Friday, May 29, 2009

Windows XP Users et al. Beware

So you didn't want to upgrade to Vista, and you couldn't let go of the grand-plus to get that MacBook your trendy friends are pressuring you to buy. You decided you were comfortable enough to stick with your XP machine. Well, be warned: Microsoft has released a security advisory that affects DirectX on older versions of Windows, namely Windows XP, Windows 2000 Service Pack 4, and Windows Server 2003.
The vulnerability requires a malicious QuickTime media file that exploits this hole in DirectX and executes its malicious code.
Microsoft has not yet offered a patch, nor has it announced when one will be available. It has provided what it calls a "workaround", which removes a couple of registry entries that enable QuickTime parsing. Microsoft gives instructions to do this manually, or if you prefer, provides two simple buttons to click on - one to "Enable Workaround" and one to "Disable Workaround". Once clicked, you'll get the standard Microsoft .msi file, which will do the deed for you. Here's a link to Microsoft's Workaround page.

Thursday, May 28, 2009

Riding on the Recession

Here's a crafty routine spammers are running with currently. As they are prone to do, these scammers like to hitch on to current events and milk them for all they're worth. This particular scam, which collects recipient information and email addresses, began a few days ago. The email pretends to come from the Ford Motor Company and is a response of sorts to the recent government bailout of the auto industry. They claim that in an attempt to "get back on their feet" they are selling off a surplus of vehicles at a big markdown in price, which they are passing on to you. The money generated through this liquidation is supposedly going to supplement the giant loan the government has already given them. Anyway, here ya go, read the email for yourself:
Dear Mr/Ms,

Due to the World Economy Recession, Ford Motor Company, Inc undergo a statistic fall in Sales and result in a drastic financial crisis this last season.

The Government has given us the opportunity to bounce back on our feet, but unfortunately we have not achieved the fund necessary.


Therefore, we offer you the opportunity to purchase a very good Auto at 35% discount of the price. We decided to pull the sales of 1.000 cars from United Kingdom at a very low price for us to aquire the capital needed to bounce back in business and to use this medium to increase the scale of our valued customers.


The payment shall be made in installments through the bank at 1 month after signing the contract.
If you are interested in this offer please fill out the application form, A representative will contact you about this application within five business day.



Sincerely,

Ford Motor Company
P.O. Box 6248
Dearborn, MI 48126


The email also contains an attachment that uses a double extension to trick the recipient into believing it is a .pdf document. The attachment is actually an .html page. Once the page is loaded, it pulls down a background graphic from a domain called malala.biz, which makes the page look like a PDF document, with minor imperfections such as tiling at high resolutions. Information is then gathered through a series of drop-down menus and text boxes. Pertinent information includes your name, email address, and mobile phone number. A "send" button that rests above a poorly created company footer submits your data to the harvesters. AppRiver is blocking all of these with several different tests.
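The double-extension trick above is easy to catch at the gateway once the attachment name and the declared MIME type are compared against each other. The following is an added example written for this post, not AppRiver's filter or any code from the campaign; the sample message is constructed here, and the attachment is a harmless HTML stub named the way the scam names it.

```python
"""Flag e-mail attachments that use a double extension to pose as documents.

Added illustration for this post (not AppRiver's own filtering code).
The sample message is constructed here; its attachment is a harmless
HTML stub, not the real scam page.
"""
import email
import email.policy
from email.message import EmailMessage

# Extensions a user is meant to read as "just a document".
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Extensions that are actually rendered or executed when opened.
ACTIVE_EXTS = {"html", "htm", "exe", "scr", "js", "vbs", "bat", "cmd", "com", "pif"}


def attachment_findings(raw_message: bytes) -> list:
    """Return (filename, reason) pairs for every suspicious attachment."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        if len(pieces) < 3:
            continue  # no double extension to examine
        real_ext, claimed_ext = pieces[-1], pieces[-2]
        if real_ext in ACTIVE_EXTS and claimed_ext in DOCUMENT_EXTS:
            findings.append((name, f"double extension: looks like .{claimed_ext}, "
                                   f"is really .{real_ext}"))
        # Second, independent signal: the declared MIME type disagrees with the
        # document type the name advertises.
        ctype = part.get_content_type()
        if claimed_ext == "pdf" and ctype != "application/pdf":
            findings.append((name, f"claims to be a PDF but MIME type is {ctype}"))
    return findings


def build_sample() -> bytes:
    """Constructed lookalike of the Ford scam layout: an HTML form named as a PDF."""
    msg = EmailMessage()
    msg["From"] = "Ford Motor Company <noreply@example.invalid>"  # constructed sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Vehicle liquidation offer"
    msg.set_content("Please fill out the attached application form.")
    html_stub = b"<html><body><form><input name='email'></form></body></html>"
    msg.add_attachment(html_stub, maintype="text", subtype="html",
                       filename="Application_Form.pdf.html")
    return bytes(msg)


if __name__ == "__main__":
    for filename, reason in attachment_findings(build_sample()):
        print(f"{filename}: {reason}")
```

Both checks fire on the sample because the name and the content type tell different stories; a real document would satisfy both. The MIME-type check is the one that survives if the scammer drops the double extension and simply names the HTML page `form.pdf`, since mail clients still honour the declared type.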

Friday, May 22, 2009

Spammers Attempting To Cash In On Global Epidemic

In the early morning hours we saw a huge surge in image spam. The vast majority of this increase in traffic was spam aimed at capitalizing on global fears of the Swine Flu outbreak. The “Canadian Pharmacy” spam we are all so familiar with is now peddling Tamiflu in addition to the usual Viagra. This surge has reached into the millions of emails since just this morning. The emails have varying subject lines.

Some of the Subjects:
· Swine flu- new age pandemic?
· new age pandemic is here
· pig flu pandemia news
· worst pandemic since spanish flu
· nobody is safe from new pandemic
· Real Swine flu protection now available!
· usa and europe is in great danger
· millenium pandemia - defeat it
· real brand swine flu remedy
· pandemic news
· 500 mils died in last pandemic - be prepared!
· worst pandemic since spanish flu!

Here is an example:

[image: sample Swine Flu spam email]

Clicking on the link provided will take you here:

[image: the pharmacy site the link leads to]

We have seen a few versions of this in the past month or so, but this one is by far the largest and most organized campaign to date. These messages are likely being sent by the Rustock botnet. I myself will probably have to get my Tamiflu elsewhere this epidemic because I do not think the world famous “Canadian Pharmacy” is in my insurance network.
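Image spam of this kind has a recognisable shape regardless of the words in the picture: an outbreak-themed subject line, a body whose visible text is next to nothing, and an inline image that carries the pitch. The script below is an added example for this post, not AppRiver's detection logic; both sample messages are constructed here, and the GIF payload is a 1x1 placeholder rather than an actual spam graphic.

```python
"""Heuristic score for image spam: outbreak vocabulary in the subject,
almost no visible body text, and an embedded image doing the talking.

Added illustration for this post, not AppRiver's filter. Sample messages
are constructed below; TINY_GIF is a 1x1 placeholder image.
"""
import email
import email.policy
import re
from email.message import EmailMessage

# Vocabulary drawn from the subject lines quoted above (matched lower-case).
PANDEMIC_TERMS = ("swine flu", "pig flu", "pandemic", "pandemia", "spanish flu", "tamiflu")

# Smallest valid 1x1 GIF; stands in for the spam graphic.
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
            b"\x02\x02D\x01\x00;")

TAG_RE = re.compile(r"<[^>]+>")


def image_spam_score(raw_message: bytes) -> int:
    """Score 0-3: +1 outbreak subject, +1 near-empty visible text, +1 image part.
    A 3 is the classic image-spam shape seen in this campaign."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    score = 0
    subject = str(msg["Subject"] or "").lower()
    if any(term in subject for term in PANDEMIC_TERMS):
        score += 1
    body = msg.get_body(preferencelist=("plain", "html"))
    # Strip tags crudely; we only care how much text a reader would actually see.
    visible = TAG_RE.sub("", body.get_content()).strip() if body is not None else ""
    if len(visible) < 40:
        score += 1
    if any(part.get_content_maintype() == "image" for part in msg.walk()):
        score += 1
    return score


def build_image_spam() -> bytes:
    """Constructed message in the shape of the campaign: HTML that is only an <img>."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"  # constructed sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Real Swine flu protection now available!"
    msg.set_content('<html><body><img src="cid:pic"></body></html>', subtype="html")
    msg.add_related(TINY_GIF, maintype="image", subtype="gif", cid="<pic>")
    return bytes(msg)


def build_legit() -> bytes:
    """Constructed ordinary message for comparison."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "me@example.invalid"
    msg["Subject"] = "Meeting notes for Friday"
    msg.set_content("Hi, attached are my notes from Friday's planning meeting. "
                    "Let me know if I missed anything before we send them round.")
    return bytes(msg)


if __name__ == "__main__":
    print("spam sample score:", image_spam_score(build_image_spam()))
    print("legit sample score:", image_spam_score(build_legit()))
```

The subject-word signal alone is weak (genuine health bulletins use the same words), which is why the structural signals carry the weight; in production the image itself would additionally be hashed or fuzzy-matched against known campaign graphics.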

Wednesday, May 20, 2009

Want An Alternative to Captchas? It'll Cost Ya.

Are you a message board enthusiast or top poster on your favorite forum, sick of sharing your hard-earned space with spammers? Are you an administrator sick of getting spam on your free forums? Why not pay a service to help eliminate these spammy posts for you? What's being marketed as an alternative to that annoying Captcha, which was designed to force a human to be present for each new free mail account creation or for each blog or forum post, is the new service provided by a company by the name of Form Armor.
The service works like this: when someone wants to leave a comment on any of the above mediums, the form is proxied through Form Armor's service, where it is put through their proprietary algorithms to check for things such as SQL injection attacks, possible XSS attacks, or just general spamminess. If they fail, they are trashed; if they pass, the Form Armor service then passes the comment on to the appropriate forum.
The service will cost between $9 and $29 per month per website. $9 is for the basic set-it-and-forget-it service, and the more expensive tiers include a more advanced API with far more control, as well as all of the data you could ever want. Worth it? Good question; I guess it depends on your site's visibility or history. If you run a site that a lot of people are really into, and that generates a lot of comment traffic, it may not be a bad thing to have all of the garbage filtered out. Maybe you can request donations from your users to cover the cost. Currently I don't think I would pay for this service, for one because I don't admin a bulletin board, and two, I'm not sure people would be motivated to do it, simply because I'm willing to bet that people don't think it affects them that much, so why pay for an extra service? But then again, people used to think that they didn't need anti-spam for their inboxes either.

Thursday, May 14, 2009

Windows 7 with Free Trojan Horse


A new botnet has formed via a pirated version of the new Windows 7 (RC) that also contains a Trojan horse. The version has been available on forums and piracy sites for a few weeks now. Reportedly, the botnet had grown to 27,000 bots before having its command and control taken over by security firm Damballa. It appears that the botmasters (in this case) are seeking profit by serving as a middleman of sorts. Once the Trojan horse is installed, the botmasters use it to allow installations of as many pieces of malware as possible, presumably getting paid per install. Infections through new installations are continuing at a rapid rate; however, since the takedown of the CnC server, any of these new installations should prove unreachable by the botmaster. According to Damballa, the infection is currently spreading at a rate of around 1,600 machines per day and is widespread geographically, with the highest concentration of infection in the US. There have been multiple unique reports of the Windows 7 (RC) being used to propagate malware. This is a great example of the increased activity in the entrepreneurship of malware delivery. It is just like pay per click, but with malware. The individuals responsible for propagating this Trojan horse were most likely not the authors; instead, they likely purchased the code from a third-party vendor, got hooked up with the right people, started distributing the Trojan and then got paid by another party to install their malicious code. This underground network is nothing new, but I believe that this market is still in its infancy. I expect to see these networks only broaden, and for this type of activity to continue to rise.

Tuesday, May 12, 2009

Botnets Busy with the Western Union Theme

Yes, it's true, and here they come again. Last August is when we really started seeing this type of trend: botnets (mostly Pushdo) last year began sending malware dressed up as fake Western Union receipts. Now we're seeing them apparently coming from the Waledac botnet, and a lot of them. The ploy has morphed from Western Union emails to fake airline ticket purchases to false credit card purchases, and the language has changed too, from English to German to French and back to English. The one thing that hasn't changed is the malware authors' desire to continue expanding their botnets. It did appear there for one hot second that Waledac was focusing more on their spam business, as we didn't see many propagation efforts from them, but perhaps they were just making a few extra bucks while these new campaigns were in the works. They are certainly back for now, and we're seeing at least two new zero-day variants a day. Don't worry though, we're on it. Here's a picture of an email using this theme from back in August, and below that is one that I blocked about an hour ago. If this is any indication of cyclical themes, we should see the "Airmail Express" themes next.

Friday, May 8, 2009

Mac Users Should Start Brushing Up on Old Techniques

Another new, although poorly written, Mac OS X worm has been spotted in the wild very recently. It arrives through email and has the ability to open a backdoor (if it connects properly), attempts to create a botnet, has keylogging functionality, can send spam, and has the ability to join in DDoS attacks. The worm is being called OSX/Tored-A. You can read more about this particular worm at ZDNet.
Even though Mac-oriented malware is becoming much more prevalent, judging by the comments I've read on any article involving a new attack, and by talking to my friends who use Macs, the population remains quite naive to the threats that these pose. I see a lot of the "It will never happen to me" or "Macs don't get viruses" arguments, even though it has been proven, and spotted in the wild, time and time again. I'll say it once again: malware authors couldn't care less about what operating system you choose to run; they just want the biggest bang for their buck, and therefore will cater their malware to the most popular. With Apple's OS becoming increasingly popular, it's not a question of if...you know the rest. I know you may be in denial, but if it were about anything else, you would agree with the obvious.
So with that being said, I just wanted to warn Mac users about an extremely popular social engineering technique that is being used in a lot of the new (and older) Mac attacks. These have been used to infect PC users for at least ten years now. This is something you probably wouldn't think twice about if you feel you're completely secure, and that's why it works so well. This is the fake codec technique. It was probably made most popular by a family of PC malware known as Zlob (click the link, and scroll down for more about Zlob). The trick is that you are lured to a page where you're expecting to watch the coolest new video, or a shocking video a "friend" sends you. Once you try to play the video, you are prompted by a message telling you that you are missing a codec or the proper plug-in to watch the movie, but luckily they have it for you right there, available for download. This "codec" is instead malware, which you have just willingly installed. I know this may seem obvious now that you're thinking about it, but this technique has been very popular for one reason: because it works. Be vigilant; it's been speculated that Apple will start urging users to utilize internet security software within the next year and a half.
I also want everyone to know, that I'm not a platform hater. I would have a Mac too, if someone felt obliged to give me 2 grand, oh and one of those sweet giant Mac monitors I see in the Apple store.

Thursday, May 7, 2009

McAfee Drops the Ball

What must be turning into quite an embarrassing situation for McAfee is turning into an exciting bit of press for the security industry, and I say "exciting" because it's one of those bits of information that makes you stagger backwards and say "I just can't believe this!". McAfee, as you all know, is one of the big boys in the anti-virus and web-based security protection services and software industry. It has come to the public's recent attention, through the blog of Mike Bailey, a security researcher from Provo, Utah, that one of McAfee's major services, called McAfee Secure, is in itself very insecure. The service is used to scan websites on a daily basis in order to determine whether or not the sites are secure from exploits and vulnerabilities. You've probably seen these little shields on some of the larger sites you've visited: it's red with a large white M in the middle with the product name McAfee Secure, and a line beneath it stating "TESTED xx-xxx", where the X's are the last date the site was scanned by McAfee.
One of the major consumers of this service are sites that are required to be PCI DSS (Payment Card Industry Data Security Standard) compliant. This is a very strict set of rules aimed at any business that accepts card numbers as a form of payment, and its goal is to prevent credit card fraud and data exposure. As it turns out, the very tool, the McAfee Secure Vulnerability Scanning Portal, contained a very elementary CSRF (Cross-Site Request Forgery) vulnerability.
Unlike an XSS (Cross-Site Scripting) attack, which exploits a user's trust in a particular site, a CSRF exploits the trust that site has in a particular user.
For example: an attacker can create a fake link or script in a page that accesses a reputable site where the target user is known to have authenticated previously, such as McAfee's Secure Vulnerability Portal. The attacker could then lure the victim to this page and have them click on an image or link that runs the script. If the victim's browser still holds the cookie from their last McAfee login and it hasn't expired, the forged request is carried out under the victim's account, and the attacker effectively gains access to it. If this account contains personal information, such as PCI information, this amounts to big trouble. In McAfee's case, not only do these accounts contain this information, but because of the nature of the service, they also contain a listing of all of the other vulnerabilities McAfee had formerly found on their websites.
As a vendor of these website scanning tools, McAfee itself is supposed to be PCI DSS compliant, and by having these holes, they're not only endangering all of their protected clients, but they themselves are not PCI compliant.
It is said that a simple routine audit, such as the one Mike Bailey performed from a distance, would've easily uncovered this flaw and allowed McAfee to patch it before it was known about, especially since their product is supposed to protect against these things.
Once McAfee was contacted by Bailey, he immediately received a response, and McAfee patched all of the holes that had been pointed out. In addition, their entire codebase was subsequently audited for additional related security vulnerabilities.
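To make the "trust the site has in the user" point concrete, here is an added toy model (written for this post, not McAfee's portal code) of the same request handled two ways: one handler trusts the session cookie alone, the other also demands a per-session token that only the site's own pages can embed. The account name, the "change contact e-mail" action and the request shape are assumptions made for the demo.

```python
"""Cookie-only trust versus a synchronizer token, as a toy model of the CSRF
class discussed above. Added illustration, not McAfee's code; the user,
action and request layout are invented for the demo.
"""
import hmac
import secrets

# Server-side session store: session id -> {"user": ..., "csrf_token": ...}
SESSIONS = {}
# The state an attacker would like to change: user -> contact e-mail on file
CONTACT_EMAIL = {"alice": "alice@example.invalid"}


def login(user: str) -> str:
    """Create a session; the return value is what the browser stores as a cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(16)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The value the genuine site embeds in its own forms. A third-party page
    can make the browser send the cookie, but cannot read this token."""
    return SESSIONS[sid]["csrf_token"]


def vulnerable_update(request: dict) -> str:
    """Trusts the cookie alone: any page that makes the browser submit the
    form is treated as the logged-in user."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return "401 not logged in"
    CONTACT_EMAIL[session["user"]] = request["form"]["email"]
    return "200 updated"


def protected_update(request: dict) -> str:
    """Same action, but the form must carry the token bound to the session."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return "401 not logged in"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return "403 csrf token missing or wrong"
    CONTACT_EMAIL[session["user"]] = request["form"]["email"]
    return "200 updated"


def demo() -> tuple:
    """Victim logs in, then a cross-site page submits the form. The browser
    attaches the cookie on its own; the page has no way to supply the token."""
    sid = login("alice")
    forged = {"cookies": {"sid": sid}, "form": {"email": "attacker@example.invalid"}}
    CONTACT_EMAIL["alice"] = "alice@example.invalid"
    vulnerable_result = (vulnerable_update(forged), CONTACT_EMAIL["alice"])
    CONTACT_EMAIL["alice"] = "alice@example.invalid"
    protected_result = (protected_update(forged), CONTACT_EMAIL["alice"])
    # The site's own form carries the token, so a genuine change still works.
    genuine = {"cookies": {"sid": sid},
               "form": {"email": "alice.new@example.invalid",
                        "csrf_token": csrf_token_for(sid)}}
    genuine_result = (protected_update(genuine), CONTACT_EMAIL["alice"])
    return vulnerable_result, protected_result, genuine_result


if __name__ == "__main__":
    for label, (status, on_file) in zip(("vulnerable", "protected", "genuine"), demo()):
        print(f"{label:10s} -> {status}; contact e-mail on file: {on_file}")
```

The cookie is exactly the "trust the site has in the user" from the paragraph above, and the browser hands it over on every request to that site no matter which page triggered it; the token is the part of that trust the site keeps out of reach of other origins. The comparison uses hmac.compare_digest so the check is not timing-dependent.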
You can find Mike Bailey's blog post here, as well as another article from Patrick Gray and his blog-Risky Business who first broke the story of Bailey's blog to the media realm.

Wednesday, May 6, 2009

Waledac and Google Cash

Not completely concerned with spreading so much anymore, the Waledac botnet spends a lot of time spamming, and spamming a lot! Recently, like many of the other botnets, Waledac has used the Swine Flu concerns, I mean H1N1 concerns, as subject matter for their campaigns. These spam emails claimed to have vaccines for the flu, but instead a link in the email leads you to that old familiar Canadian Pharmaceutical site, which strangely enough only sells the regulars like ED meds. I am quite surprised that they didn't even pretend to have a fake vaccine on these sites, but they didn't. The only one to actually offer a fake vaccine was a piece of Cyrillic spam from last week.
Anyway, enough about that, as I was saying Waledac spends a lot of time spamming nowadays, and today's offering is no different. Seemingly to still be playing off of the global recession, Waledac offers you a way to make from $99 - $375 dollars a day on the internet! The emails arrive with subject lines such as:
"Be your own boss with Google", "Make thousands a month from home", or "Use Google to earn extra cash".
As the subject lines imply, somehow you're going to be using Google to make tons of money. The bodies of these emails go on to say: [image: email body, not reproduced here]
Once you click on the "Google Cash" link, you're taken to a CSS- and JavaScript-rich site where you are first to give up all of your usual and spammable information, including your telephone number, but hurry: according to the running timer at the top, you only have 14 minutes and only 56 spots left for this amazing opportunity!!
After they have your contact information, you're taken to a similar page where they ask for your credit card information, but don't worry, the graphic says that it's 100% secure, and there's even a little picture of a lock, so you know it has got to be safe, right?!
Luckily for AppRiver clients, we have proactively blocked all of these emails, but always be vigilant, and as French singer Amanda Lear said, never trust a pretty face. Or is that a flashy web page with too-good-to-be-true promises? Still, I think the point's the same.