Wednesday, April 29, 2009

Alarm raised over Adobe PDF zero-day vulnerability

If you are one of the world's many users of Adobe's Acrobat PDF Reader software then there's good reason to prick up your ears and listen today, as details emerge of a critical zero-day vulnerability in the software that could allow hackers to run malicious code on computers.

According to a warning from the security response team at Adobe, a serious vulnerability affects all currently supported versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions).

The vulnerability, which is not limited to Windows users but also affects Mac and Unix users, means that Adobe users are being advised to disable JavaScript in Adobe Reader and Acrobat until a proper fix is available.

Adobe advises that JavaScript can be disabled by following these instructions:

1. Launch Acrobat or Adobe Reader.
2. Select Edit/Preferences.
3. Select the JavaScript category.
4. Uncheck the 'Enable Acrobat JavaScript' option.
5. Click OK.
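Turning JavaScript off in the reader protects the client; a complementary control at a mail gateway or file server is to flag PDFs that carry JavaScript or auto-run actions at all. The scanner below is an added example, not code from the original post or from Adobe: the names it looks for (/JavaScript, /JS, /OpenAction, /AA, /Launch) are standard PDF dictionary keys, and the three sample PDFs are constructed inline, including one that hides the names behind #xx escapes and a compressed stream, which a plain text search would miss.

```python
import re
import zlib

# Standard PDF dictionary names that indicate active content: script objects,
# actions run on open, additional (event-triggered) actions and program launches.
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")

# Characters that terminate a name token in PDF syntax (whitespace or delimiters).
_NAME_END = rb"[\s/<>\[\]()]"


def decode_pdf_name(token: bytes) -> bytes:
    """Resolve #xx hex escapes in a name token, so b'/J#61vaScript' becomes b'/JavaScript'.
    The escape form is legal PDF syntax, so a scanner must normalise it before matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), token)


def inflate_streams(data: bytes) -> bytes:
    """Replace every stream body that zlib can decompress (the FlateDecode filter) with its
    plain content, so names inside compressed streams are visible to the scan.
    Streams using other filters, or no filter, are left untouched."""
    def _inflate(m):
        try:
            return b"stream\n" + zlib.decompress(m.group(1)) + b"\nendstream"
        except zlib.error:
            return m.group(0)
    # \b stops the "stream" inside "endstream" being taken as the start of a stream.
    return re.sub(rb"\bstream\r?\n(.*?)\r?\nendstream", _inflate, data, flags=re.DOTALL)


def find_active_content(pdf: bytes) -> dict:
    """Return {name: count} for each suspicious name present, after inflating streams
    and normalising #xx escapes in every name token."""
    data = inflate_streams(pdf)
    data = re.sub(rb"/[^\s/<>\[\]()]+", lambda m: decode_pdf_name(m.group(0)), data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # Require a terminator after the name so /JS does not match a longer name.
        pattern = re.escape(name.encode()) + rb"(?=" + _NAME_END + rb"|$)"
        n = len(re.findall(pattern, data))
        if n:
            counts[name] = n
    return counts


def verdict(pdf: bytes) -> str:
    """Classify a PDF: 'javascript' if script objects are present, 'auto-action' if only
    open/event/launch actions are present, otherwise 'no-active-content'."""
    found = find_active_content(pdf)
    if "/JavaScript" in found or "/JS" in found:
        return "javascript"
    if found:
        return "auto-action"
    return "no-active-content"


def _constructed_pdf(objects: bytes) -> bytes:
    """Wrap object definitions in just enough PDF framing for the scanner
    (constructed sample, not a viewer-valid document)."""
    return b"%PDF-1.4\n" + objects + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


CLEAN_PDF = _constructed_pdf(b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n")

# Plain case: the catalog's OpenAction points at a JavaScript action object.
JS_PDF = _constructed_pdf(
    b"1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript /JS (app.alert('hello')) >>\nendobj\n")

# Evasive case: names carry #xx escapes and the action object sits in a FlateDecode stream.
_compressed = zlib.compress(b"<< /S /J#61vaScript /JS (app.alert('hello')) >>")
OBFUSCATED_JS_PDF = _constructed_pdf(
    b"1 0 obj\n<< /Type /Catalog /Open#41ction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(_compressed)
    + _compressed + b"\nendstream\nendobj\n")


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_PDF), ("plain", JS_PDF),
                          ("obfuscated", OBFUSCATED_JS_PDF)):
        print(f"{label:10s} {verdict(sample):18s} {find_active_content(sample)}")
```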

Of course, this is far from the first time that critical vulnerabilities have been found in Adobe's software, and there is growing concern that the vendor's dominant market share of the PDF reader market is proving extremely attractive for hackers hellbent on infecting as many PCs as possible.

As we predicted in the Sophos 2009 Security Threat Report, hackers are increasingly looking at commonly used browser plugins like Adobe Flash and PDF in their attempts to infect innocent computer users.

In the past I've suggested that computer users may want to use Foxit, an alternative to Adobe PDF Reader. However, on reflection, I think that advice wasn't that great because if everyone switched en masse to the same alternative to Adobe Reader we'd all be in the same pickle again.

A world of everyone using the same software as everyone else is never healthy for security.

Instead, make your own choice of which PDF reader to use. You can find a helpful list of some suggestions at http://pdfreaders.org/

Tuesday, April 28, 2009

Ever been spammed on a social network?

How about received a phishing message? Or sent a malicious link?

It seems occurrences of cybercrime on social networking sites like Twitter and Facebook are becoming more and more commonplace. Today, we've published some research looking into just how common it is to be hit, and how companies are trying to control access to the various Web 2.0 sites.

Ever been attacked on a social network?

Our survey quizzed over 700 security professionals - I wonder how much higher the percentages would have been if we had also asked teenagers who typically spend longer on these kinds of sites.

Monday, April 27, 2009

Guest blog: Canadian anti-spam laws take an important step forward

"Guest blogger Michael Argast, director of global sales engineering at Sophos, discusses changes in anti-spam legislation in his home country of Canada. Over to you, Michael.."

Michael Argast

The Conservative government in Canada last week introduced the Electronic Commerce Protection Act to help cull sources of spam and other malicious activity from within Canadian borders.

Although it was introduced as "the Government of Canada protecting Canadians", those of us in the industry recognize that this is a global problem, and the amount of spam and other malicious stuff ending up on Canadians' computers will not likely be significantly impacted as a result.

Our latest threat report had Canadian sources of spam being only 1.1% of the global total, and of course most of that will be from compromised machines forming parts of a botnet.

However, I do think this is a positive step for Canada as a "good neighbour" in the global community. We have seen a lot of previously US-based spam operations move to Canada due to a lack of this type of legislation – hopefully those same people will find it more inconvenient to move further overseas and cease operations.

Another nice thing about this legislation is its specific prohibitions on the installation of unwanted software such as spyware, keyloggers, adware, etc, during commercial operations.

So, while this is an important step forward, ultimately the spam and malware problem requires a global response.

The person breaking into your house to steal your flatscreen TV likely lives in your community. The one sending you malware via a spam campaign likely lives in Russia, breaks into a site in the US to get you into the threat tree, delivers the code off a compromised machine in Brazil and fires the spam off a botnet with compromised machines in Canada, China and South Africa. He then sells your credit card number or identity to a mule in your neighbourhood, who may not even be aware they're part of a global operation.

This sort of problem requires a global response, and the Electronic Commerce Protection Act is a good local step in a global effort.

Saturday, April 25, 2009

Salma Hayek's email account is hacked

Salma Hayek
According to reports, Hollywood actress Salma Hayek has fallen victim to hackers, who have broken into her email account and released images of her private communications.

The actress, remembered equally well for her Oscar-nominated role in the biopic of Frida Kahlo as for her erotic snake-dancing performance in "From Dusk Till Dawn", had her MobileMe account hacked after hackers reset her account password by correctly entering her date of birth and guessing her secret question (reportedly the name of her most famous film role).

As a result, the world knows details of what iPhone applications Salma Hayek has downloaded from the Apple iTunes Store, when she has arranged to have her Japanese face massage, and that her billionaire French husband François-Henri Pinault pays her bills.

Of course, it's worth remembering that Salma Hayek is the victim of a crime.

Maybe she did choose to protect her online email account with weak security that anyone with access to Wikipedia could probably bypass, but breaking into her MobileMe account is still an offence.

The public should take this as a warning to be very careful about what "secret answers" they choose in case they need to ever reset their passwords. Too many people when they are asked "What was your mother's maiden name?" or "Tell us the name of your favourite pet" choose to answer honestly with information that is a matter of public record, or can be found out by visiting their Facebook profile.

My advice is that if you're asked to tell a website what your mother's name is, answer with something memorable that no-one else will be able to guess, like "Xena Warrior Princess" or "Artichoke Sandwich".

By the way, Salma Hayek isn't the first figure in the public eye to have her email hacked. Watch this video: "Paris Hilton & Sarah Palin - what's the connection?".

Thursday, April 23, 2009

New Zealand websites hijacked


Turkish hackers have managed to break into New Zealand domain registrar Domainz.net, redirecting unsuspecting surfers to defaced versions of popular websites by changing DNS records.

Websites such as www.hsbc.co.nz, www.sony.co.nz, coca-cola.co.nz, www.xerox.co.nz, www.msn.co.nz, www.microsoft.co.nz and hotmail.co.nz, as well as security vendors www.f-secure.co.nz and www.bitdefender.co.nz, had their traffic redirected to third-party servers containing a defaced page after hackers took advantage of a SQL injection attack.

In the case of the Microsoft site, the usual webpage was replaced with an image of Bill Gates being on the receiving end of a custard pie. (Funnily enough, this isn't the first time the image has been used by hackers.)

The hackers responsible for the attack are believed to be members of the Turkish "Peace Crew" defacement gang.

You can't help but feel sorry for the innocent companies affected by this attack. It's not as though they did anything wrong in terms of security - the attack was against the domain registrar looking after their internet records. Rival domain registrars would be wise not to feel too smug at Domainz.net's misfortune, but to ask themselves urgently whether they might be vulnerable to similar attacks.

Wednesday, April 22, 2009

RBS, Rapport and OITC anti-virus test results


An email from a customer today brought my attention to some anti-virus test results that have been published on the website of RBS (Royal Bank of Scotland).

At first glance, the test results look quite bad for Sophos (and even worse for Symantec and McAfee).

But if you dig a little deeper into the methodology used by OITC to come up with the results - published by RBS on their page promoting a security add-on called Rapport - then you actually find that the methodology is flawed, and that these test scores are about as useful as a chocolate teapot.

As Stuart Taylor describes in a post on the SophosLabs blog, OITC's methodology actually penalises the likes of Sophos for their ability to proactively detect brand new malware using (in our case) behavioral genotype protection. That's because they exclude from their tests any piece of malware which they find 25% or more of security products already detect.

That's bonkers. (They did this I presume in the mistaken hope of determining if a piece of malware was new or not, but in the process penalised products which proactively detected it).

Furthermore, these results don't give any allowance for layers of protection such as run-time suspicious activity or buffer overflow detection, both of which would be defending customers in the real world.

My advice? Check out the independent comparative tests from the likes of AV-Test, AV-Comparatives and Virus Bulletin. They may not always put Sophos top of the class for virus detection, but I sure trust their testing methodology more than OITC's.

I hope that in the future RBS might link to some of those tests instead, for a more helpful indicator of the performance of anti-virus products.

Monday, April 20, 2009

Twitter users swamped by TheSmartECard messages

It seems that Twitter is becoming a major new playground for spammers and malware authors keen to target social networking users. Today we are seeing a new series of messages being posted to the streams of hundreds of unsuspecting Twitterers:

You'll like this one! Check out www.TheSmartEcard.com

and

Retweet: You'll love this one! Check out www.TheSmartEcard.com

Note that the "retweet" isn't really a retweet as it says "love" whereas all the original messages seen so far say "like".

Spam message directing Twitter users to TheSmartECard website

Twitter's security department have described the problem as a "scam/phishing site" rather than a virus problem.

Hopefully it should be obvious from the website's opening page of legalese banning staff from Twitter, MySpace, Facebook, Microsoft and Google, that something odd is afoot - even before it starts to quiz you for personal information. But if not, let me just say that visiting the website is not recommended.

Website of TheSmartECard

Anyone who has passed on their credentials to a third party website like TheSmartECard would be wise to change their passwords at the earliest opportunity.

Saturday, April 18, 2009

New Mikeyy worm makes jokes at Twitter's expense

Another day, another Twitter worm. After yesterday's attack referencing the likes of Ashton Kutcher and Oprah Winfrey, we are now seeing many Twitter users spreading messages on behalf of a new version of the Mikeyy worm. This time the common denominator is that they're all jokes including the (somewhat bizarre) word "womp".

Mikeyy worm makes jokes on Twitter

Here are some of the messages that are being sent from compromised accounts on Twitter right now:

Ninety-nine percent of all lawyers give the rest a bad name. Womp. mikeyy.
If your father is a poor man, it is your fate, but if your father-in-law is a poor man, it's your stupidity. Womp. mikeyy.
If you are born ugly blame your parents, if you died ugly blame your doctor. Womp. mikeyy.
Money is not the only thing, it's everything. Womp. mikeyy.
Every man should marry. After all, happiness is not the only thing in life. Womp. mikeyy.
Success is a relative term. It brings so many relatives. Womp. mikeyy.
Be nice to your kids. They'll choose your nursing home. Womp. mikeyy.
'Your future depends on your dreams', So go to sleep. Womp. mikeyy.

Once again, Twitter is left looking amateurish in its response, as it clearly hasn't properly hardened its systems against these kinds of cross-site scripting attacks. Until they get their act together, users need to remember to turn off scripting (the combination of Firefox and NoScript is a good one) when viewing users' profiles.

One thing's for sure, this just isn't funny.

Friday, April 17, 2009

Firm hires Twitter worm author Mikeyy Mooney


Mikeyy Mooney, the 17-year-old hacker who caused mayhem on Twitter with a series of worms on the micro-blogging website last weekend, has been rewarded with a job in web applications development, according to media reports.

Frankly, the news that exqSoft Solutions has approached and hired Mikeyy Mooney, the teenager behind the StalkDaily and Mikeyy worm attacks, has really got my goat.

What did Mikeyy actually achieve with his worms? Okay, so he proved that there was a problem with Twitter. But the other thing he showed was that he was irresponsible.

If you find a flaw in a piece of software or a website, you don't write a worm to exploit it, impacting thousands of innocent users. Instead, you should act responsibly, inform the affected company, and work with them to get the problem fixed.

Mikeyy Mooney may be skilled in some areas of computing, but there are many other talented people out there who have never shown such a disregard for established and accepted ways of reporting security flaws, and haven't shown such questionable judgement.

Mikeyy could have gained so much kudos, and proven that he was a responsible security researcher if he had acted more maturely.

Travis Rowland, the CEO and founder of exqSoft Solutions (by the way, I really have a problem with firms who insist on spelling their name with a lower case letter.. what's up with that?) had previously posted a public message to Twitter founder Biz Stone, asking that legal action should not be taken against the young hacker:

Twitter message from exqSoft solutions saying that Mikeyy Mooney did no wrong

Judging by other messages posted by Rowland, his hiring of Mikeyy Mooney is being used at the moment as a publicity stunt, and has got it some cheap exposure in the press:

Twitter message from exqSoft solutions publicising their hiring of Mikeyy Mooney

But let's think about this. ExqSoft Solutions are in effect encouraging other youngsters to behave like irresponsible idiots. The last thing we want is a wave of other kids exploiting software and websites in the hope that they might be rewarded with a job offer.

Thanks for nothing ExqSoft Solutions.

Do you think the firm was right to hire Twitter worm author Mikeyy Mooney?


Of course, Mikeyy Mooney isn't the first malware author to be offered a job after publicising their "skills" with an attack.

For instance, the author of the Anna Kournikova worm was told by his town's mayor that he would be welcome to work on their systems, the notorious teenager behind the Sasser and Network worms was hired by a security firm, and the creator of a Chinese worm which displayed pictures of pandas burning incense was offered a job by one of his victims.

* Image source: wonderferret's Flickr photostream (Creative Commons)

Tuesday, April 14, 2009

Beware of PowerPoint boobies traps

In just a few hours' time Microsoft will be releasing its regular monthly "Patch Tuesday" bundle of security fixes - this month including patches for critical vulnerabilities in the likes of Internet Explorer and Microsoft Excel.

But according to the advance bulletin the software giant issued on Friday, there is no sign of a Microsoft fix for a PowerPoint zero-day vulnerability that is being actively exploited in the wild.

As revealed earlier this month, hackers are crafting booby-trapped PowerPoint files that, when opened on a victim's computer, run malicious code without authorisation.

Once a PC has been infected by malware like a backdoor Trojan horse, hackers can gain access to the computer to steal information, to plant further malicious software, or to launch spam and denial-of-service attacks.

As is errmm.. illustrated on the blog of our friends at CA, hackers aren't afraid to use images of Asian women bathing to lure users into opening their "booby-trapped" PowerPoint files.

Of course, no-one wants Microsoft to rush out a fix for a newly discovered vulnerability without proper testing, but the question remains: when will people receive an official fix for the PowerPoint problem? Will they have to wait until the next Patch Tuesday, which isn't until 12th May? Or will it be determined that the problem is serious enough that a special out-of-band release should be issued?

While we're waiting, please be sure to patch your systems with the vulnerability fixes that Microsoft has released. If Microsoft thinks they're serious enough to publicise, they're important enough for you to protect against.

Monday, April 13, 2009

More Mikeyy worm madness on Twitter

What on earth is going on at Twitter?

That's the question that many people will be asking after the Easter break, following a wave of cross-site scripting worms that hit the micro-blogging site. After each attack Twitter said that it had resolved the problem, only for hackers to return hours later with another attack effectively rubbing Twitter's nose in it.

The latest cross-site scripting worm we've seen on Twitter urges the website to hire Mikeyy Mooney, the suspected author of at least the earlier attacks, and gives a phone number. Journalists who have spoken to 17-year-old Mooney have confirmed to Sophos that the phone number used in the latest worm messages is genuine.

Twitter hire Mikeyy!

We've chosen to obscure the phone number, although it is trivial for anyone to discover it if they search on the Twitter site for archived messages. If Mooney is responsible for the worms that have troubled Twitter and its many users today then the correct course of action is for the authorities to investigate - not for the internet community to take the law into its own hands.

Of course, it's understandable that some may feel very aggrieved by a worm messing with their Twitter profile settings but it's up to Twitter to decide if it wants to make a complaint to the police.

But the worm suggesting that Mikeyy could help Twitter out with its security problems wasn't the end of it.

How NOT to remove Mikeyy

Yet another cross-site scripting worm hit Twitter, pretending to be a link to removal instructions for the earlier attacks. Unfortunately, if you clicked on the bit.ly link you were redirected to an infected Twitter profile page, which - yes, you guessed it - would infect your profile too and continue the spread of the worm.

What's most alarming to me though is that it seems Twitter was caught with its pants down in the aftermath of all of these attacks. To be hit by one cross-site scripting worm may be regarded as a misfortune, to be struck three or four times over a weekend looks like carelessness.

Sunday, April 12, 2009

StalkDaily - Twitter users warn each other of worm attack

Thousands of Twitter users are warning each other about what appears to be a fast-moving attack affecting the system.

Affected Twitter profiles appear to be directing unsuspecting users to the website stalkdaily.com. (Please do not visit this site)

Curiously, a lot of Twitter users appear to be posting status updates all containing phrases such as:

Dude, www.StalkDaily.com is awesome. What's the fuss?

and

Virus!? What? www.StalkDaily.com is legit!

That last one is particularly sneaky, as it appears to try and discredit the genuine warnings that have been spreading through the micro-blogging site.

Dude, StalkDaily is awesome. What's the fuss?

Ironically, some Twitter users have compounded the problem by posting warning messages about the StalkDaily website on the network, giving a live link to the suspicious website in the process.

Twitter has responded by shutting down the @StalkDaily profile, claiming it has shown suspicious activity, and has reset passwords of Twitter users who it believes have been hit.

Twitter's anti-spam operations comment on StalkDaily

If you believe you may have been affected by this latest attack, don't just change your Twitter password - make sure you change your credentials on any other site where you may have been using the same password.

Of course, this isn't the first time that Twitter users have suffered an attack. Last month, fans of the popular micro-blogging site, were barraged with messages being sent from compromised accounts trying to drive traffic to a pornographic website called ChatWebCamFree.

We'll post more information as it becomes available. Obviously, in the meantime, it would be wise not to click on any links directing you to StalkDaily.com.

StalkDaily update

Some more information is beginning to emerge about the attack.

The hackers behind the attack planted an additional script into users' profiles alongside the StalkDaily link, meaning that you could become infected just by viewing an infected user's details.

You can read more about this in this blog entry by Damon Cortesi.

Denial by StalkDaily.com

For their part, Twitter has confirmed that what occurred was a cross-site scripting (XSS) attack, spreading links across the system without users' consent. The site has reassured users that they have taken steps to close the holes that allowed the worm to spread, and that "no passwords, phone numbers, or other sensitive information were compromised" as part of the attack.

In the latest development it is being reported that a 17-year-old man called Mikeyy Mooney has claimed responsibility for the attack.

Although StalkDaily originally denied any involvement in the attack with a statement on their website, this was later replaced with an admission that a newspaper interview with worm creator Mikeyy Mooney was genuine.

Revised statement on StalkDaily.com website

Saturday, April 11, 2009

Bogus lottery letter ring busted by UK police

Normally this blog focuses on computer-related threats, but postal lottery scams are a menace that is particularly worth considering if you have elderly or vulnerable family members.

Although many of us are all too accustomed to receiving their email-based cousins on a regular basis, I was driven to think of lottery scams arriving via the regular post after reading the news that police have recovered more than half a million pounds after raiding a house in the UK county of Somerset.

Scammers were in line to earn over £35 million a year if their scam operation had not been busted, according to officers at the Serious Organised Crime Agency (Soca). Payments worth over half a million pounds were recovered and are being returned to 22,000 people who fell for a fake lottery winning notification sent via the regular mail.

You may think that the people who fell for their scam were idiots and deserved to lose money, but I think it's more likely that many of them are elderly and vulnerable. Ask yourself this, how would you feel if it was your ageing grandfather who was conned in this way?

Computer software can't help fight against scammers fleecing the vulnerable when it's not happening via the net. As I've discussed before, we all need to play our part in protecting those around us who might be most at risk of being conned.

By the way, according to BBC News, the masterminds behind this particular scheme are said by Soca to be overseas and beyond the jurisdiction of the UK authorities. Who knows which country they will target next.

Friday, April 10, 2009

Many PCs still not patched against Conficker vulnerability

Endpoint assessment icon

Scott Lewis in our Columbus office has been doing some number crunching, and has come up with some disturbing statistics after examining the data produced by Sophos's free endpoint assessment test.

The Sophos Endpoint Assessment Test is a free tool that scans a computer and assesses whether it is a security risk to your organization. A single scan checks that your Microsoft service pack is the current one for your operating system, your Microsoft patches are all up to date, anti-virus protection is installed, running and current, and that a personal firewall is installed and running.

Scott examined the results for all users who took the test since January 1st 2009 to date, and found that 11% of the users did not have the Microsoft MS08-067 patch installed which can, amongst other things, help protect against the spread of Conficker.

Scott assumed that over time the percentage would drop dramatically due to the huge amount of press and publicity regarding Conficker in the last few months. However, his assumption appears to have been incorrect.

For the month of March 2009, 10% of all users who have used our free Endpoint Assessment Test are missing the essential Microsoft patch. That's despite all of the newspaper headlines, and despite the fact that the patch has been available since October.

That's pretty depressing news. Of course, we can't extrapolate this to mean that 10% of all PCs around the world aren't running the Microsoft patch, but it certainly tells a sorry story for a notable percentage of those who took our test. It appears that the percentage of computers (I refuse to call them endpoints.. I mean, who ever talks about "booting up their endpoint?") not patched against the exploit used by Conficker is holding steady.

If you're in charge of a large number of computers inside your business, then maybe statistics like this will remind you that there's a strong case for better patch vulnerability assessment/remediation alongside Network Access Control (NAC).

If you haven't already done so why not take Sophos's free Endpoint Assessment Test yourself?

And, of course, if you are infected by the Conficker worm now would be a very good time to download a free Conficker removal tool.

Thursday, April 9, 2009

Fixing a hole? Paul McCartney's website hacked

Paul McCartney

I have been on holiday for a couple of days, so sorry if the Clu-blog has been a bit quiet.. but I thought this story was worth a mention.

Paul "Thumbs aloft!" McCartney has had his website hacked according to media reports.

The Fab one, known to his millions of fans as "Macca", apparently had his website fall foul of obfuscated JavaScript that was designed to spy on computer users as they went about their online banking.

Intriguingly, the hack occurred shortly after McCartney made a rare appearance onstage alongside fellow Beatle, drummer Ringo Starr. It wouldn't be too far fetched to imagine that the hackers may have deliberately timed their attack to capitalise on interest in the former moptops.

McCartney, widely considered to be the best drummer in the surviving Beatles, is of course not the first world-famous brand to be hit by a website attack. Previous examples have included the likes of Sony PlayStation.

Everyone needs to remember that the old days of only getting infected if you visited the seedy areas of the internet are long gone. You can be visiting a legitimate, well-known company's website, or that of a celebrity like Paul McCartney, and still fall foul of an infection.

So, if you own a website - big or small - make sure you are doing everything to keep it as secure as possible. If you haven't already done so, read this informative paper by SophosLabs, "Securing websites", which covers some of these issues.

And if you're just a humble web surfer, or look after a company with many people surfing the internet, make sure that you are properly defending them from these kinds of attacks with a comprehensive web security solution.

Tuesday, April 7, 2009

Julie Christie supports NASA hacker Gary McKinnon

Julie Christie

Legendary actress Julie Christie has followed in the footsteps of celebrities such as Sting, Boris Johnson, Terry Waite, Pink Floyd's David Gilmour, and Marillion's keyboard player by supporting hacker Gary McKinnon in his fight to avoid extradition to the United States.

Janis Sharp, the mother of Gary McKinnon, posted on Twitter that the Oscar-winning actress famous for her roles in films such as "Dr Zhivago", "The Go-Between" and "Far from the Madding Crowd", was lending her support to the campaign.

It's hard not to feel some sympathy for McKinnon's plight. After all, he doesn't appear to have very much in common with the organised financially-motivated cybercriminals that firms like Sophos are protecting companies against most of the time.

Furthermore, it would seem utterly out of proportion if he was punished severely for what appears, from what has been heard so far, to be an interest in UFOs and conspiracy theories rather than a desire to undermine systems.

Gary McKinnon has received much more support in the IT community than the typical hacker. Indeed, we ran an online poll in February which found 67% of the 245 people we surveyed believed he should not be extradited. When you consider that the typical visitor to our website is normally involved in securing their company's systems from hackers that's a pretty strong endorsement.

Monday, April 6, 2009

Real estate agents accused of hacking into rival's account

Three estate agents (known as realtors in the United States) have been charged with hacking into a rival's account in Rockingham, North Carolina.

Between March 1st and March 20th, three agents with RE/MAX Tri City Realty of Rockingham are accused of illegally accessing a Hotmail email account belonging to Nicole Hayden of rival firm Exit Realty. Two of the accused agents, Jamie Moss-Godfrey, 43, and 40-year-old Kim Dawn Whitley, are listed as the owners of RE/Max Tri City Realty.

The alleged victim, realtor Nicole Hayden, was described by journalists as still being in shock.

The website of real estate agent Nicole Hayden

Whether you're a business small or large, or just use a computer for personal use, you must take proper care of information security to ensure that your usernames and passwords remain private, and don't fall into the wrong hands.

The true facts in this case are still to emerge, but there have been incidents in the past where companies have used the tactics of cybercriminals to spy upon their commercial rivals and try and seek an advantage. As competition gets stiffer and we see more firms struggling during the credit crunch we shouldn't be surprised if we see workers in some firms break the law to keep their necks above water.

What people need to realise is that unauthorised access of someone else's computer system is a crime, and can carry stiff penalties. It may feel quite different to type in someone else's username and password into a PC than to break into an office in the dead of night to rifle through their filing cabinets, but it's still against the law.

Saturday, April 4, 2009

Conficker headline competition - we have a winner!

Thanks to everyone who entered the Conficker news headline competition I was running earlier this week.

Here's just a few of the entries:

  • Conficker: world's greatest April Fool's joke or 'digital Pearl Harbor'?
  • Conficker: Doomsday or Rickroll?
  • Brainy worm might jack the world's PCs
  • Virus threat to 9 million computers: Will your PC be hijacked on April 1?
  • Conficker - The Paris Hilton of Botnets
  • Conflicker virus expected to hit bank accounts from April 1
    (hey, at least get the name of the virus correct)

and I'm a bit disappointed that no-one submitted this inspired headline from CNet:

  • The Dancing Woz eliminated--Conficker to blame?

But, of course, I had to choose a winner and here it is:

Tick. Tick. Tick. Time bomb virus to go off in hours

Congratulations to Brian from the Datacenter at California State University San Bernardino for submitting the "Tick. Tick. Tick" headline (some others submitted it too, but Brian was first).

I must admit that my vote was swayed a little by one of the other headlines:

  • Man charged with drunk driving on bar stool

Fact fans may be interested to know that Brian, who takes a medium-sized T-shirt, works as a Systems Administrator at the university, helping out with end user support.

Thanks to everyone once again for taking part in the competition. We'll do another one again soon.

Friday, April 3, 2009

What web browser do security-savvy folks use?

Web browser stats for visitors to Graham Cluley's blog

Angela Moscaritolo reported in SC Magazine last night that Internet Explorer's market share has dropped considerably in the last 12 months.

Who's eating away at Internet Explorer's chunk of the browser market? Firefox, Safari and Chrome it seems, according to the statistics produced by Net Applications.

Net Applications have still put Internet Explorer in a comfortable first place at 66.8% to Firefox's 22%, but it does seem that Internet Explorer's popularity is on a steady decline.

I'm pretty interested in this, so I thought I would look at the statistics for people who come to the Clu-blog.

I would argue that you would expect people visiting this blog to be more aware of security issues than the typical person in the street, so it's interesting to see what that threat-conscious audience is running as their browser.

And it reveals something quite significant.

As you can see in the graphic, Internet Explorer and Firefox are just about neck-and-neck when it comes to visitors to this blog with 41.70% and 41.07% respectively.

Why is this interesting to us? Well, so much malware is distributed via the web today, and one of the tricks that hackers use when trying to infect your computer is to exploit vulnerabilities in the software running on your PC or Mac.

Although there are plenty of attacks which use social engineering to fool you into making a bad decision - and these typically don't rely upon a software security hole - we're seeing constant evidence that hackers are not just targeting Internet Explorer users. As more and more users switch to alternative browsers like Firefox, we're likely to see even more cybercriminals hunt for holes in that software which they can use to infect your computer.

So, don't make the mistake of thinking that by not using the "default" web browser, PDF viewer or operating system you're somehow immune to attacks. There may be fewer arrows being fired at you at the moment, but it's still going to hurt if you get hit.

Thursday, April 2, 2009

Data leakage double time

The Sydney branch of SophosLabs has discovered an interesting phishing campaign against a local bank today. Interesting because it carries a double whammy for any unsuspecting soul dragged into it.

The first contact from the phishers arrives in the tried-and-tested traditional way, as an email. Here are its characteristics:

Subject: 1 new message
From: "ANZ"

The message body contains a link which brings up a fake logon page for Australian financial institution ANZ, inviting donations to the Bushfire Appeal.

Fake ANZ bank page

If you make the mistake of entering your username and password at this point it will be posted to a web server in Italy.

The double whammy here is that the Italian server hasn't been secured properly, so any username and password you enter is not only uploaded to the cybercriminals, but subsequently open to anyone with a web browser. Ouch!

There's a silver lining, however, to this particular phish. When SophosLabs examined a selection of the usernames and passwords logged on the server it became obvious that few had actually fallen for it.

Indeed, many of the "usernames" are actually suggestions for err.. activities which the cybercriminals might wish to undertake, destinations for journeys they might wish to make, or fates which might befall them. :)

All very amusing - but I would advise against playing "phishing roulette" by knowingly visiting phishing websites to see what happens. Although it can be tempting to leave abusive messages for the phishers, you can't tell in advance whether the phishing page might also be using an exploit or drive-by installer designed to infect your PC.

Check out the SophosLabs blog for more information on this phishing attack.

Wednesday, April 1, 2009

So, who did hype up Conficker?

Charles Arthur has written a curious piece on The Guardian website this morning: "Antivirus companies' worst fears realised as Conficker does... nothing".

Charles argues that it was some parts of the anti-virus industry that started the panic, but unfortunately doesn't give any examples so we don't know who to lynch.

I actually think most of the computer security industry was remarkably reserved and sane during the build-up to Conficker, reminding people that there was no guarantee that the worm would do anything noticeable at all and that it was quite prossible ("prossible" is a combination of the words "probable" and "possible") that hackers wouldn't give Conficker-infected PCs any new instructions.

In fact, in my own experience, it has been some of the newspapers and media organisations who have been guilty of dreaming up apocalyptic headlines and the security vendors who have been pouring the cold water.

Conficker's hysterical headlines

Quite often when you dug down into the article, past the hysterical headlines, you would find a member of the computer security industry downplaying the significance of the April 1st date, and actually saying something quite sensible.

Of course, as I've been saying all along, the people behind Conficker could choose any day to instruct it to do something malicious - there was nothing which made it more likely on April 1st. So removing Conficker is just as necessary today as it was yesterday, and will be tomorrow.

By the way, if you have seen a crazy Conficker-related headline do enter the competition I'm running. I'll announce the winner on Friday.