Showing posts with label Worm. Show all posts

Wage Cyberwar Against Hamas, Surrender Your PC


A group of Israeli students and would-be cyberwarriors have developed a program that makes it easy for just about anyone to start pounding on pro-Hamas websites. But using this "Patriot" software, to join in the online fight, means handing over control of your computer to the Israeli hacker group.

"While you're running their program, they can do whatever they want with your computer," said Mike La Pilla, manager of malicious code operations at Verisign iDefense, the electronic security firm.

The online collective "Help Israel Win" formed in late December, as the current conflict in Gaza erupted. "We couldn't join the real combat, so we decided to fight Hamas in the cyber arena," "Liri," one of the group's organizers, told Danger Room.

So they created a simple program, supposedly designed to overload Hamas-friendly sites like qudsnews.net and palestine-info.info. In recent years, such online struggles have become key components in the information warfare that accompanies traditional bomb-and-bullets conflicts. Each side tries to recruit more and more people -- and more and more computers -- to help in the network assaults. Help Israel Win says that more than 8,000 people have already downloaded and installed its Patriot software. It's a small part of a larger, increasingly sophisticated propaganda fight between supporters of Israel and Hamas that's being waged over the airwaves and online.

Help Israel Win, which has websites in Hebrew, English, Spanish, French, Russian and Portuguese, doesn't say much about how the program functions -- only that it "unites the computer capabilities of many people around the world. Our goal is to use this power in order to disrupt our enemy's efforts to destroy the state of Israel. The more support we get, the more efficient we are."

Analysis from iDefense and the SANS Institute, however, reveals that computer users put their PCs at risk when they run the Patriot software. The program connects a computer to one of a number of Internet Relay Chat (IRC) servers. Once the machine is linked up, Help Israel Win can order it to do just about anything.

The Patriot program does something "fishy," SANS Institute security specialist Bojan Zdrnja said, by retrieving "a remote file and sav[ing] it on the local machine as TmpUpdateFile.exe." That could easily be a "trojan," Zdrnja said, referring to a program that sneaks malicious code onto a computer.

"While at the moment it does not appear to do anything bad (it just connects to the IRC server and sits there -- there also appeared to be around 1,000 machines running this when I tested this) the owner can probably do whatever he wants with machines running this," Zdrnja wrote.

Liri, with Help Israel Win, conceded that "the Patriot code could be used as a trojan." However, "practically it is not used as such, and will never be."

"The update option is used to fix bugs in the client, and not to upload any malicious code... never have and never will," Liri said. "The project will close right after the war is over, and we have given a fully functional uninstaller to [remove] the application."

It's also unclear how much the Patriot program is really helping the Israeli side in the online information war.

La Pilla has been monitoring Help Israel Win's IRC servers for days. "They didn't make us download and install anything. Didn't make us [attack] anybody. I was basically just sitting idle on their network." The group claims to have shut down sarayaalquds.org and qudsvoice.net. But, as of now, the rest of the group's pro-Hamas targets remain online. Meanwhile, Help Israel Win has had to shift from website to website, as they come under attack from unknown assailants.
 

Britain Warned of Cyber Attack From China


China has gained the capability to shut down Britain by crippling its telecoms and utilities, a report claimed on Sunday.

Intelligence chiefs have told the government that equipment installed by Huawei, the Chinese telecoms giant, in BT's new communications network could be used to halt critical services such as power, food and water supplies.

According to a report in The Sunday Times, the warnings coincide with growing cyber warfare attacks on Britain by foreign governments, particularly Russia and China.

While BT has taken steps to reduce the risk of attacks by hackers or organised crime, the government believed that the mitigating measures are not effective against deliberate attack by China.

According to the report, Alex Allan, chairman of the Joint Intelligence Committee (JIC), briefed members of the ministerial committee on national security about the threat from China at a top-secret official meeting in January.

Home Secretary Ms Jacqui Smith chaired the meeting.

A media report on Sunday said a vast cyber spy network controlled from China has infiltrated government and private computers in 103 countries, including those of the Indian embassy in Washington and the Tibetan spiritual leader, the Dalai Lama.

Canadian researchers, the New York Times reported, have concluded that the computers based almost exclusively in China are controlling the network and stealing documents, but stopped short of saying that the Chinese government was involved.
 

Chinese Hack In To Indian Embassies To Steal Dalai Lama's Documents


A China-based cyber spy network has hacked into government and private systems in 103 countries, including those of many Indian embassies and the Dalai Lama, an Internet research group said on Saturday.

The Information Warfare Monitor (IWM), which carried out an extensive 10-month research on cyber spy activities emanating from China, said the hacked systems include the computers of Indian embassies and offices of the Dalai Lama.

Without identifying the Indian embassies, the group said all evidence points to China as the source of this espionage.

The group said it has evidence that the hackers managed to install malware on the compromised computers to steal sensitive documents, including those from the Dalai Lama's offices.

The group began its research after Tibetan exiles made allegations of cyber spying by the Chinese.

When the group widened its research after the initial investigations, it found that the China-based operation had hacked the computer systems of the embassies of India, Pakistan, Germany, Indonesia, Thailand, South Korea and many other countries.

In all, the hackers had gained access to 1,295 computer systems of foreign ministries of many countries, including Bhutan, Bangladesh, Latvia, Indonesia, Iran, and the Philippines, the researchers said.

After gaining access to foreign government and private computer systems, the hackers installed malware to exercise control over these computer systems to access any documents.

"We have been told by the researchers that the Chinese hackers have gained access to our computers systems all over the world, and taken sensitive documents from the office of His Holiness (the Dalai Lama)," Toronto-based Tibetan student leader Bhutila Karpoche told IANS.

She said, "Our website (studentsforafreetibet.org) has been repeatedly hacked, and we keep getting all kinds of viruses in our emails. This trend has increased in recent months, and we have become very wary about opening our emails."

The findings of the 10-month investigation, titled 'Tracking GhostNet: Investigating a Cyber Espionage Network', can be found here:

Tracking GhostNet: Investigating a Cyber Espionage Network (The SecDev Group). This report documents GhostNet, a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.

The report concludes that who is in control of GhostNet is less important than the opportunity for generating strategic intelligence that it represents. The report underscores the growing capabilities of computer network exploitation and the ease with which cyberspace can be used as a vector for a new, do-it-yourself form of signals intelligence. It ends with a warning to policy makers that information security requires serious attention.
 

Final Countdown to Conficker 'Activation' Begins...



Security watchers are counting down to a change in how the infamous Conficker (Downadup) worm updates malicious code, due to kick in on Wednesday 1 April.

Starting on 1 April, Windows PCs infected by the latest variant of the Conficker worm (Conficker-C) will start attempting to contact a sample drawn from 50,000 pre-programmed potential call-home web servers from which they might receive updates, a massive increase on the 250 potential web server locations used by earlier variants of the code.

"Conficker-C isn't going to contact all 50,000 domains per day," explained Niall Fitzgibbon, a malware analyst at Sophos. "It's only going to contact a randomly-chosen 500 of them which gives each infected machine a very small chance of success if the authors register only one domain. However, the P2P system of Conficker can be used to push digitally signed updates out to other infected machines that don't manage to contact the domain."

Whether anything will actually be offered for download, much less what the payload might be, is unclear. No particular function or payload currently within the malicious code is due to activate on 1 April. It's also possible that a payload will only be offered up for download days or weeks after the new call-home routine comes into effect.

If updates are successfully made, infected machines are programmed to suspend call-home activity for 72 hours, as an analysis by Sophos explains.

Lessons from the call-back routines of previous variants of the worm provide few clues as to what might happen. Sophos said it never observed the previous Conficker-B variant downloading malicious payloads, other than updates to Conficker-B++ and Conficker-C. As a result, there isn't much history to draw upon for any speculation as to the eventual goal of the Conficker botnet.

Anti-virus firms are keeping a close eye on what Conficker might do early next month while downplaying concerns that Downadup will either "erupt" or "explode" on 1 April, deluging us with spam or swamping websites with junk traffic in the process.

"Let's not forget that history has shown us that focusing on a specific date for an impending malware attack has sometimes led to nothing more than a damp squib," notes Graham Cluley, senior technology consultant at Sophos.


Although nothing might happen it's never a bad time for sys admins to check for infection by Conficker on their network. Such infections have already caused widespread problems.

Symantec said that the worm, which had initially focused solely on spreading "has since developed into a robust botnet, complete with sophisticated code signing to protect update mechanisms, as well as a resilient peer-to-peer protocol".
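The Patriot client described earlier on this page fetches a remote file, saves it as TmpUpdateFile.exe and runs it on the say-so of whoever answers on the IRC server; Symantec's description of Conficker notes that its updates are digitally signed, so only the people holding the private key can push code to the botnet. That difference is exactly what separates an updater from a remote-control trojan, and it can be shown in a few lines. The following is an added example written for this page, not code from Patriot, Conficker or any vendor; the package layout, the version field and the in-memory stand-in for the download are assumptions made for the demonstration:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
)

// UpdatePackage is what a client would receive from the update server. It is
// built in memory here (assumption: a real client would download it). Only
// Body is ever executed.
type UpdatePackage struct {
	Version   uint32
	Body      []byte // the would-be TmpUpdateFile.exe
	Signature []byte // ed25519 over signingInput(Version, Body)
}

// signingInput binds the version to the body so a genuine but old update
// cannot be replayed under a newer version number.
func signingInput(version uint32, body []byte) []byte {
	msg := make([]byte, 4+len(body))
	binary.BigEndian.PutUint32(msg, version)
	copy(msg[4:], body)
	return msg
}

// SignUpdate is the publisher side, run offline with the private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, body []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Body:      body,
		Signature: ed25519.Sign(priv, signingInput(version, body)),
	}
}

// UnverifiedUpdater is the Patriot model: whatever the server returns is run.
// Whoever controls the server, or the network path to it, controls every client.
func UnverifiedUpdater(pkg UpdatePackage, run func([]byte)) {
	run(pkg.Body)
}

// VerifiedUpdater runs Body only if it is newer than the installed version and
// carries a valid signature from the pinned publisher key.
func VerifiedUpdater(pub ed25519.PublicKey, installed uint32, pkg UpdatePackage, run func([]byte)) error {
	if pkg.Version <= installed {
		return errors.New("rejected: version not newer than installed (rollback/replay)")
	}
	if !ed25519.Verify(pub, signingInput(pkg.Version, pkg.Body), pkg.Signature) {
		return errors.New("rejected: signature does not verify under publisher key")
	}
	run(pkg.Body)
	return nil
}

// RunScenario builds a publisher key and an attacker key, feeds four candidate
// updates to the two updaters, and records which bodies actually ran.
func RunScenario() map[string]bool {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const installed = 1
	genuine := SignUpdate(priv, 2, []byte("client v2: bug fixes"))
	tampered := genuine // same signature, body swapped in transit
	tampered.Body = []byte("client v2: bug fixes + backdoor")
	forged := SignUpdate(attackerPriv, 3, []byte("attacker build"))
	rollback := SignUpdate(priv, 1, []byte("client v1: known-vulnerable"))

	ran := map[string]bool{}
	record := func(name string) func([]byte) {
		ran[name] = false
		return func([]byte) { ran[name] = true }
	}
	UnverifiedUpdater(forged, record("unverified: forged"))
	VerifiedUpdater(pub, installed, genuine, record("verified: genuine"))
	VerifiedUpdater(pub, installed, tampered, record("verified: tampered"))
	VerifiedUpdater(pub, installed, forged, record("verified: forged"))
	VerifiedUpdater(pub, installed, rollback, record("verified: rollback"))
	return ran
}

func main() {
	ran := RunScenario()
	names := make([]string, 0, len(ran))
	for n := range ran {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Printf("%-22s executed=%v\n", n, ran[n])
	}
}
```

Only the genuine update runs under the verified updater; the tampered body, the attacker-signed build and the replayed old version are all refused, while the unverified updater runs whatever it is handed. Note that Liri's assurance that the update channel "never will" carry malicious code is a promise about intent; the verified variant is a property of the code, and even it only protects users from third parties, not from the key holder.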

Windows PCs infected with Conficker (Downadup) are programmed to dial home for updates through a list of pseudo-random domains. Microsoft is heading a group, dubbed the anti-cabal alliance, to block unregistered domains on this list. The more complex call-home routine deployed by Conficker-C comes in apparent response to this move.

Rik Ferguson, a security researcher at Trend Micro, added that blocking call-back domains associated with the latest variant of the worm will be "almost impossible" not only because of the daily volume, but also because there is a possibility that legitimate domains might be hit as a result. Even earlier versions of the worm, calling far fewer domains every day, used algorithms that threw up addresses that coincided with legitimate domains.

Birth of a superworm

Variants of the Conficker worm, which first appeared back in November, spread using a variety of tricks. All strains of the superworm exploit a vulnerability in the Microsoft Windows server service (MS08-067) patched by Redmond in October.

Once it infects one machine on a network, the worm spreads across network shares. Infection can also spread via contaminated USB sticks. This combined approach, in particular the worm's attempts to hammer across corporate LANs, has made Conficker the biggest malware problem for years, since the default activation of the Windows firewall put the brakes on previous network worms such as Nimda and Sasser.

Compromised Windows PCs, however the infection happens, become drones in a botnet, which is yet to be activated. It's unclear who created or now controls this huge resource.

Estimates of the number of machines infected by Conficker vary, from barely over a million to 12 or even 15 million. More reliable estimates suggest that between 3-4 million compromised systems at any one time might be closer to the mark.

SRI reckons that Conficker-A has infected 4.7m Windows PCs over its lifetime, while Conficker-B has hit 6.7m IP addresses. These figures, as with other estimates, come from an analysis of call-backs made to pre-programmed update sites. Infected hosts get identified and cleaned up all the time, even as new machines are infected. Taking this churn into account, the botnets controlled by Conficker-A and Conficker-B are reckoned to be around 1m and 3m hosts respectively, about a third of the raw estimates.

Estimates of how many machines are infected by the Conficker-C variant are even harder to come by.

But however you slice and dice the figures, it's clear that the zombie network created by Conficker dwarfs the undead army created by the infamous Storm worm, which reached a comparatively lowly 1 million at its peak in September 2007. Activation of this resource may not come next week or even next month, but the zombie army established by the malware nonetheless hangs over internet security like a latter-day Sword of Damocles.

Some security watchers are sure it will get used eventually, if not on 1 April. Sam Masiello, a security analyst at MX Logic, said: "Why go through all of this effort to create such a huge botnet then not utilize it for something?"
 

Chatwebcamfree Attack Hits Twitter Users


Hundreds of Twitter users have been hit by another attack on the popular micro-blogging site, with messages being sent from compromised accounts trying to drive traffic to a pornographic website.

The messages which say

hey! 23/Female. Come chat with me on my webcam thingy here www.chatwebcamfree.com

are being spammed out as Tweets.



However, the index page of that website serves up obfuscated JavaScript that loads a variety of pornographic adverts and contains a web form directed to a site called eroticgateway.com.



Clearly, if a hacker has managed to ascertain your Twitter password there is a chance that they may have also compromised your system in other ways too.

Any Twitter users who find that they have unwittingly posted the message would be wise to change their Twitter password immediately. Furthermore, if you use that password on any other non-Twitter account then you must also change those passwords too (and please *don't* make them the same as your new Twitter password).

As we don't yet know how the hackers compromised accounts, it wouldn't do any harm to scan your computer with an up-to-date anti-virus product either.

Twitter has confirmed that approximately 750 accounts were hijacked by criminals during the course of this attack, and says that it has reset the passwords of all compromised accounts. That should stop the tidal wave of spam messages advertising adult webcam websites for now.

But there is still a lack of clarity of how the accounts were compromised in the first place.

Finally, one extra thing to throw into the mix. Last month, Facebook users reported seeing a very similar message.



You don't have to be Albert Einstein to put two and two together, and deduce that these attacks must be related.

We're seeing more and more attacks from spammers, phishers, malware authors, scammers and identity thieves against the users of social networks like Twitter and Facebook. These aren't just proof-of-concept attacks in controlled conditions - they're full-blooded assaults seen in the wild every day, making money out of real people.

Source: Sophos.com
 

Digital Photos Frames Carry Risk of Infection

By PK



For the second year in a row, malware has been discovered in major-brand digital photo frames, carried by some of the nation's biggest retailers.

Software that came pre-installed in frames manufactured by Samsung, Element, and Mercury was found to enable the "Autorun" function in Windows, allowing it to automatically install malicious code on a PC whenever the frame is connected. The nature of the malware varied with the device, and in some cases it isn't yet clear whether the malicious code was put there intentionally, or if it simply replicated itself from an infected computer used in the manufacturing process.

This problem isn't just contained to digital frames though. In past years, a variety of electronic gizmos—from flash memory sticks to satellite navigation devices—have all been found to pose security threats.

Peripheral Devices And You

What do most of the popular electronic holiday gifts such as digital cameras, music players, photo printers or even cell phones have in common? They're all "peripheral devices"—meaning that they have to be connected to a personal computer in order to become fully functional. Without these devices, our home computers remain just that—stationary libraries of songs, photos, and other data, inaccessible to us when we're outside of the house.

What many consumers don't know is that any device capable of receiving data from a computer is also capable of writing its own data, including code, onto that PC in the process. So before you plug a new device into your USB port, there are a few steps you should take to keep your computer safe.

Fox News interviews identity theft expert Robert Siciliano regarding the discovery of malware on digital photo frames.



What You Can Do


As always, the best way to protect your computer is to have a good, up-to-date anti-virus program installed and running at all times. A good scanner will catch most known threats the moment a device is connected to your computer, though no scanner catches everything, so the habits below still matter.

Staying away from cheap brands you've never heard of before (like those $15 drug-store digital cameras or MP3 players,) is also something many experts recommend. But top-notch anti-virus software should be enough to protect you—even from those yPod and Suny products you might find at the flea market.
 

Autorun Infections Re-Emerging In The Wild

By PK


New malware outbreak resembles first disk-based virus attacks

A malware outbreak is using a new twist on an old infection tactic, security experts have warned.

McAfee researcher Vinoo Thomas said in a blog post that the company had seen a rise in the number of malware attacks spreading by way of removable drives.

Many of the attacks take advantage of autorun, a feature in Windows that allows disks and removable media such as USB thumb drives to automatically load content when inserted into a system.

The feature can be disabled, and Microsoft recently released an update for Windows which allows users to set autorun permissions for each drive to prevent devices automatically launching code.

The exploitation of the feature has become a potent way for malware writers to spread infections. Many target thumb drives and other removable media by directing the Trojan to infect the target system, and to reinstall itself on any removable drives along with a specially crafted autorun file.

The infected drive can then either spread the malware to a new host, or reinstall itself on a recently cleaned system.
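Both the digital photo frame post above and this one turn on the same file: an autorun.inf on the removable medium whose directives Windows honours when the device is inserted or its icon is double-clicked. Triage of a suspect drive therefore starts with reading that file, and the reading has to be forgiving, because real samples vary the case of keys, pad the file with comments and hide the launched program under folder names Explorer normally keeps out of sight. The parser below is an added example written for this page, not McAfee's or Microsoft's code; the sample autorun.inf is constructed in the shape such worms drop (a RECYCLER path, the "Open folder to view files" text and a borrowed shell32 icon are the usual disguises) and is not copied from any specific family:

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one suspicious directive from an autorun.inf.
type Finding struct {
	Key, Value, Reason string
}

// Constructed sample (assumption: representative, not a real capture). Mixed
// case and comment lines are deliberate; the parser must not depend on them.
const sampleAutorun = `[AutoRun]
; padding and comments are common in dropped files
OPEN=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\setup.exe
icon=%SystemRoot%\system32\shell32.dll,4
shell\open\Command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\setup.exe
shellexecute=RunDLL32.EXE .\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\setup.dll,Start
action=Open folder to view files
label=My Photos
`

// benignAutorun is what a legitimate product might ship: a label and an icon,
// nothing that launches code (also constructed).
const benignAutorun = "[autorun]\nlabel=Photo Frame\nicon=frame.ico\n"

var execExt = []string{".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".dll"}

func looksExecutable(v string) bool {
	lv := strings.ToLower(v)
	if strings.Contains(lv, "rundll32") || strings.Contains(lv, "regsvr32") || strings.Contains(lv, "cmd.exe") {
		return true
	}
	for _, e := range execExt {
		if strings.Contains(lv, e) {
			return true
		}
	}
	return false
}

func hiddenPath(v string) bool {
	lv := strings.ToLower(v)
	return strings.Contains(lv, "recycler") || strings.Contains(lv, "$recycle.bin") ||
		strings.Contains(lv, "system volume information")
}

// Triage parses the [autorun] section and returns every directive that makes
// code run on insertion or double-click, plus the social-engineering tricks
// that make the drive look like a plain folder.
func Triage(contents string) []Finding {
	var out []Finding
	inAutorun := false
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") { // [autorun] or e.g. [autorun.amd64]
			inAutorun = strings.HasPrefix(strings.ToLower(line), "[autorun")
			continue
		}
		if !inAutorun {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			continue
		}
		k, v := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		lk, lv := strings.ToLower(k), strings.ToLower(v)
		switch {
		case lk == "open" || lk == "shellexecute" ||
			(strings.HasPrefix(lk, `shell\`) && strings.HasSuffix(lk, `\command`)):
			r := "launches a program from the drive"
			if hiddenPath(v) {
				r += "; target hidden under a recycler/system folder"
			}
			if !looksExecutable(v) {
				r += "; target is not an obvious executable (check what it is)"
			}
			out = append(out, Finding{k, v, r})
		case lk == "action" && strings.Contains(lv, "open folder"):
			out = append(out, Finding{k, v, "mimics Explorer's own AutoPlay text so the user picks the malicious entry"})
		case lk == "icon" && strings.Contains(lv, "shell32.dll"):
			out = append(out, Finding{k, v, "borrows a system icon (typically the folder icon) so the drive looks benign"})
		}
	}
	return out
}

// IsSuspicious is the one-bit answer for scripting a sweep of mounted drives.
func IsSuspicious(contents string) bool { return len(Triage(contents)) > 0 }

func main() {
	for _, f := range Triage(sampleAutorun) {
		fmt.Printf("%-20s %-72s %s\n", f.Key, f.Value, f.Reason)
	}
	fmt.Println("benign sample suspicious:", IsSuspicious(benignAutorun))
}
```

Turning off AutoRun for removable drives, as the Microsoft update described above allows, removes the insertion trigger, but a `shell\open\Command` entry still fires when the user double-clicks the drive in Explorer, which is why the file is worth reading even on a hardened machine; the path it names is where the dropped binary will be.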

The tactic brings back memories of some of the earliest computer viruses which, in the days before the internet, spread by infecting floppy disks shared over multiple systems.

"During the past couple of years we have seen malware authors increasingly incorporate the autorun.inf infection vector into malware families, with stunning success," Thomas wrote.

"While the autorun functionality in operating systems does provide some convenience (it saves a couple of clicks), it has single handedly revived the 1980s model of hand-carried malware propagation."
 

One in 20 Corporate PCs Infested by Bots

By PK

Between three and five per cent of corporate systems are infected by bots, according to a study by security firm Damballa.

The finding comes from Damballa itself and is being used to promote the need for its line of security appliances, designed to block communications between infected hosts and zombie-control servers, as an added layer of protection in addition to conventional anti-virus defences. Self-interest aside, the Damballa study may point to shortcomings in conventional anti-virus software that are well worth considering.

A study of antivirus scanning tools by Damballa over the last six months found that only 53 per cent of 200,000 malware samples were detected by conventional scanners on the day they first appeared. Around one in seven (15 per cent) of the samples were undetected even after 180 days.

Damballa reckons the average gap between malware release and detection using conventional antivirus is 54 days.
 

Firefox Update Tackles Critical Memory Bugs

By PK


Mozilla has released a new version of Firefox in response to the discovery of several security flaws in the browser software.

Version 3.0.7 of Firefox plugs five security vulnerabilities, three of which earn the dreaded "critical" label. Of these, a bug that causes Firefox to crash with evidence of memory corruption stands out as the most severe. Critical flaws in Mozilla's garbage collection process (involving memory management and "cloned XUL DOM elements"), as well as bugs in the PNG library used by Mozilla, also give attackers a possible means to run malware on vulnerable systems.

The Firefox update also fixes a number of lesser security and stability bugs, as explained in Mozilla's release notes. Malware exploiting the bugs is yet to be seen in circulation, but that's a poor reason to hold off upgrading. Those who have enabled Mozilla's automated update process should find that new software is installed within a day or so.

Mozilla's Thunderbird email client and SeaMonkey application suite share a similar code base to Firefox and therefore also need updating, to Thunderbird 2.0.0.21 and SeaMonkey 1.1.15, respectively.

The Firefox update was published on Thursday a day after Opera released a new version of its software, largely in response to the discovery of separate security flaws, making it a busy week on the alternative browser security front.
 

Koobface Variant Worms Across Social Networking Sites



Facebook rejects 'martial law' app vetting idea

A new strain of the Koobface worm is spreading across social networking sites including Facebook, MySpace and Bebo.

The malware posts invitations to the friends of infected users inviting them to view a video. The linked website tries to trick prospective marks into believing they need an updated version of Adobe Flash Player plugin to view the clip. The software offered is, of course, loaded with Windows-specific Trojan code. This malware establishes a back-door on compromised Windows machines.

A write-up of the assault, including screenshots, can be found on Trend Micro's website here.

The attack follows the appearance of two rogue applications - "Error Check System" and "Facebook Closing Down" - last week which used misleading messages in order to hoodwink users into activating software packages. Neither app spread malware as such, but Error Check System has been linked to indirect attempts to attract surfers to sites punting rogue anti-malware (AKA scareware) packages.

Security watchers, such as Rik Ferguson at Trend Micro, responded to the twin threats by urging Facebook to vet applications. Facebook founder Mark Zuckerberg rejected the idea on Monday. "There will occasionally be some applications that people don't like," Zuckerberg told the BBC Newsbeat. "Our philosophy is that having an open system anyone can participate in is generally better."

Facebook spokesman Simon Axten went much further along this path, arguing that vetting applications after two problems is like saying "there have been two robberies, we need to implement martial law in the city". More than 660,000 developers write for the platform and only a tiny, tiny percentage are doing anything potentially untoward, he told CNet, adding that the site employs a team that investigates applications that behave suspiciously.

Source : The Register
 

New Phishing Technique Discovered. Learn How It Works...

By PK

It's a new year and — what do you know — there's a new tactic in the endless quest for new and improved phishing schemes from scammers.

Here's How It Works


Researchers at Trusteer recently released a security advisory detailing this new phishing technique. Rather than using email to lure unsuspecting victims into clicking over to a fake web site, this technique uses what Trusteer is calling "in-session" attacks. Here's a typical scenario:

* A user opens a browser and logs into their banking web site
* Leaving that browser session open, they open another browser window to check on their Webkinz or some other web pursuit.
* After a time, a pop-up window opens — supposedly from their bank web site — asking for them to re-enter their username and password.
* Since the user has recently logged in to the targeted web site, they are more likely to enter their info.

That's it! Their login credentials are now in the hands of the scammers.

What Makes It Possible?

A few things have to be in place for this to work. First, the scammers need a compromised web server in order to install the malware. Fortunately, there are lots of those around. Second, the malware has to be able to determine which other sites the user has visited. This is possible based on a vulnerability in the JavaScript engine used by Internet Explorer, Firefox, Safari, and Chrome.

From Trusteer:

The source of the vulnerability is a specific JavaScript function. When this function is called it leaves a temporary footprint on the computer and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites use this function and can be traced.

How Can You Protect Yourself?


Well, the planets have to align a bit to pull this scam off and it's likely the JavaScript vulnerability will be patched in the near (hopefully) future.

Until then, Trusteer recommends the following preventative measures:

* Have an up-to-date anti-virus installed
* Be suspicious of any pop-ups asking you to login

and most of all...
* Log out of banking or other sensitive sites before heading over to Pogo.com for your bingo fix.

Learn more about this attack by downloading Trusteer's security advisory http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf
 

Breaking News: Obama Refuses to Be President

By PK



Did that get your attention? Scammers are hoping it will.

Breaking News Malware Emails

An ongoing strategy of scammers is to send out spam emails with shocking or titillating subject lines. They've decided the recent inauguration of Barack Obama is a perfect topic, and Symantec has reported that emails are showing up that read something like this:

Sample Emails

Subject: Breaking news

Barack Obama refused to be the president of the United States of America

Yours Sincerely,
Cecily Lynn


Subject: What is going on with our country?

Obama has gone

Yours faithfully,
Rodney Lynch

The link in the actual emails (we're not linking to anything in the examples above) point to the following site:



What is the Threat?

The site immediately tries to exploit the browser to install malware on your computer. If that fails, every link on the site downloads and installs the malware instead. The malware is W32.Waledac. Here's what it does, as described on the Symantec web site:

Rest assured that we detect this piece of malicious software under the name W32.Waledac. This particular piece of malware is capable, among other things, of:

* harvesting sensitive information on your computer
* turning your machine into a spam zombie
* establishing a back door on your computer that will allow it to be remotely accessed

How Can I Protect Myself?

Resist the Impulse to Click - scammers will try to provoke an emotional response in order to keep us from thinking about what we're doing. When you see an email like this, think for a moment if it's even reasonable. Ask why someone would send an email like this. What's the point?

Keep Your Software Up to Date - we've recently talked about keeping your Windows systems updated. The same goes for browsers, email clients, and anti-virus software. If your software is up to date, you're more likely to avoid being hurt by scams like this.

By the way, Obama certainly didn't refuse to be president. I watched the inauguration myself and my thoughts and prayers are with him. Whatever your political affiliation or citizenship, we should all hope and work for his success.
 

Downadup (Conficker) Worm May Hammer Southwest Airlines URL March 13

By PK

Millions of infected PCs may 'phone home' to Web address, says researcher

Computers infected by the Downadup worm will "phone home" to several legitimate URLs this month, including one owned by Southwest Airlines, potentially disrupting those sites, a security researcher said Sunday.

According to a researcher at Sophos Plc., the Downadup worm -- also known as Conficker -- will try to contact wnsux.com on March 13 for further instructions. That URL, however, is owned by Southwest Airlines, and redirects visitors to the airline's primary southwest.com address.

"On March 13, the millions of machines infected with Conficker will be contacting wnsux.com for further instructions," said a Sophos researcher identified as MikeW in an entry on the company's blog. "They won't get any [instructions], but that may certainly disrupt the operation of southwest.com."

Once it has infected a PC, Downadup generates a list of 250 possible domains -- the list changes daily -- selects one, then uses that URL to reach a hacker-controlled server from which it downloads additional malware to install on the hijacked computer. The wnsux.com address is one of the 7,750 domains that the worm may use during March, said MikeW.

Previously, researchers had reverse-engineered the algorithm that determines any given day's list of command-and-control routing domains. Then, last month, nearly 20 technology companies and organizations, among them Microsoft Corp. and ICANN, the nonprofit group that manages the Internet Domain Name System, combined forces to disrupt the budding botnet by preemptively removing those addresses from circulation.

MikeW spotted several other legitimate sites on March's Downadup list, including jogli.com (Big Web Great Music) and qhflh.com (Women's Net in Qinghai Province), slated for "phone home" use on March 8 and March 18, respectively.

These domains may be affected by the worm itself or by the steps network administrators have taken to protect their PCs, said MikeW. "Those millions of Conficker infected machines contacting the domain on its given day may overload the site and essentially result in a denial-of-service attack," he said. According to F-Secure Corp., at least 2.1 million PCs are currently infected with the Downadup worm. "[Or] they may end up on a blocklist [that would] prevent users from accessing their services." Microsoft, for example, has posted a list of Downadup's routing domains that IT administrators can use to block outbound "calls" from infected PCs.
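Both Conficker posts on this page describe the same arrangement: a date-seeded algorithm that every infected host, and every defender who has reverse-engineered it, can compute, yielding 250 names a day in the early variants and 50,000 a day in Conficker-C, of which each host tries only 500. The defender-side consequences are the ones MikeW and Rik Ferguson describe: pre-registering the whole list stops being affordable, a blocklist built from it can accidentally include a real business, and a name that happens to belong to someone else draws the worm's traffic to them. The toy generator below is an added example written for this page and is not Conficker's algorithm; the hash-based construction, the TLD set, the fixed random seed and the "legitimate domain" list are constructed for illustration. It reproduces the mechanics so the arithmetic can be checked:

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math/rand"
	"sort"
	"strings"
	"time"
)

// Constructed TLD set for the toy generator (assumption, not Conficker's).
var toyTLDs = []string{"com", "net", "org", "info", "biz"}

// DailyDomains returns the candidate list for one UTC day. Deterministic in
// (date, index): an infected host and a defender who knows the algorithm
// compute the identical list, which is what makes pre-registration possible.
func DailyDomains(date time.Time, count int) []string {
	day := date.UTC().Format("2006-01-02")
	out := make([]string, 0, count)
	for i := 0; i < count; i++ {
		sum := sha256.Sum256([]byte(fmt.Sprintf("toy-dga|%s|%d", day, i)))
		n := 5 + int(sum[0]%7) // label length 5..11
		var b strings.Builder
		for j := 0; j < n; j++ {
			b.WriteByte('a' + sum[1+j]%26)
		}
		out = append(out, b.String()+"."+toyTLDs[int(sum[31])%len(toyTLDs)])
	}
	return out
}

// ContactSample is the infected-host side of the Conficker-C scheme: of the
// day's candidates only k are tried, chosen at random per host.
func ContactSample(candidates []string, k int, seed int64) []string {
	if k > len(candidates) {
		k = len(candidates)
	}
	r := rand.New(rand.NewSource(seed))
	picked := make([]string, 0, k)
	for _, idx := range r.Perm(len(candidates))[:k] {
		picked = append(picked, candidates[idx])
	}
	sort.Strings(picked)
	return picked
}

// HitProbability is the chance that a host trying k of total candidates reaches
// at least one of the `registered` names the controller actually bought:
// P(miss) = prod_{i<k} (total-registered-i)/(total-i).
func HitProbability(total, k, registered int) float64 {
	miss := 1.0
	for i := 0; i < k; i++ {
		miss *= float64(total-registered-i) / float64(total-i)
	}
	return 1 - miss
}

// BuildBlocklist is the defender side: candidates that are known legitimate
// domains are reported as collisions rather than blocked, so sinkholing the
// worm does not cut users off from an unrelated business.
func BuildBlocklist(candidates []string, legitimate map[string]bool) (block, collisions []string) {
	for _, d := range candidates {
		if legitimate[d] {
			collisions = append(collisions, d)
		} else {
			block = append(block, d)
		}
	}
	return block, collisions
}

func main() {
	date := time.Date(2009, time.March, 13, 0, 0, 0, 0, time.UTC)
	today := DailyDomains(date, 50000)
	tried := ContactSample(today, 500, 42)
	fmt.Printf("%d candidates; this host tries %d, e.g. %v\n", len(today), len(tried), tried[:3])
	fmt.Printf("one registered domain reaches a host with P=%.4f\n", HitProbability(50000, 500, 1))
	fmt.Printf("with the old 250/day scheme and all 250 registered, P=%.4f\n", HitProbability(250, 1, 250))
	// Constructed allowlist: pretend one generated name is a real company's domain.
	legit := map[string]bool{today[7]: true}
	block, coll := BuildBlocklist(today, legit)
	fmt.Printf("block %d names, %d collision(s): %v\n", len(block), len(coll), coll)
}
```

The numbers bear out Niall Fitzgibbon's remark: with 500 tries out of 50,000 a single registered domain reaches one host in a hundred, which is useless for a lone operator but, combined with Conficker-C's peer-to-peer relay of signed updates, enough for the controllers, while a defender who wants to repeat the 250-a-day pre-registration now faces 50,000 registrations a day. The collision path is the reason a blocklist derived from any DGA should be diffed against known-legitimate names before it is pushed to resolvers or firewalls.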

MikeW said Sophos had contacted the owners of the domains on March's list, including Southwest. Currently, wnsux.com -- which Southwest Airlines apparently acquired to stymie negative publicity -- shunts users to Southwest Airlines' site and offers a message that reads in part, "Southwest wants to control the release of inaccurate and irresponsible information about the Company via the Internet."

Downadup first gained attention for exploiting a Windows vulnerability that Microsoft patched last October in one of its rare emergency updates. The worm has spread extensively since earlier this year, when a new variant appeared and quickly compromised as many as 9 million PCs within days.

Microsoft has also offered a $250,000 reward for information that results in the arrest and conviction of the hackers who created and launched Downadup, a move it last used in 2004.

Southwest Airlines was not immediately available for comment.

Info Source : Copyright © 1994 - 2009 Computerworld Inc