
SANS OUCH! Volume 6, Number 3, March 2009

In This Issue
1. Consumer Awareness: Botnets
2. Scams and Hoaxes
3. Microsoft and Apple Security Updates
4. Security Newsbytes

1. Consumer Awareness: Botnets

What is a botnet?
Computers that are taken over by secret, hidden software planted by spammers and scammers often become part of a robot network, known as a “botnet” for short. A botnet, also known as a “ army,” is usually made up of tens to hundreds of thousands of home computers sending emails by the millions. Computer security experts estimate that most spam is sent by home computers that are controlled remotely by their criminal masters, and that millions of these home computers are part of botnets.

How do botnets get started?
Criminals install hidden software on your computer in several ways. First, they scan the Internet to find computers that are unprotected, and then install software through those “open doors.” Spammers may send you an email with attachments, links or images which, once you click on or open them, will install hidden software. Sometimes just visiting a website or downloading files may cause a “drive-by download,” which installs malicious software that could turn your computer into a “bot.” The consequences can be more than just annoying: your Internet Service Provider (ISP) may shut down your account if your computer is detected sending out spam.

How can I tell if my computer is part of a botnet?
It can be difficult to tell if a spammer has installed hidden software on your computer, but there are some warning signs.
- You may receive emails accusing you of sending spam.
- You may find email messages in your “outbox” that you didn’t send.
- Your computer may suddenly operate more slowly or sluggishly.
- Programs that used to run on your computer no longer run.
- Your hard drive is spinning (making a noise) when you are not using your computer.
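The warning signs above are what a user sees. The signal an ISP or a home router log shows is different: a spam bot delivers mail directly to many different mail servers on port 25, while a normal home PC submits mail to one or two servers belonging to its own provider. The script below is an added example, not part of the newsletter, that runs that check over a constructed connection log. The log format (`src=`, `dst=`, `dport=`, `proto=` fields) and the threshold of three distinct mail servers are assumptions; destination addresses are taken from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample of an outbound-connection log, in a format assumed here
# for illustration (a home router or firewall export). Host 192.168.1.23
# fans out to many port-25 servers in a few seconds, the pattern of a bot
# sending spam directly; host 192.168.1.40 submits mail to a single
# provider server on port 587, which is normal client behaviour.
SAMPLE_LOG = """\
2009-03-02T03:14:07 src=192.168.1.23 dst=203.0.113.10 dport=25 proto=tcp
2009-03-02T03:14:08 src=192.168.1.23 dst=203.0.113.11 dport=25 proto=tcp
2009-03-02T03:14:08 src=192.168.1.23 dst=198.51.100.7 dport=25 proto=tcp
2009-03-02T03:14:09 src=192.168.1.23 dst=198.51.100.8 dport=25 proto=tcp
2009-03-02T03:14:09 src=192.168.1.23 dst=192.0.2.44 dport=25 proto=tcp
2009-03-02T03:14:10 src=192.168.1.23 dst=192.0.2.45 dport=25 proto=tcp
2009-03-02T03:14:11 src=192.168.1.23 dst=192.0.2.46 dport=25 proto=tcp
2009-03-02T03:14:12 src=192.168.1.23 dst=203.0.113.12 dport=80 proto=tcp
2009-03-02T09:01:15 src=192.168.1.40 dst=198.51.100.25 dport=587 proto=tcp
2009-03-02T09:01:16 src=192.168.1.40 dst=198.51.100.25 dport=587 proto=tcp
2009-03-02T09:05:00 src=192.168.1.40 dst=203.0.113.12 dport=443 proto=tcp
"""

# One regular expression for the assumed log line layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            rec = match.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def smtp_fanout(records, port=25):
    """Map each source host to the set of distinct hosts it contacted on `port`."""
    fanout = defaultdict(set)
    for rec in records:
        if rec["proto"] == "tcp" and rec["dport"] == port:
            fanout[rec["src"]].add(rec["dst"])
    return fanout


def flag_spam_bots(records, max_distinct_mail_servers=3):
    """Return the source hosts whose port-25 fan-out exceeds the threshold.

    The threshold is an assumed value: a home PC that only ever talks to its
    provider's mail server never reaches it, while a bot delivering spam to
    many recipients' mail exchangers exceeds it within seconds.
    """
    fanout = smtp_fanout(records)
    return sorted(
        src for src, dsts in fanout.items() if len(dsts) > max_distinct_mail_servers
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src in flag_spam_bots(recs):
        servers = smtp_fanout(recs)[src]
        print(f"{src}: contacted {len(servers)} distinct mail servers on port 25")
```

Run as a script it prints a line for 192.168.1.23 and nothing for 192.168.1.40. The same idea is how an ISP notices a spam-sending customer, which is why the newsletter warns that your account may be shut down: the bot's traffic is visible from outside even when the infected PC looks normal to its owner.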

What should I do if I think my computer has been botnetted?
- Take action immediately.
- Disconnect your computer from the Internet right away.
- Have your entire computer scanned by a knowledgeable computer professional. If botnet software is found, it will probably require restoring your computer to the state it was in when it came from the factory. (You DO have backups of your important files, don't you?)
- Report any verified tampering with your computer to your Internet Service Provider (ISP).
- Change your passwords immediately. If you need help, call the company or service on the phone.


What can I do to prevent botnetting?
Botnets are not inevitable. You can help reduce the chances of your computer becoming part of a botnet by:
- Using anti-virus and anti- software and keeping it up to date.
- Setting your operating system to download and install security patches automatically.
- Being cautious about opening or downloading email attachments.
- Using a to protect your computer from hacking attacks.
- Disconnecting your computer from the Internet when you’re away from it.
- Checking your “sent items” or “outgoing” mailbox for messages you did not intend to send.

More information:
http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt132.shtm
VIDEO: http://www.youtube.com/watch?v=BRhauoXpNSs
http://www.msisac.org/awareness/news/2007-09.cfm

2. Scams and Hoaxes

Federal Wire Transfer Phishing Scheme
Bogus emails claiming to be from the Federal Reserve Bank say that a number of banks and credit unions have been affected by a “large-scale phishing attack,” which has prompted the Federal Deposit Insurance Corporation (FDIC) and the U.S. Treasury Department to apply restrictions to all Federal wire transfers. The messages urge recipients to click a link, supposedly to open a website that provides more detailed information about the restrictions. But the emails are not from the Federal Reserve Bank; they are designed to trick users into clicking links to a bogus web page that attempts to download malicious programs onto the user's computer. Fedwire services have not been restricted and are operating normally.
More information: http://www.fdic.gov/news/news/SpecialAlert/2009/sa09020.html

U.S. Customs and Border Protection Scam
Criminals have sent out scam emails purporting to be from W. Ralph Basham, the Commissioner of U.S. Customs and Border Protection. While W. Ralph Basham really is the Commissioner of U.S. Customs and Border Protection, neither he nor any other staff member at the agency is responsible for the email. The scammers have simply added the Commissioner's name and the name of the agency to the email in the hope that their claims will seem legitimate. Once the potential victim responds and has taken the bait, the scammers begin to reel him in by claiming that a large consignment of cash is his for the taking if only he will pay an upfront fee of $250 for an “Origin of Funds Certificate.” But the supposed cash consignment does not exist, and the scammers may also try to extract confidential personal and financial data from the victim with the aim of stealing his or her identity.
More information: http://www.hoax-slayer.com/customs-border-protection-package-scam.shtml

President Obama Approves Palestinian Resettlement in US
An e-mail containing an article titled “Obama Decrees: Massive Immigration of Hamas Refugees from Gaza To U.S.” has been circulating, falsely attributed to CNN's Lou Dobbs. According to this protest message, President Barack Obama signed a Presidential Determination allowing “hundreds of thousands of Palestinians” to resettle in the United States. It claims that the Presidential Determination appeared in the Federal Register on February 4, 2009. The message questions the wisdom of the decision, and complains that many people who support Hamas and extremist tactics will be allowed to move to the US and will even be provided with housing and food allowances. But President Obama has not authorized resettlement of Palestinians to the US, and the claims in the message are untrue.
More information: http://www.wnd.com/index.php/index.php?fa=PAGE.view&pageId=89032

McDonald's Survey Scam
According to this email, the recipient will be rewarded with an $80 cash bonus from McDonald's just for filling out a very short and simple web-based “Customer Satisfaction Survey.” The message instructs recipients to click a link included in the email to participate in the survey. But the email is not from McDonald's, and the survey and the promised bonus are entirely bogus: a ruse designed to fool victims into submitting their credit card information to Internet criminals.
More information: http://idtheft.about.com/b/2009/02/21/warning-mcdonalds-survey-email-is-phishing.htm

3. Microsoft and Apple Security Updates

Microsoft and Apple provide free security updates for their software products.

Windows: Microsoft issues patches for all Microsoft products on the second Tuesday of each month, as well as out-of-cycle patches on any day of the month. The next scheduled release date is March 10th. Check manually too, once every two weeks, to make sure all of the updates have been installed.
More information: http://www.microsoft.com/athome/security/default.mspx

OS X: Updates are issued frequently, and their contents may differ depending on which processor is in your Mac (PPC or Intel).
More information: http://www.apple.com/support/downloads/

iPhones & iPods: Must be updated manually.
http://docs.info.apple.com/article.html?artnum=305744
http://support.apple.com/kb/HT1483

4. Security Newsbytes

“Tigger” Trojan Targets Stock Traders
A relatively unknown data-stealing Trojan horse program has claimed more than a quarter-million victims in the span of a few months. Equipped with a virtual invisibility cloak and a host of tricks designed to prevent its detection, Tigger exploits a known, previously patched vulnerability in Windows and appears designed to target mainly customers or employees of stock and options trading firms at E-Trade, ING Direct ShareBuilder, Vanguard, Options XPress, TD Ameritrade and Scottrade. Tigger starts by removing a long list of other malicious software titles, most likely because the in-your-face “Hey, your-computer-is-infected-go-buy-our-software!” alerts generated by such programs might tip off the victim that something is wrong. Then it installs a set of tools designed to allow malware authors to better hide their creations, so that they are extremely stealthy and difficult to remove. It is not clear how Tigger is spreading.
More information: http://voices.washingtonpost.com/securityfix/2009/02/the_t-i-double-guh-r_trojan_ic.html?hpid=sec-tech

Koobface Variant Invades Facebook and MySpace
Facebook, MySpace and other social networking communities are under attack by a new strain of the Koobface worm, which spreads by tricking users into responding to a message, apparently sent by one of their friends, that invites the recipient to click on a link and view a video at a counterfeit YouTube site. Visitors are told they need to install a bogus Adobe Flash plug-in to view the video. The bogus plug-in installs a Trojan horse program that gives the Koobface author(s) control over the infected user's computer, hijacks the victim's social networking account and uses it to send out additional invites to spread the worm to the victim's friends and contacts. The worm currently is spreading across other social networks, including hi5.com, friendster.com, myyearbook.com, bebo.com, and livejournal.com.
More information: http://voices.washingtonpost.com/securityfix/2009/03/koobface_worm_resurfaces_on_fa.html

University of Florida Admits to Third Data Breach in Three Months
The University of Florida in Gainesville has disclosed that a breach discovered in January exposed personal data on 97,200 students, faculty and staffers who attended or worked at the school between 1996 and 2009. The latest breach involved servers that hosted free email services and online course offerings for faculty members, as well as websites for fraternities and sororities. Hackers accessed names and Social Security numbers. The University is notifying those affected by the breach, but does not have current contact information for about 5,000 potential victims. Meanwhile, the school said in November that the names, birth dates, Social Security numbers and addresses of more than 330,000 current and former College of Dentistry patients had been exposed in a computer intrusion discovered on October 3, 2008. An undated statement now on its website says a configuration error in the school's online directory service opened a path for hackers to access personal information for about 100 people.
More information: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=335087&intsrc=news_ts_head

*********************
Copyright 2009, SANS Institute (http://www.sans.org)
Editorial Board: Bill Wyman, Alan Reichert, Walt Scrivens, Barbara Rietveld, Alan Paller.
Permission is hereby granted for any person to redistribute this in whole or in part to any other persons as long as the distribution is not being made as part of any commercial service or as part of a promotion or marketing effort for any commercial service or product. We request that redistributions include attribution for the source of the material.
Readers are invited to subscribe for free at https://www.sans.org/newsletters/ouch.
