
Security

November 2, 2009 6:00 AM PST

Phishing, worms spike this year, say Microsoft and McAfee

by Elinor Mills

Scammers are targeting social networks with phishing scams and relying more heavily on worms and Trojans to attack computers, according to security trend reports to be released Monday by Microsoft and McAfee.

Phishing attacks saw a big spike in May and June, primarily because of campaigns targeting social-networking sites, according to Microsoft's report covering the first half of 2009. Gaming sites, portals, and Web sites of banks and retailers were also popular targets for phishing attacks, the report said.

Trojans top the list of threats to computer security, according to Microsoft's latest Security Intelligence Report.

(Credit: Microsoft)

Trojans, including rogue security software, remained the most prevalent category of threats. Worms rose from fifth place in the second half of last year to become the second most prevalent category, led by Conficker and followed by Taterf, which targets multiplayer online role-playing games.

During the first half of the year, Microsoft detected and cleaned rogue security software--which displays false antivirus warnings to trick people into paying for software they don't need--from 13.4 million computers. That was down from 16.8 million computers in the second half of last year.

Most drive-by download pages (pages that install malware on a visitor's machine without any action beyond loading the page, usually by exploiting a browser or plug-in hole) are hosted on legitimate Web sites that attackers have compromised, either by breaking in or by posting malicious code to a poorly secured Web form, such as a blog comment field. The Trojan Downloaders & Droppers category was the type of malware most often delivered in drive-by attacks, according to Microsoft.

The number of total unique vulnerability disclosures across the industry was down sharply from a year ago. While browser vulnerabilities increased slightly, application vulnerabilities dropped and operating system holes were flat, Microsoft said.

Microsoft software accounted for 6 of the top 10 browser-based holes attacked on Windows XP computers, compared with only one on Vista computers. Of the top 10 browser-based holes exploited on computers running Vista, 2 targeted Adobe Reader and the most significant one targeted Adobe Flash Player. In the third spot was an exploit aimed at Internet Explorer.

Infection rates for Windows Vista were significantly lower than Windows XP, while the rate for Windows Server 2008 was less than Server 2003.

Microsoft released 27 security bulletins in the first half of the year, addressing 85 individual vulnerabilities. Of those, 11 were exploited within the first 30 days after the release of the security bulletin.

As for computer security consciousness, the U.S. is in the middle of the pack, according to George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Group. Japan is at or near the top of the list and Germany is high up too, he said.

"We are average," he added. "We are not one of the cleanest countries, we are dead on in the middle."

McAfee's report ranked the U.S. first in the number of compromised computers serving as zombies in botnets, which are used for tasks such as sending spam, followed by China and Brazil. The U.S. is also the top distributor of spam and has the most servers hosting malware, McAfee said.

Spam comprises 92 percent of all e-mail. It jumped 24 percent from a year ago, McAfee said.

Originally posted at InSecurity Complex
October 2, 2009 8:02 AM PDT

Security Essentials fares well in AV-Test trial

by Lance Whitney

Microsoft's new Security Essentials software has passed at least one exam so far--a review by security testing firm AV-Test.org.

Using the latest version and definition updates of Microsoft Security Essentials (MSSE) downloaded from the Web, AV-Test ran the product through a series of tests on Sept. 29 and 30 to judge its effectiveness at fighting malware.


To check static known malware, AV-Test pitted Security Essentials against the most recent WildList, a sampling of 3,732 viruses and other threats compiled by the WildList Organization. Microsoft's product successfully detected and blocked all of the samples in both manual and active scanning.

AV-Test also threw its current set of 545,034 viruses, worms, Trojans, and other threats at Security Essentials. MSSE caught 536,535 of them, a detection rate of 98.44 percent.

In AV-Test's battle against adware and spyware, Security Essentials stopped 12,935 out of 14,222 samples, earning a detection grade of 90.95 percent. No false positives came up in a scan of over 600,000 clean files from Windows, MS Office, and other commonly used programs.

To check dynamic detection, which judges malware by its behavior rather than by matching it against static signature lists, AV-Test ran a set of recently released malware against the product. MSSE failed to find any of those samples, leading AV-Test to conclude that it has no behavior-based detection in place. AV-Test noted that other standalone antivirus products don't include behavior-based detection either; the feature is typically found only in full security suites.

MSSE also found and eliminated all 25 rootkits that AV-Test threw at it.

Security Essentials did only a fair job of cleaning up infections. Facing 25 different malware samples, the product removed all active components as part of its repair process. But in many cases, some remnants of the malware were left behind, as inactive executable files or empty Registry keys.

Finally, AV-Test found that the speed of Security Essentials scanning was about average compared with that of other security products.

AV-Test's review of Security Essentials was run on Windows XP with SP3, Windows Vista with SP2, and Windows 7 RTM, both the U.S. English and German 32-bit editions. A series of papers on the methodology used by AV-Test in its testing process are at the company's Web site.

CNET's Seth Rosenblatt also looked at Security Essentials this week, while CNET News reporter Ina Fried has said the beta version of the product recently saved her from a Koobface attack.

September 5, 2009 2:25 PM PDT

WordPress blogs falling prey to worm

by Jennifer Guevin

A worm is circulating that can post malware and spam to some WordPress blogs using outdated versions of the blogging software, according to a post by Matt Mullenweg, founding developer of WordPress.

The worm can be tough to catch, as Mullenweg explains: "it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts."

The vulnerability allowing the attack was disclosed August 11, at which point WordPress encouraged users to upgrade to version 2.8.4. However, many people have yet to upgrade, and reports online indicate the worm is spreading by the hour.

The worm does not affect the current version 2.8.4 or the one prior to it. It affects only people who host their own WordPress installation; blogs hosted on WordPress.com are unaffected.

Users can find upgrade links and instructions here. WordPress has also posted an FAQ for people who think their blog has been hacked.

July 10, 2009 2:08 PM PDT

Botnet worm in DDoS attacks could wipe data out on infected PCs

by Elinor Mills

The denial-of-service attacks against Web sites in the U.S. and South Korea that started last weekend may have stopped for now, but code on the infected bots was set to wipe data on Friday, security experts said.

There were no immediate reports of any of the compromised PCs in the botnet having files deleted, but that doesn't mean it wasn't happening or won't in the future, said Gerry Egan, a product manager in Symantec's Security Technology Response group. (Click here for Larry Magid's related podcast with Symantec expert.)

There are only about 50,000 infected PCs around the world being used in the attacks, which is relatively small compared to the millions that were infected with Conficker, he said.

The attacks started over the July 4 weekend, launching distributed denial-of-service (DDoS) traffic at dozens of government and commercial sites in the U.S. and South Korea. The attacks, which resurged during the week at least twice, affected sites including the White House, the Federal Trade Commission, the Secret Service, and The Washington Post.

One of the files dropped on infected PCs is programmed to wipe out files on the PC, including the master boot record, which leaves the system unable to boot the next time it is restarted, Symantec said. "Basically, your system is in trouble if this executes," Egan said.

Botnet expert Joe Stewart of SecureWorks told The Washington Post that he tested the self-destruct Trojan and found it capable of erasing the hard drive on an infected system, but that that function wasn't being triggered. He speculated that either there is a bug in the code or that the feature is set to activate at a later date.

Researchers are finding that the bots launching the attacks carry several types of malware. The MyDoom worm is being used to spread infections between computers via e-mail, Symantec and other antivirus vendors have reported.

A dropper program called W32.Dozer that contains the other components is sent by W32.Mytob!gen to e-mail addresses it gathers from the compromised computer, the Symantec Response Blog says. If a user executes the attachment, W32.Dozer drops Trojan.Dozer and W32.Mydoom.A@mm on the system.

The Dozer Trojan serves as a backdoor and connects to IPs through certain ports, allowing it to update itself and to receive instructions on sites to attack, according to Symantec. It's unclear whether the DDoS attacks will happen again, because the infected PCs can receive new instructions at any time, Egan said.

"There is nothing new or novel in the technology," he said. Judging by the high-profile sites attacked it's likely the attackers are just trying to get attention, he added.

South Korean officials told reporters on Friday that the DDoS attacks used 86 IP addresses in 16 countries, including South Korea, the U.S., Japan, and Guatemala, but not North Korea, according to an Associated Press report.

For more information listen to CNET blogger Larry Magid's podcast on the subject.

This graphic shows how the different malware components on the denial of service botnets interact.

(Credit: Symantec)

July 2, 2009 10:49 AM PDT

Waledac worm targeting July 4 spam offensive

by Elinor Mills

The Waledac worm is gearing up for a spam campaign related to the July 4 holiday, a security researcher warned on Thursday.

Researchers analyzing the code of the worm, which has been deploying updates to previously compromised PCs, have discovered that at least 18 domain names have been registered related to fireworks and Independence Day that will be used to trick people into visiting a malicious Web site, said Pierre-Marc Bureau, a senior researcher at antivirus vendor ESET.

Starting any time now and lasting through the weekend, the spam e-mails will arrive in in-boxes with a message urging the recipient to watch a July 4 video. The e-mails are expected to include a link to a site with an executable that, instead of playing a video when double-clicked, will download malware that turns the visiting PC into another bot on the botnet, Bureau said.

The operators of Waledac are using holidays and other current events to lure new victims in order to expand their botnet, and it's likely they are leasing out the botnet's services to others, he said. Earlier this year, Waledac exploited Valentine's Day, spamming people with fake romantic greetings.

It is estimated that there are tens of thousands of computers infected with Waledac and that more than 20,000 will be used in the July 4 spam campaign, according to Bureau.

More information is on the ESET blog.

June 18, 2009 1:30 PM PDT

That e-mail attachment is not a Twitter invite

by Elinor Mills

Twitter invites have a URL in the e-mail and not an attachment like this worm attack does, Symantec says.

(Credit: Symantec)

Symantec is warning about a mass-mailing worm that comes in an attachment pretending to be a Twitter invite.

"The observed messages appear as if they have been sent from a Twitter account; however, unlike a legitimate Twitter message, there is no invitation URL present in the body," a Symantec blog post says. "Instead, the user will see an attachment that appears as a .zip file that purportedly contains an invitation card."

The name of the attachment is "Invitation Card.zip," and Symantec identified it as W32.Ackantta.B@mm, a worm targeting Windows computers that was first seen in an e-card virus attack in February. The worm gathers e-mail addresses from compromised PCs and spreads by copying itself to removable drives and shared folders.
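The distinction Symantec draws above (a real invitation carries a URL in the body and no attachment; the lure carries an archive attachment and no URL) is easy to turn into a mail-gateway check. The following is an added example, not Symantec's or Twitter's code: both sample messages are constructed for illustration, and the sender check, the extension list and the verdict names are assumptions of this example rather than any vendor's detection signature.

```python
"""
Added example, not Symantec's or Twitter's code: a mail-gateway heuristic
for the Twitter-invite lure. Sample messages, the twitter.com sender check,
the extension list and the verdict names are constructed assumptions.
"""
import email
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://\S+")
# Archive and executable extensions that a legitimate invitation never carries.
RISKY_EXT = (".zip", ".rar", ".exe", ".scr", ".pif", ".com")


def build_message(subject, body, attachment_name=None):
    """Construct a sample message. The From header is what the sender claims, not proof."""
    msg = EmailMessage()
    msg["From"] = "Twitter <invitations@twitter.com>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Constructed bytes standing in for the worm's zip; only the name matters here.
        msg.add_attachment(b"PK\x03\x04 constructed zip bytes",
                           maintype="application", subtype="zip",
                           filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: what a genuine invite looks like, and what the lure looks like.
LEGIT_INVITE = build_message(
    "Your friend invited you to Twitter",
    "Join your friend on Twitter: https://twitter.com/invitations/abc123\n")
LURE = build_message(
    "Your friend invited you to Twitter",
    "Please open the attached invitation card.\n",
    attachment_name="Invitation Card.zip")


def classify(raw):
    """
    Return (verdict, risky_attachment_names). A message that claims to come
    from twitter.com, carries a risky attachment and has no link in the body
    is quarantined; any other risky attachment is flagged; the rest is delivered.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    claims_twitter = "twitter.com" in str(msg.get("From", "")).lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    has_url = bool(URL_RE.search(text))
    names = [(part.get_filename() or "") for part in msg.iter_attachments()]
    risky = [n for n in names if n.lower().endswith(RISKY_EXT)]
    if claims_twitter and risky and not has_url:
        return "quarantine", risky
    if risky:
        return "flag", risky
    return "deliver", risky


if __name__ == "__main__":
    for label, raw in (("legitimate invite", LEGIT_INVITE), ("worm lure", LURE)):
        print(label, "->", classify(raw))
```

The From header is treated only as a claim: a mass-mailer can put anything there, which is exactly why the check keys on what the message contains (archive attachment, no link) rather than on who it says it is from.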

May 5, 2009 9:35 AM PDT

McAfee: New botnets dwarf Conficker threat

by Lance Whitney

The Conficker worm, which has set off many a recent security alarm bell, may just be a small fry, compared to the growing number of botnets, viruses, and worms infecting cyberspace.

According to a report released on Tuesday from security vendor McAfee (PDF), cybercriminals have hijacked 12 million new computers since January with an array of new malware. This represents a 50 percent increase in the number of "zombie" computers over 2008.


The United States now hosts the world's largest percentage of infected computers, 18 percent, according to the McAfee report. China is next on McAfee's list, hosting 13.4 percent of the world's infected PCs.

"The massive expansion of these botnets provides cybercriminals with the infrastructure they need to flood the Web with malware," Jeff Green, senior vice president of McAfee Avert Labs, said in a statement. "Essentially, this is cybercrime enablement."

The McAfee report doesn't minimize the danger from the Conficker worm but says other threats that haven't received media attention may pose greater risk. One piece of malware, the Vundo Trojan horse, has been especially active the past three months. Botnets using Web 2.0 technology via social networks also are on the rise. The recent Koobface virus infected thousands of Facebook users, for example, as it was passed along from friend to friend.

Spam levels are threatening to rise again, the report adds. Spam had dipped 30 percent from its peak in the third quarter of 2008 after last November's shutdown of McColo, a major spam-hosting Internet service provider. But since then, the volume of spam has shot up 70 percent. McAfee expects that number to grow to its 2008 level, even though spammers are taking longer than expected to recover from the McColo takedown.


The report challenges one myth--that cybercriminals based in Eastern Europe favor Western targets. Instead, McAfee has found no boundaries for cyberthreats. It notes that key Russian and Eastern European government agencies and corporations have themselves been compromised, and that spammers are hitting more countries with worms and botnets in an effort to spread their efforts globally.

April 17, 2009 2:02 PM PDT

Teen Twitter worm writer gets job, spreads new worm

by Elinor Mills

Michael Mooney, aka "Mikeyy"

(Credit: Michael Mooney)

The teenager who takes credit for the worms that hit Twitter earlier this week has been hired by a Web application development firm and on Friday released a fifth worm on the microblogging site, he said.

Twitter fought off four waves of worm attacks last weekend and into Monday in which Twitter users were infected just by clicking on the name or image of someone whose account was infected. The worms appeared to do no damage other than spread to infected users' followers and modify profile pages.

Michael Mooney, a 17-year-old living in Brooklyn, N.Y., told CNET News that he wrote the worms because he was bored and wanted to bring Twitter's attention to the security holes.

Mooney also grabbed the attention of Travis Rowland, founder of ExqSoft in Hammond, Ore., who has hired the teen.

Rowland told CNET News on Friday that he saw the worms on Twitter and was impressed with Mooney's skills so he contacted him about working for him doing security analysis. "I saw his Web site and he coded that all from hand and it was pretty impressive; it was a complete Twitter clone," Rowland said.

After landing the job, Mooney spread the latest worm, which exploits a fifth vulnerability at the site, he said. Asked why he doesn't contact Twitter directly instead of launching the attacks, the graduating high school senior said he had tried but had gotten no response.

"I just want to let (Twitters) know that my intent is not to aggravate them," Mooney said in a phone interview with CNET News. "It's probably not the best way, but it's the only way I can reach out to Twitter so they will fix the vulnerability."

The latest worm exploits a cross-site scripting vulnerability and posts messages from infected accounts that reference celebrities and Mooney's hiring by ExqSoft, according to a blog post by Graham Cluley, a senior technology consultant with security firm Sophos.

Rowland blasted Twitter for not adequately protecting its site. "It's a complete failure on their part," he said.

Twitter executives did not respond to an e-mail seeking comment.

Mooney is not the first hacker to have parlayed online stunts into profit. A New Zealand teenager arrested in 2007 on charges of operating a huge botnet that was used to steal from bank accounts was asked to be a speaker at TelstraClear customer seminars late last year and was used in an advertising campaign for the telecom's global security unit, according to Computerworld.

"The author of the Anna Kournikova worm was told by his town's mayor that he would be welcome to work on their systems, the notorious teenager behind the Sasser and Network worms was hired by a security firm, and the creator of a Chinese worm which displayed pictures of pandas burning incense was offered a job by one of his victims," Cluley wrote in a separate blog post.

Cluley criticized ExqSoft's hiring of Mooney, saying the teen should not be rewarded for behaving irresponsibly. The teen not only wasted the time of thousands of Twitter users and company engineers, Cluley said, but put Twitterers at risk of having their identities stolen or malware installed on their machines by financially motivated hackers who could have used the same cross-site scripting flaw.

"In my opinion, I don't believe it was malicious," said Rowland. "He could have been farming for personal information like e-mail addresses and phone numbers. He potentially could have exposed that information to any numerous sources."

In a tweet last weekend, Rowland implored Twitter to not prosecute Mooney, arguing that he did them a favor by alerting them to a security hole.

Asked earlier in the week about the prosecution scenario for Mooney, Jennifer Granick, an attorney with the Electronic Frontier Foundation, said in an e-mail: "If he's 17, he will not be federally prosecuted and the sentencing, should he be found or plead guilty, should be more about rehabilitation than punishment."

Rowland said he plans to help guide Mooney away from pranks and toward a promising career as a white hat hacker.

"He's got a lot of growing up to do but he's a really good guy and he has a lot of passion for what he does," Rowland said. "Hopefully, I can influence him in the right way."

(ABCNews reported on Mooney getting a job early on Friday.)

April 13, 2009 1:36 PM PDT

Twitter cleans up after weekend worm attacks

by Elinor Mills

Twitter security engineers were cleaning up on Monday following a series of worm attacks over the weekend, including at least two credited to a bored 17-year-old.

In the first attack, which began early on Saturday, four new accounts began spreading a worm, compromising about 90 accounts, Twitter co-founder Biz Stone wrote in a posting on the Twitter blog.

The worms appeared to do no damage other than spread to infected users' followers and modify profile pages. You can get infected just by clicking on the name or image of someone whose account was infected.

Later that afternoon, about 100 accounts were compromised in a second wave, followed by another wave on Sunday morning, he wrote. Nearly 10,000 tweets that could have spread the worm were deleted, according to Stone.

Late on Sunday and into Monday morning, Twitter fended off another attack, he said. "Once again, we secured the compromised accounts and deleted any material that would further propagate the worm," he wrote. Stone declined an interview request from CNET News, saying he didn't have time.

The worms exploit a common class of Web application vulnerability called cross-site scripting (XSS): user-supplied input, in this case profile fields, is placed into a page without being escaped, so script inserted by one user runs in the browser of anyone who views that page, with the viewer's own logged-in session.

In this instance, Twitter users who clicked on the name or image of anyone sending the worm messages would get infected and then send the message on to all that person's followers. Anyone viewing an infected user's profile would also get infected and pass the worm on.
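The mechanics described above come down to one templating mistake, and the same mistake (unescaped input from a poorly secured form such as a blog comment field) is how the drive-by pages in the Microsoft report above end up on legitimate sites. The block below is an added example, not Twitter's code: it renders a profile two ways, the unescaped way and the escaped way, and replays the infect-the-viewer loop against each. The field names, the "/settings" endpoint in the payload, the sample profiles and the viewer list are all constructed for illustration.

```python
"""
Added example, not Twitter's code: how an unescaped profile field becomes a
self-propagating cross-site scripting worm, and the output-encoding fix.
Field names, the /settings endpoint, the payload and the sample users are
constructed assumptions.
"""
import html
from urllib.parse import urlsplit

# Worm-style payload placed in a profile's "url" field: it closes the href
# attribute, injects a script that reposts the page's own markup to the
# viewer's profile, then reopens an anchor so the rest of the template parses.
PAYLOAD = ('"><script>fetch("/settings",{method:"POST",'
           'body:"url="+encodeURIComponent(document.body.innerHTML)})'
           '</script><a href="')

# Constructed sample profiles: one benign, one carrying the payload.
PROFILES = {
    "alice": {"name": "Alice", "url": "https://example.org/alice"},
    "mallory": {"name": "Mallory", "url": PAYLOAD},
}


def render_profile_vulnerable(profile):
    """The bug: untrusted fields are interpolated straight into HTML."""
    return f'<div class="profile"><a href="{profile["url"]}">{profile["name"]}</a></div>'


def safe_url(url):
    """Allow only absolute http(s) links; javascript:, data: and junk become a dead link."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.netloc:
        return url
    return "#"


def render_profile_safe(profile):
    """The fix: validate the URL, then HTML-escape every field at the point of output."""
    url = html.escape(safe_url(profile["url"]), quote=True)
    name = html.escape(profile["name"], quote=True)
    return f'<div class="profile"><a href="{url}">{name}</a></div>'


def contains_live_script(markup):
    """Crude marker of a live <script> element; an entity-encoded &lt;script&gt; does not match."""
    return "<script" in markup.lower()


def simulate_worm(render, viewers=("alice", "bob", "carol")):
    """
    Replay the propagation the article describes. Each viewer loads the most
    recently infected profile; if the rendered page carries a live script, the
    viewer's own profile is overwritten with the payload and infects the next
    viewer in turn. Returns how many accounts end up infected.
    """
    profiles = {"mallory": dict(PROFILES["mallory"])}
    for v in viewers:
        profiles[v] = {"name": v.title(), "url": f"https://example.org/{v}"}
    infected = ["mallory"]
    for viewer in viewers:
        page = render(profiles[infected[-1]])
        if contains_live_script(page):
            profiles[viewer]["url"] = PAYLOAD
            infected.append(viewer)
    return len(infected)


if __name__ == "__main__":
    print("unescaped renderer infects", simulate_worm(render_profile_vulnerable), "accounts")
    print("escaping renderer infects", simulate_worm(render_profile_safe), "account")
    print(render_profile_safe(PROFILES["mallory"]))
```

Escaping has to happen at output, per context: the same string needs HTML entity encoding in element text, attribute encoding inside a quoted attribute, and a scheme allow-list when it lands in an href, which is why `safe_url` runs before `html.escape` rather than instead of it.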

Interviewed by CNET News on Sunday after the first two iterations circulated, Michael Mooney, a 17-year-old living in Brooklyn, said he created the worms out of boredom. The messages in the first outbreak included a link to rival microblogging site, Stalkdaily.com, which Mooney owns.

Mooney said in the interview that he did not plan on releasing any more worms targeting Twitter. He could not be reached for comment on Monday.

The first worm messages warned people not to go to the StalkDaily site, which would infect a Twitter user's account if they visited the site. The second worm message contained the phrase "Mikeyy" and the third referred to removing the Mikeyy worm but used "bit.ly" to add shortened URLs to messages, said Andy Hayter, anti-malcode program manager for ICSA Labs, which provides third-party validation for security products.

The most recent attack involved a message saying "Hire Mikeyy" and included Mooney's phone number, according to Graham Cluley, a senior technology consultant with security firm Sophos.

"What we're seeing was it was possible for codes to be embedded, small pieces of JavaScript, into people's profiles. This should be fairly elemental to filter out," he said.

While the attacks were mostly a nuisance, they could have been dangerous if spyware or other malware had been downloaded onto Twitter users' computers, Cluley said.

To avoid such JavaScript-based attacks, you can turn off JavaScript in your browser. Instructions for doing this are here. You can also use utilities such as NoScript, an open-source Firefox extension, Hayter recommended.

Users of infected Twitter accounts should also request a password reset and go to the settings page and delete any profile or other information that may have been added during the attack. To reset colors go to the profile design page.

Twittercism has detailed instructions on how to tell if you are infected and how to remove the worm.

And just like e-mail users should be careful what e-mail attachments they open, be careful who you follow on Twitter, Hayter said.

Updated 4:05 p.m. PDT with Sophos comment.

April 12, 2009 10:10 AM PDT

Teen takes responsibility for Twitter worms

by Steven Musil

Updated at 7:40 p.m. PDT with more information from the worm's creator.

As a second Twitter exploit began circulating on the micro-blogging site Sunday, a teenager from Brooklyn told CNET News he created both worms because he was bored and wanted to draw attention to the Twitter flaw.

Much like Saturday's StalkDaily worm, the "Mikeyy" worm posts unwanted messages to users' pages. The "Mikeyy" worm began spreading on the micro-blogging site early Sunday, posting messages such as "Mikeyy I am done...," "MikeyyMikeyy is done.," and "Twitter please fix this, regards Mikeyy."

Brooklyn resident Michael "Mikeyy" Mooney, 17, told CNET News in an interview that he created the worm "out of boredom."

"I thought about it later and basically did it because I was bored," he said. "And I didn't think Twitter would fix (the flaw) very soon. But I didn't think it would spread as far or as fast as it did."

Mooney, a high school senior who said one day he hopes to get a job as a security analyst, said he has been creating worms for about three years. He added that the worms he creates aren't designed to do much damage but that this will likely be his last worm.

"I'm done with Twitter," he said, adding that he was feeling a bit overwhelmed. "I've been getting too much attention lately."

Mooney said his site has been live to the public for about two weeks and has 905 members, but that it "is growing quickly because of the worm."

The messages circulating Saturday promoted StalkDaily.com, a short-messaging site similar to Twitter. While initially denying any responsibility for the worm, StalkDaily.com posted a message saying, "I have came clean and have accepted the responsibility for the worm..."

Twitter said it has closed the hole that allowed the worm to spread.

"We've taken steps to remove the offending updates, and to close the holes that allowed this 'worm' to spread," Twitter said in a statement Saturday. "No passwords, phone numbers, or other sensitive information were compromised as part of this attack."

However, Mooney said he released the second worm exploiting the original flaw Sunday morning, after Twitter claimed to have closed the holes. He also said that he had not yet been contacted by Twitter representatives.
