    Trend Micro Malware Blog

    Archive for May, 2009

    Shortly after a phishing attack that targeted the 200 million users of the immensely popular social networking site Facebook, another attack was launched by cybercriminals. This time, however, the attack targets not only Facebook users but also members of Tagged, Friendster, MySpace, and other networking sites.

    A new Koobface attack has been found that uses the very same fake YouTube site used in another recent Koobface attack, the one that scared users into breaking CAPTCHA codes for cybercriminals.

    Once executed, the Koobface worm searches the affected system for cookies related to social networking sites, then attempts to extract login credentials from them. Once done, it sends an HTTP POST request to a remote server. The server then answers the request with data that triggers the creation of a message containing a link to a copy of the worm. That message is then sent to the contacts of the affected user.

    Samples of this Koobface worm are detected by Trend Micro as WORM_KOOBFACE.ET, WORM_KOOBFACE.EY, and WORM_KOOBFACE.EX, while the Facebook phishing page has been blocked since May 15, 2008.

    Here are previous reports related to Koobface:

    Check out the first, second, and third part of this report.

    The bad guys behind this botnet are sly and evil, you have to give them that!

    From their end, this is just pure business. They cater to Russian companies to advertise their services, be it a law firm or a dance academy, but they have a problem: how do they ensure that those spammed messages have been delivered? Well, the Pushdo gang have come up with a way of doing just that: by sniffing all emails being sent from every infected machine. That’s right, they added an inbuilt network sniffer to the growing list of components of the Pushdo threat.

    When the computer first becomes infected, one of the modules drops a device driver (“tcpsr.sys”) that intercepts all outgoing email traffic and logs the recipients of each message. Every now and then it sends this information to a server that collects all this data, allowing the gang to know exactly how many mails for each campaign have been sent.

    A welcome side effect for them is that Pushdo grows their database every time the user sends a legitimate email from the infected PC, since the recipient address is sent along with the rest of the sniffed data. The sniffer driver is deleted from the disk immediately after becoming active.
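One way a defender might hunt for this drop-then-delete pattern in endpoint telemetry, as an added example that is not Trend Micro's code: it correlates kernel-driver service installs with deletions of the same image file inside a short window. The log format, the directory paths and every record are constructed for illustration; only the driver name tcpsr.sys comes from the post.

```python
"""Added detection example (not Trend Micro's code): flag kernel-mode drivers
whose image file is deleted shortly after the driver service is installed,
the drop-then-delete behaviour described for Pushdo's sniffer driver."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class Event:
    ts: datetime
    kind: str                    # "service_installed" or "file_deleted"
    path: str                    # image path, normalised to lower case
    service_type: Optional[str]  # e.g. "kernel mode driver"; None for deletes

def parse_line(line: str) -> Event:
    """Constructed format: '<ISO timestamp>|<kind>|<path>[|<service type>]'."""
    parts = line.strip().split("|")
    stype = parts[3] if len(parts) > 3 else None
    return Event(datetime.fromisoformat(parts[0]), parts[1], parts[2].lower(), stype)

def find_transient_drivers(lines: List[str],
                           window: timedelta = timedelta(minutes=5)
                           ) -> List[Tuple[str, float]]:
    """Return (driver path, seconds until deletion) for every kernel driver
    whose image file vanished within `window` of its service being installed."""
    events = [parse_line(l) for l in lines if l.strip()]
    installs = [e for e in events
                if e.kind == "service_installed" and e.service_type == "kernel mode driver"]
    deletes = [e for e in events if e.kind == "file_deleted"]
    hits = []
    for inst in installs:
        for d in deletes:
            # same image path, deleted after the install but inside the window
            if d.path == inst.path and inst.ts <= d.ts <= inst.ts + window:
                hits.append((inst.path, (d.ts - inst.ts).total_seconds()))
                break
    return hits

# Constructed sample: a benign driver, the transient sniffer driver (Pushdo
# pattern), an unrelated file deletion and a driver removed much later.
SAMPLE_LOG = [
    r"2009-05-20T10:15:00|service_installed|C:\Windows\System32\drivers\usbhub.sys|kernel mode driver",
    r"2009-05-20T10:15:02|service_installed|C:\Windows\System32\drivers\tcpsr.sys|kernel mode driver",
    r"2009-05-20T10:15:05|file_deleted|C:\Windows\System32\drivers\tcpsr.sys",
    r"2009-05-20T10:16:00|file_deleted|C:\Users\alice\report.tmp",
    r"2009-05-20T10:20:00|service_installed|C:\Windows\System32\drivers\oldnic.sys|kernel mode driver",
    r"2009-05-20T11:30:00|file_deleted|C:\Windows\System32\drivers\oldnic.sys",
]
```

Running find_transient_drivers(SAMPLE_LOG) flags only tcpsr.sys, deleted three seconds after its service was installed; the driver removed an hour later falls outside the window.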

    This is yet another feature used by the Pushdo gang which shows exactly how business-oriented they are. These guys are in it to get money, and this shows in the attention to detail they put into their evil creations. I can already picture a nice web interface on their end to see the status of every bot around the world at each moment. After all, what self-respecting evil overlord does not have a giant plasma screen showing a map of the world? It’s practically on page 1 of their handbook.

    Don’t miss our final installment of the series: “Pushdo/Cutwail: Traditional AV is useless”.

    Previous Pushdo/Cutwail posts from this series can be read at the following links:
    Pushdo/Cutwail – The Art of Spamming (Part 1 of 5)
    Pushdo/Cutwail – From Russia with Love (Part 2 of 5)
    Pushdo/Cutwail – Can’t Touch This (Part 3 of 5)




    Read the first and second part of this report.

    We’ve all been there. Your scheduled scan displays a popup with text similar to

    “A malicious file c:\definatelyNotAVirus_Honest.exe has been detected on your computer”

    On finding a malicious file, some network administrators will even proactively submit suspicious files to multi-scanner online services such as VirusTotal, which scan the file with 40 or so different vendors’ engines and report the file’s detection results.

    Notice the word that has been used four times above – file. One of the core modules of antivirus technology is based on scanning executable files – which is why Pushdo goes out of its way to avoid them whenever possible.

    We’ve mentioned previously that Pushdo contains a lot of different sub-components, and that must mean lots of exes, dlls and sys files littering up the system, right? Wrong. In fact Pushdo only needs to write two files to disk and does everything possible to avoid touching the disk in any other way. To better understand, let’s step you through a standard Pushdo attack (keep an eye out for the number of times it actually accesses the hard disk).

    1. A user gets lured to a malicious site, triggering a series of exploits that inject the Pushdo installer directly into memory.
    2. Pushdo copies itself as a single file to the System directory.
    3. Right after this, and on every boot, it downloads other malware components, but keeps them in memory, never writing them to disk.
    4. One of these malicious components downloads a kernel mode rootkit, which is installed as a device driver in the system.

    For our less eagle-eyed readers, steps 2 and 4 are the only times that a malicious file is written to disk; in other words, the real-time scanner “can’t touch” any of the other components.

    With each Windows process having 2GB of virtual memory space, actually scanning memory is incredibly time-consuming for an antivirus scanner, so much so that many do not even try.

    So how can you protect against a threat like Pushdo? The answer is in a multi-layered defence approach such as that provided by Trend Micro’s Smart Protection Network – but more of that in our final article. Come back later this week for our penultimate piece – “Pushdo/Cutwail – Sniffing for the win”.

    Previous Pushdo/Cutwail posts from this series can be read at the following links:
    Pushdo/Cutwail – The Art of Spamming (Part 1 of 5)
    Pushdo/Cutwail – From Russia with Love (Part 2 of 5)




    The increasing number of website defacements by hackers in the Mediterranean region highlights persistent Web server security issues. A few weeks ago, Turkish hackers defaced several New Zealand websites, among them some high-profile and high-traffic sites, by modifying the pages to display messages like “Stop the war Israel (sic),” or a picture of Bill Gates as in Figure 1.

    The malware underground in the Mediterranean region has always kept a low profile, save for a few newsworthy incidents like the defacing of around 700 Israeli websites by Moroccan hackers in 2006, the Israeli hackers’ retaliatory vandalizing of around 400 Moroccan websites, and most recently the trashing of several New Zealand sites by Turkish hackers. Though the attacks may strike one as well-organized, researchers find it difficult to pin down whether the people behind them are working under one umbrella group; likewise, there has been no strong evidence linking them to cybercriminals in the Russian, Ukrainian, and Eastern European regions (of Russian Business Network infamy).

    The motives behind these attacks now seem a little more transparent. Aside from the questionable patriotism suggested by these hackers’ occasional calls for war, they may simply enjoy the notoriety of their very own 15 minutes of fame. Ten years ago, virus authors coded mainly for fun rather than profit. This contrasts starkly with the current-day cybercriminal industry, where virus writers are capable of earning several million dollars per year.

    The spread of broadband Internet facilities in Morocco, Algeria and Tunisia allows more people to use the Internet on a daily basis. Script kiddies may be hacking websites as a means of reaching out to the growing number of Internet users in these countries. This juvenile behavior is actually very similar to how cybercriminals started out and took root in the United States and Europe some years back.

    ADSL connection prices

    Country   Speed     Price
    Morocco   2 MB      26 euros (34 dollars)
    Morocco   4 Mega    50 euros (66 dollars)
    Algeria   512 Kb    15 euros (20 dollars)
    Algeria   1 Mega    19 euros (25 dollars)
    Tunisia   2 Mega    16 euros (21 dollars)

    ADSL continues to get cheaper. In Europe, the cost for these services has decreased while connection speeds have gone up (at present, it’s at 30 euros for a 20MB connection, with TV and free local phone calls).

    Hackers from the Mediterranean region have defaced company websites using exploits, SQL injection, and/or poisoning of the DNS that resolves the sites’ domain names. As long as this trend persists, website administrators, especially those with websites actually hosted in the Mediterranean region, should reassess their security situations and employ the necessary policies and best practices, both at their own end and, to the extent that they can impose such conditions, at their Web hosting providers.

    Related reading:

    Image from the Countermeasures blog.




    Microsoft finally released on Tuesday the patch for the PowerPoint vulnerability that was exploited by cybercriminals early last month. The update patches 14 Microsoft PowerPoint vulnerabilities, 11 of which were rated as critical, Microsoft’s highest threat ranking. It provides fixes for some versions of Microsoft Office, including 2000, XP, 2003 and 2007.

    However, this batch of patches does not address Office 2004 and 2008 on Macs, which suffer from the same vulnerabilities. According to the Microsoft Security Bulletin MS09-017, the updates for Mac are “still in development.”

    This update resolves a publicly disclosed vulnerability and several privately reported vulnerabilities in Microsoft Office PowerPoint that could allow remote code execution if a user opens a specially crafted PowerPoint file. This vulnerability was exploited to full effect when cybercriminals fashioned PowerPoint files and sent them to unknowing users. These files, when opened, drop a couple of malware files (KUPS variants) that perform several suspicious activities, including sending a list of the PC’s contents to a certain IP address.

    Users are strongly advised to update their systems with this latest patch immediately. Moreover, until Microsoft issues a security fix for Mac versions of Office, Mac users are encouraged to exercise caution in opening PowerPoint files that come from doubtful sources, especially spam messages and online downloads. Trend Micro Smart Surfing for Mac blocks IM and email links that lead to malware attempting to exploit these vulnerabilities.

    Related posts:

    OfficeScan users with Intrusion Defense Firewall plugin installed are protected from this threat if they have updated to the latest filters (IDF09014).


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice