Overheard in the tech blogosphere:

Malware

Oct 1 2009   1:49PM GMT

Overheard - Remote Access Trojan (RAT)



Posted by: Margaret Rouse
Malware, Trojan horse, RAT, remote access tool, remote access Trojan, Security, risk management
“In an even more sophisticated ploy, the Trojan altered the victim’s online banking page to change the amount of the transfer to a smaller number. In one transaction, the cybercriminals stole more than $8,000, but to the victim, it appeared like a $53 transaction.”

Angela Moscaritolo, URLZone touted as most sophisticated banking Trojan yet

Today’s WhatIs.com Word of the Day is RAT. It’s a type of Trojan horse.

Mar 24 2009   1:31PM GMT

Overheard - The role of ActiveX in browser exploits



Posted by: Margaret Rouse
ActiveX, Malware, Security, IE 7, IE 8, Internet Explorer
Because so many ActiveX controls turn out to be malicious, Microsoft designed Internet Explorer 7 so that it displays a warning every time a site attempts to use an ActiveX control. The problem is that the casual user does not typically understand what an ActiveX control is, or what the consequences of allowing an ActiveX control to run might be.

Brian Posey, ActiveX security improves with Internet Explorer 8’s security features

Experts are predicting that there’s no end in sight for ActiveX exploits. It makes sense — because even criminals want to be cost-efficient. If you’re trying to find vulnerabilities to exploit, you want to make sure you can affect the highest number of people — and IE is still #1.


Feb 5 2009   4:14PM GMT

Overheard - How a windshield becomes an attack vector



Posted by: Margaret Rouse
Security, Malware, phishing
An enterprising group of criminals has been using a real-world scam in an effort to spread malware. The attacks reportedly began with a series of phony parking tickets issued in Grand Rapids, North Dakota. Individuals had the tickets placed under their windshields along with instructions to visit a website.

Shaun Nichols, ‘Parking ticket’ scam brings malware infection

Of course, the website was a malware drop.  Lenny Zeltser (SANS Institute) explains how the scam worked. Later on, McAfee’s Avert Labs Blog identified the Trojan as Vundo.

Remember the good old days when phishing stayed on the Internet where it belonged?


Jan 22 2009   2:29AM GMT

Overheard - Confliker / Downadup worm alert



Posted by: Margaret Rouse
Security, network security, Malware, web-based malware, Internet Explorer, worms
Security vendors from across the spectrum have warned that a stingy worm has been successfully exploiting a hole in Microsoft Windows server service. Known as Confliker or Downadup, the worm spreads by exploiting a remote procedure call (RPC) vulnerability.

Robert Westerfelt, Confliker, Downadup worm hype? Get the facts

There’s a new variant of the Conficker worm. It’s known as ‘Downadup.’ Microsoft issued a patch for the vulnerability it exploits last October, but the worm is still spreading and mutating.

The worm, which some authorities say has been able to build the largest botnet on record,  works by exploiting a vulnerability in remote procedure calls that allows remote code to be executed once a vulnerable machine receives a specially crafted RPC request.  In plain English, this means that if an end user views a specially crafted Web page using Internet Explorer, his computer will request malicious code to be executed. Like many of its malicious predecessors, this worm denies infected machines Internet access to security vendor websites.

Microsoft added routines to clean up Conficker infections to the January edition of its Malicious Software Removal Tool.  Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. The National Cyber Alert System recommends that to prevent further infections by infected USB devices, users should disable the Windows auto-play feature.
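The auto-play recommendation above can be checked rather than taken on faith. The following PowerShell script is an added example, not code from the post or from the alert it cites; it reads the Windows policy value NoDriveTypeAutoRun (the key path and bit meanings are Windows’ own) and reports whether AutoRun is disabled for removable drives, which is the USB path the worm used. The function names and the output format are mine.

```powershell
# Added example: audit the Windows AutoRun policy that blocks USB-borne
# infections, and optionally enforce it machine-wide.
# Assumes Windows PowerShell; writing HKLM policy keys needs an elevated shell.
# NoDriveTypeAutoRun bit values (Windows-defined):
#   0x04 removable drives, 0x08 fixed drives, 0x10 network drives,
#   0x20 CD-ROM, 0x40 RAM disk, 0x80 unknown types; 0xFF disables all of them.

$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$removableBit = 0x04

function Get-AutoRunStatus {
    # One row per policy scope; a missing value means the default (AutoRun on).
    foreach ($key in $policyKeys) {
        $item  = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.NoDriveTypeAutoRun } else { $null }
        [pscustomobject]@{
            Scope             = $key
            NoDriveTypeAutoRun = if ($null -ne $value) { '0x{0:X2}' -f $value } else { '(not set)' }
            RemovableDisabled  = ($null -ne $value) -and (($value -band $removableBit) -ne 0)
            AllDisabled        = ($null -ne $value) -and (($value -band 0xFF) -eq 0xFF)
        }
    }
}

function Disable-AutoRunEverywhere {
    # Enforce the machine-wide policy (0xFF) so no drive type triggers AutoRun.
    $key = $policyKeys[0]
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -PropertyType DWord `
        -Value 0xFF -Force | Out-Null
}

# Report the current state; run Disable-AutoRunEverywhere from an elevated
# shell if RemovableDisabled is False for the machine scope.
Get-AutoRunStatus | Format-Table -AutoSize
```

Microsoft also shipped a separate update at the time so that this policy value is honored consistently, so a correct registry value on an unpatched machine is not by itself proof that AutoRun is off.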


Dec 17 2008   1:02AM GMT

Overheard - Scareware is a $100 million scam



Posted by: Margaret Rouse
Security, Spyware, Malware, scareware
A Baltimore federal court judge ordered six absent defendants yesterday - including one from Maryland - to shut down Internet businesses that the Federal Trade Commission claims are part of a vast $100 million “scareware” scheme that tricked more than a million people into purchasing useless security software by making them think their computers were under attack.

Tricia Bishop, Court orders ’scareware’ shut down

The companies allegedly represented themselves falsely as Internet marketers and used legitimate advertising outlets to place malicious advertisements that redirected consumers to the defendants’ Web sites.

There, screens would pop up saying a security scan had revealed harmful or illegal files and urging computer users to purchase software for $40 to fix the phony problems. In that way, the companies were able to bilk people of more than $100 million, according to the FTC.


Dec 8 2008   8:24PM GMT

Overheard: How does anomaly-based monitoring fit into tomorrow’s security picture?



Posted by: Margaret Rouse
network security, Malware, Technology, anomaly detection
We knew that the volume of new attacks and the vectors used were only going to increase, so we chose to stay ahead of the curve with a behavioral analysis system. I believe behavior and anomaly-based solutions will be most effective long term.

Jamie Arnold, as quoted in SUNY’s Binghamton Monitors Network with Lancope’s StealthWatch


I spent part of the morning reading about anomaly-based network monitoring. In October, IBM announced that they would no longer sell the IBM Proventia Network Anomaly Detection System (ADS). Stealthwatch seems to be getting a lot of buzz, especially with college campuses whose biggest threats probably come from right inside the network.


Oct 22 2008   3:34PM GMT

Overheard: Where do you keep your honeypot?



Posted by: Margaret Rouse
Malware, Microsoft, honeypot, botnets
The door to the room simply reads “the lab.” Inside are racks of hundreds of processors and terabytes of disk drives needed to capture the digital evidence that must be logged as carefully as evidence is maintained by crime scene investigators.

John Markoff, A Robot Network Seeks to Enlist Your Computer

John Markoff gives a nice overview of what Microsoft is doing to help fight cybercrime — and why:

Just as gangs will often force a recruit to commit a crime as a test of loyalty, in cyberspace, bot-herders will test recruits in an effort to weed out spies. Microsoft investigators would not discuss their solution to this problem, but said they avoided doing anything illegal with their software.

One possible approach would be to create sensors that would fool the bot-herders by appearing to do malicious things, but in fact not perform the actions.

In 2003 and 2004 Microsoft was deeply shaken by a succession of malicious software worm programs with names like “Blaster” and “Sasser,” that raced through the Internet, sowing chaos within corporations and among home computer users. Blaster was a personal affront to the software firm that has long prided itself on its technology prowess. The program contained a hidden message mocking Microsoft’s co-founder: “billy gates why do you make this possible? Stop making money and fix your software!!”


Sep 30 2008   1:12PM GMT

Overheard: Google Chrome and the principle of least privilege



Posted by: Margaret Rouse
Malware, Programming, Google Chrome
The most important reason for limiting the security privileges your code requires to run is to reduce the damage that can occur should your code be exploited by a malicious user.

G Andrew Duthie, The Importance of the Principle of Least Privilege

Google Chrome applies the principle of least privilege. Each tab in Chrome is sandboxed (isolated), so malware loaded by a page cannot install itself, and what happens in one tab cannot affect what happens in another.


Sep 26 2008   12:36PM GMT

Overheard: Piracy + spam + malware = net pollution



Posted by: Margaret Rouse
Spam, Piracy, Malware, Technology
Have you heard of “net pollution”? If not, you soon will, because it’s a term being pushed by Arts+Labs, the new group backed by AT&T, Viacom, NBC Universal, Cisco, and Microsoft.

Nate Anderson, AT&T, NBC lump piracy in with spam, malware as net pollution


Sep 25 2008   12:48PM GMT

Overheard: What to do if your clipboard has been hijacked



Posted by: Margaret Rouse
Spyware, Malware, Technology, anti-virus, clipboard, Trojan

“The problem with malware being served through advertisements is starting to become a serious one, with attackers seeming to enjoy it more and more because websites are not rushing to take steps to prevent it.”

Lucian Constantin, Clipboard Hijack Spreads Panic

This particular attack is copying a link to the computer clipboard, which seems to be persistent and cannot be removed by simple means, in most cases a computer reboot being necessary. The link in question redirects the user to a website that promotes a rogue antivirus program that is itself a spyware application.

So what can you do if your clipboard has been hijacked? Shut down your computer immediately and wait 30 seconds before rebooting.