Archive for January, 2009

Announcing the First Security Blogger Summit!

January 31, 2009

PandaLabs has been buzzing with activity as we’re gearing up for the first Security Blogger Summit in Madrid, Spain.

On Tuesday, February 3rd, the world’s foremost security experts and bloggers will convene to discuss the most important issues we face in IT Security. Moderated by Panda Security’s Josu Franco, a roundtable of experts will debate the most effective strategies to fight cybercriminals, what role governmental compliance will play in the future of IT security, and the hottest issues we have to tackle with the growing threats of the underground cyber-economy.

Roundtable participants include:

  • Bruce Schneier, one of the most influential security theorists in the world
  • Byron Acohido, technology journalist for USA Today and author of “Zero Day Threat”
  • Steve Ragan, security editor for The Tech Herald
  • Andy Willingham, author, blogger, and IT professional with expertise in financial services
  • Ero Carrera, Chief Research Officer of Collaborative Security, VirusTotal – Hispasec
  • Antonio Ortiz, co-founder of Weblogs SL and editor of ERROR500
  • Javier Villacañas, editor, network chief COP and founder of “A Todo Chip” blog

If you are a blogger, professor or journalist in Europe and would like to attend our event, please go to http://www.securitybloggersummit.com/?page_id=11 and submit the form.

The event will stream live on Tuesday, February 3rd at 6:30 PM (GMT +1), 9:30 AM (PST), 12:30 PM (EST) via

Link: http://www.ustream.tv/channel/panda-security-blogger-summit
Twitter: @Panda_Security  Hashtag: #pandasummit

 

Roundtable Participant Bios:

Josu Franco
Josu Franco holds degrees in Economics and Law from the University of Deusto and an MSBA (Master of Science in Business Administration) from the University of Illinois. He has been working with Panda since September 1999, holding numerous positions related to international expansion, technological alliances and analyst relations. Currently, Franco is the Director of the Corporate Products Division. Previously, he worked in the commercial office of the Spanish embassy in Ottawa, Canada.

 

Bruce Schneier
Bruce Schneier is recognized internationally for his writing on security. Described by The Economist as a “security guru”, he is known as a sharp critic and a sincere and refreshing commentator. Schneier’s first best-seller, “Applied Cryptography,” explains how secret codes work today, and Wired described it as “the book the National Security Agency never wanted published”. His book on network and computer security, “Secrets and Lies,” was called by Fortune “a box of little surprises you can actually use”. Schneier’s latest book, “Beyond Fear,” covers security problems of every size, from small to large: personal security, crime, corporate security and national security. He has written news articles and opinion pieces for publications including The New York Times, The Guardian and The Washington Post. Schneier also publishes a monthly newsletter, Crypto-Gram, with more than 150,000 readers, and writes regularly on his blog, Schneier on Security.

 

Byron Acohido
Byron Acohido is a journalist for USA Today and author of the book “Zero Day Threat.” He writes regularly on his Zero Day Threat blog in addition to covering security for USA Today. Acohido is skilled at demystifying complex topics. He has been a working journalist since three days after graduating from the University of Oregon School of Journalism in 1977.

Acohido’s detailed 1987 report on Boeing, published in The Seattle Times, earned him 11 major journalism awards including the Pulitzer Prize for Beat Reporting.

Andy Willingham
Andy Willingham has been working in the security industry for over 12 years. He is currently Information Security Officer of a financial-sector company and author of the blog Andy ITGuy, one of the most popular security blogs.

 

Antonio Ortiz
Antonio Ortiz is the co-founder and editorial director of Weblogs SL (2004), a company running a network of Spanish blogs serving vertical markets.

 

Javier Villacañas
Javier Villacañas holds a degree in Journalism from the Complutense University of Madrid and has 25 years of experience in security. He maintains the A Todo Chip blog.

 

Ero Carrera
Ero Carrera is the Chief Research Officer of Collaborative Security at VirusTotal (HISPASEC). Previously, Carrera spent several years researching malware at F-Secure’s laboratories in Finland and Silicon Valley. He has presented at conferences such as HackInTheBox, RSA, BlackHat and SOURCE, and has taught the reverse engineering course at BlackHat conferences.

Steve Ragan
Steve Ragan is a full-time IT consultant in Indianapolis, Indiana. In addition, he is the security editor for The Tech Herald and network administrator for Monsters and Critics. Steve has written on technical subjects on numerous occasions in the last four years, with an emphasis on computer and Internet security.

 

Sebastián Muriel
Sebastián Muriel Herrero is a Telecommunications Engineer from the Higher Technical School of Telecommunications Engineering of the Polytechnic University of Madrid (ETSIT-UPM) and holds an Executive MBA from IESE. He is currently the Director of red.es, a public body attached to the Ministry of Industry, Tourism and Commerce through the Secretary of State for Telecommunications and the Information Society (SETSI), with the mission of promoting the networked society in Spain.

Francisco A. Lago
Francisco A. Lago is a Telecommunications Engineer from the University of Valladolid with a Diploma of Advanced Studies (DEA) in IT & Telecommunications. Until 2007 he was a professor at the Higher Technical School of Telecommunications Engineering at the University of Valladolid.

The new target of Waledac Storm worm: Valentine’s day

January 26, 2009

In the beginning it was Christmas, then Obama and now Saint Valentine! We knew it was only a matter of time, and here we have spam messages related to this special day once again.

PandaLabs has detected a new variant of this worm, W32/Waledac.C.worm, which now uses Saint Valentine as bait to spread itself and affect as many computers as possible. The Waledac worm is being distributed via email in messages that use the subject of love before Saint Valentine’s day and contain one of the following links:

hxxp://goodnewsreview.com
hxxp://worldnewseye.com
hxxp://www.spacemynews.com
hxxp://www.worldnewsdot.com
hxxp://www.worldtracknews.com
hxxp://www.wapcitynews.com
hxxp://linkworldnews.com
hxxp://goodnewsdigital.com
hxxp://waleprojekt.com
hxxp://expowale.com
hxxp://topwale.com
hxxp://waleonline.com
hxxp://goodnewsdigital.com
hxxp://wapcitynews.com
hxxp://bestgoodnews.com
hxxp://spacemynews.com
hxxp://linkworldnews.com
….

When clicking the image, a file whose name is related to love is downloaded. In fact, this file is the worm:

youandme.exe
onlyyou.exe
you.exe
meandyou.exe

 

The size of the files is always around 390 KB.

This reminds us of last year’s Storm worm wave which was one of the main threats during 2008. Let’s hope it isn’t as active as last year’s but…the Waledac’s storm has already started!!!

Thanks to Asier Martinez for the information.

New Rogue Antivirus: Total Defender

January 25, 2009

A new Rogue Antivirus program called Total Defender appeared over the weekend. 

Total Defender Rogue Antivirus

The following data is included for informational purposes only. Please do not attempt to view or download files from the website.

Domain: Total-Defender. com
IP: 94.247.2.41
Country: Latvia
Host: DATORU EXPRESS SERVISS Ltd.
Organization: ZlKon

File:  total-defender-setup.exe

Total Defender Rogue Antivirus

Connects to:

0    200    HTTP    94.247.2.41    /ck.php    21
1    200    HTTP    94.247.2.41    /tdd.php?i=1
2    200    HTTP    94.247.2.41    /ck.php
3    301    HTTP    94.247.2.41    /tdp.php?ak=24DIGITHASH
4    200    HTTP    CONNECT    pp-pay.net:443
5    200    HTTP    CONNECT    pp-pay.net:443
6    200    HTTP    CONNECT    pp-pay.net:443
7    200    HTTP    CONNECT    bill-support.com:443 

Additional Info:

An interesting thing we noticed is that the Rogue did not attempt to scare us into purchasing it; instead it told us that the computer was secure after the scan. The Rogue authors are probably doing this to keep a high number of Rogue installations active for the purposes of data theft or for-hire services.

Total Defender Rogue Antivirus

Heartland Payment Systems Breach – Why it likely happened

January 22, 2009

You may have heard about the recent large data breach at Heartland Payment Systems, in which hackers planted malware specifically to capture TRACK 2 information along with credit card data and subsequently used it fraudulently; it was later discovered that the breach had been present since fall of 2008. In this case the only way Heartland detected the breach was through an alert they received from Visa / Mastercard regarding suspicious charges linked to Heartland Payment Systems. I cautioned of the high probability of this occurring on a more regular basis in August 2008 in an article published in the Information Security Systems Association (ISSA) Journal titled “Breaching Wireless POS Networks” and in an article published in CIO Magazine and the ISC2 Journal titled “Anatomy of a Data Breach: A Global Perspective”. The major point that I stressed in the above articles was the need to focus efforts on securing / hardening the systems themselves, not just on encrypting communications as recommended by the PCI standards.

Essentially, if the system itself is vulnerable to attack – meaning unpatched, with out-of-date or ineffective AV, or with other security misconfigurations – a hacker can simply plant malware that resides within the communications channel to intercept data before it is encrypted; this way the hacker can intercept the information being entered or transmitted from the terminal ‘live’ (before encryption), as opposed to attacking data that is already in transmission, which will likely be encrypted and already secure. This is the weakest link here, folks.

What we will likely find in common with these types of breaches:

  • The payment processing systems ‘themselves’ were probably not as secure as one would think: the primary focus from a security perspective was put on encrypting data in motion. What we will see here is systems that were not frequently patched, with ineffective AV, a password policy that is not complex enough, services that are not locked down, among a host of other things.

  • Lack of audit controls to monitor for suspicious activity inside the network originating from the POS terminals to the payment processing systems.
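The second point, the missing audit control, is the one that can be turned into a concrete detection. The following is an added example (not Heartland's or PandaLabs' code) of the simplest form of that control: POS terminals should only ever talk to the payment processing gateways, so any terminal-originated flow to another destination, internal or external, is worth an alert. The terminal subnet, the gateway addresses and the flow records are all constructed for the illustration.

```python
"""Flag flows from POS terminals that do not go to an approved payment
processing destination.  Added example, not Heartland's or PandaLabs' code;
the subnet, the allowlist and the flow records below are all constructed."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed: where the POS terminals live and the only destinations they
# should ever talk to (the payment processing gateways, hypothetical IPs).
POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_DESTINATIONS = {
    ("10.30.0.5", 443),  # primary payment gateway (hypothetical)
    ("10.30.0.9", 443),  # standby payment gateway (hypothetical)
}


def parse_flow(line):
    """Parse one constructed record of the form 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.upper())


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_pos_flows(lines):
    """Return (flow, reason) for every terminal-originated flow that is not
    on the allowlist.  Flows that do not originate at a terminal are ignored,
    so this is a pure 'terminals only talk to the processor' control."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if ipaddress.ip_address(flow.src) not in POS_SUBNET:
            continue
        if (flow.dst, flow.dport) in ALLOWED_DESTINATIONS:
            continue
        if is_internal(flow.dst):
            reason = "terminal talking to unapproved internal host"
        else:
            reason = "terminal talking directly to an external host"
        findings.append((flow, reason))
    return findings


# Constructed flow records: two normal gateway sessions, one lateral
# connection inside the network, one direct connection to the outside,
# and one flow that does not come from a terminal at all.
SAMPLE_FLOWS = [
    "10.20.0.17 10.30.0.5 443 tcp",
    "10.20.0.18 10.30.0.9 443 tcp",
    "10.20.0.17 10.40.0.22 445 tcp",
    "10.20.0.18 203.0.113.5 80 tcp",
    "10.50.0.3 203.0.113.5 80 tcp",
]

if __name__ == "__main__":
    for flow, reason in suspicious_pos_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

The allowlist is deliberately per (destination, port) rather than per destination: a terminal reaching the gateway on an unexpected port is as interesting as a terminal reaching a different host. Feeding it real NetFlow or firewall logs only requires replacing parse_flow.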

Social Networking, Passwords & Privacy

January 21, 2009

We have been warning for a long time about the issue of adding our personal information to social networks. I use them myself (Facebook, LinkedIn, etc.) and I'm surprised at the amount of personal information that my contacts have there, even more so when more than 90% of my contacts work in security-related companies (yes, that means that my social life sucks, I know 😉)

Social networks are also a good communication tool; just a few days ago we could see how the Queenstown police arrested a man thanks to Facebook. But things are not black or white, and when mankind is involved you can also see the dark side. In September 2008 we could see some news reports about terrorists using Facebook to kidnap Israeli soldiers.

But we don't need to go that far. There is another major issue: people are lazy, we don't want complex passwords that we can't remember, nor a different password for each application; so people just choose an easy-to-remember password or create passwords from some of their own personal information, using their birthday, wife's/husband's name, hometown, etc. Last week 4 people were arrested for blackmailing the Spanish singer David Bisbal. Basically they had got into his mail account and used the information stored there. The head of the gang, a psychologist, was able to figure out his password after studying all the personal information about the singer that can be obtained from the Internet.

We do not usually make that kind of information about ourselves available to our friends, but we have it on Facebook and similar networks. It is only visible to our friends (we should redefine the word "friend" in a social network environment, but I won't talk about that here). I have not tried (and won't) to figure out my friends' passwords, but I could do it and I'm sure it would work in many cases. And if one of our friends' accounts gets hacked, whoever did it will have access to all of that friend's friends' info… scary at least.

So please, just follow some basic recommendations:

• Use common sense.
• Restrict viewing of your details to trusted persons.
• Don't publish your full birth date.
• Don't reveal your e-mail, phone number or postal address.
• Ignore unsolicited requests to be friends or group membership from unknown people.
• Use different passwords, and change them periodically.

Finally, you can take a look at this list of the Top 500 worst passwords of all time, taken from the book Perfect Password (Mark Burnett, 2005). I miss some passwords in this list, such as "guest", "admin" or "backup", but it is useful so that you know which ones you shouldn't choose.
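The Bisbal case above is a password policy problem as much as a privacy one: a password built from a birthday, a spouse's name or a hometown is guessable by anyone who can read the profile. As an added example (not PandaLabs code, and not the Top 500 list itself), here is a checker that derives those guessable strings from a profile and rejects passwords containing them, alongside a short constructed excerpt of the worst-passwords idea. The profile and the candidate passwords are constructed.

```python
"""Reject passwords built from details a social-network profile exposes.
Added example, not PandaLabs code; the profile, the password candidates and
the short worst-passwords excerpt are constructed for illustration."""
import re
from datetime import date

# Constructed excerpt in the spirit of the Top 500 list, plus the three the
# post says are missing from it; a real deployment would load the full list.
WORST_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123",
                   "guest", "admin", "backup"}


def profile_tokens(profile):
    """Derive the strings an attacker could read off a profile: names,
    hometown, pet, and the usual numeric forms of the birth date."""
    tokens = set()
    for key in ("first_name", "last_name", "spouse", "hometown", "pet"):
        value = profile.get(key)
        if value:
            tokens.add(re.sub(r"[^a-z0-9]", "", value.lower()))
    born = profile.get("birth_date")
    if born:
        tokens.update({
            str(born.year),                                          # 1982
            f"{born.day:02d}{born.month:02d}",                       # DDMM
            f"{born.month:02d}{born.day:02d}",                       # MMDD
            f"{born.day:02d}{born.month:02d}{born.year % 100:02d}",  # DDMMYY
        })
    # Two- or three-character fragments would match almost any password.
    return {t for t in tokens if len(t) >= 4}


def password_weaknesses(password, profile):
    """Return the reasons a password is weak; an empty list means it passed."""
    reasons = []
    normalized = re.sub(r"[^a-z0-9]", "", password.lower())
    if normalized in WORST_PASSWORDS:
        reasons.append("appears on the worst-passwords list")
    for token in sorted(profile_tokens(profile)):
        if token in normalized:
            reasons.append(f"contains profile detail '{token}'")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    return reasons


# Constructed profile of the kind a "friend" can read on a social network.
SAMPLE_PROFILE = {
    "first_name": "Carlos", "last_name": "Garcia", "spouse": "Laura",
    "hometown": "Bilbao", "pet": "Rocky", "birth_date": date(1982, 6, 3),
}

if __name__ == "__main__":
    for candidate in ("Laura1982", "Rocky030682!", "password",
                      "correct horse battery staple"):
        print(candidate, "->",
              password_weaknesses(candidate, SAMPLE_PROFILE) or "ok")
```

The normalization step strips case and punctuation before matching, so "Laura-1982!" fails for the same reasons as "laura1982"; a policy that only checks length or character classes would have accepted both.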

Malware Campaign Impersonates Barack Obama's Website

January 17, 2009

Today we discovered a botnet-controlled, fast-flux operated malware campaign impersonating the website of United States President-elect Barack Obama. The fake website looks just like the real thing and attempts to bait viewers into clicking a story entitled “Barack Obama has refused to be a president”. When the user clicks on the link, the malware (W32\Iksmas.A.worm) begins to download all of the files needed to host the fake site on the victim’s computer.

Excerpt: Barack Obama's inauguration that was planned on 20th January 2009 is under the threat of failure. On the Eve of Inauguration Day President-elect Barack Obama made statement. He declared that he is definitely NOT ready for this position. Analysts say that Barack Obama has refused to be next president because he recognized inconsistency of his plan of stimulating USA economy

 Barack Obama (Malware Site)

The attack appears to have originated from China, as the domains were purchased from a Chinese domain registrar called XINNET TECHNOLOGY CORPORATION. Xinnet has a history of abuse problems and we have contacted them to remove the domain names.

The file names of the malware are:

  • doc.exe
  • statement.exe
  • obamaspeech.exe
  • blog.exe
  • barack.exe
  • usa.exe
  • baracknews.exe
  • pdf.exe
  • news.exe
  • obamasblog.exe
  • barakblog.exe
  • statement.exe
  • president.exe
  • obamanews.exe

Visual Representation of the domains:

Visual Representation of Malware Site 

FastFlux Representation (1 of 40 domains):

Barack Obama - Fast-Flux

 

Updated list to 75 domain names as of 1/20/09

Note: These domains are included for informational purposes only. Please do not attempt to visit the sites.

httx://bestbarack.com
httx://bestbaracksite.com
httx://bestchristmascard.com
httx://bestmirabella.com
httx://bestobamadirect.com
httx://bestyearcard.com
httx://blackchristmascard.com
httx://cardnewyear.com
httx://cheapdecember.com
httx://christmaslightsnow.com
httx://decemberchristmas.com
httx://directchristmasgift.com
httx://eternalgreetingcard.com
httx://expowale.com
httx://freechristmassite.com
httx://freechristmasworld.com
httx://freedecember.com
httx://funnychristmasguide.com
httx://goodnewsdigital.com
httx://goodnewsreview.com
httx://greatbarackguide.com
httx://greatmirabellasite.com
httx://greatobamaguide.com
httx://greatobamaonline.com
httx://greetingcardcalendar.com
httx://greetingcardgarb.com
httx://greetingguide.com
httx://greetingsupersite.com
httx://holidayxmas.com
httx://itsfatherchristmas.com
httx://jobarack.com
httx://justchristmasgift.com
httx://lifegreetingcard.com
httx://linkworldnews.com
httx://livechristmascard.com
httx://livechristmasgift.com
httx://mirabellaclub.com
httx://mirabellamotors.com
httx://mirabellanews.com
httx://mirabellaonline.com
httx://newlifeyearsite.com
httx://newmediayearguide.com
httx://newyearcardcompany.com
httx://newyearcardfree.com
httx://newyearcardonline.com
httx://newyearcardservice.com
httx://reportradio.com
httx://smartcardgreeting.com
httx://spacemynews.com
httx://superchristmasday.com
httx://superchristmaslights.com
httx://superobamadirect.com
httx://superobamaonline.com
httx://superyearcard.com
httx://thebaracksite.com
httx://themirabelladirect.com
httx://themirabellaguide.com
httx://themirabellahome.com
httx://topgreetingsite.com
httx://topwale.com
httx://uperobamadirect.com
httx://waledirekt.com
httx://waleonline.com
httx://waleprojekt.com
httx://wapcitynews.com
httx://whitewhitechristmas.com
httx://worldgreetingcard.com
httx://worldnewsdot.com
httx://worldnewseye.com
httx://worldtracknews.com
httx://yourchristmaslights.com
httx://yourdecember.com
httx://yourmirabelladirect.com
httx://yourregards.com
httx://youryearcard.com

Social Networking & Privacy – Draft

January 16, 2009


Rash of Rogue Security Malware

January 15, 2009

The amount of Rogue Security samples increases daily and today was no exception.  We discovered a rash of newly created domain names pushing rogue security software harder than ever.  I captured a video so that you may see what the site and infection process looks like.



In the January 2009 ISSA Journal (pdf) we covered the rogue epidemic in 2008 and from our data we predicted that they would be amongst the most prolific malware in 2009. 15 days into the new year and it feels like the prediction is already coming true. 

Note: The sites are live and infectious so do not attempt to visit them!

best2008-scan-av .com
forpc-av-scanner .net
best-scanner-pc .net
best2008-scan-av .com
av-pcscan-comp .com
quickly-scan-no-av .com
best6scan .com
easy6scan .com
bestscan6 .com
easy4scan .com
easyscan6 .com
fastscan6 .com
fast4scan .com
fastscan4 .com 
fastscan6 .com 
livescan4 .com 
livescan5 .com
livescan6  .com
newscan4 .com
newscan5 .com 
new7scan .com 
newscan6 .com 
plus4scan .com 
plus6scan .com 
plusscan4 .com
scan4easy .com 
scan4fast .com 
scan5best .com 
scan5plus .com 
scan6live .com
scan7live .com 
sg10scanner .com
sg11scanner .com 
sg12scanner .com
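The Waledac, Obama-campaign and rogue-scanner posts above all publish their indicators defanged, and in three different styles (hxxp://, httx:// and "domain .com"), which is exactly what a blocklist loader has to cope with before the lists are usable at a mail gateway or proxy. As an added example (not PandaLabs code), the following normalizes those styles into a set of domains and checks URLs against it, treating subdomains of a listed domain as hits and skipping the "…." truncation marker. The sample URLs checked at the bottom are constructed; the indicators are copied from the posts in their published form.

```python
"""Normalize the defanged indicators these posts publish (hxxp://, httx://,
'domain .com') into a domain blocklist and check URLs against it.  Added
example, not PandaLabs code; the sample URLs checked below are constructed."""
import re
from urllib.parse import urlsplit

DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")


def refang(indicator):
    """Undo the three defanging styles used in the posts."""
    s = indicator.strip()
    s = re.sub(r"^(hxxp|httx)(s?)://", r"http\2://", s, flags=re.IGNORECASE)
    s = re.sub(r"\s*\.\s*", ".", s)   # 'best6scan .com', 'Total-Defender. com'
    return s


def domain_of(text):
    """Host of a URL or bare domain, lower-cased, without a leading 'www.';
    None when the text is not a domain at all."""
    s = refang(text)
    if "://" not in s:
        s = "http://" + s
    try:
        host = (urlsplit(s).hostname or "").lower()
    except ValueError:
        return None
    if host.startswith("www."):
        host = host[4:]
    return host if DOMAIN_RE.match(host) else None


def build_blocklist(raw_indicators):
    """Skip anything that is not a domain (e.g. the '….' truncation marker)."""
    return {d for d in map(domain_of, raw_indicators) if d}


def blocklist_hit(url, blocklist):
    """Return the blocklisted domain the URL falls under, or None.
    Subdomains of a listed domain count as hits."""
    host = domain_of(url)
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


# Indicators copied in the posts' own defanged formats.
RAW_INDICATORS = [
    "hxxp://goodnewsreview.com",
    "hxxp://www.spacemynews.com",
    "httx://bestbarack.com",
    "best6scan .com",
    "Total-Defender. com",
    "….",
]
BLOCKLIST = build_blocklist(RAW_INDICATORS)

# Constructed URLs as they might appear in a mail gateway or proxy log.
SAMPLE_URLS = [
    "http://www.goodnewsreview.com/youandme.exe",
    "http://cdn.best6scan.com/scan",
    "http://Total-Defender.com/total-defender-setup.exe",
    "https://example.org/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", blocklist_hit(url, BLOCKLIST) or "clean")
```

Matching parent domains matters for fast-flux campaigns like the Obama one, where the same registered domain is served from many hosts and subdomains; matching only exact hostnames would miss most of them.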

Microsoft Updates for January

January 14, 2009

MS09-001 

In the first security bulletin of the year 2009, MS09-001, Microsoft has published several critical updates which resolve 2 privately reported vulnerabilities and a publicly disclosed vulnerability in Microsoft Server Message Block (SMB) protocol.

If exploited successfully, an attacker could execute code remotely on the system, and could view, change or delete data, or create new accounts with full user rights.

This security update has been rated as critical for all the versions of Microsoft Windows 2000, Windows XP and Windows 2003 and as moderate for all the versions of Windows Vista and Windows Server 2008.

We remind you that in order to improve the security level of your computer against known and unknown network vulnerabilities, you can stop or block the access to any network service you don’t use by using a properly configured firewall or by disabling the network services that are not used in the system.

Although at Panda Security we work daily on improving our products in order to protect our clients from these new vulnerabilities, we always recommend installing as soon as possible the security patches published in Microsoft’s security bulletins, as well as other security updates that may affect other products installed on the same system.

  •  MS09-001 – Vulnerabilities in SMB Could Allow Remote Code Execution

The pretty Paris Hilton is attacked again!!

January 14, 2009

Paris Hilton is fashionable. This girl does a bit of everything: she’s a model, an actress, a singer… and she has become the target not only of paparazzi but also of computer attacks…

Several months ago the image of Paris was being used in thousands of spam messages that claimed to contain hot videos of this celebrity. However, this was too good to be true and it was actually malware which installed rogue AVs on our computers.

 

This time, cyber-crooks have gone further and Paris Hilton’s official website has been attacked. When accessing this web page, a popup window appears offering visitors the option to download the latest update of Flash Player.

When the downloaded file is run, it ends the smss.exe service, which belongs to the Windows NT Session Manager Subsystem. Then, it drops a file in system32 under the name twext.exe, which hooks into the winlogon.exe process and modifies the following Windows Registry entry in order to be run whenever Windows is started:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit"
Old type: REG_SZ
New type: REG_SZ
Old data: C:\WINDOWS\system32\userinit.exe,
New data: C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,

It is continuously trying to connect to the website you69tube to obtain the file flvideo/.a/.z/cfg.bin, which is no longer available, and it also launches connections to 72.167.37.109.

It creates more files and directories, all of them hidden, in:

%systemroot%\twain_32\user.ds and local.ds (encrypted files)
C:\Documents and Settings\NetworkService\Application Data\twext\local.ds

This malware has been detected as Trj/Sinowal.VYO.
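The Userinit modification is the persistence mechanism here, and it is easy to audit: the value is a comma-separated list that on a clean system holds only userinit.exe, so anything chained after it is worth a look. As an added example (not PandaLabs code), the following parses the text that `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit` prints and reports every extra entry; the two outputs it checks are constructed to mirror the "old data" and "new data" values from the post, and the expected clean value is an assumption that holds for the Windows generation the post describes.

```python
"""Spot extra programs chained onto the Winlogon Userinit value, the
persistence trick described in the post.  Added example, not PandaLabs code;
the 'reg query' output it parses is constructed to mirror the post's entry."""
import re

# Assumption: the clean Userinit value on this Windows generation holds only
# userinit.exe (the registry value itself carries a trailing comma).
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"


def userinit_extras(value, expected=EXPECTED_USERINIT):
    """Return every entry in the comma-separated Userinit value that is not
    the expected userinit.exe (case-insensitive, tolerant of spaces)."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != expected.lower()]


def parse_reg_query(output):
    """Pull (type, data) for the Userinit value out of 'reg query' text.
    Lines look like: '    Userinit    REG_SZ    C:\\...\\userinit.exe,'"""
    for line in output.splitlines():
        m = re.match(r"\s*Userinit\s+(REG_\w+)\s+(.*)$", line)
        if m:
            return m.group(1), m.group(2).strip()
    return None, None


def check_userinit(output):
    """Classify the Userinit value: ('clean', []), ('tampered', [extras])
    or ('missing', []) when the value was not found in the output."""
    reg_type, value = parse_reg_query(output)
    if value is None:
        return "missing", []
    extras = userinit_extras(value)
    return ("tampered" if extras else "clean"), extras


# Constructed outputs: the pre- and post-infection values from the post.
CLEAN_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    Userinit    REG_SZ    C:\\WINDOWS\\system32\\userinit.exe,
"""
TAMPERED_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    Userinit    REG_SZ    C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\twext.exe,
"""

if __name__ == "__main__":
    for label, out in (("clean", CLEAN_OUTPUT), ("tampered", TAMPERED_OUTPUT)):
        print(label, "->", check_userinit(out))
```

On a live machine the output of the reg query command above can be piped straight into check_userinit; comparing against an expected value rather than looking for a known file name (twext.exe) means the check also catches the next variant that picks a different name.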

Now the question is: how long will it take cyber-crooks to use the image of this celebrity once again? I suppose it won't be long.