Tuesday, June 26, 2012

Again! I’m Not Falling for That One!

From time to time I review my email junk folder to check if a legitimate message got stuck in there, and in order to keep myself updated on new techniques and methods utilized to scam people into disclosing their confidential information.
Recently I ran across an email message, apparently from PayPal, requesting me to update my records in order to continue using their services.
Since I really don't have a PayPal account yet, this email is definitely a scam.
Upon more investigation, carefully following the link mentioned in the email in order to update my non-existent records, I was redirected to a web page that looks like the original PayPal.com website.

The first thing that caught my attention was the URL of this fake PayPal page.

I tried to log in to this false PayPal page using incorrect and offensive credentials; I was redirected to a "Session timed out" page, and of course the credentials I used were sent to and stored (stolen) by the creators of this illegitimate page.

Note that the first thing a user should check before disclosing any confidential data is the correctness of the URL of the page requesting this information.

Always look for the httpS.
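The URL check described above, as an added Python example that is not part of the original post: a link passes only when the scheme is https and the hostname is paypal.com or one of its subdomains, matched on DNS label boundaries so that lookalike hosts such as paypal.com.evil.example fail. The sample URLs are constructed and evil.example is a placeholder domain.

```python
"""Check whether a link really points at the site it claims to (added example)."""
from urllib.parse import urlsplit


def host_matches(hostname: str, legit_domain: str) -> bool:
    """True only if hostname is legit_domain or a subdomain of it.

    Matching on label boundaries rejects 'paypal.com.evil.example' and
    'notpaypal.com', both of which a naive substring check would accept.
    """
    hostname = hostname.lower().rstrip(".")
    legit_domain = legit_domain.lower()
    return hostname == legit_domain or hostname.endswith("." + legit_domain)


def check_url(url: str, legit_domain: str = "paypal.com") -> list[str]:
    """Return a list of warnings; an empty list means the URL passes every check."""
    warnings = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        warnings.append("not https")
    if parts.username is not None or parts.password is not None:
        # 'https://www.paypal.com@evil.example/' shows paypal.com before the '@',
        # but the browser connects to evil.example.
        warnings.append("credentials in URL hide the real host")
    host = parts.hostname or ""
    if not host:
        warnings.append("no hostname")
        return warnings
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label, possible lookalike characters")
    if not host_matches(host, legit_domain):
        warnings.append(f"host {host!r} is not {legit_domain}")
    return warnings


if __name__ == "__main__":
    # Constructed sample links: the last one is https but still not PayPal,
    # which is why the hostname has to be checked as well as the padlock.
    for sample in ("https://www.paypal.com/cgi-bin/webscr",
                   "http://www.paypal.com.evil.example/update",
                   "https://www.paypal.com@evil.example/",
                   "https://paypal-secure.evil.example/"):
        print(sample, "->", check_url(sample) or ["ok"])
```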


I wonder how many people took the bait and were scammed by this scenario.
The good thing is that the Firefox browser started to alert people before accessing the false PayPal web page by displaying this message.

Finally, don't fall for these scams; exercise a keen sense of responsibility, awareness and an appropriate dose of suspicion before disclosing personal information.

Monday, June 11, 2012

Suicide Ability: Update on the Flamer Virus

Described as the largest, most sophisticated, most discreet and certainly the most complex virus ever created, the Flame virus shows more of its abilities before it disappears.

It has been proven that Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, late last week, Flame’s creators decided to distribute a different self-removal module to infected computers that are still connected to the predefined servers and still under their control.

Compromised computers regularly contact their pre-configured control server to acquire additional commands. Following such a request, the C&C (command and control) server sent them a file named browse32.ocx. This file is the module responsible for removing Flamer from the compromised computer, “the disinfector”.

The browse32.ocx module has not been seen and recovered from the field; instead it was captured in honeypots. Any client receiving this file would have had all traces of Flamer removed, including this module itself. The suicide feature and the browse32.ocx module are designed to prevent further forensic analysis.

Meanwhile, an important question remains unanswered: since the C&C servers are able to execute a command that kills the Flamer virus, aren’t they also able to plant the seeds of a new, undiscovered virus that will reside undetected for several years, doing the same or even more damage than the current Flame virus?

For more info about the files and folders removed by browse32.ocx, read the following from Symantec.

Tuesday, June 5, 2012

Avoiding the Flame

After reading many articles and expert reviews about the Flame virus, I came up with the following summary.

What is Flame: Worm or Trojan?
Flame is a complex attack toolkit: a Trojan modified to have worm-like features, allowing it to replicate within local networks and over removable media.
The initial entry point of Flame is still unknown, but once a system is infected, sKyWIper (another name for the Flame virus) begins a sophisticated set of operations, including:
  • Running on Windows XP, Windows Vista and Windows 7 systems;
  • Scanning network resources;
  • Stealing information as specified;
  • Communicating with control servers over the SSH and HTTPS protocols;
  • Detecting the presence of over 100 security products (AV, anti-spyware, firewalls, etc.);
  • Loading itself as part of Winlogon.exe, then injecting into Explorer and Services;
  • Concealing its presence as ~-named temp files, just like Stuxnet and Duqu;
  • Attacking new systems over USB flash memory and the local network;
  • Creating screen captures and recording voice conversations;
  • Using an SQLite database to store collected information;
  • Utilizing encrypted PE resources.

Flame Complexity: Masterpiece
Flame is a huge package of modules, accumulating up to 20 MB in size when fully deployed. Because of this, antivirus companies state that it is an extremely difficult piece of malware to analyze.
Flame is so big because it includes many different libraries, such as those for compression (zlib, libbz2, ppmd) and database manipulation (sqlite3).

Flame creation date: unknown
The developers of Flame were able to change the creation dates of the files associated with this virus to 1992, 1994, 1995 and so on, but it’s very obvious that these dates are incorrect and aim only to feed false data to investigators.
Analysts believe that the main Flame project was created in 2010 but is still under active development to date. There is a strong possibility, however, that an earlier version of this virus existed before 2010.

Why the Name: Flame
Flame, Flamer and sKyWIper are all different names for the same malware. The Flame virus consists of multiple modules, one of the main modules being called Flame, as the picture indicates. The Flame module is responsible for attacking and infecting additional computers, and this is the main reason behind the malware’s name.
No one to claim the spoils
Although no party has claimed responsibility for the creation and use of this malware, it is obvious that it was not created by a group of hacktivists sending a certain message, or by anonymous hackers just for the lulz.
The complex anatomy of this malware, along with the geographic spread of the targets, leaves no doubt that a great deal of resources was invested in the creation of this virus and that it was created by a nation state in order to collect information on the operations of certain countries in the Middle East, including Iran, Lebanon, Syria and so on.
Here’s a map of the top 7 affected countries:
Stop the Flame: Update your Antivirus
In general, most recent malware is small, usually between 100 KB and 700 KB, so that it is easily hidden, but in Flame's case things are totally different. The large size of the Flame malware is precisely why it wasn’t discovered two years ago: who would suspect a nine-megabyte ~-named temp file of being a malware database file?
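As an added detection example that is not from the original post or from any vendor's tool: a scan of a temp directory for large files whose names start with "~", reporting whether each begins with the SQLite 3 file header, since the post describes Flame hiding a large SQLite data store under such a name. The directory contents and file names are constructed for the demonstration, and the size threshold is a parameter you tune to your environment.

```python
"""Flag large '~'-prefixed temp files and note which ones are SQLite databases (added example)."""
import os
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # fixed 16-byte header of every SQLite 3 database
DEFAULT_MIN_SIZE = 1024 * 1024         # 1 MB; Office-style ~ lock files are far smaller


def is_sqlite_file(path: str) -> bool:
    """True if the file starts with the SQLite 3 header."""
    with open(path, "rb") as fh:
        return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def scan_tilde_temp_files(directory: str, min_size: int = DEFAULT_MIN_SIZE) -> list[dict]:
    """Return one record per regular file whose name starts with '~' and is >= min_size.

    A hit is a lead for analysis, not a verdict: legitimate software also creates
    ~-named temp files, which is exactly what makes the pattern a good hiding place.
    """
    hits = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False) or not entry.name.startswith("~"):
                continue
            size = entry.stat(follow_symlinks=False).st_size
            if size < min_size:
                continue
            hits.append({"path": entry.path, "size": size, "sqlite": is_sqlite_file(entry.path)})
    return hits


def build_sample_dir() -> str:
    """Constructed sample directory: one small ~ file (benign-looking lock file),
    one large ~ file carrying a SQLite header, one large file without the prefix."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "~lock_sample.tmp"), "wb") as fh:
        fh.write(b"x" * 512)
    with open(os.path.join(d, "~sample_db.tmp"), "wb") as fh:      # constructed name
        fh.write(SQLITE_MAGIC + b"\x00" * (2 * 1024 * 1024))
    with open(os.path.join(d, "setup.log"), "wb") as fh:
        fh.write(b"y" * (2 * 1024 * 1024))
    return d


if __name__ == "__main__":
    for hit in scan_tilde_temp_files(build_sample_dir()):
        print(f"{hit['path']}: {hit['size']} bytes, sqlite={hit['sqlite']}")
```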
Finally, in order to remove this malware, follow one of the following links and install the appropriate removal tool / antivirus:
  1. McAfee Stinger
  2. BitDefender Flame Removal Tool
  3. AVG (and keep it updated)

Friday, June 1, 2012

Six ways to secure your Facebook!

Facebook has become a big part of our lives, integrated into our social and private life. Nevertheless, Facebook users still face an obstacle, an issue that puts their privacy at risk. Security is an essential issue when it comes to social networking, and if you don't secure your Facebook, you are in trouble. Here are six ways to secure your Facebook.

1. Go to your "Account Settings" by clicking on the arrow in the top right corner of your Facebook page and selecting "Account Settings". Next, select the "Security" tab on the left side of the page; this will take you to this page:

2. Click on the first item labeled "Secure Browsing" and check "Browse Facebook on a secure connection (https) when possible". Don't forget to save your changes.

3. Next, click on "Login Notifications" and check either Email, Text message/Push notification, or both.

4. Edit "Login Approvals" and check the box. This will send a text message to your phone whenever someone attempts to log in to your Facebook account from an unrecognized computer or browser.

5. Click on the "Facebook Ads" tab on the left side of the page.

Then click on "Edit third party ad settings" and "Edit social ad settings" and set sharing to "no one" in both.

6. Finally, go to your "Privacy Settings", reachable from the top right corner by clicking on the arrow, and set the default sharing permission to "friends".