Tuesday, 23 November 2010

5:15 am (UTC-7)   |   by Gerald Dillera (Fraud Analyst)

Trend Micro researchers recently discovered attacks on the social networking site Multiply. The cybercriminals behind the said attack created new Multiply user accounts then sent malicious personal messages to other site users.
The personal message contains a greeting with the target’s Multiply user name and a video that the recipient is supposed to watch. Clicking the play button redirects users to the malicious URL http://yourtube.{BLOCKED}loring.com/video2/video.php?q=1289224873.
The page then asks the recipient to download a codec to view the video.
These sorts of attacks have been occurring for some time. Users should avoid downloading "codecs" offered by the page hosting a video, as these are frequently malicious; in this attack the codec prompt is the delivery step for the payload, not a real playback requirement. Trend Micro detects the downloaded file as TROJ_KATUSHA.F. In addition, the URL hosting the fake video is already blocked by Trend Micro products.

Malware Is Everywhere, Report Says

By: Sean Carroll

Security company Dasient released a study today estimating that 1.2 million Web sites were infected with malware or malvertisements in the third quarter of 2010, double its estimate for the same period last year. And you can't simply avoid shady sites to keep yourself safe, the report said: government sites are prime targets.
According to Dasient (which, it is worth noting, sells Web antimalware solutions), while other methods of spreading malware—such as spreading viruses via e-mail—continue to grow, "drive-by-downloads and rogue antimalware attacks eclipse other methods of malware distribution."
The top-level domains with the most infections are .com, .ru, and .info. Attacks from .ru (Russia) have surged since last year, and those from .cn (China) have dropped. The top ten attacker domains were:
  • riotassistance.ru
  • mybar.us
  • myads.name
  • toolbarcom.org
  • freead.name
  • adnet.biz
  • pqshow.org
  • pantscow.ru
  • nt02.co.in
  • nuttypiano.com
Social Media Infections
In particular, the study singled out the growth of social media as a prime target for cyber criminals. Expect more aggressive attacks on Facebook, along the lines of the Koobface botnet, and Twitter, which fell prey to an XSS attack in September. The Twitter XSS attack redirected users to porn and malware sites, and Koobface attack modules spammed Facebook (and MySpace, Twitter, Hi5, Bebo, and Friendster) with malicious links to try to get them to download rogue antimalware.
Advertising Infections
Dasient estimates that 1.5 million malvertisements per day were served in Q3 2010, including those that delivered drive-by downloads and fake antivirus campaigns. The average lifetime of one of these campaigns was just over 11 days. With campaigns that short-lived, URL blocklists inevitably lag behind, so keeping your antivirus software updated is vitally important.
Government Infections
It's not just social networks or shady fly-by-night sites that serve up these infections, either; cyber criminals are increasingly targeting government Web sites, too. NIH.gov, the site of the National Institutes of Health, which gets an estimated 9.5 million page views per month, was infected five times in the period of 2009 to 2010, with the most recent infection in October of 2010. CA.gov was infected five times during the study period, and Alabama's AL.gov was infected a shocking 37 times before they got control of the problem; the last reported infection was in July 2009.
As PCMag lead analyst for security, Neil Rubenking, points out, government sites may be increasingly vulnerable in this era of budget belt-tightening. If government sites get hacked, there may not be anyone to notice—and there's even less likely to be anyone on hand who can quickly fix the problem.
How to Protect Yourself
Clearly, it's more important than ever to keep yourself protected. If you don't already have protection or are looking for new antivirus app now that the 2011 choices are mostly available, read our roundup of 20 AV apps (including both free and premium choices), The Best Antivirus for 2011.

Monday, 8 November 2010

Firefox Only: Easily scan files for malware before downloading them with VTzilla

We have all heard of VirusTotal, right? (You know, VirusTotal.com, the website that allows users to run files through 43 anti-malware scanners.) VirusTotal is a very handy service, but in order to use VT (VirusTotal) you need to download a file, then upload it on VT. Ever wish you were able to scan a file with VT before you download it? Well now you can (assuming you have Firefox).
VT has released an add-on for Firefox that allows users to scan files with VirusTotal without having to download the file:

When users opt to scan a file with VirusTotal, two things happen:
  • The URL of the website which you are downloading the file from is scanned using VT's new "URL scanner":

  • The file is uploaded onto VirusTotal.com and scanned:

To try to get users to make use of their new URL scanner, VirusTotal has programmed VTzilla in such a way that when scanning a file, users are first displayed the results of the URL scanner and then have the option to view the results of the file scanner. (Unfortunately there is no way to change this behavior. I hope an option is added in future updates allowing users to view the results of the file scanner first.) To access the file scanner results from the URL scanner results page, click on View downloaded file analysis found on the URL scanner results page:
Other things worth noting regarding VTzilla:
  • VTzilla has the ability to scan URLs, in addition to files (the URL is run through VT's URL scanner):

  • VTzilla comes with an (annoying) toolbar:

This toolbar allows users to 1) Scan the current website you are surfing [via the URL scanner] 2) Search VirusTotal database/community. However, personally, I find this toolbar to be more annoying than useful. Fortunately, you can turn it off easily by going to "View" -> "Toolbars" and unchecking "VirusTotal Toolbar". (You may also right-click on the toolbar and uncheck "VirusTotal Toolbar".)
  • The 20 MB file size limit of VirusTotal.com still applies to files scanned with VTzilla. Any file over 20 MB will simply not produce file scanner results (you will still get the URL scanner results).
  • VTzilla is a new add-on, so it is not yet available in Firefox's add-on repository; it must be downloaded directly from VirusTotal.com. It is generally a good security measure to only install add-ons from Firefox's add-on repository, but VirusTotal.com is a trusted source, so downloading directly from VT should not be a problem.
That said, you can download VTzilla from the following links:
Version reviewed: v1.0
Supported OS: Any OS that can run Firefox
Special note: VTzilla does not support Firefox 4 Beta yet
VTzilla homepage [direct download]
[via WebWorkerDaily]

Taking USB Attacks To The Next Level

Posted by John Sawyer, Sep 15, 2010 10:36 AM

USB devices have many benign, legitimate uses. But put a USB-based device in the hands of a savvy hardware hacker, and that USB device can go from good to evil in no time.
Fellow Dark Reading blogger Gadi Evron's recent blog about USB-based attacks with keyboards gave an interesting attack scenario of using a hacked keyboard, Notepad, and custom shellcode to exploit a system. But who needs shellcode when you have a keyboard device?
I mentioned a couple of very interesting hardware hacking presentations given this summer that took USB attacks to the next level. One focused on hacking wireless presentation remotes, which are nothing more than USB Human Interface Devices (HIDs) to the underlying system. When you click the "next" button on the remote, it sends a "page down" keystroke via the USB HID keyboard interface.
By reversing the wireless protocol used by the wireless presentation devices, an attacker could inject keystrokes into the system, which could open Notepad, type in a script, save it, then choose Run from the Start Menu and execute the script. Ingenious!
Of course, to be successful you could attack someone only during a presentation. Or you could plant one of these devices on a target machine and communicate with it remotely from outside the office to run your code after hours.
Imagine, instead, that you have a small Arduino-based device that works with the Social Engineering Toolkit to deliver payloads via WSCRIPT and PowerShell. The device emulates a USB HID keyboard and can inject keystrokes into the target system like the attack above. Powerful, right?
The bundling of the Teensy Arduino device with the Social Engineering Toolkit (SET) is an awesome attack vector. It's small and easily planted into a USB port when no one is looking. With SET, an attacker (we'll assume a legit penetration tester) can generate a Metasploit payload and the attack code that gets written to the Teensy device. When the device is plugged into the target, it creates a WSCRIPT file that downloads the Metasploit payload and executes it, as seen in this example.
The other example of using the Teensy HID attack was embedding it into a keyboard since many have built-in USB hubs. If you knew which keyboards were in use in a target's environment, then you could walk in pretending to be the computer repair tech, replace the keyboard, and walk out while your attack happens.
The possibilities are endless when you consider what can be done from a keyboard alone. And, since USB HIDs are cross-platform, so are the attacks that can be performed. Because such a device enumerates as a keyboard rather than as storage, endpoint controls that only block USB mass-storage devices do nothing to stop it.

Saturday, 9 October 2010

Automatic Logon Into Windows 7

If you want to further speed up the Windows 7 boot process you could configure the system to log the user on automatically. This is only sensible for a machine used by a single person in a physically controlled location: with automatic logon, anyone who powers on the computer gets that user's desktop without entering a password, and the stored password is kept as an LSA secret that any local administrator can recover.
All that needs to be done to configure Windows 7 for automatic logon is the following:
Press Windows+R to open the Run box, type control userpasswords2 (netplwiz opens the same dialog) and hit Enter. This displays the User Accounts screen in Windows 7. Select the user account in the main table and uncheck "Users must enter a user name and password to use this computer". Clicking Apply opens the Automatically Log On window; enter the password and confirm it so that it is stored on the system and does not need to be entered during logon. To undo this later, open the same dialog and re-check the box.

Friday, 24 September 2010

Twitter 'onMouseOver' security flaw widely exploited

The Twitter website is being widely exploited by users who have stumbled across a flaw which lets a crafted link in a tweet carry an onMouseOver JavaScript handler, so that messages pop up and third-party websites open in your browser just by moving your mouse over the link. In a worrying development, messages are also spreading virally, exploiting the cross-site scripting (XSS) vulnerability without the consent of users.
Thousands of Twitter accounts have posted messages exploiting the flaw. Victims include Sarah Brown, wife of the former British Prime Minister.
Sarah Brown's Twitter page
It appears that in Sarah Brown's case her Twitter page has been messed with in an attempt to redirect visitors to a hardcore porn site based in Japan. That's obviously bad news for her followers - over one million of them.
Japanese porn website
To Mrs Brown's credit, she has posted a warning on her Twitter page:
don't touch the earlier tweet - this twitter feed has something very odd going on ! Sarah
Here's an example of a Twitter profile which is using the exploit to pop-up a message.

Twitter security flaw popping up a message box

It looks like many users are currently using the flaw for fun and games, but there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed.
Here's a quick YouTube video I made demonstrating the exploit live on Twitter:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
Hopefully Twitter will shut down this loophole as soon as possible by escaping or stripping the injected onMouseOver JavaScript when tweets are rendered, protecting users whose browsing may be at risk.
Some users are also seemingly deliberately exploiting the loophole to create tweets that contain blocks of colour (known as "rainbow tweets"). Because these messages can hide their true content they might prove too hard for some users to resist clicking on them.
Rainbow Tweet exploiting security flaw
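The flaw described above, and the "rainbow tweets" that use the same trick to inject a style attribute, come down to one mistake: a URL found in tweet text is placed inside an href attribute without escaping, so a double quote inside the URL closes the attribute early and whatever follows becomes new attributes on the link. The following is an added example written for this page; it is neither Sophos's nor Twitter's code. The tweet "linkifier" and the sample payload URLs (built around the `@"` shape) are constructed for illustration only, and `hasAttribute` is a small checker that mimics how a browser's tokenizer would see the resulting markup.

```javascript
// Added example, not code from the original post or from Twitter.
// A minimal tweet linkifier: the vulnerable version interpolates a matched
// URL straight into an href attribute; the hardened version escapes first.

const URL_RE = /https?:\/\/\S+/g;

// Vulnerable: a URL containing '"' terminates the href value early, and the
// remainder of the URL (e.g. onmouseover="..." or style="...") becomes
// additional attributes on the <a> element.
function linkifyVulnerable(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: parse the URL (the WHATWG parser percent-encodes '"' in the path),
// accept only http/https, and escape everything before it reaches markup.
// Escaping is what stops the attribute injection; the scheme check is there
// so that javascript: links are refused if the regex is ever widened.
function linkifySafe(text) {
  return text.replace(URL_RE, (url) => {
    let parsed;
    try {
      parsed = new URL(url);
    } catch (e) {
      return escapeHtml(url); // not a parsable URL: render as plain text
    }
    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
      return escapeHtml(url);
    }
    return `<a href="${escapeHtml(parsed.href)}">${escapeHtml(url)}</a>`;
  });
}

// Report whether the markup carries an attribute called `name` on any tag.
// Tracks tag and quote state so the same word inside a quoted value or in a
// text node does not count, which is how a browser would tokenize it.
function hasAttribute(html, name) {
  let inTag = false;
  let quote = null;
  for (let i = 0; i < html.length; i++) {
    const c = html[i];
    if (!inTag) {
      if (c === '<') inTag = true;
      continue;
    }
    if (quote) {
      if (c === quote) quote = null;
      continue;
    }
    if (c === '"' || c === "'") {
      quote = c;
      continue;
    }
    if (c === '>') {
      inTag = false;
      continue;
    }
    // An attribute name starts after whitespace or directly after a closing quote.
    const prev = html[i - 1];
    if (/[\s"']/.test(prev) && html.startsWith(name + '=', i)) return true;
  }
  return false;
}

// Constructed sample tweets (not real tweets): one injects a mouse-over
// handler, the other a style attribute of the kind behind "rainbow tweets".
const SAMPLE_ONMOUSEOVER = 'check this http://a.example/@"onmouseover="alert(1)"/ ok';
const SAMPLE_STYLE = 'http://a.example/@"style="background:red;"/';

console.log(linkifyVulnerable(SAMPLE_ONMOUSEOVER)); // onmouseover lands as a real attribute
console.log(linkifySafe(SAMPLE_ONMOUSEOVER));       // the quote is encoded, nothing escapes the href
```

Real payloads avoided spaces and slashes with escapes such as \u002f so that the whole thing stayed one "URL"; that does not matter to the fix, which belongs in the rendering layer as output encoding rather than in a blocklist of strings such as onMouseOver.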
Right now you might be safer using a third-party Twitter client rather than the Twitter.com website.
Update Twitter says that it is aware of the problem, and hopes to roll out a patch soon.
Response from Twitter
Update 2 Twitter has posted a blog entry going into some detail of what happened, and how it says it has now fixed the problem.
Which means that - if you like - you should be safe to follow me on Twitter at @gcluley to keep up-to-speed on the latest security threats. :) Take care folks.


The Malware, the SMS, and the Money

A threat we call Trojan:MSIL/Fakeinstaller.A has been making the rounds lately. It is a slight deviation from the family of malware threats known as Trojan:Win32/Ransom.
The malware is similar to Trojan:Win32/Ransom, which seizes control of the computer by locking the user's screen and then demanding a passcode from the user. The user receives the passcode only after sending an SMS to a premium number.
This particular sample of Trojan:MSIL/Fakeinstaller.A (SHA1: 5a888391750c0efefe9dfc7dd63ed5b78f603ef9) is not as aggressive, but it still profits by repackaging freely distributable applications from the Internet and charging for them.
The malware arrives supposedly as an installer for a program. But when users actually try to install the program, they are prompted to send an SMS to a premium number, from which a reply is sent back with a code to unlock and install the application. While the application doesn’t lock up your desktop, unsuspecting users may still get charged to send the SMS to a premium account.
Fake installer for uTorrent
Fake installer for DivX
Contrary to Trojan:Win32/Ransom, which is mostly targeted towards Russian users, Trojan:MSIL/Fakeinstaller.A seems to have been purposely made for users residing in other countries in Europe.

Tuesday, 21 September 2010

BMW introducing iPad docks for back seats, iPhone 4 integration


Good news, Apple fans. BMW has turned up the level of smart phone integration in its vehicles in a big way. The company will be showing off its new ConnectedDrive system at the 2010 Paris Motor Show. The swank tech not only boasts Bluetooth wizardry and a text-to-speech function that will allow drivers to access text messages, memos, emails and the like from their BlackBerry, it will also work with Apple iOS 4. That means that the system clicks with the latest iPhone.

But wait, there's more.

The German manufacturer is also introducing something it calls iPod Out that's designed to make the most of using Apple music players in the vehicle. There's even a handy docking system for the iPad in the back seats. What's more, BMW will offer a mobile hotspot system with ConnectedDrive so that passengers can surf the web without burning up their data plans. Welcome to the brave new world. Thanks for the tip, Chris!

[Source: BMW]
BMW introducing iPad docks for back seats, iPhone 4 integration originally appeared on Autoblog on Mon, 20 Sep 2010 11:28:00 EST.

Phishing Proliferating via Facebook Chat

Recently, while chatting with someone on Facebook, one of my friends surprised me when she sent me this:
Facebook chat messages
Out of curiosity and suspicion, I visited the link. This eventually led me to the following site, which was hosted at http://{BLOCKED}atingchatnetwork.com/facebook/index.php.
Users who input their Facebook credentials here would be surrendering their credentials to phishers. Phishing attacks such as this that use Facebook applications are not entirely new but having it spread via Facebook’s own chat feature makes it a more significant threat. The appearance of these messages coming from a user’s friends may lead to more people clicking these links.
The Facebook application used in this attack has already been removed. The underlying phishing page has also been blocked by the Trend Micro™ Smart Protection Network™.
Post from: TrendLabs | Malware Blog - by Trend Micro


Friday, 10 September 2010

Trend Micro's Ultimate Security Giveaway

By: Neil J. Rubenking
From September 8 through October 8, Trend Micro is offering consumers a chance to win one of three premium Dell PC systems. Those registering for the contest can choose their desired prize: a Dell Alienware M11x (for gamers), a Dell Inspiron 14R (for families), or a Dell Vostro 3400 (for work). Naturally each prize computer will come pre-loaded with Trend Micro Titanium Maximum Security 2011. Those who don't win still have a chance to win one of 1,000 copies of Trend Micro Titanium Maximum Security 2011 (a $59 value).
To enter the contest simply visit TrendMicro.Com/Free and fill in the entry form. Naturally you'll have to give them your e-mail address, so they can contact you if you win. You can also opt in to receive promotional e-mails from Trend Micro, if you wish.
"With the 2011 Trend Micro Titanium Maximum Security software we are giving our customers the Internet security, confidence and convenience they deserve plus the chance to win one of three new Dell computers," Trend Micro vice president Tobias Lee said in a statement.
He described the product as "our revolutionary software and premium customer support bundle, an online equivalent of a day at the spa for [the] PC."
However, in PCMag's testing Trend Micro's Titanium technology failed at cleaning up malware from infested test systems. A recent evaluation by AV-Test.org also found the product's malware removal abilities lacking. AV-Test reports that "in the majority of the cases, active malware components … were not removed" and also indicated that rootkit protection was "far below the average of the industry." On the plus side, the full Titanium suite includes a link to Trend Micro Housecall, which scored much better in our malware cleanup tests.
Those winning the laptops surely won't quibble about these test results, which aren't relevant to protection of a brand-new clean system. The more numerous winners of the Titanium suite should definitely call on Trend Micro Housecall for an initial cleanup.

'Here You Have' Malware Preys on the Incompetent

09.09.2010
This afternoon at least one story began swirling about a new threat provisionally called "here you have". It's thus named because this malware arrives in an e-mail with "here you have" in the subject.
ABC News reported that NASA, Comcast, and ABC's parent Disney were hit hard, among others. The McAfee Labs Blog referred to it as a virus, a Trojan, and a worm. The term "worm" refers to a malicious program that can spread to other computers without any human interaction, so that last point had me worried.
As it turns out, this threat isn't a self-propagating worm in that sense. It can't attack your computer by itself. In fact, it can't do anything at all unless some goofball clicks the wrong link (though once that happens it can infect connected computers and USB drives). Really, it's barely more than a social engineering attack. The fact that it managed to spread widely through various multinational businesses doesn't say a lot for the security savvy of the workers.
People! DO NOT click links in e-mail messages from unknown people. DO NOT even click links in e-mail messages from your friend, since the real source of the message might be a virus. DO keep your computer protected with an antivirus or a security suite. That way if you click the wrong link in a fit of weakness you'll still be protected from whatever new threat replaces "here you have".
Originally posted to the PCMag.com security blog, Security Watch.

Wednesday, 8 September 2010

Orange and T-Mobile merge networks

The deal will initially only apply to text messages and voice calls
Customers of Orange and T-Mobile will soon be able to hop between the two mobile networks.
The deal is one of the first practical benefits from the recent merger of the two firms, which have 30 million customers combined.
The network sharing deal is limited to 2G signals, meaning that customers will see little benefit when using the mobile web.
Analysts said that T-Mobile had the most to gain from the merger.
"Outside of the South-East [of England] there has been a constant perception that T-Mobile is an underperforming network," said Shaun Collins of research firm CCS Insight.

"This literally takes it away overnight."
Network evolution
He said that network coverage was becoming a "key battleground" between the major UK networks.
"The network coverage advantages of the merger [between Orange and T-Mobile] were always the most important part of it," he said.
Customers of the two firms will have to sign up for the free "roaming" service, which goes live on 5 October.
Once registered, their phone will automatically hop between the networks when it loses signal. The underlying system is similar to that used when a phone "roams" on a different network abroad.
Next year Everything Everywhere - the company that runs Orange and T-Mobile in the UK - said that phones would automatically switch to whichever of the two networks has the strongest signal mid-call.
It said it also plans to roll it out to 3G services.
When it does, Orange customers will be able to use a 3G network owned and operated by Mobile Broadband Network Limited (MBNL), a joint venture company owned by Three and T-Mobile.
Orange joined MBNL on 16 August.
"Everything Everywhere will be adding Orange sites to the network it shares with Three in the course of time, and Three customers will get access to a significant proportion of those as they are added," said a spokesperson for Everything Everywhere.
Three customers are already able to use the Orange network for 2G calls and texts.
Further down the line, Everything Everywhere aims to start building a next-generation LTE (long-term evolution) mobile network, to cope with the surge in demand for data and the mobile web.
LTE offers faster speeds than current 3G networks and is able to handle more traffic.
The UK government plans to hold an auction of spectrum for next generation services in 2011.


PlayStation 3 update targets hardware hacks

Sales of the dongle are now illegal in Australia
Sony has closed a loophole that allowed users to run software that enables pirated games to be played on the PS3 console.
The update blocks the PSJailbreak and PSGroove applications.
Mathieu Hervais, one of the developers behind PSGroove, told BBC News that it was "safer not to update" if users wished to continue using the hacks.
Sony won a court order in early September banning the distribution of the PSJailbreak dongle.
The update is the latest step in Sony's ongoing battle against the commercial dongle - PS Jailbreak - that allows users to play pirated software. It also targets open source code, known as PSGroove, which allows homemade games to be played on the console.

While the PSGroove software was not originally intended to allow the playing of pirated games, as PSJailbreak does, it has already been modified by other hackers to permit the practice.
Mixed response
It is the continuation of a cat-and-mouse game between hackers and the electronics giant, which started when PSJailbreak first appeared for sale on a website.
The USB dongle was the first hardware hack of Sony's secure games console.
Sony has since obtained a court injunction preventing the distribution of the PSJailbreak dongle in Australia.
The firm has also filed a US lawsuit against Zoomba, a firm that runs a site selling the device. Distributors in the Netherlands have also told the BBC that they have received court documents banning the sale of the dongles.
However, Sony has now decided to tackle the problem head-on by releasing a software update for the consoles that block the hacks.
The new patch received a mixed reception from the gaming community, with some users praising Sony for its prompt action, while others were more critical.
"Every time there is an update, it's a security patch I don't care about," wrote one.
"Give me something that will keep me occupied like more visuals on the music player, a way to delete trophies for a game I don't have anymore, backward compatibility for PS2 games, better video chat.
"You guys don't take too many suggestions from your players. If you listen, I mean really listen, to the ideas you will be top," they added.
Mr Hervais told BBC News that he did not yet know how Sony fixed the security flaw.
Sony declined to comment on the specifics of the update, but a spokesman told BBC News: "Since this is an overall security related issue, we will not be providing further commentary to this case.
"But as we always have, we will continue to take necessary actions to both hardware and software to protect the intellectual content provided on the PlayStation 3."