Subscribe to RSS
Follow me on Twitter
Join me on Facebook
Security experts have spotted drive-by malware attacks exploiting a critical security hole in Windows that Microsoft recently addressed with a software patch. Separately, Symantec is warning users of its pcAnywhere remote administration tool to either update or remove the program, citing a recent data breach at the security firm that the company said could help attackers find holes in the aging software title.
Latest Warnings
27
Jan 12
Warnings About Windows Exploit, pcAnywhere
23
Jan 12
‘Citadel’ Trojan Touts Trouble-Ticket System
Underground hacker forums are full of complaints from users angry that a developer of some popular banking Trojan or bot program has stopped supporting his product, stranding buyers with buggy botnets. Now, the proprietors of a new ZeuS Trojan variant are marketing their malware as a social network that lets customers file bug reports, suggest and vote on new features in upcoming versions, and track trouble tickets that can be worked on by the developers and fellow users alike.
A screenshot of the Citadel botnet panel.
The ZeuS offshoot, dubbed Citadel and advertised on several members-only hacker forums, is another software-as-a-service malware development. Its target audience? Those frustrated with virus writers who decide that coding their next creation is more lucrative and interesting than supporting current clients.
“Its no secret that the products in our field — without support from the developers — result in a piece of junk on your hard drive. Therefore, the product should be improved according to the wishes of our customers,” Citadel’s developers claim in an online posting. “One problem is that you have probably experienced developers who ignore your instant messages, because there are many customers but there is only one developer.”
In the following excerpt, taken from a full description of Citadel’s innovations, the developers of this malware strain describe its defining feature as a social networking platform for malware users that is made available through a Web-based portal created by the malware itself.
“We have created for you a special system — call it the social network for our customers. Citadel CRM Store allows you to take part in product development in the following ways:
- Report bugs and other errors in software. All tickets are looked at by technical support you will receive a timely response to your questions. No more trying to reach the author via ICQ or Jabber.
-Each client has the right to create an unlimited number of applications within the system. Requests can contain suggestions on a new module or improvements of existing module. Such requests can be public or private.
-Each client has a right to vote on new ideas suggested by other members and offer his/her price for development of the enhancement/module. The decision is made by the developers on whether to go forward with certain enhancement or new module depending on the voting results.
-Each client has the right to comment on any application and talk to any member. Now it is going to be interesting for you to find partners and like-minded people and also to take active parts in discussions with the developers.
- You can see all stages of module development, if it is approved other members. We update the status and time to completion.
29
Dec 11
New Tools Bypass Wireless Router Security
Security researchers have released new tools that can bypass the encryption used to protect many types of wireless routers. Ironically, the tools take advantage of design flaws in a technology pushed by the wireless industry that was intended to make the security features of modern routers easier to use.
At issue is a technology called “Wi-Fi Protected Setup” (WPS) that ships with many routers marketed to consumers and small businesses. According to the Wi-Fi Alliance, an industry group, WPS is “designed to ease the task of setting up and configuring security on wireless local area networks. WPS enables typical users who possess little understanding of traditional Wi-Fi configuration and security settings to automatically configure new wireless networks, add new devices and enable security.”
Setting up a home wireless network to use encryption traditionally involved navigating a confusing array of Web-based menus, selecting from a jumble of geeky-sounding and ill-explained encryption options (WEP, WPA, WPA2, TKIP, AES), and then repeating many of those procedures on the various wireless devices the user wants to connect to the network. To make matters worse, many wireless routers come with little or no instructions on how to set up encryption.
Enter WPS. Wireless routers with WPS built-in ship with a personal identification number (PIN – usually 8 digits) printed on them. Using WPS, the user can enable strong encryption for the wireless network simply by pushing a button on the router and then entering the PIN in a network setup wizard designed to interact with the router.
But according to new research, routers with WPS are vulnerable to a very basic hacking technique: The brute-force attack. Put simply, an attacker can try thousands of combinations in rapid succession until he happens on the correct 8-digit PIN that allows authentication to the device.
One way to protect against such automated attacks is to disallow authentication for a specified amount of time after a certain number of unsuccessful attempts. Stefan Viehböck, a freelance information security researcher, said some wireless access point makers implemented such an approach. The problem, he said, is that most of the vendors did so in ways that make brute-force attacks slower, but still feasible.
Earlier today, Viehböck released on his site a free tool that he said can be used to duplicate his research and findings, detailed in this paper (PDF). He said his tool took about four hours to test all possible combinations on TP-Link and D-Link routers he examined, and less than 24 hours against a Netgear router.
“The Wi-Fi alliance members were clearly opting for usability” over security, Viehböck said in a instant message conversation with KrebsOnSecurity.com. “It is very unlikely that nobody noticed that the way they designed the protocol makes a brute force attack easier than it ever should.”
22
Dec 11
Amnesty International Site Serving Java Exploit
Amnesty International‘s homepage in the United Kingdom is currently serving malware that exploits a recently-patched vulnerability in Java. Security experts say the attack appears to be part of a nefarious scheme to target human rights workers.
The site’s home page has been booby trapped with code that pulls a malicious script from an apparently hacked automobile site in Brazil. The car site serves a malicious Java applet that uses a public exploit to attack a dangerous Java flaw that I’ve warned about several times this past month. The applet in turn retrieves an executable file detected by Sophos antivirus as Trojan Spy-XR, a malware variant first spotted in June 2011.
A woman who answered the phone this morning at Amnesty International’s research and policy branch in the U.K. declined to give her name, but said she would pass on the information about the break-in. The site remains compromised.
This is hardly the first time Amnesty International’s sites have been hacked to serve up malware. The organization’s site was hacked in April 2011 with a drive-by attack. In November 2010, security firm Websense warned Amnesty International’s Hong Kong Web site was hacked and seeded with an exploit that dropped malware using a previously unknown Internet Explorer vulnerability. Continue reading →
13
Dec 11
Security Updates for Microsoft Windows, Java
Microsoft today issued software updates to patch at least 19 security holes in Windows, including three flaws that earned the company’s most serious “critical” rating. Separately, Oracle released a security update that fixes several issues in its Java software.
The most talked-about vulnerability fixed in December’s patch batch is a critical flaw in all supported versions of Windows that’s been exploited for at least the past two months (and probably much longer) by the Duqu Trojan, a sophisticated information-stealer that experts say was an espionage tool constructed to extract sensitive data from industrial control systems. Continue reading →
12
Dec 11
Who Knows What Youhavedownloaded.com?
You may have never heard of youhavedownloaded.com, but if you recently grabbed movies, music or software from online file-trading networks, chances are decent that the site has heard of you. In fact, you may find that the titles you downloaded are now listed and publicly searchable at the site, indexed by your Internet address.
In many ways, the technology behind the site merely recreates in a publicly searchable way what the entertainment industry has been doing for years: It tracks and records information that users share when they download and upload files on public peer-to-peer file-trading networks. But the free service does have the potential to make people think twice about downloading pirated movies, games and music, because it shows how easily this information can be discovered and archived.
So far, youhavedownloaded.com has recorded more than 50 million unique Internet addresses belonging to file-sharing users. The site is searchable by file name and by Internet address. When you visit, it automatically checks and lets you know if your Internet address is in the database.
Youhavedownloaded.com offers only limited information about its founders. One of them is Suren Ter-Saakov, a Russian native who now lives in a suburb of Philadelphia. I first interviewed Ter-Saakov for a story I wrote in 2009 about the Federal Trade Commission’s unprecedented takedown of troubled Web hosting firm Triple Fiber Network (3FN). The FTC alleged it was hard to find any customers at 3FN that had legitimate, legal content. Ter-Saakov, better known in the Russian Webmaster industry as Mauser, disagreed and successfully sued the FTC to retrieve his domains and servers.
Ter-Saakov said he believes youhavedownloaded.com indexes about 20 percent of the file-sharing activity on the Internet. He maintains that the site was created merely as a proof-of-concept, and that it doesn’t have any commercial application.
“The whole thing started with a theoretical discussion I had with some friends about what is possible to track through software and what is not possible,” Ter-Saakov said in a phone interview. Continue reading →
7
Dec 11
Pro Grade (3D Printer-Made?) ATM Skimmer
In July 2011, a customer at a Chase Bank branch in West Hills, Calif. noticed something odd about the ATM he was using and reported it to police. Authorities who responded to the incident discovered a sophisticated, professional-grade ATM skimmer that they believe was made with the help of a 3D printer.
Below is a front view image of the device. It is an all-in-one skimmer designed to fit over the card acceptance slot and to record the data from the magnetic stripe of any card dipped into the reader. The fraud device is shown sideways in this picture; attached to an actual ATM, it would appear rotated 90 degrees to the right, so that the word “CHASE” is pointing down.
On the bottom of the fake card acceptance slot is a tiny hole for a built-in spy camera that is connected to a battery. The spy camera turns on when a card is dipped into the skimmer’s card acceptance slot, and is angled to record customer PINs.
The bottom of the skimmer device is designed to overlay the controls on the cash machine for vision impaired ATM users. On the underside of that space is a data port to allow manual downloading of information from the skimmer.
Looking at the backside of the device shows shows the true geek factor of this ATM skimmer. The fraudster who built it appears to have cannibalized parts from a video camera or perhaps a smartphone (possibly to enable the transmission of PIN entry video and stolen card data to the fraudster wirelessly via SMS or Bluetooth). It’s too bad so much of the skimmer is obscured by yellow plastic. I’d welcome any feedback from readers who can easily identify these parts based on the limited information here. Continue reading →
6
Dec 11
Attackers Hit New Adobe Reader, Acrobat Flaw
Malicious hackers are targeting a previously unknown security hole in Adobe Reader and Acrobat to compromise Microsoft Windows machines, Adobe warned today.
Adobe says attackers are taking advantage of a newly discovered critical flaw that exists in Adobe Reader X (10.1.1) and earlier versions for Windows and Mac systems, and Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, as well as Adobe Acrobat X (10.1.1) and earlier for Windows and Mac machines. A security bulletin warns of reports that the vulnerability is being actively exploited in “limited, targeted attacks in the wild against Adobe Reader 9.x on Windows.” Continue reading →
6
Dec 11
Download.com Bundling Toolbars, Trojans?
It wasn’t long ago that I felt comfortable recommending CNET‘s download.com as a reputable and trustworthy place to download software. I’d like to take back that advice: CNET increasingly is bundling invasive and annoying browser toolbars with software on its site, even some open-source titles whose distribution licenses prohibit such activity.
Although this change started this summer, I only first became aware of it after reading a mailing list posting on Monday by Gordon “Fyodor” Lyon, the software developer behind the ever useful and free Nmap network security scanner. Lyon is upset because download.com, which has long hosted his free software for download without any “extras,” recently began distributing Nmap and many other titles with a “download installer” that bundles in browser toolbars like the Babylon toolbar.
CNET’s own installer is detected by many antivirus products as a Trojan horse, even though the company prefaces each download with the assurance that “CNET hosts this file and has scanned it to ensure it is virus and spyware free.” CNET also has long touted download.com’s zero tolerance policy toward all bundled adware.
Lyon said he found his software was bundled with the StartNow Toolbar, which is apparently powered by Microsoft‘s “Bing decision engine.” When I grabbed a copy of the Nmap installer from download.com and ran it on a test Windows XP machine, CNET’s installer offered the Babylon Toolbar, which is a translation toolbar that many Internet users have found challenging to remove.
The CNET download installer that I got for Nmap from download.com was made by CBS Interactive (CNET Networks was acquired by CBS in 2008), and it is detected as malicious by three antivirus products at Virustotal.com. When I unpacked the installer from the Nmap program and scanned just the installer, 10 out of the 39 antivirus products detected the file as either a Trojan horse or adware.
30
Nov 11
Public Java Exploit Amps Up Threat Level
An exploit for a recently disclosed Java vulnerability that was previously only available for purchase in the criminal underground has now been rolled into the open source Metasploit exploit framework. Metasploit researchers say the Java attack tool has been tested to successfully deliver payloads on a variety of platforms, including the latest Windows, Mac and Linux systems.
On Monday, I disclosed how the Java exploit is being sold on cybercrime forums and incorporated into automated crimeware kits like BlackHole. Since then, security researchers @_sinn3r and Juan Vasquez have developed a module for Metasploit that makes the attack tool available to penetration testers and malicious hackers alike. According to a post on the Metasploit blog today, the Java vulnerability “is particularly pernicious, as it is cross-platform, unpatched on some systems, and is an easy-to-exploit client-side that does little to make the user aware they’re being exploited.”
Metasploit also posted the results of testing the exploit against a variety of browsers and platforms, and found that it worked almost seamlessly to compromise systems across the board, from the latest 64-bit Windows 7 machines to Mac OS X and even Linux systems.
This development should not be taken lightly by any computer user. According to Sun’s maker Oracle, more than three billion devices run Java. What’s more, Java vulnerabilities are by some accounts the most popular exploit paths for computer crooks these days. On Monday, Microsoft’s Tim Rains published a blog post noting that the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK).
