A post in a support forum says customers should hear from Dell shortly. It does not provide any technical explanation of what type of spyware is included with the hardware or what extra cleaning process customers should go through.

Some forms of malware are likely to have spread if the hardware has been attached to a network. The forum post, from yesterday morning, is here.

The forum poster was concerned not to have more technical information – and that the call he received to book technical support said the call might not happen for up to ten days.

In response a Dell support staffer said there was an issue with a small number of service motherboard stock – new PowerEdge systems are not infected. He said the malware would not infect non-Windows servers.

Dell has also sent out the following statement:

“Dell is aware of the issue and is contacting affected customers. The issue affects a limited number of replacement motherboards in four servers – PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 – and only potentially manifests itself when a customer has a specific configuration and is not running current anti-virus software.

This issue does not affect systems as shipped from our factory and is limited to replacement parts only. Dell has removed all impacted motherboards from its service supply chain and new shipping replacement stock does not contain the malware.

Customers can find more information on Dell’s community forum.” – Forrest Norrod, vice president and general manager of server platforms at Dell.

Fortunately the forum has also been updated with information which answers some of the relevant questions – the malware was found in the flash on motherboards, not in firmware. It is a W32.Spybot worm which should be detected by any decent anti-virus software.

Dell said that less than one per cent of boards shipped have the infection. Systems using an iDRAC Express or iDRAC Enterprise card will not be damaged. In fact systems will only be hit if you run an update to either Unified Server Configurator (USC) or 32-bit Diagnostics.

The Pirate Bay

A series of attacks on The Pirate Bay, one of the most well known and controversial file-sharing websites has allowed a group of Argentinian hackers, headed by malware researcher Ch Russo, to access both the user database and the website administration panel of The Pirate Bay, comprising over 4 million usernames and email addresses in the process.

It is thought that the group first targeted the website administration panel on The Pirate Bay, the group succeeded and then employed a series of SQL injection vulnerabilities to gain access to the user database, where they were able to add and amend records and obtain information to identify trackers and torrents uploaded by specific users.

Ch Russo posted a cryptic message on his blog detailing reasons behind the attack:

As any other website, as any other system or mechanism, www.thepiratebay.org has robust parts and soft spots. We beleive that the people behind this comunity always acted with the local laws on their side, and so have we. The community caused problems to huge companies and corporations which turned into threats between this companies and them. What we have done, we did not do it with anger, or for commercial value. As always, we saw the change, the moment and decided to take it. The protocol or procedure done to achieve this wasn’t anything out of the ordinary.

As you can see, Russo acknowledges that the data would be of huge interest to anti-piracy groups like the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA). In a telephone interview with KrebsOnSecurity he said: “Probably these groups would be very interested in this information, but we are not [trying] to sell it,” adding “Instead we wanted to tell people that their information may not be so well protected.”

Screenshot of the backend of The Pirate Bay

According to Softpedia, the attackers have not been in contact with The Pirate Bay administrators since the attack but the offending weakness has since been identified and patched.

The website in this malicious iframe led to the download of a BREDOLAB variant detected as TROJ_BREDOLAB.BY (by Trend Micro). This malware family is well-known for being a downloader of other malware onto affected systems, particularly ZBOT and FAKEAV variants.

BREDOLAB first gained prominence in late 2009 when the number of reported infections significantly grew. Upon investigation by senior advanced threats researcher David Sancho, it was found that BREDOLAB was a new malware family similar to earlier PUSHDO variants.

Later investigations by senior advanced threats researcher Loucif Kharouni established the key role BREDOLAB plays in the criminal underworld. As mentioned earlier, cybercriminals running pay-per-install (PPI) scams frequently use BREDOLAB to infect user systems.

Botnet Model

Lenovo has acknowledged the incident on its official forum and has indicated that the affected pages have now been cleaned. Reports from Vietnamese antivirus vendor Bkis indicated that the pages have been infected since at least Sunday afternoon. Some users also reported getting antivirus warnings while visiting Lenovo’s download website since Saturday.

Users who did go to the Lenovo pages to download support materials from late on June 18 (Friday) to June 21 (Monday) may have been affected by this compromise and should check their systems accordingly.

This further proves the point that you should always have an antivirus program running on your computer at all times (and make sure its updated as well!). Even websites that you think are safe can fall victim to these types of attacks leaving everyone at risk. So be safe out there… cause the internet is one crazy place!

Those days are over. Recent iPad security scares are a sign that Apple’s devices are a growing target for hackers, spammers and malicious coders.

“Market share is a pretty good indicator of who hackers are going after,” said Kevin Haley, director at Symantec Security Response. “Hackers are motivated by money, so they want to get access to the most amount of people.”

Hacker group Goatse Security was able to obtain 114,000 iPad 3G users’ e-mail addresses and iPad SIM card ID numbers from AT&T’s website last week. The vulnerability was on AT&T’s site, but any hit against the iPad dings Apple as well. And in a blog post, Goatse Security said Monday that a “skilled attacker” could take advantage of a weakness in the iPad’s Safari Internet browser to launch a spam attack from a compromised iPad.

“This is a wake-up call for Apple, and it cannot afford to hit the snooze button,” said Hemanshu Nigam, founder of SSP Blue, a cybersecurity consulting firm. “The hacker community focuses on companies that are on the top of their games. Apple has gained enough market share that it has caught hackers’ attention.”

It’s not surprising that Apple is becoming a growing target — it’s simply a matter of scale. Cybercriminals try to hack the software that most people use to access the Internet, and increasingly, that software is made by Apple. While Apple’s PC market share is still in the single digits, Apple is now the second largest smart phone maker in the United States, behind only BlackBerry maker Research in Motion. It has also sold more than 2 million iPads in just two months.

“Any company’s device or platform on which lots and lots of people are exchanging or storing data is going to be susceptible to an attack,” said Fred Rica, principal security analyst at PricewaterhouseCoopers. “Hackers are beginning to change over to other platforms that hadn’t been traditional targets, particularly to mobile.”

As Apple products become higher-profile targets, its response is going to be tested. The company’s stance on security has long been “don’t worry about it.” For instance, on its website Apple says simply, “Mac OS X doesn’t get PC viruses.” The iPhone and iPad websites don’t even mention security.

Apple claims that the Unix framework that its Mac operating system is built on is inherently safer than Windows. The truth is that Mac OS has as many vulnerabilities as Windows, according to Nigam — Apple patches its products just often as Microsoft does.

In the past, Apple has responded quietly when vulnerabilities are exposed, patching products through automatic updates with no announcement. The company’s famous “Get a Mac” ads say Microsoft’s constant security updates and alerts interfere with users’ ability to do work on their computers. Ironically, Apple’s Safari browser’s lack of security alerts is one of the factors contributing to the security hole in the iPad, according to Goatse Security.

“Suggesting Apple doesn’t get viruses gives its users a completely false sense of security,” Nigam said. “It’s essentially taunting hackers. They’ll take it as a challenge, and just start exploiting Apple’s user base.” As a result, Nigam suggested it’s time for Apple to change it’s attitude. Right now, Apple prioritizes the user experience ahead of security. That can backfire. ”Apple has the capability to take charge of this situation now,” he said. “If it doesn’t, it’s risking damage to its reputation for the long haul, a la Microsoft.”

Escher Auernheimer, a security analyst with Goatse Security, said in an interview today that his firm “did the right thing” by going public about the hole in AT&T’s website.

UPDATE: AT&T sent a letter to Apple 3G iPad owners over the weekend that shed some light on AT&T’s position on the hack, according to a report in the New York Times. “On June 7 we learned that unauthorized computer ‘hackers’ maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service,” wrote Dorothy Attwood, a senior vice president and chief privacy officer at AT&T.

“The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity,” Atwood said.

Meanwhile, Goatse’s Auernheimer says the researchers went public with their findings via the Gawker website after AT&T fixed the flaw. They handed over the email address finds to Gawker, but stipulated that the site not publish the actual email addresses. “Our disclosure process was extremely proper and above and beyond,” Auernheimer says. “Many researchers do not wait for patches” before they disclose, he says.

“What influenced our decision was that there were so many people who were stewards of important infrastructure on the public and private list [exposed],” he says. “Someone else could have scraped this data.”

According to Auernheimer, his team got the data without a password or actual breach/intrusion. The researchers wrote a PHP script that grabbed the email addresses from the errant AT&T script. “It’s not uncommon to see this type of vulnerability,” he says.

The FBI’s involvement could be due to the high-profile iPad customers whose email addresses Goatse discovered, Auernheimer says. “We haven’t had any contact” with the FBI, however, he says. Meanwhile, the FBI issued this statement: “The FBI is aware of these possible computer intrusions and has opened an investigation to address the potential cyber threat.”

Among the email addresses Goatse was able to access were that of White House Chief of Staff Rahm Emanuel, New York City Mayor Michael Bloomberg, U.S. Air Force Col. William Eldridge, and New York Times Co. chief executive Janet Robinson, according to Gawker.

Security experts at Praetorian published the script written by Goatse. It basically grabs email addresses via the integrated circuit card identifiers that associate the iPad SIM card to a subscriber: “An e-mail address gets returned in the successful iterations (active ICCID) and parsed. There’s no hack, no infiltration, and no breach, just a really poorly designed web application that returns e-mail address when ICCID is passed to it,” Praetorian’s Daniel Kennedy blogged on Wednesday.

Meanwhile, Auernheimer has taken issue with AT&T’s claims that his firm acted maliciously. He says he released a semantic integer overflow exploit for Apple Safari in March, which was later patched on Apple’s desktop Safari but has not yet been fixed for the iPad.

“This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password bruteforce attacks and other undesirables. The kicker is that this attack cannot be detected by any current IDS/IPS system,” he blogged yesterday. “We released this in March, mind you, and Apple still hasn’t got around to patching this on the iPad! I know through personal experience that the patch time for an iPad vulnerability is over two months and counting. Given that, the number of parties which probably have active iPad exploits likely numbers in the hundreds, if not the thousands. The iPad simply is not a safe platform for those that require a secure environment.”

New data gathered from users of a free smartphone security tool shows the bad guys are increasingly going after smartphone users. According to Lookout, which offers a free lightweight mobile client with cloud-based security, backup, and anti-theft features, there were about nine pieces of malware and spyware per 100 smartphones as of last month — more than twice as many as in November 2009.

Even more worrisome is how rapidly these threats are hitting smartphones in comparison to the desktop: What took 15 years to evolve with the desktop machine is happening practically overnight in mobile handsets, security experts say. “We call this the 1999 factor: It feels like about 10 years ago in terms of prevalence of threats. There was a tipping point between 2000 and 2002 [for PC threats] that was driven by broadband” and more consumers going online, according to John Hering, CEO and founder of Lookout, formerly Flexilis. “The same trends are going to hold true here [with smartphones].”

Tyler Shields, senior security researcher with Veracode, says he has seen a definite uptick in malware arriving for smartphones during the past few months. “It’s coming at a much faster rate now. It’s difficult to quantify the amount of growth,” however, he says. Shields earlier this year developed and released proof-of-concept source code for a spyware app he created that forces a BlackBerry to hand over its contacts and messages. The spyware can also can grab text messages, listen in on the victim, as well as track his physical location via the phone’s GPS.

Spyware is the main type of malware Lookout sees being created for BlackBerrys, while Windows Mobile phones suffer more from traditional malware, and Androids from a little of both, according to Lookout’s data. “We’re seeing a pretty equal spread [of the threats] across these platforms,” Lookout’s Hering says. The firm doesn’t yet support the Apple iPhone in its app, so data on the iPhone isn’t included.

Why mostly spyware on the BlackBerry? Veracode’s Shields says it might be due to the heavy corporate use of BlackBerrys, which would make any data lifted from them more easily monetized. “The type of data on a BlackBerry generally is going to be corporate-centric and could be of interest to attackers,” he says.

A recent malware attack against Windows Mobile phones basically took an existing, legitimate smartphone app and booby-trapped it with malware: The 3D Anti-Terrorist app game for Windows Mobile was rewritten with auto-dialer malware, according to Lookout’s Hering. The app basically fires up the auto-dialer malware when the user runs the game. “It sits dormant for hours or days, and then wakes up and calls numbers at a premium rate — from Somalia to the South Pole,” for instance, he says. “The victim is then incurring charges but doesn’t notice until [he] receives the phone bill.”

A Windows codec and poker app also were hijacked, copied, and repackaged with malware. The apps are being distributed via typical mobile download and app store sites, such as sharewareplaza.com, geardownload.com, myzips.com, and top4download.com. “We’re seeing the same evolution on mobile as on the desktop: It’s going from notoriety [purposes] to trying to profit,” Hering says.

The malware attack vector being used against smartphones isn’t the SMS or email spam that was all the rage in the early days of mobile attacks. Instead, it’s following smartphone user behavior trends and exploiting downloadable applications, experts say. “Users are downloading apps at a huge pace,” Hering says.

And smartphones are actually more “personal” than PCs. They include GPS location, payment information, email, text messages, and records of who a user communicates with. Hering says today’s smartphone malware is all about grabbing personal information and, now, attempting to monetize it. “On the spyware side, you can imagine an app grabbing personal data that you’re unaware of [occurring] and transmitting that to a third-party location” where it can be resold, for example, he says.

Meanwhile, enterprises should be aware of the risks of breaches via their smartphone users. “They should be worried about this,” Hering says.

But the likelihood of another Operation Aurora-scale targeted attack isn’t as likely to hit via the smartphone just yet: “At this point in time, the PC [attack] model is so much easier and faster. I don’t foresee that level of coordination to target mobile devices at this point,” Veracode’s Shields says.

According to security firm Sophos, hundreds of thousands of users have already fallen for this new “likejacking” trick thanks to the clever and tantalizing linkbait the spammers use to entice people to click their links. For example:

“LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE.”

“This man takes a picture of himself EVERYDAY for 8 YEARS!!”

“The Prom Dress That Got This Girl Suspended From School.”

After clicking through on a link, victims don’t get to see the promised content, but rather a blank page reading “click here to continue.” This page contains the clickjacking worm (Troj/Iframe-ET) embedded via an invisible link. Click anywhere on the page and the message is posted to your profile and News Feed, allowing the worm to further its spread.

This particular exploit is made possible by way of Facebook’s new “like button” and its associated developer code. According to the Like Button documentation, the buttons can be customized with meta data that includes things like the title of the webpage, the name of the Web site and the URL of a picture for the page. By customizing these fields, spammers and hackers can easily create links that are, in fact, malicious “likes.”

The popularity of this particular attack vector is not surprising. Soon after the launch of the Facebook like button, it has been reported on its potential as a threat, noting how incredibly easy it is to create like buttons that link to anything on the web – even pages you have never visited.

It was only a matter of time before spammers and hackers started exploiting this weakness for their own purposes. (Frankly, many are surprised it took this long.)

The problem has to do with the overly simple way Facebook has implemented the “like button” feature. Non-developers can plug a URL into a wizard that generates code which can be copied and pasted anywhere on the Web. Like buttons created this way or manually, via handwritten code, will function properly even if they point to a webpage that’s on a different domain from the page where the button is being hosted.

Kyle Bragger, a Web entrepreneur who just launched Forrst, an online community for developers and designers, warned Facebook users of “like fraud” back in April by way of personal blog post. To circumvent potential likejacking attempts such as these, he created a Facebook “like” bookmarklet which safely “likes” the page you’re on, allowing you to feel secure that you’re actually liking the real thing and not some shady linkbait. (Or likebait, if you will).

If you’ve been hit with this likejacking attack, the best you can do is remove the like from your profile and delete the post from your News Feed. You might want to apologize to your friends with a Facebook status update, too.

Is your computer secure?

Have you got $67 burning a hole in your pocket? Then you can rent a botnet for 24 hours to launch distributed denial of service (DDoS) attacks, sell fake antivirus software and relay spam to unsuspecting email users via millions of compromised — aka zombie — PCs. Or if you only need an hour, that’s just $9.

Those findings come from iDefense VeriSign’s security intelligence service, which studied 25 black market botnet offerings. Based on the company’s research, botnets are becoming increasingly commoditized, with sellers freely hawking their wares via online forums and banner advertising.

“Organizations need to be wary of the fact that their critical online applications or services could be taken down in under a day by a criminal renting services from bot herders,” said Rick Howard, director of intelligence at iDefense, in a statement.

Unfortunately, the easy access to botnets, as well as the emergence of more automated botnet software, has lowered the botnet barrier to entry for less technologically inclined or well-connected criminals.

In March, for example, Spanish police arrested the three alleged masterminds behind the Marisposa botnet, which ran undetected for six months, compromising more than 12 million PCs, many at blue-chip firms and banks.

“Our preliminary analysis indicates that the botmasters did not have advanced hacking skills,” Pedro Bustamante, senior research adviser with Panda Security, told the Guardian. “This is very alarming because it proves how sophisticated and effective malware distribution software has become, empowering relatively unskilled cyber criminals to inflict major damage and financial loss.”

Mariposa may now be defect, but one of the most well-known botnet tools, Zeus, is still alive and well. According to a recent report from managed security services provider SecureWorks, “Zeus is sold in the criminal underground as a kit for around $3,000-4,000, and is likely the one malware most utilized by criminals specializing in financial fraud.”

Customize Zeus with numerous add-ons: virtual networking to take over an infected PC ($10,000), an upgrade for attacking Windows 7 or Vista ($2,000), Jabber IM broadcasting to receive stolen data in real time ($500), a Firefox form grabber ($2,000) and a back-connect module for making financial transactions from an infected PC ($1,500). Interestingly, the Zeus application also includes sophisticated anti-piracy features.

If the going rate for renting a botnet or buying the right software seems steep, antivirus vendor Sunbelt recently said that it’s been tracking a Twitter-controlled botnet that can be used to launch DDoS attacks. Dubbed TwitterNET Builder, the tool — available at no charge — lets an attacker simply enter a Twitter username and hit “build” to generate the required malware.

Thankfully, the tool’s reliance on public Twitter commands for control means that attackers get what they pay for. “We’ve notified Twitter about this bot creation system, and they’re looking into it,” said Boyd. In other words, don’t try this at home.

Example of a Server Room.

At the Federal Trade Commission’s request, a district court judge has permanently shut down 3FN, a rogue Internet service provider that recruited, hosted, and actively participated in the distribution of spam, spyware, child pornography, and other illegal content.

The ISP’s computer servers and other assets have been seized and will be sold by a court-appointed receiver. The operation has been ordered to turn over $1.08 million in ill-gotten gains to the FTC.

In June 2009, the FTC charged that 3FN, which does business under a variety of names, actively recruited and colluded with criminals to distribute harmful electronic content, including spyware, viruses, Trojan horses, phishing schemes, botnet command-and-control (C&C) servers, and pornography. The FTC alleged that the defendant advertised its services in the darkest corners of the Internet, including a chat room for spammers.

The FTC complaint alleged that 3FN actively shielded its criminal clientele by either ignoring takedown requests issued by the online security community, or by shifting its criminal elements to other Internet protocol addresses it controlled to evade detection.

The FTC also alleged that 3FN deployed and operated botnets. According to the FTC, the defendant recruited bot herders and hosted the C&C servers.

Transcripts of instant-message logs filed with the district court show the defendants’ senior employees discussing the configuration of botnets with bot herders. And, in filings with the district court, the FTC alleged that more than 4,500 malicious software programs were controlled by C&C servers hosted by 3FN.

This malware included programs capable of keystroke logging, password stealing, and data theft; programs with hidden backdoor remote control activity; and programs involved in spam distribution, the FTC said.

On June 15, 2009, the court issued a preliminary injunction to prohibit 3FN’s illegal activities and require its upstream Internet providers and data centers to stop providing services to 3FN.

The court has now ordered a permanent bar on the illegal activities of 3FN and its agents. It has appointed a receiver and instructed him to liquidate the operation’s assets.

The defendants named in the FTC’s complaint are Pricewert LLC, also doing business as 3FN.net, Triple Fiber Network, APS Telecom, APX Telecom, APS Communications, and APS Communication.

Clicking the link will take you to what seems like a Facebook application which then tells you that your video player is out of date – and encourages you to download a file.

If you do, then the same “video” plus link gets posted using your avatar to al your friends on Facebook -– meaning it is spreading virally.

It’s not clear at present whether Facebook has acted to halt it. You should, however, expect that it will mutate in the coming hours/days (depending on how determined the virus writer is), so it might not be exactly that message or video frame. The key element in the attack is that it tells you to download a file.

At Sophos, Graham Cluley notes that:

“Judging by the number of messages posted on Facebook, thousands of people received this attack. If you were one of them, you should scan your computer with an up-to-date anti-virus, change your passwords, review your Facebook application settings, and learn not to be so quick as to fall for a simple social engineering trick like this in future.”

The file seems to install a piece of adware called Hotbar, which thus generates revenue for the malware writer. (About Hotbar: “displays a dynamic toolbar and targeted pop-up ads based on its monitoring of Web-browsing activity. The toolbar appears in Internet Explorer and Windows Explorer. The toolbar contains buttons that can change depending on the current Web page and keywords on the page. Clicking a button on the toolbar may open an advertiser Web site or paid search site. Hotbar also installs graphical skins for Internet Explorer, Outlook, and Outlook Express. Hotbar may collect user-related information and may silently download and run updates or other code from its servers.”)

Microsoft is, separately, strongly encouraging people and companies to stop using Internet Explorer 6, using the argument that “you wouldn’t drink 9-year-old milk, so why use a 9-year-old browser?”

Though aimed at the Australian market (possibly IE6 has a higher prevalence there due to some geographical quirk), the arguments for abandoning IE6 are stronger than ever, and have been repeated many times – not least on this site (the browser that won’t die, why the NHS can’t get its browser act together). And of course it is widely believed – though so far not confirmed – that IE6 was the vector for an attack against Google by Chinese hackers at the end of last year.

In its April 2010 security report, Symantec said it has detected 36,208 unique strains of malware that were designed to carry out targeted attacks.

MessageLabs, which was acquired by Symantec later, was the first one to raise the alert on the Love Bug virus, which was designed to overwrite and destroy data. The virus came in the form of a message attachment when, once opened, sent itself to the addresses of the email recipient and spread on from there.

Ten years since Symantec Hosted Services, then MessageLabs, intercepted 13,000 copies of the virus in a single day on 4 May 2000, MessageLabs Intelligence said it now stops 1.5 million copies of malicious e-mails each day.

“Although mass mailing viruses like the Love Bug are rare today, cyber criminals’ techniques have evolved to more malicious, highly targeted attacks and they are motivated less by achievement and credibility than by financial gain and identity theft,” Symantec said in a statement. “On 4 May, 2000, 1 in 28 e-mails contained the Love Bug virus. By comparison, 1 in 287.2 e-mails contained a virus on 9 April 2010, the peak for April. In April 2010 overall, MessageLabs Intelligence intercepted 36,208 unique strains of malware.”

“The Love Bug was operating in the wake of the Melissa virus, a similarly destructive worm from the previous year,” said MessageLabs Intelligence senior analyst Paul Wood. “Back then, users were less savvy, regarding the dangers posed by suspicious e-mail attachments and e-mails from unknown senders. The general public was also less aware of issues such as spam and denial of service attacks.”

Bot Attacks

The April 2010 MessageLabs Intelligence Report also revealed that Rustock has surpassed Cutwail as the biggest botnet both in terms of the amount of spam it sends and the amount of active bots under its control.

The report noted that Rustock has reduced the output of individual bots by 65 per cent but increased the number of active bots by 300 per cent, thus, making up for the decreased output. Meanwhile, Cutwail has reduced in size to 600,000 bots from two million bots in May 2009 and is now responsible for only four per cent of all spam. “Rustock remains the largest spam-sending botnet responsible for 32.8 per cent of all spam,” the report read.

“Affected by the closure of ISP Real Host in August 2009, Cutwail likely lost the ability to update some of its bots causing its numbers to diminish greatly without the ability to recover,” said Wood. “As a result, Rustock has taken over significant volumes from spammers by undercutting the market with greater capacity and lower operational costs.”

Spam

Worldwide, the spam rate this month was pegged at 89.9 per cent, a drop of 0.8 per cent from the previous month. In the region, Malaysia and Singapore also saw a drop in the spam rate to 87.7 per cent, and 87.6 per cent respectively, the report added.

“Spam is more commonly sent from computers running Windows than from those running other operating systems,” Wood said. “However, spam not identified as coming from botnets was seen in lower proportions coming from Windows machines than from known botnets.”

Researchers at BitDefender, BKIS, and Symantec today each separately warned Yahoo Messenger users about the worm attack, which is rapidly growing. Catalin Coisoi, senior malware and virus researcher for BitDefender, based in Romania, says his team has seen infection rates as high as 500 percent per hour in his home country since they first spotted it last week. “Today it started spreading like wildfire,” Coisoi says.

He says the socially engineered message appears to be capitalizing on the May 1 national holiday in Romania. “People expect to see pictures [from their friends and colleagues] after a national holiday,” he says. But he also expects the worm to make inroads in the U.S. today and tomorrow, with potential victims coming off of a weekend.

The worm — known as Palevo by BitDefender, W32.Ymfocard.fam.Botnet by BKIS, and W32.Yimfoca by Symantec — is a new variant of an existing worm. In the Yahoo IM attack, it tricks the user into saving what appears to be a JPG or GIF file, but instead is a malicious executable.

BitDefender says the worm contains a backdoor, which lets an attacker take over the victim’s compromised machine, to install more malware, steal files, intercept passwords, and launch spam or other malware attacks on other systems. It’s also spreading the way the infamous Conficker worm has done, via network shares and removable USB drives using the Autorun feature. When an infected memory stick gets loaded into a machine with Autorun enabled or unprotected, the machine can automatically be infected with the worm.

“You can do anything you want with a backdoor — keylogging to search for passwords, or it could be a botnet,” Coisoi says. “It offers the attacker full system access.”

It also spreads via peer-to-peer sharing sites, such as Kazaa and LimeWire which are all too easy to pack these types of files in with movies files and software cracks.

The good news: Because it drops an .exe file, it requires the user to run it for it to go live. According to Symantec, once the worm is run, it adds itself to the Windows Firewall list, stops the Windows Update service, and configures itself such that it runs each time the system boots. The worm automatically sends itself to everyone on the victim’s contact list.

“The nature of this attack is nothing new, because some worms already used this way of attack,” BKIS researchers blogged. “However, it is always potentially dangerous to [unaware] users. Bad guys have integrated some phishing elements to trick [the] user into clicking the link and then opening the downloaded file.”

So basically, if someone sends you a link via an instant message out of the blue, it might be best to double check with them what exactly they are sending you, so you don’t fall victim to this new worm.

1)    Your fan kicks into overdrive when your computer is idle
This can indicate that a program is running without your knowledge and using a fair amount of resources. Of course this could also be a bunch of Microsoft updates being installed. Another problem that can cause the fan to kick in like that is excessive dirt in the computer or a failing CPU fan.

2)    Your computer takes a long time to shut down, or won’t shut down properly
Oftentimes malicious software has bugs in it that can cause a variety of symptoms, including long shut down times of a failure to shut down. Unfortunately, operating system bugs and conflicts with legitimate programs may cause the same symptom.

3)    You see a list of outbound Wall posts you didn’t send on your Facebook page (see below)

There are few reasons other than malicious software or having your account hacked that would cause this problem. If you see this happening, you definitely want to change your password and make sure you computer is not infected. Best to make sure your computer is not infected before changing your password!!! Don’t use your Facebook password on multiple sites!!!

4)    Programs are running very slowly
This can be a sign that hidden programs are using a lot of your computer’s resources. This also can be a sign of other problems. On Windows systems if there are 10,000 files or more in a single directory it can really bring a system to a crawl.

5)    You cannot download operating system updates
This is a symptom you cannot ignore. Even if it isn’t a bot or other malware, if you don’t keep your system patched your computer probably will get infected.

6)    You cannot download antivirus software updates / visit vendors’ websites
Malware often tries to prevent antivirus software from running or being installed. An inability to update your antivirus software or visit the vendor’s web site is a pretty strong indicator of malware.

7)    Internet access slows to a crawl
If a bot is using your computer to send massive amounts of spam or participate in an attack against other computers, or to upload or download a lot of data it can make your internet access very slow.

8)    Your friends and family have received e-mail message from you that you did not send
This can be a sign of a bot, other malicious software, or that your webmail account has been hacked.

9)    You receive pop-up windows and advertisements even when you are not using a web browser
While this is a classic sign of adware, bots can install adware on your computer. You definitely want to get this problem taken care of.

10)    Windows Task manager shows programs with very cryptic names or descriptions (the highlighted line is the example)

Using task manager requires some skill and research. Sometimes legitimate software uses cryptic names as well. An entry in task manager is generally not enough to identify a program as being bad. This can help you find bad programs, but many additional steps must be performed to validate you findings. Killing processes and deleting files or registry entries because you “think” it is a bot or other malware can result in the inability to even boot your computer. Be very careful of making assumptions and acting on them.

Although this doesn’t cover everything that could mean you are part of a botnet, this is a good list of the major signs you will see, and means you need to get your computer cleaned ASAP!

Those are three examples of how Facebook is moving quickly to make the Internet one big personalized social network, setting up the Palo Alto firm as the default communications platform for what some observers are already calling Web 3.0.

The possibilities are exciting to marketers and Web site operators – and alarming to digital privacy advocates.

“Facebook wants to be the center of the social Web,” said Debra Aho Williamson, senior analyst for the research firm eMarketer Inc. Whether the company succeeds, “we’re going to have to wait and see,” she said. “The biggest question to me is whether consumers and companies are going to want to cede the social Web to Facebook. And maybe some privacy concerns will come out that we haven’t even thought about yet.”

Last week at its developers conference in San Francisco, Facebook Inc. introduced an ambitious plan to export the Facebook experience to all Web sites, using “social plug-ins” like a new “Like” button to link news stories, restaurant reviews, movie data, product information and other content to a Facebook user’s network.

Chief Executive Officer Mark Zuckerberg outlined his vision of linking the “social graphs” of the more than 400 million Facebook users to the rest of the Internet, creating an efficient, interconnected Web of social interactions.

Companies jump in:

Numerous companies are already on board with the plan, including Yelp, CNN, the New York Times, IMDb, Time Inc., Fandango, the National Hockey League, USA Networks, Levi Strauss, Univision and ABC-TV.

They hope that tapping into a beehive of social activity yields a wealth of customer data that leads to more product sales or advertising opportunities. And combined with Facebook’s growing reach into the Web, “marketers realized they needed to fish where the fish are,” Willamson said.

Job searches:

For job search firm Simply Hired Inc., integrating Facebook into its Web site with just a few lines of computer code will provide useful tools for job seekers, said Dion Lim, the Mountain View firm’s president and chief operating officer.

Once a Facebook member signs in, photos of Facebook friends are displayed, and the site automatically finds listed jobs for each of their employers. Simply Hired can also tap the visiting Facebook member’s profile for interests or fan pages and suggest jobs available in those fields.

“What’s so compelling is that the information we are leveraging is creating high amounts of utility for the user,” Lim said. And, he added, “you can opt out at any moment.”

Facebook’s frequent changes to its pages or policies always lead to complaints. That happened in December when the company said it was changing privacy settings to give members more control over their information, even though critics said the opposite was true. This time, some members set up a fan page to criticize a new Instant Personalization setting installed in all members’ profiles to control information accessed by the social plug-ins.

Kurt Opsahl, a senior attorney with the Electronic Frontier Foundation, criticized the fact that Instant Personalization is by default set to share user information and is time-consuming to change.

“Your friends could be giving away information like your name, your gender, your community interests and pages to the Web sites they chose to interact with,” Opsahl said.

Opting out:

Opsahl posted a detailed video showing the exact steps needed to opt out of allowing Instant Personalization access, including separate actions needed to block applications like Microsoft Docs, Pandora and Yelp.

“There appears to be a number of people out there who think they’ve opted out, but they have not completed the process,” Opsahl said. “What people want and need is to have control over their information.”

Researchers at VeriSign’s iDefense group recently spotted Kirllos selling Facebook user names and passwords in an underground hacker forum, but what really caught their attention was the volume of credentials he had for sale: 1.5 million accounts.

IDefense doesn’t know if Kirllos’ accounts are legitimate, and Facebook didn’t respond to messages Thursday seeking comment. If they are legitimate, he has the account information of about one in every 300 Facebook users. His asking price varies from $25 to $45 per 1,000 accounts, depending on the number of contacts each user has.

To date, Kirllos seems to have sold close to 700,000 accounts, according to VeriSign Director of Cyber Intelligence Rick Howard. Hackers have been selling stolen social-networking credentials for a while — VeriSign has seen a brisk trade in names and passwords for Russia’s VKontakte, for example. But now the trend is to go after global targets such as Facebook, Howard said.

Facebook has more than 400 million users worldwide, many of whom fall victim to scams each day. In one such scam, criminals send out messages from a compromised account, telling friends that the account’s owner is trapped in a foreign country and needs money to get home.

In another, they send Web links that lead to malicious software, telling friends that it’s a hilarious or sensationalistic video.

“People will follow it because they believe it was a friend that told them to go to this link,” said Randy Abrams, director of technical education with security vendor Eset. Once the malware gets installed, criminals can steal more passwords, break into bank accounts, or simply use the computers to send spam or launch distributed denial of service attacks. “There’s just a plethora of things that people can do if they can trick people into installing their software,” he said.

Kirllos’ Facebook prices are extremely cheap compared to what others are charging. In its most recent Internet Security Threat Report, Symantec found that e-mail usernames and passwords typically went for between $1 to $20 per account — Kirllos wants as little as $0.025 per Facebook account. More coveted credit card or bank account details can go for much more, ranging between $0.85 to $30 for credit card numbers to $15 to $850 for top-quality online bank accounts.

Unlike its predecessors, however, this sample uses the file name AV.exe. If users are not into computers, they may think this is a valid antivirus application. It uses registry shell spawning as autostart technique, which means the malware is executed every time a user runs files that have the .EXE file name extension. It also uses any of the following application names:

• %1 Antispyware 2010
• Antivirus %1 2010
• %1 Guardian 2010
• %1 Guardian
• %1 Defender 2010
• %1 Antivirus
• %1 Antivirus 2010
• %1 Antivirus Pro
• %1 Antivirus Pro 2010
• %1 Internet Security
• %1 Internet Security 2010

Note that %1 refers to the OS installed on the affected machine. This makes the malware flexible in that it is able to take advantage of the features of an infected user’s OS.

Whenever an infected user attempts to access the Internet via Internet Explorer (IE) or Firefox, this malware displays warning messages saying these browsers are malicious. (Internet Explorer on the left and Firefox on the right)

This may cause the user to panic since these are two of the most commonly used browsers. Users who are tricked into purchasing the bogus product are redirected to multiple rogue antivirus domains.

This list ensures that the malware can access other domains even if some have already been taken down. Lastly, this malware does not allow users to execute files from security companies, which prevents the affected user from scanning the affected computer.

When faced with these kinds of false alarms, I would urge users to calm down and avoid purchasing rogue antivirus products. This does not help solve the problem. Instead, it makes things even worse, as this is just a waste of hard-earned money.

This is only the latest tactic seen from the perpetrators of rogue antivirus malware. Recently, advanced threats researchers spotted another FAKEAV run using Sandra Bullock’s recent marital difficulties to spread malware. If you have any questions about this type of malware, please feel free to contact me and I will be glad to answer any of your questions.

In the space of only two days, February 8 and 9, the HTML/Goldun.AXT campaign detected by Fortinet accounted for more than half the total malware detected for February, which gives some indication of its unusual scale.

The attack itself takes the form of a spam e-mail with an attachment, report.zip, which if clicked automatically downloads a rogue antivirus product called Security Tool. It is also being distributed using manipulated search engine optimisation (SEO) on Google and other providers.

Such scams have been common on the Internet for more than a year, but this particular one features a more recently-evolved sting in the tail. The product doesn’t just ask the infected user to buy a useless license in the mode of scareware, it locks applications and data on the PC, offering access only when a payment has been made through the single functioning application left, Internet Explorer.

What’s new, then, is that old-style scareware has turned into a default ransom-oriented approach. The former assumes that users won’t know they are being scammed, while the latter assumes they will but won’t know what to do about it.

The technique is slowly becoming more common — see the Vundo attack of a year ago — but what is also different is the size of this attack, one of the largest ever seen by Fortinet for a single malware campaign.

Fortinet notes that Security Tool is really a reheat of an old campaign from November 2008, which pushed the notorious rogue antivirus product Total Security as a way of infecting users with a keylogging Trojan.

“This is a great example of how tried and true attack techniques/social engineering can be recycled into future attacks,” says Fortinet’s analysis.

According to Fortinet, the “engine” pushing the spike in ransom-based malware is believed to be the highly-resilient Cutwail/Pushdo botnet, the same spam and DDoS system behind a number of campaigns in the last three years including the recent pestering of PayPal and Twitter sites.

In a security advisory issued late Monday, Microsoft confirmed the unpatched bug in VBScript that Polish researcher Maurycy Prodeus had revealed Friday, offered more information on the flaw and provided some advice on how to protect PCs until a patch shipped.

“The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer,” read the advisory. “If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user.”

Last week, Prodeus called the bug a “logic flaw,” and said attackers could exploit it by feeding users malicious code disguised as a Windows help file — such files have a “.hlp” extension — then convincing them to press the F1 key when a pop-up appeared. He rated the vulnerability as “medium” because of the required user interaction.

Windows 2000, Windows XP and Windows Server 2003 are impacted by the bug, said Microsoft, and any supported versions of Internet Explorer (IE) on those operating systems — including IE6 on Windows XP — could be leveraged by attackers. Previously, Prodeus had said that users running IE7 and IE8 were at risk, but had not called out IE6.

Until a patch is ready, users can protect themselves by not pressing the F1 key if a Web site tells them to, said Microsoft. ”As an interim workaround, users are advised to avoid pressing F1 on dialogs presented from Web pages or other Internet content,” said David Ross with the Microsoft Security Response Center (MSRC) engineering staff in a blog entry on Monday.

“The prompt can appear repeatedly when dismissed, nagging the user to press the F1 key,” Ross added.

The security advisory made the same recommendation: “Our analysis shows that if users do not press the F1 key on their keyboard, the vulnerability cannot be exploited.” Users can also stymie attacks by disabling Windows Help. The advisory explained how to entering a one-line command at a Windows command-line prompt to lock down the Help system.

The company took Prodeus to task for taking the bug public, something it regularly does when researchers disclose a vulnerability or post sample attack code before a patch is available.

“Microsoft is concerned that this vulnerability was not responsibly disclosed, potentially putting customers at risk,” said Jerry Bryant, a senior manager with the MSRC, in an e-mail. By Prodeus’ account, he notified Microsoft of the flaw Feb. 1, about four weeks before publishing his findings.

Microsoft has not set a timeline for a fix, saying only that, “Microsoft will take the appropriate action to help protect our customers.” The next scheduled security patch date for the company is March 9.

Although it does not rate the severity of vulnerabilities in its advisories, Microsoft noted that hackers exploiting the VBScript flaw using Windows Help and Internet Explorer could grab complete control of a Windows system. Customers running Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2 are safe from such attacks, Microsoft said.

Months of investigations by the Guardia Civil in Spain, the FBI and security firm Panda Security and Defence Intelligence led to the takedown of the 12.7 million strong zombie network in December and the arrest of three suspects in Spain two months later.

At a press conference announcing the operation in Madrid on Wednesday, Spanish police said they recovered the personal details of 800,000 people from systems recovered from three alleged cybercriminals. This cache of stolen information includes bank login credentials from businesses and consumers as well as email passwords.

Three Spanish residents suspected of running the botnet have been charged with online offences: the most senior alleged botmaster, nicknamed “Netkairo”, 31, from Balmaseda in the spanish province of Vizcaya, as well as his two alleged lieutenants JPR, 30, from Molina de Segura Murcia and JBR, 25, from Santiago de Compostela in La Coruña. None of the suspects have been named at this stage of proceedings.

In a statement (in Spanish here), Guardia Civil officers said they were also on the trail of a fourth suspect nicknamed Phoenix, who’s possibly based in Venezuela.

Defence Intelligence discovered the botnet last May and formed a team that brought in security experts from Bilbao-based Panda and computer scientists at Georgia Tech Information Security Center. Security researchers infiltrated the botnet’s command and control systems, learning enough to mount a successful takedown operation in cooperation with ISPs on 23 December.

Netkairo responded to this by launching a retaliatory denial of service attack against Defence Intelligence that took out customers at a Canadian ISP for several hours. In wrestling to obtain control of the botnet he made the mistake of connecting to compromised systems using his home PC, a mistake that led to his identification.

Luis Corrons, technical director of PandaLabs, explains the Mariposa botnet’s business model and the takedown operation in a video below.

A botnet is a network of infected computers under the control of hackers.

The firm said that closing the domains would mean that up to 90,000 PCs would stop receiving orders to send out spam.

A recent analysis by the firm found that between 3-21 December “approximately 651 million spam e-mails attributable to Waledac were directed to Hotmail accounts alone”. It said it was one of the 10 largest botnets in the US.

Machines in a botnet have usually been infected by a computer virus or worm. Typically, users do not know their machine has been hijacked.

Microsoft said that although it had effectively shut down the network, thousands of computers would still be infected with malware and advised people to run anti-virus software. The court order was part of what was called “Operation b49″.

Along with intelligence organisation Shadowserver, the University of Washington and security firm Symantec, Microsoft managed to get a court in Alexandria, Virginia, to force Verisign, which manages the .com domain, to temporarily switch off the domains.

Microsoft said it was the result of months of investigation and described it as a legal first.

“This action has quickly and effectively cut off traffic to Waledac at the .com or domain registry level, severing the connection between the command and control centres of the botnet and most of its thousands of zombie computers around the world.”