Symantec Blogs: Security Response

Liam O Murchu | November 16th, 2009

Finally, some help with explaining Internet security to my non-geek friends! The Guide to Scary Internet Stuff video series will hopefully make my life a little easier. Explaining the intricacies of Internet security is a challenging task. I often have difficulty explaining to my non-technical friends and relatives why they need to know about risks on the Internet. On top of that, I sometimes discover that my advice has fallen on deaf ears as I inevitably fix their computers after a click on a spam or phishing link, or after they have not run Windows Update or updated their antivirus software in a while.

Although this is not the normal technical type of material that we post here on the Security Response blog, when Dominic Cook from our UK PR team showed me these, I immediately thought they were worth a post. The animations are fun, but most of all I think my friends will understand them, remember some of the advice,...

Liam O Murchu | April 25th, 2008

The problem: You develop a software package that you want to sell in the underground community. However, your buyers are not the most reputable/trustworthy people. How do you prevent your product from being purchased once and then distributed freely afterwards? How do you enforce your “copyright”?

The solution: Ask the antivirus companies to help you out.

Here is a perfect example. The screen shot below is taken from a typical underground software package. Shown in the screen shot are the terms and conditions of the sale—the “licensing agreement.” Yes, that’s right; some underground packages come with a licensing agreement. The document is written in Russian, but a translation is provided below.


...

Liam O Murchu | August 1st, 2007

Brazil is the home of the infamous Infostealer.Bancos family of malware. Recently, however, we have seen a more diverse number of sites - beyond just banking sites - coming into the crosshairs of the Brazilian malware gangs. Is the recent W32.Imcontactspam worm another of their creations?

The worm is Brazilian and spammed the infected users’ MSN contacts with email advising them that they had received an electronic greeting card. We see these types of worms quite often; however, what caught our attention were the similarities between the techniques this worm uses and the techniques used by the Infostealer.Bancos family of trojans.

When executed, the worm does the following:

  1. Minimizes the real MSN Messenger login window;
  2. Displays a fake Portuguese language MSN login screen;
  3. Records the username and password that is typed;
  4. Displays the real MSN Messenger login window (user must re-type password);
  5. Records the email address of all...

Liam O Murchu | July 19th, 2007

There have been a lot of rumours and discussions about the recent Adobe Flash Player Remote Code Execution vulnerability. The most interesting thing is that it is a cross-platform vulnerability. Because Flash can run in different browsers and on many different platforms, the discovery of this one vulnerability could leave all those operating systems and devices that are Flash-enabled (including, for example, some advanced smartphones) open to the attack.

The vulnerability has already been tested on Windows, Apple Mac, and some Linux distributions, but many other devices that are Flash-enabled could be affected by the problem too. For example, we verified that the Nintendo Wii gaming console is also affected. The Wii has an Internet channel that runs a special version of the Opera browser with Flash, and yes… we verified that it is affected by the problem too! The Wii console completely hangs while...

Liam O Murchu | March 8th, 2007

A threat that we see very frequently in the lab is the back door named Backdoor.GrayBird or Backdoor.HuiPigeon. Today, I will shed some light on this back door, both to show how easy it has become to create a powerful back door with a rich feature set, and also to show why we see so much of this particular back door.

Backdoor.Graybird gets its name from the Chinese company that makes the product, whose name translates to Gray Bird. It is a commercial Chinese remote access tool that sells for about $100 for a 100-user license. It can be configured to run silently on the victim's machine and is normally distributed via email or via drive-by downloads. (If sent via email, the user still needs to execute the file.) It can be packed to make each sample unique and, most recently, NsAnti has been the packer of choice.

Backdoor.Graybird is very popular in underground Chinese hacking forums, partly because it is all written in Chinese, so it is easily understood, and also because cracked...

Liam O Murchu | February 23rd, 2007

Mirror, mirror on the wall, who is the lamest of them all? The attacker behind this scheme hopes to find out where all the l4m3rs are (his words, not mine). In a classic social engineering attack, customers have been reporting that they have received an unusual piece of spam recently.

The mail is supposedly from a hosting or colocation company and says something along the lines of this:

Dear COMPANYNAME Inc. Valued Members,

Regarding our new security regulations, as a part of our yearly maintenance we have provided a security guard script in the attachment.

So, to secure your Web sites, please use the attached file and (for UNIX/Linux Based servers) upload the file "guard.php" in: "./public_html"
or (for Windows Based servers which use ASP) upload the file "guard.asp" in: "./wwwroot" in your site.
[instructions included]
Thank you for using our services and products. We look forward to providing you with a unique and high quality...

Liam O Murchu | January 25th, 2007

Spoke is a community for sales and marketing professionals (home users would probably not have much use for the site or software). Spoke makes a sales/marketing tool that helps find contacts in companies across North America. For example, a sales team can search for a company in the Spoke database and find the names and titles of different employees in the company. This makes it clearer who to contact within that company in order to sell/market a product.

The Spoke database cuts down on the amount of time spent searching online, cold calling, and searching the phone book to find a useful and correct contact in a company. As well as providing information about contacts within a company, Spoke also calculates relationships that you and other users have to each other, so that you can perhaps find a contact of yours who already has a relationship with someone at your target company and who could possibly provide a friendly introduction. Spoke is essentially a data...

Liam O Murchu | January 11th, 2007

We regularly see Brazilian Bancos samples that try to steal the credentials of Brazilian bank users. These are generally delivered via spam or drive-by downloads. However, recently a different form of threat was spotted that specifically targets Brazilian users.

W32.Selfish is a file infector that checks what your default language pack is and only proceeds to execute its payload if you are using the Brazilian Portuguese Language pack. If you are using a different language pack, W32.Selfish will simply execute the infected host file and exit.

When W32.Selfish is executed on a Brazilian machine, it tries to download a file from the internet and execute it. At the time of writing, this file is not accessible, so it is uncertain whether it will download a Brazilian bank password stealer. However, the emergence of this threat does show that Brazil is being specifically targeted by online criminals. Not only does this show that criminals are targeting Brazil, but it...

Liam O Murchu | November 15th, 2006

While analyzing a sample of W32.Graybird recently, I noticed a request for a picture from a well-known photo hosting site. The picture was of a cute fluffy bird (not gray, though) ;-) holding a bunch of roses (see below). The request seemed unusual and caught my attention.

[Image: bird2.jpg]

Why was a back door connecting to a photo hosting site and requesting a picture like this? We often see threats connecting out for what appears to be a picture, but what is downloaded is actually an executable. In this case, it really was a picture that was downloaded. In other cases, the downloaded picture may contain executable code hidden within it, but here there was no executable code found inside either.

Upon closer inspection, a URL was found appended to the end of the image. The Graybird sample was downloading the image and...

Liam O Murchu | September 13th, 2006

There is a relatively new annoyance called "spim" that seems to be popping up on our screens more frequently. Spim is the equivalent of spam (unsolicited email, usually selling snake oil) that is delivered over instant messaging clients. After recently receiving more spim, which was advertising what I believed to be a spyware product, it occurred to me that the best tricks are still the oldest ones. With the recent attention that spyware applications are receiving, it is easy to overlook some of the simpler, more direct methods of spying. Spyware applications are not the only way people can catch their spouses cheating (!). The spim message I received was advertising a “catch your spouse cheating service”. No download necessary, no application to install, no hidden software on your spouse’s computer.

The service is based strictly on social engineering. It is a “very straightforward service”, as it is explained on their Web site. For a fee of only...

Liam O Murchu | June 13th, 2006

I would never associate the phrase "good ethics" with rogue anti-spyware. Maybe "questionable ethics" or, indeed, "no ethics" are phrases that would be more appropriate! We encounter questionable ethics every day in the lab, especially when dealing with rogue applications. I will provide some information below on one of the best examples of rogue anti-spyware we have seen in the lab, called "Punisher".

Symantec detects this rogue application as Punisher, but it is also known as Remedy AntiSpy, SystemStable, HitVirus, and Adware Bazooka in the industry. Rogue applications often employ a technique of using various guises, where the application will be advertised and distributed using seemingly different software applications that all turn out to be exactly the same (except, perhaps, a different skin).

We made...

Liam O Murchu | May 21st, 2006

It is so great to now have the opportunity to choose how to receive your adware. In the past, drive-by downloads were targeted exclusively towards Internet Explorer (IE) users and indeed, many people changed to Firefox or Safari browsers specifically because of this fact. But now you can choose which browser you want to use to be hit with your least favourite adware!

When people contemplated moving from IE to Firefox, it didn’t matter whether Firefox was measurably safer than IE or not; the simple fact that the bad guys weren’t targeting it made it far more secure in practice. Those heydays have long since disappeared. In the Symantec labs we still see a greater number of drive-by downloads solely targeting IE; however, we often see sites that will detect which browser you are using and then serve you your specific poison. Moreover, there have been several vulnerabilities discovered that can affect applications that are common across all Internet browsers (such...