Posts Tagged ‘Internet Security’

Wedding Bells Ringing in Malware

Wednesday, August 18th, 2010

by Barracuda Labs

Weddings are joyous affairs, happy occasions for celebration. When friends find a soulmate and announce their intentions to the world, it’s exciting. We’re thrilled for them and we want the details right away.

Well, not so fast.

Barracuda Labs spam honeypots have recently detected spammers sending multiple wedding-themed emails, hoping to catch people with their guards down.  The messages can be quite convincing, but there is no “happily ever after” in the malware that is attached to them.

Consider this wedding invitation:

"Wedding Invitation" email

If the attached “Wedding Card” is opened, it launches a fake antivirus – SecurityTool:

Wedding Card results
Result of opening the “Wedding Card”

In addition to dropping SecurityTool on the system, the Wedding Card also downloads Trojan.Fitmu.A:

Download of password stealer

This program quietly runs in the background looking for usernames and passwords to steal.  In particular it steals FTP passwords, and stolen FTP passwords are the most common way that sites are hacked.

The spammers are casting a broad net, even targeting users who might be planning their own wedding. Say you are busy trying to arrange a venue, finalize a contract for catering, find music and a photographer, and then receive an email such as this:

"Wedding Contract" email

Upon first glance and a quick scan, it could appear as your legitimate contract (of course, hopefully the users will notice if the venue is not one they have been reviewing!). If the attachment is opened, it does not appear to do anything at all.  Nothing displays.  However, more is going on behind the scenes.

The attachment is actually a Zeus Trojan, a password stealer that specializes in online banking passwords.  The traffic here shows the Trojan retrieving its configuration and checking in with its command and control server.

The bottom line? Stay alert, scrutinize emails carefully and spread the word to your friends and co-workers. Being aware of these spam attacks helps prevent their success.

Barracuda Spam & Virus Firewall, Barracuda Web Filter and Barracuda Web Filtering Service customers are protected from this attack.

  • Share/Bookmark

Tags: , , , , ,
Posted in Email Security, Security, phishing | No Comments »

Barracuda Labs 2010 Midyear Security Report

Wednesday, July 28th, 2010

 Today Barracuda Labs released our 2010 Midyear Security Report, revealing data from two key areas: search engine malware  and Twitter use and crime rate.

Our study shows that attackers have serious efforts devoted towards getting in front of the billions of eyeballs that are using search engines everyday and the millions of users that are connecting on social networks like Twitter. These research efforts allow us to continue to analyze their approaches and build new techniques to find them and protect users. Highlights of the study are below, and you can download the full report off the BarracudaLabs.com homepage.

Searching for Malware

We conducted a study across Bing, Google, Twitter and Yahoo! over a roughly two-month period. The analysis reviews more than 25,000 trending topics and nearly 5.5 million search results. The purpose of the study was to analyze trending topics on popular search engines to understand the scope of the problem and to identify the types of topics used by malware distributors.  Key highlights:

  • Overall, Google takes the crown for malware distribution – turning up more than twice the amount of malware as Bing, Twitter and Yahoo! combined when searches on popular trending topics were performed. Google presents at 69 percent; Yahoo! at 18 percent; Bing at 12 percent; and Twitter at one percent.
  • The average amount of time for a trending topic to appear on one of the major search engines after appearing on Twitter varies tremendously: 1.2 days for Google, 4.3 days for Bing, and 4.8 days for Yahoo!
  • Over half of the discovered malware had originated between the hours of 4:00 a.m. and 10:00 a.m. GMT.
  • The top 10 terms used by malware distributors include the name of a NFL player, three actresses, a Playboy Playmate and a college student who faked his way into Harvard.

The Dark Side of Twitter

As part of an ongoing study to data we released in June 2009 and subsequently in March 2010, we analyzed more than 25 million Twitter accounts, both legitimate and malicious. The purpose of this part of the study was to measure and analyze account behavior on Twitter in order to model normal user behavior and identify features that are strong indicators of illegitimate account use. The study reviews several key areas including True Twitter Users1, Twitter Crime Rate2, and Tweet Number3.  Key highlights:

  • In general, activity is increasing on Twitter: more users are coming online; True Twitter Users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases.
  • Only 28.87 percent of Twitter users are actual True Twitter Users.
  • Half of Twitter users tweet less than once a day, yet one in 10 users tweet five or more times a day and 30 percent of Twitter accounts have never tweeted.
  • One in every eight Twitter users has at least 10 times more followers than they are following.
  • Only one in 10 users is following more than 100 users, and almost half are following less than five.
  • The Twitter Crime Rate for the first half of 2010 was 1.67 percent.

 

We are presenting the findings of both studies, as well as other Barracuda Labs work, at Security BSides Las Vegas and DefCON 18 this week in Las Vegas. Come see us!

Security BSides Las Vegas:

Wednesday July 28 at 3pm PT – The Darkside of Twitter (Dr. Paul Judge, Dave Maynor)

Thursday July 29 at 3pm PT – A Mechanic’s View of SQL Injection (Ray Kelly)

DefCON 18:

Saturday July 31 at 11am PT – Searching for Malware (Dr. Paul Judge, Dave Maynor)

Resources:

Footnotes:

1 – ‘True Twitter User’ is defined as a user that has at least (≥) 10 followers, follows at least (≥) 10 people, and has tweeted at least (≥) 10 times.

2 – ‘Twitter Crime Rate’ is defined as the percentage of accounts created per month that were eventually suspended for malicious or suspicious activity, or otherwise misused.

3 – ‘Tweet Number’ is defined as a user’s average number of tweets per day.

  • Share/Bookmark

Tags: , , , , , , ,
Posted in Uncategorized | 3 Comments »

The Wireless Router Insecurity You Might be Overlooking

Tuesday, June 15th, 2010

By Barracuda Labs

Many savvy computer users have experience setting up a wireless access point in their home or office. It’s not that hard, really. Change the SSID, change the password, and perhaps change the channel. Set the IP and you’re good to go.

But if that’s all you’ve done, you could be leaving open an attack vector that malware authors have been targeting for years. They’re still targeting it today.

Many routers, including those that are part of wireless access points, implement the Universal Plug and Play (UPnP) interface. This interface allows programs running on computers connected to the router to control the router.  No authentication is necessary. The bad news is that this makes it easy for malware to change router settings.

While scanning for malware, we found this bogus forum post pretending to be a video recipe for Yankee Pot Roast. However, when looking a bit closer, it revealed itself as TROJ_TDSS.AKA, a downloader that initially downloads a fake antivirus but, as demonstrated, also tries to open a port in the gateway, leaving your computer and personal information exposed.

Malware automatically opening a port in the gateway is significant because most router users, particularly most home wireless access point users, assume a few simple security steps are all they need – enable WEP or WPA, set a strong password and you’re good (enough) to go. The UPnP vulnerability doesn’t have very high non-geek visibility, even though it’s still being exploited – and by Conficker no less.  And despite it having been around for quite a while now (referenced in this ZDNet article at http://www.zdnet.com/blog/soho-networking/wi-fi-routers-vulnerable-to-upnp-attack-from-hackers/120), it’s still alive and incredibly widespread. In fact, Google gives approximately 1,870,000 results for sites linking to the primary attack site, hxxp://vixensandschoolgirls.com.

Users should check to see if their routers allow for more secured startups. For example, it is recommended to disable UPnP and to use forced static IP so that the system will not be subject to unannounced attacks leaving the DHCP server open to assign an IP to any system that breaches your WiFi security.

Further, this once again reiterates the importance of knowing the source of information online, and to not click on links from unknown sources.

Screenshots of the attack follow for reference.

1)  Clicking on this ‘video’ brings up another window displaying a video prompt.

2) At this point, the astute user might wonder why the Yankee Pot Roast recipe is being offered up by hxxp://vixensandschoolgirls.com, but then the standard Windows warning message appears.

3) Running the offered program doesn’t seem to do anything at first. After a long delay, a fake anti-malware program named Defense Center is downloaded and executed.

4) Meanwhile, behind the scenes, multiple attempts are made against the router, followed by this UPnP payload. The payload changes the firewall settings of the router to open a port for additional malicious traffic. Conficker uses this same internal UPnP attack against routers to open up ports for its peer-to-peer control mechanism. UPnP is sometimes used for file or printer sharing, but in most cases it can be disabled with no ill effects.

5) The setting used on the Linksys router used in testing.

  • Share/Bookmark

Tags: , , , ,
Posted in ID Theft, Internet Security Tips, Security, Uncategorized | No Comments »