Security Bytes - A SearchSecurity.com blog
Nov 23 2009   2:12PM GMT

New Facebook worm uses sexy model to get guys to click da’ button



Posted by: Robert Westervelt
social networking flaws, social engineering, Facebook Worm

Facebook worm uses a cross-site request forgery attack to spread via the victim’s wall posting.

Israeli security researcher Gadi Evron and AVG researcher Nick Fitzgerald are reporting a new Facebook worm that uses a suggestive picture of a scantily clad woman to spread on the social network.

The picture includes a button and the phrase “Click da’ button, baby!” Once a Facebook user clicks the malicious link, they are brought to an attack landing page that automatically updates the victim’s own Facebook wall with a copy of the malicious link post.

In a blog post, Evron said he stumbled across the Facebook attack after he was tricked by a posting of the link on a friend’s Facebook wall.

This shows that even experts can become complacent and trust systems when they really shouldn’t. It’s a good reminder for me to be more careful with social networks, which for some reason I have grown used to trusting more, without even noticing it happen!

Fitzgerald wrote that the worm uses a cross-site request forgery (CSRF) attack “resulting in a form submission to Facebook “as if” the victim had submitted a URL for a wall post and clicked on the “Share” button to confirm the post.”
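The forged wall-post submission Fitzgerald describes works because the browser attaches the victim’s session cookie to a form no matter which site built it. The following is an added example, not Facebook’s code or anything from Evron’s or Fitzgerald’s posts: a toy “Share” handler in its vulnerable form beside a hardened one that requires a per-session token and a matching Origin header. The site origin, the in-memory session store and the request dictionaries are all constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Placeholder origin of the site being protected (not Facebook's real value).
SITE_ORIGIN = "https://social.example"
# Constructed in-memory session store: session id -> per-session secret.
SESSIONS = {}

def new_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid

def csrf_token(sid):
    # Token embedded in the legitimate Share form. It is derived from a secret
    # only the server and this session know, so a page on another site, which
    # cannot read the victim's session, cannot produce it.
    return hmac.new(SESSIONS[sid], b"wall-post", hashlib.sha256).hexdigest()

def wall_post_vulnerable(req, wall):
    # Before: the browser attaches the session cookie to any cross-site form
    # submission, so the cookie alone proves nothing about who built the form.
    sid = req["cookies"].get("sid")
    if sid not in SESSIONS:
        return 401
    wall.append(req["form"]["url"])
    return 200

def wall_post_hardened(req, wall):
    # After: same cookie check, plus an Origin check and a constant-time
    # comparison of the per-session token carried in the form body.
    sid = req["cookies"].get("sid")
    if sid not in SESSIONS:
        return 401
    if req["headers"].get("Origin") != SITE_ORIGIN:
        return 403
    supplied = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(csrf_token(sid), supplied):
        return 403
    wall.append(req["form"]["url"])
    return 200

def forged_request(sid):
    # Constructed request shaped like the worm's: the victim's cookie rides
    # along, but the form was built elsewhere, so no token and a foreign Origin.
    return {"cookies": {"sid": sid},
            "headers": {"Origin": "https://attacker.example"},
            "form": {"url": "https://attacker.example/lure"}}
```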

Nov 20 2009   1:54PM GMT

Increase in Gumblar backdoors poses FTP credential problems



Posted by: Robert Westervelt
Gumblar Trojan, FTP Credentials

Security researcher explains how to detect the Trojan, but many victimized website owners don’t have the technical expertise to fix the problem.

Mary Landesman, a senior security researcher at security vendor ScanSafe, writes about how to decode and identify backdoor PHP scripts, the kind of code associated with the FTP-stealing Trojan Gumblar.

The Gumblar and Martuz Trojans surfaced earlier this year and have been successfully stealing thousands of FTP credentials, gaining access to websites in order to set them up as an attack platform to host malware. We don’t know exactly how prevalent Gumblar is since most security vendors that track Trojans fail to provide any actual numbers, but it’s safe to say that Gumblar continues to spread at high enough levels to warrant concern. ScanSafe, Symantec, McAfee and others have warned that thousands of websites have been compromised by Gumblar to create a relatively strong botnet.

In addition to checking log files for any abnormalities, Landesman said site administrators can be more proactive:

1. Search for unexpected PHP files or for PHP files unexpectedly modified in the past month (sort your file listing by date);
2. Look for a corresponding /s subfolder found in the same location as the suspicious PHP file;
3. Check all folders on the site, as Gumblar may install itself to multiple locations.
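Landesman’s three checks can be run as one pass over a web root. This is an added example, not code from ScanSafe or the blog: it walks every folder, keeps PHP files modified within the last 30 days, sorts them newest-first and flags any that sit beside an “s” subfolder. The sample site it builds in a temporary directory is constructed for the demo, not a real Gumblar artefact.

```python
import os
import tempfile
import time
from dataclasses import dataclass
DAY = 86400

@dataclass
class Finding:
    path: str
    days_since_modified: float
    sibling_s_folder: bool  # an "s" subfolder sits beside the PHP file

def scan_php_suspects(webroot, days=30, now=None):
    # Check 3: walk every folder. Check 1: keep PHP files modified within
    # `days` days. Check 2: note whether an "s" subfolder shares the folder.
    now = time.time() if now is None else now
    cutoff = now - days * DAY
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        has_s = "s" in dirnames
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            if mtime >= cutoff:
                findings.append(Finding(path, (now - mtime) / DAY, has_s))
    findings.sort(key=lambda f: f.days_since_modified)  # newest first
    return findings

def make_demo_webroot(now=None):
    # Constructed sample tree, not real Gumblar artefacts: one PHP file touched
    # two days ago beside an "s" folder, one untouched for 200 days.
    now = time.time() if now is None else now
    root = tempfile.mkdtemp(prefix="php_scan_demo_")
    os.makedirs(os.path.join(root, "blog", "s"))
    os.makedirs(os.path.join(root, "lib"))
    files = [(os.path.join(root, "blog", "index.php"), 2),
             (os.path.join(root, "lib", "helpers.php"), 200)]
    for path, age_days in files:
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.utime(path, (now - age_days * DAY,) * 2)
    return root

if __name__ == "__main__":
    for f in scan_php_suspects(make_demo_webroot()):
        flag = "SUSPECT" if f.sibling_s_folder else "MODIFIED"
        print(f"{flag} {f.path} ({f.days_since_modified:.0f} days ago)")
```

On a real host, pass the site’s document root instead of the demo tree and review every SUSPECT line by hand; a recently modified PHP file is a lead, not proof of compromise.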

The problem is that many of these websites are small, may be abandoned or are run by people with little technical expertise. I’ve spoken to several other security researchers who have attempted to contact some of the owners of the infected websites. Some of the site owners didn’t even realize they had a website let alone one that was being used as an attack platform. Others didn’t have the technical expertise to take any action.

This is a growing problem and one that may need to be solved by the registrars that are in the business of selling domains to anyone with a credit card. Who is responsible here? Obviously that wasn’t clear enough when many of these website owners signed up to establish a Web presence.


Nov 17 2009   7:07PM GMT

New York cafe WiFi passwords show Mac versus PC reality



Posted by: Robert Westervelt
Secure WiFi

Photograph depicts password needed to use cafe WiFi.

The Apple blog Cult of Mac posted a picture of the day depicting the stark difference between the WiFi password given to Apple laptop users and the one given to those using a Windows PC. The picture was taken at the Lure Restaurant in New York City.


Nov 17 2009   1:29PM GMT

Russian cybercriminals target H1N1 Swine flu fears



Posted by: Robert Westervelt
Russian cybercriminals, affiliate networks

Report outlines massive affiliate campaigns pushing pharmaceuticals, including counterfeit Tamiflu, making Russian hackers millions.

Researchers at security vendor Sophos’ Canada-based research labs have released a report outlining how some Russian cybercriminals are making millions off the H1N1 flu by pushing counterfeit Tamiflu through well-organized affiliate programs.

The cybercriminals have created an affiliate network to make it more difficult to track them down, distributing responsibility for different spam tasks while increasing advertising space to gain visibility and more potential victims. It’s been an evolving process, and today there are literally hundreds of malicious affiliate networks touting everything from phony dating websites and porn to pharmaceuticals such as Tamiflu.

Rather than direct spam campaigns that flood inboxes, the cybercriminals use Web marketing campaigns and drive potential victims to partner affiliate websites using a mixture of spam, search engine results (search engine optimization), blogs and forum posts, the report finds. Each affiliate gets a small cut but most of the profits go to cybercriminal gangs in Russia.

Many organize expensive parties for their members, send generous gifts for holidays, run lotteries where a top producer wins a luxury car, and the list goes on. In some cases, the war between different partnerkas turns ugly, where one portal may get DDoS’ed by a competing gang.

Members of the affiliate network learn how to mine Google Trends data for popular search terms, generate content and use appropriate linking to trick search engines into giving the malicious sites a higher slot in search results. The results are affiliate websites that have potential to get more than 10,000 page views a day, generating hundreds of thousands of dollars a year.

The good news, says Sophos’ Dmitry Samosseiko, is that security researchers are gaining a better understanding of the affiliate networks and working closely with law enforcement to get rogue networks shut down.

Billing and hosting companies are becoming more responsive to abuse reports and do stop providing support to rogue businesses. The most dangerous sides of the affiliate business such as scareware are being forced to close or go underground, which impacts their operational costs.

Let’s hope this is true. Unfortunately the cat and mouse game continues. I’m sure many cybercriminals out there are working on the next trick to gain visibility and slurp up more cash from the victim pool. As Sophos security evangelist Graham Cluley puts it, the affiliate sites have the potential to snowball into other illegal activities, including selling victim data to other hackers, spreading malware and pushing rogue antivirus, basically spinning a web of cybercriminal activity around the victims who buy into the phony pharmaceutical websites and other rogue Web pages.


Nov 9 2009   2:15PM GMT

iPhone worm Rickrolls jailbroken phones



Posted by: Robert Westervelt
iPhone security, malware

Security researchers warn iPhone users of the ikee worm, which uses the SSH default password to hack the smartphone and change the wallpaper to a Rick Astley photo.

A hacker from Wollongong, New South Wales is claiming responsibility for the new ikee worm, which started to infect jailbroken iPhones in Australia and is a possible threat to iPhone users in other countries. The worm, which the SANS Institute Storm Center calls very simple, scans certain IP addresses and uses Cydia, a replacement packaging and repository manager for jailbroken iPhones, to try to log in to the IP address as root.

It’s easy to determine if your jailbroken phone has been infected: the end result is a wallpaper image of ’80s pop singer Rick Astley. The worm’s author, who goes by the name Ash/ikex, said he was bored and wanted to shed light on iPhone users running SSH without changing the default password.


Nov 6 2009   2:18PM GMT

Israeli Mossad adds Trojan horse to Syrian laptop



Posted by: Robert Westervelt
cyberespionage, spyware

Data stealing malware helped Israeli spies reap data from official’s laptop.

Sophos security guru Graham Cluley writes today about the Mossad, Israel’s intelligence gathering operation, and how spies there gained access to a Syrian official’s laptop and uploaded a Trojan to collect data. According to German magazine Der Spiegel, the data collected using the malware helped Israeli officials plan a bombing run against a suspected Syrian nuclear facility in 2007.

According to the Der Spiegel story on the Syria bombing:

The hard drive contained construction plans, letters and hundreds of photos. The photos, which were particularly revealing, showed the Al Kibar complex at various stages in its development. At the beginning — probably in 2002, although the material was undated — the construction site looked like a treehouse on stilts, complete with suspicious-looking pipes leading to a pumping station at the Euphrates.

As Cluley puts it, the Israeli operation is an example of how cyberespionage is very much happening around the world. Reports seem to trickle out a few times a year about how malware was found on government computers in the United States and abroad.

Spyware has evolved to the point where many variants remain undetectable by antivirus programs. And no doubt intelligence gathering operations around the world are using it on any systems connected to the Internet.


Nov 6 2009   2:00PM GMT

Fragus exploit pack’s pricey business model locks users in



Posted by: Robert Westervelt
attack toolkits, exploit toolkits

The $800 attack toolkit comes with a self-destruct mechanism that fires after a certain time period.

Security researchers at Symantec are closely monitoring the Fragus exploit pack, an $800 package of tools developed by cybercriminals to enable users to set up attack websites. Their latest findings have identified an effort by the toolset writers to clamp down on how the toolpack is used – an effort, no doubt, to keep the revenue stream open long after someone plunks down the hefty chunk of change needed to buy Fragus.

The blog entry, written by Peter Coogan with help from researcher Cathal Mullaney, includes several screenshots of the exploit kit the researchers found in use on a specific domain. The toolkit they found was in use in September and October and targeted users in Spain and Germany.

Symantec said the toolkit is one of the most popular, but we’ll have to see how the authors’ clampdown affects its popularity. The authors restrict files to run on specific IP addresses and servers, meaning that if an owner of the kit wants to make a change they have to go back and get a software update to do so. The toolkit also contains a self-destruct mechanism, expiring files after a certain time period.

Despite the limitations, the toolkit’s popularity must mean that it is a big – real big – money maker for cybercriminals. A person willing to give up $800 is willing to accept a lot of risk and much like the stock market, the more risk you take on, the bigger the rewards.


Nov 2 2009   4:09PM GMT

New ransomware Trojan tricks victims to buy software fix



Posted by: Robert Westervelt
ransomware, Ramvicrype Trojan

Trojan horse doesn’t ask for money, but sends victims to software that can eliminate the malware’s file extension, according to Symantec Security Response.

Symantec has posted an interesting blog post about a new ransomware Trojan with a twist. Instead of asking for cash to unlock the files, the Ramvicrype Trojan encrypts files on victim computers and then sends victims seeking help via a search engine to a website where they can buy software that supposedly fixes the problem and decrypts the files. Older ransomware would push the victim to buy the keys outright.

Symantec virus researcher Shunichi Imano said in a blog entry that Ramvicrype victims will see some files on the computer with a vicrypt extension.

Entering the term ‘vicrypt’ into a search engine leads us to a company offering a fix, which of course is a charged service. So, there was a reason for that file extension after all.

The security vendor has developed a Symantec Ramvicrype removal tool for victims to decrypt the files.

Ransomware is not new. In fact, security expert Mike Chapple points out that it could be over a decade old. In an expert tip on what to do if you’re infected with ransomware, Chapple says you could reimage the drive and/or restore from backup. Check the Internet for the keys first. In many cases Chapple says others have been infected and security researchers likely have made the keys available.

Whether ransomware affects your organization directly or not, use the painful experiences of your peers to learn a lesson: install current antivirus software on all enterprise systems (especially the CEO’s laptop!). Make sure to also run regular backups and check firewall configurations.


Oct 29 2009   3:35PM GMT

Twitter warns of new phishing attacks



Posted by: Robert Westervelt
Phishing, Twitter security

Phishing campaign uses a direct message and a fake Twitter login page to pilfer credentials.

Twitter issued a spam warning via a Twitter message telling users not to click on a direct message that sends users to a Twitter login page. The Twitter warning said the login page is a fake and attempts to steal login and password credentials. Once a victim types in their credentials, a fake Twitter fail-whale over capacity message is displayed.

Sophos security expert Graham Cluley blogged about the Twitter phishing attempts on Wednesday, describing the fake Twitter message and calling on users of the social network to change their passwords regularly.

So, what should you do if you fell for one of these phishing messages and handed over your Twitter login details to the bad guys? You should consider yourself now hacked, and must change your Twitter password *immediately* before your account is abused by hackers.


Oct 29 2009   12:18PM GMT

Mozilla update repairs Firefox buffer overflow vulnerabilities



Posted by: Robert Westervelt
Firefox security, Mozilla security, web application flaws

Repairs fix several critical memory corruption errors and buffer overflow flaws that could cause the browser to crash and leave users vulnerable to attack.

Mozilla issued an update to its popular Firefox browser this week, repairing more than a dozen flaws that could cause the browser to operate erratically and crash or allow remote attackers to target vulnerable users.

The browser maker issued 10 advisories on Tuesday, five of them critical, fixing memory corruption errors, buffer overflow flaws and an object handling flaw that could enable an attacker to execute malicious code and gain access to sensitive data. Firefox 3.5.4 and 3.0.15 plug 16 holes in a variety of browser functions.

Mozilla repaired four critical memory corruption errors affecting the browser engine and the JavaScript engine. In its advisory, Mozilla said some of the errors could be targeted by attackers to execute arbitrary code.

The browser maker also updated several third-party libraries used to render media. The affected libraries were used by the browser to read Ogg Vorbis encoded media files.

“Some of the bugs discovered could potentially be used by an attacker to crash a victim’s browser and execute arbitrary code on their computer,” Mozilla said.

Other serious flaws were repaired. The Mozilla update fixed a heap-based buffer overflow in Mozilla’s string to floating point number conversion routines; a flaw that could enable an attacker to execute malicious JavaScript code with chrome privileges; and an error in Mozilla’s GIF image parser.

Last month, Mozilla released a new feature it said would help get users to update third-party plugins. The changes came in the release of Firefox 3.5.3 and Firefox 3.0.14.