SPAM frauds, fakes, and other MALWARE deliveries...
2072 replies to this topic

#571 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 13 November 2011 - 02:33 PM

FYI...

73,000 daily malware threats created...
- https://www.computer...d_based_malware
November 11, 2011 - "... CI uses the Internet "community" - users of Panda's free CloudAntivirus, along with other companies and collaborators - to locate malware... ranging from viruses to worms, Trojans, spyware and other attacks. CI now has a database of more than 25 terabytes of cloud-based classification data... According to Panda, a third of all the malware in existence was created in the first 10 months of 2010. The average number of threats created daily rose from 55,000 in 2009 to 63,000 in 2010 to 73,000 this year..."
> http://dashboard.csoonline.com/

- http://www.av-test.o...istics/malware/

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 13 November 2011 - 02:36 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#572 AplusWebMaster


Posted 14 November 2011 - 06:24 AM

FYI...

Virus Outbreak In Progress
- http://www.ironport.com/toc/
November 14, 2011

- http://tools.cisco.c...Outbreak.x?i=77

Fake Secret File Malicious Link E-mail Messages...
- http://tools.cisco.c...x?alertId=24569
Fake Payment Details Spreadsheet E-mail Messages...
- http://tools.cisco.c...x?alertId=24566
Fake Royal Mail Service Delivery Failure E-mail Messages...
- http://tools.cisco.c...x?alertId=24264
___

Global Attacks
- http://atlas.arbor.n...attacks#sources
Summary Report - (Past 24 hours)
"... by Country... by ASN..."

1. http://www.google.co...ic?site=AS:4134

2. http://www.google.co...ic?site=AS:4812

3. http://www.google.co...ic?site=AS:4837

:ph34r: <_<

Edited by AplusWebMaster, 14 November 2011 - 09:37 AM.



#573 AplusWebMaster


Posted 14 November 2011 - 11:52 AM

FYI...

Htaccess redirection - malware ...
- http://blog.sucuri.n...fo-dot-com.html
November 14, 2011 - "Since last week we started to see a large increase in the number of sites compromised with a .htaccess redirection to hxxp ://sweepstakesandcontestsinfo .com/ nl-in .php?nnn=555. This domain has been used to distribute malware for a while (generally through javascript injections), but only in the last few days have we started to see it being done via .htaccess... anyone that visits the compromised sites from a search engine will get redirected (and sometimes have their personal computer compromised). This is what happens on the browser of the visitor:
• Visits compromised site by clicking from a search engine
• Browser is redirected to sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 (and variations)
• Browser is redirected to hxxp ://www4.personaltr-scaner.rr.nu/?gue5mx=i%2BrOmaqtppWomd%2FXxa.. (or www3 .bustdy .in or www3 .strongdefenseiz .in and variations)
• Browser is again redirected to hxxp ://rdr.cz.cc/ go.php?6&uid=7&isRedirected=1 (and other domains)
From there, it can be sent to online surveys
(hxxp ://www.nic.cz.cc/redir2/?hxxp ://surveyfinde.com/d/local-job-listings .net), malware web sites, fake search engines and anywhere the attackers decide.
>> If your site is compromised, check your .htaccess to see if it was modified. If you are not sure, run a scan on your site here:
- http://sitecheck.sucuri.net
... we are seeing it being used in combination with timthumb.php attacks and on outdated Joomla/WordPress sites. So you have to make sure all of them are updated to avoid getting reinfected. *Also, the site is -not- blacklisted by Google (or in any major blacklist)..."
? - http://forums.whatth...=...st&p=757571
____

Bash commands to detect script injections and malware
- http://www.malwaredo...rdpress/?p=2184
November 14th, 2011 - "This was posted a while ago on stopbadware and it’s too good not to repost… The first one will find any javascript file that contains the string “eval(unescape” which is the most common way of injecting malicious code. The second is a similar method for PHP files (source*)... If you run a CMS, making this a “cron” script to run on a regular interval may not be a bad idea* .. (Note: Linux only… If anyone is running the equivalent commands on windows, please let us know)... [In addition to using a “sitecheck” service like sucuri...]"

* https://badwarebuste...ries/show/20712
"Not so long ago my site and other domains hosted on my server were injected with malware PHP scripts that caused all sorts of damage, including amending javascript files to display ads to people who visited my sites. The scripts also self-replicated, and accepted commands from an external source to run on my server. These 2 bash commands saved my life and I would like to share them with the world. The first one will find any javascript file that contains the string “eval(unescape” which is the most common way of injecting malicious code. The second is a similar method for PHP files.
find . -name "*.js" | xargs grep -l "eval(unescape"
find . -name "*.php" | xargs grep -l "eval(base64_decode"
Seek and destroy!"

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 14 November 2011 - 10:11 PM.

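Both checks this post recommends, the signature search for injected .js/.php files and a look at .htaccess for a search-engine-only redirect, as one added example. This is not code from the original post, from Sucuri or from the quoted badwarebusters source; it assumes only POSIX find/grep and builds its own constructed sample site, so it runs offline.

```shell
#!/bin/sh
# Added example; not code from the original post, from Sucuri, or from the quoted
# badwarebusters source. It packages the two signature searches quoted above into
# a scan that survives paths with spaces, and adds a check for .htaccess files that
# send search-engine visitors to an external host (the redirection the Sucuri post
# describes). All sample files are constructed here so the script runs offline.

# Print "signature<TAB>path" for every .js file containing "eval(unescape" and every
# .php file containing "eval(base64_decode". $1: directory to scan.
# "find -exec ... +" replaces the original "find | xargs" so that spaces in paths
# are safe and grep is never run with no files; -F matches the signature literally.
scan_injected_scripts() {
    find "$1" -type f -name '*.js' -exec grep -lF 'eval(unescape' {} + 2>/dev/null \
        | while IFS= read -r hit; do printf 'eval(unescape\t%s\n' "$hit"; done
    find "$1" -type f -name '*.php' -exec grep -lF 'eval(base64_decode' {} + 2>/dev/null \
        | while IFS= read -r hit; do printf 'eval(base64_decode\t%s\n' "$hit"; done
}

# Flag .htaccess files that pair a HTTP_REFERER condition naming a search engine
# with a RewriteRule whose target is an absolute http(s) URL, i.e. an off-site
# redirect that only search-engine visitors see. $1: directory to scan.
check_htaccess_redirects() {
    find "$1" -type f -name '.htaccess' \
        -exec grep -liE 'RewriteCond.*HTTP_REFERER.*(google|bing|yahoo|ask|aol)' {} + 2>/dev/null \
        | while IFS= read -r ht; do
            if grep -qiE 'RewriteRule[[:space:]].*https?://' "$ht"; then
                printf 'search-engine-redirect\t%s\n' "$ht"
            fi
        done
}

# Build a constructed sample site under $1: one clean and one "injected" file of
# each kind, plus a benign and a suspicious .htaccess. The injected strings are
# harmless placeholders that merely contain the signatures.
make_sample_site() {
    mkdir -p "$1/js" "$1/wp-content/themes/demo theme" "$1/blog"
    printf '%s\n' 'function ok() { return 1; }' > "$1/js/clean.js"
    printf '%s\n' '/* constructed sample */ eval(unescape("%61%6c"));' > "$1/js/injected.js"
    printf '%s\n' '<?php echo "hello"; ?>' > "$1/index.php"
    printf '%s\n' '<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>' \
        > "$1/wp-content/themes/demo theme/functions.php"
    printf '%s\n' 'RewriteEngine On' 'RewriteRule ^old-page$ /new-page [R=301,L]' > "$1/.htaccess"
    printf '%s\n' 'RewriteEngine On' \
        'RewriteCond %{HTTP_REFERER} .*(google|yahoo|bing).*$ [NC]' \
        'RewriteRule .* http://redirect-target.invalid/ [R,L]' > "$1/blog/.htaccess"
}

# Demo run against a throw-away copy of the constructed sample site.
demo_dir=$(mktemp -d)
make_sample_site "$demo_dir"
echo "== injected scripts =="
scan_injected_scripts "$demo_dir"
echo "== suspicious .htaccess =="
check_htaccess_redirects "$demo_dir"
rm -rf "$demo_dir"
```

Point `scan_injected_scripts` and `check_htaccess_redirects` at the document root of a real site (run as the site owner, not root) and the demo section can be dropped; a hit is a reason to inspect the file, not proof of compromise, since legitimate minifiers occasionally emit `eval(unescape` too.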


#574 AplusWebMaster


Posted 15 November 2011 - 07:04 PM

FYI...

2011-Q3 Security threat report - Trend Micro
- http://blog.trendmic...vectors-for-q3/
Nov. 15, 2011 - "... Google replaced Microsoft as the software vendor with the greatest number of reported vulnerabilities for the quarter — 82. This is due to the increasing number of vulnerabilities found in Chrome, which continues to grow in popularity. Oracle came in second place, with 63 vulnerabilities, while Microsoft fell to third place with 58 vulnerabilities. Furthermore, the United States, which normally takes the top spot in the list of spam-sending countries dropped out of the top 10 list and was replaced by India and South Korea... researchers also witnessed a significant shift in terms of cybercriminal attack targets. The attacks have changed from being massive in nature — those aimed at affecting as many users as possible, to targeted, particularly those against large enterprises and government institutions... trends seen during the third quarter are already taking place halfway into the fourth quarter, with the addition of attacks leveraging the holidays. Attackers will further hone their attacks to target specific entities and will continue leveraging mobile platforms and social media..."
(More detail available at the trendmicro URL above - the complete report [PDF] here*)
* http://us.trendmicro...eat_roundup.pdf

:ph34r: :ph34r:

Edited by AplusWebMaster, 16 November 2011 - 06:13 AM.



#575 AplusWebMaster


Posted 16 November 2011 - 06:26 AM

FYI...

Virus outbreak in Progress
- http://www.ironport.com/toc/
November 16, 2011

... times are GMT and in 24 hour format
Troj/Agent-UBA 11/15/2011 15:25
Troj/DwnLdr-JME 11/15/2011 13:59
Mal/EncPk-ABA 11/15/2011 10:52 - http://www.threatexp...p...2&find=zbot *
Troj/FakeAV-ETK 11/15/2011 10:15
W32/Gamarue-C 11/15/2011 06:52
W32/Gamarue-D 11/15/2011 01:09

* http://www.threatexp...?find=zbot&tf=2
11/16/2011 Results 1 - 20 of 38
___

- http://techblog.avir.../risk-level/en/
2011.11.16 - Malware risk - HIGH

Atlas - summary reports (Past 24 hours)
- http://atlas.arbor.net/summary/attacks
... Sources
- http://atlas.arbor.n...attacks#sources

- http://atlas.arbor.net/summary/botnets
...C&C Servers
- http://atlas.arbor.n...botnets#servers

- http://atlas.arbor.n...ummary/fastflux
...Servers
- http://atlas.arbor.n...astflux#servers
___

- http://tools.cisco.c...Outbreak.x?i=77

Fake Electronic Payment Cancellation E-mail Messages...
- http://tools.cisco.c...x?alertId=23517
Fake Order Document E-mail Messages...
- http://tools.cisco.c...x?alertId=23854
Fake UPS Shipment Error E-mail Messages...
- http://tools.cisco.c...x?alertId=19743
Fake USPS Package Delivery Notification E-mail Messages...
- http://tools.cisco.c...x?alertId=24212
Fake Missing Tax Document Notification E-mail Messages...
- http://tools.cisco.c...x?alertId=24064
Fake Royal Mail Service Delivery Failure E-mail Messages...
- http://tools.cisco.c...x?alertId=24264
Fake DHL Shipment E-mail Messages...
- http://tools.cisco.c...x?alertId=19661
Malicious UPS Delivery Notification E-mail Messages...
- http://tools.cisco.c...x?alertId=24586
Fake Facebook Profile Image E-mail Messages...
- http://tools.cisco.c...x?alertId=24574

:ph34r: <_<

Edited by AplusWebMaster, 16 November 2011 - 09:55 AM.



#576 AplusWebMaster


Posted 21 November 2011 - 09:34 AM

FYI...

(Yet another) Virus Outbreak In Progress
- http://www.ironport.com/toc/
November 21, 2011

- http://tools.cisco.c...Outbreak.x?i=77

Fake USPS Package Delivery Notification E-mail Messages...
- http://tools.cisco.c...x?alertId=24212
"... sample of the e-mail message that is associated with this threat outbreak:
Subject: USPS service. Get your parcel ID92082..."
___

5 Top malicious spam subjects
- http://community.web...m-subjects.aspx
17 Nov 2011 - "... campaigns are sent in a short period of time, and then disappear for a while. Usually, campaigns will last for about one hour or less, therefore some companies might struggle with blocking these emails. Below are the top 5 campaigns that we've seen over the last several days.
1. ORDERS:
Order N21560 (numbers vary)...
2. TICKETS:
FW: Re: UNIFORM TRAFFIC TICKET (ID: 239127922) (numbers vary and subject might appear without FW: or RE:)
Fwd: Your Flight Order N125-9487755 (numbers vary)...
3. DELIVERY COMPANIES:
USPS Invoice copy ID46298 (numbers vary)
FedEx: New Agent File Form, trackid: 1V6ZFZ7FEOHUQ (numbers vary)
DHL Express Notification for shipment 90176712199 (numbers vary)...
4. Test
... Emails with "test" in the Subject line are commonly used by criminals to spread their malicious software. Users are used to seeing legitimate emails with "test" in the Subject line when an email system is being checked, and also spammers use such techniques to validate an email address.
5. Payment/TAX systems:
FRAUD ALERT for ACH, Your Wire Transfer, Wire transfer rejected, IRS requires new EIN, IRS Tax report..."
(Screenshots and more detail available at the websense URL above.)

:ph34r: <_<

Edited by AplusWebMaster, 21 November 2011 - 05:23 PM.



#577 AplusWebMaster


Posted 23 November 2011 - 12:41 PM

FYI...

Fake FBI email threatens recipients with jail
- https://www.net-secu...ld.php?id=11995
23 November 2011 - "An e-mail purportedly coming from the FBI Anti-Terrorist and Monetary Crimes Division has been hitting inboxes and threatening recipients with jail time if they don't respond, reports Cyberwarzone*.
"We have warned you so many times and you have decided to ignore our e-mails or because you believe we have not been instructed to get you arrested and today if you fail to respond back to us with the payment then we would first send a letter to the mayor of the city where you reside and direct them to close your bank account until you have been jailed and all your properties will be confiscated by the fbi," says in the email. "We would also send a letter to the company/agency that you are working for so that they could get you fired until we are through with our investigations because a suspect is not suppose to be working for the government or any private organization."
The crooks continue with the threats, accusing the recipient of being an "internet fraudster"... there is no way that the email is legitimate..."
* http://www.cyberwarz...official-notice

:blink: :ph34r: <_<



#578 AplusWebMaster


Posted 28 November 2011 - 07:11 AM

FYI...

Java attack rolled into Exploit Kits
- https://krebsonsecur...o-exploit-kits/
November 28, 2011 - "A new exploit that takes advantage of a recently-patched critical security flaw in Java is making the rounds in the criminal underground. The exploit, which appears to work against all but the latest versions of Java, is being slowly folded into automated attack tools. The exploit attacks a vulnerability* that exists in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it’s time to update... a discussion in an exclusive cybercrime forum about an exploit that appears to have been weaponized... the hacker principally responsible for maintaining and selling BlackHole said the new Java exploit was being rolled out for free to existing "license" holders..."
* http://web.nvd.nist....d=CVE-2011-3544
CVSS v2 Base Score: 10.0 (HIGH)
"... Java SE JDK and JRE 7 and 6 Update 27 and earlier..."

Check your version here: https://www.java.com...d/installed.jsp

- https://blogs.techne...e...&GroupKeys=
28 Nov 2011 - "... the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in the Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). During the one year period starting in the third quarter of 2010 (3Q10) and ending in the second quarter of 2011 (2Q11), between one-third and one-half of all exploits observed in each quarter were Java exploits..."
Charted: * https://blogs.techne...00_5E607283.png

- http://www.darkreadi...le/id/232200604
Dec 01, 2011 - "... Metasploit... added a new module for the latest Java attack that abuses a recently patched vulnerability... then was quickly "productized" into a crimeware kit in the underground... the attack also was getting rolled into the BlackHole crimeware kit..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 03 December 2011 - 02:23 PM.



#579 AplusWebMaster


Posted 28 November 2011 - 08:56 AM

It's 'Black Monday' ...

... and of course, we have the obligatory Monday:

Virus Outbreak In Progress
- http://www.ironport.com/toc/
Nov. 28, 2011

- http://tools.cisco.c...Outbreak.x?i=77

Fake Invoice Document E-mail Msgs... updated November 23, 2011
- http://tools.cisco.c...x?alertId=24591
Fake United Parcel Service Invoice Notification E-mail Msgs... updated November 23
- http://tools.cisco.c...x?alertId=24615
Fake Electronic Payment Cancellation E-mail Msgs... updated November 23
- http://tools.cisco.c...x?alertId=23517
Fake iTunes Gift Certificate E-mail Msgs... updated November 23, 2011
- http://tools.cisco.c...x?alertId=24604
___

- http://nakedsecurity...-email-inboxes/
November 28, 2011

- https://www.examiner...goes-a-long-way
November 27, 2011

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 28 November 2011 - 09:22 AM.



#580 AplusWebMaster


Posted 28 November 2011 - 02:35 PM

FYI...

Fake -Intuit- online payroll E-mail...
- http://security.intu.../alert.php?a=31
Last updated 11/28/2011 - "Customers have reported receiving a fake Intuit Online Payroll Free Trial email... copy of the fake email:
"Dear,
Thank you for choosing the Intuit Online Payroll Free Trial.
Please refer to attached file for detailed information.
During your free trial, you'll discover just how quick and easy it is to run payroll online:
Easy to set up and use
Run payroll anywhere, anytime - 24 hours a day, 7 days a week.
Includes everything from instant paycheck calculations and free direct deposit to electronic tax filing and payments and W-2 forms
Free support by phone or online
Let's set up your account.
Setting up your Intuit Online Payroll account is easy. All you need is your User ID and password to sign in and get started. To make signing in easier in the future, be sure to bookmark this page.
If you have your current payroll information handy, you can even run your payroll today. We're here to help...":

HELP steal your "User ID and password", that is.

:ph34r: <_<




#581 AplusWebMaster


Posted 29 November 2011 - 10:20 AM

FYI...

Facebook worm in the Wild...
- http://sunbeltblog.b...rm-in-wild.html
November 29, 2011 - "... the worm is said to be "a classic" one in terms of how it infects Internet users: uses stolen credentials to log in to Facebook accounts and then spam contacts. The message is said to contain a link to a file purporting to be an image—Screenshot* of the file shows it has a .JPG extension—but it's actually a malicious screensaver. Once run, it drops a cocktail of malicious files onto the system, including ZeuS, a popular Trojan spyware capable of stealing user information from infected systems. The worm is also found to have anti-VM capabilities, making it useless to execute and test in a virtual environment, such as Oracle VM VirtualBox and VMWare. Please keep in mind that securing your information, including your social network credentials, is a must..."
* https://www.csis.dk/images/sn-worm.png

:ph34r: <_<

Edited by AplusWebMaster, 29 November 2011 - 03:12 PM.



#582 AplusWebMaster


Posted 30 November 2011 - 04:03 PM

FYI...

Cybercrime svcs ramp up - demand from fraudsters ...
- https://www.trusteer...mand-fraudsters
November 30, 2011 - "... recent Trusteer Research has indicated changes in service scope and price due to service convergence and demanding buyers... One-stop-shop - Trusteer Research came across a new group that besides offering infection services (for prices between 0.5 and 4.5 cents for each upload, depending on geography) also provides polymorphic encryption and AV checkers... For Polymorphic encryption of malware instances they charge from $25 to $50 and for prevention of malware detection by anti-virus systems (AV checking) they charge $20 for one week and $100 for one month of service... final paid price depends on percentage of infections... Some malware services like AV checking and Encryption are becoming a commodity, driving cybercriminals to consolidate services to stay competitive and introduce new offerings like the Phone Service... advise banks and their online banking users to maintain constant vigilance, apply software updates, maintain an awareness of new threats... complement desktop hygiene solutions like Anti Virus with security controls specifically designed to protect against Financial Malware... Some fraudster groups specialize in infecting hosts with malware, either by creating a botnet of hosts that could be infected at will, or by inserting exploit code to sites and routing victims to these sites to infect them using drive-by-downloads."

- http://krebsonsecuri...n-cyber-heists/
November 30, 2011 - "The FBI* is warning that computer crooks have begun launching debilitating cyber attacks against banks and their customers as part of a smoke screen to detract attention away from simultaneous high-dollar cyber heists. The bureau says the attacks coincide with corporate account takeovers perpetrated by thieves..."
* http://www.fbi.gov/d...ishing-campaign

:ph34r: <_< :ph34r:



#583 AplusWebMaster


Posted 02 December 2011 - 07:20 AM

FYI...

Cutwail SPAM campaigns lure users to Blackhole Exploit Kit
- http://labs.m86secur...le-exploit-kit/
December 1st, 2011 - "Over the past few days the Cutwail botnet has been sending out malicious spam campaigns with a variety of themes such as airline ticket orders, Automated Clearing House (ACH), Facebook notification, and scanned document. These campaigns do -not- have malware attachments, instead the payload is delivered via links to malicious code hosted on the web... The message body may look like a legitimate Facebook notification*. However, further inspection reveals the underlying link redirecting to a malicious webpage...
* http://labs.m86secur...CutwailSpam.png
Another campaign spammed out by Cutwail claims to be a flight ticket order. The spam can be easily spotted by its subject lines. It looks seemingly like a “forwarded” or “reply” email and uses the subject format shown in the image**...
** http://labs.m86secur...tOrder-copy.png
... example of the message***
*** http://labs.m86secur...erScreensho.png
... There are two things you should notice about this particular spam campaign. Firstly, the visible URL shown does not conform to the URI naming scheme of not having a top level domain, a clumsy mistake from the spammers. Other similar messages use “www.airlines.com” which is a parked domain. Secondly, “Airlines America” in the signature block is not a real airline company unless the spammers meant to imply American Airlines.
> Two other spam campaigns resurfaced this week, namely the “Automated Clearing House (ACH)” and the “scanned document”[1]...
[1] http://labs.m86secur...1/11/ACH_HP.gif
... The URL link in these campaigns points to a compromised web server that serves a small HTML file. The HTML file then contains a malicious iframe that opens up a Blackhole exploit kit landing page. This is the same exploit kit used in previous spam campaigns such as the Steve Jobs is Alive and fake LinkedIn notifications... If you are a system administrator, you may want to block the following exploit kit landing pages.
crredret[dot]ru/main.php
www[dot]btredret[dot]ru/main.php
bqredret[dot]ru/main.php
At the time of analysis, loading the exploit kit webpage downloaded SpyEye and the Bobax spambot on to our vulnerable hosts."

:ph34r: <_< :ph34r:



#584 AplusWebMaster


Posted 05 December 2011 - 08:30 AM

FYI...

SSH password brute forcing... on the rise
- https://isc.sans.edu...l?storyid=12133
Last Updated: 2011-12-04 23:26:51 UTC
"... received a report of ongoing SSH account brute forcing against root. This activity has been ongoing for about a week now from various IPs... A review of the DShield data*, shows a spike can easily be observed starting 15 Nov and has been up/down ever since...
* https://isc.sans.edu...SH_4Dec2011.png
Some Defensive Tips...
- Never allow root to log in, no matter what: always log in as a regular user and then use su/sudo as needed.
- Change port number: why go stand in the line of fire?
- Disallow password authentication (use keys)
In addition to the above, you should also consider using TCP Wrappers with the SSH service to limit access to only those addresses that need access..."
(More at the first isc URL above.)

Atlas:
- http://atlas.arbor.n.../tcp/22#attacks

- http://atlas.arbor.n.../tcp/22#sources

:ph34r: <_<

Edited by AplusWebMaster, 05 December 2011 - 09:15 AM.

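The activity and the three defensive tips from this post, as one added example that is not from the ISC diary or the original post: a threshold detector over sshd log lines that reports source addresses repeatedly failing root password logins, and an audit of sshd_config against the tips (no root login, non-default port, keys instead of passwords). The log lines and both config files are constructed samples using documentation address ranges; the compiled-in defaults assumed for absent keywords are PermitRootLogin yes (OpenSSH's default before 7.0), Port 22 and PasswordAuthentication yes.

```shell
#!/bin/sh
# Added example; not from the ISC diary or the original post. Constructed sample
# data throughout; assumed sshd defaults for absent keywords: PermitRootLogin yes
# (OpenSSH's default before 7.0), Port 22, PasswordAuthentication yes.

# Print "count<TAB>ip" for every source address with at least $2 failed root
# password attempts in log file $1. Matches both the "for root" and the
# "for invalid user root" forms; failures for other accounts are ignored.
flag_root_bruteforce() {
    grep -E 'sshd\[[0-9]+\]: Failed password for (invalid user )?root from ' "$1" \
        | sed 's/.* from \([0-9.]*\) port .*/\1/' \
        | sort | uniq -c \
        | awk -v t="$2" '$1 >= t { printf "%s\t%s\n", $1, $2 }'
}

# Effective value of keyword $2 in sshd_config $1, lower-cased. sshd uses the
# first occurrence; commented lines are ignored; $3 is the assumed default.
sshd_setting() {
    val=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{ print tolower($2) }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Print one finding per line for each tip the config $1 does not follow.
audit_sshd_config() {
    [ "$(sshd_setting "$1" PermitRootLogin yes)" = "no" ] \
        || echo "PermitRootLogin is not 'no': root is a directly guessable target"
    [ "$(sshd_setting "$1" Port 22)" != "22" ] \
        || echo "Port is 22: the service sits on the default, most-scanned port"
    [ "$(sshd_setting "$1" PasswordAuthentication yes)" = "no" ] \
        || echo "PasswordAuthentication is not 'no': password guessing remains possible"
}

# Write constructed samples into directory $1: auth.log, sshd_config.weak and
# sshd_config.hardened. Addresses come from the RFC 5737 documentation ranges.
make_samples() {
    printf '%s\n' \
        'Dec  4 22:01:11 host sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2' \
        'Dec  4 22:01:13 host sshd[2103]: Failed password for root from 203.0.113.7 port 51236 ssh2' \
        'Dec  4 22:01:15 host sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51238 ssh2' \
        'Dec  4 22:01:16 host sshd[2107]: Failed password for root from 203.0.113.7 port 51240 ssh2' \
        'Dec  4 22:01:18 host sshd[2109]: Failed password for root from 203.0.113.7 port 51242 ssh2' \
        'Dec  4 22:02:40 host sshd[2111]: Failed password for root from 198.51.100.23 port 40010 ssh2' \
        'Dec  4 22:03:02 host sshd[2113]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2' \
        > "$1/auth.log"
    printf '%s\n' '# constructed weak config' 'Port 22' 'PermitRootLogin yes' \
        'PasswordAuthentication yes' > "$1/sshd_config.weak"
    printf '%s\n' '# constructed hardened config' 'Port 2222' 'PermitRootLogin no' \
        'PasswordAuthentication no' 'PubkeyAuthentication yes' > "$1/sshd_config.hardened"
}

# Demo run over the constructed samples.
demo=$(mktemp -d)
make_samples "$demo"
echo "== sources with >= 3 failed root logins =="
flag_root_bruteforce "$demo/auth.log" 3
echo "== audit: weak =="
audit_sshd_config "$demo/sshd_config.weak"
echo "== audit: hardened =="
audit_sshd_config "$demo/sshd_config.hardened"
rm -rf "$demo"
```

On a real host, `flag_root_bruteforce /var/log/auth.log 20` (or `/var/log/secure` on Red Hat-style systems) gives the addresses worth feeding to a TCP Wrappers deny list or firewall rule, and `audit_sshd_config /etc/ssh/sshd_config` reports which of the three tips are still open; both only read files and change nothing.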


#585 AplusWebMaster


Posted 06 December 2011 - 07:07 AM

FYI...

CNET Download.Com is now bundling Nmap with malware...
- http://seclists.org/...-hackers/2011/5
5 Dec 2011 - "... C|Net's Download.Com site has started wrapping their Nmap downloads (as well as other free software like VLC) in a trojan installer which does things like installing a sketchy "StartNow" toolbar, changing the user's default search engine to Microsoft Bing, and changing their home page to Microsoft's MSN. The way it works is that C|Net's download page (screenshot attached) offers what they claim to be Nmap's Windows installer. They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap's real installer. Of course the problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn't put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs..."

- https://www.virustot...48f6-1323239699
File name: 29d0ca5df3dd63a69630a1bbdbfbcfdad6271702
Submission date: 2011-12-07 06:34:59 (UTC)
Result: 7/43 (16.3%)

- https://isc.sans.edu...l?storyid=12148
Last Updated: 2011-12-06 06:40:53 UTC

Caution: downloads can be hazardous to your PC's health...
- http://h-online.com/-1392501
8 December 2011 - "... much of the proprietary freeware and trial software on Download .com will retain its Download .com Installer packaging. Initial reactions on the net also noted that a number of popular open source programs still had an installer wrapping them and there appears to have been no apology for specifically bundling GPL, or enhanced GPL in the case of Nmap, software with closed source installers."

- http://insecure.org/...co.html#updates
Dec 9...
___

- http://www.extremete...out-motivations
August 22, 2011

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 09 December 2011 - 01:05 PM.

