Spyware, viruses, & security forum: NEWS - May 07, 2012

.. against dangerous plugins

Jared Wein of Mozilla blogged last month about a new feature he was developing for Firefox 14 called "click-to-play". The idea is to block the default loading of plugins like Java and Flash when surfing to reduce the memory footprint and provide protection against exploitation of plugin vulnerabilities.

If you have ever used NoScript, ScriptNo or Flashblock you will be familiar with this idea. When you load a page like YouTube that has an embedded Flash/PDF/Java object, instead of it instantly loading the video you will see a black box with a logo representing the plugin. When you click on the box it will launch the plugin and the video or other content will be rendered.

Writing in ZDNet's Zero Day blog, Dancho Danchev expressed his opinion yesterday that all Firefox's adoption of this technique will accomplish is slowing down the systematic exploitation of plugins and not really provide meaningful protection.

Sorry Dancho, I don't think I agree with you on this one. While Danchev makes some valid points regarding the continuing prevalence of social engineering to propagate threats, implementing more secure default options are always a good thing.

Continued : http://nakedsecurity.sophos.com/2012/05/05/firefox-to-introduce-click-to-lay-option-to-protect-against-dangerous-plugins/

Adobe's Flash Player 11.3, currently in its third beta release, will introduce a protected mode for Firefox users on Windows Vista or later. Adobe says the mode, also known as a sandbox, is comparable to the protected mode that the player uses when running with Google Chrome, the Protected Mode in Adobe Reader, or the Office 2010 Protected View. It is designed to restrict how attacks from malicious SWF files can impact the safe operation of the Flash Player. It is hoped this will reduce the use of Flash as a springboard to introduce malicious code on systems. Despite the protected mode possibly causing problems with some existing Flash content, Adobe asks users to keep it enabled at all times.

Another security enhancement in Flash Player 11.3 will be background updating for Mac OS X systems. The feature, introduced for Windows in Flash Player 11.2, will allows a background service to regularly check for Flash Player updates and, if present, download and silently install them. The user can disable this behaviour if they so wish and manually update Flash Player instead. The updater functionality is "temporarily disabled" in the beta release, according to the release notes.

Continued : http://www.h-online.com/security/news/item/Flash-11-3-to-bring-protected-mode-for-Firefox-1569608.html

In the first quarter of 2012 alone, six million new malware samples were created, following the trend of increasingly prevalent malware statistics of previous years, according to PandaLabs.

Trojans set a new record as the preferred category of cybercriminals for carrying out information theft, representing 80 percent of all new malware. [Screenshot]

In 2011, Trojans 'only' accounted for 73 percent of all malware; worms took second place, comprising 9.30 percent of samples; followed by viruses at 6.43 percent. Interestingly in 2012, worms and viruses swapped positions from the 2011 Annual Report, where viruses stood at 14.25 percent and worms at 8 percent of all circulating malware.

When it comes to the number of infections caused by each malware category, the ranking supports the hierarchy of new samples in circulation with Trojans, worms and viruses occupying the top three spots. Interestingly, worms caused only 8 percent of all infections despite accounting for more than 9 percent of all new malware. This is quite noteworthy as worms typically caused many more infections due to their ability to propagate in an automated fashion.

Continued : http://www.net-security.org/malware_news.php?id=2097

Also:
Trojans Dominate New Malware Development Sampled
Four Out Of Five New Malware Samples Are Trojans, According To PandaLabs Q1 Report

A new wave of malware freezes a computer and demands payment to unlock it, this time falsely alleging victims have infringed copyright.

The campaign, spotted by Roman Hussy, who authors the abuse.ch blog, targets users in the U.K., Switzerland, Germany, Austria, France and the Netherlands.

Hussy posted a screenshot of the warning that users in the U.K. would see. It bears the logos of the Performing Right Society (PRS), a royalties collection organization, and the Metropolitan Police.

It falsely alleges that material protected by copyright has been found on the computer and subsequently has been moved to an encrypted folder "to prevent further damage."

"To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of £50 (US$80)," it reads.

The ransom can be paid with Paysafecard, a prepaid payment card offered throughout Europe and a few other countries such as the U.S. Hussy wrote the scam's perpetrators even included information on where victims could purchase a Paysafecard.

Continued: http://www.pcworld.com/businesscenter/article/255108/malware_demands_payment_for_alleged_copyright_infringement.html

Also:
Is a German criminal behind the latest ransomware campaign?
New malware strain locks up computers unless ransom is paid

Roman Hussy @ The Swiss Security Blog: Ransomware Gets Professional, Targeting Switzerland, Germany And Austria

Flash-Based Cookie-Stuffer Using Google AdSense to Claim Unearned Affiliate Commissions from Amazon

From Ben Edelman:

Merchants face special challenges when operating large affiliate marketing programs: rogue affiliates can claim to refer users who would have purchased from those merchants anyway. In particular, rogue "cookie-stuffer" affiliates deposit cookies invisibly and unrequested -- knowing that a portion of users will make purchases from large merchants in the subsequent days and weeks. This tactic is particularly effective in defrauding large merchants: the more popular a merchant becomes, the more users will happen to buy from that merchant within a given referral period.

To cookie-stuff at scale, an attacker needs a reliable and significant source of user traffic. In February we showed a rogue affiliate hacking forum sites to drop cookies when users merely browse forums. But that's just one of many strategies. I previously found various cookie-stuffing on sites hoping to receive search traffic. In a 2009 complaint, eBay alleges that rogue affiliates used a banner ad network to deposit eBay affiliate cookies when users merely browsed web pages showing certain banner ads. See also my 2008 report of an affiliate using Yahoo's Right Media ad network to deposit multiple affiliate cookies invisibly -- defrauding security vendors McAfee and Symantec.

As the eBay litigation indicates, display advertising networks can be a mechanism for cookie-stuffing. Of course diligent ad networks inspect ads and refuse cookie-stuffers (among other forms of malvertising). So we were particularly surprised to see Google AdSense running ads that cookie-stuff Amazon.

The Imgwithsmiles attack

We have uncovered scores of web sites running the banner ad shown at right. On 40 sites, on various days from February 6 to May 2, our crawlers found this banner ad dropping Amazon Associates affiliate cookies automatically and invisibly. All 40 sites include display advertising from Google AdSense. Google returns a Flash ad from Imgwithsmiles. To an ordinary user, the ad looks completely innocuous .....

Continued : http://www.benedelman.org/news/050712-1.html