New twist on scareware locks up your PC

Posted by touhid | Posted in Security information | Posted on 21-10-2009

A new scareware campaign is putting a nasty twist to those online scams that try to frighten you into purchasing worthless antivirus protection.

PandaLabs virus hunter Sean-Paul Correll has discovered an attack that not only bombards you with obnoxious sales pitches – it also prevents you from opening any of your applications until you make a purchase. “It’s a major leap,” says Correll. “We have not seen this before.”

Six months ago, promos were being circulated for something called “FileFix Pro.” This particular scam began by encrypting files stored in the My Documents folder of the victim’s PC. Pitches would then follow to buy FileFix Pro to decrypt the files.

But this ongoing attack, promoting “Total Security 2009,” is much worse. It looks similar to the fear-based promos for Virus Remover 2009, SpywareGuard 2008, XP AntiVirus and other worthless security products, triggering fake scans showing your PC to be riddled with viruses. But it goes a step further by locking out access to all other applications. When you click on any other application a text balloon appears above the clock in the lower left corner of your desktop. You then get steered back to pitches to buy Total Security 2009.

Your machine is now unusable. You won’t be able to open Microsoft Office, your favorite online game, or even your antivirus cleanup tools. The only thing you can open is Internet Explorer – so you can navigate to the Total Virus 2009 shopping cart page. There you can use Visa or MasterCard to pay $79.95 for a standard version. You may also opt to spend another $19.95 to purchase “premium” tech support services. Once the payment clears, you receive a serial number to activate TotalVirus. You can then open your other applications.

Correll surmises that scareware purveyors are becoming more aggressive because the lucrative scam – in which sales affiliates can earn six-figure monthly incomes – may be getting saturated with practitioners. “They may not be making enough money, or maybe they want to make more money,” says Correll.

A Browser’s View of Your Computer

Posted by touhid | Posted in Security information | Posted on 20-10-2009

Researchers reveal how attackers may be able to peer into users’ computers over the Web.

The Internet is already a difficult place to maintain privacy, and now two security researchers have revealed new ways to spy on Web users via the browser. At a presentation at DEFCON 17, a hacking conference held in Las Vegas last week, the researchers showed a variety of ways to snoop on people online, despite the privacy tools employed by most browsers.

Credit: Technology Review

Robert Hansen, CEO and founder of the Internet security company SecTheory, and Joshua Abraham, a security consultant for the security company Rapid7, demonstrated how to do everything from obtaining details of the software running on a user’s system to gaining complete control of a computer. If the attacker can convince the user to visit a website he controls, perhaps through a link in an e-mail, a number of attacks on the user’s browser become possible.

The attacks worked with minimal participation from the user and, in one case, none at all.

“Your privacy is up to whichever site you’re visiting and what browser you’re using,” says Hansen, who emphasizes that users cannot trust the privacy controls built into a browser to keep them safe. “[Browser] privacy buttons are just a basic protection,” he says. In many cases, they’re mainly designed for benign situations, such as protecting a user’s privacy from other members of a household. To a determined attacker, however, Hansen says these privacy protections aren’t enough.

Hansen and Abraham showed how an attacker could build up detailed information about a user and her system with a variety of simple tricks. For example, by persuading a user to cut and paste a particular URL into a browser bar, an attacker can discover the person’s username and the name assigned to her computer, and can gain access to files on that system. Similar attacks can detect what plug-ins the user has installed in her browser.

This sort of information can be used to build a targeted attack against a particular user, Abraham says. Knowing which plug-ins a user has installed, for example, makes it easier to break into a system using a software flaw.

Hansen and Abraham raised privacy concerns about Google Safe Browsing, a commonly used extension for the Firefox Web browser that is designed to warn users about malicious websites. The researchers say that the tool performs that function well, but it also regularly issues a cookie that could be used to track all of the websites that a user visits. This information could be revealed if, for example, a government chose to subpoena the data.

Abraham went on to demonstrate a Java applet–code that runs inside the browser–that could grant an attacker access to a user’s machine, including encrypted files, and to the machine’s microphone. To pull this off, the attacker has to get the user to click twice–once to visit a page the attacker controls, and once to click through a browser warning. However, Abraham says that an attacker could disguise the applet as legitimate software related to programs the user has already installed.

While many of the attacks revealed by the pair need to be customized to a particular person, Abraham says it might be worth the effort if, for example, an attacker is trying to gain access to a particular company network.

Hansen adds that the attacks don’t call for much technical skill. “Most of the hard work has already been done for you,” he says, since many of the tools needed to pull off the attacks are freely available online.

Kate McKinley, a security researcher with San Francisco-based iSec Partners who studies browser privacy, agrees that plug-ins such as Flash can open up privacy holes. She notes that most browsers offer a feature that clears private data, but says this often doesn’t cover what is stored in plug-ins or certain newer browser features. Cookies stored in Flash, for example, can persist even when a user switches browsers, since they store data in a different dedicated location.

Users can protect themselves, Hansen says, but this means changing their online habits. For example, users need to get into the habit of questioning any dialogue boxes that are thrown up by the browser. “Are you willing to trade off usability for your security and privacy?” he asks. “There’s no easy answer, but we need to raise awareness of these issues.”

Researchers Hijack a Drive-By Botnet

Posted by touhid | Posted in Security information | Posted on 20-10-2009

The team gathered data on compromised pages and the would-be victims.

By infiltrating a criminal computer network aimed at infecting visitors to legitimate websites, university researchers have gained firsthand insight into the scale and scope of so-called “drive-by downloading.” They found more than 6,500 websites hosting malicious code that redirected nearly 340,000 visitors to malicious sites.

Credit: Technology Review

Drive-by downloading involves hacking into a legitimate site to covertly install malicious software on visitors’ machines or redirect them to another site.

In an unpublished paper, researchers at the University of California at Santa Barbara describe a four-month study in which they connected their servers to a collection of compromised computers known as the Mebroot botnet. Among their findings, the researchers discovered that, while the seedier sites on the Internet–those hosting porn and illegal downloads–were most effective at redirecting users to a malicious download site, business sites were more common among the compromised referrers.

“Once upon a time, you thought that if you did not browse porn, you would be safe,” says Giovanni Vigna, a UCSB professor of computer science and one of the paper’s authors. “But staying away from the seedy places on the Internet is no longer an assurance of staying safe.”

First discovered by researchers in late 2007, the Mebroot network uses compromised websites to redirect visitors to centralized download servers that attempt to infect the victim’s computer. The malicious software, named for its tactic of infecting a Windows computer’s master boot record (MBR), shows signs of professional programming, including a rapid cycle of debugging, researchers say.

“It is definitely one of the most advanced and professional botnets out there,” says Kimmo Kasslin, director of security response for antivirus firm F-Secure, which is based in Helsinki, Finland.

Using a variety of methods, the criminals behind Mebroot infect legitimate Web servers with Javascript code. The code redirects visitors to a different Internet domain, which changes every day, and where a malicious server attempts to compromise their computer with a program that provides the botnet’s owners with remote control over that machine.

The custom domain generation technique is a relatively sophisticated way to foil attempts to permanently shut down the network, the researchers say. Older drive-by download schemes have redirected victims to a hard-coded Web address. Rather than a static address, the Javascript used by Mebroot generates a new address every day, similar to the domain algorithm used by another computer pest called Conficker. However, because the algorithm relies on known inputs–namely the date–domains can be precomputed, aiding the defenders. The Conficker Working Group, for example, attempted to reserve future domains at least a month in advance.

During the four months the researchers studied Mebroot, the infection network used three different domain-generation algorithms, two of which used only the day’s date as an input. The last variant, however, adds a variable that cannot be easily guessed well in advance: the second character of the day’s most popular search term on Twitter.

“They (Mebroot’s creators) used a variable that was not in control of the bad guys or the good guys,” says Marco Cova, a UCSB student and a coauthor of the paper.

After they reverse-engineered the domain-generation algorithm, the researchers temporarily hijacked Mebroot by mirroring the steps the compromised websites take to calculate the current day’s domain and registering those domains themselves. But the researchers noticed that when they registered a domain for their sinkhole servers, the Mebroot gang would react by registering future domains faster.
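The precomputation the article describes, shown from the defender’s side as an added example. This is not Mebroot’s code or the UCSB team’s tooling: the two generators are constructed toys, seeded with a placeholder secret and a reserved top-level domain, that only reproduce the property being discussed. A DGA whose sole input is the date can be enumerated weeks ahead and matched against DNS or proxy logs, while a variant that also consumes a token nobody knows until the day arrives can at best be enumerated over every possible token value, which is the generalization the last function illustrates.

```python
"""Defender-side precomputation for a date-seeded domain-generation algorithm.

Added example, not Mebroot's real algorithm. The toy DGAs below reproduce one
property only: a date-only DGA is a pure function of the calendar, so future
domains can be listed and reserved or sinkholed in advance; a variant that mixes
in a value unknown until the day arrives can only be enumerated over all
possible values of that token.
"""
import hashlib
from datetime import date, timedelta

TLD = ".example"    # reserved TLD, constructed for the example
SEED = "toy-seed"   # placeholder for the constant a reverse-engineer would recover


def _label(material: str) -> str:
    """Hash arbitrary text into a 12-letter label (hex digit -> letter a..p)."""
    digest = hashlib.sha256(material.encode()).hexdigest()
    return "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])


def dga_date_only(day: date) -> str:
    """Toy date-only DGA: the domain depends on nothing but the calendar date."""
    return _label(f"{SEED}:{day.isoformat()}") + TLD


def dga_with_token(day: date, token: str) -> str:
    """Toy variant that also mixes in one character not known in advance."""
    return _label(f"{SEED}:{day.isoformat()}:{token}") + TLD


def precompute_domains(start: date, days: int) -> list:
    """What a working group can do against a date-only DGA: list the domains for
    the coming days so they can be reserved or sinkholed before they go live."""
    return [dga_date_only(start + timedelta(days=i)) for i in range(days)]


def candidate_domains(day: date, alphabet: str) -> set:
    """With the external token the best a defender can do ahead of time is to
    enumerate every possible token value; the set grows with the alphabet."""
    return {dga_with_token(day, ch) for ch in alphabet}


def is_dga_domain(hostname: str, start: date, days: int) -> bool:
    """Match a hostname from DNS or proxy logs against the precomputed list."""
    return hostname.lower() in set(precompute_domains(start, days))


if __name__ == "__main__":
    start = date(2009, 10, 20)  # constructed start date
    for d in precompute_domains(start, 3):
        print("reserve ahead:", d)
    # Constructed log hostnames: one produced by the DGA, one ordinary site.
    for host in (dga_date_only(start + timedelta(days=1)), "www.example.org"):
        print(host, "->", "DGA" if is_dga_domain(host, start, 30) else "benign")
    print("token-variant candidates for one day:",
          len(candidate_domains(start, "abcdefghijklmnopqrstuvwxyz0123456789")))
```

The branching factor is the whole point: with the date as the only input there is exactly one domain per day to reserve, whereas every unpredictable input character multiplies the number of domains a defender would have to register to stay ahead, which is why the researchers found the Twitter-seeded variant harder to pre-empt than the two date-only ones.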

The researchers were also able to profile the typical victim of the network. Almost 64 percent of the visitors redirected to the researchers’ servers were running Windows XP, while 23 percent were using Windows Vista. The next two most popular operating systems were Mac OS X 10.4 “Tiger” and Mac OS X 10.5 “Leopard,” which accounted for 6.4 percent of all visitors.

The researchers never compromised visitors’ systems. But they were able to find evidence that they had been infected by analyzing two kinds of information sent over the network. One suggested that 6.5 percent of visitors were infected with malware. The other indicated that 13.3 percent of systems had been modified by malicious or unwanted files. Moreover, more than half–about 54 percent–were running some sort of antivirus software. About 12 percent of those running the security software were also infected by malware, the researchers found.

The researchers also discovered that nearly 70 percent of those redirected by Mebroot–as classified by Internet address–were vulnerable to one of almost 40 vulnerabilities regularly used by the most popular infection toolkits designed to compromise computer systems. About half that number were vulnerable to the six specific vulnerabilities used by the Mebroot toolkit.

The research suggests that users need to update more often, says UCSB’s Vigna.

“Patches are very good at reducing the exposure of the end users, but users are not very good at updating their system,” he says.

How Safe Are Facebook Applications?

Posted by touhid | Posted in Security information | Posted on 18-10-2009

Recently, Roger Thompson, chief research officer at security firm AVG, discovered over half a dozen Facebook applications that had been compromised by malicious hackers. Although the apps’ reach was small with relatively few users being affected, Thompson was concerned because it was the first time he had seen apps themselves hacked as opposed to something like Facebook profile pages, a common target for the still-spreading Koobface worm.

While this incident alone wouldn’t generate much excitement given the low-profile nature of the applications affected, it’s not the only example of unsafe applications on Facebook. Another researcher just spent an entire month scouring Facebook apps for security vulnerabilities and what he found is disturbing: six of the hacked apps were in the top ten, 9700 applications were affected, and the potential victims totaled 218 million users.

Hacked Apps Found Forcing Malicious Software on Users

In the case of the hacked Facebook apps found by AVG, the apps had been compromised by the use of “iframes,” which are bits of code embedded in the applications themselves. The iframes were able to load content from malicious websites into the applications’ pages on Facebook.com, directing app users to install software on their computers by purporting to be an update for an out-of-date Adobe Reader product.

At first, Thompson thought the apps had been hacked by the developers, but as it turned out, it was the developers who were the victims. After looking at the source code for the apps in question, Thompson found that the iframes had been injected into the apps’ code due to infected software on the developers’ PCs.
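A detection check for the symptom described above, added here as an example; it is not AVG’s or Facebook’s tooling. It parses an app page’s HTML and reports every iframe whose source points at a host other than the app’s own, flagging frames that are sized or styled to be invisible. The sample page is constructed, and the hostnames in it are placeholders in reserved domains.

```python
"""Flag iframes in an app page that load content from hosts outside the app's own.

Added example, not AVG's or Facebook's tooling. SAMPLE_APP_PAGE is constructed
to stand in for an app page into which a hidden iframe was injected; the
hostnames are placeholders in the reserved .example and .invalid domains.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag names for us
            self.iframes.append({k: (v or "") for k, v in attrs})


def _host_allowed(host: str, allowed_hosts) -> bool:
    """True if host is one of the allowed hosts or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def _looks_hidden(attrs: dict) -> bool:
    """Injected frames are usually made invisible so the page looks untouched."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return "display:none" in style or "visibility:hidden" in style or tiny


def find_foreign_iframes(html: str, allowed_hosts) -> list:
    """Return one finding per iframe whose src points off the allowed hosts."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if host and not _host_allowed(host, allowed_hosts):
            findings.append({"src": src, "host": host, "hidden": _looks_hidden(attrs)})
    return findings


# Constructed sample: one legitimate frame on the app's own host, plus an
# injected 1x1 invisible frame pulling a fake "Reader update" lure from elsewhere.
SAMPLE_APP_PAGE = """
<html><body>
<h1>Quiz of the day</h1>
<iframe src="https://app.example/quiz?id=42" width="600" height="400"></iframe>
<iframe src="http://update-lure.invalid/reader.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_foreign_iframes(SAMPLE_APP_PAGE, ["app.example"]):
        print("foreign iframe:", f["src"], "(hidden)" if f["hidden"] else "")
```

A scan like this catches the symptom in deployed pages; since the article traces the injection to infected developer PCs rather than to a server break-in, the useful follow-up is to diff the deployed source against what is in version control and to clean the workstations that pushed it.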

Facebook quickly reacted to the situation and took down the compromised apps, while also contacting the developers to warn them of the issue.

Thousands of Apps Vulnerable to Attacks

While hacked Facebook apps may still be a bit of a rarity today on the popular social network, security vulnerabilities that could lead to malicious attacks are not. After spending a month on Facebook looking for application bugs, another security researcher made some disturbing findings.

Specifically, the researcher, who goes only by the handle “theharmonyguy” online, was looking for a specific vulnerability he referred to as a “FAXX Hack.” FAXX stands for “Facebook Application + XSS + XSRF” or, in other words, a cross-site scripting vulnerability – a certain type of security hole that could allow a hacker to access profile information, including personal details, status updates, and photos of a victimized user and their friends.

The findings showed that many Facebook applications, even those that were widely used and considered trustworthy, lacked basic security precautions. There were some 9700 Facebook applications which were affected by vulnerabilities, and over half of the applications in question had passed through Facebook’s “Verified Application” program, a sort of “stamp of approval” designed to assure Facebook users of an app’s general trustworthiness. Among the apps, six were ranked in the top ten by monthly active users, and the collective monthly active user counts for the vulnerable apps totaled 218 million. However, that figure does include overlaps. Also, seven of the top ten application developers on Facebook were found to host at least one vulnerable app.

While discovering the bugs, the researcher contacted each application developer to make him or her aware of the hole. For the most part, developers responded quickly and took the situation seriously. However, several developers took a while longer to respond. Nine took over a week to patch their application and one even took two weeks. And those delays were not due to the complexity of the required patches – these were, in terms of coding, simple fixes.

What’s most concerning about these findings is how widespread the problem was. Unlike the apps AVG discovered, this wasn’t a minor, isolated incident affecting a small handful of users. Although the apps in question here were just vulnerable to attacks as opposed to being compromised themselves, it shows how risky it is to use any application, Facebook Verified or not.

Is Any App Safe?

On top of all these security issues, in August many Facebook users were surprised to discover the vast amounts of personal information they were revealing by their use of Facebook quizzes. Even if you limit access to your profile through privacy settings, Facebook quiz applications can see everything on your profile page when you take a quiz…or even when your friend takes one. To make matters worse, Facebook does not screen developers for trustworthiness nor do they require developers to comply with a privacy policy.

With hacked apps, security vulnerabilities, lack of privacy policies, and apps that can read your private profile information, one has to wonder if using any Facebook application is appropriate and safe these days.

Mozilla Blocks Microsoft’s Buggy Firefox Plugin

Posted by touhid | Posted in Security information | Posted on 18-10-2009

Mozilla developers have blocked a Firefox plugin that was quietly pushed out by Microsoft, saying that it presents a security risk.

Microsoft shipped the Firefox add-on as part of a .Net software update last February, causing outrage among some Firefox users, who complained that the software was sneaked onto their systems without their knowledge or approval and was extremely difficult to remove.

On Tuesday, Microsoft warned that Firefox users who have not applied a recent Internet Explorer patch were vulnerable to a “browse-and-get-owned attack” because of a bug in the Microsoft .Net Framework Assistant add-on.

“All that is needed is for a user to be lured to a malicious website,” Microsoft said. Triggering this vulnerability involves the use of a malicious XBAP (XAML Browser Application).

The flaw is a nasty one, but users who have installed the MS09-054 IE update, released Tuesday, are protected from this attack, “regardless of the attack vector,” Microsoft said.

To protect users who may not have installed Microsoft’s patch, Mozilla is automatically blocking two add-ons: the Microsoft .Net Framework Assistant and a related plugin called the Windows Presentation Foundation. The open-source browser started blocking the software late Friday night.

“Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism,” wrote Mozilla Vice President of Engineering Mike Shaver in a blog posting. “Microsoft agreed with the plan, and we put the blocklist entry live immediately.”

Buggy plugins are a growing problem, as cyber criminals have increasingly leveraged flaws in products such as Adobe Flash Player and QuickTime to launch browser-based attacks. Earlier this week, Mozilla launched a Plugin Check site where Firefox users can see if their plugins are up-to-date.