Web Threats

10 posts
ZeroAccess updated version released

How ZeroAccess manages to install itself on a target machine
  http://blogs.mcafee.com/mcafee-labs/zeroaccess-rootkit-launched-by-signed-installers

Analysis of ZeroAccess

Countering ZeroAccess - finding its Achilles Heel

Look out for the latest McAfee blogs at http://blogs.mcafee.com/mcafee-labs.  They're one of McAfee's better-kept secrets.

There isn't much to say about this except that the analysis is thorough and, as expected, shows unpatched Java installations to be responsible for allowing 60% of successful exploits using this Exploit Kit.


Read the document at http://www.secniche.org/papers/VB_2011_BRW_EXP_PACKS_AKS_RJE.pdf

There are a couple of articles at InfoWorld and one by Brian Krebs about PwnedList which are worth reading. Once you've read them, you won't be able to resist going to the PwnedList site to check your email address(es) to see if you too are on the list of 12 million+ addresses and logon IDs which have been stolen and spread around the web. Unless you spend a lot of time on Pastebin you won't realise just how many have been uploaded there, for a start. It's a free service, so why not use it?


From http://www.infoworld.com/t/hacking/how-find-out-if-your-email-address-has-been-compromised-177847 :


Ever had a sneaky suspicion that somebody, somewhere has cracked your email account?


A handful of researchers at well-known security firm HP/TippingPoint DVLabs spend their spare time looking for publicly posted lists of cracked email addresses. They've also written programs that comb repositories of dumped stolen data, including Pastebin. Their collection has grown to 5 million known compromised accounts, and it's growing daily.


If you're curious to see if your email address or username has appeared on any of those clandestine lists, drop by PwnedList and see if your email address has appeared on any of the lists DVLabs has accumulated.


The follow-up article is directed more at corporate users. The PwnedList people now offer a subscription service (Domain Monitoring and Alerting Service): sign up, and if an email address or ID from that domain appears anywhere in a stolen list they will send you an alert. The same service is also available to individuals, at $1 a day for a single email address.


More about this at http://www.infoworld.com/t/identity-management/have-any-of-your-corporate-accounts-been-compromised-189255

What exactly is the Russian Business Network, and what activities is it involved in?


For an answer see http://en.wikipedia.org/wiki/Russian_Business_Network and the list of site links at http://www.spamhaus.org/rokso/listing.lasso?file=1071


Noted for continuously hosting child pornography, malware, phishing and cybercrime. Provides "bulletproof hosting" but is probably involved in the crime, too. Said to pay well for upstream connectivity. Also known as, or closely related to, "SBT Telecom Network", "Russian Business Network", "Aki Mon Telecom", "Rusouvenirs Ltd.", "Too coin Software Limited", and "TcS Network". (Spamhaus)

The RBN has been described by VeriSign as "the baddest of the bad". It offers web hosting services and internet access to all kinds of criminal and objectionable activities, with individual activities earning up to $150 million in one year. Businesses that take active stands against such attacks are sometimes targeted by denial of service attacks originating in the RBN network. RBN has been known to sell its services to these operations for $600 per month.  (Wikipedia entry)


This list is a snapshot of sites serving malware or strongly suspected of being involved with malware. It dates from June 1st 2011 and can be found at

http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RBN_IP_List_Update_6-1-2011.txt


If for any reason the site is unavailable a copy of the list is appended here. If you come across a URL or IP address that appears to be linked to a PC infection, look here to see if it is listed; some of the entries contain additional information about the type of malware exploit that the site delivers. See the excerpt below for a few examples.


virusprotection24.com            fake anti-virus     IP address previously listed, Zeusv2
symantecantispywareupdate.com    fake anti-virus
75ea.com                         trojan
forbidden-erotica.com            Blackhat Domains


The list and above link are taken from a post by Brian Krebs, whose security blogs can be found at http://krebsonsecurity.com/

Have a look at this Microsoft Update notification, captured in a screenshot. Can you spot what's wrong with it?

[Screenshot: microsoft-update-big.jpg]


It took me a moment to spot it, and I already knew that this was a fake. Hint: look at the browser.


That's right: this window came up in a Firefox browser session. And Microsoft Update always uses Internet Explorer.


If this happens to you, DO NOT CLICK on anything. Kill the tab, or the browser session. If you click on it what you get is a download of a fake antivirus program, which could be alarming if you were already expecting the Malicious Software Removal Tool to download and run.

Notably, this scareware represents a breed of malware that detects the user agent strings in Web browsers, then adapts itself accordingly to better target its victims. Sophos reported recently about a similar scareware app that determines whether a user is running Firefox or Internet Explorer. Users running Firefox get a fake Firefox security alert, warning of various viruses. Internet Explorer users, by contrast, get a My Computer dialog that feigns a system scan inside the browser window.


Whoever released this into the wild made one small mistake in checking for the user agent string, which has given the game away.


The golden rule is, as always: if you weren't expecting it, don't click on it. It's always safer to go to the official website to get any updates or downloads.


Thanks to Sophos, InfoWorld and WinCert for picking up on this. The scareware authors are getting more professional, so we can expect more like this but even better.

The TrustedSource Web Database Reference Guide is a very informative document.


To access it, please go to: http://www.trustedsource.org/download/ts_wd_reference_guide.pdf


This document lists all category definitions. When we review the content of a web site, we make every attempt to adhere to our category definitions.


If you would like to submit a web site for review, please go to Trustedsource.org.

You can register for an account by going to: https://www.trustedsource.org/en/home/register

This is very easy to do. If you have a question for us, please send an email to sites@mcafee.com

Tax Season is almost complete.


Here is a phishing site we ran across claiming that the user will be getting a refund of $990.55 and asks for user's personal information.

It asks for the user's social security number, date of birth, driver's license, address, and phone number and claims that the refund will be credited to a credit card.




Did you know that the IRS rounds all refunds to the nearest dollar and doesn't issue refunds for cents, such as $990.55?


Did you notice that the site was hosted under a domain name with a top-level domain of ".de" (Germany)? The US government certainly would not host a website in a foreign country.


And as a technical note, the real IRS website does not use PHP pages to serve content. It uses JSP pages.


A quick search on the Internet for $990.55 and IRS Phishing results in quite a few hits, which means that this scam was probably profitable enough in previous years for the scammers to try it again this year.

Quick, think of your credit card number.


Can you remember any of the numbers without looking at the card?


Chances are if you could not remember all of them, you either remembered the first few numbers or the last few.


I think most people have seen the privacy technique of masking out a social security number or credit card number by hiding digits with an “X”, like XXX-XX-1111.  Here is an interesting phishing site we encountered that tries to convey a false sense of privacy and security by hiding credit card digits to make the user trust the site that really is phishing for personal information.



Did you know that the first digit in your credit-card number signifies the system:


     3   Travel/entertainment cards (such as American Express and Diners Club)
     4   Visa
     6   Discover Card


As you can see, this site targets Visa card holders.


Someone who casually accesses the site and isn’t paying attention might be fooled into thinking that the site is legitimate should they have a Visa card.


According to 2006 data, 44% of all credit cards issued would start with a "4" as Visa held a 44% market share.

General Internet Safety Tips:


The internet is a great resource for everyone. Whether used for business purposes, in schools or in our homes, the internet provides us with some excellent resources and for many it has become an invaluable tool.  It has changed how information is collected and distributed.
There are also many risks involved when accessing the internet. Many users access the internet for the same reasons as you and I do, for practical and legitimate purposes.
Some use the internet to gain access to the personal information of others.


The risks are many: phishing attempts to get your account information by pretending to be from your financial institution or the IRS; scams asking you to send money in order to receive "your inheritance" or another monetary reward; fake emails pretending to be from a social networking site, asking the recipient to reset their password for security purposes using a provided link.
There are scammers pretending to be someone you know on a social networking site, asking if you can help out with money because of an emergency.


Some scammers use tragedies such as the Haiti Earthquake pretending to be a not for profit organization, or use events such as March Madness or The Olympics to make users click on certain links.
Other risks can come from downloading free products promising to provide internet security or software updates for your system.


Some scams are easier to recognize as fake than others:
As in the examples below, the first two are fairly obvious, but for the "paypal" related email it is harder to tell at first glance that it may not be legitimate.
When receiving any such email, please remember that financial institutions do not ask for your account information and/or password via email. Neither does the IRS.
By using scare tactics that your account is put on hold unless you contact them, the scammers try to intimidate the recipient into providing this information, promising that this will make the user's account "safe".
Another clue is if an email or web site contains “typos” or bad grammar. These are all indications that the information is not what it claims to be.




Example 1:

"My Dear Good Friend


My name is Mr.Hamilton J. Williams.  I work with well known reputable bank in  Ghana as a Audit Account clerk in the Ashanti Region of Ghana.
As an audit account clerk in the bank, I have access to a lot of documents because I handle some of the bank's sensitive files. On my course of duty recently I discovered $7.820 Million United States Dollars in our bank's escrow call account with no beneficiary. That means my bank has lost record of its owner. I can give you information of the account and put in your name in the account details as the beneficiary/next-of-kin of the account. So you can contact them and tell them you are the beneficiary of the money so they should transfer it to your country's account.


My bank will believe you because your proof is your ability to know the account details and with your name already in the bank's record as a beneficiary they will transfer this amount without questioning.
After you get the money, we will share in the ratio 60% to me and 40% to you simple. It is a straight forward deal. Meanwhile I demand that you keep this transaction very Private and confidential in view of our personal
involvement. Full details of the processes for the claim will be provided as soon as I receive your response and
acceptance to be part of this transaction. I expect the immediate indication of your interest by emailing my private address above e-mail
Thanks for your understanding and co-operation.


I remain Respectfully yours,
Mr. Hamilton J. Williams."


Example 2:


"Your kind Attention: Call me at  for more information. My Name Is Mr. Uche Hansome. I Am The 2010 Appointed Pay Master General Of Central Bank Of Nigeria. This Is To Notify You That Your Over Due Inheritance Funds worth US$10.5M Has Been Gazzeted To Be Released To You Via The Foreign Remmitance Department Of Our Bank. Meanwhile, A Woman Came To My Office Few Days Ago With A Letter, Claiming To Be Your Representative And Sent By You. If she is not your reprsentative or sent by you, kindly respond immediately reconfirming to me the following details to avoid any mistake. Full name; Full residential contact address; Direct telephone number number; Age and current occupation; Copy of your identification if available.However, We Shall Proceed To Issue All Payments Details To The Said Mrs.Barbara Kleihans If We Do Not Hear From You Within The Next Three Working Days From Today. Await for your prompt response You. Regards,Mr. Uche Hansome"


Example 3:

"Hello (name erased),


As part of our security measures, we regularly screen activity in the PayPal
system. We recently contacted you after noticing an issue on your account.


We requested information from you for the following reason:


A recent review of your account determined that we require some additional
information from you in order to provide you with secure service.


Case ID Number: PP-955-365-537


This is a second reminder to log in to PayPal as soon as possible. Once you log
in, you will be provided with steps to restore your account access.


Be sure to log in securely by using the following link:
Click here to login and restore your account access


Once you log in, you will be provided with steps to restore your
account access. We appreciate your understanding as we work to ensure account


In accordance with PayPal's User Agreement, your account access will remain
limited until the issue has been resolved. Unfortunately, if access to your
account remains limited for an extended period of time, it may result in further
limitations or eventual account closure. We encourage you to log in to your
PayPal account as soon as possible to help avoid this.


To review your account and some or all of the information that PayPal used to
make its decision to limit your account access, please visit the Resolution
Center. If, after reviewing your account information, you seek further
clarification regarding your account access, please contact PayPal by visiting
the Help Center and clicking "Contact Us".


We thank you for your prompt attention to this matter. Please understand that
this is a security measure intended to help protect you and your account. We
apologize for any inconvenience.




PayPal Account Review Department


Please do not reply to this email. This mailbox is not monitored and you
will not receive a response. For assistance, log in to your PayPal account
and click the Help link in the top right corner of any PayPal page.


Copyright © 1999-2010 PayPal. All rights reserved.


PayPal Email ID PP522"


If something does not seem right, proceed with caution. If you are not sure about the legitimacy of a certain email or website, don't click the link. Look up the domain in question and see where it's really registered and to whom. Does the information point to this being a legitimate site or sender?
If you receive any kind of offer via email or notification of reward, search for the name of this sender or product. Many times this will very quickly give you some idea of who the sender is. 
If concerned about a certain web site, it is always good to see what is known about this web site.
If no information is found and the sender claims to be a legitimate organization, this also tells us something. If you receive an email and you are not sure if this is legitimate, do not click on any links.
Go directly to the legitimate web site, log in and use the trusted company contact information to verify whether they sent such information or not and if there truly is an issue with the account. Another option is to pick up the telephone and call the legit company directly to verify.


It is important to use common sense and critical thinking when using the internet. Whether reviewing personal email, or accessing websites while searching for information, be careful.

SmartFilter XL enables your organization to understand, filter and monitor internet use, while providing effective control over outbound web access and protection against the web-based threats you're likely to encounter, today and tomorrow.


Using a combination of real-time reputation scoring and category filtering, McAfee SmartFilter XL proactively and reliably detects and enables you to block spyware, phishing, malware and other ubiquitous security threats in today's Web 2.0 environment.


One important feature available in SmartFilter XL is the ability to identify and filter embedded URLs.


What are Embedded URLs

URL filtering is performed to prevent inappropriate web use (as defined by the organization) as well as to prevent exposure to security threats. An embedded URL (a URL contained within another URL) can evade URL filtering rules and allow access to a web site that should have been blocked.


Examples of embedded URLs are as follows:

  • URL in a path node:



  • URL as a cgi parameter:



  • Proxy with a redirect



  • Search result cached URLs

http://ipaddress/search?g=cash:regrJNMCw7vE:www.url.com/searchterm&cd=2&h1=en&ct=cink&gl=us


  • Multiple embedded URLs

http://www.domain.com/imgres?imgurl=http://embeddedurl.com&imgrefurl=http://www.embeddedurlalso.com/path


Why Embedded URL support is important

URL filtering should recognize and utilize embedded URLs. If the URL is only filtered based on the base domain, there is potential for allowing access to an inappropriate site, or worse, to a known malware site. As the above examples show, the base domain will appear harmless, but the request is redirected to any of the embedded URLs, completely undetected by the filtering process, unless embedded URLs are recognized by the URL parser.


The popularity of anonymizer sites increases embedded URL exposure. Anonymizer sites are popular because they allow the user to surf the web without leaving traces of personal information or usage. The target web site becomes an embedded URL with the anonymizer domain as the base domain. For example: http://someanonymizer.com/brose.php?u=%3A%2Fwww.newwebsite.comb=60


How does McAfee protect against these threats

In SmartFilter XL, the URL shown above would return the base domain category (anonymizer) as well as the categories for www.newwebsite.com and the worst web reputation of the two URLs. The categories for www.newwebsite.com could be malicious or some other category that violates the organization's security policy, or they may be harmless.


Using SmartFilter XL, embedded URLs are correctly recognized and filtered against the organization's security policy, providing better overall web protection.


In some cases, it is not appropriate to let an embedded URL influence the base domain categorization.  For example, phishing URLs often change the base domain of a URL and include an embedded URL to a legitimate site.  The base domain will most likely be uncategorized, and the legitimate embedded URL categorization returns a legitimate category, thus allowing access.


SmartFilter XL can recognize some cases where it is not appropriate to let an embedded URL influence the base domain categorization.


Using SmartFilter XL with embedded URL processing activated provides state of the art URL filtering protection.
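As an added illustration of the parsing and policy described in this post (example code written here, not SmartFilter XL's or McAfee's own), the Python below pulls embedded URLs out of path segments, CGI parameters and percent-encoded anonymizer parameters, looks every host up in a category/reputation table, and applies the rule that an uncategorized base domain wrapping a legitimate link must not be allowed through. The CATEGORY_DB hosts, the reputation threshold and the blocked categories are constructed assumptions standing in for a real database and an organization's policy.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed stand-in for a URL category/reputation DB (hypothetical hosts);
# reputation 0..100, lower is worse. Unlisted hosts are "Uncategorized".
CATEGORY_DB = {
    "someanonymizer.com": ("Anonymizer", 40),
    "www.newwebsite.com": ("Malicious Sites", 0),
    "www.search.example": ("Search Engines", 90),
    "www.bank.example": ("Finance/Banking", 95),
}
BLOCK_BELOW = 50                                        # assumed threshold
BLOCKED_CATEGORIES = {"Malicious Sites", "Anonymizer"}  # assumed policy
# Absolute URL or bare www. host inside a path segment or parameter value.
_URL_RE = re.compile(r"(?:https?://|www\.)[^\s&\"'<>]+", re.I)

def _host(text):
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()

def embedded_hosts(url, depth=0, max_depth=3):
    """Hosts of URLs embedded in url's path/query (base excluded), recursively."""
    if depth > max_depth:
        return []
    for _ in range(3):                  # undo repeated percent-encoding
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    parts = urlsplit(url)
    base = (parts.hostname or "").lower()
    texts = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    found = []
    for text in texts:
        for match in _URL_RE.finditer(text):
            inner = match.group(0)      # may itself carry further embedded URLs
            for host in [_host(inner)] + embedded_hosts(inner, depth + 1, max_depth):
                if host and host != base and host not in found:
                    found.append(host)
    return found

def verdict(url):
    """Base/embedded categories, worst reputation and the allow/block decision."""
    base = _host(url)
    hosts = [base] + embedded_hosts(url)
    cats = {h: CATEGORY_DB.get(h, ("Uncategorized", None)) for h in hosts}
    reps = [rep for _, rep in cats.values() if rep is not None]
    worst = min(reps) if reps else None
    if cats[base][1] is None and len(hosts) > 1:
        # Unknown base domain wrapping a categorised link (the phishing
        # pattern): the embedded site's category must not rescue the request.
        action = "block"
    elif any(c in BLOCKED_CATEGORIES for c, _ in cats.values()) or (
            worst is not None and worst < BLOCK_BELOW):
        action = "block"
    else:
        action = "allow"
    return {"base": base, "embedded": hosts[1:], "categories": cats,
            "worst_reputation": worst, "action": action}
```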
