Gladiator Security Forum

> Survey scammers serve up supposed shelter from survey scams
Posted by Terryala - 09-1-10 18:54 - 0 comments
Survey scammers serve up supposed shelter from survey scams

QUOTE
Kind of ironic when you think about it

By John Leyden •

Posted in Malware, 1st September 2010 12:18 GMT

Cheeky scammers are offering prospective marks an application that supposedly shields them from exposure to survey scams.

Naturally, you first have to fill in a survey to install the script, which is punted through Userscripts(dot)org. Odds are that even after jumping through these hoops users will still be exposed to surveys and, possibly, left at a heightened risk of malware infection.

"'Only install scripts from sources you trust' is on the install box for a reason," security researcher Christopher Boyd, of GFI Security, notes. Boyd's write-up of the scam can be found here.

Survey scams are becoming increasingly common on social networks. Scammers (affiliates) profit from wasting surfers' time with the Web 2.0 equivalent of email spam. Often the spammers attempt to hoodwink users into signing up to premium rate SMS services.

A study by F-Secure, published last week, took advantage of the web analytic tools used by scammers to investigate the response rates of survey scams.

For example, one recent social network spam run, themed around McDonalds, attracted 32,000 clicks, and a conversion rate of 40 percent.

F-Secure notes that these sizeable figures are lower than those pulled in by earlier scams. A survey scam that used supposed footage of a teacher beating a disobedient student pulled in 140,000 hits six weeks ago, for example, because users are getting wise to the ruse.

"The 32,000 clicks is far less than similar spam from just two months ago when we saw several examples of viral links that yielded hundreds of thousands of clicks," writes Sean Sullivan, a security advisor at F-Secure.

"Returns are diminishing as people are exposed, develop a resistance, and recognise Facebook spam for what it is."

Despite increased user awareness, however, it's unlikely that survey spam scams will disappear anytime soon, F-Secure warns.

"Social networking spammers don't need to dupe very many people in order to be rewarded for their efforts," said Sullivan. "Many of the surveys lead to SMS subscriptions (particularly outside of the USA) and there's good money to be made.

"And because the conversion rates are better than e-mail spam, you can be certain that it won't be going away any time soon." ®


http://www.theregister.co.uk/2010/09/01/survey_scam_spam/

> Huge spamming botnet injured but still alive
Posted by TheSentinel - 08-31-10 17:51 - 0 comments
QUOTE
Huge spamming botnet injured but still alive
By Jeremy Kirk
August 31, 2010 11:29 AM ET

IDG News Service - A botnet responsible for a significant amount of spam has been crippled but may reconstitute itself in a matter of weeks, according to vendor M86 Security.

The Pushdo or Cutwail network of hacked computers ranked in the top five or so botnets for spam, responsible for as much as 10 percent of all spam, said Ed Rowley, product manager for M86 Security. The spam often advertises fake software, so-called designer goods and questionable pharmaceutical products.

But security analysts with the computer security company LastLine took action last week, contacting ISPs that were hosting the command-and-control infrastructure for the botnet.

More:
http://www.computerworld.com/s/article/918...but_still_alive

> Apple QuickTime backdoor creates code-execution peril
Posted by Terryala - 08-30-10 19:50 - 0 comments
Apple QuickTime backdoor creates code-execution peril

QUOTE
Getting punked by 9-year-old parameter

By Dan Goodin in San Francisco •

Posted in Malware, 30th August 2010 19:27 GMT

A security researcher has unearthed a “bizarre” flaw in Apple's QuickTime Player that can be exploited to remotely execute malicious code on Windows-based PCs, even those running the most recent versions of operating system.

Technically, the inclusion of an unused parameter known as “_Marshaled_pUnk” is a backdoor because it is the work of an Apple developer who added it to the QuickTime code base and then, most likely, forgot to remove it when it was no longer needed. It sat largely undetected for at least nine years until Ruben Santamarta of Spain-based security firm Wintercore discovered it and realized it could be exploited to take full control of machines running Windows 7, Microsoft's most secure operating system to date.

“The bug is pretty bizarre,” H D Moore, CSO and chief architect of the Metasploit project, told The Reg on Monday. “It's not a standard vulnerability in the sense that a feature was implemented poorly. It was more kind of a leftover development piece that was left in production. It's probably an oversight.”

The presence of _Marshaled_pUnk creates the equivalent of an object pointer that an attacker can use to funnel malicious code into computer memory. Over the years, applications have contained so many of these types of errors that Microsoft eventually built architectural designs into Windows that reduced the damage that can be inflicted from attacks that exploit them.

ASLR, or address space layout randomization, for instance, loaded code into memory locations that attackers can't predict, while DEP, or data execution prevention, prevented any code that does get loaded from being executed.

But in a stroke of efficiency, Santamarta figured out how to repurpose code in a common Windows file to bypass the protections. Using a technique known as ROP, short for return oriented programming, he was able to load a Windows Live file known as WindowsLiveLogin.dll into memory and reorder the commands in a way that allowed him to take control of the underlying computer. Using the Microsoft DLL not only allowed him to know where in memory it would load, it also allowed him to get the code executed.

Santamarta said the parameter was present in a QuickTime version dating back to 2001, when it could be used to draw contents onto an existing window instead of creating a new one. The functionality was eventually removed from newer versions but the line lived on. Combined with an unrandomized DLL like the one for Windows Live, it represents a serious threat to end users.

The attack has been confirmed on the XP, Vista and 7 versions of Windows, Santamarta said.

In addition to demonstrating the importance of regular code reviews to identify extraneous parameters, the exploit underscores the threat that comes from programs that fail to use the ASLR and DEP protections baked into more recent versions of Windows. A surprisingly large number of popular applications – including Quicktime, Foxit Reader, Google Picasa, OpenOffice.org, RealPlayer and VLC Player – all neglect to use one or the other, a recent review by Secunia found.

While the exploit posted by Santamarta works only against those who have Microsoft's Windows Live Messenger installed, the researcher told The Reg that components that ship by default with QuickTime can be used to pull off the same ROP sleight of hand. Files called QuickTimeAuthoring.qtx and QuickTime.qts are two possibilities.

Indeed, programmers with the open-source Metasploit project used by penetration testers and other hackers are in the process of building an attack module that does just that. And that means, in the next 24 hours, there will be publicly available exploit code for a critical vulnerability that remains unpatched in Apple's blockbuster media player for Windows.

All because of an obsolete parameter named _Marshaled_pUnk. Go figure.


http://www.theregister.co.uk/2010/08/30/ap..._critical_vuln/
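The Secunia finding quoted above (applications that never opt into ASLR or DEP) is something a defender can check directly: a Windows image declares both opt-ins in the DllCharacteristics field of its PE optional header. This is an added example, not code from the article, Secunia or any of the vendors named; it parses that field from raw bytes and builds a constructed, non-loadable sample PE to exercise the check offline.

```python
"""Report whether a PE image opts into ASLR and DEP (added example)."""
import struct

# Flag values from the PE/COFF specification.
DYNAMIC_BASE = 0x0040   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image may be relocated (ASLR)
NX_COMPAT = 0x0100      # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: image is DEP-compatible
PE_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics word of a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header follows the signature
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # optional header starts after the COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (chars,) = struct.unpack_from("<H", data, opt + 70)
    return chars


def mitigation_report(data: bytes) -> dict:
    """Map the flags to the two opt-ins the article talks about."""
    chars = dll_characteristics(data)
    return {"aslr": bool(chars & DYNAMIC_BASE), "dep": bool(chars & NX_COMPAT)}


def build_sample_pe(chars: int) -> bytes:
    """Construct a minimal PE32 image (headers only, not loadable) carrying `chars`.

    Constructed test input, used so the parser can be exercised without a real
    Windows binary on disk."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = bytearray(96)                      # PE32 optional header without data directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, chars)
    # Machine=i386, 0 sections, no timestamp/symbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    return dos + PE_SIGNATURE + coff + bytes(opt)


if __name__ == "__main__":
    for flags in (0, NX_COMPAT, DYNAMIC_BASE | NX_COMPAT):
        print(hex(flags), mitigation_report(build_sample_pe(flags)))
```

To audit a real install, read each .exe/.dll with `open(path, "rb").read()` and pass it to `mitigation_report`; a DLL that lacks DYNAMIC_BASE loads at its preferred base, which is exactly the predictability the ROP chain in the article relies on.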

> Microsoft tool for DLL vulnerability interferes with some applications
Posted by Terryala - 08-30-10 16:30 - 0 comments
Microsoft tool for DLL vulnerability interferes with some applications


Microsoft's tool to protect against the DLL hijacking vulnerability, which was released last week, results in some programs no longer working properly. Users who want to use the tool to reliably prevent attackers from passing infected libraries to trusted applications should set the new registry key DWORD value to 0xFFFFFFFF ("ffffffff"). This removes the working directory, which could be located on a network share, from Windows' list of locations to search for DLLs.

But this causes problems for programs which use precisely this search behaviour, but which are not, necessarily, vulnerable to DLL hijacking. The most prominent example is the current stable version of Google Chrome. If the registry key is set, the browser fails to find the avutil-50.dll file when the user opens the program or a new tab. If a web page contains an HTML5 video element, the entire web page fails to display. On our Windows 7 test system, open source graphics program GIMP was also no longer able to find its plugins. According to user reports, games service Steam and the Java plugin for Mozilla also encounter difficulties.

Such cases can be resolved by either individually excluding problem applications from using the modified search behaviour or watering down security measures for the problem programs. To do so, a new DWORD registry key called CWDIllegalInDllSearch should be created in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Program Name.exe\ and set to '0'. This causes the application to use Windows' standard list of search locations, but of course makes it once more vulnerable to DLL hijacking.

A reasonable compromise is to set the value to '2' – this causes the working directory to be excluded from the list of search locations only if it is a network directory. This, at least, protects against remote attacks, where the user is redirected to crafted SMB or WebDAV shares. Setting this value to '1' protects against WebDAV-based DLL hijacking attacks only.

Certainly the cleanest solution would be updates for the affected programs, but provision of such has so far been patchy. For example, the VLC and uTorrent development teams have reacted rapidly to the publication of exploits – currently springing up in great profusion – and have protected their applications from DLL hijacking. Users wishing to keep on top of the expected flood of patches may wish to chance a look at Secunia's PSI. The freeware tool accesses a large database of programs and informs users when newer versions of applications installed on their system become available. Exploit Database and Corelan.be both offer lists of vulnerable applications.

According to security expert Tim Brown, some Linux distributions may also be prone to the problem – if the LD_LIBRARY_PATH is not set, applications may load libraries from the user's current working directory. However, according to comments made by Brown to Threatpost, this is not easy to exploit.

http://www.h-online.com/security/news/item...ns-1069540.html

> Kaspersky Lab spots new breed of IM worm
Posted by TheSentinel - 08-29-10 18:45 - 0 comments
QUOTE
Kaspersky Lab spots new breed of IM worm

Cyber criminals able to wreak havoc on several IM clients simultaneously

Phil Muncaster

V3.co.uk, 27 Aug 2010

Security experts are warning users to be on guard against a new family of computer worms spreading via a variety of instant messaging (IM) clients.

Kaspersky Lab said it has detected four variants of the IM-Worm.Win32.Zeroll worm so far.

The malware is unusual because it is multi-lingual and is able to spread over several IM clients simultaneously, including Yahoo Messenger, Skype, Paltalk Messenger, ICQ, Windows Live Messenger, Google Talk and the XFire client for gamers.

More:
http://www.v3.co.uk/v3/news/2268885/kasper...-spots-breed-im

> Military Computer Attack Confirmed
Posted by TheSentinel - 08-29-10 18:36 - 0 comments
QUOTE
Military Computer Attack Confirmed
By BRIAN KNOWLTON
Published: August 25, 2010

WASHINGTON — A top Pentagon official has confirmed a previously classified incident that he describes as “the most significant breach of U.S. military computers ever,” a 2008 episode in which a foreign intelligence agent used a flash drive to infect computers, including those used by the Central Command in overseeing combat zones in Iraq and Afghanistan.

Plugging the cigarette-lighter-sized flash drive into an American military laptop at a base in the Middle East amounted to “a digital beachhead, from which data could be transferred to servers under foreign control,” according to William J. Lynn 3d, deputy secretary of defense, writing in the latest issue of the journal Foreign Affairs.

“It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” Mr. Lynn wrote.

More:
http://www.nytimes.com/2010/08/26/technolo...cyber.html?_r=1

> Rootkit with Blue Screen history now targets 64-bit Windows
Posted by Terryala - 08-27-10 19:02 - 0 comments
Rootkit with Blue Screen history now targets 64-bit Windows

QUOTE
'New era,' says researcher of rootkit that bypasses 64-bit kernel defenses by infecting hard drive's boot record
By Gregg Keizer
August 27, 2010 06:42 AM ET

Computerworld - A new version of the malware that crippled Windows PCs last February sidesteps safeguards designed to block rootkits from hijacking machines running 64-bit editions of Windows, researchers said Thursday.

"A new era has officially dawned: the era of x64 rootkits," said Prevx researcher Marco Giuliani in a post to the security vendor's blog yesterday.

The updated rootkit, which goes by names that include Alureon, TDL, TLD3 and Tidserv, is able to infect 64-bit Windows PCs. "TLD3 can be considered as the first x64-compatible kernel mode rootkit infection in the wild," Giuliani said.

Both Prevx and Symantec have found evidence that hackers are actively using the rootkit.

"The infection is spreading on the Web, by using both porn Web sites and exploit kits," said Giuliani, who added that Derby, England-based Prevx had first spotted the new rootkit more than a week ago. Symantec's first sighting was Wednesday.

A previous version of the rootkit caused serious problems earlier this year after a Microsoft security update crashed 32-bit Windows machines.

Within hours of the Feb. 9, 2010, release of security update MS10-015, users reported that their computers wouldn't restart. Two days later, Microsoft halted automatic distribution of the update and launched an investigation.

MS10-015 patched a 17-year-old Windows kernel bug that was publicly disclosed in January 2010 by Google security engineer Tavis Ormandy.

Microsoft later concluded that only PCs already infected with a rootkit it called Alureon were incapacitated with Blue Screen of Death errors. It didn't restart the distribution of MS10-015 until early March, when it added code to block installation when a rootkit infection was detected. Subsequent kernel patches have included that same detection.

During the Blue Screen of Death brouhaha, the then-current Alureon was able to successfully infect only 32-bit versions of Windows. That limitation no longer applies.

The new rootkit sidesteps two important anti-rootkit protections Microsoft built into 64-bit Windows: Kernel Mode Code Signing and Kernel Patch Protection, also known as PatchGuard. The pair are designed to make it more difficult for malware to tamper with the operating system's kernel.

"To bypass Kernel Patch Protection and driver signature verification, the rootkit is patching the hard drive's master boot record so that it can intercept Windows' start-up routines, own it and load its driver," Giuliani said.

Rootkits that overwrite the hard drive's master boot record (MBR), where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks, are essentially invisible to the operating system and security software.

"The main Tidserv components are stored in unused space at the end of the hard drive in encrypted form," said Symantec researchers in a Thursday note on the company's security response blog. "This makes it more difficult to detect and remove once a computer is infected."

Both Prevx and Symantec said that they were continuing to analyze the 64-bit rootkit, and would publish more information when they had it.


http://www.computerworld.com/s/article/918...s?taxonomyId=89

> Attackers exploit DLL vulnerability in Office and other applications
Posted by Terryala - 08-27-10 18:57 - 0 comments
Attackers exploit DLL vulnerability in Office and other applications


The Internet Storm Centre reports that criminals are already exploiting a DLL vulnerability in numerous applications. Applications targeted by attackers include Microsoft Office, WindowsMail and uTorrent. The number of vulnerable applications is rising almost hourly – searching Exploit Database for "DLL hijacking" reveals that new exploits targeted at popular applications are constantly appearing. Other affected applications include Photoshop and Thunderbird. Updates are already available for VLC (1.1.4) and uTorrent (2.0.4) which protect against DLL hijacking.

DLL hijacking, also known as binary planting, involves attackers exploiting the way Windows searches for DLLs. If a developer fails to explicitly define the path for a DLL, the operating system sequentially searches a series of directories for the required DLL. The penultimate directory searched is usually the working directory, which could be a network share. There are occasions when an application will attempt to load a DLL without knowing in advance whether it's actually installed, for example, when selecting a video codec. If the program requests a DLL which is not found on a typical system, the operating system will automatically check the working directory.

This means that, for example, when a user starts Media Player Classic by double-clicking on an MP3 file from an SMB or WebDAV share, the program will search the share for the optional iacenc.dll codec library. If an attacker has placed a crafted file with this name in the same directory, malicious code contained in the file will be loaded and executed. Users can protect themselves using a tool for system administrators published by Microsoft. After the tool has been installed, the DLL search sequence can be modified using a new registry key and the working directory excluded from the search. However, software developers are being asked to fix the vulnerability in their own applications – Microsoft does not currently plan to release a patch to fix the issue.

There is plenty of room for debate over whether documentation, developer tools or programmers themselves are at fault. The NSA issued a warning about the underlying problem 12 years ago and Microsoft security expert David LeBlanc also pointed out the risk on his blog more than two years ago. It seems that up until now though, no-one noticed that the vulnerability could also be exploited over network shares.

http://www.h-online.com/security/news/item...ns-1068583.html
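The two h-online posts above (this one on the search order, and the earlier one on the CWDIllegalInDllSearch values 0, 1, 2 and 0xFFFFFFFF) can be tied together with a small model of the lookup. This is an added example, not code from either article or from Microsoft's tool: it encodes the search sequence the posts describe and the four policy values, over a constructed picture of which directories hold which files, so you can see which copy of iacenc.dll or avutil-50.dll would be picked up under each setting. The rule used to tell a WebDAV share from an SMB share (an `@SSL` or `DavWWWRoot` path component) is an assumption of this model.

```python
"""Model of how CWDIllegalInDllSearch changes which DLL gets loaded (added example)."""

# REG_DWORD values described in the article for CWDIllegalInDllSearch.
CWD_ALLOWED = 0x0              # default: the working directory is searched
CWD_BLOCK_WEBDAV = 0x1         # skip the working directory only if it is a WebDAV location
CWD_BLOCK_NETWORK = 0x2        # skip it if it is any network location (SMB or WebDAV)
CWD_BLOCK_ALWAYS = 0xFFFFFFFF  # never search the working directory

# Directories Windows consults before the working directory (SafeDllSearchMode on).
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def cwd_kind(cwd: str) -> str:
    """Classify the working directory as 'local', 'smb' or 'webdav'.
    Assumption: WebDAV shares show up as UNC paths carrying '@SSL' or 'DavWWWRoot'."""
    low = cwd.lower()
    if not low.startswith("\\\\"):
        return "local"
    return "webdav" if ("@ssl" in low or "davwwwroot" in low) else "smb"


def cwd_is_searched(cwd: str, policy: int) -> bool:
    kind = cwd_kind(cwd)
    if policy == CWD_BLOCK_ALWAYS:
        return False
    if policy == CWD_BLOCK_NETWORK:
        return kind == "local"
    if policy == CWD_BLOCK_WEBDAV:
        return kind != "webdav"
    return True                                # CWD_ALLOWED (and unknown values) keep the default


def search_order(app_dir: str, cwd: str, policy: int, path_dirs) -> list:
    """Ordered list of directories LoadLibrary would try for an unqualified name."""
    order = [app_dir] + SYSTEM_DIRS
    if cwd_is_searched(cwd, policy):
        order.append(cwd)                      # the 'penultimate' slot the article mentions
    return order + list(path_dirs)


def resolve_dll(name, app_dir, cwd, policy, path_dirs, filesystem):
    """Return the first directory holding `name`, or None if the load would fail.
    `filesystem` maps directory -> iterable of file names present (constructed)."""
    wanted = name.lower()
    for d in search_order(app_dir, cwd, policy, path_dirs):
        if wanted in {f.lower() for f in filesystem.get(d, ())}:
            return d
    return None


# Constructed scenario: an optional codec planted on a share (the article's example)
# and a library an application only finds through its local working directory.
MPC_DIR = r"C:\Program Files\MPC"
SHARE = r"\\fileserver\music"
WEBDAV = r"\\webhost@SSL\DavWWWRoot\music"
CHROME_DIR = r"C:\Program Files\Google\Chrome"
LOCAL_CWD = r"C:\Users\alice\Desktop"
SAMPLE_FS = {
    MPC_DIR: ["mplayerc.exe"], CHROME_DIR: ["chrome.exe"],
    SHARE: ["song.mp3", "iacenc.dll"], WEBDAV: ["song.mp3", "iacenc.dll"],
    LOCAL_CWD: ["avutil-50.dll"], r"C:\Windows\System32": ["kernel32.dll"],
}

if __name__ == "__main__":
    for policy in (CWD_ALLOWED, CWD_BLOCK_WEBDAV, CWD_BLOCK_NETWORK, CWD_BLOCK_ALWAYS):
        print(hex(policy), resolve_dll("iacenc.dll", MPC_DIR, SHARE, policy, [], SAMPLE_FS),
              resolve_dll("avutil-50.dll", CHROME_DIR, LOCAL_CWD, policy, [], SAMPLE_FS))
```

With value 2 the planted codec on either share is never consulted while the local-directory case still works, which is why the earlier post calls it a reasonable compromise; value 0xFFFFFFFF breaks the local case too, which is the Chrome symptom it describes.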

> Sophos warns of fake anti-virus spam campaign
Posted by TheSentinel - 08-26-10 18:35 - 0 comments
QUOTE
Sophos warns of fake anti-virus spam campaign

Latest scareware outbreak features emails with malicious HTML attachments

Phil Muncaster

V3.co.uk, 26 Aug 2010

Security vendor Sophos is warning of a major spam campaign designed to trick users into downloading fake anti-virus software.

In a blog post, Sophos senior technology consultant Graham Cluley explained that the unsolicited emails arrive with subject lines such as “You're invited to view my photos!”, “Appointment Confirmation”, or “Your Bell e-bill is ready”.

“Opening the attached HTML file, however, redirects your web browser to a hacked web site containing a malicious iFrame [which Sophos detects as Troj/Iframe-FK],” said Cluley.

More about:
http://www.v3.co.uk/v3/news/2268786/sophos...fake-anti-virus

> Full-Body Scan Technology Deployed In Street-Roving Vans
Posted by TheSentinel - 08-26-10 11:17 - 1 comments
QUOTE
Aug. 24 2010 - 12:00 pm

Andy Greenberg
The Firewall

Full-Body Scan Technology Deployed In Street-Roving Vans

As the privacy controversy around full-body security scans begins to simmer, it’s worth noting that courthouses and airport security checkpoints aren’t the only places where backscatter x-ray vision is being deployed. The same technology, capable of seeing through clothes and walls, has also been rolling out on U.S. streets.

American Science & Engineering, a company based in Billerica, Massachusetts, has sold U.S. and foreign government agencies more than 500 backscatter x-ray scanners mounted in vans that can be driven past neighboring vehicles to see their contents, Joe Reiss, a vice president of marketing at the company told me in an interview. While the biggest buyer of AS&E’s machines over the last seven years has been the Department of Defense operations in Afghanistan and Iraq, Reiss says law enforcement agencies have also deployed the vans to search for vehicle-based bombs in the U.S.

More about that:
http://blogs.forbes.com/andygreenberg/2010...et-roving-vans/
