Security

Peter Coogan at Symantec put up a very interesting blog post yesterday about a crimeware kit called SpyEye v1.0.7 (on sale now on Russian sites — $500) that has a module that will kill a Zeus bot infection on a victim’s computer so the bot created by SpyEye can take it over. In September, Computer Weekly reported the Swedish telco Telia Sonera shut down the Internet connections of Latvian company Real Host after it was linked to the Zeus botnet. At the time, researchers said they believed Real Host’s servers had captured about 3.6 million PCs for the Zeus botnet. ...

At the BlackHat DC conference and SchmooCon, Nicolas Seriot, an independent researcher and Tyler Shields of Veracode have independently presented two very similar papers. The papers analyse weaknesses in security and application delivery models for iPhone and Blackberry and provide interesting read, especially if you are looking to write the next spyware application or a bot for one of the platforms. For me, the most interesting part of the papers is the one that shows that regardless of the implemented security mechanisms like data caging, providing applications with its own private storage, a third party application will be able to access a lot of potentially confidential data, like contact lists, sms and email storage and even the Blackberry’s microphone. ...

Clients of escorts and call girls are usually aware of the the risks presented from STIs. However, SophosLabs has been monitoring a different type of infection risk for clients of escorts in Indian cities. The Troj/JSRedir-AR infection has morphed slightly: If you look at the variable ‘o[e]‘ (two-thirds of the way down) you will see the beginnings of an obfuscated string ‘http://’. Previous versions of Troj/JSRedir-AK and Troj/JSRedir-AR have used non-alphanumeric characters to disguise the strings.

Security blogger Brian Krebs is reporting that some Windows XP users are reporting blue screen of death on reboot after installing Microsoft’s Tuesday patch KB977165 (MS010–15: “Vulnerabilities in Windows kernel could allow elevation of privilege.”) “Turns out, a non-trivial number of XP users are reporting that their systems suffer from the dreaded Blue Screen of Death (BSoD) and fall into an interminable reboot loop after installing the latest batch of patches from Redmond,” ...

SecurePcAv is a phony antivirus program that has been infecting PC’s across the interwebs in recent days. If your PC is infected with SecurePcAv you will most likely experience the following: Fake system scans that report numerous infections and refuses to remove the supposed infections until you buy the phony software. Alerts and warnings stating the PC is under attack or unprotected and recommends you buy the phony software. Other software will not work, when attempting to open programs a warning stating the program is infected appears and the software is closed. Web browser hijacking, redirecting the user to malicious websites or showing false security warnings on sites like Google.com.

The Zeus crimeware family has moved into new territory with its latest spam campaign – purporting to be a warning about targeted phishing attacks on “.gov” and “.mil” domains, by Zeus Trojans no less! In fact, one of the latest spam samples we’ve seen, duplicates the title and first three paragraphs of a blog entry by well-known security expert Brian Krebs, which discusses a previous iteration of this Zeus attack. As seen below, the spam sample starts off with the same three lines of the blog post, before starting into the phony KB content and links that lead to Zeus malware. ...

Paladin Antivirus is a phony security program, designed to rip people off. Paladin Antivirus tricks people into thinking they are downloading a legit antivirus software, then continually displays false security alerts and warnings followed up with a requests for users to buy or register the software. Once a computer becomes infected with Paladin Antivirus it will instantly begin a system scan and will report multiple infections. Paladin Antivirus will refuse to remove any of these supposed infections until the user buys or “registers” the software. Do not fall for this scam. ...

It has been barely two days since Google announced their new social integration and messaging tool called Google Buzz. Today we saw the first example of malware, W32/Zuggie-A, pretending to be Google Buzz. Analysis of W32/Zuggie-A gives the impression of a hastily assembled worm, really a modification of the W32/SillyFDC family of worms but with a twist. When W32/Zuggie-A is installed, it creates the following files: Program Files\Mozilla Firefox\extensions{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul Program Files\Mozilla Firefox\extensions{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest Program Files\Mozilla Firefox\extensions{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf System\googlebuzz.exe – copy of W32/Zuggie-A System\GoogleUpte.exe – copy of W32/Zuggie-A W32/Zuggie-A modifies the registry to autostart GoogleUpte.exe and googlebuzz.exe. A quick search shows that the CLSID: 9CE11043-9A15-4207-A565-0C94C42D590D has previously been seen in multiple worms. This supports my theory that this is a hastily assembled worm built from recycled malware. I fired up a copy of Firefox on the infected machine and, as determined from analysis, found an installed Firefox extension called Firefox security 2.0 – Internal security options editor under the extensions tab of Firefox Add-ons. This “security extension” has added a JavaScript (timer.xul), which is triggered when the browser queries: yahoo.com, bing.com, google.com, aol.com/aol/search, ask.com and executes JavaScript hosted on: searchrequest1 . com / request . php ? aid = blackout which will silently click all Google or Yahoo Ads. displayed on the search results page (hey why not make a few bucks while infecting eh?). Google Buzz is new and is garnering quite a bit of interest and adoption among Internet users including myself. Clearly the malware authors view Google Buzz as the fresh big lucrative social fruit to exploit much like they have done with Facebook, MySpace, Hi5 and others. So in the coming weeks and months I predict we will see a host of new malware exploiting or attempting to exploit Google Buzz as the malware authors figure out its internals. This may have only been an exploratory attempt or a quick response to the latest craze – only time will tell.

Several reports have been published detailing a Blackberry proof of concept (PoC) exploit called txsBBSpy that was recently presented at a security conference. Although it may not have been the aim of the original presenter, some reports have framed the PoC as being able to exploit so-called vulnerabilities that the writers believe to be present in the Blackberry platform. The “vulnerabilities” involve secretly forwarding incoming emails, locating devices by way of their GPS capabilities, eavesdropping on conversations by surreptitiously turning on microphones, and other such nefarious behavior. ...

Bruce Schneier, in his blog Schneier on Security http://www.schneier.com/ drew attention to this great interview with an ex-Nigerian-419 scammer on the Scam-Detective site. It’s a fairly long piece and gives a pretty good view of the Nigerian scam industry run by organized crime, how it sucks in young people who have good computer and English skills and pays them a huge amount of money ($75,000 per year in this case) to scam victims they view as white, greedy and rich. ...