Eugene Kaspersky once told a competitor to his face: "I will eat you."
Eugene Kaspersky
(Credit: Kaspersky Lab)
The co-founder and CEO of Kaspersky Lab was certainly not into cannibalism, but was hell-bent on winning over the majority market share his competitor had in the company's base in Russia.
That was in 1995, the year Windows 95 was launched. Contrary to Kaspersky's strategy to develop new software optimized for the Microsoft operating system, its domestic rival saw no need to do so. Today, Kaspersky has the pleasure of saying he had the last laugh since his company is now the market leader in Russia while its competitor has less than 1 percent share.
In Singapore this week for an Interpol conference and customer and media meetings, the 44-year-old Russian spoke candidly in an interview with ZDNet Asia about the security strategy of Microsoft, how cybercrime should be combated, and why an Internet "passport" would be a good idea.
Read more in a Q&A with Kaspersky at "Microsoft OneCare was 'good enough'" on ZDNet Asia.
A rise in malware has caused the number of infected PCs worldwide to increase 15 percent just from August to September, says a report released Tuesday from antivirus vendor Panda Security.
Across the globe, the average number of PCs hit by malware now stands around 59 percent, an all-time high for the year. Among 29 countries tracked, the U.S. ranked ninth with slightly more than 58 percent of its PCs infected. Taiwan hit first place with an infection ratio of 69 percent, while Norway came in lowest with only 39 percent of its PCs attacked by malware.
(Credit: Panda Security)
The study found that in the U.S., Trojans and Adware were the two most pernicious types of malware, followed by worms and viruses.
(Credit: Panda Security)
"This is a clear sign that hackers are becoming more and more sophisticated," said PandaLabs Technical Director Luis Corrons. "Cybercriminals have found new ways to spread their creations, frequently exploiting the latest news stories to launch attacks through social networks, videos, and e-mail. The huge amount of Trojans in circulation is due to the spectacular increase in the number of banker Trojans aimed at stealing user data."
The company based its results on data taken from users who scanned their PCs with the free Panda ActiveScan online tool. The results for September were gathered from August 28 to September 28 and compared with the results from July 28 to August 27.
Cybercrime fighter Eugene Kaspersky can't help but be impressed by the slick operations behind the Conficker botnet, and says that it could have been worse had the botnet been after more than just money.
"They are high-end engineers who write code in a good way," Kaspersky told ZDNet.com.au Wednesday. "They use cryptographic systems in the right way, they don't make mistakes--they are really professional."
Kaspersky says he's "60 percent certain" that Conficker is being controlled from the Ukraine, but can't be certain. And while the threat posed by Conficker seems serious enough, Kaspersky says, "It could be worse. We are lucky they are just cybercriminals looking to make money and not worse than that."
The unknown threat posed by Conficker, which hit 10 million Windows machines prior to the suspected D-Day of April 1, prompted a coordinated response. Kaspersky, Symantec, Microsoft, the Internet Corporation for Assigned Names and Numbers (ICANN), and the Federal Bureau of Investigations' Cyber Division, among others, began a campaign to frustrate Conficker's attempt to download a software update.
One reason for ICANN's involvement, according to its CEO and president Paul Twomey, was that Conficker was targeting the Internet's Domain Name Service layer, which is equivalent to the address book of the Internet.
During a keynote delivered at the AusCERT 2009 conference held on the Gold Coast this week, Twomey noted the change in tack by botnet operators. "The application layer has typically been used as the attack vector, but we are beginning to see the DNS resolution used as the command and control," said Twomey.
Conficker is the current darling of the Internet's dark side, preceded by others such as Storm, and spam-machine McColo. But all botnets maintain an edge over their various opponents: they are centrally controlled, "located" potentially anywhere, generally don't rely on third-parties, and are free of regulations.
Botnet operators in Russia, however, have started to cooperate with each other, according to Dmitry Levashev and Ruslan Stoyanov, network security experts from Russian ISP RTComm.ru. At the AusCERT 2009 conference, via a translator, the two gave a sobering account of what lies ahead for Australia in the next three years.
"The different botnets work in cooperation. One would say, 'I'm just a bot herder, I don't care about money laundering.' Or 'I do fraud, we just do our own task.' So, one is doing spam, like advertising services, and another is doing money laundering. It's like a manufacturing business," they said.
Such cooperation indeed appears to have occurred when Conficker adopted the Waledac virus, previously used by the Storm botnet as a mechanism to self-propagate.
Meanwhile, the group working to frustrate Conficker's attempt to complete a software upgrade on April Fools' Day fought to coordinate themselves. While ICANN was responsible for coordinating Top Level Domains, Microsoft pushed out patches to non-pirated versions of Windows.
Kaspersky says of his company's role that they had found Conficker was using an algorithm to generate random URLs that it would target in order to download updates to its malware.
"The worm used an algorithm which generated a list of domains. Every day it produced a new list. It looked for these URLs, and if they were online, the worm was designed to download upgrades from the URL. The initial version of the 10 million machine botnet would just wait and download. That's why we were really scared on April Fools' Day. We didn't know what was going to happen."
The group was able to exploit that algorithm and second guess the URLs that would be targeted, and block requests to those URLs. But, says Kaspersky, it was only partially successful.
"We blocked all the URL names which the worm was going to generate. It's an algorithm, so we generated all these URLs and registered these domain names, except ones which were already owned by someone. And because of that--the domain names not owned by those in this process--the Conficker authors managed to take control of one of these domains and upgraded the worm. That was scary," he said.
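To make the precomputation Kaspersky describes concrete, here is an added example, not code from the page, from Kaspersky Lab or from the Conficker working group: a hypothetical date-seeded generator stands in for the worm's (unpublished here) algorithm, a coverage check reports the day's names that a third party already owns, and a scan of constructed resolver log lines flags clients that queried names on the day's list.

```python
"""Illustrative defender-side model of the Conficker response described above.
The generator below is a constructed stand-in, NOT Conficker's real algorithm."""
import hashlib
from datetime import date

# Constructed, illustrative TLD set and seed for the hypothetical generator.
TLDS = ("com", "net", "org")
SEED = b"illustrative-seed"


def daily_domains(day, count=20):
    """Hypothetical DGA: derive `count` domain names deterministically from the date.
    Anyone who knows the algorithm (the authors, or defenders who reverse engineered
    the sample) can compute the same list before the day arrives."""
    names = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        names.append("%s.%s" % (label, TLDS[digest[8] % len(TLDS)]))
    return names


def coverage_gap(domains, already_registered):
    """Return the day's domains the defenders could not register because
    someone else already owns them; this is the gap the authors slipped through."""
    return sorted(set(domains) & set(already_registered))


def flag_queries(log_lines, watchlist):
    """Scan resolver log lines of the form '<timestamp> <client> <qname>' and
    return (client, qname) pairs whose qname is on the day's watchlist."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than raising
        _ts, client, qname = parts
        if qname.lower().rstrip(".") in watchlist:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    today = daily_domains(date(2009, 4, 1))
    # Constructed: pretend the fourth name was already taken by a third party.
    taken = [today[3], "example.com"]
    print("unregisterable:", coverage_gap(today, taken))
    # Constructed resolver log lines.
    logs = [
        "2009-04-01T00:01 10.0.0.5 %s." % today[0],
        "2009-04-01T00:02 10.0.0.6 example.org",
    ]
    print("queried watchlisted names:", flag_queries(logs, set(today)))
```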
ICANN's Twomey insisted the group's efforts against Conficker proved that key Internet players, such as Top Level Domain registrants, are capable of coordinating a response to such threats. Still, the Conficker response was the exception and not the rule.
It wasn't the first time a botnet operator has attempted to compromise DNS servers to magnify its capacity to add to its army.
At an ICANN conference held in Mexico in March this year, Rod Rasmussen, chief technology officer of phishing take-down firm Internet Identity, showed evidence of a recent nine-hour attack on CheckFree, an online bill payment provider to 22 U.S. financial institutions, which resulted in a two-day shut-down of affected online services and an estimated 10,000 infections over 48 hours.
"Somebody came in and took over CheckFree's domain name portfolio at their registrar. They changed the DNS servers for those domains and pointed...basically every host name that would resolve under their domain names to a malware server that was in the Ukraine. Anybody who tried to go to CheckFree.com or any of their other domain names was redirected, instead, to a malware server and was exposed to getting a malware download on their computer," Rasmussen said.
In a similar vein to the attack on CheckFree, hackers targeted MelbourneIT's New Zealand subsidiary, Domainz. The hackers, who appeared to be politically motivated, defaced Coca-Cola, Microsoft, Xerox, and F-Secure's Web sites by injecting name server records for the domains in question by compromising Domainz' infrastructure. It didn't knock out critical national infrastructure, but it was able to take down several large companies' websites for a few days.
Kaspersky says, "It's a major example of their Internet weapon, because the bad guys can use a botnet this size, not just for commercial interests, but other interest also."
He insists, "I don't admire them," yet there is an undeniable sense of respect he conveys.
Originally published at ZDNet Australia.
An attacker tried to extort $10 million after breaking into a Virginia state Web site used to track prescription drug abuse and allegedly holding the data hostage, according to a posting on the Wikileaks Web site.
The ransom message on the Virginia Prescription Monitoring Program site read:
"I have your [expletive]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password."
The site, which was broken into late last week, was not accessible late on Monday.
Sandra Whitley Ryals, director of Virginia's Department of Health Professions, told The Washington Post that a criminal investigation is under way by federal and state authorities. An FBI spokesman declined to comment.
Is your computer acting funny? Are you worried that you may have visited a malicious Web site or opened an e-mail attachment with malware?
Instead of worrying about it you can now go to a new Web site McAfee is launching on Tuesday that is designed to help computer users figure out if they have legitimate reason to be concerned.
The new Cybercrime Response Unit offers a forensic scanning tool that checks for malware on the computer and cookies left by suspicious Web sites to help determine if the machine has been compromised. A toll-free number is available for people whose scan results are worrisome.
I gave it a test run and decided to have my mother try it out too. The home page is full of information and links related to McAfee's cybercrime strategy and it's not immediately clear where to go. There is a link to "Cybercrime Response Unit" at the top, along with other links and at the bottom, but if you don't know the name of the help center it wouldn't be readily apparent that that is what you are looking for. It would be nice to have a special box prominently placed that says something like "To find out if your machine is at risk, click here."
The prompts thereafter are straightforward. The main Cybercrime Response Unit page explains that the site will help determine the likelihood that the computer or a user's habits may be linked to fraudulent activities, guide victims to the financial institutions and creditors to clear up any fraudulent activity, and report any crime to law enforcement. There's also a five-minute video explaining what the site is about.
If visitors feel they may have been victimized by cybercrime, they can click through to a page that contains a series of questions that will be used to determine the level of risk. They are asked whether there are unexplained charges or suspicious activity on any financial accounts or other indications of identity fraud and whether the computer is running more slowly than usual, displaying pop-up ads, or having difficulty shutting down or starting up.
There are also questions about user behavior, including whether the visitor responded to an e-mail or Web site request for personal information that may have been a scam, whether an e-mail attachment was opened that could have been malicious, and whether the computer was lost or stolen.
The visitor is then prompted to run the McAfee Cybercrime Scanner. However, the tool does not run on Firefox so my mother and I both had to open Internet Explorer and start the process over. (McAfee says the Firefox version is coming but could not provide a time frame.) The scanner looks for unwanted processes or unauthorized programs running on the computer, visits to known malicious Web sites, unauthorized connections to the computer, unauthorized modifications to the computer protections, security sessions or browser and other unauthorized activity.
Results from my scan revealed that I had cookies on my system from visiting a malicious Web site.
(Credit: McAfee)
It took less than five minutes to scan my mother's home PC and close to 15 minutes to scan my office PC. The outcomes were similar. My machine was found to have cookies from one suspicious domain, which it listed and recognized as high risk. I did not recognize the site and couldn't find it in Google either. My mother's machine had cookies from two other suspicious domains, one of which was deemed high risk and the other medium risk.
The site said we were both at high risk of being victims of cybercrime or fraud and recommended that we place fraud alerts with credit reporting agencies and report signs of potential fraud. It also suggested that we install McAfee's SiteAdvisor, a free antiphishing toolbar.
That is all good advice, although I wasn't ready to place a fraud alert based just on the fact that I had visited one potentially malicious site when my machine is loaded with up-to-date antivirus and other security software.
"Many of these sites that trigger red flags host malicious software and you could have downloaded a keylogger or other malicious software on the PC," McAfee cybercrime strategist Pamela Warren said in an interview.
"If you have the latest virus definitions, 9 times out of 10 you're going to be safe," she said. "I'd rather be proactive in terms of seeking a fraud alert now versus rebuilding six months of my life and getting my credit history back in check."
I called the toll-free number to see what they would say. A gentleman with a Spanish name but speaking excellent English answered and asked for my session ID so he could see the results of my scan. Then he explained that I may have been exposed to a malicious Web site from surfing. He said the results don't mean my machine is infected or has been compromised, but said I should use SiteAdvisor to help protect the computer from malicious sites in the future.
Neither my mother nor I were alarmed but I urged her to go ahead and install SiteAdvisor and place a fraud alert, just in case.
Given how many people still get hit with worms and other malware and tricked into providing sensitive information on phishing sites, it's clear that the best way to change this is through education. The McAfee Cybercrime Response Unit provides the electronic equivalent of hand holding for consumers as they try to figure out whether they have been victimized and what to do if they have been.
After using the site, my mother has a better handle on the different types of risky behavior. As for the site design, she said she liked the fact that there were no ads or blatant marketing on the site and that it had a lot of useful information, such as links to other resources and detailed steps to take to report financial fraud or a crime and tips on best practices for things like protecting your computer and using social networking sites.
"If I had taken the time to read more (of the information on the site) I would have learned more," she said.
McAfee's Cybercrime Scanner makes recommendations based on a light scan of a computer.
(Credit: McAfee)
It costs $6.6 million on average when an organization suffers a data breach, and more than $200 per compromised record, according to a survey conducted by the Ponemon Institute that's due to be released on Monday.
The report, sponsored by PGP Corp., examined the costs incurred by 43 organizations that experienced a data breach. Breaches ranged as high as 113,000 records and the average total cost per company ranged from more than $613,000 per breach to nearly $32 million.
Most of the cost is due to lost business, which averaged nearly $4.6 million, the report found.
Forty-four percent of the organizations surveyed reported a breach by a third party, such as a contractor or outsourcer, and more than 88 percent of all cases this year involved incidents resulting from insider negligence, according to the study.
Last week McAfee estimated that cybercrime costs corporations $1 trillion globally each year.
Amid the global downturn in the economy, cybercriminals appear to be winning the war against law enforcement. That's the sobering conclusion drawn by a panel of experts in a report from McAfee released Tuesday.
"We saw the cybercriminals take advantage of economic messaging very, very quickly," said Dave Marcus, director of security research and communications for McAfee Avert Labs. He said cybercriminals are cashing in on consumer anxiety, particularly around the holidays and noted that as more and more people go online looking for better deals, criminals are preying on their inexperience in order to lure them to bogus sites and old-fashioned "get rich quick" scams.
In the last 12 months the volume of malware has risen dramatically, according to McAfee.
(Credit: McAfee)
One scam involves online job seekers responding to ads for "international sales representatives" or "shipping managers" being recruited as "cybermules" to launder the cybercriminal profits. "It's not a 'mule' in the traditional drug sense, where they're carrying drugs across the country or across a border," Marcus said, "but they are ultimately lured into what they think is like an Internet sales marketer or an Internet sales manager position." In reality they are laundering funds, putting it through additional hands, so that law enforcement has a few more obstacles in their path toward finding the thieves themselves.
Marcus recommends online job seekers go to legitimate job finding sites such as Monster.com rather than respond to Google ads.
Unfortunately, we're on our own, he said. As governments begin to focus on internal economic hardships, the fight against cybercrime slips further in funding and support. McAfee predicts that in the fourth quarter of 2008 cybercrime will continue to escalate in severity.
Once again, McAfee found that there is a shortage of computer specialists in law enforcement. And those who are specially trained are often hired away to high-salaried jobs at private companies. Those who remain in law enforcement are often bound by national borders, said Marcus, with international jurisdictional disputes further slowing online investigations.
The McAfee report said Russia and China remain the largest safe havens for cybercriminals, while Brazil and Moldova have become the fastest-growing countries to be most often blamed for cybercrime.
Europe is getting a cybercrime alert system as part of a European Union drive to fight online criminals.
According to plans, European law enforcement body Europol will receive 300,000 euros ($386,430) to build an alert system that pools reports of cybercrime, such as online identification and financial theft, from across the 27 member states.
Police will launch more remote searches of suspects' hard drives over the Internet, as well as cyberpatrols to spot and track illegal activity, under the strategy adopted by the European Union's council of ministers Thursday.
The strategy, a blueprint for fighting cybercrime in the EU over the next five years, also introduces measures to encourage businesses and police to share information on investigations and cybercrime trends.
"The strategy encourages the much-needed operational cooperation and information exchange between the member states," said Jacques Barrot, vice president of the European Commission. "If the strategy is to make the fight against cybercrime more efficient, all stakeholders have to be fully committed to its implementation. We are ready to support them, also financially, in their efforts."
Plans for the EU alert system follow the recent establishment of the Police Central E-crime Unit and National Fraud Strategic Authority, which aim to fight cybercrime in the United Kingdom.
Nick Heath of Silicon.com reported from London.
Screenshot of IRC discussion between people buying and selling tools for cybercrime.
(Credit: Symantec)
Did you know that you can buy a keystroke logger for $23 or pay $10 to have someone host your phishing scam? Having a botnet at your fingertips will cost you $225, and a tool that exploits a vulnerability on a banking site averages $740 and runs as high as $3,000.
That's according to the Symantec Report on the Internet Underground Economy due to be released Monday.
Symantec researchers spent a year observing the chat among cybercriminals on IRC channels and forums on the Internet between July 1, 2007 and June 30, 2008 and were able to piece together a veritable menu of malicious code, as well as dig up detailed information on the exchange of highly prized financial information.
For example, credit card information accounted for more than 30 percent of all of the types of goods and services sold and was the most requested category. Bank account credentials were the most commonly advertised thing for sale on underground economy servers monitored by Symantec, with prices ranging from $10 to $1,000 depending on the balance and location of the account.
This is a lucrative business, Symantec has discovered. If the sellers were able to sell everything they were offering, the amount would reach more than $275 million. That represents just the sales amount. Factoring in the emptying of victims' accounts and maxing out credit cards, the potential worth of credit card information and bank credentials for sale would be $7 billion, the report estimates.
The report also studied trends in software piracy, with researchers monitoring those sales between July and September of this year. The most pirated software was found to be desktop games, followed by utility applications and then multimedia software, such as photo editors, 3D animation, and HTML editors.
There is some interesting geographical data as well. Most of the people uploading pirated software to be sold were in the United States, the report found. The U.S. was home to most of the underground economy servers (41 percent), followed by Romania (13 percent), and as a region North America had the largest number of underground economy servers.
Meanwhile, cybercriminals in Russia and Eastern Europe appear to be more organized than their counterparts in North America, who are "often made up of acquaintances who have met in online forums and/or IRC channels," the report says.
"The big picture is this system is highly self-sustaining. You can buy the attack tool kit, use it to steal information and sell that information to others in the economy," Zulfikar Ramzan, technical director of Symantec Test and Response, said in an interview. "You don't need to have expertise in every area of cybercrime. You can have expertise in just one area and with others, form a supply chain to make money."
The report joins a growing list of research devoted to the organization and sophistication of the cyber underground. Affinion Group, as well as McAfee and Finjan, monitor such underground marketplaces. RSA discovered that data from 550,000 online bank accounts and credit card accounts was stolen with the aid of one Trojan, and has done research on the "Internet Fraud Chain."
This table shows the sales price and estimated value of pirated software sold on underground economy servers monitored by Symantec.
(Credit: Symantec)
Updated Nov. 24 with Symantec researcher comment and background on other research.
RSA FraudAction Research Lab has discovered log-in information for about 300,000 online bank accounts and 250,000 credit and debit card accounts that have been gathered by a cybercrime gang over the past three years using the Sinowal Trojan.
"This may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters," according to a blog entry posted Friday from RSA, EMC's security unit.
The Sinowal Trojan infects computers without the owner knowing it by surreptitiously planting itself onto the computer while the owner is Web surfing, in an attack dubbed a "drive-by download."
The malicious code is typically hidden on an unfamiliar Web site, often related to porn or gambling, but can also be found lurking on legitimate Web sites, says Sean Brady, manager of identity protection at RSA.
The Trojan is programmed to execute when the victim visits a particular banking or financial Web site; it is triggered by more than 2,700 specific URLs, according to RSA. The malware then inserts additional fields into the victim's browser prompting the victim to type in information such as PIN and Social Security number, which the Web site itself does not ask for.
This chart shows the rate at which the Sinowal Trojan has been compromising online bank accounts since early 2006.
(Credit: RSA)
The company has alerted law enforcement and has provided the compromised account information to the financial institutions involved, Brady said in an interview on Thursday.
"This could be a wake up call for institutions and end users who have ignored the fact that Trojans are out there," he said.
The Sinowal Trojan has had ties to the identity theft organization known as Russian Business Network, but the hosting facilities of the malware appear to no longer be connected to that group, according to RSA.
"Only rarely do we come across crimeware that has been continually stealing and collecting personal information and payment card data, and compromising bank accounts as far back as 2006," the blog post says. "And in addition to its longevity, Sinowal has also been evolving at a dramatic pace - its rate of attacks spiked upwards from March through September of this year."