Browse >Home / Archive by category 'Security News'
When a Naked Security reader forwarded us a suspicious email he received today, it served as a healthy reminder for all computer users to be on their guard against phishing attacks.
The email claims to come from Apple, and appears to have targeted our correspondent because he is a user of Apple’s MobileMe service.
Apple is planning to shut down its MobileMe service in mid-2012, as it is readying its new iCloud service (which will store music, photos, calendars, documents etc in ‘the cloud’ and wirelessly push them to all of your devices).
Understandably, a lot of MobileMe users are interested in how they will migrate to iCloud and this is the issue that the phishing email uses as bait.
Welcome to iCLOUD
Important information for MobileMe members.
Dear MobileMe member,
Please sign up for iCloud and click the submit botton, you'll be able to keep your old
email address and move your mail, contacts, calendars, and bookmarks to the new service.
Your subscription will be automatically extended through July 31, 2012, at no additional charge.
After that date, MobileMe will no longer be available.
Click here to update iCLOUD
The Apple store Team
If you make the decision to click on the link in the email, however, you are not taken to an official Apple website – but instead a third-party site that is trying hard to present itself in an Apple style.
Yes, it’s a phishing website.
And just look what it’s asking for: your credit card details, your address, your social security number, your full date of birth, your mother’s maiden name and your Apple ID credentials.
Crumbs! Imagine the harm a fraudster could cause with all that information.
Make sure you have your eyes peeled for phishing attacks, and be on your guard regarding unsolicited messages you receive in your inbox. It could be you who gets hit by a phishing attack next.
By Graham Cluley @ nakedsecurity.sophos.com
Nicholas Allegra, better known as ‘comex’, the creator of the JailBreakMe website which made it child’s play for iPhone owners to jailbreak their devices, has been given an internship at Apple.
The 19-year-old from Chappaqua, New York posted the news of his new position on Twitter:
Allegra has given Apple plenty of headaches in the last couple of years, finding security vulnerabilities in Apple’s iPhone that allowed anyone to convert their smartphone into a device capable of running unapproved applications.
Normally jailbreaking requires users to connect their device to a computer before they can start to tamper with the set-up of their iPhone or iPad – but JailBreakMe made it significantly easier.
Just visiting the website with Safari would trigger a security vulnerability, allowing code to run which would jailbreak the iPhone or iPad.
Apple don’t like folks jailbreaking their iPhones, so it’s understandable that they would rather have the man behind the JailBreakMe website working for them rather than exposing their security weaknesses.
After all, whenever Allegra updated his JailBreakMe website to defeat Apple’s security he was given a potentially dangerous blueprint to more malicious hackers who may want to plant more dangerous code.
Each time Allegra has found a flaw in Apple’s software, the company has been forced to rush out a security patch.
So, what’s going to change now Apple has made jailbreaking expert Nicholas Allegra an intern?
Well, I would imagine that they’ll be strongly encouraging him to share with them any details of security flaws he finds with their software rather than updating his drive-by jailbreaking website. That way they’ll be able to work on patching any vulnerabilities he discovers before they are made public.
I’m sure they’ll be particularly keen to prevent Allegra from publishing details on how to jailbreak the next incarnation of iOS, version 5.0, or the much-mooted iPhone 5.
From Apple’s point of view it’s a case of: If you can’t beat ‘em, hire ‘em.
By Graham Cluley @ nakedsecurity.sophos.com
Facebook users are sending scary warnings to each other regarding a supposed new piece of malware spreading across the social network.
Attention!!!If you see anyone post out an application written "May God always bless this kind person below with peace, love and happiness", with your profile picture attached below, and send by your friend via Bold Text. Please DONT click "like" or "SHARE", is a spyware, and all your info at FB will be copy and reuse for other purpose. Please share this info out. Thanks......;)
The warnings are being spread rapidly by well-intentioned Facebook users, but the truth is that we have seen no evidence of any such spyware.
Our friends at Facecrooks believe they have got to the bottom of the mystery.
They have determined that rather than a genuine virus, the warning was kicked off by a Facebook application called Bold Text making over-exuberant, if not downright spammy, wall postings.
Over one million people are reported to have used the application, so clearly its self-promoting tactics are working.
If you see one of your friends reposting the warning about the ‘May God always bless..’ message then please tell them that it isn’t true that it’s a virus, and point them to this article or the information on Facecrooks.
And if you installed the Bold Text application, and aren’t enjoying the messages it is posting, you should revoke its access to your Facebook account.
It’s not the first time, of course, that Facebook users have been misled of the full facts by virus hoaxes. Most recently we have seen a bogus warning message about an Olympic Torch virus that could “burn the whole hard disc.. C of your computer”
Make sure that you stay informed about the latest genuine scams spreading fast across Facebook and other internet attacks. Join the Sophos Facebook page, where more than 100,000 people regularly share information on threats and discuss the latest security news.
By Graham Cluley @ nakedsecurity.sophos.com
The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today. TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.
Its creator calls this program TDL. Since it first appeared in 2008, malware writers have been perfecting their creation little by little. By 2010, the latest version was TDL-3, which was discussed in depth in an article published in August 2010.
The creators of TDSS did not sell their program until the end of 2010. In December, when analyzing a TDSS sample, we discovered something odd: a TDL-3 encrypted disk contained modules of another malicious program, SHIZ.
TDL-3 encrypted disk with SHIZ modules
At that time, a new affiliate program specializing in search engine redirects had just emerged on the Internet; it belonged to the creators of SHIZ, but used TDL-3.
The changes that had been made to the TDL-3 configuration and the emergence of a new affiliate marketing program point to the sale of TDL-3 source code to cybercriminals who had previously been engaged in the development of SHIZ malware.
Why did the creators of TDL decide to sell source code of the third version of their program? The fact is that by this time, TDL-4 had already come out. The cybercriminals most likely considered the changes in version 4 to be significant enough that they wouldn’t have to worry about competition from those who bought TDL-3.
In late 2010, Vyacheslav Rusakov wrote a piece on the latest version of the TDSS rootkit focusing on how it works within the operating system. This article will take a closer look at how TDL-4 communicates with the network and uploads data to the botnet, which numbered over 4.5 million infected computers at the time of writing.
The way in which the new version of TDL works hasn’t changed so much as how it is spread – via affiliates. As before, affiliate programs offer a TDL distribution client that checks the version of the operating system on a victim machine and then downloads TDL-4 to the computer.
Affiliates spreading TDL
Affiliates receive between $20 to $200 for every 1,000 installations of TDL, depending on the location of the victim computer. Affiliates can use any installation method they choose. Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services.
The changes in TDL-4 affected practically all components of the malware and its activity on the web to some extent or other. The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down. The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.
Encrypted network connections
One of the key changes in TDL-4 compared to previous versions is an updated algorithm encrypting the protocol used for communication between infected computers and botnet command and control servers. The cybercriminals replaced RC4 with their own encryption algorithm using XOR swaps and operations. The domain names to which connections are made and the bsh parameter from the cfg.ini file are used as encryption keys.
Readers may recall that one of the distinguishing features of malware from the TDSS family is a configuration file containing descriptions of the key parameters used by various modules to maintain activity logs and communications with command and control servers.
Compared to version 3, there are only negligible changes to the format of the configuration file. The main addition is the bsh parameter, an identifier which identifies the copy of the malware, and which is provided by the command and control sever the first time the bot connects. This identifier acts as one of the encryption keys for subsequent connections to the command and control server.
Upon protocol initialization, a swap table is created for the bot’s outgoing HTTP requests. This table is activated with two keys: the domain name of the botnet command and control server, and the bsh parameter. The source request is encrypted and then converted to base64. Random strings in base64 are prepended and appended to the received message. Once ready, the request is sent to the server using HTTPS.
The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis, and blocking attempts of other cybercriminals to take control of the botnet.
Just like Sinowal, TDL-4 is a bootkit, which means that it infects the MBR in order to launch itself, thus ensuring that malicious code will run prior to operating system start. This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.
TDL nimbly hides both itself and the malicious programs that it downloads from antivirus products. To prevent other malicious programs not associated with TDL from attracting the attention of users of the infected machine, TDL-4 can now delete them. Not all of them, of course, just the most common.
TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc. TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them.
This ‘antivirus’ actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.
Which malicious programs does TDL-4 itself download? Since the beginning of this year, the botnet has installed nearly 30 additional malicious programs, including fake antivirus programs, adware, and the Pushdo spambot.
Notably, TDL-4 doesn’t delete itself following installation of other malware, and can at any time use the r.dll module to delete malware it has downloaded.
One of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network?
We have known about botnets controlled via P2P for some time now, although until now, these were closed protocol connections created by the cybercriminals themselves. In contrast, TDSS uses a public P2P network in order to transmit commands to all infected computers in the botnet. The initial steps of how TDSS makes use of Kad are given below:
- The cybercriminals make a file called ktzerules accessible on the Kad network. The file is encrypted and contains a list of commands for TDSS.
- Computers infected with TDSS receive the command to download and install the kad.dll module.
- Once installed, kad.dll downloads the file nodes.dat, which contains the publicly accessible list of IP addresses of Kad network servers and clients.
- The kad.dll module then sends a request to the Kad network to search for the ktzerules file.
- Once the ktzerules files has been downloaded and encrypted, kad.dll runs the commands which ktzerules contains.
Below is a list of commands from an encrypted ktzerules file.
- SearchCfg – search Kad for a new ktzerules file
- LoadExe – download and run the executable file
- ConfigWrite – write to cfg.ini
- Search – search Kad for a file
- Publish – publish a file on Kad
- Knock – upload a new nodes.dat file to the C&C which contains a list of Kad server and clients IP addresses, including those infected with TDSS.
The most interesting command is Knock. This command allows the cybercriminals to create their own Kad P2P, the clients of which are exclusively TDSS-infected computers.
How publicly accessible and closed KAD networks overlap
Essentially, the TDSS botnet kad.dll module is more or less the same as cmd.dll in terms of control function. By running nodes.dat files containing a list of IP addresses of Kad clients in addition to ktzerlrules, which contains a command to download a new nodes.dat file from cybercriminal servers, the owners of the botnet can both include their infected computers in the publicly accessible Kad network and remove them from the network. The publicly accessible Kad network contains no more than 10 TDSS infected computers. This makes replacing the ktzerules file as inefficient as possible, which prevents other cybercriminals from taking control over the botnet. The total number of TDSS infected computers on the closed network number tens of thousands.
Furthermore, access to Kad makes it possible for the cybercriminals to download any files to botnet machines and make them accessible to the P2P users. This includes adult content files and stolen data bases.
The key threat that such a botnet poses is that even when its command and control centers are shut down, the botnet owners will not lose control over infected machines. However, the system does face two major obstacles:
- By using the publicly accessible Kad network, the cybercriminals still run the risk of fake botnet commands.
- When developing the kad.dll module for maintaining communication with the Kad network, code with a GPL license was used — this means that the authors are in violation of a licensing agreement.
In addition to its known adware function, TDL-4 has added some new modules to its arsenal. This article has already touched on the ‘antivirus’ function and the P2P module. The owners of TDSS have also added several other modules to their malware, and now offer services such as anonymous network access via infected machines and 64-bit support.
A file called Socks.dll has been added to TDSS’s svchost.exe; it is used to establish a proxy server on an infected computer. This module facilitates the anonymous viewing of Internet resources via infected machines.
Having control over such a large number of computers with this function, the cybercriminals have started offering anonymous Internet access as a service, at a cost of roughly $100 per month. For the sake of convenience, the cybercriminals have also developed a Firefox add-on that makes it easy to toggle between proxy servers within the browser.
The appearance of a 64-bit malicious driver in TDSS was another innovation in malware in 2010. In order to support operations with 64-bit systems in user mode, TDL-4 contains a module called cmd64.dll, a version of cmd.dll for 64-bit systems. However, due to the limitations of working with 64-bit programs, cmd64.dll code only provides communication with the botnet command and control servers.
The cmd.dll module (see for details) remains almost completely unchanged. This module facilitates communication with the botnet command and control servers and substitutes search results, i.e. fraudulently manipulates advertising systems and search engines. The newest innovation in the list of commands for TDSS is the SetName command, which assigns a number to each infected computer. For search engines and banner networks, TDSS uses the same fake click and traffic technologies as similar malicious programs. However, TDSS has the longest list of search engines for which it substitutes search results.
List of search engines supported by TDSS
Botnet command and control servers
When running, TDSS uses several sources to obtain lists of command and control server addresses. The default list is taken from cmd.dll; if these addresses are inaccessible, then TDSS gets a list from cfg.ini. If for some reason no command and control server listed is accessible, then a list is created from an encrypted file called bckfg.tmp, which the bot receives from the command and control server on first connection. Since the beginning of the year, around 60 command and control centers have been identified across the globe.
|Server address at the|
beginning of February
|Server address at the |
beginning of March
|Percentage of |
mentions in C&C lists
A careful examination of this list reveals that the IP addresses of command and control centers are constantly changing, while some command and control centers are phased out altogether. These changes are due to the use of proxy servers, which hide the true location of the command and control centers.
Despite the steps taken by cybercriminals to protect the command and control centers, knowing the protocol TDL-4 uses to communicate with servers makes it possible to create specially crafted requests and obtain statistics on the number of infected computers. Kaspersky Lab’s analysis of the data identified three different MySQL databases located in Moldova, Lithuania, and the USA, all of which supported used proxy servers to support the botnet.
According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.
Nearly one-third of all infected computers are in the United States. Going on the prices quoted by affiliate programs, this number of infected computers in the US is worth $250,000, a sum which presumably made its way to the creators of TDSS. Remarkably, there are no Russian users in the statistics. This may be explained by the fact that affiliate marketing programs do not offer payment for infecting computers located in Russia.
This heading of this last section has become traditional in our articles on TDSS. In this case, we have reason to believe that TDSS will continue to evolve. The fact that TDL-4 code shows active development — a rootkit for 64-bit systems, the malware running prior to operating system start launches, the use of exploits from Stuxnet’s arsenal, P2P technology, its own ‘antivirus’ and a lot more — place TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware. The botnet, with more than 4.5 million infected computers, is used by cybercriminals to manipulate adware and search engines, provide anonymous Internet access, and acts as a launch pad for other malware.
TDSS and the botnet that unites all the computers it infects will continue to cause problems for users and IT security professionals alike. The decentralized, server-less botnet is practically indestructible, as the Kido epidemic showed.
Our good friends over at Symantec love VIPRE so much, they’ve decided to use the logo in their new marketing campaign!
We prefer our colors, of course (I like blue) but otherwise, not a bad copy of our logo.
Imitation is the sincerest form of flattery!
Alex Eckelberry - GFI
In today’s business world, internet usage has become a necessity for doing business. Unfortunately, a company’s use of the internet comes with considerable risk to its network and business information.
Web security threats include phishing attacks, malware, scareware, rootkits, keyloggers, viruses and spam. While many attacks occur when information is downloaded from a website, others are now possible through drive-by attacks where simply visiting a website can infect a computer. These attacks usually result in data and information leakage, loss in productivity, loss of network bandwidth and, depending on the circumstances, even liability issues for the company. In addition to all this, cleanup from malware and other types of attacks on a company’s network are usually costly from both the dollar aspect as well as the time spent recovering from these web security threats.
Fortunately, there are steps a company can take to protect itself from these web security threats. Some are more effective than others, but the following suggestions should help narrow down the choices.
Employee internet usage policy
The first and probably the least expensive solution would be to develop and implement an employee internet usage policy. This policy should clearly define what an employee can and cannot do when using the internet. It should also address personal usage of the internet on the business computer. The policy should identify the type of websites that can be accessed by the employee for business purposes and what, if any, type of material can be downloaded from the internet. Always make sure the information contained in the policy fits your unique business needs and environment.
Train your employees to recognize web security threats and how to lower the risk of infection. In today’s business environment, laptops, smartphones, iPads, and other similar devices are not only used for business purposes, but also for personal and home use. When devices are used at home, the risk of an infection on that device is high and malware could easily be transferred to the business network. This is why employee education is so important.
Good patch management practices should also be in place and implemented using a clearly-defined patch management policy. Operating systems and applications, including browsers, should be updated regularly with the latest available security patches. The browser, whether a mobile version used on a smartphone or a full version used on a computer, is a primary vector for malware attacks and merits particular attention. Using the latest version of a browser is a must as known vulnerabilities would have been addressed
Internet monitoring software
Lastly, I would mention the use of internet monitoring software. Internet monitoring software should be able to protect the network against malware, scareware, viruses, phishing attacks and other malicious software. A robust internet monitoring software solution will help to enforce your company’s internet usage policy by blocking connections to unacceptable websites, by monitoring downloads, and by monitoring encrypted web traffic going into and out of the network.
There is no single method that can guarantee 100% web security protection, however a well thought-out strategy is one huge step towards minimizing risk that the network could be targeted by the bad guys.
This guest post was provided by Sean McCreary on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: GFI web security software.
All product and company names herein may be trademarks of their respective owners.
Facebook users are being tricked into helping scammers earn money, in the mistaken belief that they will receive a free $25 Apple iTunes Giftcard.
We have seen a number of Facebook users posting messages like the following onto their walls:
Free $25 Apple iTunes Giftcard
Limited time left, get yours now!
Clicking on the link takes you to a webpage which urges you to “Share” the message with your Facebook friends before you can go any further.
You should, of course, always treat such requests with suspicion – but that hasn’t stopped many people unwittingly help the scammers to spread their links far and wide across Facebook.
Perhaps you noticed that you still haven’t been given a free $25 Apple iTunes Giftcard at this point. Instead, the scammers would like you take a survey.
Clearly they have no qualms about using Apple imagery to try to trick you into believing that the campaign is endorsed in some way by Apple itself.
This type of survey scam is all too familiar to regular readers of Naked Security. The scammers earn commission for every survey they trick people into completing – and your chances of ever receiving an iTunes Giftcard are close to zero.
But it’s too late for your Facebook friends, as you have already shared the link with them – and so the scam spreads across the social network as users pass it on between eachother.
Of course, if you have fallen for the scam, it’s a good idea to remove all references to it from your Facebook page and warn your friends not to participate in it.
If you use Facebook and want to get an early warning about the latest attacks, you should join the Sophos Facebook page where we have a thriving community of over 100,000 people.
By Graham Cluley @ nakedsecurity.sophos.com
When Facebook revealed last year it was introducing facial recognition technology to help users tag their friends in photographs, they gave the functionality to North American users only.
Most of the rest of us found the option in our privacy settings was “not yet available”, which meant we could neither enable or disable it. We simply had to wait until Facebook decided to roll it out to our account.
Well, now might be a good time to check your Facebook privacy settings as many Facebook users are reporting that the site has enabled the option in the last few days without giving users any notice.
There are billions of photographs on Facebook’s servers. As your Facebook friends upload their albums, Facebook will try to determine if any of the pictures look like you. And if they find what they believe to be a match, they may well urge one of your Facebook friends to tag it with your name.
The tagging is still done by your friends, not by Facebook, but rather creepily Facebook is now pushing your friends to go ahead and tag you.
Remember, Facebook does not give you any right to pre-approve tags. Instead the onus is on you to untag yourself in any photo a friend has tagged you in. After the fact.
If this is something you’re uncomfortable with, disable “Suggest photos of me to friends” now.
Here’s how you do it.
* Go to your Facebook account’s privacy settings.
* Click on “Customise settings”.
* Under “Things others share” you should see an option titled “Suggest photos of me to friends. When photos look like me, suggest my name”.
* Unfortunately at this point you can’t tell whether Facebook has enabled the setting or not, you have to dig deeper..
* Click on “Edit settings”.
* If Facebook has enabled auto-suggestion of photo tags you will find the option says “Enabled”.
* Change it to “Disabled” if you don’t want Facebook to work that way.
* Press “OK”.
Earlier this year, Sophos wrote an open letter to Facebook. Amongst other things, we asked for “privacy by default” – meaning that there should be no more sharing of information without users’ express agreement (OPT-IN).
Unfortunately, once again, Facebook seems to be sharing personal information by default. Many people feel distinctly uncomfortable about a site like Facebook learning what they look like, and using that information without their permission.
Most Facebook users still don’t know how to set their privacy options safely, finding the whole system confusing. It’s even harder though to keep control when Facebook changes the settings without your knowledge.
The onus should not be on Facebook users having to “opt-out” of the facial recognition feature, but instead on users having to “opt-in”.
Yet again, it feels like Facebook is eroding the online privacy of its users by stealth.
If you are on Facebook and want to keep yourself informed about the latest news from the world of internet security and privacy you could do a lot worse than join the Sophos Facebook page where we regularly discuss these issues and best practice.
You should also take some time to read our step-by-step advice on how best to configure your Facebook privacy settings.
By Graham Cluley @ http://nakedsecurity.sophos.com/
By my count this is unlucky hack number 13 for Sony. A Lebanese hacker known as Idahc dumped another user database at Sony Europe containing approximately 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.
The attacker claims that he used standard SQL injection techniques to acquire the database. I think it is fair to say it appears that Sony has not learned anything from the previous 12 attacks.
SQL injection flaw? Check. Plain text passwords? Check. People’s personally identifiable information totally unprotected? Check.
Idahc is the same attacker who targeted the Canadian Sony Ericsson site in May, 2011. In his note on pastebin he states: “I was Bored and I play the game of the year : ‘hacker vs Sony’.” He posted the link to pastebin with the simple note “Sony Hacked: pastebin.com/OMITTED lol.”
If you are a database administrator (especially a Sony one) and want to avoid your sensitive data from ending up in the headlines I recommend you actually test your web applications for SQL vulnerabilities.
You can also download our free technical paper Securing Websites.
By Chester Wisniewski @ nakedsecurity.sophos.com
Don’t be too quick to click on links claiming to “Enable Dislike Button” on Facebook, as a fast-spreading scam has caused problems for social networking users this weekend.
Messages claiming to offer the opposite to a like button have been appearing on many Facebook users’ walls:
Facebook now has a dislike button! Click 'Enable Dislike Button' to turn on the new feature!
Like the “Preventing Spam / Verify my account” scam which went before it, the scammers have managed to waltz past Facebook‘s security to replace the standard “Share” option with a link labelled “Enable Dislike Button”.
The fact that the “Enable Dislike Button” link does not appear in the main part of the message, but lower down alongside “Link” and “Comment”, is likely to fool some users into believing that it is genuine.
The potential for malice should be obvious.
As we’ve explained before, there is no official dislike button provided by Facebook and there isn’t ever likely to be. But it remains something that many Facebook users would like, and so scammers have often used the offer of a “Dislike button” as bait for the unwary.
If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.