::Trend Micro Threat Resource Center::

28 January 2010

Devious ransom trojan takes data hostage

Taking data hostage is not a new invention in the world of cybercrime but a trojan currently infecting computers does it in a way that can leave the victim unaware that he has been scammed.
Mikko Hypponen, CRO at F-Secure, says, “When the W32/DatCrypt trojan infects a computer, it makes it seem as if some files, such as Microsoft Office documents, video, music and image files have been “corrupted”, when the files have in fact been encrypted by DatCrypt. Next the trojan creates what looks like an authentic message from Windows, advising the user to download and execute the "recommended file repair software" called Data Doctor 2010.”

If this utility is downloaded and executed, the user receives a message that it can "only repair one file in unregistered version". In order to repair — or more accurately, decrypt — more files, the user has to buy the product for $89.95. After the money is paid, the software does return access to the files.

Mikko Hypponen continues, “This trojan works in a very devious way. The user is probably very relieved to get his files back and may not realize that he has just paid a ransom for his own files. The user may even recommend what seems like an excellent file recovery product to his friends. Similar ransomware tricks have also involved the File Fix Pro utility during the past year.”

These criminal schemes only work if the user has not backed up his important files elsewhere. F-Secure recommends that everyone backs up their important files regularly, either on removable media like CDs, DVDs or USB thumb drives, or with online resources.

27 January 2010

Virus writers produce hardware damaging code?

BitDefender identified a new e-threat that combines the destructive behavior of a virus with the spreading mechanisms of a worm. There are two known variants of this virus, which enters the computer disguised as a harmless IQ test.

Once executed, the worm creates between seven and eleven copies of itself (depending on the variant) in critical areas of the Windows system.

Win32.Worm.Zimuse.A is an extremely dangerous piece of malware. Unlike average worms, Win32.Worm.Zimuse.A could lead to severe data loss as it overwrites the first 50 KB of the Master Boot Record - a key zone of the hard disk drive.

In order to execute on each Windows boot-up, the worm sets the following registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dump"="%programfiles%\Dump\Dump.exe"

It also creates two driver files, namely:

%system%\drivers\Mstart.sys and %system%\drivers\Mseu.sy

Since 64-bit versions of Windows Vista and Windows 7 require digitally signed drivers, the worm fails to install these files there.
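A read-only check for the persistence artifacts listed above, written here as an added example (it is not BitDefender's or the article's code). It assumes %system% means %SystemRoot%\System32 and that the second driver name is Mseu.sys; the article's text reads "Mseu.sy".

```powershell
# Added example: look for the Zimuse Run value and driver files on this host.
# Nothing is modified; findings are printed for the responder to act on.

$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$drivers = Join-Path $env:SystemRoot 'System32\drivers'   # %system%\drivers assumed
$findings = @()

# 1. Run value "Dump" pointing at %programfiles%\Dump\Dump.exe
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Dump']) {
    $target = [Environment]::ExpandEnvironmentVariables($run.Dump.Trim('"'))
    $onDisk = Test-Path -LiteralPath $target
    $findings += "Run value 'Dump' -> $target (file present: $onDisk)"
}

# 2. The two dropped driver files (Mseu.sys extension assumed, see lead-in)
foreach ($name in 'Mstart.sys', 'Mseu.sys') {
    $path = Join-Path $drivers $name
    if (Test-Path -LiteralPath $path) {
        $mtime = (Get-Item -LiteralPath $path).LastWriteTime
        $findings += "Driver file present: $path (last written $mtime)"
    }
}

if ($findings.Count -eq 0) {
    'No Zimuse indicators found.'
} else {
    $findings
    # The payload fires on the next restart after the trigger date, so do not reboot.
    'Indicators found: isolate the host and image the disk before any restart.'
}
```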

Unfortunately, in its early stages, this worm makes it nearly impossible for users to know their system has fallen victim to the e-threat. If a certain number of days have elapsed since the infection (40 days for variant A and 20 days for variant B), the computer user receives an error message stating that a problem has occurred due to malicious content in IP packets from a peculiar-looking web address. It then asks the user to recover the system by pressing “OK.” After this message, the next restart causes the computer’s hard disk to become damaged due to the compromised boot sector.

26 January 2010

Hackers prey on Google workers' friends

It has been discovered that the hackers who mounted the recent attacks on Google, Adobe and other companies targeted friends of employees who had access to proprietary data.

According to the Financial Times, the plan was simple: compromise the social network accounts of those friends, send messages with links that lead to spyware and so improve the chances of the victims clicking on the malicious link.

It obviously worked flawlessly. But knowing now how they did it raises some serious points.

First, the attacks were obviously scrupulously planned. And second, the attacks included spying on people, so the likelihood of this being a government-sponsored effort has suddenly skyrocketed.

Security researchers also discovered that part of the code used in the attacks dates back to 2006, which means that attacks like these were being planned years ago.

Sobering facts, indeed.

25 January 2010

How does Aurora work?

For the technical peeps who want a better understanding of what Aurora can do, read the following articles:

http://www.symantec.com/connect/blogs/trojanhydraq-incident

http://www.symantec.com/connect/blogs/hydraq-vnc-connection


23 January 2010

17-Year-Old Windows Flaw Found

Here's a little something to make people who are interested in security shudder: a vulnerability's been discovered, and believe it or not, it's present in just about every version of Windows from 1993's Windows NT 3.1 on.

Tavis Ormandy, who works for Google, appears to have discovered the issue sometime towards the middle of last year, and - after giving Microsoft more than a fair amount of time to deal with it (he notified the company in June) - wrote about it yesterday.

Apparently the fault lies with the Virtual DOS Machine, which comes with 32-bit versions of Windows for the sake of supporting 16-bit applications. And the problem amounts to a privilege escalation bug, which isn't the most benign thing in the world.

Fortunately, 64-bit versions of Windows are gaining market share every day, and Ormandy's recommended precaution for older systems isn't complicated.

Ormandy wrote, "Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack from functioning . . . . Applying these configuration changes will temporarily prevent users from accessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users require this functionality."

Let's just hope there aren't too many other 17-year-old problems lying around out there.

22 January 2010

Microsoft Hurries Out IE Patch (for Aurora)

The time-honored idea of "Patch Tuesday" has gone out the window (no pun intended, promise) in response to an Internet Explorer vulnerability Microsoft's classified as critical. A patch will be issued today, Thursday the 21st, in response to the threat, instead.

This ties in to a couple of recent news stories. Remember the Google China attack that caused the search giant to threaten leaving the country? The same attack that may have affected Adobe, Dow Chemical, Northrop Grumman, Symantec, and Yahoo? The hole Microsoft's shutting today was used in that series of hacks.

Also, like the 17-year-old Windows flaw we wrote about yesterday, the IE vulnerability has been around for quite a while; an official list of affected software names everything from Windows 7 and IE 8 to Windows 2000 and Internet Explorer 5.01.

As for some other facts, the problem relates to remote code execution, Microsoft's patch should come out around 11 AM Redmond time, and installing the patch will require a system restart.

And if you need further evidence of the importance of this development, Microsoft said in a security bulletin that it "will host a webcast to address customer questions on the out-of-band bulletin on January 21, 2010, at 1:00 PM Pacific Time . . ." (The webcast will be available for viewing afterward, too.)

IT professionals and end users might want to respond as quickly as possible, allowing for a reasonable degree of convenience; just save your work and sacrifice a couple of minutes of computer time when the patch comes out.

It's not very often that Microsoft abandons the tradition of Patch Tuesday, and it's usually in everybody's best interest to pay attention when the corporation does.

21 January 2010

7 Steps For Protecting Yourself From 'Aurora'

A Microsoft patch is imminent, but here's a checklist for locking down in the meantime.

Microsoft today confirmed it will release an out-of-band emergency patch for the previously unknown Internet Explorer vulnerability that was abused in the attack against Google and others, and amid concerns the threat could be used for more widespread attacks.

The so-called "Aurora" exploit for IE 6, which was unleashed in the wild late last week, has raised alarm as researchers demonstrated the exploit code can be retooled to attack IE 7 and IE 8 as well, and can bypass Data Execution Prevention (DEP). So far, just a few attacks have actually been spotted in the wild, according to Websense.

Though the exploit is just one piece of the puzzle in the attacks out of China, it's what we know for now and can at least try to mitigate, security experts say.

So with the exploit code taking on a life of its own and an IE patch on the horizon, how do you protect your computer in the meantime? Here are some steps Microsoft and other security firms recommend you can take now to help defend yourself:

1. Upgrade to IE 8 if you're an IE shop.
Despite concerns that IE 8 also could be compromised by the attack, Microsoft is still recommending the newest version of its browser as the safest.

Dino Dai Zovi, a security researcher and co-author of The Mac Hacker's Handbook, warns, however, that IE 8 on Windows XP SP3 isn't safe from this exploit, thanks to the latest research findings. "IE 8 on Windows Vista SP1 and above or Windows 7 is considerably more difficult to exploit," he says.

2. Enable DEP in IE.
DEP is automatically enabled in IE 8 on XP SP3, Vista SP1, Vista SP2, and Windows 7, but other versions of the browser require manually selecting DEP.

3. Run IE in Protected Mode on Vista and newer versions of Windows.
Microsoft says doing so limits the "impact" of an attack on the flaw.

4. Warn users about suspicious links that could be used for this attack or Websites containing online ads or user-generated content.
A user has to click on the malicious link to get infected with the malware, so remind people to be careful about links in email and instant messages, and to take care on the Web.

5. Limit user privileges.
If an attacker victimizes a user with administrative rights, then he would have the same access as that user.

6. Set Internet zone security in IE to "high."

7. Update all third-party applications with the latest versions and patches.
"Asking people to use a browser [other] than IE is not going to help one bit, unless the user also patches all other programs," says Thomas Kristensen, CSO at Secunia. "The reason is actually quite obvious -- more than 60 programs are installed on the average PC, approximately one out of five programs on the average PC are vulnerable, [and] some of these programs go unpatched for months, even years."
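An audit of the browser settings behind steps 2, 3 and 6, added here as an example (not code from Microsoft or the article). The registry locations are assumptions from IE administration: zone 3 is the Internet zone, CurrentLevel 0x12000 is "High", URL action 2500 is Protected Mode, and DEPOff under Internet Explorer\Main records the "memory protection" checkbox.

```powershell
# Added example: report whether the current user's IE settings match
# steps 2, 3 and 6 of the checklist. Read-only.

$zone3 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$main  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

function Get-RegValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$results = @()

# Step 6: Internet zone security level (0x12000 = High, 0x11000 = Medium, 0x10000 = Low)
$level = Get-RegValue $zone3 'CurrentLevel'
$results += New-Object PSObject -Property @{
    Check = 'Internet zone set to High (step 6)'
    Value = $(if ($level -ne $null) { '0x{0:X}' -f $level } else { 'not set' })
    Pass  = ($level -eq 0x12000)
}

# Step 3: Protected Mode for the Internet zone (0 = enabled, 3 = disabled).
# Only meaningful on Vista and later; XP has no Protected Mode.
$pm = Get-RegValue $zone3 '2500'
$results += New-Object PSObject -Property @{
    Check = 'Protected Mode enabled (step 3)'
    Value = $(if ($pm -ne $null) { $pm } else { 'not set' })
    Pass  = ($pm -eq 0)
}

# Step 2: DEP for IE. DEPOff = 1 means the user switched memory protection off;
# absent or 0 means the default (on) applies where the OS supports it.
$depOff = Get-RegValue $main 'DEPOff'
$results += New-Object PSObject -Property @{
    Check = 'DEP (memory protection) on (step 2)'
    Value = $(if ($depOff -ne $null) { $depOff } else { 'not set (default)' })
    Pass  = ($depOff -ne 1)
}

# Group Policy can pin the same settings under HKLM:\...\Policies; a policy value
# there overrides what this user-level audit reports.
$results | Format-Table Check, Value, Pass -AutoSize
```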

Full report.

20 January 2010

D-Link router vulnerability allows hackers to reconfigure admin settings

Recently, SourceSec Security Research announced on its blog that it had discovered a vulnerability in D-Link routers that allows outsiders and insiders to access and edit the router settings without using admin login credentials.

This can be done because the routers have an additional administrative interface, which uses the (insecurely) implemented Home Network Administration Protocol. Just the fact that the HNAP is present on the routers is enough to allow attackers to bypass the CAPTCHA login features.

They have issued a detailed report in which they state which D-Link routers are vulnerable (DI-524, DIR-628 and DIR-655) and the code required to take advantage of the flaw. They also made available the proof-of-concept tool for executing the attack.

According to ZDNet UK, a week or so later D-Link acknowledged the vulnerability in three of its routers, but not the three that SourceSec named. D-Link claimed that the tool SourceSec provided is the only way to exploit the vulnerability, because running the code by itself doesn't do the trick. D-Link also criticized SourceSec's move to make the flaw public AND offer software to take advantage of it, saying this put a lot of D-Link's customers in danger. In the meantime, D-Link did upload patches to its website.

It didn't take long for SourceSec to post a rebuttal: they challenge some of the information about which appliances are vulnerable and point out that, of course, they haven't tested all of the D-Link routers. They also claim that the code can be used with any piece of software that can make Web requests.

19 January 2010

Google China Hackers May Have Had Inside Man

Google's original announcement about an attack based in China was almost breathtaking; it was hard to imagine the tech leader, which employs thousands of brilliant people, losing so badly to hackers. But an explanation could be surfacing, as a new report indicates that some Google employees may have helped the hackers.

Reuters - which isn't in the business of spreading baseless rumors - stated this morning, "Google is investigating whether one or more employees may have helped facilitate a cyber-attack that the U.S. search giant said it was a victim of in mid-December, two sources told Reuters on Monday."

More specifically, people who actually work for Google in China are said to be under the microscope.

From a how-did-they-do-it perspective, involvement on that end of things would make a lot of sense. It could explain why Google's ready to abandon China, too, since the corporation probably isn't equipped to fight the Chinese government (which most experts believe was behind the attacks) at every turn.

Still, any inward-looking investigation may just be a matter of Google covering its bases. It's a little too early to start comparing this matter to some spy thriller just yet.

17 January 2010

Haiti Earthquake Donation Sites - Please be careful of the scammers

Every major event of this type leads to phishing attacks and money not going where it's intended. Please only donate to mainstream sites like the Red Cross, special church funds, etc. Please avoid many of the sites that might appear in email or web searches.

Meanwhile, my deepest sympathy, prayers, and thoughts continue for those affected by this great disaster.

Read on: Do the Right thing.

16 January 2010

Adobe hacked, China to blame

In what seems to be normal news this week, Adobe became a victim of what the company is calling "a sophisticated, coordinated attack" and is actively investigating the incident.

Given the size and scope of the attack, Adobe expects the full investigation to take quite some time to complete.

At this time there is no evidence indicating that any sensitive information was compromised.

It was not initially clear if this attack was related to the hacking incident in which China targeted Google, but Adobe did say that this attack against corporate network systems also targeted other companies and that it is working with them to get a clear picture of what happened.

In an e-mail exchange with Computerworld, Wiebke Lips, Adobe's senior manager of corporate communications said: "It appears that this incident and the one Google announced earlier are related."

Google did say that at least twenty other large companies have been targeted. It will be interesting to see what cybercriminals were looking for at Adobe and what companies have also been attacked.

15 January 2010

Facebook Privacy Doesn't Really Exist

Facebook recently rolled out new privacy settings that provide additional publishing controls.

But, does this really make your profile info private? Think again. Read on here to see why.

14 January 2010

Google hacked, plans to leave China

Although it does face a variety of cyber attacks on a regular basis, Google recently acknowledged the theft of intellectual property following a sophisticated attack on their infrastructure originating from China.

Investigation of the incident uncovered a more serious problem - at least twenty other large companies have been targeted as well. These are not only IT companies but companies doing business in a variety of sectors - finance, media, technology, etc. U.S. authorities are working with Google and the affected companies to try to understand the depth of the attacks.

It's not a secret that the Chinese government relies heavily on censorship as a way of control. There's evidence that these people are going the extra mile in order to retain control. Google suggests that a primary goal of the attacks was accessing the Gmail accounts of Chinese human rights activists, although the attackers apparently failed to gain access to the accounts during this attack.

Following these events, Google is reviewing the feasibility of their business operations in China and they are no longer willing to continue censoring their search results on Google.cn.

Full report here.

12 January 2010

Spammers Target Brands To Spread Malware

Spammers continue to take advantage of the reputation of global brands such as UPS, DHL and Facebook to prompt opening of emails, according to a new report from Commtouch.

During the past quarter, cybercriminals focused on distributing the Mal-Bredo A virus, according to Commtouch's Threats Trend Report for Q4 2009. The number of variants decreased from 10,000 to 1,000 as compared to last quarter.

"As we review the Internet threats for this quarter, we can really see the creativity the cybercriminals use to ensure their messages are opened," said Asaf Greiner, Commtouch vice president, products.

"Whether we like it or not, their activities really demonstrate when society-wide activities - such as social media participation - reach critical mass. Essentially, if a spammer is using a specific brand to entice consumers to open their mail, it means that brand has achieved a strong, positive reputation."

Blended threats, including fake Swine Flu alerts and Halloween tricks, continued to circulate, while spammers introduced a few new ploys including MP3 spam and personal improvement spam targeting women.

Other highlights from the Q4 Trend Report include:

An average of 312,000 zombies were newly activated daily for the purpose of malicious activity.

Spam levels averaged 77% of all email traffic throughout the quarter, peaking at 98% in November and bottoming out at 68% at the end of December.

Sites in the "Computers & Technology" and "Search Engines & Portals" categories topped the list of Web categories manipulated by phishing schemes.

"Business" continued to be the Web site category most infected with malware for the third quarter in a row.

Pharmacy spam remained in the top spot with 81% of all spam messages; last quarter, it led with 68%. Replicas remained in the #2 spot, falling from 19% to 5.4%.

Brazil continues to produce the most zombies, responsible for 20.4% of global zombie activity.

03 January 2010

Adobe predicted to Surpass Microsoft As top Malware Target in 2010

Adobe Flash and Acrobat are popular standard tools for users. Any unpatched vulnerabilities provide wide targets for malware developers. It is essential to keep both of these products patched to ensure the best levels of safety. Users should also avoid any suspicious items presented to them in email or web browsing.

Adobe predicted to Surpass Microsoft As top Malware Target in 2010
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=222100263

QUOTE: Adobe Reader and Flash will surpass Microsoft Office applications as favorite targets of cybercriminals, a security vendor predicted Tuesday. In unveiling its 2010 Threat Predictions report, McAfee said the growing popularity of the Adobe products has attracted the attention of cybercriminals, who have been increasingly targeting the applications. Adobe Reader and Flash are two of the most widely deployed applications in the world. As a result of Adobe's success in client software, McAfee Labs believes "Adobe product exploitation will likely surpass that of Microsoft Office applications in 2010."

McAfee Threats prediction 2010
http://www.mcafee.com/us/local_content/white_papers/7985rpt_labs_threat_predict_1209_v2.pdf