Fake Bank of America survey harvests your credentials

July 29th, 2010

You may have received the following email recently (click to enlarge):

Some of the text reads:

“Recently you received an e-mail inviting you to participate in a Web-based survey from Bank of America. If you have not already taken the opportunity to access the survey, we again invite you to provide your opinions. The survey is about the ATM transaction that you, or someone in your household, made recently.”

In order to complete the so-called survey, you are asked to log in to your bank account:

Of course, this is a phishing site and your credentials will be stolen.

The page is hosted at:

user27336.vs.easily.co.uk/bankofamerica/signon.php?section=signinpage&update=&cookiecheck=yes&destination=nba/signin

Surveys, negative balances, account updates… be aware that these are probably all scams!

Jerome Segura

Posted in Phishing

Data leakage: how protected are you?

July 29th, 2010

You’ve probably heard it on the news: war intelligence documents (also known as the Afghan Diaries) were leaked on the popular whistle-blower site WikiLeaks.

The documents show some embarrassing (to say the least) facts that were not publicly known and that will certainly cause more hatred towards the US.

While WikiLeaks says it doesn’t know the source of the data, rumors have been circulating that point the finger at a former US Army intelligence man.

The fact that almost everything is recorded digitally one way or another makes data leakage a bigger risk than before. It used to be that top-secret documents were stored in a safe somewhere, and you’d have to physically be present with a key to get them. But when all computers are connected to one another and information can circulate very fast, it is much easier to intercept and publish it.

Each company or government body has to trust its employees (that’s what background and criminal checks are for). But employees are only human, and subject to bribes or other unwanted behaviours. A lot of companies do not enforce strict enough user access control policies, leaving precious documents exposed to anybody (even an intern) who has access to the corporate network.

Back when I was in university, I remember a bunch of us doing some recon on the network. It was the beginning of the year and we were just getting settled. Well, so were the teachers… We found the previous year’s tests with answers in a zipped document, somewhere that you wouldn’t think of looking. Whether that was a mistake or not, the file was promptly burned on a CD and stored securely.

With sensitive data, you just can’t take a chance. Here are some tips to prevent data leakage:

- Map out where you store your documents. Is the same document in multiple places? Then do not share this map with anyone but the people who need to know.

- Control user access for different locations. Again, give very restricted access to people.

- In case you suspect a dangerous behaviour or that an employee is going south, immediately revoke her rights.

- Regularly go through your data: Should some of it be discarded, moved or archived permanently?

- Encrypt sensitive data with a limited number of keys. Even if the data is leaked, it’s unreadable unless you have the key.

- Enforce strict policies for employee laptops. For example: make sure that all laptops are encrypted in case they get lost or stolen.

You may see other tips advising you to disable USB ports, remove CD/DVD-RW drives, block webmail, etc. Although they make sense, doing so can reduce employees’ productivity and in many cases is not practical.

Your best bet is knowing what you have and protecting it well.

Jerome Segura

Posted in Debates

McAfee Phishing scam delivers rogueware

July 28th, 2010

Beware of this phishing scam hitting your inbox:

Download a FREE 30-day Trial of MCAfee VirusScan Plus and Be Automaticaly Entered to Win Installation file attached

The attached file is a Trojan that will infect your computer. We tested it for you in our lab:

Upon execution, the file downloads a binary from:

httpconfig.com/getfile.php?r=-233192095&p=TUFDSElORT0xM0UzN0IwRjRBNTAxQzRCRURBNDlFQTRCNEI1QkI0RQ0KT1A9RklMRQ0KVFJLPTI0DQo=

Very soon after, you will see a fake AV scan called Desktop Security 2010:

It will detect all sorts of bogus infections:

from files it created itself:

Then the program wants to bill your credit card for a whopping $89.95:

If you decline, most programs on your computer will stop working and you will receive reminders or special promotions:

The domain name associated with that rogue is desktopsecurity2010ltd.com, where Desktop Security 2010 can also be downloaded (www.desktopsecurity2010ltd.com/security.exe).

But this version is different; in fact, it is the ‘non-aggressive’ version, which detects 0 threats!

Why do they do that? Well, from a legal point of view, a lot of people are going to complain about this application. The scammers can then turn around and pretend it is clean and point to the program they host on their website. They can also say that other versions of the program were not made by them.

This is a cheap way of trying to get away with fraud, and we’re not going to fall for it.

Let’s compare the two versions:

Trojanized version:

‘Clean’ version:

Both files are encrypted with the Morphine packer. While it makes sense for a malicious file to be packed with a well-known packer, there is no reason why a legitimate company would do that.
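Whether a file is packed or encrypted is something an analyst can estimate before identifying the packer: compressed or encrypted code looks close to random, so its byte entropy approaches 8 bits per byte, while plain code and text sit well below that. The following is an added example, not code from the post or from ParetoLogic's lab; the three sample blobs are constructed stand-ins, not bytes from the Desktop Security 2010 files, and the 7.0-bit threshold is an assumed rule of thumb.

```python
import math
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 when all 256 values are equally common."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def is_likely_packed(data, threshold=7.0):
    """Flag a blob whose entropy is close to random; packed or encrypted code usually sits above ~7 bits."""
    return shannon_entropy(data) >= threshold


# Constructed samples standing in for file contents (not bytes from the files discussed above).
PLAIN_TEXT = b"Desktop Security 2010 found 0 threats. Thank you for using our product.\n" * 16
ZERO_FILLED = b"\x00" * 1024                 # padding-like region: no information at all
UNIFORM_BYTES = bytes(range(256)) * 4        # every byte value equally often: maximal entropy


def classify_samples():
    """Return {name: (entropy rounded to 2 places, flagged?)} for the constructed samples."""
    samples = [("plain_text", PLAIN_TEXT), ("zero_filled", ZERO_FILLED), ("uniform_bytes", UNIFORM_BYTES)]
    return {name: (round(shannon_entropy(blob), 2), is_likely_packed(blob)) for name, blob in samples}


if __name__ == "__main__":
    for name, (bits, flagged) in classify_samples().items():
        print(f"{name:14s} {bits:5.2f} bits/byte  {'LIKELY PACKED' if flagged else 'plain'}")
```

Entropy is a heuristic, not proof: a legitimate installer that embeds a compressed archive will also score high, which is why analysts measure it per PE section rather than over the whole file and combine it with other signals such as the packer signature itself.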

At almost $90 a pop, this bogus company is going to make a lot of money… but only for so long before they get caught.

Jerome Segura

Posted in Phishing, Rogue software

Macromedia ghost still lurking?

July 26th, 2010

Looking at the exploits detected by our HoneyPot today I stumbled upon this one (warning: live malware!!!):

macromediasetup.com/zombie/load.php?f=1&e=4

If you browse to the main domain, you are redirected to adobe.com. Logical, isn’t it? After all, Macromedia was bought out by Adobe in 2005. So you could say that Macromedia is kind of a zombie…

The domain is registered to:

Registrant:
PrivacyProtect.org
Domain Admin        ()
P.O. Box 97
Note – All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

That particular URL is a drive-by download that will infect your PC with Rogueware:

Since the file is quite new, detection isn’t very good yet: VirusTotal (9/42).

Upon infecting your PC, a couple more files are downloaded from:

85.234.191.111/bat.exe
188.65.74.161/hiro_esrhohlshgaqwagj.exe

So don’t get fooled, macromediasetup.com is no place to go!
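Both this post and the Bank of America survey post above show the same lure pattern: a well-known brand name sits in the URL, but the domain that actually serves the page belongs to someone else (bankofamerica in the path of a easily.co.uk host; macromedia inside macromediasetup.com). The script below is an added example, not a ParetoLogic tool, that turns that observation into a check a mail or proxy filter can run. The brand allowlist and the short list of two-label public suffixes are assumptions standing in for a real brand database and the full Public Suffix List; the two lure URLs are the ones quoted in these posts and the third is a constructed legitimate URL.

```python
from urllib.parse import urlsplit

# Assumed allowlist: which registrable domains may legitimately carry each brand keyword.
# Constructed for this example; a real deployment would maintain a much larger list.
BRAND_ALLOWLIST = {
    "bankofamerica": {"bankofamerica.com"},
    "macromedia": {"macromedia.com", "adobe.com"},
}

# Handful of two-label public suffixes so that host.easily.co.uk reduces to easily.co.uk.
# Assumption: a stand-in for the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "co.tv", "com.au", "co.jp"}

# URLs from the two posts plus one constructed legitimate sign-in URL for contrast.
SAMPLE_URLS = [
    "user27336.vs.easily.co.uk/bankofamerica/signon.php?section=signinpage&update=&cookiecheck=yes&destination=nba/signin",
    "macromediasetup.com/zombie/load.php?f=1&e=4",
    "https://www.bankofamerica.com/signin",
]


def registrable_domain(host):
    """Return the part of the hostname the registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_abuse(url):
    """Return (brand, where, registrable_domain) for every brand keyword that appears in the
    hostname or path/query of a URL whose registrable domain is not on that brand's allowlist."""
    if "://" not in url:
        url = "http://" + url          # bare URLs, as they appear in lures and proxy logs
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    owner = registrable_domain(host)
    path_and_query = (parts.path + "?" + parts.query).lower()
    findings = []
    for brand, legit_domains in BRAND_ALLOWLIST.items():
        if owner in legit_domains:
            continue                   # the brand's own site: nothing to flag
        if brand in host:
            findings.append((brand, "host", owner))
        elif brand in path_and_query:
            findings.append((brand, "path", owner))
    return findings


def scan(urls):
    """Map each URL to its findings; an empty list means no brand keyword on a foreign domain."""
    return {url: brand_abuse(url) for url in urls}


if __name__ == "__main__":
    for url, hits in scan(SAMPLE_URLS).items():
        verdict = "; ".join(f"'{b}' in {where} but served by {owner}" for b, where, owner in hits) or "ok"
        print(f"{url}\n    -> {verdict}")
```

The check deliberately ignores where the brand keyword appears and only asks who owns the serving domain, which is the one thing the phisher cannot fake. Its weak spot is the suffix list: with a truncated one, a host under a suffix you do not know about collapses to the wrong registrable domain, so a production filter should use the real Public Suffix List.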

Jerome Segura

Posted in Exploits, Rogue software

Shortcut Exploit: All Windows machines doomed?

July 26th, 2010

The August 2010 edition of PCWorld (printed before the big kerfuffle) was on my desk this morning, and I couldn’t help but smile at the cover:

Well, more particularly this:

55 sneaky shortcuts and undocumented workarounds? Could the editors have had a crystal ball to see the future in malware? ;-)

The new Windows zero-day LNK shortcut exploit certainly is sneaky… and what about those workarounds, not so clean-cut eh? ;-)

Let’s review what the buzz is all about:

Mid-July, researchers from VirusBlokAda, an AV company from Belarus, warned of a new zero-day exploit taking advantage of Windows shortcut files. The threat was said to propagate through USB storage devices, and the payload was specifically targeting Siemens SCADA software (such software is used to control power plants and other large infrastructure). The obvious thought was that this attack was very focused, and possibly an act of cyber terrorism.

Over the last week we learned more about the LNK exploit, with Microsoft releasing a Security Advisory (CVE-2010-2568).

“When attempting to load the icon of a shortcut, the Windows Shell does not correctly validate specific parameters of the shortcut.”

“This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts.”

The exploit affects all supported versions of Microsoft Windows:

What is so special about this exploit is that it does not require the user to do anything, and it will work even if AutoRun or AutoPlay is disabled.

Microsoft published a workaround to mitigate the exploit, which involves modifying your registry. As many people are not too registry-savvy, they then released a free tool that does the same thing:

Although we can applaud Microsoft for providing users with temporary relief, this workaround will change your regular shortcut icons to blank icons.

I understand that security and protecting its user base is the number one concern, but at the same time I can’t help but feel this looks a little amateurish and will cause a lot of frustration!

While the exploit was getting more publicity, we have seen the bad guys seize the opportunity to use it as a new vehicle to distribute their payload. A solid anti-virus with real-time protection can catch malware spread using this flaw.

We don’t see core operating system zero-day vulnerabilities every day; usually the flaws involve the browser or other plugins. I’m curious to know how long this LNK flaw had been used in the wild before it got uncovered. Criminals would want to keep this kind of juicy exploit to themselves for as long as they can, especially if they intend to conduct cyber espionage and the like.

If you are concerned about your PC’s security, you may want to apply Microsoft’s temporary fix and, of course, keep your anti-virus up to date as another line of defense.

Our own Anti-Virus PLUS proactively blocks malformed shortcut files exploiting this latest zero day flaw:

Jerome Segura

Posted in Exploits

The sex tape business, from a criminal’s POV

July 22nd, 2010

The Internet is used as a means to distribute a lot of different types of content to the entire planet. Not surprisingly, pornography ranks way up as the most popular searched-for item.

And in this age of Internet 2.0 and celebrity fiascoes, we have something called ‘sex tapes’, which sadly, seems to be a must-do for every celebrity wannabe.

But there is no such thing as supply and demand here; the stuff is offered for free.

Hundreds and hundreds of bogus blogspot.com blogs are built to redirect to the latest hot videos for free!

Fill them with ‘content’ for best SEO ranking:

Even under the main pic, you can see keywords inserted if you highlight them:

Oh, and how about some bogus ads too?

But mostly, don’t forget to plant the bait somewhere in there:

That ‘buffering’ is going nowhere… but instead redirects you to a fake adult website:

Curiously, there are two different links – depending where you click – but rest assured that both will infect your PC:

An annoying message will keep nagging you until you download the Adobe-Flash file:

How about that site (exclusivetube.co.tv)?

A look at the Alexa report confirms some things, such as the sites that lead to it. In SEO lingo this is called upstream:

And this next picture shows where users go after visiting the site (downstream):

Back to their search engines or back to the blog they came from (probably thinking: “what was all that about?”)

Who are these people searching for ‘sex tapes’? They are mainly American men in their late forties-early fifties:

That’s the way it goes down in the intertubes…

Jerome Segura

Posted in Fake codecs, scams

Pirated software peddled by Twitter phish

July 22nd, 2010

When it’s not Canadian Pharmacy sites, spammers like to promote ‘discounted software’.

How do they do that? Well, they send you emails that look like they are from Twitter. You may need to change your password, or check a direct message etc.

Once you click the link you are redirected to: cheapsoftwarebuy.ru

The domain is registered to:

state: REGISTERED, DELEGATED, VERIFIED
person: R01 Personal Data Operator protected

Operator protected? Fancy that!

The IP address is 123.30.184.35 and is located in Vietnam.

The merchandise sold on that site is counterfeit, but the prices may seem too good to pass up:

The same legitimate copy sold on Microsoft’s website costs three times as much:

At the end of the day, would you trust a pirated version that may contain viruses? Not to mention the fact that it may not pass the Microsoft Genuine certification test, thus preventing you from getting the latest security updates.

Also, do you really want to support criminals and pay for their fancy cars (Rogueware buys you BMWs):

Man I so want a BMW! ;-)

Jerome Segura

Posted in Phishing, scams

‘Truth about Coke’ Scam on Facebook

July 16th, 2010

This scam is making the rounds on Facebook. Hosted on www.thetruthaboutcoke.us and then on www.thetruthaboutcoke.info, the page uses viral marketing techniques to spread the word:

The bait:

In order to see this video, you must follow strict instructions:

And then comes the information gathering part:

With a survey:

By entering your phone number, you are going to receive an SMS message.

Obviously, nothing is really free in this world of scams:

“Trivia service billed at $5/week* TERMS OF SERVICE Join TriviaFunTime.com Trivia service for $ 5.00 weekly and this gives you a chance of winning…”

Facebook is the perfect vehicle for scammers: It’s free and propagation is lightning fast. Next time you’re being sent a “must see” video, use caution.

Jerome Segura

Posted in scams

Xerox Phish

July 16th, 2010

A Xerox phish has been making the rounds. More precisely, the email claims that a document sent from a Xerox machine has landed in your Inbox.

However, neither the subject nor the content of the said document is revealed.

This scam uses the Xerox template for sending documents, similar to the one below:

One thing to note is that the file is zipped, something that Xerox machines do not do. The file is in fact a Trojan that will infect your PC with FakeAV scareware.

Jerome Segura

Posted in Phishing

All your torrents are belong to us

July 15th, 2010

I was analyzing some of the latest Fake AV files, namely video-plugin.45309.exe, on Windows 7 for a change. A lot of malware does not run properly on Microsoft’s latest operating system, and this one kind of crashed but somehow still managed to deliver some of its payload.

This Trojan blocks access to the most popular torrent sites:

Rogueware makers have always tried to frustrate users, either by hijacking their desktop or by bombarding them with pop-ups, so blocking torrent sites makes sense. Seeing that porn sites also have very high traffic, can we imagine the bad guys taking those away as well?

Jerome Segura

Posted in Fake codecs

Jerome Segura is a Security Researcher at ParetoLogic.


© 2010 ParetoLogic Inc.