Internet Security Zone Blog

Zango sneaks onto FaceBook users’ PCs

Going surfing? It’s dangerous out there - wear layers.

Is the Internet really dangerous? As you surf, are you *really* at risk? The answer is YES, but nothing hits a point home like a modern-day example.

The example comes from our old “friends” at Zango (formerly 180Solutions). Those who follow ZoneAlarm events will remember the court case 180Solutions brought against us just a couple years back for protecting our customers from installing their application. They eventually dropped the complaint after we refused to back down (http://download.zonealarm.com/bin/free/pressReleases/2006/pr_1.html), but that didn’t stop Zango from continuing their tricky tactics.

 

It all starts with a secret crush

So you’re on Facebook, and there in the top right you see what any breathing human would consider a titillating, intriguing message: “1 secret crush invitation.” Oh, and a little red heart. Gentlemen, ladies – how many of you will take notice and click through? Could you use a little company? Perhaps the next Mr. or Mrs. Right?

But in this case, it’s no secret admirer. It’s a “corporate admirer,” and the only company you’re going to get out of the deal is a sneaky little piece of adware that downloads to your computer and watches you. (Fortinet, who discovered the exploit, has the details nicely recorded here: http://www.fortiguardcenter.com/advisory/FGA-2007-16.html.)

 

Social engineering ends in heartbreak

This practice Zango used is called social engineering. It can hit you anytime, anywhere. It’s the way that hackers get you to willingly download crap to your PC. This crap can be anything from bothersome adware that slows your PC and flashes banner ads, to programs that record anything you type, such as credit card numbers.

You could even end up with a vicious rootkit, keylogger or spyware program that just all-out takes control of your PC to attack your friends and family, attack the government, send illegal porn, and other very bad things. Estimates say that about 25% of us have at least one of these types of programs on our PC.

 

Get protection – layers of protection

We all need to do a lot to protect ourselves, those around us, and the Internet-at-large. In the above Zango case, I believe it’s incumbent upon Facebook to qualify the widgets that are offered through their service. And it’s incumbent upon companies that are creating really cool, open services like Facebook and widgets to consider security implications along with all the fun.

And here’s what we should do: Simply protect ourselves with a lot of layers of security. This way, even if a threat gets by one or even several layers, there will always be another layer (or several) to catch it.

In the Zango example, ZoneAlarm products protect in a number of ways. Here’s how:  

 

ZoneAlarm ForceField

This is the product designed specifically to protect you as you surf the Web. (It’s currently in beta as a free download.)

ForceField caught Zango variants with two of its layers. First, it found a Zango URL variant that was dangerous (below) through its spy site blocking:

[screenshot: ForceField spy site blocking alert for the Zango URL]

Next, it found a variant of the Zango executable as it downloaded to the PC through its dangerous download detection (below).

[screenshot: ForceField dangerous download detection alert for the Zango executable]

ZoneAlarm Internet Security Suite

This is the single firewall-based product designed to protect you and your PC from everything that gets thrown at it. It caught Zango variants with three of its layers:

First, like ForceField, it caught Zango at the Web site source through its spy site blocking feature (below).

[screenshot: ZoneAlarm Internet Security Suite spy site blocking alert]

Next, its antivirus caught and eliminated the variant as soon as it was downloaded to the PC (below).

[screenshot: ZoneAlarm antivirus alert for the downloaded Zango variant]

The final layer was ZoneAlarm’s program control, which catches malicious applications through a behavioral approach (below).

[screenshot: ZoneAlarm program control alert]

- JordyB

Posted by ZoneAlarm on January 04, 2008 at 10:15 AM in Malware, Spyware, Worms

Speak-N-Sploit on Vista

Just when you thought your computer wasn't listening to you, it turns out Vista is listening to you, to that mp3 file someone just emailed you, and even to a malicious website with recorded audio.

The SANS Internet Storm Center posted this article regarding Vista and its speech/voice system. Apparently, an attacker can record Vista voice commands, save them to a file, play them back on a target system, and thereby take control of a Vista computer by means of these voice commands.

Arrigo from SANS summarizes this type of attack:

The best picture in my mind of this attack vector is a large trading room, in the middle of the night, and one computer shouting out loud "start listening", "start", "internet explorer", "download <some tinyurl>", etc.

ZDNet writer George Ou even describes how a malicious website (or person -- think Myspace audio tracks) could abuse this.

We are looking into an OSFirewall protection that would alert the user if someone (or better yet, something) attempts to enable the Voice Recognition system. By using OSFirewall, we can prevent this type of attack from both known and unknown malware.


I don't expect this type of attack to become really common, despite the fact that it requires no real technical skill, but rather a clear and commanding speaking voice.

Posted by jono2u on February 09, 2007 at 01:56 PM in Malware, Spyware, Worms

The Goods on an eBay Fraud

My friend called me last night and explained he recently had two security problems -- some malware on his computer and a stolen eBay account. I figured the two were connected, but it's interesting to understand how.

His eBay account had been compromised and someone loaded some fraudulent auctions under his account -- just in time for the holidays. Obviously the malware found on the machine had compromised his password. The question was, how did the malware get there?

The attacker had used an interesting way to deliver the malware onto the target machine and thereby compromise that specific eBay account:

  1. Find an eBay account to target, preferably an eBay account with good standing.
  2. Send the "mark" account a question using the built-in eBay messaging system:

Hello ,
Please confirm if your item is the same like this:
http: //www.evilwebsite.com/item.html
 i want to BUY your item ! i am very interested !
Tell me the Final Price with all the taxes.
Let me know asap ,
thank you

  3. The message includes a URL to a hostile website. The website contains a 0-day attack for IE. The payload is a keylogger.
  4. The attacker obtains the eBay password from the mark account and uses that account (and its good eBay standing) to create fraudulent auction items.

My friend found the fraudulent items quickly, removed them, and changed his eBay password (from a known clean system). At this point, he thinks he has resolved the problem and will be wary of any new messages coming into his account -- especially if they contain URLs.

Posted by jono2u on December 21, 2006 at 02:39 PM in Malware, Spyware, Worms

Botnet Protection


Ed Felten (a Princeton professor who does a lot of interesting security research) asks "Why so little attention to botnets?" He points out that the ongoing battle with botnets isn't going so well. I wanted to point out how ZoneAlarm users are protected from this malware and give you tips to prevent your system from becoming a part of a botnet.

First, what are botnets used for? One of the most prevalent uses is spam. Attackers load spam trojans on computers, causing the infected systems to become part of a SpamNet. A SpamNet is a group of systems that are used to send spam. Once infected, these systems become spam engines -- awaiting a new spam "seed" from the spammer and relaying that email out to thousands of other people.

How much spam do these hijacked systems send? As mentioned in a previous post, some estimates show 50%-80% of spam is sent by hijacked home PCs. From my experience, I'd say that seems like a reasonable estimate.

Some botnets are used to conduct Distributed Denial of Service (DDoS) attacks on target companies or networks. These types of attacks are very underreported; while working at a couple of large ISPs in the past, I'd see these types of attacks weekly.

How do these DDoS attacks work? The attacker would launch a small, short attack lasting only a couple minutes to scare the target company and get their attention. Soon after the first attack, the company would receive an "extortion letter". This letter would request "protection money" -- a request for payment that would "protect" the company from future attacks. Some companies think the only option is to pay, but once they do that, they start a downward spiral of paying protection money to an attacker (who effectively has their network hostage). 

How can you protect yourself? Ensure your systems are patched and keep them clean. Run your AV/AS scanner regularly and ensure the signatures are up-to-date. ZoneAlarm offers a couple of different protections specific to botnets. First, to protect against SpamNets, ZoneAlarm provides Outbound MailSafe Protection:

[screenshot: ZoneAlarm Outbound MailSafe Protection settings]

As you can see, if your computer attempts to send more than 5 emails in 2 seconds, or email to more than 50 recipients, ZoneAlarm will warn you.
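The two MailSafe thresholds just described, as an added example in Python that is not ZoneAlarm's code: a sliding-window monitor over outbound send attempts that flags a burst of more than 5 messages in 2 seconds, or a single message addressed to more than 50 recipients. The event format (timestamp plus recipient list) and the sample traffic are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

# Thresholds as described in the post: more than 5 messages in 2 seconds,
# or one message addressed to more than 50 recipients.
MAX_MSGS = 5
WINDOW_SECONDS = 2.0
MAX_RECIPIENTS = 50


@dataclass
class OutboundMailMonitor:
    """Sliding-window monitor over outbound send attempts (a constructed
    model for illustration, not ZoneAlarm's implementation)."""
    max_msgs: int = MAX_MSGS
    window: float = WINDOW_SECONDS
    max_recipients: int = MAX_RECIPIENTS
    sent: deque = field(default_factory=deque)  # timestamps still inside the window

    def check(self, ts, recipients):
        """Record one send attempt at time ts (seconds) and return the alert
        reasons it triggers; an empty list means the attempt looks normal."""
        alerts = []
        # Expire timestamps that fell out of the window before counting.
        while self.sent and ts - self.sent[0] > self.window:
            self.sent.popleft()
        self.sent.append(ts)
        if len(self.sent) > self.max_msgs:
            alerts.append(f"burst: {len(self.sent)} messages in {self.window:g}s")
        if len(recipients) > self.max_recipients:
            alerts.append(f"fan-out: {len(recipients)} recipients in one message")
        return alerts


def replay(events):
    """Feed (timestamp, recipient_list) events through a fresh monitor and
    return [(event_index, alert_reasons)] for every event that alerted."""
    mon = OutboundMailMonitor()
    hits = []
    for idx, (ts, rcpts) in enumerate(events):
        reasons = mon.check(ts, rcpts)
        if reasons:
            hits.append((idx, reasons))
    return hits


# Constructed sample traffic: a person sends two mails, then a spam engine
# wakes up and fires eight mails 0.3 s apart, then one mail to 60 addresses.
NORMAL = [(0.0, ["alice@example.test"]), (30.0, ["bob@example.test"])]
SPAM_BURST = [(100.0 + i * 0.3, [f"victim{i}@example.test"]) for i in range(8)]
FAN_OUT = [(200.0, [f"user{i}@example.test" for i in range(60)])]
SAMPLE_EVENTS = NORMAL + SPAM_BURST + FAN_OUT

if __name__ == "__main__":
    for idx, reasons in replay(SAMPLE_EVENTS):
        print(f"event {idx}: WARN {'; '.join(reasons)}")
```

The burst rule only fires once the sixth message lands inside the window, so the two normal mails and the first five of the burst pass silently; the fan-out rule is independent of timing.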
Next is the Spy Site Blocking feature:

[screenshot: ZoneAlarm Spy Site Blocking settings]

Unlike browsers, which can only block web traffic to bad sites, ZoneAlarm is a firewall, so it can block all network traffic to sites distributing malware/spyware/adware, botnet IRC channels, etc., not just browsing activity. Furthermore, we've added specific protection from malicious botnet "Command and Control" channels to Spy Site Blocking. These Command and Control channels are usually IRC channels through which the attacker can use the zombie machine to send spam or attack other networks.

This prevents your system from being remotely controlled and blocks participation in DDoS attacks. The AV/AS scanner can then find and remove malware that has infected the machine.

Posted by jono2u on December 06, 2006 at 10:00 AM in Malware, Spyware, Worms

Malware for Sale


Discussing the state of malware with the press, we often explain that the big, highly visible worms of the past are falling out of favor with attackers, being replaced with hack-for-hire type work. Attackers have found they can make more money creating trojans and setting up spamnets and DDoS botnets (using home PCs) than creating highly visible worms (the ILOVEYOU virus).

This recent post to full-disclosure (a security/vulnerability mailing list) provides a good example:

---------- Forwarded message ----------
From: [redacted]
Date: Nov 12, 2006 11:20 AM
Subject: [Full-disclosure] Keylogger

Yesterday I finished programming a keylogger, and have decided to sell it online for a small price.  I have posted here because I believe people would be interested in a hacking tool such as this - keyloggers are the easiest and quickest way to obtain an email password.  Here are its features:

-> Undetectable by ALL antivirus products in use today.
-> Remains on victim's computer permanently (adds to startup).
-> Bypasses Windows Firewall.
-> Sends logs via email to your chosen email account.
-> Logs include computer information, current window name, and of course
logged keystrokes.
-> Logs are sent hourly.
-> Displays fake error message to user.

My pricing plans are:

-> $11 = Keylogger.
-> $16 = Keylogger + Source code.
-> +$5 to either for access to all future updates.

I only accept paypal/credit card.

Fortunately, OSFirewall will warn you if something attempts to log your keystrokes -- without the need for AV/AS signatures:

[screenshot: OSFirewall alert that a program is attempting to log keystrokes]

Here's what happens after you select "Deny":

[screenshot: OSFirewall reporting the keylogger as blocked]

Posted by jono2u on November 14, 2006 at 02:38 PM in Malware, Spyware, Worms

FTC Takes Down Spyware Operation

The FTC announced they have fined the people who make Elite Toolbar $2 million and prohibited them from making misleading claims regarding their software in the future. Specifically, the FTC prohibited the defendants from:

distributing software code that tracks consumers’ Internet activity or collects other personal information, changes their preferred homepage or other browser settings, inserts new advertising toolbars or other frames onto their browsers, installs dialer programs, inserts advertising hyperlinks into third-party Web pages, or installs other advertising software code, file, or content on consumers’ computers.

Elite Toolbar is a type of spyware that is very difficult to remove, and in certain incarnations it allegedly stole credit card information. Searching Google for "Elitebar" returns more than 10 "sponsored links" (people who paid for their ad to show) -- all of the ads purporting to assist in the removal of Elitebar.

So, showing my inquisitive nature, I called some of the numbers listed at the bottom of the press release and spoke to an FTC PR contact. I wanted to know if this case was part of a stronger push by the FTC to address the overall spyware problem through legal means. The PR person explained that the FTC would continue pursuing spyware (and other unwanted software) companies and that this specific case is just part of their overall efforts -- it didn't really represent an increase in targeting spyware companies.

If you have been the victim of Identity Theft (by spyware stealing your credit card info, or other means), you should file a complaint with the FTC. At the very least, this lets the FTC keep track of the number of incoming complaints, the type of complaints and estimate the amount of resources they should spend on specific consumer concerns.

Posted by jono2u on September 08, 2006 at 12:09 PM in Malware, Spyware, Worms

Origin of the Word Spyware

You may have heard that the word Spyware is now part of Merriam-Webster's Collegiate Dictionary. Here is the Wikipedia entry about its origins:

The first recorded use of the term spyware occurred on October 17, 1994 in a Usenet post that poked fun at Microsoft's business model. Spyware later came to refer to espionage equipment such as tiny cameras. However, in early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press release for the ZoneAlarm Personal Firewall. Since then, computer-users have used the term in its current sense.

While the origins may be interesting, it's unfortunate we need this term in the first place.

Posted by jono2u on July 20, 2006 at 12:52 PM in Malware, Spyware, Worms

How do we know when a security website is secure or a fake?

In a search for "identity theft service" I came upon a blog called ID Theft Secrets. The blog has many compelling stories and links to information about identity theft.

It also promotes a browser toolbar that seems to have functions for "no spyware", "anti-spyware scan" and a website blocker, as well as promotional links. I almost installed the toolbar to see how it worked. Then I decided to look for information about this blogger. I found none.

Another link led me to a more complete page promoting the toolbar, with a credit for Effective Brand, the company that created the toolbar. At that point I see their privacy policy reinforcing the claims. Is there any weight to a privacy policy for software on a site with no identifiable owner? Would you be able to take any action if it turned out the software - which can be used to notify you about mail in your webmail accounts - has holes?

I realized the blog is related to a site, idtheftsecrets.com, which also has no visible credits. You can buy a book download, and perhaps the receipt tells you who wrote it.

The bottom line: Always think twice if you're planning to use software from an "unknown" company. Whereas you might naturally trust a site that provides identity theft advice, anti-spyware software that actually installs spyware on your system has been a widespread problem. And if you don't know who's running a website, how do you know the advice they're providing is accurate?

Trustworthy software vendors should practice full disclosure. The privacy policy (see screenshot) shows no information that this guarantee comes from Effective Brands. Therefore it's not that I distrust the software. It's that I don't trust it enough to use it.

Am I paranoid?

Shortly after I wrote this post, a colleague pointed out that toolbars from Effective Brands have been classified as spyware in the past. Their current marketing does a good job to convince consumers this is a thing of the past. But my point is, make sure to research before installing software. Or you may install more than you bargained for!

Posted by ZoneAlarm on April 28, 2006 at 01:14 PM in Malware, Spyware, Worms

Is Your Hamburger Infected With a Computer Virus?

A team of researchers at Vrije Universiteit Amsterdam called attention to the threat of viruses and worms spread through RFID devices with the provocatively titled report: Is Your Cat Infected with a Computer Virus?

"In our research, we have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be (intentionally) infected with a virus and this virus can infect the backend database used by the RFID software. From there it can be easily spread to other RFID tags."

Their pet scenario envisions a prankster rewriting his cat's subdermal pet ID tag with a virus. He then goes to a veterinarian (or the ASPCA), claims it is a stray cat and asks for a cat scan - thus infecting the database.

"Unlike a biological virus, which jumps from animal to animal, an RFID virus spread this way jumps from animal to database to animal. The same transmission mechanism that applies to pets also applies to RFID-tagged livestock."

With animals, people, and their possessions (like US passports) getting RFID chipped, this may require a new concept of "personal firewall" and we may need to design new products accordingly.

In the spirit of thinking futuristically, the team is working hard at ideas such as:

  • Selling clothing with copper wire or aluminum foil woven into the fabric, or selling an anti-virus wand that could be used like you see in the spy movies to 'sweep for bugs', or airport scanners that detect viruses. "Sorry, you're infected with a virus, you can't enter the country."
  • A new generation of firewall called The Beast Possession and Prevention Shield, to appeal to those who think RFID tags are the Mark of The Beast.
  • Creating an inoculation worm to prevent/reverse Beast Possession using this vulnerability in The Beast's malicious code.

Posted by ZoneAlarm on March 20, 2006 at 05:18 PM in Malware, Spyware, Worms