PIFTS

Something is rotten in the state of security.

Users of Symantec’s Norton AV have been reporting instances of a file named PIFTS.exe trying to connect out to the Norton updates.

This wouldn’t be news in and of itself, but it seems that Symantec doesn’t want to discuss the issue. All questions regarding PIFTS are removed from the message board within minutes of being posted. Some users have been banned after attempting to repost.

Since they can’t turn to Symantec for answers, many users have turned to the communal knowledge of the web. Unfortunately, the bad guys have also noticed the influx of searches for PIFTS.exe and some of the top results in Google are actually malicious, attempting to infect any visitors with rogue anti-virus Malware. DO NOT DOWNLOAD ANYTHING from those sites.

ThreatExpert has a breakdown of PIFTS and its attempt to phone home here

VirusTotal shows no hits

Brian Krebs @ The Washington Post is trying to get some answers.

SANS Internet Storm Center writes that they’ve been contacted by a Symantec employee who claimed ownership of the file and tried to make clear that it isn’t intended to do any harm.

Nice of them to respond…

But won’t they let people talk about it on the msg boards?

Why the secrecy Symantec?

**Update** (courtesy of Brian Krebs @ The Washington Post)

“David Cole, senior director of product management at Symantec, said the PIFTS file was part of a ‘diagnostics patch’ shipped to Norton customers on Monday evening. The purpose of the update, Cole said, was to help determine how many customers would need to be migrated to newer versions of its software as more Windows users upgrade to Windows 7.”

As to why Symantec was deleting forums posts and banning users for mentioning PIFTS, Cole says, “hundreds of new users began registering on the forum, leaving inane and sometimes abusive comments.”

This is a lame excuse. Though the forums do seem to have been hit by the 4chan crowd, the first people to ask questions were very polite and straightforward. They asked simple questions, like ‘hey, how come part of your software wants to access the Internet?’

Not exactly ban-worthy behaviour.

A forum moderator could have simply (easily!) answered the question and closed the thread. Wouldn’t that have saved everyone a lot of trouble?

Coin Toss

http://tinyurl.com/akvagb

Go. Read the article.

Anti-virus software vendors like to proclaim that their products achieve success rates in the 90%+ range. This is false and misleading.

It is inconceivable that end users (and many corporate entities) still believe that AV software is the catch all for security.

A 50% success rate is unacceptable. It is a coin toss – 50/50 chance – that your network is secure.

“The average delay in detection and remediation was 54 days.”

54 days?! Two months?!

The bottom line here is that Malware created for non-commercial purposes simply does not exist anymore. It hasn’t in over two years.

Modern Malware is specifically designed to operate quietly and unobtrusively for as long as possible. The bad guys are after our social insurance numbers, credit card numbers, bank account details, credit equity, customer lists, a jump on the quarterly earnings, our emails, online payment accounts, access to our social network of friends, ANYTHING they can get their hands on.

Think about it: the average delay in detection is 54 days. For almost two months the bad guys have access to your system.

This isn’t like having your house robbed.

It’s like having your house broken into and the robbers moving in and hiding in your closet for two months.

From home users to large corporate networks, we must – MUST – move beyond our tired notions of network security. The bad guys are always evolving, adapting their Malware to evade detection and improve levels of compromise. Why haven’t the good guys evolved?

The numbers speak for themselves:

“About 3 to 5 percent of all systems in an enterprise are infected with bot-related malware — even within organizations running up-to-date antimalware tools.”

“Antivirus software immediately discovered only 53 percent of malware samples.”

“Another 32 percent were found later on, and 15 percent were not detected at all.”

Now you may be thinking that 15% doesn’t sound like a lot, that maybe that’s an acceptable level of risk. Consider this:

Security researchers around the world analyze anywhere from 20-30,000 pieces of Malware every day. Every day!

The Shadowserver Foundation has analyzed over 19 million Malware samples in the past 12 months alone.

15% of 19 million is a big number.

You really want to take that chance?

Is your computer watching you?

SecureWorks has a posting up discussing the Ozdok/Mega-D trojan and its ability to capture screenshots on the systems it’s infected. We’ve been talking about this for months! Ozdok is certainly not the only trojan with this ability, and the researchers are specifically talking about screenshots, but what about systems with webcams?

Think the bad guys know how to turn those on?

Check out the video posted in our Facebook group and find out!

24/7

We’re opening the office doors:

Defintel’s on Twitter. Check it out, drop us a line.

Facebook too. Join the Defintel group for botnet building videos, photos, and a chance to ask us questions about computers, security, videos games, comics, and just about anything else.

From the whole Definel team:

Welcome!

Explorer Exiled

There is a 0day exploit currently exploiting a critical flaw in Microsoft’s Internet Explorer.

If this is the first you’re hearing of this flaw, check out the link below to hear Defintel’s CEO, Chris Davis explain the situation:

CTV News – Exploiting Explorer

Researchers estimate that more than 10,000 sites are compromised. While in-the-wild exploits are currently targeting IE 7 on Windows XP SP2 and SP3, Windows Server 2003 SP1 and SP2, Windows Vista (including SP1) and Windows Server 2008, it’s important to remember that all versions of Internet Explorer, from IE5 all the way to IE8 Beta 2, are affected.
If a user visits a compromised site, malicious JavaScript code is injected into the browser, and Malware is downloaded onto the user’s computer. The Malware that gets installed on the user’s computer will likely remain nearly invisible to the average user. The goal of the attacker is not to disrupt a user’s online experience, but rather to remain inconspicuous for as long as possible. The Malware allows the attacker complete access to user’s computer and allows him to track everything you type into your keyboard.

Visit your legitimate online banking site and enter your user information? Now he’s got it.
Visit your favourite social networking site and chat with some friends? Now he’s got that too.

Microsoft intends to release a critical patch today, the second patch coming on Exploit Wednesday instead of Patch Tuesday in as many months. Back in October, Microsoft was forced to release an out-of-band patch to mitigate the extremely critical flaw in several Windows OS’.

In the meantime, users should use other browsers – FireFox, Chrome, Safari – whatever you like! Just not IE.

The general public is completely ill-equipped to deal with security events. Who knows how long it will be before the AV companies have signatures developed for this new exploit. And Microsoft surely isn’t losing any market share over yet another security debacle.

Why do we still treat online security as though the Internet only encompasses six guys at Berkeley? Everyone is online, from 5 year old girls to 95 year old men – they can’t all be expected to keep up to date with these vulnerabilities and exploits.

So, how do we help them?

The Enemy Within

Two weeks ago, users of AVG’s virus scanner awoke to a nasty surprise: their supposed security software had been updated to identify the file named user32.dll as malicious. Those people most keen to protect their computer systems followed the instructions as directed and deleted the file – only to find that they were now stuck in an endless cycle of reboots.

User32.dll is a core Windows file; and not, as identified by AVG, a Trojan Horse named PSW.Banker4.APSA or Generic9TBN. This is not the first time AVG has struggled with misidentifying Malware, nor is it the first time an Anti Virus company has recommended users remove core Windows files.

In December of last year, Anti Virus company Kaspersky Labs decided that a Virus existed within Windows Explorer, the graphical user interface for Windows itself. Thankfully, Kaspersky managed to catch the error before the damage was too widespread; though, I imagine the employees at the UK enterprise that was affected would tell a different story.

Even Microsoft is guilty of such casual coding. In 2007, Microsoft’s OneCare, an Anti Virus product, when used with Internet Explorer 7, was flagging Google’s Gmail as a Virus. Even Microsoft’s own product weren’t safe, with OneCare regularly quarantining or deleting all of the email in a user’s inbox.

AV companies tout their wares as the silver bullet for personal protection. You know this isn’t true. I know this isn’t true. So, why doesn’t everybody else?

It was bad enough that the generic, non-technical computer user didn’t know that his Anti Virus software is only protecting him from a small percentage of modern threats. Now we also have to let them in on the secret that their “protection” might sometimes do more harm than good.

Fun with Dick and Jane

Fail too fast in bed?

Looking to revive your sleep desires?

What is money in comparison to your potency?

To anyone with an email address those phrases might seem awfully familiar. I’m talking about spam: the scourge of system administrators, the friendly pharmacy to the misinformed. It arrives unrequested, unavoidable, unimaginably hilarious. Now, you too can get in on the game, spamming friends, family, and foes alike thanks to the user-friendly Set-X Mail Service, courtesy of the Set-X Corporation.

Straight from the press release announcing the service:

“- Flexible and convenient Web based interface, detailed statistics while sending, changing any settings (mail databases, texts, macros)

– User-friendly web based interface – start spamming from day one

– Automatic “spamming capabilities” assessments of the bot allowing you to think about your business and not about the technical details behind it

– Daily malware updates, four programmers allocated for every server, sending automatic ICQ notifications whenever the malware gets updated

– Automatic optimization of the spam campaign by first allocating the bots with clean IP reputation

– Optional is the option to chose whether or not a dedicated “spamming engineer” should be allocated to your server

– His responsibilities include introducing a higher number of bots if requested, ensuring that dead bots get disconnected from your server, and providing personal advice on optimizing your campaigns and bypassing anti-spam filtering through the built-in multi RBL checking feature

A brief description of the system:

1. The system is automatically harvesting the outgoing and incoming email addresses on the infected hosts and the associated accounting data, supporting the following clients :
– Mozilla Thunderbird
– Outlook Express
– MS Outlook
– The Bat
– Opera

2. The bot automatically defines its MX and PTR records, if they are present it switches to Direct SMTP mailing which means that it can send the spam directly to the recipients using the MX and PTR DNS records of the bot, enforcing direct sending even without MX and PTR records is also possible

3. The bot automatically defines its MX and PTR records, if they are present it switches to Direct SMTP mailing which means that it can send the spam directly to the recipients using the MX and PTR DNS records of the bot, enforcing direct sending even without MX and PTR records is also possible

4. The central control server automatically assigns different regional servers to the bots, and rotates them periodically for security purposes

5. All the information about the spam campaigns and the bots can be exported and syndicated with another regional server as requested, with the regional server dynamically establishing links with other regional servers so that it never really knows the address of the central command server

6. There are several different ways of sending spam using this service :

1) Direct spamming from the legitimate email accounts of the infected computers, with the system automatically syndicating all the available legitimate emails whose accounting data naturally stolen due to the malware infection is again, automatically integrated in a “unique legitimate senders” database. Full support for web based email accounts in the form of domain:username:password

2) Sending via Direct SMTP: send messages directly using the MX and PTR records of the infected host’s gateway

3) Sending to direct recipient

4) Sending through open relays and socks servers, both of which can provided at an additional cost

7. SET-X Mail System is highly modular, with unique features easily coded and implemented as requested by the customer

The average speed from one server is 5000/7000 emails per minute, over 1 million emails per day, and if requested you can purchase as many servers as you would like. The price of rent per month is $2000 with additional $1000 for each additional server if the servers are ordered at the same time.”

Capable of creating clever tag lines? Got a couple of thousand bucks lying around? Sign up now and you too can irritate millions of strangers every day.

Thanks to Dancho Danchev for translating the material from Russian.

Cyber Security Event for the Government of Canada and IT Industry

Dear Friends and Colleagues:

On behalf of the Canadian Internet Registration Authority (CIRA), I am pleased to invite you to attend a special Cyber Security meeting to be held at the Crown Plaza Ottawa, September 23, 2008.

Cyber Security is critical to ensuring the integrity of the network infrastructure of the federal government. This Cyber Security meeting offers an opportunity to discuss, share and learn what we can do and what we should do to respond to modern Cyber Security threats. It will be comprised of four sessions ranging from cyber-attacks, evolution of the modern malware, latest updates on the Kaminsky DNS Vulnerability and Electronic Espionage. Is the Government of Canada well safeguarded against these threats?

Topics include:

Update on the Kaminsky DNS Vulnerability

Christopher Davis, CEO Defence Intelligence

The Evolution of the Threat: From Fun to Profit

Christopher Davis, CEO Defence Intelligence

Meaghan Molloy, Threat Analyst Defence Intelligence

Information Protection Capability Gap

Aron Feuer/Wayne Boone, Cygnos IT Security

Cyber-Attacks: Experiences From the Trenches

Bill Woodcock, Packet Clearing House

We are delighted to welcome Mr. Bill Woodcockto this meeting. Bill Woodcock is research director of Packet Clearing House, a non-profit research institute dedicated to understanding and supporting Internet traffic exchange technology, policy, and economics. Bill has operated national and international Internet service provision and content delivery networks since 1989, and currently spends most of his time building Internet exchanges in developing countries.

This is a meeting not to be missed!

This CIRA Cyber Security event is limited to 60 participants. We urge you to register!

Sincerely,

Norm Ritchie

Chief Information Officer
Canadian Internet Registration Authority (CIRA)

Web experts scrambling to patch security flaw

Code published that could allow hackers to direct surfers to fake websites
Jessey Bird
The Ottawa Citizen
Security experts are urging Internet server administrators to act quickly to head off what they are calling the “single largest threat to Internet security.”They say a critical flaw in the system used to route Internet traffic could let hackers redirect users to dangerous websites, and then steal their personal information.While the flaw was discovered six months ago, and a fix released two weeks ago, the exact nature of the problem was kept secret.That was until yesterday, when a program to exploit the flaw was posted on the Internet, allowing anyone around the world to simply download it and run it.According to Christopher Davis, chief executive of Ottawa-based Defence Intelligence, the “exploit” allows hackers to replace search engines, social-networking sites and even banking websites with their own “malicious” content.So far, government and Internet service provider officials say they are taking the threat to their domain-name servers seriously, but do not have any actual examples of the attack, which is called “DNS cache poisoning,” to report.The attack is aimed at how Internet addresses function, particularly the domain-name servers (DNS) that route Internet traffic.While websites are all identified by addresses using words that are easy for people to remember — like google.ca or facebook.com — they are also identified by addresses of just numbers. Domain-name servers serve as the translator in between — connecting a user that types in a web address to the correct computer.”DNS is kind of the 411 for the Internet,” said IOActive security researcher Dan Kaminsky, who discovered the flaw six months ago.What he realized was that in just seconds, a malicious hacker could poison a domain-name server and reroute users to different websites from the ones they are seeking. Hackers could also route people to copycat websites that would enable them to steal people’s personal information.”This attack works very, very well,” he said. “Any website that you trust is not necessarily the website that you are looking for. Every e-mail you send is not necessarily going where you think.” Even people who take precautions could be fooled.At the time of the discovery, Mr. Kaminsky and industry giants such as Microsoft and Cisco acted quickly to create a patch for the flaw, while keeping the exact nature of the problem secret. They released their fix two weeks ago.Mr. Kaminsky promised to discuss the problem at a technical conference in August, so other security experts could learn from his work; that would give Internet providers about a month to install the fix. But after another expert’s public speculation on the details of the DNS flaw hit too close to home on Monday and the details of the flaw were leaked, Mr. Kaminsky and Mr. Davis say they are worried hackers might know enough to cause problems — and service providers haven’t had enough time to install the patch.”The majority of DNS servers have not yet been patched,” said Mr. Kaminsky.”It is a serious vulnerability,” said Bruce Schneier, chief security technology officer for British Telecom. “It is one that can be used by criminals to steal identity.”Mr. Schneier also stressed that there is no need for the public to panic.”Kaminsky was hoping there would be a full month for people to patch their system,” said Mr. Schneier, adding that the leak has made Internet users “more vulnerable.””But let’s face it — you’re not going to die,” he said. “Money is stolen out of banks every day. This is another way to do that.”Is it a worse way than all the other ways? Probably not,” he continued. “Is it a serious way? Yes. Have there been other serious ways? Yes. Are we still here? Yes.””It is not armageddon,” he said. “We are not going to die.”Officials from Rogers Cable Inc., one of Ontario’s major Internet providers, said they haven’t detected any problems with their system.”Built into our network today are intrusion detection and prevention systems,” said Nancy Cottenden, director of communications for Rogers Cable, adding that Rogers monitors vulnerabilities on a “regular basis.”Ms. Cottenden also said Rogers is in the midst of installing Mr. Kaminsky’s patch.”It takes some time,” said Ms. Cottenden. “Any vendor will tell you it takes some time. The good news is, it is being loaded.”Bernard Beckhoff, spokesman for Public Safety Canada, said there have been “no confirmed incidences of the threat being applied in Canada or elsewhere.”The Canadian Cyber Incident Response Centre will continue to monitor the threat, said Mr. Beckhoff.Mr. Davis said that while the Canadian government has been quick to respond, many are still downplaying the issue.He urged Internet users to contact their service providers to find out whether they’ve patched their systems.”It scares the hell out of us,” said Mr. Davis. “And we know what we’re doing.”