<?xml version="1.0" encoding="iso-8859-1" ?>
<!--  RSS generated by SecurityProNews.com on 11.26.08, 05:33:12 pm -->
<rss version="0.91">
<channel>
<title>Internet Security News</title>
<link>http://www.securitypronews.com</link>
<description>Breaking news and updates in Internet security</description>
<language>en-us</language>
<lastBuildDate>Wed, 26 Nov 2008 05:33:12 EST</lastBuildDate>
<webMaster>rrobinson@ientry.com</webMaster>
<managingEditor>mike@ientry.com</managingEditor>
<image>
<url>http://www.securitypronews.com/rss.gif</url>
<title>IT Management Begins With Security</title>
<link>http://www.securitypronews.com</link>
<width>55</width>
<height>266</height>
</image><item>
<title>DOD Prohibits Removable Storage Devices To Stop Worm</title>
<link>http://www.SecurityProNews.com/news/securitynews/spn-45-20081121DODProhibitsRemovableStorageDevicesToStopWorm.html</link>
<description><![CDATA["Lockdown" must be the Department of Defense's middle name.  As a worm seems to be making its way through the military's computers, the DOD has responded by banning flash drives, CDs, and just about everything else that can store data and be moved from one machine to another.<br><br>
<a href="http://blog.wired.com/defense/2008/11/army-bans-usb-d.html#more">Noah Shachtman</a> reports, "The problem, according to a second Army e-mail, was prompted by a 'virus called Agent.btz.'  That's a variation of the 'SillyFDC' worm, which spreads by copying itself to thumb drives and the like.  When that drive or disk is plugged into a second computer, the worm replicates itself again - this time on the PC."<br />
<br />
The DOD's response should effectively stop the worm's spread, then, and give experts a chance to track down and clean up affected machines.  It might even help with other military security issues, since it'll be harder for important information to get lost or stolen when it's not being shuttled around as much.<br />
<br />
But since the length of the new ban hasn't been determined (or at least announced), everyone from suits in the Pentagon to soldiers in the field may be faced with data-movement nuisances for quite some time.<br />
<br />
This situation hasn't, at least, led to any real problems so far.<br><br>]]></description>
<category>SecurityProNews News</category>
</item>
<item>
<title>Microsoft Announces Free PC Security Product</title>
<link>http://www.SecurityProNews.com/news/securitynews/spn-45-20081120MicrosoftAnnouncesFreePCSecurityProduct.html</link>
<description><![CDATA[If you heard a deafening swallowing sound sometime in the past day or so, we can explain its origin.  The corporate makers of security software must have collectively gulped when Microsoft announced its plans to offer a free consumer security product.<br><br>
"Morro," as the product's called at the moment (probably named after Morro Castle), is supposed to take care of a lot of stuff.  Viruses, spyware, rootkits, and Trojans are all on its kill list.  It should require little in the way of bandwidth and computing resources, too, giving Microsoft an "in" with the growing netbook audience.<br />
<br />
Amy Barzdukas, Microsoft's senior director of product management for the Online Services and Windows Division, explained in a statement how Microsoft got the idea for Morro, saying, "Customers around the world have told us that they need comprehensive, ongoing protection from new and existing threats, and we take that concern seriously."<br />
<br />
She then continued, "This new, no-cost offering will give us the ability to protect an even greater number of consumers, especially in markets where the growth of new PC purchases is outpaced only by the growth of malware."<br />
<br />
So when does the rush of consumers getting Morro and software makers going out of business begin?  Not for a while.  Windows Live OneCare is scheduled to remain on sale through June 30th, 2009, and it's during the phasing out of this product that Morro is supposed to become available for download.<br />
<br />
What's more, Morro may not achieve omnipresence even then.  Since Microsoft has only advertised it as a security solution for Windows XP, Windows Vista, and Windows 7, a few people are sure to be left out in the cold.  Internet Explorer's also mentioned, which might mean Firefox users will be ignored.<br />
<br />
Then there are the intentional gaps and potential for problems to consider.  In regards to that first subject: encryption, firewalls, password protection, parental controls, and backup programs haven't been addressed.<br />
<br />
Still, Morro's introduction looks to be a revolutionary moment in the PC security solution industry.  Like that first collective gulp, listen for the sound of Tylenol bottles being opened as the end of June draws closer.<br><br>]]></description>
<category>SecurityProNews News</category>
</item>
<item>
<title>Google Unveils Calculators To Promote Security Products</title>
<link>http://www.SecurityProNews.com/news/securitynews/spn-45-20081119GoogleUnveilsCalculatorsToPromoteSecurityProducts.html</link>
<description><![CDATA[The economy's nasty condition is making people rethink all sorts of things: whether trucks and SUVs are cooler than clown cars, whether steak is that much better than ramen, and so on.  Google wants to help when it comes time to decide whether to embrace its security offerings.<br><br>
To see how much security measures of some sort can help a business, Google's introduced a simple <a href="http://www.google.com/a/help/intl/en/security/roi_calculator.html">Return on Investment Calculator</a>.  Users can see an estimate of how much time/money's wasted on spam by entering stats relating to employees, workdays, salaries, and spam messages.  Expect big numbers if you start typing away.<br />
<br />
But as for the matter of choosing Google's products instead of something else, there's an entirely separate tool.  The <a href="http://www.google.com/a/help/intl/en/security/tco_calculator.html">Total Cost of Ownership Calculator</a> compares the expense of on-premise solutions to Google Message Security over the course of three years.<br />
<br />
Here, you can probably expect to see some stark differences, too.  On the <a href="http://googleenterprise.blogspot.com/2008/11/calculating-true-cost-of-fighting-spam.html">Official Google Enterprise Blog</a>, Amanda Kleha mentions a situation in which a law firm found that, "[w]ith the hourly rate of their lawyers . . . choosing Google Message Security paid for itself in 1 day."<br />
<br />
The tools make for an interesting combination.  IT people who are worried about layoffs may regret their existence, but lots of companies are liable to appreciate Google's effort to both get their business and save them some money.<br><br>]]></description>
<category>SecurityProNews News</category>
</item>
<item>
<title>McColo Takedown = Street Justice?</title>
<link>http://www.SecurityProNews.com/news/securitynews/spn-45-20081118McColoTakedownStreetJustice.html</link>
<description><![CDATA[When McColo was stopped in its tracks last week, most of the online world cheered.  The rhyme and reason behind the development mattered little in light of seeing less spam.  Only now, there's at least some question of whether or not things went through the right channels.<br><br>No official ruling against McColo was involved, after all.  Law enforcement officials weren't even in figurative sight, since a tip from The Washington Post was what spurred McColo's service providers to take action.  McColo didn't get a chance to respond, and it might have just been oblivious to all the spammy activity.<br />
<br />
There's also a concern over what could be considered collateral damage.  If not all of McColo's customers were involved in "bad" stuff, some of them must rightly view the situation they've been placed in as being rather unfair.<br />
<br />
Individuals participating in a <a href="http://it.slashdot.org/it/08/11/17/2053220.shtml">Slashdot</a> discussion tended to agree that what happened to McColo is not a case of vigilantism, however, since McColo's service providers were just informed of TOS violations.<br />
<br />
And even if what happened last week can be called vigilantism, we should all remember that movie audiences tended to side with the Charles Bronson-type characters in "Death Wish" and similar movies.<br><br>]]></description>
<category>SecurityProNews News</category>
</item>
<item>
<title>Are You Ready For… Black Monday?</title>
<link>http://www.SecurityProNews.com/news/securitynews/spn-45-20081117AreYouReadyForBlackMonday.html</link>
<description><![CDATA[Security experts from PC Tools have pinpointed November 24 as potentially the peak of malicious activity for 2008. They reached their conclusion on the specific date after analyzing well over 500,000 machines from around the world.<br><br><a href="http://www.guardian.co.uk/technology/2008/nov/17/malware-trojan-virus-peak">Guardian.co.uk</a> states that "the number of people shopping online this Christmas is expected to grow again this year, with internet sales in the UK alone predicted to hit £13.16bn - an increase of 15% over 2007."<br />
<br />
It should be noted that November 28 will be the busiest shopping day of the year, a day so popular in fact that it even has its own name, "Black Friday".<br />
<br />
So, logically, malicious attacks, spam, spyware, and everything else evil should be expected to climb mere days before people start entering their private data for online purchases.<br />
<br />
Spam and all the other wrongdoing of others shouldn't sway anyone from shopping online, as this stuff is going on every day. Just remember to use your common sense: if something sounds fishy, it probably is.<br><br>]]></description>
<category>SecurityProNews News</category>
</item>
<item>
<title>Safari Update May Add Equal Measures Security, Instability</title>
<link>http://www.SecurityProNews.com/news/securitynews/spn-45-20081117SafariUpdateMayAddEqualMeasuresSecurityInstability.html</link>
<description><![CDATA[It seems that the newest version of Safari is operating under the motto "better safe or sorry."  The Safari 3.2 update is supposed to have fixed several vulnerabilities, but at the same time, users are reporting frequent crashes.<br><br>Let's start with the positive stuff.  A full 11 issues have been addressed, so we won't dwell on them all, but <a href="http://www.theregister.co.uk/2008/11/17/safari_3_2_update_grumbles/">Kelly Fiveash</a> writes, "Safari 3.2 comes with an update to Webkit - which is the framework that underpins Apple's browser - that restricts the types of URLs that can be launched through the plug-in interface."<br />
<br />
Also, "The firm has also stitched together a hole in Safari's JavaScript handling of array indices to prevent random code execution and it's also fixed a bug with its form field.  The browser previously had a flaw in its autocomplete feature, which meant that disabling it didn't guarantee data wouldn't be stored."<br />
<br />
As for the negative side effects, things appear to be limited to those annoying crashes.<br />
<br />
Downloading Safari 3.2 is probably worth users' while, then (and fans of other browsers won't get to tease them too much).  Just don't download it while you've got some time-sensitive task in your lap, and perhaps make sure that you can get back to the previous version, regardless.<br><br>]]></description>
<category>SecurityProNews News</category>
</item>
<item>
<title>Microsoft Fixes Flaw After Seven Years</title>
<link>http://www.SecurityProNews.com/news/securitynews/spn-45-20081114MicrosoftFixesFlawAfterSevenYears.html</link>
<description><![CDATA[If you've ever forgotten an appointment, anniversary, or birthday, you know that being late by even a little bit can be terribly awkward.  It almost seems worth it to get an arm or leg set in plaster just so you have a proper excuse.  Now Microsoft's trotted out its version of a cast story to explain a seven-year patch delay.<br><br>
Microsoft security bulletin MS08-068 addresses a flaw in the Microsoft Server Message Block protocol, and in a post on the <a href="http://blogs.technet.com/msrc/archive/2008/11/11/ms08-068-and-smbrelay.aspx">Microsoft Security Response Center</a>, Christopher Budd acknowledged, "We've received some questions from customers about MS08-068 and its relationship to an issue that was first discussed in 2001, called the SMBRelay attack.  Specifically, we've gotten some questions about why, in 2008, we're releasing an update that addresses an issue first discussed in 2001."<br />
<br />
Budd, a security communications program manager, then stated, "[W]e could not make changes to address this issue without negatively impacting network-based applications.  And to be clear, the impact would have been to render many (or nearly all) customers' network-based applications then inoperable."<br />
<br />
So, according to Budd (and/or Microsoft, since it's hard to believe someone would volunteer to be the messenger), Microsoft kept tinkering with things, and finally figured out a way to address the issue without bringing everything else to a halt.  And, the Security Response Center post implies, perhaps people shouldn't complain too much, since implementing SMB signing remains a better idea than applying MS08-068.<br />
<br />
Take or leave the explanation as you see fit.<br><br>]]></description>
<category>SecurityProNews News</category>
</item>
<item>
<title>Skype Scrambles After Breach And Censorship Revelations</title>
<link>http://www.SecurityProNews.com/news/securitynews/spn-45-20081003SkypeScramblesAfterBreachAndCensorshipRevelations.html</link>
<description><![CDATA[American companies operating in China have what might be considered a tradition of getting in trouble over privacy and censorship, and Skype, the Internet communications company, is the latest to encounter hot water.  Its president has done his best to explain the situation.<br><br>
As <a href="http://share.skype.com/sites/en/2008/10/skype_president_addresses_chin.html">Josh Silverman</a> wrote, "In China, TOM is the majority local partner in our joint venture that brings Skype functionality to Chinese citizens."  Skype - and anyone who bothered to listen to an old announcement - has known for some time that TOM obeyed Chinese laws requiring them to block messages containing certain terms.<br />
<br />
The problems began when it turned out that TOM stored the messages; there's a real concern about what government authorities might have seen them.  And what's more, a security breach may have exposed the messages to all sorts of other people.<br />
<br />
Silverman wrote, "We were very concerned to learn about both issues and after we urgently addressed this situation with TOM, they fixed the security breach.  In addition, we are currently addressing the wider issue of the uploading and storage of certain messages with TOM."<br />
<br />
Still, Skype's reputation has taken a big hit due to these developments, and we may see the security and censorship issues have a similar effect on the eBay property's growth.<br><br>]]></description>
<category>SecurityProNews News</category>
</item>
<item>
<title>Defense Companies Hit By Malicious Code</title>
<link>http://www.SecurityProNews.com/news/securitynews/spn-45-20081002DefenseCompaniesHitByMaliciousCode.html</link>
<description><![CDATA[Some security stories relate to fairly harmless issues, but this one might go well beyond "whoops."  It seems that LIGNex1 and Hyundai Heavy Industries, two Korean companies that construct things for the military, have had malicious code planted within their computer systems.<br><br>
So you know the (potential) scale of the problem: LIGNex1 deals with missiles, radar, and communications systems.  Hyundai Heavy Industries is the world's largest shipbuilder.  And it was the National Security Research Institute that found the malicious code.  This sounds like the start of some near-apocalypse novel by Tom Clancy, right?<br />
<br />
As for who planted the code, how they did it, and what files were affected, details are scarce right now.  Chalk it up to government secrecy or (and this is a slightly scarier possibility) true ignorance at the same level.<br />
<br />
Anyway, as reported by <a href="http://www.scmagazineuk.com/South-Korean-defence-suppliers-uncover-malicious-code/article/118477/">SC Magazine UK</a>, a National Security Research Institute representative said, "The research institute suspects the culprits are Chinese or North Korean hackers but doesn't know specifically what information they stole.  In the worst case, the blueprints of missiles and Aegis ship could have been stolen."<br />
 <br />
There are a few silver linings and good signs in all of this, however.  One came as the spokesperson acknowledged, "It's shocking that our major defense industries are open to attacks from hackers and that our missiles are vulnerable to theft by cyber terrorists.  A general review of our cyber security system is needed."<br />
<br />
And in all honesty, having the blueprints to something doesn't necessarily mean that a person or country can build it.  There are matters of resources and skill to consider, even as spy satellites presumably keep an eye on large factories and shipbuilding facilities.<br />
<br />
Finally, at least the blueprint secrets were (maybe) stolen from companies connected to a close ally like South Korea, instead of a government less willing to cooperate with the U.S.<br />
<br />
So, assuming we aren't all soon destroyed in either an economic or military sense, things at Korean defense companies may be better in the long term.  And hopefully defense corporations located elsewhere in the world will also learn from this development.<br><br>]]></description>
<category>SecurityProNews News</category>
</item>
<item>
<title>After Airport Stop, Kevin Mitnick Shares Travel Tips</title>
<link>http://www.SecurityProNews.com/news/securitynews/spn-45-20081001AfterAirportStopKevinMitnickSharesTravelTips.html</link>
<description><![CDATA[The next time you have to take off your shoes and belt at an airport, keep in mind that things could be much worse.  You might get detained and questioned for four hours, for example, which is something hacker-turned-security-consultant Kevin Mitnick recently experienced on a return trip from Colombia.<br><br>
People and companies needn't worry too much that Mitnick's fallen back to the proverbial dark side; accusations weren't really made, and charges were never brought.  As told by Elinor Mills, his detainment instead seems like a cautionary tale about wrongful accusations and the defensive measures traveling computer owners should take.<br />
<br />
<a href="http://news.cnet.com/8301-1009_3-10054569-83.html?part=rss&subj=news&tag=2547-1_3-0-20">Mills</a> writes, "Agents from the Immigrations Customs Enforcement arrived to question him.  They asked why he was in Atlanta and he told them; he was there to moderate a panel at a security conference sponsored by the American Society for Industrial Security.  Asked for proof, he fired up a laptop to show them the itinerary in his e-mail.  But when he clicked 'yes' to have Firefox clear his private data--an automatic response to a default setting--the agents snatched the laptop away from him, thinking he was deleting evidence."<br />
<br />
So be careful about every click and keystroke, for one thing.  Otherwise, "To protect his privacy and that of his clients, Mitnick encrypts all the confidential data on his laptops, transmits it over the Internet for storage on servers in the U.S., and wipes it from the computer before returning from any international trips, just in case officials decide to search or seize his equipment.  He also encrypts his hard drive.  And now, he says he is going to keep a 'clone' of his MacBook at home so he will have an exact duplicate of it if it is ever seized."<br />
<br />
Depending on what sort of stuff you keep on your computers - and whether or not laws about laptop searches are changed - these steps may be worth imitating.  The average business traveler isn't as likely to get stopped as Kevin Mitnick, of course, but the story seemed worth relating.<br><br>]]></description>
<category>SecurityProNews News</category>
</item>
<item>
<title>Live Search Updates Webmaster Center With Malware Sniffer</title>
<link>http://www.SecurityProNews.com/insiderreports/insider/spn-49-20081126LiveSearchUpdatesWebmasterCenterWithMalwareSniffer.html</link>
<description><![CDATA[Worried about the possibility that part of your website has been hijacked by malicious hackers without you knowing it? It happens sometimes, and sometimes a webmaster can link out to a site with undiscovered malicious code.<br><br>Though playing some catch-up with the other search engines, Live Search updated its <a href="http://webmaster.live.com">Webmaster Center</a> this week to include what's been called a "malware sniffer." Plus, it's free. <br />
<br />
Google and Yahoo both have been vigilant lately about identifying dangerous websites. Google allows a person to proceed from the search results only after a clear warning has been issued. Yahoo scans all the pages in its index as well. <br />
<br />
Microsoft is following suit by disabling links in its search results that Live Search identifies as containing malware, and it often removes those dangerous sites from the index. For any website owner, demotion or ejection from search results is, to say the least, counterproductive. It's worse if your site gets a sudden reputation for hosting viruses. <br />
<br />
Live Search's Webmaster Center is pretty comprehensive when it comes to diagnosing problems with a website. The latest addition, comprehensive malware detection, is a welcome one. <br />
<br />
The update includes:<br />
<br />
<blockquote>Detection of malware present on all webpages or on pages linked to from those pages, all of which are disabled and flagged in the search results. <br />
<br />
Downloadable reports detailing which pages are affected and advice on how to fix it and be reincluded in the index. </blockquote><br />
<br />
Indeed, if malware is detected, a reinclusion request to all of the search engines is likely necessary to speed up the process.<br><br>]]></description>
<category>SecurityProNews Insider Reports</category>
</item>
<item>
<title>Post McColo, Spam On The Rise Again</title>
<link>http://www.SecurityProNews.com/insiderreports/insider/spn-49-20081125PostMcColoSpamOnTheRiseAgain.html</link>
<description><![CDATA[It seemed from the beginning something that would only be temporary as spammers regrouped. Though spam levels dropped by as much as 75 percent in the hours following McColo Corp.'s now infamous booting, spam's already making a comeback.<br><br>
A couple of weeks ago, McColo Corp. was kicked offline due to some nice investigative reporting tracing back swaths of malicious material to servers there. As expected, spammers scrambled, presumably just long enough to regroup elsewhere, likely in less consolidated places. <br />
<br />
Symantec's MessageLabs told SecurityProNews today that spam levels are back on the rise, reclaiming about two-thirds of the ground they lost. The lag between takedown and reprisal is attributed to the time it took for botnet owners to find a new ISP and bandwidth provider.<br />
<br />
"The Asprox and Rustock botnets are back with a vengeance after having found new command and control," said MessageLabs senior anti-spam technologist Matt Sergeant. "Cutwail never went away and it seems its owners have used the opportunity to increase output. Mega-D is also on the rise again," he said. "Srizbi, having once been responsible for 50 percent of all spam, is now completely defunct. Without this botnet, spam levels won't return to what they had been.  As always, businesses and consumers are urged to make sure their spam filters and anti-virus engines are up to date."<br />
<br />
One thing seems certain, though. Security companies and researchers are getting better at tracking down and identifying the malware underground. Recent exposes from CNet, Berkeley, and Symantec show that, at the least, it will become harder and harder for its members to organize, a development that will push them into a sort of diaspora. <br />
<br />
Good thing too, especially as they get more clever about things. Microsoft just reported the removal of nearly 1 million fake Microsoft antivirus programs from PCs, or one five in every one thousand.<br><br>]]></description>
<category>SecurityProNews Insider Reports</category>
</item>
<item>
<title>Underground Economy Booming</title>
<link>http://www.SecurityProNews.com/insiderreports/insider/spn-49-20081124UndergroundEconomyBooming.html</link>
<description><![CDATA[There's good news and bad news regarding Symantec's underground Internet economy report, released today. The good news is that the bad guys have steely eyes upon them at all times. The bad news is that the bad guys' business is booming.<br><br><table border="0" cellpadding="0" cellspacing="0" width="350"><tr><td align="center"><img src="http://images.ientrymail.com/securitypronews/underground-economy-booming.jpg" alt="Underground Economy Booming" title="Underground Economy Booming" border="0" height="200" width="336" class="irImage"></td></tr><tr><td class="caption" style="padding-bottom: 10px; padding-left: 45px; padding-right: 45px;" align="right">Underground Economy Booming</td>  </tr><tr><td class="caption" style="padding-bottom: 0px;" align="center"><img src="http://images.ientrymail.com/webpronews/salon/complete.gif" height="21" width="334"></td></tr></table>It would seem that economies of scale have grown to the point that wholesale access to your and many others' bank accounts is relatively cheap. Between June 2007 and July 2008, close to 70,000 cybercriminals advertised their services in underground online forums. <br />
<br />
Need a good hosting kit for a phishing scam? Average price is $10, but as cheap as $2 or as high as $80, with guaranteed uptime and virtual hosts. Daily, weekly, and monthly hosting services available for as little as a dollar a day. <br />
<br />
Need a good botnet? You can rent one, upgrade your old one, or buy a new one for an average price of $225. You can pay for it all with a stolen credit card number, which can cost as little as 10 cents, or as much as $25 for a card with an average limit of $4,000. <br />
<br />
Credit cards are the most popular offerings, offered in bulk with discounts or free bonus numbers with larger orders. The second most popular purchase is access to someone's bank account, running between $10 and $1,000, but with an average account balance of $40,000. <br />
<br />
In the report, Symantec's Security Technology and Response (STAR) organization estimated the potential worth of all the credit cards advertised at $5.3 billion, with an estimated total sale value of $276 million last year. Potential combined bank account worth was tallied to be about $1.7 billion. <br />
<br />
Over the 12-month period, Symantec monitored 44,752 unique samples of sensitive information publicly posted on underground economy servers, a small percentage of the millions of messages posted with tags like "100% successful," "fast," or "legit." <br />
<br />
Where are all these underground economy servers located? Symantec said close to half (45 percent) were in North America, but, perhaps thanks to heavy law enforcement monitoring, North American fraudsters are scattered, obtaining information from acquaintances. They are far less organized and efficient than their Russian and Eastern European counterparts. <br />
<br />
Locating them isn't so easy, though. Symantec notes one case where financial accounts were cashed out to untraceable locations in under 15 minutes. <br />
<br />
"As evidenced by the <a href="http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_underground_economy_report_11-2008-14525717.en-us.pdf">Report on the Underground Economy</a>, today's cybercriminals are thriving off of information they are gathering without permission from consumers and businesses," said Stephen Trilling, vice president, Symantec Security Technology and Response. "As these individuals and groups continue to devise new tools and techniques to defraud legitimate users around the globe, protection and mitigation against such attacks must become an international priority."<br><br>]]></description>
<category>SecurityProNews Insider Reports</category>
</item>
<item>
<title>75 Percent Of World's Spam Knocked Offline</title>
<link>http://www.SecurityProNews.com/insiderreports/insider/spn-49-2008111375PercentOfWorldsSpamKnockedOffline.html</link>
<description><![CDATA[Score one for the security industry - a big one, a massively ginormous and temporary strike against spam. A slew of security companies and the Washington Post tracked massive amounts of spam back to one San Jose-based hosting company, now offline, and 75 percent of the world's spam went offline with it - for about 12 hours.<br><br><table border="0" cellpadding="0" cellspacing="0" width="350"><tr><td align="center"><img src="http://images.ientrymail.com/securitypronews/75_percent_spam_offline.jpg" alt="75 Percent Of World's Spam Knocked Offline" title="75 Percent Of World's Spam Knocked Offline" border="0" height="200" width="336" class="irImage"></td></tr><tr><td class="caption" style="padding-bottom: 10px; padding-left: 45px; padding-right: 45px;" align="right">75 Percent Of World's Spam Knocked Offline</td> </tr><tr><td class="caption" style="padding-bottom: 0px;" align="center"><img src="http://images.ientrymail.com/webpronews/salon/complete.gif" height="21" width="334"></td></tr></table><br />
But hey, that's a pretty good leap right? <br />
<br />
Alert after alert went out about spam operations tracing back to McColo Corp. servers. Complaints were made to the company, which gave lip service about addressing the issue before simply moving offending clients to different addresses. <br />
<br />
Spam traced back to McColo servers covered pretty much all forms, from pharmaceutical spam to child pornography hosted there. On that evidence, two providers, Global Crossing and Hurricane Electric, took the company offline.  <br />
<br />
<center><img src="http://images.ientrymail.com/securitypronews/spam_chart.gif"></center><br />
"MessageLabs documented a massive drop in spam volume to levels eight times less than typical volumes for a period of 12 hours immediately following the takedown before spam levels began to rise again, proving that taking out the kingpin members of the underground spam economy can have a massive effect on global spam levels," Matt Sergeant, Senior Anti-Spam Technologist for MessageLabs told SecurityProNews. <br />
<br />
"First with Atrivo and now the demise of McColo is a testament to how community action is absolutely vital in the fight against spam."<br />
Said community, which also includes the investigative security reporting of the <a href="http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html">Washington Post</a>, was made up of SecureNetworks, FireEye, ThreatExpert, and SysInternals, which published data confirming McColo as the host for all of the top botnets. <br />
<br />
It's unclear what, if any, criminal charges can be made against McColo. Most laws regarding hosting companies protect them from liability for third-party content. However, there may be grounds for exception if the company knowingly hosted illegal content, which in this case includes copyright infringing content and child pornography. <br />
<br />
While this is a major coup, realists understand that massive takedowns like this only spread out offenders across the Web as they relocate to other dummy hosting providers. But recent actions by service providers and by ICANN, which used a contract breach to take down a Russian network, have shown more aggression toward the places where malicious content is known to be hosted. <br />
<br />
Indeed, researchers seem to be getting more skilled at locating, even manipulating sources of spam. For a <a href="http://www.webpronews.com/topnews/2008/11/11/spam-botnet-earns-estimated-35-million-annually">recent study</a> out of Berkeley and UCSD, researchers successfully hijacked the Storm botnet to study the profitability of spam. The study concluded it was unlikely offenders were spread out over third-party affiliate networks. Spammers and the malicious websites they attempt to lure people to were likely run by the same central operation. For example, to generate a profit, a pharmaceutical site selling knockoff drugs is likely to be run by the same people generating botnets.<br />
<br />
In the future, then, it's likely security experts will find ways to target hives of malicious material, as it seems taking one offender down could be highly efficient.<br><br>]]></description>
<category>SecurityProNews Insider Reports</category>
</item>
<item>
<title>Zombies, How to Fight Them</title>
<link>http://www.SecurityProNews.com/insiderreports/insider/spn-49-20081112ZombiesHowtoFightThem.html</link>
<description><![CDATA[Just so you're warned: If the zombies come back it could be your fault. "It is only a matter of time until the next W32/ZMist heads our way," premonishes McAfee's Vinoo Thomas. And it could all be because of something stupid.<br><br><table border="0" cellpadding="0" cellspacing="0" width="350"><tr><td align="center"><img src="http://images.ientrymail.com/securitypronews/zombies-how-to-fight.jpg" alt="Zombies, How to Fight Them" title="Zombies, How to Fight Them" border="0" height="200" width="336" class="irImage"></td></tr><tr><td class="caption" style="padding-bottom: 10px; padding-left: 45px; padding-right: 45px;" align="right">Zombies, How to Fight Them</td> </tr><tr><td class="caption" style="padding-bottom: 0px;" align="center"><img src="http://images.ientrymail.com/webpronews/salon/complete.gif" height="21" width="334"></td></tr></table>Thomas warns IT security may be so focused on the more sophisticated threats of the day - botnets, rootkits, and spyware - that they may be letting their guards down when it comes to good old-fashioned parasitic file-infectors out there in the wild. Such carelessness could result in "widespread damage to computer systems." <br />
<br />
"We regularly come across simple parasitic infectors that manage to infect every workstation and server on the network," writes Thomas in a <a href="http://www.mcafee.com/us/local_content/white_papers/threat_center/combating_file_infectors_corp_networks.pdf">free whitepaper</a> he presented at the 3rd International Conference on Malicious and Unwanted Software. "And administrators are at their wits' end trying to figure how the simplest of viruses managed to spread and infect every networked machine in so little time and with such stunning effect." <br />
<br />
File-infecting viruses are on the rise, says Thomas, and they're getting more sophisticated, but IT administrators can avoid them with common-sense practices. If, for example, an employee with low computer skills has managed to contract the simplest of worms, the virus is likely kept from spreading across the company network because the employee's account lacks administrator access to the network. <br />
<br />
But what happens with apparently alarming frequency is that IT administrators log onto the computer using their own account and password in order to address the employee's computer problem. <br />
<br />
"[W]hen an administrator logs to the affected machine using their domain admin account, the worm now runs on the affected machine using the elevated credentials of a domain administrator. Straight away the worm can now infect and spread to any host on the domain using these newly acquired administrative credentials. And in a matter of minutes the entire network with thousands of machines gets infected - by the dumbest of worms. And all this because an ignorant administrator committed the cardinal sin of logging into an infected machine using their own account."<br />
<br />
He uses lots of other condescending adjectives like "dumbest" and "hapless" in his whitepaper, too. But he also recommends a course of action that mimics systems in place at McAfee. Thomas proposes using virtual local area network (VLAN) technology to mass deploy a SAMBA-based honeypot to the entire site. In addition, Thomas recommends setting up a Server Message Block (SMB)-based sniffer to capture file-infector activity. <br />
<br />
Maybe then you won't be the hapless harbinger of network-brain-eating zombies.<br><br>]]></description>
<category>SecurityProNews Insider Reports</category>
</item>
<item>
<title>AVG Update Labeled Windows File As Trojan</title>
<link>http://www.SecurityProNews.com/insiderreports/insider/spn-49-20081111AVGUpdateLabeledWindowsFileAsTrojan.html</link>
<description><![CDATA[File this one under super embarrassing: Some users of the latest two versions of AVG's free virus scanner ended up with a computer in eternal boot mode. The antivirus software had falsely identified a critical Windows XP file as a Trojan virus.<br><br><table border="0" cellpadding="0" cellspacing="0" width="350"><tr><td align="center"><img src="http://images.ientrymail.com/securitypronews/avg_windows_file_trojan.jpg" alt="AVG Update Labeled Windows File As Trojan" title="AVG Update Labeled Windows File As Trojan" border="0" height="200" width="336" class="irImage"></td></tr><tr><td class="caption" style="padding-bottom: 10px; padding-left: 45px; padding-right: 45px;" align="right">AVG Update Labeled Windows File As Trojan</td> </tr><tr><td class="caption" style="padding-bottom: 0px;" align="center"><img src="http://images.ientrymail.com/webpronews/salon/complete.gif" height="21" width="334"></td></tr></table><br />
And when you remove that, see, Windows doesn't work anymore. <br />
<br />
Alarms went up soon after the release of an update to AVG 7.5 and 8.0, when forum posters reported an incorrect virus signature identifying Windows XP file user32.dll as containing Trojans PSW.Banker4.APSA or Generic9TBN. AVG recommended deleting this file, which is a really, really bad recommendation. <br />
<br />
Fortunately for English speakers, the problem only affected users of the Dutch, French, Italian, Portuguese, and Spanish language versions of Windows XP.<br />
<br />
AVG was pretty quick about addressing the problem, even though it was the middle of the night in Amsterdam, so kudos to them on that. The company confirmed it was a false positive and offered instructions for how to fix the problem from safe mode or recovery console. Soon after that, they issued this press release: <br />
<br />
<blockquote>AVG is actively working to remedy the problem some users are experiencing related to the most recent update to commercial and free versions of AVG 7.5 and AVG 8.0 in some languages. A number of users who installed the update mistakenly received a warning that the Windows system file user32.dll product version 5.1.2600.3099 was infected with a Trojan virus and were prompted to delete a file essential to the operation of Windows XP. <br />
<br />
The problem only affects users of the Dutch, French, Italian, Portuguese, and Spanish language versions of Windows XP. <br />
<br />
AVG is taking these steps to assist users in remedying the problem: <br />
<br />
- Immediate release of a new update to correct the problem.<br />
- Creation of a specific informational section on the AVG website that enables users to resolve the problem. <br />
Affected users should follow the weblinks below for further information and to download the fix tool: <br />
(1) <a href="http://www.avg.com/support/HotTopics1574 FalsePositiveuser32.dll">http://www.avg.com/support/HotTopics1574 FalsePositiveuser32.dll</a><br />
(2) <a href="http://www.avg.com/support/HotTopics1574 FalsePositiveuser32.dll - fix tool ">http://www.avg.com/support/HotTopics1574 FalsePositiveuser32.dll - fix tool </a><br />
<br />
Affected users unable to use their PCs should contact their AVG reseller or ask a friend to download the information and fix tool for them. After running the fix tool, users should run the AVG update program to download and install the correct AVG update. <br />
<br />
AVG sincerely regrets the inconvenience users have experienced. We are working to remedy the problem and ensure that any other potential vulnerabilities are identified and eliminated before they can impact users.</blockquote><br><br>]]></description>
<category>SecurityProNews Insider Reports</category>
</item>
<item>
<title>Spam Alert: Obama In Sex Tape Scandal (Again) </title>
<link>http://www.SecurityProNews.com/insiderreports/insider/spn-49-20081110SpamAlertObamaInSexTapeScandalAgain.html</link>
<description><![CDATA[Malicious spammers/hackers are continuing their efforts via shocking Obama-related subject lines. And why not? With a success rate of 1 in 12.5 million, that's at least 30 dopes in the US who might fall for it.<br><br><table border="0" cellpadding="0" cellspacing="0" width="350"><tr><td align="center"><img src="http://images.ientrymail.com/securitypronews/spam_obama_sex_scandal.jpg" alt="Spam Alert: Obama In Sex Tape Scandal (Again)" title="Spam Alert: Obama In Sex Tape Scandal (Again)" border="0" height="200" width="336" class="irImage"></td></tr><tr><td class="caption" style="padding-bottom: 10px; padding-left: 45px; padding-right: 45px;" align="right">Spam Alert: Obama In Sex Tape Scandal (Again)</td> </tr><tr><td class="caption" style="padding-bottom: 0px;" align="center"><img src="http://images.ientrymail.com/webpronews/salon/complete.gif" height="21" width="334"></td></tr></table><br />
Apparently, thanks to Bill Clinton perhaps, Democrat President is synonymous with pervert. The recent rash of malicious emails comes with the promise of a Barack Obama sex tape. <br />
<br />
The text of the email reads: "Barak Obama p0rn video, file attached, watch him".<br />
<br />
Once again they've proven their skill with spelling, and this particular strategy isn't new either. They tried it back in September, too, at the beginning of the great political spam surge. <br />
<br />
Attachments to the emails prompt the download of a zip file labeled zeland-01.zip, but Sophos says it's actually the Troj/Agent-IDO Trojan horse. <br />
<br />
According to a recent BBC report, it doesn't take much to encourage spammers to continue. What we might consider utter futility they view as reasonable return on investment, at least as far as closing an actual sale. Researchers found that out of 350 million spam messages sent, 28 sales resulted. <br />
<br />
It's unclear how much malware makes it through. <br />
<br />
This week it was an Obama sex tape, and last week was a fatal heart attack (they said "heart stroke") for one John McCane. Uncanny name. Fortunately, John McCain is still alive and ticking. Perhaps the heart attack was caused by the news of Cindy McCane's private video.<br><br>]]></description>
<category>SecurityProNews Insider Reports</category>
</item>
<item>
<title>Express Scripts Reports Massive Data Breach </title>
<link>http://www.SecurityProNews.com/insiderreports/insider/spn-49-20081107ExpressScriptsReportsMassiveDataBreach.html</link>
<description><![CDATA[Pharmacy benefit management company Express Scripts sent out a warning that millions of patient records could be exposed by extortionists following a data breach.<br><br><table border="0" cellpadding="0" cellspacing="0" width="350"><tr><td align="center"><img src="http://images.ientrymail.com/securitypronews/express_scripts_data_breach.jpg" alt="Express Scripts Reports Massive Data Breach" title="Express Scripts Reports Massive Data Breach" border="0" height="200" width="336" class="irImage"></td></tr><tr><td class="caption" style="padding-bottom: 10px; padding-left: 45px; padding-right: 45px;" align="right">Express Scripts Reports Massive Data Breach</td> </tr><tr><td class="caption" style="padding-bottom: 0px;" align="center"><img src="http://images.ientrymail.com/webpronews/salon/complete.gif" height="21" width="334"></td></tr></table><br />
The St. Louis-based company received a ransom note from an unknown entity asking for an undisclosed sum of money to prevent the leakage of the records. The letter included the personal information of 75 Express Scripts members, along with their names, birthdays, social security numbers, and some prescription information. <br />
<br />
The company notified affected members along with the FBI and began conducting its own internal investigation regarding the information in the letter, which arrived in early November. The company said it wanted to give authorities a chance to be on the trail before alerting the rest of the public. <br />
<br />
"We have been conducting a thorough investigation since we received this threat and we are taking it very seriously," said George Paz, chairman and chief executive officer. "We are cooperating with the FBI and are committed to doing what we can to protect our members' personal information and to track down the person or persons responsible for this criminal act."<br />
<br />
Paz called the breach and threat "outrageous." <br />
<br />
The company has set up a special website for members looking to get more information about the data breach. The web address is <a href="http://www.esisupports.com">www.esisupports.com</a>. <br />
<br />
"As security experts know," said Paz, "no data system is completely invulnerable. We continue to conduct our investigation. We are notifying our members and clients to enable them to take steps to protect themselves from possible identity theft."<br><br>]]></description>
<category>SecurityProNews Insider Reports</category>
</item>
<item>
<title>Beware of Presidential Malware</title>
<link>http://www.SecurityProNews.com/insiderreports/insider/spn-49-20081106BewareofPresidentialMalware.html</link>
<description><![CDATA[As the United States celebrates (or, for about 46% of the population, mourns) the election of Barack Obama and the world continues its keen interest in this particular race, malware developers are in full attack mode trying to capitalize on a patriotic meme.<br><br><table border="0" cellpadding="0" cellspacing="0" width="350"><tr><td align="center"><img src="http://images.ientrymail.com/securitypronews/beware_presidential_malware.jpg" alt="Beware Of Presidential Malware" title="Beware Of Presidential Malware" border="0" height="200" width="336" class="irImage"></td></tr><tr><td class="caption" style="padding-bottom: 10px; padding-left: 45px; padding-right: 45px;" align="right">Beware Of Presidential Malware</td> </tr><tr><td class="caption" style="padding-bottom: 0px;" align="center"><img src="http://images.ientrymail.com/webpronews/salon/complete.gif" height="21" width="334"></td></tr></table><br />
They've been busy since at least last summer, but the increase in spam and trickery has been marked in the past couple of days. Attackers appear even to be buying AdWords ads to lure victims. Suffice it to say computer users and IT pros should be wary and on guard against unsolicited or unknown sources of email, links, even ads, pertaining to Barack Obama, John McCain, or other personalities now exiting the campaign trail. <br />
<br />
The rapid influx has inspired several security company blog posts warning against specific threats as a result of the US elections. Most focus on Obama, but one has emerged targeting McCain, a shocking announcement that McCain had a fatal heart attack the day after the election. <br />
<br />
Actually, the spam says "McCane died of heart stroke," which should be any discerning recipient's clue that it's not on the up and up. The email links to a supposed Canadian pharmacy with a special discount on Viagra. Other subject lines have included promises of private videos of Cindy "McCane," and "McCane caught nude in public." <br />
<br />
Other subject lines tease that both candidates - or people with similar but differently spelled names - were killed. <br />
<br />
Wednesday, <a href="http://sophos.com/blogs/gc/g/2008/11/05/the-president-elects-first-malware-campaign/">Sophos</a> reported that 60 percent of malicious spam intercepted carried Obama-related subject lines and claimed to have originated at news@president.com. Clicking on the link in those emails led to a download that purported to be an Adobe Flash file but was actually the Trojan horse Mal/Behav-027. Another Trojan, called Mal/Heuri-E, has also been discovered. Sophos' analysis revealed:<br />
<br />
·	The malware contains rootkit technology to conceal itself.<br />
·	It's designed to steal information from an infected computer.<br />
·	It also has general backdoor functionality.<br />
·	It spies on user's keyboard and mouse inputs and can take screenshots.<br />
·	It looks for passwords.<br />
·	It submits the information it discovers to a webserver located in Kiev, Ukraine.<br />
<br />
Others include an American flag icon, or promises that the file to be downloaded is "100% checked by Antivirus." Some are labeled, tellingly, <a href="http://www.avertlabs.com/research/blog/index.php/2008/11/05/election-day-is-over-election-malware-is-not/">BarackObama.exe</a>, and carry the PWS-Banker Trojan. The AdWords link leads to a PDF file executing an exploit in Acrobat Reader.<br><br>]]></description>
<category>SecurityProNews Insider Reports</category>
</item>
<item>
<title>Campaigns Hacked, Obama Spam Commences</title>
<link>http://www.SecurityProNews.com/insiderreports/insider/spn-49-20081105CampaignsHackedObamaSpamCommences.html</link>
<description><![CDATA[In case it's possible you're not sick of political news yet, here's the tidbit to set you over: Both Obama's and McCain's computer systems were hacked during the presidential campaign by foreign agents.<br><br><table border="0" cellpadding="0" cellspacing="0" width="350"><tr><td align="center"><img src="http://images.ientrymail.com/securitypronews/campaigns_hacked_obama_spam.jpg" alt="Campaigns Hacked, Obama Spam Commences" title="Campaigns Hacked, Obama Spam Commences" border="0" height="200" width="336" class="irImage"></td></tr><tr><td class="caption" style="padding-bottom: 10px; padding-left: 45px; padding-right: 45px;" align="right">Campaigns Hacked, Obama Spam Commences</td> </tr><tr><td class="caption" style="padding-bottom: 0px;" align="center"><img src="http://images.ientrymail.com/webpronews/salon/complete.gif" height="21" width="334"></td></tr></table><br />
In a preview of <a href="http://www.newsweek.com/id/167581/page/1">Newsweek's special elections project report</a>, the magazine teased about how the presidential candidates' systems were compromised. This summer, Obama's IT crew thought they were dealing with a nasty virus, and settled upon the likelihood of it being a phishing attack. But it was worse than that: <br />
<br />
<i>. . .by the next day, both the FBI and the Secret Service came to the campaign with an ominous warning: "You have a problem way bigger than what you understand," an agent told Obama's team. "You have been compromised, and a serious amount of files have been loaded off your system." </i>The McCain campaign confirmed their computers had been hacked, too. No evidence was offered, but technicians suspected hackers in Russia or China. The reigning theory was that foreign government agents were looking for information they could use as leverage in future negotiations. <br />
<br />
The worldwide attention of this particular campaign has made the US a huge target in general. The day after it's all over (phew!), attackers have gone full force, sending out <a href="">malware-packing spam</a> offering details about the President-Elect. Clicking on the link prompts a supposed download of Adobe Flash, but transfers instead a Trojan horse named Mal/Behav-027. <br />
<br />
Crooks are getting more creative and brazen, too. They're buying AdWords now. Sophos reported a link appearing on "a search engine" (Google's interface is in the screen shot) that, when clicked, brought up a download installer screen promising the file was "100% checked by Antivirus." It carries an exploit for an Acrobat Reader vulnerability, CVE-2007-5659. <br />
<br />
<center><object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="336" height="203" id="viddler"><param name="movie" value="http://www.viddler.com/simple_on_site/a4334265" /><param name="allowScriptAccess" value="always" /><param name="allowFullScreen" value="true" /><param name="wmode" value="transparent" /> <embed src="http://www.viddler.com/simple_on_site/a4334265" width="336" height="203" type="application/x-shockwave-flash" allowScriptAccess="always" allowFullScreen="true" wmode="transparent" name="viddler" ></embed></object></center><br><br>]]></description>
<category>SecurityProNews Insider Reports</category>
</item>

</channel></rss>