MoMusings

Tuesday 28th February, 2006


Desktop to PDA Cross-infector Found

Filed under: All, Malware

Mobileav.org is reporting new malware that is allegedly able to spread from a normal Windows desktop computer to the PocketPC mobile platform. Information from the advisory posted on the site suggests that it erases files too.

Below you can see the contents of the text file that was supplied with the proof-of-concept malware:

"virus name: crossover virus - proof of concept
virus type: multiplatform

Target Platforms: Windows desktop OSs, Windows CE, Mobile with .NET CF 1.1

This is a proof of concept virus that shows how a virus can spread from a desktop computer to a pocket PC. With the growing use of handheld devices this type of virus may become very prevalent in the future. For viruses to be more effective they need to spread across a wider range of devices, including wireless devices. AVers have to be able to provide adequate protection to deal with these types of viruses. The crossover virus is named so because it crosses over from wired PCs to wireless pocket PCs. It is the first virus of its kind. When executed the virus checks what the current OS is. If it is not Windows CE or Mobile, the virus makes a copy of itself and puts a startup command to the copy in the registry local-machine-current-version-run. The virus then quietly waits for an ActiveSync connection to be detected; it can wait infinitely, and every time the desktop is rebooted the virus recreates itself and again adds new copies to the registry. Theoretically you can have so many copies running on startup that it could degrade or halt the PC’s performance. When an ActiveSync connection is detected the virus copies itself to the handheld device and remotely executes the virus to start running on the device.

If the current OS is Windows CE or Mobile the virus erases all files in the \My Documents directory of the device. Then it copies itself to the \Windows directory and creates a shortcut to the copy in \Windows\startup. When the device is reset the shortcuts execute their target files; here also you can theoretically have multiple copies of the virus running on startup.

The crossover virus was written in C# (C Sharp) using Visual Studio .NET 2003; the Communications Library of openNETCF.org was used and was a great help. It should run on any handheld device running Windows CE/Mobile and .NET CF 1.1.

This is proof of concept code for educational purposes only. This virus closes the gap between handhelds and desktops; now it’s one big world open to all."

So, in summary, the virus waits for a connection to be established from an infected desktop computer through ActiveSync; it then copies itself to the PDA or smart-phone running Windows CE or Mobile OS and carries out its payload, deleting files and creating a shortcut to itself on the PDA.

At the time of writing none of the major anti-virus companies seemed to have managed to get a sample from MARA. Once they do I will update this posting, so stay tuned!

Links:
Virus Passes From PCs to Mobile Devices (PC World)


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.


Bayes strikes again…

Filed under: All, Malware, Papers, Tools

Woohoo, my paper on using Bayesian Filtering to classify malware has been mentioned on none other than the ‘Loose Wire’ blog run by Jeremy Wagstaff. Jeremy, apart from having a very interesting blog, is also a regular columnist for the WSJ.

The paper was written for and presented at the Virus Bulletin 2004 international conference in Chicago, USA.

POPFile Screenshot

The tool he is discussing is POPFile, a FREE anti-spam tool for all platforms that support Perl [for Windows you don’t have to install Perl as it is all part of the Windows install package supplied].

It is very easy to set up and it learns very quickly. Why not give it a try?

The blog entry can be found here: How to Make More Use of the Vicar

The Vicar in question is Thomas Bayes, an 18th Century nonconformist minister who came up with a simple but very effective way to classify things using a simple theorem. If you want to know more then take a look at the paper.
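To show the idea behind the paper in working code, here is an added illustration (not the tool from the Virus Bulletin 2004 paper, whose method is not described on this page): a POPFile-style naive Bayes classifier applied to the printable strings of captured files. The bucket names, training strings and test dumps are constructed for the example.

```python
from __future__ import annotations

import math
import re
from collections import Counter, defaultdict

# Tokens are runs of letters, digits and the punctuation that carries signal in
# a strings dump ('$' in ADMIN$, '#' in IRC channel names, '.' in extensions).
TOKEN_RE = re.compile(r"[a-z0-9$#@.]{2,}")

# Constructed training corpus: printable strings you might pull from captured
# files, bucketed the way a capture system would label them. Every sample gets
# the same PE header boilerplate so the example shows that tokens shared by all
# buckets carry almost no weight.
COMMON = "This program cannot be run in DOS mode .text .rdata .data"
TRAINING = {
    "mass-mailer": [
        "HELO EHLO MAIL FROM: RCPT TO: DATA Content-Type: multipart/mixed attachment .pif .scr",
        "MAPI32.DLL MAPISendMail Outlook Express address book .wab smtp",
        "Content-Disposition: attachment; filename= .zip Subject: delivery failed mx record",
    ],
    "share-crawler": [
        "\\\\ ADMIN$ IPC$ C$ net use NetShareEnum WNetAddConnection2 administrator",
        "PRIVMSG NOTICE JOIN #channel NICK USER irc.exe ddos .flood",
        "password list: admin 123456 password root guest WNetEnumResource \\\\%s\\C$",
    ],
    "clean": [
        "Copyright (C) Microsoft Corporation. All rights reserved. Version 5.1 Usage: /? help",
        "OLEAUT32.DLL MSVCRT.dll KERNEL32.dll GetProcAddress LoadLibraryA ExitProcess",
        "Open Save As Print Edit View Help About Settings Font Color Undo Redo",
    ],
}


def tokenize(text: str) -> list[str]:
    """Lower-case a strings dump and split it into tokens."""
    return TOKEN_RE.findall(text.lower())


class BayesClassifier:
    """Multinomial naive Bayes with Lidstone smoothing, scored in log space."""

    def __init__(self, alpha: float = 0.5) -> None:
        self.alpha = alpha                                # smoothing constant
        self.token_counts: dict[str, Counter] = defaultdict(Counter)
        self.doc_counts: Counter = Counter()              # samples per bucket
        self.vocab: set[str] = set()

    def train(self, bucket: str, text: str) -> None:
        tokens = tokenize(text)
        self.token_counts[bucket].update(tokens)
        self.doc_counts[bucket] += 1
        self.vocab.update(tokens)

    def posteriors(self, text: str) -> dict[str, float]:
        """P(bucket | text) for every trained bucket; the values sum to 1.

        Each bucket's score is log P(bucket) + sum over tokens of
        log P(token | bucket). Smoothing gives unseen tokens a small non-zero
        probability instead of zeroing the whole bucket.
        """
        if not self.doc_counts:
            raise ValueError("classifier has not been trained")
        tokens = tokenize(text)
        total_docs = sum(self.doc_counts.values())
        log_scores = {}
        for bucket, n_docs in self.doc_counts.items():
            counts = self.token_counts[bucket]
            denom = sum(counts.values()) + self.alpha * len(self.vocab)
            score = math.log(n_docs / total_docs)
            for tok in tokens:
                score += math.log((counts[tok] + self.alpha) / denom)
            log_scores[bucket] = score
        # log-sum-exp normalisation avoids underflow on long string dumps
        peak = max(log_scores.values())
        log_z = peak + math.log(sum(math.exp(s - peak) for s in log_scores.values()))
        return {b: math.exp(s - log_z) for b, s in log_scores.items()}

    def classify(self, text: str) -> tuple[str, float]:
        """Return the most probable bucket and its posterior probability."""
        post = self.posteriors(text)
        best = max(post, key=post.get)
        return best, post[best]


def build_classifier() -> BayesClassifier:
    clf = BayesClassifier()
    for bucket, samples in TRAINING.items():
        for sample in samples:
            clf.train(bucket, COMMON + " " + sample)
    return clf


CLASSIFIER = build_classifier()


def classify_sample(strings_dump: str) -> tuple[str, float]:
    """Classify the strings of one captured file with the shared classifier."""
    return CLASSIFIER.classify(strings_dump)


if __name__ == "__main__":
    for dump in (
        "MAIL FROM: RCPT TO: attachment .scr Outlook",
        "net use \\\\target\\ADMIN$ administrator password PRIVMSG #botnet",
        "Print Preview Page Setup Font Color Help About",
    ):
        bucket, prob = classify_sample(dump)
        print(f"{bucket:14s} p={prob:.4f}  {dump}")
```

With real captures the buckets would be trained on thousands of strings dumps, and the posterior threshold at which a sample is flagged for manual review is a tuning decision.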



Monday 27th February, 2006


2006 Malware Predictions

Filed under: All, Malware, Exploits, Hoaxes

One of the things I do each year is to analyse what has occurred in the ‘big-bad-internet’ aka the ‘wicked-wicked-web’. I focus on what the Bad Guys/Girls[TM] have been up to; such as new platforms, techniques and technologies that they have used and abused during the previous year.

I then add all the data I have from the previous 20+ years of malware and related nastiness and try to predict what we may see in the coming year. This doesn’t include any predictions that might give the Bad Guys/Girls[TM] new ideas that they haven’t already tried, or at least discussed.

The last thing I want to happen is for me to give them something new to use; be it a technique, some technology they can abuse, or suggest new platforms they can attack. These ‘potentially dangerous’ predictions will not be published. I do not want to be held responsible for suggesting new ideas.

So let me disclose some of the results from being ‘up-to-the-armpits’ in malware entrails, meditations on 419 and phishing scams and looking at the vast pits of daily SPAM as well as gazing into my virtual crystal ball and interpreting the malware runes.

Without further ado, let us see what 2006 may hold.


The Obvious Ones:

  • Phishing to continue to grow
    More scams using social engineering to dupe users into disclosing private or confidential information or getting them to perform a task, such as running an attachment or deleting system files (user-initiated malware). More phishing scams will use malware such as key-loggers and backdoors to compromise or further exploit a victim’s system. However, we have already seen a move towards more targeted phishing and pharming.
  • Less mass-mailing worms
    We will actually see a fall in this method of distribution and an increase in the other, more stealthy and invisible, methods used by share-crawling worms and bots instead. Unlike others, I don’t believe that the mass-mailing worm is quite dead yet; I give it at least another 12 months. Many anti-virus vendors predicted its death at the end of 2004.
  • Increased use of blended threats and multi-stage attacks
    More vectors, more exploits, more fragmented attacks.
  • Increased social-engineering use in malware
    Malware authors are well aware that most often the weakest link in a company’s security is the person behind the keyboard. Until users gain a healthy level of paranoia the problem will continue and may be used more often to defeat a company’s anti-malware defence. 2005 saw numerous examples of social engineering being used to get users to infect their computers, fall for hoaxes, and disclose their personal and financial data to scammers and malware authors.
  • Increased Cyber Blackmail
    In 2006 I expect that this will also include the threat of infecting systems with new worms/viruses and more cyber-hostage malware. 2005 saw a number of cases of malware encrypting data and demanding a ransom. There were a number of high-profile DDoS attacks during the second half of 2005, and it seems that organised crime has moved its protection rackets into the digital world.
  • SPAM will continue to grow
    Despite the recent legislation passed in both the UK/EU and the US, and even allowing for the arrests/prosecutions of spammers in 2005, the growth in the risk of being caught will be offset by the increasing use of botnets as spam proxies.


The Less Obvious Ones:

  • Increase in Spyware and Adware as a problem in the corporate space
    Many companies currently don’t realise that they have a problem. This is expected to be one of the major areas of growth in 2006, both from the malware/spyware/adware authors and security solutions to counter the threat. If you don’t believe me just ask the average home user.
  • Mobile malware will continue to grow
    I expect that it will follow the same pattern that we have seen in the past with both DOS and Windows malware however I expect that the timeframe will be significantly shorter.
  • Increasing use of rootkit and/or stealth/cloaking technology
    Use of this technology can effectively make malware almost invisible to most current anti-virus and anti-spyware tools. I also expect that we will start to see a growth in true polymorphic and stealth Windows malware as malware authors try to hide from anti-malware tools.
  • Bots and botnets will continue to be the tool of choice for cyber-criminals
    What we will see in 2006 is a further move from using IRC for command and control to other methods, such as web servers running SSL [encrypted] command and control systems. We may also see encrypted peer-to-peer [P2P] networks created by bot/botnet creators as IRC server owners crack down on misuse of their servers. Furthermore, the increasing use of IPS/IDS to detect botnet IRC traffic will force the bad guys to move to encrypted protocols in an attempt to defeat these technologies.
  • Exploit code auctions to become common-place
    At the end of 2005 there was evidence that so-called zero-day exploit code was being offered for sale by authors. This was effectively an auction. It seems clear that this will become a common occurrence during 2006, as organised criminals look for new ways to gain access to targeted systems.
  • Broadening of Operating Systems and platforms being targeted
    It has become clear over the last few years that malware authors are increasingly looking at operating systems other than Windows. The amount of Linux malware is increasing steadily as they search for effective ways to target it. The same has been happening on the Apple Mac platform. We will see more, and increasingly complex and successful, malware for Linux and Mac operating systems during 2006.

Agree, disagree with these? Have your own predictions? If so, that’s what the comments function is for, use it. ;-)



Friday 24th February, 2006


Chain E-Mails, Hoaxes and Urban Legends, Oh My!

Filed under: All, Hoaxes

I wrote a paper a few years ago on this subject, entitled ‘Hoaxes and Other Electronic Ephemera’. It covered the impact of hoaxes, scams, chain e-mail, urban legends, etc. on companies and suggested ways to help control or eliminate the effects they have on network/e-mail resources and staff productivity. The paper was written for and presented at the Virus Bulletin 2001 International Conference held in Prague, Czech Republic.

I updated the paper for another conference in 2004, this being the first Open University - Combating Vandalism in Cyberspace conference. The paper was entitled: ‘Mind Wars: Attack of the Memes[1]’.

Both papers can be found here: http://arachnid.homeip.net/papers

If you are interested in memetics[2] then I have included a couple of pictures of books that would be good introductions to the subject, without being too involved, technical or boring.

Why am I informing you of this, now?

Well, two reasons:

  1. I haven’t covered this area in this blog yet, apart from hoaxes.
  2. A number of new hoaxes and chain e-mails have surfaced over the last month or so.


The first one below is the latest ‘Virus Hoax’ and is rather topical, as it plays on the Olympics.

Please read the attached warning issued today.

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS:

You should be alert during the next days: Do not open any message with an attached file called “Invitation” regardless of who sent it.

It is a virus that opens an Olympic Torch which “burns” the whole hard disc C of your computer.
This virus will be received from someone who has your e-mail address in his/her contact list, that is why you should send this e-mail to all your contacts.
It is better to receive this message 25 times than to receive the virus and open it.

If you receive a mail called “invitation”, though sent by a friend, do not open it and shut down your computer immediately.

This is the worst virus announced by CNN, it has been classified by Microsoft as the most destructive virus ever.

This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus.

This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.

SEND THIS E-MAIL TO EVERYONE YOU KNOW, COPY THIS E-MAIL AND SEND IT TO YOUR FRIENDS AND REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US.

The next one is a typical chain e-mail which has been circulating for many years in one form or another:

THIS TOOK TWO PAGES OF THE TUESDAY USA TODAY - IT IS FOR REAL

Subject: PLEEEEEEASE READ!!!! it was on the news!

!!!! It was on the news! Kathy South Alcoa - EHS Maintenance Coordinator Phone: 765/771 - 3547 Pager : 765/420 - 6575

To all of my friends, I do not usually forward messages, But this is from my good friend Pearlas Sandborn and she really is an attorney.

If she says that this will work - It will work. After all, What have you got to lose?
SORRY EVERYBODY.. JUST HAD TO TAKE THE CHANCE!!! I’m an attorney, And I know the law.
This thing is for real. Rest assured AOL and Intel will follow through with their promises for fear of facing a multimillion-dollar class action suit similar to the one filed by PepsiCo against General Electric not too long ago.

Dear Friends; Please do not take this for a junk letter. Bill Gates sharing his fortune. If you ignore this, You will repent later. Microsoft and AOL are now the largest Internet companies and in an effort to make sure that Internet Explorer remains the most widely used program, Microsoft and AOL are running an e-mail beta test.

When you forward this e-mail to friends, Microsoft can and will track it ( If you are a Microsoft Windows user) For a two weeks time period.

For every person that you forward this e-mail to, Microsoft will pay you $245.00 For every person that you sent it to that forwards it on, Microsoft will pay you $243.00 and for every third person that receives it, You will be paid $241.00. Within two weeks, Microsoft will contact you for your address and then send you a check.

Regards. Charles S Bailey General Manager Field Operations
1-800-842-2332 Ext. 1085 or 904-1085 or RNX
292-1085 Charles_Bailey@csx.com Charles_bailey@csx.com

I thought this was a scam myself, But two weeks after receiving this e-mail and forwarding it on.
Microsoft contacted me for my address and within days, I received a check for $24,800.00.
You need to respond before the beta testing is over. If anyone can afford this, Bill Gates is the man.

It’s all marketing expense to him. Please forward this to as many people as possible.
You are bound to get at least $10,000.00. We’re not going to help them out with their e-mail beta test without getting a little something for our time. My brother’s girlfriend got in on this a few months ago. When I went to visit him for the Baylor/UT game, she showed me her check. It was for the sum of $4,324.44 and was stamped “Paid in full”.

Like I said before, I know the law, and this is for real.

Just to make sure you all get the point of this posting, I suggest you watch this: http://www.softlab.ece.ntua.gr/~sivann/pub/swf/may02-smilepop-soapbox4.swf

Don’t worry, it is fun and educational too.

But ‘pleeeeease’ do NOT follow the advice at the end, just in case any of you were tempted to ;-)

[1] Memes (pronounced ‘Meems’ for plural, ‘Meem’ for singular) are contagious ideas, all competing for a share of our mind in a kind of Darwinian selection. As memes evolve, they become better and better at distracting and diverting us from whatever we’d really like to be doing with our lives. They are a kind of Drug or Virus of the Mind.
[2] Memetics is the study of Memes.



Thursday 23rd February, 2006


Patch Me Up!

Filed under: All, Malware, Exploits, Tools

According to a new survey ‘Two-thirds of U.K. businesses fail to patch’ their Windows desktops and servers. An older survey found ‘Patch Management An Ongoing Challenge For Many Companies’ with ‘only about one in five completely ready for the next virus attack’. Why is this a problem?

Well read on, and all will hopefully be made clear:

Over the last few years we have seen the window between a vulnerability being announced and malware exploiting it shrink from years to months, to weeks and, more often now, to just a few days[1]. So this area needs to be addressed in the fight against malware and spyware, as much of it uses known vulnerabilities [which have patches available] to gain access to vulnerable systems.

Some of these vulnerabilities may be used when you visit a website which uses exploit code that your system is not yet patched against. These are commonly called ‘drive-by-downloads’ or ‘drive-by-infections’. In most of these types of attack, such as with the WMF vulnerability, you may not even be aware that your computer has become infected. There is no warning, no download prompt, nothing to warn you or tip you off that something nasty and underhand has taken place during your visit to the site.


So, what can you do?
For home systems and those not already managed via third party or in-house patch management tools, you should at the very least ensure that all Windows systems are set to automatically check the Windows Update website at least once a week. If your systems run Windows 2000, 2003 or XP make sure you enable the Windows update service via Automatic Updates. This will ensure that updates are automatically downloaded and installed on those systems.

If you or your customers prefer to control when Windows updates are deployed across their networks, then you could use the Microsoft Software Update Server [SUS].

Here is some data on SUS from the Microsoft site:

SUS is a version of Windows Update designed for organizations that want to approve each software update before installing them. SUS allows administrators to quickly and easily deploy Windows related security updates and critical updates to any computer running Windows 2000, Windows XP Professional, or Windows Server 2003 systems. SUS includes the following capabilities:

  • Software updates can be approved on each SUS server, enabling testing in a separate environment as well as phased deployments across an enterprise.
  • SUS clients, which are the same as the Automatic Update component described earlier, can be configured to download software updates from the SUS server (saving bandwidth on shared Internet connections), or directly from Windows Update.
  • Software updates can also be copied onto a CD-ROM from an SUS server connected to the Internet, and then transferred to an SUS server in a protected network with no Internet access.

SUS servers require Windows 2000 Server or Windows Server 2003, IIS, and port 80 communications with SUS clients. SUS servers can be configured to synchronize software update packages and approvals either manually or automatically from a parent SUS server (or from Windows Update), enabling flexibility in how the environment is maintained.

There are lots of other third party patch management systems available, and some companies create their own instead of using off-the-shelf patch management tools.

Below are links to articles covering other solutions:

[1] There have been a number of malware strains using so-called ‘Zero-day’ exploits. In this case there is no patch from the vendor to fix the hole in the operating system or application, and other mitigation techniques are required to partially, or ideally completely, manage the situation until a patch becomes available. An example of this would be the WMF exploit that surfaced in December 2005 but was not patched by Microsoft until January 2006.

And now for something completely different, but related:
I have blogged about rootkits previously, but I came across a new one recently that I’d never heard of before.

The difference is that this one is not a piece of malicious software; it is actually a band named ‘Root Kit’ from Sydney, Australia. The fun thing is that they have just released a music video cheekily called ‘Patch Me Up’, hence the title of this entry, and it has lots of security buzzwords in it. Normally I’d just ignore such trivia, however the video is quite good and the song is catchy. There are a few comedy moments in there too.

Let me know what you think of it.

Oh, you want a link to it? No problem, here you go, via Google: http://video.google.com/videoplay?docid=9151435244001559688

If you prefer to download it, you can via this link: http://www.rootkitonline.com/NetNuke/Download/tabid/55/Default.aspx



Wednesday 22nd February, 2006


January 2006 Malware Review

Filed under: All, Malware, Stats

January has come and gone, and another interesting month on the malware front it has been; I have finally managed to find a bit of time to write a review!

Like previous months, I will cover some statistics from my own sensors and compare them with those from a couple of major anti-virus companies, and finally I will cover the new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis on the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects, and all the data is from the Internet; these systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 3 years, the Malware Bayesian Filter for 2 years.

In total I captured 2645 samples during January, which have been catalogued as 86 distinct families and variants. In comparison during December 2005 I captured 1822 samples which were catalogued as 61 distinct families/variants. As you can see January was below the average malware haul for 2005. As a guide, an average month’s captures for 2005 was around 3,000 samples, however January was significantly busier than December 2005.

During January I captured and submitted 6 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].
The low haul in January is partly due to an apparent slow-down in new samples being spread via SMB [Windows shares] which was first noticed in December 2005.

During January I reported 50 new phishing sites, which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar that I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] held onto pole position during January. However, Tenga only accounted for 39 percent of all captured files during January, a significant drop from the 63 percent of all captured files it was responsible for in December 2005!

Surprisingly the Mytobs bounced back in January, recovering significant ground lost during December 2005. The Sober family disappeared from the top 10 to be replaced by MyWife during January.

It seems that the share-crawling worms and bots lost a number of slots during January; in fact their share fell from six to just two. This left room for Netsky.P and Lovgate.X which have been around quite a long time to appear once more in the top 10.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see from the top 10 from Kaspersky [below], this month has seen Zafi.d consolidate its hold on the top spot, accounting for over 29 percent of reports. Mytob.c has had to make do with second place again in January, but with an increased margin, up from seventeen percent to twenty-two percent of reports. The rest of the chart is made up of Lovgate.w in third, Netsky.b in fourth, another Zafi [b] in fifth place, followed by Mytob variants [u and t] in sixth and seventh place. Netsky.q breaks up the Mytob run by stealing eighth place. The last two places see more Mytob variants [a and q] just managing to keep a place in the top 10.



In the SOPHOS chart we see a different pattern, with Sober-Z sitting in pole position. Netsky.p has grabbed back second place this month; its second place spot from December was stolen by Zafi.b, which has fallen to third place in January. Fourth spot is filled by Nyxem.D. Five Mytob variants [EX, FO, BE, C and AS] appear in the top 10, along with another Netsky variant [D].



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which accounts for over 39 percent of all samples caught. Mytob managed to claw back two places, from 4th to 2nd place. Third place is occupied by MyWife, aka Nyxem. Lovgate, Netsky and Mydoom complete the e-mail worms appearing in the top 10. The rest of the vacant spots are taken by share-crawling worms and bots, these being: Sdbot, Opaserv, Ranky and the related multi-component dropper.

Interestingly Zafi dropped out of the top 10 this month.
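The family chart above depends on mapping each vendor's detection name onto a family and a variant before counting, which is also why the Kaspersky and SOPHOS tables look so different. As an added illustration (not WormCharmer's own code), here is a normaliser for the naming styles quoted on this page, plus the aggregation that produces the family shares and the distinct family/variant counts; the capture records and the alias table are constructed.

```python
from __future__ import annotations

import re
from collections import Counter

# Detection-name conventions handled (modelled on the names quoted above):
#   Frisk/Sophos style : W32/Tenga.3666, W32/Netsky.P@mm, W32/Sober-Z
#   Kaspersky style    : Email-Worm.Win32.Zafi.d, Net-Worm.Win32.Mytob.c
#   Symantec style     : W32.Mytob.C@mm, OSX.Leap.A
NAME_RE = re.compile(
    r"""^
    (?:[A-Za-z-]+\.)?                  # optional behaviour class, e.g. Email-Worm.
    (?:W32|Win32|OSX)[./]              # platform prefix, then '.' or '/'
    (?P<family>[A-Za-z]+)              # family name
    (?:[.-](?P<variant>[A-Za-z0-9]+))? # optional variant: .P  -Z  .3666  .c
    (?:@\w+)?                          # optional mailer suffix such as @mm
    $""",
    re.VERBOSE,
)

# Constructed alias table: vendors name the same family differently (MyWife
# aka Nyxem above), so aliases collapse onto one canonical family name.
ALIASES = {"nyxem": "mywife"}

# Constructed capture log for one month: (number of captures, detection name).
CAPTURES = [
    (1030, "W32/Tenga.3666"),
    (310, "Net-Worm.Win32.Mytob.c"),
    (180, "W32.Mytob.EX@mm"),
    (150, "W32/Nyxem-D"),
    (90, "Email-Worm.Win32.MyWife.d"),
    (120, "W32/Lovgate.X@mm"),
    (100, "W32/Netsky.P@mm"),
    (70, "W32/Sober-Z"),
    (60, "Backdoor.Win32.SdBot.aad"),
]


def normalise(name: str) -> tuple[str, str]:
    """Map a vendor detection name to (family, variant), both lower-cased.

    Raises ValueError for names that follow no recognised convention so they
    can be queued for manual cataloguing rather than silently miscounted.
    """
    m = NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised detection name: {name!r}")
    family = m.group("family").lower()
    variant = (m.group("variant") or "").lower()
    return ALIASES.get(family, family), variant


def is_recognised(name: str) -> bool:
    """True when the name parses under one of the handled conventions."""
    try:
        normalise(name)
    except ValueError:
        return False
    return True


def family_shares(captures, top: int = 10) -> list[tuple[str, float]]:
    """Top-N families by percentage of all captures, vendor names normalised."""
    per_family: Counter = Counter()
    for n, name in captures:
        family, _ = normalise(name)
        per_family[family] += n
    total = sum(per_family.values())
    return [(f, round(100.0 * n / total, 1)) for f, n in per_family.most_common(top)]


def count_distinct(captures) -> tuple[int, int]:
    """(distinct families, distinct family+variant pairs) after normalisation."""
    pairs = {normalise(name) for _, name in captures}
    return len({family for family, _ in pairs}), len(pairs)


if __name__ == "__main__":
    for family, pct in family_shares(CAPTURES):
        print(f"{family:10s} {pct:5.1f}%")
    families, variants = count_distinct(CAPTURES)
    print(f"{families} families, {variants} distinct families/variants")
```

Note that Nyxem-D and MyWife.d are counted as one variant, which is what a per-family chart wants, while a per-vendor table would keep them apart.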



If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of January] here. This clearly shows that January was significantly busier than December, which was the quietest month in the last two years!

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 175,147 [as at the end of January 2006]. That’s a growth of 6,350 in one month! In 2005 we saw 56,369 new malware strains compared to 28,327 in 2004, so we have seen an almost 200 percent increase in new malware strains during 2005.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest or cover some of the interesting occurrences in January 2006.

Conclusions:
As you may have noticed phishing and 419 scams have been very aggressive during January and they show no sign of stopping. The growth in spyware is becoming a major problem and corporations need to address this now before it gets completely out of control with widespread infestations throughout their infrastructure.

Links:



Friday 17th February, 2006


Another Apple Worm

Filed under: All, Malware

After yesterday’s posting about the first ‘in-the-wild’ Apple Mac OS X worm, I thought it might be somewhat quieter on the Mac malware front for at least a while.

How wrong can one person be ;-)

So, today F-Secure announced that they have found another OS X worm [known as OSX/Inqtana.A]. This new one uses Bluetooth as its infection vector, just like the Cabir worm, which was written to target the Symbian OS used by a number of mobile phone and PDA manufacturers.

If the Mac community were thinking that ‘this was just a one off’ then they better think again, as this clearly shows that the ‘Bad Guys[TM]’ are looking very hard at OS X.

The good news is that this new Mac OS X Bluetooth worm is obviously a ‘proof-of-concept’, as it is rather hobbled by the fact that the Bluetooth library used is locked to a specific Bluetooth address and the library expires on 24 February 2006.

Links:
http://www.f-secure.com/weblog/archives/archive-022006.html#00000817



Thursday 16th February, 2006


Eek! Apple has a Worm

Filed under: All, Malware

If it isn’t the small number of *NIX evangelists boasting that their boxes can’t be infected by malware, then it is usually the Apple evangelists that are stating the same[1], all the while looking down their noses at the great unwashed; the Windows users!

This ‘it-can’t-happen-to-me’ attitude is either accompanied by loathing or pity.

Guess what, there is malware for *NIX and Apple has also been afflicted with malware from time to time, no Operating System is immune.

Well, today a new worm has been found that will spread to and infect Apple Macs running OS X, which is based on BSD [one of the common *NIX flavours].

The worm is currently known as OSX/Leap-A or OSX/Oompa-A.

This is what Sophos had to say about it:

“The OSX/Leap-A worm spreads via the iChat instant messaging system, forwarding itself as a file called latestpics.tgz to contacts on the infected users’ buddy list. When the latestpics.tgz archive file is opened on a computer it disguises its contents with a JPEG graphic icon in an attempt to fool people into thinking it is harmless.”

According to F-Secure: “The malware was originally posted via link to MacRumors forum pretending to be screenshot for Mac OS X v10.5 Leopard.”

So, what does it do?
Well, according to Symantec, this is how it works:

The worm makes use of the Spotlight search program, included in OSX, and will run each time the machine boots. It identifies any applications being started, and if iChat begins to run, the worm uses iChat to send the infected file – latestpics.tgz – to all contacts on the infected user’s buddy list. Those on the buddy list will then be asked to accept the file. If they do, the file will subsequently be saved to their hard drive. Files infected by OSX.Leap.A may be corrupted and may not run correctly.

So, the bottom line is that this is a ‘Worm’ and a ‘Companion Virus’: the virus part replaces files on the infected system with a copy of itself and saves the original file to a resource fork under the same filename. This means that when the ‘infected’ application is opened the worm activates first and then calls the original application from the resource fork.

The worm part allows it to spread via iChat to other systems; the file transfer is not visible to the sending user, as the worm hides the transfer status information. However, the worm part works in the same way as Windows instant messaging worms, in that the recipient has to accept and run the attachment, or click on a link to the malware, to start the infection process.
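As an added, defender-side example (not from the original post or any vendor write-up): a Python scan for the companion-virus indicator described above, namely an executable that also carries a resource fork large enough to hold the displaced original. It assumes the macOS ‘..namedfork/rsrc’ pseudo-path for reading forks; the size threshold and the sample files are constructed, and legitimate applications may carry forks, so hits are leads to examine, not verdicts.

```python
import os
import stat
import tempfile

# macOS exposes a file's resource fork through this pseudo-path (HFS+/APFS).
RSRC_FORK_SUFFIX = "/..namedfork/rsrc"


def resource_fork_size(path):
    """Bytes in the resource fork of `path`, or 0 if none. Only macOS serves
    the ..namedfork path; elsewhere stat() fails and we report no fork."""
    try:
        return os.stat(path + RSRC_FORK_SUFFIX).st_size
    except OSError:
        return 0


def is_executable_file(path):
    """Regular file (symlinks not followed) with any execute bit set."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & exec_bits)


def find_fork_carrying_executables(root, fork_size=resource_fork_size,
                                   min_fork_bytes=4096):
    """Return [(path, fork_bytes)] for executables under `root` whose resource
    fork is big enough to hide a displaced binary; tiny forks (icons, legacy
    metadata) are skipped. fork_size is injectable for testing off-Mac."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if is_executable_file(path):
                size = fork_size(path)
                if size >= min_fork_bytes:
                    hits.append((path, size))
    return hits


def constructed_sample():
    """Constructed fixture (no real malware): an executable the fake fork reader
    reports as carrying 8 KiB, a fork-less executable and a plain data file."""
    root = tempfile.mkdtemp(prefix="leap_scan_")
    for name, mode in (("suspect", 0o755), ("clean", 0o755), ("notes.txt", 0o644)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"placeholder bytes")
        os.chmod(os.path.join(root, name), mode)
    return root, lambda p: 8192 if os.path.basename(p) == "suspect" else 0
```

On a real Mac, run `find_fork_carrying_executables("/Applications")` with the default fork reader and review each hit by hand.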

“Apple Mac owners should remember that computer viruses started on Apple; the first one was known as Elk Cloner it infected diskettes inserted into an infected Apple II computer.”

Some pundits have said that this worm won’t get far as it requires human intervention to propagate successfully; all I say to them is ‘I Love You’[2]. The only difference is that Windows users are now more suspicious, whereas some Mac users believe they are safe and secure and can’t get infected. For them it is time to wake up and smell the coffee…

Like it or not, Mac OS X will see more malware now that a working ‘in-the-wild’ prototype has been released; expect lots of copycat versions over the coming months.

Links:
http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html?pl_id=9&lang_id=1&lp_keyword=firstosx
http://news.com.com/New+worm+targets+OS+X+chat+users/2100-7349_3-6040681.html?part=rss&tag=6040681&subj=news
http://www.f-secure.com/v-descs/leap_a.shtml
http://securityresponse.symantec.com/avcenter/venc/data/osx.leap.a.html
http://wiredblogs.tripod.com/cultofmac/index.blog?entry_id=1415489

[1] Luckily there are only a small number of such zealots; most *NIX and Apple users are not so blinkered. Let the ‘my-OS-is-better-than-yours’ flamewars begin [again] ;-)
[2] Aka Loveletter



Monday 13th February, 2006


Shoot that poison arrow to my heart…

Filed under: All, Malware

Well, it is almost that day of the year again when we all hope we’ll receive a card, gift or a proposal from a partner, spouse or a supposed ‘friend’, even from complete strangers, or at least from those that want to remain anonymous. Yes, it is almost ‘Valentine’s Day’; the day of that four letter word, L-O-V-E.

However, not all declarations of love are what they seem; sometimes they are ‘jokes’ or ‘malicious’, with the intent to deceive or worse.

With the rise in use of ‘e-cards’ and ‘e-mail’ as a medium for declarations of love, it is not surprising that this makes a prankster’s job easier, as they can hide behind a throw-away free e-mail account or anonymising services. Even worse, malware can be sent with the false declarations of love, poisoning not only your heart but also your computer.

The final insult is when malware authors themselves use these tactics in their creations to dupe the recipient into infecting their own computer, in the vain hope that someone loves them enough to send them an e-mail, e-card, etc. Yes, I’m talking about that old favourite technique of the malware authors: Social Engineering.

So, why am I writing about this now? Well, the simple answer is that some of the ‘Bad Guys [TM]’ have started sending out ‘Valentine’-related e-mails with links to an ‘e-card’ that has supposedly been sent to you. This is what the latest e-mail looks like*:

If you click on the link, then in most browsers you’ll see the following:

If you are using Internet Explorer you will also see the following, which will install a so-called ‘Flashplayer ecards’ ActiveX control.

Guess what? The ActiveX control that gets installed is not a player for the e-card, it is malware; you have just infected your computer!

If you use ‘Firefox’ or ‘Mozilla’ the page doesn’t seem to display at all; using Opera will show the page, but the popup for the ‘Flashplayer’ doesn’t seem to appear. So it is another good reason not to use the ‘malware’ or ‘spyware/adware’ authors’ favourite browser [IE]. Don’t believe me? Then read this: “New academic research says Internet Explorer users can be up to 21 times more likely to end up with a spyware-infected PC than Firefox users.”

This technique is not new; it has been used very successfully in the past, not just with bogus ‘e-cards’ but with poisoned e-mail attachments, instant messages with poisoned links, poisoned web sites, and so on. It is also not limited to Valentine’s Day: Christmas is popular too, as are any other widely known anniversaries or events.

The problem in this case is that there is a real ‘e-card’ site being harmed by this. The malware author has stolen web content from the ‘real’ site, registered a very similar domain name and sent out lots of e-mails that claim to have come from users of the ‘real’ site or from the site itself.

So, please be careful out there on Valentine’s Day; don’t fall for the bogus e-cards or any other social engineering tricks that the ‘Bad Guys [TM]’ will use for the next few days. If you wear your heart on your sleeve you may end up with a poison arrow not just through your heart, but through your computer’s too!

Well, at least someone loves you: the malware authors and spyware/adware authors certainly do, as without you their job would be so much tougher!

Now all together, sing:

Who broke my heart?
You did, you did
Bow to the target,
Blame cupid, cupid
You think you’re smart
Stupid, stupid.

Shoot that poison arrow to my heart
Shoot that poison arrow
Shoot that poison arrow to my heart
Shoot that poison arrow…

So, who would you be most tempted to open a Valentine e-card or e-mail from? Brad Pitt, Tom Hanks, Jennifer Lopez, Kate Moss, or someone else? Go on, confess; it’s good for the soul.

Apologies to any ABC fans out there for ‘borrowing’ some lyrics from the song ‘Poison Arrow’ from the album ‘Lexicon of Love’.

* This particular piece of malware is pretty new; many anti-virus products did not detect it at the time I wrote this entry. Never fear, a sample has been sent to them all, just to show that I love them, you understand ;-) .

A link to the data submitted to the anti-virus vendors, including scan results, can be found here: http://vsub.blogsome.com/2006/02/13/vs0602001-possible-new-malware-microjoiner/



Thursday 2nd February, 2006


Should This Have Been Sent to Paris…

Filed under: All, Scams

Hilton instead of me?

Here’s an interesting e-mail I received this morning; basically, someone wants to build a Hotel or Theme Park in ‘my’ country. That’s all well and good, as I’m happy to help new enterprise, and the UK could always do with more hotels or theme parks, couldn’t it? ;-)

I would, however, suggest that you read the whole e-mail, and my comments below it, before you all rush to help.

Here is the full e-mail*:

From: Mr Kuso (mr_kusonext @hotmail.com)
Subject: Hello Sir,
Date: Thu, 02 Feb 2006 03:30:49 +0000
	
Dear Beloved,
	
I am looking for your cooperation in building a Tourist Hotel/amusement
theme park in your country. I am sorry if this is not in line with your
business.I need an experienced person like you to assist me to set up ,
develop the project and assume responsibility of ownership as chairman
but  will be bringing in profit /distribute profit monthly or annually.
	
I am Puluzi Kuso,a citizen of Malawi.A former Presidential adviser  on
Budget and planning to the former president of malawi,Bakili Muluzi .I
acuirred this money as a result of gold and diamond export.
	
Now the present government of Dr bingu wa mutharika has intensified  efforts
  at probing Muluzi's government,which has made it quite impossible for  me
to  claim the funds,With this,goverment officials have turned their backs
on us  and have been frustrating me and others that served under Bakili
Muluzi  .That is why i need someone like you who is trustworhty and
honest,to  assist  me achieve my objectives,and also manage the business for
me.
	
It is pertinent to note that because of my present condition and  situation
and also because of government's searchlight on former ministers who  served
  under Bakili Muluzi.Therefore i need someone like you for us to work as
partners.I will send the legal papers to you for the release of the  funds
as  my proxy/beneficiary.
	
However ,I got your email information on your Hotel contact list,that  is
why  i am making this exclusive contact with you. your immediate reply will
be  highly appreciated and I shall give you more information on this
project,and  your percentage and all what is expected of you.
	
Please contact me at my private email address.Your response is higly
welcomed.
	
Thanks and God bless.
	
I Remain Yours;
	
Puluzi Kuso

Well, anyone still interested? Did any alarm bells go off in your head, or are you all ‘gung-ho’ to help this chap out and participate in this wonderful opportunity?

I wonder what he will call the hotel? I suggest ‘Fraudy Towers’. Whatever he calls it, I suggest that you don’t ask for a ‘Waldorf Salad’, oh and don’t request a ‘Screwdriver’, as you’ll probably end up using what you get back from Mr Fraudy as a murder weapon.

If he creates a theme park instead, I would suggest that he calls it ‘Lagos Land’ or ‘Wally’s Folly’. Have you guessed what this e-mail is yet?

Here’s a big clue: think of winning a lottery you don’t remember entering, or trapped funds/oil/gold. Did that help?

Yes, this e-mail is just a new twist from the boys from Lagos, aka the 419ers, aka the Advance-Fee-Fraud cottage industry. It is a scam: there is no money, any data you supply may be used to steal your identity, and if you are naive enough to fall for this then you’ll be expected to send money for bribes, etc. to help get the non-existent money out of the country.

BTW, did I mention that this is a scam and there is NO money? ;-)

If anyone has other suggestions for hotel or theme-park names this chap could use, or even names for possible rides for such a theme park, then pop them in a comment and I’ll collate them and send them back to him.

* Please note, this is the original e-mail body, any speeeling mishtakes in it are hiss and knot mine, all other spelling mistakes are mine ;-)

