Twitter fights back against spam, phishing, and other malicious links

March 11, 2010 by admin  
Filed under Security News

In a move that should be welcomed by many users, Twitter has announced a new feature to combat the malicious links, including malware URLs, that are distributed via the micro-blogging site.


In a blog entry posted by Del Harvey, Twitter’s Director of Trust and Safety, it was revealed that the site will start using its own URL shortener (twt.tl) for Twitter messages sent privately between two users via a direct message (DM), giving it the opportunity to “detect, intercept, and prevent the spread of bad links across all of Twitter”.
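Routing every DM link through a shortener the service controls is what gives Twitter a single enforcement point. The following is an added example, not Twitter's code: twt.tl's real token format and checking logic were not published, so the twt.tl/<token> path layout, the in-memory token table, the blocklist and the message text are all assumptions. It shows the mechanism itself: outbound links are swapped for wrapper tokens at send time and every click is resolved through a checker, so a destination can still be blocked after the message has been delivered.

```python
"""Link wrapping as a central choke point for bad URLs.  Added example, not
Twitter's implementation: the twt.tl/<token> layout, the in-memory token table
and the blocklist are assumptions, and the message below is constructed."""

import hashlib
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")
WRAPPER = "https://twt.tl/"          # domain named in the post; token path is assumed


class LinkGuard:
    """Rewrites outbound links to wrapper tokens and checks them at click time."""

    def __init__(self, blocked_hosts=()):
        self.blocked_hosts = {h.lower() for h in blocked_hosts}
        self.table = {}                # token -> original URL

    def wrap(self, text):
        """Replace every URL in an outgoing message with a wrapper link."""
        def repl(match):
            url = match.group(0)
            # Stable token derived from the URL; a real service would use a DB key.
            token = hashlib.sha256(url.encode()).hexdigest()[:10]
            self.table[token] = url
            return WRAPPER + token
        return URL_RE.sub(repl, text)

    def block(self, host):
        """Add a host after the fact; messages already sent are covered too."""
        self.blocked_hosts.add(host.lower())

    def resolve(self, token):
        """Decide what a click on a wrapper link should do."""
        url = self.table.get(token)
        if url is None:
            return "unknown", None
        host = (urlsplit(url).hostname or "").lower()
        if any(host == b or host.endswith("." + b) for b in self.blocked_hosts):
            return "blocked", url
        return "allow", url


def tokens_in(text):
    """Return the wrapper tokens present in an already-wrapped message."""
    return re.findall(re.escape(WRAPPER) + r"([0-9a-f]{10})", text)


if __name__ == "__main__":
    guard = LinkGuard(blocked_hosts=["phish.example"])
    dm = guard.wrap("new pics http://phish.example/login?u=1 and https://news.example/story")
    print(dm)
    for tok in tokens_in(dm):
        print(tok, guard.resolve(tok))
    guard.block("news.example")        # retroactive block: the DM text is unchanged
    print([guard.resolve(t) for t in tokens_in(dm)])
```

The point of the design is the last step: because the recipient only ever holds the wrapper token, a link that was clean when sent can be cut off the moment the destination is classified as bad, which a plain URL in the message body could never offer.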

 

As Sophos’s Chet Wisniewski told DarkReading, the new http://twt.tl shortened URL appears to be invoked only in email notifications for direct messages at this time.


Twitter does not appear to have released details of how it determines whether a link is potentially malicious, and it would certainly be useful if it published more information on how the system will work and what users can expect to see.


It is also to be hoped that this new service will be rolled out to other areas of Twitter too. We have seen many times in the past that phishing and spam attacks on Twitter do not restrict themselves purely to DMs, but are often found in the public timeline too, as a SophosLabs YouTube video demonstrates.



The problem of dangerous links being distributed via Twitter has been growing for some time, with some 70% of people polled by Sophos reporting that they had been on the receiving end of spam and malware attacks via social networks in the last year.


The news of Twitter’s new twt.tl short URL facility follows a few months after bit.ly announced that it would protect users against visiting webpages that may host malware or a spam or phishing threat, using technology from security vendors such as Sophos.



By Graham Cluley, Sophos

 


Fake Conflicker.B Infection Alert puts internet users at risk

February 19, 2010 by admin  
Filed under Security News

The global network of spamtraps controlled by the experts inside SophosLabs is seeing a swarm of attacks today, posing as an email warning about the Conficker worm.


Here is a typical message that has been spammed out by hackers:

Malicious email posing as a warning about the Conficker worm

Subject: Conflicker.B Infection Alert
Attached file: open.zip

 

Message body:

 

Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

 

Opening the file attached to the email (in this case it’s called open.zip) infects your computer with malware which Sophos detects as Mal/EncPk-KW.

 

The wording is nearly identical to a similar attack I blogged about last October.

 

What surprises me is that during the last few months the hackers behind the attack appear to have made no effort to fix mistakes in their disguise – for instance, it should say Conficker in the subject line not Conflicker!

 

I can only presume that they’re counting on their potential victims not spotting that typo. It certainly has not stopped the cybercriminals from sending out the infected messages en masse today. Presently this malicious spam campaign is one of the most commonly seen examples of file attachment malware being spread around the world:

Examples of the malware caught in Sophos's traps

 

By Graham Cluley, Sophos

 

Tests Show Problems With AV Detections

February 7, 2010 by admin  
Filed under Security News

Dateline: Moscow.

 

Here at a security press conference held by Kaspersky Lab, the company demonstrated how some malware detections are easily triggered by innocuous programs.

 

The problem arises when one vendor detects a threat. Samples are often passed on to other vendors through multi-scanning services like VirusTotal, and the fact that another vendor, particularly a respected one like Kaspersky, detects a threat is reason enough to take a serious look at the sample.


After suspecting such problems, Kaspersky created a test which demonstrated the phenomenon. They wrote a series of simple and innocuous programs, compiled them, created false detections for them in their own engine, and then submitted the files to VirusTotal. At this point only Kaspersky detected the files.


But standard procedure with VirusTotal is that if at least one product detects a submitted sample, it is shared with the vendors that didn’t detect it. The idea is that they can then analyze the file and create their own detection.


Instead, what they found was that other companies were creating detections for the deliberately false submissions from Kaspersky. The programs create some variables and perform simple mathematical operations on them. They don’t even touch the file system. Kaspersky provided me with the programs and the source code.


But it turns out that the fact that Kaspersky was detecting the threats was not the only reason the others were. The real problems were the aggressive heuristics in the products and the fact that only a static scan was performed.


And there is something suspicious about a program that appears to do nothing and then exits. Other vendors I communicated with on the matter said that the behavior was not surprising and that a live on-access detection on a system with their product installed would not be the same. For instance, F-Secure said that “[o]n the end users Windows box, these alerts would show up as a prompt, asking the user whether he really trusts the program. In addition, we have massive whitelist databases in our back-ends, so such prompts would only appear from new, unknown applications.”

 

I suspected that the compiler used to generate the samples might itself be an issue, so I asked Kaspersky about it. They used the MinGW cross-compiler, a gcc version for Linux that generates Win32 binaries. It’s possible that the same source code compiled with Microsoft Visual Studio would have generated a different reaction in the anti-malware products, not that it should make a difference. But Kaspersky then created a “hello world” program with the same compiler and settings and uploaded it to VirusTotal; hours later, even though there were no Kaspersky detections, two other products called the sample “suspicious”.


This problem is not entirely new; Hispasec Sistemas Lab of Spain, the company that operates VirusTotal, wrote about it a few months ago (original Spanish, Google translation to English). As they point out, the volume of samples coming into company labs is so enormous that the vast majority has to be handled by automated analysis processes, and perhaps they are designed to be a little more paranoid than humans.

 

Kaspersky Lab has written an Analyst’s Diary entry on the issue as well.

 

By Larry Seltzer from PCMag.com

 

 

Mozilla admits Firefox add-ons contained Trojan code

February 6, 2010 by admin  
Filed under Security News

Mozilla has issued a warning that two add-ons available from AMO (addons.mozilla.org, the Mozilla Add-ons website) contained malicious code capable of infecting Windows computers.


According to a security notice on AMO’s blog, the Master Filer add-on was infected by the LdPinch password-stealing Trojan, and Sothink Web Video Downloader version 4.0 was infected by a version of the Bifrose backdoor Trojan horse.

 

Judging by the statement on the Mozilla Add-ons blog, a fair few people could have found that their Windows computers were infected:

 

Master Filer was downloaded approximately 600 times between September 2009 and January 2010. Version 4.0 of Sothink Web Video Downloader was downloaded approximately 4,000 times between February 2008 and May 2008. Master Filer was removed from AMO on January 25, 2010 and Version 4.0 of Sothink Web Video Downloader was removed from AMO on February 2, 2010.

Versions of Sothink Web Video Downloader later than 4.0 are said not to be infected. Furthermore, both Trojans were written specifically for Windows, meaning they cannot infect Mac OS X or Linux installations of Firefox.

This isn’t the first time malware has slipped through Mozilla’s security procedures. In May 2008, users who downloaded Firefox’s Vietnamese language pack were warned that it had contained a malicious script designed to display irritating advertising messages.

 

Mozilla says that in light of the security lapse it has strengthened its systems, scanning all add-ons with additional anti-virus tools.
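Both trojaned add-ons were Windows binaries bundled inside otherwise ordinary extension packages, which is exactly the kind of thing a cheap pre-publication check can catch. The following is an added example, not Mozilla's AMO tooling: it treats the .xpi as the zip archive it is, walks the members, and flags anything with an executable extension or a PE “MZ” header, so a payload renamed to .dat is still caught. The sample add-on is constructed in memory; LdPinch and Bifrose are not reproduced, a few bytes of PE header stand in for them.

```python
"""Scan a Firefox add-on package (an .xpi, which is a plain zip) for embedded
native executables.  Added example, not Mozilla's own tooling; it assumes only
that the add-on is a zip archive and that Windows malware such as LdPinch or
Bifrose ships as a PE file inside it.  The sample add-on below is constructed
in memory so the script runs offline."""

import io
import zipfile

# A Windows PE image starts with the DOS "MZ" stub; an ELF file with 0x7f 'ELF'.
NATIVE_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF"}
# Extensions a browser extension has no business shipping.
SUSPICIOUS_EXT = (".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")


def classify_member(name, data):
    """Return the indicators that fire for one archive member."""
    hits = []
    lowered = name.lower()
    if lowered.endswith(SUSPICIOUS_EXT):
        hits.append(f"executable extension {lowered.rsplit('.', 1)[-1]}")
    for magic, kind in NATIVE_MAGIC.items():
        if data.startswith(magic):
            hits.append(f"{kind} header")   # fires even if the file is renamed
    return hits


def scan_xpi(xpi_bytes):
    """Map each member carrying native code to the indicators found."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)   # enough for both magic checks
            hits = classify_member(info.filename, head)
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_xpi(include_payload):
    """Construct a minimal add-on; the payload members are stand-ins for a trojan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome/content/overlay.js", "window.addEventListener('load', () => {});")
        if include_payload:
            # Hypothetical dropper: a renamed PE, so the extension check alone misses it.
            zf.writestr("chrome/content/helper.dat", b"MZ\x90\x00" + b"\x00" * 60)
            zf.writestr("components/updater.exe", b"MZ" + b"\x00" * 10)
    return buf.getvalue()


if __name__ == "__main__":
    for label, xpi in (("clean", build_sample_xpi(False)), ("trojaned", build_sample_xpi(True))):
        print(label, scan_xpi(xpi) or "no native code found")
```

A check like this is a gate, not a scanner: it says nothing about what JavaScript in the add-on does, but an extension that ships a Windows executable at all deserves a human look before it reaches 4,000 downloads.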

 

Personally, I would recommend that all computer users remember not to rely on someone else doing the virus scanning for them, and ensure they have anti-malware protection running on their computer.

 

By Graham Cluley, Sophos

 


Facebook unnamed app: Hackers poison search results

January 27, 2010 by admin  
Filed under Security News

Thanks to Clu-blog reader Jamie for contacting me regarding a scare that is currently spreading between Facebook users.


Users of the social-networking site are warning each other of what is rumoured to be a rogue application spying on their activities on Facebook. The warning tells users that they can find the “Unnamed app” by going to “Settings”/“Application Settings” and then choosing “Add to Profile” from the drop-down box.


Here’s a typical example of the message that is being passed around:

ALERT >>>>> Has your facebook been running slow lately? Go to "Settings" and select "application settings", change the dropdown box to "added to profile". If you see one in there called "un named app" delete it... Its an internal spybot. Pass it on. about a minute ago...i checked and it was on mine.

Sure enough, when I went to look on a Facebook account I found an “Unnamed app”:

Facebook screen, including unnamed app

However, I’m not seeing any evidence that the application is malicious. Indeed, it seems to me that the only sin it may have committed might be to have been given a daft unhelpful name. According to Facebook itself, it appears to be a buggy presentation of the boxes tab that appears on users’ Facebook profiles.

 

Of course, news of the “dangerous” app is spreading more quickly than the sensible advice for everyone to calm down and have a nice cup of tea. And, as a result, many people are searching the internet trying to find clues about the Facebook application.

 

Google Trends for un named app

It is at this point that the malicious hackers enter the story.

 

Just as they have done with other Facebook scares (like the Facebook Fan Check Virus scare and the Error Check System application), hackers have created webpages stuffed with keywords related to the “Unnamed” (sometimes “Un named”) app.

 

This and other search engine optimisation (SEO) techniques have helped the hackers push their webpages into the upper reaches of search results.


And if you happen to stumble across one of these malicious sites after searching for information about the “Facebook Unnamed app” you might find yourself infected by fake anti-virus software, designed to trick you out of your hard-earned cash.

 

Sophos detects the malware seen on these infected webpages as Mal/FakeVirPk-A.

 

By Graham Cluley, Sophos

 

 

Danger! Internet Explorer zero-day vulnerability – no patch yet

January 16, 2010 by admin  
Filed under Security News

Microsoft has released a security advisory about a previously unknown vulnerability in versions of Internet Explorer. There is currently no patch for the vulnerability which is being blamed, in part, for the high-profile attacks against Google, Adobe and other companies.

 

Microsoft has published some mitigation advice and workarounds which can reportedly help block attack vectors, but at the time of writing there is no official patch available.

 

There has been much speculation in the computer security industry (including some from myself!) that an Adobe PDF vulnerability could have been the route through which hackers delivered malware into Google and Adobe’s systems. Certainly we have seen a significant rise in the last year of targeted attacks exploiting vulnerabilities in Adobe’s code.

 

But researchers close to the Google/Adobe hacking investigation say that they have found no evidence so far of the attack exploiting Adobe’s software in this way. Indeed, a statement posted yesterday on Adobe’s blog confirms this.

 

So, right now, Microsoft Internet Explorer is being looked at with suspicion. And as the world’s most popular web browser, it is obviously a serious cause for concern that it has an unpatched remote code execution vulnerability that is being actively exploited by cybercriminals.


System administrators and computer owners around the world will be holding their breath that an official patch from Microsoft arrives sooner rather than later. In the meantime, Microsoft is recommending that Internet Explorer users enable Data Execution Prevention (DEP), which is turned on by default in Internet Explorer 8 but must be switched on manually in earlier versions.

By Graham Cluley, Sophos

 

MalAware 1.0 Beta – The First Cloud Malware Scanner

November 17, 2009 by admin  
Filed under Protection Tools

Extremely small and ultra-fast malware scanner

The basic idea behind MalAware was to build the smallest possible (about 1 MB) and fastest possible (a scan in under a minute) malware scanner, one that only indicates whether a PC is infected with malware or not.

New Free SUPERAntiSpyware Online Scanner/Remover!

November 3, 2009 by admin  
Filed under Removal Tips,Tools and Videos


Follow the instructions below to initiate the SUPERAntiSpyware Online Scan. The scanner will detect AND remove over 1,000,000 spyware/malware infections. The scanner does NOT install anything on your Start Menu or Program Files and does NOT need to be uninstalled.

 

The SUPERAntiSpyware Online Safe Scan is free for personal use.

 

How To Use:


1. Start the Scan

Click on the button to start the scanner download process.


2. Download the Scanner

Click the RUN button when prompted. If you are using a browser other than Internet Explorer, the prompt may look different.


3. Wait for the Scanner to Download

The scanner will download in just a few seconds.


4. Run the Scanner

Click the RUN button when prompted. This will start the scanner.


5. Scan and Remove

Click the “Click here to Start” button, then “Check for Updates” to update the definitions, then click the “Scan your Computer” button to start the scanning process.

 

Get a free license (1-year for 1 PC) of IObit Security 360 Pro

November 3, 2009 by admin  
Filed under Protection Tools


IObit Security 360 PRO is a malware and spyware removal utility that detects and removes deep infections and protects your PC from a range of spyware, adware, trojans, keyloggers, bots, worms and hijackers. With its “Dual-Core” engine and heuristic malware detection, IObit Security 360 PRO finds complex, deeply embedded spyware and malware quickly and efficiently. It provides real-time malware protection and frequent automatic updates to guard against zero-day threats, and can work alongside your existing antivirus.


Get a free license (1-year for 1 PC) of IObit Security 360 Pro by providing your email address.

Deadline: Nov 11, 2009


Facebook Password Reset Confirmation E-mails Carry Malware

October 28, 2009 by admin  
Filed under Security News

Are you one of the more than 300 million active users of Facebook?


If you are, then be very careful if you receive an unsolicited email claiming to come from


"The Facebook Team" <service@facebook.com>


which tells you that they have changed your password:


Facebook password reset confirmation email

The emails, which all have the subject line “Facebook password resent confirmation email.”, claim that the recipient’s new password is contained in the attached file (named Facebook_Password_4cf91.zip).


The reality, of course, is that these emails are not really from Facebook and have been spammed out widely across the internet. The “from” address has been forged, and the attached file is in fact a piece of malware. (Sophos detects the malware as Troj/BredoZp-M or Mal/Bredo-A)


Don’t make life easy for the hackers hell-bent on infecting your computer, stealing your identity and emptying your bank account – exercise caution when you receive unsolicited emails and protect your computer with up-to-date security software.
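The Conficker alert described earlier on this page and this Facebook lure share one shape: a brand claimed in the From header, a pretext in the body, and a zip attachment that unpacks to a Windows executable. The following added example (not Sophos's detection logic) scores messages on those indicators and serves as an illustration for both posts. The raw messages are constructed from the wording quoted in them, the mail addresses and member names are assumptions, and the zip members are a few bytes of PE header standing in for the real Mal/EncPk-KW and Troj/BredoZp-M payloads.

```python
"""Spot malspam like the 'Conficker alert' and 'Facebook password' lures: a
brand claimed in the From header, a lure phrase, and a zip attachment that
holds a Windows executable.  Added example, not Sophos's detection logic; the
three raw messages are constructed here and the zip members stand in for the
real payloads."""

import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

BRANDS = ("microsoft", "facebook")
LURE_PHRASES = ("install attached", "attached file", "new password", "network is infected")
KNOWN_TYPOS = ("conflicker",)          # the misspelling the campaign never fixed
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def zip_carries_executable(blob):
    """True if a zip member has an executable extension or a PE 'MZ' header."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXECUTABLE_EXT):
                    return True
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":      # renamed executables still match
                        return True
    except zipfile.BadZipFile:
        return False
    return False


def score_message(raw):
    """Parse one RFC 5322 message and return its indicators and a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    indicators, armed = [], False

    display, addr = parseaddr(str(msg.get("From", "")))
    claimed = [b for b in BRANDS if b in display.lower() or b in addr.lower()]
    if claimed:
        indicators.append(f"claims to be {claimed[0]}")

    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    indicators += [f"lure phrase '{p}'" for p in LURE_PHRASES if p in text]
    indicators += [f"campaign typo '{t}'" for t in KNOWN_TYPOS if t in text]

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_content()
        if isinstance(payload, str):
            payload = payload.encode()
        if name.lower().endswith(".zip") and zip_carries_executable(payload):
            indicators.append(f"zip attachment {name} contains an executable")
            armed = True

    if armed and len(indicators) > 1:      # executable plus brand or lure context
        verdict = "malspam"
    elif armed or claimed:
        verdict = "review"
    else:
        verdict = "clean"
    return {"subject": str(msg.get("Subject", "")), "indicators": indicators, "verdict": verdict}


def build_sample(from_header, subject, body, zip_name, member, member_bytes):
    """Construct a message with one zip attachment (sample data, not a capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, member_bytes)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_header, "victim@example.net", subject
    msg.set_content(body)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()


CONFICKER_LURE = build_sample(
    '"Microsoft Windows Computer Safety Division" <support@microsoft.com>',
    "Conflicker.B Infection Alert",
    "Dear Microsoft Customer,\n\nPlease install attached file to start the scan.\n",
    "open.zip", "open.exe", b"MZ" + b"\x00" * 30)
FACEBOOK_LURE = build_sample(
    '"The Facebook Team" <service@facebook.com>',
    "Facebook password reset confirmation email.",
    "Your new password is in the attached file.\n",
    "Facebook_Password_4cf91.zip", "Facebook_Password.exe", b"MZ" + b"\x00" * 30)
LEGIT_MAIL = build_sample(
    '"Example Corp" <news@example.com>', "March slides",
    "The slides from last week's meeting are in the archive.\n",
    "slides.zip", "slides.txt", b"agenda: supply-chain review\n")

if __name__ == "__main__":
    for raw in (CONFICKER_LURE, FACEBOOK_LURE, LEGIT_MAIL):
        print(score_message(raw))
```

The brand check only reads the display name and address, which, as the post notes, are trivially forged; it adds context to the attachment verdict rather than authenticating the sender. A production filter would consult SPF and DKIM results for that, but the attachment rule alone already separates these campaigns from mail a real Facebook or Microsoft would send.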


By Graham Cluley, Sophos

