<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>PandaLabs Blog</title>
	<atom:link href="http://pandalabs.pandasecurity.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://pandalabs.pandasecurity.com</link>
	<description>Everything you need to know about Internet threats</description>
	<lastBuildDate>Tue, 06 Mar 2012 16:23:20 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>Where is the lulz now?</title>
		<link>http://pandalabs.pandasecurity.com/where-is-the-lulz-now/</link>
		<comments>http://pandalabs.pandasecurity.com/where-is-the-lulz-now/#comments</comments>
		<pubDate>Tue, 06 Mar 2012 16:23:20 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[Hacktivists]]></category>
		<category><![CDATA[LulzSec]]></category>
		<category><![CDATA[sabu]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3469</guid>
		<description><![CDATA[Really good news. I have just read that LulzSec members have been arrested and that their main head Sabu has been working as an informant for the FBI. It turns out he was arrested last year, and since then he has been working with Law Enforcement. As I said, really good news Will this mean [...]]]></description>
			<content:encoded><![CDATA[<p>Really good news. I have just <a href="http://www.foxnews.com/scitech/2012/03/06/hacking-group-lulzsec-swept-up-by-law-enforcement/" target="_blank">read</a> that LulzSec members have been arrested and that their main head Sabu has been <img class="alignright size-full wp-image-3471" title="lulzsec" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/03/lulzsec.jpg" alt="" width="284" height="177" />working as an informant for the FBI. It turns out he was arrested last year, and since then he has been working with Law Enforcement.</p>
<p>As I said, really good news <img src='http://pandalabs.pandasecurity.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>Will this mean the end of Anonymous? No. It will mean the end of LulzSec, but Anonymous existed before LulzSec and will continue existing. However, we probably won&#8217;t see any more hacks like the ones LulzSec had been perpetrating, and Anonymous will only use their known childish tactic of DDoS using their LOIC tool.</p>
<p>Enjoy the story <a href="http://www.foxnews.com/scitech/2012/03/06/hacking-group-lulzsec-swept-up-by-law-enforcement/">here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/where-is-the-lulz-now/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Michael Jackson catalogue stolen from Sony. More to come?</title>
		<link>http://pandalabs.pandasecurity.com/michael-jackson-catalogue-stole-from-sony-more-to-come/</link>
		<comments>http://pandalabs.pandasecurity.com/michael-jackson-catalogue-stole-from-sony-more-to-come/#comments</comments>
		<pubDate>Tue, 06 Mar 2012 15:36:35 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Michael Jackson]]></category>
		<category><![CDATA[Sony]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3457</guid>
		<description><![CDATA[Yesterday it was made public that Sony Music had a security incident in May 2011 and the entire back catalogue of Michael Jackson, including unreleased material, was stolen. This happened after Sony was also hacked last year, when personal information from more than 100 million customers was stolen in 2 different incidents affecting PlayStation [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday it was made public that Sony Music had a security incident in May 2011 and the entire back catalogue of <img class="alignright size-medium wp-image-3460" style="margin: 10px 20px;" title="michaeljackson" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/03/michaeljackson-300x263.jpg" alt="" width="264" height="232" />Michael Jackson, including unreleased material, was stolen.</p>
<p>This happened after Sony was also hacked last year, when personal information from more than 100 million customers was stolen in 2 different incidents affecting PlayStation Network and Sony Online Entertainment.</p>
<p>Looks like the cybercriminals involved in this Sony Music hack thought it should be easy to break into the company, and sadly they were right, even though this time they have been arrested and will face trial in January 2013.</p>
<p>It is likely that files from more music stars could have been stolen, unless Sony had them on an isolated server, so we could expect more news coming soon.</p>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/michael-jackson-catalogue-stole-from-sony-more-to-come/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bot shopping with my wife</title>
		<link>http://pandalabs.pandasecurity.com/bot-shopping-with-my-wife/</link>
		<comments>http://pandalabs.pandasecurity.com/bot-shopping-with-my-wife/#comments</comments>
		<pubDate>Thu, 16 Feb 2012 09:02:28 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Trojan]]></category>
		<category><![CDATA[bank of america]]></category>
		<category><![CDATA[bot]]></category>
		<category><![CDATA[darkcomet]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[online]]></category>
		<category><![CDATA[shopping]]></category>
		<category><![CDATA[steam]]></category>
		<category><![CDATA[zeus]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3446</guid>
		<description><![CDATA[When my wife told me she had received an email confirming a purchase she hadn&#8217;t made, my first thought was: How can she even remember what she bought? She buys thousands of clothes online, probably she doesn&#8217;t remember it, this wouldn&#8217;t be the first time After she told me 1,000 times she had not [...]]]></description>
			<content:encoded><![CDATA[<p>When my wife told me she had received an email confirming a purchase she hadn&#8217;t made, my first thought was:</p>
<blockquote><p>How can she even remember what she bought? She buys thousands of clothes online, probably she doesn&#8217;t remember it, this wouldn&#8217;t be the first time <img src='http://pandalabs.pandasecurity.com/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p></blockquote>
<p>After she told me 1,000 times she had not bought anything in that store, I decided to take a look at it, and it really looked like a legit message, so I asked her again. She looked at me in a way that only your better half can do, and at that moment I understood that my life was at risk if I dared to ask again.</p>
<p>I looked at it again and it turned out it was not a legit email. Cybercriminals often use this kind of social engineering technique, but the messages are usually less elaborate than this one:</p>
<p><img class="aligncenter size-full wp-image-3447" title="MailCult" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/02/MailCult.png" alt="" width="755" height="816" /></p>
<p>When you click on the URL to view the order, you go to a different place: it is an HTML message, so the real link cannot be seen in the text and the user thinks he will see the actual order. Then you are asked to download the following file:</p>
<p style="text-align: left;"><img class="aligncenter size-full wp-image-3448" title="file" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/02/file.png" alt="" width="108" height="123" />As you can see, the file name is the same as the subject of the message and the fake order number, and it uses the Acrobat icon to fool users into opening the file, thinking it is a PDF: most users have their systems configured to hide known file extensions, so they cannot see the .exe that you can see in the picture.</p>
<p style="text-align: left;">Once you have done it&#8230; bad news, this is a nasty Trojan with bot capabilities. It is designed to steal all kinds of personal information: from Bank of America customers to players using the game platform Steam. And it will log everything you do on your computer, so the next time you go to Facebook, Gmail, etc. your passwords will be sent to the cybercriminals.</p>
<p style="text-align: left;">Doing some reversing I found out it also looks for some other Trojans, mainly bot competitors such as Zeus, DarkComet, etc., to remove them in case they are in the system. As Sean Connery (Ramirez) said in the film Highlander: &#8220;In the end there can be only one.&#8221;</p>
<p style="text-align: left;">Once installed, it creates a registry entry to ensure it will be executed every time the computer is started. It uses the name &#8220;Windows Defender&#8221; for that registry entry, so a user who sees it will think it is some kind of legit application. It also modifies some values in the registry to bypass the firewall (very important when you intend to send out the stolen data).</p>
<p>Lessons learnt:</p>
<p>1.- Your wife is always right, and in case she tells you something you don&#8217;t have to ask about it anymore</p>
<p>2.- Remember everything you buy online to avoid being fooled.</p>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/bot-shopping-with-my-wife/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>PandaLabs Annual Report &#8211; 2011</title>
		<link>http://pandalabs.pandasecurity.com/pandalabs-annual-report-2011/</link>
		<comments>http://pandalabs.pandasecurity.com/pandalabs-annual-report-2011/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 09:04:16 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Cyber Protest]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[PandaLabs]]></category>
		<category><![CDATA[Security Reports]]></category>
		<category><![CDATA[annual report]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3442</guid>
		<description><![CDATA[Today we are publishing the PandaLabs report, where you can enjoy an overview of the main figures and security news that have happened in the last 12 months, as well as some figures. You will see how malware creation hit a new record high in 2011 with 26 million samples, that Trojans continue to be [...]]]></description>
			<content:encoded><![CDATA[<p>Today we are publishing the PandaLabs report, where you can enjoy an overview of the main figures and security news that have happened in the last 12 months, as well as some figures. You will see how malware creation hit a new record high in 2011 with 26 million samples, that Trojans continue to be the most pervasive malware threat, and some nice stories about cybercrime and cyberwar, as well as some other information about social networks.</p>
<p>I really hope you enjoy it. You can download the report <a href="http://press.pandasecurity.com/press-room/reports/">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/pandalabs-annual-report-2011/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Katy Perry and Russell Brand baits to spread a new Facebook worm</title>
		<link>http://pandalabs.pandasecurity.com/katy-perry-and-russell-brand-baits-to-spread-a-new-facebook-worm/</link>
		<comments>http://pandalabs.pandasecurity.com/katy-perry-and-russell-brand-baits-to-spread-a-new-facebook-worm/#comments</comments>
		<pubDate>Thu, 26 Jan 2012 15:39:03 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3435</guid>
		<description><![CDATA[Once again, user curiosity becomes cyber-criminals’ best ally. Scammers exploit people’s interest in celebrities to infect users. We have recently detected a new Facebook scam that uses a fake video of singer Katy Perry and ex-husband actor Russell Brand to trick users. If the user clicks the link, they are taken to a fake Facebook [...]]]></description>
			<content:encoded><![CDATA[<p>Once again, user curiosity becomes cyber-criminals’ best ally. Scammers exploit people’s interest in celebrities to infect users. We have recently detected a new Facebook scam that uses a fake video of singer Katy Perry and ex-husband actor Russell Brand to trick users.</p>
<p><img class="aligncenter size-full wp-image-1515" title="kate1" src="http://pandalabs.pandasecurity.com/es/wp-content/uploads/2012/01/kate1.jpg" alt="" width="405" height="168" /></p>
<p>If the user clicks the link, they are taken to a fake Facebook page where they are invited to download a plug-in to watch the video.</p>
<p><img class="aligncenter size-full wp-image-1516" title="kate perry" src="http://pandalabs.pandasecurity.com/es/wp-content/uploads/2012/01/kate-perry.png" alt="" width="636" height="525" /></p>
<p>The page indicates that over 4,000 people have already clicked the “Like” button, which is used by the scammers to trick victims into believing that the video is legitimate.</p>
<p>If the user tries to play the video, the worm will act differently depending on the browser used. If you use Firefox or Chrome, the worm installs a browser plug-in and uses it to post the scam to the victims’ friends’ pages. On Internet Explorer, the worm displays an age verification page to access an application called “X-Ray Scanner”.</p>
<p><img class="aligncenter size-full wp-image-1517" title="kate3" src="http://pandalabs.pandasecurity.com/es/wp-content/uploads/2012/01/kate3.jpg" alt="" width="506" height="229" /></p>
<p>Then, before the user can take any other action, the browser takes them to a typical scam site where they are asked to enter their phone number. However, if they do so, they will start receiving unwanted premium rate text messages.</p>
<p><img class="aligncenter size-full wp-image-1518" title="kate4" src="http://pandalabs.pandasecurity.com/es/wp-content/uploads/2012/01/kate4.jpg" alt="" width="698" height="384" /></p>
<p>Here you have some tips on how to avoid falling victim to this type of scam:</p>
<p>-	Be wary of websites offering sensational videos or unusual stories.<br />
-	Before you click on a link sent by one of your contacts, make sure it has been intentionally sent by your friend and it is not the result of a massive scam like this one.<br />
-	Don’t accept friend requests from people you don’t know. This will help keep your privacy safe.<br />
-	Always keep your computer’s operating system and Web browsers up to date, and make sure you have an up-to-date antivirus solution installed.</p>
<p>If, however, you suspect you have fallen into the trap:</p>
<p>-	Check your browser plug-ins and remove any suspicious ones.<br />
-	Check the applications that have permission to access your Facebook account, and delete those you don’t know.<br />
-	Change your Facebook account password. If you use the same credentials to sign in to other services as well, change them too. It is always better to take all necessary precautions.</p>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/katy-perry-and-russell-brand-baits-to-spread-a-new-facebook-worm/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Sex, lies and Twitter</title>
		<link>http://pandalabs.pandasecurity.com/sex-lies-and-twitter/</link>
		<comments>http://pandalabs.pandasecurity.com/sex-lies-and-twitter/#comments</comments>
		<pubDate>Tue, 24 Jan 2012 12:20:42 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Social Networks]]></category>
		<category><![CDATA[Spam]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[lies]]></category>
		<category><![CDATA[Sex]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3418</guid>
		<description><![CDATA[Last week we got a new follower on Twitter, Alena Edwards: No tweets so far, the only information about &#8220;her&#8221; is the message in her profile, where she&#8217;s looking for funny guys and gives us a link. It is probably a spammer who, instead of tweeting links, just puts the spam link in the profile [...]]]></description>
			<content:encoded><![CDATA[<p>Last week we got a new follower on Twitter, Alena Edwards:</p>
<p><img class="aligncenter size-full wp-image-3419" title="spamtwitter" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/spamtwitter.png" alt="" width="704" height="181" /></p>
<p>No tweets so far, the only information about &#8220;her&#8221; is the message in her profile, where she&#8217;s looking for funny guys and gives us a link. It is probably a spammer who, instead of tweeting links, just puts the spam link in the profile description. So let&#8217;s see what happens when we go there:</p>
<p><img class="aligncenter size-full wp-image-3421" title="postspamtwitter1" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/postspamtwitter1.png" alt="" width="709" height="433" /></p>
<p>It looks like the typical dating site, maybe not for regular relationships but for more spicy moments&#8230; The number of hot girls that are alone looking for some friends is awesome <img src='http://pandalabs.pandasecurity.com/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> Take a look at some of the pictures I could see there:</p>
<p><img class="aligncenter size-full wp-image-3423" title="spamtwitter2" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/spamtwitter2.png" alt="" width="711" height="449" /></p>
<p>After checking there were no exploits, etc. I tried to get some more info about that domain, and this is what I got:</p>
<p><img class="aligncenter size-full wp-image-3422" title="registrar" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/registrar.png" alt="" width="364" height="311" /></p>
<p>So the site was created the day before Alena started following us. Then I created an email address to register on the site, filling in all the fields. Once I did that I was registered, not for the domain I was on but for a new one, called XXXBlackBook. I was told I was going to receive an email from them to activate my account, so I went to check my inbox and I had the message:</p>
<p><img class="aligncenter size-full wp-image-3424" title="mail" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/mail.png" alt="" width="694" height="206" /></p>
<p>Once I did it I could access the site as a regular member. On the same website you have an inbox where other members can send you messages, and in a few minutes I got a new one:</p>
<p><img class="aligncenter size-full wp-image-3426" title="spamtwittermessage" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/spamtwittermessage.png" alt="" width="648" height="195" /></p>
<p>To continue my research, I clicked on the message to take a look at it, but sadly I got this:</p>
<p><a href="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/spamtwitter3.png"><img class="aligncenter size-full wp-image-3420" title="spamtwitter3" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/spamtwitter3.png" alt="" width="675" height="617" /></a></p>
<p>So you can get messages, but to read them you have to upgrade to a silver or gold account&#8230; and it is not cheap:</p>
<p><img class="aligncenter size-full wp-image-3427" title="spamtwittermessage2" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/spamtwittermessage2.png" alt="" width="670" height="583" /></p>
<p>When I took out my credit card, my wife came into the room and I had to stop the research <img src='http://pandalabs.pandasecurity.com/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/sex-lies-and-twitter/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>Megaupload and the cybercrime fight</title>
		<link>http://pandalabs.pandasecurity.com/megaupload-and-the-cybercrime-fight/</link>
		<comments>http://pandalabs.pandasecurity.com/megaupload-and-the-cybercrime-fight/#comments</comments>
		<pubDate>Fri, 20 Jan 2012 07:58:47 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Cyber Protest]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[Hacktivists]]></category>
		<category><![CDATA[Anonymous]]></category>
		<category><![CDATA[Department of Justice]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[Megaupload]]></category>
		<category><![CDATA[RIAA]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3408</guid>
		<description><![CDATA[As most of you already know, yesterday Megaupload was closed by the FBI, accused of &#8220;copyright infringement&#8221;. You can read FBI&#8217;s press release here where the details of the case are explained, and you can see how each accused person in this case could face 50 years of jail time. We should be concerned, as the [...]]]></description>
			<content:encoded><![CDATA[<p>As most of you already know, yesterday Megaupload was closed by the FBI, accused of &#8220;copyright infringement&#8221;. You can read FBI&#8217;s press release <a title="FBI Press Release" href="http://www.fbi.gov/news/pressrel/press-releases/justice-department-charges-leaders-of-megaupload-with-widespread-online-copyright-infringement" target="_blank">here</a> where the details of the case are explained, and you can see how each accused person in this case could face 50 years of jail time.</p>
<p>We should be concerned, as the next step could be to close Google or Bing. At the end of the day we all use them to find the stuff we want, and I have many times seen results in those search engines with Megaupload links. And what next? Will they close the Internet?</p>
<p>Anonymous has of course reacted, and has started DDoS attacks against a number of different websites. Among the targets we can find the Department of Justice, the RIAA, and Universal Music. Again, the best way Anonymous is able to come up with is to launch DDoS attacks. They could try to give information to the people, etc. but that is boring for them, it is way more fun to break the law.</p>
<p>Going back to the press release, you can also read this:</p>
<blockquote><p>This case is part of efforts being undertaken by the  Department of  Justice Task Force on Intellectual Property (IP Task  Force) to stop the  theft of intellectual property.</p></blockquote>
<p>Meanwhile, in the real world, thousands of millions of dollars are stolen every year by cybercriminals (real money, taken from users&#8217; credit cards and bank accounts). But as long as there is no theft of intellectual property, that&#8217;s ok. Wait a moment, is that OK? <strong>Maybe some priorities should be adjusted</strong>.</p>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/megaupload-and-the-cybercrime-fight/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>The Rise of the Ransomware</title>
		<link>http://pandalabs.pandasecurity.com/the-rise-of-the-ransomware/</link>
		<comments>http://pandalabs.pandasecurity.com/the-rise-of-the-ransomware/#comments</comments>
		<pubDate>Thu, 19 Jan 2012 11:18:03 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Rogueware]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[police]]></category>
		<category><![CDATA[Ransomware]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3389</guid>
		<description><![CDATA[In the last months we have seen an increase of ransomware attacks. While the first ones we saw were posing as Microsoft to threaten the user because a pirated version of Windows had been detected, and in case you didn&#8217;t pay the fine they would contact the local law enforcement agencies, the new ones [...]]]></description>
			<content:encoded><![CDATA[<p>In the last months we have seen an increase of ransomware attacks. While the first ones we saw were <a title="Ransomware Microsoft" href="http://pandalabs.pandasecurity.com/ransomware-posing-as-microsoft/" target="_self">posing as Microsoft </a>to threaten the user because a pirated version of Windows had been detected, and in case you didn&#8217;t pay the fine they would contact the local law enforcement agencies, the new ones are posing as the very same law enforcement agencies.</p>
<p>While we are used to seeing this kind of fake message in English, in this case the attacks are localized: we have seen English, German, Spanish or Dutch (among others), depending on the targeted country. All of the attacks are targeting some European country, so it looks like all of them are related and the same cybercriminal gang could be behind them.</p>
<p>The latest one appeared a couple of days ago, this time targeting Spain. The file uses the following <em>Internet meme</em> as its icon:</p>
<p><img class="aligncenter size-full wp-image-3393" title="meme" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/meme.jpg" alt="" width="233" height="216" /></p>
<p>Once infected, this is what you will see in your desktop:</p>
<p><img class="aligncenter size-full wp-image-3397" title="malware_policia" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/malware_policia1.jpg" alt="" width="710" height="515" /></p>
<p>The message says that access to illegal material (such as child pornography and spam about terrorism) has been detected from that computer, and that the computer will be locked to prevent such use. To solve that you have to pay a fine of €100.</p>
<p>The worst thing for the user is that it actually blocks the computer, so it is not easy to remove. To do it, restart the computer in safe mode and run a scan with an <a href="http://www.cloudantivirus.com" target="_blank">antivirus solution</a> that is able to detect it.</p>
<p>These are different examples we have seen in the last months:</p>
<div id="attachment_3398" class="wp-caption aligncenter" style="width: 520px"><a href="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/Poli-UK2.jpg"><img class="size-full wp-image-3398" title="UK" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/Poli-UK2.jpg" alt="" width="510" height="327" /></a><p class="wp-caption-text">English</p></div>
<div id="attachment_3399" class="wp-caption aligncenter" style="width: 510px"><a href="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/Poli-Italiana2.jpg"><img class="size-full wp-image-3399" title="Poli Italiana2" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/Poli-Italiana2.jpg" alt="" width="500" height="378" /></a><p class="wp-caption-text">Italian</p></div>
<div id="attachment_3400" class="wp-caption aligncenter" style="width: 529px"><img class="size-full wp-image-3400" title="Poli Dutch" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/Poli-Dutch.jpg" alt="" width="519" height="363" /><p class="wp-caption-text">Dutch</p></div>
<div id="attachment_3401" class="wp-caption aligncenter" style="width: 528px"><img class="size-full wp-image-3401" title="Poli alemana" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/Poli-alemana.png" alt="" width="518" height="415" /><p class="wp-caption-text">German</p></div>
<div id="attachment_3402" class="wp-caption aligncenter" style="width: 528px"><img class="size-full wp-image-3402" title="Poli Spa" src="http://pandalabs.pandasecurity.com/wp-content/uploads/2012/01/Poli-Spa.jpg" alt="" width="518" height="348" /><p class="wp-caption-text">Spanish</p></div>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/the-rise-of-the-ransomware/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>2012 Security Trends</title>
		<link>http://pandalabs.pandasecurity.com/2012-security-trends/</link>
		<comments>http://pandalabs.pandasecurity.com/2012-security-trends/#comments</comments>
		<pubDate>Thu, 15 Dec 2011 12:26:02 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[PandaLabs]]></category>
		<category><![CDATA[Security Reports]]></category>
		<category><![CDATA[2012]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[trends]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3384</guid>
		<description><![CDATA[2011 is coming to an end, so now it&#8217;s time to look at what we can expect over the next 12 months: Social networks: Social engineering techniques exploiting users’ weaknesses have become the leading attack method in social networks. Trending topics such as the Olympics or the next US Presidential elections will be [...]]]></description>
			<content:encoded><![CDATA[<p>2011 is coming to an end, so now it&#8217;s time to look at what we can expect over the next 12 months:</p>
<ul>
<li><strong>Social networks</strong>: Social engineering techniques exploiting users’ weaknesses have become the leading attack method in social networks. Trending topics such as the Olympics or the next US Presidential elections will be used as bait. Cybercriminals will continue to target social media sites to steal personal data.</li>
</ul>
<ul>
<li><strong>Malware increase</strong>: In the past few years, the number of malware threats has grown exponentially, and everything seems to indicate that the trend will continue in 2012. In fact, malware is the weapon used by cybercriminals to carry out their attacks.</li>
</ul>
<ul>
<li><strong>Trojans</strong>: they are cyber-crooks’ weapon of choice for their attacks, as shown by the fact that three out of every four new malware strains created in 2011 were Trojans, designed to sit silently on users’ computers and steal their information.</li>
</ul>
<ul>
<li><strong>Cyberwar</strong>: or maybe it is more accurate to say cyberespionage. 2011 has been the year with the most intrusions ever aimed at companies and government agencies. From New Zealand to Canada, from Japan to the European Parliament, there have been countless attacks aimed at stealing secret or classified information. We live in a world where all the information is in digital form, so modern-day spies no longer need to infiltrate a building to steal information. As long as they have the necessary computer skills, they can wreak havoc and access the best-kept secrets of organizations without ever leaving their living-rooms. In 2012 we will see even more of these kinds of attacks.</li>
</ul>
<ul>
<li><strong>Mac malware</strong>: As the market share of Mac users continues to grow, the number of threats will grow. Fortunately enough, it seems that Mac users are now more aware that Mac is not immune to malware attacks and they are increasingly using antivirus programs, hindering cyber-crooks. The number of malware specimens for Mac will continue to grow in 2012, although much less than for PCs.</li>
</ul>
<ul>
<li><strong>Mobile malware</strong>: Over ten years ago, antivirus companies started making dire predictions of a mobile malware epidemic. Years later, as the situation was not as apocalyptic as predicted, they started claiming that the installation of antivirus software on mobile phones had prevented the catastrophe. Well, they were wrong again. If having an antivirus solution were enough to solve all types of malware problems, the world would be a happier place. Unfortunately though, both users and security vendors alike are in the hands of cyber-crooks, who are the ones who decide which platform to target. In this context, last year PandaLabs predicted a surge in cyber attacks on mobile phones, and the fact that Android has become the number one mobile target for cyber-crooks in 2011 confirms that prediction. In 2012 there will be new attacks on Android, but they will not be on a massive scale. New mobile payment methods –via NFC for example– could become the next big target for Trojans but, as always, this will largely depend on their popularity.</li>
</ul>
<ul>
<li><strong>Malware for tablets</strong>: The fact that tablets share the same operating system as smartphones means that they will soon be targeted by the same malware as those platforms. In addition, tablets might draw a special interest from cyber-crooks as people are using them for an increasing number of activities and they are more likely to store sensitive data than, say, a smartphone.</li>
</ul>
<ul>
<li><strong>Cybercriminals targeting small to medium-sized companies</strong>: Why do cybercriminals target online banking customers instead of directly attacking banking institutions to steal money? The answer to this question has to do with the cost-benefit ratio of the attack: Financial entities are usually very well protected, and the chance of launching a successful attack is remote and very costly. However, attacking their customers to steal their identity and impersonate them is much simpler. The security of small to medium-sized companies is not that strong, and this makes them very attractive for cyberthieves, who can steal data from hundreds or thousands of users in one go. On many occasions, small to medium-sized companies do not have dedicated security teams, which makes them much more vulnerable.</li>
</ul>
<ul>
<li><strong>Windows 8</strong>: The next version of Microsoft’s popular operating system is scheduled for November 2012, so even though it is not supposed to have much of an impact on the malware landscape in the coming year, it will surely offer cyber-crooks new opportunities to create malicious software. Windows 8 will allow users to develop applications for virtually any device (PCs, tablets and smartphones) running Windows 8, so it will be possible to develop malicious applications like those for Android. This, in any event, will probably not take place until 2013.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/2012-security-trends/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Could targeted attacks be avoided?</title>
		<link>http://pandalabs.pandasecurity.com/could-targeted-attacks-be-avoided/</link>
		<comments>http://pandalabs.pandasecurity.com/could-targeted-attacks-be-avoided/#comments</comments>
		<pubDate>Fri, 02 Dec 2011 11:37:47 +0000</pubDate>
		<dc:creator>Luis Corrons</dc:creator>
				<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[Vulnerabilities & Exploits]]></category>
		<category><![CDATA[Duqu]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[targeted attack]]></category>

		<guid isPermaLink="false">http://pandalabs.pandasecurity.com/?p=3374</guid>
		<description><![CDATA[This could be a long blog post, but I&#8217;ll try to make it short. However, for those of you who are lazy, here you can read the answer to the question, and the ones interested in the whole story (I will make it short, I promise) just follow the * mark: NO (*) (*): One [...]]]></description>
			<content:encoded><![CDATA[<p>This could be a long blog post, but I&#8217;ll try to make it short. However, for those of you who are lazy, here you can read the answer to the question, and the ones interested in the whole story (I will make it short, I promise) can just follow the * mark:</p>
<p><strong>NO</strong> <strong>(*)</strong></p>
<p><strong>(*)</strong>: One of the characteristics of a targeted attack is that the attacker has previously studied the victim (who is a specific person or organization): which systems the victim is running, where the most valuable information is located, what defenses are in place, etc. And not only that: the people involved will also be investigated, including which fields they work in, what hobbies they have, etc. This is why it is almost impossible to avoid these kinds of attacks. However, this is not a reason to lower our defenses, and that&#8217;s something that really puzzles me: taking a look at some of the major attacks we have seen in recent years, many of them were possible because there were servers with no antivirus protection, with an outdated operating system, etc. In a single word: <strong>negligence</strong>.</p>
<p>However, this is not always the case. If we take a look at the 2 most important attacks that have happened during 2011 (the RSA incident and the Duqu case) we will see that both attacks were really sophisticated, and that the way to start the intrusion was a mix of social engineering and some kind of software vulnerability. I would like to point out that in both cases users received a document, and once it was opened the document dropped and ran a file in the system, and from that moment on the system was compromised. Of course, these kinds of attacks can be done using known or unknown vulnerabilities, and you could argue that a user has no way to detect that a document is malformed in that way, and that the antivirus won&#8217;t detect a single thing as it will be new and the attacker has previously checked that the malware pieces involved were not detected: fair enough, I do agree with that.</p>
<p>And what if I tell you that if they had used Panda the attack would have failed? In 2004 we released TruPrevent technologies, with the goal of detecting a portion of the brand new malware, the portion that was still not detected with signatures. Since then we have included those technologies in our products, and one of them basically prevents a file from being downloaded and executed when a document is opened. Smart, nice, clean&#8230; <img src='http://pandalabs.pandasecurity.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>Conclusion: if RSA, or any of the companies attacked by Duqu, had used even the free version of <a href="http://www.cloudantivirus.com" target="_blank">Panda Cloud Antivirus</a> those intrusions wouldn&#8217;t have happened&#8230; <strong>IN THAT WAY</strong>. Anyway, remember the answer to the question (<strong>&#8220;NO&#8221;</strong>). Attackers would have figured out a way to circumvent it, probably trying a different kind of attack, but the harder we make it, the better our chances of avoiding it.</p>
]]></content:encoded>
			<wfw:commentRss>http://pandalabs.pandasecurity.com/could-targeted-attacks-be-avoided/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>

