SPAM frauds, fakes, and other MALWARE deliveries...


2072 replies to this topic

#691 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 16 May 2012 - 11:00 AM

FYI...

If you see ads on Wikipedia, your computer is probably -infected- with malware
- https://blog.wikimed...fected-malware/
May 14, 2012 - "We -never- run ads on Wikipedia. Wikipedia is funded by more than a million donors, who give an average donation of less than 30 dollars. We run fundraising appeals, usually at the end of the year. If you’re seeing advertisements for a for-profit industry... or anything but our fundraiser, then your web browser has likely been infected with malware ...
> https://blog.wikimed...uit-700x273.jpg
One example that we have seen installs itself as a browser extension. The extension is called “I want this” and installs itself in Google Chrome. To remove it:
- Open the options menu via the “pipe-wrench” icon on the top right, and choose Settings.
- Open the Extensions panel and there is the list of extensions installed.
- Remove an Extension by clicking the Remove button next to an item.
There is likely other similar malware that injects ads into Chrome, Firefox, Internet Explorer and other popular browsers... Ads injected in this manner may be confined to some sites, even just to Wikipedia, or they may show up on -all- sites you visit. Browsing through a secure (HTTPS) connection (which you can automate using the HTTPS everywhere extension**) may cause the ads to disappear, but will -not- fix the underlying problem. Disabling browser add-ins is a good starting point to determine the source of these types of ads. This does not necessarily fix the source of the problem either, as malware may make deep changes to your operating system. If you’re comfortable attempting a malware scan and removal yourself, there are various spyware/malware removal tools. Popular and well-reviewed solutions include Ad-Aware and Malwarebytes... If in doubt, have your computer evaluated for malware by a competent and qualified computer repair center. There is one other reason you might be seeing advertisements: Your Internet provider may be injecting them into web pages. This is most likely the case with Internet cafes or “free” wireless connections. This New York Times blog post by Brian Chen gives an example*. But rest assured: you won’t be seeing legitimate advertisements on Wikipedia. We’re here to distribute the sum of human knowledge to everyone on the planet — ad-free, forever..."
* http://bits.blogs.ny...-marriott-wifi/

** https://www.eff.org/https-everywhere/
___

- https://krebsonsecur...ser-extensions/
May 21, 2012

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 21 May 2012 - 05:11 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#692 AplusWebMaster

Posted 17 May 2012 - 08:08 AM

FYI...

621 "Most Visited" sites are on Google's Black List
- https://threatpost.c...ack-list-051512
May 15, 2012 - "Legitimate Web sites that have been -hijacked- and used to serve malicious content greatly -outnumber- malicious sites on a list of the most-trafficked sites on Google's blacklist, according to analysis by security firm Zscaler*..."

* http://research.zsca...lacklisted.html
"Google Safe Browsing is the most popular security blacklist in use. It is leveraged by Firefox, Safari and Google Chrome. As such, being blacklisted by Google is a big deal - users of these three browsers are warned not to visit the sites and Google puts warnings in their search results... I've run Google Safe Browsing against the top 1 million (based on number of visits) websites according to Alexa. 621 of them are blacklisted by Google Safe Browsing. I've looked at the most popular to understand why they are considered malicious (charted at the Zscaler URL above). Most of the top-ranked websites that have been blacklisted are not malicious by nature, but they have been hijacked. Malicious JavaScript, similar to the code we found on a French government website, or a malicious IFRAME is generally the culprit. It is interesting to notice that Google decided to blacklist the infected site, rather than just blocking the external domain hosting the malicious content. I have also checked to see which country the blacklisted domain is hosted in. Here is the breakdown:
> http://1.bp.blogspot...per-country.png
... Most of the blacklisted sites are hosted in the US. Western Europe (especially Germany, France and the Netherlands) is number two, followed by China (8%)... Windows users with Internet Explorer 6 and 7 users get the old "iepeers.dll" exploit (a different version for each browser). No site is safe from hijacking. Personal websites and top-10,000 sites are all likely to be infected at some point."

:ph34r: :ph34r:


#693 AplusWebMaster

Posted 17 May 2012 - 04:53 PM

FYI...

Facebook worm spreads via Private Messages, Instant Messengers
- http://blog.trendmic...ant-messengers/
May 17, 2012 - "... recently received reports about private messages found on Facebook and distributing a link, which is a shortened URL pointing to an archive file “May09-Picture18.JPG_www .facebook .com.zip”. This archive contains a malicious file named “May09-Picture18.JPG_www .facebook .com” and uses the extension “.COM”. Another noteworthy routine is that this worm downloads and executes another worm, one detected as WORM_EBOOM.AC. Based on our analysis, WORM_EBOOM.AC is capable of monitoring an affected user’s browsing activity such as message posting, deleted posted messages and private messages sent on the following websites such as Facebook, Myspace, Twitter, WordPress, and Meebo. It is also capable of spreading through the mentioned sites by posting messages containing a link to a copy of itself. Facebook and IM applications are tools to share and connect. Cybercriminals’ use of these tools is nothing new, but there are users who fall prey to these schemes. We recommend users to be conscious with their online behavior, in particular on social media sites*..."
* http://about-threats...ocialmedia-101/

:ph34r: :ph34r:


#694 AplusWebMaster

Posted 19 May 2012 - 07:06 PM

FYI...

PHP v5.4.3 - PoC remote exploit in the wild
- https://isc.sans.edu...l?storyid=13255
Last Updated: 2012-05-19 - "There is a remote exploit in the wild for PHP 5.4.3 in Windows, which takes advantage of a vulnerability in the com_print_typeinfo function. The php engine needs to execute the malicious code, which can include any shellcode like the ones that bind a shell to a port. Since there is no patch available for this vulnerability yet, you might want to do the following:
• Block any file upload function in your php applications to avoid risks of exploit code execution.
• Use your IPS to filter known shellcodes like the ones included in metasploit.
• Keep PHP in the current available version, so you can know that you are not a possible target for any other vulnerability like CVE-2012-2336* registered at the beginning of the month.
• Use your HIPS to block any possible buffer overflow in your system."
* http://web.nvd.nist....d=CVE-2012-2336

> Last: http://www.php.net/a...#id2012-05-08-1

PHP 5.4 (5.4.3) Code Execution (Win32)
> http://www.exploit-d...exploits/18861/
___

- http://web.nvd.nist....d=CVE-2012-2376 - 10.0 (HIGH)

:ph34r: :ph34r:

Edited by AplusWebMaster, 22 May 2012 - 04:06 AM.


#695 AplusWebMaster

Posted 21 May 2012 - 11:32 AM

FYI...

Bogus Pinterest pins lead to Survey Scams
- http://blog.trendmic...o-survey-scams/
May 18, 2012 - "The continuing increase in visitors to the Pinterest site may be a primary cause why it’s becoming a hit for cybercriminals’ scams and schemes. In March, we spotted scammers using popular brands to lure users into “pinning” fake posts that led to surveys scams... new wave of survey scams found came from search using “pinterest” as keyword... Upon clicking the link, users are -redirected- to a Pinterest-like webpage offering prizes, vouchers, gift cards and others... Made to resemble like a typical Pinterest webpage, the fake site features a search field, add+, an about. However, these are mere images and are -not- clickable... After a user fills out the fields required in the scam page, users are also required to enter their mobile numbers. Users who do provide their numbers will receive a code on their mobile phones and will continue to receive unwanted messages, charges and other scams via text message... the fake site requires an email address...
> http://blog.trendmic...st_repins_4.jpg
Users entering their email addresses are brought to complete several steps to get the supposed offer. Users receive an email claiming to be from Pinterest. The email urges the user to click on the link found in the message body to confirm the subscription. Clicking on the link redirects the user to a Pinterest-like scam page. Again, all the clickable links lead to the same scam pages..."

:ph34r: :ph34r:


#696 AplusWebMaster

Posted 21 May 2012 - 05:04 PM

FYI...

ZeuS ransomware feature: win_unlock
- https://www.f-secure...s/00002367.html
May 21, 2012 - "... new variant of ZeuS 2.x. It includes a new backdoor command called: win_unlock... this slightly modified ZeuS 2.x includes a ransomware feature. When this particular variant is executed, it opens Internet Explorer with a specific page (lex.creativesandboxs .com/locker /lock.php) and prevents the user from doing anything else with the infected system. The webpage that was opened presumably showed some type of extortion message, but it's currently unavailable because the site is offline. The most straightforward way to unlock the system is to simply delete the trojan. This can be a bit tricky since the trojan prevents doing anything with the infected system, luckily the locking itself can be easily disabled first. Looking at the code that corresponds with a received win_unlock command, it's clear the unlock information is stored to the registry. Unlocking can therefore be performed quite easily with a registry editor:
1. boot the system in safe mode
2. add a new key named syscheck under HKEY_CURRENT_USER
3. create a new DWORD value under the syscheck key
4. set the name of the new DWORD value to Checked
5. set the data for the Checked value to 1
6. reboot
SHA1: 03f0c26c6ba77c05152a1e0cc8bc5657f0c83119 ..."

:ph34r: :ph34r:


#697 AplusWebMaster

Posted 22 May 2012 - 05:32 AM

FYI...

Facebook cancellation malware poses as Flash update
- http://nakedsecurity...e-flash-update/
May 21, 2012 - "Have you received an email asking you to confirm that you wish to cancel your account? Be on your guard... reader was in touch with us earlier today, after his suspicions were aroused by an email he had received - seemingly from Facebook. Malicious email claiming to come from Facebook
Hi [email address]
We are sending you this email to inform you that we have received an account cancellation request from you. Please follow the link below to confirm or cancel this request
Thanks,
The Facebook Team
To confirm or cancel this request, follow the link below:
click here
... The link doesn't point to an official Facebook page, but a third-party application running on the Facebook platform. Of course, that means that the link -does- go to a facebook .com address - something might fool those who are not cautious. The first thing you're likely to encounter if you did click on the link is a message asking you if you want to allow an unknown Java applet to run on your computer... they're pretty insistent that you allow it.. If you hit the "No thanks" button they'll just carry on pestering you to allow the Java applet to run... They know that people value their Facebook accounts highly, and many would be upset to lose access to them and the digital connections they have built up with friends and family... If you do allow the applet to run, you will see a message telling you that Adobe Flash must be updated... the code that is downloaded is not really Adobe Flash at all. Instead, the program drops additional files into your /WIN32 folder, which have the intention of allowing remote hackers to spy on your activities and take control of your computer..."

:ph34r: :ph34r:


#698 AplusWebMaster

Posted 23 May 2012 - 05:06 AM

FYI...

'LinkedIn Invitation’ SPAM serving exploits and malware
- http://blog.webroot....ts-and-malware/
May 22, 2012 - "... another round of malicious emails to millions of end and corporate users.
More details:
Once the user clicks on the link (hxxp ://hseclub .net/main.php?page=d72ac4be16dd8476), a client-side exploit, CVE-2010-1885 in particular, will attempt to drop the following MD5 on the affected host, MD5: 66dfb48ddc624064d21d371507191ff0
Upon execution the sample attempts to connect to the following hosts:
• janisjhnbdaklsjsad .ru:443 with user janisjhnbdaklsjsad .ru and password janisjhnbdaklsjsad .ru – 91.229.91.73, AS50939, SPACE-AS
• sllflfjsnd784982ncbmvbjh434554b3 .ru – 91.217.162.42, AS29568, COMTEL-AS
• kamperazonsjdnjhffaaaae38 .ru – 91.217.162.42, AS29568, COMTEL-AS
• iiioioiiiiooii2iio1oi .ru – 91.217.162.42, AS29568, COMTEL-AS
Another malware with MD5: 4b1fce0f9a8abdcb7ac515d382c55013 is known to have used one of these C&C domains in the past, janisjhnbdaklsjsad .ru in particular..."
> https://webrootblog....its_malware.png
___

- http://www.google.co...c?site=AS:50939
"... this network has hosted sites that have distributed malicious software in the past 90 days. We found 26 site(s)... that infected 42 other site(s)..."

- http://www.google.co...c?site=AS:29568
"... this network has hosted sites that have distributed malicious software in the past 90 days. We found 668 site(s)... that infected 544 other site(s)..."

:ph34r: <_<

Edited by AplusWebMaster, 23 May 2012 - 05:33 AM.


#699 AplusWebMaster

Posted 23 May 2012 - 08:54 AM

FYI...

Trojan bypasses mobile security to steal from Online Banking users ...
- https://www.trusteer...g-users-germany
May 22, 2012 - "... a complex new criminal scheme involving the Tatanga Trojan that conducts an elaborate Man in the Browser (MitB) attack to bypass SMS based transaction authorization to commit online banking fraud. The scam targets online banking customers of several German banks. When the victim logs on to the online banking application, Tatanga uses a MitB webinject that alleges the bank is performing a security check on their computer and ability to receive a Transaction Authorization Number (TAN) on their mobile device. In the background, Tatanga initiates a fraudulent money transfer to a mule account. It even checks the victim’s account balance, and will transfer funds from the account with the highest balance if there is more than one to choose from. The victim is asked to enter the SMS-delivered TAN they receive from the bank into the fake web form, as a way to complete this security process. By entering the TAN in the injected HTML page the victim is in fact approving the fraudulent transaction originated by Tatanga against their account. Even though the victim is presented with the fund transfer amount and the destination account information in the SMS message that contains the TAN, the injected HTML page claims that the process uses “experimental” data and that no money will leave their account... Once the victim enters the TAN in the fake form and hits submit, the funds are transferred to the fraudster’s account. Meanwhile, Tatanga modifies the account balance reports in the online banking application to hide the fraudulent transaction... By combining a MitB attack and social engineering, Tatanga is able to circumvent out-of-band authentication used by many banks. Then it goes one step further by hiding evidence of the fraudulent transaction from the victim using a post transaction attack mechanism. Fortunately, the text in the injected HTML page is littered with grammar and spelling mistakes and appears not to have been written by a German speaker... 
they are blending multiple attack methods in a single fraud scam... However, they still need to compromise the endpoint with malware, which can be prevented."

:ph34r: <_< :ph34r:


#700 AplusWebMaster

Posted 29 May 2012 - 05:22 AM

FYI...

Flame: Questions and Answers
- https://www.secureli...ons_and_Answers
May 28, 2012 - "... Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators. Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage..."
(More detail at the kaspersky URL above.)

> https://www.secureli...g/208193524.png

- http://www.symantec....ets-middle-east
May 28 2012 - "... Several component files have been identified. These are:
• advnetcfg.ocx
• ccalc32.sys
• mssecmgr.sys
• msglu32.ocx
• boot32drv.sys
• nteps32.ocx ..."

- https://www.f-secure...s/00002371.html
May 28, 2012
> https://www.f-secure...hives/flame.png

- http://community.web...r-skywiper.aspx
29 May 2012
___

- http://www.symantec....cture-w32flamer
30 May 2012 - "... Full understanding of W32.Flamer requires analyzing each of the approximately 60 embedded Lua scripts, reversing each of the sub-components, and then building this all back together..."
___

UN to warn member nations on risk of Flame virus
- http://atlas.arbor.n...ndex#-264998726
Severity: Elevated Severity
May 30, 2012
Analysis: ... the threat from this malware or any other malware with the same types of capabilities can be significant, depending upon the motives of those driving the attack campaigns. Nation states may be involved and using this toolkit for spying purposes, but there is no clear attribution at this stage.
Source: http://www.reuters.c...E8GT7X120120529

:ph34r: :ph34r:

Edited by AplusWebMaster, 31 May 2012 - 02:52 PM.


#701 AplusWebMaster

Posted 30 May 2012 - 05:42 PM

FYI...

CareerBuilder fake SPAM serves exploits and malware
- http://blog.webroot....ts-and-malware/
May 30, 2012 - "... Cybercriminals are currently spamvertising millions of emails impersonating the popular jobs portal CareerBuilder in an attempt to trick users into clicking on client-side exploits serving links... they’re spamvertising a binary that’s largely detected by the security community...
Spamvertised URL: hxxp ://karigar .in/car.html
Client-side exploits served: CVE-2010-0188 and CVE-2010-1885
Malicious client-side exploitation chain: hxxp ://karigar .in/car.html -> hxxp ://masterisland .net/main.php?page=975982764ed58ec3 -> hxxp ://masterisland .net/data/ap2.php -sometimes- hxxp ://strazdini.net/main.php?page=c6c26a0d2a755294 is also included in the redirection.
Upon successful exploitation drops the following MD5: 518648694d3cb7000db916d930adeaaf
Upon execution it phones back to the following URLs/domains:
zorberzorberzu .ru/mev/in/ (146.185.218.122)
prakticalcex .ru – 91.201.4.142
nalezivmordu .in
internetsexcuritee4dummies .ru
Thanks to the overall availability of malware crypting on demand services, we believe that it’s only a matter of time before the cybercriminals behind this campaign realize that they’re spamvertising an already detected executable, crypt it and spamvertise it once again this time successfully slipping it through signatures-based antivirus scanning solutions..."

:ph34r: :ph34r:

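The defanged indicators quoted in the post above (the earlier 'LinkedIn Invitation' post uses the same "hxxp ://host .tld" style) can be normalised and checked against web-proxy logs. This is an added example, not part of the original post or of the Webroot write-up; the log format, the sample log lines and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators as written (defanged) in the quoted Webroot text above.
DEFANGED_INDICATORS = """
hxxp ://karigar .in/car.html
hxxp ://masterisland .net/main.php?page=975982764ed58ec3
hxxp ://masterisland .net/data/ap2.php
hxxp ://strazdini.net/main.php?page=c6c26a0d2a755294
zorberzorberzu .ru/mev/in/
prakticalcex .ru
nalezivmordu .in
internetsexcuritee4dummies .ru
"""
# IP addresses listed next to two of the domains in the same post.
LISTED_IPS = {"146.185.218.122", "91.201.4.142"}

# Constructed sample log; assumed format: time client method target status.
SAMPLE_PROXY_LOG = """\
2012-05-30T17:40:01Z 10.1.1.23 GET http://www.example.org/jobs 200
2012-05-30T17:40:07Z 10.1.1.23 GET http://karigar.in/car.html 200
2012-05-30T17:40:08Z 10.1.1.23 GET http://MASTERISLAND.net/main.php?page=975982764ed58ec3 200
2012-05-30T17:41:15Z 10.1.1.23 GET http://zorberzorberzu.ru/mev/in/ 200
2012-05-30T17:42:00Z 10.1.1.40 GET http://karigar.in.example.org/ 200
2012-05-30T17:43:30Z 10.1.1.57 CONNECT 91.201.4.142:443 200
2012-05-30T17:44:00Z 10.1.1.57 GET http://cdn.prakticalcex.ru/x 404
""".splitlines()


def refang(indicator):
    """Undo the defanging used in the post: 'hxxp ://host .tld/path'."""
    text = re.sub(r"\s+", "", indicator)   # spaces inserted around dots and colons
    text = text.replace("[.]", ".")        # another common defanging style
    return re.sub(r"^hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def host_of(target):
    """Lowercase hostname from a URL, a 'host:port' pair or a bare host."""
    try:
        host = urlsplit(target if "://" in target else "//" + target).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def load_indicators(block):
    """Turn the defanged list into a set of hostnames."""
    return {host_of(refang(line)) for line in block.splitlines() if line.strip()}


def is_listed(host, bad_hosts):
    """Match the listed host itself or a subdomain, only on a label boundary."""
    return any(host == bad or host.endswith("." + bad) for bad in bad_hosts)


def scan_proxy_log(lines, bad_hosts, bad_ips):
    """Return (client, host) for every request to a listed host or IP."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # not in the assumed format
        _when, client, _method, target, _status = fields
        host = host_of(target)
        if host and (host in bad_ips or is_listed(host, bad_hosts)):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    hosts = load_indicators(DEFANGED_INDICATORS)
    for client, host in scan_proxy_log(SAMPLE_PROXY_LOG, hosts, LISTED_IPS):
        print(f"{client} contacted listed host {host}")
```

The label-boundary match is what keeps `karigar.in.example.org` out of the results while still catching a subdomain of a listed domain.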


#702 AplusWebMaster

Posted 31 May 2012 - 03:52 AM

FYI...

Pharma SPAM on Dropbox
- http://www.gfi.com/b...rks-on-dropbox/
May 31, 2012 - "Pharma Spam pages sometimes pop up on Dropbox accounts (along with more dubious content*, if you’re really unlucky), and it seems we have another one lining up to sell you some pills.
> http://www.gfi.com/b...xpillspam11.jpg
Clicking through will take the end-user to a typically generic pills website:
> http://www.gfi.com/b...oxpillspam2.jpg
... the best advice would be “don’t bother” (especially if it involves random spam in your mailbox)..."
* http://www.gfi.com/b...sh-this-cheque/

:ph34r: <_<


#703 AplusWebMaster

Posted 02 June 2012 - 05:28 AM

FYI...

Small 20K trojan does damage
- http://h-online.com/-1588948
1 June 2012 - "Security experts at CSIS* say that they have discovered the smallest online banking trojan yet. Called Tiny Banker (Tinba), the malware is just barely 20KB in size, including its configuration files. Like Zeus, Tinba uses man-in-the-browser techniques and easily extendable configuration files to manipulate bank web sites via webinjects. Webinjects can be used, for example, to create additional fields for numerical single-use passwords that the attackers can then leverage to authorise fraudulent payments. Tinba can also uncover standard passwords and monitor network traffic. Tinba is a bot in the classical sense; it uses an encoded connection to deliver data it has collected to a command and control server, which in turn gives the bot new orders. According to CSIS, Tinba has only been used on a very small number of banking web sites so far, but its modular structure means that the perpetrators should not have any problems adding other sites to that list."
* https://www.csis.dk/en/csis/news/3566/

:ph34r: :ph34r:


#704 AplusWebMaster

Posted 05 June 2012 - 06:14 AM

FYI...

Fake Facebook SPAM e-mails...
- http://blog.commtouc...t-wikipharmacy/
June 4, 2012 - "Using phony Facebook emails to draw recipients to pharmacy websites is not a new trick... this is no ordinary Viagra shop – it’s the WikiPharmacy! The phony Facebook emails and the pharmacy destination are shown below...
> http://blog.commtouc...macy-images.jpg
... the links in the emails above lead to compromised websites. These unknowingly host -redirects- to the WikiPharmacy...
Email text:
'You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 3 ago. This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.
If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team
...' "
___

Facebook privacy notice chain letter - hoax
- http://nakedsecurity...tter-is-a-hoax/
June 5, 2012 - "... messages are simply another chain letter type hoax pinned upon wishful thinking. If you are uncomfortable with Facebook monetizing your content or making your content available to the US government you either need to avoid posting the content to Facebook, or more carefully control your privacy settings and hope the authorities don't seek a court order for your information. If you receive one of these messages from a friend, kindly notify them that it is not legally valid. You might also suggest they check with Snopes* or the Naked Security Facebook page** before propagating myths."
* http://www.snopes.co...ook/privacy.asp

** http://www.facebook.com/SophosSecurity

:ph34r: <_<

Edited by AplusWebMaster, 05 June 2012 - 08:18 AM.


#705 AplusWebMaster

Posted 07 June 2012 - 09:58 AM

FYI...

284,000 WordPress sites hacked? Probably not.
- http://blog.commtouc...d-probably-not/
June 6, 2012 - "This Amazon order confirmation email is a fake:
> http://blog.commtouc...phony-email.jpg
Every link leads to malware. Every link leads to a different compromised WordPress site. And they all seem to be using one of the most common WordPress theme directory – check out the links:
http ://maximconsulting .us/wp-content/themes/twentyten/—e.html
http ://hampsteadelectrician .com/wp-content/themes/twentyten/—e.html
http ://mormonwomenvoices .com/wp-content/themes/twentyten/—e.html
http ://steppingstones-online .co.uk/wp-content/themes/twentyten/—e.html ... etc.
Notice a trend? – The evil redirect html file (—e.html) is located in the “twentyten” theme directory of all of these sites – and all of the sites we checked in every other version of the phony Amazon order. A Google search tells us that there are 284,000 sites with a similar structure:
> http://blog.commtouc...ress-themes.jpg
... this does not indicate an issue with the theme itself. Chances are that the exploit that has allowed hackers to take over these sites is in a plugin or maybe (less likely) the CMS itself. Using the “twentyten” directory is a safe bet for a hacking script since almost every WordPress installation will have it. The malware targets known Adobe Reader and Acrobat exploits."

:ph34r: :ph34r: <_<

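For site owners, the pattern described in the post above (a static redirect page dropped into a theme directory such as "twentyten") suggests a simple file-system check. The following is an added example, not part of the original post or of the Commtouch article; the function names, the file name `dropped-e.html` and the host `redirect.example.invalid` are constructed, and the check assumes theme directories normally contain no static HTML files.

```python
import os
import re
import tempfile

# Assumption of this sketch: theme directories hold PHP templates, CSS, images
# and language files, so a static .html/.htm file there deserves a look.
SUSPECT_EXTENSIONS = (".html", ".htm")

# Constructs commonly used to bounce a visitor to another URL.
REDIRECT_PATTERNS = {
    "meta-refresh": re.compile(rb"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I),
    "js-location": re.compile(
        rb"\blocation(?:\.href)?\s*=|\blocation\.(?:replace|assign)\s*\(", re.I),
    "iframe": re.compile(rb"<iframe[^>]+src\s*=", re.I),
}


def scan_theme_dirs(wp_root, max_bytes=65536):
    """Return [(relative_path, [pattern names])] for static HTML under themes/."""
    themes = os.path.join(wp_root, "wp-content", "themes")
    findings = []
    for dirpath, _dirs, files in os.walk(themes):
        for name in files:
            if not name.lower().endswith(SUSPECT_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as handle:
                head = handle.read(max_bytes)
            hits = sorted(k for k, rx in REDIRECT_PATTERNS.items() if rx.search(head))
            rel = os.path.relpath(path, wp_root).replace(os.sep, "/")
            findings.append((rel, hits))
    return sorted(findings)


def build_sample_site(root):
    """Create a constructed WordPress-like tree for the demo (not real data)."""
    theme = os.path.join(root, "wp-content", "themes", "twentyten")
    os.makedirs(theme)
    samples = {
        "index.php": b"<?php get_header(); ?>",
        "style.css": b"/* Theme Name: Twenty Ten */",
        # Constructed stand-in for the dropped redirect page described above.
        "dropped-e.html": (b"<html><head><meta http-equiv=\"refresh\" "
                           b"content=\"0; url=http://redirect.example.invalid/\">"
                           b"</head><body><script>window.location.href="
                           b"'http://redirect.example.invalid/';</script>"
                           b"</body></html>"),
        # Static page with no redirect: still reported, but with no pattern hits.
        "notes.htm": b"<html><body><p>designer notes</p></body></html>",
    }
    for name, body in samples.items():
        with open(os.path.join(theme, name), "wb") as handle:
            handle.write(body)
    return root


def demo():
    """Scan the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        return scan_theme_dirs(build_sample_site(root))


if __name__ == "__main__":
    for rel, hits in demo():
        print(rel, hits or "no redirect construct found")
```

A file reported with an empty hit list is still worth reviewing, since the scan only recognises three redirect constructs.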
