2010 June - September Security Threat Summary
F-Secure sees malware and spam in social networks on the rise
Spam in social networks reached a record high level May to September 2010. Malware and spam are appearing more frequently on social media like Twitter and Facebook. So far, most of the attacks on Twitter have been made for testing purposes or for fun to see how quickly they replicate. However, when hobbyists create social networking worms, profit-driven criminals often try to adapt them for making money.
“A deal you just can't refuse!”, “Do not pay for a new iphone 4, get one for free one for no cost!”, “Whoa, check this out everyone” – spam on Facebook runs under numerous creative tag lines. In June the following string of text tried to lure Facebook fans: "I am shocked!!! The teacher nearly killed this boy: http://bit.ly/aWeBMl - Worldwide scandal!" People who clicked on the link were directed to an application.
We had a closer look at the case and found more than 140 thousand clicks within the first day, and the application's page indicated almost 59 thousand active users. This means that more than 40% of the users exposed to this lure were falling for it.
In August we found another, more popular spam about an unlucky McDonald's Happy Meal. This spam used bit.ly links to spread itself on Facebook. The links led to http://happytruthblog.co.cc and there were just over 32,000 clicks within a few hours. The ‘clicks to likes’ conversion rates ranged from around 40% to about 48%. These are excellent results for spammers, and much better than e-mail spam. However, the 32,000 clicks were far less than similar spam from June, when we saw several examples of viral links that yielded hundreds of thousands of clicks. Returns are diminishing as people are exposed, develop a resistance, and recognize Facebook spam for what it is. In fact, the spammers themselves seem to know this and are working harder to convince people. This version of the Happy Meal spam promises "no need to complete surveys". But it was the same old spammer lie, and the page had an anti-spam bot "test", which is just a survey by another name.
Social networking spammers don't need to dupe very many people in order to be rewarded for their efforts. Many of the surveys lead to SMS subscriptions (particularly outside of the USA) and there's good money to be made. And because the conversion rates are better than e-mail spam, you can be certain that it won't be going away any time soon.
Facebook has actually made things easier for the spammers and scammers by not implementing the restrictions on landing pages which it first announced in May 2010. Unfortunately, it's a rather simple task to create a page on Facebook, and the bigger problem is that of "landing tabs", the first tab that's shown to someone who doesn't already like the page. Originally, Facebook announced in May that it would restrict landing tabs to "authenticated pages" or to pages with more than 10,000 fans. One day later Facebook back-pedaled and didn't implement the limitations because small businesses complained. The 10,000 fan requirement was seen as too difficult to achieve. The major use for landing tabs is to build the page's fan base, so perhaps it was too much to ask. But having nothing in place opened up a deluge of scams and spam. Some kind of compromise must be possible.
In early September a clever spammer discovered a Facebook vulnerability that allows for auto-replicating links. Until then, a typical Facebook spam required the use of some social engineering to spread. But clicking on any of the application spam links is now enough to "share" the application to the user's Wall.
Malware in the cloud presents new security problems. Mikko Hypponen, Chief Research Officer at F-Secure, says, “When you start using cloud services more and more, this also means that you are giving up control over your data. As long as your documents and communications are on your own computer, it is possible to encrypt and secure them. Once they are in the cloud, you can only hope that someone else is doing it on your behalf.”
Twitter targeted – antibodies fight back
Opportunist spammers have also been quick to pounce on the newly discovered XSS vulnerabilities in Twitter in an attempt to lead users to dubious surveys and websites. Most of the worms are using onmouseover techniques, meaning it's enough to simply move your mouse over a malicious (or merely mischievous) Tweet to resend the message to your followers. Though the XSS vulnerability has been fixed, we expect problems to continue. It's perfectly possible that there will be more malicious attacks, possibly combining this technique with browser exploits.
Mikko Hypponen suggests that Twitter establish a bounty for finding major new security vulnerabilities in its system, as an incentive for potential hackers to stop breaking into it. Twitter worms are quite different from the more sinister trojans we see attacking the Windows operating system. Most of the Twitter worms are made just for testing, or for fun. Very few try to steal information or to make money. They are created by the same kind of curious tinkerers that 10 years ago would have been writing Internet worms, just to see how quickly they would replicate.
While social networks are increasingly attractive to malware writers because they can spread information so quickly, this also means that Twitter and Facebook users can stop the spread of malware faster than before. Sean Sullivan, Security Advisor at F-Secure, says, “Social networks have built-in antibodies – their users. Whereas the malicious attacks of yesteryear took weeks or even months to develop, the recent Twitter attacks peaked and ebbed in just two and a half hours.”
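The onmouseover worms described above relied on attribute injection: a double quote inside a tweet's link text was copied unescaped into the page's href attribute, ending it early so that an event-handler attribute could follow. The example below is added here and is not F-Secure's or Twitter's code; it contrasts a naive renderer with a hardened one and adds a check a defender could run over rendered markup. The tweet text and the host example.test are constructed.

```python
import re
from html import escape

# Naive rendering: tweet text dropped straight into an href attribute.
# A '"' in the input terminates the attribute and whatever follows is
# parsed as further attributes, which is how an on*= handler gets in.
def render_link_unsafe(url):
    return '<a href="%s">%s</a>' % (url, url)

# Hardened rendering: only accept plain http(s) URLs, and escape with
# quote=True so '"' becomes '&quot;' and can no longer end the attribute.
URL_OK = re.compile(r"^https?://[^\s\"'<>]+$")

def render_link_safe(url):
    if not URL_OK.match(url):
        # Anything that is not a clean URL is emitted as escaped text, not a link
        return escape(url, quote=True)
    safe = escape(url, quote=True)
    return '<a href="%s">%s</a>' % (safe, safe)

# Detection check: does any tag in the rendered markup carry an on*= attribute?
# The attribute may follow a quote directly (no whitespace), so allow both.
EVENT_HANDLER = re.compile(r"<[^>]*[\s\"']on[a-z]+\s*=", re.IGNORECASE)

def has_event_handler(html):
    return EVENT_HANDLER.search(html) is not None

# Constructed sample in the shape the onmouseover worms used (hypothetical host)
CRAFTED = 'http://example.test/"onmouseover="handler()'

if __name__ == "__main__":
    print("unsafe:", render_link_unsafe(CRAFTED), has_event_handler(render_link_unsafe(CRAFTED)))
    print("safe:  ", render_link_safe(CRAFTED), has_event_handler(render_link_safe(CRAFTED)))
```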
For more information, here are some posts from the F-Secure Labs Weblog related to social network spam:
- Twitter Attack
- Warning on Facebook worm "FBHOLE"
- Facebook Spam App Du Jour
- All Your Farm Are Belong To Us
- Should Facebook limit landing tabs?
- Two Steps Away from a Free iPad
- Facebook Recommends Spam Profiles
- What's the success rate of Facebook spam?
- I May Never Text Again: More Facebook Spam
- CPAlead Spam on YouTube
- When do 258 tweets equal nearly half a million dollars?
- Twitter Spam and the OAuthcalypse
- New Spam Worm on Facebook
- Facebook Spam Worm Links to "Mobile Entertainment"
- Twitter onMouseOver Spam
- Twitter Antispam: Media not displayed
- Voi Paska, Facebook Spam Localized in Finnish
Stuxnet worm targets industrial infrastructure
The Stuxnet Windows worm is one of the most significant malware cases in recent times. Discovered in June 2010, Stuxnet is the first malware to target specific industrial systems. The Stuxnet worm is highly complex and has required considerable resources to develop it, leading to speculation that a government or governments are behind it. Stuxnet has infected hundreds of thousands of computers around the world but the large number of infections in Iran suggests that the motive of the people behind the worm is to attack Iran’s nuclear program.
Stuxnet spreads via USB sticks and, once it is inside an organization, can also spread by copying itself to network shares that have weak passwords. The LNK vulnerability used by Stuxnet lets it infect your computer even if AutoRun and AutoPlay are disabled. The current versions have a "kill date" of June 24, 2012, which means the worm will stop spreading on this date.
After infecting the system, Stuxnet hides itself with a rootkit and checks if the infected computer is connected to a Siemens Simatic (Step7) factory system. Stuxnet can make complex modifications to the system; for example it could adjust motors, conveyor belts and pumps. It could even stop a factory and, with the right modifications, cause things to explode.
So far only a few factories have been hit and most of the infected machines are collateral infections of normal home and office computers that are not connected to SCADA systems. Stuxnet does not cause any damage unless it finds the specific factory system it is looking for.
So how can the attackers get a trojan like this into a secure facility? One method could be by breaking into a home of an employee, finding his USB sticks and infecting them. When the employee takes the USB sticks to work, they infect his work computer and the infection spreads further inside the secure facility, eventually hitting the target.
Stuxnet is very complex and unusually large in size, at 1.5 MB. It uses multiple vulnerabilities and is able to drop its own driver onto the system because the Stuxnet driver was signed with a certificate stolen from Realtek Semiconductor Corp. The stolen certificate was revoked by Verisign on 16th of July 2010. A modified variant signed with a certificate stolen from JMicron Technology Corporation was found on 17th of July.
Stuxnet exploits five different vulnerabilities, four of which were 0-days:
- LNK (MS10-046)
- Print Spooler (MS10-061)
- Server Service (MS08-067)
- Privilege escalation via Keyboard layout file
- Privilege escalation via Task Scheduler
The two Privilege escalations have not yet been patched.
There is a reference to "Myrtus" (which is a myrtle plant) in Stuxnet. "Myrtus" could also mean "My RTUs" – RTU is an abbreviation for Remote Terminal Unit, used in factory systems. However, the reference is not "hidden" in the code. It's an artifact left inside the program when it was compiled. Basically this tells us where the author stored the source code on their system. The specific path in Stuxnet is: \myrtus\src\objfre_w2k_x86\i386\guava.pdb. The authors probably did not want us to know they called their project "Myrtus", but thanks to this artifact we do. We have seen such artifacts in other malware as well. The Operation Aurora attack against Google was named Aurora after this path was found inside one of the binaries: \Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb.
Stuxnet recognizes a machine it has already infected because it sets a Registry key with the value "19790509" as an infection marker. This is actually a date: 9th May 1979. This could be the birthday of the author, or it could refer to the date that a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused of spying for Israel.
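The PDB path is stored in the binary's CodeView debug record, so an analyst can pull it out without running the sample. The scanner below is an added example, not F-Secure's tooling: it searches a byte blob for RSDS records (signature, 16-byte GUID, 4-byte age, NUL-terminated path) and reports the first directory component as a likely project name. The sample blob, its GUID and age are constructed; only the paths come from the text above.

```python
import re
import struct
import uuid

# Minimal scanner for CodeView "RSDS" debug records (the PDB 7.0 format):
#   'RSDS' | 16-byte GUID | 4-byte age (little-endian) | NUL-terminated PDB path
# A full PE parser would walk the debug directory instead; scanning for the
# signature is a quick triage heuristic and ignores the older NB10 format.
def find_pdb_paths(data):
    records = []
    for match in re.finditer(rb"RSDS", data):
        off = match.start()
        if off + 24 > len(data):
            continue
        guid_raw = data[off + 4:off + 20]
        age = struct.unpack_from("<I", data, off + 20)[0]
        end = data.find(b"\x00", off + 24)
        if end == -1:
            continue
        try:
            path = data[off + 24:end].decode("ascii")
        except UnicodeDecodeError:
            continue
        # Keep only printable paths ending in .pdb to cut down false hits
        if not path.isprintable() or not path.lower().endswith(".pdb"):
            continue
        records.append({
            "offset": off,
            "guid": str(uuid.UUID(bytes_le=guid_raw)),
            "age": age,
            "path": path,
        })
    return records

def project_name(pdb_path):
    """First directory component of the path, e.g. 'myrtus' or 'Aurora_Src'."""
    parts = [p for p in pdb_path.replace("/", "\\").split("\\") if p]
    return parts[0] if len(parts) > 1 else ""

# Constructed sample blob (not a real binary): padding, one RSDS record carrying
# the Stuxnet path quoted above with a made-up GUID and age, then trailing junk.
SAMPLE = (
    b"\x00" * 32
    + b"RSDS"
    + b"\x11" * 16
    + struct.pack("<I", 3)
    + b"\\myrtus\\src\\objfre_w2k_x86\\i386\\guava.pdb\x00"
    + b"\xff" * 8
)

if __name__ == "__main__":
    for rec in find_pdb_paths(SAMPLE):
        print(rec["offset"], rec["guid"], rec["age"], rec["path"], "->", project_name(rec["path"]))
```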
Arrests in UK
Arrests in multi-million pound online bank fraud case in the UK
In September 2010, a police investigation into the theft of at least £6m from online bank accounts resulted in more than 100 arrests globally and charges against ten people for conspiracy to defraud and money laundering. According to reports from the BBC and Daily Mail, the accused used the Zeus trojan to get access to the online banking login details of at least 600 accounts with HSBC, the Royal Bank of Scotland, Barclays Bank and Lloyds TSB.
Infecting weakly protected computers, the gang was able to steal the online credentials and manipulate the web browsing sessions of their victims by creating an additional page that requested passwords, PIN and card numbers. After gaining access to their victims’ accounts, the gang transferred several thousand pounds at a time to the accounts of specially recruited money mules, who allowed their bank accounts to be used for money laundering in return for payment. The accused are from the Ukraine, Estonia, and Latvia. According to the charges, the gang targeted British banks from 13 October 2009 until 28 September 2010.
Zeus trojan used to target online banking
Zeus continues to be one of the most common pieces of malware we run into. There was an interesting Windows+mobile case in September involving a ZeuS variant that steals mTANs, using a Symbian (.sis) or Blackberry (.jad) component. An mTAN is a mobile transaction authentication number, sent via SMS, and is used by some banks as a form of single-use one-time password to authorize an online financial transaction. The SMS message may also include transaction data that allows you to verify that nothing has been modified (for example by a Man-in-the-Browser attack).
Windows OS based online banking is constantly under attack from phishing, pharming, cross-site scripting, and password stealing trojans. Adding an "outside" device to the process is a useful security countermeasure; one that we thought might be technically challenging enough to dissuade any would-be attackers. However, online security is a constant cat-and-mouse game, and we have often predicted that it is only a matter of time before some banking trojan is targeting phones.
S21sec, a digital security services company, recently published information about the ZeuS variants they have discovered, see ZeuS Mitmo: Man-in-the-mobile. This malware asks for mobile phone details and then sends an SMS with a download link based on the answers given by the victim. It is difficult to get the complete picture of this emerging threat vector as the C&C used by the Zbot.PUA is no longer online, but based on the analysis of the samples and their configuration files, this attack is not a one-off by some hobbyist. It has been developed by individuals with an excellent understanding of mobile applications and social engineering. We expect them to continue its development.
Mobile Security Developments
Mobile security developments – jailbreaks, anti-terrorists, snakes and spies
The biggest security story on the mobile front has been the jailbreakme.com website, which made it possible to jailbreak an iPhone, iPad or iPod Touch simply by visiting the website with the device. Jailbreakme.com used an exploit to execute code on the device. “Anyone could have used the same vulnerability to execute malicious code on iPhones and iPads, which could have resulted in the first global mobile worm outbreak. Luckily this did not happen and Apple released a new version of iOS to patch the vulnerability on most of their platforms,” says Mikko Hypponen. The jailbreaking community also put out their own patch, which closed the security hole for operating system versions no longer supported by Apple.
Some Windows Mobile smartphone users have been affected by the 3D Anti-terrorist trojan, which makes expensive calls to international premium rate numbers, including countries like Somalia and Antarctica. A Russian hacker removed copy protection from the 3D Anti-terrorist Action game and uploaded the trojanized version to download sites where people search for free games. “It’s a way of stealing money directly from infected smartphones and the victims only realise what has happened when they receive their next phone bills,” says Mikko Hypponen.
Another malicious application has been found in the Android Market. A game called Tap Snake turns out to be a client for a commercial spying application called GPS SPY. The Tap Snake game looks like an average "Snake" clone. However, it has two hidden features. First, the game won't exit. Once installed, it runs in the background forever, and restarts automatically when you boot the phone. Secondly, the game secretly reports the GPS location of the phone to a server every 15 minutes.
GPS SPY is a simple mobile spying tool and only costs $4.99. When bought, the application advises you to download and install the "Tap Snake game" to the phone you want to spy on. During installation, the game is registered with a keycode to enable spying. This means that the spy has to have physical access to the phone he wants to spy on. In many ways, GPS SPY / Tap Snake can be seen as a little brother of mobile spying tools like FlexiSPY. GPS SPY is developed by a Russian developer based in Texas, Mr. Max Lifshin ("Maxicom"). GPS SPY and Tap Snake are no longer available in the Android Market.
F-Secure expects to see more malware attacks targeting smartphones. Jarno Niemelä, Senior Researcher at F-Secure, says, “Since 2004 there have only been 517 families of mobile viruses, worms and trojans, but as some mobile malware authors have now made money, we expect to see a lot more activity. Most of the mobile malware we have seen in 2010 has been profit motivated rather than hobbyist activity.” So far the malware monetization methods used by criminals include premium SMS messages, premium voice calls, subscription scams, banking attacks, ransomware, and fake applications.
See Mikko Hypponen’s video on mobile security developments at the FSecureNews Video Channel: Mobile Security Review September 2010