Archive for December, 2009

Online Safety: Tips to Protect Your Information

Monday, December 21st, 2009

Posted by: Barracuda Labs

With the increased awareness and attention around incidents of identity theft, consumers are becoming more vigilant in how they provide personal information online. At the same time, businesses that require such information to complete a transaction also must evaluate how they collect that information online from consumers.

For example, a colleague recently forwarded the email below from Southwest requesting personal information to complete the Transportation Security Administration’s (TSA) Secure Flight verification. Because the email was sent after the flight reservation was booked, it was unclear to the recipient whether or not the email was legitimate. Upon examination, it is clear that this is a legitimate email from Southwest; however, it is one that could easily be forged by a spammer or hacker attempting to collect a user’s personal information.

As people are making final travel arrangements and gift purchases online in this last week leading up to the holidays, Barracuda Networks has compiled a number of tips to help consumers discern legitimate emails and Web sites from malicious attempts, as well as recommendations for businesses to better serve their consumers online.

Online consumer safety:

1. Real or fake? Do not click on links included in an email. Instead, type the address directly into your Internet browser.

2. Email security and anti-virus solutions up-and-running. Make sure you have a strong email security solution in place that can block spam and phishing emails as well as detect and block viruses and other malware (including malicious Web links) contained in the email. As an extra precaution, make sure your desktop anti-virus protection is up-to-date and running. This will keep any viruses/malware not sent over email from infecting your computer or adding you to a larger botnet.

3. Strong Web filtering. Having a strong Web filter in place will allow you to block access to potentially dangerous Web sites. Web filters can block downloads by file type and applications that access the Internet (i.e. IM, music services, etc.) that are often used by hackers as a means of transporting malware onto your computer.

4. When in doubt, check it out. If you receive an email from a business that you recently have done an online transaction with – retail, bank, airline, etc. – and are not sure of its authenticity, check it out. Call or email the business to verify that the request is legitimate. Also, you can go directly to that company’s Web site to look for warnings listed of recent Web scams that have targeted the business.

Helping businesses serve customers:
1. On-site, at-once. Request all necessary customer information at the time of purchase, while the consumer is on the Web site. In the case of the Southwest email, if the consumer had been directed to the “MySouthwest Account” to provide this information at the time of flight reservation and purchase, it would have expedited the process for the consumer and eliminated the need to send a follow up email that raised the suspicion of the recipient.

2. Avoid follow up email. Consumers are likely to be more suspicious of emails requesting that they log back into – or create – an account to provide personal information.

3. Provide clear instructions. If sending a follow up email to complete the transaction is unavoidable, provide a clear message to the consumer at the end of the initial online transaction – before they leave the Web site – so that they know to expect an email that will require additional information and what that required information will be.

4. Privacy Policy. Be sure to provide a privacy policy that’s easy to find and is clear on what the Web site will and won’t do with the information entered.

5. Protect customer information on your site. Businesses are responsible for ensuring that the customer information that it collects online is protected from those with malicious intent. Implementing a strong Web application firewall protects the business Web site from being hacked and customer information from being stolen.

The underlying goal here is to enure that businesses that legitimately require user information receive it in a timely and secure fashion. That will keep the bad guys out of consumer’s wallets and bank accounts, and from stealing their identities.

If you look at the email you will see that we have identified the hyperlinks take you to a legitimate Southwest domain. We know it is a legitimate Web site because the URL contains the Southwest domain.

Share

Posted in Email Security, ID Theft, Internet Security Tips, Security, Web Security | No Comments »

Yet Another Reputable Site Asks You to Install Rogue AV

Friday, December 18th, 2009

Posted by: Barracuda Labs

Yet another reputable site has fallen victim to compromise — University of Arkansas.

This Tuesday, Barracuda’s Malicious Javascript Detection engine (MJD) identified Rogue AV software being distributed from a page that belongs to the University of Arkansas Web site. When users accessed a particular page from the university Web site, it opened a window warning them about their computer being infected with viruses and then subsequently downloaded an anti-virus software which was identified to be a fake anti-virus software.

A forensic analysis of the attack revealed that the user requested the following:

hxxp://bumperscollege.uark.edu/ssp_director/inc/html/d/georgia-inmate-query.html

which in turn requested a javascript from a malicious domain via script include:

hxxp://xrusx.com/counter.php?sref=bumperscollege.uark.edu/ssp_director/inc/html/d/georgia-inmate-query.html

which contained further malicious javascript includes that generated fake warning messages on the user’s computer.

And ultimately attempted to download setup.exe:

setup.exe was linked off another malicious domain:

hxxp://www.loker.us/forum/attachments/setup.exe

While investigating deep into the tracks of the user to determine how the user got to this page, we made yet another interesting discovery. Our investigation could not find user browsing a page linking directly off Universityof Arkansas linking the malicious page that was distributing the Rogue AV. Instead, it was a Bing search result that lead user to this page. Specifically, one customer using the Barracuda Purewire Web Security Service searched for ‘georigainmatequery’ on Microsoft Bing search engine.

hxxp://www.bing.com/search?q=georgiainmatequery

Which yielded following results:

As you can see, the malicious link from uArk.edu shows up in the bing search results — and in the number two spot. The page is leveraging uArk.edu’s reputation ranking in what we’ve previously reported on as SEO poisoning (see previous post). This is becoming increasingly more popular as hackers are targeting vulnerabilities in legitimate Web sites since it makes the malicious page more likely to be visited. While search engines have been proactively adding malware scanning in their arsenal, legitimate Web site owners also need to take proactive steps to keep their site free of such malicious content.

Customers using the Barracuda Purewire Web Security Service are protected from this attack.

Share

Posted in Research, Security, SEO Poisoning, Web Security | No Comments »

Web Security: Be Careful Clicking on the Google Doodle

Tuesday, December 15th, 2009

Posted by: Barracuda Labs

It’s been widely reported that Google sponsored links are being used for malicious purposes. Once again, Google is an easy target and consumers are vulnerable. Rogue AV continues to be a big business, and the criminals are taking advantage of the more popular (and trafficked) areas to spread their wares.

Today, December 15, 2009, is the 150th birthday of LL Zamenhof, the inventor of Esperanto (an international auxiliary language).

Google celebrated by decorating its logo with the flag of Esperanto, turning it into what is called a Google Doodle (Google often uses its logo to celebrate various historical events etc http://www.google.com/logos/).

Clicking on the Google Doodle performs a search for the term “LL Zamenhof” – making it remain steady in the top 5-10 most popular searches of the day. Malware distributors have recognized this significant opportunity to concentrate their poisoning efforts on popular search terms. This is just another egregious act of criminals using these Google popular search terms – and SEO poisoning – as vehicles to carry out their malicious intent.

On page one of the search results, one of the examples falls under the domain rubbermouse.com —- The poisoned results point to legitimate domains that have been compromised. This leverages the site’s already good Google reputation so that the results do not appear with a Google safesearch alert. This is becoming increasingly more common for almost any popular search term.

Once the user clicks on the link, he/she is then re-directed to a Rogue AV site (hxxp://antyspywaretoday.net….). On this page, the user is given a warning that the computer might be infected, a fake scan ensues, then the user is prompted to purchase the AV software — regardless if the user clicks on the “OK” or not.

How prevalent is this? First 100 results, there are 31 poisoned sites. Even better, first 50 results, there are 27 poisoned sites. These criminals get search engine optimization – and are good at it!

The sites are hard to identify – and hard to remove – since they are designed to re-direct to multiple sites (some with malicious intent such as selling Rogue AV, and some offering up nothing more than a waste of time via a fake search site). Regardless, these rogue orphan pages exist and are under the control of those who can, with the push of a button, offer up dangerous exploits to attack users, steal information, and damage corporate networks.

What’s most concerning about this – Google is posting its Doodle, inviting users to click (out of their own curiosity, they will), and then serving up more than half of the results as malicious. What does that say about the current state of search and SEO?

Below are several screenshots taken from this experiment.

GoogleDoodle1 – Google Doodle from today 12/15/09.

GoogleDoodle2 – First results: at first, these look good. Upon further review, the entry with the link sio.ucsd.edu/cop15/newsroom/?byza=6 shows that it’s gibberish… The site is most likely compromised, but it’s down as of this writing.

GoogleDoodle3 – Most of the results in this image are poisoned and clicking on the rubbermouse.com link provides GoogleDoodle4 (see below).

GoogleDoodle4 – Once clicking on rubbermouse, the user is then redirected to the fake antivirus site regardless of which button is pressed.

GoogleDoodle5 – This additional prompt attempts to reassure the user about downloading the payload. Until the payload is downloaded, the user is not really infected.

GoodleDoodle6 – This Web page is carefully crafted to mimic the Windows look and feel, but it’s still a Web page. A javascript animation makes it look like the user’s computer is being scanned and threats are being found. Nothing of the sort is taking place.

GoogleDoodle7 – Once it’s done “scanning” the user is then served this page — and there are no mouse options at this point.

GoogleDoodle8 – This is an attempted delivery of the payload. Until the user clicks “run” on one of these dialogs, he/she is not infected. If the user does click, the program will install (in this case, Internet Antivirus Pro) but does nothing real other than nag the user for money so that it can be ‘activated’ for use. These fake antivirus programs (Rogue AV) purport to find many threats, but in fact do not find or fix anything at all.

GoogleDoodle9 – This image shows the Internet traffic generated by this click. From the compromised site rubbermouse.com, it goes to a free Webhost in Poland which redirects the browser to an intermediary, godotscan.com. This site then redirects the browser to the final malicious site, docipge.cn. This site will most likely be active for only a few days before it’s replaced by a new landing site.

Share

Posted in Research | 1 Comment »

Preview to a Possible Future of Rogue AV

Wednesday, December 2nd, 2009

Posted by: Barracuda Labs

Yesterday, Purewire’s Malicious Javascript Detection (MJD) engine identified the following malicious URL:

hxxp://unsoft.eu/hitin.php?affid=02992

The site uses a now ubiquitous social engineering lure: fake javascript-generated alerts that claim the user’s system is infected with malware:

If the user believes these alerts to be genuine, the following Rogue AV software (called “Privacy Center”) will end up installed on their system:

The above screenshots well-represent what Rogue AV looks like today. But what about the Rogue AV of tomorrow? The investigation of other malicious domains related to unsoft.eu yielded the discovery of one such future vision of rogue software.

The story of this vision begins at newtunesclub.com, which resolves to the same IP address as unsoft.eu. However, instead of serving the user fake pop-up scanners and alert notifications, the site claims to act as a media distribution portal:

In addition, unlike some rogue software operations, newtunesclub.com is well put-together and includes a functioning search engine. As an example, the top result of a search for “Troy” is the 2004 movie of the same name; clicking on the result presents the user with accurate release and cast information, a series of movie stills, and a link to download the movie:

Yet, instead of a large movie, a small executable is served when the user clicks on the Download button. This executable has the same icon as the Rogue AV software served off of unsoft.eu:

In addition, about half of the few VirusTotal detections identify the above Troy executable as Rogue AV:

http://www.virustotal.com/analisis/4f40e8bb48d660a8b3d13d19f401a2f831469e
aa7dd6607be872860d0c7ef1c3-1259366297

However, the similarities between these two binaries end at identical icons and similar AV detections. When Troy.exe is run, a larger executable is downloaded from the following location:

hxxp://iqmediamanager.com/download/0

This larger binary is automatically executed and installs an interesting type of rogue software (called “IQ Manager”) on the user’s system:

Before IQ Manager even attempts to connect outbound, a child window appears, stating that there are “no empty spots” in the “shared channel”, and that the user must “wait their turn” or “activate the VIP Channel”. Activation, of course, requires a credit card.

However, even if the user decides not to perform activation, the download proceeds:

Upon completion, the resulting file was indeed a playable copy of the 2004 movie Troy. Subsequent investigation into IQ Manager’s operation revealed that it acts as a BitTorrent client, using torrents offered by the popular tracker thepiratebay.org.

While current Rogue AV software offers the user almost nothing, newtunesclub.com and the IQ Manager software collectively provide a functional (if illicit) download service that will meet many users’ expectations. If this model proves financially successful for the criminals behind it, “pay for free” software could become a standard that forms the face of tomorrow’s rogue software.

Users of the PWSS are protected from this emergent threat.

Share

Posted in Research | No Comments »