Here's the latest of our malware wallpaper calendars.
As usual, we’ve highlighted some of the notable malware-related events from years gone by.
What a coincidence! The same day I start tumblring, Tumblr users get hit by what seems to be one of the most publicized phishing attacks the social network has seen so far.
Yet another phishing attack has resulted in thousands of accounts being compromised. Nothing new here. Phishing is a game of numbers – so even though many users are aware of this threat, there still are some of them who fall victim to this old social engineering trick. Therefore, even with just a low efficiency rate in terms of percentage, thousands of accounts can still be easily compromised by cybercriminals if the phishing page is seen by enough people.
So, for those of you out there who still don't know the basics of avoiding becoming the victim of a phishing attack, here are a couple of tips:
There’s nothing new in Brazilian cybercriminals exploiting social networks to distribute their malicious code. Orkut was first, followed by Twitter, and now it’s Facebook’s turn.
Facebook is becoming increasingly popular in Brazil, and we are seeing more and more Brazilian bad guys switching their focus to it. We received some proof this weekend: a Brazilian instant messaging (IM) worm created to steal Facebook logins and passwords and to use the infected profile to spread malicious links among Portuguese speakers.
The worm (md5 d8dd66f2ec659687c56feb31ae1ac692) is distributed in a drive-by-download attack. After infecting the user's machine, a malicious applet downloads lots of different files, including the IM worm responsible for stealing users' Facebook passwords. The worm is designed to connect to the victim's profile via the web service Ebuddy.com or via the mobile version of Facebook, and is capable of posting the content of the file fb.txt:
A few days ago we notified you about malicious activity from the S.A.P.Z. botnet, and we provided evidence that this attack methodology can be used against the users of any Latin American bank, or of a bank anywhere else in the world.
Now the S.A.P.Z. gang, which may be Peruvian, has resorted to another strategy. It is focusing on the theft of sensitive information by spreading a variant of the Palevo worm, detected by Kaspersky Lab as P2P-Worm.Win32.Palevo.cudq.
The key element here is that with S.A.P.Z. the cybercriminals have used the functionality of an old web application created for managing stolen data, called Blackshades. As indicated in this image, they are no longer focusing only on Peruvian users but also on other countries such as Chile, Colombia, Spain and the USA.
This month's Patch Tuesday is a sizable one by any standard, following the quiet Tuesday that my colleague Roel Schouwenberg described last month. Microsoft is patching a total of 34 vulnerabilities in 16 bulletins, MS11-038 through MS11-051. At least eight different Microsoft product lines are updated, and Adobe is coordinating the release of Reader, Acrobat, Shockwave and Flash updates today as well.
So we are looking at patching the following programs:
Microsoft Windows, Microsoft Office, Internet Explorer, .NET, SQL, Visual Studio, Silverlight, ISA and Adobe Reader, Acrobat, Shockwave and Flash player. More than half of the vulnerabilities being patched exist in the Internet Explorer and Microsoft Excel software components, frequent targets of drive-by and spear phishing attacks.
Most interesting is MS11-050, a single patch that knocks out 11 separate Internet Explorer vulnerabilities, some enabling information disclosure (cookiejacking), memory corruption and remote code execution: CVE-2011-1250, CVE-2011-1251, CVE-2011-1252, CVE-2011-1254, CVE-2011-1255, CVE-2011-1256, CVE-2011-1260, CVE-2011-1261, CVE-2011-1262. The additional VML patch MS11-052 knocks out another Internet Explorer vulnerability, CVE-2011-1266.
Microsoft already pointed out that the Internet Explorer patch addressing "cookiejacking" is not a particularly high risk issue because it is relatively unknown to them as an attack vector, and because there are more substantial social engineering techniques. While those points may be true, now that the techniques are more widely discussed, the risk of them being abused by more attackers goes up as well.
Eight different privately reported vulnerabilities are being patched in Microsoft Excel alone by MS11-045, each of which allows remote code execution. We are still reviewing why the patch is rated "important" rather than critical for the various Excel versions.
The patches that stand out result in remote code execution within Internet Explorer, Office and Silverlight. The recent history of attacks on consumer and corporate users, including the many successful spear phishing and APT attacks should help increase the urgency of these patches.
On the server side in the cloud, Microsoft is patching a vulnerability that could be abused in a DoS attack that could only be staged from within the cloud. MS11-047 is rated an "Important" patch for Windows 2008 versions, correcting a flaw in Hyper-V where a guest could send a malformed packet to the VMBus and result in denial of service on the server. MS11-039 is the Silverlight patch that could not only be used in a remote code execution attack on the client side, but also can be used to remotely run arbitrary code on vulnerable IIS web servers.
At least eight of the nine patches rated "Critical" require a restart, so be prepared for this interruption. We recommend applying all of this month's released patches as soon as possible.
The US Senate and the International Monetary Fund (IMF) are just the latest in a growing line of high-profile organisations that have been subjected to a targeted cyberattack. Sony made unwelcome headline news when it had to shut down its PlayStation Network after hackers were able to steal customer information, including addresses, dates of birth, etc. In that case, over 70 million people's details were exposed. Other examples include Citibank, where personal information was also stolen, and Google, which disclosed that some Gmail accounts had been compromised. How many of us keep usernames and passwords for other sites, such as online banking and shopping, in our Gmail or Hotmail accounts?
Going back 10 years and more, we saw malware like "I Love You", Netsky and Bagle grabbing the headlines. The motives behind those threats, though, were very different. They were more akin to graffiti: the authors wanted to infect as many people as they could and become infamous.
The recent attacks demonstrate that the bad guys are no longer interested in an "infect all" strategy, but are using more targeted methods instead. They do not just go after financial information like bank logins or credit card details; they are in fact collecting everything they can get hold of. As we predicted at the beginning of the year, we are now in the age of "steal everything".
It's obvious what criminals will do with stolen credit card details, but what about my date of birth, my address or even my hobbies? Well, one thing they can do is what we call spear phishing, and this seems to be how the IMF was compromised in the first place.
This is a form of attack in which an individual or organisation is singled out, usually via email. Most of us receive lots of spam emails and simply delete them. But what if you get an email that purports to be from your bank or credit card company and, to prove it, quotes the last four digits of your credit card number and your date of birth? That looks much more credible, and we are more likely to click on any links in the email. Such a link may deliver malware, which in turn may be finely tuned to the target's operating system and the applications that run on it. The attackers could get information of this kind by trawling social networks for titbits of information and/or even calling staff at the organisation. By creating a specific piece of malware to target just one organisation, they stay under the radar of security companies and law enforcement agencies. In the case of the IMF, it looks like it may have gone unnoticed for several months!
So what do we need to learn from these targeted attacks? First, if we are seeing more high profile attacks you can bet that there are a greater number of low profile attacks that don’t make the headlines. Small organisations do not expect to be targeted and are also less likely to have elaborate IT security defences in place.
Second, technical solutions can never be enough. Education must play a key part too. Staff awareness is essential in any modern organisation. We need to foster a culture of security awareness so that people know what kinds of social engineering tricks are commonly used. By doing this we are more likely to get buy-in from staff for what we are trying to achieve. So, for example, when they get a reminder to change their password and for it to be a specific length and complexity, they will understand the importance of following the advice, instead of just ignoring it.
Various malware and riskware programs created for mobile platforms that send premium-rate SMS messages have been a huge problem for a very long time for users in countries like Russia, Ukraine or China. What about other countries?
When dial-up was popular, applications like porn dialers were also widespread. In 2009 we saw the first porn dialer for smartphones.
And now it is time for 'porn SMS senders' targeting users from at least the US, Malaysia, the Netherlands, the UK and Kenya whose mobile devices run Android or J2ME. We've discovered a number of applications (the not-a-virus:RiskTool.AndroidOS.SMSreg and not-a-virus:RiskTool.J2ME.SMSreg families) which send a number of expensive SMS messages in order to subscribe to various services. It is important to mention that all of these apps contain 'Terms & Conditions' describing the particular program and the cost of the SMS message or subscription.
The first piece of riskware we discovered targets Android smartphone users in the Netherlands. An application named 'nooit spijt' ('never regret' in Dutch) sends three SMS messages costing 1.5 EUR each. Complaints on various forums say that this app is spread via advertisements in other applications.

Main windows of ‘nooit spijt’
Recently the security of public cloud services has been a major topic of discussion on the Internet. While service providers assure us that there’s nothing safer than the ‘cloud’, security companies have already managed to discover various kinds of threats in the cloud.
In the meantime, spammers are managing to keep up and have started making more active use of free remote resources. For instance, we recently came across the following phishing messages for harvesting email passwords:
A few days ago, I blogged about PHP/JS malware targeting the osCommerce platform which used an interesting new technique to obfuscate the malicious code. It so happens that today I came across an even more advanced sample of a PHP infector, again in the context of a vulnerable e-commerce solution.
When I came to work today, a colleague from our Polish office asked me to help him find the malware that was affecting his friend's online store. The HTML page, viewed in the browser, contained a link to a jquery.js script on some randomly generated cx.cc domain, although there was no sign of this link in the source files on the server. Reaching a verdict was simple: this piece of code was being added dynamically by some infected PHP script.
We looked into all of the PHP files stored on the server and got a bit confused: there was nothing really suspicious at first glance. But with the div_colors malware in mind, I started to study the code line by line. What finally caught my attention was a small function at the beginning of one of the core PHP files.
New techniques for obfuscating malicious code on websites are a good way to mislead users and protection software alike. Recently, I came across an interesting attack against the osCommerce online shopping platform in which a malicious script was injected into PHP files by exploiting a Remote File Inclusion vulnerability in the osCommerce software.
This PHP script works as an infector and is used to add the following code just after specified tags in HTML files and at the top of JavaScript files:
At first glance, this code doesn't look as suspicious as such code usually does; nothing stands out: no <iframe> tag, no unescape() function, nor an eval(). Instead, we just have a function which seems somehow related to the colours displayed on the web page and an array filled with values pretending to be a hex representation of those colours. Unwary users could overlook this code, assuming that it's legitimate and belongs to the page, but if we follow it we can see what it really does. The code takes the values from the array, converts them in some way and builds an ASCII string, so that it can then use either the document.write or the document.createElement method to append text to the web page's source code. In the latter case, the created element has a type of text/javascript.
Now does it look suspicious enough to you? :)
If the second parameter of the div_pick_colours() function is specified, the function returns:
in which the last value always differs and depends on the current date and time. Otherwise, it returns the same URL but without the <script> tags. The given address is no longer active, so we couldn't tell what kind of threat it used to lead to.
Kaspersky Lab detects this malware as Trojan-Downloader.PHP.JScript.a and Trojan.JS.Redirector.px. According to VirusTotal, at the time of writing only one other AV vendor was able to detect the PHP part of this malware. For the script injected into JS and HTML files, the ratio was as low as 20%.
How do you secure your website against infection by such malware, and what should you do in case of infection?
The two most important things are backup copies and regular scanning of all the files on the server. If you are using osCommerce or any other e-commerce solution, you should always check for software updates and install them as soon as they are released. Sometimes the time between a vulnerability being disclosed and a patch being published can be shamefully long, so it may be worth doing without some buggy features and deleting the vulnerable files from the server. Setting a password on the root directory is also a very good idea, as it prevents malware from modifying core files.
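A file-integrity check of the kind the last paragraph recommends, as an added example that is not code from the original post: it hashes every web file against a known-clean baseline, reports new or changed files, and flags files carrying the indicators described above (the colour-themed helper, the array of fake hex colour values, the dynamically created script element). The indicator names and regexes, and the constructed web root in `demo()`, are assumptions for this example; the post's actual injected code is not reproduced.

```python
import hashlib
import re
import tempfile
from pathlib import Path

WEB_EXT = {".php", ".js", ".html", ".htm"}

# Indicators for the injection pattern described in the post. These are assumed
# heuristics written for this example, not a signature from the original analysis.
INDICATORS = {
    "colour_helper": re.compile(r"div_pick_colou?rs?\s*\(", re.I),
    "hex_array": re.compile(r"(?:['\"]#?[0-9a-f]{6}['\"]\s*,\s*){8,}", re.I),
    "script_element": re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)"),
}

def baseline(root: Path) -> dict:
    """Hash every web file under root; take this from a known-clean backup."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in WEB_EXT}

def compare(root: Path, base: dict) -> dict:
    """Files added, removed or changed since the baseline was taken."""
    now = baseline(root)
    return {"added": sorted(set(now) - set(base)),
            "removed": sorted(set(base) - set(now)),
            "changed": sorted(f for f in now if f in base and now[f] != base[f])}

def scan_file(path: Path) -> list:
    """Names of the indicators found in a file; two or more deserve a manual look."""
    text = path.read_text(errors="replace")
    return [name for name, pat in INDICATORS.items() if pat.search(text)]

def demo() -> tuple:
    """Constructed web root: take a baseline, then simulate the injection."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "shop.js").write_text("function cart() { return 1; }\n")
    base = baseline(root)
    injected = ("function div_pick_colours(c,s){var r='';for(var i=0;i<c.length;i++)"
                "r+=String.fromCharCode(parseInt(c[i],16)%256);return r}\n"
                "var div_colors=['3a7f1c','4b8e2d','5c9f3e','6da04f','7eb150',"
                "'8fc261','90d372','a1e483','b2f594'];\n"
                "var e=document.createElement('script');e.type='text/javascript';\n")
    (root / "shop.js").write_text(injected + (root / "shop.js").read_text())
    (root / "jquery.js").write_text(injected)  # new file dropped on the server
    return compare(root, base), scan_file(root / "shop.js")
```

`demo()` returns the change report and the indicator hits for the modified file; in practice you would store the baseline alongside your backups and run `compare` and `scan_file` from cron.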
Here's the latest of our malware wallpaper calendars.
This month marks the anniversary of the appearance of Cabir, the first malware for mobile phones. This proof-of-concept worm, created by 'Vallez', a member of the virus-writing group 29A, was designed to infect devices running the Symbian operating system and to spread using Bluetooth.
Mobile malware has come a long way since then.
On top of this, the use of smartphones has increased massively. And we're all doing so much more with them - at home, at work, or both. As a result, they hold so much more confidential data; and the risk of data leakage from lost or stolen handsets is far greater than at any time in the past.
We all need to be very clear: that's a computer in our pockets or bags - not just a telephone!