Anti-Spyware and PC Security News


04 Jul

Beware of E-mail Scams for Identity Theft

Chase customers could be the target of an e-mail scam that solicits their personal information for false security measures.

The New York State Consumer Protection Board warns that the e-mail appears to be from Chase, but consumers should not respond.

The bogus e-mail purports that the online form is necessary as a result of “new security measures.”

The e-mail may state:

“As part of the new security measures, all Chase bank customers are required to complete Chase Customer Form. Please complete the form as soon as possible.”

The consumer protection board and Chase warn that scammers are attempting to illegally obtain personally identifiable information from consumers for the possible purpose of committing identity theft and fraud.

Consumers who have responded to these e-mails may already be victims, as the form asks for their name, address, and phone number in combination with credit card numbers, bank account information, Social Security number, passwords, and other sensitive information.

The CPB and Chase urge consumers who receive this e-mail to:

— Install, update and use anti-virus and anti-spyware software, as well as firewalls.

— Review your financial account statements upon receipt to check for unauthorized charges.

— Check your credit report regularly. You can do this free of charge three times a year through the three reporting agencies found online at www.freecreditreport.com.

— Use caution when opening any attachment or downloading any files from e-mails received even from known sources, to avoid the possibility of infecting computers with viruses, malware, spyware or other software designed to impair your computer’s security.

— Look for the “https” prefix and a closed padlock when entering any financial information for electronic transmission over the Internet.

— Report suspected phishing scams to the Federal Trade Commission at spam@uce.gov and to the institution or company targeted in the phishing e-mail. You also may report phishing e-mails to the Anti-Phishing Working Group at reportphishing@antiphishing.org.
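The two checks the advisory tells readers to make by eye (does the link really go to the bank, and is it asking for data a bank would never request by e-mail) can be automated for triage. The script below is an added example, not part of the advisory; both e-mail bodies are constructed, the lookalike host uses the reserved .example TLD, and chase.com is assumed to be the bank's legitimate domain.

```python
"""Triage a suspicious bank e-mail for the indicators the CPB advisory lists.

Added example, not part of the advisory. It flags links whose host is not the
bank's domain (or that are not served over https) and requests for the kinds
of data the bogus form asks for. Sample bodies below are constructed.
"""
import re
from typing import List
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Data types the advisory says the fake form requests.
SENSITIVE_RE = re.compile(
    r"\b(social security|password|pin|account number|credit card)\b", re.I)


def extract_urls(text: str) -> List[str]:
    return URL_RE.findall(text)


def host_matches(url: str, legit_domain: str) -> bool:
    """True if the URL's host is the bank's domain or a subdomain of it.
    'chase.com.customer-form.example' fails because its registered domain is
    'customer-form.example', not 'chase.com'."""
    host = (urlparse(url).hostname or "").lower()
    return host == legit_domain or host.endswith("." + legit_domain)


def phishing_indicators(body: str, legit_domain: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    for url in extract_urls(body):
        if not host_matches(url, legit_domain):
            findings.append(f"link leads outside {legit_domain}: {url}")
        elif urlparse(url).scheme != "https":
            findings.append(f"bank link not served over https: {url}")
    seen = []
    for term in SENSITIVE_RE.findall(body):
        term = term.lower()
        if term not in seen:  # report each data type once
            seen.append(term)
            findings.append(f"asks for sensitive data: {term}")
    return findings


# Constructed sample modelled on the wording quoted in the advisory.
PHISHING_BODY = (
    "As part of the new security measures, all Chase bank customers are "
    "required to complete Chase Customer Form. Please complete the form at "
    "http://chase.com.customer-form.example/update and confirm your "
    "Social Security number and password."
)
# Constructed benign sample: link on the bank's own domain, nothing requested.
BENIGN_BODY = "Your statement is ready. Sign in at https://www.chase.com/ to view it."

if __name__ == "__main__":
    for name, body in (("phishing", PHISHING_BODY), ("benign", BENIGN_BODY)):
        print(name, phishing_indicators(body, "chase.com") or ["no indicators"])
```

The host check deliberately compares the registered domain, not a substring: a host that merely contains "chase.com" somewhere in its name is the classic lookalike trick this advisory is warning about.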


20 Jun

Malware outbreak - Gumblar

The latest large-scale malware outbreak to hit the Web, known variously as Gumblar, Geno and Martuz, is a multi-stage attack that not only infects compromised machines with a number of separate pieces of malware but also can steal credentials and block the victim from taking actions to clean his PC.

The Gumblar attack, for all its sophistication, still relies on the basic drive-by download technique to infect machines, and it’s been wildly successful in that endeavor. Some estimates have Gumblar responsible for more than 40% of all Web site infections, and ScanSafe, which has been following the attack, has seen huge increases in the number of infected sites throughout this week. The only good news appears to be that the Chinese domains controlling the infections are down for the time being.

Andrew Martin, a corporate security specialist who writes a technical security blog, has done a lab analysis of Gumblar and come up with a detailed deconstruction of the malware’s behavior and capabilities. In short, Gumblar is 100 miles of bad road.

After infecting a machine, Gumblar installs a series of malware programs, including a small application capable of stealing FTP credentials, as well as the ever-popular spambot to turn the PC into a mail relay. Gumblar also installs a fake antivirus program known as System Security 2009, and disables whatever legitimate security software the user has installed on the machine.

But the real fun is in the hijacked search results. As Martin points out, Gumblar installs a proxy on TCP port 7171 that redirects search queries. So an infected user searching for information on a restaurant might get an attacker-generated results page full of bogus links.

While the main domains controlling the attack seem to have been taken offline, there are still dozens of other domains involved. Martin has an extensive list of the secondary domains involved with Gumblar.
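The search-hijacking proxy on TCP port 7171 is the one host-side artefact in this write-up that is cheap to check for. The script below is an added example, not from the post or from Martin's analysis: it parses `netstat -an`-style output (the sample lines are constructed, not captured from an infected machine) and reports any TCP socket listening on that port. A listener there is a lead to investigate, not proof of Gumblar, since other software may legitimately use the port.

```python
"""Flag local listeners on the port Gumblar's search-redirecting proxy uses.

Added example, not code from the original post. Parses netstat-style lines
(constructed sample below) and reports TCP sockets listening on port 7171.
"""
import re
from typing import Dict, List

# Port named in the post for Gumblar's search-redirecting proxy.
GUMBLAR_PROXY_PORT = 7171

# Constructed sample in the layout of `netstat -an` on Windows; the
# 127.0.0.1:7171 line is the suspicious one.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:7171         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49152     93.184.216.34:80       ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""

# proto, local address:port, foreign address, optional state (UDP has none)
_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+)(?:\s+(?P<state>\S+))?"
)


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Turn netstat -an lines into dicts; the header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def suspicious_listeners(text: str, port: int = GUMBLAR_PROXY_PORT) -> List[str]:
    """Return 'addr:port' for every TCP socket listening on `port`."""
    return [
        f"{r['laddr']}:{r['lport']}"
        for r in parse_netstat(text)
        if r["proto"] == "TCP"
        and int(r["lport"]) == port
        and (r["state"] or "").upper() in ("LISTENING", "LISTEN")
    ]


if __name__ == "__main__":
    hits = suspicious_listeners(SAMPLE_NETSTAT)
    print("Listeners on TCP 7171:", hits or "none")
```

Feed it real output with `netstat -an` piped into the script; on a clean machine the list should be empty, and on a hit the next step is to identify the owning process (on Windows `netstat -ano` adds the PID column) rather than to trust the port number alone.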


09 Apr

Conficker Updates

The Conficker worm is finally doing something: updating via peer-to-peer between infected computers and dropping a mystery payload on them, Trend Micro said on Wednesday.

Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.

The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.

Because infected computers are receiving the new component in a staggered manner rather than all at once, there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.

“After May 3, it shuts down and won’t do any replication,” Perry said. However, infected computers could still be remotely controlled to do something else, he added.

Last night Trend Micro researchers noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.

“As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP,” the blog post says. “The Conficker/Downad P2P communications is now running in full swing!”

In addition to adding the new propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware and its Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson.

The worm tries to access a known Waledac domain and download another encrypted file, the researchers said.

Conficker.C failed to make a splash a week ago despite the fact that it was programmed to activate on April 1. It has infected between 3 million and 12 million computers, according to Perry.

Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.

The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords.

The worm disables security software and blocks access to security Web sites. To check whether your computer is infected, you can use the Conficker Eye Chart.


08 Apr

Electric Utility Bug?

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

“The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.”

The espionage appeared pervasive across the U.S. and doesn’t target a particular company or region, said a former Department of Homeland Security official. “There are intrusions, and they are growing,” the former official said, referring to electrical systems. “There were a lot last year.”

Many of the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies, officials said. Intelligence officials worry about cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the Internet.

Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, “If we go to war with them, they will try to turn them on.”

Officials said water, sewage and other infrastructure systems also were at risk.

“Over the past several years, we have seen cyberattacks against critical infrastructures abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts,” Director of National Intelligence Dennis Blair recently told lawmakers. “A number of nations, including Russia and China, can disrupt elements of the U.S. information infrastructure.”

Officials cautioned that the motivation of the cyberspies wasn’t well understood, and they don’t see an immediate danger. China, for example, has little incentive to disrupt the U.S. economy because it relies on American consumers and holds U.S. government debt.

But protecting the electrical grid and other infrastructure is a key part of the Obama administration’s cybersecurity review, which is to be completed next week. Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks, according to people familiar with the budget. The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more. A senior Pentagon official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage.


03 Apr

Linux.Psybot Attacks on Linux Router

If you’re one of those people with a passing knowledge of Linux, you might see it as something used exclusively by network admins, developers, and hobbyists. What you may not realize is that these admins, devs, and hobbyists have taken this versatile OS and ported it to all sorts of devices over the years. While some of these ports were for fun (epitomizing the “because I could” attitude of many hardware enthusiasts), Linux slowly began to appear on everyday devices.

Today you can find the operating system on anything from phones to cameras to PVRs. Even if you’re not a gadget geek, you may have a Linux-embedded device yourself without knowing it.

While this swell in usage is great news for open-source advocates, it also brings unwanted attention. As we’ve seen time and again, as software gains in popularity it becomes more of a target for malicious code. Over the last few months, security researchers have been tracking a threat that appears to have slowly built itself a significant botnet (what we’re calling Linux.Psybot). Threats written for Linux are nothing new or all that newsworthy. What’s different about this threat is that it is written specifically to target a broad set of embedded Linux routers currently on the market.

Once on a device, the threat opens a back door, after which it can perform any number of malicious actions. The implications here sound severe, but it’s important to note that while the threat shows the potential to run on a broad swath of hardware, Linux.Psybot relies on two very common malicious code techniques:

* Brute-forcing weak passwords
* Exploiting vulnerabilities

The good news is that protecting yourself is fairly simple: enforce strong passwords and patch. The problem is that many people, even some who vigilantly keep their desktop OS up to date, don’t regularly administer their routers. In some cases they may have left the default password enabled and don’t keep abreast of patches for their routers.

A large number of routers are susceptible to this threat, and their configurations vary, which makes it difficult to give comprehensive advice on how to protect against it. Briefly, here are some guidelines to shore up your router. In all cases, if these tips don’t work, consult your router’s manual or your network admin for further details.

Strong passwords

Open a Web browser and type http://192.168.1.1/ or http://192.168.0.1/ in the address bar. In most cases this will take you to your router’s interface and you will be prompted for a user name or password. Most routers contain a default set, and may still be using this combination if you haven’t changed it. Try some of the following (or a blank password), known to work on some default router configurations:

* root
* admin
* default
* password
* 1234

Once you’re in, change that password to something more secure. The location of the password-changing feature will vary from device to device, but should be easy enough to perform.

Patch the router

Now that you’re in, navigate around the interface and look for a feature for upgrading the firmware. Many embedded Linux routers on the market today contain a feature that will check for updates. While the location of the upgrade feature varies from router to router, it’s usually quite easy to run. Just follow the in-browser instructions. (Alternatively, if you have installed custom firmware, check the project’s Web site for updates.)

Disable external Admin access

Another thing you can do to protect yourself from such threats is to disable administrative access to the router from outside the network. Linux.Psybot must be able to establish an external connection to your network in order to carry out its infection. While this will limit you to accessing the router’s interface from within the network, in most cases this should be sufficient to administer the router. This process is more complex than the previous two, and the steps needed vary more widely, so we’ll have to refer you to your manual or network admin here.

Flush the router’s memory

Finally, if you suspect the threat is on your router, you can flush it out by performing a hard reset, which returns the device to its factory settings. Usually, it’s as simple as pushing a button on the back of the router. Before doing so, note that you will lose any configuration changes you have made: the reset clears saved settings along with the worm. If you are unsure of the process, consult your manual or network admin for help.
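The three hardening steps above (strong password, current firmware, no external admin access) map onto the two techniques Psybot relies on, and they can be checked mechanically once you know what your router exposes. The audit below is an added example, not code from the post or from any router vendor: the configuration dictionaries are a hypothetical schema standing in for whatever a given router's web interface shows, the default-password list is the one the post gives, and the 12-character minimum is an assumed policy.

```python
"""Audit router admin settings against the three Psybot mitigations above.

Added example, not code from the original post or any router vendor. The
config dictionaries use a hypothetical schema; adapt the keys to your device.
"""
import re
from typing import Dict, List

# Credentials the post lists as known to work on some default router setups,
# plus the blank password it also mentions.
DEFAULT_PASSWORDS = {"", "root", "admin", "default", "password", "1234"}
MIN_LENGTH = 12  # assumed policy, not from the post
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def password_findings(password: str) -> List[str]:
    """Everything wrong with an admin password; empty list means it passes."""
    findings = []
    if password in DEFAULT_PASSWORDS:
        findings.append("admin password is blank or a known factory default")
    if len(password) < MIN_LENGTH:
        findings.append(f"admin password shorter than {MIN_LENGTH} characters")
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, password))
    if classes < 3:
        findings.append("admin password uses fewer than 3 character classes")
    return findings


def audit_router(cfg: Dict[str, object]) -> List[str]:
    """Check password strength, external admin access and firmware currency."""
    findings = password_findings(str(cfg.get("admin_password", "")))
    if cfg.get("remote_admin_enabled"):
        findings.append("admin interface reachable from the WAN side; "
                        "disable external admin access")
    current, latest = cfg.get("firmware_version"), cfg.get("latest_firmware_version")
    if current != latest:
        findings.append(f"firmware {current} is behind available {latest}; upgrade")
    return findings


# Constructed: a router left as shipped (version strings are made up).
WEAK_ROUTER = {
    "admin_password": "admin",
    "remote_admin_enabled": True,
    "firmware_version": "1.0.2",
    "latest_firmware_version": "1.0.4",
}
# Constructed: the same router after applying the three steps.
HARDENED_ROUTER = {
    "admin_password": "Tr0ub4dor&3-Router!",
    "remote_admin_enabled": False,
    "firmware_version": "1.0.4",
    "latest_firmware_version": "1.0.4",
}

if __name__ == "__main__":
    for name, cfg in (("as shipped", WEAK_ROUTER), ("hardened", HARDENED_ROUTER)):
        print(f"{name}:")
        for f in audit_router(cfg) or ["no findings"]:
            print("  -", f)
```

The default-password check is the one that matters most for Psybot's brute-forcing: a long random password fails the brute-force technique outright, while the firmware check addresses the second technique, exploiting known vulnerabilities.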


29 Mar

Conficker Will Strike Back

The fast-moving Conficker computer worm, a scourge of the Internet that has infected at least 3 million PCs, is set to spring to life in a new way on Wednesday — April Fools’ Day.

That’s when many of the poisoned machines will get more aggressive about “phoning home” to the worm’s creators over the Internet. When that happens, the bad guys behind the worm will be able to trigger the program to send spam, spread more infections, clog networks with traffic, or try and bring down Web sites.

Technically, this could cause havoc, from massive network outages to the creation of a cyberweapon of mass destruction that attacks government computers. But researchers who have been tracking Conficker say the date will probably come and go quietly.

More likely, these researchers say, the programming change that goes into effect April 1 is partly symbolic — an April Fools’ Day tweaking of Conficker’s pursuers, who for now have been able to prevent the worm from doing significant damage.

“I don’t think there will be a cataclysmic network event,” said Richard Wang, manager of the U.S. research division of security firm Sophos PLC. “It doesn’t make sense for the guys behind Conficker to cause a major network problem, because if they’re breaking parts of the Internet they can’t make any money.”

Previous Internet threats were designed to cause haphazard destruction. In 2003 a worm known as Slammer saturated the Internet’s data pipelines with so much traffic it crippled corporate and government systems, including ATM networks and 911 centers.

Far more often now, Internet threats are designed to ring up profits. Control of infected PCs is valuable on the black market, since the machines can be rented out, from one group of bad guys to another, and act as a kind of illicit supercomputer, sending spam, scanning Web sites for security holes, or participating in network attacks.

The army of Conficker-infected machines, known as a “botnet,” could be one of the greatest cybercrime tools ever assembled. Conficker’s authors just need to figure out a way to reliably communicate with it.

Infected PCs need commands to come alive. They get those commands by connecting to Web sites controlled by the bad guys. Even legitimate sites can be co-opted for this purpose, if hackers break in and use the sites’ servers to send out malicious commands.

So far, Conficker-infected machines have been trying to connect each day to 250 Internet domains — the spots on the Internet where Web sites are parked. The bad guys need to get just one of those sites under their control to send their commands to the botnet. (The name Conficker comes from rearranging letters in the name of one of the original sites the worm was connecting to.)

Conficker has been a victim of its success, however, because its rapid spread across the Internet drew the notice of computer security companies. They have been able to work with domain name registrars, which administer Web site addresses, to block the botnet from dialing in.

Now those efforts will get much harder. On April 1, many Conficker-infected machines will generate a list of 50,000 new domains a day that they could try. Of that group, the botnet will randomly select 500 for the machines to actually query.

The bad guys still need to get only one of those up and running to connect to their botnet. And the bigger list of possibilities increases the odds they’ll slip something by the security community.

Researchers already know which domains the infected machines will check, but pre-emptively registering them all, or persuading the registrars to neutralize all of them, is a bigger hurdle.
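The figures in this article (250 domains a day before April 1; 50,000 candidates a day afterwards, of which each machine queries 500 at random) are enough to put numbers on why knowing the list no longer solves the problem. The script below is an added example, not from the article or from any Conficker analysis: its candidate generator is a toy (a date-seeded SHA-256 truncated to eight hex characters under the reserved .example TLD) that stands in for the worm's real algorithm only so the code runs offline, and the probability functions use the article's counts.

```python
"""The defender's arithmetic behind the April 1 change described above.

Added example, not from the article. toy_candidates() is a stand-in, not
Conficker's generator; the counts below are the article's figures.
"""
import hashlib
import random
from datetime import date
from math import comb
from typing import List

OLD_DAILY = 250          # domains each infected machine tried per day before April 1
NEW_CANDIDATES = 50_000  # candidates generated per day from April 1
NEW_QUERIED = 500        # of which each machine picks 500 at random
APRIL_FOOLS_2009 = date(2009, 4, 1)


def toy_candidates(day: date, count: int) -> List[str]:
    """Deterministic per-day candidate list (toy, not the worm's algorithm)."""
    return [hashlib.sha256(f"{day.isoformat()}/{i}".encode()).hexdigest()[:8]
            + ".example" for i in range(count)]


def contact_probability(candidates: int, queried: int, attacker_owned: int) -> float:
    """Chance that one bot, querying `queried` of `candidates` at random, reaches
    at least one of `attacker_owned` domains the controllers managed to register
    (defenders having neutralized all the others). Exact hypergeometric."""
    if attacker_owned <= 0:
        return 0.0
    miss = comb(candidates - attacker_owned, queried) / comb(candidates, queried)
    return 1.0 - miss


def registrations_to_neutralize(days: int, per_day: int) -> int:
    """Domains defenders must register or sinkhole to cover `days` days completely."""
    return days * per_day


def simulate_day(day: date, attacker_owned: int = 1, bots: int = 2000, seed: int = 0) -> float:
    """Monte Carlo check of contact_probability on the toy list: fraction of
    bots that hit an attacker-owned domain on one day."""
    cands = toy_candidates(day, NEW_CANDIDATES)
    rng = random.Random(seed)
    owned = set(rng.sample(cands, attacker_owned))
    reached = sum(1 for _ in range(bots)
                  if owned.intersection(rng.sample(cands, NEW_QUERIED)))
    return reached / bots


if __name__ == "__main__":
    print("old scheme, 1 attacker domain, bot hits it: ",
          contact_probability(OLD_DAILY, OLD_DAILY, 1))
    print("new scheme, 1 attacker domain, single bot hits it:",
          contact_probability(NEW_CANDIDATES, NEW_QUERIED, 1))
    print("domains to neutralize for one week, old vs new:",
          registrations_to_neutralize(7, OLD_DAILY), registrations_to_neutralize(7, NEW_CANDIDATES))
    print("simulated fraction of bots reaching 1 attacker domain:",
          simulate_day(APRIL_FOOLS_2009))
```

The two results worth noticing: under the old scheme every bot queried all 250 names, so a single attacker-controlled domain reached the whole botnet, and defenders could shut that down by covering 250 names a day; under the new scheme a single registered domain reaches only about 1% of bots per day, but blocking it in advance means covering 50,000 names every day, which is the logistical hurdle the researchers quoted above describe.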

“We expect something will happen, but we don’t quite know what it will look like,” said Jose Nazario, manager of security research for Arbor Networks, a member of the “Conficker Cabal,” an alliance trying to hunt down the worm’s authors.

“With every move that they make, there’s the potential to identify who they are, where they’re located and what we can do about them,” he added. “The real challenge right now is doing all that work around the world. That’s not a technical challenge, but it is a logistical challenge.”

Conficker’s authors also have updated the worm so infected machines have new ways to talk to each other. They can share malicious commands rather than having to contact a hacked Web site for instructions.

That variation is important because it shows that even as security researchers have neutralized much of what the botnet might do, the worm’s authors “didn’t lose control of their botnet,” said Michael La Pilla, manager of the malicious code operations team at VeriSign Inc.’s iDefense division.

The Conficker outbreak illustrates the importance of keeping current with Internet security updates. Conficker moves from PC to PC by exploiting a vulnerability in Windows that Microsoft Corp. fixed in October. But many people haven’t applied the patch or are running pirated copies of Windows that don’t get the updates.

Unlike other Internet threats that trick people into downloading a malicious program, Conficker is so good at spreading because it finds vulnerable PCs on its own and doesn’t need human involvement to infect a machine.

Once inside, it does nasty things. The worm tries to crack administrators’ passwords, disables security software, blocks access to antivirus vendors’ Web sites to prevent updating, and opens the machines to further infections by Conficker’s authors.

Someone whose machine is infected might have to reinstall the operating system.
