Archive for May, 2009

May 26 2009

Latest Google Chrome 2.0 Beta: No security solution for Saved Passwords

Published under Security Research

Google released Google Chrome 2.0.172.30 on May 22, 2009. However, as far as we can see, this latest Beta version still lacks a fundamental feature to protect users from the risk posed by its saved-password option.

Password saving is a default setting in Chrome. Users are offered to save their passwords so that they do not have to retype them on subsequent visits to a website.


However, Chrome provides no protection for the saved passwords. This means that anyone using the authorized user’s computer is able to view every password saved on it.

Unfortunately, being unaware of this risk, users may let other people use their computers to check mail or browse the web. Consequently, a bad guy is capable of harvesting all the passwords saved in Chrome within seconds.


Recommendations:

For Google Chrome Team

A master password, as already implemented in Firefox 3, is a simple security solution in this case. Bkis recommends that Google apply this mechanism to protect their users from this password disclosure vulnerability.

Master password on Firefox

For Google Chrome users

Do not save your password on Google Chrome if you often share your computer with other people.


Additional information

Right after Google Chrome’s launch in September 2009, Bkis discovered a buffer overflow vulnerability in its SaveAs function, the first critical Chrome vulnerability permitting a hacker to perform a remote code execution attack and take complete control of the affected system: http://blog.bkis.com/?p=119

By Nguyen Minh Duc / Manager – Application Security Department, Bkis


May 19 2009

Why do my friends send me spam via IM?

Published under Security Research

I have just received a message from a friend on Yahoo! Messenger saying:


This is an “introduction” for a weight loss service while, ironically, my friend is so skinny. What he needs is to gain, not to lose weight.

Naturally, we immediately think of viruses spreading via Instant Messaging programs, which have been common since the middle of 2006. If a user’s computer is infected with this type of virus, the virus silently sends out messages to the user’s friends while they are chatting. The messages provide links to malicious files or websites.

However, this kind of spamming was completely different. I phoned my friend directly to confirm that he was not at his computer, and was not even signed in to his Yahoo! Messenger account. He had no idea about the weight loss service either. Obviously, the spam was not sent by an automatic program on my friend’s computer.

So who actually was sending spam from my friend’s account?

The most likely explanation was that spammers had successfully obtained my friend’s password. The hackers did not change the password, blackmail or threaten the victims as in other cases. They silently used the victims’ accounts for spamming by using automatic programs to sign in to Yahoo! Messenger.

In fact, Bkis has observed this phenomenon since March 2009. Yahoo! Messenger users received messages from their friends with a fixed structure: an advertisement for a weight loss service following a Buzz!!!

Right now, this type of spamming is not widespread. However, in time to come it may grow and involve other IM programs as well.

Following is the detailed information about the phenomenon:

1. Signs:

- Spam spreads via IM systems such as Yahoo!, MSN, etc.

- Account owners have no idea that their IDs are being abused.

- Spam can be sent even when the victims are not signed in to their accounts.

2. Cause:

- Passwords hacked or otherwise revealed.

- Once spammers have the username and password, they sign in to Yahoo! Messenger with an automated tool and send spam from the account.

3. Purpose:

- Money.

4. Prevention:

The most likely explanation is that your password has been stolen. The hackers, however, do not change your password; they just use it for spamming. Thus, the first thing to do is to change your password.

The second thing to consider is how your password was disclosed. Use antivirus software to scan your computer and make sure that no keylogger is running on your system.

Nguyen Minh Duc / Manager – Application Security Department, Bkis


May 11 2009

Another new worm exploits MS08-067

Published under Security Research

By Tran Minh Quang, Malware Researcher, Bkis

Fiala, originating from China, first appeared in 2008. Over time, Fiala has ceaselessly changed and improved itself, resulting in a series of new variants. Fiala has long been capable of propagating via USB drives or LANs, using ARP poisoning to insert an Iframe or Script containing dozens of exploit codes for vulnerabilities in different software into HTTP responses. Through this infection method, Fiala can spread quickly within a LAN, and sometimes causes system breakdown.

By overwriting system files such as wuauclt.exe, spoolsv.exe, userinit.exe and linkinfo.dll (depending on the variant), Fiala protects itself well against detection or removal by antivirus software. If the antivirus software deletes the virus without restoring the original files, users may face certain troubles: for example, it becomes impossible to log into the system or to use the printer, or Windows cannot be updated.

Recently, Bkis’ honeypots report that new Fiala variants can spread via the notorious vulnerability MS08-067. Fiala’s author might have learned from Conficker. However, unlike Conficker, Fiala makes use of the publicly available exploit tool from ph4nt0m.org. This makes the worm even more dangerous.

Fiala Modules

You can download our free tool BkavHome to remove Fiala here

1. Details about the latest Fiala variants:

  • Name: W32.FialaQK.Worm
  • Family: W32.Fiala.Worm
  • Type: Worm
  • Origin: China
  • Discovered: May 09, 2009
  • Size: 32KB
  • Severity: High

2. Technical Details:

  • Creates mutex:
    • AS21a669aSSE
  • Deletes the services with the following names:
    • avp, RavCCenter, RsScanSrv, RavTask, RsRavMon, ekrn.
  • Ends processes:
    • 360Safe.exe, 360tray.exe, 360rpt.EXE, Runiep.exe, Rsaupd.exe, RAv.exe, RSTray.exe, CCenter.EXE, RAVMON.EXE, Ravservice.EXE, ScanFrm.exe, rsnetsrv.EXE, RAVTRAY.EXE, RAVMOND.EXE, GuardField.exe, Ravxp.exe, GFUpd.exe, kmailmon.exe, kavstart.exe, KAVPFW.EXE, kwatch.exe, kav32.exe, kissvc.exe, UpdaterUI.exe, rfwsrv.exe, rfwProxy.exe , Rfwstub.exe, RavStub.exe, rfwmain.exe, rfwmain.exe, TBMon.exe, nod32kui.exe, nod32krn.exe, KASARP.exe, FrameworkService.exe, scan32.exe, VPC32.exe, VPTRAY.exe, AntiArp.exe, KRegEx.exe, KvXP.kxp, kvsrvxp.kxp, kvsrvxp.exe, KVWSC.ExE, Iparmor.exe, Avp.EXE, VsTskMgr.exe, EsuSafeguard.ex
  • Stops the services:
    • McShield, KWhatchsvc, KPfwSvc, Kingsoft Internet Security Common Servi, Symantec AntiVirus, norton AntiVirus server, DefWatch, Symantec AntiVirus Drivers Services, Symantec AntiVirus Definition Watcher, Norton AntiVirus Server,McAfee Framework +
  • Writes key Debugger to force the system to run the virus instead of the following files:
    • 360rpt.EXE, 360safe.EXE, 360tray.EXE, 360safebox.EXE, safeboxTray.EXE, AVP.EXE, AVP.COM, AvMonitor.EXE, Ravservice.EXE, RAVTRAY.EXE, CCenter.EXE, IceSword.EXE, Iparmor.EXE, KVMonxp.KXP, KVSrvXP.EXE, KVWSC.EXE, Navapsvc.EXE, Nod32kui.EXE, nod32krn.EXE, KRegEx.EXE, Frameworkservice.EXE, Mmsk.EXE, Ast.EXE, WOPTILITIES.EXE, Regedit.EXE, AutoRunKiller.EXE, VPC32.EXE, VPTRAY.EXE, ANTIARP.EXE, KASARP.EXE, RAV.EXE, kwatch.EXE, kmailmon.EXE, kavstart.EXE, KAVPFW.EXE, Runiep.EXE, GuardField.EXE, GFUpd.EXE, Rfwstub.EXE, rfwmain.EXE, RavStub.EXE, rsnetsvr.EXE, ScanFrm.EXE, RsMain.EXE, Rsaupd.EXE, rfwProxy.EXE, rfwsrv.EXE, SREngLdr.EXE, ArSwp.EXE, RSTray.EXE, QQDoctor.EXE, TrojanDetector.EXE, RSTray.EXE, Trojanwall.EXE, TrojDie.KXP, PFW.EXE, HijackThis.EXE, AutoRun.EXE, KPfwSvc.EXE, kissvc.EXE, kav32.EXE
  • Closes windows of which the titles contain:
    • NOD32, Process, Mcafee, Firewall, virus, anti, worm, SREng,…
  • Copies and saves original file named “%SysDir%\linkinfo.dll” under the name “%SysDir%\dllcache\linkinfo.dll”
  • Overwrites original file named:
    • “%SysDir%\linkinfo.dll” so that the virus is automatically loaded on Windows startup
  • Copies itself under the name:
    • “GRIL.pif” together with the file “autorun.inf” onto the disk drives to run the virus when users double click on those drives
  • Writes key:
    • “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\advanced\folder\hidden\showall” to ensure that hidden files cannot be displayed
  • Deletes keys so that the computer cannot start in Safe Mode:
    • “HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network”
    • “HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal”

  • Deletes registry keys to prevent the following antivirus programs from starting on Windows startup:
    • 360Safetray, 360Safebox, KavStart, vptray, ccApp, RavTray, egui, essact.
  • Downloads other malware to the computer:
    • http://c.wu[removed]com/dd/33.exe – Module download
      • Sets the homepage in IE to be: http://moneymon[removed]88.com
      • Creates popup windows of:
        • http://msm.mo[removed]infom.com
        • http://joker.mo[removed]infom.com
      • Downloads file:
        • “http://c.wu[removed]com/dd/d.gif” under the name “%WinDir%\Tasks\SA.PIF” – a rar file having password
      • Creates file:
        • %WinDir%\Tasks\explorer.exe – MS08-067 exploit module
        • %WinDir%\Fonts\svchost.exe to decompress and run the recently downloaded file SA.PIF
      • Executes:
        • “%WinDir%\Tasks\explorer.exe” “<IP having the same IP range of the infected machine>” “http://c.wu[removed]com/t.css” to spread itself to all computers within a LAN
      • Writes key:
        • “HKLM\Software\Microsoft\Windows\CurrentVersion\policies\explorer\Run\360safe” to launch itself when Windows starts
    • http://c.wu[removed]com/dd/4.exe
      • Installs Malware Baiduc
    • http://c.wu[removed]com/dd/6.exe
      • Installs Malware PushWare
    • http://c.wu[removed]com/dd/99.exe
      • Installs WinPCap
      • Creates file:
        • “%SysDir%\360box.exe” to “disguise” itself as a gateway
    • http://c.wu[removed]com/dd/10.exe
      • Installs Adware IETimber
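As an added example (not Bkis’ BkavHome tool or any code from the original post), the PowerShell script below reads a Windows host for the registry and file artifacts the write-up attributes to W32.FialaQK.Worm and reports what it finds, without cleaning anything. It assumes the Debugger entries live under the standard Image File Execution Options key, that the SHOWALL setting is the CheckedValue of that key, and that the 360safe persistence entry is a value under Policies\Explorer\Run; run it from an elevated prompt.

```powershell
# Added detection example (not Bkis code): report Fiala artifacts listed in the write-up.
$Findings = New-Object System.Collections.Generic.List[string]

# 1. IFEO "Debugger" hijack: the worm sets a Debugger value under the security tools'
#    image names so Windows launches the worm instead of the tool (assumed IFEO location).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$hijackTargets = @('360safe.EXE','AVP.EXE','Regedit.EXE','IceSword.EXE','HijackThis.EXE','KVWSC.EXE')
foreach ($name in $hijackTargets) {
    $key = Join-Path $ifeo $name
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $Findings.Add("IFEO Debugger set for ${name}: $dbg") }
    }
}

# 2. SafeBoot keys: the worm deletes both so the machine cannot boot into Safe Mode.
foreach ($sb in 'Minimal','Network') {
    if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sb")) {
        $Findings.Add("SafeBoot\$sb key is missing")
    }
}

# 3. SHOWALL: a CheckedValue other than 1 stops Explorer from showing hidden files (assumed value name).
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue).CheckedValue
if ($null -ne $cv -and $cv -ne 1) { $Findings.Add("Hidden\SHOWALL CheckedValue is $cv (expected 1)") }

# 4. Persistence written by the downloaded module (assumed to be a value named 360safe).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$run360 = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'360safe'
if ($run360) { $Findings.Add("Policies\Explorer\Run\360safe = $run360") }

# 5. Dropped files, plus autorun.inf and GRIL.pif in the root of every file-system drive.
$paths = @("$env:WINDIR\Tasks\explorer.exe", "$env:WINDIR\Tasks\SA.PIF",
           "$env:WINDIR\Fonts\svchost.exe", "$env:SystemRoot\System32\360box.exe")
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $paths += (Join-Path $d.Root 'autorun.inf'), (Join-Path $d.Root 'GRIL.pif')
}
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $Findings.Add("Suspicious file present: $p") }
}

if ($Findings.Count -eq 0) { 'No Fiala artifacts found.' } else { $Findings }
```

A hit on any check is a reason to image the machine and restore the overwritten system files from the dllcache copy or installation media before deleting the worm, as the write-up warns.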


May 11 2009

SMS Scams

Published under Security Research

By Nguyen Minh Duc / Manager – Application Security Department, Bkis

Users have recently reported to Bkis that they received an SMS saying “You won $123,000 USD, contact (wu[removed]33@gmail.com) and send your email address by sms text message to (+856[removed]489) to get more information on how to claim the money.” According to our analysis, the number sending this SMS has Laos’ area code.


The SMS is in fact a kind of scam. Scams are often spread via emails that exploit the victims’ credulity or greed; most of these emails are fake prize-winning notices.

Lately, using SMS scams like the one above, fraudsters have begun to target mobile phone users. These scams are currently not as widespread as email ones, but users are much more likely to be tricked, because a mobile phone makes people feel much closer to the person they are communicating with than a computer does.

If the victims reply to the SMS or call the fraudsters, they are enticed into paying a fee in order to receive the big prize. Of course, the victims never get the promised sum of money. Additionally, the fraudsters may harvest the victims’ private details by requiring them to send back some personal information by SMS.
