Hello and welcome to the CERTStation Podcast for the 27th week of 2010. I am Jay Johnson and these are the headlines:
Thousands of PCs so far have been attacked with a new Windows XP zero-day exploit (pause)
50 individuals have been arrested in a smartphone spyware dragnet, while
a presentation on ATM security has been dropped after legal threats (pause)
Researchers disclose a zero-day bug in Windows, and finally
Trojan writers target UK banks with botnets
And now for this week's newswire details.
Nearly a month after a Google engineer released details of a new Windows XP flaw, criminals have dramatically ramped up online attacks that leverage the bug. Microsoft reported that it has now logged more than 10,000 attacks. "At first, we only saw legitimate researchers testing innocuous proof-of-concepts," Microsoft said in a blog posting. "Then, early on June 15th, the first real public exploits emerged. Those initial exploits were targeted and fairly limited." In the past two weeks, however, attacks have picked up. The attacks, which are being launched from malicious Web pages, are concentrated in the U.S., Russia, Portugal, Germany and Brazil. Criminals are using the attack code to download different malicious programs, including viruses, Trojans and software called Obitel, which simply downloads more malware. The flaw that's exploited in all of these attacks lies in the Windows Help and Support Center software that comes with Windows XP. It was disclosed on June 10 by Google researcher Tavis Ormandy. This Help Center software also ships with Windows Server 2003, but that operating system is apparently not vulnerable to the attack.
(pause)
Romanian authorities have arrested 50 individuals accused of using off-the-shelf software to monitor cellphone communications of their spouses, competitors, and others, according to news reports.
The Romanian Directorate for Investigating Organized Crime and Terrorism also arrested Dan Nicolae Oproiu, a 30-year-old IT specialist who allegedly sold the spyware for as much as $580 over the internet. Officials claim his software was available for iPhone, BlackBerry, Symbian, and Windows Mobile handsets, and came in Light, Pro, and Pro-X versions that offered varying levels of service.
According to Softpedia, Oproiu's customers included businessmen, doctors, and engineers, in addition to a judge, a government official, a police officer and a former member of Parliament. They were rounded up earlier this week in simultaneous raids throughout the country. There is evidence that detective agencies and private investigators also illegally used the spyware.
The publication goes on to speculate that Oproiu was reselling FlexiSPY, a package that's long been marketed to people who want to catch cheating spouses, stop employee espionage, protect children, and bug meeting rooms. The Pro-X version allows a user to listen to calls in real-time, surreptitiously read SMS, call logs, and email, and convert the targeted phone into a remote bugging device that can secretly capture the sounds in its immediate vicinity.
(pause)
A planned presentation about ATM security at the Hack in the Box conference in Amsterdam last week was cancelled following legal pressure from vendors. Italian ethical hacker Raoul Chiesa intended to explain the vulnerabilities and security shortcomings that cyber criminals were using to break into ATMs as part of his Underground Economy presentation at Hack in the Box. However, this talk was cancelled at the last minute in favour of a presentation on Side Channel Analysis on Embedded Systems by Job de Haas. Oddly, Chiesa had given the cancelled presentation at other security conferences without incident. The slides were even available online. The talk focused on security flaws that have been well understood among banking security experts, if not among the general public, for years. It remains to be seen whether ATM vendors will once again move to block Jack's Jackpotting presentation this year. The software-based hack involves fooling ATM machines into spewing out more money than requested, an approach Jack himself compares to the cash machine hack carried out by John Connor in Terminator 2.
(pause)
An anonymous group of security researchers last week published information about an unpatched Windows bug, saying that they were disclosing the vulnerability because of the way Microsoft treated a colleague. The flaw in Windows Vista and Server 2008 could be used by attackers to gain unauthorized access to a PC or cause it to crash. Microsoft downplayed the threat, saying that the vulnerability required an attacker to have physical access to the computer or to have compromised it with another exploit. More intriguing than the vulnerability or its public disclosure, both of which are commonplace with Windows, was the declaration that began the message posted July 1 to the Full Disclosure security mailing list. The name of the group is a poke at the Microsoft Security Response Center, the group responsible for investigating vulnerabilities, which also goes by the acronym MSRC. Microsoft confirmed it was investigating the bug, but said the risk to users was minimal. "Our initial analysis of the Proof-of-Concept code supplied has determined that an attacker must be able to log on locally or already have code running on the target system in order to cause a local Denial of Service," said Jerry Bryant, a group manager with the company's MSRC, in an e-mail late Monday.
(pause)
Cyber-criminals are building country-specific botnets to target UK bank customers with dedicated malware, security company Trusteer has reported. The company identifies two pieces of malware, the previously undetected Silon version 2 and the longer-established Agent DBJP, as the two banking Trojans being distributed by Zeus-based botnets using UK-infected PCs. Silon version 2 now affects 1 in every 500 UK-based PCs connected to the Trusteer Flashlight system, 40 times the detection level for the US, with Agent DBJP affecting 1 in every 5,000 UK-based PCs, again far higher than for the US. It's not clear whether these detection rates are partly a quirk of the Trusteer customer base, but it is clear that country-specific malware is now a defined strategy for the banking Trojan botnets, with the UK high on the hit-list. Although country-specific malware can apply to any country, the motivation for attacking banks and their customers in this way is to make detection harder: global Trojan campaigns are simply easier to spot.
If you enjoyed this podcast, why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime, this is your host Jay Johnson wishing you a safe and secure week.