November 2011

All that, and it was just pharma spam?

Got a message yesterday.  It was immediately suspect, since it purportedly came from YouTube, and was threatening that I had sent “the maximum number of messages per day.”  It was also sent to the “-owner” of a mailing list I run on Yahoo.  Of course, I don’t send email through YouTube.

However, since I do have a YouTube account, and just in case there was a mail capability I didn’t know about, I figured I’d better check it out.  Sending through Yahoo is a good form of obfuscation.  I did, eventually, figure out that it came via ThePlanet in Houston (probably a bot-infected machine).
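The header walk described above, tracing a message back past the Yahoo relay to the host that first handed it in, as an added example that is not from the original post.  It parses a constructed headers-only message (the hostnames and addresses are reserved documentation values, not those of the actual spam), reads the Received headers top-down, trusts only the headers written by the recipient’s own servers and by a relay named in a trusted-suffix list, and reports the first host outside that chain.  The sample message and the trusted-suffix list are assumptions for illustration.

```python
import re
from email import message_from_string

# Constructed sample (not the spam the post describes): a headers-only message
# whose chain mirrors the story.  An unknown host hands the message to a Yahoo
# relay, which hands it to the recipient's mail servers.  All names and
# addresses are reserved/documentation values.
SAMPLE_MESSAGE = """\
Received: from mta1.example-recipient.net (mta1.example-recipient.net [198.51.100.7])
\tby mail.example-recipient.net with ESMTP id ABC123
\tfor <list-owner@example-recipient.net>; Tue, 15 Nov 2011 09:12:01 -0800
Received: from n12.bullet.mail.yahoo.invalid (n12.bullet.mail.yahoo.invalid [203.0.113.45])
\tby mta1.example-recipient.net with SMTP; Tue, 15 Nov 2011 09:11:58 -0800
Received: from [192.0.2.200] (unknown [192.0.2.200])
\tby n12.bullet.mail.yahoo.invalid with SMTP; Tue, 15 Nov 2011 09:11:40 -0800
From: "YouTube Service" <service@youtube.example>
To: list-owner@example-recipient.net
Subject: You have sent the maximum number of messages per day

(body omitted)
"""

HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s*by\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_hops(raw_message):
    """Return the Received hops top-down (most recent first).

    Each hop is a dict with the host the message came 'from', the IP the
    receiving server recorded for it (if any), and the server that wrote the
    header ('by').  Folded header lines are joined before matching.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)
        m = HOP_RE.search(flat)
        if not m:
            continue  # not in 'from ... by ...' form; skip rather than guess
        src, comment, by = m.groups()
        ip_match = IP_RE.search(comment or "") or IP_RE.search(src)
        hops.append({
            "from": src,
            "ip": ip_match.group(1) if ip_match else None,
            "by": by.rstrip(";").lower(),
        })
    return hops


def originating_hop(hops, trusted_suffixes):
    """Walk the chain top-down and return the first hop from outside it.

    A Received header is only as trustworthy as the server that wrote it
    ('by').  Starting from the header our own server added, we keep following
    while the writer is one of our servers or a relay we choose to trust; the
    'from' host of the last trusted header is the origin.  Anything below an
    untrusted writer could have been forged by the sender and is ignored.
    """
    origin = None
    for hop in hops:
        writer = hop["by"]
        if not any(writer == s or writer.endswith("." + s) for s in trusted_suffixes):
            break
        origin = hop
    return origin


if __name__ == "__main__":
    chain = parse_hops(SAMPLE_MESSAGE)
    for hop in chain:
        print(f"{hop['by']:40} <- {hop['from']} ({hop['ip']})")
    # Trusting the Yahoo relay's own header, as the post did, exposes the first hop.
    print("origin:", originating_hop(chain, ("example-recipient.net", "yahoo.invalid")))
```

Two points worth noticing: without the relay in the trusted list the walk stops at the Yahoo server itself, which is exactly the obfuscation the post complains about; and naming the network behind the reported address (reverse DNS or WHOIS) needs network access, so it is left out here.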

I then suspected that it might be some kind of account phishing.  However, when I actually looked at the URL, and checked it out, it seems to have been a simple pharma spam (bounced from a site in France to one in Russia).

All that trouble and obfuscation, just to post pharma spam?  Sophisticated misdirection kits are obviously getting cheaper and easier for the script kiddie level spammers to buy.

Amex clueless about security–so what else is new?

American Express is, as far as I know, alone among major financial institutions (for large values of “major”) in sending out phish-like messages.  Pretty much every other bank has gotten the message: don’t send email to your customers, and alert them that if they receive email, it’s not from you.

(I’m still getting those messages, by the way.  Ironically, it’s because I don’t want them.  If I want to tell Amex to turn them off, the only way I can do that is to register to receive them.  Explain to me the logic underlying that process …)

Amex is also alone in not providing an email account to which you can send phishing messages.  I guess Amex doesn’t want to do any more takedowns than they absolutely have to.

As a security pro, I’ve got contacts; personal contacts; in many major banks and financial institutions.  These are people who work in phishing and malware takedowns, and I’ve encountered them in the course of my research into same over the years.  I’ve never come across anyone from Amex.  I’ve never had anyone from Amex in any of my seminars.

So, it is no great surprise that when a researcher recently found a gaping hole in Amex security, he had a very hard time letting Amex know about it.

PC Support Sites: Scams and Credibility

Just as 419-ers seem to have been permanently renamed in some quarters as “the Lads from Lagos”, I wonder if we should refer to those irritating individuals who persist in ringing us to offer us help (for a not particularly small fee) with non-existent malware as the “Krooks from Kolkata” (or more recently, the Ne’er-do-wells from New Delhi). It would be a pity to slur an entire nation with the misdeeds of a few individuals, but the network of such scammers does seem to be expanding across the Indian subcontinent.

Be that as it may, I’ve recently been doing a little work (in association with Martijn Grooten of Virus Bulletin) on some of the ways that PC support sites that may be associated with cold-call scams are bolstering their own credibility by questionable means. Of course, legitimate businesses are also fond of Facebook likes, testimonials and so on, but we’ve found that some of these sites are not playing altogether nicely.

I’ve posted a fairly lengthy joint blog on the topic here: Facebook Likes and cold-call scams

ESET Senior Research Fellow

History of crimeware?

C’mon, Infoworld, give us a break.

“There are few viable options to combat crimeware’s success in undermining today’s technologies.”

How about “don’t do dangerous stuff”?

“Crimeware: Foundation of today’s telescreens”

I’m sorry, what has “1984” to do with the use of malware by criminal elements?

“Advancement #1: Form-grabbing for PCs running IE/Windows
Form grabbing, as its name implies, is the crimeware technique for capturing web form data within browsers.”

Can you say “login trojan”?  I knew you could.  They existed even before PCs did.

“Advancement #2: Anti-detection (also termed stealth)”

Oh, no!  Stealth!  Run!  We’re all gonna die!

Possibly the first piece of malware to use some form of stealth technology to hide itself from detection was a virus.  Perhaps you might have heard of it.  It was called BRAIN, and was written in 1986.

“Advancement #5: Source code availability/release
The source codes for Zeus and SpyEye, among the most sophisticated crimeware, were publicly released in 2010 and 2011, respectively.”

And the source code for Concept, which was, at the time, the most sophisticated macro virus (since it was the only macro virus), was released in 1995, respectively.  But wait!  The source code for the CHRISTMA exec was released in 1988!  Now how terrified are you!

“Crimeware in 2010 deployed the capability to disable anti-malware products”

And malware in 1991 deployed the capability to disable CPAV and MSAV.  With only fourteen bytes of code.  As a matter of fact, that fourteen-byte string came to be used as an antivirus signature for a while, since so many viruses included it.

“Advancement #7: Mobile device support (also termed man-in-the-mobile)”

We’ve got “man in the middle” and “meet in the middle.”  Nobody is using “man in the mobile” except you.

“Advancement #8: Anti-removal (also termed persistence)
As security solutions struggle to detect and remove crimeware from compromised PCs, malware authors are updating their code to permit it to re-emerge on PCs even after its supposed removal.”

I’ve got four words for you: “Robin Hood” and “Friar Tuck.”

The author “has served with the National Security Agency, the North Atlantic Treaty Organization, the U.S. Air Force, and two Federal think tanks.”

With friends like this, who needs enemies?

New computers – Mac – batteries and the Apple Store

My MacBook battery, which has had problems in the past, suddenly decided not to charge at all.  Well, one Mac fanatic friend had been on at me to take it in to an Apple Store and have it repaired, as it was still under warranty.  I have now had my first, and hopefully last, experience of an Apple Store.

I’m fortunate.  I live in one of the few places in BC where you are less than 500 miles away from an Apple store.  I looked it up on the Web.  I even made a reservation.  Turns out that was probably a good thing.

I made the appointment later in the day, after business hours.  The Apple store I chose was in the downtown core, so I figured that I had best do it after office hours, to reduce demand from businesspeople needing to have their devices fixed.

As I approached the Apple Store, I could see which one it was.  This is because, unlike every other store in the mall, it had signage sticking out into the mall.  All the other stores had signage above the front face of the store.  The Apple sign was relatively small and tasteful.  But it also seemed to indicate a “the rules don’t apply to us” attitude.

Since it was late in the day, the mall was not crowded.  However, my second indication that I was near the Apple Store was a crowd of people outside the store, all looking at iPhones or iPads or with iPods plugged into their ears.

As I got to the store, I could see that it was narrow, but fairly deep.  There were devices of all types (in boxes) wallpapering the walls.  There were two rows of tables, with various devices and laptops on them.  And hordes of people.

It was packed.  It was crowded.  It was noisy.  It was a zoo.  I had a hard time fighting my way to the back to the service desk.  (Sorry.  “Genius Bar.”)

One of the staff asked what I wanted, and I told him repairs.  I told him my name and the time of my appointment.  He said someone would be with me shortly, probably before my appointment time.

At the appointment time, someone found me.  He asked what the problem was.  (At least, I think so.  He had a slight accent, but the noise of the crowd made it extremely hard to hear anything.)  I told him about the consistent problem with charging time, the refusal to charge, and the fact that, after having tried all kinds of rebooting and pulling plugs and checking profiles, that leaving it plugged in while I did some other work had apparently resulted in it finally charging up.

He looked at it and told me it was charged up.

I told him about the consistent problem with charging time, the refusal to charge, and the fact that, after having tried all kinds of rebooting and pulling plugs and checking profiles, that leaving it plugged in while I did some other work had apparently resulted in it finally charging up.

He said he couldn’t do anything while it was charged.

All this had taken place at one of the tables, not the “genius bar.”  (I guess you have to be relatively near the bar to be an actual genius.)  So we moved over there, and he decided that looking at some YouTube videos might run the battery down a bit.  (I suggested that news sites seemed to be faster, but he’s the genius.)  After running the battery down a bit, he looked at the power profile.  Then he rebooted and looked at some diagnostic utility that must be built in, but not accessible to us plebes.  Then he looked at some other similar utility.  Then he looked at some logs.  Then he ran a short diagnostic.  He told me that the utilities showed that the battery was fine, but the logs said that at one time it wasn’t.  So I’d have to get the battery replaced.  He gave me some forms to sign and disappeared into the back.

I signed the forms and waited.  And waited.  And waited.  Eventually I started to think that maybe he was, in fact, doing the battery replacement.  I waited some more.  And more.

Finally he came back.  He said he had replaced the battery.  It certainly seemed to have less charge than before.  He showed me the power profile, and it now showed 0 cycles rather than the 47 it had shown before.  (This is less comforting than you’d think, since one of the other diagnostics had shown 42 cycles.)

I will take it on faith that he replaced the battery.  Since then I have run down the battery (watching an hour of live video on what was supposed to be a five hour charge), fully charged it, and run it for about seven hours.

But I sure don’t have much faith in them …

Since then, another Mac fanatic has told me that I should buy the extended warranty on the MacBook, since it was really comforting to know that Apple would fix all the problems that would happen over a three year period.

This advice is less reassuring than one might suppose …