Appeals court raises standard for laptop searches at US border

Citizens' rights to be free from searches don't hold everywhere. At border crossings, as in airports, people can be searched by authorities as a matter of routine course. But what should the standard be for not just rummaging through a briefcase, but for when the government wants to dig deep into the files on our electronic gadgets—even looking at deleted files?

A "watershed" decision from a federal appeals court today ruled that the government must have "reasonable suspicion" to do such an intensive computer search. However, the judges also ruled that standard was met in the search in question, which involved child pornography being brought across the border from Mexico. The US Court of Appeals for the 9th Circuit, sitting "en banc," reversed a lower court's decision to suppress an intensive forensic analysis of a laptop belonging to a traveler, Howard Cotterman, which resulted in a discovery of child pornography. 

The search started out as a "cursory review at the border but transformed into a forensic examination of Cotterman's hard drive." The court acknowledged it was a "watershed case" with implications for what kind of privacy rights all Americans can expect with regards to password-protected files on their computers.


An Overview of Messaging Botnets

In the quarterly McAfee Threats Reports we offer our readers some charts on the prevalence of messaging botnets. For the last quarter of 2012, we announced the continuing decline in global messaging botnet infections as well as in former leaders Festi and Cutwail (see page 23).

In this blog, I will detail the evolution of the most representative botnet families that we have hunted since October 2010.

First we have the dead and the dying. The dead include Bobax, Donbot, Grum, Fivetoone and Rustock; those in poor health include Bagle:


  • Bobax (alias Kraken) was with Bagle one of the first spam botnets. Different spammers used several variants from May 2004 to mid-2012.
  • Donbot variants were frequently encountered from December 2008 to December 2011. They had their time of “glory” during the first quarter of 2009, with a short revival in the second quarter of 2011. They are frequently merged with Trojan.Buzus (AVP in December 2007), TROJ_BUZUS (Trend in February 2008), and Win32/Bachsoy.A (Vet in August 2008).
  • Grum (alias Win32/Tedroo) and its kernel-mode rootkit appeared in October 2007. Its control servers were taken down in July 2012.
  • Fivetoone (alias DMSSpammer) began in October 2007, but disappeared in March 2012.
  • Rustock (alias RKRustok, Costrat, Meredrop) appeared in 2006. It reached its peak between August and December 2010, but was stopped in February-March 2011 after law enforcement action.
  • Unlike the previous five, Bagle is not fully defunct. This malware family appeared in January 2004. The variant we still watch is nicknamed Bagle-CB.

Second we have the survivors, present from 2010 to date. They are Festi, Cutwail, Lethic, and Maazben:


  • Festi was first encountered in January 2009. It is now the most prevalent.
  • Cutwail (alias Pandex, Wigon, Pushdo) appeared in September 2007. After a long time as number 1, it is now number 2.
  • Lethic was discovered around September 2009. Shut down in January 2010, it reappeared not long afterward and is now in decline.
  • Maazben appeared in May 2008. It is still in our top 5 but has dropped over three quarters from rank 3 to rank 5.

Finally we have the newcomers: Darkmailer, Waledac, Slenfbot, and Kelihos:


  • Darkmailer is a spam tool first released in 2003. Each month for three years a small number of senders has been systematically detected by our sensors. In January 2013, we saw a dramatic increase in senders, suggesting a possible evolution in its spamming technique.
  • Waledac (alias Waled, SLM) has been in the wild since October 2008. It was shut down for the first time in February 2010 (operation b49) but reappeared soon thereafter. It reached its highest level in 2012, but was recently affected when Polish authorities seized domains used to control the Virut botnet.
  • Slenfbot is an IRC bot family known since 2008. Described in a Threat Advisory, a new variant has spread suddenly. It is distributed through links attached in different chat windows like ICQ, Skype, GTalk, Pidgin, AIM, MSN, and YIM, as well as Facebook.
  • Controlled through a peer-to-peer network, Kelihos (alias Hilux) was first detected in December 2010, and appeared finished in September 2011. It reappeared during the last months of 2012, reaching rank 6.

The situation among messaging botnets is changing. Besides Festi and Cutwail, the challengers struggle to survive. Yet when a botnet fails or disappears, another one takes its place.


Pwn2Own carnage continues as exploits take down Adobe Reader, Flash

Thursday was another grim day for Internet security as contestants at the Pwn2Own hacker competition exploited flaws in Adobe's Reader and Flash programs, allowing them to take full control of the computers they ran on. Oracle's Java was also, once again, felled.

The exploits, which fetched more than $160,000 in prizes, were impressive because they pierced a wall of defenses erected by some of the brightest minds in the field of software engineering. Those defenses included an anti-exploit "sandbox," which Adobe engineers added to Reader in 2010 and have been improving ever since. The mechanism isolates Web content in a restricted container that's sealed off from sensitive operating-system functions, such as writing files to disk or making system changes.

Until last month, no active attack had successfully bypassed the Reader sandbox protection. On Thursday, the defense suffered another significant blow when George Hotz, who hacked Sony's PlayStation 3 in 2010 at age 21, was also able to circumvent the Reader sandbox. The feat won him $70,000.


Microsoft Releases March 2013 Security Bulletin

Original release date: March 08, 2013 | Last revised: March 12, 2013

Microsoft has released updates to address vulnerabilities in Microsoft Windows, Office, Internet Explorer, Silverlight, and Server Software as part of the Microsoft Security Bulletin summary for March 2013. These vulnerabilities could allow remote code execution, elevation of privilege, or information disclosure.

US-CERT encourages users and administrators to review the bulletin and follow best practice security policies to determine which updates should be applied.
