Network card rootkit offers extra stealth

Security researchers have demonstrated how it might be possible to place backdoor rootkit software on a network card.

Guillaume Delugré, a reverse engineer at French security firm Sogeti ESEC, was able to develop proof-of-concept code after studying the firmware from Broadcom Ethernet NetExtreme PCI Ethernet cards.

He used publicly available documentation and open source tools to develop a firmware debugger. He also reverse-engineered the format of the EEPROM where the firmware code is stored, as well as the bootstrap process of the device.

Using the knowledge gained from this process, Delugré was able to develop custom firmware code and flash the device so that his proof-of-concept code ran on the CPU of the network card. The technique opens the possibility of planting a stealthy rootkit that lives within the network card, an approach that gives potential miscreants several advantages over conventional backdoors.

Chief among these is that there will be no trace of the rootkit on the operating system, as it is being hidden inside the network interface card. [...]

Delugré gave a presentation on his research at the hack.lu conference last month. A write-up of his research, along with slides on his presentation and a demo, was published on Sunday here.

http://www.theregister.co.uk/2010/11/23/network_card_rootkit/

RIM denies reports that Indian official snooped for it

Research In Motion denied reports in Indian media that it had received information from an Indian government official questioned by police Monday during an investigation into the leaking of information to telecommunications companies.

Ravi Inder Singh, a senior official in the country’s Ministry of Home Affairs, was taken in for questioning on Monday, Delhi police sources said.

Special Commissioner of Police P.N. Aggarwal said on Tuesday that Singh had not been arrested, and investigations were still going on in the case. He declined to comment on the line of investigation.

RIM is currently in difficult negotiations with the Indian government, which has been demanding that law enforcement agencies be given the ability to intercept communications on RIM’s network.

The government has given RIM until January to provide total access to communications on its BlackBerry Messenger service. It has also demanded access to RIM’s corporate email and communications service, BlackBerry Enterprise Server.

http://www.computerworld.com/s/article/9197779/RIM_denies_reports_that_Indian_official_snooped_for_it

Malicious Video Spreads via Multiply; Cross-Border Korean Shelling Leads to FAKEAV

Trend Micro researchers recently discovered attacks on the social networking site Multiply. The cybercriminals behind the said attack created new Multiply user accounts then sent malicious personal messages to other site users.

The personal message contains a greeting with the target’s Multiply user name and a video that the recipient is supposed to watch. Clicking the play button redirects users to the malicious URL http://yourtube.{BLOCKED}loring.com/video2/video.php?q=1289224873.

The page then asks the recipient to download a codec to view the video.

These sorts of attacks have been occurring for some time. Users should avoid downloading new codecs to watch videos posted online, as these are frequently malicious.

Screenshots in http://blog.trendmicro.com/malicious-video-spreads-via-multiply/

Cross-Border Korean Shelling Leads to FAKEAV

News outlets all over the world are talking about the recent cross-border clash between North and South Korea. The shelling, one of the worst incidents between the two countries in years, is naturally being used by the usual criminals behind fake antivirus malware.

Within hours of the incident, certain Korea-related search terms were already poisoned.

Note that the Google preview of the page shows the supposed content of the page. However, if the user clicks on the offered search result, they see these (familiar) pages.

http://blog.trendmicro.com/cross-border-korean-shelling-leads-to-fakeav/

E-mail computer hacker jailed after international scam

A computer hacker who accessed personal data and photos from his mother’s front room in a major e-mail scam has been jailed.  Father-of-five Matthew Anderson, 33, of Drummuir, Moray, who was part of an international gang, was caught after a Scotland Yard investigation.

He sent millions of worldwide e-mails which released a virus when opened, allowing remote control of computers.  Anderson was jailed for 18 months at Southwark Crown Court.

He admitted the Computer Misuse Act crime.  He was able to access private images, wills and confidential medical reports and CVs.

http://www.bbc.co.uk/news/uk-scotland-north-east-orkney-shetland-11818671  via Sophos.

Mozilla Fixes Site Error-Handling Bug

Mozilla has fixed a bug in the way that its Bugzilla Web site and others handled certain errors, which could have been exploited to execute a man-in-the-middle attack against an unsuspecting user.

The bug concerned the way the sites responded to requests in which the client supplied an incorrect HTTP Host header. The Bugzilla site presents a wildcard SSL certificate that is also valid for Mozilla.org, so when the sites answer a request carrying the wrong Host header, clients can be redirected to a non-HTTPS site for an error message.

"As a result, a network attacker can divert a client connection bound for any *.mozilla.org site to one of these servers and cause the client to receive an incorrect redirect. This is already a breach of the integrity that SSL is supposed to provide. But what is worse, since the redirect is to http://, the attacker can substitute arbitrary content and thereby perform XSS," Matt McCutchen wrote in an explanation of the certificate problem on Bugzilla.

More on attack scenario at http://threatpost.com/en_us/blogs/mozilla-fixes-site-error-handling-bug-112210
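The failure mode described above, as an added example that is not Mozilla's code: a server that answers an unknown Host header with a redirect to a plain-http:// error page, beside a hardened handler that returns the error on the TLS connection itself, plus a small check that flags any HTTPS-to-http redirect. Hostnames and the error page URL are constructed placeholders.

```python
"""Vulnerable vs hardened handling of an unexpected HTTP Host header.

Added example, not Mozilla's code. A server whose certificate is valid for
*.example.org (compare *.mozilla.org in the story) answers a Host it does not
serve with a 302 to a plain-HTTP error page; a diverted client follows it out
of HTTPS. The hardened version never redirects off the TLS connection.
"""
from typing import Dict, Tuple
from urllib.parse import urlparse

SERVED_HOSTS = {"bugzilla.example.org"}           # constructed: hosts this vhost serves
ERROR_PAGE = "http://error.example.org/notfound"   # constructed: plain-HTTP error page

Response = Tuple[int, Dict[str, str]]


def vulnerable_handler(host_header: str) -> Response:
    """Original behaviour: unknown Host -> 302 to a plain-HTTP error page."""
    if host_header.lower() in SERVED_HOSTS:
        return 200, {"Content-Type": "text/html"}
    return 302, {"Location": ERROR_PAGE}


def hardened_handler(host_header: str) -> Response:
    """Unknown Host gets an error on this connection, with no Location header,
    so a client whose connection was diverted here never leaves HTTPS."""
    if host_header.lower() in SERVED_HOSTS:
        return 200, {"Content-Type": "text/html"}
    # 421 Misdirected Request (RFC 7540) says this server is not authoritative
    # for that host; a plain 400 with no redirect would also be safe.
    return 421, {"Content-Type": "text/plain", "Connection": "close"}


def is_downgrade_redirect(status: int, headers: Dict[str, str]) -> bool:
    """True if a redirect sends an HTTPS client to an absolute http:// URL.
    Relative Locations inherit the https scheme and are not flagged."""
    if status not in (301, 302, 303, 307, 308):
        return False
    return urlparse(headers.get("Location", "")).scheme == "http"


if __name__ == "__main__":
    wrong_host = "addons.example.org"  # constructed: a host this vhost does not serve
    for name, handler in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        status, headers = handler(wrong_host)
        print(f"{name}: {status} downgrade={is_downgrade_redirect(status, headers)}")
```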

Anonymizer Labs Develops ‘Anonymizer Nevercookie’ to Contend With the Evercookie Threat

Introducing Anonymizer Nevercookie™, a FREE Firefox plugin that protects against the Evercookie API. The plugin extends Firefox’s private browsing mode by preventing Evercookies from identifying and tracking users.

Evercookie is a new, more persistent cookie form that enables the storage of cookie data in a number of different locations, such as Flash cookies and various locations of HTML5 storage. This allows websites to track user behavior even when users have enabled private browsing. Because an Evercookie stores data in locations outside of where standard cookies are stored, an Evercookie can rebuild itself unless users go through a number of steps to completely clear and reset their local storage.

Anonymizer Nevercookie simplifies this process and eliminates the manual steps required to completely remove Evercookies. And it does so without also removing all of the necessary cookies that a user actually wants to keep, such as those for browsing history and remembered logins. When Anonymizer Nevercookie is engaged along with Firefox’s private browsing mode, it quarantines an Evercookie and removes it after the browsing session.

Anonymizer Nevercookie was developed by Geoffrey Abbott, Lead Researcher at Anonymizer Labs.

http://nevercookie.anonymizer.com/

The plugin is currently in BETA. Use at your own risk.

Google ‘Instant Previews’ hit Google Analytics with fake traffic

Google’s new "Instant Previews" search tool is skewing traffic stats for sites using Google Analytics, creating page views before pages are actually viewed.

Rolled out across Google’s search engine earlier this month, Instant Previews lets searchers, yes, preview sites before they visit them. Users click on a small icon that appears beside a search result, and this launches an image of the site in question on the right-hand-side of Google’s results page.

As Google pointed out when "Instant Previews" was launched, Google is – in some cases – fetching these previews in real time. Soon after the tool’s launch, webmasters posting to Google’s help forums noticed that these pre-fetches were skewing Google Analytics numbers. And as noticed by Search Engine Land, a Google employee later confirmed this with a post of his own.

The employee confirms that these real-time fetches are executing JavaScript used by Google Analytics, the company’s own web analytics tool, and this is skewing traffic numbers. But he indicates that a fix is on the way. "We’re working on a solution for this, to prevent Google Instant Preview on-demand fetches from executing Analytics JavaScript," the Google employee says. "I’m not sure about the timeframe, but I’ll drop a note here when I have more to share. Thanks for your patience."

http://www.theregister.co.uk/2010/11/22/google_instant_previews_skew_web_analytics/

Google sued for scanning emails of non-Gmail users

Electronic Communications Privacy Act violation alleged

A Texas man has fired a legal broadside against Gmail in a federal lawsuit that claims the Google service violates the Electronic Communications Privacy Act of 1986.

Keith Dunbar of Bowie County, Texas, claims that emails he sent from a non-Gmail service to Gmail users were scanned by Google algorithms without his consent. The algorithms are designed to serve Gmail users targeted ads based on the content of messages they receive.

“No consent from non-Gmail account holders is given prior to Google using the content of non-Gmail account holders for the purpose of delivering targeted ads and other related information to Gmail account holders,” the complaint, filed in US District court in Texarkana, Texas, stated. “Google does not inform non-Gmail account holders that it scans the content of their emails for the purpose of delivering targeted text ads and other related information to Gmail account holders.”

The complaint is seeking class-action status so other non-Gmail users may also join the action. It seeks damages of $100 a day for each violation or $10,000, whichever is greater, and the disgorgement of profits made by Google as a result of the Gmail scanning.

“We haven’t received a formal complaint and can’t comment on specifics,” a Google spokesman wrote in an email on Monday. “To be clear though, Gmail – like most webmail providers – uses automatic scanning to fight against spam and viruses. We use similar technology to show advertisements that help keep our services free.  This is how Gmail has always worked.”

Indeed, internet law expert Eric Goldman, a professor at Santa Clara University School of Law, told InformationWeek that there were numerous calls to investigate Google for such behavior in 2004. “Frankly, after all the furor died down a half-decade ago, I had assumed everyone had moved on long ago,” he told the publication.

http://www.theregister.co.uk/2010/11/23/gmail_privacy_lawsuit/

Karagany Isn’t a Doctor, but Plays One on Your PC

A Trojan that pulls a sly performance of now-you-see-me-now-you-don’t disguises itself on an infected system as the Adobe Updater, a real program that’s installed alongside such mainstay applications as the Adobe Reader. This method of hiding in plain sight means the downloader, Trojan-Downloader-Karagany, may remain active on an infected system for an extended period of time, reinfecting PCs even after the more obvious payloads have been cleared up.

During the initial infection, subtlety is this Karagany’s strong suit. When executed, it pulls an act I find slightly more interesting than the conventional "file copies itself from one place to another, then deletes the original" behavior that is so common among contemporary malware.

In this case, the malware app (which uses an Adobe icon) does copy itself to another location — the Application Data\Adobe folder under the currently logged-in user’s account, using the filename AdobeUpdater.exe — but leaves behind a benign program afterward, in exactly the same place as the original, and with the same filename as the original.

Details with video clip at http://blog.webroot.com/2010/11/22/karagany-isnt-a-doctor-but-plays-one-on-your-pc/

Study: Fifth of Facebook users exposed to malware

Security software manufacturer BitDefender today released some statistics gleaned from Safego, a Facebook application that it offers to users of the social-network to keep an eye on their vulnerability to malware. The big finding: 20 percent of Facebook users are exposed to malicious posts in their "news feeds" of friends’ activity, generally defined as posts that, when clicked on, result in "the user’s account being hijacked and in malware being automatically posted on the walls of the respective user’s friends."

The numbers were derived from Safego’s analysis of news feed items viewed by the 14,000 Facebook users who have installed the app. Considering Facebook has 500 million users around the world, that’s a small sample, but it’s also a sample of users who, by virtue of installing the app in the first place, indicate that they’re relatively security-minded. The "average" Facebook user may well be even more likely to see malicious posts, in theory.

Over 60 percent of attacks come from notifications from malicious third-party applications on Facebook’s developer platform, the study found. Within that, the most popular subset of "attack apps" (21.5 percent of total kinds of malware) were those that claim to perform a function that Facebook normally prohibits, like seeing who has viewed your profile and who has "unfriended" you. 15.4 percent lure in users with bonus items for Facebook games like free items in FarmVille; 11.2 percent offer bonus (yet bogus) Facebook features like free backgrounds and "dislike buttons"; 7.1 percent promise new versions of well-known gaming titles like World of Warcraft; 5.4 percent claim to give away free cell phones; and 1.3 percent claim to offer a way to watch movies for free online.

Beyond "app attacks," BitDefender found that an additional 16 percent of malware viewed on Facebook entices users to watch some kind of shocking video…

http://news.cnet.com/8301-13577_3-20023626-36.html