AVG Blogs | Karel Obluk

Some police officers in Manchester apparently had a bad day - according to this article. Details are not available (if you have any, please, let me know!) but it looks like the most typical attack vector was used - human error. Somebody inserted an infected USB stick (flash memory) into a computer that apparently did not have any anti-virus installed. Or maybe there was some antivirus but it was not updated? Anyway, as you can see, having an anti-virus product really is a must, even if you are not visiting dangerous or illegal web sites and only use legitimate software. 

Yes, of course AVG blocks all the known Conficker variants and the latest version AVG 9 even has an option to scan USB devices automatically as they are connected to the PC. Sorry, I just could not resist that one ;)

Share | |

I am not a big Facebook fan myself even though I have a profile myself and use it from time to time. But I do not follow it on a regular basis and do not use all the fancy applications that you can install and have so much fun with. However, I know many people who spend on FB lots of time and install pretty much anything that others recommend and this story is especially for them. Before I start, let me say a big thank you to my colleague Nick Fitzgerald, who collected all the information and is actually the real author of this post ;)

Bill Brenner, editor of CSO magazine, advised that someone was using his name to lure Facebook users to "infect" (his word) their machines with something that would then send notifications to others of new wall posts. This was reputedly all with the aim of getting many Facebookers to accept an app and add it to their profile. Here's a screenshot of Bill's message:

 

Investigating this our analysts did not find any strong evidence of worm-like or viral functionality, but the number of people installing - sorry, "accepting" - the app at the heart of this was increasing rapidly until Facebook security disabled or blocked access to it.

Fortunately, Facebook has disabled the app - if you try to visit a link to it now, instead of the "accept" page you will see:



However, visiting a link from a notification of the kind Bill mentioned or spread through some other means (we reiterate, we saw no evidence that the actual Facebook app at the heart of this was directly involved in generating such messages) would result in Facebook asking you to confirm your acceptance of the app, similar to this:


 
Note that this app was called "News Feed". If you accepted this News Feed app, you were directed to a page with a weird animated GIF that looked (frozen at one frame of the GIF) something like this:



Then, if you checked your Facebook application settings you would see something like:



If you clicked the "Edit Settings" link in the above screenshot, you'd have seen that News Feed was specifically asking for permission to post to your wall. Perhaps the authors of this app expected people to shrug off the ugly, annoying web page it redirected to and hoped that they would forget that they had accepted the app and given it wall-posting rights. This could make a handy "spam tool" for the app's author's in future.

Many people actually don't realize that a Facebook application can be malicious, too. Note one of the responses to the original Bill's post - Ann thinks that she is safe because she has a Mac. Unfortunately for Ann and many others with Mac or Linux (or other systems), this is not necessarily true. Facebook applications are portable, they support all the different systems, including Mac, and once installed, they can obtain access to your profile data. Fortunately, Facebook takes security very seriously and the user has control over what data can an application access. However, social engineering is a powerful weapon and many people fall into traps like the one above. So next time you install a new Facebook application, be careful about where it comes from and what permissions do you grant to it.

Share | |

Nothing new, unfortunately, very typical in this world - whenever there is a major disaster, some human hyenas appear, sending scam, trying to trick people. Fake charity sites, infected pages with reports on the disaster, all these start appearing automatically, within hours or days. 

Haiti earthquake was not an exception. So it's good to see that not only security vendors are trying to protect users but also legal authorities became active. If you happen to live in the US, the FBI and the National Center for Disaster Fraud together established a hotline and a dedicated e-mail address to report suspected Haitian earthquake relief fraud. The number is (866) 720-5721 and is staffed by a live operator 24 hours a day. You can also e-mail the info to disaster@leo.gov. 

You can find more info at http://www.ic3.gov/media/2010/100118.aspx. 

Excellent activity, would be great to see other law enforcements follow this example!

P.S. Read more about Haiti earthquake scams in Nick Fitzgerald's blog

Share | |

For some of you, the name Aurora might sound familiar in a context that is not necessarily related to security. It was a cruiser, a Russian one and a gunshot from this cruiser (is said to) start the Great October revolution in Russia back in 1917, causing lots of trouble to many many people all around the world. But recently, you might have heard about Aurora related to China, Google or Internet Explorer.

A sophisticated exploit was created and used to misuse a bug in Internet Explorer. Using this exploit, the attackers were able to infect machines in some really large and otherwise well secured networks, such as Google, Juniper, Adobe and others. The exploit was code-named 'Aurora' and was a typical example of a 0-day exploit attacking systems that could not have a patch for it - it was misused as soon as it has been discovered, giving the vendor no chance to fix the bug. It was sufficient for some users with Internet Explorer to just visit a web page and their systems immediately got infected, no need to download anything or go to suspicious sites. That just illustrates the need for protection against web threats. The malware that was distributed using this attack actually was detected very soon by AV vendors, too (including AVG, of course); however, it is clearly better to block the whole attack vector. Which leads me again to LinkScanner and the advantages of it :)

I am pretty sure that Roger will be posting more details and more info on his blog. And maybe he will also include some thoughts about targeted attacks, where they can come from and how difficult it is even for an experienced user to protect against them without the right tools. So come back and check his blog. And remember that your comments and opinion are more than welcome

Share | |

As you probably can guess, I travel a lot. I even have to stay in hotels in the Czech republic, and that is not such a big country. So tonight I arrived in Prague (have you all been to Prague? if not, you should come, such a beautiful city!), decent hotel, not too late in the evening so still time to reply to all the e-mails that reached my inbox in the last three hours. I connected, fired up my VPN, sorted company e-mails and just to close my day, I opened my private mail boxes, too. And here the fun begins.

The minute I wanted to reply to one of the private e-mails, strange things started happening. A dialog like the one below appeared on my screen (the highlights are by me ;) )

 

Can you see the difference? What happened? Why is this? A bit of background first

As a security person, I am a bit paranoid, so all my e-mail accounts connect through secure connections - SSL. The SSL connection means that all the traffic with your e-mail server is encrypted. You can set that up for most e-mail providers and usually, this is a separate setting for incoming and outgoing e-mail. For incoming e-mails, if SSL is used, the connection simply must go to the original, legitimate server, or you will not connect to your mailbox. If, for example, somebody redirects my IMAP connection to another server, it will never download my e-mail. If, however, I am trying to send e-mails, any SMTP server can do that! And that is exactly what was happening here! And not just for GMAIL - as you can see below, other SSL outgoing e-mail connections got hijacked as well!

So what is going on again? When I try to connect to my e-mail server to send e-mail, the ISP redirected my connection to their server! And instead of connecting to smtp.gmail.com or smtp.me.com, the secured connection went to some mikenopa.com mail server. And the server is pretending to be gmail.com or me.com mail server! So my e-mail client was trying to establish a secure, encrypted session with me.com or gmail but instead, the encryption ends at mikenopa.com. Yes, mikenope.com will most likely deliver my e-mail to the addressee, but that server will see the full content of my e-mail! And that also means my e-mail address and the e-mail of all recipient!

Obviously, I have not confirmed the certificate exception and did not connect to any of the servers. My friends can wait for my reply until I get to a more secure location, that does not redirect SSL connections. I do not want to expose my or their addresses to spam harvesters or other suspicious systems. And I bet that you do not want that either! So next time you are in a hotel or some other public place and your e-mail client prompts you with some strange message about certificates - I recommend that you do not connect. And maybe let the Internet provide know? I will...

Have a very happy and secure 2010!

Share | |

Koobface Gang wishing Merry Christmas on their website - with a big thank you to Dancho Danchev for 'analyzing their software' and his dedication to taking down their command and control centers... Now that is irony. Of course, they claim that they have never stolen or misused any personal data or credit card info! If only that was true, that would be a nice Christmas present! :)

Share | |