::Trend Micro Threat Resource Center::

30 November 2009

Illegal Games? Pay the Price—Publicly!

Security Response has discovered a threat that is being talked about among some members of certain discussion groups in Japan. The threat, named Infostealer.Kenzero, teaches yet another lesson to those using file-sharing networks not to download illegal games. Infostealer.Kenzero primarily arrives in the guise of setup.exe, which in this case is a fake installation file for Japanese pornographic games that are circulating around the file-sharing network “Share.” Several pornographic games have been reported to include this malicious setup.exe file.

Once the setup.exe file is executed it attempts to download image files (.bmp) from a predetermined website. Using these images, the threat brings up a form that asks the user to enter personal information, including his or her full name, password for the game, email address, postal code, residential address, gender, company name, and telephone number. Users who desperately want to play the games may hurriedly complete the form without realizing that this dangerous online practice will come back and haunt them. They will soon find out that the information they have provided is to be made available on a public website, along with system information and screenshots of their desktop.

We have come across several similar cases before. However, those uploaded desktop pictures and private information do not seem to be punishment enough. As a security company we are always looking out for the users, but if you are navigating a dodgy and deceitful place, you must pay extra attention—just like you would in the real world.

What is the moral of this story? Always use legal and legitimate software.

Source:

http://www.symantec.com/connect/blogs/illegal-games-pay-price-publicly

29 November 2009

Microsoft releases password attack data

Microsoft released data collected from an FTP-server honeypot, showing that attempts to guess passwords continue to focus on the low-hanging fruit: passwords with an average length of eight characters, with "password" and "123456" being the most common.

The data is part of a project to monitor attacks that everyday users might encounter on a regular basis. Most of the attacks attempted to log into the administrator account on English and French computers -- "Administrator" and "Administrateur" were, by far, the two most popular usernames -- using a variety of passwords. The attackers were typically compromised computers that were part of a botnet, Microsoft researchers stated on the company's Malware Protection Center blog.

"You should take care of what user name and password you're choosing," the researchers wrote. "If your account has no limit on the number of login attempts, then knowing the user name is like having half the job done."

In one case, an attacker made more than 400,000 attempts to guess a user name and password combination.

The most common passwords were password, 123456, #!comment:, changeme and an expletive.

Microsoft recommended that users create passwords consisting of letters, numbers and special characters using a combination of lower and upper case. The average length of the password attacks was eight characters, so users should focus on longer passwords, the researchers stated.
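The kind of analysis Microsoft ran over its honeypot data, and the two checks a defender would derive from it (rate-limiting noisy sources and rejecting passwords seen in the guess list), as an added example in Python; the login records are constructed for illustration and are not Microsoft's data.

```python
from collections import Counter
from statistics import mean

# Constructed honeypot records (source_ip, username, password) in the spirit
# of the FTP honeypot described above; not real captured traffic.
ATTEMPTS = [
    ("203.0.113.7", "Administrator", "password"),
    ("203.0.113.7", "Administrator", "123456"),
    ("203.0.113.7", "Administrator", "changeme"),
    ("203.0.113.7", "Administrateur", "password"),
    ("198.51.100.9", "Administrateur", "123456"),
    ("198.51.100.9", "admin", "#!comment:"),
    ("198.51.100.9", "Administrator", "password"),
    ("192.0.2.44", "ftp", "ftp"),
]


def summarize(attempts):
    """Top guessed usernames/passwords and the mean length of guessed passwords."""
    users = Counter(u for _, u, _ in attempts)
    pwds = Counter(p for _, _, p in attempts)
    return {
        "top_users": users.most_common(3),
        "top_passwords": pwds.most_common(3),
        "mean_password_len": mean(len(p) for _, _, p in attempts),
    }


def flag_sources(attempts, threshold):
    """Source IPs whose attempt count reaches the threshold: candidates for
    temporary lockout or alerting, which is the 'limit on login attempts' the
    researchers mention."""
    per_source = Counter(ip for ip, _, _ in attempts)
    return sorted(ip for ip, n in per_source.items() if n >= threshold)


def is_weak(password, guessed, min_len=12):
    """Reject a candidate password if attackers are already guessing it or if
    it is no longer than the typical guess (eight characters on this honeypot)."""
    return password.lower() in guessed or len(password) < min_len


if __name__ == "__main__":
    stats = summarize(ATTEMPTS)
    print(stats)
    print("noisy sources:", flag_sources(ATTEMPTS, 3))
    guessed = {p for p, _ in stats["top_passwords"]}
    print(is_weak("Password", guessed), is_weak("correct-horse-battery", guessed))
```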

25 November 2009

MySpace phishing and malware combo

F-Secure warns about phishing emails that urge users to update their MySpace accounts. If you fall for the trick and follow the link, you are taken to a fake MySpace page, where you are asked to enter your username and password. The login information is then used to hijack your account and use it for spreading malware.

But that is not enough for the bad guys. Upon logging on, you encounter the following request:

The update tool is, of course, malware - a Zeus/Zbot variant.

Phishers Playing Games?

Phishers are constantly targeting newer brands from diverse industries, with the sole motive of fraudulently acquiring a large amount of users’ confidential information for financial gain. Symantec has observed and followed up on some recent trends in phishing attacks targeting some of the popular online gaming websites. Since the beginning of this year there has been a steady rise in phishing attacks on gaming websites.

Using these fake websites, phishers are employing tactics to acquire online gaming registrations and product keys from the intended victims.

Read on to find out the tactics observed.

24 November 2009

New iPhone Worm attempts to build botnet

iPhone users beware.

History repeats itself, as safety trade-offs occur when a product's security layers are altered for ease-of-use or greater functionality. There is very limited exposure for this new threat that F-Secure is currently analyzing. It only impacts devices where Apple's original security safeguards for the iPhone are intentionally altered through a process called "Jailbreaking".

Read the analysis here.

QUOTE: "It only affects Jailbroken iPhones which have SSH installed and have not changed the default password. This one connects to a web-based command & control center running in Lithuania. The worm is not widespread, but it is much more serious than the first iPhone worm as it seems to try to steal information from the devices."

Other useful reads:

How it works

http://www.net-security.org/malware_news.php?id=1144

Ikee - First iPhone Worm impacts "Jailbroken iPhones"
http://www.f-secure.com/weblog/archives/00001814.html

What are "Jailbroken iPhones"?
http://en.wikipedia.org/wiki/Jailbreak_%28iPhone_OS%29

How to change root password in "Jailbroken iPhones"
http://www.f-secure.com/weblog/archives/cydia.htm

23 November 2009

Major IE8 flaw makes 'safe' sites unsafe

The latest version of Microsoft's Internet Explorer browser contains a bug that can enable serious security attacks against websites that are otherwise safe.

The flaw in IE 8 can be exploited to introduce XSS, or cross-site scripting, errors on webpages that are otherwise safe, according to two Register sources, who discussed the bug on the condition they not be identified. Microsoft was notified of the vulnerability a few months ago, they said.

Ironically, the flaw resides in a protection added by Microsoft developers to IE 8 that's designed to prevent XSS attacks against sites. The feature works by rewriting vulnerable pages using a technique known as output encoding so that harmful characters and values are replaced with safer ones. A Google spokesman confirmed there is a "significant flaw" in the IE 8 feature but declined to provide specifics.

Full report here.

13 November 2009

Serious Adobe Flash vulnerability

Foreground Security discovered a critical vulnerability in Adobe Flash.

This vulnerability allows the same-origin policy of Adobe Flash to be abused, so that nearly any site that accepts user-generated content can be attacked.

No fix for this vulnerability currently exists.

According to Foreground Security Senior Security Researcher Mike Bailey, who discovered the vulnerability: “Whether you use Flash or not, you may still be vulnerable because this issue affects users directly and not the servers themselves. Websites that are at risk of being vulnerable include social media sites, major career portals, and Fortune 1000 and government agencies websites. Basically, if you have a website, you could be vulnerable.”

Following the discovery, the vulnerability was reported to both Adobe and Google, whose Google Applications, including Gmail, are vulnerable to exploit.

Bailey also noted: “This is insidious because Flash content can be crafted to look like many different file types, such as Microsoft Word or Excel documents, image files or zip files. This variability allows malicious content to appear in many different and normally non-threatening guises. Nobody expects pictures to attack them."

Here's a video demonstration of the (now fixed) Gmail exploit that uses Mike Bailey's Flash exploit as its basis:

12 November 2009

Battle of the anti-virus: What is the best software?

AV-Comparatives.org recently released the results of a malware removal test in which they evaluated 16 anti-virus software solutions:
  • Avast Professional Edition 4.8
  • AVG Anti-Virus 8.5
  • AVIRA AntiVir Premium 9.0
  • BitDefender Anti-Virus 2010
  • eScan Anti-Virus 10.0
  • ESET NOD32 Antivirus 4.0
  • F-Secure AntiVirus 2010
  • G DATA AntiVirus 2010
  • Kaspersky Anti-Virus 2010
  • Kingsoft AntiVirus 9
  • McAfee VirusScan Plus 2009
  • Microsoft Security Essentials 1.0
  • Norman Antivirus & Anti-Spyware 7.10
  • Sophos Anti-Virus 7.6
  • Symantec Norton Anti-Virus 2010
  • Trustport Antivirus 2009
The test focused only on malware removal/cleaning capabilities, therefore all samples used were samples that the tested antivirus products were able to detect. The main question was whether the products are able to successfully remove malware from an already infected/compromised system. The test report was aimed at typical home users. A further question was whether the products are able to remove what they are able to detect.

Based on a scoring system that evaluated malware and leftovers removal capabilities, these were the results:
"None of the products performed “very good” in malware removal or removal of leftovers, based on those 10 samples. eScan, Symantec and Microsoft (MSE) were the only products to be good in removal of malware AND removal of leftovers", says the report. "Some products do not remove all registry entries on purpose (as long as they do not have any visible side effect for the user), e.g. if that helps to prevent reinfection by the same malware. Furthermore, in some cases it is not possible to know if the registry values (or the hosts file) were modified by the malware or by the user itself (or third-party utilities used by the user)."

To see which malware samples were used and why, and how the particular anti-virus solutions behaved, go here.

11 November 2009

Facebook groups hacked through design flaw

Mashable reports that anyone can hijack a group on Facebook just by joining the group and registering as an administrator after the real admin has left. The group is then at the mercy of the "illegal" admin, who can change the name, edit the information, the picture, send messages to members - in short, he can abuse the acquired "power" by putting up offensive stuff.

There was a Facebook group by the name Control Your Info, whose members were going around and hijacking groups to try to raise awareness about the flaw, but it has been shut off by Facebook.

Let's hope they are also fixing the flaw.

Koobface worm creates Facebook accounts to spread

Be careful the next person you approve as your friend on Facebook.

According to TrendLabs, there is a new Koobface component that makes Internet Explorer create Facebook accounts. It automates the whole process - the browser registers the account, confirms and activates the registration via Gmail, joins random Facebook groups, adds friends, posts messages to their walls...

It actually does a good job of imitating a person setting up a Facebook account - the details it provides are complete, credible and vary from account to account: photo, birth date, favorite movies, religious views, etc. These details are picked up from one of the botnet’s available proxy domains.

Another "smart" Koobface feature is that after it has created the account, it makes sure not to surpass the maximum number of friend requests allowed by Facebook, so it doesn't raise the suspicions of its administrators.

The messages that the account posts on friends' walls usually contain a link that, if clicked, takes the unsuspecting user to a site that hosts the Koobface loader.

09 November 2009

iPhone worm spreads via default password

In my earlier post about Hacked iPhones held hostage, here's another piece:

An iPhone worm has started jumping between jailbroken devices, taking advantage of users who have replaced the phone's software but failed to create a new root password, security firm F-Secure stated on Monday.

Affected users will find that their iPhone wallpaper has been altered to a picture of Rick Astley (of Rickroll fame) and the message "ikee is never going to give you up".

The worm targets users who have jailbroken their phone but have not changed their default root login password. It will search for vulnerable iPhones by scanning a handful of IP ranges - most of which are in Australia. At the moment, we have no confirmed reports of Ikee outside of Australia.

After Ikee infects a phone, it disables the SSH service, preventing reinfection. To protect your jailbroken iPhone, change your root password. Here's how.

The creator of the worm has released full source code of the four existing variants of this worm. This means that there will quickly be more variants, and they might have nastier payload than just changing your wallpaper or might try password cracking to gain access to devices where the default password has been changed.

Source.

05 November 2009

Facebook best practice

I can't stress enough how important it is to take responsibility for what you post on the Internet, especially on social networking websites. What you reveal about yourself may eventually be used against you - refer to the earlier post I made about public search engines mining your private Facebook profile details.

I've observed that of late, many of my friends are plagued by this weird Wall-posting activity. Facebook has provided users with powerful controls to protect themselves online, and it is up to individuals to check and ensure that appropriate settings are in place.

Sophos has published recommendations for how to configure the settings for each of these privacy areas of Facebook.

Take a look here.

Windows 7 vulnerable to most viruses

Windows 7 was touted as a big improvement on Vista, security aspect included.

The Sophos team wanted to test that assertion, so they installed a full release copy of the new OS on a previously cleaned computer, kept the default values for User Account Control (UAC) and didn't install any anti-virus software.

They then proceeded to infect the machine with the 10 most recent unique malware samples SophosLabs had received. The result wasn't good for users (although it technically is a good result for manufacturers of anti-malware software around the world): only 2 out of 10 failed to operate!

UAC managed to block only one sample by itself, and that is definitely not good enough.

The conclusion? If you installed Windows 7, don't forget to use anti-virus software.

04 November 2009

Hacked iPhones held hostage

Dutch T-Mobile customers who use jailbroken iPhones got a nasty surprise yesterday. A "message" popped up on their screen claiming that their iPhone had been hacked and instructing them to visit doiop.com/iHacked to secure their iPhones. To add more incentive, the hacker also wrote: "Right now, I can access all your files."

When the scared users visited the website, they were asked to send €5 to the hacker's PayPal account so he could send them instructions on how to secure their device.

How did this happen? It seems that the hacker identified the jailbroken iPhones using port scanning, because those particular devices have SSH running. SSH has to be enabled for the user to log in via Terminal and run UNIX commands, and the default root password often gets forgotten and remains unchanged. The hacker used this fact to hack into the phones.

Although it appears that the hacker didn't misuse any of the data he had access to - afterwards he posted the instructions on the website, apologized and returned the money - it doesn't mean that someone else will not, since the technique is pretty simple to execute and requires only a basic knowledge of networking.

To all iPhone users that have jailbroken their device, it is advised to shut down SSH when it's not needed and to change the default root password.

02 November 2009

Trojan.Whitewell: What’s your (bot) Facebook Status Today?

I'm very sure by now, most of you Facebookers would have received some weird posts on your Walls from either your friends or your friends would have notified you that you posted something on their wall.

Here are some sample messages:
  • Thought you might want to check this out http://_fb-newss.org
  • has made $159 today working at home! go to TheBizMeet.com to see how you can start! ktq
  • For You http://_newwss2.org
  • I found a job you might be interested in news44.org
Here is a breakdown of what's happening.

If you discover that your account has been used to post weird links on your friend's Walls, you should immediately do the following:
  • Change the password of your FB account.
  • Change the password of the email account linked to your FB.
  • Get your antivirus updated with the latest virus definitions and perform a full scan.
  • If you do not have antivirus software installed on your computer, please proceed here to download a free copy.