NEWS ...Continued from front page

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom. Fax: +44 (0)1865 843973. Web: www.networksecuritynewsletter.com
Publisher: Laurence Zipson, E-mail: [email protected]
Editor: Danny Bradbury, E-mail: [email protected]
Senior Editor: Sarah Gordon
International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Production Support Manager: Lin Lucas, E-mail: [email protected]

Subscription Information: An annual subscription to Network Security includes 12 printed issues and online access for up to 5 users. Prices: 1059 for all European countries & Iran; US$1185 for all countries except Europe and Japan; ¥140 500 for Japan (prices valid until 31 December 2010). To subscribe, send payment to the address above. Tel: +44 (0)1865 843687 / Fax: +44 (0)1865 834971. Email: [email protected], or via www.networksecuritynewsletter.com. Subscriptions run for 12 months from the date payment is received. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster: send all USA address corrections to Network Security, 365 Blair Road, Avenel, NJ 07001, USA.

Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, email: [email protected]. You may also contact Global Rights directly through Elsevier's home page (www.elsevier.com), selecting first 'Support & contact', then 'Copyright & permission'. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; tel: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works: Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage: Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above.

Notice: No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

02158 Pre-press/Printed by Mayfield Press (Oxford) Limited
Network Security
fact that it is an open file format, making it easier to attack multiple software plug-ins and readers. "There are more applications out there that are capable of rendering PDFs, whereas it used to be just an Adobe product," he said. The news came hot on the heels of new attacks using what researchers said was a fundamental flaw in the design of the PDF format. The attack, which spreads the Zeus botnet, uses a malicious PDF file with an embedded command that asks users to open another file when the PDF is viewed. The attached PDF file asks you to save a PDF file called Royal_Mail_Delivery_Notice.pdf. This file is actually a Windows executable that installs the Zeus Trojan. The attack used a flaw discovered by researcher Didier Stevens that enabled attackers to use the Launch function within the PDF specification to exploit a fully patched copy of Adobe Reader. Stevens showed how alterations to the dialog boxes presented by Adobe Reader could be used in conjunction with a social engineering attack to persuade users to let a PDF file launch an executable program.
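As an added triage example (not from the article or from Didier Stevens' own tools), the scanner below flags PDFs that carry a /Launch action, especially one wired to /OpenAction or /AA so it fires as soon as the file is opened. It also undoes the #xx hex escaping that the PDF name syntax allows, since "/#4Caunch" is the same name as "/Launch" and defeats naive string matching. The two PDFs are hand-constructed test inputs with a placeholder file name, not real samples.

```python
import re

# Constructed test inputs (not real malware samples). The first has an
# /OpenAction pointing at a /Launch action whose name is hex-escaped
# ("/#4Caunch" == "/Launch"); the target file name is a placeholder.
LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /#4Caunch /F (PLACEHOLDER.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF names may hex-escape any byte as #xx; undo that before scanning.
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
# Names worth counting: the Launch action itself plus automatic triggers.
SUSPICIOUS_NAMES = [b"/Launch", b"/OpenAction", b"/AA",
                    b"/JavaScript", b"/JS", b"/EmbeddedFile"]


def normalise_names(data: bytes) -> bytes:
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious names and pull the /F target of any /Launch action."""
    norm = normalise_names(data)
    hits = {}
    for name in SUSPICIOUS_NAMES:
        # Negative lookahead so "/JS" does not also match "/JSxyz".
        pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
        hits[name.decode()] = len(re.findall(pattern, norm))
    # The launched file is the /F entry inside the same action dictionary.
    targets = [t.decode(errors="replace") for t in
               re.findall(rb"/Launch\b[^>]*?/F\s*\(([^)]*)\)", norm)]
    auto_launch = hits["/Launch"] > 0 and (hits["/OpenAction"] > 0 or hits["/AA"] > 0)
    return {"hits": hits, "launch_targets": targets,
            "auto_launch": auto_launch, "suspicious": any(hits.values())}


if __name__ == "__main__":
    for label, pdf in (("launch", LAUNCH_PDF), ("benign", BENIGN_PDF)):
        print(label, scan_pdf(pdf))
```

A flat byte scan like this misses actions stored inside compressed object streams, so it is a first-pass filter, not a substitute for a full PDF parser.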
Extortion malware scares file sharers with fake copyright messages

Anti-malware researchers have reported an extortion scam designed to scare users into giving their credit card information to a phishing site. The malware, which Avira identifies as TR/Ransom.CardPay.A, uses an interesting variation on the scareware tactic commonly employed by rogue antivirus vendors to shock people into paying for fake antivirus tools. This software searches for Torrent files on the victim's computer. A Torrent file is a small file used to point a BitTorrent client to a Tracker server, which then directs it to other clients hosting pieces of large files. Torrent networks are commonly used to distribute large files such as long videos, software packages, and disk images, many of which could represent copyrighted content. Even if no Torrent files are found on the victim's machine, it still displays a warning purporting to be from the ICPP Foundation, a fake law firm supposedly assisting intellectual property rights holders to enforce their copyright. The message invites victims to pay an out-of-court settlement to avoid a lawsuit, taking them to a web page (now down) which asks them to enter their credit card details. "The site is forged and it clearly serves only to collect credit card data, which is meant to be profitably sold to the criminal underground," Avira said. The introductory text used on the now-defunct fake site was stolen from the web site of a real legal firm called ACS:Law. According to an analysis by F-Secure, the domain for the site was registered to an email address seen before in various other domains connected to the Zeus and Koobface botnets. F-Secure detected two pieces of malware using this extortion technique and linking to the website. At the time of writing, VirusTotal suggested that only 75% of anti-malware tools caught those malware strains, indicating that even though the webpage was only up for a few days, it is likely to have been highly effective.
PAC attack redirects browsers to malicious sites using proxy hack

Brazilian malware writers are making use of a long-available feature within most modern browsers to launch attacks that redirect victims to malicious websites without their knowledge. The feature, known as proxy auto config, is turning up in banking trojans, according to researchers from Kaspersky. Proxy auto config (PAC) is a feature accepted by all modern browsers, according to Fabio Assolini, a lab expert at Kaspersky. It contains a function to redirect browsers to a specific proxy server. A proxy server is a computer that accesses the Internet on a computer user's behalf, and feeds it the results. Continued on page 20...
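The following is an added triage example, not code from the article or from Kaspersky: it inspects a PAC script's FindProxyForURL function and flags the selective pattern described above, where only hosts matching chosen patterns are sent through a proxy while everything else goes DIRECT. The PAC text is constructed for the example, the proxy address is a documentation (TEST-NET) address, and the host check approximates the PAC matching functions rather than executing the JavaScript.

```python
import re
from fnmatch import fnmatch

# Constructed sample PAC script (not a real captured file): only hosts
# matching the bank-like patterns go through a proxy; the rest go DIRECT.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, "bank.example") || shExpMatch(host, "*.bank.example"))
    return "PROXY 198.51.100.7:8080";
  return "DIRECT";
}
"""

# return "PROXY host:port" / "SOCKS host:port" statements.
_PROXY_RET = re.compile(r'return\s*"\s*(PROXY|SOCKS\d?)\s+([^"\s;]+)')
# Host-selection calls of the form fn(host, "pattern").
_HOST_COND = re.compile(
    r'(dnsDomainIs|shExpMatch|localHostOrDomainIs)\s*\(\s*host\s*,\s*"([^"]+)"')


def inspect_pac(script: str) -> dict:
    """Summarise which proxies a PAC names and which host patterns select them."""
    proxies = sorted({m.group(2) for m in _PROXY_RET.finditer(script)})
    patterns = [m.group(2) for m in _HOST_COND.finditer(script)]
    has_direct = bool(re.search(r'return\s*"DIRECT"', script))
    # Selective: a proxy exists, a DIRECT fallback exists, and the proxy is
    # gated on specific hosts rather than applied to all traffic.
    selective = bool(proxies) and has_direct and bool(patterns)
    return {"proxies": proxies, "host_patterns": patterns, "selective": selective}


def host_is_redirected(script: str, host: str) -> bool:
    """Approximate: does any host condition in the script match this host?

    Ignores the surrounding boolean logic, so treat a True as 'worth a look'.
    """
    for fn, pat in _HOST_COND.findall(script):
        if fn == "shExpMatch" and fnmatch(host, pat):
            return True
        if fn in ("dnsDomainIs", "localHostOrDomainIs") and host.endswith(pat):
            return True
    return False


if __name__ == "__main__":
    print(inspect_pac(SAMPLE_PAC))
    print(host_is_redirected(SAMPLE_PAC, "login.bank.example"))
```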
April 2010