Thursday, October 30, 2008

The eCard Returns


The ever popular method of sending malware disguised as an ecard has returned in mass quantities over the past couple of days. We began seeing a flood of these yesterday and we are successfully blocking these messages. They are still hitting our filters today in large volumes. At first glance I was expecting these to contain a Halloween reference but they do not. They simply instruct you to cooperate by opening the attachment.

The time has arrived for us to start seeing a steady increase in fake ecard virus messages. I expect these to continue through Halloween, Thanksgiving and Christmas. If you do receive an ecard, remember that legitimate ecards should identify the sender by name. If the sender is not someone that you know then it is probably not a good idea to open it.

Wednesday, October 22, 2008

Carders Get Pwnd

Last week an undercover FBI operation came to an end. Two years ago, the FBI started up an underground forum at DarkMarket.ws. It quickly became a site full of cybercriminals involved in the buying and selling of credit card information, names and passwords, as well as the equipment needed to carry out these cybercrimes.
The site maintained a registered user base 2500 strong. It also gave users a feeling of safety by banning anyone who appeared to be a ripper or acted sketchy. In the cyber world there are two types of criminals: those who steal, but not from one another, and the "rippers", who will steal from anyone, the lowest of the low-lifes. By visibly removing these undesirable elements, the site let the criminals feel free to let their guard down and get to real business once the formalities were taken care of.
During the life of the site, the forum's undercover admin Master Splyntr said he saw millions of dollars trade hands, but thanks to the work between US, German, Turkish, and British organized crime officials, 56 people were arrested worldwide which saved what they estimated to be around $70 million dollars in potential losses. Good for them.
The FBI hasn't reported on why the operation ended at all if it was so successful, but rumor has it that the German radio station Südwestrundfunk leaked the FBI's role in detaining a German carder who was active on DarkMarket.ws. Also, shortly after the site's launch, hacker Max Ray Butler had allegedly hacked his way onto the servers that hosted the site and found information that linked it to the FBI; fortunately for the FBI et al., the warnings went unheeded and the site gained a lot of popularity in the underground.

Wednesday, October 15, 2008

Clickjacking, A New Old Concern

Clickjacking, an attack where browser exploits actually steal your mouse clicks, has raised new concern in the internet security realm. Essentially the attacker is getting you to click on something you hadn't intended to. The attack works like this: when a user is looking at an image, a button, or another link of some sort on a web page, the attacker hovers an invisible link between the mouse pointer and the real button, often with the use of hidden iframes. Sometimes the iframe will simply remain over the links on the page, and sometimes the attacker will insert one that follows the mouse pointer around, regardless of its location on the page. This attack used to be used solely to direct user clicks towards advertisements, which in turn made the bad guys money, as the amount they got paid was proportional to the number of clicks a link would generate. Only recently have concerns been raised that this type of attack can be combined with others in order to inject malware onto your system, or even combined with current Adobe Flash exploits to turn on a computer's microphone and/or webcam in order to spy on the unknowing web surfer.
This is primarily a browser flaw in itself, which the browser vendors have known about since 2002 but had dismissed until now as less important. They have all begun to try to patch this flaw once and for all, and Adobe has released workarounds for the flaws in its Flash plug-ins, which have now been labeled "critical".
One good way to avoid this type of attack is to use the NoScript plug-in for Firefox. Not only will it announce the presence of hidden iframes, it will also stop the execution of various scripts such as JavaScript and Flash Players (amongst others) without your approval. Check it out here.
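The overlay check described above, as an added example in JavaScript that is not code from the post or from NoScript: DOM nodes are stood in for by plain objects (rect as getBoundingClientRect() would give it, opacity and zIndex as getComputedStyle() would report them, which is an assumption of this model), so the logic runs in Node without a browser. It covers both variants the post names: a frame parked over a control, and a frame that follows the pointer.

```javascript
// Added example, not code from the post or from NoScript. Each element is a plain
// object standing in for a DOM node: rect as getBoundingClientRect() would give it,
// opacity and zIndex as getComputedStyle() would report them.
const CLICKABLE = new Set(['a', 'button', 'input', 'img']);
const INVISIBLE_OPACITY = 0.1;   // assumed threshold: near-transparent still takes clicks

function overlaps(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w && a.y < b.y + b.h && b.y < a.y + a.h;
}

function contains(r, px, py) {
  return px >= r.x && px <= r.x + r.w && py >= r.y && py <= r.y + r.h;
}

// An iframe that is (nearly) transparent: invisible to the user, but it still receives clicks.
function isHiddenFrame(el) {
  return el.tag === 'iframe' && el.opacity <= INVISIBLE_OPACITY;
}

// Static variant from the post: invisible frames parked over links or buttons.
// Returns one finding per (frame, covered control) pair where the frame is stacked above.
function findClickjackOverlays(elements) {
  const findings = [];
  for (const frame of elements.filter(isHiddenFrame)) {
    for (const target of elements) {
      if (!CLICKABLE.has(target.tag) || frame.zIndex <= target.zIndex) continue;
      if (overlaps(frame.rect, target.rect)) findings.push({ frame: frame.id, covers: target.id });
    }
  }
  return findings;
}

// Pointer-following variant: re-run this on every mousemove with the current pointer
// position; the topmost hidden frame under the pointer is what would take the click.
function hiddenFrameAt(elements, px, py) {
  const hits = elements.filter(e => isHiddenFrame(e) && contains(e.rect, px, py));
  if (hits.length === 0) return null;
  return hits.reduce((top, e) => (e.zIndex > top.zIndex ? e : top)).id;
}

// Constructed sample page: a visible "play" image with a transparent ad frame
// floated over it, a login link left alone, and a normal visible video frame.
const SAMPLE_PAGE = [
  { id: 'play',  tag: 'img',    rect: { x: 100, y: 200, w: 160, h: 40 },  opacity: 1, zIndex: 0 },
  { id: 'login', tag: 'a',      rect: { x: 300, y: 50,  w: 80,  h: 20 },  opacity: 1, zIndex: 0 },
  { id: 'ad',    tag: 'iframe', rect: { x: 90,  y: 190, w: 180, h: 60 },  opacity: 0, zIndex: 10 },
  { id: 'video', tag: 'iframe', rect: { x: 400, y: 400, w: 320, h: 240 }, opacity: 1, zIndex: 0 },
];
```

In a real page the same checks would be fed from document.querySelectorAll('iframe, a, button, input, img') on load and on mousemove; a visible, opaque frame like the video above is never flagged.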

Tuesday, October 14, 2008

Virus Activity Tapers (for now)

For a while there I didn't believe I'd see daylight as virus activity rose in frequency to points that were sometimes as much as 1700% higher than the past 5 years' averages. Slowly but surely, though, virus activity has begun to stabilize. That is certainly something very good for the present time, and could mean any number of things. It could mean that the number of machines, or bots, capable of sending these viruses has been cut down due to them being cleaned up or taken offline. It could mean that the bad guys are sitting back, calmly writing a new version of the trojans they had been working with. It could be because our buddy the Storm Worm has all but dropped out of the competition (even though Storm's numbers during those peak times were minimal).
A majority of the past few months' traffic can be attributed to only a couple of different botnets: Srizbi, Rustock, and Pushdo. The amount of spam and viruses that these guys were pumping out was quite large; we were seeing as much as 40 million pieces of malware-laden email per day on peak days. To put that into perspective, our daily average over the past 5 years has been between 300K and 600K. That was a big jump. These botnets, especially Srizbi, were on a somewhat relentless campaign, constantly repacking and obfuscating their malicious code in order to send out wave after wave of fresh, undetected variants.
Luckily we can all breathe a little easier for now, as the averages over the past few weeks have dropped down to about 3-6 million infected messages per day, a giant improvement. Good news, yes, but I wouldn't get too excited, as every well-run business, even a criminal one, has down times used to reinvent or focus on other aspects, you know, good old fashioned R&D. Sorry about the sensationalism, sometimes I can't help it.

Thursday, October 9, 2008

More Off-The-Shelf Malware

It seems to be happening a little more frequently these days: malware being pre-loaded into electronic devices right at the factory. Well, maybe not at the factory where final assembly occurs, but possibly at the factories where the parts for the final assembly are manufactured. Regardless, soon to be gone are the days when you can feel safe going to the store and buying a clean computer, or digital picture frame, or flash drive...
The newest item to hit the shelves, no infection required, is the Asus Eee PC, or Eee Box desktop computer. The computer's 80GB hard drive comes preloaded with a file called recycled.exe hidden in its D: partition. When the drive is accessed the file runs, accessing the C: drive as well as all removable media in an attempt to further propagate the worm, which has been the W32/Usbalex worm in some cases or the W32.Gammima.AG worm in others. The latter's sole purpose is to sniff out and steal online gaming usernames and passwords.
So in case you were looking into these, the model numbers affected are:
Model number: EEEBOXB202-B; UPC code: 610839761807
Model number: EEEBOXB202-W; UPC code: 610839761814
Model number: EBXB202BLK/VW161D; UPC code: 610839530526
Model number: EBXB202WHT/VW161D-W; UPC code: 610839531202
Model number: EBXB202BLK/VK191T; UPC code: 610839547753

Monday, October 6, 2008

Malware Delivery Aided by SEO

In recent months there has been an increase in malware activity across the board. As spammers ramp up their efforts to reach your inbox they continue to explore as many attack vectors as possible. Spammers continue to bombard our email inboxes with extremely high volumes of messages containing malware. A recent study showed that as many as 75% of compromised sites that are unwittingly hosting malware are trusted or well-known sites. They are also, now more than ever, attempting to infect you through web searches. One method that has risen in popularity recently is malware delivery via Search Engine Optimization.

SEO is nothing new, but we have been seeing more and more of it lately. Search Engine Optimization (SEO) is the process of editing and organizing the content on a web page or across a website to increase its potential relevance to specific keywords on specific search engines. The spammers simply utilize SEO to guide you to their malware-infected web pages, where they can infect your computer, often invisibly and almost instantly.
By using SEO in combination with the most popular search terms they are able to substantially increase the chances that your search will return many of their malicious web pages. In the most common version of this exploit, you are directed to a web page that you believe is related to your search. You are then presented with an image of a video. This image is in fact a link to a web page that in turn redirects you to another web page where the malware awaits you. Most often these have led to the installation of one of the many rogue anti-virus programs (malware) seen recently, such as VirusResponse Lab 2009.
You can avoid a lot of this risk by minimizing your use of searches, especially when seeking out sites that you visit often. Many people are in the habit of simply doing a search for the site they are seeking and then clicking on the first link. This type of behavior carries a risk that can be reduced by storing all the trusted sites that you visit in your bookmarks/favorites and accessing them from there whenever possible. A better solution would be to implement a web content filter.

Friday, October 3, 2008

Hackers Have Your Missiles, Oh $#!*

So, here's some good news. It looks like a company in South Korea that manufactures and supplies guided missiles to their military has had its computers hacked and malicious code implanted on its machines. Let's hear it for LIG Nex1 Hyundai Heavy Industries and their network security administrators! You know, everyone wants to have a secure system, but it would seem there are a few systems that had better be, this being one for sure. There hasn't been a whole lot of detail on the issue, but it seems that the malware was meant to steal information from the weapons makers. Oops, what are the plans for a few guided missiles doing in the hands of miscreants, organized crime rings, or the ever popular terrorists?!

A spokesperson said: “The research institute suspects the culprits are Chinese or North Korean hackers but doesn't know specifically what information they stole. In the worst case, the blueprints of missiles and Aegis ship could have been stolen.

“It's shocking that our major defense industries are open to attacks from hackers and that our missiles are vulnerable to theft by cyber terrorists. A general review of our cyber security system is needed.”


So let's think about this, but not too long as that would possibly lead to more anxiety than necessary. If they are able to get in that far, how much further can they get? Nevermind, on second thought, I hate to think about it. Maybe I'll just go write the screenplay.

Wednesday, October 1, 2008

How Much is Your Identity Worth?


Lately there has been an immense increase in the number of phishing scams attempting to pass through our filters. There have been all sorts of variants of the usual angles and social engineering stratagems, and as usual AppRiver has been blocking them. What if you did get phished? Have you ever wondered where your information goes? I often imagined some pale-faced, nefarious-looking character sitting at his computer wearing a trench coat.
In his recent interview with CNET, Tom Rusin of Affinion Group shed some light on the subject. Affinion is a company that monitors underground criminal activity for thousands of financial/banking institutions and is one of the largest identity protection companies in the world.
Rusin has gained access to credit card numbers, debit card numbers (favored since they almost always have cash available), usernames and passwords, your very own phishing kit, or "fulls". The information for sale that they refer to as "fulls" is certainly the most disturbing. These consist of a name, address, SSN, date of birth, and driver's license number. This is all the essential information needed to steal someone's identity and profit from new-account creation using it.
Gaining access to these criminal networking sites was not easy. Rusin has been at it since 1998 and has had to establish his own criminal credentials to do so. Rusin explains that one common way of proving your credentials is that you may be asked to provide at least five active credit card account numbers to be granted access. Once inside he has access to purchase everything. You can get thousands of account numbers for pennies on the dollar. You can also purchase your very own Infection Kit and/or Trojan for $700-$500. If you don't feel like doing it yourself you can also purchase software as a service for around $299 a month. Perhaps most shockingly, you can purchase U.S. "fulls" for about $20.

Linked-In Spoofed in Malware Campaign

It's been a trend for the past year or two to use social networking sites in order to infect people with malware. At first people would create fake profiles on said networks, such as MySpace and/or Facebook, to post infectious comments on valid pages within the network. Once the excited recipient clicked on the link in the comment to 'see who had a crush on' them, or 'get free gift cards', they would in turn start sending out the same messages to their whole network of "friends". That was popular until MySpace figured out who was doing it, took them to court and won a big lawsuit against them.
So, naturally, that began to look like a bad idea, and the bad guys would instead send out spam emails that appeared to come from these networks. The emails would lead to fake log-in screens where the users' credentials would be stolen and their accounts used to send the spam and malware; or the fake emails would simply infect the recipient with an attachment that contained malware, or include a link to a web site that hosted other malware.
Yesterday we began to see another social network being used as a theme to infect recipients. LinkedIn, if you're unaware, is supposed to be a social network designed for an older, more professional demographic. These emails arrive pretending to be from the network, explaining that they were finally able to export your list of business contacts from your account. They are written in a "better than most" support-style email, signed from the "Technical Support Department". The attachment that is supposed to have your contact list is actually a .scr file inside a .zip titled 'Contacts.Zip'. Those screensaver files (.scr) are always bad news, especially when zipped up; avoid them.
If you're an AppRiver client, we're going to help you avoid them, and the rest, by making sure you don't see them. Ok, you can look, but only here.
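The attachment check these campaigns call for (the zipped .scr in this post, and the ecard attachments in the October 30 post), as an added JavaScript example that is not AppRiver's filter code: it reads only the ZIP central directory, never extracts anything, and treats the extension list and the buildZip helper (which constructs a sample archive in memory) as this example's own assumptions.

```javascript
// Added example, not code from the AppRiver post: flag a ZIP attachment that carries a
// Windows executable (.scr screensaver, .exe, ...) by reading only its central directory.
const EXEC_EXT = new Set(['.scr', '.exe', '.pif', '.com', '.bat', '.cmd']);

// Every entry name listed in the central directory (the archive's authoritative index).
function zipEntryNames(buf) {
  let eocd = buf.length - 22;                       // end-of-central-directory record
  while (eocd >= 0 && buf.readUInt32LE(eocd) !== 0x06054b50) eocd--;
  if (eocd < 0) throw new Error('not a ZIP archive');
  const count = buf.readUInt16LE(eocd + 10);
  let p = buf.readUInt32LE(eocd + 16);              // offset of the first CD header
  const names = [];
  for (let n = 0; n < count; n++) {
    if (buf.readUInt32LE(p) !== 0x02014b50) throw new Error('bad central directory');
    const nameLen = buf.readUInt16LE(p + 28);
    const skip = buf.readUInt16LE(p + 30) + buf.readUInt16LE(p + 32); // extra + comment
    names.push(buf.toString('utf8', p + 46, p + 46 + nameLen));
    p += 46 + nameLen + skip;
  }
  return names;
}

// Entries whose extension is executable; case-insensitive so Contacts.SCR is caught too.
function executableEntries(buf) {
  return zipEntryNames(buf).filter(n => EXEC_EXT.has(n.slice(n.lastIndexOf('.')).toLowerCase()));
}
// Build a small stored (uncompressed) ZIP in memory so the check runs offline.
function buildZip(entries) {
  const parts = [], central = [];
  let offset = 0;
  for (const [name, text] of entries) {
    const nm = Buffer.from(name), body = Buffer.from(text);
    const local = Buffer.alloc(30), cdh = Buffer.alloc(46);   // CRC left at 0: parser ignores it
    local.writeUInt32LE(0x04034b50, 0); local.writeUInt16LE(20, 4);
    local.writeUInt32LE(body.length, 18); local.writeUInt32LE(body.length, 22);
    local.writeUInt16LE(nm.length, 26);
    cdh.writeUInt32LE(0x02014b50, 0); cdh.writeUInt16LE(20, 6);
    cdh.writeUInt32LE(body.length, 20); cdh.writeUInt32LE(body.length, 24);
    cdh.writeUInt16LE(nm.length, 28); cdh.writeUInt32LE(offset, 42);
    parts.push(local, nm, body); central.push(cdh, nm);
    offset += local.length + nm.length + body.length;
  }
  const cd = Buffer.concat(central), eocd = Buffer.alloc(22);
  eocd.writeUInt32LE(0x06054b50, 0); eocd.writeUInt16LE(entries.length, 8);
  eocd.writeUInt16LE(entries.length, 10); eocd.writeUInt32LE(cd.length, 12);
  eocd.writeUInt32LE(offset, 16);
  return Buffer.concat([...parts, cd, eocd]);
}
// Constructed sample modelled on the campaign: "Contacts.Zip" hiding a .scr next to a text file.
const SAMPLE_ZIP = buildZip([['Contacts.scr', 'constructed, not a real PE'], ['readme.txt', 'hi']]);
```

A filter would run executableEntries over each decoded .zip attachment and quarantine the message when the list is non-empty; nested archives and the ZIP64 format are out of scope here.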