The story of the take down of ‘Dark Market’
The question of just how capable law enforcement is in the face of cyber-criminals comes up regularly. Unfortunately, tracking down the true perpetrators is a complex and time-consuming process. Many times it requires detailed technical knowledge and understanding, which then needs to be coupled with potentially cross-jurisdictional cooperation and coordination. I told you that it was difficult!
At RSA this week, the FBI provided an insight into how they went about the ‘Dark Market’ bust. The man who led the operation outlined just how they did it. What is also interesting is the insight into the structure and operation of ‘Dark Market’. A link to the story is here.
In the end, 60 people were arrested and an estimated $70M of fraud averted. It is good to see that law enforcement can be effective and that cyber-criminals can be brought to account. However, the victory is short-lived given the dynamic and growing nature of the underground economy and the cyber-criminals who frequent it.
Trojan.Brisv – an interesting backing track
My colleagues at Symantec Security Response have seen a significant uptick this week in Trojan.Brisv.A, a threat that infects multimedia files. This trojan searches for multimedia files with the extensions .asf, .mp2, .mp3, .wma and .wmv and injects additional functionality into the files it finds. While playing an infected file, Windows Media Player will access a malicious link on the Internet, which may in turn result in more malware being downloaded. Symantec Security Response has seen 400,000 AV pings over a period of a few days, which we estimate translates to between 200,000 and 1.6 million people affected. Symantec Security Response believes the threat has reached its peak.
We have updated our virus definitions to spot and neutralise this trojan. We have also created a removal tool to repair the infected multimedia files, which is available to customers online here. We have tracked more than 135,000 downloads of the fix tool to date.
All of which is a useful reminder that you need to be careful when downloading multimedia files. People are gradually, if slowly, becoming vigilant about downloading files and application executables from web sites. However, what Trojan.Brisv.A brings to the forefront is that even the ‘content’ can be compromised: a media file is no longer just data to be played, it can carry an instruction that the player will act on.
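The post above says that an infected file makes Windows Media Player fetch a link during playback, but not how the link is carried inside the file. The script below is an added example, not Symantec’s fix tool and not code from the post. It assumes the link rides in the file’s ASF Script Command Object, the standard mechanism by which a WMA/WMV/ASF file tells Windows Media Player to open a URL (command types ‘URL’ and ‘URLANDEXIT’); the post does not say that Brisv uses this object, so treat that as the example’s assumption. The sample file bytes, the helper names and the host malicious.example are constructed for the example.

```python
import struct
import uuid

# ASF object GUIDs from the ASF specification; on disk they use the Windows
# GUID byte layout, which is what uuid's bytes_le form expects.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C90348F6")
ASF_SCRIPT_COMMAND_RESERVED = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C90348F6")

# Command types that make the player open a remote resource.
NETWORK_COMMAND_TYPES = ("URL", "URLANDEXIT")


def _wstr(buf, off):
    """Read a 2-byte WCHAR count followed by that many UTF-16LE code units."""
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    return buf[off:off + 2 * n].decode("utf-16-le"), off + 2 * n


def parse_script_commands(data):
    """Return [(presentation_time_ms, type_name, command_text)] from an ASF header.

    Keys on the leading Header Object GUID rather than the file extension, so a
    file that was rewritten into an ASF container but kept a .mp3 name is still
    parsed. Raises ValueError for anything that is not ASF.
    """
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF/WMA/WMV file")
    (hdr_size,) = struct.unpack_from("<Q", data, 16)
    (n_objs,) = struct.unpack_from("<I", data, 24)
    off = 30                      # 16 GUID + 8 size + 4 count + 2 reserved bytes
    end = min(hdr_size, len(data))
    commands = []
    for _ in range(n_objs):
        if off + 24 > end:        # truncated header: stop rather than over-read
            break
        guid = uuid.UUID(bytes_le=data[off:off + 16])
        (size,) = struct.unpack_from("<Q", data, off + 16)
        if size < 24:
            raise ValueError("malformed ASF object size")
        if guid == ASF_SCRIPT_COMMAND_OBJECT:
            p = off + 24 + 16     # skip the object's reserved GUID
            n_cmds, n_types = struct.unpack_from("<HH", data, p)
            p += 4
            types = []
            for _ in range(n_types):
                name, p = _wstr(data, p)
                types.append(name)
            for _ in range(n_cmds):
                t_ms, t_idx = struct.unpack_from("<IH", data, p)
                p += 6
                text, p = _wstr(data, p)
                type_name = types[t_idx] if t_idx < len(types) else "?"
                commands.append((t_ms, type_name, text))
        off += size
    return commands


def suspicious_commands(data):
    """Flag commands that would make the player reach out to the network."""
    return [c for c in parse_script_commands(data)
            if c[1].upper() in NETWORK_COMMAND_TYPES
            or c[2].lower().startswith(("http://", "https://"))]


# --- constructed sample data for the example (not real Brisv output) ---------

def _asf_object(guid, body):
    return guid.bytes_le + struct.pack("<Q", 24 + len(body)) + body


def _wbytes(s):
    b = s.encode("utf-16-le")
    return struct.pack("<H", len(b) // 2) + b


def build_sample(commands):
    """Build a minimal ASF header whose only sub-object is a Script Command
    Object carrying `commands`, a list of (time_ms, type_name, text)."""
    types = sorted({t for _, t, _ in commands})
    body = ASF_SCRIPT_COMMAND_RESERVED.bytes_le
    body += struct.pack("<HH", len(commands), len(types))
    for t in types:
        body += _wbytes(t)
    for ms, t, text in commands:
        body += struct.pack("<IH", ms, types.index(t)) + _wbytes(text)
    script = _asf_object(ASF_SCRIPT_COMMAND_OBJECT, body)
    header_body = struct.pack("<IBB", 1, 1, 2) + script   # 1 object, reserved 0x01 0x02
    return _asf_object(ASF_HEADER_OBJECT, header_body)


if __name__ == "__main__":
    infected = build_sample([(0, "URLANDEXIT", "http://malicious.example/")])
    clean = build_sample([(5000, "EVENT", "chapter1")])
    print("infected:", suspicious_commands(infected))
    print("clean:   ", suspicious_commands(clean))
```

The check keys on the first 16 bytes rather than the extension because a file that has been rewritten into an ASF container keeps working in Windows Media Player whatever its name is; an unexpected container under a .mp3 extension is itself worth a second look. Files that are not ASF raise rather than silently returning nothing, so a triage script does not mistake ‘could not parse’ for ‘nothing found’.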
Play your part in a safe and secure inauguration
The inauguration of Barack Obama is capturing the attention of the world. What I have found interesting, in the run-up to the event itself, is the sheer size and scope of the preparations, particularly the security arrangements being made. Preparations are being made to cover all eventualities. The roads in Washington have been closed, there will be tens of thousands of police and army personnel deployed, with snipers providing cover from the roof-tops along the parade route. That is not to mention the helicopters and even fighter jets that will patrol the skies and the patrol boats monitoring the waterways. We all hope for a safe and peaceful event.
Now, I would also encourage you to take your own security precautions in the run-up to, and through, what is turning out to be a world event. Symantec Global Intelligence is detecting a surge of inauguration-themed spam. We have written about this here.
The tactic is the well-worn one of sensationalist email headings with an embedded link that takes you to a web site which, ostensibly, looks like an official Obama campaign web site. However, it is far from that. The web site automatically tries to attack your web browser to surreptitiously install malicious software onto your machine. Although your machine may be fully patched and therefore deflect this type of attack, the site hopes that your curiosity gets the better of you, and further hyperlinks on the site point to other malicious content, relying on you to fetch and run it yourself. We detect the piece of malicious software being used here under the name W32.Waledac. This particular piece of malware is capable of harvesting personal information from your machine, turning it into a spam zombie and also leaving a ‘back door’ so that the hackers can come and go from your machine and use it at will.
Blast off with Norton!
Do you want to take a trip into space? Well, to celebrate the launch of the Norton 2009 products, we are offering the chance to do just that! In an unprecedented sensory experience, rocket engines boost you beyond the normal limits of flight to regions above 62 miles (100 kilometres), where space begins. After the engines shut down, you will experience up to five minutes of continuous weightlessness, all the while gazing at the vast blackness of space and the blue horizon of the Earth below. Cool! This link takes you to a video of what to expect.
Follow this link to register for the competition. All the very best!
Beware of the ‘antivirus’
As we approach this time of year, many security vendors refresh their products. We are in the process of finishing the beta of our Norton AntiVirus 2009 and Norton Internet Security 2009 products and getting ready to release them to market. Many of our competitors have launched, or are launching, their new products. So, in turn, this starts to get people thinking about ‘new’ security products.
The last few days have seen reports of ‘malvertisements’ that ultimately lead to fraudulent products. Newsweek.com is one of several high-profile websites suspected of running rogue banner ads that try to trick visitors into installing fraudulent anti-malware programmes. This opens up an interesting dimension. People implicitly expect and trust that the web site owners have checked into the people who place ads on their sites. The web site owners do, but incidents like this point out that they are not infallible and need to do more: vetting an advertiser once says nothing about what that advertiser’s banners serve up later.
The trick of the bad guys pretending to be an anti-malware utility or antivirus product has been around for some time. However, in recent weeks we have seen a number of examples of this resurface. Symantec’s Security Response blog has written about this.
What we have observed is a combination of attack elements being used in concert. First, a spam email carrying an Olympics-themed fake news story. The user is encouraged to click on a link, which in turn asks the user to download ‘get_flash_update.exe’ or ‘get_flash_codec.exe’. These files then install one of a number of variants, one of which is a fake antivirus product, ‘Antivirus XP 2008’.
A cursory glance would lead you to believe that it looks legitimate: it is far from that. Once it is installed, ‘Antivirus XP 2008’ gives false reports on the security of the system, claiming it has multiple threats running. The software interrupts the user constantly with pop-up messages, balloon reminders and so on, asking the user to register to remediate the threats. The victim’s desktop background is changed to show a virus warning message. The goal of this threat is to get the victim to pay for what they think is a fully-functional, legitimate security product, which of course it isn’t.
Now, you will think this blog to be pretty self-serving: guilty as charged! With many new (legitimate) antivirus products making their way onto the market, you need to be mindful. If you see something about a new product from someone you have not heard of, then do your homework: ensure they really are who they say they are.
On your marks!
The Beijing Olympics start tomorrow. It is the world’s biggest sporting event of all time, and I am sure that it will not disappoint.
In winning the Olympics, Beijing outlined that it would harness the power of IT, and innovate around it, to bring the Games to new audiences. We will see a convergence of IT and media on a scale not seen before. Many of the big media companies and franchises have extensive plans to bring the Games to the ‘net in a big way. I know that many network administrators are bracing themselves for the impact of streaming video of the Games, if they allow it on their corporate network. It will be interesting to see (or maybe not) what the strain will be on your ISP as well.
Where you have a mass audience connected to the ‘net, the ‘bad guys’ will be lurking in the shadows. In the Symantec State of Spam report for August, we are already seeing spammers peddling their wares on the back of the Olympics. Symantec Security Response has already written up a blog on an attempted phishing attack purporting to sell tickets for the Games. The creators of the site went to great lengths to make it convincing, even using an SSL connection, believe it or not. Bear in mind that the padlock only tells you the connection is encrypted to whoever holds the certificate; it says nothing about whether that party is the legitimate ticket seller.
So, get on your marks, get set, and it is ‘go’ for no doubt many Olympics-related spams, phishing attempts, links to web sites showing funny/curious videos of events at the Games, etc. So, I say “Citius, Altius, Fortius” to all of my colleagues in the IT security industry: keep everyone safe so that you can all enjoy the Games.
Cuil? Cool? Kool?
So, we now have a new search engine called ‘Cuil’, pronounced ‘cool’. Well, a catchy name never tripped up a good product, but an obscure spelling could. That being said, the arrival of Cuil was welcomed in most parts. The company goes on to explain why it is different from what is out there already: “The search engine goes beyond today’s search techniques of link analysis and traffic ranking to analyse the context of each page and the concepts behind each query”. So, there you have it, a kind of deeper, more relevant search.
So what did Google make of it? They seemed quite ‘cool’ about it; however, in a blog entry they did outline that they still felt they had the biggest web index out there. Now, the people behind Cuil do have a good pedigree in this area, being ex-Google and IBM people. So, they know what it takes to build a successful search engine. The arrival of Cuil brings with it many questions, the most prosaic of which is how they will make money (there is no advertising for the moment). They will be on a steep learning curve, and the story today of an embarrassing snafu is testament to this. As to how they will handle the security side of operating a search engine, we will also have to wait and see what they come up with.
D’oh! Homer falls in with the malware crowd
The malware guys have now roped Homer Simpson into spreading malware. It appears that, going back in time, there was an episode of ‘The Simpsons’ in which Homer’s e-mail address was given as “chunkylover53”. Prior to the episode’s airing, the address was registered by the production company, which then used it to answer hundreds of e-mails from Simpsons fans.
In the past few days the ‘chunkylover53’ name has resurfaced, and it is now being used to distribute a trojan disguised as a Simpsons movie file. If you get an email from Homer at his ‘chunkylover53’ address, you will be invited to follow a link to a special, exclusive episode of the show available for download. The link in the message leads to an executable file.
Upon launching the trojan, the user is presented with a fake error message, which is followed by several real error messages and, finally, a blank screen. Upon restarting, the system will run noticeably slower and be prone to crashes.
The other nasty in this attack is that once the malware is delivered onto the PC, it installs remote-control software which enrols the machine in a botnet. The botnet itself could easily be called on to launch another attack.
What is still unclear, and a matter for conjecture, is just how the bad guys got hold of the ‘chunkylover53’ email address.
Cyber-vandalism has not gone away
We continue to report and comment that the vast majority of malicious activity is now for ‘profit’. What once started out as ‘look how clever I am’ hacking and goofing around has morphed into an increasing focus on using these technical skills and techniques to make money. However, there is still cyber-vandalism out there. One example of this that occurred in the past few days was a high-profile hijacking of sites owned by the Internet Corporation for Assigned Names and Numbers, or ICANN as it is more commonly known.
To reach another person on the Internet you have to type an address into your computer, a so-called Uniform Resource Locator (URL). The domain name in that URL has to be unique so that computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination we wouldn’t have one global Internet. Late last week, visitors to the ICANN site were redirected to a site where they saw this message:
“You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us? haha
(Lovable Turkish hackers group)”
The attack was from a group called NetDevilz, who are thought to be Turkish. Now, from what can be seen, there seems to have been no other malicious content served up from the site that users were redirected to. This was a very public embarrassment for the organisation that is responsible for ensuring that the URL you type into your browser takes you to the site you think you are going to. It did not take long for ICANN to spot what had happened and to start to rectify it. I am sure it was all very frustrating and time-consuming, which really is just what vandalism of any sort, whether in the real world or the virtual world, is all about.
Games within games
By some estimates, there are in excess of 250 million online gamers worldwide. The revenue associated with this was in excess of $8 billion in 2007, and it is forecast to grow to just short of $10 billion in 2008. You know the drill: where there are many users and a lot of money, the bad guys are sure to come calling.
By our estimates, there are in excess of five thousand Trojans that have been developed with the purpose of stealing user details from computer games. Getting access to a gamer’s account can be very valuable and lucrative for the bad guys. They can use the old ploy of extorting money from you to get your account ‘back’. Or they can simply sell on your account to someone else. There have been instances of the bad guys raiding and accumulating valuable online game paraphernalia, e.g. swords, shields and weaponry that have a ‘value’, and then ‘cashing this out’ into real money.
In advance of the ‘Dreamhack’ event in Sweden later this month, my colleagues in Sweden have created an interesting YouTube posting; you can see it below. It walks you through some of the potential issues posed by computer games, as well as giving some pointers as to how to avoid some of these threats.