Bill Williams (IT): Support Site
Bill Williams (IT): Support Site

adv20_331.gif
[home] | [profile] | [register] | [help] | [Contact Us]

[Sections]
[Security Tips]
       this page
Security Tips   [Tell someone about this]
By Cyber Criminals, Viruses and Trojans
Bill Williams


Edit MessageUploaded - 10 Apr 2011 23:23


First of all stop thinking of virus/trojan writers as Hackers. The culprits are criminals using cyber techniques. The days of the 'hacker' who were mostly harmless adventurers poking around are gone.

Modern stuff is serious crime, run by criminal gangs, and sorry to say the worst of them are in Russia. The Bosses employ those hackers, who have turned to the dark side, to do the dirty work.

The days of the simple viruses are also gone. The earlier viruses were mostly written as a sort of graffiti by kids with the same sort of attitude as graffiti artists, i.e "show the world what I can do but don't let them find out it was me". Early viruses had objectives of seeing how far and fast they could propagate and though some did malicious damage most often the payload was just a joke, such as causing your screen characters to fall to the bottom or the screen turn sideways etc. i.e if it had a payload it was a visible one.

Modern malware, including viruses, worms and trojans try to be as invisible as possible.

Bill.

Bill Williams


Edit MessageUploaded - 10 Apr 2011 23:25

The first objective of the cyber-crim is to get a trojan into the victim's computer, There are many ways of doing this. A trojan is (usually) a program that permits the cyber-crim to install any programs that he wishes onto the victim's computer by remote control over the Internet.

A self-propagating virus could have an invisible trojan program as its payload. The virus might be started on one computer of a network and then copy itself to other insecure computers on a network. The trojan will then end up on all the insecure computers.

A trojan might be inserted by the same technique as its name obviously come from, i.e a harmless looking gift which contains the trojan. These are most often propagated by spam emails of many many kinds, which have links to 'something good' to attract the victim. Or it might for instance have been inserted into a copy of a legitimate shareware program and then uploaded to one of the many shareware distribution sites. Or it might have a fake name and appear to be a harmless picture or text file from its name, but is actually an executable program, which possibly disguises its action, by installing the trojan and then performing the apparent action of displaying a picture or text file.

A trojan might be inserted via an EXPLOIT. An exploit is generally an insecure bit of programming in standard legitimate programs, which can be 'exploited' to insert external coding into that legitimate program, sufficient to fetch and install a trojan.

The most frequent type of exploit that you will see is a 'buffer overflow'. Within some programs instructions and data are mixed together and a buffer overflow might occur as in this example. Suppose a program is inputing some stuff from a user in a typical input box on the screen, say the users name or email address. The legitimate programmer assumed that the name would not be longer than 60 characters, so he assigns a buffer 60 characters long. The compiler might allocate 60 bytes for that buffer and then carry on compiling more instructions. Now if the original programmer is careless and does not check or restrict the size of the incoming information before it is written into the buffer, it might jam a large input into the small buffer and would overflow. The incoming stuff would then overwrite the following instructions.

Now if this happens by accident the incoming characters considered as instructions will be nonsense and the most likely result is that the computer crashes or hangs. But if a cyber-crim (ex-hacker) knows of a particular buffer-overflow insecurity he can carefully craft characters in the overflow portion so that they are not nonsense but are a loader of trojans instead. So it loads the trojan and then crashes. After the re-boot the trojan is in place.

Cyber-crims learn of insecurities in various ways, by their own investigations, by publications on hidden criminal forums, etc or by buying them from each other. There's plenty of victims out there so they probably don't mind selling their second best exploits to each other. Dark-hackers might actually develop the whole exploit and sell it as an injection tool.

Most of the patches issued by Microsoft on it's monthly updates are to fix insecurities by re-writes which perform the checking or restricting that the original programmer should have put in in the first place, thus closing the exploit.

How do they get the bloated data into a relevant buffer on the victim's computer? Well usually it is from stuff output by a dodgy or compromised website. Within an internet browser program (Internet Explorer, Firefox etc) many actions take place when a page is received from a website. Internally some of these use buffers and some of the programming is insecure. Firefox is generally considered to have less such insecurities than Internet Explorer, mainly because the program is open-source so many many people read the actual programming and report insecurities. Unfortunately it also means that dark-hackers can also read the programming looking for new insecurities on which they can write exploits.

Where the buffer overflow insecurity is in the programming of a legitimate website itself, it is somewhat easier for the cyber crim as they can merely (?) compose the exploit and then feed it directly to the website. So they can get a hidden program onto the website itself. This can then be used to rework legitimate web pages so that they contain exploits which will then infect users computers.

Bill.

Bill Williams


Edit MessageUploaded - 10 Apr 2011 23:26

A new form of exploit arose recently which was the cause of over 80% of the infections last year (or the year before).

http://www.computerworld.com/s/article/9157438/Rogue_PDFs_account_for_80_of_all_exploits_says_researcher Link


Some idiot in Adobe Inc thought it would be a great idea if PDF files (Portable Document Format) could also be forms for filling in and it would be 'nice' if the designer of the form was able to program in checks on values etc before the complete form was sent back to the originator. Adobe did this by including the ability to write programs in the language Javascript within a PDF file.

In essence not a bad idea, BUT, the number of PDF files including forms is probably way below the 1% mark, yet Adobe chose to ENABLE this capability by default i.e. PDF files can contain executable programs INCLUDING MALWARE and since Adobe Reader version 6 onwards this can execute silently.

In itself, this is not bad because the Javascript is supposed to be limited to performing actions relating to the form, but the problem is that just about all the software written by Adobe is riddled with insecurities, many of the buffer-overflow type. This means that malware in a PDF file can exploit one of these insecurities to inject instructions into Adobe Acrobat Reader and those instructions can install a trojan into the rest of the victim's computer.

Adobe inc do not make it easy to find the list of exploits & fixes, it is not on their main menues, but if you want to see the raw facts click this Link

Adobe have been issuing patches frequently to fix these insecurities, which is why it is very important that if you want to use an Adobe Reader later than version 5 it is very important that you update to the latest version and that you allow it to download further updates.

Despite knowing all the chaos they have caused and despite the very small quantity of legitimate PDF files that need Javascript, Adobe have not (yet?) done the obvious thing of turning off Javascript by default and then popping up a box if it is actually needed. Despit the fact that they actually reccommend turning it off.. What egotistical wallies!! Link

Turning off Javascript does not make it completely safe, but it is a lot safer.


Revised on 10 Apr 2011

Bill Williams


Edit MessageUploaded - 10 Apr 2011 23:27

So what does a trojan malware program do?

Well first of all, like ET the Alien, it 'phones home', since the infections are scattered on the wind, the crim will not know that a computer has been infected until it calls home.

Naturally the crims, make the call home as invisible as possible so a variety of techniques are used, to make the crims difficult to trace. One method is to use the IRC internet protocol, the original version of instant messaging (like Windows Live Messenger etc.). It's possible to use legitimate IRC servers, by sending to a specific user ID. The crim-user logs in to the legitimate IRC server from time to time and from a different IP address each time, so s/he cannot easily be traced. {the crims-actions are all automated of course}.

The trojan sends the IP address(es) of its infected computer etc and a name etc and will probably try open any firewalls for particular ports.

The cyber-crim then adds this computer to his database of infected computers or robots, collectively known as his BOTNET.

The crim can then send programs to the trojan for the trojan to install in the infected computer. One of those programs could well be a keylogger program. This will record all keystrokes typed by the victim on his keyboard, so it is quite likely to contain internet addresses of banking websites etc and anything typed shortly there after is likely to be an account name and password. Banks try to prevent this working by asking for only part of a password, but a frequent on-line bank user will eventually have typed in many of the combinations and the whole password will be obvious over time.

Another common program to be installed by the trojan is a spam mail relay program. The billions of spam emails are not nowadays sent from a few spammers locations (they would be found out and blocked) instead they are sent out by botnets. The botnet crim send a sample email and a big list of email addresses over the net to his slaved computers and each one will silently send out hundreds of thousands or millions of spam emails. The crim will of course use this to send out more infection emails to expand his botnet, but he will also rent out his botnet for sending more conventional spam such as the many adverts for Viagra.

Other installed programs will search the files of the infected computer looking for valid email addresses for mor span and for any passwords in files.
NB: Never name a file of passwords with an obvious name like passwords.txt and never include the word 'password' or 'key' or 'passkey' as headers or such within such a document. And never use any financial passwords on any other websites etc and always create a different password for each different financial situation.

<enough for today. I will try explain more at a later date>

If you want more right now read this white paper from Sophos
http://web.sophos.com/sph/enterEmailAddress.jssp?PivotalWebId=sophos-security-threat-report-midyear-2010-wpna&FormName=White_Paper&lang=en&Resource=sophos-security-threat-report-midyear-2010-wpna&returnUrl=/security/whitepapers/sophos-security-threat-report-midyear-2010-wpna?action=lead_collected
Link

You have to 'sign-up' to download it {probably because Sophos would like to find the dumbest criminals who give out their contact info to read the report about their criminal activities.


Revised on 10 Apr 2011

Bill Williams


Edit MessageUploaded - 10 Apr 2011 23:30

Some attempts to gain password info are very simple and just use fake emails.

For example this one:

quote:

Dear Lloyds TSB Online Customer,

In the event of providing a more secure environment for online activities,
we periodically screen accounts and restrictions were placed on
your account in the process, due to suspicious account activities.


To regain full access to your account please by fill in all
the details that are required to complete this verification process.


To do this we developed a new secure way that keeps your banking safe,
we have attached a form to this email to complete this process.
Please download the form and follow the instructions on your screen.


If you choose to ignore our request, you leave us no choice
but to temporary suspend your account.


Sincerely,
The Lloyds TSB Security Department
~~~~~~~~~
Attachment: restricted.htm


Now in a lot of cases the attachment 'type' would also be a fake and it would actually directly install a trojan in the victim's system. So I investigated this one carefully under a Linux operating system and found it actually was a real HTM file (i.e. a web page in a file instead of on a server) so I inspected it. It is all 'charmingly' simple, it just asks you ALL the details needed to get all you money from bank and credit card and then instead of sending that info to Lloyds bank it sends it to an un-named server belonging to the cyber-crim.

If you were foolish enough to open the attachment you would see the request form shown below. No seasoned Internet user would fall for this one I hope, but a naive user only recently introduced to the Internet could easily fall for it. The scam is stupidly assisted by the fact that the real Lloyds bank does not prevent its images of the logo etc from being used by web-pages that are not on the Lloyds website. So the fake page below carries genuine logo's which would conveniently be kept up to date by the bank itself.

~~~~
For anyone reading this, please note for future reference. NO REAL BANK WOULD EVER SEND OUT SUCH AN EMAIL REQUEST to re-affirm your login details etc.!! If you get such an email jjust delete it immediately.





Bill.

Bill Williams


Edit MessageUploaded - 10 Apr 2011 23:32

The first approach when trying to figgure out how to make any program do what you want is to drop down its HELP menu and see what is there. Or press the HELP key F1 on your keyboard.

In the case of Firefox the help information is not held locally on your computer it is at the Firefox website, where it provide a search box. I typed [password removal] in the search and it cam up with various pages, not directly answering the question, but one of them was this:

http://support.mozilla.com/en-US/kb/Protecting+stored+passwords+using+a+master+password?s=password+removal&as=s Link

Which shows how to install a master password to protect all the stored website passwords.

As you see a short way down that help page it tells you to drop down the EDIT menu and select PREFERENCES and then SECURITY.




And you could follow the procedure to set a master password, but also on that dialog box is a button called [saved passwords]. Click that button and it leads to the dialog box for managing the saved passwords and for removing them from the list.

REMINDER: On ordinary shopping or discussion websites etc never define the same password(s) that you use for any of your financial logins such as banks or Paypal or credit cards etc. And try to avoid having a shopping site remember your credit card details (unfortunately a lot of them do memorise the details). If it does memorise your credit card detail go back to your shopping site account details and make sure you used a good secure password or change it to a good one.. A good password should be LONG at least over 12 symbols long and should contain both upper and lower case letters, some digits and some graphic symbols if allowed. Keep a record of your passwords in a secure paper booklet such as an old diary and don't make it too obvious which website a given password belongs to.

Tips for making passwords: try using a few simple rules to help you. e.g
i)use TWO or THREE words strung together (no spaces),
ii)perhaps use digits to separate the words. iii)Use some sort of rule for the digits such as the digits of the date on which you defined the password or a count of the letters in the preceding word
iv)Avoid capitalizing the first letter of each word, instead always capitalize the second or the third or the last or those letters that happen to occur in your own name or in the other word of a two word pair.
v) don't tell anyone else the rules you choose.


Bill.

Revised on 10 Apr 2011

Bill Williams


Edit MessageUploaded - 10 Apr 2011 23:33

On Internet Explorer if you drop down Help and search around what is supplied you should eventually find this (for Internet Explorer 7):

quote:

Delete webpage history
As you browse the web, Internet Explorer stores information about the websites you visit and information that you're frequently asked to provide (for example, your name and address). The following is a list of the type of information that Internet Explorer stores:

Temporary Internet files
Cookies
A history of the websites you've visited
Information that you've entered into websites or the Address bar (this is referred to as saved form data and it includes things such as your name, address, and the website addresses that you've visited before)
Passwords
Temporary information stored by browser add-ons
Usually, it's helpful to have this information stored on your computer because it can improve web browsing speed or automatically provide information so you don't have to type it in over and over. You might want to delete that information if you're cleaning up your computer or are using a public computer and do not want any of your personal information to be left behind.

To delete all browsing history

In Internet Explorer, click the Tools button, and then click Delete Browsing History.
Click Delete all, and then click Yes.
To delete a specific category of browsing history

In Internet Explorer, click the Tools button, and then click Delete Browsing History.
Click the Delete button next to the category of information you want to delete, click Yes, and then click Close.
Notes

You should close Internet Explorer when you're done to clear cookies that are still in memory from your current browsing session. This is especially important when using a public or kiosk computer.
Deleting all browsing history does not delete your list of favorites or subscribed feeds. It only deletes temporary files, browsing history, cookies, saved form information, and saved passwords.


Bill.

Bill Williams


Edit MessageUploaded - 10 Apr 2011 23:35

Phishing

The fake email above is a simple instance of what is generally known as phishing [Phoney fishing ?]

Most often it is not an attachment but a link in the email that is fake

Which is why it is best to always view your emails as plain text.

It's nice maybe to have those pretty emails with logos and backdrop paper textures etc, but its far safer to look at them as plain text so that you do not get fooled by fraudsters.

Here is a phishing attempt I received some time ago. It pretends to be from HSBC and tells me about fraudulent attempts.

quote:
Hsbc Bank plc. is hereby announcing newly upgrade security system. We have been dealing with cases of fraudulent messages in recent times and we have decided to carry out a verification exercise on all of our customers account to prevent them from being victimized.
Due to the recent security upgrade, you are requested to follow the link below.http://www.hsbc.co.uk/1/2/personal/pib-home/

We appreciate your understanding, as we work towards making Hsbc
Bank a safe and reliable place to do business.
Thank you for your patience in this matter.


And here is the actual text of the key sentence:

Due to the recent security upgrade, you are requested to follow the link below.<a href="http://www.manualdirectory.co.uk/menu/hs/index.php">http://www.hsbc.co.uk/1/2/personal/pib-home/</a><br><br>

The RED bit is where it will actually go if you click the link (a crim's website), the Green bit is where it LOOKS as if it will go if you view your email in HTML pretty format.

REMEMBER: Real Banks will never ask for this kind of information. If you see an email of this type delete it without compunction. :-)smile


Another typical phishing attempt:

quote:

Dear Citibank Customer,
We recently noticed one or more attempts to log in to your Citibank account from a foreign IP address and we have reasons to believe that there was attempts to compromise it with brute forcing your PIN number. No successful login was detected and you have full protection by now. If you recently accessed your account while travelling, the unusual login attempts may have been initiated by you.

The login attempt was made from:
IP address: 173.127.187.124
ISP Host: cache-822.proxyserver.cis.com

By now, we used many techniques to verify the accuracy of the information our users provide us when they register on the Site.
However, because user verification on the Internet is difficult, Citibank cannot and does not confirm each user's purported identity. Thus, we have established an offline verification system to help you evaluate with whom you are dealing with. The system is called CitiSafe and it's the most secure Citibank wallet so far.

If you are the rightful holder of the account, click the link bellow, fill
the form and then submit as we will verify your identity and register you to CitiSafe free of charge. This way you are fully protected from fraudulent activity on all the accounts that you have with us.

Click to protect yourself from fraudulent activity!

To make Citibank.com the most secure site, every user will be registered to CitiSafe.

NOTE! If you choose to ignore our request, you leave us no choice but to temporally suspend your account.

* Please do not respond to this e-mail, as your reply will not be received.

Regards, Citibank Customer Support



In phishing attempts, of course, the target website is preset to look exactly like or in the same style as the real Bank's website. And it contains a fake login page. Some really crafty techniques are used, such as superimposing an invisible page on top of the real page from the bank. and/or using man-in-the-middle techniques whereby the info the victime types in is also passed to the real bank and the victim ends up logged into his bank for real without realising that his/her credentials have been stolen.

On a real bank, the login page will be a SECURE page, check the address bar; it should begin with HTTPS with that extra S there indicating SECURE.


Bill.

Bill Williams


Edit MessageUploaded - 10 Apr 2011 23:36

Members might find this article interesting; It describes the criminal processes mentioned above.

http://www.scmagazineuk.com/avalanche-botnet-moves-from-distributing-spam-to-zeus-lures/article/181641/?DCMP=EMC-SCUK_Newswire
Link


Bill.


To search for
a particular item or
a particular place
type a word or the
name of the place
in the find box near
the top of page
and click the
FIND button.

*

Home Page.

Click to Add Comments.
	
	
	
	
	
	
	

Implemented by Bill Williams (IT)
based on ASP Forum.

3762
adv20_331.gif