Information Security Newsletter
Bulletins posted 4/10/2009
Coming soon to a phone near you? Scareware scammers adopt cold call tactics
Scareware scammers are phoning up prospective marks in an effort to frighten people into buying software that has little or no value or utility.
Rogue security (AKA scareware) packages are a growing problem. The number of such bogus packages in circulation rose from 2,850 in July to 9,287 in December 2008, tripling in number in the space of just six months, according to the latest figures from the Anti-Phishing Working Group. Earlier this week Microsoft said that its malicious software removal tool had picked up two rogue scareware packages, FakeXPA and FakeSecSen, on more than 1.5 million PCs in the second half of 2008 alone. Some of these instances were probably trial versions of the rogue anti-malware utilities, but their sheer number illustrates the potential value of the market.
The growing trade in scareware is partly being driven by the scamming of search engines to direct surfers to sites peddling scareware. Such fraudulent search engine optimisation techniques are often themed around breaking news events, such as the Conficker worm or the recent earthquake in Italy.
While the internet has been the traditional route to market for cybercrooks peddling scareware, some have begun using high-pressure telephone sales techniques. A reader of "The Register" reports that his mother got a cold call peddling scareware on Thursday. "My mum just had a call from someone claiming that there was something wrong with her computer. Luckily she was busy and called me," the reader wrote.
He was able to warn her that the call was a scam after searching for information on the net and finding an article by H-Security on the tactic, dating back to last month. H-Security reports that scammers phone up to warn victims that their PCs are infected and might become damaged beyond repair unless they purchase security software, which turns out to be of questionable utility.
Callers pretend to come from an outfit called supportonclick.com, according to one report.
Supportonclick.com is becoming notorious. A blog posting about Supportonclick by website developer Steven Burn reports that scammers occasionally pose as representing legitimate anti-malware publisher Malwarebytes. He lists a range of telephone numbers associated with the scam in locations including the US, UK, Canada and Australia. The Supportonclick.com domain is registered to Pecon Software Ltd in India.
We've seen a large increase in phone scams here in the City of Seattle offices lately and heard of many of them nationwide. We can expect to hear of this scam in our area soon as well. So, please do not be fooled by this or other similar scams and warn your vulnerable friends and relations.
Bulletins posted 4/9/2009
Fake 'Conficker Infection Alert' spam campaign circulating
Researchers at Marshal8e6’s TRACElabs have intercepted a spam campaign that’s issuing bogus “Conficker Infection Alerts” and redirecting users to rogue security software upon clicking on the links.
The event-based social engineering campaign is also impersonating various Microsoft security departments in order to improve its perceived truthfulness. This is the second attempt in recent weeks to hijack anticipated Internet traffic and alerts regarding the Conficker infection.
Typical messages include: Infection Alert; Conficker Infection Alert; Microsoft Alert; Security Breach, with the end user redirected to the following scareware domains upon clicking on the links: antivirus-av-ms-check .com; antivirus-av-ms-checker .com; ms-anti-vir-scan .com; mega-antiviral-ms .com.
These types of attacks, using current news items, popular celebrities, etc. continue to evolve and become more sophisticated.
Don't be fooled by these hoaxes and never agree to download software from the Internet that you haven't specifically and carefully selected yourself. If you find yourself redirected to one of these scareware sites, close down your browser immediately (including all the pop-ups and warnings that will come up when you try to shut it down).
Real Conficker News - On Wednesday it woke up and updated
The Conficker worm is finally active, updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.
CNET’s Elinor Mills reports that researchers are analyzing the code of the software that is being dropped onto infected computers and suspect that it is a keystroke logger or some other program designed to steal data from the machine.
According to a post on the TrendLabs Malware blog, the awakened worm tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity. It then deletes all traces of itself on the host machine, and is scheduled to shut down on May 3.
Researchers are carefully watching this newest development and we'll keep you posted as we hear more, especially if there is more you need to do to protect yourself.
Bulletins posted 4/7/2009
Trend Micro rushes to patch 0-day vulnerability
The development department at anti-virus vendor Trend Micro has recently been hard at work to plug a hole in its Internet Security 2008 and 2009 products after someone posted a proof-of-concept exploit for it.
On 30 March 2009, someone going by the handle of “b1@ckeYe” posted a proof-of-concept exploit code for a privilege escalation vulnerability, affecting TIS 2008 and 2009, both standard and professional editions, on the exploit-tracking Web site milw0rm.
If you use either of these Trend Micro products, watch for a patch and install it as soon as possible.
Multiple Vulnerabilities Found in VMware Products
Multiple vulnerabilities have been discovered in several VMware (virtual machine) products that could allow an attacker to gain unauthorized access or take complete control of a vulnerable system.
VMware is used to create and run multiple virtual operating systems on a computer. Depending on the privileges associated with the logged in user or specialized processes, an attacker could exploit these vulnerabilities to install programs; view, change, or delete data; create new accounts with full user rights; or communicate with other systems.
Unsuccessful exploitation attempts may cause a denial-of-service condition on all affected systems.
If you use any VMware products, we recommend you visit their website at vmware.com as soon as possible to find and install updates. Keep checking, as they will be posting new updates for all of the vulnerable applications over the next few days.
Bulletins posted 4/3/2009
New Malware Specifically Targets Firefox
Webroot has uncovered adware that targets the Firefox platform.
The malware resembles DNSChanger, a common DNS hijacking threat, but operates differently. Instead of modifying the registry to change DNS settings, the new variant drops a DLL into the C:\Program Files\Mozilla Firefox\components directory and therefore runs inside the browser.
This is not a vulnerability in Firefox in any sense; in order for this to happen the user has to run a malicious program as Administrator or some other privileged account. But it does show that some malware authors see enough potential in Firefox to write special malware for it. The use of a DLL does make the malware specific to Windows, although it may be possible to write versions for other platforms as well.
Like DNSChanger it intercepts certain operations, like search requests, and redirects them through a Ukrainian host previously used by DNSChanger.
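A quick triage check for the mechanism described above, added here as an example and not code from Webroot or the original bulletin: it lists every DLL in the Firefox components directory with its Authenticode signature status, last modification time and SHA-256 hash, and flags files that are unsigned or were changed recently. The install path is the one named above; the 30-day window is an assumption. Mozilla's own component DLLs may not all carry a signature, so treat an unsigned or recently modified file as something to compare against a known-clean installation (same Firefox version), not as proof of infection.

```powershell
# Added example (not from the bulletin): inventory DLLs in the Firefox
# components directory and flag the ones worth a closer look.
# Assumptions: default 32-bit install path from the bulletin, 30-day window.
param(
    [string]$ComponentsDir = 'C:\Program Files\Mozilla Firefox\components',
    [int]$RecentDays = 30
)

if (-not (Test-Path -LiteralPath $ComponentsDir)) {
    Write-Warning "Components directory not found: $ComponentsDir"
    return
}

$cutoff = (Get-Date).AddDays(-$RecentDays)

Get-ChildItem -LiteralPath $ComponentsDir -Filter *.dll -File | ForEach-Object {
    $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
    $flags = @()

    # Signature status other than 'Valid' (NotSigned, HashMismatch, ...) is a
    # triage signal, not a verdict; compare against a clean install.
    if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }

    # A DLL newer than the rest of the install was not put there by the
    # Firefox installer or updater at install time.
    if ($_.LastWriteTime -gt $cutoff) { $flags += 'recently-modified' }

    [pscustomobject]@{
        Name          = $_.Name
        LastWriteTime = $_.LastWriteTime
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        # Hash lets you diff this machine against a known-clean one.
        SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Flags         = ($flags -join ', ')
    }
} | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the suspect machine and on a clean machine with the same Firefox version; any DLL present only on the suspect machine, or with a differing hash, is the one to submit to your anti-malware vendor. Because the malware needs administrator rights to write into Program Files, finding such a file also means the account that ran the dropper was privileged, which is worth following up on its own.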
A second piece of Firefox adware came bundled with the installer for a 3rd party Firefox plugin called PlayMP3z. The terms of service agreement that everyone just clicks through explicitly permits the software. It's called Foxicle and it generates popup and popunder ads. Once again this isn't Firefox's fault; you chose to install it, you got what you asked for.
Ensure that your antivirus and anti-adware applications are up to date, and of course don't download software unless you can be sure it is safe. Also, take the time to look through those terms of service agreements before you just click through. There is a useful little program called EULAlyzer that will take a quick look at them for you and point out anything odd. We recommend it.
New Microsoft Vulnerability in PowerPoint
Microsoft is investigating new reports of a vulnerability in Microsoft Office PowerPoint that could allow remote code execution if a user opens a specially crafted PowerPoint file. At this time, they are aware only of limited and targeted attacks that attempt to use this vulnerability.
By convincing a user to open a specially crafted Office file, a remote attacker may be able to gain access to the affected system with the same rights as the user running PowerPoint.
Microsoft will probably patch this on the next patch Tuesday, so be sure your automatic update is on. In the meantime, be especially diligent about not opening any PowerPoint attachments unless you are positive they are legitimate.
Bulletins posted 3/31/2009
SPECIAL BULLETIN: Conficker-Downadup Worm Not an April Fools Joke
You may have heard that the Conficker worm (also known as Downadup) has infected hundreds of thousands of computers and is expected to start communicating with command and control tomorrow, April 1st. All of these infected computers have what is known as 'bot' malware installed on them, and security researchers expect them all to start phoning home for instructions on April 1st. This could have a huge impact on computer systems and networks worldwide.
On your home computers you can prepare by ensuring that your Windows operating system is patched with all the current patches, and that your antivirus is up to date and running. You should also run a complete scan of your computer tonight. If your computer does begin to show signs of problems tomorrow, you should unplug from the Internet immediately and do a deep scan of all your systems. If you believe you are infected and are not comfortable doing this yourself, we recommend contacting a service.
WARNING NOTE: We do not recommend searching for information on the Conficker/Downadup worm online, as we have reports of many poisoned searches. You are likely to pick up the virus by following a link that comes up from an Internet search.
New Zero Day Flaw in Adobe Reader and Acrobat
A zero-day flaw (a security vulnerability that is being attacked before a fix is available) exists in Adobe Reader and Acrobat, and can be exploited by a poisoned PDF file in an attempt to take over a vulnerable computer. Crooks have hit the flaw with small-scale attacks that e-mail PDF attachments to specific targets.
Adobe says a patch should be ready shortly for version 9 of both programs, with fixes for earlier versions to follow.
Watch for these updates to come out and apply them as soon as possible. In the meantime we recommend being particularly careful about opening up any Adobe pdf files in attachments or online.
New scheme purportedly announcing a Millionaire Contest on Oprah
We have a bulletin today from the IC3 - the FBI's Internet Crime Complaint Center about the circulation of a fraudulent e-mail, purportedly from the "The Oprah Winfrey Show", notifying recipients of their nomination for the "Oprah Millionaire Contest Show."
To participate, recipients are requested to mail their contact information such as full name, address, telephone number, and e-mail address. Verified contestants are then required to purchase airfare and a ticket to attend "The Oprah Winfrey Show," as well as complete a forthcoming contest form containing personal questions. The contestants are then promised a seat for "The Oprah Winfrey Show" in April and asked to provide their responses to the personal questions for a chance to win a million dollars.
The IC3 bulletin notes: "Consumers always need to be alert to unsolicited e-mails. Do not open unsolicited e-mails or click on any embedded links, as they may contain viruses or malware. Providing your personally identifiable information will compromise your identity!"
Firefox update to 3.0.8 available now
Mozilla Foundation issued an update to its Firefox browser over the weekend, blocking proof-of-concept code released last week that exploited an unresolved critical bug.
Firefox 3.0.8, released Saturday, plugs a hole exploited by a researcher at the CanSecWest 2009 Pwn2Own contest. It also fixes an XML tag remote memory corruption vulnerability. Mozilla said both vulnerabilities could be exploited by tricking a user into visiting a Web page containing malicious code.
If you use the Firefox browser, we recommend updating to the latest version as soon as possible.
----------------------------------------
Last Updated: April 10, 2009
Website Contact: David Matthews