Analyst's Diary
| Maria | July 02, 2009 | 07:45 GMT |
If you’re reading this, you’re probably not a cat, so curiosity won’t kill you. But it can result in someone getting hold of your confidential data. In my blog about Michael Jackson, I mentioned that Britney Spears had her Twitter account hacked and news of her death posted on her own site. The vulnerability which was exploited has been fixed, the post was deleted, and Britney (or one of her staffers!) has posted saying the singer is alive and well. (I was glad to see that message, because Britney is giving a concert in Russia soon, and tickets are selling fast!)

Britney’s post hasn’t stopped the spammers though – we just picked up the message shown below:

Another prime example of spammers exploiting that vulnerability called “curiosity”. Anyone who’s foolish enough to open the attachment is going to find themselves saddled with Trojan-Spy.Win32.Zbot, a program designed to steal personal data. Patching technical vulnerabilities is easy; eliminating human vulnerabilities is a lot more difficult.
| Maria | June 30, 2009 | 13:42 GMT |
We love social networking sites, and phishers are no exception. They’ve been sending out fake Twitter notifications for a while now. The one we’ve just received doesn’t have much in common with previous phishing attacks. The message looks like this: 
Lots of suspicious things about this message: the word “twitter” comes at the end of the link, rather than the beginning, and the English is a bit dodgy as well. None of the addresses in the “From” fields have any strong associations with Twitter:
- From: "Donald" VanceShade@qoodly.com
- From: "Michael" KirbySchulte@filepages.net
- From: "Jeff" JeremiahSilver@savingssavingsandmoresavings.net
Click on the link (aren’t people getting tired of all this clicking?) and you end up on a site which is very generously offering to let you into the secret of how to make money on Twitter. All you have to do is enter your details. 
And once you’ve done that, you get asked for your credit card details: 
So here’s the $64,000 question: is it really a good idea to enter your credit card details on a site telling you how to make money from home, a site that you reached by clicking on a spam link? (On second thoughts, no prizes, because we should all know the answer by now!) But the story doesn’t end here – out of sheer curiosity, I put http://www.digilinks.mobi/facebook into my browser (instead of http://www.digilinks.mobi/twitter/) and got this: 
And then got redirected to a site telling me I’d won a stack of money. Great news – why should I put in time ‘earning’ money on Twitter when I can just win the lottery? All I need to do is give them my details... 
We love social networks for some of the oddities they throw up. And phishers love them too, because there’s always someone who’s willing to click, and click, and click again.
The truth about Michael Jackson
| Maria | June 30, 2009 | 13:37 GMT |
Not surprisingly, the death of Michael Jackson whipped up a frenzy of activity, with every new “fact” and comment from fans and the media adding to the storm of rumour. And of course the bad guys quickly got in on the act – one example is the hackers who hacked Britney Spears’ Twitter account to tweet about her untimely death. The spammers have also jumped on the Michael Jackson bandwagon – the screenshot below is a piece of Italian spam we picked up today.
[Translation: “The whole world was in shock when it found out about Michael Jackson’s death. His death is surrounded by secrets. This video shows the last moments of Michael Jackson’s life and the harsh truth about his death. Children under 16 are not permitted to watch this video!”] The link at the bottom of the message looks like a YouTube link – and if you click on it, you end up at something which does look very like that site. The page even has a view counter tracking the 5 million plus views in the bottom right hand corner. 
But if you try and watch the video, rather than being shown any shocking truths, you get asked whether you want to open or save a file. Of course, this isn’t a video file, and it’s not a video codec either – it’s Net-Worm.Win32.Kolab.cxa (blocked by our products). 
It’s a pretty good piece of social engineering, although there are giveaway signs – the link doesn’t look 100% like a YouTube link, and repeat visitors to the site will notice that the view counter never increases. So if you’re looking to get the latest news, just remember: use your common sense, look at links carefully before you click them, and don’t forget to keep your antivirus up to date. And Michael – rest in peace.
URL shortening service compromised
| Roel | June 16, 2009 | 16:04 GMT |
As pointed out by Stefan, short URLs create big problems. How big those problems can get has been made very clear in an attack suffered by cli.gs, which claims to be the 4th most used shortening service on Twitter. In a blog posting on their site the company says that they had been breached. This resulted in over two million shortened URLs pointing to the same page. The page is a blog posting from another site talking about hashtags on Twitter. No malicious code has been found on that particular page. Put that together with the topic of the particular page and it appears that the attacker didn't have too much harm in mind. S/he wanted to show that the site was vulnerable to attack, but didn't want to install any malware onto the visitor's machine. A welcome change. ;-)

Having control of so many URLs makes these services a very attractive target. The fact that you can easily change the address to which a shortened URL leads with this particular service made it extra attractive. Personally, I abandoned URL shortening services on all the social networks I'm on some time ago. If you strip out the "http://" portion, such sites will no longer convert links into shortened URLs automatically. It's certainly a bit less convenient, but at least the reader knows where I'm pointing to.
Firefox updating message misleads users
| Roel | June 05, 2009 | 18:33 GMT |
Over the course of last weekend I was busy setting up some new systems. During that process I came across an old virtual machine that I decided to fire up. Upon launching Firefox on that machine I was greeted by the following: 
Now what's wrong with this picture? Quite a lot if you take a good look. The issue of course is that Firefox 2.0.0.13 is nowhere near the latest version of Firefox. Even worse, the message is flawed in two ways. Not only are we at Firefox 3.x, but Firefox 2.0.0.13 isn't even the latest release in the 2.x branch. So the message is incorrect as regards both major and minor releases. Now one could argue that the auto-update mechanism takes care of this problem. But that can be turned off for a whole variety of reasons. The fact of the matter is that this is plain sloppy on Mozilla's end. Sadly, showing such incorrect messages is not a particularly new issue for Mozilla, and in my opinion such carelessness about easy-to-fix issues does not send a good message. Since the page is actually being downloaded from Mozilla's site, it really shouldn't be too much work for them to fix. However, when checking the situation for the 3.x branch of Firefox, a better result appeared.

This means that the Mozilla guys got around to fixing this page for the latest release branch, but forgot about the earlier branch. Let's hope that Mozilla gets around to fixing this so that the pages will correctly show whether a version is up to date or not, even if it's only the older branch that is affected. After all, we all know that there are millions of people out there who take forever to update.
| Stefan | June 03, 2009 | 14:28 GMT |
Short URL services are becoming increasingly popular on social networks, especially on Twitter. When you have to limit your message to just 140 characters, every character becomes important, and posting links to searches on Google or news websites can rapidly fill an entire Twitter message. Of course, for every problem there is a solution, so what URL shortening services like TinyURL, Is.gd or Bit.ly do is offer free short URLs that redirect to the longer ones.

Everything might seem great until the moment you start thinking about security, and several problems come to my mind:

- Social engineering is made easier. The user doesn’t really see the URL of the page he’s going to, just the shortened version, which usually doesn’t offer any clue as to where the destination page is hosted. An attacker can say he’s linking to “nice pictures with bunnies” while instead sending the user to a website hosting malicious content.
- The reliability is questionable. In order to get to the final destination, it’s not only necessary for the destination’s server to be reachable, but also for the short URL service to be up and running. Reliability problems with TinyURL were what made Twitter switch to Bit.ly recently.
- Trust can be a problem. The user only wants to click on safe links, so now he not only has to trust the person who sends him a link, but also an intermediate player: the URL shortening service.

Security concerns are being raised by these URL shortening services, and I am very glad to see the media also starting to notice them and raise the security awareness level among their readers: AP recently posted an article about short URL services that also touches on the security problems.
The Twitter worm that isn't
| Roel | June 01, 2009 | 14:17 GMT |
On Saturday an alert went out about a new Twitter worm. Could this have been another XSS-Worm? Upon clicking the link users would see the following: 
However that's not all that happens. Covertly a connection is made to another server that will result in a malicious PDF being downloaded. This PDF contains a flurry of exploits. If exploitation is successful a file will be downloaded. Given the reports one would expect this to be the worm. However, it turned out to be yet another Fraudware installer. This time a fake program called "System Security" is being promoted. 
During the research process I was not able to detect any worm-like component. There's another very plausible explanation for the worm-like activity we've seen. About a week ago there was a pretty high-profile phishing attack targeted at Twitter. It was only going to be a matter of time before we would see the abuse of the stolen accounts one way or the other. Most likely the cyber criminals behind this attack simply used the stolen credentials of those phished accounts to tweet the messages. From my perspective this would also have been the more likely scenario rather than using a worm. This attack is very significant. It would seem that at least one criminal group is now exploring the distribution of for-profit malware on Twitter. If the trends we've seen on other social platforms are any indicator for Twitter, then we can only expect an increase in attacks.
AMTSO documents revisited
| Roel | May 29, 2009 | 15:19 GMT |
The other week I blogged about the newly accepted AMTSO documents. Over the next weeks, I'll go through all the documents individually in some more detail and explain why they are important. The first document we're going to have a look at is the Best Practices for Validation of Samples document.

Samples are obviously a crucial component in good testing. There are other important aspects such as proper configuration of the products and interpretation of the (scan) results. However, when we think about testing, samples come to mind first and foremost. When we're talking about validation we're strictly looking at making sure all samples in a set are functional. So this doesn't include looking at either the relevance or the classification of a sample.

Why is validation important? Because non-loadable files will pose no threat to the user. Therefore they don't have to, and even shouldn't, be detected. Having non-loadable files in the set will influence the test results. Let's have a look at a theoretical example. We have a 100 KB network worm which is detected by AV products A, B and D, but C does not detect it. Now let's look at what happens when the worm loads. As this worm is trying to infect a honeypot, the connection gets broken after only 80 KB of the file has been transferred. Suddenly the test results look completely different:

- Product A still detects this file as it has a signature in the first 80 KB of the original file.
- Product B no longer detects this file as it had a signature that relied on the last 20 KB of the file.
- Product C sees a mismatch between the info in the PE header and the actual file size and suddenly starts detecting this file heuristically.
- Product D no longer detects it as it has an emulation-based detection for this particular worm. With the worm no longer loadable it can't be emulated.
The document primarily focuses on the validation of PE (portable executable) files as these make up the vast majority of today's malware. Ideally the sample handler tries to actually execute the sample in a secure environment as this will give the most accurate results. If that's not possible for reasons such as time or resource constraints the document gives hints for statically checking if a sample is loadable. You can find all of the published documents here.
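As an added illustration of the static check the document hints at (this is example code written for this post, not the AMTSO document's or any product's own validation code), the following Python script compares the sizes declared in a PE file's section table with the actual file size, exactly the kind of mismatch Product C picked up on in the truncated-worm example. The sample builder constructs an inert PE skeleton purely as test data; the field offsets used come from the documented PE/COFF layout.

```python
import struct

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)

def pe_loadability(data: bytes) -> dict:
    """Static check in the spirit of the AMTSO validation hints: a PE file is
    only considered loadable if every section's raw data lies inside the file.
    Returns {'loadable': bool, 'reason': str}."""
    size = len(data)
    if size < 0x40 or data[:2] != b"MZ":
        return {"loadable": False, "reason": "missing or truncated MZ header"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > size or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"loadable": False, "reason": "PE signature missing or past end of file"}
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                  # first IMAGE_SECTION_HEADER
    if table + num_sections * SECTION_HEADER_SIZE > size:
        return {"loadable": False, "reason": "section table past end of file"}
    for i in range(num_sections):
        hdr = table + i * SECTION_HEADER_SIZE
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        if raw_ptr + raw_size > size:
            return {"loadable": False, "reason": f"section {name}: {raw_ptr + raw_size - size} "
                    f"of {raw_size} raw bytes are missing (file is {size} bytes)"}
    return {"loadable": True, "reason": "all section raw data is present"}

def build_sample_pe(section_sizes):
    """Constructed test data: a minimal PE skeleton (DOS header, COFF header, empty
    optional header, one NOP-filled section per size). It parses like a PE but is
    not a runnable program, let alone real malware."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_sizes), 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 4 + 20 + len(section_sizes) * SECTION_HEADER_SIZE
    headers, bodies = b"", b""
    for i, sz in enumerate(section_sizes):
        headers += f".s{i}".encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", sz, 0x1000 * (i + 1), sz, raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += b"\x90" * sz
        raw_ptr += sz
    return dos + b"PE\0\0" + coff + headers + bodies

if __name__ == "__main__":
    full = build_sample_pe([60_000, 40_000])   # roughly 100 KB, like the worm above
    cut = full[:80_000]                         # what a broken honeypot transfer leaves behind
    print(pe_loadability(full))
    print(pe_loadability(cut))
```

A real validator would also execute the sample in a sandbox, as the document recommends; this static pass only filters out files no loader could map in the first place.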
German spammers hooked on Christmas
| Maria | May 21, 2009 | 09:41 GMT |
It’s already May and almost half a year since Christmas. There’s more than six months until next Christmas. That’s no excuse not to use the Christmas theme in spam, it would seem. After all, every festive season it’s a sure-fire winner. So why not exploit its popularity in February, March, April or May? Below are some messages we received on 27 March and 29 April.
This message includes the usual text extolling the virtues of Viagra. At the end of the message 12 tablets are offered for free for Christmas. When I got spam messages in German containing Christmas greetings in February, I thought the spammers had just forgotten to remove the extra lines with their seasonal greetings or offers of presents. The same idea occurred to me in March. In April I was at a bit of a loss. But earlier today when I received a free offer of 12 Viagra tablets for Christmas, I understood that the spammers were most probably planning ahead. 
You never know, maybe the spammers meant that if you buy a pack of Viagra today, you’ll get another pack for free by Christmas. Who knows what goes on inside their heads? In any case, the issue of freebies is nothing new.
Live from Interop Las Vegas
| Roel | May 20, 2009 | 14:58 GMT |
I'm at the Interop Las Vegas show which is again taking place in the Mandalay Bay convention center. This is my first time in Vegas and I'm finding it quite the experience. Yesterday I talked about the dangers of social networks and the bigger issue of implicit trust around it. Today I'll be talking about the methods attackers are using and how the malware ecosystem works. Just like many of our competitors we also have a booth at Interop. Stop by booth #1212 and see us when you have the time. 