MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

28.12.08

Phishing and Christmas "stories"

The end of each year is a special treat for malicious users: the holiday season gives them Christmas-themed lies with which to capture users' attention.


So, for a few hours now, a new phishing attack spread by spam has been flooding our mailboxes. Under the pretext of a Christmas lottery win, the message claims to come from a company called PostFinance. The spam looks like this:


To claim the alleged prize, you must first activate an account with Western Union. Two links are embedded in the body of the message. The first, under the caption "GO TO LOGIN PAGE FOR ACTIVATION (CLICK HERE)", leads to the company's real page (https://e-finance.postfinance.ch), while the second, "CLICK HERE", leads to a fake site that requests personal information (http://203.[REMOVED].149/js/default.html).

However, clicking this second link triggers a further redirect to a site addressed by IP (http://203.[REMOVED].6/panel/[REMOVED]en.html), which presents the form shown above. The aim is for the user to enter personal information that can then be used to commit fraud.

If we compare the two pages, the real and the fake, we see differences between them, but to a user unfamiliar with these deception methods the fraudulent scheme may well work in the attacker's favour.


As can be seen in the capture, the phishing page has two extra data fields, e-mail address and telephone number. The attacker's main objective is to collect, in a single step, all the information needed to commit fraud afterwards.

It is clear that deception and fraud techniques are on the rise and are aimed at everyone; it is therefore important that we know how to identify traps like these and avoid falling into them, especially around important dates such as Christmas, when many of us tend to shop online.
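As an added example (not part of the original post), a small Python triage script for the kind of e-mail described above: it pulls the links out of an HTML body and flags those that point at a bare IP address, are served over plain http, or are hosted outside the brand domains the message claims. The sample message, the documentation-range address 203.0.113.149 and the LEGIT_DOMAINS list are constructed assumptions.

```python
"""Triage the links in an HTML e-mail body: flag the ones that look like the
fake PostFinance link above (bare IP host, plain http, host outside the brand)."""
import ipaddress
import re
from html import unescape
from urllib.parse import urlparse

# Domains the lure claims to belong to (assumption for this example).
LEGIT_DOMAINS = {"postfinance.ch", "westernunion.com"}

# Good enough for mail bodies; a full HTML parser is the upgrade for production.
_ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _registrable(host):
    """Crude eTLD+1: the last two labels (enough for the .ch/.com brands here)."""
    return ".".join(host.lower().split(".")[-2:])


def analyse_links(html):
    """Return [(href, anchor_text, [reasons])] for links worth blocking."""
    findings = []
    for href, raw_text in _ANCHOR.findall(html):
        text = unescape(re.sub(r"<[^>]+>", "", raw_text)).strip()
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme != "https":
            reasons.append("not https")
        try:
            ipaddress.ip_address(host)
            reasons.append("host is a bare IP address")   # e.g. http://203.x.x.x/...
        except ValueError:
            if _registrable(host) not in LEGIT_DOMAINS:
                reasons.append("host outside the claimed brand domains")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample modelled on the lure above; 203.0.113.0/24 is documentation space.
SAMPLE = (
    '<p><a href="https://e-finance.postfinance.ch/">GO TO LOGIN PAGE FOR '
    'ACTIVATION (CLICK HERE)</a></p>'
    '<p><a href="http://203.0.113.149/js/default.html">CLICK HERE</a></p>'
)

if __name__ == "__main__":
    for href, text, why in analyse_links(SAMPLE):
        print(f"{text!r}: {href} -> {', '.join(why)}")
```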

UPDATE 19:30: apparently, the IP address 203.[DELETED].149 belongs to an Internet service provider in Pakistan called Supernet, whereas the second address, 203.[REMOVED].6 (where the fake site is hosted), would belong to the Ministry of Education of Thailand.

IP
203. [DELETED] 149
SuperNet NetBlockAdmin
10th Floor, Tower B,
75600 Karachi, Pakistan.

IP
203. [REMOVED] .6
MINISTRY OF EDUCATION
319 Thanon wangchankasem Ratchadamnoen-nok Dusit Bangkok
THAILAND 10300

Jorge Mieres

See more

26.12.08

Most common security breaches

A while ago I came across an interesting recent report by the company Verizon Business that describes the most common security problems of the past four years, which caused considerable information loss in enterprises.

The report shows that:
  • in 87% of cases, the problems could easily have been prevented through basic security measures,
  • in 66% of cases, companies did not know they were publishing sensitive information through their systems and websites,
  • in 39% of security breaches, the company's business partners actively participated, an issue that has multiplied since 2004.
As you can see, so far I have only mentioned three of the most important points the document exposes, but beyond that, points often dismissed as trivial are forgotten, even though they are the key for an attacker. Moreover,
  • 73% of the breaches were due to external sources,
  • 18% were caused by internal staff, what is known as the insider factor.
Given this information, we can demystify the belief that the greatest damage is caused by external attacks (73%), perhaps carried out by a guy on the other side of the world from your PC, drinking beer. Contrary to what that striking percentage may suggest, the damage from these attacks has a minimal impact.

Not so when the attack is led from within the organization: although the percentage is lower (18%), this type of attack causes more damage to the company because, in most cases, it is committed by staff with inside information who know the business and its sensitive data.

Now, after reading these points, the question that marks the turning point on this subject is: could it have been avoided? The answer is a resounding YES.

The same report states that 87% of the problems could have been prevented through basic security measures, i.e. through the implementation of reasonable safeguards designed precisely to prevent that significant 87% of problems.

Another important fact the document exposes is that 22% of the attacks occurred through the exploitation of vulnerabilities, of which over 80% were known, i.e. they were not 0-day exploits, and moreover a security patch addressing the weakness already existed.

This point in particular brings to mind the great noise being caused, for example, by the Conficker worm, with its high infection rate in just days by exploiting a vulnerability in Windows platforms fixed in security bulletin MS08-067, or the recent vulnerability in Internet Explorer resolved in MS08-078, which many trojans are actively exploiting.

It is extremely important to know that some of the basic security measures we should take into account involve implementing and/or updating the enterprise's information security policy and monitoring compliance with the measures it sets out; almost the whole solution to the security problems mentioned is concentrated here.

Knowing what data we have, where it is stored and what value each item has according to the risk plan drawn up is also an issue to consider: you cannot secure what you do not know about, or whose location you do not know.

We should try to adopt the mindset of a strategist to secure the environment, or at least to find a proper balance of security in it.

An interesting document that invites reflection on the commonly described security problems that leave an organization's most valuable asset, the information it holds, unprotected, often without knowing that it is available "to all audiences".

Jorge Mieres

See more

21.12.08

Malware for dummies

On several occasions I have read news about supposedly innovative tools of relatively recent appearance with which malicious code can be generated automatically, with no more effort than a single click. The following screenshot shows one of these applications:

In this case, the way this tool was presented to the common user reminds me of scenes from horror films, the ones that cause panic in anyone. However, I would like to share a few words to ease, for users, the feeling of fear that this type of malware can generate.

On the one hand, remembering the common stock of old viruses and early trojans, one realizes that the functionality offered by this application is not novel at all, some of it being more than a decade old, as can be found in our history of computer viruses.

Features such as disabling the registry, System Restore or the Task Manager are present in any current malware. For example, the generator shown in the picture was released in September 2007.

Perhaps what is new in this field is the ability, which current malware is incorporating, to detect virtualized environments, as shown in the following screen:

While it is true that this style of harmful application makes the automated mass creation of malware possible, especially for inexperienced users with little computer literacy, we must not let fear or paranoia stop us from enjoying the use of technology.

We simply have to be vigilant; anti-malware security solutions like NOD32 have detected these threats proactively since their launch, thanks to advanced heuristics.

Jorge Mieres for ESET Latinoamérica

http://blogs.eset-la.com/laboratorio/2008/12/12/malware-dummies-generador-virus/

See more

14.12.08

Phishing for American Express and tips

As we know, phishing is a type of crime whose main objective is to obtain sensitive information and then defraud users financially through deception, the most widespread form being the cloning of the websites of banks and financial institutions, as we see below.

With the arrival of the Christmas and New Year celebrations, these techniques will increase their rate of criminal exposure, and many alternatives will be used by those behind these moves, not only phishing but also other strategies such as spreading malware through virtual greeting cards, chain messages, spam with shopping "opportunities", and so on.

It is therefore essential to act with caution and be alert to these criminal maneuvers. In what way? Well, here I propose three basic tips.
  • Secure protocol. Verify that the page where personal information must be entered uses the secure version of the HTTP protocol (HTTPS), so we make sure the site is encrypted through the SSL (Secure Sockets Layer) protocol. This creates a secure communication channel to protect the data.
  • Embedded malicious links. E-mail is a heavily used channel for spreading threats like phishing and malware. It is common to find e-mails claiming to be from banks asking us to update our data, with links embedded in the body of the message that supposedly redirect us to a form where we enter the information. So we should never click on links or respond to requests received by mail.
  • Web site encryption. It is important that the website of the bank or financial institution, or any other that requests personal data from us, has the necessary security layers to ensure secure transmission of the information. We verify in the web browser that a digital certificate exists and that it has not expired. This way we know we are on a safe site.
So pay attention! Remember that an important part of security and prevention against this and many other types of threat lies in the human factor, i.e. in us, so we must turn to best practices that let us provide an adequate level of security.
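The first and third tips can be checked mechanically. As an added example (not from the original post), the Python below takes a URL and a certificate record in the shape Python's ssl.getpeercert() returns and reports whether the page is https, whether the certificate is within its validity period, and whether it was issued for the host in the URL; SAMPLE_CERT and the fictitious example-bank.test domain are constructed assumptions, and fetch_cert shows how to obtain a real record with the chain verified against the system CAs.

```python
"""Check a login page against the tips above: served over https, certificate still
valid, and certificate issued for the host in the URL (added example, not the blog's)."""
import socket
import ssl
import time
from urllib.parse import urlparse


def _name_matches(pattern, host):
    # Exact match, or one leading wildcard label (*.example.test)
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def check_site(url, cert, now=None):
    """Return the problems found (empty list = the tips hold); `cert` is getpeercert()-shaped."""
    now = time.time() if now is None else now
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return ["page is not served over https"]   # nothing more to verify without TLS
    host = parsed.hostname or ""
    problems = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:   # only fall back to the subject CN when there is no SAN at all
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_name_matches(n, host) for n in names):
        problems.append(f"certificate is not issued for {host}")
    return problems


def fetch_cert(host, port=443):
    """Live variant (needs network): the chain is verified against the system CAs."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host) as s:
        return s.getpeercert()


# Constructed certificate record for a fictitious bank, not a real one.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "subjectAltName": (("DNS", "www.example-bank.test"), ("DNS", "*.example-bank.test")),
    "notBefore": "Mar 10 00:00:00 2008 GMT",
    "notAfter": "Mar 10 23:59:59 2009 GMT",
}
```

Pass `now` as a Unix timestamp to evaluate a certificate at a given moment; leave it out to use the current time.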

Jorge Mieres

See more

18.11.08

Default settings: the same old story

After returning from work, I went for a stroll around the Internet so as not to lose the habit :-) and, between one page and another, I found a page with a vulnerability that is very common to find: default settings.

The point is that, by chance, I ran into a user interface for accessing a calendar created with an application called WebCalendar.



Out of curiosity, I put an "x" in each field to see the result. An error, but nothing more. Immediately after, almost by inertia, I put "admin" in each field and... guess what?


But that's not all: as expected, once in with the administration account, you have access to the whole configuration of the application and, most interesting, we can gather information about the users who are part of the calendar and a history of the events created.



Unfortunately, default settings are a recurring issue directly related to the lack of training and awareness regarding security.


Many attack tools assume that their targets are running with default settings, as we see in this case. There are also many sites that keep a database of default usernames and passwords for devices and applications.

Jorge Mieres

See more