The Winlock numbers, the Winlock laws
<p>While Eugene’s <a href="http://www.securelist.com/en/blog/299/The_Winlock_case_I_m_taking_bets">busy</a> taking bets (wonder how much he’s going to make?), I’ve been having a think about the Winlock case.</p>
<p>Russian law enforcement is estimating that the bad guys could have raked in as much as $1 billion. While it’s difficult to be certain about the exact amounts involved (obviously they spread their money across a lot of different accounts to avoid attracting attention), a little bit of simple math makes me think this figure isn’t as crazy as it might sound.</p>
<p>Our statistical analysis tells us there could be around a million people who’ve been infected. 10 cybercriminals, each getting a cut of a ransom between $10 and $30 - even though they were paying out $3 per infection to the people willing to spread this malware, the numbers add up pretty quickly.</p>
Understanding Current Trends in the Fake Anti-Virus/Scareware Ecosystem
<p>The cyber-criminal groups behind fake anti-virus (scareware/rogueware) infections have run into some significant roadblocks over the last few years, but there is much more to the overall story.</p>
<p>Some groups have been arrested. Some have had their operations and entire call support centers <a title="Large Fbi Scareware Ring Bust" href="http://chicago.fbi.gov/dojpressrel/pressrel10/cg052710.htm" target="_blank">shut down</a>.</p>
<p>Some groups attracted too much attention, picked off <a title="Conficker/Kido Downloads SpywareProtect2009" href="http://www.securelist.com/en/blog/208187654/The_neverending_story" target="_blank">the low hanging fruit</a> and eventually walked away from their botnets.</p>
<p>In some cases, the groups just <a title="MonaRonaDona Unigray FakeAV Scam" href="http://www.securelist.com/en/blog/208187485/MonaRonaDona_malware" target="_blank">weren't very skilled</a> at developing anti-anti-malware techniques, blackhat SEO, and malware distribution. They couldn't keep up with the changes in anti-malware technologies, <a title="MonaRonaDona Unigray FakeAV Scam" href="http://www.prevx.com/blog/82/MonaRonaDona--We-might-be-in-the-AV-industry-but-at-least-we-arent-STUPID.html" target="_blank">weren't exactly dedicated</a> to the effort, and simply fell off the map.</p>
<p>However, some of the remaining scareware distribution gangs upped the ante and are aggressively developing difficult-to-detect polymorphic installers and difficult-to-remove support components. The newest of these malware components include some of the first in-the-wild (ITW) 64-bit malware components to be taken seriously. But, for the most part, the scareware program itself remains the same.</p>
<p>The development continues to change and progress, all for the purpose of evading anti-malware solutions and helping coerce the end-user to pay for the fake product, including support/rootkit components like <a title="Exhaustive TDSS Securelist Analysis" href="http://www.securelist.com/en/analysis/204792131/TDSS" target="_blank">TDSS</a> (and its extreme complexities) or the more recent Black Internet (also known as "Trojan-Clicker.Win32.Cycler") support/rootkit components. These complex MBR infectors and other rootkit components, meant to keep money-making scareware on the system, are signs of this somewhat extreme development effort.</p>
The Winlock case - I'm taking bets!
<p>Interesting news on Trojan SMS Blockers (Winlock etc.). These programs block Windows and demand a ransom in the form of a text message which is sent to a short number for a fee. It's a very popular type of racket at the moment, both in Russia and a few other countries.</p>
<p>The whole affair has now reached the General Prosecutor’s office of Russia – the criminals have been identified and detained (or so it seems) and will be prosecuted in Moscow soon.</p>
<p>Altogether the criminals have earned an estimated 790,000 roubles, or $25K. Moreover, they have caused other damages by blocking or crashing a yet to be determined number of personal and company PCs. Very often people have needed to re-install the OS and all software and then restore data from backups - even after paying the ransom.</p>
<p class=c><a href="http://www.securelist.com/en/images/pictures/klblog/2273.png" target=_blank><img src="images/pictures/klblog/2273.png" border=0 width=400 height=288 alt=''></a></p>
<p class=c><a href="http://www.securelist.com/en/images/pictures/klblog/2274.png" target=_blank><img src="images/pictures/klblog/2274.png" border=0 width=400 height=276 alt=''></a></p>
<p>But I wanted to focus on the outcome – or the possible outcome of this incident, not on the investigation, arrests and so forth.</p>
Twitter goes OAuth-only (Yay for security!)
<p>In a long overdue move, Twitter turned off basic authentication for third-party applications, while <a href="http://blog.twitter.com/2010/08/twitter-applications-and-oauth.html">enforcing OAuth for all apps</a>. This is a move that should be applauded by anyone concerned about the security of their Twitter account.</p>
<p>This latest move covers a potential vulnerability in the process of giving read/write access to third-party applications, which could lead to a Twitter account being compromised. Well, not anymore. You don't need to give your username and password to third-party developers anymore if you want to use their application on your Twitter account.</p>
<p>Being always concerned about security, I salute Twitter's move to enforce OAuth. This lets me use an application without having to share my Twitter username and password with an unknown entity. Also, hats off to all developers that updated their applications in time and made this change as seamless as possible for the majority of users.</p>
<p>However, keep in mind that OAuth doesn't protect against local attacks - stealing passwords straight from the users' machines. Make sure you use a clean computer when you log in to Twitter. Also, for more tips on staying safe, I invite you to read my quick <a href="http://threatpost.com/en_us/blogs/how-avoid-getting-your-twitter-account-hacked-081810">How to Avoid Getting Your Twitter Account Hacked</a> guide on Threatpost.</p>
Gumblagra and a piano
<p>Since the beginning of August, our Japan office has seen 900+ mails of a certain kind in their spam traps.</p>
<p class=c><img src="images/pictures/klblog/2266.png" border="1" alt="" title=""></p>
<p>We noticed two common patterns in all of the mail. First, the links in these spammed messages all point to compromised servers. Second, the file names of the redirectors are all dictionary words followed by two digits. The files redirect the users to online pharmacy sites and fake watch stores. Here is a screen capture of a directory hosted on one of these online sites:</p>
<p class=c><img src="images/pictures/klblog/2268.png" border="1" alt="" title=""></p>
<p>You might wonder why this caught our attention. The answer is simple: about half of these files contained links to 'gumblar.x' servers.</p>
<p class=c><img src="images/pictures/klblog/2269.png" border="1" alt="" title=""></p>
<p>The upper red link points to a pharmacy site, the lower one is a gumblar.x URL.</p>
<p>So basically an unsuspecting (and unprotected) user who clicks these links in their mail will experience a typical 'gumblar-attack' while browsing a pill catalog. The recent peak of such hybrid attacks may be a sign that the cybercriminal(s) who’ve been slowly but surely growing the Gumblar botnet worldwide, and who up until now have been keen to fly under the radar, are now starting to monetize it. The first test runs of mixed pharmacy/gumblar pages were actually identified by our experts as early as April 2010, when we noticed a few mails of this kind, with subjects like "Twitter 61-213".</p>
<p>On further investigation of the involved servers, it turned out that plenty of them have additional malicious code injected directly into their www root. We counted mostly gumblar.x but also some 'pegel.*' and other obfuscated code containing iframers or other redirectors.</p>
<p>Additionally, almost ALL of these domains contained a link to 'hxxp://nuttypiano.com/*.js' at the end of the file.</p>
<p class=c><img src="images/pictures/klblog/2270.png" border="1" alt="" title=""></p>
<p>There are more than 300 different .js files in circulation on such servers; their content is obfuscated and similar to known 'pegel' threats. To make our researchers' task more difficult, the malicious code will only be sent once to the same IP address. However, we have managed to download several samples from the same locations and identified polymorphic-like structures.</p>
<p class=c><img src="http://www.securelist.com/en/images/pictures/klblog/2271.png" border="1" alt="" title=""></p>
<p>These are redirecting to other :8080 locations, which in turn try to push more malware onto the victim's machine.</p>
<p>Here is a quick summary of such injected sites, sorted by country: #1 is the US, followed by FR, DE, TR and JP. Affected webmasters should consider changing their compromised ftp credentials, cleaning the machines which led to the leak, and investigating their server logs for more details.</p>
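<p>The triage a webmaster in that position would run, as an added example that is not part of the post or of any Kaspersky tooling: a constructed web root with one clean page, one page with a script tag appended after the closing tag, and one page with a hidden iframe pointing at a :8080 host, plus the dictionary-word-and-two-digits heuristic for the spam links. The file names, the 198.51.100.20 address and the example.com/.net/.org links are made up for the demonstration; nuttypiano.com is the domain named in the post.</p>

```shell
# Added example, not the post's own tooling. Builds a constructed web root,
# then runs three file checks and one URL heuristic against it.

make_sample_webroot() {
  d=$(mktemp -d)
  mkdir -p "$d/shop"
  printf '<html><body>Clean page</body></html>\n' > "$d/index.html"
  # Injection appended after the closing tag, the pattern described in the post
  printf '<html><body>Catalog</body></html>\n<script src="http://nuttypiano.com/swing54.js"></script>\n' > "$d/catalog.html"
  # Constructed hidden iframe pushing visitors to a :8080 host
  printf '<html><body><iframe src="http://198.51.100.20:8080/in.cgi" width="1" height="1"></iframe>Shop</body></html>\n' > "$d/shop/index.html"
  echo "$d"
}

# Files where <script> or <iframe> markup follows </html>: a legitimate page ends there
trailing_markup_files() {
  find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' \) | while read -r f; do
    awk 'BEGIN { after = 0; hit = 0 }
         /<\/html>/ { after = 1; next }
         after && /<script|<iframe/ { hit = 1 }
         END { exit hit ? 0 : 1 }' "$f" && echo "$f"
  done
}

# Files referencing the loader domain named in the post
known_bad_refs() { grep -rlF 'nuttypiano.com' "$1"; }

# Files with an iframe pointing at a :8080 listener
iframe_8080_files() { grep -rlE '<iframe[^>]*:8080/' "$1"; }

# Constructed spam links; the heuristic flags a final path component that is
# a lowercase word followed by exactly two digits (a triage signal, not proof)
sample_spam_links() {
  printf '%s\n' \
    'http://example.com/garden27' \
    'http://example.net/news/index' \
    'http://example.org/archive/piano54.php' \
    'http://example.com/products?id=12'
}
suspicious_redirectors() { grep -E '/[a-z]+[0-9]{2}(\.[a-z]+)?(\?.*)?$'; }

root=$(make_sample_webroot)
echo "markup after </html>:"; trailing_markup_files "$root"
echo "loader domain:";        known_bad_refs "$root"
echo ":8080 iframes:";        iframe_8080_files "$root"
echo "redirector-style links:"; sample_spam_links | suspicious_redirectors
rm -rf "$root"
```

<p>Each check flags a different file in the sample root, which is the point: the appended-script check catches the pattern even when the domain changes, the domain grep catches it even when the injection is placed elsewhere, and the iframe check covers the second stage. The two-digit heuristic will also match harmless names, so its hits are a list to look at, not a list to block.</p>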
Who needs my SQL server?
<p>We all know that cybercriminals will target anything and everything they can reach. And at Kaspersky, we also know that a lot of IT admins don’t look after their Internet resources. Sad but true – ask an admin if their servers are protected, and you’ll often get the answer, "Oh, come on, who needs my SQL server?"</p>
<p>A few months ago we set up a new honeypot (<a href='http://www.mwcollect.org'>http://www.mwcollect.org</a>) in our Japanese research centre in Tokyo. The honeypot is mainly used to collect malicious Windows executables, which it does pretty well by emulating shellcode when it finds network exploits. A side effect of using the honeypot to listen on all ports is that we get statistics (as well as unexpected data) coming in on various network ports of the host, which has a global IP address.</p>
<p class=c><a href="http://www.securelist.com/en/images/pictures/klblog/296.png" target=_blank><img src="images/pictures/klblog/295.png" border=0 alt=''></a></p>
<p>This graph shows the number of attacks and unwanted connections on specified ports of our server. It shows the ten ports most commonly used, but even the least commonly targeted port (in this case, port 1130) gets about 16 connections a day.</p>
<p>Here’s a table of the common services using each port:</p>
<p class=c><a href="http://www.securelist.com/en/images/pictures/klblog/298.png" target=_blank><img src="images/pictures/klblog/297.png" border=0 alt=''></a></p>
<p>Hopefully, this proves what seems to us to be obvious – there’s someone on the Internet who wants your SQL server! (And a few other things besides…) And the data above shows that there are a lot of bad guys looking for backdoored orphaned hosts on the internet. Some of them are trying to find Backdoor.Win32.Noknok, while others are trying to break in through legitimate services like Radmin and Windows Remote Desktop.</p>
<p>Maybe you’re wondering just who is looking for badly protected resources? Here’s another graph with those details, showing how many connections different countries make to our honeypot every day:</p>
<p class=c><a href="http://www.securelist.com/en/images/pictures/klblog/294.png" target=_blank><img src="images/pictures/klblog/293.png" border=0 alt=''></a></p>
<p>Take a minute to compare it to the previous graph! You can see that the number of MSSQL attack attempts is mirrored by attacks coming from China. And recently, South Korean hosts have joined this massive attempt to exploit the service.</p>
<p>Running a honeypot helps us get valuable data; we’re kept busy analyzing it and crunching the numbers, and finally, it’s a cheap form of entertainment. Our honeypot is running on a 500 MHz Pentium III CPU with 384 MB RAM, which nowadays probably costs less than $100. So if you’re thinking of throwing out some really old, slow hardware, consider setting up a honeypot! ;-)</p>
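<p>The number-crunching behind the two graphs, as an added example that is not the post's own code and not part of mwcollect: a constructed connection log (timestamp, source IP, source country, destination port, one connection per line, a format assumed for this demo) is reduced to the busiest ports, the countries behind one port, and a per-day average of the kind quoted for port 1130.</p>

```shell
# Added example, not from the post. The log lines and their format are
# constructed for the demonstration; the addresses are documentation ranges.
honeypot_log() {
  cat <<'EOF'
2010-08-20T00:12:31 203.0.113.10 CN 1433
2010-08-20T01:05:12 203.0.113.11 CN 1433
2010-08-20T02:44:09 198.51.100.7 KR 1433
2010-08-20T03:10:00 192.0.2.33 US 4899
2010-08-20T05:27:48 203.0.113.12 CN 3389
2010-08-20T09:00:01 198.51.100.8 KR 1130
2010-08-21T00:03:22 203.0.113.13 CN 1433
2010-08-21T02:18:45 203.0.113.14 CN 1433
2010-08-21T04:30:00 198.51.100.9 KR 1433
2010-08-21T06:59:59 192.0.2.34 US 3389
2010-08-21T08:15:30 203.0.113.15 CN 4899
2010-08-21T11:42:11 192.0.2.35 DE 1433
EOF
}

# Most-hit destination ports as "count port", busiest first (default: top 10)
top_ports() {
  honeypot_log | awk '{ hits[$4]++ } END { for (p in hits) print hits[p], p }' | sort -rn | head -n "${1:-10}"
}

# Countries behind the connections to one port, busiest first
countries_for_port() {
  honeypot_log | awk -v port="$1" '$4 == port { hits[$3]++ } END { for (c in hits) print hits[c], c }' | sort -rn
}

# Average connections per calendar day for one port, counting every day the log covers
daily_average() {
  honeypot_log | awk -v port="$1" '
    { days[substr($1, 1, 10)] = 1 }
    $4 == port { n++ }
    END { nd = 0; for (d in days) nd++; printf "%.1f\n", (nd ? n / nd : 0) }'
}

echo "Top ports:"; top_ports 3
echo "Sources hitting 1433:"; countries_for_port 1433
echo "1433 connections per day: $(daily_average 1433)"
```

<p>Run against a real log the same three functions give the port ranking, the per-country breakdown that made the China/MSSQL correlation visible, and the "connections a day" figure; only the log format in <code>honeypot_log</code> needs changing.</p>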
New IM Worm Squirming in Latin America
<p>Whenever we discuss the most active malware-producing countries, Russia, China and Brazil are always atop the list. But there’s a new country that’s starting to appear in the top five: Mexico.</p>
<p>In our monthly Latin America malware analysis published on <a href="http://www.viruslist.com/sp/">Viruslist</a> and <a href="http://threatpost.com/es_la?set_region=es_la">Threatpost</a> (both in Spanish), we already mentioned that Mexico is known for producing local botnets.</p>
<p>On Aug 21, we (Kaspersky Lab) detected a new instant messenger worm that spreads through almost all well-known IM programs, including Skype, GTalk, Yahoo Messenger and Live MSN Messenger. The name of the threat is "<span style="font-weight: bold; color: rgb(204, 0, 0);">IM-Worm.Win32.Zeroll.a</span>".</p>
<p>It "speaks" 13 different languages (including Spanish and Portuguese) according to the local language of the infected Windows computer. There are some characteristics that show the worm originated in Mexico. It is written in VB and the C&C is located on an IRC channel (an old botnet technique recycled by the Mexican coders).</p>
<p>Our statistics based on the KSN data show the biggest infections were registered in Mexico and Brazil.</p>
<p class=c><img src="images/pictures/klblog/2263.png" border="1" alt="" title=""></p>
<p>It seems like the criminals behind the worm are now at the first stage of the crime -- infecting as many machines as they can, so that they can later make "good" offers to other criminals: pay per install, spam and others.</p>
<p>It’s worth mentioning that only three anti-virus programs (including Kaspersky) detect the threat.</p>
Whitelisting - how it protects us
<p>Malware writers are inventing new attacks regularly - but the anti-virus industry invents new protection techniques just as regularly. Whitelisting is one of the newer protection technologies, which are now standard in Internet Security products. It sounds positive, but how does it actually work? Does it overload your computer? How can developers whitelist their programs? Will whitelisting replace other protection technologies?</p>
<p>Join Andrey Nikishin, Director of Cloud and Content Technology Research, Vladimir Zapolyansky, Manager of Whitelisting, and myself as we discuss how whitelisting itself works. We will also discuss how software writers can join our program and what the benefits are for them.</p>
<p><object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/r_r5VutvmeE?fs=1&hl=en_US&rel=0"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/r_r5VutvmeE?fs=1&hl=en_US&rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object></p>
Oops they did it again!
<p>It seems the BBC has been dabbling in the world of malware ... again. They have <a href="http://www.bbc.co.uk/news/technology-10912376" target=_blank>reported</a> that they have created a smartphone application that is also able to spy on the activities of the person using a compromised handset.</p>
<p>Readers of the blog may remember that the Beeb has something of a history in this area. They raised eyebrows in March 2009 when they 'acquired' a <a href="http://www.securelist.com/en/blog/208187646/Smack_on_the_bot_for_the_Beeb" target=_blank>botnet</a>. Shortly after this they also <a href="http://www.securelist.com/en/blog/208187647/BBC_crosses_the_line_again" target=_blank>bought personal information</a>, including credit card numbers, from a 'broker' of such data in India.</p>
<p>There's no question of any law having been infringed here - the BBC has not distributed the application. However, we believe its actions to be unethical and unwise. There's enough bad stuff out there without good guys developing their own malicious, or potentially malicious, code - as Denis's <a href="http://www.securelist.com/en/blog/2254/First_SMS_Trojan_for_Android" target=_blank>blog</a> testifies.</p>
First SMS Trojan for Android
<p>I think the title of this post speaks for itself. Trojan-SMS.AndroidOS.FakePlayer.a passes itself off as a media player application. If the user chooses to install it, this icon with the name "Movie Player" will appear in the list of applications:</p>
<p class=c><img src="images/pictures/klblog/2256.png" border="1" alt="" title=""></p>
<p>The malware sends SMS messages to two premium rate numbers, 3353 and 3354, with each message costing approximately $5. It does this stealthily, without requiring any confirmation from the device owner.</p>
LNK patch is out
<p>Just a short notice and heads-up to all - the Microsoft Security Bulletin <a href="http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx" target=_blank>MS10-046</a> which deals with the LNK vulnerability originally exploited by <a href="http://www.securelist.com/en/blog/283/Myrtus_and_Guava_Episode_5">Stuxnet</a> is now out. If you haven't patched yet, you should. This is a critical vulnerability which is being actively exploited in the wild.</p>
When security gets hot
<p>There are people who think that all hackers should be sent to the desert - well, once a year this dream comes true.</p>
<p>Greetings from Las Vegas where two major security conferences just ended.</p>
<p>As every year, Black Hat took place here at Caesars Palace. People from around the globe gave presentations about ATM hacking, reverse engineering and other security related topics, distributed over 11 tracks in two days. The host casino offers lots of space for this event, so you walk a long way before you reach the room where the presentation you want to attend is held.</p>
<p>In the vendor area you can always find interesting people to talk to or get information about security products and services. This year a big group of Kaspersky people attended Black Hat 2010 (from the US, Japan, Romania, France and Germany).</p>
<p class=c><img width="400" height="300" src="images/pictures/klblog/2250.JPG" border="1" alt="" title=""></p>
My vacation photos
<p>Yes, it’s that time of the year again! People from all around the world try to escape the heat and pollution of the big cities and find much more enticing options. Once the vacation is over and we are all back at work, what does everybody do first?</p>
<p>Publish photos, of course!</p>
<p class=c><img src="images/pictures/klblog/2245.jpg" border="1" alt="" title=""></p>
Zbot and CVE2010-0188
<p>I just came across a suspicious PDF file, so I decided to take a deeper look. Once the file was unpacked, I got an xml file with a TIFF image. The whole thing looked very fishy, and ultimately, it turned out that the xml file contained an exploit for <a href='http://www.securelist.com/en/blog?author=19278'>CVE-2010-0188</a>.</p>
<p>I thought it was a bit odd that we hadn’t come across files like this before, so I decided to take a look at the stats for this vulnerability:</p>
<p class=c><img src="images/pictures/klblog/287.png" border="1" alt="" title="" width="600" height="400"></p>
<p align="center"><b>CVE-2010-0188 exploit statistics 2010</b></p>
<p>The graph shows that malware exploiting CVE-2010-0188 started spreading actively at the end of June. It was pretty much a rarity until then. Maybe the virus writers needed a few months to catch up with creating exploits for the new hole in Adobe – who knows?</p>
<p>When I took a closer look, it turned out that the PDF was mainly designed to download and launch another file, Trojan-Dropper.Win32.Zbot.cm, which in its turn is mainly designed to secretly install Zbot (ZeuS) on the system and to combat antivirus software.</p>
<p>I was able to get a final example of Zbot, but it turned out to be encrypted and obfuscated. I then got its dump and decrypted strings, which included a clear link to the banking site under attack, the bot’s http requests and some of the commands used by the botnet C&C:</p>
<p class=c><a href="images/pictures/klblog/288.jpg" target="_top"><img src="images/pictures/klblog/289.png" border="1" alt="" title=""></a></p>
<p align="center"><b>Part of the decrypted Zbot file</b></p>
<p>This is the first example of an encrypted Zbot variant spreading via CVE-2010-0188. Clearly, the guys behind this program aren’t sitting on their hands, but working on the most up-to-date methods of delivering their malware to end users.</p>
Myrtus and Guava, Episode 5
<p>So far in our series about Stuxnet we’ve focussed on the main issue: the threat posed by the zero-day vulnerability in the processing of LNK files, and the fact that cybercriminals have somehow got their hands on digital certificates. What we haven’t done in any detail is look at the worm’s functionality.</p>
<p>Anyone following the story has probably already read about how the worm, in addition to replicating, attempts to gain access to industrial systems running WinCC from Siemens.</p>
<p>I can’t remember which journalist or antivirus researcher first mentioned power plants (some of which certainly do run WinCC) in connection with Stuxnet. Since then, the whole story’s taken on the air of a Hollywood movie, with dark and repeated murmurings of ‘attacks on industry’ and ‘inter-government espionage’.</p>
<div align=center><img src="images/pictures/klblog/284.jpg" border=0 width=567 height=475 alt=''></div>
<div align=center>(How WinCC works; image from Siemens documentation)</div>
<p>Stuxnet <i>does</i> attempt to connect to the WinCC SCADA visualization system using the default password from Siemens. Part of the worm is a very interesting component, a dll, which acts as a wrapper for the original Siemens dll. It’s this wrapper that tries to connect to WinCC, redirecting the majority of the functions to the original dll, while emulating the remaining functions itself.</p>
<p>The functions are:</p>
<ul>
<li>s7db_open</li>
<li>s7blk_write</li>
<li>s7blk_findfirst</li>
<li>s7blk_findnext</li>
<li>s7blk_read</li>
<li>s7_event</li>
<li>s7ag_test</li>
<li>s7ag_read_szl</li>
<li>s7blk_delete</li>
<li>s7ag_link_in</li>
<li>s7db_close</li>
<li>s7ag_bub_cycl_read_create</li>
<li>s7ag_bub_read_var</li>
<li>s7ag_bub_write_var</li>
<li>s7ag_bub_read_var_seg</li>
<li>s7ag_bub_write_var_seg</li>
</ul>
<p>The module also contains several encrypted blocks of data – here’s an example of a decrypted block:</p>
<div align=center><img src="images/pictures/klblog/285.jpg" border=0 width=480 height=270 alt=''></div>
<p>Siemens is currently conducting its own investigations and analysis of the malware. They’ve published <a href="http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&=en&objid=43876783&caller=view" target=_blank>official information</a> about the incident, which reports one confirmed case of infection of a WinCC client in Germany.</p>
<p>From the report:</p>
<p><i>"Currently there is still only one known case where a customer's WinCC computer has been infected. The virus infiltrated a purely engineering environment of a system integrator, but was quickly eliminated. A production plant has not been affected so far."</i></p>
<p><i>"There is only one known case of infection in Germany. We are, at present, trying to find out whether the virus caused any damage."</i></p>
<p>Siemens also confirms that the worm is able to transmit process and production data, and that it attempts to establish a connection with the cybercriminals’ servers. At the moment, however, the servers are apparently inactive.</p>
<p>P.S. Siemens has just issued an update:</p>
<p><i>"Currently we know of two cases worldwide where a WinCC computer has been infected. A production plant has so far not been affected."</i></p>
Myrtus and Guava, Episode 4
<p>A few days ago we wrote about a new variant of the Stuxnet worm’s rootkit component, signed not with Realtek’s digital signature, but with one owned by JMicron. Costin posted about it in detail.</p>
<p>The media jumped on the news, and there was a lot of talk about "New worm variant discovered". However, the situation isn’t quite as simple as the headlines made out.</p>
<p>There wasn’t a clear answer to the main question, i.e. where’s the worm which the signed driver would have come from? The fact that the driver was created on 14 July could indicate that a new variant of the worm, potentially with new functionality, was out in the wild.</p>
<p>However, all of our attempts to find the dropper of the second rootkit driver (there are meant to be two) came to nothing.</p>
<p>Over the last few days, all the discussions have boiled down to two possible explanations: either cybercriminals stole the digital certificates using a Trojan, or it was the work of an insider. Our failure to find the dropper or second driver, though, makes the whole story all the more complicated.</p>
<p>So we decided to look at some statistics: how many times has the Kaspersky Security Network detected Rootkit.Win32.Stuxnet.c (the driver signed with the JMicron certificate)? The numbers are discouraging – since 20 July, the module’s been detected all of twice, once in Russia and once in Ukraine. These figures look pretty silly when compared to the detection statistics for the rootkit component signed with the Realtek signature.</p>
<p>Verisign has now revoked the JMicron certificate, making it invalid. Our whitelisting database contained 124 programs which had been signed using the certificate – all of them, of course, were clean.</p>
<p>At the moment, I’m not drawing any conclusions about the origins of this mythical driver. I don’t doubt that it is a modified variant of mrxcls.sys. We’re still looking for whatever is launching it, or computers which it’s infected.</p>
<p>If we look at the stats relating to the initial Stuxnet variant, they show epidemics in India, Iran, and Indonesia. The number of infected computers increases by about a thousand every day, and this is only what our monitoring systems show us. In other words, it’s merely the tip of the iceberg.</p>
<div align=center><img src="http://www.securelist.com/en/images/pictures/klblog/282.jpg" border=0 width=384 height=401 alt=''></div>
<p>Apart from the three countries hit by Stuxnet, Azerbaijan and Afghanistan have also been heavily affected, with more than a thousand infected machines each.</p>
<p>The geographical spread of the Trojan, together with the "missing" variant, has given us all a lot to think about.</p>
Different x86 Bytecode Interpretations
<p>Working on an efficient generic shellcode detection engine and verifying results with randomly generated input, I've effectively ended up fuzzing different open source disassembler libraries. The disassembler library of choice for my current project is <a href="http://code.google.com/p/libdasm/">libdasm</a> because of its comparatively long history and public domain license. But writing a sound and complete x86 disassembler is obviously not a trivial task due to the complex nature of the <a href="http://www.intel.com/products/processor/manuals/">x86 instruction set</a>.</p>
<p>libdasm used to have issues correctly disassembling certain floating point instructions in the past, but this was simply caused by an off-by-three error in the opcode lookup tables (three NULL rows missing) and thus <a href="http://code.google.com/p/libdasm/source/detail?r=3">the fix</a> was comparatively easy.</p>
How does your vacation affect your security?
<p>Vacation is a time for visiting friends and family, going abroad, eating ice-cream, gardening – whatever helps you regroup and recharge. Computer security is probably the last thing on your mind, even if you’ve taken your laptop home with you to keep tabs on what’s going on at the office.</p>
<p>But as my colleague Christian pointed out in <a href="http://www.securelist.com/en/analysis/204792066/Summertime_is_Wireless_Time" target=_blank>this article</a> last year, summer often brings some serious security issues. And I’ve got recent further proof of this: just a few weeks ago I was attending our annual security conference at a very classy hotel in Cyprus. Everything seemed perfect – until we connected to the hotel Wi-Fi.</p>
<p>If you’ve ever taken your laptop with you on business or vacation, you’ll know the drill. When you want to connect to the Internet via a hotel network, you get redirected to a site controlled by the hotel’s router. You need to either enter a code provided by the hotel, or your credit card details – all on a site which may or may not be secure.</p>
<p>In Cyprus, we found out that the page you get redirected to when you try to access the Internet was infected with <a href='http://www.securelist.com/en/blog/208187897/The_Gumblar_system'>Gumblar</a>. The hotel was lucky to have 30+ security experts staying there – but if we hadn’t been holding our conference there, the site could have stayed infected for quite a while!</p>
<p>Logging on via insecure connections isn’t the only seasonal security issue. People’s computer and online habits change when they’re on holiday – they tend to use their computers less, and in short bursts, just to get the information they need. For instance, you’ll often see people logging on for ten minutes to quickly check email, download maps or details about the places they’re planning to visit, etc.</p>
<p>If you’re quickly checking for some information that you need via GPRS or a slow Wi-Fi connection, you’re probably not going to bother updating your antivirus or installing security patches. You might rationalize your decision (if you even think about it) by telling yourself that you don’t go to dodgy sites which are likely to be hosting malware. But our experience in Cyprus really highlights the fact that malware is everywhere.</p>
<p>Ignoring security patches and antivirus updates while you’re on vacation means that if you log on, you are putting yourself at risk. And when you get back to work after two, three, or even four weeks off, if you haven’t been using your computer, the very first thing you should do is make sure that it’s fully patched, and security software up to date. Of course you want to get to all the funny YouTube links etc. that your colleagues sent while you were away – but update before you start checking your mail or clicking through links and attachments.</p>
<p>Insecure networks, infected sites, and vulnerable software and systems are all technical aspects of IT security. But apart from all the technical stuff, lots of people are giving out far too much information on Facebook, Twitter, and even in their Out Of Office replies. Posting that you’re off to some exotic resort for two weeks is almost an open invitation to burglars and other criminals to come and rifle your property while you’re gone…</p>
<p><b>Simple tips on how to have a more secure vacation</b></p>
<p><b>Before you go</b></p>
<ul>
<li>Don’t write on your social network that you’re going on holiday!</li>
<li>Make sure you’ve got all the latest security patches installed, including patches for third party applications such as PDF readers, browsers, chat programs, etc.</li>
</ul>
<p><b>While you’re away</b></p>
<ul>
<li>Make sure that your antivirus is up to date. You never know what might be lurking on the network!</li>
<li>Use common sense - don’t enter credit card details or passwords unless it’s essential, and only if you’re confident the network is secure.</li>
<li>If you’re paranoid, disable programs that autostart such as Skype or MSN – you wouldn’t want someone to steal your passwords over an insecure network.</li>
</ul>
<p><b>When you get back</b></p>
<ul>
<li>Make sure you scan and patch your work computer before you start reading emails and working.</li>
</ul>
Stuxnet signed certificates frequently asked questions
<p>Last night, Verisign acted promptly and revoked the second stolen certificate used to sign a version of the Stuxnet rootkit driver. As previously mentioned, this certificate <a href="http://www.securelist.com/en/blog/2234/Stuxnet_and_stolen_certificates">belonged to JMicron Technology Corp</a>, a popular Taiwanese hardware company.</p><p class="c"><img src="images/pictures/klblog/2238.png" border="1" alt="" title=""></p><p>We have prepared a short FAQ about Stuxnet and the revoked stolen certificates:</p><p>1. I heard Microsoft and Verisign revoked the stolen Realtek certificate. Does it mean I’m safe now?</p><p>Due to the way certificates work, a revoked certificate doesn’t mean the malware will not run anymore. You will still get infected by Stuxnet and the driver will still load without any warning. The only effect of the revocation is that the bad guys will not be able to sign any further malware with it.</p><p>2. How many stolen certificates are we talking about?</p><p>So far, we’ve seen Stuxnet drivers signed with certificates from JMicron Technology Corp and Realtek Semiconductor Corp. Both companies seem to have offices in the Hsinchu Science and Industrial Park, which could indicate an insider job. It is also possible that the certificates were stolen using a dedicated Trojan, such as Zeus, meaning there could be more.</p><p>3. I have a Realtek/JMicron motherboard/network card in my computer. Does it mean that I am at risk?</p><p>So far, we haven’t found anything suspicious in the Realtek/JMicron hardware drivers.</p><p>4. Now that Microsoft and Verisign have revoked the Realtek/JMicron certificates, does it mean that my Realtek/JMicron drivers will stop working?</p><p>No. Due to the way certificates and signatures work, the revocation doesn’t have any effect on already signed drivers. Both companies were issued new certificates, which they can use to sign upcoming drivers.</p><p>5. Are we going to see more signed malware in the future?</p><p>Most likely, yes. There are currently tens of thousands of malicious programs that have been signed – that’s a fact. For more information, I encourage everyone to view Jarno Niemelä’s excellent presentation <a href="http://www.f-secure.com/weblog/archives/Jarno_Niemela_its_signed.pdf">"It's Signed, therefore it's Clean, right?"</a>, presented earlier this year at the CARO Workshop.</p>
Stuxnet and stolen certificates
<p>Yesterday, our colleagues from <a href="http://blog.eset.com/2010/07/19/win32stuxnet-signed-binaries">ESET</a> discovered a new version of Stuxnet, which has its driver signed by yet another trusted party – "JMicron Technology Corp.".</p><p class="c"><img src="images/pictures/klblog/2235.png" border="1" alt="" title=""></p><p>JMicron is a rather well-known hardware producer; I've myself owned about three or four different computers which had JMicron components inside.</p><p>The initial Realtek certificate was suspicious, but another stolen certificate raises interesting questions.</p><p>One possibility here is that both JMicron and Realtek got infected with a <a href="http://www.securelist.com/en/analysis/204792107/ZeuS_on_the_Hunt">Trojan such as Zeus, which steals digital certificates</a>. Then the cybercriminals who got the certificates either resold them on the market or used them themselves to sign the Stuxnet drivers.</p><p>To be honest, the fact that Trojans were stealing digital certificates did not really seem that impressive when I first saw this capability.</p><p>Now, coupled with the Stuxnet story, it begins to make sense.</p>
LNK zero-day, the fundamentals
<p>Over the weekend I spent more time looking into the zero-day LNK (shortcut) Windows vulnerability that Aleks <a href="http://www.securelist.com/en/blog/269/Myrtus_and_Guava_Episode_1">blogged about</a> last week. It’s now been classified as CVE-2010-2568 and is being actively exploited in the wild.</p><p>My main conclusion is that this vulnerability is a fundamental part of how Windows handles LNK files. This means there are two huge negatives – firstly, as this functionality is pretty standard, it's going to be harder to create effective generic detections which don't cause false positives.</p><p>Secondly, I suspect Microsoft is going to have a very hard time patching this one. There doesn’t seem to be any security model associated with how Windows handles shortcuts. This whole situation reminds me a bit of vulnerabilities in the WMF format – it’s another case of legacy code coming back to bite Microsoft.</p><p>We’ve released generic detection for malicious LNK files which try to exploit the feature. I think that the LNK format will start receiving a lot more attention now, both from the good guys and the bad, so do take a look at the <a href="http://www.microsoft.com/technet/security/advisory/2286198.mspx" target="_blank">mitigations</a> put up by Microsoft. I’m sure it will be time well spent, as I fully expect this vulnerability to be widely exploited while we’re waiting for the patch.</p>
Myrtus and Guava, Episode 3
<p>The geographical distribution of Stuxnet infections is just as interesting as the Trojan itself. We detect the rootkit component (the signed drivers) as Rootkit.Win32.Stuxnet, and the other files as Trojan-Dropper.Win32.Stuxnet.</p><p>Over the last four days, KSN has identified Trojan components (although the program should really be thought of as a worm, as it spreads via removable storage media) on more than 16,000 computers around the world. A map with infection statistics shows three countries (all starting with the letter I!) are at the centre of the epidemic – Iran, India and Indonesia.</p>
Myrtus and Guava, Episode 2
<p>Having finished <a href="http://www.securelist.com/en/blog/269/Myrtus_and_Guava_Episode_1">episode 1</a> on a botanical note, let’s continue our trip into the undergrowth by taking a look at the Stuxnet Trojan’s digital signature.</p><p>Digitally signed malware is a nightmare for antivirus developers. Digital signatures have a lot riding on them – they act as proof that an application is legitimate, and are a key concept in information security. They also have considerable influence on how effective a security solution is – it’s no secret that a digitally signed file will be "trusted" by security software and will often automatically be whitelisted.</p><p>However, sometimes cybercriminals do somehow manage to get their hands on their very own code signing certificate/signature. Recently, we’ve been seeing regular instances of this with Trojans for mobile phones. When we identify cases like this, we inform the appropriate certification authority, the certificate is revoked, and so on.</p><p>However, in the case of Stuxnet, things look very fishy indeed, because the Trojan isn’t signed with some random digital signature, but with the signature of <a href="http://www.realtek.com/about/" target="_blank">Realtek Semiconductor</a>, one of the biggest producers of computer equipment.</p><p>Recalling a certificate from a company like this simply isn’t feasible – it would cause an enormous amount of the software which they’ve released to become unusable.</p>
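<p>Both the certificate FAQ above (a revoked certificate does not stop an already signed driver from loading, and revocation does not break legitimately signed drivers) and this post's point that signed files are automatically whitelisted come down to what a signature check actually decides. The following is an added example, not code from the original posts or from Kaspersky, that models those decisions in Python. Its modelling assumptions, stated as such: kernel-mode driver loading checks only that the signer chains to a trusted root and consults no CRL; a user-mode Authenticode-style check treats a timestamped signature made before the CA's revocation date as still valid and an untimestamped one as invalid once revoked; and the scanner keeps its own list of abused signer thumbprints independent of the CA. Every thumbprint, date and sample signature below is a constructed placeholder.</p>

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Signer:
    subject: str                    # subject of the code-signing certificate
    thumbprint: str                 # certificate hash; constructed placeholder here
    chains_to_trusted_root: bool    # outcome of chain building, modelled as a flag


@dataclass(frozen=True)
class Signature:
    signer: Signer
    timestamp: Optional[datetime]   # trusted countersignature time, None if absent


# Constructed signers: the two subjects named in the posts plus an untrusted one
REALTEK = Signer("Realtek Semiconductor Corp", "THUMBPRINT-REALTEK-PLACEHOLDER", True)
JMICRON = Signer("JMicron Technology Corp", "THUMBPRINT-JMICRON-PLACEHOLDER", True)
NOBODY = Signer("Self-Signed Test CA", "THUMBPRINT-UNTRUSTED-PLACEHOLDER", False)

# CRL modelled as thumbprint -> revocation date chosen by the CA (dates constructed)
CRL: Dict[str, datetime] = {
    REALTEK.thumbprint: datetime(2010, 7, 17, tzinfo=timezone.utc),
    JMICRON.thumbprint: datetime(2010, 7, 22, tzinfo=timezone.utc),
}

# What a security vendor tracks on its own: signers whose certificates were abused
KNOWN_STOLEN: Set[str] = {REALTEK.thumbprint, JMICRON.thumbprint}

# Constructed sample signatures (signing dates are illustrative only)
TIMESTAMPED_BEFORE_REVOCATION = Signature(REALTEK, datetime(2010, 3, 1, tzinfo=timezone.utc))
UNTIMESTAMPED = Signature(REALTEK, None)
TIMESTAMPED_AFTER_REVOCATION = Signature(JMICRON, datetime(2010, 8, 1, tzinfo=timezone.utc))
UNTRUSTED_SIGNER = Signature(NOBODY, None)


def kernel_driver_policy(sig: Signature) -> str:
    """Modelled kernel-mode load rule: only chain validity is checked, no CRL lookup
    (modelling assumption). A driver signed with a now-revoked but root-anchored
    certificate therefore still loads, which is what the FAQ describes."""
    return "load" if sig.signer.chains_to_trusted_root else "refuse"


def authenticode_policy(sig: Signature, crl: Dict[str, datetime]) -> str:
    """Modelled user-mode check with revocation: a timestamped signature made before
    the CA's revocation date stays valid, so legitimate drivers keep working; an
    untimestamped signature does not survive revocation (modelling assumption)."""
    if not sig.signer.chains_to_trusted_root:
        return "untrusted"
    revoked_at = crl.get(sig.signer.thumbprint)
    if revoked_at is None:
        return "valid"
    if sig.timestamp is not None and sig.timestamp < revoked_at:
        return "valid"
    return "revoked"


def scanner_decision(sig: Signature, crl: Dict[str, datetime], stolen: Set[str]) -> str:
    """Defender's rule for a 'trust signed files' whitelist: a valid signature is a
    hint, not a verdict. Anything from a known-abused signer is treated as suspicious
    regardless of what the CA has or has not revoked; only a clean, valid signature
    makes a file a whitelist candidate, and even then it is still scanned first."""
    if sig.signer.thumbprint in stolen:
        return "suspicious"
    if authenticode_policy(sig, crl) != "valid":
        return "scan"
    return "whitelist_candidate"


def verdicts(sig: Signature) -> Dict[str, str]:
    """All three decisions for one signature, using the constructed CRL and list."""
    return {
        "kernel": kernel_driver_policy(sig),
        "authenticode": authenticode_policy(sig, CRL),
        "scanner": scanner_decision(sig, CRL, KNOWN_STOLEN),
    }


if __name__ == "__main__":
    for name, sig in [("timestamped before revocation", TIMESTAMPED_BEFORE_REVOCATION),
                      ("untimestamped", UNTIMESTAMPED),
                      ("timestamped after revocation", TIMESTAMPED_AFTER_REVOCATION),
                      ("untrusted signer", UNTRUSTED_SIGNER)]:
        print(name, verdicts(sig))
```

<p>The interesting row is the first one: the kernel loads the driver, the user-mode check still calls the signature valid because it predates the revocation date, and only the scanner's own abused-signer list turns the file into something that gets looked at. That is the gap between "revoked" and "safe" that the FAQ answers.</p>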
Myrtus and Guava, Episode 1
<p>A few days ago, colleagues from the Belarusian antivirus company VirusBlokAda (VBA) <a href="http://anti-virus.by/en/tempo.shtml" target="_blank">announced</a> they’d come across an interesting new malicious program. They published a short analysis of the program which highlighted two innovations:</p><ol><li>Using LNK files to launch files from USB storage devices, a method which hasn’t been used before.</li><li>The malicious driver has a valid digital signature from Realtek.</li></ol><p>The <a href="http://www.secureblog.info/files/new_rootkit.pdf" target="_blank">VBA article</a> is well worth taking a look at – great research, guys!</p><p>Over here at Kaspersky, we’ve also taken a look at the malware, and we’ve also come up with a few interesting things.</p>
Nirvana for cybercriminals?
<p>Today Microsoft is ending support for XP/Service Pack 2. According to reports there are still a lot of machines running XP/SP2. So this sounds like a serious problem, right? Actually, I’m not convinced of that.</p><p>Let’s look first at consumer machines – those which aren’t being centrally managed. Why would these machines still be running SP2? Obviously, Windows Update must have been disabled. I can only think of two main reasons why that would be the case: either a malware infection which is somehow preventing WU from working, or people have disabled WU on pirated versions to be sure they can continue to use Windows without having to pay for it.</p><p>In the first case, infection has already occurred. In the second case, it’s very unlikely that the machine was ever patched after the initial SP2 install. That means that such machines are vulnerable to any of the exploits targeting XP vulnerabilities discovered after August 25, 2004, when SP2 was released. In other words, these computers have been vulnerable for a long, long time.</p><p>What about the business environments still running SP2? In the vast majority of cases the admins will have decided that the time just isn’t ripe for SP3. SP3 was released just over two years ago. If admins haven’t rolled out SP3 yet, it seems pretty unlikely that the other software they’re running – such as Office and Adobe Reader – is going to be up to date. These are the same companies that are still running Internet Explorer 6.</p><p>Given all this, I don’t think ending support for SP2 will create any sort of nirvana for cybercriminals. All the unpatched (and attackable) machines have been this way for a long time now – and chances are, if they were going to be infected, it would have happened a long time ago.</p>
Anti-virus testing - to believe or not to believe
<p>Join Roel Schouwenberg and me as we explore what AV tests are about today and reflect on what is important for people using these tests to make an informed decision about buying protection for themselves and their families.</p><p>Roel describes what he believes a useful test is and also discusses AMTSO – the independent <a href="http://amtso.org/">Anti-Malware Testing Standards Organization</a>. AMTSO has created a series of documents describing testing processes; the results can be seen already in how some of the more reputable testers are changing their methodologies.</p><p>AV testing is important for everyone who is looking to purchase an AV for themselves or for their organization. Take a few minutes and learn more about it with us.</p><p><a href="http://www.youtube.com/watch?v=e2HwuZmdZro" target="_blank">Watch the video on YouTube</a></p>
Technical Support – they’re not always the good guys
<p>We’ve blogged a few times about rogue AV, explaining how search engines have been abused using Black Hat Search Engine Optimization techniques to redirect web surfers to rogue AV websites.</p><p>Recently, we’ve noticed that the rogue AVs being spread are all equipped with an "Online Support" button. See the top right corner:</p><p class="c"><a href="http://www.securelist.com/en/images/pictures/klblog/250.png" target="_blank"><img src="images/pictures/klblog/251.png" border="0" alt=""></a></p><p>Pressing Support takes you into a live chat with the rogue AV Tech Support. We wondered whether it was a bot answering questions based on keywords or real people – and yes, they turned out to be real!</p>
Google Dorks: fighting fire with fire
<p>During my recent research into PHP backdoors, bots and shells, I came across a few IRC servers which looked pretty suspicious. After lurking in these channels I noticed that most of them were about controlling botnets, automated exploitation and credit card fraud. This isn’t news – channels and IRC servers like this have been a hot media topic for the last five years. The question is, though, how can we find them so we can shut them down?</p><p>Digging a bit deeper in some of the channels, and looking at the websites people were talking about in them, I started to see patterns. For example, some of the websites use the same words, phrases and layout. By combining these terms and creating a simple rotation algorithm I could use search engines to find websites offering illegal stuff such as credit card data and skimming tools.</p><p class="c"><img src="http://www.securelist.com/en/images/pictures/klblog/2232.png" border="1" alt="" title=""></p>
Hot Fail On SexBoosters
<p>Over the last couple of days we've been noticing a few pharmacy spam mails which are a bit different. Somebody seems to have replaced the original graphical content with an alert highlighting that such messages are malicious.</p><p class="c"><img src="images/pictures/klblog/2227.png" border="1" alt="" title=""></p><p>So far we have counted three (ab)used image hosting services for this spam:</p><ol><li>imageshack.us</li><li>imgur.com</li><li>myimg.de</li></ol><p>A quick analysis of these showed that #1 currently serves all the replaced images, #2 serves all the original spammers' images and #3 seems to have removed the offensive content immediately – good work!</p><p>At the moment, we don't have any further information about the source/background of the warning replacements – this gives us plenty of opportunity to use our imaginations when thinking about what's actually going on. A few of the key words and concepts we're considering are: white hats, rival spammers, compromised hosting service(s). Not an exhaustive list, but more of a launch pad for further theories and research!</p>
It's a bug, not a feature
<p>Over the years we've heard the phrase "it's a feature, not a bug" quite a number of times. And it can be argued that the vulnerability in the PDF specification with regards to Launch actions is just that. The patch which Adobe released last week supposedly fixed this vulnerability in their PDF parsing products. However, hours after the release of the patch, security researchers found that it didn't truly fix the vulnerability.</p><p>It turns out that the patch issued by Adobe introduces a blacklist of extensions which may not be executed through the Launch functionality. In theory, this idea is pretty good. However, the implementation leaves much to be desired.</p><p>The implementation of the blacklist is much too simplistic and looks for very narrow exact matches. This means that the blacklist can be circumvented by applying extremely simple forms of obfuscation.</p><p>In cases such as this one there are two approaches that one could take.</p><ol><li>Use a whitelist instead of a blacklist.</li><li>Make the parser which is used by the blacklist resilient against obfuscation.</li></ol><p>All in all, this latest patch is another example that Adobe is still new at the security game.</p>
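<p>An added example, not Adobe's code or anything from the original post, modelling the two approaches above in Python. naive_launch_allowed is an exact-match extension blacklist of the simplistic kind the post describes; hardened_launch_allowed applies the same blacklist only after the target name has been brought into the form the operating system would actually act on (case folded, surrounding quotes and whitespace removed, path components dropped, trailing dots and spaces stripped, embedded NULs truncating the name); whitelist_launch_allowed is the deny-by-default alternative. The extension lists are illustrative and not Adobe's.</p>

```python
import re
from typing import Set

# Illustrative lists, not Adobe's: extensions the Launch action must never hand to
# the OS, and the short list a deny-by-default policy would permit.
BLACKLIST: Set[str] = {"exe", "bat", "cmd", "com", "vbs", "js", "scr", "pif"}
WHITELIST: Set[str] = {"pdf", "txt"}


def extension_of(name: str) -> str:
    """Extension after the last dot, empty string if there is none."""
    return name.rsplit(".", 1)[-1] if "." in name else ""


def naive_launch_allowed(target: str) -> bool:
    """Model of the flawed approach: the raw target string is checked as-is, so any
    variant that is not a byte-for-byte match slips past (illustrative, not Adobe's code)."""
    return extension_of(target) not in BLACKLIST


def normalize_target(target: str) -> str:
    """Canonical file name the OS would see, computed before any list is consulted."""
    t = target.split("\x00", 1)[0]          # a NUL ends the string for C-level APIs
    t = t.strip().strip("\"'").strip()      # surrounding whitespace and quoting
    t = re.split(r"[\\/]", t)[-1]           # last path component, either separator
    t = t.rstrip(". ")                      # Windows drops trailing dots and spaces
    return t.casefold()                     # extensions are case-insensitive on Windows


def hardened_launch_allowed(target: str) -> bool:
    """Approach 2 from the post: keep the blacklist, but match on the normalized name."""
    return extension_of(normalize_target(target)) not in BLACKLIST


def whitelist_launch_allowed(target: str) -> bool:
    """Approach 1 from the post: deny by default; only normalized, known-safe
    extensions pass, so a bypass of the normalizer fails closed instead of open."""
    ext = extension_of(normalize_target(target))
    return bool(ext) and ext in WHITELIST


if __name__ == "__main__":
    for sample in ["cmd.exe", "CMD.EXE", "  cmd.exe. ", "readme.txt", "tool.unknown"]:
        print(repr(sample), naive_launch_allowed(sample),
              hardened_launch_allowed(sample), whitelist_launch_allowed(sample))
```

<p>The whitelist version is the safer design because its failure mode is the opposite of the blacklist's: a trick that the normalizer does not anticipate produces an extension that is not on the allow list, and the launch is refused rather than permitted.</p>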