The National Credit Union Administration is warning all Credit Unions about malicious hackers and a low tech attack by mailing branches CDs with malware on them.

Using a somewhat dated but still effective Social Engineering attack, a package designed to look as though it was mailed by the NCUA is sent to the branch. The package contains CDs with the attacker’s malware on it, and an accompanying letter (PDF) which informs the branches, ironically, about phishing scams. The letter directs the personnel to review the “training material” on the enclosed CD. Once branch employees proceed as directed, the malware is executed and gives the attackers access to the branch computer systems. Credit Unions seem to be targeted because they tend to be smaller local associations rather then larger banks with higher budgets for computer security.

When people think computer security, they usually envision high tech systems comprising of long passwords, expensive hardware, and updating software with the latest security patches. However, as famed social engineer and hacker Kevin Mitnick once said, “There is no patch for stupidity”.

[via threat post]

The folks over at Arbor Networks were browsing Twitter and discovered something very strange: a Twitter account seemingly posting gibberish. At least, that’s how it appeared at first. Upon closer investigation, they discovered that the profile was posting base64 encoded links to PKZIP archives. When they extracted the contents and unpacked the contained DLL and EXE files, they discovered that the account was posing links to malware that would post user information back to certain URLs. The article was also updated to show that the scheme wasn’t limited to Twitter, but also affected users on Jaiku and Tumblr. It’s a bit scary to see that all malware isn’t as blatantly obvious as we usually would think it to be.

We reported last week that D-Link was adding captchas to their routers to prevent automated login by malware. Unsurprisingly, it doesn’t work all time. The team from SourceSec grabbed the new firmware and began poking at it. They found that certain pages don’t require the authentication to be passed for access. One of these is WPS activation. WPS lets you do push button WPA configuration. Once activated, any nearby client can request the WPA key using a tool like WPSpy. Only user level credentials are needed to pull this off, so changing just the admin password won’t prevent it.

[photo: schoschie]

D-Link is adding captcha support to its line of home routers. While default password lists have been abundant for many years, it was only recently that we started seeing the them implemented in malware. Last year, zlob variants started logging into routers and changing their DNS settings. It’s an interesting situation since the people who need the captcha feature are the ones who will never see it, since they won’t log in to change the default password.

[photo: fbz]

“Reformat it”. That’s pretty much our default answer when someone calls us complaining of malware and viruses. Though many can be removed, it can sometimes be quicker and less frustrating just to reformat it. Some of us even have specific ways that we organize all of our files just to make the quarterly reformat go smoother.  Unfortunately, reformatting may no longer be the absolute cure. Researchers have developed a piece of malware that infects the BIOS.  It is un affected by reformating or flashing. This means that it is also OS independent. They tested it on Windows and OpenBSD as well as a machine running VMware Player. This is a grim sign for the future.

[via ZDNet.com]

It seems some enterprising individual in Grand Forks, North Dakota has been placing fake parking violations on cars. If the recipient visited the URL on the flyer, they would be told to install a toolbar to view pictures of their vehicle. That piece of malicious software would then attempt to install several more. The actual vehicle pictures were from Grand Forks, but we wouldn’t be surprised to see a similar attack happen in a much larger city.

PandaLabs has identified a botnet running a malware campaign impersonating president-elect Obama’s website. The front page of the site features a sensational story titled “Barack Obama has refused to be a president”. Clicking the link will download the malware and make the target’s machine part of the botnet. They’re using fast-flux to assign the malicious domains to the massive number of compromised nodes that are hosting the actual site. The team has contacted the domain name registrar in China to get the domains removed. Using a sensational headline is not new to malware; it’s how the Storm Worm got its name.

[via lithium]

Zero Day has an interview with German researchers who have found a way to take down the Storm Worm botnet. Their program, Stormfucker, takes advantage of flaws in Storm’s command network: Nodes that are NAT‘d only use a four-byte XOR challenge. Nodes that aren’t NAT’d are only using a trivial 64bit RSA signature. Their solution can clean infected machines and also distribute to other nodes. Unfortunately, installing software without the user’s consent is the exact same behavior as malware. Don’t expect to see this in any sort of widespread use. The researchers did point out that some ISPs have moved to shutting off service for infected customers until their machines are cleaned.

Philosecurity has an interview with [Matt Knox], a former coder for Direct Revenue, an adware company which was sued in 2006 by New York governor Eliot Spitzer. The interview contains some interesting details of how the adware code worked internally: it created a Browser Helper Object, then ensured that the Browser Helper Object stayed up by creating a poller to check every ten seconds and regenerate the Browser Helper Object if it had stopped running. The poller ingeniously masked itself partly by exploiting Windows’ Create Remote Thread function to run itself as a series of threads instead of as an executable.

The truly fascinating bit of the interview is how [Knox] defies your initial suspicion that he’s a complete scumbag; he started off writing spam filtering software, was hired by Direct Revenue to do traffic analysis, started writing tiny bits of code to improve the adware, and eventually wound up knee-deep in the code.  [Knox] notes that you can get ordinary people to do incredibly distasteful things if you break those things into small enough chunks and introduce them gradually.

[via Waxy]

[photo: xcaballe]

Our own [Anthony Lineberry] has written up his experience participating in the 2008 Malware Challenge as part of his work for Flexilis. The contest involved taking a piece of provided malware, doing a thorough analysis of its behavior, and reporting the results. This wasn’t just to test the chops of the researchers, but also to demonstrate to network/system administrators how they could get into malware analysis themselves.

[Anthony] gives a good overview of how he created his entry (a more detailed PDF is here). First, he unpacked the malware using Ollydbg. Packers are used to obfuscate the actual malware code so that it’s harder for antivirus to pick it up. After taking a good look at the assembly, he executed the code. He used Wireshark to monitor the network traffic and determine what URL the malware was trying to reach. He changed the hostname to point at an IRC server he controlled. Eventually he would be able to issue botnet control commands directly to the malware. We look forward to seeing what next year’s contest will bring.