Better late than never, Apple has been releasing updates to its customized OSX build of Java, kind-of-fast on the heels of a new malware nemesis, Flashback.K. Windows users have had access to Java version 6.30 since Oracle released that operating system’s update to the ubiquitous runtime engine in February, but Mac users have been hanging in limbo, waiting for Apple to release the update. Well, not exactly waiting on the edge of their seats.

In February, I described some of my experiences investigating botnets (and the schemes which result in infections) in a webinar cohosted with Sonicwall (free registration required to view). The webinar has a “pop quiz” feature, so I preconfigured a bunch of poll type questions, to keep the audience engaged. The response to one question really floored me, though. I had asked the audience members to choose what they thought was the software component of a Windows computer they thought was the most “attacked” or targeted by malicious code.

As you can see in the screenshot above, lots of people chose the “E: All of them” answer, but that’s really just a throwaway. I was honestly shocked to see that none of the (admittedly small) number of people people who completed this survey question chose Java (or, to be more specific, application/java-archive) as the MIME type most frequently abused by exploit kits. Not even a single person, and this among an audience of security professionals at least some of whom investigate precisely these kinds of infections in the course of their duties.

Wow, just wow. Now that’s low profile. But no longer.

With all the attention the issue is getting, the updates are churning out. Apple is finally getting around to releasing patches for OSX Lion. That’s good, but is the problem tied to how Apple controls its software distribution model: If Apple allowed the third parties who write software for the OSX platform to release their own fixes, rather than insisting on releasing only Apple-approved code, would the flood of Flashback.K infections – currently numbering just below half of the peak of 600,000 machines estimated to be infected by antivirus companies DrWeb and Symantec – have reached such a fevered pitch?

It’s telling that the Mozilla foundation pushed an add-on “blacklist” for the vulnerable versions of Java earlier this month. Even on installations of Firefox where the browser is configured not to check in with Mozilla for updates, the program began alerting users about a week ago that they really should disable Java 6.29. In fact, Firefox pretty much strongarms you into disabling vulnerable Java, as does Thunderbird, if you have it installed. You know what? That’s OK with me. Even though I use NoScript, I don’t need the trouble of another vulnerable plugin hanging around in my browser.

The screenshot above illustrates how the open source software jsunpack-n interprets the initial infection vector of a driveby download site hosting the Blackhole Exploit Kit. The script decodes the heavily-obfuscated Javascript common to Exploit Kit pages, then retrieves any payloads, and performs analysis on some of them. This example is just one of many where, as you can see in the highlighted boxes, at least two malicious Java JAR applets are pushed down to the targeted browser in the course of the initial infection process.

I tried to uninstall Java 6.24 and 6.29 installations from a Windows 7 64-bit laptop over last weekend. First, the uninstaller claimed it had lost the original installer, which rendered it unable to remove Java. When I pointed it in the right direction, it eventually self-removed, but left behind the Registry keys that list the two outdated products in Windows’ Programs and Features control panel. Removing those erroneously left-behind listings required a little hedge-trimming work in Regedit.

Java’s appeal as a vehicle to deliver malware appears to be tied to its ability to run in nearly every modern variety of computational device on the planet. Why wouldn’t a criminal want to build multiplatform malware? It’s an efficient use of development time, broadening the potential usefulness of the mal “product.” Add in the fact that not everyone treats Java updates with the seriousness they should, and it’s a perfect target platform for infecting the Macs or PCs of unsuspecting victims.

If this doesn’t demonstrate some of the more harmful risks posed by compromise of FTP credentials, I don’t know what will. A spam email that’s been circulating since the beginning of the month leads unwary victims not to one or two traps, but nineteen different URLs, all pointing to legitimate Web sites that have been compromised, and (at the time, anyway) hosted malicious content.

The spam poses as an AT&T bill for $920.30, and seems engineered to inspire the classic freakout reaction from the recipient. As a con, it wouldn’t work so well if it wasn’t a plausible scenario. Who hasn’t received one of those panic-moment mobile bills at one time or another?

Within a day, the dangerous links were shut down, but their variety and quantity in a single – and to be honest, kind of terse – email surprised me. As you can see from the screenshot, hotlinked text throughout the message body leads the recipient to believe the links point to various parts of the AT&T Web site. In fact, they point to myriad others.

The compromised Web sites don’t share much in common; While it didn’t appear that any were registered by the same organization or person, most had addresses in Latin America or Spain in their WHOIS information. All hosted an identical exploit kit delivering a Zbot payload.

While it appears, at first, that the malware distributors generated random folder names for their traps, in fact there’s a pattern of repetition of some of the directory names.

Zbot steals any stored FTP credentials, and can turn a victim’s legitimate Web site into an online pariah with no warning, weeks or months after the compromise. Assuming desktops will be compromised, an IT admin might consider ramping up the rate at which the server requires users to change credentials to every 60 or even 30 days. At least that narrows the window of opportunity for stolen passwords to be used.

With the RSA Conference and Security B-Sides San Francisco just around the corner, I’d like to invite readers of the blog to a webinar I’m cohosting tomorrow morning with Sonicwall’s Daniel Ayoub. The talk, titled Today’s Threats Are Overachievers–Are You Prepared to Respond, will feature a deep dive into examples of really fresh malware attacks and their aftermath.

The talk topic is especially intriguing because Sonicwall’s technology is capable of eliminating the vast majority of known threats that traverse a network. However, modern threats evolve more rapidly than the speed at which even the best systems can adapt and block those threats. Those infections which make it through the sieve are more dangerous, because once they run the gauntlet, their presence may remain concealed for some time, posing an ever-greater risk. The current threat climate is such that being prepared to respond to an attack is fast becoming a requirement, a must-do rather than a nice-to-do. Having a complete, easily searched, reconstructable record of network traffic makes it easy to answer the “how long” and “what was stolen” questions that keep IT people awake at night.

If you’re interested in learning about the intersection of social engineering and malware techniques, and what you can do about it, come and check it out. For those following along on Twitter, please use the hashtag #solera if you post about it. Thanks!

A small trickle of badly-malformed spam email turned into a flood last week as hundreds of copycat messages per minute flooded inboxes we use to collect samples. The malware delivered by the spammed links isn’t your garden variety bank phishing Trojan. This one has its eyes on a specific prize: It wants the credentials for online banks that cater specifically to business users — both the employees’ passwords and those of the banks’ customers.

The campaign, covered in its early stages in the previous post, employs Google’s shortlinking service, goo.gl. The exploit, delivered at the other end of that shortlink, rapidly snares victims. In several test runs, the victim computer was infected in well under 30 seconds.

The first malware payload appears to function as a traffic controller of sorts, helping guide additional payloads to the victim PC. It does this work at the behest of a botmaster using 95.57.120.104, an IP address that geolocation services place in Kazakhstan. The malware communicates with its command-and-control server using SSL encryption, but we have a secret weapon: We can decrypt your CnC traffic, and we see what you did here.

The spam messages delivering the link are horribly malformed. The From: address in the message is a random-looking group of numbers, followed by names that sound like some sort of business department, with occasional random characters strewn throughout. A lot of them look like Network_RulesDepartment or Business_Account Departmentu. Sounds legit.

The subject line references several banks and investment service companies with a focus on commercial customers, including BPD Bank Online, Webster Bank, Bank of the West, NetTeller (a UK-based payment service similar to PayPal), and First Data’s FundsXpress, and contained the usual (fragmentary) social engineering hook: Phrases like ACH Transfer Rejected, Transfer was disallowed, and Account frozen occur with regularity; There are too many examples to list them all here.

But what happened after the infection took place was the most interesting part. AV companies call the initial infectious code SmokeLoader, Cridex, Dofoil, or Qbot, depending on who you ask. Payloads, unfortunately, were detected by fewer antivirus engines (initially none), but the results Virustotal does return includes some of these same names.

Immediately, we began to see the initial malware executable beacon out to its command-and-control server. It used four different domains on a rotating schedule — the four URLs embedded in the executable, all of which resolve to one IP address. It makes this connection about once an hour, shrinkwrapped in a protective layer of SSL encryption, and performs a DNS lookup of one CnC domain every 20 minutes.

Normally, this traffic would be completely unreadable. The most you might see under normal circumstances is the SSL certificate from the host, which in this case came from the Kazakh server hosted by gohost.kz, a regional ISP.

But these were not normal circumstances. We cracked that SSL connection like an egg on the sidewalk, and this is what we put back together again:

Hey there, Humpty. This is the unencrypted pingback from Qbot. Smallest name wins. As you can see, it’s sending the name of the user account under which the Trojan is running (Hi!), as well as the name of the process it hooked (explorer.exe) on the infected box, and a timestamp (in UNIX epoch format).

We didn’t try to decode the string of hex circled in yellow; It looks a bit like what two other botnet Trojans — RBot and SDbot — use as a unique identifier for the infected machine, but to say that’s what’s happening here would be pure speculation. I am, however, the botnet owner’s F0E, so at least he/she/it got that part right.

Filtering out all other traffic, the heartbeat packets even look kind of like a heartbeat, as shown on an ECG.

Within seconds of the first infection, however, the bot was pulling down additional malware, which we could reconstruct from the packets. Note that this was also transmitted over SSL (port 443).

One of the payloads set itself up as a file named KB00124251.exe in the Application Data directory of the currently logged-in user’s profile, and sets a run key to start itself at reboot. It all sounds pretty rudimentary until you see the other registry key it sets: Under the HKEY_CURRENT_USER hive, it creates a new key in Software\Microsoft\Windows Media Center\ with a random, eight-hexadecimal-character name.

Inside that key, it creates one massive value. By comparison, the longest that most registry key values get are only a few tens of characters long. This one was 208,160 characters long. And you can bet there was some interesting stuff in there.

Inside that registry key, virtually in plain view, is a huge amount of text. For lack of a better name, I’m going to call the parts which determine the Web site the Trojan targets URI fragments. These strings, wrapped on either end in an asterisk, are made up of full domain names, or fragments of domain names, or fragments of domain names with specific paths, or just paths without domains. It seems to use the fragments in its triggering mechanism.

All told, a URI fragment tripwire has been placed in front of the domain names of roughly 300 banks, credit unions, and financial institutions, most based in the US. The paths listed in the tripwire code point unquestionably to the banks’ and credit unions’ business account holders — or in some cases, employees — as the primary target.

The bot process, hooked into explorer.exe and rootkitted, apparently can inject HTML into browser pages. To carefully control this process, the bot only performs the HTML injection when the right URI fragment appears in the browser’s Address Bar. The screen above demonstrates just how specific some of this injection can be; Employees of Central Corporate Credit Union in Southfield, Michigan: The Kazakh botmasters want your passwords, and they have figured out how to get them.

Some of the injections are very simple.

One of the things it tries to inject is a stylesheet from https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.11/themes/hot-sneaks/jquery-ui.css. It target 127 different banks with this specific injection. I’m not sure what hot sneaks it’s trying to pull with this one, but I’m sure they aren’t what the jquery team envisioned, and the study of just that piece of the attack deserves closer scrutiny. But, in the short term, whoever is in charge of that ajax server could render this element of the attack useless just by moving that css to a different directory path, permanently.

And some of the injections are really, really complex, like this one, which targets Sberbank, Russia’s largest bank:

Wow, is that a bit of commentary from the injection code author? Does the author think Sberbank’s protection is so fragile, so delicate, and that this injection scripting they built is so sophisticated, that they can shatter Sberbank’s protection like it was porcelain, so they named a variable they use to inject code after something breakable…fine bone china, anyone?

Well it might be, but even after creating all that weirdly obfuscated injected Javascript code, these MENSA candidates can’t double-check the spelling of the word. Nice one, morons.

If you’re feeling left out, social network users, don’t: The tripwire also lists the domains for Twitter, Facebook, Blogger, Flickr, and LiveJournal (really?) login pages, as well. I hear LJ is popular in Russia.

And the most bizarre twist: The injection code includes a reference to the Web site of the Russian industrial designer Artemy Lebedev, who operates a no bullshit design studio from Moscow, Kiev, and New York. Every hardcore geek I know drools over the company’s Optimus keyboards, but I don’t know any who would go to this length to get one. Funny thing, there is a connection between Art. Lebedev Studio and one target: The GIF icon that appears at the bottom of the login page for telebank.ru, one of the banking targets and, presumably, a Web design customer.

The thing I can’t get over with stuff like this, is the realization that someone — seemingly, a well-funded, dedicated,  intelligent collective of sociopaths — spent an awful lot of time putting together specific lists of targeted login pages, and their unique characteristics, and built this thing with sophisticated knowledge of how to attack hundreds of different Web sites, solely for the purpose of stealing. What a waste of human potential.

Looks like someone’s spam campaign got up on the wrong side of the bed this morning: A badly malformed message appears to be trying to convince the reader it originates with LinkedIn, the business-centric social network.

Hardly any message at all, the spam body consists entirely of ReportIDA161580AD75, which precedes a goo.gl shortlink. The laughable pidgin-English quality of the spam’s subject – last login was Failed xxxxxxxxxxxxx — breaks the illusion completely.  The fact that whoever sent this didn’t even try to mask the message’s true origin (a Yahoo mail account) just makes this kind of sad, really.

And yet, on any campaign such as this, some people will be taken in by this phony, broken down soundstage of a ruse, peeling paint and all. When that happens, if those likely-victims happen to click the wrong link in the wrong spam, on a computer with a vulnerable browser, and do so quickly enough to hit the malicious Web site while it’s still online. Well, it’s a bit like this.

The shortlink pointed the browser at k3yrt7a.frontscheeky.com. Early in the morning, DeepSee identified the geolocation of the IP address to which this domain resolved as Lahore, Pakistan.

Later in the day, however, the IP address had changed and pointed to a server located in Mexico. Then it went haywire. The domain now has a crazy amount of DNS diversity — at least twenty IP addresses from around the world all resolve to this bizarre domain name.

The frontscheeky link immediately bounces the browser into the waiting arms of stoneheadge.net, which is operating the Blackhole exploit kit. The first page we hit on stoneheadge, main.php, consists of a single Javascript that decodes a ginormous (and yes, that’s a technical term) array of hexadecimal-encoded data.

The script isn’t even all that complicated. But that array — hoo boy.

That’s a big array. It takes the browser a few seconds to crunch the numbers. Then it looks like a fairly typical Blackhole driveby: The Javascript instructs the browser to download and open a maliciously-crafted PDF; next, two Adobe Flash files, and finally an executable payload (the w.php URI at the end)

The security community seem to have come to a broad consensus on this point.

Check out the timestamps in the attack shown above; it only took the exploit kit 21 seconds to deliver malware, from the moment I clicked that malicious link.

The attack seems to always progress the same way: main.php; malicious PDF call (fdp2.php above but the names change frequently); field.swf & score.swf; w.php (.exe payload, Microsoft calls it Cridex.B). Of course, now that I’ve called attention to their extremely repetitive and boringly predictable infection routine, it will be up to the Blackholers to decide whether they want to change up their game.

The executable payload exhibited a skillful mastery of the art of word salad tossing, most thoroughly in its file properties. Clearly, if malware ever ceases to be a lucrative career for these guys, they could transition to publishing, writing hard-boiled pulp detective novels by committee, and coming up with titles like The Herr Lane Drugs Vain Gulls Caper. How gauche.exe

When we detonated the malware on our test system, we discovered two things. First, the file has an alternate name for itself, in a default location. Just to make sure we don’t miss it, the malware creators were kind enough to put it in there—twice. Sure enough, we found a copy of the executable with that name, in that location.

Second, the Trojan likes to handle its private business in private, so it phones home using SSL, this time with jahramainso.com, a Web domain hosted in that central Asian hub of high tech, Kazakstan. You know, the Silicon Steppes, home to Baikonur, the Cape Canaveral of the Caspian?

Jahramainso.com seems to be hosted on an IP range with a very poor reputation. I can’t imagine how such a thing could occur. It is an immense coincidence, no doubt.

It pays to dump the process from memory. We also found references there to jahramainso, as well as to volondoko.com, bubenlor.com, and jahenkos.net.

Looks like our future command and control network all ready for us. All four domains were registered on January 11th, just a little over a week ago. They all are hosted on the same Kazakh IP address, but all use nameservers based in China, and were registered through a Chinese registrar, Bizcn.

With the exception of Jahramainso.com, they lack the full WHOIS data in their registration details. It’s not as if it matters; it’s all going to be falsified anyway, so why waste everyone’s time? I just don’t know why anyone with oversight authority over domain registrars lets registrars get away with this kind of shenanigans.

So, your campaign is well and truly pwned now, your secrets laid open. Remember malware guys, there’s no need to torture yourself in a job you’re obviously terrible at and hate to do. You could just switch gears now, throw in the towel. There’s no shame in the admission of defeat, especially when you suck at it this hard. Look towards the future. You could be doing something you’re good at, something that you love to do — tossing salads — by the end of next week.

Both the installer and payloads of a rogue system utility named System Restore (a type of fraudulent software that, in this case, is named exactly like the Windows system utility) sport an unusual characteristic: a digital signature. Digitally signed Trojans such as these are less rare than they used to be, but still unusual, so it was notable that the entire soup-to-nuts infection package being delivered to victims since November uses signed executables.

The rogue installer was delivered by a spam email claiming to originate with the US postal service. The message’s attachment is, allegedly, a PDF document with details about a failed delivery. Of course, as you can see at right, the “PDF documents” are just executable files with an Adobe Reader icon (from the Adobe Reader program, not the icon used by a real PDF document).

One theory that attempts to explain why they’d go to the trouble goes something like this: Some network admins set security policies that only permit digitally-signed executable files to traverse the networks they control. But these policies don’t actually check the validity of the certificates, only that the code itself is signed. Therefore, even invalidly-signed code could, in this hypothetical situation, bypass this rudimentary policy check.

I’m not sure I buy into that. I want to believe that CSOs and IT admins know that such a policy is brain-dead, but you have to assume there’s a reason the malware creator would go to the trouble to generate crypto keys and go through the signing process. However, because we’re talking about subgenius-class malware creators here, it’s not as if this new “feature” bypasses any real security checks. In fact, the certificate is demonstrably false, but it’s only clear this is the case if you go looking for the information.

We’ve been seeing System Restore propagate using two common methods: Spam email containing a link to a malicious Web site; and spam email with a zipped, executable file attachment. Follow the link or trigger the attachment and it starts the ball rolling.

Here’s the not-so-cool-story, bro story: Two months ago, I found myself standing in a hotel lobby, waiting to speak to a hotel staffer, when another guest, standing at the hotel’s public-access computer, cursed the computer’s inability to print a boarding pass. I leaned over and saw my first System Restore infection, and recommended that the guest use a different computer, because that one really didn’t look right.

What I saw looked a bit like this. A nested stack of error dialogs, all saying the same thing:

Failed to save all the components for the file \\System325604. The file is corrupted or unreadable. This error may be caused by a PC hardware problem.

Just as a rogue antivirus app elaborately mimics the effects and consequences of a (hoaxed) malware infection, System Restore elaborately mimics the effects and consequences of a failure of multiple hardware devices, with improbable and (sometimes) laughable dire warnings of imminent disaster. In the rogue AV paradigm, we’d call this fake error-generating component the fakealert. The warnings this thing generates, on the other hand, puts it in a class by itself. Call it a fake-fail.

By the time you see this list of “problems,” you’re already well on your way to having an infected PC.

The program displays all manner of popups and error dialogs, some of which have a cancel button in them, but it doesn’t matter what you click because the program will, in any case, download at least one payload and execute it. In our test scenario, it downloaded two: the rogue (downloaded twice, from different locations, but helpfully named roge.exe for easy identification), and a Zeus keylogger/data theft Trojan (labeled 531-direct in the screenshot of network traffic shown above).

It’s hard to argue the description when the creator himself calls his file roge. Who am I to argue?

The rogue payload sets itself up in the %appdata% directory with a really long, random filename, and gets to work with its initial “scan.”

Only, as you can see here, it isn’t actually using even a millicycle of CPU time. The screen above shows the System Restore rogue running, while Process Explorer watches its activity in the background. The entire fake scan takes about as much processing power to render as an animated GIF, which is why the uncompleted “scan” shown above looks like it’s doing zero work. It really is doing zero work. The red box, above, is where you would see how much work this ‘repair’ is actually doing, if it were doing anything. This is what it claimed to be doing:

I love the conceit that moving data around in memory can somehow reduce the temperature of the physical RAM chips, or that a mechanical device that’s moving slower than normal would generate more heat than something that is moving faster. Yet that’s exactly what the error report displayed by the System Restore rogue says. It’s not just a blatant fraud; the errors it claims to correct violate fundamental laws of physics.

The file properties for the rogue’s initial downloader, the rogue executable, and another payload reveal another intriguing detail: The copyright information field for several installers and payloads contain the text ifsystems Corp but in each case, the capitalization of the word ifsystems was randomized, and the creators placed a copyright © symbol in a random position within the ifsystems name, as well.

The Properties sheet for this payload, which returns mostly Zeus botnet results on Virustotal, also has this bizarre ifsystems nomenclature, but it looks like the malware creators may have misspelled their own ‘company’ name. The rest of the data populated into the Properties sheet seems to be random nonsense.

Of course, the key to this scam is convincing a victim to willingly hand over card payment details. The fraud hook loads what looks like a Web page that appears to come from the domain technocago.com, but the page is framed in a fake browser window, and is actually loaded from paymenbit.com, a domain that was only registered two weeks before the rogue was being distributed in earnest. Even this reveals additional information: the rogue’s payment processor refers to the program as Defrag Pro Basic, but the particular version of Defrag Pro Basic that it wants you to purchase is called System Restore.

Bottom line, the fraud is the same, and the only difference is the digital signature. These kinds of incremental improvements in technology don’t come along in every revision of a rogue, but it’s quite possible that, from now on, we’ll only see digitally signed versions of this family of rogues. If your network security policies blindly permit signed executables to traverse the network, without validating those signatures, I’m putting you on notice that, as of at least two months ago, your policy is broken and will not block this highly intrusive, destructive, and dangerous fraudware.

Welcome back to the office, everyone (except postal and some bank workers). The first Monday after the new year is a great time to jot down a quick list of business-related resolutions. You can even put them into your calendar app, if you’re so inclined, to give yourself an extra nudge.

Here are my (security-themed) new year’s resolutions for 2012:

•  I’ll change my passwords at least once a month

This one could be tough, but not to remember. I’m going to schedule the reminder in my phone’s calendar. For my own sake, the password itself has to meet some stringent standards, including a minimum length and some diversity of character types. But what’s tough is the sheer number of passwords this entails. I already use a different password for all of my various online accounts, but the idea of changing them all, so often, seems daunting.

It has to be done, but fortunately, you don’t have to do it alone. In my case, I’m also going to rely heavily on a biometric finger scanner, helpfully preinstalled in the bezel of my laptop, and some third-party password manager software to keep up. You could also use a password manager like KeePass, which generates an optional password “best before” date, to keep you honest.

I’m doing this today, so listen up any criminals who might have been handed on a platter ahem, stolen, or audio-captcha-cracked any of my ‘victim test account’ passwords: use ‘em if you got ‘em.

•  More frequent backups

This isn’t so much a security resolution as a security blanket resolution. I bought myself a nice, large external hard drive and I know how just to use it: A liberal application of Microsoft SyncToy to the data directories I want to back up.

I’m a proponent of frequent backups, but I don’t live up to my own standards and don’t back up the non-work computers often enough. No more. 2012 will be the year of 52 weekly backups of everything, with more frequent, perhaps daily, backups of things like email.

• Dump bloatware from any computing device as soon as possible

Whether it’s a phone, a computer, or something in between, if it’s loaded up with some app that engages in any unwanted or undesirable behavior — or even if it just rubs me the wrong way — I’m getting rid of it.

No, I’m not going to just leave it there, running in the background, doing who-knows-what. Manufacturer warranties be damned: I will assert my right to total control over any technological device I have paid for, and will remove software that proves burdensome, irritating, or intrusive.

To the bitbucket you go, programs. And stay down.

• Harden my computing environment

I already do this, so this resolution is more about the thoroughness than the execution. I’m making it a personal mission to really dig into the settings within applications and the operating system, with the goal to ensure I’ve done everything I can to lock down the computing devices I use. It’s also a catchall resolution, meant to include all the small stuff like disabling links in Outlook, and some of the unmentioned big stuff, like uninstalling vulnerable applications or disabling exploitable browser plugins.

• Cleaning up my personal power environment

I use a lot of wireless devices, and many of those devices require the use of disposable batteries. Over the past year, I’ve reduced the number of batteries I produce as waste, but in 2012 I’m going full recharge. I’ve picked up a bundle of NiMH AAA and AA batteries and will attempt to use those, and (hopefully) occasional replacements, exclusively.

Unfortunately, I won’t be able to eliminate all of the tiny watch-battery-powered devices I use, but I’ll try to find alternatives, like this solar-powered LED flashlight. What does this have to do with security? All that chemical-soaked metal poses a threat to some physical security things all humans require in order to live in meatspace, like clean water and soil. My disposable battery habit is a menace to society. So is yours. Let’s fix it.

T’was the night before Christmas, and all over the ‘net
hardly a packet was stirring; Well…’bout 6 gigs a sec.
The Internet background noise whizzes nonstop
– even after the last Admin has punched off the clock.

But buried deep in that noise was a stray protocol.
A command-and-control message within the firewall.
A lone zombie replies to a ping and chirps out
secret signals, to a group who carry some clout.

Legion elves, running ops, scan the networks they’ve pwned;
Seek out mischief, find the troublemakers entrenched in their zones.
With this singular mission they tap at their keys,
and run nmap with umit, and Nessus, as they please.

While sniffing the wires and logging results,
the elf Red Team trades barbs and exchanges insults.
Not with other elves, but with their botmaster rivals,
who work feverishly to pump out some network denials.

For the malware guys knew Santa’s spies were inside,
and they knew their activities they couldn’t hide.
The fat man frowns on phishing, spam attacks,
and false accusations of unpaid income tax.

The bad guys fired off withering DDoS volleys
hoping their adversaries wouldn’t recover from the follies.
But the wily elves weren’t put off by that distraction,
and launched, in return, their own group action:

A packet flood of Christmas cheer so profound
it drove the cybercriminals deeper underground.
It killed all their malware, delisted bad ISPs,
and brought the miscreant operators to their knees.

And today we give thanks to those noble cyberelves,
who took it upon their little elf-hatted selves
to do battle with bad nerds in the middle of the night,
so we could sleep soundly, for once, and with no end in sight.

– Andrew Brandt

(with apologies to Clement Clarke Moore)

If you know me, you know I’m not really prone to spreading security FUD. I’ve been asked to prognosticate a bit about the near-term future, and I have to say, without intending to sound like a fearmonger, the next year is shaping up to be pretty messy from a security perspective. I have a hard time finding any silver linings to the massive storm clouds that seem to hang all around and on top of us.

Right now, the climate for attacks is just brutal. Based on what I’ve been seeing since Halloween, if the pace and volume of attacks keep up, the coming year doesn’t look like it’s going to be pretty. Rampant spam-driven attacks, multiple manifestations of classic social engineering scams, corporate espionage, and malware malware malware look to be on the table for 2012. It was hard to winnow my worst-of-the-worst list down to only five items, but I had to draw the line somewhere, and it seems like a nice, round number.

So, with that in mind, click through the jump to read my top five threats to watch for in 2012.

Increasing use of compromised, legitimate sites from which to stage attacks

It doesn’t matter whether you own a tiny art collective or you operate an organization as large as Amnesty International: The continued existence of unpatched, vulnerable Web site code — in particular, vulnerable WordPress.org blog plugins — are set to become a big problem in the near future; that, and a massive flood of keylogger malware washing across the net means we’ll see a lot of sites get pwned in the coming year and used, like the one in the screenshot above, to redirect victims into an exploit kit.

The WordPress.org plugin vulnerabilities permit malware guys to upload their code onto someone else’s Web pages; Keylogger malware, such as Zeus/Zbot, just rips saved FTP passwords and other stored credentials and ships them directly to People You Don’t Want In Control Of Your Web Site.

It’s already happening, with “TimThumb“-style attacks propagating against other vulnerable WordPress.org code, and the results have been pretty scarily effective. Most of the code we’ve seen uploaded to legit sites redirects the browser into the maw of one or another exploit kits.

Scripted exploits targeting vulnerable browser plug-ins

If you’re not running Firefox with NoScript installed, you need to do so right now. As far as I can tell, it’s the only surefire method of preventing an accidental infection of a Windows PC by exploit-kitted Web pages. It all starts with a blob of heavily-obfuscated Javascript and ends within a few minutes with the victim’s PC pwned and the victim’s passwords in the hands of some Asian or eastern European goon squad.

It couldn’t get any more obvious that you need to act immediately. Update Flash, Acrobat, Office, and other vulnerable applications today, right now. Disable Javascript within PDF documents in your PDF reader’s preferences. And at least for the time being, the safest thing to do is to uninstall Java from any system you control, at least until a patch gets released to address CVE-2011-3544.

Give us a break with the spam, already

As patently ridiculous as some of the spam campaigns this year have been, they must be effective, because the bad guys haven’t spared a moment for months coming up with new and innovative social engineering tricks.

If the spam we’ve seen is any indication, malicious spam we receive in 2012 will come in every available delivery method — email, social networks, IM — and continue to take every conceivable form: shipping confirmations, missed deliveries, reversed credit warnings, utility bills, credit card statements, complaints about you to the Better Business Bureau (whether or not you operate a business), online order confirmations from small boutique etailers, bank statements, electronic funds transfer rejection notices, poorly-spelled ‘friend notification’ emails from a wide variety of social networking sites. And yes, even I got drunk, had a stranger drive me home, but then the stranger got a ticket for running a red light, and now I need to find him contrivances. Seriously, who comes up with this crap?

The list just never seems to end. It’s getting ridiculous. The big question remains which infection method will take the crown: zipped malware attached to the messages, or links to malicious pages and driveby downloads. Right now the two distribution techniques are running neck-and-neck.

Is that your SCADA system hanging out there for everyone to see?

When people mention SCADA systems and security risks, many first think of attacks against secretive nuclear facilities in a hot desert. But SCADA systems don’t just control plutonium enrichment centrifuges. They control things as mundane as the hot water boilers in large steam heating systems, the electrical systems of large office buildings, and the telephone switches in hospitals and universities. They’re everywhere, all around us, and there are just a huge number of them wide open to the world, where people can simply poke at them until they break open the crown jewels.

‘Messing around’ is already happening, and the false alarm over the Springfield, IL water treatment plant should have served as a wake-up call. Even though the water system’s network had never been penetrated by outsiders, the idea of such a thing happening is well within the realm of possibility and edging ever closer to “actually happened” every day. If the operators of these systems, worldwide, don’t take immediate action to lock down the public Web interface to their SCADA-controlled devices, it could be only a matter of time before some sociopath decides to cause deliberate harm, shutting off a critical system in a time of need.

Smartphones, personal data, and malicious apps (oh my!)

I don’t want to leave my friends in the mobile world out of the fun list. The sheer volume of copycat Android malware coming out of, in particular, China is just astonishing. There are whole Markets hosted overseas just rippling with malicious badness, as well as ripoff artists on this side of the pond trying to scam whatever they can.

Here’s my Cool Story, Bro Android malware story for 2011: This year, I bought a cheapo knockoff Android tablet for research purposes; I won’t name the seller or manufacturer at this time. The tablet didn’t come with the Google Market installed. Instead it came with a link to some alternative market I’d never heard of. Literally every single app I downloaded (and I spent a few whole days just grabbing one file after another) asked for every conceivable permission upon installation. Every. One. Seven screens worth of descriptive text. The photo above a small number of those permission requests.

I don’t see this slowing down anytime soon, so take great care with anything you install to your smartphone (or even your cheapo tablet), especially if you’ve rooted or jailbroken it.

Someone in the office stumbled upon the domain name Firefox.io and passed the info along to me. Apparently, the person had mistyped the domain name of a Web site (one unrelated to Firefox), adding an additional character. The domain he ended up on was parked, registered but unused; However, one of the ads that loaded on the parked page opened a popunder ad, which redirected this person’s browser to a page on Firefox.io.

This is what he found. I dunno…looks bogus to me. It resembles a really, really out of date Firefox installer download page.

The .io top-level domain, by the way, belongs to the British Indian Ocean Territories, and its TLD is administered from a charming village in England. At least, that’s where they pick up their mail. Not so with Firefox.io.

I have no idea how many Indian Ocean Territories Web sites the Mozilla Foundation own, but I surmise that they would most likely register said domain to point to their business address in California, and not to some random apartment building with a foyer decorated to look like a two-story high shower stall, located in the Sinsing District of Kaohsiung City, Taiwan.

The icon for the executable I downloaded from there vaguely resembles the currently-released, legit Firefox installer, but it has no properties of any kind, let alone the digital signature that authenticates the genuine Firefox 8.0.1 installer. It is a generic NSIS installer package that anyone can unpack using UniExtract.

Upon execution, though, it’s clear that something is wrong here.

As soon as it executes, an installer for…RealPlayer?…fires up. That installer pulls down a 57KB file from the same firefox.io Web site. Something else downloads the current RealPlayer installer from Real’s legit server. If you cancel out of the installation process, as I did, the “Fakefox” installer launches another instance of the RealPlayer installer.

But it only does this twice, then quits trying.

Next, it gets an older installer (Firefox 7.0.1) from one of the Mozilla mirror sites

During the installation, I saw some other odd traffic. Apparently, the RealPlayer installer pulls down some components from Symantec. There was chatter with both liveupdate and stats.norton.com after those files came down the pipe.

So, what are we really seeing here? A rogue Real affiliate? The truth is, it’s unclear why the installer is such a vigorous pusher of anything-but-Firefox.

There isn’t much advice I can give other than to pay attention to what’s in your address bar. That’s what my coworker did, and it kept him from downloading something that turned out to be relatively benign, but still undesirable.