View Full Version : 2008-Q1-Alerts


AplusWebMaster
2008-01-03, 00:26
FYI...

McAfee false positive on some JavaScripts
- http://isc.sans.org/diary.html?storyid=3803
Last Updated: 2008-01-02 21:36:16 UTC - "Some users reported that their AV was detecting JS/Exploit-BO virus, on sites like ESPN and Friendster, for instance. The problem is with the McAfee AV. McAfee just released an Emergency DAT to fix the false on some JavaScripts, detecting as JS/Exploit-BO on virus database (DAT file) 5197 released today. The new DAT just released is 5198 and the url to download it is: http://www.mcafee.com/apps/downloads/security_updates/dat.asp "

(In the wake of "CA false positive for certain Javascript apps":
http://isc.sans.org/diary.html?storyid=3797 Last Updated: 2007-12-31 23:07:19 UTC)

:oops:

AplusWebMaster
2008-01-03, 16:39
FYI...

Phish (Face)book!
- http://www.f-secure.com/weblog/archives/00001353.html
January 3, 2008 - " We recently came across a phishing attack targeting Facebook. Phishers are apparently using hacked Facebook accounts to post links to a fake login page on other people's "Wall posts"... The phishing site is still currently online. Be wary of clicking on those links out there, even if they seem to (genuinely) come from your friends! Hat tip to Techcrunch*."
* http://www.techcrunch.com/2008/01/02/phishing-for-facebook

(Screenshots available at both URL's above.)
---------------------------------------------------
More... Zango adware on Facebook

- http://www.vnunet.com/vnunet/news/2206462/facebook-hit-adware-attack
3 Jan 2008 - "Facebook users are being warned about a new application on the social networking site that contains adware. 'Secret Crush' contains a download of the Zango adware program which automatically sends itself to five friends. It has already infected three per cent of Facebook users, over one million computers, according to security firm Fortinet*..."

Facebook Widget Installing Spyware
* http://www.fortiguardcenter.com/advisory/FGA-2007-16.html
2008.January.02

:fear::spider:

AplusWebMaster
2008-01-04, 14:12
FYI...

- http://sunbeltblog.blogspot.com/2008/01/malicious-ads-on-myspace-excite-blick.html
January 03, 2008 - "We worked earlier today with Brain Krebs at the WP about malicious banner ads on Myspace. (Malware is being delivered through exploits, but fully patched systems won’t be affected.) Sandi Hardmeier has also been tracking ads at Excite and, now, Blick** (a popular German site). These are different than the Myspace ads (in that they don’t seem to be dumping an exploit-driven payload)."

* http://blog.washingtonpost.com/securityfix/2008/01/malwarelaced_banner_ads_at_mys.html

** http://msmvps.com/blogs/spywaresucks/archive/2008/01/04/1435836.aspx

:fear:

AplusWebMaster
2008-01-05, 04:05
FYI...

- http://www.us-cert.gov/current/#public_exploit_code_for_realplayer
January 2, 2008

- http://secunia.com/advisories/28276/
Release Date: 2008-01-03
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: RealPlayer 11.x
...Successful exploitation allows execution of arbitrary code. The vulnerability is reported in version 11 build 6.0.14.748. Other versions may also be affected.
Solution:
Do not open untrusted media files or browse untrusted websites...

- http://isc.sans.org/diary.html?storyid=3810
Last Updated: 2008-01-05 00:34:02 UTC ...(Version: 4)
"> Update 15:10 UTC: While you're at it, consider blocking access to uc8010-dot-com. If you do a Google Search for this domain, you'll understand why: Lots of injecting of a malicious 0.js from this domain is currently going on, plenty of web sites seem to contain this booby trap. One of the IFRAMES fetched from this site, the file "r.htm" contains a RealPlayer exploit. Still the one from last month ( www.kb.cert.org/vuls/id/871673 ) but if they happen to re-tool to the new vulnerability, things might get ugly.
> Update 16:30 UTC: One of our readers noted that there are a number of state government and educational sites that appear to have been compromised with the uc8010 domain. Upon review, I see that some of these have already been cleaned up. However, the .gov and .edu sites are only a few of the many many sites that are turned up via google searches for the uc8010 domain. As that domain was only registered as of Dec 28th, compromises of websites probably occurred in the past week.
I recommend that our readers check to see if their site shows any references to uc8010 via google. Alternatively, look on their webservers to see if there are any unauthorized change to webpages in the past week.
> Update 00:30 UTC 5 JAN 08: Looks like there is another domain hosting a similar script. In addition to uc8010 check your flows for "ucmal.com"
----------------------------------------------------------

CA web site hacked
http://preview.tinyurl.com/2wdxkw
January 04, 2008 (Computerworld) - "Part of security software vendor CA's Web site was cracked earlier this week and was redirecting visitors to a malicious Web site hosted in China. Although the problem now appears to have been corrected, cached versions of some pages in the press section of CA.com show that earlier this week the site had been redirecting visitors to the uc8010.com domain, which has been serving malicious software since late December, according to Marcus Sachs, director of the SANS Internet Storm Center. The hack is similar to last year's attack on the Dolphin Stadium Web site, which infected visitors looking for information on the Super Bowl football game, Sachs said. "It's exactly the same setup," he said. "It's JavaScript that they've managed to insert into the title or the body of the HTML"..."

:fear:

AplusWebMaster
2008-01-05, 21:40
FYI...

- http://preview.tinyurl.com/2lgp5u
January 05, 2008 (Donna's SecurityFlash) -"In early December 2007 a new rootkit that hides itself in the Master Boot Record (MBR) of a user's disk was spotted in the wild. Up until then this was more of a proof of concept (POC). This goes to show how much effort rootkit authors are putting in to creating new ways of evading Anti Rootkit software. This is a new vector of attack for malware writers and gives them control from outside the Operating System. This rootkit is using the MBR flaw. The MBR can be written to from within Windows.
The rootkit installs itself ( 244K ) on the last sectors of the user's disk and then modifies other sectors including sector 0. The code is run before your PC boots up into XP, Vista or NT and has full control of the boot process which means it can install and run any application it wants without you, XP, Vista or NT knowing about it."

> http://www.antirootkit.com/blog/2008/01/03/security-flaw-in-vista-and-xp-rootkit-exploit-in-the-wild/

> http://www2.gmer.net/mbr/

:fear::spider:

AplusWebMaster
2008-01-07, 18:45
FYI...

- http://preview.tinyurl.com/27hohx
January 07, 2008 (Computerworld) -- Tens of thousands of Web sites have been compromised by an automated SQL injection attack, and although some have been cleaned, others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend. Roger Thompson, the chief research officer of Grisoft SRO, pointed out that the hacked sites could be found via a simple Google search for the domain that hosted the malicious JavaScript. On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. "This was a pretty good mass-hack," said Thompson, in a post to his blog*. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared." Symantec Corp. cited reports by other researchers - including one identified only as "websmithrob" - that fingered an SQL vulnerability as the common thread..."
* http://explabs.blogspot.com/2008/01/so-this-is-kind-of-interesting.html
January 05, 2008 - "This domain uc8010(dot)com was registered just a few days ago (Dec 28th), and yet, at one point Google showed script injections pointing to it were showing up on over 70k domains... If you google for uc8010(dot)com, you still get about 50k hits..."

- http://isc.sans.org/diary.html?storyid=3810
Last Updated: 2008-01-05 20:13:55 UTC ...(Version: 5) - "Update 17:52: We have gotten reports of embedded script links to ucmal on MySpace. It is probably safe to assume that other social networking sites have it as well."

:fear::fear::devilpoin:

AplusWebMaster
2008-01-08, 14:31
More...

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=205600157
Jan. 8, 2008 - "Web sites that naively call for user input, then fail to put strict checks on what that input may be, are susceptible to SQL injection attacks. That vulnerability appears to be the cause of up to 70,000 Web pages getting hacked by malicious code between Dec. 28 and Jan. 5. The intrusions represent a whole new level of threat to users on the Internet. Instead of the attack seeking to launch a virus or worm at individual computers, it invaded Web databases and used them to host its malicious code and distribute it every time site visitors sought information beyond a home page or product page from the database. But for the fact it used an old and already guarded against Windows exploit, it might still be spreading across the Internet... it was Microsoft SQL Server databases that ended up as the target of the attack because the tables targeted are specific to SQL Server... The intrusion of each database is massive, with a JavaScript string being attached to all text items in the database. A site user's request for an information item then leads to the attacker's JavaScript response attempting to plant code on the user's computer. The attack typically invades a site with a catalogue or other large text files stored on a SQL Server database. As a site visitor clicks on a Web site's button or link for more information, such as "more information" from a catalogue, the database is activated to send a JavaScript plant onto the user's computer... The plants take advantage of a widely publicized Windows vulnerability, listed as the MS06-014* exploit... Google and Yahoo's cached pages from Web site databases may still contain the JavaScript, untouched by site efforts to clean it up, the experts warned."
* http://support.microsoft.com/kb/911562/en-us
Last Review: March 27, 2007
Revision: 3.6

:fear:
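
The two checks the ISC diary and the InformationWeek article above boil down to, written out as an added example (this is not code from the ISC diary, from the articles quoted, or from any vendor named in this thread): find the injected `<script>`/`<iframe>` includes that point at the uc8010.com and ucmal.com domains, whether they sit in a page on disk or in a text column dumped from the SQL Server database, strip them cleanly, and list files in the web root changed in the past week. The two-file web root it builds is constructed for illustration.

```python
"""Find (and optionally strip) the injected script includes described above.
Added example, not code from the ISC diary or the articles quoted; the sample
web root it builds is constructed for illustration."""
import os
import re
import tempfile
import time
from pathlib import Path

# Domains named in the posts above. Extend the tuple as new ones are reported.
BAD_DOMAINS = ("uc8010.com", "ucmal.com")

# A <script> or <iframe> whose src is an absolute http(s) or protocol-relative
# URL, plus its closing tag if one follows immediately. Matching the whole tag
# lets one pattern drive both detection and removal.
_TAG_RE = re.compile(
    r"""<(script|iframe)\b[^>]*?\bsrc\s*=\s*["']?\s*(?:https?:)?//([^/"'\s>]+)[^>]*>"""
    r"""\s*(?:</\1\s*>)?""",
    re.IGNORECASE,
)


def _is_bad(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)


def find_injections(text):
    """Return (tag, host) for each script/iframe include pointing at a listed domain.
    Works on a page body, a PHP/ASP template, or a text column dumped from the database."""
    return [(m.group(1).lower(), m.group(2).lower())
            for m in _TAG_RE.finditer(text) if _is_bad(m.group(2))]


def strip_injections(text):
    """Remove the offending includes and leave everything else byte-for-byte intact."""
    return _TAG_RE.sub(lambda m: "" if _is_bad(m.group(2)) else m.group(0), text)


def scan_webroot(root, recent_days=7,
                 suffixes=(".html", ".htm", ".php", ".asp", ".aspx", ".js", ".txt")):
    """Walk `root`; report files that reference a listed domain or were modified in
    the last `recent_days` days (the ISC advice above: look for unauthorized
    changes to web pages in the past week)."""
    root = Path(root)
    cutoff = time.time() - recent_days * 86400
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        hits = find_injections(path.read_text(errors="replace"))
        recent = path.stat().st_mtime >= cutoff
        if hits or recent:
            findings.append({"path": path.relative_to(root).as_posix(),
                             "hits": hits, "recent": recent})
    return findings


def demo():
    """Build a constructed two-file web root in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    old = root / "about.html"
    old.write_text("<html><body><p>About us</p></body></html>\n")
    month_ago = time.time() - 30 * 86400
    os.utime(old, (month_ago, month_ago))  # untouched for a month and clean: not reported
    (root / "products").mkdir()
    hit = root / "products" / "list.html"
    hit.write_text('<html><body><p>Widget</p>'
                   '<script src="http://www.uc8010.com/0.js"></script></body></html>\n')
    return scan_webroot(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run `scan_webroot` against the document root (and against a text export of the catalogue tables, via `find_injections`, where the site is database-driven). A file flagged only as `recent` is not proof of compromise, but with the attack running for about a week it is the shortlist worth diffing against a backup; and as the article notes, search-engine caches keep serving the injected copy after the site itself is cleaned.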

AplusWebMaster
2008-01-09, 00:51
FYI...

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=835
January 08, 2008 - "Websense® Security Labs™ has discovered a new email attack that uses a spoofed email message which claims to be from the National Payroll Reporting Consortium (NPRC). This attack is similar to previous attacks claiming to originate from the IRS, Better Business Bureau, and Department of Justice. We have tracked all of these attacks, and reported them as they were discovered. The message claims that the recipient's company has made numerous misrepresentations regarding worker classification, in an attempt to lower compensation costs. The email asks the recipient to fill out an attached form and fax it to NPRC's fraud department in order to resolve the issue. An email attachment contains a Trojan downloader with some backdoor capabilities. It is a malicious Windows executable file, with an MD5 of 854e259c7c0ac6fb2a26963a9d77600d ... At time of writing, only one anti-virus vendor had detected this malicious code."

(Screenshot available at the URL above.)

:fear:

AplusWebMaster
2008-01-11, 18:44
FYI...

- http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/
January 11, 2008 - "...TrendLabs researchers have received reports of what appears to be an attempt of a massive DNS poisoning attack in Mexico... the attack begins with the exploitation of a known vulnerability in 2Wire modems*. The said vulnerability allows an attacker to modify the local DNS servers and hosts. One of the main Internet Service Providers in Mexico offers 2Wire modems to their customers, and it is estimated that more than 2 million users are at risk... exploit arrives with a newsy email message... once an unsuspecting user opens the email in its full HTML format, the exploit code automatically attempts to access the modem’s Web console and modify the local host database to redirect all requests for banamex.com — the Web site of one of the largest banks in Mexico — to a fraudulent site... The malicious email message also promises a “video” and includes a link that points to a malicious URL where the .RAR archive Video_Narco.rar can be downloaded. This archive contains the malicious file Video_Narco.exe..."
* http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389

:fear:

AplusWebMaster
2008-01-12, 00:53
FYI...

- http://isc.sans.org/diary.html?storyid=3826
Last Updated: 2008-01-11 20:19:06 UTC - "Come April, we will reach the FIFTH anniversary of the ByteVerify vulnerability (MS03-011). Untangling some seriously obfuscated JavaScript coming from a couple of web sites in China earlier today, I ended up with - yes, a ByteVerify exploit. Also in the package was an MDAC exploit (MS06-014), whose second anniversary will be up this April as well.
> To see these exploits still in use can only mean one thing: They still work.
And they seem to work well enough that the bad guys can instead sink their time into developing new obfuscation techniques and other ways to make analysis more difficult -- only to deliver a five year old exploit in the end. Not a very stellar testament to patching efforts."

:fear:

AplusWebMaster
2008-01-18, 14:17
FYI...

Adobe (Flash) Server vulns - updates available
>>> http://www.us-cert.gov/current/#adobe_releases_security_bulletins_to
January 17, 2008

- http://www.adobe.com/support/security/bulletins/apsb08-02.html
APSB08-02 Update available for Adobe Connect Enterprise Server cross-site scripting issue - 01/16/2008

- http://www.adobe.com/support/security/bulletins/apsb08-01.html
APSB08-01 Update to Dreamweaver and Contribute to address potential cross-site scripting vulnerabilities - 01/16/2008

"...issue previously described in Security Advisory APSA07-06*..."
- http://www.adobe.com/support/security/advisories/apsa07-06.html
January 16, 2008 – Advisory updated with information on Dreamweaver and Connect fixes

:fear::fear:

AplusWebMaster
2008-01-22, 15:10
FYI...

- http://www.theinquirer.net/gb/inquirer/news/2008/01/22/apache-sites-scalped-hack
22 January 2008 - "...more than 10,000 sites running the Linux based Apache software may be hacked and trying to control visitors' computers. Don Jackson, from Secureworks* said that the hackers probably used stolen log-in details to gain access and then infected the Apache servers with a pair of files that generate constantly-changing JavaScript. If a punter visits the hacked site they get walloped with nine exploits including a recent QuickTime vulnerability, the long-running Windows MDAC bug, and a fixed flaw in Yahoo Messenger. Once a hole is opened, the victim receives (a variant of) the Trojan Rbot and is added to a botnet. When the systems administrators who owned the Apache boxes were notified and reinstalled the software, the hack came back, apparently. This led Jackson to believe that it was a direct hack to the Linux server and not based on a vulnerability. He thinks that the only way the hacks will stop is when the Administrators change all the passwords and not just the FTP and Cpanel passwords..."
* http://www.secureworks.com/research/threats/linuxservers/?threat=linuxservers
"...The compromised websites, in turn, can infect website visitors. If infected, the malicious code can steal bank usernames and passwords, SSNs, credit card numbers, online payment accounts, basically any information a computer user puts into their web browser. The malicious code can also own the victim’s computer...
> Protection for Organization’s Websites: In order for an organization to protect their website from this attack they need to disable dynamic loading in their Apache module configurations.
> Protection for Website visitors: This is designed to attack Windows PCs. Website visitors can avoid infection by the malware this attack distributes by making sure all anti-virus signatures are up to date and that all vulnerable software is patched. No previously unknown or 0-day vulnerabilities are used in this attack..."

:fear::fear::fear:

AplusWebMaster
2008-01-23, 15:06
Ongoing...

- http://www.theregister.co.uk/2008/01/23/booby_trapped_web_botnet_menace/
23 January 2008 - "...Security watchers at Sophos are discovering 6,000 new infected webpages every day, the equivalent of one every 14 seconds. Four in five (83 per cent) of these webpages actually belong to innocent companies and individuals, unaware that their sites have been hacked. Websites of all types, from those of antique dealers to ice cream manufacturers and wedding photographers, have hosted malware on behalf of virus writers, Sophos reports. The study sheds fresh light on the well-understood problem of drive-by-downloads from compromised sites, a tactic that's come to eclipse virus-infected email as a means of spreading malware. Cybercrooks target users by spamvertising emails containing links to poisoned webpages, exposing unsuspecting victims to malware. At least one in ten web pages are booby-trapped with malware, according to a separate study by Google published last May. Often these malware packages are designed to put compromised zombie PCs under the control of hackers. Around half a million computers are infected by bots every day according to data compiled by PandaLabs*, the research arm of anti-virus firm Panda Software. Approximately 11 percent of computers worldwide have become a part of criminal botnets..."

- http://www.sophos.com/security/blog/2008/01/1010.html
22 January 2008

- http://www.cpanel.net/security/notes/random_js_toolkit.html

* http://www.pandasecurity.com/usa/about/corporate-news/new-31.htm
Jan. 18, 2008

- http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3

> http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.BotCounts#week

Also noteworthy:
> http://blog.trendmicro.com/technology-shift-the-world-wide-compromise-of-the-web/
January 22, 2008 - "...We’ve recently seen literally thousands of compromised Web sites and Web pages that, if an unsuspecting user happens upon the content (and has some arbitrary unpatched vulnerability), they are victimized. I cannot stress how important this issue has become, and how this will fundamentally change the way we use The Internet if we do not take dramatic steps to correct these basic deficiencies. The lifeblood of the Internet depends on it. When Vint Cerf spoke at the World Economic Forum in Davos, Switzerland, last year, he pretty much nailed the issue spot on — 'Criminals may indeed overwhelm the web' as we (collectively) sit idly by..."

:fear::fear::fear:

AplusWebMaster
2008-01-24, 14:46
FYI...

- http://blog.washingtonpost.com/securityfix/2008/01/report_51_of_malicious_web_sit.html
January 22, 2008 - "...Dan Hubbard, Websense's vice president of security research, said that at any given time there are about two million compromised and malicious sites online, and that slightly more than half of those are hacked sites that range from mom-and-pop type stores to household brand names. The company scans about 600 million sites per week for signs that the sites are trying to foist malicious software on visitors or redirect them to sites that will. The report follows recent discoveries* that almost 100,000 Web sites - including that of security company Computer Associates, the Commonwealth of Virginia, the City of Cleveland - were hacked via Web application vulnerabilities in an apparently coordinated attack. In that attack, the code stitched into hacked sites was designed to perpetrate click fraud and steal online gaming credentials. All Web software applications have flaws, and all need to be updated from time to time to keep the site healthy and to keep opportunistic predators away..."
* http://www.theregister.co.uk/2008/01/08/malicious_website_redirectors/

:fear:

AplusWebMaster
2008-01-25, 14:54
FYI...

SEO Manipulation Begins for Super Bowl Malware Campaign
- http://blog.trendmicro.com/seo-manipulation-begins-for-super-bowl-malware-campaign/
January 24, 2008 - "...When users search for 'Superbowl', Google search results turn up the following (malware links)... Is the Super Bowl on cyber criminals’ social engineering lists? It does seem somewhat passé (even if the event is in two weeks). But what’s interesting in this case is that the malicious URLs are once again found in the servers of the Czech hosting provider believed to be hacked. Our analysts have been in contact with CERT CZ and the Czech hosting provider but the malicious codes are still present as of this writing..."

(Screenshot available at the URL above.)

:fear:

AplusWebMaster
2008-01-26, 20:16
FYI...

Attackers Abuse Google Blogger
Blogger is flooded with phony blogs – including some that inject malware
- http://www.darkreading.com/document.asp?doc_id=144171&print=true
JANUARY 25, 2008 - "Hackers are currently littering Google's Blogger site with phony blogs -- some containing malware, pornographic images, or pure spam. "Google Blogger is being used as a malware delivery mechanism," says Ken Steinberg, CTO and president of Savant Protection, who discovered the attack while working on his own blog this morning. The attackers apparently are automatically generating the blogs with scripts. The blogs come with nonsensical names and content that's obviously been generated using English-compliant engines and keyword focuses, he says. "They've upped the game. Mostly [blog attacks] have been through comments or postings," he says. Steinberg noted that some of the fake blogs were using malware-insertion techniques: "One of the more common ways of inserting malware is using overflow techniques found in movie [viewers]... When you click through a few of these blogs, up pops images set to auto-load -- some are images, some are movies" that can infect a visitor with malware, he says. Google says it's investigating the event..."

- http://preview.tinyurl.com/2v59aq
January 25, 2008 (Computerworld) - "...The spammers have borrowed other malware techniques, too. Just as some recent attacks have been launched using frequently changing JavaScript, the redirect code placed on the Google Pages or on blogs may fluctuate depending on the originating spam message. The scams are also using fast-flux techniques to rapidly change the resolving destinations of the links.."

:devil:

AplusWebMaster
2008-01-26, 20:58
FYI... (apologies for the long post; 'included details for admins):

- http://prweb.com/releases/2008/1/prweb656233.htm
January 26, 2008 - "cPanel announced today that its security team has identified several key components of a hack known as the Random JavaScript Toolkit. The systems affected by this hack appear to be Linux® based and are running a number of different hosting platforms. While this compromise is not believed to be specific to systems running cPanel software, cPanel has worked with a number of hosting providers and server owners to investigate this compromise. The cPanel Security Team has recognized that the vast majority of affected systems are initially accessed using SSH with no indications of brute force or exploitation of the underlying service. Despite non-trivial passwords, intermediary users and nonstandard ports, the attacker is able to gain access to the affected servers with no password failures. The cPanel security team also recognized that a majority of the affected servers come from a single undisclosed data-center. All affected systems have password-based authentication enabled. Based upon these findings, the cPanel security team believes that the attacker has gained access to a database of root login credentials for a large group of Linux servers. Once an attacker manually gains access to a system they can then perform various tasks. The hacker can download, compile, and execute a log cleaning script in order to hide their tracks. They also can download a customized root-kit based off of Boxer version 0.99 beta 3. Finally, the attacker searches for files containing credit card related phrases such as cvc, cvv, and authorize. The actual root-kit has been the subject of much speculation. The cPanel security team asserts that the Boxer variant includes a small web-server which is how the Javascript is distributed to unsuspecting users of any website on the server. It is believed that the Javascript include is injected into the HTML code after Apache has served the file but before it has traveled through the TCP transport back to the user of the website. 
The web-server is not loaded onto the hard drive directly but loaded directly into memory from the infected Boxer binaries... The JavaScript being loaded by this web-server is directing users to another server that scans the website user for a number of known vulnerabilities. These vulnerabilities are then used to add the website user to a bot net. More information about the JavaScript hacks can be found at: http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3. Cleaning the Random JavaScript Toolkit requires the server to be booted into single user mode and the removal of all infected binaries. More details on how to do this can be found at: http://www.cpanel.net/security/notes/random_js_toolkit.html. The cPanel security team believes that the hacker has access to the database of login credentials, the only way to prevent being hacked again is changing the password and not releasing it to anyone. The preferred method however is to move to SSH Keys and remove password authentication altogether."

:fear::spider:
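
Two admin checks that follow from the cPanel write-up above, as an added example (not cPanel's, Finjan's or the rootkit's code; the sample page and the sshd_config text are constructed for illustration). First, because the toolkit adds its include after Apache has served the file, the file on disk stays clean and `grep` finds nothing: fetch the page over the network from another host, then compare the served bytes with the file, so the diff isolates exactly what was injected. Second, since access came through SSH with valid passwords, audit sshd_config for the directives that still let a stolen password in and emit a key-only copy.

```python
"""Two checks against the Random JavaScript Toolkit compromise described above.
Added example, not cPanel's or Finjan's own code; the sample page and the
sshd_config text used by the tests are constructed for illustration."""
import difflib
import re

# --- 1. Served page vs. file on disk --------------------------------------
# Fetch the page from outside (curl/wget on another host), save the body, and
# compare with the file Apache should have served.


def _tag_tokens(html):
    # Split at tag boundaries, so an include appended to an existing line shows
    # up as its own token rather than hiding inside one "changed" line.
    return [t for t in re.split(r"(?=<)", html) if t]


def injected_segments(on_disk, served):
    """Return the markup present in `served` that is absent from `on_disk`."""
    a, b = _tag_tokens(on_disk), _tag_tokens(served)
    sm = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    return ["".join(b[j1:j2]) for op, _, _, j1, j2 in sm.get_opcodes()
            if op in ("insert", "replace")]


# --- 2. sshd_config audit -------------------------------------------------
# sshd takes the first value it sees for a keyword, and all three of these
# default to "yes" when absent (OpenSSH defaults). ChallengeResponse is
# included because with UsePAM it can still accept a password after
# PasswordAuthentication has been turned off.
CANONICAL = {
    "passwordauthentication": "PasswordAuthentication",
    "challengeresponseauthentication": "ChallengeResponseAuthentication",
    "pubkeyauthentication": "PubkeyAuthentication",
}
DEFAULTS = {"passwordauthentication": "yes",
            "challengeresponseauthentication": "yes",
            "pubkeyauthentication": "yes"}
WANTED = {"passwordauthentication": "no",
          "challengeresponseauthentication": "no",
          "pubkeyauthentication": "yes"}


def _directive(line):
    """('keyword', 'value') for a config line, or (None, None) for blanks and comments."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None, None
    parts = re.split(r"\s*=\s*|\s+", body, maxsplit=1)  # "Key value" or "Key=value"
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def effective_global(text):
    """Effective global settings: first occurrence wins; Match blocks are excluded."""
    eff = {}
    for line in text.splitlines():
        key, val = _directive(line)
        if key == "match":
            break
        if key is not None:
            eff.setdefault(key, val)
    return eff


def audit_sshd_config(text):
    """{keyword: effective value} for each WANTED keyword set wrongly or left at a weak default."""
    eff = effective_global(text)
    return {k: eff.get(k, DEFAULTS[k]) for k, want in WANTED.items()
            if eff.get(k, DEFAULTS[k]).lower() != want}


def harden_sshd_config(text):
    """Rewrite every global occurrence of a WANTED keyword and add the missing
    ones before the first Match block, leaving Match blocks themselves untouched."""
    out, seen, in_match = [], set(), False
    for line in text.splitlines():
        key, _ = _directive(line)
        if key == "match" and not in_match:
            out.extend(f"{CANONICAL[k]} {v}" for k, v in WANTED.items() if k not in seen)
            seen.update(WANTED)
            in_match = True
        if not in_match and key in WANTED:
            out.append(f"{CANONICAL[key]} {WANTED[key]}")
            seen.add(key)
        else:
            out.append(line)
    out.extend(f"{CANONICAL[k]} {v}" for k, v in WANTED.items() if k not in seen)
    return "\n".join(out) + "\n"
```

Before switching a live box to key-only logins, install the key and confirm it works from a second session; and because the write-up says the attacker already holds the root credentials, rotating the password alone (the Inquirer/Secureworks advice earlier in the thread) only helps until the next exposure of that database, which is why the post prefers keys. `harden_sshd_config` deliberately leaves `Match` blocks alone, so review any per-user or per-address blocks by hand.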

AplusWebMaster
2008-01-29, 21:20
FYI...

- http://blog.trendmicro.com/spyware-removal-site-delivers-malware/
January 28, 2008 - "Looks can be deceiving, and malware authors are relying on that old adage to lure potential victims into their most recent scheme... The site hxxp ://removal-tool .com manages to do all that... who’d suspect that a professional-looking anti-spyware site will give them just the opposite of what they’re looking for — and even more? With most of the pages hosting malicious iFrames, here’s a list of what could be lurking in your system after a visit to their site:
* HTML_IFRAME.IY
* VBS_PSYME.BCC
* EXPL_EXECOD.A
* HTML_SHELLCOD.AE
* JS_AGENT.AXX
* HTML_DLOADER.XCZ
* WORM_DISKGEN.AF
* HTML_SHELLCOD.AZ
* HTML_SHELLCOD.AW
* JS_REALPLAY.AA
* PE_PAGIPEF.AP-O
* TROJ_AGENT.DDG
* TROJ_PAGIPEF.AP
The use of legitimate-looking Web sites is a regular (yet undoubtedly still very effective) tactic in disseminating Web threats, mainly used to fool users into downloading fake codecs (see here and here), though security applications have also been reported in the past. Any Web-savvy developer knows that professional design and robust content attract customers, and is most likely to earn their trust to initiate one more click. Sadly, even those with malicious intent abide by this rule, and most users can hardly tell a good site from a bad one..."

(Screenshot available at the URL above.)

:fear:

AplusWebMaster
2008-01-30, 13:29
FYI...

- http://blog.trendmicro.com/malicious-banners-target-expediacom-and-rhapsodycom/
January 29, 2008 - "... Earlier this month, we’ve seen malicious banner ads being served on popular Web sites, such as Myspace, Excite, and Blick. This time, TrendLabs was alerted to malicious banner ads infiltrating legitimate special interest Web sites such as Expedia.com and Rhapsody.com. According to Trend Micro security experts, certain malicious .SWF banners have managed to work their way into Expedia.com, a popular site for travel enthusiasts worldwide. Trend Micro detects this particular malicious flash banner as SWF_ADHIJACK.A. Based on initial analysis, clicking on this ad leads to several redirections, which eventually results in the installation of a rogue antispyware (detected as TROJ_GIDA.A). Music lovers are also targeted by malware-laden .SWF banners at Rhapsody.com, a music site owned by RealNetworks, which was also found to be employing malicious flash banners. The malicious .SWF URL found in Rhapsody.com is said to be similar to the notorious Skyauction advertisements that were also found to infiltrate the Blick website...
Hat-tip: Spyware Sucks - http://msmvps.com/blogs/spywaresucks/archive/2008/01/28/1483997.aspx "

:fear::spider:

AplusWebMaster
2008-02-02, 01:23
FYI...

- http://secunia.com/advisories/28715
Last Update: 2008-02-05
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: MySpace Uploader Control 1.x
...The vulnerability is confirmed in MySpaceUploader.ocx version 1.0.0.5 and reported in version 1.0.0.4. Other versions may also be affected.
Solution: Update to version 1.0.0.6. <<<
( http://forums.spybot.info/showpost.php?p=162448&postcount=44 )

- http://secunia.com/advisories/28713/
Release Date: 2008-02-04
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Facebook Photo Uploader 4.x
...The vulnerability is confirmed in version 4.5.57.0. Other versions may also be affected.
Solution: Update to version 4.5.57.1. <<<

- http://secunia.com/advisories/28757/
Last Update: 2008-02-07
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Yahoo! Music Jukebox 2.x ...
NOTE: Working exploit code is publicly available.
The vulnerabilities are confirmed in Yahoo! Music Jukebox version 2.2.2.056. Other versions may also be affected...
Solution: Set the kill-bit for the affected ActiveX controls. <<<
Other References:
US-CERT VU#101676: http://www.kb.cert.org/vuls/id/101676
US-CERT VU#340860: http://www.kb.cert.org/vuls/id/340860
---------------------
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0623
release date: 2/6/2008 - YMP Datagrid ActiveX control (datagrid.dll)
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0624
release date: 2/6/2008 - YMP Datagrid ActiveX control (datagrid.dll)
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0625
release date: 2/6/2008 - MediaGrid ActiveX control (mediagrid.dll)

:fear:

AplusWebMaster
2008-02-06, 14:10
FYI...

Adobe Reader v8.1.2 released
- http://secunia.com/advisories/28802/
Release Date: 2008-02-06
Last Update: 2008-02-11
Critical: Highly critical
Impact: Unknown, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Acrobat 3D, Adobe Acrobat 8 Pro, Adobe Acrobat 8.x, Adobe Reader 8.x
CVE reference:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0667 ...
Solution: Update to version 8.1.2...
Acrobat 8 on Windows:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3849 ...
Changelog:
2008-02-08: Updated advisory based on additional information from the vendor. Updated link to vendor's advisory.
2008-02-11: Updated advisory based on additional information from iDefense Labs and Fortinet. Added links and CVE references.
Original Advisory: Adobe APSA08-01:
http://www.adobe.com/support/security/advisories/apsa08-01.html

AplusWebMaster
2008-02-08, 01:00
FYI...

MySpace Uploader ActiveX Exploited in the Wild
- http://preview.tinyurl.com/22vn4d
February 7, 2008 (Symantec Security Response Weblog) - "Yesterday our honeypots picked up a browser attack toolkit that I had not encountered before. This toolkit uses dynamic function and variable names and wraps its exploits in two levels of dynamic encoding. Finding a new toolkit on our honeypots always piques my interest as a new toolkit often yields new exploit payload. Lo and behold, once the encoder layers are peeled away, the toolkit is found to contain an exploit for the MySpace Uploader 'MySpaceUploader.ocx' ActiveX Control Buffer Overflow that was announced on the 31st of January*..."
* http://securityresponse.symantec.com/avcenter/attack_sigs/s50096.html
"...issue leads to a crash in 'MySpaceUploader.ocx' 1.0.0.4 and 1.0.0.5..."

> http://secunia.com/advisories/28715
Solution: Update to version 1.0.0.6.

:fear:

AplusWebMaster
2008-02-08, 14:41
FYI...

> http://secunia.com/blog/20
7 February 2008
"...During the last 24 hours, we have seen security updates for some very popular Windows programs from four major vendors: Sun, Adobe, Apple, and Skype. Based on these four security updates, we have gathered some statistics from our free Secunia PSI that shows a startling picture, detailing the amount of users who need to patch their computers, in order to safely do something as ordinary as surfing the Internet...
A little in-depth information about the four security updates
1) Adobe Reader 8.x (PDF Files) (Secunia Advisory: http://secunia.com/SA28802 )...
2) Sun Java 1.5.x (Web content, games, etc.) (Secunia Advisory: http://secunia.com/SA28795 )...
3) Apple Quicktime (Movies, music, etc.) (Secunia Advisory: http://secunia.com/SA28423 )
4) Skype (Chat and VOIP) (Secunia Advisory: http://secunia.com/SA28791 )..."

(Add the Firefox update to that: http://secunia.com/SA28758/ , and most should have a busy weekend!)

:fear:

AplusWebMaster
2008-02-09, 04:57
FYI...

- http://isc.sans.org/diary.html?storyid=3958
Last Updated: 2008-02-09 02:38:22 UTC - "The Adobe Reader vulnerability... is being exploited in the wild! A malicious PDF file (called 1.pdf in this example) served from IP address "85.17.221.2" (not active at this time) contains a malware specimen called Trojan, a variant of Zonebac. The IP address belongs to LeaseWeb, a hosting provider in The Netherlands we already notified..."

- http://secunia.com/advisories/28802/
Software: Adobe Reader 8.x ...
Solution: Update to version 8.1.2 ...
Original Advisory: Adobe Reader 8.1.2 Release Notes:
http://www.adobe.com/go/kb403079

:fear:

AplusWebMaster
2008-02-14, 06:33
FYI...

New Facebook Photo Uploader ActiveX Vulnerability
- http://atlas.arbor.net/briefs/index#-1074023979
(...Scroll down to):
Severity: Elevated Severity
Published: Wednesday, February 13, 2008 18:57
Facebook Photo Uploader ActiveX control is prone to a buffer-overflow vulnerability. Attackers can exploit this issue and execute arbitrary code in the context of the browser. Exploit is available. Until this issue is fixed by the vendor, a workaround would be to set the kill bit for the ActiveX control.
Analysis: The ActiveX control in question is ImageUploader4.1.ocx. The 'FileMask' method is vulnerable. Attackers need to make a user view a crafted HTML to exploit this issue. A workaround would be to set the kill bit for the Control till it is fixed...

:fear:
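The kill-bit workaround mentioned in the Arbor brief above, written out as an added PowerShell example (this is not code from the original post or from Arbor). It sets the Compatibility Flags value 0x400 under the Internet Explorer "ActiveX Compatibility" registry key for a control's CLSID, which stops Internet Explorer from instantiating that control. The CLSID in the script is a placeholder, since the brief does not give one; substitute the real CLSID of ImageUploader4.1.ocx from the vendor or CERT advisory. Run it from an elevated (Administrator) session.

```powershell
# Added example: set and verify the IE ActiveX kill bit for a control by CLSID.
# The CLSID below is a PLACEHOLDER (assumption) - replace it with the real one
# for ImageUploader4.1.ocx before use. Requires an elevated PowerShell session.

param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not the real CLSID
)

$base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$killBit = 0x400   # Compatibility Flags bit: never load this control in IE

function Set-ActiveXKillBit {
    param([string]$Clsid)
    $key = Join-Path $base $Clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Preserve any flags already present; a missing value reads as 0.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = ([int]$existing) -bor $killBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Test-ActiveXKillBit {
    param([string]$Clsid)
    $key = Join-Path $base $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags) -band $killBit) -ne 0
}

Set-ActiveXKillBit -Clsid $Clsid
if (Test-ActiveXKillBit -Clsid $Clsid) {
    "Kill bit is set for $Clsid"
} else {
    "Kill bit could NOT be verified for $Clsid"
}
```

On 64-bit Windows, 32-bit Internet Explorer reads the same key under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so set the value there as well if both browser bitnesses are in use. The kill bit blocks the vulnerable control in Internet Explorer only; it is a stopgap until the vendor ships a fixed control, after which the flag can be removed.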

AplusWebMaster
2008-02-19, 13:12
FYI...

- http://www.theregister.co.uk/2008/02/15/browser_exploitation/
15 February 2008 - "Cybercriminals are stepping up their efforts to exploit vulnerabilities in web browsers to spread malware using drive-by download techniques. Research by Google's anti-malware team on three million unique URLs on more than 180,000 websites automatically installed malware onto vulnerable PCs. Hackers are increasingly trying to trick search sites into pointing surfers onto maliciously constructed sites. More than one per cent of all search results contain at least one result that points to malicious content, Google reports*, adding that incidents of such attacks have grown steadily over recent months and continue to rise. Google's team also reports that two per cent of malicious websites are delivering malware via tainted banner ads. Israeli security firm Finjan has also observed a rise in the tactic over recent months, noting that many malicious ads are served from legitimate websites. A security report from IBM's X-Force division said cybercriminals are "stealing the identities and controlling the computers of consumers at a rate never before seen on the internet"..."
* http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html

> http://www.us-cert.gov/current/#mozilla_firefox_and_opera_browser
February 18, 2008
> http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx
MS08-010 - Updated: February 13, 2008

(Keep things patched! Is your browser up-to-date?...)

Opera v9.26 released
- http://forums.spybot.info/showthread.php?p=166220#post166220
Release Date: 2008-02-20

:fear::spider:

AplusWebMaster
2008-02-20, 18:03
FYI...

- http://www.theregister.co.uk/2008/02/20/symantec_enpoint_security_error_bug/
20 February 2008 - "Symantec is working to patch a bug that generates errors in corporate security protection updates. Workarounds enabling virus signature definition updates to Symantec Endpoint Protection are available, but a more comprehensive fix is still in testing. The glitch in Symantec's LiveUpdate package has left sysadmins managing Symantec Endpoint Protection coping with "broken" clients... Symantec has published an advisory* detailing workarounds. Posts on Symantec forums indicate that the problem first reared its head on 11 February... looks like every Symantec customer worldwide has been affected by the issue..."
* http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008021213593948
Last Modified: 02/15/2008

:lip:
-----------

- http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008021213593948
Last Modified: 02/20/2008 - "...Solution:
Symantec has released a new Decomposer to the LiveUpdate Servers to resolve this issue. If you used the previously stated workaround, please re-check the Decomposer signatures and select "Use latest available"..."

.

AplusWebMaster
2008-02-21, 20:16
FYI...

- http://preview.tinyurl.com/ytx4dc
02/20/08 (NetworkWorld) - "People-driven security, an approach that pools the judgments of individual participants to identify new threats, is gathering momentum, with uses popping up in everything from antimalware and spam blocking to site filtering. OpenDNS's Domain Tagging, introduced in February, is the latest example of this kind of strength in numbers. The free Web-filtering service allows subscribers to block sites in their choice of categories... "The good guys need to out-share the bad guys to help counter them," says Johannes Ullrich, chief research officer at the Internet Storm Center (ISC)... Together, people-powered tools and sites work to build genuine security that benefits the entire online community."

:spider::cool::spider:

AplusWebMaster
2008-02-22, 14:34
FYI...

Netscape multiple Vulns - update available
- http://secunia.com/advisories/29049/
Release Date: 2008-02-21
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Netscape 9.x
...can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, conduct spoofing attacks, or to compromise a user's system.
Solution: Update to version 9.0.0.6:
http://browser.netscape.com/downloads
"Official support for all Netscape client products will end on March 1st, 2008..."
http://blog.netscape.com/2007/12/28/end-of-support-for-netscape-web-browsers

AplusWebMaster
2008-02-22, 19:25
FYI...

- http://blog.washingtonpost.com/securityfix/2008/02/wall_street_reports_higher_pc_1.html
February 22, 2008 - "...In the first half of 2007, companies involved in managing securities and futures trades reported a 47 percent increase in the number of fraudulent or suspicious transactions attributed to computer break-ins, according to data released last month by the Financial Crimes Enforcement Network (FinCEN). Financial institutions are required to file suspicious activity reports (SARs) when a suspected fraudulent or illegal transfer of funds exceeds $5,000. According to FinCEN, trading institutions filed more computer intrusion-related securities fraud reports in the first half of 2007 than they reported in all of 2006... The report doesn't provide any guesses as to what factors might be responsible for those notable increases. But here's my take: Cyber crooks are going after and compromising online stock trading accounts just as they are online banking accounts*..."
* http://blog.washingtonpost.com/securityfix/2008/02/banks_losses_from_computer_int.html
02/20/2008

:fear::fear:

AplusWebMaster
2008-03-24, 13:55
FYI...

- http://blog.trendmicro.com/better-business-bureau-phish-with-trojan-downloader/
March 23, 2008 - "The Better Business Bureau (BBB) is the target of a new phishing scam, in which a user is asked to download a rogue ActiveX installer upon visiting the Web site... installer is actually a Trojan downloader file named Acrobat.exe... The BBB has a history of being a target of malware authors and spammers, besides phishers. Previously, it has been used as a subject of spam that contained malware detected as TROJ_ARTIEF.A."

(Screenshots available at the URL above.)

:fear::spider:

AplusWebMaster
2008-03-24, 14:18
FYI...

- http://isc.sans.org/diary.html?storyid=4187
Last Updated: 2008-03-24 10:18:07 UTC - "...Over the last week or two there have been more instances of the Death Threat SPAM emails. These particularly nasty messages explain how someone you know wants you dead and the hired killer is contacting you to make a deal. These can be very upsetting for the recipient. Whilst they are typically spam messages, treat them seriously and report them if you feel it is necessary..."

- http://mobile.fbi.gov/pressrel/2007/extortion070707.htm
"...The message from the FBI... do NOT respond, and to file a complaint through the IC3.gov website. Due to the threat of violence in these extortion e-mails, if an individual receives an e-mail that contains personal information that might differentiate their e-mail from the general e-mail spam campaign, the recipient should contact the FBI immediately at 251-438-3674..."

:fear: