Thursday, March 26, 2009

April Fool's Day - What's to Come?

So it seems that news of the Conficker worm's scheduled code update on April 1st has finally spread beyond the immediate tech world, because our support team has fielded several calls from concerned clients about the big event that April Fools' Day is to be. The problem is that no one really understands what's going on with this thing, and to a degree that includes the experts. The average concerned citizen has simply heard of this giant, scary computer worm that is poised to attack on April 1st and just maybe drain everyone's bank accounts right before melting their hard drives from within.
Though it is true this worm has grown very large, it has yet to do anything besides change its code a couple of times and spread. It is also true that Conficker has not used email as a means to spread; it scours the internet looking for unpatched computers and slips in. So the key is to make sure you have updated Windows, if that's what you use, and to disable your AutoRun feature as well, since this is another means of propagating that the worm uses. It is able to jump onto removable media such as external drives or USB keys, travel to other computers and, by means of its own autorun.inf file, pwn another machine.
Here is the link to the Microsoft patch and here's one to instructions on how to disable your AutoRun feature.
While we're at it, here is a link to the Conficker removal tool.
Ok, just two more: here's an excellent and only slightly sarcastic FAQ about the worm from F-Secure that will help ease the pain, and a detailed Conficker timeline from Byron Acohido that will shed even more light on this new, annoying worm.

Tuesday, March 24, 2009

Sneakey, Scary.

As a security analyst, I feel I am a little more paranoid (careful?) than most people about, well, most things, and this little article I read today really helped add to my ever-expanding list of things to watch out for.
It seems that a group of computer programmers at the University of California San Diego have developed a piece of software which they've dubbed "Sneakey". Sneakey is capable of taking a digital image of a physical key, like the kind most people use to unlock their houses, and producing an exact working copy within minutes. The application can use a digital image of a key taken from nearly any angle to measure the depth of each cut and string that information together into what locksmiths call the key's bitting code. This is typically a five- or six-digit number that the locksmith uses to cut the blank key. The bitting code, along with the basic key shape and type, is all that is needed to make a duplicate key.
In one experiment by the Sneakey team at UCSD, they installed a camera on their four-story department building (77 feet above the ground) at an acute angle to a key sitting on a café table 195 feet away. The image (shown above) was correctly decoded and duplicated. They say that it works so well that a low-resolution picture from a cell phone is enough to get the job done.
The way it works is quite simple, for someone versed in MATLAB and computer vision techniques, that is. Using a reference image of a key with a known bitting code, the application corrects the angle of the target key's image and overlays it on the reference key. Once aligned, the software compares the target's cuts against the reference control and calculates the differences.
The Sneakey team says that this software won't be released to the public, but the idea now has been, and that seems bad enough. Their advice is good advice: "Keep your keys in your pocket." And while you're at it, you may want to go and pixelate all of your photos where you're sitting somewhere with your keys on the table.

Thursday, March 19, 2009

The Return of Race to Zero

Even though, while I was at DefCon16 last August, I had trouble locating where the Race to Zero competition was being held (I did attend the announcement of the winners), it was definitely one of the events I was most looking forward to checking out.
Just to give you a little background if you don't already know: the Race to Zero contest was envisioned by a couple of security guys named Simon Howard and bogan, and the idea was pretty simple. "We'd install a bunch of anti-virus products and see who could modify existing viruses to sneak them past detection engines. There'd be beer and banter, a fun afternoon. It wasn't really a scientific contest -- most of the functionality of the scanners was actually turned off. We'd only test the CLI-based signature and heuristic components of the suites," says bogan.
The whole idea was to show how ineffective signature based anti-virus products were. Contestants were given a number of existing pieces of malware that at the beginning were all detected by all of the anti-virus products that were installed on their machines. They then had to alter each one of the samples in order to sneak them past the AVs, and have the exact same functionality once they emerged on the other side.
Since I enjoy reverse engineering these things anyway, this already seemed like a fun idea, but then the media and the AV companies caught wind, and several of them went absolutely nuts. That's despite the aim of the contest being more of a protest that "signature-based antivirus is dead, [and] people need to look to heuristic, statistical and behavior based techniques to identify emerging threats" than a clinic on making malware, as some people were trying to claim. Kaspersky's CEO went as far as to compare the contest to robbing banks and distributing narcotics in schools.
Anyway, all of that created a great buzz, and it's because of that buzz that I'm quite excited to say that they have decided to do it again this year! They are stepping it up a little by hopefully making it more visible (to me at least) with the use of a large scoreboard so contestants and spectators can see how everyone's doing, and they're doing something that will certainly cause another stir this year: they're going to publish the actual results of the products they're using, to show which perform better and worse!
He goes on to say "That's right, vendors, you really should be scared now. We're going to empirically show the world how useless you are, instead of just heavily implying it."
See you in Vegas!
Thanks to Patrick Gray and the Risky Business blog for bogan's story; read it here.
The Race to Zero site is here,
and DefCon17's site is starting to roll too.

Wednesday, March 18, 2009

Local Terror Attacks

Attacks on our inboxes are constant, but some tend to stand out, much like one that came through yesterday on St. Patrick's Day. Yes, whilst most people were daydreaming of green beer, the Waledac authors decided it was a good time to strike. The techniques used in this attack were very similar to their last run and included a new "feature", if you will, that was first introduced in the last wave: the use of GeoIP location. By using visitors' IP addresses when they arrive at Waledac's landing sites, the attackers can customize the page to appear local to the victim. In this case they wanted victims to believe that a terror attack had just occurred in their own home town. This included a brief, fake news story supposedly from Reuters that claims "At least 12 people have been killed and more than 40 wounded in a bomb blast near market in [insert your town here]". Click on the picture above to read the rest of the "story".
Below the story is where video of the devastation is supposed to be, but of course you need to download the latest version of Flash to view it. Instead you'll be downloading a file by the name of Run.exe, which is the malicious payload. However, as has also become a staple of these Waledac attacks, they're not going to wait for you to download the malicious executable on your own: through the use of a hidden iframe, the site starts downloading it for you the moment you arrive. This domain is on the same fast-flux type network that this group has been using since Waledac was known as the Storm Worm. Finally, at the bottom of the fake page are two links to help make it all look believable. The first is to a Wikipedia entry for the topic "dirty bomb", which according to the story is what was used, and the second link uses IP geolocation again to combine your town's name with the words "terror attack" to perform a Google search.
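To show what the hidden-iframe trick looks like from the defender's side, here is an added example (not the blog's own code, and not Waledac's page) that scans a constructed copy of such a page and lists the iframes a visitor would never see, then narrows them to ones pointing at a Windows executable. The sample HTML and its domains are constructed placeholders; the file name Run.exe is the one the post mentions.

```python
import re
from html.parser import HTMLParser

class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags a visitor would never see: zero-sized or hidden
    via inline CSS. Drive-by pages use these to start a download silently."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        zero = a.get("width", "1").rstrip("px") == "0" or a.get("height", "1").rstrip("px") == "0"
        hidden = "display:none" in style or "visibility:hidden" in style
        if zero or hidden:
            self.hits.append(a.get("src", ""))

def find_hidden_iframes(html):
    """Return the src of every hidden iframe in the document, in source order."""
    p = HiddenIframeFinder()
    p.feed(html)
    return p.hits

EXE_RE = re.compile(r"\.exe(?:[?#]|$)", re.I)

def suspicious_sources(html):
    """Narrow to hidden iframes whose source is a Windows executable, the
    pattern the fake news page uses to push Run.exe without a click."""
    return [s for s in find_hidden_iframes(html) if EXE_RE.search(s)]

# Constructed page modelled on the fake news article; domains are placeholders.
SAMPLE_PAGE = """<html><body>
<h1>At least 12 people have been killed ...</h1>
<iframe src="http://video.example/player" width="480" height="360"></iframe>
<iframe src="http://news-site.example/Run.exe" width="0" height="0"></iframe>
<iframe style="display: none" src="http://ads.example/track"></iframe>
</body></html>"""
```

Run against captured landing pages, the second list is the one worth alerting on; the first catches tracking frames too, so it is noisier.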

Friday, March 13, 2009

A Variation on a Theme

So I was going through blocking domains that are hosting phishing sites when I came across this little email scam that caught my attention. In essence it's another 419 scam email, but with a different sort of twist. Instead of the more common Nigerian barrister theme, or the American soldier in Iraq with a treasure of Saddam's gold, this one purported to be from the chief accountant of a large brewery, namely Amsterdam Beer. Also different in this one, the author didn't pretend to have come across this money by any legal means. He states in his scam letter that he used his position to "over invoice a contract by excess of" $49 million. Wow, I think I would've noticed that kind of overcharging, but that's just me, I guess. Here's the letter:
Dear

I am the chief accountant of Amsterdam Brewing Co. Limited, and by my position, I was privileged to use my position to over invoice a contract by excess of
Forty Nine million U.S. Dollars, and what I need now is a reliable and trustworthy Foreigner whom I will work in concert with, to pull out this excess money ($49,000,000). I am not a greedy person by nature and as such we shall share the windfall on equal ratio.
I will handle all the documentation of the deal, which is risk free, while you will provide me with your company or private account where to transfer the money into.
I am so connected, and the deal will take only 5 banking days to be concluded. This is a secret deal and must be treated as such; when you confirm your interest I will tell you the next step.
I am waiting for your reply.

www.amsterdambeer.com

Regards,

Mr. Harry Coker

Reply to: harry_coker14@yahoo.com

Thursday, March 12, 2009

Another Conficker Update

It seems that the Conficker worm has updated once more, this time in the interest of stealth rather than propagation. As I reported recently, the last variant of Conficker would generate 250 pseudo-random domain names and attempt to query all 250 of them once every two hours, looking for updates from its command and control mothership. This has changed. The worm will now generate 50,000 domain names a day!!! It will, however, only attempt to contact 500 of those 50,000, and it does so only once per day.
The interesting part of this worm remains that even with three (and a half) different variants, Conficker has yet to do anything more than mutate and propagate. I'm guessing that when it does strike, it will be a busy day for the press, considering it hasn't done much of anything so far and its buzz already rivals, if not surpasses, that of the working botnets like Rustock, Pushdo, and Waledac.

Thursday, March 5, 2009

New Trojan Targets Day Traders

While a reported roughly 10 million PCs are sporting an infection by the worm dubbed “Conficker”, which exploits a Windows Server Service vulnerability, a lesser known threat is flying under the radar. A Trojan targeting day traders, now being referred to by many as “Tigger.A” or simply “Tigger”, has spread to more than a quarter million Windows-based machines.

I imagine things have been pretty shaky for the average day trader as of late, but for many, simply taking the wrong position on a stock may not be the only way to see a freefall in your trading account. This Trojan is designed specifically to target users of E-Trade, ING Direct ShareBuilder, TD Ameritrade, Scottrade, Options Xpress and Vanguard. Once the victim's PC is compromised, the Trojan has the ability to steal passwords, take screenshots, log keystrokes and even steal web cookies. The Trojan's ability to conceal its presence is just as sophisticated as its data-gathering capabilities.
This Trojan exploits a previously patched privilege escalation flaw to gain access to the “administrator” account, rendering any permission limitations on the specific user account ineffective, since Tigger has the ability to override that protection. Tigger can also delete competing malicious code (a feature that is far more common in spamming malware) and disable multiple security programs such as Windows Defender, Outpost, Kaspersky and Windows Firewall.
Though it is well known that the Trojan is targeting day traders and/or employees of the previously mentioned stock and investment trading firms, it is still a mystery how it is being spread. While we might not know where they are getting it, we may know who they are getting it from… According to security firm iDefense, “Tigger uses a special key code to extract its rootkit on host systems, a lengthy key that is almost identical to the key used by the domain name generation feature built into the Srizbi botnet”.

Wednesday, March 4, 2009

Conficker Scheduled to DDoS Southwest Airlines

So I'm sure everyone's heard of the Conficker/Downadup A/B/BB/B+/C etc. etc. worm by now, and if you haven't, here's a quick synopsis. This worm began to spread very quickly a few months ago, soon after Microsoft sent out a patch for what has become quite a popular vulnerability, at least in Conficker's author's eyes. The worm spreads in three ways. The first is by exploiting what was a weakness in Microsoft's Server Service RPC (Remote Procedure Call). This was the big one that Microsoft sent the patch for, but thanks to millions of people who don't use automatic updates, this new botnet has grown to around 10 million strong. The second way it spreads is by attempting to brute-force administrator passwords. This method is extremely inefficient, unless your password is something like "aaaa" or the like. The third way is by copying itself onto whatever removable media it can find: thumb drives, flash cards, etc. The worm's ultimate goal is to take over your computer and accept remote commands.
Once a computer is infected, one way it receives updates has proven to be rather creative. The worm generates pseudo-random domain names via its onboard domain name generation algorithm. Each machine generates 250 seemingly random domain names every day and attempts to contact each one looking for commands. When the worm's authors need to issue a command to the botnet, they simply register one of the domains that the worm is scheduled to contact and are there waiting a couple of hours or so before the bots arrive. If a bot connects to a domain that isn't issuing commands, it simply disconnects and moves on to the next one on the list. Once the good guys were able to reverse engineer this algorithm, they were granted a look into the future at every domain name this worm will attempt to look up, and it only makes sense that some of these domains will already be registered, legitimate domains. When they are, and 10 million PCs try to contact your domain at the same time, the result is a Distributed Denial of Service attack, or DDoS. Among the legitimate domains slated for a visit by Conficker are:
Music Search Engine - jogli.com on 8th of March
Southwest Airlines - wnsux.com on 13th of March
Women’s Net in Qinghai Province - qhflh.com on 18th of March
Phonetics by Computer - praat.org on 31st of March
I know that was a whole lot to say to make such a short point, but it had to be done.
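The two Conficker posts above (March 4 and March 12) describe the same mechanism from the defender's side: once the domain generation algorithm is known, the daily domain list can be computed ahead of time, checked against real registered domains to predict which sites will be flooded, and used to spot infected hosts by their failed lookups. The block below is an added illustration, not the blog's code and not Conficker's real algorithm: the generator is a constructed date-seeded one, and the seed, the resolver log lines and the "legitimate" domain list are all constructed.

```python
import hashlib
from datetime import date, timedelta

# Constructed, date-seeded generator for illustration only; NOT Conficker's real algorithm.
TLDS = ("com", "net", "org")
SEED = b"illustrative-seed"  # assumed constant baked into the bot

def dga_domains(day_iso, count, seed=SEED):
    """Derive `count` pseudo-random domains for one calendar day ("YYYY-MM-DD").
    Every bot derives the same list, so whoever has the algorithm can precompute it."""
    out = []
    for i in range(count):
        h = hashlib.sha256(seed + day_iso.encode() + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[1:6 + h[0] % 7])  # 5..11 chars
        out.append(f"{label}.{TLDS[h[12] % len(TLDS)]}")
    return out

def schedule(start_iso, days, per_day):
    """Map each day of the window (as "YYYY-MM-DD") to that day's domain list."""
    start = date.fromisoformat(start_iso)
    days_iso = [(start + timedelta(n)).isoformat() for n in range(days)]
    return {d: dga_domains(d, per_day) for d in days_iso}

def collisions(sched, legitimate):
    """(day, domain) pairs where a scheduled name is already a legitimate site,
    i.e. a site that every bot will contact at once on that day."""
    legit = set(legitimate)
    return [(d, dom) for d, doms in sorted(sched.items()) for dom in doms if dom in legit]

def flag_hosts(dns_log, threshold):
    """Count NXDOMAIN answers per client; a bot churning through hundreds of
    unregistered names stands out from normal clients on failure volume alone."""
    counts = {}
    for line in dns_log.splitlines():
        src, _qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            counts[src] = counts.get(src, 0) + 1
    return sorted(h for h, n in counts.items() if n >= threshold)

# Constructed resolver log: "client queried-name response-code"
SAMPLE_DNS_LOG = """\
10.0.0.5 mail.example.com NOERROR
10.0.0.7 qwhxbzk.net NXDOMAIN
10.0.0.7 lpmdoqa.org NXDOMAIN
10.0.0.7 zyvkqrtm.com NXDOMAIN
10.0.0.5 exmaple.com NXDOMAIN
"""
```

With a real algorithm in place of the constructed one, `collisions` over the month's schedule is exactly how a list like the one above (jogli.com on the 8th, wnsux.com on the 13th) gets produced, and the same schedule is what a sinkhole or blocklist is built from.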