There have been a couple of malware attacks that have tried to use the news coverage of the death of Michael Jackson as the lure to get people infected.
Last night we saw this one: a file called Michael-www.google.com.exe. This file was distributed through a site called photos-google.com and possibly also through photo-msn.org, facebook-photo.net and orkut-images.com. Do not visit these sites.
When executed, Michael-www.google.com.exe drops files called reptile.exe and winudp.exe. These are IRC bots with backdoor capability. The file also shows this fake error message:
We detect the dropper and the backdoors as Trojan.Win32.Buzus.bjyo.
The "King of Pop", Michael Jackson, died last night after suffering a cardiac arrest. The news is currently spreading through a lot of different media outlets and they are being printed worldwide.
Another recent death, Farrah Fawcett, is also making headlines.
The subjects themselves are not related to information security, but how long do you think it will take until the bad guys pick up the news as well and start using it? Usually it has taken a few days at most.
So remember, if or more likely when you start receiving e-mails on these subjects, please be extra careful when opening any links as they might be taking you in for a rough ride.
U.S. Secretary of Defense Robert Gates recently confirmed the creation of a U.S. Cyber Command aimed at dealing with cyberthreats to military resources. A previously announced White House "cybersecurity coordinator" is already in the works to deal with similar threats to critical government infrastructures.
On the whole, that's good news. It would be great however to hear of similar efforts in protecting a particular commercial resource that's definitely "critical infrastructure" – civil aviation electronic systems.
Earlier this year, the U.S. Department of Transportation released an audit report (streaming PDF here, Open rather than Save) in which it determined the national air traffic control systems administered by the Federal Aviation Administration (FAA) had significant weaknesses and vulnerabilities, potentially allowing an unauthorized party to access and control vital services and systems.
This isn't the first time the FAA has been criticized for the weaknesses in civil aviation electronic system security, with the first such criticisms coming as early as 1998.
The report cites incidents that took place in 2006, 2008 and 2009 as supporting evidence that the administrative and operational systems can be breached. The FAA disputes this claim.
Not cited in the report, but of possible interest, is a 1998 incident in which a teenager successfully disabled vital airport control tower services at a regional Massachusetts airport (CNet article here).
Hopefully, with the current government enthusiasm for improving computer security, the current civil aviation systems get some attention too.
CNN.com carried a recent news article about the city of Bozeman, Montana, USA, which has been pressured into removing an item in its background-check waiver form requesting all applicants to disclose their account names and passwords for social networking websites such as Facebook, MySpace and YouTube.
The change in policy is attributed to a furore that arose after one applicant contacted Montana's News Station expressing concern about that particular aspect of the background check.
The city justified the login details request as just another part of an extensive background check they perform on all employees. The precautions were meant to ensure that those holding positions where they'd be handling the city's funds or operations will be reputable and honest. And presumably smart enough not to post details of any objectionable activity they might engage in online.
The Bozeman Daily Chronicle also mentioned that elected city commissioners weren't affected by the policy, only city employees.
What's actually rather interesting to consider is that the policy has apparently been in force for about three years and according to city attorney Greg Sullivan, "No one has ever removed his or her name from consideration for a job due to the request". Rather begs the question, did they really give up their login details? Provide fake ones? Or just ignore the request?
And yes, legally, the policy does appear to be on some seriously shaky ground. Unlike some states – or countries – Montana's state constitution explicitly guarantees a citizen's right to privacy.
The request for login details was quickly removed last week. Still, it appears the city is keen on checking applicants' online behavior, as "officials are looking at ways to alter the policy so that they might view an applicant's online information without asking for log-in codes".
And while the Internet is a source of information for political activists, there is also something else more questionable taking place… DDoS attacks against government servers in Iran.
A Twitter search for Iran and DDoS yields numerous results. Some folks are urging against DDoS attacks, but not in principle, rather because they might affect the bandwidth of political protesters. What are those concerned for the protesters promoting instead?
Targeted hacking.
We saw this earlier today on Twitter: "Please, use SURGICAL hacking only".
Our recommendation? No one should hack servers. It's a crime. Period.
Private citizens can participate in organized peaceful protests. Organizing surgical strikes against someone else's servers is virtual violence.
And violence begets violence.
Vigilante cyberwar is not a productive path upon which to proceed.
"Project Worm will be a six-part (web) TV series about international cyber crime. Initial development goals are concept development, story line, synopsis and a screen play for part one. This early development will run from May to July 09. Shooting of the actual TV series will take place in six different countries in 2010."
A series about cybercrime? Cool. Members of the Lab are assisting as "technical consultants" (or something like that).
For the last couple of years there has been talk – like this iGillotResearch report (in pdf) – about how the convergence of mobile phones and the Internet would unleash a new wave of threats targeted at the phone and distributed over the Internet. We've definitely seen a number of attacks on mobile network operators. Yet up until now, most users haven't been hit by Internet-based attacks.
For example, the Apple iPhone last year saw its first Trojan to be distributed via the Internet. Still, that was more "script-kiddie prank program" than "serious crimeware". Heck, it wasn't even the first Internet-based mobile threat – technically, you could argue the 2006 Eliles.A worm has that distinction. Halfway through 2009, there haven't yet been any major outbreaks of Internet-distributed mobile malware.
So what's this, another bogeyman story about mobile security? Well kinda. Today Apple announced the release of its iPhone 3G S model on June 19. It's supposed to be faster, more feature-loaded and so on.
(source: att.com)
In offering a neat package of enhanced phone, easy surfing with the onboard Safari browser and the appeal of a huge variety of programs from the App Store, Apple looks set to spur even more people into getting online via their mobile phones.
And as seems to be the case with mobile phones these days – where Apple leads, others will follow. Most mobile phone producers have been racing to provide the same level of online browsing user-friendliness in their products. If they get it right, that means even more users picking up mobile surfing.
Which means that malware authors will have even more reason to start targeting the mobile phone. Let's hope the phone producers and mobile network operators consider that first Trojan a kind of "warning shot" and set up some strong security measures.
For now, it seems like all is quiet on the mobile front.
On an unrelated note, the new iPhone model also formally introduces an Internet Tethering functionality allowing users to connect a computer to the phone and surf the Internet – no Wi-Fi hotspot required. Some users have been asking for the feature for a while now, so – wish granted. Enjoy!
I've been testing our ISTP for several weeks now here in the Lab.
The more that I use our ISTP — the more I find to like — and I'm very much looking forward to this year's product releases.
This past weekend I tested some new ISTP features from home. One thing I've never really had a need for is anti-spam for a POP mail account. I've been using webmail since 1997.
That's why I was curious to test our new Browsing protection ratings for webmail based links. And I have to say, it does a pretty credible job so far. I'm looking forward to it being in full production.
Here's a sample screenshot using a malware domain list pulled from malwaredomains.com, a useful blocklist site. The red "X" icons show the domains that our network reputation services already recognize as malicious.
Next I e-mailed myself some Facebook phishing links.
The fourth URL in my test isn't detected, so I clicked on the "?" icon to report that particular link.
Then all I needed to do was to select "It is harmful to use" and to click on the OK button.
That then submits information to be analyzed by our Network Reputation team and their automation.
To Jay-R and team — Keep up the good work! This is a great service.
Last week we had a chance to visit the Global Response Center of IMPACT.
IMPACT is the first global public-private initiative against cyber threats. The headquarters are in Cyberjaya, Malaysia.
Their HQ building is quite impressive!
The Global Response Center is getting ready for action.
More about IMPACT:
The IMPACT initiative has been underway since 2007. Hopefully it will get more traction and international acceptance, as this is the kind of action we need if we really want to fight online threats.
The advisory details a vulnerability in Microsoft's DirectShow, quartz.dll, affecting QuickTime parsing. (Not a QuickTime vulnerability.) Microsoft has reported some use of an exploit in the wild.
An analyst from our Exploit Shield team, Victor, tested a working sample against our Exploit Shield technology.
His efforts can be seen below, click the image for a larger view.
Excellent. Exploit Shield proactively blocks this threat with heuristic detection of shellcode exploitation.
And this is the block page that will be displayed to clients.
P.S. And just so you know, there is ALSO a QuickTime vulnerability that's been patched. See our vulnerability description for details. Update your QuickTime to version 7.6.2.
Updated to add: There's also an advisory for iTunes so you can get your QuickTime update along with iTunes 8.2.
Now that the Pentagon has made its proposal to Barack Obama; and now that the President has announced his civilian agency goals, let's ask a slightly different question.