StopBadware.org RSS
Regaining Control of Our Computers
 

Bavarian Government Gets Up Close and Personal

Posted by Laureli Mallek Mon, 07 Jul 2008 21:02:00 GMT

The German state of Bavaria has approved laws that allow the police to plant spyware on the computers of suspected terrorists. While German federal laws restrict the government to infecting computers with email, Bavarian laws allow police to enter a suspect’s home to physically infect the machine. According to The Register, Bavarian interior minister Joachim Herrmann “gave short shrift to [privacy] objections, stating that Bavaria is leading the field in ‘internal security’ in becoming the first German state to approve the plan.”

This step by the Bavarian government runs against a ruling earlier this year by Judge Hans-Juergen Papier on a North Rhine-Westphalia surveillance law. He held that covertly searching an individual’s computer is unconstitutional under ordinary circumstances, and that even in exceptional cases a judge’s authorization must be obtained before this kind of surveillance begins.

In 2007, the internet was talking, though not over VOIP, about the Bavarian government looking to monitor and record Skype phone calls. Documents leaked through Wikileaks showed the thrifty Bavarian government haggling to get a better price on the products needed to invade its citizens’ computers.


Forty percent of users use an insecure web browser

Posted by Maxim Weinstein Tue, 01 Jul 2008 16:12:00 GMT

Brian Krebs at the Washington Post reports on a study that found that 40% of Google users do not have all the latest security updates for their web browser. This means they’re susceptible to a broader range of drive-by download and other web-based attacks.

Google users may not be globally representative of the Internet-using population; we know, for instance, that 60% of users in China use a search engine other than Google. Still, they certainly represent a large portion of the Internet-using public.

Another finding was that Firefox users are the most likely, and IE users the least likely, to have an updated browser:

The report concluded that Firefox users were more likely to be using the latest version because Mozilla’s patch process is the quickest and most painless (no arguments there). Firefox downloads updates automatically and prompts the user to install them immediately.


Trojan Horses Nip at Apple Vulnerabilities

Posted by Laureli Mallek Mon, 23 Jun 2008 19:34:00 GMT

Software company Intego found a Mac Trojan masquerading as a poker game. The Trojan transmits the user’s name, password, and IP address to an external server; it obtains the password not through any exploit but through simple social engineering, displaying this message:

“A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. With the user name, password, and IP address in hand, an attacker can log in to the Mac over ssh and attempt to take control of it, delete files, damage the operating system, or much more.

Computerworld wrote on Friday that SecureMac reported finding another Trojan circulating in the wild. “Its researchers had found a Trojan horse, dubbed ‘AppleScript.THT,’ being distributed from a hacker-operated site where discussions of spreading the malware via iChat, Apple’s instant messaging and video chat software, were also taking place.” In an update to that warning today, SecureMac reported that the Trojan’s source code has been distributed, which makes derivative Trojans likely to appear soon. They write:

“The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items… Once installed, the Trojan horse turns on File Sharing, Web Sharing, and Remote Login. If the filename of the Trojan horse has not been changed, it can be located in the /Library/Caches folder under the name AStht_06.app.”

Sandi, blogging at Spyware Sucks, opines that Trojans like this demonstrate that social engineering transcends computer platforms. She emphasizes that sharing information about badware can help to build and reinforce a level of user awareness and suspicion about entering personal information while downloading software (and ideally when deciding to download software in the first place). Sandi also comments on complaints that these Trojans were discovered by companies developing Apple security products.

While there may be a financial benefit to those companies, the goal of the security community is to maintain computers as free of badware as possible, and sharing information about risks with professionals and users-at-large focuses attention on problems so that they can be solved or avoided as efficiently as possible.


Plug-ins should check for updates

Posted by Maxim Weinstein Fri, 06 Jun 2008 16:44:00 GMT

Jon Kibler, a security guru, posted an e-mail to the DShield mailing list. He did such a good job making an important point that I requested his permission to repost part of his e-mail. He graciously agreed.

The Adobe Flash Player issue brings up what I consider a critical question.

Few (IMHO, very few) web browser plug-ins let you know when there are updates available. After playing around with Safari and Firefox, the only out-of-date plugins that I experimented with that told me they were out of date were the Acrobat Reader and QuickTime plugins. Even more scary—and I believe a fundamental problem with web plugin design—they did not provide an offer to update to a newer version until AFTER they had executed (potentially malicious) content.

Note that third-party products exist to help scan a computer for outdated software. StopBadware.org does not endorse particular products, but our friends over at Consumer Reports WebWatch do, and they mentioned such a product on their blog just the other day.
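The Google study Krebs wrote up above worked from browser version strings, and Jon Kibler’s complaint is that plug-ins rarely tell you they are behind. Below is an added example written for this page (not code from the study, from Kibler’s e-mail, or from StopBadware.org) that performs both checks in one script: it pulls browser versions out of web-server access-log lines, and plug-in versions out of a small inventory, and compares each against a table of current versions. The log lines, the plug-in list, and the LATEST table are constructed for illustration; the version numbers in LATEST are assumptions, not real release data, and a real audit would build that table from each vendor’s release feed.

```python
"""Flag outdated browsers in access logs and outdated plug-ins in an inventory.

Added example for this page; not the Google study's code, Kibler's, or
StopBadware.org's. Log lines, plug-in list and LATEST table are constructed.
"""
import re
from collections import Counter

# ASSUMPTION: illustrative "current" versions, not real release data;
# a real audit builds this table from each vendor's release feed.
LATEST = {
    "Firefox": (2, 0, 0, 14),
    "MSIE": (7, 0),
    "Safari": (3, 1, 1),
    "Flash": (9, 0, 124),
    "QuickTime": (7, 4, 5),
}

# The Safari pattern keys on "Version/" because many unrelated user agents
# also carry a "Safari/" (WebKit build) token.
UA_PATTERNS = {
    "Firefox": re.compile(r"Firefox/(\d+(?:\.\d+)*)"),
    "MSIE": re.compile(r"MSIE (\d+(?:\.\d+)*)"),
    "Safari": re.compile(r"Version/(\d+(?:\.\d+)*) Safari/"),
}

# Constructed access-log lines; the user agent is the last quoted field.
SAMPLE_LOG = [
    '10.0.0.1 - - [01/Jul/2008:10:00:00 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20080404 Firefox/2.0.0.13"',
    '10.0.0.2 - - [01/Jul/2008:10:00:01 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20080529 Firefox/2.0.0.14"',
    '10.0.0.3 - - [01/Jul/2008:10:00:02 +0000] "GET / HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.4 - - [01/Jul/2008:10:00:03 +0000] "GET / HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"',
    '10.0.0.5 - - [01/Jul/2008:10:00:04 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3) AppleWebKit/525.18 Version/3.1.1 Safari/525.20"',
    '10.0.0.6 - - [01/Jul/2008:10:00:05 +0000] "GET / HTTP/1.1" 200 "Opera/9.50 (Windows NT 5.1; U; en)"',
]

# Constructed plug-in inventory, as a page script could collect from
# navigator.plugins; "Java" has no LATEST entry and is skipped, not flagged.
SAMPLE_PLUGINS = [("Flash", "9.0.115"), ("QuickTime", "7.4.5"), ("Java", "1.6.0")]


def parse_version(text):
    """'2.0.0.13' -> (2, 0, 0, 13); tuples compare component by component."""
    return tuple(int(part) for part in text.split("."))


def is_outdated(product, version):
    """True when the installed version sorts before LATEST[product].

    A longer installed tuple that starts with the LATEST tuple (7.0.5730
    against 7.0) compares greater, so it is correctly treated as current.
    """
    return parse_version(version) < LATEST[product]


def browser_from_ua(user_agent):
    """Return (product, version_string), or None for an unrecognised UA."""
    for product, pattern in UA_PATTERNS.items():
        match = pattern.search(user_agent)
        if match:
            return product, match.group(1)
    return None


def audit_log(lines):
    """Count outdated, current and unrecognised browsers across log lines."""
    counts = Counter()
    for line in lines:
        user_agent = line.rsplit('"', 2)[1]   # text between the last two quotes
        found = browser_from_ua(user_agent)
        if found is None:
            counts["unknown"] += 1
            continue
        product, version = found
        counts["outdated" if is_outdated(product, version) else "current"] += 1
    return counts


def outdated_fraction(counts):
    """Share of recognised browsers that are behind; unknown UAs are excluded."""
    known = counts["outdated"] + counts["current"]
    return counts["outdated"] / known if known else 0.0


def outdated_plugins(inventory):
    """Plug-ins whose installed version trails the LATEST table."""
    return [(name, ver) for name, ver in inventory
            if name in LATEST and is_outdated(name, ver)]


if __name__ == "__main__":
    counts = audit_log(SAMPLE_LOG)
    print(dict(counts), f"{outdated_fraction(counts):.0%} of recognised browsers outdated")
    print("outdated plug-ins:", outdated_plugins(SAMPLE_PLUGINS))
```

The version comparison is the part worth getting right: comparing tuples of integers avoids the string trap where "2.0.0.9" sorts after "2.0.0.14", and the prefix rule means a build number longer than the table entry is not reported as stale. The plug-in side assumes an inventory has already been collected in the browser; the comparison logic is the same either way.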


Scammers Aiming Straight for the Money

Posted by Laureli Mallek Wed, 04 Jun 2008 15:44:00 GMT

Targeted spear-phishing campaigns are using money as the lure. Brian Krebs blogged this week about a two-part spear-phishing attack targeting small and medium-sized businesses. The attack is built to circumvent the two-factor authentication that banks use to protect online accounts.

The scam begins with an email containing specific information about the user, their business, and their bank. The email asks the recipient to click to view or download an attachment which, according to iDefense, installs a keylogger and a browser helper object that lets the attackers modify web pages inside the browser in real time. When a user on an infected computer logs into their bank account, Krebs writes, a “message is inserted into the body of the bank’s actual Web page.” Because the message is rendered inside the bank’s genuine page, the address bar, the certificate, and everything else the user might check are the bank’s own, so nothing signals the tampering. The message asks the user to wait 15-30 minutes before logging on again. That wait is the point of the injection: having already intercepted the user’s authentication information, the attackers use the window to log in themselves and empty the associated bank accounts.

Quoting Matt Richard, of iDefense, “If a bad guy has malicious code on a customer’s machine, no matter what you do, he’s going to have some way to get in to the customer’s account. The best you’ll be able to do is try to stop the money transfers.”

As something of a coup de grace, Krebs writes, “Before the Trojan download, the attacker attempts to get the user to install their bogus root CA certificate with the ‘VeriSign Trust Network’ name.” Once such a root is trusted, any certificate the attacker signs with it, including one for the bank’s own hostname, passes the browser’s checks without a warning, so later phishing pages or intercepted connections look legitimate, and the rogue root survives even if the Trojan itself is cleaned up. Sunbelt has also spotted fake banking certificates, described on their blog.
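The rogue root is the part of this attack that outlives the Trojan, and since the attacker names it “VeriSign Trust Network,” a check by name is useless. The added example below (written for this page, not code from Krebs, iDefense, or Sunbelt) makes the check a practitioner would actually rely on: fingerprint every certificate in a PEM trust-store bundle and diff the set against a baseline taken when the machine was known to be clean. The two bundles in the script are constructed from placeholder bytes rather than real X.509 DER so that it runs offline; in real use it is pointed at an export of the system’s root store.

```python
"""Fingerprint a PEM trust store and diff it against a clean baseline.

Added example for this page; not from Krebs, iDefense or Sunbelt. The
bundles below are constructed from placeholder bytes so it runs offline.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprints(pem_bundle):
    """SHA-256 fingerprint (hex) of the DER bytes of every certificate in a bundle."""
    result = []
    for body in PEM_BLOCK.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))   # strip PEM line wrapping
        result.append(hashlib.sha256(der).hexdigest())
    return result


def diff_store(baseline_fps, current_fps):
    """Return (added, removed) fingerprints of the current store relative to the baseline."""
    base, now = set(baseline_fps), set(current_fps)
    return sorted(now - base), sorted(base - now)


def make_pem(der_bytes):
    """Wrap bytes as a PEM block; used here only to construct sample data."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed placeholders standing in for DER-encoded root certificates.
# ASSUMPTION: a real store holds real X.509 DER; the fingerprinting is identical.
GENUINE_ROOT = b"\x30\x82placeholder-genuine-root"
ROGUE_ROOT = b"\x30\x82placeholder-rogue-root-named-VeriSign-Trust-Network"

BASELINE_BUNDLE = make_pem(GENUINE_ROOT)                         # snapshot when clean
CURRENT_BUNDLE = make_pem(GENUINE_ROOT) + make_pem(ROGUE_ROOT)   # store after the attack


def check_store(baseline_bundle=BASELINE_BUNDLE, current_bundle=CURRENT_BUNDLE):
    """Compare the live store with the baseline; any entry in 'added' is the alarm."""
    return diff_store(fingerprints(baseline_bundle), fingerprints(current_bundle))


if __name__ == "__main__":
    added, removed = check_store()
    for fp in added:
        print("ADDED root not in baseline:", fp)
    for fp in removed:
        print("REMOVED root:", fp)
    print("store matches baseline" if not (added or removed) else "store differs")
```

Fingerprints are compared rather than subject names because the name is chosen by the attacker; a baseline captured before exposure is the only reference the machine itself cannot be talked out of. Rebuild the baseline whenever the vendor legitimately updates the root store, otherwise every genuine update shows up as an addition.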

In a similar attack noted by McAfee’s Avert Labs last month, a number of spear-phishing emails have been playing on a ubiquitous fear: the Tax Court. So many of these emails spoofing petition requests have been received that the US Tax Court website provides a clear warning that “[t]he Tax Court is not disseminating any e-mail notice to anyone who currently has a case before this Court.”

Kevin McGhee writes, “The scammers do their homework when it comes to spear phishing. Instead of pumping out millions of emails to anybody and everybody, spear phishers send out their scams only to people they know will be susceptible to the scam. In this case a top executive–rather than the average employee–is much more likely to be involved in a court case of this nature.”


Safari Security Questioned; SBW Encourages Action

Posted by Laureli Mallek Mon, 19 May 2008 17:09:00 GMT

You may recall that StopBadware.org recently played a role in successfully encouraging Apple to improve its disclosure in pushing the Safari web browser to users through its Apple Software Update application. Now, Nitesh Dhanjani, a security researcher, writes about his recent interaction with Apple. Dhanjani alerted Apple to several potential issues that he discovered in the company’s web browser, Safari, most notably the potential for a “Safari Carpet Bomb.”

He writes that Safari “cannot be configured to obtain the user’s permission before it downloads a resource,” and provides this example:

Now assume that http://malicious.example.com/cgi-bin/carpet_bomb.cgi is the following:

    #!/usr/bin/perl
    # Served with a MIME type no browser renders, so Safari saves the
    # response to disk instead of displaying it.
    print "Content-type: blah/blah\n\n";

Since Safari does not know how to render content-type of blah/blah, it will automatically start downloading carpet_bomb.cgi every time it is served.”

CNET noted that because Safari saves such files without asking, to the desktop on Windows or to the Downloads folder on Mac OS, an attacker can litter those locations with files of unknown nature that mingle with legitimate downloads.

The Apple security team replied to Dhanjani’s emails courteously, but making it clear that this is not a security priority for the company:

We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.

Assuming Nitesh’s analysis is accurate, “unwanted downloads,” as Apple calls them, represent a serious security threat to users, who can be easily tricked into executing a malicious file. StopBadware.org believes that users should have control over software being downloaded to their computers, and we encourage Apple to reconsider its stance and treat this as the security issue that it is.


Drive-By-Download Follows on Heels of Fake Media Download

Posted by Laureli Mallek Tue, 13 May 2008 20:13:00 GMT

Over the last several weeks, users downloaded more than they were bargaining for from several P2P networks. TechNewsWorld reported on McAfee Avert Labs’ finding that more than 500,000 computers have been infected. Users download what looks like an mp3 from a well-known band; opening it prompts them to download a codec that promises free mp3s. By accepting the EULA and authorizing the download, users actually install a host of executables.

Craig Schmugar, a researcher for McAfee Avert Labs, wrote on that blog, “In the end you’re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads.” On further investigation, Schmugar found hundreds of infected files circulating on the internet. Many of the sites they pointed to led to freemp3player.com or to “different sites distributing adware and others still pose as codec installers that when run, display fake error messages and download and silently install tons of files.” The fake mp3 files were actually ASF (Windows Media) files carrying instructions that make the media player open specific URLs, which in turn push further downloads onto users’ computers.

More recently, Trend Micro researcher Ivan Macalintal found a malicious script inserted into “various Web sites believed to be either using poorly implemented phpBB, or are using older, exploitable versions of the said program.” The drive-by download sent users to a compromised site which dropped TROJ_ZLOB.CCW onto unprotected computers. Trend Micro notes that Zlobs in general, and this one in particular, change DNS and browser settings, which further opens the computer to future infections.

Both of these incidents reinforce the need to keep your security software updated. Downloading files from unknown sources carries inherent risk. Badware production has grown into an expanding economy that trades on users’ assumption that internet use is inherently safe.

Click safely!


Zango vs Kaspersky Gains Broad Range of Interest

Posted by Laureli Mallek Wed, 07 May 2008 18:49:00 GMT

Brian Krebs blogged yesterday about a broad coalition of technology groups supporting Kaspersky, an internet security company, during its legal fight with Zango. Krebs writes that in May 2007 Zango sued Kaspersky “charging that the company interfered with its business” by removing Zango’s software, which has been classified as adware by multiple groups.

Kaspersky does not deny that its program removes Zango-based software from computers. In August 2007 the initial case was dismissed because the court held that the Communications Decency Act (CDA), through its “Good Samaritan” provision in Section 230(c)(2), allows companies to remove software in order to protect users from material which may be considered objectionable.

Zango had previously faced off against the FTC in 2006. The settlement that resulted from that investigation required the company to pay $3 million. Caroline McCarthy wrote at CNet that the agreement also stipulated that “the company must adhere to FTC regulations that bar it from loading programs onto customers’ computers and monitoring them without their consent.” FTC spokesperson Lydia Barnes was quoted as saying: “It violates federal law to secretly install software that forces consumers to get pop-ups that disrupt their computer use.”

The current case has drawn significant interest within both the security and business fields. An earlier amicus brief was filed in favor of Zango by the National Business Coalition on E-Commerce and Privacy, an organization that, according to Krebs, represents powerful corporate interests. Behavioral advertising and many other profitable marketing strategies depend on placing tracking cookies or web beacons on users’ computers, so businesses have an interest in shielding those practices from removal. Thomas M. Boyd, attorney for the organization, voices the companies’ concern that “a security software company has unreviewable power to decide that any content is objectionable and to deny user access to that content without any accountability for any damages that action may cause.”

The amicus brief filed this week represents the other side of the issue in a broad coalition including the Electronic Frontier Foundation, the Business Software Alliance, and the Anti-Spyware Coalition. Ari Schwartz of the Anti-Spyware Coalition stated: “This is an extremely important case for consumers as to how security software protects them going forward, and whether the onus is put on the security company or [the adware vendor].” It is relevant to all the companies that classify Zango software as “adware” such as Microsoft (which removed 7.1 million instances of Zango software from customer computers) and Symantec (which has a description of Zango’s adware attributes here).

This case remains one to watch, as business and technology duke it out over consumers and rights.

Note: This blog post was updated on May 8, 2008 to make corrections regarding Zango’s 2006 involvement with the FTC.


Whose side is your hardware on?

Posted by Laureli Mallek Thu, 01 May 2008 20:09:00 GMT

In a paper titled Designing and implementing malicious hardware, a team from the University of Illinois at Urbana-Champaign (Samuel T. King, Joseph Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, and Yuanyuan Zhou) explored the possibility of malicious circuits being used to evade software-based defenses such as anti-virus:

Hidden malicious circuits provide an attacker with a stealthy attack vector. As they occupy a layer below the entire software stack, malicious circuits can bypass traditional defensive techniques.

King and his team built their malicious circuitry into a processor implemented on a field programmable gate array (FPGA), a chip whose logic can be reprogrammed after manufacture. With that processor connected to an external computer, the hidden circuits let the team take data from the machine without relying on any software vulnerability. At the Large-Scale Exploits and Emergent Threats conference in San Francisco last month, King said this is not an attack that can be carried out on a weekend, since it requires access to the hardware during the manufacturing phase, yet the reward is immense.

Symantec raised concerns over the manufacturing process in a report issued earlier this year: “The longer the manufacturing supply chain during this process, the greater the opportunity for malicious code to be embedded in the devices directly.” Related supply-chain incidents have already occurred: virus-infected digital picture frames, thumb drives, and counterfeit hardware.

New Scientist quotes Simha Sethumadhavan, who believes that the increasing complexity of both chips and their design processes gives attackers more opportunities to slip in undetected.


Advertising Practices Endanger Internet Users

Posted by Laureli Mallek Tue, 29 Apr 2008 17:14:00 GMT

Several major ISPs are substituting ad pages for the error that is normally returned when users navigate to nonexistent subdomains. Ryan Singel writes in Wired that:

“The rub comes when a user is asking for a nonexistent subdomain of a real website, such as http://webmale.google.com, where the subdomain webmale doesn’t exist (unlike, say, mail in mail.google.com). In this case, the Earthlink/Barefruit ads appear in the browser, while the title bar suggests that it’s the official Google site.”

Because the ISP’s resolver answers with the ad server’s address instead of reporting that the name does not exist, the browser behaves as though it has reached a real host under the target’s domain: the address bar still shows the hostname the user typed, and the page title mirrors the site they were looking for. That false signal is what makes the practice dangerous. Nefarious actors could combine such fake subdomains with active spamming campaigns to draw users to links and badware dressed in a legitimate website’s branding.

Dan Kaminsky, a security researcher at IOActive, initially reported the problem. He says that even after the vulnerabilities on the advertisers’ servers were patched, the practice remains dangerous, because it lets ISPs (Kaminsky cites Earthlink, Verizon, Time Warner, Comcast and Qwest) rewrite the DNS answer in order to monetize nonexistent subdomains, serving a third party’s page under someone else’s hostname. Since 2006, Earthlink has intercepted the nonexistent-domain (NXDOMAIN) response, redirected the request to its advertising partner Barefruit, and served a page of suggestions and ads. While the company claims this enhances the user experience, it exposes users to third-party content that may not be held to a high level of security scrutiny.
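Because the substitution happens at the resolver, nothing in the browser reveals it, but a user can test their resolver for it directly. The added example below (written for this page; it is not Kaminsky’s tool or any ISP’s code) asks for random, unguessable labels under several unrelated domains. An honest resolver reports every one of them as nonexistent, while a rewriting resolver returns one and the same ad-server address for all of them; probing several domains at once distinguishes ISP rewriting from a legitimate wildcard record that one site might publish on its own domain. The resolvers in the script are constructed stand-ins so that it runs offline, the addresses are drawn from the documentation ranges rather than real infrastructure, and live_resolver wraps the system resolver for a real test.

```python
"""Detect NXDOMAIN rewriting at the resolver by probing random labels.

Added example for this page; not Kaminsky's tool or any ISP's code. The
resolvers and addresses below are constructed stand-ins so it runs offline.
"""
import secrets
import socket


class NXDomain(Exception):
    """Raised by a resolver when the queried name does not exist."""


def random_label(hex_chars=12):
    """An unguessable hostname label, so no legitimate record can match it."""
    return secrets.token_hex(hex_chars // 2)


def probe(resolve, base_domains, attempts=3):
    """Query random names under each domain; return (hijacked, answers).

    resolve(name) returns an IPv4 string or raises NXDomain. Rewriting is
    reported only when every random name, across every domain, resolves to
    one and the same address: a legitimate wildcard record affects a single
    domain, whereas a rewriting resolver answers for all of them alike.
    """
    answers = {}
    for domain in base_domains:
        for _ in range(attempts):
            name = f"{random_label()}.{domain}"
            try:
                answers[name] = resolve(name)
            except NXDomain:
                answers[name] = None
    resolved = [addr for addr in answers.values() if addr is not None]
    hijacked = len(resolved) == len(answers) and len(set(resolved)) == 1
    return hijacked, answers


def classify(resolve, base_domains):
    """'rewriting' when the resolver substitutes answers for nonexistent names."""
    hijacked, _ = probe(resolve, base_domains)
    return "rewriting" if hijacked else "honest"


def live_resolver(name):
    """Adapter for the system resolver; needs network access."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        raise NXDomain(name) from exc


# Constructed resolvers and addresses (RFC 5737 documentation ranges).
AD_SERVER = "192.0.2.10"                           # stands in for the ad partner
KNOWN_HOSTS = {"mail.google.com": "198.51.100.5"}  # assumption, not a real address
PROBE_DOMAINS = ["google.com", "example.net", "example.org"]


def honest_resolver(name):
    """Behaves like a correct resolver: unknown names do not exist."""
    if name in KNOWN_HOSTS:
        return KNOWN_HOSTS[name]
    raise NXDomain(name)


def wildcard_site_resolver(name):
    """Honest resolver, but example.net publishes a legitimate *.example.net record."""
    if name.endswith(".example.net"):
        return "198.51.100.7"
    return honest_resolver(name)


def rewriting_resolver(name):
    """ISP-style resolver: every nonexistent name becomes the ad server."""
    return KNOWN_HOSTS.get(name, AD_SERVER)


if __name__ == "__main__":
    for label, resolver in [("honest", honest_resolver),
                            ("wildcard site", wildcard_site_resolver),
                            ("rewriting ISP", rewriting_resolver)]:
        print(f"{label:14s} -> {classify(resolver, PROBE_DOMAINS)}")
```

To test a real connection, call classify(live_resolver, PROBE_DOMAINS). Random labels matter: a fixed probe name could be special-cased by a resolver operator, and a name that happens to exist would produce a false positive on one domain, which is also why the verdict requires every domain to resolve to a single address.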

Katherine Noyes at TechNewsWorld writes that Kaminsky does not see a technical way to fix this problem until ISPs, and others, are forced to stop spoofing subdomains through legal means: “It’s someone else’s domain, someone else’s property.”

Paul Vixie, president of the nonprofit Internet Systems Consortium, believes the problem stems from ISPs’ desire to squeeze more money out of their users’ browsing without due regard for security. Speaking with TechNewsWorld he said, “The only reason this one wasn’t dangerous is that the discoverer was a good person.”

Additional Coverage

Brian Krebs posted a new piece with additional information on his Washington Post blog, Security Fix, on March 30th.

Happy hunting!



Consumer Reports WebWatch is not receiving any corporate support for its participation in this program.

Copyright © 2006 - All content for this site is under a Creative Commons license