IT Security Blog

23 June 2009

Brief Storm/Waledac Timeline and Its Relationship with Conficker


The folks over at Cisco posted a very interesting blog writeup about the Storm/Waledac botnets and how their marriage to Conficker was consummated in order to start monetizing the enormous computing power of the Conficker botnet. 

What I found most interesting was the part about how Conficker would hook itself between Wireshark and the network driver (likely within the winpcap library) to hide all of the network interfaces from Wireshark, essentially rendering the packet sniffing tool useless.

Looking ahead, this makes me wonder what else malware could do to alter the behavior and functionality of other tools that security researchers use to analyze malware.  We've already seen Conficker introduce signed, encrypted updates to keep researchers from analyzing updates and penetrating its network.  This development of malware physically altering how analysis tools work could be a significant game changer in the cat and mouse game of being able to reverse engineer malicious code.  This is definitely something that warrants continued monitoring to see if this tactic continues to be employed by cyber criminals, or improved upon.
Posted by smasiello at 4:35 PM | Link | 0 comments

Yet Another Fake Microsoft Update Email Scam Making the Rounds


In the vein of beating a dead horse, our Threat Operations Center has found another fake Microsoft Outlook/Outlook Express scam with a link to malware making the rounds.  This new variant shows a bit more effort in attempting to make the email appear as if it is actually from Microsoft.

This new tactic is similar to the two previous instances we have seen over the last 3 weeks, where emails were sent claiming to link to updates for Microsoft Outlook and Outlook Express.  The previous emails were text based, however, and outside of using the names of Microsoft products as a lure contained no convincing social engineering to persuade the recipient that the message was authentic.  This new variant goes one step further and uses an HTML-based message formatted to resemble a Microsoft Tech Bulletin. 

A screen shot of the received message is below:




As you can see, this isn't the full message, but the pertinent parts are included.  There are several links at the bottom of the message labeled "Contact Us", "Privacy Statement", and a couple of others which link off to the Microsoft site in an effort to make the email appear more authentic. 

The creators of this new variant also put a little extra care into how they crafted the URL used in the email.  As you can see from the example above, the link's display text appears to point at update.microsoft.com, which isn't uncommon.  Behind the scenes such links typically go either directly to an IP address or to a domain that is clearly not associated with the company being spoofed.  The tactic used here is the latter, but you have to pay close attention, because a quick glance at the URL will miss something important. 

For example, here is one of the URLs that our TOC observed:

hxxp://update.microsoft.com.hfhilf.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=137389514006574829074907904242972292094527445893638626111136583

You'll notice that the registrable domain is actually "hfhilf.com", clearly not associated with Microsoft.  The "update.microsoft.com" in front of it is nothing more than a set of subdomain labels under hfhilf.com, which anyone who controls that domain can create at will, and the path and query string that follow are crafted to look like a legitimate Microsoft Office update URL.  The only part of the host that matters is what sits immediately before the top-level domain. 
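The check a mail filter (or a careful reader) is really performing on that link is: what is the registrable domain of the parsed host, regardless of which familiar names appear elsewhere in the URL text? The following Python is an added example, not code from MX Logic or from this post. It parses the observed link above and classifies it; TRUSTED_DOMAINS, the extra sample URLs and the two-label approximation of the registrable domain are assumptions. It also goes beyond the post's specific case by handling a raw IP host and the user@host trick, where a trusted name placed before an @ sign is only the URL's userinfo and the real host is whatever follows it.

```python
import ipaddress
from urllib.parse import urlsplit

# Brands whose registrable domain we treat as legitimate (constructed for
# this example; extend to the sender domains you actually expect).
TRUSTED_DOMAINS = {"microsoft.com"}

# The link observed in the scam, copied from the post with its scheme defanged.
OBSERVED_LINK = ("hxxp://update.microsoft.com.hfhilf.com/microsoftofficeupdate/"
                 "isapdl/default.aspx?ln=en-us&id=1373895140065748290749079042"
                 "42972292094527445893638626111136583")


def refang(url):
    """Restore the scheme of a defanged URL so the standard parser accepts it."""
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)


def registrable_domain(host):
    """Approximate the registrable domain as the last two DNS labels.

    Assumption: adequate for .com-style TLDs only. For ccTLDs such as
    example.co.uk a real filter must use the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(url):
    """Classify a link as trusted, lookalike, raw_ip or untrusted.

    The decision is made on the registrable domain of the *parsed* host, not on
    whether a familiar name appears somewhere in the URL text, because the scam
    above places update.microsoft.com in the subdomain labels of hfhilf.com.
    """
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()   # userinfo before '@' is dropped here
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    reg = "" if is_ip else registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        verdict = "trusted"
    elif is_ip:
        verdict = "raw_ip"
    elif any(("." + brand + ".") in ("." + host + ".") for brand in TRUSTED_DOMAINS):
        # A trusted brand's full name appears as labels inside an untrusted host.
        verdict = "lookalike"
    else:
        verdict = "untrusted"
    return {"host": host, "registrable_domain": reg, "verdict": verdict}


if __name__ == "__main__":
    # The last three URLs are constructed samples, not observed in the campaign.
    for link in (OBSERVED_LINK,
                 "https://update.microsoft.com/",
                 "http://192.0.2.10/update.aspx",
                 "http://update.microsoft.com@evil.example/"):
        print(analyse_link(link))
```

The observed link classifies as a lookalike with registrable domain hfhilf.com; the userinfo sample resolves to host evil.example because urlsplit, like a browser, treats everything before the @ as credentials. A two-label approximation is the one shortcut here that you should not carry into production.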

As usual, there are a couple of grammatical errors that are your basic tipoff that this message is not from Microsoft.  Couple that with the fact that Microsoft does not generally blast out update notifications in this manner and you have two tell-tale signs that this email is the work of cyber criminals, not an official update notification. 
Posted by smasiello at 8:22 AM | Link | 3 comments
22 June 2009

Spammers Poisoning Twitter Trending Topics to Spread Spam and Malware

Poisoning search results with content that leads unsuspecting users to spam or malware content is nothing new.  We've been seeing abuse of Google's PageRank system since early 2008 where spammers would artificially inflate the rankings of their spam web sites and send out email links which emulated the click of the "I'm Feeling Lucky" button on Google's search page to auto-redirect users through Google to fraudulent web sites. 

We are now seeing something similar with Twitter.  According to this post on Mashable's web site, spammers are using the accounts that they are setting up on the popular micro-blogging site to increase the ranking of certain topics so that they will appear in the list of Twitter's most popular topics and organically increase clickthroughs.  In some cases the sites that users are being directed to also can inject malware.

Be careful with these sites because, as we have seen with some other Twitter attacks, you could also have your account credentials stolen and your account used as another vehicle for distributing Twitter spam.  Twitter has been built to be easy for end users to use and interface with, and that approach has been great for driving user adoption.  The unfortunate side effect is that its popularity has made it an increasingly attractive target for cyber criminals.
Posted by webmaster at 1:30 PM | Link | 0 comments
16 June 2009

BITS Releases Guide For Implementing Email Authentication Protocols

Is It Too Little, Too Late?

As reported a few days ago, BITS (the Banking Industry Technology Secretariat) has released a paper titled "Email Sender Authentication Deployment", focusing primarily on how financial institutions can implement DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) so that mail genuinely sent from their domains can be told apart from spoofed email sent by spammers. 

In a release done by the Online Trust Alliance (OTA) in 2008, it was reported that 51% of the Fortune 500 consumer facing brands, 52% of the Fortune 500’s consumer-facing financial service brands, and 54% of the Internet Retailer top 300 brands were currently authenticating their email. 

Many major financial institutions are on board as well, but clearly there is room for improvement.  As pointed out by Paul Smocer, VP of Security for BITS, only about 10-15% of BITS' 100 members are currently using any form of email authentication, a statistic quite different from the adoption rates of F500 brands.  For those who haven't yet implemented sender authentication, BITS has released this guide to help financial institutions understand the business value of implementing these solutions. 

Will SPF and DKIM stop spoofing?  No.  They only help when the receiving mail system actually checks them and acts on the result, and neither says anything about look-alike domains the bank does not own.  What they do provide is a way for receivers to tell a message that a financial institution such as Bank of America actually sent (the connecting IP is one the domain lists in its SPF record, or the message carries a DKIM signature that verifies against the public key published in the domain's DNS) from one that a spammer merely dressed up to look like an official BofA message in an attempt to steal someone's identity or web site login credentials. 
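To make the receiver-side half of this concrete, here is an added example in Python of the SPF check described above; it is not code from the BITS guide or from this blog. The zone data is constructed: bank.example and espvendor.example are invented domains and the addresses come from documentation ranges. It implements the ip4, ip6, include and all mechanisms of RFC 4408 (the SPF specification current in 2009, since superseded by RFC 7208) against an in-memory table standing in for live DNS, and caps include recursion as a stand-in for the specification's DNS lookup limit.

```python
import ipaddress

# Constructed zone data standing in for live TXT lookups. The domains and
# addresses are invented for this example and are not any real bank's records.
TXT_RECORDS = {
    "bank.example": ["v=spf1 ip4:192.0.2.0/24 include:espvendor.example -all"],
    "espvendor.example": ["v=spf1 ip4:198.51.100.5 ip6:2001:db8::/32 ~all"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in TXT_RECORDS.get(domain.lower(), []):
        if txt.startswith("v=spf1"):
            return txt
    return None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the envelope sender's domain against the connecting IP.

    Returns pass, fail, softfail, neutral, none or permerror. This is a subset
    of RFC 4408: ip4/ip6, include and all with the +/-/~/? qualifiers. The a,
    mx, ptr and exists mechanisms and the redirect modifier are skipped, and
    the recursion cap is a crude stand-in for the 10-DNS-lookup limit.
    """
    if depth > 10:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:            # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # An IPv4 address is never "in" an IPv6 network and vice versa.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include: matches only when the referenced domain's record passes.
            matched = check_spf(term[len("include:"):], sender_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue                           # unsupported mechanism in this example
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                           # RFC 4408: no mechanism matched


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.5", "2001:db8::1", "203.0.113.7"):
        print(ip, check_spf("bank.example", ip))
```

Note what is being checked: the domain of the SMTP envelope sender (MAIL FROM) against the IP of the connecting host. A spammer who puts a domain he controls in MAIL FROM and the bank's name in the visible From: header passes this check; the From: header is covered by DKIM, which signs it, and that is why the guide treats the two as complementary rather than alternatives.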

The question I would pose is this: for all the consumer confidence that email authentication is meant to foster, is it too little, too late?  I've heard people from some of the largest banks in the country state that their studies have found that many of their own customers no longer open email from them, or have moved away from online banking entirely, solely because of concerns about having their identities stolen.  In their eyes, it is easier to avoid the risk entirely (even if it costs additional fees to walk into a branch to conduct business) than to deal with their bank online.  This is because they cannot distinguish legitimate communications from their bank from what is being sent by cyber criminals. 

Trust is very hard to earn and even more difficult to re-establish once lost, especially in matters involving someone's wallet.  To that point, when I think about the low level of trust that users have today in email as a communication and marketing vehicle, I believe that, as an industry, we should be doing everything we can to help email senders and receivers proactively identify malicious email, but users might be too jaded to care.
Posted by smasiello at 1:23 PM | Link | 0 comments
11 June 2009

Outlook Malware from Last Week Comes Back for a Visit


My apologies for being a bit light on posting this week.  I have been in Amsterdam for the 16th MAAWG Conference.  It's been a great conference with some outstanding presentations, but I am looking forward to being home tomorrow!

It looks like the Outlook Reconfiguration Malware from last week has returned for another round, this time claiming that other user mail clients are in need of reconfiguration.

This one is fairly interesting because it seems to be rather confused as to which mail client is supposed to be reconfigured.  Many of the samples that I have reviewed use different mail client names between the message subject and the body.  A couple of examples:

Message Subject: Microsoft Outlook Setup Notification
Message Body:

You have (6) message from Outlook Express.

Please re-configure your Microsoft Outlook again.

Download attached setup file and install.

Message Subject: TheBat Setup Notification
Message Body:

You have (9) message from Microsoft Outlook.

Please re-configure your TheBat again.

Download attached setup file and install.


Notice the inconsistency between the subject and the two sentences of the body: the subject announces a setup notification for TheBat (a legitimate mail client whose name is frequently abused in spam), the first sentence says you have X messages from Microsoft Outlook, and the second tells you to reconfigure TheBat again.  I am not sure whether this is intentional (sloppy work on the part of the spammer if it is) or just a broken template in the spamware.

These messages carry an attachment named client_update.zip with an MD5 checksum of a50838afddd97a744804bdb6b153b101. 

VirusTotal reports (as of the time of this writing) that only about 60% of the antivirus engines detect this sample, which is nonetheless better than we typically see in the early stages of a new attack.  This supports the theory that the new malware is close enough to last week's that the existing signatures still catch it.

Either way, be on the lookout for this respin of last week's news. 

 
Posted by smasiello at 3:48 PM | Link | 0 comments
04 June 2009

FTC Shuts Down 3FN, a Rogue Internet Service Provider


Today the FTC announced via their web site that they have shut down 3FN (aka Pricewert), a major rogue internet service provider specializing in hosting botnets, phishing web sites, child pornography, and other illegal, malicious web content. 
Unfortunately, however, we are not seeing any drop in volume as a result of this shutdown.  When McColo, another rogue hosting provider, was shut down in November 2008, we observed an immediate drop in spam volumes of about 60%.  No such luck this time; in fact, according to our Threat Operations Center, spam volumes haven't been affected at all. 

This raises the question: why not?  How could spam be so significantly affected by the McColo shutdown while the termination of 3FN appears to have had no effect thus far?  The reason is that botnet operators, particularly those hit by the McColo shutdown (which served as a lesson to all of them), have gone to great lengths to build redundancy into their networks so that a McColo-style disruption cannot happen again.  Some of the larger spam-sending botnets such as Cutwail are suspected to have had command and control servers hosted at 3FN, but because they now run in a multi-homed model with command and control servers spread across many different providers and networks, the shutdown of a single hosting provider requires nothing more than a minor update, distributed from the surviving command and control servers, to point the bots away from 3FN and let business run as usual.

Government intervention and the veritable whack-a-mole game that goes on with upstream bandwidth providers can only go so far to get these illegal web hosts shut down.  We need more cooperation from the domain registrars in order to completely take these rogue domains offline.  Unfortunately, with the decentralization of domain registration that has allowed domain registrars to setup shop who are more than happy to allow these rogue domains to come online and stay online, cyber criminals will continue to flock to these services until high authorities step in to get them shut down; a concept much easier said than done.


Posted by smasiello at 3:59 PM | Link | 0 comments
03 June 2009

Web 3.0? More like Web 2.1!


In the race to coin new technical terms and phrases that generally only serve to confuse the masses, we now have upon us the dawn of a new term "Web 3.0." 
To present a bit of a timeline:

I am willing to wager that most people would consider the movement into "Web 1.0" started sometime in late 1994/early 1995 when Netscape released the first versions of its Navigator browser.  This event was basically the catalyst which started to bring "The Internet" as we know it into a more mainstream setting.  I realize that some of the more tech savvy out there would argue that "The Internet" is actually quite a bit older than that, and I will concede that point, but for the sake of argument let's also agree that the internet was nowhere near what one could consider mainstream. 

The term Web 2.0 was originally mentioned (according to Wikipedia) in an article by Darcy DiNucci titled Fragmented Future.  Although DiNucci's train of thought was on the right path, what Web 2.0 eventually became is a lot broader.  As such, the "Web 2.0" moniker is more generally credited to Tim O'Reilly, who used the term at the O'Reilly Media Web 2.0 Conference in 2004.  O'Reilly's vision is much more on par with what we generally consider "Web 2.0" today: the evolution into web-based communities, collaboration, communication, and real-time data and information sharing.  Blogs, wikis and social networking communities, as well as the broadcast of information through podcasts, are primarily what shape Web 2.0 today.

So, now that all of this data is out there on the web, what are we going to do with it?  Enter "Web 3.0".  What Web 3.0 is intended to be is the method by which all of the data and facts introduced as part of Web 2.0 will be mined and used.  This will likely end up getting used mostly by large marketing companies who will be looking for new and inventive ways to target ads in popups and web pages and spam to users. 

The question I have is: why is this "Web 3.0"?  In the software world, when a product or service goes up a whole major version number (the major version is typically the number to the left of the decimal point), it is usually because what is being introduced is significantly different, better, or enhanced over the previous version.  In moving from Web 1.0 to Web 2.0 this change in vernacular made sense.  It was the movement from the web as a static content delivery vehicle to one where content was made much more interactive, and it really was a drastic paradigm shift in how the web was used by users as well as service providers.  The movement from posting data and content to mining that information seems more like a logical next step in how web content would be used, hardly a significant change in thought process or a drastic change in how the internet is interacted with.  As such, I don't see what is being done as worthy of coining a new phrase. 

I know that "Web 2.1" doesn't sound nearly as exciting or as sexy as Web 3.0, but let's call it what it is: a logical progression, not an internet shaking movement.
Posted by smasiello at 3:17 PM | Link | 0 comments

Microsoft Outlook Reconfiguration Malware In the Wild


The MX Logic Threat Operations Center has observed a new type of malware in the wild being sent out as an email posing as a reconfiguration notification for Microsoft Outlook. 

The message subject is "Outlook Setup Notification" and contains the following text within the message body:

You have (1) message from Microsoft Outlook.

Please re-configure your Microsoft Outlook again.

Download attached setup file and install.



The attached file is named micr__outlook_update_6556.zip and has an MD5 checksum of 7aa706c521dd8a11ef23b35fc5c4d543.

So far we are not seeing any variation in either the attachment name (which could easily be made more random with the digits on the end) or the hash, so the malware is not morphing at this point.  That could easily change, since a single static name and hash are trivial for AV vendors and spam filters to block. 
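For both attachment-based campaigns on this page (micr__outlook_update_6556.zip here and the 11 June respin, client_update.zip), the practical check is to pull each attachment out of the message, hash it and compare against the published indicators, and separately flag a known lure filename whose hash has changed, which is exactly the morphing case the paragraph above anticipates. The following Python is an added example, not MX Logic's tooling. The message it builds is constructed in the shape the posts describe: the sender and recipient addresses and the zip payload are invented (so its hash will not match the real samples), and the client-name consistency check reflects the subject/body mismatch noted in the 11 June post.

```python
import email
import email.policy
import hashlib
import re
from email.message import EmailMessage

# Indicators published in the two posts: lure filename -> MD5 of the sample.
KNOWN_BAD = {
    "micr__outlook_update_6556.zip": "7aa706c521dd8a11ef23b35fc5c4d543",
    "client_update.zip": "a50838afddd97a744804bdb6b153b101",
}
SUBJECT_MARKER = "Setup Notification"
# The two body sentences that name a mail client; a mismatch is the respin's tell.
CLIENT_FROM = re.compile(r"message from ([A-Za-z ]+?)\.")
CLIENT_RECONF = re.compile(r"re-configure your ([A-Za-z ]+?) again")


def build_sample_message(subject, body, filename, payload):
    """Constructed message in the shape the posts describe (not a real sample)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "noreply@example.invalid"     # invented sender
    msg["To"] = "user@example.invalid"          # invented recipient
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="zip",
                       filename=filename)
    return msg.as_bytes()


def triage(raw):
    """Return which lure indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = str(msg["Subject"] or "")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    result = {
        "subject_lure": SUBJECT_MARKER in subject,
        "client_mismatch": False,   # subject/body name different clients
        "known_hash": False,        # attachment hash is a published IOC
        "known_name": False,        # known lure filename but a new hash
        "attachments": [],          # (filename, md5) for every attachment
    }
    m_from, m_reconf = CLIENT_FROM.search(body), CLIENT_RECONF.search(body)
    if m_from and m_reconf and m_from.group(1).strip() != m_reconf.group(1).strip():
        result["client_mismatch"] = True
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        digest = hashlib.md5(part.get_payload(decode=True) or b"").hexdigest()
        result["attachments"].append((name, digest))
        if KNOWN_BAD.get(name) == digest:
            result["known_hash"] = True
        elif name in KNOWN_BAD:
            result["known_name"] = True   # same lure, new hash: the respin case
    return result


if __name__ == "__main__":
    # Constructed in the shape of the 11 June samples; the zip bytes are a bare
    # end-of-central-directory record, not the real malware.
    raw = build_sample_message(
        "TheBat Setup Notification",
        "You have (9) message from Microsoft Outlook.\n\n"
        "Please re-configure your TheBat again.\n\n"
        "Download attached setup file and install.\n",
        "client_update.zip", b"PK\x05\x06" + bytes(18))
    print(triage(raw))
```

The constructed message trips the subject lure, the client-name mismatch and the known-filename check while the hash check stays false, which is the signal that a known campaign has been respun with a new binary. The posts published MD5 values, so that is what is matched here; in a current indicator feed you would carry SHA-256 alongside, since MD5 collisions are practical and the hash alone is the weakest of these indicators.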

The graph below shows hourly volumes of this new threat since about 11:30am MST on 6/2, when we originally started to observe it hitting our systems.



Posted by smasiello at 11:03 AM | Link | 0 comments