2007-Q4-Alerts
AplusWebMaster
2006-03-28, 19:59
FYI...
- http://antiphishing.org/crimeware.html
"The Phishing and Crimeware map displays the most recent data collected by Websense Security Labs (WS Labs) and provides a historical look into where Phishing and Crimeware related websites are hosted on the Internet. Upon discovery, each site is looked up via its IP Address to track the country of origin through the appropriate IP registrars and plotted on the map. The data is updated approximately 15 minutes after discovery."
AplusWebMaster
2007-11-03, 14:20
FYI...
Apple Releases Fix For iMacs That Freeze Up
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202801705
Nov. 2, 2007 - "Apple has released software updates to fix the problem of the latest iMacs freezing up during normal use. The updates, released Thursday, are recommended for 20-inch and 24-inch models with 2.0 GHz and 2.4 GHz Intel Core 2 Duo processors and with the 2.8 GHz Core 2 Extreme processor. The names of the updates, which are on Apple's Web site, are Software Update 1.3* for Leopard, the latest version of Mac OS X; and Software Update 1.2** for Leopard's predecessor Tiger. Apple acknowledged in early October that it had received complaints about iMacs freezing up suddenly and becoming unusable. Users had to reset the machines to bring them back to life. The iMacs affected by the problem were introduced in August, along with new versions of Apple's iLife and iWork software suites... Apple is advising customers to update their machines either through the company's automatic update mechanism or a download from the Web site... Last month, the company posted a fix on its Web site for a serious flaw that caused its Mac computers to seize up when users attempted to upgrade to Leopard***, officially known as OS X 10.5. Leopard was released Oct. 26..."
* http://www.apple.com/support/downloads/imacsoftwareupdate13leopard.html
** http://www.apple.com/support/downloads/macbookprosoftwareupdate12.html
*** http://docs.info.apple.com/article.html?artnum=306857
AplusWebMaster
2007-11-07, 00:22
FYI...
- http://isc.sans.org/diary.html?storyid=3621
Last Updated: 2007-11-06 20:37:50 UTC - "Zack wrote to us yesterday to inform us of a mass defacement involving one of his web sites. After a brief look, we were able to confirm that the following script tag (obfuscated) had been injected in over 40,000 pages across the internet:
script src="hXXp://yl 18.net/0.js"
This script generates a page containing several hidden iframe components. These link to other pages that contain browser specific exploit code, such as the common ADODB exploit. This code downloads, without prompting, a small number of executable droppers, and executes them on vulnerable systems. Upon review, most of the binaries downloaded appeared to be password stealers for online games, but not all have been reviewed yet. Anti virus coverage differed greatly between several binaries...
This type of widespread attack can incur a serious toll and requires follow up. At the ISC, we not only try to assess how to have a piece of malicious code taken down, but also what the attacker's next steps will be. We generally take at least the following steps to contain the incident:
* Inform the ISP hosting the malicious code. In this case, this was CHINANET, who have a massive deployed base and are not always able to respond promptly;
* If we receive no response or suspect a language issue, we inform the local incident response team (CSIRT/CERT) and ask them for assistance;
* We gather samples of the affected malicious code and distribute it to anti virus vendors to have them build coverage;
* If it’s an important issue, we report it here on the diary so organizations can implement controls to protect themselves against infection.
We also assess what the attacker spent most time working on. In this case, compromising a single server in China and hosting a malicious script is low effort and can easily be repeated. Attacking thousands of sites and adding a link to them is his actual investment. As such, once the server is taken offline, the attacker will promptly move hosting for the yl18.net domain to another server. If the domain is likely fully malicious, we try to pre-empt this and inform the registrar that the domain is used for illegal activities and should be disabled.
This is a problem – most registrars do not really care what a domain is used for. Generally malicious domains are however paid for with fake credit cards, and if this can be identified, they have the legal ability to disable the domain. These efforts take lots of time, and at this point in time, the server hosting yl18.net is still online and serving malicious code. Various .com web sites have been defaced with the script tag, most likely through SQL injection or cross site scripting, and are infecting their users. If you have the ability to do so, we suggest blocking traffic to yl18.net at your gateway."
AplusWebMaster
2007-11-08, 00:45
FYI...
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=817
November 07, 2007 - "Websense® Security Labs™'s ThreatSeeker™ technology has discovered that MSNBC's Turkish site has been compromised. At the time of this writing, the site was infected with malicious code designed to infect the site's visitors through the use of an external JavaScript file. The file contained the malicious JavaScript code that was hosted in China. Visitors to the Web site were infected with an exploit code tailored to their browser. Assuming that the visitors were vulnerable, password stealing code was installed and executed on their desktops, without requiring any user intervention. The widespread nature of this malicious code has been confirmed by the SANS Internet Storm Center in their most recent incident handler's diary: http://isc.sans.org/diary.html?storyid=3621
This is a Microsoft site, hosted by a partner. We are actively working with Microsoft's security personnel to fix the issue..."
(Screenshot available at the Websense URL above.)
AplusWebMaster
2007-11-08, 17:15
FYI...
Hidden IFRAMEs Launch Malware En Masse
- http://blog.trendmicro.com/hidden-iframes-launch-malware-en-masse/
November 8, 2007 - "SANS reports that last November 6, hundreds of Web sites across the Internet were believed to have been compromised by a yet unknown hacker. Details about how and why the attack was perpetrated remain murky. What we know so far is that a certain script which loads http://{BLOCKED}8.net/0.js has been injected into the said sites, the said script leads to a page riddled with invisible IFRAMEs, and these IFRAMEs link to certain pages to automatically download several files... A rundown of the forty-plus files gives us Trojans, spyware, backdoors, and a worm belonging to families such as, but not limited to, ONLINEG, WOW, QQPASS, and QQGAME, which are known information stealers targeting gamers and QQ users. File sizes ranged from 177KB to 2KB, with the largest being backdoor programs. Backdoors open an infected machine's ports, allowing remote malicious users control over the system. Users who visit any of the compromised sites run the risk of getting infected, so gateway admins had better block traffic coming from yl18.net..."
AplusWebMaster
2007-11-10, 18:41
FYI...
- http://news.yahoo.com/s/cmp/20071110/tc_cmp/202804433
November 9, 2007 - "Visitors to IndiaTimes .com, a major English-language Indian news site, risk infecting their computers with a deluge of malware, according to Mary Landesman, senior security researcher at ScanSafe. "It's an entire cocktail of downloader Trojans and dropper Trojans," Landesman said Friday, putting the number of malicious files involved at 434. This includes scripts, binaries, cookies, and images. Landesman characterized the size of the malicious payload as unusually large. She also noted that the attack involved a large number of Web sites. Analyzing just two of the binaries, she said that ScanSafe had identified at least 18 different IP addresses involved in the attack. "Only certain pages of the IndiaTimes .com are infected," ScanSafe said in its Nov. 9 Threat Alert*. "The impacted pages contain a script which points to a remote site containing iframes pointing to two additional sites. One of the sites included cookie scripts and an iframe pointing to a non-active site. The other iframe pointed to an encrypted script which exploits multiple vulnerabilities in an attempt to download malicious software onto susceptible systems of users visiting indiatimes .com..."
* http://blog.scansafe.com/journal/2007/11/9/indiatimes-hack-leads-to-cocktail-of-compromise.html
"...Unfortunately, the person we spoke with indicated that it was a holiday in India and they would be unlikely to fix the problem until Monday..."
AplusWebMaster
2007-11-12, 13:45
FYI...
- http://secunia.com/advisories/27648/
Release Date: 2007-11-12
Critical: Moderately critical
Impact: Unknown, Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: PHP 5.2.x
...vulnerabilities and weaknesses have been reported in PHP, where some have unknown impacts and others can be exploited to bypass certain security restrictions.
Solution: Update to version 5.2.5.
http://www.php.net/downloads.php ...
Original Advisory:
http://www.php.net/releases/5_2_5.php
AplusWebMaster
2007-11-12, 18:08
FYI...
- http://isc.sans.org/diary.html?storyid=3625
Last Updated: 2007-11-11 01:57:16 UTC ...(Version: 2)
"Update:
...We're now at 66K links in Google for the yl18.net/o.js scripts, will it get to the 200K plus numbers we saw with the Super Bowl? worldofwarcraftn .com has now been confirmed as containing malicious content, and you can add rnmb .net to the list which also belongs to the same group. From the whois records it looks like the domain is refreshed daily, which tends to indicate that they are not paying for it, but are using a registrar where you can start using the domain immediately, but pay later. In this case the pay later part is probably not happening. If I were the registrar I might get miffed with people registering the same domain on a daily basis and never pay, but then that's me. If you like IP numbers then today the IPs to block for your web users are 125.65.77.25 & 61.188.39.218 "
( http://forums.spybot.info/showpost.php?p=133586&postcount=28 )
----------------------------------------------------------------------------
- http://www.websense.com/securitylabs/blog/blog.php?BlogID=160
Nov 12 2007 - "Websense® Security Labs™'s ThreatSeeker™ technology has identified more than 350 sites to date containing malicious code designed to infect the site's visitors through the use of an external JavaScript file. This is a follow-up on our previous alert of a mass infection involving MSNBC's Turkish site. Notable sites discovered include the Swedish parliament’s web site and an Australian financial services web site (FICS). At time of writing, the sites in the screenshots below are still infected and we do not recommend visiting them without adequate protection. Vulnerable visitors will have password stealing code installed and executed on their desktops without their consent."
(Screenshots of a selected few sites available at the URL above.)
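The ISC diary, the Trend Micro post and the ISC update above all describe the same artifacts on a defaced page: an external script tag pointing at yl18.net (later rnmb.net and worldofwarcraftn.com, and the IPs 125.65.77.25 and 61.188.39.218), often obfuscated, which loads a page of hidden IFRAMEs. The following is an added example, not code from ISC, Trend Micro or Websense, that scans saved HTML for those artifacts: a script src on a known-bad host, an iframe that is hidden or zero-sized, and a script tag rebuilt from %XX-escaped text via unescape(). The indicator set is taken from the posts; the three sample pages are constructed for illustration and were not captured from any site named above.

```python
"""
Added example: find injected <script src> tags and hidden <iframe>s in HTML.
Indicators come from the ISC diary posts quoted above; sample pages below are
constructed, not captured from any compromised site.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Hosts/IPs named in the ISC diary and its update (gateway blocklist candidates).
BAD_HOSTS = {"yl18.net", "rnmb.net", "worldofwarcraftn.com",
             "125.65.77.25", "61.188.39.218"}

SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def host_of(url):
    """Lower-cased hostname of an absolute or scheme-relative URL, '' if none."""
    return (urlparse(url).hostname or "").lower()


class InjectFinder(HTMLParser):
    """Collects (element, src, reason) triples for suspicious script/iframe tags."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            if host_of(a.get("src", "")) in BAD_HOSTS:
                self.findings.append(("script", a["src"], "known-bad host"))
        elif tag == "iframe":
            reasons = []
            style = a.get("style", "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden style")
            for dim in ("width", "height"):
                v = a.get(dim, "").strip().lower().rstrip("px")
                if v.isdigit() and int(v) <= 1:      # 0x0 or 1x1 frames
                    reasons.append(f"{dim}={v}")
            if host_of(a.get("src", "")) in BAD_HOSTS:
                reasons.append("known-bad host")
            if reasons:
                self.findings.append(("iframe", a.get("src", ""), ", ".join(reasons)))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script that rebuilds a tag from %XX-escaped text: decode, re-check.
        if self._in_script and ("unescape(" in data or "%3c" in data.lower()):
            for m in SRC_RE.finditer(unquote(data)):
                if host_of(m.group(1)) in BAD_HOSTS:
                    self.findings.append(("script(obfuscated)", m.group(1),
                                          "known-bad host after unescape"))


def scan_html(text):
    """Return the list of findings for one page's HTML."""
    p = InjectFinder()
    p.feed(text)
    p.close()
    return p.findings


# Constructed sample pages (not captured from any of the sites named above).
CLEAN_PAGE = '<html><body><p>news</p><script src="/js/site.js"></script></body></html>'
INJECTED_PAGE = ('<html><body><p>news</p>'
                 '<script src="http://yl18.net/0.js"></script>'
                 '<iframe src="http://61.188.39.218/x.htm" width="0" height="0" '
                 'style="display:none"></iframe></body></html>')
OBFUSCATED_PAGE = ('<html><body><script>document.write(unescape('
                   "'%3Cscript src=%22http://rnmb.net/0.js%22%3E%3C/script%3E'))"
                   '</script></body></html>')

if __name__ == "__main__":
    for label, page in [("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE),
                        ("obfuscated", OBFUSCATED_PAGE)]:
        print(label, scan_html(page))
```

Run it over a crawl of your own web root (one file per call to scan_html) rather than over live pages; the zero-size and display:none heuristics will also flag legitimate tracking frames, so treat those as review items and the known-bad host matches as the actionable ones.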
AplusWebMaster
2007-11-20, 00:22
FYI...
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=822
November 19, 2007 - "Websense® Security Labs™ has discovered a new -email- attack variant similar to attacks previously launched on the IRS and Better Business Bureau. The spoofed email claims to be from the United States Department of Justice (USDOJ)... The message claims that a complaint to the USDOJ has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email. The attached "complaint" is a Trojan Downloader .scr file with an MD5 of aeb784bc17c4c7e6edc5f1faaa9ed24f. None of the major anti-virus vendors detected the malicious code..."
(Screenshot available at the URL above.)
--------------------------------------------
More...
- http://blog.washingtonpost.com/securityfix/2007/11/a_fresh_round_of_targeted_emai.html
November 19, 2007; 10:30 PM ET - "Another series of sophisticated e-mail attacks were launched over the past 24 hours, addressing recipients by name and warning of complaints filed against them and/or their company with the Justice Department -and- the Better Business Bureau. E-mail security firm MessageLabs said it spotted the spike in targeted e-mail attacks designed to look as though they were sent from the Better Business Bureau. The messages address recipients by name and list corresponding employer information both in the body of the e-mail and the subject line. The missives reference an attached "complaint," which is actually a screensaver file that harbors password-stealing software..."
AplusWebMaster
2007-11-20, 14:15
FYI...
- http://preview.tinyurl.com/39mtqc
November 20, 2007 (Computerworld) - "Monster.com took a portion of its Web site offline Monday as researchers reported that it had been compromised by an IFRAME attack and was being used to infect visitors with a multi-exploit attack kit. According to Internet records, the Russian Business Network (RBN) hacker network may be involved. Parts of the Monster Company Boulevard, which lets job hunters search for positions by company, were unavailable Monday; by evening, the entire section was dark. Most major American companies are represented on the site -- Google Inc.'s cache of the page that shows only those firms which begin with the letter "B", for example, included Banana Republic, Bank of America, Black & Decker, Boeing, Broadcom and Budget Car Rental. Job seekers who used Monster's by-company directory on Monday before the site was yanked were pounced on by Neosploit, an attack toolkit similar to the better-known Mpack, said Roger Thompson*, chief technology officer at Exploit Prevention Labs Inc... The injection of the malicious IFRAME code into the Monster.com site probably happened Monday, he added... "It is not clear how many pages were affected, but it is likely that the attack was the same for all companies on the site, which might turn out to be a pretty good set of the Fortune 500"... Monster.com last made security news in August, when the company admitted hackers had looted its database for weeks, perhaps months, then used that information to craft and send targeted e-mails that pitched money laundering jobs or tried to trick recipients into downloading malware. Monster.com was not available for comment Monday night."
* http://explabs.blogspot.com/2007/11/big-hack-today.html
AplusWebMaster
2007-11-21, 00:25
FYI...
Malicious Code: Tabasco state/Banamex email lure banker trojan
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=824
November 20, 2007 - "Websense® Security Labs™ has discovered -emails- that claim to solicit humanitarian support for flood victims in the state of Tabasco, Mexico. If users click an embedded link, they are prompted to download a banker Trojan horse, disguised as an HTML file. The file is displayed with the blue Internet Explorer icon. When a user opens the file, the Trojan horse modifies the hosts file to replace the legitimate Banamex with the IP address of a host controlled by the attacker. If users attempt to go to the Banamex site, they receive no visual indicators that they are not at a legitimate site. The phishing toolbars that were tested did not detect this fake site as a fraud. Neither the downloaded banker Trojan horse nor the subsequent executable that it drops (win32.exe) are detected as malicious by the 32 anti-virus products tested..."
(Screenshots available at the URL above.)
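The Banamex Trojan described above does not need to spoof a certificate or a URL: it rewrites the hosts file so the real bank name resolves to the attacker's server, which is why neither the address bar nor the phishing toolbars showed anything wrong. The following is an added example, not part of the Websense alert, of the check a host-based control or forensic script can run: parse the hosts file and report any entry that pins a watchlisted banking domain (or a subdomain of one) to an address other than loopback or 0.0.0.0. The watchlist is an assumption, the sample file is constructed, and 198.51.100.7 is a documentation address standing in for the attacker's host.

```python
"""
Added example: detect hosts-file redirection of banking domains, the tampering
the Banamex lure performs.  Watchlist and sample file are constructed.
"""
import ipaddress
import sys

# Apex domains that should never appear in a client's hosts file (assumption).
WATCHLIST = {"banamex.com", "paypal.com", "ebay.com"}

WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
POSIX_HOSTS = "/etc/hosts"


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments, blanks and junk lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # first field is not an address: ignore
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")


def on_watchlist(name, watchlist=WATCHLIST):
    """True for a watchlisted apex domain or any subdomain of one."""
    return name in watchlist or any(name.endswith("." + apex) for apex in watchlist)


def suspicious_entries(text, watchlist=WATCHLIST):
    """Return [(hostname, ip)] for watchlisted names mapped to a routable address."""
    hits = []
    for ip, name in parse_hosts(text):
        # 127.x / ::1 / 0.0.0.0 entries are blocking entries, not redirections.
        if ip.is_loopback or ip.is_unspecified:
            continue
        if on_watchlist(name, watchlist):
            hits.append((name, str(ip)))
    return hits


# Constructed sample of a tampered hosts file.
SAMPLE_HOSTS = """\
# localhost entries
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.example.net                 # ad-blocking entry: harmless
198.51.100.7  www.banamex.com banamex.com   # injected by the dropper (assumed address)
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for name, ip in suspicious_entries(text):
        print(f"REDIRECTED: {name} -> {ip}")
```

Pass the real path (WINDOWS_HOSTS on the affected platform) as the first argument to check a live machine. The check is deliberately narrow: a hosts file with no entries for the watchlist is the normal state, so any routable mapping for those names is worth escalating, while a redirection done through a rogue DNS setting or a browser proxy would not show up here and needs a separate check.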
AplusWebMaster
2007-11-26, 16:01
FYI...
- http://preview.tinyurl.com/39qspa
November 26, 2007 (Computerworld) - "...Safe-shopping tips. Here are a dozen to get you started:
* Shop with online merchants you know and trust.
* Order from secure Web sites, which can be identified by a locked padlock or unbroken key icon in your Web browser (unsecured sites may show an unlocked padlock or a broken key).
* Keep printouts of everything, including copies of your order; Web pages describing what you ordered; Web pages that tell the seller’s name, address and telephone number; and any e-mail confirmations you get. And make sure you add the date if it doesn’t automatically appear on the printouts.
* Use credit cards for online purchases, which will limit your loss to $50 if your credit is used without authorization. But it has to be a real credit card, not a debit or check card. You may want to use just one credit card for all online payments, to make it easier to detect wrongful charges.
* Don’t give out your Social Security number.
* Don’t give out unnecessary information.
* Don’t send your credit card number by e-mail.
* Don’t give out your passwords for e-commerce Web sites to anyone.
* Don’t give out your bank information; no one needs it for an online order.
* Double-check every Web site address.
* Don’t click on links within e-mails. Type in the Web site’s address yourself -- very carefully.
* Remember, if the deal seems too good to be true, it probably is.
You can also direct users to online sources of additional information, including the Better Business Bureau Web site ( www.bbbonline.org/OnlineShopTips ), the Privacy Rights Clearinghouse ( www.privacyrights.org/fs/fs23-shopping.htm ) and the Federal Trade Commission Web site ( www.ftc.gov/onlineshopping )..."
AplusWebMaster
2007-12-04, 19:28
FYI...
The 2008 Internet Security Trends Report from IronPort Systems estimates that 98 per cent of all email traffic is now spam.
- http://www.ironport.com/securitytrends/
Dec 04, 2007 - "Spam volume increased 100 percent, to more than 120 billion spam messages daily worldwide. That's about 20 spam messages per day for every man, woman and child on the planet.
TRENDS OVERVIEW
The overall trends in spam and malware can be characterized by a larger number of more targeted, stealthy and sophisticated attacks. Specific observations include:
> Spam has become more dangerous.
...In 2007, more than 83 percent of spam contained a URL to a rogue Web server that was frequently serving malware. In accordance with a trend towards the blending of different malware techniques, URL-based viruses increased 256 percent.
> The "Self Defending Bot Network" was introduced...
> Viruses no longer make headlines..."
(Full report and links available at the URL above.)
------------------------------------------------
F-Secure - Malware Grew by 100% during 2007
As much malware produced in 2007 as in the previous 20 years altogether
- http://www.f-secure.com/f-secure/pressroom/news/fs_news_20071204_1_eng.html
Dec 4, 2007 - "In its 2007 data security summary, F-Secure reports a steep increase in the amount of new malware detected during 2007. In fact the number of cumulative malware detections doubled during the year, reaching half a million. This indicates that network criminals are producing new malware variants in bulk... The full 2007 Data Security Wrap-Up is available at http://www.f-secure.com/2007/2/ ... F-Secure predicts the increase in malware volume will continue in 2008. The criminals are successfully creating a network-based underground ecosystem, trading both malware development tools, skills, capabilities and resources ever more effectively. At the same time the reach of law enforcement agencies remains limited in the global network domain..."
AplusWebMaster
2007-12-05, 14:24
FYI...
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=204700531
Dec. 4, 2007 - "...Message Labs said following Thanksgiving that it was seeing holiday-themed spam coming across its infrastructure at a rate of about 300,000 an hour. Symantec security researcher Jitender Sarda documented* one such attack on Tuesday that uses e-cards. "These e-cards are purportedly sent from a legitimate source and try to lure the victim to click on the link to view the e-cards, which have underlying tricks to try and infect the computer," said Sarda in a blog post. "With the Xmas bells starting to ring, here is the first incidence where Xmas e-cards have started doing the rounds." While these e-cards may appear to come from a familiar brand name, the "From:" field is forged. And the spammer responsible, perhaps aware that e-cards have acquired an air of disrepute, has even gone so far as to include the phrase "(no worm, no virus)" in the e-card's text, as if such an assurance made the message safe. In fact, the link provided attempts to download a file named "sos385.tmp" which is itself a downloader that connects to the Internet and attempts to download other malicious files."
* http://preview.tinyurl.com/2u5z7n
(Symantec Security Response Weblog)
---------------------------------------
More Christmas Card Action
- http://www.f-secure.com/weblog/archives/00001330.html
December 5, 2007 - "We've just seen another fake Christmas card malware run... The links are masked and point to a fake Yahoo Greeting card site. Do note the fake URL (abuse messages have been sent about the site)... The site prompts the user to download malicious macromedia-flashplayerupdate.exe (md5: 506744BF870B5B0E410087BD6F3EFD37). We detect this file as an Agent variant. It collects various types of information from the infected machine and sends it back to the malware author via a website."
(Screenshots available at the F-secure URL above.)
AplusWebMaster
2007-12-13, 19:53
FYI...
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=830
December 13, 2007 - "Websense® Security Labs™ has discovered a new -email- attack that uses a spoofed email claiming to be from the United States Department of Treasury. This is similar to previous attacks claiming to originate from the IRS, Better Business Bureau, and Department of Justice. We have been tracking all of these attacks, and reporting them as they are discovered. The message claims that a complaint to the Department of Treasury has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email. The attached "complaint" is a Trojan downloader with some backdoor capabilities. It is a ".pif" file with an MD5 of 9e19d23f27ebf9cfe1b9103066a3019e. It appears, however, that different versions of the Trojan are sent, based on the targeted recipient or company..."
(Screenshot available at the URL above.)
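The USDOJ, Better Business Bureau, Treasury and e-card lures above share one mechanism: a personalised message carrying an executable (.scr, .pif, .exe) dressed up as a "complaint" or a player update, which no anti-virus product detected at the time. The following is an added example, not from Websense, Security Fix, Symantec or F-Secure, of the mail-gateway triage that catches these without a signature: flag attachments whose final extension is an executable type, double extensions such as .pdf.scr, payloads that start with the PE "MZ" marker whatever they are called, and MD5s matching the hashes the posts publish. The message built here is constructed, its attachment is a dummy whose hash matches nothing, and the sender and recipient domains are placeholders.

```python
"""
Added example: triage inbound mail for the executable-attachment lures above.
The message is constructed; KNOWN_BAD_MD5 holds the hashes quoted in the posts.
"""
import email
import hashlib
from email import policy
from email.message import EmailMessage

EXEC_EXT = {".scr", ".pif", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js",
            ".hta", ".cpl", ".lnk"}

# Hashes quoted in the alerts above (lower-cased to match hexdigest()).
KNOWN_BAD_MD5 = {
    "aeb784bc17c4c7e6edc5f1faaa9ed24f": "USDOJ 'complaint' .scr downloader",
    "9e19d23f27ebf9cfe1b9103066a3019e": "Treasury 'complaint' .pif downloader",
    "506744bf870b5b0e410087bd6f3efd37": "macromedia-flashplayerupdate.exe (Agent)",
}


def inspect_attachment(name, data):
    """Return the list of reasons an attachment is suspicious (empty if none)."""
    reasons = []
    lowered = name.lower()
    ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
    if ext in EXEC_EXT:
        reasons.append(f"executable extension {ext}")
    if lowered.count(".") > 1:
        reasons.append("double extension")
    if data[:2] == b"MZ":                      # PE/DOS header, name notwithstanding
        reasons.append("PE header (MZ) regardless of name")
    md5 = hashlib.md5(data).hexdigest()
    if md5 in KNOWN_BAD_MD5:
        reasons.append("known-bad md5: " + KNOWN_BAD_MD5[md5])
    return reasons


def triage(raw_message):
    """Parse an RFC 5322 message (bytes) and report its suspicious attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = inspect_attachment(name, data)
        if reasons:
            findings.append({"filename": name,
                             "md5": hashlib.md5(data).hexdigest(),
                             "reasons": reasons})
    return findings


def build_sample(malicious=True):
    """Constructed lure: forged government sender with a 'complaint' attached."""
    m = EmailMessage()
    m["From"] = "complaints@usdoj.example"       # forged sender, placeholder domain
    m["To"] = "jane.doe@victim.example"
    m["Subject"] = "Complaint filed against Acme Corp"
    m.set_content("A copy of the original complaint is attached.")
    if malicious:
        payload = b"MZ" + b"\x00" * 62 + b"dummy bytes, not a real dropper"
        filename = "Complaint_Acme.pdf.scr"
    else:
        payload = b"%PDF-1.4 dummy"
        filename = "Complaint_Acme.pdf"
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for label, raw in [("lure", build_sample()), ("benign", build_sample(False))]:
        print(label, triage(raw))
```

The extension and MZ checks are the ones that matter operationally: the hash list only catches the exact samples already reported, and the Treasury alert itself notes that different versions are sent per target, so a gateway that blocks on file type (with archives expanded) holds up where a hash or signature does not.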
AplusWebMaster
2007-12-16, 06:12
FYI...
- http://www.us-cert.gov/current/#hp_hp_info_center_software
updated December 14, 2007 - "US-CERT is aware of a vulnerability affecting HP Info Center Software, which allows one-touch access to features on HP laptops. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands or to view or alter the system registry on affected systems. These reports also refer to publicly available exploit code for this vulnerability. HP has published an HP Quick Launch Buttons Critical Security Update* to address this issue. US-CERT encourages users to apply this update to mitigate this risk."
* ftp://ftp.hp.com/pub/softpaq/sp38001-38500/sp38166.html
- http://preview.tinyurl.com/2jhrxc
(HP Customer Care)
Release Date: 2007-12-12
Version: 1.00 A
Description:
This package provides a critical security update for HP Quick Launch Buttons on the supported notebook models and operating systems. This patch removes a security vulnerability by disabling HP Info Center...
» sp38166.exe 1/1 (1.61M)
AplusWebMaster
2007-12-17, 15:00
FYI...
- http://www.itbusiness.ca/it/client/en/home/news.asp?id=46368
12/14/2007 - "...Since 1 December 2007, 114,891 new users have run Prevx CSI with rootkit-detection features enabled. Of those PCs, 1,678 had what Prevx describes as 'significant rootkit infections'. That equates to 1.46% or approximately one in 70 systems, which is almost 15 times higher than the one in 1,000 rootkit-infected PCs previously estimated by industry experts. In the first nine days of this month alone, 93 companies used the free Business scan feature of Prevx CSI. Of these companies, 68 had one or more infected PCs. Thirteen companies, or 14%, had one or more PCs harboring rootkit infections.
These stats don't take into account the fact that users who scan their PCs are more likely to have concerns about infections..."
> http://info.prevx.com/downloadcsi.asp
"822,006 people have already checked their PC with Prevx CSI free, 182,018 were infected..."
AplusWebMaster
2007-12-18, 15:21
FYI...
- http://www.gartner.com/it/page.jsp?id=565125
December 17, 2007 - "Phishing attacks in the United States soared in 2007 as $3.2 billion was lost to these attacks, according to a survey by Gartner, Inc. The survey found that 3.6 million adults lost money in phishing attacks in the 12 months ending in August 2007, as compared with the 2.3 million who did so the year before. According to a survey of more than 4,500 online U.S. adults in August 2007 (which was representative of the online U.S. adult population) the attacks were more successful in 2007 than they were in the previous two years. Of consumers who received phishing e-mails in 2007, 3.3 percent say they lost money because of the attack, compared with 2.3 percent who lost money in 2006, and 2.9 percent who did so in 2005...
The average dollar loss per incident declined to $886 from $1,244 lost on average in 2006 (with a median loss of $200 in 2007), but because there were more victims, $3.2 billion was lost to phishing in 2007, according to surveyed consumers. There was a bit of relative good news, however; the amounts that consumers were able to recover also increased. Some 1.6 million adults recovered about 64 percent of their losses in 2007, up from the 54 percent that 1.5 million adults recovered in 2006.
PayPal and eBay continue to be the most-spoofed brands, but phishing attacks increasingly employ devious social engineering attacks, impersonating, for example, electronic greeting cards, charities and foreign businesses.
Thieves are increasingly stealing debit card and other bank account credentials to rob accounts — targeting areas where fraud detection is weaker than it is with credit card accounts. According to the survey, of those consumers who lost money to phishing attacks, 47 percent said a debit or check card had been the payment method used when they lost money or had unauthorized charges made on their accounts. This was followed by 32 percent of respondents who listed a credit card as the payment method, and 24 percent who listed a bank account as the method (multiple responses were allowed)...
Phishing and malware attacks will continue to increase through 2009 because it's still a lucrative business for the perpetrators, and advertising networks will be used to deliver up to 30 percent of malware that lands on consumer desktops.
Gartner sees no easy way out of this dilemma unless e-mail providers have incentives to invest in solutions to keep phishing e-mails from reaching consumers in the first place, and unless advertising networks and other "infection point" providers (which theoretically can be any legitimate Web site or service) have incentives to keep malware from being planted on their Web sites to reach unsuspecting consumers..."