CloudAV

A few media sources seem to be picking up a press release from the University of Michigan.

http://www.ns.umich.edu/htdocs/releases/story.php?id=6666

This reports on “CloudAV,” a project and series of papers about having antivirus detection run “in the cloud” rather than on the PC.

http://www.eecs.umich.edu/fjgroup/cloudav/

As usual, there seems to be some misunderstanding about what is going on here. CloudAV is not really a new approach; it is simply the use of multiple scanners, which the AV research community has advocated for years. It’s like having a bunch of scanners installed on your desktop, or a system like Virustotal, with the exception that the scanners run on different computers, so you get a bit of a performance advantage (absent the bandwidth lag/drain of submitting files to multiple systems).
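The multi-scanner idea described above, as an added example that is not part of the original post or of the CloudAV project: a file is fanned out to several engines in parallel, a verdict is reached by a k-of-n threshold, and results are cached by SHA-256 so a file the service has already seen is answered by hash alone, without resubmitting its bytes. The three engines are constructed stand-ins, not real scanners.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Optional

# An "engine" is any callable taking file bytes and returning a detection
# name, or None when clean. These three are constructed stand-ins for real
# scanners (assumption of the example); they key on a marker substring.
def engine_a(data: bytes) -> Optional[str]:
    return "EICAR-Test-File" if b"EICAR" in data else None

def engine_b(data: bytes) -> Optional[str]:
    return "Test.Sample" if b"EICAR" in data else None

def engine_c(data: bytes) -> Optional[str]:
    return None  # an engine with no signature for the sample

class NVersionScanner:
    """Fan a file out to several engines and decide by a k-of-n threshold.

    Results are cached by SHA-256, so a file already seen by the service is
    answered from the hash without sending its bytes to every engine again.
    """

    def __init__(self, engines: Dict[str, Callable[[bytes], Optional[str]]], threshold: int):
        if not 1 <= threshold <= len(engines):
            raise ValueError("threshold must be between 1 and the number of engines")
        self.engines = engines
        self.threshold = threshold
        self.cache: Dict[str, dict] = {}

    def scan(self, data: bytes) -> dict:
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.cache:                 # hash-only lookup: no bytes resubmitted
            return dict(self.cache[digest], cached=True)
        # Query every engine concurrently; each runs on its own worker.
        with ThreadPoolExecutor(max_workers=len(self.engines)) as pool:
            futures = {name: pool.submit(fn, data) for name, fn in self.engines.items()}
            verdicts = {name: fut.result() for name, fut in futures.items()}
        hits = {name: v for name, v in verdicts.items() if v is not None}
        result = {
            "sha256": digest,
            "detections": hits,
            "malicious": len(hits) >= self.threshold,   # k-of-n consensus
            "cached": False,
        }
        self.cache[digest] = result
        return result
```

Raising the threshold trades missed detections for fewer single-engine false positives, which is the tuning decision a multi-scanner deployment has to make.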


Facebook worm - and how long we have to wait for AV protection

The so-called Koobface case was covered quite widely in the IT news, but security mailing lists received the information on Thursday 7th August.

Kaspersky Lab reported the existence of the worm on 31st July. Hey, that’s more than a week ago, but it took several days until anti-virus protection became noticeable.

Notable anti-virus vendors have the following detections now:
(listed in alphabetical order)

McAfee – W32/Koobface.worm
BitDefender – Win32.Worm.KoobFace.A
Kaspersky Lab – Net-Worm.Win32.Koobface.b
Panda Security – Boface.A [Technical name: W32/Boface.A.worm]
Sunbelt Software – Net-Worm.Win32.Koobface.b
Sophos – detected proactively as Mal/Heuri-D, Mal/Heuri-E, Mal/Emogen-N and Mal/Packer
Symantec – W32.Koobface.A

There is no write-up available from F-Secure, Norman, Trend Micro etc. yet.

The AV industry knows the alias KoobFace too.

The size of the worm is 16 384-16 652 bytes. It is written in Visual C++ 6.0 and packed with UPX and Upack.
The second piece of malware, attacking Facebook users since 7th Aug, is a Trojan horse (Sophos uses the name Troj/Dloadr-BPL), spreading as Google video links posted to the Wall, and is a separate issue.

Keep this in mind if you don’t see a detailed write-up from your own AV vendor later today: it’s DEFCON weekend, and Facebook has already started blocking these from its side.

But the protection - that’s what we need, with a delay of less than 4 or 5 days.


Oooh! Scary! (and also wrong …)

You wanna know why I’m pedantic about malware terminology?

“United Kingdom banks and other financial institutions are being warned to be extra vigilant following the release on the internet of a new so-called “PC super bug” designed to steal online banking log-on details on an unprecedented scale. Cyber criminals have let loose a virus called Limbo 2 Trojan, which, according to security experts, is an extremely nasty bug developed specifically to worm its way into finance websites in order to cause maximum damage.”

So far, aside from the rather ill-defined reference to a “PC super bug,” I don’t have all that much of a problem. A trojan could be designed to “worm” its way into the system.

“Security firm Prevx said the difference this time is that the new bug has been developed specifically to evade the vast majority of anti-virus computer systems. Such systems are devised by global IT security firms including McAfee, Symantec, and AVG. Finance houses all over the world rely on them to provide adequate protection.”

Hmmm. What we have heah, is a failyuh to c’mmunicate that we are trying to badmouth our competition.

“It is estimated that a single data breach can cost a big firm more than £3m to rectify.”

Ooooh, scary.

“Prevx reported that the Trojan bug features a changeable shell with a pliable cloak coming in many guises and variants to try to fool security systems and slip past conventional signature-based anti-virus detection.”

Can you say “polymorphic”? Can you say that we’ve already dealt with polymorphs, as far back as 1987? Can you say that trojans, because they are non-replicative, don’t use polymorphism because they don’t copy themselves? (Argh.)

“This involves illegal technology that generates fake information boxes on a compromised computer, asking the user to enter more information than usual. While this is happening, passwords, credit card information and other personal details are transmitted to the malware’s criminal operator to then exploit financially.”

Gee, sounds like phishing.

http://business.scotsman.com/bankinginsurance/Banks-warned-of-computer-39super.4328710.jp

Let the reader beware of a) vendor press releases, and b) newspapers that uncritically print vendor press releases as news.


Word Viewer - it can be your workaround in the latest Word 0-day case

In many of the Word 0-day vulnerabilities covered by SecuriTeam Blogs, the Word Viewer utility has been included among the affected products.

This week the situation is different, however.

Regarding the most recent MS Word vulnerability, Word Viewer 2003 and Word Viewer 2003 Service Pack 3 are not vulnerable (Microsoft’s advisory here). The Word Viewer 2003 SP3 KB document is here, in turn.
To readers not familiar with these cases: normally these vulnerabilities are reported in connection with targeted attacks via e-mail. References are listed here: CVE-2008-2244. This particular case is known as the so-called attachement.doc case. Trojan malware related to this case is from the MSWord.Agent.cq series.

There are connections to the Beijing Olympics too, in the form of attend_the_opening_ceremony_of_the_29th_olympic_games_in_beijin.doc files.

A fix for this vulnerability is not expected before August’s Black Tuesday. The most important question is: how to implement the use of Word Viewer in your organization.


State of targeted attacks - criminals exploiting Excel vuln for two months

It’s time to look at the recent state of targeted attacks. As we already know, the main attack vector in these attacks is a Microsoft Office attachment. There are not many organizations that can simply filter .DOC, .XLS and .PPT files.
In mid-January Microsoft confirmed that a new, previously unknown Excel vulnerability was being used in targeted attacks. On Monday this week US-CERT issued a warning about a new wave of exploitation. This extremely critical vulnerability, rated ‘10.0’ by the CVSS meter BTW, was known as the header information code execution vulnerability.
The fix is included in today’s Excel Bulletin MS08-014. However, Microsoft now says the following:

What causes the vulnerability?

Microsoft Excel does not properly validate macro information when loading specially crafted Excel files.

In January we had only very small pieces of information related to this vulnerability and the Trojan exploiting it.

Information about the characteristics of these targeted attacks can be read in my FAQ documents.


MBR rootkit - here are some references

Prevx Blog has a good write-up located at prevx.com/blog/75/Master-Boot-Record-Rootkit…

SANS Internet Storm Center has released an interesting timeline story - link here.

From the post, based on Verisign iDefense data:

….

  • Oct. 30, 2007 - Original version of MBR rootkit written and tested by attackers
  • Dec. 12, 2007 – First known attacks installing MBR code; about 1,800 users infected in four days.

McAfee detects the Trojan as StealthMBR (DAT 5204 or above) and Symantec as Trojan.Mebroot. Sophos uses the name Troj/Mbroot-A, in turn. Names like Trojan.Win32.Agent.dsj and TROJ_AGENT.APA have been assigned too.

10th Jan: Trend Micro uses the name TROJ_SINOWAL.AD
12th Jan: Symantec sees the infected MBR as Boot.Mebroot. McAfee uses the name StealthMBR!rootkit too.


Facebook’s My Admirer is gone - and was there spyware at all?

The My Admirer application (previously known as Secret Crush) has now been removed from Facebook. The installation process was canceled during the weekend, but now it is finally gone.

Fortinet reported the Zango spyware installation related to this application last week. The issue was described in this SecuriTeam post.

The response from Zango Inc. is interesting to read - link to the Zango blog here.

From the post:

At no point in adding the Secret Crush widget to a Facebook profile does the widget install either spyware or Zango software, or even attempt to do so. Any suggestion that Zango software is being “secretly installed” is simply not true.

It appears that there was no automatic installation of spyware at all.


My name is Zango, I am spyware and I found Facebook applications

The first spyware spreading via a Facebook application has been discovered. Security company Fortinet reports that an application called Secret Crush is installing Zango (aka AdWare.Win32.180Solution) via an iframe, technically from ZangoCash.com.

In short, this is the spreading mechanism:

In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using “Secret Crush” (this happens frequently with Facebook’s Platform Application). [Figure 2] exhibits the social engineering speech employed by the malicious widget to get the user to install it.

The text included in the request entry is “One of Your Friends Might Have a Crush on You!”. Additionally, the buttons are ‘Find Out Who!’ and the typical ‘Ignore’.
It appears that Secret Crush is no longer included in the Facebook Application Directory (no log-in needed). Reportedly the FortiGuard Team has informed Facebook, and the application has probably been disabled already.

Update 4th Jan: The application mentioned is located here (renamed to My Admirer), is still accessible and has “50,708 daily active users i.e. 4% of total”.

The exact number of affected users is not available.


Orkut virus/worm on the loose

An Orkut-based virus/worm appears to be on the loose; it propagates by posting notes in people’s scrapbooks. So chances are that if you got a new scrapbook item on your long-unused Orkut account, it is because the worm has infected one of your friends there.

The virus/worm uses JavaScript code to propagate. The source of it can be found here: hxxp://files.myopera.com/virusdoorkut/files/virus.js
Update: Google apparently is actively deleting items from the scrapbooks of people who were infected and who have infected others.

Update 2: More details can be found here: http://antrix.net/journal/techtalk/orkut_xss.html


Pushdo analysis

Joe has a nice write-up on the inner workings of the Pushdo Trojan.

Pushdo is interesting since it was written for “future use”, i.e. it updates itself to obey its master’s latest needs and requests. It also has intelligence-collecting routines and in general shows how sophisticated the bad guys are getting.


13-year old MBR virus - and shipped with Medion laptops

The German company Medion has confirmed that it has shipped laptops containing an MBR virus that has been public since 1994.

According to Sunbelt the virus is Stoned.Angelina.

Symantec write-up here and F-Secure write-up here (the same name in use).
It appears that the affected model is the Medion MD 96290 notebook. Link to the vendor’s FAQ page (in German):
www.medion.de/?service_~u~_support/allgemeine_FAQs.html

Please check the entry ‘Wichtige Produktinformation zum Notebook MD 96290’.

Update: Or the following permalink www.medion.de/popup_md96290.htm

The number of infected laptops, and how the master boot record virus found its way onto brand new machines (without a floppy drive, I believe), is not known.
But this is not the first time.

Exactly two years ago Creative shipped several thousand Zen Neeon MP3 players containing the Windows worm Wullik.B.

And back in 1995 (from F-Secure’s Angelina description):

In October 1995 [Stoned.Angelina] was found on new Seagate 5850 (850 MB) IDE hard disks.

Update #2: There is no floppy drive included.
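Both the MBR rootkit post above and this Stoned.Angelina case involve malicious code living in the first sector of the disk, where it replaces the boot code but leaves the partition table intact so the machine still boots. The following is an added example, not from either original post: a Python parser for a 512-byte MBR that hashes the boot-code area, decodes the partition table and compares the boot code against a recorded baseline. The sample MBRs are constructed for the demo; on a real machine the input would be the first 512 bytes of the raw disk.

```python
import hashlib
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446          # boot code occupies bytes 0..445, then 4 x 16-byte entries
SIGNATURE = b"\x55\xaa"     # boot signature at bytes 510..511
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR for the demo (not a real disk image): the given
    boot code, one bootable NTFS partition starting at LBA 63, three empty slots."""
    code = boot_code.ljust(TABLE_OFFSET, b"\x00")[:TABLE_OFFSET]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
    return code + entry + b"\x00" * 48 + SIGNATURE

def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into a boot-code hash and the decoded partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if mbr[510:] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _chs1, ptype, _chs2, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype:                       # partition type 0 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:TABLE_OFFSET]).hexdigest(),
            "partitions": parts}

def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches its baseline."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is marked bootable")
    return findings

if __name__ == "__main__":
    # Realistic input: open("/dev/sda", "rb").read(512) on Linux (needs root),
    # or the raw device \\.\PhysicalDrive0 on Windows.
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")           # constructed "known good" code
    baseline = parse_mbr(clean)["boot_code_sha256"]             # record this while the disk is trusted
    print(check_mbr(clean, baseline))                           # []
    infected = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 100)    # boot code swapped, table untouched
    print(check_mbr(infected, baseline))                        # ['boot code differs from recorded baseline']
```

The baseline hash must be recorded from a known-clean state and stored off the machine, since code running under a boot-sector rootkit cannot trust what it reads back from the disk.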


Bank of India: We’re back - with pop-ups

The Web site of Bank of India is up and working again after the very serious attack last week.

From the pop-up generated by
www.bankofindia.com/home/startpage.asp

SITE HAS BEEN RESTORED AFTER MAKING IT SAFE FOR CUSTOMERS TO VISIT WITHOUT WORRY!!!!!

NOTICE
In reference to our RFP BOI/HO/IT/FIS/1 dated 1.8.2007 for providing Financial Inclusion solution the due date for submission of the bid is extended upto 8th September 2007

But after a delay of some seconds the following error message appeared (Safari in use):

Server Error in ‘/’ Application.
The resource cannot be found
Description: HTTP 404
Requested Url: /home/OpinionPoll/opinionpoll.aspx

On Monday 3rd Sep the main page URL had a different format:
www.bankofindia.com/home/index.asp

which generates a 404 today.

Since last Saturday they have shown the following statement, without any information about Trojan/spyware risks:

This site is under temporary maintenance till further notice.
Kindly bear with us

BTW: Their online banking system Star Connect uses pop-ups as well.


Windows screensaver lock and lecturing

I was giving a lecture at NPS yesterday, and while I was unlocking my laptop (XP), suddenly, before it was unlocked, a File Open window popped up. I could browse and, more importantly, open files. The first choice of the system was .hlp.

Can someone say pwnage? Anyone up to doing some monkey fuzzing on that interface?

Gadi Evron,
ge@linuxbox.org.


ISOI 3 is on, and Washington DC is hot

Following up on that strange title, ISOI 3 (Internet Security Operations and Intelligence), a workshop for do-ers who work on the security of the Internet and its users, is happening Monday and Tuesday in Washington, DC.

This time around we have even more government participation (we’re in DC, duh), but a bit less from academia (who can try to look at long-term solutions), rather than just us security researchers and operators (who respond to, contain and mitigate incidents).

I am very pleased with our progress on encouraging global cooperation and getting more industry information sharing going. I am also happy we are moving from “just” good-will based relationships to the physical world with our efforts, being able to take things to the next level with world-wide operational task forces and, indeed, effecting change.

If you are interested in this realm of Internet security operations, take a look at ISOI 3’s schedule, and perhaps submit something for the next workshop.

Some reporters are somewhat annoyed that entrance is barred to them, but I hope they would understand that although we make things public whenever we can, as full disclosure is a strong weapon in the fight against cyber crime, folks cannot share as openly when they have to be on their toes all the time.

The third ISOI is here because after DHS ended up unable to host it, sponsors emerged who were happy to assist:

Afilias Ltd.: http://www.afilias.info/
ICANN: http://www.icann.org/
The Internet Society: http://www.isoc.org/
Shinkuro, Inc.: http://www.shinkuro.com/

It’s going to be an interesting next week here at the swamp. Attendees better show up with their two forms of ID. :)

Gadi Evron,
ge@linuxbox.org.


eWeek: Estonian Cyber-War Highlights Civilian Vulnerabilities

I posted a column on eWeek on what critical infrastructure means, looking back at the Estonia incident.

They edited out some of what I had to say on home computers and their impact as a critical infrastructure, but hey, word limitations.

http://www.eweek.com/article2/0,1895,2166125,00.asp

Gadi Evron,
ge@linuxbox.org.


www-microsoft.com… www.microspft.com… old-fashioned - the newest trend is vvindowsupdate.com

During the last few years several domains based on misspellings of Microsoft.com have been registered, to advertise online casinos etc.

But now, the Web site vvindowsupdate.com has been registered.

Did you see the address windowsupdate.com when reading the sentence? You are not alone!
Sunbelt guys are aware that the group behind the registration is affiliated with the infamous VxGame Trojan.
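The three tricks named in this post (the www-microsoft.com prefix, the microspft.com misspelling and the vvindowsupdate.com look-alike) can each be caught automatically. The following is an added example, not from the original post: a small Python checker that folds common confusable sequences, strips the “www-” prefix trick and flags labels within one edit of a protected brand. The confusable table and the protected brand list are assumptions of the example.

```python
from typing import Optional

# Look-alike sequences a reader's eye merges into one glyph (assumed table):
# what is seen -> what the reader believes was typed.
CONFUSABLES = {"vv": "w", "rn": "m", "cl": "d", "0": "o", "1": "l", "5": "s"}
# Brands the check protects (assumption of the example).
PROTECTED = ("microsoft", "windowsupdate")

def fold(label: str) -> str:
    """Fold confusable sequences: 'vvindowsupdate' -> 'windowsupdate'."""
    out = label.lower()
    for seen, real in CONFUSABLES.items():
        out = out.replace(seen, real)
    return out

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typos such as 'microspft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify(domain: str, protected=PROTECTED) -> Optional[str]:
    """Return why a domain looks like a protected brand, or None if it does not."""
    label = domain.lower().rstrip(".").rsplit(".", 1)[0]   # drop the TLD
    dashed = label.startswith("www-")                       # 'www-microsoft' mimics 'www.microsoft'
    if dashed or label.startswith("www."):
        label = label[4:]
    folded = fold(label)
    for brand in protected:
        if label == brand:
            return f"www-dash prefix on {brand}" if dashed else None   # genuine unless dashed
        if folded == fold(brand):
            return f"homoglyph of {brand}"
        if levenshtein(label, brand) <= 1:
            return f"one-character typo of {brand}"
    return None
```

Run over newly registered domains or proxy logs, a non-None result is a candidate for blocking or analyst review rather than a verdict on its own.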
