On Wednesday I wrote that many of the top fake antivirus distribution programs had ceased operations, citing difficulty in processing credit card transactions from victims. Others are starting to see the result of this shakeup: Security firm McAfee says it has witnessed a dramatic drop in the number of customers reporting scareware detections in recent weeks.

Image courtesy McAfee

McAfee has tracked more than a 60 percent decrease in the number of customers dealing with fake AV since late May. “From McAfee’s vantage point, we are seeing a significant decline in detections reported from customers as well as the discovery of new FakeAV variants,” said Craig Schmugar, a security threat researcher for McAfee.

These extortion scams persist because criminal hackers get paid between $25-35 each time a victim relents and provides a credit card number. If fake AV distributors can’t get paid for spreading the scam software, they’ll find some other way to make money.

Fake AV bombards victim PCs with misleading alerts about security threats and hijacks the machine until the user pays for bogus security software or figures out how to remove it. For better or worse, it is likely that the dearth of credit card processors serving the fake AV industry has eliminated the first option for many people dealing with infections.

New and novel malware appears with enough regularity to keep security researchers and reporters on their toes. But, often enough, there are seemingly new perils that  really are just old threats that have been repackaged or stubbornly lingering reports that are suddenly discovered by a broader audience. One of the biggest challenges faced by  the information security community is trying to decide which threats are worth investigating and addressing.  To illustrate this dilemma, I’ve analyzed several security news headlines that readers forwarded  to me this week, and added a bit more information from my own investigations.

I received more than two dozen emails and tweets from readers calling my attention to news that the source code for the 2.0.8.9 version of the ZeuS crimekit has been leaked online for anyone to download. At one point last year, a new copy of the ZeuS Trojan with all the bells and whistles was fetching at least $10,000. In February, I reported that the source code for the same version was being sold on underground forums. Reasonably enough, news of the source leak was alarming to some because it suggests that even the most indigent hackers can now afford to build their own botnets.

A hacker offering to host and install a control server for a ZeuS botnet.

We may see an explosion of sites pushing ZeuS as a consequence of this leak, but it hasn’t happened yet. Roman Hüssy, curator of ZeusTracker, said in an online chat, “I didn’t see any significant increase of new ZeuS command and control networks, and I don’t think this will change things.” I tend to agree. It was already ridiculously easy to start your own ZeuS botnet before the source code was leaked. There are a number of established and relatively inexpensive services in the criminal underground that will sell individual ZeuS binaries to help novice hackers set up and establish ZeuS botnets (some will even sell you the bulletproof hosting and related amenities as part of a package), for a fraction of the price of the full ZeuS kit.

My sense is that the only potential danger from the release of the ZeuS source code  is that more advanced coders could use it to improve their current malware offerings. At the very least, it should encourage malware developers to write more clear and concise user guides. Also, there may be key information about the ZeuS author hidden in the code for people who know enough about programming to extract meaning and patterns from it.

Are RATs Running Rampant?

Last week, the McAfee blog included an interesting post about a cross-platform “remote administration tool” (RAT) called IncognitoRAT that is based on Java and can run on Linux, Mac and Windows systems. The blog post featured some good details on the functionality of this commercial crimeware tool, but I wanted to learn more about how well it worked, what it looks like, and some background on the author.

Those additional details, and much more, were surprisingly easy to find. For starters, this RAT has been around in one form or another since last year. The screen shot below shows an earlier version of IncognitoRAT being used to remotely control a Mac system.

IncognitoRAT used to control a Mac from a Windows machine.

The kit also includes an app that allows customers to control botted systems via jailbroken iPhones.

Incognito ships with an app that lets customers control infected computers from an iPhone

The following video shows this malware in action on a Windows system. This video was re-recorded from IncognitoRAT’s YouTube channel (consequently it’s a little blurry), but if you view it full-screen and watch carefully you’ll see a sequence in the video that shows how the RAT can be used to send e-mail alerts to the attacker. The person making this video is using Gmail; we can see a list of his Gchat contacts on the left; and his IP address at the bottom of the screen.  That IP traces back to a Sympatico broadband customer in Toronto, Canada, which matches the hometown displayed in the YouTube profile where this video was hosted. A Gmail user named “Carlo Saquilayan” is included in the Gchat contacts visible in the video.

The IncognitoRat kit is sold on a English-language script kiddie hacker forum called HackForums.net by “Mr. Incognito,” but acquaintances on the forum refer to him as “Carlo.” Carlo describes himself on HackForums as a 19-year-old college student; he did not respond to repeated requests for comment. Anyway, so much for going incognito: This Facebook account belongs to a Carlo Saquilayan from Toronto, Ontario, and includes a nice picture of a young man in sunglasses and a leather jacket.

CrimePack Resurfaces

Several security forums were abuzz last week over the apparent leak of another crimekit. It’s a recent version of CrimePack, an exploit kit that I’ve profiled on this blog a few times. Will this lead to an outbreak of newly-hacked Web sites infected with the CrimePack exploit kit? I don’t think it’s likely, for a couple of reasons. First, this was initially leaked last fall, not long after its author released it. Second, I reached the author of this crimekit via instant message, and got his reaction. He told me that a main component of the kit — the part that tries to attack vulnerabilities in Adobe’s PDF Reader — was broken in the version that got leaked, and remains largely non-functional.

“I deliver this copy to like 20 people without the domain lock as a last copy, but it got leaked to someone, same day,” said “Crim,” the CrimePack author. “After I saw that the PDF exploit was not working, so pretty much no exploits will work as it will generate error when sending exploits. I was so pissed off when it leaked, so I refused to send out fixed copies.” A strongly-worded snippet of chatter from an exclusive hacker forum where Crim is co-administrator is included in the screen shot above, and seems to support his claim.

Sunspots are Nothing New

Security firm Trusteer said it has identified a little-known Windows malware platform that rivaled ZeuS in sophistication and functionality. In a blog post on May 11, 2011, Trusteer’s Amit Klein described the novelty of this malware, which the company dubbed “Sunspot”. Klein said Sunspot “reveals a new approach to financial malware development. Unlike purpose built financial fraud platforms like Zeus, SpyEye, Bugat, and others, it appears Sunspot was not originally developed as crime ware. If this is the case, we could be witnessing a sea change in malware development where general purpose and little know[n] malware platforms are re-programmed to carry out financial fraud. This will make it even more difficult to defend against attacks since banks will be ambushed by a growing number of unique financial malware platforms.”

When I first read Trusteer’s blog post, I pinged a number of security experts who study malware for a living, to get their thoughts on whether this was a unique threat. Aviv Raff, CTO and co-founder of security alert service Seculert, told me on Wednesday that he’d wrangled a copy of the malware and that it appeared to be a souped-up version of a well-known bot released in the middle of the last decade called Nethell, but also known as Limbo and Ambler. Then on Thursday, Microsoft‘s Tareq Saade & Tim Liu chimed in, saying they’d also pegged Sunspot as an evolved version of Ambler.

Trusteer’s Klein acknowledged that there appeared to be similarities between Sunspot and Limbo/Nethell/Ambler, but said there are major innovations in the way that Sunspot attacks the victim’s browser. He observed that much as the leak of the ZeuS code may soon give some enterprising malware coder ideas about how to extend the capabilities of an existing malware family, it appears that someone has taken a tried-and-true bot family and jazzed it up with a new set of wheels.

“Whether this is an evolution of Limbo/Nethell/Ambler, or merely ‘cannibalizing’ pieces of that malware to build a completely new malware is anyone’s guess,” Klein said in an email to KrebsOnSecurity. “Clearly they are both built with access to some common source code, but beyond that it’s difficult to accurately tell. From our perspective the difference [outweighs] the similarities, so we feel that a new name is in place.”

Keep the tips coming, please  – they are usually helpful and always much appreciated. But do turn a skeptical eye to reports of “new” threats -  many times we discover that something new is really not news at all.

Microsoft today issued 17 software updates to plug a total of 40 security holes in computers running its Windows operating system and other software. December’s bounty of patches means Microsoft fixed a record number of security vulnerabilities this year.

According to Microsoft, the most urgent of the patches is a critical update that fixes at least seven vulnerabilities in Internet Explorer versions 6, 7 and 8, including three that were publicly disclosed prior to today’s update. Microsoft said that at least one of the public flaws is already being actively exploited.

Microsoft also called special attention to the only other critical bulletin in the batch – a vulnerability in the OpenType Font Driver in Windows.  Redmond warns that an attacker could compromise a machine on a network simply by getting a user to open a shared folder containing a malicious OpenType font file.

According to McAfee, Microsoft has rounded out the year with 106 security bulletins, the highest number in history, and a significant jump over the 74 security bulletins released in 2009. This year also brings a record number of vulnerabilities patched, at 266, McAfee noted.

Obviously, merely counting the number of flaws a vendor fixes doesn’t tell you much about how safe it is to use that vendor’s products, but it’s the foundation for a more careful analysis. It may take some time to dig through the data, but it will be interesting to see whether Microsoft has gotten any nimbler in responding to zero-days (the IE zero-day mentioned above was first detailed on Nov. 3).

Microsoft also patched the last of the zero-day vulnerabilities exploited by the infamous Stuxnet computer worm. This flaw exists in the Windows Task Scheduler, and allows a regular user to schedule a task that will run with elevated (administrator) privileges – effectively giving an attacker full access to the system. Researchers at Symantec warned today that at least two new threats are now exploiting this flaw.

Patches are available through Microsoft Update (using IE) or Automatic Update. As always, please drop a note in the comments section if you experience any issues with this month’s updates.

“Firesheep,” a new add-on for Firefox that makes it easier to hijack e-mail and social networking accounts of others who are on the same wired or wireless network, has been getting some rather breathless coverage by the news media, some of whom have characterized this a new threat. In reality, this tool is more of a welcome reminder of some basic but effective steps that Internet users should take to protect their personal information while using public networks.

Most online services use secure sockets layer (SSL) encryption to scramble the initial login — as indicated by the presence of “https://” instead of “http://” in the address field when the user submits his or her user name and password. But with many sites like Twitter and Facebook, subsequent data exchanges between the user and the site are sent unencrypted and in plain text, potentially exposing that information to anyone else on the network who is running a simple Web traffic snooping program.

Why should we care if post-login data is sent in unencrypted plain text? Most Web-based services use “cookies,” usually small, text-based files placed on the user’s computer, to signify that the user has logged in successfully and that he or she will not be asked to log in again for a specified period of time, usually a few days to a few weeks (although some cookies can be valid indefinitely).

The trouble is that the contents of these cookies frequently are sent unencrypted to and from the user’s computer after the user has logged in. That means that an attacker sniffing Web traffic on the local network can intercept those cookies and re-use them in his own Web browser to post unauthorized Tweets or Facebook entries in that user’s name, for example. This attack could also be used to gain access to someone’s e-mail inbox.

Enter Firesheep, a Firefox add-on released this past weekend at the Toorcon hacker conference in San Diego. Eric Butler, the security researcher who co-authored the tool, explains some of the backstory and why he and a fellow researcher decided to release it:

“This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new ‘privacy’ features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely?”

In his blog post about Firesheep, I believe Butler somewhat overstates the threat posed by this add-on when he says: “After installing the extension you’ll see a new sidebar. Connect to any busy open wifi network and click the big ‘Start Capturing’ button. Then wait.”

It appears, however, that this add-on will only capture cookies from other users on a wireless network in cases where the attacker has already compromised the security of the entire network itself. Still, a number of free, open source tools are available to accomplish this task and could be used in combination with Firesheep to collect a ton of user logins on a busy wireless network. For example, Ettercap is an extremely useful program that lets you trick other computers on the local network into thinking that your computer is the wired or wireless router, effectively routing all of the incoming and outgoing traffic on the local network through your computer. Ettercap is a standard component of many Live CD installations of Linux that allow users to boot into a fully usable Linux distribution from a CD or USB device.

I pinged Butler for an interview about his add-on, but have yet to hear back from him. If that changes, I’ll update this post.

I tested Firesheep on a regular wireless network without running Ettercap and, sure enough, the only time Firesheep recorded any logins was when I logged in from the same computer that was running Firesheep: It did not capture cookies when I logged in to the same accounts from other machines on my wireless network. I tested this using two separate, commonly-sold wireless routers — with and without WEP/WPA encryption enabled — with the same results.

Combine Firesheep with something like Ettercap, however, and you have a very powerful, point-and-click method for hijacking social networking and e-mail accounts belonging to other users on the local network. This is exactly what McAfee director of research Dave Marcus found and explained quite well in his take on this tool earlier this week. Marcus also found that the add-on doesn’t collect cookies from other computers on a local network with the help of tools like Ettercap.

“What I like about Firesheep is that it is a very graphical way of showing people a problem,” Marcus said. “That said, it doesn’t do anything new.  People have been talking about session and cookie hijacking since at least 2003. [Butler] has just come out with a nifty extension for you to show the extent of this threat graphically and uniquely.”

The EFF's "https-everywhere" add-on

In any case, Firesheep was meant to raise awareness about this problem, and it appears to have succeeded in doing that. So what can you do to protect yourself? There are at least two Firefox add-ons that can dramatically increase the security and privacy of your Web browsing while on public networks, and that directly address the weakness exploited by Firesheep. These add-ons force any Web site you specify to encrypt all traffic (that is, always use an https:// connection), not just logins.

The Electronic Frontier Foundation‘s add-on, Https-Everywhere, is nice because it comes with about 20 sites pre-selected, including Facebook and Twitter. But some users may find its instructions for adding other sites to be a bit complex.

The ForceTLS add-on

Another plug-in that makes it easier to add new sites is Force-TLS, although it does not include any sites by default.

One final note: The truly scary aspect of these types of network-level attacks is that they work against all computer users, regardless of operating system type. As for the helper add-on, Firesheep is available for Windows and OS X systems, and the authors say they are working on a version for Linux.

Update, 4:06 p.m. ET: A couple of readers have pointed out a blog post from Robert Graham at ErrataSec, which notes that the ForceTLS add-on may not succeed in forcing https on all sites. He also offers some reasons why I may not have seen the Firesheep add-on working to capture cookies over the network. Graham writes: “FireSheep works only as well as the underlying packet-capture. On a Macintosh, the adapter can be fully promiscuous, capturing everybody’s traffic on the local access-point. On Windows, some adapters (like Broadcom) will see all the traffic, others (like Intel) will only see your own traffic (useful for watching which of your own websites can be sidejacked, but not useful for sidejacking others).”

Spam trackers are seeing a fairly dramatic drop in junk e-mail sent over the past few days, specifically spam relayed by one of the world’s largest spam botnets – although security experts disagree on exactly which botnet may be throttling back or experiencing problems.

According to M86 Security Labs, the volume of spam has dipped quite a bit, approximately 40 percent since the beginning of the month by the looks of the graphic the company publishes on its site (pictured at right).

M86 says the decrease in spam is due to a rapid drop in activity from the Rustock botnet (see graphic below left), a collection of spam-spewing zombie PCs that experts say is responsible for relaying about 40 percent of all junk e-mail on any given day.

The decline in spam volume comes at about the same time that the world’s largest spam affiliate program — spamit.com — said it would stop paying affiliates to promote its online pharmacy Web sites — on Oct. 1.

Bradley Anstis, vice president of technical strategy for M86, said the most likely explanation is that the person(s) operating Rustock rented the botnet to a number of spamit.com affiliates, and many of those affiliates have not yet switched over to another pharmacy affiliate program.

“To me, that’s the most logical explanation,” Anstis said. “The timing certainly hooks up well, because we started seeing this decline right around the first of October.”

Several other spam watchers said they also were seeing the decline in junk e-mail, although they attribute it differently. Dmitri Alperovitch, vice president of threat research at McAfee, said his company’s sensors were attributing the drop in spam to a decline in activity from the Pushdo botnet.

Alperovitch said McAfee is seeing a 45 percent drop in the number of Pushdo-infected PCs sending spam spam since Oct. 1, and 27 percent decrease in overall spam levels since that same date.

The dispute over which botnet may be responsible for the missing spam is interesting because it dovetails with a discussion I had last month with a Russian source who has close contacts to many key players in the cybercrime underground. I had asked this source if he could connect me to the author of Rustock, and while my source couldn’t secure me an interview, he related the following tidbit from their conversation: He said the guy was amused because M86 was consistently conflating Pushdo and Rustock infections — effectively giving his Rustock botnet credit for spam that was being sent by Pushdo.

M86′s Anstis said his team would be checking their methodologies to make sure they weren’t misclassifying the spam sources.

“As security vendors, we try to work out which ones are most active and which ones we should concentrate on,” Anstis said. “In the end, the only person who is going to know who is sending what is the botnet authors.”

Update, Oct. 6, 5:13 p.m. ET: M86 said they re-checked their information after my story ran. Here was their response:

“We have also seen a drop since Sunday in Pushdo but not at the level of the Rustock drop. We are sure we have these labeled correctly, for example we saw the drop in just Pushdo last month when some of its controllers were taken offline. We still have no Rustock spam in our traps and since these traps come from many different sources we find it hard to believe that just we were blacklisted. We have double checked all our settings and algorithms, we were the first vendor to start reporting on spam bot traffic and we are positive that we have these labeled correctly.”

I recently highlighted a study which showed that most of the top software applications failed to take advantage of two major lines of defense built into Microsoft Windows that can help block attacks from hackers and viruses. As it turns out, a majority of anti-virus and security products made for Windows users also forgo these useful security protections.

As I wrote last month:

Attackers usually craft software exploits so that they write data or programs to very specific, static sections in the operating system’s memory. To counter this, Microsoft introduced with Windows Vista (and Windows 7) a feature called address space layout randomization or ASLR, which constantly moves these memory points to different positions. Another defensive feature called data execution prevention (DEP) — first introduced with Windows XP Service Pack 2 back in 2004 — attempts to make it so that even if an attacker succeeds in guessing the location of the memory point they’re seeking, the code placed there will not execute or run.

These protections are available to any applications built to run on top of the operating system, and they’re designed to make it difficult for attackers to develop reliable exploits for vulnerabilities in Windows applications. As we saw last month, few top apps invoke the protections, but many readers may be surprised to learn that few anti-virus products have adopted these technologies.

I installed the trial versions of a dozen top anti-virus and security suites on a virtual machine running Windows Vista, and then checked each product’s executable files using Microsoft’s excellent Process Explorer tool, which provides a mass of information about processes running on your Windows system, including whether or not those processes invoke DEP and/or ASLR.

Among the anti-virus products that used neither ASLR nor DEP were AVAST Home Edition, AVG Internet Security 9.0, BitDefender Internet Security 2010, ESET Smart Security, F-Secure Internet Security, Norton Internet Security 2010, Panda Internet Security 2010 and Trend Micro Internet Security 2010.

Microsoft Security Essentials was the only product that used both ASLR and DEP consistently on Windows Vista (although interestingly it does not invoke DEP on Windows XP). Other anti-virus suites I tested used either ASLR or DEP (or both), but only in some applications that make up the suite. For example, McAfee Internet Security’s “mcagent.exe” program runs both ASLR and DEP, while four other executable processes spawned by the program ran DEP but not ASLR (since these tests were run, McAfee has changed the trial version of MIS available on its site, and the company sent me a screen shot that shows DEP and ASLR on all running processes in that version).

Similarly, I found that the anti-virus suite from Avira ran its main avguard.exe program in ASLR mode but did not use DEP. The rest of the program files that ship with this product run neither ASLR nor DEP. Kaspersky Internet Security had DEP enabled on just one process (the browser plug-in), and did not invoke ASLR with any program components.

To be sure, DEP and ASLR are not panaceas: Security researchers have come up with a number of clever ways to bypass these protection mechanisms. Still, it’s interesting to note the lack of these features in anti-virus products for two reasons: First, even researchers who have developed exploits to work around these protections say the two technologies raise the bar significantly for malicious coders. Second, anti-virus products are not immune to introducing their own exploitable software flaws.

I sought comment from all of the anti-virus vendors whose products I examined (except for Microsoft) and received a few responses. Most either downplayed the usefulness of the two technologies in combating today’s threats, or said that they planned to implement the protections in upcoming releases.

Mikko Hypponen from F-Secure said that “adding support for DEP and ASLR in our products is on our roadmap, but has not been implemented yet. This is because we’ve focused our development efforts lately to focus on performance. Once we have this feature ready, it will be available to all of our customers through our update channel.”

Pedro Bustamante, a senior research adviser at Panda Security, said Panda decided not to use either ASLR or DEP in favor of their own technology “to provide protection not only for the single AV processes but also for other types of operations. For example our products include a Shield component which already takes care of the protection as offered by ASLR and DEP, in addition to other types of self-protections such as preventing a process from injecting a thread into a separate process, preventing certain applications from executing dangerous operations on the system (such as Adobe Acrobat dropping an executable in the system and running it), protection of the AV files in the installation directories, etc.”

Bustamante continued: “These Microsoft technologies might be a good solution for certain types of more basic applications, but from our point of view are insufficient for an anti-malware product trying to get a more defense-in-depth approach to securing the whole OS and third party applications.”

Bitdefender said it plans to incorporate DEP and ASLR in its 2011 suite of products.

Symantec’s director of product management, Dan Nadir, said Norton Internet Security 2010 does in fact include support for DEP (although my experiments with Process Explorer showed it was not enabled) and that the company is “evaluating possible support of ASLR in future versions of our products.”

The research team from ESET responded: “Based upon the types of attacks we see against security software, and the likely attack scenarios, ASLR and DEP do not provide any significant defense. [While] enabling ASLR and DEP is quite trivial, the complexity come in assuring the proper test matrix has been implemented. Without proper testing ASLR can be weaponized…We will consider adding the features in the future, but not without extremely rigorous testing.”

Adobe Systems Inc. said today the next release of its free PDF Reader application will include new “sandbox” technology aimed at blocking the exploitation of previously unidentified security holes in its software.

Sandboxing is an established security mechanism that runs the targeted application in a confined environment that blocks specific actions by that app, such as installing or deleting files, or modifying system information. Adobe said that in developing the sandbox technology, it relied on experts from Microsoft and Google (the latter already has incorporated sandboxing into its Chrome Web browser).

“The idea is to run Reader in a lower-privilege mode so that even if an attacker finds an exploit or vulnerability in Reader, it runs in lower rights mode, which should block the installation of [malware], deleting things on the system, or tampering with the [Windows] registry,” said Brad Arkin, director of product security and privacy at Adobe.

Even if only somewhat effective, the new protections would be a major advancement for one of the computing world’s most ubiquitous and oft-targeted software applications. The company is constantly shipping updates to block new attacks: Less than a month ago, Adobe rushed out a patch to plug vulnerabilities that hackers were using to break into vulnerable machines. Security vendor McAfee found that roughly 28 percent of all known software exploits in the first quarter of 2010 targeted Adobe Reader vulnerabilities. According to anti-virus maker F-Secure, Reader is now the most-exploited application for Windows.

Reader still has to legitimately touch the underlying filesystem in order to save PDF files, but it will be configured to work through a separate Adobe “broker process,” such that any attempts by Reader to communicate directly with the operating system will fail, Arkin said.

“Under such a system, not only would the attacker have to find a vulnerability in Reader, but they’d also have to carry out a second-stage attack from the Reader process to the broker process,” he said. “We have put in a place a very small set of policies to make sure that any action the broker process takes on behalf of Reader is absolutely necessary for operation.”

The initial release will not sandbox “read-only” activities in Reader, such as accessing content on the user’s system, but that functionality may be incorporated into versions down the road.

Arkin said the new feature will be on by default, and will not affect the performance or speed of the application.

“The vast majority of users will never know it’s there,” Arkin said. “It doesn’t increase the number of dialogue boxes or choices, and users should be able to continue to interact with Reader the same way they always have.”

Didier Stevens, a Belgian security researcher who has discovered and reported a number of security vulnerabilities in Reader, said Adobe’s planned protections should indeed block most known PDF-based malware.

“When I read ‘sandboxing of all write calls’ I said to myself: ‘That’s easy to bypass, for example by injecting code into another process (e.g. Windows Explorer) and let it write to disk’,” Stevens wrote in an e-mail to KrebsOnSecurity.com. “But then I read that registry and process calls are also sandboxed, so injecting code inside another process would be blocked.”

Stevens said the broker process could end up being the weakest link of Adobe’s sandbox approach.

“If you can mislead the broker process, you can still get access,” Stevens said. “If similar bugs exist in the broker process, then researchers will soon find them. And I hope this mechanism fails gracefully: if the broker process breaks down, then every action should be denied.”

Adobe isn’t willing to set a date certain for the release of the new sandboxed Reader, but said it should ship in the next version, due out before the end of the year. Arkin said the sandboxing feature will initially be available only for the Windows version of Reader.

“Our primary goal was to protect the largest number of users the fastest,” Arkin said. “In the lab it’s certainly possible to take one of those [vulnerabilities] and export it onto a different platform, but in the real world, every single attack we’ve heard about has been on a Windows platform.”

Purveyors of rogue anti-virus, a.k.a. “scareware,” often seize upon hot trending topics in their daily efforts to beef up the search engine rankings of their booby-trapped landing pages. So it’s perhaps no surprise that these scammers are capitalizing on search terms surrounding McAfee, which just yesterday shipped a faulty anti-virus update that caused serious problems for a large number of customers.

Searching for McAfee’s free scanning tool along with the name of yesterday’s bad update returns page after page of results that when visited launch the familiar come-ons that try to frighten visitors into purchasing bogus (if not also malicious) anti-virus products. I took the screen shots here with Internet Explorer 8, because as usual the booby-trapped pages simply would not load with the noscript add-on enabled in my version of Firefox.

Update 11:08 a.m. ET: Panda Security just published a similar post which lists a number of McAfee-related search terms that can lead to sites like those in the screen  shots below.

McAfee‘s anti-virus software is erroneously detecting legitimate Windows system files as malicious, causing reboot loops and serious stability problems for many Windows XP users, according to multiple reports.

The SANS Internet Storm Center has received dozens of reports from McAfee users who complained that a recent anti-virus update (DAT 5958) is causing Windows xP Service Pack 3 clients to be locked out. According to SANS incident handler Johannes Ulllrich, McAfee is flagging “svchost.exe” as malicious. Svchost is a common system process typically used by multiple legitimate programs on a Windows system (although malware does often inject itself into this process), so having an anti-virus program that flags the process as a threat could cause major problems on a host system, Ullrich said.

“The [reports] keep coming in,” Ullrich said. “Systems either get stuck in a reboot loop, or networking is no longer working.”

One symptom seems to be that McAfee reports that user systems are infected with W32.Wecorl.a. The anti-virus program’s attempts to destroy or quarantine that targeted process then forces the Windows machine into a reboot cycle.

McAfee’s own support forum is currently queuing up with a large number of users piping in with stories about how the incident is affecting their operations. That thread,which began at 9:54 a.m. today, has more than 27,000 views and 83 replies.

Stay tuned for more updates as available.

Update, 1:56 p.m. ET: McAfee released the following statement regarding this event. “McAfee is aware that a number of customers have incurred a false positive error due to incorrect malware alerts on Wednesday, April 21. The problem occurs with the 5958 virus definition file (DAT) that was released on April 21 at 2.00 PM GMT+1 (6am Pacific Time).

Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3.

The faulty update has been removed from McAfee download servers for corporate users, preventing any further impact on those customers. We are not aware of significant impact on consumer customers and believe we have effectively limited such occurrence.

McAfee teams are working with the highest priority to support impacted customers and plan to provide an update virus definition file shortly. McAfee apologizes for any inconvenience to our customers.”

Update, 3:51 p.m. ET: McAfee’s main support forum is down due to an “unusually large traffic.” McAfee has posted a separate thread here that includes a couple of workarounds for customers struggling to deal with this problem.

The recent targeted cyber attacks against Google, Adobe and other major companies were fueled in part by a previously unknown — and currently unpatched — security flaw in Microsoft‘s Internet Explorer Web browser, anti-virus vendor McAfee said today.

McAfee said its investigation revealed that one of the malicous software samples used in the attacks exploited a new, not publicly known vulnerability in IE that is present in all of Microsoft’s most recent operating system releases, including Windows 7.

George Kurtz, McAfee’s chief technology officer, said the IE vulnerability was just one of several previously unknown software flaws that were leveraged in the targeted attacks, which security experts at iDefense have said affected at least 33 different companies.

“While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios,” Kurtz wrote in a posting to the company’s Security Insights Blog. “So there very well may be other attack vectors that are not known to us at this time. That said, contrary to some reports our findings to date have not shown a vulnerability in Adobe Reader being a factor in these attacks.”

Several sources, including McAfee, now say Microsoft plans to release more information later today about the vulnerability. A spokeswoman for Microsoft would not confirm that claim, saying only that “Microsoft is investigating these reports and will provide more information when it is available.”

UPDATE, 5:25 p.m: Microsoft has issued an advisory confirming the existence of a previously unknown vulnerability in all supported versions of IE on pretty much every supported version of Windows. The MS advisory is here.

Original post:

In related news, names of additional victims of this targeted attack, which appears to have targeted trade secrets and source code, are starting to trickle out. The Washington Post is reporting that list includes Yahoo, Symantec, Northrop Grumman and Dow Chemical. A source told me that router maker Juniper Systems Inc. also may have been victimized, although I am still trying to confirm that claim.

Update, 10:34 p.m: Juniper issued the following statement about claims that it, too, was one of the nearly three dozen companies hit by targeted attacks: ” Juniper Networks recently became aware, and is currently investigating, a cyber security incident involving a sophisticated and targeted attack against a number of companies. As with any investigation of this nature, Juniper does not disclose details.”