Friday, January 18, 2008

Poisoned websites attack visitors


Thousands of small web shops have been unwittingly poisoned with malicious code that infects PC users who visit.

Security experts said the sophisticated attack had succeeded on a larger scale than many other similar attacks.

Once installed on a Windows machine the malicious code steals passwords, browser data as well as login names for bank accounts and online games.

The attack is proving hard to defend against for both sites being hit and PC users who are caught out.

Big hitter

Security researchers at ScanSafe, Finjan and SecureWorks separately discovered the nest of poisoned websites. Estimates of how many sites have been enrolled into the attack vary. ScanSafe said it knew of about 230 but SecureWorks and Finjan believe the total could be as high as 10,000.

Yuval Ben-Itzhak, chief technology officer of Finjan, said it had been following the attack since early December when it noticed an increase in the number of attacks using poisoned websites.

"It's safe to say that there are thousands of these out there," he said. He added that it was hard to get an accurate picture of just how many had been hit because security firms had limited resources to scan all potential targets.

Writing on the ScanSafe blog Mary Landesman said many of the poisoned sites were small "mom and pop" web shops rather than large web retailers. Despite this, she wrote, many had large numbers of visitors because they did well in web searches for particular products and services.

Sites enrolled by the ongoing attack include trade papers, travel firms, ad brokers, estate agents, butchers, hotel booking sites and car spare specialists.

Although all the websites that have become poisoned hosts use the same server and remote administration software, researchers have struggled to spot all the ways they are being compromised.

"We know some of the methods," said Mr Ben-Itzhak, "they are trying to exploit known vulnerabilities in open source content management software that the sites are using."

Spotting the attack code on a site was very difficult, he said, because every time a new user visited the code got a new, random five character name. If a visitor returned the malicious code identified them and did not launch a second attack.

Open Windows

Simon Heron, managing director of security firm Network Box, said: "It looks like the rootkit type technique that we have been worried about for the last two or three years. It's very clever."

A rootkit hides itself deep inside an operating system in an attempt to avoid detection.

Mr Heron said the code injected on the websites scanned the machine of any visiting Windows user to see if any one of 13 separate vulnerabilities was present.

It looked for vulnerabilities in browsers, instant messaging programs, document readers and media players, he said.

The code installs a small trojan through any one of these loopholes then lies dormant until a user types in data that it is interested in - such as login names for online banks or games such as World of Warcraft.

As yet the trojan installed on a PC is not recognised by many widely used anti-virus programs.

Philippe Courtot, founder and head of security firm Qualys, said small web shops and companies were increasingly becoming a target for criminally-minded hackers.

"Small businesses do not have the money to protect themselves," he said.

He added that hosting firms, which owned and ran the servers on which these firms place their websites, viewed security as something extra they had to do rather than something to build in.

"Hosting companies, for them today, adding security is a cost," he said.

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/7193993.stm

Monday, January 14, 2008

Warning on stealthy Windows virus


Security experts are warning about a stealthy Windows virus that steals login details for online bank accounts.

In the last month, the malicious program has racked up about 5,000 victims - most of whom are in Europe. Many are falling victim via booby-trapped websites that use vulnerabilities in Microsoft's browser to install the attack code. Experts say the virus is dangerous because it buries itself deep inside Windows to avoid detection.

Old tricks

The malicious program is a type of virus known as a rootkit and it tries to overwrite part of a computer's hard drive called the Master Boot Record (MBR). This is where a computer looks when it is switched on for information about the operating system it will be running.

"If you can control the MBR, you can control the operating system and therefore the computer it resides on," wrote Elia Florio on security company Symantec's blog. Mr Florio pointed out that many viruses dating from the days before Windows used the Master Boot Record to get a grip on a computer.

Once installed the virus, dubbed Mebroot by Symantec, usually downloads other malicious programs, such as keyloggers, to do the work of stealing confidential information. Most of these associated programs lie in wait on a machine until its owner logs in to the online banking systems of one of more than 900 financial institutions. The Russian virus-writing group behind Mebroot is thought to have created the Torpig family of viruses that are known to have been installed on more than 200,000 systems. This group specialises in stealing bank login information.

Security firm iDefense said Mebroot was discovered in October but started to be used in a series of attacks in early December. Between 12 December and 7 January, iDefense detected more than 5,000 machines that had been infected with the program. Analysis of Mebroot has shown that it uses its hidden position on the MBR as a beachhead so it can re-install these associated programs if they are deleted by anti-virus software. Although the password-stealing programs that Mebroot installs can be found by security software, few commercial anti-virus packages currently detect its presence. Mebroot cannot be removed while a computer is running.

Independent security firm GMER has produced a utility that will scan and remove the stealthy program. Computers running Windows XP, Windows Vista, Windows Server 2003 and Windows 2000 that are not fully patched are all vulnerable to the virus.

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/7183008.stm

Wednesday, January 9, 2008

Copying CDs could be made legal


Copying music from a CD to a home computer could be made legal under new proposals from the UK government.

Millions of people already "rip" discs to their computers and move the files to MP3 players, although the process is technically against copyright law.

Intellectual property minister Lord Triesman said the law should be changed so it "keeps up with the times".

Music industry bodies gave a cautious welcome to the proposals, which are up for public consultation until 8 April.

The changes would apply only to people copying music for personal use - meaning multiple copying and internet file-sharing would still be banned.

Owners would not be allowed to sell or give away their original discs once they had made a copy.

Sales concerns

"To allow consumers to copy works and then pass on the original could result in a loss of sales," the proposals warn.

UK music industry body the BPI said it supported the move to clarify the law for consumers, but warned that any changes should not damage the rights of record companies.

The Association of Independent Music (Aim) said the proposals did not go far enough - pointing out that CDs could become obsolete in the next decade.

It said that, once CDs are replaced, the law could be misused to "open the floodgates to unstoppable copying", adding that it would like to see copyright holders compensated when music was copied.

Lord Triesman said the proposed changes would explore "where the boundaries lie between strong protection for right holders and appropriate levels of access for users".

The proposals also suggest schools and libraries should be given greater flexibility in how they use copyrighted material like CDs and DVDs, and suggest that parodies of songs and films could be made exempt from copyright law.

The consultation follows the Gowers Review of Intellectual Property, which recommended that aspects of the intellectual property system should be reformed.

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/2/hi/entertainment/7176538.stm

Published: 2008/01/08 12:07:30 GMT

© BBC MMVIII
