MoMusings

I suppose it had to happen; we have spammers learning from malware authors, scammers learning from spammers, malware authors learning from scammers, phishers using malware tools, spammers using malware tools, malware authors including spam proxies in their creations…..

Now we have Phishers learning from the long-established ‘African Cottage Industry’ known as 419s, Advance Fee Frauds or the Nigerian Scam.

Here’s a clip from the story on Techweb:
In the example e-mail that Websense captured, the text begins, “We have been directed by the Mega Magic Foundation of France to notify you that the sum of One Million Euros has been deposited in our bank, DBS Bank, in your name, awaiting immediate transfer to your personal bank account.”

The message concludes with the kicker: “Once logged in to your account, you can transfer via wire directly to your personal bank account by clicking on the ‘click here to transfer’ link.”

Of course clicking on the link takes you to a phishing site which asks you to supply your account details and other personal information so that the ‘funds’ can be transferred to your account. Needless to say, there are no ‘funds’ and you are likely to have your account emptied or the details you provide to be used for the phishers own nefarious purposes.

What’s the old saying, “Plagiarism [or imitation] is the sincerest form of flattery”? Guess the boys and girls from Lagos should be cock-a-hoop with this level of flattery.

You do know what PC stands for right?

Well in a bizarre scam that it targeting students in south London [England], the ‘P’ stands for ‘Potato’ and the ‘C’ stands for ‘Chips’ [no not Crisps or Fries]!

Here a clip from the Register:

“South London students are being warned of a scam in which they may end up parting with up to 200 quid of their hard-earned cash for nothing more than a laptop bag full of spuds [potatoes].

Police say two scoundrels have targeted Southwark unis and colleges, claiming to have a laptop or other mouth-watering piece of kit for sale at a knock-down price. They show their intended victims a PC in a car boot but, after trousering the wonga [money], hand over a case packed with potatoes.”

I never fail to be amazed at the gullibility of people, in this case just to get a new potato computer for a knock-down price, when all they’ll get for their money is the raw material for some chips [fries to the Americans out there]!

At least the unfortunate victims that can’t tell the difference between a bag of spuds and a computer full of chips can use their new purchase to power a clock [see picture above]. So in this case PC stands for Potato Clock.

So, maybe the scammers should ask their customers; “Do you want salt and vinegar with that mate?”

Not!

Looks like the Boys [and Girls] from Lagos are learning from the malware authors and phishers and other assorted internet scum.

What do I mean? Well over the last few months I’ve noticed that the 419ers have started to depend more and more on using the names of large companies to try and add credence to their drivel; a case of authenticity by name dropping or impersonation. This is a bit of a change as they have tended to use impersonation in other ways before, such as pretending to be people like:

• Saddam Hussein
• Suha Arafat [widow of Yasser Arafat]
• Winnie Mandela [wife of Nelson Mandela]

They still use the more usual fake ‘officials’, such as Doctors, Government Officials, Bank Managers, Lawyers, Barristers, Accountants, Military Leaders, Royalty, Priests and other Church members, etc.

So, not only are they guilty of fraud, they have now added impersonation to their list of crimes. This also could damage the credibility of the company or individual who is unfortunate to have their name used in this way.

Here is a typical example:

MICROSOFT EMAIL LOTTERY INTERNATIONAL
FROM:INTERNATIONAL PROMOTION / PRIZE AWARD.
PROMOTING INTERNET USAGE OVER THE GLOBE
(MICROSOFT ENCOURAGE GLOBALIZATION)

FROM: THE LOTTERY COORDINATOR,
INTERNATIONAL PROMOTIONS/PRIZE AWARD DEPARTMENT
Microsoft B.V. Boeing Avenue 44 9459 PE Schiphol-Rijk.

RESULTS FOR CATEGORY “A” DRAWS
Congratulations to you as we bring to your notice,
the results of the First Category draws of MICROSOFT
LOTTERY INT. We are happy to inform you that you have
emerged a winner under the First Category, which is
part of our promotional draws. The draws are being officially announced
today 21st of February 2005. Participants were selected through a
computer ballot system drawn from 2,500,000 email addresses of
individuals and companies from Africa, America, Asia, Australia,
Europe, Middle East, and Oceania as part of our
International Promotions Program.

Your e-mail address, attached to ticket number 50941465206-529, with
serial number 5772-54 drew the lucky numbers 3-4-17-28-35-44 and
consequently won in the First Category.
You have therefore been awarded a lump sum pay out
of 1,000,000 (One Million Euros), which is the
winning payout for Category A winners. This is from the total prize
money from 2,000,000 shared among the 2 winners in this category
CONGRATULATIONS!
Your fund is now deposited with the paying Bank.
In your best interest to aviod mix up of numbers and
names of any kind, we request that you keep the
entire details of your award strictly from public
notice until the process of transferring your claims has
been completed, and your funds remitted to your
account.
This is part of our security protocol to avoid
double claiming or unscrupulous acts by
participants/nonparticipants of this program.
Please contact your claims agent immediately for due
processing and remittance of your prize money to a
designated account of your choice:
To file for your claim,please contact the fiduciary
agent.
***********************************************
Mr. Harvey Kurt,
Prudent Trust Agency
Email:prudenttrustt@netscape.net
1156 H T NL-6400 AA SITTARD
AMSTERDAM
THE NETHERLANDS,
Tel.:+31-611-447-805
***********************************************

You are advised to contact the agents by email
within a week of receiving this notice.
Failure to do so may warrant disqualification.
NOTE: For easy reference and identification, find
below your reference and Batch numbers. Remember to
quote these numbers in every one of your
correspondence with your claims agent.
REFERENCE NUMBER: LSLUK/2031/8161/04
BATCH NUMBER: 14/011/IPD
Congratulations once again from all our staff and
thank you for being part of our promotions program.

Sincerely Yours,
MRS.ELIZABETH MOUS.
THE LOTTERY COORDINATOR,
MICROSOFT INT.

N.B: Any breach of confidentiality on the part of
the winners will result to disqualification. Please do
not reply to this mail. Contact your fiduciary agent
immediately.

Notice the veiled threat at the foot of the e-mail, this is to ensure that the intended sucker….er I mean victim does not tell anyone, as they might be told by someone that this is nothing more than the scam it is.

The ‘Lottery’ variant of the 419 Advanced Fee Fraud has been around for about 18 months now and was a major shift in the 419ers method of enticement.

I have also seen other company names used, these include:

• Zenith
• Camelot [This company runs the UKs Official Lottery]
• William Hill [A large UK Betting (Gambling) Company]

If I received all the alleged winnings from all the copies of the Lottery scams I get each day, then I’d now be richer than Bill Gates
Not to mention all the 10-25 percent handling fees I’d have received for helping to move all the milliions of US Dollars in trapped cash from Nigeria, Iraq, South Africa, Ivory Coast, China, Russia, and the vast majority of the rest of the world too. By now I should own most of the planet!

Oh, while we are on the subject of Bill Gates, no he isn’t giving away his money, no matter what this hoax states.

So next time you receive an e-mail saying that you’ve won a lottery you don’t remember entering, be suspicious, be very suspicious……

A new variant of the Sober family of mass-mailing worms was found this morning, nothing too exciting about that as new variants of existing malware are quite common and cause as much excitement as watching paint dry. However, this mornings catch had an interesting addition to it that was missing from its siblings.

So, what does it do apart from the usual mass-mailing routine with social-engineering?

Well, it not only avoided lots of AV companies e-mail addresses, claims that the e-mail has been virus scanned and found to be clean, is written in Visual Basic, and it seems that this new variant will also try and disable Microsoft’s new anti-spyware tool [was Giant Anti-Spyware]. Oh, it will works on all Windows versions from 9x to XP, and like a few other mass-mailing worms it is multilingual [in this case it is English and German].

If you run the attachment you will see the following:

If you see the above after running the attachment then you are infected!

what do we know about it so far [modified version of the description from F-Secure]:

The worm uses the following English text:

Subjects:

Your new Password
Mail_delivery_failed
Paris Hilton, pure!
Alert! New Sober Worm!
You visit illegal websites

Senders:

service
webmaster
register
hostmaster
postmaster
police
Officer
Admin
Web
FBI
Michele@yahoo.com
Melanie@yahoo.com
security@microsoft.com

Body texts:

Thanks for your registration!
We have received your payment.

For more detailed information, read the attached text.

— OR –

This is an automatically generated Delivery Status Notification.

ESMTP Error []

I’m afraid I wasn’t able to deliver your message.
This is a permanent error; I’ve given up. Sorry it didn’t work out.

The full mail-text and header is attached

— OR –

More than 50 HOT Hilton Videos
More than 3000 Hilton picks

FREE Download until April, 2005

Make your own Download Account, it’s free!
Further details are attached

Thanks & have fun

— OR –

ATTENTION!

Antivirus vendors are warning of a new variant of the Sober
virus discovered today that can delete the hard disk.

Protection:
Download and read the zipped patch. It’s very easy to install!

Thanks for your cooperation!

— (c)2005 Microsoft Corporation. All rights reserved
— Microsoft Corporation
— One Microsoft Way
— Redmond, Washington 98052-6399

— OR –

Dear Sir/Madam,

we have logged your IP-address on more than 40 illegal Websites.

Important: Please answer our questions!
The list of questions are attached.

Yours faithfully,
M. John Stellford

++-++ Federal Bureau of Investigation -FBI-
++-++ 935 Pennsylvania Avenue, NW, Room 2130
++-++ (202) 324-3000

Attachments:

text.zip
register_[random].zip
header_[random].zip
register.zip
text_[random].zip
help-text.zip
patch_[random].zip
indictment_cit.zip
text-[random].zip

where [random] is a randomly generated number.

The worm can add a fake anti-virus scanning report to its infected messages:

Attachment: No Virus found

— OR –

Mail-Scanner: No Virus detected

— OR –

AntiVirus: Found to be clean

Followed by:

*-* Anti-Virus Service
*-* http://www.[domain]

Links:

• F-Secure
• Symantec
• McAfee

Snort signatures are now available on my website which should detect this new version.

Bill Gates gave the keynote speech at the RSA Conference yesterday, which is being held in San Francisco, unfortunately I wasn’t able to attend, however I did get to see his speech/presentation via the Microsoft Security360 site.

So, did he have anything interesting to say?

Well, there was the usual Microsoft sales job; shoving new and updated products in everyones face at every possible opportunity, so from that perspective it was a bit of a let down. However, it seems that Bill has got a case of ‘Security’ religious fervour at the moment [again], and seems to be evangelising on his companies new acquisitions and other security plans.

Is this bad? No. But, he is about 10 years too late, not only has the horse bolted but it has attacked all his neighbors, millions of his customers and even innocent bystanders, would you buy security from a firm that behaved like this?

It is just as well then that Bill announced that the recently purchased ‘Giant’ anti-spyware tool that his company acquired last year, and rebranded and released for Beta testing in December will not be charged for when a finished version is released [for non-corporate use], a corporate version will be chargeable.

The problem is the ‘Giant’ has already been defeated, so it will need to be ‘fixed-up’ to attempt to restore its credibility, otherwise it will go the same way as the much over-hyped MSAV did when Bill last got ‘Security’ and end up a complete and utter flop.

The following is an excerpt from a report published by Forester Research on Spyware:

“39% of companies surveyed had no idea how many of their systems were affected. However, report author David Friedlander writes that the remaining respondents put the infection level as high as 17%. Indeed, According to Friedlander, the problem is likely to get worse, noting Forrester expects this to increase to as much as 25% within 12 months as spyware proliferates and becomes more aggressive.”

I have already been saying for some time that Spyware is the next big corporate headache, most companies don’t even know it is a problem as they don’t have the tools in place to know they are infected.

On the subject of MSAV [MicroSoft Anti-Virus], Bill hinted that they [MS] would have an anti-virus ’solution’ by the end of the year, details were somewhat lacking, so this may only mean that the recent Sybari acquisition will be re-released with the relevant MS branding. But, we may see Bill’s second attempt at desktop anti-virus.

The final area he mentioned that caught my ear was that there will be a new version of Internet Explorer [IE7] released. IE7 was not expected to be released before Longhorn, so it seems that Bill is somewhat concerned with the almost 10% swing away from IE6 since Firefox was released by Mozilla.org. A beta version is expected in the summer. This new version will attempt to address ‘Phishing’ and other security issues.

I applaud Microsoft’s attempts to fix many of the security problems which in many cases they helped spawn in the first place, due to the severe lack of security features in their operating systems and products. Will MS cause the established anti-virus vendors or anti-spyware vendors to lose any sleep? I somehow doubt it going on past attempts, but it may well start a price war which will be good for the consumer and corporate makets but could ultimately result in further consolidation of the industry.

So what was the overall theme from Bill? “Security is important”.

As Homer Simpson would exclaim, Doh! Talk about stating the obvious. Which alternate universe has Bill been in for the last 15 years?

I came across this neat little plugin for both Firefox and Internet Exploder that will spot Phishing Sites, so if you click on a link on a Phishing E-mail which claims to have come from your Bank [e.g. Natwest, CitiBank, Abbey, HSBC, etc.] it will show you which site it is really on, neat huh?

Here’s some blurb from the site:

What is SpoofStick?
SpoofStick is a simple browser extension that helps users detect spoofed (fake) websites. A spoofed website is typically made to look like a well known, branded site (like ebay.com or citibank.com) with a slightly different or confusing URL. The attacker then tries to trick people into going to the spoofed site by sending out fake email messages or posting links in public places - hoping that some percentage of users won’t notice the incorrect URL and give away important information. This practice is sometimes known as “phishing”.

What’s more is that it has also been updated to handle the so-called IDN or Homograph bug that all browsers except Internet Exploder suffer from.

Here’s the link: Spoofstick

The only problem is that currently this useful tool only works with Internet Exploder and Firefox, not Konqueror, Opera or Safari.

Anyone got any other useful security related plugins or browser tools that they would care to share details on?

I covered virus writers a few weeks ago, but made sure that I didn’t cover their alleged and actual motivations at that time, mainly because it is a complete topic in itself. So, I have decided to cover it now. So why do they write malware in the first place, what motivates them?

There are many possible reasons why people create malware but at the end of the day, only the original writer knows the real reason, but below are common reasons [there are many others]:

One virus writer that I asked, confessed to me that the reason he wrote viruses was:

“because I was bullied at school, and I’m using viruses to get back at them”.

Is it me or is this about as logical as using a nuclear weapon to kill one person in the midle of a heavily populated continent?

Another reasons for covering this topic now is due to the recent resurfacing of the ‘Urban Legend’ that goes something like this:

“The anti-virus companies write them, or pay others to create new malware, it’s in their interest as otherwise they would all be out of a job”

If that were true then the following must also be true:

• Thieves must be being shielded by the insurance companies or being paid by them? Hang on the police must be in on this scam too!
• Smoke-alarm makers or firemen are paying or shielding arsonists.
• Fitness instructors must be in league with the fast food companies!
• Dentists are funding sweet [candy] manufacturers.

What about Doctors, Nurses…..oh and Undertakers, the list is endless! Are they all corrupt, do they all drum up business by being unethical?

Please note I didn’t include politicians in that list

Conspiracy theorists would love this

However it is true that if new viruses creation significantly slowed, the industry would be effected, but not in the way most people envisage. The AV companies would be able to come-up with better products which were more proactive and that didn’t rely on the current ‘junkie fix’ cycle that end-users are ‘hooked’ on…..[Begin Chant] “must have virus signature updates……MUST have anti-virus updates!” [End Chant]

Even if the AV industry collapsed, the researchers/developers, and even the sales droids would find employment elsewhere. Sheesh, come to that so would I, malware/anti-malware is not my only specialism.

Microsoft’s much vaunted purchase of ‘Giant’; the anti-spyware company late last year caused a ripple of consternation in the anti-malware industry as it was the second in a series on ’security’ purchases made by the company. Yesterday, Microsoft completed its ’security product set’ when it announced that it had purchased Sybari, a messaging and e-mail anti-virus company.

So, Microsoft now has a third leg for its security tripod [should make it a tad more stable than a two-legged stool or chair]. Let us hope they don’t ruin another good product set.

Anyway, on with the ‘Giant’ story….

Many expected the malware authors to start poking and prodding the ‘Giant’ seeing if they could get under its skin, and lo and behold we have the following just in:

From ‘The Register’

“The first piece of malware to attack Microsoft’s new prototype anti-spyware product has emerged. The BankAsh-A Trojan disables Microsoft AntiSpyware Beta in an attempt to suppress any warning messages the package might display. It also deletes files within the program’s folder. Unlike other items of malware, BankAsh-A makes no attempt to turn off anti-virus apps.”

You know what they say, ‘The bigger they are, the harder they fall….’ Now malware authors know they can fool or slip by unnoticed past the ‘Giant’, the floodgates will open and the ‘Giant’ will be left penniless as all the jewels and treasure [your data] will be stolen!

Thank [insert deity of choice here] that there are still some anti-spyware products that Microsoft don’t own, otherwise it would be a case of getting out your virtual axe and performing surgery on your PC [chopping down the beanstalk], changing it from the MS infested slums that you are used to and moving up to Linux Luxury

Go on, be Jack…..

Yes it’s that time of the month again….

As hinted over the last few weeks Microsoft released 12 security patches yesterday. Of these eight of the patches are marked “critical.”
You can find more detailed information about each of the patches at the following URLs:

• http://www.microsoft.com/security/bulletins/200502_windows.mspx
• http://www.microsoft.com/technet/security/bulletin/ms05-feb.mspx

Here’s a quick reference table:

Bulletin Severity    Impact                   Supersedes
MS05-004 Important   Information Disclosure   N/A
                     Elevation of Privilege
MS05-005 Critical    Remote Code Execution    MS04-028
MS05-006 Moderate    Remote Code Execution    N/A
MS05-007 Important   Information Disclosure   N/A
MS05-008 Important   Remote Code Execution    N/A
MS05-009 Critical    Remote Code Execution    MS03-021, MS04-010
MS05-010 Critical    Remote Code Execution    N/A
MS05-011 Critical    Remote Code Execution    N/A
MS05-012 Critical    Remote Code Execution    MS03-010, MS03-026, MS03-039
MS05-013 Critical    Remote Code Execution    N/A
MS05-014 Critical    Remote Code Execution    MS04-038, MS04-040
MS05-015 Critical    Remote Code Execution    N/A


The ‘critical’ vulnerabilities include:

• Security bugs in Windows licensing logging service (MS05-010).
• Windows Server Message Block (MS05-011).
• Multiple flaws in Internet Explorer (MS05-014) which could be used by scumware [malware, spyware, phishing] to remotley control affected systems.
• A flaw in the way Windows Media Player and MSN Messenger process PNG files (MS05-009).
• A flaw in an ActiveX control in Windows which is used for DHTML Editing (MS05-013).
• A vulnerable Hyperlink Object Library in Windows (MS05-015).
• A bug in Windows OLE and COM middleware components affecting Exchange and Office could let hackers run hostile code on vulnerable systems (MS05-012).
• Finally, flaws with Office XP (MS05-005).

The MS03-026 vulnerability was used by the infamous Blaster worm [aka Nachiwhich caused many, many, problems during the later half of 2003. Looks like someone has found yet another flaw in the DCOM/RPC yet again!

10 out of the 12 have an impact for ‘Remote Code Execution’, which means that these vulnerabilities may well be added to malware to increase their chances of compromising a system. You have been warned, patch now rather than shutting the barn door after the horse has not only bolted but also attacked all your friends and neighbours and lots of other innocent parties too.

Even the CERT has published an advisory on this latest batch of cracks in Windows. SANS also has an article about this bunch of patches.

Interestingly McAfee has added detection to VirusScan for all of the latest crop of vulnerabilities, I wonder if other AV companies will follow their lead?

What does this mean to IBMers?

Expect a patch fest very soon!

I’ve finally managed to find some time to create some graphs and perform some trend analysis from the raw data from my WormCharmer. Hope they are of some interest?

In total I captured 2814 samples during January, which have been catalogued as 144 distinct families and variants. In comparison in December 2004 I captured 4934 samples which were catalogued as 141 distinct families.

During January I captured 21 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The first pie chart below shows the Top 10 distinct malware by percentage. As you can see this includes not only mass-mailers but also three share-crawling worms [2 Opaserv variants and 1 Ranky variant].

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

The full raw data is also available there, however that data is in a restricted area. If you feel you need access to it then please contact me to discuss.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.