StopBadware.org RSS
Regaining Control of Our Computers
 

Trojan Horses Nip at Apple Vulnerabilities

Posted by Laureli Mallek Mon, 23 Jun 2008 19:34:00 GMT

Software company Intego found this Mac Trojan masquerading as a poker game. The Trojan transmits the user’s name, password, and IP address to an external server; it obtains the password through a simple piece of social engineering, a dialog reading:

“A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. Once malicious users have ssh access to a Mac, they can attempt to take control of it, delete files, damage the operating system, or much more.

Computer World wrote on Friday that SecureMac reported finding another Trojan circulating in the wild. “Its researchers had found a Trojan horse, dubbed ‘AppleScript.THT,’ being distributed from a hacker-operated site where discussions of spreading the malware via iChat, Apple’s instant messaging and video chat software, were also taking place.” Updating that warning today, SecureMac shared that the source code for the Trojan has been distributed, which increases the likelihood of derivative Trojans appearing soon. They write:

“The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items… Once installed, the Trojan horse turns on File Sharing, Web Sharing, and Remote Login. If the filename of the Trojan horse has not been changed, it can be located in the /Library/Caches folder under the name AStht_06.app.”
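The SecureMac description above gives enough indicators to check a Mac by hand: the file names, the folder they land in, the login item, and the three sharing services that get switched on. The following script turns those indicators into a repeatable check. It is an added example for this post, not code from StopBadware, SecureMac or Intego; the file and folder names come from the advisory, while the launchd job labels used to recognise Remote Login, Web Sharing and File Sharing, and the AppleScript query used to list login items, are my assumptions and should be verified on the machine being examined. A sharing service being enabled is not by itself evidence of infection, so the script reports each finding separately rather than giving a verdict.

```python
import os
import shutil
import subprocess

# File and folder names quoted from the SecureMac advisory.
CACHES_DIR = "/Library/Caches"
TROJAN_NAMES = ("ASthtv05", "AStht_v06", "AStht_06.app")

# Sharing services the advisory says the Trojan switches on, mapped to the
# launchd job labels those services use on Mac OS X (assumption: check the
# labels against `launchctl list` on the machine being examined).
SERVICE_LABELS = {
    "Remote Login": "com.openssh.sshd",
    "Web Sharing": "org.apache.httpd",
    "File Sharing": "com.apple.AppleFileServer",
}


def _stem(name):
    """Lower-case a name and drop a trailing '.app' so bundle and bare names compare equal."""
    name = name.strip().lower()
    return name[:-4] if name.endswith(".app") else name


def find_trojan_files(caches_dir=CACHES_DIR, names=TROJAN_NAMES):
    """Return full paths of indicator names present directly inside caches_dir."""
    try:
        entries = {_stem(e): e for e in os.listdir(caches_dir)}
    except OSError:
        return []  # directory missing or unreadable: nothing to report
    hits = {os.path.join(caches_dir, entries[_stem(n)]) for n in names if _stem(n) in entries}
    return sorted(hits)


def suspicious_login_items(login_items, names=TROJAN_NAMES):
    """Return the login items whose name matches an indicator, ignoring case and '.app'."""
    stems = {_stem(n) for n in names}
    return [item for item in login_items if _stem(item) in stems]


def read_login_items():
    """Ask System Events for the current user's login items (macOS only; [] elsewhere)."""
    if shutil.which("osascript") is None:
        return []
    # Assumption: osascript prints the names as one comma-separated line.
    script = 'tell application "System Events" to get the name of every login item'
    result = subprocess.run(["osascript", "-e", script], capture_output=True, text=True)
    return [s.strip() for s in result.stdout.split(",") if s.strip()]


def enabled_services(launchctl_output, labels=SERVICE_LABELS):
    """Given the text of `launchctl list`, name the sharing services whose job is loaded."""
    return [service for service, label in labels.items() if label in launchctl_output]


def scan(caches_dir=CACHES_DIR, login_items=None, launchctl_output=None):
    """Run all three checks; each finding is a (check, detail) pair.

    login_items and launchctl_output can be passed in (for testing or for
    examining data collected from another machine); when omitted they are
    read from the local system where the tools exist.
    """
    findings = [("file", p) for p in find_trojan_files(caches_dir)]
    items = read_login_items() if login_items is None else login_items
    findings += [("login item", i) for i in suspicious_login_items(items)]
    if launchctl_output is None and shutil.which("launchctl"):
        launchctl_output = subprocess.run(["launchctl", "list"],
                                          capture_output=True, text=True).stdout
    findings += [("service on", s) for s in enabled_services(launchctl_output or "")]
    return findings


if __name__ == "__main__":
    for check, detail in scan() or [("ok", "no indicators found")]:
        print(f"{check}: {detail}")
```

Run it as an administrator so that /Library/Caches is readable. Because the advisory notes that a renamed copy would not be found by name, treat a clean file check together with a freshly enabled Remote Login as a reason to look further rather than as a clean bill of health.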

Sandi, blogging at Spyware Sucks, opines that Trojans like this demonstrate that social engineering transcends computer platforms. She emphasizes that sharing information about badware can help to build and reinforce a level of user awareness and suspicion about entering personal information while downloading software (and ideally when deciding to download software in the first place). Sandi also comments on complaints that these Trojans were discovered by companies developing Apple security products.

While there may be a financial benefit to those companies, the goal of the security community is to maintain computers as free of badware as possible, and sharing information about risks with professionals and users-at-large focuses attention on problems so that they can be solved or avoided as efficiently as possible.


Scammers Aiming Straight for the Money

Posted by Laureli Mallek Wed, 04 Jun 2008 15:44:00 GMT

Targeted spear phishing campaigns are using money to lure victims. Brian Krebs blogged this week about a two-part spear-phishing attack targeting small and medium-sized businesses. The attack focuses on circumventing the two-factor authentication used in online banking.

The scam begins with an email containing specific information about the user, their business, and the bank. This email requests that users click to view or download an attached object, which installs a keylogger, according to iDefense, and a browser helper object enabling attackers to modify webpages in real time. When a user with an infected computer attempts to log into their bank account, Krebs writes that a “message is inserted into the body of the bank’s actual Web page.” The interstitial message appears to originate from the bank since it is displayed within the body of the bank’s website, and requests that the user wait 15-30 minutes before logging on. The attackers use this time, after they have intercepted the user’s authentication information, to empty the associated bank accounts.

Quoting Matt Richard, of iDefense, “If a bad guy has malicious code on a customer’s machine, no matter what you do, he’s going to have some way to get in to the customer’s account. The best you’ll be able to do is try to stop the money transfers.”

As something of a coup de grace, Krebs writes “Before the Trojan download, the attacker attempts to get the user to install their bogus root CA certificate with the ‘VeriSign Trust Network’ name.” Combining malware with a new root certificate makes it easier for the attacker to re-infect a computer in the future. Sunbelt has also spotted fake banking certificates in their blog.

In a similar attack noted by McAfee’s Avert Labs last month, a number of spear phishing emails have been playing on a ubiquitous fear: the Tax Court. So many of these emails spoofing petition requests have been received that the US Tax Court website provides a clear warning that “[t]he Tax Court is not disseminating any e-mail notice to anyone who currently has a case before this Court.”

Kevin McGhee writes, “The scammers do their homework when it comes to spear phishing. Instead of pumping out millions of emails to anybody and everybody, spear phishers send out their scams only to people they know will be susceptible to the scam. In this case a top executive–rather than the average employee–is much more likely to be involved in a court case of this nature.”


Drive-By-Download Follows on Heels of Fake Media Download

Posted by Laureli Mallek Tue, 13 May 2008 20:13:00 GMT

Over the last several weeks, users downloaded more than they were bargaining for from several P2P networks. TechNewsWorld reported McAfee Avert Labs’ finding that more than 500,000 computers have been infected. Users download a fake MP3 file labeled as a song by a legitimate music group; opening it triggers a request to download a codec that promises free MP3s. By clicking through the EULA and authorizing the download, users actually install a host of executables.

Craig Schmugar, a researcher for McAfee Avert Labs, wrote on that blog, “In the end you’re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads.” During further investigation, Schmugar found that hundreds of infected files were circulating on the internet. Many of the sites they pointed to were freemp3player.com or “different sites distributing adware and others still pose as codec installers that when run, display fake error messages and download and silently install tons of files.” The fake MP3 files were actually ASF files instructing media players to navigate to specific URLs rife with downloads that further compromise users’ computers.

More recently, Trend Micro researcher Ivan Macalintal found a malicious script inserted into “various Web sites believed to be either using poorly implemented phpBB, or are using older, exploitable versions of the said program.” The drive-by download directed users to a compromised site which downloaded TROJ_ZLOB.CCW onto unprotected computers. Trend Micro notes that Zlobs in general, and this one in particular, change DNS and browser settings, which further opens the computer to future infections.

Both of these incidents reinforce the need to keep your security software updated. Downloading files from unknown sources carries with it inherent risk. Badware production has developed into an expanding economy that relies on a sense of inherent security associated with internet use.

Click safely!


Two Interesting Security Challenges

Posted by Laureli Mallek Fri, 25 Apr 2008 18:55:00 GMT

Two noteworthy exploits have surfaced recently. This blog post covers, first, a server-based attack tool and, second, the discovery of a now-patched vulnerability in Flash.

First:

Tornado, a web-based exploit tool, can exploit more than a dozen browser vulnerabilities. ITNews Australia explains that the tool “is commonly installed on a server by a single ‘administrator,’ who then offers accounts on the server to other attackers.” This structure keeps the proprietary code in the hands of the seller and protects it from being released “underground.”

The seller is also able to discriminate between clients, which Liam O’Murchu, a Symantec researcher, cites as a reason that the exploit kit has remained undiscovered for so long. Shaun Nichols of ITNews writes that Tornado “offers attackers a full set of traffic statistics and options for selecting which exploits can be conducted.”

Second:

Robert Jaques reports for ITNews that a new Flash vulnerability has been discovered by Tier-3. The issue arises from NULL pointers: pointer values that refer to no valid object, so that code which uses one without first checking for it ends up reading or writing a fixed, predictable location in the computer’s memory. Geoff Sweeney, an executive at Tier-3, is quoted as saying,

“Buffer overflows are still an issue, but they are a problem that has been tackled by the industry for many years. NULL pointer de-referencing has not received anywhere near the same level of attention, which means that users need to be more vigilant than ever.”

A recent paper by Mark Dowd, a researcher at IBM Internet Security Systems, provides a detailed example of this type of exploit. The Matasano Chargen blog explains Dowd’s achievement while claiming that Dowd was “sent back through time to kill the mother of the person who will grow up to challenge SkyNet.” And his accomplishment does inspire some awe. In brief:

“Dowd’s exploit uses a NULL pointer write32 to knock the locks off the bytecode interpreter in Flash, so that his SWF file can run bytecode that will rewrite the system stack.”

So the NULL pointer gives Dowd the entry point for his exploit, and that entry point exists in both Internet Explorer and Firefox, which have compatible internal addressing, as well as on Vista.

According to DailyTechNotes, Adobe has already released a patch for the vulnerability, and you should download it now. They explain the risk:

“Vulnerabilities in various online software is nothing new. But what makes vulnerability in flash so much damaging is that flash is installed on almost all browsers and it is independent of the operating system you are running.”


18-year-old New Zealander was Infamous Bot Herder

Posted by Laureli Mallek Tue, 08 Apr 2008 15:30:00 GMT

Owen Thor Walker, an 18-year-old whose online alias was Akill, has admitted responsibility for invading a network of 1.3 million computers, causing havoc at the University of Pennsylvania in 2007, and skimming an as-yet unknown amount of money from banks in the Netherlands.

The incident at UPenn occurred when Walker and Ryan Goldstein were attempting to update their botnet. While the denial of service attack affecting UPenn was accidental, it did lead to the arrest of Goldstein, who in turn directed police to Walker. The New Zealand Herald writes “While the New Zealand police were waiting for the FBI to finish its investigations” the NZ police began investigating several large deposits into Walker’s bank account. These were traced to ECS International, a company reported to be connected with similar situations. Walker claims to have sold his code to other people, and no one seems to know what happened to the skimmed money.

According to Technology Review, eight people have been indicted, pleaded guilty, or been convicted, and an additional 13 warrants have been issued in the United States and abroad in association with this case. Walker’s supposed role as “kingpin” has not led to additional charges. ITNews Australia writes that Judge Arthur Tompkins “would not be considering a custodial sentence” due to Walker’s youth when writing the code (he claims to have been 15 at the time).

Botnets are devious. The New Zealand police are quoted by NZ Herald as saying Walker’s code is “considered by international cyber crime investigators to be among the most advanced bot programming encountered,” as it spread automatically, disabled anti-spyware software, deleted rival bots, and functioned mostly without detection. The Anti-Spyware Coalition provides an excellent definition of botnets:

A type of Remote Control Software, specifically a collection of software robots, or “bots,” which run autonomously. A botnet’s originator can control the group remotely. The botnet is usually a collection of zombie machines running programs (worms, Trojans, etc.) under a common command and control infrastructure on public or private networks. Botnets have been used for sending spam remotely, installing more spyware without consent, and other illicit purposes.

Botnets have been used for a variety of nefarious purposes from those listed above to last year’s attack against Estonia.


2008 Quarterly Reports Show Rise in Prevalence of Badware

Posted by Laureli Mallek Thu, 03 Apr 2008 15:27:00 GMT

A number of security companies have come out with their first quarter 2008 assessment of the badware on the internet.

F-Secure begins with a somewhat disturbing statement in their report: “While there are more viruses being created than ever before, people often actually report seeing less of them. One reason behind this illusion is that malware authors are once again changing their tactics in how to infect our computers.” Viruses are being effectively camouflaged and acting through less obvious vectors.

F-Secure also notes, as we reported in our “Trends in Badware 2007” report last September, that malware makers have moved past emails and are targeting computers through drive-by-downloads, defined by the Antispyware Coalition as:

The automatic download of software to a user’s computer when she visits a Web site or views an html formatted email, without the user’s consent and often without any notice at all. Drive-by-downloads are typically performed by exploiting security holes or lowered security settings on a user’s computer.

F-Secure aptly summarizes the risk as “instead of getting infected over SMTP, you get infected over HTTP.” These attacks exploit a weakness in a browser, browser plug-in, or operating system. Many techniques are used to expose users to malware, from infiltrating trusted sites to disguising links to malware sites through social engineering.

F-Secure also spotlights the reappearance of MBR rootkit (MEBroot), a blast from the past, and a look into the future as mobile devices become targets for spam and worms distributed via SMS and Bluetooth. All told, F-Secure predicts that if current rates continue, the total number of known Trojans and viruses will exceed one million by the end of 2008.

MessageLabs, as reported by Help Net Security, writes that 9.2% of malware intercepted in 2008 was new. They are also identifying approximately 595 new sites a day “harboring malware and other potentially unwanted programs such as spyware and adware.” On the spam front, MessageLabs reports: “The prolific Storm botnet is responsible for 20 percent of all spam in the first quarter of 2008, with messages selling male enlargement drugs accounting for 41 percent of its efforts.” Which raises a question for me: who shops for personal enhancement from random email ads?

Panda Security has a list of the most active viruses in the first quarter. Here are the first three of ten:
  1. Adware/Comet
  2. Adware/NaviPromo
  3. W32/Bagle.HX.worm

Researchers from Panda Labs note that the increasing prevalence of Trojans makes detection more difficult for security companies, which agrees with Brian Krebs’ recent post. Krebs is correct to stress that “[a]nti-virus software is no substitute for common sense.”

Many of the developments in malicious technology are created specifically to get around common sense. Perhaps caution when clicking emailed links and keeping software up to date should be considered a first line of deliberate self-preservation rather than mere common sense.


NCC Takes 17 Companies to Task for Unfair Licensing Agreements

Posted by Laureli Mallek Thu, 21 Feb 2008 21:39:00 GMT

The UK National Consumer Council (NCC) issued a report on Feb 19th, 2008 questioning the legality of End User Licensing Agreements (EULAs). This investigation corroborates findings from German and Norwegian research that companies exploit consumers using the language in these documents.

In an article on the BBC, Carl Belgrove of the NCC said: “Consumers can’t have a clue what they’re signing up to when some terms and conditions run to 10 or more pages… There’s a significant imbalance between the rights of the consumer and the rights of the holder.”

The NCC examined 25 software packages and listed 17 of them in the report as unfair to consumers: Adobe, Microsoft, Apple, Chief Architect, Symantec, Magix, Nero, Corel, Sega, Nova Development, Britannica, Sonic Solutions, Twelve Tone Systems, THQ, GSP, McAfee, and Kaspersky. The NCC claims these companies shift the weight of responsibility onto users through unclear and complex legal jargon, termination rights reserved for the service provider, and the right to end coverage without notification.

In some cases, the BBC notes, users are required to install the software before having a chance to read the EULA in the first place. The next step for the NCC is to present the problem to the UK’s Office of Fair Trading (OFT) and hope that it supports user rights better than the manufacturers do.

StopBadware’s software guidelines address the need for clear disclosure in EULAs – we believe “EULAs and privacy policies should be written in as understandable a manner as possible.” Companies should be open with consumers about the nature and extent of actions implemented by software.

Hopefully, the OFT shares this view.


Responding to RealPlayer

Posted by Erica George Thu, 21 Feb 2008 16:35:00 GMT

RealNetworks yesterday posted a response to StopBadware’s alert (and later full report) labeling its RealPlayer software versions 10.5 and 11 as badware. Unfortunately, Real seems to have chosen to explain away the issues we noted in its software, rather than working to change RealPlayer’s badware behaviors, missing the larger point of our report. What’s at issue is not whether downloading RealPlayer “actually hurts anyone,” but that both versions of RealPlayer which we reviewed limit the ability of computer users to make informed choices about what happens on their computers – which violates our guidelines.

Real suggests that consumers might enjoy RealPlayer 10.5 Message Center’s ability to display ads. But as Real admits, many users find that type of ad annoying and unwanted. If an application’s default behavior disrupts a user’s normal and expected computer use with ads and does not disclose that fact clearly before the user chooses to install, it violates our guidelines.

Real’s blog post states that RealPlayer 10.5 is outdated, obsolete, and fully replaced by version 11. Many prominent web links for RealPlayer still lead to the download page for the older version. To truly make RealPlayer 10.5 obsolete, Real needs to do its best to take its outdated software out of circulation. We urge Real to stop distributing RealPlayer 10.5 and redirect the download page for 10.5 to the page for the latest version.

As Real explains in its response, there are legitimate reasons to bundle the Rhapsody player engine with RealPlayer 11. But not disclosing the inclusion of the Rhapsody player is a significant oversight, in contrast to other disclosures in the installation for RealPlayer 11. Users have a right to know if Rhapsody Player Engine is being installed on their computers. Users who choose to remove RealPlayer from their machines should also be able to remove anything that installed along with it just as simply. Real notes in its blog post that the Rhapsody player can be seen and uninstalled from the control panel. Expecting users to seek out a program they are not even aware is on their machine is simply not enough. For users to be able to make informed choices about what software is on their computers, bundled applications need to be disclosed and easily removable if the core application is uninstalled.

Also, if users have no idea that the Rhapsody player software is installed on their computers, they won’t know to keep it updated. Many media player engines have security flaws that have been exploited in the wild. Once these flaws are found they can be fixed with software patches – but only if the user knows to download the patch or updated version. If the Rhapsody player sits on a user’s computer for two or three years without security updates, it could become a serious and potentially harmful vulnerability.

When StopBadware chooses applications to research and report, we don’t focus only on applications that are clearly egregiously harmful. Trojans and keyloggers and other malware are bad, and the average consumer doesn’t need us to tell them that. Where consumers can use a little help, however, is in figuring out which commonly available applications require extra caution. When a computer user chooses to download an application, they are placing their trust in the software’s makers and distributors. It’s the responsibility of the companies behind consumer software to make sure their products fully live up to that trust.

StopBadware believes that software applications should be held to a high standard of full disclosure and user consent. That belief is the underlying principle for our software guidelines, which we apply to determine if an application should be considered badware. Our computers are increasingly important parts of our lives, and we deserve to have control over the software that is on them.

We welcome a continuation of our dialogue with the folks at RealNetworks, and we hope that Real will move to address the concerns we’ve raised in its next update.


RealPlayer Follow-Up Report

Posted by Brandon Palmen Fri, 15 Feb 2008 20:15:00 GMT

Public response to StopBadware’s recent RealPlayer alert has generally been positive, and we are pleased to hear that RealNetworks plans to correct some of the behaviors which we identified in the alert in a future RealPlayer release.

Nonetheless, we are a little confused by the reported comments of RealNetworks’ PR Manager, Ryan Lukin, whose words may have the potential to mislead consumers regarding the undisclosed features of RealPlayer 10.5 and RealPlayer 11. According to CNET News, Lukin claims that the Message Center software that is bundled with RealPlayer is “clearly identified during installation”, and that the content served by this software does not qualify as advertising. Lukin also implies that all users are provided with the opportunity to opt out of these ‘messages’ by the RealPlayer 10.5 installer. In our experience, the advertising features of the message center are not adequately disclosed, and only users who submit their personal information to RealNetworks during the registration stage of the RealPlayer 10.5 installation are actually granted the opportunity to opt out of the pop-up advertisements; users who exit the registration must accept the message center’s default settings, which include the display of pop-up advertisements for third-party products and offers.

Our alerts describe the ways in which software applications violate our software guidelines, but they do not always fully depict the behavior of those applications. This can make it difficult for some users to understand the conclusions that we draw in these alerts. In order to better illustrate our reasons for applying the ‘badware’ label to RealPlayer, we are now releasing a follow-up report, replete with screenshots, to the public. We hope that you will find it informative.

The RealPlayer follow-up report can be found here and the original alert can be viewed here.


RealPlayer is badware

Posted by Maxim Weinstein Thu, 31 Jan 2008 15:00:00 GMT

StopBadware has released an alert identifying RealPlayer as badware. See our press release here and the complete alert here.

Interestingly, RealPlayer 10.5 and RealPlayer 11, both of which are distributed widely, each violate our badware guidelines, but in different ways.

RealPlayer 10.5 is badware because it doesn’t tell the user that its “Message Center” feature will pop up ads from the system tray if the user doesn’t register the application.

RealPlayer 11 is badware because it installs the Rhapsody Player Engine without notifying the user. When the user uninstalls RealPlayer, Rhapsody Player Engine is left behind, unless the user also knows to uninstall it separately.

RealNetworks, Inc., the publisher of RealPlayer, has been upfront about these behaviors in our conversations with them. They point out that version 11 does not install the ad-serving Message Center by default, and they acknowledge that it was a mistake on their part to not offer to uninstall Rhapsody Player Engine when uninstalling RealPlayer 11. We expect that the next version of RealPlayer will correct the issue and provide better disclosure, and we encourage RealNetworks to work with their downstream partners to ensure that older versions are replaced by the new version.



 



Consumer Reports WebWatch is not receiving any corporate support for its participation in this program.

Copyright © 2006 - All content for this site is under a Creative Commons license