Farewell Neosploit?

The past couple of years have seen a dramatic rise in the sheer number of pieces of malware out on the Internet and, with it, in the number of associated attacks. One of the contributory factors to this increase has been the arrival of 'do-it-yourself' infection kits. One of the most infamous of these is Neosploit, but there are many others, such as MPack, IcePack, Cyber Bot and Zunker.

Neosploit allowed a budding 'hacker' to launch their own exploits and amass a sizeable botnet. There were regular updates and even a user forum. However, the other day a posting appeared on a Russian web site announcing that the authors of Neosploit were retiring the product. In translation, it read:

 “Unfortunately, supporting our product is no longer possible. We apologize for any inconvenience, but business is business since the amount of time spent on this project does not justify itself.
We tried hard to satisfy our clients’ needs during the last few months, but the support had to end at some point. We were 1.5 years with you and hope that this was a good time for your business.”

So, it seems that the authors of Neosploit just couldn't make it work in a commercial sense. That got me thinking: why? Is it because coming up with new exploits is becoming harder, and hence more costly, for them? I do not see any particular evidence of this. There are other toolkits out there, and new exploits are being developed all the time.

Could it be that they are being 'boxed in' by better security? To be fair, we are finding more exploits than ever, so this is probably not the case. Is it that the market dynamics of the 'underground economy' ultimately played against them? Like every efficient market, this one has seen new entrants and competitors to Neosploit who could compete with it on product and price. Therein may well lie the answer.

So, farewell Neosploit. But there are other exploit toolkits out there, and no doubt new ones will make it onto the 'market'.

You do not want this package

This month has seen a new twist on an old scam: mass spam mailings carrying fake invoices and delivery notices. One version purports to inform you that a package from one of the big next-day-delivery companies could not be delivered and has been returned. A zip file is attached; you are asked to download it, print it out and then collect your parcel from your local depot.

When you download and unzip the file and run its contents, the malware copies itself onto the system, replacing a Windows system file that manages Explorer, the user interface and some other important processes. It then connects to a domain that has on some occasions been used by banker Trojans. From that domain the request is redirected to a second domain, from which it downloads a rootkit and a rogue antivirus program.

So, you get a 'package', but not one you want or expect!

Storms in July – who would have thought it?

So, even now, 17 months down the line, the 'Storm Worm' is still morphing and reinventing itself to stay alive and 'out there'. The chronology of Storm is interesting, as it shows how the intersection of social engineering and news events lets the bad guys keep reusing and repurposing this attack. More on this in a future blog.

The tactic being used this time round is to hide the Storm malware behind fake news stories about the FBI and Facebook. As usual, you are directed to a fake web site, hosted on an infected machine acting as a Storm web proxy. If you follow the lure and click the link, you end up with an executable named "fbi_facebook.exe". This is the malware. The site not only hosts the download but also launches a set of browser exploits at you while you are there, so you do not even need to run the file to be infected.

No ‘Summer of Love’ in San Francisco

San Francisco city officials are currently wrestling with a difficult issue: they cannot administer their FiberWAN network after a disgruntled system administrator changed the administrative passwords and locked everyone else out. All administrators are locked out except Terry Childs, the unhappy and now ex-employee, who is refusing to divulge his access codes.

He is now facing criminal charges and is due in court tomorrow. However, the stand-off continues, with Childs not prepared to disclose his passwords. Engineers from Cisco have been brought in to try to regain access. The Mayor of San Francisco has gone to pains to reassure people that the network is working fine; the only issue is that if it fails, there is no way to get into it and fix it.

All very unsatisfactory and embarrassing for the City of San Francisco. It brings into focus the need to be careful about who has administrative rights to your network, to vet the background of the people you give that access to, and to make sure that no single person is the only one who holds the keys. It turns out that Terry Childs has a past conviction for aggravated burglary.

There is a lesson in all of this for our own home networks. Our research shows that the majority of us keep the default names and passwords that come with our home routers. The bad guys know all of these defaults. So, if you do not want your own version of what is happening in San Francisco, change the default administrator password used to log in to the router's configuration pages, and change the default wireless network name and wireless key to something unique to you as well.

NAV and NIS 2009 Public BETA

We have released public BETA versions of Norton AntiVirus and Norton Internet Security 2009. If you follow this link, it will take you to the download page. We would really like people to download it and let us know what they think.

We plan some very bold things with our 2009 releases. We are aware that customers want security products that do not overwhelm their system resources. Our 2009 products provide strong protection whilst being light on system resources. We have implemented a new architecture for the 2009 products to reduce boot time, scan times, memory usage and install time.

There is a lot of new stuff, so go ahead and download it!

D’oh! Homer falls in with the malware crowd

The malware guys have now roped Homer Simpson into spreading malware. It appears that some time ago there was an episode of 'The Simpsons' in which Homer's e-mail address was given as "chunkylover53". Prior to the episode's airing, the address was registered by the production company, which then used it to answer hundreds of e-mails from Simpsons fans.

In the past few days the 'chunkylover53' name has resurfaced, and it is now being used to distribute a Trojan disguised as a Simpsons movie file. If you get an e-mail from Homer at his 'chunkylover53' address, you will be invited to follow a link to a special exclusive episode of the show available for download. The link in the message leads to an executable file.

Upon launching the Trojan, the user is presented with a fake error message, followed by several real error messages and, finally, a blank screen. After a restart, the system runs noticeably slower and is prone to crashes.

The other nasty in this attack is that once the malware is on the PC, it installs remote-control software that enrols the machine in a botnet. That botnet can then be called upon to launch further attacks.

What is still unclear, and a matter for conjecture, is just how the bad guys got hold of the 'chunkylover53' e-mail address.
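The three lures above (the returned-parcel zip, the Storm "fbi_facebook.exe" link and the 'chunkylover53' download link) share one pattern: an e-mail that gets the recipient to run an executable, either attached directly, hidden inside a zip, or fetched from a link. The script below is an added example written for this page, not code from the original post or from Norton; it triages a raw e-mail for that pattern by looking at attachment extensions, the contents of zip attachments (by extension and by the Windows executable "MZ" header, so a renamed file is still caught), and links that point straight at an executable. The sender addresses, domains, file names and message bodies are all constructed for the demo.

```python
"""Triage an e-mail message for the executable-lure pattern."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on double-click. Assumption: a minimal list for
# the demo; a production mail filter carries a much longer one.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
ARCHIVE_EXTENSIONS = {".zip"}
LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def has_exec_extension(name: str) -> bool:
    """True if the final extension is one Windows treats as executable."""
    name = name.lower().rstrip(". ")
    return any(name.endswith(ext) for ext in EXEC_EXTENSIONS)


def executables_in_zip(data: bytes) -> list[str]:
    """Names of zip members that look executable by extension or by the
    'MZ' header; [] if the bytes are not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            flagged = []
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as member:
                    head = member.read(2)
                if has_exec_extension(info.filename) or head == b"MZ":
                    flagged.append(info.filename)
            return flagged
    except zipfile.BadZipFile:
        return []


def triage_message(raw: bytes) -> list[str]:
    """Return a list of findings for one RFC 822 message (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            payload = part.get_payload(decode=True) or b""
            lower = filename.lower()
            if has_exec_extension(lower) or payload[:2] == b"MZ":
                findings.append(f"executable attachment: {filename}")
            elif any(lower.endswith(ext) for ext in ARCHIVE_EXTENSIONS):
                for member in executables_in_zip(payload):
                    findings.append(f"executable inside archive {filename}: {member}")
        elif part.get_content_maintype() == "text":
            for url in LINK_RE.findall(part.get_content()):
                if has_exec_extension(url.split("?", 1)[0]):
                    findings.append(f"link to executable: {url}")
    return findings


def build_parcel_lure() -> bytes:
    """Constructed sample: 'your parcel was returned' mail with a zip that
    hides an executable behind a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Delivery_Notice.doc.exe", b"MZ" + b"\0" * 64)
    msg = EmailMessage()
    msg["From"] = "noreply@courier.example"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your package could not be delivered"
    msg.set_content("Please print the attached label and collect your parcel.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Delivery_Notice.zip")
    return msg.as_bytes()


def build_news_lure() -> bytes:
    """Constructed sample: Storm-style fake news story linking a bare .exe."""
    msg = EmailMessage()
    msg["From"] = "news@example.net"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "FBI may strike Facebook"
    msg.set_content("Full story: http://lure.example/fbi_facebook.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_parcel_lure(), build_news_lure()):
        for finding in triage_message(raw):
            print(finding)
```

The "MZ" check matters more than the extension list: renaming a file to `.doc` does not change its first two bytes, and a zip member that starts with `MZ` is a Windows executable whatever it is called. Note that the script only reads the first two bytes of each member and never extracts anything to disk, so it is safe to run over a quarantine folder.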

A very ‘Patchy’ Patch-Tuesday

Most of us have become accustomed to Microsoft's 'Patch Tuesday'. On the second Tuesday of each month, Microsoft coordinates the release of security patches for the security 'holes' it has been made aware of and has found a fix for. Many people look at Patch Tuesday with a mixture of frustration and reassurance: frustration borne of the very public exposition of 'not another list of security issues', and then having to wait for their PCs to download and install the patches; reassurance in the form that fixes have been found and the bad guys have been put back in their box. This month was a bit different.
 
When a vulnerability is being exploited before the vendor has a patch or other fix available for it, we describe it as a 'zero-day'. On Monday, as Microsoft was preparing everyone for this month's Patch Tuesday, it had to warn that attackers were exploiting a flaw in the Snapshot Viewer ActiveX control bundled with all versions of Access, Office's database program, except the newest edition, Access 2007. As with most of these ActiveX attacks, the exploits are being served by otherwise legitimate web sites that have themselves fallen victim to automated injection of malicious code into some of their pages. In the past we have seen government, commercial and hobby sites fall victim to such attacks and then serve exploits to every visitor. An attacker would have to lure a victim, via a link in an e-mail or instant message for instance, to a specially crafted web page that exploits the hole to achieve remote code execution. This gives the attacker the same access and rights on the computer as the logged-on user, which is one more reason not to browse from an administrator account. Until a patch is available, Microsoft's advisory offers its usual workaround for a vulnerable ActiveX control: setting the kill bit for the control's class identifiers in the registry so that Internet Explorer will not instantiate it. Separately, we recommend that all Internet Explorer users, including those who do not have the Access Snapshot Viewer installed, update their Norton AntiVirus / Internet Security definitions.

But things did not stop there. As we rolled into Patch Tuesday, and therefore only hours after fixing nine vulnerabilities across several of its products, Microsoft confirmed that attackers were exploiting an unpatched bug in Word 2002. In lieu of a patch, the Microsoft advisory recommended that users open and view Word files with the Word 2003 Viewer instead. Microsoft said that a patch may be forthcoming, but did not give a timetable.

All in all, a very messy Patch Tuesday.

Cyber-vandalism has not gone away

We continue to report that the vast majority of malicious activity is now for profit. What started out as 'look how clever I am' hacking and goofing around has morphed into an increasing focus on using these skills and techniques to make money. However, there is still cyber-vandalism out there. One example from the past few days was a high-profile hijacking of web sites owned by the Internet Corporation for Assigned Names and Numbers, more commonly known as ICANN.
 
To reach another computer on the Internet you type an address, a URL (Uniform Resource Locator), into your browser. The domain name in that URL has to be unique so that computers know where to find each other, and ICANN coordinates these unique identifiers (domain names and the allocation of IP addresses) across the world. Without that coordination we would not have one global Internet. Late last week, visitors to the ICANN site were redirected to a page where they saw this message:
 
  “You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us? haha :) (Lovable Turkish hackers group)”
 
The attack was carried out by a group calling itself NetDevilz, who are thought to be Turkish. From what can be seen, no other malicious content was served from the site that users were redirected to. Nonetheless, it was a very public embarrassment for the organisation responsible for ensuring that the address you type into your browser takes you to the site you think you are going to. It did not take ICANN long to spot what had happened and to start rectifying it. I am sure it was all very frustrating and time-consuming, which really is just what vandalism of any sort, whether in the real world or in the virtual one, is all about.