Mobile Malware On The Move, McAfee Report Says

Dark Reading, Kelly Jackson Higgins - The number of new malware samples hit 75 million worldwide last year even as PC malware counts declined, with mobile malware rapidly emerging, according to new data from McAfee. Adam Wosotowsky, senior anti-spam research analyst at McAfee and an author of McAfee’s new Fourth Quarter 2011 Threat Report, says there was a significant uptick in mobile malware — mostly for Android platforms — between the third and fourth quarters of last year. “We saw the rate of increase in mobile malware really take off compared with [the period] before,” Wosotowsky says.

Mobile malware hit more than 400 unique samples in Q4, up from over 100 in the third quarter and fewer than 50 samples in the first quarter of last year. McAfee also found that PC malware counts declined during Q4 and were lower than in Q4 of 2010. Even so, the total number of unique malware samples is more than 75 million as of Q4, the report says.

“I expected mobile malware to increase, but I didn’t expect to see mobile malware shoot up like it did,” Wosotowsky says. “I was really expecting to see that when they start porting SpyEye and Zeus to” mobile platforms at some point, he says.

Wosotowsky says McAfee also saw a shift in how the bad guys are deploying malware. “They are moving to a persistent model, where they are trying to get into corporations and steal intellectual property, more money, and to maintain the infection for a long period of time,” he says. “At the same time, it’s important to note that’s because so malware and Trojans under SpyEye now have that capability … and botmasters can give control of an infected machine to another botmaster” who wants access to a particular organization, he says.

Rootkits dipped slightly in Q4, while Autorun and password-stealing Trojans decreased slightly.

There was an average of 9,300 malicious websites per day in Q4, up from 6,500 in Q3, according to McAfee. On average, one in every 400 URLs was malicious, and the total number of active malicious websites is more than 700,000. The U.S. hosts the most new malicious URLs, followed by the Netherlands, Canada, South Korea, and Germany. North America is home to more than 73 percent of servers hosting malicious content.

McAfee says attacks on Windows remote procedure calls were the number one threat in Q4, followed by SQL injection and cross-site scripting attacks.

It’s Microsoft vs. Google in a Web-Tracking Battle

WSJ.com, Jennifer Valentino-DeVries - After a Wall Street Journal story last week about Google bypassing the privacy settings on Apple’s Safari Web browser, Microsoft has written a blog post accusing Google of doing similar things on Internet Explorer.

But what is happening on IE is a bit different, and it involves a problem that Microsoft and privacy researchers have known about for some time.

Here’s what’s going on: By default, IE is designed to block little files called “cookies” if they come from tracking companies. But the way it does this is fairly complicated.

IE uses something called P3P – the Platform for Privacy Preferences Project – a computer protocol that allows websites to share their privacy policies with the Web browser, rather than forcing the user to read each policy. P3P is a good idea, but it’s one that has never really caught on, and other Web browsers don’t support it.

IE supports P3P by default; if a Web company tells IE that it tracks users, or if it doesn’t have a P3P policy at all, IE stops it from placing “third party” cookies, the kind usually used by advertisers and tracking companies.

But there’s a big loophole in this setting: If a Web company doesn’t follow the right format in its P3P policy, it’s allowed to set cookies anyway. The P3P policy for Google.com simply says “This is not a P3P policy!” and then provides a link to a further explanation.
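As an added example (not code from the article, Microsoft or Google), this Python checker models the outcomes the article describes so a site operator can audit its own P3P headers before relying on them. The token vocabulary is the P3P 1.0 compact-policy set; the "tracking" heuristic and the IE decision logic are simplified assumptions, and the header values in the comments and tests are constructed from the article's description.

```python
import re

# Base tokens of the P3P 1.0 compact-policy vocabulary. Purpose and recipient
# tokens may carry an a/i/o suffix (always / opt-in / opt-out).
_SUFFIXED = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS",
             "TEL", "OTP", "OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
_PLAIN = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON", "DSP", "COR", "MON", "LAW",
          "NID", "NOR", "STP", "LEG", "BUS", "IND", "PHY", "ONL", "UNI", "PUR",
          "FIN", "COM", "NAV", "INT", "DEM", "CNT", "STA", "POL", "HEA", "PRE",
          "LOC", "GOV", "OTC", "TST"}
_KNOWN = _PLAIN | _SUFFIXED
# Assumption (a simplification, not IE's real rule set): declaring any of these
# purposes/recipients without an opt-in suffix counts as "tells the browser it
# tracks users".
_TRACKING = {"TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP",
             "SAM", "UNR", "PUB", "OTR"}
_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')


def _split(tok):
    """Return (base, suffix) for one compact-policy token."""
    if tok[:-1] in _SUFFIXED and tok[-1] in "aio":
        return tok[:-1], tok[-1]
    return tok, ""


def parse_compact_policy(header):
    """Tokens of the CP="..." directive, or None when the value is not a
    syntactically valid compact policy (missing CP, empty, or unknown word).
    A constructed header such as CP="This is not a P3P policy!" returns None."""
    m = _CP_RE.search(header or "")
    if not m:
        return None
    tokens = m.group(1).split()
    if not tokens or any(_split(t)[0] not in _KNOWN for t in tokens):
        return None
    return tokens


def classify(header):
    """'absent', 'malformed', 'tracking' or 'ok' for a third-party P3P header."""
    if header is None:
        return "absent"
    tokens = parse_compact_policy(header)
    if tokens is None:
        return "malformed"
    if any(b in _TRACKING and s != "i" for b, s in map(_split, tokens)):
        return "tracking"
    return "ok"


def ie_default_blocks_cookie(header):
    """Model of the default IE outcome as the article describes it: the cookie
    is blocked when the policy is absent or declares tracking; it is allowed
    when the policy is well formed and non-tracking, and also when it is
    malformed (the loophole)."""
    return classify(header) in ("absent", "tracking")
```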

Privacy researchers have been complaining for years about this IE loophole and the companies that use it. Lorrie Cranor, a professor at Carnegie Mellon University, wrote a blog post on Saturday pointing out yet again that “lots of companies do this,” including Google and Facebook. She also has been calling on Microsoft to make changes to close the loophole.

Back in 2010, Ms. Cranor’s research team found that thousands of sites, including a few of Microsoft’s own, had problems in their P3P policies that allowed them to set cookies in IE. Many of the problems were due to typos and other mistakes; others were found to be deliberate misrepresentations.

Generally, nobody has put a stop to this, but Microsoft said in its Monday post that it is now “actively investigating” whether to prevent the setting of cookies in these circumstances.

The link provided by Google explains that the company doesn’t follow the P3P syntax for Google.com because doing so interferes with things like +1 social networking buttons and with Google gadgets on iGoogle.

Google’s advertising technology – doubleclick.net and googleadservices.com – follows the P3P protocol, according to the Journal’s tests. This makes the IE situation different from the one on Safari, where Google put its doubleclick.net advertising trackers on people’s computers in spite of Safari’s privacy settings.

Google did not immediately respond to a request for comment.

Facebook’s page about P3P says the following: “the P3P standard is now out of date and does not reflect technologies that are currently in use on the web.”

And it’s worth pointing out that Microsoft has been eager to attack Google over privacy missteps, even taking out ads about Google’s new privacy policy.

Still, Ms. Cranor says such behavior “looks like a circumvention.”

So what should you take away from all this brouhaha about cookies and P3P and IE and Safari? Simple: Keeping track of your privacy preferences online is complicated to the point of being nearly impossible.

Every time a tool attempts to block something – like tracking cookies – companies come up with workarounds. And sometimes these privacy tools end up creating problems for honest Web developers, further complicating the situation.

Microsoft, for its part, is using the recent controversies to point users to its Tracking Protection Lists, a new feature in IE9 that lets users create lists to block trackers. Microsoft even introduced a new one on Monday that aims to block Google tracking. These lists block more than just cookies and aim to prevent any requests at all from tracking companies.

But the privacy arms race seems likely to rage on.

Android Malware Grew 3,000 Percent in 2011: Report

eWeek.com, Fahmida Y. Rashid - Malware that specifically targeted mobile operating systems increased in 2011 as smartphones became more popular with enterprise users as well as consumers. Cyber-criminals also developed an affection for the Google Android OS, which saw the biggest jump in malware during the past 12 months, according to a new report from Juniper Networks.

Malware targeting the Android mobile operating system grew by a whopping 3,325 percent in the last seven months of 2011, according to the 2011 Mobile Threat Report, which Juniper released Feb. 15. Android malware accounted for about 46.7 percent of unique malware samples that targeted mobile platforms, followed by 41 percent for Java Mobile Edition.

Overall, mobile malware more than doubled in 2011, growing by 155 percent across all platforms, which included Apple’s iOS, Research In Motion’s BlackBerry and Symbian. New malware samples targeting Java Mobile Edition increased by a little less than 50 percent in 2011. Java ME is popularly used on Symbian and Windows Mobile devices.

Juniper saw a “significant increase in the amount of mobile malware, its sophistication, as well as new nimble social-engineering-based attacks,” said Daniel Hoffman, chief mobile security evangelist at Juniper Networks.

The Mobile Threat Center at Juniper Networks examined more than 793,631 applications and 28,472 unique malware samples to compile the report. Despite the eye-popping growth numbers, the total number for mobile malware remains minuscule, compared with malware targeting traditional computers.

The explosion in Android malware is a direct result of the platform’s diverse and open marketplace, where developers are free to post their apps, as well as of its growing market share, according to Juniper. Google’s market share in the mobile space, at 46.9 percent, is statistically the same as the proportion of Android malware detected by Juniper.

“Hackers are incented to target Android, because there are simply more Android devices as compared to the competition,” said Hoffman.

Google’s “Bouncer” service has been scanning apps in the Android Market and removing offenders since the second half of the year to make it harder for scammers to upload malicious apps. Bouncer will “certainly help” reduce infection rates from known threats downloaded from the official market, said Hoffman.

Apple is slightly more secure due to its screening policies and closed marketplace, but iOS users have their own set of mobile security challenges, according to the report. Jailbreaking remains common and users with iOS devices are vulnerable to malicious jailbreaking services that infect the device during the rooting process.

Mobile devices are just as vulnerable as computers to browser-based attacks triggered when a user navigates to a malicious Website. There are fewer choices available for iOS users when it comes to security products to protect them from these kinds of threats.

“This lack of software protection and a competitive security market leave users with little protection if malware were ever to make it through Apple’s application-vetting process,” the report found.

In fact, there are several examples of developers slipping apps past Apple’s screeners last year. The most prominent example was when Apple researcher Charlie Miller got a seemingly innocuous app approved for the App Store, and then was able to use the app to remotely execute code on devices.

Malicious apps and scams targeting mobile users have become more sophisticated and many rely on social engineering tactics to trick users into downloading and installing, Juniper found.

“Industrious hackers” moved from proof-of-concept samples to developing profitable malware, according to the report.

Mobile malware can be classified into two different groups, Short Message Service (SMS) Trojans and spyware. Spyware was the most common form, accounting for about 63 percent of malware. Spyware on mobile devices generally goes after GPS data, text messages, contacts and browser activity and transmits it to a third-party.

SMS Trojans, accounting for 46 percent of malware, trick users into agreeing to send premium SMS messages to attackers. As they generally run in the background, users are usually unaware these messages are being sent until they see the charges on their bills.

Scammers often piggyback SMS Trojans onto “fake installers,” which are apps that trick users into paying for them even though they may be legitimately available for free.

These fake installers create a “low barrier to entry” for cyber-criminals interested in mobile scams but lacking the technical skills, according to the report. Application stores are the prime delivery mechanism for infected apps, and it’s far easier to turn around these types of apps rather than those targeting actual vulnerabilities.

Most Small Healthcare Practices Hacked in the Past 12 Months

Dark Reading, Kelly Jackson Higgins - If you were wondering how safe your medical records are at your doctor’s office, then this might make you sick: Ninety-one percent of small healthcare practices in North America say they have suffered a data breach in the past 12 months.

The survey, conducted by the Ponemon Institute and commissioned by MegaPath, queried more than 700 IT and administrative personnel in healthcare organizations of no more than 250 employees.

Among the findings: Only 31 percent say their management considers data security and privacy a top priority, and 29 percent say their breaches resulted in medical identity theft. “Cybercriminals are hunting for medical records,” said Larry Ponemon, chairman and founder of Ponemon Institute. “The most serious issue is just the complacency small healthcare providers seem to exhibit with respect to securing patient records.”

Around 70 percent say their organizations don’t have — or they don’t know if they have — enough budget to meet risk management, compliance, and governance requirements. In more than one-third of the practices, there’s no one responsible for overall patient data protection. And budgets are tight: About half say that less than 10 percent of their IT budget goes to data security tools.

Ponemon said a majority say their healthcare organizations are taking the right steps to comply with HIPAA, however.

Mobile devices are rampant in small healthcare organizations: Nearly 75 percent say staff are permitted to access business or clinical applications via their laptops, netbooks, smartphones, and tablets. More than half say they use these devices at work; 48 percent have proper-use policies for these devices, and 45 percent don’t do anything to secure the devices.

“Their [continued] orientation to paper files, ad hoc use of mobile technologies … just creates an environment that’s a perfect storm for data loss and theft,” Ponemon said.

Android Botnet Nets Millions

SC Magazine, Dan Kaplan - Researchers from Symantec and North Carolina State University may have stumbled upon one of the largest and most lucrative mobile botnets yet.

First discovered by N.C. State researcher Saxon Jiang and then confirmed by Symantec, the botnet consists of hundreds of thousands of infected nodes, said Cathal Mullaney, a Symantec security response engineer, in a blog post.

The malware used to grow the bot is being served on close to 30 rogue applications, available for download in third-party Chinese markets, not the official Android Market, Mullaney said. Once a phone is botted with the trojan, dubbed “Android.Bmaster,” it is used to send out premium-rate text messages, make premium phone calls or connect to pay-per-view videos.

Symantec researchers were able to get their hands on the command-and-control server that was administering the botnet and determined that the number of compromised phones reaches into the hundreds of thousands. In addition, they estimate the botmasters generate up to $10,000 per day and up to $3.5 million annually.

“The botmaster has a fine-grained level of control over the infected devices,” Mullaney wrote. “Depending on which premium service [it] is attempting to contact, a number of configuration options are available to the botmaster.”

He noted that the botnet is capable of additional malicious activity.

“Since this is a remote administration tool, the malware is capable of receiving commands from the remote server,” Mullaney wrote.

‘Factory Outlets’ Selling Stolen Facebook, Twitter Credentials At Discount Rates

Dark Reading, Kelly Jackson Higgins - Stealing credentials via Trojans like Zeus and SpyEye has become so simple and prevalent that cybercriminals are finding themselves with a surplus: Two cybercrime gangs are now advertising bulk-rate Facebook, Twitter, and cPanel credentials in order to clean out their inventory.

Researchers at Trusteer say these credential factory outlets are a way for the bad guys to cash in on other credentials they pilfered while stealing online banking credentials. It’s like making money off the chaff that comes along with the ultra-valuable online banking credentials lifted by Trojans and keyloggers: “They harvest a lot of things” unrelated to the stolen online banking credentials, says Yishay Yovel, vice president of marketing for Trusteer, whose company discovered the sales. “This is how they monetize the [leftover] assets they harvest.”

The ads were running in underground forums infiltrated by the researchers from Trusteer.

In one of the advertisements in the underground, the thieves are offering bulk and country-specific credentials, as well as other personal information they nabbed, such as emails. They claim to have some 80 gigabytes worth of stolen victim information.

Another ad, apparently from a botnet operator, sells cPanel credentials and URLs that would allow a buyer to take control of the victims’ websites. cPanel is a control-panel application used for managing hosted websites.

“That was very interesting, with cPanel control software for websites,” Yovel says. Getting access to user credentials for that application would provide attackers with another more targeted way to infect websites.

Trusteer believes attackers could then lure users to those sites via phishing emails and social networking messages.

This bold, open-market style sale reflects the maturity of the stolen credentials market, says Chris Wysopal, CTO at Veracode. “I think this is an interesting development. The more or less open-market credential sale shows the market is maturing much like the market for stolen credit cards did in the mid-2000s. This makes it easier for the password thieves to monetize their work,” Wysopal says. “It will likely lead to wider damage from having your password stolen by a Trojan.”

Wysopal wonders whether some of the stolen credentials overload is related to recent major breaches like that of Zappos and Stratfor, where millions of usernames and passwords were copied. “There are many examples posted for free to Pastebin from these types of attacks. There must be some for sale, too,” he says.

Meanwhile, Trusteer says the Facebook and Twitter credentials can be used for social engineering, phishing, and intelligence-gathering. “Facebook tells us so much about a person. There’s a link between this data-gathering … and a potential data breach. You can’t dismiss Facebook as a consumer issue and not a [security] problem,” he says. It’s all interrelated today, he says.