Tuesday, 23 November 2010

5:15 am (UTC-7)   |   by Gerald Dillera (Fraud Analyst)

Trend Micro researchers recently discovered attacks on the social networking site Multiply. The cybercriminals behind the said attack created new Multiply user accounts then sent malicious personal messages to other site users.
The personal message contains a greeting with the target’s Multiply user name and a video that the recipient is supposed to watch. Clicking the play button redirects users to the malicious URL http://yourtube.{BLOCKED}loring.com/video2/video.php?q=1289224873.
Click for larger view Click for larger view
The page then asks the recipient to download a codec to view the video.
Click for larger view
These sorts of attacks have been occurring for some time.  Users should avoid downloading new codecs to watch videos posted online, as these are frequently malicious. Trend Micro detects the downloaded file in this attack as TROJ_KATUSHA.F. In addition the URL where the malicious video is located is already blocked by Trend Micro products.

Malware Is Everywhere, Report Says

Social Sharing Sponsored by:
Social Sharing Sponsored by Constant Contact
By: Sean Carroll

Dasient Says Malware is Everywhere Security company Dasient released a study today indicating that the number of Web sites infected in with malware and malvertisements in the third quarter of 2010 to be 1.2 million, double its estimate from the same time period last year. And you can't simply avoid shady sites to keep yourself safe either, the report said: government sites are prime targets.
According to Dasient (which, it is worth noting, sells Web antimalware solutions), while other methods of spreading malware—such as spreading viruses via e-mail—continue to grow, "drive-by-downloads and rogue antimalware attacks eclipse other methods of malware distribution."
The most infected domains are .com, .ru, and .info. Attacks from .ru (Russia) have surged since last year, and those from .cn (China) have dropped. The top ten attacker domains were:
  • riotassistance.ru
  • mybar.us
  • myads.name
  • toolbarcom.org
  • freead.name
  • adnet.biz
  • pqshow.org
  • pantscow.ru
  • nt02.co.in
  • nuttypiano.com
Social Media Infections
In particular, the study singled out the growth of social media as a prime target for cyber criminals. Expect more aggressive attacks on Facebook, along the lines of the Koobface botnet, and Twitter, which fell prey to an XSS attack in September. The Twitter XSS attack redirected users to porn and malware sites, and Koobface attack modules spammed Facebook (and MySpace, Twitter, Hi5, Bebo, and Friendster) with malicious links to try to get them to download rogue antimalware.
Advertising Infections
In Q3 of 2010, Dasient estimates that 1.5 million malvertisments per day were served in 2010. This includes those that were delivered by drive-by-downloads and via fake antivirus campaigns. The average lifetime of one of these campaigns was just over 11 days. With this rate of churn, it's clear that it's vitally important to always keep your antivirus software updated.
Government Infections
It's not just social networks or shady fly-by-night sites that serve up these infections, either; cyber criminals are increasingly targeting government Web sites, too. NIH.gov, the site of the National Institute of Health, which gets an estimated 9.5 million page views per month, was infected five times in the period of 2009 to 2010, with the most recent infection in October of 2010. CA.gov was in infected five times during the study period, and Alabama's AL.gov was infected a shocking 37 times before they got control of the problem—the last reported infection was in July 2009.
As PCMag lead analyst for security, Neil Rubenking, points out, government sites may be increasingly vulnerable in this era of budget belt-tightening. If government sites get hacked, there may not be anyone to notice—and there's even less likely to be anyone on hand who can quickly fix the problem.
How to Protect Yourself
Clearly, it's more important than ever to keep yourself protected. If you don't already have protection or are looking for new antivirus app now that the 2011 choices are mostly available, read our roundup of 20 AV apps (including both free and premium choices), The Best Antivirus for 2011.

Monday, 8 November 2010

Firefox Only: Easily scan files for malware before downloading them with VTzilla

We have all heard of VirusTotal, right? (You know, VirusTotal.com, the website that allows users to run files through 43 anti-malware scanners.) VirusTotal is a very handy service, but in order to use VT (VirusTotal) you need to download a file, then upload it on VT. Ever wish you were able to scan a file with VT before you download it? Well now you can (assuming you have Firefox).
VT has released an add-on for Firefox that allows users to scan files with VirusTotal without having to download the file:

When users opt to scan a file with VirusTotal, two things happen:
  • The URL of the website which you are downloading the file from is scanned using VT's new "URL scanner":

(Click on image to view in full size.)
  • The file is uploaded onto VirusTotal.com and scanned:

(Click on image to view in full size.)
To try to get users to make use of their new URL scanner, VirusTotal has programmed VTzilla in such a way that when scanning a file, users are first displayed the results of the URL scanner and then have the option to view the results of the file scanner. (Unfortunately there is no way to change this behavior. I hope an option is added in future updates allowing users to view the results of the file scanner first.) To access the file scanner results from the URL scanner results page, click on View downloaded file analysis found on the URL scanner results page:
Other things worth noting regarding VTzilla:
  • VTzilla has the ability to scan URLs, in addition to files (the URL is run through VT's URL scanner):

  • VTzilla comes with an (annoying) toolbar:

This toolbar allows users to 1) Scan the current website you are surfing [via the URL scanner] 2) Search VirusTotal database/community. However, personally, I find this toolbar to be more annoying than useful. Fortunately, you can turn it off easily by going to "View" -> "Toolbars" and unchecking "VirusTotal Toolbar". (You may also right-click on the toolbar and uncheck "VirusTotal Toolbar".)
  • The 20 MB file size limit of VirusTotal.com still applies to files scanned with VTzilla. Any files over 20 MB will simply not produce file scanner results.
  • VTzilla is a new add-on, so it is not yet available in Firefox's add-on repository - it must be downloaded directly from VirusTotal.com. Typically it is always a good security measure to only download add-ons from Firefox's add-on repository, but VirusTotal.com is a trust source so there should be no issues by downloading directly from VT.
That said, you can download VTzilla from the following links:
Version reviewed: v1.0
Supported OS: Any OS that can run Firefox
Special note: VTzilla does not support Firefox 4 Beta yet
VTzilla homepage [direct download]
[via WebWorkerDaily]

Taking USB Attacks To The Next Level

Posted by John Sawyer, Sep 15, 2010 10:36 AM

USB devices have many benign, legitimate uses. But put a USB-based device in the hands of a savvy hardware hacker, and that USB device can go from good to evil in no time.
Fellow Dark Reading blogger Gadi Evron's recent blog about USB-based attacks with keyboards gave an interesting attack scenario of using a hacked keyboard, Notepad, and custom shellcode to exploit a system. But who needs shellcode when you have a keyboard device?
I mentioned a couple of very interesting hardware hacking presentations given this summer that took USB attacks to the next level. One focused on hacking wireless presentation devices that are no more than USB Human Interface Devices (HID) to the underlying system. When you click on the next button on the remote, it sends a "page down" command via the USB HID keyboard interface.
By reversing the wireless protocol used by the wireless presentation devices, an attacker could inject keystrokes into the system, which could open Notepad, type in a script, save it, then choose Run from the Start Menu and execute the script. Ingenious!
Of course, to be successful you could attack someone only during a presentation. Or you could plant one of these devices on a target machine and communicate with it remotely from outside the office to run your code after hours.
Imagine, instead, that you have a small Arduino-based device that works with the Social Engineering Toolkit to deliver payloads via WSCRIPT and PowerShell. The device emulates a USB HID keyboard and can inject keystrokes into the target system like the attack above. Powerful, right?
The bundling of the Teensy Arduino device with the Social Engineering Toolkit (SET) is an awesome attack vector. It's small and easily planted into a USB port when no one is looking. With SET, an attacker (we'll assume a legit penetration tester) can generate a Metasploit payload and the attack code that gets written to the Teensy device. When the device is plugged into the target, it creates a WSCRIPT file that downloads the Metasploit payload and executes it, as seen in this example.
The other example of using the Teensy HID attack was embedding it into a keyboard since many have built-in USB hubs. If you knew which keyboards were in use in a target's environment, then you could walk in pretending to be the computer repair tech, replace the keyboard, and walk out while your attack happens.
The possibilities are endless when you consider what can be done from just a keyboard alone. And, since USB HIDs are cross-platform, so are the attacks that can be performed.