View Full Version : 2006 Alerts - Q4

2006-10-04, 19:40

- http://www.websense.com/global/en/PressRoom/PressReleases/PressReleaseDetail/?Release=0610031282
October 3, 2006
"...The report shows that the volume of attacks increased and malicious code became more covert, less recognizable and more targeted toward financial gain. Not only has malicious code become more sophisticated, but the infrastructure supporting its creation and spread has also become more complex. Of the sites designed to steal credentials, almost 15 percent are derived from toolkits, an emerging tactic from the hacker community. These kits, made by professional malicious code writers, are often for sale on the internet and allow non-sophisticated users to launch sophisticated attacks against operating system exploits and vulnerabilities. The criminal motive of attacks has also become more apparent as traditional hacking for fun has been replaced with activities designed to steal confidential data to reap financial rewards. The report notes a 100 percent increase in sites designed to install keyloggers, screen scrapers and other forms of crimeware. Conversely, Websense has seen more than a 60 percent drop in websites designed merely to change user preferences, such as browser settings..."

("Additional Highlights" and "Major Findings" available at the URL above.)

:fear: :spider:

2006-10-13, 22:02

- http://isc.sans.org/diary.php?storyid=1783
Last Updated: 2006-10-13 18:49:37 UTC
"Jan sent us a nice ( ? ) trojan he found on a friend's defaced website. After 20 seconds, the defaced site will redirect users to the java applet which appears to implement a full featured bot. You should see a java security popup notifying you that the applet is signed by an "Unknown User".

As always, do not click 'OK' but deny.

Given that it is written in Java, this bot could potentially work on different operating systems."

:fear: :spider:

2006-10-18, 00:38

- http://blog.washingtonpost.com/securityfix/2006/10/patches_issued_for_widely_depl.html
October 17, 2006
"Security flaws present in the software components that power wireless communications over Bluetooth on a number of popular laptop models could let attackers compromise vulnerable machines. Bluetooth is a communications technology that allows electronic devices to exchange information wirelessly over short distances (the theoretical range is between 10 to 100 meters, depending on the class of the devices used). The problem stems from Bluetooth device drivers made by Toshiba Corp., drivers that are present not only in many Toshiba notebooks but also in a number of machines made by Dell Computer... advisory from Atlanta-based SecureWorks: http://www.secureworks.com/press/20061011-dell.html ..."

(Use -both- URLs above for more detail.)

- http://secunia.com/advisories/22402/
Release Date: 2006-10-17
Critical: Moderately critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Toshiba Bluetooth Stack 3.x, Toshiba Bluetooth Stack 4.x ...


2006-10-24, 15:37

- http://www.darkreading.com/document.asp?doc_id=108040&print=true
October 23, 2006
"Two resurgent email-borne exploits have been hitting users particularly hard over the last week, and researchers say the uptick could get worse. Stration.DS, a variant of a mass-mailing virus that was first spotted last month, is reproducing at alarming rates, according to researchers. Security vendor Fortinet says it has killed more than 350,000 instances today alone -- more than three times as many as it stopped on Friday; email security vendor Postini confirmed that estimate, saying it has slapped the virus down more than 363,000 times in the last 24 hours. Separately, Panda Software says it has spotted several variants of the Haxdoor Trojan -- a rootkit exploit that often uses email to steal confidential user information -- over the last seven days. Like Stration, Haxdoor is not new, but appears to be re-emerging in a particularly virulent strain.... "It will probably continue to proliferate at its current rate -until- more people update their antivirus software and it has a smaller base of machines to launch from," Lu says. "When most people have their antivirus products upgraded, we'll start to see the numbers go down"... Stration and Haxdoor join Netsky and Mytob as threats that have been attacking email users in wide variants for months at a time. In its monthly threat report issued Friday, Postini* said it blocked more than 4 million instances of Netsky alone in September..."

Spam, Phishing and Virus Attacks Rise to 80 Percent of All Email in September
* http://www.postini.com/news_events/pr/pr102006.php
October 20, 2006
"...At any given moment in September, Postini was tracking 50,000 computers that were exhibiting signs of malicious behavior..."
- http://www.postini.com/stats/

:fear: :spider:

2006-10-25, 23:15

Winamp v5.31 available:

- http://www.winamp.com/player/index.php

Version History
- http://www.winamp.com/player/version_history.php#5.31

- http://secunia.com/advisories/22580/
Release Date: 2006-10-25
Critical: Highly critical ...
"...The vulnerabilities are reported in versions 2.666 through 5.3.
Solution: Update to version 5.31.
http://www.winamp.com/player/ ..."


2006-10-27, 21:31

- http://blog.washingtonpost.com/securityfix/2006/10/phishers_respond_to_web_bankin.html
October 27, 2006
"Financial institutions across the country are scrambling to meet a Dec. 31 deadline set by banking industry regulators to have security processes in place for online banking that go beyond simply requiring customers to enter a user name and password. While some of the protections being adopted should help people -feel- more confident about online banking, there are signs that criminals already are adapting their techniques to defeat those measures... Take, for example, a phishing e-mail from earlier this week targeting Bank of America customers with the usual message urging the recipient to "update their account information," in this case due to a supposed "server update" by the bank. Users who click on the included link are brought to a page that prompts the visitor to reset their account data by supplying their "old" password and user name, as well as their "previous" two SiteKey questions and answers... It would be interesting to compare the results of the anti-phishing technology built into the latest releases of both Microsoft's Internet Explorer 7 and Mozilla's Firefox 2.0 browsers. When I visited this particular site in Firefox, I received a pop-up alert from Netcraft's anti-phishing toolbar, but also from Firefox, which flagged the scam site as a "suspected web forgery" and included links I could click on to learn more about phishing scams. When I visited the Bank of America scam site in IE7, I received no such alert."


2006-11-01, 21:11

- http://blog.washingtonpost.com/securityfix/2006/11/exploit_released_for_unpatched_1.html
November 1, 2006
"Security researcher HD Moore today released computer code showing how attackers can exploit an unpatched flaw present in the wireless drivers in some Apple Macintosh computers... The vulnerability is the first in a series of daily bug details to be released over the next 29 days as part of the "Month of Kernel Bugs" project. LMH said we can expect at least five more Apple kernel bugs to be detailed in the coming days, as well as kernel flaws in Linux, BSD, and Solaris 10 systems..."

:fear: :sad:

2006-11-05, 18:58

- http://www.internetnews.com/security/article.php/3642011
November 3, 2006
"If Web 2.0 is built on trust, that may also be its downfall. Hackers entered a Web page into the German edition of Wikipedia that claimed there was a new variant of the Blaster virus floating around and provided a link to a download to remove the virus. The problem was, the supposed virus remover was the virus. The hackers then spammed German computer users, pretending to be from Wikipedia, and directed them to the bogus page about "new worm." Fortunately, antivirus vendor Sophos* caught the email, and it alerted Wikipedia about the bogus page. The page was quickly taken down. Because of the inherent nature of Wikipedia – an online encyclopedia that anyone can add to or edit – it makes this kind of opportunistic criminal easy. "This was another strong social engineering opportunity," Gregg Mastoras, vice president of marketing at Sophos, told internetnews.com..."
* http://www.sophos.com/pressoffice/news/articles/2006/11/wikipedia-malware.html
3 November 2006
"...Wikipedia has now confirmed that it has permanently erased the archived version of the page..."


2006-11-06, 19:47

- http://www.darkreading.com/document.asp?doc_id=109802&print=true
NOVEMBER 6, 2006
"PhishTank*, the neighborhood watch site for phishing exploits, has released its first round of monthly statistics on the phishing exploits it collected last month. Out of the 7,061 suspected phishes submitted to the PhishTank site, 3,678 were confirmed, but another 2,505 went offline before they could be validated by the site. PhishTank is a public clearinghouse for phishing emails and URLs run by OpenDNS**, where users and Web developers can post and track phishes... The top ten ISPs that hosted the most phishing attempts were (in order): Hanaro Telecom, National Internet Backbone, TELESC Telecomunicacoes de Santa Catarina SA, EMCATEL, Instituto Costarricense de Electricidad y Telecom, CQNET Chongqing Broadband Networks, Futures Cable Television, SAVVIS Savvi, CANTV Servicios, MobiFon S.A. Demographically, 24 percent of the phishing exploits came from the U.S., 14 percent from South Korea, and 8 percent from India. The rest were spread fairly evenly among China (6 percent), Great Britain (4 percent), Germany (4 percent), Brazil (4 percent), Russia (3 percent), Costa Rica (3 percent), and Colombia (3 percent). Other countries represented less than 2 percent of the phishing exploits, according to the PhishTank numbers."
* http://www.phishtank.com/stats.php

** http://www.opendns.com/


2006-11-08, 00:27

- http://isc.sans.org/diary.php?storyid=1831
Last Updated: 2006-11-07 20:29:51 UTC
- http://www.kaspersky.com/news?id=204900036
"Kaspersky Lab has intercepted a mass-mailing containing Trojan-Dropper.MSWord.Lafool.v. This mass mailing is unusual as messages appear to be sent from mcafee @ europe.com and allegedly originated from McAfee, an antivirus company. Kaspersky Lab believes that McAfee is in no way involved in the distribution of this Trojan and that the email address used in the messages (mcafee@europe.com) is faked and used in order to cause recipients to open infected messages. Lafool.v is a Word document called “McAfee Inc. Reports.doc”. The file is 80,635 bytes in size, and allegedly contains a report about the propagation of malicious programs on the Internet. The document contains a macro written in Visual Basic for Applications. Lafool.v extracts a new modification of LdPinch, a well known Trojan password stealing program, from itself, and launches it for execution. LdPinch steals passwords to a number of services and applications, including AOL Instant Messenger and ICQ, and other confidential user data. Kaspersky Anti-Virus detects the new variant of this program as Trojan-PSW.Win32.LdPinch.bbg* ...
* http://www.viruslist.com/en/viruses/encyclopedia?virusid=140927
"...Check the C: root directory for a file called “LS060E.eXE” and delete it: C:\LS060E5.eXE ..."


2006-11-08, 14:05

- http://isc.sans.org/diary.php?storyid=1834
Last Updated: 2006-11-08 04:58:08 UTC
"The Mozilla Foundation released version of both their popular Firefox web browser and Thunderbird email clients today. These versions address some security issues* covered in MFSA2006-65, MFSA2006-66 and MFSA2006-67. If you have not already upgraded to the new Firefox 2.0 web browser, you should be sure to update to Firefox You can download the new versions off their web site at:
http://www.mozilla.com/firefox/releases/ -and-

http://www.mozilla.com/thunderbird/ ..."

* http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.8

> http://secunia.com/advisories/22722/

- http://secunia.com/advisories/22722/
Last Update: 2006-11-09
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, DoS, System access ...
> Solution: Update to Mozilla Firefox*...
Changelog: 2006-11-09: Added links to US-CERT vulnerability notes.
Original Advisory:
MFSA-2006-65: http://www.mozilla.org/security/announce/2006/mfsa2006-65.html
MFSA-2006-66: http://www.mozilla.org/security/announce/2006/mfsa2006-66.html
MFSA-2006-67: http://www.mozilla.org/security/announce/2006/mfsa2006-67.html
Other References:
US-CERT VU#815432: http://www.kb.cert.org/vuls/id/815432
US-CERT VU#495288: http://www.kb.cert.org/vuls/id/495288
US-CERT VU#390480: http://www.kb.cert.org/vuls/id/390480
US-CERT VU#335392: http://www.kb.cert.org/vuls/id/335392
US-CERT VU#714496: http://www.kb.cert.org/vuls/id/714496 ..."

* http://www.mozilla.com/firefox/releases/
...with Firefox open in an admin account: Help > Check for Updates.


2006-11-12, 05:48

- http://isc.sans.org/diary.php?storyid=1845
Last Updated: 2006-11-12 01:09:18 UTC

- http://isotf.org/advisories/zert-01-111106.htm
"...ZERT sees this vulnerability as critical, but can not patch it. This advisory comes to explain why this is a critical issue, why we can't patch it, and what can be done.
MoKB's advisory states: "The Broadcom BCMWL5.SYS wireless device driver is vulnerable to a stack-based buffer overflow that can lead to arbitrary kernel-mode code execution. This particular vulnerability is caused by improper handling of 802.11 probe responses containing a long SSID field. The BCMWL5.SYS driver is bundled with new PCs from HP, Dell, Gateway, eMachines, and other computer manufacturers. Broadcom has released a fixed driver to their partners, which are in turn providing updates for the affected products. Linksys*, Zonet, and other wireless card manufacturers also provide devices that ship with this driver...
Q: Is it possible for Microsoft to push this update through their automatic updates system?
A: We believe that has been done before (last week as an example, with a smaller Broadcom update). However, the only answer to that question can come from Microsoft. Patching third party software is never an easy task, even if in collaboration with the third party. Microsoft potentially helping to patch this third-party issue could be of a significant help to get ahead of this threat."
* Linksys driver:
- http://preview.tinyurl.com/jchla

- http://blog.washingtonpost.com/securityfix/2006/11/exploit_targets_widely_deploye.html
"A security researcher has released a set of instructions for exploiting a security flaw in the wireless Internet devices built into millions of new laptops from HP, Dell, Gateway and other computer makers. An attacker could use the flaw to take complete control over any vulnerable machine located within a few hundred feet... In the meantime, many laptops sold these days come with a button you can push to disable the built-in wireless card. If your laptop came with one of those, it might not be a bad idea to get into the habit of using it."

Broadcom Wireless Driver Probe Response SSID Buffer Overflow
- http://secunia.com/advisories/22831/
Release Date: 2006-11-13
Critical: Moderately critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Broadcom NIDS 5.0 Wireless Driver 3.x
"...The vulnerability is caused due to a boundary error in the BCMWL5.SYS device driver when handling probe response requests with a long SSID. This can be exploited to cause a stack-based buffer overflow via a specially crafted packet. The vulnerability is reported in version Other versions may also be affected.
Solution: Update to the latest version.
Linksys: http://preview.tinyurl.com/jchla
Turn off the wireless card when not in use..."

- http://blog.washingtonpost.com/securityfix/2006/11/microsoft_patches_9_security_h.html
November 14, 2006
"...It turns out that HP issued a patch in October to fix this flaw. HP users should be able to install this patch by visiting Microsoft Update, letting it scan, and then selecting the "Hardware/Optional" option at the left hand side of the screen. This worked on my HP laptop*, and there may be updates for this flaw from other affected PC makers (Dell and Gateway come to mind). I think it's great that Microsoft is offering Microsoft Update as a distribution mechanism for serious flaws in the PCs made by third parties, but most people probably would not know to check that portion of Microsoft Update, and I can't recall ever seeing any alerts from HP about this important patch."

* http://blog.washingtonpost.com/securityfix/hpmu.html


2006-11-14, 19:01

Codec No. 107
- http://www.f-secure.com/weblog/archives/archive-112006.html#00001021
November 14, 2006
"While browsing the Internet for movies – *cough* pr0n – people often end up downloading some DRM protected material, bundled with a license that uses social engineering tactics to push the victim into downloading a "codec". These supposed codecs are downloading and installing malware... Sunbelt's blog* frequently posts fake codec site URLs to avoid. Good Guys. Kurt Wismer also has some good advice**: Get a good media player that handles multiple formats, and then be very suspicious of anything else prompting you for a new codec."

* http://sunbeltblog.blogspot.com/2006/11/more-fake-codecssecurity-scam-hijack.html

** http://anti-virus-rants.blogspot.com/2006/11/how-to-avoid-codec-roulette.html


2006-11-16, 00:06

- http://isc.sans.org/diary.php?storyid=1861
Last Updated: 2006-11-15 19:48:38 UTC
"WinZip Computing released a new build of WinZip 10 that fixes a critical security vulnerability in this popular ZIP program. The vulnerability exists in an ActiveX component that is shipped with WinZip 10 only (so if you are running previous versions of WinZip you are not affected by this vulnerability). This ActiveX component is marked safe for scripting which means that a remote attacker can exploit it if you visit a web page hosting the exploit. Build 7245 of WinZip 10 is available at http://www.winzip.com/wz7245.htm . If you, for some reason, cannot upgrade, you should disable the affected ActiveX control (WZFILEVIEW.FileViewCtrl.61) – its CLSID is A09AE68F-B14D-43ED-B713-BA413F034904.

*MS06-067 ( http://isc.sans.org/diary.php?storyid=1854 ) actually disables this vulnerability. Beside the other things that this update does, it also sets the kill bits for vulnerable ActiveX components...

Couple of exploits for this vulnerability have been already released, so be sure to either patch WinZip or install MS06-067*..."

- http://www.winzip.com/wz7245.htm
"...Previous versions of WinZip are not affected by this vulnerability..."
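An added check, written for this thread and not taken from the ISC diary or from WinZip, that reads the Internet Explorer kill-bit entry for the WZFILEVIEW CLSID quoted above and reports whether the control is still registered and still scriptable. It assumes a Windows host with PowerShell, that the control is registered under HKLM:\SOFTWARE\Classes\CLSID, and that the kill bit is the 0x400 flag of the "Compatibility Flags" value, which is what MS06-067 sets:

```powershell
# Added example, not code from the original post. Checks the IE kill bit for the
# WinZip 10 FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61); the CLSID is
# the one given in the ISC diary above. Run from an elevated PowerShell prompt.

$Clsid       = '{A09AE68F-B14D-43ED-B713-BA413F034904}'
$KillBitFlag = 0x400   # "Compatibility Flags" bit that stops IE from instantiating a control

function Get-KillBitStatus {
    param([Parameter(Mandatory)][string]$Clsid)

    # Kill bits live per-CLSID under the ActiveX Compatibility key.
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = 0
    if (Test-Path $compatKey) {
        $item = Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue
        if ($null -ne $item.'Compatibility Flags') { $flags = [int]$item.'Compatibility Flags' }
    }

    # Is the control registered at all? Uninstalling WinZip 10 removes this key.
    $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
    $dll = $null
    if (Test-Path $serverKey) {
        $dll = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
    }

    [pscustomobject]@{
        Clsid      = $Clsid
        Registered = [bool]$dll
        Dll        = $dll
        Flags      = $flags
        KillBitSet = (($flags -band $KillBitFlag) -ne 0)
    }
}

function Set-KillBit {
    # Sets the kill bit the same way MS06-067 does; existing flag bits are preserved.
    param([Parameter(Mandatory)][string]$Clsid)
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
    $current = (Get-KillBitStatus -Clsid $Clsid).Flags
    Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -Type DWord `
        -Value ($current -bor $KillBitFlag)
}

$status = Get-KillBitStatus -Clsid $Clsid
$status | Format-List

if ($status.Registered -and -not $status.KillBitSet) {
    Write-Warning "Control is registered and still scriptable from IE: update to WinZip 10 build 7245 or install MS06-067 (or run Set-KillBit -Clsid $Clsid)."
}
```

On 64-bit Windows the 32-bit Internet Explorer reads the same keys under HKLM:\SOFTWARE\Wow6432Node, so check that path as well.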


2006-11-22, 13:48

- http://secunia.com/advisories/23046/
Release Date: 2006-11-22
Critical: Less critical
Impact: Exposure of sensitive information
Where: From remote
Solution Status: Unpatched
Software: Mozilla Firefox 1.x, Mozilla Firefox 2.x
"...This may be exploited to steal user credentials via malicious forms in the same domain.
The vulnerability is confirmed in version 2.0.0. Other versions may also be affected.
Solution: Disable the "Remember passwords for sites" option in the preferences...
Original Advisory: http://www.info-svc.com/news/11-21-2006/
Other References: https://bugzilla.mozilla.org/show_bug.cgi?id=360493 ..."

- http://isc.sans.org/diary.php?storyid=1879
Last Updated: 2006-11-22 14:43:18 UTC
"... This type of attack vector appears to also affect Internet Explorer... The workaround in this particular case would be to never use Firefox to save passwords for any web site. The option is under Tools, Options, Security. Here is a link* showing how to disable it..."
* http://www.mozilla.org/support/firefox/options#security

- http://www.sans.org/newsletters/newsbites/newsbites.php?vol=8&issue=93&rss=Y#sID306


2006-11-29, 18:59

Security Update 2006-007
- http://docs.info.apple.com/article.html?artnum=304829
Date Modified: November 28, 2006

Apple Patches 31 Security Holes
- http://blog.washingtonpost.com/securityfix/2006/11/apple_patches_fix_31_security_1.html
November 28, 2006
"...Users can download the free updates using OS X's Software Update feature*, or directly from Apple Downloads**..."

* http://docs.info.apple.com/article.html?artnum=106704

** http://www.apple.com/support/downloads/

- http://isc.sans.org/diary.php?storyid=1896

- http://secunia.com/advisories/23155/


2006-11-30, 15:49

SYM06-023 - Symantec NetBackup Vuln
> http://securityresponse.symantec.com/avcenter/security/Content/2006.11.28.html

- http://seer.support.veritas.com/docs/285984.htm
Last Updated: November 29 2006
"Symantec's Veritas NetBackup (tm) 6.0 PureDisk Remote Office Edition: PHP update to Address Reported Security Vulnerability...
Severity: High
...Related Documents:
> http://seer.support.veritas.com/docs/285985.htm
Last Updated: November 29 2006
...Download Patch...

- http://secunia.com/advisories/23139/


2006-11-30, 23:36

- http://www.adobe.com/support/security/advisories/apsa06-02.html
November 28, 2006
"... Platform: Windows
Summary: Adobe is aware of a recently published report of potential vulnerabilities in Adobe Reader and Acrobat. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Affected software versions: Adobe Reader 7.0.0 through 7.0.8 and Adobe Acrobat Standard and Professional 7.0.0 through 7.0.8 on the Windows platform when using Internet Explorer. Users of other browsers are not affected...
Solution: The Secure Software Engineering team is working with the Adobe Reader Engineering team on an update to Adobe Reader and Acrobat 7.0.8 that will resolve these issues, which is expected to be available in the near future. A security bulletin will be published on http://www.adobe.com/support/security as soon as that update is available. The vulnerability is in an ActiveX control used by Internet Explorer; users of other browsers are not affected. The following workaround will prevent these vulnerabilities from occurring in Adobe Reader 7.0.X on Windows using Internet Explorer:
1. Exit Internet Explorer and Adobe Reader.
2. Browse to <volume>:\Program Files\Adobe\Acrobat 7.0\ActiveX.
Note: If you did not install Acrobat to the default location, browse to the location of your Acrobat 7.0 folder.
3. Select AcroPDF.dll and delete it.
NOTE: This workaround will prevent PDF documents from opening within an Internet Explorer window. After applying this workaround, clicking on PDF files within Internet Explorer will either open in a separate instance of Adobe Reader or the user will be prompted to download the file, which can then be opened in Adobe Reader. This workaround may disrupt some enterprise workflows and use of PDF forms..."

> http://secunia.com/advisories/23138/

- http://www.adobe.com/support/security/bulletins/apsb06-20.html
December 5, 2006
Critical vulnerabilities have been identified in Adobe Reader and Acrobat 7.0 through 7.0.8 that could — although Adobe is not aware of any specific code exploits at this time — allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious file must be by the end user for an attacker to exploit these vulnerabilities. It is recommended that users update to Adobe Reader 8 or apply the workaround provided below.
> Affected software versions
Adobe Reader 7.0 through 7.0.8 and Adobe Acrobat Standard and Professional 7.0 through 7.0.8 on the Windows platform when using Internet Explorer. Users of other browsers are not affected.
> Solution:
Adobe Reader 7.0 through 7.0.8 users should upgrade to Reader 8:
http://www.adobe.com/products/acrobat/readstep2.html .
Adobe Reader 7.0 through 7.0.8 users who cannot upgrade to Reader 8, as well as Adobe Acrobat 7.0 through 7.0.8 users, should follow the directions below to update their installations:
1. Exit Internet Explorer, Adobe Reader, and Adobe Acrobat, if necessary.
2. Browse to <volume>:\Program Files\Adobe\Acrobat 7.0\ActiveX.
Note: If you did not install Acrobat to the default location, browse to the location of your Acrobat 7.0 folder.
3. Select AcroPDF.dll and delete it.
4. Download the AcroPDF.dll file provided here*.
5. Copy the new AcroPDF.dll file in to the ActiveX directory..."

* http://www.adobe.com/support/security/bulletins/acropdf.dll


2006-12-02, 05:13

- http://isc.sans.org/diary.php?storyid=1903
Last Updated: 2006-12-01 21:31:39 UTC by Johannes Ullrich (Version: 1)
"...Site called "404dnserror/dot/com" (DO NOT VISIT)... User was infected with some spyware/adware. It kept redirecting them to the '404dnserror' page. The page looks like a generic server error, but also advertises an anti-spyware tool (System Doctor*) in the form of an ActiveX like installer toolbar at the top of the page. To save you the risk of exposing yourself to the site, I included a screen shot... It's probably safe to block/monitor access to this domain."

(Screenshot available at the URL above.)

* Ref.: http://www.safer-networking.org/en/updatehistory/index.html
Updates - 10. November 2006
"...Malware ...+ Systemdoctor..."


2006-12-02, 13:32

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=708
December 01, 2006
"Websense® Security Labs™ has confirmed the existence of a worm spreading on the MySpace network. This worm is exploiting the Javascript support within Apple's embedded QuickTime player (1). This is used in conjunction with a MySpace vulnerability that was announced two weeks ago on the Full-Disclosure mailing list (2). The vulnerabilities are being used to replace the legitimate links on the user's MySpace profile with links to a phishing site.
Once a user's MySpace profile is infected (by viewing a malicious embedded QuickTime video), that profile is modified in two ways. The links in the user's page are replaced with links to a phishing site, and a copy of the malicious QuickTime video is embedded into the user's site. Any other users who visit this newly-infected profile may have their own profile infected as well.
An infected profile can be identified by the presence of an empty QuickTime video or modified links in the MySpace header section, or both.
1. http://www.gnucitizen.org/blog/backdooring-quicktime-movies/
2. http://seclists.org/fulldisclosure/2006/Nov/0275.html
3. http://www.apple.com/quicktime/tutorials/hreftracks.html ..."

(Site screenshot available at the Websense URL above.)

- http://www.f-secure.com/weblog/archives/archive-122006.html#00001038
December 2, 2006
"...Infected MySpace pages are easy to find. They've had their standard MySpace header replaced with a new one... The links here do not point to MySpace like they should. Instead they point to four different sites, hosting MySpace look-alike pages... When you visit an infected page with IE, an embedded MOV movie file (piAF2iuswo.mov) will be downloaded. The MOV file contains a Javascript snippet that will download a Javascript file (js.js) which will modify YOUR MySpace profile (if you have one). After that, everybody who visits your MySpace profile gets hit too.
The final target seems to be to steal MySpace logins in mass quantities. The infected files are hosted on several different sites..."

(Screenshots available at the URL above.)

Also see:
> http://www.f-secure.com/v-descs/js_quickspace_a.shtml

> http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-120313-2523-99&tabid=2


2006-12-06, 06:41

- http://www.adobe.com/support/security/bulletins/apsb06-19.html
December 5, 2006
A critical vulnerability has been identified in Adobe Download Manager 2.1 and earlier versions that could allow an attacker who successfully exploits this vulnerability to take control of the affected system. It is recommended that users uninstall Adobe Download Manager 2.1 and earlier using the instructions provided*...
Affected software versions: Adobe Download Manager 2.1 and earlier...
Severity rating: Adobe categorizes this as a critical issue and recommends affected users uninstall any affected software..."
* http://www.adobe.com/support/security/bulletins/apsb06-19.html#instructions


2006-12-12, 03:27

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=714
December 11, 2006
"Websense® Security Labs™ has received reports of a new form of cyber-extortion. Unlike previously documented cases (where end-users were infected with malicious code, certain file types were encoded or encrypted, and a ransom message was left on the machine), this attack compromises users' online web mail accounts. When end-users logged into their web mail accounts (in this case Hotmail), they noticed that all their 'sent' and 'received' emails were deleted along with all their online contacts. The only message that remained was one from the attacker that requested they contact them for payment in order to receive the data back. In this case, the end-users had recently visited an Internet cafe where their credentials may have been compromised..."

(Screenshots available at the URL above.)

Previous Cyber Extortion (AKA Ransomware) alerts:

:spider: :mad:

2006-12-15, 14:22

- http://secunia.com/advisories/23401/
Release Date: 2006-12-15
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Yahoo! Messenger 5.x, 6.x, 7.x, 8.x
...The vulnerability is reported in versions obtained prior to Nov 2, 2006.
Solution: Update to the latest version.
http://messenger.yahoo.com/ ...
Original Advisory: http://messenger.yahoo.com/security_update.php?id=120806
"...If you choose not to update and you have not updated via this page or Chat, the vulnerability will still exist."


2006-12-19, 15:38

- http://isc.sans.org/diary.php?storyid=1952
Last Updated: 2006-12-18 23:54:28 UTC

> http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-121910-5339-99
Updated: December 19, 2006 10:20:42 AM GMT
W32.Chatosky - Risk Level 1: Very Low

> http://www.symantec.com/enterprise/security_response/weblog/2006/12/worm_targets_skype.html
December 18, 2006 09:52 PM

> http://www.websense.com/securitylabs/blog/blog.php?BlogID=101
Dec 18 2006 3:08PM

NOTE: http://en.wikipedia.org/wiki/Skype
"Skype is a proprietary peer-to-peer Voice over IP (VoIP) network founded by the entrepreneurs Niklas Zennström and Janus Friis, also founders of the file sharing application Kazaa..."

Malicious Code: Skype Trojan Horse
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=716
December 19, 2006
"...After investigation we have discovered that this is -not- a self propagating worm and is actually a Trojan Horse. After discussions with the very helpful Skype security team, the behavior of this Trojan using the Skype API is as per the specifications of the API. The end-user who is running Skype does get notified that a program is attempting to access it and must acknowledge it.
*there is -no- vulnerability in Skype at this time that has been uncovered*
For more details on the Skype API see
https://developer.skype.com/Docs/ApiDoc/Overview_of_the_Skype_API ."

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=196700896
Dec 19, 2006 01:43 PM
"..."The code isn't a worm," says Dan Hubbard (Websense)... "A user with Skype will get a message to download a program from a URL included in a chat message," says Hubbard. "If they click on that, a program runs in the background, then injects itself into the Explorer process. It looks like the Trojan is designed to grab forms and passwords from the browser"... The servers the attacker used to download malicious code to infected computers are now down, Hubbard confirmed..."

:fear: :spider:

2006-12-20, 02:52

- http://www.mozilla.org/security/#Security_Alerts
December 19, 2006
"Security updates have been issued for Firefox and Thunderbird that fix critical security vulnerabilities. All users should install these updates as soon as possible.
Firefox - http://www.mozilla.com/firefox/
Firefox - http://www.mozilla.com/en-US/firefox/all-older.html
Thunderbird - http://www.mozilla.com/thunderbird/
Users should get an automatic update notification; users who have turned off update notification can use the "Check for Updates..." item on the Help menu..."

Fixed in Firefox &
> http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox

Fixed in Thunderbird
> http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird