Tuesday, September 29, 2009

Fake Microsoft Updates

A technique I see every now and again is the fake Microsoft update. These use a social engineering angle that seems to work better than most, simply because people feel they are being proactive and safe when they install updates. That is true, but what happens when you get an unexpected update from someone like Microsoft? That can turn into another matter entirely. Oftentimes malware authors will watch for recent patches from companies such as Microsoft and rush out an exploit hoping to catch late patchers; other times they will find their own vulnerability before the official disclosure. Regardless, users need a trained eye and a little common sense to avoid these attacks.

If you are a Windows user, it is always a good idea to have Automatic Updates turned on, which is the default setting. This way, Windows will push down and install updates as they become available using its BITS interface, the Background Intelligent Transfer Service. You then don't have to worry about it as much, and you would know immediately upon receipt of an executable from "Microsoft" that it is a scam. Besides that, when you download any sort of update from Microsoft's download center, you will notice that the file format is an .msi, not an .exe.

The fake updates came to inboxes with several different subject lines, including: "Important Security Update for Windows", "Get the latest updates available for your computer's operating system from Microsoft", "Get Microsoft Windows XP for your PC", and so on.

From Africa With Love

Over the past few days we have been seeing an increase in 419 scam letters. These are historically known to be sent largely from Nigeria, but lately South Africa has been the most popular point of origin. I know it is hard to believe that anyone would still fall for a scam like this, but believe it or not, they still do. The scam usually begins with a letter or e-mail seemingly sent to a selected recipient but actually sent to thousands, making an offer that would result in a large payoff for you (the victim). The e-mail's subject line often says something like "I require your assistance" or "Claim Your Winnings!!". The details vary, but the usual story is that a person, often a government or bank employee, knows of a large amount of unclaimed money or gold which he cannot access directly, usually because he has no right to it. Other popular variations are the UK lottery winnings that you need only claim, or the millions of dollars that have been bequeathed to you. During the course of the scam the scammer will ask you to provide your bank account information, and this will lead to them requesting that you send a wire transfer (which is conveniently untraceable) to the scammer. There is literally no limit to the number of unique reasons the scammer will give to justify you handing your money over to them; these guys are quite imaginative when they see dollar signs. Most of these have come in attachments lately: two were in PDF format and the other was an RTF.


Here are some of the letters we have quarantined in the past few days:
I decided that it was high time for me to speak to one of these individuals on the telephone, so I called Mr. Dada Williams, who was alleging to work with the Department of Minerals & Energy, South Africa. He answered the phone and I instantly knew that he was operating out of some type of call center (there was tons of background noise from other conversations and the sound of typing). He was very polite and professional. He instructed me to send him my personal information, consisting of full name, address, telephone number, occupation and age. He said he wanted to make sure that I would be a trustworthy candidate for this transaction. Next he asked if I would be able to come to South Africa; of course I can, I told him. He said that would be excellent and that this should take no longer than three days (a good thing, because I have a four-day rule on transactions that would net me less than 5 million dollars). Once I got there I would be meeting with the Bank Director and his lawyers to go over some documents. I told him to be expecting my information and I left it at that. If you are reading this story I am sure that you are aware of these scams and are not at risk, but remember there are thousands of people who will fall, or have fallen, for them. Just remember: "There's no such thing as a free lunch".

Friday, September 25, 2009

Bounty Offered for Every Mac Infected

Sophos researcher Dmitry Samosseiko recently presented some interesting news in the world of malware at the 2009 VB Conference in Geneva. As Ryan Naraine reports in his blog Zero Day, Dmitry led conference attendees on a journey into the world of the Partnerka, a Russian network of spam and malware affiliates. The network is made up of thousands of "webmasters" who work to constantly drive web traffic to one another's sites, where they sell fake watches and fake pills. He pointed out the shift in focus from the PC to the ever-growing popularity of the Mac world: through a site called Mac-codec.com, the Partnerka was offering $0.43 for every Mac infected. The group even offered tools on the site to help, tools such as (as the name would imply) fake video codecs and fake security software.
This certainly reflects Apple's growth in market share. Soon even the most naive of Mac users will realize that there was a reason why the new Snow Leopard OS shipped with Apple's new AV engine. Also, I've said it before, I'm not a Mac hater, more of a Mac FanBoy/Girl disliker. I would certainly own a Mac if I could afford one. I am currently accepting donations.

Thursday, September 24, 2009

More Trouble in Twitter-town

Becoming popular makes you a big target, as Twitter has certainly found out first hand. They may have been dealing with many more issues than a lot of the previous big dogs had to, simply because the start-up was so small and the holes were many. Twitter has grown exponentially recently, and its security infrastructure has grown up a lot too; necessity is the mother...
Unfortunately for them, and for those who use Twitter, there are still issues that come up, and the latest is a new phishing scheme that poses as an actual friend/follower/followee. This technique is no different from similar campaigns that have been seen attempting to socially engineer MySpace and Facebook users out of their log-in credentials. I'd imagine it started with a single account, branched out to the friends of the compromised account, then on to friends of friends, and on and on until here we are, talking about it.
This phishing attack arrives as a direct message to your Twitter account from someone you know (whose account has recently been hijacked). The message itself says "ROFL Is this you on here?" with a link to a supposed video. The link takes the victim to a false log-in screen where the log-in credentials are stolen. Any user who is on their toes will realize that they were already logged in and that this is kinda phishy (pun intended; re: fail whale).

Monday, September 21, 2009

And the Hackers Get Hacked

Recently a hacker site that I monitor had the tables turned on it. This site contains phishing kits and techniques, exploits and tools, mischievous (at best) tutorials, and even forums where users can brag about their recent defacements and conquests. Well, over the past week the site has been mostly unreachable, thanks to someone who obviously doesn't believe in what's going on over there. This user, who calls themselves "Catch Them If You Can", set out to dole out a little vigilante justice to these practicing cybercriminals by not only launching a DDoS attack against the site, but also hacking into the site's database to obtain the site's user list, email addresses and passwords, which they passed on to Insecure.org's Full Disclosure list with the quote:
"As you may know these are mostly based in Pakistan involved in illegal activities which include carding, hacking, cracking etc.

I am including this list of their users for law enforcement agencies to investigate and take action where necessary. Currently their site is hosted in pacificrack.com's server.

WAR Against Cyber Crime
Catch Them If you can."

On the website, one of the moderators posted a brief explanation of why the site had been down; I found this little exchange quite humorous.

The admin was obviously trying to avoid mentioning anything about the user list being obtained until Codeslayer1 pointed it out to him, at which point Zombie_KsA immediately placed blame and banned the user. Good stuff; he also calls these people n00bs, which is kinda funny as they were the ones that were pwned in this case. It's also kind of funny to think that Catch Them If You Can may even have been coached by tutorials on their site; some are pretty detailed.

As is the case with most of these sites, the "tools" are often trojans themselves, and the user base is probably 5% security professionals monitoring these guys and 95% criminals. It's not a good place to hang out. Luckily the lifespan of many of these sites is usually short, and incidents like these will often force the users to evacuate, and the admins to pack up shop and wait for things to cool down.

Tuesday, September 15, 2009

Kanye: Stealing the Microphone and Your PC

The last couple of days have yielded a strong surge in news headlines being used to serve scareware. We first noticed this resurgence with headlines about the anniversary of the 9/11 attacks; next was the Serena Williams meltdown. Today there was a whole new slew of pages serving malware while purporting to be legitimate news stories: this morning it was Patrick Swayze's death, and this afternoon I came across "Kanye West VMA 2009" as the most recent target of poisoned search engine results serving up malware/scareware.

In many of these instances the attackers are simply hacking sites that already rank highly in Google's index for a particular search term. The attackers then insert malicious scripts that redirect visitors to the scareware payload sites, so when an unsuspecting person uses a search engine to find related stories, some of the results contain these "poisoned" links. This technique is at times used in tandem with a more intricate approach: instead of hacking a legitimate domain, the attacker creates their own, then employs shady SEO practices to boost that domain high in the search rankings, leading the unsuspecting user to click through to the malicious site.

By the time I had returned to the latest page serving the "Kanye West" scareware, it had already been labeled by Google as malicious and was being blocked. Google was identifying the following domains as being used to distribute the malware on this site: getfreediscounts.com, usdisturbed.cn, try-your-destiny.com. Google issued a statement on Monday stating: "Using any Google product to serve or host malware is a violation of our product policies. In all cases, we actively work to detect and remove sites that serve malware from our search index and our ad network, and we immediately suspend accounts found to contain ads pointing to sites that install malware. To do this, we have manual and automated processes in place to enforce our policies."

Search result poisoning and SEO manipulation for serving malware is nothing new, but it is seldom seen with such frequency. This just goes to show that when browsing the web nowadays one must exercise more caution than ever. It would also be a good idea to use some sort of URL filtering to keep you protected from these zero-day attacks.

Wednesday, September 9, 2009

Notice of UnderReported Scareware

Once again this morning we began seeing emails pretending to be from the IRS. The most common spoofing of the IRS comes in the form of phishing, sometimes with a little malware to steal your banking credentials peppered in. This one is a little different in both its approach and its goal, well, somewhat.
Today's arrives as an email supposedly from the Internal Revenue Service with the subject line "Notice of Underreported Income". Inside the email is some random information and a line that reads "Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):". The link this line refers to is somewhat customized, in that it incorporates the recipient's name as well as a fictitious taxpayer ID number. Once clicked, the link takes you to a website made up to look like the IRS site, with the same random info the email had, plus the lines "Filing and paying your federal taxes correctly and on time is an important part of living and working in the United States. Please review (download and execute) your tax statement." Execute my tax statement?! That doesn't even make sense! Regardless, there is the link to download another quasi-customized-looking executable file.

The file obviously doesn't answer any new tax questions you may have; instead it infects your computer with scareware. I'm sure you're all familiar with scareware: once your computer is infected, you begin to receive pop-up windows alerting you to the fact that your computer is indeed infected, and the only way to clean it up is to purchase their advertised anti-virus tool. These often come with animated windows showing a fake scan taking place with many infections found. The price for these fake AV products is usually around $50, and in addition to grabbing a quick $50 from you, they now also have your credit card info. But there is a bright side! The pop-ups will usually stop, at least for a day or two, before the whole process starts over.

You Got Your 419 in My PDF

Today we've been seeing another "creative" way that some miscreants in South Africa are using to deliver their 419 scams. As the title of this post suggests, they're arriving in PDF documents attached to email. Normally these arrive as simple emails, but more and more often now we are seeing the authors of these scams try different ways to hide their intent from email filters. The email arrives with only a few simple words, such as "Urgent, please read the attached". In my opinion this attachment style of delivery will raise more red flags with recipients than the old techniques, as more and more everyday computer users are beginning to associate attachments with viruses; not nearly enough of them, but still more.
Please avoid these emails and help stop funding these criminals.

Tuesday, September 1, 2009

IRC on the Outs for Botnet Command and Control

Internet Relay Chat, or IRC, used to be the command and control choice for botherders worldwide: a simple private chat room of sorts that resided in cyberspace among a series of interconnected, often private, servers running IRC server software. IRC pretty much evolved from the BBS format, which lived on dial-up home systems where people would call up and exchange files, play extreme text adventures, and, if they were lucky enough to be online at the same time as someone else, and if the SysAdmin was lucky enough to have more than one phone line connected to his board, the two or more signed-on users could chat.
Once computers and networks began to maintain constant connectivity to the internet, IRC channels took off as a standalone chat/texting community. As AOL and other major players jumped in with their own online communities complete with chat, the IRC channels became more of an underground hotspot, a nice place to hide from all of the noobs who were now invading the interwebs. IRC also became a hidden place where warez trading and other nefarious activities bloomed. These activities included the trading of personal information, warez and malware, and the purchase and sale of botnets. Not only were botnets available for purchase or rent, the command and control for these botnets happened right through one of these private IRC chat rooms. Once a PC was infected and became a bot, it would sign in to one of these IRC chat rooms and await its botherder's commands, issued as simple text. Once a command the bot recognized was received, it would go off and do its thing. Oftentimes these bots were found in public rooms as well, but only the proper commands could get reactions out of them.
This technique of using IRC was very strong for many many years, but it appears to be on its way out as newer techniques and technologies take its place.
One major flaw that led to this is the fact that IRC communications by default occur on ports 6666 or 6667. If a bot was on a network with a firewall, or with a SysAdmin who was paying attention, they could simply cut off or filter any traffic to and from those ports, as well as figure out exactly which machine was infected and clean it.
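As an added illustration of the port-based spotting described above (example code written for this post, not from the original; the log format, hosts and ports in the sample are constructed), this script tallies which internal hosts keep reconnecting to the default IRC ports and, since a bot can be pointed at any port, also checks a captured first line of a connection for IRC protocol verbs:

```python
import re
from collections import Counter, defaultdict

# Default IRC ports named above. Many IRC daemons also listen on 6660-6669
# and 7000, so the set is a parameter rather than a fixed constant.
IRC_PORTS = {6666, 6667}

# Constructed firewall connection records (not from a real network).
SAMPLE_LOG = """\
Sep 01 09:12:03 fw: ACCEPT src=10.0.0.17 dst=203.0.113.9 proto=TCP dport=6667
Sep 01 09:12:05 fw: ACCEPT src=10.0.0.23 dst=198.51.100.40 proto=TCP dport=80
Sep 01 09:13:41 fw: ACCEPT src=10.0.0.17 dst=203.0.113.9 proto=TCP dport=6667
Sep 01 09:15:00 fw: ACCEPT src=10.0.0.42 dst=203.0.113.77 proto=TCP dport=6666
Sep 01 09:15:09 fw: ACCEPT src=10.0.0.23 dst=198.51.100.40 proto=TCP dport=443
Sep 01 09:20:30 fw: ACCEPT src=10.0.0.17 dst=203.0.113.9 proto=TCP dport=6667
"""

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=TCP dport=(?P<dport>\d+)")

# Client-side IRC commands a bot sends as soon as it connects and joins its
# channel; spotting these in a payload catches IRC on a non-default port.
IRC_VERB_RE = re.compile(r"^(PASS|NICK|USER|JOIN|PRIVMSG|PONG) ", re.IGNORECASE)

def irc_talkers(log_text, ports=IRC_PORTS):
    """Return {src: {dst: connection_count}} for every connection to an IRC
    port. A host that repeatedly reconnects to one server is the tell-tale
    'bot sitting in its channel' pattern worth investigating."""
    seen = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dport")) not in ports:
            continue
        seen[m.group("src")][m.group("dst")] += 1
    return {src: dict(dsts) for src, dsts in seen.items()}

def looks_like_irc(first_line):
    """True if the first line a client sent reads like an IRC handshake."""
    return IRC_VERB_RE.match(first_line.lstrip()) is not None

if __name__ == "__main__":
    for src, dsts in irc_talkers(SAMPLE_LOG).items():
        for dst, n in dsts.items():
            print(f"{src} -> {dst}: {n} IRC connection(s)")
```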
The botherders have realized the limitations they now face with IRC, and have developed many new custom protocols for communicating with their zombie armies. One that was originally developed for file sharing (Napster) became very popular in the botnet community: peer-to-peer communication. Instead of having a single point of failure, such as a single command and control server or IRC channel, the bots could now communicate amongst themselves, sharing information across separate nodes. This technique for botnet communication was made infamous by the now-defunct Storm Worm, whose individual bots were given lists of IP addresses from which to obtain commands. If a particular node was down, the bot would simply try the next. This made it very resilient and difficult to stop, as there was no single source to shut down.
There are still several large botnets out there that use the P2P technique, but there is no form of communication between bots and botherders more popular today than HTTP. HTTP is the most prevalent of all traffic across the internet, and since it is such a common sight on every network, the C&C of these botnets stays hidden amongst all of the other HTTP requests. This makes the job of filtering out botnet commands from web page requests a very difficult task.
The latest buzz about botnet C&C came just recently, when a Brazilian botnet was found to be using the micro-blogging site Twitter to control its bots. The bots would simply subscribe to the RSS feed, a built-in feature of a Twitter account, and wait for the botherder to tweet commands. Simple and elegant. Once the account was found, it was pretty obvious the tweets were up to no good, as they were all Base64 encoded, obviously not random blurbs about the author's life. Once decoded, these commands contained a URL from which to download the latest payload, once again using HTTP traffic in a very creative way.
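The Base64-over-RSS scheme just described, as an added example (written for this post, not code from the original; the feed and its tweets are constructed samples): it walks an RSS feed, keeps only items whose text is strict Base64 decoding to printable ASCII, and reports those that yield a download URL, which is exactly how the rogue account gave itself away.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (not a real account): two ordinary tweets and two
# Base64-encoded "commands" of the kind described above.
SAMPLE_FEED = """<rss version="2.0"><channel><title>sample</title>
<item><title>coffee then code, normal tuesday</title></item>
<item><title>aHR0cDovL2V4YW1wbGUubmV0L2xvYWQvcDEuZXhl</title></item>
<item><title>lol nice</title></item>
<item><title>dXBkYXRlIGh0dHA6Ly9leGFtcGxlLm9yZy91L3AyLmJpbg==</title></item>
</channel></rss>"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def decode_b64_text(s):
    """Return the decoded text if s is strict Base64 that yields printable
    ASCII, else None. validate=True rejects stray characters (spaces,
    punctuation), so ordinary chatter is not mistaken for a command."""
    s = s.strip()
    if len(s) < 8 or len(s) % 4:
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")

def suspicious_items(feed_xml):
    """Return [(item_title, [urls...])] for feed items whose Base64-decoded
    text contains a URL, the pattern of the Twitter-driven bot above."""
    hits = []
    root = ET.fromstring(feed_xml)
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        decoded = decode_b64_text(title)
        if decoded is None:
            continue
        urls = URL_RE.findall(decoded)
        if urls:
            hits.append((title, urls))
    return hits

if __name__ == "__main__":
    for title, urls in suspicious_items(SAMPLE_FEED):
        print(f"{title[:20]}... -> {', '.join(urls)}")
```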
All of these techniques show an evolution which will continue among the attackers and the defenders out in cyberspace. We are sure to see many more inventive ideas being put to the test by botherders and malware authors for a good time to come. It's up to the people working on the side of the WhiteHats to continue to research, understand and anticipate the future of attacks.

photo courtesy secfront.com