Tonight on 60 Minutes: Conficker and cyber-crime

In this video, Lesley Stahl previews her report on computer viruses and cyber crime which airs tonight.


Watch CBS Videos Online

XPAntiVirus2009 Morphs Into FileFix Professional 2009

I've had a couple of incidents involving Vundo over the past six months. Vundo once posed as antivirus software. A new version of Vundo has a new trick up its sleeve. It now extracts money from the infected user by encrypting the user files and asking $40.00 for the tools to decrypt their data.



There is some good new. There's a free service called the FileFix File Decrypter will decrypt the data for free. Score: Bad Guys 1/Good Guys 1.

Video: Basic Nessus

Another great video by John Strand. I use Nessus on my home network to find and fix vulnerabilities.



Basic Nessus from John Strand on Vimeo.

Efforts to combat Conficker worm an arms race

Combating malware continues to be an arms race. The bad guys are always one step ahead. The majority of malware writers are often well educated, well funded and supported by large criminal organizations like the Russian Business Network . The days of teenagers writting malware in their parent's basement are far gone.

Yesterday came word that Conflicker has evolved again, and continues to find ways to confound and frustrate security researchers. A new analysis of Conficker by SRI International reports: "In addition to the dual layers of packing and encryption used to protect A and B from reverse engineering, this latest variant also cloaks its newest code segments, along with its latest functionality, under a significant layer of code obfuscation to further hinder binary analysis."


Related Story: Conficker/Downadup Evolves

Basic Wireshark Video

Here's another good video from John Strand



Basic Wireshark. from John Strand on Vimeo.

New Fake AntiVirus warning screen

With looking at this screen closely you might not recognize this is a web page rendered in Firefox. Once gain the bad guys have upped the ante in the high stakes poker game of malware. This particular trick attempts to make the end user believe they are looking at a Windows Explorer screen with warning messages of a large number of trojans and virus infections. It next presents a popup box to entice the user to download the fake antivirus, probably our old friend Antivirus2009.



Click on the picture of a better view.

This is another example of how malware writers continue to excelerate the arms race in the battle of keeping users from clicking on things.

If you see a screen like this kill it from the process viewer. There has been reports clicking anywhere on this screen will cause infection. In this case the user was looking for NCAA brackets using a Google search. Thankfully he called to report the incident before taking any other action.

Related Story: NCAA March Madness Malicious Blog Links

Another video on wireless security

How easy it really is to crack WEP 128bit encryption?



DojoSec Monthly Briefings - February 2009 - Jesse Varsalone from Marcus Carey on Vimeo.

Basic Nmap Video

Here's a basic video on how to install and run nmap from SANS instructor and PaulDotCom Security Weekly co-host John Strand.


Basic Nmap part 2 from John Strand on Vimeo.

British Law Firms Increase Employee Surveillance

Some British law firms have increased employee surveillance in light of economic presures. Many IT managers fear data loss as they fear some employees might be temped to steal data to sell to competitors, Legal Technology Journal reports.

IT heads at the top 20 firms admit that they are particularly wary of confidential material being downloaded into a transportable form now that the credit crunch has begun to bite and is costing jobs both internally and among their top financial institution clients.

At magic circle giant Allen & Overy (A&O), which last month announced jobs cuts affecting 9% of its workforce, IT director Jason Haines said: “Most law firm employees are bound by a professional conduct code but we would be careless if we weren’t being a bit more vigilant.”

The pressure is arising not only out of concerns that disgruntled employees may download firm precedents and other closely guarded intellectual property, but out of the need to meet a higher security bar imposed by many clients in relation to confidential material.

Addleshaw Goddard’s head of IT Graham van Terhayden said: “Clients want to do extra audits and are asking more questions about our capability and redoubling their questions.

“The more clients ask the question, the more we will focus on it.”

While many of the top firms have long banned access to social networking sites such as Facebook, the majority allow lawyers to use mobile media such as USB keys.

But where some firms are still monitoring activity on an ad hoc basis, others have rolled out constant surveillance of all employees.

Malware is big money

My users often ask why people write malware. The simple answer is money. There are huge illegal businesses behind this type of cyber-crime and criminal organizations are making a huge profit from identity and data theft. Many of these organizations are based in Russia and China. The days of teenagers writing viruses in their parent's basement to impress their online buddies are over. Malware is big money now.

Conficker/Downadup Evolves

Researchers at at Symantec reported last week that they have found a completely new variant of Conficker, AKA Downadup, last week. The new variant has the ability to disable antimalware tools, switch domains more frequently.

Dark Reading further reports:

The new variant, which Symantec calls W32.Downadup.C, appears to have defensive capabilities that weren't present in earlier versions. While it spreads in the same manner, "Conficker.C" can disable some of the tools used to detect and eradicate it, including antivirus and other antimalware detection tools.

W32.Downadup C also can switch domains at a much greater rate, Symantec said. "The Downadup authors have now moved from a 250-a-day domain-generation algorithm to a new 50,000-a-day domain generation algorithm," the researchers reported. "The new domain generation algorithm also uses one of a possible 116 domain suffixes."

A report from CA about Conficker.C confirms Symantec's findings, although the CA researchers said the jump from 500 to 50,000 domains will not occur until April 1.

The ability to quickly switch domains will make it difficult for Internet security organizations, such as ICANN and OpenDNS, to block the domains used by the worm, industry experts note.

The new variant emerges just as some vendors have come out with tools they say will eradicate the worm. today issued a new, free toolz that it says will remove Conficker.A and Conficker.B from infected machines. A spokesman says the company has begun work on the new variant. And BitDefender also is offering a free tool it says will remove all variants of the worm.

Perhaps the most disconcerting aspect of the worm is that although it has reportedly infected hundreds of thousands of machines, it does not, as yet, seem to have a purpose. Although it has been contacting domains and spreading itself through various means, security experts say it has yet to be given a task -- such as distributing spam or launching a DDoS attack -- and researchers are still uncertain as to what it might be used for.

And some experts say there may be other exploits that behave like Conficker/Downadup. "BitDefender Labs has been seeing an increase in worms, like Downadup, that have a built-in mathematical algorithm, generating strings based on the current date," says Vlad Valceanu, BitDefender's senior malware analyst. "The worms then produce a fixed number of domain names on a daily basis and check them for updates. This makes it easy for malware writers and cybercriminals to upgrade a worm or give it a new payload, as they only have to register one of the domains and then upload the files."

The AV vs virus writer arms race continues. The bad guys always seem to be one step ahead, but with a worm as big as Conficker/Downadup AV researchers are watching this situation closely.

ARP spoofing attacks on web sites

SANS reports attackers are using ARP spoofing to inject malicious JavaScript into content served off other web sites. Using ARP to inject packets is common in cracking wifi keys. In this attack ARP is used to send packets containing fake data to the target.

This is exactly what happened in both incidents I was involved in. A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned local subnet so the outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how this is fruitful for the attacker – with one compromised server they can effectively attack hundreds of web sites (if it’s a hoster indeed).

The ARP spoofing malware they used was relatively common, but still AV detection was miserable with major AV programs missing it (both compromised machines had up to date AV programs installed).

This is another example of how we cannot depend on antivirus programs to protect against all threats.

Scary video: Cracking your WPA/WPA2 catchphrase no clients.

This is only for whitebox testing. Cracking WEP or WPA key is illegal.

No patch coming on Tuesday for Excel zero-day

Microsoft has released the Security Bulletin Advance Notification for March 2009, but a patch for the recently discovered Excel zero-day is not included. The security4all blog has complete coverage.

All my Virut/Virux links in one place

All my Virut/Virux links can be found here.

WORM_KOOBFACE.AZ worm spreading via Facebook and other social networking sites

Beware of messages from friends on social networking sites saying “Take a look of this picture of you” or “Check out this video I found of you.” The links lead to a malicious website that looks like YouTube. You will then bee asked to install a viewer or a new version of flash which is actually the WORM_KOOBFACE.AZ worm. The worm will then use your contact list or friends list to send the same fake message to all your friends. The message will look legitimate to them because it will say it’s from you.

The TrendLabs Malware Blog has a very good description of what these fake messages look like and how this thing spreads.

Mass mailing worm delivers Trojan.Vundo payload

Symantec Security Response reports that W32.Ackantta.B@mm and Trojan.Vundo infections are on the rise. They also report that Symantec has released more aggressive heuristics that detect and block hundreds of Trojan.Vundo variants as a response to the threat.

They have a nice graph of how the attack vector works.