One bit of criticism I’ve heard about my stories on small businesses losing their shirts over online banking fraud is that I don’t often enough point out what banks and customers should be doing differently to lessen the chance of suffering one of these incidents. As it happens, a source of mine was recently at a conference where one of the key speakers was a senior official from the Office of the Comptroller of the Currency, one of the main banking industry regulators.
Security Updates for Foxit, QuickTime/iTunes
Foxit Software has issued an update to make it easier for users to spot PDF files that may contain malicious content. Also, Apple has pushed out new versions of QuickTime and iTunes that correct nearly two dozen security problems in those programs.
Last month, researcher Didier Stevens said he’d discovered that he could embed an executable file — such as a malicious program — inside of a PDF file. Worse, Stevens found that PDF readers from Adobe Systems and Foxit contained a feature that would run those embedded files upon request, in some cases without even warning the user.
Stevens found that when he triggered the feature in Adobe Reader the program throws up a warning that launching code could harm the computer (although he also discovered he could change the content of that warning in Adobe Reader).
Foxit, however, displayed no warning at all and executed the action without user approval. According to Stevens, the Foxit fix shipped last week changes the reader so that it now warns users if a PDF document tries to launch an embedded program.
Virus Scanners for Virus Authors, Part II
The very first entry I posted at Krebs on Security, Virus Scanners for Virus Authors, introduced readers to two services that let virus writers upload their creations to see how well they are detected by numerous commercial anti-virus scanners. In this follow-up post, I take you inside of a pair of similar services that allow customers to periodically scan a malware sample and receive alerts via instant message or e-mail when a new anti-virus product begins to detect the submission as malicious.
While there are free services like VirusTotal and Jotti that will let visitors upload a suspicious file and scan it against dozens of commercial anti-virus tools, the reports produced by the scans are shared with all of the participating anti-virus makers so that those vendors can incorporate detection for newly discovered malware into their products. While virus writers probably would love to use such services to fine-tune the stealth of their malware, they may not want their unique malware samples broadly shared among the anti-virus community before the malware has even had a chance to infect PCs.
So it’s not hard to see why some malware authors and purveyors choose to avoid these free services in favor of subscription products that scan submitted files with multiple anti-virus engines, yet prevent those results from being shared with the anti-virus vendors. Such is the business model behind scan4you.net, a service that charges 15 cents for each file checked. Scan4you will scan your malware against 30 anti-virus products, but promises it will bar those products from snarfing up a copy of the malware:
Java Patch Plugs 27 Security Holes
A new version of Java is available that fixes at least 27 security vulnerabilities in the ubiquitous software.
To see which version of Java you have installed, visit this link and click the “Do I Have Java?” link under the big red “Free Java Download” button. The newest version that includes these 27 fixes is Java 6 Update 19.
It seems Java’s built-in updater has gotten better about notifying users in a more timely fashion about available security updates. On one of my Windows 7 test machines, I received a prompt today to install the update. If you didn’t get that prompt yet and want to force an update, go to the Windows Control Panel, click the Java icon, then on the window that pops up click the “Update” tab, and then the “Update Now” button.
SpyEye vs. ZeuS Rivalry
It’s common for malware writers to taunt one another with petty insults nested within their respective creations. Competing crime groups also often seek to wrest infected machines from one another. A very public turf war between those responsible for maintaining the Netsky and Bagle worms back in 2005, for example, caused a substantial increase in the volume of threats generated by both gangs.
The latest rivalry appears to be budding between the authors of the Zeus Trojan — a crime kit used by a large number of cyber thieves — and “SpyEye,” a relatively new kit on the block that is taking every opportunity to jeer at, undercut and otherwise siphon market share from the mighty Zeus.
Symantec alluded to this in a February blog post that highlighted a key selling point of the SpyEye crimeware kit: If the malware created with SpyEye lands on a computer that is already infected with Zeus, it will hijack and/or remove the Zeus infection.
Now, just a few months later, the SpyEye author is releasing a new update (v. 1.1) that he claims includes the ability to inject content into Firefox and Internet Explorer browsers, just as Zeus does (this screen shot shows the result of a demo configuration file on the left, which instructs the malware to inject SpyEye and “Zeuskiller” banner ads into a live Bank of America Web site). It is precisely this injection ability that allows thieves using Zeus to defeat the security tokens that many banks require commercial customers to use for online banking.
The new version comes as the Zeus author is pushing out his own updates (v. 1.4), along with a hefty price tag hike. The old Zeus kit started at around $4,000, while the base price of the newer version is double that. According to research from Atlanta-based security firm SecureWorks, Zeus plug-ins that offer additional functionality raise the price even more. For example:
feed
WANUBNVESD8U
Spam Site Registrations Flee China for Russia
A crackdown by the Chinese government on anonymous domain name registrations has chased spammers from Chinese registrars (.cn) to those that handle the registration of Russian (.ru) Web site names, new spam figures suggest. Yet, those spammy domains may soon migrate to yet another country, as Russia is set to enforce a policy similar to China’s beginning April 1.
In mid-December 2009, the China Internet Network Information Center (CNNIC) announced that it was instituting steps to make it much harder to register a Web site anonymously in China, by barring individuals from registering domains ending in .cn. Under the new policy, those who want to register a new .cn domain name need to hand in written application forms, complete with a business license and an identity card.
Chinese authorities called the move a crackdown on phishing and pornographic Web sites, but human rights and privacy groups marked it as yet another effort by Chinese leaders to maintain tight control over their corner of the Internet. Nevertheless, the policy clearly caught the attention of the world’s most profligate spammers, who spam experts say could always count on Chinese registrars as a cheap and reliable place to buy domains for Web sites that would later be advertised in junk e-mail.
According to data obtained from two anti-spam experts, new registrations for sites advertised in spam began migrating from .cn to .ru just a few weeks after the Chinese domain policy took effect.
Monster Mac OS X Update
Apple released a software update on Monday that includes fixes for a massive number of security vulnerabilities in Mac OS X and associated software.
The update corrects more than 90 security flaws and weaknesses in a variety of Apple and third-party products included in versions of OS X, such as ClamAV, Firewall, iChat, Mail, PHP and QuickTime.
Updates are available for Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2, through Software Update or via Apple Downloads. You might want to schedule the download when you have some time to be away from the computer: Depending on which version you’re downloading, the size of the update may weigh in at more than 750 megabytes.
Online Thieves Take $205,000 Bite Out of Missouri Dental Practice
Organized computer criminals yanked more than $200,000 out of the online bank accounts of a Missouri dental practice this month, in yet another attack that exposes the financial risks that small- to mid-sized organizations face when banking online.
Dentists working at the Smile Zone, a Springfield, Mo. based dental practice that caters specifically to the needs of children, weren’t exactly all smiles on March 22. That was the day unidentified crooks sent at least $205,000 of the practice’s money to nearly a dozen individuals around the country.
Eric Hudkins, the office manager and husband of one of the dentists at Smile Zone, said the money was taken in 11 different transfers, including three large wires. Once again, it seems the attack was carried out with the help of money mules, willing or unwitting individuals hired through work-at-home job schemes over the Internet and lured into helping the attackers launder the stolen money.
“I’ve got the names, account numbers, and phone numbers for most of them, and have even looked some of them up on Facebook,” Hudkins said of the co-conspirators. “The bank talked to two of the [mule] account holders and asked them why they opened the account, who it was for, that kind of thing. Both of them said they’d had their resumes out on careerbuilder.com or monster.com and that someone they’d never met contacted them and offered to help them make some money.”
Hudkins said he contacted the FBI, and that the agent he spoke with told him the FBI wouldn’t open a case on the theft unless it was over $500,000 in losses. As it stands, he was told, his case would be lumped into a group of similar investigations that is being run out of an FBI task force in Omaha, Nebraska. It also appears there is little appetite for prosecuting the money mules, he said.
“The FBI said prosecuting these [mules] for doing anything wrong is near impossible,” Hudkins said.
Microsoft to Issue Emergency IE Fix
Microsoft Corp. said today it plans to break from its regularly scheduled monthly software update cycle to issue a patch on Tuesday for a security hole in its Internet Explorer Web browser that hackers have been exploiting lately.
Microsoft normally releases security updates on “Patch Tuesday,” the second Tuesday of each month. But this Tuesday, Mar. 30, Microsoft will release a cumulative update for Internet Explorer that fixes a critical software flaw in IE 6 and IE 7. The browser flaw lets hackers break into vulnerable systems remotely, with little help from users.
Redmond initially said it was aware of only “targeted” attacks that leveraged this vulnerability. But Microsoft’s statement that accompanied this announcement suggests that these attacks may have become more widespread.
“We have been monitoring this issue and have determined an out-of-band release is needed to protect customers,” Microsoft said in a statement on its Security Response Center blog today.
Tomorrow’s update will correct that flaw, as well as at least nine other security holes in IE that Microsoft had planned to patch on the next official Patch Tuesday (April 13).