malware - ReadWriteWeb (feed: http://www.readwriteweb.com/feeds/tag/malware), Copyright 2009 Richard MacManus, readwriteweb@gmail.com, Mon, 23 Nov 2009 21:12:49 -0800

How to Secure Your Jailbroken iPhone

Earlier this week, the news of the first iPhone worm made its way around the net. Since the worm only targeted jailbroken devices and then only those which had the SSH program installed, there wasn't a need for concern on the part of most iPhone users. However, a second hacker tool which uses the same security hole as the so-called iKee worm has reared its head and this one is far more dangerous. According to security firm Intego, the new hacker tool goes after personal data stored on the device including email, contacts, SMS messages, calendars, photos, music files, videos and any other data recorded by any iPhone app.

In other words, if you're the owner of a jailbroken phone, you should now be concerned.

New iPhone Worm Discovered

Unlike the relatively innocuous iKee worm which the creator designed more as a "public service" to alert users to the potential for malware on the iPhone, the new hacker tool, dubbed "iPhone/Privacy.A," is the real deal. Where iKee simply switched the iPhone wallpaper to display a photo of singer Rick Astley (a nod to the internet meme of rickrolling), Privacy.A gives the user no indication that it is running on the device.

The new hacker tool also operates a bit differently than iKee does, as it doesn't have to sit on the iPhone itself in order to inflict its damage or spread. The hacker can either load the tool onto their personal device and then monitor the network for jailbroken devices to attack, or they can load the malicious program onto a computer. As Intego points out in their post, this computer could be on a public network at an Internet cafe or retail store. In that scenario, the tool would then scan for any other jailbroken iPhones that came within range of the Wi-Fi network and attack them.

How to Secure your iPhone

Although many jailbreakers are tech-savvy enough to know how to lock down their devices to protect themselves from attack, there are quite a few who have simply followed online instructions such as these to perform the jailbreak. This group, while arguably somewhat tech-savvy, doesn't necessarily know all the nitty-gritty details about the iPhone filesystem or its security mechanisms.

To make it easy on these users, we've provided steps on how to change your iPhone's root password - the common denominator required in order for the malware to gain access to your device.

While some may argue there's no need to change your root password if you haven't also installed the SSH program, another necessary element for these attacks to work, we think that's a little short-sighted. It would be easy enough for a malicious hacker to trick jailbreakers into installing SSH by bundling it with some other third-party application offered through underground App Stores like Cydia or Icy. By masquerading as something innocent like a wallpaper-changer or ringtone bundle, a hacker could easily set up a number of jailbreakers with SSH without the victims even being aware that it has been installed. Although we haven't heard of anything like this happening yet, if we thought of it then you can bet that the hackers out there have thought of it too.

Changing the Root Password

The best protection is to simply change your iPhone root password. That will keep you safe from the current iPhone malware...at least for now. Here's how:

  1. Install the MobileTerminal application from Cydia.
  2. Reboot your iPhone.
  3. Launch MobileTerminal and type in the command: passwd
  4. At the prompt which asks for the "Old Password," type in: alpine
  5. At the new password prompt, type in a new password of your choosing, making sure to pick something strong.
  6. Re-enter the password to confirm.
  7. You'll then be returned to the Mobile$ prompt which means the change was successful.
  8. Now you'll need to change the password for the secondary admin account. Type in the command: login root
  9. Again, you're prompted for the old password. Type in alpine.
  10. Now type in the command passwd
  11. You'll then go through the change password routine a second time, entering in alpine as the old password, creating a new password and then re-entering it to confirm.
  12. When you are finished, close the application.

Note: these instructions assume you are running iPhone OS 3.0 or higher.

Update 11/16: Intego requested that the new attack be described as a "hacker tool," not a worm.

http://www.readwriteweb.com/archives/how_to_secure_your_jailbroken_iphone.php (Apple, Fri, 13 Nov 2009 06:01:15 -0800, Sarah Perez)
New iPhone Worm: How Worried Should We Be?

Numerous reports have surfaced over the weekend regarding the first iPhone worm spotted in the wild. The worm, known as iKee, only affects modified handsets also known as "jailbroken" devices. These devices have been hacked by their owners to allow for the installation of unapproved, third-party programs that aren't allowed in the iTunes App Store.

Currently, the worm doesn't appear to be all that malicious - it simply changes the phone's background image to a photo of singer Rick Astley, the man whose song "Never Gonna Give You Up" has become a well-known internet meme called "rickrolling," a joke where users are tricked into clicking links that redirect them to Astley's YouTube video.

Despite the relatively innocuous nature of this particular attack, it may be the precursor to future attacks of a more malicious nature. But how dangerous will these attacks be to the iPhone-owning population as a whole? Is there really a need for concern?

About the iKee Worm

According to the hacker, 21-year-old Ashley Towns, a student living in New South Wales, Australia, iKee was created to highlight the iPhone's poor security. Apparently unrepentant about his creation, Towns has made no attempt to hide his identity, posting on internet forums and on his Twitter page about his hack. He even cheekily tweeted a response to a post on security firm Sophos' blog where the writer had sought out the hacker's identity via Google searches: "You know man if you wanted my number you could have asked." And he wasn't kidding - Towns has been happily responding to media requests via his Twitter account. For example, he told ABC News that he had personally infected 100 iPhones with the worm. From those phones, he explained, the worm will then try to spread to other devices.

Perhaps the reason for his transparency has to do with the relatively harmless nature of the attack. The worm just changes the iPhone wallpaper on the affected devices. However, as the Sophos post points out, "accessing someone else's computing device and changing their data without permission is an offence in many countries."

While that may be true, it's clear that Towns feels as if he's almost doing a public service by exposing a security vulnerability that many jailbroken iPhones face.

More Hacks Expected?

While this particular worm appears to be localized to Australia, it could have spread to other countries and eventually, worldwide. It also comes directly on the heels of another similar attack on jailbroken devices. Only last week, a Dutch hacker broke into jailbroken iPhones and then displayed a message on the compromised devices demanding a ransom of 5 Euros. This attack was also made possible through the same vulnerability that the iKee worm uses.

Graham Cluley of Sophos predicts that other hackers will be tempted to write their own code now that they've seen what's possible. In addition, some hackers may be more malicious with their creations than what we've seen so far.

But Who is Really Being Affected?

However, even if the attacks escalate, the fact of the matter is that the potential victims are a minor subset of Apple iPhone users. To begin with, they must be relatively tech-savvy to have managed to jailbreak their phones at all - a process which involves using downloadable software tools that unlock Apple's control mechanisms on the device. While not overly complex, most mainstream iPhone users won't bother to take this action, content with the iTunes App Store and its 100,000 or so available applications.

And then there is the fact that the attacks don't even affect all jailbroken iPhone owners - they only affect those who have also installed a program called SSH on their devices. The program allows users to access the iPhone's filesystem with the username of "root" and password of "alpine." Since few SSH users had bothered to change this root password, that left their phones open to attack.

Still, how many people are we talking about here? And what sort of iPhone user are they? Although exact numbers of jailbreakers are unknown, mobile analytics firm Pinch Media recently revealed data showing there are at least 4 million of these jailbroken devices in the iPhone ecosystem. It's not known how many of these users have also installed SSH.

For the most part, it's likely that those who have done so are knowledgeable enough to prevent future attacks on their devices even if they had become a victim of one of these recent hacks. At the very least, they're now aware of the issue and can follow the straightforward instructions available on the web that explain how to change the root password so it's no longer the default.

More Dangerous than the iPhone Worm: Dishonest Developers

Despite all the media hoopla over this "first iPhone worm," it's not something that most iPhone owners will have to worry about. What's more concerning are the claims that a supposedly legitimate iPhone development firm has been collecting personally identifiable information from the users of its App Store-approved iPhone games which have been installed over 20 million times. According to a suit filed in the U.S. District Court in Northern California, the firm, Storm8, has been using a backdoor method which allowed them to collect the phone numbers of anyone who had installed their applications. This wouldn't be the first time that an iPhone developer has done this, either. Apple actually provides an easy way for developers to tap into this information, if they so desire.

If anything, this is the real threat that the media should be focused on, not the iPhone worm.

http://www.readwriteweb.com/archives/new_iphone_worm_how_worried_should_we_be.php (Apple, Mon, 09 Nov 2009 06:24:32 -0800, Sarah Perez)
How to Avoid Malware on Facebook and Twitter: 8 Best Practices

Thanks to the popularity of social networking sites like Facebook and Twitter, it's a given that malicious hackers will devise ways to exploit the sites' numerous users in order to infect their computers with malware. This unwanted software is designed to do a number of terrible things ranging from identity theft to turning computers into remote-controllable "zombie" machines.

Without sufficient anti-virus and malware protection programs installed, social networking users can easily fall victim to these ever-evolving attacks. However, the best way to avoid becoming a victim yourself is to be aware of what's out there and what sorts of things you should avoid. Below are the best practices which you should use on Facebook and Twitter in order to keep yourself safe.


The Problem with Malicious Links

One of the most common vectors for attacks is malicious links posted either to Twitter or to your Facebook wall. In the past, such as with the malware known as Koobface, the troublesome links could be easily identified because they would often use a consistent phrase followed by a URL. For example, in August, Koobface was posting links that read "my home video :)" which was followed by a URL and then a random component on the end such as "HA-HA-HA!!", "W.O.W.", "WOW", "L.O.L.", "LOL", ";)" or "OMFG!!!"

Although the end piece changed from tweet to tweet, the message itself remained the same. However, security researcher Costin Raiu of Kaspersky Lab tells us that easy-to-identify messages are not as common anymore. Today, it's much harder to identify malicious links thanks to two newer techniques being used by hackers. Below those two newer methods are described in more detail as is the tried-and-true method of spreading malware via email.
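As an added illustration (not code from the original article), the following Python flags messages that follow the fixed-phrase Koobface template just described, running over a few constructed sample messages with made-up URLs. It also shows why the newer techniques are harder to catch: a message that drops the constant bait phrase, as the trending-topic posts do, matches nothing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Template the August 2009 Koobface tweets followed, per the article: the fixed
# phrase "my home video :)", a URL, then a random tail that changed per tweet.
# The detector anchors on the constant parts and captures the variable tail.
KOOBFACE_BAIT = re.compile(
    r"^\s*my home video :\)\s+(?P<url>https?://\S+)\s*(?P<tail>.*?)\s*$",
    re.IGNORECASE,
)

# Tails the article lists as seen in the wild; anything else is still flagged,
# but marked as a new variant worth a look.
KNOWN_TAILS = {"HA-HA-HA!!", "W.O.W.", "WOW", "L.O.L.", "LOL", ";)", "OMFG!!!"}


@dataclass
class Hit:
    url: str
    tail: str
    tail_known: bool


def classify(message: str) -> Optional[Hit]:
    """Return a Hit if the message matches the fixed-phrase template, else None."""
    m = KOOBFACE_BAIT.match(message)
    if m is None:
        return None
    tail = m.group("tail")
    return Hit(url=m.group("url"), tail=tail, tail_known=tail in KNOWN_TAILS)


def scan(messages: List[str]) -> List[Tuple[str, Hit]]:
    """Run classify() over a batch of messages and keep the hits."""
    hits = []
    for msg in messages:
        hit = classify(msg)
        if hit is not None:
            hits.append((msg, hit))
    return hits


# Constructed sample messages (not real tweets); hosts use reserved example names.
SAMPLE_MESSAGES = [
    "my home video :) http://video.example/clip1 HA-HA-HA!!",
    "my home video :) http://video.example/clip2 ;)",
    "My Home Video :) http://video.example/clip3 OMG!!!",                 # new tail
    "#trendingtopic shocking footage here http://video.example/clip4",    # no template
    "my home video :) with no link at all",
]

if __name__ == "__main__":
    for msg, hit in scan(SAMPLE_MESSAGES):
        flag = "known tail" if hit.tail_known else "NEW tail"
        print(f"{flag:10s} url={hit.url} tail={hit.tail!r}")
```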

Method 1: Hijacking Twitter's Trending Topics

The first technique, which really became popular in August of this year, involves hackers creating new Twitter accounts and then posting messages related to whatever trending, or "hot," topic was being heavily discussed on Twitter at that time. This would allow the post to be aggregated in Twitter search results where unsuspecting users would click on the included link. The text accompanying the link would be intriguing to those interested in the subject, enticing them to click through.

Method 2: Hijacking Legitimate Accounts

The second technique involves infiltrating legitimate accounts through phishing attempts and other methods so that the hacker essentially has control over a "real" account. After control has been established, if on Twitter, the hacker will then tweet out links that redirect users to malware-infected sites. Because the tweets come from an account that already has an established set of followers, those reading the tweets assume it's safe and don't hesitate to click the links.

After infecting the account of a Facebook user, malware often uses that particular person's account to spread, too. As with the malicious links on Twitter, because it appears that the links posted are from a trusted friend, other users don't realize that the posted link is harmful.

On Facebook, one of the most problematic malware programs is Koobface, a particular type of malicious software that sees 20 to 30 new variations per day. Despite the number of variants out there, Koobface's M.O. is relatively consistent: it tricks people into clicking links. These links appear on social networks like Facebook and Twitter, but also on MySpace, hi5, Bebo, Friendster, and others.

Method 3: Dangerous Email

A third method to encourage social networking users to click on infected links is the old but still effective technique of sending out spoofed email. Hackers can create email messages that appear to be sent from a social networking site. The messages prompt you to "update your account" or open an attachment containing your new password among other things.

Image Credit: Last Watchdog

Although many users are now wary of email, these techniques are still being seen in the wild, so it's clear that to some extent they still work.

How To Stay Safe

There are a number of best practices that you should follow in order to stay safe and avoid infection. They are as follows:

  1. Don't assume a link is "safe" because it's from a friend: As noted above, your friend's account may be infected. You should never assume that a link is safe just because a friend tweeted it or posted it to your wall. Use your common sense. If it doesn't sound like something they would say, be wary, don't click. If you're unsure, try to contact them through another channel and see if the link is legit.
  2. Don't assume Twitter links are safe because Twitter is now scanning for malware: In August, Twitter partnered with Google to use Google's Safe Browsing API, a technology that checks URLs against Google's blacklist. This prevents spammers from posting malicious URLs to Twitter, but it does NOT prevent them from posting shortened URLs which direct users to those same malicious sites. It's better than no protection at all, but it's not going to keep you entirely safe.
  3. Don't Assume Bit.ly Links are Safe: Earlier this year, Twitter's default URL-shortening service Bit.ly, began warning users of malware. Bit.ly also uses Google's Safe Browsing API along with two other blacklists to identify malicious links. Although the service doesn't prevent users from posting these links, it will warn upon clicking that the site being linked to is infected. However, as Raiu tells us, this is not 100% effective either. Kaspersky has identified a number of malicious links which Bit.ly did not block. However, you can assume that Bit.ly is generally safer than the other URL-shortening services because it uses this technology and because the hackers are generally avoiding this service at the moment because of its built-in protection. But it is not completely safe - nothing ever is.
  4. Use an up-to-date web browser: Kaspersky recommends using the latest version of your web browser and keeping it up-to-date with the necessary patches. That means Internet Explorer users should be on IE8 - and since this browser is attacked the most, it's critical that you make sure it stays updated as needed. Firefox is the second most attacked browser, but fortunately, it has a self-updating feature built in. Google Chrome is also good because it has a self-updating feature as well as another security feature that runs plugins in "sandboxes," or restricted environments. If an attacker was able to exploit the browser and run malicious code, it would be isolated to this sandbox and would not be able to affect the entire machine. Opera and Safari are also good browsers and should be kept current, too.
  5. Keep Windows up-to-date: As always, Windows users should make sure their systems are current with the latest patches from Microsoft. Automatic updates should be turned on.
  6. Keep Adobe Reader and Adobe Flash up-to-date: At the moment, Adobe Reader and Flash are the two most targeted programs by hackers. A lot of malware specifically goes after known vulnerabilities within Adobe's software. In addition, a common method of attack, such as that used by Koobface, is to redirect a victim to a malware-infested site where the user is prompted to update their Flash player or Adobe Reader in order to see the website content. NEVER do this. Always go to Adobe's site on your own to download the latest version or update the software on your computer using its own built-in update mechanisms.
  7. Don't assume you're safe because you use a Mac: While it's true that Mac users are less targeted than Windows users, they are not immune to malware, despite what those commercials may say. Although Apple did include some malware protection in their latest operating system, it only protects users from two trojans; you cannot count on it alone to protect you. There are a couple of hundred trojans currently in the wild that specifically target Mac machines, according to Kaspersky. In fact, there may even be as many as a thousand, but researchers are unable to identify all of them because Mac users don't typically run anti-virus software, which is how much of the data is collected. These days, when a user clicks an infected link, the malicious web page will now sometimes identify whether that user is coming from a Windows or Mac machine and then display the appropriate version of the trojan accordingly. A particular family of trojans known as "DNS Changer" trojans are the most common ones used to attack Mac machines. The only way to really be sure that you're protected against these malicious programs is to run anti-malware software on your Mac, but most Mac users won't do so, preferring to take their chances since their risk is lower.
  8. Be wary of email messages from social networks: Because email addresses can be "spoofed" by hackers, you can't assume that an email from Facebook or Twitter is really from the site it claims to be from. As always, you should never open attachments you were not expecting to receive and you should be wary of clicking on links - especially if you're being told to "update your account." If you do click on a link and are taken to a web page that asks you to log into the site, DON'T DO IT. It would be handing over your password to the hackers. Instead, you should always access the sites directly by typing in their URL in your browser or clicking a saved link in your Favorites.
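Added example, not part of the original article: this Python shows the gap described in points 2 and 3 above. A blacklist lookup on the shortened URL as posted passes, while the same lookup after expanding the redirect chain (checking every hop, and treating loops or over-long chains as unsafe) blocks it. The redirect table, host names and blacklist are constructed stand-ins; a real checker would follow HTTP Location headers and query a service such as Safe Browsing.

```python
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed redirect table standing in for a shortener's HTTP redirects
# (offline stand-in for following Location headers; hosts are reserved names).
REDIRECTS: Dict[str, str] = {
    "http://short.example/abc": "http://short.example/def",            # double-shortened
    "http://short.example/def": "http://malware-host.invalid/flash_update.exe",
    "http://short.example/ok": "http://news.example/story",
    "http://short.example/loop1": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop1",        # redirect loop
}

# Constructed blacklist of known-bad hosts, the stand-in for a Safe Browsing lookup.
BLACKLISTED_HOSTS: Set[str] = {"malware-host.invalid"}

MAX_HOPS = 5


def host_blocked(url: str, blacklist: Set[str] = BLACKLISTED_HOSTS) -> bool:
    """True if the URL's host, or a parent domain of it, is on the blacklist."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == bad or host.endswith("." + bad) for bad in blacklist)


def expand(url: str, redirects: Dict[str, str] = REDIRECTS,
           max_hops: int = MAX_HOPS) -> Tuple[List[str], bool]:
    """Follow redirects; return (chain of URLs visited, resolved_cleanly)."""
    chain = [url]
    for _ in range(max_hops):
        nxt = redirects.get(chain[-1])
        if nxt is None:
            return chain, True          # final destination reached
        if nxt in chain:
            return chain, False         # redirect loop
        chain.append(nxt)
    return chain, False                 # too many hops, give up


def naive_check(url: str) -> bool:
    """Blacklist lookup on the URL as posted; a shortener hides the real host."""
    return host_blocked(url)


def expanded_check(url: str) -> bool:
    """Expand first, then check every hop; unresolvable chains are treated as bad."""
    chain, ok = expand(url)
    if not ok:
        return True
    return any(host_blocked(u) for u in chain)


if __name__ == "__main__":
    for u in REDIRECTS:
        print(f"{u:30s} naive={naive_check(u)!s:5s} expanded={expanded_check(u)}")
```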

It's Not Just a Matter of Common Sense Anymore

As the above best practices show, a lot of the things you can do to protect yourself from malware are the same as they have been in the past - keep your computer and browser up-to-date, don't open attachments, etc. However, malware is trickier to identify these days thanks to social networking sites. It now uses the trusted identities of your friends in order to lull its victims into a false sense of safety. You can no longer simply assume that because someone you know posted a link, it's automatically safe. You can't even assume that the networks themselves are safe, either. They're not always scanned for malware-laden links, and when they are, such as is the case with Twitter, it's not a 100% effective method.

Security researchers are actively working on better ways to fight this problem - for example, Kaspersky just announced their "Krab Krawler" project which will help keep their blacklists current by scanning for malicious links on Twitter, but it's not a tool that end-users can download to protect themselves; it's only one of many methods that security firms use to collect data about the malware on the internet. The best way to stay safe is to follow through with all the best practices - not just one or two. Malware isn't ever going away, so everyone must do their own part in order to stay safe on the web.

http://www.readwriteweb.com/archives/how_to_avoid_malware_on_facebook_and_twitter_8_best_practices.php (Facebook, Fri, 30 Oct 2009 17:00:00 -0800, Sarah Perez)
Microsoft, NY Times and Scareware Offenses

Microsoft is taking aim at malvertising in an effort to curb the phenomenon. The Redmond company filed five civil lawsuits in King County Superior Court this morning after finding that a number of online advertisers were delivering malicious code to users. In the past ReadWriteWeb has covered a number of malvertising scams including the Facebook Fan Check virus' scareware scam. As was the case with Fan Check, the 5 companies are being accused of mimicking Windows security updates and tricking users into running fake programs.

Over the weekend, the New York Times was hacked and scareware advertisements appeared in the banner feed. Readers were warned not to click on the ad and to restart their web browsers. This influx of scareware has Microsoft livid.

Says Microsoft Associate General Counsel Tim Cranton in a recent blog post, "Although we don't yet know the names of the specific individuals behind these acts, we are filing these cases to help uncover the people responsible and prevent them from continuing their exploits." Those involved in the current lawsuit include Soft Solutions, Direct Ad, qiweoqw, ITmeter INC, and ote2008.

In addition to this current civil suit, Microsoft is actively pursuing actions against a number of instant messaging spammers and bot-powered click frauders. It will be interesting to see if the public education campaigns for web security can keep up with the influx of ad delivered trojan horse viruses. The public is directed to the Microsoft Online Safety page for more information.

Photo Credit: Dirk Heuer

http://www.readwriteweb.com/archives/microsoft_ny_times_and_scareware_offenses.php (Advertising Market, Thu, 17 Sep 2009 21:30:00 -0800, Dana Oshiro)
Researchers Discover Botnet Commanded by Google Groups

New Trend: Web 2.0-controlled malware?

Security researchers at Symantec recently uncovered a backdoor trojan whose spread is being dictated by commands hosted in Google Groups, Google's online discussion forums. The backdoor trojan, named Trojan.Grups, appears to be the first ever malware to use an online newsgroup as the "command and control" center for botnet communications. It's certainly the first time that Google Groups specifically has been compromised in this way. This new discovery points to what appears to be the latest trend in what you could call "Web 2.0 malware," that is, nasty computer programs that don't just spread in social networks, but actually use the infrastructure of the social networks themselves to do the spreading.

Using Google Groups for Corporate Spying

Botnets are groups of computers compromised by malware programs, often called "zombie computers," which are controlled by "bot herders," the person or persons responsible for remotely controlling the infected PCs, unbeknownst to the PCs' owners. Traditionally, a centralized server of some sort would issue the commands that instruct the computers what action to perform. In many cases, the zombie machines are used to send out spam, to perform click fraud, to aid in identity theft, or are directed to attack another web server on the internet, as was recently seen with the Twitter/Facebook/LiveJournal attacks of last month.

With this particular new trojan, the command-and-control center for issuing the botnet commands is not a single server on the internet. It's Google Groups itself. Using a private newsgroup, the trojan executes a command which logs it into the newsgroup and requests a specific page. The page contains the encrypted commands the malware is to carry out. The responses from the compromised machines are then sent back to Google Groups and are uploaded as posts to the newsgroup.

According to security company Symantec's analysis of this new trojan, it appears that it is a prototype implementation meant to test the feasibility of using newsgroups in this way. The trojan is attempting to remain discreet and undetected, being used to subtly gather information and potentially determine its future attack targets. The researchers think that the trojan may have been developed for targeted corporate espionage where anonymity and discretion are priorities.

Using Web 2.0 as the C&C for Botnets

This latest trojan isn't the first to use a social network to aid in its spread. What is unusual about it, though, is that it actually uses the social network that is Google Groups to host the commands which control the malware's actions. This is a different sort of scenario than your typical social networking-based malware which simply uses popular online networks as the vector for the attack. This is using the network as the brains.

Another recent example of this sort of Web 2.0-controlled malware involves the recent discovery of a botnet which used Twitter.com to issue commands. In an arguably ingenious move, Brazilian identity thieves created a Twitter account for the sole purpose of sending out commands to its associated malware. Each command was posted as a status update to the Twitter account. As researchers noted at the time, this sort of setup could have used any number of web sites or services on the internet to do the same - all that was needed was an RSS feed. In fact, the same malware was later seen on both Jaiku.com, a Twitter-like service acquired by Google in 2007, and Tumblr, a simple blogging platform.

Given the open, "anyone-can-post" nature of Web 2.0 and social networking services, the online communities that have become the de facto standard on today's web, it was only a matter of time before that openness was compromised by hackers wishing to use the services for more nefarious purposes than just "sharing with your friends."

For now, there are still relatively few incidents where a botnet has been discovered as using a Web 2.0 service as the command-and-control center for operations. However, the idea must surely appeal to botnet operators as hiding these sorts of messages in the larger social networking infrastructures that house valid communications makes the botnets harder to identify and shut down. You can't simply blacklist the IP or URL once discovered - you have to rely on the social networking vendor to remove the malicious accounts. If any of these recent efforts at web 2.0-controlled malware are successful (and the Google Groups trojan has been - it's been around since November 2008!), then it's likely we'll begin to see even more programs like this in the future.

http://www.readwriteweb.com/archives/botnet_commanded_by_google_groups.php (Google, Mon, 14 Sep 2009 07:42:04 -0800, Sarah Perez)
Latest Facebook Scare: The Cure May Be Worse Than The Disease

It seems like every virus produces a list of capitalistic charlatans. During the Bubonic plague, thousands spent their hard-earned savings on worthless talismans in the hopes of avoiding the Black Death. The song "Ring Around the Rosy" even documents the myth that a "pocket full of posies" could ward off the disease. Today's modern-day talisman comes in the form of fake anti-virus software. According to John Leyden's recent Register article, fake software is being peddled to users who believe their systems are infected with the Facebook Fan Check Virus.

It's unclear as to whether or not the Facebook Fan Check Virus actually exists. It's entirely possible that concerned forum members are simply laying the bait for malware scams. Only one thing is certain: sites claiming to protect against the virus are being used to trick users into offering up their credit card information.

Says Sophos' Senior Technology Consultant Graham Cluley in a blog post, "The bogus warnings look near identical to previous fake anti-virus software attacks that we have seen in the past - with a scrolling green progress bar and a list of alleged threats found on your computer displayed in a dramatic red colour scrolling up."

Phishers are designing site pop-ups that mimic system anti-virus warnings in order to lure users into giving up personal information and, in some cases, downloading malware. According to the Anti-Phishing Working Group, more than 9000 scareware packages have been in circulation since late 2008.

For a list of some of these potential issues, check out ReadWriteWeb's Top Online Security Threats for 2009 or visit the US Computer Emergency Readiness Team site for industry updates.

http://www.readwriteweb.com/archives/facebook_virus_rumors_lead_to_bogus_scareware.php (Facebook, Mon, 07 Sep 2009 20:49:57 -0800, Dana Oshiro)
SlideShare Used to Spread Malware

When it comes to spreading malware on the web, virus writers are nothing if not creative. We've seen malware infiltrate everything from Facebook to Twitter to email to IM. Now it seems you can add another site to that list: SlideShare, the community for sharing your slideshow presentations on the web. Over the weekend, security firm ESET discovered that this popular social media resource was being used to spread malware in the form of fake slide decks. Although these initial attacks were relatively simple to detect, future variations could easily become more deceiving.

That's Not a Slideshow, It's a Virus!

According to ESET's report, the attackers created slide decks which would contain a link to a malware-laden website and would then lure unsuspecting victims to Slideshare using traditional social engineering tactics. The presentations themselves should have raised a red flag for careful users, we think, but we have no way of knowing how successful they were at this time.

One of the presentations found included just one slide with a single link. The slideshow was purportedly offering a cracked download of ESET's own NOD32 scanner, an antivirus software program. To lend credibility to the download, the attackers added in the SourceForge logo (as if the open-source application directory SourceForge was a place to find cracked warez!) Of course, when the user clicked the link, they wouldn't end up on SourceForge, but on a spoofed site that looked very similar. A window would then pop up prompting the user to download a .EXE file. Since the user already thought they were accessing a link for a software installation program, they would click the link and let their computer be infected with the malware.

Of course you may scoff at these victims since they were trying to get "something for nothing" - in this case, a free anti-virus program when really they were being given a free virus instead. However, while you may not have fallen for this particular scam, it's only one example of how the SlideShare platform could be used for nefarious purposes such as this. It's not far-fetched to imagine that in the future attackers could create even harder-to-detect malware-infused slideshows. We foresee them copying a legitimate slideshow from the site and then including an extra page with their malicious link. News like this is all the more reason to run a good anti-virus program on your PC.

SlideShare Responds Quickly

In SlideShare's defense, they took action quickly against this threat. As soon as it was brought to their attention by way of the ESET blog post, SlideShare co-founder Amit Ranjan responded in the comments saying:

"I just wanted to let readers know that the offending user account has been removed. Thanks a ton for bringing this to our notice. Spam slideshows are a problem for us. And as this example shows, they can be turned malicious as well. In case anyone comes across any other user account from where this is happening, please email us, and we shall take immediate action. As a company we are committed to stop all such malpractices."

However, the rogue account which had been used to spread the malware had joined the SlideShare community in June 2009 and had uploaded as many as 2473 presentations before they were banned this week.

Social Sites Need to Think About Security

The more popular the site becomes, the more likely it will be used to spread malware, so perhaps SlideShare should be somewhat flattered that they've reached this level of notoriety. They've now joined the ranks of many other social networking sites who have seen regular malware threats invade their platforms. Facebook, for instance, has come under attack multiple times in the past, the most memorable of which was the Koobface trojan which leaped outside of Facebook to spread to other social networking sites. It continues to evolve, even infecting Twitter as recently as last month. But Facebook isn't the only example by any means of social sites under attack. Unfortunately, any website or social community where users are allowed to post content could become victim to threats such as this.

What's odd, though, is how many sites seem to think of security as an afterthought. Case in point, it was only on Monday of this week that we saw Twitter start filtering malicious links from being posted. These are the sort of features that really should have been included from the get-go. In SlideShare's case, they may eventually have to go the same route as Twitter and partner with a malware-scanning service like Google's Safe Browsing API to make sure their hosted content isn't dangerous to their users. In fact, they may want to start looking into that right now.

http://www.readwriteweb.com/archives/slideshare_used_to_spread_malware.php Social Networks Wed, 05 Aug 2009 06:30:11 -0800 Sarah Perez
Are Mobile Botnets in Our Future? Today at the cybersecurity conference known as Black Hat, researchers Charlie Miller and Collin Mulliner will present an SMS exploit that could take over your iPhone with just one text. Once the phone is compromised, the hacker would have access to all the functions on the phone, allowing them to send email, access your contacts, make phone calls, and of course, send text messages that would send the exploit to more devices.

This serious vulnerability (which apparently Apple sat on for over a month) is probably the first time that most people have heard of mobile phones being used to create botnets. However, this isn't the first sighting of a mobile phone hijacking attempt for the purpose of botnet creation - a similar exploit was discovered earlier this month. Does this mean we're on the verge of a new and dangerous trend: the creation of "zombie" phones?

The iPhone SMS Hack

According to Forbes, the SMS exploit being demonstrated at Black Hat today involves sending short, mostly invisible SMS bursts which would allow a potential hacker to entirely take over the phone. The only warning you would have to alert you to the hack would be a text message that contained a single square character. If you received something like that, your only recourse would be to turn the phone off immediately.

The researchers said they alerted Apple to this vulnerability over a month ago, but no patch has been released. Apple isn't returning calls requesting a comment, either.

The First Mobile Botnet?

Assuming the iPhone exploit described above was able to make it into the wild, it could effectively compromise all the unprotected iPhones in the world (which, in theory, would be all of them, if no patch is distributed). The hack would essentially turn the phones into "zombies" - a term usually used to refer to PCs compromised by a hack, virus, or trojan horse in order to do the bidding of a hacker. Along with other compromised PCs like them, this group of computers would form a botnet of "zombie" machines.

While botnets are common in the PC world - it's estimated that these machines are used to send anywhere from fifty to eighty percent of spam worldwide - botnets consisting of mobile phones are practically unheard of...or are they?

Earlier this month, Symantec revealed an SMS threat dubbed "Sexy Space" created using malware known as SymbOS.Exy.C, a revision of older variations also used to create similar threats. Using simple social engineering tactics, this hack involves sending SMS spam with names like "Sexy View," "Sexy Girl," and "Sexy Space" to encourage victims to click an included link in the text message.

This particular exploit, only found on Symbian-powered devices so far, is smart enough to kill the programs on the hijacked phone that would otherwise make it possible to manually end the threat. At first, the hack was only being seen in China, but later an English version was discovered in the Middle East.

What's most frightening about this particular threat is that it's controlled by a central server. That means hackers could control the attacked phones the same way hackers today control zombie PCs. This led the Symantec researchers to wonder if this was, in fact, the first case of a mobile botnet being spotted in the wild.

But My Phone Has Never Been Attacked!

Security researchers have been warning us about the upcoming mobile risks for some time and yet few people have ever actually had their phone compromised by malware, it seems. To date, mobile exploits have been few and far between and have had no major impact on the industry as a whole or on consumer confidence levels regarding these devices. Perhaps lulled into a false sense of security since mobile phones were once much more basic devices without internet access and data plans, most people don't even realize that their phone could be at risk of an attack.

In a paper released this past fall from the Georgia Tech Information Security Center, Tom Cross, a researcher with the IBM Internet Security Systems X-Force team, was quoted as saying how surprised he was that there haven't been more attacks to date on smartphone devices like Apple's iPhone. However, he noted that "financial motivation and increased adoption will increase attacks to smartphones in the years to come. As more payment infrastructure gets placed on these devices, they will become a more attractive target."

In other words, mobile phones just aren't worth hacking yet. That will change once more financial transactions take place over phones, agreed Dave Amster, VP of security investigations at Equifax, in that same report. "Consumers are ordering credit reports from their Blackberrys, which puts valuable information at risk," he said.

Still, hacking the mobile platform will remain a challenge. According to Patrick Traynor, a computer science professor at Georgia Tech and member of GTISC, the lifecycle for mobile phones is much shorter than that of PCs. Most people buy a new mobile device every two years - a cycle which allows manufacturers to keep up with security design - and potentially stay ahead of hackers.

But if there's one thing we've all learned over the years, it's that you should never count out the hackers. If there's something to be gained by creating mobile botnets - beyond simply proving that it's possible to do so - then there's no doubt that hackers will attempt to create them.

http://www.readwriteweb.com/archives/are_mobile_botnets_in_our_future.php Trends Thu, 30 Jul 2009 06:32:04 -0800 Sarah Perez
Security Guru Calls Chrome OS's Security Claims "Idiotic" Noted security guru Bruce Schneier, chief technologist at BT, has scoffed at Google's claims about its new OS, just announced yesterday. According to the Google blog post, Chrome OS represents a complete redesign of the underlying security architecture of the OS "so that users don't have to deal with viruses, malware, and security updates." A bold statement to say the least...and apparently one Schneier doesn't think too much of. "It's an idiotic claim," he says.

In a Yahoo News story, it's reported that Schneier isn't completely buying Google's promises. "It was mathematically proved decades ago that it is impossible -- not an engineering impossibility, not technologically impossible, but the 2+2=3 kind of impossible -- to create an operating system that is immune to viruses."

That seems to us like he's picking on the semantics of Google's statement just a bit. Google says that users "won't have to deal with viruses," and Schneier is noting that it's simply not possible to create an OS that can't be taken down by malware. While that may be the case, it's likely that Chrome OS is going to be arguably more secure than the other consumer operating systems currently in use today. In fact, we didn't take Google's statement to mean that Chrome OS couldn't get a virus EVER; we just figured they meant it was a lot harder to get one on their new OS - didn't you?

Even Schneier himself admits that an OS redesign which takes security into account "all the way up and down" could make for a more secure OS than the ones available today. However, that's different than saying that users won't have to deal with malware, he added.

Carl Leonard, security research manager of Websense EMEA, also shares Schneier's beliefs. "All software is susceptible to issues - it just depends on how much effort the malware author wants to go to and how much profit can be made," he said. "Already we have seen vulnerabilities and issues with the Chrome browser, and Google even ran a contest in which two well-known security researchers found 12 exploitable security flaws in the company's Native Client system."

OK, we get it: Chrome OS can get malware...technically speaking. But won't it get less of it?

Forrester Research analyst Andrew Jaquith, on the other hand, has more positive things to say about Google's new OS. He notes that the company has made strong security strides through its Native Client code technology and Chrome web browser, which includes features such as "sandboxing" which could help contain malware. "If [Google] brings that kind of thinking to the operating system and looks at it from a clean sheet of paper, they should be able to introduce some significant improvements," he said.

Do you think the security community is making a mountain out of a molehill when it comes to Google's security claims? Or do you think they were right to point out that no OS is invulnerable to attack?

http://www.readwriteweb.com/archives/security_guru_calls_chrome_oss_security_claims_idiotic.php Google Thu, 09 Jul 2009 08:33:00 -0800 Sarah Perez
Warn Users of Malware on Facebook - Get Banned? Looking for a good conspiracy theory today? Well here's one: Chris Almond, the administrator of a Facebook group called the Rogue Facebook Apps Early Warning Group just got kicked off the social network. Why did this happen? Did Facebook not like how he was posting details about Facebook malware, hacks, and attacks? Attacks like this recent one that exposed private Facebook profile information just by clicking on a link?

Or was Facebook simply following through on a TOS violation because Chris had accidentally sent out duplicate messages to group members, thereby getting flagged as a spammer and subsequently booted from the network?

You decide.

First Rule of Facebook: Don't Talk about Hacks on Facebook!

On Monday, the anonymous blogger over on Social Hacking posted a link that demonstrated a gaping hole in Facebook which revealed private profile data upon clicking. The hack worked (I tried it at the time) although now the hole has been closed. He later revealed the technical details of this hack on his blog.

However, even before those technical explanations were posted, Chris Almond was spreading the word via the Rogue Facebook Apps Early Warning Group, a group whose members like to stay informed about the latest and greatest threats happening on the social network. All he was doing was publicizing the information - he was not involved in the hack's creation in any way.

Shortly after sharing the information with the group, Chris found his account was disabled.

And because it was disabled, Chris's collection of links and articles he had posted since the group's creation in 2009 as well as all the discussions he had with other group members were gone, too. The group's archive was emptied out.

Does that sound suspicious to you? TheHarmonyGuy (aka Mr. Anonymous from Social Hacking) thinks so. He writes, "While I hope I'm wrong (and I very well could be), it appears that at least part of the reason for the account shutdown was that this user was spreading word about my Facebook attack. It saddens me that other people are having to suffer on my account..."

Flip Side: Just a Simple TOS Violation?

Of course, there are always two sides to any story and this story is no exception. In Facebook's defense, Chris Almond was guilty of a TOS (Terms of Service) violation. You see, Chris had decided to send out personal emails to group members with information about the hack and to invite them to a group event. Unfortunately, he accidentally sent out duplicate emails to some of the group's members.

This triggered Facebook's spam detection feature - most likely an automated system that detects such behavior on the part of group admins. Chris received the warning and realized his mistake. Though it was accidental, he had in fact violated Facebook's TOS. He stopped sending any further messages as soon as the warning arrived.

But apparently, it was too late for contrition because Facebook soon thereafter disabled his account.

At the moment, Chris is busy pleading for reinstatement. He has sent Facebook the following emails to state his case:

Email 1

Hello

My Facebook account, registered with this email account [EMAIL ADDRESS REMOVED] has been disabled.

I'm not going to argue that I didn't violate terms of use, only that I did so unknowingly and in completely good faith.

Please allow me to explain my activity that led to the disabling. I am admin of a group called Rogue Facebook Apps Early Warning Group. I wished to send an invite to members to a group event I'd created in which information about Facebook security issues was shared, containing links to a site that after personal contact with the author I am satisfied is legitimate and non-threatening.

Here is the link I shared: http://theharmonyguy.com/2009/06/22/illustrating-facebook-privacy-problems/

Due to the size of the group, it was impossible to send a group invite, so I decided to personally message members of the group who had posted on the wall. My reasoning was that they were voluntary members of the group and so this was probably an acceptable course of action. Obviously I was wrong about that.

I have been corresponding recently with Ryan Merket of Facebook platform team about the group. Hopefully he will be able to vouch for my good intentions.

I assume that somebody to whom I sent a message has reported my activity as spam. I can certainly see, in light of what has happened, that it could be construed as such but my intention was to share information about Facebook security awareness, and absolutely not to trouble anyone at all.

Please reinstate my account. I run a small business, promoting music in my local area, and my business will suffer if I can't use Facebook for that purpose.

Yours contritely

Chris Almond

Email 2

Hello

I wrote the other day about how I'd shared a link with members of the Facebook group I co-administrate, and how that action has led to the disabling of my Facebook account registered with [EMAIL ADDRESS REMOVED]

I don't know if the manner in which I distributed the message or its contents were the main transgressions in your opinion. I accept that by duplicating a message I triggered an automatic spam alert, and I sincerely regret that particular course of action. Please note, I stopped sending the messages as soon as the first warning appeared.

The link itself was to a hack, described here by its author http://theharmonyguy.com/2009/06/24/facebook-attack-technical-details/

The purpose of the Facebook group I help to run, Rogue Facebook Apps Early Warning Group, is to spread awareness about the weaknesses in the Facebook platform that allow unscrupulous Facebook app developers to access users' private information without their explicit authorisation. I am not a hacker, nor particularly technically informed in that area, but I am somebody who is concerned by the implications of such weaknesses. Neither am I, as my group co-admin erroneously stated in an email to you yesterday, working with theharmonyguy. I merely follow his work and believe that the kind of activism he engages in is an honorable and practical way of encouraging greater security on Facebook.

A hallmark of my personal experience of Facebook is the worrying amount of applications that find their way onto my account without my permission. Error Check System, the notorious app attack of February 2009 that led to the formation of our group, was merely one of the most aggressive, visible, and widely remarked-upon.

I don't publish sensitive personal info on my account, but many do, and I believe it is legitimate behavior to be proactive in spreading awareness of the issue.

Having accepted that the sending of duplicate messages is in contravention of the Facebook terms of use, I must say it is intolerable that I have been singled out for suppression when, over the course of my time using Facebook I have seen many groups containing material that by any reasonable assessment is racist, homophobic, or in some other regard hate-filled and offensive, and whose admins are allowed to continue their activities.

I am not a spammer. I have never, before this incident, done anything that could be viewed as spamming. I accept that I was naïve in the way I went about promoting the activities of my group. I do not think that what I did warrants permanent expulsion from the Facebook community, and I hope you will agree.

Yours sincerely

Chris Almond

What Do You Think?

So is this a clear-cut case of a Facebook TOS violation being acted upon? Or was Facebook just looking for an excuse to shut this group down? Surely they couldn't have liked the fact that Facebook users were using their very own platform to share news and links about ways to attack Facebook! Still, there wasn't anything Facebook could do about it...unless somebody crossed the line, of course.

Luckily for us, Facebook has not yet succeeded in completely destroying this group. The Rogue Apps Early Warning group itself lives on thanks to co-admin, Stuart Forbes, who is now in charge of the group's activities. Chris's account is currently still suspended.

UPDATE: After this article was published, Facebook reactivated Chris's account.

http://www.readwriteweb.com/archives/warn_users_of_malware_on_facebook_-_get_banned.php Facebook Thu, 25 Jun 2009 11:19:33 -0800 Sarah Perez
Dasient: Ex-Googlers Launch Website Security as a Service Ever come across a Google search result that has the words 'this site can harm your computer' below a link? What about the Firefox red screen of death? If you're a Web surfer, chances are you've avoided clicking on this type of link. If you're the owner of the flagged site, chances are that those six simple words will set off a mental tailspin.

Launching today, Dasient, a San Jose Palo Alto start-up founded by a couple of ex-Googlers, hopes to change all that with its new Web anti-malware service. By monitoring Web sites for infected pages, providing instant diagnostics and giving site owners a two-click quarantining option within moments of a compromise, Dasient's subscription based security service (free and paid, from $50/month) aims to help businesses retain control of their Web site and remain clear of the dreaded blacklist.

Malware and the Social Web

There has never been a shortage of security problems on the Internet, but one of the most significant threats has come from the fundamental changes in the way malware is being distributed across the social Web. No longer are the majority of viruses spread by email attachments; cybercriminals are turning to the Web, planting malicious code on innocent Web sites, and then sitting back and waiting until the code silently infects visitors.

According to the 2009 Sophos Security Threat Report (PDF), this global criminal operation has reached such proportions that one new infected Web page is discovered every 4.5 seconds - 24 hours a day, 365 days a year. And according to Dasient, there are three underlying and converging trends that are behind these ridiculously high numbers.

  1. The Web itself is becoming more complex and sophisticated, and Web sites now come with rich functionality (Ajax, dynamic HTML, JavaScript), along with content and ads from various sources.
  2. Non-expert developers with little or no computer science background and little or no security training are building user-facing applications.
  3. Attackers are automating and building attack scripts and launching them against thousands of Web sites in attack waves.

This expansion of the Web, while great for users, increases the attack surface and allows for an entirely new class of attacks that didn't exist even a few years ago. And a new class of attacks, according to Dasient, requires a new way of thinking, and a new class of solutions.

Dasient: Web Anti-Malware at Web Scale and at Web Speed

Founded by Neil Daswani, a former Google security engineer and product manager, Shariq Rizvi, a former member of Google's Webserver and App Engine teams, and Ameet Ranadive, a former McKinsey strategy consultant, Dasient hopes to confront today's Web malware problems by using automated mechanisms in an attempt to stay ahead of the bad guys and their automated and systematic attacks against Web sites.

The company, which raised its seed round of funding (just over $2 million) in December 2008 from investors Stratton Sclavos (former VeriSign CEO), Mike Maples (one of the key investors in Twitter) and Eric Benhamou (former 3Com/Palm chairman), has been running its services in alpha and is advancing its monitoring and diagnostic service to public beta.

Launching today:

  1. A free monitoring service which will alert webmasters when their site gets blacklisted (public beta).
  2. A premium monitoring service ($50/month for a site with fewer than 1000 pages) that continuously scans a site for malware infections and alerts webmasters when their site has been compromised (public beta).
  3. A quarantining service through a web server module (private beta).

How Dasient Works

When the service determines that a site has been compromised, it sends an e-mail to the webmaster that details the number of infected pages, their URLs, and the malicious code that caused the infection. From there, the webmaster, with only two clicks, can authorize Dasient to execute quarantine instructions on the infected site.


Although it may take up to a few minutes for the quarantining instructions to propagate across all of the Web servers on the site and/or all of the processes running on the server, once executed, the malicious code will be quarantined off the page and will not be served to visitors - including the Googlebot - resulting in less likelihood of the site being flagged and fewer headaches for the webmaster.

Is Your Site Blacklisted by Google?

Determining whether your site is blacklisted by Google is fairly simple: type http://www.google.com/safebrowsing/diagnostic?site= into your browser and add your URL at the end (e.g. this is the link to view Google's listing status for ReadWriteWeb: http://www.google.com/safebrowsing/diagnostic?site=http://www.readwriteweb.com/). Determining which part of your site has been compromised, however, is a lot more difficult.

But, it shouldn't be that hard.

"Instead of expecting every business to have security engineers of their own, what we need to do is take security services and make them available as a utility to companies just like electricity is a utility these days, and no one needs to keep an electrical engineer on staff like they did back in the nineteen twenties," Daswani noted.

Good point. And that's exactly where Dasient comes in.

http://www.readwriteweb.com/archives/dasient_ex-googlers_launch_website_security_as_a_s.php News Tue, 16 Jun 2009 07:05:00 -0800 Lidija Davis
It's Alive! Conficker Wakes Up - And Now It Has a Business Model Conficker, the Internet worm that caused a mild panic reminiscent of Y2K late last month, but which failed to do anything spectacular that would have warranted the breathless coverage on 60 Minutes ("The Internet is Infected"), has finally woken up. This morning the worm started to update itself via a peer-to-peer network between infected machines after downloading its payload from a server in South Korea.

It is not clear how many machines were infected with this worm, but estimates range from 9 million to 15 million.

While earlier variations of the Conficker worm prevented infected machines from accessing the servers of most antivirus companies, this new variant also blocks access to sites that offer tools for removing the worm, like BitDefender's bdtools.net.

Oddly, the Conficker worm now also includes an instruction that tells the worm to remove itself on May 3 (the hackers clearly like deadlines), though after that, it will keep a port open on these machines that will allow the hackers to get back into these computers at any time.

The Big Picture: Spyware, Spambots, Pop-Ups

According to both Trend Micro and Symantec, Conficker, after downloading its update, also downloads a variant of the well-known Waledac malware. Waledac is one of the world's most active spambots.

Security researchers are still trying to understand the connection between Waledac and Conficker's new E variant (only a small number of antivirus products can currently detect this version of Waledac, by the way). Some, however, speculate that this connection could mean that Conficker was created by the same group of hackers that created Waledac and its predecessor, the infamous Storm botnet.

Business Model?

According to Kaspersky Labs' Alex Gostev, Waledac will download a rogue antivirus application onto infected machines, as well as an email worm that can steal data and send spam. The fake antivirus software will ask users to pay $49.95 for "Spyware Protect 2009," which, of course, is anything but an antispyware product.

Protect Yourself (and others)

Of course, if your Windows machine is up to date and you have kept your antivirus software current, then chances are very good that you are well protected against Conficker.

If you want to learn more about Conficker and how to protect yourself, have a look at this list of resources we put together last month. If you want to see if you are infected, head over to this site from the University of Bonn.

http://www.readwriteweb.com/archives/its_alive_conficker_wakes_up_and_now_it_has_a_business_model.php News Thu, 09 Apr 2009 09:38:39 -0800 Frederic Lardinois
First Came Geo-Awareness, Then Came Geo-Aware Malware An internet worm that uses social engineering to direct you to a malicious web page is nothing new - that's just everyday malware. But there is something different about the latest variant of the Waledac worm: it uses geolocation services to target its intended victims. Initially, the Waledac worm sends a spam email message claiming there has been a dirty bomb explosion in "your city." If the victim clicks through on the provided link, the worm then uses a geo-IP lookup service to customize the story appearing on the malicious site which is designed to look like that of news agency Reuters.

The rest of the attack is somewhat predictable. Users view the fake news story that now includes their own city's name in the headline and body of the article which begins, "powerful explosion burst in [your city name here] this morning." Then users are encouraged to view the video, but if they click on the video itself or the link below, they're prompted to download the latest version of Flash Player. Of course, that download isn't Flash, but the worm itself.

What's interesting about this new attack vector is the fact that the worm is customizing the relevancy of its message by using geo-awareness... and this isn't the first time the worm has done so. Although an IP lookup isn't going to yield pinpoint accuracy, it will usually get the city name correct and for now, that may be good enough. But if we know malware writers, then we know that it's only a matter of time before they attempt to exploit the new geo-aware services, too, in order to deliver even more precisely targeted messages.

Are Mobile-Based Geo-Aware Exploits Next?

For truly accurate geo-aware targeting, attacks would have to come across the mobile front where people carry pocket-sized GPS units integrated into their handhelds. Mobile computing is on the rise and where the people go, so go the hackers.

In a relatively short period of time, we've seen the rise of mobile social networks like Brightkite, Loopt and others; Google's new location-based tracking service Latitude made its debut; and more recently, Yahoo's Fire Eagle technology arrived on Facebook and in Firefox. With any one of these services, a user's exact location could be plotted. Armed with that info, what could a malware author do? Send you news stories about the restaurant where you're dining? Text you drink specials when you're at a bar? Who knows! But combine that level of accuracy with mobile-ready malware-laden web sites and we could have a real threat on our hands.

Mobile Malware is Still Quiet... for Now

However, this is all just speculation at this point. Today's mobile malware incidents are few and far between. Still, the treasure troves of personal information stored on our smartphones make them appealing targets to malware writers. No matter how tight the security of these modern devices is, eventually, hackers can find their way in.

According to Andrew Storms, director of information technology at nCircle Network Security, bigger phone-based threats are just around the corner. "No one should be surprised if we see the first major threat of the migration of botnets from traditional computing devices to mobile platforms," Storms says. "Some smartphones already have more memory and higher processing power than laptops from just a few years ago. A constantly moving and adapting mobile botnet presents a compelling business proposition for hackers and an interesting real-world case study in chaos theory."

Patrik Runald, Chief Security Advisor at F-Secure, agrees. "At some point, the criminals now developing PC malware will start focusing on mobile devices," Runald said. "It's not a question of if, but when and how. I'm keeping a close eye on the iPhone -- it may be the tipping point that sets the mobile malware field afire."

Frankly, we're surprised it isn't here already. Are modern smartphones really that much more secure or do they still not yet exist in large enough numbers to make them worth attacking?

Image credit: kmevans

http://www.readwriteweb.com/archives/first_came_geo-awareness_then_came_geo-aware_malware.php Trends Tue, 17 Mar 2009 06:27:22 -0800 Sarah Perez
A New Twist to the Adobe Vulnerability

If you think you can safely download PDF documents now and just wait until Adobe finally releases its patch next week before viewing them, think again. Didier Stevens, an IT security consultant, demonstrated last week that merely viewing a folder containing a malicious PDF document in Microsoft's Windows Explorer is enough to trigger the exploit.

It appears that this is due to Adobe's shell extension for Windows Explorer, which allows the malicious code to be invoked in three ways: hovering over a PDF document, single-clicking a PDF document, or viewing its thumbnail.


Adobe Acrobat Reader installs a shell extension: code that Windows Explorer itself executes, inside its own process, to retrieve metadata (in this instance from a PDF file). The Adobe shell extension supplies this extra data so that users can see details about a file at a glance in Windows Explorer, details such as Title, Author, Subject, Size and a thumbnail image, which typically appear in tooltips. The point is that the PDF gets parsed by Adobe's code without the user ever opening the document.


Stevens created a PDF that triggers the vulnerability not from the main document content but from the parts of the file the shell extension reads for its metadata. Using this technique, he was able to crash Windows Explorer by doing any of the following:

  1. Selecting a vulnerable PDF document within the folder.
  2. Viewing thumbnails of a folder containing a vulnerable PDF document.
  3. Hovering the mouse over a vulnerable PDF document.

"Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability. Just like it would when you would explicitly open the document," Stevens explained.

Stevens' proof of concept merely crashed Explorer. Someone with malicious intent, however, could use the same path to run code of their choosing on your system, with the privileges of the logged-in user, since the parsing happens inside explorer.exe.

Adobe acknowledged this vulnerability in all versions of Adobe Reader on February 19, 2009 and categorized it as a critical issue. An update is expected next week for Reader 9 and Acrobat 9.

Unfortunately, Adobe's advice to disable JavaScript is useless against this new twist, since Explorer's metadata extraction never runs any of the document's JavaScript in the first place. We therefore recommend you take John Paczkowski's advice from a few weeks ago: Adobe\Acrobat\Uninstall.exe
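If you would rather find out exactly which handlers Explorer will hand a PDF to before deciding, the following PowerShell script lists the shell-extension registrations for .pdf and the DLL behind each one. This is an added example, not code from the article or from Didier Stevens; it assumes a Windows box where the script can read HKCR and HKLM, and it uses the standard interface IDs that Explorer looks for under an extension's ShellEx key (infotip, XP-era thumbnail, Vista-era thumbnail) plus the PropertyHandlers key that Vista and later use for the Title/Author/Subject columns.

```powershell
# Added example, not code from the article or from Didier Stevens: list the
# shell-extension handlers Explorer loads in-process for .pdf files, and the
# DLL behind each. The IID subkey names are the standard ones Explorer looks
# for under <ext>\ShellEx; PropertyHandlers is where Vista and later register
# the handler that fills Title/Author/Subject in the details pane and columns.
$ext = '.pdf'
$shellExIids = @{
    'IQueryInfo (infotip on hover)'  = '{00021500-0000-0000-C000-000000000046}'
    'IExtractImage (thumbnail, XP)'  = '{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}'
    'IThumbnailProvider (thumbnail)' = '{E357FCCD-A995-4576-B01F-234630154E96}'
}

function Get-RegDefault([string]$key) {
    # Default value of a registry key, or nothing if the key does not exist.
    if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' }
}

function Resolve-Clsid([string]$clsid) {
    # InprocServer32 names the DLL that Explorer maps into explorer.exe.
    $dll = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    if ($dll) { $dll } else { '<CLSID not registered>' }
}

function Write-HandlerLine([string]$what, [string]$clsid) {
    '{0,-32} {1}  -> {2}' -f $what, $clsid, (Resolve-Clsid $clsid)
}

# Handlers can hang off the extension key itself or off its ProgID
# (the default value of HKCR\.pdf, e.g. AcroExch.Document); check both.
$roots  = @("Registry::HKEY_CLASSES_ROOT\$ext\ShellEx")
$progId = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$ext"
if ($progId) { $roots += "Registry::HKEY_CLASSES_ROOT\$progId\ShellEx" }

foreach ($root in $roots) {
    foreach ($entry in $shellExIids.GetEnumerator()) {
        $clsid = Get-RegDefault "$root\$($entry.Value)"
        if ($clsid) { Write-HandlerLine $entry.Key $clsid }
    }
}

# Property handler (details pane and the Title/Author/Subject columns).
$propKey   = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\$ext"
$propClsid = Get-RegDefault $propKey
if ($propClsid) { Write-HandlerLine 'IPropertyStore (details/columns)' $propClsid }
```

Every line this prints is a DLL that Explorer will run against a PDF on hover, selection or thumbnail rendering, whether or not you ever open the file. Removing those registrations (or uninstalling Reader, as suggested above) closes the Explorer path, but the parsing bug itself is still there until the patched Reader ships, and opening the document will still trigger it.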

Note: Stevens has produced a short video showing how these vulnerabilities can be triggered; we've embedded it below.

http://www.readwriteweb.com/archives/a_new_twist_to_the_adobe_vulnerability.php Adobe Sun, 08 Mar 2009 16:14:18 -0800 Lidija Davis
Google's "Open" Phone, Open to Attack?

In recent days, an application written for Google's mobile operating system, Android, was accused of wiping data from users' phones. It's not known whether the rumors are true, but once again questions are being raised about the safety and security of Google's open platform versus more controlled and regulated platforms like Apple's iPhone. For supporters of the iPhone, a story about a rogue Android application proves their point that Apple's oversight and review process is necessary for keeping consumers safe.


However, the real story behind the accusations may have nothing to do with the "open vs. closed" debate at all, and more to do with how an unpopular application (and its developer) were slammed and then taken down by the Android community.

Was MemoryUp a "Rogue" Application?

Whether MemoryUp actually destroyed personal data and spammed people's contacts, as it was said to have done, is unknown. It would have been difficult for it to accomplish those things, however. Android requires an app to declare at install time the permissions it needs, and MemoryUp requested no special permissions, so it's hard to see how it could have read contacts or e-mail addresses, let alone sent out spam. Also, for what it's worth, the company behind the app adamantly denies the claims. Says Robert Lee, chief technical associate for eMobiStudio, "We are very disturbed by these reports. Whatever damage is out there has not been done by our product."

...Or a Victim of Community Backlash?

The truth about this application may be that it just wasn't very good, not that it was dangerous malware. Many comments about the app in the Android store (prior to the app's removal) and in the forums weren't about losing data but about how the app wasn't worth installing because it provided no real value to the user.

What's even more apparent, though, in reading through the posts and comments about MemoryUp, is that many members of the Android community seemed to have a grudge against the app's creator, Peter Liu, whose drive-by advertising in forum postings got under people's skin. "How many times are you going to advertise this on here?" wrote one user. Later, others bragged and joked about running the "Memory folks out of town." "Peter needs to get a life," said yet another user.

It stands to reason that a handful of Android community members decided to disparage the application to get back at the app's developer...but something like that could never be proven, only suspected.

Yet, if that was the case, those people inadvertently ended up hurting Android in the process. By raising questions about the safety and security of the Android platform, they helped spread "FUD" (fear, uncertainty, and doubt) about this new mobile OS. Even worse, these rumors make the iPhone's closed, "by approval only" model look like the safer, smarter choice when it comes to phones. But as anyone involved in the open movement will tell you, that is not necessarily the case.

http://www.readwriteweb.com/archives/googles_open_phone_open_to_attack.php Google Tue, 27 Jan 2009 06:06:31 -0800 Sarah Perez