I've just returned from Budapest, after attending and presenting at the Information Security Day (ITBN) conference. Now in its second year, this event has gained quite a bit of popularity in Hungary, receiving attention from people working in the IT industry, the press and, of course, end users.
It's a pity that events like this aren't more popular in other countries as well - judging by the massive participation (more than 1000 registered visitors), there is obvious interest in how to make our beloved computers more secure.
PS: If you understand Hungarian, you can find a short interview I gave to InfoRadio here.
The criminals behind Licat have been quick to respond to MSN's updated network filters, and have already deployed a new method (which has already been seen in the wild) to bypass the filters.
What is it? Offline messages.
Windows Live Messenger (aka MSN Messenger 8) introduced the long awaited ability to send messages to offline users. Users of earlier versions of MSN Messenger can receive messages sent while they’re offline; they just can’t send messages to their contacts who are offline.
Why is this important? It turns out that messages sent to offline contacts in WLM aren’t being filtered in any way! This means that the attackers can send any message they want, provided it’s to offline users. We notified Microsoft of this filtering weakness yesterday.
We know that messages are being sent to offline users, but at the moment we’re not absolutely clear how this is being done - we haven't (yet) seen an IM-Worm which sends its messages to offline contacts.
While we were investigating the whole offline messages / malware issue, we came across an interesting point. There are two ways to receive offline messages: either by a normal MSN pop-up window or by email. In the case of the ITW attack, the offline message arrived via email. In our testing we only received one offline message via email; after that, all offline messages were delivered by MSN IM pop-ups. (If anyone knows why this happened, please leave a comment or contact us at blog [at] viruslist [dot] com.)
It's to be hoped that Microsoft will fix this loophole as soon as possible. We'll also be keeping our eyes open for an IM-Worm which sends messages specifically to offline contacts.
Once in a year, Kaspersky Lab organizes a security roundtable in Munich, Germany, followed by a visit to the Oktoberfest (probably Germany's most famous festival).
Last Thursday, a lot of journalists (mostly from IT publications) got together to gain an overview of malware development so far this year, as well as information about current trends and possible future threats.
We pointed out that fighting cybercrime (botnets, blackmail, theft of credit card data etc.) will require more and more effort in terms of working together. This doesn't just mean co-operating between antivirus companies, but improved communication with independent research facilities, universities, financial institutions and the relevant national and international law enforcement bodies.
We also made use of the Oktoberfest opportunity to swap information and opinions with the journalists. After a couple of beers it became clear that there weren't any questions left unsolved : )
EICAR (http://www.eicar.org/) was formally founded on this day in 1990, in Brussels. EICAR was originally conceived as a professional body focused on anti-virus whose membership would extend beyond the technical experts in CARO (http://www.caro.org/tiki-index.php).
For many people, EICAR is best known for the EICAR test file, an industry-standard test file that can be used to confirm that anti-virus software is installed and working correctly.
Here's wishing EICAR success in its next 16 years as a forum for anti-malware professionals.
Microsoft has fixed the .PIF 'vulnerability' in their MSN network filters as described in the previous blog post.
So that's one less thing to worry about.
This week we've seen a couple of IM-Worms rising above the radar to an extent that can probably be called epidemic levels.
Two of these were MSN-Worms. Each worm sends a link:
Each of the links leads to a different Trojan-downloader. The downloaders download a variety of adware and adware-related Trojans.
Moreover, IM-Worm.Win32.Licat.c is also downloaded, which in turn launches a new mass mailing of the original message. Nothing unusual, right?
Wrong! Both worms spread using links to .PIF files. But some of you might remember that Microsoft blocked messages containing ".pif"?
Yes they have, but... the MS block is case sensitive!
So the criminals used capital letters, ".PIF" and the network filters let the message flow right through. Other variations like .Pif, .pIf, and so on also work.
We have notified Microsoft of this and hope they take the necessary actions. In the meantime, users and admins should beware.
The funpic.de page has been taken down during the night and the uglyphotos link is dead and blocked by MSN. But there's no doubt there will be new ones to replace it. Especially with the VML vulnerability still un-patched.
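As an added illustration of the two filtering gaps described above (this is example code written for this page, not Microsoft's filter or anything from the original posts), the block below puts a case-sensitive substring check, modelled on the behaviour the post reports, beside a hardened check that case-folds the extension of each linked file, and applies that check regardless of whether the recipient is online. The sample messages, the `example.invalid` links and the block-list policy are constructed for the example; the post itself names only `.pif`.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample IM traffic (not taken from the original post): links of
# the kind the worms described send, in several letter cases, plus benign chat.
SAMPLE_MESSAGES = [
    "hey check this out http://example.invalid/photo.pif",
    "look at my pics!! http://example.invalid/uglyphotos.PIF",
    "lol http://example.invalid/album.Pif?id=3",
    "nice one http://example.invalid/me.pIf,",
    "see you at 5",
    "the report is at http://example.invalid/q3.pdf",
]

# Assumed block-list policy for this example; the post only mentions .pif.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe"}

_URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def naive_filter_blocks(message: str) -> bool:
    """Case-sensitive substring check, modelled on the filter behaviour the
    post describes: ".pif" is caught, ".PIF" / ".Pif" / ".pIf" are not."""
    return any(ext in message for ext in BLOCKED_EXTENSIONS)


def link_extensions(message: str) -> list:
    """Return the case-folded file extension of every URL path in a message.
    Trailing punctuation that chat text glues onto a link is stripped first,
    and query strings are ignored, so 'album.Pif?id=3' still yields '.pif'."""
    exts = []
    for url in _URL_RE.findall(message):
        url = url.rstrip(".,;:!?)\"'")
        path = urlparse(url).path
        exts.append(os.path.splitext(path)[1].casefold())
    return exts


def hardened_filter_blocks(message: str) -> bool:
    """Case-insensitive check on the extension of each linked file."""
    return any(ext in BLOCKED_EXTENSIONS for ext in link_extensions(message))


def should_deliver(message: str, recipient_online: bool) -> bool:
    """Apply the same policy on every delivery path. The post notes that
    messages queued for offline contacts were not filtered at all; here the
    recipient's presence state is accepted but deliberately never consulted."""
    return not hardened_filter_blocks(message)


def compare_filters(messages=SAMPLE_MESSAGES):
    """Return (message, naive_blocked, hardened_blocked) for each message."""
    return [(m, naive_filter_blocks(m), hardened_filter_blocks(m)) for m in messages]


if __name__ == "__main__":
    for msg, naive, hardened in compare_filters():
        print(f"naive={naive!s:5} hardened={hardened!s:5}  {msg}")
```

Running the block shows the naive check blocking only the all-lowercase link, while the hardened check blocks all four `.pif` variants and passes the two benign messages; the `should_deliver` wrapper is the point where a presence-dependent code path would otherwise have skipped the filter.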
With various elections now taking place in the U.S., a recent report published by Ariel J. Feldman, J. Alex Halderman and Edward W. Felten of Princeton University details insecurities found in AccuVote-TS/x e-voting machines. Pointing out and detailing three different types of software-based attacks, this paper is sure to receive further attention.
The question is will it be the attention of malicious attackers, or from Diebold and the U.S. government.
From a malware research perspective, the most interesting attack detailed in the article is the Vote stealing virus. After reading this section of the paper I was left with the impression of a small malicious program with rootkit-like characteristics. We aren't talking about hidden files and modified software kernels however. In the described attack, covering tracks is as easy as modifying two separate data files in a way that end results agree with each other.
As described the malicious program randomly steals votes from one candidate and gives them to another. The authors of the paper understand well enough about election fraud, and took steps to ensure their malicious program did not result in a completely lopsided election result. In theory, if the results "feel" right, officials won't detect the fraud and may accept the results. There will be no need for people to vote again.
All-in-all a very interesting paper, and unlike the recent RFID proof-of-concept paper this one seems to have substance to it. One can easily imagine a would-be attacker slipping into a small, hidden, enclosed space to do their thing. In this case, that small enclosed space might just be your local voting booth!
It has been reported that Microsoft has just won a court order requiring a UK spammer to pay £45,000.
The interesting point here is that Microsoft took action against Paul Fox for breaching the terms and conditions of its Hotmail service, rather than using the relevant sections of the Privacy and Electronic Communications Regulations introduced in the UK in 2003.
It's to be hoped that this case will prove a deterrent against spammers. Nevertheless, it does highlight the limitations of UK anti-spam legislation.
The Moroccan authorities have announced that Farid Essebar, 18, better known as "Diabl0", and his 20-year-old friend, Achraf Bahloul, have finally been sentenced, after a trial which took more than a year. The duo has been convicted of conspiracy, theft, using forged credit cards and illegal access to computer systems, although explicitly not of writing the Zotob / Bozori worm. As a result, Essebar will spend two years in prison and Bahloul one.
Hopefully, this will make some people think twice before releasing a worm in the wild.
Earlier today we blocked an interesting phishing sample:
We fully appreciated not only the expert social engineering and well-written text, but also the fact that the phisher included not only the email of the intended victim, but also the postal address.
Yet another reminder – no matter how good it looks, banks simply do not send such email. Period. Be careful.
The number of phishing scams continues to grow: the Anti-Phishing Working Group recorded its highest number of unique phishing web sites ever in June 2006. And, of course, financial services continue to be the biggest target for the phishers.
Clearly the losses from this type of financial fraud are high. But who pays? Well, in a case reported today, the bank did. Bank of Ireland has agreed to compensate customers who fell victim to phishing scams. However, this was a 'goodwill gesture', rather than matter of general policy.
Of course, it's hardly surprising if financial institutions are reluctant to routinely compensate customers in such situations. The key issue for consumers is being able to demonstrate that they have taken adequate precautions to avoid falling victim to phishing scams, as highlighted by APACS [APACS, the UK payments association] in one of its BankSafeOnline FAQs.
The onus will be on the customer to demonstrate that they have 'acted with reasonable care'. The increasing sophistication of the phishers may make this harder to do.
We all know how complicated it can be to demonstrate that you have 'acted with reasonable care', so we're providing a checklist that should help you. Pin it up on the wall and be sure to follow the recommendations.
Pre-notification of September's Patch Tuesday was posted to http://www.microsoft.com/technet/security/bulletin/advance.mspx today. The patches themselves will be released next Tuesday, 12th September.
Among other important Windows-specific patches, included in the September release is a bulletin for a “Critical” Microsoft Office vulnerability. Patches rated critical always draw the attention of exploit writers. Following the release of a critical patch, we usually see an increase in the number of exploits and malicious attacks. It is thus especially important to update both your operating system, as well as any Microsoft Office installation that you may maintain.
Yesterday, the Washington Post reported that the conviction of spammer Jeremy Jaynes had been upheld in a Virginia Court of Appeals. In February 2005, Jaynes received a nine-year prison sentence. However, he remained free on a $1 million bond while his case went to the Virginia appellate court.
His attorneys disagree with the court's decision, and will appeal again. Their main arguments are that there had been 'overbreadth' infringements of Jaynes' First Amendment rights, and that Virginia courts have no jurisdiction because Jaynes' crime was committed from his home in North Carolina.
The First Amendment, which relates to freedom of speech as defined in the U.S. Constitution, always merits further discussion and further refinement. It's particularly interesting when examining the now widely-used forms of electronic communication and media. How should the law be applied? And where are the limits?
Using the First Amendment argument might just be a legal ploy; an attempt to keep Jaynes out of prison a bit longer. According to statements included in a 26-page opinion put forth by Judge James W. Haley, Jr., "facial challenges are sometimes allowed when an appellant claims First Amendment protections". Because "the Supreme Court recently said the First Amendment doctrine of overbreadth is an exception to our normal rule regarding the standards for facial challenges", Jaynes' attorneys' First Amendment challenge might just be given another day in court.
The argument that a Virginia Circuit court doesn’t have the jurisdiction to review this case also seems an ineffective argument. Haley’s Opinion states that “[c]ircuit courts in Virginia have exclusive original jurisdiction over all felony indictments for offenses committed within their respective circuits”. North Carolina and Virginia are both in the 4th Circuit. Additionally, “jurisdiction may exist where the immediate harm occurs, even if the criminal act does not physically occur there”.
By its very nature, cyber crime crosses territorial and legislative borders. Differences in national legislation are one of the reasons why it can be difficult to prosecute cyber criminals. The Jaynes case may be nearly over - it's to be hoped that the court ruling may act as a precedent which can be used to effectively prosecute spammers in the future, and which will also pave the way for more effective cyber crime legislation.
I think I speak for just about the entire security industry when I say that I really value the work of the people who help out on security forums.
These people put in a lot of hard work and effectively it's all voluntary.
Some of these people create tools to remove certain malware families/types, and these tools are very popular within the communities that they belong to.
Recently the tools created by members of one community have proved so popular that someone decided to copy them. Most of these tools are scripts, which means that they can very easily be edited. Normally editing is done to update the scripts so that they can detect new malware. Sadly, in this case someone has basically copied the scripts and put his own name to them.
This copying and taking credit for other people's work has been going on for quite a while now. Normally ignoring such people is the best course of action, so as not give them any (more) attention, but I think a line has been overstepped.
'Pcbutts1' is actively promoting 'his' anti-malware tools which remove a number of threats. This is what people see when they go to his very recently updated downloads page.
The people listed on this page are well respected within the security community and a number of them are actually Microsoft MVPs. It's 'pcbutts1' who is the fraud, not them.
Let's hope 'pcbutts1' grows up - and fast.
You may remember that back in February this year we detected RedBrowser, the first Trojan for J2ME. RedBrowser is able to run on the vast majority of today's handsets, i.e. those which support Java. The Trojan sends multiple SMSs to pay numbers without the user's knowledge or consent. Naturally, this rapidly reduces the user's account balance.
Today one of our users told us about a particular program which has been placed on a popular Russian mobile phone site. This program is allegedly designed to 'steal money from mobile operators'. Our helpful user not only provided us with information, but also sent us a sample for analysis.
The program turned out to be a completely new Trojan for J2ME. When it's launched, it sends 5 SMSs to 1717, a pay number. The message text is made up of code chosen at random from the Trojan's body.
It turns out that http://games.gsmland.ru/, a site which sells games, ringtones and images, uses this number. Every game ordered via this site costs $3. This means that as a result of the Trojan sending SMSs, the user will have $15 deducted from his/her account.
The Trojan arrives in a .jar file 32647 bytes in size, called 'pomoshnik.jar'. ('Pomoshnik' is the Russian for 'assistant' or 'helper'.) The .jar file also contains two images.
We've named this new malicious program Trojan-SMS.J2ME.Wesber.a, and added detection for it to our antivirus databases.