Security

December 29, 2009 2:50 PM PST

More attacks expected on Facebook, Twitter in 2010

by Larry Magid

Social-networking sites like Facebook and Twitter can expect more attention from cybercriminals in 2010, according to a new report (PDF) released Tuesday by McAfee Labs. Also at risk are users of Adobe Systems products including Acrobat Reader and Flash. And move over Microsoft; the security firm predicts that Google's Chrome OS will "create another opportunity for malware writers to prey on users."

The company also anticipates smarter and more dangerous Trojans that "follow the money," as well as a "significant trend toward a more distributed and resilient botnet infrastructure that relies much more on peer-to-peer technologies."

In a recorded interview (scroll down for audio) David Marcus, McAfee Labs' director of security research and communications, said that he expects "an explosion of Facebook and other services targeted by cybercriminals." In addition to malware like Koobface that spreads among Facebook users' friends list, Marcus expects an increase in rogue Facebook applications.

"When you click yes to 'do you want to allow this application to access your Facebook account,' you're giving that application access to all the data in your Facebook account," he said. Facebook vets the third-party applications that it distributes, but rogue developers are finding other ways to get people to install unauthorized apps.

"A lot of the spammers and scammers will send fake Facebook application requests to users' inboxes," he said. Marcus recommends that you only install apps from within Facebook by clicking "browse more applications" in the Facebook application installer.

Twitter vulnerabilities
According to McAfee, Twitter is vulnerable mostly because of URL-shortening services like bit.ly and tinyurl.com. There's nothing wrong with Twitter or these services, but when you click on a shortened URL you have no idea where you're going until after you get there. I would like to see a URL-shortening service that vets each URL for security and rejects those that are potentially dangerous. Twitter, according to the McAfee report, is "also serving as a control vehicle for botnets."

Criminals are now being more surgical in their attacks, singling out individuals and corporations as targets. The report points to the 10-month investigation of "GhostNet," which McAfee Labs describes as a "network of at least 1,295 compromised computers in 103 countries" that "primarily belonged to government, aid groups, and activists." The malicious code was delivered by e-mail with subject headings related to the Dalai Lama and Tibet, according to the report.

The report also cites "a very targeted wave of attacks against the management of major companies," as well as attacks carried out against "journalists from various media organizations, including Agence France Press, Dow Jones and Reuters based in China."

Adobe products and Google Chrome vulnerable
Adobe products, especially its Acrobat Reader and Flash, are likely to replace Microsoft Office as the No. 1 software target, according to McAfee. "It's nothing they've (Adobe) done wrong," Marcus said. "The bad guys go where the masses go" and because of the increasingly widespread use of Adobe products, "that tends to be what the bad guys will start looking to exploit. It really is nothing more sophisticated than that."

Criminals are infecting PDF files and leveraging exploits in the opening of PDF documents, according to Marcus.

"Instead of viewing a PDF you're actually taken to a website that downloads some type of malware to your machine." Adobe plans to patch a critical hole in Reader and Acrobat on January 12.

There is also concern about Google's Chrome operating system, which is expected to be officially released in 2010. Chrome, which will run Web-based applications, is likely to be vulnerable to attacks in HTML 5--the newest version of the hyper-text markup language that, says the report, "holds all the promises that today's Web community seeks--primarily blurring and removing the lines between a Web application and a desktop application."

McAfee also warned of banking Trojans with "new tactics that went well beyond the rather simple keylogging-with-screenshots" that were used earlier. Trojans now use rootkit techniques to hide on a victim's system to disable antivirus software.

"Often the victim's computer becomes part of a botnet and receives malware configuration updates," the report said.

For more on the threats on Facebook and Twitter read "Using Facebook and Twitter safely" on CNET.

Cause for optimism
The report did end with some optimism, calling 2009 a good year for law enforcement. In November 2009, the U.S. Department of Justice indicted nine individuals "from Russia, Moldova, and Estonia who were allegedly responsible for $9 million in customer payroll data compromises at RBS WorldPay."

The year also "saw the conviction of the infamous 'Godfather of Spam,' Alan Ralsky of Michigan, and his criminal syndicate, which was responsible for generating a significant portion of the world's unsolicited e-mail," McAfee said.

"You started to see that not a lot of resiliency was built into some of those botnets, they were taken down, and poof they disappeared for very long periods of time," Marcus said. He said he thinks "the bad guys will learn from that and build in some redundancy," but he remains optimistic. "The good guys and regular users are getting tired of getting exploited and we're finally starting to see more offensive and aggressive take downs of botnets...we're starting to see people wanting to take back the Internet."

Listen to Larry's interview with David Marcus.


Originally posted at Safe and Secure
Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote the Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.
December 22, 2009 9:40 AM PST

Report: FBI investigating Citibank cyberattack

by Lance Whitney

Citigroup denies it, but its Citibank unit was reportedly robbed of tens of millions of dollars, the victim of a cyberattack by members of a Russian criminal gang, says Tuesday's Wall Street Journal (subscription required).

The attack was discovered this past summer, says the Journal, but investigators for the FBI and National Security Agency believe it could have happened months or a year prior. The two agencies have reportedly shared information with the Department of Homeland Security and Citigroup to defend against the attack. The investigation is supposedly ongoing, with no word on whether or not any of the stolen money has been found.

Investigators initially became suspicious after spotting traffic coming from IP addresses once used by the Russian Business Network, a Russian gang of cybercriminals who went off the radar back in 2007, notes the Journal. But reports have surfaced that members of the gang have since regrouped to launch a wave of new attacks.

One of the tools allegedly used by the hackers to break into Citibank was Black Energy, says the Journal, a $40 piece of software that launches Distributed Denial of Service (DDoS) attacks to prevent access to a specific Web site. Designed by a Russian hacker, Black Energy is commonly sold on certain Russian language forums. But Black Energy is now being sold as part of a $700 kit called the YES Exploit System. The kit includes other crimeware that steals bank account credentials, making it an especially dangerous threat to firms like Citibank.

But Citigroup denies that such an attack ever took place. In a prepared statement e-mailed to CNET, Citigroup said: "Allegations of a breach of Citi systems and associated losses are false. Denial-of-service attacks are directed against companies around the world. While there have been attempts to interfere with the availability of our systems, none of these have resulted in any breaches, compromise of customer information, or losses to Citi."

A company spokesperson further denied any involvement from the FBI. "We had no breach of the system and there were no losses, no customer losses, no bank losses," said Joe Petro, managing director of Citigroup's Security and Investigative services. "Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true."

Phone calls to the FBI and NSA were not returned.

October 8, 2009 10:25 AM PDT

Comcast pop-ups alert customers to PC infections

by Elinor Mills

Comcast is launching a trial on Thursday of a new automated service that will warn broadband customers of possible virus infections, if the computers are behaving as if they have been compromised by malware.

For instance, a significant overnight spike in traffic being sent from a particular Internet Protocol address could signal that a computer is infected with a virus taking control of the system and using it to send spam as part of a botnet.

Comcast is launching a trial of a service that will warn customers via a browser pop-up that their computers may have been compromised by malware.

(Credit: Comcast)

The alerts are triggered "when we see computers on our network that are doing things that are known bot activities--say, a computer is spewing out thousands of spam e-mails," said Jay Opperman, senior director of security and privacy at Comcast.

The Philadelphia-based cable giant, which is the largest residential Internet service provider in the United States, with 15.3 million consumer customers, also is alerted to compromised customer computers when an IP address of one of its customers is identified as the source of spam on an industry spam list, Opperman said.
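
An added example, not Comcast's code: a minimal sketch of the two signals described above (an overnight spike in outbound mail traffic from one subscriber address, and that address appearing on a spam list), run over constructed records. The record layout, thresholds, overnight window, and addresses are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Assumed tuning values (not from the article).
OVERNIGHT_HOURS = range(0, 6)   # 00:00-05:59 local time
SPIKE_FACTOR = 10               # tonight must be >= 10x the subscriber's baseline
MIN_ABSOLUTE = 500              # and at least this many outbound SMTP connections

# Constructed sample flow summaries:
# (subscriber_ip, day, hour_of_day, outbound_smtp_connections)
RECORDS = [
    # Ordinary home user: a handful of messages, some daytime traffic.
    ("192.0.2.10", "2009-10-05", 2, 2), ("192.0.2.10", "2009-10-06", 14, 40),
    ("192.0.2.10", "2009-10-07", 3, 3), ("192.0.2.10", "2009-10-08", 1, 4),
    # Quiet subscriber that suddenly sends thousands of messages overnight.
    ("192.0.2.20", "2009-10-05", 1, 1), ("192.0.2.20", "2009-10-06", 4, 2),
    ("192.0.2.20", "2009-10-07", 2, 0), ("192.0.2.20", "2009-10-08", 1, 1800),
    ("192.0.2.20", "2009-10-08", 2, 2200), ("192.0.2.20", "2009-10-08", 3, 1500),
    # Subscriber running a legitimate mail server: always busy, no spike.
    ("192.0.2.30", "2009-10-05", 2, 900), ("192.0.2.30", "2009-10-06", 2, 1000),
    ("192.0.2.30", "2009-10-07", 2, 950), ("192.0.2.30", "2009-10-08", 2, 1100),
    # Low volume, but reported by an external spam list.
    ("192.0.2.40", "2009-10-07", 3, 5), ("192.0.2.40", "2009-10-08", 3, 6),
]

# Constructed stand-in for an industry spam list filtered to subscriber addresses.
BLOCKLIST = {"192.0.2.40"}


def nightly_totals(records):
    """Sum outbound SMTP connections per subscriber per day, overnight hours only."""
    totals = defaultdict(lambda: defaultdict(int))
    for ip, day, hour, count in records:
        if hour in OVERNIGHT_HOURS:
            totals[ip][day] += count
    return totals


def find_suspected_bots(records, blocklist, target_day):
    """Return {ip: [reasons]} for subscribers that warrant a notification."""
    totals = nightly_totals(records)
    findings = {}
    for ip in sorted(set(totals) | set(blocklist)):
        reasons = []
        days = totals.get(ip, {})
        # Baseline is the median of earlier nights, so one noisy night
        # does not shift it much. ISO dates compare correctly as strings.
        history = [n for d, n in days.items() if d < target_day]
        baseline = median(history) if history else 0
        tonight = days.get(target_day, 0)
        # Require both a relative jump and an absolute floor: the relative
        # test spares busy-but-steady hosts, the floor spares tiny blips.
        if tonight >= MIN_ABSOLUTE and tonight >= SPIKE_FACTOR * max(baseline, 1):
            reasons.append(f"overnight SMTP spike: {tonight} vs baseline {baseline}")
        if ip in blocklist:
            reasons.append("listed on spam blocklist")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in find_suspected_bots(RECORDS, BLOCKLIST, "2009-10-08").items():
        print(ip, "->", "; ".join(reasons))
```

The steady mail server at 192.0.2.30 is deliberately included: comparing each subscriber against its own history is what keeps it from being flagged on volume alone.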

Customers in Denver are set to begin receiving notifications that their system may be infected with a virus or other malware via a pop-up message in the browser, as part of the new free service, called Comcast Constant Guard. The "Service Notice" will include a link to a Comcast security Web site where customers can follow a set of instructions to remove the malware from their computer.

If customers don't have antivirus software, they can download McAfee Internet Security Suite for free. Comcast also offers a Comcast Toolbar that includes spyware detection and removal, a pop-up ad blocker, antiphishing software, and antispam protection for e-mail.

The company first started notifying customers about the security issues about a year ago, with support representatives calling customers on the phone, Opperman said.

"We learned that customers love it," he said. "We wanted to reach more people and to automate the process."

This appears to be the first service through which a major ISP proactively notifies customers about security issues on their computers. For years, security experts have complained that ISPs are uniquely positioned, and should do more, to help customers combat security problems. But ISPs have been reluctant to assume additional responsibilities that are not central to their core service offering and for which they would then have to maintain a standard, going forward.

"I would hope that the government would do things to encourage this, if you alleviate some of the potential concerns that others may have about giving that kind of notification," said Jerry Upton, executive director of the Messaging Anti-Abuse Working Group. "I think it's the beginning of many ISPs and network providers realizing that customers need a little better knowledge of what the problems are out there."

Alissa Cooper, chief computer scientist for the Center for Democracy and Technology, said the organization welcomes Comcast's initiative.

"ISPs have a helpful role to play in helping subscribers mitigate these kinds of security threats," she said. "The challenge is...when users get these notices, do they understand them? Do they trust that they are real? Do they follow through to the point where they clean up their computers?"

The new service will eventually be rolled out in the rest of the country, replacing the phone calls Comcast has been using to notify customers of security problems, Opperman said.

Asked how many alerts have been sent to customers with Macintosh computers, Opperman said he could not provide a specific number but that there had been some.

Update 12:50 p.m. PDT October 9: Comcast is not the first to proactively monitor and help customers whose computers have been compromised. Qwest has been doing so for two years. Qwest's Customer Internet Protection Program displays a Web page with a warning to customers and offers a way to remove the infection for free before the customer can continue surfing the Web, a Qwest spokeswoman said.

And SBC (before it was part of AT&T) even quarantined customer accounts, George Ou reports on his Digital Society blog. While preventing infected computers from accessing the Internet until they are cleaned is going too far, he said, displaying warnings that could be faked by scammers might not be the answer either. Ou suggests a standardized "out-of-band notification mechanism that doesn't rely on the Web browser and can only be triggered by authorized entities," combined with remote management tools for automatic cleanup.

Originally posted at InSecurity Complex
August 14, 2009 12:10 PM PDT

Security firms discover botnet on Twitter

by Caroline McCarthy

A Twitter account can be used as the command center for harnessing a "botnet" of virus-infected computers, security firms Arbor Networks and Symantec reported. In a blog post Friday, Symantec analyst Peter Coogan wrote that researchers found an account, @upd4t3, which was tweeting out links to download a piece of malware called Downloader.Sninfs. The account has since been suspended by Twitter.

Downloader.Sninfs, also known as Infostealer.Bancos, is a Trojan that uses the guise of a Brazilian banking site to collect passwords and related personal information from infected computers.

Security on Twitter is front and center right now, as the microblogging site was completely downed by a distributed denial-of-service attack last week that was targeting a Georgian political blogger. While other services like Facebook and the Google-owned Blogger were also hit by the attack, Twitter was the only one to suffer a full-out, hours-long outage, and it called into question just how secure the service really is.

But in this case, the Twittering botnet doesn't necessarily highlight a vulnerability that would be unique to Twitter.

"Although Twitter.com has been used in this instance, there are plenty of alternative sites on the Internet that could also be used as a similar medium of communication," Coogan wrote.

This post was updated at 1:05 p.m. PDT to note that Arbor Networks also reported the Twitter-based botnet.

Originally posted at The Social
July 29, 2009 11:02 AM PDT

Report: Spam and malware at all-time highs

by Lance Whitney

Spam and botnets have hit their highest levels ever, according to McAfee's second-quarter Threats Report, released Wednesday. McAfee's Avert Labs says spam recorded in the second quarter shot up 80 percent compared with the first quarter of the year.

This follows a brief reprieve from spam following last year's shutdown of the McColo ISP. June alone saw the largest amount of spam recorded by McAfee, surpassing the previous monthly high in October by more than 20 percent. McAfee now estimates that spam accounts for 92 percent of all e-mail.

By country, the amount of worldwide spam originating from the United States has dropped steadily over the past three quarters, but the U.S. still leads in spam production at 25.5 percent of the global market. Brazil, Turkey, India, and Poland have also seen sizable increases in spam production.

Zombies and botnets are on the rise, said the report, indicating that more computers are being hijacked to send spam and malware. McAfee recorded almost 14 million new zombies in action over the second quarter, a rise of more than 150,000 new zombies each day, another record.

Zombies and botnets can thank all the unprotected home computers, notes McAfee. More home users are setting up their PCs as remote access machines and as Web hosts, leaving those PCs increasingly vulnerable.

Another major threat reported by McAfee is AutoRun malware, which is triggered automatically when a person plugs in a USB stick, memory card, or other external device. The Trojans PWS-OnlineGames and PWS-Gamania and two viruses named W32/Sality and W32/Virut have propagated through removable cards and drives.

McAfee said it uncovered AutoRun malware in more than 27 million infected files during one 30-day period alone this past quarter, earning it the No. 1 spot of all malware detected worldwide.

"The jump in bot and spam activity we saw in the last three months is alarming, and the threat from AutoRun malware continues to grow," said Mike Gallagher, senior vice president and chief technology officer of McAfee Avert Labs.

Social-networking sites are another popular target for cybercriminals, noted the report. The openness of social networks often puts them at risk.

On Facebook, people freely access different applications that require a username and password, so those apps can easily tap into their accounts. McAfee also saw an increase this past quarter in the "popular" Facebook malware Koobface.

Twitter too has seen its share of threats. In April, the site was hit by a JavaScript worm that exploited a hole to infect user profiles. The same month, a French hacker was able to gain access to the account of a Twitter product director.

The use of sites like TinyURL by tweeters to shorten a lengthy URL can also pose a problem, said McAfee. Users have no idea what Web site the TinyURL redirects to until it actually opens.

McAfee releases its Threats Report each quarter. The first-quarter report was published in May.

July 1, 2009 6:35 AM PDT

Botnets lead the way for spam

by Vivian Yeo

Spam made up 90.4 percent of all e-mail traffic in June, with botnets accounting for the vast majority of those unsolicited messages, according to a new report from Symantec's MessageLabs.

Spam sent out from botnets, or networks of zombie PCs, made up 83.2 percent of unsolicited e-mail messages this month, MessageLabs said Tuesday in a statement. In May, 57.6 percent of spam was sent from known botnets, with Donbot responsible for 18.2 percent of these messages.

According to the messaging security company, the biggest botnet currently is Cutwail, which has doubled in size and output per bot since March. At its peak, Cutwail had an army of 1.5 million to 2 million active bots, but the shutdown of Californian ISP Pricewert earlier this month led to several hours of downtime for the botnet.

Cutwail, however, bounced back within hours, noted MessageLabs. It currently has an output of around one-third of its original capacity. Other major botnets include Rustock, Grum, Donbot, Bagle, Xarvester, Mega-D, Gheg, Asprox, and Darkmailer.

Also in June, there were an average of 1,919 new Web sites per day harboring malware and other potentially unwanted programs including spyware and adware. This represented an increase of 67 percent over May.

Over half, or 58.8 percent, of all Web-based malware that MessageLabs intercepted during the month was new, a month-on-month increase of 24.6 percent.

Data from MessageLabs also shows that more hyperlinks in instant messaging conversations are stepping stones to "instant malware."

In June, 1 in 78 hyperlinks found in instant messages linked to Web sites hosting malicious content, compared with 1 in 200 at the end of 2008. The hidden malware typically tries to perform a drive-by attack on a vulnerable Web browser or browser plug-in, said the company.

One in 80 IM users, predicted MessageLabs, may receive a malicious instant message each month.

Vivian Yeo of ZDNet Asia reported from Singapore.

June 17, 2009 3:10 PM PDT

'Golden Cash' botnet-leasing network uncovered

by Elinor Mills

Home page of the Golden Cash network.

(Credit: Finjan)

Researchers at security firm Finjan said on Wednesday that they have uncovered an underground botnet-leasing network where cyber criminals can pay $5 to $100 to install malware on 1,000 PCs for things like stealing data and sending spam.

The Golden Cash network, dubbed "Your money-making machine" on its home page, sells access to botnets comprised of thousands of compromised PCs to cyber criminals for custom malware spreading jobs, according to issue 2 of the Cybercrime Intelligence Report for 2009.

Here's how it works: a cyber criminal creates a botnet by hiding malicious code in a legitimate Web site that is used to turn Web surfing PCs into zombies. The code, typically an iFrame, points the PCs to a separate Web site where they are then infected with a Trojan backdoor that reports back to the Golden Cash command and control server.

In order to increase the number of botnets, the Golden Cash server installs an FTP (file transfer protocol) grabber on new zombies to steal credentials used by the computers to run Web sites, giving the server control over additional legitimate Web sites. Approximately 100,000 domains, including corporate domains from around the world, were identified among the stolen FTP credentials under Golden Cash's control, according to the report.

Customers pay for the ability to install different types of malware on the Golden Cash bots, which are recycled for new jobs and new customers afterward. Prices are higher for compromised PCs in western countries, the report said.

"This advanced trading platform marks a new milestone in the cybercrime evolution," Finjan said in a statement.

More technical analysis is available on Finjan's Malicious Code Research Center blog, including the fact that the command and control server is hosted in Texas, the registrant country is China and the "proxy" Web site that tunnels traffic to the command and control server is hosted in Krasnodar, Russia.

June 12, 2009 10:12 AM PDT

The botnet threat in China's censorship software

by Tom Espiner

Experts have warned of serious security flaws in the Chinese government's censorship software, which could open the door to hackers creating huge botnets.

Programming errors in the Green Dam Youth Escort software, which the Chinese Ministry of Industry and Information Technology said Tuesday must be preinstalled on all new computers in the country, are at the root of the flaws, according to experts from the University of Michigan.

Green Dam warning notice

This message pops up on PCs when the Green Dam software spots banned phrases.

(Credit: University of Michigan)

"Once Green Dam is installed, any website the user visits can exploit these problems to take control of the computer," wrote the university's researchers. "This could allow malicious sites to steal private data, send spam, or enlist the computer in a botnet." The warning came in a paper published Thursday by researchers Scott Wolchok, Randy Yao, and J. Alex Halderman.

The Green Dam software filters content by blocking URLs and Web site images and by monitoring text in other applications. The filtering blacklists include both political and adult content.

The researchers said that after only one day of testing Green Dam, they discovered programming errors in the code used to process Web site requests. These would result in buffer overrun conditions on all computers running the software, they said.

"The code processes URLs with a fixed-length buffer, and a specially crafted URL can overrun this buffer and corrupt the execution stack," said the researchers. "Any website the user visits can redirect the browser to a page with a malicious URL and take control of the computer."

The researchers built a proof-of-concept program to demonstrate the flaw and said it would crash any computer running Green Dam.

In addition, Green Dam can be used to install any other program on a computer, via a blacklist vulnerability. This problem would allow Green Dam's makers, or a third party impersonating them, to execute arbitrary code and install malicious software on the user's computer, after installing a filter update.

Chinese government news agency Xinhua reported that Jinhui Computer System Engineering, which developed Green Dam, had said the software was not spyware. "Our software is simply not capable of spying on Internet users, it is only a filter," Jinhui is quoted as saying.

The Xinhua article did not address whether the filter itself could be used to upload spyware.

The University of Michigan researchers recommended that anybody running Green Dam uninstall the software immediately. However, according to a translation of feedback on Jinhui's user forum, teachers and educational establishments have no choice but to use the software.

"Let me say something here," wrote one teacher. "We were forced to install the software. So I have to come to this website and curse. After we installed the software, many normal websites are banned."

Currently, Green Dam is only optimized for Microsoft's Internet Explorer browser, according to leaked technical specifications posted on the Wikileaks website.

Tom Espiner of ZDNet UK reported from London.

June 11, 2009 7:13 PM PDT

Look Ma, I created a botnet!

by Elinor Mills

The abstract concepts of "botnet" and "Trojan" just became a lot more concrete for me.

In less than an hour on Thursday, I was able to use programs readily available on the Internet underground for as little as $300 to infect several Windows clients and take complete control of them in a test environment.

In contrast to the real world, the McAfee Malware Experience event, which was akin to a Malware 101 class (or, in my case, Malware for Dummies), served up printed step-by-step instructions for us nonhacker journalists. But McAfee researchers said the programs used--real samples of malicious code from the wild--were not particularly sophisticated and any script kiddie could manage them easily.

First, I used a tool to infect a PC with a Sub Seven Trojan. With a few clicks it was on the client and I had remote access to everything on that machine via a so-called "back door." A management console provided an easy-to-use interface, including drop down menus with names like "Fun Manager."

Feeling mischievous I used the "flip screen" feature so that everything on the victim's PC was upside down and I changed the colors for the desktop and background to Hello Kitty hues of pink and orange. If I wanted to be nastier I could have directed the victim's browser to a URL of my choosing, turned on the client's Web cam, taken control of a chat session, printed out obscenities on the networked printer, or hidden the desktop or mouse from sight.

McAfee didn't let us save screen shots so I found this one on the Internet. It shows the interface of the Sub Seven Trojan and the "fun" things that can be done to a victim's computer with it.

(Credit: All-Interenet-Security.com)

I tested out the keystroke logger and found it to be particularly empowering and scary. It was thrilling to have so much control at my fingertips. It felt a bit like the electronic equivalent to pranks we did as kids, such as shorting the sheets and drawing on someone while the victim was sleeping. But these digital shenanigans have much more dire consequences.

Next up was creating a botnet, which would give me control over multiple zombies to do things like shut Web sites down with a denial of service attack and blanket e-mail inboxes with spam. I infected the two clients with the bot software and then created a command-and-control center on an IRC room. I then ordered up the system information from the bots, scanned their ports, and downloaded a malicious file onto the computers, as well as a keystroke logger. As they say in hacker lingo, I "pwned" the machines.

Finally, I used a program called "Shark" (also known as "Backdoor-DKG") to create a Trojan and install it on the victim clients by sending it through a Microsoft Outlook e-mail. Using a spreadsheet interface, I was able to set the functions of the Trojan, activate a keystroke logger and could have disabled antivirus software or set it to shut the system down based on certain conditions.

Following the tutorial, McAfee provided some bleak statistics to put my actions into perspective. For instance, the company's Avert Labs sees more than 400,000 new zombies a day, 4,000 new pieces of malware a day and 1.5 million malicious sites a month. There were 1.5 million pieces of unique malware last year and McAfee predicts that number will rise to 2.4 million this year.

The numbers aren't all that surprising to me now that I've seen firsthand how easy the malware is to create and use. All in all, I'd say it was a very sobering experience.

June 9, 2009 9:00 AM PDT

Report: Spam reduced following Pricewert shutdown

by Dong Ngo

Cutwail's spam activities on Thursday as Pricewert got shut down.

(Credit: MessageLabs)

It's been almost a week since the Federal Trade Commission had the allegedly rogue Pricewert ISP shut down, and it seems like the Internet has indeed been a safer, or I should say slightly less dangerous, place.

The FTC charged that Pricewert's distribution of illegal, malicious, and harmful content and deployment of botnets that compromised thousands of computers caused substantial consumer injury and was an unfair practice, in violation of federal law.

According to Symantec, the Cutwail botnet--one of the most notorious botnets, accounting for up to 35 percent of all spam in May across the globe--experienced a major blow to its track record after the shutdown late Thursday of Internet service provider Pricewert.

Another botnet Pricewert is allegedly involved with is Pushdo, which was also reportedly affected. Both Pushdo and Cutwail reportedly used 3FN, one of the names Pricewert did business under, as botnet control servers.

According to the data released Monday by TRACElabs, the overall spam volume index has been reduced by 15 percent since Thursday. However the day-by-day number has gradually increased.

This means a couple of things.

First, either the timing of these changes was a coincidence or Pricewert was indeed involved in this nasty business. It's important to note that the company has not yet been convicted of any wrongdoing. The first court hearing is scheduled for June 15.

Second, it's likely that the spammers will soon recover from this heavy blow as many similar companies are based outside of the U.S., where the anti-spam laws are not strictly enforced.

Nonetheless this for now looks like an apparent victory for the authorities and for all the Internet users. In terms of its long-term impact on spam, Symantec's MessageLabs Senior Anti-Spam Technologist Matt Sergeant told CNET News: "For now, we will see spam levels lower than usual, but we expected the swift comeback of Cutwail. The spammers learned that they can't put all their eggs in one basket and need to have backup command and control."

It's indeed wait and see, but so far I personally have received less spam in the last few days. How about you? Share your thoughts about this case and your recent spam experience, in the comment area below.
