Your very own personal ‘(Wiki)leaks’

March 2nd, 2011 Dmitry Bestuzhev Posted in Industry News, Kaspersky

The word ‘leak’ has become rather popular in recent times, but few of us actually realize just how likely it is that our own personal information could be leaked. We protect our computers, our mobile devices, keep up to speed with the latest security issues, but there are still times when we become careless. In particular, I’m speaking about public computers like this one here:

This is a genuine public access computer I came across in a hotel I was staying at last week during a short vacation. I had to use the Internet quite urgently, and of course I understood that my personal data wasn’t completely safe and could end up in someone else’s hands. I decided to try a little experiment and the results clearly demonstrated that any of us could quite easily fall victim to our own personal ‘(Wiki)leaks’:

  1. The computer was infected with several malicious programs that a rather well known up-to-date antivirus solution had not detected. There was a backdoor that stole the passwords for the online banking systems of five banks – four Brazilian and one Spanish. Closer inspection showed that the computer had been infected via the Orkut social networking website on 11 July 2010. Since then the malicious program had been gathering bank account passwords from goodness knows how many people. There was also a downloader based on Java technology.
  2. The option to ‘save passwords’ was ticked in the browser settings. Of course, users were not informed about it. All the passwords entered on the computer were saved under a master password that was obviously only known to the person who activated the setting.
  3. In the My Documents and Downloads folders there were lots of files and photographs that users had downloaded from the Internet or their email accounts and forgotten to delete. Here are a few examples of the things I found:

    • Documents about legal proceedings and a court subpoena.
    • A report about configuration work carried out on a series of computers at an organization.
    • The schedule for a business event at a company.
    • Personal photos of people with their friends and family.
    • A property deed of conveyance.
    • A work timetable.

I’m sure very few people would want their documents, especially of this nature, falling into the hands of strangers, competitors or cybercriminals.

So, if you want to experience your own (Wiki)leaks, all you have to do is use public access computers on a regular basis at airports, in hotels, cafes, libraries etc. If you really have to use a public computer and you know a thing or two about IT security, check first of all to see if the computer is infected. Remember that antivirus scanning results don’t always reflect the real picture.

Secondly, check if the ‘save passwords’ option is activated in the browser.

Thirdly, if you are working with documents or photographs, try not to download them. Many of today’s email services allow you to work with them directly from your email account. If you do download something, don’t forget to delete it afterwards and clear it from the Recycle Bin.

It’s also worth looking at the computer itself to ensure that there are no devices between the port where the keyboard is plugged in and the keyboard itself. These devices can gather information and look something like this:

Other precautionary measures include either cleaning your Internet Activity History or, before going online, switching on the privacy mode that is included in numerous browsers these days.

I cleaned up the aforementioned computer and informed the hotel administration. I didn’t get a discount, but the hotel management was very grateful and promised that no more cybercriminals would be stealing money from their customers (although I’m not so sure about that).


A Keygen with a Twist 2

March 2nd, 2011 Nicolas Brulez Posted in Industry News, Kaspersky

On 14 January, my colleague Vyacheslav Zakorzhevsky published a blog on the dangers of using cracks and keygens.

The malware in question was primarily for stealing registration keys for popular software.

A few days ago, we found a new malicious application that disguises itself as a Kaspersky Trial Resetter (an application that can be used to reset a software evaluation period that has expired).

The new malware is detected as Trojan-PSW.MSIL.Agent.wx and only two vendors, including Kaspersky Lab, currently detect it.

The twist here is that instead of resetting your trial period, it steals information saved on the computer, be it browser-saved passwords or passwords saved by an application.

According to the PE header, the malicious software was created on 31 January 2011, although the first infection reports appeared on 6 February. One can only wonder how successful such an application can be. Read below to find out:

In 23 days, a total of 1109 computers were infected with this password-stealing Trojan, an average of 48 infections per day.

The top 5 targeted countries were:

What about the type of stolen accounts?

Among the stolen data, hundreds of website credentials were found, such as data for web hosting, online stores, internet/mobile providers, social networks (LinkedIn, Twitter, Facebook, MySpace etc.), webmail, blogs, banking, instant messaging, online gaming etc.

Here is a list of the browsers targeted by the malicious program, as well as the number of users whose data were stolen:

Kaspersky Lab contacted the hosting provider of the drop zone who closed and deleted the accounts.

I hope these statistics will convince you that downloading pirated software is not a good idea.

1109 users who thought they were downloading a crack for a security solution ended up being infected.

It’s also clear that saving your passwords within your browser isn’t the best idea.

You may want to consider using a Password Management program, such as the Kaspersky Password Manager, which keeps all your passwords encrypted and immune to these sorts of attacks.

We are currently in the process of contacting the victims and informing them about the infection.


Kaspersky Analyst Summit 2011

March 1st, 2011 Costin Raiu Posted in Industry News, Kaspersky

Twice every year, analysts from Kaspersky meet for a couple of days to brainstorm over ongoing security issues, think about new ways to protect users and fight against new breeds of threats.

The first summit for 2011 took place earlier in February, and brought together over 100 people from various departments inside the company. Although the exact subjects of the talks are secret as usual, the discussions revolved around subjects such as Android threats, targeted attacks, whitelisting and digital certificates.


The malicious couple

March 1st, 2011 Denis Posted in Industry News, Kaspersky

A few days ago, users who frequent some of the Russian websites that distribute software for smartphones and PDAs started complaining that virtually every new CAB file (i.e., Windows Mobile installation archives) contained two ‘extra’ executable files. Both files had been spotted in archives with completely different programs and games.

Not surprisingly, both files turned out to be malicious. The first of the two, which installs on the device under the name srvupdater1.exe, is a Trojan downloader, which is detected by Kaspersky Lab products as Trojan-Downloader.WinCE.MobUn.a. The second file (which installs as msservice.exe) is an SMS Trojan, detected as Trojan-SMS.WinCE.MobUn.a.

Both Trojans download their operating parameters from a URL that has the following format: http://m*******t.ru/index.php?******=param.

Trojan-SMS.WinCE.MobUn attempts to connect to the above URL and, if the attempt is successful, downloads the following information from the URL:

  • param1 = 9;
  • param2 = 1;
  • param3 = 1121;
  • param4 = 2*************s;
  • param5 = (empty).

The above parameters have the following meanings: param1 is the interval between SMS messages, param2 is the Trojan’s version number, param3 is the number to which SMS messages are sent (in this case, messages are sent to the number 1121; each SMS costs 3.5 rubles or just over 10 cents to send), param4 is the text sent in SMS messages, and param5 is the URL for downloading a new version of the Trojan.

At the time of writing, param5 remained empty.

Trojan-Downloader.WinCE.MobUn downloads the same data from the same URL, but the only parameter this piece of malware is interested in is param5. If that parameter isn’t empty, the Trojan downloads the new version of Trojan-SMS.WinCE.MobUn from the URL specified in param5, then removes the SMS Trojan’s old version and executes the new one:
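As an added analyst-side illustration (not code from the post or from the malware), the following parses the five-parameter response format described above and shows the decision the downloader component makes: an update is fetched only when param5 is non-empty. The response text, the SMS text and the update URL are constructed placeholders; the exact line syntax (`paramN = value` with a trailing `;` or `.`) is an assumption based on the list in the post.

```python
import re
from dataclasses import dataclass, fields

# Constructed sample responses in the layout the post describes. Parameter names
# are the post's own; the SMS text and update URL are placeholders, not captured data.
RESPONSE_DAY1 = "param1 = 9;\nparam2 = 1;\nparam3= 1121;\nparam4= 2PLACEHOLDERs;\nparam5=."
RESPONSE_DAY2 = ("param1 = 9;\nparam2 = 2;\nparam3= 1121;\nparam4= 2PLACEHOLDERs;\n"
                 "param5=http://update.example.invalid/new.cab.")

# Assumed line syntax: 'paramN = value' with an optional trailing ';' or '.'.
PARAM_RE = re.compile(r"param(\d)\s*=\s*(.*?)\s*[;.]?\s*$")

@dataclass
class MobUnConfig:
    interval: int     # param1: interval between SMS messages (unit not given in the post)
    version: int      # param2: Trojan version number
    number: str       # param3: premium short number the messages are sent to
    text: str         # param4: message text
    update_url: str   # param5: URL of a new Trojan version; empty when none is pushed

def parse_config(raw: str) -> MobUnConfig:
    """Parse the five paramN lines; raise if any of them is missing."""
    values = {}
    for line in raw.splitlines():
        m = PARAM_RE.match(line.strip())
        if m:
            values[int(m.group(1))] = m.group(2)
    missing = [n for n in range(1, 6) if n not in values]
    if missing:
        raise ValueError(f"missing parameters: {missing}")
    return MobUnConfig(int(values[1]), int(values[2]), values[3], values[4], values[5])

def update_pending(cfg: MobUnConfig) -> bool:
    """True when the downloader component would fetch and install a new SMS Trojan."""
    return cfg.update_url != ""

def changes(old: MobUnConfig, new: MobUnConfig) -> dict:
    """Fields that differ between two polled configs, e.g. a version bump or a new update URL."""
    return {f.name: (getattr(old, f.name), getattr(new, f.name))
            for f in fields(MobUnConfig) if getattr(old, f.name) != getattr(new, f.name)}

if __name__ == "__main__":
    day1, day2 = parse_config(RESPONSE_DAY1), parse_config(RESPONSE_DAY2)
    print("update pending on day 1:", update_pending(day1))
    print("update pending on day 2:", update_pending(day2))
    print("what changed:", changes(day1, day2))
```

Polling the control URL repeatedly and diffing the parsed configs is how an analyst would notice the moment param5 is populated, i.e. when a new SMS Trojan version is being pushed to infected devices.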

We have already seen SMS Trojans that download the data for their operation from a remote server maintained by cybercriminals. As far back as 2008, we detected malicious programs for mobile devices that attempted to download new files from a remote server (Worm.WinCE.InfoJack was the first to do so). However, a bundle consisting of a Trojan downloader and an SMS Trojan heralds a new phase in the evolution of mobile malware.