DON'T SURF IN THE NUDE
Security on a Shoestring
Security issues in the news -  2008
More of the same this time: security vulnerabilities in software used to install malware via exploits on hacked web sites.

Virtual Heist Nets 500,000+ Bank, Credit Accounts

A single cyber crime group has stolen more than a half million bank, credit and debit card accounts over the past two-and-a-half years using one of the most advanced strains of computer spyware in existence, according to research to be published today. The discovery is among the largest stolen data caches ever recovered.

...

The makers of Sinowal typically have spread their Trojan by sewing malicious code into the fabric of large numbers of legitimate, hacked Web sites. When an unsuspecting Windows user visits one of these sites, the code left on the site tries to install the Trojan using one of several known Web browser security holes, such as vulnerabilities found in popular video and music player plug-ins like Macromedia Flash and Apple's QuickTime player.

SecurityFix

Also reported here:

Trojan virus steals banking info BBC

It's not just by stealing credit card numbers that the villains make their money: victims of malicious software installed by exploiting insecure software are also conned into paying for scam anti-virus products:

How much money can criminals make scaring naïve computer users? Try $5 million a year

A pop-up that appears on computers, aimed at persuading users they need the Antivirus XP program, for $49.95.

That is how much a marketing associate of one Russian operation appears to be earning from its sales of fake antivirus software through an elaborate scheme that relies on e-mail spam and indirectly controlling thousands of unprotected PCs, according to internal company files posted online by a Russian hacker.

The company is Bakasoftware, a clandestine effort based somewhere in Russia that markets what it claims is an antivirus program strictly to English-speaking computer users.

The program, whose name has recently been updated from Antivirus XP 2008 to Antivirus XP 2009, lodges itself on a victim’s computer and then begins generating a series of pop-up messages warning that the user’s computer is infected. If the user responds to the warnings, he is urged to buy a $49.95 program for disinfecting the machine.

...

Mr. Stewart estimated that one affiliate alone was able to install 154,825 versions of the software in just 10 days and that 2,772 copies of the program were later purchased from those infected users. Based on that conversion rate, Mr. Stewart estimated that an affiliate could expect to earn over $5 million annually by maintaining a botnet large enough to force between 10,000 and 20,000 installations on a daily basis.

The New York Times

Astute readers may notice a common thread to the two reports:

Brady said his team could find no trace of a single Russian victim in the entire database of credentials and identities stolen from customers of hundreds of banks across the United States, Europe and Asia, and at least 27 other countries. SecurityFix

Mr. Stewart also discovered that when the Bakasoftware program starts, it checks the language of the computer user based on information contained in the Windows operating system. If it finds the personal computer of a Russian language speaker, the program terminates. The New York Times

The excellent web browser Opera has patched a few security vulnerabilities recently, so it's vital to have the latest version.

Opera scrambles to quash zero-day bug in freshly-patched browser The Register

Opera is not alone in having fixed security issues. As mentioned previously, the best way to ensure that a Windows system is up to date and secure is a scan with Secunia. The Secunia Software Inspector has now become the Secunia Online Software Inspector (OSI), and the Personal Software Inspector is now known as PSI.

Secunia OSI
Secunia PSI

3/7/08


With the prevalence of malware on the internet discussed below, it's vital to keep all web-facing software up to date, so that security vulnerabilities cannot be exploited to install malware during normal browsing of perfectly reputable web sites. With this in mind, it's alarming that 40% of web users seem to be surfing with unsafe browsers. Security Fix.

Browser safety

Still on the 'infected site' theme, the Guardian has an interesting article on 'poisoned' search results at Google, where links in a Google search direct browsers to malicious sites that try to install malware either by the use of exploits or by fooling the user into downloading a Trojan horse by social engineering.

What's an IFrame attack and why should I care? guardian.co.uk

The best way to stay safe against exploits is to stay up to date with the Secunia Software Inspector.

8/5/08


A basic web page consists of text, pictures and links. Web developers add features to a page using programs which run either on the user's computer or on the server. Programs on the server can alter the appearance of a web page according to who visits, and have a page display information particular to a certain visitor.

Both browser-based and server-based web applications may contain security vulnerabilities that can be exploited to infect a computer if a web site is compromised (hacked) or contains compromised third-party content (typically ads from hacked ad servers). Browser-based programs such as JavaScript, Java, Flash, QuickTime, RealPlayer etc. have all had these vulnerabilities in the past. However, the big story recently has been server-based web infections serving up malware. Malware pushers have been supplying malicious commands to server-based database programs, which cause the websites concerned to install malware on visiting computers.

The problem is widespread, with thousands of web sites affected. The big difference compared with previous attacks is that the web sites concerned have not been hacked: the malicious content is 'injected' into the behind-the-scenes (SQL) database, not by using a security vulnerability in the server software, but by slipping past weak database security checks on what the site passes into its queries.

Web infection attacks more than 100,000 pages The Register
Hundreds of Thousands of Microsoft Web Servers Hacked Security Fix
Thousands of More Hacked Websites Targeting Your Passwords Shadowserver
Hundreds of thousands of SQL injections SANS
Mass SQL Injection f-Secure
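To make the 'weak database security check' concrete, here is an added example (not from the original page or any of the reports linked above) in Python with an in-memory SQLite table: a lookup that splices user input into the SQL text, the same lookup with a bound parameter, and a defender's audit that scans stored page text for injected script or iframe tags. The table layout, column names and the poisoned row are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample rows standing in for a site's content database; the
# third row is a constructed example of what a poisoned record looks like.
SAMPLE_ROWS = [
    ("Home", "Welcome to our site."),
    ("About", "Contact us for details."),
    ("News", 'Latest news.<script src="http://example.invalid/x.js"></script>'),
]

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages (title, body) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def lookup_vulnerable(conn, title):
    """Weak check: the input is spliced into the SQL text, so a quote
    character in it changes the statement instead of being a value."""
    sql = "SELECT title FROM pages WHERE title = '%s'" % title
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, title):
    """The fix: a bound parameter is always passed as data, never as SQL."""
    cur = conn.execute("SELECT title FROM pages WHERE title = ?", (title,))
    return [row[0] for row in cur]

# Markup that has no business in stored page text: the audit a site owner
# would run over the database after a suspected mass-injection incident.
INJECTED_MARKUP = re.compile(r"<(script|iframe)\b[^>]*src\s*=", re.IGNORECASE)

def find_injected_rows(conn):
    """Return (id, title) of every row whose body carries an injected tag."""
    hits = []
    for row_id, title, body in conn.execute("SELECT id, title, body FROM pages"):
        if INJECTED_MARKUP.search(body):
            hits.append((row_id, title))
    return hits

if __name__ == "__main__":
    db = setup_db()
    probe = "x' OR '1'='1"  # constructed input that closes the quoted value early
    print("vulnerable:", lookup_vulnerable(db, probe))  # filter defeated, all titles
    print("safe:", lookup_safe(db, probe))              # treated as a title: []
    print("poisoned rows:", find_injected_rows(db))     # [(3, 'News')]
```

The same audit can be pointed at any text column that a page renders directly into HTML; the bound-parameter form is the check that keeps the column from being poisoned in the first place.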

The good news is that exploits served up by infected sites do not seem to affect a fully patched computer. Once again, a good reason to keep up-to-date and use Secunia services to check for vulnerable software.

Secunia Software inspector
Secunia Personal Software Inspector

28/2/08

Malware is becoming more numerous, more prevalent and harder to remove.

The growth in malware.

Data from Andreas Marx at AV-Test.org on unique malware samples plotted against year, posted on the Sunbelt blog with this comment:

It's worth noting that these numbers are also increasing because of variants -- i.e. the same Trojan will be changed sometimes hourly or daily just to try and fool the scanners. So it's not like there's over 5 million unique pieces of malware. There are many that are variants of the same piece of malware.

Nevertheless, this is a good representation of the staggering load of malware that anti-malware folks are under. Like most companies, we’re processing gigabytes of malware daily.

Harmful sites in Search results.

Data on the prevalence of malware on the web from Google.

It has been over a year and a half since we started to identify web pages that infect vulnerable hosts via drive-by downloads, i.e. web pages that attempt to exploit their visitors by installing and running malware automatically. During that time we have investigated billions of URLs and found more than three million unique URLs on over 180,000 web sites automatically installing malware. During the course of our research, we have investigated not only the prevalence of drive-by downloads but also how users are being exposed to malware and how it is being distributed. Our research paper is currently under peer review, but we are making a technical report [PDF] available now.

Google Online Security Blog

The prevalence of malware is partly explained by a tactic recently deployed by malware pushers: injecting malware into advertisements displayed on legitimate sites via third-party ad servers. The Register, Sunbelt Blog

Detection rates

The Google report above also identifies how anti-virus programs are failing to keep up with the growth in malware numbers, as this graph of detection rates shows.

In what follows, we evaluate the potential implications of the web malware delivery mechanism by measuring the detection rates of several well known anti-virus engines. Specifically, we evaluate the detection rate of each anti-virus engine against the set of suspected malware samples collected by our infrastructure. Since we can not rely on anti-virus engines, we developed a heuristic to detect these suspected binaries before subjecting them to the anti-virus scanners. For each inspected URL via our in-depth verification system we test whether visiting the URL caused the creation of at least one new process on the virtual machine. For the URLs that satisfy this condition, we simply extract any binary download(s) from the recorded HTTP response and “flag” them as suspicious.

We applied the above methodology to identify suspicious binaries on a daily basis over a one month period of April, 2007. We subject each binary for each of the anti-virus scanners using the latest virus definitions on that day. Then, for an anti-virus engine, the detection rate is simply the number of detected (flagged) samples divided by the total number of suspicious malware instances inspected on that day. Figure 15 illustrates the individual detection rates of each of the anti-virus engines. The graph reveals that the detection capability of the anti-virus engines is lacking, with an average detection rate of 70% for the best engine. These results are disturbing as they show that even the best anti-virus engines in the market (armed with their latest definitions) fail to cover a significant fraction of web malware.

Technical Report (PDF)

It's not only the fact that detection rates are not keeping up with the growth in malware that's making removal more difficult: malware is also using more advanced techniques to avoid removal. One of the most egregious culprits is the Vundo/Virtumonde scam Trojan:

Vundo creates a DLL file in the Windows system32 directory and writes registry entries, causing Windows to inject the file into winlogon.exe and many other programs.

Wikipedia

A tool that seems to be having some success in keeping up with Vundo is ComboFix, worth a try in the case of persistent pop-ups for scam anti-virus products that other anti-spyware products just won't remove.

It's worth pointing out that however prevalent malware becomes, it's still easy to avoid by following some simple precautions: don't download programs from untrusted sites, don't open files in emails or IM programs, even if they appear to come from a friend, and keep all software up to date to avoid malware installation through security holes. Use the Secunia Software Inspector below to check for out-of-date and vulnerable software on your computer.

The latest software vulnerability to hit the news (and those slow to update) is in Adobe's Acrobat program. Banner ads are used to serve malicious PDF files that exploit the vulnerability, a tactic mentioned above, so the malware may be encountered on "safe" sites if they happen to carry ads from a compromised third-party ad server. Sunbelt Blog


