
Bugs / Virus Article (1)

PC Doctor Service Center 6 Review

» December 16, 2007 04:00PM


Bugs / Virus News (139)

Be Aware of Fake Security Software

Category: Bugs / Virus
Posted: October 19, 2009 12:13PM
Author: Ben Grantham

According to a report by security software firm Symantec, software that tricks users into believing it is protecting them could potentially be installed on tens of millions of machines. Users are encouraged to download such programs with fake security alert pop-ups (something you are likely familiar with) on websites that then go on to offer software to protect against attacks, sometimes free and even sometimes for a fee. Of course, these programs are exactly the kind of thing they claim to defend against, in some cases exposing machines to be taken over for use in botnets. Symantec found a considerable variety of scam software, carrying legitimate sounding names such as Antivirus 2010. It said that around 43 million downloads were attempted in one year, but couldn't be sure how many were successful. It was also surprised to find out how sophisticated some of the tactics used in order to get users to download the software were. For example, scam software makers have been known to operate affiliate models that allow agents convincing people to download the programs to earn money.

While I'm sure most of our members will already be wise to this kind of deception, it reinforces the need to be sure where your software is coming from, and that the source is a reputable one.



Snow Leopard Bug Could Leave You with no User Data

Category: Bugs / Virus
Posted: October 12, 2009 07:25PM
Author: Ben Grantham

Operating system bugs can often have undesirable consequences. The possibility of losing all of your user data is pretty high up on the list of things you would rather didn't happen, but that is what some users have been reporting after upgrading to Snow Leopard, the latest version of Apple's Mac OS X. The problem has been cropping up when users, intentionally or accidentally, have logged into the 'guest' account. After logging out of this account and back into a normal one, they have found settings have been reset and all of the user data wiped along with it, leaving an empty directory under "Users/username". Even worse, it appears that there is no easy way to recover the lost data, with users having to resort to external backups (assuming they have them).

At the moment, disabling the guest account is a possible workaround for the problem. Anyone who had the guest account enabled when upgrading from Leopard to Snow Leopard could potentially be affected. Apple has now confirmed it knows about the problem, which it says only occurs in extreme cases, and that it is working on a fix.



Exploits Increasing for Apple Computers

Category: Bugs / Virus
Posted: July 30, 2009 03:20PM
Author: Nick Harezga

Mac security researcher Dino Dai Zovi has unveiled a new Mac exploit referred to as Machiavelli at the Black Hat conference. This attack takes aim at computers that have already been infected through Safari. Once the hacker has infiltrated the system, encrypted data such as bank account information is at their fingertips. This exploit comes at the same conference that an SMS vulnerability was revealed for the iPhone. Several of the experts at Black Hat stated that once enough effort is put into Mac exploits, they could become as vulnerable as Windows computers.



Hackers Taking Advantage of Death of Michael Jackson

Category: Bugs / Virus
Posted: June 27, 2009 06:56AM
Author: Nick Harezga

Within minutes of the announcement of his death, internet users with malicious intent were trying to take advantage of people who wanted more information. The attacks originated mostly from e-mail, which some people apparently still open and download from without knowing the sender. One of the scams promised breaking news, but really just confirmed the user to be signed up for spam. Another contained an embedded video that, when launched, would run several malicious programs in the background. Another site downloaded a virus to the user's computer that would stop any program before Windows was able to launch it.



Apple Finally Fixes Java Exploit

Category: Bugs / Virus
Posted: June 15, 2009 03:53PM
Author: Nick Harezga

Apple has released a fix for the Java code that was shipped with the Mac OS X Operating System. An exploit in the code could allow someone to execute malicious code on a computer through a Java applet, allowing the hacker to steal information or turn the computer into a zombie. Apple was made aware of the issue nearly six months ago, but did nothing until now. Professionals in the computer security industry have long been trying to get Apple to be better about handling issues that arise, but they are still lackluster in that area. This isn't the first time a situation like this has arisen and experts fear it won't be the last. Programmers are releasing code to take advantage of exploits that Apple fails to patch to demonstrate the seriousness of the issues. I wonder when Apple will include this information in the Mac vs. PC commercials.



Worm Attacks United States Marshals

Category: Bugs / Virus
Posted: May 25, 2009 06:37PM
Author: Brentt Moore

Just like the Conficker worm, another worm known as Neeris targets computers that are unpatched and infects those machines. On Sunday, the United States Marshals were attacked by the Neeris worm on many of their computers. The systems that were infected had to be shut down by IT workers to prevent further spreading of the problem. As of right now, this situation is being blamed on the United States Marshals using a backlevel antivirus software, Trend Micro OfficeScan 5.0, as well as patches not being applied to the computers. The fix has been worked on since yesterday when the problem was found, though the whole attack seems rather odd since the patch for the Neeris worm has been out since October of last year.



Zeus Botnet Shutdown By Operator

Category: Bugs / Virus
Posted: May 8, 2009 12:46PM
Author: Nick Harezga

100,000 PCs infected with the Zeus family of malware were recently hit with the dreaded BSOD. The writers of the malware included a command that would allow them to corrupt the operating system of the host computer. Opinions as to why the operators of the botnet issued the command are varied. Some believe that the operators wanted more time to put their stolen information to work, while others believe that the botnet was hijacked by other cyber criminals. The damage done to the operating system doesn't appear to have affected the registry or Trojan that is used to infect the systems.



Number of 'Zombie' Computers on the Increase

Category: Bugs / Virus
Posted: May 6, 2009 03:33PM
Author: Ben Grantham

Unfortunately, 'Zombie' computers aren't nearly as cool as you might first imagine them to be. They are computers which have been hijacked by cyber-criminals, and security vendor McAfee says that it has detected twelve million cases since January of this year. According to McAfee's reports, that puts the number of infected computers up 50% since 2008, with more undetected cases likely to be out there. It was also reported that the US hosted the largest number of infected computers, with 18% of the total. China isn't too far behind, making up just over 13%. With the expansion of botnets, cyber-criminals have a lot of power to tap into, which can enable them to distribute large quantities of malicious malware.

While a number of countries have now begun the process of establishing comprehensive strategies with regard to cyber-security, a recent report from Deloitte Touche Tohmatsu (DTT) has emphasized the requirement for a globalized approach to the problem and that solutions need to be implemented with some urgency. It is notable that President Obama has publicly made the issue a priority, though it is thought that the release of a 60-day review ordered soon after he took office has been delayed by the recent H1N1 flu crisis. Greg Pellegrino, a global public sector industry leader at Deloitte, said "This issue is moving so quickly, and with so much at stake economically and in terms of safety and security for people, we don't have 100 years to figure this out."



Phishers Catch the 'Swine Flu Fever'

Category: Bugs / Virus
Posted: April 30, 2009 01:24AM
Author: Daryn Govender

Phishers never cease creating new illegal scams, and today is no different. According to reports, phishers are now using swine flu-related material as part of their email scams to lure worried folk. The emails typically contain a subject header related to the recent global swine flu outbreak with an accompanying malicious website link or PDF document. The swine flu-related spam has accounted for an estimated 4% of worldwide spam at its peak over the last few days, according to Cisco IronPort. It seems that these days phishers will try to exploit people in any and every way possible. To avoid becoming a victim, the best advice is to keep your anti-virus software up to date and to never open any suspicious-looking sites or attachments.



F-35 Data Hacked?

Category: Bugs / Virus
Posted: April 21, 2009 06:30PM
Author: David Solymosi

There are several reports floating around stating that cyber spies have broken into the Pentagon's computer system, compromising terabytes of data about the Joint Strike Fighter project. Some sources say these were Chinese spies, while another site claims no security breach has occurred at all. Why all the commotion? This project, also known as F-35 Lightning II, is one of the most expensive military projects with a $300 billion budget. If the attacks were successful, the information gained will help other countries build countermeasures against the new plane. Either way, this shows how seriously cyber warfare needs to be taken in this era of computers.



Could Your Mac Become Part of a Botnet?

Category: Bugs / Virus
Posted: April 18, 2009 07:38AM
Author: Nick Harezga

A Mac botnet is probably something you never thought you would hear about. All you ever hear about is Windows computers being infected on a large scale. However, there are reportedly 20,000 computers that have been infected with Trojans that could lead to information being stolen from these Mac users. You might say that these people are getting what they deserve, as the malware comes bundled with pirated versions of iWork '09 and Photoshop CS4. The cracked iWork launches the Trojan when the program is launched while Photoshop installs a system back door with root privileges. Regardless of how the Trojans found their way onto the Macs, it shows that Mac users need to be careful of what they do in the future.



Conficker Finally Does Something

Category: Bugs / Virus
Posted: April 9, 2009 11:31AM
Author: Rpbert Bergem

The Conficker worm has finally started to do something; however, it's still not doing much. The worm is now updating through peer-to-peer networks amongst infected computers. Trend Micro says that the infected computers have been updated with a new binary that instructs them to search for other unpatched computers that could become victims. The update also instructs Conficker to connect to common websites, such as MySpace and eBay, to make sure the machine is connected to the Internet. Also as part of the update, more sites have now been blocked on top of the already blocked security company sites. The new update is also timed to stop on May 3rd, but it is unknown whether this will happen and what the result might be.



Conficker has Activated; No Consequences Yet

Category: Bugs / Virus
Posted: April 1, 2009 08:53AM
Author: Rpbert Bergem

The newest worm, Conficker, that everyone has been worried about for the past few months has activated today as planned. The latest estimates suggest that the worm has infected between 10 and 15 million machines, creating the largest botnet ever seen. Previously, the infected computers have been contacting approximately 250 domains to check for and download updates. The activation is based on the infected machine's local time, so not all infected machines have activated yet. For those that have activated, they generate a list of 50,000 domains and poll 500 of those generated to try to connect with command-and-control servers. Although many of the infected machines have started this process, nothing of importance has happened yet. McAfee Avert Labs has noticed the worm polling, but has not seen any detrimental effects from it yet. It is possible that the developers are waiting for the hype to die down before they begin their damage. However, time is not on their side as it is relatively easy to detect and remove the worm. Many precautions are being implemented to prevent Conficker from contacting its command servers. It is unknown whether those efforts will help.

Let's hope that the worm was simply an April Fool's joke and the creators are happy simply having annoyed people and diverted time and money from companies trying to prevent it.



Unstoppable BIOS-Level Attacks

Category: Bugs / Virus
Posted: March 23, 2009 06:44PM
Author: David Solymosi

As hardware level attacks are becoming more popular, two security experts at CanSecWest unveiled a completely new BIOS-based attack. Once the system is infected, the code will survive hard disk wipes and even BIOS flashes. Note that as the attack is completely hardware-based, all operating systems could be affected. While root privileges or physical access to the computer is needed to infect it, the security researchers are now working on a BIOS rootkit to readily implement the attack.



New Conficker Worm Variant Attempts to Evade Industry Measures to Sever It

Category: Bugs / Virus
Posted: March 9, 2009 05:55PM
Author: Dale Shuck

Security researchers are seeing a new variant of the Conficker/Downadup worm that attempts to skirt around industry efforts to sever the link between the malware and its control servers. Computers currently infected with the Conficker worm are being updated with the new variant, which represents the first time that any new orders have been sent out. Researchers have been speculating what the malware authors' intent was as they built up a massive botnet of infected machines, and this move signals their intent to preserve and defend the network. Close to twenty companies have banded together to fight the spread of the Conficker worm after one company reverse engineered the algorithm the code was using to generate domain names used by the control servers. The companies were registering the domain names ahead of the worm in an attempt to prevent any contact with its owners. Prior versions were generating 250 URLs a day and the new variant has upped that to 50,000, making the job of preventing contact much more difficult. The new version also has a stronger defense against attempts to remove it, as it now turns off several security services and tools used to examine machines for infection. Microsoft has offered a $250,000 reward for information that will lead to the arrest of the worm's authors.



You May Want to Think Twice Before Opening that PDF Attachment

Category: Bugs / Virus
Posted: March 7, 2009 01:46PM
Author: Crow47

Think twice the next time you open a PDF, or it could mean disaster for your computer. An unpatched bug in Adobe's popular PDF format is becoming a growing concern. While Adobe has known of the bug since mid-January, they only admitted to having a problem two weeks ago. The bug was originally believed to center around a JavaScript exploit, but since then Danish researchers have found an exploit that does not involve JavaScript, confirming that merely disabling JavaScript does not fix the vulnerability. After reporting their results to Adobe, Adobe confirmed that only the upcoming patch, due on March 11, would fix all of the problems. Adobe also has to contend with immense criticism coming from the fact that their patching schedule is generally regarded as too slow, and as such, exploits like the one they're patching now are left alone for too long. Hopefully Adobe can get the patches through soon, as attacks against end-users are being reported.



Hackers Exploiting Zero-Day Excel Vulnerability

Category: Bugs / Virus
Posted: February 24, 2009 04:22PM
Author: Dale Shuck

Security researchers are reporting they are beginning to see attacks making use of an unpatched flaw in Microsoft Excel. The flaw affects all supported versions of Excel, including Excel 2000, 2002, 2003 and 2007 on Windows and Mac OS X Excel 2004 and 2008 versions. The attack has so far been limited to parts of Asia, although with the code now having gone public, experts fear the number of attacks is sure to increase. The attacks so far have been limited to specific targets at government offices and a few high-profile corporations, according to Symantec's security response group. The attack involves delivering a downloader Trojan to the targeted machines which, in turn, is used to download and install more malware. Microsoft has issued a security advisory and said it is working on a patch. Until then the workaround involves editing the registry to prevent Excel files from opening.



Malware Authors Exploiting Latest IE7 Vulnerability

Category: Bugs / Virus
Posted: February 17, 2009 03:43PM
Author: Dale Shuck

Microsoft issued a patch for a couple of Internet Explorer bugs last Tuesday during its monthly cycle known as Patch Tuesday. Security researchers have begun seeing exploits appear that take advantage of those vulnerabilities on machines that have not yet been patched. Although the attacks are currently small in numbers, we've seen this type of approach before, just witness the success of the Conficker/Downadup worm that has infected millions of machines by taking advantage of a bug for which Microsoft had issued a patch months before. The latest threat comes in spam messages disguised as a Word document. If a user launches the bogus document the malware infects machines that have not been patched with Microsoft's MS09-002 security update. Researchers are not sure the direction this attack will take, but speculate it will evolve into a campaign based on news about Tibet as this is the 50th anniversary of China's takeover of Tibet and the command and control servers for this exploit seem to be China-based.



Former Fannie Mae Contractor Arrested for Planting Time Bomb Script

Category: Bugs / Virus
Posted: January 29, 2009 07:06PM
Author: Dale Shuck

A former Unix contractor for the Federal National Mortgage Association (Fannie Mae) is now facing charges for embedding a malicious piece of code in an existing script that could have wreaked havoc on the mortgage firm's servers. According to federal officials, the contractor, Rajendrasinh Makwana, was terminated by Fannie Mae on October 24, although his system access rights were not removed until later that evening. Sometime between his being fired and losing access, Makwana allegedly planted a malicious script, known as a 'time bomb', set to go off on January 31. The federal affidavit claims the Unix engineer embedded code at the bottom of another legitimate script that runs daily. An attempt was made to hide the code by inserting a page's worth of blank lines before the malicious code. Five days later, another Fannie Mae engineer stumbled upon the time bomb before it could do any damage. The script could have caused millions of dollars in damage and shut down operations for at least a week. The malicious code was particularly nasty in that it would have propagated itself across approximately 4,000 servers at Fannie Mae, where it would have deleted the root password, disabled all log-ins and alerts and deleted all data by overwriting with all zeros. Finally, all 4,000 servers would have been powered down, forcing system administrators to physically access each machine to turn them back on.



More Pirated Mac Software Besieged by Malware

Category: Bugs / Virus
Posted: January 26, 2009 10:50AM
Author: Dale Shuck

When pirated versions of iWork '09 hit the torrents last week, folks soon discovered an added payload in the form of the OSX.Trojan.iServices.A Trojan. Now a new variant, cleverly named OSX.Trojan.iServices.B, is affecting more pirated Mac software. According to security firm Intego, the new Trojan is targeting versions of Adobe Photoshop CS4 and comes in the crack program users run to be able to use the pirated version of the software. The Trojan installs a backdoor, then requests an administrator password and starts the backdoor application with root privileges. It also makes contact with a pair of IP addresses, which means someone out there will know when the malware is installed and could possibly download additional software to the infected Mac.



Pirates Get More Than Bargained For

Category: Software, Bugs / Virus
Posted: January 22, 2009 07:52PM
Author: Brentt Moore

After Apple released its popular updated suite, iWork ’09, it was almost guaranteed that users would try to torrent or download the pirated version of the software instead of buying it legitimately. Unknown to many people, however, was that a Trojan was also included with the pirated version, which can affect new application installations as well as some that are already installed on the infected computer. The Trojan horse, called OSX.Trojan.iServices.A, can also start up as root, and can give its specific location to malicious users who take advantage of the infected system. It is now estimated that at least 20,000 people downloaded the pirated version of iWork ’09 that was infected, and will soon see the repercussions of their actions.



Downadup/Conficker Worm Still Going Strong

Category: Bugs / Virus
Posted: January 22, 2009 10:38AM
Author: Dale Shuck

According to security firm Panda Security, around 6% of the PCs scanned with its online scanning tool were infected with the Downadup worm. It's been just over a week since the worm appeared and researchers are differing on the number of PCs actually infected. Panda says the 6% represents only those PCs whose owners elected to have them scanned. The actual infection rate may be much greater, even as high as 30%. When researchers last week estimated the number of infected machines at 8.9 million, there was some skepticism over the large number. What security researchers do agree on, though, is that this is the biggest and fastest spreading malware in the last several years.



Trojan Spreading Through Bogus Web Sites Claiming Obama Won't Take Oath of Office

Category: Bugs / Virus
Posted: January 19, 2009 10:31AM
Author: Dale Shuck

Several security firms are reporting on a new spam campaign underway that tries to lure users to fake web sites that result in the 'Waledec' Trojan being downloaded on their machines. 'Waledec' is thought to be the follow-on to the Storm Trojan. The e-mails contain one-line messages concerning President-elect Obama and how he no longer wants to be President. The messages contain links to sites that resemble the Obama-Biden campaign site with links to real and fake news headlines. One of the headlines claims Obama is refusing to become President. Clicking on the link to read more causes the Waledec Trojan to be downloaded. Researchers are saying the similarities between Waledec and Storm are too great for it not to have been written by the same person or group. Because this particular variant is so new, many users' anti-virus software (if they have any) may not detect it.



'Downadup' Worm Infection Rate Astounding Researchers

Category: Bugs / Virus
Posted: January 16, 2009 08:38PM
Author: Dale Shuck

There's a worm going round, alternatively labeled as 'Downadup' or 'Conficker', and if you haven't kept your Windows PC fully patched, chances are you could become a victim too, if you aren't already. By early Wednesday of this week some 3.5 million PCs had been infected, with 1.1 million having been hit in the previous 24 hours. By today that number had leaped to over 8.9 million and researchers are saying that number is conservative. The worm takes advantage of a vulnerability in the Windows Server service, a bug for which Microsoft rushed out an emergency patch in October. Microsoft has added the worm to the list of malware that its Malicious Software Removal Tool deletes. The latest MSRT was released this week in its regular Patch Tuesday batch of fixes. Researchers are still unsure of the intent of the worm's authors and whether they intended to use the infected machines as part of a massive botnet. Currently the worm phones home to control servers to download additional malware but doesn't seem to be trying to steal passwords or other sensitive information.



1.1M Unpatched Windows Machines Infected by Worm in 24 Hours

Category: Bugs / Virus
Posted: January 14, 2009 04:12PM
Author: Dale Shuck

When Microsoft releases an emergency out-of-cycle patch you know the vulnerability must be serious and would think people would pay attention and install the patch. Apparently that isn't happening as a worm that takes advantage of a bug in the Windows Server service has managed to infect 1.1 million Windows machines in the past 24 hours, bringing the total number of infected machines to 3.5 million. Security researchers are calling that number conservative.  Researchers are not sure of the intent of the worm's authors and whether it will be transformed into a botnet.



Digital Photo Frame Malware

Category: Bugs / Virus
Posted: December 30, 2008 09:13AM
Author: Dale Shuck

As Yogi Berra once said, "This is like déjà vu all over again." Last Christmas several retailers sold digital photo frames unaware that they contained a nasty little surprise in the form of a Trojan horse. This year's variation on that theme comes from Samsung. Amazon.com began sending notices to customers that purchased certain models of Samsung photo frames warning them that the installation CD may contain a downloader Trojan that, once installed, downloads additional malware. The Trojan is labeled as W32.Sality.AE, W32/Sality or Troj_Agent.xoo by various security firms and only affects Windows XP machines. Amazon is advising its customers to download a new version of the Frame Manager software from Samsung's web site.



SAMSUNG Ships Trojan Horse

Category: Gadgets, Bugs / Virus
Posted: December 26, 2008 07:58PM
Author: Brentt Moore

Earlier this week, SAMSUNG announced that a Trojan horse came with many of its Windows XP driver CDs that were shipped with some digital photo frames. The electronics manufacturer recommends downloading the software directly from its site instead of using the driver on the CD that comes with the digital photo frame. The Trojan horse included in some CDs is only known to affect Windows XP, and has been in the virus community since sometime back in April of this year. Windows Vista is not affected by the virus, so those who used the driver included with the product should be safe.



Microsoft to Issue Critical IE Patch Tomorrow

Category: Bugs / Virus
Posted: December 16, 2008 06:36PM
Author: Dale Shuck

For the second month in a row, Microsoft will issue an out of cycle security patch. The fix, due out tomorrow around 1 PM Eastern time, is designed to correct a problem in Internet Explorer that has been the target of exploits for over a week now. Microsoft has confirmed that other versions of its browser contain the bug, not just IE 7 as some earlier reports had suggested. The fix is rated 'critical', Microsoft's highest severity level. Over the weekend, Microsoft reported seeing a large increase in the number of attacks, most of which were targeted toward users of IE 7. The attacks were originating from a large number of compromised web sites, including many legitimate sites.



ScanSafe Reports Spread of Koobface

Category: Internet, Bugs / Virus
Posted: December 14, 2008 07:56PM
Author: Brentt Moore

Koobface, which is a virus that has been attacking Facebook and its users, is now reported by ScanSafe to be on the networking site Bebo. The virus works by having users click on a link, which takes them to a website with a video on it. The video, however, cannot be played, so typical non-aware users download the suggested software that will supposedly make the video play for them. Once installed, the software loads hoax search engines, which can lead to identity theft. ScanSafe is also claiming that the Trojan may find its way onto other social networking sites such as MySpace or even Friendster.



Microsoft Tuesday Security Patch Biggest in Five Years

Category: Operating Systems, Software, Bugs / Virus
Posted: December 10, 2008 09:51AM
Author: Dale Shuck

Microsoft issued 28 security patches yesterday in the biggest round of fixes in five years. Of the bunch, 23 were rated a top ranking of 'critical' and three were rated as 'important'. The fixes affected a range of Microsoft's products including Windows, Internet Explorer and Office, as well as some of its development products including Visual Studio and Visual Basic. Security researchers said two of the patches, affecting the Graphics Device Interface and Internet Explorer, should be at the top of most users' lists.


