Security Watch

Pirate's Booty in Bootlegged Win7

Plus: Worms that start with Win; Facebook phishing.

• By Jabulani Leffall
• 05/05/2009

You know there are serious security problems when even bootleg copies of a program aren't safe. Microsoft is playing damage control after it was revealed that illegal copies of Windows 7 Release Candidate (RC) contain malware.

Copies first appeared April 24 on BitTorrent, the Internet download clearinghouse for movies, games and music that often originate from dubious origins. In an irony to end all ironies, users who downloaded programs complained about the Trojan horses and other dormant but nasty bugs that crept onto their systems when they installed the illegal Windows 7.

Microsoft essentially stated via its blog that, beyond the fact that Windows 7 RC isn't even out yet, the prospect of user infections is reason enough to stay away from downloading off BitTorrent affiliated sites.

"Wow that was fast, though I don't suppose I should be surprised," wrote Alex Kochis, director of Microsoft's Genuine Windows anti-piracy technology group. He went on to say that these incidents show "that there are those out there who see the significant interest in something such as Windows 7 as an opportunity to try to take advantage of others."

'Family' Business
Microsoft recently identified new malware families that are cropping up on several thousand systems around the globe every month based on activity in the second half of last year. Many have the application programming interface prefix of "Win." For instance, Redmond said Win32/Horst attacked around 235,318 systems during July 2008.

Another malware strain, Win32/Matcash, caused a blight on workstations and enterprise systems and is able to install spyware, adware and other malware from various servers and sources via Internet Explorer. Microsoft researchers said this bug was discovered August 2008, after it had caused havoc on almost 217,610 systems.

Win32/Slenfbot, Win32/FakeSecSen, Win32/FakeXPA, Win32/Yektel are some other new offenders, according to Microsoft's Malware protection blog, which tracks worms and other nasty IT varmints. Some of these names, such as Win32/Taterf, in the months to come will likely become more familiar to IT administrators, Redmond said.

Reports: It's In the Software
Given the emphasis in this post on malicious code embedding itself in software programs, it's necessary to get further confirmation of the prevalence of new threats to show how wide-reaching they are throughout the tech ecosystem. According to a recent survey by Forrester, more than 62 percent of the companies who responded had breaches because of problems at the application level. Forrester's "Application Risk Management in Business Survey" interviewed more than 200 respondents from 180 different businesses in myriad industries in the U.S. and U.K.

Meanwhile, in more not-so-good-news department, a report from IT security company ESET reveals that of its top ten software security threats, at least nine have a direct effect on Windows programs and the way they operate. Conficker led that pack, but most of the botnets, Trojan horses and distributed denial of service bugs that were listed all had the prefix "Win" for Windows. Among the different attack vectors were Windows DNS Server, Windows Autorun and other downloading mechanisms on the OS.

"Conficker is a real danger, but there are plenty of other threats around that constitute just as much of a problem. And some pose much more of a problem detection-wise," the report said.

Facebook Phishing
Much like a virus or cold can spread through human contact, so it is with worms virus and other attack mechanisms on social networking sites. Recently mentioned in this blog was Twitter's cross-site scripting attacks, and now hackers feel inclined to do a little phishing on Facebook. The way it works is your "friend," unbeknownst to them, might send you a link to a Web site for you to click on to see what they sent. Problem is, more often than not it's not your friend but a program looking to take advantage of user curiosity and gain carte blanche access to a given system.

Ryan McGeehan, threat analyst for Facebook, said in an e-mail statement that "phishing attacks are a fairly commonplace occurrence at the Facebook site, occurring every few weeks." No one is sure how many of Facebook's estimated 200 million users have had this happen, but he further assured fellow Facebookers in his blog that when the Facebook IT staff finds "a new phishing site, we send the information to MarkMonitor, a company that adds these phony sites to blacklists. If you've ever visited a website and seen a red sign indicating that it was a 'Web Forgery,' you've probably seen their work."

With friends like these worms and botnets, who needs Facebook enemies? The best thing to do in a situation like this is check the source.