SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#616 AplusWebMaster
  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 29 January 2012 - 02:33 PM

FYI...

Cybercriminals moving from TLD .ru to .su
- http://www.abuse.ch/?p=3581
Jan 29, 2012 - "... The Top Level Domain .ru is managed by the Coordination Center for TLD RU (cctld.ru). CCTLD.ru finally did their job well and addressed the reputation problem TLD.ru had by setting up new terms and conditions for domain name registration of .ru domains... .su is (... was) the Top Level Domain for the Soviet Union, which we all know doesn’t exist any more. Nevertheless, TLD .su (... operated by RIPN) is still active today which means that people can still register domain names with that TLD. As of today I’m seeing an increasing number of malicious .su domains being used by botnet herders. In fact this means that the criminals seem to be switching from .ru to .su ... If you don’t see any legit .su domains being hit/used in your company just simply -block- it."

Thanks for the link go to:
- http://www.malwaredo...rdpress/?p=2428
Jan 29, 2012

:ph34r: :ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#617 AplusWebMaster

Posted 30 January 2012 - 11:00 PM

FYI...

- http://community.web...xploit-kit.aspx
* Update 2012/02/06: After obtaining access to logs and PHP files from compromised Web servers, further analysis indicates that most of the compromised Web sites were running older versions of WordPress, but they were not all running 3.2.1. The attackers’ exact point of entry is uncertain. At first, we suspected vulnerable WordPress plugins, because a subset of analyzed sites were running vulnerable versions of the same WordPress plugins. Now that we have access to data from several compromised Web servers, the logs show us that, in some cases, the point of entry was compromised FTP credentials. In several instances, once attackers had access, they scanned WordPress directories and injected specific files (e.g., index.php and wp-blog-header.php) with malicious PHP code.
___

WordPress exploit in-the-wild for v3.2.1 sites ...
- http://community.web...xploit-kit.aspx
30 Jan 2012 - "... site was compromised because it was running an old version of WordPress (3.2.1) that is vulnerable to publicly available exploits... more interesting is the redirection chain and resulting exploit site... From our analysis the number of infections is growing steadily (100+)... The Java exploit being served is CVE-2011-3544* (Oracle Java Applet Rhino Script Engine Remote Code Execution), which most Exploit Kits adopted in December 2011 because it is cross-platform and exploits a design flaw. Normally, kits use a variety of exploits... regardless of what OS or browser we used for testing, this Exploit Kit attempted to exploit ONLY our Java Runtime Environment (JRE). It did not attempt -any- other exploit... Websense... has found 100+ compromised Web sites, all with similar infection characteristics. The compromised Web sites all share these traits:
> Running WordPress 3.2.1
> Force a drive by download via iframe to the same malicious set of domains hosting a PHP Web page in the form of: [subdomain] .osa .pl/showthread.php?t=.*
> Attempt exploitation using CVE-2011-3544
If exploitation is successful, (the Tdss rootkit will be installed) on the user's machine.
If you're running WordPress 3.2.1, we recommend that:
You upgrade to the latest stable version of WordPress**.
Check the source code of all your Web pages to see if you've been infected (see the code above). If you have been infected, be sure to upgrade WordPress while simultaneously removing the injected code so that your Web pages aren't simply being reinfected after being cleaned.
** https://wordpress.org/download/
January 3, 2012 - "The latest stable release of WordPress (Version 3.3.1) is available..."

Massive Compromise of WordPress-based sites...
- http://labs.m86secur...siv...-fine’/
Jan 30, 2012 - "... hundreds of websites, based on WordPress 3.2.1... The attacker uploaded an HTML page to the standard Uploads folder and that page redirects the user to the Phoenix Exploit Kit... logs show that users from at least -400- compromised sites were -redirected- to Phoenix exploit pages..."
___

SiteCheck scanner
- http://sucuri.net/global
___

* http://web.nvd.nist....d=CVE-2011-3544
Last revised: 01/27/2012
"... vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier..."
CVSS v2 Base Score: 10.0 (HIGH)

Latest Java versions available here:
Downloads: http://www.oracle.co...oads/index.html

JRE 6u30: http://www.oracle.co...ad-1377142.html

JRE 7u2: http://www.oracle.co...ad-1377135.html
___

- https://www.virustot...0b73e/analysis/
File name: file-3486436_jar
Detection ratio: 12/41
Analysis date: 2012-01-31

- https://www.virustot...12483/analysis/
File name: 39301c3e4ae8ed0e4faf0c3c18cf54a0
Detection ratio: 10/43
Analysis date: 2012-01-30

- https://www.virustot...sis/1327739797/
File name: oleda0.027112496150291654.exe
Detection ratio: 9/43
Analysis date: 2012-01-28

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 07 February 2012 - 07:06 AM.

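The Websense advice quoted above (check the source of every page for the injected iframe, then upgrade WordPress while removing the injected code so the pages are not simply reinfected) can be scripted. What follows is an added example, not code from Websense, WordPress or the poster. Only the redirect form `[subdomain].osa.pl/showthread.php?t=` comes from the post; the site hostname `example.com`, the sample page and the two file trees are constructed for illustration, and the pristine tree stands in for a clean download of the same WordPress release (as the M86 item notes, an extra HTML page in the uploads folder is exactly the kind of thing such a diff surfaces).

```python
"""Added example: flag injected drive-by iframes in page source, and diff a
live WordPress tree against a pristine copy of the same release."""
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Redirect form quoted in the Websense write-up.
KNOWN_BAD = re.compile(r"^[^/]+\.osa\.pl/showthread\.php\?t=", re.IGNORECASE)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Zero/one-pixel or CSS-hidden frames are the drive-by signature."""
    style = attrs.get("style", "").replace(" ", "").lower()
    dims = (attrs.get("width", "").strip(), attrs.get("height", "").strip())
    return (any(d in ("0", "1", "0px", "1px") for d in dims)
            or "display:none" in style or "visibility:hidden" in style)


def find_suspicious_iframes(html, own_host):
    """Return [{'src', 'reasons', 'severity'}] for iframes worth a look."""
    collector = IframeCollector()
    collector.feed(html)
    own_host = own_host.lower()
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "").strip()
        if not src:
            continue
        parsed = urlparse(src)          # relative srcs yield no hostname
        host = (parsed.hostname or "").lower()
        host_and_path = host + parsed.path + ("?" + parsed.query if parsed.query else "")
        reasons = []
        if host and host != own_host and not host.endswith("." + own_host):
            reasons.append("off-site")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if KNOWN_BAD.match(host_and_path):
            reasons.append("matches known redirect pattern")
        if reasons:
            high = ("matches known redirect pattern" in reasons
                    or ("off-site" in reasons and "hidden" in reasons))
            findings.append({"src": src, "reasons": reasons,
                             "severity": "high" if high else "low"})
    return findings


def load_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Map relative path -> bytes for files under root with the given extensions."""
    tree = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    tree[os.path.relpath(full, root)] = fh.read()
    return tree


def compare_with_pristine(site, pristine):
    """Both arguments are {relpath: bytes} (see load_tree). Files that differ
    from the clean release, or have no clean counterpart, are the ones to read."""
    modified = sorted(p for p in site if p in pristine and site[p] != pristine[p])
    added = sorted(p for p in site if p not in pristine)
    return {"modified": modified, "added": added}


# Constructed sample page: a normal embed, a same-site frame and an injected
# hidden frame in the quoted redirect form.
SAMPLE_HTML = """<html><body>
<iframe src="https://www.youtube.com/embed/VIDEO_ID" width="560" height="315"></iframe>
<iframe src="/local/widget.html" width="300" height="200"></iframe>
<iframe src="http://abc123.osa.pl/showthread.php?t=42" width="0" height="0" style="display:none"></iframe>
</body></html>"""

# Constructed trees: a live site with an altered index.php and an HTML page
# dropped into the uploads folder, beside a clean copy of the same release.
SAMPLE_SITE = {
    "index.php": b"<?php /* constructed injected code */ require 'wp-blog-header.php';",
    "wp-blog-header.php": b"<?php require 'wp-load.php';",
    "wp-content/uploads/promo.html": b"<html>constructed redirect page</html>",
}
SAMPLE_PRISTINE = {
    "index.php": b"<?php require 'wp-blog-header.php';",
    "wp-blog-header.php": b"<?php require 'wp-load.php';",
}

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, "example.com"):
        print(f["severity"], f["src"], f["reasons"])
    print(compare_with_pristine(SAMPLE_SITE, SAMPLE_PRISTINE))
```

On a real site, `load_tree("/var/www/html")` and `load_tree("/tmp/wordpress-clean")` feed `compare_with_pristine`; a YouTube embed scores "low" because being off-site alone is normal, while an off-site frame that is also hidden, or one matching the quoted pattern, scores "high".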


#618 AplusWebMaster

Posted 01 February 2012 - 03:10 AM

FYI...

Malware redirects bank phone calls to Attackers
- http://www.trusteer....calls-attackers
Feb 01, 2012 - "... some new Ice IX configurations that are targeting online banking customers in the UK and US. Ice IX is a modified variant of the ZeuS financial malware platform. In addition to stealing bank account data, these Ice IX configurations are capturing information on telephone accounts belonging to the victims. This allows attackers to divert calls from the bank intended for their customer to attacker controlled phone numbers. We believe the fraudsters are executing fraudulent transactions using the stolen credentials and redirecting the bank’s post-transaction verification phone calls to professional criminal caller services (discussed in a previous Trusteer blog*) that approve the transactions. In one attack captured by Trusteer researchers, at login the malware steals the victim’s user id and password, memorable information/secret question answer, date of birth and account balance. Next, the victim is asked to update their phone numbers of record (home, mobile and work) and select the name of their service provider from a drop-down list. In this particular attack, the three most popular phone service providers in the UK are presented: British Telecommunications, TalkTalk and Sky... To enable the attacker to modify the victim’s phone service settings, the victim is then asked by the malware to submit their telephone account number. This is very private data typically only known to the phone subscriber and the phone company. It is used by the phone company to verify the identity of the subscriber and authorize sensitive account modifications such as call forwarding. The fraudsters justify this request by stating this information is required as a part of verification process caused by "a malfunction of the bank’s anti-fraud system with its landline phone service provider"... 
As we discussed in a recent blog**, fraudsters are increasingly turning to these post-transaction attack methods to hide fraudulent activity from the victim and block email and phone communication from the bank. This allows attackers to circumvent security mechanisms that look for anomalies once transactions have already been executed by the user..."
* http://www.trusteer....ourself-offline

** http://www.trusteer....ention-controls
___

- http://www.darkreadi...le/id/232600093
Feb 01, 2012

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 03 February 2012 - 10:09 AM.



#619 AplusWebMaster

Posted 06 February 2012 - 03:32 PM

FYI...

Facebook malware scam ...
- http://nakedsecurity...status-updates/
Feb 3, 2012 - "... worrying number of Facebook users posting the same status messages today, claiming that the United States has attacked Iran and Saudi Arabia... If you visit the link mentioned in the status update, you are taken to a -fake- CNN news webpage which claims to contain video footage of conflict... clicking on the video thumbnail prompts the webpage to ask you to install an update to Adobe Flash... Of course, it's not a real Flash update, but malware instead. Remember, you should only ever download a Flash update from the genuine Adobe website. The malware - which Sophos is adding detection for as Troj/Rootkit-KK - drops a rootkit called Troj/Rootkit-JV onto your Windows computer. In addition, Sophos detects the behaviour of the malware as HPsus/FakeAV-J..."

- http://google.com/sa...e=facebook.com/
"... Part of this site was listed for suspicious activity 436 time(s) over the past 90 days... Of the 102194 pages we tested on the site over the past 90 days, 172 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-02-07, and the last time suspicious content was found on this site was on 2012-02-07... Malicious software includes 76 trojan(s), 60 scripting exploit(s). Successful infection resulted in an average of 7 new process(es) on the target machine. Malicious software is hosted on 147 domain(s)... 28 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site... This site was hosted on 74 network(s) including AS32934 (FACEBOOK), AS209 (QWEST), AS2914 (NTT).... Over the past 90 days, facebook.com appeared to function as an intermediary for the infection of 31 site(s)... It infected 6 domain(s)..."

- http://google.com/sa...c?site=AS:32934
"... over the past 90 days, 151 site(s)... served content that resulted in malicious software being downloaded and installed without user consent. The last time Google tested a site on this network was on 2012-02-07, and the last time suspicious content was found was on 2012-02-07... Over the past 90 days, we found 24 site(s) on this network... that appeared to function as intermediaries for the infection of 29 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 2 site(s)... that infected 6 other site(s)..."

:ph34r: <_<

Edited by AplusWebMaster, 07 February 2012 - 03:30 PM.



#620 AplusWebMaster

Posted 07 February 2012 - 03:05 PM

FYI...

Mobile malware from German svr... 1,351 sites
- http://blog.trendmic...man-ip-address/
Feb 7, 2012 - "... recently found a server that hosts a great number of sites that are used to launch mobile malware, targeting Android OS and Symbian (specifically the J2ME platform). The server, located in Germany, is managed by a hosting provider known as a haven for cyber criminals. We found a total of 1,351 websites hosted on the said server and categorize the sites into five segments based on the type of guise they use for the distributed malware:
Android Market apps
Opera Mini/ Phone Optimizer apps
Pornographic apps (sites were unavailable during time of checking)
App storage sites
Others (sites that were inaccessible during time of checking)...
... the hosted Apps were still up thus making them available for download through the Android Market App and the Opera Mini/Photo Optimizer App sites. The sites under Android Market apps displayed a website very much similar to the legitimate one. They feature popular applications like WhatsApp, Facebook, Facebook Messenger, Barcode Scanner, Skype, Google Maps, Gmail, YouTube, and others. The files downloaded from such sites are now detected as ANDROIDOS_FAKENOTIFY.A... the sites that feature download links for Opera Mini and Phone Optimizer lead to J2ME_SMSSEND.E - a malware that can run on devices that support MIDlets... Among all the categories mentioned, most of the sites promoted Opera Mini updates and Photo Optimizer Apps compared with others... the attackers are not necessarily targeting only one platform... we also saw that cybercriminals use different social engineering lures. Also, despite the emergence and prevalence of platforms such as Android and iOS, the Symbian platform still seems to be targeted as well..."

:ph34r: <_< :ph34r:



#621 AplusWebMaster

Posted 08 February 2012 - 07:47 AM

FYI...

Malware -redirects- to enormousw1illa .com
- http://google.com/sa...mousw1illa.com/
2012-02-08 - "Site is listed as suspicious... the last time suspicious content was found on this site was on 2012-02-08. Malicious software includes 8 trojan(s). This site was hosted on 2 network(s) including AS48691* (SPECIALIST), AS17937 (NDMC)... Over the past 90 days, enormousw1illa .com appeared to function as an intermediary for the infection of 177 site(s)... this site has hosted malicious software over the past 90 days. It infected 1090 domain(s)..."
* http://google.com/sa...c?site=AS:48691

- http://blog.sucuri.n...w1illa-com.html
Feb 2, 2012 - "... seeing a large number of sites compromised with a conditional redirection to the domain http ://enormousw1illa .com/ (194.28.114.102). On all the sites we analyzed, the .htaccess file was modified so that if anyone visited the site from Google, Bing, Yahoo, or any major search engine (by checking the referer), it would get -redirected- to that malicious domain (http ://enormousw1illa com/nl-in .php?nnn=556)... this malware is hosted at the same IP address as other domains that were used in .htaccess attacks in the past**, so we think it is all done by the same group..."
** http://blog.sucuri.n...fo-dot-com.html

:ph34r: <_<

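The Sucuri item above describes the mechanism precisely: the site's .htaccess is rewritten so that only visitors arriving from a search engine (checked via the Referer header) are redirected, which is why the owner loading the site directly sees nothing wrong. The check below is an added example, not Sucuri's tooling, and it looks for exactly that shape: RewriteCond lines testing %{HTTP_REFERER} for a search engine, followed by a RewriteRule whose target is an absolute URL on another host. The sample .htaccess is constructed (the WordPress block is the stock one; the redirect target is the URL quoted in the post), and `example.com` stands in for the site's own hostname.

```python
"""Added example: flag referer-gated off-site redirects in an Apache .htaccess."""
import re
import sys
from urllib.parse import urlparse

SEARCH_ENGINES = re.compile(r"google|bing|yahoo|msn|aol|ask\.com", re.IGNORECASE)


def find_referer_redirects(htaccess_text, own_host):
    """Return one finding per RewriteRule that only fires for search-engine
    referers and sends the visitor to another host."""
    own_host = own_host.lower()
    pending = []        # RewriteCond lines waiting for their RewriteRule
    findings = []
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((lineno, parts[1], parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            referer_conds = [(n, pat) for n, var, pat in pending
                             if var.upper() == "%{HTTP_REFERER}"
                             and SEARCH_ENGINES.search(pat)]
            host = (urlparse(target).hostname or "").lower()
            off_site = bool(host) and host != own_host and not host.endswith("." + own_host)
            if referer_conds and off_site:
                findings.append({"line": lineno, "target": target,
                                 "target_host": host,
                                 "referer_conditions": referer_conds})
            pending = []    # Apache binds conditions only to the next RewriteRule
    return findings


# Constructed sample: the stock WordPress block followed by an injected,
# referer-gated redirect to the domain quoted in the post.
SAMPLE_HTACCESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*
RewriteRule ^(.*)$ http://enormousw1illa.com/nl-in.php?nnn=556 [R=301,L]
"""

if __name__ == "__main__":
    # usage: python this_script.py [path/to/.htaccess] [own-hostname]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTACCESS
    site = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    for f in find_referer_redirects(text, site):
        conds = ", ".join(f"line {n}: {p}" for n, p in f["referer_conditions"])
        print(f"line {f['line']}: redirect to {f['target_host']} gated on [{conds}]")
```

The stock WordPress rules pass because their conditions test %{REQUEST_FILENAME}, not the referer, and their target is a local path. To confirm a suspected redirect from the outside without a browser, send the request with a search-engine referer, e.g. `curl -I -e "https://www.google.com/" http://yoursite.example/`, and look for a 301/302 to a host you do not own.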


#622 AplusWebMaster

Posted 08 February 2012 - 09:06 AM

FYI...

Free Microsoft Points? Game Over ...
- http://www.gfi.com/b...-game-over-man/
Feb 8, 2012 - "There’s an Xbox code generator floating around on Youtube and other sites right now, and a pretty popular one at that. How popular?... 20,000+ views so far. The program promises all sorts of Xbox freebies – 1 month of Xbox Live, 12 months if you’re feeling particularly greedy and 1600 to 4000 free Microsoft points*. Of course, everything goes without a hitch in the Youtube video: we see the program boot up, the user selects his target – 1600 MS points – and hits the “Generate Code” button. After a short while, we see a “Hooray, it worked” type message and the person in the video is presented with a code.... [and]... Another survey. Does the creator of this program expect you to fill in a survey / sign up to a ringtone service not once but twice? Absolutely. Is it worth downloading this program, filling in some of those offers and trying it out? Absolutely - not."
* https://en.wikipedia...icrosoft_Points
"... currency of the Xbox Live Marketplace, Games for Windows - Live Marketplace, Windows Live Gallery, and Zune online stores..."

:ph34r: <_<



#623 AplusWebMaster

Posted 08 February 2012 - 12:24 PM

FYI...

Cybercrime "factory outlets" – fraudsters selling bulk Facebook, Twitter and Web Site Admin credentials
- https://www.trusteer...te-admin-creden
Feb 08, 2012 - "... discovered two cybercrime rings that are advertising what we refer to as a “Factory Outlet” of login credentials for different web sites including Facebook, Twitter and a leading website administration software called cPanel. Financial malware, like Zeus, SpyEye and others, once it infects a machine, is configured to attack specific online banking web sites. In addition to online banking credentials, the malware also captures login credentials used by the victim’s machine to access other web sites and web applications. To monetize the login credentials that pile up, fraudsters have started setting up “Factory Outlets” to sell them off... cybercriminals are offering to sell login credentials to social network sites such as Facebook and Twitter belonging to users all over the world. These can be purchased in bulk, from specific countries (e.g. USA, UK, and Germany) and even coupled with additional personal information such as email addresses... the fraudsters claim that they have 80GB of stolen data from victims. In another so called “Credential Factory Outlet Sale” advertisement, a botnet operator offers to sell login and URL information that would allow a fraudster to take control of certain web sites. Specifically, the advertiser is offering cPanel credentials..."
(More detail at the trusteer URL above.)
___

Know your enemies Online (graphic)
- http://blog.trendmic...Enemies_WEB.jpg
___

How web threats spread (graphic)
- http://www.sophos.co.../...;h=594&as=1
Source: Sophos Security Threat Report

:ph34r: :ph34r: :(

Edited by AplusWebMaster, 08 February 2012 - 03:23 PM.



#624 AplusWebMaster

Posted 09 February 2012 - 08:14 AM

FYI...

Top 10 threats for January 2012
- http://www.gfi.com/p...ange-of-victims
Feb 08, 2012 - "... Report for January 2012, a collection of the 10 most prevalent threat detections encountered during the month. Last month saw malware attacks targeting a wide range of potential victims, including gamers looking for a Pro Evolution Soccer 2012 game crack, small business owners concerned about the reputation of their business, and government organizations receiving spoofed messages from the United States Computer Emergency Readiness Team (US-CERT)... malware writers installing rootkits on the systems of gamers who were looking for a pirated release of Pro Evolution Soccer 2012... scammers also latched onto the buzz surrounding the upcoming fourth installment of the Halo® video game series... by offering bogus beta invites in return for filling out surveys and recommending links on Facebook and Google+. These attacks leverage the popularity of these titles among the gaming community and are meant to take advantage of the mistakes some users might make when acting out of excitement about a favorite game franchise... phishing emails posing as notices from the Better Business Bureau, claiming that a customer had filed a complaint against the recipient. The messages contained links to malware created using the Blackhole exploit kit. Government body US-CERT served as another disguise for cybercriminals attempting to bait unwitting victims into opening a file that contained a variant of the Zeus/Zbot Trojan. Meanwhile, Tumblr users were baited with “free Southwest Airlines tickets” in exchange for taking surveys and submitting personal information by a phony “Tumblr Staff Blog.” Malware writers and internet scammers also sought to attack a wider cross-section of the population when opportunities presented themselves to creatively piggyback on hot news topics and highly trafficked websites. 
This past month, the shutdown of popular file hosting website Megaupload led to a domain typo scam targeting both the regular users of the website as well as visitors who were interested in seeing the FBI notice posted on the site. Once the victims reached the misspelled URL, they were -redirected- to various sites promising fake prizes and asking for personal information..."
(See "Top 10 Threat Detections for January" list at the gfi URL above.)

:ph34r: <_< :ph34r:



#625 AplusWebMaster

Posted 13 February 2012 - 07:32 AM

FYI...

Bad news brings SCAMS ...
- http://blog.trendmic...houstons-death/
Feb 13, 2012 - "... cybercriminals are naturally out there taking advantage of this unfortunate incident... A fake video was found spreading via the social networking site Facebook... The posts, which have the subject “I Cried watching this video. RIP Whitney Houston“, come in the form of a wall post with a link to the supposed video. Once users click on the video, it leads them to a Facebook page that contains a link to the video. However, clicking the said link only leads to several other redirections until users are led to the usual survey scam site... we also found -101- more survey scam domains registered on the same IP where the domains are hosted.... also found tweets with malicious links that also took advantage of the tag RIP Whitney Houston, which was trending worldwide on Twitter... tweets contain a link to a particular blog dedicated to Whitney Houston. Users viewing this page are then -redirected- to another web site, even without them having to click on anything. The succeeding page is a site that supposedly features several Whitney Houston wallpapers, which users can download. Once users decide to download a wallpaper, a pop-up window appears that asks users to download some “Whitney Houston ringtones”. Whatever users choose... they will be -redirected- to a survey site that asks for mobile numbers... Using newsworthy events... is a common bait of cybercriminals to lure users into their schemes... always be cautious before clicking any -news- items in their Facebook or Twitter feeds..."
(Screenshots available at the trendmicro URL above.)

:ph34r: <_<



#626 AplusWebMaster

Posted 13 February 2012 - 04:08 PM

FYI...

Greyware fog ...
- https://www.security...om/fog-greyware
Feb 13, 2012 - "... it was more than a little bit surprising when we observed downloads from Download.com behaving like spyware... Download.com had begun delivering freeware downloads in a wrapper that enticed users to click during the install in order to receive special offers and deals... When a user clicked on this option, the application took several steps that lowered the security of the user’s system, such as making changes to the security settings in the browser, changing proxy settings and also installing a service that leaked user information over HTTP POSTs. As it turns out, Download.com was under new management and had then intentionally developed this wrapper with those functions as a method to collect shopping data from their users. This led to a miniature scandal as antivirus vendors began rightly classifying the code as spyware, and Download.com then quickly reversed course. However, this is an example of a very broad problem... there are tons of applications and code out there that are not overtly malicious, yet do very spyware-like things without the user’s knowledge. Changes to security settings, browser settings, listening on backdoor ports, changing personal firewall settings. This is dangerous because it is -unlikely- that this type of behavior is going to be flagged as malicious, and yet it is materially reducing the security posture of the client machine. These things don’t compromise the host directly, but they certainly soften up the target for more malicious code or attackers... we will need the ability to quickly determine which sorts of downloads and applets are safe for users to download in just the same way we are safely enabling applications today, applications such as webmail, SharePoint and other collaborative apps. Anything that affects the security posture of the client or the network needs to be seen by IT, and IT needs the policies in place that clearly define what sorts of behavior are allowed and which are not. 
The lesson here is that until we gain a credible level of control here in the grey end of the spectrum, we are simply trusting the Internet to provide reasonably safe code that doesn’t endanger users..."

:blink: :ph34r:



#627 AplusWebMaster

Posted 20 February 2012 - 07:51 AM

FYI...

Fake AICPA e-mail - Blackholes and Rootkits ...
- http://www.gfi.com/b...s-and-rootkits/
Feb 20, 2012 - "Be wary of emails claiming to be from AICPA – as per their alert here*, these are not real and any mention of “unlawful tax return fraud” is just a -bait- to convince the end-user to open up a malicious attachment (in this case, a .doc file** although there are rogue PDF files in circulation too). As with many of the malicious spam campaigns doing the rounds at the moment, this one will use the Blackhole exploit kit to serve up zbot from multiple compromised domains. Worse, a Sakura kit (typical example here***) will download Sirefef / ZeroAccess, which as we’ve seen elsewhere**** is not a good thing to have on your system. One of the more unpleasant spam campaigns we’ve seen recently."

* http://www.aicpa.org...lent-email.aspx
Feb 17, 2012

** http://www.gfi.com/b...xploitmails.jpg

*** http://xylibox.blogs...it-pack-10.html

**** http://www.cio.com/a..._Remove_Rootkit

:ph34r: <_<



#628 AplusWebMaster

Posted 21 February 2012 - 04:47 AM

FYI...

ASERT Security Intelligence: Threat Briefings
- http://atlas.arbor.net/briefs/ - 2012.02.21
"Summary: A variety of security patches are released for Cisco NX-OS, Adobe Flash Player, and Java. Such third party software is often the vector used by attackers to compromise systems and install malware. Database systems are also compromised and recent data leaks point to the importance of protecting databases with basic security measures and encryption... The threat of a DNS attack on March 31st* may not be as deadly as it seems, and the trend of users bringing their own devices to work can pose grave risks to security."

* https://en.wikipedia...l_Blackout_2012

:ph34r:



#629 AplusWebMaster

Posted 22 February 2012 - 09:51 AM

FYI...

TL;DR: ICS ASLR = FUBAR ...
- http://h-online.com/-1440759
22 Feb 2012 - "Jon Oberheide has found the ASLR (Address Space Layout Randomisation) in Google's Android 4, Ice Cream Sandwich (ICS), somewhat wanting. In a detailed posting on the Duo Security blog*, one commenter eloquently concluded that "TL;DR: ICS ASLR = FUBAR". Specifically, he found that the lack of randomisation in executable and linker memory regions meant that it would be "largely ineffective for mitigating real-world attacks"... The Android Security Team responded to Oberheide's posting noting that they will, in 4.0.3, randomise the heap and future Android releases will randomise the linker and executable mappings."
* http://blog.duosecur...m-sandwich-4-0/

> https://en.wikipedia..._Cream_Sandwich

:ph34r:

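The weakness described above (the executable and the dynamic linker landing at the same address on every run, so an attacker always knows where that code lives) is something a defender can measure rather than take on trust: capture /proc/<pid>/maps from two separate launches of the same process (on a device, `adb shell cat /proc/<pid>/maps` after each relaunch) and compare the base address of each region. The script below is an added example, not Duo Security's or Google's code. Its two snapshots are constructed to look like the ICS 4.0 behaviour the article describes (fixed executable, linker and heap; moving stack and libraries), and the paths such as `/system/bin/app_process` and `/system/bin/linker` are assumptions used only for the sample.

```python
"""Added example: compare /proc/<pid>/maps snapshots from separate launches
and report which memory regions actually get randomised."""
import re

# One maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text):
    """Return {pathname: lowest start address} for every named mapping."""
    bases = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, name = int(m.group(1), 16), m.group(4).strip()
        if name:                       # anonymous mappings carry no name
            bases[name] = min(start, bases.get(name, start))
    return bases


def classify(name, exe_path):
    """Bucket a mapping into the regions the ASLR discussion is about."""
    if name == exe_path:
        return "executable"
    if name.endswith("/linker") or "/ld-" in name:   # Android or glibc dynamic linker
        return "linker"
    if name in ("[heap]", "[stack]"):
        return name
    if ".so" in name:
        return "library"
    return "other"


def randomization_report(snapshots, exe_path):
    """Given maps text from two or more launches, report per region whether
    its base address changed. False means the region is a fixed target."""
    parsed = [parse_maps(s) for s in snapshots]
    report = {}
    for name in parsed[0]:
        region = classify(name, exe_path)
        if region == "other":
            continue
        bases = {p.get(name) for p in parsed}
        if None in bases:
            continue                   # mapping missing in some run; skip
        moved = len(bases) > 1
        # a region counts as randomised only if every mapping in it moved
        report[region] = report.get(region, True) and moved
    return report


def fixed_targets(report):
    """Regions an attacker could rely on being at the same address."""
    return sorted(region for region, moved in report.items() if not moved)


# Constructed snapshots resembling the ICS 4.0 behaviour in the article:
# executable, linker and heap stay put; stack and libraries move.
RUN_1 = """\
00008000-0000a000 r-xp 00000000 b3:1a 1234  /system/bin/app_process
0000a000-0000b000 rw-p 00002000 b3:1a 1234  /system/bin/app_process
0000b000-00023000 rw-p 00000000 00:00 0     [heap]
40a12000-40a9c000 r-xp 00000000 b3:1a 5678  /system/lib/libc.so
40b30000-40b44000 r-xp 00000000 b3:1a 5679  /system/lib/libm.so
b0001000-b0009000 r-xp 00000000 b3:1a 9012  /system/bin/linker
be8f2000-be913000 rw-p 00000000 00:00 0     [stack]
"""
RUN_2 = """\
00008000-0000a000 r-xp 00000000 b3:1a 1234  /system/bin/app_process
0000a000-0000b000 rw-p 00002000 b3:1a 1234  /system/bin/app_process
0000b000-00023000 rw-p 00000000 00:00 0     [heap]
4087c000-40906000 r-xp 00000000 b3:1a 5678  /system/lib/libc.so
40a1e000-40a32000 r-xp 00000000 b3:1a 5679  /system/lib/libm.so
b0001000-b0009000 r-xp 00000000 b3:1a 9012  /system/bin/linker
bee41000-bee62000 rw-p 00000000 00:00 0     [stack]
"""

if __name__ == "__main__":
    report = randomization_report([RUN_1, RUN_2], "/system/bin/app_process")
    for region, moved in sorted(report.items()):
        print(f"{region:12s} {'randomised' if moved else 'FIXED'}")
    print("fixed targets:", fixed_targets(report))
```

Two launches are enough to show a region is fixed; showing that one is randomised with any confidence takes several, so feed more snapshots to `randomization_report` when the verdict matters. The same check applies to a desktop Linux binary: a PIE executable and `ld-linux` should both appear under the moving regions, and a non-PIE build shows up under `fixed_targets` just as the ICS executable does here.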


#630 AplusWebMaster

Posted 23 February 2012 - 07:44 AM

FYI...

McAfee Q4 Threats Report...
- https://blogs.mcafee...samples-in-2011
Feb 21, 2012 - "... The overall growth of PC-based malware actually declined throughout Q4 2011, and is significantly lower than Q4 2010. The -cumulative- number of unique malware samples in the collection still exceeds the 75 million mark. In total, both 2011 and the fourth quarter were by far the busiest periods for mobile malware that McAfee has seen yet, with -Android- firmly fixed as the largest target for writers of mobile malware. Contributing to the rise in malware were rootkits, or stealth malware. Though rootkits are some of the most sophisticated classifications of malware, designed to evade detection and “live” on a system for a prolonged period, they showed a slight decline in Q4. Fake AV dropped considerably from Q3, while AutoRun and password-stealing Trojan malware show modest declines. In a sharp contrast to Q2 2011, Mac OS malware has remained at very low levels the last two quarters.
Web Threats: In the third quarter McAfee Labs recorded an average of 6,500 -new- bad sites per day; this figure shot up to -9,300- sites in Q4. Approximately one in every 400 URLs were malicious on average, and at their highest levels, approximately one in every 200 URLs were -malicious-. This brings the total of active malicious URLs to more than 700,000..."

:blink:
