Information Security Newsletter

Bulletins posted 3/5/2009

Mozilla Releases Firefox, Thunderbird, SeaMonkey Updates
Mozilla has released a new version of Firefox (3.0.7) to address multiple vulnerabilities in the Firefox, Thunderbird and SeaMonkey products. These vulnerabilities could lead to the complete compromise of affected systems.

If you are using any of these products, we strongly recommend updating as soon as possible.

Social Networking Sites Warning of New Attack
A warning has been issued for users of Facebook, MySpace, and other social networking sites about a new strain of the Koobface worm.

Security experts say the latest version arrives as an invitation from a user’s friend or contact, inviting them to click on a link, view a video at a fake YouTube site and install an Adobe Flash plug-in. Instead, the worm installs a Trojan horse program that gives the attacker control of the infected user’s computer.

Trend Micro, which documented the new strain, recommends using caution when clicking on links in unsolicited messages, even if they appear to come from someone a user knows.

Bulletins posted 3/3/2009

Seattle City Light Warns of New Bill Collection Scam
Seattle City Light is urging its customers to be on guard against telephone con artists posing as utility bill collectors who appear to be targeting customers with Asian surnames.

In the past few days, several customers have reported phone calls from con artists claiming to be City Light employees.

In the scam, the callers claimed there were problems with payment of the customers’ bills and demanded immediate credit card payments to resolve the matter. The con artists appear to be targeting customers with Asian-sounding surnames. This is similar to incidents reported to City Light over the past several years.

“It is unfortunate in these challenging economic times that some people try to take advantage of others with such scams,” Customer Service Director Kelly Enright said. “Seattle City Light wants to help its customers protect themselves and the best way to do that is to be informed.”

“If someone asks for your credit card number over the phone, don’t give it to them,” Enright said. “We do not call our customers demanding immediate payment to avoid a shutoff for one late payment.”

If a customer is behind on his or her bill and at risk of having the power turned off, City Light sends at least two written warnings asking the customer to contact the utility directly to make a payment.

City Light also would like to remind customers:

  • Seattle City Light never asks customers over the telephone for credit card information to pay their bills.
  • Seattle City Light does not call customers on weekends.
  • Seattle City Light employees carry identification with the City Light logo and will always display it when asked.
All City Light customers are advised to take down the name and telephone number of anyone who calls and represents themselves as a City Light employee. Also, before customers provide any credit information, they should call City Light at 684-3000 to verify that the request is legitimate. If a customer believes he or she has been contacted by a con artist, they are urged to contact the Seattle Police Department at (206) 625-5011 to report the incident.

Opera Releases New Browser Version 9.64
Opera Software has released Opera 9.64 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or conduct cross-domain scripting attacks.

Opera is a good Internet browser and an alternative to Internet Explorer.

If you are using the Opera browser, you should immediately update to version 9.64.

Users Increasingly Falling Victim to Malware Distributed on Digg, YouTube
Infections by the adware called "VideoPlay," which has been spreading through malicious posts and comments on Digg and YouTube, increased 400 percent from January to February, according to Panda Security.

Attackers have been posting comments on news stories and videos posted to the social networking sites Digg.com and YouTube.com, claiming users will be able to see videos of celebrities – some of which claim to be pornographic – by clicking a link that is provided, Sean-Paul Correll, threat researcher and security evangelist for Panda Security, told SCMagazineUS.com in an email Tuesday. But when a user follows the link, they are redirected to a page where they are prompted to download a codec to view the video. The download is the VideoPlay adware – a worm that aims to steal email login credentials and other information stored in a user's browser and then propagate itself further through removable drives.

The file spreads by making copies of itself on removable drives and creating an autorun.inf file that runs when the drives are accessed. Once a user is infected, the file collects data stored in browsers, including cookies, passwords, profiles and email accounts, and sends the information to a remote address.
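The following Python script is added here as an illustration of the removable-drive mechanism described above; it is not part of the original bulletin or of Panda Security's analysis. It parses an autorun.inf file and lists the directives that would launch a program when the drive is opened, so an analyst can triage a suspect USB stick without double-clicking anything. The sample file contents and the file name `hidden\video_codec.exe` are constructed for the example.

```python
import re
from pathlib import Path

# Constructed sample autorun.inf (not a captured artifact). It mirrors the
# pattern the bulletin describes: a file at the root of a removable drive
# whose directives start a copied executable when the drive is accessed.
SAMPLE_AUTORUN = """\
[autorun]
; constructed sample for illustration only
icon=%SystemRoot%\\system32\\shell32.dll,4
open=hidden\\video_codec.exe
shell\\open\\command=hidden\\video_codec.exe
shell\\explore\\command=hidden\\video_codec.exe
shellexecute=hidden\\video_codec.exe
label=My Files
"""

# Directives that cause a program to run. 'shell\<verb>\command' covers the
# Explorer context-menu verbs (open, explore, ...) that get hijacked.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
EXEC_EXT_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js|wsf|hta)\b", re.I)


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lower-cased."""
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries


def launch_directives(text):
    """Return the directives that would execute a program on drive access."""
    return [(k, v) for k, v in parse_autorun(text)
            if LAUNCH_KEY_RE.match(k) and EXEC_EXT_RE.search(v)]


def scan_drive_root(root):
    """Return launch directives from <root>/autorun.inf, or [] if none exists."""
    path = Path(root) / "autorun.inf"
    if not path.is_file():
        return []
    return launch_directives(path.read_text(errors="replace"))


if __name__ == "__main__":
    for key, value in launch_directives(SAMPLE_AUTORUN):
        print(f"would run on access: {key} = {value}")
```

Point `scan_drive_root()` at the mounted drive letter or mount point of a suspect stick; a benign autorun.inf that only sets `icon` and `label` produces an empty list.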

Some of the fake story titles and comments include: “Jessica Simpson Hotel Sex Tape,” “Megan Fox naked,” and “Christian Bale freak out dubbed with video!”

As we have reported recently, the attackers have also been using purposely registered fake accounts and compromised legitimate accounts to post fake stories on Digg with alluring titles, which, when clicked on, lead to the malware-laden sites. These accounts also post large numbers of comments containing malware-serving links on both legitimate and fake stories on Digg.

As with all new Web 2.0 technology, Digg and YouTube are now targets; be aware of this and be careful with them.

Bulletins posted 3/2/2009

AVG Free Antivirus 7.5 Support Ends
The official End of Support date for the free version of AVG Antivirus 7.5 was February 28, 2009. You will need to upgrade to AVG Free version 8 to continue using their free version.

AVG makes a good free antivirus that the City's Office of Information Security recommends.

If you are using AVG Free, you should immediately update to the latest version.

Facebook Hit by New Terms of Service Scam
Facebook has suffered its second malware attack in a week, after it emerged that a rogue application had been posting notifications to user profiles containing malicious links.

As some of you may know, there was quite a storm of protest last week when Facebook tried to change its terms of service. They ended up backing off and deciding that they would use the old terms of service until they could resolve everyone's concerns.

This scam took advantage of the publicity surrounding the proposed new terms and conditions for the popular social networking site.

The message read: "[Friend's name] has just reported you to Facebook for violating our Terms of Service. This is your official warning! Click here to find out why you were reported! Request Facebook look at what has happened and rule immediately."

Users following the link had an application called 'facebook - - closing down!!!' installed on their PCs. This then spammed all of the affected user's 'friends' with the same message, potentially collecting personal information as it went.

Facebook and other social networking sites are becoming the latest attack ground for the bad guys. Be very suspicious of messages you receive, even if they are from someone you know.

Spoofed Delta Airlines Emails Contain Trojan
Emails spoofed to look like they are coming from Delta Airlines to confirm a ticket purchase are attempting to infect users with a trojan, according to a Belgium-based security firm.

The fake emails instead contain a ZIP attachment which, if opened, installs a data-stealing trojan, Peter Louies, manager at email security vendor MX Lab, told SCMagazineUS.com Friday.

"These emails did not originate with Delta, nor do we believe that any personal information that our customers provided to us was used to generate these emails," an advisory from Delta says.

We have seen this tactic before. If you receive an invoice or purchase confirmation for something you didn't buy, just delete it.

Bulletins posted 2/27/2009

Crooks Use Google Trends Tactics to Poison Google Search Results
Many of the 100 most popular Google search terms now yield a malicious site serving fake anti-virus software, Craig Schmugar, threat research manager for McAfee Avert Labs, told SCMagazineUS.com Thursday.

Attackers choose a popular search term according to Google Trends -- which is regularly updated with the top 100 most searched items -- and then find a website that already is highly ranked for that particular term. Then, the crooks build a malicious site that contains the same content as the legitimate site, enabling these malicious creations to rise to the top of the search rankings.

Recently, results were poisoned for popular searches such as Ash Wednesday, Obama's address to Congress and the Gmail outage. The malicious links deliver users to a website where they are served a trojan called FakeAlert. The site pretends to scan a user's system, then pop-up messages tell the user he or she has been infected and should download software -- for a fee -- to have those threats removed.

“I do not recall previous attacks being as aggressive as the current ones, being distributed across numerous sites, targeting many high-profile search terms, and having the poisoned links regularly appearing high up in the result pages,” Schmugar wrote on a McAfee Avert Labs blog post Thursday.

Schmugar started noticing this last week and said it seems to be as effective or getting stronger since then. By poisoning the most popular search terms, attackers are able to reach a broad audience, and the tactic is effective because users often trust top-rated search results, Schmugar said.

Typically, attackers use botnets they control to inject links to their malicious webpages into millions of sites that have a high reputation, thus bringing up the malicious pages in Google's search rankings, Stephan Chenette, manager of security research at Websense Security Labs, told SCMagazineUS.com Wednesday.

“Hackers are very well aware of how to control search engine rankings and have been doing this for a few years,” Chenette said.

There are several things you can do to protect yourself from these types of poisoned websites. First, make sure your antivirus protection and operating system are up to date. Second, there are several good web site rating products on the market, such as Norton Safe Web, McAfee SiteAdvisor and WOT (Web of Trust), which relies on user feedback to develop reputation ratings for web sites; these will warn you if you visit a known bad web site.

Bulletins posted 2/26/2009

Phishing Attack on Multiple Instant Messaging Platforms
Users of several different Internet chat services have been hit by a major phishing attack aimed at stealing account log-in details, security researchers have warned.

The unsolicited instant messages urge users to click on a TinyURL link to watch a video, but the link takes them to a site called ViddyHo which asks them to fill in user names and passwords. The phishers can then use these details to hack into user accounts and send more malicious links.

Much of the focus around this attack has been on risks to Gmail account holders, in response to the Google Mail outage on February 24. However, phishers are also targeting users of instant messaging systems from Yahoo, Microsoft and MySpace.

"This is, of course, a classic attempt to phish credentials from the unwary," wrote the Sophos senior technology consultant in a blog posting. "The hackers behind ViddyHo could use the credentials they have stolen via their site to break into accounts, grab identity information and impact your wallet." Users are also more likely to fall for this attack because the link comes from a trusted source, according to a solutions architect at security vendor Trend Micro.

If you use any of these chat services we advise that you do not follow any links sent to you, even though they may seem to be coming from someone you know and trust.

If you do have a link sent to you, contact that person by phone and ask if they actually sent it. If they didn't you can let them know that their credentials have been stolen and they need to contact the chat provider's support staff to have their password reset.

eWeek Ads Infect Users
eWeek, a leading computer and security news site, became the latest victim of an Adobe exploit earlier this month. Other sites owned by Ziff Davis Media, which owns eWeek, were also affected.

The Ziff Davis sites hosted an ad which, while looking legitimate, redirected users through a series of iframes to a pornographic Web site. And that was not the end of the shenanigans, either. The site then tried to download an Adobe PDF containing a known exploit, 'bloodhound.exploit.213.'

A patch had previously been released for the vulnerability, which affects Adobe Acrobat and Reader versions 8.12 and earlier, but many users still have yet to receive or apply it.

Once the exploit gains access to the system, it installs a file named "winratit.exe" in the user's temporary files folder and two other files, according to security researchers at Websense. The files are activated when users are browsing the Internet and they try to get users to buy fake antivirus software by redirecting them to phony sites.

Websense describes the fake software: "The name of the rogue AV application is Anti-Virus-1. If the user chooses to register the rogue AV, a connection is made to hxxp://[removed]-site.info/, which has been set up to collect payment details." The offending ads have been removed from the system.

This is the same fake antivirus scam that we reported on earlier this week, and which we are hearing is a growing problem.

If you accessed any of the Ziff Davis web sites in the last few weeks, you should ensure your antivirus signatures and your Adobe PDF application are both up to date and do a complete scan of your computer. Of course, we know that you didn't fall for the fake antivirus scam... did you!?

Bulletins posted 2/24/2009

New Excel Zero-day Exploit In the Wild
Microsoft is investigating new public reports of a vulnerability in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. At this time, Microsoft is aware only of limited and targeted attacks that attempt to use this vulnerability.

This exploit could become more of a problem very quickly. So until Microsoft comes out with a patch, we recommend not opening any Excel file attachments unless you can verify their authenticity with the person who sent them.

Scam Antivirus App Spreads Malware
We've seen this scam before, but this is a new version with a new twist in that it creates and points you to positive reviews of itself! It has already caught some City users, so here's another reminder.

Web users have been warned about a new scam that posts fake product reviews in a bid to encourage people to buy a rogue security application called Anti-virus-1. The app is one of a number of bogus security products which promise to provide protection against the latest online threats, but instead have been designed to spread malware or hold users’ PCs to ransom.

But if a user researches Anti-virus-1 on the Internet, it is possible the user will find a number of glowing reviews, because the tool is posting fake articles online which appear to be endorsed by a number of the Web’s top tech sites, including PC Advisor.

In reality, the likelihood of an individual coming across an Anti-virus-1 review is slim (unless you've already been infected). According to the owner of technology site BleepingComputer.com, fake reviews will only be seen by those who install the rogue security app. He said that when he installed Anti-virus-1, which also goes by the name Antivirus2010, it added a series of entries into the Windows hosts file which direct users to what appear to be the Web sites of a number of U.K. and U.S. tech sites. That means those with Anti-virus-1 running on their PC may be directed to bogus reviews.

The software has never been tested by PC Advisor, and the fake review is not hosted on the PC Advisor site. Other sites apparently targeted by the scam include PC Magazine and TechRadar.
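The Python script below is added here as an illustration of how to check for the hosts-file tampering described above; it is not part of the original bulletin or of any vendor's tool. It parses a hosts file and flags well-known domains that have been pinned to anything other than a loopback or unspecified address, which is the signature of a redirect rather than a block. The watch-list, the sample file contents and the default Windows hosts path are assumptions made for the example.

```python
import ipaddress
from pathlib import Path

# Constructed sample hosts file (not a captured artifact). The last two lines
# imitate the kind of entry the bulletin describes: tech-news hostnames pinned
# to an attacker-controlled address so the browser lands on a bogus review.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.pcadvisor.co.uk      # constructed entry
192.0.2.10      pcmag.com www.pcmag.com  # constructed entry
"""

# Assumed watch-list: domains that should never be pinned in a hosts file.
# Extend it with the vendor, bank and news domains relevant to your users.
WATCHED_DOMAINS = ("pcadvisor.co.uk", "pcmag.com", "techradar.com")

WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"  # default location


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a usable mapping
        for host in fields[1:]:
            yield ip, host.lower()


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip) for watched domains mapped off the local host."""
    hits = []
    for ip, host in parse_hosts(text):
        # 127.0.0.1, ::1 and 0.0.0.0 block a site rather than redirect it;
        # that is a common benign use, so only other addresses are flagged.
        if ip.is_loopback or ip.is_unspecified:
            continue
        if any(host == d or host.endswith("." + d) for d in watched):
            hits.append((host, str(ip)))
    return hits


def check_hosts_file(path=WINDOWS_HOSTS):
    """Audit a hosts file on disk; returns [] if the file does not exist."""
    path = Path(path)
    if not path.is_file():
        return []
    return suspicious_entries(path.read_text(errors="replace"))
```

On a Windows machine `check_hosts_file()` audits the live file; any hit means the named site has been silently redirected and the machine should be treated as infected.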

These types of scams are popular for the simple reason that they work. By using your natural fear of malware (which we have to take some responsibility for encouraging), the bad guys convince folks to install their malware! Ironic, eh?

You should never install any type of application from the Internet unless you are absolutely sure that it comes from a reputable source. Applications that pop up on a web site or arrive in an email are inherently disreputable, so don't be fooled.

Waledac Trojan Uses New Couponizer Theme
We're getting reports that the purveyors of the Waledac Trojan are trying a new tactic: offering coupons on a poisoned web page.

The web pages have various titles, but one we've seen is called 'the Couponizer - Max Your Savings!' It offers 'Exclusive sale coupons and deals at over 100,000 stores' and all you have to do is click anywhere on the website and you are prompted to download an executable to get your coupons. Guess what happens if you do!

This is another example of the bad guys taking advantage of the current economics to lure unsuspecting and struggling victims. It is disgusting but we can expect to see more of it. Be careful and warn your vulnerable friends and family.

----------------------------------------
Last Updated: March 5, 2009
Website Contact: David Matthews

