Seattle.gov Department of Information Technology (DoIT), Information Security

Information Security Newsletter

Bulletins posted 6/05/2009

Adobe Security Bulletin Advance Notification
Adobe expects to deliver security updates for Adobe Reader and Acrobat versions 7.x, 8.x, and 9.x for Windows and Macintosh on Tuesday, June 9. This is the first quarterly security update for Adobe Reader and Acrobat as described in our May 20 blog post, and incorporates the initial output of code hardening efforts.

Adobe considers this a critical update and recommends users be prepared to apply the update for their product installations. Details of where to download updates will be posted to Adobe’s Security Bulletins and Advisories support page on June 9.

If you use any of the Adobe products mentioned above, make sure you are set up to receive these updates automatically if possible, and/or download and install them when they are released next week.

From Donna Buenaventura at Donna's Security Flash Blog

The Dangers of URL Shortening
I just read a great article and a related blog on the dangers and problems inherent in using URL shortening tools such as TinyURL, or Bit.ly.

We've seen the popularity of new Web 2.0 applications such as Twitter growing, and they have subsequently become the latest attack vector. Many of these apps use short messages for communication between users. With only a limited number of characters available, it is often necessary to shorten URLs if you are sending out links in a message.

There are many sites that will do that for you. The oldest and best known is TinyURL, but there are also tr.im and notlong.com, as well as bit.ly, the new Twitter default mentioned above.

However, all of these raise concerns about both reliability and trust. For a short link to work, both the service that created it and the destination server must be up. If a shortening service goes out of business or has server problems, every link it created simply stops working.

The bigger problem from a security perspective is that the user clicking on the link has no way of knowing where it actually leads. Short links have been used in scams to send people to poisoned or malicious websites, resulting in the compromise of the user's computer.

We strongly recommend against using these services. But if you have to, we suggest using ShuURL, and installing Web of Trust in your browser. ShuURL will not let you redirect a link to a bad site, and Web of Trust is a great add-on that warns you if you are hitting a site with a bad reputation.

If you'd like to read the AP article by Rachel Metz on URL shorteners, you can find it here.
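Expanding a short link before you click it is the practical countermeasure to the problem described above. What follows is an added example, not from the newsletter and unrelated to the ShuURL or Web of Trust tools it mentions: a small Python resolver that follows the redirect chain hop by hop with HEAD requests, never downloads the landing page, and stops on loops or over-long chains. The `expand` function takes a pluggable `head` callback so the logic can run offline; `FAKE_REDIRECTS` and `fake_head` are constructed for the demonstration and are not real short links, while `_live_head` performs real requests. The shortener host list is taken from the services named in the article; the function names are this example's own.

```python
"""Resolve where a shortened URL actually leads, without loading that page.

Added example (not from the newsletter, and unrelated to ShuURL or Web of
Trust). Hypothetical helper, not a real library API.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Shortener hosts named in the article; extend as needed.
KNOWN_SHORTENERS = {"tinyurl.com", "bit.ly", "tr.im", "notlong.com"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report a 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _live_head(url):
    """One HEAD request; returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "short-url-expander/0.1"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, urllib raises HTTPError for every 3xx.
        return err.code, err.headers.get("Location")


def expand(url, head=_live_head, max_hops=MAX_HOPS):
    """Follow the redirect chain from `url`.

    Returns (final_url, chain, verdict) where verdict is 'resolved',
    'loop' or 'too_many_hops'. `head` is injectable so the logic can be
    exercised offline.
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        status, location = head(current)
        if status not in REDIRECT_CODES or not location:
            return current, chain, "resolved"
        nxt = urljoin(current, location)      # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return nxt, chain, "loop"
        seen.add(nxt)
        current = nxt
    return current, chain, "too_many_hops"


def nested_shorteners(chain):
    """Count redirect hops that land on another known shortener.

    Chaining several shorteners is a common way to hide a destination
    from users and from preview services.
    """
    return sum(1 for u in chain[1:] if urlparse(u).hostname in KNOWN_SHORTENERS)


# Constructed redirect map for offline use; none of these are real links.
FAKE_REDIRECTS = {
    "http://tinyurl.com/abc123": (301, "http://bit.ly/xyz"),
    "http://bit.ly/xyz": (301, "http://example.net/landing"),
    "http://example.net/landing": (200, None),
    "http://tinyurl.com/loop1": (302, "/loop2"),
    "http://tinyurl.com/loop2": (302, "http://tinyurl.com/loop1"),
}


def fake_head(url):
    """Offline stand-in for _live_head backed by FAKE_REDIRECTS."""
    return FAKE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    final, chain, verdict = expand("http://tinyurl.com/abc123", head=fake_head)
    print(verdict, "->", " -> ".join(chain),
          "| nested shorteners:", nested_shorteners(chain))
```

Run it against a real link with `expand(url)` (the default `head` does live HEAD requests). A chain that passes through a second shortener, bounces between more than a handful of hosts, or ends somewhere unrelated to what the message promised is a link to leave alone.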

Cybercriminals targeting Twitter "trending topics"
Cybercriminals are using Twitter to propagate malicious links in an attack that's easier to mount than black-hat search-engine optimization (SEO), according to PandaLabs.

Twitter “trending topics” are the subjects being noted most by users of the site. Cybercriminals are now regularly "tweeting" about these topics, and including malicious links in their tweets, Sean-Paul Correll, threat researcher and security evangelist at Panda Security, told SCMagazineUS.com Thursday. For instance, on Wednesday, Google Wave was a popular Twitter topic and cybercriminals posted tweets such as, “Unreal Google Wave” containing a link that took users to a malicious site, Correll said.

“Over the last 24 hours there have been over 3,000 malicious tweets,” Correll said.

The malicious links take users to adult-themed sites that attempt to infect users with rogue anti-virus products, but cybercriminals can change the attack at any time, Correll said.

Correll recommended not clicking on links in trending topics. “Avoid clicking links in trending topics at all costs,” he said. “I don't think they are going to stop targeting these any time soon.”

From SC Magazine - Angela Moscaritolo

Bulletins posted 6/03/2009

Freecycle Phishing Scam
This week the Seattle Freecycle group warned of a phishing scam that is targeting their users. Freecycle is a community web service that allows people to post items online that they wish to give away or that they are looking for (cheap or free).

The moderators of the Seattle group notified their users that they have received several reports of people posting WANTEDs who then soon afterwards get a phony email much like the following in response:

From: missclarke@jennaclarke.info
To: freecycleuser@hotmail.com
Subject: RE: [freecycleseattle] WANTED: Shelving
Date: Mon, 1 Jun 2009 14:20:46

Hey, wow, i was JUST about to post this on the group! Do you want it?

I had made a lil page with my map and address and some pics on it for yahoo members: http://viralurl.com/z/yahoogroup1ctures

If you're interested, let me know when you can come pick up.

To quote the moderators, "Needless to say, this is a scam and is intended to entice you to visit the "viralurl.com" site (that's a little obvious, eh!?) - possibly just to get you to view ads, possibly for more nefarious purposes."

If you use Freecycle, or any of the other similar services such as Craig's List, etc. - be aware that this is just another venue for the criminals to try to take advantage of. If you get a response like this, just delete it. Do not visit the site or click on a link.

The Seattle moderators have asked that people not send them any more reports unless there is some important new information, since they already have plenty of examples to work with. But in other groups or cases, it is usually a good idea to report any abuse to moderators so they can take action to stop it.

Yet another Twitter Scam
Twitter users were hit with another attack over the weekend featuring tweets reading "Best Video" and a link to a Web site that downloads malware, a security firm said on Monday.

The Web site, with a .ru (Russia) domain, purports to show an embedded YouTube video. Instead, the page downloads a malicious PDF that contains a "flurry of exploits" and if successful downloads fraudware that displays a fake security warning to try to get people to pay money, according to Kaspersky's Viruslist.com blog.

Contrary to earlier reports that the attack was a worm, the Kaspersky blog post speculates that the attackers were using accounts stolen in a phishing attack about a week ago.

Thousands of Twitter users were affected by what looked like a worm-like phishing attack last week, but was instead a site designed to help Twitter users increase their number of followers quickly. The TwitterCut site looked like a Twitter log-in page and prompted people to type in their user names and passwords. Site administrators denied the phishing allegations and said they were shutting it down, according to the TrendLabs Malware Blog.

"This attack is very significant," the Kaspersky post says of the latest attack. "It would seem that at least one criminal group is now exploring the distribution of for-profit on Twitter. If the trends we've seen on other social platforms are any indicator for Twitter, then we can only expect an increase in attacks."

Twitter said on Saturday that it was aware of the problem and working on it. Another message from Twitter on its status page said some legitimate accounts affected by the attack were suspended but would be restored and that no personal information had been compromised.

We probably don't need to keep saying this - but just in case you haven't figured this out yet, these new social networking tools and sites are prime targets for all of the latest scams. Be aware and be careful.

Cnet News - Elinor Mills

Microsoft Office 2000 users warned of potential malware attacks as final patching date announced
Microsoft has warned Office 2000 users that it will stop issuing security patches for the product in the middle of July.

According to Network World, Microsoft supports business software for a total of ten years by policy, half in ‘mainstream' support and the second half in the more limited support, with security updates delivered for the entire ten year stretch.

Also being removed from the Patch Tuesday update list are Office Update and the Office Inventory Tool. Microsoft has urged system administrators who still use the Office Inventory Tool to switch to Windows Server Update Services (WSUS).

Richard Kirk, European director of Fortify Software, said: “That date is, of course, Patch Tuesday, so Office 2000 users can expect their last security patches for this still-popular version of Office to be issued on that date. From that date onwards, however, if any security threats are discovered with this version of Office, no patches or updates will be issued.”

He claimed that organisations using custom Office extension applications should avoid the temptation to carry on using Office 2000 due to the likelihood of malware being injected into the unpatched holes.

“This is no reflection on the efficacy of Microsoft's software, merely the fact that hackers and malware developers will now be gunning for Office 2000. Companies need to be aware of this possibility and prepare accordingly,” said Kirk.

If you are still using Office 2000, it is time to seriously consider upgrading to the newest version. You can be assured the criminals will begin concentrating on exploits for that software when Microsoft stops patching it.

From SC Magazine - Dan Raywood

Apple has updated QuickTime and iTunes
Apple released security updates yesterday for both QuickTime and iTunes. The QuickTime release fixes 10 vulnerabilities, while the iTunes update fixes one buffer overflow.

If you use either of these programs, go to Apple's support site and download and install iTunes 8.2 and QuickTime 7.6.2 as soon as possible.

Bank of America certificate scam propagating Waledac, Virut
A new spam campaign disguised as a Bank of America email telling users they need to update their digital certificate is attempting to lure users into installing the Waledac worm.

The messages, which first started being detected this past weekend, seemingly come from Bank of America, and tell users, “The digital certificate for your Bank of America direct online account has expired. You need to update the certificate using Bank of America direct digital certificate updating procedure.” Recipients are then instructed to click on a link and follow the given instructions, Phil Hay, lead threat analyst at web and email security firm Marshal8e6, told SCMagazineUS.com in an email Monday. The spam originates from the Pushdo botnet, which has been active in similar malicious phishing attacks, Hay said.

After following the link, the user is encouraged to fill in a web form, and to download a new "digital certificate" to continue, Hay said. The “certificate” however, is an executable file which seeks to download malware to the victim's PC.

Bank of America, in a statement to SCMagazineUS.com, said it is aware of the situation and is continuing to research the issue and protect customers as diligently as it can. Bank of America did not however, provide any additional information about their research into this threat.

If you are a Bank of America customer, please be aware of this scam and don't be victimized by it.

From SCMagazine - Angela Moscaritolo
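The lure above hands the victim a Windows executable under the name of a "digital certificate". The check a practitioner would want is to look at the file's bytes rather than its name: Windows hides known extensions by default, so a file named certificate.cer.exe displays as certificate.cer, while a real certificate is either DER (an ASN.1 SEQUENCE) or PEM text and a Windows executable starts with the MZ header. The following is an added example, not from the newsletter, Bank of America or Marshal8e6: a Python content sniffer that separates PE executables from DER/PEM certificates (and a couple of other common types) by their leading bytes. The byte strings in `SAMPLES` are constructed for the demonstration and are not real files; the function names are this example's own.

```python
"""Decide whether a downloaded 'digital certificate' really is one.

Added example, not from the newsletter, Bank of America or Marshal8e6.
Classifies by leading bytes, because the file name is attacker-controlled.
"""
import re

PEM_HEADER = re.compile(rb"-----BEGIN (CERTIFICATE|PKCS7|X509 CRL)-----")
CERT_EXTENSIONS = {"cer", "crt", "pem", "der", "p7b"}


def sniff(data):
    """Classify a byte string by its magic bytes.

    Returns one of 'pe', 'pem-cert', 'der', 'pdf', 'zip', 'unknown'.
    """
    if data[:2] == b"MZ":
        # DOS/Windows executable header; also what .scr, .dll and .com files carry
        return "pe"
    if PEM_HEADER.match(data.lstrip()):
        return "pem-cert"
    if data[:2] in (b"\x30\x81", b"\x30\x82", b"\x30\x83"):
        # DER: ASN.1 SEQUENCE (0x30) followed by a long-form length byte; a real
        # X.509 certificate is hundreds of bytes to a few KB, so 0x82 is typical
        return "der"
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip"
    return "unknown"


def extension(filename):
    """Last extension, lower-cased; 'certificate.cer.exe' -> 'exe'."""
    return filename.lower().rsplit(".", 1)[-1] if "." in filename else ""


def is_plausible_certificate(filename, data):
    """Return (ok, reason).

    Rejects anything executable regardless of name, accepts DER/PEM content,
    and notes when the extension disagrees with the content. Windows hides
    known extensions by default, so 'certificate.cer.exe' shows up as
    'certificate.cer' in Explorer; only the bytes are trustworthy.
    """
    kind = sniff(data)
    ext = extension(filename)
    if kind == "pe":
        return False, "%r is a Windows executable (MZ header), not a certificate" % filename
    if kind in ("pem-cert", "der"):
        if ext in CERT_EXTENSIONS:
            return True, "%r looks like a %s certificate" % (filename, kind)
        return True, "%r has %s certificate content but an unusual extension %r" % (filename, kind, ext)
    return False, "%r is %s content, not a certificate" % (filename, kind)


# Constructed byte strings for the demonstration; not real files.
SAMPLES = {
    "BofA_certificate.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "certificate.cer.scr": b"MZ" + b"\x00" * 62,
    "certificate.cer": b"\x30\x82\x03\x1a\x30\x82\x02\x02\xa0\x03\x02\x01\x02",
    "certificate.pem": b"-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n",
    "update.pdf": b"%PDF-1.4\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        ok, reason = is_plausible_certificate(name, blob)
        print("ACCEPT" if ok else "REJECT", reason)
```

The same idea applies at a mail gateway or proxy: classify attachments and downloads by content, and treat an executable arriving under a document or certificate name as hostile whatever the sender claims. Note that a real bank does not deliver client certificates as downloadable programs from a link in an email in the first place.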

Fake Outlook config scam aims to harvest logins
Cybercrooks have come up with a new way to trick prospective marks into handing over login credentials or installing fake security (scareware) packages.

The first of two similar batches of scam emails doing the rounds claim that users have a new message in Microsoft Outlook - which can supposedly only be seen after users reconfigure their settings. This might sound technically tricky but the dubious emails come complete with a handy link, which serves only to hand over email settings to internet hackers.

If you use Outlook, watch out for this scam and don't be fooled.

From The Register - John Leyden

Bulletins posted 6/01/2009

Hackers exploit unpatched Windows bug
For the third time in the last 90 days, Microsoft Corp. has warned that hackers are exploiting an unpatched critical vulnerability in its software.

Late Thursday, Microsoft issued a security advisory that said malicious hackers were already using attack code that leveraged a bug in DirectX, a Windows subsystem crucial to games and used when streaming video from Web sites.

Hackers are using malicious QuickTime files -- QuickTime is rival Apple Inc.'s default video format -- to hijack PCs, Microsoft said. "The vulnerability could allow remote code execution if [the] user opened a specially crafted QuickTime media file," the company said in the advisory. "Microsoft is aware of limited, active attacks that use this exploit code."

Until a patch is available, users can protect their PCs by disabling QuickTime parsing in Windows. Doing that by hand requires editing the Windows registry, normally a task most users shy away from, but Microsoft has automated the workaround. "We've gone ahead and built a 'Fix it' that implements the 'Disable the parsing of QuickTime content in quartz.dll' registry change," Microsoft's Christopher Budd said. "We have also built a 'Fix it' that will undo the workaround automatically."

From ComputerWorld - Gregg Keizer

McAfee documents riskiest search terms
A McAfee study into 2,600 of the most popular keyword searches on the web has concluded that hunts for "screensavers" present the most risk.

The report released this week shows that users who search for "screensavers" have a 59.1 percent chance that they will be infected by malware on a given page of results.

By category, the most dangerous searches involved keywords containing the word "lyrics" (26.3 percent risk) and "free" (21.3 percent). The safest category searches, meanwhile, related to "health" (four percent) and the "economic crisis" (3.5 percent).

The report also warned of the risk generated by searching for information on "work from home." Variations of this search term -- considered more popular than ever, given the state of the economy -- ranged from a 6.3 percent-risk to a 40 percent-risk of infection.

"This study confirms that scammers consider popular trends when deciding which victims to target," the study said. "This makes common sense. If hackers are now motivated largely by profit, the biggest profits can be wrung from the largest pools of potential victims. And on the web, popular trends and visitor traffic are highly correlated."

This is a worthwhile study to take a look at. You can find it online by following this link.

SC Magazine - Dan Kaplan

More Than 80 percent Of Phishing Attacks Use Hijacked, Legitimate Websites
It used to be that researchers could sometimes track a phishing exploit by the notorious cybercrime ring behind it, like the Rock Phish gang, but no more: New research from the Anti-Phishing Working Group (APWG) has found that most phishers are setting up shop on legitimate Websites to be inconspicuous when they steal valuable information from victims.

In the second half of 2008, roughly 57,000 phishing attacks worldwide targeted a specific brand or organization, up from around 47,300 in the first half of 2008, according to a newly released report (PDF) from the APWG. The attacks were waged on 30,454 different domain names, only 5,591 of which were domains the phishers set up themselves. The rest were from legitimate Websites they had hijacked to carry out their exploits.

The average amount of time a phishing site was up: 52 hours, according to the report.

Phishers used their own malicious domains in 13 percent of attacks, according to the report, while 11 percent used subdomain registration services, some of which offer free hosting as well as DNS services that let you redirect your domain name at any time. These services are notorious for making the taking down of malicious sites difficult, according to the report. Around 6,340 subdomain accounts were used for phishing purposes in the second half of last year, up from 4,512 in the first half of the year.

"When we used to talk about the Rock Phish Group, phishers were segmented, and you could tell what sites they were setting up. But we're seeing more groups now, and it's harder to say, 'Here's one site by one particular group,'" says Laura Mather, chair of the Antiphishing Working Group's Internet Policy Committee. "They are obfuscating what they are doing...making it harder to specifically group them...Now they are more creative, agile, and flexible."

Phishers also are paying close attention to what users fall and don't fall for. Interestingly, phishers are using fewer unique IP address-based attacks -- only 2,809 in the second half of the year versus 3,389 in the first half of the year. That has been a gradual downward trend since early 2007.

Putting a brand name in the URL to fool victims isn't necessarily effective, Mather says. "Consumers don't know how to look at URLs to tell where they are going, so it doesn't even matter," she says.

From Dark Reading - Kelly Jackson Higgins

Bulletins posted 5/28/2009

Twitter Gets Targeted Again by Worm-like Phishing Attack
Twitter users have been tricked into divulging their login and password details to a Web site that then spammed their contacts.

The culprit is a Web site called TwitterCut. Some Twitter users began getting a message that appeared to be from one of their friends and included a link to the TwitterCut Web site. The message implied they could gain more Twitter contacts by following the link.

At one time TwitterCut looked quite similar to the real Twitter login page, said Mikko Hypponen, chief research officer for the security vendor F-Secure.

If a person entered their login details, TwitterCut would then send the same message via Twitter to all of the victim's contacts, a kind of phishing attack with worm-like characteristics. No malicious software is installed on a user's machine, Hypponen said.

We're seeing new attacks like this nearly every week, so be very careful when using these types of Web 2.0 products.

From PCWorld - Jeremy Kirk, IDG News Service

‘Gumblar’ virus could be bigger than Conficker worm
A new piece of malware is on the loose and within days has become responsible for half the malware found on the web. It is particularly dangerous because it singles out Google users.

The malware, also known as JSRedir-R, infects computers through vulnerabilities in Adobe's PDF reader and Flash Player.

By last week, more than half of all malware found on websites was identified as Gumblar, with a new web page being infected every 4.5 seconds.

Gumblar redirects the user's Google search results to sites that download more malware onto the machine or let criminals conduct phishing attacks to steal login details.

It has begun to spread from legitimate sites whose passwords or software were previously compromised, and visitors are infected without realising it.

This one will be difficult to avoid. Make sure your antivirus and other anti-malware tools are up to date, and be very careful with your Google search results.

SiliconRepublic.com - John Kennedy
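Both the "Best Video" attack reported above and Gumblar deliver their exploits through a PDF. What follows is an added example, not from the newsletter or Kaspersky: a Python triage routine that looks for the PDF name tokens that let a document act as soon as it is opened (the /OpenAction and /AA triggers and the /JavaScript, /Launch and similar actions they point at), after undoing the #xx hex escapes that are used to hide those names from simple string searches. It only sees names in uncompressed objects, so it also reports whether FlateDecode streams or object streams are present that it cannot look into; it is a first look before opening a file from an untrusted link, not a replacement for a scanner. Note that /URI is common in harmless documents with links. The two sample PDFs are constructed for the demonstration and are deliberately incomplete; the function names are this example's own.

```python
"""First-look triage of a PDF for content that runs on open.

Added example, not from the newsletter or Kaspersky. Looks for the name
tokens that let a PDF act without a click: /OpenAction and /AA triggers
and the /JavaScript, /Launch, ... actions they can point at. Only names
in uncompressed objects are visible; compressed streams are reported,
not decoded.
"""
import re

TRIGGER_NAMES = ("OpenAction", "AA")
ACTION_NAMES = ("JavaScript", "JS", "Launch", "URI", "GoToR", "SubmitForm", "ImportData")


def unescape_names(data):
    """Resolve #xx hex escapes so an obfuscated /#4A#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_name(data, name):
    """Occurrences of the PDF name /name as a whole token."""
    pattern = rb"/" + re.escape(name.encode()) + rb"(?![A-Za-z0-9_.-])"
    return len(re.findall(pattern, data))


def pdf_triage(data):
    """Return a dict with a verdict and the suspicious names found.

    Verdicts: 'not-a-pdf', 'auto-executing-content' (a trigger and an action
    are both present), 'active-content' (one of the two), or
    'no-active-names-seen'. `hidden_objects` is True when FlateDecode or
    object streams are present, meaning names may be hidden from this check.
    """
    if data[:5] != b"%PDF-":
        return {"is_pdf": False, "verdict": "not-a-pdf", "names": {}, "hidden_objects": False}
    norm = unescape_names(data)
    names = {n: count_name(norm, n) for n in TRIGGER_NAMES + ACTION_NAMES}
    names = {n: c for n, c in names.items() if c}
    has_trigger = any(n in names for n in TRIGGER_NAMES)
    has_action = any(n in names for n in ACTION_NAMES)
    if has_trigger and has_action:
        verdict = "auto-executing-content"
    elif has_trigger or has_action:
        verdict = "active-content"
    else:
        verdict = "no-active-names-seen"
    hidden = b"/FlateDecode" in norm or b"/ObjStm" in norm
    return {"is_pdf": True, "verdict": verdict, "names": names, "hidden_objects": hidden}


# Constructed minimal PDFs for the demonstration; not real samples and not
# complete files (no xref table), just enough to exercise the checks.
BENIGN_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"%%EOF\n")
LURE_PDF = (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"3 0 obj << /S /#4A#61vaScript /JS (app.alert('hi')) >> endobj\n"
            b"%%EOF\n")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PDF), ("lure", LURE_PDF)):
        print(label, pdf_triage(blob))
```

A verdict of auto-executing-content on a file that arrived from a tweet or an unexpected email is reason enough not to open it in a reader that has not been patched. A clean verdict with `hidden_objects` set to True means nothing, since the interesting objects may simply be compressed.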

90 percent of e-mail is spam, Symantec says
Spammers seem to be working a little bit harder these days, according to Symantec, which reported Tuesday that unsolicited e-mail made up 90.4 percent of messages on corporate networks last month.

That represents a 5.1 percent increase over last month's numbers, but it's nothing out of the ordinary. For years, spam has made up somewhere between 80 percent and 95 percent of all e-mail on the Internet.

Symantec reported that nearly 58 percent of spam is now coming from so-called botnets -- networks of hacked computers that criminals can use to steal financial information, launch attacks or send spam. The worst of the spamming botnets, called Donbot, generates 18.2 percent of all spam, according to Symantec.

These botnet computers can be rented out on the black market by anybody, but in recent months some spammers have been moving away from botnets, experimenting with a new way to sneak their unwanted e-mail past corporate filters, according to Adam O'Donnell, a researcher with antispam vendor Cloudmark.

From ComputerWorld - Robert McMillan, IDG News Service

----------------------------------------
Last Updated: June 05, 2009
Website Contact: David Matthews
Copyright © 1995-2009 City of Seattle