Online Virus / Malware News

Two weeks ago, I posted a blog entry talking about the counterfeiting of legal documents. I have received many comments and requests for further data related to this type of fraud from various Eastern Europe countries, France, and even the United States. Aside from journalists, for whom it is their job, many people have contacted or attempted to contact me. Most of them were curious and friendly, but others flooded my mailbox:

The first request was for the URLs of the websites that provide the services. At McAfee, like at most of our competitors, we almost never disclose dangerous URLs apart from researchers in the business and law enforcement agencies. And in many cases we also employ some internal testing to avoid infection or compromise. When I wrote my blog entry, that URL was safe (no malware, no iframe), but this can change, especially if their owners know it will be visited by many inquisitive people.

The next question was that of the counterfeiters nationalities. No doubt they are Russian speakers.

Another request was related to the abundance of these offers. The site I visited actually contained a competitor blacklist with a dozen or so “disreputable” companies. As they were all restricted to drivers licenses, I carried on further investigations on the passport field. It was not difficult to find other offers with more attractive prices: less than US$1,000 instead of the US$4,000-$5,000 asked by the first one.

In this last offer, I noted the availability of diplomatic passports (price on demand).

If you are not a Google search ninja, you can just check YouTube. There, various well-phrased searches can direct you to the online shop you are looking for:

And regarding the payment methods? It seems they all prefer Western Union, but they are not very talkative on this subject. You have first to contact them via anonymous mailing services. (They specify: “no ICQ, no SMS, no phone call.”) However, I discovered another offer, with details about how to place an order.

At last, some people wished to know if these sites offered other materials or services. Some of them sell carding equipment to read/write magnetic cards, but the prices were exorbitant. They quoted between US$9,000 and $11,000; yet many of these devices can be found on Amazon or eBay for $500! Proving the relevance of our previous advice regarding what you toss into your household trash, one site offers fake French EDF (national electricity company) and British Telecom utility bills for £10. (In Europe, we frequently use these documents to prove our residency or proof of address.)

Even the envelope is supplied! Seemingly unimportant pieces of paper can interest today’s cybercriminals.

The Anti-Malware engine is a critical and core piece of the McAfee anti-malware solutions. As with any core technology, the engine must be rock-solid stable, fast, and functionally rich.

A new McAfee Labs whitepaper outlines these engine technologies and values, covering both endpoint and gateway uses. Beyond introductions to malware detection methodologies–ranging from exact detection to heuristics, and technologies from exploit detection to cloud-based detection, the new paper especially outlines McAfee’s approach to Cooperative Anti-Malware on Endpoint and Gateway. “Cooperative” in this case refers to the added value of combining anti-malware on the endpoint and on the gateway: a true defense-in-depth strategy in action.

In this defense-in-depth implementation we have engine technologies that are optimized for the endpoint and the gateway, respectively, and both are connected through our Global Threat Intelligence back-end, or “cloud.” This combination allows strict enforcement and the highest proactive catch rates at the network perimeter, keeping the majority of threats outside of your network, and effectively and accurately protecting the desktops in an enterprise as well.

Download and read it now!

Social networking sites and technologies are among the hottest happenings on the Internet. However, in this case every benefit comes with an equal danger: These sites and technologies are also huge targets for cybercriminals. One of McAfee Labs senior researchers, Anthony Bettini, has written an excellent whitepaper on the subject. Social Networking Apps Pose Surprising Security Challenges details some of these areas of concern. I’ll let Tony tell the story:

Facebook, Twitter, MySpace, and LinkedIn—oh my! If we’re not using these services ourselves or hearing about them in the media, our friends, colleagues, and children remind us each day of their existence. Although Web 2.0 may be a buzzword we all love to hate, media-rich web applications that allow information sharing among users are here to stay and growing in popularity. An article written in October 2009 (so it’s clearly out of date) on the size of Facebook’s data center states Facebook stores approximately 80 billion photos and serves up approximately 600,000 photos per second—making it the largest photo archive in the world.1 Social networking web applications such as Facebook are a big deal.

As social networking gains users, it will increasingly be targeted by attackers, just as instant messaging and other media have been. For an interesting view on how platform prevalence draws attackers like bees to pollen, see the IEEE article “When Malware Attacks (Anything but Windows).” One popular technology ripe for exploitation in social network applications is the “mashup.” (Wikipedia: “A mashup is a web page or application that uses or combines data or functionality from two or many more external sources to create a new service.”) From the perspective of an application provider such as Google, mashups allow their applications—for example, Google Maps—to become more widely used and embedded within other new applications, like Yelp or the iPhone operating system. However, as we’ll soon see, attackers have also been using mashups to their advantage.

Download and share this excellent paper with all the people you know who use social networking sites and technologies. The dangers are real–but with education, action, and proper security we can successfully manage them.

As I traveled to a recent messaging-security conference I was surprised to realize that our research team had seen little spam, solicitations for donations, or affiliate marketing related to the oil spill in the Gulf of Mexico. As usual, however, tragedy becomes opportunity: Our researchers have now uncovered an interesting affiliate marketing program that piqued my interest.

We’ve seen emails offering legal advice for those who have been affected by the spill, using subject lines such as:

File your lost income claim against BP Oil
Gulf Coast Oil Spill Information
Gulf coast oil spill legal information
Have you been effected by the oil spill?
Oil Spill Injury Representation
Oil Spill Lawsuit Compensation
Oil Spill Lawsuit Information for
Oil Spill Lawsuit Information
Will the oil spill hurt your business?

These emails typically contain one or two short lines of text and a link to information on filing a lost-income claim against those responsible. Once the link is clicked, the fog of redirection and obscurity begins. One particular example contains a link to a URL on jellydrum.com, which redirects to lynxtrack.com, then to chilaytrk.com, before finally hopping to http://www.consumerinjuryalert.com/oil/index.php.

Upon further investigation we was found that the consumerinjuryalert.com domain is actually the host for a number of other affiliate marketing campaigns.

Many users consider these affiliate advertising campaigns unsolicited and a less-than-ethical means of advertising. In many cases users report these emails as spam to their service providers, so these messages are frequently blocked. Yet affiliate marketing and information gathering are big business; they are not going away anytime soon.

As we frequently recommend, be careful whom you give your personal information to. You have no control over your data once you give it away, so provide it only to vendors that you feel you can trust. Never provide sensitive information that you are not comfortable giving out, and if you feel that your email address may be used for unwanted marketing, use a throw-away address that you check only as needed or not at all. You do not have ultimate control over how your data is used or to whom it is given, but you do have control over how personal the information is that you provide.

Years ago adware was distributed primarily in two forms.

• Adware vendors sought out mainstream software vendors to distribute their programs in bundling arrangements. The Adware makers often used a pay-per-install model, paying as much as $1 or more to those responsible for the installation of the ad-delivering components. Often users could opt out of the adware installation.

• Malware authors abused the pay-per-install model, silently installing adware via drive-by-download exploits, or instructing already infected computers (bots) to install the adware.

The end of an era
Adware maker Direct Revenue profited from questionable business practices that ultimately resulted in a $1.5 million settlement with the FTC. That settlement included a ban on using affiliates that engage in drive-by downloads and other questionable practices. Shortly thereafter Direct Revenue closed shop; the then adware king was dethroned.

Rebirth
Over time other adware vendors closed, including 180Solutions/Zango/Hotbar and Claria.

The programs created by some of these entities were resurrected by Pinball Corp., which acquired Zango’s assets in 2009.

Recently Pinball began engaging in a reverse bundling of sorts. Rather than partnering with commercial vendors looking to participate in ad-supported software, Pinball is going after open source products, but with a twist. Historically users would run an installer for KaZaa, for example, and adware might be bundled within. Pinball is bundling open-source applications such as VLC, Vuze, and Audacity with their adware, such as Hotbar. One example is a file distributed as VLCSetup.exe, which is digitally signed by Pinball. When run, we see the following screen:

The installation screen states “Downloading this version of VLC from Hotbar’s servers also requires installation of the Hotbar software. …”  VLC’ is distributed under the GPL V2 license and Pinball Corp. seems to justify the required Hotbar installation under the terms of this license:

Oddly enough the installation screen also states “This distribution of VLC is provided free of charge. …”  I guess there’s free and then there’s “free.”

What the setup program doesn’t tell you is that in addition to installing Hotbar, it also adds Search Toolbar, a program digitally signed by Zugo Ltd. Even if you opt out of installing ShopperReports and Blinkx Video Screensaver, you still end up with Hotbar and Search Toolbar.

I was able to cancel the VLC installation, yet still wound up with Hotbar, making this more of an open-source supported adware, rather than the other way around. I personally object to this installer being promoted as VLCSetup.

Just as they did many years ago, malware authors have exploited this situation. In a raft of viral Facebook applications that spread hyperlinks to “videos,” users are told they need to install this VLCSetup to view the content. This ruse is enabled by Pinball’s installer as well as by their pay-per-install program.

Whenever you want to install an application, you’re best off going to the primary distributor, such as:

• http://www.videolan.org/
• http://www.vuze.com/
• http://audacity.sourceforge.net/

Lately Facebook has been all over the news regarding security and privacy issues. Today Facebook replied, by announcing some new tools, settings, and measures to allow users to better protect their logons. In his blog, Facebook’s Lev Popov describes the new settings and features in nice detail.

In a nutshell, users now have the ability to be notified of a logon from a variety of devices. From his post:

Login Notifications

Over the last few weeks, we’ve been testing a new feature that allows you to approve the devices you commonly use to log in and then to be notified whenever your account is accessed from a device you haven’t approved. This feature is now available to everyone.

To try it out, go to the Account Settings page and click on the link next to “Account Security” at the bottom of the page. If you select the option to receive notifications for logins from new devices, when you log in you’ll be asked to name and save the various devices you use to access Facebook.

The feature itself is easy to enable: From Account Settings > Account Security you will see the following screen:

I like that users can name and save various “devices” they use to access Facebook. If someone logs into that account from a device not on this list, Facebook will prompt that user for further information. Handy!

Facebook has also done some tuning/magic on their side to block bogus or questionable logon attempts. If they see logons from unusual devices, they will prompt those users with additional verification questions, in essence, making them prove they are who they say they are:

I think these are great steps, and I am glad to see Facebook stepping it up in regards to securing account access. When you consider the high prevalence of password-stealing Trojans and Koobface (malware that targets Facebook users) these measures are certainly a move in the right direction.

More general information on what Facebook does for security can be found on their Security Page.

I was just reading Byron Acohido’s writeup on Microsoft ending security support for patches for Windows XP Service Pack 2 and Windows 2000. Now as I work for a vendor myself I completely understand why Microsoft is going EOL (or is it EOS for end-of-support?? I forget…) for these operating systems – better, more robust OS choices exist and no company has unlimited resources to support application and technologies that have seen better days.

I get that, I really do. I do, however, think some larger issues certainly loom:

1. Legacy applications that will not run on higher patch builds
2. Point-of-Sale and embedded devices (think ATM’s an such….) ESPECIALLY if you have a global deployment
3. Patching and upgrading is never easy anyway
4. The agility of cybercriminals

Now I will also concede that its relatively straightforward to compromise a fully patched system. The tools and techniques are readily and easily available if you have a browser and even limited Google search skills – but let’s also be honest: its WAY easier to own an older unpatched build especially when all the vulnerabilities that XP Service Pack 2 and Windows 2000 have are so well documented and available. Malware also tends to be fairly backwards compatible in many cases.

I am not so certain this will cause a great shift in toolkits or focus of your average malware writer or cybercriminal. I DO think it is an excellent opportunity for scammers tho. Just think of the spam campaigns or link spam possibilities – its a great lure.

“MS has stopped support for XP Service Pack 2 click here for low cost upgrades!!!”
“Your machine seems to be running Windows 2000. Click here to upgrade to Windows 7 for a low price.!”

I can see the spam runs, phishing sites and associated fake-av installs now… Be forewarned my friends. And is it just me or is whitelisting and application control looking better and better??

Last week in Strasbourg, France, the Council of Europe organized the Octopus Interface Conference 2010. More than 300 experts from all over the world, representing governments, law enforcement authorities, international organizations, and the Internet industry gathered to discuss the “Cooperation Against Cybercrime.”

On Tuesday, in the opening session, Maud de Boer Buquicchio, Deputy Secretary General of the Council, reminded the attendees that the international principles of human rights and the rule of law must apply online as well as offline. In this way, the Internet itself is now increasingly considered as a basic right. But in this new environment cybercrime is a greater concern than ever; it threatens those rights. Security and the protection of rights is the responsibility of both public authorities and private sector organizations. After a panel discussion run by countries engaged in the fight against cybercrime, Alexander Seger discussed the Budapest Convention on Cybercrime. Currently used by more than 100 countries around the world, it is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography, and violations of network security.

Seger recommended the implementation of the convention worldwide to boost legislative reforms already underway in a large number of countries. Nations should consider adopting the policies to make use of the international cooperation provisions of this treaty. Increasing consensus on this treaty as a common framework of reference helps mobilize resources and create partnerships among public- and private-sector organizations. As a result, the ratification of the Budapest Convention by Azerbaijan, Montenegro, and Portugal prior and during the conference, and the expressions of interest from Argentina and other countries serve as examples to other countries.

In the afternoon, I joined a workshop on law enforcement responsibilities. Here, police units from various countries presented their services and discussed their local laws against cybercrime. I was particularly interested, as many of them discussed trends on this matter. In 2009, the Romanian National Police indexed 102 cases (indictments) with 766 offenses, 482 people charged, and 289 people arrested. In that country, 80 percent of IT fraud and phishing attacks are aimed at United States citizens, whereas 80 percent of credit card fraud (skimming) targets West European citizens. In Turkey, the the Organized Crime Department (KOM) made 2,871 arrests in 2009.

However, these figures represent only a small part of the fraud that is committed. In many cases, nobody files a complaint. After fraud is committed and reported, the bank refunds its conned client via their insurance company. The bank is well insured and the victim is compensated. As for the insurance company, its profit is barely affected. There is no need to alert the authorities.

In the second part of this workshop, people from the FBI and SOCA presented three objectives for law enforcement as well as recommendations for ICANN:

1. Due Diligence: ICANN needs to vet potential registrars and registries, through checks of international databases to ascertain an organization’s good standing. Registrars need to validate data received at the time of domain name registration and periodically thereafter.
2. WHOIS: Accurate and public WHOIS is essential. The proxy/privacy registrations have to be limited for private individuals for noncommercial purposes. Companies providing services should be accredited by ICANN.
3. Transparency and accountability: Domain name resellers and all third-party beneficiaries must be held to the same terms and conditions as registrars. ICANN should require all registrars, registries, proxy services, resellers, and all third-party beneficiaries of any contracts or policies of ICANN to publicly display ownership, parent companies, subsidiaries, and business associations.

On Wednesday, I participated in the mapping networks and initiatives workshop. Here, various organizations dealing with cybercrime presented their objectives and initiatives. Among them,the Inhope fight against illegal content (child sexual abuse images, extreme violence, racism and xenophobia, bestiality, online hate and xenophobia websites, adult pornography). Looking at their map representing countries saying “no” to illegal content, the audience realized that there is a long way to go:

In the next workshop, dedicated to technical assistance against cybercrime, two talks grabbed my attention. The first one exposed the situation in India. In this country, only about 10 percent of all cybercrimes committed are actually reported, and fewer than 2 percent result in a conviction. Nevertheless, 30 million judicial actions are pending. The Indian people purchase seven million mobile phones monthly. A large number do not have any traceability mechanism. This is a golden opportunity for terrorists who can use these phones without fear. 

The second talk was given by my colleague Greg Day, Director of Security Strategy for Europe, the Middle East, and Africa at McAfee. He presented various initiatives that industry can use to share intelligence and drive knowledge transfer. Besides training sessions and the direct line to McAfee Labs offered to various police crime units around the world, Day focused on the Industry Connections Security Group. This outfit gathers computer security entities to work on common goals and industry issues. Day sees that cybercriminals have leveraged the underground economy to gain economies of scale and access to specialist tools and services, whereas the security industry has generally responded to threats as individual entities. To tackle this problem, security professional established the ICSG, under the umbrella of the IEEE Standards Association, to pool their experiences and resources in response to the systematic and rapid rise in new malware being introduced to the market.

The last workshop I attended was on Thursday morning. We discussed cloud computing and the law enforcement challenges introduced by this new environment. Christian Aghroum, chief of the French National Unit for Countering Cybercrime, explained the threats facing data and services that are stored somewhere in the “Internet cloud.” His talk was a fitting conclusion for these three days in Strasbourg. Although there are no borders on the Net, the concept of national sovereignty keeps on confronting us. Human rights are acknowledged around the world, international maritime or air rights are usually respected, yet there is no universal right for the extra dimension that is the Internet. Unfortunately the Budapest Convention is far from accepted by all countries worldwide. In everyday police work, this produces a huge gap that greatly favors criminals. If a French neo-Nazi website is hosted in the United States, France really has little possibility of shutting it down. If a company leaves a foreign country after some diplomatic issues, there is no guarantee to ensure the security of its data stored in the cloud. Today, in some cases, we cannot maintain security in our country because of the start of cloud-based services. In one or two years, this will be worse in the “absolute cloud,” which will have no borders. If international laws are not rapidly created, based on the Budapest Convention, the problems will certainly become worse.  

Before ending this post, I have to mention the Nigerian delegation, which offered us a song made by famous Nigerian singers. “Maga No Need Pay!” denounces fraud. (Maga is the Nigerian word for victims of fraud.) To the Nigerian people, the song explains that fraud is not the right way toward a better life. To the rest of the world, it explains that Nigeria is a great country that should not be considered solely corrupt.

Cybercrime must be fought with laws and technology, but it can be also fought with music.

The clip is viewable here.

All over the world, individuals and many organized crime and mafia groups have found that the Internet can help them make a lot of money. Others are motivated by ideology: Manipulated by or acting in accordance with an ethos, they conduct illegal activities against institutions or individuals they consider the “enemy.” Far removed from the isolated individuals acting simply irresponsibly or for amusement, these two groups constitute the double threat we know today as cybercrime and hacktivism.

Last week we published a new report that looks, in great depth, at this phenomenon. The main goal is to explain how these organized groups have become established and what the extent of their activities are. In the first part of this report, after offering some definitions, we present some of the major participants who simply cannot be ignored. The second part deals with various topics including cybercrime and hacktivism, economics, politics, culture, and others. Each topic is illustrated with examples found in the news. Through other examples, the third part of the document deals with prices and the return on investment criminals can expect.

Chinese, Japanese, and Brazilian Portuguese versions are also available from the McAfee Labs Technical White Papers web page.

On March 9 McAfee warned consumers that “scareware,” or fake anti-virus software, may be the most costly online scam in 2010, causing significant monetary loss and damage to users’ computers. In this blog, I’ll give you some additional details about the figures we cited last week in McAfee’s new Consumer Threat Alert program.

Apart from the scareware files themselves, many malware that aid rogue anti-virus programs in attacking computers are grouped into the fake-alert Trojan family. As shown in the following graph, their number exploded in 2009. To give you some idea of the rapid growth, from March 1 to March 10, 45,000 new FakeAlert samples entered in our malware collection!

Between January 2004 and December 2009, I cataloged more than 3,000 scareware software “products” created by various rogue companies. Many of them have a short life cycle (some weeks, some months), while others, some created in 2004, are still available on the web. For half of them (see next table) we were able to extrapolate the year they appeared. Their number surpassed 100 for the first two months of 2010.

For many of these “products,” only the name changes. This trick maximizes a malware developer’s chances to catch victims. The scareware companies create website after website with a single rogue offer repeated under various names.

Fake-alert malware and scareware software are numerous. But scareware companies are restricted in number. Perhaps between 30 and 50. The names change, but the managers remain the same. They create many subsidiaries and recruit affiliates. For more than 2,000 of these products, I was able to map them to the companies that distribute them. To avoid possible legal hassles as well as personal trouble, I will not give you the names–but the following table speaks for itself.

Some companies work openly. Their managers are not afraid to create even LinkedIn profiles. When the pressure becomes too strong they simply create a new business.

To multiply sales, scareware companies recruit affiliates and promise them commissions reaching 75 percent of the product’s sales price.

When I presented our research on scareware in Paris in January, I explained that a colleague monitored–during a six-month period–the production servers of one of the main scareware companies. In 10 days, he counted more than four million downloads (that is, more than four million scareware infections)! This was from only one company, and some victims made more than one download in a day.

In 11 months, this scareware company received more than 4.5 million orders. Using this figure, I forecast annual revenues of greater than US$180 million. This leads to a substantial worldwide income for this criminal activity.

Finally, these scareware companies have not only fake security software for sale. They also peddle many other fake products (multimedia software, fitness software, family software, etc.). And, above all, they offer pornography. Consequently, their revenues are still greater.

To avoid becoming a security software scam victim, the McAfee Consumer Threat Alert advises the following:

1. Before downloading any security software from the Web, get a recommendation from someone you trust who is savvy about Internet security software
2. Investigate the company before purchasing the software
3. Be careful when responding to pop-up ads
4. You can protect your computer from these types of cybercrimes by installing a complete security software suite that includes anti-virus, anti-spyware, and firewall protection, such as McAfee Total Protection. Ensure that your software is always up to date (enable the “auto-update” feature) and perform regular scans.