
Thread: Old Alerts

  1. #31
    AplusWebMaster (Adviser Team)
    Join Date: Oct 2005 | Location: USA | Posts: 6,881

    Bogus emails...

    FYI...

    Bogus email claims to come from FTC
    - http://www.ftc.gov/opa/2007/10/bogus.shtm
    October 29, 2007 - "A bogus email is circulating that says it is from the Federal Trade Commission, referencing a “complaint” filed with the FTC against the email’s recipient. The email includes links and an attachment that download a virus. As with any suspicious email, the FTC warns recipients not to click on links within the email and not to open any attachments. The spoof email includes a phony sender’s address, making it appear the email is from “frauddep@ftc.gov” and also spoofs the return-path and reply-to fields to hide the email’s true origin. While the email includes the FTC seal, it has grammatical errors, misspellings, and incorrect syntax. Recipients should forward the email to spam@uce.gov and then delete it. Emails sent to that address are kept in the FTC’s spam database to assist with investigations. Simply opening the email does not appear to cause harm. However, it is likely that anyone who has opened the email’s attachment or clicked on the links has downloaded the virus on their computer, and should run an anti-virus program. The virus appears to install a “key logger” that could potentially grab passwords and account numbers..."

    =======================

    Malicious Code: World Bank Deception: Trojan Horse
    - http://www.websense.com/securitylabs...hp?AlertID=812
    October 29, 2007 - "Websense® Security Labs™ has discovered a new Trojan horse using real data from the World Bank. As in past targeted attacks, the samples that we have captured appear to be using names and email addresses taken from the contact pages of the legitimate site. In this case, the email body includes the name of a real World Bank employee.

    The message reads:

    Subject: WorldBank report
    Dear Colleagues,
    This three-year Country Partnership Strategy (CPS) builds on Bulgaria's considerable achievements over the last eight years .. *snipped for brevity* .. and the surveillance roles played by the International Monetary Fund (IMF) and the EU's Stability and Growth Pact upon Bulgaria's EU accession.
    At the following link you'll find our report:
    http : // <URL REMOVED> /
    Thank you!
    Best Regards,
    Ivelina Taushanova
    Associate Professor of Management Science
    <USERNAME REMOVED> @ worldbank . org
    http: // WorldBank . org

    The link leads to the malicious executable WorldBank_doc_36146.txt.exe, which is displayed with the standard notepad.exe icon. Unless the user has configured Windows to explicitly show the file extension (which most people do not, since it requires changing the default configuration), there is no way to visually tell that this file is actually an executable. When run, the initial executable drops a plain text document with information from a real World Bank document, displayed in IE. Also dropped is a packed Trojan horse (bifrose) whose file name makes it appear to be an MSN Messenger plugin. When this article was created, no anti-virus vendors detected the initial executable as malicious. The initial executable downloaded by the victim does not actually make any outbound connection from the victim's desktop to obtain the two dropped files. Because both dropped files are derived from the initial executable, no suspicious network traffic is generated. The dropped Trojan horse (msnmsgr_plugin.exe) maintains a persistent connection to a host name on the dyndns.org domain..."

    (Screenshot available at the URL above.)

    =======================================

    Malicious Code: Halloween Deception: Info Stealing Trojan
    - http://www.websense.com/securitylabs...hp?AlertID=813
    October 29, 2007 - "Websense® Security Labs™ has discovered a new Trojan Horse information stealer that is being emailed out as a Halloween Greeting Card in Mexico. To date we have seen four unique sites being spammed out, all with the same binary file. They were in Korea, Brazil, and Russia, and were all up and running at the time of this alert. The file is called "hallowenDay.exe" and has an MD5 of (65cd5a35bc70075f86cb6404f54d67b8). It is also poorly detected by anti-virus signatures. Assuming users access the site and select to run the file, a Trojan Horse is downloaded onto their machine which is designed to steal banking information from users; the file appears to also be packed with a unique custom packer. We expect to see additional email lures and malicious websites on our radar with Halloween night quickly approaching. The email is written in HTML and has a variety of subject lines..."

    (Screenshot available at the URL above.)

    Last edited by AplusWebMaster; 2007-10-30 at 12:36.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  2. #32
    AplusWebMaster

    MessageLabs Intelligence Report - October 2007

    FYI...

    - http://www.messagelabs.com/resources/press/6418
    October 30, 2007 - "...The new data reveals that spammers have introduced MP3 music files into the expanding toolbox of stock spam techniques, with 15 million emails shaping the first spam run. Use of MP3 files is the latest tactic designed to sneak messages past spam filters and ultimately control the value of stock for nefarious reasons. On October 17, MessageLabs intercepted the first copies of an estimated 15 million email spam run which lasted 36 hours and used StormWorm infected computers to disseminate the emails...

    Other report highlights:
    Web Security: Analysis shows that 45.9 percent of all web based malware intercepted was new in October. MessageLabs identified approximately 1,100 -new- sites per day which harbored malware, an increase of 63 percent compared to September levels. Gambling sites appeared back in the top ten of policy-based filtering triggers and rose to fourth place for large enterprises.
    Spam: In October, the global ratio of spam in email traffic from new and unknown bad sources, for which the recipient addresses were deemed valid, was 74.5 percent (1 in 1.34 emails), an increase of 1.0 percent on the previous month.
    Viruses: This month, the global ratio of email-borne viruses in email traffic from new and previously unknown bad sources destined for valid recipients was 1 in 161.5 emails (0.62 percent) in October, a decrease of 1.43 percent since the previous month. This decline is almost certainly linked with the fall in the number of Storm Worm related emails, particularly active in August and September. This takes the email virus rate to the lowest level since April 2007 when virus traffic accounted for 1 in 145.5 emails.
    Phishing: October saw a decrease of 0.57 percent in the proportion of phishing attacks with one in 174.0 emails comprised of some form of phishing attack. Viewed as a proportion of all email-borne threats such as viruses and trojans, the number of phishing emails has risen by 36.8 percent to 92.8 percent of the malware threats intercepted in October, the highest level on record...
    The full report is available at http://www.messagelabs.com/intelligence.aspx ..."


  3. #33
    AplusWebMaster

    Trick or Treat with Stormy Halloween

    FYI...

    Trick or Treat with Stormy Halloween
    - http://www.f-secure.com/weblog/archives/00001304.html
    October 30, 2007 - "New tactics from the Storm gang can be seen as they celebrate with Halloween... With an unpatched system, visiting the site will trigger an exploit to automatically download and execute a malicious file. The new filename is halloween.exe. We already detect this as Email-Worm.Win32.Zhelatin.LJ . This may be a Trick, and a bad Treat from the Storm gang so remember to keep your databases updated."

    (Screenshot available at the URL above.)


  4. #34
    AplusWebMaster

    Apple Mac OS X updates

    FYI...

    Apple Releases Fix For iMacs That Freeze Up
    - http://www.informationweek.com/share...leID=202801705
    Nov. 2, 2007 - "Apple has released software updates to fix the problem of the latest iMacs freezing up during normal use. The updates, released Thursday, are recommended for 20-inch and 24-inch models with 2.0 GHz and 2.4 GHz Intel Core 2 Duo processors and with the 2.8 GHz Core 2 Extreme processor. The name of the updates, which are on Apple's Web site, are Software Update 1.3* for Leopard, the latest version of Mac OS X; and Software Update 1.2** for Leopard's predecessor Tiger. Apple acknowledged in early October that it had received complaints about iMacs freezing up suddenly and becoming unusable. Users had to reset the machines to bring them back to life. The iMacs affected by the problem were introduced in August, along with new versions of Apple's iLife and iWork software suites... Apple is advising customers to update their machines either through the company's automatic update mechanism or a download from the Web site... Last month, the company posted a fix on its Web site for a serious flaw that caused its Mac computers to seize up when users attempted to upgrade to Leopard***, officially known as OS X 10.5. Leopard was released Oct. 26..."

    * http://www.apple.com/support/downloa...13leopard.html

    ** http://www.apple.com/support/downloa...eupdate12.html

    *** http://docs.info.apple.com/article.html?artnum=306857


  5. #35
    AplusWebMaster

    yl18.net mass defacement

    FYI...

    - http://isc.sans.org/diary.html?storyid=3621
    Last Updated: 2007-11-06 20:37:50 UTC - "Zack wrote to us yesterday to inform us of a mass defacement involving one of his web sites. After a brief look, we were able to confirm that the following script tag (obfuscated) had been injected in over 40,000 pages across the internet:

    script src="hXXp://yl 18.net/0.js"

    This script generates a page containing several hidden iframe components. These link to other pages that contain browser specific exploit code, such as the common ADODB exploit. This code downloads, without prompting, a small number of executable droppers, and executes them on vulnerable systems. Upon review, most of the binaries downloaded appeared to be password stealers for online games, but not all have been reviewed yet. Anti virus coverage differed greatly between several binaries...
    This type of widespread attack can incur a serious toll and requires follow up. At the ISC, we not only try to assess how to have a piece of malicious code taken down, but also what the attacker's next steps will be. We generally take at least the following steps to contain the incident:
    * Inform the ISP hosting the malicious code. In this case, this was CHINANET, who have a massive deployed base and are not always able to respond promptly;
    * If we receive no response or suspect a language issue, we inform the local incident response team (CSIRT/CERT) and ask them for assistance;
    * We gather samples of the affected malicious code and distribute it to anti virus vendors to have them build coverage;
    * If it’s an important issue, we report it here on the diary so organizations can implement controls to protect themselves against infection.
    We also assess what the attacker spent most time working on. In this case, compromising a single server in China and hosting a malicious script is low effort and can easily be repeated. Attacking thousands of sites and adding a link to them is his actual investment. As such, once the server is taken offline, the attacker will promptly move hosting for the yl18.net domain to another server. If the domain is likely fully malicious, we try to pre-empt this and inform the registrar that the domain is used for illegal activities and should be disabled.
    This is a problem – most registrars do not really care what a domain is used for. Generally malicious domains are however paid for with fake credit cards, and if this can be identified, they have the legal ability to disable the domain. These efforts take lots of time, and at this point in time, the server hosting yl18.net is still online and serving malicious code. Various .com web sites have been defaced with the script tag, most likely through SQL injection or cross site scripting, and are infecting their users. If you have the ability to do so, we suggest blocking traffic to yl18.net at your gateway."


  6. #36
    AplusWebMaster

    Malicious Code: MSNBC's Turkish site compromise

    FYI...

    - http://www.websense.com/securitylabs...hp?AlertID=817
    November 07, 2007 - "Websense® Security Labs™'s ThreatSeeker™ technology has discovered that MSNBC's Turkish site has been compromised. At the time of this writing, the site was infected with malicious code designed to infect the site's visitors through the use of an external JavaScript file. The file contained the malicious JavaScript code that was hosted in China. Visitors to the Web site were infected with an exploit code tailored to their browser. Assuming that the visitors were vulnerable, password stealing code was installed and executed on their desktops, without requiring any user intervention. The widespread presence of this malicious code has been confirmed by the SANS Internet Storm Center in their most recent incident handler's diary: http://isc.sans.org/diary.html?storyid=3621
    This is a Microsoft site, hosted by a partner. We are actively working with Microsoft's security personnel to fix the issue..."

    (Screenshot available at the Websense URL above.)


  7. #37
    AplusWebMaster

    Hidden IFRAMEs Launch Malware En Masse

    FYI...

    Hidden IFRAMEs Launch Malware En Masse
    - http://blog.trendmicro.com/hidden-if...ware-en-masse/
    November 8, 2007 - "SANS reports that last November 6, hundreds of Web sites across the Internet were believed to have been compromised by a yet unknown hacker. Details about how and why the attack was perpetrated remain murky. What we know so far is that a certain script which loads http://{BLOCKED}8.net/0.js has been injected into the said sites, the said script leads to a page riddled with invisible IFRAMEs, and these IFRAMEs link to certain pages to automatically download several files... A rundown of the forty-plus files gives us Trojans, spyware, backdoors, and a worm belonging to families such as, but not limited to, ONLINEG, WOW, QQPASS, and QQGAME, which are known information stealers targeting gamers and QQ users. File sizes ranged from 177KB to 2KB, with the largest being backdoor programs. Backdoors open an infected machine’s ports, allowing remote malicious users control over the system. Users who visit any of the compromised sites run the risk of getting infected, so gateway admins had better block traffic coming from yl18.net..."

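The pattern the ISC diary (#35) and the Trend Micro post (#37) describe, an injected external script tag that pulls in a page of invisible IFRAMEs, is something a site owner can check their own pages for. The following is an added example, not code from either source or from this thread: it flags script tags loading from hosts outside the site's own list and IFRAMEs hidden by zero size or CSS; the trusted host names and the sample page are constructed for illustration.

```python
"""Scan an HTML page for an injected external <script src> and hidden IFRAMEs."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of hosts this site legitimately loads scripts from.
TRUSTED_HOSTS = {"www.example.com", "static.example.com"}

# Constructed sample page: one legitimate script, one injected script whose
# src is entity-encoded (the parser decodes attribute values, so this kind of
# light obfuscation does not hide it), one normal and two hidden IFRAMEs.
SAMPLE_PAGE = """<html><head>
<script src="http://static.example.com/site.js"></script>
<script src="&#104;ttp://yl18.net/0.js"></script>
</head><body>
<iframe src="http://video.example.com/player" width="640" height="360"></iframe>
<iframe src="http://hostile.invalid/x.htm" width="0" height="0"></iframe>
<iframe src="http://hostile.invalid/y.htm" style="display: none"></iframe>
</body></html>"""


def _pixels(value):
    """Leading integer of a width/height attribute; huge if unparseable."""
    m = re.match(r"\s*(\d+)", str(value))
    return int(m.group(1)) if m else 10**6


def _is_hidden(attrs):
    """An IFRAME counts as hidden when CSS hides it or a dimension is <= 1px."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return any(attrs.get(d) is not None and _pixels(attrs[d]) <= 1
               for d in ("width", "height"))


class IndicatorScanner(HTMLParser):
    """Collects (kind, src) findings while the parser walks the start tags."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = trusted_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host not in self.trusted:
                self.findings.append(("external-script", a["src"]))
        elif tag == "iframe" and _is_hidden(a):
            self.findings.append(("hidden-iframe", a.get("src") or ""))


def scan_html(html, trusted_hosts=TRUSTED_HOSTS):
    """Return the list of (kind, src) indicators found in one HTML document."""
    scanner = IndicatorScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_PAGE):
        print(f"{kind:16} {src}")
```

Run against a crawl of your own pages, a non-empty result for a page that has not changed on your side is the signal the ISC diary describes: the content was altered on the server, not by you.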

  8. #38
    AplusWebMaster

    IndiaTimes.com visitors risk high exposure to malware

    FYI...

    - http://news.yahoo.com/s/cmp/20071110/tc_cmp/202804433
    November 9, 2007 - "Visitors to IndiaTimes .com, a major English-language Indian news site, risk infecting their computers with a deluge of malware, according to Mary Landesman, senior security researcher at ScanSafe. "It's an entire cocktail of downloader Trojans and dropper Trojans," Landesman said Friday, putting the number of malicious files involved at 434. This includes scripts, binaries, cookies, and images. Landesman characterized the size of the malicious payload as unusually large. She also noted that the attack involved a large number of Web sites. Analyzing just two of the binaries, she said that ScanSafe had identified at least 18 different IP addresses involved in the attack. "Only certain pages of the IndiaTimes .com are infected," ScanSafe said in its Nov. 9 Threat Alert*. "The impacted pages contain a script which points to a remote site containing iframes pointing to two additional sites. One of the sites included cookie scripts and an iframe pointing to a non-active site. The other iframe pointed to an encrypted script which exploits multiple vulnerabilities in an attempt to download malicious software onto susceptible systems of users visiting indiatimes .com..."

    * http://blog.scansafe.com/journal/200...ompromise.html
    "...Unfortunately, the person we spoke with indicated that it was a holiday in India and they would be unlikely to fix the problem until Monday..."


  9. #39
    AplusWebMaster

    PHP multiple vulns - update available

    FYI...

    - http://secunia.com/advisories/27648/
    Release Date: 2007-11-12
    Critical: Moderately critical
    Impact: Unknown, Security Bypass
    Where: From remote
    Solution Status: Vendor Patch
    Software: PHP 5.2.x
    ...vulnerabilities and weaknesses have been reported in PHP, where some have unknown impacts and others can be exploited to bypass certain security restrictions.
    Solution: Update to version 5.2.5.
    http://www.php.net/downloads.php ...
    Original Advisory:
    http://www.php.net/releases/5_2_5.php


  10. #40
    AplusWebMaster

    yl18.net mass defacement (update)

    FYI...

    - http://isc.sans.org/diary.html?storyid=3625
    Last Updated: 2007-11-11 01:57:16 UTC ...(Version: 2)
    "Update:
    ...We're now at 66K links in Google for the yl18.net/o.js scripts, will it get to the 200K plus numbers we saw with the Super Bowl? worldofwarcraftn .com has now been confirmed as containing malicious content, and you can add rnmb .net to the list which also belongs to the same group. From the whois records it looks like the domain is refreshed daily, which tends to indicate that they are not paying for it, but are using a registrar where you can start using the domain immediately, but pay later. In this case the pay later part is probably not happening. If I were the registrar I might get miffed with people registering the same domain on a daily basis and never pay, but then that's me. If you like IP numbers then today the IPs to block for your web users are 125.65.77.25 & 61.188.39.218 "

    ( http://forums.spybot.info/showpost.p...6&postcount=28 )
    ----------------------------------------------------------------------------

    - http://www.websense.com/securitylabs...php?BlogID=160
    Nov 12 2007 - "Websense® Security Labs™'s ThreatSeeker™ technology has identified more than 350 sites to date containing malicious code designed to infect the site's visitors through the use of an external JavaScript file. This is a follow-up on our previous alert of a mass infection involving MSNBC's Turkish site. Notable sites discovered include the Swedish parliament’s web site and an Australian financial services web site (FICS). At time of writing, the sites in the screenshots below are still infected and we do not recommend visiting them without adequate protection. Vulnerable visitors will have password stealing code installed and executed on their desktops without their consent."

    (Screenshots of a selected few sites available at the URL above.)


    Last edited by AplusWebMaster; 2007-11-13 at 12:51.
