AV vendors say most badware sites are compromised

Posted by Maxim Weinstein Fri, 02 Jul 2010 13:03:19 GMT

A recent report from Symantec reinforces the idea that most web-based malware is distributed via compromised, legitimate sites:

In 2010 so far, using the same approach, the proportion of malicious domains that are legitimate [i.e., set up for reasons other than distributing malware] has increased dramatically compared to last year – it’s now about 90%.

On a related note, Avast reports that, despite popular belief, adult sites are not carrying the load of malicious content:

...the statistics are clear - for every infected adult domain we identify there are 99 others with perfectly legitimate content that are also infected.

Everyday Internet users who are hearing this for the first time should take this as a wake-up call. Protect your computer. Protect your website. And recognize that, while making smart decisions about your Internet use is always a critical part of security, deciding which type of website you visit isn't as important as it once was.

Hat tip: H-Online via UnmaskParasites (Twitter)


Australian ISPs on the right track

Posted by Maxim Weinstein Thu, 17 Jun 2010 14:17:44 GMT

In early June, the Australian Internet Industry Association, an ISP industry trade group, published icode [PDF], a voluntary code of conduct for ISPs to follow to better fight bots on their networks. Like the previously-mentioned IETF draft, this document lays out a rationale for, and recommendations on how to implement, an ISP-level response to bots. Unlike the IETF draft, icode is a reflection of a coordinated effort by a large number of ISPs to buy in to a common framework for how to respond.

The icode framework has four parts:

  1. Education. ISPs that adopt icode are expected to educate their customers about keeping their computers from becoming compromised.
  2. Detection. ISPs can implement their own detection methods and/or get data from trusted third parties. Even better, they can get data from the Australian Internet Security Initiative, a government-led effort to centralize bot reporting by collecting bot reports from trusted providers and then distributing ISP-specific data daily to participating ISPs. (Wouldn’t it be great if we had something like this for infected URLs and hosting companies?)
  3. Action. ISPs are encouraged to act on the information about bots, through whatever combination of customer notification, password resets, bandwidth throttling, walled-garden quarantining, SMTP blocking, or other measures they consider appropriate.
  4. Reporting. ISPs are expected to report “significant cyber security incidents” to governments.

icode also recommends, though doesn’t require, that participating ISPs share threat data with each other, facilitated by the Australian CERT.

One could quibble over some of the details, but it’s clear that the Australian ISPs that created and will be adopting icode are light years ahead of most ISPs (and web hosting providers) globally in tackling the spread of malware.


China's Green Dam is badware and so much more

Posted by Maxim Weinstein Sat, 13 Jun 2009 11:55:04 GMT

StopBadware assisted the Open Net Initiative in evaluating China’s Green Dam filtering software, which the Chinese government recently mandated be installed on every new PC in the country.

The software violates our guidelines due to a lack of disclosure about some significant unexpected behavior. While the software advertises itself as protecting children from harmful content such as pornography and violence, it also filters political speech without notice. Also not mentioned is the fact that, if such political speech appears in an application window, whether Internet Explorer or Notepad, the window completely shuts down without advance notice and without saving the user’s work.

Based on our and ONI’s research, and also other research posted online, the software has additional flaws, as well, ranging from poorly implemented features to security vulnerabilities. The biggest flaw of all, though, appears to be China’s policy of mandating such a product. As ONI’s report, released yesterday, concludes:

The mandate requiring the installation of a specific product serves no useful purpose apart from extending the reach of government authorities. Given the resulting poor quality of the product, the large negative security and stability effects on the Chinese computing infrastructure and the intense backlash against the product mandate, the mandate may result in less government control.

Those interested should read the full report, which explains both the software’s behavior and the national reaction to the software, in detail.


IBM and Websense Release Reports on Internet Safety Status

Posted by Laureli Mallek Tue, 29 Jul 2008 20:12:55 GMT

Websense and IBM released security reports this week covering topics from spam to research on the impact of publicizing software vulnerabilities.

In his Security Fix blog post, Brian Krebs continues his coverage of badware distribution, prompted by the release of the report from Websense, which includes data from the 40 million websites it scans hourly to collect computer security data. According to the Websense report, three quarters of all web sites containing badware (malicious downloads) are legitimate sites that have been hacked, and 60 of the Top 100 most visited websites have at one point during the last year “either hosted malware or forwarded visitors to malicious sites.”

Krebs writes that spam is still a major conduit to disseminate links to dangerously hacked websites:

According to Websense, nearly 30 percent of those links lead to sites that try to plant software which steals passwords and other sensitive data from victims. The remainder of the spam links attempt to install software that lets attackers control the systems from afar, and/or install additional software without the owner’s knowledge.

Badware authors target legitimate sites, using the relationship of trust already established between that website and computer users to find holes in security systems. Users who are familiar with programs such as NoScript, which blocks JavaScript, Java, and Flash from executing without the express permission of the user, will know that it is possible to allow scripts only for specific trusted websites.

Network World’s Ellen Messmer discusses results from both of the reports. The IBM report tracked statistics relating to 3,534 disclosed software bugs. Messmer writes that “[a]ccording to IBM, 95% of all browser-related online exploits occurred within 24 hours of official vulnerability disclosure.”

On a more positive note, the IBM report finds that the incidence of image spam has been reduced, which has forced spammers for now to return to earlier methods. Yet spam and badware are driven by innovative badware writers, who work hard to stay ahead of security researchers. These reports highlight how important it is for computer users to be aware and use aggressive caution. Krebs recommends two excellent pointers to maintaining the sanctity of your computer:

  1. Disable automatic downloads.
  2. Browse the internet using a user account that does not allow downloading or changing passwords or computer keys. This tip is applicable in any operating system, and protects users from absent-minded clicks that may lead to future infestation.


Trojan Horses Nip at Apple Vulnerabilities

Posted by Laureli Mallek Mon, 23 Jun 2008 20:05:15 GMT

Software company Intego found this Mac Trojan masquerading as a poker game. The Trojan actually transmits the user’s name, password, and IP address to an external server; it obtains the password through clever social engineering:

“A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. After gaining ssh access to a Mac, malicious users can attempt to take control of it, delete files, damage the operating system, or much more.

Computer World wrote on Friday that SecureMac reported finding another Trojan circulating in the wild. “Its researchers had found a Trojan horse, dubbed ‘AppleScript.THT,’ being distributed from a hacker-operated site where discussions of spreading the malware via iChat, Apple’s instant messaging and video chat software, were also taking place.” Updating that warning today, SecureMac shared that the source code for the Trojan has been distributed, which increases the likelihood of derivative Trojans appearing soon. They write:

“The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items… Once installed, the Trojan horse turns on File Sharing, Web Sharing, and Remote Login. If the filename of the Trojan horse has not been changed, it can be located in the /Library/Caches folder under the name AStht_06.app.”

Sandi, blogging at Spyware Sucks, opines that Trojans like this demonstrate that social engineering transcends computer platforms. She emphasizes that sharing information about badware can help to build and reinforce a level of user awareness and suspicion about entering personal information while downloading software (and ideally when deciding to download software in the first place). Sandi also comments on complaints that these Trojans were discovered by companies developing Apple security products.

While there may be a financial benefit to those companies, the goal of the security community is to maintain computers as free of badware as possible, and sharing information about risks with professionals and users-at-large focuses attention on problems so that they can be solved or avoided as efficiently as possible.


Scammers Aiming Straight for the Money

Posted by Laureli Mallek Wed, 04 Jun 2008 15:50:48 GMT

Targeted spear phishing campaigns are using money to lure victims. Brian Krebs blogged this week about a two-part spear-phishing attack targeting small and medium sized businesses. The attack focuses on circumventing the two-part authentication used in banking security.

The scam begins with an email containing specific information about the user, their business, and the bank. This email requests that users click to view or download an attached object, which installs a keylogger, according to iDefense, and a browser helper object enabling attackers to modify webpages in real time. When a user with an infected computer attempts to log into their bank account, Krebs writes that a “message is inserted into the body of the bank’s actual Web page.” The interstitial message appears to originate from the bank since it is displayed within the body of the bank’s website, and requests that the user wait 15-30 minutes before logging on. The attackers use this time, after they have intercepted the user’s authentication information, to empty the associated bank accounts.

Quoting Matt Richard, of iDefense, “If a bad guy has malicious code on a customer’s machine, no matter what you do, he’s going to have some way to get in to the customer’s account. The best you’ll be able to do is try to stop the money transfers.”

As something of a coup de grace, Krebs writes “Before the Trojan download, the attacker attempts to get the user to install their bogus root CA certificate with the ‘VeriSign Trust Network’ name.” Combining malware with a new root certificate makes it easier for the attacker to re-infect a computer in the future. Sunbelt has also spotted fake banking certificates in their blog.

In a similar attack noted by McAfee’s Avert Labs last month, a number of spear phishing emails have been playing on a ubiquitous fear: the Tax Court. So many of these emails spoofing petition requests have been received that the US Tax Court website provides a clear warning that “[t]he Tax Court is not disseminating any e-mail notice to anyone who currently has a case before this Court.”

Kevin McGhee writes, “The scammers do their homework when it comes to spear phishing. Instead of pumping out millions of emails to anybody and everybody, spear phishers send out their scams only to people they know will be susceptible to the scam. In this case a top executive–rather than the average employee–is much more likely to be involved in a court case of this nature.”


Drive-By-Download Follows on Heels of Fake Media Download

Posted by Laureli Mallek Tue, 13 May 2008 20:20:38 GMT

Over the last several weeks, users downloaded more than they were bargaining for from several P2P networks. TechNewsWorld reported on McAfee’s Avert Labs that more than 500,000 computers have been infected. Users download a faux-mp3 file from a legitimate music group, which initiates a request that users download a codec offering free mp3s. By clicking on the EULA and authorizing the download, users are actually downloading a host of executables.

Craig Schmugar, a researcher for McAfee Avert Labs, wrote on that blog, “In the end you’re left with a fake MP3 file taking up space, a worthless MP3 player, adware that claims not only to not display popups, but also to block them, and more adware that successfully displays popup and popunder ads.” During further investigation, Schmugar found that hundreds of infected files were circulating on the internet. Many of those sites pointed to freemp3player.com or “different sites distributing adware and others still pose as codec installers that when run, display fake error messages and download and silently install tons of files.” The fake mp3 files were actually ASF files instructing media players to navigate to specific URLs rife with downloads to further corrupt users’ computers.
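Because a media player honours the container format rather than the file extension, the decoy “MP3” files described above could only be recognised by looking at their leading bytes. The following is an added example (not code from the original post, McAfee or Trend Micro) that sniffs ASF and MPEG audio signatures and flags a file whose extension contradicts its content; the sample byte strings are constructed, not real malware.

```python
"""Magic-byte check for audio files that claim to be MP3 but are really ASF.

Added example for the fake-MP3 lure: the extension says .mp3, the bytes say
ASF (the container that can carry player redirection commands).
"""
import os

# ASF header object GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C, stored
# little-endian in the first 16 bytes of every ASF/WMA/WMV file.
ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")

# What each extension promises; unlisted extensions are never flagged.
EXPECTED = {".mp3": "mp3", ".wma": "asf", ".wmv": "asf", ".asf": "asf"}


def sniff_media(data: bytes) -> str:
    """Return 'asf', 'mp3' or 'unknown' from the leading bytes only."""
    if data[:16] == ASF_HEADER_GUID:
        return "asf"
    if data[:3] == b"ID3":              # ID3v2 tag precedes the audio frames
        return "mp3"
    # MPEG audio frame sync: 11 set bits, i.e. 0xFF then a byte >= 0xE0
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises one format and the bytes show another.

    Only a positive contradiction is flagged: an unknown extension or
    unrecognised content is left alone, so the check stays low-noise.
    """
    ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED.get(ext)
    actual = sniff_media(data)
    return expected is not None and actual != "unknown" and actual != expected


# Constructed samples (hypothetical, not real files): an ASF decoy renamed
# to .mp3, an MP3 starting with an ID3v2 tag, and a raw MPEG frame start.
DECOY_MP3 = ASF_HEADER_GUID + bytes(32)
REAL_MP3_ID3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + bytes(16)
REAL_MP3_RAW = bytes([0xFF, 0xFB, 0x90, 0x64]) + bytes(16)

if __name__ == "__main__":
    for name, blob in [("hit_single.mp3", DECOY_MP3),
                       ("real.mp3", REAL_MP3_ID3),
                       ("raw.mp3", REAL_MP3_RAW)]:
        verdict = "MISMATCH" if extension_mismatch(name, blob) else "ok"
        print(f"{name}: looks like {sniff_media(blob)} -> {verdict}")
```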

More recently, Trend Micro researcher Ivan Macalintal found a malicious script inserted into “various Web sites believed to be either using poorly implemented phpBB, or are using older, exploitable versions of the said program.” The drive-by download directed users to a compromised site which downloaded TROJ_ZLOB.CCW onto unprotected computers. Trend Micro notes that Zlobs in general, and this one in particular, change DNS and browser settings, which further open the computer to future infections.

Both of these incidents reinforce the need to keep your security software updated. Downloading files from unknown sources carries with it inherent risk. Badware production has developed into an expanding economy that relies on a sense of inherent security associated with internet use.

Click safely!


Two Interesting Security Challenges

Posted by Laureli Mallek Thu, 24 Apr 2008 19:17:32 GMT

Two noteworthy exploits have surfaced recently. This blog post covers, first, a server-based attack tool and, second, the discovery of a now-patched vulnerability in Flash.

First:

Tornado, a web-based exploit tool, can exploit more than a dozen browser vulnerabilities. ITNews Australia explains that the tool “is commonly installed on a server by a single ‘administrator,’ who then offers accounts on the server to other attackers.” This structure keeps the proprietary code under the administrator’s control and protects it from being released “underground.”

The seller is also able to discriminate between clients, which Liam O’Murchu, a Symantec researcher, cites as a reason that the exploit has remained undiscovered for so long. Shaun Nichols of ITNews writes that Tornado “offers attackers a full set of traffic statistics and options for selecting which exploits can be conducted.”

Second:

Robert Jaques reports for ITNews that a new Flash vulnerability has been discovered by Tier-3. This issue arises from the use of “NULL pointers,” pointer variables that are meant to hold a location in a computer’s memory but currently hold none, so that using them accesses an address the program never intended. Geoff Sweeney, an executive at Tier-3, is quoted as saying,

“Buffer overflows are still an issue, but they are a problem that has been tackled by the industry for many years. NULL pointer de-referencing has not received anywhere near the same level of attention, which means that users need to be more vigilant than ever.”

A recent paper by Mark Dowd, a researcher at IBM Internet Security Systems, provides a detailed example of this type of exploit. The Matasano Chargen blog explains Dowd’s achievement while claiming that Dowd was “sent back through time to kill the mother of the person who will grow up to challenge SkyNet.” And his accomplishment does inspire some awe. In brief:

“Dowd’s exploit uses a NULL pointer write32 to knock the locks off the bytecode interpreter in Flash, so that his SWF file can run bytecode that will rewrite the system stack.”

So the NULL pointer presents an entry point for Dowd to run his exploit, and this entry exists on Internet Explorer and Firefox, which have compatible internal addressing, and Vista.

According to DailyTechNotes, Adobe has already released a patch for the vulnerability, and you should download it now. They explain the risk,

“Vulnerabilities in various online software is nothing new. But what makes vulnerability in flash so much damaging is that flash is installed on almost all browsers and it is independent of the operating system you are running.”


18-year-old New Zealander was Infamous Bot Herder

Posted by Laureli Mallek Mon, 07 Apr 2008 22:19:42 GMT

Owen Thor Walker, an 18-year-old whose online alias was Akill, assumed responsibility for invading a network of 1.3 million computers, causing havoc at the University of Pennsylvania in 2007, and skimming an as-yet-unknown amount of money from banks in the Netherlands.

The incident at UPenn occurred when Walker and Ryan Goldstein were attempting to update their botnet. While the denial of service attack affecting UPenn was accidental, it did lead to the arrest of Goldstein, who in turn directed police to Walker. The New Zealand Herald writes “While the New Zealand police were waiting for the FBI to finish its investigations” the NZ police began investigating several large deposits into Walker’s bank account. These were traced to ECS International, a company reported to be connected with similar situations. Walker claims to have sold his code to other people, and no one seems to know what happened to the skimmed money.

According to Technology Review, eight people have been indicted, pleaded guilty, or been convicted, and an additional 13 warrants have been issued in the United States and abroad in association with this case. Walker’s supposed role as “kingpin” has not led to additional charges. ITNews Australia writes that Judge Arthur Tompkins “would not be considering a custodial sentence” due to Walker’s youth when writing the code — he claims to have been 15 at the time.

Botnets are devious. The New Zealand police are quoted by NZ Herald as saying Walker’s code is “considered by international cyber crime investigators to be among the most advanced bot programming encountered,” as it spread automatically, disabled anti-spyware software, deleted rival bots, and functioned mostly without detection. The Anti-Spyware Coalition provides an excellent definition of botnets:

A type of Remote Control Software, specifically a collection of software robots, or “bots,” which run autonomously. A botnet’s originator can control the group remotely. The botnet is usually a collection of zombie machines running programs (worms, Trojans, etc.) under a common command and control infrastructure on public or private networks. Botnets have been used for sending spam remotely, installing more spyware without consent, and other illicit purposes.

Botnets have been used for a variety of nefarious purposes from those listed above to last year’s attack against Estonia.


2008 Quarterly Reports Show Rise in Prevalence of Badware

Posted by Laureli Mallek Thu, 03 Apr 2008 16:36:13 GMT

A number of security companies have come out with their first quarter 2008 assessment of the badware on the internet.

F-Secure begins with a somewhat disturbing statement in their report: “While there are more viruses being created than ever before, people often actually report seeing less of them. One reason behind this illusion is that malware authors are once again changing their tactics in how to infect our computers.” Viruses are being effectively camouflaged and acting through less obvious vectors.

F-Secure also notes, as we reported in our “Trends in Badware 2007” report last September, that malware makers have moved past emails and are targeting computers through drive-by-downloads, defined by the Antispyware Coalition as:

The automatic download of software to a user’s computer when she visits a Web site or views an html formatted email, without the user’s consent and often without any notice at all. Drive-by-downloads are typically performed by exploiting security holes or lowered security settings on a user’s computer.

F-Secure aptly summarizes the risk as “instead of getting infected over SMTP, you get infected over HTTP.” These attacks exploit a weakness in a browser, browser plug-in, or operating system. Many techniques are used to expose users to malware, from infiltrating trusted sites to disguising links to malware sites through social engineering.

F-Secure also spotlights the reappearance of MBR rootkit (MEBroot), a blast from the past, and a look into the future as mobile devices become targets for spam and worms distributed via SMS and Bluetooth.
All told, F-Secure predicts that if current rates continue, the total number of known Trojans and viruses will exceed one million by the end of 2008.

Help Net Security, reporting MessageLabs’ figures, writes that 9.2% of malware intercepted in 2008 was new. MessageLabs is also identifying approximately 595 new sites a day “harboring malware and other potentially unwanted programs such as spyware and adware.”

On the spam front, MessageLabs reports: “The prolific Storm botnet is responsible for 20 percent of all spam in the first quarter of 2008, with messages selling male enlargement drugs accounting for 41 percent of its efforts.” Which raises a question for me: who shops for personal enhancement from random email ads?

Panda Security has a list of the most active viruses in the first quarter. Here are the first three of ten:

  1. Adware/Comet
  2. Adware/NaviPromo
  3. W32/Bagle.HX.worm

Researchers from Panda Labs agree that the increasing prevalence of Trojans makes detection more difficult for security companies, concurring with Brian Krebs’ recent post. Krebs is correct to stress that “[a]nti-virus software is no substitute for common sense.”

Many of the developments in malicious technology are created specifically to obviate common sense. Perhaps caution when clicking emailed links and maintaining up to date software should be considered a first line of intentional self-preservation rather than common sense.
