Get hacked by google, bush, and hotmail

Over the weekend, I got the following message on MSN.

23/02/2008 22:43:03 Jonathan *mssoc :)
23/02/2008 22:44:04 Jonathan *mssoc hey
23/02/2008 22:44:04 Jonathan *mssoc it watches this animation of bush 😛
23/02/2008 22:44:04 Jonathan *mssoc http://[deleted]
I’ve changed the name of the sender, and deleted the googlepages website name, because frankly, you don’t want the ball of infection that is bush.exe.

First thing is, never run an .exe from the internet. Even if your friend has told you its safe (How do they know? Answer most commonly given “Well it didn’t trip out my copy of McAfee”). As we’ll see, even downloading the little pucker can be hazardous.

Normally when I do malware research, I use the electronic equivalent of thick rubber gloves and a bacterial safety screen. No one is pleased when malware stomps all over their system, including me.

Avast didn’t pick it up. Not quite trusting one AV, I submitted the result to VirusTotal, and the scan results showed a couple of potential heuristic nasties (the link is to the report). In the meantime, I deleted bush.exe unopened.

And this is where it went wrong.

You see, even deleting a file (or moving it to the Recycle Bin) counts as an access to a file. On access virus scanners open up a packed file (like bush.exe) to see what’s inside. This means that code set to execute when the file is opened… does. The next thing I knew, my resident protection for Spybot S&D was going crazy.
By the way, Spybot S&D is freeware. If you don’t have it installed, either you didn’t know about it (you do now), or you are certifiably crazy. Go install it now, I’ll wait.

Spybot reported that three new files had appeared, and were trying to insert themselves into my startup. Those files:


They picked C:\WINDOWS because that’s the default setting of the %temp% variable in Windows. There are times when UNIX’s /tmp folder looks eminently more sensible than using a system executable folder to drop stuff in, and this is indeed one of them.

A popup appeared (in Spanish) asking me to install the latest Flash player. Oops. Clicking “don’t install” did not help, and Spybot screamed at me for firing off more instances of the virus. I blacklisted the processes from adding themselves to my startup registry, and spybot went ballistic, warning me that this thing was indeed running rife through my system, trying to infect as much as possible.

So, while spybot was ringing every alarm bell it could find to let me know I had a problem (Houston?) and bringing my machine to a crawl, I fired up Security Task Manager (not free, but useful) and quarantined the nasty processes. I booted from clean, ran a startup AV scan. Everything looked ok.

This took about 2 hours, and the lessons I’d pass on are:

  • Don’t ever download and run an .exe file. My friend didn’t even know that I’d received this message from her, as it fires up windows messenger silently (fortunately I have this set to block already).
  • Run Spybot. Its a line of defence.
  • If you absolutely must download these things, use a virtual machine (Microsoft’s Virtual PC, or VMWare) and examine what’s going on under a clean disk image. Then wipe and start afresh. Better not to.
  • Don’t trust processes that “look good”. WINLOGON.EXE and LSASS.EXE are both names of system processes, however they normally live in %systemdir% (C:\WINDOWS\SYSTEM32)
  • I got thwacked in the chops by being too careless, and was lucky. My friend still has this thing running around their machine. Not so good.
So, that was my weekend fun. How was yours?

Shockwave rider, here we come

The New Scientist reports that Microsoft researcher’s are looking at new ways to spread software patches:

Microsoft researchers are hoping to use “information epidemics” to distribute software patches more efficiently.

Milan Vojnović and colleagues from Microsoft Research in Cambridge, UK, want to make useful pieces of information such as software updates behave more like computer worms: spreading between computers instead of being downloaded from central servers.

The research may also help defend against malicious types of worm, the researchers say.

Software worms spread by self-replicating. After infecting one computer they probe others to find new hosts. Most existing worms randomly probe computers when looking for new hosts to infect, but that is inefficient, says Vojnović, because they waste time exploring groups or “subnets” of computers that contain few uninfected hosts.

What happens when a “friendly” worm is hijacked? And of course, there’s the other issue, of those mission critical systems that are “too sensitive to patch”. I’m not certain of that, hopefully the days of the dodgy patches of Win NT 4.0 are behind us. However production guys get very twitchy if their platform changes under their feet. And of course, as the recent Royal Navy adverts remind us, Windows servers live on nuclear wessels too.

Web developers are not security experts, and security experts are not web developers…

The Web is scarier than most people realize, according to research published recently by Google.

The search engine giant trained its Web crawling software on billions of Web addresses over the past year looking for malicious pages that tried to attack their visitors. They found more than 3 million of them, meaning that about one in 1,000 Web pages is malicious, according to Neils Provos, a senior staff software engineer with Google.

These Web-based attacks, called “drive-by downloads” by security experts, have become much more common in recent years as firewalls and better security practices by Microsoft have made it harder for worms and viruses to directly attack computers.

In the past year the Web sites of Al Gore’s “An Inconvenient Truth” movie and the Miami Dolphins were hacked, and the MySpace profile of Alicia Keys was used to attack visitors.

Criminals are getting better at this kind of work. They have built very successful automated tools that poke and prod Web sites, looking for programming errors and then exploit these flaws to install the drive-by download software. Often this code opens an invisible iFrame page on the victim’s browser that redirects it to a malicious Web server. That server then tries to install code on the victim’s PC. “The bad guys are getting exceptionally good at automating those
attacks,” said Roger Thompson, chief research officer with security vendor Grisoft.

In response, Google has stepped up its game. One of the reasons it has been scouring the Web for malicious pages is so that it can identify drive-by-download sites and warn Google searchers before they visit them. Nowadays about 1.3 percent of all Google search queries list malicious results somewhere on the first few pages.

Some of the data surprised Provos.

“When we started going into this I had the firm intuition that if you go to the sleazier parts of the Web, you are in more danger,” he said.

It turns out the Web’s nice neighborhoods aren’t necessarily safer than its red-light districts.

“We looked into this and indeed we found that if you ended up going to adult-oriented pages, your risk of being exposed [to malicious software] was slightly higher,” he said. But “there really wasn’t a huge difference.”

“Staying away from the disreputable part of the Internet really isn’t good enough,” he noted.

Another interesting finding: China was far and away the greatest source of malicious Web sites. According to Google’s research, 67 percent of all malware distribution sites are hosted in China. The second-worst offender? The U.S., at 15 percent, followed by Russia, (4 percent) Malaysia (2.2 percent) and Korea (2 percent).

It costs next-to-nothing to register a Web domain in China and service providers are often slow to shut down malicious pages, said Thompson. “They’re the Kleenex Web sites,” he said. Criminals “know they’re going to be shut down, and they don’t care.”

Malicious site operators in China fall into two broad categories, Thompson said: fraudsters looking to steal your banking password, and teenagers who want to steal your World of Warcraft character.

So how to stop this growing pestilence?

Google’s Provos has this advice for Web surfers: Turn automatic updates on. “You should always run your software as updated as possible and install some kind of antivirus technology,” he said.

But he also thinks that Webmasters will have to get smarter about building secure Web sites. “I think it will take concentrated efforts on all parts,” for the problem to go away, he said.

Predatory software exploits weaknesses in vulnerable humans

One of the oldest and most successful ways of getting someone to spill information is the “honey trap”, where the mark gets seduced and tells all sorts of stuff they really shouldn’t. Pillow talk works exceptionally well, and its effective for industrial espionage, identity theft, and all sorts of what is quaintly termed “co-operative coercion”.

Everything that has mass market appeal eventually gets automated.

So, I read with interest that ComputerWorld reports that malware expert PCTools has discovered the CyberLover. From the report:

Developed in Russia, the new software is known as CyberLover and has been uncovered by security vendor PC Tools.
CyberLover can be found in chat-rooms and dating sites trying to lure victims into sharing their identity or visiting Web sites with malicious content.
According to its creators, CyberLover can establish a new relationship with up to 10 partners in just 30 minutes and its victims cannot distinguish it from a human being.

Where this becomes serious, of course is that CyberLover encourages its targets to reveal details about themselves, and reports all these back to its (her?) controllers. And yes, its us dumbo blokes who fall for this – women are much more savvy about who they engage online with.

At the moment, CyberLover is infesting Russian web chat sites, however I’d expect to see it pretty quickly move onto AIM, MSN, and Yahoo.

And there’s another place. If I were the author of CyberLover I’d wire this into the open source libsecondlife library, and wreak havoc amongst the horny geeks on there. Its technically easy, and the hard part – the interactive chat – is already done.

When you consider that all the experts such as David Lacey, Stuart King are predicting the growth of targetted attacks against big businesses, plus the fact that so many companies are leaping into Second Life with a glad cry, its an eminently plausible attack vector.

Be wary of that attractive pink talking lobster, it may have sharper claws than you expected.

Schneier’s brave new world

I was going to write what to be frank was a bit of a cheap shot at Bruce Schneier, (a Schneer?) starting with why BT (his employer) have suddenly decided that an account I’ve never heard of owes them £4.93, which they have sent to a debt collection agency.

Lovely. So, while I’m on hold I read this conversation with Ranum, and decided that there are more important things to talk about. One of the things they point out is the shocking brain-drain created by outsourcing. We’ve got to the point in the UK that “computer literate” means being able to write a word document (but not PowerPoint, that’s advanced stuff!) and surf the web. Most computer users can’t tell the difference between web site editing and programming, much less between thick/thin client applications, data abstraction, objects at rest and in transit (as an aside, I had some gleeful wonder who works as an IT security manager for a Government defence contractor tell me how Winzip is a protection measure for data in transit – don’t worry he was wrong about other things too).

Quoting Ranum: “The future will be captive data running on purpose-built back-end systems — and it won’t be a secure future, because turning your data over always decreases your security. Few possess the understanding of complexity and good design principles necessary to build reliable or secure systems. So, effectively, outsourcing — or other forms of making security someone else’s problem — will continue to seem attractive.

How did we get to this point where we all seem to be in a state of blissful ignorance about the technology that we increasingly rely on to run our lives? How did we end up not caring i which country our banking information is held? Where are our taxes accounted for? Do we really have such trust in the corporations (both commercial and governmental) that provide us with services? Is it misplaced? How do we know? What can we do to fix it when it goes wrong?

I recall how difficult it was to hire a C++ programmer a few years back. There aren’t that many people left in the UK who are competent programmers. Does anyone think this is an important skill for our growth as a high-tech industry? I read recently how we are proudly exporting foodstuffs (light ale) to India, who of course are selling us IT services, cars, steel, and manufactured goods. Have a think about the economics (and sociology) of that one.

We don’t understand how insecure the systems on which we base our lives, welfare and repuations. For a simple example, look at the MBS Victims forum – these are people who unwisely searched for adult content on the internet, and found that they had inadvertently clicked on a piece of malware which denied them access to their computer until they paid the subscription. Now consider how additionally distressing it would be if this piece of malware downloaded illicit content to their computer. Bye bye job. Bye bye family. Bye bye liberty.

As Bruce puts it: “…I pointed to the iPhone, whose draconian rules about who can write software for that platform accomplishes much the same thing. We could also point to Microsoft’s Trusted Computing, which is being sold as a security measure but is really another lock-in mechanism designed to keep users from switching to “unauthorized” software or OSes.
I’m reminded of the post-9/11 anti-terrorist hysteria — we’ve confused security with control, and instead of building systems for real security, we’re building systems of control. Think of ID checks everywhere, the no-fly list, warrantless eavesdropping, broad surveillance, data mining, and all the systems to check up on scuba divers, private pilots, peace activists and other groups of people. These give us negligible security, but put a whole lot of control in the government’s hands.
Computing is heading in the same direction, although this time it is industry that wants control over its users. They’re going to sell it to us as a security system — they may even have convinced themselves it will improve security — but it’s fundamentally a control system. And in the long run, it’s going to hurt security.
Imagine we’re living in a world of Trustworthy Computing, where no software can run on your Windows box unless Microsoft approves it. That brain drain you talk about won’t be a problem, because security won’t be in the hands of the user. Microsoft will tout this as the end of malware, until some hacker figures out how to get his software approved. That’s the problem with any system that relies on control: Once you figure out how to hack the control system, you’re pretty much golden. So instead of a zillion pesky worms, by 2017 we’re going to see fewer but worse super worms that sail past our defenses.
By then, though, we’ll be ready to start building real security. As you pointed out, networks will be so embedded into our critical infrastructure — ­and there’ll probably have been at least one real disaster by then — ­that we’ll have no choice. The question is how much we’ll have to dismantle and build over to get it right.

I’m still on hold for BT though.

Your Mac’s whacked

Gadi Evron writes in an email:
For whoever didn’t hear, there is a Macintosh trojan in-the-wild being dropped, infecting mac users.

Yes, it is being done by a regular online gang – it is not yet another proof of concept. The same gang infects Windows machines as well, just that now they also target macs.

Screenshot of New Mac Trojan from Sunbelt

Sunbelt says “Mackanapes can now feel the pain!”

This means one thing: Apple’s day has finally come and Apple users are going to get hit hard. All those unpatched vulnerabilities from years past are going to bite them in the behind.

I can sum it up in one sentence: OS X is the new Windows 98. Investing in security ONLY as a last resort losses money, but everyone has to learn it for themselves.

Ouch. No such thing as e-crime, eh?