Beware of the ‘antivirus’
As we approach this time of year, many security vendors refresh their products. We are in the process of finishing the beta of our Norton Antivirus 2009 and Norton Internet Security 2009 products and getting ready to release them to market. Many of our competitors have launched, or are launching, their new products. So, in turn, this gets people thinking about ‘new’ security products.
The last few days have seen reports of ‘malvertisements’ that ultimately lead to fraudulent products. Newsweek.com is one of several high-profile websites suspected of running rogue banner ads that try to trick visitors into installing fraudulent anti-malware programmes. This opens up an interesting dimension. People implicitly expect and trust that website owners have vetted the people who place ads on their sites. The owners do, but incidents like this show that the vetting is not infallible: a banner ad on a reputable site can still lead to a fraudulent download, so more needs to be done.
The trick of the bad guys pretending to offer an anti-malware utility or antivirus product has been around for some time. In recent weeks, however, we have seen a number of examples of it resurface. Symantec’s Security Response blog has written about this.
What we have observed is a combination of attack elements being used in concert. First comes a spam email carrying a fake news story with an Olympic theme. The user is encouraged to click a link, which in turn asks them to download ‘get_flash_update.exe’ or ‘get_flash_codec.exe’: an executable dressed up as a Flash update or video codec. These files then deliver a number of variants, one of which is a fake antivirus product, ‘Antivirus XP 2008’.
A cursory glance would lead you to believe it is legitimate: it is far from that. Once installed, ‘Antivirus XP 2008’ gives false reports on the security of the system, claiming multiple threats are running. It interrupts the user constantly with pop-up messages, balloon reminders and the like, asking them to register in order to remediate the ‘threats’. The victim’s desktop background is changed to show a virus warning. The goal is to get the victim to pay for what they think is a fully functional, legitimate security product, which of course it isn’t.
Now, you will think this blog pretty self-serving: guilty as charged! With many new (legitimate) antivirus products making their way onto the market, you need to be mindful. If you see something about a new product from someone you have not heard of, do your homework: ensure they really are who they say they are, and download only from the vendor’s own site rather than from a link in an email or a banner ad.
Be alert to the ‘CNN Alert’!
Many of you may have received a spam email with the subject line “CNN Alerts: My Custom Alert”. One turned up in my personal email folder. It was a very authentic-looking email. I thought it clever because, whilst I do not use the CNN site regularly, I have used it now and again. The interesting thing about this spam was that it did contain a link to a legitimate CNN story about the discovery of the world’s smallest snake; clicking that would have given the email a feel of credibility. The malicious link is still in the email, but you have to click the FULL STORY link to reach it.
The ‘FULL STORY’ link leads to one of a botnet of compromised machines, which host a page prompting the user to download an updated version of ‘Video ActiveX Object’. If you agree, you download ‘adobe_flash.exe’, which we here at Symantec detect as ‘Downloader’. Note the pattern, shared with the fake Flash updates above: a web page, not your software vendor, telling you that you need a new player or codec to watch a video.
On your marks!
The Beijing Olympics start tomorrow. It is the world’s biggest sporting event of all time, and I am sure it will not disappoint.
In winning the Olympics, Beijing set out to harness the power of IT, and innovate around it, to bring the Games to new audiences. We will see a convergence of IT and media on a scale not seen before. Many of the big media companies and franchises have extensive plans to bring the Games to the ’net in a big way. I know that many network administrators are bracing themselves for the impact of streaming video of the Games, if they allow it on their corporate networks. It will be interesting to see (or maybe not) what the strain on your ISP will be as well.
Where you have a mass audience connected to the ’net, the ‘bad guys’ will be lurking in the shadows. In the Symantec State of Spam report for August, we are already seeing spammers peddling their wares on the back of the Olympics. Symantec Security Response have already written up a blog on an attempted phishing attack purporting to sell tickets for the Games. The creators of the site went to great lengths to make it convincing, even using an SSL connection, believe it or not. Remember that the padlock only tells you the connection is encrypted to whoever holds the certificate; it says nothing about whether that party is the genuine ticket seller.
So, get on your marks, get set, and it is ‘Go’ for what will no doubt be many Olympic-related spams, phishing attempts and links to websites promising funny or curious videos of events at the Games. So I say “Citius, Altius, Fortius” to all of my colleagues in the IT security industry: keep everyone safe, and enjoy the Games.
Farewell Neosploit?
The past couple of years have seen a dramatic rise in the sheer number of malware samples on the internet and, with them, in the associated attacks. One contributing factor has been the arrival of ‘do-it-yourself’ infection kits. One of the most infamous is Neosploit, but there are many others, such as Mpack, IcePack, Cyber Bot and Zunker.
Neosploit allowed a budding ‘hacker’ to launch their own exploits and amass a sizeable botnet. There were regular updates and even a user forum. However, the other day a posting appeared on a Russian website announcing that the authors of Neosploit were retiring the product. In translation, it announced:
“Unfortunately, supporting our product is no longer possible. We apologize for any inconvenience, but business is business since the amount of time spent on this project does not justify itself.
We tried hard to satisfy our clients’ needs during the last few months, but the support had to end at some point. We were 1.5 years with you and hope that this was a good time for your business.”
So, it seems that the authors of Neosploit just couldn’t make it work commercially. That got me thinking: why? Is it because coming up with new exploits is becoming harder, and hence more costly? I do not see any particular evidence of this. There are other toolkits out there and many new exploits being developed all the time.
Could it be that they are being ‘boxed in’ by better security? To be fair, we are finding more exploits in the wild than ever, so this seems unlikely. Is it that the market dynamics of the ‘underground economy’ ultimately worked against them? Like every efficient market, it has seen new entrants and competitors to Neosploit that could compete on product and price. Therein may well lie the answer.
So, farewell Neosploit, but there are other exploit toolkits out there and, no doubt, new ones will make it onto the ‘market’.
You do not want this package
This month has seen a new twist on an old scam. There have been mass spam mailings with fake invoices. One version purports to inform you that a package from one of the well-known next-day-delivery companies could not be delivered and was returned. A zip file is attached; you are asked to download it, print its contents and take them to your local depot to collect the parcel.
When you unzip the file and run its contents, the malware copies itself onto the system, replacing a Windows file responsible for starting Explorer, the user interface and some other important processes. It also connects to a domain that has on occasion been used by banking Trojans, which redirects the request to another domain in order to download a rootkit and a rogue antivirus.
So, you get a ‘package’, but not one you want or expect!
D’oh! Homer falls in with the malware crowd
The malware guys have now roped Homer Simpson into spreading malware. It appears that, some time ago, there was an episode of ‘The Simpsons’ in which Homer’s email address was given as “chunkylover53”. Prior to the episode airing, the address was registered by the production company, which then used it to answer hundreds of emails from Simpsons fans.
In the past few days the ‘chunkylover53’ name has resurfaced, and it is now being used to distribute a Trojan disguised as a Simpsons movie file. If you get an email from Homer at his ‘chunkylover53’ address, you will be invited to follow a link to a ‘special exclusive episode’ of the show available for download. The link in the message leads not to a video but to an executable file.
On launching the Trojan, the user is presented with a fake error message, followed by several real error messages and, finally, a blank screen. After a restart, the system runs noticeably slower and is prone to crashes.
The other nasty aspect of this attack is that, once on the PC, the malware installs remote-control software that enrols the machine in a botnet. That botnet could easily be called on to launch further attacks.
What is still unclear, and a matter for conjecture, is just how the bad guys got hold of the ‘chunkylover53’ email address.
Really, your face isn’t stupid
Spam is annoying. By our estimates, 80% of all email is now spam. As you’d expect, many people are now a lot smarter about filtering out or simply ignoring it. This means spammers are having to come up with new ways to approach us and get us to open their messages or click on the attachments they carry.
Recent weeks have seen the spammers switch to insulting us to get our attention. There has been a flood of emails with the subject line ‘Your stupid face’. The intent is to get us angry or curious enough to open the email and then click on the attachment purporting to show the user’s ‘stupid face’. The attachment is a ‘video.exe’ or something similar: an executable, not a video. If you run it, you can be directed to a host carrying the malware, and before you know it you are infected with a bot.
This new genre of spam is being described as ‘spam slam’. So, if you see something like this in your inbox, don’t open it or click on it: delete it. Even if you think your face is a bit stupid.
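The lures in ‘Beware of the antivirus’, ‘Be alert to the CNN Alert’, ‘D’oh! Homer’ and this post all share one giveaway: the thing you are asked to download or open is an executable (‘get_flash_update.exe’, ‘adobe_flash.exe’, ‘video.exe’) dressed up as a codec, player update or video. Below is an added example, written for this page rather than taken from any Symantec product or from the posts themselves, of how a mail gateway or a curious administrator might triage messages for that pattern. The sample messages, hosts and filenames are constructed for the demonstration (example.invalid and 203.0.113.x are reserved and route nowhere); the double-extension and IP-literal heuristics go beyond what the posts describe and are generalisations of the same trick.

```python
"""Heuristic triage for 'executable disguised as a video/update' email lures."""
import re
from urllib.parse import urlparse

# Extensions Windows will execute directly when the user double-clicks.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# Harmless-looking extensions a lure hides in front of the real one (video.avi.exe).
DECOY_EXTENSIONS = {".avi", ".wmv", ".mpg", ".mpeg", ".mov", ".pdf", ".doc", ".jpg"}

# Words the lures in these posts used to make an executable look like a normal download.
LURE_WORDS = ("flash", "codec", "video", "activex", "update", "player", "episode", "invoice")

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify_filename(name):
    """Return the reasons a download or attachment name looks like a lure ([] = clean)."""
    reasons = []
    lower = name.lower()
    parts = lower.rsplit(".", 2)          # keep up to two extensions: video.avi.exe
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable:%s" % ext)
        if len(parts) == 3 and "." + parts[1] in DECOY_EXTENSIONS:
            # The visible 'avi' is bait; Windows hides the trailing .exe by default.
            reasons.append("double-extension:.%s%s" % (parts[1], ext))
        words = [w for w in LURE_WORDS if w in lower]
        if words:
            reasons.append("masquerade:" + ",".join(words))
    return reasons


def scan_message(body, attachments=()):
    """Scan a message body and attachment names; return [(kind, item, reasons), ...]."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:")          # drop sentence punctuation glued to the URL
        parsed = urlparse(url)
        filename = parsed.path.rsplit("/", 1)[-1]
        reasons = classify_filename(filename)
        if reasons and IP_HOST_RE.match(parsed.hostname or ""):
            # Payload served straight from a numeric address, as a compromised home
            # machine in a botnet would, rather than from a vendor's download site.
            reasons.append("ip-literal-host")
        if reasons:
            findings.append(("url", url, reasons))
    for name in attachments:
        reasons = classify_filename(name)
        if reasons:
            findings.append(("attachment", name, reasons))
    return findings


# Constructed samples modelled on the lures described above; no host here is real.
SAMPLES = {
    "olympic_news": (
        "Breaking: chaos at the Olympic opening ceremony! Watch the footage:\n"
        "http://news.example.invalid/video/get_flash_update.exe",
        (),
    ),
    "cnn_alert": (
        "CNN Alerts: My Custom Alert\n"
        "World's smallest snake discovered: http://news.example.com/2008/smallest-snake.html\n"
        "FULL STORY: http://203.0.113.25/cnn/adobe_flash.exe",
        (),
    ),
    "stupid_face": ("Your stupid face. See for yourself, attached.", ("video.exe",)),
    "chunkylover53": (
        "Hey, it's Homer! Exclusive episode just for you:\n"
        "http://fans.example.invalid/simpsons/new_episode.avi.exe",
        (),
    ),
    "benign": ("Monthly newsletter: http://www.example.com/news/august.html.", ("report.pdf",)),
}


def triage(samples=SAMPLES):
    """Run every sample through scan_message; an empty list means nothing suspicious."""
    return {name: scan_message(body, atts) for name, (body, atts) in samples.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        print("%-14s %s" % (name, "LURE" if findings else "clean"))
        for kind, item, reasons in findings:
            print("    %-10s %s -> %s" % (kind, item, ", ".join(reasons)))
```

Only the ‘benign’ sample comes back clean: the legitimate news link in the CNN-style message is ignored while the FULL STORY executable on a bare IP address is flagged, which is exactly the distinction a reader of that email has to make by eye.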
Would you credit it?
At Symantec we have our Global Intelligence Network, comprising over 40,000 sensors, a couple of million decoy email addresses and some 150 million Symantec endpoints. It allows us to monitor what is happening on the internet second by second. One facet of this is the monthly ‘State of Spam’ report that we publish.
Casting our minds back to June 2007, we reported that nearly 70% of all email sent was spam. This was an alarming and, at the same time, interesting trend. One of the new tricks that helped fuel the increase was so-called PDF spam, where the spammers put the spam message inside an attached PDF file so that filters inspecting only the message text had nothing to match. New countermeasures were put in place and PDF spam came and went.
Well, here in June 2008, the amount of spam is an incredible 80% of all email. What gives?
This is testament to the ongoing determination and inventiveness of the spammers. One thing I have noted in my own personal email account is the number of ‘credit’-related emails flowing into my spam folder. They all follow a similar pattern: I have been ‘pre-cleared’ for a loan, or ‘Get out of the red’ instant credit is available to me. The further twist is that they arrive in week two or three of the month, on the basis that this is when people are running low on cash and waiting for the next pay day. So the spammers have piggybacked on the ‘credit crunch’, which helps explain the continued, unparalleled volumes. We see this constant see-sawing between technical and social means to keep the flood of spam flowing.
Even the ‘credit crunch’ is old news now; we are seeing them switch to spam focused on the fuel crisis, with promises of discounted or free petrol, diesel, gas and electricity. For those of you who want to read the full ‘State of Spam’ report for June 2008, follow this link: http://www.symantec.com/business/theme.jsp?themeid=state_of_spam
Bosses most at risk of Identity Theft?
The media has been quick to cover the story from Experian, the credit reference agency, of the rise in reports of identity theft. Many ran it under the headline ‘Bosses most at risk of ID theft’. What was notable in the news release was the profiling of reported victims and the ability to show ‘hot-spots’ for identity theft in the UK.
But why is it company directors, or bosses who run their own businesses, who are most prone to identity theft? Of course criminals go where the money is, and by and large ‘bosses’ have more money than the rest of us mere mortals. I can see some logic there. Given the growing sophistication of identity-theft attacks and the attackers’ ability to gather more information about people, the criminals can start to separate the ‘bosses’ from the ‘non-bosses’.
Then again, it may simply be that, given the legal and reporting requirements of being a ‘boss’, there is more publicly available information out there if you are a company director: the details a director must file at Companies House, for example, are on the public record. Is it time to look back into this to assess whether there is a potential risk?
Or it may just be a lifestyle issue. If you are a ‘boss’ then maybe you rely on others to help you with some of the admin that goes with being in charge and trying to organise a hectic lifestyle. This increases the risk of personally identifiable information being shared between the boss and an admin assistant or PA. You see the picture: shared logins, shared passwords, passwords kept weak so that several people can remember them, and so on. The other reality may be that many of these people are just so busy building and running their businesses that they do not have time to focus on ‘security’.
So my message to the ‘bosses’ is hopefully one they can appreciate: do the basics well and do them all the time. Use strong passwords, and do not share them. We found that 50 per cent of people still use really weak passwords (http://www.symantec.com/norton/theme2.jsp?themeid=nol). Use an anti-phishing tool in your browser and ensure you have a good anti-spam tool for your email.
When Malware becomes Crimeware
Now, without wanting to start an official book club (there are enough in the world without me getting into the act), I have had the opportunity in the past few weeks to read a couple of security-focused books that I thought you may be interested in and benefit from. Both focus on the evolution of ‘malware’ into ‘crimeware’. ‘Crimeware: Understanding New Attacks and Defenses’ is by Markus Jakobsson and Zulfikar Ramzan (www.informit.com/aw). It is very comprehensive in scope and helps the expert, and the not-so-expert, understand and prevent specific crimeware threats. What it does well is explain, from a technical standpoint, how malware can be and is used for crime. Zulfikar Ramzan is a colleague of mine here at Symantec, and he has also roped in some other members of the team to help with some of the chapters.
‘Zero Day Threat’, by Byron Acohido and Jon Swartz (www.sterlingpublishing.com), provides a further insight into the developing world of crimeware. The authors are journalists with USA Today, and they neatly intertwine the narrative of a real-life ‘bust’ of a crimeware author in Canada with an account of the failures of banks and credit bureaus to keep people safe from crimeware. It provides a good and thought-provoking overview of what is happening and what could happen, without descending into deep technical analysis.