‘Stuxnet’ Worm Far More Sophisticated Than Previously Thought

September 14, 2010

The “Stuxnet” computer worm made international headlines in July, when security experts discovered that it was designed to exploit a previously unknown security hole in Microsoft Windows computers to steal industrial secrets and potentially disrupt operations of critical information networks. But new information about the worm shows that it leverages at least three other previously unknown security holes in Windows PCs, including a vulnerability that Redmond fixed in a software patch released today.

Image courtesy Kaspersky Lab

As first reported on July 15 by KrebsOnSecurity.com, Stuxnet uses a vulnerability in the way Windows handles shortcut files to spread to new systems. Experts say the worm was designed from the bottom up to attack so-called Supervisory Control and Data Acquisition (SCADA) systems, or those used to manage complex industrial networks, such as systems at power plants and chemical manufacturing facilities.

The worm was originally thought to spread mainly through the use of removable drives, such as USB sticks. But roughly two weeks after news of Stuxnet first surfaced, researchers at Moscow-based Kaspersky Lab discovered that the Stuxnet worm also could spread using an unknown security flaw in the way Windows shares printer resources. Microsoft fixed this vulnerability today, with the release of MS10-061, which is rated critical for Windows XP systems and assigned a lesser “important” threat rating for Windows Vista and Windows 7 computers.

In a blog post today, Microsoft group manager Jerry Bryant said Stuxnet targeted two other previously unknown security vulnerabilities in Windows, including another one reported by Kaspersky. Microsoft has yet to address either of these two vulnerabilities – known as “privilege escalation” flaws because they let attackers elevate their user rights on computers where regular user accounts are blocked from making important system modifications.

Continue reading

Adobe Warns of Attacks on New Flash Flaw

September 13, 2010

Adobe Systems Inc. warned Monday that attackers are exploiting a previously unknown security hole in its Flash Player, multimedia software that is installed on most computers.

Adobe said a critical vulnerability exists in Adobe Flash Player versions 10.1.82.76 and earlier, for Windows, Mac, Linux, Solaris, UNIX and Android operating systems. In a security advisory, Adobe warned that the flaw could cause Flash to crash and potentially allow an attacker to seize complete control over an affected system.

Worse still, there are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player. Adobe’s advisory states that while the latest versions of Adobe Acrobat and Reader also contain the vulnerable Flash components, the company is not aware of attacks against the Flash flaw in those programs.

That last bit may be of little comfort to Adobe Acrobat and Reader users: Last week, Adobe issued a similar advisory warning that hackers were attacking an as-yet unpatched critical flaw in both of those programs.

Adobe said it is in the process of finalizing a fix for the Flash issue and expects to provide an update for Flash Player on Windows, Mac, and Android systems during the week of Sept. 27, 2010. Updates to fix the Flash flaw in Adobe Reader and Acrobat should be ready by the week of October 4, 2010, Adobe said.

Flash is one of those Web components that can be difficult to do without. I often urge readers who use Firefox to install and use the Noscript add-on, which blocks Flash-based content by default and lets the user decide which Flash videos to enable.

Advertisement

A One-Stop Money Mule Fraud Shop

September 13, 2010

A recent chat with an individual who was almost tricked into helping organized criminals launder thousands of dollars stolen through e-banking fraud introduced me to one of the most clever and convincing money mule recruitment Web sites I’ve ever encountered. Through the use of images stolen from legitimate Web sites and well-placed video and interactive content, this bogus work-at-home job site may become a model for mule recruitment scams to come.

Training to be a “financial agent,” a.k.a. a “money mule.”

Money mules are people willingly or unwittingly lured into helping crooks launder stolen funds, usually through work-at-home job scams. Reshipping mules are sent goods and asked to reship them to addresses abroad, or are sent money and asked to purchase goods and then ship them overseas. In both jobs, the mule usually earns a commission for his or her work (either fixed percentage of the transfer or permission to keep one of the purchased goods), but both are usually cut loose before they see their promised paychecks.

A mule who spoke with KrebsOnSecurity.com on condition of anonymity said he was recruited as a financial agent by Lydon Online, which communicated with him via Web-based e-mails (see image directly below), as well as via cell phone text messages.

The mule, whom we’ll call “Jeremy,” ignored instructions to supply his bank account information in preparation for receiving deposits from Lydon Online. That’s because shortly after signing up with Lydon, Jeremy learned that another company which also had hired him for a work-at-home job as a financial agent had tried to send him nearly $10,000 stolen from a Pennsylvania dental practice that was robbed of many times that amount last month (the dental office also agreed to speak to me on the condition of anonymity).

Continue reading

Attackers Exploiting New Acrobat/Reader Flaw

September 8, 2010

Adobe warned today that hackers appear to be exploiting a previously unknown security hole in its PDF Reader and Acrobat programs.

In an advisory published Wednesday, Adobe said a critical vulnerability exists in Acrobat and Reader versions 9.3.4 and earlier, and that there are reports that this critical vulnerability is being actively exploited in the wild. The company says its in the process of evaluating the schedule for an update to plug the security hole.

Meanwhile, an evil PDF file going around that leverages the new exploit currently is detected only by about 25 percent of the anti-virus programs out there (the Virustotal scan results from today are here, and yes it’s a safe PDF).

Adobe’s advisory doesn’t discuss possible mitigating factors, although turning off Javascript in Reader is always a good first step. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript and un-check Enable Acrobat JavaScript).

Better yet, consider using an alternative PDF reader that isn’t quite so heavily targeted as Adobe’s, such as Foxit, Sumatra, or Nitro PDF.

Revisiting Secunia’s Personal Software Inspector

September 8, 2010

Security vulnerability research firm Secunia has released a public beta of its Personal Software Inspector tool, a program designed to help Microsoft Windows users keep their heads above water with the torrent of security updates for third-party applications. The new beta version includes the promised auto-update feature that can automatically apply the latest patches for a growing number of widely-used programs.

Secunia first announced in March that it would soon make the auto-update feature available to consumers, noting that the average PC user needs to install a security update roughly every five days in order to safely use Microsoft Windows and all of the third-party programs that  typically run on top of it.  The new beta version doesn’t allow auto-updating for all applications, although Secunia says the list of applications that can be auto-updated through its tool will grow as the public beta progresses.

Overall, PSI 2.0 Beta seems to work quite a bit faster and use fewer resources than earlier versions. But my main concern in allowing third-party programs to update through PSI has so far been — ironically — relinquishing control over the update process. That’s because many “free” applications — such as Java, Adobe and Foxit readers — are free because a number of users never bother to deselect the check mark in the box next to offers to install additional software that is often bundled with these products, including virus scanners and various browser toolbars.

Continue reading

VISA Blocks ePassporte

September 3, 2010

Credit card giant VISA International has suspended its business with ePassporte, an Internet payment system widely commonly used to pay adult Webmasters and a raft of other affiliate programs.

Company owner Christopher Mallick broke the news to ePassporte customers in an e-mail sent Thursday, saying Visa International had suspended the company’s ePassporte Visa program, which is processed through St. Kitts Nevis Anguilla National Bank.

Continue reading

Toward a Culture of Security Measurement

September 2, 2010

“Our dependence on all things cyber as a society is now inestimably irreversible and irreversibly inestimable.”

Yeah, I had to re-read that line a few times, too. Which is probably why I’ve put off posting a note here about the article from which the above quote was taken, a thought-provoking essay in the Harvard National Security Journal by Dan Geer, chief information security philosopher officer for In-Q-Tel, the not-for-profit venture capital arm of the Central Intelligence Agency.

The essay is well worth reading for anyone remotely interested in hard-to-solve security problems. Geer is better than most at tossing conversational hand grenades and then walking away, and this piece doesn’t disappoint. For example:

“Looking forward, without universal strong authentication, tomorrow’s cybercriminal will not need the fuss and bother of maintaining a botnet when, with a few hundred stolen credit cards, he will be able to buy all the virtual machines he needs from cloud computing operators. In short, my third conclusion is that if the tariff of security is paid, it will be paid in the coin of privacy.”

Geer’s prose can be long-winded and occasionally sesquipedalian (such as the phrase “Accretive sequestration of social policy”), but then he turns around and shows off his selective economy with words by crafting statements like:

“..demand for security expertise so outstrips supply that the charlatan fraction is rising.”

In the essay, Geer touches on a pet issue of mine: Accountability for insecurity. I recently wrote an editorial for CSO Online addressing a public request for advice by the Federal Communications Commission (FCC), which wants ideas on how to craft a “Cybersecurity Roadmap” as part of its $7 billion national broadband initiative.

In that column, I suggest that the FCC find a way to measure and publish data about the number and longevity of specific cyber security threats resident on domestic ISPs and hosting providers. I also suggest that the government could achieve this goal largely by collecting and analyzing data from the many mainly volunteer-led efforts that are already measuring this stuff.

Geer warns readers that “the demand for ‘safe pipes’ inexorably leads to deputizing those who own the most pipes.” But mine isn’t a “punish or regulate ISPs-for-having-lots-of-security-problems” approach. Instead, it’s more of a “publish a reputation score with the imprimatur of the federal government in the hopes that the ISPs will be shamed into more proactively addressing abuse issues” idea.

Who knows if my idea would work, but it wouldn’t be terribly risky or expensive to try. After all, as Geer said, “security is a means and that game play cannot improve without a scorekeeping mechanism.”

“These are heady problems,” he concludes. “They go to the heart of sovereignty.  They go to the heart of culture.  They go to the heart of ‘Land of the Free and Home of the Brave’.  They will not be solved centrally, yet neither will they be solved without central assistance.  We have before us a set of bargains, bargains between the Devil and the Deep Blue Sea.  And not to decide is to decide.”

Cue the music.

Cyber Thieves Steal Nearly $1,000,000 from University of Virginia College

September 1, 2010

Cyber crooks stole just shy of $1 million from a satellite campus of The University of Virginia last week, KrebsOnSecurity.com has learned.

The attackers stole the money from The University of Virginia’s College at Wise, a 4-year public liberal arts college located in the town of Wise in southwestern Virginia.

Kathy Still, director of news and media relations at UVA Wise, declined to offer specifics on the theft, saying only that the school was investigating a hacking incident.

“All I can say now is we have a possible computer hacking situation under investigation,” Still said. “I can also tell you that as far as we can tell, no student data has been compromised.”

According to several sources familiar with the case, thieves stole the funds after compromising a computer belonging to the university’s comptroller. The attackers used a computer virus to steal the online banking credentials for the University’s accounts at BB&T Bank, and initiated a single fraudulent wire transfer in the amount of $996,000 to the Agricultural Bank of China. BB&T declined to comment for this story.

Sources said the FBI is investigating and has possession of the hard drive from the controller’s PC. A spokeswoman at FBI headquarters in Washington, D.C. said that as a matter of policy the FBI does not confirm or deny the existence of investigations.

The attack on UVA Wise is the latest in a string of online bank heists targeting businesses, schools, towns and nonprofits. Last week, cyber thieves stole more than $600,000 from the Catholic Diocese of Des Moines, Iowa.

Update, Sept. 4, 4:27 p.m. ET: Jordan Fifer, a reporter for the Highland Cavalier, the official student newspaper for UVA-Wise, writes that school officials now say they have recovered the stolen money.

MS Fix Shores Up Security for Windows Users

September 1, 2010

Microsoft has released a point-and-click tool to help protect Windows users from a broad category of security threats that stem from a mix of insecure default behaviors in Windows and poorly written third-party applications.

My explanation of the reason that this is a big deal may seem a bit geeky and esoteric, but it’s a good idea for people to have a basic understanding of the threat because a number of examples of how to exploit the situation have already been posted online. Readers who’d prefer to skip the diagnosis and go straight to the treatment can click here.

DLL Hijacking

Windows relies heavily on powerful chunks of computer code called “dynamic link libraries” or DLLs. Each of these DLLs performs a specific set of commonly-used functions, and they are designed so that Windows can share these functions with other third-party programs that may want to invoke them for their own purposes. Many third-party apps will load these DLLs or bring their own when they first start up and often while they’re already running.

Typically, DLLs are stored in key places, such as the Windows System (or System32) directory, or in the directory from which the application was loaded. Ideally, applications will let Windows know where to find the DLLs they need, but many do not.

The potential for trouble starts when an application requests a specific DLL that doesn’t exist on the system. At that point, Windows sets off searching for it — looking in the above-mentioned key places first. But eventually, if Windows doesn’t find the DLL there or in a couple of other places, it will look in the user’s current directory, which could be the Windows Desktop, a removable device such as a USB key, or a folder shared on a local or remote network.

And while an attacker may not have permission to write files to the Windows system or program directories, he may be able to supply his own malicious DLL from a local or remote file directory, according to the U.S. Computer Emergency Readiness Team.

Several months ago, experts from a Slovenian security firm warned that hundreds of third-party applications were vulnerable to remote attacks that could trick those apps into loading and running malicious DLLs. According to the Exploit Database — which has been tracking confirmed reports of applications that are vulnerable to this attack — vulnerable apps include Windows Live Mail, Windows Movie Maker, Microsoft Office Powerpoint 2007, Skype, Opera, Medialplayer Classic and uTorrent, to name just a few.

The FixIt Tool

Roughly one week ago, Microsoft released a workaround tool to help users and system administrators blunt the threat from all of this by blocking insecure DLLs from loading from remote and local file sharing locations. But the tool wasn’t exactly made for home users: After you installed and rebooted, you still had to manually set a key in the Windows registry, an operation that can cause serious problems for Windows if done imprecisely.

On Tuesday, Microsoft simplified things a tiny bit, by releasing one of its “FixIt” tools to make that registry fix so users don’t have to monkey around in there. Trouble is, you still need to have installed the initial workaround tool before you can install this point-and-click FixIt tool.

It’s tough to gauge whether DLL hijacking poses the same threat to home users that it does to users on larger enterprise networks. Microsoft maintains that this class of vulnerability does not enable a “driveby” or “browse-and-get-owned” zero-click attack, but the attack scenarios Redmond describes where a Windows user could get owned by this attack probably would work against a majority of average Windows users.

And while it may take some time for developers of vulnerable third-party apps to fix their code, Microsoft’s interim fix does add a measure of protection. If you’d like to take advantage of that protection, visit this link, scroll down to the Update Information tab, and click the package that matches your version of Windows. Install the fix and reboot Windows. Then visit this link, and click the FixIt icon in the center of the page and follow the installation prompts.

Further reading:

An excellent writeup on this from SANS Internet Storm Center incident handler Bojan Zdrnja.

A discussion thread about this on DSL Reports’ security forum.

Crooks Who Stole $600,000 From Catholic Diocese Said Money Was for Clergy Sex Abuse Victims

August 30, 2010

Organized cyber thieves stole more than $600,000 from the Catholic Diocese of Des Moines, Iowa earlier this month. The funds were spirited away with the help of dozens of unwitting co-conspirators hired through work-at-home job scams, at least one of whom was told the money was being distributed to victims of the Catholic Church sex abuse scandals, KrebsOnSecurity.com has learned.

In a statement released last week, the diocese said the fraud occurred between Aug. 13 and Aug. 16, apparently after criminals had stolen the diocese’s online banking credentials. The Diocese it was alerted to the fraud on Aug. 17 by its financial institution, Bankers Trust of Des Moines.

The diocese also said the FBI and U.S. Treasury Department were notified, and that the FBI had taken possession of several diocesan computers. To date, roughly $180,000 has been recovered.

The diocese added that law enforcement had advised them that the theft seems to have been the work of a highly sophisticated operation based overseas, which moved the stolen money out of the United States by recruiting people who unknowingly act as intermediaries.

“While the Diocese of Des Moines is protected by insurance and anticipates the restoration of the funds, we have been advised that such criminal activity is rampant,” Des Moines Bishop Richard Pates said. “Obviously, any entity that experiences such a crime should be significantly concerned.”

Once again, the theft involves so-called money mules willingly or unwittingly recruited by a specific money mule cash-out gang whose work I have written about several times already. Among the mules involved in this incident was a man in Newnan, Ga. who received almost $30,000 of the church’s cash. Daniel Huggins, the 29-year-old owner of Masonry Construction Group LLC, got mixed up with a company calling itself the Impeccable Group, claiming to be an international finance company operating out of New York.

Huggins said the Impeccable Group recruited him via e-mail, claiming it had found his resume on job search site Monster.com. The Impeccable Group told him he would be doing payment processing for the company, and on Aug. 16, Huggins’ erstwhile employers sent him two payments, one for almost $20,000 and another for slightly less than $10,000.

Huggins said he contacted the Impeccable Group shortly after the transfers because the amounts seemed quite high and the transfers appeared to be coming from the Catholic Church. The scammers apparently were ready for this question and were quick on their feet with a reply that was as plausible as it was diabolical: Huggins was told the money was going to be distributed as legal settlements to people who had been affected by the clergy sexual abuse scandals that have rocked the church in recent years.

“The told me it was going to be payouts to some of the settlements in the sex crimes cases against the Church,” Huggins said.

Continue reading