
Information Security Newsletter

Newsletter Posted 12/05/2008

Special Bulletin - Tis The Season - Many New Threats To Be Wary Of
Please be aware that at this time of year the scammers and cyber criminals ramp up their efforts to fool you into becoming a victim of cyber fraud or identity theft.

We are seeing and hearing of many new scams which seek to take advantage of both the suffering economy and this season of giving. Some of these are offers for great deals, while others are using all of the tactics we are used to but blasting our email boxes with a huge increase in spam traffic.

One scam that we have had several reports on is when scammers send you an email with your own address in the 'From:' line. Many of these refer to "Your order" or "Order status", no doubt recognizing that many of us might have ordered something online and therefore might be willing to open that email or attachment. DON'T DO IT!

We also had a report today from our colleagues at the City of Everett of instances of a new virus being spread through embedded YouTube videos.

We were notified recently of a twist on the Nigerian scams that tell you there are millions of dollars they need help with and you can have a lot of that money for a minor handling fee, etc. This one purports to come from the Seattle FBI office and ensures the recipient that they have legitimately won two million dollars and should trust and follow the specific directions of the "Head of Operations - International Remittance Department" for "Spring Bank". It says to be careful not to fall for scams (gotta love that) and to trust this because the FBI has checked it out and is "monitoring every move now".

The City's email filtering and antivirus software should catch any of these problems, but it is still worth reminding everyone of good Internet safety practices. So pass on the following reminders to friends and family:

  • Delete any suspicious emails without opening them - even if they come from someone you know (even if they come from your own email address!).
  • Never open an attachment that you did not expect to receive. If you think it might be legitimate but you're not sure, call the sender on the phone and verify it before you open it.
  • When you're online - close any unwanted or unexpected pop-ups (do not click anywhere but on the 'close' icon). If they're persistent it might be necessary to shut down your computer.
  • If your computer is running very slowly and/or pop-ups won't stop, or you have other reasons to suspect that your computer has been compromised - at home, you should update your antivirus/anti-spyware and do a complete scan. If you're at work you should immediately contact your service desk.

This time of year and in this economy the scammers are going to work especially hard to steal your identity or defraud you - don't be a victim!

This Week's Trends
This week we're seeing a growing amount of SPAM with some tricky new tactics. Some of those were outlined in the special bulletin above. We've also seen a new one that looks like it comes from your own email address and purports to be a 'Delivery Status Notification (Failure)'. Since we're all used to seeing these when an email address is mis-typed or no longer valid, it is very tempting to open them up to see what went wrong.

You'll also note several new warnings about scams taking advantage of the economic crisis, bank failures and the Holidays. The most prevalent have been offers of deep discounts and special sales from retailers and fast food places. Be very careful out there!
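The two lures described above (a 'From:' line carrying your own address, and order-status or bounce-style subjects) can be turned into a simple triage score. This is an added example, not code from the City or the newsletter; the messages, the address alice@example.org, and the scoring weights are constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Subject lures named in the bulletin. A genuine bounce also uses the last one,
# so a subject match on its own is only a caution, never a verdict.
SUBJECT_LURES = (
    r"\byour order\b",
    r"\border status\b",
    r"delivery status notification",
)
RISKY_EXTENSIONS = (".exe", ".scr", ".zip")


def build_message(sender, recipient, subject, attachment_name=None):
    """Construct a sample message (test data, not captured mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("Details are in the attachment.")
    if attachment_name:
        # A few placeholder bytes stand in for whatever the scammer attached.
        msg.add_attachment(b"\x00placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg


def triage(msg, own_address):
    """Score one message against the bulletin's indicators; returns (score, reasons)."""
    score, reasons = 0, []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender == own_address.lower():
        score += 2
        reasons.append("From: line carries your own address")
    subject = msg.get("Subject", "")
    if any(re.search(p, subject, re.IGNORECASE) for p in SUBJECT_LURES):
        score += 1
        reasons.append("subject matches a known lure")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            score += 2
            reasons.append(f"executable or archive attachment: {name}")
    return score, reasons


def verdict(score):
    """Map the score onto the bulletin's advice."""
    if score >= 3:
        return "delete unread"
    if score > 0:
        return "caution: verify with the sender before opening"
    return "no indicators"


OWN = "alice@example.org"  # constructed recipient address
SAMPLES = {
    "self_order": build_message(OWN, OWN, "Your order", "order_details.zip"),
    "self_dsn": build_message(OWN, OWN, "Delivery Status Notification (Failure)"),
    "real_bounce": build_message("MAILER-DAEMON@mail.example.org", OWN,
                                 "Delivery Status Notification (Failure)"),
    "colleague": build_message("bob@example.org", OWN, "Lunch on Friday?"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        score, reasons = triage(msg, OWN)
        print(f"{name:12} {verdict(score):48} {reasons}")
```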

Theft of Children’s Identities Often Goes Unnoticed for Years
The Federal Trade Commission estimates about 500,000 identity theft incidents annually involve children under age 19, with the majority of the thefts occurring between birth and age 5. That is about 5 percent of all suspected ID theft cases.

Federal officials said they have seen the numbers rise slightly during the past several years. Often, but not always, a parent or guardian is involved. The nonprofit Identity Theft Resource Center in San Diego estimates more than half of the child ID theft reports it has examined involve parents or family members. But strangers also can pick up a Social Security number, which has no age identifier, from pediatric or school records, from stolen ID cards, or through data breaches, said the center founder.

Some law enforcement agencies also think child ID theft is becoming more attractive to thieves as personal information becomes harder to steal from adults, who are becoming more vigilant about monitoring their credit. A spokesman for the Federal Bureau of Investigation in Washington, D.C., said a “world of financial hurt” can happen between the time a theft occurs and when it is discovered. Often, that gap is a decade or more — when the victim applies for a school loan, a credit card, or a job.

Be aware of the potential harm this could do to your children and guard their Social Security numbers carefully. Whenever you are asked to give out their numbers, you have a right to know why and how they are going to be secured.

Bogus Discount Emails from Coca Cola and McDonalds
Researchers at Websense Security Labs are reporting that bogus e-mail messages are being circulated claiming to be offers of discounts or other promotional materials from McDonald's and Coca-Cola. The messages attempt to entice users to open an attachment containing a Trojan executable.

Email Trojans Threaten to Block Email Accounts
A new wave of Trojans is rolling through the net. This time, the emails bearing the Trojan warn that the recipient’s email account will be blocked within a few hours. They read: “Subject: The email address xyz@heise-online.co.uk is being blocked. Ladies and Gentlemen, due to misuse, your email address “xyz@heise-online.co.uk” will be blocked within the next 24 hours. We have received 98 complaints of spam being sent from it. Details and possible ways to unblock your account can be found in the attachment.”

The subject and text contain the recipient’s address, though the wording and the number of alleged complaints varies. The attached zip file contains the executable file blocking.exe along with the malicious program. These emails should be deleted unread, because most virus scanners are powerless to deal with them. Only a few such programs can currently recognize the culprit.

An analysis by Heise Security has shown that the malware installs itself as the default debugger for the Explorer.exe process, so that it is activated after a reboot. This unusual self-starting mechanism has already been used by the “account-rendered” Trojan, which appeared in users’ inboxes exactly a week ago, claiming to be an invoice, a collection order, or a warning of non-payment.
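The "default debugger" trick above relies on the Windows Image File Execution Options (IFEO) registry key: when a "Debugger" value is set for a program name, Windows launches the listed debugger instead of the program each time it starts. The checker below, an added example rather than anything from Heise or the newsletter, scans a registry export (.reg text) for such entries; the export and the paths in it are constructed, and the IFEO key location is standard Windows rather than something taken from the article.

```python
import re

# Standard location Windows consults for per-program debugger settings
# (lower-cased here because registry paths are matched case-insensitively).
IFEO_MARKER = "\\image file execution options\\"


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for REG_SZ values in a .reg export.

    Real exports are UTF-16 files; read them with encoding='utf-16' before
    passing the text in. Binary and DWORD values are skipped.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not line.startswith('"'):
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m:
            name, data = m.groups()
            # .reg files escape backslashes and quotes inside string data.
            yield key, name, data.replace('\\\\', '\\').replace('\\"', '"')


def find_ifeo_debuggers(text):
    """Return [(image_name, debugger_command)] for every IFEO Debugger value."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if name.lower() == "debugger" and IFEO_MARKER in key.lower():
            image = key.rsplit("\\", 1)[-1].lower()
            hits.append((image, data))
    return hits


# Constructed export (sample data, not a real system). The explorer.exe entry
# mimics the persistence technique described above: explorer.exe starts at every
# logon, so the listed file runs instead. The notepad.exe key has no Debugger
# value and is ignored by the check.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\Documents and Settings\\All Users\\blocking.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

if __name__ == "__main__":
    for image, debugger in find_ifeo_debuggers(SAMPLE_REG):
        print(f"{image}: launched via {debugger!r} - review this entry")
```

Any Debugger value under IFEO deserves a look; on a workstation that is not used for software development there is rarely a legitimate reason for one.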

Apple Recommends Using Antivirus Software
Apple, which has long perpetuated the belief that its operating system is immune to security problems, is recommending that users install security software to make it harder for hackers to target its platform.

“Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult,” according to a support note posted last month.

Data from computer security researchers has shown that while Apple has not been affected by malicious software nearly to the extent that Windows has, this is merely because hackers go after the most widely used platform. Apple is gaining market share, however, which means hackers could increasingly look to exploit the platform, particularly if it becomes perceived as an easier target.

Apple systems are also not immune from problems in third-party software, such as plug-ins, which are used to view animated Flash graphics and PDF (Portable Document Format) files. Security problems in plug-ins have frequently been manipulated to cause browsers to redirect to malicious Web sites, which are rigged to try and take advantage of browser flaws.

Compared to Windows, there are not nearly as many antivirus products for Apple computers.

MAC OSX Targeted by Trojan and Backdoor Tool
Two pieces of malicious software affecting Apple's Mac OS X appeared this week: a Trojan horse with the ability to download and install malicious code of an attacker's choice, and a hacker tool for creating backdoors, according to security vendors.

The Trojan — called 'OSX.RSPlug.D' by Intego, the Mac security specialist that discovered the threat — is a variant on an older piece of malicious code but with a new installer, Intego said.

"It is a downloader, and it contacts a remote server to download the files it installs," Intego said in an advisory. "This means that, in the future, the downloader may be able to install payloads [other] than the one it currently installs."

In other respects the Trojan is similar to previous versions of RSPlug, which first surfaced in October 2007, Intego said. It installs a piece of malicious code known as DNSChanger, which routes the user's internet traffic through a malicious DNS server, leading users to phishing websites or pages displaying advertisements.

The Trojan is found on porn websites posing as a codec needed to play video files, a technique used to trick the user into downloading and installing it.

New Windows Worm Builds Massive Botnet
The worm exploiting a critical Windows bug that Microsoft Corp. patched with an emergency fix in late October is being used to build a new botnet, a security researcher said December 1.

A senior research engineer with Trend Micro Inc. said that the worm, which his company has dubbed “Downad.a” — it is called “Conficker.a” by Microsoft and “Downadup” by Symantec Corp. — is a key component in a new botnet that criminals are creating.

Last week, Microsoft warned that the worm was behind a spike in exploits of a bug in the Windows Server service, which is used by the operating system to connect to network file and print servers. Microsoft patched the service with an emergency fix it issued October 23, shortly after it discovered a small number of infected PCs in Southeast Asia. However, the new worm is a global threat, said the senior researcher. “This has real potential to do damage,” he said.

Trend Micro has spotted infected IP addresses on the networks of Internet service providers (ISPs) in the United States, China, India, the Middle East, Europe, and Latin America. The worm first appeared about a week and a half ago, and began spreading in earnest just before Thanksgiving, he added. He also said that it appears the botnet is being built by a new group of cyber-criminals, not one of the gangs that lost control of compromised computers when McColo Corp., a California hosting company, was yanked off the Internet.

FBI Warns of Holiday Cyber Scams
With cyber Monday comes an FBI warning against spam containing malware and phishing attempts that appear to be greeting cards and ads for shopping bargains.

E-mails attempt to lure victims to dummy e-commerce sites in hopes of gleaning credit card numbers and passwords, the FBI says. By mimicking legitimate sites, they lull unsuspecting shoppers into giving up the information as they make what they think are legitimate purchases.

The e-mails look real, often containing legitimate company logos and live links.

In some cases criminals direct users to genuine Web sites, but trigger popups over them to capture personal information that they use to run up credit-card bills and drain bank accounts, according to the FBI.

The information entered will most likely be sold to other criminals who will exploit them for cash and merchandise, the bureau says.

Greeting card scams come in the form of e-mails urging recipients to click on a link to read a greeting card that has been sent to them. When they do, they are directed to a site where malicious software is automatically downloaded to their machines, the FBI says.

Security Breach Gives PayPal Phish the Personal Touch - Beware Skype Users
Skype users who use a piece of software dubbed Pamela to manage their online phone accounts should be on the lookout for customized phishing attacks following revelations that one or more user databases containing names and email addresses have been breached.

The attack, which took place last week, has already led to one phishing campaign that calls recipients by their real names and then tries to trick them into turning over personal information. That added personal touch could throw some users off guard because most phishing emails address their marks by generic terms such as "Dear PayPal User."

The online thieves managed to penetrate the defenses of Pamela Systems (http://www.pamela-systems.com/) by exploiting a security hole in an unnamed application the website uses, Dick H. Schiferli, Pamela's founder and CEO told The Register. He declined to say how many of the site's users had their information stolen, or how many users have registered with his site. Pamela boasts 4.5 million downloads, although the number of registered users is probably much smaller.

Schiferli said his team was still in the process of contacting customers whose information was stolen.

"This is our first experience with something like this," he said. "We're taking this very seriously. We contacted PayPal last week." So far, they've yet to get a response.

High School Musical Songs and Videos Used to Infect Unsuspecting Users
PandaLabs, Panda Security's malware analysis and detection laboratory, has reported that numerous downloadable songs and videos related to the hit movie "High School Musical" are being used by cyber-crooks to disguise malware (viruses, worms, Trojans, etc.).

The infected files are distributed through popular peer-to-peer (P2P) file sharing networks such as eMule, eDonkey, etc. and when users search for files related to "High School Musical" using these programs, some of the results include files infected with malware.

Beware of Phishing Scams by Crooks Posing as Banks
While banks work to clean up their money mess, con artists are working to clean out your account.

They are focusing on customers of Washington Mutual and JP Morgan Chase, but every bank customer is a potential target. It is a new wave of email “phishing” that claims to be from Chase bank. One email promises $50 for answering an online banking survey. Click to answer and one gets what looks like an official survey from Chase bank asking for account information - it is a fake. Another email claims to be an account verification alert.

Unlike previous imposter scams which claim there has been a security breach or technical problem, this latest version goes to extra lengths to tie in the economy, with an elaborate explanation about the financial crisis and a threat that unverified accounts will be shut down in three business days. By using the Chase name, scammers are reaching potentially millions of customers of JP Morgan Chase and the recently acquired Washington Mutual. And, in what may be a first, the scammers are using the name of an actual Chase executive. The email is signed by the chief operations officer. In a statement, a bank spokesperson said, “It is definitely not a legitimate email, as you already know.”

Odd "Microtransactions" May Point to Credit Card Breach
A wave of unauthorized microtransactions is currently sweeping the accounts of a number of U.S. credit card holders, though the size and scope of the fraud scheme have not yet been determined. Beginning on or around November 20, consumers apparently began to notice small charges, typically for 19-29 cents, appearing on their bank statements or online account information. These small withdrawals or deposits are typically test fees, sent to verify account authenticity.

PayPal, for example, makes two small deposits in a user’s bank account in order to verify its authenticity. While legitimate companies will reverse the fee (or occasionally let you keep the extra quarter), thieves use the transactions to verify that a credit card number is good. If the deposits complete successfully, the hacker knows he has got a live card (or a live card number). The next step is usually to burn through the account’s balance as quickly as possible before anyone notices what is happening.

Beginning on or about November 20, various card holders began complaining online about unauthorized microtransactions that were suddenly showing up on their accounts. The charges fit the model described above, and were labeled as coming from Adele Services. Adele Services appears to be a dummy corporation; the 1-800 number listed as the customer contact point is disconnected and there is no official website. The company may not officially exist, but that has not stopped it from continuing to test accounts. It is impossible to state how many card holders have been pinged in this manner, but the number of online reports is growing steadily. Theories on which company’s security was breached abound, although PayPal has been collectively ruled out, given the number of non-PayPal users affected. Amazon seems to be a current favorite, based on the fact that a number of the irate forum posters recently shopped there.

This is a good reminder to always look carefully at your credit card billing statements for any odd or unrecognized transactions.
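The pattern described above (a probe of a few cents from an unfamiliar merchant, then a large charge once the number is known to be live) can be checked mechanically over a statement. This added example is not from the article or the newsletter; the statement lines, merchant names and thresholds are constructed, with the "Adele Services" label borrowed from the report above.

```python
from datetime import date

# Constructed statement: (posting date, merchant, amount in cents; negative = credit).
STATEMENT = [
    (date(2008, 11, 18), "GROCERY MART", 4312),
    (date(2008, 11, 20), "ADELE SERVICES", 23),
    (date(2008, 11, 21), "ADELE SERVICES", 19),
    (date(2008, 11, 22), "PAYPAL VERIFICATION", -14),  # legitimate verification deposit
    (date(2008, 11, 22), "PAYPAL VERIFICATION", -27),
    (date(2008, 11, 25), "ELECTRONICS OUTLET", 189900),
    (date(2008, 11, 26), "GROCERY MART", 6775),
]

# Merchants (and verification senders) the card holder actually dealt with.
KNOWN_MERCHANTS = {"GROCERY MART", "PAYPAL VERIFICATION"}


def find_test_charges(statement, known, max_cents=50):
    """Small charges or credits from merchants the holder does not recognize.

    A legitimate verification deposit (PayPal's two small credits) comes from a
    merchant the holder expects, so it is not flagged; the same amounts from an
    unknown name are the probe the article describes.
    """
    return [t for t in statement if abs(t[2]) <= max_cents and t[1] not in known]


def find_follow_on_charges(statement, known, probes, window_days=30, min_cents=10000):
    """Large unknown-merchant charges posted within window_days after a probe."""
    hits = []
    for posted, merchant, cents in statement:
        if merchant in known or cents < min_cents:
            continue
        if any(0 <= (posted - p[0]).days <= window_days for p in probes):
            hits.append((posted, merchant, cents))
    return hits


def review(statement, known):
    """Run both checks; returns a dict the holder can act on."""
    probes = find_test_charges(statement, known)
    return {
        "test_charges": probes,
        "follow_on_charges": find_follow_on_charges(statement, known, probes),
    }


if __name__ == "__main__":
    result = review(STATEMENT, KNOWN_MERCHANTS)
    for label, rows in result.items():
        print(label)
        for posted, merchant, cents in rows:
            print(f"  {posted} {merchant:22} {cents / 100:9.2f}")
```

Either list being non-empty is reason to call the card issuer; the test charges alone are the early warning the article says most holders miss.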

Firefox Plug-in Trojan Harvests Logins
Virus writers have latched onto the popularity of Firefox with a new variant on the established practice of stealing online banking passwords.

A password pinching Trojan that poses as a Firefox Plugin is doing the rounds, Romanian security firm BitDefender warns. ChromeInject-A is typically downloaded onto Windows PCs already compromised by other strains of malware.

Once installed, the Trojan sits in Firefox's Plugin folder, activating every time the popular browser is started. The backdoor code looks for data exchanged between a compromised machine and a list of pre-programmed banking sites in Europe, Australia and the US.

Harvested login credentials are captured and subsequently posted to a server located in Russia.

Secunia Study Finds 98 Percent of PCs Vulnerable
Secunia offers a great free tool for home users that I highly recommend. This study was created from information garnered from 20,000 home users who have deployed their product. Having used this at home myself for some time - I would caution that these statistics are a little skewed. The product works so well that it will find all sorts of applications such as Java and some obscure Windows system files that have vulnerabilities but might be a little difficult to find or update. They do a good job of helping the user understand how to update these applications, but still - even I have several that I haven't gotten around to updating, or for one reason or another have decided to let go for now. But it is a great tool and I sincerely recommend installing it.

Now on to the article!

A survey of computer users has shown that almost every PC is running at least one unpatched application, according to vulnerability testing firm Secunia.

Secunia gathered reports from over 20,000 computer users who had downloaded its Personal Software Inspector tool, and found that over 98 percent have at least one application running that is vulnerable to attack. The company warned that the results are even more worrying since the tool is likely to have been downloaded predominantly by more security-aware computer users.

“Has the world improved since the last look at the numbers? The short answer is no. Nearly every PC continues to run with several insecure programs. If anything, these numbers are worse than [11 months ago] when we generated them initially,” said Secunia. “The total number of PCs/users included in these numbers is 20,000, and 98.09 per cent have one or more insecure programs installed on their PC. Hence 98 out of 100 PCs that are connected to the internet have insecure programs installed.”

Another shocking figure from the research is that nearly 50 percent of PCs have 11 or more unsecured programs running on their computers. Secunia warned that antivirus software is largely ineffective at protecting against such vulnerabilities.

Popular Home DSL Routers at Risk of CSRF Attack
A researcher has demonstrated the ease of hacking home routers with an insidious cross-site request forgery (CSRF) attack.

A deadly attack typically associated with Websites can also be used on LAN/WAN devices, such as DSL routers, according to a researcher who this week demonstrated cross-site request forgery (CSRF) vulnerabilities in devices used for AT&T's DSL service. A consultant and founder of security think-tank Hexagon Security Group discovered a CSRF vulnerability in the Motorola/Netopia 2210 DSL modem that, among other things, could let an attacker insert malware onto the victim’s computer or recruit it as a bot for a botnet.

“CSRF is one of the only vulnerabilities that can be either completely innocuous or completely devastating,” he says. The vulnerability is not isolated to Motorola/Netopia DSL modems. It affects most DSL modems because they don’t require authentication to access their configuration menu, he says. “I can take over Motorola/Netopia DSL modems with one request, and I can do it from MySpace and other social networks,” he says. The attack uses HTTP POST and GET commands on the modems, he says. CSRF vulnerabilities are nothing new; they are pervasive on many Websites and in many devices.
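The root cause named above is that the modem's configuration handler applies whatever GET or POST arrives, with no session and no proof that the request came from its own admin page. The sketch below, an added example that is not from the researcher or the newsletter, shows that handler beside a hardened one that requires an authenticated session, a POST, a matching Origin/Referer, and a per-session CSRF token; the device address, request dicts and parameter names are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin of the modem's own administration page (constructed address).
DEVICE_ORIGINS = {"http://192.168.1.254"}


class AdminSession:
    """Server-side session that exists only after the user has authenticated."""
    def __init__(self):
        self.csrf_token = secrets.token_hex(16)


def vulnerable_apply_config(request, config):
    """Mirrors the article: no authentication, any GET or POST is applied."""
    config.update(request["params"])
    return True


def request_origin(headers):
    """Origin header if present, otherwise the origin part of the Referer."""
    if headers.get("Origin"):
        return headers["Origin"]
    ref = headers.get("Referer")
    if ref:
        parts = urlsplit(ref)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def hardened_apply_config(request, session, config):
    """Returns (applied, reason). Each rejection below closes one CSRF avenue."""
    if session is None:
        return False, "not authenticated"
    if request["method"] != "POST":
        return False, "configuration changes must be POSTed"
    if request_origin(request["headers"]) not in DEVICE_ORIGINS:
        return False, "request did not originate from the device's own page"
    token = request["params"].get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False, "missing or wrong CSRF token"
    config.update({k: v for k, v in request["params"].items() if k != "csrf_token"})
    return True, "applied"


# Constructed requests. FORGED is the shape of what a page on another site can
# make a visitor's browser send to the modem: the browser fills in the Referer,
# the page author chooses method and parameters but cannot read the session token.
FORGED = {
    "method": "GET",
    "headers": {"Referer": "http://social-network.example/profile"},
    "params": {"dns_primary": "203.0.113.9"},
}


def legitimate_request(session):
    """What the modem's own admin page submits after the user logs in."""
    return {
        "method": "POST",
        "headers": {"Origin": "http://192.168.1.254"},
        "params": {"dns_primary": "192.0.2.53", "csrf_token": session.csrf_token},
    }


if __name__ == "__main__":
    cfg = {"dns_primary": "192.0.2.1"}
    print("vulnerable, forged:", vulnerable_apply_config(FORGED, dict(cfg)))
    session = AdminSession()
    print("hardened, forged:  ", hardened_apply_config(FORGED, session, dict(cfg)))
    print("hardened, legit:   ", hardened_apply_config(legitimate_request(session), session, dict(cfg)))
```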

BlackBerry Desktop Software Contains Critical Security Flaw
RIM has posted a knowledge base article describing a critical security flaw within the BlackBerry Desktop Software. The flaw has been confirmed by Secunia, a leading vulnerability intelligence provider.

Here’s the problem as described by RIM: “The BlackBerry Desktop Manager includes the Roxio Media Manager for managing media synchronization between the BlackBerry smartphone and the Microsoft Windows computer. The Roxio Media Manager includes a Microsoft ActiveX control used for retrieving and installing application updates. A buffer overflow exists in the DWUpdateService ActiveX control that could potentially be exploited when a user visits a malicious web page that invokes this control.”

Facebook Virus Turns Your Computer Into a Zombie
This is a type of attack we've seen reported in the past. But since it has come up again, it never hurts to be aware.

Hey, I have this hilarious video of you dancing. Your face is so red. You should check it out.

If you've received a message like that through Facebook or MySpace, you may have been exposed to the "Koobface" virus. "Koobface" comes through an e-mail sent by one of your social networking site friends inviting you to scope out a video.

Once the URL is clicked, "Koobface" prompts you to update your Flash player before the video can be displayed. Therein lies the virus, cloaked in a "flash_player.exe" file. According to the Kaspersky Lab, an antivirus organization working closely with Facebook, "the worms transform victim machines into zombie computers to form botnets."

The McAfee Security Blog explains that when "Koobface" infects your computer, it prompts a downloaded service named Security Accounts Manager (SamSs) to load on start-up. SamSs then proxies all HTTP traffic, stealing results from popular search engines and hijacking them to lesser-known search sites. A clear eye for fraud will help you avoid this mess. You can usually spot phony e-mails by their titles. Kaspersky found the following:

  • Paris Hilton Tosses Dwarf On The Street;
  • Examiners Caught Downloading Grades From The Internet;
  • You must see it!!! LOL. My friend catched you on hidden cam;
  • Is it really celebrity? Funny Moments.

The author's own "Koobface" attack came in an e-mail entitled, lool, yoour blushingg afce is so funny! Checkk out. Obviously, Paris Hilton never threw dwarves, and in all likelihood, the author's 26-year-old friend knows how to spell more than two words. These are clear indicators you're being attacked.

Facebook has posted instructions about how to remove the "Koobface" virus: give your computer an antivirus scrub-down and change your Facebook password.

Microsoft to Patch Critical Windows, Excel Flaws
Microsoft said it plans to release patches next week to plug six critical vulnerabilities in Windows, Visual Basic, Internet Explorer, Excel and Word.

The preliminary information was issued by the software giant Thursday as part of its security bulletin advance notification on its TechNet site. Details will be released Dec. 9 when the bulletins are made public. Microsoft is also hosting a webcast to discuss the bulletins on Dec. 10.

iPhone and iPod Touch 2.2 Update Addresses Flaws
Apple has issued software update 2.2 for its iPhone and iPod Touch devices to fix multiple vulnerabilities which could lead to disclosure of sensitive information and a number of other issues.

Secunia rated the 12 flaws "highly critical" and said the vulnerabilities could be maliciously exploited to bypass certain security restrictions, disclose sensitive information, conduct spoofing attacks, cause a denial-of-service condition or potentially compromise a user's system.

Sun and VMware Issue Vital Updates
Users are being advised to update their software after Sun Microsystems and VMware posted software fixes Wednesday.

The patch from Sun addresses security and stability problems in Java, fixing 18 flaws covering stability, data corruption, and security vulnerabilities. Sun did not provide details on the exact nature of the security flaws, but the U.S. Computer Emergency Response Team has advised users and administrators to install the Java update immediately.

The VMware patch, meanwhile, addresses two security flaws in a number of the company’s virtualisation products. The fix applies to VMware Workstation versions 5 and 6, VMware Player versions 1 and 2, and VMware Server version 1.0.9 and earlier, as well as the company’s ESX offering.

The first of the two fixes addresses a flaw that could allow an attacker to remotely cause memory corruption. If exploited, the attacker could crash the target system and gain the ability to write code to memory. The second addresses a previously patched flaw in the bzip2 library on ESX systems. If exploited, the vulnerability could be used by an attacker to crash the system while it decompresses a specially-crafted archive file.

----------------------------------------
Last Updated: December 5, 2008
Website Contact: David Matthews

