Highly critical “Ghost” allowing code execution affects most Linux systems

An extremely critical vulnerability affecting most Linux distributions gives attackers the ability to execute malicious code on servers used to deliver e-mail, host webpages, and carry out other vital functions.

The vulnerability in the GNU C Library (glibc) represents a major Internet threat, in some ways comparable to the Heartbleed and Shellshock bugs that came to light last year. The bug, which is being dubbed "Ghost" by some researchers, has the common vulnerability and exposures designation of CVE-2015-0235. While a patch was issued two years ago, most Linux versions used in production systems remain unprotected at the moment. What's more, patching systems requires core functions or the entire affected server to be rebooted, a requirement that may cause some systems to remain vulnerable for some time to come.

The buffer overflow flaw resides in __nss_hostname_digits_dots(), a glibc function that's invoked by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to call either of these functions could exploit the flaw to execute arbitrary code with the permissions of the user running the application. In a blog post published Tuesday, researchers from security firm Qualys said they were able to write proof-of-concept exploit code that carried out a full-fledged remote code execution attack against the Exim mail server. The exploit bypassed all existing exploit protections available on both 32-bit and 64-bit systems, including address space layout randomization, position independent executions, and no execute protections. Qualys has not yet published the exploit code but eventually plans to make it available as a Metasploit module.

“A lot of collateral damage on the Internet”

The glibc is the most common code library used by Linux. It contains standard functions that programs written in the C and C++ languages use to carry out common tasks. The vulnerability also affects Linux programs written in Python, Ruby, and most other languages because they also rely on glibc. As a result, most Linux systems should be presumed vulnerable unless they run an alternative to glibc or use a glibc version that contains the update from two years ago. The specter of so many systems being susceptible to an exploit with such severe consequences is prompting concern among many security professionals.

Besides Exim, other Linux components or apps that are potentially vulnerable to Ghost include MySQL servers, Secure Shell servers, form submission apps, and other types of mail servers.

It was reported that Qualys researchers enumerated apps they believed were not vulnerable. The list included Apache, Cups, Dovecot, GnuPG, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers, vsftpd, and xinetd.

"If [researchers] were able to remotely exploit a pretty modern version of Exim with full exploit mitigations, that's pretty severe," said Jon Oberheide, a Linux security expert and the CTO of two-factor authentication service Duo Security. "There could be a lot of collateral damage on the Internet if this exploit gets published publicly, which it looks like they plan to do, and if other people start to write exploits for other targets."

The bug affects virtually all Linux-based software that performs domain name resolution. As result, it most likely can be exploited not only against servers but also client applications. Word of the vulnerability appears to have caught developers of the Ubuntu, Debian, and Red Hat distributions of Linux off guard. At the time this post was being prepared they appeared to be aware of the bug but had not yet distributed a ready-made fix. People who administer Linux systems should closely monitor official channels for information about how specific distributions are affected and whether a patch is available. Admins should also prepare for the inevitable reboots that will be required after installing the patch.

Update: Red Hat Enterprise Linux 5, has an update here, and readers are reporting a fix is also available for Ubuntu 12.04.

In the meantime, readers can find more technical details about Ghost in the previously mentioned Qualys blog post, as well as here and here.

.

Skype serving virus-laden ads

In the last 24 hours, a virus ad managed to slip through Microsoft filters and made its way into Skype's ad slot.

Clicking on the advertisement will take you to a site pretending to be Adobe, and try to download viruses to your machine. This is not how Adobe distributes updates. This is how attackers trick unsuspecting users to willingly install malicious software.

The payload? It is a very rapid load iframe that redirects to that page again. Getting the payload to successfully infect sandboxes have not been successful so far.

And this might be an IE only thing. The rapid load iframe does not work on Firefox or Chrome.

Microsoft seems to be aware about this issue, but did not comment further.

Suggested quick fix
Add these entries into your local host file:

# fighting off malware/virus
127.0.0.1 qwindowsdefender.nl
127.0.0.1 q-windowsdefender.nl
127.0.0.1 xwindowsdefender.nl
127.0.0.1 x-windowsdefender.nl
127.0.0.1 zwindowsdefender.nl
127.0.0.1 z-windowsdefender.nl
127.0.0.1 wed322d2.qwindowsdefender.nl
127.0.0.1 wed322d2.q-windowsdefender.nl
127.0.0.1 wed322d2.xwindowsdefender.nl
127.0.0.1 wed322d2.x-windowsdefender.nl
127.0.0.1 wed322d2.zwindowsdefender.nl
127.0.0.1 wed322d2.z-windowsdefender.nl
127.0.0.1 m.adnxs.com
127.0.0.1 cdn.adnxs.com

Note: This is not the comprehensive list of URLs used in the attack. There may be more than the ones indicated here.

The Hacker’s New Best Friend Could be Your USB Port

It’s tiny and portable, yet perfect for storing large items. I’m talking about the good ol’ Universal Serial Bus (a.k.a USB) drive, the giveaway of choice at tradeshows across the world, and perfect for the easy storage and transfer of photos, documents, music and more. But you might want to think twice before plugging a free USB into your machine. The reason: USBs can now contract an undetectable - and unfixable - virus that can be spread quite easily.

News of this potent malicious software (often referred to as malware) has circled around the information security industry since researchers Karsten Noh and Jakob Lell described their new attack to a packed room at this year’s Black Hat security conference in early August.

The malware, dubbed BadUSB, can take over a computer, as well as redirect Internet-bound traffic to different site. But BadUSB’s danger doesn’t lie with its ability to execute code—this type of malware, called auto-run (because it runs automatically when the USB drive is inserted into your device), has been around for some time now. The danger lies with its ability to never be detected. BadUSB exploits how the USB standard was built and coded, and mixes malware with the device’s firmware—the code that tells the USB stick how to work. This intermingling of code makes the malware indistinguishable from normal, safe firmware.

Because of the danger this particular form of malware posed to the public at large, the pair refrained from releasing the code to attendees. That reasoning, however, didn’t sit well with another pair of researchers, who did publish the infectious malware after reverse engineering it. The malware that freaked out two security researchers enough to make them refrain from publishing their work is now out in the open.

USBs, long considered secure (perhaps incorrectly), are now major liabilities to consumers everywhere. So the question now is, should you be worried?

The answer is yes and no.

The good thing about this malware variant is that it’s isolated to just USB devices. But that’s also its danger: USB devices are so ubiquitous that consumers typically don’t pay them any attention—the best sort of attack vector hackers could hope for. Hackers could also hide this malware within a larger package and could, theoretically, infect a computer that would subsequently infect any and all USB devices that connect with that machine—thereby spreading the malware even further. All in all it’s pretty bad news.

So why did these researchers knowingly, and publicly, publish such dangerous malware? Because they want to see this security issue fixed, and the only way they’re convinced it’ll be fixed is by lighting a fire under USB manufacturers.

They’re not entirely wrong, either. Manufacturers, largely for business reasons, have been notoriously slow in fixing security issues (called patching), and USB drives are no different. By publicly making this code available, the pair of researchers will deny USB manufacturers the ability to claim that they weren’t aware of security vulnerabilities on USB. That knowledge, it’s theorized, will drive better security further down the road.

Publishing this code was well intentioned, and, truthfully, is a fairly standard practice in the information security industry. But this particular malware is going to cause a lot of headaches for quite a few years (likely a decade). So what can you do to protect yourself while this newfound attack vector is out in the wild? Well there are a few options available:

• Use caution with free USB drives.
  A lot of companies like to go to major conferences and events and hand out free USB drives. This is bad security practice. Free USBs have always carried the risk of being preloaded with malware, and now the risk has doubled. You don’t have to turn down free USBs drives, but you do have to be conscious of the risk you’re running when you don’t know where that USB has been. If you’re uncertain if a USB is safe, run a scan.
  
• Lock down your computers.
  USBs have long been a reliable method of compromising computers. All it takes is an unknowing person to plug a USB drive into a port, and the damage is done. Never leave your computer sitting out in a public place where someone could access your USB port.
  
• Use comprehensive security.
  Between USB devices, computers and mobile phones - all the technology we own is a security risk. So how can you minimize the likelihood of getting infected by malware? By using a comprehensive security service, which provides a comprehensive shield against malware, phishing attacks and a variety of other nasties aimed at compromising your digital life. Such software also automatically scans USBs when they’re connected to your computer, for known malware. This is a step you cannot afford to skip in the protection of your valuable information.

YouTube Ads Lead To Exploit Kits, Hit US Victims

Malicious ads are a common method of sending users to sites that contain malicious code. Recently, however, these ads have showed up on a new attack platform: YouTube.

Over the past few months, Trend Micro has been monitoring a malicious campaign that used malicious ads to direct users to various malicious sites. Users in the United States have been affected almost exclusively, with more than 113,000 victims in the United States alone over a 30-day period.

Recently, they saw that this campaign was showing up in ads via YouTube as well. This was a worrying development: not only were malicious ads showing up on YouTube, they were on videos with more than 11 million views – in particular, a music video uploaded by a high-profile record label.

The ads observed do not directly lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers.

In order to make their activity look legitimate, the attackers used the modified DNS information of a Polish government site. The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.)

The traffic passes through two redirection servers (located in the Netherlands) before ending up at the malicious server, located in the United States.

The exploit kit used in this attack was the Sweet Orange exploit kit. Sweet Orange is known for using four vulnerabilities, namely:

• CVE-2013-2460 – Java
• CVE-2013-2551 – Internet Explorer
• CVE-2014-0515 - Flash
• CVE-2014-0322 – Internet Explorer

Based on Trend Micro's analyses of the campaign, they were able to identify that this version of Sweet Orange uses vulnerabilities in Internet Explorer. The URL of the actual payload constantly changes, but they all use subdomains on the same Polish site mentioned earlier. However, the behavior of these payloads are identical.

The final payloads of this attack are  variants of the KOVTER malware family, which are detected as TROJ_KOVTER.SM. This particular family is known for its use in various ransomware attacks, although they lack the encryption of more sophisticated attacks like Cryptolocker. The websites that TROJ_KOVTER.SM accesses in order to display the fake warning messages are no longer accessible.

Users who keep their systems up to date will not affected by this attack, as Microsoft released a patch for this particular vulnerability in May 2013. We recommend that read and apply the software security advisories by vendors like Microsoft, Java, and Adobe, as old vulnerabilities are still being exploited by attackers. Applying the necessary patches is essential part of keeping systems secure. Backing up files is also a good security practice to prevent data loss in the event of an attack like this.

In addition to blocking the files and malicious sites involved in this attack, Trend Micro's browser exploit prevention technology prevents attacks that target these vulnerabilities.

With additional insight from Rhena Inocencio (Threat Response Engineer), the following hashes are detected as part of this attack:

09BD2F32048273BD4A5B383824B9C3364B3F2575
0AEAD03C6956C4B0182A9AC079CA263CD851B122
1D35B49D92A6E41703F3A3011CA60BCEFB0F1025
32D104272EE93F55DFFD5A872FFA6099A3FBE4AA
395B603BAD6AFACA226A215F10A446110B4A2A9D
6D49793FE9EED12BD1FAA4CB7CBB81EEDA0F74B6
738C81B1F04C7BC59AD2AE3C9E09E305AE4FEE2D
A1A5F8A789B19BE848B0F2A00AE1D0ECB35DCDB0
A7F3217EC1998393CBCF2ED582503A1CE4777359
C75C0942F7C5620932D1DE66A1CE60B7AB681C7F
E61F76F96A60225BD9AF3AC2E207EA340302B523
FF3C497770EB1ACB6295147358F199927C76AF21

Google has been about this incident.

Unfixable USB Hack Threatens Life as We Know It

USB ports are a bit like Cinnabons at airports and bad Wi-Fi at hotels: ubiquitous. Almost every computer and millions of other connected devices have one. And while USB security has long been discussed, an 'unfixable' exploit threatens to up the danger quotient significantly—especially since it’s been made public.

Two security researchers, Adam Caudill and Brandon Wilson, have reverse-engineered a popular USB firmware from Taiwanese firm Phison, which powers hundreds of millions of devices. With the right exploit, USBs can become an injection conduit for malicious code—so, a flash drive could emulate a keyboard and issue commands on behalf of the logged-in user, to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.

The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.

Or, a modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.

The compromised code in question is stored in the USB’s read-write memory, so a user can’t remove it, and no patch will fix it. In order to get rid of the issue, new USBs must be issued with an entirely different security architecture.

The two are replicating research from SR Labs’ Karsten Nohl, who gave a talk at the Black Hat security conference discussing the exploit, which he dubbed BadUSB. However, given the persistent nature of the issue, he decided not to release it.

“No effective defenses from USB attacks are known,” he said in his information page on the issue. “Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist. And behavioral detection is difficult, since a BadUSB device’s behavior when it changes its persona looks as though a user has simply plugged in a new device.”

 To make matters worse, cleanup after an incident is nigh impossible.

“Simply reinstalling the operating system – the standard response to otherwise ineradicable malware – does not address BadUSB infections at their root,” Nohl said. “The USB thumb drive, from which the operating system is reinstalled, may already be infected, as may the hardwired webcam or other USB components inside the computer. A BadUSB device may even have replaced the computer’s BIOS – again by emulating a keyboard and unlocking a hidden file on the USB thumb drive.”

In case we missed the point, he added, “Once infected, computers and their USB peripherals can never be trusted again.”

But the decision not to disclose is one that Caudhill and Wilson feel is a grand mistake. So now, they’ve thrown the exploit code up on Github to bring attention to the issue.

“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the Derbycon audience in Louisville, Ky. Last week. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”

Government agencies and high-end espionage groups are probably already using it, Caudhill told WIRED.

“If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it,” he said. “You have to prove to the world that it’s practical, that anyone can do it…That puts pressure on the manufacturers to fix the real issue.”

He added, “People look at these things and see them as nothing more than storage devices. They don’t realize there’s a reprogrammable computer in their hands.”

WhatsApp. Beware of cyber-crooks and scams!

This week, WhatsApp has announced that it now has 600 million active users.

The news was released by Jan Koum, the CEO and co-founder of WhatsApp, through his Twitter page. Koum made it very clear that this figure refers to the number of active, not registered, users, which means that WhatsApp’s user growth may actually be larger.

The term ‘active users’ refers to the number of users who have used the app at least once in the last month.

WhatsApp security
Despite the doubts raised a few months ago when Facebook bought WhatsApp, it seems that the messaging app continues to be as popular as ever. The figure of 600 million users affirms WhatsApp as the world’s most widely used instant-messaging application, well ahead of rivals like Line or Telegram.

But this success has also placed it in the crosshairs of cyber-criminals who, over the last few months, have come up with countless ways to exploit the app as a means to attack users.

Want to know how? Discover the most dangerous WhatsApp scams and beware of malicious messages!

New TDL4 rootkit successfully hiding from AV

A new variant of TDL4 has been identified, and it is now ranked as the second most prevalent malware strains within two months since detection.



The characteristics are similar to the iteration of the TDL4 rootkit, detected by Damballa a month ago. Damballa picked it up through its network behavioural analysis software, which detected the generated domain names that this new TDL4 variant apparently uses for command-and-control communication.

Since Damballa could only determine the existence of the new malware by looking for domain fluxing, it was concluded that no binary samples of the new malware had been identified and categorised by commercial antivirus products operating at the host or network levels.

HitmanPro, however, has detected Sst.c – also known as Maxss, a modification of the TDL4 strain and it is spreading fast.

This new variant is capable of infecting the Volume Boot Record (VBR) (also known as Partition Table), and commercial antivirus products are unable to detect it, let alone remove the malware.

Joseph Souren, Vice President and GM Wave Systems EMEA, has provided the following commentary:

“Following the success of TDL4, hackers have been able to use the rootkit to develop new variants that continue to go undetected by antivirus. The latest iteration, dubbed Sst.c, infects the Volume Boot Record.

Without embedded hardware security to detect anomalies of behaviour in the boot process, it starts to cause havoc damaging the network. It also reduces the window of detection for the enterprise to contain the threat.

The best defence is based on the Trusted Platform Module (TPM) chip. The TPM stores the signatures of critical start-up components of the machine, and the ones that are most important are used early in the boot process before the antivirus initiates.

By utilising TPMs, the enterprise can collect data from the computers and correlate computer information that is not visible for traditional malware scanning software. The IT manager is alerted when unwanted changes are detected.

It’s undoubtedly not the last we will hear of these types of Advanced Persistent Threats (APT) and activating and managing embedded hardware security is the only way to detect these attacks early enough to prevent damage to the network.

USB drives left in car park as corporate espionage attack vector

A number of infected USB flash drives were recently left in the car park of Dutch chemical firm DSM in a failed corporate espionage attempt. According to a report from Dutch newspaper Dagblad De Limburger, these drives were planted by an unknown party in hopes that one or more of the company's employees would insert them into their office systems.

However, instead of plugging it into one of the company's systems, an employee who found one of the USB sticks turned it over to DSM's IT department. Upon examination, they discovered that the drives contained malware that was set to automatically run upon being inserted into a computer. The malware is said to have been a key logger designed to capture usernames and passwords, and access the company network to send them to an external site.

Upon finding this, the company blocked all access to the IP addresses which the malware attempted to contact. Because, they say, it was a clumsy attempt to steal data and as no damage was done, DSM decided not to contact the police.

Would you report to the police?

SMS-controlled Android malware records calls

Researchers at NQ Mobile Security have discovered a new piece of Android malware that receives instructions, i.e. is controlled, via SMS.

Dubbed TigerBot, the Trojan hides by not showing any icon on the home screen and takes the names and icons of popular and common Google and Adobe apps like "Flash" or "System" in order to blend in with the legitimate apps installed on the phone.

"In order to receive remote commands, it registers a receiver with a high priority to listen to the intent with action 'android.provider.Telephony.SMS_RECEIVED'," point out the researchers. "As a result, it can receive and intercept incoming SMS messages before others with lower priorities."

The capabilities of the malware include: recording phone calls, changing network settings, uploading the current GPS location, capturing and uploading images, sending text messages to a particular number (but, it seems, not a premium service one), rebooting the phone and killing other running processes. Still, not all the actions are always effective.

So far, the Trojan hasn't been detected being offered on Google Play (the former Google’s Android Market), but only on third-party online marketplaces.

The researchers urge users to always be careful when downloading new apps.

"Only download applications from trusted sources, reputable application stores, and markets, and be sure to check reviews, ratings and developer information before downloading," they say.

iOS flaw allows App Store apps download malicious code

Since the App Store's inception, Apple has been carefully examining applications submitted by third-party developers in order to assure its customers a malware-free experience. Approved apps get signed with Apple's cryptographic seal, and only than can they be downloaded and run by iPad and iPhone users.

But well-known Mac hacker and researcher Charlie Miller has discovered a flaw in Apple's restrictions on code signing on iOS devices which would allow attackers to use applications sneaked into the App Store to download and run additional, unsigned code.

To prove his point, Miller created an app called InstaStock that ostensibly lists stock tickers and submitted it to the App Store. The app was approved by Apple and offered to users. But unbeknownst to the company, the app also contained a hidden payload which takes advantage of the aforementioned flaw.

The app was now capable to "phone home" to a server set up by Miller, from which new code - unapproved by Apple - was downloaded and executed without a hitch. This gave him remote shell access to the device and allowed him to do things like making it vibrate, run a video, and most frighteningly, downloading any file present on it to the server.

Miller, who has managed to sneak the InstaStock app into the App Store back in September, has already notified Apple of the flaw on October 14th.

But, as news that he was planning to demonstrate the attack next week at the SysCan conference in Taiwan broke, Apple reacted immediately: not only has his app been removed from the App Store, but he himself has been booted out of the iOS Developer Program since he violated the agreement that forbids developers to “hide, misrepresent or obscure” any part of the submitted apps.

Miller is, understandably, annoyed by the move. “They went out of their way to let researchers in, and now they’re kicking me out for doing research,” he says. “I didn’t have to report this bug. Some bad guy could have found it instead and developed real malware.”

I guess that his upcoming demonstration can't be executed now - unless he has predicted Apple's reaction and uploaded (or asked someone to upload) a second booby-trapped app.

Trojan Hiding In Legitimate Security Software

An interesting tactic for hiding a Trojan has recently been spotted by Symantec researchers.

Instead of using entirely their own malicious code, the malware authors have decided to take advantage of the code belonging to the KingSoft WebShield browser protection software (part of the KingSoft Internet Security solution).

"The interesting part of this package is in its configuration, which allows an opportunity for malicious intent," explains researcher Éamonn Young. "Kingsoft WebShield has the ability to lock the home page to a specific domain as well as to redirect URLs based entirely on plain text configuration files. This means that a person with malicious intent can repackage it using malicious configuration files and use this as a home-made Trojan package."

And so they did. The new package contains the legitimate software and its support components, but also two configuration files that practically modify it into the Trojan.

Once the apparently legitimate software is installed and running, one of these files makes it so that the home page is changed to one of the designated URLs - which house advertisement link farms - and locked so that the user can't change it.

The other one makes sure that if a user wants to visit one a number of popular domains listed in it, he is also redirected to one of the aforementioned designated URLs.

The authors of the malware are likely to be Chinese, and so are the targeted users. The misused legitimate software is manufactured by Chinese software developer Kingsoft, and all the websites - the advertisement link farms and the domains from which the user is redirected - cater to Chinese users.

Another interesting thing about this Trojan is that deletes all Quick Launch icons except for the Internet Explorer one. And if there isn't one, it creates it. Since the whole package works as they want to only in Internet Explorer, this is a rather (too) obvious way to make sure the user uses only that browser.

Since Kingsoft WebShield works as it usually does, the user might not spot that there's something wrong with his computer right away upon installation of the tainted package. And even when he finally gets suspicious about the constant redirection,

Save as Draft

it will take a while before he learns how to deinstall it since the uninstaller has been omitted.

All in all, the authors of this improvised Trojan have manufactured an annoying but not very dangerous piece of malware. Unfortunately, it seems to me that it is only a matter of time until someone changes the configuration files again and the users are redirected to more malicious sites.

The Mother Of All Android Malware Has Arrived

Openness – the very characteristic of Android that makes us love it – is a double-edged sword.

Free Android applications bundled up with malware have spilled over into the official Android marketplace.

According to Symantec, the malware in question can root the phone, harvest data and open backdoors - similar to the recent Geimini Trojan spotted lurking on third-party Chinese Android app markets.

"The applications in question are popular free apps, bundled with malware, that have then been republished in the official marketplace under different application and publisher names," says researcher Joji Hamada.

Google has jumped into the fray and removed the applications from the market, but according to Symantec's sources somewhere between 50,000 and 200,000 downloads took place during the four days that the apps were available for download.

This new Trojan has been dubbed Rootcager because of the rageagainstthecage file included in the Android Package containing the affected apps.

Rageagainstthecage is a file that can also be used to legitimately root a phone in order for the users to gain administrative rights, but in this case it's used to allow the Trojan to do things like taking screenshots, harvesting IMEI and IMSI numbers and send them to remote sites, and drop a DownloadProvidersManager Android Package that will further execute downloads in the background.

For the full list of the potentially affected apps, go here. In you think you may have installed one of them on your device, check the installed apps against it or check the “running services“ settings on your phone for the DownloadManageService started by an application.

Twitter accounts spreading malicious code

Cybercriminals are exploiting Twitter to spread malware using festive-themed messages, according to PandaLabs. Using methods akin to black hat SEO techniques, hackers are taking advantage of trending topics to position malware distribution campaigns.

As the holiday period has begun, topics such as "Advent calendar," "Hanukkah" or even "Grinch," are among the most popular subjects used by hackers to entice users.

Thousands of tweets have been launched using holiday-related phrases, such as "Nobody cares about Hanukkah," or "Shocking video of the Grinch," along with short URLs pointing to malicious websites.


Users who click the link will be taken to a page that infects systems with false codecs. These exploit a security hole in PDF files and try to trick users into downloading a codec that is really a downloader Trojan, which in turn downloads more malware onto the compromised computer.


In addition to subjects related to Christmas, cyber-criminals are using other hot topics to spread their creations, including the Sundance festival, the AIDS campaign, the Carling Cup and tweets about the actor Morgan Freeman.

With the increased risk over the holiday period, PandaLabs offers users a series of practical security tips for using social media:

1. Don't click suspicious links from non-trusted sources. This should apply to messages received through Twitter, through other social networks and even via email.

2. If you click on the links, check the target page. If you don't recognize it, close your browser.

3. Even if you don't see anything strange in the target page, but you are asked to download something, don't accept.

4. Install all available operating system updates and patches. Cyber-criminals are particularly skilled at exploiting critical vulnerabilities in operating systems and commonly used applications. Computer users are often silently redirected to a website with a carefully crafted malicious payload that leaves the computer infected with data-stealing malware or extortion-based threats. In addition to updating your system, you should update Adobe Flash, Adobe Reader and Java software, which are all commonly targeted by cybercriminals.

5. If you do download or install an executable file and the PC starts to launch messages or behaves strangely, there is probably malware on your computer. In this case, you should check your computer with a free online scanner.

6. As a general rule, make sure your computer is well protected to ensure that you are not exposed to the risk of infection from any malicious code.

Korean cross-border attacks exploited to spread malware

The recent cross-border shellings between North and South Korea have left many people wondering what has been going on and what triggered the attacks: North Korean Artillery Attack on a Southern Island

Scareware and malware pushers have been very prompt at poisoning related search results.

Search combinations such as "north korea bombs/attacks south korea", "kim jong il", "korean war", "world war 3", "yeonpyeong island" and "korean news" have been producing results that take users to pages where warnings about infection on their computers are shown and the users are offered to download rogue antivirus solutions, to pages that attempt to hijack their browser through JavaScript or pages that offer Trojans disguised as codecs and bogus updates for Mozilla's Firefox.

The Tech Herald reports that all of the offending compromised domains are using open source CMS software which was not updated and, consequently, vulnerable to attack. They also noted that topics related to Black Friday, Bristol Palin, Dancing with the Stars, and others have been targeted by the same black hat SEO campaign.

Facebook bug compromises top pages

A customer of Sendible, an online marketing service for promoting and tracking brands through the use of social media, e-mail and SMS messaging, has inadvertently discovered a flaw in Facebook API.

Using Sendible's Facebook application, he tried to post messages on a few Facebook walls - as a fan - but apparently the flaw made them be posted as status messages from the owner of the pages.

Before the flaw could be patched, it was apparently discovered also by some users that decided to use it to propagate a malicious link that would supposedly allow the victims to change their Facebook background. This message appeared on a number of Facebook pages of brands and companies like Coca-Cola, Google, YouTube, South Park, The Daily Show and others.


"A few people who did click on the link reported that it took you to a page outside of Facebook that asks you for some information about you," reports TechCrunch. "The bottom of the page reads 'Powered By AWeber Email Marketing'."

It seems that the malicious link in question has been taken down, but people have been reporting that other links were propagated with the help of the flaw.

Sendible claims that its application wasn't hacked. "This is a flaw in Facebook’s API and may affect all third party Facebook applications," it says. "To ensure this doesn’t happen again, we’ve agreed with Facebook to remove the feature on Sendible that allows fans of Facebook pages to update multiple pages at once."

Facebook claims that there was a bug on its platform AND a flaw in Sendible's API:

"We’ve looked into this more. We began removing the posts immediately upon discovering them and shortly after they were made. They were caused by a temporary bug on Facebook that allowed certain posts requested by an application to be rendered when they shouldn’t have.

There was a flaw in Sendible’s API call that caused Sendible to incorrectly request that posts users had intended to make on the Walls of Pages they liked be rendered on behalf of those Pages themselves. This bug caused those requests to go through.

Upon discovering the bug, we immediately began work to fix it. It’s now been resolved, and these posts can no longer be made. Sendible has also fixed the flaw on its end. We’re not aware of any cases in which the bug was used maliciously."

Drive-By Downloads: Malware's Most Popular Distribution Method

After years of burying malicious software in email and portable storage media, attackers now favor quick downloads via legitimate websites, researcher say.

WASHINGTON, D.C. -- OWASP AppSec DC 2010 -- Why try to fool users into opening email attachments when you can simply drop a Trojan on them from their favorite websites?

That's the question many malware authors and distributors are asking -- and the obvious answer is spurring most of them to try out the emerging "drive-by download" method, according to a speaker here this week.

"What we're seeing is a fundamental change in the method of malware distribution," said Neil Daswani, CTO of Dasient, which offers a service that detects and eradicates Web-borne malware. "In the old days, we saw executable code in a static file, which was originally delivered via floppy disks and then via email attachments. Now we're seeing active content delivered via drive-by downloads at legitimate sites."

A drive-by download typically begins by injecting a Web page with malicious code, often through JavaScript, Daswani explained. The code generally invokes a client-side vulnerability to deliver shell code, such as the JavaScript-based Heap Spray attack, to take control of the user's machine. From there, the attacker can send a "downloader," which is often custom, zero-day code that isn't recognized by traditional antivirus systems.

Once the downloader is in place, the attacker can deliver his malware of choice, Daswani said. Drive-by downloads are particularly effective for delivering code that can steal end user credentials (such as Zeus), launch a fake antivirus scam (such as Koobface), steal server-side administrative credentials (such as Gumblar), steal corporate secrets (such as Project Aurora), or collect fraudulent click revenue (such as clickbot.A), he noted.

While drive-by downloads are often more effective at infecting end user devices than email attachments, they also give the attacker broader reach, Daswani observed. Drive-by downloads can be used to infect thousands of websites at once, often by hiding in common third-party devices that are distributed to many sites, such as advertisements, widgets, images, or third-party applications.

"A lot of user organizations do a great job of scanning the code they put on their own sites, but they may not scan the code they're posting from third parties," Daswani warned. "The marketing people will add an ad or a widget to a site, and the IT people may not vet it before it's posted."

Many well-known sites are infected by malware, and the most popular sites are generally targeted most frequently, Daswani noted. In the past two years, major government sites, such as the Treasury Department and Environmental Protection Agency, have been infected, causing them to serve up drive-by downloads to their users. The National Institute of Health has been infected five times in the past two years, and the state of Alabama's website has been infected 37 times in that same time period, he reported.

"It's time to recognize that this is the method of choice for many distributors of malware," Daswani said.

Fake ImageShack emails lead to Zbot variant

Emails pretending to be registration notifications from the popular free image hosting website ImageShack are hitting inboxes, and are trying to get the users to follow a link to a malicious website where a Zbot variant awaits to be downloaded.

At first glance, they look pretty legitimate, but a second glance at the offered registration link reveals that the target page does not belong to ImageShack.

Another clue that the email might be fake is the provided username and password. Sunbelt's Chris Boyd received the email in question and remarks that he would never use the give combination of username and password, even if he had registered with the service.

The offered link belongs to an Australian art gallery whose website was probably compromised, and presents to the user the following request:

The file in question is, of course, the Zbot variant I mentioned in the beginning. Luckily for potential victims, the great majority of security solutions has the ability to detect this particular variant, which has been removed in the meantime.

But, Boyd says that users should still be careful about visiting the site, since "there’s still some iframe activity taking place". He also advises users to be careful of such emails in the future, because it is likely that criminals will be sending out the same email - albeit with a different malicious link, pointing to different malware and using a different exploit.

When in doubt whether you have signed up for something, it's better to just delete the email.

Employees bypass security roadblocks to engage in social networking

Even though more workplaces are regulating social networking sites, employees are finding ways around security roadblocks, making social networking a way of office-life around the world.

Trend Micro's 2010 corporate end user survey, which included 1600 end users in the U.S., U.K., Germany and Japan, found that globally, social networking at the workplace steadily rose from 19 percent in 2008 to 24 percent in 2010. The highest surge of social networking on the corporate network during the last two years was found among end-users within the U.K., who tallied a 6 percent increase, and Germany, with a more than 10 percent leap.

With the exception of Japan, there were no significant differences between end users from small businesses and those from large corporations, but the survey found that laptop users are much more likely than desktop users to visit social networking sites.

Globally, social networking usage via laptops went up by 8 percent from 2008 to 2010. In the U.S., it increased by 10 percent and in Germany, up by 14 percent.

In 2010, 29 percent of laptop users versus 18 percent of desktop users surveyed said they frequented these sites at work. In Japan for 2010, small-company employees were much more likely than those from large companies to visit social networking sites – 21 percent from small companies compared to 7 percent from large companies.

For all countries surveyed in 2010, laptop users who can connect to the Internet outside of company network are more likely to share confidential information via instant messenger, Web mail and social media applications than those who are always connected to a company's network. This is significantly so in Germany and Japan.

As more and more people communicate through social networks, the more viable social networks become malware distribution platforms. KOOBFACE alone, the "largest Web 2.0 botnet," controls and commands around 51,000 compromised machines globally. This demonstrates the scale of the threat, and emphasizes the need to educate users and implement strong policies.

Trying to just prevent users accessing social networks from work could potentially increase the risk to an organization as users look for ways around computer security possibly increasing the chance of exposure to security threats.

HTML files redirect users to malicious sites, evade mail server antivirus

Facebook, Twitter and Skype are Internet behemoths, counting hundreds of millions users each, so it is not surprising that many malicious email campaigns masquerade as legitimate notices coming from these three sources.

The number of emails that try to trick recipients into downloading malicious files has surged in the last few days. Users are notified that their Twitter or Facebook password has been reset, that they should check details of purchases effected through Skype, that they have messages waiting for them, etc.

What these emails have in common is that they contain a .html file, which changes name from email to email, but always contains a a script that redirects the users to a website rife with malicious code that tries to exploit vulnerabilities in Adobe, IE and Java and through them download malware on the users' computer.

A Bkis security researcher thinks we are witnessing the birth of a new trend. According to him, attackers will be switching to this kind malicious files for two reasons:

• A lot of people have learned by now that .exe and .zip files in attachments are probably bad news and they delete the email, but .html files have managed to avoid looking instantly suspicious.
• These .html attachments don't contain any kind of malicious or exploit code, which makes them perfect for bypassing antivirus programs integrated in mail servers or antivirus solutions in general:

When you think about it, the file in question does the exact same thing a malicious link would do, but - once again - many users have learned not to click on those either.

Popular websites distribute spyware-infected Mac software

Intego has discovered a spyware application that is installed by a number of freely distributed Mac applications and screen savers found on a variety of websites.

This spyware, OSX/OpinionSpy, performs a number of malicious actions, from scanning files to recording user activity, as well as sending information about this activity to remote servers and opening a backdoor on infected Macs.

OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia. The spyware itself is not contained in these applications, but is downloaded during the installation process. This shows the need for an up-to-date anti-malware program with a real-time scanner that can detect this malware when it is downloaded by the original application’s installer.

The information provided with some of these applications contains a misleading text that users must accept explaining that a “market research” program is installed with them, but not all of these specify this. Some of these programs are also distributed directly from developers’ web sites with no such warning.

The malware, a version of which has existed for Windows since 2008, claims to collect browsing and purchasing information that is used in market reports. However, this program goes much further, performing a number of insidious actions, which have led Intego to classify it as spyware.

Detailed analysis of the spyware here.

As seen in the detailed report, this application that purports to collect information for marketing reasons does much more, going as far as scanning all the files on an infected Mac. Users have no way of knowing exactly what data is collected and sent to remote servers; such data may include user names, passwords, credit card numbers and more. The risk of this data being collected and used without users’ permission makes this spyware particularly dangerous to users’ privacy.

The fact that this application collects data in this manner, and that it opens a backdoor, makes it a very serious security threat. In addition, the risk of it collecting sensitive data such as user names, passwords and credit card numbers, makes this a very high-risk spyware. While its distribution is limited, we warn Mac users to pay careful attention to which software they download and install.