[SecurityRatty] tag: malicious

Windows, Office, Sharepoint, Among Products Getting Updates This Patch Tuesday

Thu, 04 Dec 2008 11:34:54 +0000

Microsoft's Security Bulletin Advance Notification for December 2008 says that there will be 8 bulletins and updates coming next Tuesday for a variety of Microsoft products. 6 of the bulletins have a maximum rating of Critical. One critical update affects all shipping versions of Windows. Another affects only Windows Vista and Windows Server 2008. One update for Internet Explorer is rated Critical for all versions of Windows, indicating that version 7 is affected. Another affecting Windows Media software is rated Important and affects all versions other than the Itanium-based server products. 4 other bulletins affect various Office and server-based products. One for Visual Basic affects only FrontPage and Project in Office, but also Visual Basic 6, Visual Basic.NET and Visual FoxPro. One fix for Microsoft Word is rated Critical for Office 2000 and 2007 (with or without SP1), but Important most everywhere else, including Office 2003. An Excel fix is Critical only on Excel 2000, and Important elsewhere. Lastly, a flaw in Sharepoint Server 2007 and an associated flaw in Search Server 2008 are both rated Important. There will also be the usual assortment of non-security updates: An update to the Junk Mail filter; a new version of the Malicious Software Removal Tool; an update to deal with legal changes in daylight savings time in various unspecified countries; and one which addresses application compatibility problems on Windows Server 2008.

Zeus Crimeware as a Service Going Mainstream

Thu, 04 Dec 2008 04:34:50 +0000

Since 100% transparency doesn't exist in any given market no matter how networked and open its stakeholders are, Cybecrime-as-a-Service (CaaS) in the underground marketplace went mainstream with the introduction of the 76service -- now available in Winter and Spring editions -- followed by a flood of copycats monetizing commodity services on the foundations of proprietary underground tools.

Originally launched as an invite only service where only trusted individuals would be able to take advantage of the malicious economies of scale concept, in August, 2008 copycats ruined the proprietary model of the 76service by tweaking the service and converging it with web malware exploitation kits of their choice. The output? Near real-time access to freshly harvested financial data, which when combined with their aggressive price cutting once again lowers down the entry barriers into this underground market segment.

Start from the basics. Intellectual property theft in the underground marketplace has been a fact for over an year now, with proprietary web malware exploitation kits leaking to the average cybercriminals who after a brief process of re-branding and layout changing, include their very own copyright notice. Upon obtaining the kits for which they haven't a cent/eurocent, it would be fairly logical to assume that they can therefore charge as much as they want for offering on demand access to them, thereby undercutting the prices offered by the experienced market participants. IP theft in the underground marketplace equals a volume sales driven cash cow that messes up the basics of demand and supply that the experienced cybercriminals consciously or subconsciously follow.

Not only is IP theft a reality, but also, among the very latest Zeus crimeware for hire services is charging pocket money for extended periods of time :

"[Q] What is ZeuEsta?
[A] ZeuEsta is a mix between the ZeuS Trojan and MalKit, A browser attack toolkit that will steal all information logged on the computer. After being redirected to the browser exploits, the zeus bot will be installed on the victims computer and start logging all outgoing connections.

[Q] How much does it cost?
[A] Hosting for ZeuEsta costs $50 for 3 months. This includes the following:

# Fully set up ZeuS Trojan with configured FUD binary.
# Log all information via internet explorer
# Log all FTP connections
# Steal banking data
# Steal credit cards
# Phish US, UK and RU banks
# Host file override
# All other ZeuS Trojan features
# Fully set up MalKit with stats viewer inter graded.
# 10 IE 4/5/6/7 exploits
# 2 Firefox exploits
# 1 Opera exploit"

We also host normal ZeuS clients for $10/month.
This includes a fully set up zeus panel/configured binary"

Think cybercriminals in order to anticipate cybercriminals. Would a potential cybercriminal purchase a crimeware kit for a couple of thousand dollars, when they can either rent a managed crimeware service, or even buy a gigabyte worth of stolen E-banking data for any chosen country, collected during the last 30 days? I doubt so, and factual evidence on the increasing number of such services confirms the trend - in 2009 anything cybercrime will be outsourceable.

Related posts:
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw
Crimeware in the Middle - Zeus

Related underground marketplace posts:
Will Code Malware for Financial Incentives
Coding Spyware and Malware for Hire
Malware as a Web Service
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Inside a Managed Spam Service
Dissecting a Managed Spamming Service
Segmenting and Localizing Spam Campaigns
Localizing Cybercrime - Cultural Diversity on Demand
Localizing Cybercrime - Cultural Diversity on Demand Part Two

Firefox users targeted by rare piece of malware

Thu, 04 Dec 2008 02:00:00 +0000

Researchers at BitDefender have discovered a new type of malicious software that collects passwords for banking sites but targets only Firefox users.

Firefox users targeted by rare piece of malware

Wed, 03 Dec 2008 21:00:00 +0000

Researchers at BitDefender have discovered a new type of malicious software that collects passwords for banking sites but targets only Firefox users.

Online Finance Flaw: TIAA-CREF XSS & Potential CSRF

Wed, 03 Dec 2008 06:42:00 +0000

Before discussing a TIAA-CREF security flaw, allow me to clarify my "terms of engagement".
Prior to offering analysis of any security flaws in online financial services, be assured I have engaged the service provider and offered what I believe to a reasonable amount of time to remedy this issue. Specifically, a minimum of two weeks and three unique contact attempts are made. Should the vendor offer a timeline in which the issue will be resolved, so long as it is not months or years, I will wait until they are ready to deploy the fix, then discuss the vulnerability. If I am not in receipt of a reply other than generic customer service replies, I will follow the two week standard, then discuss the issue.

TIAA-CREF, or the Teachers Insurance and Annuity Association - College Retirement Equities Fund, is a respected, widely utilized provider of numerous financial products and services. The TIAA-CREF site is ranked 26,148 on Alexa.com at the time of this writing.

I'll first direct you to the TIAA-CREF Security page, where they discuss the expected elements like identity theft, spoofing, tips, and my favorite, phishing.
Here's where the trouble begins. Obviously, most phishing occurs when some miscreant creates a fake page and attempts to lure victims via email.
The severity of phishing risks are greatly increased by the introduction of a cross-site scripting (XSS) vulnerability in a site that is of high value to phishing attackers.
With such a vulnerability available, the prospect of success for a phisher are much higher given that the malicious URL they would craft could include the actual target domain, rather than a faked misrepresentation. A simple script insertion at the vulnerable variable would then allow the attacker to redirect victims to a maliciously crafted logon page in the context of the vulnerable site.
Sad side note: when you search security at the TIAA-CREF site, the above mentioned Security page is not returned in the results as I write this.
However, the resulting search URL serves as the starting point for our discussion of the flaw:
http://www.tiaa-cref.org/explore/portlets/search.jsp?query=security&strtfrm=1&totpresults=75&srchtype=4&sc=1&frmsite=0
The vast majority of non-search input variables on the TIAA-CREF site offer reasonable XSS protections, likely a blacklist method that redirects you to the following language when common XSS strings are noted, particularly where it counts at logon pages.
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
Unfortunately, this methodology was not deployed globally, and thus the following online finance flaw.
All input variables used in TIAA-CREF's search.jsp script are vulnerable to XSS.
Utilized by an attacker, this could have a much more significant impact on TIAA-CREF customers who fall victim to a now more convincing social engineering effort.
Here's the site before script insertion:

Here's the site after script insertion:

Further, certain parts of the site, including the Trust Company logon page, show potential signs of cross-site request forgery (CSRF) in that they accept updates via GET or allow submittal with the referrer stripped.

Lessons learned:
1) Don't assume all is well even though a site may offer examples of how attentive they are to security.
2) Never log on to an online financial service offering (or anything else for that matter) via a link sent to you in an email. Period.
3) Take all steps at your disposal to ensure you are logging in to and transacting with the actual site you intended to utilize. Don't depend on security badges and SSL certificates as your sole means of confirmation.
4) If you note something of concern at a site you utilize, advise them immediately and demand repair or clarification until you're satisfied.

Please feel free to send feedback to TIAA-CREF as I have per my "terms of engagement" above. Hopefully they'll resolve this issue soon, on behalf of customers in their care.

Up next in our series, two of the top five banks mentioned in Javelin Strategy & Research's Banking Identity Safety Scorecard are vulnerable to similar issues.

del.icio.us | digg | Submit to Slashdot

It makes good sense to just re-install

Tue, 02 Dec 2008 13:35:34 +0000

This article offers a different approach to fighting malware infections.
There is that stigma that users have with a re-install, they are not familiar with how to do it. Many dont even know if they have a restore CD that may have come with their puter when they bought it.

clipped from www.isyougeekedup.com

The Only Way To Permanently Remove Viruses, Spyware, and Malicious Code

If you ask any experienced and competent IT professional what to do about an infected system, they should only give you one answer: format your hard drive and reinstall your operating system.? Why skip straight to the format/reinstall and disregard the anti-virus and anti-spyware removal tools?

Actns/Swif.T virus found in YouTube videos

Tue, 02 Dec 2008 07:51:00 +0000

TOOLS FOR FLASH ANALYSIS

Breaking news regarding malicious Flash popping up from YouTube is starting to break all over the Internet.
CrunchGear has a bit of a write-up on it.
Rather than sound off about what will become old news quickly, I'd like to point you to resources I use to analyze (or have the analysis done for me, to be more concise) malicious Flash or JavaScript.
I grabbed the evil .swf in question from the URL below via command-line on my trusty Ubuntu box:
wget hxxp://www.youtube.com/v/O7tB1pYSNuE&rel=1
I then fed l.swf to Adops Tools and Wepawet.
The results from each analysis are below for your review.
Note System.security.allowDomain("*").
Not good. ;-)
Adops Tools Results
Wepawet Results
Use in good faith, but always be careful grabbing the evil .swf.

del.icio.us | digg | Submit to Slashdot

Rock Phish-ing in December

Tue, 02 Dec 2008 04:12:31 +0000

Nothing can warm up the hearth of a security researcher than a batch of currently active Rock Phish domains, fast-fluxing by using U.S based malware infected hosts as infrastructure provider. What is this assessment of currently active Rock Phish campaign aiming to achieve? In short, prove that the people that were Rock Phish-ing at the beginning of the year, are exactly the same people that continue Rock Phish-ing at the end of the year, thereby pointing out that as long as they're not where they're supposed to be, they are not going to stop innovating and working on a higher average online time for their campaigns.

What's particularly interesting about this campaign, is that compared to previous ones targeting multiple brands, the thousands of malware infected hosts and domains are targeting Alliance & Leicester and Abbey National only.

Active Rock Phish Domains in fast-flux :
stgsfw7sr .com
q06ciwt60 .com
jnlyf96v4 .com
neegzlh35 .com
7azwmrsg5 .com
pn3ekq976 .com
2coxi8sb6 .com
d8ri1iz5d .com

ki7wvgauf .com
5nt5r3keh .com
5nt29884j .com
bgoryomek .com
a725jv8ik .com
fke5nnp8m .com
stgsfw7sr .com
10c0ka49t .com
zp304ju3z .com
j0rykafwn .cn
2j1f .net

confirm-updates .com
paypal.confirm-updates .com
user-data-confirmation .com
paypal.user-data-confirmation .com
capitalone.updating-informations .com

Sample sub-domain structure :
mybank.alliance-leicester.co.uk.7azwmrsg5 .com
mybank.alliance-leicester.co.uk.bgoryomek .com
mybank.aliance-leicester.co.uk.stgsfw7sr .com
mybank.alliance-leicester.co.uk.zp304ju3z .com
mybank.alliance-leicester.co.uk.5nt29884j .com
mybank.aliance-leicester.co.uk.bgoryomek .com
mybank.alliance-leicester.co.uk.bgoryomek .com
mybank.aliance-leicester.co.uk.stgsfw7sr .com
mybank.alliance-leicester.co.uk.stgsfw7sr .com
mybank.aliance-leicester.co.uk.zp304ju3z .com
mybank.alliance-leicester.co.uk.zp304ju3z .com
myonlineaccounts2.abbeynational.co.uk.pn3ekq976 .com
myonlineaccounts1.abeynational.com.pn3ekq976 .com

DNS servers for the campaigns :
ns1.thecherrydns .com
ns2.thecherrydns .com
ns3.thecherrydns .com
ns4.thecherrydns .com
ns5.thecherrydns .com
ns6.thecherrydns .com

ns10.realgoodnameserver .com
ns1.realgoodnameserver .com
rens2.realgoodnameserver .com
rns3.realgoodnameserver .com
ns4.realgoodnameserver .com
ns8.realgoodnameserver .com

ns6.myboomdns .com
ns4.myboomdns .com

Domains registrant :
Name : Pan Wei wei
Organization : Pan Wei wei
Address : BaoChun Rd. 27, No. 3, 1F, Apt. 1903
City : Bejing
Province/State : Beijing
Country : CN
Postal Code : 100176
Phone Number : 010-010-58022118-58022118
Fax : 86-010-58022118-58022118
Email : 127@126.com

These well known Rock Phish campaigners, have been naturally multitasking on several different underground fronts throughout the year. For instance, their 2j1f .net is known to have been hosting money mule company's site, and also, it was used in a previously analyzed phishing campaign that was spreading across Facebook in June. Need more evidence on the consolidation that's been ongoing for over an year and half now? An infamous money mule recruiting company (Cash-Transfers Inc.) was also taking advantage of the fast-flux network offered by the ASProx botnet masters in July.

As a firm believer in that "the whole is greater than the sum of its parts", the popular "sitting duck" cybercrime infrastructure hosting model will be either replaced by a cybercrime infrastructure relying entirely on legitimate services, or one where the average malware infected Internet user would be temporarily used as a hosting provider.

If millions were made by using the "sitting duck" hosting model, how many would be made using the others, given that they would inevitably increase the average online time for a malicious campaign?

Related Rock Phish research :
209 Host Locked
209.1 Host Locked
66.1 Host Locked
Confirm Your Gullibility
Assessing a Rock Phish Campaign

Related fast-flux research :
Fast-Flux Spam and Scams Increasing
Fast Fluxing Yet Another Pharmacy Scam
Storm Worm's Fast Flux Networks
Managed Fast Flux Provider
Managed Fast Flux Provider - Part Two
Obfuscating Fast Fluxed SQL Injected Domains
Storm Worm Hosting Pharmaceutical Scams
Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Yet Another Web Malware Exploitation Kit in the Wild

Tue, 02 Dec 2008 03:24:43 +0000

With business-minded malicious attackers embracing basic marketing practices like branding, it is becoming increasingly harder, if not pointless to keep track of all XYZ-Packs currently in circulation. How come? Due to their open source nature allowing modifications, claiming copyright over the modified and re-branded kit, the source code of core web malware exploitation kits continue representing the foundation source code for each and every newly released kit.

In fact, the practice is becoming so evident, that anecdotal evidence in the form of monitoring ongoing communications between sellers and buyers reveals actual attempts of intellectual property enforcement in the form of exchange of flames between an author of a original kit, and a newly born author who seems to have copied over 80% of his source code, changed the layout, re-branded it, added several more exploits and started pitching it as the most exclusive kit there is available in the underground marketplace.

What's new about this particular kit anyway? Changed iframe and js obfuscation techniques, doesn't require MySQL to run, with several modified Adobe Acrobat and Flash exploits - all patched and publicly obtainable. This is precisely where the marketing pitch ends for the majority of malware kits released during the last quarter.

As always, there are noticable exceptions to the common wisdom that time-to-underground market isn't allowing them to innovate, but thankfully, these exceptions aren't yet going mainstream. What is going to change in the upcoming 2009? Web malware exploitation kits are slowly maturing into multi-user cybercrime platforms, where traffic management coming from the SQL injected or malware embedded sites is automatically exploited with access to the infected hosts or to the traffic volume in general offered for sale under a flat rate, or on a volume basis.

Converging traffic management with drive-by exploitation and offering the output for sale, all from a single web interface, is precisely what malicious economies of scale is all about.

Related posts:
Cybercriminals release Christmas themed web malware exploitation kit
New Web Malware Exploitation Kit in the Wild
Modified Zeus Crimeware Kit Gets a Performance Boost
Zeus Crimeware Kit Gets a Carding Layout
Web Based Malware Emphasizes on Anti-Debugging Features
Copycat Web Malware Exploitation Kit Comes with Disclaimer
Web Based Malware Eradicates Rootkits and Competing Malware
Two Copycat Web Malware Exploitation Kits in the Wild
Copycat Web Malware Exploitation Kits are Faddish
Web Based Botnet Command and Control Kit 2.0
BlackEnergy DDoS Bot Web Based
A New DDoS Malware Kit in the Wild
The Small Pack Web Malware Exploitation Kit
The Nuclear Grabber Kit
The Apophis Kit
Nuclear Malware Kit
The Random JS Malware Exploitation Kit
Metaphisher Malware Kit Spotted in the Wild

A Diverse Portfolio of Fake Security Software - Part Fourteen

Thu, 27 Nov 2008 04:47:55 +0000

You didn't even think for a second that the supply of typosqutted domains serving packed and triple crypted to the point where the binary is not longer executing, fake security software domains is declining? With the upcoming holidays and the usual peak of web traffic, malicious activity on all fronts is prone to increase during December. YEWGATE LTD, Sawert Alliance, and Sagent Group, personal favorites affiliate participants in a revenue sharing program for serving fake security software, try to maintain a decent rhythm in their typosquatting process, always worth taking a peek at. The very latest rogue security software additions include :

micro-antiv2009 .com (91.208.0.223)
micro-antivir2009 .com
micro-antivirus-2009 .com
micro-av-2009 .com

Sawert Alliance
Peltonen Martti seodancer@gmail.com
33 New Road, Upper Flat
Belize City
Belize
Tel: +7.9602578790

avmyscan .com (91.203.92.186; 78.157.143.184)
go-your-scan .com
bestproscan .com
avproscan .com
goyourscan .com
iabestscan .com
avmyscan .com
best-scan-pro .com
avscan-pro .com
bestscanner-pro .com
avscanpro .com
iascannerpro .com

Jaroslav Voltz
Email: mensfult@gmail.com
Organization: Private person
Address: Biskupsk 9
City: Praha
State: Praha
ZIP: 11000
Country: CZ
Phone: +420.2224811382

virus-labs2009 .com (66.232.113.62)
virus-trigger .com
virusresponse2009 .com
virusresplab .com
virus-response .com

Roman Spitsikov
Uus-Sadama 12
Tallinn, Tallinn 10120
Estonia
Roman.Spitsikov@gmail.com

virusremover2008plus .com (77.245.61.80; 93.190.139.229)

Sagent Group (sergbelo@gmail.com)
Brignal Solutions
P.O. Box 3469 Geneva Place, Waterfront drive
Road town, BVI
BZ
+1.14193017015

antivirus-pro-scan.com (84.243.197.183)
anti-virus-defence.com
protection-livescan.com

Aleksey Kononov cndomainz@yahoo.com
+74954538435 fax: +74954538435
ul. Yakimanskay 34-56
Moskva Moskovskay oblast 112745
ru

rapidantivir .com (91.208.0.220)
rapidantivirus-2009 .com
securityscanner2009 .com
rapidantivirus2009 .com
rapid-antivir .com
extraantivir .com
rapid-antivirus .com
rapidantivirus .com

Sawert Alliance
Peltonen Martti seodancer@gmail.com
33 New Road, Upper Flat
Belize City
Belize
Tel: +7.9602578790

sgscanner .com (116.50.14.185)
sguardscan .com
scansguard .com
getsg2008 .com