Today, on Wednesday 27th February at 10am, the German Federal Constitutional Court in Karlsruhe made an official statement regarding its verdict on online surveillance.
The final verdict: although online surveillance is permitted, this is only in cases where an overwhelming threat to the existence of extremely important legally protected interests exists, and certain specific criteria will have to be met. Additionally, a new basic right will be introduced, for the first time since 1983, when a basic right was introduced regarding the capacity of the individual to determine in principle the disclosure and use of his/her personal data. This new basic right is intended to guarantee the integrity of IT systems and the confidentiality of data held on these systems.
The catalyst for these proceedings was a collective complaint brought against a law in the German state of Nordrhein-Westfalen designed to protect the constitution. This law permits the installation of spy programs on the computers of alleged criminals and terrorists. Such software, designed to intercept passwords, read the contents of disks, intercept encrypted conversations and transmit all of this via the Internet to the investigating authorities, gave rise to the term 'online surveillance'.
Exactly what the practical results of today's verdict will be remains to be seen. It's clear that the Nordrhein-Westfalen law protecting the constitution will have to be amended. Meanwhile, discussions about the software, nicknamed the 'Bundestrojan', will continue.
This won't have any effect on our work as an antivirus company. As has already been said, in spite of the fact that it's financed by the government, a Trojan which uses the same methods as spyware created by virus writers (which will very probably be detected by our proactive detection methods, such as heuristics, behavior analysis etc) has to be viewed as being potentially malicious. And although we will probably be able to detect the program, we wouldn't be able to classify it as the 'Bundestrojan'; it's very unlikely that the authorities will provide AV companies with samples, so we would simply have to classify it on the basis of its behaviour, just as we do any potentially unwanted program.
Today our spam traps caught a phishing email targeting Paypal users that we detect proactively as Trojan-Spy.HTML.Fraud.gen.
Of course such emails normally aren't anything special - the interesting bit about this one is that it's in Dutch. This falls in with my prediction towards the end of last year that we'd start to see an increase in the use of Dutch (which is, after all, a minority language) in cyber scams.
A bit of searching through our archives showed that this mail was a re-run from an attack that occurred last week. This indicates that the first one was probably reasonably successful – if not, why resend the same email?
Although it's pretty good, the Dutch is not exactly perfect. This in itself might alert users to the fact that something is not quite legitimate. And the bad guys forgot another major factor – although the email is in Dutch, the site that it links to isn't. Hopefully this will act as a red flag so that recipients don't enter their data on the site.
Our Mexican email addresses started receiving messages on the 19th and 20th of February that looked like standard greeting card emails.
Of course, the messages were fake. The links in the messages sent users to a completely different site – they all led to http://126.96.36.199/~rockybob/ (naturally, we've obscured the link).
Once the user is on this site, a specially crafted php script gets executed, which downloads a malicious file called TarjetasNico.exe from another site.
Quite a few people have already said that we can expect to see an increase in malicious code spreading as Valentine's Day approaches. And no surprises – here it is. For the last couple of days, we've been receiving mass mailings of messages which supposedly will bring joy to the recipient, but which actually have a very different end result – a computer loaded with malware.
Here's an example: Smiley Kiss http://217.X.X.X/. When the user opens the link, he or she will see a picture like the ones below:
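Both the fake greeting-card mailing and the Valentine's "Smiley Kiss" mailing share the same tell: the link in the message points at a bare IP address rather than a real domain, and the visible link text has nothing to do with the true destination. The following script is an added example, not code from the original posts; it extracts the links from an HTML mail body and flags those two traits. The sample mail body and the 203.0.113.x addresses in it are constructed for the example (RFC 5737 documentation range), not the addresses seen in the actual campaigns.

```python
"""Flag e-mail links that point at a bare IP address or whose visible text
names a different host than the real destination (added example)."""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_bare_ip(host):
    """True if the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def host_of(url):
    """Lower-cased hostname of a URL (scheme optional), or "" if none."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def classify_link(href, text):
    """Return the list of reasons a link looks like a lure (empty = clean)."""
    reasons = []
    host = host_of(href)
    if is_bare_ip(host):
        reasons.append("bare-ip-host")
    # If the visible text itself looks like a URL or domain, compare its host
    # with the real destination; "www.good.test" pointing at 203.0.113.7 is
    # the classic mismatch.
    shown_host = host_of(text) if "." in text and " " not in text else ""
    if shown_host and shown_host != host:
        reasons.append("text-host-mismatch")
    return reasons


def suspicious_links(html):
    """Scan an HTML mail body and return the links that trip a rule."""
    parser = _LinkExtractor()
    parser.feed(html)
    return [
        {"href": href, "text": text, "reasons": classify_link(href, text)}
        for href, text in parser.links
        if classify_link(href, text)
    ]


# Constructed sample mail body: one greeting-card style lure, one
# "Smiley Kiss" style lure, and one legitimate link for contrast.
SAMPLE_HTML = """
<p>Someone sent you a card! View it at
<a href="http://203.0.113.7/~cardbot/">www.example-cards.test/view</a></p>
<p><a href="http://203.0.113.9/">Smiley Kiss</a></p>
<p><a href="https://www.example.com/cards">www.example.com/cards</a></p>
"""

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_HTML):
        print(hit["href"], "<-", repr(hit["text"]), hit["reasons"])
```

Run stand-alone it prints the two lure links with their reasons and stays silent on the legitimate one. Bare-IP links are not always malicious, so in a real mail gateway this is a scoring signal to combine with others, not a block-on-sight rule.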
Last week there was a lot of speculation going round that Paris Hilton has changed her sexual orientation. A couple of years ago when she was making the news, IM-Worm authors played on this. With these latest rumours (I am an AV researcher, after all) I immediately thought that the bad guys would find some way to use them. Unsurprisingly, this prediction turned out to be true. Over the last couple of days we've seen spam being sent out which contains a link claiming to be a Paris Hilton video.
The social engineering is obvious – although it's amusing that the video title mentions men rather than women. Putting this aside, it's rather an odd case from a technical point of view.
The URL leads to a simple Trojan-Downloader which is packed using FSG. It doesn't have any anti-AV functionality. In turn the Downloader downloads two files, one for harvesting email addresses from the victim machine and one for sending out spam. One of those is stuffed with anti-AV techniques.
Of course, using Trojan-Downloaders is extremely common these days. What's strange is the combination: such a simple Trojan-Downloader fetching highly sophisticated malware.
And given that the Trojan-Downloader will be heuristically detected by quite a number of virus scanners, including ours, the chances of actually getting infected are slim. This leaves me wondering if this unusual combination was created by the authors by accident, or by some strange design.
In case you missed it: recently more than 40 anti-malware researchers and testers got together in Bilbao, Spain, to formalize the charter of the Anti-Malware Testing Standards Organisation (AMTSO). The organization's main aim is to create security software testing guidelines and standards.
Why is a body like this needed? Well, although security software has changed enormously in the last ten years, most tests used today haven't evolved at the same rate. New and better tests are needed to better assess the effectiveness of new technologies. AMTSO is a very significant move towards having tests that more accurately reflect the performance of security software in real life situations.
I was part of the initial talks about this way back during the AV Testing Workshop, and it's clear that with this new organization, we've come a long way.
Right now the group consists of AV researchers and testers. One of the goals is to include academics as well. AMTSO strives to be vendor and technology neutral and academic members will be very helpful in ensuring this position.
It'll be interesting to see what AMTSO comes up with. As a member of the pro tem standards and guidelines subcommittee I'll obviously have a say in the matter. The result may be that we end up with tests where security solutions don't score as highly as they do in current tests. But this will be no bad thing if test results reflect the genuine ability of solutions to combat today's constantly changing threats.