Alerts
AplusWebMaster
2006-03-24, 20:57
Easily can happen when a visitor to ANY site enters the "names and e-mail addresses of...friends...". If you really want them to visit the site, just send them the URL yourself in an e-mail:
- http://www.techweb.com/article/printableArticle.jhtml?articleID=183702655&site_section=700028
March 24, 2006
"The Federal Trade Commission on Thursday nailed a spammer with a record-setting $900,000 fine for violating the CAN-SPAM Act. According to a complaint filed by the FTC, JumpStart Technologies of San Francisco, Calif. has spammed consumers since 2002, sending millions of messages disguised as personal e-mails in an attempt to hype its FreeFlixTix Web site. JumpStart, charged the FTC, collected e-mail addresses by offering free movie tickets to consumers in exchange for ratting out the names and e-mail addresses of five or more friends...
The spam scam also misled consumers who took the bait and went to FreeFlixTix, with some of the "free" ticket offers requiring credit card registration that in many cases resulted in charges made to the account. JumpStart's FreeFlixTix site is now offline..."
:(
AplusWebMaster
2007-06-20, 14:12
Notes: As always, follow "Best practice...": Keep systems updated with all current MS patches and update/check 3rd party applications [Test here: http://secunia.com/software_inspector/ ].
Hacks -will- take advantage when users don't.
:spider:
AplusWebMaster
2008-07-10, 16:57
FYI...
* http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html
Last Revised: 9 July 2008
"Overview: Microsoft Update KB951748 [MS08-037] is known to cause loss of internet access for ZoneAlarm users on Windows XP/2000. Windows Vista users are not affected.
Impact: Sudden loss of internet access
Platforms Affected: ZoneAlarm Free, ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Anti-Spyware, and ZoneAlarm Security Suite ...
Recommended Actions:
Download and install the latest versions which solve the loss of internet access problem here*..."
//
AplusWebMaster
2008-08-03, 14:01
For the end-user, to recap all this, IMHO, the bottom line is here:
Web-based DNS Randomness Test
- https://www.dns-oarc.net/oarc/services/dnsentropy
Test My DNS
...and if you still have problems, go here and DO IT:
- http://www.opendns.com/
.
AplusWebMaster
2009-01-23, 13:08
FYI...
- http://www.intego.com/news/ism0901.asp
January 22, 2009 - "Intego has discovered a new Trojan horse, OSX.Trojan.iServices.A, which is currently circulating in copies of Apple’s iWork 09 found on BitTorrent trackers and other sites containing links to pirated software. The versions of iWork 09, Apple’s productivity suite, are complete and functional, but the installer contains an additional package called iWorkServices.pkg... When installing iWork 09, the iWorkServices package is installed. The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer’s request of an administrator password... Intego is issuing this alert to warn Mac users not to download iWork 09 installers from sites offering pirated software. (As of 6 am EST, at least 20,000 people have downloaded this installer.) The risk of infection is serious, and users may face extremely serious consequences if their Macs are accessible to malicious users. Intego VirusBarrier X4 and X5 with virus definitions dated January 22, 2009 or later protect against this Trojan horse. Intego recommends that users never download and install software from untrusted sources or questionable web sites..."
- http://voices.washingtonpost.com/securityfix/2009/01/pirated_iwork_software_infects.html
"Update, 11:16 p.m. ET: ...While the attackers may indeed be targeting other sites, dollarcardmarketing .com remains under a fairly consistent DDoS attack as of this writing..."
:fear:
AplusWebMaster
2009-01-31, 15:19
FYI...
Novell releases updates for GroupWise
- http://www.us-cert.gov/current/#novell_releases_updates_for_groupwise
January 30, 2009 - "Novell has released updates for GroupWise 7 and 8 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, compromise a GroupWise account, conduct cross-site scripting attacks, or obtain sensitive information. US-CERT encourages users to review the Novell download page* and apply the appropriate patch to help mitigate the risks."
* http://preview.tinyurl.com/4et673
- http://secunia.com/advisories/33744/
Release Date: 2009-02-02
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, DoS, System access
Where: From remote
Solution Status: Vendor Patch...
:fear:
AplusWebMaster
2009-01-31, 23:08
FYI...
- http://isc.sans.org/diary.html?storyid=5779
Last Updated: 2009-01-31 18:17:26 UTC - "... it appears to be reporting that every site might contain malware (i.e. it shows the "This site may harm your computer" warning with every result)...UPDATE X3: Google's response*..."
Google: This Internet May Harm Your Computer
- http://voices.washingtonpost.com/securityfix/2009/01/google_this_internet_will_harm.html
January 31, 2009 - "A glitch in a computer security program embedded deeply into Google's search engine briefly prevented users of the popular search engine from visiting any Web sites turned up in search results this morning. Instead, Google users were redirected to page that warned: "This site may harm your computer"..."
* http://googleblog.blogspot.com/2009/01/this-site-may-harm-your-computer-on.html
January 31, 2009 - "...the URL of '/' was mistakenly checked in as a value to the file and '/' expands to all URLs. Fortunately, our on-call site reliability team found the problem quickly and reverted the file. Since we push these updates in a staggered and rolling fashion, the errors began appearing between 6:27 a.m. and 6:40 a.m. and began disappearing between 7:10 and 7:25 a.m., so the duration of the problem for any particular user was approximately 40 minutes..."
- http://blog.stopbadware.org/2009/01/31/google-glitch-causes-confusion
January 31, 2009 - "...Users who attempted to click through the results saw the "interstitial" warning page that mentions the possibility of badware and refers people to StopBadware.org for more information. This led to a denial of service of our website, as millions of Google users attempted to visit our site for more information... [Update 2:35] Hopefully this will be the last update, as Google has acknowledged the error, apologized to its customers, and fixed the problem. As many know, we have a strong relationship with Google, which is a sponsor and partner of StopBadware.org. The mistake in Google’s initial statement, indicating that we supply them with badware data, is a common misperception. We appreciate their follow up efforts in clarifying the relationship on their blog and with the media. Despite today’s glitch, we continue to support Google’s effort to proactively warn users of badware sites, and our experience is that they are committed to doing so as accurately and as fairly as possible..."
:spider::lip::red:
AplusWebMaster
2009-02-23, 00:08
FYI...
- http://preview.tinyurl.com/cjkx72
February 20, 2009 (Computerworld) - "...nearly one-third of the estimated 200,000 DNS servers worldwide still remain unprotected against the cache-poisoning threat and need to be patched as soon as possible, Kaminsky said, adding that many of them are being attacked on a daily basis. "We are seeing attacks where people are redirecting major sites to places where they shouldn't be going," he said. "It's happening right now." The cache-poisoning flaw was publicly disclosed last July... The flaw could be used by attackers to spoof DNS traffic, potentially enabling them to redirect Web traffic and e-mail messages to systems under their control..."
Web-based DNS Randomness Test
- https://www.dns-oarc.net/oarc/services/dnsentropy
Test My DNS
...and if you are still having problems, try this:
- http://www.opendns.com/
.
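The web test linked above checks whether a resolver's outgoing queries use unpredictable source ports and transaction IDs, which is what the July 2008 patches added. As an added example (not code from OARC, OpenDNS or this thread), the Python below scores a list of (source port, transaction ID) pairs the way such a test does: it measures the entropy of each field and, separately, whether the values simply count up, since an incrementing allocator looks random to an entropy test but is trivially guessable. The query streams are constructed in the code and the POOR/FAIR/GOOD thresholds are assumptions for illustration, not the OARC test's own scoring.

```python
"""Assess source-port and transaction-ID randomness of a resolver's outgoing
queries, in the spirit of the OARC web-based DNS randomness test.

Added example, not code from the OARC test or from the forum thread. The input
is a constructed list of (source_port, txid) pairs; on a real network they would
come from a capture of the resolver's outbound UDP/53 queries. Thresholds are
assumptions for illustration, not the OARC test's own scoring.
"""
import math
import random
from collections import Counter


def shannon_bits(values):
    """Entropy of the observed distribution in bits (0 for a constant series)."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def sequential_fraction(values):
    """Fraction of consecutive samples whose difference is exactly +1.

    A resolver that increments its port or ID per query looks high-entropy to
    a pure entropy test but is trivially predictable, so it is checked separately.
    """
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def assess(samples):
    """Return a dict of metrics and a POOR/FAIR/GOOD verdict for a sample list."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    metrics = {
        "queries": len(samples),
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(shannon_bits(ports), 2),
        "port_sequential": round(sequential_fraction(ports), 2),
        "txid_entropy_bits": round(shannon_bits(txids), 2),
        "txid_sequential": round(sequential_fraction(txids), 2),
    }
    # Assumed thresholds: either field being (nearly) constant or counting up
    # is POOR; under ~7 bits on a 200-query sample is only FAIR.
    if (metrics["port_entropy_bits"] < 4 or metrics["txid_entropy_bits"] < 4
            or metrics["port_sequential"] > 0.9 or metrics["txid_sequential"] > 0.9):
        metrics["verdict"] = "POOR"
    elif metrics["port_entropy_bits"] < 7 or metrics["txid_entropy_bits"] < 7:
        metrics["verdict"] = "FAIR"
    else:
        metrics["verdict"] = "GOOD"
    return metrics


def constructed_samples(kind, n=200, seed=1):
    """Constructed query streams for three resolver behaviours (not real captures)."""
    rng = random.Random(seed)
    if kind == "fixed_port":        # unpatched style: one source port, random IDs
        return [(53, rng.randrange(65536)) for _ in range(n)]
    if kind == "sequential":        # port and ID both count up from a base
        return [(32768 + i, 4000 + i) for i in range(n)]
    if kind == "random":            # patched style: random ephemeral ports and IDs
        return [(rng.randrange(1024, 65536), rng.randrange(65536)) for _ in range(n)]
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("fixed_port", "sequential", "random"):
        print(kind, assess(constructed_samples(kind)))
```

Run it as a script to see the three verdicts; to score a real resolver, feed `assess()` the port/ID pairs from a capture of its outbound queries instead of `constructed_samples()`. Note that the only field the client truly controls is its own resolver's behaviour; a forwarding resolver inherits whatever randomness its upstream uses, which is why the web test is run from behind the resolver you actually use.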
AplusWebMaster
2009-03-03, 14:31
FYI...
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=215600307
March 2, 2009 - "IBM said a recent firmware update could cause the Seagate disk drives on more than two dozen models of its business servers to fail, leading to a situation that could cause customers to lose access to critical corporate data. In a current support bulletin*, the company said the bug affects a range of models in its BladeCenter, xSeries, and System x lines of servers. "After a power cycle, the SATA drive is no longer available and becomes unresponsive," IBM warned. "Data may become inaccessible due to the drive not responding," according to the bulletin, which lists numerous IBM server configurations at risk from the problem. IBM said customers should use the ServeRAID manager or other tools to determine their disk drive model and firmware. IBM said it plans to fix the problem in a firmware update "scheduled for first quarter 2009." The company did not offer further specifics on a release date. The update, when available, will be accessible as a download from IBM's System x support Web site... IBM said the warning applies to server products sold worldwide."
* http://preview.tinyurl.com/c8fy3l
Last modified: 2009-02-18
:fear::sad::fear:
AplusWebMaster
2009-03-09, 15:13
FYI...
Foxit Reader multiple vulns - update available
- http://secunia.com/advisories/34036/2/
Release Date: 2009-03-09
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Foxit Reader 2.x, Foxit Reader 3.x
...This vulnerability is confirmed in version 3.0.2009.1301 and reported in versions 2.3 and 3.0.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code...
Solution: Update to version 3.0 Build 1506 or version 2.3 Build 3902 * ...
Original Advisory: Foxit Software: http://www.foxitsoftware.com/pdf/reader/security.htm
Release Date: Mar. 9, 2009
Stack-based Buffer Overflow in Foxit Reader 3.0
Security Authorization Bypass in Foxit Reader 2.3 and 3.0
JBIG2 Symbol Dictionary Processing in Foxit Reader 2.3 and 3.0...
2009-03-09: Foxit released fixed version 3.0 Build 1506...
Secunia Research: http://secunia.com/secunia_research/2009-11/
CVE reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0191
* http://www.foxitsoftware.com/downloads/index.html
Last Updated: 2009-03-09
OS: Windows 2000/XP/2003/Vista
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0191
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0836
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0837
:fear:
AplusWebMaster
2009-03-11, 13:45
FYI...
- http://isc.sans.org/diary.html?storyid=6001
Last Updated: 2009-03-11 00:34:49 UTC - "...attackers used ARP spoofing to inject malicious JavaScript into content served off other web sites. The biggest problem with such attacks is that it can be very difficult to analyze them unless you remember to check layer two network traffic. Such attacks are very covert and put in danger all web sites in the same subnet...
ARP spoofing attacks happen on layer two – the Address Resolution Protocol maps IP addresses and MAC addresses, which is what is used to communicate in local subnets... The basic idea of an ARP spoofing attack is for the attacker to spoof IP address <-> MAC address pair of the default gateway. This allows him to intercept (and, if needed modify) all outgoing traffic from that subnet. The attacker can also spoof the IP address <-> MAC address pair of a local server in which case he could monitor incoming traffic, but in this scenario that was not necessary. The spoofing attack consists of the attacker sending ARP packets containing fake data to the target. In normal conditions the target machine will accept this and “believe” whatever the attacker is saying...
A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned local subnet so the outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how this is fruitful for the attacker – with one compromised server they can effectively attack hundreds of web sites...
AV detection rates were similarly poor (in the mean time they improved). Particularly nasty was the Winlogon Notify hook package which simply “sniffs” all usernames/passwords of users logging in to the system (so password changes don’t help)..."
(More detail at the ISC URL above.)
> http://en.wikipedia.org/wiki/ARP_spoofing
:fear::fear:
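The diary's point is that the attack lives entirely at layer two, so it only shows up if you look at ARP. As an added example (not code from the ISC diary or this thread), the Python below is a minimal detector of the pattern described: it keeps an IP-to-MAC table seeded with the real default gateway and raises an alert whenever an ARP reply claims a different MAC for an IP it already knows. The sample replies are constructed in a tcpdump-like text form, and the gateway binding `KNOWN_GATEWAY` is an assumption for the example.

```python
"""Flag gateway ARP spoofing from a stream of ARP replies.

Added example, not code from the ISC diary. The detector keeps an IP->MAC
table seeded with the known default gateway and raises an alert when a reply
claims a different MAC for an IP it already knows. The sample lines below are
constructed, written in a tcpdump-like text form, and are not a real capture.
"""
import re

# Constructed sample (not real traffic). Line 4 is the attack: the host that
# owns aa:bb:cc:dd:ee:01 starts answering for the gateway's IP address.
SAMPLE_ARP_REPLIES = [
    "10:00:01 ARP reply 192.168.1.1 is-at 00:11:22:33:44:55",
    "10:00:02 ARP reply 192.168.1.10 is-at aa:bb:cc:dd:ee:01",
    "10:00:03 ARP reply 192.168.1.1 is-at 00:11:22:33:44:55",
    "10:00:04 ARP reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01",
    "10:00:05 ARP reply 192.168.1.20 is-at aa:bb:cc:dd:ee:02",
    "10:00:06 ARP reply 192.168.1.20 is-at aa:bb:cc:dd:ee:02",
    "10:00:07 ARP reply 192.168.1.20 is-at aa:bb:cc:dd:ee:03",
    "10:00:08 something that is not an ARP reply",
]

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s+ARP reply\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*$", re.IGNORECASE)

# Assumed for the example: the real gateway binding, configured statically
# rather than learned, so an attacker cannot win simply by answering first.
KNOWN_GATEWAY = {"192.168.1.1": "00:11:22:33:44:55"}


def parse_arp_reply(line):
    """Return (timestamp, ip, mac) for an ARP reply line, or None for anything else."""
    m = ARP_REPLY_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_spoofing(lines, trusted=None):
    """Return a list of alerts; each records the conflicting MAC seen for an IP."""
    table = dict(trusted or KNOWN_GATEWAY)   # IP -> MAC believed to be correct
    pinned = set(table)                      # IPs whose binding must never change
    alerts = []
    for line in lines:
        parsed = parse_arp_reply(line)
        if parsed is None:
            continue                         # not an ARP reply; ignore
        ts, ip, mac = parsed
        expected = table.get(ip)
        if expected is None:
            table[ip] = mac                  # first sighting: learn it (trust on first use)
        elif expected != mac:
            alerts.append({"ts": ts, "ip": ip, "expected_mac": expected,
                           "seen_mac": mac, "gateway": ip in pinned})
            # A pinned binding is kept; a learned one follows the change so a
            # legitimate DHCP reassignment produces one alert, not a flood.
            if ip not in pinned:
                table[ip] = mac
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

The learned bindings are trust-on-first-use, which is why the gateway is pinned statically: the diary's scenario is exactly a host on the subnet answering for the gateway, and a detector that learns the gateway from the first reply it sees can be taught the wrong answer. Static ARP entries for the gateway on the web servers themselves, or dynamic ARP inspection on managed switches, are the corresponding preventive controls.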
AplusWebMaster
2009-03-16, 22:24
FYI...
- http://isc.sans.org/diary.html?storyid=6025
Last Updated: 2009-03-16 19:49:12 UTC - "...new version of rogue DHCP server malware... The malware appears to be similar to Trojan.Flush.M which was found last December. Like back then, after infecting its target, the malware installs a rogue DHCP server. The main goal of the DHCP server is to spread a bad DNS server IP address... summary of the differences:
• The new version sets the DHCP lease time to 1 hour.
• It sets the MAC destination to the broadcast address, rather than the MAC address of the DHCP client.
• It does not specify a DNS Domain Name.
• The options field does not contain an END option followed by PAD options.
• Unlike Trojan.Flush.M, the BootP Broadcast Bit is set.
The malicious DNS server is 64.86.133.51 and 63.243.173.162.
Recommendation: Monitor connections to DNS servers other than the approved one pushed out by your DHCP server. This should help you spot this kind of malware. Yes, you can block the two IP addresses listed above, but it will likely do little good."
:fear::fear:
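The diary's list of differences is a fingerprint of the rogue server on the wire: DNS servers outside the approved set, a one-hour lease, no domain name, the BootP broadcast bit set, and an options field with no END option. As an added example (not code from the ISC diary or this thread), the Python below parses a DHCP reply in its RFC 2131 wire format and reports which of those traits it shows. It tolerates the malformed options field the diary describes (no END option, or an option that runs past the buffer). Both packets are constructed in the code: the "rogue" one mirrors the diary's description, including the two DNS server addresses it lists, and the approved resolver address `APPROVED_DNS` is an assumption.

```python
"""Inspect a DHCP reply for the rogue-server traits listed in the ISC diary.

Added example, not the diary's code. It parses the BOOTP/DHCP wire format
(RFC 2131 fixed header, magic cookie, then TLV options) and reports the
traits that distinguish the rogue server: DNS servers outside the approved
set, a short lease, no domain name, the BOOTP broadcast flag, and an options
field with no END option. Both packets below are constructed here; the
approved DNS server address is an assumption for the example.
"""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BROADCAST_FLAG = 0x8000            # RFC 2131 'flags' field, bit 15
OPT_PAD, OPT_DNS, OPT_DOMAIN, OPT_LEASE, OPT_MSGTYPE, OPT_END = 0, 6, 15, 51, 53, 255
DHCPOFFER = 2
APPROVED_DNS = {"192.168.1.1"}     # assumption: the site's legitimate resolver


def parse_options(buf):
    """Parse DHCP TLV options; tolerate a missing END and a truncated tail."""
    opts, has_end, i = {}, False, 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            has_end = True
            break
        if i + 1 >= len(buf):
            break                                  # code without a length byte
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) < length:
            break                                  # option runs past the buffer
        opts[code] = opts.get(code, b"") + value   # repeated codes concatenate (RFC 3396)
        i += 2 + length
    return opts, has_end


def inspect_dhcp(packet, approved_dns):
    """Return the parsed fields plus a list of rogue-server indicators."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    flags = struct.unpack("!H", packet[10:12])[0]
    opts, has_end = parse_options(packet[240:])
    dns_blob = opts.get(OPT_DNS, b"")
    dns = [socket.inet_ntoa(dns_blob[k:k + 4]) for k in range(0, len(dns_blob) - 3, 4)]
    lease = struct.unpack("!I", opts[OPT_LEASE])[0] if len(opts.get(OPT_LEASE, b"")) == 4 else None
    domain = opts.get(OPT_DOMAIN, b"").rstrip(b"\x00").decode("ascii", "replace") or None
    result = {"dns_servers": dns, "lease_seconds": lease, "domain": domain,
              "broadcast_flag": bool(flags & BROADCAST_FLAG), "has_end_option": has_end,
              "rogue_dns": [ip for ip in dns if ip not in approved_dns], "indicators": []}
    ind = result["indicators"]
    if result["rogue_dns"]:
        ind.append("DNS server not in approved set: " + ", ".join(result["rogue_dns"]))
    if lease is not None and lease <= 3600:        # assumed threshold: one hour or less
        ind.append("short lease (%d s)" % lease)
    if domain is None:
        ind.append("no DNS domain name option")
    if result["broadcast_flag"]:
        ind.append("BOOTP broadcast flag set")
    if not has_end:
        ind.append("options field has no END option")
    return result


def encode_options(items):
    """Encode (code, value) pairs as DHCP TLV options."""
    return b"".join(bytes([code, len(value)]) + value for code, value in items)


def build_reply(msg_type, flags, options):
    """Minimal BOOTREPLY: 236-byte fixed header, cookie, message type, then options."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6           # op=BOOTREPLY, htype=Ethernet, hlen=6
    hdr[10:12] = struct.pack("!H", flags)
    return bytes(hdr) + MAGIC_COOKIE + encode_options([(OPT_MSGTYPE, bytes([msg_type]))]) + options


def constructed_legit_offer():
    """Constructed legitimate OFFER: day-long lease, approved DNS, domain, END + PAD."""
    return build_reply(DHCPOFFER, 0, encode_options([
        (OPT_LEASE, struct.pack("!I", 86400)),
        (OPT_DNS, socket.inet_aton("192.168.1.1")),
        (OPT_DOMAIN, b"corp.example"),
    ]) + bytes([OPT_END, OPT_PAD, OPT_PAD]))


def constructed_rogue_offer():
    """Constructed OFFER mirroring the diary: 1-hour lease, the two listed DNS
    servers, no domain name, broadcast bit set, and no END option."""
    return build_reply(DHCPOFFER, BROADCAST_FLAG, encode_options([
        (OPT_LEASE, struct.pack("!I", 3600)),
        (OPT_DNS, socket.inet_aton("64.86.133.51") + socket.inet_aton("63.243.173.162")),
    ]))


if __name__ == "__main__":
    for name, pkt in (("legit", constructed_legit_offer()), ("rogue", constructed_rogue_offer())):
        print(name, inspect_dhcp(pkt, APPROVED_DNS))
```

In practice the packet bytes would come from a capture of UDP/67 traffic on the subnet; feeding each reply to `inspect_dhcp()` with the site's real resolver set implements the diary's recommendation of watching for DNS servers other than the approved one, and the remaining indicators give a second opinion when the addresses have changed since the diary was written.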
AplusWebMaster
2009-03-18, 20:31
FYI...
- http://www.us-cert.gov/current/index.html#autonomy_keyview_sdk_vulnerability
March 18, 2009 - "US-CERT is aware of reports of a vulnerability that affects the Autonomy KeyView SDK wp6sr.dll library. This library is used by certain products, including Lotus Notes and Symantec, to support the handling of Word Perfect documents. By convincing a user to open a specially crafted Word Perfect document with an application using the affected Autonomy KeyView SDK library, a remote attacker may be able to execute arbitrary code...
• IBM Lotus Notes users should review the IBM Flash Alert and implement the listed fixes or workarounds.
http://www-01.ibm.com/support/docview.wss?uid=swg21377573
• Symantec users should review Symantec Security Advisory SYM09-004 and implement the listed fixes or workarounds.
http://www.symantec.com/avcenter/security/Content/2009.03.17a.html
• Registered Autonomy Users should review the related Autonomy alert (login required).
https://customers.autonomy.com/support/secure/docs/Updates/Keyview/Filter%20SDK/10.4/kv_update_nti40_10.4.zip.readme.html ..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4564
Last revised: 03/20/2009
CVSS v2 Base Score: 9.3 (HIGH)
:fear:
AplusWebMaster
2009-03-20, 12:06
FYI...
Thunderbird v2.0.0.21 released
- http://www.mozillamessaging.com/en-US/thunderbird/
March 18, 2009
Fixed in Thunderbird 2.0.0.21
- http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html#thunderbird2.0.0.21
MFSA 2009-10 Upgrade PNG library to fix memory safety hazards
MFSA 2009-09 XML data theft via RDFXMLDataSource and cross-domain redirect
MFSA 2009-07 Crashes with evidence of memory corruption (rv:1.9.0.7)
MFSA 2009-01 Crashes with evidence of memory corruption (rv:1.9.0.6)
- http://secunia.com/advisories/33802/2/
Last Update: 2009-03-20
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch ...
Solution: Update to version 2.0.0.21...
CVE reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0352
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0353
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0772
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0774
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0776
:fear:
AplusWebMaster
2009-03-26, 00:31
FYI...
IBM Access Support ActiveX control stack buffer overflow
- http://www.kb.cert.org/vuls/id/340420
Date Last Updated: 2009-03-25 - "... IBM Access Support ActiveX control, which is provided by IbmEgath.dll, contains a stack buffer overflow in the GetXMLValue() method. We have confirmed that version 3.20.284.0 is vulnerable. Other versions may also contain the flaw.
... Impact: By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash.
... Solution: We are currently unaware of a practical solution to this problem. Please consider the following workarounds: Disable the IBM Access Support ActiveX control in Internet Explorer
The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: {74FFE28D-2378-11D5-990C-006094235084} ..."
- http://secunia.com/advisories/34470/2/
Critical: Highly critical
Solution Status: Unpatched...
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0215
Last revised: 03/25/2009
CVSS v2 Base Score:9.3 (HIGH)...
:fear:
AplusWebMaster
2009-04-04, 02:36
FYI...
- http://isc.sans.org/diary.html?storyid=6121
Last Updated: 2009-04-03 21:35:44 UTC - "We've been keeping an eye on the issues affecting the domain servers of Register.com. Several readers have written to us with concerns over the lack of availability of Register.com's servers, which seem to have been under a DDoS attack. There are also reports that DNS provider NeuStar (UltraDNS) may be under DDoS, too. We don't have any information at the moment about these incidents, beyond what is reported in the following articles:
- http://www.theinquirer.net/inquirer/news/638/1051638/register-com-suffers-dos-attack
- http://www.scmagazineus.com/DDoS-attacks-hit-major-web-services/article/130060/
Register.com issues are causing lots of issues across the web. One reader told us, "We are struggling to keep our websites available. DNS is the problem. We are being told by Register.com that the April 1 issues are affecting them. It sounds like they are being DOS'd and are filtering certain ISPs from querying them." Another reader said, "Register.com's DNS servers have gone offline for the second time in 24 hours. They were down yesterday from about 15:45 - 18:45 and just went down again today at about 14:30 (all times EST)..."
- http://isc.sans.org/diary.html?storyid=6121
Last Updated: 2009-04-04 02:53:13 UTC ...(Version: 2)
"Update: ... We are using all available means to restore services to every one of our customers and halt this criminal attack on our business and our customers’ business. We are working round the clock to make that happen. We are committed to updating you in as timely a manner as possible; please check your inbox or our website for additional updates.
Thank you for your patience.
Larry Kutscher
Chief Executive Officer
Register.com"
:fear::fear:
AplusWebMaster
2009-04-10, 16:28
FYI...
- http://blog.wired.com/27bstroke6/2009/04/cable-sabotage.html
April 09, 2009 | 3:58:39 PM - "Deliberate sabotage is being blamed for a sizable internet and telephone service outage Thursday in Silicon Valley. At 1:30 a.m., someone opened a manhole cover on a railroad right-of-way in San Jose, climbed down and cut four AT&T fiber optic cables. A second AT&T cable, and a Sprint cable, were cut in the same manner two hours later, farther north in San Carlos. Service for Sprint, Verizon and AT&T customers in the southern San Francisco Bay Area has been lost, according to the San Francisco Chronicle*. Police departments have put more units on the street, because nobody can call 9-1-1. A much smaller Comcast outage affecting around 4,500 customers in San Jose began at around 1:00 p.m. Pacific time. Spokesman Andrew Johnson says the company is investigating the cause.
Update: AT&T is offering a $100,000 reward** for information leading to the arrest and conviction of the vandal."
* http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/04/09/BAP816VTE6.DTL&tsp=1
April 10, 2009 - "... Ten fiber-optic cables... were cut at four locations in the predawn darkness..."
AT&T Offering $100,000 Reward in Bay Area Network Vandalism
** http://www.att.com/gen/press-room?pid=4800&cdvn=news&newsarticleid=26715
April 9, 2009
:mad::mad::mad:
AplusWebMaster
2009-05-11, 22:36
FYI... http://isc.sans.org/diary.html?storyid=6373
- http://technet.microsoft.com/sysinternals/bb963902.aspx
Autoruns v9.5: This update to Autoruns, a powerful autostart manager, adds display of audio and video codecs, which are gaining popularity as an extension mechanism used by malware to gain automatic execution.
- http://technet.microsoft.com/sysinternals/bb897544.aspx
PsLoglist v2.7: This version of PsLoglist, a command-line event log display utility, now properly displays event log entries for default event log sources on Windows Vista and higher and accepts wildcard matching for event sources.
- http://technet.microsoft.com/sysinternals/bb897553.aspx
PsExec v1.95: This version of PsExec, a utility for executing applications remotely, fixes an issue that prevented the -i (interactive) switch from working on Windows XP systems with a recent hotfix and includes a number of minor bug fixes.
May 08, 2009
:bigthumb:
AplusWebMaster
2009-05-14, 23:48
FYI...
- http://googleblog.blogspot.com/2009/05/this-is-your-pilot-speaking-now-about.html
5/14/2009 - "... An error in one of our systems caused us to direct some of our web traffic through Asia, which created a traffic jam. As a result, about 14% of our users experienced slow services or even interruptions. We've been working hard to make our services ultrafast and "always on," so it's especially embarrassing when a glitch like this one happens. We're very sorry that it happened, and you can be sure that we'll be working even harder to make sure that a similar problem won't happen again..."
- http://isc.sans.org/diary.html?storyid=6388
Last Updated: 2009-05-14 22:36:04 UTC ...(Version: -13-)
- http://asert.arbornetworks.com/2009/05/the-great-googlelapse/
May 14th, 2009 at 4:36 pm
:fear::spider::confused:
AplusWebMaster
2009-05-15, 14:48
FYI...
- http://preview.tinyurl.com/rbxxwa
May 14, 2009 PC World - "A new round of website hijacks is attempting to install malicious, Google-focused software on unpatched PCs, according to security company ScanSafe, further cementing the drive-by-download approach as a bad-guy tactic of choice. The attack, dubbed "Gumblar" by ScanSafe*, starts by hijacking legitimate sites and inserting attack code. The more than 1,500 hacked sites, including Tennis.com and Variety.com, don't represent an especially huge number, but it's growing rapidly. Since last week, the attack has grown by 80 percent, according to the company, and has spiked 188 percent since yesterday.
The inserted attack code attempts to identify old, unpatched vulnerabilities on a victim PC that browses a hacked site, and will take advantage of any discovered hole to install malware. These kinds of drive-by-download attacks are sneaky and dangerous, but the good news is that while the actual exploits used vary as time passes, the company says none have yet gone after zero-day holes that don't yet have a fix available. The attack code has largely gone after PDF and Flash flaws discovered in the last year..."
* http://blog.scansafe.com/journal/2009/5/14/gumblar-qa.html
- http://www.theregister.co.uk/2009/05/14/viral_web_infection/
14 May 2009 - "... The exploit code is unique for every website, making it impossible to identify a compromised site until someone has accidentally surfed there. It uses obfuscated Javascript that's burrowed deep into a website's source code to exploit unpatched vulnerabilities in a visitor's Adobe Flash and Reader programs. Victims then join a botnet that manipulates their Google search results... By injecting ads and links into certain searches, infected users see results that are different than they would otherwise be..."
- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=217500218
May 14, 2009 - "... difficult to find and bring down... its source IP addresses have been traced to Latvia and Russia, and its servers are located in the U.K..."
Gumblar .cn exploit
- http://preview.tinyurl.com/r5cplm
07 May 09 (Unmask Parasites blog)
More Facts about the Gumblar attack
- http://preview.tinyurl.com/qg5c8d
15 May 09 (Unmask Parasites blog)
Troj/JSRedir-R attacks
- http://www.sophos.com/blogs/sophoslabs/v/post/4422
May 14, 2009
• http://google.com/safebrowsing/diagnostic?site=gumblar.cn/
"... Malicious software includes 24 scripting exploit(s), 6 trojan(s)... site has hosted malicious software over the past 90 days. It infected 12799 domain(s)..."
:fear::mad:
AplusWebMaster
2009-05-15, 15:33
FYI...
- http://www.cpsc.gov/cpscpub/prerel/prhtml09/09221.html
May 14, 2009 - "... recall of the following consumer product. Consumers should stop using recalled products immediately unless otherwise instructed.
Name of Product: Lithium-Ion batteries used in Hewlett-Packard and Compaq notebook computers
Units: About 70,000
Importer: Hewlett-Packard Co., of Palo Alto, Calif.
Hazard: The recalled lithium-ion batteries can overheat, posing a fire and burn hazard to consumers..."
(HP Pavilion, Compaq Presario, HP, HP Compaq - see link above for specific models)
- http://www.theinquirer.net/inquirer/news/1137353/hp-recalls-lithium-ion-batteries
15 May 2009 - "... Hewlett-Packard is voluntarily recalling about 70,000 lithium-ion batteries that shipped with several models of its HP and Compaq laptops. Nine models of HP Pavilions, nine models of Compaq Presarios, two HP laptop models, and one HP Compaq laptop model sold between August 2007 and March 2008 all shipped with the dodgy battery... HP said that owners of the affected laptop models should pull the battery out of the machine and give it a ring* so it can ship a free replacement."
* http://bpr.hpordercenter.com/hbpr/M14.aspx
:fear::fear:
AplusWebMaster
2009-05-18, 22:52
More...
- http://isc.sans.org/diary.html?storyid=6403
Last Updated: 2009-05-18 17:54:18 UTC - "... Gumblar/JSRedir-R drive-bys. Although this malware has been around for a while, several A/V vendors and some relatively mainstream news outlets have recently reported a large increase in websites injected with JSRedir-R/Gumblar. According to Sophos* this malware accounted for approximately 42% of all infected websites detected in the last week, nearly 6 times its closest rival. Although the infection method is not clear, given the variety of servers and platforms, it is most likely weak login credentials..."
* http://www.sophos.com/blogs/gc/g/2009/05/14/malicious-jsredir-javascript-biggest-malware-threat-web
May 14, 2009
> http://forums.spybot.info/showpost.php?p=312220&postcount=82
AplusWebMaster
2009-05-19, 19:45
FYI...
- http://preview.tinyurl.com/qlr9ba
05-19-2009 Symantec Security Response Blog - "The malicious code Whac-a-Mole game continues. Just as security vendors start detecting the domains and malware associated with the drive-by download attacks coming from the malicious Gumblar domains, the bad guys are changing the game and popping up from Martuz dot cn, which, according to Who.is, is located in the UK with a 95.129.x.x IP Address. The JavaScript appearing on the websites has also become more obfuscated, making the attacks slightly harder for IT managers and Web administrators to detect. The attackers are easily able to change the obfuscation by substituting portions of the domain name with variables instead of spelling out the domain all at once. The updated malicious JavaScript also performs a test to deliver a different payload for users of Google Chrome browsers, since Chrome has a blacklist of suspicious and malicious domains. The drive-by download tries to exploit a number of underlying vulnerabilities, including some for Adobe Acrobat and Adobe Flash. Users should make sure that their systems are running the latest versions of these and other third-party applications to help mitigate the risk of being compromised.
So how is it that so many websites are compromised at one time? Often it is due to SQL injection errors or direct hacking into the back end of the hosting companies, but it appears that this recent problem may be more about compromised FTP passwords that belonged to the people that administer the websites. In any case, it means the bad guys are able to continually change the malicious code until the admin changes the FTP passwords and blocks the trespassing... We expect the domains and malicious JavaScript appearing on the websites to continually change as one mole is whacked, and another pops up..."
- http://isc.sans.org/diary.html?storyid=6403
Last Updated: 2009-05-19 13:02:01 UTC - "... the dropbox for this trojan, gumblar .cn has been offline since last friday, but a successor has come online, martuz .cn..."
- http://blog.scansafe.com/journal/2009/5/19/gumblar-up-another-7-martuzcn-is-down.html
May 19, 2009
- http://blog.scansafe.com/journal/2009/5/18/japans-geno-gumblar.html
- http://blog.scansafe.com/journal/2009/5/18/gumblar-a-botnet-of-compromised-websites.html
- http://www.us-cert.gov/current/index.html#gumblar_malware_attack_circulating
May 18, 2009
:fear::fear:
AplusWebMaster
2009-05-22, 19:40
FYI...
Gumblar/Martuz/Geno attack
- http://isc.sans.org/diary.html?storyid=6430
Last Updated: 2009-05-21 19:29:48 UTC - "... client side analysis* and writeup of recent gumblar malware attacks..."
* http://preview.tinyurl.com/pc26gr
May 21, 2009 InfoSec from the trenches - "... Once compromised by the Gumblar/Martuz/Geno, victims will have many pieces of malware loaded onto their machines; this malware does the following:
• Steals FTP credentials
• Sends SPAM
• Installs fake anti virus
• Hijacks Google search queries
• Disables security software
The exploits used are for Adobe Acrobat and Adobe Flash Player...
...this is a very large attack encompassing many malicious payloads..."
// http://forums.spybot.info/showpost.php?p=312220&postcount=82
AplusWebMaster
2009-06-05, 08:52
FYI...
- http://www.theregister.co.uk/2009/06/04/3fn_shut_down/
4 June 2009 - "Federal authorities have shut down what they said was the worst US-based web hosting provider after convincing a judge it actively participated in the distribution of child pornography, spam, malware, and other net-based menaces. The US Federal Trade Commission obtained the court order against 3FN.net, a service provider with servers mostly located in San Jose, California that also operated under the name Pricewert. Dated June 2, it commanded all companies providing upstream services to 3FN to immediately pull the plug. The order was issued in secret to prevent the operators from being able to destroy evidence or find new hosts, something FTC attorneys said was necessary given the extreme nature of the data it hosted. "This content includes a witches' brew of child pornography, botnet command and control servers, spyware, viruses, trojans, phishing-related sites, and pornography featuring violence, bestiality, and incest," they wrote in court documents. "In addition to recruiting and willingly distributing this illegal, malicious and harmful content, Pricewert actively colludes with its criminal clientele in several areas, including the maintenance and deployment of networks of compromised computers known as botnets." This week's action is the most significant shutdown since the shuttering in November of McColo, another Northern California-based service provider with ties to online crime... One of the biggest complaints among white hat hackers is the difficulty of shutting down networks that flagrantly violate the law. This week's action is the first time the FTC has used its congressional mandate to protect US consumers to sever a service provider suspected of illegal activity... Court documents are available here*."
* http://www.ftc.gov/os/caselist/0923148/index.shtm
- http://news.cnet.com/8301-1009_3-10257588-83.html
June 4, 2009 - "... In its filings with the district court, the FTC estimates that more than 4,500 malicious software programs are controlled by command-and-control servers hosted by 3FN. This malware includes programs capable of keystroke logging, password and data stealing, programs with hidden backdoor remote control activity, and programs involved in spam distribution. This case was brought to light with the assistance of multiple agencies and people including NASA's Office of Inspector General; the Department of Justice's Computer Crime Division; Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham; the National Center for Missing and Exploited Children; the Shadowserver Foundation; the Spamhaus Project; and Symantec..."
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=217701956
June 4, 2009 - "... The only entity named in the case is Pricewert. Ethan Arenson, an attorney with the FTC's Bureau of Consumer Protection, said that the individuals behind the company are overseas in Eastern Europe. He declined to comment on a possible extradition effort or coordination with authorities abroad. Whether the individuals doing business as Pricewert will face charges remains an open question. Pricewert is essentially an Oregon shell corporation with some servers in San Jose..."
- http://voices.washingtonpost.com/securityfix/pushdo.htm
- http://asert.arbornetworks.com/2009/06/things-in-3fn/
:bigthumb:
AplusWebMaster
2009-06-10, 20:15
FYI...
- http://blog.trendmicro.com/beware-of-repackaged-hijackthis-downloads/
June 9, 2009 - "HijackThis™ is one of the well-known free utilities of Trend Micro that quickly scans a user’s Windows computer to find settings that may have been changed by spyware, malware, or other unwanted programs. By itself, it does not determine what is good or bad but it lists registry keys and file system locations of the scanned system where unwanted programs potentially could reside. Only experienced users and IT experts with outstanding practice in HijackThis could use the initial text information without the community help. Almost all users of this tool rely on the online evaluation and analysis of the report, provided by several HijackThis communities. A list of some of these communities can be found here*. Edgardo Diaz, Jr., Escalation Engineer in TrendLabs, found a certain executable program (Loaris Trojan Remover) that contained the HijackThis program repackaged using Delphi-based packager InnoSetup. Upon extraction, the user interface (UI) gives the user the option of running HijackThis from an external source. The application really does install HijackThis on the user’s computer. Unlike the real version, however, Loaris’ repackaged version sells its own antivirus solution using HijackThis as a come-on. Users who are really interested in using HijackThis may thus be tricked into buying the antivirus by accepting the end-user license agreement (EULA - see Screenshot at the Trendmicro URL above) that comes with the installer.
>>> Beware, Trend Micro does NOT sell nor intend to sell HijackThis. Trend Micro supports its communities by providing information and updates to registry keys, validity of system or BHO (browser helper object) files. Details and free downloads are available at TrendSecure web site**.
** http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
This is not the first, not the only and not the last software used in illicit schemes. Users are strongly advised to download software only from the official vendor sites or highly trusted communities."
* http://hjt-data.trendmicro.com/hjt/analyzethis/index.php
:mad:
AplusWebMaster
2009-06-18, 15:36
FYI...
Apple iPhone / iPod touch multiple vulns - update available
- http://secunia.com/advisories/35449/2/
Release Date: 2009-06-18
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Apple iPhone, Apple iPod touch
Original Advisory: Apple: http://support.apple.com/kb/HT3639 ...
iPhone OS 3.0 Software Update
> http://www.apple.com/iphone/softwareupdate/
:fear:
AplusWebMaster
2009-06-18, 15:37
FYI...
IrfanView vuln - update available
- http://secunia.com/advisories/35359/2/
Release Date: 2009-06-18
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: IrfanView 4.x ...
Solution: Update to version 4.25.
http://irfanview.com/main_download_engl.htm ...
Also: The current PlugIns version is: 4.25
- http://www.software.com/irfanview-plugin
- http://www.irfanview.net/main_history.htm
Release date: 2009-06-16
:fear::spider:
AplusWebMaster
2009-06-23, 01:59
FYI...
- http://isc.sans.org/diary.html?storyid=6619
Published: 2009-06-21 - "...Upon further investigation it appears that her server had been compromised by exploitation of the vulnerability detailed in PMASA-2009-4**. The attacker uploaded a lot of the same old types of tools such as a misnamed EnergyMech IRC bot, a perl based UDP flooding tool, and an automated tool to attempt phpMyAdmin. It is now past time to update to phpMyAdmin 3.1.3.2* (or higher) and/or update firewall rules to limit the public Internet from touching this web application...
06/22/2009 22:30 UTC - ...more reports locally about activity which seems to point to phpMyAdmin scanning and exploitation..."
* http://www.phpmyadmin.net/home_page/index.php
phpMyAdmin 3.2.0
File Release Notes and Changelog
- http://sourceforge.net/project/shownotes.php?release_id=690019
Last Update: Jun 15 2009
** http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php
:fear:
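The ISC diary above talks about "phpMyAdmin scanning and exploitation" and an automated tool that "attempts phpMyAdmin", which is exactly the kind of activity a web server's access log records. As an added example (not code from the ISC diary, the poster, or the phpMyAdmin project), here is a small Python triage script that walks Apache combined-format log lines, groups phpMyAdmin-related requests by source address, and flags a source that probes several path variants (the signature of a scanner walking a wordlist) or touches the setup script. The log lines are constructed for this example, the addresses come from the documentation ranges, and the `/scripts/setup.php` path is an assumption about where the setup script lived in phpMyAdmin 2.x/3.x, since the diary does not name it.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log sample for this example (not real traffic).
# 203.0.113.7 behaves like a scanner: several path variants, mostly 404s,
# then a POST to the setup script. 198.51.100.5 is a single legitimate visit.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jun/2009:21:58:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 211 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Jun/2009:21:58:01 +0000] "GET /pma/ HTTP/1.1" 404 207 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Jun/2009:21:58:02 +0000] "GET /phpMyAdmin/ HTTP/1.1" 200 1520 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Jun/2009:21:58:02 +0000] "POST /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 98 "-" "Mozilla/4.0"
198.51.100.5 - - [22/Jun/2009:22:03:10 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.5 - - [22/Jun/2009:22:03:12 +0000] "GET /phpMyAdmin/ HTTP/1.1" 200 1520 "http://example.org/" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD path protocol", status, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Path fragments scanners commonly try when hunting for phpMyAdmin installs.
PMA_RE = re.compile(r'(?i)(phpmyadmin|/pma/|myadmin|mysqladmin)')
# Assumed location of the setup script in phpMyAdmin 2.x/3.x (see lead-in).
SETUP_RE = re.compile(r'(?i)/scripts/setup\.php')


def parse_line(line):
    """Return the fields we need from one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}


def find_pma_scanners(log_text, min_variants=3):
    """Group phpMyAdmin-related requests per source IP and return the suspicious ones.

    A source is reported when it probes at least `min_variants` distinct paths
    (case differences count: scanners try them deliberately) or when it hits
    the setup script at all.
    """
    per_ip = defaultdict(lambda: {"paths": set(), "not_found": 0, "setup_hits": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not PMA_RE.search(rec["path"]):
            continue
        stats = per_ip[rec["ip"]]
        stats["paths"].add(rec["path"])
        if rec["status"] == 404:
            stats["not_found"] += 1
        if SETUP_RE.search(rec["path"]):
            stats["setup_hits"].append((rec["method"], rec["status"]))

    findings = []
    for ip in sorted(per_ip):
        stats = per_ip[ip]
        reasons = []
        if len(stats["paths"]) >= min_variants:
            reasons.append(
                f"probed {len(stats['paths'])} phpMyAdmin path variants "
                f"({stats['not_found']} returned 404)"
            )
        if stats["setup_hits"]:
            hits = ", ".join(f"{m} -> {s}" for m, s in stats["setup_hits"])
            reasons.append(f"requested the setup script: {hits}")
        if reasons:
            findings.append({"ip": ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_pma_scanners(SAMPLE_LOG):
        print(f["ip"])
        for r in f["reasons"]:
            print("  -", r)
```

The 404 count matters: a scanner walking a list of install paths leaves a trail of misses before the one hit, while a legitimate admin goes straight to the real path. Any source this reports is a candidate for a firewall rule, which is the other half of the diary's advice.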
AplusWebMaster
2009-06-23, 15:01
FYI...
Foxit Reader vuln - update available
- http://secunia.com/advisories/35512/2/
Release Date: 2009-06-22
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Foxit Reader JPEG2000/JBIG Decoder Add-On 2.x
Solution: Update to version 2.0 Build 2009.616.
http://www.foxitsoftware.com/downloads/addons/jpg_decoder2.0.20096.html
Original Advisory: US-CERT VU#251793:
http://www.kb.cert.org/vuls/id/251793
"...This issue is addressed in Foxit Reader 3.0 Build 1817 ..."
Foxit Software:
http://www.foxitsoftware.com/pdf/reader/security.htm#0602
- http://www.foxitsoftware.com/downloads/
Foxit Reader 3.0 Build 1817(exe) 3.57MB 06/19/09
JPEG2000/JBIG Decoder 2.0 Build 2009.616(fzip) 169KB 06/19/09
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0690
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0691
-OR-
From an Admin account >Start Foxit Reader >Help >Check for Updates (select/add) ...Build 1817 ...Install
:fear:
AplusWebMaster
2009-06-24, 07:11
FYI...
Thunderbird v2.0.0.22 released
- http://www.mozillamessaging.com/thunderbird/
June 22, 2009
- http://secunia.com/advisories/35440/2/
Last Update: 2009-06-23
Critical: Highly critical
Impact: Security Bypass, Spoofing, DoS, System access
Where: From remote...
Solution: Update to version 2.0.0.22, which fixes some of the vulnerabilities...
- http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html#thunderbird2.0.0.22
Fixed in Thunderbird 2.0.0.22
MFSA 2009-33 Crash viewing multipart/alternative message with text/enhanced part
MFSA 2009-32 JavaScript chrome privilege escalation
MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null
MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests
MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)
MFSA 2009-17 Same-origin violations when Adobe Flash loaded via view-source: scheme
MFSA 2009-14 Crashes with evidence of memory corruption (rv:1.9.0.9)
:fear:
AplusWebMaster
2009-07-06, 20:06
FYI...
Koobface worm infections exploding
- http://www.threatpost.com/blogs/koobface-worm-infections-exploding
July 6, 2009 - "In June, we saw an explosive rise in the number of Koobface modifications - the number of variants we detected jumped from 324 at the end of May to nearly 1000 by the end of June. And this weekend brought another flood, bringing us up to 1049 at the time of writing... Koobface spreads via major social networking sites like Facebook and MySpace. It's now spreading via Twitter as well... the pool of potential victims is growing day by day - just take a look at the Alexa stats* for Facebook. So naturally, cybercriminals are going to be targeting these sites more and more often."
* http://www.alexa.com/siteinfo/facebook.com
"... Percent of global Internet users who visit facebook.com:
... 7 day avg: 20.01% ..."
:fear::mad::fear:
AplusWebMaster
2009-07-11, 11:49
FYI...
Imageshack - pwned
- http://isc.sans.org/diary.html?storyid=6769
Last Updated: 2009-07-11 03:43:37 UTC - "... Imageshack was attacked by the anti-sec group. This seems to be affecting other sites that draw images from imageshack such as user pages on blogger.com. Details were posted on Full Disclosure by anti-sec*. The "session" they display reminds us of the log file they made public following their attack on SSANZ** last weekend..."
* http://seclists.org/fulldisclosure/2009/Jul/0095.html
11 Jul 2009 05:15:36 +0300
** http://seclists.org/fulldisclosure/2009/Jul/0028.html
04 Jul 2009
:fear::mad:
AplusWebMaster
2009-08-29, 16:22
FYI...
- http://countermeasures.trendmicro.eu/apache-ssh-key-compromised/
Aug. 28, 2009 - "... Details of the attack/compromise are few at the moment, as this is breaking news. It is worth remembering however that a compromised SSH key led to in-the-wild exploitation of Linux based systems exactly this time last year, for the purposes of installing rootkits. Keep your eye on how this story develops. Apache servers account for around 50% of all web servers in the July 2009 web server survey*."
* http://news.netcraft.com/archives/2009/07/28/july_2009_web_server_survey.html
- https://blogs.apache.org/infra/entry/apache_org_downtime_initial_report
Aug 28, 2009
> http://isc.sans.org/diary.html?storyid=7030
Last Updated: 2009-08-28 14:32:28 UTC ...(Version: 2) - "... compromised due to an SSH key being exposed. The SSH key was used by an account to perform backups. No vulnerabilities in apache or ssh software were used in this attack. When the incident was identified apache cut access to all of their services as a containment measure. Their web sites are now back online..."
> https://blogs.apache.org/infra/entry/apache_org_downtime_report
Sep 02, 2009
:fear::spider::fear:
AplusWebMaster
2009-09-03, 14:00
FYI...
Foxit Reader v3.1.1.0901 released
- http://www.foxitsoftware.com/pdf/reader/bugfix.htm
Fixed in Foxit Reader 3.1.1.0901
1. The reported issue of Foxit Reader 3.1.0.0824 crashing when users are viewing certain PDF files has been updated and is no longer a problem.
2. Fixed an issue where Foxit Reader may not be launched in the system without installing Microsoft Visual C++ 2005 Redistributable.
- http://www.foxitsoftware.com/downloads/index.php
Foxit Reader 3.1.1.0901(exe) - 5.05 MB - 09/03/09
-OR-
From an Admin account >Start Foxit Reader >Help >Check for Updates (select/add) ...FoxIt Reader 3.1.1.0901 Upgrade ...Install
:fear:
AplusWebMaster
2009-09-07, 16:08
FYI...
- http://news.cnet.com/8301-1009_3-10345900-83.html
September 5, 2009 - "A worm is circulating that can post malware and spam to some WordPress blogs using outdated versions of the blogging software... The vulnerability allowing the attack was discovered August 11, at which point WordPress encouraged users to upgrade to version 2.8.4... The worm does not affect the current version 2.8.4 and the one prior to it. And it only affects people who host their own WordPress blog. Blogs hosted on WordPress.com are unaffected..."
- http://wordpress.org/development/2009/09/keep-wordpress-secure/
September 5, 2009
WordPress v2.8.4 released
- http://wordpress.org/download/
August 12, 2009 - "The latest stable release of WordPress (Version 2.8.4) is available..."
- http://secunia.com/advisories/36237/2/
Release Date: 2009-08-12
:fear::mad:
AplusWebMaster
2009-10-06, 14:51
FYI...
Hotmail user info leaked...
- http://blog.trendmicro.com/windows-live-hotmail-user-information-leaked/
Oct. 6, 2009
Time to change your hotmail password
- http://isc.sans.org/diary.html?storyid=7276
Last Updated: 2009-10-05 23:33:47 UTC - "... Microsoft has confirmed that thousands of Windows Live accounts have been compromised with their passwords posted online... Some information is posted here*..."
* http://windowslivewire.spaces.live.com/blog/cns!2F7EB29B42641D59!41528.entry?wa=wsignin1.0&sa=363915619
10/5/2009
:fear::fear:
AplusWebMaster
2009-10-06, 21:09
FYI...
Gmail, AOL, Yahoo all hit by webmail phishing scam
- http://www.theregister.co.uk/2009/10/06/gmail_webmail_phish/
6 October 2009 - "Google has confirmed that Gmail has also been targeted by an "industry-wide phishing scheme" which first hit Hotmail accounts. Yahoo! and AOL are also reportedly affected. Hackers used fake websites to gain the login credentials attached to various webmail accounts. The attack emerged after a list of 30,000 purloined usernames and passwords was posted online. These leaked details reportedly referred to Gmail, Comcast and Earthlink accounts. A second list containing webmail addresses and passwords referring to Hotmail, Yahoo, AOL and Gmail also surfaced online. Some of the addresses on this list were old and fake, but at least some were genuine, the BBC reports*. Both lists have been taken offline, so are no longer directly accessible. The search engine giant confirmed that an unspecified number of accounts were compromised, adding that it had reset the passwords of the compromised accounts... The combined incidents serve to further illustrate the importance of password security. Using a different, hard-to-guess password on every site is a very good start in this direction."
* http://news.bbc.co.uk/2/hi/technology/8292928.stm
- http://www.eset.com/threat-center/blog/2009/10/06/webmail-hacks
October 6, 2009 - "... If you receive an email telling you to provide your password it is a phish. That is as simple as it gets. Never give out your password..."
:fear::fear:
AplusWebMaster
2009-10-07, 12:25
FYI...
FBI warns public of fraudulent SPAM email
- http://www.us-cert.gov/current/#federal_bureau_of_investigation_warns
October 6, 2009 - "The Federal Bureau of Investigation (FBI) has released information warning the public about fraudulent email messages purporting to come from the FBI or the Department of Homeland Security. These email messages contain a malicious attachment that claims to provide an intelligence report or bulletin, but in reality attempts to launch malware on the user's system. More information regarding these messages can be found in the Federal Bureau of Investigation's New E-Scams and Warnings web site*. To help protect against this type of attack, US-CERT recommends that users avoid opening attachments contained in unsolicited email messages..."
* http://www.fbi.gov/cyberinvest/escams.htm
:fear:
AplusWebMaster
2009-10-15, 19:34
FYI...
Adobe PDF Reader exploit in the wild
- http://blog.trendmicro.com/asprox-resurfaces-with-a-mass-compromise-in-tow/
Oct. 15, 2009 - "A specially crafted .PDF file, detected by Trend Micro as TROJ_PIDIEF.ASP, was recently found to have infected several Indian, Thai, and New Zealand websites. The Trojan takes advantage of critical vulnerabilities in Adobe Reader 9.1.3 and Acrobat 9.1.3; Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh, and UNIX; and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities can cause the application to crash and can potentially allow an attacker to take control of an affected system. Adobe has thus advised users to patch their systems and download the necessary updates*. The Trojan belongs to an old but notable malware family known as “ASProx,” which plagued the Web last year. It was so notable that it made its way to Trend Micro’s Top 8 in 2008 list. Most ASProx variants, including this most recent one, exhibited the same payload. They first compromised several websites. Visiting the said sites then triggered redirections to various malicious URLs that ultimately led to the download of more malicious files. The recent reemergence of the ASProx code or the cybercriminals behind it may not have brought anything new to the table but it is noteworthy in that this attack seemingly brought the botnet back from the dead after almost a year of inactivity..."
* http://www.adobe.com/support/security/bulletins/apsb09-15.html
October 13, 2009
:fear::fear:
AplusWebMaster
2009-10-18, 14:53
FYI...
Foxit PDF Reader Firefox Plugin Memory Corruption vuln
- http://secunia.com/advisories/37049/2/
Release Date: 2009-10-15
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched * (?)
Software: Foxit Reader 3.x ...
Solution: Do not visit untrusted websites or follow untrusted links.
Disable the Foxit Reader plugin in Firefox.
Original Advisory: http://seclists.org/fulldisclosure/2009/Oct/198
14 Oct 2009 - "It would appear that Foxit reader version 3.1.1.0928 is also vulnerable to this memory corruption flaw. Foxit reader was also vulnerable to the JPEG2000/JBIG2 decoder bug..."
Other References: SA36983: http://secunia.com/advisories/36983/2/
* http://www.foxitsoftware.com/pdf/reader/bugfix.htm
Fixed in Foxit Reader 3.1.2.1013: Fix the memory leak issue where the memory usage will continuously grow while viewing PDF files with Foxit Reader.
- http://www.foxitsoftware.com/downloads/index.php
Foxit Reader 3.1.2.1013(exe) 5.06 MB - 10/13/09
:fear:
AplusWebMaster
2009-10-24, 15:18
FYI..
FoxIt PDF Reader - print rendering problem noted w/v3.1.2.1013
- http://forums.foxitsoftware.com/showpost.php?p=35481&postcount=7
October 21, 2009 - "... with this version when printing a pdf - only part of the document is printed..."
:confused::fear:
AplusWebMaster
2009-10-26, 16:30
FYI...
Guardian Jobs website hacked...
- http://www.sophos.com/blogs/gc/g/2009/10/25/guardian-jobs-website-hacked-personal-data-risk/
October 25, 2009 - "... the UK version of the Guardian Jobs website has been broken into by hackers. The site, which is described as one of the top five job websites in the UK, with some two million users a month, would be a rich data mine for identity thieves who would be rubbing their hands in glee at the prospect of getting their hands on confidential information from innocent people's CVs and job applications. Details of how the hack was committed have not been revealed, but warning emails sent to people who have used the jobs.guardian.co.uk site to make job applications described the attack as "sophisticated and deliberate"... this isn't the first time that online recruitment websites have suffered at the hands of cybercriminals. Earlier this year... the databases of Monster.com and USAJobs.gov were compromised*, and contact and account information was stolen..."
* http://www.sophos.com/blogs/gc/g/2009/01/24/security-alert-monstercom-usajobs-users/
:fear::mad:
AplusWebMaster
2009-10-27, 17:20
See the site - use menu at top of display "Modes > Attacks":
- http://www.akamai.com/html/technology/dataviz1.html
2009.10.27 - 34% above normal ...!
- http://www.akamai.com/html/technology/realtime_web_methodology.html
"Attack Traffic:
Akamai measures attack traffic in real time across the Internet with our diverse network deployments. We collect data on the number of connections that are attempted, the source IP address, the destination IP address and the source and destination ports in real time. The packets captured are generally from automated scanning trojans and worms looking to infect new computers scanning randomly generated IP addresses. The attack traffic depicts the total number of attacks over the last twenty-four hours.
Values are measured in attacks per 24 hours (attacks/24hrs). Regions are displayed as countries or states."
___
- http://www.v3.co.uk/v3/news/2252011/trend-micro-sees-blocked
27 Oct 2009 - "The sheer scale of the cyber security threat to businesses was highlighted again today, after new statistics from security vendor Trend Micro revealed that its Smart Protection Network (SPN) now blocks an average of more than four billion threats a day. SPN is Trend Micro's newest technology designed to fight today's threats as effectively as possible, combining cloud-based reputation technology with behavioural analysis techniques. The system stops many of the threats in the cloud, crucially negating the problems associated with traditional security tools, such as eating up processing power and network bandwidth... SPN has been up and running for 16 months, but saw significant growth between the third quarter of 2008 and the second quarter of 2009, when the number of global user queries jumped 289 per cent to over 29 billion a day. The number of threats blocked over the same period rose 277 per cent to just over four billion, the company said. Threats in this instance include infected files, as well as web destinations reached through the browser and infected PCs trying to connect to a resource on the internet..."
:sad::fear::spider:
AplusWebMaster
2009-11-11, 01:01
FYI...
87% of web apps - "serious vulnerabilities..."
- http://sunbeltblog.blogspot.com/2009/11/3100-vulnerabilities-connected-with-web.html
November 10, 2009 - "If anyone ever needed a great example for the lectures they give friends, relatives or employees about the importance of installing software updates, here it is. Security firm Cenzic* has made public a report documenting 3,100 vulnerabilities that affect the software used on web sites and in browsers! The report included patched and unpatched vulnerabilities. Cenzic, which provides software as a service, said in their report “Web Application Security Trends Report Q1-Q2, 2009” that Cross Site Scripting and SQL Injection vulnerabilities were a factor in half of all web attacks. They said 87 per cent of web applications their researchers looked at "had serious vulnerabilities that could potentially lead to the exposure of sensitive or confidential user information during transactions"..."
* http://www.cenzic.com/resources_reg-not-required_trends/
Q1-Q2 2009
http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf
:fear::mad:
AplusWebMaster
2009-11-12, 15:40
FYI...
Apple Safari v4.0.4 released
- http://secunia.com/advisories/37346/2/
Release Date: 2009-11-12
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Apple Safari 4.x
Solution: Update to version 4.0.4...
Original Advisory:
http://support.apple.com/kb/HT3949
CVE reference: CVE-2009-2414, CVE-2009-2416, CVE-2009-2804, CVE-2009-2816, CVE-2009-2841, CVE-2009-2842, CVE-2009-3384
- http://support.apple.com/downloads/
:fear:
AplusWebMaster
2009-11-18, 17:09
FYI...
Still - "It's a jungle out there...".
2009 - Top Internet Security Trends
- http://www.symantec.com/connect/blogs/breadth-security-issues-2009-stunning
November 17, 2009 - "... Top Internet Security Trends of 2009...
• Malware-Bearing Spam...
• Social Networking Site Attacks Become Commonplace...
• Rogue Security Software...
• Ready-Made Malware...
• Bot Networks Surge...
• Intra- and Cross-Industry Cooperation to Stamp Out Internet Threats...
• Current Events Leveraged More Than Ever...
• Drive-by-Downloads Lead the Way...
• The Return of Spam to Pre-McColo Levels...
• The Rise of Polymorphic Threats...
• An Increase in Reputation Hijacking...
• Data Breaches Continue..."
(Detail available at the URL above.)
:fear::spider:
AplusWebMaster
2009-11-20, 18:30
FYI...
PHP v5.3.1 released
- http://secunia.com/advisories/37412/2/
Release Date: 2009-11-20
Critical: Moderately critical
Impact: Unknown, Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: PHP 5.3.x ...
Solution: Update to version 5.3.1.
Original Advisory: PHP:
http://www.php.net/releases/5_3_1.php
CVE reference: CVE-2009-3292, CVE-2009-3557, CVE-2009-3558
ChangeLog
- http://www.php.net/ChangeLog-5.php#5.3.1
- http://isc.sans.org/diary.html?storyid=7615
"... With many of the websites on the net relying on PHP and the number of attacks we see, consider upgrading. This release has over 100 bug fixes..."
:fear:
AplusWebMaster
2009-12-02, 21:26
FYI...
2009 Riskiest country domains - McAfee
- http://www.theregister.co.uk/2009/12/02/mal_hosting_survey/
2 December 2009 - "... McAfee analysed 27 million websites and 104 top-level domains using its SiteAdvisor and TrustedSource technology in compiling its report*. SiteAdvisor tests websites for browser exploits, phishing, excessive pop-ups and malicious downloads, while TrustedSource offers a reputation system that tracks web traffic patterns, site behaviour, hosted content and more, to gauge site security risks. The security firm reckons 5.8 per cent (or more than 1.5 million web sites) pose a security risk of one kind or another. The top five riskiest country domains online for 2009, according to McAfee:
1. Cameroon (.cm)
2. PR of China (.cn)
3. Samoa (.ws)
4. Philippines (.ph)
5. Former Soviet Union (.su) "
* http://newsroom.mcafee.com/article_display.cfm?article_id=3600
December 02, 2009
:fear:
AplusWebMaster
2009-12-19, 04:47
FYI...
PDF – Pretty Darned Fatal
- http://www.eset.com/threat-center/blog/2009/12/18/pdf-%E2%80%93-pretty-darned-fatal
December 18, 2009 - "Adobe PDF files were supposed to be a safe alternative to Microsoft Word documents in a time when Microsoft offered no effective protection against macro viruses and had virtually no security model in Office at all. Times change. Microsoft Word documents rarely spread macro viruses and have not for a long time if you are using versions of Word newer than Office XP.
In a dazzling display of arrogant refusal to learn from history, Adobe has configured their products for inferior security by deliberately choosing not to learn security lessons that Microsoft learned years ago.
Security flaws in Adobe reader and Adobe Acrobat are a major problem, but in most cases the technology that allows the exploits to work is JavaScript. Adobe Reader and Acrobat support JavaScript and insanely leave it enabled by default. In practice most PDFs do not require JavaScript and many that do are quite usable without it anyway. If you want to do something simple to help protect yourself against drive-by malware infections – the kind where you simply go to a webpage and get infected, then disable JavaScript in Acrobat and Reader. In Adobe Reader version 9, you go to the edit menu, select preferences, then JavaScript, and then -uncheck- the box that says “Enable Acrobat JavaScript”.
This is how Adobe would set the defaults if they listened to their security experts instead of the marketing department..."
- http://voices.washingtonpost.com/securityfix/2009/12/hackers_exploit_adobe_reader_f.html
December 18, 2009
0-Day Malware Drops Payloads Signed with a Forged Microsoft Certificate
- http://blog.webroot.com/2009/12/15/zero-day-malware-drops-payloads-signed-with-a-forged-microsoft-certificate/
December 15, 2009
:fear::mad:
AplusWebMaster
2009-12-21, 19:42
FYI...
Winamp v5.57 released
- http://secunia.com/advisories/37495/2/
Last Update: 2009-12-18
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Winamp 5.x ...
Solution: Update to version 5.57.
http://www.winamp.com/media-player
- http://www.theregister.co.uk/2009/12/21/winamp_update/
:fear:
AplusWebMaster
2009-12-31, 15:17
FYI...
Sendmail vuln - update available
- http://secunia.com/advisories/37998/2/
Release Date: 2009-12-31
Critical: Moderately critical
Impact: Spoofing
Where: From remote
Solution Status: Vendor Patch
Software: Sendmail 8.x...
Solution: Update to version 8.14.4...
Original Advisory: http://www.sendmail.org/releases/8.14.4
Release notes:
- http://www.sendmail.org/releases/8.14.4#RS
- http://securitytracker.com/alerts/2009/Dec/1023393.html
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4565
Last revised: 01/05/2010
CVSS v2 Base Score: 7.5 (HIGH)
:fear:
AplusWebMaster
2010-01-04, 13:27
FYI...
Malicious PDF docs exploiting CVE-2009-4324
- http://isc.sans.org/diary.html?storyid=7867
Last Updated: 2010-01-04 06:29:59 UTC - "... Quick analysis of the document confirmed that it is exploiting this vulnerability (CVE-2009-4324 – the doc.media.newPlayer vulnerability). This can be easily seen in the included JavaScript in the PDF document, despite horrible detection (only 6 out of 40 AV vendors detected this when I initially submitted it here*). After extracting the included JavaScript code, the shellcode that it uses looked quite a bit different than what we can usually see in such exploits: this shellcode was only 38 bytes long!... Since this exploit has not been patched yet, I would like to urge you all to, at least, disable JavaScript in your Adobe Reader applications. We are getting more reports about PDF documents exploiting this vulnerability, and it certainly appears that the attackers are willing to customize them to get as many victims to open them as possible. Also keep in mind that such malicious PDF documents can go to a great length when used in targeted attacks – the fake PDF that gets opened can easily fool any user into thinking it was just a mistakenly sent document..."
* http://www.virustotal.com/analisis/40e22d52c00b76ad58c3c8daa644b7cfdc4f07a50718743f8e67e89bab386eab-1262223143
File Requset.pdf received on 2009.12.31 01:32:23 (UTC)
Result: 6/40 (15.00%)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4324
More on malicious PDF's
- http://isc.sans.org/diary.html?storyid=7903
Last Updated: 2010-01-07 01:01:21 UTC - "While we are still waiting for the patch and the malicious PDFs which exploit CVE-2009-4324 become more and more nasty, here's another quick excursion in dissecting and analyzing hostile PDF files... we find a recent ThreatExpert analysis http://www.threatexpert.com/report.aspx?md5=b0eeca383a7477ee689ec807b775ebbb that matches perfectly to what we found within this PDF..."
___
Adobe Reader v9.3 released
- http://forums.spybot.info/showpost.php?p=355307&postcount=134
January 12, 2010
:fear:
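Both ISC diaries above describe the same triage steps: spot the JavaScript action inside the PDF, extract and decode the embedded script, and look in it for the API the sample abuses (here `doc.media.newPlayer`). As an added example (not code from the ISC handlers, the poster, or any vendor), the Python below does that first-pass triage offline: it normalizes hex-escaped PDF names (malware writes `/J#61vaScript` to dodge naive string matches), lists the action-related names present, inflates `FlateDecode` streams, and greps the decoded script for API names with known vulnerability history. The `build_sample_pdf` helper constructs a tiny benign PDF for the test; it is not a real sample, and the extra API names in `JS_INDICATORS` beyond `media.newPlayer` are ones I am adding from memory of earlier Reader advisories, not from the diaries.

```python
import re
import zlib

# PDF name tokens that carry actions or executable content; any of these in a
# document that is "just a report" deserves a second look.
PDF_ACTION_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]

# Reader JavaScript API names worth flagging. media.newPlayer is the one the
# diary names (CVE-2009-4324); the others are earlier Reader bugs and generic
# shellcode-staging idioms, added here from memory as assumptions.
JS_INDICATORS = [b"media.newPlayer", b"util.printf", b"Collab.getIcon",
                 b"Collab.collectEmailInfo", b"unescape(", b"String.fromCharCode"]

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A stream object: dictionary (no nested '>>') followed by stream ... endstream.
STREAM_RE = re.compile(rb"<<((?:(?!>>).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Decode PDF name escapes so /J#61vaScript compares equal to /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def extract_streams(data: bytes):
    """Yield the decoded body of every stream object (FlateDecode is inflated)."""
    for m in STREAM_RE.finditer(data):
        dict_part, raw = normalize_names(m.group(1)), m.group(2)
        if b"/FlateDecode" in dict_part:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass  # keep the raw bytes; a broken stream is itself suspicious
        yield raw


def triage_pdf(data: bytes) -> dict:
    """First-pass verdict: which action names appear, which JS indicators, and a flag."""
    norm = normalize_names(data)
    action_names = [n.decode() for n in PDF_ACTION_NAMES
                    if re.search(re.escape(n) + rb"(?![A-Za-z])", norm)]
    js_hits = set()
    for body in extract_streams(data):
        for ind in JS_INDICATORS:
            if ind in body:
                js_hits.add(ind.decode())
    return {
        "action_names": action_names,
        "js_indicators": sorted(js_hits),
        "suspicious": bool(js_hits) or "/JS" in action_names,
    }


def build_sample_pdf(js_source=None, compress=True) -> bytes:
    """Constructed minimal PDF for this example. With js_source set, the catalog's
    /OpenAction points at a JavaScript action whose code is stored in a stream."""
    objs = [
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj",
    ]
    if js_source is None:
        objs.insert(0, b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj")
    else:
        body = js_source.encode()
        filt = b""
        if compress:
            body, filt = zlib.compress(body), b"/Filter /FlateDecode "
        objs.insert(0, b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj")
        # Name written with a hex escape, as obfuscated samples do.
        objs.append(b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj")
        objs.append(b"5 0 obj << /Length " + str(len(body)).encode() + b" " + filt
                    + b">> stream\n" + body + b"\nendstream endobj")
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf("var m = this.media.newPlayer; app.alert(typeof m);")
    print(triage_pdf(sample))
    print(triage_pdf(build_sample_pdf()))
```

This is deliberately a string-level pass, not a PDF parser: it is what you run before deciding whether a file is worth a proper dissection, and it catches the escaped-name and compressed-stream tricks that defeat a plain `grep JavaScript`. A clean result does not prove a file is safe (object streams and multi-layer encodings need a real parser), but a hit on `/OpenAction` plus a script referencing one of these APIs is enough to quarantine the file and, as the diary says, to keep JavaScript disabled in Reader until the patch lands.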
AplusWebMaster
2010-01-09, 15:00
FYI...
PowerDNS update - multiple vulns
- http://www.us-cert.gov/current/#powerdns_recursor_version_3_1
January 7, 2010 - v3.1.7.2 released...
- http://doc.powerdns.com/powerdns-advisory-2010-01.html
Impact: Denial of Service, possible full system compromise ...
- http://doc.powerdns.com/powerdns-advisory-2010-02.html
Impact: ... possible to fool the PowerDNS Recursor into accepting unauthorized data...
:fear::fear:
AplusWebMaster
2010-01-11, 19:39
FYI...
USB flash drive vuln...
- http://isc.sans.org/diary.html?storyid=7894
Last Updated: 2010-01-11 15:34:41 UTC - "... security flaw recently exposed on USB flash drive. The issue of the attack is with a software bug in the password verification mechanism. This affects Kingston, SanDisk and Verbatim...
SanDisk Update Information: http://www.sandisk.com/business-solutions/enterprise/technical-support/security-bulletin-december-2009
Verbatim Update Information: http://www.verbatim.com/security/security-update.cfm
Kingston Recall Information: http://www.kingston.com/driveupdate/
UPDATE: An ISC reader has contacted Kingston support and confirmed they will be releasing a firmware patch to fix the issue. They have described it as a randomization error and it will affect some of the drives..."
Kingston
- http://secunia.com/advisories/38136/2/
SanDisk
- http://secunia.com/advisories/37927/2/
Verbatim
- http://secunia.com/advisories/38137/2/
Kingston
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0221
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0222
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0223
Sandisk
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0224
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0225
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0226
Verbatim
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0227
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0228
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0229
:fear:
AplusWebMaster
2010-01-30, 14:30
FYI...
Firefox-based attack wreaks havoc on IRC users
- http://www.theregister.co.uk/2010/01/30/firefox_interprotocol_attack/
30 January 2010 01:41 GMT - "Underscoring a little-known web vulnerability, hackers are exploiting a weakness in the Mozilla Firefox browser to wreak havoc on Freenode and other networks that cater to users of internet relay chat. Using a piece of javascript embedded into a web link, the hackers force users of the open-source browser to join IRC networks and flood channels with diatribes that include the same internet address. As IRC users with Firefox follow the link, their browsers are also forced to spam the channels, giving the attack a viral quality that has caused major disruptions for almost a month... The malicious javascript exploits a feature that allows Firefox to send data over a variety of ports that aren't related to web browsing. By relaying the scripts over port 6667, users who click on the link automatically connect to the IRC server and begin spewing a tirade of offensive text and links. The attack doesn't work with Internet Explorer or Apple Safari, but "might" work with other browsers... IRC networks such as Efnet and OFTC have managed to block the attacks, but at time of writing Freenode operators were still struggling to repel them..."
:fear::mad:
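The mechanism described in the article, as an added example (not code from The Register, Mozilla or any IRC network): a lenient line-based IRC parser fed an HTTP request whose body is IRC protocol drops the unknown HTTP lines and executes the rest, and a server-side check on the first line refuses such connections before registration. The host name, nick, channel and the exact request framing are assumptions; real form submissions also carry multipart boundary lines, which the server ignores in the same way.

```python
# Verbs a lenient IRC server accepts; anything else gets "421 Unknown command"
# and is otherwise ignored, which is exactly what the attack relies on.
IRC_COMMANDS = {"NICK", "USER", "JOIN", "PRIVMSG", "NOTICE", "PART", "QUIT", "PONG"}
HTTP_METHODS = {"GET", "POST", "PUT", "HEAD", "OPTIONS", "DELETE"}

# Constructed sample: roughly what a browser emits when script on a malicious
# page submits a form to http://irc.example.invalid:6667/ (assumed host and
# channel). The request line and headers are HTTP; the body is IRC.
BODY = (
    "NICK victim123\r\n"
    "USER victim 0 * :victim\r\n"
    "JOIN #target\r\n"
    "PRIVMSG #target :visit http://example.invalid/ now\r\n"
)
SMUGGLED = (
    "POST / HTTP/1.1\r\n"
    "Host: irc.example.invalid:6667\r\n"
    f"Content-Length: {len(BODY)}\r\n"
    "\r\n" + BODY
)


def naive_irc_parse(stream):
    """How a lenient IRC server sees the stream: one command per line, unknown
    verbs ignored. The HTTP request line and headers are dropped and the body
    lines run as IRC commands. Returns (executed, ignored)."""
    executed, ignored = [], []
    for line in stream.split("\r\n"):
        if not line:
            continue
        verb = line.split(" ", 1)[0].upper()
        (executed if verb in IRC_COMMANDS else ignored).append(line)
    return executed, ignored


def is_http_request_line(line):
    """Server-side check (assumed mitigation, not from the article): a real IRC
    client never opens with '<METHOD> <target> HTTP/x.y'."""
    parts = line.split()
    return (len(parts) == 3
            and parts[0].upper() in HTTP_METHODS
            and parts[2].upper().startswith("HTTP/"))


def hardened_irc_parse(stream):
    """Refuse the connection outright when the first line is an HTTP request
    line; otherwise behave like the lenient parser."""
    lines = [l for l in stream.split("\r\n") if l]
    if lines and is_http_request_line(lines[0]):
        return [], lines  # nothing executed: connection dropped
    return naive_irc_parse(stream)


if __name__ == "__main__":
    executed, ignored = naive_irc_parse(SMUGGLED)
    print("lenient server executed:", executed)
    print("lenient server ignored:", ignored)
    print("hardened server executed:", hardened_irc_parse(SMUGGLED)[0])
```

On the client side, Firefox also lets an administrator add ports to its blocked list through the network.security.ports.banned preference; adding 6667 there stops the browser from opening the connection at all, independent of what the IRC server does.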
AplusWebMaster
2010-02-05, 23:20
FYI...
- http://blog.mozilla.com/addons/2010/02/09/update-on-the-amo-security-issue/
February 9, 2010 - "... the suspected trojan in Version 4.0 of Sothink Video Downloader was a false positive and the extension does not include malware. The same investigation also confirmed that the Master Filer extension included a valid instance of a trojan. Our estimate of 6,000 affected downloads has been revised to under 700. The Sothink Video Downloader has been re-enabled on AMO. We apologize to our users and the developers of Sothink for any inconvenience this has caused..."
Mozilla add-ons - 2 infected...
- http://blog.mozilla.com/addons/2010/02/04/please-read-security-issue-on-amo/
February 4, 2010 - "Two experimental add-ons, Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer were found to contain Trojan code aimed at Windows users. Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose Trojan. Both add-ons have been disabled on AMO.
Impact to users:
If a user installs one of these infected add-ons, the trojan would be executed when Firefox starts and the host computer would be infected by the trojan. Uninstalling these add-ons does -not- remove the trojan from a user’s system. Users with either of these add-ons should uninstall them immediately. Since uninstalling these extensions does not remove the trojan from a user’s system, an antivirus program should be used to scan and remove any infections...
Versions of Sothink Web Video Downloader greater than 4.0 are not infected. Master Filer was downloaded approximately 600 times between September 2009 and January 2010. Version 4.0 of Sothink Web Video Downloader was downloaded approximately 4,000 times between February 2008 and May 2008. Master Filer was removed from AMO on January 25, 2010 and Version 4.0 of Sothink Web Video Downloader was removed from AMO on February 2, 2010. AMO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader. No other instances of malware have been discovered..."
:sad::mad::fear:
AplusWebMaster
2010-02-06, 17:53
FYI...
WordPress iframe injection?
- http://isc.sans.org/diary.html?storyid=8164
Last Updated: 2010-02-05 23:57:23 UTC - "... some strange entries he found in his Apache logs (see below) and some rumblings of a number of WordPress blogs being compromised. He was in contact with one of the affected bloggers and they figured out that the compromise resulted in the injection of some obfuscated javascript that created a hidden iframe. We haven't heard exactly what the vulnerability was that was exploited, but if the log entries are actually related there may be a permission problem or perhaps some sort of SQL injection issue with joomla or the tinymce editor (at least, that is what the log entries showed that someone is looking for)... The particular log entry that caught Neal's attention was:
GET /joomla/plugins/editors/tinymce/jscripts/tiny_mce/license.txt
So you may want to be on the lookout for those in your own logs."
:fear::fear:
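One way to act on the diary's advice to watch your own logs, as an added example and not code from ISC or WordPress: parse Apache combined-format lines, flag requests for known fingerprinting paths (the tinymce license.txt probe from the diary plus two assumed patterns of the same kind), tally them per source address, and separately scan a served page for the obfuscated JavaScript and hidden iframe the compromise injected. The log lines and page fragments are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Requests that fingerprint a CMS or editor before an exploit attempt. The first
# pattern covers the exact probe quoted in the diary; the other two are assumed
# examples of the same kind, added here.
PROBE_PATTERNS = [
    re.compile(r'/tiny_?mce/.*(?:license|changelog)\.txt$', re.I),
    re.compile(r'/wp-content/plugins/[^/]+/readme\.txt$', re.I),
    re.compile(r'^/phpmyadmin/', re.I),
]

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Feb/2010:14:02:11 +0000] "GET /joomla/plugins/editors/tinymce/jscripts/tiny_mce/license.txt HTTP/1.1" 404 289 "-" "Mozilla/4.0"
203.0.113.7 - - [05/Feb/2010:14:02:12 +0000] "GET /wp-content/plugins/tinymce/license.txt HTTP/1.1" 404 289 "-" "Mozilla/4.0"
203.0.113.7 - - [05/Feb/2010:14:02:13 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 289 "-" "Mozilla/4.0"
198.51.100.22 - - [05/Feb/2010:14:03:40 +0000] "GET /2010/02/hello-world/ HTTP/1.1" 200 5120 "http://example.net/" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
198.51.100.22 - - [05/Feb/2010:14:03:41 +0000] "GET /wp-content/themes/default/style.css HTTP/1.1" 200 1200 "http://example.org/2010/02/hello-world/" "Mozilla/5.0"
"""


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(lines):
    """(ip, path) for every request whose path matches a known probe pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and any(p.search(rec["path"]) for p in PROBE_PATTERNS):
            hits.append((rec["ip"], rec["path"]))
    return hits


def probing_ips(lines, threshold=2):
    """Source addresses that issued at least `threshold` probes: a block-list candidate."""
    counts = Counter(ip for ip, _ in find_probes(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Injected content checks on a served page. Hidden iframes are zero-sized or
# styled invisible; the injected script typically reconstructs the iframe from
# a percent-encoded or char-code string so the raw page never shows "<iframe".
HIDDEN_IFRAME_RE = re.compile(
    r'<iframe[^>]*(?:width\s*=\s*["\']?0\b|height\s*=\s*["\']?0\b'
    r'|visibility\s*:\s*hidden|display\s*:\s*none)', re.I)
OBFUSCATED_JS_RE = re.compile(
    r'document\.write\s*\(\s*unescape\s*\(|eval\s*\(\s*unescape\s*\('
    r'|String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}', re.I)

# Constructed page fragments.
INJECTED_HTML = ('<html><body><p>Hello world</p><script>document.write(unescape('
                 '"%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fin.php%22%20'
                 'width%3D0%20height%3D0%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E"'
                 '))</script></body></html>')
CLEAN_HTML = ('<html><body><p>Hello world</p><iframe src="https://example.org/embed" '
              'width="560" height="315"></iframe></body></html>')


def page_findings(html):
    """Names of injection indicators found in the page, checked on the raw text
    and on a percent-decoded copy so unescape()-wrapped iframes are caught."""
    findings = set()
    if OBFUSCATED_JS_RE.search(html):
        findings.add("obfuscated_js")
    for text in (html, unquote(html)):
        if HIDDEN_IFRAME_RE.search(text):
            findings.add("hidden_iframe")
    return sorted(findings)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("probes:", find_probes(lines))
    print("probing ips:", probing_ips(lines))
    print("injected page:", page_findings(INJECTED_HTML))
    print("clean page:", page_findings(CLEAN_HTML))
```

The log half is only a tripwire: a 404 on license.txt proves someone is looking, not that they got in, so the page half (run against your own blog's HTML, or a cached copy) is what tells you whether the injection already happened.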
AplusWebMaster
2010-02-17, 14:35
FYI...
SpybotS&D update
- http://www.safer-networking.org/en/updatehistory/index.html
2010-02-17
Total: 2,033,341 fingerprints in 769409 rules for 5235 products...
Thank you, PepiMK!
> http://forums.spybot.info/showthread.php?p=360109#post360109
:fear:
AplusWebMaster
2010-02-22, 19:24
FYI...
2010 State of Enterprise Security
- http://www.symantec.com/about/news/release/article.jsp?prid=20100221_01
February 22, 2010 – Symantec... today released the findings of its global 2010 State of Enterprise Security study... 75 percent of organizations experienced cyber attacks in the past 12 months. These attacks cost enterprise businesses an average of $2 million per year. Finally, organizations reported that enterprise security is becoming more difficult due to understaffing, new IT initiatives that intensify security issues and IT compliance issues. The study is based on surveys of 2,100 enterprise CIOs, CISOs and IT managers from 27 countries in January 2010...
Study Highlights:
• Forty-two percent of enterprises rank cyber risk as their top concern, more than natural disasters, terrorism, and traditional crime combined...
• Enterprises are experiencing frequent attacks. In the past 12 months, 75 percent of enterprises experienced cyber attacks, and 36 percent rated the attacks somewhat/highly effective. Worse, 29 percent of enterprises reported attacks have increased in the last 12 months.
• Every enterprise (100 percent) experienced cyber losses in 2009. The top three reported losses were theft of intellectual property, theft of customer credit card information or other financial information, and theft of customer personally identifiable information. These losses translated to monetary costs 92 percent of the time. The top three costs were productivity, revenue, and loss of customer trust...
• Enterprise security is becoming more difficult due to a number of factors..."
(More detail and recommendations at the URL above.)
:fear:
AplusWebMaster
2010-03-09, 12:41
FYI...
Adobe Reader exploit/vuln active in the Wild - CVE-2010-0188
- http://blogs.technet.com/mmpc/archive/2010/03/08/cve-2010-0188-patched-adobe-reader-vulnerability-is-actively-exploited-in-the-wild.aspx
March 08, 2010 - "While recently analyzing a malicious PDF file, I noticed a vulnerability exploited by the sample which I've never encountered before. After a bit of research I came to the conclusion that this specific sample exploited CVE-2010-0188*. This is a fresh vulnerability, information about which was just published this February. It is described as possibly leading to arbitrary code execution, which is exactly what’s happening. When the PDF file is loaded, Adobe Reader opens and then closes, while an executable file named a.exe is dropped directly onto the C:\ drive. The dropped executable, which is actually embedded into the PDF file, tries to connect to a .biz registered domain to download other files. JavaScript is again used to successfully exploit this vulnerability, so disabling it for unknown documents might be a good idea..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0188
CVSS v2 Base Score: 9.3 (HIGH) - "... Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1**..."
** http://www.adobe.com/support/security/bulletins/apsb10-07.html
- http://techblog.avira.com/2010/03/09/pdf-exploit-for-recently-closed-security-hole/en/
March 9, 2010
- http://www.f-secure.com/weblog/archives/targeted_attacks_2008_2009_2010.png
March 9, 2010
> http://forums.spybot.info/showpost.php?p=360063&postcount=44
:mad::mad:
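Both the ISC note at the top of this section on dissecting hostile PDFs and the MMPC write-up above, which points out that JavaScript is what drives the exploit, come down to the same first step. The following added example (not code from ISC, Microsoft or Adobe) does the keyword triage that tools such as pdfid automate: it counts the names that drive malicious PDFs, after undoing the #xx name escapes and inflating the Flate-compressed streams that attackers use to hide them. The sample PDF it builds is constructed for the example and carries no exploit; the function and variable names are the example's own.

```python
import re
import zlib

# Names that drive malicious PDFs: script, automatic actions, embedded payloads.
SUSPICIOUS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/XFA", b"/AcroForm"]


def normalize_names(data):
    """Undo #xx hex escapes in PDF names: /J#61vaScript is the same name as
    /JavaScript. Applied to the whole buffer, which is good enough for triage."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Decompress every stream that inflates as zlib/Flate. Object streams
    (/Type /ObjStm) are where the interesting dictionaries usually hide."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate (image data, embedded file, other filter)
    return out


def triage(data):
    """Count each suspicious name across the raw file and every inflated stream."""
    views = [normalize_names(data)] + [normalize_names(s) for s in inflate_streams(data)]
    counts = {}
    for name in SUSPICIOUS:
        # negative lookahead so /JS does not also count /JSX-style names
        pat = re.compile(re.escape(name) + rb"(?![A-Za-z])")
        counts[name.decode()] = sum(len(pat.findall(v)) for v in views)
    return counts


def reasons(counts):
    """Human-readable reasons to treat the file as hostile, in a fixed order."""
    out = []
    if counts["/JavaScript"] or counts["/JS"]:
        out.append("javascript")
    if counts["/OpenAction"] or counts["/AA"]:
        out.append("auto-action")
    if counts["/EmbeddedFile"] or counts["/Launch"]:
        out.append("embedded-or-launch")
    return out


def build_sample_pdf():
    """Constructed minimal PDF: /OpenAction points at a JavaScript action that
    lives inside a Flate-compressed object stream under a hex-escaped name, plus
    an embedded file. A plain grep for /JavaScript on this file finds nothing."""
    objstm_body = b"4 0 << /S /J#61vaScript /JS (app.alert('constructed sample')) >>"
    compressed = zlib.compress(objstm_body)
    payload = b"MZ constructed, not a real executable"
    parts = [
        b"%PDF-1.5\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n",
        b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(compressed),
        compressed, b"\nendstream\nendobj\n",
        b"6 0 obj << /Type /EmbeddedFile /Length %d >>\nstream\n" % len(payload),
        payload, b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    sample = build_sample_pdf()
    counts = triage(sample)
    print(counts)
    print("reasons:", reasons(counts))
```

A file that trips "javascript" together with "auto-action" is the shape of the sample MMPC describes (script runs as soon as the document opens) and is worth detonating in a sandbox rather than opening in Reader, whatever the signature scanner says.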
AplusWebMaster
2010-03-09, 18:41
FYI...
Vodafone Android Phone: Complete with Mariposa Malware
- http://isc.sans.org/diary.html?storyid=8389
Last Updated: 2010-03-09 14:20:25 UTC - "Panda Security has a post up on one of their employees buying a brand -new- Android phone from Vodafone and discovering it was spreading Mariposa*. It didn't infect the phone proper, but it did have autoexec.inf and autoexec.bat files designed to infect whatever Windows machine the phone was plugged into via USB cable. Unlike the Energizer story from yesterday, this one is happening now. Standard USB defenses apply, don't automatically execute autoexec.bat/inf files from USB devices. This Microsoft KB article** discusses how to disable the "Autoplay" functionality that leads to this problem..."
* http://research.pandasecurity.com/vodafone-distributes-mariposa/
March 8, 2010
** http://support.microsoft.com/kb/967715
- http://www.internetnews.com/security/article.php/3869871/Mariposa+Bot+Shipped+With+Vodafone+Smartphone.htm
March 10, 2010 - "... Conficker, Mariposa -and- Lineage password stealing malware samples installed on a recently purchased Vodafone HTC Magic smartphone..."
- http://news.cnet.com/8301-27080_3-20000676-245.html
March 17, 2010 - "... an employee at -another- Spanish security company, S21Sec, checked his recently-acquired HTC Magic and found the Mariposa malware lurking on it, according to a PandaLabs blog post* on Wednesday..."
* http://research.pandasecurity.com/vodafone-distributes-mariposa-part-2/
___
- http://www.pcworld.com/businesscenter/article/191931/malware_infected_memory_cards_of_3000_vodafone_mobiles.html
March 19, 2010 - "Malware-tainted memory cards may have ended up on as many as 3,000 HTC Magic phones, a greater number than first suspected, Vodafone said Friday..."
- http://www.theregister.co.uk/2010/03/19/voda_spain_mariposa_latest/
19 March 2010 - "... suggesting 3,000 users were exposed to the malware make it one of the biggest incidents of an IT supplier shipping pre-pwned mobile kit."
:mad::blink:
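The "standard USB defenses" the diary refers to, as an added example rather than code from ISC, Panda or Microsoft: scan a mounted volume's root for autorun files, parse autorun.inf and report every directive that would launch a program, including the "Open folder to view files" disguise in which the drive mimics the stock Autoplay prompt. The sample files are constructed; the file names checked are the ones the diary mentions plus autorun.inf, which is the file Windows Autoplay actually reads.

```python
import configparser
import os
import tempfile

# Files worth flagging at the root of a removable volume. autorun.inf is what
# Windows Autoplay consults; the other names are the ones the ISC diary above
# reports being planted on the phones' storage.
SUSPECT_NAMES = {"autorun.inf", "autorun.bat", "autoexec.bat", "autoexec.inf"}
LAUNCH_KEYS = {"open", "shellexecute"}

# Constructed samples: a worm-style autorun.inf and a harmless one.
MALICIOUS_AUTORUN = r"""[autorun]
open=setup\update.exe
shellexecute=setup\update.exe
shell\open\command=setup\update.exe
action=Open folder to view files
icon=%SystemRoot%\system32\SHELL32.dll,4
useautoplay=1
"""
BENIGN_AUTORUN = """[autorun]
icon=drive.ico
label=Photos
"""


def analyze_autorun(text):
    """(key, value) pairs in an autorun.inf that would launch a program, plus the
    'action' line when it dresses that launch up as the stock Autoplay prompt."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    hits = []
    for section in cp.sections():
        if not section.lower().startswith("autorun"):
            continue
        for key, value in cp.items(section):
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                hits.append((key, value))
        action = cp.get(section, "action", fallback="")
        if hits and "open folder" in action.lower():
            hits.append(("action", action))
    return hits


def scan_volume(root):
    """List suspect files at the volume root; parse the .inf ones for launch directives."""
    findings = []
    for name in sorted(os.listdir(root)):
        if name.lower() not in SUSPECT_NAMES:
            continue
        entry = {"file": name, "launches": []}
        if name.lower().endswith(".inf"):
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                entry["launches"] = analyze_autorun(fh.read())
        findings.append(entry)
    return findings


def demo():
    """Write the constructed samples to a scratch 'volume' and scan it."""
    with tempfile.TemporaryDirectory() as vol:
        with open(os.path.join(vol, "autorun.inf"), "w") as fh:
            fh.write(MALICIOUS_AUTORUN)
        with open(os.path.join(vol, "autorun.bat"), "w") as fh:
            fh.write("@echo off\r\nstart setup\\update.exe\r\n")
        os.makedirs(os.path.join(vol, "DCIM"))  # what a phone's card should contain
        return scan_volume(vol)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The registry change KB967715 describes is the complementary control: setting NoDriveTypeAutoRun under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer to 0xFF disables Autorun for every drive type, so an autorun.inf like the sample is never honoured even on a machine where nobody runs a check like this first.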