Demystifying KB976902, a.k.a. Microsoft’s “Blackhole” Update

October 28, 2010
57 Comments

I’ve received several e-mails from readers concerned about a mysterious, undocumented software patch that Microsoft began offering to Windows 7 users through Windows Update this week. Some Microsoft users have been spinning conspiracy theories about this patch because it lacks any real description of its function, and what little documentation there is about it says that it cannot be removed once installed and that it may be required as a prerequisite for installing future updates.

Normally, when Microsoft offers a patch through Windows Update, it also will publish a corresponding “knowledgebase” article that describes in great detail what the patch does and why users should install it — and how applying the update may impact current and future operations on the system.

This fix went out via Windows Update on Oct. 26 as a “recommended” and “important” patch, but it lacked any additional details, prompting conspiracy theories and speculation on message boards from users wondering whether they should ignore or install this update — which for many users was sandwiched between the dozens of security patches Microsoft began offering earlier this month as part of its regular Patch Tuesday security update cycle.

To make matters worse, many Windows 7 users said the patch was no longer offered after they declined installing it the first time, leading some curious researchers to dub it the “Blackhole” update.

I have verified with Microsoft that this update is designed to smooth the way for the deployment of future updates on Windows 7 systems (read on to the very end if you’d like the official response from Microsoft). The confusion appears to stem from a timing mistake by the folks at Microsoft, but this incident illustrates the hysteria that can ensue when the world’s largest software company fails — for whatever reason — to be fully transparent with a user base that has come to expect detailed advisories with every patch.

When I was researching this patch, I found an amusing thread on the Microsoft Answers forum — where several Microsoft most valuable professional experts urged other forum members to hold off installing the patch until more information was available. Others offered more speculative answers, suggesting that the patch was instead:

-A new service pack for Windows 7

-A “heuristic scanner to the machine that turned on whenever the machine went idle, and searched all attached storage devices for ‘terrorism-related’ information, then alerting ‘somebody’ over the Internet”

-The result of Microsoft having been hacked, with the patch being some kind of malicious third-party code being sent out to infect all Windows machines

-A new anti-piracy check from Microsoft.

Continue reading

Koobface Worm Targets Java on Mac OS X

October 27, 2010
57 Comments

A new version of the infamous Koobface worm designed to attack Mac OS X computers is spreading through Facebook and other social networking sites, security experts warn.

Security software maker Intego says this Mac OS X version of the Koobface worm is being served as part of a multi-platform attack that uses a malicious Java applet to attack users. According to Intego, the applet includes a prompt to install the malicious software:

Intego notes that if the download is allowed, “it runs a local web server and an IRC server, acts as part of a botnet, acts as a DNS changer, and can activate a number of other functions, either through files initially installed or other files downloaded subsequently. It spreads by posting messages on Facebook, MySpace and Twitter, usually trying to get people to click a link to view some sort of video.”

SecureMac also has a writeup on what appears to be the same threat, which it calls OSX.Boonana.a. SecureMac says that “there have been reports of similar behavior in recent trojan horses targeting Microsoft Windows, but they have not included cross-platform capabilities until now.”

It is not surprising that attackers would begin leveraging Java to attack Mac users with threats that have traditionally only menaced Windows users. My research shows that Java is now the leading vector of attacks against Windows systems, findings that recently were buttressed by oodles of attack data released by Microsoft. Also, Java was designed to be a cross-platform technology that would allow applications to run seamlessly regardless of the operating system relied upon by the user. It makes sense for attackers to consider Java as a platform-agnostic vehicle for delivering platform-specific malicious software.

Continue reading

Advertisement

Firesheep: Baaaaad News for the Unwary

October 27, 2010
41 Comments

“Firesheep,” a new add-on for Firefox that makes it easier to hijack e-mail and social networking accounts of others who are on the same wired or wireless network, has been getting some rather breathless coverage by the news media, some of whom have characterized this a new threat. In reality, this tool is more of a welcome reminder of some basic but effective steps that Internet users should take to protect their personal information while using public networks.

Most online services use secure sockets layer (SSL) encryption to scramble the initial login — as indicated by the presence of “https://” instead of “http://” in the address field when the user submits his or her user name and password. But with many sites like Twitter and Facebook, subsequent data exchanges between the user and the site are sent unencrypted and in plain text, potentially exposing that information to anyone else on the network who is running a simple Web traffic snooping program.

Why should we care if post-login data is sent in unencrypted plain text? Most Web-based services use “cookies,” usually small, text-based files placed on the user’s computer, to signify that the user has logged in successfully and that he or she will not be asked to log in again for a specified period of time, usually a few days to a few weeks (although some cookies can be valid indefinitely).

The trouble is that the contents of these cookies frequently are sent unencrypted to and from the user’s computer after the user has logged in. That means that an attacker sniffing Web traffic on the local network can intercept those cookies and re-use them in his own Web browser to post unauthorized Tweets or Facebook entries in that user’s name, for example. This attack could also be used to gain access to someone’s e-mail inbox.

Enter Firesheep, a Firefox add-on released this past weekend at the Toorcon hacker conference in San Diego. Eric Butler, the security researcher who co-authored the tool, explains some of the backstory and why he and a fellow researcher decided to release it:

“This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL. Facebook is constantly rolling out new ‘privacy’ features in an endless attempt to quell the screams of unhappy users, but what’s the point when someone can just take over an account entirely?”

In his blog post about Firesheep, I believe Butler somewhat overstates the threat posed by this add-on when he says: “After installing the extension you’ll see a new sidebar. Connect to any busy open wifi network and click the big ‘Start Capturing’ button. Then wait.”

Continue reading

Nobel Peace Prize Site Serves Firefox 0day

October 26, 2010
16 Comments

The Web site for the Nobel Peace Prize has been serving up malicious software that takes advantage of a newly-discovered security hole in Mozilla Firefox, computer security experts warned today.

Oslo-based Norman ASA warned that visitors who browsed the Nobel Prize site with Firefox while the attack was active early Tuesday may have had malicious software silently installed on their computers without warning.

Mozilla just posted a blog entry saying it is aware of a critical vulnerability in Firefox 3.5 and 3.6, and that it has received reports from several security research firms that exploit code leveraging this vulnerability has been detected in the wild. The software firm isn’t saying much more about the flaw for now.

Mozilla says it is developing a fix, which it plans to deploy as soon as it has been tested. In the meantime, Firefox users can mitigate the threat from this flaw by using a script-blocking add-on like NoScript.

Update, 6:40 p.m. ET: I just heard back from Norman ASA malware analyst Snorre Fagerland via e-mail, and he has provided a bit more technical analysis of what’s going on with this Firefox flaw and with the exploit they discovered. Fagerland says the vulnerability is related to a “use-after-free condition” in certain objects, exploited through Javascript.

“Shellcode and a large heapspray is involved,” Fagerland wrote. “The script that does this checks for the following versions:

firefox/3.6.8
firefox/3.6.9
firefox/3.6.10
firefox/3.6.11

…and it checks that it is NOT running Vista or Win7 (Windows versions 6.0 and 6.1), pretty much limiting the attack to XP-family OS’s. The underlying vulnerability is confirmed to also affect Firefox 3.5x series, but we have not seen exploit code that attacks this.”

Update, Oct. 27, 11:50 p.m. ET: Mozilla has opened up the bug report on this flaw.

SpyEye v. ZeuS Rivalry Ends in Quiet Merger

October 24, 2010
39 Comments

Leading malware developers within the cyber crime community have conspired to terminate development of the infamous ZeuS banking Trojan and to merge its code base with that of the up-and-coming SpyEye Trojan, new evidence suggests. The move appears to be aimed at building a superior e-banking threat whose sale is restricted to a more exclusive and well-heeled breed of cyber crook.

Underground forums are abuzz with rumors that the ZeuS author — a Russian hacker variously known by the monikers “Slavik” and “Monstr” — is no longer planning to maintain the original commercial crimeware kit.

According to numerous hacker forums, the source code for ZeuS recently was transferred to the developer of the SpyEye Trojan, a rival malware maker who drew attention to himself by dubbing his creation the “ZeuS Killer.” The upstart banking Trojan author constantly claimed that his bot creation kit bested ZeuS in functionality and form (SpyEye made headlines this year when investigators discovered it automatically searched for and removed ZeuS from infected PCs before installing itself).

In an era when it has become a truism to say that malicious hackers seek riches over renown, the SpyEye author — a coder known as either “Harderman” and “Gribodemon” on different forums — appears to have sought both, boasting on numerous forums about the greatness of his malware, using flashy logos to promote it (see below), and granting an interview with security researchers about the riches it will bring him. Although the ZeuS author chose to license his botnet creation kit to private groups through multiple intermediaries, the SpyEye creator has peddled his kit directly to buyers via online forums and instant messages.

But — very recently — the public rivalry died down, and forum members on different sites where Harderman maintained a presence began complaining that they could no longer reach him for support issues. In an Oct. 11 message to one of the UnderWeb’s most exclusive hacker forums, Harderman can be seen breaking the news to fellow forum members. A screen shot of that message is below, followed by a translated version of it:

Good day!

I will service the Zeus product beginning today and from here on. I have been given the source codes free of charge so that clients who bought the software are not left without tech support. Slavik doesn’t support the product anymore, he removed the source code from his [computer], he doesn’t sell [it], and has no relationship to it. He also doesn’t conduct any business on the Internet and in a few days his contact [information] will not be active.

He asked me to pass on that he was happy to work with everyone. If you have any unresolved issues remaining [there is a] request to get in touch with him as soon as possible.

All clients who bought the software from Slavik will be serviced from me on the same conditions as previously. [I] request that [you] come directly to me regarding all issues.

Thanks to everyone for [your] attention!

Continue reading

Pill Gangs Besmirch LegitScript Founder

October 21, 2010
54 Comments

Individuals who normally promote unlicensed, fly-by-night Internet pharmacies recently registered hundreds of hardcore porn and bestiality Web sites using contact information for the founder of a company that has helped to shutter more than 10,000 of these Internet pill mills over the past year, KrebsOnSecurity.com has learned.

The reputation attack is the latest sortie in an increasingly high-profile and high-stakes battle among spammers, online pill purveyors and those trying to shed light on their activities. Around the same time that these fake domains were registered, KrebsOnSecurity.com came under a sustained denial of service attack that traced back to Russian pill gangs.

In the third week of September, hundreds of domains were registered using the name, phone number and former business address of John Horton, founder of LegitScript, an Internet pharmacy verification service. The domains, many containing the word “adult,” all redirect to a handful of porn and bestiality sites (a partial list is available here, but please tread lightly with these sites because they are definitely not safe for work and may not be safe for your PC).

The sites were registered just days after LegitScript finalized a deal with eNom Inc., the world’s 5th-largest domain name registrar. At the time of that agreement, roughly 40 percent of the unlicensed online pharmacies selling drugs without requiring a prescription were registered through eNom, according to Horton.

Since then, many affiliates who promote pill sites via online pharmacy affiliate programs have been scrambling to move their domains to other registrars, with varying degrees of success.

Continue reading

Critical RealPlayer Update

October 20, 2010
12 Comments

Real Networks Inc. has released a new version of RealPlayer that fixes at least seven critical vulnerabilities that could be used to compromise host systems remotely if left unpatched.

I’ve never hidden my distaste for this program, mainly due to its history of unnecessarily tracking users, installing oodles of third party software, and serving obnoxious pop-ups. But I realize that many people keep this software installed because a handful of sites still only offer streaming in the RealPlayer format. If you or someone you look after has this program installed, please update it.

The new versions listed in the chart below are not vulnerable to these flaws. Real Networks says it has no evidence that attackers are exploiting any of these flaws yet. The latest versions for all operating systems are available here.

Microsoft: ‘Unprecedented Wave of Java Exploitation’

October 18, 2010
34 Comments

Microsoft Corp. today warned that it is seeing a huge uptick in attacks against security holes in Java, a software package that is installed on the majority of the world’s desktop computers.

In a posting to the Microsoft Malware Protection Center blog, senior program manager Holly Stewart warned of an “unprecedented wave of Java exploitation,” and confirmed findings that KrebsOnSecurity.com published one week ago:  Java exploits have usurped Adobe-related exploits as attackers’ preferred method for breaking into Windows PCs.

Image courtesy Microsoft

Stewart said the spike in the third quarter of 2010 is primarily driven by attacks on three Java vulnerabilities that have already been patched for some time now. Even so, attacks against these flaws have “gone from hundreds of thousands per quarter to millions,” she added. Indeed, according to Microsoft’s one-year anniversary post for its Security Essentials anti-malware tool, exploits for a Java vulnerability pushed the Renos Trojan to the top of the list for all malware families (malware and exploits) detected in the United States.

My research shows the reason for the spike, and it precedes the 3rd quarter of 2010: Java exploits have been folded into a number of the top “exploit packs,” commercial crimeware kits sold in the hacker underground that make it simple to seed hacked or malicious sites with code that exploits a variety of browser flaws in a bid to install malware.

Stewart asks, “Why has no one been talking about Java-based exploits?” Then she answers her own question:

Continue reading

Earn a Diploma from Scam U

October 17, 2010
15 Comments

Since the dawn of the Internet, tutorials showing would-be scammers how to fleece others have been available online. But for novices who can’t be bothered to scour the Net for these far flung but free resources, the tricks of the trade now can be learned through the equivalent of community college classes in e-thievery, or or via intensive, one-on-one online apprenticeships.

Take the program currently being marketed on several fraud forums — it’s called Cash Paradise University (see screen shot below). For $50, a newbie scammer can learn the basics of online fraud, such as hiding one’s identity and location online, and how to obtain reliable stolen credit card numbers. For a $75 fee and an investment of about 2 to 3 hours, one can become fluent in the ways of “Skype carding,” or selling hacked and newly-created Skype accounts that have been loaded with funds from stolen credit cards.

The prices go up as the fledgling fraudster progresses from the Scam 101 courses to the more crafty classes, which naturally depend on the earlier courses as prerequisites (“for those who passed the basic,” admonishes the Scam U. professor). Learning the basics of “carding” merchandise — such as intercepting the shipments and selling the loot online — requires an investment of four to six hours and at least $250, with course materials adding as much as $150 to the cost of the class.

Tackling the tenets of cashing out stolen credit card numbers using Internet gambling sites could take up to seven hours of study time and require a $300 admittance fee. The master class — learning how to bootstrap and build out a botnet of computers infected with the ZeuS Trojan — can take upwards of 18 hours of classroom instruction, and cost at least $500 (although a copy of ZeuS bot builder is not included in the price of tuition!).

According to this fraud instructor’s profile on a top scammer forum, more than a dozen novice hackers have already paid for and progressed through the course work, and most appear to be giving their teacher high marks.

“Please note: due to change in the place of stay, I’ll be offline on 12-13 September,” the headmaster of CPU says to potential new students. “Classes take place from September 14, do not waste! Good luck in business.” For those ADHD students who need more individual attention, there is private tutoring available starting at $20 extra per class.

But don’t count paying for the classes with a (stolen?) credit card: This institution only accepts irreversible forms of payment, such as Western Union or virtual currencies like WebMoney and Liberty Reserve.

[EPSB]

Have you seen:

I’ll Take Two MasterCards and a Visa, Please…When you’re shopping for stolen credit and debit cards online, there are so many choices these days. A glut of stolen data — combined with innovation and cutthroat competition among vendors — is conspiring to keep prices for stolen account numbers exceptionally low. Even so, many readers probably have no idea that their credit card information is worth only about $1.50 on the black market.

[/EPSB]

Cyber Deterrence Group Urges Greater Disclosure, Transparency

October 14, 2010
11 Comments

A group tasked with devising strategies to deter cyber attacks is calling for mandatory public disclosure of fraud and hacking incidents by governments and organizations of all sizes, including banks.

The recommendations were a major thrust of a report issued earlier this month by the National Research Council, which was asked to examine the issue by the Office of the Director of National Intelligence. The 400-page document is actually well worth the time to read, or at least skim. The bulk of the paper addresses how solving the problems associated with cyber crime requires aligning incentives and liabilities so that those in the best position to fix the problems have an incentive to do so.

But to me, the most interesting and useful components of the report come at the end, where the group makes several broad policy recommendations, including:

  • Mitigating malware infections via ISPs by subsidized cleanup
  • Mandatory disclosure of fraud losses and security incidents
  • Mandatory disclosure of industrial control system incidents and intrusions
  • Aggregating reports of cyber espionage and reporting to the World Trade Organization

I don’t know how effective or realistic the last two recommendations would be, but as a reporter I’m naturally inclined toward disclosing data whenever possible. Loyal readers no doubt know where I stand on the first two points. I have long called for some kind of system in which ISPs are encouraged or given incentives to regularly scrub their networks for bot-infested customers and compromised Web sites.

And hardly a month goes by when I don’t hear from someone asking me where to find aggregated statistics on the costs of cybercrime and Internet banking fraud in the United States. The banks don’t have to publish reports of their losses, and although they are supposed to publish indicators of fraud (through suspicious activity reports) financial institutions seem to be spotty and begrudging about this level of reporting as well. Writing for SC Magazine earlier this summer, Charles Jeter of security software maker ESET penned a useful three part series on the lack of reporting by banks about the costs of online banking Trojans.

The free report is available at this link.

Speaking of global trends in cybercrime, Microsoft published its biannual Security Intelligence Report covering cybercrime activity it has observed in the first half of 2010. Anyone looking for granular data on which threats are most prevalent (at least from Microsoft’s perspective in scrubbing millions of PCs) should have a look at this informative report. Unsurprisingly, the United States (or more accurately — US-based ISPs) continues to lead the world in botnet infections.

While we’re on the subject of data breach and attack disclosure, now seems like a perfect time to mention that Arbor Networks is seeking additional perspective for its annual Worldwide Infrastructure Security Threat Report. Arbor is looking for a few clueful network administrators to anonymously share experiences and perspectives about operational risks and challenges involved in building, operating and defending large networks. If this describes you, check out their survey.