20 May Jumcar. From Peru with a focus on Latin America [First part] Jorge Mieres
18 May NoSuchCon 2013 Stefano Ortolani
17 May Malicious PACs and Bitcoins Fabio Assolini
13 May Telecom fraud — phishing and Trojans combined Dong Yan
27 Apr CeCOS VII Michael
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
Earlier today we intercepted a number of mailings with a new Warezov downloader. The good news is that it's already detected as Email-Worm.Win32.Warezov.pk, which we added to our database two days ago.
What's interesting about the mails is that along with the usual executable (which in this case is called "access.exe") the messages have a couple of PDFs attached.
The PDFs, which are otherwise harmless, contain alleged financial transactions. Here's an example:
If you get tricked by these and get to run the executable, it will contact kitinjderunhadsun.com and download another executable from there. This second exe is 91095 bytes in size, and we detect it as Email-Worm.Win32.Warezov.iq.
We detected the first version of Warezov almost one year ago and after all this time, the gang behind these worms is still roaming free. I'm really looking forward to the day they get caught.
Online banking and security still seem to have only the most tenuous relation to each other. Even though more and more German banks are moving towards implementing HBCI, an independent protocol for online banking, (entering a PIN number via an external card-reader, which may have its own display) the investment needed (between 70 and 170 euros) is frightening a lot of customers off.
It seems that some of the British banks have been thinking about this, and drawing their own conclusions. A recently published article covers a major British bank's refusal to implement two factor authentication: apparently the increased popularity of online banking shows that 'customers already feel safe on the Internet', without the need for extra hardware. But if the bank has the feeling that customers are blissfully happy, perhaps they should dig a little deeper.
Banks which don't implement appropriate security may find themselves dealing with satisifed customers like the German woman who recently came to us for help. Her antivirus solution (not ours, I should hasten to add!) malfunctioned. The consequence - a Trojan got away with a smooth 5000 euros from her account. The local prosecution service suspended the investigation, because the attack could only be traced back to a computer located at a university. The bank, meanwhile, has spent more than a month trying to push the blame back onto the customer. The happy customer, who thought that the combination of antivirus software and PIN/ TAN would keep her assets safe...
ComputerWeekly.com provided us here at KL with a giggle today.
Boy, are we glad that it wasn't one of us :-))).
Yesterday I came across something interesting. An email caught by some of our mailtraps, written in poor Dutch, about a site which can get you free sex.
Obviously I was interested in the matter as this didn't look like a typical spam email. These days most Dutch spam emails are about casinos. The site mentioned in the email contained a version of the popular MS XML exploit, MS06-71. We already detected this particular variant as
The purpose of the exploit is to download and execute a backdoor, which we are now detecting as Backdoor.Win32.VB.bcv. After discovery we notified GOVCERT, the Dutch CERT, and they acted quickly to have the site taken down.
Next to this incident we're also picking up increased activity of the gang behind the later variants of Backdoor.Win32.MSNMaker, which is mostly spreading in The Netherlands as well.
Malicious emails/messages tailored to the Dutch market have been rare, but they are on the up. People can no longer assume that emails/messages in Dutch are automatically benign and will have to start being more careful.
This morning I received the following message in my Yandex.ru inbox:
Thank you for using the Yandex.ru national email service!
Recently, many email accounts have been opened for the purpose of sending spam. As a result, we have actively begun to delete these addresses from the server.
At present, all email accounts with suspicious names - including yours - have been put on a blacklist, and all users are being asked to re-authorize their account using the following link: http://r.yandex.ru/****/yandex/?id=02cfdd227b9735c35a8288f37c020cd2&p=blacklist&mt=0.090866193010010
Once you have completed the re-authorization process, your email address will automatically be removed from the blacklist, because it means you will have confirmed reading this email, which could not happen with a spammer address.
All email addresses that are still on the blacklist as of August 2007 will be deleted from our server, striking a major blow against spammer organizations and improving Yandex.ru email services.
Don’t forget - if you receive an email with advertising content that you did not request, you can report it as spam. The Yandex.ru administration reviews all complaints and will modify its filtering algorithms for new kinds of spam.
Thanks again for using Yandex.ru.
I was only half awake when I read this and I almost followed the instructions in the email. But common sense prevailed: I suspected something was fishy and I decided to check this out. Turns out I was right: the address shown in the browser’s status bar when you move the cursor over the link is http://r.yandex.ru/..., which actually takes you to a page hosted by the freebie service tu1. ru. If you go directly to the address (by copying it from the browser window), you will find that there is no such site.
If you look deeper, you will find several other minor things that don’t match up:
This is a classic example of phishing. Phishing Russian services is still uncommon. As far as I can remember, this is the first mass phishing email using @yandex.ru addresses - at least of the ones that have got around spam filters. This gives phishers an element of surprise, and there's no doubt that they'll manage to harvest numerous passwords, even if their ploy is primitive and poorly thought out (if, for example, there are none of the careless mistakes such as the ones listed above).
It is easy to avoid phishing if you follow some simple rules: always make sure that the domain name of the link is question is authentic. In order to do this, you should not just click on it, but copy and paste it into a new browser window. If you do this, even the slickest phisher tactics used to disguise the real URL won't work.
If you do fall for a phishing ploy and you entered your password on the page they sent the link to, change your password as soon as possible.
There's been quite a lot in the news lately about a mini-epidemic caused by Trojan.Win32.Small.mi. Since the attack started on June 15th, the number of compromised sites (and infected users) has been increasing.
If you've been following the media, you'll know that the majority of sites affected are in Italy. Although Small hasn't caused anything like the havoc wreaked by the worm epidemics of 2004/ 2005, Italian TV went so far as to warn viewers of the danger - both with a short item on the midday news, and by running a warning across their news ticker. This is something that hasn't been seen in Italy since Slammer first hit.
A nice example of an offline approach to online security.
Virus writers didn't take any time off over the public holidays, and the results of their labour have made their way into our May miscellany.
The summer holidays are coming up, and although it's unlikely we'll see worm epidemics on the scale of those in 2004/5, we'll still have plenty of work to do. See you in June for the next issue of our Miscellany!
A few days ago the Inquirer published a interesting little article talking about how Google hadn't returned the search results he wanted, but instead told him his computer might be infected with a malicious program. And today one of our clients got caught the same way – the ubiquitous search engine was displaying the same error message to lots of the company's staff.
I'm interested in why this happened. It's not very difficult to find a possible answer: a lot of spammers use Google to find the emails of potential victims and automate this task by using little scripts which may be run from infected machines. So Google can implement a temporary block which is lifted when the user correctly responds to Google's captcha by entering the letters and numbers shown, proving that s/he is not a spambot.
We've managed to reproduce the suspicious behaviour that can get a human user getting locked out of Google. And once the user's been locked out, his/ her IP address get's blacklisted. This can be a problem if the user is coming in via a proxy server – it will be the proxy that will be seen as the attacker, and the proxy that gets blocked. Which means that all the users coming in via the same proxy will also be subject to the same restrictions, until someone correctly solves the captcha. It would of course be helpful if the Google warning clearly stated that it could be the proxy, rather than the user's computer, which is suspected of being a bot. We've suggested this to Google, and we'll let you know their response.
Of course, it might not be a false alarm at all - there might be an infected computer on your network, and Google raising the red flag could be the first sign of infection. But even though Google's search capability may be awesome, a dedicated antivirus program is still going to be the most reliable way of catching malicious programs.
We've heard that another lot of cyber criminals were arrested, this time in Italy. More than 150 arrests for bombarding Italian users with fake mails. The phishers' ill-gotten gains – around 1,250,000 euros.
These guys were targeting the most popular Italian banks, and some users were getting 30+ phishing mails a day! The attacks were such a problem that they were even discussed on TV (although sadly not by the major news channels).
The arrests are the result of an investigation which began in May 2005. We'll be tracking this case, waiting for news of convictions and jail sentences. We'll keep you posted on progress.
Microsoft has released this month's update package, which contains (among other patches) updates for Internet Explorer, Vista, Outlook Express and Visio.
As we mentioned in our pre-patch post, some of the vulnerabilities are critical, so if you haven't done so, check the June Security Bulletins and patch your systems now.
The friendly handlers over at Internet Storm Centre have produced another colorful table to guide you through this month's patch maze.
As a quick reminder, June 12th is patch Tuesday for Microsoft products.
The corporation has several updates planned, including 4 critical patches. All 4 critical patches address remote code execution vulnerabilities found either in Windows, Internet Explorer, Outlook Express or Windows Mail. Microsoft also plans to release seven non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS). Microsoft's prenotification bulletin is here.
Microsoft plans to host a webcast next Wednesday to discuss the bulletins released on June 12th. Additonal information, including how to sign up for the webcast is here.
This week we added another unusual detection – detection for a calculator virus.
Virus.TI.Tigraa.a is a memory resident virus, and in the best tradition of DOS viruses, it's a mere 492 bytes in size. It works on Texas Instruments TI-89 graphing calculators (the TI-89, TI-89 Titanium, and the Voyage 200 which will run most programs for the TI-89) with the Motorola 68000 processor. The virus is designed to clear the screen and then display a message saying 't89.GAARA'.
Of course, Tigraa.a is classic proof of concept code. It'll only work on individual calculators, and can't spread. But nevertheless, it's created another entry in the roll call of potentially infectable devices.