The folks over at Cisco posted a very interesting blog writeup about the Storm/Waledac botnets and how their marriage to Conficker was consummated in order to start monetizing the enormous computing power of the Conficker botnet.
What I found most interesting was the part about how Conficker would hook itself between Wireshark and the network driver (likely within the winpcap library) to hide all of the network interfaces from Wireshark, essentially rendering the packet sniffing tool useless.
Looking ahead, this makes me wonder what else malware could do to alter the behavior and functionality of other tools that security researchers use to analyze malware. We've already seen Conficker introduce signed, encrypted updates to keep researchers from analyzing updates and penetrating its network. This development of malware physically altering how analysis tools work could be a significant game changer in the cat and mouse game of being able to reverse engineer malicious code. This is definitely something that warrants continued monitoring to see if this tactic continues to be employed by cyber criminals, or improved upon.
In the vein of beating a dead horse, our Threat Operations Center has found another fake Microsoft Outlook/Outlook Express scam with a link to malware making the rounds. This new variant shows a bit more effort in attempting to make the email appear as if it is actually from Microsoft.
This new tactic is similar to the two previous instances that we have seen over the course of the last 3 weeks where emails were being sent out that claimed to link to updates for Microsoft Outlook and Outlook Express. The previous emails were text based, however and outside of using the names of Microsoft products as a lure, didn't contain any convincing social engineering to convince the recipient that the message was authentic. This new tactic does go one step further to create an HTML based message that looks similar to the formatting that one would see when viewing a Microsoft Tech Bulletin.
A screen shot of the received message is below:
As you can see, this isn't the full message, but the pertinent parts are included. There are several links at the bottom of the message labeled "Contact Us", "Privacy Statement", and a couple of others which link off to the Microsoft site in an effort to make the email appear more authentic.
The creators of this new variant also put a little extra care into how they crafted the URL used in the email. As you can see from the example above the display URL appears as if it is going off to update.microsoft.com, which isn't uncommon. In the background these links are typically either going directly to an IP address or to a domain that is clearly not associated with the company they are spoofing. The tactic being used here is the latter of the two, but you have to pay close attention because if you just quickly glance at the URL, you'll miss something important.
For example, here is one of the URLs that our TOC observed:
hxxp://update.microsoft.com.hfhilf.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=137389514006574829074907904242972292094527445893638626111136583
You'll notice that the link is really going to "hfhilf.com", clearly a domain not associated with Microsoft, but prepended to the domain is "update.microsoft.com" followed by a query path that looks very much like it could be a legitimate Microsoft Office update path.
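The lookalike trick above, where a trusted brand's hostname is buried inside a subdomain of an unrelated registrable domain, can be checked mechanically. The following is an added example, not code from the original post: it parses a URL, works out which domain actually owns the host, and reports any protected brand that merely appears as a label prefix. It assumes the registrable domain is the last two labels of the hostname (a production check would use the Public Suffix List so hosts under suffixes like co.uk are handled), and the brand list is constructed for this example.

```python
"""Flag hostnames that embed a trusted brand domain inside someone else's domain.

Added example; not from the original post. Assumptions: registrable domain
is approximated as the last two DNS labels (use the Public Suffix List in
production), and PROTECTED_DOMAINS is a constructed list.
"""
from urllib.parse import urlsplit

# Brand domains whose appearance in a hostname we want to verify (constructed list).
PROTECTED_DOMAINS = ("microsoft.com",)


def refang(url: str) -> str:
    """Restore the hxxp:// defanging used in write-ups so urlsplit sees a real scheme."""
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    return url


def registrable_domain(host: str) -> str:
    """Approximate the owner-controlled domain as the last two labels (assumption, see above)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> dict:
    """Report who really owns the host and which protected brands are only embedded in it."""
    host = (urlsplit(refang(url)).hostname or "").lower().rstrip(".")
    owner = registrable_domain(host)
    labels = host.split(".")
    embedded = []
    for brand in PROTECTED_DOMAINS:
        brand_labels = brand.split(".")
        n = len(brand_labels)
        # The brand's labels occur somewhere in the host, yet the host is not owned by the brand.
        appears = any(labels[i:i + n] == brand_labels for i in range(len(labels) - n + 1))
        if appears and owner != brand:
            embedded.append(brand)
    return {
        "host": host,
        "registrable_domain": owner,
        "owned_by_protected_brand": owner in PROTECTED_DOMAINS,
        "embedded_brands": embedded,
    }


if __name__ == "__main__":
    # The URL observed by the TOC above, followed by a constructed legitimate counterpart.
    for sample in (
        "hxxp://update.microsoft.com.hfhilf.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=137389514006574829074907904242972292094527445893638626111136583",
        "https://update.microsoft.com/",
    ):
        print(check_url(sample))
```

For the observed URL the check reports hfhilf.com as the owner and microsoft.com as an embedded brand; the constructed legitimate URL is owned by microsoft.com and embeds nothing. The same logic applies to any brand you add to the list.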
As usual, there are a couple of grammatical errors that are your basic tipoff that this message is not from Microsoft. Couple that with the fact that Microsoft does not generally blast out update notifications in this manner and you have two tell-tale signs that this email is the work of cyber criminals, not an official update notification.
Poisoning search results with content that leads unsuspecting users to spam or malware content is nothing new. We've been seeing abuse of Google's PageRank system since early 2008 where spammers would artificially inflate the rankings of their spam web sites and send out email links which emulated the click of the "I'm Feeling Lucky" button on Google's search page to auto-redirect users through Google to fraudulent web sites.
We are now seeing something similar with Twitter. According to this post on Mashable's web site, spammers are using the accounts that they are setting up on the popular micro-blogging site to increase the ranking of certain topics so that they will appear in the list of Twitter's most popular topics and organically increase clickthroughs. In some cases the sites that users are being directed to also can inject malware.
Be careful with these sites because, as we have seen with some other Twitter exploits, the possibility exists that you could also have your account credentials stolen and used as another vehicle for distributing Twitter spam. Twitter has been built to be easy for end users to use and interface with. This methodology has been great to drive user adoption. The unfortunate side effect is that, because of its popularity, it has become an increasingly focused target for cyber criminals.
Is It Too Little, Too Late?
In a story released a few days ago, BITS (Banking Infrastructure and Technology Services) released a paper titled "Email Sender Authentication Deployment" focusing primarily on how financial institutions can implement DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) technologies to authenticate mail coming from their domains as opposed to spoofed emails sent by spammers.
In a release done by the Online Trust Alliance (OTA) in 2008, it was reported that 51% of the Fortune 500 consumer facing brands, 52% of the Fortune 500’s consumer-facing financial service brands, and 54% of the Internet Retailer top 300 brands were currently authenticating their email.
Many major financial institutions are on board this bandwagon as well, but clearly there is room for improvement. As pointed out by Paul Smocer, VP of Security for BITS, only about 10-15% of BITS' 100 members are currently using any form of email authentication, a statistic that seems quite different from the adoption rates of F500 brands. For those who haven't yet implemented sender authentication, BITS has released this guide to help financial institutions understand the business value in implementing these solutions.
Will SPF and DKIM stop spoofing? No, but what they will do is help email receivers to identify messages that are actually being sent by a financial institution like Bank of America versus an email that was sent by a spammer to merely look like an official BofA message in an attempt to steal someone's identity or web site login credentials.
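To make the receiver-side part of that concrete, here is an added example (not from the original post or from BITS) of the SPF check a mail receiver performs: given the connecting IP and the domain in the envelope sender, it walks the domain's SPF record and returns pass, fail, softfail, neutral or none. DNS is replaced by a constructed in-memory table using reserved documentation addresses and .example domains, so it runs offline; the ip4, ip6, include and all mechanisms are implemented, while a, mx, ptr and exists (which need live DNS) are reported as permerror. DKIM is not shown, since it requires the sender's signing key.

```python
"""Simplified SPF check_host() for a mail receiver.

Added example; not from the original post. DNS lookups are replaced by the
constructed SPF_RECORDS table (RFC 5737/3849 documentation addresses,
.example domains), so results here say nothing about any real domain.
"""
import ipaddress

# Constructed stand-in for TXT lookups: the bank delegates part of its sending to a vendor.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

# SPF qualifier prefixes and the result they yield when their mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str):
    """Fetch the SPF record for a domain (from the constructed table here)."""
    return SPF_RECORDS.get(domain.lower())


def check_host(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the sender IP against the domain's SPF record, following includes."""
    if depth > 10:          # RFC 7208 caps DNS-causing terms at 10; stop runaway includes
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # A v4 address is never contained in a v6 network (or vice versa).
                matched = sender in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            # include: matches only when the referenced domain evaluates to pass.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            # a, mx, ptr, exists need live DNS, which this offline example does not have.
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"        # no mechanism matched and no explicit "all"


if __name__ == "__main__":
    for sender_ip in ("203.0.113.7", "198.51.100.10", "192.0.2.5"):
        print(sender_ip, check_host(sender_ip, "bank.example"))
```

A receiver that gets fail from a bank's record with -all can reject or quarantine the message; the spoofed mail described above is exactly what lands in that bucket, because the spammer's IP is not in the bank's published list.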
The question I would pose here is this: for all the consumer confidence that email authentication technologies are attempting to foster, is it too little, too late? I've heard people from some of the largest banks in the country state that their studies have found that many of their own customers don't even open email from them anymore, or have moved away from online banking entirely, solely because of their concerns about having their identities stolen. In their eyes, it is easier to avoid the potential for risk entirely (even if it costs additional fees to walk into a branch to conduct business) by not dealing with their bank via online means at all. This is because they cannot distinguish between legitimate communications from their bank and what is being sent by cyber criminals.
Trust is very hard to earn and even more difficult to re-establish once lost, especially if you are dealing with matters involving someone's wallet. To that point, when I think about where we are today with the low level of trust that users have overall in email as a communication and marketing vehicle, I believe that as an industry we should be doing everything that we can to help email senders and receivers proactively identify malicious email, but users might be too jaded to care.
My apologies for being a bit light on posting this week. I have been in Amsterdam for the 16th MAAWG Conference. It's been a great conference with some outstanding presentations, but I am looking forward to being home tomorrow!
It looks like the Outlook Reconfiguration Malware from last week has returned for another round, this time claiming that other user mail clients are in need of reconfiguration.
This one is fairly interesting because it seems to be rather confused as to which mail client is supposed to be reconfigured. Many of the samples that I have reviewed use different mail client names between the message subject and the body. A couple of examples:
Message Subject: Microsoft Outlook Setup Notification
Message Body:
You have (6) message from Outlook Express.
Please re-configure your Microsoft Outlook again.
Download attached setup file and install.
Message Subject: TheBat Setup Notification
Message Body:
You have (9) message from Microsoft Outlook.
Please re-configure your TheBat again.
Download attached setup file and install.
Notice that between the message subject and the first and second sentence of the message it might tell you that you are receiving a setup notification for TheBat (a legitimate mail client frequently spoofed in spam), tell you that you have X messages from Microsoft Outlook, and tell you that you need to reconfigure TheBat again. I am not sure if this is intentional or not (it is sloppy work on the part of the spammer if it is) or if it is just a piece of broken spamware.
These messages have an attachment named client_update.zip, which has an md5 checksum of a50838afddd97a744804bdb6b153b101.
Virustotal reports (as of the time of this writing) that only about 60% of the antivirus engines are detecting this malware, which is better than we typically see in the early stages of a new attack. This lends itself to the theory that this new malware is close enough to the one seen last week where the old signatures might still be catching it.
Either way, be on the lookout for this respin of last week's news.
Today the FTC announced via their web site that they have shut down 3FN (aka Pricewert), a major rogue internet service provider specializing in hosting botnets, phishing web sites, child pornography, and other illegal, malicious web content.
Unfortunately, however we are not seeing any volume drop offs as a result of this shut down. Back when McColo, another rogue hosting provider, was shut down back in November 2008, we observed an immediate drop in spam volumes of about 60%. No such luck this time. In fact, spam volumes haven't been affected at all according to our Threat Operations Center.
This begs the question "Why not?" How come spam was so significantly affected by the McColo shutdown, but the termination of 3FN doesn't appear to have had any effect thus far? The reason is that botnets, particularly those that were affected by the McColo shutdown and that serve as a lesson to all botnet owners, have gone to great lengths to build redundancy into their networks so that the disruption caused by McColo never happens again. It is suspected that some of the larger spam sending botnets like Cutwail had command and control servers hosted at 3FN, but because they now work in a multi-homed model, with command and control centers interspersed amongst many different providers on many different networks, the shutdown of a single hosting provider requires nothing more than a minor update distributed from the other command and control servers to point the members of that botnet away from 3FN, allowing business to run as usual.
Government intervention and the veritable whack-a-mole game that goes on with upstream bandwidth providers can only go so far to get these illegal web hosts shut down. We need more cooperation from the domain registrars in order to completely take these rogue domains offline. Unfortunately, with the decentralization of domain registration that has allowed registrars to set up shop who are more than happy to let these rogue domains come online and stay online, cyber criminals will continue to flock to these services until higher authorities step in to get them shut down; a concept much easier said than done.
In the race to coin new technical terms and phrases that generally only serve to confuse the masses, we now have upon us the dawn of a new term "Web 3.0."
To present a bit of a timeline:
I am willing to wager that most people would consider the movement into "Web 1.0" started sometime in late 1994/early 1995 when Netscape released the first versions of its Navigator browser. This event was basically the catalyst which started to bring "The Internet" as we know it into a more mainstream setting. I realize that some of the more tech savvy out there would argue that "The Internet" is actually quite a bit older than that, and I will concede that point, but for the sake of argument let's also agree that the internet was nowhere near what one could consider mainstream.
The term Web 2.0 was originally mentioned (according to Wikipedia) in an article by Darcy DiNucci titled Fragmented Future. Although Darcy's train of thought was kind of on the right path, the reality of what Web 2.0 eventually became is a lot broader. As such, the "Web 2.0" moniker is more generally credited to Tim O'Reilly, who used the term again at the O'Reilly Media Web 2.0 Conference in 2004. O'Reilly's vision is much more on par with what we generally consider to be "Web 2.0" today. That is, the evolution into web based communities, collaboration, communication, and real time data and information sharing. Sites like blogs, wikis, and social networking communities, as well as the broadcast of information through podcasts, are primarily what shape what Web 2.0 is today.
So, now that all of this data is out there on the web, what are we going to do with it? Enter "Web 3.0". What Web 3.0 is intended to be is the method by which all of the data and facts introduced as part of Web 2.0 will be mined and used. This will likely end up getting used mostly by large marketing companies who will be looking for new and inventive ways to target ads in popups and web pages and spam to users.
The question that I have is, why is this "Web 3.0" ? In the software world, when a product or service goes up a whole major version number (the major version is typically the number to the left of the decimal point) it is usually because what is being introduced is significantly different, better, or enhanced over the previous version. In moving from Web 1.0 to Web 2.0 this change in vernacular made sense. It was the movement from the web as a static content delivery vehicle to one where content was made much more interactive. It really was a drastic paradigm shift in how the web was used by both users as well as service providers. The movement from the posting of data and content to the mining of that information seems more like a logical next step in how web content would be used and is hardly a significant change in thought process or a drastic change in how the internet is interacted with. As such, I don't see what is being done as worthy of coining a new phrase.
I know that "Web 2.1" doesn't sound nearly as exciting or as sexy as Web 3.0, but let's call it what it is: a logical progression, not an internet shaking movement.
The MX Logic Threat Operations Center has observed a new type of malware in the wild being sent out as an email posing as a reconfiguration notification for Microsoft Outlook.
The message subject is "Outlook Setup Notification" and contains the following text within the message body:
You have (1) message from Microsoft Outlook.
Please re-configure your Microsoft Outlook again.
Download attached setup file and install.
The attached file is named micr__outlook_update_6556.zip and has an md5 checksum of 7aa706c521dd8a11ef23b35fc5c4d543.
So far we are not seeing any variants in either the attachment name (which could easily be made more random with the digits on the end) or the hash, so the malware is not morphing at this point. That could easily change, as it is trivial for AV vendors and spam filters to block this particular threat.
The graph below shows hourly volumes of this new threat since about 11:30am MST on 6/2, when we originally started to observe it hitting our systems.
It looks like Western Union is the target of yet another spoofing campaign by spammers. We've seen these come and go on a fairly constant basis over the past few months where several different brands have been targeted (we've also blogged about them before), but since this one appears to be coming out in pretty high volumes, I thought it was worth mentioning.
The message itself appears to come from the Western Union Support Team (see sample below) and follows the same basic tactic that many of its UPS, DHL, FedEx, and previous Western Union scams employed whereby it is trying to trick the recipient into believing that a package or transfer that they had attempted to send was not delivered and to print out and bring the attached invoice (read: malware) to their local branch. Note the lack of specificity as to where to actually go which has been a common thread in previous scams as well.
Our Threat Operations Center is currently monitoring approximately 100,000 of these new Western Union emails per hour. Below is a graph showing the timeline and prevalence of the most recent Western Union scams starting from the 11th of May. The spike on the far right is this most recent variant.
As is usual, if there is a question about a transaction that you had made with a vendor, use the tracking number that they provided you and visit their web site or call them directly to lookup and verify your transaction. Do not fall victim to these scams.
Be on the lookout this morning for a phishing scam floating around Facebook asking you to visit http://areps.at, a domain registered only a few days ago to someone named Andrew Morov out of Russia. (UPDATE 5/21/2009 11:30am MST - According to this CNet article, the domain bests.at is also being used for this scam, registered to the same person as areps.at)
personname: Andrey Morov
organization:
street address: Schelkovskiy proezd d.11 korp.1 kv.3
postal code: 105425
city: Moscow
country: Russland
phone: +74956211281
fax-no: +74956211281
e-mail: ******@nameclub.at
nic-hdl: AM5009456-NICAT
changed: 20090515 15:23:43
source: AT-DOM
Visiting this site will also infect your Facebook profile and cause messages to be sent to your friends inviting them to also visit. Below is a screen shot illustrating the contents of the message you may receive from an infected friend.
If you do receive any of these, contact the person who sent it to you and ask them to change their password ASAP. If you believe that you might have fallen victim to this scam, change your own profile password before whoever has hijacked your account changes it for you and locks you out of your own account!
Every so often our Threat Operations Center runs across things that are either too interesting or too humorous to not pass along. Yesterday, we saw another one of those examples.
It is not uncommon to see messages spoofing government entities. We've blogged many times in the past year about scams targeting entities like the US Tax Court, the Internal Revenue Service, the US District Court, the US Department of Justice, and most recently the Social Security Administration (external link to SC Magazine).
The scam du jour targets the US Treasury. The email appears to come from the U.S. Treasury Support Center and has a subject line containing the words "Federal Reserve Bank" with various other words/phrases like "Attention" or "Read Carefully" either prepended or appended in an effort to grab the attention of the reader. As is commonplace with most of the scams that we run across, it has its share of grammatical comedies.
I found two things most interesting in this case: 1) The actual email does not do anything to convince the user that they have to do something RIGHT NOW in order to avoid some loss of privilege or convenience (e.g. their online bank account will get locked out) as most do. 2) (and in my opinion the more comical) The URL in the email contains the word "phishing" in it. Now, I understand that the phishing reference is likely in relation to the content of the message, but I found it simultaneously funny and ironic that an obvious scam would risk tipping off a would-be victim by including a word that would set off as many red flags with someone as obvious as "phishing."
As of the time of this writing the domains that are associated with this scam are still up, however the web sites that are being pointed to by these particular scams appear to be down. The fact that the domains still exist is reason to believe that they will be recycled for future federal bank related scams.
It's 10pm. Do you know where your data is?
One of the strengths of Web 2.0 applications is also one of its greatest weaknesses. As information sharing has become all the rage on Web 2.0 social networking, blogging, and micro-blogging sites like Facebook, MySpace, and Twitter (and with the subsequent mining of that data by search engines like Google), we need to be aware not only of the data that we are sharing about ourselves, but also be more diligent about qualifying what we read.
Case in point: a Twitter user going by the name of @officethemovie started posting content about an upcoming Zune/Windows phone to rival the iPhone. As one would guess, word started to spread quickly and @officethemovie quickly gathered over 1,000 followers. Some of the major technology publications, like PC Magazine (@pcmag on Twitter) understandably became interested as well. Come to find out @officethemovie had only created the post on Twitter in an effort to raise iPhone piracy visibility to Apple via his blog and that the Zune/Windows phone wasn't real. I feel that I've given enough publicity to @officethemovie already via his numerous mentions throughout this post, so I won't link to his blog here. Trying to drive traffic to your blog through deception is lame and basically ruins all of your credibility.
No matter what the communication medium, information is traveling quicker and is more distributed than ever before. What's the saying? "If it is on the internet, it must be true"? Obviously that is meant tongue-in-cheek, and maybe I am paraphrasing a bit, but the moral of the story is that misleading information can run rampant very quickly. Misleading information is the basis behind most of the social engineering attacks employed by cyber criminals today, so it is of the utmost importance that, whether it is something reasonably benign like a phony phone announcement or something more serious like a scam that can lead to identity theft, we don't take the risks associated with Web 2.0 technologies lightly. Perhaps what we are dealing with is the Web 2.0 version of hacktivism?
Just as a general Public Service Announcement, if you are interested in Cross Site Scripting exploit news, and if you are not following @xssexploits on Twitter, do so (and of course follow @smasiello too :) ).
The reason that I mention that is, in addition to wanting to stay up to date on some of the latest XSS announcements, @xssexploits is also one of the first places that I was informed about the recently made public XSS vulnerabilities found on several McAfee web sites.
So, why are these exploits of consequence?
One of the sites mentioned as being vulnerable to cross site scripting vulnerabilities is McAfee's Rebate and Promotion Center web site. One of the fields that a user must populate when filling out the form to obtain a rebate is the date that you purchased one of McAfee's qualifying products in mmyydddd format. By using a technique known as HTML code injection a user could get redirected to another (potentially malicious) McAfee look alike web site used for phishing unsuspecting users' sensitive information, or to a malware distribution site that looks like an official McAfee web site.
Many security vulnerabilities are introduced by software not doing proper input checking. Following a "whitelist model", where as part of the input checking code you specify the valid types of input that are allowed (generally a small list) as opposed to identifying all of the input that is not allowed (a much larger list), is common practice. In this case, it doesn't appear as if the form was doing any kind of input checking. Allowing HTML characters such as quotation marks and less than and greater than symbols in a field that is clearly expecting only numerical input is only asking for trouble.
I am not trying to pick on McAfee here, but they are a prime example of the reality that it can happen to anyone: for a company whose business is security, you would expect a pretty keen eye toward security vulnerabilities within their own web site. Back in January, CWE and SANS posted their list of the top 25 programming errors that occur most frequently within applications, and Improper Input Validation is at the top of that list. It tops the list because it is the most common flaw and because it is the easiest to exploit. Improper input checking can be exploited with even the simplest of test cases, which means that even your lowest level hacker who only knows the bare minimum about XSS and code injection could take advantage of this flaw.
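The whitelist model described above, applied to exactly this kind of purchase-date field, looks like the following. This is an added example, not McAfee's code or anything from the original post: it shows a handler that interpolates the raw field into the page (so any markup a user types becomes part of the page) beside one that accepts only the allowed shape and escapes on output. It assumes an eight-digit MMDDYYYY layout (the post writes the format as mmyydddd; this example picks a concrete one) and that the page echoes the submitted date back in HTML; all names and inputs are constructed.

```python
"""Unchecked date field beside an allowlisted one.

Added example; not from the original post or from McAfee. Assumptions: the
field is eight digits in MMDDYYYY order, and the confirmation page renders
the submitted value back into HTML. Function names are hypothetical.
"""
import html
import re
from datetime import datetime, date

# Allowlist: exactly eight ASCII digits. [0-9] rather than \d so that Unicode
# digits are rejected, and fullmatch so a trailing newline cannot sneak past.
PURCHASE_DATE_RE = re.compile(r"[0-9]{8}")


def render_confirmation_vulnerable(purchase_date: str) -> str:
    """No input checking and raw interpolation: whatever was typed becomes markup."""
    return f"<p>Purchase date: {purchase_date}</p>"


def validate_purchase_date(value: str) -> date:
    """Shape check against the allowlist first, then a semantic check (a real calendar date)."""
    if not PURCHASE_DATE_RE.fullmatch(value):
        raise ValueError("purchase date must be exactly eight digits (MMDDYYYY)")
    try:
        return datetime.strptime(value, "%m%d%Y").date()
    except ValueError:
        raise ValueError("purchase date is not a valid calendar date") from None


def render_confirmation_hardened(purchase_date: str) -> str:
    """Reject anything outside the allowlist, then escape on output as defence in depth."""
    parsed = validate_purchase_date(purchase_date)
    # Render from the parsed value, not the raw string; html.escape guards the output path too.
    return f"<p>Purchase date: {html.escape(parsed.strftime('%m%d%Y'))}</p>"


if __name__ == "__main__":
    # Constructed inputs: a valid date, then markup that a numeric field should never accept.
    for sample in ("05152009", "<b>not a date</b>"):
        print("vulnerable:", render_confirmation_vulnerable(sample))
        try:
            print("hardened:  ", render_confirmation_hardened(sample))
        except ValueError as err:
            print("hardened:   rejected:", err)
```

The allowlist does the heavy lifting: once only eight digits can reach the renderer, the quotation marks and angle brackets the post mentions have nowhere to go. The output escaping costs nothing and catches the case where someone later loosens the validation.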
Protect your brand. Protect your web site. Protect your users. Follow secure coding practices and incorporate a security mindset into the products and applications that you build. You don't have to be a security company to think securely.
I wanted to take a moment to write about a topic that we discussed during the recording of Episode 29 of the Security Buzz podcast earlier today. That topic is based off of a post found on DarkReading that discussed Microsoft's decision to release an update to disable the Autorun feature in Windows for USB drives in response to the variant of the Conficker worm which would spread via these devices. The question at hand was whether or not this move is happening too little too late given Conficker's already large presence.
My opinion is that not only is the move too little too late, but it is also a completely irrelevant one for the main reason that according to the folks over at mtc.sri.com, who have posted in depth research as to how the Conficker worm operates, most of the machines that are infected with this worm are still running versions of the Windows XP operating system with Internet Explorer 6 installed on them. This means that most of the machines infected are not one or two patch levels behind on their updates from Microsoft. They are likely years behind and have never been patched, and may in fact be running the original version of Windows XP originally released in October 2001 and have never had a single security patch applied to them meaning that they are vulnerable to every Windows XP vulnerability ever patched.
USB drives, although an important infection avenue to consider (although in my opinion are more of a risk from a data leakage perspective than they are a malware distribution point), are still only a small portion of the infection problem. Emails with attachments, malicious web sites and compromised legitimate web sites that distribute malware, and peer-to-peer downloads of pirated software with embedded trojans are all far more prevalent issues with respect to current worm and malware propagation than USB drives.
Unfortunately, this move by Microsoft will do little to solve the Conficker problem or slow its spread. It also will not do much overall to prevent further malware propagation in the future, because the machines that need to be cleaned up are not the ones that are following best practices by keeping up to date on security patches, running up to date antivirus, and defending in layers. It's those that aren't that are, and will continue to be, the real problem.
The folks over at SecurityFocus have published yet another Adobe PDF Reader related vulnerability. No exploits have been seen in the wild at this time taking advantage of this flaw, but unless it is patched quickly by Adobe they will likely come in short order, due to the prevalence of Acrobat Reader in the wild and the success of previous exploits.
This is in no way an endorsement of this product, but if you are looking for an alternative to Adobe's PDF reader, consider looking into FoxIt Reader by FoxIt Software. As with any software, it has its own vulnerabilities that have been patched, but since it isn't as widely used has not been as highly targeted as Adobe's products. There are other alternatives available as well. Consider looking into them if you frequently find yourself opening PDFs as part of your daily professional or personal responsibilities.