March 20, 2013

DHL delivery report email scam delivers malware 'packages'

As I predicted on March 17, this week is off to a running start for email-borne malware scams. Today we are seeing an ongoing spam blast with the subject "DHL delivery report", which contains malware attachments.

Here are some identifying words and phrases you should be looking out for when (not if) you receive this email message.

Subject: DHL delivery report (or similar)
From: "(A spoofed personal name) - DHL regional manager" <[email protected]>

Body Text: (dozens of lines of HTML precede readable text)


DHL notification
Our company's courier couldn't make the delivery of parcel.
REASON: Postal code contains an error.
LOCATION OF YOUR PARCEL: New York
DELIVERY STATUS: sort order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: ETBAKPRSU3
FEATURES: No
Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information: If the parcel isn't received within 15 working days our company will have the right to claim compensation from you for it's keeping in the amount of $8.26 for each day of keeping of it.
You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for using our services.
DHL Global

The attachment is not a printable label, as claimed, but is the Bredolab botnet downloader/installer.

Do you notice the inconsistency in the name of the company being spoofed and the place you are told to take the printed label? The label is supposed to be taken to "your post office," but the message claims to come from DHL, a private courier service, totally unaffiliated with the US, or Canadian, or Australian, or British Postal Services. You should not allow these errors to get past your bullshit detectors. Neither DHL, nor FedEx, nor UPS would ask you to take a printed form to your "post office!" They are in competition with your Postal Service!

Note the part that tries to panic recipients into acting quickly: "If the parcel isn't received within 15 working days our company will have the right to claim compensation from you for it's keeping in the amount of $8.26 for each day of keeping of it." This is meant to goad the recipient into acting on the message (printing the 'label') without thinking it through or paying closer attention to the grammatical errors.

If you fell for this scam, assume that your computer is infected with a botnet controller and possibly information-stealing Trojans. If you have anti-virus and/or anti-spyware programs installed, assume that they failed you, until proven otherwise. While I often recommend this or that security program, something else came to my mind for this case. Why scan with one company's security scanner when you can have multiple scans performed under one blanket app?

I am referring to a commercial security program I am affiliated with, named Hitman Pro. It is a specialized 'second opinion' malware detection tool, often employed in malware removal forums. Hitman scans for threats for free. It detects and removes the ZeroAccess Rootkit when others don't. This rootkit is often deployed by botnet installers to protect their ill-gotten access to your computers.

Scanning with Hitman Pro is always free. Removal requires a 30-day, fully functional free trial, or a purchased license. Start a free 30-day trial to remove any detected malware, or buy a 1 year, 1 PC subscription for $19.95.

I would take the 30 day free trial and see if Hitman finds and removes malware that you have picked up over the Interwebs. If you are happy with the results, license it for a year. If not, be happy it helped you out one time for free.

March 19, 2013

Malware infected (Cyprus Crisis) emails arriving, as predicted on Sunday

Two days ago, on Sunday afternoon, 3/17/2013, I wrote about two email scams that I intercepted, which contained malicious code in their attachments. At that time I predicted that we would see a flurry of malware laden messages this week. It is happening right now.

Today alone, I have analyzed 7 more email scams, all of which either contained malware attachments or had links to online exploit kits. The last two, at the time of writing, are worth describing here, to warn my readers against clicking on the links they contain.

I am referring to a new scam that forges the BBC as the sender, claiming that a friend asked for it to be sent to (you). It has language describing an ongoing crisis in Cyprus and contains links pretending to go to the BBC article about this matter. Instead, they take you to the Blackhole Exploit kit.

Here are some of the pertinent details to watch out for...

Subject: BBC-Email: Several countries' deposits may be excluded from Cyprus Bank Tax, Why? We got a draft.

Body text (Visible portion):

Hazel Moon saw this story on the BBC News website and thought you should see it.

** Several countries' deposits may be excluded from Cyprus Bank Tax, Why? We got a draft. **
Cyprus can amend terms to a bailout deal that has sparked huge public anger....
http://www.bbc.com/go/em/news/world-europe-00184647 >

** BBC Daily E-mail **
Choose the news and sport headlines you want - when you want them, all in one daily e-mail
http://www.bbc.co.uk/email >

** Disclaimer **
The BBC is not responsible for the content of this e-mail, and anything written in this e-mail does not necessarily reflect the BBC's views or opinions. Please note that neither the e-mail address nor name of the sender have been verified. If you do not wish to receive such e-mails in the future or want to know more about the BBC's Email a Friend service, please read our frequently asked questions here

The link portions (shown in bold in the original message) are obfuscated links leading to a compromised website, where you are instantly redirected to a Russian server. There, the Blackhole Exploit Kit attacks your browser for any exploitable software that might be installed. The code begins with: applet code="hw" archive="/kill/larger_emergency.php?hgpw=codtpl&srjxxyhz=cayporkq" and continues with a very long line of obfuscated numeric entities, ending in a malicious script being run against your web browser (<script>zz=eval;</script>).

The payload is usually a hostile Java Applet (as seen in "applet code" above), whose purpose is to install a backdoor downloader onto your computer. This downloader will then download Trojans and remote control software, making your computer a zombie member of a botnet. The Trojan it downloads may steal your online banking credentials, or lock up your computer until you pay a ransom.

The thing that makes this type of scam believable is that I just read an actual Fox News alert about this very situation. It said: "Cyprus lawmakers vote down European Union-mandated seizure of bank deposits to fund a bailout of the country"

Knowledge of these ever-changing social tricks employed by cyber criminals should get your scam detectors up and running. If you receive an email such as the one I just described, delete it on sight. If you want to read news reports about crises, just go directly to your favorite online news website, without clicking on any links contained in shady emails.

You can also detect spoofed links by hovering your mouse pointer over them, without clicking. The actual link destination will appear at the bottom of your email client or (webmail) browser, in a status bar. If the visible text says bbc.(com|co.uk), but the status bar readout when you hover over the link says something like "golubevod.org.ua" or "absolutionpw.ru" - don't click on the link!

I hope this helps save somebody's day from a malware attack.

March 17, 2013

Watch out for malware email campaigns this week

After one quiet week, where most spam was for pump and dump penny stocks and fake Russian pharmacies, two malware attachment emails appeared in my inbox on Sunday afternoon. Both are spoofing an ACH or wire transfer transaction being completed.

Subject: Transaction is completed
From: Heidi Summers

Text:
WIRE transaction is completed. $6224 has been successfully transferred. If the transaction was made by mistake please contact our customer service. Payment receipt is attached. *** This is an automatically generated email, please do not reply ***

From: Bank of America

Text:
ACH transaction is completed. $5009 has been successfully transferred. If the transaction was made by mistake please contact our customer service. Receipt on payment is attached. *** This is an automatically generated email, please do not reply ***

Both contain a zip file attachment, weighing in at about 92.5 KB. Inside the zip package is a Trojan with the filename "Payment slip ID-GF-37840.exe".

These spam messages are targeted at businesses and were sent on Sunday, for delivery Monday morning, at the start of the business week. This is an earlier than usual beginning of what typically turns into a Monday through Friday malware-laden email blast.

This being tax time in the US and Canada, expect a rush of fake "tax payment failed" messages. These too are loaded with Trojans, or have links to the Blackhole Exploit Kit.

If you receive such an email, delete it. The zip file in the two samples above is marked as "inline," which means that some email clients may actually open the attachment for you, to display its contents. Please don't become another victim. Most of these exploits install Trojans that empty your bank accounts.
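The "inline" marking above is the attachment's MIME Content-Disposition header. The script below, an added example and not code from this blog, builds a constructed message in the shape of the "Transaction is completed" lure (the sender address is a placeholder, the zip holds a harmless placeholder file under the filename quoted above) and then inspects it the way a mail gateway filter would: find every zip attachment, list the executables inside it, and record whether the part was sent as inline or as a regular attachment.

```python
"""Flag e-mail attachments that are zip archives holding executables, and note
whether the part is marked Content-Disposition: inline (which some e-mail
clients render automatically).

Added example, not the blog's own code. The message is constructed here; only
the subject, body wording and inner filename come from the blog post.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File extensions that should never arrive by e-mail inside a "receipt".
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def build_sample_message() -> bytes:
    """Construct a lure-shaped message: text body plus an inline zip with an .exe inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder bytes; the real lure carried a Trojan under this name.
        zf.writestr("Payment slip ID-GF-37840.exe", b"MZ placeholder, not a program")
    msg = EmailMessage()
    msg["Subject"] = "Transaction is completed"
    msg["From"] = "Heidi Summers <heidi.summers@example.invalid>"  # constructed address
    msg["To"] = "accounts@example.invalid"  # constructed address
    msg.set_content(
        "WIRE transaction is completed. $6224 has been successfully transferred. "
        "Payment receipt is attached."
    )
    # disposition="inline" reproduces the marking the post describes.
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Payment slip.zip", disposition="inline")
    return msg.as_bytes()


def executables_in_zip(data: bytes) -> list:
    """Return member names with an executable extension; [] if data is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_SUFFIXES)]
    except zipfile.BadZipFile:
        return []


def risky_attachments(raw: bytes) -> list:
    """Walk every MIME part; report zip parts that contain executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True)
        # Identify zips by magic bytes rather than by the declared name or type.
        if not payload or not payload.startswith(b"PK\x03\x04"):
            continue
        execs = executables_in_zip(payload)
        if execs:
            findings.append({
                "filename": part.get_filename(),
                "disposition": part.get_content_disposition(),  # 'inline' or 'attachment'
                "size": len(payload),
                "executables": execs,
            })
    return findings


if __name__ == "__main__":
    for f in risky_attachments(build_sample_message()):
        print(f"{f['filename']!r} ({f['disposition']}, {f['size']} bytes): {f['executables']}")
```

Only one archive level is opened; a nested zip would need the same check applied recursively, with a size limit so a decompression bomb cannot exhaust the filter.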

March 8, 2013

This has been a dangerous week for email recipients

The work week of March 4 through 8 has been very dangerous for email recipients, with all manner of malware links and attachments thrown at us. Subjects and senders vary widely, as do the names of the payload files. If you are not super careful, you might be tricked into clicking on a hostile link, or opening a Trojan Horse attachment.

Here are some of the subjects I intercepted over the last 5 days.

  • Your AT&T wireless bill is ready to view
  • IRS notification of your tax appeal status.
  • Order N38956
  • Email confirmation for Wire Transfers service
  • Please respond - overdue payment
  • Re: Fwd: Order confirmation
  • ACH Dept. Notification : ACH Process End of Day Report
  • You have been sent a file (Filename: Software-60.pdf)
  • Transaction is completed
  • Your Receipt and Itinerary
  • Efax Corporate

Every one of these messages either contained a Trojan attachment, or led to the Blackhole or a similar exploit attack kit. Judging by the subjects, all or most are targeted at office personnel. Busy or unaware recipients who click on the hostile links would have their default web browser probed with JavaScript until it found a vulnerable plug-in, or browser type or version.

Java, by Oracle, is the first plug-in targeted by these exploit kits. This is due to the fact that millions of computers have Java installed, unbeknownst to the owners. If one doesn't even know that they have Java installed, how is one to keep it updated with patches? Java is so exploitable right now that Oracle has issued three critical patches in 30 days. Add to that the fact that fully patched Java Virtual Machines fell four times in two days to hackers at this week's Pwn2Own contest in Vancouver, and you have a real minefield for common computer users.

Not to be left out in the cold, both Adobe Flash and Reader were also hacked at Pwn2Own, as were the Firefox, Chrome and Internet Exploder web browsers. You can read about these hacks here.

So, expect more updates and patches from Oracle, Adobe, and the big three browser makers over the next week or so. If you find Java installed and don't know if you really need it, disable it as a plug-in from your web browsers. Windows users can do this via the Java Control Panel Applet, in the Windows Control Panel. Under the Security Tab, just uncheck the top option that allows Java content to run in your browsers and click Apply. Restart any open browsers and they will be Javaless!

People using other operating systems will have to manually disable Java plug-ins from each browser, or better yet, uninstall all installed versions for your own safety (until the more recent updates, old versions of Java were left behind when new versions were installed). After disinfecting a PC, I usually end up uninstalling 4 or more versions of Java, which was probably how it got infected in the first place.

Android smartphone users are also sometimes targeted in malware exploit attacks and this is becoming more prevalent every week. One advantage that PC users have over smartphone users is the ability to hover over a link and get a readout of the actual destination in a status bar. This way, if the text claims that a link is to AT&T, but the hovered over link goes to a totally non-related website, your Sixth Sense should tell you that something just ain't right.

Here's an example of a hostile link, cloaked around bait-words:

Visible text says: My AT&T Account
Actual link goes to: AllAboutHearingAidsInc.com/confrontation/index.html
This loads three JavaScript includes into an HTML-coded message, all of which redirect your web browser to a Blackhole Exploit Kit server. A person hovering a mouse pointer over the link would see this wrong destination and, hopefully, not click on it.
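The hover check described here and in the March 19 entry (visible link text says one site, the real destination is another) can be automated for an entire HTML message. The script below is an added example, not code from this blog: it parses the anchors out of an HTML body, works out which site the visible text implies (either a hostname written in the text or a brand word such as "BBC" or "AT&T" mapped to its real domain), and flags every link whose href points elsewhere. The sample message is constructed for this example, reusing the domain names quoted in the posts; the brand-to-domain table is an assumption you would extend for your own environment.

```python
"""Flag HTML e-mail links whose visible text names one site but whose href
points to a different one (the 'hover over the link' check, automated).

Added example, not the blog's own code. SAMPLE_HTML is constructed here from
domain names the blog quotes; BRANDS is an assumed, illustrative mapping.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A hostname appearing inside visible link text, e.g. "www.bbc.com" or "bbc.co.uk".
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

# Brand words in link text and the domains they legitimately resolve to (assumed table).
BRANDS = {"bbc": ("bbc.com", "bbc.co.uk"), "at&t": ("att.com",)}

SAMPLE_HTML = """
<p>Hazel Moon saw this story on the BBC News website and thought you should see it.</p>
<a href="http://golubevod.org.ua/news.html">http://www.bbc.com/go/em/news/world-europe-00184647</a><br>
<a href="http://AllAboutHearingAidsInc.com/confrontation/index.html">My AT&amp;T Account</a><br>
<a href="http://www.bbc.co.uk/email">BBC Daily E-mail</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host: str) -> str:
    """Reduce a hostname to its registrable part (rough heuristic: keep three labels
    for second-level suffixes such as co.uk or org.ua, otherwise two)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "net", "ac", "gov"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def expected_domains(text: str) -> set:
    """Domains the visible text leads a reader to expect; empty if it implies none."""
    expected = {base_domain(h) for h in HOST_RE.findall(text)}
    lowered = text.lower()
    for brand, domains in BRANDS.items():
        if brand in lowered:
            expected.update(domains)
    return expected


def suspicious_links(html: str) -> list:
    """Return links whose destination domain disagrees with what the text implies."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    flagged = []
    for href, text in parser.links:
        host = urlparse(href).hostname  # lower-cased by urlparse; None for mailto:/relative links
        if not host:
            continue
        expected = expected_domains(text)
        if expected and base_domain(host) not in expected:
            flagged.append({"text": text, "href": href, "host": host,
                            "expected": sorted(expected)})
    return flagged


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_HTML):
        print(f"{link['text']!r} -> {link['host']} (expected one of {link['expected']})")
```

Links whose text implies nothing (plain words like "click here") are not flagged by this check; they need the hover inspection, or a reputation lookup, instead.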

No matter what type of device you use to access the Internet and do email, it is imperative that you have good and up-to-date anti-virus and anti-malware protection installed. If you leave matters to chance, the bad guys will have the upper hand.

March 6, 2013

Oracle patches Java vulnerabilities for 3rd time in 30 days

Oracle, the current owner and maintainer of Java technology, has just released another critical patch for its "write once, run anywhere" Java Virtual Machine. This makes 3 critical patches in about 30 days. The new versions are now: Java 7 Update 17 and Java 6 Update 43. This patch closes a critical vulnerability (CVE-2013-1493) in Java that is being used in targeted attacks against important targets in sensitive positions (e.g. espionage).

In a previous blog entry, I mentioned that Oracle had intended to quit shipping updates for Java 6 at the end of February, in an effort to get users to migrate to the new Java version 7 platform. Apparently, due to the huge number of companies and Government agencies that still use version 6 and are being targeted by this exploit, they reversed their decision.

What does this mean for you?

If you have Java installed on any computer that accesses the Internet, either update to the latest version (6 Update 43, or 7 Update 17), or disable Java in your web browsers, or uninstall it altogether (unless your business requires it). Instructions for upgrading or uninstalling Java follow. But, if you use Java applications for business or development purposes, verify that it is okay to upgrade to the new version (6 or 7), and/or reduce your risk by securing your Java-enabled computers and operating with reduced user privileges. If you use Firefox as your browser, consider installing the NoScript Add-on and learn to use it for your protection against JavaScript-driven, Java Plug-in exploit kits.

How to update Java

If you have Windows based computers, up to Windows 7, navigate from the Start button to the (Settings) Control Panel link, on the right side of the Start Menu. If you have Windows 8, use Search to find Control Panel. Once you are in the Windows Control Panel, switch to Classic View (Win XP), or to either large or small icons, for Windows Vista, 7, or 8. This will reveal an (alphabetically sorted) icon for Java, if you have it installed. Click or double click to open the Java control panel applet and click on its Update tab. There is a button to check for updates now, so use it. Accept any new updates that are offered and make sure that anything you download is signed by Oracle.

Before you close the Java applet, change the schedule for checking for updates to Daily, at a time when the computer is usually powered on. The default period is set to Monthly, which is ludicrous considering how often Java is exploited and how unpredictably the updates are released. Note: after you update to a new build or version, go back to that Control Panel Java Applet and make sure that it has not reverted back to Monthly checks. This has been reported as happening by many people. It appears to be by design, by misguided programmers. Reset to Daily checking and save the change every time Java modifies your preferences. Sigh.

For other operating systems like Mac, you can visit www.java.com and download the correct version for your computer. If you run Ubuntu Linux, use your Software Update feature to get new versions of Java.

How to disable Java in your browsers

Starting with Java Version 7 Update 10, a new security feature was added to Java. Some web pages may include content or apps that use the Java plug-in, and these can now be disabled using a single option in the Java Control Panel. With the Java control panel applet open, click on the Security tab. Uncheck the top option: "Enable Java content in the browser" and click Apply, on the bottom right. Close any browsers that were open, to flush out Java applets that may have been running, as well as the Java Plug-in. When you re-open your browsers, Java will be non-functional in them. But, you will still be able to use desktop applications that require Java support.
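Because the Java Control Panel setting above (and the update schedule mentioned earlier) can silently revert after an update, it helps to be able to verify it without clicking through the applet. The script below is an added example, not code from this blog: it reads the per-user Java deployment.properties file and reports whether the browser plug-in is still disabled. It assumes the property name deployment.webjava.enabled, which is what the "Enable Java content in the browser" checkbox writes in Java 7 Update 10 and later, and assumes the usual per-user file locations on Windows and Linux; the sample file contents are constructed.

```python
"""Check whether Java content in the browser is disabled, by reading the
per-user deployment.properties file behind the Java Control Panel.

Added example, not the blog's own code. Assumptions: the property name
deployment.webjava.enabled (Java 7u10+) and the file paths in
default_properties_path(); SAMPLE_DISABLED is a constructed file.
"""
import os
import sys

WEBJAVA_KEY = "deployment.webjava.enabled"  # assumed: written by the Security tab checkbox

# Constructed sample of a file where the checkbox has been cleared.
SAMPLE_DISABLED = """# Java Deployment jre properties (constructed sample)
deployment.version=7.17
deployment.webjava.enabled=false
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: '#'/'!' comments, key=value or key:value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""  # key with no value
            continue
        idx = min(seps)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def java_in_browser_enabled(props: dict) -> bool:
    """Java is enabled in browsers unless the key is explicitly set to false."""
    return props.get(WEBJAVA_KEY, "true").strip().lower() != "false"


def default_properties_path() -> str:
    """Assumed per-user file location; confirm against your Java version's docs."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("USERPROFILE", ""), "AppData", "LocalLow",
                            "Sun", "Java", "Deployment", "deployment.properties")
    return os.path.expanduser("~/.java/deployment/deployment.properties")


def check_file(path: str) -> bool:
    """Return True if the file at path leaves Java enabled in browsers.
    A missing file means the setting was never changed, i.e. still enabled."""
    if not os.path.exists(path):
        return True
    with open(path, encoding="utf-8", errors="replace") as fh:
        return java_in_browser_enabled(parse_properties(fh.read()))


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_properties_path()
    state = "ENABLED" if check_file(path) else "disabled"
    print(f"{path}: Java content in the browser is {state}")
```

Run it after every Java update, alongside the visual check the post recommends; a "false" value in the file is what the cleared checkbox leaves behind.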

If it is truly necessary for you to access particular websites that run Java applets, I recommend doing so with just one browser that is only used to visit those websites. You will have to manually disable the Java Plug-in from any other browsers you have installed. At this time, either Chrome, or Firefox - with the NoScript Add-on - are the safest browsers to use with Java enabled. But, this could change at any time.

Uninstalling Java

Windows users need to go to their Windows Control Panel, then click on either Add/Remove Programs, or Programs (and Features) > Uninstall a program. Locate all entries related to "Java" and uninstall them, one at a time. Reboot your computer to flush out any Java processes that were active in memory.

For Mac operating systems, read the instructions on this page. To uninstall Java from a Linux computer, read this.

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.