Gladiator Security Forum

> Two Arrested Over ZeuS/Zbot Trojan
Posted by TheSentinel - 11-20-09 20:20 - 0 comments
QUOTE
Two Arrested Over ZeuS/Zbot Trojan

Doug Caverly
Staff Writer
2009-11-19

Computer users all over the world may owe a "thank you" to the Metropolitan Police's e-crimes unit. Officers based there have tracked down and arrested two individuals whom they believe are connected to the ZeuS or Zbot trojan.

This particular type of malware tries to collect financial details from people - think bank account numbers and passwords, credit card info, and so on - and so has the potential to cause quite a bit more damage than some viruses. An individual might lose his savings, not just have his computer slow down or die.

More details:
http://www.securitypronews.com/insiderrepo...ZbotTrojan.html

> MS discovers flaw in Google plug-in for IE
Posted by Terryala - 11-20-09 19:36 - 0 comments
MS discovers flaw in Google plug-in for IE

QUOTE
Google whacked

By John Leyden

Posted in Enterprise Security, 20th November 2009 11:10 GMT

Microsoft has helped discover a flaw in the Google Chrome Frame plug-in for Internet Explorer users.

The plug-in allows suitably coded web pages to be displayed in Internet Explorer using the Google Chrome rendering engine. Redmond warned that the plug-in made IE less secure as soon as it became available back in September, an argument bolstered by the discovery of a cross-origin bypass flaw in the add-in.

Successfully exploiting the flaw creates a means for hackers to bypass security controls though not to go all the way and drop malware onto vulnerable systems.

Microsoft and security researcher Lostmon are jointly credited with discovering the vulnerability in Google's browser add-on.

Google acknowledged the flaw and urged users to update to version 4.0.245.1 of Google Chrome Frame. All users should be updated automatically to the latest version of the software, which also tackles a number of performance and stability glitches. Chief among these are problems handling iFrames, as explained in Google's security advisory here. ®


http://www.theregister.co.uk/2009/11/20/google_plug_in_bug/

> Major IE8 flaw makes 'safe' sites unsafe
Posted by Terryala - 11-20-09 19:33 - 0 comments
Major IE8 flaw makes 'safe' sites unsafe

QUOTE
Microsoft's XSS buster busted

By Dan Goodin in San Francisco

Posted in Enterprise Security, 20th November 2009 01:42 GMT

Exclusive: The latest version of Microsoft's Internet Explorer browser contains a bug that can enable serious security attacks against websites that are otherwise safe.

The flaw in IE 8 can be exploited to introduce XSS, or cross-site scripting, errors on webpages that are otherwise safe, according to two Register sources, who discussed the bug on the condition they not be identified. Microsoft was notified of the vulnerability a few months ago, they said.

Ironically, the flaw resides in a protection added by Microsoft developers to IE 8 that's designed to prevent XSS attacks against sites. The feature works by rewriting vulnerable pages using a technique known as output encoding so that harmful characters and values are replaced with safer ones. A Google spokesman confirmed there is a "significant flaw" in the IE 8 feature but declined to provide specifics.

It's not clear how the protections can cause XSS vulnerabilities in websites that are otherwise safe. Michael Coates - a senior application security engineer at Aspect Security who has closely studied the feature but was unaware of the vulnerability - speculates it may be possible to cause IE 8 to rewrite pages in such a way that the new values trigger an attack on a clean site.

"If the attacker can figure out a flaw in the way IE 8 is actually doing that output encoding and then create a specific string the attacker will know will be transformed into an actual attack, they could use that to input a value ... that actually results in an attack firing on the page," he said. "This could be a way to introduce an attack into a page that didn't have a vulnerability otherwise."

XSS attacks are a way of manipulating a site's URL to inject malicious code or content into a trusted webpage. Many security watchers have come to view the IE 8 protections as Microsoft's answer to NoScript, a popular extension that helps prevent XSS and other types of attacks against users of the Firefox browser.

Late on Thursday afternoon, Microsoft told The Register: "Microsoft is investigating new public claims of a vulnerability in Internet Explorer. We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact."

Once its investigation is finished, the company will "take appropriate action," including issuing a patch or guidance on how users can protect themselves against exploits.

When Microsoft introduced the protections, it also created a way for webmasters to override the feature (by adding the response header "X-XSS-Protection: 0"). A review of the top 50 most visited websites shows that only web properties owned by Google have actually opted to do so. The small number of sites blocking the protection calls into question how widespread the vulnerability is.

Asked why Google was forgoing the protection, a company spokesman wrote in an email:

"We're aware of a significant flaw affecting the XSS Filter in IE8, and we've taken steps to help protect our users by disabling the mechanism on our properties until a fix has been released." He didn't elaborate.

In addition to potentially introducing serious vulnerabilities into webpages, the XSS protections can bring other undesirable results. That's because its engine frequently flags perfectly acceptable characters as potentially harmful. An example of such a false positive is here.

David Ross, a senior software security engineer for Microsoft, has said developers designing the feature aimed to strike a pragmatic balance between protecting users and not breaking the web.

"We needed to find a way to make the filtering automatic and painless and thus provide maximum benefit to users," he wrote. "In summary, the XSS Filter will prove its worth by raising the bar and mitigating the types of XSS most commonly found across the web today, by default, for users of Internet Explorer 8." ®


http://www.theregister.co.uk/2009/11/20/in..._security_flaw/
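
A quick way to audit which of your own responses still rely on the IE8 filter, added here as an example and not code from the article: it parses raw HTTP responses (constructed samples, not captured traffic) and reports whether X-XSS-Protection is absent, set to 0 as Google did, or set to 1. The "1; mode=block" variant is a real IE8 value the article does not mention.

```python
"""Audit whether HTTP responses opt out of the IE8 XSS Filter via X-XSS-Protection."""


def parse_xss_protection(value):
    """Parse an X-XSS-Protection value such as '0', '1' or '1; mode=block'.
    Returns (enabled, mode); mode is None when no mode= token is present."""
    tokens = [t.strip() for t in value.split(";") if t.strip()]
    enabled = bool(tokens) and tokens[0] == "1"
    mode = None
    for tok in tokens[1:]:
        name, _, val = tok.partition("=")
        if name.strip().lower() == "mode":
            mode = val.strip().lower()
    return enabled, mode


def split_headers(raw_response):
    """Return (status_line, headers) from a raw HTTP response.
    Header names are lower-cased; a repeated header keeps its last value."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, val = line.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    return lines[0], headers


def xss_filter_state(raw_response):
    """Classify one response: 'default' (header absent, the browser decides),
    'disabled' (the opt-out the article describes), or 'enabled[/mode]'."""
    _, headers = split_headers(raw_response)
    value = headers.get("x-xss-protection")
    if value is None:
        return "default"
    enabled, mode = parse_xss_protection(value)
    if not enabled:
        return "disabled"
    return "enabled" if mode is None else "enabled/" + mode


def audit(responses):
    """Map each (label -> raw response) to its filter state for a quick report."""
    return {label: xss_filter_state(raw) for label, raw in responses.items()}


# Constructed sample responses (not captured traffic).
SAMPLE_RESPONSES = {
    "opted-out site": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                      "X-XSS-Protection: 0\r\n\r\n<html>...</html>",
    "blocking mode": "HTTP/1.1 200 OK\r\nX-XSS-Protection: 1; mode=block\r\n\r\n"
                     "<html>...</html>",
    "no header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>",
}

if __name__ == "__main__":
    for label, state in audit(SAMPLE_RESPONSES).items():
        print("%-15s %s" % (label, state))
```

A site that turns the filter off loses the browser-side mitigation, so the opt-out only makes sense where the pages already do their own output encoding.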

> Facebook Login Phishing+Account Hacking
Posted by Chachazz - 11-20-09 03:17 - 0 comments
"Pandalabs, who uncovered the phishing scam, did not release lots of details about the attack other than it mimicked the Facebook login page and displayed an error message after the user entered the Facebook login information. They also mentioned that the fraudulent url would most likely be spread by email but also Blackhat SEO techniques..."... GHacks

Fake Facebook page steals login details...Computerworld

> Scareware tool dumps smut on Windows PCs
Posted by Terryala - 11-19-09 18:47 - 0 comments
Scareware tool dumps smut on Windows PCs

QUOTE
Rogue clean-up tool poses child abuse frame risk

By John Leyden

Posted in Security, 19th November 2009 18:05 GMT

Rogue anti-virus slingers are getting even sneakier. Instead of offering to clean up non-existent malware threats as per the traditional approach, one rogue scanner offers to clean up images of porn it claims to have found on a prospective mark's PC.

In reality, these images get downloaded by the purported clean-up package itself. Victims were exposed to the pitch on behalf of an especially malodorous scareware package called Win Spy Protect simply by visiting a hacked website.

Roger Thompson, chief of research at security firm AVG, ran across the threat months ago but held back on publishing details until Thursday. Heightened concerns about how malware infection could result in the presence of images of child abuse on the PCs of non-paedophiles prompted Thompson into publishing a video of the threat (below).

The hacked website linked to the attack was a children's site and the content strictly adult porn. However, the tactic could result in child abuse images getting dropped onto the machines of surfers whose only mistake was to stray onto hacked websites, as Thompson explains.

Fortunately, LinkScanner detects the rogue-spyware aspects of this and blocks it just fine, but without LinkScanner, these images would now be in the browser cache, and it would sure look like the owner was guilty. Worse still, the images could just as easily be kiddy porn, and just being in your cache would be regarded as possession, and therefore highly illegal by most law enforcement agencies.


Poisoned blogs

In related scareware news, hackers have set up 260,000 fake blog pages on compromised sites in preparation for a scareware distribution campaign that relies on manipulating search engine rankings so that booby-trapped sites appear prominently in the search indexes for topical terms.

Between the latest attack (detected this week) and an even larger assault along the same lines detected in September, there are now well over 800,000 fake blog pages. Few of these pages are detected by Google as malicious, net security firm eSoft warns.

A blog post by eSoft explains the mechanism of the scam.

"The key to this scheme is JavaScript uploaded to the compromised server and used in the fake blog pages. The file, css.js, contains obfuscated JavaScript which redirects users to Rogue AV [anti-virus] if the site is accessed through certain search engines," it said.

"Using this technique allows the attackers to quickly and easily change distribution points and payloads. The current payloads have low detection rates among AV [anti-virus] scanners." ®


http://www.theregister.co.uk/2009/11/19/smut_scareware/

> Health Net says 1.5M medical records lost in data breach
Posted by Terryala - 11-19-09 18:44 - 0 comments
Health Net says 1.5M medical records lost in data breach

QUOTE
Connecticut A.G. calls six-month delay in reporting loss 'incomprehensible'
By Lucas Mearian
November 19, 2009 01:16 PM ET

Computerworld - A hard drive with seven years' worth of personal financial and medical information on about 1.5 million customers of Health Net of the Northeast Inc. was reported missing to state officials yesterday -- six months after the drive went missing.

Along with medical records, the hard drive contains names, addresses and Social Security numbers of Health Net customers from Arizona, Connecticut, New Jersey and New York. Connecticut has data breach laws requiring individuals be notified of the loss of their personal data without reasonable delay.

The data loss, which occurred in May, was only reported by the insurance company to the Connecticut state attorney general's office and the Department of Insurance yesterday. The device containing the data was an external, portable hard drive. The data had not been encrypted.

Health Net, based in Shelton, Conn., had no information about the data breach on its Web site.

Connecticut Attorney General Richard Blumenthal said his office is investigating the data breach. "Health Net's incomprehensible foot-dragging demonstrates shocking disregard for patients' financial security, as well as loss of their highly sensitive and confidential personal health information," he said in a statement.

"I will demand immediate answers and action, including at least two years of comprehensive identity theft protection for consumers," he said. "We will demand identity theft insurance and reimbursement for credit freezes as well as credit monitoring for at least two years for all 446,000 consumers" in Connecticut whose data is at risk.

The state's insurance commissioner, Thomas Sullivan, said he is requiring Health Net to offer credit protection monitoring through Debix, a company that provides identity-theft protection services.

According to a statement by Health Net, the information on the drive was saved in an image format that cannot be read without special software. Health Net plans to send letters to its customers officially notifying them of the incident.

"Protecting the privacy of our members is extremely important to us," Health Net said. "We apologize for any inconvenience or concern this may cause our members."

The company said that, to date, it has received no reports of misused data arising from the breach and pledged to provide credit monitoring for over two years "free of charge to all impacted members who elect this service, and will provide assistance to any member who has experienced any suspicious activity, identity theft or health care fraud between May 2009 and their date of enrollment with our identity protection service."

Health Net of the Northeast is a subsidiary of managed health care provider Health Net Inc., based in Woodland Hills, Calif. Health Net Inc. is a $15.3 billion company that provides managed medical coverage to some 6.7 million customers in the U.S.

Health Net of the Northeast currently has about 580,000 members and a physician network comprising more than 160,000 doctors, 5,440 pharmacies, and 244 hospitals throughout Connecticut, New York, New Jersey, and Pennsylvania.


http://www.computerworld.com/s/article/914...h?taxonomyId=17

> Thousands of web pages manipulated in large-scale scareware attack
Posted by Terryala - 11-18-09 19:39 - 0 comments
Thousands of web pages manipulated in large-scale scareware attack

QUOTE
In a post on its company blog, security firm Cyveillance reports on a large-scale scareware attack which appears to have involved manipulating more than 200,000 harmless web pages (for additional information about scareware read our feature article "Thieves and charlatans - Rogue antivirus products" in The H Security channel). Google's search engine reportedly plays an important role in the attack, pointing users to the compromised web pages when certain search terms are entered. According to the report, the search terms used in the attack are not the usual suspects, such as "Britney Spears", "Obama" or "Paris Hilton". Google apparently only provides links to the infected pages when a longer combination of words is entered.

The criminals exploit the circumstance that, surprisingly, most of the queries entered in Google apparently contain four to five words. According to Cyveillance, they have seemingly found a successful "niche". To get Google to index the word sequence, the criminals install their own blog on the hacked pages and automatically generate entries whose headings contain the required words (for example "las vegas rental no credit check", "real world melinda and danny" or "uninvited song lyrics alanis morrissette").

While Google's search results usually warn of such specially crafted web pages, this is only the case if a link leads directly to the page. When a link is redirected to a malicious page, there is no alert in the search results.

Victims who have arrived on one of the pages are redirected to one of the criminals' servers, which will pretend to scan the hard disk for viruses and then attempt to trick the user into paying for and downloading bogus anti-virus software by presenting fake malware infestation results. However, the redirect only becomes active if the user arrived at the page by following a Google search result. For this purpose, the injected blog software checks the HTTP referrer.

The criminals' server domains are all reported to be registered with the Chinese TodayNIC.com registrar and are also said to be involved in spreading the Koobface worm for Windows. How the criminals hack the pages has not been fully clarified. A vulnerability in the old version 1.4.24 of the Coppermine photo gallery software is said to play a role in some cases.


http://www.h-online.com/security/news/item...ack-863349.html
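
Detection logic for the referrer check the article describes, added here as an example and not taken from Cyveillance's report: it reads Combined Log Format access-log lines (constructed samples) and flags paths that redirect visitors arriving from a search engine while serving a normal 200 to direct visitors. The search-engine host markers and the q=/p= query parameter names are assumptions, not details from the article.

```python
"""Spot referrer-conditional ("cloaked") redirects in web server access logs."""
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Combined Log Format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed host markers for search-engine result pages.
SEARCH_ENGINES = ("google.", "bing.", "yahoo.")


def search_query(referer):
    """Return the search query if the referer is a search-engine results page, else None."""
    if referer in ("", "-"):
        return None
    u = urlparse(referer)
    if not any(marker in u.netloc.lower() for marker in SEARCH_ENGINES):
        return None
    qs = parse_qs(u.query)
    for key in ("q", "p"):  # Google/Bing use q=, Yahoo uses p= (assumption)
        if key in qs:
            return qs[key][0]
    return ""


def find_cloaked_paths(lines):
    """Group requests by path; flag paths that redirect search-engine visitors
    but never redirect direct visitors (who get a normal response instead)."""
    stats = defaultdict(lambda: {"search_redirect": 0, "search_ok": 0,
                                 "direct_redirect": 0, "direct_ok": 0, "queries": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        path, status = m.group("path"), int(m.group("status"))
        query = search_query(m.group("referer"))
        from_search = query is not None
        redirected = 300 <= status < 400
        key = ("search" if from_search else "direct") + ("_redirect" if redirected else "_ok")
        stats[path][key] += 1
        if from_search and redirected:
            stats[path]["queries"].append(query)
    return {p: s for p, s in stats.items()
            if s["search_redirect"] > 0 and s["direct_ok"] > 0 and s["direct_redirect"] == 0}


# Constructed sample log lines (not real traffic); the blog titles echo the article's examples.
G = "http://www.google.com/search?q="
UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Nov/2009:10:01:02 +0000] "GET /blog/las-vegas-rental-no-credit-check.html HTTP/1.1" 302 0 "%s" "%s"' % (G + "las+vegas+rental+no+credit+check", UA),
    '198.51.100.7 - - [18/Nov/2009:10:01:09 +0000] "GET /blog/las-vegas-rental-no-credit-check.html HTTP/1.1" 200 4512 "-" "%s"' % UA,
    '203.0.113.9 - - [18/Nov/2009:10:02:40 +0000] "GET /blog/uninvited-song-lyrics-alanis-morissette.html HTTP/1.1" 302 0 "%s" "%s"' % (G + "uninvited+song+lyrics+alanis+morissette", UA),
    '198.51.100.8 - - [18/Nov/2009:10:02:55 +0000] "GET /blog/uninvited-song-lyrics-alanis-morissette.html HTTP/1.1" 200 4498 "-" "%s"' % UA,
    '203.0.113.5 - - [18/Nov/2009:10:03:10 +0000] "GET /about.html HTTP/1.1" 200 1200 "%s" "%s"' % (G + "example+site+about", UA),
    '198.51.100.7 - - [18/Nov/2009:10:03:15 +0000] "GET /about.html HTTP/1.1" 200 1200 "-" "%s"' % UA,
    '203.0.113.5 - - [18/Nov/2009:10:04:00 +0000] "GET /old-page.html HTTP/1.1" 301 0 "%s" "%s"' % (G + "old+page", UA),
    '198.51.100.7 - - [18/Nov/2009:10:04:05 +0000] "GET /old-page.html HTTP/1.1" 301 0 "-" "%s"' % UA,
]

if __name__ == "__main__":
    for path, s in find_cloaked_paths(SAMPLE_LOG).items():
        print("%s: %d search redirects, %d direct 200s, queries=%s"
              % (path, s["search_redirect"], s["direct_ok"], s["queries"]))
```

The combined format does not record the Location header, so the redirect destination must be confirmed separately; a legitimate site-wide redirect (the /old-page.html case) is not flagged because direct visitors are redirected too.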

> Spammers aim to profit from swine flu pandemic
Posted by Terryala - 11-16-09 21:02 - 0 comments
Spammers aim to profit from swine flu pandemic

QUOTE
Caution advised over modern day Harry Limes

By John Leyden

Posted in Spam, 16th November 2009 16:50 GMT

Russian cybercrooks have laid the groundwork needed to build a business cashing in on swine flu panic-buying.

Tamiflu sales from dodgy unlicensed pharmaceutical websites are being promoted through spam email, search engine manipulation and a variety of other underhand techniques. Web affiliates, commonly based in Russia where they are called Partnerka, are driving traffic to dodgy pharmaceutical sites using a variety of spam and adware-related marketing tactics.

Hundreds of virtually similar so-called "Canadian pharmacy" sites exist. Although they claim to be based in Canada (a tactic designed to add a thin layer of legitimacy) the sites might actually be located anywhere in the world.

Sophos reports that members of Glavmed, one of the more popular Russian affiliate networks, can earn an average of $16,000 a day promoting such dodgy pharmacy websites. These sites have begun advertising Tamiflu alongside more traditional products such as Viagra and Cialis.

Responding to these spamvertised websites risks exposure to potentially dangerous drugs, while also handing over personal data to cybercrooks, net security firm Sophos warns.

This July witnessed a huge increase in UK internet searches for Tamiflu, at a time when there were concerns that global Tamiflu production was falling behind schedule. The northern winter could see a repeat of this interest, creating a demand that unlicensed online pharmacies are ready to exploit.

Rat boys

The business model of the cybercrooks is straightforward. Surfers searching for information online about Tamiflu are directed to specific online pharmacies where they are invited to buy a generic and (likely counterfeit) version of the drug. Cybercrooks have manipulated search engine results to drive as much online traffic as possible to illicit pharmacy websites using black-hat search-engine optimisation techniques. Cybercrooks are also bombarding web users with spam and messages from hacked accounts on social networking websites.

Sites supplying the drug pay affiliates between 20-40 per cent of the value of any sale. Buyers typically receive some kind of drug as result of their purchase but the supplied pills are liable to be out of date or otherwise risky. In other cases users may receive only sugar-pill placebos. Sophos reckons the top five countries purchasing Tamiflu and other drugs from bogus sites are the US, Germany, UK, Canada and France.

"As more and more cases of swine flu in the UK come to light, it is essential that we all resist the panic-induced temptation to purchase Tamiflu online," said Graham Cluley, senior technology consultant at Sophos.

"The criminal gangs working behind the scenes at fake internet pharmacies are putting their customers’ health, personal information and credit card details at risk. They have no problem breaking the law to promote these websites, so you can be sure they’ll have no qualms in exploiting your confidential data or selling you medications which may put your life in danger.

"If you think you need medication go to your real doctor, and stay away from quacks on the internet."

Sophos's research into Partnerka spam affiliate networks more generally, presented at the Virus Bulletin conference back in September, can be found here (PDF).

The warning about spam promoting dodgy pharmaceutical sites coincides with the start of a campaign by drug firm Pfizer, warning that between 50-90 per cent of drugs sold through unlicensed sites are counterfeit. Pfizer has produced a hard-hitting TV advert - which is only allowed to be shown on British TV after 11 o'clock at night - that depicts a man throwing up a rat, as part of this campaign. It claims that rat poison can be one of the ingredients of "medicines" on offer from illegal websites.

In support of its public education push, the Viagra developer has also set up a website featuring less stomach-churning material at realdanger.co.uk. ®


http://www.theregister.co.uk/2009/11/16/swine_flu_spam/

> Hackers outwit Windows 7 activation
Posted by Terryala - 11-16-09 20:57 - 0 comments
Hackers outwit Windows 7 activation

QUOTE
Software lets pirates thwart Microsoft's antipiracy technology in new OS
By Gregg Keizer
November 16, 2009 01:37 PM ET

Computerworld - Hackers have figured out how to sidestep Windows 7's activation process, continuing a long-running battle with Microsoft, which has blocked such tactics in the past.

According to an article published more than a week ago on My Digital Life, hackers have devised a pair of methods that circumvent the new operating system's product activation, a key component of Microsoft's antipiracy technologies.

Microsoft said it knew about the hacks and was looking into ways to block them. "We're aware of this workaround and are already working to address it," a company spokeswoman said today.

Two utilities, called "RemoveWAT" and "Chew-WGA," remove the activation technologies or prevent them from running, said My Digital Life. Both hacking tools trick Windows 7 into reporting that it has been properly activated, preventing the nagging on-screen displays and other visual cues from appearing that Microsoft has built into its software to mark counterfeit software.

With Windows 7, Microsoft dropped the "Windows Genuine Advantage" (WGA) name for its integrated antipiracy software, and replaced it with "Windows Activation Technologies" (WAT). The end result on users' screens, however, remained similar to what Vista displayed. The most evident change to Windows 7 was the discarding of a delay during log-in on a machine with an inactivated copy of Windows. Under Vista's scheme, users had to wait 15 seconds before clicking the "Activate Later" button to proceed to the desktop. In Windows 7, users can click that button immediately.

Microsoft made dramatic changes to Vista's illegitimate software warnings nearly two years ago, then followed those with nearly identical modifications to the older Windows XP. In both operating systems, the company dumped the reduced functionality mode that essentially made the machine unusable, and instead boosted the number of on-screen messages and planted a black background on the desktop.

Microsoft has blocked anti-activation hacks in the past, using Windows Update to push changes to users. In early 2008, for example, the company stymied a pair of activation cracks with just such an update, then rolled the crack detection code into Vista Service Pack 1 (SP1) a month later. It issued another update in February 2009 to block another crack that affected Vista Ultimate.

The post on My Digital Life acknowledged that Microsoft might take the same tack with the Windows 7 workarounds. "As [the] cracks based on removal of activation component involves patching, changes and modification to many system files, it's likely to be easily detected and nullified by Microsoft, especially in [the] next WGA update or Service Pack 1 (SP1) for Windows 7 and Windows Server 2008 R2," My Digital Life reported.


http://www.computerworld.com/s/article/914...n?taxonomyId=89

> Kaspersky's Analytical Digest November 2009
Posted by TheSentinel - 11-15-09 16:19 - 0 comments
QUOTE
Viruslist.com - Analytical Digest

*****

12 Nov 2009: Browsing malicious websites

Introduction: cybercrime trends and evolution

Over the past few years, the Internet has become a dangerous place. Initially designed to accommodate a relatively small number of users, it grew far beyond anything its creators could have anticipated. There are currently over 1.5 billion Internet...

http://www.viruslist.com/en/analysis?pubid=204792089

*****

9 Nov 2009: Spam evolution: September 2009

The amount of spam detected in email traffic averaged 86.3% in September 2009. A low of 83.3% was recorded on 18 September with a peak value of 91.3% being reached on 27 September.

http://www.viruslist.com/en/analysis?pubid=204792088

*****

5 Nov 2009: Monthly Malware Statistics: October 2009

Kaspersky Lab presents its monthly malware statistics for October. From this month onwards, the data used is gathered from all products which use the Kaspersky Security Network (KSN), i.e. products from both the 2009 and 2010 lines.

http://www.viruslist.com/en/analysis?pubid=204792087

*****

20 Oct 2009: Malware Miscellany, September 2009

After a lengthy interlude, we're renewing our monthly malware almanac by popular demand.

http://www.viruslist.com/en/analysis?pubid=204792085

*****

16 Oct 2009: "Brazil: a country rich in banking Trojans"

Anyone who has ever analyzed malware designed to steal data from online banking customers will agree that Brazil is one of the biggest sources of so-called banking Trojans.

http://www.viruslist.com/en/analysis?pubid=204792084

Time is now: 20th November 2009 - 09:54 PM
