For quite some time now, I have been advising customers of the risk of installing a domestic-grade Wi-Fi Access Point. These units make it easy for anyone with a laptop in your home or office to connect to the Internet.

While the designers of these devices have included the ability to make the wireless signal secure this feature is normally disabled and must be enabled by a technician for security of the wireless signal to work properly.

Correctly enabling the Wireless Security feature is often overlooked or beyond the ability of non-technical users. This insecure wireless signal spreads out from the source and is easily hacked into by any knowledgeable user with a laptop computer.

These days many ADSL Modems are sold with the local Wi-Fi wireless facility built in and turned on. Many users are unaware that this signal will radiate and give anyone within range free access to this signal and therefore they will have access to the Internet and to the local network of PCs and other devices connected to that access point. If the owner of the ADSL Connection pays for the Internet by data volume used, the extra data used by the Guests could lead to a very large bill for excess usage.

This is exactly what happened to some businesses in the main street of Gatton. They were hacked into by people using Laptops in their cars in the street near their businesses, leading to unexpected accounts for excess data usage.

There are now three main types of data encryption to enable the wireless signal to be secure. The first and oldest of these methods is called WEP or Wired Equivalency Protocol – unfortunately this uses an encryption key that is transmitted with the data. These days’ hackers can capture a stream of data from a wireless access point that uses WEP decrypt the Key and then break into the Data Stream.

The newer security protocols are much harder to break and so now the computer industry recommends that users should be using WPA or WPA2 i.e. Wi-Fi Protected access of Wi-Fi Protected Access version2. With these new methods, all that is needed is to program into both the Access Point and the Laptop a starting key usually in the form of a “Pass Phrase”. This then rolls on automatically without the actual key being transmitted. Pass Phrases take the form of a sentence like “mydogbringsinthenewspaperforme” No one is going to guess that in a hurry.

Users who need help in setting up wireless or other networking systems can call a computer service such as Aspire Computing see advert this page. Wishing you Happy and Safe Computing.

News Ltd. recently reported that Tom Wood a 16-year-old, Year 10, Melbourne schoolboy had cracked the federal government’s new “NetAlert” internet porn filter released in August.

Tom said it took him about 30 minutes to break through the filter. Tom deactivated the filter after several clicks and his method ensures the software’s toolbar icon is not deleted so parents will think that the filter is still working. Tom said a computer-savvy child could post the bypass on the internet for other kids to use.

Communications Minister Senator Helen Coonan said the government had anticipated children would find ways to get around the filters so Suppliers were contracted to provide updates. She said “Unfortunately, no single measure can protect children from online harm and … traditional parenting skills have never been more important.”

Man steals personal info using Limewire file sharing program

from the Sydney Morning Herald

In the USA, the Justice Department recently arrested a man in its first case against someone committing identity theft by using a file-sharing program to steal digital data.

Federal prosecutors said the suspect used ’Limewire’ a file-sharing program to troll other people’s computers across the internet for financial information. He then used the info to open credit card accounts for an online shopping spree.

Authorities said they have identified least 83 victims – most of whom were teenage children who did not know the file-sharing software was on their computer. Investigators also believed the number of people affected was in the hundreds – and that in all, they lost hundreds of thousands of dollars.

Each day, computer users inadvertently share hundreds of thousands of sensitive files from bank statements, medical records, tax returns and legal documents stored on their computers’ Hard Disk Drives through such file-sharing programs. Typically the vulnerabilities occur after a user downloads and installs file-sharing software and accidentally allows it to share all files on a computer, rather than just the music files.

“If you are running file-sharing software, you are giving criminals the keys to your computer”. “Criminals are getting access to incredibly valuable information” said assistant US attorney Kathryn Warma.

“We continue to be frustrated that despite our warnings and precautions, a small fraction of users override the safe default setting that comes with the program and end up inadvertently publishing information that they would prefer to keep private,” said the Head of Limewire.

Chaim Lee from Aspire Computing advises that computer users need to get assistance from Qualified and experienced technicians to check out their security flaws and provide appropriate protection.

I have been reading the recent Security Threat Report: 2008 by Sophos a leading IT Security company. (http://www.sophos.com/sophos/docs/eng/marketing_material/sophos-security-report-08.pdf )

Unlike ten years ago, when virus writers were writing code for mischief; today’s attacks are organized, commercial ventures designed to steal information and resources from computers to make money. Cybercriminals are planting malicious code on innocent websites waiting to infect visiting web surfers.

Sophos says it discovers a new infected webpage every 14 seconds. That is 6000 new infected web pages per day. The majority of these sites (83%) are legitimate websites that have been compromised by an unauthorized third-party. Surfers are often lured to these compromised web pages via emails using social engineering tactics to attract unsuspecting users to visit. Also, hackers place their malicious code on sites which are known to have a high number of visitors. Once the site is infected, unwary visitors without proper firewall, security or patches, on their PCs can themselves be infected. The content of these sites varies dramatically. Because of the range of subjects that hacked sites cover, blocking sites by content is not sufficient to protect users against these threats.

This year, I have disinfected quite a few customers’ PCs each week that have been infected by drive-bys. In my own network, protection starts with a SonicWALL Unified Threat Management device located at the head of my network directly after the ADSL Modem. Then Adware/Spyware immunization & protection products are installed on each PC. If you need help with your problems please call me at Aspire Computing.

I had a customer ring a few days ago saying that some thousands of dollars had just been stolen from her bank account. Then this story arrived in my Inbox last night.

A banking Trojan designed to intercept Australian customers’ security details has been discovered. Security researchers say it can circumvent two-factor authentication and will force-feed 600 porn sites to infected PCs.

The Trojan, “Silentbanker”, installs itself as a .midi music player driver on Windows systems. It not only steals passwords, session cookies and digital certificates, but also directs infected computers to over 600 porn Web sites, which the attackers use to generate extra income.

“The scale and sophistication of this emerging banking Trojan is worrying, even for someone who sees banking Trojans on a daily basis,” said a Symantec security researcher.

The Trojan is targeting customers of 400 banks around the world, including banks from Turkey, the US, Europe and several banks from Australia, Symantec told ZDNet Australia.

“But it’s not just about these banks. The configuration information can be updated anytime, meaning that at any time, banks can be added or dropped from that list”.

The Trojan accesses the following URLs for configuration, updates, and to send stolen data:
• iloveie.info
• webcounterstat.info
• microcbs.com
• reservaza.com
• screensaversfor-fun.com
• mystabcounter.info
• 85.255.119.218

The Trojan also downloads a copy of Trojan.Flush.J, which changes the users DNS settings to the following attacker settings:

85.255.116.133
85.255.112.87

Call to Action

Symantec says: block these addresses at your firewall and keep your Anti-Virus definitions Up-to-date:

85.255.116.133
85.255.112.87

I have just done that on my SonicWALL TZ180 and please remember that if you can’t work it out call for help. Chaim Lee, Aspire Computing

17 January 2008 02:02 PM

Tags: banking trojan, porn, commonwealth bank, security, dns

A banking Trojan designed to intercept Australian customers’ security details has been discovered which can circumvent two-factor authentication and will force-feed 600 porn sites to infected PCs, according to security researchers.

The trojan, which installs itself as a .midi music player driver on Windows systems, not only steals passwords, session cookies and digital certificates, but also directs infected computers to over 600 porn Web site URLs, which the attackers use to generate extra income.

“The scale and sophistication of this emerging banking trojan is worrying, even for someone who sees banking trojans on a daily basis,” said Symantec security researcher, Liam OMurchu, on Symantec’s blog.

The trojan is targeting customers of 400 banks around the world, including banks from Turkey, the US, Europe and several banks from Australia, John McDonald, senior security response manager for Symantec told ZDNet Australia.

“But it’s not just about these banks. The configuration information can be updated anytime, which means that at any time, banks can be added or dropped from that list,” he told ZDNet Australia.

Because the bank’s real Web page is presented to the user, OMurchu fears that customers equipped with a second-factor one-time password — delivered by SMS or security “dongles”, which generate random authentication codes every few seconds — will not suspect anything and then enter their second-factor code, unwittingly giving the attacker their money.

“The ability of this trojan to perform man-in-the-middle (MITM) attacks on valid transactions is what is most worrying. The trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker’s account details instead,” said OMurchu.

However National Australia Bank’s general manager of technology, risk and security, Gary Blair, has previously said that MITM attacks are impossible where an SMS two-factor authentication system is used. NAB offers its customers one-time user passwords sent by SMS at the time of a customer making a transaction. But according to Symantec’s McDonald, this trojan can beat even that authentication system.

“I don’t believe it matters where passwords [are] delivered from, [the password] still must be entered on the Web page so it wouldn’t matter how it was sent — they still have to enter the password to the online banking form and that’s where it is intercepted,” said Symantec’s McDonald.

Want to know more?

For all the latest news, analysis and opinion on Security, click here

One variant of this trojan also changes a PC’s domain name server (DNS) settings to redirect browsers to attacker-controlled servers.

“This feature could also mean that if the trojan is removed but the DNS settings are left unchanged then the user may still be at risk,” said OMurchu.

Banking in Silence – Symantec

Targeting over 400 banks (including my own ! ) and having the ability to circumvent two-factor authentication are just two of the features that push Trojan, Silentbanker into the limelight. The scale and sophistication of this emerging banking Trojan is worrying, even for someone who sees banking Trojans on a daily basis.

This Trojan downloads a configuration file that contains the domain names of over 400 banks. Not only are the usual large American banks targeted but banks in many other countries are also targeted, including France, Spain, Ireland, the UK, Finland, Turkey—the list goes on.

The ability of this Trojan to perform man-in-the-middle attacks on valid transactions is what is most worrying. The Trojan can intercept transactions that require two-factor authentication. It can then silently change the user-entered destination bank account details to the attacker’s account details instead. Of course the Trojan ensures that the user does not notice this change by presenting the user with the details they expect to see, while all the time sending the bank the attacker’s details instead. Since the user doesn’t notice anything wrong with the transaction, they will enter the second authentication password, in effect handing over their money to the attackers. The Trojan intercepts all of this traffic before it is encrypted, so even if the transaction takes place over SSL the attack is still valid. Unfortunately, we were unable to reproduce exactly such a transaction in the lab. However, through analysis of the Trojan’s code it can be seen that this feature is available to the attackers.

The Trojan does not use this attack vector for all banks, however. It only uses this route when an easier route is not available. If a transaction can occur at the targeted bank using just a username and password then the Trojan will take that information, if a certificate is also required the Trojan can steal that too, if cookies are required the Trojan will steal those. In fact, even if the attacker is missing a piece of information to conduct a transaction, extra HTML can be added to the page to ask the user for that extra information. (In the example below the user is asked to enter their encryption key, in addition to the regular information.)

Here is the login form viewed on a clean machine:

Below the form presented to an infected user is shown, the input box added by the Trojan has been marked in red:

When instructed, the Trojan can also redirect users to an attacker-controlled server instead of the real bank in order to perform a classic man-in-the-middle attack. Currently there is only one bank targeted in this way; however, recent updates to the Trojan change the user’s DNS settings to point to an attacker-controlled server. Using this technique the Trojan can start redirecting any site to an attacker site at any time. This feature could also mean that if the Trojan is removed but the DNS settings are left unchanged then the user may still be at risk. (See below for the attackers’ DNS server addresses.)

Add to all of the above the ability to steal FTP, POP, Web mail, protected storage, and cached passwords and then we start to see the capabilities of this Trojan. But, it doesn’t stop there – don’t forget the porn! The Trojan also contains over 600 pornographic Web site URLs that can be shown to the infected user so that the attacker can make money from the referrals.

Lastly, the Trojan can also download updates, which it regularly does. It can also download other executables and it can use the infected machine as a proxy or as a Web server on any chosen port (in tests the http port used was 18102).

The multiple configuration files that the Trojan downloads are updated several times per day and currently the Trojan is capable of injecting HTML into about 200 different URLs. The configuration files are compressed and encrypted; however, after decrypting them we can see how the Trojan works in more detail.

The configuration files are structured as .ini files and each section of an .ini file represents a different task. Here is a snippet from the configuration file that was used to inject HTML into the banking form shown in the example above:

jhw21]
pok=insert
qas=someBankSite.com/xpage/loginxxxxxxxxxs.htm
njd=name="oppasswd;
dfr=14
xzn=/>n
xzq=2
rek=<div class="clear sep4"></div>
<label for="clave">Clave de firma: </label>
<input name="ESpass" type="password" size="8" maxlength="8"
class="input01 aleft w180"/>’
req=166

The configuration options in the snippet above are as follows:

The Trojan searches for the string name=”oppasswd; then it finds the end tag /> then it inserts the string into the page:

<div></div>

<label for="clave">Clave de firma: </label>

<input name="ESpass" type="password" size="8" maxlength="8"

class="input01 aleft w180"/>

Shown below is the HTML shown to the user on a non-infected computer:

<label for="clave">Clave personal: </label>

<input id="clave" name="oppasswd" type="password" size="8" maxlength="8"

class="input01 aleft w180"/>

</div>

And on an infected computer:

<label for="clave">Clave personal: </label>

<input id="clave" name="oppasswd" type="password" size="8" maxlength="8"

class="input01 aleft w180"/>

<div class="clear sep4"></div>

<label for="clave">Clave de firma: </label>

<input name="ESpass" type="password" size="8" maxlength="8"

class="input01 aleft w180"/>

</div>

The Trojan can take any of the following actions when altering the HTML of a page: insert, delete, replace, and replace all. The Trojan uses the keyword “ESpass” (see the form above) as a keyword when the user sends a page to the bank and the Trojan checks if the page contains that keyword. Using this technique the Trojan can recognize pages it has altered and can extract the relevant data from the page and send it to the attacker as well as to the bank.

The configuration files for this Trojan currently contain over 200kb of data; however, new URLs and HTML are being added to the configuration files on a daily basis. The Trojan is easily updated since the full HTML of any banking-related Web site is sent to the attackers. Using these submissions they can target banks for which they do not have bank accounts already. We are currently monitoring all of the updates to this Trojan.

The Trojan accesses the following URLs for configuration, updates, and to send stolen data:

• iloveie.info
• webcounterstat.info
• microcbs.com
• reservaza.com
• screensaversfor-fun.com
• mystabcounter.info
• 85.255.119.218

The Trojan also downloads a copy of Trojan.Flush.J, which changes the users DNS settings to the following attacker settings:

• 85.255.116.133
• 85.255.112.87

For protection, please keep your antivirus definitions up to date and block the above addresses at the firewall.

Note: Not only did this Trojan grab my attention for obvious reasons, but the Trojan also installed itself as a .midi driver, causing my music to stop! For the record, the Trojan adds itself the following registry key so that it is loaded in all applications that use sound:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\”midi1”

Posted by Liam OMurchu on January 14, 2008

The PC had been infected with Spam-Thru B and it was spewing out hundreds of Spam emails to non-existent addresses. This PC had been hijacked and made part of a Zombie Network.

Repairs involved Backing-up all useful data, re-formatting the Hard Disk Drive, Re-installing Windows and all User programs, re-configuring all User settings and Re-storing the previously Backed-Up User Data.

What Hyam Lee discovered led him to do a lot of follow up research which he then presented to the customer.

The following edited article from the New York Times Online edition tells the rest of the story.

“The bad guys are honing their weapons and increasing their firepower, they are taking advantage of programs that secretly install themselves onto thousands or even millions of personal computers; band these computers together into an army of zombies, and then use the collective power of the dragooned network to commit Internet crimes.

These networks are called Botnets and are being blamed for the huge spike in spam email, fraud and data theft that has bedevilled the Internet in recent times.

What is new is the vastly escalating scale of the problem — and the precision with which some of the programs can scan computers and steal specific information, like corporate and personal data, to drain money from online bank accounts and to get users to buy almost worthless shares.

So far, botnets have predominantly infected Windows-based computers, although there have been scattered reports of botnet-related attacks on computers running the Linux and Macintosh operating systems.

These programs are often created by small groups of code writers in Eastern Europe and elsewhere and distributed in a variety of ways, including by e-mail attachments and downloads by users who do not know they are getting something malicious. They can even be present in pirated software sold on online auction sites. Once installed on Internet-connected PCs, they can be controlled using a widely available communications system called Internet Relay Chat (I.R.C.) Command & Control servers.

Botnet authors assume that any personal document that a computer owner has used recently will also be of interest to a data thief.

Botnets systematically harvest stolen information and then hide it in a secret location where the data can be retrieved by the Botnet Master.

According to the annual intelligence report of security firm MessageLabs, more than 80 percent of all spam now originates from botnets.

The extent of the botnet threat was highlighted in late 2006 and early 2007; by the emergence of a stealth program called “rustock” that adds computers to the botnet.

Rustock has infected several hundred thousand Internet-connected computers including Mr Lee’s customer in Toowoomba and then began generating vast quantities of spam e-mail messages as part of a “pump and dump” stock scheme.

The author of the program, who is active on Internet technical discussion groups and claims to live in Zimbabwe, has found a way to hide the infecting agent in such a way that it leaves none of the traditional digital fingerprints that have been used to detect such programs.

Moreover, while rustock is currently being used to distribute spam, it is a general tool that can be used with many other forms of illegal Internet activity.

In late 2006, Mr. Stewart tracked trading of a penny stock being touted in a spam campaign. The Diamant Art Corporation was trading at 8 cents on Dec. 15 when a series of small transactions involving 11,532,726 shares raised the price of the stock to 11 cents. After the close of business on that day, a Friday, a botnet began spewing out millions of spam messages.

On the following Monday, the stock went first to 19 cents per share and then ultimately to 25 cents a share. He estimated that if the spammer then sold his shares at the peak on Monday he would have realized a $20,000 profit. By Dec. 20, those shares were back down to 12 cents.