<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>K7 Blog - Antivirus Software News &#187; Security</title>
	<atom:link href="http://blog.k7computing.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.k7computing.com</link>
	<description>K7 Computing Blog</description>
	<lastBuildDate>Fri, 27 Jan 2012 11:53:52 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Perestroika in the Malware World?</title>
		<link>http://blog.k7computing.com/2011/01/perestroika-in-the-malware-world-2/</link>
		<comments>http://blog.k7computing.com/2011/01/perestroika-in-the-malware-world-2/#comments</comments>
		<pubDate>Fri, 14 Jan 2011 11:08:38 +0000</pubDate>
		<dc:creator>Lokesh Kumar</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Scams]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security news]]></category>
		<category><![CDATA[scareware]]></category>

		<guid isPermaLink="false">http://blog.k7computing.com/?p=626</guid>
		<description><![CDATA[In a consumer economy where the customer is king, we often find that product material is tailor-made for a target market. Even a good product could fail to impress if the information available on it is not effectively communicated. The Internet is no different on this aspect. For example, most consumer websites redirect a user [...]]]></description>
			<content:encoded><![CDATA[<p>In a consumer economy where the customer is king, we often find that product material is tailor-made for a target market. Even a good product could fail to impress if the information available on it is not effectively communicated. The Internet is no different on this aspect. For example, most consumer websites redirect a user to a localised version of the site, based on the visitor&#8217;s geographic location.</p>
<p>Malware authors have been quick to implement this idea in their social engineering techniques. It is now common to see spam and malicious sites use local languages to spread regional malware. Some driveby downloads, for example, deliver custom malware based on the user&#8217;s geo-location.</p>
<p>However, some malware authors do not bother to make the extra effort. At K7TCL we recently saw an example of ransomware which appears to have come from Russia. The malware holds the computer to ransom by locking the user out. Access to the computer is denied until the victim enters a serial number, which needs to be requested from the attacker for a price. Shown below is the screenshot of the ransom message:</p>
<p style="text-align: center;"><img class="aligncenter" title="Ransom_Message" src="http://www.k7computing.com/~k7tcl/ransom_message_1.jpg" alt="" width="547" height="279" /></p>
<p>The point is that though the sample was accessed from an IP address originating from India, and from a site serving English content, the malware displays the ransom message in Cyrillic text. Most non-Russians are unlikely to be able to understand the ransom message, and will not even be able to decipher the text using online tools since the machine is locked out.</p>
<p>How does one resolve this situation? One solution could be to consult a Russian friend, and have sufficient funds in your bank account. A far better solution would be to use up-to-date Anti-Virus software. Detection and cleaning for this malware is available in K7 Total Security as <a href="http://viruslab.k7computing.com/index.php?option=com_k7virus&amp;view=showvirus&amp;Itemid=38&amp;id=902">Riskware ( 0015e4f01)</a>.</p>
<p>Lokesh Kumar<br />
Collection Manager, K7TCL</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.k7computing.com/2011/01/perestroika-in-the-malware-world-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>A Perl of Wisdom</title>
		<link>http://blog.k7computing.com/2011/01/a_perl_of_wisdom/</link>
		<comments>http://blog.k7computing.com/2011/01/a_perl_of_wisdom/#comments</comments>
		<pubDate>Fri, 07 Jan 2011 11:21:12 +0000</pubDate>
		<dc:creator>Lokesh Kumar</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[spyware]]></category>

		<guid isPermaLink="false">http://blog.k7computing.com/?p=600</guid>
		<description><![CDATA[It is no secret that over the last few years complicated malware have been on the rise. Authors of such malware make a great effort to ensure that their code and its associated payload remain hidden on the infected machine. Stuxnet, for example, was the first malware to include a Programmable Logic Controller rootkit, and [...]]]></description>
			<content:encoded><![CDATA[<p>It is no secret that over the last few years complicated malware have been on the rise. Authors of such malware make a great effort to ensure that their code and its associated payload remain hidden on the infected machine. Stuxnet, for example, was the first malware to include a Programmable Logic Controller rootkit, and had the capability to hide its changes via reprogramming the PLC. Complex malware have become so common that we forget it is still possible to write really simple malware which are capable of exacting as much damage as a complicated one.</p>
<p>Last week we at the K7 Threat Control Lab (K7TCL) spotted one such malware. It is a very simple Perl script converted into a Windows executable using perl2exe. When executed, the malware collects documents from the infected machines and uploads them to the author&#8217;s FTP site. Perhaps not as impressive as Stuxnet, but it does the business.</p>
<p>Decompiling the executable gives us the Perl script and the user credentials used to upload the stolen files. Just out of curiosity I decided to follow the malware trail back to the FTP site, and I was in for quite a surprise. The FTP site was not just full of stolen documents, but some came from what appeared to be world renowned financial institutions.</p>
<p>This malware is detected by K7 Security products as <a href="http://viruslab.k7computing.com/index.php?option=com_k7virus&amp;view=showvirus&amp;Itemid=38&amp;id=897&amp;lang=en" target="_blank">Trojan (001ECA471)</a>. Such malware spread using social engineering techniques, masquerading as something beneficial. Distribution channels tend to include IRC, peer-to-peer networks, newsgroup postings, email, etc. Users are advised to exercise caution while downloading files from untrusted sources.</p>
<p>Lokesh Kumar<br />
Collection Manager, K7TCL</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.k7computing.com/2011/01/a_perl_of_wisdom/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>VB Seminar 2010</title>
		<link>http://blog.k7computing.com/2010/11/vb-seminar-2010/</link>
		<comments>http://blog.k7computing.com/2010/11/vb-seminar-2010/#comments</comments>
		<pubDate>Thu, 25 Nov 2010 14:29:33 +0000</pubDate>
		<dc:creator>Andrew Lee</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[social networking]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://blog.k7computing.com/?p=589</guid>
		<description><![CDATA[I spoke at the VB 2010 Seminar in London on ways that Social Engineering can affect your business&#8217; users. During the talk, I used some links for demos (many thanks to my good friend Dave Marcus for originally showing me a few of these). For those that are interested, here are the links: Trend Tracking: [...]]]></description>
			<content:encoded><![CDATA[<p>I spoke at the VB 2010 Seminar in London on ways that Social Engineering can affect your business&#8217; users.</p>
<p>During the talk, I used some links for demos (many thanks to my good friend <a href="http://reclaimthewordhacker.com/blog/2010/08/01/my-defcon-18-social-engineering-skytalk/" target="_blank">Dave Marcus</a> for originally showing me a few of these). For those that are interested, here are the links:</p>
<ul>
<li>Trend Tracking:
<ul>
<li><a href="http://www.twitscoop.com/" target="_blank">http://www.twitscoop.com/</a></li>
<li><a href="http://twopular.com/" target="_blank">http://twopular.com/</a></li>
<li><a href="http://hashtags.org/" target="_blank">http://hashtags.org/</a></li>
</ul>
</li>
<li>Location Tracking:
<ul>
<li><a href="http://twittermap.eu/" target="_blank">http://twittermap.eu/</a></li>
</ul>
</li>
<li>URL Shortening/Expanding:
<ul>
<li><a href="http://tinyurl.com/" target="_blank">http://tinyurl.com/</a></li>
<li><a href="http://bit.ly" target="_blank">http://bit.ly</a></li>
<li><a href="http://kiserai.net/turl.pl" target="_blank">http://kiserai.net/turl.pl</a> </li>
</ul>
</li>
<li>Facebook Search:
<ul>
<li><a href="http://youropenbook.org/" target="_blank">http://youropenbook.org/</a></li>
</ul>
</li>
<li>Https Everywhere Plugin:
<ul>
<li><a href="https://www.eff.org/https-everywhere" target="_blank">https://www.eff.org/https-everywhere</a></li>
</ul>
</li>
<li>Secure Browsing:
<ul>
<li><a href="http://www.k7computing.com/secureweb" target="_blank">http://www.k7computing.com/secureweb</a></li>
</ul>
</li>
</ul>
<p>Andrew Lee<br />CTO K7 Computing</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.k7computing.com/2010/11/vb-seminar-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pump-and-dump scamster pleads guilty</title>
		<link>http://blog.k7computing.com/2010/10/pump-and-dump-scamster-pleads-guilty/</link>
		<comments>http://blog.k7computing.com/2010/10/pump-and-dump-scamster-pleads-guilty/#comments</comments>
		<pubDate>Thu, 21 Oct 2010 08:37:56 +0000</pubDate>
		<dc:creator>Andrew Lee</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[pump-and-dump]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security news]]></category>
		<category><![CDATA[security research]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://blog.k7computing.com/?p=583</guid>
		<description><![CDATA[An Arizona man, James Bragg, recently pleaded guilty to conspiracy to commit securities fraud, and now faces a large fine and possible prison term for the pump-and-dump scams he perpetrated using botnets and spam. Pump-and-dump scams involve hyping the value of a cheap/worthless stock by advertising it heavily over the internet using spam. Typically, the [...]]]></description>
			<content:encoded><![CDATA[<p>An Arizona man, James Bragg, recently pleaded guilty to conspiracy to commit securities fraud, and now faces a large fine and possible prison term for the pump-and-dump scams he perpetrated using botnets and spam.</p>
<p>Pump-and-dump scams involve hyping the value of a cheap/worthless stock by advertising it heavily over the internet using spam. Typically, the stock is bought by the attacker who then sends out the mails to hype the stock, which creates buying interest, and then the attacker sells all their stock, cashing in on the falsely inflated value.</p>
<p>In this case, the defendant had allegedly hired people to use botnets to distribute his messages. The botnets were also used to compromise private accounts so that these could be used to buy up large amounts of the stocks in question. He also faces charges from sending spam.</p>
<p>Full story is here <a href="http://www.theregister.co.uk/2010/10/21/pump_and_dump_botnet/" target="_blank">http://www.theregister.co.uk/2010/10/21/pump_and_dump_botnet/</a></p>
<p>Andrew Lee<br />CTO, K7 Computing</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.k7computing.com/2010/10/pump-and-dump-scamster-pleads-guilty/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why a malcode conference is a bad idea</title>
		<link>http://blog.k7computing.com/2010/08/why-a-malcode-conference-is-a-bad-idea/</link>
		<comments>http://blog.k7computing.com/2010/08/why-a-malcode-conference-is-a-bad-idea/#comments</comments>
		<pubDate>Tue, 31 Aug 2010 07:51:13 +0000</pubDate>
		<dc:creator>Andrew Lee</dc:creator>
				<category><![CDATA[Security news]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[misconceptions]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.k7computing.com/?p=562</guid>
		<description><![CDATA[There seems to be an idea, fostered almost entirely by non malware experts, that writing malicious software is a necessary part of defending against it. This is a nonsense, long debunked by serious researchers, and yet it not only continues to rear its ugly head, but, as InfoWorld reports (http://mobile.infoworld.com/device/article.php?CALL_URL=www.infoworld.com/t/malware/network-security-no-good-can-come-malware-convention-609), has now spawned a conference. [...]]]></description>
			<content:encoded><![CDATA[<p>There seems to be an idea, fostered almost entirely by non malware experts, that writing malicious software is a necessary part of defending against it. This is a nonsense, long debunked by serious researchers, and yet it not only continues to rear its ugly head, but, as InfoWorld reports (<a href="http://mobile.infoworld.com/device/article.php?CALL_URL=www.infoworld.com/t/malware/network-security-no-good-can-come-malware-convention-609">http://mobile.infoworld.com/device/article.php?CALL_URL=www.infoworld.com/t/malware/network-security-no-good-can-come-malware-convention-609</a>), has now spawned a conference.</p>
<p>The MalCode conference, to be held in Pune, India (maybe because India seems to have no legislation against such software?) is supposedly there to provide a platform for security researchers to meet malware writers and learn from them.</p>
<p>This, apart from being wildly optimistic that any actual learning will take place (unless it is potential malcoders learning to write more malcode), is a breathtakingly ignorant statement.</p>
<p>Let&#8217;s just think about this for a second &#8211; malware is very often extremely buggy, often failing to run, it might only run on a single platform, and if using an exploit to spread, relies fully on those platforms that expose the vulnerability.<br />Most malware uses pretty much similar techniques to spread and run, and in reality the most &#8216;difficult&#8217; part of analysis is in getting through the packing techniques that are used &#8211; and much of that can be automated.</p>
<p>Antivirus software (or Anti-malware software to be more complete) on the other hand, is some of the most complex you can imagine.</p>
<ul>
<li>It must work on a range of platforms, at a very low level where it must avoid interfering with or crashing other processes.</li>
<li>It must intercept every single file system call, and be able to search through the memory and network traffic of a machine.</li>
<li>It must be able to examine every piece of code that gets loaded, and in less time than it takes you to blink your eye, it must decide whether that code is (or is a possibly altered version of) one of millions of pieces of malware.</li>
</ul>
<p>Not only that, it must do all of this without affecting the performance of the system, without causing interference to the user, and it must do it in such a way that if the code is legitimate (think of how many billions of pieces of code there are in the world) that code must be allowed to run, and if not, must be prevented from running.</p>
<p>Further, it is the only type of commercial software in the world that is updated so frequently; sometimes as often as every 5 minutes. These updates must not disrupt the system (though inevitably, they sometimes do, which is part of the reason we have technical support departments), must be as accurate as the rest of the software, and must work well with the rest of the system.</p>
<p>Far from being a group of people desperate to know how malware writers work, anti-malware researchers number some of the world&#8217;s most skilled reverse engineers, cryptographers, software analysts, software designers and programmers.</p>
<p>Not only that, but anyone who thinks that the several hundreds of thousands of new malware samples we see every day (often many of these are just auto-generated, slightly altered versions of the same things) are not enough of a &#8216;research platform&#8217; for any self-respecting Anti-malware company, is truly delusional.</p>
<p>We have enough malware, we know how to detect it just fine, and the last thing we want is more being written, and certainly the last thing we need to waste time on is going to a conference with people who are part of the problem rather than part of the solution. Security researchers are not necessarily Anti-malware experts, and vice-versa, it&#8217;s good to remember that.</p>
<p>Our industry, in the last 25 years or so, has developed some of the most complex software on the planet, and has done so within a strict code of conduct &#8211; NO legitimate anti-virus researcher has ever needed to write a virus. Indeed, to openly do so would be grounds for dismissal and would make such a person unemployable within the wider industry. On the few occasions where malware writers have been inadvertently employed, as soon as the employer has found out about the malware writing, the employee has been dismissed.</p>
<p>Quite simply put, it is never necessary to write malicious software to be able to defend against it. Indeed, any developer working for K7 Computing who wrote such terribly poor code as exists in much malware wouldn&#8217;t last long at the company anyway. We employ, and need, highly skilled, hard working and dedicated developers, not sloppy kids with nothing better to do than write malware.</p>
<p>These are just a few reasons why this conference is such a bad idea, but there is one reason it is a good idea; maybe it&#8217;s a great opportunity for law enforcement to go and round up the malware writers stupid enough to turn up, and put them out of our harm&#8217;s way.</p>
<p>Andrew Lee<br />CTO K7 Computing</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.k7computing.com/2010/08/why-a-malcode-conference-is-a-bad-idea/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>San Francisco network administrator faces five years in jail</title>
		<link>http://blog.k7computing.com/2010/04/san-francisco-network-administator-faces-five-years-in-jail/</link>
		<comments>http://blog.k7computing.com/2010/04/san-francisco-network-administator-faces-five-years-in-jail/#comments</comments>
		<pubDate>Fri, 30 Apr 2010 16:30:54 +0000</pubDate>
		<dc:creator>administrator</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[terry childs]]></category>

		<guid isPermaLink="false">http://blog.k7computing.com/?p=544</guid>
		<description><![CDATA[A former San Francisco network administrator faces up to five years in jail after being found guilty of tampering with the city government&#8217;s computer network. Terry Childs will be sentenced on June 14 after being found guilty of denial-of-service charges after a series of computer security violations in 2008. Childs, reportedly in dispute with city [...]]]></description>
			<content:encoded><![CDATA[<p>A former San Francisco network administrator faces up to five years in jail after being found guilty of tampering with the city government&#8217;s computer network.<span id="more-544"></span></p>
<p>Terry Childs will be sentenced on June 14 after being found guilty of denial-of-service charges after a series of computer security violations in 2008.</p>
<p>Childs, reportedly in dispute with city officials, breached internal security procedures to lock city officials out of their own networks and refused to disclose passwords.</p>
<p>Before the incident, Childs had spent much of his time building and managing the city&#8217;s FiberWAN infrastructure. Childs responded to the dispute by locking down the network, preventing management from accessing the network.</p>
<p>The resulting dispute saw Childs arrested and San Francisco left without access to around 60% of the city&#8217;s stored data. Childs argued that he was protecting the system from possible damage at the hands of fellow administrators unfamiliar with the FiberWAN deployment.</p>
<p>More than a week after the crisis began, San Francisco mayor Gavin Newsom was able to defuse the situation by visiting Childs in jail and retrieving the needed passwords to regain access.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.k7computing.com/2010/04/san-francisco-network-administator-faces-five-years-in-jail/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Smartphone users warned to protect data from fraudsters</title>
		<link>http://blog.k7computing.com/2010/03/smartphone-users-warned-to-protect-data-from-fraudsters/</link>
		<comments>http://blog.k7computing.com/2010/03/smartphone-users-warned-to-protect-data-from-fraudsters/#comments</comments>
		<pubDate>Wed, 31 Mar 2010 10:05:02 +0000</pubDate>
		<dc:creator>administrator</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[mobile phones]]></category>
		<category><![CDATA[pin]]></category>
		<category><![CDATA[smartphones]]></category>

		<guid isPermaLink="false">http://blog.k7computing.com/?p=524</guid>
		<description><![CDATA[Smartphone users are being warned to safeguard their data after a UK government survey revealed that 67% were not taking precautions to protect information held on their handset. The ‘GetSafeOnline’ group has warned users of smartphones, such as iPhones, Blackberrys and Androids that they are effectively carrying a “mini laptop” in their pockets which could [...]]]></description>
			<content:encoded><![CDATA[<p>Smartphone users are being warned to safeguard their data after a UK government survey revealed that 67% were not taking precautions to protect information held on their handset.<span id="more-524"></span></p>
<p>The ‘GetSafeOnline’ group has warned users of smartphones, such as iPhones, Blackberrys and Androids that they are effectively carrying a “mini laptop” in their pockets which could hold a wealth of data useful to a would-be fraudster.</p>
<p>The group found that two thirds of smartphone users do not have any form of security protection on their handset and that one in four synchronise their handset with their PC.</p>
<p>That can give would-be fraudsters a wealth of consistent information should a handset become lost or stolen, the group has warned, prompting them to issue a call to all smartphone users to keep their handsets secure.</p>
<p>“Users must remember that they are essentially carrying around a tiny laptop with a wealth of personal information that is very attractive to fraudsters,” explained Tony Neate, managing director of GetSafeOnline.org.</p>
<p>“The frequency with which many of us upgrade or replace our phones means that we often don’t value or look after them in the same way as we would a laptop,&#8221; he added.</p>
<p>According to GetSafeOnline.org, criminals can easily uncover where you bank and shop with a quick look at your browsing history and favourites, with cookies used to remember login details also providing clues that allow a fraudster to access email and social networking accounts.</p>
<p>They also warned that users who sync smartphones with their PCs but don&#8217;t protect their phones, using methods such as PIN protection or access keys, are allowing fraudsters to access all the information stored on the PC as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.k7computing.com/2010/03/smartphone-users-warned-to-protect-data-from-fraudsters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Accused Palin email hacker blames malware on PC</title>
		<link>http://blog.k7computing.com/2009/12/accused-palin-email-hacker-blames-malware-on-pc/</link>
		<comments>http://blog.k7computing.com/2009/12/accused-palin-email-hacker-blames-malware-on-pc/#comments</comments>
		<pubDate>Thu, 10 Dec 2009 15:49:21 +0000</pubDate>
		<dc:creator>administrator</dc:creator>
				<category><![CDATA[Security news]]></category>
		<category><![CDATA[david kernell]]></category>
		<category><![CDATA[Email]]></category>
		<category><![CDATA[sarah palin]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[yahoo]]></category>

		<guid isPermaLink="false">http://blog.k7computing.com/?p=368</guid>
		<description><![CDATA[Lawyers defending the hacker accused of breaking into Sarah Palin&#8217;s Yahoo email account claim that his PC had been infected with spyware. David Kernell, who is accused of hacking into the former Alaskan governor&#8217;s email account during the Republican presidential campaign of 2008 and will go on trial in April next year, is expected to [...]]]></description>
			<content:encoded><![CDATA[<p>Lawyers defending the hacker accused <a href="../../../../../2008/09/intruders-break-into-republican-candidates-email/">of breaking into Sarah Palin&#8217;s Yahoo email account</a> claim that his PC had been infected with spyware.<span id="more-368"></span></p>
<p>David Kernell, who is accused of hacking into the former Alaskan governor&#8217;s email account during the Republican presidential campaign of 2008 and will go on trial in April next year, is expected to claim that a malicious programme that had infected his laptop computer was responsible for the breach.</p>
<p>Lawyers of the 21-year-old student, who is the son of a Tennessee Democrat politician, will argue that he was not personally responsible for the attack on Mrs Palin&#8217;s personal email account, even though authorities traced the hack to an IP address used by Kernell.</p>
<p>Screenshots of the emails, including message content, were posted to Wikileaks and to the imageboard 4chan during the presidential campaign which Republican candidate John McCain, supported by Palin, lost to Barack Obama.</p>
<p>It was believed that hackers were able to break into the account by guessing Palin&#8217;s Yahoo password, a word that was thought to be easily associated with the 45-year-old based on information that was released into the public domain both before and during the election campaign.</p>
<p>This case would not be the first time that a successful defence citing a Trojan or other form of <a href="../../../../../tag/malware/">malware</a> has been used. In perhaps the most high-profile case, jurors in the UK acquitted 19-year-old Aaron Caffrey of hacking into and crashing computer systems at the port of Houston in Texas, believing his defence that hackers had broken into his computer and used it to launch the attack.</p>
<p>The defence has also been used in numerous cases surrounding the downloading and storing of obscene and unlawful materials, with computer forensics often demonstrating that the material was found on a PC due to malicious software that had infected the user&#8217;s PC rather than any deliberate user activity.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.k7computing.com/2009/12/accused-palin-email-hacker-blames-malware-on-pc/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stay safe using WiFi networks</title>
		<link>http://blog.k7computing.com/2009/10/stay-safe-using-wifi-networks/</link>
		<comments>http://blog.k7computing.com/2009/10/stay-safe-using-wifi-networks/#comments</comments>
		<pubDate>Tue, 20 Oct 2009 10:55:22 +0000</pubDate>
		<dc:creator>administrator</dc:creator>
				<category><![CDATA[Security news]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[wep]]></category>
		<category><![CDATA[wifi]]></category>
		<category><![CDATA[wpa]]></category>

		<guid isPermaLink="false">http://blog.k7computing.com/?p=329</guid>
		<description><![CDATA[Wherever we go, it seems that our ability to access public wireless, or WiFi, networks is increasing by the day. With just a laptop or even a WiFi enabled mobile phone, PDA or even MP3 player, we can now access the internet through public networks at a huge host of locations in any major city. [...]]]></description>
			<content:encoded><![CDATA[<p>Wherever we go, it seems that our ability to access public wireless, or WiFi, networks is increasing by the day.<span id="more-329"></span></p>
<p>With just a laptop or even a WiFi enabled mobile phone, PDA or even MP3 player, we can now access the internet through public networks at a huge host of locations in any major city. Anywhere from fast food restaurants, coffee shops and bars through to trains, airplanes and even some taxi cabs, accessing the internet on the move has never been easier.</p>
<p>But does tapping into public networks pose a computer security risk? Is it safe to access a network connection that is in all likelihood being accessed by hundreds, if not thousands of people simultaneously?</p>
<p>Last week visitors to the SecTor 2009 Security Conference in Toronto, Canada experienced how secure WiFi networks were for themselves as conference organisers secretly bugged the WPA-secured wireless connection at the conference venue.</p>
<p>Organisers then demonstrated to visitors how they had managed to harvest hundreds of passwords, login credentials and a huge array of data on information that passed through the network, with delegates completely unaware that the data was being recorded.</p>
<p>&#8220;In 2009, we still have so many applications leaking credentials onto the wire, and we have people still deploying and using insecure protocols,&#8221; said conference organiser Brian Bourne. &#8220;Our intention with the Wall of Shame was to highlight that.&#8221;</p>
<p>This was obviously a contrived example and the reality is that your typical coffee shop is unlikely to be full of online criminals attempting to intercept your email passwords, but there are steps that you can take to minimise the risk of your WiFi connection, be it at home or on the move, being the target of hackers.</p>
<p>1.       <strong>Only use secure networks</strong><br />
Only use a network that has been secured using some form of encryption. The most common forms of wireless encryption are WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access). Networks in public places will have their own form of user authentication system whilst others will be behind what is known as a &#8220;paywall&#8221; &#8211; where the user is charged for using the network.</p>
<p>2.       <strong> Use a firewall</strong><br />
Make sure that you install a firewall on your PC to monitor traffic coming into, and going out of, your PC and network. Most forms of <a href="http://www.k7computing.com/index.php/totalsecurity/k7-totalsecurity.html">antivirus software</a> will include some form of firewall.</p>
<p>3.       <strong>Be aware of who is around you</strong><br />
If you are in a public place, be aware of who is physically around you. The threat might not come from who is on the network but instead, from who may be looking over your shoulder.</p>
<p>4.       <strong>Be selective over the data that you transmit wirelessly.</strong><br />
If for any reason there is data that you would be particularly nervous about transmitting wirelessly, don&#8217;t. Simply wait until you have the opportunity to physically plug your PC into a secure connection.</p>
<p>5.       <strong>Don&#8217;t broadcast your SSID.</strong><br />
This isn&#8217;t a way to completely secure your network by any means, but it can reduce your exposure to automated attacks. The SSID is effectively the identity of your home wireless network, and is broadcast to any PC within range.<br />
Automated attacks, such as those using a &#8216;botnet&#8217;, look for a number of tell-tale signs that there is a wireless network in the vicinity; one of those is a broadcast SSID. By hiding the SSID, you can cut down on the amount of traffic your network gets from people trying to exploit vulnerabilities on random networks.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.k7computing.com/2009/10/stay-safe-using-wifi-networks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bloggers advised to upgrade after WordPress security threat</title>
		<link>http://blog.k7computing.com/2009/09/bloggers-advised-to-upgrade-after-wordpress-security-threat/</link>
		<comments>http://blog.k7computing.com/2009/09/bloggers-advised-to-upgrade-after-wordpress-security-threat/#comments</comments>
		<pubDate>Tue, 08 Sep 2009 15:22:19 +0000</pubDate>
		<dc:creator>administrator</dc:creator>
				<category><![CDATA[Security news]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[wordpress]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://blog.k7computing.com/?p=300</guid>
		<description><![CDATA[Bloggers and site owners using the WordPress content management system are being advised to upgrade to the latest version of the software after a worm was found to be affecting downloaded versions of the system. According to a statement from WordPress, a worm is currently exploiting a security hole in the software in an attempt [...]]]></description>
			<content:encoded><![CDATA[<p>Bloggers and site owners using the <a href="http://www.wordpress.org/">WordPress</a> content management system are being advised to upgrade to the latest version of the software after a worm was found to be affecting downloaded versions of the system.<span id="more-300"></span></p>
<p>According to a statement from WordPress, a worm is currently exploiting a security hole in the software in an attempt to distribute <a href="../../../../../2009/01/what-is-spam/">spam</a> and links to numerous forms of malware, including fake <a href="http://www.k7computing.com/index.php/totalsecurity/k7-totalsecurity.html">antivirus software</a>.</p>
<p>A statement posted by WordPress on the <a href="http://wordpress.org/development/2009/09/keep-wordpress-secure/">company blog</a> read: &#8220;This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.</p>
<p>&#8220;The tactics are new, but the strategy is not. Where this particular worm messes up is in the &#8220;clean up&#8221; phase: it doesn&#8217;t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage.&#8221;</p>
<p>Users who are using downloaded versions of the open source CMS to run their self-hosted site or blog have been advised to upgrade to WordPress 2.8.4, a version which includes a patch that closes this security flaw. Bloggers who are using the online version of WordPress at <a href="http://www.wordpress.com/">www.wordpress.com</a> are unaffected by the threat, although experts would advise users to back up their posts if possible.</p>
<p>WordPress has also taken the opportunity to remind users that an upgrade could save considerable time in having to repair a blog in the event of a security breach, writing &#8220;A stitch in time saves nine. I couldn&#8217;t sew my way out of a bag, but it&#8217;s true advice for bloggers as well &#8211; a little bit of work on an upgrade now saves a lot of work fixing something later.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.k7computing.com/2009/09/bloggers-advised-to-upgrade-after-wordpress-security-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

