Cybercriminals release Christmas themed web malware exploitation kit

“Committing cybercrime around the Christmas tree” has always been a tradition for malicious attackers introducing new ways to scam the millions of online shoppers during the holidays. This Christmas isn’t going to be an exception, but what has changed compared to the last couple of years is the tone of the Xmas promotions already circulating across various cybercrime communities. Do cybercriminals exchange gifts during the Christmas holidays? A recently released web malware exploitation kit, coming with three different types of licenses and 9 modified exploits, aims to become “the perfect Christmas gift for all of your friends”.

Not surprisingly, the exploitation kit itself is released purely for commercial gain, and since it appears to reuse a large percentage of the source code of a competing exploitation kit — appreciate the irony here — the already patched vulnerabilities it attempts to exploit can easily be taken care of. However, going through the infection rate statistics that were temporarily left available as a promotion tool, thousands of people have already become victims of their own lack of situational awareness about how important patching of third-party applications really is.

A translated description of the kit’s marketing pitch:

“Feeling bored? Miss the Christmas spirit? Want to make a lot of money before the holidays but you lack the right tools? We have the solution to your problems - our web malware exploitation kit which will bring back the Christmas attitude and also become the perfect gift for your friends. Available are Professional, Standard and Basic licenses, with each of these including or lacking some unique features based on your budget. Professional package comes with support.”

Modified exploits included within the kit, with their associated descriptions:

  • modified MDAC - “the notorious exploit that continues to provide high infection rates of IE6 users”
  • IE Snapshot - “unique exploit offering high infection rates for both IE6 and IE7 users”
  • FF Embed - “still relevant for exploiting all Firefox versions”
  • Opera Old+new - “capable of infecting all versions of Opera up to the latest one”
  • Old PDF - “targeting Adobe Reader v8.1.1 it’s still relevant, also it checks whether the exact version is installed before launching the exploit”
  • New PDF - “targeting Adobe Reader 8.1.2, a perfect combination with Old PDF”
  • XLS - “unique exploit targeting Microsoft Excel”
  • SWF - “modification of the infamous exploit, works quietly and targets all browsers”

The malware obtained in one of the currently active campaigns has a low detection rate (6 out of 37 AVs detect it - 16.22%) and continues phoning home to findzproportal1 .com (64.69.33.138; 72.233.114.126), from where it attempts to drop a rootkit (TDSSserv.sys). One of the main ways of ensuring that you ruin their holidays is to make sure they cannot exploit you with last year’s client-side vulnerabilities, which remain the main vehicle for the continuing growth of web malware exploitation kits in general.

[Source: zdnet]

iPhone update kills 12 security bugs

Apple has released iPhone OS 2.2 with patches for 12 documented security flaws, some very serious.

The vulnerabilities covered by the patch (which also affect iPod Touch) could allow remote code execution, information theft, software crashes and weakened encryption settings.

The skinny on this batch of updates:

  • CVE-2008-2321: CoreGraphics contains memory corruption issues in the processing of arguments. Passing untrusted input to CoreGraphics via an application, such as a web browser, may lead to an unexpected application termination or arbitrary code execution. Credit to Michal Zalewski of Google for reporting this issue.
  • CVE-2008-2327: Multiple uninitialized memory access issues exist in libTIFF’s handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
  • CVE-2008-1586: A memory exhaustion issue exists in the handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected device reset. Credit to Sergio ’shadown’ Alvarez of n.runs AG for reporting this issue.
  • CVE-2008-4227: The encryption level for PPTP VPN connections may revert to a previous lower setting. This update addresses the issue by properly setting the encryption preferences. Credit to Stephen Butler of the University of Illinois of Urbana-Champaign for reporting this issue.
  • CVE-2008-4211: A signedness issue in Office Viewer’s handling of columns in Microsoft Excel files may result in an out-of-bounds memory access. Viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution. Apple discovered this bug internally.
  • CVE-2008-4228: iPhone provides the ability to make an emergency call when locked. Currently, an emergency call may be placed to any number. A person with physical access to an iPhone may take advantage of this feature to place arbitrary calls which are charged to the iPhone owner.
  • CVE-2008-4229: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. A race condition in the handling of device settings may cause the Passcode Lock to be removed when the device is restored from backup. This may allow a person with physical access to the device to launch applications without the passcode. Credit to Nolen Scaife for reporting this issue.
  • CVE-2008-4230: If an SMS message arrives while the emergency call screen is visible, the entire SMS message is displayed, even if the “Show SMS Preview” preference was set to “OFF”. This update addresses the issue by, in this situation, displaying only a notification that an SMS message has arrived, and not its content.
  • CVE-2008-4231: A memory corruption issue exists in the handling of HTML table elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Credit to Haifei Li of Fortinet’s FortiGuard Global Security Research Team for reporting this issue.
  • CVE-2008-4232: Safari allows an iframe element to display content outside its boundaries, which may lead to user interface spoofing. Credit to John Resig of Mozilla Corporation for reporting this issue.
  • CVE-2008-4233: If an application is launched via Safari while a call approval dialog is shown, the call will be placed. This may allow a maliciously crafted website to initiate a phone call without user interaction. Additionally, under certain circumstances it may be possible for a maliciously crafted website to block the user’s ability to cancel dialing for a short period of time. Credit to Collin Mulliner of Fraunhofer SIT for reporting this issue.
  • CVE-2008-3644: Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a person with physical access to an unlocked device.

It should be mentioned that several known phishing and spamming flaws in iPhone are not yet addressed.

[Source: zdnet]

Fake Windows XP activation trojan goes 2.0

Known as Kardphisher and “in the wild” since April, 2007, this trojan horse mimics the Windows XP activation interface while collecting the credit card details the end user submits. Last week its author made significant changes to the visual interface and usability of the trojan, consequently improving its authenticity. Guess what happens when a gullible end user falls victim to this social engineering attack?

Their credit card details end up automatically in an IRC channel set up specifically for that purpose. Some of the changes in the new version include a more legitimate-looking color scheme, improved restrictions making it much harder for the end user to close the application without submitting their credit card details, built-in validation of credit card numbers and email addresses, and display of the current product key to make the application look more legitimate. Once the user enters all the validated data, the new version of the tool automatically removes itself as if the activation was successful. Moreover, a bogus “verified by Visa” message that also requests a social security number and date of birth makes the trojan the perfect tool in the hands of identity thieves relying on nothing but plain, simple social engineering impersonating Microsoft.

The latest Kardphisher may indeed be filling in all the gaps of the previous version, but the trojan can never scale as efficiently as crimeware “in the middle” does for the time being. Among the main growth factors for the increasing number of such malware remains the fact that throughout the entire year proprietary crimeware kits, costing several thousand dollars on average, started leaking out, allowing many new entrants to start using what once used to be a highly exclusive tool in the arsenal of the experienced cybercriminal.

[Source: zdnet]

Microsoft is 5th most spam-friendly ISP

Spammers are abusing Microsoft’s online services at such an alarming rate that a non-profit spam fighting group now lists Microsoft as the world’s 5th most spam-friendly ISP (Internet Service Provider).

The latest update of Spamhaus.org’s list of the world’s worst spam networks shows Microsoft at #5 because of 26 “current known spam issues” surrounding Nigerian (419) advance-fee fraud e-mails (see screenshot below):

[Screenshot: Spamhaus listing showing Microsoft as the 5th most spam-friendly ISP]

The comments from Spamhaus highlight the problems at Microsoft:

  • Months of LiveFileStore abuse, we see little done to stop it.
  • livefilestore.com - hacked by the tens of thousands.
  • spaces.live.com used and abused by spammers.
  • Pump and Dump spam anonymized via Hotmail.

Security Fix’s Brian Krebs first reported this story.

[Source: zdnet]

Malware found in Lenovo software package

Computer maker Lenovo is shipping a malware-infected software package to Windows XP users, according to a warning from anti-virus researchers at Microsoft.

The malicious file was identified by Microsoft as Win32/Meredrop, a Trojan dropper that is used to install and execute multiple malicious executables on an infected computer. Other anti-virus vendors are detecting the threat as a ‘hooligan’ virus or a porn dialer. It was found in the Lenovo Trust Key software for Windows XP, a digitally signed driver package available to Windows XP SP2 users.

The infected software is used to install the Lenovo Security Logon and the Lenovo Private folder applications for use with the Lenovo Trust Key (also known as Lenovo Insider Key).

My sources tell me the Lenovo package contains lots of files, including the one with the embedded malware. At first glance, the malicious file contains functional, but buggy code and attempts to infect files, spread across the network and USB drives.

Lenovo has been notified and is investigating the issue.

UPDATE: Lenovo has removed the compromised download from its Web site.

[Source: zdnet]

Under worm attack, US Army bans USB drives

Under sustained attack from what is described as a rapidly spreading network worm, the U.S. Army has banned the use of USB sticks, CDs, flash media cards, and all other removable data storage devices, according to internal e-mail messages seen by Wired’s Noah Shachtman.

According to the article, service members have been ordered to “cease usage of all USB storage media until the USB devices are properly scanned and determined to be free of malware.” Eventually, some government-approved drives will be allowed back under certain “mission-critical,” but unclassified, circumstances. “Personally owned or non-authorized devices” are “prohibited” from here on out, according to the e-mails.

The USB device ban was handed down by the commander of U.S. Strategic Command and includes everything from external hard drives to “floppy disks.” It takes effect immediately.

To make sure troops and military civilians are observing the suspension, government security teams “will be conducting daily scans and running custom scripts on NIPRNET and SIPRNET to ensure the commercial malware has not been introduced,” an e-mail says. “Any discovery of malware will result in the opening of a security incident report and will be referred to the appropriate security officer for action.”

The threat from malware that spreads via removable media has been on a steady rise with some estimates showing a 10 percent increase in detections this year.

[Source: zdnet]

Commercial vendor of spyware under legal fire

Just like every decent marketer out there, vendors of commercial malware tools are very good at positioning their tools. However, their pitches often contradict themselves: what is promoted as a Remote Administration Tool in fact has built-in antivirus evasion capabilities, rootkit functionality and tutorials on how to remotely infect users over email.

This fake positioning is finally receiving the necessary attention. CyberSpy Software LLC, a popular vendor of such commercial spyware tools, has recently been targeted by the U.S. Federal Trade Commission, and the company’s sites have already been shut down. Wish it was that simple.

“Defendants touted RemoteSpy as a “100% undetectable” way to “Spy on Anyone. From Anywhere.” According to the FTC complaint, the defendants violated the FTC Act by engaging in the unfair advertising and selling of software that could be: (1) deployed remotely by someone other than the owner or authorized user of a computer; (2) installed without the knowledge and consent of the owner or authorized user; and (3) used to surreptitiously collect and disclose personal information. The FTC complaint also alleges that the defendants unfairly collected and stored the personal information gathered by their spyware on their own servers and disclosed it to their clients. The complaint further alleges that the defendants provided their clients with the means and instrumentalities to unfairly deploy and install keylogger spyware and to deceive consumer victims into downloading the spyware.”

Going through a dozen such tutorials and new releases courtesy of illegal malware vendors every day, one notices that the way commercial vendors explain the process of sending the malware is very similar to the way the illegal vendors do it:

“Now it is time to send out the file to the remote PC. In this guide we are using Outlook Express on Windows XP. Click the Create Mail button to open a new mail window. Click ATTACH and navigate to where you saved your Realtime-Spy file you created previously. Click on the file and then click ‘Attach’ to attach the file to your email. You will now have to enter a recipient for the file you are sending, as well as an email subject and body. Notice the size of the Realtime-Spy file - it should be approximately 100-115kb at all times! Once you are ready to go click Send to send the email! Note: Users will only appear after they have downloaded and executed the file you have sent them.”

Vendors of commercial malware are naturally vertically integrating by not only offering malware for PCs, but also actively developing mobile malware applications. Both of these are then actively advertised through popular advertising networks, but mostly drive their traffic from affiliate-based programs.

What is the antivirus vendors’ take on this particular piece of commercial malware? Labeled as a surveillance tool or spyware, the majority of them already detect it. Still, such shutdown operations must be done in a “bulk fashion”, covering the great number of other commercial malware and keylogging software vendors whose products remain active online. For instance, the following brands remain active and are operated by other companies whose networks of affiliates reach a wider audience, with some of the vendors allowing affiliates to re-brand, leading to new names for old commercial malware:

“Keystroke Spy, Keylogger Pro, Key Spy Pro, KeyCaptor, Keylog Pro, Invisible Keylogger, SpyAgent, SpyBuddy, Golden Eye, CyberSpy, Screen Spy, AceSpy Spy, SniperSpy, RemoteSpy, Realtime Spy, SpyAnywhere, RemoteSpy, KeySpy Remote, Catch Cheat, Silent Logger, Email Spy Pro, WebMail Spy, Spy Mail, Stealth Email Redirector, Perfect Keylogger for Mac OS X”

With CyberSpy Software LLC’s site now shut down, it would be interesting to monitor whether another company would brandjack the popularity of their products.

[Source: zdnet]