Interesting that it’s using the Facebook notes feature to communicate depending on title/subject of the note.

The actual malware itself is spread through doc/pdf exploits and not through any flaws in Facebook itself.

Researchers at Symantec find a Trojan that uses Facebook to communicate with a command and control server.

The Trojan malware, known to Symantec as Whitewell, is being spread via e-mail through “documents (PDF, or MS Office formats) containing exploits for known vulnerabilities,” Andrea Lelli, a security analyst with Symantec Security Response, wrote on a Symantec blog Oct. 31. The malware works by contacting the mobile version of Facebook and using its Notes section. By analyzing the Trojan’s code, Lelli found that the Trojan will perform four different actions, depending on the notes’ titles that are found.

If the title is Wells, the note will contain the timedate stamp for when a machine was infected. If it is WebServer, however, the note will contain a URL to be contacted from which the Trojan will receive commands, Lelli wrote.

The malware can actually parse the data in Facebook, and post new notes itself meaning it is self-propagating according to whatever logic is programmed inside.

The ability of the trojan to do anything damaging is somewhat limited but it does show what could be achieved by using a social networking site as a command and control channel.

I’d imagine this won’t be the last we see and this could evolve into something much nastier.

If the note has the title ‘White’, it contains a URL that leads to an executable to be downloaded. If the title is anything else, the Trojan is programmed to wait, Lelli wrote.

This is not the first time social networks have been used to help control malware. In August, Arbor Networks researcher Jose Nazario uncovered a botnet using Twitter to communicate with its army of compromised machines.

According to Symantec, in this case, the documents containing the malware are made to look legitimate to conceal their intent, mimicking for example the names of well-known courier companies and utilizing popular headlines from the news media.

“Besides documents they can also spread the executables themselves, sending them with icons that resemble those that accompany legitimate documents, and with legit-looking file names such as ‘Competitive assessment.pdf .exe,’” Lelli wrote.

As with most attacks of this kind, the actual infection comes from lack of user knowledge and social engineering (double file extensions) as Windows STILL insists on hiding known file extensions from the user.

People have been falling for the old double-extension forever, I don’t see why Windows can’t just show extensions by default – do they scare people that much they have to be hidden?

Source: eWeek

Binging is a simple tool to query Bing search engine. It will use your Bing API key and fetch multiple results. This particular tool can be used for cross domain footprinting for Web 2.0 applications, site discovery, reverse lookup, host enumeration etc. One can use various different directives like site, ip etc. and run queries against the engine. On top of it tool provides filtering capabilities so you can ask for unique URLs or hosts. It is also possible to filter results by applying power of regular expression. Get your Bing API key and use this tool for your audit, assessment and research.

You can download Binging here:

Binging.zip

Or read more here.

Features

• Create PDF documents from scratch.
• Parse existing documents, modify them and recompile them.
• Explore documents at the object level, going deep into the document structure, uncompressing PDF object streams and desobfuscating names and strings.
• High-level operations, such as encryption/decryption, signature, file attachments…
• A GTK interface to quickly browse into the document contents.

Full Scripts

Some scripts are provided to help in performing common actions on PDF files. You can contribute more by sending your own scripts to origami(at)security-labs.org.

• detectjs.rb: search for all JavaScript objects.
• embed.rb: add an attachment to a PDF file.
• create-jspdf.rb: add a JavaScript to a PDF file, executed when the document is opened.
• moebius.rb: transform a PDF to a moebius strip.
• encrypt.rb: encrypt a PDF file.

You can download Origami here:

origami-1.0.0-beta1.tar.gz

Or read more here.

It was uncovered recently that it was being used as a Botnet Control Channel, shortly before that it was subjected to a DoS attack.

This isn’t the first time DMs have been used in a Phishing attack too.

Phishers are targeting Twitter users in a new attack involving direct messages sent to Twitter users containing a link to a site requesting user log-ins.

There are reports of a new phishing scam making the rounds on Twitter. The attack seeks to steal user credentials by sending tweets out with links to a phishing site. The attack site requests the user’s log-in information; once the attackers have that, they can take over the account of the victim and use it to send out more messages.

According to messages from Twitter users, the tweets with the link to the phishing site have to do with the sender supposedly making a certain amount of money. Such periodic phishing attacks on users of the popular microblogging service have become a fact of life.

I’m not exactly sure why anyone would want to steal a bunch of Twitter accounts? Perhaps to monetize them somehow with spam/affiliate schemes.

But the current threat on Twitter is a phishing scam executed via DM with a link to various things including ways to make money, a video of you or some other juicy gossip.

The cornerstones of social engineering in phishing attacks.

In May, researchers at Sophos reported that a number of Twitter users were lured to a phishing site via a tweet with the message: “check this guy out [tinyurl address leading to the attack site].” As was the case in that instance, URL shortening services are increasingly being abused by attackers to mask the Websites they are sending their victims to.

Besides drawing attackers as it has grown, Twitter has also gotten the interest of security researchers, as shown by the “Month of the Twitter Bugs.”

Twitter warned users about the attack, stating in a message: “A bit o’ phishing going on—if you get a weird direct message, don’t click on it and certainly don’t give your log-in creds!”

If you are using Twitter you should follow @spam and keep up to date with what is happening on the network.

Source: eWeek

The level of detection by AV software is quite scary, especially since the malware is specifically targeting bank login details and it has the ability to intercept the browser process.

Definitely one to watch out for in your organization.

One of the world’s nastiest password-stealing trojans evades detection by the majority PCs running anti-virus programs, according to a study that examined 10,000 machines.

Zeus, a stealthy piece of malware that sits on a PC and waits for users to log in to bank websites, is detected just 23 per cent of time by AV programs, according to the study [PDF] released by security firm Trusteer. Even AV programs with up-to-date malware signatures were unable to identify the infection a majority of the time, the authors said.

Zeus, which also goes by the name Zbot and PRG, escapes detection using sophisticated techniques such as root-kit technology, the Trusteer report said. The company is able to detect it by examining the fingerprint Zeus leaves when it penetrates an infected PC’s browser process.

It seems to be operating on a level that the AV engines can’t even detect as when installed with the latest signatures they still can’t alert a user they are infected.

It’s time AV engines get a little more advanced and hook into important processes like the browser and ensure they aren’t being tampered with or monitored.

Some kind of active memory protection must be possible.

A recent report estimated that Zeus is the No. 1 trojan, with 3.6 million infections in the US alone, or about 1 per cent of the installed base of PCs. Trusteer’s study, which found Zeus accounted for 44 per cent of the banking malware infections, was consistent with that finding. After sneaking onto a PC, it sits quietly in the background until a user logs on to a financial website. It then sends the login credentials to a remote server in real time, sometimes by use of instant messaging programs.

Of Zeus-infected machines, about 31 per cent don’t run AV at all and 14 percent run AV that’s out of date. The remaining 55 per cent had AV programs that were up to date.

Sitting at number 1 trojan this is a serious issue, especially with the stealthy mode in which it operates it looks like it’s going to be hard to stop the infections.

I someone comes up with a tool or method to prevent and detect these infections.

Source: The Register

The legal system has ticked along and now they have to stand up for their charges, which are spiraling as more and more cases are linked to them.

Albert “Segvec” Gonzalez has been indicted by a federal grand jury in New Jersey — along with two unnamed Russian conspirators — on charges of hacking into Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers, according to the indictment unsealed Monday. Gonzalez, a former Secret Service informant, is already awaiting trial over his involvement in the TJX hack.

According to the court document, the hackers allegedly stole more than 130 million credit and debit card numbers (.pdf) from Heartland and Hannaford combined. Prosecutors say they believe these breaches constitute the largest data-breach and identity-theft case ever prosecuted in the United States. They’re investigating other breaches and have not ruled out Gonzalez’s involvement in even more intrusions.

“We’re not seeing a huge array of hackers capable of doing this, but rather a more select group, [and that] demonstrates that there is a level of sophistication involved in these hacks,” said Assistant U.S. Attorney Erez Liebermann of the Justice Department’s New Jersey district office.

As with most things, 80% of the damage is done by 20% of the people. I’d say in this case it’s more like 98% of the damage is done by 2% of the hackers only a few of which ever get caught.

I think these guys just got too greedy and went after too many targets, but then their credit card theft ring is called “Operation Get Rich or Die Tryin”. They aren’t likely to die, but they are likely to go down for a long time.

But these are just the latest in a string of high-profile breaches that have been connected to Gonzalez. He and 10 others were charged in May and August 2008 with network intrusions into TJX, OfficeMax, Dave & Busters restaurant chain and other companies. Jury selection is slated to begin Sept. 14 in one of those cases. With regard to the Heartland-Hannaford cases, Gonzalez and the two unnamed Russian hackers have been charged with one count of conspiracy to commit computer fraud and one count of conspiracy to commit wire fraud.

They each face a maximum penalty of five years in prison and a possible maximum fine of $250,000 on the computer-fraud count and an additional 30 years and $1 million fine on the wire-fraud count, or twice the amount they gained from the offense, whichever is greater.

Attorneys for Gonzalez were not available for comment.

According to the New Jersey indictment, Gonzalez, 28, and an uncharged conspirator identified only as “P.T.,” allegedly found their targets on a list of Fortune 500 companies and then did reconnaissance to determine the payment-processing systems they used and uncover vulnerabilities. The hackers used computers they leased or controlled in California, Illinois and New Jersey as well as in Latvia, Ukraine and the Netherlands to store malware, launch their attacks against the networks, and receive the stolen numbers.

If you tally up all the counts that could be one hell of a sentence, especially with the 30 years for the wire-fraud tacked on. I guess if they ever manage to get out of prison, they might get to enjoy the millions they have stolen.

That is assuming they’ve laundered it and stashed it safely somewhere outside the jurisdiction of a US federal investigation.

Either way it’s an interesting case and I’m sure there will be more news about it.

Source: Wired (Thanks Navin)

I’ve spent a reasonable amount of time in Dubai on various projects, and my first surprise was Flickr being blocked. Especially as Dubai is probably the most liberal place in the Middle East. But now this massive invasion of privacy is taking it one BIG step too far, the sneaky way in which it was done is unforgivable too.

I hope Etisalat sees a mass exodus of users leaving their service and joining one that doesn’t try and send a copy of their e-mails and messages to some central location.

An update for Blackberry users in the United Arab Emirates could allow unauthorised access to private information and e-mails. The update was prompted by a text from UAE telecoms firm Etisalat, suggesting it would improve performance. Instead, the update resulted in crashes or drastically reduced battery life.

Blackberry maker Research in Motion (RIM) said in a statement the update was not authorised, developed, or tested by RIM. Etisalat is a major telecommunications firm based in the UAE, with 145,000 Blackberry users on its books.

In the statement, RIM told customers that “Etisalat appears to have distributed a telecommunications surveillance application… independent sources have concluded that it is possible that the installed software could then enable unauthorised access to private or confidential information stored on the user’s smartphone”.

With 145,000 BB users, that’s a fair amount of data they could have been harvesting with their covertly installed monitoring software.

Thankfully the users realised something was wrong with the crashes and terrible battery life not usually seen on Blackberry devices. And RIM have come forward in a responsible manner stating it had nothing to do with them and offering a fix for affected users.

The concern over this unauthorised access only came to light when users started reporting problems with their handsets. After downloading the update, users across the country noticed significantly reduced battery life, poor reception and in some cases, handsets stopped working altogether. Users have complained that the firm’s customer service is unable to provide information on the problem. Initial advice led many users to simply buy new batteries.

The update has now been identified as an application developed by American firm SS8. The California-based company describes itself as a provider of “lawful electronic intercept and surveillance solutions”. It is not clear why Etisalat wanted to include the software in the download.

The firm issued a brief statement last week, calling the problem a “slight technical fault”, saying that the “upgrades were required for service enhancements”.

Yah…sure! A slight technical fault led to installing spyware on your users phones? Ok, I believe you. How does snooping on your users classify as a service enchantment?

Well the competitors certainly don’t offer the same spyware service, so you can claim to be unique at least.

Shame on you Etisalat, really, shame on you.

Source: BBC (Thanks Navin)

In our first alpha release, we released a core built by Matt and Jay, with introductory plug-ins by Justin and InGuardians agent Tom Liston. It runs on Linux and Mac OS X, with most of the code functional on Windows and BSD Unix.

The current codebase is in the alpha state, but a beta release is coming soon, with better documentation (see the wiki), easier installation, and even more plug-ins.

Plug-ins

• plugin-beef.py – inject the Browser Exploitation Framework (BeEF) into any HTTP requests originating on the local LAN
• plugin-metasploit.py – inject an IFRAME into cleartext (HTTP) requests that loads Metasploit browser exploits
• plugin-keylogger.py – inject a JavaScript? onKeyPress event handler to cleartext forms that get submitted via HTTPS, forcing the browser to send the password character-by-character to the attacker’s server, before the form is submitted.

The author team has done a tremendous amount of research, design and pseudo-code work, fleshing out attacks on web-based e-mail systems and social networking sites.

Dependencies

The Middler depends on the following Python modules:

• scapy
• libpcap
• readline
• libdnet
• beautifulsoup

You can download The Middler here:

middler-alpha-2009022301.tgz

Or read more here.

If a company or organisation has a decent data/information security policy in place (Like ISO27001 for example) they should have a secure destruction/disposal policy as part of that.

The current fiasco reminds me of the digital camera sold on eBay containing terrorist information from the MI6!

The recent discovery of a computer on eBay with data on a U.S. missile system underscores the importance of securing data when it is time to retire and dispose of a machine. Enterprises need to have proper plans and oversight in place to protect their information.

When reports that data on a U.S. missile system was found on a computer auctioned on eBay, enterprises were provided another example of what happens when they fail to securely manage data at the end of its life.

In this case, the consequences were nil, as the computer in question was purchased as part of a research project and has been turned over to the FBI. Still, the situation underscores the importance of having policies in place to protect data that extend all the way to the “death” of an organization’s machines.

The kind of information floating around in computers really needs to be kept under a tighter control, how can missile systems data be left on a computer sold on eBay? It just seems ridiculous.

Companies dealing with confidential information generally have data disposal policies in place, why do government organisations dealing with World security not have tight policies regarding disposal of decommissioned hardware?

For sensitive data, it’s best to do it using a disk degausser or seven-way random write algorithm, which some operating systems support either through tools or the command line, noted Forrester analyst Andrew Jaquith. There are also third-party tools that do this as well, he said.

“There’s also the physical option,” he added. “A sledgehammer to the memory card or hard disk is quite effective. It’s also usually faster and arguably more satisfying.”

Another layer of protection can also be found in encryption. Deguassing or physically shredding a drive can be costly, said Seagate’s Gianna DaGiau said. Overwriting a drive also may be incomplete if it doesn’t cover reallocated sectors or is thwarted by drive errors.

“Some corporations have concluded the only way to securely retire drives is to keep them in their control, storing them indefinitely,” said DaGiau, Seagate’s senior manager of enterprise security. “This cannot be considered truly secure, as large numbers of drives in close proximity can easily tempt employees and lead to some drives being lost or stolen.”

A 7 pass overwrite will be good enough in most situations, tools are available to do this for free like DBAN and Eraser so there is really NO excuse not to do it.

Personally if it’s important I’d recommend 7-pass overwrite, then degauss then bang the shit out of it with a baseball bat then burn it up (a blowtorch would be good).

I’d say your data should be pretty secure then, downside is no-one would want it buy it on eBay after you did that.

Source: eWeek

The latest revelation is that used BlackBerries are being traded, not by the value of the phone but by the value of the data contained on the phone!

It just shows most companies still don’t have responsible disposal policies when it comes to releasing old equipment and making sure it’s wiped of data or destroyed.

A TV investigation has revealed that secondhand BlackBerries on Nigerian markets are priced according to the data held on them, not the age or the model of a phone.

Jon Godfrey, director of Sims LifeCycle Services, who is advising on a TV investigation into the trade due to screen later this year, said that BlackBerries sell for between $25 to $65 on Lagos markets. Details of the trade come from an agent in Nigeria unaffiliated to Sims’ technology recycling business.

Godfrey explained that the smart phones offered for sale come from the US, continental Europe and the UK. “It’s unclear as yet whether the phones are either sold, thrown away, lost or stolen,” Godfrey explained.

Other type of smartphone are also of potential interest to data thieves, but it is the trade in BlackBerries that seems to be the most active. Data retrieved from smartphones is itraded by crooks in Nigeria.

I’d imagine the phones are older models sold off by lot from companies upgrading to the newer versions of the BlackBerry.

The BlackBerry is a wise choice for data thieves as it’s more likely to be used for business purposes and contain important e-mail information.

Other smart phones would be used more for media and leisure purposes.

BlackBerries include technology to remotely wipe devices and come with built-in encryption. But this encryption is often left switched off because it is considered an inconvenience.

“Business critical data is left on unprotected devices,” Godfrey explained. “Anyone who gets these devices will obtain a snapshot of someone’s life.”

“People need to take residual data issues more seriously and have a policy on how to use and dispose of devices,” he added.

According to a survey by endpoint security firm Credant Technologies, four in five mobile phone users store information on their phones that might easily be used to steal their identities. A survey of 600 commuters at London railway stations revealed that 16 per cent kept their bank account details saved on their mobiles, while 24 per cent also saved their PIN numbers and passwords in the same insecure manner. One in 10 (11 per cent) keep social security and inland revenue details on their phone. Two in five fail to take even basic security precautions, such as password protecting their devices.

It’s scary the amount of people that keep really important stuff in their phones like their bank PIN numbers, banking passwords, passport numbers, social security info and much more.

And only 3 out of 5 take some basic security precautions like passwording their device, that means the number who actually encrypt their data and secure it properly would be less than 5%.

Source: The Register