Organic SEO Blog


Tuesday, June 12, 2012

Flame Virus Scares Microsoft

Story first appeared on CNBC.

The discovery of the Flame virus, which mainly affected computers in the Middle East, has prompted Microsoft Corp to strengthen the security of a Windows program that helps customers secure their PCs and update software.

The senior director of the Microsoft Security Response Center said in a blog post that the world's biggest software maker plans to boost security measures on the Windows Update software that is included with the operating system that runs the majority of the world's PCs.

Microsoft disclosed over the weekend that the hackers who built Flame exploited a flaw in Windows that allowed them to trick PCs into accepting their malware as a legitimate piece of software from Microsoft. The malware was then downloaded onto computers using the Microsoft Update feature.

News of the Flame virus surfaced a week ago when cyber security experts described it as one of the most sophisticated pieces of malicious software discovered to date. They are still investigating the virus, which they believe was released specifically to target computers in Iran and across the Middle East, similar to the Stuxnet worm that attacked Iran's nuclear program in 2010.

The security experts said Flame likely only infected several thousand computers and was targeted at entities that would be of interest to nations involved in espionage.

Microsoft said on its website on Sunday that it was releasing software to fix the bug using its Windows Update system. But security experts said machines infected with some advanced viruses may not benefit from that update because those viruses had disabled the Windows Update software.

That is partially what prompted the need to further boost the security of the Windows Update feature, they said.

If Microsoft is going to 'harden' the update feature, they must also prevent writers of malicious software from disabling the updating process on local computers.

Microsoft disclosed the plan to boost security of Windows Update late Monday on a Microsoft Security Response Center blog: http://blogs.technet.com/b/msrc/

Microsoft has said that it is taking the flaw in Windows seriously because the bug could be exploited by developers of less sophisticated viruses to launch more widespread attacks.

Monday, April 23, 2012

Infected PCs May Lose Internet In July

Story first appeared in USA Today.

For computer users, a few mouse clicks could mean the difference between staying online and losing Internet connections this summer.

This image provided by The DNS Changer Working Group (DCWG) shows the checkup webpage. It will only take a few clicks of the mouse. But for hundreds of thousands of computer users, those clicks could mean the difference between staying online and losing their connections this July.

Unknown to most of them, their problem began when international hackers ran an online advertising scam to take control of infected computers around the world. In a highly unusual response, the FBI set up a safety net months ago using government computers to prevent Internet disruptions for those infected users. But that system is to be shut down.

The FBI is encouraging users to visit a website run by its security partner, http://www.dcwg.org, that will inform them whether they're infected and explain how to fix the problem. After July 9, infected users won't be able to connect to the Internet.

Most victims don't even know their computers have been infected, although the malicious software probably has slowed their web surfing and disabled their antivirus software, making their machines more vulnerable to other problems.

Last November, the FBI and other authorities were preparing to take down a hacker ring that had been running an Internet ad scam on a massive network of infected computers.

The FBI started to realize that it might have a little bit of a problem on its hands, because if it simply pulled the plug on the criminal infrastructure and threw everybody in jail, the victims would be left without Internet service. The average user would open up Internet Explorer, get "page not found," and think the Internet was broken.

On the night of the arrests, the agency brought in the chairman and founder of Internet Systems Consortium to install two Internet servers to take the place of the truckload of impounded rogue servers that infected computers were using. Federal officials planned to keep their servers online until March, giving everyone an opportunity to clean their computers. But it wasn't enough time. A federal judge in New York extended the deadline until July.

Now, the full court press is on to get people to address this problem. And it's up to computer users to check their PCs.

Hackers infected a network of probably more than 570,000 computers worldwide. They took advantage of vulnerabilities in the Microsoft Windows operating system to install malicious software on the victim computers. This turned off antivirus updates and changed the way the computers resolve website addresses behind the scenes through the Internet's domain name system.

The DNS system is a network of servers that translates a web address — such as www.ap.org — into the numerical addresses that computers use. Victim computers were reprogrammed to use rogue DNS servers owned by the attackers. This allowed the attackers to redirect computers to fraudulent versions of any website.
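As an added illustration (not code from the article, the FBI or the DCWG), this is the kind of self-check the dcwg.org page performed: read the resolvers a host is configured to use and flag any that fall inside address ranges attributed to the rogue servers. The rogue ranges and the resolv.conf contents are constructed placeholders, not the published DNSChanger indicators.

```python
"""Flag configured DNS resolvers that fall inside known-rogue address ranges.
Constructed example: the ranges are placeholders, not the published list.
"""
import ipaddress
import re

# Placeholder rogue-resolver ranges (constructed; substitute the published list).
ROGUE_DNS_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")

def parse_resolvers(resolv_conf_text):
    """Return the IP addresses named on 'nameserver' lines; skip the rest."""
    resolvers = []
    for line in resolv_conf_text.splitlines():
        m = NAMESERVER_RE.match(line)
        if not m:
            continue  # comment, 'search', 'options', or blank line
        try:
            resolvers.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # hostname or garbage where an address should be
    return resolvers

def rogue_resolvers(resolvers, ranges=ROGUE_DNS_RANGES):
    """Return the resolvers inside any rogue range (v4/v6 mismatches are False)."""
    return [r for r in resolvers if any(r in net for net in ranges)]

# Constructed sample: one ordinary resolver, one inside a placeholder range.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 192.0.2.53
nameserver 198.51.100.7
nameserver not-an-address
"""

if __name__ == "__main__":
    found = parse_resolvers(SAMPLE_RESOLV_CONF)
    flagged = set(rogue_resolvers(found))
    for r in found:
        print(f"{r}: {'ROGUE RANGE' if r in flagged else 'ok'}")
```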

The hackers earned profits from advertisements that appeared on websites that victims were tricked into visiting. The scam netted the hackers at least $14 million, according to the FBI. It also made thousands of computers reliant on the rogue servers for their Internet browsing.

When the FBI and others arrested six Estonians last November, the agency replaced the rogue servers with clean ones. Installing and running the two substitute servers for eight months is costing the federal government about $87,000.

The number of victims is hard to pinpoint, but the FBI believes that on the day of the arrests, at least 568,000 unique Internet addresses were using the rogue servers. Five months later, the FBI estimates that the number is down to at least 360,000. The U.S. has the most, about 85,000, federal authorities said. Other countries with more than 20,000 each include Italy, India, England and Germany. Smaller numbers are online in Spain, France, Canada, China and Mexico.

Most of the victims are probably individual home users, rather than corporations that have technology staffs who routinely check the computers. Many corporations use managed IT services that provide quality control and security solutions to avoid situations such as these.

FBI officials said they organized an unusual system to avoid any appearance of government intrusion into the Internet or private computers. And while this is the first time the FBI used it, it won't be the last.

Until there is a change in the legal system, both inside and outside the United States, to get up to speed with the cyber problem, the FBI will have to go down these paths, trail-blazing if you will, on these types of investigations.

Now, every time the agency gets near the end of a cyber case, they get to the point where they say, "How are we going to do this? How are we going to clean the system without creating a bigger mess than before?"

Monday, October 04, 2010

Ukraine Arrests Five Members of Botnet Ring

PC Mag

 
The Security Service of the Ukraine (SBU), in conjunction with the U.S. Federal Bureau of Investigation said Friday that the Ukrainian agency had detained five people of interest in a worldwide cybercrime investigation tied to the "Zeus" bot.

On Thursday, the New York Attorney General charged 37 defendants in 21 different cases. The criminals allegedly used the Zeus trojan to make off with $3 million in stolen funds.

The FBI said Friday, however, that the Zeus cybercriminal ring resulted in the attempted theft of $220 million, with actual losses of $70 million from victims' bank accounts. The FBI's investigation, code-named Operation Trident Breach, began in May 2009 and involved law enforcement agencies from the Ukraine, the Netherlands, and the U.K., among others.

"No one country, no one company, and no one agency can stop cybercrime," said FBI Director Robert S. Mueller, III, in a statement. "The only way to do that is by standing together. For ultimately, we all face the same threat. Together, the FBI and its international partners can and will find better ways to safeguard our systems, minimize these attacks, and stop those who would do us harm."

The FBI did not announce any arrests. However, Ukraine's SBU detained five individuals who were "key subjects responsible for this overarching scheme," the FBI said. Additionally, the SBU served eight search warrants.

The Zeus trojan was actually advertised beginning late in 2009, with an entire YouTube channel devoted to explaining how the malware worked. In March, disconnecting the troyak.org domain in Kazakhstan crippled the Zeus attacks. But one of the popular methods of spreading Zeus has been via a fake LinkedIn email, which loads the Zeus malware via a drive-by download.

Friday, February 19, 2010

Hackers Find New Paths Through Facebook And Social Media
Reuters

A new type of computer virus is known to have breached almost 75,000 computers in 2,500 organizations around the world, including user accounts of popular social network websites, according to Internet security firm NetWitness.

The latest virus -- known as "Kneber botnet" -- gathers login credentials to online financial systems, social networking sites and email systems from infected computers and reports the information back to hackers, NetWitness said in a statement.

A botnet is an army of infected computers that hackers can control from a central machine.

The company said the attack was first discovered in January during a routine deployment of NetWitness software.

Further investigation by the Herndon, Virginia-based software security firm revealed that many commercial and government systems were compromised, including 68,000 corporate login credentials and access to email systems, online banking sites, Yahoo, Hotmail and social networks such as Facebook.

"Conventional malware protection and signature-based intrusion detection systems are, by definition, inadequate for addressing Kneber or most other advanced threats," Chief Executive Amit Yoran said in a statement.

Friday, May 15, 2009

Rapidly Spreading 'Gumblar' Attack Redirects Users' Web Searches
Malware scripts morph from site to site, and even from page to page, within the same site, ScanSafe researchers say

By Tim Wilson, DarkReading, May 14, 2009

A Web-borne malware attack that redirects users' Internet searches is growing "exponentially," and has already infected more than 2,300 Websites, researchers said today.

Researchers at security company ScanSafe are warning users about an emerging series of Website compromises, collectively dubbed "Gumblar," which are spreading at a rapid rate. In the past week, Gumblar site compromises have grown at a rate of 188 percent, making it one of the fastest-growing infections on the Web, ScanSafe says.

"It should be waning by now, but it isn't," says Mary Landesman, senior security researcher at ScanSafe. "It just keeps spreading."

Gumblar, which has been spotted on popular sites such as Tennis.com, Variety.com, and Coldwellbanker.com, is believed to be growing rapidly due to its unique combination of characteristics. The malware resulting from Gumblar forcibly redirects search page results to sites other than those users expect. Many of these pages are imitations of the Websites users actually intended to visit.

"For example, if a user is trying to visit Tennis.com via Google, they may be directed to a fraudulent site designed to look like Tennis.com, where a backdoor Trojan will be immediately downloaded," ScanSafe reports. "The Trojan could then allow cybercriminals control of the victim's computer, leading to a myriad of security issues, including personal data theft and stolen FTP credentials. Once cybercriminals are in possession of a victim's FTP credentials, any sites that victim manages can also be targeted for compromise -- a common malware propagation tactic."

One of Gumblar's exploits is to launch a "man-in-the-browser attack," in which the downloaded malware monitors all traffic to and from the browser, Landesman says. From this position, the malware can selectively swap out links in search results, effectively fooling the user into going to an unintended site.

Landesman speculates that Gumblar might be operating as a "botnet for hire," achieving different ends for different "clients." In many cases, the attack seems to be facilitating click fraud, in which the criminal simply redirects Web traffic to a fraud site in order to collect page views and advertising revenue. In other cases, Gumblar is routing users to malicious sites that might load additional malware onto the user's machine.

"A third potential exploit, which we haven't seen yet, is to redirect users from e-commerce or banking sites for the purpose of fraud, like a traditional phishing attack," Landesman says.

Gumblar is difficult to detect because its scripts vary from site to site, and even from page to page, Landesman says. "The cybercriminals responsible for Gumblar have learned to morph its features quickly," Landesman says. "This, coupled with Gumblar's other dynamic characteristics, is allowing the compromise to disseminate more rapidly than others we've seen."

The rapidly changing nature of the attack also makes it difficult for traditional signature detection or blacklisting tools to block, Landesman says. "If you were an individual user, I'd just tell you to disable JavaScript," she says. "But that's not possible for most businesses to do."

ScanSafe is attacking the problem via Web filtering, essentially preventing the user from going to the Gumblar sites and being infected in the first place, Landesman says. "Prevention is really the only workable defense because once you've been infected and your FTP credentials have been stolen, the criminal can modify passwords and make it difficult for you to get control back," she says.

The Gumblar Website, which dishes out the malware, is going to be difficult to find and bring down, Landesman says. While the site itself has a Chinese registry (Gumblar.cn), its source IP addresses have been traced to Latvia and Russia, and its servers are located in the U.K. "The criminals are doing a really good job of hiding their actual location," she says.

ScanSafe has posted blogs on its Website that describe the malware and its potential effects on enterprises and end users. The company will continue to post updates as the attack spreads, Landesman says.