What Conficker was – and wasn't

Well, the big April 1st “doomsday” has come and gone.

I’ll admit that even though we really didn’t think anything malicious was going to happen, we did add a Conficker scanner to The Box (our security appliance at www.ebasedsecurity.com) so we could scan our clients’ systems.

Let me explain our thinking. We’ve been following Conficker all along the way. From the first strain to the most recent, we’ve been watching with our honeypots – collecting data and samples and determining what could happen. We’ve seen the changes, what it does and how it communicates with its “mother ship” waiting for its next set of instructions.

When news of Conficker hit the mass media (60 Minutes did a piece on it), our non-technical gut feeling was that the cybercriminals wouldn’t actually do anything malicious with their code. There was too much public awareness.

Keep in mind that if they had, they could have created some real havoc on the Internet. Some experts (my Dad’s definition of an expert is: an ex is a has-been and a spurt is a drip under pressure) estimate that anywhere from 10 million to 100 million PCs are infected with Conficker.

If a cybercriminal or a group of cybercriminals had remote control of that many PCs and decided to launch an attack against some main Internet servers, they could overload them with so much bogus traffic as to basically eliminate them from accessibility.

Now, if they attacked the main DNS servers on the Internet (the servers that convert domain names to IP addresses), could they slow down or shut down the Internet? Possibly.

However, nothing happened.

Or did it?

What actually happened might be exactly what the cybercriminals wanted.

How many of you did Google searches for Conficker over the past week (the week before April 1)?

Many, many (our research showed over 1.7 million) people searched for “conficker scanner”, “conficker removal”, “remove conficker”, “find conficker” and numerous other terms.

Did you realize that many of the search results were offering solutions that actually infected your PC? Many of the websites that were displayed as a result of those search terms were created by the cybercriminals!

Could this have been the real intention of the cybercriminals? If so, this could be the biggest social engineering hack of all time. We examined many of these sites and found a number of them (64%) were selling Conficker scanners and removal tools. All of these “tools” we found were actually RATs (Remote Access Trojans), which provided the cybercriminals with remote control of the PC they were installed on.

And, “they” (the cybercriminals) got you to pay for it!

Are these guys geniuses or what?

Many of the sites that weren’t selling bogus removal tools tried to infect any PC that visited their site. These infected webpage sites used a variety of sneaky methods to infect PCs. One instance we found actually tried 17 different attacks on all the PCs visiting its infectious website.

If you’ve been following us, you know that legitimate websites serving malware are increasing. This coupled with infected websites serving malware makes the Internet a very dangerous place.

Fortunately for all of our clients with The Box, they don’t have to worry about things like this because The Box doesn’t allow downloads from non-whitelisted websites. What a concept.

That’s what Conficker was and what it wasn’t.

Anyone have comments? (comments that aren’t SPAM)

Bomb Threat SPAM

Cybercriminals are using cleverly crafted SPAM messages to get you to click on a link that supposedly takes you to a Reuters video of bomb blasts in your area.

I say cleverly crafted because the email will change based on where your IP address is. For instance, I received one with a subject line of, “Are you and your friends okay?”.

When I clicked on the link (yes, as part of my research), I saw a webpage that showed the Reuters logo with, “Powerful explosion burst in Chicago this morning”. There’s a graphic to see the video with text below that reads, “At least 12 people have been killed and more than 40 wounded in a bomb blast near market in Chicago. Authorities suggested that explosion was caused by “dirty” bomb. Police said the bomb was detonated from close by using electric cables.”

Scanning through our logs of SPAM for our clients using The Box, we’ve been able to see how the message refers to a different major nearby city depending on where the client receives their email.

The video will install some malware via a download. We’ve identified the trojan as a strain of Waled or Waledac depending on your AV.

Other subject lines we’ve seen are: “Take Care!”, “At least 18 killed in your city” (which is interesting as all the emails we’ve seen state that 12 have been killed), “I hope you are not in the city now”, “Bomb blast near you” and a host of others.

We’ve reported before on how cleverly cybercriminals use hype and fear as social engineering to get people to want to click on their links. When clicked, systems become infected.

Cyber threats such as these will continue as long as they’re successful at hooking at least a few million people. Hackers are making good money through their craft and will not stop. Using extreme fear and directing visitors to infectious websites will always be a tactic they pull out every once in a while. This will die down and then in another few months they’ll use some other alarmist strategy and infect some more computers.

That’s what they do.

Fake iTunes cards – next cybercriminal profit center

What if you were offered a $200 iTunes card for less than $5?

How about for $2.60?

Would you buy it?

Apparently cybercriminals based in China have cracked the algorithm used by Apple to generate legitimate iTunes cards. This, along with their stolen credit card data, has become yet another revenue stream for the cybercriminals.

What’s really amazing is that you can’t even buy a $200 gift card from Apple. Their denominations are: $15, $25 and $50.

This story originally broke here: http://outdustry.com/2009/03/10/the-chinese-itunes-gift-voucher-trick/ and a little investigation on our part revealed some interesting sites.

We’ve seen some “middle men” insert themselves in this tangled web of deceit. They actually buy the numbers from the original cybercriminals and then resell them to people they know, thus creating a wholesale/distributor type of business. Talk about an affiliate program that pays big dollars!

Some people are offering cards on various auction type websites. (I’m not mentioning any names but one of them rhymes with prepay)

Please know that buying and using these cards is illegal. We’re posting this so you know NOT to buy them and think they’re legit – they’re not.

What will they think of next?

I don’t know, but I’m sure we’ll see it soon.

Malicious PDFs being sent

In the past 2 days we’ve been picking up malicious Adobe Acrobat files, also known as PDFs (the file extension on these files).

We received these files in our honeypots as email attachments, and when opened they infect Windows XP SP3 systems with Adobe Acrobat 8.1.1, 8.1.2, 8.1.3 and 9.0.0. It appears that disabling JavaScript in your Adobe Acrobat Reader will eliminate the threat that this attack exploits.

To disable JavaScript in Adobe Acrobat Reader, open the program, click Edit->Preferences->JavaScript, then uncheck Enable Acrobat JavaScript. You may experience some program crashes even with JavaScript disabled; however, you will not become infected.

When a computer is infected, it will have these additional files:

  1. temp/svchost.exe
  2. temp/temp.exe
  3. system32/(8 random characters).dll

In addition, the infected computer will open a backdoor that will allow the cybercriminal to remotely control the PC (it will become part of a botnet).

Of course, if your security system is blocking “exe” downloads from non-whitelisted sites, you don’t have to worry about this. (The Box does)

Website used by Federal Government Hacked!

It was discovered that GovTrip.com, a website used by federal government employees for booking travel reservations, was hacked and serving up malicious code through redirects.

The site is currently unavailable as they perform their forensic investigation and clean up the mess.

According to reports, “sometime” before February 11th, cybercriminals compromised the site and inserted redirect code that sent visitors to a website serving up malicious code. The site is used by such government agencies as the US Environmental Protection Agency and the Departments of Agriculture, Energy, Health and Human Services, Interior, Transportation and Treasury.

The website is also used to reimburse employees for travel expenses, so all sorts of information is stored there; however, it is not yet known what information was compromised during this breach. I personally don’t think the cybercriminals would have done both – insert redirect code and steal the data available. If the cybercriminals thought the data was valuable, they probably wouldn’t have risked inserting the redirect code, as this could have, and did, alert others to the compromise.

The GovTrip.com website is managed by defense contractor Northrop Grumman.

The site had been blocked when the proper authorities were notified. Government agencies using the website were issuing warnings which could have only exacerbated the situation due to human curiosity. Frequently, when you tell a large number of people not to do something, you’re going to get a large percentage of those people to do exactly what they were told not to do.

Cybercriminals know this and use it all the time.

Anti-virus companies get hacked

I was going to avoid jumping on the bandwagon of blasting the anti-virus companies for getting their websites hacked, but another vulnerability was just exploited so I can’t hold back any longer.

If you’ve followed any of my talks, presentations, rantings or other communications, you know that I’ve never been a big fan of relying solely on anti-virus (AV) for computer security. I’ll admit it’s a necessary layer of protection, but too many times I’ve seen infected computers where the owner relied solely on a “firewall” and AV for their protection. However, cybercriminals have known for some time how to bypass detection by AV software.

Just today, BitDefender was compromised by Romanian hackers. This is the second time in a week they’ve come under fire by hackers who have publicly announced their accomplishments.

Kaspersky Lab was the victim of a SQL injection attack recently which left their customer data exposed for 11 days. While a forensic analysis showed that none of the data was actually breached, it was available for 11 days.

Also last week, F-Secure, another AV company, was successfully breached by SQL injection – although the data that became available was already in the public domain.

Isn’t there some old saying about the shoemaker’s son not having good shoes, or something like that?

One has to wonder, if a company dedicated to computer security is successfully breached, what does that mean for the rest of us?

Post your comments on what you think about these security breaches.

Is the Internet worth it?

I know I’ll be accused of FUD (Fear, Uncertainty, Doubt) with this post but here goes.
The whole world knows the Internet is used for building businesses. Some businesses rely solely on the Internet – they simply wouldn’t exist without it.
However, with all the security threats, at some point you have to ask: Is it worth it?

On November 12, 2008 the 63rd Session of the International Telecommunication Union (ITU) Council met and discussed the current state of cybersecurity. The event concluded with the declaration that cyber-security is one of the most important challenges of our time. The ITU Secretary-General, Dr. Hamadoun Touré, stated: “The costs associated with cyber threats and cyber-attacks are real and significant — not only in terms of lost revenue, breaches of sensitive data, cyber-attacks and network outages but also in terms of lives ruined by identity theft, debts run up on plundered credit cards or the online exploitation of children.”

While I might not totally agree with the severity he states, I do agree that the situation is bleak – and apparently only getting worse.

Hackers use any method available to achieve their goal – total domination of the Internet. Okay, that’s really extreme.

Think of your own specific situation. You undoubtedly have at least one anti-virus (AV) program installed on your working computers, right? (many of you have 3-4 different security programs installed)

How many times has it actually caught a virus? If your AV is set to scan once a day, how often has it detected a virus/worm/trojan during its scan? If ever, you have to

During the course of the past 2 months we’ve seen the following security issues:

  • Malware delivered by infectious Adobe Acrobat files (pdf)
  • “Common” websites delivering malware (e.g., www.mlb.com, www.businessweek.com, www.cbs.com)
  • 85% of malware being delivered by infectious websites
  • Numerous content management systems (CMS) and forums having various vulnerabilities
  • “Hacking” used in a multitude of political wars (website defacements, etc.)
  • More intelligent malware (blocking of AV updates, disabling security software)

In addition to the above list, more malware has been delivered via social engineering. Social engineering is the “art” of using deception to get a user to intentionally install something which turns out to be malware (definition of trojan).

Back in October we saw the keyword “costumes” being abused by cybercriminals to get people to visit malicious websites promising to offer fantastic ideas on Halloween attire. Then in November we saw numerous emails being circulated that offered various food recipes for Thanksgiving, many of which resulted in webpages that contained more than recipes. They offered recipes for infection (you can use that if you want).

Along with the holiday themed malware strategies, here in the US we were also going through a Presidential election which brought about an abundance of election themed malware attacks. Then we had the year-end holidays and New Year’s each with their own malware messages and accompanying websites.

Now with the Presidential Inauguration just completed we’ve seen numerous messages “flying” around the internet touting “Obama refuses to take oath”. When any of these links are followed, they lead the unsuspecting inquisitive reader to a website that delivers more than the message they were seeking. It also attempts to infect their computer with little pieces of code that are just the beginning of taking control of the infected PC.

All of this is actual, real world reality. I didn’t make this “stuff” up. I didn’t write these viruses/worms/trojans like some of you think.

Cyber crime is something we all have to deal with.

You’re in business to solve some real world problem. Whether you’re a plumber or a rocket scientist, you solve someone’s problem otherwise you wouldn’t be in business.

I selected computer security as my profession and I believe I do it well. I try to solve real world computer security problems. If you find my work offensive, you’re free to ignore it.

I don’t work in FUD. I just merely try to educate you so you know what you’re facing being online.

Please leave me your comments on this posting.

Thank you.