Archive for 30. January 2009

Spam rules the Email world in 2008

Sexual performance enhancers and pharmaceuticals were the most common subjects used by spam in 2008

GLENDALE, Calif., Jan. 28, 2009 - PandaLabs, Panda Security's malware analysis and detection laboratory, today revealed the results of its analysis of 430 million email messages from 2008 and found that only 8.4 percent of messages that reached companies were legitimate. Some 89.88 percent of messages were spam, while 1.11 percent were infected with some type of malware. This data was compiled from the analysis performed by TrustLayer Mail, the clean mail managed service from Panda Security.

Only January 2008 witnessed levels of spam below 80 percent. The amount of spam fluctuated throughout the year, peaking in the second quarter at 94.27 percent of all mail reaching companies.

With respect to infected messages in 2008, the Netsky.P worm was the most frequently detected malicious code. This type of malware activates automatically when users view the infected message through the Microsoft Office Outlook preview pane. It does this by exploiting a vulnerability in Internet Explorer that allows automatic execution of email attachments. The exploit of this vulnerability was detected by PandaLabs as Exploit/iFrame and was the third most frequently detected type of malware in emails by TrustLayer Mail.

“The fact that these two malicious codes often act in unison explains the high number of detections of both,” said Luis Corrons, Technical Director of PandaLabs. “Cyber crooks often launch several strains of malware with each exploit to increase the chances of infection, so even if users whose systems are up-to-date are immune to the exploit, they could still fall victim to infection by the worm if they run the attachment.”

The Rukap.G backdoor Trojan, designed to allow attackers to take control of a computer, and the Dadobra.Bl Trojan were also among the most prevalent malicious code.

Top malware in email:

1. Netsky.P.worm
2. Bck/Rukap.G
3. Exploit/iFrame
4. Trj/Dadobra.BL
5. Generic Malware
6. Trj/Downloader.PSJ
7. Trj/SpamtaLoad.DO
8. Trj/Downloader.PWR
9. Bck/Haxdoor.PL
10. Trj/Spamtaload.DZ

“For companies, spam is more than just a nuisance. It consumes bandwidth, wastes employees’ time and can even cause system malfunctions. In the end, it all results in a loss of productivity,” adds Luis Corrons.

Much of this spam was circulated by the extensive network of zombie computers controlled by cyber-crooks. A zombie is a computer infected by a bot, a type of malware allowing cyber criminals to control infected systems. Frequently, these computers are used as a network to drive malicious actions such as the sending of spam. Just in the last three months of the year, 301,000 zombie computers were being put into action every day.

Spam subjects in 2008

With respect to the different types of spam in circulation, 32.25 percent of spam in 2008 was related to pharmaceutical products with sexual performance enhancers accounting for 20.5 percent.

Spam relating to the economic situation also grew significantly throughout 2008. False job offers and fraudulent diplomas accounted for 2.75 percent of all junk mail in the year, while messages promoting mortgages and fake loans were responsible for 4.75 percent.

Spam promoting fake brand products, such as watches, was responsible for 16.75 percent of the total. This last category, nevertheless, dropped from 21 percent in the first half of the year to 12.5 percent in the last six months. To view the entire breakdown of the spam subjects that PandaLabs discovered, please access the data here: http://www.flickr.com/photos/panda_security/3234535186/

About PandaLabs

Since 1990, PandaLabs' mission has been to detect and eliminate new threats as rapidly as possible to offer our clients maximum security. To do so, PandaLabs has an innovative automated system that analyzes and classifies thousands of new samples a day and returns automatic verdicts (malware or goodware). This system is the basis of collective intelligence, Panda Security's new security model, which can even detect malware that has evaded other security solutions. Currently, 94 percent of malware detected by PandaLabs is analyzed through this system of collective intelligence. This is complemented by the work of several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.), working 24/7 to provide global coverage. This translates into more secure, simpler and more resource-friendly solutions for clients. More information is available in the PandaLabs blog: http://www.pandalabs.com and the Panda Security website: www.pandasecurity.com/usa.

SQL Server Database Hack Tricks Forensics

Black Hat researcher will show how the bad guys can use a database’s own features against it

A database security researcher will demonstrate at next month’s Black Hat DC how an attacker who breaks into a SQL Server database can cover his tracks using antiforensics techniques.

Cesar Cerrudo, lead researcher for Application Security’s Team SHATTER, and founder and CEO of Argeniss, says he will show a proof-of-concept that circumvents forensics investigations by abusing some inherent features in the database. “If the attacker has done a good job of removing his tracks, then it becomes pretty difficult to determine what was done, how it was done, why, and by whom,” Cerrudo says.

So far, Cerrudo says he hasn’t seen any database attacks that have gone to the next level like this yet. “But as criminal hacking is rapidly growing, and databases are where the juicy stuff is saved, in the future we will start to see more and more sophisticated attacks,” he says, especially since many big breaches are the result of database hacks.

And in the current economic climate, the risk of an insider attack is even higher. The financial pressures of a possible layoff or otherwise could entice a database operator to go rogue. “The main point of this research is that if you don’t properly protect database servers, soon or later you will get hacked and probably lose millions of dollars,” he says.

Although Cerrudo’s research focuses on SQL Server, any database could be hacked and manipulated with antiforensics, he says. Among the database features that the bad guys can use for nefarious purposes are the ability to load external libraries or binary code, which can manipulate the server itself. Buffer overflow attacks are another way to do so as well, according to Cerrudo.

All it takes is for an attacker to gain database administrative privileges — which is not difficult if the database isn’t locked down properly — by exploiting a vulnerability in the database or stealing the credentials via a Trojan or brute-force hacking, for instance.

“Once you have enough privileges, you can do anything on any database server. This includes loading code to database server memory, [and] then this code can manipulate all functionality and let the attacker perform any actions” on the database he wants, Cerrudo says.

If the database hack using antiforensics is detected, some of the damage can be discovered by forensics, such as stolen data or changes made to the data stored in the database, for instance. But how it was hacked or who did it would remain a mystery, he says.

An attacker who infiltrates a database can even frame another person for the attack using antiforensics techniques. “One of the scary things about these antiforensics techniques is that the attacker can point investigators in the wrong way by making it look like another person performed the attack,” Cerrudo says.

The attacker could leave behind phony tracks that incriminate the victim organization's database administrator so that when the forensics investigators do their work, all evidence leads to the database admin rather than the real culprit. "Without logs or [with] confusing logs, investigation becomes harder, the evidence is not enough, and in order to find the real culprit you must find real evidence that points to him," Cerrudo says.

How can an organization protect itself from such an attack? “Nowadays, using a third-party monitoring mechanism should be a must since built-in security mechanisms can’t protect [the database] once the attacker has enough permissions,” he says.

Cerrudo also recommends regular database patching, strong passwords, and periodic database vulnerability scans.

Malware bomb at Fannie Mae

IT Worker Indicted For Setting Malware Bomb At Fannie Mae

IT contractor deployed highly malicious script before his administrative rights were terminated

A former IT contractor at Fannie Mae, angry at being terminated in October, has been thwarted in his attempt to crash all 4,000 servers at the mortgage services institution and wipe out all of their data.

According to a report from the U.S. Department of Justice, a federal grand jury in Maryland has indicted Rajendrasinh Babubhai Makwana, a contractor working at Fannie Mae’s Urbana, Md., facility, for transmitting a malicious script to the company’s servers.

The malicious code, which was set to execute on Jan. 31, was designed to propagate throughout the Fannie Mae network and destroy all of the company’s data, the DoJ says.

According to court documents, Makwana — who was employed by OmniTech, a third-party contractor that handles server administration for Fannie Mae — was censured by management on Oct. 10 after unintentionally distributing a server script without authorization. The documents suggest the mistake was so egregious that Makwana probably knew he would be fired, although his administrative rights were not revoked until hours after his official termination on Oct. 24.

Apparently, Makwana had been busy before he was kicked off the system. On Oct. 29, five days after Makwana had left the company, a senior Unix engineer found a malicious script buried in a legitimate script that validates the storage area network connections among the company’s 4,000 servers every morning at 9 a.m. A page break had been inserted between the malicious script and the legitimate script, making it less obvious.
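The hiding technique described in the complaint (extra code appended to a legitimate scheduled script after a page break) is easy to check for. The scanner below is an added example, not material from the indictment or from Fannie Mae; it assumes plain-text scripts and reports any form feed that is followed by non-blank content, using two constructed sample files.

```python
# Added example (not from the indictment): flag scripts that hide a second
# segment behind a form feed (page break), the layout described above.
import os
import tempfile

FORM_FEED = "\f"

def find_hidden_segments(text):
    """Return (line_number, first_line) for each form feed followed by
    non-blank content; line_number is the 1-based line of that content."""
    findings = []
    lines = text.split("\n")
    for idx, line in enumerate(lines):
        if FORM_FEED not in line:
            continue
        # Text after the break on this line, then every following line.
        tail = [line.split(FORM_FEED, 1)[1]] + lines[idx + 1:]
        for offset, candidate in enumerate(tail):
            if candidate.strip():  # strip() also removes \f itself
                findings.append((idx + 1 + offset, candidate.strip()))
                break
    return findings

def scan_directory(path):
    """Scan every file under path; return {relative_path: findings} for hits."""
    report = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings = find_hidden_segments(fh.read())
            if findings:
                report[os.path.relpath(full, path)] = findings
    return report

# Constructed samples: a harmless check script, and the same script with a
# page break and a placeholder second segment (no destructive commands).
CLEAN_SCRIPT = "#!/bin/sh\n# nightly SAN check\nls /dev/mapper >/dev/null\n"
SUSPICIOUS_SCRIPT = CLEAN_SCRIPT + "\n\n\f\n\n# HIDDEN_SEGMENT_PLACEHOLDER\n"

def demo_scan():
    """Write both samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"san_check.sh": CLEAN_SCRIPT, "tampered.sh": SUSPICIOUS_SCRIPT}
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_directory(tmp)
```

Calling `demo_scan()` reports only the tampered file, pointing at the first line of the hidden segment; in practice `scan_directory` would be run over the cron, at, and job-scheduler script directories.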

The malicious script was set to execute multiple tasks, all of them bad. First, it would wipe out all of the passwords on the servers, effectively locking administrators out. Then it would build a list of all servers that contained Fannie Mae data and wipe out all of the data, replacing it with zeros. This would also destroy the backup software on the servers, making the restoration of data more difficult because new operating systems would have to be installed on all servers before any restoration could begin, the court documents say.

The script would also remove all “High Availability” software from any critical server, the complaint continues. Then it would power off all servers, disabling the ability to remotely turn on a server. After the second run-through, the script would remove all of the files on the current host and try to zero out the root file system.

“Had this malicious script executed, [Fannie Mae] engineers expect it would have caused millions of dollars of damage and reduced, if not shut down, operations at [Fannie Mae] for at least one week,” the complaint says. “If this script were executed, the total damage would include cleaning out and restoring all 4,000 [Fannie Mae] servers, restoring and securing the automation of mortgages, and restoring all data that was erased.”

Makwana faces a maximum sentence of 10 years in prison. He had his initial appearance in federal district court on Jan. 6, following the filing of the complaint. Arraignment is scheduled for Jan. 30, 2009.

Industry experts warn that such exploits may become more common as the economy forces companies to lay off an increasing number of employees. Enterprises should be careful to terminate all data and administrative access rights for the affected employees before they have the opportunity to act in retribution, the experts warn.
