That sounds like an irresistable idea! Though it also sounds too good to be true. As you can imagine, there is something wrong here. Instead of flying for a buck, you may end up with several fewer hundred dollars in your bank account.

This example is the most recent seasonal spam targeting Brazilians. In the image below you can see the pitch.

When you click on the image, which is hosted at hxxp://dhroot.hpg.com.br/images/danosse.jpg, you’ll follow a link that will attempt to download a Trojan from hxxp://www.medcitybuilders.com/plugins/system/[REMOVED]/. This Trojan is a downloader that will copy a password-stealing malware that targets the customers of Brazilian banks. The malware is currently hosted at hxxp://www.radfahrschule.at/html/modules/PagEd/browsepics/[REMOVED].

In Brazil we say “there is no such thing as free dinner.” In the States there’s no free lunch. In this case we can also see that there are no free air tickets.

Recently there seems to be a leak of the software onto the Internet. On Tuesday November 10, someone using the pseudonym DrWeird of Eti.in posted the documentation and a working build from Version 1.1.2 online.

Here are some details I collected from one of the posted manuals.

Working on Windows XP, COFEE consists of three major components: the GUI for the investigator, the command‐line application to be executed on the target machine, and the individual tools that are managed by COFEE and the command‐line application. As explained in the manual, the execution process is divided into three phases: tool generation, data acquisition, and report generation.

During the tool generation phase, digital forensics specialists can select tools to run against a target machine based on the individual case requirements. They can do this by either selecting a predefined profile, or by manually creating a profile and selecting which tools (including switches) to run against the target machine.

Two predefined profiles were developed to help investigators during the generation phase. The first is the Volatile Data Profile, which carries out a full forensic examination. None of the programs makes any direct writes to the suspect’s file system. The second, the Incident Response Profile, can be used when an investigator cannot perform a forensic analysis on the target machine. This profile is designed to have minimal impact on the suspect’s file system.

After “brewing” a cup of COFEE, investigators insert the USB device into the target machine. The data acquisition phase runs and all collected data will be stored on the USB stick.

After data collection, investigators can start the report generation phase by loading that information into the GUI console on the investigator’s machine and generate a report.

In the past, I pointed out that if law enforcement created dedicated tools, that one of these days they will certainly fall into crooked hands. These hands will be happy to study and re-use them for their own porpuses. The detection policies for the original piece of codes as well as its existing and potential future variants is still much debated. Today the disclosed program is not so sensitive; it is merely a repackaging of known utility tools many have been using for a long time. But this leak must remind us that people will use the same tools for very different reasons and goals.

The PDF is the latest in the ugly line of exploit- and malware-ridden embedded PDFs that damage your computer. If you were unfortunate enough to open the file, you’d see what the malware writers expect you to see: a file named “Adobe.pdf” with details about a real story about piracy off the coast of East Africa.

But behind the scenes, sinister things occur. The malicious PDF runs some JavaScript that exploits the Adobe Collab overflow (CVE-2007-5659) and Adobe getIcon (CVE-2009-0927) vulnerabilities. This screenshot shows the beginning of the compressed JavaScript stream:

In addition, two variants of ProcKill-EM are dropped into the Windows system folder, usually C:\Windows\system32.

As always, if you receive a document – PDF or otherwise – from someone you don’t know, then don’t open  the document. And even if you know the document’s sender, scan the file with your antivirus program with the latest signatures before you open it.

McAfee customers are protected in the 5809 DATs against the threats mentioned above, as Exploit-PDF.aa and ProcKill-EM. Keep your signatures up to date and stay secure!

Source: Google Trends

Java applets provide everything from interactive features to web applications to advertisements. Since the birth of Java, attackers have exploited its security platform. Attackers are now taking advantage of a feature in Java to social-engineer not tech-savvy Internet users into infecting themselves with malware.

Here’s how an attack works:

• The bad guys spam a link claiming to be the Carrie PreJean video
• Then they trick victims into visiting a malicious website, which prompts users into running a Java applet to view the video

The signed applet contains a signature that browsers should verify through a remote, independent certificate-authority server. Once the signature is verified and the user also approves, the signed applet can gain more rights, becoming equivalent to an ordinary application. When the app is injected into a trusted website, users would hardly take the trouble to validate if the certificate is legitimate.

• At this point, the applet runs in the browser, which in turn downloads a malicious executable that launches itself on the victim’s machine

This approach is very effective for the following reasons:

• It’s easier to social-engineer users, as many rich multimedia applications use Java
• Unlike spammed links that contain a cocktail of exploits or a zero-day attack, this approach exploits the applet’s design
• The attack is independent of browser type and version
• The attack works on a machine with the latest version of Java, which makes the exploit all the more dangerous

The malicious applet has almost no detection on Virustotal, but it is detected by McAfee with the current DATS as Exploit-ByteVerify.b. The malicious executable incorporates SMTP functionality that is capable of sending spam and is currently detected as BackDoor-EHP.

We urge users to handle unknown Java applets with caution and make sure any digital signature comes from a trusted authority before executing it.

However, only days after McColo was taken offline, it was reconnected for a brief period–about 12 hours–by its uplink provider, giving just enough time for the Rustock botnet owners to recommunicate with their infected machines and point the command and control centers to other service providers. Rustock quickly regained its status as a top spam distributor. The Mega-D botnet owners also bounced back until it was shut down just this past week. Srizbi, which once accounted for more than 50 percent of spam volume, never recovered and is no longer a factor in today’s spam wars.

What has happened since McColo was shut down? Did spam volumes ever recover from the loss of three of the largest spam-sending botnets? Not only did spam volumes recover, unfortunately, but they recovered quickly and have greatly surpassed the volumes that we saw before McColo was taken offline.

You can see in the preceding graph where volumes stood and how they dropped off after McColo was cut off. However, the shutdown’s effect was brief and ultimately small. We have seen dramatic increases since then due to the relaunching of botnets such as Rustock as well as new botnets such as Bredo (which primarily sends fake nondelivery notifications spoofing package delivery services like FedEx, DHL, and UPS) and Waledac (the rebirth of the Storm botnet). Spam volumes have more than doubled since just February 2009, dwarfing several times over the decreases due to McColo’s demise.

The McColo closure as a single event remains significant, but when you compare it with the huge increases in volumes that we have seen since then–because of increased spoofs against social media sites through viruses like Koobface and spam continuing to be major factors in the successes of Rustock and Cutwail–the decrease now reflect only a momentary blip on the radar. 

Nonetheless, you should expect to see more of these types of takedowns as security researchers and research organizations continue to get involved, but you should also expect the overall effect of those shutdowns to be temporary. McColo has taught botnet owners a lesson. As a result botnet control centers have become more distributed, spanning many networks in many countries. Today taking down a big hosting provider would prove only a minor inconvenience as opposed to a major victory for security forces.

Last week saw someone in the Netherlands attempting to extort iPhone owners.  The attacker scanned his mobile phone carrier’s network looking for jailbroken iPhones. Once he located a phone running the secure shell service(SSH) he attempted to login using the default root user account password.  instead of quietly taking a look at or copying the user’s SMS messages and emails,  he decided to be a nice guy and replace their wallpaper with a demand for €5(approximately $7) in order to secure their iPhone.  His PayPal account was shut down and he quickly put up instructions for changing the password on his site.

Then this very week also saw the release of a worm by an Australian malware author using the handle ‘ikee’.  It exploits the same root password vulnerability as that used by the Netherlands attacker.  The worm family is now called OSX/RRoll.  It’s notable for replacing your wallpaper with an image of Rick Astley and a message from the author.  After changing the background image, OSX/RRoll.A-B will delete the binary of the SSH daemon(service) and terminate its process.  This serves the dual purpose of closing the hole that allowed infection and also preventing reinfection by the worm or other attackers.

Background image displayed while the iPhone is locked. (Simulated)

Background image displayed during a phone call. (Simulated)

Potential Legal Issues

The malware author gave an interview earlier in the week where he explains that there are four variants in the wild.  While he was willing to share the source code with his interviewer he expressed concern with its public release:

[10:13] <ikee> [...](I don’t know if its so wise posting the code online, nefarious people that otherwise would not have had the chance could modify it to be quite destructive)

Fortunately the interviewer shortly removed public access to the Google Code project.

The concern by ikee is certainly good to see and shows that perhaps he views malware creation as a bad idea.  What is odd, is that he doesn’t think he will run into any trouble with the authorities.  Unlike our friend from the Netherlands.

From ikee’s interview:

[09:39] <JD> Are you aware of the possible legal consequences of this (the [OSX/RRoll worm])? Are you concerned?
[09:40] <ikee> I’d like to think I’m aware, and also I highly doubt I’m in any real trouble (So no not concerned)

It seems Australia actually has a number of laws concerning High Tech Crime and ikee may eventually have a conversation with the Australian Federal Police. But who knows as I am not a lawyer.

Prevention

OSX/RRoll.A-B only targets jailbroken iPhones that run on the networks of three mobile carriers in Australia.  If you’ve installed the SSH service on your iPhone but neglected to change your root password from the well known default, you’re likely to be at risk from attackers.

Users can reduce their risk by:

• Changing the default root password.
• Not installing/uninstalling the SSH package if you don’t use it.
• Modifying your phone’s firmware can sometimes result in having software installed by default or with default settings.

Future threats

The source code for both versions of OSX/RRoll was available from a Google Code project for a little while earlier this week.  Once you have working source code for a worm, it can be straightforward to add more malicious actions.

As with the first attempt at iPhone malware which exploited an installer application for jailbroken iPhones, OSX/RRoll.B  exploits the Cydia Installer application.  Where previously the Installer application dealt only in free applications developed with the unofficial iPhone SDK, the Cydia application also provides the ability to buy applications through a Cydia Store. With the possibility of making money(application sales) and possibly lax security(unchanged default root passwords) attackers may see an opportunity in targeting  applications like Cydia.

[ Legitimate McAfee site]

[Rogue Anti-Virus MaCatte site]

Recently we have seen the rapid growth of rogue anti-virus/spyware programs. This one is especially interesting. Why? Because it mimics McAfee’s security product. This rogue software displays the same user interface as McAfee Security Center. It also offers a web page that looks similar to McAfee’s legitimate site.

I suppose we should be flattered that malware authors have chosen our product as one worth imitating. Rogue anti-virus products have long mimicked Microsoft’s security apps in Windows XP (FakeAlert-XPSecCenter) and Windows Vista/Windows 7 (FakeAlert-EA).

The idea behind fake AV software is to trick unsuspecting users into thinking their machines are infected. The malware will display a window that shows many innocent files detected arbitrarily as compromised. These fake security alerts are baseless–they exist to trick victims into pressing the panic button. In this case agreeing to “Remove all threats now” will lead to purchasing the MaCatte Antivirus 2009 product. The rogue software offers several “features”:

[MaCatte SecurityCenter image]

And that’s not all–MaCatte Antivirus 2009 will block currently installed or downloaded anti-virus software. It will redirect your browser to various misleading websites, including the rogue program’s homepage, www.macatte.com.

Once installed, MaCatte Antivirus will start automatically when you boot Windows. Then it will scan your computer and display numerous infections, but will not remove them until you first purchase the program.

The cost of cleaning the “malicious” files comes at the rip-off price of $99. Leading legitimate anti-virus security products don’t come close to the cost of this imposter. I hope that’s an eye opener for you. Don’t become a victim.

Update: McAfee’s legal team contacted the domain registrars, who swiftly brought down the site to spare unsuspecting surfers from becoming victims to this imposter. Detection is available beginning with the 5793 DATs as FakeAlert-MaCatte.

Similar to the scam described at Arun Pradeep’s blog post. Once the search result is clicked, users are redirected to a website showing a fake online malware scanning and warns users that their systems are infected. It would then ask to install an anti-virus program to remove the malware.

This fake online scanning is seen hosted at the following domains:

• secure-pcprotection.net
• examinedicho.com

This malware is now detected as FakeAlert-AB. Always update your security product and be extra careful when accessing unknown sites.

It’s not new that the Google logo includes Big Bird; it does so on special occasions. The Google logo clearly shows Today’s Hot Trends, and that’s a target for malware writers.

This year is the fortieth anniversary of Sesame Street, and the bad guys have begun their attack. Searching for keywords such as Big Bird’s birthday and Big Bird on Google displays pages with compromised sites.

Watch the video below, which shows how rogue anti-spyware attacks a system.

The video shows that the malware is literally pushed onto the system regardless of what the user does. In the past we have seen malware injected into a compromised site through exploits and iframes. Today, malware often attacks only from a search-results page. In certain attacks, if a user directly accesses a compromised site, then there’s no redirection to a payload and no infection.

Users have no idea what they will get by clicking on search results, which now are like a virtual minefield; you never know what will happen next. McAfee strives to protect users from such attacks through its free SiteAdvisor technology. It warns users with green, yellow, and red alerts next to each search result. You can minimize your risk of attack by using SiteAdvisor and paying attention to what you are clicking on.

The new community will have main areas for Business users, Home/Home Office users, Security Awareness, and Community Help. Through discussions, blogs, wikis, profiles, polls, and special interest groups, you’ll find the McAfee Online Support Community a great place to be.

Go to http://community.mcafee.com to explore, join, and participate today!