Bavarian Government Gets Up Close and Personal

Posted by Laureli Mallek Mon, 07 Jul 2008 21:05:00 GMT

The German state of Bavaria has approved laws that allow the police to plant spyware on the computers of suspected terrorists. While German federal law restricts the government to infecting computers via email, Bavarian law allows police to enter a suspect’s home to infect the machine physically. According to The Register, Bavarian interior minister Joachim Herrmann “gave short shrift to [privacy] objections, stating that Bavaria is leading the field in ‘internal security’ in becoming the first German state to approve the plan.”

This step taken by the Bavarian government counters a ruling earlier this year by Judge Hans-Juergen Papier in North Rhine-Westphalia. He opined that under regular circumstances spying on individuals was unconstitutional, and that a judge’s permission would be required before this type of surveillance could be implemented in extreme situations.

In 2007, the internet was talking, though not over VoIP, about the Bavarian government looking to monitor and record Skype phone calls. Documents leaked through Wikileaks showed the thrifty Bavarian government haggling to get a better price on the products needed to invade their citizens’ computers.


Trojan Horses Nip at Apple Vulnerabilities

Posted by Laureli Mallek Mon, 23 Jun 2008 20:05:15 GMT

Software company Intego found this Mac Trojan masquerading as a poker game. The Trojan transmits the user’s name, password, and IP address to an external server; it acquires the password through clever social engineering:

“A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. After gaining SSH access to a Mac, malicious users can attempt to take control of it, delete files, damage the operating system, and much more.

Computer World wrote on Friday that SecureMac reported finding another Trojan circulating in the wild. “Its researchers had found a Trojan horse, dubbed ‘AppleScript.THT,’ being distributed from a hacker-operated site where discussions of spreading the malware via iChat, Apple’s instant messaging and video chat software, were also taking place.” Updating that warning today, SecureMac shared that the source code for the Trojan has been distributed, which increases the likelihood of derivative Trojans appearing soon. They write:

“The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items… Once installed, the Trojan horse turns on File Sharing, Web Sharing, and Remote Login. If the filename of the Trojan horse has not been changed, it can be located in the /Library/Caches folder under the name AStht_06.app.”

Sandi, blogging at Spyware Sucks, opines that Trojans like this demonstrate that social engineering transcends computer platforms. She emphasizes that sharing information about badware can help to build and reinforce a level of user awareness and suspicion about entering personal information while downloading software (and ideally when deciding to download software in the first place). Sandi also comments on complaints that these Trojans were discovered by companies developing Apple security products.

While there may be a financial benefit to those companies, the goal of the security community is to maintain computers as free of badware as possible, and sharing information about risks with professionals and users-at-large focuses attention on problems so that they can be solved or avoided as efficiently as possible.
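The indicators SecureMac describes (the file names, the /Library/Caches drop location, the login item, and the three sharing services the Trojan switches on) can be checked from a short script. This is an added example, not Intego’s or SecureMac’s tooling; the launchd labels for the sharing services are an assumption for Leopard-era macOS, and the login item names are assumed to come from `osascript -e 'tell application "System Events" to get the name of every login item'`.

```python
"""Indicator check for the AppleScript.THT Trojan described above.

Added example, not Intego's or SecureMac's code. It only knows the
artefacts named in the post: ASthtv05 / AStht_v06 / AStht_06.app,
the /Library/Caches drop folder, a login item, and three services.
"""
import os
import re

THT_NAME_RE = re.compile(r"ASthtv05|AStht_v06|AStht_06")

# launchd labels for the services the Trojan enables. Assumption: these are
# the Leopard-era labels; confirm them on the host being checked.
SHARING_LABELS = {
    "com.openssh.sshd": "Remote Login",
    "org.apache.httpd": "Web Sharing",
    "com.apple.AppleFileServer": "File Sharing",
}

def find_tht_names(entries):
    """Return the directory entries or login items that carry a known name."""
    return sorted(e for e in entries if THT_NAME_RE.search(e))

def scan_caches_dir(path="/Library/Caches"):
    """List matching entries in the drop folder; [] if it cannot be read."""
    try:
        return find_tht_names(os.listdir(path))
    except OSError:
        return []

def sharing_services_loaded(launchctl_output):
    """Map `launchctl list` lines (PID, Status, Label) to loaded sharing services."""
    loaded = []
    for line in launchctl_output.splitlines():
        label = line.split("\t")[-1].strip()
        if label in SHARING_LABELS:
            loaded.append(SHARING_LABELS[label])
    return loaded

def assess(cache_entries, login_items, launchctl_output):
    """Combine the checks; a name hit alone is enough to call the host infected."""
    names = find_tht_names(cache_entries)
    items = find_tht_names(login_items)
    services = sharing_services_loaded(launchctl_output)
    return {
        "cache_hits": names,
        "login_item_hits": items,
        "sharing_on": services,
        "infected": bool(names or items),
        # all three services on at once is the post-install footprint
        "footprint_matches": len(services) == len(SHARING_LABELS),
    }
```

On a live host, feed `assess` with `os.listdir("/Library/Caches")`, the login item names, and the output of `launchctl list`.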


Crimeware Kit Vulnerable to Hacking

Posted by Laureli Mallek Thu, 19 Jun 2008 19:45:57 GMT

Dancho Danchev wrote about a vulnerability found in Zeus, a crimeware kit circulating widely. Danchev explains:

“The vulnerability allows the injection of logins and passwords within any misconfigured web interface, due to the way in which Zeus is processing php scripts (web shells and backdoors) from the directory in which it stores the stolen data. Ironically, ‘Zeus users are advised to take care of their directory permissions, and forbid the execution of scripts from the folder holding all the encrypted stolen information’.

The implications of this flaw are huge, since, what used to be the practice of hijacking someone’s misconfigured botnet a couple of years ago, is today’s hijacking of the malware campaign’s command and control interface, which on the majority of occasions is left accessible to everyone – including independent researchers and the security community.”

The Zeus Trojan kit is available on the market for around $700, and Danchev writes in a previous post that the Zeus kit has been used more than 150 times and attacks around 4,000 computers per day. Just as popular software draws unwanted attention from hackers, the prominence of this badware drew increased attention from the security community, which led to the discovery of this vulnerability.

In an additional twist, the Russian Business Network, which has been associated with creation and distribution of the Zeus kit, is actively working to protect their intellectual property from security companies and their customers. RBN has threatened to sue security companies for blacklisting their products.

The RBN even includes an EULA when they sell the crimeware kit:

The help section of the latest version of the Zeus malware states that the client has no right to distribute Zeus in any business or commercial purpose not connected to the initial sale, cannot examine the source code of the product, has no right to use the product to control other botnets, and cannot send the product to anti-virus companies.

The RBN threatens to release information on their customers if they violate this agreement and to require customers to purchase future updates. Would they pursue lawsuits against bot herders who modify their software kit without permission?

Danchev asks what would happen if the security community began unethically pen-testing the Zeus network in order to estimate the size of the botnet. Would the RBN seek to protect its intellectual property, thereby claiming ownership of the Russian Business Network infrastructure (botnet) in order to sue trespassing parties? As crimeware becomes more commercialized, the badware authors have more invested in protecting their investments in intellectual property and infrastructure. It will be interesting to see how the current legal structure can be applied to regulate the development of the malware industry.


Drive-By-Download Follows on Heels of Fake Media Download

Posted by Laureli Mallek Tue, 13 May 2008 20:20:38 GMT

Over the last several weeks, users of several P2P networks downloaded more than they bargained for. TechNewsWorld, citing McAfee’s Avert Labs, reported that more than 500,000 computers have been infected. Users download a faux-MP3 file attributed to a legitimate music group, which prompts them to download a codec offering free MP3s. By clicking through the EULA and authorizing the download, users are actually installing a host of executables.

Craig Schmugar, a researcher at McAfee Avert Labs, wrote on the Avert Labs blog, “In the end you’re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads.” During further investigation, Schmugar found hundreds of infected files circulating on the internet. Many of the sites involved pointed to freemp3player.com or to “different sites distributing adware and others still pose as codec installers that when run, display fake error messages and download and silently install tons of files.” The fake MP3 files were actually ASF files instructing media players to navigate to specific URLs rife with downloads that further corrupt users’ computers.

More recently, Trend Micro researcher Ivan Macalintal found a malicious script inserted into “various Web sites believed to be either using poorly implemented phpBB, or are using older, exploitable versions of the said program.” The drive-by-download directed users to a compromised site which downloaded TROJ_ZLOB.CCW onto unprotected computers. Trend Micro notes that Zlobs in general, and this one in particular, change DNS and browser settings, which further opens the computer to future infections.

Both of these incidents reinforce the need to keep your security software updated. Downloading files from unknown sources carries inherent risk. Badware production has developed into an expanding economy that relies on users’ misplaced sense that internet use is inherently safe.
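The format mismatch at the heart of the fake-MP3 campaign (an ASF file wearing a .mp3 name, carrying the URL the player is told to open) is easy to spot before the file is ever played. The script below is an added example, not McAfee’s or Trend Micro’s code; the sample file and its example.invalid host are constructed for the demonstration.

```python
"""Triage a "free MP3" download that may really be an ASF file.

Added example, not McAfee's or Trend Micro's code. It checks the magic
bytes against the .mp3 name and, for ASF, pulls out embedded http(s)
URLs, which is where a script-command ASF would send the media player.
"""
import re

# ASF Header Object GUID in on-disk (little-endian) byte order.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

# Strings inside ASF objects are UTF-16LE; plain ASCII is matched as well.
URL_UTF16 = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]+")

def sniff_format(data):
    """Classify the leading bytes as 'asf', 'mp3' or 'unknown'."""
    if data.startswith(ASF_HEADER_GUID):
        return "asf"
    if data.startswith(b"ID3"):
        return "mp3"  # ID3v2 tag ahead of the audio frames
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"  # bare MPEG audio frame sync (11 set bits)
    return "unknown"

def extract_urls(data):
    """Return distinct embedded URLs in order of first appearance."""
    hits = [(m.start(), m.group().decode("utf-16-le")) for m in URL_UTF16.finditer(data)]
    hits += [(m.start(), m.group().decode("ascii")) for m in URL_ASCII.finditer(data)]
    seen, urls = set(), []
    for _, url in sorted(hits):
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls

def triage(filename, data):
    """Verdict for one download: format, whether the name lies, and any URLs."""
    fmt = sniff_format(data)
    disguised = filename.lower().endswith(".mp3") and fmt != "mp3"
    return {"format": fmt, "disguised": disguised,
            "urls": extract_urls(data) if fmt == "asf" else []}

# Constructed sample: ASF header object followed by one UTF-16LE URL
# pointing at a placeholder host (example.invalid).
SAMPLE_ASF = (ASF_HEADER_GUID + b"\x00" * 14
              + "http://example.invalid/get_codec.exe".encode("utf-16-le"))
```

Reading the first 16 bytes of a download is enough for `sniff_format`; `extract_urls` wants the whole file.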

Click safely!


Rock Phish Adds a Trojan to Arsenal

Posted by Laureli Mallek Thu, 24 Apr 2008 17:28:00 GMT

Earlier this week, RSA issued a warning that Rock Phish has updated its attack methods. Dark Reading writes, “Rock Phish attacks are estimated to account for more than 50% of phishing attacks world-wide and to be responsible for the theft of tens of millions of dollars from users’ bank accounts.”

The new Rock Phish attack combines phishing with a potent Trojan. When users navigate to the phishing site, the Zeus Trojan installs automatically on their computers, compromising personal information revealed through future internet use and allowing the computer to be controlled externally, according to ITNewsAustralia. Uriel Maimon, an RSA representative, opined: “The Zeus Trojan has many startling capabilities… As I look on this blissful union of fraud and crime technologies, I can only envy the criminals who can find such coupling.” This type of potent cooperation is becoming increasingly common within badware production.

Despite its longevity (it has been suspected of operating since 2004) and its level of activity, Rock Phish has managed to remain hidden, inspiring disagreements as to whether it is a group or an individual, and even over how the term should be applied. Rock Phish has been known for innovative phishing capabilities, including unique URL generation to circumvent blacklist restrictions.

This new level of interaction will no doubt be as problematic as it is interesting.
