Archive for Security

40 Years of Malware – Part 4

2011 marks the 40th anniversary of the computer virus. Help Net Security notes that over the last four decades, malware instances have grown from 1,300 in 1990, to 50,000 in 2000, to over 200 million in 2010. Fortinet (FTNT) marks this dubious milestone with an article which counts down some of the low-lights of malware evolution. The Sunnyvale, CA network security firm says that viruses evolved from academic proofs of concept, to geek pranks, and finally into cybercriminal tools. By 2005, the virus scene had been monetized, and almost all viruses were developed for the sole purpose of making money via more or less complex business models. According to FortiGuard Labs, the most significant computer viruses over the last 40 years are:

- See Part 1 Here – See Part 2 Here – See Part 3 Here – See Part 4 Here

Storm (2007) – By 2007, botnets had infected millions of systems worldwide, using zombie systems to send spam, generate Denial of Service (DoS) attacks, and compromise passwords and data. By 2007 cybercriminals had developed lucrative business models that they wanted to protect, so the attackers became more concerned about protecting their zombie computers. Until 2007, botnets lacked robustness: by neutralizing its single Control Center (PDF), a botnet could be taken down, because the zombies no longer had anyone to report to (and take commands from). The Storm botnet was the first to feature a peer-to-peer architecture (PDF) to decentralize its command and control functions. At the peak of the outbreak, the Storm botnet was more powerful than many supercomputers and accounted for 8% of all malware running in the world, according to FortiGuard.

Koobface (2008) – Koobface (an anagram of Facebook) spreads by pretending to be the infected user on social networks, prompting friends to download an update to their Flash player to view a video. The update is a copy of the virus. Once infected, users serve both as vectors of infection for other social network contacts and as human robots to solve CAPTCHA challenges for cyber-criminals, among other things. Koobface is also the first botnet to recruit its zombie computers across multiple social networks (Facebook, MySpace, hi5, Bebo, Friendster, etc.). FortiGuard estimates that over 500,000 Koobface zombies are online at the same time.

Conficker (2009) – Conficker (aka Downadup) is a particularly sophisticated and long-lived virus, as it is both a worm, much like Sasser, and an ultra-resilient botnet, which downloads destructive code from random Internet servers. (We still see it pop up from time to time at work.) Conficker targeted the Microsoft Windows OS and used Windows flaws and dictionary attacks on admin passwords to crack machines and link them to a computer under the control of the attacker. Conficker’s weakness is that its propagation algorithm is poorly calibrated, causing it to be discovered more often, according to Fortinet. In 2009 some networks were so saturated by Conficker that planes were grounded and hospitals and military bases were impacted. Conficker infected about 7 million systems worldwide.

Advanced Persistent Threat (2009) – Advanced Persistent Threat (aka APT, Operation Aurora) was a cyber attack which began in mid-2009 and continued through December 2009. The attack was first publicly disclosed by Google (GOOG) on January 12, 2010, in a blog post. In the blog post, Google said the attacks originated in China and were both sophisticated and well resourced, consistent with an advanced persistent threat attack. According to Wikipedia the attack also included Adobe (ADBE), Dow Chemical (DOW), Juniper Networks (JNPR), Morgan Stanley (MS), Northrop Grumman (NOC), Rackspace (RAX), Symantec (SYMC) and Yahoo (YHOO). There is speculation that the primary goal of the attack was to gain access to, and potentially change, source code repositories at these high-tech, security and defense contractor companies.

The definition of an Advanced Persistent Threat depends on who you ask. Greg Hoglund, CEO at HBGary, told Network World that an Advanced Persistent Threat is a nice way for the Air Force and DoD to not have to keep saying “Chinese state-sponsored threat.” He says, “APT is the Chinese government’s state-sponsored espionage that’s been going on for 20 years.”

Stuxnet (2010) – Stuxnet’s discovery in September 2010 ushered in the era of cyber war. According to most threat researchers today, only governments have the necessary resources to design and implement a virus of such complexity. Stuxnet is the first piece of malware specifically designed to sabotage nuclear power plants. It can be regarded as the first advanced tool of cyber-warfare. Stuxnet was almost certainly a joint U.S. / Israeli creation for damaging the Iranian nuclear weapons program, which it did, by destroying a thousand centrifuges used for uranium enrichment.

To spread, Stuxnet exploited several critical vulnerabilities in Microsoft (MSFT) Windows which, until then, were unknown, including one guaranteeing its execution when an infected USB key was inserted into the target system, even if the system’s autorun capabilities were disabled. From the infected system, Stuxnet was then able to spread through an internal network until it reached its target: a Siemens industrial software system that ran Iran’s Bushehr nuclear reactor. The payload was most likely intended to destroy or neutralize the industrial system.

Duqu (2011) – Duqu is the current star in the world of malware but, as history shows, that fame will be short-lived. Just like fashion models, modern malware has a lifespan in the media eye of a couple of weeks to a couple of months, tops. They then fade into the shadow of more dangerous and sophisticated tools, according to Help Net Security.

Gary Warner, director of Research in Computer Forensics in the UAB College of Arts and Sciences blogged that Duqu is a data stealing program that shares several blocks of code with Stuxnet. In fact, one of the two pieces of malware we’ve seen that is described as being Duqu is also detected as Stuxnet by some AV vendors.

Symantec disclosed in their report that one of the infections they were analyzing had been infected via a Word Document that exploited the system using a previously unknown 0-day attack.

On November 3, 2011, Microsoft released Microsoft Security Advisory (2639658), “Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege.” The advisory starts with an executive summary which says, in part:

Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware.

rb-

Every couple of years a new piece of malware is crowned the most innovative or dangerous cyber threat in the wild. The anti-malware industry is built on a game of chicken between malware creators and anti-malware creators, with end users stuck squarely in the middle. As this series of articles has shown, this game has been going on for 40 years, since computers were bigger than many houses and as user friendly as the DMV.


Santa Gets Hacked!

The UK firm Twist & Shout reports that one of Santa Claus’s key databases has been compromised due to the loss of an unencrypted USB stick at the Kris Kringle North Pole workshop.

Santa Gets Hacked! from Twist and Shout on Vimeo.

Web Connectable TV New Source of Threats

You may want to consider the security of the fancy new 55-inch high-def LCD TV that Santa Claus brings you. Surprise, surprise, surprise: it may have security holes that could allow hackers to take over your home network.

Consumer appetite for on-demand and online video content will drive sales of Internet-connectable TV devices to nearly 350 million units worldwide by 2015, reports ITnewsLink. Parks Associates’ Connected Living Room: Web-enabled TVs and Blu-ray Players forecasts that worldwide sales of Internet-connectable HDTVs, Blu-ray players, game consoles, and digital video players like Apple‘s (AAPL) Apple TV will grow about fourfold from 2010.

Parks Associates says all major manufacturers are debuting new models with innovations in content aggregation, apps development, and user interfaces. Content options are finally catching up to the hardware innovations, and growing libraries of on-demand movies and TV are starting to unlock the potential of connected TV devices as multifunction online entertainment and communications platforms.

The growth of these devices will increase opportunities for apps developers – including third-party developers and giants such as Google (GOOG), Samsung, and Yahoo (YHOO) – and for one other group: hackers.

Mocana, a company that focuses on securing the “Internet of Things”, released a study that highlights digital security flaws in Internet-connected HDTVs, reports ITnewsLink. The Mocana researchers believe that the security flaws exist in many Internet TVs and recommend that consumers seek out third-party security tests before they purchase and install them in their home.

Mocana’s CEO Adrian Turner told ITnewsLink: “…manufacturers are rushing Internet-connected consumer electronics to market without bothering to secure them … consumer electronics companies that might lack internal security expertise should seek it out, before connecting their portfolio of consumer devices to the Internet.”

Mocana’s research shows that attackers may be able to leverage Internet-connected TVs to hack into consumers’ home networks. Researchers found that the TV’s Internet interface failed to confirm script integrity before those scripts were run. Mocana was able to show that JavaScript could then be injected into the normal data stream, allowing attackers to obtain total control over the device’s Internet functionality. As a result, an attacker could intercept transmissions from the television to the network using common “rogue DNS”, “rogue DHCP server”, or TCP session hijacking techniques. The security holes could allow attackers to:

  • Present fake credit card forms to fool consumers into giving up their private information.
  • Create a man-in-the-middle attack on the HDTV to dupe consumers into thinking that “imposter” banking and commerce websites were legitimate.
  • Steal the TV manufacturer’s digital “corporate credentials” to gain special VIP access to backend services from third-party organizations including popular search engine, video streaming and photo sharing sites.
  • Monitor and report on consumers’ private Internet usage habits without their knowledge.

The flaws Mocana uncovered should raise questions about the security of consumer electronics in general, which manufacturers are scrambling to connect to the Internet, often with little or no security technology on board.

Mocana’s CEO Adrian Turner continued: “While much public discussion … on the recent explosion of smartphones … the vast majority of new devices coming onto the Internet aren’t phones at all: they are devices like television sets, industrial machines, medical devices and automobiles – devices representing every conceivable industry. And the one thing that all these manufacturers have in common is that, unlike the computing industry, they don’t have deep experience in security technology.”

McAfee’s 12 Scams of Christmas

Before logging on from a PC, Mac, or mobile device for the last-minute holiday online shopping madness, consumers should look out for the 12 Scams of Christmas by McAfee:

1. Mobile Malware – A National Retail Federation (NRF) survey found that 52.6% of U.S. consumers who own a smartphone will be using their device for holiday shopping. Malware targeted at mobile devices is on the rise, and Google’s (GOOG) Android smartphones are most at risk. McAfee cites a 76% increase in Android malware in the second quarter of 2011, making it the most targeted smartphone platform.

New malware has recently been found that targets QR codes, a digital barcode that consumers might scan with their smartphone to find good deals or just to learn about products they want to buy.

2. Malicious Mobile Applications – These are mobile apps designed to steal information from smartphones, or send out expensive text messages without a user’s consent. Dangerous apps are usually offered for free, and masquerade as fun applications, such as games. Last year, 4.6 million Android smartphone users downloaded a wallpaper app that collected and transmitted user data to a site in China.

3. Phony Facebook Promotions and Contests – Who doesn’t want free stuff? Unfortunately, cyberscammers know that “free” things are attractive lures, and they have sprinkled Facebook with phony promotions and contests aimed at gathering personal information. A recent scam advertised two free airline tickets, but required participants to fill out multiple surveys requesting personal information.

4. Scareware, or Fake Antivirus Software – Scareware is fake antivirus software that tricks someone into believing that their computer is at risk or already infected, so they agree to download and pay for phony software. This is one of the most common and dangerous Internet threats today, claiming one million victims each day. In 2010, McAfee reported that scareware represented 23% of all dangerous Internet links, and it has been resurgent in recent months.

5. Holiday Screensavers – Bringing holiday cheer to your home or work PC sounds like a fun idea to get into the holiday spirit, but be careful. A recent search turned up a Santa screensaver that promises to let you “fly with Santa in 3D” but is malicious. Holiday-themed ringtones and e-cards have been known to be malicious too.

6. Mac Malware – Until recently, Mac users felt pretty insulated from online security threats, since most were targeted at PCs. But with the growing popularity of Apple (AAPL) products, cybercriminals have designed a new wave of malware directed squarely at Mac users. According to McAfee Labs, as of late 2010, there were 5,000 pieces of malware targeting Macs, and this number is increasing by 10 percent each month.

7. Holiday Phishing Scams – Phishing is the act of tricking consumers into revealing information or performing actions they wouldn’t normally do online, using phony email or social media posts. Cyberscammers know that most people are busy around the holidays, so they tailor their emails and social messages with holiday themes in the hope of tricking recipients into revealing personal information.

  • Phony notice from UPS (UPS) saying you have a package and need to complete an attached form which asks for personal or financial details to complete the delivery. The form sends those details straight into the hands of the cyberscammer.
  • Banking phishing scams continue to be popular, and the holiday season means consumers will be spending more money and checking bank balances more often. From July to September of this year, McAfee Labs identified approximately 2,700 phishing URLs per day.
  • Smishing – SMS phishing remains a concern. Scammers send their fake messages via a text alert to a phone, notifying an unsuspecting consumer that his bank account has been compromised. The cybercriminals then direct the consumer to call a phone number to get it re-activated, and collect the user’s personal information including Social Security number, address, and account details.

8. Online Coupon Scams – An estimated 63 percent of shoppers search for online coupons when they purchase something on the Internet, and October 2011 NRF data shows that 17.3 percent of smartphone users and 21.5 percent of tablet consumers are using their mobile devices to redeem those coupons. But watch out, because the scammers know that by offering an irresistible online coupon, they can get people to hand over some of their personal information.

9. Mystery Shopper Scams – Mystery shoppers are people who are hired to shop in a store and report back on the customer service. Scammers are using this fun job to try to lure people into revealing personal and financial information. There have been reports of scammers sending text messages to victims, offering to pay them $50 an hour to be a mystery shopper, and instructing them to call a number if they are interested. Once the victim calls, they are asked for their personal information, including credit card and bank account numbers.

10. Hotel “Wrong Transaction” Malware Emails – Many people travel over the holidays, so it is no surprise that scammers have designed travel-related scams to get users to click on dangerous emails. In one example, a scammer sent out emails that appeared to be from a hotel, claiming that a “wrong transaction” had been discovered on the recipient’s credit card. It then asked them to fill out an attached refund form. Once opened, the attachment downloads malware onto their machine.

11. “It” Gift Scams – Every year there are hot holiday gifts that sell out early in the season. Not only do sellers mark up the price of the must-have toy, but scammers will also start advertising them on rogue websites and social networks, even if they don’t have them. So, consumers could wind up paying for an item and giving away credit card details only to receive nothing in return. Once the scammers have the personal financial details, there is little recourse.

12. “I’m away from home” Scammers – Posting information about a vacation on social networking sites could actually be dangerous. If someone is connected with people they don’t know on Facebook or other social networking sites, those people could see the post and decide that it may be a good time to rob them. Furthermore, a quick online search can easily turn up their home address.

How to Protect Yourself

  • Only download mobile apps from official app stores, such as iTunes and the Android Market, and read user reviews before downloading them.
  • Be extra vigilant when reviewing and responding to emails.
  • Watch out for too-good-to-be-true offers on social networks. Never agree to reveal your personal information just to participate in a promotion.
  • Don’t accept requests on social networks from people you don’t know in real life. Wait to post pictures and comments about your vacation until you’ve already returned home.

Mobile Threats Top Holiday Scam List (pcworld.com)
Five Tips to Avoid Malware in Mobile Apps (pcworld.com)

Blackhole Crimeware

Dark Reading reports that attackers are increasingly using the Blackhole exploit kit in phishing campaigns. The latest phishing scam, which poses as an email notification from an HP (HPQ) OfficeJet printer, has been sent at around 36,000 messages per minute, resulting in nearly 8 million emails thus far, and uses 2,000 domains to serve up the malware.

Researchers at AppRiver told Dark Reading the trend demonstrates how Blackhole is following the pattern of the popular crimeware kits Zeus and SpyEye. Blackhole traditionally has been used to infect legitimate websites for drive-by infection purposes. “This attack is unique because Blackhole added an email vector to its format and is flooding the Internet with similar methods used by Zeus, SpyEye, and others, essentially moving it into prime time,” says Fred Touchette, senior security analyst for AppRiver.

Blackhole, which previously had been marketed as a high-end crimeware tool costing $1,500 for a one-year license, was released for free in some underground forums in May. That has propelled more use of the toolkit, according to the AppRiver blog.

Mr. Touchette said that attackers using Blackhole have changed tactics: “This is the first that I have personally noticed that leads email recipients to Blackhole websites. Before that, people using the Blackhole Kit relied on techniques such as SEO poisoning to lead victims to their sites,” he says.

The OfficeJet email campaign, like other Blackhole attacks, is trolling for victims’ online banking credentials, according to Dark Reading. It works a lot like Zeus and others, using browser vulnerabilities on victims’ machines and creating a backdoor for downloading and installing the Trojans. AppRiver’s Touchette says Blackhole appears to favor Sun Oracle (ORCL) Java (I wrote about Java holes here) and Adobe (ADBE) bugs (I wrote about Adobe bugs here).

“This most recent campaign is still trickling in, but will soon stall as most of its domains have been picked up and blacklisted by security professionals … we were seeing malicious emails related to this campaign coming in at a rate of around 36,000 per minute,” Mr. Touchette says.

Recent botnet takedowns have spurred an increase in malware attacks as botnet operators try to rebuild, AppRiver’s Touchette told Dark Reading.

rb-

Yep – We are still seeing these trickle in and still have users reporting they can’t access their OfficeJet.
