Thursday, 10 December 2009

Scareware Fake MS endorsement

Scareware wronguns have developed a neat but evil piece of coding trickery designed to dupe prospective marks into believing that Microsoft is endorsing their worthless scamware.

A rogue anti-malware product called DefenceLab redirects infected PCs to Microsoft's Support portal, but modifies the HTML content as it returns so as to appear as if Microsoft is endorsing the worthless software. The ploy, which follows a fake scan and bogus Windows Security Center alert, is designed to persuade Windows users already exposed to infection by agents of the scareware package to pay for a full version of the supposed clean-up utility.

Surfers visiting the URL on the Windows Support site referenced in the scareware from a clean PC will get a 404 'page not found' message. Hacked PC victims will see an apparent endorsement.

Screenshots of the attack in action can be found in a blog post by anti-spyware firm Sunbelt Software, which was the first to warn of the threat, here.

The ruse is a development of earlier trickery that involved hacking the hosts' file on compromised computers in order to hijack web surfing sessions. An earlier attack using this technique redirected Microsoft queries to a hacked UK-based computer, as explained in a blog posting by AVG's Roger Thompson here

Prevx U-turn

Updated PrevX has backtracked on earlier claims that a Windows update caused Windows machines to lock up with a so-called "Black Screen of Death".

An updated blog post from the UK-based software security firm withdraws earlier claims that a recent Microsoft update caused a glitch that resulted in affected PCs displaying only the My Computer folder on a blank screen. PrevX's new line is that changes in the Windows Registry that trigger the behaviour might be caused by malware or some other factor, which it is yet to pin down, but not the Windows update that it earlier held culpable.

Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches including KB976098 and KB915597 as referred to in our previous blog. Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor.

PrevX apologised for earlier pointing the finger of blame towards Redmond, adding that whatever the cause of the problem it has a fix.

We apologize to Microsoft for any inconvenience our blog may have caused. This has been a challenging issue to identify. Users who have the black screen issue referred to can still safely use our free fix tool to restore their desktop icons and task bar.

A blog posting by Microsoft Security Response, about research in Redmond that appears to have contributed to PrevX's volte-face, clearly states that the "Black Screen" reported by PrevX was not caused by Microsoft's updates.

We’ve conducted a comprehensive review of the November Security Updates, the Windows Malicious Software Removal Tool, and the non-security updates we released through Windows Update in November. That investigation has shown that none of these updates make any changes to the permissions in the registry. Thus, we don’t believe the updates are related to the "black screen" behaviour described in these reports.

Redmond adds that it hadn't received many reports of users getting clobbered by the problem, adding that previous instances of "black screen" behaviour have been associated with some malware families such as Daonol.

PrevX wasn't able to supply a screengrab illustrating the latest outbreak of "black screen" lock-ups in response to our request on Wednesday morning. PrevX's initial warning about the "Black Screen of Death" was widely reported by El Reg and many other media outlets, however it's unclear how many people have actually been affected.

No other security firm we're aware of bar PrevX has issued and advisory on the issue and several others have privately expressed skepticism about a least the extent of the problem. ®
Update

In an updated blog post on Tuesday, PrevX fought back against suggestions that it had overstated the scope of the Black Screen of Death glitch. Mel Morris, PrevX chief exec, said it's free Black Screen fix tool had been downloaded more than 50,000 downloads times since its publication last Friday.

Morris also criticised the media for misinterpreting PrevX's original warning by taking material out of context and causing "inconvenience for Microsoft".

However PrevX's original advisory is pretty clear is pointing blame towards recent Microsoft patches, KB915597 and KB976098, now ruled as blameless. Malware or problems between Windows and third-party software don't get a mention.

Default Windows 7 less secure than Vista

Windows 7 is less secure out-of-the box than Vista, despite Redmond's protestations to the contrary, a top security firm has claimed.

Trend Micro said that the default configurations of Windows 7 are less secure than Vista. Raimund Genes, CTO of Trend Micro, said that Windows 7 had sacrificed security for useability - at least for default configurations.

"I'm not saying Windows 7 is insecure, but out of the box Vista is better," Genes told El Reg.

The User Account Control (UAC) feature that debuted with Vista was a security safeguard that asked users for permission before allowing applications to run. The nagware technology irked users and was blamed for producing numerous largely meaningless pop-ups that users blithely clicked past.

Even senior Microsoft execs, for example UK security advisor Ed Gibson, have taken to describing the technology disparagingly as "User Annoyance Control" over recent months. A toned down version of UAC has been developed for Windows 7, but Genes regards this and other changes as a step backwards.

"I was disappointed when I first used a Windows 7 machine that there was no warning that I had no anti-virus, unlike Vista," Genes said. "There are no file extension hidden warnings either. Even when you do install anti-virus, warnings that it has not been updated are almost invisible."

"Windows 7 may be an improvement in terms of useability but in terms of security it's a mistake, though one that isn't that surprising. When Microsoft's developers choose between usability and security, they will always choose useability," Genes argued.

Genes said the security of Windows 7 for consumers might be improved by offering virtual XP, a sandboxed version of the older OS, with Windows 7 home editions. The virtualisation technology (criticised by other security firms, most notable Sophos, as a security risk in its own right because it needs separate patching and security protection) was only released in enterprise versions of the operating system.

Trend's unfavorable default security comparison between Vista and Windows 7 was released alongside its Trend Micro 2010 Future Threat Report. The main focus of the report places the security implication of the wider IT industry shift towards cloud computing and virtualisation under the spotlight.

While offering significant benefits and cost-savings, the architectural shift means cybercrooks are likely to turn their sights towards manipulating the connection to the cloud, or attacking the data center and cloud itself, instead of trying to infect desktop or server systems.

"The focus for security firms has been protecting desktops or servers, but this needs to shift to providing security for the cloud, where sensitive information such as credit card records will be held. Using encryption to establish shielded containers for sensitive data and improving the security and back-up of cloud computing systems needs to be improved so that we can have safe cloud computing," Genes explained

Zeus bot found using Amazon's EC2 as C&C server

Add Amazon's EC2 to the roster of cloud-based services being exploited to do the bidding of malware gangs.

Over the past few days, a new variant of the Zeus banking trojan has been spotted using the popular Amazon service as a command and control channel for infected machines. After marks get tricked into installing the password-logging malware, their machines began reporting to EC2 for new instructions and updates, according to researchers from CA's internet security business unit.

"We believe this was a legitimate service that was purchased and compromised via a vulnerability" such as a weak password, Don DeBolt, CA's director of threat research, told The Reg. "It could have been any vulnerable system on the internet."

Over the past few months, accounts on Twitter, Google's app engine, and Facebook have also been transformed into master control channels for machines under the spell of surreptitious malware. In addition to their high availability and low cost, the sites are attractive because they don't set off alarms when infected machines are observed connecting to them.

While it's relatively easy to block channels located in China or based on internet relay chat, blacklisting some of the world's most popular online destinations is another matter completely.

According to analysis from Zero Day blogger Dancho Danchev, the cybercriminals behind Zeus appear to have plugged into Amazon's Relational Database Service as a backend alternative in case they lose access to their original domain.

DeBolt said the EC2 channel was disconnected after it was brought to the attention of Amazon officials. People who want to report future abuse of cloud-based services offered by the online retailer can use this link. An Amazon spokeswoman didn't respond to an email requesting comment. ®

Potent malware link infects almost 300,000 webpages

A security researcher has identified a new attack that has infected almost 300,000 webpages with links that direct visitors to a potent cocktail of malicious exploits.

The SQL injection attacks started in late November and appear to be the work of a relatively new malware gang, said Mary Landesman, a researcher with ScanSafe, a web security firm recently acquired by Cisco Systems. Hacked sites contain an invisible iframe that silently redirects users to 318x .com (a space has been added to protect the clueless), which goes on to exploit known vulnerabilities in at least five applications.

At time of writing, this web search showed more than 294,000 webpages that contained the malicious script. Infected sites included yementimes .com, parisattitude .com and knowledgespeak .com.

People who visit infected pages receive an invisible link that pulls code from a series of sites tied to 318x .com. The code looks for insecure versions of Adobe Flash, Internet Explorer, and several other Microsoft applications, and when they are detected it exploits them to surreptitiously install malware known as Backdoor.Win3.Buzus.croo. The rootkit-enabled program logs banking credentials and may do other nefarious bidding, Landesman said.

At the moment, about two percent of the requests ScanSafe sees are for sites infected by the malicious link, an indication the threat is significant, Landesman said.

SQL injection attacks prey on web applications that fail to adequately inspect user supplied input before passing it off to a webserver's backend database. They are a favorite way of adding malicious links and content to third-party websites and were also the the chink that allowed Albert Gonzalez and other hackers the toehold they needed to steal more than 130 million credit card numbers from card processor Heartland Payment Systems and four other companies.

The fingerprints on this latest attack lead Landesman to believe the perpetrators are new to the SQL injection game. More sophisticated mass attacks using the method, such as the Gumblar infection inject unique, dynamically-generated links that prevent researchers from being able to locate them using web searches.

Gumblar also uploads exploits directly to infected sites, which greatly complicates white hat efforts to clean up the mess. Rather than shutting down a single site that's hosting the malware, thousands of mom and pop sites must be disinfected one at a time.

"I'm not convinced SQL injection is the method they're most accustomed to," Landesman said of the gang behind the most recent mass infection. "It's almost as if they're a seasoned attacker but this is their first foray into managing a wide-scale web attack.

emails

a

The Register - Security

IQ test

The Register - Security: Anti-Virus

HackWire - Hacker News