Facebook Fake AV Malware Again

On the topic of social media and Facebook in particular, a very complex and effective fake Anti-Virus campaign is targeting Facebook users.  Like most of the cruft that targets Facebook users, it starts with contact by a Facebook friend using the social network’s chat feature.  “Hi. How are you? It is you on the video? Want to see?” asks the “friend”, offering a link to a YouTube page.  Intrigued, the target follows the link and sees that the video, with the target’s name in the title, has apparently been commented on both positively and negatively by a bunch of their Facebook friends.

Of course, the target cannot view the video because they appear to be “missing an Adobe Flash Player update”, according to a message written over the blank space where the video is supposed to be displayed.  The file offered for download is Trojan.FakeAV.LVT.  This little miscreant copies itself as %windir%\services32.exe and as %windir%\update.X\svchost.exe, where update is a hidden directory and X is the version of the malware.  It then adds a registry key in %SYSTEM%, and the malicious code is either added to the list of authorized applications for the software firewall, or it disables the firewall altogether.  Finally it disables all notifications generated by the firewall, the update module, and whatever antivirus it finds installed on the PC, according to BitDefender.

This malware makes the effort to detect which legitimate AV solution the user has installed, and displays customized warning messages that mimic what the legitimate solution would present.  So clever, and so deviant.  Someone deserves a beating.  Of course it “scans and finds” a virus on the system, and asks the user to reboot so that it can clean up the mess.  Unfortunately, the reboot triggers the system to boot into safe mode, allowing the malware to uninstall the legitimate AV solution, and then the system is rebooted into normal mode.  The system is now completely vulnerable, and a downloader component launches to quietly download additional malware from an array of URLs.

The malware agent contains a list of IPs of other infected systems which will be used for exchanging malware, creating a fully-fledged malware distribution system with peer-to-peer update capabilities.  These IP lists are updated regularly so infected systems are always in contact, and constantly exchanging malicious code.
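As an added host triage check (not from the original post or from BitDefender’s write-up), the following PowerShell looks for the file and firewall artifacts described above.  It assumes an elevated session on Windows 8 / Server 2012 or later, where the NetSecurity cmdlets are available.

```powershell
# Added triage check for the Trojan.FakeAV.LVT persistence artifacts described
# above: %windir%\services32.exe and a hidden update.<X>\svchost.exe copy.
# Assumption: elevated session on Windows 8 / Server 2012+ (NetSecurity module).
$findings = @()

# 1. A copy of the dropper parked directly under %windir%
$svc32 = Join-Path $env:windir 'services32.exe'
if (Test-Path $svc32) {
    $findings += "Suspicious file: $svc32"
}

# 2. Hidden update.<X> directories holding a stray svchost.exe.
#    The genuine svchost.exe lives in %windir%\System32, so a copy here is suspect.
Get-ChildItem -Path $env:windir -Directory -Force -Filter 'update.*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
    ForEach-Object {
        $fake = Join-Path $_.FullName 'svchost.exe'
        if (Test-Path $fake) {
            $hash = (Get-FileHash -Path $fake -Algorithm SHA256).Hash
            $findings += "Suspicious file: $fake (SHA256 $hash)"
        }
    }

# 3. Firewall profiles the malware may have switched off outright
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings += "Firewall profile disabled: $($_.Name)"
}

# 4. Firewall rules that whitelist either dropper location (the "authorized application" variant)
Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Program -match 'services32\.exe$' -or $_.Program -match 'update\.[^\\]+\\svchost\.exe$' } |
    ForEach-Object {
        $rule = $_ | Get-NetFirewallRule
        $findings += "Firewall rule '$($rule.DisplayName)' allows $($_.Program)"
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Trojan.FakeAV.LVT indicators found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A clean result from this script is not proof of a clean host, since the downloader component fetches additional payloads; it only confirms the specific loadpoints the post names are absent.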

Once a system is compromised by such a vicious malware agent, it should never be fully trusted again.  If you are the unlucky recipient of this insidious and devastating attack, my recommendation to you is to backup ONLY your most important data to SACRIFICIAL MEDIA, and to nuke the system to bare metal.  Because your AV was compromised and the malware causes reboots and loadpoints to be activated, there is no telling what the additional payloads may have done.  Assume the worst: rootkits, password captures, and keystroke logging.  Reformat your hard drives, including the Master Boot Records (MBR), and do the same for any removable media that you have used on that system.  Media that can’t be sanitized should simply be destroyed.  Otherwise you are taking chances that malware will still exist on your computer, and be able to load before your Operating System and any defensive software that you install.  That means you might as well not install it at all.

Now you know why I’m not real fond of malware or its authors.  Stay thirsty my friends…

-=[BUSTED]=- Two Scareware Rings Taken Down

InformationWeek reports that the FBI has disrupted two scareware (fake anti-virus) crime rings, as part of “Operation Trident Tribunal.”  The FBI obtained warrants to seize 22 PCs and servers located across the United States that were used to support the scammers’ operations.  They also worked with law enforcement agencies in France, Germany, Latvia, Lithuania, Netherlands, Sweden, and the United Kingdom to seize an additional 25 PCs and servers.  It would appear the seizure of several servers hosted by DigitalOne in data center space it leased in Reston, Va. may have impacted some unrelated sites.

The first group bagged at least $72 million over a three-year period by tricking one million people into buying the scareware for up to $129 per copy.  The second criminal operation resulted in the arrest of 2 people in Latvia, each charged with two counts of wire fraud, one count of conspiracy to commit wire fraud, and computer fraud.  The pair were apparently running a “malvertising” scam by creating a phony advertising agency and purchasing advertising space on the Minneapolis Star Tribune website.  Newspaper staff vetted the digital advertisement before posting it to the site.

The defendants altered the advertisement code to infect website visitors with malware that launched scareware applications on their PCs.  The scareware froze PCs until the user paid to purchase fake AV software.  Those that didn’t pay found that all information, data, and files stored on the computer became inaccessible.  As part of this scam, the two Latvians allegedly netted $2 million.

These scams may sound lucrative, but it is good to hear that arrests are being made.  Watch for an increase in arrests as the FBI and other Law Enforcement Organizations get a handle on the scope and scale of this type of activity and trace it back to the nest.

Recent Attacks Due To Common Vulnerabilities

The most recent and brazen security breaches and attacks at the CIA, US Senate, IMF and elsewhere have shown me one thing.  There has been a substantial amount of complacency in the Information Technology and Security fields.  There have been many reasons for skating by; budgets are tight, economy’s bad, no time, no resources, no training…  Businesses large and small have opted to do the bare minimum required by law or industry, expecting that to be enough to keep them out of the press.  I have said it before, and I will say it again, although saying it before has cost me at least one job.

Regulatory Compliance DOES NOT equal Security!!

If you are in the business of securing data that your customers have entrusted you with, and are of the mind that you only need to do what is mandated by Visa, Mastercard, PCI, Policy, or some other established standard on a subset of systems that are directly involved with the sensitive data, you are mistaken, and can expect to spend some time in the media shortly.  In an age where attackers are getting organized, popping up like mushrooms, where the greater challenge no longer appears to be breaking in or getting away with it, but finding enough space to post your 300,000 customer records as evidence of your success, you need to have a solid and enterprise encompassing STRATEGY.

Online attacks have taken on a targeted tone, whether to make quick money, prove a political point, or infiltrate high value and supposedly highly secure systems.  We have been arrogant and comfortable for far, far too long, thinking things were unbreakable, that our monitoring would be enough of a deterrent.  The systems and internetworks are just too complex, too many moving parts, too many variables, too many weak links in the chain.  We have all been lucky, swimming in the shark tank, and now it’s a feeding frenzy in the criminal underground.

A big part of the problem is that employees simply have too much access.  The best thing we can do to secure the enterprise is the same old stuff we’ve been talking about for years.  So what are you doing about these recent attacks?

Beware “MS-Update” Fake AV

Sophos is reporting that Fake AV distributors are ramping up efforts to deploy their malicious wares by closely imitating the Microsoft Update site in a bid to take advantage of the monthly patch cycle.  Be very wary of any alerts that pop up in your web browser.  You should only trust security alerts in your browser if you initiated a check with Microsoft, Adobe, Sophos or any other vendor for updates to their software.

In this particular attack, victims are being told to install the fake updates urgently, with attackers claiming that “This installation is essential for the normal work of your system. Critical update is needed.”  Here is a message enticing users to download the Fake AV and infect their machine, errors and all:

“After the download, this tool is run only once checking your whole system for infection. It removes any infection found, any specific, prevalent malicious programs such as Blaster, Sasser and Mydoom. When an infection is found this tool displays a status report with the next computer start. This tool is necessary for you computer to make your system being protected from hi-jacking and its download is crucial if you value your personal data and your privacy.”

Victims tricked into downloading this Fake AV will end up infecting their computers with a potential array of malicious programs.

Sophos 2011 Security Threat Report

Sophos’ threat experts see 30,000 new malicious URLs each day.

70% of these sites are legitimate websites that have been compromised.

Their 2011 Security Threat Report has been released detailing the battle against malware.

It describes the significant threats of 2010, what to watch for in 2011, and more importantly, what you need to do to get ahead of the threats.

  • One of the more persistent threats of the year was fake anti-virus, also commonly known as “scareware” or “rogueware.”  In this widespread practice, software is introduced into a victim’s computer system through an interface closely resembling—and in some cases directly impersonating—genuine security solutions.  Criminals are using this ploy to drain bank accounts and completely take over identities.
  • The search engine is our gateway to the web, and crooks are skilled at manipulating search results from the popular engines such as Google, Bing and Yahoo! to lure victims to their malicious pages.  These pages host security risks and browser exploits just waiting to infect users who are directed to these sites.  There’s also the abuse of legitimate search engine optimization (SEO) techniques.  Legitimate SEO techniques are regularly used as marketing tools, but when SEO is abused by the bad guys, and supplemented by more devious methods, it’s known as “SEO poisoning”.  With SEO poisoning, search engine results are poisoned to drive user traffic to the rogue site.  Google reported that up to 1.3% of their search results are infected.  You’re directed to a bad page through a poisoned search.  Once a victim is lured to the desired webpage, they’re redirected to a rogue or compromised site.  On these sites, criminals infect users’ machines with malware or push fake goods and services while attempting to steal personal information.
  • Facebook recorded half a billion active users, making it not only the largest social networking site, but also one of the most popular destinations on the web.  Young people are less likely to use email, and more apt to communicate through Facebook, Twitter or other social sites.  Unsurprisingly, scammers and malware purveyors targeted this massive and committed user base with a diverse and steadily growing range of attacks throughout 2010.  One of the more common types of attack hitting Facebook users is “clickjacking.”  These attacks use maliciously created pages where the true function of a button is concealed beneath an opaque layer showing something entirely different.  Often sharing or “liking” the content in question sends the attack out to contacts through newsfeeds and status updates, propagating the scam.

Other areas that are assessed and reported on are passwords, and spam.  It’s a good report, well worth the read.

Beware Malware, Everywhere!

Let this article at ComputerWorld’s Security Manager’s Journal serve as a warning to us all.  Even those who are employed in the Information Security profession are subjected to, and sometimes prone to, malware infections.  Just because you know a little something about a subject doesn’t mean that you are immune to the cleverness of others.  Most, but not all, of my malware infections have been intentional as part of my research, as a learning experience, or in order to gain a sample to study and understand.  Malware authors are no longer the pimple-faced kids, swilling Jolt in some dingy basement, looking to gain notoriety among their nerdy friends by causing a little disruption on the Internet for kicks.  Malware authors have grown up a bit, and are now motivated by greed.  They are committing fraud, and doing so in a businesslike fashion.

This will not be news to most people that have had a computer for a few years, but may surprise some.  Malware authors have entered the business of organized crime.  They sell their services to, produce customized code for, and share profits with the same groups or affiliates of the guys that are running drugs and guns.  Online is where the money is, and the risks of getting caught remain low.  For the top dogs, anyway.  Not so much for the guys on the ground who actually gather the credentials, move the money around, and are often left holding the virtual bag.  Those are the ones that most often get busted.

Everywhere that you turn online these days, you are taking a risk.  Malware can be delivered very easily from porn sites.  These sites are always looking to separate you from your cash, and are not above selling re-directs to malicious fraudsters.  Their business is seedy to begin with, so what’s a little extra coin gained anonymously?  I have trolled some of these sites (for research purposes only, of course 8) on occasion, and it is not uncommon to be redirected to some other site 2/3 of the time you click on a link or picture.  Out of the links and pictures that I merrily clicked away on, at least 2/3 of those either attempted to load some malicious code, presented a questionable pop-up, or offered some sort of nebulous download.  This of course is not the only way to get infected these days.  Malicious code distribution is taking place regularly on legitimate web sites through online ads, where the malicious “vendor” purchases ad space from a legitimate ad supplier and provides an ad that contains malicious script, or that, when clicked through, loads code from the directed site.  These ads are served up unknowingly by many, many sites as they present the rotating ads.  Other legitimate sites are probed for vulnerabilities in the code they use, the back-ends they connect to, or the add-ons that they support.  Once a vulnerability is found, code is injected into the pages that either infects or redirects the browsing user.


Bin Laden Blogger Site Hacked

According to ComputerWorld, curious Web surfers who visited the blog Reallyvirtual.com, belonging to the guy that was tweeting about the Bin Laden takedown from on the ground as it happened, may have had fake anti-virus malware quietly installed onto their computers.  The blog was quickly hacked, and the site was attempting to install the malicious “Windows Recovery” program until about 9:30 a.m. Pacific Time Monday.

Windows Recovery hides system folders on the PC and then tries to scare the victim into paying for bogus software that it claims will fix the issue.  If you visited this blog during that time period, best be running a real anti-virus scan on it, ASAP.  Follow the removal advice provided in the link above.