Showing posts with label Security. Show all posts

Saturday, January 16, 2010

Source code for Skype eavesdropping trojan in the wild

Earlier this week, Swiss programmer Ruben Unteregger, who has reportedly been working for the Swiss company ERA IT Solutions, responsible for coding government-sponsored spyware, released the source code of a trojan horse that injects code into the Skype process in order to convert the incoming and outgoing voice data into encrypted MP3 files at the disposal of the attacker.

Here’s how the trojan, currently detected as Trojan.Peskyspy, works:


“When the Trojan is executed, it injects a thread into the Skype process and hooks a number of API calls, allowing it to intercept all PCM audio data going between the Skype process and underlying audio devices. Note: Since the Trojan listens to the data coming to and from the audio devices, it gathers the audio independently of any application-specific protocols or encryption applied by Skype when it passes voice data at the network level.

Note: The incoming and outgoing audio data are stored in separate .mp3 files. The Trojan also opens a back door on the compromised computer, allowing an attacker to perform the following actions:
- Send the .mp3 to a predetermined location
- Download an updated version
- Delete the Trojan from the compromised computer”

Skype is often dubbed a “national security threat” by governments all across the globe due to their — at least publicly acknowledged — inability to crack the 256-bit encryption of its VoIP calls.

And while some of these governments are reportedly spending surreal amounts of taxpayers’ money (rental of the Skype-Capture-Unit per month and instance: EUR 3,500) in order to achieve their objectives, others are taking the cost-effective path by attacking the weakest link in the process - the end user, infected with targeted DIY government-sponsored spyware that records all outgoing and incoming Skype calls, thereby bypassing the need to attack the encryption algorithm at all.
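The trojan described above works by hooking the audio APIs inside the Skype process rather than touching the network protocol, so the defensive check is to look for tampered function prologues, not for traffic anomalies. The following is an added example (not code from the original post, from Symantec's write-up or from the trojan's author): it compares the first bytes of exported functions as seen in memory with the clean copy from the module on disk and names the trampoline form when it recognises one. The export names (waveInOpen and friends from winmm.dll) are real Windows API names chosen as representative of what an in-process audio recorder would hook, an assumption on my part; every byte string is constructed sample data, not a capture.

```python
"""Detecting inline API hooks of the kind an audio-capturing trojan installs.

Added example, not code from the original post: a defender's check that
compares the prologue of an exported function in memory with the same bytes
from the clean on-disk image. Hooking engines usually overwrite the prologue
with a jump to their own code, so an unexpected jmp / push-ret at offset 0 is
the classic tell. All byte strings below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# x86 instruction forms hooking engines typically write over a prologue.
JMP_REL32 = 0xE9            # jmp rel32
JMP_INDIRECT = b"\xff\x25"  # jmp [mem]
PUSH_IMM32 = 0x68           # push imm32 ... ret
RET = 0xC3

# The standard hot-patchable Windows prologue: mov edi,edi; push ebp; mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")


@dataclass(frozen=True)
class HookFinding:
    function: str
    reason: str


def prologue_looks_hooked(prologue: bytes) -> Optional[str]:
    """Return a description of the trampoline found at offset 0, or None."""
    if len(prologue) >= 5 and prologue[0] == JMP_REL32:
        target_rel = int.from_bytes(prologue[1:5], "little", signed=True)
        return f"jmp rel32 (+{target_rel:#x})"
    if len(prologue) >= 6 and prologue[:2] == JMP_INDIRECT:
        return "jmp [mem] (indirect trampoline)"
    if len(prologue) >= 6 and prologue[0] == PUSH_IMM32 and prologue[5] == RET:
        return "push imm32; ret (return-address trampoline)"
    return None


def compare_with_disk(function: str, in_memory: bytes, on_disk: bytes) -> Optional[HookFinding]:
    """Flag a function whose in-memory prologue differs from the on-disk image.

    A mismatch alone is not proof (relocations and legitimate hot-patching
    exist), so the reason also names the trampoline form when recognisable.
    """
    n = min(len(in_memory), len(on_disk), 8)
    if in_memory[:n] == on_disk[:n]:
        return None
    form = prologue_looks_hooked(in_memory) or "unrecognised prologue change"
    return HookFinding(function, form)


def scan_exports(memory: Dict[str, bytes], disk: Dict[str, bytes]) -> List[HookFinding]:
    """Scan every export present in both snapshots; findings sorted by name."""
    findings = []
    for name in sorted(set(memory) & set(disk)):
        finding = compare_with_disk(name, memory[name], disk[name])
        if finding:
            findings.append(finding)
    return findings


# Constructed snapshots (assumed export names): two audio exports carry a
# trampoline in memory, the third is untouched.
SAMPLE_DISK = {
    "waveInOpen": CLEAN_PROLOGUE + b"\x83\xec\x10",
    "waveOutWrite": CLEAN_PROLOGUE + b"\x83\xec\x10",
    "waveInGetNumDevs": CLEAN_PROLOGUE + b"\x83\xec\x10",
}
SAMPLE_MEMORY = {
    "waveInOpen": b"\xe9" + (0x1000).to_bytes(4, "little") + b"\x83\xec\x10",
    "waveOutWrite": b"\x68" + (0x10001000).to_bytes(4, "little") + b"\xc3\xec\x10",
    "waveInGetNumDevs": SAMPLE_DISK["waveInGetNumDevs"],
}

if __name__ == "__main__":
    for finding in scan_exports(SAMPLE_MEMORY, SAMPLE_DISK):
        print(f"{finding.function}: {finding.reason}")
```

In a real deployment the two snapshots come from reading the process memory and mapping the module file from disk; the comparison logic is the same, and a non-empty result is a trigger for closer inspection rather than a verdict on its own.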

Thousands of web sites compromised, redirect to scareware

According to eSoft, they’ve been monitoring the campaign since September, with another 720,000 affected sites back then.

There are now over a million affected sites serving scareware, with only a small percentage of them currently marked as harmful. Google has been notified. As always, NoScript and your decent situational awareness are your best friends.

Security researchers have detected a massive blackhat SEO (search engine optimization) campaign consisting of over 200,000 compromised web sites, all redirecting to fake security software (Inst_58s6.exe), commonly referred to as scareware.

More details on the campaign:


The compromised sites are hosting legitimate-looking templates with automatically generated bogus content, and a tiny css.js (Trojan-Downloader.JS.FraudLoad) uploaded to each of them triggers the scareware campaign only if the visitor is coming from a search engine listed as a known HTTP referrer by the gang - in this case Google, Yahoo, Live, Altavista, and Baidu:

“Cyveillance has discovered a complex attack vector that uses Google search results to distribute malicious software (malware) to unsuspecting Internet users. Using this attack vector, users click on links within Google search results and are routed to sites that attempt to download malware to their computers. The attack method also relies on inattentive webmasters who do not update the software on their sites and often unknowingly provide the material that appears in the search results.

The common string albums/bsblog/category is found in the URLs for all these blogs. By simply using the Google search parameter allinurl, alone, you can see how many other sites contain the same string. As can be seen in the image above, more than 260,000 URLs are presented in Google’s search index leading to blogs similar to the ones illustrated in our example.

As you can see, only a small portion of sites in the search results carry a warning provided by Google. The reason for the small number of warnings is likely because the actual attacks do not take place on the website URLs in the search results, but on the sites you’re redirected to thereby decreasing the chances that Google will designate the destination sites as harmful.”

At first, it would appear that the campaign is an isolated one, maintained by a cybercrime enterprise yet to be analyzed. However, analyzing it reveals a rather anticipated connection - the massive blackhat SEO campaign has been launched by the same people who operate or manage the campaigns for the Koobface botnet. For instance, the domains mentioned by Cyveillance, as well as the newly introduced ones over the past couple of hours, are the very same domains currently embedded on Koobface-infected hosts.

Go through related posts - The ultimate guide to scareware protection; My scareware night and how McAfee lost a customer; Scareware scammers hijack Twitter trending topics; 9/11 related keywords hijacked to serve scareware; Koobface Botnet’s Scareware Business Model - Part One; Koobface Botnet’s Scareware Business Model - Part Two
How did they manage to compromise the sites? Through web application vulnerabilities as the attack vector, with OWASP’s recently updated Top 10 most critical web application security risks highlighting some of the riskiest ones.
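The reason only a small percentage of the affected sites are flagged is the referrer check described above: a webmaster who opens their own site directly never sees the redirect, because the injected css.js only fires for visitors arriving from a listed search engine. The following is an added example (not code from the original post, from eSoft or from Cyveillance) of the self-check a site owner can run: fetch the same URL with no Referer and again with each search-engine Referer, and compare the responses. The `fetch` callable is injected so the example runs offline against a constructed fake site; in practice you pass a function that performs a real HTTP request. The referrer URLs and all HTML are constructed sample data.

```python
"""Checking a site for search-engine referrer cloaking.

Added example, not code from the original post: the injected script in the
campaign described above only redirects visitors whose Referer is a known
search engine. Requesting the same page with and without such a Referer and
diffing the result exposes that behaviour from the outside.
"""
import re
from typing import Callable, Dict, List

# Constructed referrer URLs for the search engines the campaign description lists.
SEARCH_ENGINE_REFERERS = [
    "http://www.google.com/search?q=example",
    "http://search.yahoo.com/search?p=example",
    "http://search.live.com/results.aspx?q=example",
    "http://www.altavista.com/web/results?q=example",
    "http://www.baidu.com/s?wd=example",
]

# Markers of a client-side redirect or of the injected loader script itself.
REDIRECT_PATTERNS = [
    re.compile(r"location\.(href|replace)\s*[=(]", re.I),
    re.compile(r"http-equiv=[\"']?refresh", re.I),
    re.compile(r"<script[^>]+src=[\"'][^\"']*css\.js", re.I),
]

Fetch = Callable[[str, Dict[str, str]], str]


def redirect_markers(html: str) -> List[str]:
    """Return the patterns (as strings) present in the HTML body."""
    return [p.pattern for p in REDIRECT_PATTERNS if p.search(html)]


def check_referrer_cloaking(url: str, fetch: Fetch) -> Dict[str, object]:
    """Fetch `url` without a Referer, then with each search-engine Referer, and diff."""
    baseline = fetch(url, {})
    baseline_markers = redirect_markers(baseline)
    hits = []
    for ref in SEARCH_ENGINE_REFERERS:
        body = fetch(url, {"Referer": ref})
        new_markers = [m for m in redirect_markers(body) if m not in baseline_markers]
        # Any difference at all is worth a look; new redirect markers are the smoking gun.
        if body != baseline or new_markers:
            hits.append({"referer": ref, "new_markers": new_markers})
    return {"url": url, "cloaked": bool(hits), "hits": hits}


# --- constructed fake site standing in for a compromised blog ----------------
CLEAN_PAGE = "<html><body><h1>Holiday photos</h1><p>Album 12</p></body></html>"
INJECTED_PAGE = (
    "<html><body><h1>Holiday photos</h1><p>Album 12</p>"
    "<script src='/albums/css.js'></script>"
    "<script>location.href='http://scareware.invalid/scan';</script>"
    "</body></html>"
)


def fake_fetch(url: str, headers: Dict[str, str]) -> str:
    """Simulates the injected loader: redirect only visitors from a search engine."""
    ref = headers.get("Referer", "")
    if any(engine in ref for engine in ("google.", "yahoo.", "live.", "altavista.", "baidu.")):
        return INJECTED_PAGE
    return CLEAN_PAGE


def honest_fetch(url: str, headers: Dict[str, str]) -> str:
    """A site that serves the same content to everyone."""
    return CLEAN_PAGE


if __name__ == "__main__":
    print(check_referrer_cloaking("http://example.invalid/albums/bsblog/category/1", fake_fetch))
    print(check_referrer_cloaking("http://example.invalid/", honest_fetch))
```

Run this against your own pages from a machine that is not logged in to the site; a result with `cloaked` set and css.js among the new markers is the pattern the campaign leaves, and the fix is to remove the injected file and close the web application hole that let it be uploaded.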

Saturday, August 22, 2009

IE8 outperforms competing browsers in malware protection

A recently released study by NSS Labs is once again claiming that based on their internal tests, Microsoft’s Internet Explorer 8 outperforms competing browsers like Google’s Chrome, Mozilla’s Firefox, Opera and Apple’s Safari in terms of protecting their users against “socially engineered malware” and phishing attacks.


Not only did IE8 top the chart, but the rest of the browsers have in fact seen their “socially engineered malware” and phishing block rates degrade in comparison to the results the company released in the March edition of the study.

How objective is the study? For starters, it’s a Microsoft-sponsored one. Here’s how it ranks the browsers:

Socially engineered malware block rate:

- Microsoft Internet Explorer v8 - 81% block rate
- Mozilla Firefox v3 - 27% block rate
- Apple Safari v4 - 21% block rate
- Google Chrome 2 - 7% block rate

Phishing attacks block rate:

- Microsoft Internet Explorer v8 - 83% block rate
- Mozilla Firefox v3 - 80% block rate
- Opera 10 Beta - 54% block rate
- Google Chrome 2 - 26% block rate
- Apple Safari v4 - 2% block rate

What is “socially engineered malware” anyway?

Basically, it’s the direct download dialog box that appears on, for instance, a scareware page or a Koobface video page spoofing Facebook’s layout, like the one attached. Using “socially engineered malware” as a benchmark for malware block rate isn’t exactly the most realistic choice in today’s threatscape.

And even if it is, some pretty realistic conclusions can be drawn by using some internal traffic statistics from Koobface worm’s ongoing malware campaigns. The Koobface worm, one of the most efficient social engineering driven malware, is a perfect example of how security measures become obsolete when they’re not implemented on a large scale.
The stats themselves:

- MSIE 7 - 255,891 visitors - 43.33%
- MSIE 8 - 189,380 visitors - 32.07%
- MSIE 6 - 76,797 visitors - 13.01%
- Javascript Enabled - 585,374 visitors - 99.13%
- Java Enabled - 576,782 visitors - 97.68%

What does this mean? It means that, with or without the supposedly working “socially engineered malware” block filter (tested on a modest sample of several hundred URLs), the Koobface botnet is largely driven by MSIE 7 users. The previous edition of the study dubbed IE7 a browser which “practically offers no protection against malware”, with the lowest block rate achieved back then - 4%.

Just like the previous edition of the study, this one also excludes the notion that client-side vulnerabilities continue contributing to the “rise and rise” of web malware exploitation kits. By excluding client-side vulnerabilities, the study isn’t assessing IE8’s DEP/NX memory protection, as well as omitting ClickJacking defenses and IE8’s XSS filter, once pointed out as a less sophisticated alternative to the Firefox-friendly NoScript.

Socially engineered malware is not the benchmark for a comprehensive assessment of a browser’s malware block rate. That benchmark would be a realistic assessment of the current and emerging threatscape, combined with comprehensive testing of all of the browser’s currently available security mechanisms - a testing methodology which I think is not present in the study.

Wednesday, October 1, 2008

Demo exploits posted for unpatched MS Word vulnerability


A security researcher has released demo exploits for what appears to be a critical, unpatched memory corruption vulnerability affecting the ubiquitous Microsoft Word software program.
The proof-of-concept exploits accompany a warning that the flaw affects Microsoft Office 2000 and Microsoft Office 2003. In addition to the rigged .docs, there are two videos demonstrating an attack scenario that crashes the program.
From the advisory:
An attacker could exploit this issue by enticing a victim to open and interact with malicious Word files.
Successfully exploiting this issue will corrupt memory and crash the application. Given the nature of this issue, attackers may also be able to execute arbitrary code in the context of the currently logged-in user.
Here are the proof-of-concept documents (download and run at your own risk!):

crash-word-1.doc
crash-word-2.doc
crash-word-3.doc
crash-word-4.doc
The SANS Institute issued a warning in its @Risk newsletter, noting that the issue occurs in the way Microsoft Word handles unordered (bulleted) lists.
Successfully exploiting this vulnerability would allow an attacker to execute arbitrary code with the privileges of the current user. Note that, on recent versions of Microsoft Office, Word documents are not opened upon receipt without first prompting the user.
I’ve asked Microsoft for confirmation of this issue and will update this post when I hear from them.
UPDATE: Microsoft e-mailed the following statement on this issue:
Microsoft is investigating new public claims of a possible vulnerability in Microsoft Office. We’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact. We will take steps to determine how customers can protect themselves should we confirm the vulnerability.
Once we’re done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.

Sunday, September 28, 2008

Is Chrome a security risk?


My lovely bride of 30 years worked from home yesterday, hoping to save our city some gas.
An e-mail came in from her administrator around mid-day which she decided to share with me.
It told all users to shut down Chrome.
The e-mail called Chrome a security risk. It told all users within the company to use Firefox or Internet Explorer, to shut Chrome down.
I don’t know how serious those concerns are. Without identifying my wife’s employer I will say it’s a conservative company, very security conscious, and often proactive.
But this is a good time to ask how well Chrome is doing. Google Analytics says 1 in 40 visits to ZDNet Open Source are now done with Chrome. It’s currently on build 2200, Version 0.2.149.30. (Click the wrench, then the About tab.)
Personally I have noticed that Chrome often crashes Shockwave and Flash pages. Thanks to its redundant tab-based design, whole browser sessions don’t die, but these plug-in crashes are more common than with Firefox.
I have also found that, despite its promise, it pays to shut Chrome down every once in a while and re-start it. The lack of add-ons can be annoying, as when I’m asked for personal information or want to search a page for a word or phrase.
Other reviewers have not been so kind. Some bloggers are already calling it a failure, and the criticism is global in scope.
On the other hand, this open source browser is already being forked, as with a German version dubbed Iron.
This, to me, is good news. It may be the most important news.
It is wrong to evaluate Chrome as you would a new TV show. It is wrong to consider it solely in terms of Google because, like Firefox, this is an open source product subject to the open source process.
But what I think or what any other reporter thinks really does not matter. What do you think? Are you using Google Chrome now? Do you plan to? When? And if not, why not?
(“I” here refers to Dana Blankenhorn.)

Monday, June 23, 2008

Free Sourcefire tool pinpoints hostile MS Office files

Sourcefire, the company behind the popular Snort intrusion detection system, has released a freeware utility to help identify potentially threatening Microsoft Office files.

The tool, called OfficeCat, can be used to process Microsoft Office documents — Word, PowerPoint, Excel and Publisher — and determine whether possible exploit conditions exist.

Unlike products that detect attempts to exploit known Microsoft vulnerabilities, Sourcefire said OfficeCat can determine if a file contains hostile content before it is opened.

From the Sourcefire announcement:

OfficeCat provides reference information on discovered vulnerabilities so users can remediate risks. By detecting these hostile files before they are opened, OfficeCat enables users to proactively increase the effectiveness of their security efforts.

…To create effective rules, the VRT conducts ongoing research into Microsoft Office vulnerabilities and will regularly update OfficeCat with the latest vulnerability information.

The command-line utility ships with rules for a total of six Microsoft Office bulletins and about 45 CVE entries related to Microsoft Office vulnerabilities.

There has been a noticeable surge in attacks exploiting critical security vulnerabilities in the Microsoft Office software suite.

In addition to using Sourcefire’s OfficeCat, I strongly recommend that Microsoft Office users run Microsoft Office Update to ensure their installations are fully patched.

Friday, June 20, 2008

Local root escalation vulnerability in Mac OS X 10.4 and 10.5 discovered


Yesterday, an anonymous reader released details on a local root escalation vulnerability in Mac OS X 10.4 and 10.5, which works by running a local AppleScript that sets the user ID to root through ARDAgent’s default setuid-root state. Here’s how it’s done:

“Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through AppleScript: osascript -e 'tell app "ARDAgent" to do shell script "whoami"'; Works for normal users and admins, provided the normal user wasn’t switched to via fast user switching. Secure? I think not.”

You’ve got several possible workarounds: you can remove Apple Remote Desktop, located in /System/Library/CoreServices/RemoteManagement/, or you can go through the visual Workaround for the ARDAgent 'setuid root' problem.

Moreover, AppleInsider speculates on the potential for abuse:

The effects of malicious code run as root may range from deleting all the files on the Mac to more pernicious attacks such as changing system settings, and even setting up periodic tasks to perform them repeatedly. Not all Macs are vulnerable, however. If a user has turned on Remote Management in the Sharing pane of System Preferences under Mac OS X 10.5, or if a user has installed Apple Remote Desktop client under Mac OS X 10.4 or earlier and has activated this setting in the Sharing preferences, the exploit will not function. Mac OS X 10.5’s Screen Sharing function has no effect on this vulnerability.

And even though the vulnerability can also be exploited over a remote connection under specific circumstances depending on the configuration, physical security to prevent unauthorized local access is as applicable as it’s always been.
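The root cause above is a setuid-root binary that can be talked into running a shell command on the caller's behalf, and the workarounds amount to removing the binary or its setuid bit. The generic defensive habit this suggests is a periodic inventory of setuid/setgid files diffed against an approved baseline. The following is an added example (not code from the original post or from Apple) of such an audit; it builds a constructed temporary tree with a setuid file owned by the current user rather than touching the real ARDAgent path, since what the audit keys on is the mode bit, not the owner.

```python
"""Auditing a directory tree for setuid/setgid executables.

Added example, not code from the original post: walk a tree, list every
regular file carrying the setuid or setgid bit, diff the list against an
approved baseline, and clear the bit on anything that should not have it.
The sample tree is constructed in a temporary directory.
"""
import os
import stat
import tempfile
from typing import Dict, Iterable, List


def find_setuid_files(root: str) -> List[Dict[str, object]]:
    """Walk `root` and return every regular file with setuid or setgid set."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            suid = bool(st.st_mode & stat.S_ISUID)
            sgid = bool(st.st_mode & stat.S_ISGID)
            if suid or sgid:
                findings.append({
                    "path": path,
                    "uid": st.st_uid,
                    "setuid": suid,
                    "setgid": sgid,
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                })
    return sorted(findings, key=lambda f: f["path"])


def diff_against_baseline(findings: List[Dict[str, object]],
                          baseline_paths: Iterable[str]) -> List[Dict[str, object]]:
    """Return the setuid/setgid files that are not in the approved baseline."""
    approved = set(baseline_paths)
    return [f for f in findings if f["path"] not in approved]


def strip_setuid(path: str) -> str:
    """Clear the setuid and setgid bits on `path`; return the new mode as octal."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    new_mode = mode & ~(stat.S_ISUID | stat.S_ISGID)
    os.chmod(path, new_mode)
    return oct(new_mode)


def build_sample_tree() -> Dict[str, str]:
    """Constructed sample: one setuid file and one plain file in a temp directory.

    The setuid file is owned by the current user (this example cannot create a
    root-owned file); the audit keys on the mode bit, which is what matters here.
    """
    root = tempfile.mkdtemp(prefix="suid-audit-")
    agent = os.path.join(root, "ARDAgent-lookalike")   # hypothetical name
    plain = os.path.join(root, "plain-tool")
    for p in (agent, plain):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho hello\n")
    os.chmod(agent, 0o4755)   # rwsr-xr-x
    os.chmod(plain, 0o755)    # rwxr-xr-x
    return {"root": root, "agent": agent, "plain": plain}


if __name__ == "__main__":
    tree = build_sample_tree()
    for f in diff_against_baseline(find_setuid_files(tree["root"]), []):
        print(f"unexpected setuid/setgid file: {f['path']} mode {f['mode']} uid {f['uid']}")
        print("  cleared, new mode", strip_setuid(f["path"]))
```

Running `find_setuid_files("/")` on a real system and storing the result as the baseline turns the next run into a one-line diff; on the Macs discussed above the ARDAgent binary would have shown up in that inventory with its setuid bit set.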

Code execution vulnerability found in Firefox 3.0


It’s not all about world records for Firefox 3.0.

Just hours after the official release of the latest refresh of Mozilla’s flagship browser, an unnamed researcher has sold a critical code execution vulnerability that puts millions of Firefox 3.0 users at risk of PC takeover attacks.

According to a note from TippingPoint’s Zero Day Initiative (ZDI), a company that buys exclusive rights to software vulnerability data, the Firefox 3.0 bug also affects earlier Firefox 2.0.x versions.

Technical details are being kept under wraps until Mozilla’s security team ships a patch.

According to ZDI’s alert, it should be considered a high-severity risk:

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code, permitting the attacker to completely take over the vulnerable process, potentially allowing the machine running the process to be completely controlled by the attacker. TippingPoint researchers continue to see these types of “user-interaction required” browser-based vulnerabilities - such as clicking on a link in email or inadvertently visiting a malicious web page.

It looks very much like the vulnerability researcher was hoarding this vulnerability and saving it for Firefox 3.0 final release to make the sale.

In the absence of a fix, Firefox users should practice safe browsing habits and avoid clicking on strange links that arrive via e-mail or IM messages.

There are no reports of this issue being exploited but, if you are worried about being at risk of drive-by attacks, consider using a different browser.

Wednesday, June 4, 2008

Phoenix Mars Lander’s mission site hacked



With the world’s eyes on the latest multimedia streaming straight from Mars, over the weekend the Phoenix Mars Mission’s site got hit twice: first by a Ukrainian web site defacer who posted a message at the site’s blog, and hours later by the Turkish “sql loverz crew 2008”, who redirected the official mission site, as well as the Lunar and Planetary Laboratory site, to a third-party location serving the defaced page. The Phoenix Mars Lander mission’s security staff are aware of the issue, and seem to have fixed it already, right before making an announcement - Hacker changes Phoenix Mars Lander Web site:

A spokeswoman for the Phoenix Mars Lander mission says a hacker took over the mission’s public Web site during the night and changed its lead news story. Spokeswoman Sara Hammond says a mission update posted Friday was replaced with a hacker’s signature and a link redirecting visitors to an overseas Web site. Hammond says the site hosted by the University of Arizona has been taken off line while computer experts work to correct the problem.

Meet the latest group of script kiddies empowered by publicly obtainable remote SQL injection scanners - the very tools that each and every site affected in the past could have downloaded and used to audit itself. The perspective that if you don’t take care of your site’s web application vulnerabilities, someone else will, fully applies here. No malware or false information was distributed, despite the fact that the defacer linked to what looks like his homepage and therefore could have embedded malicious links or pointed visitors directly to them.

And while this doesn’t seem to be what they wanted to achieve, in three of the most recent web site defacement incidents we have defacers fully abusing the access they gained. Last month, for instance, Russian nuclear power websites were attacked and nuclear accident rumors spread through them, pro-Serbian hacktivists attacked Albanian web sites to spread propaganda messages, and a fake rumor of an upcoming earthquake was spread on the site of a Chinese seismological bureau.
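The scanners mentioned above probe for one specific defect: untrusted input spliced into a SQL string. The following is an added example (not code from the original post or from any of the defaced sites) showing the vulnerable lookup beside the parameterised fix, run against a constructed in-memory SQLite table of blog posts with the same crafted input, so that the difference in behaviour is visible and a site owner can recognise the pattern in their own code.

```python
"""Vulnerable vs parameterised query: the flaw SQL injection scanners look for.

Added example, not code from the original post: an in-memory SQLite database
with a constructed 'posts' table, a lookup that builds SQL by string
concatenation, and the same lookup done with placeholder binding.
"""
import sqlite3
from typing import List, Tuple

# A crafted slug: the quote terminates the literal and the OR widens the WHERE.
CRAFTED_SLUG = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two published posts and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO posts (slug, title, published) VALUES (?, ?, ?)",
        [
            ("mission-update", "Mission update: sol 12", 1),
            ("launch-recap", "Launch recap", 1),
            ("draft-embargoed", "Embargoed: instrument results", 0),
        ],
    )
    return conn


def get_post_vulnerable(conn: sqlite3.Connection, slug: str) -> List[Tuple[str, str]]:
    """Defect: the request parameter is concatenated into the SQL text.

    The published = 1 filter is meant to hide drafts, but AND binds tighter
    than OR, so a slug containing ' OR '1'='1 turns the WHERE into
    (published = 1 AND slug = 'x') OR '1'='1' and returns every row.
    """
    sql = (
        "SELECT slug, title FROM posts WHERE published = 1 AND slug = '" + slug + "'"
    )
    return conn.execute(sql).fetchall()


def get_post_safe(conn: sqlite3.Connection, slug: str) -> List[Tuple[str, str]]:
    """Fix: placeholder binding; the value never becomes part of the SQL text."""
    return conn.execute(
        "SELECT slug, title FROM posts WHERE published = 1 AND slug = ?", (slug,)
    ).fetchall()


def demo() -> Tuple[int, int]:
    """Row counts returned for the crafted slug by the vulnerable and the safe lookup."""
    conn = make_db()
    vulnerable = get_post_vulnerable(conn, CRAFTED_SLUG)
    safe = get_post_safe(conn, CRAFTED_SLUG)
    return len(vulnerable), len(safe)


if __name__ == "__main__":
    bad, good = demo()
    print(f"vulnerable lookup returned {bad} rows (including the unpublished draft)")
    print(f"parameterised lookup returned {good} rows")
```

The parameterised form is the whole fix; input "sanitising" that tries to strip quotes is what the scanners are built to get around, and it leaves the concatenation in place for the next encoding trick.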

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and E-crime incident response. Dancho is also involved in business development, marketing research and competitive intelligence as an independent contractor. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis.