A post in a support forum says customers should hear from Dell shortly. It does not provide any technical explanation of what type of spyware is included with the hardware or what extra cleaning process customers should go through.

Some forms of malware are likely to have spread if the hardware has been attached to a network. The forum post, from yesterday morning, is here.

The forum poster was concerned not to have more technical information – and that the call he received to book technical support said the call might not happen for up to ten days.

In response a Dell support staffer said there was an issue with a small number of service motherboard stock – new PowerEdge systems are not infected. He said the malware would not infect non-Windows servers.

Dell has also sent out the following statement:

“Dell is aware of the issue and is contacting affected customers. The issue affects a limited number of replacement motherboards in four servers – PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 – and only potentially manifests itself when a customer has a specific configuration and is not running current anti-virus software.

This issue does not affect systems as shipped from our factory and is limited to replacement parts only. Dell has removed all impacted motherboards from its service supply chain and new shipping replacement stock does not contain the malware.

Customers can find more information on Dell’s community forum.” – Forrest Norrod, vice president and general manager of server platforms at Dell.

Fortunately the forum has also been updated with information which answers some of the relevant questions – the malware was found in the flash on motherboards, not in firmware. It is a W32.Spybot worm which should be detected by any decent anti-virus software.

Dell said that less than one per cent of boards shipped have the infection. Systems using an iDRAC Express or iDRAC Enterprise card will not be damaged. In fact systems will only be hit if you run an update to either Unified Server Configurator (USC) or 32-bit Diagnostics.

The Pirate Bay

A series of attacks on The Pirate Bay, one of the most well known and controversial file-sharing websites has allowed a group of Argentinian hackers, headed by malware researcher Ch Russo, to access both the user database and the website administration panel of The Pirate Bay, comprising over 4 million usernames and email addresses in the process.

It is thought that the group first targeted the website administration panel on The Pirate Bay, the group succeeded and then employed a series of SQL injection vulnerabilities to gain access to the user database, where they were able to add and amend records and obtain information to identify trackers and torrents uploaded by specific users.

Ch Russo posted a cryptic message on his blog detailing reasons behind the attack:

As any other website, as any other system or mechanism, www.thepiratebay.org has robust parts and soft spots. We beleive that the people behind this comunity always acted with the local laws on their side, and so have we. The community caused problems to huge companies and corporations which turned into threats between this companies and them. What we have done, we did not do it with anger, or for commercial value. As always, we saw the change, the moment and decided to take it. The protocol or procedure done to achieve this wasn’t anything out of the ordinary.

As you can see, Russo acknowledges that the data would be of huge interest to anti-piracy groups like the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA). In a telephone interview with KrebsOnSecurity he said: “Probably these groups would be very interested in this information, but we are not [trying] to sell it,” adding “Instead we wanted to tell people that their information may not be so well protected.”

Screenshot of the backend of The Pirate Bay

According to Softpedia, the attackers have not been in contact with The Pirate Bay administrators since the attack but the offending weakness has since been identified and patched.

The website in this malicious iframe led to the download of a BREDOLAB variant detected as TROJ_BREDOLAB.BY (by Trend Micro). This malware family is well-known for being a downloader of other malware onto affected systems, particularly ZBOT and FAKEAV variants.

BREDOLAB first gained prominence in late 2009 when the number of reported infections significantly grew. Upon investigation by senior advanced threats researcher David Sancho, it was found that BREDOLAB was a new malware family similar to earlier PUSHDO variants.

Later investigations by senior advanced threats researcher Loucif Kharouni established the key role BREDOLAB plays in the criminal underworld. As mentioned earlier, cybercriminals running pay-per-install (PPI) scams frequently use BREDOLAB to infect user systems.

Botnet Model

Lenovo has acknowledged the incident on its official forum and has indicated that the affected pages have now been cleaned. Reports from Vietnamese antivirus vendor Bkis indicated that the pages have been infected since at least Sunday afternoon. Some users also reported getting antivirus warnings while visiting Lenovo’s download website since Saturday.

Users who did go to the Lenovo pages to download support materials from late on June 18 (Friday) to June 21 (Monday) may have been affected by this compromise and should check their systems accordingly.

This further proves the point that you should always have an antivirus program running on your computer at all times (and make sure its updated as well!). Even websites that you think are safe can fall victim to these types of attacks leaving everyone at risk. So be safe out there… cause the internet is one crazy place!

Those days are over. Recent iPad security scares are a sign that Apple’s devices are a growing target for hackers, spammers and malicious coders.

“Market share is a pretty good indicator of who hackers are going after,” said Kevin Haley, director at Symantec Security Response. “Hackers are motivated by money, so they want to get access to the most amount of people.”

Hacker group Goatse Security was able to obtain 114,000 iPad 3G users’ e-mail addresses and iPad SIM card ID numbers from AT&T’s website last week. The vulnerability was on AT&T’s site, but any hit against the iPad dings Apple as well. And in a blog post, Goatse Security said Monday that a “skilled attacker” could take advantage of a weakness in the iPad’s Safari Internet browser to launch a spam attack from a compromised iPad.

“This is a wake-up call for Apple, and it cannot afford to hit the snooze button,” said Hemanshu Nigam, founder of SSP Blue, a cybersecurity consulting firm. “The hacker community focuses on companies that are on the top of their games. Apple has gained enough market share that it has caught hackers’ attention.”

It’s not surprising that Apple is becoming a growing target — it’s simply a matter of scale. Cybercriminals try to hack the software that most people use to access the Internet, and increasingly, that software is made by Apple. While Apple’s PC market share is still in the single digits, Apple is now the second largest smart phone maker in the United States, behind only BlackBerry maker Research in Motion. It has also sold more than 2 million iPads in just two months.

“Any company’s device or platform on which lots and lots of people are exchanging or storing data is going to be susceptible to an attack,” said Fred Rica, principal security analyst at PricewaterhouseCoopers. “Hackers are beginning to change over to other platforms that hadn’t been traditional targets, particularly to mobile.”

As Apple products become higher-profile targets, its response is going to be tested. The company’s stance on security has long been “don’t worry about it.” For instance, on its website Apple says simply, “Mac OS X doesn’t get PC viruses.” The iPhone and iPad websites don’t even mention security.

Apple claims that the Unix framework that its Mac operating system is built on is inherently safer than Windows. The truth is that Mac OS has as many vulnerabilities as Windows, according to Nigam — Apple patches its products just often as Microsoft does.

In the past, Apple has responded quietly when vulnerabilities are exposed, patching products through automatic updates with no announcement. The company’s famous “Get a Mac” ads say Microsoft’s constant security updates and alerts interfere with users’ ability to do work on their computers. Ironically, Apple’s Safari browser’s lack of security alerts is one of the factors contributing to the security hole in the iPad, according to Goatse Security.

“Suggesting Apple doesn’t get viruses gives its users a completely false sense of security,” Nigam said. “It’s essentially taunting hackers. They’ll take it as a challenge, and just start exploiting Apple’s user base.” As a result, Nigam suggested it’s time for Apple to change it’s attitude. Right now, Apple prioritizes the user experience ahead of security. That can backfire. ”Apple has the capability to take charge of this situation now,” he said. “If it doesn’t, it’s risking damage to its reputation for the long haul, a la Microsoft.”

Escher Auernheimer, a security analyst with Goatse Security, said in an interview today that his firm “did the right thing” by going public about the hole in AT&T’s website.

UPDATE: AT&T sent a letter to Apple 3G iPad owners over the weekend that shed some light on AT&T’s position on the hack, according to a report in the New York Times. “On June 7 we learned that unauthorized computer ‘hackers’ maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service,” wrote Dorothy Attwood, a senior vice president and chief privacy officer at AT&T.

“The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity,” Atwood said.

Meanwhile, Goatse’s Auernheimer says the researchers went public with their findings via the Gawker website after AT&T fixed the flaw. They handed over the email address finds to Gawker, but stipulated that the site not publish the actual email addresses. “Our disclosure process was extremely proper and above and beyond,” Auernheimer says. “Many researchers do not wait for patches” before they disclose, he says.

“What influenced our decision was that there were so many people who were stewards of important infrastructure on the public and private list [exposed],” he says. “Someone else could have scraped this data.”

According to Auernheimer, his team got the data without a password or actual breach/intrusion. The researchers wrote a PHP script that grabbed the email addresses from the errant AT&T script. “It’s not uncommon to see this type of vulnerability,” he says.

The FBI’s involvement could be due to the high-profile iPad customers whose email addresses Goatse discovered, Auernheimer says. “We haven’t had any contact” with the FBI, however, he says. Meanwhile, the FBI issued this statement: “The FBI is aware of these possible computer intrusions and has opened an investigation to address the potential cyber threat.”

Among the email addresses Goatse was able to access were that of White House Chief of Staff Rahm Emanuel, New York City Mayor Michael Bloomberg, U.S. Air Force Col. William Eldridge, and New York Times Co. chief executive Janet Robinson, according to Gawker.

Security experts at Praetorian published the script written by Goatse. It basically grabs email addresses via the integrated circuit card identifiers that associate the iPad SIM card to a subscriber: “An e-mail address gets returned in the successful iterations (active ICCID) and parsed. There’s no hack, no infiltration, and no breach, just a really poorly designed web application that returns e-mail address when ICCID is passed to it,” Praetorian’s Daniel Kennedy blogged on Wednesday.

Meanwhile, Auernheimer has taken issue with AT&T’s claims that his firm acted maliciously. He says he released a semantic integer overflow exploit for Apple Safari in March, which was later patched on Apple’s desktop Safari but has not yet been fixed for the iPad.

“This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password bruteforce attacks and other undesirables. The kicker is that this attack cannot be detected by any current IDS/IPS system,” he blogged yesterday. “We released this in March, mind you, and Apple still hasn’t got around to patching this on the iPad! I know through personal experience that the patch time for an iPad vulnerability is over two months and counting. Given that, the number of parties which probably have active iPad exploits likely numbers in the hundreds, if not the thousands. The iPad simply is not a safe platform for those that require a secure environment.”

published

So what does this mean for the Twitter ecosystem? Twitter VP of Product Jason Goldman says that the feature serves three purposes. First, it’s going to help Twitter crack down on spam, as the service will be able to accurately monitor the distribution of each link, and it can warn users when it thinks a link may be malicious. Second, it will allow users to better understand where links are going (more on that below). And third, it will help Twitter with analytics, which is related to its Promoted Tweets. Goldman says that Twitter is pre-announcing the feature, which is currently only active with three accounts, to give the developer community a heads up for what’s coming.

The confusing part about t.co is that many users won’t really be aware of it. That’s because Twitter is including metadata with each tweet that allows clients to display the link’s original URL, even when the link is being routed through t.co first. For example, if I shared a link to AndrewSaysHello.com, the link in my tweet would still show up as http://www.andrewsayshello.com, despite the fact that users were being silently routed through t.co before they arrived at their favorite tech blog.  One other thing to note: while users will now be seeing expanded links show up in their tweets (which could be quite lengthy), each link will only count as twenty characters against the 140 character maximum. That’s because all t.co links will be exactly twenty characters long.

Goldman says that the “goal is not to build a brand around t.co”. Instead, it’s to increase the transparency of links that are being shared on Twitter.

This isn’t good news for link shorteners like bit.ly, but it isn’t necessarily their death knell either. Goldman says that bit.ly’s value-added services, like analytics and custom shortened domains, will still work properly with t.co, and users can obviously still use bit.ly for more general link shortening purposes. Thing is, most people sharing links through services like bit.ly are doing it because it’s what their Twitter clients do by default — they don’t need analytics or custom domains. For these users there’s now no obvious reason to use these services, because Twitter will be handling the shortened links itself.

Today’s news doesn’t come as a surprise — back in March, Twitter began routing direct messages through a new link shortening service as an anti-phishing mechanism. It didn’t take long for users and developers to question whether Twitter would soon be broadly launching a link shortening service, and Twitter confirmed that it would in April.

New data gathered from users of a free smartphone security tool shows the bad guys are increasingly going after smartphone users. According to Lookout, which offers a free lightweight mobile client with cloud-based security, backup, and anti-theft features, there were about nine pieces of malware and spyware per 100 smartphones as of last month — more than twice as many as in November 2009.

Even more worrisome is how rapidly these threats are hitting smartphones in comparison to the desktop: What took 15 years to evolve with the desktop machine is happening practically overnight in mobile handsets, security experts say. “We call this the 1999 factor: It feels like about 10 years ago in terms of prevalence of threats. There was a tipping point between 2000 and 2002 [for PC threats] that was driven by broadband” and more consumers going online, according to John Hering, CEO and founder of Lookout, formerly Flexilis. “The same trends are going to hold true here [with smartphones].”

Tyler Shields, senior security researcher with Veracode, says he has seen a definite uptick in malware arriving for smartphones during the past few months. “It’s coming at a much faster rate now. It’s difficult to quantify the amount of growth,” however, he says. Shields earlier this year developed and released proof-of-concept source code for a spyware app he created that forces a BlackBerry to hand over its contacts and messages. The spyware can also can grab text messages, listen in on the victim, as well as track his physical location via the phone’s GPS.

Spyware is the main type of malware Lookout sees being created for BlackBerrys, while Windows Mobile phones suffer more from traditional malware, and Androids from a little of both, according to Lookout’s data. “We’re seeing a pretty equal spread [of the threats] across these platforms,” Lookout’s Hering says. The firm doesn’t yet support the Apple iPhone in its app, so data on the iPhone isn’t included.

Why mostly spyware on the BlackBerry? Veracode’s Shields says it might be due to the heavy corporate use of BlackBerrys, which would make any data lifted from them more easily monetized. “The type of data on a BlackBerry generally is going to be corporate-centric and could be of interest to attackers,” he says.

A recent malware attack against Windows Mobile phones basically took an existing, legitimate smartphone app and booby-trapped it with malware: The 3D Anti-Terrorist app game for Windows Mobile was rewritten with auto-dialer malware, according to Lookout’s Hering. The app basically fires up the auto-dialer malware when the user runs the game. “It sits dormant for hours or days, and then wakes up and calls numbers at a premium rate — from Somalia to the South Pole,” for instance, he says. “The victim is then incurring charges but doesn’t notice until [he] receives the phone bill.”

A Windows codec and poker app also were hijacked, copied, and repackaged with malware. The apps are being distributed via typical mobile download and app store sites, such as sharewareplaza.com, geardownload.com, myzips.com, and top4download.com. “We’re seeing the same evolution on mobile as on the desktop: It’s going from notoriety [purposes] to trying to profit,” Hering says.

The malware attack vector being used against smartphones isn’t the SMS or email spam that was all the rage in the early days of mobile attacks. Instead, it’s following smartphone user behavior trends and exploiting downloadable applications, experts say. “Users are downloading apps at a huge pace,” Hering says.

And smartphones are actually more “personal” than PCs. They include GPS location, payment information, email, text messages, and records of who a user communicates with. Hering says today’s smartphone malware is all about grabbing personal information and, now, attempting to monetize it. “On the spyware side, you can imagine an app grabbing personal data that you’re unaware of [occurring] and transmitting that to a third-party location” where it can be resold, for example, he says.

Meanwhile, enterprises should be aware of the risks of breaches via their smartphone users. “They should be worried about this,” Hering says.

But the likelihood of another Operation Aurora-scale targeted attack isn’t as likely to hit via the smartphone just yet: “At this point in time, the PC [attack] model is so much easier and faster. I don’t foresee that level of coordination to target mobile devices at this point,” Veracode’s Shields says.

According to security firm Sophos, hundreds of thousands of users have already fallen for this new “likejacking” trick thanks to the clever and tantalizing linkbait the spammers use to entice people to click their links. For example:

“LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE.”

“This man takes a picture of himself EVERYDAY for 8 YEARS!!”

“The Prom Dress That Got This Girl Suspended From School.”

After clicking through on a link, victims don’t get to see the promised content, but rather a blank page reading “click here to continue.” This page contains the clickjacking worm (Troj/Iframe-ET) embedded via an invisible link. Click anywhere on the page and the message is posted to your profile and News Feed, allowing the worm to further its spread.

This particular exploit is made possible by way of Facebook’s new “like button” and its associated developer code. According to the Like Button documentation, the buttons can be customized with meta data that includes things like the title of the webpage, the name of the Web site and the URL of a picture for the page. By customizing these fields, spammers and hackers can easily create links that are, in fact, malicious “likes.”

The popularity of this particular attack vector is not surprising. Soon after the launch of the Facebook like button, it has been reported on its potential as a threat, noting how incredibly easy it is to create like buttons that link to anything on the web – even pages you have never visited.

It was only a matter of time before spammers and hackers started exploiting this weakness for their own purposes. (Frankly, many are surprised it took this long.)

The problem has to do with the overly simple way Facebook has implemented the “like button” feature. Non-developers can plug a URL into a wizard that generates code which can be copied and pasted anywhere on the Web. Like buttons created this way or manually, via handwritten code, will function properly even if they point to a webpage that’s on a different domain from the page where the button is being hosted.

Kyle Bragger, a Web entrepreneur who just launched Forrst, an online community for developers and designers, warned Facebook users of “like fraud” back in April by way of personal blog post. To circumvent potential likejacking attempts such as these, he created a Facebook “like” bookmarklet which safely “likes” the page you’re on, allowing you to feel secure that you’re actually liking the real thing and not some shady linkbait. (Or likebait, if you will).

If you’ve been hit with this likejacking attack, the best you can do is remove the like from your profile and delete the post from your News Feed. You might want to apologize to your friends with a Facebook status update, too.

Is your computer secure?

Have you got $67 burning a hole in your pocket? Then you can rent a botnet for 24 hours to launch distributed denial of service (DDoS) attacks, sell fake antivirus software and relay spam to unsuspecting email users via millions of compromised — aka zombie — PCs. Or if you only need an hour, that’s just $9.

Those findings come from iDefense VeriSign’s security intelligence service, which studied 25 black market botnet offerings. Based on the company’s research, botnets are becoming increasingly commoditized, with sellers freely hawking their wares via online forums and banner advertising.

“Organizations need to be wary of the fact that their critical online applications or services could be taken down in under a day by a criminal renting services from bot herders,” said Rick Howard, director of intelligence at iDefense, in a statement.

Unfortunately, the easy access to botnets, as well as the emergence of more automated botnet software, has lowered the botnet barrier to entry for less technologically inclined or well-connected criminals.

In March, for example, Spanish police arrested the three alleged masterminds behind the Marisposa botnet, which ran undetected for six months, compromising more than 12 million PCs, many at blue-chip firms and banks.

“Our preliminary analysis indicates that the botmasters did not have advanced hacking skills,” Pedro Bustamante, senior research adviser with Panda Security, told the Guardian. “This is very alarming because it proves how sophisticated and effective malware distribution software has become, empowering relatively unskilled cyber criminals to inflict major damage and financial loss.”

Mariposa may now be defect, but one of the most well-known botnet tools, Zeus, is still alive and well. According to a recent report from managed security services provider SecureWorks, “Zeus is sold in the criminal underground as a kit for around $3,000-4,000, and is likely the one malware most utilized by criminals specializing in financial fraud.”

Customize Zeus with numerous add-ons: virtual networking to take over an infected PC ($10,000), an upgrade for attacking Windows 7 or Vista ($2,000), Jabber IM broadcasting to receive stolen data in real time ($500), a Firefox form grabber ($2,000) and a back-connect module for making financial transactions from an infected PC ($1,500). Interestingly, the Zeus application also includes sophisticated anti-piracy features.

If the going rate for renting a botnet or buying the right software seems steep, antivirus vendor Sunbelt recently said that it’s been tracking a Twitter-controlled botnet that can be used to launch DDoS attacks. Dubbed TwitterNET Builder, the tool — available at no charge — lets an attacker simply enter a Twitter username and hit “build” to generate the required malware.

Thankfully, the tool’s reliance on public Twitter commands for control means that attackers get what they pay for. “We’ve notified Twitter about this bot creation system, and they’re looking into it,” said Boyd. In other words, don’t try this at home.

Clicking the link will take you to what seems like a Facebook application which then tells you that your video player is out of date – and encourages you to download a file.

If you do, then the same “video” plus link gets posted using your avatar to al your friends on Facebook -– meaning it is spreading virally.

It’s not clear at present whether Facebook has acted to halt it. You should, however, expect that it will mutate in the coming hours/days (depending on how determined the virus writer is), so it might not be exactly that message or video frame. The key element in the attack is that it tells you to download a file.

At Sophos, Graham Cluley notes that:

“Judging by the number of messages posted on Facebook, thousands of people received this attack. If you were one of them, you should scan your computer with an up-to-date anti-virus, change your passwords, review your Facebook application settings, and learn not to be so quick as to fall for a simple social engineering trick like this in future.”

The file seems to install a piece of adware called Hotbar, which thus generates revenue for the malware writer. (About Hotbar: “displays a dynamic toolbar and targeted pop-up ads based on its monitoring of Web-browsing activity. The toolbar appears in Internet Explorer and Windows Explorer. The toolbar contains buttons that can change depending on the current Web page and keywords on the page. Clicking a button on the toolbar may open an advertiser Web site or paid search site. Hotbar also installs graphical skins for Internet Explorer, Outlook, and Outlook Express. Hotbar may collect user-related information and may silently download and run updates or other code from its servers.”)

Microsoft is, separately, strongly encouraging people and companies to stop using Internet Explorer 6, using the argument that “you wouldn’t drink 9-year-old milk, so why use a 9-year-old browser?”

Though aimed at the Australian market (possibly IE6 has a higher prevalence there due to some geographical quirk), the arguments for abandoning IE6 are stronger than ever, and have been repeated many times – not least on this site (the browser that won’t die, why the NHS can’t get its browser act together). And of course it is widely believed – though so far not confirmed – that IE6 was the vector for an attack against Google by Chinese hackers at the end of last year.

Allowing users to search using https – the web security system which many associate with online banking and shopping — would mark a first for a major search engine, and could begin a move by web services such as social networks to begin offering encryption for more than just log-ins. Such increased adoption would cut down on network eavesdropping and also have the added benefit of preventing some online attacks.

Ironically, the announcement of the upcoming change came in a long blog post explaining that the search company had been “mistakenly” eavesdropping and recording what people were doing on unencrypted wi-fi networks as its Street View cars were taking pictures of cities around the world and recording the IDs of wifi networks and routers. That data is used to help geo-locate people using devices without GPS, but the company has said for years it was not collecting session data.

Google turned on encryption — better known as https:// — as a default for Gmail users earlier this year. That encrypts the data sent between a user’s browser and Google’s servers, making it nearly impossible for someone in the middle to read the contents of that e-mail. When not using SSL, a user of a school or corporate network can have their e-mail and web traffic content read by authorities who control the network, while anyone using an open Wi-Fi connection can have their traffic sniffed by a hacker using simple tools.

Gmail was the first major webmail service to offer encryption for full sessions, rather than just for log-ins. Google allowed power users to use https:// for years, and under pressure from privacy and security advocates turned it into the default for all users earlier this year. In contrast, Gmail’s competitors including Yahoo Mail or Microsoft’s Hotmail don’t even offer https sessions as an option.

Using https, rather than http, is not technically difficult, but the authenticating handshakes between a server and a browser do require more resources from both a server and the browser. That means it costs a company more to run a service and can slow down an application.

In its April 2010 security report, Symantec said it has detected 36,208 unique strains of malware that were designed to carry out targeted attacks.

MessageLabs, which was acquired by Symantec later, was the first one to raise the alert on the Love Bug virus, which was designed to overwrite and destroy data. The virus came in the form of a message attachment when, once opened, sent itself to the addresses of the email recipient and spread on from there.

Ten years since Symantec Hosted Services, then MessageLabs, intercepted 13,000 copies of the virus in a single day on 4 May 2000, MessageLabs Intelligence said it now stops 1.5 million copies of malicious e-mails each day.

“Although mass mailing viruses like the Love Bug are rare today, cyber criminals’ techniques have evolved to more malicious, highly targeted attacks and they are motivated less by achievement and credibility than by financial gain and identity theft,” Symantec said in a statement. “On 4 May, 2000, 1 in 28 e-mails contained the Love Bug virus. By comparison, 1 in 287.2 e-mails contained a virus on 9 April 2010, the peak for April. In April 2010 overall, MessageLabs Intelligence intercepted 36,208 unique strains of malware.”

“The Love Bug was operating in the wake of the Melissa virus, a similarly destructive worm from the previous year,” said MessageLabs Intelligence senior analyst Paul Wood. “Back then, users were less savvy, regarding the dangers posed by suspicious e-mail attachments and e-mails from unknown senders. The general public was also less aware of issues such as spam and denial of service attacks.”

Bot Attacks

The April 2010 MessageLabs Intelligence Report also revealed that Rustock has surpassed Cutwail as the biggest botnet both in terms of the amount of spam it sends and the amount of active bots under its control.

The report noted that Rustock has reduced the output of individual bots by 65 per cent but increased the number of active bots by 300 per cent, thus, making up for the decreased output. Meanwhile, Cutwail has reduced in size to 600,000 bots from two million bots in May 2009 and is now responsible for only four per cent of all spam. “Rustock remains the largest spam-sending botnet responsible for 32.8 per cent of all spam,” the report read.

“Affected by the closure of ISP Real Host in August 2009, Cutwail likely lost the ability to update some of its bots causing its numbers to diminish greatly without the ability to recover,” said Wood. “As a result, Rustock has taken over significant volumes from spammers by undercutting the market with greater capacity and lower operational costs.”

Spam

Worldwide, the spam rate this month was pegged at 89.9 per cent, a drop of 0.8 per cent from the previous month. In the region, Malaysia and Singapore also saw a drop in the spam rate to 87.7 per cent, and 87.6 per cent respectively, the report added.

“Spam is more commonly sent from computers running Windows than from those running other operating systems,” Wood said. “However, spam not identified as coming from botnets was seen in lower proportions coming from Windows machines than from known botnets.”

Researchers at BitDefender, BKIS, and Symantec today each separately warned Yahoo Messenger users about the worm attack, which is rapidly growing. Catalin Coisoi, senior malware and virus researcher for BitDefender, based in Romania, says his team has seen infection rates as high as 500 percent per hour in his home country since they first spotted it last week. “Today it started spreading like wildfire,” Coisoi says.

He says the socially engineered message appears to be capitalizing on the May 1 national holiday in Romania. “People expect to see pictures [from their friends and colleagues] after a national holiday,” he says. But he also expects the worm to make inroads in the U.S. today and tomorrow, with potential victims coming off of a weekend.

The worm — known as Palevo by BitDefender, W32.Ymfocard.fam.Botnet by BKIS, and W32.Yimfoca by Symantec — is a new variant of an existing worm. In the Yahoo IM attack, it tricks the user into saving what appears to be a JPG or GIF file, but instead is a malicious executable.

BitDefender says the worm contains a backdoor, which lets an attacker take over the victim’s compromised machine, to install more malware, steal files, intercept passwords, and launch spam or other malware attacks on other systems. It’s also spreading the way the infamous Conficker worm has done, via network shares and removable USB drives using the Autorun feature. When an infected memory stick gets loaded into a machine with Autorun enabled or unprotected, the machine can automatically be infected with the worm.

“You can do anything you want with a backdoor — keylogging to search for passwords, or it could be a botnet,” Coisoi says. “It offers the attacker full system access.”

It also spreads via peer-to-peer sharing sites, such as Kazaa and LimeWire which are all too easy to pack these types of files in with movies files and software cracks.

The good news: Because it drops an .exe file, it requires the user to run it for it to go live. According to Symantec, once the worm is run, it adds itself to the Windows Firewall list, stops the Windows Update service, and configures itself such that it runs each time the system boots. The worm automatically sends itself to everyone on the victim’s contact list.

“The nature of this attack is nothing new, because some worms already used this way of attack,” BKIS researchers blogged. “However, it is always potentially dangerous to [unaware] users. Bad guys have integrated some phishing elements to trick [the] user into clicking the link and then opening the downloaded file.”

So basically, if someone sends you a link via an instant message out of the blue, it might be best to double check with them what exactly they are sending you, so you don’t fall victim to this new worm.

1)    Your fan kicks into overdrive when your computer is idle
This can indicate that a program is running without your knowledge and using a fair amount of resources. Of course this could also be a bunch of Microsoft updates being installed. Another problem that can cause the fan to kick in like that is excessive dirt in the computer or a failing CPU fan.

2)    Your computer takes a long time to shut down, or won’t shut down properly
Oftentimes malicious software has bugs in it that can cause a variety of symptoms, including long shut down times of a failure to shut down. Unfortunately, operating system bugs and conflicts with legitimate programs may cause the same symptom.

3)    You see a list of outbound Wall posts you didn’t send on your Facebook page (see below)

There are few reasons other than malicious software or having your account hacked that would cause this problem. If you see this happening, you definitely want to change your password and make sure you computer is not infected. Best to make sure your computer is not infected before changing your password!!! Don’t use your Facebook password on multiple sites!!!

4)    Programs are running very slowly
This can be a sign that hidden programs are using a lot of your computer’s resources. This also can be a sign of other problems. On Windows systems if there are 10,000 files or more in a single directory it can really bring a system to a crawl.

5)    You cannot download operating system updates
This is a symptom you cannot ignore. Even if it isn’t a bot or other malware, if you don’t keep your system patched your computer probably will get infected.

6)    You cannot download antivirus software updates / visit vendors’ websites
Malware often tries to prevent antivirus software from running or being installed. An inability to update your antivirus software or visit the vendor’s web site is a pretty strong indicator of malware.

7)    Internet access slows to a crawl
If a bot is using your computer to send massive amounts of spam or participate in an attack against other computers, or to upload or download a lot of data it can make your internet access very slow.

8)    Your friends and family have received e-mail message from you that you did not send
This can be a sign of a bot, other malicious software, or that your webmail account has been hacked.

9)    You receive pop-up windows and advertisements even when you are not using a web browser
While this is a classic sign of adware, bots can install adware on your computer. You definitely want to get this problem taken care of.

10)    Windows Task manager shows programs with very cryptic names or descriptions (the highlighted line is the example)

Using task manager requires some skill and research. Sometimes legitimate software uses cryptic names as well. An entry in task manager is generally not enough to identify a program as being bad. This can help you find bad programs, but many additional steps must be performed to validate you findings. Killing processes and deleting files or registry entries because you “think” it is a bot or other malware can result in the inability to even boot your computer. Be very careful of making assumptions and acting on them.

Although this doesn’t cover everything that could mean you are part of a botnet, this is a good list of the major signs you will see, and means you need to get your computer cleaned ASAP!

Unlike its predecessors, however, this sample uses the file name AV.exe. If users are not into computers, they may think this is a valid antivirus application. It uses registry shell spawning as autostart technique, which means the malware is executed every time a user runs files that have the .EXE file name extension. It also uses any of the following application names:

• %1 Antispyware 2010
• Antivirus %1 2010
• %1 Guardian 2010
• %1 Guardian
• %1 Defender 2010
• %1 Antivirus
• %1 Antivirus 2010
• %1 Antivirus Pro
• %1 Antivirus Pro 2010
• %1 Internet Security
• %1 Internet Security 2010

Note that %1 refers to the OS installed on the affected machine. This makes the malware flexible in that it is able to take advantage of the features of an infected user’s OS.

Whenever an infected user attempts to access the Internet via Internet Explorer (IE) or Firefox, this malware displays warning messages saying these browsers are malicious. (Internet Explorer on the left and Firefox on the right)

This may cause the user to panic since these are two of the most commonly used browsers. Users who are tricked into purchasing the bogus product are redirected to multiple rogue antivirus domains.

This list ensures that the malware can access other domains even if some have already been taken down. Lastly, this malware does not allow users to execute files from security companies, which prevents the affected user from scanning the affected computer.

When faced with these kinds of false alarms, I would urge users to calm down and avoid purchasing rogue antivirus products. This does not help solve the problem. Instead, it makes things even worse, as this is just a waste of hard-earned money.

This is only the latest tactic seen from the perpetrators of rogue antivirus malware. Recently, advanced threats researchers spotted another FAKEAV run using Sandra Bullock’s recent marital difficulties to spread malware. If you have any questions about this type of malware, please feel free to contact me and I will be glad to answer any of your questions.

In the space of only two days, February 8 and 9, the HTML/Goldun.AXT campaign detected by Fortinet accounted for more than half the total malware detected for February, which gives some indication of its unusual scale.

The attack itself takes the form of a spam e-mail with an attachment, report.zip, which if clicked automatically downloads a rogue antivirus product called Security Tool. It is also being distributed using manipulated search engine optimisation (SEO) on Google and other providers.

Such scams have been common on the Internet for more than a year, but this particular one features a more recently-evolved sting in the tail. The product doesn’t just ask the infected user to buy a useless license in the mode of scareware, it locks applications and data on the PC, offering access only when a payment has been made through the single functioning application left, Internet Explorer.

What’s new, then, is that old-style scareware has turned into a default ransom-oriented approach. The former assumes that users won’t know they are being scammed, while the latter assumes they will but won’t know what to do about it.

The technique is slowly becoming more common — see the Vundo attack of a year ago — but what is also different is the size of this attack, one of the largest ever seen by Fortinet for a single malware campaign.

Fortinet notes that Security Tool is really a reheat of an old campaign from November 2008, which pushed the notorious rogue antivirus product Total Security as a way of infecting users with a keylogging Trojan.

“This is a great example of how tried and true attack techniques/social engineering can be recycled into future attacks,” says Fortinet’s analysis.

According to Fortinet, the “engine” pushing the spike in ransom-based malware is believed to be the highly-resilient Cutwail/Pushdo botnet, the same spam and DDoS system behind a number of campaigns in the last three years including the recent pestering of PayPal and Twitter sites.

In a security advisory issued late Monday, Microsoft confirmed the unpatched bug in VBScript that Polish researcher Maurycy Prodeus had revealed Friday, offered more information on the flaw and provided some advice on how to protect PCs until a patch shipped.

“The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer,” read the advisory. “If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user.”

Last week, Prodeus called the bug a “logic flaw,” and said attackers could exploit it by feeding users malicious code disguised as a Windows help file — such files have a “.hlp” extension — then convincing them to press the F1 key when a pop-up appeared. He rated the vulnerability as “medium” because of the required user interaction.

Windows 2000, Windows XP and Windows Server 2003 are impacted by the bug, said Microsoft, and any supported versions of Internet Explorer (IE) on those operating systems — including IE6 on Windows XP — could be leveraged by attackers. Previously, Prodeus had said that users running IE7 and IE8 were at risk, but had not called out IE6.

Until a patch is ready, users can protect themselves by not pressing the F1 key if a Web site tells them to, said Microsoft. ”As an interim workaround, users are advised to avoid pressing F1 on dialogs presented from Web pages or other Internet content,” said David Ross with the Microsoft Security Response Center (MSRC) engineering staff in a blog entry on Monday.

“The prompt can appear repeatedly when dismissed, nagging the user to press the F1 key,” Ross added.

The security advisory made the same recommendation: “Our analysis shows that if users do not press the F1 key on their keyboard, the vulnerability cannot be exploited.” Users can also stymie attacks by disabling Windows Help. The advisory explained how to entering a one-line command at a Windows command-line prompt to lock down the Help system.

The company took Prodeus to task for taking the bug public, something it regularly does when researchers disclose a vulnerability or post sample attack code before a patch is available.

“Microsoft is concerned that this vulnerability was not responsibly disclosed, potentially putting customers at risk,” said Jerry Bryant, a senior manager with the MSRC, in an e-mail. By Prodeus’ account, he notified Microsoft of the flaw Feb. 1, about four weeks before publishing his findings.

Microsoft has not set a timeline for a fix, saying only that, “Microsoft will take the appropriate action to help protect our customers.” The next scheduled security patch date for the company is March 9.

Although it does not rate the severity of vulnerabilities in its advisories, Microsoft noted that hackers exploiting the VBScript flaw using Windows Help and Internet Explorer could grab complete control of a Windows system. Customers running Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2 are safe from such attacks, Microsoft said.

Months of investigations by the Guardia Civil in Spain, the FBI and security firm Panda Security and Defence Intelligence led to the takedown of the 12.7 million strong zombie network in December and the arrest of three suspects in Spain two months later.

At a press conference announcing the operation in Madrid on Wednesday, Spanish police said they recovered the personal details of 800,000 people from systems recovered from three alleged cybercriminals. This cache of stolen information includes bank login credentials from businesses and consumers as well as email passwords.

Three Spanish residents suspected of running the botnet have been charged with online offences: the most senior alleged botmaster, nicknamed “Netkairo”, 31, from Balmaseda in the spanish province of Vizcaya, as well as his two alleged lieutenants JPR, 30, from Molina de Segura Murcia and JBR, 25, from Santiago de Compostela in La Coruña. None of the suspects have been named at this stage of proceedings.

In a statement (in Spanish here), Guardia Civil officers said they were also on the trail of a fourth suspect nicknamed Phoenix, who’s possibly based in Venezuela.

Defence Intelligence discovered the botnet last May and formed a team that brought in security experts from Bilbao-based Panda and computer scientists at Georgia Tech Information Security Center. Security researchers infiltrated the botnet’s command and control systems, learning enough to mount a successful takedown operation in cooperation with ISPs on 23 December.

Netkairo responded to this by launching a retaliatory denial of service attack against Defence Intelligence that took out customers at a Canadian ISP for several hours. In wrestling to obtain control of the botnet he made the mistake of connecting to compromised systems using his home PC, a mistake that led to his identification.

Luis Corrons, technical director of PandaLabs, explains the Mariposa botnet’s business model and the takedown operation in a video below.

A botnet is a network of infected computers under the control of hackers.

The firm said that closing the domains would mean that up to 90,000 PCs would stop receiving orders to send out spam.

A recent analysis by the firm found that between 3-21 December “approximately 651 million spam e-mails attributable to Waledac were directed to Hotmail accounts alone”. It said it was one of the 10 largest botnets in the US.

Machines in a botnet have usually been infected by a computer virus or worm. Typically, users do not know their machine has been hijacked.

Microsoft said that although it had effectively shut down the network, thousands of computers would still be infected with malware and advised people to run anti-virus software. The court order was part of what was called “Operation b49″.

Along with intelligence organisation Shadowserver, the University of Washington and security firm Symantec, Microsoft managed to get a court in Alexandria, Virginia, to force Verisign, which manages the .com domain, to temporarily switch off the domains.

Microsoft said it was the result of months of investigation and described it as a legal first.

“This action has quickly and effectively cut off traffic to Waledac at the .com or domain registry level, severing the connection between the command and control centres of the botnet and most of its thousands of zombie computers around the world.”

The flaw was found in Adobe Download Manager (DLM), an application Adobe uses to deliver common applications (e.g., Flash and Reader) to users’ systems. Normally, it cannot be used to download non-Adobe files onto users’ systems. However, according to Raff, a vulnerability in DLM that allows third parties to download and install files onto users’ systems, in effect, making it vulnerable for use as a malware downloader.

Raff has not released specific details about this vulnerability and has indicated that he would not do so until the problem has been resolved by Adobe. On Tuesday, Adobe released a new security bulletin indicating that they have resolved this issue. Users who used Adobe DLM to download either Flash or Acrobat from February 23, 2010 onwards are safe; everyone else is advised to removed the Adobe Download Manager entry in the Add/Remove Programs applet in the Windows Control Panel.

This is not the first time DLM has proven vulnerable to malicious attacks. In fact, in January of this year, a remote code execution vulnerability in the application was among those Adobe patched.

This was on top of a bug that Raff also discovered earlier, which allowed DLM to be triggered to download Adobe or Adobe-approved applications by going to a specific URL on the company’s site. In a situation where an unpatched vulnerability in an Adobe product was thus present, this bug could allow cybercriminals to install vulnerable applications onto users’ systems, which they could then exploit to execute malware.

Security Has a Price—Problems with Security Updates

Trend Micro researcher, Rajiv Motwani, notes that the combined impact of fixing these and other similar holes in a relatively short period of time are becoming problematic for users, particularly enterprises. In theory, Adobe is supposed to release quarterly security updates for its products but regular discoveries of new flaws have significantly been undermining its plan.

Though unscheduled patches pose problems for home users and small businesses, large enterprises face greater risks. System administrators traditionally loath to use automatic updates on enterprise systems, as this may cause disruptions to important business operations.

The burden of updating systems will then fall either on users or administrators—neither of whom think this is an appealing proposition. It is also likely that systems will not be updated, leaving them wide open to exploits. A Trusteer study found that this was exactly the case for Adobe products, revealing that only 7 percent of the total number of product users had updated versions of Acrobat applications while only 19 percent had updated Flash versions.

These concerns are always present for applications. However, for Adobe products like Flash and Acrobat, the risks are greater due to the vendor’s success. The same Trusteer study found that more than 90 percent of the total number of users run some version of Flash while 99 percent run Acrobat or Reader applications.

As Motwani notes, these two factors—Adobe’s high market penetration and users’ failure to regularly patch their systems—not only raises the number of systems that can potentially be affected. It also means that organizations face the added burden of testing each patch for stability and/or performance issues and of rolling it out in a phased manner.