Security experts won court approval last year to seize control of the infrastucture that powered the search-hijacking Trojan in a bid to help users clean up infections. But a court-imposed deadline to power down that infrastructure will sever Internet access for PCs that are not rid of the malware before July 9, 2012.

The company said the warning (pictured above) will appear only when a user with an infected system visits a Google search results property (google.com, google.co.uk, etc.), and will include the message, “Your computer appears to be infected.” Google security engineer Damian Menscher said the company expects to notify approximately a half-million users in the first week of the notices.

“In general we want to notify users [of malware infections] anytime we are capable of doing so, but the fact that we don’t do this more often is really just because it’s hard to come across cases where we can do it this accurately,” Menscher said.  “In many cases we only have maybe a 90 percent confidence that someone is infected, and the false positive rate of 10 percent is simply too high to be feasible. But in this case we can be essentially certain that someone is infected.”

The warning that infected users will see is nearly identical to a similar alert Google used last year in a campaign to rid the Web of another search hijacker that was trying to frighten users into purchasing bogus antivirus software — also known as “scareware.”

DNSChanger may no longer be hijacking search results, but the malware still carries secondary threats and risks. It was frequently bundled with other nasty software, and consequently machines sickened with DNSChanger also probably host other malware infestations. Additionally, DNSChanger disables antivirus protection on host machines, further exposing them to online threats.

To address these concerns, Google is steering users of infected systems to a set of instructions that include steps to eradicate DNSChanger and to third-party cleanup tools that may help scrub infections from other malware.

Menscher said Google will be displaying the warning in dozens of different languages.

“We think part of it is that all of the public press on this so far has been in English or a handful of other languages,” Menscher said. “It turns out that only half of these infected users speak English as their primary language.”

DNSChanger modifies settings on a host PC that tell the computer how to find Web sites on the Internet, hijacking victims’ search results and preventing them from visiting security sites that might help detect and scrub the infections. The Internet servers that were used to control infected PCs were located in the United States, and in coordination with the arrest last November of the Estonian men thought to be responsible for operating the Trojan network, a New York district court ordered a private U.S. company to assume control over those servers.

The government argued that the arrangement would give ISPs and companies time to identify and scrub infected PCs, systems that would otherwise be disconnected from the Internet if the control servers were shut down. The court agreed, and ordered that the surrogate control servers remain in operation until March 8. When the March 8 deadline approached and cleanup was discovered to be taking longer than expected, the court agreed to extend the cutoff date to July 9, 2012.

An ad served by IWantThis! browser extension. Source: Wikimedia

In a posting on its blog, Wikimedia noted that although the nonprofit organization is funded by more than a million donors and does not run ads, some users were complaining of seeing ads on Wikipedia entries. “If you’re seeing advertisements for a for-profit industry (see screenshot below for an example) or anything but our fundraiser, then your web browser has likely been infected with malware,” reads a blog post co-written by Philippe Beaudette, director of community advocacy at the Wikimedia Foundation.

The blog post named one example of a browser extension called “IWantThis!,” which is essentially spyware masquerading as adware. The description at the IWantThis! Web site makes it sound like a harmless plugin that occasionally overlays ads on third-party Web sites and helps users share product or online shopping wish lists with others. As I was researching this extension, I came across this helpful description of it at the DeleteMalware Blog, which points to the broad privacy policy that ships with this extension:

Examples of the information we may collect and analyze when you use our website include the IP address used to connect your computer to the Internet; login; e-mail address; password; computer and connection information such as browser type, version, and time zone setting, browser plug-in types and versions, operating system, and platform; the full Uniform Resource Locator (URL) clickstream to, through, and from the Site, including date and time; cookie; web pages you viewed or searched for; and the phone number you used to call us.

The author of that DeleteMalware post said he found a copy of the IWantThis browser extension bundled with freeware from software download sites (the author doesn’t mention which download site, but it’s worth mentioning again that sites like Download.com have recently begun bundling adware, toolbars and other potentially invasive software with otherwise “free” titles).

The Wikimedia blog post specifically mentions that this extension affects Google Chrome users, but the extension appears to be equally capable of installing across multiple browsers, including Mozilla Firefox and Internet Explorer. Last week, I wrote about LilyJade, a new computer worm that was spreading across Facebook accounts by abusing the free services offered by Crossrider, a platform that makes it simple to develop browser extensions that work seamlessly across browsers and operating systems.

In researching IWantThis, I spoke with Sergey Golovanov, a malware expert at Russian antivirus maker Kaspersky Lab, who pointed out that the IWantThis extension has been delivered via Crossrider since at least February of this year. This may or may not be linked to an affiliate program that rewards people with commissions for convincing people to install the software.This writeup from Symantec’s ThreatExpert malware scanning engine steps through some of the registry changes that the IWantThis extension executes on a host system.

It’s also worth noting that few — if any — antivirus firms are likely to alert users about malicious or invasive browser extensions. For example, none of the 43 antivirus and security applications used to conduct this scan of the IWantThis! extension at Virustotal.com flagged it as malicious, or even a potentially unwanted application.

Broken record alert: If you didn’t go looking for it, don’t install it!

The latest disclosure, detailed in a story at BankInfoSecurity.com, now aligns with the timeline outlined by anonymous hackers who reached out to me after I broke the story on this breach back at the end of March. Global has disclosed relatively little about the breach, and has sought to downplay the severity of it. Initial reports suggested that more than 10 million card accounts were compromised in the breach, yet Global insists fewer than 1.5 million were taken. Recent reports by The Wall Street Journal put that figure closer to 7 million stolen card accounts.

Shortly after the breach, Global executives were complaining about “rumor and innuendo” in press reports about the incident. I borrowed that quote for the title of a follow-up blog post, which included claims from a hacker who told me he was reaching out because he felt Global was hiding the true extent of the breach. He told me that he was part of a group that had been inside of Global since just after the new year in 2011. From that story:

The hacker said the company’s network was under full criminal control from that time until March 26, 2012. “The data and quantities that was gathered [was] much more than they writed [sic]. They finished End2End encryption, but E2E not a full solution; it only defend [sic] from outside threats.” He went on to claim that hackers had been capturing data from the company’s network for the past 13 months — collecting the data monthly — gathering data on a total of 24 million unique transactions before they were shut out.

Global has refused to comment further on the incident, referring people to a Web site with a series of Q&As for various parties potentially impacted by the breach. I guess only time will tell whether the hackers were right about the number of compromised transactions as well.

At issue is a program that the author calls “LilyJade,” a browser plugin that uses Crossrider, an emerging programming framework designed to simplify the process of writing plugins that will run on Google Chrome, Internet Explorer, and Mozilla Firefox.  The plugin spreads by posting a link to a video on a user’s Facebook wall, and friends who follow the link are told they need to accept the installation of the plugin in order to view the video. Users who install LilyJade will have their accounts modified to periodically post links that help pimp the program.

The goal of LilyJade is to substitute code that specifies who should get paid when users click on ads that run on top Internet properties, such as Facebook.com, Yahoo.com, Youtube.com, Bing.com, Google.com and MSN.com. In short, the plugin allows customers to swap in their own ads on virtually any site that users visit.

I first read about LilyJade in an analysis published earlier this month by Russian security firm Kaspersky Labs, and quickly recognized the background from the screenshot included in that writeup as belonging to user from hackforums.net. This is a relatively open online hacking community that is often derided by more elite and established underground forums because it has more than its share of adolescent, novice hackers (a.k.a. “script kiddies”) who are eager to break onto the scene, impress peers, and make money.

It turns out that the Hackforums user who is selling this plugin is doing so openly using his real name. Phoenix, Ariz. based hacker Dru Mundorff sells the LilyJade plugin for $1,000 to fellow Hackforums members. Mundorff, 29, says he isn’t worried about the legalities of his offering; he’s even had his attorney sign off on the terms of service that each user is required to agree to before installing it.

“We’re not forcing any users to be bypassed, exploited or anything like that,” Mundorff said in a phone interview.  “At that point, if they do agree, it will allow us to make posts on their wall through our system.”

Mundorff claims his software is actually a benefit to Facebook and the Internet community at large because it is designed to also remove infections from some of the more popular bot and Trojan programs currently for sale on Hackforums, including Darkcomet, Cybergate, Blackshades and Andromeda (the latter being a competitor to the password-stealing ZeuS Trojan that hides behind Facebook comments). Mundorff maintains that his plugin will result in a positive experience for the average Facebook user, although he acknowledges that customers who purchase LilyJade can modify at will the link that “users” are forced to spread, and may at any time swap in links to malware or exploit sites.

A LilyJade administrative panel

Dozens of customers who bought or trialed LilyJade posted statistics to Hackforums that purport to show the plugin spreading virally to tens of thousands of users per day. According to Mundorff, customers who use the system can expect to make about 50 cents per hour for every 100 users who install the plugin.

It’s impossible to verify those numbers or to say exactly how many Facebook users have installed this browser plugin. But the plugin has apparently been successful enough to have caught the attention of Facebook’s security team, which earlier this week sent Mundorff a cease-and-desist order demanding that he stop selling the program.

“Plugins such as LilyJade are configured to modify our [site] to inject ads and/or send spam through Facebook to the victim’s friends via wall posts and chat messages,” said Fred Wolens, public policy manager at Facebook. “These alterations materially change people’s Facebook experience and bypass Facebook’s quality and security controls. Additionally, programs like LilyJade can make Facebook slower, cause user confusion and can obfuscate authenticate user content by displaying banner ads.”

In a follow-up instant message conversation, Mundorff indicated that he has no intention of bowing to Facebook’s demands.

“I pretty much told them to go fuck themselves cause we cant post on anyones [sic] walls with out there [sic] permissions automated or not,” Mundorff said. “So they can go to hell.”

It remains to be seen who will prevail in this now-public battle (which according to Mundorff has since caught the interest of the anarchic hacker collective Anonymous). I wanted to call attention to this topic because I believe LilyJade is likely the precursor to a stream of malicious cross-browser plugins that we can expect in the coming months and years.

Plugin based threats seem to be especially pernicious because they work seamlessly across multiple operating systems and browsers, and are unlikely to be detected as malicious by antivirus software. What’s more, writing malicious plugins for different browsers has never been easier: Kango, an up-and-coming cross-browser plugin development environment that’s competing with Crossrider, supports plugins on even more browsers, including Opera and Safari.

The purpose of this post is not to cause alarm about legitimate development platforms like Crossrider and Kango, or even to dissuade people from using Facebook. It’s also true that rogue browser plugins are hardly a new problem, and that they can spread just as easily on Facebook as on Twitter, Pinterest or any other community where millions of users gather to share information. Rather, I wanted to remind readers that while modern malware can take many forms, it most often succeeds because computer users agree to install it in one form or another.

When in doubt, always consider Rule #1 from Krebs’s 3 Basic Rules for Online Safety: “If you didn’t go looking for it, don’t install it!” Religiously observing this advice will likely keep you safe from a huge percentage of the malware threats out there today.

The latest reports of this apparent cyberspy activity come from security experts at Shadowserver.org, a nonprofit that tracks malware attacks typically associated with so-called “advanced persistent threat” (APT) actors. APT is a controversial term that means many things to different folks, but even detractors of the acronym’s overuse acknowledge that it has become a useful shorthand for “We’re pretty sure it came from China.”

A diagram depicting the (since-cleaned) attack on the Website of the Center for Defense Information.

One look at the list of the sites found to be currently serving an exploit to attack a newly-patched Adobe Flash Player vulnerability (CVE-2012-0779) shows how that shorthand is earned. Shadowserver uncovered Flash exploits waiting for visitors of the Web sites for Amnesty International Hong Kong and the Center for Defense Information, a Washington, D.C. think-tank. The home page for the International Institute for Counter-Terrorism was found to be serving up malware via a recent Oracle Java vulnerability (CVE-2012-0507), while the Cambodian Ministry of Foreign Affairs site was pointing to both Flash and Java exploits.

“In recent months we have continued to observe 0-day vulnerabilities emerging following discovery of their use in the wild to conduct cyber espionage attacks,” wrote Shadowserver volunteers Steven Adair and Ned Moran, in a blog post about the attacks, which they dubbed “strategic Web compromises.”

“Frequently by the time a patch is released for the vulnerabilities, the exploit has already been the wild for multiple weeks or months — giving the attackers a very large leg up,” they wrote. “The goal is not large-scale malware distribution through mass compromises. Instead the attackers place their exploit code on websites that cater towards a particular set of visitors that they might be interested in.”

The discoveries come just days after security vendor Websense found that the site for Amnesty International United Kingdom (AIUK)  was hosting the same Java exploit. According to Shadowserver, other sites that were compromised by remarkably similar attacks but since cleaned include those belonging to the American Research Center in Egypt, the Institute for National Security Studies, and the Center for European Policy Studies.

Shadowserver experts believe that many of the attacks above are likely the work of the same hacking group. For example, Adair and Moran said they found “a clear connection” between the hackers who compromised the AIUK site in this incident and a separate attack on the same site in December 2011, a break-in first reported by KrebsOnSecurity.com. Some of the common elements in the attacks include identical Internet addresses and files (down to the same internal metadata) used in different attacks.

Adair and Moran also called attention to targeted attacks that leverage the Flash flaw (CVE-2012-0779) via Microsoft Word documents, which have the built-in ability to invoke Flash objects. Mila Parkour, the author of the Contagiodump blog, on May 6 published an exhaustive look at just such an attack.

I hope it is obvious to readers that the exploits leveraged in these cyberspy attacks to steal national security and trade secrets are the same weapons that traditional computer crooks use to steal financial information (in fact, last week I blogged about other tantalilzing signs of overlap between these two seemingly disparate communities). It is almost certain that this Flash exploit will soon be bundled into automated exploit kits that are sold to miscreants on the cybercriminal underground, if it hasn’t already. If you use any of the above-mentioned software products and have fallen behind in patching them, please see the following posts:

May 8, 2012: Adobe, Microsoft Push Critical Security Fixes

May 4, 2012: Critical Flash Update Fixes Zero-Day Flaw

Mar 27, 2012: New Java Attack Being Rolled Into Exploit Packs

At the beginning of March 2012, Danbury, Conn. based Union Savings Bank began seeing an unusual pattern of fraud on a dozen or so debit cards it had issued, noting that most of the cards had recently been used in the same cafe at a nearby private school. When the bank determined that the school was a customer of Global Payments, it contacted Visa to alert the card association of a possible breach at the Atlanta-based processor, according to Doug Fuller, Union Savings Bank’s chief risk officer.

That’s when USB heard from Tony Higgins, then a fraud investigator at Vons, a grocery chain in Southern California and Nevada owned by Safeway Inc.

According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers.

“Higgins said, ‘You have a problem,’” Fuller recalled, of a phone conversation the bank had with Higgins in early March. “He said he had a slew of these people going through their Vons and Safeway stores exchanging cards. He had them on surveillance tape, knew where they were from and everything.”

Higgins told USB that the fraud he was seeing was mostly in Las Vegas, but that there also was some fraudulent card activity in neighboring states in the southwest.

“He had a theory that these guys came from Los Angeles and San Diego to Vegas just to make these transactions, and then went back,” Fuller said.

The fraud described by Higgins matched the unauthorized activity that they had seen stemming from accounts used at the private school cafeteria. Fuller said Visa has alerted Union Savings Bank that about 1,000 debit accounts it issued were compromised in the Global Payments breach — including the dozen or so card accounts that initially prompted USB to investigate.

USB officials say the bank has suffered approximately $75,000 in fraudulent charges, and that it has so far spent close to $10,000 reissuing customer cards.

Other banks notified by Higgins had much higher losses, Fuller said. “Mr. Higgins told us that the thieves also hit Bank of Oklahoma and Fulton Bank of New Jersey. He said Fulton was hit very hard by these guys, to the tune of about one thousand [stolen card accounts] each week.”

Higgins could not be reached for comment. Safeway officials confirmed that he retired from the company last month, but declined to discuss Higgins’ work or the incidents that prompted him to alert USB and other financial institutions affected by the Global Payments breach. Neither the Bank of Oklahoma nor Fulton Bank responded to repeated requests for comment.

The experience of Union Savings Bank illustrates how fraudsters can extract value from debit cards even if they only have some of the data associated with the accounts. Initial alerts about the breach from Visa and MasterCard stated that the breach at Global Payments compromised both Track 1 and Track 2 data from affected card accounts, meaning thieves could produce counterfeit versions of the cards and possibly commit other acts of identity theft against cardholders. Global Payments claims that only Track 2 data was taken, and that cardholder names, addresses and other data were not obtained by the criminals.

Yet, as USB’s story shows, the data on Track 2 alone was enough for the crooks to encode the card number and expiration date onto any cards equipped with a magnetic stripe. The cards could then be used at any merchant that accepts signature debit — transactions that do not require the cardholder to enter his or her PIN.

Visa and MasterCard each have revoked their certification of Global Payments as a compliant card processor. Global Payments said it is still investigating the cause and extent of the incident. The company maintains that fewer than 1.5 million card accounts were stolen, but some in the industry now believe more than 7 million card accounts may have been compromised. Meanwhile, the card associations keep broadening the window of time in which hackers likely had access to the processor’s network. Initially, Visa and MasterCard said the breach window at Global Payments was between January and February 2012, but in the latest round of alerts sent to banks affected by the breach, the card brands warned that the breach dates back to at least early June 2011.

USB’s experience also raises fresh questions about the timing of the breach discovery. Global Payments says it self-discovered and self-reported the breach on March 8, but Fuller said his bank figured out Global Payments was having an issue and reported the fraud before that.

“Global is saying this was self-discovered, but already knew it was them at the beginning of March, because within 48 hours of a customer telling us they were having problems, we figured out it was Global and alerted Visa,” Fuller said. “We are going to put Global on notice that we hold them accountable, because we’re bleeding here. Granted, a seventy-five thousand dollar loss isn’t the end of the world, but when you have a large institution like Global that doesn’t want to accept responsibility about what’s happened, that’s sort of annoying.”

From the FBI’s advisory:

“Recently, there have been instances of travelers’ laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.”

The warning is a good opportunity to revisit some wireless safety tips I’ve doled out over the years. Avoid updating software while you’re using networks that are untrusted and public, whether they are wired or wireless. This generally means Wi-Fi networks like those available in hotels and coffee shops, and even wired connections at hotels. The only exception I make to this rule is when I have a device that is tethered to the 3G connection on a mobile phone. But even this can be dicey, because many laptops and mobile devices will switch over to available Wi-Fi networks in the event that the 3G signal dies.

There are a number of free attack tools that can be used to spoof software update prompts, and these are especially effective against users on small local networks. Bear in mind that false update prompts don’t have to involve pop-ups. I’ve written at least two blog posts about EvilGrade, a toolkit that makes it simple for attackers to install malicious software by exploiting weaknesses in the auto-update feature of many popular software titles. The deviousness of this tool is that it can be used to hijack the legitimate updaters built into software already installed on your computer.

If you must update while on the road, make sure that you initiate the update process. Avoid clicking pop-up prompts or anything that looks like it was launched from an auto-updater. When in doubt, always update from the vendor’s Web site. Most importantly — and Rule #1 of Krebs’s 3 Basic Rules for Online Safety covers this nicely — “if you didn’t go looking for it, don’t install it!” Also, using an update tracker, such as Secunia‘s Personal Software Inspector or File Hippo‘s Update Checker, can help you stay on top of the latest security patches for widely-used software, and make it easier for you to plan your software updates ahead of time.

Microsoft’s May patch batch includes fixes for vulnerabilities that could be exploited via Web browsing, file-sharing, or email. Eight of the 23 flaws earned Microsoft’s “critical” rating, meaning no user interaction is required for vulnerable systems to be hacked. At least three of the flaws were publicly disclosed before today.

According to Microsoft, the two updates are the most dire: The first is one related to a critical flaw in Microsoft Word (MS12-029); the second is an unusually ambitious update that addresses flaws present in Microsoft Office, Windows, .NET Framework and Silverlight. In a blog post published today, Microsoft explained why it chose to patch all of these seemingly disparate products all in one go. But the short version is that Microsoft is addressing the ghost of Duqu, a sophisticated malware family discovered last year that was designed to attack industrial control systems and is thought to be related to the infamous Stuxnet worm. A patch Microsoft issued last year addressed the underlying Windows vulnerability exploited by Duqu, but the company found that the same vulnerable code resided in a slew of other Microsoft applications.

Separately, Adobe has issued an update for its Shockwave Player. Adobe recommends that users of Adobe Shockwave Player 11.6.4.634 and earlier for Windows and Macintosh update to Adobe Shockwave Player 11.6.5.635. Fixes are available for Windows and Mac systems, from this link. Windows users can tell if they have Shockwave installed by checking for an entry for the program in the Add/Remove Programs listing from the Windows Control Panel. If you don’t already have this program, I’d recommend keeping it that way. I seem to have gotten along fine without it for several years now, and going without it just means one less buggy application to patch.

As always, if you experience any issues installing these updates, please leave a note in the comments section below.

It may be that the Internet security industry is long overdue for its own “Reese’s moment.” Many security experts who got their start analyzing malware and tracking traditional cybercrime recently have transitioned to investigating malware and attacks associated with so-called advanced persistent threat (APT) incidents. The former centers on the theft of financial data that can be used to quickly extract cash from victims; the latter refers to often prolonged attacks involving a hunt for more strategic information, such as intellectual property, trade secrets and data related to national security and defense.

Experts steeped in both areas seem to agree that there is little overlap between the two realms, neither in the tools the two sets of attackers use, their methods, nor in their motivations or rewards. Nevertheless, I’ve heard some of these same experts remark that traditional cyber thieves could dramatically increase their fortunes if they only took the time to better understand the full value of the PCs that get ensnared in their botnets.

In such a future, Chinese nationalistic hackers, for example, could avoid spending weeks or months trying to break into Fortune 500 companies using carefully targeted emails or zero-day software vulnerabilities; instead, they could just purchase access to PCs at these companies that are already under control of traditional hacker groups.

Every now and then, evidence surfaces to suggest that bridges between these two disparate worlds are under construction. Last month, I had the opportunity to peer into a botnet of more than 3,400 PCs — most of them in the United States. The systems were infected with a new variant of the Citadel Trojan, an offshoot of the ZeuS Trojan whose chief distinguishing feature is a community of users who interact with one another in a kind of online social network. This botnet was used to conduct cyberheists against several victims, but it was a curious set of scripts designed to run on each infected PC that caught my eye.

Computers infected with ZeuS variants typically relay not only password data, but also basic information about the victim PC, including operating system version, default browser, the system time, and the machine name that the victim user picked when installing the OS. But this version of Citadel sought much more information, and instructed all infected PCs to relay the output of several network diagnostic tools designed to help map out a local network.

Hosts infected with this version of Citadel were instructed to run several variations on the “net view” command, which displays a list of domains, computers and resources that are being shared by systems on the host PC’s local network. The hacked machines also were forced to run the command “osql -L”, which produces a list of database servers that may be present on the network. In addition, compromised PCs were prompted to run the Windows command line instruction “ipconfig /all”, which provides a wealth of data on the Internet addresses assigned to different components of the local network.

A screen shot of the Citadel panel. This page shows the breakdown of antivirus tools installed on infected PCs.

Other diagnostic commands run on each machine sought to dump the list of Windows users and groups on the network, as well as the homepage of the victim’s default browser (the latter is interesting because many organizations set internal systems to default to the company’s Intranet page).

It may well be that the miscreants behind this botnet simply wanted to cover their bases, in case the need arose to identify administrator accounts or users most likely to have access to sensitive financial information. And, of course, miscreants with complete control over infected systems always can run these commands manually. But it is rare to find examples of those involved in traditional cybercrime who are interested in gathering this information from so many infected systems by default, according to Dmitri Alperovitch, one of the aforementioned experts on Eastern European cybercrime who transitioned to tracking APT threats a few years back.

Alperovitch, co-founder of CrowdStrike, a security startup focused on identifying APT attacks and victims, called the development “troubling.” Alperovitch said the hackers behind this Citadel version may be trying to map out who exactly the victims are — as a precursor to selling access to those machines.

“Many of these techniques are exactly what the APT guys use to map out victim organization once they get access to it,” he said.

If APT attackers and the miscreants focused on ebanking fraud are such a match made in heaven, why aren’t we seeing more signs of interaction between these two communities? Alperovitch believes it’s because there aren’t many areas where these two worlds overlap.

“It always amazed me that this was not happening, and I questioned why that was the case for a number of years, and I’ve come to realize the reason is that these two communities — those doing intrusions for espionage purposes and cybercrime purposes — are so far apart and don’t really talk to each other or don’t know how to connect,” he said.  “If you’re a guy who’s specializing in banking cashouts, how do you find someone who is interested in F-35 fighter plane schematics? It’s not so easy.”

Alperovitch said he’s seen APT-based groups occasionally using financial cybercrime tools like ZeuS, but in those cases it appears the attackers were either lazy or were trying to conserve resources.

“That’s just the nature of convenience, because tools like ZeuS allow you to build [the malware] yourself and use it as a first-stage malware delivery system, instead of burning your own custom tool that’s much more valuable to you,” he said. “But just because these [APT actors] were using ZeuS doesn’t mean that they were collaborating with any cybercriminal group. I’m not discounting the possibility of an intermediary potentially bridging these two groups, but it would take someone in the cybercriminal world with a lot more connections with the intelligence agencies to take advantage of it.”

Adobe classifies a security flaw as critical if it can be used to break into vulnerable machines without any help from users. The company said the vulnerability (CVE-2012-0779) fixed in the version released today has been exploited in targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message, and that the exploit used in the attacks seen so far target Flash Player on Internet Explorer for Windows only.

Nevertheless, there are updates available for Flash Player versions designed for all operating systems that Adobe supports, including Mac, Linux and Android devices.

Adobe is urging users of Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux update to Adobe Flash Player 11.2.202.235. Windows users of Flash Player 11.2.x who have selected the silent update option will receive the update automatically. Flash Player installed with Google Chrome is updated automatically, so no user action should be required for Chrome users. Users of Adobe Flash Player 11.1.115.7 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.8. Users of Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.9.

To find out if you have Flash installed, or which version is on your system, visit this link. If you have trouble updating your Flash version, consider uninstalling the program using Adobe’s Flash removal tool, rebooting, and then reinstalling the latest version. Updates are available via the Adobe Flash Player Download Center. Direct links to the OS-specific downloads are here.