IT Security Blog

27 April 2009

Another Day, Another Adobe PDF Vulnerability


The folks over at SecurityFocus have published yet another Adobe PDF Reader related vulnerability.  No exploits taking advantage of this flaw have been seen in the wild at this time, but unless Adobe patches it quickly they will likely follow in short order, given the prevalence of Acrobat Reader and the success of previous exploits.

This is in no way an endorsement of this product, but if you are looking for an alternative to Adobe's PDF reader, consider looking into FoxIt Reader by FoxIt Software.  As with any software, it has had its own vulnerabilities that have been patched, but since it isn't as widely used it has not been as heavily targeted as Adobe's products.  There are other alternatives available as well.  Consider looking into them if you frequently find yourself opening PDFs as part of your daily professional or personal responsibilities.
Posted by smasiello at 4:54 PM

Swine Flu + Swine Spammers = Trouble?


Over the coming days, please be on the lookout for any spam campaigns related to the recent outbreak of the Swine Flu.  The number of confirmed swine flu cases is rising in the United States (currently at 40 according to this recent article posted on bloomberg.com) and around the world, coupled with the looming threat that the World Health Organization (WHO) will raise its pandemic alert because of the illness.  Together these circumstances create exactly the kind of dangerous cocktail that we frequently see spammers and phishers jump all over.

Although we have yet to see any specific fraudulent campaigns related to the Swine Flu in our Threat Operations Center, our team is on high alert looking for anything that may crop up.  Due to the nature of today's blended threat landscape, it is possible that we could see phishing campaigns soliciting donations to help victims of Swine Flu, purporting to be from the WHO or other related organizations.  We could also see emails that attempt to lure users to spoofed news sites that offer videos, set up with the intention of distributing malware.

Headline-grabbing events like the Swine Flu outbreak are exactly the type of social engineering lure that spammers love to latch onto, because of the public's interest in learning more about the topic.  Be aware.  If you would like to learn more about the recent Swine Flu, or any other breaking news story, visit the site of your most trusted news organization directly.  Clicking on links within emails is an invitation for trouble.
Posted by smasiello at 3:22 PM
16 April 2009

Think Your Partner is Cheating? The Waledac Botnet Wants to Help


It seems lately that if we aren't talking about Conficker, we are talking about Waledac.  To make things even more interesting, there have been purported links between the Conficker and Waledac botnets: during the last week the infected machines associated with the former pulled a code update from the latter.

Today's topic is Waledac specific: a new spam campaign with an SMS Spy theme.  Ever wanted to spy on your girlfriend's SMS messages to see if she is cheating on you?  Curious as to whether or not your significant other is truly in love with you?  Waledac wants to "help" you find out.

Starting earlier this morning, our Threat Operations Center began detecting a new spam campaign from the Waledac botnet that contains a link to a web site where users can download a 30-day free trial of a piece of software (read: malware) that, when installed on your partner's mobile phone, will supposedly allow you to read all of the SMS messages they receive.

The email received looks like the following:




We have seen a number of subject lines associated with this campaign, including:

Are you ready to know the truth
Are you sure in your partner
Can your love life be re-ignited
Does your partner truly love you
Have more fun and pleasure in your intimate life
Keep a spy eye on your girlfriend
Make Sure your girlfriend
Now, It's possible to read other people's SMS
Now, you can read any SMS message
possible to read other people
Read his SMS
Read other people's SMS online
The world's most advanced sms reading program
We will teach you to be the master of making love art
What's your hall of shame
You can read anyone's SMS
Are you interested in reading other people's sms?
Do you trust her?
Do you trust your partner blindly?
Do you want to test your partner
Free program for reading sms
Is your partner cheating on you?
Is your partner faithful?
Is your wife or girlfriend cheating on you?
Read her messages
Read your girlfriend sms online
You can download new program for reading sms


Below is a screen shot of the site that the user is directed to when the email link is clicked:


It is important to note that simply visiting the web site does not infect the user with Waledac.  They must download and execute the file (currently named "sms.exe") after clicking the "Download Free Trial" link.

*** UPDATE 1 4/16/2009 11:20am MST ***  Funny enough there is an article posted on NetworkWorld today which discusses a potential vulnerability with Apple's iPhone which could result in the execution of shellcode on non-jailbroken versions of the device.  Such a vulnerability could result in an exploit that could allow an attacker to see someone's SMS messages according to the article.  Maybe the Waledac authors know more than we are giving them credit for :)

Below is an updated volume graph. 




As you can see from the above graph, volumes were in the 2-4k range per hour until about 2am MST this morning before peaking at about 12,000 during the 6am hour.  More updates as they become available.


*** UPDATE 2 4/17/2009 10:40am MST ***  After waning for a bit during the mid-morning hours yesterday, volumes started to pick up again at around noon MST.  Current averages are between 12-20k messages per hour and have held in that range for about the last 24 hours.
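As an added example (not part of the original post or MX Logic's tooling), here is a small Python detector for a mail gateway log that flags messages by the campaign subject lines listed above, normalized so that case and punctuation variations still match, and then counts matches per hour so a volume jump like the one described in the updates stands out.  The log format, addresses and timestamps are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Subject lines observed in the Waledac "SMS Spy" campaign (from the post above).
WALEDAC_SMS_SUBJECTS = [
    "Are you ready to know the truth",
    "Keep a spy eye on your girlfriend",
    "Now, It's possible to read other people's SMS",
    "Read other people's SMS online",
    "Is your wife or girlfriend cheating on you?",
    "Free program for reading sms",
    "You can read anyone's SMS",
]

def normalize(subject):
    """Lower-case, replace punctuation with spaces and collapse whitespace so
    trivial variations (capitalization, trailing '?', 'sms' vs 'SMS') still match."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", subject.lower()).split())

KNOWN = {normalize(s) for s in WALEDAC_SMS_SUBJECTS}

def is_campaign_subject(subject):
    return normalize(subject) in KNOWN

# Constructed sample log, one message per line: "<ISO timestamp> <sender> <subject>".
SAMPLE_LOG = """\
2009-04-16T01:15:02 a@example.net Quarterly report attached
2009-04-16T01:42:10 b@example.net READ OTHER PEOPLE'S SMS ONLINE!
2009-04-16T06:03:44 c@example.net Keep a spy eye on your girlfriend
2009-04-16T06:20:19 d@example.net Is your wife or girlfriend cheating on you
2009-04-16T06:51:07 e@example.net Lunch on Friday?
2009-04-16T06:58:33 f@example.net free program for reading SMS
"""

def hourly_campaign_counts(log_text):
    """Count campaign-matching messages per hour, keyed 'YYYY-MM-DD HH'."""
    counts = Counter()
    for line in log_text.splitlines():
        ts, _sender, subject = line.split(" ", 2)
        if is_campaign_subject(subject):
            counts[datetime.fromisoformat(ts).strftime("%Y-%m-%d %H")] += 1
    return counts

def spike_hours(counts, baseline, factor=3):
    """Hours whose campaign volume exceeds `factor` times the normal hourly
    baseline, mirroring the jump from 2-4k/hour to ~12k described above."""
    return sorted(h for h, n in counts.items() if n > factor * baseline)
```

On a real gateway the baseline would be the trailing average of prior hours rather than a constant, and unmatched lures would still need content or URL reputation checks, since the subject list is only what has been observed so far.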







Posted by smasiello at 9:38 AM
15 April 2009

Threat Warning: Be On the Lookout for Tax Related Scams


I thought it was appropriate to issue a "Threat Warning" (à la the National Weather Service) for tax related scams for today and the coming days and weeks, considering today's midnight tax deadline.  By "warning" I mean that conditions are ripe for something to occur, even though we have not seen anything specific yet.

Considering current economic conditions, and the likelihood that more people who owe money will be delinquent in payment this year, we might also see a new twist this year: tax filing extension "services" that, for a fee, will grant you an extension on paying your taxes without additional interest penalties if you do not file on time.

It is also likely that we will see scams like those of years past: tax refunds that can be received faster if applied to your credit card, or purported errors made by the IRS that result in you receiving additional refund money that can be applied to your credit card or deposited directly into your bank account.

Be on the lookout for these and other potential scams spoofing the IRS.  It is most important to remember that the IRS does not discuss tax refund related issues with consumers over email, so if you receive anything like what I have described above, or anything similar, in your inbox, delete those messages immediately.  Our Threat Operations Center is on high alert for any IRS related scams, and when any arise we will report them here.
Posted by smasiello at 2:58 PM

What Can We Learn from Twitter's Security Woes?


Just about anyone and everyone who is active on the internet is either using, has used, or at least has heard of Twitter, the micro-blogging service that grew in usage by 752% in 2008 and is poised to grow even more in 2009.

As we know, where there are users, there are hackers.  Any technology that has grown in popularity at the speed Twitter has is certain to become a target for information and money stealing cyber criminals.  As such, Twitter has been the target of several application exploits over the last few months, including a Samy-like exploit which would force users to follow you, multiple clickjacking exploits, and two worms dubbed Mikeyy and Stalkdaily just this past weekend.

Funny enough, one of the things that is frequently part of the fallout of numerous security exploits is a drop in brand trust and user confidence.  So far, that fallout does not appear to have taken place with Twitter.  At least based on the reported numbers, Twitter's growth does not seem to have been hampered at all despite the numerous security flaws that have been patched over the past 8 months.  Perhaps this is because there hasn't been a serious incident of data theft or widespread malware infection as a result of one of these exploits.  Rest assured, those are coming!

So, what can we learn as a result of Twitter's recent security woes?

I believe that one of the most important lessons to be learned from Twitter is the need to ensure security is built into your product from the concept and design phases, not after the code has been released to the public.  This is true for online applications like Twitter as well as boxed software that you buy in stores.  Don't let your customers be your test bed for identifying security risks, because you can bet that criminals will find them and exploit them before your customers do.  At that point you have put your customers at risk as well.  It is far cheaper, and less damaging to your corporate brand and reputation, to identify security risks up front, before any code is launched, than to try to retrofit security into a live product.

Up to this point the vulnerabilities exposed on Twitter have largely been considered annoyances.  I was unable to find any reports of identity or financial theft as a result of a Twitter exploit, and again perhaps that is why they haven't been placed under the same microscope that Microsoft and Google have been.  Don't take these proof-of-concept quality threats lightly, though, as they could easily have been much more nefarious than they were.

Let's take the Mikeyy worm as a primary example.  One of the ways Mikeyy would spread is by sending Tweets out under the accounts of infected users, trying to lure their followers to visit the profile of another Twitter user that exploited a site flaw.  Once that page was visited, the user's account was hijacked and Tweets would be sent out as them to their followers, trying to trick them into clicking as well.  Rinse and repeat.  In this instance the worm was merely spreading across Twitter to anyone who was fooled into clicking the link presented in the Tweet.  What if this link had forwarded unsuspecting users out to a drive-by malware site that installed malware like Storm or Conficker?  In a previous post we discussed how URL abbreviation services can potentially hide an underlying threat vector, redirecting users to malware drive-by or phishing sites.  Granted, that example isn't one of a specific Twitter flaw, but it is just another thing that users of the popular service need to be on the lookout for.

In its short existence Twitter has almost single-handedly revolutionized how we communicate (in 140 characters or less :) ) online.  Whether you are using Twitter to communicate with friends from school or family, or professionally to keep up on market trends or as another method to increase your brand awareness (a recent report by comScore said that more than 50% of Twitter users are between 25-54, with most users being on the upper end of that scale), Twitter has stormed onto the social media scene and has already become an important part of how people communicate online.  I use it myself.  As such, it creates another avenue by which we need to make sure we educate ourselves and our users about the potential for online threats.
Posted by smasiello at 2:29 PM
08 April 2009

Conficker, Meet Your Copycat Cousin, Neeris


According to a post on the Microsoft Malware Protection Center site last Friday, Conficker has a copycat cousin named Neeris that has been updated to exploit the same vulnerability that Conficker started targeting in September 2008.

Neeris is not new on the scene; it originally came to be known a couple of years ago by exploiting a different vulnerability, MS06-040 (patched by Microsoft in August 2006), in the Windows Server service (Conficker also exploits this same service).  This latest Neeris update targets MS08-067, the same vulnerability as Conficker, in addition to MS06-040.

According to the Microsoft blog post, Neeris shares many of Conficker's propagation methods, such as spreading via removable drives.  Neeris is primarily an IRC based bot (a dying breed) that spreads via links sent in MSN Messenger instant messages to attempt initial infection.  Once a PC is compromised, it attempts to download the actual worm code over HTTP.  Once this happens, Neeris then attempts to locate other machines on the network to infect.

It was only a matter of time before the Conficker copycats started showing up, as riding on the coattails of previously successful malware is a fairly common tactic.  It is somewhat interesting that in this case not many updates were made to the original malware, which made it easy for commercial AV vendors to identify and stop.  In Microsoft's case, it was identified by generic signatures they already had in place from the original Neeris launch.  This is another one of those situations, though, where if computers and servers had been kept up to date on patch levels from the beginning, this attack could have been mitigated.
Posted by smasiello at 3:54 PM
02 April 2009

Great MX Logic Local Media Coverage on Conficker


I had the honor and privilege of representing MX Logic over the past couple of days in some local television stories regarding Conficker.  I did an in-office interview with Russell Haythorn from Denver's KMGH Channel 7 on Tuesday, which aired as the lead story on their 5pm newscast (and replayed in condensed versions on their 10pm and 6am newscasts the next day).  Wednesday morning I did an in-studio interview with CBS 4 Denver with Tom Mustin and Brooke Wagner on their 6am newscast.  The video from that interview is posted here.

I went to the CBS interview with Charles, our Director of Corporate Communications.   They couldn't possibly have treated us better.  We were taken up to the news area by Duncan Shaw, one of their producers, who in addition to getting me all set up for the interview took us on a tour of the studio, editing area, and the control room.  It was really neat to get to see how all of the backend of everything works (I was geeking out!).  During one of the commercial breaks I had a chance to speak briefly with Tom and Brooke, who were very friendly also and willing to engage in small talk despite the fact that they were obviously preparing for their next segment.  Tom also introduced himself personally after the newscast was over.  All in all, they really treated us well.  I would guess that the fact we were there so early in the morning before the place was really hopping helped.

It's been a fast, wild ride over the past couple of days...now if people in the office would just stop making fun of me and asking me for my autograph :-D 
Posted by smasiello at 9:20 AM