Thursday, March 31, 2011

Mule-ing Over that Job Application?

Recently at Symantec Security Response, we came across a seemingly innocuous program that was being hosted at a number of different URLs. What flagged the file as unusual was the fact that many different customers were submitting the same file for analysis.
The basic behaviour of the program is to run you through a job suitability questionnaire before redirecting you to one of the following URLs:
hxxp://groupinc-upland.biz/registration/1
hxxp://artby-group.biz/registration/1
hxxp://artby-gorup.net/registration/1
hxxp://callisto-ltdco.net/registration/1
hxxp://kresko-group.biz/registration/1
hxxp://kresko-group.net/registration/1
hxxp://targetmarket-groupllc.net/registration/1
hxxp://neoline-llc.net/registration/1
hxxp://neoline-groupco.cc/registration/1
You cannot simply browse to these pages without first downloading and completing the suitability test.
The program generates a unique URL, giving you access to the registration page.
What is unnerving about this application is the level of detailed information it requests.
They even ask for your online bank account details, including the URL, your login, and your password, in exchange for an extra $100.
As a final step, an email is sent to the supplied address whereby you are asked to sign an agreement and upload a scanned copy of your ID or a utility bill.
The contract states the purpose of the job:
“The Contractor undertakes the responsibility to receive payments from the Clients of the Company to his personal bank account, withdraw cash and to effect payments to the Company's partners by Western Union or MoneyGram money transfer system within one (1) day”
It also states the remuneration:
“The Contractor is engaged by the Company on terms of thirty-days (30) probationary period. During the probationary period the Company undertakes to pay to the Contractor the base salary amounting to 2300 USD per month plus 8% commission from each payment processing operation. After the probationary period the Company agrees to revise and raise the base salary to 3000 USD.”
And don’t forget the bonus $100 you can get from providing your online bank account details!
So-called money mules keep a cut of each transaction and wire the remainder of the cash to third-party accounts. This activity is illegal (it is money laundering), and many cases have already ended up in the courts.
Users should also be aware that throughout this scam all of this sensitive information is sent over HTTP rather than HTTPS, so their bank details are transmitted in plaintext over the wire.
As a general rule of thumb, users shouldn't share personal information (passwords, bank account details, etc.) with anyone or any site unless they intentionally initiated the transaction themselves. Even on legitimate pages that require personal information, make certain the site is using encryption by looking for 'https' in the URL along with the lock icon in the browser, which indicates the use of SSL. Note that encryption alone says nothing about who is on the other end: a scam site can obtain a certificate too, so HTTPS protects the data in transit but does not vouch for the site's legitimacy.
Symantec detects these survey applications as Fakesurvey.

- Post by Stephen Doherty, Symantec

Wednesday, March 30, 2011

Collaboration is Hot … Very Hot (Adoption is Increasing at Cisco)

If you followed my blog last year (and I appreciate those of you who offered comments), you know that Cisco has launched a collaboration solution internally which we call the “integrated workforce experience” or IWE. 
In December, I told you about the deployment of IWE across our enterprise to 110,000 employees and contractors worldwide. This was the culmination of a multi-year project which started as a business process and IT initiative, and evolved into a business unit endeavor after our CEO John Chambers said: “product-ize it.” 
For those of you at companies that are contemplating rolling out your own collaboration program, you may be interested in some of our metrics and key learnings.
Since our November 19th cutover to IWE being powered by Cisco Quad, we’ve had over 54,000 unique users of IWE, over 750,000 visits and more than 5.3 million hits.  And, 390 different community groups now reside on IWE, and nearly 22,000 documents have been uploaded.  In fact, the highest content creation on IWE has been via documents and posts. 
In February, we had the highest ever monthly visitors, approaching 40,000 unique visitors in a short month.  Cisco’s three largest functional groups accounted for 77% of all unique visitors to IWE in February.  And, 18% of our employees have added colleagues to their Contact list (think “Friends” on Facebook).
Globally, IWE’s adoption rate has been steadily increasing – in fact, February had the highest ever Theatre awareness for all our global regions:
  • Japan – 68 percent
  • European markets – 57 percent
  • Emerging markets – 56 percent
  • US and Canada – 53 percent
  • Asia Pacific – 32 percent
So, understanding that it is still in its early days, usage and adoption rates are encouraging.
IWE, now powered by Cisco Quad, has not been without challenges, as any IT deployment is bound to have.  Based on our surveys, we know that the top three issues employees currently have with IWE are:
  • Ease of use
  • Performance improvements
  • The ability to use IWE on mobile devices
Our IWE team is continually looking at and addressing ease of use and performance issues – this is a high priority for us.  And, we are thrilled to be able to offer access to IWE from iPhones and iPads next month which we know employees want, will make IWE more relevant and, in turn, help drive higher adoption.
In addition, we continue to add new features –
  • A new instant messaging feature, known as “Click to Chat,” which now allows employees to chat in real time with others from within IWE. 
  • Employees can now let others know if they’re available to chat through a new Presence feature that can be set to display “available,” “do not disturb,” “away” or “offline.”
  • A new “follow” feature enables team members to stay current on the activities, information and opinions of their important contacts.  This allows employees to add someone to their contact list and follow their public IWE activities.
  • Employees can increase conversations about activities, information and status updates by commenting on people’s activities directly within the enhanced Activities application.
Adopting IWE powered by Cisco Quad is an ever-evolving journey, and we’re just beginning.  I’ll keep you posted on additions and updates as we travel our own collaboration road. 
Next week, I’ll tell you how one of our functional business groups (Customer Value Chain Management) is using IWE successfully to transform its business.
Until then, happy collaborating!
- Post by Sheila Jordon, Communication and Collaboration IT, Cisco

Tuesday, March 29, 2011

Rustock Takedown’s Effect on Global Spam Volume

When Brian Krebs posted a report about the Rustock botnet takedown, Symantec observed a decline in overall spam traffic. Symantec.cloud posted a blog about this, and the Wall Street Journal is now reporting that Microsoft led the takedown.
On March 16, Symantec saw global spam drop 24.7% compared to March 15. On March 17, global spam volume dropped another 11.9% compared to March 16. Compared to a week prior, the volume on March 17 was down 40.4%.
As we typically see with a drop in global spam volume, the overall spam percentage saw a similar decline when spam volume fell. The increase seen on March 19 and 20 can be attributed to a weekend anomaly when the spam percentage is typically higher than on weekdays.
Symantec has kept a close eye on spam volume since Rustock temporarily ceased activity back in December. When Rustock, along with two other botnets, “fell asleep” on December 26, we saw a big decline in spam volume. The chart below shows the percentage decline in global spam volume using the trigger event as a baseline. While the fate of the red line (representing current volume) remains to be seen, it looks to be mirroring the drop we saw back in December.
- Posted by Eric Park, Symantec

Monday, March 28, 2011

Spam and Phishing Landscape: March 2011

As predicted in last month’s report, average daily global spam volume increased month-over-month for the first time since August 2010. The average daily spam volume increased 8.7 percent in February. This rise in spam volume also increased the overall spam percentage, as spam made up 80.65 percent of all messages in February, compared with 79.55 percent in January.
On the phishing side, we take a look at phishing attempts using fake SSL. Fraudulent sites are becoming more sophisticated and are using fake, or even legitimately issued but only domain-validated, SSL certificates to fool visitors. By contrast, an Extended Validation (EV) SSL certificate, which turns the address bar green, requires a more rigorous validation process to verify that the website owner is who it says it is.
To find out more, download the March 2011 State of Spam & Phishing Report, which highlights the following trends:
  • Examining “BRIC” for Spam
  • 3D Secure Passwords for Recharging Mobile Airtime
  • Mass Phishing on Credit Card Services Brand Using Fake SSL
  • February 2011: Spam Subject Line Analysis
With horrific events unfolding in Japan, spammers have taken advantage of the disaster to send spam. In next month’s report, we will examine the various messages and tactics they used to trick users.
- Posted by Eric Park, Symantec

Wednesday, March 23, 2011

Firefox Extension Used in Facebook Scam

Not only is Facebook adding new and interesting features to its toolbox; spammers and scammers on Facebook are, too. Currently there is a scam making the rounds that uses the classic “who is viewing your profile” bait.
So far, nothing new. After the user grants the application the requested privileges (which, of course, sends the above-mentioned spam posts to all of his or her friends), the user is redirected to a download instruction site. There, he or she is asked to download the Firefox browser and then install a “popular” Firefox extension that allegedly gets downloaded over 27,000 times per week. This simple tweak is supposed to generate a new menu entry in Facebook showing profile-viewer statistics.
Of course this “Facebook Connect” Firefox extension is not found on the official Mozilla domain but is hosted on a third-party site. This is not uncommon, so most users will probably ignore the generic warning displayed when installing an extension from an unknown source. Needless to say, the promised feature is not present in it. All the user has installed is a compiled Greasemonkey script that opens a remote site in a pop-up browser window each time the user visits www.facebook.com. Currently, the pop-up window promotes the same profile-view scam mentioned above, but this time the user has to fill in surveys in order to get through to it. Because the pop-up simply loads whatever the remote site serves, this content could be changed at any time to something even more dangerous.
If you accidentally installed the Firefox extension, you can uninstall it from the browser menu: Tools -> Add-ons. There you can also see that the extension is honest enough to tell you exactly what it intends to do, which is: “automaticly (sic) open popup on facebook”.
Facebook’s security team has already reacted and removed the offending applications and the corresponding posts from user space. But, as always, keep an eye or two open, since where there is one scam, there are more to follow.
We have also seen the same extension being advertised in manual script scams: the ones where you get redirected to a website that asks you to copy and paste some obfuscated JavaScript into the browser or, even better, asks the user directly to post the message at least five times on Facebook.
An easy and effective protection step against this variant is to enable SSL login on Facebook, since the pop-up is only generated when the http version of the site is loaded, not the https version. In addition, this will help secure your session against cookie-sniffing shenanigans like those demonstrated by the Firesheep extension.
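The http-only behaviour described above follows from the way Greasemonkey @include rules work: the scheme is part of the literal pattern, so a script included only for http://www.facebook.com/* never fires on the https site. The following is an added example, not code from the original post or from the extension itself: it parses the metadata block of a constructed userscript, checks which URLs the script would run on (using a simplified glob matcher that ignores Greasemonkey's .tld and @match extras), and flags the window.open call. The script text, its URLs and the description are invented for illustration.

```python
import re

# Constructed userscript resembling what the post describes: all it does is
# open a popup on Facebook. The metadata block format (// ==UserScript== ...
# // ==/UserScript==) is the standard Greasemonkey one; the name, popup URL
# and description are invented for this example.
SAMPLE_SCRIPT = """\
// ==UserScript==
// @name        Facebook Connect
// @description automaticly open popup on facebook
// @include     http://www.facebook.com/*
// @exclude     http://www.facebook.com/ajax/*
// ==/UserScript==
window.open('http://popup.example.invalid/viewers', '_blank', 'width=400,height=300');
"""

META_RE = re.compile(r"// ==UserScript==\n(.*?)// ==/UserScript==", re.S)


def parse_metadata(script):
    """Return the @keys of the metadata block as {key: [values]}."""
    m = META_RE.search(script)
    if m is None:
        raise ValueError("no Greasemonkey metadata block found")
    meta = {}
    for line in m.group(1).splitlines():
        kv = re.match(r"//\s*@(\w+)\s+(.*)", line)
        if kv:
            meta.setdefault(kv.group(1), []).append(kv.group(2).strip())
    return meta


def glob_to_regex(pattern):
    """Simplified Greasemonkey @include/@exclude glob: '*' matches anything,
    everything else (including the scheme) is literal text."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def fires_on(script, url):
    """True if the script would run on `url` given its @include/@exclude rules."""
    meta = parse_metadata(script)
    included = any(glob_to_regex(p).match(url) for p in meta.get("include", []))
    excluded = any(glob_to_regex(p).match(url) for p in meta.get("exclude", []))
    return included and not excluded


def opens_popup(script):
    """Crude indicator: does the script body (metadata stripped) call window.open()?"""
    body = META_RE.sub("", script)
    return re.search(r"\bwindow\.open\s*\(", body) is not None


def triage(script, urls):
    """Per URL, would this script fire there *and* open a popup?"""
    popup = opens_popup(script)
    return {url: popup and fires_on(script, url) for url in urls}


if __name__ == "__main__":
    checks = ["http://www.facebook.com/home.php", "https://www.facebook.com/home.php"]
    for url, hit in triage(SAMPLE_SCRIPT, checks).items():
        print(f"{url}: {'popup' if hit else 'no popup'}")
```

Running the block prints that the http URL gets the popup and the https one does not, which is exactly why switching Facebook to SSL login neutralises this particular extension.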

Wednesday, March 16, 2011

Google Tool Cleans Up Mobile Malware ‘Dream’


Over the weekend Google released the Android Market Security Tool to help clean up devices infected with the DroidDream malware. The Android/DrdDream family of malware used a pair of exploits (Exploit/LVedu and Exploit/DiutesEx) to gain root access on vulnerable Android devices.  More than 50 Android applications were reported to be infected; all were pulled from the Android Market. The applications were all versions of legitimate programs that the malware authors had repackaged with malicious code.
Android/DrdDream sends a collection of information (IMEI, IMSI, OS version, etc.) to the attacker and also attempts to download additional payloads. Although the malware uses the pair of root exploits, it doesn’t actually need root access to send the data to the attacker.
Inside the Android Market Security Tool
Google has its official statement on the the tool on the Android Market help site. They list a number of steps they’ve taken to remedy Android/DrdDream (“March 2011 Security Issue”):
  • Suspending the developer accounts (three users) and removing the malicious applications from Android Market
  • Remotely uninstalling the malicious apps from infected devices
  • Pushing out the Android Market Security Tool to infected devices
Disabling accounts, taking apps out of the store, and hitting the remote-app kill switch were already well-known ways of handling bad Android apps. Pushing a security application to a phone is a whole new addition to the toolbox.
As a security researcher I find it interesting to see how new security tools are put together, more so when they come from an operating system developer. Normally I dig into the internals of malware; this time I got to see inside a mobile malware removal tool. Google’s security tool is available on the Android Market, so I was able to grab a copy for analysis.
The Android Market Security Tool is an Android app that also has a non-Dalvik native component called droiddreamclean. Android/DrdDream drops a few additional files (native binaries, an additional APK, etc.) on an infected phone. Because these files are located outside of the app directory, simply uninstalling the app won't remove them. Really cleaning the phone requires access to the file system at a level that standard Android applications can't reach, so the security app launches droiddreamclean to delete the additional files and restore some security settings.
The droiddreamclean binary deletes the second payload, DownloadProvidersManager.apk, that Android/DrdDream downloaded. This prevents the malware from fetching additional malware or updates to the device.
After it gains root access, Android/DrdDream copies the second payload from its assets directory into the system application directory (/system/app/DownloadProvidersManager.apk). This is a manual installation that completely bypasses the Android Market, and because the Market doesn't record the installation, it can't be remotely killed. droiddreamclean doesn't have this problem; it tries a couple of uninstallation methods: the “pm” package manager, or manually deleting the APK.
The malware also copies a renamed “su” executable (/system/bin/profile) into the directory of other system commands. This allows the attacker or updated malware to regain root in the future without re-running the exploits. The Security Tool gives that executable the same treatment as the downloader component of Android/DrdDream.
In case the remote kill does not work, the security tool also includes a list of apps that it removes using the command-line package manager, so none of the known Android/DrdDream packages slip through.
A selection of the 58 packages removed by the Android Market Security Tool.
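To make the cleanup logic above concrete, here is an added example, written for this page and not Google's droiddreamclean code: it scans a filesystem root for the two dropped files the post names, records whether the renamed su is still setuid (a renamed su only hands out root if it keeps that bit), then removes them and falls back from the pm package manager to deleting APKs by hand when pm is absent or refuses. The package names, the /data/app naming and the fixture are assumptions constructed so it runs offline; on a real device the root would be "/".

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Files the post says Android/DrdDream leaves outside its own app directory,
# relative to the filesystem root. The package names are hypothetical stand-ins
# for the tool's removal list, which the post does not reproduce.
DROPPED_FILES = [
    "system/app/DownloadProvidersManager.apk",  # second-stage downloader
    "system/bin/profile",                       # renamed "su" binary
]
KNOWN_BAD_PACKAGES = ["com.example.repackaged.app1", "com.example.repackaged.app2"]


def scan(root):
    """Report which DrdDream artifacts exist under `root`.

    For the renamed su we also note whether it is setuid, since that is what
    would let it give root to a later payload without re-exploitation."""
    findings = {}
    for rel in DROPPED_FILES:
        path = os.path.join(root, rel)
        if os.path.lexists(path):
            findings[rel] = {"setuid": bool(os.stat(path).st_mode & stat.S_ISUID)}
    return findings


def pm_uninstall(package):
    """First method: ask the package manager. Returns False when pm is absent
    or refuses (e.g. the APK was hand-copied into /system/app)."""
    pm = shutil.which("pm")
    if pm is None:
        return False
    proc = subprocess.run([pm, "uninstall", package], capture_output=True, text=True)
    return proc.returncode == 0 and "Success" in proc.stdout


def remove_apk(root, package):
    """Second method: delete the APK by hand from the usual install dirs.
    The '<pkg>-1.apk' naming is an assumption for the fixture."""
    removed = []
    for d in ("data/app", "system/app"):
        for name in (f"{package}.apk", f"{package}-1.apk"):
            path = os.path.join(root, d, name)
            if os.path.lexists(path):
                os.remove(path)
                removed.append(path)
    return removed


def clean(root):
    """Delete dropped files, then remove known packages via pm or manually."""
    report = {"files": [], "pm": [], "manual": []}
    for rel in scan(root):
        os.remove(os.path.join(root, rel))
        report["files"].append(rel)
    for pkg in KNOWN_BAD_PACKAGES:
        if pm_uninstall(pkg):
            report["pm"].append(pkg)
        else:
            report["manual"].extend(remove_apk(root, pkg))
    return report


def make_infected_fixture(root):
    """Constructed fake device tree for offline testing (placeholder bytes, no malware)."""
    for rel in DROPPED_FILES + ["data/app/com.example.repackaged.app1-1.apk"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"placeholder")
    return root


def demo():
    """Build the fixture in a temp dir, clean it, return (before, report, after)."""
    root = make_infected_fixture(tempfile.mkdtemp())
    before = scan(root)
    report = clean(root)
    return before, report, scan(root)


if __name__ == "__main__":
    before, report, after = demo()
    print("found:", sorted(before), "\nreport:", report, "\nremaining:", after)
```

The post's point about the Market kill switch is visible in the structure: the remote kill only covers packages the Market installed, so anything hand-copied into /system needs the native fallback path.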
After droiddreamclean finishes, the Android Market Security Tool informs Google that your phone is now clean. It then uninstalls itself. At the end of all this, you get an email from Google telling you that it has removed the malware and that no issues remain.
Google informs you after the Android Market Security Tool finishes cleaning your phone.
Is the Android Market Security Tool enough?
The Android Market Security Tool is a pretty comprehensive tool, but it’s really designed only to clean up Android/DrdDream and its side effects. The tool itself doesn’t patch or reflash the operating system, so the vulnerabilities exploited by Android/DrdDream will remain, and a cleaned device can be rooted again by any app that carries the same exploits. Updating the operating system will require help from the manufacturers of the various affected Android devices.
For similar infections, Google might have to follow the route that other security software takes and provide regular updates. The creation of the security tool and the work put into handling the Android/DrdDream issue shows that Google understands the need for mobile security software.

Tuesday, March 15, 2011

#SecChat Highlights – Threats and Cyber Espionage


Last week, we hosted #SecChat on the topic of threats and cyber espionage. With the recent Night Dragon threat earlier this month, we thought it would inspire a timely and lively discussion. We were right. Looking back on the chat, we had over 50 contributors who were engaged and shared with us over 300 tweets on the topic.
We kicked off the conversation by asking what companies should be doing to protect against IP theft. According to @kevinkrus, it’s important to start with a presumption of suspicion and take into account a level of risk tolerance where trust is dealt out sparingly. @DaveMarcus stated, “forensics and IR are becoming more important than ever. Expect compromise and targeting.” Meanwhile, @joshcorman began a list of thoughts, one of them being that, as an industry, we need more precision and commonality in our use of language; other participants widely agreed. He also stated that APT is not a question of “what” but rather a question of “who and how,” leading him to coin the phrase Adaptive Persistent Adversary.
As the conversation moved onto the question of security priorities and the importance of protecting IP, @anton_chuvakin expressed that assuming assets are owned is a good model but it is a difficult one to apply. @DaveMarcus added that while it may be a difficult model to apply, it at least causes one to think through answers and stages deductively. @Joshcorman also emphasized that compliance should never be confused with security whereas @djbphaedrus rephrased and said that good security can result in compliance.
The chat turned to the big picture when we brought up the need to broaden the security community by hiring criminologists, economists, sociologists and psychologists to help with cyber-espionage. As @davemarcus mentioned, the more non-infosec people we can get into infosec, the better, so long as those people have a passion and a willingness to learn and contribute, according to @danielkennedy74. Other participants suggested bringing in skilled and motivated educators to teach and shape new behaviors. In the end, participants felt that a focus on social engineering (research, training and awareness) would help the state of affairs for threats and cyber espionage.
Readers, what are your thoughts on the topic or the comments provided by the contributors? Post your comments below and let us know.
We’re also taking suggestions for new #SecChat topics each month. If there’s a topic you’d like to discuss, please leave it below or tweet @McAfeeBusiness with the hashtag #SecChat.

Monday, March 14, 2011

Gartner on Endpoint Security

Gartner released their annual report on endpoint security (see: Magic Quadrant for Endpoint Protection Platforms, Gartner)
The report starts with an indictment: "Malware effectiveness continues to accelerate, while vendors are busy polishing increasingly ineffective solutions and doing little to fundamentally reduce the attack surface and protect users."
Gartner goes on to state, "Signature-based malware detection has been limping along on life support for years, yet vendors seem unwilling to aggressively invest in more-effective solutions, preferring to "tweak" the existing paradigm."

I couldn't agree more.  Last year Symantec encountered more than 240 million unique malware samples.  True, these were mostly minor variants of a far smaller number of malware families.  Also true, most of these variants could be detected through signature scans.  But the point remains that "most" is not good enough.  Malware writers are flooding the internet with automatically generated malware.  Signature scanning isn't dead, but it is gravely wounded.  Heuristic/behavioral approaches can help, but their results are often inconclusive because they lack context and history.
Symantec recognized this as far back as 2006, when we started designing Insight (sometimes called Ubiquity), an approach that analyzes files in context, using age, prevalence and source along with other security metrics to expose threats others miss. Insight won't replace signature or heuristic analysis, but it does make those approaches far faster and more effective.  Insight separates files at risk from those known to be safe, dramatically reducing the number of files to scan.  It provides a safety rating for each file based on the file's context, allowing heuristics to indict or release files with confidence.  Finally, it gives users confidence as well: confidence that the video codec they downloaded or the free disk utility really is safe.
Our Norton product line, powered by Insight, has dominated the most widely accepted third-party detection tests, those from av-comparatives.org and av-test.org.  Recognition of this approach played a big part in Gartner's ranking of Symantec.  Insight will be a cornerstone of all our malware detection products; look for it in the next version of SEP.

Friday, March 11, 2011

Enterprise Java Applications on vSphere Best Practices

Many of our customers have run critical enterprise Java applications on vSphere successfully, and the best practices guide is often referred to by customers embarking on running Java applications on vSphere.
In December last year, version 2 of the best practices paper was released here: http://www.vmware.com/resources/techresources/1087
The paper covers quite a few best practices and is definitely recommended for anyone deploying Java applications on vSphere. It is worth noting, however, that based on customer interaction the three most sought-after best practices from the paper are:
  • BP4 – VM Memory Sizing
  • BP5 – Setting Memory Reservation
  • BP6 – Using memory large pages
BP4 – VM Memory Sizing: Whether you are using Windows or Linux as your guest OS, refer to the vendor's technical specification for its memory requirements. It is common to see the guest OS allocated about 1GB in addition to the JVM memory size. However, each installation may have additional processes running on it (for example monitoring agents), and you need to accommodate their memory requirements as well.   Figure 2 shows the various segments of JVM and VM memory, and the formula summarizes VM memory as:
VM Memory (needed) = guest OS memory + JVM Memory,
where JVM Memory = JVM Max Heap (-Xmx value) + Perm Gen (-XX:MaxPermSize) + NumberOfConcurrentThreads * (-Xss)
The -Xmx value is the value that you found during load testing for your application on physical servers. This value does not need to change when moving to a virtualized environment, but load testing the application once it is deployed on vSphere will help confirm the best -Xmx value.
It is recommended that you do not overcommit memory, because the JVM heap is an active space where objects are constantly being created and garbage collected. Such an active memory space requires its memory to be available all the time; if you overcommit, ballooning or swapping may occur and impede performance.
An ESX host employs two distinct techniques for dynamically expanding or contracting the amount of memory allocated to virtual machines. The first is the memory balloon driver (vmmemctl), which is loaded from the VMware Tools package into the guest operating system running in the virtual machine. The second involves paging from a virtual machine to a host swap file, without any involvement by the guest operating system.

Figure 2: Java heap segments
BP5 – Setting Memory Reservation: JVMs running on VMs have an active heap space requirement that must always be present in physical memory. Use the VMware vSphere Client to set the reservation equal to the needed VM memory:
Reservation Memory = VM Memory = guest OS Memory + JVM Memory
You may set this reservation to the active memory being used by the VM for a more efficient use of the memory available. Or, as a simpler approach, set the reservation equal to the total configured memory of the VM.
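As an added worked example (written for this page, not taken from the VMware paper), the following Python applies the BP4 formula and the BP5 reservation check to a JVM flag string: it parses -Xmx, -XX:MaxPermSize and -Xss with their k/m/g suffixes, computes the JVM and VM memory requirement, and reports when the VM's configured memory or its reservation falls short of that requirement. The flag values, the 200-thread count and the 1GB guest OS allowance in the demo are assumptions; it deliberately refuses to guess JVM defaults for flags you have not set, since those vary by vendor and platform.

```python
import re

UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(text):
    """Parse a JVM size such as 4g, 256m, 512k or a bare byte count into bytes."""
    m = re.fullmatch(r"(\d+)([kmg]?)", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_jvm_flags(flags):
    """Pull -Xmx, -XX:MaxPermSize and -Xss (all in bytes) out of a flag string.

    All three must be explicit: the BP4 formula needs real numbers, and JVM
    defaults for these differ between vendors and 32/64-bit builds."""
    found = {}
    for tok in flags.split():
        if tok.startswith("-Xmx"):
            found["xmx"] = parse_size(tok[len("-Xmx"):])
        elif tok.startswith("-Xss"):
            found["xss"] = parse_size(tok[len("-Xss"):])
        elif tok.startswith("-XX:MaxPermSize="):
            found["maxpermsize"] = parse_size(tok.split("=", 1)[1])
    missing = {"xmx", "maxpermsize", "xss"} - set(found)
    if missing:
        raise ValueError(f"set these explicitly rather than relying on defaults: {sorted(missing)}")
    return found


def jvm_memory(flags, threads):
    """JVM Memory = -Xmx + -XX:MaxPermSize + NumberOfConcurrentThreads * -Xss (BP4)."""
    f = parse_jvm_flags(flags)
    return f["xmx"] + f["maxpermsize"] + threads * f["xss"]


def vm_memory(flags, threads, guest_os):
    """VM Memory (needed) = guest OS memory + JVM Memory (BP4)."""
    return guest_os + jvm_memory(flags, threads)


def check_vm(flags, threads, guest_os, configured, reservation):
    """Compare the BP4 requirement with the VM's configured memory and its
    reservation (BP5). Returns a list of findings, empty when all is well."""
    needed = vm_memory(flags, threads, guest_os)
    findings = []
    if configured < needed:
        findings.append(f"configured memory {configured >> 20} MiB < needed {needed >> 20} MiB")
    if reservation < needed:
        findings.append(f"reservation {reservation >> 20} MiB < needed {needed >> 20} MiB: "
                        "the heap can be ballooned or swapped under host memory pressure")
    return findings


if __name__ == "__main__":
    GiB = 1024 ** 3
    flags = "-Xmx4g -XX:MaxPermSize=256m -Xss512k"   # assumed load-tested values
    print(vm_memory(flags, 200, 1 * GiB) >> 20, "MiB needed for guest OS + JVM")
    for finding in check_vm(flags, 200, 1 * GiB, configured=6 * GiB, reservation=4 * GiB):
        print("WARN:", finding)
```

With the demo values the requirement is 1024 + 4096 + 256 + 100 = 5476 MiB; a 6 GiB VM is large enough, but a 4 GiB reservation leaves roughly 1.4 GiB of active heap exposed to ballooning or host swapping, which is the situation BP5 exists to prevent.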

BP6 – Use memory large pages:  Large memory pages help performance by optimizing the use of the Translation Look-aside Buffer (TLB), where virtual-to-physical address translations are cached. Use large memory pages as supported by your JVM and your guest operating system. Both the operating system and the JVM must be told that you want to use large memory pages, just as when using large pages on physical systems.
  • Set -XX:+UseLargePages at the JVM level for Sun HotSpot.
  • On the IBM JVM the flag is -Xlp, and on JRockit it is -XXlargePages.
  • You also need to enable large pages at the guest OS level. For information, see Large Page Performance: ESX Server 3.5 and ESX Server 3i v3.5.