Archive for the ‘Emerging Threats?’ Category

Gulf Times – Qatar’s top-selling English daily newspaper – Qatar

April 1, 2010

Gulf Times – Qatar’s top-selling English daily newspaper – Qatar: ”
Daily Newspaper published by Gulf Publishing & Printing Co. Doha, Qatar

Criminals are devising new threat paths, says IT expert
By Sarmad Qazi

Dr K Rama Subramaniam
Sophisticated cyber criminals are successfully finding new threat paths that are going undetected, a cyber criminologist said yesterday.
Dr K Rama Subramaniam, director at Valiant Technologies, India, and Baker Tilly MKM, Abu Dhabi, who is a visiting professor of Cyber Criminology at the University of Madras, further said that cyber crime was no longer about fun.
‘The players now include terrorists, white collar crimin”

BSOD after MS10-015? TDL3 authors “apologize”

February 16, 2010

BSOD after MS10-015? TDL3 authors “apologize”: “

Last November we blogged about a new rootkit spreading around the net. That rootkit, called TDL3, TDSS or Tidserv (there are many different names for the same malware, as often happens between security companies), was pretty scary because of the new way it compromised the system, using both improved and brand-new tricks.

A couple of months later, we are here to raise the alarm again about this threat, which has been improved by its creators.

The fact is that the team of coders behind this rootkit is working hard to improve its creation. During these months they never stopped updating it, releasing every day – sometimes several times a day – new, rebuilt droppers able to evade generic detection signatures.

All TDL3 droppers have been rebuilt server-side every day during November, December, January and February. This allowed the authors to break weak signatures or badly written generic detection routines. This was in fact the only effective obstacle they faced; otherwise, only very few specific anti-rootkit tools are able to detect the infection when it is active.

Even the rootkit itself has been updated and armored to defend itself against a number of specific anti-rootkit tools. Following the full story of the rootkit is entertaining, because it looks like a chess game between security vendors and malware authors. It is one of the few times you can see a team of rootkit writers counteracting security vendors almost in real time.

We already knew the rootkit is able to infect a system driver and to filter every disk I/O request through a strong filtering mechanism. Now the rootkit has added a watchdog thread that prevents any change to the service registry key of the infected driver. By doing so, it is able to block some basic cleanup tools.

Another self-defense feature added to the rootkit is that nobody can obtain a handle to the infected driver file any more. This prevents some cleanup tools from reading the content of the file. Prior versions of the rootkit allowed the infected file to be read, though they returned a clean copy of it. Some security tools used this trick to recover the original clean copy of the file and restore it.

We have some doubts about the real usefulness of this self-defense feature. While it is true that it is no longer possible to obtain the original file content, it is also true that the infected driver is now easier to discover, because every scanner will be denied access to the file and this anomaly will be reported.

Last Tuesday Microsoft released a number of Windows updates, some of them critical because they fixed a 17-year-old bug. After some users updated their Windows operating systems, they got a scary and really annoying blue screen of death.

Most of those users were angry at Microsoft, but this time the problem is not related to Microsoft. Indeed, a number of the users affected by this BSOD were infected by the TDL3/TDSS rootkit.

More precisely, the TDL3 rootkit appears to be incompatible with the MS10-015 update. This is the cause of the BSOD. The problem lies in the laziness of the rootkit writers when they wrote the driver infection routine.

When the rootkit dropper is run, the infection routine calculates the RVA offsets of some Windows kernel APIs and hard-codes them, so that at every restart the portion of the rootkit loader injected inside the infected driver can use these offsets to immediately calculate the addresses of the wanted functions.

This worked well until the MS10-015 update, which changed the Windows NT kernel. The update changed those offset values and consequently broke the rootkit code. When the update procedure finishes, the system is restarted. At system restart, the rootkit code tries to call an invalid address, and this causes the BSOD.
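As an added illustration of why offsets cached at infection time stop being valid after a kernel update (constructed example code, not Prevx's analysis tooling and not the rootkit's code), the following Python builds two flat images that carry nothing but a PE export directory, with the same function names at different RVAs, and contrasts name-based export resolution, which survives the shift, with a cached RVA, which does not. The export names and RVAs are invented for the demonstration, and `cached_rva_is_current` is the check a scanner could apply to offsets it finds stored in a suspicious driver.

```python
import struct

# IMAGE_EXPORT_DIRECTORY (40 bytes): Characteristics, TimeDateStamp, Major, Minor,
# Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
EXPORT_DIR_FMT = "<IIHHIIIIIII"
EXPORT_DIR_RVA = 0x200  # where the directory sits in the constructed images below

def build_image(exports):
    """Constructed flat image (RVA == offset) holding only an export directory; exports = [(name, code_rva)]."""
    n = len(exports)
    funcs_rva = EXPORT_DIR_RVA + struct.calcsize(EXPORT_DIR_FMT)
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings_rva = ords_rva + 2 * n
    strings, name_rvas = bytearray(), []
    for name, _ in exports:  # NUL-terminated names are laid out after the three tables
        name_rvas.append(strings_rva + len(strings))
        strings += name.encode() + b"\0"
    image = bytearray(strings_rva + len(strings))
    struct.pack_into(EXPORT_DIR_FMT, image, EXPORT_DIR_RVA,
                     0, 0, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
    for i, (_, code_rva) in enumerate(exports):
        struct.pack_into("<I", image, funcs_rva + 4 * i, code_rva)
        struct.pack_into("<I", image, names_rva + 4 * i, name_rvas[i])
        struct.pack_into("<H", image, ords_rva + 2 * i, i)  # unbiased ordinal -> index into functions table
    image[strings_rva:] = strings
    return image

def resolve_export(image, name):
    """Resolve a function RVA by walking the export name table (linear scan; a real loader binary-searches)."""
    n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from(EXPORT_DIR_FMT, image, EXPORT_DIR_RVA)[7:11]
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names_rva + 4 * i)[0]
        if image[name_rva:image.index(b"\0", name_rva)] == name.encode():
            ordinal = struct.unpack_from("<H", image, ords_rva + 2 * i)[0]
            return struct.unpack_from("<I", image, funcs_rva + 4 * ordinal)[0]
    raise KeyError(name)

def cached_rva_is_current(cached_rva, name, installed_image):
    """Does an RVA cached at infection time still match the export of the installed image?"""
    return resolve_export(installed_image, name) == cached_rva

# Constructed "before MS10-015" and "after" kernel images: same exports, shifted RVAs (invented values).
KERNEL_BEFORE = build_image([("ExAllocatePoolWithTag", 0x1000), ("IoCreateDevice", 0x1080), ("ZwClose", 0x1100)])
KERNEL_AFTER = build_image([("ExAllocatePoolWithTag", 0x1040), ("IoCreateDevice", 0x10c0), ("ZwClose", 0x1140)])
# What a loader that cached offsets from KERNEL_BEFORE would still be calling after the update:
CACHED_AT_INFECTION = {n: resolve_export(KERNEL_BEFORE, n) for n in ("ExAllocatePoolWithTag", "ZwClose")}
STALE_AFTER_PATCH = [n for n, rva in CACHED_AT_INFECTION.items() if not cached_rva_is_current(rva, n, KERNEL_AFTER)]
```

Every name in `STALE_AFTER_PATCH` is a call that would land on an invalid address after the update, which is the BSOD the post describes.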

The good news is that the TDL3 authors care about us: within a couple of hours they released a new updated version of the rootkit compatible with the Microsoft patch.

Sadly, the number of users affected by this BSOD is quite high, which means the rootkit infection is spreading quickly.

Moreover, a parallel version of the TDL3 rootkit is spreading too. This one uses an old infection technique, already seen in one of the first versions of TDL3. The injected DLL is no longer called tdlcmd.dll but z00clicker.dll.

International law enforcement should seriously consider cooperating with security vendors and try to shut down this botnet by tracking down the gang behind it. They are active and able to release updates every day. They are already a serious threat that should be defeated as soon as possible.

If during a scan Prevx reports an infection caused by tdlcmd.dll or z00clicker.dll, please contact Prevx technical support. Our technicians will help our customers get rid of the TDL3 infection.

(Via Prevx Blog.)

Political hacktivism and the exploitation of tragedies is on the rise

February 9, 2010

Political hacktivism and the exploitation of tragedies is on the rise: “A new McAfee report highlights the rise of political hacktivism in countries like Poland, Latvia, Denmark and Switzerland as well as the most significant spam-generating stories in 2009. 2009 averaged…”

(Via Help Net Security – News.)

How The Koobface Worm Gang Makes Money

December 21, 2009

How The Koobface Worm Gang Makes Money

Trend Micro report looks at the true motivation behind the widespread malware-laden botnet

Dec 21, 2009 | 02:51 PM
By Kelly Jackson Higgins
DarkReading

Chances are you know someone who has been hit by Koobface, one of the first successful social networking worms. But there are many faces to Koobface, and many ways its authors make money from it.

New research from Trend Micro details how Koobface’s creators monetize the worm through scareware or fake antivirus, click fraud, information-stealing malware, and online dating services. “Unlike in the past when we always thought of malware as one piece of malware, like Melissa or Lovebug, in today’s world Koobface is an ongoing criminal enterprise using hundreds and thousands of pieces of code,” says David Perry, global director of education for Trend Micro. “That makes it more difficult to describe to the public at large. It’s not just one file.”

Read the rest here

Web service automates WordPress password cracking

November 30, 2009

Web service automates WordPress password cracking: “

Malefactors debut Hacking as a Service

Hackers have developed a distributed WordPress admin account cracking scheme that poses a severe risk for the security of blogs whose owners select insecure passwords.…

(Via The Register – Security.)

The Six Greatest Threats to U.S. Cybersecurity

November 18, 2009

The Six Greatest Threats to U.S. Cybersecurity

It’s not a very good day when a security report concludes: Disruptive cyber activities expected to become the norm in future political and military conflicts. But such was the case today as the Government Accountability Office today took yet another critical look at the US federal security systems and found most of them lacking. Read more

(via CIO Magazine)

Gumblar is back with a vengeance

November 18, 2009

Gumblar is back with a vengeance: “ScanSafe reported that 29% of all Web malware blocks in October 2009 were the result of Gumblar. This series of website compromises, collectively dubbed ‘Gumblar’ takes a multi-pronged approach, insta…”

(Via Help Net Security – News.)

New Adobe Vulnerability Exploited in Targeted Attacks, (Thu, Oct 8th)

October 8, 2009

New Adobe Vulnerability Exploited in Targeted Attacks, (Thu, Oct 8th): “Adobe’s PSIRT (Product Security Incident Response Team) published a new blog post today [1]. The pos …(more)…”

(Via SANS Internet Storm Center, InfoCON: green.)

Starbucks Launches First Dedicated iPhone App for Stored-Value Cards

September 29, 2009

Starbucks Launches First Dedicated iPhone App for Stored-Value Cards: “

This is a huge day, and one that I hadn't expected for at least another couple of years. The convergence of mobile payments and caffeine. What more could a mobile banking geek and coffee connoisseur want?

Starbucks pioneered stored-value cards and launched its first card in 2001. Today, it became the first company (note 1) to create an iPhone app exclusively for a payments card. Apparently, Finovate alum mFoundry helped build the app (cnet story, thanks Brandon).

Users were offered $5 extra credit on their first Starbucks card reload of $25 or more made from the new app. Registered cardholders received an email notification earlier today urging them to ‘turn your iPhone into a Starbucks card.’ (see screenshot below).

Note, the Starbucks Card Mobile app (app store link) is in addition to the regular myStarbucks app which has a store locator, coffee/drink info and a favorites-sharing function (app store link). That app also launched today (notes 2, 3). 

The app is gorgeous and shows how important design can be in creating a trustworthy and easy-to-use payment product (note 4). For example:

Home screen (left screenshot):

  • The card balance is immediately and prominently displayed

Reload screen (middle screenshot)

  • Uses big, easy-to-read buttons (remember, this is a small screen), with a giant green, full-width Continue button
  • Current balance repeats at the top

Mobile payment screen (right screenshot)

  • The bar code for mobile point-of-sale payments (test only, see below) is rendered over a background image of the card, complete with card number, a nice touch to reassure users and Starbucks baristas that this is the real thing.

Analysis
Of course, the mobile commerce and banking community will be abuzz about the mobile payments test. At 16 Starbucks locations (8 in Seattle and 8 in Silicon Valley), iPhone users will be able to pay at the counter using a barcode generated on screen (right screenshot). Luckily, several Starbucks are within a couple miles of my home so I’ll be able to report back with results as soon as the test locations are live.

But I think the stored value card management functions are more interesting for the present. Just think if you had an application that looked like this for your debit or credit card. Think of the brand-value uptick, PR notice, and word-of-mouth buzz. 

Starbucks Card Mobile screenshots (23 Sep 2009)


Email announcing the new mobile card app (sent to a registered Starbucks cardholder in the mobile payments test market, 23 Sep 2009, 12:43 PM Pacific)


Notes:
1. Starbucks is the first company in the U.S. to have a dedicated app for a payments card. Although unaware of any elsewhere in the world, I would expect that card apps exist, at least in Asian markets.
2. The main Starbucks app is currently the 33rd most popular free app in the store and number 1 in Lifestyle; Starbucks Card Mobile is number 46 overall and 3 in Lifestyle (6 PM Pacific).
Update (9 PM Pacific): myStarbucks has moved to number 19 and Starbucks Card Mobile to 38.
3. The Starbucks apps are huge, 6.3 MB for the regular and 3.7 MB for the card, so make sure you have good reception or are connected via WiFi.
4. However, I have been unable to log in to my actual Starbucks account as of 7 PM Pacific, owing perhaps to overloaded servers.
5. For more info on financial institution opportunities, see our Online Banking Report: Mobile Banking via iPhone.

(Via NetBanker.)