Last week we at the K7 Threat Control Lab (K7TCL) spotted one such malware. It is a very simple perl script converted into a windows executable using perl2exe. When executed, the malware collects documents from the infected machines and uploads them to the author’s FTP site. Perhaps not as impressive as Stuxnet, but it does the business.

Decompiling the executable gives us the perl script and the user credentials used to upload the stolen files. Just out of curiosity I decided to follow the malware trail back to the FTP site, and I was in for quite a surprise. The FTP site was not just full of stolen documents, but some came from what appeared to be world renowned financial institutions.

This malware is detected by K7 Security products as Trojan (001ECA471). Such malware spread using social engineering techniques, masquerading as something beneficial. Distribution channels tend to include IRC, peer-to-peer networks, newsgroup postings, email, etc. Users are advised to exercise caution while downloading files from untrusted sources.

Lokesh Kumar
Collection Manager, K7TCL

A survey by e-commerce security vendor RSA claimed that businesses believed that 52% of internal IT security breaches were accidental, with only 19% being deliberate actions by employees.

The results go against a common perception in the industry, with many of the belief that high profile security breaches were most commonly the result of premeditated, malicious actions.

“Unintentional risk gets overlooked, yet it’s the most serious threat to business,” said the RSA’s Chris Young.

“The sexy incident where someone gets arrested for stealing records and selling them to a third party for a lot of money is the stuff that catches the attention of the media, the regulators, executives and Congress people.

“But this is not necessarily where organisations have 100% of the risk,” said Mr Young, the RSA’s senior vice president of products.

The study conducted by the RSA and IT analysts IDC examined 11 different categories of risk ranging from malware and spyware to employees having excessive access to systems and from unintentional data loss to malicious acts for personal gain. Around 400 businesses from the US, UK, France and Germany, working across sectors including finance, telecommunications and healthcare were examined as part of the survey.

The report concluded that the difference between the most frequent type of cyber breach – unintentional data loss, at 14.4% per year, and the bottom of the list – internal fraud, at 10.6% – represented a clear signal that no single solution can address all potential internal security risks.

The report also noted that whether the threats are accidental or deliberate, the cost to a company of a cyber breach is still the same. The survey put the estimated cost of employee-related security breaches at around $800,000 per year for companies in the US, with companies in the UK, France and Germany facing an annual bill of between $180,000 and $330,000.

Sears Holding Corporation, owner of Sears, Roebuck and Co. and Kmart has agreed to delete any information that it gained after it was found to have misled users into installing software from ComScore which would then monitor their online habits.

The agreement comes as part of a settlement with the Federal Trade Commission although the company did not concede that it had broken any laws.

The FTC accused Sears Holdings of misleading customers in as part of market research campaign in which customers were encouraged to join an “online community”. Tracking software from ComScore was installed on the PCs of those who agreed to be part of the scheme.

But the FTC said Sears used the software to collect information on non-Sears sites, such as online bank statements, drug prescription records and emails as well as tracking user keystrokes, contrary to what many customers believed that they were agreeing to.

Sears did disclose that it would monitor non-Sears sites on page 10 of a 54-page user license agreement, but the FTC argued it was not enough.

“The complaint charges that Sears’ failure to adequately disclose the scope of the tracking software’s data collection was deceptive,” the FTC said in a statement.

“At all times, Sears Holdings ensured the privacy and security of the personal information of all participants who enrolled in the program,” Sears said in an email statement. “No customer data was ever compromised or disclosed.”

It is not the first time that ComScore software has been criticised, with experts such as Harvard researcher Ben Edelman claiming in 2007 that ComScore software was being distributed over the controversial DollarRevenue network, which has since been shut down. ComScore subsequently took steps to prevent DollarRevenue from distributing its software.

Developed by 121Media, Phorm is an advertising programme designed to deliver targeted advertising based on individual user browsing habits by using a process known as deep packet inspection. The software, which has attracted the interest of a number of ISP’s including BT, Virgin Media and Talk Talk, monitors a user’s online activity to deliver specifically targeted advertisement which it believes match the user’s interest.

But the program has attracted controversy from privacy campaigners and customers of the ISP’s concerned, claiming that the implementation of software represents a breach of privacy and data storage regulations. Others have pointed to previous products developed by 121Media which have previously been classified by some security companies as forms of spyware.

The implementation of the software suffered two more setbacks this week, with both Amazon and Wikipedia stating that it will block Phorm from analysing the habits of their users.

In a letter to Phorm’s creators, Wikimedia’s chief technology officer Brion Vibber said: “We consider the scanning and profiling of our visitors’ behaviour by a third party to be an infringement on their privacy.”

But a legal challenge now surrounds the program from European Commission after they claimed that the UK government failing to ensure the privacy of UK internet users.

The EC claim that by allowing the use of Phorm, the government is failing to comply with European privacy laws.

It has also emerged that BT had already run covert trials of the software, in 2006 and 2007 but despite complaints to the police, Government and Information Commissioner’s Office, no action was taken against BT.

Viviane Reding, EU telecommunications commissioner said: “The rules are quite clear. A person’s information can only be used with their prior consent. We cannot give up this basic principle and have all our exchanges monitored, surveyed and stored in exchange for a promise of ‘more relevant’ advertising.”

Researchers from the University of Bolton, UK revealed that 54% of users have, at some point, become so frustrated with their PC’s that they have shouted at the screen, slammed on keyboards or smashed mice in anger.

Psychologists at the university asked 126 British computer users how often they “lost it” with their computer equipment and to provide a written description of one such incident.

They found that the majority experienced “computer rage” three or four times a month, with more than 10% showing some sign of rage at least 10 times. Most of these cases were associated with unsatisfactory work progress and time pressure, the survey concluded.

However, experts do believe that throwing a tantrum at a computer could actually be better for people’s health, rather than “bottling up” any anger.

John Charlton, from the university said: “Although the study did not look at health factors, habitual, unrestrained expression of anger is known to be a significant cause of ill-health.

“However, moderate outbursts of anger, in the form of shouting at a computer might actually be beneficial.”

One of the primary causes of poor computer performance could be the presence of malware on a system, with spyware or adware performing functions that command large amounts of a computer’s resources.

If your computer’s pace is causing you to lose your temper, download the latest antivirus software updates to ensure that it isn’t being held up by malicious software.

Online banking fraud increased to £52.5m last year, a huge jump from £22.6m in 2007, said UK payments association Apacs.

Total fraud losses on UK debit and credit cards rose by 14% to £609m.

The increase has been blamed largely on the increased sophistication of various forms of spyware and keylogging software which captures information stored and entered into a computer, particularly when entering sensitive details such as passwords or credit card numbers.

Under UK’s Banking Code, customers are not liable for any fraudulent activity on their account unless the bank can prove a customer acted “without reasonable care”. However, a technicality in the code could see such a clause could apply to any customer who does not have antivirus software installed on a PC on which they make financial transactions.

“The industry continues to remind customers to ensure that they have their computer’s firewall switched on and anti-virus software up to date,” said an Apacs spokeswoman.

UK Credit card fraud in general has been falling in recent years following the introduction of a Chip & Pin system, which has seen a customer PIN number replacing the signature system, although those figures have also risen in the past year

As in previous years, the biggest area of card fraud was with goods bought over the internet, phone or by mail order – where chip-and-pin was not used. Fraud levels in these instances rose 13% to £328m.

The most significant rise in 2008 was when criminals took over other people’s accounts, known as card ID theft, with losses up by 39% to £47.4m.

The plot, which would have been worth around £229m if successful, involved the use of complex “keylogging” techniques installed on computer systems within the offices of the Sumitomo Mitsui Bank in London that harvested every keystroke and mouse click made on the infected PC’s. The intention was to then retrieve this data which would, in theory, have contained login details for many of the bank’s security systems.

The scam failed however and last week, Hugh Rodley, 61, of Twyning, Tewksbury was found guilty of conspiracy to defraud and conspiracy to transfer criminal property and David Nash, 47 of Durrington, West Sussex was convicted of conspiracy to transfer criminal property.

The device in question in this instance was a USB hardware based keylogger but software based versions remain in existence, although many are not as sinister as they may seem.

If you’re reading this on a work, school or college PC, then the chances are that you’re using a machine or network that has some form of keylogging software installed. The recording of keystrokes and mouse clicks is a major principle behind many PC monitoring or parental control systems.

There are however, many malicious uses for keylogging software, most examples of which are spread through various forms of adware and spyware.

The software is used by criminals to secretly monitor and record everything that a user types or clicks on your PC in order to harvest your log-in names, passwords, and other sensitive information, before sending it on to the hackers. This can also include any passwords or user names that you may have asked your computer to remember for you, as these are usually held as cookies on your PC.

Some keyloggers also allow the creators to ‘target’ information entered into websites which could be of greater interest to criminals, such as online banking for example.

The software is one of the many reasons behind the growth in identity fraud over recent years and, had the Sumitomo Mitsui Bank come off, it would not have been the first financial institution to come unstuck.

In 2007, keylogging software was used to steal more than US$1m from the Swedish bank Nordea and in the same year, users of an American retirement savings and investment plan for federal employees were targeted by keyloggers, resulting in $35,000 going missing.

With the most common distribution methods for keyloggers being through over forms of malware, including adware, Trojans and spyware, the advice is to ensure that your firewall and antivirus software remains updated and that their copy of Windows is fully patched with the latest security updates.

A critical flaw in MS09-002, is being exploited using a specially coded Word document which is emailed to users. Once opened, the attachment installs spyware onto the target system, including a Trojan that allows the malware to update itself.

The malware itself is believed to include key-logging and data harvesting functions, putting users at an increased risk of identity fraud. Data is then send through an encrypted channel to a location in China.

“Several antivirus vendors reported MS09-002 exploits in the wild. We can confirm that the exploit for the CVE-2009-0075 vulnerability (Uninitialized Memory Corruption) in Internet Explorer 7 is definitely in the wild and working on an unpatched Windows XP machine,” said Bojan Zdrnja of the Sans Internet Storm Center.

“Initially there was some confusion about this attack as most anti-virus vendors mentioned Word documents. The exploit targets Internet Explorer 7, but so far it has been delivered to the end user as a Word document.”

It is expected however that criminals will look to exploit the flaw through more sophisticated means.

“That being said there is absolutely nothing preventing attackers from using the exploit in a drive-by attack and we can, unfortunately, expect that this will happen very soon,” added Zdrnja.

Users who are currently using both patched and un-patched versions of IE7 are advised to be vigilant over any Word document attachments that they may receive by email and to ensure that their antivirus software remains updated.

Amazon.com has posted a warning on its website warning that purchasers of the Samsung SPF-85H 8-Inch Digital Photo Frame could find traces of malware on the installation CD including key logging software worm.

Traces of the worm W32.Sality.AE were found on the installation disc SAMSUNG FRAME MANAGER XP VERSION 1.08, which is needed for using the SPF-85H as a USB monitor. It is thought that the issue relates to versions of the product sold between October and December 2008.

Samsung have advised that most antivirus or security software packages will recognise the malicious file and user are being requested to quarantine or delete the file, remove the software and download an updated version from the Samsung website.

Both Samsung and Amazon.com have apologised for the error.

This is not the first incident in which potentially malicious software has been found on products from big-name technology companies.

Perhaps the most high-profile case involved music group Sony BMG back in 2005 when, as part of a copy protection measure, programs known as “rootkits” were hidden within audio CD’s which automatically installed without warning to a user’s Windows PC. The rootkits exposed key flaws in the Windows operating system, prompting Sony to recall all affected CDs and back down on their copy protection measures.

In similar cases, versions of GPS units supplied by TomTom were found to contain two separate trojans in January 2007 whilst in October 2006, McDonalds Japan recalled around 10,000 promotional MP3 players after traces of a malicious worm were found.

Research conducted by North Carolina State University found that participants clicked on a ‘fake’ pop-up advertisement 63% of the time with the majority of users clicking ‘OK’ without reading the message itself.

The study highlights the vulnerability of even experienced users to the threats posed by pop-up advertisements, given that pop-ups are one of the most common methods for malicious software to access a PC system.

Adware and Spyware are particularly common forms of malware which are transmitted using pop-up technology.

Research co-author Michael Wogalter, professor of psychology at North Carolina State University, warned users to read all pop-ups before acting.

“This study demonstrates how easy it is to fool people on the web,” he said.

“Be suspicious when things pop up. Don’t click OK – close the box instead.”

Tony Neate, managing director of the UK’s Get Safe Online campaign advised users to install a pop-up blocker and antivirus system.

“Browsers and most anti-virus software offers them. Pop-ups are either downloading something malicious or trying to sell me something so I just don’t want them there at all,” he said.