Jason Palmer, CPA, CITP


Preventing Cybercrime with Transactional and Point in Time Alerts

July 7, 2012 By Jason Palmer

Cybercrime is a little like the weather.  Everyone reads and talks about it, but nobody does anything about it.  Congress, like Mother Nature, has a will of its own, and the likelihood of seeing any real legislation forcing Big Business to take care of our personal information is doubtful.

However, the same way that we can prepare for a Hurricane there are things that we as individuals and business owners can do to prevent or minimize the effects of the Cybercrime storms that are upon us.  We can use Transactional and Point in Time Alerts in the same manner as the National Weather Service alerts us that a Tornado is on the way.

All of us have heard the never-ending mantras of “Use Strong Passwords”, “Change your Passwords periodically”, and “Be suspicious of requests for personal information unless you have verified the recipient.”  That goes almost without saying, and most articles on Cybercrime protection would probably end right here – but not this one.

The focus of this article is on behavior and transactional monitoring of your online and offline financial habits.  This is similar to the spending profiles that the Credit Card companies create for you to monitor your purchase patterns for possible Fraud.  At least once a quarter, I get a frantic phone call, email, and text from Citibank VISA asking for additional information on a recent purchase.  In some cases, they hold the authorization (not letting the charge to my account go through) until they have positively verified that I am who I say I am and that I personally made or approved the transaction.  I appreciate this minor inconvenience as it lets me know Citibank may actually care about my financial security after all.

In a perfect world, most Credit Card companies and to some degree Banks do this in the normal course of business to protect their customers.  But we do not live in a perfect world so some personal responsibility needs to be taken.  Fortunately, the tools to do so exist and are readily available – if you just take a few minutes to set them up.

As mentioned above, the Credit Card companies flag things that look “out of the ordinary” to them based purely on statistical modeling of your spending patterns.  Cybercriminals know this, which makes it easier for them to keep their fraudulent charges inside your normal pattern.

I will give a real world example:  My American Express Corporate Card number was lifted by an unidentified group or person operating at a local restaurant in New York City near a particular client, where I order in from frequently for lunch or dinner.  To American Express, the pattern looked normal.  No flag was raised.  I use my Corporate Card for meals all across Manhattan.  None of the amounts were particularly outside the normal range, and it is not uncommon to see the same establishments appear multiple times in a month.  I, like most, am a creature of habit.  I tend to shop and eat at the same places on a regular basis.

What was out of the ordinary for me was two charges in one day from this particular restaurant and that caused me to check my Date Book and see that there were at least six additional charges at this Restaurant on days when I was not even in Manhattan.

Of course American Express, as would all Credit Card companies, held me completely harmless, gave me full credit for the fraudulent charges, and “promised to investigate the matter fully.”  (Yes. I am sure…)

What could I have done, and what can you do, to protect yourself and help uncover this type of fraud in a more timely manner?  Sign up for and enable Transactional Alerts on your credit card and bank accounts wherever they are available.

Chase exceeds my expectations in that within minutes of swiping my Chase Freedom Card at a Gas Station, I get an email alert telling me my credit card has been presented for authorization.  After the sale is completed, I get another email telling me the exact amount of the charge.

Each Financial Institution varies in the level of Transactional and “Point in Time” alerting available, but most seem to offer all or some of the following:

Transactional:

  • Notice of Card Authorization
  • Notice of Charge to Card
  • Notice of Charge over a certain dollar amount
  • Notice of Receipt of Payment
  • Notice of Presentment of Check to Bank Account
  • Notice of ATM/Cash Machine withdrawal
  • Notice of Teller Activity (Bank Deposit/Withdrawal)

Point in Time:

  • Daily Bank Account Balance or Amount Owed on Credit Card
  • Notice when Amount Owed exceeds a certain dollar amount
  • Notice when Checking/Savings balance goes below a certain dollar amount
  • Daily Summary of All Balances
  • Daily Summary of All Transactions

Everyone who has online banking access, especially business owners, should make sure that alerts are in place for all transactions, where possible.  Most importantly, if wire transfer or Bill Pay options are offered through your Bank, make sure that transactions over certain dollar limits, above and beyond your normal activity range, require “Secondary Verbal Approval” and/or additional authentication measures before they are allowed to proceed.  Otherwise, if access to your Bank account is compromised (a Cybercriminal has your password or token), you could find a zero balance in your account with an almost insurmountable challenge ahead to try to retrieve the missing funds.
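To show how the alert types above work as detection rules, here is an added example (my own illustration, not code from any bank or from this article) that runs them over a constructed statement modelled on the restaurant case: a repeat charge at one merchant on the same day, charges on days the cardholder was away, a large charge, a large wire and an amount-owed threshold. The thresholds and dates are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Txn:
    day: date
    merchant: str
    amount: float
    kind: str  # "charge" (card) or "wire" (bank wire / Bill Pay)

# Constructed sample activity: a card used for weekday lunches near one
# client, plus the kind of entries the article says should raise an alert.
STATEMENT = [
    Txn(date(2012, 6, 4), "Midtown Deli", 18.50, "charge"),
    Txn(date(2012, 6, 5), "Midtown Deli", 22.10, "charge"),
    Txn(date(2012, 6, 5), "Midtown Deli", 19.75, "charge"),  # 2nd charge, same day
    Txn(date(2012, 6, 9), "Midtown Deli", 21.00, "charge"),  # cardholder out of town
    Txn(date(2012, 6, 12), "Best Buy Houston", 2799.00, "charge"),
    Txn(date(2012, 6, 13), "Outgoing wire", 9500.00, "wire"),
]
# Constructed "date book": days the cardholder knows they were away.
OUT_OF_TOWN = {date(2012, 6, 9), date(2012, 6, 12)}

def alerts(txns, out_of_town, large_charge=500.0, wire_limit=5000.0, owed_limit=2500.0):
    """Run the article's alert types over a statement.

    Returns {alert_type: [description, ...]}.  Thresholds are assumptions;
    a real bank lets you pick them when you enroll in alerts.
    """
    found = defaultdict(list)
    by_day_merchant = defaultdict(int)
    owed = 0.0
    owed_alerted = False
    for t in sorted(txns, key=lambda t: t.day):
        # Transactional alerts: fire as each item posts.
        if t.kind == "charge" and t.amount >= large_charge:
            found["large_charge"].append(f"{t.day} {t.merchant} ${t.amount:,.2f}")
        if t.kind == "wire" and t.amount >= wire_limit:
            # Article's advice: large wires/Bill Pay wait for secondary verbal approval.
            found["wire_hold"].append(f"{t.day} ${t.amount:,.2f} held for approval")
        if t.day in out_of_town:
            found["away_day"].append(f"{t.day} {t.merchant} while cardholder was away")
        by_day_merchant[(t.day, t.merchant)] += 1
        if by_day_merchant[(t.day, t.merchant)] == 2:
            found["repeat_merchant"].append(f"{t.day} {t.merchant} charged twice")
        # Point in Time alert: amount owed on the card crosses the chosen limit.
        if t.kind == "charge":
            owed += t.amount
            if owed >= owed_limit and not owed_alerted:
                owed_alerted = True
                found["owed_over_limit"].append(f"{t.day} owed ${owed:,.2f}")
    return dict(found)

if __name__ == "__main__":
    for kind, items in alerts(STATEMENT, OUT_OF_TOWN).items():
        for msg in items:
            print(f"[{kind}] {msg}")
```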

Using the combination of alerts mentioned above that is right for your personal financial spending habits and needs can make all the difference.  On one side is being “prepared” to catch a fraudulent event in near real time and prevent further Cybercrime.  On the other is a maxed out Credit Card, a Zero Bank Balance, and months spent filing reports and signing affidavits that state, “No, you did not purchase that 60” Plasma Flat screen for $2,799 at Best Buy in Houston, TX,” while having to prove that you were actually in New York at the time.  Or worse, you now have to completely rebuild your credit file because you were a victim of Identity Theft and did not discover the damage until well after the fact.

Transactional and Point in Time Alerts are your best defense.

Filed Under: Security, Tech in Plain English Tagged With: alert, American Express, Balance Alerts, Bank Account Fraud, banking, Chase, Citibank, credit card, credit card company, Credit Card Fraud, Cybercrime, financial institution, financial institutions, identity theft, transaction monitoring, Transactional Alerts

DNSChanger Malware – Am I Infected?

July 5, 2012 By Jason Palmer

DNSChanger malware is set to kick 277,000 computers off the web on Monday.

DNSChanger malware is a DNS-changing virus that directs your computer to malicious Domain Name Servers (the specialized servers that translate a web site name, such as jasonpalmer.com, into a web site address, such as 209.212.81.40, so your computer can find the web site) instead of the legitimate Domain Name Service provided by your Internet Service Provider.  The DNSChanger virus was created by a group of cyber criminals known as “Rove Digital.”

These malicious DNS servers returned fraudulent answers, altering search results or directing users to sites with fake and dangerous products.  Because every visit to a web site starts with a DNS query, DNSChanger gave infected users a completely different, and usually bad, Internet experience.

On November 8, the FBI, the NASA-OIG and Estonian police arrested several cyber criminals in “Operation Ghost Click”.  In an effort not to disrupt the hundreds of thousands of users affected, the Internet Systems Consortium has been operating replacement DNS servers for the Rove Digital network under a court order which expires Monday, July 9.  This was to allow affected networks time to identify infected hosts and avoid a sudden disruption of service to victim machines.

Now that July 9th is upon us, the day that these special temporary servers are set to shut down, there are still over 277,000 machines worldwide with over 64,000 in the United States that have yet to be cleaned and disinfected of the DNSChanger virus.

The DNSChanger Working Group at http://www.dcwg.org was set up specifically to address the detection of, fix for, and protection against the DNSChanger malware.

Visit http://www.dns-ok.us and the site will tell you whether or not you are infected:

  • No Software is Downloaded!  The tool does not need to load any software on your computer to perform the check.
  • No changes are performed on your computer!
  • No scanning!  The “are you infected with DNS Changer” tool does not need to scan your computer.

If you think your computer is infected with DNS Changer or any other malware, please refer to the security guides from your operating system vendor or the self-help references on the DCWG fix page (http://www.dcwg.org/fix).

Of course, if on July 10th you can no longer access the Internet and get “Page Not Found” no matter what web site you try to visit, then there is a good chance that you ignored this post and you are probably infected with the DNSChanger malware.

There is a wealth of information at the http://www.dcwg.org site regarding both automated and manual tests for the DNSChanger malware virus as well as resources for disinfection and protection.
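The manual test behind the DCWG checks is to compare the DNS server addresses your machine is configured to use against the address ranges the rogue servers occupied. As an added example (not code from the DCWG or this article), the script below parses a resolver configuration in resolv.conf form and reports any nameserver inside a rogue range. The article does not list the Rove Digital ranges, so ROGUE_RANGES holds placeholder documentation networks to be replaced from the DCWG site, and the sample configuration is constructed.

```python
import ipaddress
import re
import sys

# PLACEHOLDER rogue ranges: the article does not list the Rove Digital address
# blocks, so take the current list from http://www.dcwg.org and replace these.
# RFC 5737 documentation networks are used here purely as stand-ins.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed resolver configuration.  On Windows the same comparison applies
# to the DNS Servers lines of "ipconfig /all".
SAMPLE_RESOLV_CONF = """\
# constructed sample
search example.test
nameserver 192.0.2.53
nameserver 198.51.100.7   # inside the placeholder rogue range
"""

def nameservers(resolv_conf_text):
    """Extract nameserver addresses from resolv.conf text, ignoring comments."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"nameserver\s+(\S+)$", line)
        if not m:
            continue
        try:
            servers.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            pass  # malformed entry: nothing to compare against a range
    return servers

def rogue_nameservers(servers, rogue_ranges=ROGUE_RANGES):
    """Return the configured resolvers that fall inside a known rogue range."""
    return [s for s in servers if any(s in net for net in rogue_ranges)]

def check(resolv_conf_text):
    """Return the rogue resolver addresses (as strings) found in the config."""
    return [str(s) for s in rogue_nameservers(nameservers(resolv_conf_text))]

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESOLV_CONF
    hits = check(text)
    if hits:
        print("RED: resolver in a rogue range: " + ", ".join(hits))
    else:
        print("GREEN: no rogue resolver configured")
```

Run it with the path to /etc/resolv.conf, or with no argument to see the constructed sample flagged.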

If you find that you are infected and are unable to remove the virus using the resources available at the DCWG, please feel free to contact me directly via my contact page for assistance.

Filed Under: Security, Tech in Plain English

Google Safe Web Browsing 5 Year Anniversary

June 19, 2012 By Jason Palmer

Five years ago Google launched the Safe Web Browsing initiative, designed to help protect users from malicious content unintentionally returned in Google Search Results.  The Google Safe Web Browsing infrastructure specifically detects and protects users from malware (software that is intended to damage or disable computers and computer systems) and phishing web sites (the activity of defrauding an online account holder of financial or personal information by creating a replica of, and posing as, a legitimate commercial website).

For the past five years, every day, Google Safe Web Browsing:

  • Issues several million security warnings to over 600 million users through the built-in protection in Chrome, Firefox and Safari.
  • Finds about 9,500 new malicious web sites, and alerts users with a visible warning.
  • Warns users of current malware threats for approximately 12-14 million Google Search queries and around 300,000 downloads.
  • Sends Webmasters thousands of notification warnings of potential malicious issues with their websites.  (Sign up with Google Webmaster Tools, linked below, to receive these notifications.)
  • Sends Internet Service Providers (ISPs) similar notifications of potential malicious activity on their networks.  (Sign up for Safe Browsing Alerts for Network Administrators, linked below, to receive these notifications.)

Phishing attacks are becoming more clever and complex.  Google Safe Web Browsing has continued to evolve over time to respond to the challenges of today’s phishing techniques, which include:

  • Shorter attacks with webpages (URLs) remaining active for less than an hour to evade discovery.
  • “Spear phishing” attacks, whereby the spoofed email message appears to come from the targeted company and from someone of authority who might reasonably request the confidential information from the recipient.  (These include nearly perfect replicas of the legitimate emails commonly sent by Banks and Financial Institutions, as well as eBay and PayPal, which use the correct logo, formatting, color scheme and disclaimers – except for the one link to the phishing site and the improper request to divulge sensitive personal information and/or passwords.)
  • Phishing sites that, just like the luring fake email, exactly replicate a legitimate site but will prompt the visitor to download a Web Browser Extension or some other executable program to enable fake content or re-direct the user to a malicious site.

Malware CrosswordGoogle Safe Browsing specifically identifies two main categories of Malware websites:

  • Legitimate websites that have had their content altered to redirect legitimate users to fake sites, provide fake content, or provide a “Drive-by-download” whereby the visitor receives a malicious program without their knowledge usually due to an exploit in the Web Browser.
  • Websites that are purpose built to deliver malware.


Google has some important safety tips to make sure you don’t become a victim:

  • Don’t ignore Google Safe Browsing Warnings!  Do not visit an infected site until the site has been cleaned up.  Many legitimate sites get “hacked” every day with malicious content.  Would you purposely ignore a sign that said, “Danger – Bridge Out?”
  • Help Google find Bad Websites.  Users of the Google Chrome web browser can select a check box on the red warning page to alert Google and help protect other users. (Get Google Chrome here.)
  • Register your website with Google Webmaster Tools.  This will allow Google to alert you of suspicious activity or code on your site.

Useful Links:

Google Webmaster Tools
– http://www.google.com/webmasters
Safe Browsing Alerts for Network Administrators
– http://www.google.com/safebrowsing/alerts
All about Google Safe Web Browsing in Google Chrome
– http://blog.chromium.org/2012/01/all-about-safe-browsing.html
StopBadware – Ads Integrity Alliance
– http://stopbadware.org

Get Google Chrome Web Browser
– http://www.google.com/chrome
Get Mozilla Firefox Web Browser
– http://www.mozilla.org/firefox
Get Apple Safari Web Browser
– http://www.apple.com/safari

Filed Under: Security Tagged With: apple safari, google chrome, malware, mozilla firefox, phishing, phishing techniques, safe browsing, safe web browsing, web browsing, web threat

Flame Virus: How to check if infected.

June 8, 2012 By Jason Palmer

The main module of Flame is a DLL file called mssecmgr.ocx.

There are two known versions of this module:  a large 6 MB version, which includes the full virus package, and a small 900 KB version containing only the core module, which once installed connects to the command and control server to download and install the remaining components.

Note:  The mssecmgr.ocx module could have other names, and going forward may be best discovered with signature files that look at the content of the infected files instead of the file name.

Step 1

Search for the file ~DEB93D.tmp.

The presence of this file is positive confirmation that the system is infected by Flame.

Step 2

Check the registry key using:  RegEdit

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Key Name:  Authentication Packages

If the DATA contains the files:

mssecmgr.ocx or authpack.ocx

The system is infected with the Flame virus.

Step 3

Browse to:    C:\Program Files\Common Files\Microsoft Shared

The system is infected with the Flame Virus if any of the following Directories are present:

MSSecurityMgr

MSAudio

MSAuthCtrl

MSAPackages

MSSndMix

Step 4

The system is most likely infected with the Flame virus if any of the following files are present.  Search each one by one.

mssecmgr.ocx
advnetcfg.ocx
msglu32.ocx
nteps32.ocx
soapr32.ocx
ccalc32.sys
boot32drv.sys
~DEB93D.tmp
~8C5FF6C.tmp
~DF05AC8.tmp
~DFD85D3.tmp
~DFL*.tmp
~dra*.tmp
~fghz.tmp
~HLV*.tmp
~KWI988.tmp
~KWI989.tmp
~rei524.tmp
~rei525.tmp
~rf288.tmp
~rft374.tmp
~TFL848.tmp
~TFL849.tmp
~mso2a0.tmp
~mso2a1.tmp
~mso2a2.tmp
sstab*.dat
dstrlog.dat
lmcache.dat
mscrypt.dat
wpgfilter.dat
ntcache.dat
rccache.dat
audfilter.dat
ssitable
audache
secindex.dat
wavesup3.drv
svchost1ex.mof
Svchostevt.mof
frog.bat
netcfgi.ocx
authpack.ocx
~a29.tmp
rdcvlt32.exe
to961.tmp
authcfg.dat
Wpab32.bat
ctrllist.dat
winrt32.ocx
winrt32.dll
scsec32.exe
grb9m2.bat
winconf32.ocx
watchxb.sys
sdclt32.exe
scaud32.exe
pcldrvx.ocx
mssvc32.ocx
mssui.drv
modevga.com
indsvc32.ocx
comspol32.ocx
comspol32.dll
browse32.ocx


The Modules

A dissection of the Flame Virus shows that each component has a purpose.  Identified modules and their functions are listed below.  The names were extracted from the binary and from resource 146.

(Figure: Flame Virus Modules Map)

Beetlejuice

Bluetooth: enumerates devices around the infected machine.  May turn itself into a “beacon”: announces the computer as a discoverable device and encodes the status of the malware in device information using base64.

Microbe

Records audio from existing hardware sources. Lists all multimedia devices, stores complete device configuration, tries to select suitable recording device.

Infectmedia

Selects one of the methods for infecting media, i.e. USB disks. Available methods: Autorun_infector, Euphoria.

Autorun_infector

Creates “autorun.inf” that contains the malware and starts with a custom “open” command. The same method was used by Stuxnet before it employed the LNK exploit.

Euphoria

Creates a “junction point” directory with “desktop.ini” and “target.lnk” from the LINK1 and LINK2 entries of resource 146 (these were not present in the resource file).  The directory acts as a shortcut for launching Flame.

Limbo

Creates backdoor accounts with login “HelpAssistant” on the machines within the network domain if appropriate rights are available.

Frog

Infects machines using pre-defined user accounts.  The only user account specified in the configuration resource is “HelpAssistant”, which is created by the “Limbo” attack.

Munch

HTTP server that responds to “/view.php” and “/wpad.dat” requests.

Snack

Listens on network interfaces, receives and saves NBNS packets in a log file. Has an option to start only when “Munch” is started. Collected data is then used for replicating by network.

Boot_dll_loader

Configuration section that contains the list of all additional modules that should be loaded and started.

Weasel

Creates a directory listing of the infected computer.

Boost

Creates a list of “interesting” files using several filename masks.

Telemetry

Logging facilities.

Gator

When an Internet connection becomes available, it connects to the C&C servers, downloads new modules, and uploads collected data.

Security

Identifies programs that may be hazardous to Flame, i.e., anti-virus programs and firewalls.

Bunny, Dbquery, Driller, Headache and Gadget

Unknown function.

For a more comprehensive discussion of the Flame Virus direct from the Kaspersky Lab Expert, Aleks, please review:

The Flame:  Questions and Answers

For more information on the modules themselves, please review:

Flame:  Bunny, Frog, Munch and BeetleJuice…

Filed Under: Security Tagged With: flame virus
