Apple fans are eagerly awaiting the arrival of iPhone 5 which is due out today. Each unveiling of an iDevice is accompanied by a global buzz of excitement which usually attracts the attention of spammers: every new iPad or iPhone inevitably becomes the bait in numerous fake lotteries and other fraudulent emails.

However, customers are not only interested in Apple’s devices but also their accessories. This year’s first registered mass mailing dedicated to the new iPhone came from a Chinese company that has decided to fill this niche.

The advertiser, having first apologized for any inconvenience that may be caused by the email, offers users the chance to buy a case for the new iPhone 5 which has not even been officially presented.

Considering the sort of promises that usually appear in spam, one can only wonder why the sender didn’t offer an actual iPhone 5 or, better still, an iPhone 6 (or whatever it’ll be called in 2013? iPhone 5v?).

This month's patch Tuesday fixes a small set of critical vulnerabilities in a variety of client side software and one "important" server side Forefront UAG data leakage/information disclosure issue. Six bulletins have been created to address eleven exploitable flaws. Three of the six bulletins are top priority and should be addressed ASAP. These are the MS12-023 bulletin, patching a set of five Internet Explorer vulnerabilities leading to remote code execution, and the MS12-027 bulletin, patching the MSCOMCTL ActiveX Control currently receiving some attention as a part of very limited targeted attacks. If they must prioritize deployment, administrators should start their work here. Most folks should have automatic updates enabled and will silently receive the patches, or they can simply navigate their start menu and manually begin the Windows update process.

RCE attacks abusing these six IE and ActiveX vulnerabilities would look like web browser redirections to malicious sites hosting web pages attacking Internet Explorer and emails carrying malicious attachments constructed to appear familiar to the targeted victim. These are currently significant vectors of attack for both consumer/home and corporate Microsoft product users.

Microsoft also is recommending that administrators prioritize the Authenticode flaw and rated it critical, which could be used as a part of targeted attacks. And ActiveX controls can be delivered leveraging this vulnerability, so some distribution vectors may become enhanced. But this flaw allows for additions and modifications to existing code that in turn won't invalidate the existing signature.

A vulnerability exists in the .Net framework, allowing for XBAP applications to be run from the Internet Zone with a prompt. But anytime a decision like that is left to a user, it seems that we have a 50/50 chance of successful exploitation. The remaining vulnerabilty in the Office converter is significant and may result in RCE, but is much less likely to be attacked.

Dangerous, but manageable.

“Nigerian” spammers are extremely quick to react to the world’s hottest news stories. News of the death of former Libyan leader Muammar Gaddafi had barely even broken before a string of emails from the “relatives of the deceased” began to appear.

Gaddafi’s inconsolable relatives would be amazed if they knew how many emails had been sent in their name to Internet users around the world.

Instead of joining in the funeral rites, it looks like Gaddaffi’s sons and daughters, or his wife, his brothers or even friends, have rushed straight to their PCs to write to people all over the world asking for help in spiriting uncountable millions of dollars out of the country.

According to the “Nigerians”, the family of the Libyan leader is worth hundreds of millions of dollars. The emails which fell into my hands cited a minimum figure of $300 million.

Most of these emails purport to come from “Gaddafi’s wife”. The spammers seem to think their heart-rending stories about her hard life in her husband’s family could explain her sudden desire to share his money with her close friends. Or even with distant strangers, depending on the recipient of the email.

She’s not alone, though: an unlikely coalition of “opposition forces”, “lawyers” and “bank clerks who have access to Gaddafi’s accounts” also share the general desire to transfer the Colonel’s money abroad.

“Nigerian” spam is, of course, pure fraud. None of Gaddafi’s wives or even his lawyers will ever send emails to someone they do not know asking for help in getting millions of dollars out of the country and offering an unknown agent the commission for doing so. If a user takes the bait the fraudsters will extort money from him to allegedly cover different “expenses” until no more money is left. One should be realistic about the many offers received via the Internet from an unverified source calling himself Colonel Gaddafi’s son (ALL OF A SUDDEN!).

Below are the screenshots of several “Nigerian letters” sent on behalf of Gaddafi’s family:

A short while ago, I decided to prepare a presentation on web vulnerabilities and specifically on XSS attacks. This involved studying the way today’s filtration systems work.

I selected the most popular Russian social networking website, VKontakte.ru, as a test bed. One thing that grabbed my attention was the updated user status system.

The HTML code in the part of the page where users edit their status messages is shown below:

As you can see, filtering is performed by the infoCheck() function. The status itself is located in this string:

What we have here is two-step filtration. The first step is performed when the user enters the status message. The second step involves converting the status message to text and returning it to the page in the shape in which other users will see it.

While the second step definitely works well and it would clearly be impossible to convert to active XSS, things are not as simple where the first step is concerned, so it is that step that we will look at in greater detail.

Predictably, the simple <script>alert()</script> did not work, and the status remained empty. Other ‘script-like’ attempts didn’t work, either – it seems that this particular string is explicitly filtered.

However, the <script> tag is not essential for a script to be executed. The first vulnerability is introduced on the user’s machine by using the <img> tag: by entering the string <img src=1.gif onerror=some_function> as the user’s status, we can get that function to be executed. For example, we can call the function profile.infoSave(), which is called with an empty parameter to clear the status, but use a parameter of our choice. Thus, if we enter <img src=1.gif onerror=profile.infoSave('XSS')>, we get the string “XSS” as our status message:

Another interesting vulnerability associated with the filter is that the tag <A> is not filtered. If we enter <A HREF="//www.google.com/">XSS</A> as our status, we get… a hyperlink clicking on which brings up a status editing window and, a moment later, opens google.com.

As we all remember, XSS = cross site scripting, so I decided to test the next vulnerability using a third-party website with a script loaded on it. In addition to the tags mentioned above not being filtered, the <iframe> tag also successfully passed the filter. As a result, entering <iframe src="yoursite.com" width="100%" height="300"> in the status line will produce an iframe which will launch the above-mentioned script loaded on the page. Below is an example of what the iframe can look like:

This is a more serious vulnerability than the other two. One way of exploiting it is by creating a URL to change user status and sending it to the victim user in the hope that the user will click on it. The script will be executed on the user’s page even before the status message is published. This is a classic example of passive XSS.

These vulnerabilities existed from 01 August, 2010 – the time when the new user status system was introduced. We notified VKontakte’s administration on 01 March, 2011 and the vulnerabilities were closed on 03 March.

A new Twitter worm is spreading fast, using the “goo.gl” URL shortening service to distribute malicious links.

The malicious links go through a number of redirections which are described below. The redirection chain may push Twitter users to a fake anti-virus (scareware) serving the “Security Shield” Rogue AV. The webpage is using exactly the same obfuscation techniques as a previous version (Security Tool), which is an implementation of RSA cryptography in JavaScript to obfuscate the page code.

Our users are protected from this worm and all the URLS are being blacklisted in our products.

Here are some of the technical details:

1. Redirection Chains

   Those “goo.gl” links are redirecting users to different domains with a “m28sx.html” page:

   

   This html page will then redirects users to a static domain with a Ukrainian top level domain:
   

   

   As if that was not enough, this domain redirects the user to another IP address which is related to Fake Anti Virus distribution:

   

   This IP address will then do its final redirection job, which leads to the Fake AV website:

   

As you may have read the AMTSO had another meeting a couple of weeks ago. AMTSO is strongly committed to improving the overall relevance of anti-malware testing.

During our latest meeting we accepted two new papers. The first paper is on whole product testing and the second is on performance testing. As pointed out by the vast majority of people in the AV space the tests of old have never truly accurately reflected real life performance. With the changes that the threat landscape has seen over the past few years this has become truer than ever.

So rather than having tests which focus on individual components to test detection of, or rather protection against, threats an entire product should be tested. Just think about a scenario where an email-borne threat is not detected by the file scanner, but the anti-spam component is able to flag the message it comes with as spam.

The other document talks about how to more accurately test the performance – or speed (impact) – of AV solutions. One scenario where this will be useful could be determining the amount of RAM a certain product may occupy. Many people will try to establish this by looking at the amount of (virtual) memory taken by the processes belonging to the product. However, certain products may also inject some of their DLLs into other processes, therefore unintentionally masking some of their footprint. It’s therefore the best practice to compare the entire RAM usage.

The bad news, I say jokingly, comes from one of the new documents we continued working on in Helsinki. The False Positive testing document has proven to be quite the challenge and sparked a lot of debate. Especially the area of testing false positives on web resources - such as domains and web scripts - an interest of mine, proved to be particularly challenging.

It definitely looks like testers are continuing to improve their tests to more accurately reflect real life scenarios. And that’s great for two main reasons. Most importantly, it gives users better information. Secondly, it gives vendors the opportunity to spend their resources focusing on things that protect the user. So it’s great to see the progress that we’re making in AMTSO.

If you haven't had a chance to read the documents go to the AMTSO web site and have a look!

Microsoft has now announced it will be issuing a out-of-cycle patch for the IE7 vulnerability today at 1pm EST. The patch is available via auto-update and from the Microsoft Download Center.

There's been an update on the Trojan case we mentioned earlier this week – a 24 year old has been sentenced to five and a half years for computer crime. He was found guilty under Section 1, Article 272 (unlawful access to legally protected computer data) and Section 4, Article 159 (gross fraud) of the Russian Federal Criminal Code and will serve out his sentence in a minimum-security correctional facility.

The case stated that "between June and August 2007, the accused used a malicious program to get the secret key of a commercial organization and, in the name of the organization, traded futures on the commercial market." The losses totalled more than 1.3 million roubles.

The young man, who admitted his guilt in court, transferred 1,000,000 of his ill-gotten roubles to a personal account which he opened with one of the local Yoshkar-Ola banks.

Regular readers of this blog and our analytical articles may remember that in summer last year we wrote about a new variant of Bancos.aam designed to steal data from users of QUIK, a Russian Internet trading system.

Russian reports on the ongoing investigation say the suspect, one Evgeny Simonov from Yoshkar-Ola, is currently not permitted to leave the city. He used the Trojan to steal a broker's log-in and password and then illegally made at least 2.5 million roubles (around a hundred thousand dollars) on fraudulent trades.

Simonov clearly saw the opportunity to turn a quick buck. But he slipped by making deals via his mobile: the investigators checked when the fraudulent deals were made, and the originating IP address, and traced Simonov via his mobile operator.

The whole case throws up an interesting point: new technologies and increased connectivity provide malware writers with increased opportunities, but the same technologies can also be used against them.

Today Nikolay Patrushev, head of the Federal Security Services, announced the results of the measures taken to combat cyber crime in 2007.

Among other information, it was announced that it had been established who was the author of the notorious Pinch Trojan - two Russian virus writers called Ermishkin and Farkhutdinov. The investigation will soon be completed and taken to court.

It's well known that Pinch is one of the most popular Trojan programs with Russian malicious users. The Trojan makes it possible to steal email, icq and other account data, including to network services and application. The authors of this program, also known as Damrai and Scratch, used Pinch to build a criminal industry.

Anyone who wants can order a customized version of the Trojan, and also get 'technical support' from the authors of the program. Russian hacker forums were flooded with advertisements for this 'service'.

A mass of script-kiddies clearly found the idea attractive - get a functional spy program for a mere few dollars. As a result, the Internet became flooded with Pinch modifications. Our antivirus databases currently contain more than four thousand variants.

At the very lowest estimates, Pinch has caused several hundred thousand infections. It's impossible to estimate what financial losses have been caused over the years since this Trojan first saw the light of day.

Patrushev's announcement today clearly shows that the security services are targeting active virus writing groups which participate in cyber crime, and that the steps being taken are meeting with success.

The arrest of the Pinch authors is on a level with the arrests of other well known virus writers such as the author of NetSky and Sasser, and the authors of the Chernobyl and Melissa viruses.

Unfortunately, it doesn't mean that new variants of Pinch will disappear. Sadly, the source code of this Trojan is circulating on the Internet, and we'll certainly encounter 'remakes' of this pest, created by virus writers who have not yet been arrested.