<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>The Security Blog&#187; Latest InfoSec Threat Research &amp; News | TheSecurityBlog.com</title> <atom:link href="http://www.thesecurityblog.com/feed/" rel="self" type="application/rss+xml" /><link>http://www.thesecurityblog.com</link> <description>Security Threat Research News</description> <lastBuildDate>Wed, 10 Mar 2010 20:40:45 +0000</lastBuildDate> <generator>http://wordpress.org/?v=2.9.2</generator> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <item><title>Is that a bot in your pocket – or does it just look like one?</title><link>http://www.thesecurityblog.com/2010/03/is-that-a-bot-in-your-pocket-%e2%80%93-or-does-it-just-look-like-one/</link> <comments>http://www.thesecurityblog.com/2010/03/is-that-a-bot-in-your-pocket-%e2%80%93-or-does-it-just-look-like-one/#comments</comments> <pubDate>Wed, 10 Mar 2010 20:40:45 +0000</pubDate> <dc:creator>TippingPoint</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[1]]></category> <category><![CDATA[botnets]]></category> <category><![CDATA[bots]]></category> <category><![CDATA[DVLabs]]></category> <category><![CDATA[mobots]]></category> <category><![CDATA[Network Security]]></category> <category><![CDATA[tippingpoint]]></category><guid
isPermaLink="false">http://tippingpointblog.com/?p=59</guid> <description><![CDATA[Last week at the RSA Conference, my colleague Derek Brown and I presented findings from a research project titled MOBOTS: Pocketful of Pwnage, which was designed to show how easy it would be to create a large mobile botnet. Please note that we did not actually create a botnet; we simply presented results of two [...]]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/is-that-a-bot-in-your-pocket-%e2%80%93-or-does-it-just-look-like-one/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Chilean Earthquake Spawns Malware</title><link>http://www.thesecurityblog.com/2010/03/chilean-earthquake-spawns-malware/</link> <comments>http://www.thesecurityblog.com/2010/03/chilean-earthquake-spawns-malware/#comments</comments> <pubDate>Wed, 10 Mar 2010 19:27:42 +0000</pubDate> <dc:creator>Shannon Cole</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[Malware]]></category> <category><![CDATA[McAfee Avert Labs]]></category> <category><![CDATA[Trusted Computing]]></category> <category><![CDATA[Web and Internet Safety]]></category><guid
isPermaLink="false">http://www.avertlabs.com/research/blog/?p=3810</guid> <description><![CDATA[Most of us are familiar with how high profile news events are used for malware distribution. We’ve seen it many times such as with Tiger Woods’ scandal and the earthquake in Haiti. Now the recent earthquake in Chile is used to prey upon unsuspecting folks interested in what’s going on with the post-quake and tsunami. [...]]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/chilean-earthquake-spawns-malware/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>MOBOTS: WeatherFist Exposed</title><link>http://www.thesecurityblog.com/2010/03/mobots-weatherfist-exposed/</link> <comments>http://www.thesecurityblog.com/2010/03/mobots-weatherfist-exposed/#comments</comments> <pubDate>Wed, 10 Mar 2010 17:41:28 +0000</pubDate> <dc:creator>DVLabs: Blogs</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[tippingpoint]]></category><guid
isPermaLink="false">tag:feeds.feedburner.com://14a88cd1f95538733caff49b146ef279</guid> <description><![CDATA[Posted by Daniel Tijerina<br
/>Last week, San Francisco was kind enough to play host to the annual RSA Security Conference.  As you may remember from Jason Avery's last post, several TippingPointers were on-hand for the festivities. My colleague Derek Brown and I were fortunate to be granted an engagement in the "Research Revealed" track.  We presented our case study in mobile phone botnets entitled "MOBOTS: A Pocketful of Pwnage."  Catchy, right?  We both felt that the talk was a great success and, despite the modest yet respectable attendance, the audience seemed to enjoy our antics as much as we did.  As is the norm for such things, our live demonstration ran long and we didn't get to converse with the audience for as long as we'd hoped.  To that end, and for the benefit of those not fortunate enough to make it to The City by the Bay, we would like to expound on some of the specifics of the talk that have garnered much of the post-RSA interest.<br
/><br
/><h3>WeatherFist</h3> WeatherFist, the harmless proof-of-concept application featured in the MOBOTS presentation, is a quick app we wrote for displaying weather information.  In order to know what location to pull weather information for, the program uses a phone home technique to submit the user's current GPS coordinates in return for the local ZIP code.  Phoning home is a typical way for a botnet to get in contact with a command and control server, so we wanted to see whether this technique would be allowed to slip through into the iPhone/Android marketplace via popular repositories like ModMyI and SlideMe.  WeatherFist is not in any way a trojan or a backdoor and can easily be uninstalled via regular uninstallation mechanisms.  No functionality or data will persist once the uninstall takes place.  It is simply a proof-of-concept that allowed us to collect statistics for the case study.  We submitted WeatherFist to the ModMyI (iPhone) and SlideMe (Android) repositories, where users downloaded and ran the application from their own phones. We currently have ~8400 unique downloads of WeatherFist (7700 iPhone and 700 Android) with 22000 hits with statistical data in our database.  Even though WeatherFist did not collect any personally identifiable information, our research database will not be available to the public, nor do we have any plans to make it so.<br
/> <br
/> We first decided to take a run at this project last summer, while we were both enjoying the honeymoon with our respective smartphones.  It took us a couple of months to dive into the different smartphone programming languages, but we were able to produce a multi-platform weather forecast display application.  We split the development duty evenly - Derek wrote the Android application and I wrote the iPhone application. The purpose of the application is straightforward: deliver relevant demographic information to our host server and return relevant meteorological information to the client.  Of course, this is nothing novel or particularly interesting, since we simply employed the ubiquitous HTTP query string convention that you've all come to know and love. Google, for example, loves to stuff demographic data into their search query strings:<br
/> <br
/> http://www.google.com/search?q=RSA+Conference&#38;ie=utf-8&#38;oe=utf-8&#38;aq=t&#38;rls=com.ubuntu:en-US:official&#38;client=firefox-a<br
/> <br
/> In this case, Google is packing the query string with information pertaining to my search request, "RSA Conference." The tokens break down thusly:<br
/> q=the+thing+i+searched+for<br
/> ie=input encoding<br
/> oe=output encoding<br
/> aq=used firefox toolbar for search ((t)rue or (f)alse)<br
/> rls=location information from source<br
/> client=brand of web browser<br
/> <br
/> Well, this is pretty much the type of information that we decided we would need to have in our possession in order to substantiate our claims as proof, rather than purely conjecture. Since we were seeking to demonstrate the feasibility of deploying a mobile botnet, we opted to send the following statistically germane demographics to our server with each request:<br
/> <br
/> http://weatherfist/gps2zip?lat=10.101010&#38;long=20.1234&#38;d=a&#38;n=abcdef12345678900987654321fedcba<br
/> <br
/> For our purposes, the query string breaks down thusly:<br
/> lat=current latitude<br
/> long=current longitude<br
/> d=device type ((a)ndroid or (i)phone)<br
/> n=phone number MD5 hash<br
/> <br
/> The latitude and longitude values serve two purposes. Firstly, the values are passed to a reverse geocoding method in order to obtain a ZIP code for the weather forecast request.  Secondly, they provided us with data points with which to populate a distribution map. The device type data is used in precisely the way Google's "client" parameter is used: in order to track market share between our available application platforms. Finally, we opted to apply the MD5 hashing algorithm to the client device's phone number (hence the "n") so that we would have a unique, but otherwise meaningless, device identification token.  It would be very difficult for us to reverse the standard hashing algorithm to get the number back, and honestly, we have better things to do with our time.<br
/> <br
/> Once we had the demographic data in our hands, we gave the client what they asked for: their local weather forecast. That is, the nice folks over at Weather Underground provided the client with the local weather after we populated the request string with the ZIP code we calculated from the "lat" and "long" query string parameters.<br
/> <br
/> When we pushed the applications out for consumption a couple of months ago, we were mostly interested in discovering which avenues brought users to our door.  We quickly discovered that the alternative application markets were bringing in volumes more traffic than our shameless self-promotion via social networking sites. In fact, merely placing our application in one of the alternative repositories effectively subsumed our previous efforts.  Within hours of publishing the WeatherFist applications we saw tweets, retweets and various hashtag postings on several social networking sites. The Social Media Machine was doing our work for us; huzzah! In truth, I think we were both surprised by how quickly our download volume increased while the application was still fresh meat.<br
/> <br
/><h3>WeatherFistBadMonkey</h3> It goes without saying that the only interesting things we got out of this particular endeavor are the usage statistics.  We didn't want to do anything particularly "interesting" to our loyal user base, either.  For that we wrote the WeatherFistBadMonkey version and tested it on our own smartphones for this experiment.<br
/> <br
/> WeatherFistBadMonkey is an extension to WeatherFist that allows us to take complete control over the user's phone. WeatherFistBadMonkey was not distributed publicly; it only serves as proof that it is possible to convert a mobile phone into a bot. To the user, there would be no difference between WeatherFist and WeatherFistBadMonkey. Behind the scenes, however, there is a substantial difference between the two. The malicious version will first submit the user's entire address book to our simulated command and control server, including each contact's first name, last name, all email addresses, and all physical addresses. The functionality of the MOBOT includes polling our command and control server every five minutes for instructions. The instructions currently supported are: send an email, perform a DDoS of a website, and give us a reverse shell. The first two are pretty standard botnet functionality, while the third is the one that is most interesting.  Opening a reverse shell gives us direct remote control over the phone. We are able to browse the entire file system, steal personal data (SMS text messages, browser cookies, etc.), as well as deny access to vital applications such as "Phone" or "Messages".  The possibilities are pretty much only bound by how malicious we intend to be. Since this happens over the Internet, both 3G and Wi-Fi connectivity would satisfy our connectivity needs.<br
/> <br
/><h3>Closing Thoughts</h3> The concepts of trojans, botnets, and backdoors are nothing new.  With the explosive growth of smartphone technology in recent years, a massive number of always-on and always-connected computers have appeared with little inherent protection against malicious programs.  We are still working on doing some interesting things with the private WeatherFistBadMonkey code to show how dangerous a real world mobile phone botnet could be. We plan to continue exploring the security models associated with the mobile computing platforms, especially as they become even more prevalent in the complexion of contemporary enterprise networks.]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/mobots-weatherfist-exposed/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Death By A Thousand Cuts &#8211; Rustock Botnet Sending More Encrypted Spam</title><link>http://www.thesecurityblog.com/2010/03/death-by-a-thousand-cuts-rustock-botnet-sending-more-encrypted-spam/</link> <comments>http://www.thesecurityblog.com/2010/03/death-by-a-thousand-cuts-rustock-botnet-sending-more-encrypted-spam/#comments</comments> <pubDate>Wed, 10 Mar 2010 16:29:46 +0000</pubDate> <dc:creator>MarissaVicario</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[Hosted Mail Security]]></category> <category><![CDATA[MessageLabs Intelligence]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[Symantec]]></category><guid
isPermaLink="false">1232041 at http://www.symantec.com/connect</guid> <description><![CDATA[<p>Posted on behalf of Dan Bleaken, Malware Analyst, Symantec Hosted Services</p><p>In the past few days we have noticed that the Rustock botnet has been sending a lot more spam using TLS (Transport Layer Security). TLS is the successor to SSL and is a popular way of sending email through an encrypted channel, rather than sending it in the clear like most emails are sent. MessageLabs Intelligence tracks the use of TLS in order to determine how much spam is sent over TLS, and which botnets are sending it.</p><p>Not all mail servers force clients to use TLS, but it is frequently used for securing the communications channel between the client email sender and the email server to which the message is being delivered. It prevents eavesdropping of email traffic that would otherwise be sent in plain sight for anyone else on the network to see if they so wished, perhaps using network analysis tools.&#160; Some businesses mandate TLS for remote clients, for example, an employee connecting via a wireless hot-spot. 
Often other security mechanisms are used as well, in order to authenticate the client, such as SMTP-AUTH, as many email servers don&#8217;t force clients to provide a valid TLS certificate, particularly when the client isn&#8217;t an employee, but just another mail server on the internet.&#160;</p><p>TLS uses far more server resources and is much slower than a plain-text email; with TLS it takes time and resources to perform the necessary handshake where ciphers are negotiated and encryption keys exchanged and then to encrypt and decrypt the messages.&#160; There is a two-way conversation between the sending client computer and receiving email server, requiring both inbound and outbound traffic.&#160; In bandwidth terms, this outbound traffic frequently outweighs the size of the spam message itself and can significantly increase the workload being placed on corporate email servers.&#160;</p><p>Some stats on what proportion of spam uses TLS are included below, and as you can see, MessageLabs Intelligence is already tracking a large amount of spam that uses TLS. Should the volume of spam from botnets that use TLS increase over the coming weeks and months, businesses need to carefully think about the resources required to handle this type of spam. With corporate email servers coming under more pressure to handle these expensive, but unnecessary TLS connections, it becomes a death by a thousand cuts &#8211; on its own the overhead of processing a single spam received with TLS may appear insignificant, but at large volumes, the overall impact can be enormous.</p><p>The majority of the spam-requesting TLS connections come from the Rustock botnet. 
In fact, as much as 70% of spam sent from the Rustock botnet uses TLS currently.&#160; I believe that Rustock has rolled-out an updated version of its spam agent to some of its bots in order to achieve this.&#160; Not all of the Rustock bots are using TLS yet, but eventually it&#8217;s possible that all spam from Rustock will be sent over TLS.&#160;</p><p>Moreover, there are some other botnets that we have also seen using TLS, namely Grum, Cutwail and Bagle.&#160; For these, we have seen TLS used only in relatively tiny volumes.&#160; It&#8217;s important to note that TLS on its own does not provide sender authentication, as after all, most TLS connections are &#8220;opportunistic&#8221; &#8211; and some TLS enabled email servers are using self-signed certificates &#8211; which cannot be validated as they are not issued by a generally trusted certificate authority (CA).&#160; Unless an email server is validating the client&#8217;s certificate it is not possible to authenticate the client. Most client-to-server TLS encrypted traffic doesn&#8217;t require a client certificate at all, requiring only that the client trusts the server&#8217;s certificate before negotiating the key exchange prior to starting the TLS session.</p><p>Last week, spam using TLS accounted for approximately 20 percent of all spam, rising to approximately 35 percent of spam today.&#160; MessageLabs Intelligence will continue to track this in the coming weeks and months. It is also interesting to note that since TLS-enabled spam has increased, there has been a large increase in the volume of outbound traffic also. This is because when TLS is used it requires not only inbound traffic (such as for a typical spam email), but also a significant amount of outbound traffic to negotiate the encryption protocols. 
The volume of this traffic often exceeds the size of the spam email itself.&#160; The average additional inbound and outbound traffic due to TLS is an overhead of around one kilobyte.&#160; Many spam mails are often much lower than one kilobyte in size.</p><p>How Rustock determines when to use TLS seems to depend on the individual bot being used, rather than on the spam &#8220;run&#8221; or &#8220;campaign&#8221; or recipient. It seems that currently some of Rustock&#8217;s bots are TLS-enabled and others are not.</p><p>Below are two examples of spam from the same Rustock spam run, with virtually identical message bodies (apart from precise wording or subtle differences between subjects and URLs).&#160; The first one uses TLS and the second one doesn&#8217;t.&#160; For each one I&#8217;ve included the header, and a screenshot of the email message as it would appear when opened in a mail client.&#160;</p><p><img
src="/connect/imagebrowser/view/image/1232011/_original" alt="rustock1.JPG" class="ibimage" /></p><p>[example 1 &#8211; Rustock spam using TLS]</p><p><img
src="/connect/imagebrowser/view/image/1232021/_original" alt="Rustock2.JPG" class="ibimage" /></p><p>[example 2 &#8211; Rustock spam not using TLS]</p><p>Note that the first example successfully negotiated a TLS connection using ESMTPS (Extended SMTP Secure), whereas the non-TLS message used ESMTP. Both bots connected using the EHLO SMTP command to request Extended SMTP, but only the first one requested a TLS connection using STARTTLS. The servers in both cases support incoming TLS connections, and only accept inbound email connections to TCP port 25.</p><p>Not all email servers will add the same level of detail to the received headers as seen above, but the encryption protocols used for a TLS connection will be similar.</p><p>Botnet operators may be finding that some mail servers and ISPs are mandating the use of TLS in their email connections and consequently, as botnets are sending spam through these networks, they are simply asking for TLS connections in advance. Perhaps Rustock&#8217;s controllers mistakenly believe that TLS will add a level of legitimacy to their email traffic, or maybe they are just concerned about someone eavesdropping on their spamming operation.</p><p>These latest MessageLabs Intelligence findings seem to concur with the comments in a blog post by Terry Zink, which can also be read here: <a
href="http://blogs.msdn.com/tzink/archive/2010/03/02/more-spam-via-tls.aspx">blogs.msdn.com/tzink/archive/2010/03/02/more-spam-via-tls.aspx</a>.</p><p><img
src="/connect/imagebrowser/view/image/1232031/_original" alt="Rustock.JPG" class="ibimage" /></p><p>[Visual representation of the Rustock botnet]</p><div
class="og_rss_groups"></div>]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/death-by-a-thousand-cuts-rustock-botnet-sending-more-encrypted-spam/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>How are ATM skimmers installed?</title><link>http://www.thesecurityblog.com/2010/03/how-are-atm-skimmers-installed/</link> <comments>http://www.thesecurityblog.com/2010/03/how-are-atm-skimmers-installed/#comments</comments> <pubDate>Wed, 10 Mar 2010 15:42:12 +0000</pubDate> <dc:creator>F-Secure Antivirus Research Weblog</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[F-Secure]]></category><guid
isPermaLink="false">http://www.f-secure.com/weblog/archives/00001904.html</guid> <description><![CDATA[ 			 			ATM skimmers are installed like this:<br
/><br
/><img
width="736" height="516" border="1" src="http://www.f-secure.com/weblog/archives/skimmer-install.gif" alt="Skimmer install"><br
/><br
/>Video source: <a
href="http://www.spiegel.de/netzwelt/web/0,1518,682345,00.html">Spiegel.de</a> &#38; German Federal Criminal Office (Bundeskriminalamt)<p>On 10/03/10 At 12:06 PM</p>]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/how-are-atm-skimmers-installed/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Select Your Web Browser(s)</title><link>http://www.thesecurityblog.com/2010/03/select-your-web-browsers/</link> <comments>http://www.thesecurityblog.com/2010/03/select-your-web-browsers/#comments</comments> <pubDate>Wed, 10 Mar 2010 15:42:12 +0000</pubDate> <dc:creator>F-Secure Antivirus Research Weblog</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[F-Secure]]></category><guid
isPermaLink="false">http://www.f-secure.com/weblog/archives/00001905.html</guid> <description><![CDATA[ 			 			I wasn't sure I'd see <a
href="http://support.microsoft.com/kb/976002">this Browser Choice update</a>:<br
/><br
/><img
width="610" height="195" border="0" src="http://www.f-secure.com/weblog/archives/KB976002.png" alt="KB976002" /><br
/><br
/>I set my computer's Regional Options for the United States even though it's physically located in Finland (I'm an American after all).<br
/><br
/>Regional settings might trump my IP address, I thought&#8230; but it seems not. I manually ran Microsoft Update and was provided access to KB976002. Cool.<br
/><br
/>If you're located outside of Europe and are wondering what this is all about, <a
href="http://news.bbc.co.uk/2/hi/8524019.stm">read this</a> from the BBC.<br
/><br
/>Microsoft is offering alternative browser options to European Windows users to settle an anti-trust lawsuit. The update component points users to <a
href="http://www.browserchoice.eu/">browserchoice.eu</a> &#8212; from where they can select from 12 different web browsers.<br
/><br
/>On a somewhat not completely unrelated note: Microsoft Security Advisory (<a
href="http://www.microsoft.com/technet/security/advisory/981374.mspx">981374</a>) was published yesterday.<br
/><br
/>"Microsoft is investigating new, public reports of a vulnerability in Internet Explorer 6 and Internet Explorer 7."<br
/><br
/>The vulnerability could allow for remote code execution.<br
/><br
/>Once again, that browser choice link is <a
href="http://www.browserchoice.eu/">browserchoice.eu</a>. Send it to your friends and family.<br
/><br
/>Signing off,<br
/>Sean<br
/><br
/><br
/><br
/><br
/><br
/><hr
/><p>On 10/03/10 At 05:00 PM</p>]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/select-your-web-browsers/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Be Savvy, Get Six Months of Internet Security</title><link>http://www.thesecurityblog.com/2010/03/be-savvy-get-six-months-of-internet-security/</link> <comments>http://www.thesecurityblog.com/2010/03/be-savvy-get-six-months-of-internet-security/#comments</comments> <pubDate>Wed, 10 Mar 2010 15:42:12 +0000</pubDate> <dc:creator>F-Secure Antivirus Research Weblog</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[F-Secure]]></category><guid
isPermaLink="false">http://www.f-secure.com/weblog/archives/00001906.html</guid> <description><![CDATA[ 			 			F-Secure has an additional blog that launched today. It's called <a
href="http://safeandsavvy.f-secure.com/">Safe and Savvy</a>.<br
/><br
/><img
width="260" height="85" border="0" src="http://www.f-secure.com/weblog/archives/Safe_and_Savvy.png" alt="Safe and Savvy" /><br
/><br
/>You'll notice that the name is pink. That's part of our new brand but it also reflects the authorship. Safe and Savvy's contributors are the female employees of F-Secure (mostly).<br
/><br
/>Hetta, Marja, Annika, Alia, Melody-Jane, (and Jason) have already gotten started.<br
/><br
/>Read more of <a
href="http://safeandsavvy.f-secure.com/2010/03/09/get-savvy-and-get-free-internet-security/">Hetta's latest post</a> to learn about six free months of our Internet Security 2010.<br
/><br
/><br
/><br
/><br
/><br
/><hr
/><p>On 10/03/10 At 05:29 PM</p>]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/be-savvy-get-six-months-of-internet-security/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>PDF Based Targeted Attacks are Increasing</title><link>http://www.thesecurityblog.com/2010/03/pdf-based-targeted-attacks-are-increasing/</link> <comments>http://www.thesecurityblog.com/2010/03/pdf-based-targeted-attacks-are-increasing/#comments</comments> <pubDate>Wed, 10 Mar 2010 15:42:12 +0000</pubDate> <dc:creator>F-Secure Antivirus Research Weblog</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[F-Secure]]></category><guid
isPermaLink="false">http://www.f-secure.com/weblog/archives/00001903.html</guid> <description><![CDATA[ 			 			Microsoft schedules <a
href="http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx">its security updates</a> on the second Tuesday of the month. Adobe recently began following this schedule as well, and while there are no Adobe updates today, there was an <a
href="http://www.adobe.com/support/security/bulletins/apsb10-07.html">out-of-cycle security update</a> two weeks ago.<br
/><br
/>That update should now be applied if you haven't already done so.<br
/><br
/>Why?<br
/><br
/>Because we're now seeing the vulnerability (CVE-2010-0188) being exploited in targeted attacks (<a
href="http://blogs.technet.com/mmpc/archive/2010/03/08/cve-2010-0188-patched-adobe-reader-vulnerability-is-actively-exploited-in-the-wild.aspx">Microsoft also</a>).<br
/><br
/>Our sample was submitted by a European financial organization and the file name includes a reference to the <a
href="http://en.wikipedia.org/wiki/G-20_major_economies">G20</a>. The exploit drops a downloader and attempts to make a connection to tiantian.ninth.biz. We detect this attack as Exploit:W32/PDFExploit.G.<br
/><br
/>It doesn't surprise us to see this Adobe Reader vulnerability utilized so quickly.<br
/><br
/>Looking through our sample management system, we see a growing number of targeted attack files.<br
/><br
/>There were <a
href="http://www.f-secure.com/weblog/archives/00001676.html">1968 files in 2008</a>. The number was 2195 during the year 2009. That isn't a very large increase in the overall total from 2008 to 2009 but we did see a greater percentage targeting Adobe.<br
/><br
/>And how about the first two months of 2010?<br
/><br
/>Well, so far the number is 895, which will more than double last year's number if the current pace continues.<br
/><br
/>The percentage targeting Adobe Reader continues to rise.<br
/><br
/>Here's a graph with a breakdown of the most common attack vectors used in targeted (espionage) attacks:<br
/><br
/><img
width="650" height="475" border="0" src="http://www.f-secure.com/weblog/archives/targeted-attacks-2008-2009-2010.png" alt="Targeted attacks 2008, 2009, 2010 (Jan/Feb)" /><br
/><br
/><b>Updated to add</b>: A couple of readers noticed that our graph's 2009 percentages were slightly off &#8212; it's been corrected.<p>On 09/03/10 At 03:30 PM</p>]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/pdf-based-targeted-attacks-are-increasing/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Darkmarket Avatars</title><link>http://www.thesecurityblog.com/2010/03/darkmarket-avatars/</link> <comments>http://www.thesecurityblog.com/2010/03/darkmarket-avatars/#comments</comments> <pubDate>Wed, 10 Mar 2010 15:42:12 +0000</pubDate> <dc:creator>F-Secure Antivirus Research Weblog</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[F-Secure]]></category><guid
isPermaLink="false">http://www.f-secure.com/weblog/archives/00001902.html</guid> <description><![CDATA[ 			 			As "<a
href="http://www.f-secure.com/weblog/archives/00001857.html">JiLsi</a>" &#8212; one of the online criminals from <a
href="http://www.f-secure.com/weblog/archives/00001679.html">Darkmarket</a> &#8212; was sentenced last week to almost five years in prison, we have received some media queries on the case.<br
/><br
/>In particular, one journalist wanted to know what <b>JiLsi</b> (aka Renu Subramaniam), <b>Matrix001</b> (aka Markus Kellerer) and <b>Cha0</b> (aka Ça&#287;atay Evyapan) looked like when they were posting to the Darkmarket forum.<br
/><br
/>So I went back to my notes and dug up example posts from the guys, complete with their avatar icons. Perhaps these are interesting for our blog readers too.<br
/><br
/><img
width="698" height="572" border="1" src="http://www.f-secure.com/weblog/archives/darkmarket_matrix001.png" alt="Darkmarket matrix001"><br
/><br
/><img
width="668" height="222" border="1" src="http://www.f-secure.com/weblog/archives/darkmarket_JiLsi.png" alt="Darkmarket JiLsi"><br
/><br
/><img
width="666" height="238" border="1" src="http://www.f-secure.com/weblog/archives/darkmarket_cha0.png" alt="Darkmarket cha0"><br
/><br
/><img
width="650" height="606" border="1" src="http://www.f-secure.com/weblog/archives/darkmarket_matrix002.png" alt="Darkmarket matrix"><br
/><br
/>Cheers,<br
/>Mikko<p>On 08/03/10 At 11:19 AM</p>]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/darkmarket-avatars/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Desperate Phishing Attempt</title><link>http://www.thesecurityblog.com/2010/03/desperate-phishing-attempt/</link> <comments>http://www.thesecurityblog.com/2010/03/desperate-phishing-attempt/#comments</comments> <pubDate>Wed, 10 Mar 2010 15:42:12 +0000</pubDate> <dc:creator>F-Secure Antivirus Research Weblog</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[F-Secure]]></category><guid
isPermaLink="false">http://www.f-secure.com/weblog/archives/00001901.html</guid> <description><![CDATA[ 			 			Somebody is trying to pose as us. If you see an email like the one below, please ignore it:<br
/><br
/><font
face="Courier"><b>&#160;&#160;&#160;&#160;&#160;From: security@f-secure.com<br
/>&#160;&#160;&#160;&#160;&#160;Reply-To: securitysupport@hotxf.com<br
/>&#160;&#160;&#160;&#160;&#160;Subject: Security Maintenance.F-Secure HTK4S<br
/>&#160;&#160;&#160;&#160;&#160;Date: Fri, 5 Mar 2010 18:11:05 -0000<br
/>&#160;&#160;&#160;&#160;&#160;To: undisclosed-recipients:;<br
/>&#160;&#160;&#160;&#160;&#160;<br
/>&#160;&#160;&#160;&#160;&#160;Dear Email Subscriber, <br
/>&#160;&#160;&#160;&#160;&#160;<br
/>&#160;&#160;&#160;&#160;&#160;Your e-mail account needs to be improved with our new <br
/>&#160;&#160;&#160;&#160;&#160;F-Secure HTK4S anti-virus/anti-spam 2010-version. <br
/>&#160;&#160;&#160;&#160;&#160;Fill in the columns below or your account will be <br
/>&#160;&#160;&#160;&#160;&#160;temporarily excluded from our services. <br
/>&#160;&#160;&#160;&#160;&#160;<br
/>&#160;&#160;&#160;&#160;&#160;E-mail Address:<br
/>&#160;&#160;&#160;&#160;&#160;Password:<br
/>&#160;&#160;&#160;&#160;&#160;Phone  Number:<br
/>&#160;&#160;&#160;&#160;&#160;<br
/>&#160;&#160;&#160;&#160;&#160;Please note that your password is encrypted <br
/>&#160;&#160;&#160;&#160;&#160;with 1024-bit RSA keys for increased security. <br
/>&#160;&#160;&#160;&#160;&#160;<br
/>&#160;&#160;&#160;&#160;&#160;Management. <br
/>&#160;&#160;&#160;&#160;&#160;<br
/>&#160;&#160;&#160;&#160;&#160;Copyright 2009. All Rights Reserved.</b></font><br
/><br
/>Before you ask: No, we've never heard of "F-Secure HTK4S anti-virus" either.<br
/><br
/><br
/><br
/><br
/><br
/><hr
/><p>On 05/03/10 At 10:26 PM</p>]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/desperate-phishing-attempt/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>The Morphing PDF</title><link>http://www.thesecurityblog.com/2010/03/the-morphing-pdf/</link> <comments>http://www.thesecurityblog.com/2010/03/the-morphing-pdf/#comments</comments> <pubDate>Wed, 10 Mar 2010 15:42:12 +0000</pubDate> <dc:creator>F-Secure Antivirus Research Weblog</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[F-Secure]]></category><guid
isPermaLink="false">http://www.f-secure.com/weblog/archives/00001900.html</guid> <description><![CDATA[ 			 			Just when we thought <a
href="http://www.f-secure.com/weblog/archives/00001899.html">SEO using Flash</a> was as interesting as SEO poisoning can get, it seems it's getting even sneakier&#8230;<br
/><br
/>Imagine a PDF file posted by someone evil online. Of course, Google being Google, the file is recognized as a PDF.<br
/><br
/><img
border="0" src="http://www.f-secure.com/weblog/archives/joe_corvo_3hrsago.PNG" alt="Joe Corvo" height="294" width="700" /><br
/><br
/>And when we open it, it really is a PDF. No evil codes inside, just a good old vanilla PDF file.<br
/><br
/><img
border="0" src="http://www.f-secure.com/weblog/archives/joe_corvo_pdf.PNG" alt="Joe Corvo PDF" height="457" width="553" /><br
/><br
/>Three hours later&#8230; Google still says the file is a PDF. Brod (one of our geeky guys here) is attributing this to Google's cache.<br
/><br
/><img
border="0" src="http://www.f-secure.com/weblog/archives/joe_corvo_3hrslater.PNG" alt="Joe Corvo, 3hrs later" height="101" width="541" /><br
/><br
/>But is it really a PDF this time around?<br
/><br
/><img
border="0" src="http://www.f-secure.com/weblog/archives/joe_corvo_html.PNG" alt="Joe Corvo HTML" height="711" width="476" /><br
/><br
/>It morphed! And it even has different topics this time. Topics which, when you follow them, will lead you to another PDF:<br
/><br
/><img
border="0" src="http://www.f-secure.com/weblog/archives/jaypolhill_pdf.PNG" alt="Jay Polhill PDF" height="710" width="496" /><br
/><br
/>At least for a few hours before it becomes&#8230;<br
/><br
/><img
border="0" src="http://www.f-secure.com/weblog/archives/jaypolhill_html.PNG" alt="Jay Polhill HTML" height="525" width="496" /><br
/><br
/>It's a vicious cycle, but a pretty neat trick. Who would suspect a non-malicious PDF file, right? At least before it becomes an HTML file. And the end result is a rogue antivirus scam.<br
/><br
/>Response post by &#8212; Christine and Mina<p>On 05/03/10 At 07:00 AM</p>]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/the-morphing-pdf/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>SEO Poisoning Sites Use Flash for Redirection</title><link>http://www.thesecurityblog.com/2010/03/seo-poisoning-sites-use-flash-for-redirection/</link> <comments>http://www.thesecurityblog.com/2010/03/seo-poisoning-sites-use-flash-for-redirection/#comments</comments> <pubDate>Wed, 10 Mar 2010 15:42:12 +0000</pubDate> <dc:creator>F-Secure Antivirus Research Weblog</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[F-Secure]]></category><guid
isPermaLink="false">http://www.f-secure.com/weblog/archives/00001899.html</guid> <description><![CDATA[ 			 			Another day, another news, and well&#8230; another SEO poisoning stint.<br
/><br
/><img
border="0" src="http://www.f-secure.com/weblog/archives/pdf_google.PNG" alt="PDF Google" height="404" width="611" /><br
/><br
/>Using PDF files in SEO poisoning is recent, but not exactly fresh news. So we were thinking of just adding the malicious URLs to our Browsing Protection and creating detections for the corresponding files&#8230; Then, we saw something:<br
/><br
/><img
border="0" src="http://www.f-secure.com/weblog/archives/isitpossibletobehappy_swf.PNG" alt="isitpossibletobehappy swf" height="66" width="624" /><br
/><br
/>Ok, could be a one time thing, so we checked the other sites:<br
/><br
/><img
border="0" src="http://www.f-secure.com/weblog/archives/olympiccoverage_swf.PNG" alt="olympiccoverage swf" height="82" width="623" /><br
/><br
/>And in the usual geeky fashion in the lab&#8230; we got excited.<br
/><br
/>When decompressed, the SWF contains this:<br
/><br
/><img
border="0" src="http://www.f-secure.com/weblog/archives/swf_code.PNG" alt="swf code" height="69" width="622" /><br
/><br
/>Since a lot of websites use SWF, most users have already installed Flash support in their browsers, thereby also enabling support for the malware behavior.<br
/><br
/>The SWF is of course the key to getting to:<br
/><br
/><img
border="0" src="http://www.f-secure.com/weblog/archives/pdf_scandownload.PNG" alt="pdf scandownload" height="373" width="700" /><br
/><br
/><img
border="0" src="http://www.f-secure.com/weblog/archives/pdf_secantidownload.PNG" alt="pdf security antivirus download" height="284" width="558" /><br
/><br
/><img
border="0" src="http://www.f-secure.com/weblog/archives/pdf_roguescan.PNG" alt="pdf rogue scan" height="509" width="700" /><br
/><br
/>It seems that the bad guys want the malicious URLs to be hidden inside the SWF.<br
/><br
/>Perhaps it makes them sleep better at night thinking that their sites won't be discovered very soon.<br
/><br
/>The malicious URLs are now blocked via our Browsing Protection and malicious files are detected.<br
/><br
/>Response post by &#8212; Christine and Mina<p>On 04/03/10 At 10:06 AM</p>]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/seo-poisoning-sites-use-flash-for-redirection/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Another Bot Bites the Dust?</title><link>http://www.thesecurityblog.com/2010/03/another-bot-bites-the-dust/</link> <comments>http://www.thesecurityblog.com/2010/03/another-bot-bites-the-dust/#comments</comments> <pubDate>Wed, 10 Mar 2010 15:42:12 +0000</pubDate> <dc:creator>F-Secure Antivirus Research Weblog</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[F-Secure]]></category><guid
isPermaLink="false">http://www.f-secure.com/weblog/archives/00001898.html</guid> <description><![CDATA[ 			 			Remember Microsoft's <a
href="http://www.f-secure.com/weblog/archives/00001892.html">action against 277 Waledac domains</a> last week? Well, that's one way of going after a botnet&#8230;<br
/><br
/>Another way of shutting down a botnet? Arrest the botmasters!<br
/><br
/>Three Spanish citizens have been arrested for running the "Mariposa" botnet. The three reportedly have no criminal records and have limited hacking skills. Mariposa is a Butterfly Kit based botnet, and the kit is no longer for sale.<br
/><br
/>Details are available from the <a
href="http://news.bbc.co.uk/2/hi/technology/8547453.stm">BBC</a> and <a
href="http://www.theregister.co.uk/2010/03/03/mariposa_botnet_bust_analysis/">The Register</a>. Kudos to those involved in the arrests.<p>On 03/03/10 At 04:43 PM</p>]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/another-bot-bites-the-dust/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>I&#8217;m Feeling Lucky?</title><link>http://www.thesecurityblog.com/2010/03/im-feeling-lucky/</link> <comments>http://www.thesecurityblog.com/2010/03/im-feeling-lucky/#comments</comments> <pubDate>Wed, 10 Mar 2010 15:42:12 +0000</pubDate> <dc:creator>F-Secure Antivirus Research Weblog</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[F-Secure]]></category><guid
isPermaLink="false">http://www.f-secure.com/weblog/archives/00001897.html</guid> <description><![CDATA[ 			 			Criminals like to attack the biggest target because BIGGER generally provides a better Return On Investment (ROI). Windows is a good example. Mac is indeed safer than Windows but it isn't necessarily because Mac is more secure. Windows has a larger market share and that equals more potential victims.<br
/><br
/>How about search engines? What is the biggest search engine on the block? Google &#8212; and the bad guys know it. The result?<br
/><br
/><b>It's becoming less and less safe to search via Google.</b><br
/><br
/>Yesterday, I was testing Internet Explorer 8 and made a typo in the address bar. Instead of update.microsoft.com I used <b>updates</b>.<br
/><br
/>There is no such domain, so Microsoft Bing kicked in and I ended up with the following search results:<br
/><br
/><img
width="700" height="500" border="0" src="http://www.f-secure.com/weblog/archives/feeling-lucky-01.png" alt="I'm feeling lucky?" /><br
/><br
/>What? No results?!?<br
/><br
/>So I searched for updates.microsoft.com with Google.<br
/><br
/><img
width="700" height="600" border="0" src="http://www.f-secure.com/weblog/archives/feeling-lucky-02.png" alt="I'm feeling lucky?" /><br
/><br
/>Did I mean <i><b>update</b></i>? Yeah, I guess so&#8230; Thanks.<br
/><br
/>Bing's results seemed sort of odd, so I examined the settings and it turned out to be some idiosyncrasy of Finnish-based results.<br
/><br
/>Changing the settings to the United States produced the following:<br
/><br
/><img
width="700" height="535" border="0" src="http://www.f-secure.com/weblog/archives/feeling-lucky-03.png" alt="I'm feeling lucky?" /><br
/><br
/>Better.<br
/><br
/>I continued testing Bing. Here's a Bing search for microsoft updates:<br
/><br
/><img
width="700" height="600" border="0" src="http://www.f-secure.com/weblog/archives/feeling-lucky-04.png" alt="I'm feeling lucky?" /><br
/><br
/>84,700,000 results.<br
/><br
/>Here's a Google search for the same:<br
/><br
/><img
width="700" height="600" border="0" src="http://www.f-secure.com/weblog/archives/feeling-lucky-05.png" alt="I'm feeling lucky?" /><br
/><br
/>90,900,00 results.<br
/><br
/>But how about something timely? Using <a
href="http://www.google.com/trends">Google trends</a>, I found a hot search topic.<br
/><br
/>Minnesota's appliance rebate program has 5m dollars to give its citizens for buying energy efficient appliances, e.g. refrigerators.<br
/><br
/>The program launched on Monday and its <a
href="http://minnesota.publicradio.org/display/web/2010/03/01/appliance-rebate-program-overwhelmed/">web site was quickly overwhelmed</a>; the event generated many searches.<br
/><br
/>Here's the Bing search for "mn appliance rebate":<br
/><br
/><img
width="700" height="535" border="0" src="http://www.f-secure.com/weblog/archives/feeling-lucky-06.png" alt="I'm feeling lucky?" /><br
/><br
/>25,300 results.<br
/><br
/>And Google?<br
/><br
/><img
border="0" src="http://www.f-secure.com/weblog/archives/feeling-lucky-07.png" alt="I'm feeling lucky?" /><br
/><br
/>31,300 results.<br
/><br
/><b>But here's an important difference</b> &#8212; I didn't find any harmful links from Bing's results.<br
/><br
/>Google, on the other hand, had many bad links. This was the sixth result on the first page:<br
/><br
/><img
width="700" height="90" border="0" src="http://www.f-secure.com/weblog/archives/feeling-lucky-08.png" alt="I'm feeling lucky?" /><br
/><br
/>Clicking the link launched a rogue scam:<br
/><br
/><img
width="511" height="131" border="0" src="http://www.f-secure.com/weblog/archives/feeling-lucky-09.png" alt="I'm feeling lucky?" /><br
/><br
/>And then I was given the typical scan scam crap that is so profitable for the bad guys:<br
/><br
/><img
width="700" height="600" border="0" src="http://www.f-secure.com/weblog/archives/feeling-lucky-10.png" alt="I'm feeling lucky?" /><br
/><br
/>The site pushed this file:<br
/><br
/><img
width="403" height="178" border="0" src="http://www.f-secure.com/weblog/archives/feeling-lucky-11.png" alt="I'm feeling lucky?" /><br
/><br
/>It's now detected as Rogue:W32/FakeAlert.LB.<br
/><br
/>The folks at Google work hard to filter out harmful search results, but it's a difficult task.<br
/><br
/>The bad guys are constantly working against Google and they often get past their defenses long enough to infect victims. So what can you do to stay safe? Avoid <a
href="http://en.wikipedia.org/wiki/Monoculture_%28computer_science%29">monoculture</a> &#8212; try something else.<br
/><br
/>Because soon enough&#8230; Bing just might be the search engine that you want to bring home to your mom.<br
/><br
/>Google has been around and is simply receiving too much attention from the wrong sorts of guys.<br
/><br
/>Ask yourself this: Do you feel lucky?<br
/><br
/><a
href="http://www.google.com/#hl=en&#38;source=hp&#38;q=i%27m+feeling+lucky&#38;aq=f&#38;aqi=g10&#38;aql=&#38;oq=&#38;fp=c5aa4278f68e4a4"><img
width="144" height="36" border="0" src="http://www.f-secure.com/weblog/archives/feeling-lucky-12.png" alt="I'm feeling lucky?" /></a><br
/><br
/>Signing off,<br
/>Sean<br
/><br
/><br
/><br
/><br
/><br
/><hr
/><p>On 02/03/10 At 04:24 PM</p>]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/im-feeling-lucky/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Pwn2Own Interview with Charlie Miller</title><link>http://www.thesecurityblog.com/2010/03/pwn2own-interview-with-charlie-miller/</link> <comments>http://www.thesecurityblog.com/2010/03/pwn2own-interview-with-charlie-miller/#comments</comments> <pubDate>Wed, 10 Mar 2010 15:42:12 +0000</pubDate> <dc:creator>F-Secure Antivirus Research Weblog</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[F-Secure]]></category><guid
isPermaLink="false">http://www.f-secure.com/weblog/archives/00001896.html</guid> <description><![CDATA[ 			 			Charlie Miller, the Pwn2Own contest winner for two years in a row, gives his take on Internet security. Guess what &#8212; your Mac OS is no less vulnerable than its Microsoft Windows counterpart.<br
/><br
/><blockquote><br
/><b>Windows 7 or Snow Leopard</b>, which of these two commercial OS will be harder to hack and why?<br
/><br
/><i>Windows 7 is slightly more difficult because it has full ASLR (address space layout randomization) and a smaller attack surface (for example, no Java or Flash by default). Windows used to be much harder because it had full ASLR and DEP (data execution prevention). But recently, a talk at Black Hat DC showed how to get around these protections in a browser in Windows.</i><br
/></blockquote><br
/><br
/>No operating system or browser is immune to attack. And Flash is the bane of security (well, one of them anyway).<br
/><br
/><blockquote><br
/>In your opinion, which is the <b>safer combination OS+browser</b> to use?<br
/><br
/><i>That's a good question. Chrome or IE8 on Windows 7 with no Flash installed. There probably isn't enough difference between the browsers to get worked up about. The main thing is not to install Flash!</i><br
/></blockquote><br
/><br
/>The interview was conducted by Matteo Campofiorito at OneITSecurity. You can read the full version <a
href="http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own/">here</a>.<p>On 02/03/10 At 03:42 AM</p>]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/pwn2own-interview-with-charlie-miller/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>RSA Conference 2010</title><link>http://www.thesecurityblog.com/2010/03/rsa-conference-2010/</link> <comments>http://www.thesecurityblog.com/2010/03/rsa-conference-2010/#comments</comments> <pubDate>Wed, 10 Mar 2010 15:42:12 +0000</pubDate> <dc:creator>F-Secure Antivirus Research Weblog</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[F-Secure]]></category><guid
isPermaLink="false">http://www.f-secure.com/weblog/archives/00001895.html</guid> <description><![CDATA[ 			 			Moscone Center, San Francisco, USA is the site of this week's <a
href="http://www.rsaconference.com/index.htm">RSA Conference 2010</a>. It's the world's largest information security industry conference with well over 10,000 attendees. For some perspective on just how big it is: there are 19 different tracks of talks going on at the same time given by <a
href="https://cm.rsaconference.com/US10/catalog/speakers.do?sort=fullNameReversed">556 speakers</a>.<br
/><br
/>This year we have three talks being presented by fellows of F-Secure:<br
/><br
/><img
border="0" src="http://www.f-secure.com/weblog/archives/rsa-usa-2010-session-catalog.png" alt="RSA USA 2010 Session Catalog" /><br
/><br
/>Mikko has two presentations, "Case m00p" and "Mobile Malware in 2010".<br
/><br
/>Antti and Kimmo are presenting "Rootkits in the Real World Today".<br
/><br
/>Browse through RSA's <a
href="https://cm.rsaconference.com/US10/catalog/catalog/catalog.jsp">session catalog here</a>.<br
/><br
/><br
/><br
/><br
/><br
/><hr
/><p>On 01/03/10 At 04:56 PM</p>]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/rsa-conference-2010/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Analyzing PDF Files</title><link>http://www.thesecurityblog.com/2010/03/analyzing-pdf-files/</link> <comments>http://www.thesecurityblog.com/2010/03/analyzing-pdf-files/#comments</comments> <pubDate>Wed, 10 Mar 2010 15:42:12 +0000</pubDate> <dc:creator>F-Secure Antivirus Research Weblog</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[F-Secure]]></category><guid
isPermaLink="false">http://www.f-secure.com/weblog/archives/00001894.html</guid> <description><![CDATA[ 			 			We've been seeing a gradual shift in malicious PDF file coding (no surprise there, we know malware authors can and do adapt their techniques).<br
/><br
/>For a long time, we saw malicious PDF files that were simple enough to allow us to readily decipher the intent of the malicious code &#8212; shell code, download/execute, drop and load, et cetera.<br
/><br
/>Now we're seeing more and more complex obfuscation being used, which requires us to break down the PDF file. This can make an analyst's daily life more miserable or interesting, especially as the obfuscation can bypass automated analysis tools and even AV detectors.<br
/><br
/>One technique I've encountered in the last few months uses Adobe-specific JavaScript objects such as getPageNthWord and getPageNumWords. Here's a screenshot of one example:<br
/><br
/><img
width="534" height="955" border="1" src="http://www.f-secure.com/weblog/archives/obfuscated.gif" alt="Obfuscated"><br
/><br
/>Note how it uses old-school style spacings. Comments in the notepad were added for easier readability.<br
/><br
/>Anyway, once this is normalized, it becomes something much easier to read and analyze:<br
/><br
/><img
width="498" height="461" border="1" src="http://www.f-secure.com/weblog/archives/normalized.gif" alt="Normalized"><br
/><br
/>An interesting analysis about PDF obfuscation is also available at <a
href="http://isc.sans.org/diary.html?storyid=7906">SANS</a>.<br
/><br
/>Response post by &#8212; Zimry<p>On 01/03/10 At 10:11 AM</p>]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/analyzing-pdf-files/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>This you?? What&#8217;s the point of phishing a Twitter account?</title><link>http://www.thesecurityblog.com/2010/03/this-you-whats-the-point-of-phishing-a-twitter-account/</link> <comments>http://www.thesecurityblog.com/2010/03/this-you-whats-the-point-of-phishing-a-twitter-account/#comments</comments> <pubDate>Wed, 10 Mar 2010 15:42:12 +0000</pubDate> <dc:creator>F-Secure Antivirus Research Weblog</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[F-Secure]]></category><guid
isPermaLink="false">http://www.f-secure.com/weblog/archives/00001893.html</guid> <description><![CDATA[ 			 			We've received some questions regarding <a
href="http://twitter.com/safety/status/9594038576">recent phishing attacks</a> conducted against Twitter.com.<br
/><br
/>Tweets and Direct Messages (<a
href="http://help.twitter.com/forums/10711-getting-started/entries/14606-what-is-a-direct-message-dm">DM</a>) containing phrases such as "This you??" or "LOL is this you" are linking victims towards a Twitter login phishing page. If the bait is taken and the victim enters their password, Twitter's infamous "<a
href="http://failwhale.com/">fail whale</a>" is displayed and the user is returned to their account. They might not even realize that their account details have been compromised.<br
/><br
/>Phishing attacks directed against Twitter are not new. But what's the point?<br
/><br
/>Trust.<br
/><br
/>Peers within a social network have a greater level of trust amongst themselves.<br
/><br
/>And so why the recent attacks?<br
/><br
/>We think it could have something to do with some of the recent search engine deals that have been made.<br
/><br
/>Yahoo announced that <a
href="http://ycorpblog.com/2010/02/23/yahootwitter/">they'll begin to include Twitter's real-time feed</a> into their search results and Facebook is <a
href="http://www.allfacebook.com/2010/02/facebook-pages-now-part-of-googles-real-time-results/">now included in Google's search results</a>.<br
/><br
/>The bad guys can use social networking trust to enhance their <a
href="http://www.f-secure.com/weblog/archives/00001891.html">SEO attacks</a>.<br
/><br
/>Let's take a current <a
href="http://www.google.com/trends">hot topic</a> as an example. There are several Twitter results in the image below.<br
/><br
/><img
width="743" height="746" border="0" src="http://www.f-secure.com/weblog/archives/lastest.google.results.seaworld.png" alt="lastest.google.results.seaworld" /><br
/><br
/>Note: Always be careful when searching for hot topics. This "sea world trainer killed" example is currently being used in SEO attacks and many results will lead directly to scamware.<br
/><br
/>There's also a Facebook result in the example above. We expect to see fresh phishing attacks against Facebook before too long.<br
/><br
/>Twitter's <a
href="http://twitter.com/safety">Safety</a> and <a
href="http://twitter.com/spam">Spam</a> feeds are useful to follow if you have a Twitter account. Twitter's working on the issue now by prompting those that received phishing messages to change their password.<br
/><br
/>There is a silver lining to all of this&#8230;<br
/><br
/>While social networking trust can be abused, social networks themselves are incredibly responsive to emerging threats.<br
/><br
/>Check out the latest search results for "<a
href="http://www.google.com/search?hl=en&#38;tbo=1&#38;gl=us&#38;tbs=rltm%3A1&#38;q=%22This+you%3F%3F%22&#38;btnG=Search&#38;aq=f&#38;aqi=g-c3g1&#38;aql=&#38;oq=">This you??</a>". Twitter users are already spreading information to counter the disinformation pushed by the bad guys.<br
/><br
/>It used to take weeks to stamp out e-mail hoaxes. Now, the issue almost corrects itself as quickly as it is abused.<br
/><br
/><br
/><br
/><br
/><br
/><hr
/><p>On 25/02/10 At 03:12 PM</p>]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/this-you-whats-the-point-of-phishing-a-twitter-account/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Consoles for old games come with new malcode</title><link>http://www.thesecurityblog.com/2010/03/consoles-for-old-games-come-with-new-malcode/</link> <comments>http://www.thesecurityblog.com/2010/03/consoles-for-old-games-come-with-new-malcode/#comments</comments> <pubDate>Wed, 10 Mar 2010 15:40:00 +0000</pubDate> <dc:creator>Tom Kelchner</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[Sunbelt Software]]></category><guid
isPermaLink="false">tag:blogger.com,1999:blog-10854312.post-8167384356626286475</guid> <description><![CDATA[Be on the lookout for websites offering up &#8220;free applications&#8221; which come with a nasty sting in the tail. Here&#8217;s a typical example: Appzkeygen(dot)com If you like videogame consoles, you may be a fan of emulators (programs that ape lon...]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/consoles-for-old-games-come-with-new-malcode/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Internet Explorer 0-day targeted in spam runs</title><link>http://www.thesecurityblog.com/2010/03/internet-explorer-0-day-targeted-in-spam-runs/</link> <comments>http://www.thesecurityblog.com/2010/03/internet-explorer-0-day-targeted-in-spam-runs/#comments</comments> <pubDate>Wed, 10 Mar 2010 15:27:27 +0000</pubDate> <dc:creator>Fraser Howard, SophosLabs UK</dc:creator> <category><![CDATA[Threat Research]]></category> <category><![CDATA[Exploits]]></category> <category><![CDATA[Malware]]></category> <category><![CDATA[sophos]]></category> <category><![CDATA[SophosLabs]]></category> <category><![CDATA[Web]]></category><guid
isPermaLink="false">http://www.sophos.com/blogs/sophoslabs/?p=9030</guid> <description><![CDATA[Hot on the heels of the Patch Tuesday announcements yesterday (see blog or links to vulnerability assessment pages), came the announcement of a new zero-day in Internet Explorer (CVE-2010-0806).
Whilst checking through some URLs supposedly serving up malicious code to exploit this vulnerability, I noticed a link to some spam runs from earlier in the week. [...]]]></description> <wfw:commentRss>http://www.thesecurityblog.com/2010/03/internet-explorer-0-day-targeted-in-spam-runs/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>