Windows and Mac users urged to update Safari

Apple has released version 4.0.5 of its Safari browser, fixing a number of issues with its browser for Windows and Mac OS X including – most importantly – a grand total of 16 security vulnerabilities.

If you dilly-dally over updating your computer, it’s possible that hackers could exploit the security bugs – including some that could mean that simply visiting a webpage with a maliciously crafted image could lead to malicious code being automatically run on your computer.

Interestingly, one of the bugs (CVE-2009-2285) fixed in Safari 4.0.5 was announced and patched in Mac OS X 10.6.2 back in December 2009, and in Mac OS X 10.5 since January, meaning that Windows users of Safari have been vulnerable for over two months to the way their browser handles booby-trapped TIFF images.

But it doesn’t matter whether you own a Mac or PC, if you run Safari the message is clear: It’s time to update your browser and ensure that you are protected against hackers exploiting the security holes detailed in the security advisory on Apple’s website.

Safari users should practise safe computing, and update their systems as soon as possible.

By Graham Cluley, Sophos

Twitter fights back against spam, phishing, and other malicious links

In a move that should be welcomed by many users, Twitter has announced that it is introducing a new feature to combat the many malicious and malware URLs that are distributed via the micro-blogging site.

In a blog entry posted by Del Harvey, Twitter’s Director of Trust and Safety, it was revealed that the site will start using its own URL shortener (twt.tl) for Twitter messages sent privately between two users via a direct message (DM), giving it the opportunity to “detect, intercept, and prevent the spread of bad links across all of Twitter”.

As Sophos’s Chet Wisniewski told DarkReading, the new http://twt.tl shortened url appears to be only evoked with email notifications for direct messages at this time.

Details of how Twitter is determining if a link is potentially malicious or not do not appear to have been released at this time, and it would certainly be great if Twitter would post some more information on how the system will work and what users can expect to see.

It’s also to be hoped that this new service will be rolled-out to other areas of Twitter too. We’ve seen many times in the past that phishing and spam attacks on Twitter don’t tend to restrict themselves purely to DMs, but will also often be found in the public timeline too, as the following YouTube video demonstrates:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

The problem of dangerous links being distributed via Twitter has been growing for some time, with some 70% of people polled by Sophos reporting that they have been on the receiving end of spam and malware attacks via social networks in the last year.

The news of Twitter’s new twt.tl short url facility follows a few months after bit.ly announced that it would protect users against visiting webpages that may contain a malware, spam or phishing threat using technology from security vendors such as Sophos.

* Image source: wonderferret’s Flickr photostream (Creative Commons)

By Graham Cluley, Sophos

Hackers exploit Oscar film awards to spread scareware

Last night saw Kathryn Bigelow’s hard-hitting film “The Hurt Locker”, about a bomb disposal team in Iraq, scoop the major gongs at the Academy Awards. It shouldn’t probably be any surprise to hear that movie buffs around the world used the internet to keep track of who won which Oscars, and – sadly -that hackers would try and exploit the event.

Internet users searching for phrases like

Oscars 2010 winners

 

may be putting the security of their computers at risk today, as some of the results returned by search engines can point to malicious webpages.

By using SEO (search engine optimisation) techniques, hackers have created webpages that are stuffed with content which appears to be related to the 2010 Oscars, but are really designed to infect your computer.

As you can see, information about the Oscars ceremony and award winners has been one of the hottest search topics overnight.

Clicking on the dangerous links takes you to a page which pretends to scan your computer for security threats, trying to trick you into downloading malicious code and hand over your credit card details.

As Fraser Howard recently described on the SophosLabs blog, victims are redirected a number of times upon visiting from a search engine, before being taken to a webpage hosting a malicious script.

Sophos detects the malicious scripts as Mal/FakeAVJs-A, and the fake anti-virus itself as Troj/FakeAV-AXS.

Fake anti-virus attacks (also known as scareware) are nothing new, and it’s very common for hackers to exploit hot topics in an attempt to bring a steady stream of traffic to their infected webpages.

By Graham Cluley, Sophos

Surveillance rootkits on smartphones

Liviu Iftode and Vinod Ganapathy, two researchers at Rutgers University, have revealed some experiments they have been conducting, showing how rootkits could be used to take control of smartphones.

The scientists have shown that a malicious attacker could cause a smartphone to “eavesdrop on a meeting, track its owner’s travels, or rapidly drain its battery to render the phone useless”.

Watch the following YouTube video to learn more:

It’s a cute little video, but how realistic is this threat in reality?

I don’t think the kind of attack described by Iftode and Ganapathy is a big deal right now.

Yes, it is possible to change or put software onto a smartphone (by, for instance, installing a rootkit) so that the mobile device then performs malicious functions. For instance, code that enables covert remote surveillance, battery drainage or silently steals data.

Of course, this relies upon the smartphone allowing you to make changes to its low-level software. Popular smartphones like the Apple iPhone lock down that kind of meddling to a great extent.

So, the key thing to remember is that the bad guys have to somehow get the malicious rootkit onto your phone in the first place.

How are they going to do that?

They would either need to have physical access to your smartphone, exploit an unpatched security vulnerability or use a social engineering attack to trick you into installing malicious code. Even if they went down the “trick” route they would be relying upon the phone’s OS to allow you to install unapproved apps (iPhones, for instance, are strictly controlled by their Cupertino-based overlords, allowing users to only install code that has been approved and checked by the AppStore).

So it doesn’t sound like what Iftode and Ganapathy are describing is actually any different from the rootkits that infect traditional desktop computers. The main difference is that there are probably less opportunities (and thus much harder) to infect a mobile phone than, say, a computer running Windows.

Furthermore, I would argue that the typical mobile phone user is still typically less used to installing applications than their Windows counterparts, and so the chances of success via fooling the user into installing a dangerous application can be assumed to be even lower.

Iftode and Ganapathy have not demonstrated any revolutionary new way of getting round the biggest hurdle for those wanting to spy on smartphones: how are they going to get the malware onto the phone?

If I really wanted to snoop on someone’s phone I think it would probably be easier to swap my victim’s mobile phone for an identical (but bugged) device rather than go to all this effort with no promise of success.

Sure, the mobile phone malware threat is growing – but it’s a tiny raindrop in a thunderstorm compared to regular attacks that strike Windows computers. Slowly but slowly it’s becoming more serious (the recent discovery of financially-motivated malware that targets jailbroken iPhones is proof of that), and undoubtedly we will begin to see more users running anti-virus security on their phones in the years to come.

However, if I was responsible for securing my company’s mobile phones I would be much more worried about the real security threat of staff losing their phones in taxis or on the train, rather than the theoretical risk of surveillance rootkits.

It’s a nice video and presentation that Iftode and Ganapathy made, but I won’t be losing any sleep over it just yet.

More information on the topic of smartphone rootkits can be found in the paper Iftode and Ganapathy have produced: “Rootkits on Smart Phones: Attacks, implications and opportunities” [PDF]

By Graham Cluley, Sophos

Malware attack spammed out disguised as email settings file

Sophos is intercepting a large number of malicious emails that have been spammed out around the world, posing as a new settings files for internet users’ email systems. However, attached to the emails is a Trojan horse.

Each email is carefully disguised in an attempt to lure the recipient into believing they are genuine. For instance, they use the recipient’s email address in the subject line and pretend to come from the support team at the recipient’s email domain:

A typical malicious email reads as follows (I’m assuming the user’s email address is username@example.com below):

Subject: A new settings file for the username@example.com has just be released

Attached file: settings.zip

Message body:
Dear use of the example.com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox username@example.com settings were changed. In order to apply the new set of settings open zip attached file.

Best regards, example.com Technical Support.

Although the hackers behind this attack have clearly put a little thought into how they might infect as many people as possible, they have made some grammatical mistakes which may tip off potential victims that the emails are not genuine.

For instance, the subject line of

A new settings file for the username@example.com has just be released

is very clumsy.

Attached to each email is a file called settings.zip, which contains a copy of the Troj/Bredo-BE Trojan horse.

Stay on your guard against attacks arriving via email. Although we see many web-based attacks these days, the rumours of the death of email-based malware are greatly exaggerated.

By Graham Cluley, Sophos

Critical security update for Adobe Reader and Acrobat

Adobe has issued a security bulletin urging users of its Adobe PDF Reader and Acrobat products to update their software before hackers take advantage of two critical vulnerabilities.

Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh are vulnerable to a flaw that could be exploited by hackers to make unauthorised cross-domain requests. This same vulnerability was revealed in Adobe Flash Player last week.

Meanwhile, another flaw could give hackers an opportunity to inject malicious code onto computers via vulnerable installations of Reader and Acrobat.

As we’ve mentioned many times before, it’s essential that you keep your installations of Adobe’s software up-to-date as they are increasingly being taken advantage of by hackers to launch attacks.

Adobe recommends users of Adobe Reader 9.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.1 if possible. Similarly, Adobe Acrobat should be updated to version 9.3.1. It’s a shame, therefore, that Adobe’s Reader advisory makes such a bad job of linking to the right files.

For instance, the link it is giving for the Mac update actually links to a page full of Windows files:

Hopefully Adobe will sort that out soon, and make it clearer where users can download the right patches for their operating system from. I, for one, am still finding it difficult to locate Adobe Reader 9.3.1.

By Graham Cluley, Sophos

Fake Conflicker.B Infection Alert puts internet users at risk

The global network of spamtraps controlled by the experts inside SophosLabs are seeing a swarm of attacks today, posing as an email warning about the Conficker worm.

Here is a typical message that has been spammed out by hackers:

Subject: Conflicker.B Infection Alert
Attached file: open.zip

Message body:

 

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

Opening the file attached to the email (in this case it’s called open.zip) infects your computer with malware which Sophos detects as Mal/EncPk-KW.

The wording is nearly identical to a similar attack I blogged about last October.

What surprises me is that during the last few months the hackers behind the attack appear to have made no effort to fix mistakes in their disguise – for instance, it should say Conficker in the subject line not Conflicker!

I can only presume that they’re counting on their potential victims not spotting that typo. It certainly has not stopped the cybercriminals from sending out the infected messages en masse today. Presently this malicious spam campaign is one of the most commonly seen examples of file attachment malware being spread around the world:

By Graham Cluley, Sophos

Tests Show Problems With AV Detections

Dateline: Moscow.

Here at a security press conference held by Kaspersky Lab, the company demonstrated how some malware detections are easily triggered by innocuous programs.

The problem arises when one vendor detects a threat. Samples are often passed on to other vendors, through multi-scanning services like VirusTotal. The fact that another vendor, particularly a respected one like Kaspersky, detects a threat is enough of a reason to take a serious look at the sample.

After suspecting such problems, Kaspersky created a test which demonstrated the phenomenon. They wrote a series of simple and innocuous programs, compiled them, created false detections for them in their engine, and then submitted the files to Virustotal. Only Kaspersky detected the files at this point.

But standard procedure with VirusTotal is that if at least one of the products detects a submitted sample, it is submitted to the others who didn’t detect it. The idea is that they can then analyze the file and create their own detection.

Instead, what they found was that other companies were creating detections for the false submissions from Kaspersky. The programs create some variables and perform simple mathematical operations on them. They don’t even touch the file system. Kaspersky provided me with the programs and the source code.

Click on these to see some of the detections:

• http://www.virustotal.com/analisis/5aee7…1264831301
• http://www.virustotal.com/analisis/0de6d…1264867956
• http://www.virustotal.com/analisis/b2a11…1264867934
• http://www.virustotal.com/analisis/7e79b…1264867923
• http://www.virustotal.com/analisis/0b974…1264831241
• http://www.virustotal.com/analisis/0b974…1264867640

But it turns out that the fact that Kaspersky was detecting the threats was not the only reason the others were. The real problems were the aggressive heuristics in the products and that fact that only a static scan was performed.

And there is something suspicious about a program that appears to do nothing and then exits. Other vendors I communicated with on the matter said that the behavior was not surprising and that a live on-access detection on a system with their product installed would not be the same. For instance, F-Secure said that “[o]n the end users Windows box, these alerts would show up as a prompt, asking the user whether he really trusts the program. In addition, we have massive whitelist databases in our back-ends, so such prompts would only appear from new, unknown applications.”

I suspected that the compiler used to generate the samples might itself be an issue, so I asked Kaspersky about it. They used the mingw crosscompiler, a gcc version for Linux that generates Win32 binaries. It’s possible that the same source code compiled with Microsoft Visual Studio would have generated a different reaction in the anti-malware products, not that it should make a difference. But Kaspersky then creates a “hello world” program with the same compiler and settings and uploaded it to VirusTotal; hours later, even though there were no Kaspersky detections, 2 other products called the sample “suspicious”.

This problem is not entirely new; Hispasec Sistemas Lab of Spain, the company that operates VirusTotal, wrote about it a few months ago (original Spanish, Google translation to English). As they point out, the volume of samples coming into company labs is so enormous that the vast majority has to be handled by automated analysis processes, and perhaps they are designed to be a little more paranoid than humans.

Kaspersky Lab has written an Analyst’s Diary entry on the issue as well.

By Larry Seltzer from PCMag.com

Mozilla admits Firefox add-ons contained Trojan code

Mozilla has issued a warning that two add-ons available from AMO (addons.mozilla.org, the Mozilla Add-ons website) were infected by malicious code capable of infecting Windows computers.

According to a security notice on AMO’s blog, the Master Filer add-on was infected by the LdPinch password-stealing Trojan, and Sothink Web Video Downloader version 4.0 was infected by a version of the Bifrose backdoor Trojan horse.

Judging by the statement on the Mozilla Add-ons blog, a fair few people could have found that their Windows computers were infected:

Master Filer was downloaded approximately 600 times between September 2009 and January 2010. Version 4.0 of Sothink Web Video Downloader was downloaded approximately 4,000 times between February 2008 and May 2008. Master Filer was removed from AMO on January 25, 2010 and Version 4.0 of Sothink Web Video Downloader was removed from AMO on February 2, 2010.

Versions of Sothink Web Video Downloader greater than 4.0 are said not to be infected. Furthermore, both Trojans were specifically written for Windows, meaning they could not infect on Mac OS X and Linux installations of Firefox.

This isn’t the first time malware has slipped through Mozilla’s security procedures. In May 2008, users who downloaded Firefox’s Vietnamese language pack were warned that it had contained a malicious script designed to display irritating advertising messages.

Mozilla says that in light of the security lapse it has strengthened its systems, scanning all add-ons with additional anti-virus tools.

Personally, I would recommend that all computer users remember not to rely on someone else doing the virus scanning for them, and ensure they have anti-malware protection running on their computer.

By Graham Cluley, Sophos

Operation Aurora: Microsoft knew about Internet Explorer flaw for four months

On Thursday there were sighs of relief from all corners as Microsoft released a security patch for a vulnerability that had been exploited by hackers.

The patch fixed a critical zero-day vulnerability in versions of Internet Explorer that would have meant visiting a boobytrapped webpage could have infected your computer, opening a backdoor for remote hackers.

Nasty stuff, especially as it was being alleged that the security hole had been exploited by Chinese hackers who broke into the likes of Google and Adobe in an attack dubbed “Operation Aurora”.

Interestingly, details are now emerging that Microsoft was first told about the security hole early last September – a full four months before it hit the world’s headlines.

According to reports, Microsoft was informed about the security problem with its software (and the potential for hackers to take advantage of it) by security researcher Meron Sellen, and the company planned to roll-out a fix in a cumulative update for Internet Explorer scheduled for next month.

Now, if you were one of the high-tech, financial or miltary targets that are said to have been struck by the Chinese hackers you might be feeling a little bit miffed that Microsoft didn’t roll out its patch for this critical vulnerability sooner.

For their part, Microsoft may well feel that as the flaw primarily affected Internet Explorer 6 that such organisations should already have updated to a more secure version of their browser (such as version 8.0).

Is four months too long a time to fix a security hole of this severity? I’m not sure. One thing we have to bear in mind is that it can be very complicated developing and then testing a security patch to ensure that it works in all environments with multiple different versions of the software being patched.

I would rather a patch worked than was rushed out and caused more problems than the bug it was trying to solve.

The thing we should all be grateful for is that there is now a patch for Internet Explorer, meaning there really is no excuse for any company to be breached via this particular security hole again.

But if Microsoft knew about this critical security vulnerability four months ago, I wonder how many other security holes there are that they secretly know about, but we don’t have a clue about yet.

Oh, and don’t forget, there’s nothing to suggest that the hackers only exploited this Internet Explorer flaw. Chances are that they took advantage of a whole bunch of different weaknesses in different products, as well as some social engineering tricks, to break into computers inside the affected companies.

By Graham Cluley, Sophos