AplusWebMaster
2006-03-28, 19:59
FYI...
- http://antiphishing.org/crimeware.html
"The Phishing and Crimeware map displays the most recent data collected by Websense Security Labs (WS Labs) and provides a historical look into where Phishing and Crimeware related websites are hosted on the Internet. Upon discovery, each site is looked up via its IP Address to track the country of origin through the appropriate IP registrars and plotted on the map. The data is updated approximately 15 minutes after discovery."
:eek:
AplusWebMaster
2007-04-13, 14:56
FYI...
- http://isc.sans.org/diary.html?storyid=2612
Last Updated: 2007-04-12 20:54:39 UTC ...(Version: 10) ~ "...The Subject of the email (that we have seen so far) says:
"Worm Alert!"
"Worm Detected"
"Virus Alert"
"ATTN!"
"Trojan Detected!"
"Worm Activity Detected!"
"Spyware Detected!"
"Dream of You"
"Virus Activity Detected!"
It has two attachments, one being an image with 'panic-worded text', and the other is a password protected zip file, whose password is revealed in the image. The zip file appears to be named:
"patch-<random 4 or 5 digit number>.zip"
"bugfix-<random 4 or 5 digit number>.zip"
"hotfix-<random 4 or 5 digit number>.zip"
"removal-<random 4 or 5 digit number>.zip" ..."
- http://www.pcworld.com/printable/article/id,130686/printable.html
April 12, 2007 03:00 PM PDT ~ "...Postini*, an e-mail security company, says that over the last 24 hours it has seen about 55 million virus e-mails, about 60 times the daily average. The first e-mails had romance-themed subjects: "A kiss so gentle," or "I dream of you," for instance. The latest batch attempts to fool readers--with subjects like "Worm Alert!" or "Virus Alert!"--into thinking they are already infected and need to apply a supplied patch--an attached virus... Cloudmark, another e-mail security company, says it sees similar outbreak numbers. Today's flood is ten times as large as one this past Sunday, which also involved the virulent Storm Worm..."
* http://www.postini.com/stats/index.php
> http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199000691
--------------------------------------
> http://www.f-secure.com/weblog/archives/archive-042007.html#00001167
Friday, April 13, 2007 - Posted @ 02:19 GMT
--------------------------------------
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199000950
April 13, 2007 ~ "...The Internet Storm Center reported detecting at least 20,000 infections, while the Security Response Team at Symantec said they received several hundred thousand reports of the malicious e-mail making the rounds. That all changed on Friday morning when the attack went quiet... Encrypting the malicious code makes it much more difficult for anti-virus programs to catch it, and if they can't catch it, they can't stop it. If a user opens the file, his machine is infected with the malware and it then connects to a peer-to-peer network where it can upload data, including personal information from the infected computer. It also can download additional malware onto the infected system. The fact that infected computers connect through a peer-to-peer system and not to a standalone server or even a node makes it extremely hard to shut down... Paul Henry, VP of technology evangelism with Secure Computing, said in an interview that this latest Storm attack was aimed at building out the hackers' botnet. "The whole end game is building a bigger, better botnet," he said..."
(Arrgghh!)
AplusWebMaster
2007-04-19, 12:13
FYI...
- http://www.f-secure.com/weblog/archives/archive-042007.html#00001172
April 19, 2007 ~ "It's been awhile since the last attack of the Warezov gang. But it seems now they're back in action... e-mail of the new Warezov... being spammed... The zip file attachment contains an executable file that uses a text file icon as a decoy (Update-KB4765-x86.exe)... This executable file is a downloader for its other components. The link is encrypted with a simple XOR. For system administrators, you may want to block network traffic from the following malicious link: linktunhdesa .com /h[REMOVED]2.exe ..."
(Screenshots available at the F-secure URL above.)
:fear:
AplusWebMaster
2007-04-27, 03:10
FYI...
- http://blog.washingtonpost.com/securityfix/2007/04/virus_writers_taint_google_ad.html
April 25, 2007 ~ "Virus writers have been gaming Google's "sponsored links" -- the paid ads shown alongside search engine results*. They are aiming to get their malicious software installed on computers whose users click onto ad links after searching for legitimate sites such as BBBonline.org, the official Web site of the Better Business Bureau. Sponsored links allow customers to buy advertisements attached to a particular search term. When a Google user enters a term into the firm's search engine, the ad belonging to the advertiser that bid the highest price for that search term appears at the top of the list of search results. According to a report at Exploit Prevention Labs**, while the top sponsored links that showed up earlier this week when users searched for "BBB," "BBBonline" or "Cars.com" appeared to direct visitors to those sites, they initially would route people who clicked on the ads through an intermediate site. The intermediate site attempted to exploit a vulnerability in Microsoft Windows to silently install software designed to steal passwords and other sensitive information from infected PCs. The attackers exploited a flaw in Microsoft's Internet Explorer Web browser, a problem that the company issued a patch to fix..."
>>> * http://blog.washingtonpost.com/securityfix/gnh.html
** http://explabs.blogspot.com/2007/04/google-sponsored-links-not-safe.html
- http://weblog.infoworld.com/zeroday/archives/2007/04/google_adwords.html
April 25, 2007 ~ "...A closer inspection by Exploit Prevention Labs researchers revealed that the attacks were actually coming from a site called smarttrack.org, a Russian Web site that serves up a variety of Web exploits..."
:fear: :mad:
AplusWebMaster
2007-05-11, 18:31
FYI...
- http://www.f-secure.com/weblog/archives/archive-052007.html#00001190
May 11, 2007 ~ "...Mobile spyware and spying tools have been active lately. This week, we have received samples of two new mobile spying tools – running on new platforms. There is now spyware for both Windows Mobile and Symbian S60 3rd Edition devices... Spyware is being developed by commercial companies that have a lot more resources, skills, and motivation to get their creations to work. Both new spying tools are rather similar in their capabilities. After being installed on the device, they hide from the user and report information from the phone to a central server. From there, it can be accessed through a web page interface. An interesting fact is that the spyware for the Symbian 3rd Edition platform is Symbian signed. Therefore it can be installed without any warnings and is capable of operating without Symbian security alerting the user that something is going on... The fact that the spy tool authors could get their software certified indicates a potential issue when using digital signatures and certificates as the only security measure. On one hand the software is technically exactly what it claims to be, an application that backs up user data to a server. One the other hand, when the software is installed onto the device without the primary user's knowledge and permission, it can be used as a spying tool that compromises the said user's personal privacy. Thus if suspect applications cannot break security components, they can then play with the process of certification..."
(Screenshots and more detail at the URL above.)
:fear:
AplusWebMaster
2007-06-18, 19:04
FYI...
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=782
June 18, 2007 ~ "Websense® Security Labs™ has received reports of a large scale attack in Europe that is using the MPACK* web exploit toolkit... At the time of this alert our ThreatSeeker technology has discovered more than *10,000* sites that have been compromised and have IFRAMES pointing to the hub infection site. Assuming users connect to one of the compromised sites and are vulnerable to one of several loaded exploits a Trojan Horse is downloaded onto their machine which is designed to steal banking, and potentially other confidential information through a (series) of web infection downloads. The main site has a statistics page and it has shown very large numbers of users connecting to the infected sites and high levels of users who have been compromised... The top regions are Italy, Spain, and the United States..."
(Graphics and sample statistics available at the URL above.)
* http://blogs.pandasoftware.com/blogs/pandalabs/archive/2007/05/11/MPack-uncovered_2100_.aspx
------------------------------------------------
- http://blog.trendmicro.com/another-malware-pulls-an-italian-job/
June 18, 2007 ~ "Remember LINKOPTIM, which exploited a number of legitimate Italian Web sites to spread malicious JavaScripts? Since early Saturday morning (June 16, 2007), Trend Micro has been receiving several reports of a new batch of hacked Italian Web sites that trigger a series of malware downloads once a user visits them. These infection series begin with a malicious IFRAME tag. Trend Micro detects Web pages hosting the said malicious tag as HTML_IFRAME.CU. All the compromised sites are hosted in Italy...Most of the legitimate Web sites that were compromised by the malware authors are related to tourism, automotive industry, movies and music, tax and employment services, some Italian city councils, and hotels sites. Apparently, most of these sites are hosted on one of the largest Web hoster/provider in Italy..."
(Sample screenshot of a compromised Web site at the URL above.)
:fear::fear:
AplusWebMaster
2007-06-19, 13:28
More...
- http://www.theregister.com/2007/06/18/hijacked_sites_install_malware/
18 June 2007 ~ "More than 10,000 websites have been infected by a sophisticated and fast-acting Trojan downloader that attempts to install malware on visiting PCs. At least one security firm, Trend Micro, is working with the FBI to contain the damage and track down the perpetrators. The attack is noteworthy for the number of sites it has managed to infect in a relatively short period of time. Between Friday and Sunday night, the number jumped from 1,100 to about 2,500. By Monday afternoon, California time, there were more than 10,000 infected sites, according to Paul Ferguson, a network architect for Trend Micro... The hacked websites cover the gamut, from a site connected to the rock musician Bon Jovi to one that tries to raise money for charity work of the late Mother Teresa. Most of the compromised sites are mom-and-pop run affairs and are concerned with travel or entertainment.
An iframe buried underneath the hacked sites redirects users to a server that's hosted at a San Francisco-area co-location site that's been used previously by cyber criminals, Ferguson says. That site redirects to yet another server hosted in Chicago. The San Francisco server is registered to a front-company based in Hong Kong.
Ferguson said researchers and authorities are trying to contain the attacks by getting the San Francisco and Chicago sites shut down. MPack is a powerful kit that bundles together many different malware tools. Among other things, it logs detailed information about the machines it attacks, including the IP addresses of machines it has infected and what exploits a particular user is vulnerable to. It is similar to another malkit called WebAttacker. The attack resembles one from February which targeted certain Miami Dolphins Web sites on the same day the National Football League team hosted the Super Bowl. The legions of fans who visited the site were redirected to third party sites that attempted to install malware on their machines. Such attacks are increasing, largely thanks to the growing use of powerful javascript that vastly improves the functionality of websites. Unfortunately, programmers haven't paid close enough attention to how these scripts can be abused..."
-----------------------------------------
- http://www.computerworld.com.au/index.php/id;1851322309;fp;16;fpid;1;pf;1
19/06/2007 ~ "...'The usual advice we give, "avoid the bad neighborhoods of the Web," just doesn't hold water anymore' when legitimate sites have been hacked and are serving up exploits left and right, Ferguson said. 'Everywhere could be a bad neighborhood now.'
...
AplusWebMaster
2007-06-21, 13:06
FYI...
- http://isc.sans.org/diary.html?storyid=3015
Last Updated: 2007-06-20 21:42:28 UTC ~ "...Earlier today VeriSign/iDefense released some pretty good analysis of how it works, what the value of it is, and other goodies. This summary does not exist online but has been spread via email to the media and other outlets. Rather than trying to summarize it, iDefense gave the Internet Storm Center permission to reprint it in its entirety...
'...More than 10,000 referral domains exist in a recent MPack attack, largely successful MPack attack in Italy, compromising at least 80,000 unique IP addresses. It is likely that cPanel exploitation took place on host provider leading to injected iFrames on domains hosted on the server. When a legitimate page with a hostile iFrame is loaded the tool silently redirects the victim in an iFrame to an exploit page crafted by MPack. This exploit page, in a very controlled manner, executes exploits until exploitation is successful, and then installs malicious code of the attacker's choice...
...MPack leverages multiple exploits, in a very controlled manner, to compromise vulnerable computers. Exploits range from the recent animated cursor (ANI) to QuickTime exploitation. The latest version of mPack, .90, includes the following exploits:
MS06-014
MS06-006
MS06-044
MS06-071
MS06-057
WinZip ActiveX overflow
QuickTime overflow
MS07-017...' "
(Complete analysis at the URL above.)
.
AplusWebMaster
2007-06-27, 05:02
FYI...
- http://isc.sans.org/diary.html?storyid=3054
Last Updated: 2007-06-26 22:46:51 UTC ...(Version: 3)
"Several of our readers reported an email that led to a fake Microsoft patch being spammed on the net today. The email had their full names and in one case the company they worked for included in the body of the email. So far I have seen 4 different urls. We are working on getting the systems hosting the malware cleaned or shutdown. We have submitted the malware itself to most of the AV vendors so detection should improve but currently it is not detected... You can see in the body of the email... that the spelling is bad and the license key is not in the right format for XP nor Outlook. Microsoft pointed us to a couple of web pages they maintain that should help you recognize fraudulent email...
> http://www.microsoft.com/protect/yourself/phishing/msemail.mspx
> http://www.microsoft.com/canada/athome/security/email/ms_genuine_mail.mspx
=====================================
From Norman Sandbox:
MSOUTRC2007Update-KB863892.exe : INFECTED with W32/Malware (Signature: NO_VIRUS)
[ DetectionInfo ]
* Sandbox name: W32/Malware
* Signature name: NO_VIRUS
[ General information ]
* Drops files in %WINSYS% folder.
* File length: 20480 bytes.
* MD5 hash: c7a8bde380043b5d8d7229e82db1c2fc.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\sdoctor.exe.
* Creates file C:\france.html.
* Deletes file c:\france.html.
[ Changes to registry ]
* Creates value "SpywareDoctor"="C:\WINDOWS\SYSTEM32\sdoctor.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Attemps to NULL C:\COMMAND.COM /c del c:\sample.exe >> NUL.
* Modifies other process memory.
* Creates a remote thread.
[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\sdoctor.exe (20480 bytes) : no signature detection...
We notified one of the support teams at a hosting provider that a virus was found on one of their customers' systems. Their auto responder responded within a minute. A support person removed the malware and responded within 30 minutes. When I tried to verify that I found the malware was still there or back. When I notified the hosting provider that the malware was back the support person analysed logs, determined it was being uploaded via ftp and immediately disabled the ftp account involved."
:fear::buried:
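A small parser for the Norman Sandbox report format quoted above, added here as an example (it is not ISC's or Norman's code): it pulls the MD5, the dropped files and the registry writes out of the text and flags any autorun value that points at a file the sample itself created. The report text is the one quoted in the post; the list of autorun key suffixes is an assumption for the example.

```python
"""Parse a Norman Sandbox-style report and flag autorun persistence.

Added example for this thread, not Norman's or ISC's tooling. SAMPLE_REPORT
is the report quoted in the post above (indicators copied from the page).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_REPORT = """
[ DetectionInfo ]
* Sandbox name: W32/Malware
* Signature name: NO_VIRUS
[ General information ]
* Drops files in %WINSYS% folder.
* File length: 20480 bytes.
* MD5 hash: c7a8bde380043b5d8d7229e82db1c2fc.
[ Changes to filesystem ]
* Creates file C:\\WINDOWS\\SYSTEM32\\sdoctor.exe.
* Creates file C:\\france.html.
* Deletes file c:\\france.html.
[ Changes to registry ]
* Creates value "SpywareDoctor"="C:\\WINDOWS\\SYSTEM32\\sdoctor.exe" in key "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".
[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Modifies other process memory.
* Creates a remote thread.
"""

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
ITEM_RE = re.compile(r"^\*\s+(.*?)\.?$")  # lazy group drops the trailing full stop
FILE_RE = re.compile(r"^(Creates|Deletes) file (.+)$")
REG_RE = re.compile(r'^Creates value "([^"]*)"="([^"]*)" in key "([^"]*)"$')
MD5_RE = re.compile(r"^MD5 hash: ([0-9a-fA-F]{32})$")

# Registry keys whose values run at logon (assumed list for this example).
AUTORUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)


@dataclass
class Indicators:
    md5: Optional[str] = None
    created_files: List[str] = field(default_factory=list)
    deleted_files: List[str] = field(default_factory=list)
    registry_values: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, data, key)
    behaviours: List[str] = field(default_factory=list)  # free-text items from the process section


def parse_report(text: str) -> Indicators:
    """Walk the '[ Section ]' / '* item' lines and sort items into indicator buckets."""
    ind = Indicators()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1).lower()
            continue
        item_match = ITEM_RE.match(line)
        if not item_match:
            continue
        item = item_match.group(1)
        md5 = MD5_RE.match(item)
        if md5:
            ind.md5 = md5.group(1).lower()
            continue
        fm = FILE_RE.match(item)
        if fm:
            bucket = ind.created_files if fm.group(1) == "Creates" else ind.deleted_files
            bucket.append(fm.group(2))
            continue
        rm = REG_RE.match(item)
        if rm:
            ind.registry_values.append((rm.group(1), rm.group(2), rm.group(3)))
            continue
        if section.startswith("process"):
            ind.behaviours.append(item)
    return ind


def autorun_entries(ind: Indicators) -> List[Tuple[str, str, str]]:
    """Registry values under an autorun key whose data names a file the sample created."""
    created = [p.lower() for p in ind.created_files]
    hits = []
    for name, data, key in ind.registry_values:
        under_autorun = any(key.lower().endswith(s) for s in AUTORUN_KEY_SUFFIXES)
        if under_autorun and any(p in data.lower() for p in created):
            hits.append((name, data, key))
    return hits


def triage(text: str) -> dict:
    """One-shot summary a responder could paste into a ticket."""
    ind = parse_report(text)
    hits = autorun_entries(ind)
    return {
        "md5": ind.md5,
        "dropped": ind.created_files,
        "persistence": hits,
        "verdict": "persistent dropper" if hits else "no autorun persistence seen",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```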
AplusWebMaster
2007-06-29, 15:13
FYI...
- http://isc.sans.org/diary.html?storyid=3063
Last Updated: 2007-06-28 23:33:56 UTC ~ "...There is a new round of emails with malicious links that is making its way to the inbox of many folks. If you haven't gotten one yet, just give it time. Here is a quick summary of what we have found. The subject lines that we have gotten examples of have all been identical. You may have gotten something else.
"Subject: You've received a postcard from a family member!" ...
The ecard numbers in the URL above are variable across SPAM samples.
There are 3 exploits available and they are tried in order.
The first one is for QuickTime.
If that fails a Winzip exploit is attempted
If that fails, the "hail mary" is the WebViewFolderIcon exploit...
Here are a few more of the malware hosting servers they've relied on in recent months in addition to the HopOne and Softlayer host above:
27645 | 205.209.179.15 | 205.209.128.0/18 | US | arin | ASN-NA-MSG-01 - Managed Solutions Group, Inc
27595 | 216.255.189.214 | 216.255.176.0/20 | US | arin | INTERCAGE - InterCage, Inc
14361 | 66.148.74.7 | 66.148.64.0/19 | US | arin | HOPONE-DCA - HopOne Internet Corporation
36351 | 75.126.21.162 | 75.126.0.0/17 | US | arin | SOFTLAYER - SoftLayer Technologies Inc
36351 | 75.126.226.224 | 75.126.0.0/16 | US | arin | SOFTLAYER - SoftLayer Technologies Inc..."
- http://preview.tinyurl.com/2g58ud
June 28, 2007 (Computerworld) - "...'This is widespread, and leads the user to multiple IP addresses,' said Shimon Gruper, vice president at Aladdin Knowledge Systems Inc., a security company known for its eSafe antivirus software. 'There's not a single server, there are multiple exploits, [and the e-mail] has no attachments. This will be very difficult to detect.' Two days ago, a Symantec honeypot captured a similar Web site-hosted attack that had an arsenal of exploits at its disposal. That attack, however, featured an unusual, if rudimentary, browser detector that sniffed out whether the target computer is running Microsoft's Internet Explorer (IE) or Mozilla Corp.'s Firefox. If the attack detects IE, it feeds the machine a Windows animated cursor exploit. If it finds Firefox, however, the sites spit out a QuickTime exploit."
- http://www.us-cert.gov/current/#new_storm_worm_variant_spreads
June 29, 2007
--------------------------------------
- http://asert.arbornetworks.com/2007/06/you-got-postcard-malware/
June 29, 2007 ~ "...Pretend you actually clicked the link. What would happen? You’d possibly get your machine recruited into the Peacomm spam botnet. This handy diagram* shows you what happens once you hit the website. There’s some obfuscated JavaScript on the page which builds a link to /123.htm, a malicious ANI file (MS07-017), and other exploits - QuickTime, WinZIP, and WebViewFolderIcon - all to cajole your computer into downloading files and launching them. There’s also a link to “/ecard.exe”, a downloader... If you actually get hit, your box will ping the web server (/aff/cntr.php) start to download the Peacomm components, like /aff/dir/sony.exe , /aff/dir/logi.exe, and /aff/dir/pdp.exe..."
(*Diagram shown at the URL above.)
:fear:
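A checker for the hosting-server list in the ISC diary above, added as an example (not ISC's tooling): it parses the 'asn | ip | prefix | cc | rir | name' lines quoted in the post, does a longest-prefix match of a destination address against the listed networks, and runs that over a few constructed proxy log records. The five data lines are copied from the page; the log records and URLs are constructed.

```python
"""Match destination addresses against the malware-hosting prefixes quoted above.

Added example for this thread, not ISC's code. HOSTING_LINES are the five lines
quoted in the diary (copied from the page); SAMPLE_LOG is constructed.
"""
import ipaddress
from typing import List, NamedTuple, Optional

HOSTING_LINES = """
27645 | 205.209.179.15 | 205.209.128.0/18 | US | arin | ASN-NA-MSG-01 - Managed Solutions Group, Inc
27595 | 216.255.189.214 | 216.255.176.0/20 | US | arin | INTERCAGE - InterCage, Inc
14361 | 66.148.74.7 | 66.148.64.0/19 | US | arin | HOPONE-DCA - HopOne Internet Corporation
36351 | 75.126.21.162 | 75.126.0.0/17 | US | arin | SOFTLAYER - SoftLayer Technologies Inc
36351 | 75.126.226.224 | 75.126.0.0/16 | US | arin | SOFTLAYER - SoftLayer Technologies Inc
"""

# Constructed proxy records: "<client> <destination ip> <url>" (URLs use a reserved name).
SAMPLE_LOG = [
    "10.1.2.3 75.126.21.162 http://example.invalid/ecard.exe",
    "10.1.2.4 198.51.100.7 http://example.invalid/index.html",
    "10.1.2.5 216.255.180.1 http://example.invalid/aff/cntr.php",
]


class HostingEntry(NamedTuple):
    asn: int
    server: ipaddress.IPv4Address   # the host actually seen serving exploit pages
    prefix: ipaddress.IPv4Network   # the announced prefix it sits in
    country: str
    registry: str
    as_name: str


def parse_line(line: str) -> HostingEntry:
    """Split one pipe-separated line; the AS name may itself contain ' - ' but never '|'."""
    asn, ip, prefix, cc, rir, name = [f.strip() for f in line.split("|", 5)]
    return HostingEntry(int(asn), ipaddress.IPv4Address(ip),
                        ipaddress.IPv4Network(prefix), cc, rir, name)


def load_entries(text: str) -> List[HostingEntry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def lookup(ip: str, entries: List[HostingEntry]) -> Optional[HostingEntry]:
    """Longest-prefix match: the most specific listed prefix containing ip, or None."""
    addr = ipaddress.IPv4Address(ip)
    hits = [e for e in entries if addr in e.prefix]
    return max(hits, key=lambda e: e.prefix.prefixlen) if hits else None


def is_listed_server(ip: str, entries: List[HostingEntry]) -> bool:
    """Exact match on the server column, i.e. a host already observed in the campaign."""
    return any(ipaddress.IPv4Address(ip) == e.server for e in entries)


def triage_log(records: List[str], entries: List[HostingEntry]) -> List[dict]:
    """Report every record whose destination falls inside a listed prefix."""
    findings = []
    for record in records:
        client, dest, url = record.split(maxsplit=2)
        hit = lookup(dest, entries)
        if hit is None:
            continue
        findings.append({
            "client": client,
            "dest": dest,
            "url": url,
            "asn": hit.asn,
            "as_name": hit.as_name,
            "prefix": str(hit.prefix),
            "server_seen_before": is_listed_server(dest, entries),
        })
    return findings


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG, load_entries(HOSTING_LINES)):
        print(finding)
```

Note that the diary lists SoftLayer once as /17 and once as /16; the longest-prefix rule picks the /17 for addresses in the lower half and falls back to the /16 for the rest.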
AplusWebMaster
2007-07-25, 14:00
FYI...
- http://isc.sans.org/diary.html?storyid=3186
Last Updated: 2007-07-24 22:15:22 UTC - "We have received several reports today from people that are getting flooded with SPIM on their IM accounts. These messages are providing a link to various web sites. These sites all seem to point to one site www dot messenger-tips dot com. This site purports to check your IM friends/contacts and report back to you which of them have blocked you. All you have to do is give them your login and password information. You also have to agree to their terms and conditions. OK, so we read their Terms and Conditions page, and what do we find? First,
They will NOT be responsible for any misuse of the information you provide. They also have no liability for content, views, advice or guidance because they provide a service that is for entertainment purposes only. (Huh? what entertainment). You provide them with the id and password, of course they won't store the information with anyone without your consent. (And if you believe that I have a bridge I will sell you.) Now here is the real catch-22. By agreeing to the terms and conditions you agree to allow them to SPIM all of your friends and contacts. Wonderful.
I am not sure if this program installs any malware or sets up any hole in your computer for them to crawl through... Bottom line folks, DO NOT CLICK ON LINKS."
("Spam Over Internet Messaging" - Unsolicited commercial messages sent via an instant messaging system.)
.
AplusWebMaster
2007-07-28, 15:22
FYI...
- http://www.networkworld.com/news/2007/072707-akonix-im-attacks-up.html
July 27, 2007 - "Malicious code attacks over instant messaging networks are up almost 80% over last year, according to a new study from vendor Akonix*. In July, the company, which develops IM hygiene and compliance appliances and services, said it uncovered 20 malicious code attacks over IM in July. The total number of threats for 2007 so far is 226, the company said. That number is a 78% increase over the last year. The company also said attacks on peer-to-peer networks, such as Kazaa and eDonkey, increased 357% in July 2007 over July 2006, with 32 attacks. That report comes on the heels of a report by peer-to-peer network monitoring vendor Tiversa**, which found contractors and U.S. government employees are sharing hundreds of secret documents on peer-to-peer networks. In many cases, those users were overriding the default security settings on their peer-to-peer software to do so, according to Tiversa...."
* http://www.akonix.com/press/releases-details.asp?id=138
** http://preview.tinyurl.com/2ut2of
(Computerworld)
:mad::fear::spider:
AplusWebMaster
2007-07-30, 22:54
FYI...
- http://isc.sans.org/diary.html?storyid=3200
Last Updated: 2007-07-30 19:07:36 UTC - "A reader alerted us to a bunch of malware that he had found after starting to unravel a pile of interlinked exploit pages. The exploit pages are spammed with "adult movie" kinda themes into search engines, etc, and thus most likely find enough "volunteers" who click on the links. Domains involved are clipsforadults-dot-com and several of 9u???-free-movies-dot-cn, with the ??? standing for several letter combinations like eyd,gfo,fdo, etc. Someone's been busy registering throw-away domains. The one bit that was of interest to us is ... that at the very end of this pile, the links try to download a "codec" off the site installobject-dot-com. The link used contains a 4-digit number, and each number, over a wide range, seems to return a slightly different binary. Installobject-dot-Com resolves to 85.255.113.235, a known bad address range for years - see http://isc.sans.org/diary.html?storyid=1873
AV detection is still thin, we are trying to help it along some. The files are of the W32/Zlob family, Kaspersky calls it Trojan-Downloader.Win32.Zlob.bxt, Trend Micro has it as TROJ_ZLOB.DND, and McAfee has protection coming up as Puper.DR. Adult sites from China, nasty trojans from Ukraine..."
> http://preview.tinyurl.com/yqj5pq
July 30, 2007 - (Infoworld) - "...Last week, a new ransomware Trojan appeared on the radar of security researchers, and was quickly identified as a modified version of the GpCode nasty that first hit the Internet as long ago as Spring 2005, and was tracked to a Russian site. As with its predecessors, the new Trojan, also named "Glamour," sets out to encrypt data files on any PC it infects, demanding a ransom of $300 in return for a key to unlock files. Now an analysis from security research outfit Secure Science Corporation (SSC) has plotted the large number of similarities between the new GpCode and another version that appeared in 2006. Of the 168 functions identified in the code of the new variant, 63 were identical to the older 2006 version... "In the 8 months since November, we've recovered stolen data from 51 unique drop sites [...]. The 14.5 million records found within these files came from over 152,000 unique victims," says the report..."
- http://www.securescience.com/home/newsandevents/news/decoder.html
Jul 19, 2007
:fear:
AplusWebMaster
2007-08-09, 16:38
FYI...
> http://www.us-cert.gov/current/#cisco_releases_security_advisories_for1
August 8, 2007 - " Cisco has issued four Security Advisories to address several vulnerabilities in their Internetwork Operating System (IOS) and Unified Communications Manager. These vulnerabilities may allow an attacker to overwrite or retrieve arbitrary files, cause a denial-of-service condition, or execute arbitrary code on an affected system..."
(Cisco links available at the URL above.)
- http://www.us-cert.gov/current/#cisco_releases_security_advisories_for1
updated August 9, 2007
"...US-CERT is aware of publicly available exploit code for one of these vulnerabilities..."
.
AplusWebMaster
2007-09-21, 14:23
FYI...
- http://www.guardian.co.uk/technology/2007/sep/21/hacking.ebay
September 21 2007 - "Kits that claim to help people hack into computers have been discovered for sale on the auction website eBay. Security experts found a selection of CDs, DVDs and programs for sale on eBay that promise to help buyers learn how to break into computers over the net. One CD - claiming to be on sale "for educational use only" - promises details of how to access other people's computers and contains a selection of programs commonly used for hacking. It is available through the site for £5.99. Many of the programs form the basic building blocks for computer crime, allowing even inexperienced hackers to find ways to get inside their victims' computers, or of masking their identities..."
:fear::mad:
AplusWebMaster
2007-10-08, 14:55
FYI...
* http://www.adobe.com/support/security/advisories/apsa07-04.html
October 5, 2007 - "...Vulnerability identifier: APSA07-04...
Platform: Windows XP (Vista users are not affected) with Internet Explorer 7 installed
Affected Software Versions:
Adobe Reader 8.1 and earlier versions
Adobe Acrobat Standard, Professional and Elements 8.1 and earlier versions
Adobe Acrobat 3D
Summary:
Adobe is aware of a recently published report of a critical security vulnerability in Adobe Reader and Acrobat.
Solution:
To protect Windows XP systems with Internet Explorer 7 installed from this vulnerability, administrators can disable the mailto: option in Acrobat, Acrobat 3D 8 and Adobe Reader by modifying the application options in the Windows registry*... the Secure Software Engineering team is working with the Adobe Reader Engineering team on an update to versions 8.1 of Adobe Reader and Acrobat that will resolve this issue. A security bulletin will be published on http://www.adobe.com/support/security as soon as that update is available. We expect the update to be available before the end of October. In the meantime, Adobe recommends that Acrobat and Reader customers use caution when receiving unsolicited e-mail communications requesting user action, such as opening attachments or clicking Web links..."
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5020
:fear:
AplusWebMaster
2007-10-10, 19:05
FYI...
- http://www.theinquirer.net/gb/inquirer/news/2007/10/10/linux-kernel
10 October 2007 - "...There will probably be a few more patches as this new kernel sees use in a wider variety of systems - including yours, should you choose to play with it but it should be fairly stable within a couple of months, at which time you'll begin to see the major Linux distributions start releasing systems based upon it."
Release notes:
- http://kernelnewbies.org/Linux_2_6_23
9 October 2007
:spider:
AplusWebMaster
2007-10-12, 15:43
FYI...
- http://secunia.com/advisories/27223/
Release Date: 2007-10-12
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
...The vulnerabilities are reported in version 5.35. Other versions may also be affected.
Software: Winamp 5.x
Solution: Update to version 5.5.
http://www.winamp.com/player ...
> http://www.winamp.com/player/version-history
:fear:
AplusWebMaster
2007-10-16, 22:51
FYI...
- http://secunia.com/advisories/26619/
Release Date: 2007-10-16
Critical: Moderately critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: IrfanView 3.x, IrfanView 4.x
...The vulnerability is confirmed in version 4.00. Other versions may also be affected.
Solution: Update to version 4.10.
http://www.irfanview.com/main_download_engl.htm
.
AplusWebMaster
2007-10-17, 23:14
FYI...
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=809
October 17, 2007 - "Websense® Security Labs™ has discovered a new Trojan Horse being distributed via spam email in Latin America. The email message is written in Spanish, and includes the subject line: "Espero que te guste"
The email acts as a lure, attempting to get users to click a link and download a greeting card. There are several versions of the spam message, but the main difference is the location where the malicious code is stored. In all versions discovered to date, the file name is always "mexico.exe", and the MD5 is "ce073c460ec25d7e40efe3f717f75c38". In all samples, the file has been stored on compromised websites. If users click on the link and run the code, a browser window to Univision.com opens as a means of hiding what is happening in the background. The malicious code also connects to one or more additional websites to download an additional binary file, "file56.gif". This file is actually a Windows executable. The "file56.gif" binary can come from any of five different compromised sites. The file is downloaded to the Windows system32 directory and given the name "html.txt". The "html.txt" file is then renamed "html.exe" and run. The payload of the code is written in Delphi and packed with RLpack. It disables Task Manager, deletes the host file, and changes some startup options and Start menu options. It also includes an information stealing component..."
(Screenshot available at the URL above.)
.
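The alert above describes a download named "file56.gif" that is really a Windows executable, later renamed from "html.txt" to "html.exe". The check below, added here as an example and not Websense's code, compares what a file name claims with what the first bytes say: it walks the DOS header to the "PE\0\0" signature, reads the machine type, and flags any executable hiding behind an image or text extension. The byte strings are constructed stand-ins, not the real sample; the only hash in the known-bad set is the mexico.exe MD5 published in the alert.

```python
"""Spot a download whose name says 'image' or 'text' but whose bytes say 'Windows executable'.

Added example, not Websense's code. The file names follow the alert above; the
byte strings are constructed stand-ins, and KNOWN_BAD_MD5 holds only the MD5
the alert publishes for mexico.exe.
"""
import hashlib
import struct

KNOWN_BAD_MD5 = {"ce073c460ec25d7e40efe3f717f75c38"}  # mexico.exe, from the alert

IMAGE_MAGICS = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
PE_MACHINES = {0x14C: "x86", 0x8664: "x64"}  # IMAGE_FILE_HEADER.Machine values
EXT_TO_TYPE = {"gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
               "txt": "text", "exe": "pe"}


def pe_machine(data: bytes):
    """Return the PE machine type when data is MZ-stubbed and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature plus the 2-byte Machine field to be inside the buffer.
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return PE_MACHINES.get(machine, hex(machine))


def sniffed_type(data: bytes) -> str:
    """Content type from magic bytes, ignoring the file name entirely."""
    if pe_machine(data) is not None:
        return "pe"
    for magic, kind in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def claimed_type(filename: str) -> str:
    """Content type the extension promises."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_TYPE.get(ext, "unknown")


def triage(filename: str, data: bytes) -> dict:
    """Compare the name's claim with the bytes; an executable behind another extension is suspicious."""
    actual = sniffed_type(data)
    claimed = claimed_type(filename)
    md5 = hashlib.md5(data).hexdigest()
    return {
        "file": filename,
        "claimed": claimed,
        "actual": actual,
        "machine": pe_machine(data),
        "md5": md5,
        "known_bad": md5 in KNOWN_BAD_MD5,
        "suspicious": actual == "pe" and claimed != "pe",
    }


def build_fake_pe(machine: int = 0x14C) -> bytes:
    """Constructed minimal MZ stub plus PE signature and COFF header; not a runnable binary."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew at offset 0x3C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\x00\x00" + coff


FAKE_FILE56 = build_fake_pe()                      # constructed: "file56.gif" that is a PE
FAKE_REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;"  # constructed 1x1 GIF stub

if __name__ == "__main__":
    samples = (("file56.gif", FAKE_FILE56), ("holiday.gif", FAKE_REAL_GIF),
               ("html.txt", FAKE_FILE56), ("html.exe", FAKE_FILE56))
    for name, blob in samples:
        print(triage(name, blob))
```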
AplusWebMaster
2007-10-19, 13:45
FYI...
- http://preview.tinyurl.com/36awux
October 19, 2007 (Computerworld) - "Attackers are exploiting a zero-day vulnerability in RealPlayer in order to infect Windows machines running Internet Explorer, Symantec Corp. said late Thursday. The security company issued an alert that rated the threat with its highest possible score. According to a warning issued to customers of its DeepSight threat network, Symantec said an ActiveX control installed by RealNetworks Inc.'s RealPlayer program is flawed. When combined with Microsoft Corp.'s Internet Explorer (IE) browser -- which relies on ActiveX controls to extend its functionality -- the bug can be exploited, and malicious code downloaded to any PC that wanders to a specially-crafted site. Only systems on which both RealPlayer and IE have been installed are vulnerable. Symantec ranked the attack as a "10" on its urgency scale because it has confirmed that attacks are being conducted in the wild; those attacks have resulted in malicious code downloaded to victimized PCs. The only bright spot: "We are not currently aware of widespread exploitation of this issue," the company's warning read... Symantec also referenced a blog* that had posted some information about the RealPlayer vulnerability Wednesday morning..."
* http://www.infosecblog.org/2007/10/nasa-bans-ie.html
October 18, 2007 - "I heard that NASA is telling employees and contractors not to use IE due to malware affecting Internet Explorer and Real Player..."
:fear:
Real has issued a patch--
http://service.real.com/realplayer/security/191007_player/en/
AplusWebMaster
2007-10-23, 18:38
FYI...
- http://isc.sans.org/diary.html?storyid=3531
Last Updated: 2007-10-22 20:58:04 UTC
" http://www.adobe.com/support/security/bulletins/apsb07-18.html
...Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat
Release date: October 22, 2007
Vulnerability identifier: APSB07-18
CVE number: CVE-2007-5020
Platform: Windows XP (Vista users are not affected) with Internet Explorer 7 installed
> Affected software versions: Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier
> Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier"
The acrobat patch is available here http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
The reader patch is available here http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows ..."
.
AplusWebMaster
2007-10-23, 18:39
FYI...
- http://secunia.com/advisories/27279/
Release Date: 2007-10-23
Critical: Highly critical
Impact: Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: IBM Lotus Notes 6.x, IBM Lotus Notes 7.x ...
Solution: Update to version 7.0.3 or 8.0.
NOTE: Version 8.0 does not fix the vulnerability in wp6sr.dll.
http://www-306.ibm.com/software/lotus/support/upgradecentral/index.html ...
http://www-1.ibm.com/support/docview.wss?uid=swg21271111
"...Fixed in Lotus Notes 7.0.3 / Proposed for 8.0.1..."
.
AplusWebMaster
2007-10-24, 00:22
FYI...
- http://isc.sans.org/diary.html?storyid=3537
Last Updated: 2007-10-23 20:16:52 UTC - "The vulnerability initially reported here http://isc.sans.org/diary.html?storyid=3406 and confirmed here (with workaround) http://isc.sans.org/diary.html?storyid=3477 and patched here http://isc.sans.org/diary.html?storyid=3531 now appears to have been spotted in the wild. The proof of concept code had been released, and a number of people have reported receiving the PDFs which exploit the vulnerability. Obviously please patch, apply the workarounds, and/or ensure you can detect and block the exploit. File names seen so far are 'BILL.pdf' and 'INVOICE.pdf'."
> http://forums.spybot.info/showpost.php?p=129812&postcount=17
-----------------------------------
PDF Exploit Spam Used to Install Gozi Trojan in New Attack
- http://www.secureworks.com/research/threats/gozipdf/
October 23, 2007 - "...The attachment may instead be represented by an icon used to represent PDF files. These attachments use filenames such as BILL.pdf or INVOICE.pdf, but those filenames, as well as the sender and message content itself, may change. The attached exploit may be detected by some anti-malware vendors as Downloader.PDF, Pidief.A or similar names. The exploit downloads a first-stage downloader EXE file from an RBN (Russian Business Network) server via anonymous FTP and executes it. That downloader installs a variant of the Gozi Trojan which steals data as described in the Threat Analysis posted on the SecureWorks website:
* http://www.secureworks.com/research/threats/gozi/
The latest Gozi variant (Gozi.F) installed by this exploit was detected by 26% of 32 of the largest anti-malware vendors at the time of release..."
:fear::fear:
AplusWebMaster
2007-10-25, 21:39
FYI...
- http://www.websense.com/securitylabs/blog/blog.php?BlogID=152
Oct 25 2007 - "...Most of you have heard by now San Diego and some surrounding Los Angeles areas are suffering from devastating fires. Since our headquarters is in San Diego we have certainly been affected by the fires and several employees were evacuated and some have lost homes. One very amazing thing has been the outpouring of support both locally within the communities, state-wide, and internationally. We have received several offers for people to house folks who have had to relocate and several other offers for help.
Unfortunately, as we saw with Katrina and several other emergencies, there are also criminals who attempt to take advantage of the supporters who are willing to help. Please make sure you are dealing with legitimate organizations and, if possible, contact them on your own. Be very careful of people reporting to be agencies such as the Red Cross asking for donations or requesting you to visit their websites. They may be fraudulent or hosting malicious code designed to steal information such as banking details. For example, many suspicious eBay auctions have appeared requesting donations..."
(Screenshot available at the URL above.)
AplusWebMaster
2007-10-26, 16:28
FYI...
RealPlayer/RealOne/HelixPlayer multiple vulns - update available
- http://secunia.com/advisories/27361/
Release Date: 2007-10-26
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Helix Player 1.x, RealOne Player 1.x, RealOne Player 2.x, RealPlayer 10.x, RealPlayer Enterprise 1.x ...
Solution: Update to the latest versions. Please see the vendor's advisory for details.
http://service.real.com/realplayer/security/10252007_player/en/ ..."
:fear:
AplusWebMaster
2007-10-26, 20:17
FYI...
Malicious PDF files being spammed out in volume
- http://www.f-secure.com/weblog/archives/00001303.html
October 26, 2007 - " Malicious PDF file (report.pdf or debt.2007.pdf or overdraft.2007.10.26.pdf or so) has been massively spammed through email during the last hour and the spam run is still continuing. The PDF is spiced with CVE-2007-5020 exploit that downloads ms32.exe that downloads more components. At this point it's not clear yet what the final payload of the malware is, because of missing files in the download chain. We are investigating further... The subjects for the spam messages include:
Your credit report
Your credit points
Your balance report
Personal Financial Statement
Personal Credit Points
Personal Balance Report
Your Credit File
Balance Report
More information in our full description*.
More on the scope of the vulnerability from a ZDNet article**."
* http://www.f-secure.com/v-descs/exploit_w32_adobereader_k.shtml
** http://blogs.zdnet.com/security/?p=614
:fear:
------------------
Adobe rdr patch info: >>> http://forums.spybot.info/showpost.php?p=129812&postcount=17
.
AplusWebMaster
2007-10-30, 12:57
FYI...
Bogus email claims to come from FTC
- http://www.ftc.gov/opa/2007/10/bogus.shtm
October 29, 2007 - "A bogus email is circulating that says it is from the Federal Trade Commission, referencing a “complaint” filed with the FTC against the email’s recipient. The email includes links and an attachment that download a virus. As with any suspicious email, the FTC warns recipients not to click on links within the email and not to open any attachments. The spoof email includes a phony sender’s address, making it appear the email is from “frauddep@ftc.gov” and also spoofs the return-path and reply-to fields to hide the email’s true origin. While the email includes the FTC seal, it has grammatical errors, misspellings, and incorrect syntax. Recipients should forward the email to spam@uce.gov and then delete it. Emails sent to that address are kept in the FTC’s spam database to assist with investigations. Simply opening the email does not appear to cause harm. However, it is likely that anyone who has opened the email’s attachment or clicked on the links has downloaded the virus on their computer, and should run an anti-virus program. The virus appears to install a “key logger” that could potentially grab passwords and account numbers..."
=======================
Malicious Code: World Bank Deception: Trojan Horse
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=812
October 29, 2007 - "Websense® Security Labs™ has discovered a new Trojan horse using real data from the World Bank. As in past targeted attacks, the samples that we have captured appear to be using names and email addresses taken from the contact pages of the legitimate site. In this case, the email body includes the name of a real World Bank employee.
The message reads:
Subject: WorldBank report
Dear Colleagues,
This three-year Country Partnership Strategy (CPS) builds on Bulgaria's considerable achievements over the last eight years .. *snipped for brevity* .. and the surveillance roles played by the International Monetary Fund (IMF) and the EU's Stability and Growth Pact upon Bulgaria's EU accession.
At the following link you'll find our report:
http : // <URL REMOVED> /
Thank you!
Best Regards,
Ivelina Taushanova
Associate Professor of Management Science
<USERNAME REMOVED> @ worldbank . org
http: // WorldBank . org
The link leads to the malicious executable WorldBank_doc_36146.txt.exe, which is displayed with the standard notepad.exe icon. Unless the user has configured Windows to explicitly show the file extension (which most people do not, since it requires changing the default configuration), there is no way to visually tell that this file is actually an executable. When run, the initial executable drops a plain text document with information from a real World Bank document, displayed in IE. Also dropped is a packed Trojan horse (bifrose) whose file name makes it appear to be an MSN Messenger plugin. When this article was created, no anti-virus vendors detected the initial executable as malicious. The initial executable downloaded by the victim does not actually make any outbound connection from the victim's desktop to obtain the two dropped files. Because both dropped files are derived from the initial executable, no suspicious network traffic is generated. The dropped Trojan horse (msnmsgr_plugin.exe) maintains a persistent connection to a host name on the dyndns.org domain..."
(Screenshot available at the URL above.)
=======================================
Malicious Code: Halloween Deception: Info Stealing Trojan
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=813
October 29, 2007 - "Websense® Security Labs™ has discovered a new Trojan Horse information stealer that is being emailed out as a Halloween Greeting Card in Mexico. To date we have seen four unique sites being spammed out all with the same binary file. They were in Korea, Brazil, and Russia, and were all up and running at the time of this alert. The file is called "hallowenDay.exe" and has an MD5 of (65cd5a35bc70075f86cb6404f54d67b8). It is also poorly detected by anti-virus signatures. Assuming users access the site and select to run the file, a Trojan Horse is downloaded onto their machine which is designed to steal banking information from users; the file appears to also be packed with a unique custom packer. We expect to see additional email lures and malicious websites on our radar with Halloween night quickly approaching. The email is written in HTML and has a variety of subject lines..."
(Screenshot available at the URL above.)
:fear:
AplusWebMaster
2007-10-31, 13:12
FYI...
- http://www.messagelabs.com/resources/press/6418
October 30, 2007 - "...The new data reveals that spammers have introduced MP3 music files into the expanding toolbox of stock spam techniques, with 15 million emails shaping the first spam run. Use of MP3 files is the latest tactic designed to sneak messages past spam filters and ultimately control the value of stock for nefarious reasons. On October 17, MessageLabs intercepted the first copies of an estimated 15 million email spam run which lasted 36 hours and used StormWorm infected computers to disseminate the emails...
Other report highlights:
Web Security: Analysis shows that 45.9 percent of all web based malware intercepted was new in October. MessageLabs identified approximately 1,100 -new- sites per day which harbored malware, an increase of 63 percent compared to September levels. Gambling sites appeared back in the top ten of policy-based filtering triggers and rose to fourth place for large enterprises.
Spam: In October, the global ratio of spam in email traffic from new and unknown bad sources, for which the recipient addresses were deemed valid, was 74.5 percent (1 in 1.34 emails), an increase of 1.0 percent on the previous month.
Viruses: This month, the global ratio of email-borne viruses in email traffic from new and previously unknown bad sources destined for valid recipients, was 1 in 161.5 emails (0.62 percent) in October, a decrease of 1.43 percent since the previous month. This decline is almost certainly linked with the fall in the number of Storm Worm related emails, particularly active in August and September. This takes the email virus rate to the lowest level since April 2007 when virus traffic accounted for 1 in 145.5 emails.
Phishing: October saw a decrease of 0.57 percent in the proportion of phishing attacks with one in 174.0 emails comprised of some form of phishing attack. Viewed as a proportion of all email-borne threats such as viruses and trojans, the number of phishing emails has risen by 36.8 percent to 92.8 percent of the malware threats intercepted in October, the highest level on record...
The full report is available at http://www.messagelabs.com/intelligence.aspx ..."
:fear:
AplusWebMaster
2007-10-31, 13:42
FYI...
Trick or Treat with Stormy Halloween
- http://www.f-secure.com/weblog/archives/00001304.html
October 30, 2007 - "New tactics from the Storm gang can be seen as they celebrate with Halloween... With an unpatched system, visiting the site will trigger an exploit to automatically download and execute a malicious file. The new filename is halloween.exe. We already detect this as Email-Worm.Win32.Zhelatin.LJ . This may be a Trick, and a bad Treat from the Storm gang so remember to keep your databases updated."
(Screenshot available at the URL above.)
:fear:
AplusWebMaster
2007-11-03, 14:20
FYI...
Apple Releases Fix For iMacs That Freeze Up
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202801705
Nov. 2, 2007 - "Apple has released software updates to fix the problem of the latest iMacs freezing up during normal use. The updates, released Thursday, are recommended for 20-inch and 24-inch models with 2.0 GHz and 2.4 GHz Intel Core 2 Duo processors and with the 2.8 GHz Core 2 Extreme processor. The name of the updates, which are on Apple's Web site, are Software Update 1.3* for Leopard, the latest version of Mac OS X; and Software Update 1.2** for Leopard's predecessor Tiger. Apple acknowledged in early October that it had received complaints about iMacs freezing up suddenly and becoming unusable. Users had to reset the machines to bring them back to life. The iMacs affected by the problem were introduced in August, along with new versions of Apple's iLife and iWork software suites... Apple is advising customers to update their machines either through the company's automatic update mechanism or a download from the Web site... Last month, the company posted a fix on its Web site for a serious flaw that caused its Mac computers to seize up when users attempted to upgrade to Leopard***, officially known as OS X 10.5. Leopard was released Oct. 26..."
* http://www.apple.com/support/downloads/imacsoftwareupdate13leopard.html
** http://www.apple.com/support/downloads/macbookprosoftwareupdate12.html
*** http://docs.info.apple.com/article.html?artnum=306857
.
AplusWebMaster
2007-11-07, 00:22
FYI...
- http://isc.sans.org/diary.html?storyid=3621
Last Updated: 2007-11-06 20:37:50 UTC - "Zack wrote to us yesterday to inform us of a mass defacement involving one of his web sites. After a brief look, we were able to confirm that the following script tag (obfuscated) had been injected in over 40,000 pages across the internet:
script src="hXXp://yl 18.net/0.js"
This script generates a page containing several hidden iframe components. These link to other pages that contain browser specific exploit code, such as the common ADODB exploit. This code downloads, without prompting, a small number of executable droppers, and executes them on vulnerable systems. Upon review, most of the binaries downloaded appeared to be password stealers for online games, but not all have been reviewed yet. Anti virus coverage differed greatly between several binaries...
This type of widespread attack can incur a serious toll and requires follow up. At the ISC, we not only try to assess how to have a piece of malicious code taken down, but also what the attacker's next steps will be. We generally take at least the following steps to contain the incident:
* Inform the ISP hosting the malicious code. In this case, this was CHINANET, who have a massive deployed base and are not always able to respond promptly;
* If we receive no response or suspect a language issue, we inform the local incident response team (CSIRT/CERT) and ask them for assistance;
* We gather samples of the affected malicious code and distribute it to anti virus vendors to have them build coverage;
* If it’s an important issue, we report it here on the diary so organizations can implement controls to protect themselves against infection.
We also assess what the attacker spent most time working on. In this case, compromising a single server in China and hosting a malicious script is low effort and can easily be repeated. Attacking thousands of sites and adding a link to them is his actual investment. As such, once the server is taken offline, the attacker will promptly move hosting for the yl18.net domain to another server. If the domain is likely fully malicious, we try to pre-empt this and inform the registrar that the domain is used for illegal activities and should be disabled.
This is a problem – most registrars do not really care what a domain is used for. Generally malicious domains are however paid for with fake credit cards, and if this can be identified, they have the legal ability to disable the domain. These efforts take lots of time, and at this point in time, the server hosting yl18.net is still online and serving malicious code. Various .com web sites have been defaced with the script tag, most likely through SQL injection or cross site scripting, and are infecting their users. If you have the ability to do so, we suggest blocking traffic to yl18.net at your gateway."
.
AplusWebMaster
2007-11-08, 00:45
FYI...
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=817
November 07, 2007 - "Websense® Security Labs™'s ThreatSeeker™ technology has discovered that MSNBC's Turkish site has been compromised. At the time of this writing, the site was infected with malicious code designed to infect the site's visitors through the use of an external JavaScript file. The file contained the malicious JavaScript code that was hosted in China. Visitors to the Web site were infected with an exploit code tailored to their browser. Assuming that the visitors were vulnerable, password stealing code was installed and executed on their desktops, without requiring any user intervention. The wide spread of this malicious code has been confirmed by the SANS Internet Storm Center in their most recent incident handler's diary: http://isc.sans.org/diary.html?storyid=3621
This is a Microsoft site, hosted by a partner. We are actively working with Microsoft's security personnel to fix the issue..."
(Screenshot available at the Websense URL above.)
.
AplusWebMaster
2007-11-08, 17:15
FYI...
Hidden IFRAMEs Launch Malware En Masse
- http://blog.trendmicro.com/hidden-iframes-launch-malware-en-masse/
November 8, 2007 - "SANS reports that last November 6, hundreds of Web sites across the Internet were believed to have been compromised by a yet unknown hacker. Details about how and why the attack was perpetrated remain murky. What we know so far is that a certain script which loads http://{BLOCKED}8.net/0.js has been injected into the said sites, the said script leads to a page riddled with invisible IFRAMEs, and these IFRAMEs link to certain pages to automatically download several files... A rundown of the forty-plus files gives us Trojans, spyware, backdoors, and a worm belonging to families such as, but not limited to, ONLINEG, WOW, QQPASS, and QQGAME, which are known information stealers targeting gamers and QQ users. File sizes ranged from 177KB to 2KB, with the largest being backdoor programs. Backdoors open an infected machine’s ports, allowing remote malicious users control over the system. Users who visit any of the compromised sites run the risk of getting infected, so gateway admins had better block traffic coming from yl18.net..."
:fear:
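The ISC, Websense and Trend Micro write-ups above all describe the same pattern: an injected script tag pointing at a foreign host, leading to a page of zero-size or hidden iframes. The scanner below is an added example for web admins checking their own pages for that pattern; it is not code from any of those organisations. The sample HTML is constructed; the yl18.net/0.js reference mirrors the injected tag ISC reported, and the iframe targets use placeholder hostnames.

```python
"""Flag externally sourced <script> tags and hidden <iframe>s in HTML.

Added example, not code from ISC, Websense or Trend Micro. Standard
library only. ALLOWED_HOSTS and SAMPLE_PAGE are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads scripts from (assumption for the demo).
ALLOWED_HOSTS = {"www.example.com", "static.example.com"}

# Constructed page: one local script, one injected script (the tag ISC
# reported), two hidden iframes and one ordinary visible iframe.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://yl18.net/0.js"></script>
</head><body>
<p>news content</p>
<iframe src="http://example.invalid/exploit.htm" width="0" height="0"></iframe>
<iframe src="http://example.invalid/ad" style="display: none"></iframe>
<iframe src="http://www.example.com/video" width="640" height="360"></iframe>
</body></html>"""


class InjectionScanner(HTMLParser):
    """Collect (kind, src) findings while parsing a page."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser gives lowercase names, value may be None
        if tag == "script" and attrs.get("src"):
            host = urlparse(attrs["src"]).hostname
            # Relative src has no host and is same-origin; only foreign hosts
            # outside the allow-list are reported.
            if host and host.lower() not in self.allowed_hosts:
                self.findings.append(("external-script", attrs["src"]))
        elif tag == "iframe" and self._is_hidden(attrs):
            self.findings.append(("hidden-iframe", attrs.get("src") or ""))

    @staticmethod
    def _is_hidden(attrs):
        # Zero width/height (the form seen in this campaign) or CSS hiding.
        for dim in ("width", "height"):
            if re.fullmatch(r"\s*0+(px)?\s*", attrs.get(dim) or ""):
                return True
        style = (attrs.get("style") or "").lower().replace(" ", "")
        return "display:none" in style or "visibility:hidden" in style


def scan_html(html, allowed_hosts):
    """Return a list of (kind, src) findings in document order."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(f"{kind:16s} {src}")
```

Run it over pages fetched from a staging copy rather than over the live site, so a re-injected page is never served to a browser while you look at it.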
AplusWebMaster
2007-11-10, 18:41
FYI...
- http://news.yahoo.com/s/cmp/20071110/tc_cmp/202804433
November 9, 2007 - "Visitors to IndiaTimes .com, a major English-language Indian news site, risk infecting their computers with a deluge of malware, according to Mary Landesman, senior security researcher at ScanSafe. "It's an entire cocktail of downloader Trojans and dropper Trojans," Landesman said Friday, putting the number of malicious files involved at 434. This includes scripts, binaries, cookies, and images. Landesman characterized the size of the malicious payload as unusually large. She also noted that the attack involved a large number of Web sites. Analyzing just two of the binaries, she said that ScanSafe had identified at least 18 different IP addresses involved in the attack. "Only certain pages of the IndiaTimes .com are infected," ScanSafe said in its Nov. 9 Threat Alert*. "The impacted pages contain a script which points to a remote site containing iframes pointing to two additional sites. One of the sites included cookie scripts and an iframe pointing to a non-active site. The other iframe pointed to an encrypted script which exploits multiple vulnerabilities in an attempt to download malicious software onto susceptible systems of users visiting indiatimes .com..."
* http://blog.scansafe.com/journal/2007/11/9/indiatimes-hack-leads-to-cocktail-of-compromise.html
"...Unfortunately, the person we spoke with indicated that it was a holiday in India and they would be unlikely to fix the problem until Monday..."
:fear::fear::fear:
AplusWebMaster
2007-11-12, 13:45
FYI...
- http://secunia.com/advisories/27648/
Release Date: 2007-11-12
Critical: Moderately critical
Impact: Unknown, Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: PHP 5.2.x
...vulnerabilities and weaknesses have been reported in PHP, where some have unknown impacts and others can be exploited to bypass certain security restrictions.
Solution: Update to version 5.2.5.
http://www.php.net/downloads.php ...
Original Advisory:
http://www.php.net/releases/5_2_5.php
:fear:
AplusWebMaster
2007-11-12, 18:08
FYI...
- http://isc.sans.org/diary.html?storyid=3625
Last Updated: 2007-11-11 01:57:16 UTC ...(Version: 2)
"Update:
...We're now at 66K links in Google for the yl18.net/o.js scripts, will it get to the 200K plus numbers we saw with the Super Bowl? worldofwarcraftn .com has now been confirmed as containing malicious content, and you can add rnmb .net to the list which also belongs to the same group. From the whois records it looks like the domain is refreshed daily, which tends to indicate that they are not paying for it, but are using a registrar where you can start using the domain immediately, but pay later. In this case the pay later part is probably not happening. If I were the registrar I might get miffed with people registering the same domain on a daily basis and never pay, but then that's me. If you like IP numbers then today the IPs to block for your web users are 125.65.77.25 & 61.188.39.218 "
( http://forums.spybot.info/showpost.php?p=133586&postcount=28 )
----------------------------------------------------------------------------
- http://www.websense.com/securitylabs/blog/blog.php?BlogID=160
Nov 12 2007 - "Websense® Security Labs™'s ThreatSeeker™ technology has identified more than 350 sites to date containing malicious code designed to infect the site's visitors through the use of an external JavaScript file. This is a follow-up on our previous alert of a mass infection involving MSNBC's Turkish site. Notable sites discovered include the Swedish parliament’s web site and an Australian financial services web site (FICS). At time of writing, the sites in the screenshots below are still infected and we do not recommend visiting them without adequate protection. Vulnerable visitors will have password stealing code installed and executed on their desktops without their consent."
(Screenshots of a selected few sites available at the URL above.)
:fear:
AplusWebMaster
2007-11-20, 00:22
FYI...
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=822
November 19, 2007 - "Websense® Security Labs™ has discovered a new -email- attack variant similar to attacks previously launched on the IRS and Better Business Bureau. The spoofed email claims to be from the United States Department of Justice (USDOJ)... The message claims that a complaint to the USDOJ has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email. The attached "complaint" is a Trojan Downloader .scr file with an MD5 of aeb784bc17c4c7e6edc5f1faaa9ed24f. None of the major anti-virus vendors detected the malicious code..."
(Screenshot available at the URL above.)
--------------------------------------------
More...
- http://blog.washingtonpost.com/securityfix/2007/11/a_fresh_round_of_targeted_emai.html
November 19, 2007; 10:30 PM ET - "Another series of sophisticated e-mail attacks were launched over the past 24 hours, addressing recipients by name and warning of complaints filed against them and/or their company with the Justice Department -and- the Better Business Bureau. E-mail security firm MessageLabs said it spotted the spike in targeted e-mail attacks designed to look as though they were sent from the Better Business Bureau. The messages address recipients by name and list corresponding employer information both in the body of the e-mail and the subject line. The missives reference an attached "complaint," which is actually a screensaver file that harbors password-stealing software..."
:fear:
AplusWebMaster
2007-11-20, 14:15
FYI...
- http://preview.tinyurl.com/39mtqc
November 20, 2007 (Computerworld) - "Monster.com took a portion of its Web site offline Monday as researchers reported that it had been compromised by an IFRAME attack and was being used to infect visitors with a multi-exploit attack kit. According to Internet records, the Russian Business Network (RBN) hacker network may be involved. Parts of the Monster Company Boulevard, which lets job hunters search for positions by company, were unavailable Monday; by evening, the entire section was dark. Most major American companies are represented on the site -- Google Inc.'s cache of the page that shows only those firms which begin with the letter "B", for example, included Banana Republic, Bank of America, Black & Decker, Boeing, Broadcom and Budget Car Rental. Job seekers who used Monster's by-company directory on Monday before the site was yanked were pounced on by Neosploit, an attack toolkit similar to the better-known Mpack, said Roger Thompson*, chief technology officer at Exploit Prevention Labs Inc... The injection of the malicious IFRAME code into the Monster.com site probably happened Monday, he added... "It is not clear how many pages were affected, but it is likely that the attack was the same for all companies on the site, which might turn out to be a pretty good set of the Fortune 500"... Monster.com last made security news in August, when the company admitted hackers had looted its database for weeks, perhaps months, then used that information to craft and send targeted e-mails that pitched money laundering jobs or tried to trick recipients into downloading malware. Monster.com was not available for comment Monday night."
* http://explabs.blogspot.com/2007/11/big-hack-today.html
:fear:
AplusWebMaster
2007-11-21, 00:25
FYI...
Malicious Code: Tabasco state/Banamex email lure banker trojan
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=824
November 20, 2007 - "Websense® Security Labs™ has discovered -emails- that claim to solicit humanitarian support for flood victims in the state of Tabasco, Mexico. If users click an embedded link, they are prompted to download a banker Trojan horse, disguised as an HTML file. The file is displayed with the blue Internet Explorer icon. When a user opens the file, the Trojan horse modifies the hosts file to replace the legitimate Banamex with the IP address of a host controlled by the attacker. If users attempt to go to the Banamex site, they receive no visual indicators that they are not at a legitimate site. The phishing toolbars that were tested did not detect this fake site as a fraud. Neither the downloaded banker Trojan horse nor the subsequent executable that it drops (win32.exe) are detected as malicious by the 32 anti-virus products tested..."
(Screenshots available at the URL above.)
:fear:
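The Banamex trojan above works by rewriting the local hosts file, which is why phishing toolbars saw nothing. The checker below is an added example of how a helpdesk or endpoint script can spot such an entry; it is not Websense's code. The hosts file contents are constructed, the attacker address is a TEST-NET-1 placeholder, and "banamex.com" is assumed to be the bank's domain.

```python
"""Report hosts-file entries that override monitored domains.

Added example for the hosts-file hijack described in the Websense alert
above; not the vendor's code. HOSTS_SAMPLE is constructed, 192.0.2.10 is a
documentation-range placeholder, and the bank domain is an assumption.
"""
import ipaddress

# Constructed sample hosts file (line 3 is the kind of entry the trojan adds).
HOSTS_SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
192.0.2.10      www.banamex.com banamex.com   # constructed attacker entry
0.0.0.0         ads.example.net
"""


def parse_hosts(text):
    """Yield (lineno, ip_address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a well-formed mapping line
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower().rstrip(".")))
    return entries


def find_hijacks(text, monitored_domains):
    """Return (lineno, ip, hostname, kind) for entries covering monitored domains.

    kind is "redirect" when the address points somewhere real (the Banamex
    case) and "sinkhole" for loopback/unspecified addresses, which are a
    common blocking technique rather than a hijack.
    """
    monitored = {d.lower().rstrip(".") for d in monitored_domains}
    hits = []
    for lineno, addr, name in parse_hosts(text):
        if not any(name == d or name.endswith("." + d) for d in monitored):
            continue
        kind = "sinkhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        hits.append((lineno, str(addr), name, kind))
    return hits


if __name__ == "__main__":
    for lineno, ip, name, kind in find_hijacks(HOSTS_SAMPLE, ["banamex.com"]):
        print(f"line {lineno}: {name} -> {ip} ({kind})")
```

On a live machine read C:\Windows\System32\drivers\etc\hosts (or /etc/hosts) into `text` and pass the list of bank domains your users actually visit; any "redirect" hit on a bank domain warrants a full malware check of that host.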
AplusWebMaster
2007-11-26, 16:01
FYI...
- http://preview.tinyurl.com/39qspa
November 26, 2007 (Computerworld) - "...Safe-shopping tips. Here are a dozen to get you started:
* Shop with online merchants you know and trust.
* Order from secure Web sites, which can be identified by a locked padlock or unbroken key icon in your Web browser (unsecured sites may show an unlocked padlock or a broken key).
* Keep printouts of everything, including copies of your order; Web pages describing what you ordered; Web pages that tell the seller’s name, address and telephone number; and any e-mail confirmations you get. And make sure you add the date if it doesn’t automatically appear on the printouts.
* Use credit cards for online purchases, which will limit your loss to $50 if your credit is used without authorization. But it has to be a real credit card, not a debit or check card. You may want to use just one credit card for all online payments, to make it easier to detect wrongful charges.
* Don’t give out your Social Security number.
* Don’t give out unnecessary information.
* Don’t send your credit card number by e-mail.
* Don’t give out your passwords for e-commerce Web sites to anyone.
* Don’t give out your bank information; no one needs it for an online order.
* Double-check every Web site address.
* Don’t click on links within e-mails. Type in the Web site’s address yourself -- very carefully.
* Remember, if the deal seems too good to be true, it probably is.
You can also direct users to online sources of additional information, including the Better Business Bureau Web site ( www.bbbonline.org/OnlineShopTips ), the Privacy Rights Clearinghouse ( www.privacyrights.org/fs/fs23-shopping.htm ) and the Federal Trade Commission Web site ( www.ftc.gov/onlineshopping )..."
:spider:
AplusWebMaster
2007-12-04, 19:28
FYI...
The 2008 Internet Security Trends Report from IronPort Systems estimates that 98 per cent of all email traffic is now spam.
- http://www.ironport.com/securitytrends/
Dec 04, 2007 - "Spam volume increased 100 percent, to more than 120 billion spam messages daily worldwide. That's about 20 spam messages per day for every man, woman and child on the planet.
TRENDS OVERVIEW
The overall trends in spam and malware can be characterized by a larger number of more targeted, stealthy and sophisticated attacks. Specific observations include:
> Spam has become more dangerous.
...In 2007, more than 83 percent of spam contained a URL to a rogue Web server that was frequently serving malware. In accordance with a trend towards the blending of different malware techniques, URL-based viruses increased 256 percent.
> The "Self Defending Bot Network" was introduced...
> Viruses no longer make headlines..."
(Full report and links available at the URL above.)
------------------------------------------------
F-Secure - Malware Grew by 100% during 2007
As much malware produced in 2007 as in the previous 20 years altogether
- http://www.f-secure.com/f-secure/pressroom/news/fs_news_20071204_1_eng.html
Dec 4, 2007 - "In its 2007 data security summary, F-Secure reports of a steep increase in the amount of new malware detected during 2007. In fact the amount of cumulative malware detections doubled during the year, reaching the amount of half a million. This indicates that network criminals are producing new malware variants in bulk... The full 2007 Data Security Wrap-Up is available at http://www.f-secure.com/2007/2/ ... F-Secure predicts the increase in malware volume will continue in 2008. The criminals are successfully creating a network-based underground ecosystem, trading both malware development tools, skills, capabilities and resources ever more effectively. At the same time the reach of the law enforcement agencies remain limited in the global network domain..."
:sad:
AplusWebMaster
2007-12-05, 14:24
FYI...
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=204700531
Dec. 4, 2007 - "...Message Labs said following Thanksgiving that it was seeing holiday-themed spam coming across its infrastructure at a rate of about 300,000 an hour. Symantec security researcher Jitender Sarda documented* one such attack on Tuesday that uses e-cards. "These e-cards are purportedly sent from a legitimate source and try to lure the victim to click on the link to view the e-cards, which have underlying tricks to try and infect the computer," said Sarda in a blog post. "With the Xmas bells starting to ring, here is the first incidence where Xmas e-cards have started doing the rounds." While these e-cards may appear to come from a familiar brand name, the "From:" field is forged. And the spammer responsible, perhaps aware that e-cards have acquired an air of disrepute, has even gone so far as to include the phrase "(no worm, no virus)" in the e-card's text, as if such an assurance made the message safe. In fact, the link provided attempts to download a file named "sos385.tmp" which is itself a downloader that connects to the Internet and attempts to download other malicious files."
* http://preview.tinyurl.com/2u5z7n
(Symantec Security Response Weblog)
---------------------------------------
More Christmas Card Action
- http://www.f-secure.com/weblog/archives/00001330.html
December 5, 2007 - "We've just seen another fake Christmas card malware run... The links are masked and point to a fake Yahoo Greeting card site. Do note the fake URL (abuse messages have been sent about the site)... The site prompts the user to download malicious macromedia-flashplayerupdate.exe (md5: 506744BF870B5B0E410087BD6F3EFD37). We detect this file as an Agent variant. It collects various types of information from the infected machine and sends it back to the malware author via a website."
(Screenshots available at the F-secure URL above.)
:fear:
AplusWebMaster
2007-12-13, 19:53
FYI...
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=830
December 13, 2007 - "Websense® Security Labs™ has discovered a new -email- attack that uses a spoofed email claiming to be from the United States Department of Treasury. This is similar to previous attacks claiming to originate from the IRS, Better Business Bureau, and Department of Justice. We have been tracking all of these attacks, and reporting them as they are discovered. The message claims that a complaint to the Department of Treasury has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email. The attached "complaint" is a Trojan downloader with some backdoor capabilities. It is a ".pif" file with an MD5 of 9e19d23f27ebf9cfe1b9103066a3019e. It appears, however, that different versions of the Trojan are sent, based on the targeted recipient or company..."
(Screenshot available at the URL above.)
:fear:
AplusWebMaster
2007-12-16, 06:12
FYI...
- http://www.us-cert.gov/current/#hp_hp_info_center_software
updated December 14, 2007 - "US-CERT is aware of a vulnerability affecting HP Info Center Software, which allows one-touch access to features on HP laptops. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands or to view or alter the system registry on affected systems. These reports also refer to publicly available exploit code for this vulnerability. HP has published an HP Quick Launch Buttons Critical Security Update* to address this issue. US-CERT encourages users to apply this update to mitigate this risk.
* ftp://ftp.hp.com/pub/softpaq/sp38001-38500/sp38166.html
- http://preview.tinyurl.com/2jhrxc
(HP Customer Care)
Release Date: 2007-12-12
Version: 1.00 A
Description:
This package provides a critical security update for HP Quick Launch Buttons on the supported notebook models and operating systems. This patch removes a security vulnerability by disabling HP Info Center...
» sp38166.exe 1/1 (1.61M)
:fear:
AplusWebMaster
2007-12-17, 15:00
FYI...
- http://www.itbusiness.ca/it/client/en/home/news.asp?id=46368
12/14/2007 - "...Since 1 December 2007, 114,891 new users have run Prevx CSI with rootkit-detection features enabled. Of those PCs, 1,678 had what Prevx describes as 'significant rootkit infections'. That equates to 1.46% or approximately one in 70 systems, which is almost 15 times higher than the one in 1,000 rootkit-infected PCs previously estimated by industry experts. In the first nine days of this month alone, 93 companies used the free Business scan feature of Prevx CSI. Of these companies, 68 had one or more infected PCs. Thirteen companies, or 14%, had one or more PCs harboring rootkit infections.
These stats don't take into account the fact that users who scan their PCs are more likely to have concerns about infections..."
> http://info.prevx.com/downloadcsi.asp
"822,006 people have already checked their PC with Prevx CSI free, 182,018 were infected..."
:fear:
AplusWebMaster
2007-12-18, 15:21
FYI...
- http://www.gartner.com/it/page.jsp?id=565125
December 17, 2007 - "Phishing attacks in the United States soared in 2007 as $3.2 billion was lost to these attacks, according to a survey by Gartner, Inc. The survey found that 3.6 million adults lost money in phishing attacks in the 12 months ending in August 2007, as compared with the 2.3 million who did so the year before. According to a survey of more than 4,500 online U.S. adults in August 2007 (which was representative of the online U.S. adult population) the attacks were more successful in 2007 than they were in the previous two years. Of consumers who received phishing e-mails in 2007, 3.3 percent say they lost money because of the attack, compared with 2.3 percent who lost money in 2006, and 2.9 percent who did so in 2005...
The average dollar loss per incident declined to $886 from $1,244 lost on average in 2006 (with a median loss of $200 in 2007), but because there were more victims, $3.2 billion was lost to phishing in 2007, according to surveyed consumers. There was a bit of relative good news, however; the amounts that consumers were able to recover also increased. Some 1.6 million adults recovered about 64 percent of their losses in 2007, up from the 54 percent that 1.5 million adults recovered in 2006.
PayPal and eBay continue to be the most-spoofed brands, but phishing attacks increasingly employ devious social engineering attacks, impersonating, for example, electronic greeting cards, charities and foreign businesses.
Thieves are increasingly stealing debit card and other bank account credentials to rob accounts — targeting areas where fraud detection is weaker than it is with credit card accounts. According to the survey, of those consumers who lost money to phishing attacks, 47 percent said a debit or check card had been the payment method used when they lost money or had unauthorized charges made on their accounts. This was followed by 32 percent of respondents who listed a credit card as the payment method, and 24 percent who listed a bank account as the method (multiple responses were allowed)...
Phishing and malware attacks will continue to increase through 2009 because it's still a lucrative business for the perpetrators, and advertising networks will be used to deliver up to 30 percent of malware that lands on consumer desktops.
Gartner sees no easy way out of this dilemma unless e-mail providers have incentives to invest in solutions to keep phishing e-mails from reaching consumers in the first place, and unless advertising networks and other "infection point" providers (which theoretically can be any legitimate Web site or service) have incentives to keep malware from being planted on their Web sites to reach unsuspecting consumers..."
:fear::spider:
AplusWebMaster
2008-01-03, 00:26
FYI...
McAfee false positive on some JavaScripts
- http://isc.sans.org/diary.html?storyid=3803
Last Updated: 2008-01-02 21:36:16 UTC - "Some users reported that their AV was detecting JS/Exploit-BO virus, on sites like ESPN and Friendster, for instance. The problem is with the McAfee AV. McAfee just released an Emergency DAT to fix the false on some JavaScripts, detecting as JS/Exploit-BO on virus database (DAT file) 5197 released today. The new DAT just released is 5198 and the url to download it is: http://www.mcafee.com/apps/downloads/security_updates/dat.asp "
(In the wake of "CA false positive for certain Javascript apps":
http://isc.sans.org/diary.html?storyid=3797 Last Updated: 2007-12-31 23:07:19 UTC)
:oops:
AplusWebMaster
2008-01-03, 16:39
FYI...
Phish (Face)book!
- http://www.f-secure.com/weblog/archives/00001353.html
January 3, 2008 - "We recently came across a phishing attack targeting Facebook. Phishers are apparently using hacked Facebook accounts to post links to a fake login page on other people's "Wall posts"... The phishing site is still currently online. Be wary of clicking on those links out there, even if they seem to (genuinely) come from your friends! Hat tip to Techcrunch*."
* http://www.techcrunch.com/2008/01/02/phishing-for-facebook
(Screenshots available at both URL's above.)
---------------------------------------------------
More... Zango adware on Facebook
- http://www.vnunet.com/vnunet/news/2206462/facebook-hit-adware-attack
3 Jan 2008 - "Facebook users are being warned about a new application on the social networking site that contains adware. 'Secret Crush' contains a download of the Zango adware program which automatically sends itself to five friends. It has already infected three per cent of Facebook users, over one million computers, according to security firm Fortinet*..."
Facebook Widget Installing Spyware
* http://www.fortiguardcenter.com/advisory/FGA-2007-16.html
2008.January.02
:fear::spider:
AplusWebMaster
2008-01-04, 14:12
FYI...
- http://sunbeltblog.blogspot.com/2008/01/malicious-ads-on-myspace-excite-blick.html
January 03, 2008 - "We worked earlier today with Brian Krebs at the WP* about malicious banner ads on Myspace. (Malware is being delivered through exploits, but fully patched systems won’t be affected.) Sandi Hardmeier has also been tracking ads at Excite and, now, Blick** (a popular German site). These are different than the Myspace ads (in that they don’t seem to be dumping an exploit-driven payload)."
* http://blog.washingtonpost.com/securityfix/2008/01/malwarelaced_banner_ads_at_mys.html
** http://msmvps.com/blogs/spywaresucks/archive/2008/01/04/1435836.aspx
:fear:
AplusWebMaster
2008-01-05, 04:05
FYI...
- http://www.us-cert.gov/current/#public_exploit_code_for_realplayer
January 2, 2008
- http://secunia.com/advisories/28276/
Release Date: 2008-01-03
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: RealPlayer 11.x
...Successful exploitation allows execution of arbitrary code. The vulnerability is reported in version 11 build 6.0.14.748. Other versions may also be affected.
Solution:
Do not open untrusted media files or browse untrusted websites...
- http://isc.sans.org/diary.html?storyid=3810
Last Updated: 2008-01-05 00:34:02 UTC ...(Version: 4)
"> Update 15:10 UTC: While you're at it, consider blocking access to uc8010-dot-com. If you do a Google Search for this domain, you'll understand why: Lots of injecting of a malicious 0.js from this domain is currently going on, plenty of web sites seem to contain this booby trap. One of the IFRAMES fetched from this site, the file "r.htm" contains a RealPlayer exploit. Still the one from last month ( www.kb.cert.org/vuls/id/871673 ) but if they happen to re-tool to the new vulnerability, things might get ugly.
> Update 16:30 UTC: One of our readers noted that there are a number of state government and educational sites that appear to have been compromised with the uc8010 domain. Upon review, I see that some of these have already been cleaned up. However, the .gov and .edu sites are only a few of the many many sites that are turned up via google searches for the uc8010 domain. As that domain was only registered as of Dec 28th, compromises of websites probably occurred in the past week.
I recommend that our readers check to see if their site shows any references to uc8010 via google. Alternatively, look on their webservers to see if there are any unauthorized changes to webpages in the past week.
> Update 00:30 UTC 5 JAN 08: Looks like there is another domain hosting a similar script. In addition to uc8010 check your flows for "ucmal.com"
----------------------------------------------------------
CA web site hacked
http://preview.tinyurl.com/2wdxkw
January 04, 2008 (Computerworld) - "Part of security software vendor CA's Web site was cracked earlier this week and was redirecting visitors to a malicious Web site hosted in China. Although the problem now appears to have been corrected, cached versions of some pages in the press section of CA.com show that earlier this week the site had been redirecting visitors to the uc8010.com domain, which has been serving malicious software since late December, according to Marcus Sachs, director of the SANS Internet Storm Center. The hack is similar to last year's attack on the Dolphin Stadium Web site, which infected visitors looking for information on the Super Bowl football game, Sachs said. "It's exactly the same setup," he said. "It's JavaScript that they've managed to insert into the title or the body of the HTML"..."
:fear:
AplusWebMaster
2008-01-05, 21:40
FYI...
- http://preview.tinyurl.com/2lgp5u
January 05, 2008 (Donna's SecurityFlash) - "In early December 2007 a new rootkit that hides itself in the Master Boot Record (MBR) of a user's disk was spotted in the wild. Up until then this was more of a proof of concept (POC). This goes to show how much effort rootkit authors are putting in to creating new ways of evading Anti Rootkit software. This is a new vector of attack for malware writers and gives them control from outside the Operating System. This rootkit is using the MBR flaw. The MBR can be written to from within Windows.
The rootkit installs itself ( 244K ) on the last sectors of the user's disk and then modifies other sectors including sector 0. The code is run before your PC boots up into XP, Vista or NT and has full control of the boot process which means it can install and run any application it wants without you, XP, Vista or NT knowing about it."
> http://www.antirootkit.com/blog/2008/01/03/security-flaw-in-vista-and-xp-rootkit-exploit-in-the-wild/
> http://www2.gmer.net/mbr/
:fear::spider:
AplusWebMaster
2008-01-07, 18:45
FYI...
- http://preview.tinyurl.com/27hohx
January 07, 2008 (Computerworld) -- Tens of thousands of Web sites have been compromised by an automated SQL injection attack, and although some have been cleaned, others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend. Roger Thompson, the chief research officer of Grisoft SRO, pointed out that the hacked sites could be found via a simple Google search for the domain that hosted the malicious JavaScript. On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. "This was a pretty good mass-hack," said Thompson, in a post to his blog*. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared." Symantec Corp. cited reports by other researchers - including one identified only as "websmithrob" - that fingered an SQL vulnerability as the common thread..."
* http://explabs.blogspot.com/2008/01/so-this-is-kind-of-interesting.html
January 05, 2008 - "This domain uc8010(dot)com was registered just a few days ago (Dec 28th), and yet, at one point Google showed script injections pointing to it were showing up on over 70k domains... If you google for uc8010(dot)com, you still get about 50k hits..."
- http://isc.sans.org/diary.html?storyid=3810
Last Updated: 2008-01-05 20:13:55 UTC ...(Version: 5) - "Update 17:52: We have gotten reports of embedded script links to ucmal on MySpace. It is probably safe to assume that other social networking sites have it as well."
:fear::fear::devilpoin:
AplusWebMaster
2008-01-08, 14:31
More...
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=205600157
Jan. 8, 2008 - "Web sites that naively call for user input, then fail to put strict checks on what that input may be, are susceptible to SQL injection attacks. That vulnerability appears to be the cause of up to 70,000 Web pages getting hacked by malicious code between Dec. 28 and Jan. 5. The intrusions represent a whole new level of threat to users on the Internet. Instead of the attack seeking to launch a virus or worm at individual computers, it invaded Web databases and used them to host its malicious code and distribute it every time site visitors sought information beyond a home page or product page from the database. But for the fact it used an old and already guarded against Windows exploit, it might still be spreading across the Internet... it was Microsoft SQL Server databases that ended up as the target of the attack because the tables targeted are specific to SQL Server... The intrusion of each database is massive, with a JavaScript string being attached to all text items in the database. A site user's request for an information item then leads to the attacker's JavaScript response attempting to plant code on the user's computer. The attack typically invades a site with a catalogue or other large text files stored on a SQL Server database. As a site visitor clicks on a Web site's button or link for more information, such as "more information" from a catalogue, the database is activated to send a JavaScript plant onto the user's computer... The plants take advantage of a widely publicized Windows vulnerability, listed as the MS06-014* exploit... Google and Yahoo's cached pages from Web site databases may still contain the JavaScript, untouched by site efforts to clean it up, the experts warned."
* http://support.microsoft.com/kb/911562/en-us
Last Review: March 27, 2007
Revision: 3.6
:fear:
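The mass SQL injection described in the two posts above appended the same remote script tag to every text field in the database, so a defender's first question is which rows and columns carry it and which hosts it points at. The following is an added example (not from the articles quoted here) that runs that check over a constructed catalogue table; the row contents and column names are invented, while the uc8010.com and ucmal.com hosts are the ones named in the thread.

```python
import re

# Pattern for a remotely sourced <script> tag of the kind the mass SQL
# injection appended to text columns (quoted or unquoted src, any host).
INJECTED_SCRIPT_RE = re.compile(
    r'''<script\b[^>]*?\bsrc\s*=\s*["']?\s*(?:https?:)?//([^/"'\s>]+)[^>]*>\s*</script\s*>''',
    re.IGNORECASE)

# Text columns a catalogue table exposes to visitors (constructed names).
TEXT_COLUMNS = ("name", "description")

# Constructed rows: the product text is invented; rows 1 and 2 carry the
# appended tag, row 4 holds legitimate HTML that must not be flagged.
SAMPLE_ROWS = [
    {"id": 1, "name": "Widget A",
     "description": "Blue widget, 10cm.<script src=http://www.uc8010.com/0.js></script>"},
    {"id": 2, "name": 'Widget B<script src="http://www.ucmal.com/0.js"></script>',
     "description": 'Red widget.<script src="http://www.ucmal.com/0.js"></script>'},
    {"id": 3, "name": "Gadget C", "description": "Green gadget, no tampering."},
    {"id": 4, "name": "Legit page",
     "description": 'See <a href="http://example.com/info">details</a>'},
]


def find_injected_hosts(text):
    """Return the hosts referenced by injected script tags in one cell."""
    if not isinstance(text, str):
        return []
    return [m.group(1).lower() for m in INJECTED_SCRIPT_RE.finditer(text)]


def strip_injected_scripts(text):
    """Return the cell with injected tags removed (input for a repair UPDATE)."""
    if not isinstance(text, str):
        return text
    return INJECTED_SCRIPT_RE.sub("", text)


def scan_rows(rows, columns=TEXT_COLUMNS):
    """One finding per (row, column, host) across the given text columns.

    In practice `rows` would come from a SELECT over each text column of the
    affected SQL Server table; here the constructed sample rows stand in.
    """
    findings = []
    for row in rows:
        for col in columns:
            for host in find_injected_hosts(row.get(col)):
                findings.append({"id": row["id"], "column": col, "host": host})
    return findings


def summarize(findings, row_count):
    """A high row fraction pointing at only one or two hosts is the signature
    of a mass injection rather than a single defaced record."""
    affected = {f["id"] for f in findings}
    hosts = sorted({f["host"] for f in findings})
    return {"rows_affected": len(affected),
            "row_fraction": len(affected) / row_count if row_count else 0.0,
            "hosts": hosts}


if __name__ == "__main__":
    found = scan_rows(SAMPLE_ROWS)
    for finding in found:
        print(finding)
    print(summarize(found, len(SAMPLE_ROWS)))
```

Cached copies held by search engines are outside the database and, as the article notes, keep serving the tag after the table is repaired.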
AplusWebMaster
2008-01-09, 00:51
FYI...
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=835
January 08, 2008 - "Websense® Security Labs™ has discovered a new email attack that uses a spoofed email message which claims to be from the National Payroll Reporting Consortium (NPRC). This attack is similar to previous attacks claiming to originate from the IRS, Better Business Bureau, and Department of Justice. We have tracked all of these attacks, and reported them as they were discovered. The message claims that the recipient's company has made numerous misrepresentations regarding worker classification, in an attempt to lower compensation costs. The email asks the recipient to fill out an attached form and fax it to NPRC's fraud department in order to resolve the issue. An email attachment contains a Trojan downloader with some backdoor capabilities. It is a malicious Windows executable file, with an MD5 of 854e259c7c0ac6fb2a26963a9d77600d ... At time of writing, only one anti-virus vendor had detected this malicious code."
(Screenshot available at the URL above.)
:fear:
AplusWebMaster
2008-01-11, 18:44
FYI...
- http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/
January 11, 2008 - "...TrendLabs researchers have received reports of what appears to be an attempt of a massive DNS poisoning attack in Mexico... the attack begins with the exploitation of a known vulnerability in 2Wire modems*. The said vulnerability allows an attacker to modify the local DNS servers and hosts. One of the main Internet Service Providers in Mexico offers 2Wire modems to their customers, and it is estimated that more than 2 million users are at risk... exploit arrives with a newsy email message... once an unsuspecting user opens the email in its full HTML format, the exploit code automatically attempts to access the modem’s Web console and modify the local host database to redirect all requests for banamex.com — the Web site of one of the largest banks in Mexico — to a fraudulent site... The malicious email message also promises a “video” and includes a link that points to a malicious URL where the .RAR archive Video_Narco.rar can be downloaded. This archive contains the malicious file Video_Narco.exe..."
* http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389
:fear:
AplusWebMaster
2008-01-12, 00:53
FYI...
- http://isc.sans.org/diary.html?storyid=3826
Last Updated: 2008-01-11 20:19:06 UTC - "Come April, we will reach the FIFTH anniversary of the ByteVerify vulnerability (MS03-011). Untangling some seriously obfuscated JavaScript coming from a couple of web sites in China earlier today, I ended up with - yes, a ByteVerify exploit. Also in the package was an MDAC exploit (MS06-014), whose second anniversary will be up this April as well.
> To see these exploits still in use can only mean one thing: They still work.
And they seem to work well enough that the bad guys can instead sink their time into developing new obfuscation techniques and other ways to make analysis more difficult -- only to deliver a five year old exploit in the end. Not a very stellar testament to patching efforts."
:fear:
AplusWebMaster
2008-01-18, 14:17
FYI...
Adobe (Flash) Server vulns - updates available
>>> http://www.us-cert.gov/current/#adobe_releases_security_bulletins_to
January 17, 2008
- http://www.adobe.com/support/security/bulletins/apsb08-02.html
APSB08-02 Update available for Adobe Connect Enterprise Server cross-site scripting issue - 01/16/2008
- http://www.adobe.com/support/security/bulletins/apsb08-01.html
APSB08-01 Update to Dreamweaver and Contribute to address potential cross-site scripting vulnerabilities - 01/16/2008
"...issue previously described in Security Advisory APSA07-06*..."
- http://www.adobe.com/support/security/advisories/apsa07-06.html
January 16, 2008 – Advisory updated with information on Dreamweaver and Connect fixes
:fear::fear:
AplusWebMaster
2008-01-22, 15:10
FYI...
- http://www.theinquirer.net/gb/inquirer/news/2008/01/22/apache-sites-scalped-hack
22 January 2008 - "...more than 10,000 sites running the Linux based Apache software may be hacked and trying to control visitors' computers. Don Jackson, from Secureworks* said that the hackers probably used stolen log-in details to gain access and then infected the Apache servers with a pair of files that generate constantly-changing JavaScript. If a punter visits the hacked site they get walloped with nine exploits including a recent QuickTime vulnerability, the long-running Windows MDAC bug, and a fixed flaw in Yahoo Messenger. Once a hole is opened, the victim receives (a variant of) the Trojan Rbot and is added to a botnet. When the systems administrators, who owned the Apache boxes, were notified and reinstalled the software, the hack came back, apparently. This led Jackson to believe that it was a direct hack to the Linux server and not based on a vulnerability. He thinks that the only way the hacks will stop is when the Administrators change all the passwords and not just the FTP and Cpanel passwords..."
* http://www.secureworks.com/research/threats/linuxservers/?threat=linuxservers
"...The compromised websites, in turn, can infect website visitors. If infected, the malicious code can steal bank usernames and passwords, SSNs, credit card numbers, online payment accounts, basically any information a computer user puts into their web browser. The malicious code can also own the victim’s computer...
> Protection for Organization’s Websites: In order for an organization to protect their website from this attack they need to disable dynamic loading in their Apache module configurations.
> Protection for Website visitors: This is designed to attack Windows PCs. Website visitors can avoid infection by the malware this attack distributes by making sure all anti-virus signatures are up to date and that all vulnerable software is patched. No previously unknown or 0-day vulnerabilities are used in this attack..."
:fear::fear::fear:
AplusWebMaster
2008-01-23, 15:06
Ongoing...
- http://www.theregister.co.uk/2008/01/23/booby_trapped_web_botnet_menace/
23 January 2008 - "...Security watchers at Sophos are discovering 6,000 new infected webpages every day, the equivalent of one every 14 seconds. Four in five (83 per cent) of these webpages actually belong to innocent companies and individuals, unaware that their sites have been hacked. Websites of all types, from those of antique dealers to ice cream manufacturers and wedding photographers, have hosted malware on behalf of virus writers, Sophos reports. The study sheds fresh light on the well-understood problem of drive-by-downloads from compromised sites, a tactic that's come to eclipse virus-infected email as a means of spreading malware. Cybercrooks target users by spamvertising emails containing links to poisoned webpages, exposing unsuspecting victims to malware. At least one in ten web pages are booby-trapped with malware, according to a separate study by Google published last May. Often these malware packages are designed to put compromised zombie PCs under the control of hackers. Around half a million computers are infected by bots every day according to data compiled by PandaLabs*, the research arm of anti-virus firm Panda Software. Approximately 11 percent of computers worldwide have become a part of criminal botnets..."
- http://www.sophos.com/security/blog/2008/01/1010.html
22 January 2008
- http://www.cpanel.net/security/notes/random_js_toolkit.html
* http://www.pandasecurity.com/usa/about/corporate-news/new-31.htm
Jan. 18, 2008
- http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3
> http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.BotCounts#week
Also noteworthy:
> http://blog.trendmicro.com/technology-shift-the-world-wide-compromise-of-the-web/
January 22, 2008 - "...We’ve recently seen literally thousands of compromised Web sites and Web pages that, if an unsuspecting user happens upon the content (and has some arbitrary unpatched vulnerability), they are victimized. I cannot stress how important this issue has become, and how this will fundamentally change the way we use The Internet if we do not take dramatic steps to correct these basic deficiencies. The lifeblood of the Internet depends on it. When Vint Cerf spoke at the World Economic Forum in Davos, Switzerland, last year, he pretty much nailed the issue spot on — 'Criminals may indeed overwhelm the web' as we (collectively) sit idly by..."
:fear::fear::fear:
AplusWebMaster
2008-01-24, 14:46
FYI...
- http://blog.washingtonpost.com/securityfix/2008/01/report_51_of_malicious_web_sit.html
January 22, 2008 - "...Dan Hubbard, Websense's vice president of security research, said that at any given time there are about two million compromised and malicious sites online, and that slightly more than half of those are hacked sites that range from mom-and-pop type stores to household brand names. The company scans about 600 million sites per week for signs that the sites are trying to foist malicious software on visitors or redirect them to sites that will. The report follows recent discoveries* that almost 100,000 Web sites - including that of security company Computer Associates, the Commonwealth of Virginia, the City of Cleveland - were hacked via Web application vulnerabilities in an apparently coordinated attack. In that attack, the code stitched into hacked sites was designed to perpetrate click fraud and steal online gaming credentials. All Web software applications have flaws, and all need to be updated from time to time to keep the site healthy and to keep opportunistic predators away..."
* http://www.theregister.co.uk/2008/01/08/malicious_website_redirectors/
:fear:
AplusWebMaster
2008-01-25, 14:54
FYI...
SEO Manipulation Begins for Super Bowl Malware Campaign
- http://blog.trendmicro.com/seo-manipulation-begins-for-super-bowl-malware-campaign/
January 24, 2008 - "...When users search for 'Superbowl', Google search results turn up the following (malware links)... Is the Super Bowl on cyber criminals’ social engineering lists? It does seem somewhat passé (even if the event is in two weeks). But what’s interesting in this case is that the malicious URLs are once again found in the servers of the Czech hosting provider believed to be hacked. Our analysts have been in contact with CERT CZ and the Czech hosting provider but the malicious codes are still present as of this writing..."
(Screenshot available at the URL above.)
:fear:
AplusWebMaster
2008-01-26, 20:16
FYI...
Attackers Abuse Google Blogger
Blogger is flooded with phony blogs – including some that inject malware
- http://www.darkreading.com/document.asp?doc_id=144171&print=true
JANUARY 25, 2008 - "Hackers are currently littering Google's Blogger site with phony blogs -- some containing malware, pornographic images, or pure spam. "Google Blogger is being used as a malware delivery mechanism," says Ken Steinberg, CTO and president of Savant Protection, who discovered the attack while working on his own blog this morning. The attackers apparently are automatically generating the blogs with scripts. The blogs come with nonsensical names and content that's obviously been generated using English-compliant engines and keyword focuses, he says. "They've upped the game. Mostly [blog attacks] have been through comments or postings," he says. Steinberg noted that some of the fake blogs were using malware-insertion techniques: "One of the more common ways of inserting malware is using overflow techniques found in movie [viewers]... When you click through a few of these blogs, up pops images set to auto-load -- some are images, some are movies" that can infect a visitor with malware, he says. Google says it's investigating the event..."
- http://preview.tinyurl.com/2v59aq
January 25, 2008 (Computerworld) - "...The spammers have borrowed other malware techniques, too. Just as some recent attacks have been launched using frequently changing JavaScript, the redirect code placed on the Google Pages or on blogs may fluctuate depending on the originating spam message. The scams are also using fast-flux techniques to rapidly change the resolving destinations of the links.."
:devil:
AplusWebMaster
2008-01-26, 20:58
FYI... (apologies for the long post; 'included details for admins):
- http://prweb.com/releases/2008/1/prweb656233.htm
January 26, 2008 - "cPanel announced today that its security team has identified several key components of a hack known as the Random JavaScript Toolkit. The systems affected by this hack appear to be Linux® based and are running a number of different hosting platforms. While this compromise is not believed to be specific to systems running cPanel software, cPanel has worked with a number of hosting providers and server owners to investigate this compromise. The cPanel Security Team has recognized that the vast majority of affected systems are initially accessed using SSH with no indications of brute force or exploitation of the underlying service. Despite non-trivial passwords, intermediary users and nonstandard ports, the attacker is able to gain access to the affected servers with no password failures. The cPanel security team also recognized that a majority of the affected servers come from a single undisclosed data-center. All affected systems have password-based authentication enabled. Based upon these findings, the cPanel security team believes that the attacker has gained access to a database of root login credentials for a large group of Linux servers. Once an attacker manually gains access to a system they can then perform various tasks. The hacker can download, compile, and execute a log cleaning script in order to hide their tracks. They also can download a customized root-kit based off of Boxer version 0.99 beta 3. Finally, the attacker searches for files containing credit card related phrases such as cvc, cvv, and authorize. The actual root-kit has been the subject of much speculation. The cPanel security team asserts that the Boxer variant includes a small web-server which is how the Javascript is distributed to unsuspecting users of any website on the server. It is believed that the Javascript include is injected into the HTML code after Apache has served the file but before it has traveled through the TCP transport back to the user of the website.
The web-server is not loaded onto the hard drive directly but loaded directly into memory from the infected Boxer binaries... The JavaScript being loaded by this web-server is directing users to another server that scans the website user for a number of known vulnerabilities. These vulnerabilities are then used to add the website user to a bot net. More information about the JavaScript hacks can be found at: http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3. Cleaning the Random JavaScript Toolkit requires the server to be booted into single user mode and the removal of all infected binaries. More details on how to do this can be found at: http://www.cpanel.net/security/notes/random_js_toolkit.html. The cPanel security team believes that the hacker has access to the database of login credentials; the only way to prevent being hacked again is changing the password and not releasing it to anyone. The preferred method however is to move to SSH Keys and remove password authentication altogether."
:fear::spider:
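The cPanel note above ends with the one mitigation that actually addresses stolen root passwords: move to SSH keys and turn password authentication off. As an added example (not cPanel's code and not from this thread), here is a small Python audit of an sshd_config that resolves the relevant directives the way sshd does, reports the weak settings, and writes out a key-only copy. The sample config is constructed; the directive names and their defaults are OpenSSH's.

```python
# Added example, not code from cPanel or this thread: audit an sshd_config
# for password-based logins and emit a key-only copy. Resolution mimics sshd:
# the first global occurrence of a directive wins, lines inside a "Match"
# block are conditional and therefore ignored, and a missing directive takes
# sshd's built-in default. Directive names and defaults are OpenSSH's.
import re

# sshd's default when the directive is absent from the file
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "ChallengeResponseAuthentication": "yes",  # keyboard-interactive (PAM) logins
    "PubkeyAuthentication": "yes",
}
# what a key-only server should have
HARDENED = {
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PubkeyAuthentication": "yes",
}
CANON = {name.lower(): name for name in DEFAULTS}

# Constructed sample, loosely like a 2008-era hosting box: password logins on a
# non-standard port, which is exactly the setup the cPanel note says did not help.
SAMPLE_WEAK = """\
# constructed sample sshd_config
Port 2222
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
#PasswordAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication no
"""


def _parse(raw):
    """Return (directive, value), both lower-cased, for one config line, or
    ("", "") for blank/comment lines. sshd accepts 'Key value' and 'Key=value'."""
    line = raw.split("#", 1)[0].strip()
    if not line:
        return "", ""
    parts = re.split(r"[\s=]+", line, maxsplit=1)
    value = parts[1].strip().lower() if len(parts) > 1 else ""
    return parts[0].lower(), value


def effective_settings(config_text):
    """Resolve the audited directives as sshd would for an unconditional login."""
    seen = {}
    in_match = False
    for raw in config_text.splitlines():
        key, value = _parse(raw)
        if key == "match":
            in_match = True          # everything after a Match line is conditional
        if in_match or key not in CANON:
            continue
        seen.setdefault(CANON[key], value)   # first occurrence wins
    return {name: seen.get(name, default) for name, default in DEFAULTS.items()}


def audit(config_text):
    """List (directive, effective value, wanted value) for every weak setting."""
    eff = effective_settings(config_text)
    return [(n, eff[n], want) for n, want in HARDENED.items() if eff[n] != want]


def harden(config_text):
    """Comment out every global occurrence of the audited directives and put the
    hardened values first so they become the winning occurrence."""
    out = ["# key-only authentication, added by hardening"]
    out += [f"{name} {value}" for name, value in HARDENED.items()]
    in_match = False
    for raw in config_text.splitlines():
        key, _ = _parse(raw)
        if key == "match":
            in_match = True
        if not in_match and key in CANON:
            out.append(f"#{raw}   # disabled by hardening")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEAK):
        print("weak: %s is %r, want %r" % finding)
    print(harden(SAMPLE_WEAK))
```

Run `audit()` on the live file before and after changing it, and keep an existing session open while restarting sshd so a broken config or a missing authorized_keys file does not lock you out. PermitRootLogin is deliberately left out of the table because its default differs between OpenSSH versions; it can be added with the same mechanics once you know the version in use.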
AplusWebMaster
2008-01-29, 21:20
FYI...
- http://blog.trendmicro.com/spyware-removal-site-delivers-malware/
January 28, 2008 - "Looks can be deceiving, and malware authors are relying on that old adage to lure potential victims into their most recent scheme... The site hxxp ://removal-tool .com manages to do all that... who’d suspect that a professional-looking anti-spyware site will give them just the opposite of what they’re looking for — and even more? With most of the pages hosting malicious iFrames, here’s a list of what could be lurking in your system after a visit to their site:
* HTML_IFRAME.IY
* VBS_PSYME.BCC
* EXPL_EXECOD.A
* HTML_SHELLCOD.AE
* JS_AGENT.AXX
* HTML_DLOADER.XCZ
* WORM_DISKGEN.AF
* HTML_SHELLCOD.AZ
* HTML_SHELLCOD.AW
* JS_REALPLAY.AA
* PE_PAGIPEF.AP-O
* TROJ_AGENT.DDG
* TROJ_PAGIPEF.AP
The use of legitimate-looking Web sites is a regular (yet undoubtedly still very effective) tactic in disseminating Web threats, mainly used to fool users into downloading fake codecs (see here and here), though security applications have also been reported in the past. Any Web-savvy developer knows that professional design and robust content attract customers, and is most likely to earn their trust to initiate one more click. Sadly, even those with malicious intent abide by this rule, and most users can hardly tell a good site from a bad one..."
(Screenshot available at the URL above.)
:fear:
AplusWebMaster
2008-01-30, 13:29
FYI...
- http://blog.trendmicro.com/malicious-banners-target-expediacom-and-rhapsodycom/
January 29, 2008 - "... Earlier this month, we’ve seen malicious banner ads being served on popular Web sites, such as Myspace, Excite, and Blick. This time, TrendLabs was alerted to malicious banner ads infiltrating legitimate special interest Web sites such as Expedia.com and Rhapsody.com. According to Trend Micro security experts, certain malicious .SWF banners have managed to work their way into Expedia.com, a popular site for travel enthusiasts worldwide. Trend Micro detects this particular malicious flash banner as SWF_ADHIJACK.A. Based on initial analysis, clicking on this ad leads to several redirections, which eventually results in the installation of a rogue antispyware (detected as TROJ_GIDA.A). Music lovers are also targeted by malware-laden .SWF banners at Rhapsody.com, a music site owned by RealNetworks, which was also found to be employing malicious flash banners. The malicious .SWF URL found in Rhapsody.com is said to be similar to the notorious Skyauction advertisements that were also found to infiltrate the Blick website...
Hat-tip: Spyware Sucks - http://msmvps.com/blogs/spywaresucks/archive/2008/01/28/1483997.aspx "
:fear::spider:
AplusWebMaster
2008-02-02, 01:23
FYI...
- http://secunia.com/advisories/28715
Last Update: 2008-02-05
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: MySpace Uploader Control 1.x
...The vulnerability is confirmed in MySpaceUploader.ocx version 1.0.0.5 and reported in version 1.0.0.4. Other versions may also be affected.
Solution: Update to version 1.0.0.6. <<<
( http://forums.spybot.info/showpost.php?p=162448&postcount=44 )
- http://secunia.com/advisories/28713/
Release Date: 2008-02-04
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Facebook Photo Uploader 4.x
...The vulnerability is confirmed in version 4.5.57.0. Other versions may also be affected.
Solution: Update to version 4.5.57.1. <<<
- http://secunia.com/advisories/28757/
Last Update: 2008-02-07
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Yahoo! Music Jukebox 2.x ...
NOTE: Working exploit code is publicly available.
The vulnerabilities are confirmed in Yahoo! Music Jukebox version 2.2.2.056. Other versions may also be affected...
Solution: Set the kill-bit for the affected ActiveX controls. <<<
Other References:
US-CERT VU#101676: http://www.kb.cert.org/vuls/id/101676
US-CERT VU#340860: http://www.kb.cert.org/vuls/id/340860
---------------------
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0623
release date: 2/6/2008 - YMP Datagrid ActiveX control (datagrid.dll)
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0624
release date: 2/6/2008 - YMP Datagrid ActiveX control (datagrid.dll)
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0625
release date: 2/6/2008 - MediaGrid ActiveX control (mediagrid.dll)
:fear:
AplusWebMaster
2008-02-06, 14:10
FYI...
Adobe Reader v8.1.2 released
- http://secunia.com/advisories/28802/
Release Date: 2008-02-06
Last Update: 2008-02-11
Critical: Highly critical
Impact: Unknown, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Acrobat 3D, Adobe Acrobat 8 Pro, Adobe Acrobat 8.x, Adobe Reader 8.x
CVE reference:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0667 ...
Solution: Update to version 8.1.2...
Acrobat 8 on Windows:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3849 ...
Changelog:
2008-02-08: Updated advisory based on additional information from the vendor. Updated link to vendor's advisory.
2008-02-11: Updated advisory based on additional information from iDefense Labs and Fortinet. Added links and CVE references.
Original Advisory: Adobe APSA08-01:
http://www.adobe.com/support/security/advisories/apsa08-01.html
AplusWebMaster
2008-02-08, 01:00
FYI...
MySpace Uploader ActiveX Exploited in the Wild
- http://preview.tinyurl.com/22vn4d
February 7, 2008 (Symantec Security Response Weblog) - "Yesterday our honeypots picked up a browser attack toolkit that I had not encountered before. This toolkit uses dynamic function and variable names and wraps its exploits in two levels of dynamic encoding. Finding a new toolkit on our honeypots always piques my interest as a new toolkit often yields new exploit payload. Lo and behold, once the encoder layers are peeled away, the toolkit is found to contain an exploit for the MySpace Uploader 'MySpaceUploader.ocx' ActiveX Control Buffer Overflow that was announced on the 31st of January*..."
* http://securityresponse.symantec.com/avcenter/attack_sigs/s50096.html
"...issue leads to a crash in 'MySpaceUploader.ocx' 1.0.0.4 and 1.0.0.5..."
> http://secunia.com/advisories/28715
Solution: Update to version 1.0.0.6.
:fear:
AplusWebMaster
2008-02-08, 14:41
FYI...
> http://secunia.com/blog/20
7 February 2008
"...During the last 24 hours, we have seen security updates for some very popular Windows programs from four major vendors: Sun, Adobe, Apple, and Skype. Based on these four security updates, we have gathered some statistics from our free Secunia PSI that shows a startling picture, detailing the amount of users who need to patch their computers, in order to safely do something as ordinary as surfing the Internet...
A little in-depth information about the four security updates
1) Adobe Reader 8.x (PDF Files) (Secunia Advisory: http://secunia.com/SA28802 )...
2) Sun Java 1.5.x (Web content, games, etc.) (Secunia Advisory: http://secunia.com/SA28795 )...
3) Apple Quicktime (Movies, music, etc.) (Secunia Advisory: http://secunia.com/SA28423 )
4) Skype (Chat and VOIP) (Secunia Advisory: http://secunia.com/SA28791 )..."
(Add the Firefox update to that: http://secunia.com/SA28758/ , and most should have a busy weekend!)
:fear:
AplusWebMaster
2008-02-09, 04:57
FYI...
- http://isc.sans.org/diary.html?storyid=3958
Last Updated: 2008-02-09 02:38:22 UTC - "The Adobe Reader vulnerability... is being exploited in the wild! A malicious PDF file (called 1.pdf in this example) served from IP address "85.17.221.2" (not active at this time) contains a malware specimen called Trojan, a variant of Zonebac. The IP address belongs to LeaseWeb, a hosting provider in The Netherlands we already notified..."
- http://secunia.com/advisories/28802/
Software: Adobe Reader 8.x ...
Solution: Update to version 8.1.2 ...
Original Advisory: Adobe Reader 8.1.2 Release Notes:
http://www.adobe.com/go/kb403079
:fear:
AplusWebMaster
2008-02-14, 06:33
FYI...
New Facebook Photo Uploader ActiveX Vulnerability
- http://atlas.arbor.net/briefs/index#-1074023979
(...Scroll down to):
Severity: Elevated Severity
Published: Wednesday, February 13, 2008 18:57
Facebook Photo Uploader ActiveX control is prone to a buffer-overflow vulnerability. Attackers can exploit this issue and execute arbitrary code in the context of the browser. Exploit is available. Until this issue is fixed by the vendor, a workaround would be to set the kill bit for the ActiveX control.
Analysis: The ActiveX control in question is ImageUploader4.1.ocx. The 'FileMask' method is vulnerable. Attackers need to make a user view a crafted HTML to exploit this issue. A workaround would be to set the kill bit for the Control till it is fixed...
:fear:
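Both the Yahoo! Music Jukebox advisory earlier in this thread and the Facebook Photo Uploader brief above give "set the kill bit" as the interim workaround. As an added example (not from either advisory), here is a Python helper that builds the .reg file for that change using the mechanism Microsoft documents in KB 240797: a `Compatibility Flags` DWORD of 0x400 under the control's CLSID in the `ActiveX Compatibility` key, written to the Wow6432Node hive as well for 32-bit IE on 64-bit Windows. The CLSIDs in the block are placeholders; the real one comes from the vendor advisory or from the control's own registration, not from this example.

```python
# Added example, not from the advisories quoted above: build a .reg file that
# sets the IE "kill bit" for one or more ActiveX controls. The mechanism is the
# documented one (Microsoft KB 240797): a Compatibility Flags DWORD of 0x400
# under the control's CLSID in the ActiveX Compatibility key. The CLSIDs used
# here are PLACEHOLDERS; the real CLSID comes from the vendor advisory or the
# control's registration, not from this example.
import re

KILL_BIT = 0x00000400
BASE_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    # 32-bit IE on 64-bit Windows reads the redirected hive instead
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
)
_CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)

# Constructed placeholder CLSIDs standing in for the controls named in the posts.
PLACEHOLDER_CLSIDS = {
    "ImageUploader4.1.ocx (placeholder CLSID)": "{00000000-0000-0000-0000-000000000001}",
    "datagrid.dll (placeholder CLSID)": "{00000000-0000-0000-0000-000000000002}",
}


def normalize_clsid(clsid):
    """Upper-case a CLSID and reject anything that is not {8-4-4-4-12} hex."""
    c = clsid.strip().upper()
    if not _CLSID_RE.match(c):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return c


def has_kill_bit(flags):
    """True if a Compatibility Flags value has the kill bit set (other bits may coexist)."""
    return bool(flags & KILL_BIT)


def kill_bit_reg(clsids, include_wow64=True):
    """Return the text of a .reg file (CRLF line endings, as regedit writes them)
    that sets the kill bit for every CLSID given, under both hives by default.
    clsids maps a human-readable label to the CLSID string."""
    keys = BASE_KEYS if include_wow64 else BASE_KEYS[:1]
    lines = ["Windows Registry Editor Version 5.00", ""]
    for label, clsid in clsids.items():
        c = normalize_clsid(clsid)
        lines.append(f"; kill bit for {label}")
        for base in keys:
            lines.append(f"[{base}\\{c}]")
            lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
            lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(kill_bit_reg(PLACEHOLDER_CLSIDS))
```

Confirm the CLSID by looking the control up under `HKEY_CLASSES_ROOT\CLSID` on a machine where it is installed before importing the file; a typo kills nothing. If an existing `Compatibility Flags` value is already present, OR the kill bit into it rather than overwriting it, which is what `has_kill_bit()` is there to check. The kill bit stops Internet Explorer from instantiating the control; it does not remove the vulnerable file, so the vendor update is still needed.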
AplusWebMaster
2008-02-19, 13:12
FYI...
- http://www.theregister.co.uk/2008/02/15/browser_exploitation/
15 February 2008 - "Cybercriminals are stepping up their efforts to exploit vulnerabilities in web browsers to spread malware using drive-by download techniques. Research by Google's anti-malware team found that three million unique URLs on more than 180,000 websites automatically installed malware onto vulnerable PCs. Hackers are increasingly trying to trick search sites into pointing surfers onto maliciously constructed sites. More than one per cent of all search results contain at least one result that points to malicious content, Google reports*, adding that incidents of such attacks have grown steadily over recent months and continue to rise. Google's team also reports that two per cent of malicious websites are delivering malware via tainted banner ads. Israeli security firm Finjan has also observed a rise in the tactic over recent months, noting that many malicious ads are served from legitimate websites. A security report from IBM's X-Force division said cybercriminals are "stealing the identities and controlling the computers of consumers at a rate never before seen on the internet"..."
* http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html
> http://www.us-cert.gov/current/#mozilla_firefox_and_opera_browser
February 18, 2008
> http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx
MS08-010 - Updated: February 13, 2008
(Keep things patched! Is your browser up-to-date?...)
Opera v9.26 released
- http://forums.spybot.info/showthread.php?p=166220#post166220
Release Date: 2008-02-20
:fear::spider:
AplusWebMaster
2008-02-20, 18:03
FYI...
- http://www.theregister.co.uk/2008/02/20/symantec_enpoint_security_error_bug/
20 February 2008 - "Symantec is working to patch a bug that generates errors in corporate security protection updates. Workarounds enabling virus signature definition updates to Symantec Endpoint Protection are available, but a more comprehensive fix is still in testing. The glitch in Symantec's LiveUpdate package has left sysadmins managing Symantec Endpoint Protection coping with "broken" clients... Symantec has published an advisory* detailing workarounds. Posts on Symantec forums indicate that the problem first reared its head on 11 February... looks like every Symantec customer worldwide has been affected by the issue..."
* http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008021213593948
Last Modified: 02/15/2008
:lip:
-----------
- http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008021213593948
Last Modified: 02/20/2008 - "...Solution:
Symantec has released a new Decomposer to the LiveUpdate Servers to resolve this issue. If you used the previously stated workaround, please re-check the Decomposer signatures and select "Use latest available"..."
AplusWebMaster
2008-02-21, 20:16
FYI...
- http://preview.tinyurl.com/ytx4dc
02/20/08 (NetworkWorld) - "People-driven security, an approach that pools the judgments of individual participants to identify new threats, is gathering momentum, with uses popping up in everything from antimalware and spam blocking to site filtering. OpenDNS's Domain Tagging, introduced in February, is the latest example of this kind of strength in numbers. The free Web-filtering service allows subscribers to block sites in their choice of categories... "The good guys need to out-share the bad guys to help counter them," says Johannes Ullrich, chief research officer at the Internet Storm Center (ISC)... Together, people-powered tools and sites work to build genuine security that benefits the entire online community."
:spider::cool::spider:
AplusWebMaster
2008-02-22, 14:34
FYI...
Netscape multiple Vulns - update available
- http://secunia.com/advisories/29049/
Release Date: 2008-02-21
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Netscape 9.x
...can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, conduct spoofing attacks, or to compromise a user's system.
Solution: Update to version 9.0.0.6:
http://browser.netscape.com/downloads
"Official support for all Netscape client products will end on March 1st, 2008..."
http://blog.netscape.com/2007/12/28/end-of-support-for-netscape-web-browsers
AplusWebMaster
2008-02-22, 19:25
FYI...
- http://blog.washingtonpost.com/securityfix/2008/02/wall_street_reports_higher_pc_1.html
February 22, 2008 - "...In the first half of 2007, companies involved in managing securities and futures trades reported a 47 percent increase in the number of fraudulent or suspicious transactions attributed to computer break-ins, according to data released last month by the Financial Crimes Enforcement Network (FinCEN). Financial institutions are required to file suspicious activity reports (SARs) when a suspected fraudulent or illegal transfer of funds exceeds $5,000. According to FinCEN, trading institutions filed more computer intrusion-related securities fraud reports in the first half of 2007 than they reported in all of 2006... The report doesn't provide any guesses as to what factors might be responsible for those notable increases. But here's my take: Cyber crooks are going after and compromising online stock trading accounts just as they are online banking accounts*..."
* http://blog.washingtonpost.com/securityfix/2008/02/banks_losses_from_computer_int.html
02/20/2008
:fear::fear:
AplusWebMaster
2008-03-24, 13:55
FYI...
- http://blog.trendmicro.com/better-business-bureau-phish-with-trojan-downloader/
March 23, 2008 - "The Better Business Bureau (BBB) is the target of a new phishing scam, in which a user is asked to download a rogue ActiveX installer upon visiting the Web site... installer is actually a Trojan downloader file named Acrobat.exe... The BBB has a history of being a target of malware authors and spammers, besides phishers. Previously, it has been used as a subject of spam that contained malware detected as TROJ_ARTIEF.A."
(Screenshots available at the URL above.)
:fear::spider:
AplusWebMaster
2008-03-24, 14:18
FYI...
- http://isc.sans.org/diary.html?storyid=4187
Last Updated: 2008-03-24 10:18:07 UTC - "...Over the last week or two there have been more instances of the Death Threat SPAM emails. These particularly nasty messages explain how someone you know wants you dead and the hired killer is contacting you to make a deal. These can be very upsetting for the recipient. Whilst they are typically spam messages, treat them seriously and report them if you feel it is necessary..."
- http://mobile.fbi.gov/pressrel/2007/extortion070707.htm
"...The message from the FBI... do NOT respond, and to file a complaint through the IC3.gov website. Due to the threat of violence in these extortion e-mails, if an individual receives an e-mail that contains personal information that might differentiate their e-mail from the general e-mail spam campaign, the recipient should contact the FBI immediately at 251-438-3674..."
:fear: