Online Virus / Malware News

During the last six years, botnets have become one of the biggest threats to security professionals, businesses, and consumers. We at McAfee Labs have just released more information about how cybercriminals can use common social networks and common web applications, such as Twitter and XMPP-enabled applications like Google Talk, to take over a user’s computer.

As Web 2.0 services evolve, so do the efforts of botnet writers. They are rapidly adopting new technologies to increase the sophistication of their attacks. We have identified the following trends in botnets and social media:

• Twitter-controlled bots are the most prevalent example of using social media to receive and execute bot commands
• KreiosC2, though a proof-of-concept research tool, effectively demonstrates how LinkedIn and other social networks and applications can be used to control a botnet
• Protocol standards such as XMPP, used for authentication, presence, and messaging, can also be used by cybercriminals to communicate with botnets and execute malicious attacks

The dangers from controlling a bot or botnet through an application such as Twitter cannot be understated. Using widely adopted and deployed applications like Twitter to control a botnet effectively allows the attacker to hide in plain site by using an application or website that is allowed on most desktops worldwide. There’s nothing to it: Log into a Twitter account from a variety of Twitter applications (I’ll use TwitScoop) and send an update:

Then we send our command:

It really is as simple as that: decentralized, application-based control of one or many bots. Don’t try this at home: I ran this exercise from a private Twitter account with only one follower (my other Twitter account) in a research environment, so there was no danger!

The McAfee Labs research team has released a report that examines TwitterBots, KreiosC2, and XMPP as examples of how cybercriminals can use social networks as the new platform for botnet command, control, and attack.

During the last six years, botnets have become one of the biggest threats to security professionals, businesses and consumers. We at McAfee Labs have just released more information about how cybercriminals can use common social networks and common web applications, such as Twitter and XMPP-enabled applications like Google Talk to take over a user’s computer.

As Web 2.0 services evolve, so do the efforts of botnet writers. They are rapidly adopting new technologies to increase the sophistication of their attacks. We have identified the following trends in relation to botnets and social media:

-Twitter controlled bots are the most prevalent example of using social media to receive and execute bot commands
-KreiosC2, though a proof-of concept research tool, effectively demonstrates how LinkedIn and other social networks and applications can be used to control a botnet
-Protocol standards like XMPP, used for authentication, presence and messaging, can also be used by cybercriminals to communicate with botnets and execute malicious attacks

The danger’s from controlling a bot or botnet through an application like Twitter cannot be understated. Using WIDELY adopted and deployed applications like Twitter to control a botnet effectively allows the attacker to hide in plain site by using an application or website that is allowed on most desktops worldwide. It is as simple as logging into one’s Twitter account from a variety of Twitter applications (I’ll use TwitScoop) and sending an update:

Then we send our command…..

It really is as simple as that – decentralized, application-based control of one or many bots. BTW – This was done from a private Twitter account with only 1 follower (my other Twitter account) in a research environment so there was no danger!

Our research team has released a whitepaper that examines TwitterBots, KreiosC2 and XMPP as examples of how cybercriminals can use social networks as the new platform for botnet command, control and attack.

Just after Adobe released its out-of-band patch for CVE-2010-2862, we discovered a malware exploiting a new zero-day vulnerability in the wild. Similar to the iOS PDF jailbreak vulnerability and CVE-2010-2862, this zero day occurs while Adobe Reader is parsing TrueType Fonts. We’ve analyzed and confirmed that the vulnerability affects the latest Adobe Reader, Version 9.3.4.

This zero-day vulnerability is a typical stack buffer overflow; exploitation of this issue is expected to be relatively easy. Although the latest version of Reader has been compiled with stack protection (/GS), the exploit uses an Return Oriented Exploitation (ROP) technique to bypass /GS protection and data execution prevention (DEP).

We saw a similar technique used to exploit an older Adobe TIFF parsing vulnerability. All this seems to point to the fact that ROP is gaining wider acceptance by malware writers to bypass DEP and existing stack protections.

McAfee Labs is coordinating with Adobe PSIRT, and we’ve provided them with additional details on the bug. The Adobe team is actively working on this issue, although there is no patch available at the time of writing this blog. Adobe Acrobat users are urged to update their security definitions for the various products.

McAfee protection to date:

• McAfee Network Security Platform: Coverage provided under the signature 0×40293c00, UDS-HTTP: Adobe Reader Unspecified Buffer Overflow
• DAT files: Coverage for known exploits provided in the 6099 DAT release under the signature Exploit-PDF.ps.gen
• Host IPS: Generic buffer overflow protection provides partial coverage
• Foundstone: The FSL package of September 8 includes a vulnerability check to assess if your systems are at risk

Two weeks ago, I posted a blog entry talking about the counterfeiting of legal documents. I have received many comments and requests for further data related to this type of fraud from various Eastern Europe countries, France, and even the United States. Aside from journalists, for whom it is their job, many people have contacted or attempted to contact me. Most of them were curious and friendly, but others flooded my mailbox:

The first request was for the URLs of the websites that provide the services. At McAfee, like at most of our competitors, we almost never disclose dangerous URLs apart from researchers in the business and law enforcement agencies. And in many cases we also employ some internal testing to avoid infection or compromise. When I wrote my blog entry, that URL was safe (no malware, no iframe), but this can change, especially if their owners know it will be visited by many inquisitive people.

The next question was that of the counterfeiters nationalities. No doubt they are Russian speakers.

Another request was related to the abundance of these offers. The site I visited actually contained a competitor blacklist with a dozen or so “disreputable” companies. As they were all restricted to drivers licenses, I carried on further investigations on the passport field. It was not difficult to find other offers with more attractive prices: less than US$1,000 instead of the US$4,000-$5,000 asked by the first one.

In this last offer, I noted the availability of diplomatic passports (price on demand).

If you are not a Google search ninja, you can just check YouTube. There, various well-phrased searches can direct you to the online shop you are looking for:

And regarding the payment methods? It seems they all prefer Western Union, but they are not very talkative on this subject. You have first to contact them via anonymous mailing services. (They specify: “no ICQ, no SMS, no phone call.”) However, I discovered another offer, with details about how to place an order.

At last, some people wished to know if these sites offered other materials or services. Some of them sell carding equipment to read/write magnetic cards, but the prices were exorbitant. They quoted between US$9,000 and $11,000; yet many of these devices can be found on Amazon or eBay for $500! Proving the relevance of our previous advice regarding what you toss into your household trash, one site offers fake French EDF (national electricity company) and British Telecom utility bills for £10. (In Europe, we frequently use these documents to prove our residency or proof of address.)

Even the envelope is supplied! Seemingly unimportant pieces of paper can interest today’s cybercriminals.

The Anti-Malware engine is a critical and core piece of the McAfee anti-malware solutions. As with any core technology, the engine must be rock-solid stable, fast, and functionally rich.

A new McAfee Labs whitepaper outlines these engine technologies and values, covering both endpoint and gateway uses. Beyond introductions to malware detection methodologies–ranging from exact detection to heuristics, and technologies from exploit detection to cloud-based detection, the new paper especially outlines McAfee’s approach to Cooperative Anti-Malware on Endpoint and Gateway. “Cooperative” in this case refers to the added value of combining anti-malware on the endpoint and on the gateway: a true defense-in-depth strategy in action.

In this defense-in-depth implementation we have engine technologies that are optimized for the endpoint and the gateway, respectively, and both are connected through our Global Threat Intelligence back-end, or “cloud.” This combination allows strict enforcement and the highest proactive catch rates at the network perimeter, keeping the majority of threats outside of your network, and effectively and accurately protecting the desktops in an enterprise as well.

Download and read it now!

As McAfee Labs predicted in a previous blog post regarding the Microsoft Windows Shell .LNK vulnerability, it was just a matter of time before malware started using Exploit-CVE2010-2568 to take advantage of this new Microsoft zero-day flaw. The flaw is described in CVE-2010-2568.

First, there was talk about PWS-Zbot (a.k.a. Zeus) using the vulnerability in encrypted emails that contained the malicious .LNK file(s); then our research team found a new variant of Downloader-CJX that extended its previous .LNK propagation strategy using social engineering with the new Exploit-CVE2010-2568 .LNK files.

Downloader-CJX is a malware family that installs .LNK files mimicking current Windows and user folders such as Music, Documents, or New Folder. The malware changes the attributes of the real folder to hide it from Explorer, and drops the .LNK files with folder icons, so the user is lured into clicking on these malicious links that appear as legitimate folders. These .LNK files are detected as Downloader-CJX!lnk when found in an infected machine.

The new variant drops additional files on infected systems:

The file x.exe is another copy of Downloader-CJX that in turn drops xxx.dll, a DLL component of Downloader-CJX.

The additional .LNK files exploit the CVE-2010-2568 vulnerability, enabling the malware to load the DLL file when users browse the folder.

These .LNK files are already detected as Exploit-CVE-2010-2568 and the new Downloader-CJX variant as Downloader-CJX.gen.g.

We offer you yet another reminder to keep your anti-malware software updated with the latest DATs, because the bad guys are always updating their software, too.

Today Microsoft updated the security advisory that was initially published last Friday (July 16), stating that they’re working on issuing a security patch for this vulnerability. Earlier, malware exploiting this issue was found in the wild. Researchers at McAfee Labs have been busy tracking this issue over the weekend and we have come up with some more quick Q&A’s.

1. What is the issue with .LNK files and how can it be exploited?
A. McAfee Labs researchers analyzed malware that was exploiting a design flaw in parsing shortcut (.LNK) files. This issue gets triggered because the Windows Shell component does not validate parameters sent out in the shortcut. This issue can be exploited via any mechanism that makes the user load the icon of the .LNK file.

2. Does the malware need a payload (shellcode) to exploit this flaw?
A. Since this is a design issue in the way shortcuts are parsed, no malicious payload (shellcode) is required to exploit this flaw. The .LNK file needs to point to a malicious file, the path of which needs to be hardcoded in the shortcut.

3. What are the requirements to successfully exploit this flaw?
A. This flaw can be triggered when Windows Explorer or Internet Explorer tries to render a malformed .LNK file that points to a malicious executable. The user need not double-click on the .LNK file to trigger the vulnerability; just opening the folder containing the malicious shortcut is enough to get infected.

4. What are the most likely attack vectors used to exploit this vulnerability?
A. USB drives are likely to be affected the most. The malware discovered in the wild was exploiting this issue via a USB drive. File sharing over SMB is another likely vector to exploit this flaw and this can lead to widespread malware infections over internal networks. WebDAV shares are equally susceptible to exploitation.

5. What are the affected platforms?
A. Microsoft has acknowledged that all supported platforms are affected. More details are available in the Microsoft security advisory. Windows XP SP2 is not listed in the list of affected platforms from Microsoft, so there is a chance of Windows XP SP2 users might remain vulnerable.

6. How widely is the issue being exploited?
A. The issue is known to be exploited by malware in the wild. Initial attacks were limited. However, an exploit module in metasploit was published today that uses WebDAV shares as an exploit vector. We expect wider exploitation of this issue. Users should keep their anti-virus software updated with the latest DATs (signatures).

We’ll keep our readers updated on this issue as we analyze more malware and techniques used by malware writers to exploit this flaw.

The news that Google is supposedly dropping Microsoft Windows is spreading like wildfire all over the Internet today. Without getting into any “which OS is better or more secure” holy war, let’s review some facts to see if this “decision” has any basis in reality. (I caution readers to remember this is not confirmed, even if it is true.)

The supposed cause of this change is Operation Aurora, the attack that affected Google and many other companies. From the McAfee Labs Threat Center:

“Operation Aurora was a coordinated attack which included a piece of computer code that exploits the Microsoft Internet Explorer vulnerability to gain access to computer systems. This exploit is then extended to download and activate malware within the systems. The attack, which was initiated surreptitiously when targeted users accessed a malicious web page (likely because they believed it to be reputable), ultimately connected those computer systems to a remote server. That connection was used to steal company intellectual property and, according to Google, additionally gain access to user accounts.”

What many people fail to realize is that Operation Aurora was not really about any technical issues.

But you may ask “Marcus, how can you possibly say that? Have you gone mad? Aurora 0wned multiple computers on multiple networks! They were all running that evil Microsoft Windows. Surely removing Windows will solve all the problems!”

These objections are not even close to the real issue. Sure, the attackers used a very effective zero-day vulnerability. And, certainly, they used lots of evasion techniques in delivering the payload? But the real vulnerability has not been discussed.

People were the weak link.

The attackers who launched Operation Aurora knew their targets well from both corporate and personal viewpoints. They knew what their victims were running and what their roles were. The attackers even knew what application versions they used. (Ever wonder why the zero-day was limited in effectiveness to Internet Explorer Version 6 when the attack commenced? The attackers knew that was all they needed.)

The intel that the attackers gathered to make Operation Aurora work is what made it a success–not the operating system involved. The targets were the people.

Would it make any difference if the victims were running Linux or any other operating system if an attacker builds such a sophisticated profile? Not remotely. Linux, Windows, Mac, whatever–everything has weaknesses. Especially the users of those systems.

When an attacker knows the details of a company’s technical deployment and personnel to the level we saw in Operation Aurora, the difference between one operating system and another is irrelevant. Any system or network can be technically compromised. Likewise, malware can be written for any operating system.

If determined attackers and gatherers of intelligence invest the time to get to know their targets–their behaviors, likes, dislikes, technical backgrounds, job roles, etc.–the actual exploit is trivial. All they have to do is get their victims to click a link. The more they know about their targets, the more likely users will click it.

Social engineering and intelligence gathering trumps technology every time. It always has and always will.

I was just reading Byron Acohido’s writeup on Microsoft ending security support for patches for Windows XP Service Pack 2 and Windows 2000. Now as I work for a vendor myself I completely understand why Microsoft is going EOL (or is it EOS for end-of-support?? I forget…) for these operating systems – better, more robust OS choices exist and no company has unlimited resources to support application and technologies that have seen better days.

I get that, I really do. I do, however, think some larger issues certainly loom:

1. Legacy applications that will not run on higher patch builds
2. Point-of-Sale and embedded devices (think ATM’s an such….) ESPECIALLY if you have a global deployment
3. Patching and upgrading is never easy anyway
4. The agility of cybercriminals

Now I will also concede that its relatively straightforward to compromise a fully patched system. The tools and techniques are readily and easily available if you have a browser and even limited Google search skills – but let’s also be honest: its WAY easier to own an older unpatched build especially when all the vulnerabilities that XP Service Pack 2 and Windows 2000 have are so well documented and available. Malware also tends to be fairly backwards compatible in many cases.

I am not so certain this will cause a great shift in toolkits or focus of your average malware writer or cybercriminal. I DO think it is an excellent opportunity for scammers tho. Just think of the spam campaigns or link spam possibilities – its a great lure.

“MS has stopped support for XP Service Pack 2 click here for low cost upgrades!!!”
“Your machine seems to be running Windows 2000. Click here to upgrade to Windows 7 for a low price.!”

I can see the spam runs, phishing sites and associated fake-av installs now… Be forewarned my friends. And is it just me or is whitelisting and application control looking better and better??

Today Microsoft released MS10-018 covering 10 vulnerabilities, including CVE-2010-0806, a zero-day threat discovered in the wild earlier in this month.

Reported exploit detections from McAfee home users are significant, though well below the top 20 detections at the the time of this blog post. Nonetheless, vulnerable users should patch soon.