What's the deal with Facebook's Security Questions???
Mother's birthday? — Father's middle name? — Third grade teacher?
Security challenge questions based on social information are probably not the best idea on a social networking site, particularly now that Facebook's user base is as expansive as it is.
After all, who's going to know personal details about you?
We continue to see targeted attacks. More and more of them. We're currently collecting some statistics on the frequency of these attacks and hope to publish them here later this week.
Here are some recent examples of documents that we've seen in targeted attacks. All of them use known vulnerabilities to drop backdoors that take over the computer.
The examples cover all popular file types: DOC, XLS, PPT and PDF. (Just to be fair.)
We've seen all of these cases exactly once, worldwide. So whoever got hit by these, it wasn't just bad luck and it wasn't just a coincidence.
Our first example looks like an average in-house purchase agreement… but when viewed, it drops a backdoor that connects to lemondtree.freetcp.com. XLS file.
Connects to heet.25u.com. PDF file.
Drops files called hlwin32.dll, hlsvc32.dll and svchost.exe to SYSTEM32 or TEMP folders. PPT file.
"Fertilizer news and analysis"? What? Drops a backdoor that connects to wolfdu.5166.info. PDF file.
Drops a variant of Poison Ivy remote access trojan. PDF file.
We don't have any information on the identities of the parties targeted with these attacks.
Two new vulnerabilities have been found in Adobe Reader and are under investigation by Adobe. The vulnerabilities exist in two JavaScript functions, getAnnots() and spell.customDictionaryOpen(), and both allow remote code execution. This means they both could be used in targeted attacks and drive-by downloads. There are PoCs (Proofs of Concept) available for both vulnerabilities but so far no in-the-wild attacks.
We've said it before but it's worth repeating — use an alternative to Adobe Acrobat Reader. We won't recommend any reader over another as it would be better if people use a wide variety of them. A list of readers can be found here, pdfreaders.org. Others are Foxit, CutePDF, etc.
If you can't change from Adobe Reader we strongly recommend that you disable its ability to run JavaScript.
This is easily done via: Edit –> Preferences –> JavaScript –> Un-check "Enable Adobe JavaScript"
Today is the 2nd anniversary of the nation-scale DDoS attacks against Estonia.
Here's the very first blog post I made on these developments on Saturday, the 28th of April 2007, as things started happening. Here's a follow-up post a couple of days later. Reading these now, they really feel sort of historic. Things changed in April 2007.
Today's first presentation was by president of Estonia, Mr. Toomas Hendrik Ilves.
I was really impressed by the talk by Mr. Ilves. It was a rhetorically sound and masterfully executed talk by a European statesman. And even though it was on the topic of my own expertise, I still found it insightful. It was also refreshing to listen to him mention technical details like botnets, DNSSEC and DDoS. Impressive. Watch this man.
In order to do that, the worm uploads the CAPTCHA images to a Russian CAPTCHA Cracking Service.
This service offers 1000 cracked codes for $1 with a money-back guarantee in case of mistakes, or with codes that took too long to crack (over 60 seconds).
Such services typically use humans to crack the codes manually. It's hard to imagine a more repetitive or boring job. The people behind such services exploit cheap labor or possibly – child labor. Read more from this article by Byron Acohido.
Perhaps the most surprising twist in the whole story is that Google is not just a victim here.
Surprisingly, if you go searching for terms like "crack captcha" or "break captcha", you will get sponsored ads in Google search results — for CAPTCHA cracking services!
Techies and non-techies have been debating about "cyberwar" – is there such a thing? Is it a threat? Who would do it? Who cares? – since the movie WarGames came out in 1983.
No consensus on the topic as yet, but it looks like some military officials are taking the threat seriously. Computerworld reports that the Obama administration may be setting up a military command center dedicated to combating and "developing offensive cyberwarfare capabilities".
Not everyone thinks all the concern is warranted. Marcus Ranum, CSO of Tenable Network Security gave a keynote speech at the 2008 Hack In The Box conference in Kuala Lumpur entitled "Cyberwar is Bullsh*t". The title says it all, really. You can get the slides from the speech here (pdf).
Not everyone dismisses the threat though. Interesting commentary on Mr Ranum's contentions comes from Richard Bejtlich's TaoSecurity blog, here.
For those interested, there are plenty of debates on the topic floating around the Internet. Thoughts, anyone?
Many European banks provide their customers with a paper list of sequential numbers and randomly requested checksums. Without this physical list, an attacker might be able to access the online banking GUI, but they should not be able to complete a fund transaction.
Now, carrying around a card and scratching off numbers is fairly secure but it isn't always convenient.
What's more convenient and is something you always have with you? Your phone.
More and more banks are beginning to offer transaction authentication numbers (TAN) via SMS text messages. The customer registers their phone to receive the one-time passwords, and the TAN is provided on-demand. Easy, secure.
A company called Ultrascan Research Services claims that East European gangs are paying big money for certain versions of Nokia 1100 phones.
According to Ultrascan's post, some Nokia 1100 phones can be used to intercept SMS messages.
We don't have the details, we only know what's been stated by Ultrascan. We've also been unable to find a hacker forum or an auction site with actual requests for such phones.
To be worth the prices being paid (up to €25,000) the phone would somehow need to spoof the victim's phone number without using their SIM card. If that's possible, then it's a very clever trick and suddenly enables the use of all of the past compromised account information that's been gathered by banking trojans.
And that's a very sizable return on investment. Even for a €25,000 phone.
As we blogged on New Year's Eve, we have been teaching malware analysis and antivirus technologies at Helsinki University of Technology again this Spring.
Above: TKK (Helsinki University of Technology) main building. Photo taken February 2009 on a fairly "white sky" day.
Above: Antti Tikkanen giving a lecture on dynamic analysis of malware
The lectures are now over and the students have about a month to turn in their final assignments. Even though the "last hurrah" for the 2009 Spring course is still missing, I would like to thank TKK staff and FS Labs lecturers for the course. I would also like to thank the students. It was again a real pleasure to teach motivated and smart people. I'm really looking forward to receiving the final project submissions.
For those interested, slides for all of the lectures are available in PDF format from the course homepages.
— Mika, Principal lecturer of T-110.6220, Spring 2009
What's up with Mikey Mooney? He wrote a series of Twitter worms, got hired, got hacked (hey, nice passwords, Mikeyy) and released yet another worm last night.
This one did extensive modifications to infected profiles; changing the name and bio to "Mikeyy" and the title of the profile to "Mikey and the Mysterious Treqz."
This variant downloaded additional scripts from runebash.net/xss.js (careful, it's still up).
The messages it sent were more philosophical in nature:
Be nice to your kids. They'll choose your nursing home. Womp. mikeyy.
If you are born ugly blame your parents, if you died ugly blame your doctor. Womp. mikeyy.
Every man should marry. After all, happiness is not the only thing in life. Womp. mikeyy.
Age is a very high price to pay for maturity. Womp. mikeyy.
Ninety-nine percent of all lawyers give the rest a bad name. Womp. mikeyy.
If your father is a poor man, it is your fate, but if your father-in-law is a poor man, it's your stupidity. Womp. mikeyy.
Money is not the only thing, it's everything. Womp. mikeyy.
Success is a relative term. It brings so many relatives. Womp. mikeyy.
'Your future depends on your dreams', So go to sleep. Womp. mikeyy.
God made relatives; Thank God we can choose our friends. Womp. mikeyy.
'Work fascinates me' I can look at it for hours ! Womp. mikeyy.
I have enough money to last me the rest of my life. (unless I buy something) Womp. mikeyy.
RT!! @spam Watch out for the Mikeyy worm (bit.ly link)
FUCK. NEW MIKEYYY WORM! REMOVE IT: (bit.ly link)
Mikeyy worm is back!!! Click here to remove it: (bit.ly link)
How many users got infected? We can't tell the total count. However, Mikeyy seeded the infection via three new Twitter user accounts he had created and we can see how many clicks they got:
The only thing we haven't seen yet is that a really popular Tweeter with tons of followers would get infected (think Britney Spears or Lance Armstrong).
A new Twitter cross-site scripting worm is going around on Twitter. Just like the previous Twitter worms it talks about Mikeyy.
Other messages used by the worm include:
Twitter, this sucks! Fix your coding. Twitter Security Team Really? You need to be fired. Horrible Coding!
@oprah - sup? welcome to twitter - mikeyy
@aplusk - hey, homo. - mikeyy
@souljaboyellem - your music sucks dude. - mikeyy
@TheEllenShow - hey baby, love me long time? - mikeyy
@StephenColbert - you funny. - mikeyy
@cnnbrk - he's back. ;) - mikeyy
@nytimes - yep, it's true. - mikeyy
Twitter, do you know about the before_save model callback? - mikeyy
This exploit only affects Internet Explorer users. Thanks. - mikeyy
Twitter, BeforeSave: ForEach: DataArray: EscapeHtmlCars!!! - mikeyy
Get Firefox, thanks. www.Firefox.com
Twitter, you should be paying me now. - mikeyy
Once a user views an already infected profile they get infected as well. The name, location, website and bio all get changed to Mikeyy and they start posting messages randomly picked from the list above.
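The worm's own taunts point at the defect: profile fields (name, location, website, bio) were stored and rendered without HTML escaping. The following is an added example, not Twitter's code or the worm's; render_profile_unsafe, render_profile_safe and find_active_content are names of this example's own, and the infected profile is constructed to resemble what the post describes.

```python
"""Stored XSS through profile fields: unsafe versus escaped rendering."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed infected profile: a script tag in a free-text field, a
# javascript: URL in the website field, an event-handler payload in the bio.
INFECTED_PROFILE = {
    "name": 'Mikeyy<script src="http://example.invalid/xss.js"></script>',
    "location": "Womp",
    "website": "javascript:alert(document.cookie)",
    "bio": '<img src=x onerror="alert(1)">',
}

# Constructed ordinary profile, used to show the safe path keeps real links.
CLEAN_PROFILE = {"name": "Jane <3", "location": "Helsinki",
                 "website": "https://example.invalid/", "bio": "hello"}


def render_profile_unsafe(p):
    """Interpolates raw user input into markup: the defect behind the worm."""
    return (f'<h1>{p["name"]}</h1><p>{p["location"]}</p>'
            f'<a href="{p["website"]}">site</a><p>{p["bio"]}</p>')


def safe_url(value):
    """Accept only absolute http(s) URLs; anything else renders no link."""
    parts = urlsplit(value.strip())
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return html.escape(value.strip(), quote=True)
    return ""


def render_profile_safe(p):
    """Escape every field at output time and whitelist the link scheme."""
    def e(s):
        return html.escape(s, quote=True)
    href = safe_url(p["website"])
    link = f'<a href="{href}">site</a>' if href else ""
    return (f'<h1>{e(p["name"])}</h1><p>{e(p["location"])}</p>'
            f'{link}<p>{e(p["bio"])}</p>')


class _ActiveContentFinder(HTMLParser):
    """Records script tags, on* handlers and javascript: URLs that the
    parser sees as real elements; escaped text is data, never a tag."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")
            elif name in ("href", "src") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}=javascript:")


def find_active_content(rendered):
    """Audit helper for already-rendered pages, as a scanner of stored
    profiles would run it; returns a list of findings, empty when clean."""
    finder = _ActiveContentFinder()
    finder.feed(rendered)
    return finder.findings


if __name__ == "__main__":
    print(find_active_content(render_profile_unsafe(INFECTED_PROFILE)))
    print(find_active_content(render_profile_safe(INFECTED_PROFILE)))
```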
The malicious script itself is downloaded from 74.200.253.195. Twitter is working on fixing the problem.
This happens on the same day as media reports that Michael Mooney got a job because of his writing the first Twitter worms. So if he did this one too, what was the motivation? To get an even better offer from someone else!? Stupid.
For now, stay away from looking at users' profiles. Also, Firefox and NoScript is a good combo.
Updated to add: Michael Mooney (Mikeyy) confesses to writing this latest worm as well.
Searching for good things with bad results is something that now happens on a regular basis, like the example we blogged about the other day. But now it's personal - searching for "f-secure" leads to rogue products. This time it's not via SEO (Search Engine Optimization) but through malicious Google ads. As you can see in the screenshot below there's an ad pointing to update-xp.com. You have to click on search twice for it to come up and it doesn't seem to happen every time.
Let's check it out. It leads to a page talking about Fix F-Secure Problems.
Let's download and install this fix tool on a clean XP SP3 machine and see what it is.
Amazing! 1303 total problems found, of which 1277 couldn't be removed in the unregistered version. Let's try to register.
Surprise! We have to pay $34.95 to register and remove all the "problems".
Last bit of irony: it claims that Windows is up-to-date, but as you can see from the screenshot below, 36 updates are actually missing.
This has been reported to Google so hopefully it will be removed soon.
Updated to add: Google have now removed the malicious ad. Prompt action from them, we appreciate the assistance.
The Waledac botnet has been actively used to push malware since last year.
The tactics employed by Waledac are so similar to the old Storm Worm that we have reason to believe they are closely connected.
Last night, the websites used to push Waledac infections got an overhaul.
We started seeing infection reports of filenames like sms.exe, trial.exe, smstrap.exe, freetrial.exe and smsreader.exe.
When we went searching, we noticed that the Waledac sites now looked like this:
Nice graphics, jerks.
Anyway, these sites had domain names like downloadfreesms.com, chinamobilesms.com and smsclubnet.com.
If you check the DNS records for these domains, you'll notice that they have a time-to-live set to zero. They use that to change their IP address every time you query it. This is fast flux in action.
Let's monitor the IP address of smsclubnet.com for two minutes:
Time      IP
11:00:17  118.232.218.209
11:00:22  211.105.220.204
11:00:28  121.179.73.185
11:00:33  124.8.89.29
11:00:38  69.55.30.158
11:00:44  116.127.184.49
11:00:49  201.42.136.214
11:00:54  89.35.18.27
11:01:00  24.77.250.131
11:01:05  118.130.83.202
11:01:11  77.78.150.199
11:01:16  211.180.118.70
11:01:21  189.111.197.36
11:01:27  121.183.32.80
11:01:32  211.218.197.220
11:01:38  121.183.32.80
11:01:43  125.129.151.33
11:01:48  151.60.88.70
11:01:54  121.179.73.186
11:01:59  210.207.217.154
And all those IP addresses are infected home computers, where the owner of the computer has no idea he's actually running a webserver — which is serving viruses.
This botnet is not just used to host the malware: the malware itself uses it when calling home. When Waledac is executed, it does dozens of HTTP posts to IP addresses belonging to this botnet.
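What the two-minute capture shows can be turned into a simple detection rule: a near-zero TTL, many distinct addresses in a short window, and those addresses scattered across unrelated networks. The code below is an added example, not from the original post; it feeds the 20 smsclubnet.com answers from the table above into the rule (the TTL of 0 on each record is taken from the post's statement, the table itself does not list it) and contrasts them with a constructed load-balanced host. The names summarize and is_fast_flux are this example's own.

```python
"""Fast-flux heuristics over logged DNS answers."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Answer:
    ts: str   # observation time (HH:MM:SS)
    ip: str   # A record returned by the resolver
    ttl: int  # TTL carried in the response


# The answers for smsclubnet.com from the table in the post; TTL 0 assumed.
OBSERVED_SMSCLUBNET = [Answer(t, ip, 0) for t, ip in [
    ("11:00:17", "118.232.218.209"), ("11:00:22", "211.105.220.204"),
    ("11:00:28", "121.179.73.185"), ("11:00:33", "124.8.89.29"),
    ("11:00:38", "69.55.30.158"), ("11:00:44", "116.127.184.49"),
    ("11:00:49", "201.42.136.214"), ("11:00:54", "89.35.18.27"),
    ("11:01:00", "24.77.250.131"), ("11:01:05", "118.130.83.202"),
    ("11:01:11", "77.78.150.199"), ("11:01:16", "211.180.118.70"),
    ("11:01:21", "189.111.197.36"), ("11:01:27", "121.183.32.80"),
    ("11:01:32", "211.218.197.220"), ("11:01:38", "121.183.32.80"),
    ("11:01:43", "125.129.151.33"), ("11:01:48", "151.60.88.70"),
    ("11:01:54", "121.179.73.186"), ("11:01:59", "210.207.217.154"),
]]

# Constructed contrast case: a host answering from two addresses in one /24
# with a one-hour TTL, the shape of an ordinary load-balanced website.
OBSERVED_STABLE = [Answer(f"11:00:{i:02d}", ip, 3600) for i, ip in
                   enumerate(["203.0.113.10", "203.0.113.11"] * 10)]


def summarize(answers):
    """Counts that separate fast flux from ordinary DNS round-robin."""
    ips = [a.ip for a in answers]
    distinct = set(ips)
    nets16 = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in distinct}
    return {
        "queries": len(ips),
        "distinct_ips": len(distinct),
        "distinct_slash16": len(nets16),
        "max_ttl": max(a.ttl for a in answers),
        # how often the answer differed from the previous query's answer
        "changes": sum(1 for a, b in zip(ips, ips[1:]) if a != b),
    }


def is_fast_flux(answers, min_distinct=5, max_ttl=300, min_spread=0.5):
    """True when the TTL is tiny, many addresses are seen, and they sit in
    many unrelated /16s (flux nodes are scattered home machines; a CDN or
    load balancer keeps its addresses close together)."""
    s = summarize(answers)
    spread = s["distinct_slash16"] / s["distinct_ips"]
    return (s["max_ttl"] <= max_ttl
            and s["distinct_ips"] >= min_distinct
            and spread >= min_spread)


if __name__ == "__main__":
    for name, obs in (("smsclubnet.com", OBSERVED_SMSCLUBNET),
                      ("stable host", OBSERVED_STABLE)):
        verdict = "fast flux" if is_fast_flux(obs) else "ok"
        print(name, summarize(obs), verdict)
```

The thresholds are starting points for a resolver log monitor; a real deployment would also check the reverse DNS and ASN of each address, which needs network access and is left out here.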
The Waledac gang has registered over 100 .com domains for their purposes. You can actually tell a bit about their operations if you arrange their domains into groups. Practically all the domains they own are registered to these email addresses: hanlin_425@126.com, lijian@qq.com and wusong_ccc@126.com.
It's no surprise at all that Google searches for information about the Twitter worm lead to malware sites; it was really just a matter of time, especially after all the talk about it over the weekend and the guy behind it confessing everything. Unfortunately, malicious search results for popular news are something we see very often.
By searching for "Twitter worm" on Google, one of the top 10 hits looks like this:
Which leads to this site:
But you'll never see that as you immediately will get redirected to videxxxxxs.cn which immediately redirects you to loyxxxxxxno.com which tricks you into downloading a fake video codec from cxxxxxxxxaz.com. No exploits are used, it's just social engineering. At least for now.
And the fake codec is of course malware. In fact, it's a trojan downloader that downloads some additional malware, including a rogue security product called WinPC Defender which shows fake malware detections.
Like all rogue security products it will tell you that you have malware on your PC and that you have to buy the product to remove it. This one is more expensive than usual though, as they want you to pay $69.99 (the usual rate seems to be $39.95).
So, unfortunately we're not surprised that this happened. As usual, get your news and information from sources you trust. Random Google searches can't be trusted.
Updated to add: Searching for "Mikeyy" also leads to malicious results.
Microsoft just released the security updates for April, and they include the fix for the Excel vulnerability that has been exploited in targeted attacks for over a month now. Make sure you download these patches, including the one for Excel if you use Microsoft Office 2007, right now. Unfortunately a fix for the PPT vulnerability wasn't part of this month's update.
Twitter administrators don't seem to be able to shut down the various XSS / CSRF worms that have been plaguing the service over the weekend.
The actual problems to end users haven't been devastating — so far. Most of the Twitter worms simply modify people's profiles to infect more users.
However, attacks like these could be much worse if the attackers would incorporate nastier attacks, such as browser exploits.
The attacks have been credited to "Mikey" or "Mikeyy", who apparently was the administrator of a site called Stalkdaily. Stalkdaily was a competitor to Twitter, and apparently the original motive of the attack was to "steal" Twitter users to join this new service. The web page for Stalkdaily is currently down.
Latest round of worms just started minutes ago. Apparently this run was started by a freshly registered user called cleaningUpMikey:
This is what the attack looked like:
If you clicked on the name or the image of the person sending the message, you would get infected as well and would send the same message - and anyone viewing your profile would do the same.
We can't confirm whether "Mikeyy" is really behind these attacks. We can't confirm the above phone number either. However, it was likely picked up from this page from a social networking site:
For now, don't view profiles in Twitter.
Updated to add:
A quick look at another incarnation of the same worm. This one was interesting, as it was using the bit.ly redirector in its messages.
Infected users were sending Tweets like this: "How TO remove new Mikeyy worm! RT!! http://bit.ly/yCL1S"
A message like this is particularly nasty, as there were plenty of re-tweets of this malicious message sent by genuine users.
The bit.ly link got redirected back to Twitter, to user reberbrerber's profile, which would infect Twitter users who viewed it.
The good part about using a URL redirector is that now we can get exact statistics on how much traffic this link received. Turns out the URL got clicked over 18,000 times - and the figure is still growing.
And where were these users from?
One more chart. Based on keyword mikeyy stats from Tweetscoop, the outbreaks are leveling out now:
A cross-site scripting worm was spreading in Twitter profiles for several hours last night.
People started reporting that their profile had sent Twitter messages without their knowledge. Messages looked like this:
Later on the messages morphed several times:
Many people followed the links to stalkdaily.com, as they believed the messages to be genuine Tweets from their friends. A cross-site scripting payload on the site then caused those users to start tweeting the same messages.
More info on the technical internals of the attack is available at dcortesi.com.
As expected, the whole worm was a publicity stunt by stalkdaily.com.
You can see the latest official status of Twitter from their status page at status.twitter.com
We detect the script file as Worm:JS/Twettir.A.
Updated to add: This is not over. There's going to be quite a few modified Twitter worms for a day or two. Be careful in Twitter, don't view profiles, don't follow links. It's beautiful outside, maybe go for a walk instead?
Here's one current variant:
All these attacks are JavaScript-based. Turn JavaScript off if you're worried. More info here.
A new variant of Conficker was found yesterday. We're still investigating the files but here's what we know so far.
On April 8th a new update was made available to Conficker.C infected machines via the P2P network.
The new file, which we call Conficker.E, was executed and co-existed alongside the old infection.
It re-introduces spreading via the MS08-067 vulnerability. Spreading functionality was removed in Conficker.C; the gang behind this may have realized they made a mistake and added it again.
The new variant does not have the domain generation algorithm that the previous variants have.
There's a possible connection to Waledac, a spambot. Some Conficker.C infected computers connected to a well known Waledac domain and downloaded Waledac from there.
There's also a connection to rogue anti-virus products as we've seen it end up on Conficker.C infected machines. The rogue product was SpywareProtect2009.
Conficker.E deletes itself if the date is May 3, 2009 or later. It does not delete Conficker.C though so that will remain on an infected computer.
Sounds complicated and strange? It is, and unfortunately nothing is easy when it comes to Conficker, so we'll continue to update this post as we find out more about its behavior. We have detected the new Conficker.E since yesterday, along with all the related files it downloads.
We see targeted attacks and espionage with trojans regularly. Here's a typical case.
A malicious Excel XLS file (md5: 3c740451ef1ea89e9f943e3760b37d3b) was emailed to a target - apparently to just one person.
When opened, this is what the XLS looked like:
However, in reality the malicious file had already exploited Excel and taken over the computer by the time you saw this.
The exploit code creates two new DLL files in the SYSTEM32 folder ("apimgr.dll" and "netserv.dll") and executes them.
These DLL files are backdoors that try to communicate back to the attackers, using these sites:
feng.pc-officer.com
ihe1979.3322.org
Right now, host ihe1979.3322.org does not resolve at all, and feng.pc-officer.com resolves to a placeholder IP (which is 63.64.63.64). The attackers can temporarily make the hostname resolve to the real IP address and then turn it back, to hide their tracks.
The domain name pc-officer.com is a weird one. It was registered back in 2006, and it has been used in targeted attacks before.
See this ISC blog entry from September 2007. There the attack was done via a DOC file instead of an XLS. And the reporting server was ding.pc-officer.com, not feng.pc-officer.com.
If you haven't read about Ghostnet yet, now would be a good time.
PS. We don't know what area is shown in the map image. If you do, please leave a Comment.
Updated to add, Wednesday the 7th of April:
We kept monitoring the host feng.pc-officer.com. As expected, it became alive for a short period yesterday.
The latest issue of Science publishes a research paper titled Understanding the Spreading Patterns of Mobile Phone Viruses.
The paper is by Pu Wang, Marta C. González, César A. Hidalgo and Albert-László Barabási.
Abstract:
We model the mobility of mobile phone users to study the fundamental spreading patterns characterizing a mobile virus outbreak. We find that while Bluetooth viruses can reach all susceptible handsets with time, they spread slowly due to human mobility, offering ample opportunities to deploy antiviral software. In contrast, viruses utilizing multimedia messaging services could infect all users in hours, but currently a phase transition on the underlying call graph limits them to only a small fraction of the susceptible users. These results explain the lack of a major mobile virus breakout so far and predict that once a mobile operating system's market share reaches the phase transition point, viruses will pose a serious threat to mobile communications.
The paper more or less ignores the effects of technical safeguards built into modern smartphone operating systems.
Another weird thing: the paper mentions that the reason why there haven't been more mobile outbreaks is that no smartphone operating system is dominant enough. Then in the next paragraph it mentions that Symbian has, oh, 65% market share of all smartphones.
In any case, an interesting paper. And lots of pretty pictures.
Since we posted a Conficker Q&A prior to April 1st, it wouldn't be right not to do one after the event.
Q: First off, how do I know if I'm infected? A: Joe Stewart has created a very simple test that's available at the Conficker Working Group's site. Click here to try it out. It's also available on his own site here. If it says you're infected you can find a bunch of removal tools on the same site, including F-Secure's.
Q: So April 1st came and went. Was there any doomsday activity, did the Internet break down? A: No. If it did you wouldn't be able to read this. And we never really expected anything to happen.
Q: So what really happened then, what was all the fuss about? A: Conficker.C was programmed to start generating a list of websites on April 1st in an attempt to download updates to itself.
Q: So why didn't something major happen then? A: Because the people behind Conficker didn't publish an update on any of the websites Conficker tried to contact.
Q: Was it a mistake on their part, did they forget about the April 1st activation date? A: Very unlikely. What really happened was that the Conficker Working Group was able to prevent them from registering any of the domains used by the worm. Never before have we seen such a global cooperation within the industry and we're proud to be a member of that group. Also, it would've been pretty stupid for the people behind Conficker to do something on the day everyone expected them to.
Q: But isn't it so that the worm can also update itself using the peer-to-peer (P2P) technology? A: That's right, it can. And it could've done this prior to April 1st.
Q: I didn't turn on my PC on April 1st so I should be OK, right? A: If your computer is infected then no, the worm will still be there and it will try to download updates to itself when you turn it on.
Q: Which countries are the most infected? A: China, Brazil, Vietnam, Russia, Indonesia, India, Philippines, Thailand, South Korea and Ukraine.
Q: What's this I've heard about two people arrested in Belarus in connection with Conficker? A: It was just an April Fools' joke. More here.
Q: So what happens now, can we forget about Conficker and worry about other things? A: No, not really. April 1st was just the activation date. Infected computers will continue to reach out to 500 websites daily in an attempt to update themselves. And let's not forget the P2P technology; the worm can update itself using that as well.
Q: So that means we'll have to deal with this for a long time? A: Yes, until all the computers are cleaned up or until the people behind it decide it's not worth it anymore. So we'll keep on monitoring the situation.
Q: What if I have more questions? A: Hopefully they're already answered by our previous Q&A. If not, make a comment to this post and we'll answer it for you.
So it's been April 1st for almost 18 hours now in New Zealand and it's the early hours of April 1st on the east coast of the United States. So what's going on? So far — nothing. Infected computers are generating the list of 50,000 domains and are attempting to contact 500 of those like we've described earlier, but so far no update has been made available (by the bad guys).
And we don't really expect one, at least not right now.
The Conficker worm is still creating headlines though as can be seen from the front page of cnn.com.