SophosLabs is intercepting a spammed-out malware campaign whose emails pretend to concern a revealing photo of the recipient that has been posted online.
The emails, which have a variety of subject lines and message bodies, arrive with an attached ZIP file (IMG0893.zip) which contains a Trojan horse.
Subject lines used in the spammed-out malware campaign include:
- RE:Check the attachment you have to react somehow to this picture
- FW:Check the attachment you have to react somehow to this picture
- RE:You HAVE to check this photo in attachment man
- RE:They killed your privacy man your photo is all over facebook! NAKED!
- RE:Why did you put this photo online?
The message bodies contained inside the email can also vary. Here are some examples:
- Hi there ,
I got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that dude??.
- Hi there ,
I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today... why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than i thought about you man :)))).
- Excuse me,
But i really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter... The question is is it really you???.
Tempted to try out the much talked about Instagram app? Well, be careful where you get it from – as malware authors are distributing malware disguised as the popular app.
It’s a rain cloud on a summer’s day for the Instagram photo-sharing smartphone app, which is otherwise having a glorious time right now.
First of all, Instagram released a first version for Android and managed to get five million downloads in less than a week.
Then the 13-employee firm managed to sell itself to Facebook for a cool $1 billion, making some of us wonder about privacy, and others think – “to heck with that, do I have a program that’s never earnt any money that I might be able to flog to Mark Zuckerberg?”.
Naturally, the Facebook acquisition news raised Instagram to even higher levels of public awareness and that’s where the bad guys stepped in.
Cybercriminals have created fake versions of the Instagram Android app, designed to earn money from unsuspecting users.
Stop press! The art of computer viruses may not be dead, after all.
Vancouver-based artist Bratsa Bonifacho says his latest collection of paintings has been inspired by computer malware.
One of Bonifacho’s virus paintings is titled “Horty MyParty is Weird and Coolnow”.
An unusual name, you might think, but it is apparently inspired by a number of viruses from yesteryear including VBS/Horty (which claimed to offer pornographic content of adult film star Jenna Jameson), 2002’s MyParty email worm, and the CoolNow MSN Messenger worm.
Early today Symantec published an inside look at a new targeted malware attack called Duqu. This might not be important news if it weren’t for its ties to Stuxnet.
Early analysis of Duqu shows it has evolved from the Stuxnet codebase. We shouldn’t jump to conclusions that it was developed by the same authors, but whoever created this malware likely had access to the original source code used to compile Stuxnet.
The components that were reused were not the pieces used to target SCADA/industrial control systems, but rather related driver files that provide the malware the ability to download additional components.
Symantec reports that once Duqu has retrieved the additional malicious files, it focuses on gathering information rather than on industrial sabotage.
SophosLabs confirms that the driver files are signed, similar to the drivers used by Stuxnet. In this case the certificate purports to belong to C-Media, a Taiwanese firm known for their embedded audio chipsets.
Signature of driver file:
SHA1 hash of file: A5190A8E01978C903BF1FABCFCBA40D75996D8B9
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: 3/08/2028 12:59:59 AM
SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B
Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 21/05/2019 12:59:59 AM
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3
Issued to: C-Media Electronics Incorporation
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: 3/08/2012 12:59:59 AM
SHA1 hash: 83F430C7297FBF6C1D910B73414132DB48DBDE9C
This may not be a coincidence, as Stuxnet used certificates that appeared to belong to RealTek and JMicron, two other embedded chip manufacturers in the same neighbourhood.
The mystery remains, however. Were these certificates stolen, or simply generated through compromised certificates to appear to belong to these organizations?
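As an added illustration (not code from the Sophos post), here is how a defender might evaluate the chain listed above by name, date and thumbprint: the links and dates all check out, which is exactly why a signer known to be abused has to be distrusted explicitly by thumbprint. The trust store, blocklist and reference date are constructed assumptions, and cryptographic verification of the signature itself still needs a real Authenticode tool.

```python
# Added example, not from the Sophos post: evaluate a code-signing certificate
# chain the way a defender would once a signer is known to be abused. Checks are
# by name, date and SHA1 thumbprint only; signature verification is not done here.
from datetime import datetime

# Constructed from the chain listed in the post (leaf first, root last;
# expiry dates read as day/month/year, 12:59:59 AM = 00:59:59).
DUQU_DRIVER_CHAIN = [
    {"subject": "C-Media Electronics Incorporation",
     "issuer": "VeriSign Class 3 Code Signing 2009-2 CA",
     "expires": datetime(2012, 8, 3, 0, 59, 59),
     "sha1": "83F430C7297FBF6C1D910B73414132DB48DBDE9C"},
    {"subject": "VeriSign Class 3 Code Signing 2009-2 CA",
     "issuer": "Class 3 Public Primary Certification Authority",
     "expires": datetime(2019, 5, 21, 0, 59, 59),
     "sha1": "12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3"},
    {"subject": "Class 3 Public Primary Certification Authority",
     "issuer": "Class 3 Public Primary Certification Authority",
     "expires": datetime(2028, 8, 3, 0, 59, 59),
     "sha1": "A1DB6393916F17E4185509400415C70240B0AE6B"},
]

# Hypothetical trust store (assumption: the OS root store contains this root) and a
# constructed reference date close to the original report; neither is from the post.
TRUSTED_ROOT_SHA1 = {"A1DB6393916F17E4185509400415C70240B0AE6B"}
REPORT_DATE = datetime(2011, 10, 18)


def chain_findings(chain, now, trusted_roots, blocked_sha1=frozenset()):
    """Return the reasons to distrust the chain; an empty list means no finding."""
    findings = []
    for i, cert in enumerate(chain):
        if cert["expires"] < now:
            findings.append(f"expired: {cert['subject']}")
        if cert["sha1"].upper() in blocked_sha1:
            findings.append(f"blocklisted thumbprint: {cert['subject']}")
        # Each certificate must name the next one in the list as its issuer.
        if i + 1 < len(chain) and cert["issuer"] != chain[i + 1]["subject"]:
            findings.append(f"chain broken after: {cert['subject']}")
    root = chain[-1]
    if root["issuer"] != root["subject"]:
        findings.append("chain does not end in a self-signed root")
    if root["sha1"].upper() not in trusted_roots:
        findings.append(f"untrusted root: {root['subject']}")
    return findings


def signer_is_acceptable(chain, now, trusted_roots, blocked_sha1=frozenset()):
    return not chain_findings(chain, now, trusted_roots, blocked_sha1)


if __name__ == "__main__":
    # Looks fine by name and date alone, which is the problem the post describes.
    print("accepted:", signer_is_acceptable(DUQU_DRIVER_CHAIN, REPORT_DATE, TRUSTED_ROOT_SHA1))
    # Distrusting the abused signer by thumbprint turns the same chain into a finding.
    blocked = {"83F430C7297FBF6C1D910B73414132DB48DBDE9C"}
    print(chain_findings(DUQU_DRIVER_CHAIN, REPORT_DATE, TRUSTED_ROOT_SHA1, blocked))
```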
As with Stuxnet, it is too early to determine anything definitive about the who, why or what this malware was designed to do. I can assure you that the security industry will be analyzing these samples diligently to determine their intent.
One of the topics I frequently get asked about by customers when they visit SophosLabs is what we do about the hordes of legitimate web sites that we see getting hit with malware. How do we go about alerting them to the problem? How can we help to get things cleaned up quickly, thereby reducing risk for users?
Sophos customers can take advantage of our WebAlert service, but this is not relevant to non-customers.
Web security is a topic that affects us all. The web has become the predominant way in which malware is delivered nowadays. Thanks to techniques such as blackhat search engine optimisation (SEO) or drive-by download attacks, failings in the security of a single site or hosting provider can expose many innocent users to malware. Improving the process by which the bad stuff gets reported and cleaned up is in all of our interests.
I am pleased to have been involved in a great initiative over the last few months, coordinated by the folks at StopBadware. They put together a working group in order to thrash out a process for reporting malicious URLs. I am happy to say that a few days ago the final version of Best Practices for Reporting Badware URLs was published.
Hopefully the initiative will facilitate communication between the parties that discover the bad stuff, and those in a position to do something about it, mitigating the effects of malicious URLs.
More information about the initiative can be found on the StopBadware blog, in their press release, or you can dive straight into the report here.
A man from Southern California who hacked into over 100 computers, and used personal information stolen from them to extort sexually explicit videos of young women and teenage girls, has been sentenced to six years in prison.
32-year-old Luis Mijangos, an illegal immigrant from Mexico who was living in Santa Ana, California, was arrested last year after a lengthy investigation by the authorities.
Mijangos infected his victims’ computers with malware, allowing him to gain access to their email accounts, turn on their webcam to take secret movies, and search their PCs for sexually explicit and intimate images and videos.
In some cases, Mijangos also posed as some of the victims’ boyfriends to convince them to send him nude pictures.
At this point, things got really nasty. Mijangos would threaten to post his victims’ intimate images online unless they provided him with more sexually explicit photos and videos for his personal gratification.
In at least one instance, Mijangos posted naked photographs of a woman on her friend’s MySpace page.
Mijangos, who is confined to a wheelchair because of a medical condition, was sentenced to six years in prison by US District Judge George King.
Before sentencing, Mijangos apologised to his victims:
"To all the victims I want to say that I'm sorry. I'm ready to do the right thing and stay out of trouble."
Mijangos is far from the first hacker to take remote control of webcams to spy upon victims.
For instance, in early 2005, Spanish authorities fined a student who captured movie footage from unsuspecting users, and arrested a 37-year-old man who spied on victims via a webcam while stealing banking information.
The following year, Adrian Ringland, from the English town of Ilkeston, Derbyshire, was sentenced to jail for ten years after admitting posing as a minor on internet chatrooms and using spyware to take explicit photographs via children’s webcams.
And in 2008, a 27-year-old Canadian man was charged with using spyware to take over the webcams of women as young as 14 and coercing them into posing naked for him.
Perhaps the most eyebrow-raising incident I have heard of, however, is the case of the man who is alleged to have displayed error messages on his potential victims’ laptop screens, tricking them into taking their webcams into the shower with them.
With many home users keeping poorly-defended PCs in their bedroom, there is clearly considerable potential for abuse – particularly amongst the young. The message is simple: keep your PC protected against the latest threats with anti-malware software, security patches and firewalls, and if in any doubt unplug your webcam when you’re not using it.
The US Deputy Defense Secretary William Lynn has revealed that a foreign intelligence agency was behind a hack attack that stole classified information about a top secret weapons system.
According to Aviation Week, the weapons system, which is under development, might have to be redesigned after the files were stolen from a military contractor’s computer network.
Plans and confidential blueprints were included in the haul of 24,000 files said to have been copied by the hackers.
The revelation came to light as William Lynn gave a speech at the National Defense University (NDU) in Washington DC, outlining his department’s “first ever strategy for operating in cyberspace”. Recognising that the problem extended beyond its own networks, the Pentagon is piloting a program to share classified intelligence about threats with select military contractors and their ISPs.
NDU was somehow an appropriate venue for the speech – Lynn told his audience that the National Defense University itself had fallen victim to hackers after its “website and its associated server were recently compromised by an intrusion that turned over system control to an unknown intruder.”
Lynn’s speech contained much jaw-jaw about the nature of cyberwar – and how it could vary from destructive attacks to information theft:
"Tools capable of disrupting or destroying critical networks, causing physical damage, or altering the performance of key systems, exist today. The advent of these tools mark a strategic shift in the cyber threat - a threat that continues to evolve. As a result of this threat, keystrokes originating in one country can impact the other side of the globe in the blink of an eye. In the 21st Century, bits and bytes can be as threatening as bullets and bombs."
"But disruptive and destructive attacks are only one end of a continuum of malicious activity in cyberspace that includes espionage, intellectual property theft, and fraud. Although in the future we are likely to see destructive or disruptive cyber attacks that could have an impact analogous to physical hostilities, the vast majority of malicious cyber activity today does not cross this threshold."
"In looking at the current landscape of malicious activity, the most prevalent cyber threat to date has been exploitation - the theft of information and intellectual property from government and commercial networks."
I have always been nervous of the tendency amongst governments to point fingers at foreign nations and blame them for an internet attack. For instance, Lynn claims that a foreign government was involved in the hack, but does not say which one.
You have to ask yourself, why the reluctance to say which country? And if you don’t know which country, how do you know it was any country?
Of course, the US Deputy Defense Secretary has shown himself to be tight-lipped on matters to do with internet attacks in the past. For instance, he declined to confirm or deny if the USA had been responsible for the Stuxnet virus.
And we shouldn’t be naive. Just because it’s hard to prove that a particular country was behind a particular cyber attack, doesn’t mean that that country is whiter-than-white when it comes to such things.
My suspicion is that all countries are using the internet to their advantage when engaged in espionage – whether it be for political, economic or military ends.
What surprises me, however, is that Lynn claims that these sorts of “sophisticated capabilities” (the ability to hack into military contractor computer systems and steal files) are almost exclusively within the abilities of nation states, and that the only thing stopping countries from using the internet to destroy their enemies is the risk of a military counter-attack:
"Today, sophisticated cyber capabilities reside almost exclusively in nation-states. Here, U.S. military power offers a strong deterrent against overtly destructive attacks. Although attribution in cyberspace can be difficult, the risk of discovery and response for a major nation is still too great to risk launching destructive attacks against the United States. We must nevertheless guard against the possibility that circumstances could change, and we will have to defend against a sophisticated adversary who is not deterred from launching a cyber attack."
Of course, terrorists probably wouldn’t fear a counter-attack like this. Why haven’t they launched a destructive strike against the United States? Well, Lynn has an answer for that:
"If a terrorist group gains disruptive or destructive cyber tools, we have to assume they will strike with little hesitation. And it is clear that terrorist groups, as well as rogue states, are intent on acquiring, refining, and expanding their cyber capabilities."
Hmm. So, thank goodness that only governments know how to get their hands on the most dangerous and destructive internet weapons, and that the rest of the world just isn’t as sophisticated.
Marine Gen. James Cartwright, Vice Chairman of the Joint Chiefs of Staff, told the press gathered at NDU that he believed a defensive approach to cyberwar is insufficient, and that the current situation of the Pentagon being 90% focused on defensive measures and 10% on offensive, should be reversed.
One thing is clear amongst all this talk – computer security needs to be taken seriously. Cybercriminals, whether state-sponsored or not, are regularly going beyond damaging and defacing websites to stealing sensitive information which could have more than a financial value. You would be foolish to ignore such a threat; make sure that you have strong defences in place.
Meanwhile, the US Department of Defense says that it is now treating cyberspace as an operational domain – alongside land, air, sea and space. As such, I think we can expect to see more speeches warning about the perils that the United States faces from other nations and terrorist forces.
Naked Security has been hearing from our Canadian readers about more fake technical support calls trying to get people to infect themselves with fake anti-virus software, keyloggers and remote control software. That’s right, they are calling people on the telephone and trying to defraud them in numerous ways.
The fraudulent callers represent themselves as being from Microsoft, Telus (one of the traditional Canadian phone companies) and other brands believed to be trusted by the intended victims.
As we have reported previously, the calls seem to originate from overseas call centres, but often use caller ID numbers that appear to be local. They are likely taking advantage of extremely cheap Voice over IP technologies that allow them to purchase local phone numbers.
They falsely claim the user’s computer has been sending error messages to them and that they are calling to help fix their PCs. Their modus operandi varies, although the outcome is always the same: them stealing your money.
They usually offer to assist you through remote control software, often from legitimate vendors like LogMeIn. Once they are able to access your PC they will install fake anti-virus software or other malware and charge you for the privilege. This way they get two bites at the apple… Once for the technical support incident and another when you pay for the rogue security suite.
This has been common enough recently that Telus has posted an advisory on their website. Telus states that they are working with the Royal Canadian Mounted Police to trace the origin of the calls and recommend Telus customers who believe they have been defrauded call 310-2255.
A recent study by Microsoft showed that the average Canadian victim had $1560 USD stolen from their accounts. It is important to apply the same skepticism to incoming phone calls as you would apply to unsolicited emails or strangers ringing your doorbell.
Paul Ducklin and Sean Richmond of Sophos Australia recorded a podcast explaining these scams and providing advice on how to avoid becoming a victim. I recommend listening to it and sharing it with your friends and family.
These attacks aren’t just affecting Canadians, we have had reports from Australia, the United Kingdom and the United States as well. Stay vigilant and remember, hanging up isn’t rude when someone is calling to scam you.
Thanks to Savio in SophosLabs Canada and Naked Security reader Lystra for contributing information to this story.