About Diary's Authors
The Analyst's Diary is a weblog maintained by virus analysts from Kaspersky Lab headed by Eugene Kaspersky. Find out more about the authors of this weblog.
Analyst's Diary

Virus Bulletin 2009 International Conference

Stefan | September 24, 2009 | 09:11 GMT

Greetings from Geneva, Switzerland! I am here this week for the Virus Bulletin 2009 conference.

Virus Bulletin started out in 1989 as a simple magazine dedicated to preventing computer viruses. It quickly became the leading specialist publication in the field of viruses and related malware. The inaugural VB conference took place in 1991, and its objectives are to present factual information about computer viruses, to demonstrate defensive procedures, to discuss probable future virus developments and countermeasures, and to attempt to harmonize research efforts. The VB conference is the main event where the whole anti-virus industry gets together.

Kaspersky Lab is represented very well here at VB2009, with 25 of my colleagues from around the world joining the conference. We have 5 presentations here, on topics ranging from Web 2.0 threats and scanning Twitter for malicious URLs to Brazilian banking Trojans and Russian SMS fraud.

You can find the exact abstracts for our papers and the full conference programme here on the VB website.

My colleagues from Threatpost are covering the whole event live on the VB Conference dedicated blog. And, if you are a Twitter addict, the hashtag for this conference is #vb2009. Enjoy!

A psychological experiment

Josh | September 22, 2009 | 09:12 GMT

I've been thinking a bit about human psychology in the wake of the Fan Check virus scare. There were a lot of rumors flying – depending on who you listened to, the Fan Check Facebook app was malicious, not malicious, a hoax... And while I was thinking, a controversial psychology experiment kept coming back to me.

Back in 1963, Yale psychologist Stanley Milgram published an article in the Journal of Abnormal and Social Psychology detailing his research findings on how people respond to authority figures. In Milgram's experiment, a test subject was told to give electric shocks (which escalated in intensity) to an individual in a separate room if the individual failed to respond correctly to questions. The test subject was also told that the individual had a heart condition. No electric shocks were actually administered, but when the button was pressed to "deliver" a shock, a pre-recorded response was played – ranging from screaming to pleading for the shocks to stop to silence. Many of the test subjects continued to administer shocks up to "maximum voltage", even though they admitted they felt uneasy about doing so.

Milgram's experiment showed clearly that when a person is told to do something, they'll usually do it, even if it goes against their own perceived values. Our adversaries, the malware authors, have a great understanding of basic psychology, and they know that this principle holds true in the digital world as well. Their latest “experiment”, where they sent Facebook users messages asking them to warn their friends about the “Fan Check” virus was pretty successful. People complied simply because they'd been told to.

Of course, this case isn't exactly analogous to the study described above; those who "warned" their friends didn't see any harm in doing so, and probably thought they were being helpful. But the behavior is very similar to the "blind obedience" mentality highlighted by Milgram.

The behavior demonstrated in the Milgram study has been replicated in the real, non-research world. And the boundaries between the physical world and the digital world are getting increasingly blurred. At the moment malware scares are mostly created unwittingly. But we've also seen the emergence and rise of cyberbullying and other nasty behavior. How long will it be before we see cybercitizens knowingly acting against their own values, simply because they've been told to do so?

Autorun no more

Tim | September 17, 2009 | 20:37 GMT

A little while ago, Microsoft released an update which partially disables some autorun functionality on Windows operating systems prior to Windows 7. The update, known as KB971029, is intended for Windows XP, Vista, Server 2003, and Server 2008. The autorun function is used to automatically start installation processes from CDs, DVDs, and USB drives, as well as other types of removable media.

Autorun works by using a file named autorun.inf found in the root of the file system for removable drives. While this is a helpful process when used with a trusted resource, such as a software installer from a CD, it has long been a successful malware infection vector on rewritable drives.

At Kaspersky, we've frequently urged Microsoft to disable this process, as anything that automatically installs software or code without properly informing the user can and will be used maliciously. In the past we've discovered infected consumer devices, and the autorun function has been used to spread incredibly successful threats such as Conficker (Kido). This listing gives you a partial idea of just how often "autorun" gets used as an infection vector.

Early versions of Windows, including Windows XP Service Pack 1 and earlier, would automatically launch software on a rewritable drive with no notification. XP Service Pack 2 and later would automatically launch a window when the drive was inserted, and you could then choose to run an executable. In fact, you could check a box at the bottom to "Always do the selected action". Malware authors often have their programs write an autorun.inf file to any removable media present when the malicious program launches, which extends the attack vectors beyond network propagation. A shared USB drive becomes a threat to a network that may not even have Internet access.

With Windows XP Service Pack 2, and in Vista and Server 2008, a new feature called Autoplay was introduced. The Autoplay function pops up a window when an autorun.inf file is detected and requests action from the user. The options are to install a program, which launches the intended executable, or to open the folder to view files. While this approach is better than automatically running an executable without user knowledge, it's not exactly safe. Most casual computer users are conditioned to keep clicking until the file opens, so this just adds a step on the road to infection. The update mentioned above disables the autoplay function on writable media like USB drives, while leaving the autoplay function intact for CDs and DVDs.

Windows 7 disables the function altogether on writable external drives by default. This is a much safer approach; although it makes it more difficult for the average person to find out what to do next when trying to install something new, there's always a trade-off between security and usability. While we commend Microsoft for finally implementing this fix, it took far too long. Countless infections could have been avoided, and Conficker might have spread less widely if this simple fix had been pushed out earlier.
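As an added example (not Kaspersky's tooling or code from this post), a small Python triage script that parses an autorun.inf found in the root of a removable drive and flags the directives a worm relies on. The sample file, the RECYCLER\updater.exe name and the risk rules are constructed for illustration.

```python
import re

# Constructed sample modelled on the tricks the post describes: launch a program
# from a hidden folder, but show the standard folder icon and the "Open folder to
# view files" caption so the entry looks like the harmless AutoPlay option.
SAMPLE_AUTORUN_INF = """\
[autorun]
xyzzy
open=RECYCLER\\updater.exe
shell\\open\\command=RECYCLER\\updater.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
UseAutoPlay=1
"""

LAUNCH_KEYS = ("open", "shellexecute")                 # name a program to run
LAUNCH_RE = re.compile(r"^shell\\[^\\]+\\command$")    # shell\<verb>\command=


def parse_autorun_inf(text):
    """Return the [autorun] section as a dict with lower-cased keys.
    Lines without '=' (junk such as 'xyzzy') are skipped, as Windows does."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def assess(entries, writable_media=True):
    """Return (severity, reason) findings. Autorun is only legitimate on read-only
    installer discs; KB971029 and Windows 7 ignore autorun.inf on writable media."""
    findings = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or LAUNCH_RE.match(key):
            findings.append(("high", f"{key}= launches '{value}'"))
    action = entries.get("action", "").lower()
    if "open folder" in action or "view files" in action:
        findings.append(("high", "action= mimics 'Open folder to view files'"))
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append(("medium", "icon= borrows a system (folder) icon"))
    if writable_media and findings:
        findings.append(("info", "launch directives on writable media"))
    return findings
```

Run `assess(parse_autorun_inf(open(r"E:\autorun.inf").read()))` against a real stick; a plain installer disc with only `icon=` and `label=` entries produces no findings.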

Social networking is sexy!

Maria | September 17, 2009 | 07:42 GMT

Social networks are one of the hottest things on the Internet at the moment, so it's not surprising that spammers and malware writers love them.

And a recent spam message confirms just how sexy they are! Lots of Russians have found this in their inbox:

The mail looks like an invite to join a social networking site – the sender has allegedly added you to his list of friends. The message comes complete with a link where you can register. If you're not up on security issues, you might well click on the link – sure, you don't know who sent the message, but the Internet is a great way to meet new people.

Click – and you end up here, on a site designed as a clone of the Russian Odnoklassniki, the equivalent of Classmates or Friends Reunited. Except that the content is rather more adult: if you're lost in cyberspace without a lover, you can use this site to find a lover/partner/one-night stand.

The pictures are pretty enticing, so why not register? The site promises it only takes 5 minutes, and once you've filled in your details, you just have to send an SMS to a short number to get an activation code.

Whether or not the men and girls pictured here are genuine, we can't say. They might be. But the site's been set up to make money in an underhand way: send the SMS to get your activation code, and you'll get a nasty shock. You'll be charged not 9 roubles (around 30c), as promised on the registration form, but around 300 roubles ($10 or so).

We've seen quite a bit of malware which makes money by getting infected devices to send SMS messages to short numbers. This scam is a bit different. Maybe $10 isn't that much to pay for sex, but when the price you see isn't the price you actually pay, you have to wonder what else isn't quite what it seems.

The what-bot

Yury Namestnikov | September 10, 2009 | 10:28 GMT

Late on Monday, a lot of Russian ICQ users got sent this message:

Woland (23:07:23 7/09/2009)
Link to download the file Frogs.rar
http://file.qip.ru/file/*********/********/Frogs.html
[-- File sent via file.qip.ru. More details on the site: http://file.qip.ru --]

If you've been using ICQ for a while or are even remotely security savvy, you know not to just click on links that get sent to you, even if they appear to come from a known contact. Instead, you're going to try and check in some way whether it's really a person who sent you the link, or just a bot. Turing tests are designed to distinguish humans from bots, and everyone's come across CAPTCHAs, a reverse Turing test. Of course, if you're on ICQ, you're not going to use an image to check who's on the other side of the screen, but you can ask a challenge question – after all, a computer can't actually answer questions, can it?

But there's a problem with this – if you get sent a link to a file, you're going to automatically ask "What is it?" And this is where it gets interesting: the bot behind the link didn't have any trouble answering this question.

Yuk (23:07:28 7/09/2009)
What is it?

Woland (23:07:28 7/09/2009)
An optical illusion puzzle funny )

This answer sounds pretty human, so why not download and run the file? The puzzle looks like this:

The frogs are just there to divert your attention. Working out which way they should jump is a nice little time-waster. But while you're doing that, some malware (we detect it as Hoax.Win32.IMPass.al / Hoax.Win32.IMPass.am) bundled in the package is quietly stealing your ICQ login and password. And once it's got those details, your password gets changed, and then the same link starts being sent to all your contacts from your account.

The bot's not as intelligent as it first seems: it's only able to answer questions which contain one of the following words: «что», «чо», «чё», «че», «шо», «що» and «чито». (The first is standard Russian for "what" – the others are slang widely used on the Russian Internet.)

The whole thing is a neat little lesson: security doesn't just depend on checking whether links were really sent by your friends, but also on thinking up challenge questions that no bot could ever answer!

Would you answer this email?

Katerina | September 10, 2009 | 07:53 GMT

You might think if you don't use Internet banking, you're not going to be targeted by phishers. Or you might have heard about phishing attacks targeting PayPal and eBay users, so you're careful not to fall for fake emails from these organizations. But even if you're reasonably security aware, there are phishing messages out there designed to catch you out!

We got a message today which seemed to come from Blizzard:


Of course, this message is designed to get people to give up their account details. Whoever created this email was smart enough not to include any links in the message – after all, lots of people are now on the lookout for signs of a typical phishing message. Looking for other typical signs doesn't reveal very much: the mail client shows the sender address as wowaccountadmin@blizzard.com, although the email was actually sent from wowaccountadmin@blizzarid.com.

So what should you do if there aren't any obvious signs that a message is a fake? One simple rule will help you protect yourself: if you get an email asking for your password or other confidential details, assume it's a fake unless you can verify it by other means.
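As an added example, not part of the original post: a Python check that compares the domain shown in the From: header with the envelope sender and looks for credential requests in the body. The message is constructed, reusing the blizzard.com / blizzarid.com pair from the post, and it assumes the real origin is recorded in Return-Path (or Sender).

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message mirroring the post: the From: header shows blizzard.com,
# the envelope sender (Return-Path) is the look-alike blizzarid.com, and the
# body asks for credentials without containing any link.
SAMPLE_MESSAGE = """\
Return-Path: <wowaccountadmin@blizzarid.com>
From: "Blizzard Entertainment" <wowaccountadmin@blizzard.com>
To: player@example.net
Subject: Account verification required

Please reply with your account name and password to keep your account active.
"""

REQUEST_WORDS = ("password", "account name", "secret question", "verify your")


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lower-cased domain of an address header, '' if there is no address."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyse(raw):
    """Return human-readable findings for a raw RFC 822 message."""
    msg = message_from_string(raw)
    shown = domain_of(msg["From"])
    actual = domain_of(msg["Return-Path"]) or domain_of(msg["Sender"])
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace").lower()
    findings = []
    if actual and actual != shown:
        dist = levenshtein(shown, actual)
        kind = "look-alike" if dist <= 2 else "unrelated"
        findings.append(f"From: shows {shown} but the envelope sender is {actual} "
                        f"({kind} domain, edit distance {dist})")
    if any(word in body for word in REQUEST_WORDS):
        findings.append("body asks for a password or other confidential details")
    return findings
```

A genuine notice from a company you deal with can still trip the second check, which is the point of the rule above: a request for your password is the signal, regardless of what the headers look like.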

Copyright © 1996 - 2009
Kaspersky Lab