Family robbed after teen posts photo of money on Facebook http://digitallife.today.msnbc.msn.com/_news/2012/05/29/11935908-family-robbed-after-teen-posts-photo-of-money-on-facebook
QUOTE: On Thursday, a teenage girl posted a photo of a “large sum of cash” on Facebook. About seven hours later, two robbers arrived at her family’s home. Unsurprisingly, this incident prompted local authorities to issue a warning about the dangers of posting photographs online.
According to BBC News, the 17-year-old girl was helping her 72-year-old grandmother count her cash savings when she decided to snap a photo of the money and post it on Facebook. A press release by the local police force explains that this social media activity occurred in Sydney, Australia at about 4 p.m. on Thursday. At 11:30 p.m. on the same day, a house about 75 miles south-west was invaded by two armed men. The girl’s mother, a 58-year-old man and a 14-year-old boy were home at the time.
Brandishing a knife and a wooden club, the two men “allegedly entered the home demanding to speak with the girl about the cash” seen in the Facebook photo. After the girl’s mother explained that she no longer lives at that address, the men proceeded to search the house and “took a small amount of cash and other personal property before leaving.”
Skywiper (Flame Virus) – Complex cyber-warfare targeted attacks (FAQ) http://securitygarden.blogspot.com/2012/05/flame-aka-flamer-or-skywiper.html
Crysys Security — DETAILED TECHNICAL ANALYSIS http://www.crysys.hu/skywiper/skywiper.pdf
QUOTE (McAfee link) — Over the weekend, the IR Cert (Iran’s emergency response team) published a new report, which describes this attack as “Flame” and/or “Flamer”. The complex functionality of the malware is controlled over Command and Control (C&C) servers, of which there are possibly dozens. The malware is also capable of slowly spreading over USB drives.
CrySys Lab, a Hungarian security team, noticed that a complex threat that they were already analyzing for weeks was clearly the same threat as “Flamer”. They published a large, preliminary document, several dozen pages in size, that described the complex malware. The report shows that a lot more work has to be done, to analyze the full details of this malware as it has some extraordinary complexity.
Previously, other cyber threats such as Stuxnet and Duqu both required months of analysis and this threat is clearly a magnitude more complex. Just to give an idea of the complexity, one of its smaller encrypted modules is over 70000 lines of C decompiled code, which contains over 170 encrypted “strings”! Evidently, the threat has been developed over many years, possibly by a large group or dedicated team.
Skywiper is a modular, extendable and updateable threat. It is capable of, but not limited to, the following key espionage functions:
- Scanning network resources
- Stealing information as specified
- Communicating with C&C servers over SSH and HTTPS protocols
- Detecting the presence of over 100 security products (AV, anti-spyware, FW, etc.)
- Both kernel and user mode logic is used
- Complex internal functionality utilizing Windows APC calls and thread start manipulation, and code injections into key processes
- It loads as part of Winlogon.exe, then injects into Explorer and Services
- Conceals its presence as ~ named temp files, just like Stuxnet and Duqu
- Capable of attacking new systems over USB flash memory and the local network (slowly spreads)
- Creates screen captures
- Records voice conversations
- Runs on Windows XP, Windows Vista and Windows 7 systems
- Contains known exploits, such as the Print Spooler and LNK exploits found in Stuxnet
- Uses an SQLite database to store collected information
- Uses a custom DB for attack modules (this is very unusual, but shows the modularity and extensibility of the malware)
- Often located on nearby systems: a local network for both C&C and target infection cases
- Utilizes PE encrypted resources
Microsoft – Decade of TWC progress shared at RSA conference http://blogs.technet.com/b/security/archive/2012/05/25/webcast-code-red-to-zbot-10-years-of-tech-researchers-and-threat-evolution.aspx
MALWARE DEVELOPMENTS PAST DECADE PDF – EXCELLENT (4.5MB) http://365.rsaconference.com/servlet/JiveServlet/download/38-4003/May_23_2012_Webcast_Microsoft.pdf
QUOTE: For those of you that joined us at RSA this year in San Francisco, you may have taken in the session presented by Jeff Jones and Tim Rains on 10 Years of Tech, Researchers and Threat Evolution. The great news is that Tim and Jeff have delivered a webcast of the session, which you can find here. Jeff and Tim followed up with a series of blog posts delving in to more detail:
- Trustworthy Computing: Learning About Threats for Over 10 Years – Part 1
- Trustworthy Computing: Learning About Threats for Over 10 Years – Part 2
- Trustworthy Computing: Learning About Threats for Over 10 Years – Part 3
- Trustworthy Computing: Learning About Threats for Over 10 Years – Part 4
- Trustworthy Computing: Learning About Threats for Over 10 Years – Part 5
- Trustworthy Computing: Learning About Threats for Over 10 Years – Part 6
I would also recommend reading the Behind the Charts – Scrubbing the Vulnerability Data post to understand more about the data sources and methodology Jeff used in his analysis.
Android Malware – McAfee shows increase for Q1 2012 http://securitywatch.pcmag.com/none/298206-android-malware-spikes-in-2012
QUOTE: According to McAfee the number of malicious Android apps surged from the hundreds to the thousands in the first quarter of 2012, compared to the same period last year. In “McAfee Threats Report: First Quarter 2012” the company reported that the number of mobile threats on Android reached 7,000 samples, while Symbian, Java ME (mobile edition), and “others” combined reached only 1,000.
The figures are alarming, but it’s still fairly easy to keep your Android devices clean of malware. For starters, steer clear of third-party app stores (outside Google Play or Amazon App Store for Android). Unlike in the PC environment where worms can spread without any user involvement, mobile infections still rely on users installing malicious apps.
Facebook – Advanced New LilyJade Cross Platform Worm http://www.securelist.com/en/blog/706/Worm_2_0_or_LilyJade_in_action
It is quite rare to analyze a malicious file written in the form of a cross-platform browser plugin. It is, however, even rarer to come across plugins created using cross-browser engines. In this post, we will look into a Facebook worm that was written using the Crossrider system – a system still in beta testing.
It uses the Crossrider system, which is intended for writing unified plugins for Internet Explorer (version 7 onwards), Mozilla Firefox 3.5 and Google Chrome. This malicious program is an excellent example of Malware 2.0-class programs based on modern web technologies, using social networks to propagate themselves and generating illegal incomes for their owners by spoofing various services.
Facebook – New STECKCT worm spreads via Instant Messaging http://blog.trendmicro.com/worm-spreads-via-facebook-private-messages-instant-messengers/
QUOTE: We recently received reports about private messages found on Facebook and distributing a link, which is a shortened URL pointing to an archive file “May09-Picture18.JPG_www.facebook.com.zip”. This archive contains a malicious file named “May09-Picture18.JPG_www.facebook.com” and uses the extension “.COM”. Once executed, this malware (detected as WORM_STECKCT.EVL) terminates services and processes related to antivirus (AV) software, effectively disabling AV software from detection or removal of the worm. WORM_STECKCT.EVL also connects to specific websites to send and receive information.
Another noteworthy routine is that this worm downloads and executes another worm, one detected as WORM_EBOOM.AC. Based on our analysis, WORM_EBOOM.AC is capable of monitoring an affected user’s browsing activity such as message posting, deleting posted messages and private messages sent on the following websites: Facebook, Myspace, Twitter, WordPress, and Meebo. It is also capable of spreading through the mentioned sites by posting messages containing a link to a copy of itself.
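The lure described above relies on a file name that reads like a picture or a facebook.com link while its real extension (.COM) is one Windows will execute. The following Python is an added example, not code from the Trend Micro post or any product: it builds a constructed archive in memory with placeholder bytes that mimics the naming, and flags members whose executable extension is disguised by an earlier picture/document pseudo-extension. The extension lists are this example's own assumptions.

```python
import io
import re
import zipfile

# Extensions that run as programs on Windows; .com is the one the worm uses.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Pseudo-extensions that make a name look like a harmless picture or document.
LURE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".pdf", ".doc"}


def is_masquerading_executable(name: str) -> bool:
    """True when the file runs as a program but its name carries a picture/document
    extension earlier in the name, e.g. 'Picture18.JPG_www.facebook.com' (ext .com)."""
    lower = name.rsplit("/", 1)[-1].lower()          # strip any directory part
    stem, dot, ext = lower.rpartition(".")
    if not dot or "." + ext not in EXECUTABLE_EXTS:
        return False
    # A lure extension counts only when it is delimited (".jpg_" or ".jpg."),
    # so a stem like "jpgtool" is not a false positive.
    return any(re.search(re.escape(lure) + r"(?![a-z0-9])", stem) for lure in LURE_EXTS)


def scan_archive(zip_bytes: bytes) -> list:
    """Return the member names inside a zip that look like disguised executables."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if is_masquerading_executable(n)]


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the layout in the post; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Same naming pattern as the reported lure: looks like a JPG plus a facebook.com link.
        zf.writestr("May09-Picture18.JPG_www.facebook.com", b"placeholder, not a program")
        # A genuine-looking picture member for contrast; should not be flagged.
        zf.writestr("May09-Picture18.JPG", b"\xff\xd8\xff")
    return buf.getvalue()


if __name__ == "__main__":
    for flagged in scan_archive(build_sample_archive()):
        print("suspicious member:", flagged)
```

The same check applies to a downloaded file name before extraction, since the worm's archive itself carries the "...JPG_www.facebook.com.zip" pattern.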
QUOTE: May 21, 2012—The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 6.00 from http://nmap.org/. It is the product of almost three years of work, 3,924 code commits, and more than a dozen point releases since the big Nmap 5 release in July 2009. Nmap 6 includes a more powerful Nmap Scripting Engine, 289 new scripts, better web scanning, full IPv6 support, the Nping packet prober, faster scans, and much more! We recommend that all current users upgrade.
- About Nmap
- Top 6 Improvements in Nmap 6
- Screen Shots
- Detailed Improvements
- Moving Forward (Future Plans)
- Download and updates
Microsoft Security Bulletin Summary for May 2012 http://technet.microsoft.com/en-us/security/bulletin/ms12-may
Microsoft Security – ISC analysis for May 2012 https://isc.sans.edu/diary.html?storyid=13159
AntiVirus Products for 2012 – Review by PC Magazine http://www.pcmag.com/article2/0,2817,2372364,00.asp
QUOTE: To evaluate antivirus utilities I rely on hands-on, real-world testing. The malware removal test involves installing each product on a dozen malware-infested virtual machines and challenging it to clean them up. This article explains how I get from those tests to the figures in the chart below: How We Test Malware Removal. I also refer to reports from major independent antivirus testing labs. The labs have vastly more resources than I do, so they can perform large-scale tests that would take more time than I have available. The chart below specifically lists results for the companies whose 2012 products are rounded up here.
Microsoft Security Essentials 4.0 http://www.pcmag.com/article2/0,2817,2403986,00.asp
QUOTE: This product is a straight-up antivirus, not a feature-stuffed suite wannabe. Its main window shows current security status, with a button to resolve any problems. Another button launches an on-demand scan. That’s it!
Pros — Does a decent job protecting an already-clean system. Good ratings from independent antivirus test labs. Free!
Cons — Unusually slow scan. Failed to run on one test system. Low detection rate in malware cleanup test. Failed to thoroughly clean up threats it did detect.
Bottom Line — Microsoft Security Essentials 4.0 does a decent job protecting a clean PC, but in testing its cleanup of already-infested systems wasn’t thorough.