2072 replies to this topic

[AplusWebMaster]

FYI...

DEP & ASLR ignored...
- http://krebsonsecuri...ty-protections/
July 1st, 2010 - "... Attackers usually craft software exploits so that they write data or programs to very specific, static sections in the operating system’s memory. To counter this, Microsoft introduced with Windows Vista (and Windows 7) a feature called address space layout randomization or ASLR, which constantly moves these memory points to different positions. Another defensive feature called data execution prevention (DEP) — first introduced with Windows XP SP2 back in 2004 — attempts to make it so that even if an attacker succeeds in guessing the location of the memory point they’re seeking, the code placed there will not execute or run... Secunia found that at least 50 percent of the applications examined — including Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, VideoLAN VLC Player, and AOL‘s Winamp — still do not invoke either DEP or ASLR. Secunia said DEP adoption has been slow and uneven between operating system versions, and that ASLR support is improperly implemented by nearly all vendors..."

- http://www.theregist...urity_defences/
2 July 2010

- http://secunia.com/g..._2010_paper.pdf
June 29, 2010

Edited by AplusWebMaster, 02 July 2010 - 05:59 AM.

[AplusWebMaster]

FYI...

Malware SPAM... Paypal fraud
- http://techblog.avir...ity-warning/en/
July 3, 2010 - "There is a new wave of emails pretending to come from Paypal having a ZIP archive attached. The email claims that your Paypal account has been accessed by a third party and, in order to protect your account, the Paypal account has been locked. The user is invited to review the report attached to the email, a ZIP archive, containing a single executable file a naming scheme like account-<number>-report.exe. There is no link inside the email, so everything is “easy to use”: the recipient of the mail needs just to extract the file and execute it... DON'T DO THAT as the ZIP archive contains a malware detected by all Avira products as dropper DR/Delphi.Gen."

- http://isc.sans.edu/...ml?storyid=9118
Last Updated: 2010-07-03 22:35:44 UTC - "... 'Delivery Status Notification Failure'... Trojan.bredo... now using NDR and Failure reports to attempt to further their malicious activity."

Edited by AplusWebMaster, 03 July 2010 - 08:15 PM.

[AplusWebMaster]

FYI...

SPAM with malware increases - botnet recruiting...
- http://www.informati...cleID=225702834
July 9, 2010 - "... According to Symantec*, spammers appear to be "trying to make up for the loss of several zombie networks, due to legal actions." In other words, they're pumping out spam with malware in an attempt to build their botnets back up to full strength, adding as many compromised - aka zombie - PCs as they can... attackers have also been creating more phishing websites that spoof Google's social networking site Orkut, especially in Brazilian Portuguese, since Orkut's biggest traction is in Brazil, said Symantec... This attention to detail may result from the need to trick the maximum number of people during the short window that a phishing site remains active - just 54 hours, according to Symantec - before it gets shut down."
* http://www.symantec....scape-july-2010

[AplusWebMaster]

FYI...

DynDNS - malware sites
- http://sunbeltblog.b...ware-sites.html
July 12, 2010 - "Over the past month or so we've seen quite a lot of malware coming from sub-domains of DynDNS .com, which is a dynamic DNS provider... The sub-domains are changing every (few) hours, though the folder and file name generally do not. The sub-domains, which appear to be semi-randomly named, usually resolve to this IP:
80.91.176.172
The files coming down are typically detected as Trojan.Win32.Alureon, Trojan-Downloader.Win32.FraudLoad, and Trojan.Win32.FakeAlert — although detection among major antivirus providers is spotty and varies wildly by file...
Bottom line: any company that makes available services allowing anonymous users to post or distribute content/files for free will become a preferred means for distributing malware. These services have a responsibility to police the use of their free services."

(More detail available at the Sunbelt URL above.)

[AplusWebMaster]

FYI...

More malicious ZBot SPAM...
- http://www.sophos.co...trikes-inboxes/
July 13, 2010 - "... Malicious hackers have spammed out the latest incarnation of a campaign designed to compromise your computer - this time disguising their emails as though they were payment requests from eBay. The emails have a blank message body, but have a file called form.html attached... Of course it's a sneaky piece of social engineering on the behalf of the hackers. Many people would be tempted to open the attachment to find out what on earth the email is about... And opening the attachment (which Sophos detects as Troj/JSRedir-BV) redirects your web browser to a recently compromised webpage on a legitimate site infected with Mal/Iframe-Q... Firstly, your browser is redirected to a spam-related website (for instance, a Canadian pharmacy store). This may make you believe that the attack is merely designed to advertise medications on behalf of the spammers... Furthermore, however, a malicious iFrame also downloads further malware from other third-party websites. This malware can obviously be changed at anytime, but we have seen versions of the ZBot family of malware be distributed in the attack... the emails don't have to pretend to be from eBay to be malicious. Recently we've seen other criminal email campaigns with dangerous html attachments involving Adult Friend Finder, romantic interest & Skype purchases, Facebook porn & Skype payment problems, and Facebook password resets amongst others."

[AplusWebMaster]

FYI...

Cyber fraud and banks ...
- http://krebsonsecuri...urance-part-ii/
July 14, 2010 - "... When consumers lose money due to cyber fraud, retail banks are required by law to refund the money — provided the victim doesn’t wait too long in reporting the unauthorized charges. Commercial banks, however, are under no such obligation, although they usually will work with the victim customer to try to reverse as many of the fraudulent transfers as possible... the attackers also evaded procedural security measures the company put in place to ensure that two employees signed off on every transaction..."

Further reading: The Case for Cybersecurity Insurance, Part I
- http://krebsonsecuri...surance-part-i/

[AplusWebMaster]

FYI...

Exploits, malware, and scareware courtesy of AS6851, BKCNET, Sagade Ltd.
- http://ddanchev.blog...e-courtesy.html
July 14, 2010 - "Never trust an AS whose abuse-mailbox is using a Gmail account (piotrek89@gmail.com), and in particular one that you've come across to during several malware campaigns over the past couple of months. It's AS6851, BKCNET "SIA" IZZI* I'm referring to, also known as Sagade Ltd... It's the Koobface gang connection in the face of urodinam .net, which is also hosted within AS6851, currently responding to 91.188.59.10... Currently active exploits/malware/scareware serving domain portfolios within AS6851: Parked at/responding to 85.234.190.15... Parked at/responding to 85.234.190.4... Parked at/responding to 91.188.60.225... Parked at/responding to 91.188.60.3... Parked at/responding to 91.188.59.74... Parked at/responding to 85.234.190.16... Detection rates for the currently active malware samples, including the HOSTS file modifications on infected hosts, for the purpose of redirecting users to cybercrime-friendly search engines, monetized through traffic trading affiliate programs:
- 78490.jar - Result: 0/42 (0%)
- ad3.exe - Result: 41/42 (97.62%)
- a-fast.exe - Result: 36/42 (85.72%)
- dm.exe - Result: 37/42 (88.1%)
- iv.exe - Result: 8/42 (19.05%)
- j2_t895.jar - Result: 0/42 (0%)
- movie.exe - Result: 40/42 (95.24%)
- tst.exe - Result: 35/42 (83.34%)
- wsc.exe - Result: 37/42 (88.1%) - HOSTS file modification ...
- rc.exe - Result: 41/42 (97.62%) - HOSTS file modification ...
- installer.0028.exe - Result: 9/42 (21.43%) - HOSTS file modification ...
- installer.0022.exe - Result: 9/42 (21.43%) - HOSTS file modification ..."
(More detail and links at the ddanchev blog URL above.)

* http://cidr-report.o...eport?as=AS6851

- http://google.com/sa...ic?site=AS:6851
"Of the 1035 site(s) we tested on this network over the past 90 days, 33 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... last time Google tested a site on this network was on 2010-07-15, and the last time suspicious content was found was on 2010-07-15.
Over the past 90 days, we found 50 site(s) on this network... that appeared to function as intermediaries for the infection of 2661 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 550 site(s)... that infected 16759 other site(s)..."

Edited by AplusWebMaster, 15 July 2010 - 07:21 AM.

[AplusWebMaster]

FYI...

SPAM via DHA on the increase...
- http://www.symantec....sting-high-gear
July 15, 2010 - "... observed a dramatic increase in the directory harvest attack (DHA*) method. There was a staggering 15 times increase in DHA attacks during the first week of July 2010 when compared to the same period in June 2010. The spike was observed in the second week of June and is still rife. *So what exactly is a directory harvest attack? It is one of the methods spammers use to gather valid email addresses. One of the ways to generate email addresses to carry out this attack is by creating all possible alphanumeric combinations that could be used for the username part of an email address (up to a maximum length) and appending it to a domain. Alternatively, the dictionary attack method is used to generate email addresses, which is the preferred tactic of spammers... The list of valid email addresses collected by this attack method potentially improves the spammers’ deliverability and conversion rate by targeting a set of only valid email addresses. In addition, these valid email addresses can also be sold as email lists in the underground economy..."

- http://isc.sans.edu/...ml?storyid=9175
Last Updated: 2010-07-15 15:18:33 UTC

It -will- take some time for SPAM blockers and AV to catch up with this...

Edited by AplusWebMaster, 15 July 2010 - 10:07 AM.

[AplusWebMaster]

FYI...

Fake MS Advisory SPAM...
- http://blog.trendmic...loit-bandwagon/
July 27, 2010 - "... exploits targeting the Windows shortcut zero-day vulnerability have risen in number. It is also now being used to spread ZBOT variants via malicious attachments to spammed messages... with the subject Microsoft Windows Security Advisory... the attached archive contains a malicious .LNK file that Trend Micro proactively detects as LNK_STUXNET.SM. Also included is a malicious .DLL file detected as TROJ_ZBOT.BXW. When the exploit code in the shortcut is triggered, it runs the malware component, which then downloads and executes the main malware, TROJ_ZBOT.BXW. TROJ_ZBOT.BXW is one of the ZBOT 2.0 variants that we spotted earlier this year, highlighting how widespread the vulnerability is now being exploited. SALITY file infectors are now using this vulnerability as well... malware using the LNK vulnerability can spread more easily than those that use the AUTORUN.INF file. Until a patch to resolve the vulnerability is released, even more malware families are likely to exploit it."

[AplusWebMaster]

FYI...

Fake jobs, fake checks...
- http://www.securewor...reats/big-boss/
July 28, 2010 - "... In April 2010, during the course of an unrelated investigation, SecureWorks' Counter Threat Unit (CTU) discovered a unique variant of the well-known ZeuS trojan... Analysis of the sample revealed that in addition to the ordinary ZeuS functionality of stealing credentials, two new functions had been added:
1. The infected system listens on a random TCP port in order to serve as a SOCKS proxy
2. The infected system establishes a VPN (Virtual Private Network) connection to a remote server using the PPTP (Point-to-Point Tunneling Protocol) functionality built-in to Windows.
Although it is very common for trojans (especially ones designed to aid in financial fraud) to employ proxy server capability, this is the first time that the CTU has seen the use of VPN technology in such software... by employing the very simple VPN functionality built right in to Windows, the criminal bypasses the need to develop complex systems, and can simply route his/her malicious traffic over the VPN... some of the activity CTU observed traversing the proxy botnet at different times.
• Money mule job offer spam through multiple webmail services
• Scraping of job websites to obtain new email addresses to spam...
Essentially, the hackers are logging into online job sites and pulling email addresses of those looking for jobs... criminals have developed sophisticated malware that can intercept and alter transactions in progress, even when two-factor authentication is in play. Antivirus engines are unlikely to catch these malicious programs until it is too late... it would be extremely beneficial if those signing up for a job site are required to read and understand about the different kinds of fraudulent job offers they might receive, what kinds of red flags they might see in a fraudulent offer, along with guidelines for checking out a prospective hirer's legitimacy. If all of these parties were able to block these kinds of abuses, the criminals would find it much more difficult to carry out an operation of this scale."

(More detail and screenshots at the Secureworks URL above.)

- http://www.theregist...counterfeiting/
28 July 2010

Edited by AplusWebMaster, 01 August 2010 - 12:48 PM.

[AplusWebMaster]

FYI...

Malware movies...
- http://blog.trendmic...lware-download/
July 30, 2010 - "... encountered two .MOV files (001 Dvdrip Salt.mov and salt dvdrpi [btjunkie][xtrancex].mov) that both used the recent movie Salt, starring Angelina Jolie. It looks suspicious enough because of its relatively small size compared with regular movie files. When the movie files are loaded to QuickTime, it doesn’t show any live action scenes but leads users to download malware pretending to be either an update codec or another player installation... According to Apple, the two .MOV files do not make use of an exploit, instead “they rely on social engineering to trick the user into downloading the malware disguised as a movie codec. This is -not- related to the vulnerability reported by Secunia*..."
* http://secunia.com/advisories/40729
Release Date: 2010-07-26
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
... The vulnerability is confirmed in version 7.6.6 (1671) for Windows..."

More "Salt":
- http://sunbeltblog.b...lickpotato.html
August 02, 2010

Edited by AplusWebMaster, 02 August 2010 - 06:21 AM.

[AplusWebMaster]

FYI...

Web 2.0 undermines Enterprise Security...
- http://www.informati...cleID=226500076
Aug. 2, 2010 - "More than 80% of security administrators think that Web 2.0 applications - social networking tools, widgets, instant messaging programs, and their ilk - are undermining enterprise security. Furthermore, one in five think that employees rarely or never consider the consequences to corporate security of engaging in such activities as downloading applications from the Internet, streaming video, or using peer-to-peer file-sharing sites. Those results come from a new survey of more than 2,100 IT security administrators in the United States, United Kingdom, France, Japan, and Australia. The survey was conducted by the Ponemon Institute and sponsored by Check Point Software Technologies... The survey also found that nearly half of security managers think that minimizing Web 2.0 risks is an urgent priority. According to respondents, the top threats posed by Web 2.0 applications are, in order, poor workplace productivity, malware, data loss, and viruses..."

[AplusWebMaster]

FYI...

(More) tax-themed malicious emails
- http://community.web...ous-Emails.aspx
4 Aug 2010 - "Websense... has detected a wave of tax-themed malicious email. While the tax theme in spam email is common all year round, it is interesting to see the different strategies malicious authors use in their campaigns. We have seen reports last June about email with the subject "Notice of Underreported Income". Today, we have seen a couple of email having the same subject but with different attack strategies. The first sample below uses a malicious link just like those distributed earlier. Unlike earlier malicious email, which redirects to a fake IRS site that instructs the user to download a malicious file (tax-statement.exe), this link saves the victim a couple of clicks by prompting to download a file (adobe_flash_install.exe) immediately without going to a fake IRS site... The second sample below is more aggressive in that the malicious zip [MD5:dfbb95730b2377cccf8372107bdef503] is attached in the email. It is recognized by 1/42 AV engines via VirusTotal*... In addition to these, we are seeing malicious email with the subject “You are in a higher tax bracket”. It also has a malicious zip [MD5: 3b9c60c761734fcd4ac7a753c93ec5d1] attached to it and is recognized by 1/42 AV engines via VirusTotal*..."
* http://www.virustota...7d85-1280939399
File tax_statement.zip received on 2010.08.04 16:29:59 (UTC)
Result: 1/42 (2.38%)

[AplusWebMaster]

FYI...

100+ sites compromised - Media Temple host svrs...
- http://community.web...xploit-Kit.aspx
05 Aug 2010 - "Websense... has discovered that over 100 Web sites on the Media Temple Web host servers have been compromised, and will lead visitors to the Phoenix Exploit Kit. It's not the first time they have had a WordPress injection, but a quick investigation suggests that only 46% of these sites have WordPress installed, and Sucuri Scanner* reveals that they do have multiple vulnerabilities... According to the statement from Media Temple, neither Media Temple’s architecture nor the up-to-date versions of WordPress is the source of these compromises. Some insecure 3rd-party software applications installed on customer servers are the root cause, which has been verified by Sucuri... The Phoenix Exploit Kit** is a sophisticated hacker tool set that exploits several of the latest vulnerabilities on popular vectors to execute arbitrary code..."
* http://sucuri.net/?page=scan

** http://community.web...367.Capture.PNG
___

- http://weblog.mediat...acts/#more-2365
updated 8/6/10 5:10 pm - Recent Attacks...

- http://www.m86securi...trace.1427~.asp
m86security (Last Reviewed: August 3, 2010)

Edited by AplusWebMaster, 07 August 2010 - 10:51 AM.

[AplusWebMaster]

FYI...

Rogue AV SPAM...
- http://community.web...Rogue-Mail.aspx
06 Aug 2010 - "Websense... has detected thousands of malicious emails purporting to be from big-brand companies like Target, Macy’s, Best Buy, and Evite... All the malicious URLs associated in the emails above redirect to the same fake AV web site. Users are then prompted to run a malicious executable called "antivirus_24.exe" [MD5: 5be4b708a68687cb5490fe2caea49c82], currently detected by 11/42 AV engines*..."
* http://www.virustota...98d6-1281107011
File antivirus_24.exe received on 2010.08.06 15:03:31 (UTC)
Current status: finished
Result: 11/41 (26.83%)

- http://ddanchev.blog...-evite-and.html
August 09, 2010

Edited by AplusWebMaster, 09 August 2010 - 01:31 PM.