The RDV Group InfoSec Blog

Thursday, March 30, 2006

New Trojan Named rootkit.hearse

Sana Security was apparently the first to discover a new Trojan rootkit, which they named "Hearse", that sends financial info back to a central server. You can read about it on their site here (pdf).

Evidently the "... malware components work together to capture user information by discovering passwords previously used on the machine. The Trojan communicates with a server where the stolen information is stored. The Trojan is hidden through the rootkit technology and survives reboot, meaning it remains on the machine indefinitely. Types of information that can be compromised include bank accounts, email logins, and insurance information."

Sana has some great screen shots of the bug. It's not a keylogger, but works a little differently: "... The Trojan does not rely on capturing keystrokes. Instead, it finds previously used account and password information, in particular through the Internet Explorer autocomplete feature. The types of information include any transaction that requires an account: banking, online auctions, insurance, airlines, etc."

The potential for big losses is great, as Sana says: "... Rootkit.hearse has been active since March 16th, ... The logs contain almost 40,000 records of user account information, spanning 6,500 sites... Sana Labs estimates the number of unique accounts at 20,000."

This is the face of phishes to come. On this blog I've referred to how sophisticated the malware writers/distributors are becoming. While regular virus vandals and spoofed web pages are slowing down, the phishers are getting smarter and more mercenary.

For more info on Sana Security Advisories, look here. And for the latest security news, always go to the RDV Group's RSS Security News Reader.

My interview on BusinessWeek TV

... will be broadcast this weekend (4/1-4/2), on BusinessWeek Weekend. I was interviewed about a phishing exploit that's just starting to hit some major financial institutions and costing in the millions. Next week's BusinessWeek magazine will have an article about the phish, but the TV show will have an advance piece.

Here in the NYC metro area, BusinessWeek TV airs Sunday AM at 11:30 on channel 7, WABC. To find out the times in your area, Business Week has a zip code finder on the web that locates stations that nationally syndicate the program.

I haven't seen it yet, and some of you will see it before I can, so I can't promise how much of me will be on the air vs. the cutting room floor.
Although the NYC air time is fine, BWTV airs at some pretty odd times in other markets, owing to its syndicated nature. You might want to tape or TiVo it.

I'll have more later about this interesting exploit...

Tuesday, March 28, 2006

IRS warns taxpayers to beware ID theft scams

It's that time of year, and the AP reports on the latest IRS warning to avoid tax-related phishing scams. A variation on the old email phish, these e-mails are "... purporting to come from the IRS (and) often tell taxpayers they're due a refund and direct them to a false IRS Web site. The e-mail address may include "," such as or"

If you practice safe computing these phishes aren't too dangerous. As with legitimate financial institutions, the IRS simply doesn't do business this way: "... The IRS does not communicate with taxpayers via e-mail, nor does the IRS ask people for passwords, personal identification numbers or other secret information about financial accounts."

But with all the problems with privacy violations by tax return preparers, exorbitant interest rates on "instant refunds", and re-sale of your personal information to third parties by the IRS, this is another in a long list of irritants that make April 15 an even bigger pain.

Saturday, March 25, 2006

Illinois Man Fined For Piggybacking On Wi-Fi Service

It's getting tougher to piggyback on Wi-Fi.

Yahoo recently noted that "...David M. Kauchak, 32, pleaded guilty this week in Winnebago County to remotely accessing someone else's computer system without permission ... a judge fined Kauchak $250 and sentenced him to one year of court supervision."

Evidently it's a precedent: "... Kauchak has the dubious distinction of being the first person to face the charge in Winnebago County, and prosecutors say they're taking the crime seriously. "We just want to get the word out that it is a crime. We are prosecuting it, and people need to take precautions," Assistant State's Attorney Tom Wartowski told the newspaper."

The bust is interesting: "A police officer arrested Kauchak in January after spotting him sitting in a parked car with a computer. A chat with the suspect led to the arrest, Wartowski said."

I know piggybacking can be problematic, as I mentioned here, but I think this is kind of crazy.

Monday, March 20, 2006

Good Article on Phishing

Crystal Ferraro recently posted this article on about recent Phishing targets. It was originally a white paper she presented at the RSA conference last month, and posted this excerpt on 3/17. I have a short quote in the article, which is intended to convey the extent to which phishers are getting more sophisticated and efficient.

Ed Skoudis does a great job of explaining some of the latest trends: "[Attackers are] getting better at making the keystroke loggers difficult to find," Skoudis said. Some are embedded with rootkits, or they attack antivirus and antispyware tools. Some spyware and other malcode purposely try to foil their own analysis to buy time..."

I have more on keyloggers here and here...

Wednesday, March 15, 2006

Keylogging Basics Part II

We looked at keylogging a little bit in Part I; let's continue (excerpted from "Phishing: Cutting the Identity Theft Line").

"Once installed on the target machine, either direct through interaction with the user, or through a more stealthy means, the keylogger program runs continually in the background. After the keystrokes are logged, they can be hidden in the machine for later retrieval or transmitted to the attacker via the Internet. The attacker then examines the reports for passwords or information that can be used to compromise the system or engineer an attack. A keylogger may reveal the contents of emails composed by the victim."

"Some rare keyloggers include routines that secretly turn on video or audio recorders, and transmit what they capture over your Internet connection. Other products capture screens, rather than keystrokes. However, most criminal keyloggers are hoping to steal bank account numbers or other financial data."

“A software keystroke logger program does not require physical access to the user's computer. It can be installed intentionally by someone who wants to monitor activity on a particular computer or downloaded unwittingly as spyware and executed as part of a rootkit or a RAT.”

“A rootkit is a collection of software tools that a cracker uses to obtain administrator-level access to a computer or computer network. The intruder installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. The rootkit then collects userids and passwords to other machines on the network, thus giving the hacker root or privileged access. A rootkit may consist of utilities that also monitor traffic and keystrokes, create a "backdoor" into the system for the hacker's use, alter log files, attack other machines on the network, and alter existing system tools to circumvent detection.”

I'll bring more later...

Thursday, March 09, 2006

PINs Aren't a Magic Bullet

Bob Sullivan, a top expert on identity theft, has a dead-on piece in today's (03/09) MSNBC Tech & Sci Security area. There are some interesting exploits afoot using what was previously thought to be a secure technology: pairing your ATM card with its PIN.

He and I have discussed this issue, and think there are interesting ramifications re: what I call "residual data". That is, all the little places personal data (in this case the PINs) can hide and resist scrubbing. Commonly called "data remanence" (you CISSP'ers know this term), it's like owning a home: water is getting in somewhere, and it's not obviously coming in from where it looks like it is.

You CISSP'ers also know the drill: two-factor authentication is a combination of "something you have", the ATM card, with "something you know", a password or a PIN. But the PINs are supposed to be sacrosanct, and now we know they're not.

From Bob's article: "... The incident calls into question the security of the four-digit code that for years has made PIN-based transactions less subject to fraud than signature-based credit card transactions. 'This is the absolute worst hack that has happened, the biggest scam to date,' said Gartner analyst Avivah Litan."

Maybe it's from one source: "... In each case, the banks have blamed a third-party company — in some cases, more specifically identified as a merchant or retailer. Speculation has been rampant that the source of the stolen data is office supply store OfficeMax, starting with an article last month in the San Francisco Chronicle indicating 200,000 account numbers had been stolen from the firm. OfficeMax denies it's to blame."

But it's beginning to look like it's not: "... many merchants incorrectly store PIN information they should be destroying after customers enter the secret code on PIN pads in stores around the country. While the information is often encrypted into something called a PIN block, the keys necessary to decrypt the information are often stored on the same network, she said. That makes stealing the PINs as easy as breaking into an office computer using a password a careless employee has taped to the screen."
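To make the "PIN block" concrete, here is an added example (mine, not from Bob's article or any of the parties it names) of the ISO 9564-1 format 0 encoding that PIN pads use: the PIN is padded, XORed with part of the card number, and only then encrypted under a PIN encryption key. The encryption step is left out; the point is that the block underneath is a reversible encoding, so anyone who holds the decryption key and the transaction's PAN gets the PIN back with the decode function below. The PAN and PIN values are constructed test data.

```python
# ISO 9564-1 format 0 PIN block: PIN field XOR PAN field, 8 bytes each.
# Added example, not code from the article. PAN/PIN values below are constructed.

def pan_field(pan: str) -> bytes:
    """Four zero digits + rightmost 12 PAN digits, excluding the check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])

def pin_field(pin: str) -> bytes:
    """Control nibble 0, PIN length nibble, PIN digits, then 'F' padding to 16 nibbles."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))

def encode_pin_block(pin: str, pan: str) -> bytes:
    """Clear format 0 PIN block; real terminals encrypt this before it leaves the pad."""
    return bytes(a ^ b for a, b in zip(pin_field(pin), pan_field(pan)))

def decode_pin_block(block: bytes, pan: str) -> str:
    """Recover the PIN from a clear block. Needs the same PAN the block was built with:
    the padding check fails for the wrong PAN, which is why a stored PAN beside a
    stored block (plus the key) is the whole game."""
    field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    n = int(field[1], 16)
    if not 4 <= n <= 12 or field[2 + n:] != "F" * (14 - n):
        raise ValueError("bad padding: wrong PAN or corrupted block")
    return field[2:2 + n]

if __name__ == "__main__":
    pan, pin = "4321432143214321", "1234"          # constructed values
    block = encode_pin_block(pin, pan)
    print(block.hex().upper())                      # the 16 nibbles a PIN pad would encrypt
    print(decode_pin_block(block, pan))             # trivially back to the PIN
```

Once the encrypted form is decrypted, nothing else stands between the record and the cardholder's PIN; the protection lives entirely in where that key is kept, which is exactly the co-location problem the article describes.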

And here's where the data remanence comes in: "...The software is storing PINS just because it can. No one is paying attention to this stuff, it's deep in the software..."

My wife knows this exploit, because she was a victim over the holidays. Her credit card and ATM card were stolen, and to her surprise, it was no problem to drain the $ out of her checking. The PIN was absolutely no barrier to the thief.

UPDATE: Bob was on NBC Nightly News tonight (03/09) to discuss this problem further. We definitely haven't heard the last of this yet.

Porn Billing Leak Exposes Buyers

Quinn Norton of Wired has a post today (03/09) that probably sends shudders down the spine of many of my friends: "Seventeen million customers of the online payment service iBill have had their personal information released onto the internet, where it's been bought and sold in a black market made up of fraud artists and spammers ..."

Norton goes on to say that the compromised information was intentionally stolen, not lost through incompetence, and Wired got a look at it: "... The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included."

If credit card #s are not included, as Wired says, that's good. But the troubling thing about this loss is that it may have been perpetrated by the foundering company (or someone in the company) that was custodian of the data: " ... the company's troubles may have left them vulnerable to information embezzlement: The breach, they say, has all the markings of an inside job. The files appear to have been generated by exporting an SQL database into a CSV format -- a procedure that would be unusually extravagant for a quick, furtive hack attack.

"Moreover, at 4.5 gigabytes in size, the larger file would have been tough to download unnoticed over iBill's internet connection. Thomas speculates that an employee or other insider may have simply walked out of iBill with the transaction records to sell on the data black market."

The list is being used by spammers, and may be used for identity theft.

Be careful where you leave your personal info! And don't expect integrity from porn sites!

UPDATE: Keith Olbermann referred to this story as the #1 article on "Countdown" tonight (03/09), and made a funny: "Remember to keep it in your pants. ..Your credit card, that is."

The Danger of Wireless Piggybacking

Michel Marriott had an excellent article in the NY Times on Sunday (03/05) about the growing phenomenon of "wireless piggybacking", using someone else's wireless router to jump on the Internet: "... Piggybacking, the usually unauthorized tapping into someone else's wireless Internet connection, is no longer the exclusive domain of pilfering computer geeks or shady hackers cruising for unguarded networks. Ordinarily upstanding people are tapping in. As they do, new sets of Internet behaviors are creeping into America's popular culture"

The hacker magazine 2600 frequently has pieces about wireless hacking, and one writer says that he often changes the default admin password after attaching to the router to prevent the real owner from disconnecting him later. Although this is easy to remedy through resetting the router to its default state and applying MAC address filtering, it shows how the proliferation of these devices has outstripped the ability of the common owner to control them. The admin password is easily found on the web, say by downloading a pdf of the manual for the router, and is the first thing the owner of the router should change when installing.

I admit I'll jump on my neighbor's Linksys when I'm having trouble with my router; the signal is weak but usable (remind me to tell him how to configure filtering on it some day). And there is a movement to allow free wireless access, not just in coffee shops, but in whole cities, like Cambridge and Philadelphia (I'll have a post about how to protect yourself while using public Wi-Fi later). even provides a directory of free wireless "hot spots": " ...The Wi-Fi-FreeSpot Directory is a listing of Wi-Fi enabled locations that offer Free Wireless High Speed Internet Access. USA State-by-State listings come first with Europe and other regions of the World listed further down the page.."

But a larger, more problematic issue arises from wireless piggybacking. Mr. Marriott briefly touches upon the issue in one paragraph: " ... savvy users could piggyback into unprotected computers to peer into files containing sensitive financial and personal information, release malicious viruses and worms that could do irreparable damage, or use the computer as a launching pad for identity theft or the uploading and downloading of child pornography."

But this needs to be really emphasized, because here's the rub: there is no way to convince the government that it wasn't you who accessed the pornography or terrorist site. Or the RIAA that it wasn't you downloading the latest hit music or video.

And especially now that the Justice Department wants to know what you're Googling, you really can't legally afford to let unknown parties surf the web through your router.

If determined hackers want to use your router, they'll be able to no matter what you do. An $89 Wi-Fi router from CompUSA is not going to have strong security, but please at least change the admin password and set up MAC filtering.

Monday, March 06, 2006

My PC is slow!

I just got an email from a friend who works for a major metropolitan newspaper. Her boss is having PC problems, and asks for a bit of help:

"... My new boss mentioned this morning that his old computer is all clogged up and moving very slowly. So he's going to get a new, updated computer. In the past when he has switched computers, he has just had system support move all his stuff onto the new computer. But this time he is wondering if that will simply clog up and slow down his new computer. Do you have any general advice I could pass along to him? For example, I wondered if he should just put all the old stuff on CD's. Or are there any tricks to get the important documents to switch over without the viruses and spyware?..."

I thought I'd post my response, because I think it has useful info:

" ... Above all, anything he does with the PC needs to be okayed by systems. The company owns the PC and the data on it, and if he does anything I recommend here and the data goes poof, he might be in violation of employee computer-use compliance policies. These policies may seem counter-productive, but they are usually there for a reason.

If, on the other hand (and this is more likely), systems doesn't really care what he does with the PC as long as it doesn't result in more work for them, or they don't have any kind of policy about this, he should think about a couple of things. PCs slow down primarily for just a few reasons:

1) The PC has spyware or viruses intercepting processes and hogging resources;
2) The amount of data stored on the PC is growing; large email attachments (video/music) especially can do this;
3) The file allocation links are fragmented throughout the hard drive, slowing performance by making the drive work harder to find all the related pieces of data on the drive.

The solutions to these three are:
1) Virus and spyware removers. Systems must have recommendations to make. You probably have decent email virus scanning and virus protection included in the company's standard PC build. If not, the usual Symantec or McAfee work fine. A good, free spyware remover is Ad-Aware Personal.

2) You make a good suggestion to clear off old data. If he has a CDR or CDRW burner he should clear off as much old junk before the move, by burning to the CD then erasing from the PC (empty the trash, too). He needs to be careful, however, to be sure he knows what files he's removing and not Windows systems files or the like.

3) Symantec System Works has a good Disk Optimizer that should be run occasionally (monthly). Microsoft has a defragmenter built-in to the OS also, which isn't very good but is free. Caveat: don't turn off or lose power during the defrag process; you may lose everything.

One important point about #3: if systems is backing up and restoring his old data to a new PC, the disk will be optimized anyway by the nature of the migration, and probably won't need it on the new PC anytime soon.

Another point is that we eventually get used to the newer, faster machine, and if the slow-down isn't dramatic, we're probably just jaded..."

Now I know there's a lot of back and forth about which virus scanner or spyware detector is better. The point is that any of these are better than not having any at all, and corporate systems will most likely have a standard to follow.

Thursday, March 02, 2006

Republican Spyware?

Minnesota Public Radio had an eye-opening piece yesterday (03/01) about a GOP informational CD being distributed: "On Monday, the Minnesota Republican Party announced that it will send out CD videos on Friday to inform voters about the importance of a constitutional amendment to ban gay marriage."

So far so good. But it appears that there's an element to the CD that users may not know about: "It turns out the CD is also being used to add to the GOP voter database. Officials with the Republican Party say certain voter data is being collected by the party...
At the CD's unveiling, he (Republican Party Chair Ron Carey) never mentioned that the party is also using the video to collect information about those who view the video...It's not clear on the Republican CD that the data is being transmitted back to the Republicans, or even what other data about the user is being extracted and sent."

The CD is now coming under fire from privacy advocates: "Internet privacy experts say they're concerned that the party isn't telling the viewer that it's collecting the data and worry where the information will end up...
They argue that someone who submits a survey on those sites is actively providing information."

EPIC also has something to say: "Lillie Coney, the associate director of the Electronic Privacy Information Center in Washington, says the GOP CD should clearly indicate that the packet is not only a video on gay marriage, but a tool to collect voter data."

Spyware is often defined as software "... that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else."

Although the information gleaned may be used innocuously, it still qualifies as spyware.