game but overall isn't really technically advanced. In fact, from where I sit, the development of malware that's targeting social networks is really reminiscent of that of IM-Worms some years back. It's the same situation: your friend's compromised account is used to persuade you to click on a malicious URL. So we'll probably soon see the social engineering approaches used to spread social networking threats following a similar evolutionary path.
I'm also concerned about how real time search results will affect our online privacy.
Clearly, it's no coincidence that Facebook introduced their new set of privacy guidelines just days before Google introduced real time search. The recommended Facebook settings - which surely will be used by the vast majority of the Facebook community - put a lot of information into the public and semi-public domains.
Yes, this approach will definitely make real time search results more effective. But I definitely think that the recommended settings expose too much PII.
What does this hold for the future? I'm convinced that real time search is just in its infancy. I'm positive that soon enough search engine providers will offer everyone the opportunity to use real time search with their Facebook/Twitter/MySpace/etc. credentials. This would then allow people to more effectively crawl what their friends - or friends of friends - are up to. An opportunity that the cyber criminals will surely not let go to waste.
Today we got another DDoS attack on Twitter. A lot of people are asking why Twitter doesn't seem to be coping with attacks like these. And at the same time there are more and more people jumping on the bandwagon saying stay away from Adobe products.
What's the link? Two extremely high profile companies which are being targeted by various cyber criminals around the world. In addition, both of these companies have less than outstanding track records when it comes to security issues.
But that's pretty much where the parallel ends. Looking at Twitter over the course of this year, what conclusions can we draw?
Let’s start with a few facts. Last week the Dutch police arrested a 19 year old Dutch man for selling a botnet to a Brazilian, who was also arrested. The ‘Shadow’ botnet is made up of around 100 000 infected machines.
However, the arrest isn’t the end of the story. The Dutch police are working to help the victims. One of the steps they’re taking is informing users that Kaspersky Lab websites include removal instructions (created at the request of the Dutch High Tech Crime Team) on how to get rid of the malware which transformed machines into bots.
The case raises a number of security questions which need to be discussed once the botnet has been dismantled. But in the meantime, if you think your computer might be part of the Shadow botnet, check it with an online scanner such as Kaspersky Online Scanner, and read the removal instructions we’ve posted here. The botnet does include machines from around the world, so you’re not automatically safe just because you don’t live in the Netherlands.
Do remember that the removal instructions only apply to the malware which has been used to create the botnet. These programs may have downloaded additional malware to your machine, so make sure you also scan your computer with an up-to-date antivirus solution.
Today our spam traps caught a phishing email targeting Paypal users that we detect proactively as Trojan-Spy.HTML.Fraud.gen.
Of course such emails normally aren't anything special - the interesting bit about this one is that it's in Dutch. This falls in with my prediction towards the end of last year that we'd start to see an increase in the use of Dutch (which is, after all, a minority language) in cyber scams.
A bit of searching through our archives showed that this mail was a re-run from an attack that occurred last week. This indicates that the first one was probably reasonably successful – if not, why resend the same email?
Although it's pretty good, the Dutch is not exactly perfect. This in itself might alert users to the fact that something is not quite legitimate. And the bad guys forgot another major factor – although the email is in Dutch, the site that it links to isn't. Hopefully this will act as a red flag so that recipients don't enter their data on the site.
Last week there was a lot of speculation going round that Paris Hilton has changed her sexual orientation. A couple of years ago when she was making the news, IM-Worm authors played on this. With these latest rumours – I am an AV researcher after all - I immediately thought that the bad guys would find some way to use these rumours. Unsurprisingly, this prediction turned out to be true. Over the last couple of days we've seen spam being sent out which contains a link in it claiming to be a Paris Hilton video.
The social engineering is obvious – although it's amusing that the video title mentions men rather than women. Putting this aside, it's rather an odd case from a technical point of view.
The URL leads to a simple Trojan-Downloader which is packed using FSG. It doesn't have any anti-AV functionality. In turn the Downloader downloads two files, one for harvesting email addresses from the victim machine and one for sending out spam. One of those is stuffed with anti-AV techniques.
Of course, using Trojan-Downloaders is extremely common these days. What's strange is the combination of such a simple Trojan-Downloader which downloads highly sophisticated malware.
And given that the Trojan-Downloader will be heuristically detected by quite a number of virus scanners, including ours, the chances of actually getting infected are slim. This leaves me wondering if this unusual combination was created by the authors by accident, or by some strange design.
After blogging about Dutch language spam last week, we've seen more of it yesterday.
The criminals sent out almost the exact same messages that we saw last time, with the same subjects: a girl called Polina looking for a friend and a nuclear accident in Amsterdam. The only differences are that the date of the 'nuclear accident' has been changed, and the spam was sent on a much larger scale.
Once again, the attachment is a new Zbot variant, which we detect as Trojan-Spy.Win32.Zbot.di.
I must say that there are interesting times in the Netherlands. Normally we don't see Dutch used often in spam and phishing emails, but there's been a real spike the last 10 days.
It began last week on Monday with two simultaneous spam runs in Dutch: one about a supposed nuclear accident in Amsterdam and one purportedly from a girl called Polina who was in need of a 'friend'. Both of these spam runs tried to convince the user to install one and the same codec, which in reality was a Trojan-Spy.Win32.Zbot variant.
After this incident there was a spam run in Dutch concerning helpnumee.com. This site claimed to be part of the Aids foundation and was asking for donations. Obviously this was a fraud.
And then last night I saw a Dutch phishing email trying to steal Windows Live logins. We've notified the local CERT and hope that the site gets taken down promptly.
The quality of the Dutch varies from incident to incident, but overall has greatly improved over the attacks from six months ago. The Windows Live phishing email was an exception: it was written rather badly. However, the sad reality could be that the attackers are trying to mimic teenage slang as part of their social engineering strategy.
If these incidents are a sign of more to come, then I foresee 2008 being a very interesting year for Dutch users.