Threat Update
New variant of Mebroot detected as vendors criticised for failing to react to threat
3 June 2009 | SC Magazine UK by Dan Raywood
Security vendors have been criticised for failing to react to the MBR rootkit and offer protection against it. Prevx malware technology specialist Marco Giuliani claimed in his blog that in the two months since a new variant of the MBR rootkit was detected and isolated there has been hardly any response. Giuliani said: “Unfortunately only a couple of security vendors and independent researchers implemented a working detector for it. This is not good, especially if we are talking about the same threat that has infected tens of thousands of PCs around the globe last year, stealing passwords, bank accounts and personal information. Actually, as written in one of my previous posts, the first version of the MBR rootkit could still have been used with great success by its creators.” (Comments by Prevx)
Software crack site hides malware repository
2 June 2009 | SC Magazine by Chuck Miller
A website found by a security research organization serves malicious files to people who are looking for cracks to software applications. “The website supposedly offers a wide collection of cracks for different applications,” said Joseph Pacamarra, threats analyst for TrendLabs, in a blog post. “However, attempting to download any of these files will always lead to the same page.” When a user clicks on a program in the list of supposedly pirated software, they get a download link that in the background transfers a .zip file containing two files, both of which are malicious trojans. The .zip file is actually hosted on another domain, where more trouble awaits.
ITWEB: Cybercrooks target YouTube
3 June 2009 | IT Web
Up to 4,900 videos on YouTube contain links that point to a Web page designed to download malware, says Panda Security. Cyber criminals have latched onto YouTube to distribute malware by adding comments and a link in an attempt to lure unsuspecting users onto a malware-infected Web site. “The comments are normally suggestive, claiming the link will take users to a legal Web page with pornographic content,” says Jeremy Matthews, head of Panda’s sub-Saharan operations. “However, when users click the link, they are taken to a page that spoofs the original and which is really designed to download malware. On this page, users will be prompted to download a file in order to be able to view the video. If they take the bait, users will really be downloading a copy of the Privacy Centre fake anti-virus.” (Comments by Panda)
3 June 2009 | Security Watch
Several weeks ago Mary Landesman at ScanSafe began blogging about Gumblar, a series of attacks against web sites, inducing them to serve interesting malware to clients. Gumblar is apparently unrelated to the other recent reports of tens of thousands of compromised web sites. The client malware is not your average malware: it sits in the browser process and looks for Google searches, substituting malicious results for the legitimate ones. It also looks for FTP credentials, which appears to be the way it compromises web sites. Nothing was wrong on Google’s end; the malicious activities all occurred on client PCs and third-party web servers. It was a nasty set of attacks, but it appears that the sites involved in it, including their nameservers, are being shut down. Landesman, who probably deserves some credit for this, reports that ScanSafe is seeing ever-diminishing traffic from these sources.
Scammers using search optimization on Twitter, Google
2 June 2009 | CNET by Elinor Mills
Online scammers are targeting people looking for popular topics on Twitter and Google to lure them to Web sites that display fake security warnings and try to sell them antivirus products, PandaLabs said on Wednesday. This technique isn’t new, but seems to be widening on Google and is particularly successful on Twitter where links are spread fast and furiously and people often don’t think before they click. In the Twitter scam, hundreds of fake accounts have been posting tweets that reference the band Phish, which has a cult-like following, according to a PandaLabs blog. There were so many of the tweets, which say “PhishTube Broadcast,” that the term showed up in the Trending Topics list. The tweets contain links that eventually lead to spoof porn pages that infect victims with the fake antivirus malware if they click anywhere on the page, PandaLabs said. (Comments by Panda)
Bank of America certificate scam propagating Waledac, Virut
2 June 2009 | SC Magazine US by Angela Moscaritolo
A new spam campaign disguised as a Bank of America email telling users they need to update their digital certificate is attempting to lure users into installing the Waledac worm. The messages, which first started being detected this past weekend, seemingly come from Bank of America, and tell users, “The digital certificate for your Bank of America direct online account has expired. You need to update the certificate using Bank of America direct digital certificate updating procedure” (see photo below). Recipients are then instructed to click on a link and follow the given instructions, Phil Hay, lead threat analyst at web and email security firm Marshal8e6 told SCMagazineUS.com in an email Monday. The spam originates from the Pushdo botnet, which has been active in similar malicious phishing attacks, Hay said.
Twitter Hit with Fake Security Software Scam
1 June 2009 | eWeek by Brian Prince
Twitter has been hit with a scam that tries to rope users into buying bogus security software. According to Kaspersky Lab, Twitter users who were tricked into clicking on a link in a tweet were taken to a site that attempted to download the scareware. Researchers at Kaspersky Lab have uncovered what may be the first attempt by attackers to use Twitter for scareware scams. The attack begins with a tweet with the message “Best Video” laced with a malicious link. Those tricked into clicking the link find themselves on a rogue site with a YouTube video. Once on the site however, users are hit with a malicious PDF file via a hidden IFRAME. The PDF file hosts several different exploits targeting known bugs. If the user’s computer is vulnerable to any, the malware installs bogus security software. (Kaspersky)
Plague of web bugs descend on British sites
1 June 2009 | The Register by Dan Goodin
It’s been a busy week for high-profile web vulnerabilities, with discoveries of careless bugs on the sites of three British companies. Online banking sites for HSBC and Barclays Group and the website for The Telegraph were caught with their pants down, as hackers published screenshots and other details that showed all three were susceptible to attacks that could compromise the security of people who visit the properties. The XSS, or cross-site scripting, errors on HSBC were still present on a variety of HSBC sites on Monday afternoon California time, some 48 hours after the XSSed blog first reported them. The bugs allowed attackers to inject JavaScript and content into HSBC websites simply by tricking a user into clicking on a specially manipulated web address.
Gumblar attacks worse than Conficker, experts warn
29 May 2009 | CNET News by Elinor Mills
The website compromise attack known as Gumblar has added new domain names that are downloading malware onto unsuspecting computers, stealing FTP credentials to compromise more sites, and tampering with web traffic, a security firm said on Thursday. The Gumblar attack started in March with websites being compromised and attack code hidden on them. Originally, the malware downloaded onto computers accessing those sites came from the gumblar.cn domain, a Chinese domain associated with Russian and Latvian IP addresses that were delivering code from servers in the UK, ScanSafe said last week. As website operators cleaned up their sites, the attackers replaced the original malicious code with dynamically generated and obfuscated JavaScript, making it difficult for security tools to identify. (Comments by ScanSafe)
PC-pwning infection hits 30,000 legit websites
30 May 2009 | The Register by Dan Goodin
A nasty infection that attempts to install a potent malware cocktail on the machines of end users has spread to about 30,000 websites run by businesses, government agencies and other organizations, researchers warned Friday. The infection sneaks malicious JavaScript onto the front page of websites, most likely by exploiting a common application that leads to a SQL injection, said Stephan Chenette, manager for security research at security firm Websense. The injected code is designed to look like a Google Analytics script, and it uses obfuscated JavaScript, so it is hard to spot. The malicious payload silently redirects visitors of infected sites to servers that analyze the end-user PC. Based on the results, it attempts to exploit one or more of about 10 different unpatched vulnerabilities on the visitor’s machine. If none exist, the webserver delivers a popup window that claims the PC is infected in an attempt to trick the person into installing rogue anti-virus software.
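The injected script described in this item, like the obfuscated JavaScript in the Gumblar item above, is built to pass as a Google Analytics loader. The following is an added example, not code from Websense, ScanSafe or any other vendor in this digest: a Python check that pulls every script tag out of a page and flags loaders that use Analytics-style names but are served from a non-Google host, and inline blocks that name Analytics identifiers while consisting mostly of escape sequences. The host allow-list, the marker strings, the escape-count threshold and the sample page are all assumptions constructed for the illustration.

```python
"""Flag <script> tags that imitate the Google Analytics loader.

Added example (not vendor code). The host allow-list, marker strings,
escape-count threshold and sample page are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the Analytics loader was legitimately served from (assumed allow-list).
GA_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}
# Strings an injected script uses to look like Analytics (assumed markers).
GA_MARKERS = ("ga.js", "urchin", "google-analytics", "_gat", "pageTracker", "_trackPageview")
# Strong obfuscation indicators. unescape() and document.write() are deliberately
# absent because the genuine 2009 loader used both.
STRONG_OBFUSCATION = ("eval(", "String.fromCharCode")
ESCAPE_THRESHOLD = 20  # assumed: the genuine loader carries about four %xx escapes

ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")


class ScriptCollector(HTMLParser):
    """Collect each <script> tag as {'src': ..., 'body': ...} in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies over as raw data; they may arrive in chunks.
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data


def count_escapes(code):
    """Number of %xx, \\xNN or \\uNNNN escape sequences in a script body."""
    return len(ESCAPE_RE.findall(code))


def analyze_scripts(html):
    """Return (reason, detail) findings for scripts that pose as Analytics."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        src, body = script["src"], script["body"]
        if src:
            # External loader: Analytics-style name served from a non-Google host.
            host = urlparse(src).netloc.lower()
            if any(m.lower() in src.lower() for m in GA_MARKERS) and host not in GA_HOSTS:
                findings.append(("ga-lookalike-src", src))
        elif any(m in body for m in GA_MARKERS):
            # Inline block: Analytics names plus heavy obfuscation.
            obfuscated = (any(m in body for m in STRONG_OBFUSCATION)
                          or count_escapes(body) >= ESCAPE_THRESHOLD)
            if obfuscated:
                findings.append(("ga-lookalike-inline", body.strip()[:60]))
    return findings


# Constructed sample page: the genuine 2009 loader, a genuine external reference,
# a look-alike served from a non-Google host, and an inline block that names an
# Analytics variable but is mostly escape sequences (decoding to harmless text).
SAMPLE_HTML = """<html><head><title>constructed sample</title>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="http://analytics.example.invalid/ga.js"></script>
<script type="text/javascript">
var _gat = unescape("%63%6f%6e%73%74%72%75%63%74%65%64%20%73%61%6d%70%6c%65%20%70%61%79%6c%6f%61%64");
</script>
</head><body>constructed page body</body></html>"""

if __name__ == "__main__":
    for reason, detail in analyze_scripts(SAMPLE_HTML):
        print(reason, detail)
```

The genuine 2009 Analytics loader itself used document.write(unescape(...)) with a handful of %xx escapes, so the presence of those calls alone is not a signal; the check keys on the volume of escapes (or on eval and String.fromCharCode), which is why the real snippet in the sample stays unflagged while the two look-alikes are reported. Any heuristic of this kind needs tuning against a site's own known-good templates before it feeds an alert.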
Katrina Kaif screensaver can bring virus in your computer: McAfee Report
31 May 2009 | Khabrein.Info
Be careful while uploading a free Katrina Kaif screensaver or any other hot star that you love and admire. A virus or Trojan may be waiting to attack your computer in the garb of the screensaver. A McAfee report says that viruses and Trojans attack computers mostly through free things that are available on the net. It may be free music, a free video or a free screensaver. McAfee is an antivirus software and computer security company headquartered in Santa Clara, California. It markets McAfee VirusScan and related security products and services, including the IntruShield, Entercept, and Foundstone brands. The company was founded in 1987 as McAfee Associates, named for its founder John McAfee.
FBI e-mail clobbered after virus
29 May 2009 | Computer World by Robert McMillan
A virus has reportedly disrupted Web-based e-mail services at the FBI. The FBI confirmed today that it had been forced to shut down its Internet-facing unclassified network, but disputed a report that the incident had left the agency unable to e-mail counterparts in other intelligence and law enforcement agencies. “The external, unclassified network was shut down by the FBI as a precautionary measure,” the FBI said in a statement. “Within 48 hours of identifying the issue and mitigating risks, e-mail traffic was largely restored to the external, unclassified network.” FBI agents can send e-mail on the agency’s more secure internal network or via BlackBerry, but many use this unclassified network to send messages via a Web-based e-mail system, said a source familiar with the situation.
Hacks and Website Attacks
Hacked version of Windows 7 in circulation 31 May 2009 | Earth Times
Hackers exploit unpatched Windows bug 29 May 2009 | Computer World by Gregg Keizer
40,000 sites hit by PC pwning hack attack 2 June 2009 | The Register by Dan Goodin
Beladen Loads Hacked Web Sites with Badness 2 June 2009 | Washington Post by Brian Krebs
Hacker disrupts economy of annoying Twitter-based game 3 June 2009 | The Register by John Leyden
Anti-U.S. Hackers Infiltrate Army Servers 28 May 2009 | Information Week by Paul McDougall
Phishing Scams
CommBank cops sustained online fraud attack
2 June 2009 | The Age by Asher Moses
Commonwealth Bank customers are being inundated with phishing attacks, some at a rate of several scam emails a day, sent by cyber criminals seeking to steal passwords and credit card details. The scammers, who are specifically targeting the bank in a sustained assault, are bombarding customers with several clever variations of the email ruse – such as using bogus call centres – in an attempt to hook even tech-savvy web users. The emails have largely managed to evade spam filters using methods such as images instead of text. Commonwealth Bank spokesman Steve Batten said the bank was working closely with the Australian Federal Police’s Australian High Tech Crime Centre to track down the scammers. However, the bank appears to be losing the war.
Fake Outlook config scam aims to harvest logins
3 June 2009 | The Register by John Leyden
Cybercrooks have come up with a new way to trick prospective marks into handing over login credentials or installing fake security (scareware) packages. The first of two similar batches of scam emails doing the rounds claim that users have a new message in Microsoft Outlook – which can supposedly only be seen after users reconfigure their settings. This might sound technically tricky but the dubious emails come complete with a handy link, which serves only to hand over email settings to internet hackers. Graham Cluley, senior technology consultant at Sophos, explained that earlier versions of the scam emails appeared to be geared towards harvesting email login credentials. (Sophos)
Related News: New Phish Attempt Asks you for Your Server (2 June 2009 | PC Magazine by Larry Seltzer)
Industry News
Obama’s Cybersecurity Initiative Wins Praise
30 May 2009 | IDG News Services by Grant Gross
U.S. President Barack Obama’s announcement Friday of a new cybersecurity push by the U.S. government won widespread praise from the technology industry, with many people saying his attention to the issue is a major step toward better securing the nation’s computer networks. Obama’s announcement and an accompanying cybersecurity report largely contained ideas long called for by various cybersecurity experts, but the largest benefit of Friday’s announcement was that Obama lent his name to the fight against cybercrime, said Larry Clinton, president of the Internet Security Alliance, a trade group focused on cybersecurity. “A lot of the things that were discussed this morning have been said before, but it is a very big deal when the president says them,” Clinton said.
Related News:
Cybersecurity is broader than critical infrastructure (30 May 2009 | David Lacey’s IT Security Blog)
PROMISES, PROMISES: Battle cyber turf wars (29 May 2009 | AP by Lolita C Baldor)
Fed Video on Cybersecurity States the Obvious (31 May 2009 | Channel Insider by Lawrence Walsh)
Obama creates top job for guarding online security (29 May 2009 | CNN)
Obama: Hackers accessed campaign files in 2008 (28 May 2009 | CNET News by Stephanie Condon)
Contractors Vie for Plum Work, Hacking for the United States (30 May 2009 | New York Times by Christopher Drew and John Markoff)
Pentagon Plans New Arm to Wage Cyberspace Wars (28 May 2009 | NY Times by David E Sanger & Thom Shanker)
Is the Hacking Threat to National Security Overblown? (3 June 2009 | Wired.com by Ryan Singel)
WH cybersecurity plan needs private sector guidance (2 June 2009 | SearchSecurity by Eric Ogren)
What Obama’s Cybersecurity Plans Mean for Businesses (2 June 2009 | Dark Reading by Kelly Higgins)
US cyber-security made ‘shovel ready’ (1 June 2009 | Techworld by John E Dunn)
UK chases Obama on cybersecurity (1 June 2009 | The Register by Chris Williams)
Google rates Gumblar distribution URL as top malware site
4 June 2009 | SC Magazine US by Angela Moscaritolo
The URL hosting the Gumblar attack, which has compromised thousands of legitimate websites with code that silently redirects users to a single Chinese domain, heads its list of Top 10 malware sites, according to Google. Google sorted its rankings based on the number of compromised sites that reference some 4,000 different domains used by cybercriminals to ultimately distribute malware, according to a post on the Google Online Security Blog Wednesday. Of those 4,000 domains, Gumblar.cn came out on top, with approximately 60,000 infected sites referencing it as of Tuesday, Niels Provos, an engineer on Google’s security team, told SCMagazineUS.com in an email Thursday. That URL was followed by Martuz.cn, which has been referenced by about 35,000 sites. Google said that of the 4,000 domains, about 1,400 were hosted in the .cn top-level domain.
Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities
4 June 2009 | SearchSecurity by Robert Westervelt
Microsoft plans to release 10 security bulletins as part of its Patch Tuesday update cycle next week, including critical updates affecting Internet Explorer, Word, Excel and Office. On Thursday in a June advance notification on Microsoft’s TechNet site, the software giant said six of the 10 security bulletins are rated critical. The Patch Tuesday release will not include a Microsoft security fix addressing a DirectShow vulnerability being actively targeted in the wild. Microsoft said it would release a fix either next month or in an out of band release. “Our security teams are working hard on a security update that addresses this issue to protect customers, but we do not yet have an update that has reached the appropriate level of quality for broad distribution,” Christopher Budd, Microsoft security response communications lead said in a statement.
Stolen FTP credentials likely in massive website attacks
3 June 2009 | SearchSecurity by Robert Westervelt
Stolen FTP credentials are suspected as the root cause of a massive attack compromising over 40,000 websites. Attackers have targeted legitimate websites in the latest wave, and so far researchers at security vendor Websense Inc. say it isn’t likely that SQL injection, cross-site scripting or other website vulnerabilities are to blame. Instead, the attackers are easily injecting malicious JavaScript code into sites by logging in with stolen usernames and passwords. “Across the board, none of the sites that we’ve seen compromised are running some common piece of vulnerable software,” said Stephan Chenette, manager of security research at Websense. It’s the second time in less than a month that attackers used stolen FTP credentials to successfully pull off a large scale attack. (Symantec. Comments by Websense)
Twitter Trends exploited to promote scareware *
4 June 2009 | The Register by John Leyden
Hackers are manipulating a hot topics feature of Twitter to promote malware-infected websites. The gaming of the Twitter Trends feature recalls the manipulation of Google search results using black-hat search engine optimisation techniques. In the case of the Twitter attack, cyber-criminals created hundreds of accounts and posted multiple messages under the topic “PhishTube Broadcast”, a reference to the US rock band Phish, but containing links to a spoof pornographic Web page. The topic appeared in the Trending Topic list, achieving greater visibility and therefore more user traffic to comments made under that category. Users intrigued enough to visit the supposed websites promoted through the Twitter social-engineering ruse risk exposure to the PrivacyCenter fake antivirus (scareware) package.
Related News: Hackers tweet, infect Twitter users with scareware (1 June 2009 | Computer World by Gregg Keizer)
Brits’ Facebook & Twitter use dwarfed by US
3 June 2009 | PC Advisor by Carrie Ann Skinner
Brits spend less time social networking than their US counterparts, says OfficeMetrics. According to the research company, on average, Brits spent 44 minutes a week on sites such as Facebook, MySpace and Twitter in April 2009, compared to Americans who spent over two hours and 20 minutes on the sites. That’s three times more than UK-based social networkers. “Only a small percentage of users are spending excessive time social networking in the office,” said Jon Mulligan, managing director of OfficeMetrics. “Blocking these sites in the workplace is certainly not the answer as this can result in a further lowering of morale and can impede collaboration and creativity and can reduce productivity.”
Malware allows criminals to control cash machines
4 June 2009 | IT PRO by Asavin Wattanajantra
Malware found installed on cash machines can allow an attacker to take full control, according to a security vendor. Trustwave SpiderLabs analysed malware found on compromised ATMs running Windows XP in Eastern Europe. The malware allowed an attacker to take over the ATM through a customised user interface, accessible by inserting controller cards into its card reader. This allowed an attacker to capture the magnetic stripe data and PIN codes necessary for fraud from the private memory space of transaction-processing applications. Although the researchers didn’t find networking functionality that could send the data to remote locations using the web, the malware did allow card data to be recorded using the receipt printer or a storage device.
Insurance giant coughs at malware-related data breach
3 June 2009 | The Register by John Leyden
The US arm of insurance giant Aviva has blamed a computer virus infection for the potential disclosure of sensitive personal information. Aviva (Norwich Union, before a recent rebranding) admitted the breach in a letter to the Attorney General of New Hampshire, one of several states that maintain strict information security breach disclosure laws. Data potentially leaked included names, addresses and social security numbers. Approximately 550 records were involved. Aviva said it had removed the affected hardware from service. Workers whose login details were potentially disclosed by the breach have been issued with new credentials.
Cambridge hospital cleans up after mystery malware infection
3 June 2009 | The Register by John Leyden
An unnamed computer virus infection forced a UK hospital to temporarily shut down part of its network earlier this week. An unspecified number of computers at Addenbrooke’s Hospital, Cambridge were hit by the malware. A spokesman explained that the hospital continued to operate normally while IT staff grappled with the infection. He stressed that patients were not affected by the incident, which was resolved in a matter of hours. Malware infections at hospitals in the UK are by no means unprecedented. Back in November, for example, computers at the three hospitals that are part of Barts and the London NHS Trust were taken offline following infection by the MyTob worm.
Examining Conficker: When a worm becomes a botnet
2 June 2009 | Search Security by Brian Sears
I recently read an article where two experts expressed different ideas of what Conficker represented. One expert argued that Conficker was clearly not a botnet, as it lacked some of the basic abilities typically found in botnets, while the other expert said Conficker indeed was a botnet. In the end they both agreed Conficker represented a significant threat. So what is Conficker? Well, in the case of our two experts, they were both right and wrong. In my opinion, Conficker appears as a package or a mesh of several different threats, each one with its own purpose. For example, the attacker has to find a way to deliver Conficker to its target. Delivery is performed via phishing emails, email attachments, spam and enticing websites. This represents the first component in the complete package. The second component is the delivery device; for Conficker it is in the form of a worm (W32.Downadup).
US company invents ‘Turing test’ to beat bots
3 June 2009 | IDG News Services by Jeremy Kirk
A US security company has come up with a technology it says can block automated programs responsible for perpetuating nuisances such as spam, fake email registrations and click fraud. The software, HumanPresent, essentially ferrets out, for example, whether a human is filling out a web-based form and stops those actions that appear to come from automated programs, said Sanjay Sehgal, CEO of Pramana. Next month, Pramana expects to fully launch both a SaaS (software-as-a-service) offering and an appliance that monitor web applications for intrusions by bots, Sehgal said. Pramana’s software can be applied to web-based forms, whether they be email registrations, e-commerce transactions or detecting click fraud related to banner advertising.
Email service provider: ‘Hack into our CEO’s email, win $10k’
2 June 2009 | Zero Day by Dancho Danchev
A newly launched startup called StrongWebMail is aiming to add a new layer of secure authentication for its customers – phone verification prior to logging in and alert services for potential email compromises. The company is in fact so confident in its approach that it’s currently offering a $10,000 reward to the person who breaks into the CEO’s email. To make things even easier, they have in fact provided his user name and password (CEO at StrongWebmail.com; Mustang85). The catch? Aspiring participants would have to figure out a way to intercept the three-digit PIN sent over SMS/phone call required for logging in: “StrongWebmail.com is offering $10,000 to the first person that breaks into our CEO’s email account”
Australia in top 10 for phishing attacks *
2 June 2009 | Dynamic Business by Jessica Stanic
RSA’s Online Fraud Report for March/April 09 has revealed Australia is in the top 10 for hosted phishing attacks by country. The report found the total number of phishing attacks globally increased by 18 percent in February, representing an increase of 1,500 attacks. The number of hosted phishing attacks in Australia jumped up, placing us in the top 10 for country hosted attacks. The United States topped the list, hosting 43 percent of the world’s phishing attacks, while the United Kingdom ranked 2nd, hosting 17 percent of the world’s total attacks. Online fraud has evolved quite dramatically over the past couple of years, with hackers employing more sophisticated techniques to steal people’s information and infiltrate systems.
Once Crude, Phishing Attacks Grow More Sophisticated and Dangerous
3 June 2009 | CU Times by Marc Rapport
Untold numbers of computer users, perhaps in the millions, are sitting there right now sending out spam and participating in phishing attacks. And they don’t even know it. That’s because phishers and other fraudsters are once again taking a technology that can do so much good and twisting it for criminal use. In this case, it’s the computer-sharing technology that space scientists used to recruit thousands of people willing to donate their computers’ idle processing time to enormous calculations needed to understand the universe. They’re called botnets, and they’re planted by Trojans and other malware in personal computers around the world, turning them into spam-spewing zombies and helping to host attacks aimed at gathering account numbers and other information that can be used to drain banking accounts.
The 10 faces of computer malware
2 June 2009 | ZDNet Asia by Michael Kassner
The complexity of today’s IT environment makes it easy for computer malware to exist, even flourish. Being informed about what’s out there is a good first step to avoid problems. With all the different terms, definitions, and terminology, trying to figure out what’s what when it comes to computer malware can be difficult. To start things off, let’s define some key terms that will be used throughout the article: Malware: malicious software that’s specifically developed to infiltrate or cause damage to computer systems without the owners knowing or their permission. Malcode: malicious programming code that’s introduced during the development stage of a software application and is commonly referred to as the malware’s payload.
Security group calls for ‘report abuse’ button on web sites
1 June 2009 | VNUNet by David Neal
Web sites aimed at consumers should feature a ‘report abuse’ button as standard to alert firms to security problems on their own sites, according to the Information Security Awareness Forum (ISAF). The ISAF said that, while some web sites do feature a button which lets users offer feedback when they encounter a security issue, many do not. At the very least, sites should have a mechanism to report security issues, and links to external sites that provide targeted security advice. The ISAF today said that such an option should be included on all sites visited by consumers, including social networking, gaming and e-commerce sites. “The simplest routine might be to use a button or click entry which leads to a semi-standard ‘Security Advice’ page”
1 June 2009 | PC Advisor by Carrie Ann Skinner
Around 7m Brits are using a file-sharing network once a week to illegally download music files, says the Strategic Advisory Board for Intellectual Property (SABIP). The board estimated that these downloads are costing the economy £12bn (US$19.4 billion) a year but said many of the downloaders were unsure that their actions were actually illegal. “This report gives us some baseline evidence from which we can develop a clear research strategy to support policy development in this fast moving area,” said Dame Lynne Brindley, a member of the SABIP. The SABIP’s report also recommended that consumers should be educated rather than prosecuted.
Spam Finds New Paths Into Corporate Nets *
1 June 2009 | Computer World by Robert McMillan
Unsolicited e-mail accounted for 90.4% of all messages received on corporate networks during April, an increase of 5.1% from a month earlier, according to a report released May 26 by Symantec Corp.’s MessageLabs Intelligence unit. The monthly MessageLabs report on threat trends also found that nearly 58% of all spam can be traced to botnets. Adam O’Donnell, a researcher at Cloudmark Inc., a provider of antispam tools, noted that in addition to using botnets, spammers in recent months have been experimenting with a new way to sneak unwanted email past corporate filters. Often, he said, a spammer will rent legitimate network services, often in an Eastern European country, and then blast a large amount of spam at the network of a specific ISP.
A guide to practicing safe clicks
30 May 2009 | Edmonton Journal
More money is spent by the average consumer annually on computer antivirus software than on the PC’s operating system. If you are not one of them, you should be. Viruses, bots and sophisticated phishing scams online – plus unknowingly opening your PC to serious threats by even clicking on someone’s social network site – make running an unprotected computer a high-risk affair. Deciding which security software to buy is a challenge. Many computer buyers end up staying with the security software their PC comes with after the free trial ends. That doesn’t have to be so. Simply uninstalling that software takes it off your PC, allowing you to choose what you want. A recent visit to local computer stores showed up to a dozen different security programs ranging from $29 to $79. All bragged about how good they were compared to the competition. (Symantec, McAfee, BitDefender, Kaspersky, Trend Micro and Panda Security)
The top 10 most dangerous internet search terms
29 May 2009 | Telegraph by Claudine Beaumont
Users surfing the web for song lyrics, free music tracks and screen savers are most at risk of accidentally downloading malicious software, a study has found. Many of the websites purporting to contain this content also harbour viruses, Trojans and other malware, the computer security experts at McAfee found. As a result, many web users are unwittingly exposing themselves to dangerous content that could compromise their machine and even lead to hackers and cybercriminals gaining access to their personal information or banking login details. Among the most dangerous search terms were “free music downloads”, which carried a 20.7 per cent risk of exposing web users to malicious software, “game cheats”, which carried a 16.7 per cent risk, “word unscrambler”, which carried a 16.1 per cent risk, and “lyrics”, which carried a 14.8 per cent risk. (McAfee)
Microsoft to patch DirectX hole
29 May 2009 | CNET News by Elinor Mills
Microsoft on Thursday said it is working on a security patch for a vulnerability in its DirectX streaming media technology in Windows. The flaw could allow someone to take complete control of a computer using a maliciously crafted QuickTime file. The remote-code execution vulnerability exists in the way Microsoft DirectShow, the audio and video sourcing and rendering software, handles supported QuickTime format files, the company said. “Microsoft is aware of limited, active attacks that use this exploit code,” Microsoft’s security advisory said. “If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
U.S. cyber-spy report leaves czar role open
30 May 2009 | iTnews Australian by Susan Bartz
The White House report on cyber-spying to be released on Friday is business-friendly and privacy-conscious but leaves the tech community waiting anxiously for a hint of how powerful a new “cyberczar” may be, a cybersecurity expert who has read the draft said. The draft calls for a series of actions to be taken soon to secure Internet traffic, a critical part of the U.S. economy, said James Lewis, who is with the Center for Strategic and International Studies think tank. But a second source and Lewis said the draft does not say whether the lead agency in securing the Internet should be the National Security Agency (NSA), which does cyber-spying, or the Department of Homeland Security.
Related News: ‘Czar’ to thwart cyber spies, hackers (30 May 2009 | Reuters by Stephen Collinson)
29 May 2009 | SC Magazine US by Chuck Miller
VMware has released fixes for multiple vulnerabilities in several of its products, including VMware Workstation, Player, ACE, Server, Fusion, ESX and ESXi. One of the vulnerabilities was caused by an error in the VMware Descheduled Time Accounting driver, which could open a way for hackers to launch a denial-of-service attack in Windows-based virtual machines. Another vulnerability identified by VMware could have enabled an attacker to execute arbitrary code. — CAM
Gotcha!
4 June 2009 | Federal Trade Commission
A rogue Internet Service Provider that recruits, knowingly hosts, and actively participates in the distribution of spam, child pornography, and other harmful electronic content has been shut down by a district court judge at the request of the Federal Trade Commission. The ISP’s upstream providers and data centers have disconnected its servers from the Internet. According to the FTC, the defendant, Pricewert LLC, which does business under a variety of names including 3FN and APS Telecom, actively recruits and colludes with criminals seeking to distribute illegal, malicious, and harmful electronic content including child pornography, spyware, viruses, trojan horses, phishing, botnet command and control servers, and pornography featuring violence, bestiality, and incest. The FTC alleges that the defendant advertised its services in the darkest corners of the Internet, including a forum established to facilitate communication between criminals.
Feds quiz former worker over Texas power plant hack
1 June 2009 | The Register by John Leyden
A former employee at a Texas power utility was arrested late last week over accusations he crippled its energy forecast system after launching a hacking attack. FBI agents made the arrest on Thursday after raiding the home of Dong Chul Shin, a former worker at Energy Future Holdings. EFH owns three Texas electricity generating outfits that run facilities including the Comanche Peak nuclear power plant. Dong was dismissed back in March over allegations he failed to pull his weight at work. Hours after the no-notice sacking, Dong’s VPN access account (which was left active) was allegedly used to log into the corporate intranet before modifying and deleting files. Proprietary company information was also transferred to a personal webmail account linked to Dong, investigators further allege.
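The failure mode in this story is an off-boarding gap: a VPN account that stayed enabled after a termination and was then used hours later. The following is an added example, not part of the article, showing the two checks a defender would want in place: correlating an HR termination feed against VPN authentication logs to surface post-termination logins, and listing accounts that are still enabled after their termination time. The log format, the HR feed, the usernames and the IP addresses are all constructed for illustration; a real VPN concentrator logs in its own format.

```python
"""Flag VPN logins by accounts that should have been disabled at termination.

Added example, not from the article. The log line format, the HR off-boarding
feed and every username/IP below are constructed for illustration.
"""
import re
from datetime import datetime, timezone

# Constructed HR off-boarding feed: user -> termination time (ISO 8601, UTC).
TERMINATIONS = {
    "jdoe": "2009-03-03T10:00:00Z",
    "asmith": "2009-03-10T09:30:00Z",
}

# Constructed VPN authentication log (hypothetical format, one event per line).
VPN_LOG = """\
2009-03-03T09:15:00Z vpn1 AUTH user=jdoe src=203.0.113.7 result=success
2009-03-03T15:42:10Z vpn1 AUTH user=jdoe src=198.51.100.23 result=success
2009-03-03T15:42:40Z vpn1 AUTH user=jdoe src=198.51.100.23 result=success
2009-03-04T08:01:00Z vpn1 AUTH user=bwayne src=203.0.113.9 result=success
2009-03-11T02:10:00Z vpn1 AUTH user=asmith src=192.0.2.55 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ AUTH user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_ts(value):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for one AUTH event, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": parse_ts(m["ts"]),
        "user": m["user"],
        "src": m["src"],
        "result": m["result"],
    }


def post_termination_logins(log_text, terminations, include_failures=False):
    """Return (user, timestamp, src) for each login attempt that happened after
    the user's termination time.  By default only successes are reported; with
    include_failures=True, failed attempts (someone still trying) are listed too.
    """
    cutoffs = {u: parse_ts(t) for u, t in terminations.items()}
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        cutoff = cutoffs.get(ev["user"])
        if cutoff is None or ev["ts"] <= cutoff:
            continue
        if ev["result"] == "success" or include_failures:
            hits.append((ev["user"], ev["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), ev["src"]))
    return hits


def stale_accounts(active_accounts, terminations, now_iso):
    """Return terminated users whose account is still enabled at `now_iso`.

    `active_accounts` stands in for whatever the VPN/directory reports as enabled.
    """
    now = parse_ts(now_iso)
    return sorted(
        u for u in active_accounts
        if u in terminations and parse_ts(terminations[u]) <= now
    )


if __name__ == "__main__":
    for hit in post_termination_logins(VPN_LOG, TERMINATIONS, include_failures=True):
        print("post-termination attempt:", hit)
    print("still enabled:", stale_accounts({"jdoe", "bwayne", "asmith"}, TERMINATIONS,
                                            "2009-03-05T00:00:00Z"))
```

In practice the `stale_accounts` check is the one that prevents the incident: it should run against the directory and the VPN concentrator on every termination event, not just during a periodic audit, and the login correlation is the detective control for the window in between.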
Identity theft ring busted in New York
28 May 2009 | SC Magazine US by Chuck Miller
Using financial information purchased from crooked bank insiders, a ring of thieves compromised the checking accounts of nearly 350 New York-based corporations, religious institutions, hospitals and schools, as well as city and state government agencies, to steal millions of dollars, prosecutors said this week. In an indictment unsealed Wednesday, the District Attorney’s office charged 18 people, including alleged ringleaders Jasper Grayson, 25, and James Malloy, 26. All were said to have been involved in operating an identity theft and bank fraud scheme that cashed more than a thousand counterfeit payroll checks, which were created to look exactly like those for the accounts of the victims, Manhattan District Attorney Robert Morgenthau said.
PC Tools Blogs
Software for youtubeview Moves to a New House at 65.110.50.141
3 June 2009 | ThreatFire Research Blog
We posted a couple of weeks ago on the continued success of a group in distributing FakeAv/Rogueware/Scareware. Please note that their downloaders have been moved to a new home at 65.110.50.141. There are multiple domains currently resolving to that IP, managed by “Sago Networks”. One we know of currently serving softwarefortubeview.40019.exe executables is wile-exe.com. The move appears to have happened on June 1st. Avoid executables from that domain for now. The downloads appear to be committing some sort of click fraud, although they have been known to pop fake alerts to move FakeAv software.
Undetected Autorun/Injector Variant on the Loose
2 June 2009 | ThreatFire Research Blog
A new variant of an Autorun worm is on the loose, probably created by another childish and angry ex-lover. The little multithreaded beast injects into Windows Explorer, and attempts to communicate with one of several IRC servers at June.IRCdevils.net, June.helldark.biz, and June.a7aneek.net with a “VirUS/Virus” user/pass and a “VirUS-randstring” nick. We noticed it this morning on multiple machines, and it seems to be spreading. The worm injects itself into the Windows Explorer shell, and from there attempts to update multiple locations in the registry and removable drives like USB sticks with SETUP\DATA\June.exe.
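The post hands out usable network indicators: three C2 hostnames, a fixed IRC user/pass pair and a nick prefix. As an added example (not code from the ThreatFire post), here is a small detector that parses captured client-side IRC registration commands (PASS, NICK, USER) per destination host and flags a session when it either talks to one of the listed hosts or shows the credential pattern on its own, so a new C2 host using the same bot build is still caught. The capture format and the sample lines are constructed; only the hostnames, the user/pass values and the nick prefix come from the post.

```python
"""Flag IRC bot registrations matching the indicators in the ThreatFire post.

Added example, not from the post. The capture format ("dst=<host> C: <irc line>")
and the sample sessions are constructed; the indicator values are from the post.
"""
import re

# Indicators taken from the post (hostnames compared case-insensitively).
C2_HOSTS = {"june.ircdevils.net", "june.helldark.biz", "june.a7aneek.net"}
BOT_USER = "VirUS"
BOT_PASS = "Virus"
NICK_RE = re.compile(r"^VirUS-[A-Za-z0-9]+$")   # "VirUS-<randstring>"

# Constructed capture: one client-to-server IRC message per line.
CAPTURE = """\
dst=irc.example.org C: NICK alice
dst=irc.example.org C: USER alice 0 * :Alice
dst=June.IRCdevils.net C: PASS Virus
dst=June.IRCdevils.net C: NICK VirUS-k3x9q
dst=June.IRCdevils.net C: USER VirUS 0 * :VirUS
dst=June.a7aneek.net C: NICK VirUS-a1b2
dst=June.a7aneek.net C: USER VirUS 0 * :VirUS
dst=irc.unknown-host.example C: NICK VirUS-zz99
dst=irc.unknown-host.example C: USER VirUS 0 * :VirUS
"""

LINE_RE = re.compile(r"^dst=(?P<host>\S+) C: (?P<cmd>[A-Za-z]+)(?: (?P<params>.*))?$")


def parse_capture(text):
    """Group registration commands by destination host.

    Returns {host: {"PASS": ..., "NICK": ..., "USER": ...}} with only the first
    parameter of each command kept (the IRC username is the first USER param).
    """
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = m["host"].lower()
        cmd = m["cmd"].upper()
        params = (m["params"] or "").split()
        if cmd in ("PASS", "NICK", "USER") and params:
            sessions.setdefault(host, {})[cmd] = params[0]
    return sessions


def find_suspicious_sessions(text):
    """Return {host: [indicators]} for sessions that match the bot's profile.

    A session is flagged if it contacts a known C2 host, or if the nick pattern
    and the bot username appear together (catches the same bot on a new host).
    """
    hits = {}
    for host, sess in parse_capture(text).items():
        indicators = []
        if host in C2_HOSTS:
            indicators.append("c2_host")
        if NICK_RE.match(sess.get("NICK", "")):
            indicators.append("nick_pattern")
        if sess.get("USER") == BOT_USER:
            indicators.append("user")
        if sess.get("PASS") == BOT_PASS:
            indicators.append("pass")
        credential_match = "nick_pattern" in indicators and "user" in indicators
        if "c2_host" in indicators or credential_match:
            hits[host] = indicators
    return hits


if __name__ == "__main__":
    for host, why in find_suspicious_sessions(CAPTURE).items():
        print(f"{host}: {', '.join(why)}")
```

Blocking the three hostnames is the quick win, but the credential pattern is the more durable signature here: the post's own "June.*" naming suggests the hosts rotate, while the hard-coded user/pass and nick prefix travel with the binary.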
29 May 2009 | ThreatFire Research Blog
If you’re looking for the 60-page cybersecurity policy review that President Barack Obama discussed this morning, you can find it here. Considering that Aleph One’s article “Smashing the Stack for Fun and Profit” was released in 1996, ILOVEYOU in 2000, Code Red in 2001, the Slammer worm in 2003, the Witty worm event in 2004, the thousands of system intrusions and compromises since (reported and unreported), and the list goes on, the review seems around fifteen years late on delivery. But better late than never. It addresses badly needed subjects and planning in thoughtful and creative ways. Some of the document is predictably clumsy.