Wednesday, June 25, 2008

The Green Card Lottery


Here's something strange I ran across while blocking the latest batch of phishing sites: the "USAGC Green Card Lottery" program. The site is well built, with many pages and a choice of languages, but it seemed sketchy on its own, apart from the fact that it appeared as a pop-up from a Canadian pharmacy spam site. Essentially it offers you a membership subscription in one-year intervals, during which they will also give you the opportunity to buy all sorts of US-related learning materials, in addition to the "possibility" of winning a Green Card (even though I thought you had to speak with the INS about that). Maybe after you give them your home address, you'll get a surprise visit from the INS; that would be fun.
The site's IP address traces to Dallas and a fairly large network. However, the verbiage on the site reads as if it had been written by a non-native English speaker, not to mention a spelling error or two. I also found it strange that they wanted payment in Euros even though I said I was currently living in the US. They would even accept wire transfers or cash! Cash, for an internet purchase, for essentially nothing (a subscription to a lottery?). Sign me up!
Scams like this are everywhere, so be careful and vigilant when trolling around the interweb, and as always, there's a reason the saying "If it's too good to be true..." has been around for so long. One quick check: the genuine US Diversity Visa lottery charges no fee to enter, so any site that wants a paid subscription for the privilege is not running it. Rest assured, though, I'm looking out for you, and I'll go ahead and block this one for all AppRiver clients.

Tuesday, June 24, 2008

Another Adobe Acrobat Exploit in the Wild


There was a time when you could email and open PDF documents all day long without fear of a nasty exploit taking over your computer. That day is long gone; in fact, PDF has become a popular exploit vector. Adobe has released a critical security update for a vulnerability that affects many versions of Adobe Reader as well as Adobe Acrobat.
According to Adobe's advisory, the flaw "could potentially allow an attacker to take control of the affected system", and it is already being exploited in the wild.
Go patch it up, again! The affected versions are:
Adobe Reader 8.0 through 8.1.2
Adobe Reader 7.0.9 and earlier
Adobe Acrobat Professional, 3D and Standard 8.0 through 8.1.2
Adobe Acrobat Professional, 3D and Standard 7.0.9 and earlier

Adobe Reader 7.1.0 and Acrobat 7.1.0 are not vulnerable to this issue.

Friday, June 20, 2008

Storm, again.

Well, if you ever had doubts about whether Storm was going to stick around, don't worry! Yep, the Storm crew made another run yesterday, this time bringing news of a giant earthquake in Beijing, you know, the one that registered a 9 on the Richter scale and damaged the Great Wall?! Unfamiliar? Yeah, me too; it didn't happen. Storm nevertheless delivered the "news" in emails with many different subject lines, such as:

Countless victims of earthquake in China
Toll mounts in China earthquake
China's most deadly earthquake
China Earthquake claims 1 million lives
A new massive quake struck China
A new deadly catastrophe in China
Great Wall of China damaged by earthquake
The most powerful quake hits China
Earth tremors in China is going on

The last one is my favorite. The link in the email took you to a site showing what looked like it was about to be a video of the devastation; instead, once you clicked Play, you downloaded the Storm Worm itself, as a file named beijin.exe. The page also contained a hidden iframe that used JavaScript to attempt a silent install of Storm even if you never clicked the link. A "video" that arrives as an .exe download is never a video; that is the tell.
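The two indicators described above, the hidden iframe and the .exe "video" link, are easy to flag automatically. The following is an added example, not code from the original post or from AppRiver: a small scanner over fetched HTML that reports zero-size or CSS-hidden iframes, links to executables, and inline scripts that write an iframe. The sample page and the bad.example / cdn.example hosts are constructed for the demo.

```python
"""Added example (not from the original post): flag drive-by indicators in a
fetched web page, such as the hidden iframe and the .exe "video" link the Storm
earthquake page used. The sample page and its host names are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A "video player" page has no business linking to any of these.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
# Inline CSS tricks commonly used to keep an iframe out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)


def tiny_dimension(value):
    """True for a width/height of 0 or 1, with or without a 'px' suffix."""
    digits = re.sub(r"\s*px$", "", value.strip().lower())
    return digits.isdigit() and int(digits) <= 1


class DriveByScanner(HTMLParser):
    """Collects (kind, target, reason) findings while parsing one page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            reason = self.hidden_reason(a)
            if reason:
                self.findings.append(("hidden iframe", a.get("src", ""), reason))
        elif tag == "a":
            href = a.get("href", "")
            if urlparse(href).path.lower().endswith(EXECUTABLE_EXT):
                self.findings.append(("executable link", href, "executable file extension"))
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        # Storm-style pages also build the iframe from JavaScript at load time,
        # so the whole inline script is checked once it has been collected.
        if tag == "script" and self._in_script:
            self._in_script = False
            script = "".join(self._script_buf)
            self._script_buf = []
            if re.search(r"<iframe\b|\.exe\b", script, re.I):
                self.findings.append(("script writes iframe/exe", script.strip()[:80], "inline script"))

    @staticmethod
    def hidden_reason(a):
        """Why this iframe would be invisible to the visitor, or None if it would not."""
        if "hidden" in a:
            return "hidden attribute"
        width, height = a.get("width", ""), a.get("height", "")
        if tiny_dimension(width) or tiny_dimension(height):
            return "size %sx%s" % (width or "?", height or "?")
        match = HIDDEN_STYLE.search(a.get("style", ""))
        if match:
            return "style " + match.group(0)
        return None


def scan(page_html):
    """Return the list of (kind, target, reason) findings for one page."""
    scanner = DriveByScanner()
    scanner.feed(page_html)
    scanner.close()
    return scanner.findings


# Constructed stand-in for the fake-news page; bad.example is not a real host.
SAMPLE_PAGE = """<html><body>
<h1>Breaking: massive earthquake hits China</h1>
<img src="player.jpg" alt="video">
<a href="http://bad.example/beijin.exe">Click to play video</a>
<iframe src="http://bad.example/load.php" width="0" height="0" frameborder="0"></iframe>
<script>document.write('<iframe src="http://bad.example/x.php" style="display:none"></iframe>');</script>
<iframe src="http://cdn.example/legit-ad" width="300" height="250"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, target, reason in scan(SAMPLE_PAGE):
        print("%-26s %-40s %s" % (kind, target, reason))
```

The 300x250 ad frame in the sample is deliberately left alone: the point is not that iframes are bad, but that an iframe nobody can see has no legitimate reason to exist on a news page.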

Friday, June 13, 2008

The Zlob!


Like cockroaches and taxes, some things never go away. It seems the Zlob trojan belongs in that group. It has been around forever and is still making appearances today. Zlob relies on social engineering to trick you into installing it yourself: it entices you with a must-see video, usually claiming to be porn but not always, walks you through a click or two, and then hits you with a pop-up claiming you don't have the proper codec to view it. Luckily, they'll go ahead and supply it right then and there; wow, these guys are nice. (A genuine missing-codec message comes from your media player, not from the web page, and the "codec" offered here is just the trojan's installer.) The least they could do is actually let you see the video after you've infected your computer; it would probably keep more people from realizing they had just been infected. Oops, maybe I shouldn't have written that. Oh well, too late.

Wednesday, June 11, 2008

Storm Still Spreading Love

Well, it looks like the Storm Worm is still chugging along. Here's a screenshot of the page it takes you to today. The interesting thing is the love theme, still. It made me start to wonder... A couple of months ago people started reporting that Storm's reign looked to be coming to an end, when in fact it hadn't; it had just taken a break. I have read recent reports attributing the slowdown to a combination of internal problems the Storm authors had with their botnet and a number of their bots being taken offline. This was around the beginning of the year. My theory is that they are now using all of the love-themed material they had intended to use over the Valentine's Day season but couldn't because of those issues. For the past year and a half they have always used either a generic fake postcard or something themed for the occasion. These are definitely themed, but there is no occasion.

Tuesday, June 10, 2008

Ransomware Returns

Ransomware is a targeted attack, usually against business owners, in which their private data, for which there is usually no backup, is hijacked by malware that encrypts it and holds it until the victim pays the attacker for decryption software. This has been seen several times in the past; however, there is a new one on the streets known as GPCode.

Most of the earlier ones used weak, home-grown encryption that was easy and fairly quick to break. This one is different, and is bordering on impossible to decrypt without the software the attackers provide. The bulk of the work is done with RC4, the same stream cipher used in SSL and WEP. That alone would be no big deal, but the author then encrypts the RC4 key with a 1024-bit RSA public key, and only the attackers hold the matching private key. That is a real obstacle: the largest RSA key ever publicly broken was only 663 bits (RSA-200, factored in 2005), and it's estimated that breaking a 1024-bit key would take a million computers working in tandem for around a year. Even attempting it seems pointless, since the malware author can simply rotate the key, so it's likely the current key would never be cracked. In practice the only recovery that doesn't depend on the attackers is a copy of the data they never touched: an offline backup, or, if the malware merely deleted the originals rather than wiping them, an undelete tool run before anything else is written to the disk.
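The design just described is textbook hybrid encryption: a fast symmetric cipher for the bulk data and a public key to lock up the symmetric key. The following is an added example, not the malware's code and not from the original post; it reproduces only that structure so you can see why the victim is stuck. RC4 is implemented from the specification, RSA is the unpadded textbook operation with a simplified Miller-Rabin key generator, and the sample document is constructed. The 1024-bit size in the demo is an assumption matching the post; anything here would be just as unrecoverable at 512 bits for a victim without the private key.

```python
"""Added example (not from the original post): the hybrid RC4 + RSA scheme the
post describes, in textbook form. Per-file RC4 key, RSA-wrapped key, and the
attacker-only unwrap step. Sample document and key sizes are constructed."""
import random


def rc4(key, data):
    """Plain RC4: key scheduling (KSA) then keystream generation (PRGA), XORed onto data."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin after small-prime trial division."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top and low bit
        if is_probable_prime(candidate, rng):
            return candidate


def rsa_keygen(bits, rng):
    """Return ((n, e), (n, d)). Use a CSPRNG (make_rng()) for anything real."""
    e = 65537
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))   # modular inverse, Python 3.8+


def make_rng(seed=None):
    """SystemRandom for real keys; a seeded Random only for reproducible demos and tests."""
    return random.Random(seed) if seed is not None else random.SystemRandom()


def ransom_encrypt(plaintext, public_key, rng):
    """Fresh random RC4 key per file; only its RSA-wrapped form is kept beside the data."""
    n, e = public_key
    file_key = rng.getrandbits(128).to_bytes(16, "big")
    wrapped_key = pow(int.from_bytes(file_key, "big"), e, n)   # textbook RSA, no padding
    return wrapped_key, rc4(file_key, plaintext)


def ransom_decrypt(wrapped_key, ciphertext, private_key):
    """What the attacker's 'decryption software' does: unwrap with d, then run RC4 again."""
    n, d = private_key
    file_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    return rc4(file_key, ciphertext)


if __name__ == "__main__":
    rng = make_rng()
    public_key, private_key = rsa_keygen(1024, rng)      # private_key stays with the attacker
    document = b"Q2 payroll: see attached spreadsheet"    # constructed sample file
    wrapped, blob = ransom_encrypt(document, public_key, rng)
    print("left on the victim's disk:", hex(wrapped)[:20] + "...", blob.hex())
    print("recovered with the private key:", ransom_decrypt(wrapped, blob, private_key))
```

Two things the block makes concrete. Every file gets its own RC4 key, so recovering one file's keystream (RC4 is a stream cipher, and a known plaintext gives you the keystream for that file) tells you nothing about the next file. And everything needed to decrypt sits on the victim's disk except the single number d, which is why the attackers can sell the "software" rather than a key: the software is just d plus the unwrap step.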

Currently the data-nappers are charging $100 to $200 for the decryption software.

**Photo courtesy of Dancho Danchev.

Thursday, June 5, 2008

Mars Lander Mission Site Pwned

Last weekend, as news of another successful Mars lander mission, this one named Phoenix, was making headlines, its official mission website was hacked, not once but twice. The first time was by someone calling themselves "VITAL", a Ukrainian hacker who replaced the site's lead story with his tag and a link that redirected visitors to another site hosted overseas. The second time was by a group of Turkish hackers who used the same SQL injection hole as VITAL and replaced the site's main page with one of their own.
The Phoenix Mars Lander mission team quickly found the defacements, took the site offline to restore it, and plugged the SQL injection holes. These SQL injection attacks have been very popular in the past few months, since automated remote scanning tools built specifically for this task have surfaced in the underground, and mass attacks have been seen all over. Now these tools are easily obtained by almost anyone who wants them. Luckily, in this case it was just a few script kiddies playing with their new toy; most of the cases reported recently have involved malware either placed directly on the site or delivered through injected iframes that redirected visitors to another site hosting it. Even the Storm Worm's latest campaigns have begun using this injection technique. The fix on the webmaster's side is well known: build every database query from bound parameters rather than by pasting user input into the SQL string, and validate input before it gets anywhere near the database. The sooner sites are fixed that way, the sooner these tools become useless and their authors are forced to move on. Unfortunately, there are only moments of peace before they do move on to another previously unrecognized vulnerability.
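To make the fix concrete, here is an added example, not the Phoenix site's code and not from the original post: the string-built query that lets a visitor rewrite the SQL, beside its parameterized replacement, both run against an in-memory SQLite database. The "mission news" table, its rows, and the two payloads are constructed; they are the kind of input an automated injection scanner feeds to every parameter it finds.

```python
"""Added example (not the Phoenix site's code): a string-built query beside its
parameterized replacement, run against an in-memory SQLite database. The table,
rows and payloads are constructed for the demo."""
import sqlite3


def make_db():
    """Toy 'mission news' table with one unpublished draft that visitors must not see."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT, published INTEGER)")
    db.executemany("INSERT INTO news (title, body, published) VALUES (?, ?, ?)", [
        ("Phoenix lands safely", "Touchdown confirmed.", 1),
        ("First images returned", "Panorama of the landing site.", 1),
        ("DRAFT: internal status", "Do not publish yet.", 0),
    ])
    return db


def search_vulnerable(db, term):
    """Concatenation: whatever the visitor typed becomes part of the SQL grammar."""
    sql = "SELECT title FROM news WHERE published = 1 AND title LIKE '%" + term + "%'"
    return [row[0] for row in db.execute(sql)]


def search_fixed(db, term):
    """Parameter binding: the input travels as a value and can never change the statement."""
    sql = "SELECT title FROM news WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]


# Constructed payloads of the kind an injection scanner tries on every parameter.
PAYLOAD_TAUTOLOGY = "zz%' OR 1=1 --"                    # switches off the published = 1 filter
PAYLOAD_UNION = "zz%' UNION SELECT body FROM news --"   # reads a column the page never shows

if __name__ == "__main__":
    db = make_db()
    for label, search in (("vulnerable", search_vulnerable), ("fixed", search_fixed)):
        print(label, "tautology ->", search(db, PAYLOAD_TAUTOLOGY))
        print(label, "union     ->", search(db, PAYLOAD_UNION))
```

In the vulnerable version the tautology payload returns every row, draft included, because the closing quote and the SQL comment marker let `OR 1=1` override the `published = 1` filter, and the UNION payload pulls the `body` column straight into the results. The fixed version returns nothing for either payload, not because it filters quotes (it does not), but because a bound parameter is never parsed as SQL. That is the property the mass-injection tools depend on being absent; once a site has it, they have nothing to find.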