Security Protection – Harry Waldron MVP

March 2013:

SPAM Protection – Lower detection rates in March 2013

Virus Bulletin's latest comparative test finds that anti-spam products are having more difficulty automatically stopping unwanted messages, with catch rates down from recent tests as spammers' techniques evolve

http://www.net-security.org/secworld.php?id=14674

QUOTE: Virus Bulletin announced the results of its latest anti-spam comparative review: 17 solutions achieved a VBSpam award, but the majority did so with a lower spam catch rate than in recent tests. Nine out of the 19 full solutions tested saw the percentage of spam they missed at least double, with only three products improving their catch rates. A spam email was almost twice as likely to make it to a user’s inbox compared to the previous test.

Most products had more difficulty with legitimate emails as well, with only four solutions correctly identifying all of them, and products had even more difficulty blocking phishing emails. More than half of the solutions missed at least 10% of the emails in a dedicated feed of phishing emails. “Spam has been a relatively good news story in recent years, with spam levels declining while catch rates remained high,” said VB’s Anti-Spam Test Director, Martijn Grooten. “But in spam filtering, the devil is in the details, and when we look at these details, we see more emails slipping through the maze.” This is not the first time Virus Bulletin has observed a drop in products’ spam catch rates: a similar drop was observed early last year, with the decline continuing throughout the first half of the year.

April Fools Day 2013 – Top scams and Malware alerts

Many practical jokes and pranks will surface on April 1, but scammers and malware authors use the day as a lure as well, so the usual safety practices still apply

http://www.net-security.org/secworld.php?id=14668

QUOTE: April Fools’ Day is a time for practical jokes, hoaxes and laughs. However, it’s important to understand that April Fools’ Day is also an ample opportunity for cybercriminals to capitalize on the popular day and its events for their own nefarious purposes. To help you make sure cybercriminals don’t get the last laugh this April Fools’ Day – and to give you a few laughs, too – Kaspersky Lab has compiled a few of the top April Fools’ Day hoaxes throughout history and tips on what to look out for to stay safe online.

Safety tips for April 1, 2013, with a focus on ransomware and rogue antivirus:

* Watch out for ransomware: Like the example above, cybercriminals take over your computer, offering to “clean it up” for a fee. Sometimes this technique masquerades as fake anti-virus. Don’t trust messages warning that your Internet or computer is shut down or infected.

* Don’t click on pop-up windows even if they aren’t blocked by the browser security or other security solutions. You should only click on messages from a legitimate antivirus solution installed on the computer. Ignore any messages warning you of infection that appear randomly while you’re browsing the Internet.

* Legitimate programs designed to combat malware will never first scan a computer and then demand money for activation. You should never pay for a product which does this: install a genuine antivirus solution developed by a well-known antivirus company and use this to scan and clean your computer.

* If you find an unknown antivirus program on your computer, check whether the vendor has an official site and technical support. If it doesn’t, it is definitely a rogue antivirus.

Avira Security – Twenty Internet Safety tips for 2013

Many best practices are shared in this excellent list of 20 protective techniques

http://techblog.avira.com/2013/03/15/20-security-tips-for-a-safer-2013/en/

Mobile Phone Security – Targeted Malware attacks as next step

McAfee Security highlights potential growth in specialized targeted attacks during 2013

http://blogs.mcafee.com/mcafee-labs/targeted-attacks-the-next-step-in-mobile-malware

QUOTE: The Android threat landscape continues to evolve in 2013. To distribute Android threats, malware authors are transitioning away from attacking traditional vectors like the Google Play Market and third-party Android markets to vectors like spam and phishing emails and SMS. Recently a new information-stealing Android malware was found being distributed as an attachment in emails as part of a targeted attack against Uyghur, Mongolian, Tibetan, and Chinese activists. The social-engineering attack was carried out through email consisting of an invitation to the “World Uyghur Congress” (WUC) and an attachment pretending to be a letter on behalf of WUC, the Unrepresented Nations and Peoples Organization, and the Society for Threatened Peoples. In reality the file was the Android application “WUC’s Conference.” After downloading, the application asks for the following suspicious permissions:
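The permission list from the McAfee post is not reproduced on this page, but the check it describes (does an app ask for more than its cover story needs?) is mechanical. The following is an added example, not McAfee's code or the malware's real manifest: it parses a constructed AndroidManifest.xml for a supposed conference-invitation app and flags the combination of sensitive-data permissions with a channel for getting that data off the device. The package name, label and permission set are assumptions made for the example.

```python
"""Audit the permissions an Android app declares in its AndroidManifest.xml.

Added example (not from the McAfee post): the manifest below is constructed
to resemble an information-stealing app delivered as an e-mail attachment.
The real app's permission list is not reproduced on this page.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that give an app access to data worth stealing, keyed to
# what an attacker gets from each.  These are real Android permission names.
DANGEROUS = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS contents",
    "android.permission.RECEIVE_SMS": "incoming SMS (e.g. bank one-time codes)",
    "android.permission.SEND_SMS": "send SMS (premium-rate fraud)",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_PHONE_STATE": "device identifiers / phone number",
}
# Ways the stolen data can leave the device.
EXFIL = {"android.permission.INTERNET", "android.permission.SEND_SMS"}
PERSISTENCE = {"android.permission.RECEIVE_BOOT_COMPLETED"}

# Constructed sample manifest: package name and label are assumed.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.wuc.conference">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="WUC's Conference"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared by <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(f"{{{ANDROID_NS}}}name")
        for el in root.iter("uses-permission")
        if el.get(f"{{{ANDROID_NS}}}name")
    }


def audit(manifest_xml):
    """Return the findings for one manifest.  'suspicious' is True when the
    app can both read sensitive data and get it off the device; a
    conference invitation has no business doing either."""
    perms = declared_permissions(manifest_xml)
    sensitive = {p: DANGEROUS[p] for p in perms if p in DANGEROUS}
    exfil = perms & EXFIL
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "sensitive": sensitive,
        "exfil_channels": sorted(exfil),
        "persistent": bool(perms & PERSISTENCE),
        "suspicious": bool(sensitive) and bool(exfil),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST)
    print(f"{result['package']}: suspicious={result['suspicious']}")
    for perm, why in sorted(result["sensitive"].items()):
        print(f"  {perm}  ->  {why}")
    print("  exfil via:", ", ".join(result["exfil_channels"]))
```

On a real APK the manifest is binary-encoded; run it through `aapt dump permissions` or a decompiler first and feed the resulting XML to `audit()`. The interesting signal is the combination, not any single permission: INTERNET alone is normal, INTERNET plus contacts, SMS and call logs in an app that claims to show an invitation is not.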

TDL Rootkit – New variant downloads the Chromium Embedded Framework

This new variant downloads the legitimate Chromium Embedded Framework (CEF), the open-source browser engine behind Google Chrome, and needs it in order to function; the unusual part is a malware family pulling down a 50 MB framework to operate

http://www.symantec.com/connect/blogs/new-tidserv-variant-downloads-50-mb-chromium-embedded-framework

QUOTE: Tidserv (a.k.a. TDL) is a complex threat that employs rootkit functionality in an attempt to evade detection. The malware continues to be on the Symantec radar since its discovery back in 2008. The latest variant of Tidserv being distributed in the wild has begun to employ the legitimate Chromium Embedded Framework (CEF). While this may not be the first time malware has made use of a legitimate framework for nefarious purposes, this new Tidserv variant requires the download of the 50 MB framework to function correctly, which is an unusual thing for a threat to do. The CEF provides a Web browser control based on the Google Chromium project. This allows developers to build applications that include Web browser windows. The CEF libraries perform all of the functionality required to run the browser, such as parsing HTML or parsing and executing JavaScript.

Easter 2013 – New Spam and malware attacks

Symantec warns of several new spam and malware attacks actively circulating

http://www.symantec.com/connect/blogs/spammers-magical-gifts-easter

QUOTE: Easter Sunday is one of the most important festivals in the Christian calendar and it is observed anywhere between March 22 and April 25 each year; this year it falls on March 31. Spam messages related to Easter have begun flowing into the Symantec Probe Network. As expected, most of the spam samples are encouraging users to take advantage of products offers, personalized letters, e-cards, as well as clearance sales of cars and replica watches. Clicking the URL will automatically redirect the user to a website containing some bogus offer.

Spammers are also exploiting the event by sending casino spam email using the name “Easter bonnet”. The Easter bonnet represents the tail-end of a tradition of wearing new clothes at an Easter festival. The following spam sample provides instructions for ways that users can acquire a “bonus”.

1. “Three different bonuses can produce some extra winnings.”
2. “Make your deposit and get free spins.”
3. “Free welcome package up to $500.”

Symantec advises our readers to be cautious when handling unsolicited or unexpected emails

Apple iCloud – Two-step verification offered

Apple has strengthened Apple ID security for iCloud, the App Store and iTunes by offering two-step verification, which sends a four-digit code by SMS to the user's registered phone and requires it in addition to the account password

http://www.itpro.co.uk/security/19490/apple-beefs-icloud-security

QUOTE: Apple has bolstered the security in its iCloud, App Store and iTunes service in a bid to prevent hacking. The services will now offer two-step verification in order to prevent unauthorized access. Once activated, the additional security measure sends a four-digit number to a user’s phone via a text message. This is in addition to entering the regular Apple ID password associated with the username.

The function is enabled when a user accesses an Apple service such as downloading content from the App Store, a forgotten password or getting Apple ID-related support. Apple said in a statement that it took customer privacy “very seriously”. “Two-step verification is an even more robust process to ensure our users’ data remain protected. Turning on two-step verification reduces the possibility of someone accessing or making unauthorized changes to your account information at My Apple ID or making purchases using your account. After you sign in, you can manage your account or make purchases as usual.”
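A four-digit code sent by text is only as strong as the rules around it: there are just 10,000 possible values, so the server must expire each code quickly, accept it once, and cut off after a few wrong guesses. The following is an added example of the server side of such a scheme, written for this page and not Apple's implementation; the code lifetime, the guess limit, the account name and the stand-in SMS gateway are all assumptions.

```python
"""Server-side issue/verify for a short SMS verification code, of the kind
Apple's two-step verification sends (4 digits by text).

Added example, not Apple's code.  Assumed design: codes are random (never
derived from the password), valid for a few minutes, single-use, and
limited to a handful of guesses, because a 4-digit code would otherwise
be brute-forced in seconds.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 4          # SMS code length per the article
CODE_TTL_SECONDS = 300   # assumed: code valid for 5 minutes
MAX_ATTEMPTS = 3         # assumed: three wrong guesses burn the code


class VerificationStore:
    """In-memory store of pending codes keyed by account.  `send` stands in
    for the SMS gateway; `clock` is injectable so expiry can be tested."""

    def __init__(self, server_secret, send, clock=time.time):
        self._secret = server_secret
        self._send = send
        self._clock = clock
        self._pending = {}   # account -> (code_hmac, expires_at, attempts_left)

    def _mac(self, account, code):
        # Keep an HMAC of the code rather than the code itself, so a dump of
        # this store does not hand out live codes.
        msg = f"{account}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, account, phone_number):
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[account] = (self._mac(account, code),
                                  self._clock() + CODE_TTL_SECONDS,
                                  MAX_ATTEMPTS)
        self._send(phone_number, f"Your verification code is {code}")
        # Returned only so the example can be exercised; a real service
        # would never hand the code back to the caller.
        return code

    def verify(self, account, submitted):
        """True exactly once, for the right code, inside its lifetime."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        expected_mac, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[account]
            return False
        if hmac.compare_digest(expected_mac, self._mac(account, submitted)):
            del self._pending[account]              # single use
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[account]              # force a fresh code
        else:
            self._pending[account] = (expected_mac, expires_at, attempts_left)
        return False


def demo():
    """Walk through the three failure modes with a fake clock and gateway."""
    sent, now = [], [1_000_000.0]
    store = VerificationStore(b"server-secret-assumed",
                              lambda num, text: sent.append((num, text)),
                              clock=lambda: now[0])
    acct, phone = "alice@example.com", "+15555550100"      # assumed
    code = store.issue(acct, phone)
    wrong = "0000" if code != "0000" else "1111"           # guaranteed wrong
    results = {"wrong_first": store.verify(acct, wrong),
               "right": store.verify(acct, code),
               "replay": store.verify(acct, code)}         # already consumed
    code2 = store.issue(acct, phone)                       # lockout path
    wrong2 = "0000" if code2 != "0000" else "1111"
    for _ in range(MAX_ATTEMPTS):
        store.verify(acct, wrong2)
    results["after_lockout"] = store.verify(acct, code2)
    code3 = store.issue(acct, phone)                       # expiry path
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = store.verify(acct, code3)
    results["sms_sent"] = len(sent)
    return results


if __name__ == "__main__":
    print(demo())
```

The attempt counter is the control that matters most: without it, 10,000 guesses against a five-minute window is trivial. A code delivered over SMS also remains exposed to SIM-swap and SS7 interception, which is why app-generated codes are preferred where the provider offers them; the article describes SMS delivery only.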

Mobile and Desktop Botnet attacks continue growth in 2013

Botnet attacks continue to grow, including a major increase in mobile phone attacks

http://securitywatch.pcmag.com/none/309491-a-peek-at-the-future-of-botnet-evolution

QUOTE: Botnets weren’t always malicious. According to a report by Symantec called The Evolution of IRC Bots, botnets were originally designed to automate basic tasks on IRC and allowed IRC operators to link instances of the bot together and manage its power. Eventually, botnets were used to perform DoS attacks and other malicious activities as computer users realized the potential collective power botnets had.

Mobile Botnets on the Rise – Although not as prevalent as their computer counterparts, mobile botnets have been on the rise, with the rate of infections of mobile devices growing exponentially. Mobile malware has passed the point of simple hidden SMS fraud. According to Henderson, researchers are finding mobile malicious apps that are extensions of popular computer botnet software. For example, a mobile version of the Zeus bot intercepts mobile banking logins and sends the credentials back to its owners. This provides the owners with another means of stealing funds from victims.

Enjoy Social Networking? So Do Botnets – Now that botnets have upgraded to the affiliate model of spreading malware, social networks have become another means of infection and it can happen to anyone. Once a botnet controls your computer, it’s a simple matter for the owner to post a malicious link on your social networking account.

Botnet defenses – In order to protect a mobile device, Henderson recommends that a user try out mobile antivirus, especially those who own Android devices. He also advises that users be cautious when installing third party apps, including iOS users who made the decision to jailbreak their phone. For non-mobile devices, Henderson suggests that users keep their software up-to-date at all times and uninstall unnecessary applications, such as Java and Flash. Botnet and malware authors take advantage of every vulnerable moment, don’t get caught off-guard.

Mobile Phone Security – Hacking attacks increase in 2013

This NBC News article explains why smartphone attacks have so far hit users outside the USA hardest, and why they are nonetheless a growing worldwide threat that is now reaching US victims

http://redtape.nbcnews.com/_news/2013/03/21/17390282-smartphone-hacking-comes-of-age-hitting-us-victims

QUOTE: Devastating cellphone hacks that hijack your most personal gadget and rob you of privacy and money have long been forecast. But even as smartphone users in Asia are beginning to suffer exploding bills and emptied bank accounts at the hands of hackers, U.S. users largely remain safe and blissfully unaware of the gathering threat

They took a year-old mobile virus named NotCompatible, which allows hackers to take complete control of a phone, and posted the malicious code on websites. Then they sent out enticing spam emails with links to the booby-trapped sites. The emails were all the more tempting because they appeared to come from friends or others on the recipients’ contact list. Victims who clicked on the link from their phones and downloaded the file surrendered control of their Android phones to the criminals. Security firm Lookout says 10,000 customers per day are still being tricked to click on the bogus link and landing on the booby-trapped pages, and virtually all of them are in the U.S.

U.S. smartphone users have been spared much grief from mobile malware so far for a variety of reasons. Chief among them: Most users get their apps from a centralized and safe source. Apple keeps tight controls on its App Store, so malware writers are largely ignoring that platform. And while Google’s Play Store for Android is not as tightly controlled, criminals haven’t had much luck sneaking infected software onto that platform, either. That leaves hackers with time-consuming, clumsy methods, such as tricking users to visit a rogue website and electing to install an app.

Android attackers in other parts of the world have an easier time. In China, for example, it’s hard to access Google’s Play store, so consumers often get their apps from websites. That means rogue apps on random websites raise less suspicion.

Spamhaus DDoS attack – in-depth analysis

PC Magazine's SecurityWatch shares an in-depth analysis of the DDoS attack on Spamhaus, covering how the attack worked and the two defenses (BCP38 source-address filtering and locked-down DNS servers) that would have blunted it:

http://securitywatch.pcmag.com/none/309843-understanding-the-spamhaus-ddos-attack

QUOTE: Distributed Denial of Service is the topic of the day, due to a recent massive DDoS attack by Dutch Web host CyberBunker against spam-fighting agency SpamHaus. Just how significant was the collateral damage to the rest of the Internet? CloudFlare, a Web security company directly involved in defending SpamHaus against the attack, likened it to a nuclear bomb, but Keynote Systems, a company that tracks website availability and response time, said it was no more than a blip.

How the attack worked – A Denial of Service attack simply overloads the victim’s servers by flooding them with data, more data than the servers can handle. This can disrupt the victim’s business, or knock its website offline. Launching such an attack from a single Web location is ineffective, as the victim can quickly block that traffic. Attackers often launch a Distributed Denial of Service attack via thousands of hapless computers controlled by a botnet.

What Can Be Done — Wouldn’t it be nice if someone would invent technology to foil such attacks? In truth, they already have, thirteen years ago. In May of 2000, the Internet Engineering Task Force released the Best Current Practices paper known as BCP38. BCP38 defines the problem and describes “a simple, effective, and straightforward method… to prohibit DoS attacks which use forged IP addresses.”

Lock It Down — “Your authoritative server should be available to anyone on the Internet, however, it should only respond to queries about your company’s domain.” In addition to the outward-facing authoritative DNS server, companies need an inward-facing recursive DNS server. “A recursive DNS server is intended to supply domain lookups to all your employees,” explained Nachreiner. “It should be able to reply to queries about all sites on the Internet, but it should only reply to people in your organization.”
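The two defenses the article names are complementary: BCP38 stops spoofed packets at the network that originates them, and a correctly scoped DNS server refuses to act as a reflector for anyone who does get a spoofed query through. The attack on Spamhaus used exactly that reflection, bouncing DNS queries with the victim's forged source address off open recursive resolvers. The following is an added example, not the article's or any vendor's code, that models both controls on constructed traffic so the decision logic can be run offline; every prefix, address and zone name is an assumption drawn from the RFC 5737/3849 documentation ranges.

```python
"""BCP38 egress filtering and split authoritative/recursive DNS policy,
as an added example of the two controls the article recommends.

Not the article's code.  Prefixes, addresses and zones are assumed
(RFC 5737 / RFC 3849 documentation ranges); traffic is constructed.
"""
import ipaddress

# --- BCP38: a packet may only leave the network if its source address
# belongs to a prefix this network actually owns.  A query "from" the
# victim cannot leave a network that enforces this, which is what breaks
# reflection attacks at their origin.
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),    # assumed
                     ipaddress.ip_network("2001:db8:1::/48")]   # assumed


def bcp38_permit_egress(src_ip, owned_prefixes=CUSTOMER_PREFIXES):
    """Return True if a packet with this source may leave the network."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in owned_prefixes)


# --- DNS: the public authoritative server answers anyone, but only for
# its own zones and never recursively; the recursive resolver answers
# internal clients only.  Open resolvers are the amplifiers in the attack.
OUR_ZONES = ("example.com.",)                                   # assumed
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("203.0.113.0/24")]             # assumed


def _in_zone(qname, zones):
    q = qname.lower().rstrip(".") + "."
    return any(q == z or q.endswith("." + z) for z in zones)


def authoritative_policy(client_ip, qname, recursion_desired):
    """Outward-facing server: our zones only, regardless of who asks or
    whether they set the RD bit."""
    return "answer" if _in_zone(qname, OUR_ZONES) else "refused"


def resolver_policy(client_ip, qname, recursion_desired):
    """Inward-facing resolver: any name, but only for internal clients."""
    client = ipaddress.ip_address(client_ip)
    if not any(client in net for net in INTERNAL):
        return "refused"
    return "answer"


def evaluate(packets, queries):
    """Run constructed traffic through both controls; return the verdicts."""
    egress = {src: bcp38_permit_egress(src) for src, _dst in packets}
    dns = {(client, qname): (authoritative_policy(client, qname, rd),
                             resolver_policy(client, qname, rd))
           for client, qname, rd in queries}
    return egress, dns


# Constructed traffic.  The second packet carries a source address this
# network does not own (an assumed victim address in 192.0.2.0/24).
SAMPLE_PACKETS = [("203.0.113.17", "198.51.100.53"),   # legitimate customer
                  ("192.0.2.10",   "198.51.100.53")]   # spoofed source
SAMPLE_QUERIES = [("10.1.2.3",   "www.example.com.",  True),   # internal, our zone
                  ("10.1.2.3",   "www.example.org.",  True),   # internal, other zone
                  ("192.0.2.77", "www.example.org.",  True),   # external, other zone
                  ("192.0.2.77", "mail.example.com.", False)]  # external, our zone

if __name__ == "__main__":
    egress, dns = evaluate(SAMPLE_PACKETS, SAMPLE_QUERIES)
    for src, permitted in egress.items():
        print(f"egress src={src:<14} {'permit' if permitted else 'DROP (BCP38)'}")
    for (client, qname), (auth, rec) in dns.items():
        print(f"{client:<12} {qname:<18} authoritative={auth:<8} resolver={rec}")
```

The external query for a name outside our zones is the one to watch: both servers refuse it, so there is nothing for an attacker to reflect. On real equipment the first half is a unicast reverse-path-forwarding check or an egress ACL on the customer-facing interface, and the second half is the `recursion`/`allow-recursion` scoping in the DNS server's configuration; the policy is the same either way.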