NEWS FROM THE LAB - February 2010
 

 

Thursday, February 25, 2010

 
This you?? What's the point of phishing a Twitter account? Posted by Sean @ 15:12 GMT

We've received some questions regarding recent phishing attacks conducted against Twitter.com.

Tweets and Direct Messages (DM) containing phases such as "This you??" or "LOL is this you" are linking victims towards a Twitter login phishing page. If the bait is taken and victim enters their password, Twitter's infamous "fail whale" is displayed and the user is returned to their account. They might not even realize that their account details have been compromised.

Phishing attacks directed against Twitter are not new. But what's the point?

Trust.

Peers within a social network have a greater level of trust amongst themselves.

And so why the recent attacks?

We think it could have something to do with some of the recent search engine deals that have been made.

Yahoo announced that they'll begin to include Twitter's real-time feed into their search results and Facebook is now included in Google's search results.

The bad guys can use social networking trust to enhance their SEO attacks.

Lets take a current hot topic as an example. There are several Twitter results in the image below.

lastest.google.results.seaworld

Note: Always be careful when searching for hot topics. This "sea world trainer killed" example is currently being used in SEO attacks and many results will lead directly to scamware.

There's also a Facebook result in the example above. We expect to see fresh phishing attacks against Facebook before too long.

Twitter's Safety and Spam feeds are useful to follow if you have a Twitter account. Twitter's working on the issue now by prompting those that received phishing messages to change their password.

There is a silver lining to all of this…

While social networking trust can be abused, social networks themselves are incredibly responsive to emerging threats.

Check out the latest search results for "This you??". Twitter users are already spreading information to counter the dis-information pushed by the bad guys.

It used to take weeks to stamp out e-mail hoaxes. Now, the issue almost corrects itself as quickly as it is abused.







 
 

 
 
R.I.P. Waledac? Posted by Sean @ 14:19 GMT

Microsoft took a stab at Waledac bots last April when they added detection to their Malicious Software Removal Tool (MSRT).

The MSRT is part of their monthly Microsoft Updates package.

Well this week, Microsoft is going after the Waledac botnet en masse, by taking down 277 dot.com Command & Control servers.

microsoft's waledac map

Kudos to Microsoft. We hope this endeavor is successful.

We haven't yet seen a drop in spam or bot samples, but we're waiting and watching.

It will likely take some time for the bodies to stop moving around even though the heads have been cut off.

They are zombies after all…







 
 

 
 
60+ Compromised Sites with SEO Poisoning Posted by Response @ 07:23 GMT

More than 60 websites have been found to be hotbeds for SEO poisoning. Each of these domains host hundreds of possible matches for search keys.

Also, the topics in one domain overlap with that of the other domain, thus making it possible that they will both emerge in the search results. Topics range from the Winter Olympics Luge Crash to the death of Alexander McQueen and even to NASCAR Schedule.

When an unsuspecting user happens to input a particular search key that matches one of those being served by the compromised sites, the search results will be full of malicious links. Moreover, unlike before where there are only a few rogue links in the results, there are more than 60 this time, and a lot of them are in the top 10. This strategy increases their chances of being clicked by the user.

search results

After the user clicks on the link, a page will open, pretending to scan your system. Afterwards, it displays a supposed system infection and offers a "solution"…

scanning

If you execute it, you welcome a Rogue downloader onto the system…

downloading

And afterwards, the rogue itself…

security antivirus

Rogue distribution seems to be playing the numbers game. The more websites they can compromise, and the more search keys they employ, the more chances of getting their webpages matched en route to getting the scamware onto the user's system. It's pretty devious, and it seems to be working.

F-Secure Browsing Protection already protects users from visiting these compromised domains and the subsequent malicious sites they redirect to.

Response post by — Christine and Mina

 
 

 
 
Wednesday, February 24, 2010

 
SC Magazine's Five to Follow Posted by Sean @ 17:04 GMT

SC Magazine (US) is hosting security blog awards next week at RSA Conference 2010 and our own Mikko Hypponen is among the nominees in the Five to Follow on Twitter category.

http://twitter.com/mikkohypponen

Mikko decided to take a look at "this Twitter thingy" last year and has now posted over 900 tweets with more than 5,600 followers.

Here's an example of the type of thing you might find from his feed. Lots of good stuff there…

Here's SC Mag's poll. Be sure to check out the other categories on their front page. Thanks.

—————

Updated to add: The poll is closed. Results will be announced at Tuesday's SC Magazine Awards 2010 gala in San Francisco.

Updated to add: Mikko was voted one of the "Five to Follow". Congrats to Mikko.

All results can be found at twitter.com/SCMagazine.

 
 

 
 
Tuesday, February 23, 2010

 
Sprechen Sie SSL? Posted by Mika @ 14:18 GMT

Why is it that banking trojans are a problem when all online banks are HTTPS secured and many of them employ multi-factor authentication?

The answer: Humans are not digital.

If we would have a network cable attached to our brain, and our brain could decrypt and encrypt SSL, there would be no problem. However, due to the "analog" interfaces which human beings have, a web browser has to decrypt the traffic and convert it into images (text characters, icons, et cetera) and sounds. This means that a malicious application that can modify the browser memory can control what the user sees, and what he then sends to the bank via in-band communications. It is technically possible for malware to free ride on authenticated sessions with online services and feed or modify transactions.

If malware can modify the memory of the browser, or some other application, it can gain control. This is not just a problem for online banking and not just with malware. For example, current MMORPG games typically do quite a bit of the computation needed on the client side. Not all of this computation is graphics processing. This creates the possibility for cheating in games by patching the client or its memory locally on the host (Greg Hoglund and Gary McGraw have written a book called "Exploiting Online Games: Cheating Massively Distributed Systems [2007]" on the subject). Another good example of this "client-side dilemma" is voting. Imagine sitting at home on your couch while using your web browser to vote in your local/state/national elections. If and when this becomes possible, malware may be used to rig votes.

Sprechen Sie SSL?

Today's browser is more powerful than yesterday's OS.

The browser is, for all practical purposes, a terminal of the bank, but it is running in a completely untrusted environment. Actually, you could say that the Browser is the new OS. Since important content is more and more in the cloud and accessed via the browser, malware, in theory, does not have to infect the OS at all. Malware only needs to infect the browser and it will be able to access, steal, and modify all the necessary content. Since most browsers have a cross-platform plugin architecture, it may even be possible to create data stealing malware that is not interested in the operating system or file system at all. It will only exist in memory of the browser.

Currently, banking trojans do infect the OS and are typically only a problem for Windows based systems. Banking trojans and other malware that need to bypass HTTPS security operate within the browser. This is called a Man-in-the-Browser (MitB) attack. If the malware would try to intercept the traffic from a lower OS level, it would already be HTTPS encrypted. This is not a new phenomenon but nevertheless it is still on the upswing within most malware author's armory. MitB malware is typically browser dependent and most of them only target Internet Explorer (and possible other browsers using MS WinINet API) and lately also Firefox.

Is safe online banking impossible then?

Aside from keeping your system clean of malware, at least "safe enough" is definitely possible. For example, out-of-band solutions, using an SMS message to review and confirm transactions, provide a good additional layer of security. Some have also suggested using something such as a Live Linux CD when doing online banking.

Alas, both SMS messaging and Live CDs are examples of the old "security versus usability" issue. They're an additional layer of security, but they can also rapidly overwhelm the analog brains of those using them.

 
 

 
 
Monday, February 22, 2010

 
Do you sign your code? Posted by Response @ 15:24 GMT

The lab has a survey request. As Windows 7 gains market share, code signing is becoming more important for software developers.

A byproduct of more clean code being signed is that malware authors now have greater incentives to get their stuff signed in order to prevent it from being easily distinguished from legitimate software.

With this in mind, we'd like to run a questionnaire aimed at developers who sign their code.

So if you're a Windows developer, we would appreciate it very much if you would care to answer following short survey.

1. Do you sign your code?
2. Do you have a separate server for signing code, or are you signing on same computer as you use for development?
3. Are you either signing your files without a password, or have you made a signing batch file that contains the password?
4. Do you browse the Internet, read email, or use your development computer in other activities than just pure development?
5. Do you run antivirus software on your development and/or signing computers?
6. Has your development and/or signing computer ever been infected with a virus or other other type of malicious software?
7. What verifications were required when you applied for your signing certificate?
8. Has your signing certificate even been stolen?
9. Additional comments.

Click here to answer. Cheers!

 
 

 
 
Friday, February 19, 2010

 
Just what is this botnet called Kneber? Posted by Sean @ 15:14 GMT

There's a botnet dubbed Kneber receiving lots of media attention this week.

So, just what is Kneber? Many reports have called it *THE* ZeuS botnet.

But really… it's just *A* ZeuS based botnet, dubbed Kneber because of the name used to register many of its domains.

And so what is ZeuS? Well, ZeuS is a kind of do it yourself toolkit for building botnets. We call it Zbot. Our first samples of Zbot/ZeuS date back to October 2007.

Here are some Zbot posts from our blog:

  •  February 2008: Mikkeli Spam Links to ZBot Malware
  •  April 2008: Ms. Polinka Wants Your Bank Account
  •  November 2009: Poker in the ZBot

Here's a screenshot of a ZeuS packages for sale:

ZeuS for sale

And here's a link to a video of a ZeuS botnet in action.

ZeuS is definitely a threat, but isn't a new threat.

Brian Krebs sums it up very nicely:

"Sadly, this botnet documented by NetWitness is neither unusual nor new. For the past several years at any given time, the number of distinct ZeuS botnets has hovered in the hundreds. At the moment, there nearly 700 command-and-control centers online for ZeuS botnets all over the world, according to ZeuStracker, a Web site that keeps tabs on the global threat from ZeuS."

Updated to add: The video has been removed from YouTube.

 
 

 
 
Thursday, February 18, 2010

 
Google's Buzz, there is no such thing as bad publicity... Posted by Sean @ 14:25 GMT

Google BuzzWould somebody please tell us why there's so much hype regarding privacy issues and Google Buzz?

Buzz integrates into Gmail… an e-mail service that reads (i.e. analyzes) your messages in order to target you with more specific ads, right? We recall objections being made about this analysis when Gmail launched. Has everyone forgotten this? Isn't this just the same tune being played once again?

Is anyone really that surprised that Google so aggressively rolled out automatic sharing features to Buzz?

It seems to us like a win-win situation. Either Google launches Buzz, to minimal objections, or else, they receive a great deal of free publicity while they "fix" the reported privacy issues. Google's launch of Buzz certainly created notable buzz in the press.

That's ultimately important for the search giant because unless they encourage sharing from their own services, they'll be losing out on future revenues to providers such as Facebook.

In fact, Facebook is already the world's largest news reader according to hitwise. It should not go without mention that Facebook's recent homepage update moved their search field towards the center of the screen. It's all connected.

Sharing is tomorrow's search and the players are beginning to battle it out. Your privacy is at stake, if you let it be. It's a trade off folks. You don't get to use free services and expect to get absolute privacy. Either you offer up some of your information for enhanced services, or you don't.

Remember, Google isn't your friend. It's a business.

If you really need privacy, use something else besides Gmail (and other free web based solutions). Some folks actually pay for their e-mail services, you can get something more secure for something like $20 a year, and that's cheap when you think about it.

 
 

 
 
Tuesday, February 16, 2010

 
Security Advisory, Adobe Reader Posted by Sean @ 15:53 GMT

It's Fat Tuesday — time for an Adobe Update.

Adobe plans to release a security update for Adobe Reader and Acrobat later today.

Read Security Advisory APSB10-07 for additional details.







 
 

 
 
Flabber Ad Leads to Rogue AV Posted by Christine @ 04:28 GMT

Paul, an avid reader of our blog asked us to investigate flabber.nl since it led him to a Rogue-hosting website. When we initially checked it, we found nothing. Must be those geolocation-sensing ads. To solve that, Paul sent in packet logs of when he visited flabber.nl.

Flabber

And soon it showed that one ad goes a long way.

+partner.googleadservices.com
++pubads.g.doubleclick.net
+++ad.bannerconnect.net
++++ad.yieldmanager.com
+++++("pharmacy" site that contains a link to a Rogue-hosting site)
++++++The Rogue-hosting site

From googleadservices to yieldmanager.com, it all looks like normal ad traffic. Then, an ad reference from yieldmanager.com sends it downhill to a "pharmacy" website, then to…

Flabber

Flabber

And when you leave, well, the Rogue website reminds you to come back..

Flabber

The latest Rogue AV hosted here is already detected in our latest databases and parties were already being notified to shut down the offending websites and contact flabber.nl.

Updated to add: Flabber.nl has been very quick and vigilant in removing the offending ad and has already cleaned up their site. Thank you for the immediate action guys.

 
 

 
 
Monday, February 15, 2010

 
Answer Survey, Get Stickers Posted by Sean @ 15:44 GMT

One of our researchers, Alexey, has a request. He'd like you to participate in a survey.

And if you do, we'll send you some of our laptop stickers (supplies are limited).

Stickers

100 t-shirts will also be given away to randomly selected participants.

Here are some of the details:

The questionnaire is part of a Future Internet research project of Helsinki Institute for Information Technology, Nokia, and F-Secure. The primary goal of the research is to achieve a better understanding of how people feel about data security and what motivates them to share opinions on data security-related issues.

Click here if you're interested. The survey will be available until March 5th and it's anonymous if you choose.

Cheers!







 
 

 
 
Mobile Browsing Protection and Anti-Theft Posted by Response @ 15:23 GMT

There are new features in our latest release of Mobile Security. And one that affects the lab directly, is Browsing Protection.

With version 6 of Mobile Security, users will be protected from phishing sites.

Harmful web sites are blocked like this:

Mobile Security Browsing Protection

Phishing isn't limited to desktops. Many attacks work exactly as well on smart phones.

But that's not all. We've also released an Android version of Mobile Security.

http://www.htc.com/www/product/g1/overview.html

All of the versions can be found here.

 
 

 
 
Friday, February 12, 2010

 
Just Sign Here Posted by Mikko @ 15:55 GMT

The GSMA Mobile World Congress 2010 is starting next week in Barcelona. It's going to be a huge event.

I got a text message like this from an unknown number:

Mobile World Congress

When you click on the link, you get this page:

Mobile World Congress

"During the installation, please click Yes to every question. You can trust this application: it's the official MWC 2010 mobile guide."

Oh, really? Just trust you because you say so?

And if you click for the application link, you get this:

Mobile World Congress

Folks, this is not the way to do it. Just sign your applications instead of trying to convince us that it's ok.

We did check the application in question, and it is the official mobile guide. But it could have been anything.

P.S. Talking about Mobile World Congress, obviously F-Secure will be at there, so come and meet us. And I'll be talking about Integrating Security into Every Step of the Mobile Handset Design on Tuesday at 2pm.

Signing off,
Mikko

 
 

 
 
Thursday, February 11, 2010

 
Video - Griffin Trailer Posted by Sean @ 16:10 GMT

In a world… One man… One trailer…


Link: Griffin Trailer

Here's the teaser from October.

More details at www.wreckamovie.com/griffin.

 
 

 
 
Tuesday, February 9, 2010

 
Black Hawk Down Posted by Sarah @ 03:59 GMT

Kudos to the Chinese authorities for shutting down an online hacker training operation known as the Black Hawk Safety Net.

The Black Hawk operation, which provides Trojan software and lessons in cyberattack techniques, comprises 12,000 paid subscribers and another 120,000 free members.

Three people who run the Black Hawk's website have been arrested, and the site has now been blocked from access. The police also seized nine servers, five computers and a car during the raid.

For further details, you can read it at Yahoo! News.

 
 

 
 
Monday, February 8, 2010

 
Watch Out for flower-show.org Posted by Mikko @ 14:54 GMT

We saw a pretty PDF file today (md5: 116d92f036f68d325068f3c7bbf1d535).

It looks like this:

flower-show.org

Nice flowers.

Unfortunately, when viewing the file, it uses an exploit against Adobe Reader and drops and runs a file called 1.exe.

This executable is a Poison Ivy backdoor. It calls home to a host called cecon.flower-show.org. Whoever controls the computer at that address gains remote access to the target computer. The PDF was used in a targeted espionage attack against an unknown target.

We've seen the domain flower-show.org before, already in 2009. Then another PDF called home to posere.flower-show.org.

flower-show.org

Today, both of those host names resolve to 202.150.213.12, which is not in China. It's in Singapore.







 
 

 
 
worldrofwarcraft.com Posted by Mikko @ 13:21 GMT

World of Warcraft

The World of Warcraft online game has over 10 million players around the world.

World of Warcraft also has hundreds of phishing websites targeting it, trying to steal end-user login credentials.

Like these:

World of Warcraft

The domain names for most of these phishing sites are easy to spot (wor1dcfwarcraft.com? give me a break), but others are a bit trickier (worldrofwarcraft.com – yes, there's an extra "R").

So, why are these accounts being stolen? For fun? No, they are stolen for the virtual gold and weapons. A stolen account gets emptied quickly and the goods are put for sale for real money online.

But who would buy virtual goods for a game with real cash? Well, based on the amount of sellers, quite a few.

WoW gold







 
 

 
 
Gmail Phish Posted by Alia @ 01:40 GMT

Just a quick note to readers to be aware of e-mails purportedly from Gmail administrators.

One of our Fellows recently received a message from "The Google Mail Team" asking users to verify their account details to combat "anonymous registration of accounts":

Gmail Phishing

The reply-to address is listed as "verifyscecssze@gmail.com", which obviously isn't an official Gmail admin account. Meanwhile, the domain name gmeadmailcenter.com is registered to a Catholic church in Michigan.

Just your typical phishing type message really. Gmail users who receive this e-mail can report it to the (real) Gmail team using the "Report phishing" option in their account, or just delete it.

 
 

 
 
Friday, February 5, 2010

 
New Facebook Home Page, Important New Privacy Setting Posted by Sean @ 13:42 GMT

Facebook started rolling out a new home page and navigation menus earlier today.

And whenever Facebook adds new features, in this case the Applications and Games dashboards, there's usually a new privacy setting as well.

This is what part of the new Applications dashboard looks like.

Facebook Application Privacy

All Facebook has raised some privacy concerns regarding the dashboard's output.

Do you really want all of your "friends" to know what applications you've been running?

You don't?

Then you'll want to take a look at the new control provided by Facebook.

Here's the old Applications and Websites settings page.

Facebook Application Privacy

Here are the new settings.

Facebook Application Privacy

The new privacy option allows you to "Control who can see your activity in the Friends' Recent Activity, Friends' Applications and Friends' Games sections of these pages."

Facebook Application Privacy

The control options should be familiar enough at this point. Sharing can be set to Only Friends, Friends of Friends and Everyone.

Of course, utilizing Friends Lists can limit access in a more refined manner.

Facebook Application Privacy







 
 

 
 
Microsoft Updates and Vulnerabilities Posted by Response @ 12:57 GMT

Updates

February 9th will bring numerous Microsoft Updates, 13 bulletins addressing 26 vulnerabilities.

All versions of Windows are affected.

Microsoft, February 2010

Looks like a busy Tuesday is ahead.

See Microsoft's Security Bulletin Advance Notification for February 2010 for additional details.

Vulnerability

There's also a notable Internet Explorer vulnerability that's been published with Security Advisory (980088).

Ars Technica puts it this way: Microsoft warns of IE flaw, turns PC into public file server. That doesn't sound very good, does it?

Microsoft Support has a Fix it for me tool available.

 
 

 
 
Thursday, February 4, 2010

 
Using Google Images to Investigate Fraud Posted by Sean @ 14:48 GMT

Sami, one of our test engineers, was recently seeking a Play Station 3.

He found this offer at Huuto.net, a Finnish auction site.

PS3 Auction

160� for a 60GB unit, with games, not bad.

Sami wanted to confirm that the seller was legit, so he requested a picture, and received this.

PS3 Auction

When he examined the image properties, he discovered that the picture was taken in 2008.

PS3 Auction

Next, he performed a Google Image search using the size option. Smart.

PS3 Auction

He managed to find the image online, located within a Finnish forum thread from 2008.

PS3 Auction

That seemed kind of suspicious, so he suggested that the seller provide another picture, with the PS3 alongside a current newspaper.

The deal fell through, of course, when the seller refused. Not such a clever fraudster, eh?

He seems to have forgotten how easily things can be found on the Internet using the right tools.

Kudos to Sami for documenting his investigation and for filing a report with the police.

 
 

 
 
Wednesday, February 3, 2010

 
An Apple a Day Posted by Sean @ 14:46 GMT

We were recently asked some questions about Mac security. Mikko's comments can be read at CNET.

Also in Apple news, iPhone/iPod touch OS 3.1.3 has been released and there are security fixes.

(Not that it's mentioned during the update.)

And speaking of iPhones, they're vulnerable to remote attack on SSL.

Updated to add: Here's another interesting iPhone/iPod touch related story at the Register.

Dan Goodin: The Elcomsoft iPhone Password Breaker, which was released for free into beta, recovers passwords for iPhones and iPod Touches by trying thousands of phrases per second.