Threat Weekly – A Situational Awareness Report from our Technical Security Team

Facebook said it has rid its site of most of the pornographic and violent images posted as part of a spam attack. The social network blamed a browser vulnerability and said it was improving its systems to defend itself against similar attacks in the future. Thousands of the website's 800 million users have complained about the pictures over recent days. A source told the BBC that Facebook knew who was responsible - and it was not an Anonymous hacktivist. The firm is understood to be working with its legal department to take action against the suspected attacker.

Facebook said the spam attack worked via a "self-XSS vulnerability in the browser". It added: "During this attack, users were tricked into pasting and executing malicious javascript in their browser URL bar causing them to unknowingly share this offensive content.”No user data or accounts were compromised during this attack." The firm said its engineers had built enforcement mechanisms to shut down malicious pages and accounts that attempt to exploit the vulnerability. It also offered the following advice to help guard against further attacks:

• Never copy and paste unknown code into the address bar
• Always use an up-to-date browser
• Use the report links on Facebook to flag suspicious behaviour or content on friends' accounts

Facebook allows children above the age of 13 to be members, and polices a ban against inappropriate images. However, security experts said it was difficult for the firm to respond to this threat, bearing in mind it exploited a vulnerability in an unnamed web browser rather than the site itself. They also said that the attack was very unusual because most other scams on the social network are designed to deliver a financial payout. "This seems to be a purely malicious act. Facebook has a reputation for maintaining a reasonably family-friendly environment," wrote Chester Wisniewski, a senior security advisor at Sophos, on his company's blog. "Hopefully whichever browser it is that has the flaw will provide a fix ASAP, but as we know most people are slow to apply updates regardless of which browser they use (except Chrome)." "The flaw being exploited could likely be used against other sites as well if users can be tricked into pasting malicious JavaScript into the browser."

• http://www.bbc.co.uk/news/technology-15753549
• http://nakedsecurity.sophos.com/2011/11/16/facebook-explains-pornographic-shock-spam-hints-at-browser-vulnerability/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29

Source: http://bbc.co.uk

The FBI has unsealed a federal indictment that includes details of the two-year FBI investigation called Operation Ghost Click, as announced today in New York. The article describes the arrest of six Estonian nationals who have been charged with "running a sophisticated Internet fraud ring that infected millions of computers worldwide with a virus and enabled the thieves to manipulate the multi-billion-dollar Internet advertising industry."

This cybercrime ring used "DNSChanger to redirect unsuspecting users to rogue servers controlled by the cyber thieves, allowing them to manipulate users’ web activity."

The DNS Changer Working Group (DCWG), with cooperation from SANS handlers, will be publishing more details soon as they have been closely monitoring this class of malware. As you may well be aware, several different malware families modify DNS to redirect customer traffic in the past, including Zlob and others. This particular version uses TDSS and possibly other malware; while it has been installed in many different ways, it isn't a single malware, but more a class of malware that exhibits certain characteristics.

The FBI put up a website where people can check if their computer is infected: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

• http://www.scmagazineus.com/fbi-arrests-six-in-click-fraud-cyber-scam-that-netted-14m/article/216399/
• http://www.informationweek.com/news/security/attacks/231902762
• http://www.v3.co.uk/v3-uk/news/2124002/trend-micro-fbi-claim-landmark-cybercrime-bust
• http://www.theregister.co.uk/2011/11/09/dns_malware_scam
• http://www.h-online.com/security/news/item/Operation-Ghost-Click-FBI-busts-DNSChanger-botnet-1376746.html
• http://www.wired.com/threatlevel/2011/11/14-million-clickjack-scheme
• http://www.computerworld.com/s/article/9221699/Feds_lead_biggest_botnet_takedown_ever_end_massive_clickjack_fraud

Source: Internet Storm Centre: https://isc.sans.edu/diary.html?storyid=11986

The creators of the Duqu malware that penetrated industrial manufacturers in at least eight countries tailored each attack with exploit files, control servers, and booby-trapped Microsoft Word documents that were different for each victim, according to research published on Friday.

What's more, two of the drivers the sophisticated, highly modular rootkit used in one attack showed compilation dates of 2007 and 2008, Alexander Gostev, the Kaspersky Lab expert and author of the report said. If the dates are genuine, they suggest the Duqu architects may have spent the past four years developing the malware.

Like forensics investigators combing through a homicide scene for the tiniest scraps of evidence, security researchers around the world are examining every email and computer file associated with Duqu for clues about who created and for what purpose. They have yet to establish a direct link to the Stuxnet worm that was unleashed to sabotage uranium-enrichment plants in Iran, but the aggregate picture of Duqu that's emerging is that like Stuxnet, it was painstakingly developed by a world-class team of disciplined and well-financed engineers.

The Duqu version examined in Friday's report was recovered by the Sudan Computer Emergency Response Team from an undisclosed company that the attackers targeted in advance. Like attacks on other targets, it was launched using a booby-trapped Word document with content that was tailored to the receiving organization and exploited a previously unknown vulnerability in the kernel of all supported versions of Microsoft Windows. The first attempt at infection in the incident studied by Kaspersky failed because the email containing the Word document wound up in a spam folder. On May 21, four days after the first email was sent, the attackers tried again with a slightly modified message. Both the subject line and the title of the attached file referenced the targeted company specifically. Interestingly, the DLL file that served as the Trojan’s main module was dated April 17, the same day as the first attempt to infect the target.

When the recipient of the second email opened the Word document, a malicious payload immediately hijacked the computer, but sat dormant for about 10 minutes, Gostev said. The exploit didn't actually install the spy components until the end user went idle. The infected computer used a command and control server researchers have never seen before. So far, investigators have identified at least four such servers, and each one was used to send and receive data from only one target.

In late May, a second computer in the attack examined by Kaspersky was infected over the targeted company's local network. Gostev didn't say how the Duqu infection was able to spread. Separate research from Symantec has suggested the malware is was able to spread across networks through SMB connections used to share files from machine to machine. For all the skill and care the attackers took, they also showed an intriguing sense of humour. The malicious Shellcode for their exploit was embedded in a fictitious font called “Dexter Regular,” and contained the line “Copyright (c) 2003 Showtime Inc.” The hidden message is an obvious reference to the Dexter television series, which depicts a ritualistic serial killer who works as a crime-scene investigator for the Miami Police Department. “This is another prank pulled by the Duqu authors,” Gostev wrote.

• http://www.computerworld.com/s/article/9221760/Hackers_may_have_spent_years_crafting_Duqu?taxonomyId=85

Source: http://www.theregister.co.uk/2011/11/11/duqu_analysis

A French court handed disgraced former U.S. cyclist Floyd Landis a suspended one-year jail sentence for his part in a cyberespionage scheme against the anti-doping laboratory that proved he cheated at the 2006 Tour de France.

The sentence is another layer of shame for the 2006 Tour de France winner, who was subsequently stripped of the title after the Chatenay-Malabry lab in France found excessive levels of testosterone in his blood. Much like that scandal, which rocked the international sports community, the events that put Landis and his former coach Arnie Baker in their current predicament read like a made-for-TV thriller.

The case, Cycling News reported, starts in November 2006, several months after that year's Tour de France had concluded. The anti-doping lab contacted police after discovering that someone had used a Trojan horse to put spyware on the lab's computer network. During the hack, which was traced back to Landis' coach, information from Landis' file was taken, which the cyclist used in a bid to clear his name and reputation by showing sports authorities that he had been clean all along and the lab work had been flawed. Baker was given the same sentence as Landis.

Last year, Landis finally admitted to doping after years of denials. The story could very well end here, but the international hacking plot extended beyond Landis and Baker, and ultimately implicated three other defendants.

French authorities in 2009 arrested hacker Alain Quiros, a French national living in Morocco, for hacking into the Chatenay-Malabry lab. Quiros said he'd been paid a few thousand dollars to infiltrate not just the anti-doping lab's system, but also the networks of several other European corporations including Greenpeace France, all on the orders of Thierry Lorho, a former French government secret agent and head of the Paris-based investigative firm Kargus Consultants.

Lorho, prosecutors said, passed the stolen files — Landis' included — to former paratrooper Jean-Francois Dominguez, who then handed them off to another person, who has not yet been identified. The stolen and forged files made their way from this final person to the media, and formed the basis for Landis' plea to clear his name for the Tour de France disqualification.

Quiros was given a two-year prison sentence, 18 months of which will be suspended, and ordered to pay a fine of $4,000 euros. The court gave Lorho a three-year sentence, two of which will be suspended, and ordered him to pay a $4,000 euro fine.

• http://www.theregister.co.uk/2011/11/12/floyd_landis_sentenced
• http://www.cyclingnews.com/news/landis-convicted-in-hacking-case
• http://www.npr.org/blogs/thetwo-way/2011/11/10/142211319/french-court-convicts-cyclist-floyd-landis-in-hacking-of-doping-lab
• http://www.usatoday.com/sports/cycling/story/2011-11-10/floyd-landis-convicted/51152204/1

Source: http://www.securitynewsdaily.com/floyd-landis-hacking-doping-1330

The full scale of phone hacking at News International, Britain's largest and most powerful newspaper group finally began to emerge on Monday when the Leveson inquiry into press standards heard that 28 of the company's staff are named in notes seized from a private investigator who specialised in the practice.

On a dramatic opening day at the high court in London, Robert Jay QC, counsel for the inquiry, said evidence held by the Metropolitan police for five years showed "at least 27 other NI employees", in addition to the former News of the World royal editor Clive Goodman, appear in notes taken by Glenn Mulcaire. Goodman and Mulcaire were jailed for intercepting voicemails in January 2007.

The suggestion that the identities of more than two dozen NI staff were scribbled in the margins of Mulcaire's notes is the clearest indication yet that journalists at the company engaged in the practice systematically. "This fact alone suggests wide-ranging, illegal activity within the organisation at the relevant time," Jay said.

The evidence has been in police possession since it was seized in a 2006 raid on Mulcaire's offices.

• http://edition.cnn.com/2011/11/14/world/europe/uk-phone-hacking-scandal/

Source: http://www.guardian.co.uk/media/2011/nov/14/phone-hacking-news-international-staff-named?newsfeed=true

Energy Company EDF has been fined €1.5m (£1.3m) for hacking into the computer systems of environmental campaign organisation Greenpeace.

Two high-ranking EDF employees were given prison sentences on Thursday for hiring investigators to hack into Greenpeace systems in France, Greenpeace said in a blog post on Thursday. "The evidence presented at the trial showed that the espionage undertaken by EDF in its efforts to discredit Greenpeace was both extensive and totally illegal," Greenpeace UK's executive director, John Sauven, said in the blog post. "The company should now give a full account of the spying operation it mounted against its critics."

Investigators from private detective agency Kargus Consultants hacked into Greenpeace systems in 2006 looking for plans concerning a campaign against new EDF nuclear power plants, a French court found.

• http://www.zdnet.co.uk/news/security-threats/2011/11/11/edf-greenpeace-hack-leads-to-13m-fine-and-jail-40094402/?s_cid=165

Source: http://www.zdnet.co.uk/

A flaw in an update to the Juniper software that runs large routers that Juniper supplies to ISPs caused a widespread Internet outage - disabling large segments of the Internet. The outage appears to have originated early Monday following a set of updates to a core Internet routing protocol [BGP] triggered a software glitch in some of Juniper's routers. When those routers crashed, key Internet pathways went down with them.

That "event" took down systems big and small. Many BlackBerry users -- already skittish from last month's widespread outage -- found their devices temporarily knocked offline. BlackBerry maker Research in Motion was quick to point out that its systems weren't to blame, citing "a global Internet issue."

• https://isc.sans.edu/diary.html?storyid=11965
• http://money.cnn.com/2011/11/07/technology/juniper_internet_outage/?hpt=hp_t3

Source: www.cnn.com

In a Monday court filing, Warner Brothers admitted that it has issued takedown notices for files without looking at them first. The studio also acknowledged that it issued takedown notices for a number of URLs that its adversary, the locker site Hotfile, says were obviously not Warner Brothers' content.

Hotfile has been locked in a legal battle with Hollywood studios since February; the studios accuse the site of facilitating copyright infringement on a massive scale. Hotfile counters that it is immune from liability for the infringements of its users because it complies with the notice-and-takedown procedures established by the Digital Millennium Copyright Act. But Hotfile has also tried to turn the tables by arguing that one of the studios, Warner Brothers, has itself violated the DMCA by issuing bogus takedown requests.

The studio also "admits that it did not (and did not need to) download every file it believed to be infringing prior to submitting the file's URL" to the Hotfile takedown tool. That's because "given the volume and pace of new infringements on Hotfile, Warner could not practically download and view the contents of each file prior to requesting that it be taken down."

• http://arstechnica.com/tech-policy/news/2011/11/warner-admits-it-issues-takedowns-for-files-it-hasnt-looked-at.ars
• http://arstechnica.com/tech-policy/news/2011/02/mpaa-sues-hotfile-for-copyright-infringement-on-a-staggering-scale.ars

Source: www.arstechnica.com