Symantec on Tuesday confirmed a vulnerability in Adobe Acrobat and Reader and said it was being exploited by a Trojan hidden in e-mail attachments.
The malicious Adobe Acrobat PDF file is distributed via an e-mail attachment that "drops and executes when opened on a fully patched system with either Adobe Acrobat or Reader installed," Symantec said in a statement.
Symantec identified the file as Trojan Pidief.H, which targets Windows 98, 95, XP, Windows Me, Vista, NT, 2000 and Server 2003.
The rate of infection is extremely limited and the risk assessment level is very low, according to Symantec.
The exploit has been in the wild since at least last Friday, according to the Shadow Server blog.
"Several tests have confirmed this is a 0-day vulnerability affecting several versions of Adobe Acrobat [Reader] to include the most recent versions of 8.x and 9.x. We have not tested on 7.x, but it may also be vulnerable," the post says. "We did not discover this vulnerability but have received multiple reports of this issue and have examined multiple different copies of malicious PDFs that exploit this issue. This is legit and is very bad."
The vulnerability is in a JavaScript function within Adobe Acrobat Reader itself, the Shadow Server post says, before advising users to disable JavaScript.
Adobe posted a security advisory late on Tuesday saying that it had confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could crash the system and allow an attacker to take control of the computer.
Affected software is Reader 9.2 and earlier for Windows, Macintosh, and Unix, and Acrobat 9.2 and earlier for Windows and Macintosh, Adobe said. The company recommended disabling JavaScript to protect the system.
Adobe had said on Monday night that it was investigating reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild.
Adobe has increasingly had to deal with holes in and exploits targeting its popular software. Adobe issued updates in October that fixed nearly 30 holes in Reader and Acrobat 9.2. Earlier that month, Trend Micro reported on a zero-day exploit targeting Adobe Reader, as well as 9.1.3 and earlier versions of Adobe Systems' Acrobat.
In July, Adobe warned of attacks in which malicious PDF files were exploiting a vulnerability in Flash. And in April a new Reader hole emerged after Adobe fixed a two-month-old critical vulnerability in Adobe Reader 9 and Acrobat 9.
Updated 5:10 p.m. PST with Adobe confirming vulnerability.
Updated 5:10 p.m. PST with information about later versions of the e-mail campaign directing to a landing page with hidden code that uses an Adobe exploit to try to download malware onto the system.
The e-mail appears to be from the CDC but directs people to a fake CDC site that serves up a Trojan.
(Credit: AppRiver)You can ignore that e-mail that looks like it comes from the U.S. Centers for Disease Control and Prevention about creating a profile for an H1N1 vaccination program. It's a malware scam, according to security provider AppRiver.
The fake alert informs recipients that as part of a "State Vaccination H1N1 Program" they need to create a profile on the CDC Web site. The link in the e-mail goes to a fake CDC page where the visitor is assigned a temporary ID and a link to a vaccination profile that is actually an an executable file containing a copy of the Kryptik Trojan targeting Windows, according to an AppRiver blog post on Tuesday.
Once installed, "this Trojan will create a security-free gateway on your system and will proceed to download and install additional malware without your authorization," the post warns. "It also enables a remote hacker to take complete control of your computer. This malware can log your typed keystrokes and send confidential personal and financial data (including banking information, credit card numbers, and website passwords) to a remote hacker."
AppRiver said it was seeing the fake CDC e-mails at a rate of nearly 18,000 messages per minute, reaching more than 1 million in the first hour alone.
The malware campaign apparently got more dangerous as the day wore on. In later iterations of the fake CDC e-mail, the landing page that the link led to contained a hidden iFrame that pointed to a site hosted in Ukraine, according to Symantec. In the background, the iFrame checks to see if the system is running an unpatched version of Adobe Reader, Acrobat or Flash Player and if so it uses an exploit to download a file to the system, the company said.
"During testing, our detections picked up the Adobe exploitation attempts using generic IPS and AV signatures," a Symantec spokesperson said.
This screen shot shows the fake CDC Web page that is distributing the Trojan.
(Credit: AppRiver)
The Lose/Lose game warns players before they launch the application that they are likely to have files deleted.
(Credit: Lose/Lose)As part of his Master of Fine Arts thesis project, Zach Gage wrote a game to run on Macintosh computers that resembles Space Invaders but with a digital roulette twist--for every alien space ship the player destroys a random file on the computer is deleted.
"Lose/Lose is a video-game with real life consequences. Each alien in the game is created based on a random file on the player's computer. If the player kills the alien, the file it is based on is deleted. If the player's ship is destroyed, the application itself is deleted," the computer technology design major wrote on his Web site.
"At what point does our virtual data become as important to us as physical possessions? If we have reached that point already, what real objects do we value less than our data?" he asks.
On September 14, Gage posted his "Lose/Lose" game on his Web site and at the Experimental Gameplay Project, which links back to his site where he has a big warning in red: "KILLING ALIENS IN LOSE/LOSE WILL DELETE FILES ON YOUR HARDDRIVE PERMANENTLY." The application also displays a warning when it is launched.
This week, Symantec announced that it has flagged the application as malware, a Trojan it has dubbed OSX.Loosemaque. Sophos is calling it a Trojan too, OSX/LoseGame-A and Intego has named it OSX/LoserGame.
"We are concerned that somebody could take this and modify it in some way where users aren't aware of the consequences," Kevin Haley, director of product management at Symantec Security Response, said in an interview on Wednesday. "We want to make people aware of what's on their machine and they can make the decision on whether to run it or not."
Asked to comment on the stir his project was creating, Gage seemed amused.
"I'm kind of OK with it being labeled malware," he said in a phone interview. "I would categorize it as dangerous software, but not malware because it is dangerous if you use it in a certain manner. Whereas malware implies it was designed to be malicious...Calling it a Trojan is really blowing it out of proportion."
Trojan horses are programs, typically masquerading as a benign program or hidden in legitimate software, which provide an attacker unauthorized access to the system. However, Gage's program explicitly says what it does and what the consequences are.
In addition to exploring the nature of risk and reward with regard to war and the notion of how small wins distract from the larger picture, the game provokes discussion about the risks people take with technology every day, Gage said.
"We need to pay attention to how we behave on computers," he said.
Apparently, some people don't mind playing with fire. The list of high scorers on the game site shows more than 40 players, with the highest score having destroyed nearly 5,000 files, or aliens.
"I'm surprised anyone has played it," Gage said. "I'm shocked."
Asked to comment on any possible beneficial merits of the project, Symantec's Haley said: "I don't see the positive aspect of it, but I suppose if it's art we're not supposed to completely understand it."
Symantec created a video that shows how the game works. When an alien ship is destroyed (on the left) a corresponding file is deleted (on the right).
(Credit: Symantec)Symantec is warning about a new Trojan horse that encrypts files on compromised computers but offers no ransom note like other software designed to hold data hostage for a fee.
Instead, a Web search for terms related to the Trojan horse leads to a company offering a way to remove the malware. The company offering the product used to charge for it but now offers it for free.
Trojan.Ramvicrype uses the RC4 algorithm to encrypt files on systems running Windows 98, 95, XP, Windows Me, Vista, NT, Windows Server 2003 and Windows 2000, according to Symantec's Web site.
Computers with files that have the .vicrypt extension are infected, a Symantec researcher wrote in a blog post this weekend.
A Web search for "vicrypt help" brings up a news release for a company called Exquisys Software Technology Ltd in Mauritius offering a product called Antivicrypt that will "repair and restore" files that are "damaged." Symantec reports that the company charges for the product.
Exquisys could not be reached for comment on Monday, which happens to be a national holiday in that country.
Meanwhile, Symantec is offering a free tool to decrypt the encrypted files.
However, there is a chance that an affected computer will not have access to the Internet to search for any tools, free or otherwise. If a file in the Windows system folder has recently been opened, all the files in the system folder will be encrypted and the user may be unable to access the Internet, Symantec said.
When the Trojan is executed it searches for files in MyDocuments, Desktop and Application Data\Identities and renames them with a .vicrypt extension. Then it looks for links in the Recent folder and renames all the files in the folders that are pointed to by links there and encrypts the head section of each file.
It then displays this warning: "Vicrypt error! Please Restart Windows."
This shows a screen from a computer infected with the Ramvicrype Trojan, which encrypts data to be held hostage for payment.
(Credit: Symantec)Correction at 1:28 p.m. PST: This post initially misstated the price of the Anticrypt software. Exquisys no longer charges for it.
Updated at 12:25 p.m. PST: with Monday being a holiday in Mauritius.
It's still unclear exactly how 20,000 passwords discovered on the Web recently were stolen, but the finding reveals much in the way of people's password habits: some of us are lazy.
Several lists of passwords from Hotmail, Gmail, Yahoo Mail, and other accounts were discovered and reported on earlier in the week. While, Microsoft, Google, and Yahoo are blaming phishing, a researcher at ScanSafe thinks password-stealing malware on computers could be the culprit, which would mean that more than just the Web e-mail accounts may have been compromised.
More on that later. First, let's look at what an analysis of the leaked passwords reveals.
Security researcher Bogdan Calin did a statistical analysis of the list of more than 10,000 Windows Live Hotmail passwords and wrote about his findings on the Acunetix blog. He discovered that the most common password was "123456," used for 64 of the passwords. In second place was "123456789," used for 18 of them. Also, 42 percent of the passwords used only lower case letters.
While that shows some people aren't exercising caution in securing their e-mail accounts, other statistics reveal that many people are putting more thought into it.
For instance, 30 percent used a combination of uppercase and lowercase letters and numbers. Twenty-two percent of the passwords used six characters, 14 percent used seven, 21 percent used eight, and 12 percent used nine characters. One account even had a password that was 30 characters long.
"My impression is that these passwords have been gathered using phishing kits," Calin writes. "Even more, the phishing kit used most probably was badly designed, since it was one that didn't further authenticate the users to the Hotmail/Live Web site. I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened, is that the users didn't understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong."
Mary Landesman, senior security researcher at ScanSafe, theorizes that passwords were obtained by a data-stealing Trojan horse and not phishing.
There are errors in the list of Hotmail passwords that appear to be the result of improper extracting or merging data, she writes on the ScanSafe blog.
Among other reasons, Landesman notes that usernames often appear multiple times with the same password except for a slightly different spelling. Also, she said the "@" separating the username from the account is not always present, which could indicate that the data was pieced together from a form or was extracted from a larger set of data.
Asked to comment on Landesman's speculation, Microsoft and Yahoo representatives said the companies still think the passwords were phished.
A Google spokesman offered this comment: "Passwords can be compromised in multiple ways, so it's a good idea to take several steps to help protect your personal information. Select unique passwords, especially on your most important Web sites, and use antivirus software to help detect software that may try to steal your password."
It's important to remember that phishing can lead to the download of malware onto a victim's computer. So people may never been known what happened.
Regardless, be careful out there.
(Related: See Larry Magid's story for tips on making strong, easy-to-remember passwords.)
Update, 1:20 p.m. PDT on October 9: The list of passwords analyzed apparently was limited to usernames starting with A and B, which is not exactly a representative sample but could explain the use of Spanish words beginning with "A."
Researchers at security firm Finjan have discovered details of a new type of banking Trojan horse that doesn't just steal your bank log-in credentials but actually steals money from your account while you are logged in and displays a fake balance.
The bank Trojan, dubbed URLZone, has features designed to thwart fraud detection systems which are triggered by unusual transactions, Yuval Ben-Itzhak, chief technology officer at Finjan, said in an interview Tuesday. For instance, the software is programmed to calculate on-the-fly how much money to steal from an account based on how much money is available.
It exploits a hole in Firefox, Internet Explorer 6, IE7, IE8, and Opera, and it is different from previously reported banking Trojans, said Ben-Itzhak. The Trojan runs an executable only on Windows systems, he said. The executable can come via a number of avenues, including malicious JavaScript or an Adobe PDF, he added.
The specific Trojan Finjan researchers analyzed targeted customers of unnamed German banks, according to the latest Finjan report. It was linked back to a command-and-control server in Ukraine that was used to send instructions to the Trojan software sitting inside infected PCs. Finjan has notified German law enforcement, Ben-Itzhak said.
"It's a next generation bank Trojan," he said. "This is part of a new trend of more sophisticated Trojans designed to evade antifraud systems."
Finjan researchers were able to trace the communications from the code on an infected machine back to the command-and-control server, which was left unsecured, according to Ben-Itzhak. On that server, they saw the LuckySploit administration console and were able to see exactly what types of rules the Trojan was written to follow and statistics on victims.
About 90,000 computers visited the sites housing the malware and 6,400 of them were infected, a 7.5 percent success rate, he said. Of those whose computers installed the Trojan, a few hundred had money stolen from their bank accounts, he said.
During the span of 22 days in mid-August, the criminals behind the Trojan stole the euro equivalent of nearly $438,000.
The Trojan code includes detailed instructions on how the Trojan should calculate the amount to steal from a victim's bank account.
(Credit: Finjan)Here's how the Trojan works:
Potential victims get their computers infected either by opening an e-mail and clicking on a link to a Web site created to distribute malware or by visiting a site that has been compromised and malware hidden on it.
In this case the malware, a toolkit called LuckySploit, exploits a known security hole in the browser, and installs the Trojan on the computer. When the Trojan notices the computer user visiting the site of a targeted bank it springs into action.
While the computer user goes about his or her business on the site, the Trojan looks at the available balance and figures out how much money to steal. The Trojan is given a minimum and a maximum range that is below the amount that triggers antifraud systems and to leave a certain percentage in the account, Ben-Itzhak said.
After performing the calculation, the Trojan then makes the transaction, communicating with the bank site through the browser without the computer user knowing.
"The Trojan is sending requests to the bank and getting replies that your browser doesn't display," Ben-Itzhak said. "You are looking at your account and you don't see any of it."
A Finjan blog post describes it like this:
URLZone is a Trojan Kit that allows the attacker with the use of the 'URLZone Builder' to create a configuration file. This file contains precise orders to the bot, enabling the attacker to target any bank he wants...The URLZone successfully managed to bypass the German banks' protection using 'One Time Password.' This is a technique used to enable the user to get a new password every time he logs into his account. Its goal is to make the theft of usernames and passwords worthless. In order to be successful, the malware must execute itself on the browser to change the parameters and fool the the user to approve a fraudulent money transaction from his account...So far the malware behavior is similar to many other Trojans. However, URLZone uses the delivered configuration file to manipulate the user.
The Trojan has the money sent to the bank account of a money mule, someone who has an account set up to receive the funds. Money mules are typically people recruited online as "independent contractors" or "financial managers" whose sole purpose is to wire the money placed into their account to someone else, typically out of the country, in exchange for a commission. Because their accounts are used only once or twice, they often do not realize the ruse immediately, Ben-Itzhak said.
Meanwhile, the Trojan hides the theft by erasing it from the report of account activity displayed to the computer user and shows a fake balance--what the amount would be if not for the theft. The victim will not notice something is wrong until a different, uncompromised computer is used to access the account, an ATM is used, or a transaction is denied because of insufficient funds.
The Trojan also keeps a log of the victim's bank account log in credentials, takes screenshots, and snoops on the user's other Web accounts, such as PayPal, Facebook, and Gmail, according to the Finjan report.
This is the first Trojan Finjan has come across that hijacks a victim's browser session, steals the money while the victim is doing online banking, and then covers its tracks by modifying information displayed to the victim, all in real time, Ben-Itzhak said.
People should keep their antivirus, operating system, browser and other software up to date to protect against this type of attack, he said.
Updated 5:30 a.m. PDT to specify that the Trojan targets Firefox, Internet Explorer 6, IE7, IE8, and Opera, that is different from previous Trojans, and that it affects Windows only. Also, more technical details were added, as well as links to the report and blog post from Finjan.
Malware developers are going open source in an effort to make their malicious software more useful to fraudsters.
By giving criminal coders free access to malware that steals financial and personal details, the malicious software developers are hoping to expand the capabilities of old Trojans.
According to Candid Wüest, threat researcher with security firm Symantec, around 10 percent of the Trojan market is now open source.
The move to an open source business model is allowing criminals to add extra features to their malware.
"The advantages are that you have more people involved in developing it, so someone who is into cryptography could add a cryptographic plug-in or somebody who does video streaming could add remote streaming of the desktop," Wüest said.
Releasing Trojans as open source dates back to 1999, when the Cult of the Dead Cow group released the source code for its Trojan called Back Orifice.
More recently, the developers of the Limbo Trojan published its source code in an effort to boost take-up following a slump in its use by fraudsters.
Following its release in 2007, the Limbo Trojan became the most widely used Trojan in the world but fell from favor in 2008 after the more sophisticated Zeus Trojan was released, according to security company RSA.
There is a big cash incentive to be the dominant Trojan, with infected machines and the financial and personal details they capture worth millions of dollars on the black market. The Limbo Trojan kit was previously sold to fraudsters for $350 per time before it went open source, while the Zeus Trojan today sells for between $1,000 to $3,000.
However, head of new technologies at RSA, Uri Rivner, said the move to become open source had not reversed Limbo's decline in fortunes.
"It is a move to the same business model as that behind any open source project--to give away a basic version and sell more advanced versions, professional services or customizations.
"At the beginning of it going open source it was big news but people have since stopped investing in it.
"It is not the best Trojan any more but because it's open source you can try it as your first Trojan and it is still used in some places," he said.
Limbo's popularity continues to slump, despite numerous features in the basic version that allow criminals to add extra fields for PIN numbers into fake banking websites and capture the keystrokes and the files saved on an infected computer.
And while open source may not have boosted Limbo's fortunes, it also brings with it separate problems for the fraudsters: open sourcing code also places it in the hands of security professionals.
"If you make (the Trojan) open source, that means that a security company can find the source code and it is easier to make a general heuristic detection for it, as they know what could be in it," Symantec's Wüest said.
The majority of Trojan infections occur via drive-by downloads, where the malware is automatically downloaded after browsing an infected website, or messages sent via social networking sites that encourage people to download a Trojan masquerading as a legitimate security update, according to RSA's Rivner.
These infection methods are proving far more effective at getting Trojans onto machines than earlier techniques such as sending an e-mail with a link to an infected file or attachment.
RSA analysts say these new methods have fuelled an exponential growth in the rate of infection, with the security firm detecting 613 Trojan infections in August 2008 compared to 19,102 in August 2009.
Nick Heath of Silicon.com reports from London.
Along with keyloggers that track what you type, now we have to worry about malicious software that listens in on our voice over Internet Protocol conversations.
Gerry Egan
(Credit: Joris Evers/CNET)A Symantec security blog on Thursday disclosed a new Trojan horse, Tojan.Peskyspy "that records VoIP communications, specifically targeting Skype." The posting, based on analysis from Symantec's Karthik Selvaraj, pointed out that "its existence isn't due to any problems with Skype itself" but that Skype may have been targeted "simply because it has such a large install base."
Gerry Egan, Symantec's director of security response, says the Trojan is capable of "hooking...through some Windows APIs into some audio streams" that "can be intercepted, turned into MP3 files, and then sent over a remote channel to a remote electronic eavesdropper."
A PC can be infected through the usual channels for malware, including an executable file in an e-mail you click on and a "drive by download" that's automatically triggered when you visit an infected Web site. The most recent trend, Egan said, "is a shift toward socially engineered attacks like a fake video site."
The code has been published on the Web by a Swiss researcher, Egan said, adding that "we've not seen any indications of it being used maliciously, but the published code opens up endless possibilities in the mind of a hacker."
The code would affect Skype or any other VoIP software on a Windows PC that uses an audio stream, Egan said.
Unlike most malware, Symantec does not anticipate the code being used to launch widespread attacks.
"To do this en masse really isn't practical," Egan said. Even if a "piece of malware gets on the machine of someone who is using (VoIP), and they are talking about interesting things, finding those interesting things among the many hundreds of thousands of hours of phone calls would be like trying to find a needle in a haystack." He said it might be more valuable in a targeted attack against a specific individual.
Eavesdropping is a risk, when it comes to industrial espionage, prying spouses or significant others, and political campaigns, as well as political dissidents. U.S. law requires a court order before a phone or a computer can be legally tapped by government or law enforcement officials.
The best way to avoid being infected with this or any other malware is to use good up-to-date security software and to be sure that your operating system and browser are updated. It's also a good idea to avoid clicking on e-mail attachments and consider using security software that warns you when you're about to visit a potentially malicious Web site.
You can listen to my interview with Gerry Egan here:
Listen now: Download today's podcast
UPDATED: Benchmarks provided by CNET Labs were added on Monday, August 24.
A new season of security suites is upon us, and Kaspersky has made improvements to its Kaspersky Internet Security and Kaspersky Anti-Virus programs that include changes indicative of where security software as an industry is leaning. Three new features along with expected upgrades to its antivirus engine keep Kaspersky competitive.
The main window of Kaspersky Internet Security 2010.
(Credit: Screenshot by Seth Rosenblatt/CNET)The full-feature suite Kaspersky Internet Security offers a complete and competitive range of security options. The new features in the 2010 edition include a behavioral-based detection system called the Urgent Detection System. The UDS utilizes the anonymous data of 10 million Kaspersky customers who choose to participate in submitting their system scans to Kaspersky's central servers for analysis. In fact, the UDS must be opted-out of--there's a check box and data collection statement to read when you install the program.
Although this might sound insidious, it's actually a smart way to leverage a huge consumer base for security purposes as long as the data remains anonymous. Symantec's Norton 2010 will contain a behavioral check, too, and what both do is look at programs installed on your computer and judge their safety based on how many people have them installed and how they behave. Among UDS's better sub-features are the ability to customize how long it takes to pass judgment on a new program and per-user configuration of the rules governing program behavior.
Even if a program has deep penetration and it starts behaving badly, Kaspersky will block it. If it's an unknown, Kaspersky will treat it skeptically, monitoring and restricting the program until it has been proven safe. The Vulnerability Scan option, available under the Scan tab, utilizes tech from Secunia to determine which programs are potential security risks because they lack recent updates or patches. For programs that may not warn you that they have a pending security update, such as Adobe Flash, having this tool baked-in could be exceptionally useful.
... Read more
A Twitter account can be used as the command center for harnessing a "botnet" of virus-infected computers, security firms Arbor Networks and Symantec reported. In a blog post Friday, Symantec analyst Peter Coogan wrote that researchers found an account, @upd4t3, which was tweeting out links to download a piece malware called Downloader.Sninfs. The account has since been suspended by Twitter.
Downloader.Sninfs, also known as Infostealer.Bancos, is a Trojan that uses the guise of a Brazilian banking site to collects passwords and related personal information from infected computers.
Security on Twitter is front and center right now, as the microblogging site was completely downed by a distributed denial-of-service attack last week that was targeting a Georgian political blogger. While other services like Facebook and the Google-owned Blogger were also hit by the attack, Twitter was the only one to suffer a full-out, hours-long outage, and it called into question just how secure the service really is.
But in this case, the Twittering botnet doesn't necessarily highlight a vulnerability that would be unique to Twitter.
"Although Twitter.com has been used in this instance, there are plenty of alternative sites on the Internet that could also be used as a similar medium of communication," Coogan wrote.
This post was updated at 1:05 p.m. PDT to note that Arbor Networks also reported the Twitter-based botnet.
