As always malware and mass infections is a numbers game so the bad guys will always target the most popular and prolific operating systems to increase their chances of widespread infections.

For me personally UAC in Windows Vista was simply a pain in the ass, so much so I just turned it off completely as did most people rendering it completely ineffective. They seem to have toned it down in Windows 7 to make it less invasive and perhaps as a byproduct have made it less effective.

A researcher at Sophos reports putting Windows 7’s User Account Control feature to the test and finding the technology failed to block numerous pieces of malware. Microsoft, however, stresses that UAC is only one part of Windows 7’s security.

A researcher at Sophos called the UAC feature in Windows 7 ineffective after numerous pieces of malware snuck by the technology in a test.

Microsoft first introduced User Account Control in Windows Vista to improve security. After some users complained the number of alerts it generated were annoying, the company pledged to cut down on the number of prompts in Windows 7. The move however has raised concerns in the security community, and Sophos Senior Security Adviser Chester Wisniewski said his test proves Microsoft took it a step too far.

Wisniewski wrote on his blog Nov. 3 that seven of the 10 pieces of malware he tested ran with the default AUC enabled in Windows 7 without generating any prompts. As part of the test, no antivirus software was installed on the system. Two of the malware samples did not work in Windows 7; of the remaining eight, only one generated a prompt, and that one still would have been installed had the user clicked yes, Wisniewski told eWEEK.

I’d imagine it only throws an alert if the software being installed tries to modify system files or place itself in system directories (c:/windows etc).

That would make sense to me, and yes it would make it ineffective against malware and even more ineffective when the bad guys work out how it functions and adapt to that.

Nothing much new here though is it, run anything on Windows XP and you’ll get no warnings..so just be vigilant. I’d rather Microsoft try an educate people on good security practice rather than trying to implement half-arsed technical measures to protect against wetware ignorance.

When asked about the test, Microsoft officials pointed to the other features of Windows 7 that have improved security.

“Windows 7 is built upon the security platform of Windows Vista, which included a defense-in-depth approach to help protect customers from malware; this includes features like Security Development Lifecycle (SDL), User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP),” a spokesperson said.

“Windows 7 retains all of the development processes, including going through the Security Development Lifecycle, and technologies that made Windows Vista the most secure Windows operating system ever released,” the spokesperson added. “Coupled with Internet Explorer 8—which includes added malware protection with its SmartScreen Filter—and Microsoft Security Essentials, Windows 7 provides flexible security protection against malware and intrusions.”.

All the above technologies are great and they do help a LOT when it comes to exploitation of vulnerabilities and trying to execute shell-code. But that’s not the biggest threat, the biggest threat is idiot users installing malware ‘by accident‘ on their own computers.

So yes, however obvious it may seem to us – you still need to install Anti-virus software on Windows 7.

Source: eWeek

The latest to hit is a spam e-mail claiming to be from the Facebook team that actually spreads a nasty piece of malware called Bredolab. It’s also been observed the trojan will connect to additional servers to install more malware.

The ultimate goal as usual is to make the victims part of a botnet.

Researchers at several security firms have uncovered a spam campaign targeting Facebook users. The e-mails, which pose as communications from Facebook about password resets, contain a nasty downloader that ultimately makes users part of a notorious botnet.

Researchers at several security firms have tied the Bredolab Trojan to a spam campaign targeting Facebook users.

The malware is being blasted out by spammers in e-mails claiming to come from “The Facebook Team.” Inside the e-mails is a message that the recipient’s Facebook password has been changed. In order to get the new one, recipients are told to open the accompanying attachment containing the malware.

Researchers at Websense told eWEEK Oct. 27 that they have observed more than 350,000 of the messages. On the company’s blog, researchers explained that the malware connects to two servers to download additional malicious files. Among them is Pushdo, also known as Cutwail.

This spam campaign seems to be generating some fairly high levels of traffic meaning whoever is behind it is pretty serious and committed to this vector for disseminating malware.

Social engineering isn’t a new method for propagating malware as always the weakest link is never the technological barriers but is always the stupidity/greed/gullibility of humans.

You can ALWAYS hack the wetware.

“One of the first things we saw this Trojan horse download was the Pushdo bot which began spamming out more of these Facebook password reset emails,” according to M86 Security.

MX Logic noted that Bredolab bypasses firewalls by injecting its own code into the legitimate process svchost.exe and explorer.exe. It also contains anti-sandbox code to thwart researchers, and creates the following files: %AppData%\wiaservg.log, %Windir%\temp\wpv861256600826.exe and %Programs%\Startup\isqsys32.exe. Bredolab also creates the processes isqsys32.exe and svchost.exe.

Sophos is detecting the malware as Troj/BredoZp-M or Mal/Bredo-A.

“Don’t make life easy for the hackers hell-bent on infecting your computer, stealing your identity and emptying your bank account – exercise caution when you receive unsolicited emails and protect your computer with up-to-date security software,” Graham Cluley, senior technology consultant at Sophos, advised in a blog post.

It looks like a pretty advanced piece of malware code which evades firewall measures and even tries to thwart analysis by AV companies.

Anti sandbox code and process injection, these bad guys are getting smart.

That does not bode well for the average citizen.

Source: eWeek

If you asked any techie back in 2002 which AV should you use, the answer would invariably be AVG free (or perhaps Panda).

After that AVG just got bloated, slow and their signature files became very weak missing a lot of nasty infections, I had to fix so many PCs running AVG that were infected up the ass with all kind of malware.

People starting recommending other like Avast!, Avira and BitDefender which also offer free use versions for home use.

AVG is putting an emphasis on increased speed with a revamp of its free and paid for security suites.

The latest revamp – AVG 9.0 – boasts 50 per cent faster speed and increased ease of use. Improvements in speed have been achieved by skipping the scan of files already marked as safe in future scans unless the file structure changes. The approach also offers claimed improvements of ten to 15 per cent for boot times and memory usage, respectively.

The firewall module in AVG 9.0 has also been redesigned to be less intrusive (ie fewer ‘Do you want to allow this application online’ questions) alongside tighter integration with the anti-malware scanner that forms the core of the product. This anti-malware scanner makes greater use of behaviour-based, cloud-based and white-listing technologies.

I haven’t tested AVG 9.0 yet as the free version isn’t being released until later this month, but if it stands up to their claims it could be a good product.

Speed and bloat is definitely something they need to work on along with a more accurate scanning engine and complete signature files.

Let’s hope it’s not all just hype.

AVG Free 9.0 will be available mid-October. Details of the features are being held back until then, but expect to see a cut-down product based on the same engine but without a firewall and other bells and whistles. Based on past form, AVG free will offer an anti-malware scanner alongside LinkScanner safe search technology.

AVG’s business model relies on selling into small business and getting a percentage of consumer users of its free product (perhaps around two per cent) to upgrade. The consumer end of this equation is severely threatened by Microsoft Security Essentials launch.

Recommendations from tech savvy friends were one of the main reasons consumers latched onto AVG in the first place. AVG lost a lot of goodwill in this area with the traffic-spewing fiasco that attached to version 8.0 of its security scanner.

Secondly, irrespective of the technical merits of its product, AVG is facing off against Redmond’s marketing muscle while at the same time hunting for a new chief executive.

Microsoft Security Essentials is definitely a huge entry barrier for them and they will need to push hard to gain back a decent market share. There are some extremely good AV products out there now and a lot more choice for consumers.

Plus of course the big fat behemoths are still out there bundling their software with OEMs (Symantec, McAfee etc).

We shall see if it stands up to the tests of real world use.

Source: The Register

The level of detection by AV software is quite scary, especially since the malware is specifically targeting bank login details and it has the ability to intercept the browser process.

Definitely one to watch out for in your organization.

One of the world’s nastiest password-stealing trojans evades detection by the majority PCs running anti-virus programs, according to a study that examined 10,000 machines.

Zeus, a stealthy piece of malware that sits on a PC and waits for users to log in to bank websites, is detected just 23 per cent of time by AV programs, according to the study [PDF] released by security firm Trusteer. Even AV programs with up-to-date malware signatures were unable to identify the infection a majority of the time, the authors said.

Zeus, which also goes by the name Zbot and PRG, escapes detection using sophisticated techniques such as root-kit technology, the Trusteer report said. The company is able to detect it by examining the fingerprint Zeus leaves when it penetrates an infected PC’s browser process.

It seems to be operating on a level that the AV engines can’t even detect as when installed with the latest signatures they still can’t alert a user they are infected.

It’s time AV engines get a little more advanced and hook into important processes like the browser and ensure they aren’t being tampered with or monitored.

Some kind of active memory protection must be possible.

A recent report estimated that Zeus is the No. 1 trojan, with 3.6 million infections in the US alone, or about 1 per cent of the installed base of PCs. Trusteer’s study, which found Zeus accounted for 44 per cent of the banking malware infections, was consistent with that finding. After sneaking onto a PC, it sits quietly in the background until a user logs on to a financial website. It then sends the login credentials to a remote server in real time, sometimes by use of instant messaging programs.

Of Zeus-infected machines, about 31 per cent don’t run AV at all and 14 percent run AV that’s out of date. The remaining 55 per cent had AV programs that were up to date.

Sitting at number 1 trojan this is a serious issue, especially with the stealthy mode in which it operates it looks like it’s going to be hard to stop the infections.

I someone comes up with a tool or method to prevent and detect these infections.

Source: The Register

Even though they tried to do so quietly, they are slipping a ‘malware detector’ into the latest OS X update known as Snow Leopard.

The problem is though, it only scans for two trojans? Seems a bit pointless to me.

Although Mac OS X is considered by many to be the most secure operating system available to end users, it does suffer from security issues. Perhaps the new malware detector in Apple’s new Mac OS X Snow Leopard release will help prove that.

Mac OS X is viewed by many as the most secure operating system on the market. It’s certainly considered far more secure than Microsoft’s Windows operating system.

But with a report hitting the wire Wednesday claiming Apple’s new Mac OS X release, Snow Leopard, will feature a malware-detection tool, some of those beliefs might be put into question.

According to reports, Mac OS X will feature an application that will scan the user’s Mac for known trojans. It will also flag malicious files if they are downloaded from Safari, iChat, Entourage and a few other applications. There’s just one catch: that feature will only look for two trojans. Every other possibly damaging trojan will not be scanned for.

Only two trojans? Why not make it a full on malware scanner, or at least something a little more useful than a finite scanner.

I mean even Windows pushes their Malicious Software Removal Tool and I’m sure it scans for more than just two threats.

Either way it’s a step in the right direction and Apple are acknowledging their OS isn’t bullet proof and they need to do something to address that.

Over the past few months, we have seen several Mac OS X security issues hit the wire. From security outbreaks to an update that included several security fixes, it was becoming clear that Mac OS X’s reputation for strong security wasn’t as reliable as some believed. And if Mac OS X Snow Leopard does, in fact, feature that new malware detector, it could change everything. Just don’t expect Apple to change.

“The Mac is designed with built-in technologies that provide protection against malicious software and security threats right out of the box,” Apple wrote on the company’s Mac OS X Snow Leopard page. “However, since no system can be 100 percent immune from every threat, anti-virus software may offer additional protection.”

I’m a little shocked by that statement. Although Apple does admit that no system is totally immune from issues, it says anti-virus software “may” offer additional protection. I think that perpetuates the myth that end users don’t need to worry about Mac OS X security.

I think the landscape for Apple is changing, as they get more users in the marketplace they WILL be exposed to more threats.

And more people will have their fingers in the operating system trying to break it for fun and profit. With Mac machines being sold as lifestyle products you can bet the majority of Apple users aren’t very tech savvy.

You can’t really compare it to the Linux desktop market, but even then Linux does have anti-virus software available for free and commercially.

Source: eWeek

The normal method for controlling Botnets is via an IRC channel, usually a private keyed channel on some obscure network. A lot of people used to use EFnet due to it’s lack of network services, but nowdays there are so many networks to choose from people can keep out of the limelight.

Sometimes even using a private IRCd setup on a hacked server or via Dynamic DNS on a home server.

For the past couple weeks, Twitter has come under attacks that besieged it with more traffic than it could handle. Now comes evidence that the microblogging website is being used to feed the very types of infected machines that took it out of commission.

That’s the conclusion of Jose Nazario, the manager of security research at Arbor Networks. On Thursday, he stumbled upon a Twitter account that was being used as part of an improvised update server for computers that are part of a botnet.

The account, which Twitter promptly suspended, issued tweets containing a single line of text that looked indecipherable to the naked eye. Using what’s known as a base64 decoder, however, the dispatches pointed to links where infected computers could receive malware updates.

Ok so one such channel was discovered, how many more accounts are there on Twitter being used for nefarious purposes?

Very hard for anyone to track them down, especially if they don’t use standard syntax across all the accounts.

I’m sure Twitter will be thinking up some way to auto-discover these accounts.

Master command channels used to herd large numbers of infected machines have long been one of the weak links in the botnet trade. Not only do they cost money to maintain, but they can provide tell-tale clues that help law enforcement agents to track down the miscreants running the rogue networks. Bot herders have used ICQ, internet relay chat, and other chat mediums to get around this limitation, but this appears to be the first time Twitter is known to have been employed.

Nazario said he’s found at least two other Twitter accounts he suspects were being used in the same fashion, but needs to do additional analysis before he can be sure. The bots using the Twitter account connected using RSS feeds, a technique that allowed them to receive each tweet in real time without the need of an account. It was unclear how many bots connected to the account.

Up to now, the bot designers have done a good job keeping their enterprise under wraps. The original bot software is detected by just 46 percent of the major anti-virus tools, according to this VirusTotal analysis. The updates, which appear to be affiliated with the Buzus trojan, are even stealthier, with only 22 percent of AV engines detecting it.

The example discovered uses base64 encoding, so perhaps they can track down accounts with base64 strings in their feed.

You can read more on the Arbor Networks blog here:

Twitter-based Botnet Command Channel

Source: The Register

It’s a pretty cool concept, abusing the Symbian Express Signing procedure. It reminds me of the heydays of self-propagating e-mail worms when corporate e-mail servers were getting flooded because everyone in the company was sending the same attachment to everyone else in their address book.

Now with the application integration on mobile phones it’s now possible on mobile phones.

Three Chinese companies — XiaMen Jinlonghuatian Technology, ShenZhen ChenGuangWuXian Technology, and XinZhongLi TianJin — created the ‘Sexy Space’ worms or Yxe Worm (Worm:SymbOS/Yxe.D) and submitted to Symbian OS-based phones through the express signing procedure, said F-Secure Security Labs recently.

“The worm is the first text message worm in history,” said Chia Wing Fei, security response senior manager at F-Secure. “Our labs have received few confirmed reports from China and Middle East at the moment.”

The first stage of Symbian’s signing process is done automatically using an antivirus engine, said Chia, adding that once an application has been submitted and scanned, random samples are then submitted for human audit.

So what next? Anti-virus for your mobile phone? Well that already exists (e.g. Kaspersky Mobile Security).

I’m sure the Symbian developers will tighten up the OS and the signing procedure too. It’s an area that is definitely going to get some attention with people starting to do more on their phones (PayPal just came out with an iPhone app for example) and mobile banking has been gaining popularity.

However, most applications are not inspected by humans through the express signing procedure, he noted.

An attacker can therefore put a web link pointing to the worm’s web site into a text message and invite the user to download the worm by clicking the link, Chia said. Once activated, the worm will install itself on the device, and send a similar text messages to all phonebook contacts listed, he added.

“These messages are sent in your name and from your phone. It means you will pay for each SMS sent by the worm. A typical cost for a single text message might be 5 cents. If you have 500 contacts in your phone, an infection would cost you 500 times 5 cents,” Chia noted.

It could cost you some money getting infected, and definitely cause a headache for you and your friends.

No one likes spam right? Especially when it’s serving up some self-replicating malware.

Source: Network World

I’ve spent a reasonable amount of time in Dubai on various projects, and my first surprise was Flickr being blocked. Especially as Dubai is probably the most liberal place in the Middle East. But now this massive invasion of privacy is taking it one BIG step too far, the sneaky way in which it was done is unforgivable too.

I hope Etisalat sees a mass exodus of users leaving their service and joining one that doesn’t try and send a copy of their e-mails and messages to some central location.

An update for Blackberry users in the United Arab Emirates could allow unauthorised access to private information and e-mails. The update was prompted by a text from UAE telecoms firm Etisalat, suggesting it would improve performance. Instead, the update resulted in crashes or drastically reduced battery life.

Blackberry maker Research in Motion (RIM) said in a statement the update was not authorised, developed, or tested by RIM. Etisalat is a major telecommunications firm based in the UAE, with 145,000 Blackberry users on its books.

In the statement, RIM told customers that “Etisalat appears to have distributed a telecommunications surveillance application… independent sources have concluded that it is possible that the installed software could then enable unauthorised access to private or confidential information stored on the user’s smartphone”.

With 145,000 BB users, that’s a fair amount of data they could have been harvesting with their covertly installed monitoring software.

Thankfully the users realised something was wrong with the crashes and terrible battery life not usually seen on Blackberry devices. And RIM have come forward in a responsible manner stating it had nothing to do with them and offering a fix for affected users.

The concern over this unauthorised access only came to light when users started reporting problems with their handsets. After downloading the update, users across the country noticed significantly reduced battery life, poor reception and in some cases, handsets stopped working altogether. Users have complained that the firm’s customer service is unable to provide information on the problem. Initial advice led many users to simply buy new batteries.

The update has now been identified as an application developed by American firm SS8. The California-based company describes itself as a provider of “lawful electronic intercept and surveillance solutions”. It is not clear why Etisalat wanted to include the software in the download.

The firm issued a brief statement last week, calling the problem a “slight technical fault”, saying that the “upgrades were required for service enhancements”.

Yah…sure! A slight technical fault led to installing spyware on your users phones? Ok, I believe you. How does snooping on your users classify as a service enchantment?

Well the competitors certainly don’t offer the same spyware service, so you can claim to be unique at least.

Shame on you Etisalat, really, shame on you.

Source: BBC (Thanks Navin)

It seems like with China pumping out the most malware this might be a very useful project, they have designed it quite intelligently too meaning it’s useful for many applications.

A Chinese company that has created a massive database of malware found on Chinese Web sites opened up the information to other security organizations on Thursday. Beijing-based KnownSec gathered the viruses and other information with a crawler that scans nearly 2 million Chinese Web sites each day, Zhao Wei, CEO of the security company, said in an interview in Beijing. He planned to give a presentation on the subject at the Forum of Incident Response and Security Teams (FIRST) security conference in Kyoto, Japan this week.

The database covers more Chinese Web sites and provides more up-to-date information about their security than any other, Zhao said in the interview. China produces the majority of the world’s malware, he said. A history for each site in the database lists dates of malware infection, the strings of malicious code placed on the sites and which antivirus products defend viewers against their attacks. The database also stores tens of thousands of viruses found being distributed by the sites.

Apparently according to McAfee with the current rate of malware growth in China, it could be doubling every year.

And phishing is starting to wake up in China, so get ready for more spam and scam e-mails with terrible English.

KnownSec each day finds more than 100 Trojan downloader files that have never been seen before, Zhao said. Each of those can direct a victim’s PC to download up to ten viruses. The database also has a list of Web sites that are currently compromised. Only about half of the newly infected sites KnownSec finds each day are also listed by Google as dangerous, said Zhao.

Google labels search results it has found to be potentially dangerous during scans of its index. When asked for comment, a Google spokeswoman said organizations need to work together to identify online threats and stamp them out. Security companies and national computer emergency response teams can request access to the KnownSec database, Zhao said. Security companies could use the information to shield users of their antivirus programs against new malware threats, he said.

The majority of the malware is password stealing trojans, which I’d imagine are targeted at users within China themselves and users of China based banks.

The phishing attacks are targeting these same users, either way be careful. It looks like China is jumping into the malware/phishing/spam arena with both feet so expect a rise in threats.

Source: Network World

But then he exposed his IP address on IRC, posted his face on some freaky vampire site and posted up screenshots of the HVAC system he ‘owned’ on a forum.

He wasn’t exactly making it hard for someone to find him..especially seen as though he actually WORKED IN THE HOSPITAL.

The leader of a malicious hacker collective who used his job as a security guard to breach sensitive Texas hospital computers has been arrested just days before his group planned a “massive DDoS” attack for the July 4 Independence Day holiday.

Jesse William McGraw, 25, of Arlington, Texas, was taken into custody late Friday evening after posting screenshots showing he had complete control of computers that administered air-conditioning systems at The Carrell Clinic in Dallas, federal prosecutors said. McGraw also brazenly posted videos showing him installing malware on hospital computers that made them part of a botnet he operated, said a network security expert, whose sleuthing uncovered the breach.

As a contract security guard at the hospital, McGraw had no authorized access to any of its computers. But that didn’t stop the miscreant, who went by the handle GhostExodus, from taping himself as he walked down the halls of the hospital with a blue security guard uniform poking out through a gray hoody, as he bragged about gaining control over sensitive computers.

If there was ever an original script kiddy, I think this guy fits the bill perfectly.

Seems like his l33t hacking skills extend to walking into rooms he has access too (with a security card), and taking some screenshots!

Or perhaps even sometimes he booted in with BackTrack and reset the passwords.

“It’s a unique mindset among these hackers,” said Wesley McGrew, a 29-year-old network PhD network security researcher at Mississippi State University. “It’s all about respect and fame and the respect of their equally weird peers.”

According to McGrew and federal prosecutors in Dallas, McGraw was the leader of a hacker gang known as the Electronik Tribulation Army. He had recently posted videos admonishing fellow hackers to carry out a “massive DDoS,” or distributed denial of service, attack on July 4, a date he called “Devil’s Day”. While the target and other details of the attack are unknown, the investigators are taking the threat seriously because McGraw, prior to his arrest, had tendered his resignation as a security guard job effective July 3.

According to court documents, hospital officials had experienced problems with their HVAC, or heating, ventilation and air-conditioning, units and were perplexed why none of the system alarms had gone off as programmed. Had they seen screenshots posted here by someone calling themselves GhostExodus, they would have known why. They images showed the HVAC control window for the hospital’s surgery unit. A test alarm setting was turned to “inactive.”

“You almost can’t help it ya know,” GhostExodus writes. “It must be done!”

Yah you just can’t help messing with the critical HVAC system of a hospital YOU TOOL. What is the point of that anyway, other than bragging rights (which will only impress other script kiddies).

Who knows…I guess if he had any real skills he wouldn’t be working as a security guard and he’d actually be using his talent to make some real bank.

Oh well, good luck to you I say GhostExodus.

Source: The Register