Category: Malware

QR Codes: A Recipe for a Mobile Malware Tsunami

October 20th, 2010


Example of a QR code. Scan this and you’ll be taken to…?

QR codes are another way to connect people with content online. These small squares of black and white dots can be scanned with mobile devices like iPhones and Blackberries to quickly deliver the user to more information (“QR” meaning “quick response”). They’re most often found offline, in the “real world” in places like store fronts, in printed materials, and in advertisements. When you use your mobile phone or other mobile device to scan the QR code, it should bring you to online content about the product associated with the QR code.

As Gartner blogger Mark Raskino recently noted, Japanese consumers have been exposed to QR codes for some time, and the adoption of QR codes here in the west is growing. “Over the last 12 to 18 months, many major Western airlines have started to push mobile phone based Check-in services that also use matrix barcodes on mobile phones, to replace the paper boarding pass”, writes Raskino.

There are many consumer benefits to QR codes, but let’s stop and think about how an attacker might use them, and about the resulting risks to consumers.

  • Botnet operators wishing to infect mobile devices are likely to turn to the tried-and-true method of sending out millions of spam emails. However, instead of a photo or a graphic designed to get naive consumers to click on it (“Like pictures of Britney Spears? Click the image below for more!!1!1!!”), we can expect to see QR codes used maliciously (“Download the new Twitter app onto your phone! Just scan the QR code below!”).
  • If a large, global corporation wants to neutralize the market advantage of a competitor, a dummy corporation with false contact information could easily be set up; this dummy corporation then takes out an alluring advertisement in a local magazine or publication that is likely to be read by an educated labor force in the region near the competitor’s facilities. The advertisement contains a QR code that, when scanned, sends the end user’s mobile device to a website with enough superficial information matching the original print advertisement not to arouse suspicion, while in the background mobile malware is installed on the user’s device. This malware can in turn infect home or work computers that the mobile device is later plugged into.
  • Most of us know we should not access wifi hotspots titled “Free Public WiFi”. But what about a mall parking lot on the day after Thanksgiving that is peppered with flyers containing a QR code reading “Get a free hot cocoa with your holiday shopping receipt! Just scan this QR code!”. Of course, there’s no free hot cocoa on the way, just a mobile malware drive by download.
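
The common thread in the three scenarios above is that a QR code carries nothing but a short string, and the reader app decides what the phone does with it: open a URL, join a Wi-Fi network, dial a number. The following is an added example, not code from this post, showing the kind of triage a security-minded reader app (or a cautious user with a text-only decoder) could apply to the decoded string before acting on it. The shortener list, the executable-extension list and the sample payloads are constructed for the example and are not from the post.

```python
"""Triage the text decoded from a QR code before letting the device act on it."""
import re
from urllib.parse import urlparse

# Assumption: short illustrative lists, not authoritative ones.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd"}
EXECUTABLE_EXT = (".exe", ".apk", ".jar", ".cod", ".scr", ".msi", ".sis", ".sisx")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def url_warnings(url):
    """Return human-readable reasons to distrust a URL decoded from a QR code."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    warnings = []
    if u.scheme != "https":
        warnings.append("not HTTPS")
    if u.username is not None:
        # http://trusted.name@real.host/ shows "trusted.name" first but connects to real.host
        warnings.append("userinfo before host; real host is " + host)
    if IPV4_RE.match(host):
        warnings.append("bare IP address as host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host, check for lookalike domain")
    if host in SHORTENERS:
        warnings.append("URL shortener hides the destination")
    if u.path.lower().endswith(EXECUTABLE_EXT):
        warnings.append("direct download of an executable")
    return warnings


def triage(payload):
    """Classify a decoded QR payload and list the reasons to be suspicious of it."""
    text = payload.strip()
    lower = text.lower()
    if lower.startswith("wifi:"):
        # ZXing-style WIFI:T:<auth>;S:<ssid>;P:<password>;; payload
        return {"kind": "wifi", "warnings": ["joins a network chosen by whoever printed the code"]}
    if lower.startswith(("tel:", "sms:", "smsto:", "mailto:")):
        return {"kind": lower.split(":", 1)[0], "warnings": ["can dial, text or mail on your behalf"]}
    if lower.startswith(("http://", "https://")):
        return {"kind": "url", "host": urlparse(text).hostname, "warnings": url_warnings(text)}
    return {"kind": "text", "warnings": []}


# Constructed sample payloads in the spirit of the scenarios above (not from the post).
SAMPLE_PAYLOADS = {
    "twitter app lure": "http://twitter.com@203.0.113.9/twitter.cod",
    "hot cocoa flyer": "WIFI:T:WPA;S:FreeMallWiFi;P:cocoa;;",
    "plain promo": "https://www.example.com/promo",
}

if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        print(name, "->", triage(payload))
```

The "twitter app lure" payload trips four warnings at once (plain HTTP, a decoy name before the real host, a bare IP address, and a direct executable download); the point is that none of these is visible to a user who just scans and taps.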

Consider the following two photos which contain a large QR code pasted on to a sign warning drivers of nearby construction. The sign happened to be found by the author in between drafts of this Cyveillance blog post. Below the QR code it reads, “Using a smartphone, Download ZXING, Scan and Open Browser, Get 10 Free Itune [sic] Songs”.



A flyer containing a QR Code pasted on a local sign. (QR Code modified in this image to prevent it from working).



Note the incentive of 10 free “ITune” [sic] songs for scanning this QR code. (QR Code modified in this image to prevent it from working).

While ZXING appears to be software that allows smartphones to read QR codes, and should not be harmful to one’s mobile device, the QR code shown above simply delivers one to a politically-oriented news website. (There were, not surprisingly, no “ITune” songs upon arrival.)

Despite years of internet security experts reminding users to not click links they do not trust, users continue to click links in email and on websites without knowing where they will take them. While QR codes are not as familiar to most end users today, their use is on the rise. They may never become a mainstay of malware distribution, but it is reasonable to expect malware distributors and other attackers at a minimum to experiment with QR codes, especially while consumers are still learning about them.

Until the message of pervasive online threats really hits home and consumers always think before clicking whatever is put in front of them, we still have a big problem on our hands. Given that data from 2009 shows that approximately fifteen percent of drivers still don’t use a seat belt, a situation with life or death consequences, we probably still have many years to go before lessons about safe internet browsing really take root.

Cyveillance Releases Cyber Intelligence Report for 1st of 2010

October 11th, 2010

For more information or to download the report, please visit this press release.

A Closer Look at AV Detection Lag-times

August 10th, 2010

The recent report from Cyveillance regarding AV detection lag-time rates has sparked some interesting responses and we welcome the discussion around the ever increasing threats on the Internet. Specifically, Randy Abrams raises several interesting critiques about the methodology used in our report. The first weakness (in his view) is that ESET sees a lot more malware than we do at Cyveillance. This point may be true, though, in fairness, the paper was very clear about the “threats” covered, which is not “all malware”. It is the Web-borne malware that Cyveillance predominantly sees being distributed and installed (without user consent i.e. by exploit/drive-by install) in real time as we visit live, infected and malicious Web pages on any given day. Of those threats, the results are accurate. While this may be less malware in a day than all the samples ESET analyzes, it is representative of the kinds of Web-delivered threats that users encounter as they surf the Web, click on links, download content, on that given day. We find it by emulating real user web surfing behavior.

The second point, and much more important, Randy raises as a flaw is that our methodology relies on the leading brands in the industry to say what is and isn’t malware. (I should note this is an admirable criticism to raise, since, at least within the specific lens used in our study, Randy’s company fared the best and may very well be the leading brand in the industry.) Still it is a methodological choice we had to make. We made it partly for objectivity and because if we relied solely on our own analysis of “what it does”, we would expect the industry response to be a chorus of “but what does Cyveillance know about analyzing malware? They’re not an anti-virus company!”

One key point we feel many readers of the paper may have missed is that this study was intended to illustrate detection lag times by the leading AV companies. If you read the paper thoroughly, you will see that the lag-time statistics in Figure 3 show how long each vendor took to recognize the things that vendor itself eventually identified as malware; i.e. the final chart displays the lag time between when we were infected with a piece of malware in the wild (by a nasty Web page, malicious Tweet, PPC link or whatever) and when that vendor eventually recognized the threat.

Randy’s complaint appears to say “you shouldn’t call something malware and penalize me for having missed it because my competitors call it malware and I don’t. Maybe I’m right and they’re wrong”. This is a fair comment. However, the central point of this study is to say that, “we’re not comparing you to the other guy. What the paper is actually saying is ‘for the things you, yourself said are malware, you didn’t say so until X days or weeks after I got infected with it.’” That was the point of the study.

Regardless of the difference of opinion in the methodology used, as mentioned in the article, the conclusions in the report are on target – you can’t rely solely on signature based protection for today’s Internet threats. This is validated time and again by our corporate customers, who use these same leading security programs, and who spend significant resources cleaning and re-imaging company machines that are constantly being infected by the many threats that pass right through them.

The Safety of Popular Hosting Environments (or Lack Thereof)

July 22nd, 2010


If you don’t mow the lawn often enough, you may find unwelcome guests in your yard.
Image courtesy dnatheist.

Hosting companies are a major component of criminal resources online. Like all for-profit enterprises, cybercrime relies on solid, dependable infrastructure that will allow criminals to distribute viruses and other malware. While some hosting companies actively support cybercriminals by explicitly offering so-called “bullet proof hosting” environments to those looking for havens from law enforcement, many hosting companies simply turn a blind eye to cyber crime. After all, they are making a profit and they are not getting in trouble for providing services to criminals, so why would they stop? A new report by HostExploit sheds light on hosting companies that are likely aware that criminals use their services to further their ends.

Of course, cybercriminals do not always pay for the services they use. A tried and true method used by online thieves is to borrow the resources of a server someone else is paying for.

How does one take over someone else’s server? The techniques are beyond the scope of this article, but the principle is the same as for a home computer: a machine running out-of-date software is more likely to be infected, and a hosting environment that does not keep up with updates to the software and applications it runs is more likely to be hijacked by cyber criminals because known, unpatched vulnerabilities exist. Just this week Google’s Matt Cutts discussed the growing threat of web server hacking in Google Webmaster Videos, saying:

I think web servers on the web are going to be exploited a lot more. The hackers are going to stop putting viruses and malware on individual people’s machines and they’re going to start attacking web servers across the entire world wide web.

So today we focus on those hosting companies that are negligent in updating their infrastructure, in essence opening the door for criminals to illicitly host their own content like illegal online pharmacies or to infect internet users’ computers. Once the users’ machines are infected, the criminals will steal banking passwords, use the computers to send spam or even participate in phishing attacks to steal money from victims’ bank accounts.

The Study

Profile of 100,000 Most Popular Websites

Cyveillance recently performed a scan of the 100,000 most popular websites on the entire internet, as defined by Alexa. (A daily listing of Alexa’s top 1 million websites can be downloaded from this page.) We simply requested the HTTP response headers from each site; the Server and X-Powered-By headers typically name the web server software and PHP version the hosting platform uses. This information is sent virtually every time any web surfer visits any web page, so requesting it once from each site imposes no burden on these 100,000 websites.

We then simply compared what versions of common hosting variables were used by these popular sites. We have used very conservative standards for what are acceptable, up to date versions. That being said, here’s what we learned…

Apache HTTP Server

Distribution of Apache Versions

Current Version: Version 2.2.15 is the current stable release, released four months ago according to Wikipedia.

What We Considered Out of Date and Why: Any 2.0.x version or older. The 2.2 branch has been available since December 2005.

Internet Information Services (IIS)

Distribution of IIS Versions

Current Version: Version 7.5 was released in October 2009 and is the current stable release according to Wikipedia.

What We Considered Out of Date and Why: Anything using version 6.0 and older. Version 6.0 was released as part of Windows Server 2003.

PHP

Distribution of PHP Versions

Current Version: Version 5.3.2 was released in March 2010 and is the current stable release according to Wikipedia.

What We Considered Out of Date and Why: Anything using version 5.1 or older. Version 5.2.0 was released in November 2006, and it is hard to justify not upgrading in the last 3.5 years. Note that most PHP-related compromises arrive through the applications written in PHP that are installed on a website (forums, blogs, etc.) rather than through the interpreter itself, but PHP releases routinely include security fixes for the interpreter and its bundled extensions, so running a recent version is good hosting hygiene.

To recap:

Service                 Considered out of date      Percentage of top 100,000 sites
Apache HTTP Server      2.0.x or older              6%
IIS                     6.0 or older                12%
PHP                     5.1 or older                7%

Perhaps it’s also useful to know what percentage of the top 100,000 have upgraded to the newest version.

Service                 Newest version      Percentage of top 100,000 sites
Apache HTTP Server      2.2.15              4%
IIS                     7.5                 1%
PHP                     5.3.2               1%

So there is a very large percentage of sites not running up to date versions of these services. If your definition of safe is “must run the most recent version” then the web is very vulnerable indeed.

Caveats

A few items are worth mentioning.

  • Sometimes a website has a bad day and for whatever reason did not return any response to our request for its headers. Stuff happens. Perhaps the site was offline, perhaps the site has a policy of not answering requests just for headers. We did not screen these out of the results because we wanted to preserve the integrity of the top 100,000 dataset. It would have been rather arbitrary to keep going deeper past the 100,000 site mark just to make up for some absentees.
  • Some webmasters will modify their sites so that the headers do not reveal very much information about what systems they run. This is very clever because in the same way we scanned the sites to do a health check up on the most popular 100,000 sites, criminals will scan the web looking for out of date software to attack. The sites that did not offer any such information were not removed from our dataset.
  • Also, there are certainly situations where the same “hosting environment” was found multiple times in the top 100,000 sites we polled. For instance, a good number of sites from blogspot.com, wordpress.com, etc were present. But again, we didn’t pull those out because we wanted to maintain the notion of the top 100,000 sites on the web.
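
To make the method above concrete, here is an added example (not Cyveillance’s scanning code) that does the version comparison the study describes: it parses the Server and X-Powered-By headers, applies the same thresholds (Apache 2.0.x or older, IIS 6.0 or older, PHP 5.1 or older), and, in line with the caveats, keeps a site whose headers name a product without a version as “masked” rather than dropping it. The sample responses are constructed for this example; head_headers() shows how the same data is fetched live with one HEAD request per site and is not run offline.

```python
"""Classify server-software versions disclosed in HTTP response headers."""
import http.client
import re

# Thresholds used in the scan above: at or below these is "out of date".
OUT_OF_DATE_MAX = {
    "apache": (2, 0),  # Apache 2.0.x or older
    "iis": (6, 0),     # IIS 6.0 or older
    "php": (5, 1),     # PHP 5.1 or older
}

# Product tokens as they appear in Server / X-Powered-By values.
# The lookarounds keep "Apache-Coyote" (Tomcat) from being counted as httpd.
_PATTERNS = {
    "apache": re.compile(r"(?<![\w-])Apache(?![\w-])(?:/(\d+(?:\.\d+)*))?"),
    "iis": re.compile(r"(?<![\w-])Microsoft-IIS(?![\w-])(?:/(\d+(?:\.\d+)*))?"),
    "php": re.compile(r"(?<![\w-])PHP(?![\w-])(?:/(\d+(?:\.\d+)*))?"),
}


def parse_version(text):
    """'2.0.63' -> (2, 0, 63); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def classify(product, version):
    if version is None:
        return "masked"  # product named, version withheld by the webmaster
    if parse_version(version)[:2] <= OUT_OF_DATE_MAX[product]:
        return "out_of_date"
    return "acceptable"


def inspect_headers(headers):
    """Map product -> (version or None, status) for one site's response headers."""
    lowered = {name.lower(): value for name, value in headers.items()}
    blob = " ".join(lowered.get(name, "") for name in ("server", "x-powered-by"))
    found = {}
    for product, pattern in _PATTERNS.items():
        match = pattern.search(blob)
        if match:
            found[product] = (match.group(1), classify(product, match.group(1)))
    return found


def summarize(responses):
    """Percentage of polled sites running an out-of-date version of each product."""
    counts = dict.fromkeys(OUT_OF_DATE_MAX, 0)
    for headers in responses:
        for product, (_, status) in inspect_headers(headers).items():
            if status == "out_of_date":
                counts[product] += 1
    total = len(responses)
    return {p: round(100.0 * n / total, 1) for p, n in counts.items()}


def head_headers(host, timeout=10):
    """One HEAD request for '/', as the scan did. Sites that refuse HEAD or
    time out simply contribute no product information (see the caveats)."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return dict(conn.getresponse().getheaders())
    except (OSError, http.client.HTTPException):
        return {}
    finally:
        conn.close()


# Constructed sample responses (not data from the scan).
SAMPLE_RESPONSES = [
    {"Server": "Apache/2.0.63 (Unix) PHP/5.1.6"},
    {"Server": "Apache/2.2.15 (Debian)", "X-Powered-By": "PHP/5.3.2"},
    {"Server": "Microsoft-IIS/6.0", "X-Powered-By": "ASP.NET"},
    {"Server": "Microsoft-IIS/7.5"},
    {"Server": "Apache"},             # version masked by the webmaster
    {"Server": "Apache-Coyote/1.1"},  # Tomcat's connector, not httpd
]

if __name__ == "__main__":
    for headers in SAMPLE_RESPONSES:
        print(headers, "->", inspect_headers(headers))
    print(summarize(SAMPLE_RESPONSES))
```

Comparing only the first two version components is deliberate: the study’s thresholds are branch-level (2.0.x, 6.0, 5.1), and a site on the 2.2 branch that is a few point releases behind still counts as “acceptable” under those generous allowances.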

Conclusion

As can be seen, a noteworthy percentage of hosting environments out there do not run very recent versions of important system components. And to reiterate, we have used generous allowances for what we considered unarguably out of date in general terms. This is especially surprising given the commercial value of sites in the 100,000 most popular sites on the entire internet. With the stiff competition to become highly-trafficked, we were surprised to see that so many of these sites have not kept up with such fundamental components to their software.

Of course, this certainly doesn’t mean that by going to these sites you will be infected with malware, or that you will visit a compromised server. What it does mean is that a significant portion of highly valuable sites are not as well protected as they should be, and that less popular sites even farther down the food chain may be even more risky because there is less monetary incentive for their owners to protect them.

We want to make clear that we are not calling out any individual site for not being up to date. There are many reasons a site may not be completely up to date with the most recent software out there. Maybe their web application was not future-proofed and would not run on newly updated versions, so they have not been able to bring things up to speed. That’s a business decision for the site owners. Maybe the site in question is a security researcher honeypot and is out of date on purpose! In any case, our aim is simply to paint a picture of the overall landscape.

What can be done?

Clearly, in the same way a computer owner regularly applies updates to the software running on his or her machine, hosting companies need to be very diligent about offering the most recent versions of the types of services we describe above. Webmasters should also only use hosting companies running up to date software. This will not only help keep the webmasters’ sites safe from hacks by cybercriminals, it promotes a healthier web for everyone if hosting companies know they lose business to more security-minded competitors.

Of course, in the same way that even a fully-patched, updated laptop can still be infected by malware, the most carefully maintained hosting environments can be compromised. Our intention is not to suggest that if a hosting company gets infected and is used to spread malware to internet users that it was negligent. Zero-day exploits are sadly not uncommon. We are suggesting that hosting environments which are not updated and get infected or compromised by cybercriminals are in fact making the internet a more dangerous place than it would be otherwise, and that action should be taken to correct the situation.

Let’s say you are travelling in your car and needed a place to eat. You come upon a town. If you knew that 10% of a town’s restaurants did not meet health code standards and that there was a nontrivial chance you could get food poisoning, would you want to eat in that town? No, we wouldn’t want to eat in that town either, and we hope for a time when the internet’s hosting environments are far safer than they are now.

Are AV Reviews Providing a False Sense of Security?

April 9th, 2010

PC World recently reviewed Norton Internet Security 2010 praising the tool as “one of the top performers in detecting and cleaning up active malware infections on a PC.” While it is important to recognize the inherent need for anti-virus (AV) security tools, reports like these published by PC World may in fact be a disservice to consumers and businesses by creating a false sense of security for those using these tools.

PC World stated that Norton “found all bad software, disabled 93 percent of it and removed all traces of two-thirds of the software—the best score of any product [they] tested.” While these may have been the best scores that they saw, according to the report, their lab environment included only known signatures, thus not representing the “real” Internet where zero-day threats and malware with unknown signatures appear in abundance every day.

Since the testing of the top AV products was conducted against known signatures, anything less than a 100% detection rate should be unacceptable. As illustrated in the graph below, we have found that even the most popular AV solutions detect less than half of the latest malware threats:

Furthermore, after at least a week from the release of a new malware threat, AV companies still only have about a 50% chance of protecting against the threat – strengthening the argument for a comprehensive proactive security approach. More information regarding our testing can be found in the Cyveillance Intelligence Report.

We strongly encourage vigilant testing of security products, but the methods should be based on realistic online environments, provide insight into the realities of what AV solutions can do and report an accurate level of security for those using the products.

Google Search Results Significantly Poisoned

November 16th, 2009

Hundreds of Thousands of Links Leading to Malware Found in Google Results

Cyveillance has discovered a complex attack vector that uses Google search results to distribute malicious software (malware) to unsuspecting Internet users. Using this attack vector, users click on links within Google search results and are routed to sites that attempt to download malware to their computers. The attack method also relies on inattentive webmasters who do not update the software on their sites and often unknowingly provide the material that appears in the search results.

The screenshots below display examples of blogs with posts that are simply images and contain no text or stories:


The common string albums/bsblog/category is found in the URLs of all these blogs. By simply using the Google search operator allinurl: with that string, you can see how many other sites contain the same path.

More than 260,000 poisoned Google results. If you carry out the same Google search, DO NOT click on the results.

As can be seen in the image above, more than 260,000 URLs are presented in Google’s search index leading to blogs similar to the ones illustrated in our example. Beware: if you were to visit one of these blogs by clicking its URL in Google search results, you would be bounced through two further websites, the second of which attempts to install fake anti-virus software on your computer. (For safety purposes, we are not directly linking to infected search results, but if you enter the query shown in the image, you can recreate the above results.)

If you instead copy and paste the destination URL directly into your browser, you are taken to the boring but otherwise harmless blog posting, like those pictured earlier in this discussion. The attack only happens when the compromised blog determines that you arrived by way of Google, which it does by checking the HTTP Referer header.
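
The Referer check described above cuts both ways: the same header the attacker keys on can be set by anyone, which gives a simple way to expose the behaviour. The following is an added example, not the attackers’ code or Cyveillance’s. compromised_blog() models the behaviour the post describes (a harmless image post for a direct visitor, a redirect for a visitor whose Referer says they came from a Google search), and detect_cloaking() is the check that follows from it: request the URL twice, once plain and once with a Google search Referer, and compare. The fake fetch functions and the hostnames in them are constructed for the example; the middleman host name is hypothetical.

```python
"""Referer-conditional redirection ("cloaking") and a two-request check for it."""
from urllib.parse import urlparse

# Path fragments the post reports in the poisoned URLs.
POISONED_PATH_MARKERS = ("albums/bsblog/category", "bmsblog/category")


def came_from_google(headers):
    """The condition the compromised blogs key on, as described in the post.
    Only google.com and its subdomains are recognised here (a simplification)."""
    referer = headers.get("Referer", "")
    host = (urlparse(referer).hostname or "").lower()
    return host == "google.com" or host.endswith(".google.com")


def compromised_blog(url, headers):
    """Fake fetch of a compromised rogue-blog page. Returns (status, headers, body)."""
    if came_from_google(headers):
        # Hypothetical middleman host; the post names ionisationtools.cn / moored2009.cn.
        return 302, {"Location": "http://middleman.example.invalid/in.php"}, ""
    body = "<html><body><img src='a.jpg' alt='common and kanye west'></body></html>"
    return 200, {"Content-Type": "text/html"}, body


def honest_site(url, headers):
    """Fake fetch of a page that behaves the same regardless of Referer."""
    return 200, {"Content-Type": "text/html"}, "<html><body>hello</body></html>"


def detect_cloaking(fetch, url,
                    search_referer="http://www.google.com/search?q=common+and+kanye+west"):
    """Fetch the URL twice and report whether the Referer changed the response.
    `fetch(url, headers)` must return (status, headers, body) without following
    redirects, otherwise the redirect target is lost."""
    direct = fetch(url, {})
    via_search = fetch(url, {"Referer": search_referer})
    report = {
        "url": url,
        "suspicious_path": any(marker in url for marker in POISONED_PATH_MARKERS),
        "cloaked": direct[0] != via_search[0] or direct[2] != via_search[2],
        "redirect_host": None,
    }
    if 300 <= via_search[0] < 400:
        report["redirect_host"] = urlparse(via_search[1].get("Location", "")).hostname
    return report


if __name__ == "__main__":
    print(detect_cloaking(compromised_blog,
                          "http://victim.example.invalid/albums/bsblog/category/las-vegas-rental/"))
    print(detect_cloaking(honest_site, "http://example.invalid/post/1"))
```

Against a live site the fetch function would issue the two requests with urllib.request (or http.client) and redirects disabled; the report’s redirect_host is then the “middleman” domain worth blocking, and it explains why Google’s own warnings are sparse: the harmful content is never served from the URL in the index.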

An earlier search similar to the one above produced 104,000 infected URLs:

Another 104,000 results that will lead to malware. Again, if you carry out the same Google search, DO NOT click on the results.

As you can see, only a small portion of sites in the search results carry a warning provided by Google. The reason for the small number of warnings is likely because the actual attacks do not take place on the website URLs in the search results, but on the sites you’re redirected to thereby decreasing the chances that Google will designate the destination sites as harmful.

Digging Deeper

On all the infected sites found there is rogue blog publishing software installed, sometimes inside an installation of the popular online photo gallery software Coppermine. (The most recent version of Coppermine we observed being used in this attack was 1.4.24, and Coppermine is now on release 1.4.25.) These rogue blogs automatically and regularly publish new posts that are titled with esoteric terms like “las vegas rental no credit check”, “real world melinda and danny”, or “uninvited song lyrics alanis morrissette morissette”. These posts are intentionally not titled with simple, very popular terms like “Britney Spears”, “Obama” or “Paris Hilton”, to avoid having to compete in search rankings with the millions of pages which already exist for those topics. Instead, the authors of this exploit take advantage of the long tail of search, where rare combinations of search terms in aggregate make up a very large portion of the queries made by web surfers. In fact, a surprising share of internet searches contain four or five words, and the authors of this attack appear to have titled their posts with this in mind, to be exposed to as many potential victims as possible.

No words are to be found in these blog posts. The content of each post consists solely of images that are found among images.google.com results of queries for the same terms found in the post’s title. Each of the images are then presented inside the new blog post and contain alt and title tags which also match the post’s title in an attempt to maximize the relevancy in Google’s eyes for any query matching those terms. For example, if one of these blog postings was titled “common and kanye west”, the blog posting would simply contain four or five of the images shown in the results of a Google image search for “common and kanye west”, and each of these images would in turn be given alt and title tags that read “common and kanye west”.


The repetition of the same terms in the post title and image tags is a clumsy but straightforward mechanism of suggesting to Google that the page contains highly relevant information about those topics, hoping that Google will then present these pages to searchers. When the searchers click on these links in Google search results, the blog will redirect that visitor to the fake anti-virus installation site.

The Attack

Image of an attack site in progress.

The fake anti-virus site displays what appears to be the results of a computer scan, warning the user that “31 Malware programms was found!” (sic). The fake notifications display illegitimate Windows anti-virus warnings regardless of the user visiting the site on a Macintosh, as happened in the pictured example. Interestingly however, it did correctly dynamically insert this researcher’s computer’s IP address into the image (which has now been blurred out). Clicking on anything in the fake infection findings, including the blue framed popup, will result in a file named Inst_58s6.exe being downloaded to the user’s computer.

Where the Wild Things Are

The path from the infected websites to the fake anti-virus software drop sites is swift and likely not noticed by the user. A user will click on one of the innocent-looking Google search results and is transported to a “middle man” domain like ionisationtools.cn or moored2009.cn. The server at these domains will then redirect the web surfer to a final destination where the fake anti-virus is pushed on the user, as described above.

The middlemen domains like ionisationtools.cn or moored2009.cn are “live” for just a day or two and quickly go offline. Their DNS records briefly point to the free DNS service provider EveryDNS.net.

The actual fake anti-virus drop sites are found on domains such as:

  • premium-protection6.com
  • file-antivirus3.com
  • checkalldata.com
  • foryoumalwarecheck4.com
  • antispy-scan1.com

All these domains observed by Cyveillance were registered with the Chinese registrar TodayNIC.com and, like the middleman sites above, were registered one or two days before the inbound Google search traffic arrives, suggesting that the software directing search traffic from the infected websites may know in advance where the drop sites will be.

Only Google?

It appears that Google is the only search engine with knowledge of these infected sites. We learned this by taking several domains that contained the infected Coppermine installs and used Bing’s site: command and Yahoo!’s Site Explorer; neither of these search engines returned any URLs which contained this particular exploit in action, suggesting that Google is the only major search engine being used as the attack vector by these malware distributors.

It is possible that the attackers took advantage of the ability to submit .xml sitemaps in Google to stimulate the search engine to visit and index the rogue blogs’ postings. A suitable .xml file was found on the sites examined to support this technique.

What Can Be Done?

Cyveillance recommends that Google investigate all URLs in its main index which contain albums/bsblog/category or bmsblog/category in the URL and take the appropriate action to minimize the potential danger to users. Additionally, webmasters need to ensure that software is constantly kept up-to-date with the latest revisions and that site content is periodically reviewed for potential malicious activity.

While not necessarily practical, users can minimize their exposure to the attack vector described in this writing by copying and pasting the link from the Google search results directly into their browser rather than clicking the search result link; a pasted URL sends no Referer header, so the compromised site serves its harmless page. Additional steps to minimize the harm from the attack vector are ensuring all computer software is up-to-date and practicing safe Web surfing habits.

Heading in to 2010 and beyond, Cyveillance will continue to make the investments in personnel and technology needed to warn the Internet community of new threats, protect our customers, and stay one step ahead of the bad guys.

A Dangerous Blend of Phishing Methods

October 15th, 2009

In recent phishing attacks targeting Cyveillance and numerous other organizations, cyber criminals are exploiting outward-facing Microsoft Exchange mail servers to personalize their emails, spoofing internal email addresses as the senders. The bogus messages are then sent to the organizations’ personnel and ask the recipients to click on a link in order to update their Microsoft Exchange settings. Once clicked, the user is routed to a fake site that appears to be authentic. If the user then clicks the link to the executable file on the fake site, malware is downloaded to his or her computer. After the malware is installed, the user’s computer becomes part of a larger botnet capable of a multitude of malicious acts.

Email screenshot:

spear phishing email

This attack type was originally reported by SANS earlier this week. The SANS report can be found at https://isc.sans.org/diary.html?storyid=7333. Since the time of the report, the attack has become even more dangerous by adding fast flux technology. Fast flux is a DNS technique in which the hostname used in the attack is rapidly re-pointed at different machines in a pool of servers, so that the phishing site keeps moving in order to evade detection and takedown.

The malware used in the attack is a Trojan-Spy virus. More information about sample… It is detected by only 4 of the top 41 anti-virus vendors according to VirusTotal.

It appears on the surface that the goal of the attacks is to increase the computing power of botnets by increasing the number of bots that belong to the network. Given the numerous organizations targeted and the methods used, this approach clearly demonstrates the sophistication of modern phishers and their ability to amplify the potential danger of attacks targeted at specific victims. By being more creative in their approach, this mixing of phishing methods increases the likelihood that the phishers’ emails will successfully reach their intended recipients. Users can minimize the potential for falling victim to these types of attacks by never clicking on links within emails and only accessing their online applications through known Web sites and pages.

Inside the Development and Management of a Botnet

August 21st, 2009

A story published recently by a researcher at Cisco does a great job of illustrating what it takes to setup, manage, and profit from a botnet. The story details many of the typical activities performed by the criminals who manage and sell botnets. What is unique about the story is that the information is obtained directly from correspondence and discussions with an actual criminal behind the botnet. The story can be found at: http://www.cisco.com/web/about/security/intelligence/bots.html

What is especially unnerving about the story to many security professionals is the ease with which the criminals are able to perpetrate their activities. The criminals behind the botnets can bypass many security technologies through malware and phishing attacks. Additionally, these criminal enterprises can be extremely profitable despite recent claims to the contrary by researchers at Microsoft.

Further evidence of the relative ineffectiveness of some of the most well-known security technologies is illustrated by test results in one of our recent reports, Cyveillance Intelligence Report 1st Half 2009. The report can be downloaded at http://www.cyveillance.com/web/forms/request.asp?getFile=115

Despite the success of the more sophisticated online criminals, some progress in the fight against online crime has been made. Cyveillance has long noticed the trend of criminals being forced to develop very sophisticated methods to bypass detection and security countermeasures. This is a clear indication that the efforts of Cyveillance and others in the security industry are working. As we enter a new era in Security and Intelligence with our acquisition by Qinetiq NA, Cyveillance will continue to make the investments in personnel and technology needed to protect our customers and always stay one step ahead of the bad guys.

Cyveillance Testing Finds Leading AV Vendors Not Keeping Pace with Influx of Malware and Phishing Attacks

August 18th, 2009

Antivirus and Anti-Phishing Tools Provide Inadequate Detection of Cyber Attacks During Critical First 24-Hour Period

In addition to the AV, Web browser anti-phishing and consumer protection application testing, other key findings in the report include:

  • Cyveillance tracked an online “fraud chain” which included malware components that store and serve malware executables, distribute malware to consumers and receive and store confidential information collected from infected computers.
    • The United States and China continue to host the majority of malware executables representing 33 percent and 21 percent of attacks, respectively, which make up over half of the malware found during the first half of this year.
  • During the first half of 2009, there was an average of over 23,000 unique phishing attacks per month, which makes phishing still one of the top threats on the Internet.
  • Popular consumer applications used for detecting phishing attacks do not provide adequate protection. Initially, Symantec’s Norton SafeWeb only blocked/warned against 4.4 percent of phishing attacks and increased to only 5 percent after the first 24-hour period.
  • During the first half of 2009, 200 unique brands were first-time targets of phishing attacks, which represents a 26 percent increase over new brands phished in the second half of 2008.

View the report: http://www.cyveillance.com/web/forms/request.asp?getFile=115

Software Updates Used as Phishing Bait

June 30th, 2009

Phishers have been targeting software updates to distribute malicious software (malware). In the example below, the phisher sent the email from a spoofed Microsoft account to a Cyveillance email address, prompting the user to click on the update link in the body of the message. The link itself appears to be a legitimate Microsoft update site (update.microsoft.com). However, the link is actually obfuscated and when clicked, routes the user to a malicious Website infected with malware.
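
The lure works because the text a reader sees in the link and the destination the browser actually connects to are two different things. The following is an added example, not Cyveillance’s tooling, that flags this mismatch in an HTML email using only the standard library: html.parser collects each anchor’s href and visible text, and urllib.parse yields the host the browser would really connect to (it also strips the “user@” trick, where http://update.microsoft.com@evil.host/ displays the trusted name but connects to evil.host). SAMPLE_EMAIL is constructed for this example; the IP address and hostnames in it are not from the post.

```python
"""Flag links whose visible text names one host while the href leads to another."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# A hostname as a reader would see it in link text, with or without a scheme.
CLAIMED_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._in_anchor = False
        self._href = ""
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_anchor = True
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._in_anchor:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_anchor:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._in_anchor = False


def actual_host(href):
    """Host the browser would connect to; any 'trusted.name@' userinfo is dropped."""
    return (urlparse(href.strip()).hostname or "").lower()


def claimed_host(text):
    """Host the link text appears to promise, or None if the text is not URL-like."""
    match = CLAIMED_HOST_RE.search(text)
    return match.group(1).lower() if match else None


def same_site(actual, claimed):
    """Treat a subdomain of the claimed host as the same site (e.g. update.microsoft.com
    for a link whose text says microsoft.com)."""
    return actual == claimed or actual.endswith("." + claimed)


def mismatched_links(html):
    """Return the anchors whose promised host and real host disagree."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        claimed = claimed_host(text)
        actual = actual_host(href)
        if claimed and actual and not same_site(actual, claimed):
            findings.append({"text": text, "href": href, "claimed": claimed, "actual": actual})
    return findings


# Constructed sample body in the style of the lure described above (not the real message).
SAMPLE_EMAIL = """
<p>A critical security update for Windows is available. Install it now:</p>
<p><a href="http://update.microsoft.com@203.0.113.5/WindowsUpdate.exe">http://update.microsoft.com</a></p>
<p>Or read more at <a href="http://203.0.113.5/kb/">update.microsoft.com/kb</a></p>
<p><a href="http://www.example.com/unsubscribe">www.example.com</a></p>
"""

if __name__ == "__main__":
    for finding in mismatched_links(SAMPLE_EMAIL):
        print(finding)
```

The first two links are flagged (the visible text promises update.microsoft.com, the connection goes to 203.0.113.5) and the third is not; a mail gateway or client add-in can run the same comparison and rewrite or strip links that fail it, which is the automated form of the advice below to update only from within the application or from the vendor’s own site.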

While attacks such as the one above are not new, it is only recently that this method has truly become a mainstream vector. It is likely that we will continue to see more of this type of attack in the future.

Clicking on links within emails presents potential danger to users. Cyveillance recommends only updating software from the update feature within the application or actually downloading the update from the software vendor’s Website.