Archive for the ‘Security News’ Category

January 31st, 2012

PandaLabs Annual Report – 2011

Today we are publishing the PandaLabs report, where you can enjoy an overview of the main figures and security news that have happened in the last 12 months, as well as some figures. You will see how malware creation hit a new record high in 2011 with 26 million samples, that Trojans continue to be the most pervasive malware threat, and some nice stories about cybercrime and cyberwar, as well as some other information about social networks.

I really hope you enjoy it, you can download the report here.


Read the rest here:
PandaLabs Annual Report – 2011

February 7th, 2011

Supertrojan Supersighs Me

While trying desperately to catch up with some email before flying out for the upcoming AMTSO workshop, I came upon a reference (tip of the hat to Rob Slade) to an article by Loren Grush about a “Supertrojan computer virus”.

Despite my inevitable supersighs at terminology that confuses “Trojan” and “virus”, this turns out not to be an “end of computing as we know it” hypefest (or a TEOTWAWKI, as Graham Cluley is apt to refer to overblown security stories). A pity, really, as I would have loved to get the chance to describe a Fox as a Chicken Little.

December 21st, 2010

Security Too Hard? Think Globally; Act Locally

Hardly a day goes by that I don’t read the security news and shake my head. One article tells how thousands of records containing personally identifiable information were stolen from Another talks about password disclosures of hundreds of thousands of accounts to popular web services because of commonly exploited vulnerabilities such as weak passwords or SQL injection or cross-site scripting vulnerabilities that allowed criminals easy access into protected systems. Sometimes it feels like I am on a roller coaster that travels the same loop over and over again.

These days securing your information has become increasingly difficult. Not only does it appear in the databases of hundreds of marketers, banks, and online services, but your location, demographic info, and other sensitive details might also be shared without your permission via applications on your mobile device. Prediction: We aren’t far from real-time, location-based marketing. Think Groupon, but instead of an email with a “deal of the day,” try an SMS to your phone advertising daily dinner specials or sales as you drive close to those establishments!

What can we do? I’ll borrow steal a commonly used phrase: Think globally; act locally. In other words, there is only so much you can do to protect your sensitive information, but you need to do well the things that you can do.

I’m amazed that passwords are still the primary means of authentication for most online services. What amazes me even more is the simplicity of the passwords that people use. Passwords always have been the lowest barrier of entry to steal information. If they must be so common, we should do all we can to make them more than just a small speed bump to get to our data. What’s worse is that many people use the same password for every site they visit. This essentially gives criminals a single-sign on to every service once they know a single password. According to an analysis posted here the most commonly used password among the almost 200,000 that were decoded as part of the recent Gawker Media hack was “123456.” This was followed in second and third places by “password” and “12345678,” respectively. (Nice to know some people follow the advice to make their passwords at least eight characters.) If passwords are going to remain commonplace–and there is no reason to believe they won’t be–at least make your passwords difficult to guess. Use combinations of upper- and lowercase letters, numbers, and symbols.

Have you ever taken a look at the history of wireless networks that you connect to? I’ll bet the list is littered with free public WiFi hotspots from McDonald’s or Starbucks as well as airport and hotel networks. Of these public networks, how many incorporate any form of encryption? Few to none. Some of the recent news about browser plug-ins such as Firesheep, which allows data thieves to “sidejack” your session on sites that do not encrypt their login cookies, should be enough to encourage you to always encrypt your wireless traffic, wherever you are. If you have a home server, there are several open-source solutions that allow you to configure your own virtual private network (VPN), and there are several commercial solutions that you can purchase for a few dollars per month that serve the same purpose. Ensure your data is encrypted whenever you are connected to a wireless network. If you don’t, you can bet that someone is watching what you are doing and where you are surfing.

Last but not least, share the least amount of information about yourself as possible. Social media sites, where personal privacy rules appear to have flown out the window, are a gold mine of information for any criminal to use in targeted attacks. Worms such as Koobface have made data compromise easy by using simple social engineering techniques: People will click links that lead to malicious websites, steal login credentials, and send messages to the friends and followers of the victims. Status updates may also be indexed and searchable by some of the most popular search engines. If you’ve posted something or otherwise made it known, someone can find it.

I don’t wish to paint a doom-and-gloom picture. But in spite of what we have learned and the advancements that we have made in security awareness, we have lost sight of the fundamentals–the basis of everything that we know in security. Maybe the concept has become too complicated and causes some people to ignore the problem entirely? I hope that by breaking security into easy-to-understand concepts we’ll pay more attention to it. Right now cybercrime is way too easy for the bad guys–and they know it.

Go here to see the original:
Security Too Hard? Think Globally; Act Locally

May 27th, 2010

SANS Internet Storm Center – "Malicious" Websites

“Malicious” Websites

Published: 2007-11-10,
Last Updated: 2007-11-10 21:26:57 UTC
by Koon Yaw Tan (Version: 1)

Previously, we often warned people against visiting unknown/suspicious websites as they could contain malicious content. But nowadays, even visiting known websites, you could be affected. It was reported that the India Times website contains hundreds of malicious files that could infect those who visit the website.
http://www.theregister.co.uk/2007/11/10/india_times_under_attack/
Legitimate websites containing malicious content are not something new, as it has already happened a couple of times. Web administrators must be prudent to ensure their websites are properly secured. Hackers are now clever enough not to deface your website to alert you, but rather plant malicious content on it and wait for victims. Periodically running a vulnerability scan on your web systems is necessary to avoid known holes. Let us know if you have other good tips for web admins.

SANS Internet Storm Center; Cooperative Network Security Community – Internet Security – isc

May 27th, 2010

SANS – Internet Storm Center – CME-24 (Blackworm) Analysis: The destruction does not appear to spread across Windows network shares

CME-24 Analysis: The destruction does not appear to spread across Windows network shares (NEW)

Published: 2006-02-02,
Last Updated: 2006-02-02 17:39:40 UTC by Lorna Hutcheson (Version: 1)
I wanted to share some of the results of some long hours spent looking at this malware.  When the infection occurs, it immediately places copies of itself  locally on each share and on each share/mapped drive that it finds.  Based on this behavior, my initial thoughts were that the destructive payload would be carried out via shares and/or mapped drives as well.

I now have changed my initial thoughts on how the destruction would occur.  Here are some of my notes from my testing of this concept.  Here is the MD5 from the file I was using:
1c66904ecb846da5b1fb2072f9ea6e0e *New WinZip File.exe

The first test I did led me to believe that the destruction would be carried out via the shares and mapped drives. In my initial test, I had two infected systems (one XP and one W2K) with drives mapped to each other. I infected each box, changed the system time to Feb 2 at 11:50pm, launched Ethereal and Filemon, and ran the first shot using RegShot. After an hour, I stopped the captures and launched my second shot of the hard drive with RegShot. All my data files were now overwritten, zip files were corrupted, etc. Everything was happening as I thought it would. All my mapped drives had corrupted files. The security logs from each box showed accesses from the other.

For the rest of this in depth analysis, go here: SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

May 27th, 2010

F-Secure : News from the Lab – Nyxem on a world map

Nyxem on a world map Posted by Mikko @ 14:31 GMT

We have been co-operating with RCN, the company running the counter site that is used by the Nyxem worm. Last night we got the web access statistics, listing all the IP addresses that have accessed the Nyxem counter.

After filtering out the addresses of bots that have been hammering the counter lately, we used our WORLDMAP technology to map the addresses to a map. As a result we have a global view of the machines that will run into trouble unless they are disinfected before tomorrow:

[Image: Nyxem.E worldmap – click the map for a high-resolution version]

Nyxem.E starts to overwrite files half an hour after the infected machines are started on the 3rd of the month.

We’d like to thank Jason Nealis and Chris Jackman at RCN for their generous help with this issue.

F-Secure : News from the Lab – February of 2006.

May 27th, 2010

SANS – Internet Storm Center – Preparing for Feb 3rd (CME-24\Blackworm)

Preparing for Feb 3rd (CME-24) (NEW)

Published: 2006-02-02,
Last Updated: 2006-02-02 16:07:43 UTC by Pedro Bueno (Version: 1)
Preparing for Feb 3rd (CME-24)

We received a lot of suggestions about measures against CME-24. In other words,
how to prepare for Feb 3rd, in spite of the anti-virus.

What follows below is a compiled list of those. Some were tested, but some not.

- The rule below, made by Per Kristian Johnsen with Telenor Security Center,
is said to detect attempts to copy WINZIP_TMP.exe to shares. According to the author,
they have been able to detect infected machines where the already published
snort/sourcefire rule couldn’t:

alert tcp any any -> any 135:139 (msg:"Nyxem attempting to copy WINZIP_TMP.exe to shares"; flow:to_server,established; content:"|57 00 49 00 4e 00 5a 00 49 00 50 00 5f 00 54 00 4d 00 50 00 2e 00 65 00 78 00 65|"; reference:url,www.lurhq.com/blackworm.html; classtype:trojan-activity; sid:5000173; rev:1;)

- We had another user that used SMS to scan drives for files with a size of 95,690 named (Blogger’s note: I have been doing this query too, but missed the file size part):

%Windir%\Rundll16.exe
%System%\scanregw.exe
%System%\Winzip.exe
%System%\Update.exe
%System%\WINZIP_TMP.EXE
%System%\SAMPLE.ZIP
%System%\New WinZip File.exe
movies.exe
Zipped Files.exe

- A security Dweeb at a large California municipal government agency wrote a batch script that:

“1) looks for the infected file names existence
on %windir% and %sysdir% using simple DIR /B commands. Output is sent to
uniquely named text file (with a non-standard extension). Infected
workstations will show a non-zero file size. Batch file is below; uses
environment vars that are unique to user and computer name.
2) The batch file will be placed in the login script for all
computers.
3) Ensure that verified backups are completed tonight (Wed).

Batch file:
@echo off
REM Each DIR /B appends any matching file name to a per-user, per-machine log.
REM A workstation whose log ends up non-empty (non-zero size) has one of the dropped files.
dir /b %WinDir%\system\Winzip.exe >> %username%_%computername%.rgh
dir /b %WinDir%\system\Update.exe >> %username%_%computername%.rgh
dir /b %WinDir%\system\scanregw.exe >> %username%_%computername%.rgh
dir /b %WinDir%\Rundll16.exe >> %username%_%computername%.rgh
dir /b %WinDir%\winzip_tmp.exe >> %username%_%computername%.rgh
dir /b c:\winzip_tmp.exe >> %username%_%computername%.rgh
REM The attachment name carries a run of spaces before ".exe", so the path must be quoted.
dir /b "%Temp%\word.zip                                        .exe" >> %username%_%computername%.rgh

Although dangerous, we think we have a very low chance of a problem.
According to LURQ, there are only 15K computers in US that have
contacted the “counter” site. And we have other protections in place
(blocking of all executables in mail attachments, current anti-virus
updates, etc.)”

—————————————————————–
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org )

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

May 27th, 2010

Microsoft Security Advisory Notification – Update for Security Advisory (904420) – Win32/Mywife.E@mm

***************************************

Title: Microsoft Security Advisory Notification

Issued: February 1, 2006

***************************************
Security Advisories Updated or Released Today
==============================================

* Security Advisory (904420)

- Title: Win32/Mywife.E@mm

- Reason For Update: Additional information about the blank password restriction functionality in Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003, and Windows Server 2003 Service Pack 1. Added link to Virus Information Alliance member Sophos.

- Web site: http://go.microsoft.com/fwlink/?LinkId=50423

May 27th, 2010

F-Secure : News from the Lab – First reports of Nyxem damage

Tuesday, January 31, 2006

First reports of Nyxem damage Posted by Mikko @ 16:24 GMT

The destructive deadline of the Nyxem.E worm is based on the clock of the infected machine. So if you’re infected and your clock is not set right, things could start to happen at any time – even though the official activation time is the 3rd of the month. We’ve already received first reports from users who’ve had files on their system overwritten by the worm.

[Image: nyxem_killed]

When Nyxem activates, it will overwrite all of your DOC/XLS/PPT/ZIP/RAR/PDF/MDB files. This is nasty, as this is done on all mounted drives, ie. any drive that has a drive letter. So it might affect your USB thumb drives, external hard drives and network drives! Also, if you’re taking daily automatic backups you might end up backing up the corrupted files over good files.

The number of machines that have been hit by this worm is over 300,000. Many of those have been disinfected already, though. But thousands of computers will get their files overwritten on February 3rd – most of them in India, Turkey and Peru.

This worm family has been around since March 2004. The worm is named “Nyxem” because the original Nyxem.A variant launched a DDoS attack against the New York Mercantile Exchange website (www.nymex.com). We don’t know why.

We have a free tool available to help disinfect machines before the deadline passes.

F-Secure : News from the Lab – January of 2006.

May 27th, 2010

Microsoft Security Advisory (904420): Win32/Mywife.E@mm (aka Blackworm)

For even more comprehensive information on this virus go here: http://www.isc.sans.org/blackworm

Microsoft Security Advisory (904420)

Win32/Mywife.E@mm

Published: January 30, 2006

Microsoft wants to make customers aware of the Mywife mass mailing malware variant named Win32/Mywife.E@mm. The mass mailing malware tries to entice users through social engineering efforts into opening an attached file in an e-mail message. If the recipient opens the file, the malware sends itself to all the contacts that are contained in the system’s address book. The malware may also spread over writeable network shares on systems that have blank administrator passwords.

Customers who are using the most recent and updated antivirus software could be at a reduced risk of infection from the Win32/Mywife.E@mm malware. Customers should verify this with their antivirus vendor. Antivirus vendors have assigned different names to this malware but the Common Malware Enumeration (CME) group has assigned it ID CME-24.

On systems that are infected by Win32/Mywife.E@mm, the malware is intended to permanently corrupt a number of common document format files on the third day of every month. February 3, 2006 is the first time this malware is expected to permanently corrupt the content of specific document format files. The malware also modifies or deletes files and registry keys associated with certain computer security-related applications. This prevents these applications from running when Windows starts. For more information, see the Microsoft Virus Encyclopedia.

As with all currently known variants of the Mywife malware, this variant does not make use of a security vulnerability, but is dependent on the user opening an infected file attachment. The malware also attempts to scan the network looking for systems it can connect to and infect. It does this in the context of the user. If it fails to connect to one of these systems, it tries again by logging on with “Administrator” as the user name together with a blank password.

Read the rest of this advisory here: Microsoft Security Advisory (904420): Win32/Mywife.E@mm.
