Security Protection – Harry Waldron (WP)

May, 2012:

Facebook – Robbery occurs after posting photos of money online

This MSNBC article illustrates the principle of “loose lips sink ships” that I learned in an early security training class. It is important to avoid posting vacation plans, photos of valuables, or any other details that might encourage attacks by criminals.

Family robbed after teen posts photo of money on Facebook http://digitallife.today.msnbc.msn.com/_news/2012/05/29/11935908-family-robbed-after-teen-posts-photo-of-money-on-facebook

QUOTE: On Thursday, a teenage girl posted a photo of a “large sum of cash” on Facebook. About seven hours later, two robbers arrived at her family’s home. Unsurprisingly, this incident prompted local authorities to issue a warning about the dangers of posting photographs online.

According to BBC News, the 17-year-old girl was helping her 72-year-old grandmother count her cash savings when she decided to snap a photo of the money and post it on Facebook. A press release by the local police force explains that this social media activity occurred in Sydney, Australia at about 4 p.m. on Thursday. At 11:30 p.m. on the same day, a house about 75 miles south-west was invaded by two armed men. The girl’s mother, a 58-year-old man and a 14-year-old boy were home at the time.

Brandishing a knife and a wooden club, the two men “allegedly entered the home demanding to speak with the girl about the cash” seen in the Facebook photo. After the girl’s mother explained that she no longer lives at that address, the men proceeded to search the house and “took a small amount of cash and other personal property before leaving.”

Skywiper (Flame Virus) – Complex cyber-warfare targeted attacks

The most complex malware attack constructed to date has been identified and is currently being researched by security firms:

Skywiper (Flame Virus) – Complex cyber-warfare targeted attacks (FAQ) http://securitygarden.blogspot.com/2012/05/flame-aka-flamer-or-skywiper.html
https://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers
http://blogs.mcafee.com/mcafee-labs/skywiper-fanning-the-flames-of-cyber-warfare
http://www.symantec.com/connect/blogs/flamer-highly-sophisticated-and-discreet-threat-targets-middle-east
http://www.f-secure.com/weblog/archives/00002371.html
 
Crysys Security — DETAILED TECHNICAL ANALYSIS http://www.crysys.hu/skywiper/skywiper.pdf

QUOTE (McAfee link) — Over the weekend, the IR Cert (Iran’s emergency response team) published a new report, which describes this attack as “Flame” and/or “Flamer”. The complex functionality of the malware is controlled over Command and Control (C&C) servers, of which there are possibly dozens. The malware is also capable of slowly spreading over USB drives.

CrySys Lab, a Hungarian security team, noticed that a complex threat that they were already analyzing for weeks was clearly the same threat as “Flamer”. They published a large, preliminary document, several dozen pages in size, that described the complex malware. The report shows that a lot more work has to be done to analyze the full details of this malware, as it has some extraordinary complexity.

Previously, other cyber threats such as Stuxnet and Duqu both required months of analysis, and this threat is clearly a magnitude more complex. Just to give an idea of the complexity, one of its smaller encrypted modules is over 70000 lines of C decompiled code, which contains over 170 encrypted “strings”! Evidently, the threat has been developed over many years, possibly by a large group or dedicated team.


Skywiper is a modular, extendable and updateable threat. It is capable, but not limited to the following key espionage functions:

- Scanning network resources
- Stealing information as specified
- Communicate to C&C Servers over SSH and HTTPS protocols
- Detect the presence of over 100 security products (AV, Anti-Spyware, FW, etc)
- Both kernel and user mode logic is used
- Complex internal functionality utilizing Windows APC calls and thread start manipulation, and code injections to key processes
- It loads as part of Winlogon.exe then injects to Explorer and Services
- Conceals its presence as ~ named temp files, just like Stuxnet and Duqu
- Capable of attacking new systems over USB Flash Memory and local network (slowly spreads)
- Creates screen captures
- Records voice conversations
- Runs on Windows XP, Windows Vista and Windows 7 systems
- Contains known exploits, such as the Print Spooler and lnk exploit found in Stuxnet
- Uses SQLite Database to store collected information
- Uses custom DB for attack modules (This is very unusual, but shows the modularity and extendibility of the malware)
- Often located on nearby systems: a local network for both C&C and target infection cases
- Utilizes PE encrypted resources

Microsoft – Decade of TWC progress shared at RSA conference

An excellent and detailed history of Trustworthy Computing over the past decade.

Microsoft – Decade of TWC progress shared at RSA conference http://blogs.technet.com/b/security/archive/2012/05/25/webcast-code-red-to-zbot-10-years-of-tech-researchers-and-threat-evolution.aspx

MALWARE DEVELOPMENTS PAST DECADE PDF – EXCELLENT (4.5MB) http://365.rsaconference.com/servlet/JiveServlet/download/38-4003/May_23_2012_Webcast_Microsoft.pdf

QUOTE: For those of you that joined us at RSA this year in San Francisco, you may have taken in the session presented by Jeff Jones and Tim Rains on 10 Years of Tech, Researchers and Threat Evolution. The great news is that Tim and Jeff have delivered a webcast of the session, which you can find here. Jeff and Tim followed up with a series of blog posts delving into more detail:

I would also recommend reading the Behind the Charts – Scrubbing the Vulnerability Data post to understand more about the data sources and methodology Jeff used in his analysis.

Android Malware – McAfee shows increase for Q1 2012

Smartphone users should always be careful about which applications they install and which links they select, as malware attacks continue to increase for this vector.

Android Malware – McAfee shows increase for Q1 2012 http://securitywatch.pcmag.com/none/298206-android-malware-spikes-in-2012

QUOTE: According to McAfee the number of malicious Android apps surged from the hundreds to the thousands in the first quarter of 2012, compared to the same period last year. In “McAfee Threats Report: First Quarter 2012″ the company reported that the number of mobile threats on Android reached 7,000 samples, while Symbian, Java ME (mobile edition), and “others” combined reached only 1,000.

The figures are alarming, but it’s still fairly easy to keep your Android devices clean of malware. For starters, steer clear of third-party app stores (outside Google Play or Amazon App Store for Android). Unlike in the PC environment where worms can spread without any user involvement, mobile infections still rely on users installing malicious apps.

Facebook – Advanced New LilyJade Cross Platform Worm

Kaspersky Labs shares analysis of a highly advanced new Facebook worm. This new JavaScript-based worm can spread from three different browsers (IE, Chrome, and Firefox), providing a cross-platform attack.

Facebook – Advanced New LilyJade Cross Platform Worm http://www.securelist.com/en/blog/706/Worm_2_0_or_LilyJade_in_action

QUOTE: It is quite rare to analyze a malicious file written in the form of a cross-platform browser plugin. It is, however, even rarer to come across plugins created using cross-browser engines. In this post, we will look into a Facebook worm that was written using the Crossrider system – a system still in beta testing.

It uses the Crossrider system, which is intended for writing unified plugins for Internet Explorer (version 7 onwards), Mozilla Firefox 3.5 and Google Chrome. This malicious program is an excellent example of Malware 2.0-class programs based on modern web technologies, using social networks to propagate themselves and generating illegal incomes for their owners by spoofing various services.

Facebook – New STECKCT worm spreads Instant Messaging

A new malicious IM attack is circulating in the Facebook environment, as documented by Trend Micro.

Facebook – New STECKCT worm spreads Instant Messaging http://blog.trendmicro.com/worm-spreads-via-facebook-private-messages-instant-messengers/

QUOTE: We recently received reports about private messages found on Facebook and distributing a link, which is a shortened URL pointing to an archive file “May09-Picture18.JPG_www.facebook.com.zip”. This archive contains a malicious file named “May09-Picture18.JPG_www.facebook.com” and uses the extension “.COM”. Once executed, this malware (detected as WORM_STECKCT.EVL) terminates services and processes related to antivirus (AV) software, effectively disabling AV software from detection or removal of the worm. WORM_STECKCT.EVL also connects to specific websites to send and receive information.

Another noteworthy routine is that this worm downloads and executes another worm, one detected as WORM_EBOOM.AC. Based on our analysis, WORM_EBOOM.AC is capable of monitoring an affected user’s browsing activity such as message posting, deleted posted messages and private messages sent on the following websites such as Facebook, Myspace, Twitter, WordPress, and Meebo. It is also capable of spreading through the mentioned sites by posting messages containing a link to a copy of itself.
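The lure above works because “www.facebook.com” ends in .COM, a Windows executable extension, so the name reads like a picture from a trusted site. As an added defender-side example (not code from the Trend Micro post), the following scans an archive for member names with that deceptive pattern; the sample zip is constructed in memory and reuses the filename quoted above, with placeholder bytes instead of any real content.

```python
import io
import re
import zipfile

# Extensions Windows will run directly when double-clicked (the sample used .COM).
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# An image/document extension buried inside the name, e.g. "Picture18.JPG_..."
LURE_TOKEN = re.compile(r"\.(jpe?g|png|gif|bmp|pdf|docx?)[_.-]", re.IGNORECASE)
# A trusted-looking hostname used as part of the filename.
DOMAIN_TOKEN = re.compile(r"www\.[a-z0-9.-]+", re.IGNORECASE)


def classify_member_name(name: str) -> list[str]:
    """Return the reasons a filename looks like a deceptive-extension lure (empty if none)."""
    reasons = []
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        if LURE_TOKEN.search(name):
            reasons.append("image/document extension embedded in name")
        if DOMAIN_TOKEN.search(name):
            reasons.append("trusted-looking domain embedded in name")
    return reasons


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious member of an in-memory zip to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                reasons = classify_member_name(info.filename)
                if reasons:
                    findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: the quoted lure name plus a benign image name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("May09-Picture18.JPG_www.facebook.com", b"placeholder bytes, not real code")
        zf.writestr("holiday.jpg", b"\xff\xd8\xff")  # harmless name, not flagged
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(reasons))
```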

Nmap version 6 – Free Network Vulnerability Scanner

Nmap is an excellent network analysis tool that I have used in the past, and the new version 6 has now been officially released.

https://isc.sans.edu/diary/nmap+6+released/13267

http://nmap.org/6/

QUOTE:  May 21, 2012—The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 6.00 from http://nmap.org/. It is the product of almost three years of work, 3,924 code commits, and more than a dozen point releases since the big Nmap 5 release in July 2009. Nmap 6 includes a more powerful Nmap Scripting Engine, 289 new scripts, better web scanning, full IPv6 support, the Nping packet prober, faster scans, and much more! We recommend that all current users upgrade.


Microsoft Security – May 2012 Updates

Please ensure your Windows and Office environments are up-to-date to ensure the best levels of protection. A number of patches were rated as critical this month.

Microsoft Security Bulletin Summary for May 2012 http://technet.microsoft.com/en-us/security/bulletin/ms12-may

Microsoft Security – ISC analysis for May 2012 https://isc.sans.edu/diary.html?storyid=13159

AntiVirus Products for 2012 – Review by PC Magazine

PC Magazine reviewed and ranked cleaning tools, free AV products, and premium suites in the linked article:

AntiVirus Products for 2012 – Review by PC Magazine http://www.pcmag.com/article2/0,2817,2372364,00.asp

QUOTE: To evaluate antivirus utilities I rely on hands-on, real-world testing. The malware removal test involves installing each product on a dozen malware-infested virtual machines and challenging it to clean them up. This article explains how I get from those tests to the figures in the chart below: How We Test Malware Removal. I also refer to reports from major independent antivirus testing labs. The labs have vastly more resources than I do, so they can perform large-scale tests that would take more time than I have available. The chart below specifically lists results for the companies whose 2012 products are rounded up here.

Microsoft Security Essentials 4.0 – Review of new version

PC Magazine shares a recent review of MSE 4.0 … In personal testing on all family PCs, there is more consistency in auto-updating, and it continues to be transparent in terms of its impact on performance. No issues so far in use on XP and Windows 7 systems.

Microsoft Security Essentials 4.0 http://www.pcmag.com/article2/0,2817,2403986,00.asp

QUOTE: This product is a straight-up antivirus, not a feature-stuffed suite wannabe. Its main window shows current security status, with a button to resolve any problems. Another button launches an on-demand scan. That’s it!

Pros — Does a decent job protecting an already-clean system. Good ratings from independent antivirus test labs. Free!

Cons — Unusually slow scan. Failed to run on one test system. Low detection rate in malware cleanup test. Failed to thoroughly clean up threats it did detect.

Bottom Line — Microsoft Security Essentials 4.0 does a decent job protecting a clean PC, but in testing its cleanup of already-infested systems wasn’t thorough.