First thing to consider is that Conflicker, like most of the malware (malicious software) released to the Internet in the past 5-6 years, is *not* likely to do any real, irreversible damage to your computer systems. It’s essential to understand that the programmers creating most modern malware are profit driven and see this as a business. They’re not going to make money by destroying computers. What they *do* want to achieve is to be able to use others computer systems for illegal activities which is most commonly for sending spam.

Case in point is that Dean Turner of Symantec Security says he doubts there will be substantial cyber disaster. More than likely the internet will not go down, the makers of Conflicker C are profit driven and need the computers in the botnet to make money for them by sending out spam emails and so on. Paul Ferguson of Trend Micro agrees. He says these people, “don’t want to bring down the infrastructure. That would not allow them to continue to carry out their scams.”

I hope you’re convinced (and relieved) that the world (or more directly the Internet) is unlikely to end on April 1, 2009 or anytime thereafter because of the actions of malware programmers. Either way most people want to know that their computer system is secure and they’re protected with which I heartily agree.

Let’s look at (1)a quick check list of items that will need to be in place to protect your computer system(s) and (2) how to check to see if your system might already be infected.

(Note: Clients of Shafer Consulting that have an active service agreement are protected as all updates and anti-virus protection are checked/executed as part of the monthly services items.)

Check the following to see if your protection is current:

1. Microsoft Windows updates should always be current. Microsoft released the initial fix for this back in October. If your Microsoft Windows computer is being updated regulary this patch should have been installed in the next update you did after mid-October 2008. If you really want to verify the update was applied then in your Windows machine go to the “Start” icon and then “Control Panel -> Add or Remove Programs” (Note: Depending upon the menu choice you’re using you may have to use “Start -> Settings – Control Panel ->Add or Remove Programs”)

Once in the “Add or Remove Programs” area check the box at the top of the page that is titled “Show updates”. With this item selected you will now be able to see all the installed programs and the Windows updates that have been installed. You want to verify that KB958644 has been installed.

2. Anti-Virus: In today’s connected world *no* computer should be without anti-virus software. Moreover it’s essential to make sure that the anti-virus software is regularly updating the virus signatures. Typically when you open the anti-virus software you will see a place that gives the date of the last update or the date of the signatures database. Make sure this is less than several days old at most. If older than several days run the “update” option and make sure it worked! A full scan of your computer probably isn’t a bad idea either when not in use such as during lunch or at the end of the day.

A simple check for current infection:

1. Try contacting one of the links below that connect to well known anti-virus vendors. Conflicker is setup to block access to the most commonly known anti-virus vendor sites such as McAfee, Symantec and Kaspersky. If you can reach these websites you’re machine is likely *not* infected.

http://www.mcafee.com
http://www.symantec.com

If you think you might have an infected machine McAfee (the anti-virus company) has a special version of their “Stinger” malware removal tool that is being updated daily. It can be downloaded at:

http://www.majorgeeks.com/McAfee_AVERT_Stinger_Conficker__d6157.html

Eugene Kaspersky, founder and CEO of Kaspersky Lab, gives an insider’s view to the Internet Cybercrime Ecosystem and the quick and dirty on the how’s and why’s.

Read this and you might come away with a whole new outlook on Internet security. Either way it’s and interesting insight into the world of professional computer crime and it’s effects on everyone.

Go to Cybercrime Ecosystem

The update is easily done in a minute or two and given the severity of the security issues is highly advisable.

Video instructions here: Java Update Video and step-by-step instructions below.

2. Go to “Start” and select either “Control Panel” OR “Settings” -> “Control Panel” depending upon which start menu view you are using.
3. Once in the Control Panel screen look for an item marked “Java” with this icon and double-click it to open the Java console.
4. On the top row tabs will be a choice marked “Update”. Click that to open the Update panel.
5. On this panel will be a button marked “Update Now”. Click that and following the update instructions. In the case of the video my computer was already updated.

The email shown here is what is known as “a phish” or “phishing attack.” While this one in particular is an attack on those having a PayPal account, phishing attacks have been conducted on virtually all well known financial institutions including banks and credit unions.

To get an understanding of how this is done let’s dissect this rascal and see what’s behind the scenes!

Those familiar with the PayPal service and its logos will likely agree this looks very official, and indeed it should as the attacker is actually using PayPal’s logos from www.paypal.com. For example here’s the HTML code (the language used to create web pages) from the email for the PayPal logo at the top of the page. If you click on the underlined part of the item below you will see that it takes you to the actual PayPal logo at the real PayPal site of paypal.com.

< img src=”http://images.paypal.com/en_US/i/logo/email_logo.gif” alt=”PayPal” border=”0″/>

If you’re not familiar with HTML code, don’t worry about it. The important point here is that those creating phishing attacks do link to the real graphics for logos and other distinctive items at the legitimate web site to make their fake email look more authentic.

Now let’s look at the attacker’s goal and how the actual attack takes place. The attacker’s goal is usually simply to get the unwary user to believe they are actually complying with an official request from the given institution (PayPal in this case) and to get the user to enter their private data such as login name and password. Other phishing attacks similarly try to get users to provide account numbers, passwords, credit card numbers and similar information. In short, any data that the attacker can use to conduct a fraudulent transaction to his financial gain.

The “how” they accomplish this is by hiding the link to where you’ll actually be taken if you click on the link in the letter. Let’s clarify this with the current example above. In the email shown above we see at the end of the first paragraph the sentence ..

You can submit additional information at the following link:

followed by the rather official looking link:

https://www.paypal.com/cgi-bin/webscr?cmd= login-run

Let’s look at the actual HTML code for this email again to see what’s really going on here. The actual code for the above link is:

< a href=”http://some-place-other-than-paypal.com” target=”_Blank”>https://www.paypal.com/cgi-bin/webscr?cmd=_login-run< /a>

The above is how a link to another area on the web is coded within HTML. Notice that the second part, starting after the “_Blank”>” section is the same as that which appears in the link given in the graphic of the actual phishing attack email above. This is the visible part of a hyperlink. Where the hyperlink actually takes you is given by the first part which in this case I have replaced with a fictitious link titled “http://some-place-other-than-paypal.com,” which is exactly what happens. The attacker takes you to a fraudulent site that is made to appear legitimate

Let’s demonstrate this with the actual working link. Note, nothing will happen here as this is a fake link and you’ll just get a “page not found” error if you try. The important thing to note is to look at the actual link given at the bottom of your browser when you position the mouse over the visible link. Notice you’re actually being shown the hidden link of “http:// some-place-other-than-paypal.com”

https://www.paypal.com/cgi-bin/webscr?cmd=_login-run

This is the heart of a basic phishing attack. I obviously used a fictional place and did so for several reasons, in a real situation the attacker will direct the unwary user to a fake site that has been set up to look like the real thing and then have the victim submit the items mentioned above such as login names, passwords, credit card numbers and other personal items that can be exploited for personal gain by the attacker.

New and more sophisticated attacks have been developing over the past year that add a few twists and turns to how the attack is conducted but the above outlines the primary concept of redirecting the unwary user to an area meant solely to fraudulently capture the private data.

Protecting Yourself

If you receive such an email, the safest bet is to just delete it. If you believe that the email might be legitimate, don’t click on links given in the email. Instead start your browser and type in the URL for the institution yourself and then log into your account.

As an example, PayPal did send out emails to account holders a while back requiring that they agree to some changes in the terms of service. Not even bothering to see if they were legitimate, I just deleted the email, started Firefox, and logged into my PayPal account. Sure enough, there was a message there requiring some actions on my part.

Moreover you can help prevent these miscreants from plying their illicit trade by forwarding the phishing email to ‘reportphishing@antiphishing.org’.

Also, many organizations such as ebay and PayPal are using the universal email address of “spoof@the-institution-name.com” such as spoof@ebay.com or spoof@paypal.com.

Thoughts, comments and questions welcome. Tell us what you think!

The enterprise security threat environment for 2006 and 2007 includes a marked increase in sinister security threats — targeted, intentional criminal attacks originating from outside the enterprise, and collusion between criminals and inside contacts — according to Daniel Blum, senior vice president and research director at Burton Group. Blum’s research shows that with global deterrents from law enforcement being weak, criminals are organizing into an underground economy of specialists. Near-term results include increases in the volume and scale of criminal attacks on companies and consumers.

PENNSYLVANIA LOTTERY WARNS PLAYERS TO BE WARY OF A SCAM USING LOTTERY LOGOS
MIDDLETOWN, Pa. – Recently, a number of consumers have received an e-mail titled “CONGRATULATION! CONGRATULATION!! CONGRATULATION!!!,” which fraudulently uses Pennsylvania Lottery logos. These e-mails, as well as other similar e-mails touting a lottery prize, are a scam according to the Pennsylvania Lottery’s Security Office.

The current fraud using the Pennsylvania Lottery name and logos is an attempt to access personal information, such as Social Security numbers or bank account information.

The Pennsylvania Lottery does not notify winners via e-mail or any other method when they win a Pennsylvania Lottery prize. Winners must contact the Lottery when they have a winning ticket. Each individual who wins a Powerball or other Pennsylvania Lottery jackpot prize must file a claim in person at Pennsylvania Lottery headquarters to receive his or her prize.

No not the kind that’s rather tasty sliced and toasted (that’s bagel) but a new variant of the Internet worm that just won’t die. Or at least go away.

Round about last Friday (March 3, 2006) a new variant of the bagle worm was being captured by security labs and seen by potential victims that threatens legal action against the recipient.

Some of the common subject lines are:

Pay your debts before we come to you
Call to your lawer immidiately
Lawsuit against you
We wait your response

As usual the bad grammar and spelling should be a tip-off as to the less than upright intentions and validity of the message.

The object of course is to get the alarmed recipient to throw aside a normal degree of careful judgment (thou shalt not open attachments from unknown sources) and react to the message. That reaction will hopefully, from the worm writer’s viewpoint, include a quick double-click on the attachment. Doing so will not surprisingly infect the computer with this latest variation of the bagle worm variously named by respective parties as:

Email-Worm.Win32.Bagle.fr (Kaspersky)
W32.Beagle.DX@mm (Symantec)
W32/Bagle.dy@MM (McAfee)
W32/Bagle-DO (Sophos)
Win32.Bagle.FM@mm (BitDefender)
Win32/Bagle.AN (CA)
Worm/Bagle.FS (Avira)
WORM_BAGLE.DQ (Trend Micro)

As always keep your anti-virus software up to date and avoid opening attachments until certain of their origin.

SIDE NOTE:

If you have an attachment that you believe is legitimate one small tip that helps prevent mishaps is to always first SAVE the attachment to the hard drive (In Outlook use File -> Save Attachments) before opening. Doing so typically causes the real time anti virus scanning engine in your anti virus software to give the file a once over for nasties. Not all anti virus packages scan email or have that option turned on so the save to disk procedure gives an extra edge of protection.

Related Links & Reading

1. Demystifying Spyware/Malware Security Series

The electronic thefts occurred by infecting the victims’ computers with a key logging
program embedded in emails and malicious web sites. The key logging software
was particularly stealthy in that it remained essentially inactive until a victim
used their computer to contact their bank online. At that time it would record
login and password information and send that via the Internet to a site to be
retrieved by the computer crime gang.

With the login credentials in their possession the hackers could then access
the victim’s financial accounts at will and monitor balances and transactions.
Once they determined there was a sufficient level of funds to be worth the risks
they would transfer the monies to accounts of third parties known as mules in
the jargon of money laundering. Mules are awarded typically a 5-10% commission
for aiding in the transfers and may or may not be aware of their participation
in the electronic crime schemes.

Quoting security expert, Nicolas Woirhaye, from the article:

“He said the best way to beat pirates was to use up-to-date anti-virus software.

“All the French victims were trapped because they didn’t have any [computer] protection,” he said.

To which we would add that not only is a quality anti virus program with up to date signatures a must but so is one of the top anti spyware software programs. Information gathering programs such as key loggers aren’t always detected by traditional anti virus software but are one of the primary areas of focus for the high end anti spyware products.