::Trend Micro Threat Resource Center::

18 June 2009

Mass-Mailing Worm in Fake Twitter Account Invite

Last month we reported that spammers had used Twitter as bait to lure innocent victims into a phishing trap, and now we’re seeing a wave of fake Twitter invitations that come carrying a mass-mailing worm. The observed messages appear as if they have been sent from a Twitter account; however, unlike a legitimate Twitter message, there is no invitation URL present in the body. Instead, the user will see an attachment that appears as a .zip file that purportedly contains an invitation card.

Invitation Card.zip is the name of the malicious attachment, and it is being identified as W32.Ackantta.B@mm, which was first discovered in an e-card virus attack in February. W32.Ackantta.B@mm is a mass-mailing worm that gathers email addresses from the compromised computer and spreads by copying itself to removable drives and shared folders.

[Screenshot: the message as it appears in an inbox]

And here is a sample header:

From: invitations@twitter.com
Subject: Your friend invited you to twitter!

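The tell the report describes is simple to check mechanically: a message that claims to be a Twitter invitation but carries a .zip attachment and no invitation link in the body. The following is an added example, not Trend Micro's code and not part of the original report; it parses raw messages with Python's standard email package and applies exactly that heuristic. The two sample messages are constructed for the example (the base64 attachment body is a placeholder "PK" header, not real malware, and the link in the legitimate sample is a made-up address). Note that the From header is trivially forged, so this is a content heuristic, not sender authentication.

```python
"""Flag Twitter-themed invitation mails that carry a .zip instead of a link.

Added example; not code from the article or from Trend Micro.
Heuristic from the report: fake invites come from a twitter.com sender,
contain no invitation URL in the body, and carry a .zip attachment.
"""
import email
import re
from email import policy

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def is_fake_twitter_invite(raw: bytes) -> bool:
    """True when a Twitter-themed mail has a .zip attachment and no URL in
    any text/plain part. The From header is attacker-controlled, so this
    only classifies content; it does not authenticate the sender."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").lower()
    if "twitter" not in sender and "twitter" not in subject:
        return False
    body_text = ""
    attachment_names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachment_names.append(filename.lower())
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    has_link = bool(URL_RE.search(body_text))
    has_zip = any(name.endswith(".zip") for name in attachment_names)
    return has_zip and not has_link


# Constructed sample resembling the reported worm mail (the attachment body is a
# harmless placeholder, not the actual W32.Ackantta.B@mm payload).
FAKE_INVITE = b"""From: invitations@twitter.com
Subject: Your friend invited you to twitter!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Your friend invited you to join Twitter. Open the attached invitation card.
--XX
Content-Type: application/zip; name="Invitation Card.zip"
Content-Disposition: attachment; filename="Invitation Card.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XX--
"""

# Constructed sample of a plain invitation with a link and no attachment
# (the URL is made up for the example).
REAL_INVITE = b"""From: invitations@twitter.com
Subject: Your friend invited you to twitter!
Content-Type: text/plain

Your friend invited you to join Twitter. Accept here: http://twitter.com/invitations/example
"""
```

Run `is_fake_twitter_invite(FAKE_INVITE)` and `is_fake_twitter_invite(REAL_INVITE)` to see the two cases classified; in a mail gateway the same function would sit behind whatever attachment-stripping or quarantine policy is already in place.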
As Twitter continues to gain popularity among social networking users, people are regularly receiving invitations and email updates from fellow users. We expect that spammers will continue to use Twitter and other popular social networks as bait in their attacks.

17 June 2009

Researchers To Unleash New SMS Hacking Tool At Black Hat

iPhone-based auditing tool tests mobile phones for vulnerabilities to SMS-borne attacks

Texting just keeps getting riskier: Researchers at next month's Black Hat USA in Las Vegas will demonstrate newly discovered threats to mobile phone users, as well as release a new iPhone application that tests phones for security flaws.

"We set out to create a graphical SMS auditing app that runs on the iPhone," says Luis Miras, an independent security researcher. The tool can test any mobile phone, not just the iPhone, for vulnerabilities to specific exploits that use SMS as an attack vector.

The researchers say they are currently working with mobile phone vendors on the bugs they discovered in their research, and say they expect the vendors to patch the flaws before Black Hat.

"In all of the issues, we're working through with responsible disclosure -- working with all of the [affected] vendors," says Zane Lackey, senior security consultant with iSEC Partners. "[And] they are going to be resolved with patched [phones]."

SMS has evolved beyond simple text messaging, which helps make it an attractive vehicle for attacks. For example, the related MMS service, whose notifications are themselves delivered over SMS, allows graphics, sound, and video to be pushed to a handset. And a phone accepts SMS by default, so an attack needs little or no user interaction. Miras and Lackey say the weaknesses they will expose are in specific SMS implementations, however, and not in the protocol itself.

SMS hacking has captured the attention of security researchers lately. In December 2008, Tobias Engel demonstrated an exploit that blocks several Nokia mobile phone models from receiving any further text messages. Called the "Curse of Silence" attack, the exploit uses a specially crafted SMS message (its protocol identifier set to "Internet Electronic Mail", with an e-mail address longer than 32 characters in the body) to launch a denial-of-service (DoS) attack on the victim's phone. While the SMS/MMS messaging features go dark, the phone itself remains operational after the attack.

And with mobile phones increasingly storing more sensitive personal and business information, they will inevitably become a bigger target for attackers, Lackey says. "SMS is interesting -- it's an 'always-on' attack surface," he says, and can be used for a DoS or for executing malware on a victim's phone, for example.

Mobile phones are also harder to manage and protect than laptops, which leaves them exposed to compromise. Unlike a company-issued laptop, a mobile phone is often privately owned by the user and under little or no corporate control, Miras says. The best way for users to protect themselves from SMS-based attacks today, he says, is to keep their phones patched.

But patching has always been a challenge for mobile phones "because of the many people involved -- the OS vendor, the OEM, and the carriers, which all have different aspects of control in the process," Miras says. "It's a difficult job, and it's still maturing."

Meanwhile, Miras and Lackey haven't yet christened their new SMS hacking tool with a catchy name. They also are writing some other minor tools for SMS security: "We're still working on those, but the [graphical SMS auditing app] is our flagship tool," Lackey says.

15 June 2009

New Facebook URLs raise cyber-squatting fears

Facebook's new personalised URLs feature has already come under fire from experts who believe it could be abused by cyber-squatters.

The new service, which went live on Saturday, allows account holders to register more distinctive URLs for their profiles by choosing a specific username, which then appears in the URL of their profile.

"Your new Facebook URL is like your personal destination, or home, on the web," wrote Facebook designer Blaise DiPersia in a blog post.

"People can enter a Facebook username as a search term on Facebook or a popular search engine like Google, for example, which will make it much easier for people to find friends with common names."

However, experts from law firm Eversheds have warned that businesses could be at risk from the malicious registering of company names.

"There is a real risk that well-known brands may be targeted by Facebook users to gain a financial benefit or damage the interests of brand owners, problems which brand owners are already only too familiar with in the context of cyber-squatting," said Evershed partner Antony Gold.

Birgit Schluckebier, a solicitor at the firm, added that, although Facebook has put in place certain measures to counter the efforts of cyber-squatters, such as making usernames non-transferable, brand owners must move quickly to mitigate the risk of abuse.

Facebook had given trademark owners the chance to submit their trademarks so that it could block unauthorised requests to register associated usernames. However, this service has been closed now that the registration process has begun.

Facebook has now said that any firm that wishes to report that a third party has registered a username which infringes on their rights, and wants to request the removal of a page, will need to fill out an automated IP infringement form.

11 June 2009

MSFT, Adobe and Apple patch together

Three major software companies issued updates this week, with Microsoft fixing 31 vulnerabilities in its operating system and applications, Adobe patching more than a dozen issues in its document reader software, and Apple closing over 50 serious security holes in its Safari browser.

With ten patches, Microsoft fixed 31 flaws, including ten vulnerabilities in Microsoft Office addressed by a trio of patches. Those Office flaws are rated Critical by Microsoft only for Office 2000 and Important for other versions of the productivity suite. Perhaps the most serious vulnerabilities fixed by the software giant are seven security issues in the company's flagship browser, Internet Explorer, which affect even the current version, Internet Explorer 8, said Andrew Storms, director of security operations for network protection firm nCircle.

"Topping this month's moderately large release cycle from Microsoft is the critical IE update that affects even Microsoft's latest and most secure browser, IE 8," Storms said in a statement sent to SecurityFocus. "Client side, browser based vulnerabilities continue to top the charts for threats, so every user should put this patch at the top of their 'install immediately' list."

In its first quarterly patch release, Adobe closed 13 security holes in Adobe Acrobat and Reader. The quarterly release, which Adobe announced last month, is scheduled to fall on the same day as Microsoft's Patch Tuesday. Some of the flaws could allow an attacker to run code on the vulnerable system, while others appear to be denial-of-service issues only.

Adobe still needs to work out the kinks in its quarterly patch process, Storms said.

"While the scheduled release cycle for Adobe updates is a big improvement in helping enterprise security teams effectively manage resources, today's security bulletins are still missing information," Storms said in a statement. "Security managers need Adobe to step up and provide mitigation steps and more detail on both the bugs and the patches."

Apple rounded out the patch parade with an update, released on Monday, that fixed more than 50 flaws in its latest browser, Safari 4.

29 May 2009

Members Of Legendary '90s Hacker Group Relaunch Password-Cracking Tool

L0phtCrack is back: Former members of L0pht Heavy Industries retool their tool after buying it back from Symantec.

It's official: The famous password-cracking tool L0phtCrack is back, and its creators plan to keep it that way.

L0phtCrack 6, released Wednesday, is the latest version of a tool first developed in 1997 by Christien Rioux, Chris Wysopal, and Peiter "Mudge" Zatko of the former L0pht Heavy Industries -- the hacker think tank best known for testifying before Congress that it could shut down the Internet in 30 minutes. In January of this year, Rioux, Wysopal, and Zatko bought back L0phtCrack from Symantec, and later announced they would build a new version of the tool with support for 64-bit Windows platforms and other new features.

"When Symantec stopped supporting L0phtCrack [in 2005], a lot of people were still using it. They left their customers high and dry," says Mudge, who, along with his co-developers, had initially worried that could happen. "We had clauses in place so that if Symantec ever did cease to support and maintain it, we could have certain options [to get it back]. We didn't want somebody to take it from us and deep-six it. We thought it was a useful tool."

Weak passwords are still a major problem today, even 12 years after Mudge and his colleagues first wrote the proof-of-concept code for L0phtCrack. The tool was later sold commercially by @stake, the security consulting firm that absorbed L0pht and was itself later acquired by Symantec.

"People are still tremendously dependent on passwords. We have all of these cached credentials and network logons," Mudge says, adding that weak passwords are still getting compromised. "This still needs to be brought to people's attention in a relatively powerful way, and that's what the tool always did."

Among the new features in L0phtCrack 6 is 64-bit support, as well as support for Windows Vista. The tool provides password assessment and recovery, dictionary and brute-force cracking, password-quality scoring, remediation, remote scanning, and executive reporting.

Mudge says he's working on a Mac OS X interface for L0phtCrack, and that later versions of the tool will look at different types of password hashes and encoded credentials. The developers also are exploring how to harness more horsepower for the tool using, for instance, a machine's graphics processing card to handle some of the heavy lifting.

L0phtCrack 6 is available for download from L0pht's newly launched Website. It costs $295 for the Professional version, $595 for the Administrator version, and $1,195 for the Consultant version.

28 May 2009

McAfee Reveals Most Dangerous Search Terms

In a study of search terms and results leading to malware sites, McAfee found almost six out of ten (59%*) search results for keyword variations of "screensavers" lead to sites containing malware. Half of "lyrics" searches produce the same.

McAfee's report, entitled "The Web's Most Dangerous Search Terms," suggests cybercriminals' most desired targets are youngsters presumed to be less educated about dangers on the Web, less careful about their navigation, and more likely to be searching for freebies.

Sadly, cybercrooks also seem to be targeting those down on their luck; variations of "work from home" searches can be four times riskier than the average risk for all popular terms, says McAfee. Results containing the word "free" carry a 21.3 percent chance of encountering spyware, phishing, adware, viruses or other malware.

But it may not be a matter of target markets. Instead, cybercriminals are probably just casting as wide a net as possible. McAfee used trend-tracking services such as Google Zeitgeist and Yahoo Buzz to develop a list of search terms to test. In all, 2,600 keywords were tested, but McAfee declined to say which search engines were used for the test.

The recession is surely fueling searches for means of earning extra income and saving money, just as lyrics searches were probably heightened by American Idol performances. Viagra, a popular spam keyword, did not turn out to be as risky as other terms, probably not because the Viagra-using population is less Web savvy, but more likely because there is a smaller demographic searching for information about it.

Other risky terms include "free games," "Rihanna," "Webkinz," "Powerball," "iPhone," and "Jonas Brothers."

*That's the calculated maximum risk average. Average category risk is 34.4%