Showing posts with label Cyberattacks. Show all posts

Wednesday, October 31, 2012

Malware infects 13 percent of North American home networks



Some 13 percent of home networks in North America are infected with malware, half of them with "serious" threats, according to a report released Wednesday by a cyber-security company.
However, that number is a one-percent decrease from the quarter that ended in June, according to Kindsight Security Labs, of Mountain View, California, in its third-quarter malware report [PDF].
Based on information gathered from service providers, Kindsight reported that 6.5 percent of the home network infections were high-level threats that could turn a home computer into a spam-spewing zombie on a botnet or compromise a computer owner's bank account.

ZeroAccess botnet

Some 2.2 million home networks worldwide are infected with malware controlled by the ZeroAccess botnet, the report estimated. In North America, one in every 125 home networks is infected with malicious software.
Map of the ZeroAccess botnet as it spreads across North America

"The ZeroAccess.net has grown significantly to become the most active botnet we've measured this year," Kevin McNamee, Kindsight security architect and director, said in a statement.
"Cyber criminals are primarily using it to take over victim computers and conduct click fraud," McNamee continued. "With ZeroAccess, they can mimic the human behavior of clicking online ads, resulting in millions of dollars of fraud."
Kindsight estimates that online advertisers lose $900,000 a day in fraud perpetrated by ZeroAccess.

Big money for evil-doers

Spam, ad-click malware, banking Trojans, theft of identity information, and fake security software are big money makers for cybercriminals, the report noted.
The cyber-security vendor also reported that it saw a 165% increase in the number of Android malware samples during the period. Nevertheless, despite the growth in spyware apps and malware, there have been no major malware outbreaks, the report said.
"Aggressive Adware," some of it bordering on spyware, continues to be a problem in the Android market, according to Kindsight. It estimates that three percent of all mobile devices host some form of that software.
While security software aimed at removing aggressive adware from mobile devices has been introduced into the market, the report explained, it remains to be seen how effective it will be in mitigating the problem.
Similar efforts were made in the past to address spyware problems in the Windows world, but the Android environment is a horse of a different color. "One key difference between these ad-funded Android apps and the traditional Windows variety is that the Android variety is being distributed from the Google Play App Store, which lends them considerable legitimacy," the report said.
Source: pcworld.com

Thursday, October 25, 2012

Report: Open DNS resolvers increasingly abused to amplify DDoS attacks


Open and misconfigured DNS (Domain Name System) resolvers are increasingly used to amplify distributed denial-of-service (DDoS) attacks, according to a report released Wednesday by HostExploit, an organization that tracks Internet hosts involved in cybercriminal activities.
In the latest edition of its World Hosts Report, which covers the third quarter of 2012, the organization included data about open DNS resolvers and the Autonomous Systems—large blocks of Internet Protocol (IP) addresses controlled by network operators—where they are located.
That’s because, according to HostExploit, incorrectly configured open DNS resolvers—servers that can be used by anyone to resolve domain names to IP addresses—are increasingly abused to launch powerful DDoS attacks.
DNS amplification attacks date back more than 10 years and are based on the fact that small DNS queries can result in significantly larger DNS responses.
An attacker can send rogue DNS requests to a large number of open DNS resolvers and use spoofing to make it appear as if those requests originated from the target’s IP address. As a result, the resolvers will send their large responses back to the victim’s IP address instead of the sender’s address.
In addition to having an amplification effect, this technique makes it very hard for the victim to determine the original source of the attack and also makes it impossible for name servers higher up on the DNS chain that are queried by the abused open DNS resolvers to see the IP address of the victim.
“The fact that so many of these unmanaged open recursors exist allow the attackers to obfuscate the destination IPs of the actual DDoS targets from the operators of the authoritative servers whose large records they’re abusing,” said Roland Dobbins, solutions architect in the Security & Engineering Response Team at DDoS protection vendor Arbor Networks, Thursday via email.
“It’s also important to note that the deployment of DNSSEC has made DNS reflection/amplification attacks quite a bit easier, as the smallest response the attacker will stimulate for any query he chooses is at least 1300 bytes,” Dobbins said.
Even though this attack method has been known for years, “DDoS amplification is used far more frequently now and to devastating effect,” Bryn Thompson of HostExploit wrote Wednesday in a blog post.
“We have seen this recently and we see it increasing,” Neal Quinn, the chief operating officer of DDoS mitigation vendor Prolexic, said Thursday via email.
“This technique allows relatively small botnets to create large floods toward their target,” Quinn said. “The problem is serious because it creates large volumes of traffic, which can be difficult to manage for many networks without use of a cloud mitigation provider.”
Dobbins couldn’t immediately share any data about the recent frequency of DNS-based DDoS amplification attacks, but noted that SNMP (Simple Network Management Protocol) and NTP (Network Time Protocol) reflection/amplification attacks “can also generate very large, overwhelming attack sizes.”
In its report, HostExploit ranked the Autonomous Systems with the largest number of open DNS resolvers in their IP address spaces. The top one, controlled by Terra Networks Chile, contains more than 3,200 open resolvers in a pool of around 1.3 million IPs. The second one, controlled by Telecomunicacoes de Santa Catarina (TELESC)—now part of Oi, Brazil’s largest telecom operator—contains nearly 3,000 resolvers in a space of 6.3 million IP addresses.
“It should be stressed open recursive nameservers are not a problem in themselves; it is the mis-configuration of a nameserver where the potential problem lays,” HostExploit said in its report.
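The amplification pattern described in this post, as an added example that is not part of the original article: a small detector over constructed resolver query logs (documentation IP ranges, invented zone names) that flags a client address receiving many amplified answers, which on an open resolver is more likely a spoofed victim than a real client.

```python
"""Flag clients of a recursive resolver whose traffic looks like reflection/
amplification: many small queries (often ANY, or for DNSSEC-signed records)
whose large answers all go back to one source address."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class DnsRecord:
    client: str          # source IP as the resolver saw it (spoofed to the victim in an attack)
    qname: str
    qtype: str
    query_bytes: int     # size of the request on the wire
    response_bytes: int  # size of the answer the resolver sent back


# Constructed sample log, not real traffic; documentation address ranges only.
# Columns: client qname qtype query_bytes response_bytes
SAMPLE_LOG = """
192.0.2.10 big-zone.example ANY 64 3000
192.0.2.10 big-zone.example ANY 64 3000
192.0.2.10 big-zone.example ANY 64 3000
192.0.2.10 big-zone.example ANY 64 3000
192.0.2.10 big-zone.example ANY 64 3000
192.0.2.10 big-zone.example ANY 64 3000
192.0.2.10 big-zone.example ANY 64 3000
192.0.2.10 big-zone.example ANY 64 3000
198.51.100.7 www.example.com A 50 120
198.51.100.7 mail.example.com A 50 120
198.51.100.7 example.com A 50 120
203.0.113.44 example.org TXT 60 1400
"""


def parse_log(text):
    """Parse whitespace-separated log lines into DnsRecord objects."""
    records = []
    for line in text.strip().splitlines():
        client, qname, qtype, qbytes, rbytes = line.split()
        records.append(DnsRecord(client, qname, qtype.upper(), int(qbytes), int(rbytes)))
    return records


def summarize(records):
    """Per client: query count, bytes in and out, amplification ratio, ANY count."""
    acc = defaultdict(lambda: {"queries": 0, "query_bytes": 0,
                               "response_bytes": 0, "any_queries": 0})
    for r in records:
        s = acc[r.client]
        s["queries"] += 1
        s["query_bytes"] += r.query_bytes
        s["response_bytes"] += r.response_bytes
        if r.qtype == "ANY":
            s["any_queries"] += 1
    for s in acc.values():
        s["ratio"] = s["response_bytes"] / s["query_bytes"]
    return dict(acc)


def flag_amplification_targets(records, min_ratio=10.0, min_queries=5):
    """Return clients whose answers are amplified well beyond ordinary lookups.
    One large (e.g. DNSSEC-signed) answer is normal; it is the volume of
    amplified answers toward a single address that marks a likely spoofed victim."""
    return sorted(client for client, s in summarize(records).items()
                  if s["queries"] >= min_queries and s["ratio"] >= min_ratio)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, s in summarize(recs).items():
        print(f"{client:15} queries={s['queries']:2} ratio={s['ratio']:5.1f} any={s['any_queries']}")
    print("likely reflection targets:", flag_amplification_targets(recs))
```

Rate-limiting responses per client, or restricting recursion to the operator's own address space, is the corresponding fix on the resolver side.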

Source: pcworld.com

Hide your secrets, Anonymous wants to launch a WikiLeaks competitor


Love 'em or hate 'em, it's hard to ignore Anonymous. The hacktivist collective is famously associated with, among other things, protests against the Church of Scientology, takedowns of government websites, cyber-attacks, and—from time to time—just rampant trolling.
Judging from this report from The Hacker News, however, it looks as though Anonymous's latest endeavor is quite serious. An unnamed individual, who identified himself as a representative of the collective, recently conducted an email interview with The Voice of Russia with regard to the TYLER project.
In the interview, Anonymous explained that TYLER will be "like WikiLeaks on steroids." Scheduled to exit beta testing on November 5th and to go live on December 21, TYLER was apparently designed to "expose corruption malfeasance and counter Internet censorship."
Sounds just like WikiLeaks, doesn't it? That's because it's supposed to be. If you're wondering why Anonymous came up with TYLER, the reason is simple: They're no longer playing on Julian Assange's team. "[W]hat we will do is cease from this day all support of any kind for WikiLeaks or Julian Assange. No longer will Anonymous risk prison to defend WikiLeaks or Julian Assange from their enemies. No longer will Anonymous risk prison to supply material for WikiLeaks disclosures. Anonymous turns it's back on WikiLeaks," Anonymous declared in a statement.
Whatever the case may be, one thing is clear: Now's a great time to make sure you're not on Anonymous's naughty list.
Source: techhive.com

Wednesday, October 24, 2012

Email scams stage comeback


Security vendors Sophos and Kaspersky Lab both have in recent days warned of scam emails using the names of well-established companies to try to lure victims to malware sites. The scheme is obvious, or ought to be—the bad guys figure that if they use a trusted name, victims will trust the link.
The scams have been present virtually since email began, but security experts say they are increasing at an accelerating pace.
Graham Cluley, senior technology consultant at Sophos, reported early last week on a "widespread malware campaign that has been spammed out, disguised as a communication from DHL Express." He said it claims to be a tracking notification.
A few days later, Cluley reported on emails claiming to be from companies like British Airways, LinkedIn, YouTube, Google, and Amazon. "The truth is that the headers are forged, and the emails have been specially crafted to look like legitimate communications from online firms," he wrote.
"Clicking on the links could send your computer to Canadian pharmacy-like spam sites offering to sell you Viagra, or even webpages hosting malicious payloads," he wrote.
On Kaspersky Lab's Threatpost blog, Brian Donohue wrote: "Criminal hackers launched an attack campaign earlier this week in which they sent a slew of emails purporting to come from the financial software developer Intuit. The emails contained links that led to sites hosting the Blackhole exploit kit in an apparent attempt to infect the machines of corporate users."
There are multiple other examples, purporting to come from American Express, Microsoft and others.

Email malware the focus?

There are mixed opinions about whether this means that malware attacks are now more focused on email than web searches. Chester Wisniewski, a senior security adviser with Sophos, said web infections still impact more users than any other method.
"There has been an increase in malicious email, but it hasn't approached the amount of infections sourced from the web," he said. "It really is just a change in how email infections work. They used to be attached EXEs and SCRs that were simple Trojans. Most organizations are smart enough to block executables from entering through their email gateways, so criminals have moved on to HTML, PDF and RTF files."
But Bogdan Botezatu, senior e-threat analyst at Bitdefender, said web search malware "has now lost ground in terms of email spam bundled with malicious attachments or malicious links."
Botezatu said a Bitdefender study earlier this year found that of 264.6 billion spam messages sent daily, 1.14% carry attachments. "That means that, every day, about 300 million spam messages carry a malicious payload. We expect this trend to increase by 2% to 6% from one year to another," he said.
Cluley said it is difficult to compare the two types of attacks strictly in numerical terms. "Many attacks these days will incorporate aspects of both. An email may contain a link to a malicious website, or an email with a dangerous attachment may then download further code from the web," he said.
"I think we can safely say that neither web nor email threats are going away," Cluley said.

Advice

The best way to avoid all this trouble is to adopt some version of President Ronald Reagan's motto: Trust, but verify. In his blog post, Cluley advises users to always be careful about clicking on links in unsolicited emails. "Hover over links with your mouse to tell where it's really going to before clicking, and keep your antivirus and anti-spam protection updated," he said.
Stephen Cobb, a security evangelist at ESET, said to "'Be intelligent,' together with 'Be informed' and probably 'Be suspicious.'"
"I would also say that running good antivirus at all times adds a strong line of defense in addition to anything your browser, browser add-on, or email service is doing to keep you safe," Cobb said.
Another way to spot scams is to recall the grammar you learned in elementary school. Scams are frequently littered with grammatical mistakes.
One scam email circulating Monday, purporting to be a sweepstakes award from Microsoft, declared in a sentence fragment: "Where your email address (XXXX) emerged as one of the online Winning (sic) emails in the 2nd category and therefore attracted a cash award of 350,000.00 Euros (Three Hundred and Fifty Thousand Euros Only) and a (sic) HP laptop."
Cobb and others say some email providers are better than others at screening out scams. "Gmail is pretty good, largely because it can leverage Google's vast amount of traffic to spot malicious activity," Cobb said.
"But, of course, pretty good is not always good enough," he said. "I run Gmail in parallel with an unfiltered email app on some accounts and clearly Gmail learns about new malicious email campaigns pretty quickly, but I sometimes see infected documents and malicious links coming through Gmail, and these are usually first-of-a-kind attacks."
Bogdan Botezatu said while Gmail and Yahoo Mail block potentially malicious attachments, "it would be unreasonable to assume that any e-mail service could block these attachments with 100% accuracy."
J. Wolfgang Goerlich, an information security manager for a Michigan-based financial services firm, agrees that technology is part of the solution. "Organizations need to utilize and update spam filters to reduce the likelihood of scam emails getting to the end user," he said.
But he said given that signature controls always lag behind the scammers, "people become the last line of defense. It is important for an organization help its employees develop the equivalent of email street smarts," he said.
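The "hover over links" advice above, as an added example that is not part of the original article: a checker for an HTML email body that flags anchors whose visible text names one domain while the href goes elsewhere, or whose target is a bare IP address. The sample message is constructed and its domains are placeholders.

```python
"""Find the link tricks in an HTML email that a user would only notice by
hovering: visible text that names one domain while the href points at another,
bare-IP targets, and odd URL schemes."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a hostname inside the visible link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def base_domain(host):
    """Crude registrable-domain approximation: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return one finding per suspect anchor: {'href', 'text', 'reasons'}."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if parsed.scheme and parsed.scheme not in ("http", "https", "mailto"):
            reasons.append(f"unusual scheme {parsed.scheme!r}")
        if host and is_ip_literal(host):
            reasons.append("link target is a bare IP address")
        shown = DOMAIN_RE.search(text)
        if shown and host and base_domain(shown.group(1)) != base_domain(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample imitating the parcel-tracking lure described above (placeholder domains).
SAMPLE_EMAIL = """
<html><body>
<p>Your shipment could not be delivered.</p>
<p>Track it here: <a href="http://tracking.example/notice">http://www.example-courier.com/tracking</a></p>
<p><a href="http://203.0.113.5/login">Confirm your account</a> to release the parcel.</p>
<p><a href="https://www.example.com/help">Help Center</a> |
   <a href="https://www.example.com/unsubscribe">www.example.com</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```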
Source: pcworld.com

Friday, October 12, 2012

Future cyber attacks could rival 9-11, cripple US, warns Panetta

The Secretary of Defense laid out why the military should be involved in defending critical infrastructure


The U.S. is facing a dramatically increasing threat from cyber attacks and a future attack on the country's critical infrastructure could have an effect similar to the Sept. 11 terrorist attacks of 2001, the U.S. Secretary of Defense said Thursday evening.
Speaking at a meeting of the Business Executives for National Security (BENS) in New York, Leon Panetta called the Internet "the battlefield of the future" and spelled out what he believes the Department of Defense's role should be in cyberspace.
The military's role in securing the domestic Internet and working against attacks on commercial institutions has been controversial, although Panetta sought to get the assembled business leaders on his side by warning them of the danger a large-scale attack could have on their companies.
"A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack on 9/11," he said in the televised speech. "Such a destructive cyber terrorist attack could virtually paralyze the nation." (See video of Panetta warning against future cyber attacks.)
Panetta acknowledged recent distributed denial of service (DDOS) attacks on U.S. financial institutions that disrupted their websites and expressed concern with the speed at which they hit, but said he was even more alarmed by a recent attack by malware dubbed "Shamoon" that hit oil company Saudi Aramco.
"Shamoon included a routine called a 'wiper,' coded to self-execute," Panetta said. "This routine replaced crucial system files with an image of a burning U.S. flag. It also put additional 'garbage' data that overwrote all the real data on the machine. More than 30,000 computers it infected were rendered useless, and had to be replaced. It virtually destroyed 30,000 computers."
"All told, the Shamoon virus was probably the most destructive attack the private sector has seen to date," he said. "Imagine the impact an attack like that would have on your company."
Panetta told his audience the Department of Defense knows of specific instances where attackers have gained access to critical infrastructure systems and said such attacks could do great harm.
"An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches," he said. "They could for example derail passenger trains, or even more dangerous trains loaded with lethal chemicals," he said. "They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country. The most destructive scenarios involve cyber actors launching several attacks on our critical infrastructure at one time in combination with a physical attack on our country."
Such a scenario, said Panetta, would "paralyze and shock the nation" and be equivalent to a "cyber Pearl Harbor." (See video of Panetta setting out the scenario.)
The Department of Defense has an interest in stirring up fear of online attacks -- it wants to remain involved in cyber defense.
Over the last few years, the U.S. has developed the world's most sophisticated system to detect and prevent cyber attacks, Panetta said. He then set out why he believes the Department should be involved in national cyber security.
Panetta first addressed one of the biggest issues surrounding increased military involvement with the Internet: the possibility that the Department of Defense would monitor personal e-mail and communications between U.S. citizens.
"That it not our goal, that is not our job, that is not our mission," he said. "Our mission is to defend the nation. We defend. We defer. And if called upon, we take decisive action to protect our citizens. In the past we have done so through operations on land and at sea, in the sky and in space. In this century, the United States military must help defend the nation in cyberspace as well." (See video of Panetta pledging not to monitor the communications of U.S. citizens.)
To do this, Panetta said the Department of Defense is investing more than US$3 billion per year in developing new capabilities to fight cyber attacks and said the U.S. has the capability to go on the offensive when required.
"If we detect an incoming attack that will cause significant physical destruction in the United States, or kill American citizens, we need to have the option to take action against those who would attack us, to defend this nation when directed by the president" Panetta said. "For these kinds of scenarios, the department has developed the capability to conduct effective operations to counter threats to our national interests in cyberspace."
"Let me be clear, that we will only do so to defend our nation, to defend our interests, to defend our allies. And we will only do so in a manner that is consistent with the policy principles and legal frameworks that the department follows for other domains, including the law of armed conflict," he said. (See video of Panetta's remarks on when the military would step in to defend the national Internet.)
As a result of the increased focus on cyber security by several government agencies, Panetta said the Department of Defense is in the final stages of revising its rules of engagement in cyberspace. The change is the largest in seven years and will spell out the duty of the military to defend its networks and also the nation should the U.S. come under major cyber attack.

Panetta closed with a call to his audience to share the responsibility to protect cyberspace.
"Ultimately, no one has a greater interest in cyber security than the business that depend on a safe, secure, and resilient global digital infrastructure," he said. "To defend those networks more effectively, we must share information between the government and private sector."
"We've made real progress in sharing information with the private sector, but very frankly, we need Congress to act to ensure that this sharing is timely and comprehensive. Companies should be able to share specific threat information with the government without the prospect of lawsuits hanging over their head. And a key principle must be to protect the fundamental liberties and privacy in cyberspace that we are all duty bound to uphold."

Source: itworld.com

Monday, January 10, 2011

Hacker to use cloud for brute force WiFi crack

WPA-PSK not powerful enough in a cloud world.

A security researcher claims to have figured out a quick and inexpensive way to break a commonly used form of password protection for wireless networks using powerful computers that anybody can lease from Amazon.com over the Web.

Thomas Roth, a computer security consultant based in Cologne, Germany, says he can hack into protected networks using specialised software that he has written that runs on Amazon's cloud-based computers. It tests 400,000 potential passwords per second using Amazon's high-speed computers.
That leaves businesses as well as home networks prone to attack if they use relatively simple passwords to secure their networks.

Amazon leases time on computers to developers and companies that don't have the money to buy their own equipment, or don't use it frequently enough to justify doing so. Customers include individual programmers and corporate users.

A spokesman for Amazon said that Roth's research would only violate his company's policies if he were to use Amazon Web Services (AWS) and its Elastic Compute Cloud (EC2) computing service to break into a network without permission of its owner.

"Nothing in this researcher's work is predicated on the use of Amazon EC2. As researchers often do, he used EC2 as a tool to show how the security of some network configurations can be improved," said Amazon spokesman Drew Herdener.

"Testing is an excellent use of AWS, however, it is a violation of our acceptable use policy to use our services to compromise the security of a network without authorisation."

Roth will distribute his software to the public and teach people how to use it later this month at the Black Hat hacking conference in Washington, D.C.

He said he is publicising his research in a bid to convince skeptical network administrators that a commonly used method for scrambling data that travels across WiFi networks is not strong enough to keep crafty intruders from breaking in.

That encryption method, dubbed WPA-PSK, scrambles data using a single password. If a potential intruder is able to figure out the password, he or she can gain access to computers and other devices on the network.

Roth said that the networks can be broken into if hackers use enough computer power to "brute force" their way into figuring out the passwords that protect networks.

Those passwords were difficult for the average hacker to break until Amazon.com recently started leasing time on powerful computers at relatively inexpensive rates: It takes the processing capability of multiple computers to perform mathematical calculations needed to break the passwords.

The online retailer charges users 28 cents a minute to use machines that Roth used in his attack. It would cost at least tens of thousands of dollars to purchase and maintain that equipment.

Roth said that he used his software and Amazon's cloud-based computers to break into a WPA-PSK protected network in his neighborhood. It took about 20 minutes of processing time. He has since updated his software to speed its performance and believes he could hack into the same network in about 6 minutes.

"Once you are in, you can do everything you can do if you are connected to the network," he said.

Roth said he was not publicising his discovery to encourage crime, but to change a misconception among network administrators:

"People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a ton of money to do so," he said. "But it is easy to brute force them."

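A worked cost estimate for the figures quoted above (400,000 guesses per second, 28 cents a minute), as an added example that is neither from the article nor from Roth's tool: the worst-case time and rental cost to exhaust a passphrase policy, which is the number an administrator needs when choosing a WPA-PSK passphrase length. The charset names are ours; the 8-to-63-character limit is the WPA standard's, not the article's.

```python
"""Worst-case brute-force time and rental cost for a WPA-PSK passphrase at the
rates quoted in the article, for a few passphrase policies."""

GUESSES_PER_SECOND = 400_000   # rate quoted for the cloud setup
CENTS_PER_MINUTE = 28          # rental rate quoted for the same machines

# Character classes a passphrase policy might allow (names are ours)
CHARSETS = {"digits": 10, "lowercase": 26, "alnum": 62, "printable": 95}


def keyspace(length, charset_size):
    """Number of candidate passphrases of exactly this length and character class."""
    # The WPA standard allows passphrases of 8 to 63 ASCII characters.
    if not 8 <= length <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 characters")
    return charset_size ** length


def brute_force_estimate(length, charset, rate=GUESSES_PER_SECOND,
                         cents_per_minute=CENTS_PER_MINUTE):
    """Return (keyspace, seconds, dollars) to try every candidate.
    On average the passphrase falls after half the space, so halve these
    for the expected case; a dictionary word falls far sooner than either."""
    space = keyspace(length, CHARSETS[charset])
    seconds = space / rate
    dollars = seconds / 60 * cents_per_minute / 100
    return space, seconds, dollars


def human_duration(seconds):
    """Express a duration in the largest convenient unit."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.0f} seconds"


def policy_table(policies):
    """Estimate each (length, charset) policy; returns rows of (policy, duration, dollars)."""
    rows = []
    for length, charset in policies:
        _, seconds, dollars = brute_force_estimate(length, charset)
        rows.append((f"{length} {charset}", human_duration(seconds), round(dollars, 2)))
    return rows


if __name__ == "__main__":
    policies = [(8, "digits"), (8, "lowercase"), (10, "alnum"), (12, "alnum"), (16, "printable")]
    for policy, duration, dollars in policy_table(policies):
        print(f"{policy:14} {duration:>22}  ${dollars:,.2f}")
```

An eight-digit passphrase falls in minutes for about a dollar at these rates; twelve mixed-case alphanumerics push the worst case past any rental budget.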
Friday, April 23, 2010

1.5 million stolen Facebook IDs up for sale

A hacker named Kirllos is offering to sell the accounts in an underground forum for 2.5 cents per account
A hacker named Kirllos has a rare deal for anyone who wants to spam, steal or scam on Facebook: an unprecedented number of user accounts offered at rock-bottom prices.
Researchers at VeriSign's iDefense group recently spotted Kirllos selling Facebook user names and passwords in an underground hacker forum, but what really caught their attention was the volume of credentials he had for sale: 1.5 million accounts.

iDefense doesn't know if Kirllos' accounts are legitimate, and Facebook didn't respond to messages Thursday seeking comment. If they are legitimate, he has the account information of about one in every 300 Facebook users. His asking price varies from $25 to $45 per 1,000 accounts, depending on the number of contacts each user has.
To date, Kirllos seems to have sold close to 700,000 accounts, according to VeriSign Director of Cyber Intelligence Rick Howard.

Hackers have been selling stolen social-networking credentials for a while -- VeriSign has seen a brisk trade in names and passwords for Russia's VKontakte, for example. But now the trend is to go after global targets such as Facebook, Howard said.

Facebook has more than 400 million users worldwide, many of whom fall victim to scams each day. In one such scam, criminals send out messages from a compromised account, telling friends that the account's owner is trapped in a foreign country and needs money to get home.

In another, they send Web links that lead to malicious software, telling friends that it's a hilarious or sensationalistic video.

"People will follow it because they believe it was a friend that told them to go to this link," said Randy Abrams, director of technical education with security vendor Eset. Once the malware gets installed, criminals can steal more passwords, break into bank accounts, or simply use the computers to send spam or launch distributed denial of service attacks. "There's just a plethora of things that people can do if they can trick people into installing their software," he said.

Kirllos' Facebook prices are extremely cheap compared to what others are charging. In its most recent Internet Security Threat Report, Symantec found that e-mail usernames and passwords typically went for between $1 to $20 per account -- Kirllos wants as little as $0.025 per Facebook account. More coveted credit card or bank account details can go for much more, ranging between $0.85 to $30 for credit card numbers to $15 to $850 for top-quality online bank accounts.

Monday, April 12, 2010

Hacker restores "Other OS" to PS3; has Sony opened Pandora's box?

Last week on April 1st, Sony pushed out a (more or less mandatory) firmware update (version 3.21) that clobbered the "Install Other OS" feature from older PS3s (the feature had already been disabled from the newer PS3 Slim).

When Sony revealed that a firmware update would remove this feature, hacker George "Geohot" Hotz announced that he'd see what he could do about helping people retain this functionality while still being able to use their PS3 on the Playstation Network. His plan was to build a custom version of firmware 3.21 that had all of Sony's content (such as it is; the update didn't seem to do anything but remove the feature) while retaining Other OS.

Yesterday he released video purported to show an early version of his custom firmware in operation (video embedded below). Hotz's blog post offers a few more details, but the one caveat is that your PS3 has to have firmware version 3.15 or earlier in order for this to work. If you've already upgraded to 3.21, you'll be out of luck when Hotz releases his custom version.

What's interesting to me about this story is that Hotz (who, prior to taking on the challenge of the PS3, was big in the iPhone hacking scene) was the first to hack the PS3 back in January. Some suspect that this was the incentive for Sony to go all paranoid and yank the "Install other OS" feature in the first place, so there's some poetic justice in Hotz putting that feature back in.

Now I don't know George Hotz and I'd never heard the name "Geohot" before that news in January, and only recently have I started reading his blogs. From reading him, it sounds like he initially hacked the PS3 just for the challenge of doing so and because he's legitimately interested in seeing how things work. He states more than once that he doesn't condone piracy and for now, let's take that at face value. On the other side of the coin, I can understand how Sony can be so skittish about having their hardware hacked, considering how much rampant piracy (accomplished via custom firmware) impacted the Sony PSP. But I think Hotz makes a really good point in the closing paragraph of his most recent blog post:

"Note to the people who removed OtherOS, you are potentially turning 100000+ legit users into "hackers." There was a huge(20x) traffic spike to this blog after the announcement of 3.21. If I had ads on this site I guess I'd be thanking you."

How many PS3 owners were paying attention to the PS3 hacking scene before Sony yanked this feature on them? It didn't seem like there were that many, but now it's become big news. Is Sony trying to put out a fire with gasoline? Newer PS3s didn't have the "Install Other OS" option. Now Hotz says it's possible that his hack will enable it on those new systems too. If that turns out to be true, Sony has done themselves more harm than good. Accepting that Hotz has no interest in piracy, that certainly isn't true of everyone and it seems logical that his custom firmware will offer a good starting point for those with more nefarious reasons for hacking their PS3. By removing the Install Other OS feature, all Sony has managed to do is garner ill-will and encourage the PS3 hacking scene that it was trying so hard to quash.


Saturday, February 27, 2010

More than 100 companies targeted by Google hackers

Two months after hack, security firm says another 68 command-and-control servers have been identified

IDG News Service — The hackers who broke into Google two months ago have gone after more than 100 companies, according to an estimate by security vendor Isec Partners.

Researchers have been closing in on the unidentified criminals responsible for the attack over the past month. In the process, they have uncovered another 68 so-called command-and-control servers, used to control the hacked machines.

Investigators had already identified 34 hacked companies after examining the single command-and-control server used in the Google attack, and the discovery of another 68 servers could mean that many more companies were compromised than previously thought. "It's easily over 100 companies," said Alex Stamos, a partner with Isec Partners.

In the weeks since Google went public with details of the hack, informal discussion lists have sprung up, including security experts and staffers from companies that have been compromised. In those discussions, "that list of control machines keeps getting longer and longer," Stamos said.

The code used in the attacks, known in security circles as Aurora, has been in use for at least 18 months, Stamos said. But the security industry was unaware of Aurora until Google discovered the intrusion last December. That allowed hackers to get onto corporate networks undetected.

Other technology companies, including Intel, Adobe, and Symantec, have also been hit by the attack, which investigators have traced back to China.

To break into victim companies, the hackers sent carefully targeted e-mail or instant messages to victims, hoping to trick them into visiting Web pages or opening malicious documents that would then attack their computers.

The worst part of the attack is what happens once the initial victim has been compromised. The hackers then use a variety of techniques to acquire additional usernames and passwords and fan out across the targeted company's network, downloading sensitive data, which is then moved offshore.

This type of targeted attack is not new, but it is dangerous because it is so good at circumventing traditional security measures, said Rob Lee, a computer forensics instructor with the SANS Institute. "We've been dealing with [these attacks] for five years," he said. "They're basically going around all the security appliances via email."

Not all of these attacks have been linked to Aurora, but Lee said that "there have been hundreds of companies infiltrated."

Stamos agreed that traditional security products such as antivirus and intrusion detection systems are not enough to stop the attack. "The interesting thing to me about these attackers is they're very patient," he said. "They'll spend a lot of time writing custom malware to get around people's antivirus."

"They'll use a social network to learn about one person in the company, and then will send emails or chats messages as that person's friend," he added.

Saturday, January 9, 2010

Watchdog issues spam warning to real estate agent

Targets real estate sector.
The communications watchdog has issued a "formal warning" to Elders Real Estate Wollongong following an investigation that found the agency breached the Spam Act.

The Australian Communications and Media Authority said the real estate agent breached the Act by sending commercial electronic messages without an unsubscribe facility.

ACMA said it contacted "more than forty" head offices of real estate franchisors and companies last year to inform them of "key obligations" and "consequences of non-compliance" with anti-spam laws.

"This is the first enforcement measure taken against a real estate agent since an ACMA awareness campaign about unsolicited communications targeted at the real estate sector," said Chris Cheah, acting chairman of the ACMA.

Penalties of up to $1.1 million per day may be imposed by the Federal Court for repeat offenders of the Spam Act, ACMA said.

Wednesday, February 18, 2009

Hackers attack IE7 flaw

Less than a week after the last round of Microsoft Internet Explorer patches, security experts are already warning that exploit code is in circulation.

The flaw, patched by Microsoft bulletin MS09-002, is being exploited using a specially crafted Word document that is emailed to users. Once opened, it installs malware on the target system, including a Trojan that allows the malware to update itself.

"Several anti-virus vendors reported MS09-002 exploits in the wild. We can confirm that the exploit for the CVE-2009-0075 vulnerability (Uninitialized Memory Corruption) in Internet Explorer 7 is definitely in the wild and working on an unpatched Windows XP machine," said Bojan Zdrnja of the Sans Internet Storm Center.

"Initially there was some confusion about this attack as most anti-virus vendors mentioned Word documents. The exploit targets Internet Explorer 7, but so far it has been delivered to the end user as a Word document.

"That being said there is absolutely nothing preventing attackers from using the exploit in a drive-by attack and we can, unfortunately, expect that this will happen very soon."

The first malware to exploit the flaw looks to have been reverse-engineered from Microsoft's patch rather than having existed before the patch was announced, experts said. The malware collects information from infected computers, encrypts it and sends it to a server in China.

The short turnaround time from patch to malware will leave IT administrators racing to update corporate servers in time, and they are advised to warn users about potential threats.

Tuesday, February 10, 2009

Hackers clone passports in drive-by RFID heist

A British hacker has shown how easy it is to clone US passport cards that use RFID by conducting a drive-by test on the streets of San Francisco.

Chris Paget, director of research and development at Seattle-based IOActive, used a US$250 Motorola RFID reader and an antenna mounted in a car’s side window and drove for 20 minutes around San Francisco, with a colleague videoing the demonstration.

During the demonstration he picked up the details of two US passport cards, which are fitted with RFID chips and can be used instead of traditional passports for travel to Canada, Mexico and the Caribbean.

“I personally believe that RFID is very unsuitable for tagging people,” he said.

“I don’t believe we should have any kind of identity document with RFID tags in them. My ultimate goal here would be, my dream for this research, would be to see the entire Western Hemisphere Travel Initiative be scrapped.”

Using the data gleaned, it would be relatively simple to make cloned passport cards, he said. Real passport cards also support a ‘kill code’ (which can wipe the card’s data) and a ‘lock code’ that prevents the tag’s data being changed.

However, he believes these are not currently being used, and even if they were, the radio interrogation is done in plain text, so it is relatively easy for a hacker to collect and analyse.

The ease with which the passport cards were picked up is even more worrying considering that less than a million have been issued to date.

Paget is a renowned ‘white hat’ ethical hacker and has made the study of the security failings of RFID something of a speciality.

In 2007 he was due to present a paper on the security failings of RFID at the Black Hat security conference in Washington but was forced to abandon the plans after an RFID company threatened him with legal action.

He points out that RFID tags are increasingly being used in physical security systems such as building access cards and the technology needs significant security adding before it could be considered safe for commercial use.

Copyright © 2009 vnunet.com

Monday, February 9, 2009

A New Internet Attack: Parking Tickets

Trojan-pushing parking tickets? Yes, really. The Internet Storm Center, which tracks Internet attacks and threats, documented a case in Grand Forks, North Dakota where someone put yellow fliers on cars that claimed to ticket a parking violation. The fliers named a Web site that purportedly had pictures of your supposed violation.


To see the pictures, according to additional commentary from McAfee Avert Labs, the site instructs you to download a toolbar named PictureSearchToolbar.exe. Do so, and you end up with a Trojan. That Trojan, called Vundo by Symantec and McAfee and Monder by Kaspersky (according to a ThreatExpert report linked by the ISC), displays false infection warning pop-ups that market a fake antivirus product called "Antivirus 360."

I knew that pushing rogue antivirus was becoming a more popular tactic for crooks, who get a cut of the purchase price via shady affiliate marketing deals, but I had no idea the potential profits could justify the time and expense of physically distributing fake parking tickets. Then again, maybe it doesn't: Many Internet crooks aren't exactly known for their excessive brain power.

The ISC post from Lenny Zeltser has more details on the discovery, including some digital sleuthing about the model of the camera used for the pictures on the Web site. And keep an eye out for an upcoming PC World story that delves into rogue antivirus, including how to tell a harmless browser-based social engineering attempt from one that can indicate a malware infection like the one described here.

Tuesday, January 27, 2009

Attachment spam – the latest trend

Spammers using common file formats as attachments for pump-and-dump scams

This white paper explains what makes spam such an unbearable problem and how spamming tactics are evolving daily to beat anti-spam software. In the space of two months, spammers have switched from image spam to using PDF, Excel and ZIP file attachments. By using these attachments to send images instead of embedding them in the body of the email message, spammers have taken the cat-and-mouse game with anti-spam software developers to a new level.

At one point or another – like the majority of computer users – you have received emails that promise business deals worth millions of pounds, that try to sell products to improve your appearance or that try to convince you that it’s worth investing your money in a particular company or stock. Dealing with spam (unsolicited email that is not targeted at specific individuals) is one problem that all email users share. Research shows that between 65% and 90% of all email received is considered spam.
On an individual user basis, spam is annoying; it is a waste of time and often carries spyware, malware and even pornography. On a company-wide basis, the same threats apply, but the financial cost of managing spam must also be taken into consideration.

The evolution of spam

Until recently, spam was the domain of text- or HTML-based emails. For anonymous delivery, these messages traditionally relied on abusing open SMTP relays. When open SMTP relays became less common, spammers switched to proxy servers, dial-up services and, more recently, hijacked computers. Spammers designed personalized template emails to deliver their messages and then made use of bulk mailing software for distribution.
To block spam, email service providers and companies often relied on keyword ‘detection’, drawing up a list of keywords that commonly appeared in spam email. This list would often include keywords such as ‘viagra’ or ‘bank’. However, this method often blocked genuine email, and adding more keywords simply produced more false positives, which in turn blocked more legitimate email. Spammers became smarter too, and they defeated keyword blocking by replacing keywords such as ‘viagra’ with look-alikes such as ‘v1agra’.
Another approach to blocking spam is the use of blacklists containing the IP addresses of known spammers or compromised hosts. However, these lists have to be constantly updated, because spammers have learnt to counteract them by rapidly changing the origin of their spam.

New trends: Dynamic Zombie botnets

Botnets can be defined as networks of compromised computers that can be controlled by a single master. The number of nodes (also known as zombies) in these botnets can run into millions; the bot malware exploits software vulnerabilities to gain full access to new hosts and adds them to the existing array of zombies. Computer hackers had long been using botnets to launch DoS (denial of service) attacks and to distribute network hacking attacks. Computer criminals had also been using botnets for money-making schemes, such as stealing credit card information and scamming pay-per-click advertising companies.
Seeing huge potential in botnets, spammers started financing hackers to make use of zombie machines. Hackers were able to offer services such as renting of botnets for a few minutes or hours and collections of email recipients (spam lists). The anti-virus industry noticed correlations between the spam industry and botnets. Not only were malware writers allowing spammers to make use of their creations, but they were writing malicious code to specifically suit their needs. An unholy alliance had been created.

Image spam

By early 2006, most anti-spam vendors had added Bayesian filtering to their arsenal of spam blocking methods. The fight between spam and anti-spam looked like it was taking a positive turn. However, by the end of 2006, the nature of spam had totally shifted. Whereas spam had been mainly text based, this time spam started looking more graphic in nature. Spammers began making use of images to bypass text-based content filtering, simply by no longer using any text content. By making use of image spam, spammers were attacking the defenses of most anti-spam solutions; while the images displayed text messages to the end-users, the anti-spam software was only able to see pixels.
Some email anti-spam solutions decided to go with OCR (Optical Character Recognition) to turn the images into text that the software could then filter. However, spammers took their images to the next level. In an approach usually applied to CAPTCHA (an anti-spam measure used on web forums), they started obfuscating images (adding noise and distortions) to make it even harder for a machine to recognize the text. Although it is possible for the machine to read this text, the process is very CPU intensive – especially when it is handling multitudes of images every few seconds. Read the full article: Attachment Spam – the latest trend
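The two filtering stages the white paper walks through above (keyword blocking beaten by ‘v1agra’-style obfuscation, then Bayesian filtering beaten by image-only spam) can be demonstrated in a few dozen lines. The following is an added example written for this post, not code from the white paper or from any anti-spam product; the leetspeak table, the blocked-keyword list and the tiny training corpus are all constructed for illustration.

```python
import math
import re
from collections import Counter

# Leetspeak map used to undo simple keyword obfuscation ('v1agra' -> 'viagra').
# The table is an assumption for this example; production filters use larger maps.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Toy keyword list standing in for the 'viagra'/'bank' lists the article describes.
BLOCKED_KEYWORDS = {"viagra", "pills", "stock"}


def tokenize(text, normalise=True):
    """Lower-case the text, optionally undo leetspeak, and return word tokens."""
    tokens = []
    for raw in re.findall(r"[a-z0-9@$]+", text.lower()):
        if not re.search(r"[a-z]", raw):
            continue                      # bare numbers carry no keyword signal
        tok = raw.translate(LEET) if normalise else raw
        if len(tok) >= 2 and re.fullmatch(r"[a-z0-9]+", tok):
            tokens.append(tok)
    return tokens


def keyword_blocked(text, normalise=True):
    """The keyword filter from the article: block if any banned word appears."""
    return any(tok in BLOCKED_KEYWORDS for tok in tokenize(text, normalise))


class NaiveBayesFilter:
    """Bernoulli naive Bayes over word presence, with add-one smoothing."""

    def __init__(self):
        self.docs = {"spam": 0, "ham": 0}
        self.word_docs = {"spam": Counter(), "ham": Counter()}

    def train(self, text, label):
        self.docs[label] += 1
        self.word_docs[label].update(set(tokenize(text)))

    def spam_probability(self, text):
        tokens = set(tokenize(text))
        if not tokens:
            return 0.5                    # no text at all: the filter sees only pixels
        log_odds = math.log(self.docs["spam"] / self.docs["ham"])
        for tok in tokens:
            p_spam = (self.word_docs["spam"][tok] + 1) / (self.docs["spam"] + 2)
            p_ham = (self.word_docs["ham"][tok] + 1) / (self.docs["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))


def build_filter():
    """Train on a tiny constructed corpus (not real mail)."""
    nb = NaiveBayesFilter()
    spam = [
        "buy cheap viagra pills now",
        "hot stock tip buy shares today",
        "cheap pills from our online pharmacy",
        "stock alert buy now before it moves",
    ]
    ham = [
        "meeting moved to tuesday morning",
        "please review the attached report",
        "lunch tomorrow at noon",
        "the quarterly report is attached",
    ]
    for text in spam:
        nb.train(text, "spam")
    for text in ham:
        nb.train(text, "ham")
    return nb


if __name__ == "__main__":
    nb = build_filter()
    obfuscated = "ch3ap v1agra p1lls"
    print("keyword filter, raw text:  ", keyword_blocked(obfuscated, normalise=False))
    print("keyword filter, normalised:", keyword_blocked(obfuscated))
    print("bayes, obfuscated text:    ", round(nb.spam_probability(obfuscated), 3))
    print("bayes, image-only body:    ", nb.spam_probability(""))
```

Run as a script, the raw keyword filter lets ‘v1agra p1lls’ through while the normalised one blocks it; the Bayesian filter scores the same obfuscated text as spam with high confidence once tokens are normalised, but an image-only body yields no tokens at all and lands on 0.5, which is exactly the gap image spam and attachment spam exploit: there is nothing for a text classifier to weigh.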

Friday, January 23, 2009

British UFO hacker's extradition case to be reviewed

IDG News Service

A British hacker who sought to find evidence of UFOs on U.S. military computers has another chance at avoiding extradition after a court ruling Friday.

The High Court in London ruled that Gary McKinnon can have his case reviewed by the director of public prosecutions for England and Wales, Keir Starmer, according to a statement released by McKinnon's attorney.

McKinnon is seeking to be prosecuted in the U.K. although his extradition order has been approved by the U.K. government. He has managed to avoid extradition so far through a series of legal maneuvers and appeals, all of which have been unsuccessful but held up his transfer to the U.S.



McKinnon was indicted in November 2002 in the U.S. District Court for the Eastern District of Virginia. He faces charges of illegally accessing and damaging U.S. government computers.

The U.S. government alleges his exploits cost at least US$700,000 and caused the shutdown of critical military networks shortly after the Sept. 11, 2001, terrorist attacks. McKinnon could face a sentence of 60 years or more.

Most recently, McKinnon has tried to garner support that, for medical reasons, if he is extradited and sentenced he should be allowed to serve a sentence in the U.K. Now McKinnon is pushing to only be prosecuted in the U.K. due to the stress he would endure from a U.S. trial.

He has been diagnosed with Asperger Syndrome, which is a neurological disorder characterized by obsessive behavior and deficiencies in social interaction.

McKinnon has admitted to hacking the computers and described how he did it in detail at computer security conferences in London. From his north London home, McKinnon began probing military computers looking for evidence of UFOs.

He used a program called "RemotelyAnywhere" to control U.S. military computers. Many of the computers he accessed were set up with default passwords, which made them easy to access, McKinnon has said.

He timed his hacking when no one was working at the U.S. offices. But on one occasion he miscalculated the time difference. Someone using a computer that McKinnon controlled noticed the cursor moving on its own. The connection was severed, and U.K. police eventually tracked McKinnon down.

IDG News Service


Sunday, January 18, 2009

'Amazing' worm attack infects 9 million PCs

Biggest infection in years, says Finnish security firm.
Calling the scope of the attack "amazing," security researchers at F-Secure Corp. today said that 6.5 million Windows PCs have been infected by the "Downadup" worm in the last four days, and that nearly 9 million have been compromised in just over two weeks.

Early Friday, the Finnish firm revised its estimate of the number of computers that had fallen victim to the worm, and explained how it came to the figure. "The number of Downadup infections [is] skyrocketing," Toni Koivunen, an F-Secure researcher, said in an entry to the company's Security Lab blog. "From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing."

On Tuesday, Koivunen put the number of infected systems at 2.4 million, then updated the estimate Wednesday to 3.5 million, an increase of 1.1 million in just 24 hours.

"We haven't seen outbreaks of this scale in many years," said Mikko Hypponen, chief research officer at F-Secure, in an e-mail reply to questions. "[It] reminds me of the old Loveletter/Melissa/Sasser/Blaster cases size-wise," he added, ticking off some of history's biggest malware attacks.

Downadup -- which also goes by the name "Conficker" -- exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008. Although Microsoft fixed the flaw with one of its rare "out of cycle" updates in late October, about a third of all PCs have not yet been patched, according to Qualys Inc., another security company. Those PCs are the ones being hijacked by the worm.

In his Friday blog post, F-Secure's Koivunen also provided some background on the company's estimate, in part because some people had expressed disbelief in the number. According to Koivunen, F-Secure came to its 8.9 million-machine estimate by spying on the worm's communication with hacker-controlled servers.

Once it's gotten onto a PC, Downadup generates a list of candidate domain names, selects one, then contacts that domain to reach a malicious server from which it downloads additional malware to install on the hijacked computer. F-Secure, however, has registered some of those domains itself, and so has been able to log the traffic the infected machines send to them.

By examining logs of connection attempts to those domains, F-Secure discovered several hundred thousand different IP addresses -- over 350,000 as of today -- as well as a counter embedded in each request that reports the number of additional PCs the infected machine has compromised.

"So this number tells us how many other computers this machine has exploited since it was last restarted," explained Koivunen. A sample log provided by F-Secure showed 12 Downadup-infected PCs, which collectively had infected 186 additional systems. Just one of the originally infected computers successfully attacked 116 other machines.

"We wrote a program that parses the logs, extracting the highest value for the IP/User-Agent pairs ... then added together to get our figures," said Koivunen. "As you can see now, they are very conservative."
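The counting method Koivunen describes (take the highest counter seen per IP/User-Agent pair, then add the peaks together) is easy to reproduce against a registered-domain log. The script below is an added example written for this post, not F-Secure's program or their logs: the log lines are constructed in Apache combined format, and the placement of the counter in a q= query parameter is an assumption of this example standing in for whatever the real worm sends.

```python
import re

# Constructed sinkhole log lines (Apache 'combined' format). The counter-in-q= wire
# format is an assumption for this example; these are not F-Secure's logs.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jan/2009:10:12:01 +0000] "GET /search?q=3 HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.10 - - [16/Jan/2009:11:40:22 +0000] "GET /search?q=7 HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.10 - - [16/Jan/2009:11:41:05 +0000] "GET /search?q=2 HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.23 - - [16/Jan/2009:12:03:44 +0000] "GET /search?q=116 HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.23 - - [16/Jan/2009:12:09:10 +0000] "GET /search?q=0 HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.77 - - [16/Jan/2009:12:15:59 +0000] "GET /search?q=0 HTTP/1.1" 200 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.77 - - [16/Jan/2009:12:16:30 +0000] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.5"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
COUNTER_RE = re.compile(r"[?&]q=(\d+)(?:&|$)")


def parse_line(line):
    """Return (ip, user_agent, counter) for a worm beacon, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    c = COUNTER_RE.search(m.group("path"))
    if not c:
        return None                       # browser noise, favicon probes, etc.
    return m.group("ip"), m.group("ua"), int(c.group(1))


def summarise(log_text):
    """Peak counter per (IP, User-Agent) pair; the pair separates machines behind one NAT."""
    peak = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ua, counter = rec
        key = (ip, ua)
        # The counter resets when the machine reboots, so keep the maximum, not the latest.
        peak[key] = max(peak.get(key, 0), counter)
    secondary = sum(peak.values())
    return {
        "infected_hosts_seen": len(peak),
        "secondary_infections": secondary,
        "total_estimate": len(peak) + secondary,
        "top_spreaders": sorted(peak.items(), key=lambda kv: kv[1], reverse=True)[:3],
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for k, v in result.items():
        print(f"{k}: {v}")
```

Two details matter for the estimate. Keying on the IP/User-Agent pair rather than the IP alone keeps two infected machines behind the same NAT address from collapsing into one, and taking the maximum rather than the last value per pair survives the counter reset Koivunen mentions ("since it was last restarted"). Victims that later beacon on their own also appear as their own pairs, so the sum of peaks is a lower bound on spread from the sinkholed domains, which is why the figure is conservative.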

Earlier this week, the already-high number of Downadup infections prompted Microsoft to add detection for the worm to its Malicious Software Removal Tool (MSRT), the anti-malware utility that the company updates and redistributes each month to Windows machines. Microsoft released the latest edition of the MSRT with anti-Downadup capabilities last Tuesday.

Like other security researchers, those from Microsoft have put some of the blame on users slow to patch their PCs. "Either Security Update MS08-067 was not installed at all or was not installed on all the computers," a pair of security researchers who work at Microsoft said Tuesday.

Microsoft has recommended that Windows users install the emergency update, then run the January edition of the MSRT to scrub the worm from compromised computers.


Friday, January 16, 2009

1 in 3 Windows PCs vulnerable to worm attack

And open-source exploit code made the worm writer's job easier.
The worm that has infected several million Windows PCs is causing havoc because nearly a third of all systems remain unpatched 80 days after Microsoft Corp. rolled out an emergency fix, a security expert said today.

Based on scans of several hundred thousand customer-owned Windows PCs, Qualys Inc. concluded that about 30% of the machines have not yet been patched with the "out of cycle" fix Microsoft provided Oct. 23 as security update MS08-067.

"The unpatched numbers went down significantly around the 30-day mark," said Wolfgang Kandek, Qualys' chief technology officer, "when less than 50% were unpatched. After that, it went down a little slower. As of yesterday, 30% of the machines are unpatched."

With nearly a third of all Windows systems still vulnerable, it's no surprise that the "Downadup" worm has been able to score such a success, Kandek said. "These slow [corporate] patch cycles are simply not acceptable," he said. "They lead directly to these high-infection rates."

The Downadup worm, called "Conficker" by some researchers, surged dramatically this week and has infected an estimated 3.5 million PCs so far, according to Finnish security company F-Secure Corp. The worm exploits a bug in the Windows Server service used in Windows 2000, XP, Vista, Server 2003 and Server 2008.

Microsoft issued a patch in late October after confirming reports of in-the-wild attacks, most of them against machines in Asia.

On Tuesday, Microsoft laid at least some of the blame for the worm's success at the feet of Windows users. "Either Security Update MS08-067 was not installed at all or was not installed on all the computers," said Cristian Craioveanu and Ziv Mador, researchers at Microsoft's Malware Protection Center, in a Tuesday blog post.

Kandek agreed with them. "This shows that a three-month patch cycle, which some companies use, is unacceptable," he said.

In related news, a researcher at McAfee Inc. today said that the author of Downadup/Conficker worm took a shortcut when crafting the malware by grabbing functional exploit code from Metasploit, the open-source penetration testing framework.

"By using the exploit from the Metasploit module as the code base, a virus/worm programmer only needs to implement functions for automatic downloading and spreading," said Xiao Chen, a McAfee security researcher, in an entry to the company's blog. "We believe that this can be accomplished by an average programmer who understands the basics of exploitation and has decent programming skills.

"It's obvious that worm writers are abusing open-source tools to their advantage to make their work easier," Chen added.

Microsoft has recommended that Windows users install the October update, then run the January edition of the Malicious Software Removal Tool to clean up compromised computers.

"Patch faster," urged Kandek from Qualys.


Monday, January 12, 2009

NASA Hacker May be Tried in UK

NASA hacker Gary McKinnon could be prosecuted in the UK after his lawyers informed the Crown Prosecution Service (CPS) that he would enter a guilty plea if the case was heard in the U.K.

McKinnon broke into U.S. military computers, including those belonging to NASA, in 2001 in a bid to prove the U.S. government has knowledge of UFOs.



While McKinnon says his exploits did not cause any damage, U.S. prosecutors allege that McKinnon stole 950 passwords and deleted files at a naval base in New Jersey responsible for replenishing munitions and supplies for the Atlantic fleet. They also maintain the intrusions disrupted military computer networks that were critical to operations conducted after the terrorist attacks of September 11, 2001. The U.S. estimates the damage caused by McKinnon at $700,000.

McKinnon currently faces extradition to the U.S. to stand trial, following the European Court of Human Rights' decision in August 2008. However, this latest move by his lawyers means that if McKinnon were found guilty in the U.K., he would be punished in the U.K. and extradition would be very unlikely.

"McKinnon has had tremendous support from the hacker community and even ordinary people - many IT workers have a lot of sympathy for his ongoing plight and would rather see him tried in Britain as opposed to the U.S.," said Graham Cluley, senior technology consultant at security firm Sophos.

"Any form of hacking is illegal and should be punished as such, and hacking into U.S. government networks is bound to come with harsh repercussions -- anyone thinking about engaging in these types of activities in the future should think twice. This man's sorry tale should warn other would-be hackers that they are playing with fire if they break into sensitive networks, and shouldn't be surprised if the full force of the law goes after them."


Wednesday, January 7, 2009

Twishing attacks steal data in 140 characters or less

Twitter, and its 140-characters-or-less message restriction has become quite popular over the past year, attracting attention from organizations and individuals all across the globe. American conservatives are scrambling to reach out to constituents (and educate elected officials) through the social network, and the Israeli Consulate held a Tweet-friendly conference on that nation's response to recent problems in the Gaza Strip. Even the US military is interested in the nation's tweeting trend, and is investigating whether or not the service could be used to plan or coordinate terrorist attacks. The malware industry, ever one to follow a popular trend, has taken notice of Twitter; preliminary attempts to breach the social network and exploit it as a malware distribution point are already underway.

According to blogger Nathania Johnson, she recently received a tweet from a friend directing her to "this funny blog about you" followed by a link to blogspot. She clicked on the link and was warned away by installed anti-phishing software (I assume), which correctly flagged the site as a forgery. Hapless users who actually clicked on the link were bounced away to a Twitter-look-alike at a different URL where they were prompted to enter their login ID and passwords.

Normally, I'd be tempted to excoriate someone for clicking on a link that practically screams "spam," but Twitter is a unique case. One of the more reliable ways of detecting spam/phishing is watching for grammar mistakes, spelling errors, and the lack of personalization within the missive. The 140 character limit on Twitter, however, encourages its users to be as concise and compact as possible; sending a URL leaves even less room for an additional message. This type of brief exchange actually plays to a phisher's strengths, provided they can craft even the most basic hook. As Nathania herself notes, "it was a very strange message," but she clicked it anyway. Fortunately, she was warned off, but lots of other Twitter users weren't.
Responses to the spam have been varied. Nathania herself posits that a flood of phishing schemes could drive people away from Twitter entirely, Dan Tynan of Computerworld is calling this both an inevitable development and the end of Twitter's innocence, while BoingBoing reports that Fox News has revealed some unexpected news about Bill O'Reilly's sexuality.

Twitter is likely to come out of this with nary a ripple. Spam, malware, and phishing are facts of life that every single website has had to deal with. Methods of dealing with the problem vary from website to website, but tweeters can look forward to a great many more micro-conversations.
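The hook in this attack was a link that left twitter.com for a look-alike host with a login form, so the useful defensive check is on the URL, not the message text. Below is an added example of that check, written for this post; it is not the code of whatever anti-phishing tool warned Nathania off. The hostnames in it are constructed for illustration (the page never names the real phishing domain), and the two-label rule in registrable_domain is a simplification that real code would replace with the public suffix list.

```python
from urllib.parse import urlsplit


def registrable_domain(host):
    """Last two labels of a hostname. Assumption: a two-label suffix like example.com;
    real code should consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats such as 'tvvitter.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_verdict(url, legit="twitter.com"):
    """Classify a link against the site it claims to be.

    Returns one of: 'legit', 'userinfo-spoof', 'embedded-brand', 'typosquat', 'unrelated'.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    brand = legit.split(".")[0]

    if host == legit or host.endswith("." + legit):
        return "legit"                          # twitter.com or a real subdomain
    if parts.username and brand in parts.username.lower():
        return "userinfo-spoof"                 # http://twitter.com@evil.example/
    if brand in host:
        return "embedded-brand"                 # twitter.com.account-check.example
    if edit_distance(registrable_domain(host), legit) <= 2:
        return "typosquat"                      # tvvitter.com, twiter.com
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links; only the first two are genuine Twitter URLs.
    for link in [
        "https://twitter.com/login",
        "https://m.twitter.com/",
        "http://twitter.com.account-check.example/login",
        "http://tvvitter.com/login",
        "http://twitter.com@evil.example/login",
        "http://example.org/blog",
    ]:
        print(f"{lookalike_verdict(link):15s} {link}")
```

The order of the checks matters: the exact-host test has to come first so that a real subdomain is never flagged, and the userinfo test has to precede the substring test because in `http://twitter.com@evil.example/` the brand appears in the URL but not in the host the browser actually connects to. Anything that is not 'legit' deserves at least a warning before a user is allowed to type a password into it.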

Root inside: researchers claim crack for Intel's vPro

Two security researchers based in Poland claim to have cracked Intel's vPro—specifically the trusted execution technology (TXT) part formerly known as LaGrande. Little is currently known about the crack, which the team will fully unveil at the forthcoming Black Hat conference in Washington. They have revealed that it involves two stages, and that an attacker can use it to "compromise the integrity of a software loaded via an Intel TXT-based loader in a generic way."

The first stage of the attack [PDF] is apparently based on "an implementation flaw in a specific system software," specifically the part that loads trusted code into memory. The second stage exploits the design of the current release of TXT.

The researchers, who work for a group called Invisible Things, claim to have found more than one implementation flaw that can enable the first stage of the attack, and Intel will be releasing information to the developer community on how to make your applications immune to it. The design-based exploit will presumably be addressed in a later release of TXT.
Right now, few people are actually using TXT, so the impact on Intel's customer base should be pretty minimal, if any. But it has to bother the company that an exploit was even found at all.

vPro is a critical link in Intel's larger vision for networked computing. At this past IDF, I talked with Intel's Andy Tryba about the company's vision of widespread remote tech support—instead of walking my aunt through a troubleshooting session over the phone, Intel would like to see me remotely and securely log into her machine and fix it. Or, Apple could remotely and securely log into her machine, if she's a Mac user.

Obviously, such a support scenario would need a lot more than just vPro, and Tryba acknowledged that. vPro is only a building block out of which a company like Apple or Best Buy, or a third-party software developer, could build a complete remote support solution. But of course, that building block has to be secure before users will feel comfortable handing over the keys to their machine to a faceless corporation (or to their nephew).

With so few details of the attack made public, it's difficult to assess its potential impact. In a statement to InfoWorld, Intel merely indicated that they're working with Invisible Things on addressing the issue.