
SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#556 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 21 October 2011 - 07:57 PM

FYI...

JBoss worm-in-the-wild
- https://isc.sans.edu...l?storyid=11860
Last Updated: 2011-10-21 02:06:15 UTC ...(Version: 2) - "A worm is making the rounds infecting JBoss application servers. JBoss is an open source Java based application server and it is currently maintained by RedHat. The worm exploits an older configuration problem in JBoss, which only authenticated GET and POST requests. It was possible to use other methods to execute arbitrary code without authentication. The problem was fixed last year, but there are apparently still a number of vulnerable installs out there. If you do run JBoss, please make sure to read the instructions posted by RedHat here:
- http://community.jbo...lication-server
Analysis of the worm: http://pastebin.com/U7fPMxet "
___

- http://www.theregist.../26/jboss_worm/
26 October 2011 - "... The malware behind the attack is significant both because it targets servers rather than PCs and for its reliance on exploiting a vulnerability that is over a year old – a flaw in JBoss Application Server patched by Red Hat in April 2010 – in order to attack new machines. The worm's payload includes a variety of Perl scripts, one of which builds a backdoor on compromised machines... exploits with a patch available for over a year accounted for 3.2 per cent of compromises..."

:ph34r: :ph34r:

Edited by AplusWebMaster, 26 October 2011 - 08:19 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
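The misconfiguration in the post above is HTTP verb tampering. As an added example (not code from JBoss, Red Hat or the worm), the following Python models how a servlet container evaluates a web.xml security-constraint and lists which verbs reach the admin servlet without a login under a GET/POST-only constraint versus the fixed one. The two web.xml fragments, the JBossAdmin role name and the /HtmlAdaptor path are constructed for illustration.

```python
"""Verb tampering against a servlet <security-constraint>.

Added example, not code from JBoss, Red Hat or the worm. It models how a
servlet container decides whether a request needs authentication: a
<security-constraint> whose <web-resource-collection> lists <http-method>
elements covers ONLY those verbs, so every other verb (HEAD, PUT, DELETE,
OPTIONS, or an invented one) is dispatched without a login. The two
web.xml fragments below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed: the shape of a method-restricted constraint on the admin console.
VULNERABLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin console</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed: the fix drops the <http-method> list so the constraint applies
# to every verb (Servlet spec: no <http-method> element means all methods).
FIXED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "      <http-method>GET</http-method>\n      <http-method>POST</http-method>\n", "")


def parse_constraints(web_xml):
    """Return [{patterns, methods, roles}] for each web-resource-collection."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.findall("security-constraint"):
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        for wrc in sc.findall("web-resource-collection"):
            constraints.append({
                "patterns": [p.text.strip() for p in wrc.findall("url-pattern")],
                "methods": {m.text.strip().upper() for m in wrc.findall("http-method")},
                "roles": roles,
            })
    return constraints


def url_matches(pattern, path):
    """Servlet url-pattern semantics: exact, path prefix '/x/*', or extension '*.ext'."""
    if pattern == path or pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def requires_auth(constraints, method, path):
    """True if some constraint with an auth-constraint covers (method, path)."""
    method = method.upper()
    for c in constraints:
        if not any(url_matches(p, path) for p in c["patterns"]):
            continue
        # An empty method set means "all methods"; a non-empty set restricts the
        # constraint to exactly those verbs, which is the hole the worm used.
        if c["methods"] and method not in c["methods"]:
            continue
        if c["roles"]:
            return True
    return False


def unauthenticated_verbs(web_xml, path,
                          verbs=("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE")):
    """List the verbs that reach `path` without authentication under this web.xml."""
    constraints = parse_constraints(web_xml)
    return [v for v in verbs if not requires_auth(constraints, v, path)]


if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, "->", unauthenticated_verbs(xml, "/HtmlAdaptor") or "none")
```

HEAD is the practical bypass: HttpServlet routes a HEAD to the same doGet logic with the response body discarded, so the admin action still executes even though nothing comes back. Checking a live server follows the same idea: request the admin URL with GET and with HEAD and compare the status codes; a 401 for GET but a 200 for HEAD means the constraint is method-restricted and the http-method elements should be removed.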



#557 AplusWebMaster

Posted 23 October 2011 - 06:53 PM

FYI...

Fake jobs: jobbworld .com and yourjobb .com
- http://blog.dynamoo....ourjobbcom.html
23 October 2011 - "Two new domains being used to recruit for fake jobs, which actually turn out to be illegal activities such as money laundering.
jobbworld .com
yourjobb .com
This is part of a long-running scam that has been going on for ages. One characteristic of the spam received is that it appears to come from your own email address..."

Fake jobs: canada-newjob .com, netherlandjobb .com and newjobrecruit .com
- http://blog.dynamoo....-newjobcom.html
20 October 2011 - "Another bunch of domains being used to peddle fake jobs:
canada-newjob .com
netherlandjobb .com
newjobrecruit .com
These domains form part of this long running scam. You may find that the emails appear to come from your own email address..."

:ph34r: <_<



#558 AplusWebMaster

Posted 24 October 2011 - 11:25 AM

FYI...

Targeted malware attack shows how Fast Fingerprinting works
- http://nakedsecurity...printing-works/
October 24, 2011 - "... technology is helping anti-virus researchers detect malicious Microsoft Office files, by examining if they fail to conform to the OLE2 file format specification... two differences between the new malware sample and previous ones are:
- The case of the Workbook stream had been changed to workbook...
- Previous incarnations had contained the unicode string "HP LaserJet" at offset 0x638 and the new version has had the first four characters "HP L" overwritten with nulls.
At the time of analysis, detection of this malware by other vendors wasn't very good... according to VirusTotal, detection has improved*. If your computer wasn't updated with Microsoft's MS09-067** security patch, then the cybercriminal could have installed the Mal/Gyplit-A malware onto your PC."
* https://www.virustot...0241-1319198077
File name: e6d3bf9d5ba93ec6444612f819029e52942100f7.bin
Submission date: 2011-10-21 11:54:37 (UTC)
Result: 17/43 (39.5%)

Microsoft Office Excel ...
** http://www.microsoft...n/MS09-067.mspx

:ph34r: <_<

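The two anomalies quoted above (a "workbook" stream whose name case is wrong, and the UTF-16 "HP LaserJet" marker at 0x638 with "HP L" nulled out) are the kind of thing a fast fingerprint checks before any full parse. As an added example that is not Sophos's technology, the following Python reads the OLE2 (Compound File Binary) directory and performs exactly those two checks; build_sample() constructs toy containers so the checks can be run offline. Reading only the first directory sector is an assumption that holds for small files; a production parser walks the FAT chain.

```python
"""Fast-fingerprint checks on an OLE2 (Compound File Binary) container.

Added example, not Sophos's detection technology. It implements the two
observations quoted above as checks: (1) a BIFF8 workbook stream named
'workbook' instead of the writer-emitted 'Workbook', and (2) the UTF-16LE
string 'HP LaserJet' at file offset 0x638 with its first four characters
(8 bytes) overwritten with nulls. Only the first directory sector is read,
which is an assumption that holds for small files. build_sample() builds
constructed toy containers for offline testing.
"""
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
HP_OFFSET = 0x638
HP_MARK = "HP LaserJet".encode("utf-16-le")
STREAM, ROOT = 2, 5           # CFB directory entry object types


def directory_entries(blob):
    """Yield (name, type) from the first directory sector of a CFB file."""
    if blob[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2/CFB container")
    sector_size = 1 << struct.unpack_from("<H", blob, 0x1E)[0]   # sector shift
    first_dir = struct.unpack_from("<I", blob, 0x30)[0]          # first directory sector
    base = (first_dir + 1) * sector_size                          # sector 0 follows the header
    for i in range(sector_size // 128):
        entry = blob[base + i * 128: base + (i + 1) * 128]
        if len(entry) < 128:
            break
        name_len = struct.unpack_from("<H", entry, 64)[0]        # bytes incl. UTF-16 NUL
        etype = entry[66]
        if etype == 0 or name_len < 2:
            continue
        yield entry[:name_len - 2].decode("utf-16-le"), etype


def fingerprint(blob):
    """Return a list of anomaly strings; an empty list means nothing suspicious here."""
    findings = []
    for name, etype in directory_entries(blob):
        # Excel writes the BIFF8 stream as 'Workbook'; a lower-case variant is hand-edited.
        if etype == STREAM and name.lower() == "workbook" and name != "Workbook":
            findings.append("workbook stream name has wrong case: %r" % name)
    window = blob[HP_OFFSET:HP_OFFSET + len(HP_MARK)]
    if window != HP_MARK and window[:8] == b"\x00" * 8 and window[8:] == HP_MARK[8:]:
        findings.append("'HP L' at 0x638 overwritten with nulls")
    return findings


def build_sample(stream_name, nullify_hp):
    """Constructed toy CFB: header, one directory sector, two data sectors."""
    sector = 512
    blob = bytearray(sector * 4)
    blob[0:8] = OLE_MAGIC
    struct.pack_into("<H", blob, 0x1E, 9)      # 512-byte sectors
    struct.pack_into("<I", blob, 0x30, 0)      # directory is sector 0 (file offset 512)

    def put_entry(idx, name, etype):
        off = sector + idx * 128
        enc = name.encode("utf-16-le") + b"\x00\x00"
        blob[off:off + len(enc)] = enc
        struct.pack_into("<H", blob, off + 64, len(enc))
        blob[off + 66] = etype

    put_entry(0, "Root Entry", ROOT)
    put_entry(1, stream_name, STREAM)
    mark = b"\x00" * 8 + HP_MARK[8:] if nullify_hp else HP_MARK
    blob[HP_OFFSET:HP_OFFSET + len(mark)] = mark
    return bytes(blob)


if __name__ == "__main__":
    print("clean :", fingerprint(build_sample("Workbook", False)))
    print("tamper:", fingerprint(build_sample("workbook", True)))
```

Both checks are cheap because they never parse the BIFF records themselves; that is what makes them usable as a triage step in front of a heavier parser or a sandbox. Note that the offset check is specific to the samples described in the post and would be one entry in a larger set of fingerprints rather than a general rule.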


#559 AplusWebMaster

Posted 26 October 2011 - 04:33 PM

FYI...

Facebook spams evolved
- http://techblog.avir...ams-evolved/en/
October 25, 2011 - "... links usually redirect in two steps to a Canadian Pharmacy website where various (fake) meds are offered at unbelievable prices. We have noticed a new type of mail which at the first glance seems to be from the mentioned category. This time, there is a text:
“Please call +7 951 xyzq”.
According to its prefix, the number is from Russia. I am not an expert in international phone numbers, but if we consider that the number starts with “9" then I think I can assume that it is a very expensive number... Can it be that the Canadian Pharmacy spam doesn’t bring anymore enough money to the spammers and they are searching for new methods of getting some easy money? Fortunately for us, the spam is malformed and it is quite easy to detect it as spam. But this opens a new chapter in Facebook related spam – now those who are not aware of such scams can lose some serious money. Facebook will never ask you to call any number. They will also never send you such a notification and definitely your Facebook Inbox will never get full. We strongly advise all users to never call any number present in such emails."

:( :ph34r:



#560 AplusWebMaster

Posted 27 October 2011 - 06:13 PM

FYI...

URL shorteners actively circumvent spam filters

Bulk Registrars, URL Shorteners, Dynamic DNS Providers
- http://www.malwaredo...rdpress/?p=2147
October 27th, 2011 - "We’ve been maintaining lists of Bulk Registrars, Dynamic DNS Providers, and URL Shorteners...
http://www.malwaredo...rdpress/?p=1991
We just added a new list of “unverified” URL Shorteners here: http://mirror1.malwa...-unverified.txt
We’ll be going through the URLs and adding them to the main list once they have been verified. If anyone wishes to help in this effort, please let us know."

- http://www.digitaltr...-to-hide-links/
October 25, 2011 - "According to new information from researchers at Symantec, a group of spammers have created a group of 87 spam-friendly, public URL shortening services and are actively using them to circumvent spam filters on popular sites. Using URL shortening scripts that are free and open source, the spammers are churning spam through the service..."

:ph34r: :ph34r:



#561 AplusWebMaster

Posted 31 October 2011 - 07:05 AM

FYI...

“ce.ms” free domains... host malicious code
* http://research.zsca...ng-used-to.html
October 27, 2011 - "...it appears that attackers are leveraging free “.ce.ms” domains. Likewise, we have identified a number of .ce.ms domains exploiting various known client side vulnerabilities. Here are a few of the URL’s being used:
hxxp ://27glshegbslijels .ce.ms/main.php?page=66c6ce3c7bc4b20c
hxxp ://hhhjjjjj111111 .ce.ms/main.php?page=423b262d0a1a9f70
hxxp ://00000000000000 .ce.ms/main.php?page=423b262d0a1a9f70
hxxp ://24sjegohmjosee .ce.ms/main.php?page=66c6ce3c7bc4b20c
hxxp ://44444444444444444 .ce.ms/main.php?page=423b262d0a1a9f70
The aforementioned domains suggest that random domain names are being registered to host these attacks. Once visited, the victim will be presented with obfuscated JavaScript code, formatted in such way to evade IDS, IPS and antivirus solutions. The numbers in the arrays used by the scripts are intentionally spread across separate lines. This way the size of HTML file becomes huge and the total code spans 29K lines... Attackers keep registering different random domains to spread their attacks, often targeting free registration services. Due to obfuscation used by the attackers, security solutions relying on regular expressions designed to match known patterns can often be evaded due to the code being spread over numerous lines..."

- http://sunbeltblog.b...c-now-cems.html
October 30, 2011 - "... Late last week, our friends at Zscaler* discovered that cybercriminals have now moved to hosting their wares on "ce.ms" domains (.ms being the top-level domain for Montserrat, an island in the West Indies). A simple Google search led me to several forums and personal blog posts as early as June of this year complaining about getting fake AVs from such sites, with the Zscaler discovery looking much more complex..."

:ph34r: <_<

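The Zscaler post above makes a point worth seeing concretely: a signature that must match on one line never fires when the array it looks for is spread one number per line, and the fix is to normalise before matching, not to write a bigger regex. As an added example (not Zscaler's or the attackers' code), the following Python constructs a toy script in that layout, shows a per-line signature missing it, normalises the bracketed number lists back onto one line so the same signature matches, and decodes the array to recover the hidden text. The payload string and the signature are constructed for illustration.

```python
"""Line-spanning numeric arrays vs. line-oriented signatures.

Added example, not Zscaler's or the attackers' code. build_obfuscated()
constructs a toy version of the layout described above: a fromCharCode
array with one number per line, so a per-line (grep/IDS-style) signature
never sees the whole array. normalize() joins the array back onto one
line before matching and decode_arrays() recovers the hidden text. The
payload string is constructed and benign.
"""
import re

# Constructed signature a line-oriented tool might carry: a fromCharCode call
# fed a literal array of at least eight code points on ONE line.
SIGNATURE = re.compile(r"fromCharCode\.apply\(null,\s*\[(?:\d+\s*,\s*){7,}\d+\s*\]\)")


def build_obfuscated(payload):
    """Constructed sample: every char code on its own line, as in the samples."""
    codes = ",\n".join(str(ord(c)) for c in payload)
    return "eval(String.fromCharCode.apply(null, [\n%s\n]));\n" % codes


def hits_per_line(js):
    """What a per-line matcher sees: number of lines on which the signature fires."""
    return sum(1 for line in js.splitlines() if SIGNATURE.search(line))


def normalize(js):
    """Collapse whitespace inside bracketed numeric lists so each array is one token.

    Only the bracketed lists are touched, so string literals elsewhere keep
    their spacing and other signatures are not disturbed."""
    return re.sub(r"\[[\d\s,]+\]", lambda m: re.sub(r"\s+", "", m.group(0)), js)


def hits_normalized(js):
    """Same signature, run after normalisation."""
    return len(SIGNATURE.findall(normalize(js)))


def decode_arrays(js):
    """Decode every numeric array in the script back to text for triage."""
    out = []
    for arr in re.findall(r"\[([\d,]+)\]", normalize(js)):
        out.append("".join(chr(int(n)) for n in arr.split(",") if n))
    return out


if __name__ == "__main__":
    sample = build_obfuscated('document.write("probe")')
    print("lines in sample:", sample.count("\n"))
    print("per-line hits  :", hits_per_line(sample))
    print("normalised hits:", hits_normalized(sample))
    print("decoded        :", decode_arrays(sample))
```

The 29K-line figure in the post is the reason this matters operationally: a scanner that buffers the whole response and normalises it spends a little memory per page, while one that matches per line or per packet spends nothing and sees nothing.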


#562 AplusWebMaster

Posted 31 October 2011 - 10:02 AM

FYI...

The Market for stolen credit cards data...
- http://ddanchev.blog...edit-cards.html
October 31, 2011 - "What's the average price for a stolen credit card? How are prices shaped within the cybercrime ecosystem? Can we talk about price discrimination within the underground marketplace? Just how easy is it to purchase stolen credit cards known as dumps or full dumps, nowadays?... the market for stolen credit cards data... 20 currently active and responding gateways for processing of fraudulently obtained financial data.
Key summary points:
Tens of thousands of stolen credit cards a.k.a. dumps and full dumps offered for sale in a DIY market fashion
• The majority of the carding sites are hosted in the Ukraine and the Netherlands...
• Four domains are using Yahoo accounts and one using Live.com account for domain registration...
• Several of the fraudulent gateways offered proxies-as-a-service, allowing cybercriminals to hide their real IPs by using the malware infected hosts as stepping stones.
The dynamics of the cybercrime ecosystem share the same similarities with that of a legitimate marketplace. From sellers and buyers, to bargain hunters, escrow agents, resellers and vendors specializing in a specific market segment, all the market participants remain active throughout the entire purchasing process. With ZeuS and SpyEye crimeware infections proliferating, it shouldn't be surprising that the average price for a stolen credit card is decreasing. With massive dumps of credit card details in the hands of cybercriminals, obtained through ATM skimming and crimeware botnets, the marketplace is getting over-crowded with trusted propositions for stolen credit card details..."
(More detail at the ddanchev URL above.)

More here:
- https://krebsonsecur...into-hot-stuff/
October 31st, 2011
___

- http://www.businessi...t-score-2011-11
Nov. 1, 2011

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 01 November 2011 - 02:30 PM.



#563 AplusWebMaster

Posted 01 November 2011 - 07:52 AM

FYI...

New cyber attack targets chemical firms: Symantec
- http://www.reuters.c...E79U4K920111031
Oct 31, 2011 - "At least 48 chemical and defense companies were victims of a coordinated cyber attack that has been traced to a man in China, according to a new report from security firm Symantec... Computers belonging to these companies were infected with malicious software known as "PoisonIvy", which was used to steal information such as design documents, formulas and details on manufacturing processes... The cyber campaign ran from late July through mid-September..."

"Nitro" attacks
- http://www.symantec....tro_attacks.pdf

> http://www.h-online....iew=zoom;zoom=1

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 01 November 2011 - 12:03 PM.



#564 AplusWebMaster

Posted 01 November 2011 - 05:57 PM

FYI...

Duqu: status - 0-Day Exploit
- http://www.symantec....ero-day-exploit
Nov. 1, 2011 - "... an installer has recently been recovered due to the great work done by the team at CrySyS. The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution. We contacted Microsoft regarding the vulnerability and they're working diligently towards issuing a patch and advisory. When the file is opened, malicious code executes and installs the main Duqu binaries...
Key updates...
• An unpatched zero-day vulnerability is exploited through a Microsoft Word document and installs Duqu
• Attackers can spread Duqu to computers in secure zones and control them through a peer-to-peer C&C protocol
• Six possible organizations in eight countries have confirmed infections
• A new C&C server (77.241.93.160) hosted in Belgium was discovered and has been shut down..."
(More detail at the symantec URL above.)

Graphic:
- http://www.symantec....s/duqu_flow.png

:ph34r: <_<



#565 AplusWebMaster

Posted 02 November 2011 - 04:18 AM

FYI...

Webinjects - underground market
- http://www.trusteer....erground-market
November 02, 2011 - "... cybercriminals have been busy developing webinjects for Zeus and Spyeye to orchestrate and develop malevolent attacks against certain brands. Webinjects are malware configuration directives that are used to inject rogue content in the web pages of bank websites to steal confidential information from the institution’s customers... Trusteer’s research team has discovered that these webinjects are being offered for sale on many open internet forums... developers are earning a decent income from selling the Zeus/Spyeye webinjects service to an increasingly diverse customer base... the developers have gone to the trouble of obfuscating the Zeus/Spyeye webinjects, not because they want to confuse malware researchers, but to try and prevent piracy of their software... webinjects can’t be modified by the 'customer', if they need localization for a specific country and language, this can only be carried out by the developers... for a price... resale is rife. Those that have purchased a copy of webinject are openly -reselling- their version to anyone wanting to steal the same information from victims... From the advertisements we’ve seen there are multiple targets, including British, Canadian, American, and German banks..."
(More detail at the trusteer URL above.)

- http://www.abuse.ch/?p=2986
December 21, 2010 - "... the Bozvanovna botnet is also using so-called Webinjects to phish credentials and steal money from the victims online bank account..."

:ph34r: <_< :ph34r:

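To make concrete what a webinject actually does to a bank page, here is an added example (not code from Zeus, SpyEye or Trusteer) in Python. It parses the well-known webinjects.txt layout (set_url with G/P flags, then data_before, data_inject and data_after blocks each closed by data_end, with "*" as a wildcard) and splices the inject into an HTML response the way the bot does inside the browser. The rule, the bank URL and the login page are constructed, and the splice semantics are a simplified model: the inject replaces whatever lies between the data_before and data_after matches. The targets() helper is the defender's use of the same parser, pulling the list of targeted URL patterns out of a captured config.

```python
"""Applying a Zeus/SpyEye-style webinject to a page.

Added example, not code from Zeus, SpyEye or Trusteer. It parses the
well-known webinjects.txt layout (set_url with G/P flags, data_before,
data_inject, data_after, data_end; '*' is a wildcard) and splices the
inject into an HTML response the way the bot does in the browser. The
rule, the bank URL and the page are all constructed; the splice semantics
are a simplified model (inject replaces whatever lies between the
data_before and data_after matches).
"""
import re

# Constructed webinject: add a PIN field right after the password box.
WEBINJECT = """set_url https://bank.example/login* GP
data_before
<input type="password"*>
data_end
data_inject

<label>ATM PIN <input name="pin" type="password"></label>
data_end
data_after
data_end
"""

SECTIONS = ("data_before", "data_inject", "data_after")


def parse_webinjects(text):
    """Return a list of rule dicts: url, flags, data_before, data_inject, data_after."""
    rules, rule, section, buf = [], None, None, []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("set_url "):
            parts = s.split()
            rule = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "GP"}
            rule.update({k: "" for k in SECTIONS})
            rules.append(rule)
        elif s in SECTIONS:
            section, buf = s, []
        elif s == "data_end" and section:
            rule[section] = "\n".join(buf)
            section = None
        elif section:
            buf.append(line)
    return rules


def wildcard(pattern):
    """Turn a '*' wildcard pattern into a regex (non-greedy, spans newlines)."""
    return re.compile(".*?".join(re.escape(p) for p in pattern.split("*")), re.DOTALL)


def apply_rule(rule, url, method, html):
    """Return (html, injected). Flags 'G'/'P' gate GET/POST responses."""
    if not wildcard(rule["url"]).fullmatch(url) or method[0].upper() not in rule["flags"]:
        return html, False
    if not rule["data_before"]:
        return html, False
    before = wildcard(rule["data_before"]).search(html)
    if not before:
        return html, False
    start = end = before.end()
    if rule["data_after"]:
        after = wildcard(rule["data_after"]).search(html, start)
        if not after:
            return html, False
        end = after.start()
    return html[:start] + rule["data_inject"] + html[end:], True


def targets(text):
    """Defender's view: which URL patterns a captured config goes after."""
    return [r["url"] for r in parse_webinjects(text)]


# Constructed bank login page.
PAGE = ('<form action="/login" method="post">\n'
        '<input type="text" name="user">\n'
        '<input type="password" name="pass">\n'
        '<button>Sign in</button>\n</form>')

if __name__ == "__main__":
    rule = parse_webinjects(WEBINJECT)[0]
    out, did = apply_rule(rule, "https://bank.example/login?lang=en", "GET", PAGE)
    print("injected:", did)
    print(out)
```

Because the injection happens after TLS termination inside the browser, the bank's server never sees the extra field; that is why the post says the rogue content appears "in the web pages of bank websites" even though the site itself is untouched. On the defensive side, the same parser run over a recovered config gives the bank list that matters for notifying the targeted institutions.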



#566 AplusWebMaster

Posted 03 November 2011 - 09:11 AM

FYI...

MIT server hijacked - used by hacks to compromise other websites
- https://www.computer...attack_campaign
November 3, 2011 - "A server belonging to the Massachusetts Institute of Technology was commandeered by hackers who used it to launch attacks against other websites as part of a larger drive-by download campaign, according to antivirus vendor BitDefender*... The rogue script hosted on the MIT server searched for vulnerable installations of phpMyAdmin, a popular Web-based database administration tool. When the script finds a server with phpMyAdmin version 2.5.6 through 2.8.2, it exploits a vulnerability in the application and injects malicious code into the underlying databases. This attack campaign started in June and resulted in over 100,000 compromised websites so far... The company's researchers believe that the attacks are related to the Blackhole Exploit Pack, one of the most popular drive-by download toolkits currently used by cybercriminals. Users visiting websites compromised in this campaign will be redirected to exploits for vulnerabilities in Java and other browser plug-ins, which try to install malware on their computers... As far as the BitDefender researchers could tell, the server is still online, but no longer attacking websites... The fact that these servers have considerable resources and bandwidth at their disposal is also appealing to cybercriminals and could cause problems for less powerful systems that find themselves attacked. The denial-of-service effect on the smaller systems can be easily mitigated by filtering traffic from the offending IP addresses. However, most of the time hackers don't care if that happens because they use a hit-and-run approach... Webmasters are advised to remove old applications from their servers or keep them updated even if they are only rarely used. They should also review the server logs regularly for unusual requests that could be an indication of an attack in progress. 
Drive-by download toolkits like Blackhole continue to be popular with cybercriminals because a large number of users do a poor job of keeping their operating systems, browsers and other Internet-facing software up to date."
* http://www.malwareci...t-dos-1199.html
2 November 2011

:ph34r: <_< :ph34r:

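The article's closing advice, to review server logs for unusual requests and to filter the offending source addresses, is easy to turn into a check. As an added example (not BitDefender's or MIT's code), the following Python reads Apache/nginx combined-format access log lines and flags any client that fans out over several phpMyAdmin-style paths and draws 404s, which is what the scanner described above looks like from the victim's side, while leaving a single successful request by a real administrator alone. The log lines are constructed with RFC 5737 test addresses; the probe-path list and the threshold are assumptions.

```python
"""Spotting a phpMyAdmin scanner in an Apache/nginx combined access log.

Added example, not BitDefender's or MIT's code. The log lines are
constructed (RFC 5737 test addresses); the probe paths are ones such
scanners conventionally try and are an assumption, as is the threshold.
A single client fanning out over many admin-tool paths and drawing 404s
is the pattern worth alerting on; one successful request by a real
administrator is not.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Assumed probe paths: directory names scanners guess for web database tools.
PROBE_RE = re.compile(
    r"/(phpmyadmin[\w.-]*|pma|myadmin|mysqladmin|sqlmanager|scripts/setup\.php)(/|$|\?)", re.I)

# Constructed sample log.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Nov/2011:10:14:01 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [02/Nov/2011:10:14:01 +0000] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
192.0.2.5 - - [02/Nov/2011:10:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Nov/2011:10:14:02 +0000] "GET /phpmyadmin-2.8.2/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
203.0.113.9 - - [02/Nov/2011:10:15:40 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Nov/2011:10:14:03 +0000] "GET /myadmin/ HTTP/1.1" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [02/Nov/2011:10:14:03 +0000] "GET /scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"
"""


def parse(lines):
    """Yield dicts for lines that parse; silently skip ones that do not."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            yield d


def find_scanners(lines, min_distinct=3):
    """Map client IP -> sorted distinct admin-tool paths that drew a 404, for
    clients that probed at least `min_distinct` such paths."""
    probes = defaultdict(set)
    for rec in parse(lines):
        if rec["status"] == 404 and PROBE_RE.search(rec["path"]):
            probes[rec["ip"]].add(rec["path"])
    return {ip: sorted(p) for ip, p in probes.items() if len(p) >= min_distinct}


def block_rules(ips):
    """Text of the source-filter rules the article suggests (iptables syntax)."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(ips)]


if __name__ == "__main__":
    found = find_scanners(SAMPLE_LOG.splitlines())
    for ip, paths in found.items():
        print(ip, paths)
    print("\n".join(block_rules(found)))
```

The 404 filter is deliberate: a request for a phpMyAdmin path that succeeds is either a real administrator or a sign that the tool is installed and reachable, and the second case is the one to fix by removing or updating the application rather than by blocking one scanner.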


#567 AplusWebMaster

Posted 03 November 2011 - 01:50 PM

FYI...

5 million new malware samples - Q3 2011
- http://pandalabs.pan...report-q3-2011/
Nov 3 - PandaLabs Report – Q3 2011 - "... PandaLabs Report Q3 11 is out... In this quarter 5 million new malware samples have been created and the record of new Trojans has been broken, as it is the preferred category by cybercriminals to carry out their theft of information... The highlight of this third quarter is the record set in the creation of new Trojan samples. 3 out of 4 new malware samples created by cybercriminals are Trojans and this is just another proof that they are focused on stealing users' information."
* http://press.pandase...ort-Q3-2011.pdf
PDF file 2.9MB - 18 pgs.

:ph34r: <_< :ph34r:



#568 AplusWebMaster

Posted 04 November 2011 - 04:50 PM

FYI...

Pirate Bay - malware for Macs
- http://www.f-secure....s/00002265.html
November 4, 2011 - "We recently analyzed DevilRobber.A, a Mac OS X malware that has both backdoor and trojan-like capabilities. All the samples we've collected so far were from torrents uploaded by a single user account on The Pirate Bay website... The files shared were legitimate Mac applications, but modified to include the malware's components... the malware author had varying purposes for each of his creations. One variant steals the Keychain of the infected machine and logs the number of files on the system... Graham Cluley* speculates may be referring to "pre-teen hardcore pornography". It appears as though the malware author is trying to find illegal child abuse materials, by spotting which infected machine has the most pornography and using its credentials to gain access to the materials. Other variants install applications related to Bitcoin mining. These applications use both the CPU and GPU computational power of the infected machines, which improves the mining operations at the computer owner's expense... all the variants we've seen log the number of files that match a certain set of criteria, and also steal the Terminal command history and Bitcoin wallet. All variants also perform the following:
• Opens a port where it listens for commands from a remote user.
• Installs a web proxy which can be used by remote users as a staging point for other attacks.
• Steals information from the infected machine and uploads the details to an FTP server for later retrieval..."
* http://nakedsecurity...bitcoin-mining/

:ph34r: <_<



#569 AplusWebMaster

Posted 08 November 2011 - 04:37 AM

FYI...

Phone scam targets PC users with phony virus reports
- http://www.zdnet.com...us-reports/4198
Updated 7-November with additional details - "Online con artists are targeting PC users worldwide in a brazen scam. It starts with a phone call from a “tech support specialist” who warns that your computer is infected with a virus. To fix things, all you have to do is give the caller remote access to your PC... it starts with a phone call from someone who claims to be affiliated with Microsoft or another legitimate company or government agency. The caller then asks for the primary computer user in the house, who is told: “Your computer has downloaded a virus.” And, of course, the caller is ready and willing to fix the problem. All you have to do is navigate to a web site, click a link to install some remote-control software, and allow the “technician” to get to work. [NOT] The perps are using legitimate remote-assistance software, like the Ammyy Admin program from Ammyy Software Development, which posted a warning* that included some reports the company has received from scam victims..."
(More details at the zdnet URL above.)
* http://www.ammyy.com/en/admin_mu.html
___

- https://www.trusteer...ourself-offline
November 08, 2011

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 08 November 2011 - 02:29 PM.



#570 AplusWebMaster

Posted 11 November 2011 - 12:20 PM

FYI...

Fake USPS e-mail w/PDF malware...
- http://sunbeltblog.b...-in-season.html
November 10, 2011 - "... an email purporting to have come from a legitimate company with an attached Adobe .PDF file claiming that it's either a receipt, a document, or a ticket. Claims of what the attachment is supposed to be vary, but what remains consistent is that the email always instructs recipients to open it and / or save it on their computer... seeing an uptick of this particular campaign, which poses as a message from the United States Postal Service (USPS) and bears the subject "Package is was not able to be delivered please print out the attached label"... When executed, it connects to the IP address, 91(dot)221(dot)98(dot)29, and downloads the file named step.exe, which is a variant of FakeSysDef, a rogue malware. It also checks on the following websites, all of which are from Russia:
followmego12(dot)ru
hidemyfass87111(dot)ru
losokorot7621(dot)ru
mamtumbochka766(dot)ru ...
... we detect this malware as Trojan.Win32.Generic!BT. As always, steer clear from these kinds of emails..."

Fake USPS Package Delivery Notification E-mail Messages...
- http://tools.cisco.c...x?alertId=24212
November 10, 2011 - "... The text in the e-mail message attempts to convince the recipient to open the attachment and view the details. However, the .zip attachment contains a malicious .exe file that, when executed, attempts to infect the system with malicious code..."

:ph34r: <_<

Edited by AplusWebMaster, 12 November 2011 - 08:18 AM.

