Password-Stealing Trojan Spreads

March 8, 2008 – 6:28 PM

A fresh round of spam with a password-stealing Trojan horse detected this week uses a German-language pitch, saying the malicious attachment is an official Microsoft Windows update.

The attached malware, called “Trojan-PSW.Win32.Sinowal.u” by antivirus software developer Kaspersky Lab, is a next-generation Trojan that’s on the rise, said Roel Schouwenberg, a senior research engineer with the company. The Sinowal family of malware was first detected in December, and first seeded on malicious Web sites.

If a user visited the site and did not have a properly patched browser, the software would install itself, allowing it to harvest login and password information for some European banks’ Web sites, Schouwenberg said. The Sinowal family of malware may have been created in Russia, since the malware code contains some Russian, he said.

The latest spam messages come from a “.de” e-mail address. Rather than depending on a browser exploit to install itself, the latest version of Sinowal tries to trick users into installing it. The message, written in German, claims that a new worm is on the loose and that the recipient should run the attached file to protect their system.

Schouwenberg said the malware writers may have decided to send it by mass e-mail if the browser exploit approach wasn’t working as well.

How It Works

The Sinowal Trojan is a type of “man-in-the-middle” malware that sits inside the victim’s browser. Even if a user has started a Secure Sockets Layer (SSL) session with a bank, the Trojan works on the page after the browser has already decrypted it, so it can insert HTML code that causes a pop-up window asking for a user name and password; the encryption protects the connection, not the content once it is inside the browser. It is programmed to react to certain bank Web sites.

“This is something we are going to see more and more and really make life hard,” Schouwenberg said.

It is unique in that it sends that information immediately to the hacker’s server rather than storing it for periodic transmission, Schouwenberg said. The Trojan is also capable of checking for updates of itself.

http://www.pcworld.com/news/article/0,aid,125915,tk,nl_dnxnws,00.asp

Microsoft Advises Switching Word to ‘Safe Mode’

March 8, 2008 – 6:28 PM

Microsoft is advising people to run its Word application in “safe mode” to help guard against a Trojan horse that surfaced recently, though security experts on Wednesday said there still appears little cause for alarm.

“The good news is that it doesn’t seem to be very widespread,” said Graham Cluley, a senior technology consultant with United Kingdom antivirus company Sophos PLC. “There have been very, very few reports.”

Damage Limited So Far

Researchers at F-Secure and Trend Micro also said the number of reported incidents remained low on Wednesday. Trend Micro rates the Trojan horse as “low risk” because, while the potential for damage is high, the impact so far has been small, said David Sancho, a senior antivirus engineer.

The Trojan horse surfaced last Thursday and arrives buried in a Word file attached to an e-mail message. It secretly installs software on a user’s PC that could be used to execute remote commands, download other malware, or monitor keystrokes and gather passwords, among other mischief.

For the Trojan horse to do its work, however, users must first be tricked into opening the Word attachment. And the incidents reported so far suggest that hackers are still using the Trojan horse in a very targeted fashion rather than sending it in mass e-mail, said Erkki Mustonen, a security researcher at F-Secure.

The Finnish vendor received reports from a handful of European companies affected last week that were all in the same business area, Mustonen said. He declined to name the industry. The company received a few more reports this week, but “it seems to be pretty calm,” he said.

The number of hacker groups using the Trojan horse appears quite small at this point, Mustonen said. “It seems they have been written by expert people,” he said.

He advised businesses to monitor any suspicious traffic in their firewall coming from China. The Trojan horse may not have originated there, but it appears at least to be talking to a host server in that country, he said.
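Mustonen’s advice is easiest to act on if outbound connections to a given address range can be pulled out of the firewall log, and the same check covers the Sinowal behaviour described earlier on this page (captured credentials uploaded to the attacker’s server as soon as they are taken). The PowerShell below is an added example written for this page, not code from the article, F-Secure or Kaspersky: it parses Windows Firewall log lines using the file’s own `#Fields:` header and flags connections from internal hosts to watch-listed prefixes. The log lines and the watched prefix 203.0.113.0/24 are constructed for the demonstration; nothing here states where the real malware connected.

```powershell
# Added example: parse Windows Firewall log lines and flag outbound connections from internal
# hosts to watch-listed prefixes. Not from the article, F-Secure or Kaspersky. The log lines and
# the watched prefix 203.0.113.0/24 below are constructed for the demonstration.

function ConvertTo-IPv4Int {
    param([string]$Address)
    # Dotted quad -> 32-bit value, held in a [long] so the bitwise work never overflows
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $network, $bits = $Cidr -split '/'
    # /24 -> 4294967040 (0xFFFFFF00); computed arithmetically to avoid shift-width surprises
    $mask = [long](4294967296 - [math]::Pow(2, 32 - [int]$bits))
    $lhs = (ConvertTo-IPv4Int $Address) -band $mask
    $rhs = (ConvertTo-IPv4Int $network) -band $mask
    return ($lhs -eq $rhs)
}

function Get-FirewallLogRecords {
    param([string[]]$Lines)
    # Column names come from the log's own '#Fields:' header, so the parser follows the file
    # rather than a hard-coded layout (the field list differs between Windows versions)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if (-not $fields -or $line -match '^\s*(#|$)') { continue }
        $values = $line.Trim() -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt [math]::Min($fields.Count, $values.Count); $i++) {
            $rec[$fields[$i]] = $values[$i]
        }
        New-Object PSObject -Property $rec
    }
}

function Find-WatchedOutbound {
    param(
        [object[]]$Records,
        [string[]]$WatchPrefixes,
        [string[]]$LocalPrefixes = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
    )
    $ipv4 = '^\d{1,3}(\.\d{1,3}){3}$'
    foreach ($r in $Records) {
        $src = $r.'src-ip'; $dst = $r.'dst-ip'
        if ($src -notmatch $ipv4 -or $dst -notmatch $ipv4) { continue }   # ICMP/info rows carry '-'
        # "Outbound" = the source is one of our internal ranges; an infected PC beaconing out
        # looks like this, while an inbound probe from a watched range does not and is ignored
        $fromInside = @($LocalPrefixes | Where-Object { Test-IPv4InCidr $src $_ }).Count -gt 0
        $toWatched  = @($WatchPrefixes | Where-Object { Test-IPv4InCidr $dst $_ }).Count -gt 0
        if ($fromInside -and $toWatched) {
            New-Object PSObject -Property @{
                When        = "$($r.date) $($r.time)"
                Action      = $r.action
                Protocol    = $r.protocol
                Source      = $src
                Destination = "${dst}:$($r.'dst-port')"
            }
        }
    }
}

# Constructed sample in the XP SP2 pfirewall.log layout (17 columns, '-' for unused fields)
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2006-05-10 09:14:02 OPEN TCP 192.168.1.23 198.51.100.7 1182 80 - - - - - - - - -
2006-05-10 09:14:09 OPEN TCP 192.168.1.23 203.0.113.45 1183 80 - - - - - - - - -
2006-05-10 09:14:11 DROP TCP 203.0.113.90 192.168.1.23 4431 135 48 S 1022938 0 16384 - - - RECEIVE
2006-05-10 09:15:30 OPEN UDP 192.168.1.23 192.168.1.1 1025 53 - - - - - - - - -
'@ -split "`r?`n"

$records = Get-FirewallLogRecords -Lines $SampleLog
Find-WatchedOutbound -Records $records -WatchPrefixes @('203.0.113.0/24') | Format-Table -AutoSize
```

Only connections whose source is in one of the internal ranges and whose destination is in a watched prefix are reported; the dropped inbound probe from the watched range is deliberately left out, because the signal Mustonen describes is an internal host talking out to the attacker’s server, not the reverse. Replace the constructed prefix with whatever ranges you actually want to watch, and feed the script a real pfirewall.log with `Get-Content`.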

Safe Mode Workaround

Microsoft’s Security Response Center is analyzing the vulnerability, which affects Microsoft Word XP and Word 2003. The company said it will release a patch with its next regular update, due June 13, or earlier if necessary.

In the meantime, Word’s safe mode won’t fix the vulnerability but will prevent the vulnerable code from being exploited, Microsoft said.

In safe mode, Word ignores toolbar customizations, changes to preferences cannot be saved, and functions such as AutoCorrect and Smart Tags are disabled.

The first step is to disable the Outlook feature that uses Word for editing e-mails. The second involves creating a new desktop shortcut that adds “/safe” to the Word command line. Detailed instructions are in the Workaround section in Microsoft Security Advisory (919637).
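Both workaround steps can be scripted. The PowerShell below is an added example written for this page, not Microsoft’s own code from the advisory: it locates WINWORD.EXE through the App Paths registry key, clears Outlook’s “use Word to edit e-mail” setting for Office 10.0 and 11.0, creates the desktop shortcut with /safe on the command line, and re-reads the shortcut to confirm the switch is present. The registry value name UseWordMail is an assumption from memory and should be checked against your own installation before relying on it.

```powershell
# Added example, not Microsoft's code: scripts the two workaround steps from Security
# Advisory 919637 for Word/Outlook 2003 (Office 11.0) and 2002/XP (10.0). Assumption: the
# Outlook "use Word to edit e-mail" checkbox is stored as the DWORD UseWordMail under
# HKCU\Software\Microsoft\Office\<ver>\Outlook\Options\Mail; confirm this on your own build.

function Get-WinWordPath {
    # Windows records where WINWORD.EXE was installed under App Paths
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WINWORD.EXE'
    $path = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if (-not $path) { throw 'WINWORD.EXE is not registered under App Paths; locate it by hand.' }
    return $path
}

function Disable-OutlookWordMail {
    # Step 1: stop Outlook from using Word as its e-mail editor (a per-user setting)
    foreach ($ver in '11.0', '10.0') {
        $key = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Options\Mail"
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name 'UseWordMail' -Value 0 -Type DWord
            Write-Output "Outlook $ver : Word is no longer the e-mail editor"
        }
    }
}

function New-WordSafeModeShortcut {
    param(
        [string]$ShortcutPath = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Word (Safe Mode).lnk')
    )
    # Step 2: a desktop shortcut whose command line ends in /safe
    $wsh = New-Object -ComObject WScript.Shell
    $lnk = $wsh.CreateShortcut($ShortcutPath)
    $lnk.TargetPath  = Get-WinWordPath
    $lnk.Arguments   = '/safe'
    $lnk.Description = 'Word in safe mode (Microsoft Security Advisory 919637 workaround)'
    $lnk.Save()
    return $ShortcutPath
}

function Test-WordSafeModeShortcut {
    param([string]$ShortcutPath)
    # Re-open the saved .lnk and check the switch is really there; a shortcut without /safe
    # starts Word normally and gives no protection at all
    $wsh = New-Object -ComObject WScript.Shell
    $lnk = $wsh.CreateShortcut($ShortcutPath)
    return [bool]($lnk.Arguments -match '(^|\s)/safe(\s|$)')
}

Disable-OutlookWordMail
$shortcut = New-WordSafeModeShortcut
if (Test-WordSafeModeShortcut -ShortcutPath $shortcut) {
    Write-Output "Created $shortcut"
} else {
    throw "Shortcut at $shortcut does not carry /safe"
}
```

Run it in the session of the user who will be opening Word, since both the Outlook setting and the desktop shortcut are per-user. The registry step corresponds to the checkbox the advisory has you clear under Tools, Options, Mail Format in Outlook; when Word is started from the new shortcut its title bar should read “(Safe Mode)”, which is the quickest way to confirm the shortcut, and not a plain Word icon, is what users are launching.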

“For the sake of security I’d recommend doing it, even though it’s a bit difficult,” Sancho of Trend Micro said.

http://www.pcworld.com/news/article/0,aid,125859,tk,nl_dnxnws,00.asp

Malware using search engines to spread

March 8, 2008 – 6:27 PM

Internet search engines are now one of the commonest means by which malware spreads, a new study has suggested.

The study, carried out by McAfee’s spyware expert Ben Edelman using the company’s SiteAdvisor tool, analysed common searches on all the Net’s major search engines: Google, Yahoo, MSN, AOL and Ask.

The results make sobering reading. Between January and April of this year all surveyed engines returned numerous sites that could be classified as “risky”. At times the risky-site percentage reached 72 percent of returned sites for apparently innocuous searches such as “free screensavers,” “digital music,” and “popular software”.

MSN emerged as the best of the bunch with 3.9 percent of risky sites returned overall, with Google on 5.3 percent and Ask the worst at 6.1 percent.

The report claims US consumers are now making 285 million clicks to hostile sites each month as a result of search engines alone, a figure extrapolated from the estimated 5.7 billion searches made by the US population over the same period.

Sponsored links, the commercial front line for search engines, were particularly prone to malware subversion, returning between two and four times as many risky sites as unsponsored links.

The results held true regardless of which results page was analysed: page one results were only moderately safer than those on pages two to five.

“As we look at the web, we see many instances when search engines lead users to dangerous content,” the report says. “Our analysis of search engine safety finds bad practices among 5 percent of search results for popular keywords, or roughly one site per page of search results.”

McAfee lays the blame at the door of search engines’ drive to earn as much money as possible without considering the implications for the evolution of malware.

“Profit motivations have shifted search engines’ ranking methodologies. Prominent results often reflect solely a site’s willingness to pay rather than its quality, relevance, or safety,” it says. “Some analysis indicates that search engines make big money selling ads to untrustworthy sites, many millions of dollars each year.”

The report cautions against reading the risk rates as low, rightly pointing out that becoming infected with even a single piece of malware can be disastrous for the average consumer.

http://www.techworld.com/security/news/index.cfm?RSS&NewsID=6001

Webroot uncovers thousands of stolen identities

March 8, 2008 – 6:26 PM

Spyware researchers at Webroot Software have uncovered a stash of tens of thousands of stolen identities from 125 countries that they believe were collected by a new variant of a Trojan horse program the company is calling Trojan-Phisher-Rebery.

The FBI is investigating the stolen information, which was discovered on a password-protected FTP (File Transfer Protocol) server in the U.S. and is believed to be connected to a Trojan horse that is installed from the Web site teens7(dot)com. The information, organized by country, includes names, phone numbers, social security numbers, and user log-ins and passwords for tens of thousands of Web sites, according to information provided to InfoWorld by Webroot.

The discovery is just the latest evidence of rampant identity theft by online criminals who use malicious Web sites, common software vulnerabilities and keylogging software to harvest information from unsuspecting Web surfers.

The Trojan was discovered on April 25 by Dan Para, a member of Webroot’s Threat Research Team, who was investigating one of a number of malicious files installed using “drive-by downloads” from the teens7(dot)com Web site. In a drive-by download, software vulnerabilities in the Web browser are exploited so that malicious software can be pushed to the machine running the browser, usually without any warning to the computer’s owner.

The Rebery malicious software is an example of a “banking” Trojan, a class of malware programmed to spring to life when computer owners visit one of a number of online banking or e-commerce sites, said Gerhard Eschelbeck, CTO at Webroot.

Webroot notified the FBI after it discovered the stolen information, which had been groomed and organized in folders by country where it was “ready to be sold,” Eschelbeck said. The stolen data was hosted on an FTP server hosted by nLayer Communications in New York, according to Webroot. However, the company does not know who is behind the scam, Eschelbeck said.

“It’s probably an individual who set it up,” said Eschelbeck. However, it is unlikely that the individuals running the Web site or hosting the FTP server have any direct knowledge of the scam, he said.

Rebery is still “running wild” on the Internet, Webroot said. The company believes there are more than 12,000 systems infected with the Trojan, 1,200 of them in the U.S.

The stash of stolen identities is just one of many that have been uncovered in recent months, as identity theft has evolved into a lucrative operation for online criminal groups.

Researchers at antispyware firm Sunbelt Software have also uncovered stashes of stolen information harvested by keyloggers on more than one occasion, and company employees have, in the past, informed some consumers that their identities have been stolen.

Catching the perpetrators is a different matter, however. Often, criminals conduct their affairs from afar, connecting to their servers through one or more compromised machines, which are often scattered around the globe, making criminal investigation and enforcement difficult, experts say.

http://www.infoworld.com/article/06/05/09/78139_HNTrojanrebery_1.html

Used Hard Drives Retain Data in eBay Sale

March 8, 2008 – 6:26 PM

Anybody with five bucks and a little patience may be able to score sensitive corporate data on eBay.

Organizations engaging in the common practice of disk drive recycling--selling unneeded disk drives directly or through a service--may find that company data winds up for sale on eBay’s auction site, even when the drives were supposed to have been wiped first.

Idaho Power found itself in that situation last week as it attempted to track down unscrubbed company disk drives that had been sold on eBay.

The drives contained confidential employee information, correspondence with customers, and memos that discussed proprietary company information, the company said.

The Boise, Idaho-based utility supplies electricity to approximately 460,000 customers in southern Idaho and eastern Oregon.

Idaho Power said it hired Grant Korth of Nampa, Idaho, to recycle about 230 SCSI drives. Korth sold 84 of those drives to 12 parties, which have not been disclosed by the company, using the eBay Web site. The remaining 146 drives were returned to Idaho Power, the company said.

Korth declined to comment on the situation.

Search and Retrieval

Idaho Power has received assurance from 10 of the 12 parties that bought drives over eBay that the hardware would be returned or the data on them would not be saved or distributed. The other two parties are still being tracked down, the company said.

An Idaho Power spokesperson said the company has hired a Seattle law firm, Blank Law & Technology, to launch an investigation to determine what information was on the affected drives and why they weren’t scrubbed as required.

Typically, Idaho Power either destroys drives or scrubs them to Department of Defense standards, the spokesperson said. In this case, the salvage vendor was to have scrubbed the drives to DOD standards, he said.

The company said it will not know what regulatory penalties it may face until the investigation is completed.

In the meantime, Idaho Power has implemented a new policy that calls for drives to be destroyed rather than sold for salvage. That’s the type of policy advocated by Simson Garfinkel, a postdoctoral fellow at Harvard University’s Center for Research on Computation and Society who has researched the issue.

“The resale value of a hard drive is really minuscule,” he said. “These things are worth $5 to $20 each. I don’t think anyone’s buying them on the secondary market for extortion, but you never know.”

Frances O’Brien, an analyst at Gartner, said the distribution of drives carrying unscrubbed data is commonplace. “It happens all the time,” she said. Typically, a user either doesn’t know to clean the drives or doesn’t do it correctly, she said.

Aside from the financial concerns related to losing data, organizations that improperly recycle disk drives can run afoul of a number of federal regulations, such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act, O’Brien said.

In addition, such incidents could lead to significant penalties in states like California and New York that have broad privacy regulations, said Robert Houghton, president of Redemtech, a Columbus, Ohio-based outsourcer.

When a company hires an outsourcer--which is a practice Gartner recommends--it needs to be aware of the outsourcer’s methods for cleansing data, O’Brien said. “If everyone else is charging $20 and someone says they’ll do it for $2,” she said, “you’ve got to wonder why.”

http://www.pcworld.com/news/article/0,aid,125662,tk,dn050906X,00.asp