Application-Based Control: the Future of Botnets?

September 29, 2010

During the last six years, botnets have become one of the biggest threats to security professionals, businesses, and consumers. We at McAfee Labs have just released more information about how cybercriminals can use common social networks and common web applications, such as Twitter and XMPP-enabled applications like Google Talk, to take over a user’s computer.

As Web 2.0 services evolve, so do the efforts of botnet writers. They are rapidly adopting new technologies to increase the sophistication of their attacks. We have identified the following trends in botnets and social media:

  • Twitter-controlled bots are the most prevalent example of using social media to receive and execute bot commands
  • KreiosC2, though a proof-of-concept research tool, effectively demonstrates how LinkedIn and other social networks and applications can be used to control a botnet
  • Protocol standards such as XMPP, used for authentication, presence, and messaging, can also be used by cybercriminals to communicate with botnets and execute malicious attacks

The danger of controlling a bot or botnet through an application such as Twitter cannot be overstated. Using a widely adopted and deployed application like Twitter to control a botnet lets the attacker hide in plain sight, because the application or website is allowed on most desktops worldwide. There’s nothing to it: Log into a Twitter account from any of a variety of Twitter applications (I’ll use TwitScoop) and send an update:

Get Ready For DDoS Attack!!!

Then we send our command:

Attack Command Sent Through Twitter Baby!!

It really is as simple as that: decentralized, application-based control of one or many bots. Don’t try this at home: I ran this exercise from a private Twitter account with only one follower (my other Twitter account) in a research environment, so there was no danger!

The McAfee Labs research team has released a report that examines TwitterBots, KreiosC2, and XMPP as examples of how cybercriminals can use social networks as the new platform for botnet command, control, and attack.
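The post above shows the command side. Here, as an added example that is not from the post or the McAfee report, is one way the defender can see the other side of it. A bot that takes orders from a timeline has to poll that timeline, and a timer produces request intervals that no person browsing by hand reproduces, even though the host and the application are permitted. The log format, the client addresses and the c2acct account name are constructed for the example; the API path is the Twitter REST user-timeline call of the time, assumed here to be the polled URL.

```python
"""Added example: flag timer-driven polling of one URL in proxy logs.

A bot taking commands from a Twitter timeline must fetch it on a schedule;
the regular interval is what gives it away even though the host and the
application are allowed.  Log lines and account name are constructed."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed "timestamp client method url" lines (assumption: real proxy
# formats differ, so parse_line is the only part that needs adapting).
# 10.0.0.5 polls one user timeline every ~60 s; 10.0.0.7 browses by hand.
SAMPLE_LOG = """\
2010-09-29T10:00:00 10.0.0.5 GET http://api.twitter.com/1/statuses/user_timeline.json?screen_name=c2acct
2010-09-29T10:01:01 10.0.0.5 GET http://api.twitter.com/1/statuses/user_timeline.json?screen_name=c2acct
2010-09-29T10:02:00 10.0.0.5 GET http://api.twitter.com/1/statuses/user_timeline.json?screen_name=c2acct
2010-09-29T10:02:59 10.0.0.5 GET http://api.twitter.com/1/statuses/user_timeline.json?screen_name=c2acct
2010-09-29T10:04:00 10.0.0.5 GET http://api.twitter.com/1/statuses/user_timeline.json?screen_name=c2acct
2010-09-29T10:05:00 10.0.0.5 GET http://api.twitter.com/1/statuses/user_timeline.json?screen_name=c2acct
2010-09-29T10:00:12 10.0.0.7 GET http://twitter.com/
2010-09-29T10:00:40 10.0.0.7 GET http://twitter.com/someone
2010-09-29T10:07:05 10.0.0.7 GET http://twitter.com/
2010-09-29T10:31:50 10.0.0.7 GET http://twitter.com/
2010-09-29T10:33:02 10.0.0.7 GET http://twitter.com/
2010-09-29T10:58:30 10.0.0.7 GET http://twitter.com/
"""

MIN_HITS = 5       # fewer requests than this give no usable interval statistics
MAX_JITTER = 0.15  # stdev/mean of the gaps; a sleep(60) loop sits far below this


def parse_line(line):
    """Split one constructed log line into (timestamp, client, url)."""
    ts, client, _method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, url


def find_beacons(log_text, min_hits=MIN_HITS, max_jitter=MAX_JITTER):
    """Return {(client, url): stats} for every client/URL pair whose request
    gaps are regular enough to look like a timer rather than a person."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, url = parse_line(line)
            hits[(client, url)].append(ts)

    beacons = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons[key] = {"hits": len(times),
                            "period_s": round(mean, 1),
                            "jitter": round(jitter, 3)}
    return beacons


if __name__ == "__main__":
    for (client, url), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {url} every {stats['period_s']}s "
              f"({stats['hits']} hits, jitter {stats['jitter']})")
```

Run as is, only 10.0.0.5 is reported, at a 60-second period. Real bots add random sleep between polls, so the jitter threshold is a tuning knob rather than a constant, and the same interval test applies to any permitted application used as a mailbox, including the XMPP presence and messaging traffic named in the third bullet above.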


Global Web 2.0 Report Released

September 27, 2010

Today, McAfee released a report based on a survey of more than 1,000 decision-makers about the use of Web 2.0 technology for business. The report reveals some interesting results (for example, who would have thought the United States is among the countries with the lowest adoption rate, and Germany is the country with the most companies not having policies governing the use of Web 2.0 in place?) and the unsurprising finding that security concerns are the greatest hindrance to adopting Web 2.0 and social networking.

Business leaders worldwide see the value of Web 2.0 in supporting productivity and driving new revenue, but they remain deeply concerned about security threats associated with deploying the technology. The survey of decision-makers in 17 countries found that half of businesses were concerned about the security of Web 2.0 applications such as social media, microblogging, collaborative platforms, web mail, and content-sharing tools. Sixty percent were concerned about loss of reputation as a result of Web 2.0 misuse. Six out of ten organizations have already suffered losses averaging US$2 million, for a collective loss of more than US$1.1 billion in security-related incidents last year. Brazil, Spain, and India led in adoption of Web 2.0 technology for business, while adoption was lowest in Canada, Australia, the United States, and the United Kingdom.

The report, “Web 2.0: A Complex Balancing Act–The First Global Study on Web 2.0 Usage, Risks and Best Practices,” was commissioned by McAfee and authored by faculty affiliated with the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University in Indiana. It examines the drivers for Web 2.0 and social networking use in business and assesses their benefits and risks. Overall, the research highlights that although organizations see the potential value of Web 2.0 tools, decision-makers continue to debate whether or how to allow employees to use the technology in the workplace. “Web 2.0 technologies are impacting all aspects of the way businesses work,” said George Kurtz, chief technology officer for McAfee. “As Web 2.0 technologies gain popularity, organizations are faced with a choice: They can allow them to propagate unchecked, they can block them, or they can embrace them and the benefits they provide while managing them in a secure way.”

Key Report Findings:

  • Web 2.0 adoption rates vary across countries. Overall, Web 2.0 adoption rates are high, reaching 90 percent or above in Brazil, Spain, and India. Adoption is lowest in the United States, United Kingdom, Australia, and Canada.
  • New revenue streams are the highest driver of Web 2.0 adoption. Three out of four organizations reported that expanded use of Web 2.0 technologies creates new revenue streams, while 40 percent said the tools have boosted productivity and enhanced effective marketing strategies.
  • Security is the leading concern. Half of respondents named security as their primary concern for Web 2.0. One-third identified fear of security issues as the main reason Web 2.0 applications are not used more widely in their businesses. Companies’ top four perceived threats from employee use of Web 2.0 are malicious software (35 percent), viruses (15 percent), overexposure of information (11 percent), and spyware (10 percent).
  • Reputation damage is the biggest business consequence. Sixty percent of companies reported that the most significant consequence of inappropriate Web 2.0 and social media usage is loss of reputation, brand, clients, or confidence. One-third of respondents reported unplanned investment in workarounds for social media in the workplace. Fourteen percent of organizations reported litigation or legal threats caused by employees disclosing confidential or sensitive information, with more than 60 percent of those threats caused by social media disclosures.
  • Many businesses block Web 2.0 rather than put policies in place. Worldwide, 13 percent of organizations block all Web 2.0 activity, while 81 percent restrict the use of at least one Web 2.0 tool because they are concerned about security. Yet almost one-third of organizations reported that they do not have any social media policy in place. A quarter of organizations monitor how staff use social media and 66 percent have introduced social media policies, 71 percent of which use technology to enforce them.

Executives and industry experts who contributed to the research agreed that successful organizational use of Web 2.0 is a complex balancing act. Enterprises must weigh business challenges and opportunities against the risks, and must ensure that staff training and robust technologies are in place to avoid cyberattacks.

“Web 2.0 and social networking technologies can be used effectively for business,” said Eugene H. Spafford, founder and Executive Director of CERIAS. “But to reap the benefits of Web 2.0, organizations must be proactive about understanding and managing the challenges. That involves putting the right policies in place, and deploying the technology that can enforce those policies.”

McAfee will host a webcast, “Bridging the Web 2.0 Security Gap,” on October 6 at 2 p.m. Eastern time, with Chenxi Wang of Forrester Research. This webcast will cover a recent Forrester Web 2.0 security trends study commissioned by McAfee. The session will help educate enterprise users on protecting their businesses while successfully using Web 2.0 technologies.

“Web 2.0: A Complex Balancing Act–The First Global Study on Web 2.0 Usage, Risks and Best Practices” is available for download at www.mcafee.com.


World of Warcraft Spearphishing and Botting

September 13, 2010

Over the weekend I had the chance to put some work into my lowbie dwarf paladin named Boulderbrain. I was at the Stormwind bank minding my own business when I suddenly got this whisper:

Targeted WoW Phishing Attack

Now normally I simply ignore most whispers I get in-game (other times I simply don’t notice them), but this one caught my attention. Zooming in, I think you will see why:

WoW Phishing Closeup

This message is telling me that Blizzard suspects my account of using third-party tools to cheat and asks me to go to their website, log in, and check my account settings. In actuality this is an attacker pretending to be a Blizzard GameMaster, and the website itself is a phishing site:

Fake WoW Login Page

This particular fake was hosted on an IP address with a pretty questionable reputation report. (Hint, hint: use our SiteAdvisor browser plug-in!) World of Warcraft has millions of users worldwide, which makes attacks and techniques like this very common. Many players (myself included) have taken the additional step of using two-factor authentication (commonly called 2FA or simply tokens), which adds another layer of protection to your logon credentials:

WoW With 2FA

The addition of the 2FA pin makes it extremely difficult to break into or pop the account itself. (It’s like adding a secondary token to your bank logon.) OK, now granted I got the free Core Hound pup with it, but it also has a sweet iPhone app that generates the 2FA code!
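The one-time code such an authenticator app produces is, in the common case, a time-based HMAC: RFC 6238 TOTP built on RFC 4226 HOTP. The following is an added example written for this page, not Blizzard’s authenticator or any McAfee code; it assumes the standard parameters (SHA-1, a 30-second step, six digits and a shared per-account secret) and adds a hypothetical verify_totp server-side check with a small drift window and replay rejection. Whether Blizzard’s token uses exactly these parameters is not something this post establishes, and the demo secret is the RFC test vector, not a real key.

```python
"""Added example: the arithmetic behind a time-based one-time code (RFC 6238
TOTP over RFC 4226 HOTP) and a server-side check with a drift window and
replay rejection.  Standard parameters are assumed; this is not Blizzard's
authenticator or any McAfee code."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC the 8-byte big-endian counter, take 4 bytes at the
    offset named by the low nibble of the last MAC byte, drop the sign bit,
    and keep the low `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current `step`-second slot."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1,
                last_accepted=-1):
    """Server side.  Accept the current slot and `window` slots either side
    (clock drift), compare in constant time, and never accept a counter at or
    below the one last accepted, so a code captured once cannot be replayed.
    Returns the accepted counter (persist it as the new last_accepted) or None."""
    t = int(time.time() if at is None else at)
    for k in range(-window, window + 1):
        counter = t // step + k
        if counter <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret; a real device holds a per-account secret.
    demo_secret = b"12345678901234567890"
    print("current code:", totp(demo_secret))
```

The verifier accepts one slot either side of the current one and refuses any counter at or below the last accepted one, so a code that has already been used is rejected. A code typed into a phishing page and relayed within its 30-second window is still valid, so the token raises the bar for the attack shown above rather than removing it; the account-level protection is that the attacker gets at most one session, not the password.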

Now what were those third-party apps the original phish alluded to? Bots, most likely. As anyone who follows this blog is aware, a bot (short for robot) is simply a program that automates tasks; the ones we usually write about are malicious. Some of the more popular bots for World of Warcraft are farming and leveling bots. They do pretty much what you would guess: They automate the “farming” of a variety of materials (later sold for in-game gold) or of honor (honor points can be used to purchase in-game items). These bots can also automate the process of leveling your character. Some examples:

WoW Honorbot - Used for Honor and PvP Farming

and also:

GatheringBot - Used to Farm Materials Mainly

Should your account be found using any of these, it will get banned, because doing so violates Blizzard’s terms of service. Credential and logon theft is one of the biggest areas of malware we at McAfee Labs deal with on a daily basis. Keep your system updated and properly configured, and be cautious of in-game messages!

And level-up old school–the account you save may be your own!


How Much Does My Identity Cost? (the Sequel)

September 1, 2010

Two weeks ago, I posted a blog entry about the counterfeiting of legal documents. I have received many comments and requests for further data on this type of fraud from various Eastern European countries, France, and even the United States. Aside from journalists, for whom it is their job, many people have contacted or attempted to contact me. Most of them were curious and friendly, but others flooded my mailbox:

The first request was for the URLs of the websites that provide these services. At McAfee, as at most of our competitors, we almost never disclose dangerous URLs except to researchers in the business and to law enforcement agencies. In many cases we also do some internal testing to avoid infection or compromise. When I wrote my blog entry, that URL was safe (no malware, no iframe), but that can change, especially if the site’s owners know it will be visited by many inquisitive people.

The next question was that of the counterfeiters’ nationalities. No doubt they are Russian speakers.

Another request concerned the abundance of these offers. The site I visited actually contained a competitor blacklist with a dozen or so “disreputable” companies. As they were all restricted to driver’s licenses, I looked further into the passport offers. It was not difficult to find other offers with more attractive prices: less than US$1,000 instead of the US$4,000-$5,000 asked by the first site.

In this last offer, I noted the availability of diplomatic passports (price on demand).

If you are not a Google search ninja, you can just check YouTube. There, various well-phrased searches can direct you to the online shop you are looking for:

And regarding the payment methods? It seems they all prefer Western Union, but they are not very talkative on this subject. You have first to contact them via anonymous mailing services. (They specify: “no ICQ, no SMS, no phone call.”) However, I discovered another offer, with details about how to place an order.

At last, some people wished to know if these sites offered other materials or services. Some of them sell carding equipment to read and write magnetic cards, but the prices were exorbitant. They quoted between US$9,000 and $11,000; yet many of these devices can be found on Amazon or eBay for $500! Proving the relevance of our previous advice regarding what you toss into your household trash, one site offers fake French EDF (national electricity company) and British Telecom utility bills for £10. (In Europe, we frequently use these documents as proof of residency or address.)

Even the envelope is supplied! Seemingly unimportant pieces of paper can interest today’s cybercriminals.


Labs Releases Whitepaper on Cooperative Anti-Malware on Endpoint and Gateway

August 31, 2010

The anti-malware engine is a critical, core piece of the McAfee anti-malware solutions. As with any core technology, the engine must be rock-solid stable, fast, and functionally rich.

A new McAfee Labs whitepaper outlines these engine technologies and their value, covering both endpoint and gateway uses. Beyond introducing malware detection methodologies (ranging from exact detection to heuristics) and technologies (from exploit detection to cloud-based detection), the paper especially outlines McAfee’s approach to cooperative anti-malware on endpoint and gateway. “Cooperative” in this case refers to the added value of combining anti-malware on the endpoint and on the gateway: a true defense-in-depth strategy in action.

In this defense-in-depth implementation we have engine technologies that are optimized for the endpoint and the gateway, respectively, and both are connected through our Global Threat Intelligence back-end, or “cloud.” This combination allows strict enforcement and the highest proactive catch rates at the network perimeter, keeping the majority of threats outside of your network, and effectively and accurately protecting the desktops in an enterprise as well.

Download and read it now!


Remote iPhone Jailbreak Using PDF Exploit Should Serve as Wake-Up Call

August 3, 2010

Like many iPhone users, I “jailbreak” my iPhone. I do this for many reasons, but mainly for console-level access and the darn cool infosec tools that are available through Cydia. Like many iPhone users, I was quite happy when the Electronic Frontier Foundation (EFF) was able to get jailbreaking included under “fair use” within the Digital Millennium Copyright Act. Like many iPhone users, I was also very happy to learn that Dev-Team would soon make remote jailbreaking possible by simply visiting their jailbreakme website. Alas my happiness was not to last.

While still at Defcon, I saw through Twitter that one exploit or another was being used to remotely jailbreak the iPhone. (I believe the first tweets I saw were from Brian Krebs.) I then saw posts from VUPEN that several flaws were being exploited. From their advisory:

Technical Description

Two vulnerabilities have been identified in Apple iOS for iPhone, iPad and iPod, which could be exploited by remote attackers to take complete control of a vulnerable device.

The first issue is caused by a memory corruption error when processing Compact Font Format (CFF) data within a PDF document, which could be exploited by attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page using Mobile Safari.

The second vulnerability is caused by an error in the kernel, which could allow attackers to gain elevated privileges and bypass sandbox restrictions.

Note: These flaws are currently being exploited by jailbreakme to remotely jailbreak Apple devices.

Affected Products

Apple iPhone OS (iOS) versions 4.x
Apple iPhone OS (iOS) versions 3.x
Apple iPod OS (iOS) versions 4.x
Apple iPod OS (iOS) versions 3.x
Apple iPad OS (iOS) versions 3.x

Solution

VUPEN Security is not aware of any vendor-supplied patch.

References

http://www.vupen.com/english/advisories/2010/1992

Did you notice the line “VUPEN Security is not aware of any vendor-supplied patch”? In the security business, a vulnerability that is being exploited before the vendor has a fix is called a zero-day vulnerability, and code that takes advantage of one is a zero-day exploit. (I have not seen confirmation from Apple that these are in fact zero-day vulnerabilities, so keep that in mind.)

I hope I am not the only one who is bothered by this, because it raises the question “What else can this be used for?” Vulnerabilities with reliable exploit code tend to get reused and repurposed for other attacks, malware, and uses. Just look at the .LNK shortcut vulnerability that Microsoft fixed yesterday via an out-of-band patch. It first appeared in the Stuxnet worm, which targeted industrial control systems, and then showed up in more mainstream malware because it was an unpatched vulnerability with working exploit code. Read this article in The Register for a real nice breakdown of it.

This should serve as a wake-up call for anyone with a mobile device: Remote exploitation is real and here to stay. For now these vulnerabilities are being used only (as far as we know) to jailbreak iPhones, but they could be used to do many other things to iPhones and their owners around the world.
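The advisory quoted above describes a memory-corruption bug in the CFF font parser that is reached through a PDF. What follows is an added example written for this page, not code from VUPEN, Apple, jailbreakme or McAfee: the triage a responder would run over a pile of PDFs to find the ones that embed a CFF font program at all, including the case where the font dictionary is tucked into a compressed object stream and a plain grep for the name finds nothing. The PDF names it keys on (FontFile3, Type1C, CIDFontType0C) and the CFF header bytes are the standard ones; the sample files are constructed inline and carry no exploit.

```python
"""Added example: triage PDFs for an embedded CFF font program, the data the
advisory above says the vulnerable parser consumes.  Indicators are taken
from the raw file and from inside FlateDecode streams, because PDF 1.5
object streams let the relevant dictionaries hide from a plain grep.
Sample files are constructed here and contain no exploit."""
import re
import zlib

# Assumption: these names are where CFF data lives in a PDF (a FontFile3
# stream whose /Subtype is /Type1C or /CIDFontType0C).
NAME_INDICATORS = (b"/FontFile3", b"/Type1C", b"/CIDFontType0C")
CFF_HEADER = b"\x01\x00\x04"  # CFF major 1, minor 0, header size 4

# "n g obj << dict >> stream ... endstream"; the dict part may not cross endobj.
OBJ_RE = re.compile(
    rb"\d+\s+\d+\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream",
    re.S)


def _inflate(data):
    """Best-effort inflate; malformed streams are routine in hostile files,
    so a failure yields the raw bytes instead of an exception."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        try:
            return zlib.decompressobj().decompress(data)
        except zlib.error:
            return data


def scan_pdf(pdf):
    """Report CFF indicators found, which of them were only visible inside a
    stream, and whether a /Type1C stream really starts with a CFF header.
    embeds_cff selects files for deeper inspection; it is not a verdict,
    since legitimate PDFs embed CFF fonts too."""
    found = {n.decode() for n in NAME_INDICATORS if n in pdf}
    in_streams = set()
    cff_header = False
    for m in OBJ_RE.finditer(pdf):
        sdict, raw = m.group(1), m.group(2)
        data = _inflate(raw) if b"/FlateDecode" in sdict else raw
        in_streams |= {n.decode() for n in NAME_INDICATORS if n in data}
        if b"/Type1C" in sdict and data.startswith(CFF_HEADER):
            cff_header = True
    found |= in_streams
    return {"indicators": sorted(found), "in_streams": sorted(in_streams),
            "cff_header": cff_header,
            "embeds_cff": "/FontFile3" in found or cff_header}


def build_sample(with_cff):
    """Constructed PDF: the font descriptor sits in a compressed object
    stream (PDF 1.5 /ObjStm), so /FontFile3 never appears in clear text."""
    descr = (b"<< /Type /FontDescriptor /FontName /Demo /FontFile3 5 0 R >>"
             if with_cff else b"<< /Type /FontDescriptor /FontName /Demo >>")
    objstm = zlib.compress(b"4 0 " + descr)  # "objnum offset" header, then obj 4
    parts = [b"%PDF-1.5",
             b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj",
             b"3 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode "
             b"/Length %d >>\nstream\n" % len(objstm) + objstm + b"\nendstream endobj"]
    if with_cff:
        # CFF header plus padding only; no glyph data, nothing malformed.
        font = zlib.compress(CFF_HEADER + b"\x01" + b"\x00" * 16)
        parts.append(b"5 0 obj << /Subtype /Type1C /Filter /FlateDecode "
                     b"/Length %d >>\nstream\n" % len(font) + font + b"\nendstream endobj")
    parts.append(b"trailer << /Root 1 0 R >>\n%EOF")
    return b"\n".join(parts)


if __name__ == "__main__":
    for flag in (False, True):
        print("with_cff=%s ->" % flag, scan_pdf(build_sample(flag)))
```

Every PDF that embeds a CFF font trips the selector, and most of those are benign, so treat embeds_cff as the filter deciding which files get detonated or handed to a full PDF parser, not as a detection of the exploit. A real sample may also wrap its streams in filters other than FlateDecode, which this example does not decode.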


Social Networking Threats: New Report From McAfee Labs

July 12, 2010

Social networking sites and technologies are among the hottest happenings on the Internet. However, in this case every benefit comes with an equal danger: These sites and technologies are also huge targets for cybercriminals. One of McAfee Labs’ senior researchers, Anthony Bettini, has written an excellent whitepaper on the subject. “Social Networking Apps Pose Surprising Security Challenges” details some of these areas of concern. I’ll let Tony tell the story:

    Facebook, Twitter, MySpace, and LinkedIn—oh my! If we’re not using these services ourselves or hearing about them in the media, our friends, colleagues, and children remind us each day of their existence. Although Web 2.0 may be a buzzword we all love to hate, media-rich web applications that allow information sharing among users are here to stay and growing in popularity. An article written in October 2009 (so it’s clearly out of date) on the size of Facebook’s data center states Facebook stores approximately 80 billion photos and serves up approximately 600,000 photos per second—making it the largest photo archive in the world.1 Social networking web applications such as Facebook are a big deal.

    As social networking gains users, it will increasingly be targeted by attackers, just as instant messaging and other media have been. For an interesting view on how platform prevalence draws attackers like bees to pollen, see the IEEE article “When Malware Attacks (Anything but Windows).” One popular technology ripe for exploitation in social network applications is the “mashup.” (Wikipedia: “A mashup is a web page or application that uses or combines data or functionality from two or many more external sources to create a new service.”) From the perspective of an application provider such as Google, mashups allow their applications—for example, Google Maps—to become more widely used and embedded within other new applications, like Yelp or the iPhone operating system. However, as we’ll soon see, attackers have also been using mashups to their advantage.

Download and share this excellent paper with all the people you know who use social networking sites and technologies. The dangers are real–but with education, action, and proper security we can successfully manage them.


Social Networking, Privacy Concerns Worry Europeans

June 26, 2010

This week I’ve seen several interesting articles and posts about the effect and consequences of social networking sites within Europe. Here are a few links:

  • European Parliament
  • Dagens Nyheter
  • IDG Sweden
  • Travolution

McAfee recognizes the development of social networking as a fundamental business tool as well as a personal tool. What we find particularly interesting are the increased concerns that are being raised lately within Europe.

Europeans are worried about the societal effects of social networking as well as Internet privacy issues. Some feel social networking sites are creating compulsive behavior in some individuals.

Many people spend a significant amount of time on social sites. This takes place at home and at work, as individuals of all ages are drawn to these sites. For many, accessing social sites is something they do a few times per week; but others feel a need to constantly go online, checking for feedback and new messages.

This time drain may become a concern for employers, as the productivity losses and data leakage risks will increase. Because many businesses and city governments are now also using these sites, the lines between personal and professional use are no longer clearly drawn.

Social networking sites also have the potential to be a severe distraction in schools as well as in the workplace.

Some think excessive use of social networking sites may be addictive, and there is a concern that this behavior may pose health risks, similar to compulsive gambling.

In some areas of Europe, the use of social sites is equal to or higher than the use of search engines. Furthermore, the more information is posted, the greater the risk of various breaches of privacy, such as identity theft and unintended distribution of photos and other information. Many users are not aware of the risks to which they potentially expose themselves or their employers.

Whether or not one agrees that social networking sites pose a risk, we can all agree that social interaction via the Internet has grown significantly during the last couple of years. In some ways this form of communication has altered how we converse with each other in both professional and personal environments.

Prior to today’s many online communication tools, we interacted directly with the other party. Today, by posting information, comments, and opinions on the Internet, we indirectly also communicate our messages to many others, in addition to the intended recipients. We need to stay aware of what we post, how we post, and who can access it. Our conduct online may reflect on us both in our professional and personal roles: Our online personas are not separate from our offline personas.

In this blog we often discuss the security risks associated with various evolving threats. However, it is also important that administrators train their users well on social risks. In addition to phishing and spam sent to friends, targeted attacks, and social media worms, the distribution and leakage of information can be equally harmful to a corporation. It will be very interesting to see whether other nations and cultures speak out on this topic in the days ahead.


McAfee, Parental Controls, and Apple Devices = Safer Kids Online

June 22, 2010

Today we announced our McAfee® Family Protection iPhone®, iPod touch® and iPad™ Edition. McAfee now provides strong parental controls to keep young people safe when they are browsing the Internet on an Apple mobile device. McAfee released McAfee Family Protection for the PC in June 2009.

According to data released by Admob in 2010, 65 percent of iPod touch users and 13 percent of iPhone users are below the age of 17. According to The Internet Safety Technical Taskforce in a December 2008 survey, twice as many kids own an Internet-enabled mobile device versus a computer.

McAfee® Family Protection iPhone, iPod touch and iPad Edition offers website and search filtering. The program automatically blocks age-inappropriate sites, such as known pornography websites, and filters Google search results. It also includes location tracking for Apple devices that are equipped with GPS technology.

Parents can also view usage statistics, including visited websites and access times, as well as add and remove custom websites while having the option to remotely disable all Web browsing.

From McAfee Chief CyberSecurity Mom, and my pal, Tracy Mooney:

“Many parents don’t consider online dangers when providing their kids with an iPod touch or passing on their old iPhones to them. Even if they are trying to monitor on a regular basis, it’s nearly impossible to know what they’re searching for,” said Mooney. “I’ve tried to be vigilant about checking in from time to time to see what my kids are doing online, but I know that my kids have more access now than ever with their mobile device. This product will help parents be at ease when they are equipping their kids with the latest technology.”

McAfee Family Protection iPhone, iPod touch, and iPad Edition is available for download now at the iTunes App Store and McAfee.com. For more information about McAfee mobile please visit the McAfee Mobile site.

