<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krebs on Security &#187; bitdefender</title>
	<atom:link href="http://krebsonsecurity.com/tag/bitdefender/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Thu, 09 Feb 2012 22:39:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Attempted Malvertising on KrebsOnSecurity.com</title>
		<link>http://krebsonsecurity.com/2011/11/attemped-malvertising-on-krebsonsecurity-com/</link>
		<comments>http://krebsonsecurity.com/2011/11/attemped-malvertising-on-krebsonsecurity-com/#comments</comments>
		<pubDate>Tue, 29 Nov 2011 05:32:54 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[AdBlock]]></category>
		<category><![CDATA[adobe flash player]]></category>
		<category><![CDATA[adobe reader]]></category>
		<category><![CDATA[Bf-Support]]></category>
		<category><![CDATA[bitdefender]]></category>
		<category><![CDATA[Butterfly Bot]]></category>
		<category><![CDATA[Byron Acohido]]></category>
		<category><![CDATA[darkode.com]]></category>
		<category><![CDATA[Federated Media]]></category>
		<category><![CDATA[FileHippo]]></category>
		<category><![CDATA[Iserdo]]></category>
		<category><![CDATA[java]]></category>
		<category><![CDATA[malvertizing]]></category>
		<category><![CDATA[malwarereview.com]]></category>
		<category><![CDATA[Mariposa]]></category>
		<category><![CDATA[quicktime]]></category>
		<category><![CDATA[scareware]]></category>
		<category><![CDATA[Secunia Personal Software Inspector]]></category>
		<category><![CDATA[sophakevans.co.cc]]></category>
		<category><![CDATA[Update Checker]]></category>
		<category><![CDATA[USAToday]]></category>
		<category><![CDATA[WinZip]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=11443</guid>
		<description><![CDATA[Members of an exclusive underground hacker forum recently sought to plant malware on KrebsOnSecurity.com, by paying to run tainted advertisements through the site's advertising network -- Federated Media. The attack was unsuccessful thanks to a variety of safeguards, but it highlights the challenges that many organizations face in combating the growing scourge of "malvertising."]]></description>
			<content:encoded><![CDATA[
<p>Members of an exclusive underground hacker forum recently sought to plant malware on KrebsOnSecurity.com, by paying to run tainted advertisements through the site&#8217;s advertising network &#8212; <a title="KrebsOnSecurity Partners with Federated Media" href="http://krebsonsecurity.com/2010/04/krebsonsecurity-com-partners-with-federated-media/" target="_blank">Federated Media</a>. The attack was unsuccessful thanks to a variety of safeguards, but it highlights the challenges that many organizations face in combating the growing scourge of &#8220;malvertising.&#8221;</p>
<p>Last week, I <a title="DDoS Attack on KrebsOnSecurity.com" href="http://krebsonsecurity.com/2011/11/ddos-attack-on-krebsonsecurity-com/" target="_blank">listed the various ways</a> this blog and its author have been &#8220;honored&#8221; over the past few years by the cybercrime community, but I neglected to mention one recent incident: On May 27, 2011, several hackers who belong to a closely guarded English-language criminal forum called <strong>Darkode.com</strong> sought to fraudulently place a rogue ad on KrebsOnSecurity.com. The ad was made to appear as though it was advertising <strong>BitDefender</strong> antivirus software. Instead, it was designed to load a malicious domain: <em>sophakevans. co. cc</em>, a site that has been <a title="Emerging Threats Database for June 1, 2011" href="http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RBN_IP_List_Update_6-1-2011.txt" target="_blank">associated with pushing fake antivirus</a> or &#8220;scareware.&#8221;</p>
<p>The miscreants agreed to pay at least $272 for up to 10,000 impressions of the ad to be run on my site. Fortunately, I have the opportunity to review ads that come through Federated&#8217;s system. What&#8217;s more, Federated blocked the ad before it was even tagged for approval.</p>
<div id="attachment_12632" class="wp-caption aligncenter" style="width: 608px"><a href="http://krebsonsecurity.com/wp-content/uploads/2011/11/DarkodeKoS.png"><img class="size-full wp-image-12632" title="DarkodeKoS" src="http://krebsonsecurity.com/wp-content/uploads/2011/11/DarkodeKoS.png" alt="" width="598" height="730" /></a><p class="wp-caption-text">Darkode members plot to purchase a rogue ad on KrebsOnSecurity.com. They failed.</p></div>
<p>I learned about this little stunt at roughly the same time it was being planned. Much to the constant annoyance of the site administrators, I had secretly gained access to Darkode and was able to take this screenshot of the discussion. The incident came just a few weeks after I Tweeted evidence of my presence on Darkode by posting screenshots of the forum. The main administrator of Darkode, a hacker who uses the nickname &#8220;Mafi,&#8221; didn&#8217;t appreciate that, and promised that he and his friends had something fun planned for me. I guess this was it. Interestingly, Mafi also is admin at <strong>malwareview.com</strong> and is the developer of the <a title="CrimePack: Packed with Hard Lessons" href="http://krebsonsecurity.com/2010/08/crimepack-packed-with-hard-lessons/" target="_blank">Crimepack exploit kit</a>.</p>
<p>The Darkode forum launched sometime in 2008, and according to past and current members was used primarily as a support forum for the &#8220;Butterfly Bot,&#8221; a prolific bot program that was sold in the underground for several years by its creator, a hacker who used the name &#8220;Iserdo.&#8221; At some point, Iserdo sold the forum to other miscreants, and began running support for customers of his Butterfly Bot program via a Google Group called simply &#8220;Bf-Support&#8221;.</p>
<div id="attachment_12535" class="wp-caption aligncenter" style="width: 628px"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/11/BFFsupportwarning.jpg"><img class="size-full wp-image-12535" title="BFFsupportwarning" src="http://krebsonsecurity.com/wp-content/uploads/2011/11/BFFsupportwarning.jpg" alt="" width="618" height="343" /></a><p class="wp-caption-text">A message from Iserdo warning Butterfly Bot subscribers not to try to reverse his code.</p></div>
<p>In July 2010, the 23-year-old <a title="FBI Says Mastermind of Botnet Nabbed" href="http://www.msnbc.msn.com/id/38439213/ns/technology_and_science-security/t/fbi-says-mastermind-botnet-nabbed/" target="_blank">Iserdo was arrested by authorities in Slovenia</a> on suspicion of running the infamous &#8220;Mariposa&#8221; botnet. According to the <a href="http://krebsonsecurity.com/2010/03/mariposa-botnet-authors-may-avoid-jail-time/" target="_blank">Mariposa Working Group</a> &#8212; a partnership between the FBI and private security firms &#8212; Iserdo sold thousands of Butterfly kits for prices ranging from $500 to $2,000. The buyers of these kits didn&#8217;t need to know much about coding or hacking; the kits allowed even unskilled hackers to create relatively sophisticated botnets.</p>
<div id="attachment_12537" class="wp-caption aligncenter" style="width: 609px"><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2011/11/iserdoBFFsupportwhereareyou.jpg"><img class="size-full wp-image-12537" title="iserdoBFFsupportwhereareyou" src="http://krebsonsecurity.com/wp-content/uploads/2011/11/iserdoBFFsupportwhereareyou.jpg" alt="" width="599" height="471" /></a><p class="wp-caption-text">Butterfly Bot customers wonder why Iserdo isn&#39;t responding to support requests. He has just been arrested in Slovenia.</p></div>
<p>As evidenced by a recent front page story by <a title="USAToday: Uptick in Tainted Ads Hurts Consumers, Advertisers" href="http://www.usatoday.com/tech/news/story/2011-10-31/corrupted-ads/51048084/1" target="_blank">USA Today&#8217;s Byron Acohido</a>, malicious content embedded in online ads, or &#8220;malvertising,&#8221; is a long-standing problem that has recently taken a sharp turn for the worse: The story points to a recent analysis which documented a peak of 14,694 occurrences of malvertisements in May of this year, up from 1,533 in May 2010.</p>
<p>Many security-conscious readers have chosen to block ads altogether with browser add-ons like <strong>Adblock</strong>. Blocking ads wholesale can be effective in stopping malvertisements, but this approach also has the perverse effect of blocking a primary source of revenue for many sites (including this one). I have limited Federated Media to serving a very small slice of the ads on KrebsOnSecurity.com, and I am choosy about those that I let in. Add-ons like <a title="Noscript Web site" href="http://noscript.net" target="_blank">Noscript</a> for <strong>Firefox</strong> allow users to be far more selective about which ads and scripts to allow and block.</p>
<p>In addition, many malvertisements rely on scripts that redirect browsers to sites that host <a href="http://krebsonsecurity.com/2011/01/exploit-packs-run-on-java-juice/" target="_blank">exploit kits</a>, software packages that probe the visitor&#8217;s browser for unpatched security flaws in popular plugins like <strong>Adobe Reader</strong>, <strong>Adobe Flash Player</strong>, <strong>Java</strong>, <strong>QuickTime</strong> and <strong>WinZip</strong>. Keeping these third-party apps up-to-date with the latest security fixes is a great way to fortify your browser against drive-bys. If you need help remembering to patch these programs, consider using a free program like Secunia&#8217;s <a title="Secunia's Personal Software Inspector" href="http://secunia.com/vulnerability_scanning/personal/" target="_blank">Personal Software Inspector</a> or <a title="Filehippo.com: Update Checker" href="http://www.filehippo.com/updatechecker/" target="_blank">FileHippo&#8217;s Update Checker</a>.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/11/attemped-malvertising-on-krebsonsecurity-com/feed/</wfw:commentRss>
		<slash:comments>33</slash:comments>
		</item>
		<item>
		<title>Anti-virus Products Mostly Ignore Windows Security Features</title>
		<link>http://krebsonsecurity.com/2010/08/anti-virus-products-mostly-ignore-windows-security-features/</link>
		<comments>http://krebsonsecurity.com/2010/08/anti-virus-products-mostly-ignore-windows-security-features/#comments</comments>
		<pubDate>Tue, 03 Aug 2010 04:58:02 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Other]]></category>
		<category><![CDATA[Time to Patch]]></category>
		<category><![CDATA[address space layout randomization (ASLR)]]></category>
		<category><![CDATA[AVAST!]]></category>
		<category><![CDATA[AVG]]></category>
		<category><![CDATA[Avira]]></category>
		<category><![CDATA[bitdefender]]></category>
		<category><![CDATA[data execution prevention (DEP)]]></category>
		<category><![CDATA[ESET]]></category>
		<category><![CDATA[f-secure]]></category>
		<category><![CDATA[mcafee]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[Norton]]></category>
		<category><![CDATA[Panda Internet Security]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[trend micro]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=3981</guid>
		<description><![CDATA[I recently highlighted a study which showed that most of the top third-party software applications failed to take advantage of two major lines of defense  built into Microsoft Windows that can help block attacks from hackers and viruses. As it turns out, a majority of anti-virus and security products made for Windows users also forgo these valuable security protections.]]></description>
			<content:encoded><![CDATA[
<p>I recently highlighted a study which showed that most of the top software applications <a href="http://krebsonsecurity.com/2010/07/top-apps-largely-forgo-windows-security-protections/" target="_blank">failed to take advantage of two major lines of defense</a> built into <strong>Microsoft Windows</strong> that can help block attacks from hackers and viruses. As it turns out, a majority of anti-virus and security products made for Windows users also forgo these useful security protections.</p>
<p>As I wrote last month:</p>
<blockquote><p>Attackers usually craft software exploits so that they write data or programs to very specific, static sections in the operating system&#8217;s memory. To counter this, Microsoft introduced with Windows Vista (and Windows 7) a feature called address space layout randomization or ASLR, which constantly moves these memory points to different positions. Another defensive feature called data execution prevention (DEP) &#8212; first introduced with Windows XP Service Pack 2 back in 2004 &#8212; attempts to make it so that even if an attacker succeeds in guessing the location of the memory point they&#8217;re seeking, the code placed there will not execute or run.</p></blockquote>
<p>These protections are available to any applications built to run on top of the operating system, and they&#8217;re designed to make it difficult for attackers to develop reliable exploits for vulnerabilities in Windows applications. As we saw last month, few top apps invoke the protections, but many readers may be surprised to learn that few anti-virus products have adopted these technologies.</p>
<p>I installed the trial versions of a dozen top anti-virus and security suites on a virtual machine running <strong>Windows Vista</strong>, and then checked each product&#8217;s executable files using Microsoft&#8217;s excellent <a href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx" target="_blank">Process Explorer</a> tool, which provides a mass of information about processes running on your Windows system, including whether or not those processes invoke DEP and/or ASLR.</p>
<p>Among the anti-virus products that used neither ASLR nor DEP were <strong>AVAST Home Edition</strong>, <strong>AVG Internet Security 9.0</strong>, <strong>BitDefender Internet Security 2010</strong>, <strong>ESET Smart Security</strong>, <strong>F-Secure Internet Security</strong>, <strong>Norton Internet Security 2010</strong>, <strong>Panda Internet Security 2010</strong> and <strong>Trend Micro Internet Security 2010</strong>.</p>
<p>Microsoft Security Essentials was the only product that used both ASLR and DEP consistently on Windows Vista (although interestingly it does not invoke DEP on Windows XP). Other anti-virus suites I tested used either ASLR or DEP (or both), but only in some applications that make up the suite. For example, McAfee Internet Security&#8217;s &#8220;mcagent.exe&#8221; program runs both ASLR and DEP, while four other executable processes spawned by the program ran DEP but not ASLR (since these tests were run, McAfee has changed the trial version of MIS available on its site, and the company sent me a screen shot that shows DEP and ASLR on all running processes in that version).</p>
<p>Similarly, I found that the anti-virus suite from Avira ran its main avguard.exe program in ASLR mode but did not use DEP. The rest of the program files that ship with this product run neither ASLR nor DEP. <strong>Kaspersky Internet Security</strong> had DEP enabled on just one process (the browser plug-in), and did not invoke ASLR with any program components.</p>
<p>To be sure, <em>DEP and ASLR <a href="http://threatpost.com/en_us/blogs/memory-protections-advance-exploits-stay-step-ahead-030810" target="_blank">are not panaceas</a></em>: Security researchers have come up with <a href="http://www.computerworld.com/s/article/9178938/Three_more_Microsoft_zero_day_bugs_pop_up?taxonomyId=125" target="_blank">a number of clever ways to bypass these protection mechanisms</a>. Still, it&#8217;s interesting to note the lack of these features in anti-virus products for two reasons: First, even researchers who have developed exploits to work around these protections say the two technologies raise the bar significantly for malicious coders. Second, anti-virus products are not immune to <a href="http://secunia.com/advisories/search/?search=security+or+anti-virus&amp;sort_by=date" target="_blank">introducing their own exploitable software flaws</a>.</p>
<p>I sought comment from all of the anti-virus vendors whose products I examined (except for Microsoft) and received a few responses. Most either downplayed the usefulness of the two technologies in combating today&#8217;s threats, or said that they planned to implement the protections in upcoming releases.</p>
<p><strong>Mikko Hypponen</strong> from F-Secure said that &#8220;adding support for DEP and ASLR in our products is on our roadmap, but has not been implemented yet. This is because we&#8217;ve focused our development efforts lately to focus on performance. Once we have this feature ready, it will be available to all of our customers through our update channel.&#8221;</p>
<p><strong>Pedro Bustamante</strong>, a senior research adviser at Panda Security, said Panda decided not to use either ASLR or DEP in favor of their own technology &#8220;to provide protection not only for the single AV processes but also for other types of operations. For example our products include a Shield component which already takes care of the protection as offered by ASLR and DEP, in addition to other types of self-protections such as preventing a process from injecting a thread into a separate process, preventing certain applications from executing dangerous operations on the system (such as Adobe Acrobat dropping an executable in the system and running it), protection of the AV files in the installation directories, etc.&#8221;</p>
<p>Bustamante continued: &#8220;These Microsoft technologies might be a good solution for certain types of more basic applications, but from our point of view are insufficient for an anti-malware product trying to get a more defense-in-depth approach to securing the whole OS and third party applications.&#8221;</p>
<p>Bitdefender said it plans to incorporate DEP and ASLR in its 2011 suite of products.</p>
<p>Symantec&#8217;s director of product management, <strong>Dan Nadir</strong>, said Norton Internet Security 2010 does in fact include support for DEP (although my experiments with Process Explorer showed it was not enabled) and that the company is &#8220;evaluating possible support of ASLR in future versions of our products.&#8221;</p>
<p>The research team from ESET responded: &#8220;Based upon the types of attacks we see against security software, and the likely attack scenarios, ASLR and DEP do not provide any significant defense. [While] enabling ASLR and DEP is quite trivial, the complexity comes in assuring the proper test matrix has been implemented. Without proper testing ASLR can be weaponized&#8230; We will consider adding the features in the future, but not without extremely rigorous testing.&#8221;</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/08/anti-virus-products-mostly-ignore-windows-security-features/feed/</wfw:commentRss>
		<slash:comments>35</slash:comments>
		</item>
		<item>
		<title>Cloud Keyloggers?</title>
		<link>http://krebsonsecurity.com/2010/06/cloud-keyloggers/</link>
		<comments>http://krebsonsecurity.com/2010/06/cloud-keyloggers/#comments</comments>
		<pubDate>Tue, 15 Jun 2010 03:23:49 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Web Fraud 2.0]]></category>
		<category><![CDATA[bitdefender]]></category>
		<category><![CDATA[jeroen]]></category>
		<category><![CDATA[keylogger]]></category>
		<category><![CDATA[pastebin.com]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=3548</guid>
		<description><![CDATA[Keystroke-logging computer viruses let crooks steal your passwords, and sometimes even read your e-mails and online chats. Recently, however, anonymous criminals have added insult to injury, releasing a keylogger that publishes stolen information for all the world to see at online notepad sharing sites such as pastebin.com.]]></description>
			<content:encoded><![CDATA[
<p>Keystroke-logging computer viruses let crooks steal your passwords, and sometimes even read your e-mails and online chats. Recently, however, anonymous criminals have added insult to injury, releasing a keylogger strain that publishes stolen information for all the world to see at online notepad sharing sites such as <strong>pastebin.com.</strong></p>
<p><a class="lightbox" href="http://krebsonsecurity.com/wp-content/uploads/2010/06/pk5.jpg"><img class="alignright size-medium wp-image-3580" title="pk5" src="http://krebsonsecurity.com/wp-content/uploads/2010/06/pk5-300x240.jpg" alt="" width="300" height="240" /></a>Last week, security experts at <strong>BitDefender</strong> <a href="http://www.malwarecity.com/blog/keyloggers-posting-on-webpages-831.html" target="_blank">discovered</a> a continuing stream of new entries at pastebin.com and <strong>pastebin.ca</strong> that included text files laid out in the format typically used by keystroke-logging malware. For example, each keypress in the log posted to pastebin.com is preceded by a listing of the program currently in focus on the victim&#8217;s screen, and each function key pressed is spelled out, so that when the victim hits the backspace or down arrow key, for instance, the keystroke log will show a &#8220;[back]&#8221; or &#8220;[down]&#8221; entry in place of each corresponding keypress (see the screenshot to the right).</p>
<p>Typically, keystroke logging malware will submit stolen data to a Web server specified in the malware that the attacker controls. BitDefender theorizes that those responsible for creating this keylogger variant may have chosen pastebin.com because it is unlikely to be blocked by Web filters or malware blacklists.</p>
<p>I kept the pastebin.com home page open most of the weekend and refreshed it periodically, and confirmed that a relatively large number of keylogger records were being uploaded in real time to the free service. To the right is one of many screenshots I took of the files I found on Pastebin.com.</p>
<p>Pastebin owner <strong>Jeroen</strong> said Pastebin is aware of the problem and is working on a new version of the site that should block these automated keyloggers from posting their content there.</p>
<p>&#8220;This will take another week or two though,&#8221; Jeroen wrote in an e-mail to KrebsOnSecurity. &#8220;We also remove all reported pastes within 24 hours. But at this point in time people do need to warn us about them manually via the report pages.&#8221;</p>
<p>A great deal of what gets posted to pastebin.com appears to be programming code snippets and online gaming logs, but if you poke through the incoming posts long enough, you&#8217;re bound to find random gems by turns strange, funny, lurid and voyeuristic. Oh, and if you stumble upon any entries that look like keylogger reports, consider clicking the &#8220;report&#8221; button in the upper right of the pastebin, per Jeroen&#8217;s suggestion.</p>
<p>I suspect that this particular keylogger variant is the work of amateurs or beginners trying out a new method, as many of the keylogger reports I found included chat logs and snippets of e-mails. Most criminals are after financial information &#8212; such as credit and debit card account numbers and online banking credentials &#8212; and couldn&#8217;t care less about your everyday online conversations. Indeed, all of that extra data tends to quickly cause massive data storage problems for thieves, who often are dealing with monster amounts of data streaming from thousands of infected systems. Hence, criminals who have been doing this for a while tend to rely on keyloggers that are really more akin to what are known as <a href="http://en.wikipedia.org/wiki/Form_grabbing" target="_blank">form grabbers</a>; the malware concentrates on recording the credentials that the victim passes when he or she logs in to an encrypted or unencrypted Web site.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/06/cloud-keyloggers/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Removing Viruses from a PC That Won&#8217;t Boot</title>
		<link>http://krebsonsecurity.com/2010/03/removing-viruses-from-a-pc-that-wont-boot/</link>
		<comments>http://krebsonsecurity.com/2010/03/removing-viruses-from-a-pc-that-wont-boot/#comments</comments>
		<pubDate>Mon, 29 Mar 2010 13:02:30 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Other]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Ashampoo]]></category>
		<category><![CDATA[AVG]]></category>
		<category><![CDATA[Avira]]></category>
		<category><![CDATA[bitdefender]]></category>
		<category><![CDATA[Dr. Web]]></category>
		<category><![CDATA[f-secure]]></category>
		<category><![CDATA[Kaspersy]]></category>
		<category><![CDATA[Knoppix]]></category>
		<category><![CDATA[Panda]]></category>
		<category><![CDATA[rescue CD]]></category>
		<category><![CDATA[Ubuntu]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=2058</guid>
		<description><![CDATA[One of the more common questions I hear from readers with computer virus infections is, "How do I get rid of the virus if I can't even boot up into Windows and run an anti-virus scan?" Fortunately, there are a number of free, relatively easy-to-use tools that can help on this front.]]></description>
			<content:encoded><![CDATA[
<p>One of the more common questions I hear from readers with computer virus infections is, &#8220;How do I get rid of a virus if I can&#8217;t even boot up into Windows to run an anti-virus scan?&#8221; Fortunately, there are a number of free, relatively easy-to-use tools that can help on this front.</p>
<p>The tools in this review are known as &#8220;rescue CDs.&#8221; These are all free, Linux-based operating systems that one can download and burn to a CD-Rom. Once you&#8217;ve configured your PC to boot from the CD you&#8217;ve just burned, you can use the CD to scan your hard drive, and &#8212; depending on the type of rescue CD you choose &#8212; even copy files to a removable drive.</p>
<p><a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/03/kavrescue.jpg"><img class="alignright size-medium wp-image-2063" title="kavrescue" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/03/kavrescue-268x300.jpg" alt="" width="268" height="300" /></a>I have recommended more full-fledged versions of these rescue CDs (also known as &#8220;Live CDs&#8221;) as a way for small businesses to protect their online banking sessions from malicious software, the lion&#8217;s share of which simply fails to run on non-Windows-based operating systems. But several anti-virus companies also offer slimmed-down Linux-based rescue CDs that can be extremely handy in getting rid of a persistent malware infection, or just for getting a second opinion (or third or fourth) about the state of your system.</p>
<p>Before I go any further, let me just state for the record that I don&#8217;t believe there is any substitute for having known good, solid backups of your data and your entire hard drive to restore to in case things go south. I also urge users to segment their systems so that important data files are on a separate chunk of hard drive space than the Windows operating system, which tends to make restoring backups a far simpler affair. I&#8217;ll post a separate tutorial on setting up a good backup plan soon. For now, though, I want to introduce readers to these simple tools.</p>
<p>Just one housekeeping note before I get started: If you want to run a rescue CD on a laptop, you&#8217;ll need to plug the notebook into a router or other Internet connection via a networking cable. The reason is that the first thing you&#8217;ll need to do when you boot into the rescue CD is update the program&#8217;s anti-virus definitions, and that requires a working Internet connection. I don&#8217;t believe any of these tools support wireless networking, but in any case setting that up is far beyond the scope and ambition of this brief how-to.</p>
<p><strong>Grab the CD image</strong></p>
<p>Several anti-virus vendors offer burnable rescue CDs that are based on Linux, including:</p>
<p><a href="http://www.avg.com/us-en/avg-rescue-cd" target="_blank">AVG Rescue</a></p>
<p><a href="http://dl.antivir.de/down/vdf/rescuecd/rescuecd.iso" target="_blank">Avira Rescue</a></p>
<p><a href="http://download.bitdefender.com/rescue_cd/" target="_blank">BitDefender Rescue</a></p>
<p><a href="ftp://ftp.drweb.com/pub/drweb/livecd/" target="_blank">Dr. Web Rescue</a></p>
<p><a href="http://www.f-secure.com/linux-weblog/files/f-secure-rescue-cd-3.11.23804.zip" target="_blank">F-Secure Rescue</a></p>
<p><a href="http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/" target="_blank">Kaspersky Rescue</a></p>
<p><a href="http://acs.pandasoftware.com/soporte/safedisk32/safedisk32.zip" target="_blank">Panda Rescue</a></p>
<p><strong><a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/03/ashampoo.jpg"><img class="alignleft size-medium wp-image-2064" title="ashampoo" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/03/ashampoo-300x181.jpg" alt="" width="300" height="181" /></a>Burn the image to a CD or DVD</strong></p>
<p>After you&#8217;ve downloaded the file, burn the image to CD-ROM or DVD. If you don&#8217;t know how to burn an image file to CD or don&#8217;t know whether you have a program to do so, download something like <a href="http://download.cnet.com/Ashampoo-Burning-Studio-Free/3000-2646_4-10776287.html">Ashampoo Burning Studio Free</a>. Once you&#8217;ve installed it, start the program and select &#8220;create/burn disc images,&#8221; and then &#8220;burn ISO.&#8221; Locate the .iso file you just downloaded, and follow the prompts to burn the image to the disc.</p>
<p>Incidentally, if your computer is a netbook and doesn&#8217;t have a CD-Rom drive &#8212; or if you&#8217;d just prefer to boot the rescue disc from a USB drive &#8212; you can create a bootable USB/flash drive using the same .iso image by downloading and running <a href="http://unetbootin.sourceforge.net/" target="_blank">this free tool here</a>.</p>
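<p>The two steps above, fetching the image and putting it on a USB stick, done from a Linux shell with the check a practitioner would add in between: comparing the download against the vendor&#8217;s published SHA-256 before anything is written. This is an added example, not code from the original post or from any of the vendors listed. It assumes the vendor publishes a SHA-256 for the .iso (not every download page above does), that the image is a hybrid ISO that boots when written raw to a stick (if it is not, use UNetbootin as described above), and that <code>/dev/sdX</code> is a placeholder for the stick&#8217;s device name.</p>

```sh
#!/bin/sh
# Added example (not from the original post): check a downloaded rescue .iso
# against the vendor's published SHA-256, then write it raw to a USB stick and
# read it back. Assumptions: the vendor publishes a SHA-256; the image is a
# hybrid ISO that boots when written raw; /dev/sdX is a placeholder.

# Hash a file with whichever SHA-256 tool the live system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_iso FILE EXPECTED_SHA256 -> 0 on match, 1 on mismatch or missing file.
# The expected value is lower-cased so a hash pasted in upper case still matches.
verify_iso() {
    iso=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$iso" ] || { echo "no such file: $iso" >&2; return 1; }
    actual=$(sha256_of "$iso")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $iso matches $expected"
        return 0
    fi
    echo "MISMATCH: $iso" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# write_image FILE TARGET EXPECTED_SHA256: raw copy of the image onto TARGET
# (a block device such as /dev/sdX, or a plain file for a dry run), followed by
# a read-back comparison. Refuses to write unless the hash check passes first.
write_image() {
    iso=$1; target=$2; expected=$3
    verify_iso "$iso" "$expected" || return 1
    dd if="$iso" of="$target" bs=4194304 2>/dev/null || return 1
    sync
    # Compare only as many bytes as the image has; a USB stick is larger.
    size=$(wc -c < "$iso" | tr -d ' ')
    if head -c "$size" "$target" | cmp -s - "$iso"; then
        echo "verified: $target holds the image"
        return 0
    fi
    echo "readback differs: $target" >&2
    return 1
}

# Usage (replace the hash with the vendor's published value and /dev/sdX with
# the stick, identified with `lsblk` before writing, since dd will happily
# overwrite whatever device it is pointed at):
#   write_image rescuecd.iso /dev/sdX 0123456789abcdef...
```

<p>Everything on the stick is overwritten, so confirm the device name with <code>lsblk</code> first; the read-back at the end catches a flaky stick or a write that was cut short, which otherwise shows up only as a machine that refuses to boot.</p>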
<p><strong>Set your PC to boot from the CD</strong></p>
<p>When the burn is complete, just keep the disc in the drive. We next need to make sure that the computer knows to look to the CD drive first for a bootable operating system before it checks the hard drive; otherwise the rescue disc will never be recognized by the computer. When you start up your PC, take note of the text that flashes on the screen, and look for something that says &#8220;Press [some key] to enter setup&#8221; or &#8220;Press [some key] to enter startup.&#8221; Usually, the key you want will be F2, or the Delete or Escape (Esc) key, but the exact key varies by BIOS maker.</p>
<p>When you figure out what key you need to press, press it repeatedly until the system BIOS screen is displayed. Your mouse will not work here, so you&#8217;ll need to rely on your keyboard. Look at the menu options at the top of the screen, and you should notice a menu named &#8220;Boot&#8221;. Hit the right-arrow key until you&#8217;ve reached the screen listing your bootable devices. What you want to do here is move the CD-ROM/DVD drive to the top of the list. Do this by pressing the down-arrow key until the CD-ROM option is highlighted, and then press the &#8220;+&#8221; key on your keyboard until the CD-ROM option is at the top (the key legend at the bottom of the BIOS screen tells you if your machine uses different keys). Then hit the F10 key, and confirm &#8220;yes&#8221; when asked if you want to save changes and exit, and the computer should reboot. If you&#8217;ve done this step correctly, the computer should detect the disc you just burned as a bootable operating system. [Unless you know what you&#8217;re doing here, it&#8217;s important not to make any other changes in the BIOS settings. If you accidentally do make a change that you want to undo, hit F10, and select the option &#8220;Exit without saving changes.&#8221; The computer will reboot, and you can try this step again.]</p>
<p>Note that if you chose above to create a bootable USB drive instead of a rescue CD, you will need to tell your BIOS to select the USB drive as the primary startup target.</p>
<p><strong><a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/03/bitdefenderrescue.jpg"><img class="alignright size-medium wp-image-2065" title="bitdefenderrescue" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/03/bitdefenderrescue-300x232.jpg" alt="" width="300" height="232" /></a>Scan and remove any found malware</strong></p>
<p>Some of the free rescue CDs above are more intuitive and user-friendly than others. Of them all, I thought Kaspersky and BitDefender offered the easiest to use and probably the most newbie-friendly interfaces. Both boot into a desktop-like environment that may be more familiar to Windows users. In addition, they each offer an Explorer-like window that allows users to examine files on the Windows hard disk. BitDefender&#8217;s rescue CD was the only one I tried that had a copy of the Firefox Web browser built into it. It also includes a point-and-click program that checks for common <a href="http://en.wikipedia.org/wiki/Rootkit" target="_blank">rootkits</a>, tools often planted on hacked machines to hide the presence of malicious software.</p>
<p>If you have a secondary USB drive connected to the machine, you may even be able to use either the Kaspersky or BitDefender rescue CDs to copy files over to the external drive, although moving files from a damaged hard drive to a backup drive is probably best accomplished with an all-purpose type of Live CD, such as <a href="http://www.ubuntu.com/getubuntu/download" target="_blank">Ubuntu</a> or <a href="http://www.knopper.net/knoppix/index-en.html" target="_blank">Knoppix</a>, which generally have better support for removable drives.</p>
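<p>The file rescue described above, as an added example that is not part of the original post: a POSIX shell script for an Ubuntu or Knoppix live session that mounts the Windows partition read-only, copies a user&#8217;s data files to the backup stick, and refuses to carry over the executables and scripts that a compromised machine is likely to have scattered among them. The device names <code>/dev/sda2</code> and <code>/dev/sdb1</code> are placeholders to be confirmed with <code>lsblk -f</code> first, and the skip list is my own choice of the common executable, script and shortcut extensions plus autorun.inf.</p>

```sh
#!/bin/sh
# Added example (not from the original post): pull a user's data off a Windows
# disk from an Ubuntu/Knoppix live session without dragging executables along.
# Assumptions: /dev/sda2 is the Windows partition and /dev/sdb1 the backup stick
# (placeholders; check with `lsblk -f`), and the live CD has ntfs-3g.

# Mount the Windows partition read-only so nothing on the infected disk is
# altered while we copy from it; noexec/nodev on both mounts means nothing
# copied or browsed can be launched from the live session by accident.
mount_disks() {
    mkdir -p /mnt/windows /mnt/backup
    mount -t ntfs-3g -o ro,noexec,nodev "$1" /mnt/windows
    mount -o noexec,nodev "$2" /mnt/backup
}

# Is this relative path one of the types we refuse to copy? Matching is
# case-insensitive because Windows filenames are; the list is the usual
# executable, script and shortcut containers plus the autorun file.
is_executable_type() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.exe|*.dll|*.scr|*.com|*.pif|*.bat|*.cmd|*.vbs|*.vbe|*.js|*.jse|*.wsf|*.wsh|*.lnk|*.msi|*.sys|*.cpl|autorun.inf|*/autorun.inf)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# rescue_copy SRC DST: copy every regular file under SRC to the same relative
# path under DST, preserving timestamps and skipping executable types. Two
# manifests are written under DST: .rescue-manifest (copied) and
# .rescue-skipped (left behind), so the operator can see what was refused.
rescue_copy() {
    src=$1; dst=$2
    manifest="$dst/.rescue-manifest"
    skipped="$dst/.rescue-skipped"
    mkdir -p "$dst"
    : > "$manifest"
    : > "$skipped"
    # find runs in a subshell rooted at SRC so paths come out relative; the
    # while loop may also run in a subshell, which is why the tallies live in
    # files rather than shell variables. Names containing a newline would
    # break the read loop; NTFS does not permit them, so that is acceptable here.
    ( cd "$src" && find . -type f -print ) | while IFS= read -r f; do
        rel=${f#./}
        if is_executable_type "$rel"; then
            printf '%s\n' "$rel" >> "$skipped"
            continue
        fi
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$src/$rel" "$dst/$rel"
        printf '%s\n' "$rel" >> "$manifest"
    done
    echo "copied $(wc -l < "$manifest" | tr -d ' ') file(s), skipped $(wc -l < "$skipped" | tr -d ' ')"
}

# Usage from the live session, as root:
#   mount_disks /dev/sda2 /dev/sdb1
#   rescue_copy /mnt/windows/Users/alice /mnt/backup/alice
```

<p>Read the <code>.rescue-skipped</code> manifest before you unplug the stick: a handful of shortcut files is normal, but an .exe sitting in a Documents folder is worth a look with the rescue CD&#8217;s scanner before the machine is rebuilt.</p>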
<p>It is safe to power off the PC when you&#8217;re done with these rescue CDs. Just make sure to remove the CD before you try to boot up again into Windows, otherwise the computer will boot back into the rescue CD.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/03/removing-viruses-from-a-pc-that-wont-boot/feed/</wfw:commentRss>
		<slash:comments>43</slash:comments>
		</item>
		<item>
		<title>Bad BitDefender Antivirus Update Hobbles Windows PCs</title>
		<link>http://krebsonsecurity.com/2010/03/bad-bitdefender-antivirus-update-hobbles-windows-pcs/</link>
		<comments>http://krebsonsecurity.com/2010/03/bad-bitdefender-antivirus-update-hobbles-windows-pcs/#comments</comments>
		<pubDate>Sun, 21 Mar 2010 01:20:00 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Other]]></category>
		<category><![CDATA[Time to Patch]]></category>
		<category><![CDATA[bitdefender]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=1882</guid>
		<description><![CDATA[A faulty update  is being blamed for incapacitating an untold number of Microsoft Windows systems running anti-virus software from BitDefender. BitDefender says the problem occurred Saturday morning with a faulty update for 64-bit Windows systems that  caused multiple Windows and BitDefender files to be quarantined. The bad update causes the anti-virus program to flag thousands [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.krebsonsecurity.com/wp-content/uploads/2010/03/bitdefender.jpg"><img class="alignright size-thumbnail wp-image-1892" title="bitdefender" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/03/bitdefender-150x150.jpg" alt="" width="150" height="150" /></a>A faulty update is being blamed for incapacitating an untold number of <strong>Microsoft Windows</strong> systems running anti-virus software from <strong>BitDefender</strong>.</p>
<p>BitDefender says the problem occurred Saturday morning with a faulty update for 64-bit Windows systems that caused multiple Windows and BitDefender files to be quarantined. The bad update causes the anti-virus program to flag thousands of legitimate Windows and BitDefender program files as a threat called &#8220;FakeAlert.5&#8221;.</p>
<p>The Romanian software firm  <a href="http://news.bitdefender.com/NW1431-en--Trojan.FakeAlert.5-Update-issue.html" target="_blank">said</a> the glitchy update has been removed and that the company is working on a fix for the problem.  BitDefender&#8217;s <a href="http://forum.bitdefender.com/index.php?showtopic=18759" target="_blank">user forum</a> has lit up with complaints from customers, and the company appears to be fielding quite a number of inquiries on the problem <a href="http://twitter.com/bitdefender" target="_blank">via its Twitter page</a>.</p>
<p>&#8220;We are creating a patch that will restore all quarantined files,&#8221; the company said in a statement on its site. &#8220;The patch will be available shortly. We apologize for this error and we will work to prevent this from occurring again in the future.&#8221;</p>
<p>BitDefender has posted <a href="http://forum.bitdefender.com/index.php?showtopic=18789" target="_blank">partial recovery instructions</a> for users who are having trouble booting up Windows after this bad update, although several apparent users commenting on the company&#8217;s Twitter feed indicated they were still unable to boot after following the instructions.</p>
<p>Meanwhile, BitDefender representatives on Twitter are <a href="http://twitter.com/bitdefender/status/10797005869" target="_blank">warning users</a> that malware writers already are taking advantage of the situation, and urging users to download the fix &#8212; whenever it is made available &#8212; only from BitDefender&#8217;s Web site.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/03/bad-bitdefender-antivirus-update-hobbles-windows-pcs/feed/</wfw:commentRss>
		<slash:comments>39</slash:comments>
		</item>
	</channel>
</rss>

