Mobile virus writer arrested in Spain

Spanish police have caught their first mobile virus writer with the arrest of a 28 year-old man in Valencia.

The man allegedly wrote more than 20 different variants of the Cabir and Commwarrior worms, and sought to install them on mobile phones.

Police estimate that over 100000 phones may have been infected with the malware, and said that the damage may cost mobile operators and phone owners millions of euros.

"Mobile phone viruses are not nearly as common as the malware that strikes Windows desktops on a regular basis, but they are just as illegal in their intent," said Graham Cluley, senior technology consultant at Sophos.

"Viruses are not harmless pranks; they cause real harm disrupting business and personal communications as well as destroying and stealing sensitive data.

"The computer crime authorities around the globe are becoming more experienced at tracking down hackers and virus writers and, given this latest arrest, malware authors should be asking themselves whether it is really worth taking the risk."

The viruses were installed by users who thought they were downloading erotic photos, sports information or antivirus software.

One of the clues that led Spanish police to the arrest was the frequent inclusion of personal names, including 'Leslie' which is thought to be the man's fiancée.

Zlob malware hijacks YouTube

YouTube is again being used to distribute malware, this time a variant of the nuisance Zlob malware.
According to Secure Computing, attackers are using a fake video link on the site to initiate infection with the Trojan, which bombards its victims with porn adware, before installing data-stealing code.

What makes matters worse is that the only defence against such attacks on the popular video-hosting website is the diligence of YouTube’s security personnel, who can remove attacks as soon as they find them. However, according to Secure’s Paul Henry, this still gives the malware distributors a window of opportunity of at least hours.

“The fact is, no one expects to find malware hidden in YouTube files. Yet the medium’s popularity is highly alluring as a mass distribution vehicle for malicious code. What’s alarming is that - from a security perspective - many users and organisations will be blindsided and potentially seriously exposed,” he said. “Hackers look at cost of ownership. On YouTube it [the period of opportunity] is half a day.”

The trend to compromise legitimate websites to distribute malware was the latest frontier for criminals, with a string of well-known sites having been hacked in recent times, he said. YouTube’s allure was its massive and trusting user base, which cuts across every demographic.

Secure’s solution was for companies to invest in ‘reputation services’ such Secure Computing’s own, TrustedSource. Equally, companies might choose just to block access to YouTube.

YouTube-related hacks are nothing new. Last November, one appeared on MySpace that posed as a video from the site, but which turned out to be a similar malware scam to the Zlob hack without actually using the site itself.

More recently, hacks hosted on the site itself have started appearing, or using the promise of a YouTube video as bait.

One researcher even claimed to have uncovered a nest of vulnerabilities on the site, none of which YouTube’s owners, Google, had been willing to discuss until he threatened to go public.

Hackers hit 10000 sites

Attackers armed with an exploit toolkit have launched massive attacks in Europe from a network of at least 10,000 hacked websites, with infections spreading worldwide.

As early as Friday, analysts reported the opening salvos of a large-scale attack based on the multi-exploit hacker kit dubbed "Mpack". The mechanics of the attacks are involved, but essentially attackers taint each compromised site with code that then redirects visitors to a server hosting the Mpack kit — a professional, Russian-made collection of exploits that comes complete with a management console to detail which exploits are working, and against what countries' domains.

Infected computers are fed a diet of malicious code, largely keyloggers that spy out usernames and passwords for valuable accounts, such as online banking sites.

"The gang behind the attack has successfully compromised the homepages of hundreds of legitimate Italian websites," said Symantec researcher Elia Florio in a posting to the vendor's security response blog on Friday. "The list of compromised sites is huge and from Mpack statistics this attack is working efficiently."

Florio says Symantec is uncertain how the sites were originally hacked, but suspected a common vulnerability or configuration problem at the hosting level. Paul Ferguson, a network architect with Trend Micro, would only guess at how sites were hijacked, but said that the 'how' is mostly moot. What's important: "The hackers seem to be able to find a lot of sites to compromise no matter where they look."

By Friday night, Symantec had pegged the number of compromised sites feeding Mpack exploits at 6,000; by yesterday, security vendor Websense said it had tracked more than 10,000. "That's a phenomenal number," argued Ferguson, who said that previous compromised-site attacks using hacker kits could be counted as "several hundred here, a couple hundred there".

Screenshots of the Mpack management console posted by Websense on Monday and Symantec on Friday illustrate the large numbers of computers that have surfed to the compromised sites, and the high success rate of the Mpack-delivered exploits.

"The lion's share of the sites we're seeing are in Italy still," said Ferguson, "but we're seeing sites all over the world as well." For instance, Trend Micro has identified hacker-controlled sites hosted in California and Illinois. The California site is hosted by a company Ferguson called "notorious", but he wouldn't divulge the hosting vendor's name.

"The usual advice we give, 'avoid the bad neighbourhoods of the web', just doesn't hold water anymore" when legitimate sites have been hacked and are serving up exploits left and right, Ferguson said. "Everywhere could be a bad neighbourhood now."

House committee antispyware effort

USA House of Representatives committee on Thursday unanimously approved a pair of bills that would impose a slew of new regulations in the name of spyware crackdowns and new limits on the use of Social Security numbers.

In a meeting that lasted scarcely 10 minutes and was void of debate, the House Energy and Commerce Committee paved the way for amended versions of the controversial Spy Act and the Social Security Number Protection Act to go to the full House for a vote.

Rep. John Dingell (D-Mich.), the committee's chairman, said both bills "strike a blow" in a fair and balanced way against what he called the "scourge" of identity theft.

The Social Security number bill, chiefly sponsored by Rep. Ed Markey (D-Mass.), prescribes new rules, to be issued by the Federal Trade Commission, that would generally bar the sale or purchase of Social Security numbers and allow state attorneys general to sue for civil penalties of up to $11,000 per violation.

The ban on trafficking in the identifiers would not be absolute, though: The bill asks that exceptions be considered for a number of purposes, including law enforcement, national security, public health, emergency situations and research "for the purpose of advancing public knowledge."

The bill would also prohibit display of Social Security numbers on any Web site that is generally accessible to the public or on any membership or identity cards, and it would make it unlawful to require that the numbers be used to log into accounts.

Those restrictions are a good move, albeit one that many corporations and universities are already adopting, said Marc Rotenberg, executive director of the Electronic Privacy Information Center. But he said he believed the bill leaves "too many exceptions" on the numbers' sale and purchase. He also voiced disappointment that the measure would pre-empt all state laws, which, by his estimation, have been "taking the lead" on protecting privacy regarding Social Security numbers.

The newly approved antispyware bill also continued to draw reservations from online advertisers concerned it could unwittingly threaten their business models.

The Spy Act, among other things, attempts to make it unlawful to engage in various means of "taking control" of a user's computer, to collect personally identifiable information through keystroke loggers, and to modify a user's Internet settings, such as the browser's home page. It also includes a broad prohibition on collecting information about users or their behavior without notice and explicit consent.

Online advertisers and marketing groups have sharply opposed that requirement, arguing it would unintentionally threaten the viability of Web sites that rely on cookies and other tactics to target ads and to provide free content to their users. Although the bill says it exempts cookies from that notice requirement, the industry has argued that new, non-cookie technologies down the pipe could be threatened by the bill.
Now on News.com
FAQ: What to do with your Yahoo photos Coming attractions for history's first cyber-war Photos: Stanford passes first DARPA test Extra: Michael Moore's 'Sicko' leaked onto Web before studio release

The politicians refused to strip that provision in an amendment approved Thursday, opting instead to direct the FTC to study the issues it raises. (Law enforcement and national security activities, and software intended to prevent fraud would also be exempt from the notice requirements.)

Mike Zaneis, vice president of public policy with the Interactive Advertising Bureau, said in a telephone interview that the changes to the bill didn't satisfy the industry's concerns. The fundamental problem with the approach the bill takes, he suggested, is "we're not going to be able to predict and carve out all these new technologies that don't make sense to regulate."

The Spy Act is the second antispyware bill that House committees have passed in recent weeks. A dueling measure, approved last week by the House Judiciary Committee, proposes up to five years in prison for malicious spyware-related activities. It has been applauded by high-tech companies because it does so in a way that does not attempt to regulate the technology involved, but focuses instead on punishing shady actions.

Although they have won overwhelming approval from politicians in previous congressional sessions, it's not clear that either of the antispyware measures is necessary. The most worrisome forms of spyware already are illegal, as demonstrated by civil cases brought by the FTC and criminal prosecutions brought by the U.S. Department of Justice.

New suite of security products

Robot Genius, an Oakland, Calif.-based start-up, announced Monday that it has created a new suite of security products designed to combat malicious software attacks like spyware, adware, and rootkits through a threefold approach of prevention, detection, and remediation. The products can be downloaded individually or used in collaboration.

The first component of the software package is RGcrawler Data, an automated Web crawler for locating and testing out potentially malicious software on the Internet; the second is RGguard, a browser plug-in that warns the user of potential attacks; and the third is Spyberus, a behavior-based security client designed to track down and reverse the effects of malicious software installed on a PC. The company claims that Spyberus has a 99 percent success rate in reversing spyware, adware, rootkits, and other forms of malicious software. Free trial versions of RGcrawler Data and Spyberus are available now on Robot Genius' Web site; RGguard is "coming soon."

Politicians press for antispyware law

Leaders of a House Energy and Commerce subcommittee focused on consumer protection issues said they were mystified that earlier versions of the so-called Spy Act overwhelmingly passed the House in 2004 and in 2005 but were ignored by the Senate. Politicians from both parties said they hoped the third time would be the charm.

"Spyware is simply nasty stuff that clogs computers, slows down processing power and is costly to remove," Rep. Bobby Rush (D-Ill.), the panel's chairman, said at a morning hearing here about the proposed legislation.

Rep. Joe Barton (R-Texas), the co-chairman of the full Energy and Commerce Committee, said that unlike some issues, such as Net neutrality, "there's 100 percent unanimity" that antispyware legislation is necessary. "This legislation ought to be an automatic-passage bill," he said.

The latest effort, chiefly sponsored by Reps. Edolphus Towns (D-N.Y.) and Mary Bono (R-Calif.) but backed by many others, would impose extensive regulations on what types of actions software may perform.

Among other things, the proposal would make it unlawful to engage in various means of "taking control" of a user's computer, to collect personally identifiable information through keystroke loggers, and to modify a user's Internet settings, such as the browser's home page.

The bill would also broadly prohibit collection of information about users or their behavior without notice and consent, and it prescribes specific notice requirements. Exemptions from the regulations would go to Web cookies, law enforcement and national security activities, and software intended to prevent fraud.

Previous versions of the bill drew support from a number of high-tech companies, including Yahoo, eBay, AOL Time Warner, Dell, Microsoft and EarthLink, according to Rush and Barton.

But some companies have questioned the necessity of such legislation. Under current federal and state laws, the Federal Trade Commission has already brought 11 spyware enforcement cases, and four states have brought a total of 10 spyware lawsuits, according to research compiled by the Center for Democracy and Technology, which generally supports the bill.

The FTC has also lamented not having the ability to levy large monetary penalties on spyware purveyors. The Spy Act would put in place such an increase, allowing the FTC to seek fines as hefty as $3 million for the most egregious violations.

Online advertisers said they generally support the bill, but they argued that some parts of it go too far beyond combating insidious software. At Thursday's hearing, industry representatives said they remained concerned that its proposed notice and consent requirements, which ask consumers to opt in to have their information collected, could unintentionally threaten Web sites that rely on cookies and other tactics to target ads and to provide free content to their users.

"As all media advertising increasingly migrates to interactive platforms, we are concerned that this bill may unnecessarily limit business interaction with consumers," said Dave Morgan, founder and chairman of New York-based Tacoda, an online advertising company. Morgan was also representing the Interactive Advertising Bureau, of which News.com parent company CNET Networks is a member.
Now on News.com
MLB aims brushback pitch at Slingbox Photos: Corbis to take 'microstock' plunge YouTube founders: Video ads coming Extra: '86 Mac Plus vs. '07 AMD DualCore

Bono, one of the Spy Act's primary authors, said she "didn't really have a problem with cookies...because anyone with a slight degree of sophistication on the Internet knows how to delete the cookies. That's not hard to do."

Also on Thursday, the Anti-Spyware Coalition released final versions of "best practices" documents for makers of antispyware. The guidelines are designed to help companies identify malicious software and overcome conflicts with each other.

Later on Thursday, Reps. Zoe Lofgren (D-Calif.) and Bob Goodlatte (R-Virginia) reintroduced an identical version of their own spyware bill, known as the Internet Spyware Prevention Act. That bill also passed the House in two previous sessions of Congress but died in the Senate.

It differs from the Spy Act in several ways, including its shorter length. Rather than attempting to define what illicit software is, it would make it a crime to copy computer code on a machine without authorization if doing so divulges personal information about a user or "impairs" a computer's security. It also proposes criminal penalties of up to five years in prison for violators.

Sponsors said the bill is designed to combat spyware without stifling software development or issuing heavy-handed regulations. Goodlatte said in a statement that it would "punish the bad actors while protecting legitimate online companies."