Notorious Koobface worm ported to Mac OS X

Security researchers say they’ve been monitoring a Mac OS X version of the notorious Koobface worm, which uses advanced rootkit techniques to stealthily hijack infected machines.

Although the Mac version isn’t yet ready for prime time, it is nonetheless a sophisticated piece of software that developers put a fair amount of effort into implementing. It was designed to use Oracle’s Java framework to infect not just Macs, but Linux and Windows machines as well, according to Mac antivirus provider Intego. Once installed, the malware gives attackers complete control over the computer.

“While this is an especially malicious piece of malware, the current Mac OS X implementation is flawed, and the threat is therefore low,” Intego researchers wrote in a blog post published Wednesday. “However, Mac users should be aware that this threat exists, and that it is likely to be operative in the future, so this Koobface Trojan horse may become an issue for Macs.”

For that to happen, attackers will probably have to figure out how to bypass a window OS X prominently displays warning that a self-signed Java applet is requesting access to the computer.

http://www.theregister.co.uk/2010/10/27/koobface_for_mac/

Credit card ‘flash attack’ steals up to $500,000 a month

Credit card fraudsters may have pocketed as much as $500,000 over the past month by pursuing a new type of attack that exploits a major blind spot in payment processors’ defenses, an analyst said.

The "flash attacks" recruit hundreds of money mules who go to ATMs throughout the US and almost simultaneously withdraw relatively small sums of money from a single compromised account, according to Avivah Litan, vice president at market research firm Gartner, who follows the credit card industry. They then move on to a new account. At the end of the month, the heists can fetch as much as $500,000.

“The resulting cash transactions fly under the radar of existing fraud detection systems — they are typically small amounts that don’t raise any alarms,” Litan blogged on Tuesday.

She has dubbed the method a “flash attack” because as much as $100,000 can be stolen in as little as 10 minutes.

http://www.theregister.co.uk/2010/10/27/credit_card_flash_attacks/
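
The pattern Litan describes is invisible to a per-transaction amount rule but stands out once withdrawals are grouped by account and time window. The following detection sketch is an added example, not code from the article or from any payment processor; the log rows, account and ATM names, and the threshold of five distinct ATMs are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # burst length quoted in the article
MIN_DISTINCT_ATMS = 5           # assumed threshold; tune against real traffic

# Constructed sample log: (ISO timestamp, account, ATM id, amount in USD)
SAMPLE_LOG = [
    ("2010-10-26T14:00:05", "ACCT-A", "ATM-NYC-01", 200),
    ("2010-10-26T14:00:40", "ACCT-A", "ATM-LAX-17", 300),
    ("2010-10-26T14:01:10", "ACCT-A", "ATM-CHI-04", 200),
    ("2010-10-26T14:02:30", "ACCT-A", "ATM-MIA-09", 300),
    ("2010-10-26T14:03:15", "ACCT-A", "ATM-SEA-02", 200),
    ("2010-10-26T14:04:00", "ACCT-A", "ATM-DAL-11", 300),
    # Benign traveller: five ATMs, but hours apart
    ("2010-10-26T08:00:00", "ACCT-C", "ATM-BOS-01", 100),
    ("2010-10-26T10:00:00", "ACCT-C", "ATM-BOS-02", 100),
    ("2010-10-26T12:00:00", "ACCT-C", "ATM-BOS-03", 100),
    ("2010-10-26T14:00:00", "ACCT-C", "ATM-BOS-04", 100),
    ("2010-10-26T16:00:00", "ACCT-C", "ATM-BOS-05", 100),
]

def amount_rule(log, limit=1000):
    """Baseline per-transaction rule: only flags a single large withdrawal."""
    return [row for row in log if row[3] >= limit]

def detect_flash_bursts(log, window=WINDOW, min_atms=MIN_DISTINCT_ATMS):
    """Flag accounts that withdraw at >= min_atms distinct ATMs inside window."""
    recent = defaultdict(deque)  # account -> withdrawals still inside the window
    alerts = {}
    for ts, account, atm, amount in sorted(log):
        now = datetime.fromisoformat(ts)
        q = recent[account]
        q.append((now, atm, amount))
        while now - q[0][0] > window:  # drop withdrawals older than the window
            q.popleft()
        atms = {a for _, a, _ in q}
        if len(atms) >= min_atms:
            total = sum(x for _, _, x in q)
            # Keep the largest burst seen for this account.
            if account not in alerts or total > alerts[account]["total"]:
                alerts[account] = {"start": q[0][0], "atms": len(atms), "total": total}
    return alerts

if __name__ == "__main__":
    print("amount rule hits:", amount_rule(SAMPLE_LOG))
    for account, hit in detect_flash_bursts(SAMPLE_LOG).items():
        print(account, hit)
```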

FTC closes investigation into Google’s Wi-Fi snooping

The U.S. Federal Trade Commission has closed an investigation into Google Street View cars snooping into open Wi-Fi networks, with the agency declining to take action.

Google’s announcement in May that its Street View cars mistakenly collected data from open Wi-Fi networks raised FTC concerns "about the internal policies and procedures that gave rise to this data collection," wrote David Vladeck, director of the FTC’s Bureau of Consumer Protection, in a Wednesday letter to Google.

However, Google has announced improvements to its internal processes, added privacy training for key employees, and has begun a privacy review process for new initiatives, Vladeck added. The company has also promised to delete the data collected, and has told the FTC that it will not use the data in any product or service, he wrote.

"This assurance is critical to mitigate the potential harm to consumers from the collection of the payload data," Vladeck wrote.

http://www.networkworld.com/news/2010/102710-ftc-closes-investigation-into-googles.html

How to protect against Firesheep attacks

A VPN encrypts all traffic between a computer — a laptop at the airport gate, for instance — and the Internet in general, including the sites vulnerable to Firesheep hijacking. "It’s as good a solution as there is," Wisniewski said, "and no different, really, than using encrypted Wi-Fi."

One provider, Strong VPN, prices its service starting at $7 per month or $55 per year.

Gallagher, however, warned that a VPN isn’t a total solution. "That’s just pushing the problem to that VPN or SSH endpoint," he said. "Your traffic will then leave that server just as it would when it was leaving your laptop, so anyone running Firesheep or other tools could access your data in the same way." [..]

If free is the object, there are options there, too, said Wisniewski, Sullivan and Gallagher, who pointed to a pair of free Firefox add-ons that force the browser to use an encrypted connection when it accesses certain sites.

One of those Firefox add-ons, HTTPS-Everywhere, provided by the Electronic Frontier Foundation (EFF), only works with a defined list of sites, including Twitter, Facebook, PayPal and Google’s search engine.

The other choice, Force-TLS, serves the same purpose as the EFF’s extension, but lets users specify which sites on which to enforce encryption.

However, other browsers, such as Microsoft’s Internet Explorer and Google’s Chrome, lack similar add-ons, leaving their users out in the cold.

"I expect that [Firesheep] will spur the EFF or others, maybe in the open source community, to some additional development [of such add-ons], maybe Chrome ports of those extensions," Sullivan said.

That could take months. In the meantime, Sullivan had another idea. "A MiFi device can encrypt [traffic], so with one you’re always carrying your own Wi-Fi hotspot with you," he said.

MiFi isn’t cheap, however. Verizon, for example, gives away the hardware but charges between $40 and $60 per month for the access to its 3G network.

http://www.computerworld.com/s/article/9193201/How_to_protect_against_Firesheep_attacks?taxonomyId=142&pageNumber=2

New FireSheep-Style Tool Hijacks Twitter Sessions

Days after researchers at the ToorCon Security Conference in San Diego released a tool to hijack insecure Web sessions on Facebook, iGoogle and Flickr, a developer has released a similar tool, dubbed "Idiocy," that does the same for insecure Twitter sessions.

There’s a twist, though. Rather than just monitor the unsecured Web sessions, the new tool allows the attacker to post a warning message using the Twitter account of the unsuspecting user (can we call them "Twidiots"?)

The software is the creation of Jonty Wareing, a 26-year-old software developer for Last.fm in London, UK. Wareing created Idiocy "at 7 AM in a fit of irritation" and released it on github.com. The program "quitely (sp) watches for people unsecurely (sp) visiting twitter on public wifi networks, then hijacks their session to post a tweet warning them about the dangers," according to a description that accompanies the application.

Contacted using instant messenger, Wareing said he created the program after reading about FireSheep, the browser plugin that snooped on insecure social networking sessions.

Like Firesheep, Idiocy simply streamlines an attack that is "as old as the hills." "It’s been simple to exploit for many years, but there was always an entry barrier," he wrote. Idiocy attempts to lower that barrier. The tool monitors unencrypted wifi traffic, extracting the cookie headers for domains (like Twitter.com) that it’s interested in. Idiocy then uses the cookies to send HTTP requests to the user’s Twitter account that tweet a message and link to an explanatory Web page set up on Wareing’s blog. The tweet reads "I browsed twitter insecurely on a public network and all I got was this lousy tweet."

"The main difference is that idiocy is designed to warn the user that they are vulnerable to attack," wrote Wareing, who claims his motivation was really to protect users.

http://threatpost.com/en_us/blogs/twidiots-new-firesheep-style-tool-hijacks-twitter-sessions-102710
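
Both the Firesheep advice and the Idiocy write-up above come down to session cookies crossing the network in the clear. On the site operator's side, the matching check is whether session cookies carry the Secure attribute (sent only over HTTPS) and whether HTTPS responses send Strict-Transport-Security. The audit below is an added example, not code from either article or tool; the hostnames, header lines and the cookie-name heuristic are constructed assumptions.

```python
# Constructed sample responses: (URL, raw response header lines)
SAMPLE_RESPONSES = [
    ("http://social.example/login", [
        "Set-Cookie: session_id=abc123; Path=/; HttpOnly",
        "Set-Cookie: lang=en; Path=/",
    ]),
    ("https://bank.example/login", [
        "Strict-Transport-Security: max-age=31536000",
        "Set-Cookie: session_id=def456; Path=/; Secure; HttpOnly",
    ]),
    ("https://mail.example/", [
        "Set-Cookie: auth_token=xyz; Path=/; HttpOnly",
    ]),
]

SESSION_HINTS = ("sess", "auth", "token", "sid")  # assumed naming heuristic

def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {p.partition("=")[0].lower() for p in parts[1:] if p}
    return name, attrs

def audit(url, header_lines):
    """List the ways this response exposes session cookies to a sniffer."""
    findings = []
    headers = [line.partition(":") for line in header_lines]
    header_names = {key.strip().lower() for key, _, _ in headers}
    if not url.lower().startswith("https://"):
        findings.append("page served over plain HTTP")
    elif "strict-transport-security" not in header_names:
        findings.append("no Strict-Transport-Security header")
    for key, _, value in headers:
        if key.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        looks_like_session = any(h in name.lower() for h in SESSION_HINTS)
        if looks_like_session and "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
    return findings

if __name__ == "__main__":
    for url, lines in SAMPLE_RESPONSES:
        print(url, audit(url, lines) or "ok")
```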

Inside Google’s Anti-Malware Operation

A Google malware researcher gave a rare peek inside the company’s massive anti-malware and anti-phishing efforts at the SecTor conference here, and the data that the company has gathered shows that the attackers who make it their business to infect sites and exploit users are adapting their tactics very quickly and creatively to combat the efforts of Google and others.

While Google is still a relative newcomer to the public security scene, the company has deployed a number of services and technologies recently that are designed to identify phishing sites as well as sites serving malware and prevent users from finding them. The tools include the Google SafeBrowsing API and a handful of services that are available to help site owners and network administrators find and eliminate malware and the attendant bugs from their sites.

All of these are related to Google’s constant crawling of the Web, which, among many other things, allows the company to identify malware-distribution sites as well as legitimate sites that have been compromised with injected malicious code. Attackers have taken to infecting legitimate sites for a number of reasons, one of which is that those sites will show up more prominently in Google search results.

To find malware-distribution sites, Google uses a huge number of virtual machines running completely unpatched versions of Windows and Internet Explorer that they point at potentially malicious URLs. The company then ties this in with the data that it gathers from its automated crawlers that are tasked with looking for malicious code on legitimate Web sites.

Fabrice Jaubert, of Google’s anti-malware team, said that the company has had good luck identifying and weeding out malicious sites of late. Still, as much as 1.5 percent of all search result pages on Google include links to at least one malware-distribution site, he said.

"There’s a lot of fluctuation in that over time, and that could be due to a lot of factors. It could be due to a change in the pages, it could be a change in our detection rate and also in the popularity of the infected pages," Jaubert said. "The biggest factor is that we’ve found a substantial number of malware pages are spammy and have no content. We remove those pages. But it’s a cat-and-mouse game, just like viruses and AV. We go and find bad pages and they get better at hiding them."

http://threatpost.com/en_us/blogs/inside-googles-anti-malware-operation-102610

Why system administrators of web servers don’t want to patch soon?

Firefox 0-day targets Firefox in XP system

From Krebs on Security:

I just heard back from Norman ASA malware analyst Snorre Fagerland via e-mail, and he has provided a bit more technical analysis of what’s going on with this Firefox flaw and with the exploit they discovered. Fagerland says the vulnerability is related to a "use-after-free condition" in certain objects, exploited through Javascript.

"Shellcode and a large heapspray is involved," Fagerland wrote. "The script that does this checks for the following versions:

firefox/3.6.8
firefox/3.6.9
firefox/3.6.10
firefox/3.6.11

…and it checks that it is NOT running Vista or Win7 (Windows versions 6.0 and 6.1), pretty much limiting the attack to XP-family OS’s. The underlying vulnerability is confirmed to also affect Firefox 3.5x series, but we have not seen exploit code that attacks this."

http://krebsonsecurity.com/2010/10/nobel-peace-prize-site-serves-firefox-0day/

Emerging Qakbot Exploit Is Ruffling Some Feathers

Fast-spreading attack spreads like a worm, stings like a Trojan, RSA researchers say

It isn’t particularly new, and it’s not as funny as it sounds. But the Qakbot Trojan recently has been causing plenty of ripples in the IT security pond, researchers say.

In a blog posted yesterday, researchers at RSA Security offered a closer look at Qakbot and how its unusual behavior is causing a flock of troubles on the Web.

Qakbot is different in that it almost exclusively targets U.S. financial institutions, the researchers say. It also is the first Trojan seen to be exclusively targeting business/corporate accounts at these financial institutions.

"The goal for Qakbot is to siphon out larger sums of money, much more than would generally be available in private online accounts," RSA says. "While Qakbot is not the first and only Trojan to target such accounts, it is the only one that shows this type of strict ‘preference’ by design, and with no exceptions."

How does Qakbot infect its prey? Researchers are not sure.

http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=228000087

Judge slaps Lime Wire with permanent injunction

The end of Lime Wire as it has existed for years appears to be at hand.

U.S. District Judge Kimba Wood issued an injunction today against the company that operates the long popular file-sharing software LimeWire and orders managers there to disable "the searching, downloading, uploading, file trading…and/or all functionality" of the LimeWire software, Lime Wire announced.

In May, Wood, who serves the Southern District of New York, granted summary judgment in favor of the music industry’s claims that Lime Group, parent of LimeWire software maker Lime Wire, and founder Mark Gorton committed copyright infringement, engaged in unfair competition, and induced copyright infringement.

LimeWire, the software, was released 10 years ago and quickly emerged as one of the favorite ways to pass pirated music across the Web. Gorton and his company have acknowledged making millions from offering the software.

"While this is not our ideal path, we hope to work with the music industry in moving forward," a Lime Wire spokesperson said in a statement. "We look forward to embracing necessary changes and collaborating with the entire music industry in the future."

Lime Wire continues to exist but no longer operates as a file-sharing service, the spokesperson said. Exactly what the New York-based company will do in the future is unclear. At this point, the company’s chances of licensing music for Spoon appear to be small and its prospects dim.

http://news.cnet.com/8301-31001_3-20020786-261.html