Chinese Bank's Server Used in Phishing Attacks on US Banks
A web server belonging to a state-operated Chinese bank is hosting phishing sites targeting U.S. banks and financial institutions. Phishing e-mails sent on Saturday (March 11) targeting customers of Chase Bank and eBay directed recipients to sites hosted on IP addresses assigned to the China Construction Bank (CCB) Shanghai Branch. The phishing pages sit in hidden directories alongside the server's legitimate main page.
The attack on Chase offers recipients the chance to earn $20 by filling out a user survey which presents a series of questions about the usability of the Chase online banking site, followed by a request for user ID and password, so the $20 "reward" can be deposited to the proper account. The form also requests the victim's bankcard number, PIN number, card verification number, mother's maiden name and Social Security number. Any data submitted is then sent to a free form processing service on a server in India.
The same IP address at CCB Shanghai was used Saturday to host a page spoofing the eBay login screen. The China Construction Bank is a state-owned commercial bank with more than 14,000 branches across China. Last October CCB became the first of China's "Big Four" state-owned banks to be listed on the Hong Kong Stock Exchange.
Block ad-serving cookies in both IE and Firefox
Most users want to surf with more confidence that sensitive information is not being collected by behavior tracking companies or worse.
Internet Explorer users can add Web sites to IE's Restricted sites zone to block pop-ups, cookies, and browser helper objects (BHOs). But identifying untrusted sites on your own is just about an impossible task, so many IE users rely on IE-SPYAD. IE-SPYAD is an enormous block list of sites that use annoying third-party advertisers and are affiliated with spyware-caliber adware. Download and run the IE-SPYAD batch file utility, and the full list of sites to avoid is automatically installed in your IE Restricted sites zone. Great stuff!
Is there an equally effective solution for Firefox users? Yes. Adblock Plus is particularly effective when used in combination with Adblock Filterset.G Updater. You can configure Updater to automatically download new versions of Filterset.G block list.
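As an added illustration of what a Restricted-sites block list installer does (this is not the IE-SPYAD tool's own code), the example below builds an importable .reg file that maps hosts into IE's Restricted zone and parses such a file back to verify which hosts it restricts. The registry path and zone number are the ones Internet Explorer uses; the host names are constructed samples.

```python
import re

# Per-user registry path IE uses to map host names to security zones.
ZONEMAP_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")
RESTRICTED_ZONE = 4  # 0 My Computer, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def zone_key_for(host):
    """Turn a host into the registry key IE expects: the registrable domain
    is the key and deeper labels become a subkey, so ad.tracker.example
    becomes Domains\\tracker.example\\ad. Malformed hosts return None so a
    junk line in a block list never lands in the registry."""
    labels = host.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
        return None
    domain, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
    return f"{ZONEMAP_KEY}\\{domain}" + (f"\\{sub}" if sub else "")

def build_reg(hosts, zone=RESTRICTED_ZONE):
    """Emit .reg text (importable with regedit /s) placing every valid,
    distinct host in the given zone. The "*" value name covers all
    protocols; a domain-level entry applies to the whole domain, as the
    IE zone dialog does for *.domain."""
    lines, seen = ["Windows Registry Editor Version 5.00", ""], set()
    for h in hosts:
        key = zone_key_for(h)
        if key is None or key in seen:
            continue
        seen.add(key)
        lines += [f"[{key}]", f'"*"=dword:{zone:08x}', ""]
    return "\r\n".join(lines)

def restricted_hosts(reg_text, zone=RESTRICTED_ZONE):
    """Parse a .reg file or export back into the set of hosts mapped to
    the zone, so an installed block list can be audited."""
    hosts, current = set(), None
    prefix = ZONEMAP_KEY.lower() + "\\"
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
        elif current and line.lower() == f'"*"=dword:{zone:08x}':
            parts = current.split("\\")          # [domain] or [domain, sub]
            hosts.add(".".join(parts[1:] + parts[:1]))
    return hosts

if __name__ == "__main__":
    # Constructed sample block list, including a duplicate and a junk line.
    print(build_reg(["ads.example.com", "ads.example.com", "tracker.net", "not valid"]))
```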
VM Rootkits: The Next Big Threat?
Lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and that can maintain control of a target operating system.
The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.
Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system.
The prototype, which will be presented at the IEEE Symposium on Security and Privacy later in 2006, is the brainchild of Microsoft's Cybersecurity and Systems Management Research Group, the Redmond, Wash., unit responsible for the Strider GhostBuster anti-rootkit scanner and the Strider HoneyMonkey exploit detection patrol.
Today, anti-rootkit clean-up tools compare registry and file system API discrepancies to check for the presence of user-mode or kernel-mode rootkits, but this tactic is useless if the rootkit stores malware in a place that cannot be scanned.
"We used our proof-of-concept (rootkits) to subvert Windows XP and Linux target systems and implemented four example malicious services," the researchers wrote in a technical paper describing the attack scenario.
"[We] assume the perspective of the attacker, who is trying to run malicious software and avoid detection. By assuming this perspective, we hope to help defenders understand and defend against the threat posed by a new class of rootkits."
A virtual machine monitor is a layer of software that runs between the hardware and the "guest" operating system it hosts. Because the VMM sits below the operating system, it can control the layers above it in a stealthy way.
"The side that controls the lower layer in the system has a fundamental advantage in the arms race between attackers and defenders," the researchers said.
"If the defender's security service occupies a lower layer than the malware, then that security service should be able to detect, contain and remove the malware. Conversely, if the malware occupies a lower layer than the security service, then the malware should be able to evade the security service and manipulate its execution."
The group said the SubVirt project implemented VM-based rootkits on two platforms, Linux/VMware and Windows/Virtual PC, and was able to run malicious services without detection.
The paper describes how easy it is to get the VM-based malware on a target system. For example, a code execution flaw could be exploited to gain root or administrator rights to manipulate the system boot sequence.