Easily can happen when a visitor to ANY site enters the "names and e-mail addresses of...friends...". If you really want them to visit the site, just send them the URL yourself in an e-mail:

- http://www.techweb.com/article/printableArticle.jhtml?articleID=183702655&site_section=700028
March 24, 2006
"The Federal Trade Commission on Thursday nailed a spammer with a record-setting $900,000 fine for violating the CAN-SPAM Act. According to a complaint filed by the FTC, JumpStart Technologies of San Francisco, Calif. has spammed consumers since 2002, sending millions of messages disguised as personal e-mails in an attempt to hype its FreeFlixTix Web site. JumpStart, charged the FTC, collected e-mail addresses by offering free movie tickets to consumers in exchange for ratting out the names and e-mail addresses of five or more friends...
The spam scam also misled consumers who took the bait and went to FreeFlixTix, with some of the "free" ticket offers requiring credit card registration that in many cases resulted in charges made to the account. JumpStart's FreeFlixTix site is now offline..."

:(

FYI...

- http://antiphishing.org/crimeware.html
"The Phishing and Crimeware map displays the most recent data collected by Websense Security Labs (WS Labs) and provides a historical look into where Phishing and Crimeware related websites are hosted on the Internet. Upon discovery, each site is looked up via its IP Address to track the country of origin through the appropriate IP registrars and plotted on the map. The data is updated approximately 15 minutes after discovery."


:eek:

FYI...

- http://isc.sans.org/diary.html?storyid=2612
Last Updated: 2007-04-12 20:54:39 UTC ...(Version: 10) ~ "...The Subject of the email (that we have seen so far) say:
"Worm Alert!"
"Worm Detected"
"Virus Alert"
"ATTN!"
"Trojan Detected!"
"Worm Activity Detected!"
"Spyware Detected!"
"Dream of You"
"Virus Activity Detected!"
It has two attachments, one being an image with 'panic-worded text', and the other is a password protected zip file, whose password is revealed in the image. The zip file appears to be named:
"patch-<random 4 or 5 digit number>.zip"
"bugfix-<random 4 or 5 digit number>.zip"
"hotfix-<random 4 or 5 digit number>.zip"
"removal-<random 4 or 5 digit number>.zip" ..."

- http://www.pcworld.com/printable/article/id,130686/printable.html
April 12, 2007 03:00 PM PDT ~ "...Postini*, an e-mail security company, says that over the last 24 hours it has seen about 55 million virus e-mails, about 60 times the daily average. The first e-mails had romance-themed subjects: "A kiss so gentle," or "I dream of you," for instance. The latest batch attempts to fool readers--with subjects like "Worm Alert!" or "Virus Alert!"--into thinking they are already infected and need to apply a supplied patch--an attached virus... Cloudmark, another e-mail security company, says it sees similar outbreak numbers. Today's flood is ten times as large as one this past Sunday, which also involved the virulent Storm Worm..."
* http://www.postini.com/stats/index.php

> http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199000691
--------------------------------------

> http://www.f-secure.com/weblog/archives/archive-042007.html#00001167
Friday, April 13, 2007 - Posted @ 02:19 GMT
--------------------------------------

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199000950
April 13, 2007 ~ "...The Internet Storm Center reported detecting at least 20,000 infections, while the Security Response Team at Symantec said they received several hundred thousand reports of the malicious e-mail making the rounds. That all changed on Friday morning when the attack went quiet... Encrypting the malicious code makes it much more difficult for anti-virus programs to catch it, and if they can't catch it, they can't stop it. If a user opens the file, his machine is infected with the malware and it then connects to a peer-to-peer network where it can upload data, including personal information from the infected computer. It also can download additional malware onto the infected system. The fact that infected computers connect through a peer-to-peer system and not to a standalone server or even a node makes it extremely hard to shut down... Paul Henry, VP of technology evangelism with Secure Computing, said in an interview that this latest Storm attack was aimed at building out the hackers' botnet. "The whole end game is building a bigger, better botnet," he said..."

(Arrgghh!)

FYI...

- http://www.f-secure.com/weblog/archives/archive-042007.html#00001172
April 19, 2007 ~ "It's been awhile since the last attack of the Warezov gang. But it seems now they're back in action... e-mail of the new Warezov... being spammed... The zip file attachment contains an executable file that uses a text file icon as a decoy (Update-KB4765-x86.exe)... This executable file is a downloader for its other components. The link is encrypted with a simple XOR. For system administrators, you may want block network traffic from the following malicious link: linktunhdesa .com /h[REMOVED]2.exe ..."

(Screenshots available at the F-secure URL above.)


:fear:

FYI...

- http://blog.washingtonpost.com/securityfix/2007/04/virus_writers_taint_google_ad.html
April 25, 2007 ~ "Virus writers have been gaming Google's "sponsored links" -- the paid ads shown alongside search engine results*. They are aiming to get their malicious software installed on computers whose users click onto ad links after searching for legitimate sites such as BBBonline.org, the official Web site of the Better Business Bureau. Sponsored links allow customers to buy advertisements attached to a particular search term. When a Google user enters a term into the firm's search engine, the ad belonging to the advertiser that bid the highest price for that search term appears at the top of the list of search results. According to a report at Exploit Prevention Labs**, while the top sponsored links that showed up earlier this week when users searched for "BBB," "BBBonline" or "Cars.com" appeared to direct visitors to those sites, they initially would route people who clicked on the ads through an intermediate site. The intermediate site attempted to exploit a vulnerability in Microsoft Windows to silently install software designed to steal passwords and other sensitive information from infected PCs. The attackers exploited a flaw in Microsoft's Internet Explorer Web browser, a problem that the company issued a patch to fix..."
>>> * http://blog.washingtonpost.com/securityfix/gnh.html

** http://explabs.blogspot.com/2007/04/google-sponsored-links-not-safe.html

- http://weblog.infoworld.com/zeroday/archives/2007/04/google_adwords.html
April 25, 2007 ~ "...A closer inspection by Exploit Prevention Labs researchers revealed that the attacks were actually coming from a site called smarttrack.org, a Russian Web site that serves up a variety of Web exploits..."

:fear: :mad:

FYI...

- http://www.f-secure.com/weblog/archives/archive-052007.html#00001190
May 11, 2007 ~ "...Mobile spyware and spying tools have been active lately. This week, we have received samples of two new mobile spying tools – running on new platforms. There is now spyware for both Windows Mobile and Symbian S60 3rd Edition devices... Spyware is being developed by commercial companies that have a lot more resources, skills, and motivation to get their creations to work. Both new spying tools are rather similar in their capabilities. After being installed on the device, they hide from the user and report information from the phone to a central server. From there, it can be accessed through a web page interface. An interesting fact is that the spyware for the Symbian 3rd Edition platform is Symbian signed. Therefore it can be installed without any warnings and is capable of operating without Symbian security alerting the user that something is going on... The fact that the spy tool authors could get their software certified indicates a potential issue when using digital signatures and certificates as the only security measure. On one hand the software is technically exactly what it claims to be, an application that backs up user data to a server. One the other hand, when the software is installed onto the device without the primary user's knowledge and permission, it can be used as a spying tool that compromises the said user's personal privacy. Thus if suspect applications cannot break security components, they can then play with the process of certification..."

(Screenshots and more detail at the URL above.)


:fear:

FYI...

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=782
June 18, 2007 ~ "Websense® Security Labs™ has received reports of a large scale attack in Europe that is using the MPACK* web exploit toolkit... At the time of this alert our ThreatSeeker technology has discovered more than *10,000* sites that have been compromised and have IFRAMES pointing to the hub infection site. Assuming users connect to one of the compromised sites and are vulnerable to one of several loaded exploits a Trojan Horse is downloaded onto their machine which is designed to steal banking, and potentially other confidential information through a (series) of web infection downloads. The main site has a statistics page and it has shown very large numbers of users connecting to the infected sites and high levels of users who have been compromised... The top regions are Italy, Spain, and the United States..."

(Graphics and sample statistics available at the URL above.)

* http://blogs.pandasoftware.com/blogs/pandalabs/archive/2007/05/11/MPack-uncovered_2100_.aspx
------------------------------------------------

- http://blog.trendmicro.com/another-malware-pulls-an-italian-job/
June 18, 2007 ~ "Remember LINKOPTIM, which exploited a number of legitimate Italian Web sites to spread malicious JavaScripts? Since early Saturday morning (June 16, 2007), Trend Micro has been receiving several reports of a new batch of hacked Italian Web sites that trigger a series of malware downloads once a user visits them. These infection series begin with a malicious IFRAME tag. Trend Micro detects Web pages hosting the said malicious tag as HTML_IFRAME.CU. All the compromised sites are hosted in Italy...Most of the legitimate Web sites that were compromised by the malware authors are related to tourism, automotive industry, movies and music, tax and employment services, some Italian city councils, and hotels sites. Apparently, most of these sites are hosted on one of the largest Web hoster/provider in Italy..."

(Sample screenshot of a compromised Web site at the URL above.)

:fear::fear:

More...

- http://www.theregister.com/2007/06/18/hijacked_sites_install_malware/
18 June 2007 ~ "More than 10,000 websites have been infected by a sophisticated and fast-acting Trojan downloader that attempts to install malware on visiting PCs. At least one security firm, Trend Micro, is working with the FBI to contain the damage and track down the perpetrators. The attack is noteworthy for the number of sites it has managed to infect in a relatively short period of time. Between Friday and Sunday night, the number jumped from 1,100 to about 2,500. By Monday afternoon, California time, there were more than 10,000 infected sites, according to Paul Ferguson, a network architect for Trend Micro... The hacked websites cover the gamut, from a site connected to the rock musician Bon Jovi to one that tries to raise money for charity work of the late Mother Teresa. Most of the compromised sites are mom-and-pop run affairs and are concerned with travel or entertainment.

An iframe buried underneath the hacked sites redirects users to a server that's hosted at a San Francisco-area co-location site that's been used previously by cyber criminals, Ferguson says. That site redirects to yet another server hosted in Chicago. The San Francisco server is registered to a front-company based in Hong Kong.

Ferguson said researchers and authorities are trying to contain the attacks by getting the San Francisco and Chicago sites shut down. MPack is a powerful kit that bundles together many different malware tools. Among other things, it logs detailed information about the machines it attacks, including the IP addresses of machines it has infected and what exploits a particular user is vulnerable to. It is similar to another malkit called WebAttacker. The attack resembles one from February which targeted certain Miami Dolphins Web sites on the same day the National Football League team hosted the Super Bowl. The legions of fans who visited the site were redirected to third party sites that attempted to install malware on their machines. Such attacks are increasing, largely thanks to the growing use of powerful javascript that vastly improves the functionality of websites. Unfortunately, programmers haven't paid close enough attention to how these scripts can be abused..."
-----------------------------------------

- http://www.computerworld.com.au/index.php/id;1851322309;fp;16;fpid;1;pf;1
19/06/2007 ~ "..."The usual advice we give, 'avoid the bad neighborhoods of the Web,' just doesn't hold water anymore" when legitimate sites have been hacked and are serving up exploits left and right, Ferguson said. "Everywhere could be a bad neighborhood now."

...

Notes: As always, follow "Best practice...": Keep systems updated with all current MS patches and update/check 3rd party applications [Test here: http://secunia.com/software_inspector/ ].

Hacks -will- take advantage when users don't.


:spider:

FYI...

- http://isc.sans.org/diary.html?storyid=3015
Last Updated: 2007-06-20 21:42:28 UTC ~ "...Earlier today VeriSign/iDefense released some pretty good analysis of how it works, what the value of it is, and other goodies. This summary does not exist online but has been spread via email to the media and other outlets. Rather than trying to summarize it, iDefense gave the Internet Storm Center permission to reprint it in its entirety...
'...More than 10,000 referral domains exist in a recent MPack attack, largely successful MPack attack in Italy, compromising at least 80,000 unique IP addresses. It is likely that cPanel exploitation took place on host provider leading to injected iFrames on domains hosted on the server. When a legitimate page with a hostile iFrame is loaded the tool silently redirects the victim in an iFrame to an exploit page crafted by MPack. This exploit page, in a very controlled manner, executes exploits until exploitation is successful, and then installs malicious code of the attacker's choice...
...MPack leverages multiple exploits, in a very controlled manner, to compromise vulnerable computers. Exploits range from the recent animated cursor (ANI) to QuickTime exploitation. The latest version of mPack, .90, includes the following exploits:
MS06-014
MS06-006
MS06-044
MS06-071
MS06-057
WinZip ActiveX overflow
QuickTime overflow
MS07-017...' "

(Complete analysis at the URL above.)

.

FYI...

- http://isc.sans.org/diary.html?storyid=3054
Last Updated: 2007-06-26 22:46:51 UTC ...(Version: 3)
"Several of our readers reported an email that lead to a fake Microsoft patch being spammed on the net today. The email had their full names and in one case the company they worked for included in the body of the email. So far I have seen 4 different urls. We are working on getting the systems hosting the malware cleaned or shutdown. We have submitted the malware itself to most of the AV vendors so detection should improve but currently it is not detected... You can see in the body of the email... that the spelling is bad and the license key is not in the right format for XP nor Outlook. Microsoft pointed us to a couple of web pages they maintain that should help you recognize fraudulent email...

> http://www.microsoft.com/protect/yourself/phishing/msemail.mspx

> http://www.microsoft.com/canada/athome/security/email/ms_genuine_mail.mspx

=====================================
From Norman Sandbox:
MSOUTRC2007Update-KB863892.exe : INFECTED with W32/Malware (Signature: NO_VIRUS)
[ DetectionInfo ]
* Sandbox name: W32/Malware
* Signature name: NO_VIRUS
[ General information ]
* Drops files in %WINSYS% folder.
* File length: 20480 bytes.
* MD5 hash: c7a8bde380043b5d8d7229e82db1c2fc.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\sdoctor.exe.
* Creates file C:\france.html.
* Deletes file c:\france.html.
[ Changes to registry ]
* Creates value "SpywareDoctor"="C:\WINDOWS\SYSTEM32\sdoctor.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Attemps to NULL C:\COMMAND.COM /c del c:\sample.exe >> NUL.
* Modifies other process memory.
* Creates a remote thread.
[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\sdoctor.exe (20480 bytes) : no signature detection...

We notified one of the support teams at a hosting provider that a virus was found on one of there customers systems. Their auto responder responded within a minute. A support person removed the malware and responded within 30 minutes. When I tried to verify that I found the malware was still there or back. When I notified the hosting provider that the malware was back the support person analysised logs, determined it was being uploaded via ftp and immediately disabled the ftp account involved."


:fear::buried:

FYI...

- http://isc.sans.org/diary.html?storyid=3063
Last Updated: 2007-06-28 23:33:56 UTC ~ "...There is a new round of emails with malicious links that is making its way to the inbox of many folks. If you haven't gotten one yet, just give it time. Here is quick summary of what we have found. The subject line that we have gotten examples of have all been identical. You may have gotten something else.

"Subject: You've received a postcard from a family member!" ...

The ecard numbers in the URL above are variable across SPAM samples.
There are 3 exploits available and they are tried in order.

The first one is for QuickTime.
If that fails a Winzip exploit is attempted
If that fails, the "hail mary" is the WebViewFolderIcon exploit...

Here are a few more of the malware hosting servers they've relied on in recent months in addition to the HopOne and Softlayer host above:
27645 | 205.209.179.15 | 205.209.128.0/18 | US | arin | ASN-NA-MSG-01 - Managed Solutions Group, Inc
27595 | 216.255.189.214 | 216.255.176.0/20 | US | arin | INTERCAGE - InterCage, Inc
14361 | 66.148.74.7 | 66.148.64.0/19 | US | arin | HOPONE-DCA - HopOne Internet Corporation
36351 | 75.126.21.162 | 75.126.0.0/17 | US | arin | SOFTLAYER - SoftLayer Technologies Inc
36351 | 75.126.226.224 | 75.126.0.0/16 | US | arin | SOFTLAYER - SoftLayer Technologies Inc..."

- http://preview.tinyurl.com/2g58ud
June 28, 2007 (Computerworld) - "..."This is widespread, and leads the user to multiple IP addresses," said Shimon Gruper, vice president at Aladdin Knowledge Systems Inc., a security company known for its eSafe antivirus software. "There's not a single server, there are multiple exploits, [and the e-mail] has no attachments. This will be very difficult to detect." Two days ago, a Symantec honeypot captured a similar Web site-hosted attack that had an arsenal of exploits at its disposal. That attack, however, featured an unusual, if rudimentary, browser detector that sniffed out whether the target computer is running Microsoft's Internet Explorer (IE) or Mozilla Corp.'s Firefox. If the attack detects IE, it feeds the machine a Windows animated cursor exploit. If it finds Firefox, however, the sites spit out a QuickTime exploit."

- http://www.us-cert.gov/current/#new_storm_worm_variant_spreads
June 29, 2007

--------------------------------------

- http://asert.arbornetworks.com/2007/06/you-got-postcard-malware/
June 29, 2007 ~ "...Pretend you actually clicked the link. What would happen? You’d possibly get your machine recruited into the Peacomm spam botnet. This handy diagram* shows you what happens once you hit the website. There’s some obfuscated JavaScript on the page which builds a link to /123.htm, a malicious ANI file (MS07-017), and other exploits - QuickTime, WinZIP, and WebViewFolderIcon - all to cajole your computer into downloading files and launching them. There’s also a link to “/ecard.exe”, a downloader... If you actually get hit, your box will ping the web server (/aff/cntr.php) start to download the Peacomm components, like /aff/dir/sony.exe , /aff/dir/logi.exe, and /aff/dir/pdp.exe..."

(*Diagram shown at the URL above.)

:fear:

FYI...

- http://isc.sans.org/diary.html?storyid=3186
Last Updated: 2007-07-24 22:15:22 UTC - "We have received several reports today from people that are getting flooded with SPIM on their IM accounts. These messages are providing a link to various web sites. These sites all seem to point to one site www dot messenger-tips dot com. This site purports to check your IM friends/contacts and report back to you which of them have blocked you. All you have to do is give them your login and password information. You also have to agree to their terms and conditions. Ok so we read their Terms and Conditions page and what do we find, first
They will NOT be responsible for any misuse of the information you provide. They also have no liability for content, views, advice or guidance because they provide a service that is for entertainment purposes only. (Huh? what entertainment). You provide them with the id and password, of course they won't store the information with anyone without your consent. (And if you believe that I have a bridge I will sell you.) Now here is the real catch-22. By agreeing to the terms and conditions you agree to allow them to SPIM all of your friends and contacts. Wonderful.
I am not sure if this program installs any malware or sets up any hole in your computer for them to crawl through... Bottom line folks, DO NOT CLICK ON LINKS."

("Spam Over Internet Messaging" - Unsolicited commercial messages sent via an instant messaging system.)

.

FYI...

- http://www.networkworld.com/news/2007/072707-akonix-im-attacks-up.html
July 27, 2007 - "Malicious code attacks over instant messaging networks are up almost 80% over last year, according to a new study from vendor Akonix*. In July, the company, which develops IM hygiene and compliance appliances and services, said it uncovered 20 malicious code attacks over IM in July. The total number of threats for 2007 so far is 226, the company said. That number is a 78% increase over the last year. The company also said attacks on peer-to-peer networks, such as Kazaa and eDonkey, increased 357% in July 2007 over July 2006, with 32 attacks. That report comes on the heels of a report by peer-to-peer network monitoring vendor Tiversa**, which found contractors and U.S. government employees are sharing hundreds of secret documents on peer-to-peer networks. In many cases, those users were overriding the default security settings on their peer-to-peer software to do so, according to Tiversa...."

* http://www.akonix.com/press/releases-details.asp?id=138

** http://preview.tinyurl.com/2ut2of
(Computerworld)

:mad::fear::spider:

FYI...

- http://isc.sans.org/diary.html?storyid=3200
Last Updated: 2007-07-30 19:07:36 UTC - "A reader alerted us to a bunch of malware that he had found after starting to unravel a pile of interlinked exploit pages. The exploit pages are spammed with "adult movie" kinda themes into search engines, etc, and thus most likely find enough "volunteers" who click on the links. Domains involved are clipsforadults-dot-com and several of 9u???-free-movies-dot-cn, with the ??? standing for several letter combinations like eyd,gfo,fdo, etc. Someone's been busy registering throw-away domains. The one bit that was of interest to us is ... that at the very end of this pile, the links try to download a "codec" off the site installobject-dot-com. The link used contains a 4-digit number, and each number, over a wide range, seems to return a slightly different binary. Installobject-dot-Com resolves to 85.255.113.235, a known bad address range for years - see http://isc.sans.org/diary.html?storyid=1873
AV detection is still thin, we are trying to help it along some. The files are of the W32/Zlob family, Kaspersky calls it Trojan-Downloader.Win32.Zlob.bxt, Trend Micro has it as TROJ_ZLOB.DND, and McAfee has protection coming up as Puper.DR. Adult sites from China, nasty trojans from Ukraine..."

> http://preview.tinyurl.com/yqj5pq
July 30, 2007 - (Infoworld) - "...Last week, a new ransomware Trojan appeared on the radar of security researchers, and was quickly identified as a modified version of the GpCode nasty that first hit the Internet as long ago as Spring 2005, and was tracked to a Russian site. As with its predecessors, the new Trojan, also named "Glamour," sets out to encrypt data files on any PC it infects, demanding a ransom of $300 in return for a key to unlock files. Now an analysis from security research outfit Secure Science Corporation (SSC) has plotted the large number of similarities between the new GpCode and another version that appeared in 2006. Of the 168 functions identified in the code of the new variant, 63 were identical to the older 2006 version... "In the 8 months since November, we've recovered stolen data from 51 unique drop sites [...]. The 14.5 million records found within these files came from over 152,000 unique victims," says the report..."
- http://www.securescience.com/home/newsandevents/news/decoder.html
Jul 19, 2007

:fear:

FYI...

> http://www.us-cert.gov/current/#cisco_releases_security_advisories_for1
August 8, 2007 - " Cisco has issued four Security Advisories to address several vulnerabilities in their Internetwork Operating System (IOS) and Unified Communications Manager. These vulnerabilities may allow an attacker to overwrite or retrieve arbitrary files, cause a denial-of-service condition, or execute arbitrary code on an affected system..."

(Cisco links available at the URL above.)

- http://www.us-cert.gov/current/#cisco_releases_security_advisories_for1
updated August 9, 2007
"...US-CERT is aware of publicly available exploit code for one of these vulnerabilities..."

.

FYI...

- http://www.guardian.co.uk/technology/2007/sep/21/hacking.ebay
September 21 2007 - "Kits that claim to help people hack into computers have been discovered for sale on the auction website eBay. Security experts found a selection of CDs, DVDs and programs for sale on eBay that promise to help buyers learn how to break into computers over the net. One CD - claiming to be on sale "for educational use only" - promises details of how to access other people's computers and contains a selection of programs commonly used for hacking. It is available through the site for £5.99. Many of the programs form the basic building blocks for computer crime, allowing even inexperienced hackers to find ways to get inside their victims' computers, or of masking their identities..."


:fear::mad:

FYI...

* http://www.adobe.com/support/security/advisories/apsa07-04.html
October 5, 2007 - "...Vulnerability identifier: APSA07-04...
Platform: Windows XP (Vista users are not affected) with Internet Explorer 7 installed
Affected Software Versions:
Adobe Reader 8.1 and earlier versions
Adobe Acrobat Standard, Professional and Elements 8.1 and earlier versions
Adobe Acrobat 3D
Summary:
Adobe is aware of a recently published report of a critical security vulnerability in Adobe Reader and Acrobat.
Solution:
To protect Windows XP systems with Internet Explorer 7 installed from this vulnerability, administrators can disable the mailto: option in Acrobat, Acrobat 3D 8 and Adobe Reader by modifying the application options in the Windows registry*... the Secure Software Engineering team is working with the Adobe Reader Engineering team on an update to versions 8.1 of Adobe Reader and Acrobat that will resolve this issue. A security bulletin will be published on http://www.adobe.com/support/security as soon as that update is available. We expect the update to be available before the end of October. In the meantime, Adobe recommends that Acrobat and Reader customers use caution when receiving unsolicited e-mail communications requesting user action, such as opening attachments or clicking Web links..."

> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5020

:fear:

FYI...

- http://www.theinquirer.net/gb/inquirer/news/2007/10/10/linux-kernel
10 October 2007 - "...There will probably be a few more patches as this new kernel sees use in a wider variety of systems - including yours, should you choose to play with it but it should be fairly stable within a couple of months, at which time you'll begin to see the major Linux distributions start releasing systems based upon it."

Release notes:
- http://kernelnewbies.org/Linux_2_6_23
9 October 2007

:spider:

FYI...

- http://secunia.com/advisories/27223/
Release Date: 2007-10-12
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
...The vulnerabilities are reported in version 5.35. Other versions may also be affected.
Software: Winamp 5.x
Solution: Update to version 5.5.
http://www.winamp.com/player ...

> http://www.winamp.com/player/version-history

:fear:

FYI...

- http://secunia.com/advisories/26619/
Release Date: 2007-10-16
Critical: Moderately critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: IrfanView 3.x, IrfanView 4.x
...The vulnerability is confirmed in version 4.00. Other versions may also be affected.
Solution: Update to version 4.10.
http://www.irfanview.com/main_download_engl.htm

.

FYI...

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=809
October 17, 2007 - "Websense® Security Labs™ has discovered a new Trojan Horse being distributed via spam email in Latin America. The email message is written in Spanish, and includes the subject line: "Espero que te guste"
The email acts as a lure, attempting to get users to click a link and download a greeting card. There are several versions of the spam message, but the main difference is the location where the malicious code is stored. In all versions discovered to date, the file name is always "mexico.exe", and the MD5 is "ce073c460ec25d7e40efe3f717f75c38". In all samples, the file has been stored on compromised websites. If users click on the link and run the code, a browser window to Univision.com opens as a means of hiding what is happening in the background. The malicious code also connects to one or more additional websites to download an additional binary file, "file56.gif". This file is actually a Windows executable. The "file56.gif" binary can come from any of five different compromised sites. The file is downloaded to the Windows system32 directory and given the name "html.txt". The "html.txt" file is then renamed "html.exe" and run. The payload of the code is written in Delphi and packed with RLpack. It disables Task Manager, deletes the host file, and changes some startup options and Start menu options. It also includes an information stealing component..."

(Screenshot available at the URL above.)

.

FYI...

- http://preview.tinyurl.com/36awux
October 19, 2007 (Computerworld) - "Attackers are exploiting a zero-day vulnerability in RealPlayer in order to infect Windows machines running Internet Explorer, Symantec Corp. said late Thursday. The security company issued an alert that rated the threat with its highest possible score. According to a warning issued to customers of its DeepSight threat network, Symantec said an ActiveX control installed by RealNetworks Inc.'s RealPlayer program is flawed. When combined with Microsoft Corp.'s Internet Explorer (IE) browser -- which relies on ActiveX controls to extend its functionality -- the bug can be exploited, and malicious code downloaded to any PC that wanders to a specially-crafted site. Only systems on which both RealPlayer and IE have been installed are vulnerable. Symantec ranked the attack as a "10" on its urgency scale because it has confirmed that attacks are being conducted in the wild; those attacks have resulted in malicious code downloaded to victimized PCs. The only bright spot: "We are not currently aware of widespread exploitation of this issue," the company's warning read... Symantec also referenced a blog* that had posted some information about the RealPlayer vulnerability Wednesday morning..."

* http://www.infosecblog.org/2007/10/nasa-bans-ie.html
October 18, 2007 - "I heard that NASA is telling employees and contractors not to use IE due to malware affecting Internet Explorer and Real Player..."

:fear:

Real Has issued a patch--
http://service.real.com/realplayer/security/191007_player/en/

FYI...

- http://isc.sans.org/diary.html?storyid=3531
Last Updated: 2007-10-22 20:58:04 UTC

" http://www.adobe.com/support/security/bulletins/apsb07-18.html
...Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat
Release date: October 22, 2007
Vulnerability identifier: APSB07-18
CVE number: CVE-2007-5020
Platform: Windows XP (Vista users are not affected) with Internet Explorer 7 installed
> Affected software versions: Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier
> Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier"

The acrobat patch is available here http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

The reader patch is available here http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows ..."

.

FYI...

- http://secunia.com/advisories/27279/
Release Date: 2007-10-23
Critical: Highly critical
Impact: Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: IBM Lotus Notes 6.x, IBM Lotus Notes 7.x ...
Solution: Update to version 7.0.3 or 8.0.
NOTE: Version 8.0 does not fix the vulnerability in wp6sr.dll.
http://www-306.ibm.com/software/lotus/support/upgradecentral/index.html ...

http://www-1.ibm.com/support/docview.wss?uid=swg21271111
"...Fixed in Lotus Notes 7.0.3 / Proposed for 8.0.1..."

.

FYI...

- http://isc.sans.org/diary.html?storyid=3537
Last Updated: 2007-10-23 20:16:52 UTC - "The vulnerability initially reported here http://isc.sans.org/diary.html?storyid=3406 and confirmed here (with workaround) http://isc.sans.org/diary.html?storyid=3477 and patched here http://isc.sans.org/diary.html?storyid=3531 now appears to have been spotted in the wild. The proof of concept code had been released, and a number of people have reported receiving the PDFs which exploit the vulnerability. Obviously please patch, apply the workarounds, and/or ensure you can detect and block the exploit. File names seen so far are 'BILL.pdf' and 'INVOICE.pdf'."

> http://forums.spybot.info/showpost.php?p=129812&postcount=17

-----------------------------------

PDF Exploit Spam Used to Install Gozi Trojan in New Attack
- http://www.secureworks.com/research/threats/gozipdf/
October 23, 2007 - "...The attachment may instead be represented by an icon used to represent PDF files. These attachments use filenames such as BILL.pdf or INVOICE.pdf, but those filenames, as well as the sender and message content itself, may change. The attached exploit may be detected by some anti-malware vendors as Downloader.PDF, Pidief.A or similar names. The exploit downloads executes a first-stage downloader EXE file from an RBN (Russian Business Network) server via anonymous FTP and executes it. That downloader installs a variant of the Gozi Trojan which steals data as described in the Threat Analysis posted on the SecureWorks website:
* http://www.secureworks.com/research/threats/gozi/
The latest Gozi variant (Gozi.F) installed by this exploit was detected by 26% of 32 of the largest anti-malware vendors at the time of release..."

:fear::fear:

FYI...

- http://www.websense.com/securitylabs/blog/blog.php?BlogID=152
Oct 25 2007 - "...Most of you have heard by now San Diego and some surrounding Los Angeles areas are suffering from devastating fires. Since our head quarters is in San Diego we have certainly been affected by the fires and several employees were evacuated and some have lost homes. One very amazing thing has been the outpouring of support both locally within the communities, state-wide, and internationally. We have received several offers for people to house folks who have had to relocate and several others offers for help.
Unfortunately, as we saw with Katrina and several other emergencies, there are also criminals who attempt to take advantage of the supporters who are willing to help. Please make sure you are dealing with legitimate organizations and, if possible, contact them on your own. Be very careful of people reporting to be agencies such as the Red Cross asking for donations or requesting you to visit their websites. They may be fraudulent or hosting malicious code designed to steal information such as banking details. For example, many suspicious eBay auctions have appeared requesting donations..."

(Screenshot available at the URL above.)

FYI...

RealPlayer/RealOne/HelixPlayer multiple vulns - update available
- http://secunia.com/advisories/27361/
Release Date: 2007-10-26
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Helix Player 1.x, RealOne Player 1.x, RealOne Player 2.x, RealPlayer 10.x, RealPlayer Enterprise 1.x ...
Solution: Update to the latest versions. Please see the vendor's advisory for details.
http://service.real.com/realplayer/security/10252007_player/en/ ..."

:fear:

FYI...

Malicious PDF files being spammed out in volume
- http://www.f-secure.com/weblog/archives/00001303.html
October 26, 2007 - " Malicious PDF file (report.pdf or debt.2007.pdf or overdraft.2007.10.26.pdf or so) has been massively spammed through email during last hour and the spam run is still continuing. The PDF is spiced with CVE-2007-5020 exploit that downloads ms32.exe that downloads more componets. At this point it's not clear yet what is the final payload of the malware, because of missing files in the download chain. We are investigating further... The subjects for the spam messages include:
Your credit report
Your credit points
Your balance report
Personal Financial Statement
Personal Credit Points
Personal Balance Report
Your Credit File
Balance Report
More information in our full description*.
More on the scope of the vulnerability from a ZDNet article**."

* http://www.f-secure.com/v-descs/exploit_w32_adobereader_k.shtml

** http://blogs.zdnet.com/security/?p=614

:fear:

------------------
Adobe rdr patch info: >>> http://forums.spybot.info/showpost.php?p=129812&postcount=17

.

FYI...

Bogus email claims to come from FTC
- http://www.ftc.gov/opa/2007/10/bogus.shtm
October 29, 2007 - "A bogus email is circulating that says it is from the Federal Trade Commission, referencing a “complaint” filed with the FTC against the email’s recipient. The email includes links and an attachment that download a virus. As with any suspicious email, the FTC warns recipients not to click on links within the email and not to open any attachments. The spoof email includes a phony sender’s address, making it appear the email is from “frauddep@ftc.gov” and also spoofs the return-path and reply-to fields to hide the email’s true origin. While the email includes the FTC seal, it has grammatical errors, misspellings, and incorrect syntax. Recipients should forward the email to spam@uce.gov and then delete it. Emails sent to that address are kept in the FTC’s spam database to assist with investigations. Simply opening the email does not appear to cause harm. However, it is likely that anyone who has opened the email’s attachment or clicked on the links has downloaded the virus on their computer, and should run an anti-virus program. The virus appears to install a “key logger” that could potentially grab passwords and account numbers..."

=======================

Malicious Code: World Bank Deception: Trojan Horse
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=812
October 29, 2007 - "Websense® Security Labs™ has discovered a new Trojan horse using real data from the World Bank. As in past targeted attacks, the samples that we have captured appear to be using names and email addresses taken from the contact pages of the legitimate site. In this case, the email body includes the name of a real World Bank employee.

The message reads:

Subject: WorldBank report
Dear Colleagues,
This three-year Country Partnership Strategy (CPS) builds on Bulgaria's considerable achievements over the last eight years .. *snipped for brevity* .. and the surveillance roles played by the International Monetary Fund (IMF) and the EU's Stability and Growth Pact upon Bulgaria's EU accession.
At the following link you'll find our report:
http : // <URL REMOVED> /
Thank you!
Best Regards,
Ivelina Taushanova
Associate Professor of Management Science
<USERNAME REMOVED> @ worldbank . org
http: // WorldBank . org

The link leads to the malicious executable WorldBank_doc_36146.txt.exe, which is displayed with the standard notepad.exe icon. Unless the user has configured Windows to explicitly show the file extension (which most people do not, since it requires changing the default configuration), there is no way to visually tell that this file is actually an executable. When run, the initial executable drops a plain text document with information from a real World Bank document, displayed in IE. Also dropped is a packed Trojan horse (bifrose) whose file name makes it appear to be an MSN Messenger plugin. When this article was created, no anti-virus vendors detected the initial executable as malicious. The initial executable downloaded by the victim does not actually make any outbound connection from the victim's desktop to obtain the two dropped files. Because both dropped files are derived from the initial executable, no suspicious network traffic is generated. The dropped Trojan horse (msnmsgr_plugin.exe) maintains a persistent connection to a host name on the dyndns.org domain..."

(Screenshot available at the URL above.)

=======================================

Malicious Code: Halloween Deception: Info Stealing Trojan
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=813
October 29, 2007 - "Websense® Security Labs™ has discovered a new Trojan Horse information stealer that is being emailed out as a Halloween Greeting Card in Mexico. To date we have seen four unique sites being spammed out all with the same binary file. They were in Korea, Brazil, and Russia, and were all up and running at the time of this alert. The file is called "hallowenDay.exe" and has an MD5 of (65cd5a35bc70075f86cb6404f54d67b8). It is also poorly detected by anti-virus signatures. Assuming users access the site and select to run the file a Trojan Horse is downloaded onto their machine which is designed to steal banking information from users, the file appears to also be packed with a unique custom packer. We expect to see additional email lures and malicious websites on our radar with Halloween night quickly approaching. The email is written in HTML and has a variety of subject lines..."

(Screenshot available at the URL above.)

:fear:

FYI...

- http://www.messagelabs.com/resources/press/6418
October 30, 2007 - "...The new data reveals that spammers have introduced MP3 music files into the expanding toolbox of stock spam techniques, with 15 million emails shaping the first spam run. Use of MP3 files is the latest tactic designed to sneak messages past spam filters and ultimately control the value of stock for nefarious reasons. On October 17, MessageLabs intercepted the first copies of an estimated 15 million email spam run which lasted 36 hours and used StormWorm infected computers to disseminate the emails...

Other report highlights:
Web Security: Analysis shows that 45.9 percent of all web based malware intercepted was new in October. MessageLabs identified approximately 1,100 -new- sites per day which harbored malware, an increase of 63 percent compared to September levels. Gambling sites appeared back in the top ten of policy-based filtering triggers and rouse to fourth place for large enterprises.
Spam: In October, the global ratio of spam in email traffic from new and unknown bad sources, for which the recipient addresses were deemed valid, was 74.5 percent (1 in 1.34 emails), an increase of 1.0 percent on the previous month.
Viruses: This month, the global ratio of email-born viruses in email traffic from new and previously unknown bad sources destined for valid recipients, was 1 in 161.5 emails (0.62 percent) in October, a decrease of 1.43 percent since the previous month. This decline is almost certainly linked with the fall in the number of Storm Worm related emails, particularly active in August and September. This takes the email virus rate to the lowest level since April 2007 when virus traffic accounted for 1 in 145.5 emails.
Phishing: October saw a decrease of 0.57 percent in the proportion of phishing attacks with one in 174.0 emails comprised of some form of phishing attack. Viewed as a proportion of all email-borne threats such as viruses and trojans, the number of phishing emails has risen by 36.8 percent to 92.8 percent of the malware threats intercepted in October, the highest level on record...
The full report is available at http://www.messagelabs.com/intelligence.aspx ..."

:fear:

FYI...

Trick or Treat with Stormy Halloween
- http://www.f-secure.com/weblog/archives/00001304.html
October 30, 2007 - "New tactics from the Storm gang can be seen as they celebrate with Halloween... With an unpatched system, visiting the site will trigger an exploit to automatically download and execute a malicious file. The new filename is halloween.exe. We already detect this as Email-Worm.Win32.Zhelatin.LJ . This may be a Trick, and a bad Treat from the Storm gang so remember to keep your databases updated."

(Screenshot available at the URL above.)

:fear:

FYI...

Apple Releases Fix For iMacs That Freeze Up
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202801705
Nov. 2, 2007 - "Apple has released software updates to fix the problem of the latest iMacs freezing up during normal use. The updates, released Thursday, are recommended for 20-inch and 24-inch models with 2.0 GHz and 2.4 GHz Intel Core 2 Duo processors and with the 2.8 GHz Core 2 Extreme processor. The name of the updates, which are on Apple's Web site, are Software Update 1.3* for Leopard, the latest version of Mac OS X; and Software Update 1.2** for Leopard's predecessor Tiger. Apple acknowledged in early October that it had received complaints about iMacs freezing up suddenly and becoming unusable. Users had to reset the machines to bring them back to life. The iMacs affected by the problem were introduced in August, along with new versions of Apple's iLife and iWork software suites... Apple is advising customers to update their machines either through the company's automatic update mechanism or a download from the Web site... Last month, the company posted a fix on its Web site for a serious flaw that caused its Mac computers to seize up when users attempted to upgrade to Leopard***, officially known as OS X 10.5. Leopard was released Oct. 26..."

* http://www.apple.com/support/downloads/imacsoftwareupdate13leopard.html

** http://www.apple.com/support/downloads/macbookprosoftwareupdate12.html

*** http://docs.info.apple.com/article.html?artnum=306857

.

FYI...

- http://isc.sans.org/diary.html?storyid=3621
Last Updated: 2007-11-06 20:37:50 UTC - "Zack wrote to us yesterday to inform us of a mass defacement involving one of his web sites. After a brief look, we were able to confirm that the following script tag (obfuscated) had been injected in over 40,000 pages across the internet:

script src="hXXp://yl 18.net/0.js"

This script generates a page containing several hidden iframe components. These link to other pages that contain browser specific exploit code, such as the common ADODB exploit. This code downloads, without prompting, a small number of executable droppers, and executes them on vulnerable systems. Upon review, most of the binaries downloaded appeared to be password stealers for online games, but not all have been reviewed yet. Anti virus coverage differed greatly between several binaries...
This type of widespread attack can incur a serious toll and requires follow up. At the ISC, we not only try to assess how to have a piece of malicious code taken down, but also what the attacker's next steps will be. We generally take at least the following steps to contain the incident:
* Inform the ISP hosting the malicious code. In this case, this was CHINANET, who have a massive deployed base and are not always able to respond promptly;
* If we receive no response or suspect a language issue, we inform the local incident response team (CSIRT/CERT) and ask them for assistance;
* We gather samples of the affected malicious code and distribute it to anti virus vendors to have them build coverage;
* If it’s an important issue, we report it here on the diary so organizations can implement controls to protect themselves against infection.
We also assess what the attacker spent most time working on. In this case, compromising a single server in China and hosting a malicious script is low effort and can easily be repeated. Attacking thousands of sites and adding a link to them is his actual investment. As such, once the server is taken offline, the attacker will promptly move hosting for the yl18.net domain to another server. If the domain is likely fully malicious, we try to pre-empt this and inform the registrar that the domain is used for illegal activities and should be disabled.
This is a problem – most registrars do not really care what a domain is used for. Generally malicious domains are however paid for with fake credit cards, and if this can be identified, they have the legal ability to disable the domain. These efforts take lots of time, and at this point in time, the server hosting yl18.net is still online and serving malicious code. Various .com web sites have been defaced with the script tag, most likely through SQL injection or cross site scripting, and are infecting their users. If you have the ability to do so, we suggest blocking traffic to yl18.net at your gateway."

.

FYI...

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=817
November 07, 2007 - "Websense® Security Labs™'s ThreatSeeker™ technology has discovered that MSNBC's Turkish site has been compromised. At the time of this writing, the site was infected with malicious code designed to infect the site's visitors through the use of an external JavaScript file. The file contained the malicious JavaScript code that was hosted in China. Visitors to the Web site were infected with an exploit code tailored to their browser. Assuming that the visitors were vulnerable, password stealing code was installed and executed on their desktops, without requiring any user intervention. The widespread of this malicious code has been confirmed by the SANS Internet Storm Center in their most recent incident handler's diary: http://isc.sans.org/diary.html?storyid=3621
This is a Microsoft site, hosted by a partner. We are actively working with Microsoft's security personnel to fix the issue..."

(Screenshot available at the Websense URL above.)

.

FYI...

Hidden IFRAMEs Launch Malware En Masse
- http://blog.trendmicro.com/hidden-iframes-launch-malware-en-masse/
November 8, 2007 - "SANS reports that last November 6, hundreds of Web sites across the Internet were believed to have been compromised by a yet unknown hacker. Details about how and why the attack was perpetrated remain murky. What we know so far is that a certain script which loads http://{BLOCKED}8.net/0.js has been injected into the said sites, the said script leads to a page riddled with invisible IFRAMEs, and these IFRAMEs link to certain pages to automatically download several files... A rundown of the forty-plus files give us Trojans, spyware, backdoors, and a worm belonging to families such as, but are not limited to ONLINEG, WOW, QQPASS, and QQGAME, which are known information stealers targeting gamers and QQ users. File sizes ranged from 177KB to 2KB, with the largest being backdoor programs. Backdoors open an infected machine’s ports, allowing remote malicious users control over the system. Users who visit any of the compromised sites run the risk of getting infected, so gateway admins had better block traffic coming from yl18.net..."

:fear:

FYI...

- http://news.yahoo.com/s/cmp/20071110/tc_cmp/202804433
November 9, 2007 - "Visitors to IndiaTimes .com, a major English-language Indian news site, risk infecting their computers with a deluge of malware, according to Mary Landesman, senior security researcher at ScanSafe. "It's an entire cocktail of downloader Trojans and dropper Trojans," Landesman said Friday, putting the number of malicious files involved at 434. This includes scripts, binaries, cookies, and images. Landesman characterized the size of the malicious payload as unusually large. She also noted that the attack involved a large number of Web sites. Analyzing just two of the binaries, she said that ScanSafe had identified at least 18 different IP addresses involved in the attack. "Only certain pages of the IndiaTimes .com are infected," ScanSafe said in its Nov. 9 Threat Alert*. "The impacted pages contain a script which points to a remote site containing iframes pointing to two additional sites. One of the sites included cookie scripts and an iframe pointing to a non-active site. The other iframe pointed to an encrypted script which exploits multiple vulnerabilities in an attempt to download malicious software onto susceptible systems of users visiting indiatimes .com..."

* http://blog.scansafe.com/journal/2007/11/9/indiatimes-hack-leads-to-cocktail-of-compromise.html
"...Unfortunately, the person we spoke with indicated that it was a holiday in India and they would be unlikely to fix the problem until Monday..."

:fear::fear::fear:

FYI...

- http://secunia.com/advisories/27648/
Release Date: 2007-11-12
Critical: Moderately critical
Impact: Unknown, Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: PHP 5.2.x
...vulnerabilities and weaknesses have been reported in PHP, where some have unknown impacts and others can be exploited to bypass certain security restrictions.
Solution: Update to version 5.2.5.
http://www.php.net/downloads.php ...
Original Advisory:
http://www.php.net/releases/5_2_5.php

:fear:

FYI...

- http://isc.sans.org/diary.html?storyid=3625
Last Updated: 2007-11-11 01:57:16 UTC ...(Version: 2)
"Update:
...We're now at 66K links in Google for the yl18.net/o.js scripts, will it get to the 200K plus numbers we saw with the Super Bowl? worldofwarcraftn .com has now been confirmed as containing malicious content, and you can add rnmb .net to the list which also belongs to the same group. From the whois records it looks like the domain is refreshed daily, which tends to indicate that they are not paying for it, but are using a registrar where you can start using the domain immediately, but pay later. In this case the pay later part is probably not happening. If I were the registrar I might get miffed with people registering the same domain on a daily basis and never pay, but then that's me. If you like IP numbers then today the IPs to block for your web users are 125.65.77.25 & 61.188.39.218 "

( http://forums.spybot.info/showpost.php?p=133586&postcount=28 )
----------------------------------------------------------------------------

- http://www.websense.com/securitylabs/blog/blog.php?BlogID=160
Nov 12 2007 - "Websense® Security Labs™'s ThreatSeeker™ technology has identified more than 350 sites to date containing malicious code designed to infect the site's visitors through the use of an external JavaScript file. This is a follow-up on our previous alert of a mass infection involving MSNBC's Turkish site. Notable sites discovered include the Swedish parliament’s web site and an Australian financial services web site (FICS). At time of writing, the sites in the screenshots below are still infected and we do not recommend visiting them without adequate protection. Vulnerable visitors will have password stealing code installed and executed on their desktops without their consent."

(Screenshots of a selected few sites available at the URL above.)

:fear:

FYI...

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=822
November 19, 2007 - "Websense® Security Labs™ has discovered a new -email- attack variant similar to attacks previously launched on the IRS and Better Business Bureau. The spoofed email claims to be from the United States Department of Justice (USDOJ)... The message claims that a complaint to the USDOJ has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email. The attached "complaint" is a Trojan Downloader .scr file with an MD5 of aeb784bc17c4c7e6edc5f1faaa9ed24f. None of the major anti-virus vendors detected the malicious code..."
(Screenshot available at the URL above.)

--------------------------------------------
More...
- http://blog.washingtonpost.com/securityfix/2007/11/a_fresh_round_of_targeted_emai.html
November 19, 2007; 10:30 PM ET - "Another series of sophisticated e-mail attacks were launched over the past 24 hours, addressing recipients by name and warning of complaints filed against them and/or their company with the Justice Department -and- the Better Business Bureau. E-mail security firm MessageLabs said it spotted the spike in targeted e-mail attacks designed to look as though they were sent from the Better Business Bureau. The messages address recipients by name and list corresponding employer information both in the body of the e-mail and the subject line. The missives reference an attached "complaint," which is actually a screensaver file that harbors password-stealing software..."

:fear:

FYI...

- http://preview.tinyurl.com/39mtqc
November 20, 2007 (Computerworld) - "Monster.com took a portion of its Web site offline Monday as researchers reported that it had been compromised by an IFRAME attack and was being used to infect visitors with a multi-exploit attack kit. According to Internet records, the Russian Business Network (RBN) hacker network may be involved. Parts of the Monster Company Boulevard, which lets job hunters search for positions by company, were unavailable Monday; by evening, the entire section was dark. Most major American companies are represented on the site -- Google Inc.'s cache of the page that shows only those firms which begin with the letter "B", for example, included Banana Republic, Bank of America, Black & Decker, Boeing, Broadcom and Budget Car Rental. Job seekers who used Monster's by-company directory on Monday before the site was yanked were pounced on by Neosploit, an attack toolkit similar to the better-known Mpack, said Roger Thompson*, chief technology officer at Exploit Prevention Labs Inc... The injection of the malicious IFRAME code into the Monster.com site probably happened Monday, he added... "It is not clear how many pages were affected, but it is likely that the attack was the same for all companies on the site, which might turn out to be a pretty good set of the Fortune 500"... Monster.com last made security news in August, when the company admitted hackers had looted its database for weeks, perhaps months, then used that information to craft and send targeted e-mails that pitched money laundering jobs or tried to trick recipients into downloading malware. Monster.com was not available for comment Monday night."
* http://explabs.blogspot.com/2007/11/big-hack-today.html

:fear:

FYI...

Malicious Code: Tabasco state/Banamex email lure banker trojan
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=824
November 20, 2007 - "Websense® Security Labs™ has discovered -emails- that claim to solicit humanitarian support for flood victims in the state of Tabasco, Mexico. If users click an embedded link, they are prompted to download a banker Trojan horse, disguised as an HTML file. The file is displayed with the blue Internet Explorer icon. When a user opens the file, the Trojan horse modifies the hosts file to replace the legitimate Banamex with the IP address of a host controlled by the attacker. If users attempt to go to the Banamex site, they receive no visual indicators that they are not at a legitimate site. The phishing toolbars that were tested did not detect this fake site as a fraud. Neither the downloaded banker Trojan horse nor the subsequent executable that it drops (win32.exe) are detected as malicious by the 32 anti-virus products tested..."

(Screenshots available at the URL above.)

:fear:

FYI...

- http://preview.tinyurl.com/39qspa
November 26, 2007 (Computerworld) - "...Safe-shopping tips. Here are a dozen to get you started:
* Shop with online merchants you know and trust.
* Order from secure Web sites, which can be identified by a locked padlock or unbroken key icon in your Web browser (unsecured sites may show an unlocked padlock or a broken key).
* Keep printouts of everything, including copies of your order; Web pages describing what you ordered; Web pages that tell the seller’s name, address and telephone number; and any e-mail confirmations you get. And make sure you add the date if it doesn’t automatically appear on the printouts.
* Use credit cards for online purchases, which will limit your loss to $50 if your credit is used without authorization. But it has to be a real credit card, not a debit or check card. You may want to use just one credit card for all online payments, to make it easier to detect wrongful charges.
* Don’t give out your Social Security number.
* Don’t give out unnecessary information.
* Don’t send your credit card number by e-mail.
* Don’t give out your passwords for e-commerce Web sites to anyone.
* Don’t give out your bank information; no one needs it for an online order.
* Double-check every Web site address.
* Don’t click on links within e-mails. Type in the Web site’s address yourself -- very carefully.
* Remember, if the deal seems too good to be true, it probably is.

You can also direct users to online sources of additional information, including the Better Business Bureau Web site ( www.bbbonline.org/OnlineShopTips ), the Privacy Rights Clearinghouse ( www.privacyrights.org/fs/fs23-shopping.htm ) and the Federal Trade Commission Web site ( www.ftc.gov/onlineshopping )..."

:spider:

FYI...

The 2008 Internet Security Trends Report from IronPort Systems estimates that 98 per cent of all email traffic is now spam.
- http://www.ironport.com/securitytrends/
Dec 04, 2007 - "Spam volume increased 100 percent, to more than 120 billion spam messages daily worldwide. That's about 20 spam messages per day for every man, woman and child on the planet.
TRENDS OVERVIEW
The overall trends in spam and malware can be characterized by a larger number of more targeted, stealthy and sophisticated attacks. Specific observations include:
> Spam has become more dangerous.
...In 2007, more than 83 percent of spam contained a URL to a rogue Web server that was frequently serving malware. In accordance with a trend towards the blending of different malware techniques, URL-based viruses increased 256 percent.
> The "Self Defending Bot Network" was introduced...
> Viruses no longer make headlines..."
(Full report and links available at the URL above.)

------------------------------------------------

F-Secure - Malware Grew by 100% during 2007
As much malware produced in 2007 as in the previous 20 years altogether
- http://www.f-secure.com/f-secure/pressroom/news/fs_news_20071204_1_eng.html
Dec 4, 2007 - "In its 2007 data security summary, F-Secure reports of a steep increase in the amount of new malware detected during 2007. In fact the amount of cumulative malware detections doubled during the year, reaching the amount of half a million. This indicates that network criminals are producing new malware variants in bulk... The full 2007 Data Security Wrap-Up is available at http://www.f-secure.com/2007/2/ ... F-Secure predicts the increase in malware volume will continue in 2008. The criminals are successfully creating a network-based underground ecosystem, trading both malware development tools, skills, capabilities and resources ever more effectively. At the same time the reach of the law enforcement agencies remain limited in the global network domain..."

:sad:

FYI...

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=204700531
Dec. 4, 2007 - "...Message Labs said following Thanksgiving that it was seeing holiday-themed spam coming across its infrastructure at a rate of about 300,000 an hour. Symantec security researcher Jitender Sarda documented* one such attack on Tuesday that uses e-cards. "These e-cards are purportedly sent from a legitimate source and try to lure the victim to click on the link to view the e-cards, which have underlying tricks to try and infect the computer," said Sarda in a blog post. "With the Xmas bells starting to ring, here is the first incidence where Xmas e-cards have started doing the rounds." While these e-cards may appear to come from a familiar brand name, the "From:" field is forged. And the spammer responsible, perhaps aware that e-cards have acquired an air of disrepute, has even gone so far as to include the phrase "(no worm, no virus)" in the e-card's text, as if such an assurance made the message safe. In fact, the link provided attempts to download a file named "sos385.tmp" which is itself a downloader that connects to the Internet and attempts to download other malicious files."
* http://preview.tinyurl.com/2u5z7n
(Symantec Security Response Weblog)
---------------------------------------

More Christmas Card Action
- http://www.f-secure.com/weblog/archives/00001330.html
December 5, 2007 - "We've just seen another fake Christmas card malware run... The links are masked and point to a fake Yahoo Greeting card site. Do note the fake URL (abuse messages have been sent about the site)... The site prompts the user to download malicious
macromedia-flashplayerupdate.exe (md5: 506744BF870B5B0E410087BD6F3EFD37). We detect this file as an Agent variant. It collects various types of information from the infected machine and sends it back to the malware author via a website."

(Screenshots available at the F-secure URL above.)

:fear:

FYI...

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=830
December 13, 2007 - "Websense® Security Labs™ has discovered a new -email- attack that uses a spoofed email claiming to be from the United States Department of Treasury. This is similar to previous attacks claiming to originate from the IRS, Better Business Bureau, and Department of Justice. We have been tracking all of these attacks, and reporting them as they are discovered. The message claims that a complaint to the Department of Treasury has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email. The attached "complaint" is a Trojan downloader with some backdoor capabilities. It is a ".pif" file with an MD5 of 9e19d23f27ebf9cfe1b9103066a3019e. It appears, however, that different versions of the Trojan are sent, based on the targeted recipient or company..."

(Screenshot available at the URL above.)

:fear:

FYI...

- http://www.us-cert.gov/current/#hp_hp_info_center_software
updated December 14, 2007 - "US-CERT is aware of a vulnerability affecting HP Info Center Software, which allows one-touch access to features on HP laptops. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands or to view or alter the system registry on affected systems. These reports also refer to publicly available exploit code for this vulnerability. HP has published an HP Quick Launch Buttons Critical Security Update* to address this issue. US-CERT encourages users to apply this update to mitigate this risk.
* ftp://ftp.hp.com/pub/softpaq/sp38001-38500/sp38166.html

- http://preview.tinyurl.com/2jhrxc
(HP Customer Care)
Release Date: 2007-12-12
Version: 1.00 A
Description:
This package provides a critical security update for HP Quick Launch Buttons on the supported notebook models and operating systems. This patch removes a security vulnerability by disabling HP Info Center...
» sp38166.exe 1/1 (1.61M)

:fear:

FYI...

- http://www.itbusiness.ca/it/client/en/home/news.asp?id=46368
12/14/2007 - "...Since 1 December 2007, 114,891 new users have run Prevx CSI with rootkit-detection features enabled. Of those PCs, 1,678 had what Prevx describes as 'significant rootkit infections'. That equates to 1.46% or approximately one in 70 systems, which is almost 15 times higher than the one in 1,000 rootkit-infected PCs previously estimated by industry experts. In the first nine days of this month alone, 93 companies used the free Business scan feature of Prevx CSI. Of these companies, 68 had one or more infected PCs. Thirteen companies, or 14%, had one or more PCs harboring rootkit infections.
These stats don't take into account the fact that users who scan their PCs are more likely to have concerns about infections..."

> http://info.prevx.com/downloadcsi.asp
"822,006 people have already checked their PC with Prevx CSI free, 182,018 were infected..."

:fear:

FYI...

- http://www.gartner.com/it/page.jsp?id=565125
December 17, 2007 - "Phishing attacks in the United States soared in 2007 as $3.2 billion was lost to these attacks, according to a survey by Gartner, Inc. The survey found that 3.6 million adults lost money in phishing attacks in the 12 months ending in August 2007, as compared with the 2.3 million who did so the year before. According to a survey of more than 4,500 online U.S. adults in August 2007 (which was representative of the online U.S. adult population) the attacks were more successful in 2007 than they were in the previous two years. Of consumers who received phishing e-mails in 2007, 3.3 percent say they lost money because of the attack, compared with 2.3 percent who lost money in 2006, and 2.9 percent who did so in 2005...
The average dollar loss per incident declined to $886 from $1,244 lost on average in 2006 (with a median loss of $200 in 2007), but because there were more victims, $3.2 billion was lost to phishing in 2007, according to surveyed consumers. There was a bit of relative good news, however; the amounts that consumers were able to recover also increased. Some 1.6 million adults recovered about 64 percent of their losses in 2007, up from the 54 percent that 1.5 million adults recovered in 2006.
PayPal and eBay continue to be the most-spoofed brands, but phishing attacks increasingly employ devious social engineering attacks, impersonating, for example, electronic greeting cards, charities and foreign businesses.
Thieves are increasingly stealing debit card and other bank account credentials to rob accounts — targeting areas where fraud detection is weaker than it is with credit card accounts. According to the survey, of those consumers who lost money to phishing attacks, 47 percent said a debit or check card had been the payment method used when they lost money or had unauthorized charges made on their accounts. This was followed by 32 percent of respondents who listed a credit card as the payment method, and 24 percent who listed a bank account as the method (multiple responses were allowed)...
Phishing and malware attacks will continue to increase through 2009 because it's still a lucrative business for the perpetrators, and advertising networks will be used to deliver up to 30 percent of malware that lands on consumer desktops.
Gartner sees no easy way out of this dilemma unless e-mail providers have incentives to invest in solutions to keep phishing e-mails from reaching consumers in the first place, and unless advertising networks and other "infection point" providers (which theoretically can be any legitimate Web site or service) have incentives to keep malware from being planted on their Web sites to reach unsuspecting consumers..."

:fear::spider:

FYI...

McAfee false positive on some JavaScripts
- http://isc.sans.org/diary.html?storyid=3803
Last Updated: 2008-01-02 21:36:16 UTC - "Some users reported that their AV was detecting JS/Exploit-BO virus, on sites like ESPN and Friendster, for instance. The problem is with the McAfee AV. McAfee just released an Emergency DAT to fix the false on some JavaScripts, detecting as JS/Exploit-BO on virus database (DAT file) 5197 released today. The new DAT just released is 5198 and the url to download it is: http://www.mcafee.com/apps/downloads/security_updates/dat.asp "

(In the wake of "CA false positive for certain Javascript apps":
http://isc.sans.org/diary.html?storyid=3797 Last Updated: 2007-12-31 23:07:19 UTC)

:oops:

FYI...

Phish (Face)book!
- http://www.f-secure.com/weblog/archives/00001353.html
January 3, 2008 - " We recently came across a phishing attack targeting Facebook. Phishers are apparently using hacked Facebook accounts to post links to a fake login page on other people's "Wall posts"... The phishing site is still currently online. Be wary of clicking on those links out there, even if they seem to (genuinely) come from your friends! Hat tip to Techcrunch*."
* http://www.techcrunch.com/2008/01/02/phishing-for-facebook

(Screenshots available at both URL's above.)
---------------------------------------------------
More... Zango adware on Facebook

- http://www.vnunet.com/vnunet/news/2206462/facebook-hit-adware-attack
3 Jan 2008 - "Facebook users are being warned about a new application on the social networking site that contains adware. 'Secret Crush' contains a download of the Zango adware program which automatically sends itself to five friends. It has already infected three per cent of Facebook users, over one million computers, according to security firm Fortinet*..."

Facebook Widget Installing Spyware
* http://www.fortiguardcenter.com/advisory/FGA-2007-16.html
2008.January.02

:fear::spider:

FYI...

- http://sunbeltblog.blogspot.com/2008/01/malicious-ads-on-myspace-excite-blick.html
January 03, 2008 - "We worked earlier today with Brain Krebs at the WP about malicious banner ads on Myspace. (Malware is being delivered through exploits, but fully patched systems won’t be affected.) Sandi Hardmeier has also been tracking ads at Excite and, now, Blick** (a popular German site). These are different than the Myspace ads (in that they don’t seem to be dumping an exploit-driven payload)."

* http://blog.washingtonpost.com/securityfix/2008/01/malwarelaced_banner_ads_at_mys.html

** http://msmvps.com/blogs/spywaresucks/archive/2008/01/04/1435836.aspx

:fear:

FYI...

- http://www.us-cert.gov/current/#public_exploit_code_for_realplayer
January 2, 2008

- http://secunia.com/advisories/28276/
Release Date: 2008-01-03
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: RealPlayer 11.x
...Successful exploitation allows execution of arbitrary code. The vulnerability is reported in version 11 build 6.0.14.748. Other versions may also be affected.
Solution:
Do not open untrusted media files or browse untrusted websites...

- http://isc.sans.org/diary.html?storyid=3810
Last Updated: 2008-01-05 00:34:02 UTC ...(Version: 4)
"> Update 15:10 UTC: While you're at it, consider blocking access to uc8010-dot-com. If you do a Google Search for this domain, you'll understand why: Lots of injecting of a mailicious 0.js from this domain is currently going on, plenty of web sites seem to contain this booby trap. One of the IFRAMES fetched from this site, the file "r.htm" contains a RealPlayer exploit. Still the one from last month ( www.kb.cert.org/vuls/id/871673 ) but if they happen to re-tool to the new vulnerability, things might get ugly.
> Update 16:30 UTC: One of our readers noted that there are a number of state government and educational sites that appear to have been compromised with the uc8010 domain. Upon review, I see that some of these have already been cleaned up. However, the .gov and .edu sites are only a few of the many many sites that are turned up via google searches for the uc8010 domain. As that domain was only registered as of Dec 28th, compromises of websites probably occurred in the past week.
I recommend that our readers check to see if their site shows any references to uc8010 via google. Alternatively, look on their webservers to see if there are any unauthorized change to webpages in the past week.
> Update 00:30 UTC 5 JAN 08: Looks like there is another domain hosting a similar script. In addition to uc8010 check your flows for "ucmal.com"
----------------------------------------------------------

CA web site hacked
http://preview.tinyurl.com/2wdxkw
January 04, 2008 (Computerworld) - "Part of security software vendor CA's Web site was cracked earlier this week and was redirecting visitors to a malicious Web site hosted in China. Although the problem now appears to have been corrected, cached versions of some pages in the press section of CA.com show that earlier this week the site had been redirecting visitors to the uc8010.com domain, which has been serving malicious software since late December, according to Marcus Sachs, director of the SANS Internet Storm Center. The hack is similar to last year's attack on the Dolphin Stadium Web site, which infected visitors looking for information on the Super Bowl football game, Sachs said. "It's exactly the same setup," he said. "It's JavaScript that they've managed to insert into the title or the body of the HTML"..."

:fear:

FYI...

- http://preview.tinyurl.com/2lgp5u
January 05, 2008 (Donna's SecurityFlash) -"In early Devember 2007 a new rootkit that hides itself in the Master Boot Record (MBR) of a users disk was spotted in the wild. Up until then this was more of a proof of concept (POC). This goes to show how much effort rootkit authors are putting in to creating new ways of evading Anti Rootkit software. This is a new vector of attack for malware writers and gives them control from outside the Operating System. This rootkit is using the MBR flaw. The MBR can be written to from within Windows.
The rootkit installs itself ( 244K ) on the last sectors of the users disk and then modifies other sectors including sector 0. The code is run before your PC boots up into XP, Vista or NT and has full control of the boot process which means it can install and run any application it wants without you, XP, Vista or NT knowing about it."

> http://www.antirootkit.com/blog/2008/01/03/security-flaw-in-vista-and-xp-rootkit-exploit-in-the-wild/

> http://www2.gmer.net/mbr/

:fear::spider:

FYI...

- http://preview.tinyurl.com/27hohx
January 07, 2008 (Computerworld) -- Tens of thousands of Web sites have been compromised by an automated SQL injection attack, and although some have been cleaned, others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend. Roger Thompson, the chief research officer of Grisoft SRO, pointed out that the hacked sites could be found via a simple Google search for the domain that hosted the malicious JavaScript. On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. "This was a pretty good mass-hack," said Thompson, in a post to his blog*. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared." Symantec Corp. cited reports by other researchers - including one identified only as "websmithrob" - that fingered an SQL vulnerability as the common thread..."
* http://explabs.blogspot.com/2008/01/so-this-is-kind-of-interesting.html
January 05, 2008 - "This domain uc8010(dot)com was registered just a few days ago (Dec 28th), and yet, at one point Google showed script injections pointing to it were showing up on over 70k domains... If you google for uc8010(dot)com, you still get about 50k hits..."

- http://isc.sans.org/diary.html?storyid=3810
Last Updated: 2008-01-05 20:13:55 UTC ...(Version: 5) - "Update 17:52: We have gotten reports of embeded script links to ucmal on MySpace. It is probably safe to assume that other social networking sites have it as well."

:fear::fear::devilpoin:

More...

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=205600157
Jan. 8, 2008 - "Web sites that naively call for user input, then fail to put strict checks on what that input may be, are susceptible to SQL injection attacks. That vulnerability appears to be the cause of up to 70,000 Web pages getting hacked by malicious code between Dec. 28 and Jan. 5. The intrusions represent a whole new level of threat to users on the Internet. Instead of the attack seeking to launch a virus or worm at individual computers, it invaded Web databases and used them to host its malicious code and distribute it every time site visitors sought information beyond a home page or product page from the database. But for the fact it used an old and already guarded against Windows exploit, it might still be spreading across the Internet... it was Microsoft SQL Server databases that ended up as the target of the attack because the tables targeted are specific to SQL Server... The intrusion of each database is massive, with a JavaScript string being attached to all text items in the database. A site user's request for an information item then leads to the attacker's JavaScript response attempting to plant code on the user's computer. The attack typically invades a site with a catalogue or other large text files stored on a SQL Server database. As a site visitor clicks on a Web site's button or link for more information, such as "more information" from a catalogue, the database is activated to send a JavaScript plant onto the user's computer... The plants take advantage of a widely publicized Windows vulnerability, listed as the MS06-014* exploit... Google and Yahoo's cached pages from Web site databases may still contain the JavaScript, untouched by site efforts to clean it up, the experts warned."
* http://support.microsoft.com/kb/911562/en-us
Last Review: March 27, 2007
Revision: 3.6

:fear:

FYI...

- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=835
January 08, 2008 - "Websense® Security Labs™ has discovered a new email attack that uses a spoofed email message which claims to be from the National Payroll Reporting Consortium (NPRC). This attack is similar to previous attacks claiming to originate from the IRS, Better Business Bureau, and Department of Justice. We have tracked all of these attacks, and reported them as they were discovered. The message claims that the recipient's company has made numerous misrepresentations regarding worker classification,in an attempt to lower compensation costs. The email asks the recipient to fill out an attached form and fax it to NPRC's fraud department in order to resolve the issue. An email attachment contains a Trojan downloader with some backdoor capabilities. It is a malicious Windows executable file, with an MD5 of 854e259c7c0ac6fb2a26963a9d77600d ... At time of writing, only one anti-virus vendor had detected this malicious code."

(Screenshot available at the URL above.)

:fear:

FYI...

- http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/
January 11, 2008 - "...TrendLabs researchers have received reports of what appears to be an attempt of a massive DNS poisoning attack in Mexico... the attack begins with the exploitation of a known vulnerability in 2Wire modems*. The said vulnerability allows an attacker to modify the local DNS servers and hosts. One of the main Internet Service Providers in Mexico offers 2Wire modems to their customers, and it is estimated that more than 2 million users are at risk... exploit arrives with a newsy email message... once an unsupecting user opens the email in its full HTML format, the exploit code automatically attempts to access the modem’s Web console and modify the local host database to redirect all requests for banamex.com — the Web site of one of the largest banks in Mexico — to a fraudulent site... The malicious email message also promises a “video” and includes a link that points to the a malicious URL where the .RAR acrhive Video_Narco.rar can be downloaded. This archive contains the malicious file Video_Narco.exe..."
* http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389

:fear:

FYI...

- http://isc.sans.org/diary.html?storyid=3826
Last Updated: 2008-01-11 20:19:06 UTC - "Come April, we will reach the FIFTH anniversary of the ByteVerify vulnerability (MS03-011). Untangling some seriously obfuscated JavaScript coming from a couple of web sites in China earlier today, I ended up with - yes, a ByteVerify exploit. Also in the package was an MDAC exploit (MS06-014), whose second anniversary will be up this April as well.
> To see these exploits still in use can only mean one thing: They still work.
And they seem to work well enough that the bad guys can instead sink their time into developing new obfuscation techniques and other ways to make analysis more difficult -- only to deliver a five year old exploit in the end. Not a very stellar testament to patching efforts."

:fear:

FYI...

Adobe (Flash) Server vulns - updates available
>>> http://www.us-cert.gov/current/#adobe_releases_security_bulletins_to
January 17, 2008

- http://www.adobe.com/support/security/bulletins/apsb08-02.html
APSB08-02 Update available for Adobe Connect Enterprise Server cross-site scripting issue - 01/16/2008

- http://www.adobe.com/support/security/bulletins/apsb08-01.html
APSB08-01 Update to Dreamweaver and Contribute to address potential cross-site scripting vulnerabilities - 01/16/2008

"...issue previously described in Security Advisory APSA07-06*..."
- http://www.adobe.com/support/security/advisories/apsa07-06.html
January 16, 2008 – Advisory updated with information on Dreamweaver and Connect fixes

:fear::fear:

FYI...

- http://www.theinquirer.net/gb/inquirer/news/2008/01/22/apache-sites-scalped-hack
22 January 2008 - "...more than 10,000 sites running the Linux based Apache software may be hacked and trying to control visitors' computers. Don Jackson, from Secureworks* said that the hackers probably used stolen log-in details to gain access and then infected the Apache servers with a pair of files that generate constantly-changing JavaScript. If a punter visits the hacked site they get walloped with nine exploits including a recent QuickTime vulnerability, the long-running Windows MDAC bug, and a fixed flaw in Yahoo Messenger. Once a hole is opened, the victim receives (a variant of) the Trojan Rbot and are added to a botnet. When the systems administrators, who owned the Apache boxes, were notified and reinstalled the software, the hack came back, apparently. This lead Jackson to believe that it was a direct hack to the Linux server and not based on a vulnerability. He thinks that the only way the hacks will stop is when the Administrators change all the passwords and not just the FTP and Cpanel passwords..."
* http://www.secureworks.com/research/threats/linuxservers/?threat=linuxservers
"...The compromised websites, in turn, can infect website visitors. If infected, the malicious code can steal bank usernames and passwords, SSNs, credit card numbers, online payment accounts, basically any information a computer user puts into their web browser. The malicious code can also own the victim’s computer...
> Protection for Organization’s Websites: In order for an organization to protect their website from this attack they need to disable dynamic loading in their Apache module configurations.
> Protection for Website visitors: This is designed to attack Windows PCs. Website visitors can avoid infection by the malware this attack distributes by making sure all anti-virus signatures are up to date and that all vulnerable software is patched. No previously unknown or 0-day vulnerabilities are used in this attack..."

:fear::fear::fear:

Ongoing...

- http://www.theregister.co.uk/2008/01/23/booby_trapped_web_botnet_menace/
23 January 2008 - "...Security watchers at Sophos are discovering 6,000 new infected webpages every day, the equivalent of one every 14 seconds. Four in five (83 per cent) of these webpages actually belong to innocent companies and individuals, unaware that their sites have been hacked. Websites of all types, from those of antique dealers to ice cream manufacturers and wedding photographers, have hosted malware on behalf of virus writers, Sophos reports. The study sheds fresh light on the well-understood problem of drive-by-downloads from compromised sites, a tactic that's come to eclipse virus-infected email as a means of spreading malware. Cybercrooks target users by spamvertising emails containing links to poisoned webpages, exposing unsuspecting victims to malware. At least one in ten web pages are booby-trapped with malware, according to a separate study by Google published last May. Often these malware packages are designed to put compromised zombie PCs under the control of hackers. Around half a million computers are infected by bots every day according to data compiled by PandaLabs*, the research arm of anti-virus firm Panda Software. Approximately 11 percent of computers worldwide have become a part of criminal botnets..."

- http://www.sophos.com/security/blog/2008/01/1010.html
22 January 2008

- http://www.cpanel.net/security/notes/random_js_toolkit.html

* http://www.pandasecurity.com/usa/about/corporate-news/new-31.htm
Jan. 18, 2008

- http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3

> http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.BotCounts#week

Also noteworthy:
> http://blog.trendmicro.com/technology-shift-the-world-wide-compromise-of-the-web/
January 22, 2008 - "...We’ve recently seen literally thousands of compromised Web sites and Web pages that, if an unsuspecting users happens upon the content (and has some arbitrary unpatched vulnerability), they are victimized. I cannot stress how important this issue has become, and how this will fundamentally change the way we use The Internet if we do not take dramatic steps to correct these basic deficiencies. The lifeblood of the Internet depends on it. When Vint Cerf spoke at the World Economic Forum in Davos, Switzerland, last year, he pretty much nailed the issue spot on — 'Criminals may indeed overwhelm the web' as we (collectively) sit idly by..."

:fear::fear::fear:

FYI...

- http://blog.washingtonpost.com/securityfix/2008/01/report_51_of_malicious_web_sit.html
January 22, 2008 - "...Dan Hubbard, Websense's vice president of security research, said that at any given time there are about two million compromised and malicious sites online, and that slightly more than half of those are hacked sites that range from mom-and-pop type stores to household brand names. The company scans about 600 million sites per week for signs that the sites are trying to foist malicious software on visitors or redirect them to sites that will. The report follows recent discoveries* that almost 100,000 Web sites - including that of security company Computer Associates, the Commonwealth of Virginia, the City of Cleveland - were hacked via Web application vulnerabilities in an apparently coordinated attack. In that attack, the code stitched into hacked sites was designed to perpetrate click fraud and steal online gaming credentials. All Web software applications have flaws, and all need to be updated from time to time to keep the site healthy and to keep opportunistic predators away..."
* http://www.theregister.co.uk/2008/01/08/malicious_website_redirectors/

:fear:

FYI...

SEO Manipulation Begins for Super Bowl Malware Campaign
- http://blog.trendmicro.com/seo-manipulation-begins-for-super-bowl-malware-campaign/
January 24, 2008 - "...When users search for 'Superbowl', Google search results turn up the following (malware links)... Is the Super Bowl on cyber criminals’ social engineering lists? It does seem somewhat passé (even if the event is in two weeks). But what’s interesting in this case is that the malicious URLs are once again found in the servers of the Czech hosting provider believed to be hacked. Our analysts have been in contact with CERT CZ and the Czech hosting provider but the malicious codes are still present as of this writing..."

(Screenshot available at the URL above.)

:fear:

FYI...

Attackers Abuse Google Blogger
Blogger is flooded with phony blogs – including some that inject malware
- http://www.darkreading.com/document.asp?doc_id=144171&print=true
JANUARY 25, 2008 - "Hackers are currently littering Google's Blogger site with phony blogs -- some containing malware, pornographic images, or pure spam. "Google Blogger is being used as a malware delivery mechanism," says Ken Steinberg, CTO and president of Savant Protection, who discovered the attack while working on his own blog this morning. The attackers apparently are automatically generating the blogs with scripts. The blogs come with nonsensical names and content that's obviously been generated using English-compliant engines and keyword focuses, he says. "They've upped the game. Mostly [blog attacks] have been through comments or postings," he says. Steinberg noted that some of the fake blogs were using malware-insertion techniques: "One of the more common ways of inserting malware is using overflow techniques found in movie [viewers]... When you click through a few of these blogs, up pops images set to auto-load -- some are images, some are movies" that can infect a visitor with malware, he says. Google says it's investigating the event..."

- http://preview.tinyurl.com/2v59aq
January 25, 2008 (Computerworld) - "...The spammers have borrowed other malware techniques, too. Just as some recent attacks have been launched using frequently changing JavaScript, the redirect code placed on the Google Pages or on blogs may fluctuate depending on the originating spam message. The scams are also using fast-flux techniques to rapidly change the resolving destinations of the links.."

:devil:

FYI... (apologies for the long post; 'included details for admins):

- http://prweb.com/releases/2008/1/prweb656233.htm
January 26, 2008 - "cPanel announced today that it's security team has identified several key components of a hack known as the Random JavaScript Toolkit. The systems affected by this hack appear to be Linux® based and are running a number of different hosting platforms. While this compromise is not believed to be specific to systems running cPanel software, cPanel has worked with a number of hosting providers and server owners to investigate this compromise. The cPanel Security Team has recognized that the vast majority of affected systems are initially accessed using SSH with no indications of brute force or exploitation of the underlying service. Despite non-trivial passwords, intermediary users and nonstandard ports, the attacker is able to gain access to the affected servers with no password failures. The cPanel security team also recognized that a majority of the affected servers come from a single undisclosed data-center. All affected systems have password-based authentication enabled. Based upon these findings, the cPanel security team believes that the attacker has gained access to a database of root login credentials for a large group of Linux servers. Once an attacker manually gains access to a system they can then perform various tasks. The hacker can download, compile, and execute a log cleaning script in order to hide their tracks. They also can download a customized root-kit based off of Boxer version 0.99 beta 3. Finally, the attacker searches for files containing credit card related phrases such as cvc, cvv, and authorize. The actual root-kit has been the subject of much speculation. The cPanel security team asserts that the Boxer variant includes a small web-server which is how the Javascript is distributed to unsuspecting users of any website on the server. It is believed that the Javascript include is injected into the HTML code after Apache has served the file but before it has traveled through the TCP transport back to the user of the website. The web-server is not loaded onto the hard drive directly but loaded directly into memory from the infected Boxer binaries... The JavaScript being loaded by this web-server is directing users to another server that scans the website user for a number of known vulnerabilities. These vulnerabilities are then used to add the website user to a bot net. More information about the JavaScript hacks can be found at: http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3. Cleaning the Random JavaScript Toolkit requires the server to be booted into single user mode and the removal of all infected binaries. More details on how to do this can be found at: http://www.cpanel.net/security/notes/random_js_toolkit.html. The cPanel security team believes that the hacker has access to the database of login credentials, the only way to prevent being hacked again is changing the password and not releasing it to anyone. The preferred method however is to move to SSH Keys and remove password authentication altogether."

:fear::spider:

FYI...

- http://blog.trendmicro.com/spyware-removal-site-delivers-malware/
January 28, 2008 - "Looks can be deceiving, and malware authors are relying on that old adage to lure potential victims into their most recent scheme... The site hxxp ://removal-tool .com manages to do all that... who’d suspect that a professional-looking anti-spyware site will give them just the opposite of what they’re looking for — and even more? With most of the pages hosting malicious iFrames, here’s a list of what could be lurking in your system after a visit to their site:
* HTML_IFRAME.IY
* VBS_PSYME.BCC
* EXPL_EXECOD.A
* HTML_SHELLCOD.AE
* JS_AGENT.AXX
* HTML_DLOADER.XCZ
* WORM_DISKGEN.AF
* HTML_SHELLCOD.AZ
* HTML_SHELLCOD.AW
* JS_REALPLAY.AA
* PE_PAGIPEF.AP-O
* TROJ_AGENT.DDG
* TROJ_PAGIPEF.AP
The use of legitimate-looking Web sites is a regular (yet undoubtedly still very effective) tactic in disseminating Web threats, mainly used to fool users into downloading fake codecs (see here and here), though security applications have also been reported in the past. Any Web-savvy developer knows that professional design and robust content attract customers, and is most likely to earn their trust to initiate one more click. Sadly, even those with malicious intent abide by this rule, and most users can hardly tell a good site from a bad one..."

(Screenshot available at the URL above.)

:fear:

FYI...

- http://blog.trendmicro.com/malicious-banners-target-expediacom-and-rhapsodycom/
January 29, 2008 - "... Earlier this month, we’ve seen malicious banner ads being served on popular Web sites, such as Myspace, Excite, and Blick. This time, TrendLabs was alerted to malicious banner ads infiltrating legitimate special interest Web sites such as Expedia.com and Rhapsody.com. According to Trend Micro security experts, certain malicious .SWF banners have managed to work their way into Expedia.com, a popular site for travel enthusiasts worldwide. Trend Micro detects this particular malicious flash banner as SWF_ADHIJACK.A. Based on initial analysis, clicking on this ad leads to several redirections, which eventually results to the installation of a rogue antispyware (detected as TROJ_GIDA.A). Music lovers are also targeted by malware-laden .SWF banners at Rhapsody.com, a music site owned by RealNetworks, which was also found to be employing malicious flash banners. The malicious .SWF URL found in Rhapsody.com is said to be similar to the notorious Skyauction advertisements that were also found to infiltrate the Blick website...
Hat-tip: Spyware Sucks - http://msmvps.com/blogs/spywaresucks/archive/2008/01/28/1483997.aspx "

:fear::spider:

FYI...

- http://secunia.com/advisories/28715
Last Update: 2008-02-05
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: MySpace Uploader Control 1.x
...The vulnerability is confirmed in MySpaceUploader.ocx version 1.0.0.5 and reported in version 1.0.0.4. Other versions may also be affected.
Solution: Update to version 1.0.0.6. <<<
( http://forums.spybot.info/showpost.php?p=162448&postcount=44 )

- http://secunia.com/advisories/28713/
Release Date: 2008-02-04
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Facebook Photo Uploader 4.x
...The vulnerability is confirmed in version 4.5.57.0. Other versions may also be affected.
Solution: Update to version 4.5.57.1. <<<

- http://secunia.com/advisories/28757/
Last Update: 2008-02-07
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Yahoo! Music Jukebox 2.x ...
NOTE: Working exploit code is publicly available.
The vulnerabilities are confirmed in Yahoo! Music Jukebox version 2.2.2.056. Other versions may also be affected...
Solution: Set the kill-bit for the affected ActiveX controls. <<<
Other References:
US-CERT VU#101676: http://www.kb.cert.org/vuls/id/101676
US-CERT VU#340860: http://www.kb.cert.org/vuls/id/340860
---------------------
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0623
release date: 2/6/2008 - YMP Datagrid ActiveX control (datagrid.dll)
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0624
release date: 2/6/2008 - YMP Datagrid ActiveX control (datagrid.dll)
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0625
release date: 2/6/2008 - MediaGrid ActiveX control (mediagrid.dll)

:fear:

FYI...

Adobe Reader v8.1.2 released
- http://secunia.com/advisories/28802/
Release Date: 2008-02-06
Last Update: 2008-02-11
Critical: Highly critical
Impact: Unknown, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Acrobat 3D, Adobe Acrobat 8 Pro, Adobe Acrobat 8.x, Adobe Reader 8.x
CVE reference:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0667 ...
Solution: Update to version 8.1.2...
Acrobat 8 on Windows:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3849 ...
Changelog:
2008-02-08: Updated advisory based on additional information from the vendor. Updated link to vendor's advisory.
2008-02-11: Updated advisory based on additional information from iDefense Labs and Fortinet. Added links and CVE references.
Original Advisory: Adobe APSA08-01:
http://www.adobe.com/support/security/advisories/apsa08-01.html

FYI...

MySpace Uploader ActiveX Exploited in the Wild
- http://preview.tinyurl.com/22vn4d
February 7, 2008 (Symantec Security Response Weblog) - "Yesterday our honeypots picked up a browser attack toolkit that I had not encountered before. This toolkit uses dynamic function and variable names and wraps its exploits in two levels of dynamic encoding. Finding a new toolkit on our honeypots always piques my interest as a new toolkit often yields new exploit payload. Lo and behold, once the encoder layers are peeled away, the toolkit is found to contain an exploit for the MySpace Uploader 'MySpaceUploader.ocx' ActiveX Control Buffer Overflow that was announced on the 31st of January*..."
* http://securityresponse.symantec.com/avcenter/attack_sigs/s50096.html
"...issue leads to a crash in 'MySpaceUploader.ocx' 1.0.0.4 and 1.0.0.5..."

> http://secunia.com/advisories/28715
Solution: Update to version 1.0.0.6.

:fear:

FYI...

> http://secunia.com/blog/20
7 February 2008
"...During the last 24 hours, we have seen security updates for some very popular Windows programs from four major vendors: Sun, Adobe, Apple, and Skype. Based on these four security updates, we have gathered some statistics from our free Secunia PSI that shows a startling picture, detailing the amount of users who need to patch their computers, in order to safely do something as ordinary as surfing the Internet...
A little in-depth information about the four security updates
1) Adobe Reader 8.x (PDF Files) (Secunia Advisory: http://secunia.com/SA28802 )...
2) Sun Java 1.5.x (Web content, games, etc.) (Secunia Advisory: http://secunia.com/SA28795 )...
3) Apple Quicktime (Movies, music, etc.) (Secunia Advisory: http://secunia.com/SA28423 )
4) Skype (Chat and VOIP) (Secunia Advisory: http://secunia.com/SA28791 )..."

(Add the Firefox update to that: http://secunia.com/SA28758/ , and most should have a busy weekend!)

:fear:

FYI...

- http://isc.sans.org/diary.html?storyid=3958
Last Updated: 2008-02-09 02:38:22 UTC - "The Adobe Reader vulnerability... is being exploited in the wild! A malicious PDF file (called 1.pdf in this example) served from IP address "85.17.221.2" (not active at this time) contains a malware specimen called Trojan, a variant of Zonebac. The IP address belongs to LeaseWeb, a hosting provider in The Netherlands we already notified..."

- http://secunia.com/advisories/28802/
Software: Adobe Reader 8.x ...
Solution: Update to version 8.1.2 ...
Original Advisory: Adobe Reader 8.1.2 Release Notes:
http://www.adobe.com/go/kb403079

:fear:

FYI...

New Facebook Photo Uploader ActiveX Vulnerability
- http://atlas.arbor.net/briefs/index#-1074023979
(...Scroll down to):
Severity: Elevated Severity
Published: Wednesday, February 13, 2008 18:57
Facebook Photo Uploader ActiveX control is prone to a buffer-overflow vulnerability. Attackers can exploit this issue and execute arbitrary code in the context of the browser. Exploit is available. Until this issue fixed by the vendor, a workaround would be to set the kill bit for the ActiveX control.
Analysis: The ActiveX control in question is ImageUploader4.1.ocx. The 'FileMask' method is vulnerable. Attackers need to make a user view a crafted HTML to exploit this issue. A workaround would be to set the kill bit for the Control till it is fixed...

:fear:

FYI...

- http://www.theregister.co.uk/2008/02/15/browser_exploitation/
15 February 2008 - "Cybercriminals are stepping up their efforts to exploit vulnerabilities in web browsers to spread malware using drive-by download techniques. Research by Google's anti-malware team on three million unique URLs on more than 180,000 websites automatically installed malware onto vulnerable PCs. Hackers are increasingly trying to trick search sites into pointing surfers onto maliciously constructed sites. More than one per cent of all search results contain at least one result that points to malicious content, Google reports*, adding that incidents of such attacks has grown steadily over recent months and continues to rise. Google's team also reports that two per cent of malicious websites are delivering malware via tainted banner ads. Israeli security firm Finjan has also observed a rise in the tactic over recent months, noting that many malicious ads are served from legitimate websites. A security report from IBM's X-Force division said cybercriminals are "stealing the identities and controlling the computers of consumers at a rate never before seen on the internet"..."
* http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html

> http://www.us-cert.gov/current/#mozilla_firefox_and_opera_browser
February 18, 2008
> http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx
MS08-010 - Updated: February 13, 2008

(Keep things patched! Is your browser up-to-date?...)

Opera v9.26 released
- http://forums.spybot.info/showthread.php?p=166220#post166220
Release Date: 2008-02-20

:fear::spider:

FYI...

- http://www.theregister.co.uk/2008/02/20/symantec_enpoint_security_error_bug/
20 February 2008 - "Symantec is working to patch a bug that generates errors in corporate security protection updates. Workarounds enabling virus signature definition updates to Symantec Endpoint Protection are available, but a more comprehensive fix is still in testing. The glitch in the Symantec's LiveUpdate package has left sysadmins managing Symantec Endpoint Protection coping with "broken" clients... Symantec has published an advisory* detailed workarounds. Posts on Symantec forums indicate that the problem first reared its head on 11 February... looks like every Symantec customer worldwide has been affected by the issue..."
* http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008021213593948
Last Modified: 02/15/2008

:lip:
-----------

- http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008021213593948
Last Modified: 02/20/2008 - "...Solution:
Symantec has released a new Decomposer to the LiveUpdate Servers to resolve this issue. If you used this previous stated workaround, please re-check the Decomposer signatures and select "Use latest available"..."

.

FYI...

- http://preview.tinyurl.com/ytx4dc
02/20/08 (NetworkWorld) - "People-driven security, an approach that pools the judgments of individual participants to identify new threats, is gathering momentum, with uses popping up in everything from antimalware and spam blocking to site filtering. OpenDNS's Domain Tagging, introduced in February, is the latest example of this kind of strength in numbers. The free Web-filtering service allows subscribers to block sites in their choice of categories... "The good guys need to out-share the bad guys to help counter them," says Johannes Ullrich, chief research officer at the Internet Storm Center (ISC)... Together, people-powered tools and sites work to build genuine security that benefits the entire online community."

:spider::cool::spider:

FYI...

Netscape multiple Vulns - update available
- http://secunia.com/advisories/29049/
Release Date: 2008-02-21
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Netscape 9.x
...can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, conduct spoofing attacks, or to compromise a user's system.
Solution: Update to version 9.0.0.6:
http://browser.netscape.com/downloads
"Official support for all Netscape client products will end on March 1st, 2008..."
http://blog.netscape.com/2007/12/28/end-of-support-for-netscape-web-browsers

FYI...

- http://blog.washingtonpost.com/securityfix/2008/02/wall_street_reports_higher_pc_1.html
February 22, 2008 - "...In the first half of 2007, companies involved in managing securities and futures trades reported a 47 percent increase in the number of fraudulent or suspicious transactions attributed to computer break-ins, according to data released last month by the Financial Crimes Enforcement Network (FinCEN). Financial institutions are required to file suspicious activity reports (SARs) when a suspected fraudulent or illegal transfer of funds exceeds $5,000. According to FinCEN, trading institutions filed more computer intrusion-related securities fraud reports in the first half of 2007 than they reported in all of 2006... The report doesn't provide any guesses as to what factors might be responsible for those notable increases. But here's my take: Cyber crooks are going after and compromising online stock trading accounts just as they are online banking accounts*..."
* http://blog.washingtonpost.com/securityfix/2008/02/banks_losses_from_computer_int.html
02/20/2008

:fear::fear:

FYI...

- http://blog.trendmicro.com/better-business-bureau-phish-with-trojan-downloader/
March 23, 2008- "The Better Business Bureau (BBB) is the target of a new phishing scam, in which a user is asked to download a rogue ActiveX installer upon visiting the Web site... installer is actually a Trojan downloader file named Acrobat.exe... The BBB has a history of being a target of malware authors and spammers, besides phishers. Previously, it has been used as a subject of spam that contained malware detected as TROJ_ARTIEF.A."

(Screenshots available at the URL above.)

:fear::spider:

FYI...

- http://isc.sans.org/diary.html?storyid=4187
Last Updated: 2008-03-24 10:18:07 UTC - "...Over the last week or two there have been more instances of the Death Threat SPAM emails. These particularly nasty messages explain how someone you know wants you dead and the hired killer is contacting you to make a deal. These can be very upsetting for the recipient. Whilst they are typically spam messages treat them seriously and report them if you feel it is necessary..."

- http://mobile.fbi.gov/pressrel/2007/extortion070707.htm
"...The message from the FBI... do NOT respond, and to file a complaint through the IC3.gov website. Due to the threat of violence in these extortion e-mails, if an individual receives an e-mail that contains personal information that might differentiate their e-mail from the general e-mail spam campaign, the recipient should contact the FBI immediately at 251-438-3674..."

:fear:

FYI...

Malicious Flash Banner Ad - USATODAY.com
- http://securitylabs.websense.com/content/Alerts/3061.aspx
04.08.2008 - "Websense® Security Labs™ has received reports of a malicious Flash banner ad on USATODAY.com, a prominent news web site. The banner ad leads to the download of various spyware and ransomware, appearing as legit anti-virus scanners to the uninitiated... More details about this malicious binary from Microsoft:
http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fRenos ..."

(Screenshots of banner ad from USATODAY at the Websense URL above.)
----------------------------

Flash Player version 9.0.124.0 released
- http://forums.spybot.info/showpost.php?p=180537&postcount=5
"...Adobe categorizes this as a -critical- update and recommends affected users upgrade to version 9.0.124.0..."

:fear::fear:

FYI...

- http://isc.sans.org/diary.html?storyid=4319
Last Updated: 2008-04-22 00:39:28 UTC - "...“Apocalyptic NEWS Usama Ben Laden” is being SPAMMED out with malicious links in it. This is an attempt to get people to load a version of Zlob. The links... are malicious. DO NOT VISIT THEM. Here is the VirusTotal report on the malware I found there: http://www.virustotal.com/analisis/a914b92b454eff25407a61fa52af9d67 ..."
[Result: 13/32 (40.62%)]

:fear:

FYI...

MySpace - Maximus root kit downloads...
- http://isc.sans.org/diary.html?storyid=4325
Last Updated: 2008-04-22 22:26:50 UTC - "...A reader, GreggS, provided a link to a myspace page with a specific friendid that has java script that popsup a transparent background gif on top of the normal user page. The transparent background gif appears to be a Automatic Update of the Microsoft Malicious Software Removal Tool. This is likely to fool a fair amount of people.
“Clicking anywhere on the page (on large css layer on top) and your browser initiates a download session from an ftp at microsofpsupports .cn and you are asked to download and/or run (no!) the file.
The "Automatic Update" (not "Windows Update") dialog is simply a gif image.
hxxp ://img404.imageshared.cn/img/20048/removaltool6gx87.gif “
This appears to be a new version of Maximus
Virustotal results here:
http://www.virustotal.com/analisis/3a29d07603a0430a74e8aa77bc81e6bb ..."
Result: 10/32 (31.25%)

- http://isc.sans.org/diary.html?storyid=4325
Last Updated: 2008-04-23 17:56:24 UTC ...(Version: 3)
"UPDATE - Thanks to Ned who pointed out that "!Maximus" is the name of the heuristic detection engine for F-Prot (and hence Authentium) rather than the name of the rootkit."

:fear:

FYI...

- http://isc.sans.org/diary.html?storyid=4346
Last Updated: 2008-04-26 18:23:13 UTC - "A new virus was submitted to us today by a friend of ours known as SPAM_Buster. The Spamvertized URL redirects to
hxxp ://www .tera .cartoes1.com/saudlov.scr
This thing had several download stages and to do a complete analysis could take a long time. Ultimately it is some type of spyware/Trojan. I will use VirusTotal and CWSandbox to analysis some of the binaries involved. Saudlov.src 12/32 “recognized” it. Virus Total Results
http://www.virustotal.com/analisis/021d7c1131b1130f35051d41dfb05370 ...
CWSandbox analysis for saudlov.scr
https://cwsandbox.org/?page=details&id=220785&password=vyagd
Interesting strings in sadlov.scr:
c:\windows\mdword.exe
hxxp ://caixa .nexenservices .com/game/game01.exe
c:\windows\mdword.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
hxxp ://www .terra .com .br/avisolegal/
Looks like it downloads game01.exe and something from
www[dot]terra[dot]com/br/avisolegal/
So I downloaded game01.exe and ran it thru VirusTotal. 1/32 “recognized” it. F-Secure called it "Suspicious:W32/Malware/Gemini"
http://www.virustotal.com/analisis/00e6839634881c4b247c0fa98332ea95 ..."
(Further analysis available at the ISC URL above)

- http://isc.sans.org/diary.html?storyid=4343
Last Updated: 2008-04-26 13:57:49 UTC - "There is something in the air at the moment... my mail box is chock a block full of SPAM this week... On Gmail I typically get 5-10 per week, now about 500. On my own mail the anti SPAM throws away a few hundred per week, this week about 2000..."
(Long list available at the ISC URL above)

:fear::fear:

FYI...

(A weekend mess/uptick of SPAM not helping any - AV's in "catch-up" mode.)

- http://mtc.sri.com/
Most Effective Antivirus Tools Against New Malware Binaries (only "Top 10" shown...)
Sat Apr 26 17:20:29 2008
detects = Antivirus system overall detection rate based on exposure to 1752 malware binaries
rank detects missed analyzed country vendor
1st 95% 78 1752 AT Ikarus Security Software
2nd 92% 133 1752 CZ Grisoft Inc
3rd 89% 182 1752 DE Avira
4th 89% 193 1752 RO BitDefender Inc
5th 88% 208 1752 US Secure Computing
6th 87% 222 1752 IN Quick Heal Technologies
7th 83% 284 1752 NO Norman Inc
8th 82% 309 1752 FI F-Secure Corporation
9th 82% 310 1752 RU Kaspersky Lab
10th 80% 334 1752 PL GNU Open Source..."
-----^^^

More...
- http://mtc.sri.com/live_data/av_rankings/

- http://isc.sans.org/diary.html?storyid=4346
Last Updated: 2008-04-26 18:23:13 UTC

- http://isc.sans.org/diary.html?storyid=4343
Last Updated: 2008-04-26 13:57:49 UTC

- http://www.virus-radar.com/index_c168h_enu.html

:fear::fear:

FYI...

- http://isc.sans.org/diary.html?storyid=4355
Last Updated: 2008-04-29 00:13:50 UTC - "Recently one of our readers, Doug, sent us an ASF file that does something interesting: when you open it in Windows Media Player, it will immediately launch Internet Explorer which will then prompt you to download an executable file. As I don't see this every day, I went to investigate this a bit further. According to Microsoft, the ASF file format (and possibly other formats) allows creation of a script stream. The script stream can use certain, simple, script commands in Windows Media Player. This information is available at http://msdn2.microsoft.com/en-us/library/aa390699(VS.85).aspx

Now, the malicious ASF file we received opened Internet Explorer with the URL pointing to
hxxp ://www.fastmp3player.com/affiliates/772465/1/?embedded=false.
This web site had a further 302 redirect to
hxxp: //www.fastmp3player.com/affiliates/772465/1/PLAY_MP3.exe
(both links are still working), which is some adware and is reasonably detected by 20 out of 32 AV programs on VirusTotal..."

:fear:

FYI...

- http://msmvps.com/blogs/spywaresucks/archive/2008/04/28/1607314.aspx
April 28, 2008 11:52 PM sandi - "The malvertizements discovered on Yahoo are STILL there..."

- http://msmvps.com/blogs/spywaresucks/archive/2008/04/27/1605974.aspx
April 27, 2008 12:21 PM by sandi - "Yahoo aren't listening... And still the problems continue... I wonder how many hits Yahoo gets per day, and how many people are being exposed to fraudware, while these advertisements are allowed to remain online..."

(Screenshots available at the URLs above.)

:fear::fear:

FYI...

- http://isc.sans.org/diary.html?storyid=4361
Last Updated: 2008-04-30 09:27:16 UTC - "Back in November last year we published a diary about Mac DNS changer malware*. The main idea about this was to let Mac users aware that the bad guys are not ignoring this platform any more... the way it was packed showed that the attackers meant real business. All the malware did was change local DNS servers to couple of servers in a known bad network, and tell the command and control server that a new victim is ready... Only couple of anti-virus programs detected the original sample (a DMG file). This improved a bit over the time, so when I tested the sample again today on VirusTotal, 10 anti-virus programs detected it... it changes the DNS servers and reports to a C&C server. However, one thing I noticed was that the attackers started obfuscating the installation code... it was enough to fool almost *all* anti-virus programs – according to VirusTotal, this new sample was detected by only 2 (!!) AV programs... same network as before, so make sure that you are monitoring any DNS requests going there since they indicate you have infected machines on your network..."
* http://isc.sans.org/diary.html?storyid=3595
Last Updated: 2007-11-02 02:36:39 UTC ...(Version: 2) - "... This is a professional attempt at attacking Mac systems... The second thing that folks at Sunbelt noticed ( http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html ) is that when they sent a sample to VirusTotal there were 0 (zero, nada, nilch) products that detected this..."

(More detail at each URL above)

--------------------------------------
Update...

Windows-malware already exists in some ZLOB variants (fake codecs) that will attempt the DNS client hijack - one reference:
- http://ca.com/us/securityadvisor/pest/pest.aspx?id=453119651
Latest DAT Release 03 13 2008 - "This fake codec is actually a hijacker that will change your DNS settings whether you acquire your IP settings through DHCP or set your IP information manually. This hijacker will attempt to re-route all your DNS queries through 85.255.x.29 or 85.255.x.121 (RBN).... rogue DNS servers..."

-or- SpybotS&D
- http://www.safer-networking.org/en/updatehistory/2007-02-02.html
Win32.DNSChanger
- http://www.safer-networking.org/en/updatehistory/2007-03-14.html
Zlob.DNSChanger

:fear:

FYI...

PHP multiple vulns - update available
- http://secunia.com/advisories/30048/
Release Date: 2008-05-02
Critical: Moderately critical
Impact: Unknown, Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: PHP 5.2.x
...The vulnerabilities are reported in versions prior to 5.2.6.
Solution: Update to version 5.2.6.
http://www.php.net/downloads.php

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2051
5/5/2008
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2050
5/5/2008
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0599
5/5/2008

:fear:

FYI...

- http://www.finjan.com/MCRCblog.aspx?EntryId=1949
May 07, 2008 - "During our ongoing research we came up against one curious site. The site is hacking/security oriented, and is written in Russian (hmm... last time I've checked it was in Netherlands), and not significantly different from many other similar sites. The same "news" section with recent exploits. The same "articles" section with same "How to get root on server" paper. And the forum with common "SQL Injection FAQ" thread for newbies. What makes difference is the "download" section.... I think it's the first time (we've seen) such a comprehensive, well arranged and recently updated collection of trojans, keyloggers, back-door web-shells and, the most interesting for us, attacker toolkits..."
(Screenshots available at the URL above.)
-----------------------------------------------

- http://www.finjan.com/Pressrelease.aspx?id...=1819&lan=3
May 6, 2008 - "Finjan... today announced its discovery of a server controlled by hackers (Crimeserver) containing more than 1.4 Gigabyte of business and personal data stolen from infected PCs. The data consisted of 5,388 unique log files. Both email communications and web-related data were among them. The compromised data came from all around the world and contained information from individuals, businesses, as well as renowned organizations, including healthcare providers. To illustrate the scope; the server contained among others 571 log files from the US, 621 from Germany (DE), 322 from France (FR), 308 from India (IN), 232 from Great Britain (GB), 150 from Spain (ES), 86 from Canada (CA), 58 from Italy (IT), 46 from the Netherlands (NL), and 1,037 from Turkey (TR). Due to the sheer impact, Finjan followed its company guidelines and promptly notified over 40 major international financial institutions located in the US, Europe and India whose customers were compromised as well as various law enforcements around the world.
The report contains examples of compromised data that Finjan found on the Crimeserver, such as:
* Compromised patient data
* Compromised bank customer data
* Business-related email communications
* Captured Outlook accounts containing email communication..."

:fear::fear:

FYI...

Neosploit Updated to Include an Acrobat Exploit
- http://preview.tinyurl.com/6mlnq6
05-05-2008 (Symantec Security Response Blog) - "On about April 18th, Symantec's DeepSight honeypots began capturing a new iteration of the Neosploit exploit toolkit. It appears that the pervasive exploit kit has been updated to take advantage of a circa February 2008 vulnerability in Adobe Acrobat Professional and Reader. What makes this attack vector of particular concern is that it will work reasonably silently through most browsers. If a user is enticed to a hostile Web site (who knows which ones are hostile these days) using the browser of their choice, it is reasonably likely that their computer will become infected provided that they have Acrobat installed on their computer. Although the vulnerability has been patched since early February, I suspect that many users have not applied this patch yet. We highly recommend that if you haven’t done so, go and get the latest patched versions of Adobe Acrobat Reader and Professional from here: http://www.adobe.com/support/security/advisories/apsa08-01.html ..."

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2042
Last revised: 5/8/2008

Security Updates available for Adobe Reader and Acrobat 7 and 8
- http://www.adobe.com/support/security/bulletins/apsb08-13.html
"...Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.2...
....Users with Adobe Reader 7.0 through 7.0.9, who cannot upgrade to Reader 8.1.2, should upgrade to Reader 7.1.0..."

Adobe Reader 7.1.0 released
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=3952
5/7/2008 - "The Adobe® Reader® 7.1.0 update addresses a number of customer issues and security vulnerabilities..."

Release notes:
- http://kb.adobe.com/selfservice/viewContent.do?externalId=kb403541&sliceId=1

:fear:

FYI...

- http://securitylabs.websense.com/content/Alerts/3089.aspx
05.09.2008 - "Websense... has detected malicious code hosted on China.com's game site. The malware is a variant of VBS/Redlof and is known to commonly infect files with the extension of "html", "htm", "php", "jsp", "htt", "vbs", and "asp". This malicious download (MD5: e6df57ea75a77112e94036e5138bd063) is placed in a directory that appears to be reserved for game patch downloads. This virus attempts to spread itself by infecting all outbound emails sent by the victim with MS Outlook or Outlook Express. More details on the Microsoft VM ActiveX component vulnerability (MS00-075*)..."
* http://www.microsoft.com/technet/security/bulletin/MS00-075.mspx

(Screenshot available at the Websense URL.)

:fear:

FYI...

- http://preview.tinyurl.com/5zvnrx
May 9, 2008 (Avert Labs blog) - "Sometime back we had come across this interesting vulnerability posted by a Chinese researcher in his blog, claiming to have found a zero day vulnerability in php 5.2.3. We got a chance to dig a bit deeper into this and were able to reproduce the vulnerability based on the information provided in the blog. After investigation, we found that this vulnerablility affects not only verion 5.2.3 but also version 5.2.5. It is a heap overflow which can be triggered when a web server with PHP receives a malformed URI request, it can be a simple request like “GET /index.php/aa HTTP/1.1″ . Successful exploitation of this can result in arbitrary code execution with the privileges of the WEB Server... We highly recommend users to update with the latest version of PHP 5.2.6 released*. This patch besides this issue, fixes a host of other security related fixes, some of which we deem as critical..."
* http://forums.spybot.info/showpost.php?p=188217&postcount=61

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0599
Last revised: 5/9/2008
CVSS v2 Base score: 10.0 (High)

:fear:

- http://isc.sans.org/diary.html?storyid=4421
Last Updated: 2008-05-15 23:16:38 UTC ...(Version: 3)
- http://www.us-cert.gov/current/#debian_openssl_vulnerability
May 15, 2008
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0166
Threatcon - Symantec
- http://www.symantec.com/security_response/threatconlearn.jsp
2008-05-16 05:28 - "ThreatCon is currently at Level 2: Elevated.
The ThreatCon is at level 2. Advisories have been released addressing an issue related to weak key generation in Debian and its variants, such as Ubuntu. Using a weak random number generator in the OpenSSL package, the system generates a weak key when installing services such as Secure Shell (SSH) and OpenVPN. To fix this issue, users are advised to apply available updates for the OpenSSL library and to regenerate all cryptographic keys generated previously by the library. Keys generated from GNUPG and GNUTLS packages are reportedly unaffected. Several tools are already available that allow a brute-force attack against the weak keys. H D Moore has released a database of all weak keys generated for a typical encryption key space:
( http://metasploit.com/users/hdm/tools/debian-openssl/ )
A script to brute-force the keys using that database has also been released on milw0rm by M. Mueller:
( http://www.milw0rm.com/exploits/5622 )
These tools could be used to bypass key-based login for shell services such as SSH. Other potential tools could be used to decrypt traffic such as login information or to forge digital signatures.
The Debian advisory addressing the issue provides information on how to tell if your system was using vulnerable keys. The following Debian and Ubuntu advisories are available:
DSA-1571-1 openssl -- predictable random number generator
( http://www.debian.org/security/2008/dsa-1571 )
USN-612-1: OpenSSL vulnerability
( http://www.ubuntu.com/usn/USN-612-1 ) ."

-----------

FYI...

- http://www.us-cert.gov/current/#cisco_releases_security_advisories2
May 22, 2008 - "Cisco has released three security advisories to address multiple vulnerabilities in Cisco IOS Secure Shell, Service Control Engine, and Voice Portal. These vulnerabilities may allow an attacker to take control of the affected system or cause a denial-of-service condition. US-CERT encourages users to review the following Cisco Security Advisories and apply any necessary updates or workarounds.

* Cisco IOS Secure Shell Denial of Service Vulnerabilities
- http://www.cisco.com/en/US/products/products_security_advisory09186a008099567f.shtml
* Cisco Service Control Engine Denial of Service Vulnerabilities
- http://www.cisco.com/en/US/products/products_security_advisory09186a008099bf65.shtml
* Cisco Voice Portal Privilege Escalation Vulnerability
- http://www.cisco.com/en/US/products/products_security_advisory09186a008099beae.shtml

:fear:

FYI...

- http://sunbeltblog.blogspot.com/2008/05/no-this-is-not-castlecops.html
May 22, 2008 - "No, this is not CastleCops
mezzicodec(dot)net masquerades as the legitimate CastleCops site... The site is mirroring, in near real-time, CastleCops. It seems to be primarily used for SEO purposes and possibly to steal valid user accounts, but could serve malware or exploits. Avoid this site."

- http://sunbeltblog.blogspot.com/2008/05/rash-of-fake-sites-copying-pc-world.html
May 22, 2008 - "As a follow-up to my post earlier today about a fake CastleCops page, there’s more to the story. There are other domains sharing the same IP (207.226.177.250):
pepato org
slim-cash com
spyware-wiper com
Cpaypal com
Crazycounter net
All are copying legitimate sites. Pepato is loading a fake dvdplanet.com page... These domains belong to the "Vladzone" malware gang. A while back, we believe that they were responsible for DDoS attacks against webhelper4u.com (Patrick Jordan, who works for Sunbelt) and spamhuntress.com — and maybe a few others. I would not visit these sites."

(Screenshots available at both Sunbeltblog URLs above.)

:fear::sad::mad::yuck:

FYI...

- http://secunia.com/advisories/30309/
Release Date: 2008-05-22
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: IBM Lotus Sametime 7.x, IBM Lotus Sametime 8.x
...Successful exploitation may allow execution of arbitrary code.
Solution: Update to version 8.0.1 or apply hotfix ICAE-7DPP83 for Lotus Sametime 7.5.1 Cumulative Fix 1 (CF1). Contact IBM support for the patch if Sametime 7.5.1 CF1 is not deployed or if unable to update to 8.0.1.
http://preview.tinyurl.com/5s6mz9
Original Advisory:
IBM: http://www-1.ibm.com/support/docview.wss?uid=swg21303920

- http://www.us-cert.gov/current/#ibm_lotus_sametime_vulnerability
May 22, 2008

- http://isc.sans.org/diary.html?storyid=4460
Last Updated: 2008-05-26 23:54:12 UTC - "Take a look at port 1533*. That's quite an increase in targeted computers reporting via DShield over the past few days..."

* http://isc.sans.org/port.html?port=1533
"...tcp 1533 used by Lotus Sametime for chat and awareness..."

:fear:

Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

- http://isc.sans.org/diary.html?storyid=4465
Last Updated: 2008-05-27 18:12:46 UTC ...(Version: 2) - "A vulnerability has been reported in Adobe Flash Player versions 9.0.124.0 and older, which is the current version available...
Update1: Symantec has observed that this issue is being actively exploited in the wild and have elevated their ThreatCon*.
Update2: A SecurityFocus article is now live here**."

ThreatCon is currently at Level 2: Elevated
* http://www.symantec.com/security_response/threatconlearn.jsp
"The DeepSight ThreatCon is being raised to Level 2 in response to the discovery of in-the-wild exploitation of an unspecified and unpatched vulnerability affecting Adobe Flash Player. The flaw occurs when processing a malicious SWF file. At the time of writing, details related to this vulnerability are scarce, but Symantec Security Response has been able to trigger the flaw in some scenarios. We're currently investigating the vulnerability to uncover additional details, including the sites used to host the attack... Currently two Chinese sites are known to be hosting exploits for this flaw: wuqing17173 .cn and woai117 .cn. The sites appear to be exploiting the same flaw, but are using different payloads... Network administrators are advised to blacklist these domains to prevent clients from inadvertently being redirected to them. Further analysis into these attacks, specifically the woai117 .cn attack, uncovered another domain involved dota11 .cn . We have discovered that this site is being actively injected into sites through what is likely SQL injection vulnerabilities. A google search reports approximately 20,000 web pages (not necessarily distinct servers or domains) injected with a script redirecting users to this malicious site..."

** http://www.securityfocus.com/bid/29386

Malicious swf files?
- http://isc.sans.org/diary.html?storyid=4468
Last Updated: 2008-05-27 18:46:44 UTC ...(Version: 2) - "...potentially malicious site found at hxxp ://www .play0nlnie .com/pcd/topics/ff11us/20080311cPxl31/07.jpg
The JPG file is actually a script... Unknown at this time if these SWF files are related to this vulnerability."

:fear:

FYI...

- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527
May 27, 2008 - 11:16 PM - "...important that you make sure you have updated your Adobe Flash Player to the latest version* (9.0.124.0 at the time of this writing)... it seems that several websites are now taking advantage of a flaw in the Adobe Flash Player previously covered by CVE-2007-0071**. It appears that Symantec started noticing this activity being exploited in the wild and initially labeled it a 0-day threat as they thought it affected 9.0.124.0. However, they have since posted an update*** potentially changing this view. Both Symantec and the Internet Storm Center have posted information surrounding the vulnerability and some of the websites that are actively exploiting it. It would appear this is in fact fully patched with the latest version and is the same vulnerability described by CVE-2007-0071. We decided to look into this a bit more and see what other websites are out there exploited this vulnerability and what they attempted to install. It did not take us long to find several other websites beyond those already mentioned. It would appear that this exploit has been pretty widely known within the Chinese community for the past two days or so... Did we mention that you should UPGRADE YOUR FLASH PLAYER (if you haven't already)? It's always a good idea to keep your software up-to-date, but it should surely be a priority to do so now..."

* http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash

** http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0071
Last revised: 4/25/2008 - "...Adobe Flash Player 9.0.115.0 and earlier..."

*** http://www.symantec.com/security_response/threatcon/index.jsp

- http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue_u_1.html
May 28, 2008 11:09AM - "...This exploit does NOT appear to include a new, unpatched vulnerability as has been reported elsewhere – customers with Flash Player 9.0.124.0 should not be vulnerable to this exploit. We’re still looking in to the exploit files, and will update everyone with further information as we get it, but for now, we strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0*..."
* http://www.adobe.com/go/getflashplayer

---------------

Retired: Adobe Flash Player SWF File Remote Code Execution Vulnerability
- http://www.securityfocus.com/bid/29386/discuss
Updated: May 28 2008 07:53PM - "...Further research indicates that this vulnerability is the same issue described in BID 28695** (Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability), so this BID is being retired."

** http://www.securityfocus.com/bid/28695/solution
"...The vendor released Flash Player 9.0.124.0 to address this issue..."

FYI...

- http://securitylabs.websense.com/content/Alerts/3096.aspx
05.29.2008 - "Websense... has detected thousands of web sites infected with the recent mass JavaScript injection that exploits a vulnerability in Adobe Flash (CVE-2007-0071*) to deliver its malicious payload... This vulnerability is not a 0-day and users with the latest version of Flash Player (version 9.0.124.0) are safe. However, there are still many on older versions of Flash that are unaware of this mass web infection and are susceptible to this drive-by attack. An update to the latest version of Flash Player is highly recommended**.
Websense ThreatSeeker has been tracking these malicious web sites and have discovered numerous reputable web sites that are now unwilling participants, infecting their very own visitors. These sites are from various industries such as government, education, healthcare, finance, media, and entertainment. This attack also attempts to exploit other popular vulnerabilities such as MDAC, RealPlayer, and various ActiveX controls... drive-by threat... site screenshots from: Microsoft, Dept. of Education (Australia), PBS, Durex, CDC (Centers for Disease Control and Prevention), Discovery Channel, various universities and a Pakistani district government."

* http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0071
Last revised: 4/25/2008 - "...Adobe Flash Player 9.0.115.0 and earlier..."

** http://www.adobe.com/go/getflashplayer

(Screenshots available at the Websense URL above.)

:fear:

FYI...

DHS PDF
- http://www.f-secure.com/weblog/archives/00001449.html
June 1, 2008 - "...The only information we have on this 130kB sample is that it was named f1be1cdea0bcc5a1574a10771cd4e8e8.pdf (after it's MD5 hash) and that it was submitted on the 23rd of May. 'Looks like a Department of Homeland Security form G-325A.
Look again. What's the filename? It's -not- f1be1cdea0bcc5a1574a10771cd4e8e8.pdf. It's 0521.pdf. This is -not- the document we opened. So what happens here? Apparently this PDF has been used in a targeted attack against an unknown target. When this PDF is opened in Acrobat Reader, it uses a known exploit to to drop files. Specifically, it creates two files in the TEMP folder: D50E.tmp.exe and 0521.pdf. Then it executes the EXE and launches the clean 0521.pdf file to Adobe Reader in order to fool the user that everything is all right. D50E.tmp.exe is a backdoor that creates lots of new files with innocent-sounding filenames, including:
\windows\system32\avifil16.dll
\windows\system32\avifil64.dll
\windows\system32\drivers\pcictrl.sys
\windows\system32\drivers\Nullbak.dat
\windows\system32\drivers\Beepbak.dat
The SYS component is a -rootkit- that tries to hide all this activity on the infected machine. The backdoor tries to connect to port 80 of a host called nbsstt .3322 .org. Anybody operating this machine would have full access to the infected machine. Well, 3322 .org is one of the well-known Chinese DNS-bouncers that we see a lot in targeted attacks. Does nbsstt mean something? Beats me, but Google will find a user with this nickname posting to several Chinese military-related web forums, such as bbs .cjdby .net. Where does nbsstt .3322 .org point to? IP address 125.116.97.19 is in Zhejiang, China. And it's live right now, answering requests at port 80."

(Screenshots available at the URL above.)

:fear:

FYI...

- http://www.skype.com/security/skype-sb-2008-003.html
Impact: Exploitation of this issue allows an attacker to execute arbitrary code on the targeted victim's machine. An attacker would need to construct a malicious file: URI and send it to the intended victim. Upon clicking the link execution of arbitrary code on the victim's machine will be possible.
Affected software: ...The following Skype clients are vulnerable to this attack:
Skype for Windows: All releases prior to and including 3.8.*.115
Solution: Skype has fixed the vulnerability in version 3.8.0.139
Download:
x86 platform, Microsoft Windows 2000 or Microsoft Windows XP: http://www.skype.com/download/skype/windows/
x86 platform, Linux: http://www.skype.com/download/skype/linux/
PPC and x86 platforms, Mac OS X v10.3.9 or later: http://www.skype.com/download/skype/macosx/
Pocket PC platform, Microsoft Windows Mobile 2003: http://www.skype.com/download/skype/pocketpc/

> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1805
Original release date: 6/6/2008

:fear:

FYI...

Security Update available for Adobe Reader and Acrobat 8.1.2
- http://www.adobe.com/support/security/bulletins/apsb08-15.html
Release date: June 23, 2008
Vulnerability identifier: APSB08-15
CVE number: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2641
Platform: All platforms
Affected software versions:
* Adobe Reader 8.0 through 8.1.2
* Adobe Reader 7.0.9 and earlier
* Adobe Acrobat Professional, 3D and Standard 8.0 through 8.1.2
* Adobe Acrobat Professional, 3D and Standard 7.0.9 and earlier
NOTE: Adobe Reader 7.1.0 and Acrobat 7.1.0 are not vulnerable to this issue. Adobe Reader 9 and Acrobat 9, expected to be available by July 2008, are also not vulnerable to this issue.

Summary:
A critical vulnerability has been identified in Adobe Reader and Acrobat 8.1.2. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Acrobat 8 and Adobe Reader install the 8.1.2 Security Update 1 patch.

Solution:
Acrobat 8 and Adobe Reader: Adobe recommends Adobe Reader 8 users update to Adobe Reader 8.1.2 Security Update 1, available at the links below:
For Windows: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3967
For Macintosh: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3966
Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.2 Security Update 1, available here: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3976
Adobe recommends Acrobat 8 users on Macintosh update to Acrobat 8.1.2 Security Update 1, available here: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3977
Adobe recommends Acrobat 3D Version 8 users on Windows update to Acrobat 3D Version 8.1.2 Security Update 1, available here: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3975
Users with Adobe Reader 7.0 through 7.0.9 should upgrade to Adobe Reader 7.1.0: http://www.adobe.com/go/getreader.
Acrobat 7
Adobe recommends Acrobat 7 users on Windows update to Acrobat 7.1.0, available here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Adobe recommends Acrobat 7 users on Macintosh update to Acrobat 7.1.0, available here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh

Severity rating:
Adobe categorizes this as an critical issue and recommends affected users update their installations...
NOTE: there are reports that this issue is being exploited in the wild..."

- http://blog.trendmicro.com/pdf-exploit-causes-bsod/
June 25, 2008 - "...According to the Adobe Security Bulletin on this issue*, the vulnerability exists in Adobe Reader 7.0.9 and earlier versions, 8.0 to 8.1.2, and in Adobe Acrobat 7.0.9 and earlier versions, 8.0 to 8.1.2... As of the most recent testing, TROJ_PIDIEF.AC is observed to download an info-stealer (mostly monitoring and gathering information about running processes, installed programs and system information) and a spammer which connects the compromised PC to a botnet. The common danger faced by users who encounter downloaders: you never really know what you’re going to get. Since malware writers have continuous access to the URL, they can update the downloaded file with different or more damaging payloads..."
* http://www.adobe.com/support/security/bulletins/apsb08-15.html
---

Adobe Reader patch, now you see it, now you don't
- http://news.cnet.com/8301-13554_3-9979638-33.html
June 27, 2008

:fear:

FYI...

- http://blogs.zdnet.com/security/?p=1356
June 26, 2008 - "What happens when the official domain names of the organizations that issue the domain names in general, and provide all the practical guidance on how (to) prevent DNS hijacking, end up having their own domain names hijacked? A wake up call for the Internet community. The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority were hijacked earlier today... NetDevilz left the following message on all of the domains:
“You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us? haha ... (Lovable Turkish hackers group)”..."
- http://www.zone-h.org/content/view/14973/30/
27 June 2008 - "...Hijacked domains include "icann.com", "icann.net", "iana.com" and "iana-servers.com". We reached the defacers by email but they refused to tell us how they changed the DNS records, however a cross-site scripting or cross-site request forgery vulnerability might have been exploited..."

(Screenshots available at the ZDnet URL above.)

:fear::spider::fear:

FYI...

- http://www.securityfocus.com/news/11526
2008-07-08 - "...The CERT vulnerability note* describing the issue lists more than 90 software developers and network equipment vendors that may be affected by the issue...Internet service providers and companies each received the fix on Tuesday... The goal: To have every major service provider and company apply their software patches in 30 days..."

* U.S.CERT: http://www.kb.cert.org/vuls/id/800113

- http://isc.sans.org/diary.html?storyid=4687
Last Updated: 2008-07-08 23:09:39 UTC ...(Version: 4)

Microsoft MS08-037: http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx
Internet Software Consortium (BIND): http://www.isc.org/sw/bind/bind-security.php ...

DNSSEC Overview: http://www.dnssec.org
DNSSEC Deployment Initiative: http://www.dnssec-deployment.org
DNSSEC HowTo: http://www.nlnetlabs.nl/dnssec_howto

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447
7/8/2008
- http://www.us-cert.gov/cas/techalerts/TA08-190B.html
7/8/2008

DNS Checker:
- http://www.doxpara.com/?p=1162
Dan Kaminsky - July 9, 2008

:fear:

FYI...

* http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html
Last Revised: 9 July 2008
"Overview: Microsoft Update KB951748 [MS08-037] is known to cause loss of internet access for ZoneAlarm users on Windows XP/2000. Windows Vista users are not affected.
Impact: Sudden loss of internet access
Platforms Affected: ZoneAlarm Free, ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Anti-Spyware, and ZoneAlarm Security Suite ...
Recommended Actions:
Download and install the latest versions which solve the loss of internet access problem here*..."

//

FYI...

Oracle Critical Patch Update Advisory - July 2008
- http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
2008-JUL-15 - Initial release
"...Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible..."

- http://isc.sans.org/diary.html?storyid=4732
Last Updated: 2008-07-15 20:45:56 UTC ...(Version: 2) - "...first time patches for BEA, Hyperion and TimesTen technology are included in the release. If you are running software from these recently-acquired vendors, please be aware..."

- http://www.us-cert.gov/current/#oracle_releases_critical_patch_update3
July 15, 2008 - "Oracle has released their Critical Patch Update for July 2008 to address 45 vulnerabilities across several products. This update contains the following security fixes:
* 11 updates for Oracle Database
* 3 updates for Times Ten In-Memory Database
* 9 updates for Oracle Application Server
* 6 updates for Oracle E-Business Suite and Applications
* 2 updates for Oracle Enterprise Manager
* 7 updates for Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne
* 7 updates for BEA Product Suite ..."

:fear::spider:

RE: http://forums.spybot.info/showpost.php?p=210672&postcount=77

FYI... http://isc.sans.org/diary.html?storyid=4765
Last Updated: 2008-07-22 11:01:30 UTC - "It seems the cat might be out of the bag regarding Dan Kaminsky's upcoming presentation at Blackhat. Since this now means the bad guys have access to it at will - I found the speculations using Google, I'm sure they have done so already, the urgency of patching your recursive DNS servers just increased significantly..."

- http://preview.tinyurl.com/64wtnc
July 21, 2008 (Computerworld)

- http://www.us-cert.gov/current/#dns_implementations_vulnerable_to_cache
updated July 22, 2008 - "...UPDATE: Technical details regarding this vulnerability have been posted to public websites. Attackers could use these details to construct exploit code. Users are encouraged to patch vulnerable systems immediately..."

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447
CVSS v2 Base score: 7.5 (High)

:fear:

FYI...

- http://securitylabs.websense.com/content/Alerts/3139.aspx
07.23.2008 - "...At time of this alert, an exploit targeting this flaw has been added to Metasploit, an open source penetration testing tool that is free and publicly available. The US-CERT advisory also makes the several important “DNS best practices” recommendations. Please reference the advisory for complete details. http://www.kb.cert.org/vuls/id/800113 "

- http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx
Revisions
• V2.1 (July 23, 2008): Affected Software table revised to add MS06-064, MS07-062, and MS08-001 as bulletins replaced by this update.

//

FYI...

DNS Exploit in the Wild...
- http://isc.sans.org/diary.html?storyid=4765
Last Updated: 2008-07-24 13:15:25 UTC ...(Version: 6) - "... A second module has been released for domains, which replaces the nameservers of the target domain. Unlike the first module which will not replace a cached entry, this exploit will do cache overwrites.
See http://blog.wired.com/27bstroke6/2008/07/dns-exploit-in.html
...Emerging Threats is offering a freely available snort signature* for DNS servers. As always, test before using in critical production environments."

* http://www.emergingthreats.net/content/view/87/1/
24 July 2008

:fear:

FYI...

- http://www.theregister.co.uk/2008/07/25/isps_slow_to_patch/
25 July 2008 - "More than two weeks after security researchers warned of a critical defect in the net's address lookup system, some of the world's biggest internet service providers - including AT&T, BT, Time Warner and Bell Canada - have yet to install a patch inoculating their subscribers against attacks. According to an informal survey of Register readers, 15 ISPs failed the "Check my DNS" test*... Now that attack code exploiting the vulnerability has been leaked into the wild, millions of subscribers are at risk of being silently redirected to impostor sites that try to install malware or steal sensitive information. Comcast and Plusnet were the only two ISPs we found that weren't vulnerable... Subscribers of ISPs that are still vulnerable ought to hardwire an alternate DNS server into their operating system. We're partial to OpenDNS**. They've been vulnerability free... Other ISPs that were reported vulnerable include: Skybroadband, Carphone Warehouse Broadband, Opal Telecom, T-Mobile, Videotron Telecom, Roadrunner, Orange, Enventis Telecom, Earthlink, Griffin Internet and Jazztel. Demon Internet was reported as potentially being vulnerable..."

* http://www.doxpara.com/

** http://opendns.org/

:fear:

FYI...

- http://db.tidbits.com/article/9706
24 Jul 2008 - "...Apple has yet to patch this vulnerability, which affects both Mac OS X and Mac OS X Server. While individual computers that look up DNS are vulnerable, servers are far more at risk due to the nature and scope of the attack. Apple uses the popular Internet Systems Consortium BIND DNS server which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date. All users of Mac OS X Server who use it for recursive DNS must immediately switch to an alternative* or risk being compromised and traffic being redirected..."

Apple server alternative:
* https://www.opendns.com/start?device=apple-osx-server

Apple client alternatives:
* OS X Leopard: https://www.opendns.com/start?device=apple-osx-leopard
* OS X Tiger: https://www.opendns.com/start?device=apple-osx-tiger
* OS 9: https://www.opendns.com/start?device=apple-os9

:fear:

FYI...

- http://www.securityfocus.com/brief/783
2008-07-28 - "A group of security researchers demonstrated on Monday one way to use the recent domain-name service (DNS) security issue to compromise computers by redirecting insecure update services to fake servers that install malicious code instead. The attack tool - dubbed Evilgrade by its creators at non-profit Infobyte Security Research - will enable penetration testers to exploit computers using the automated update feature of Sun Microsystems' Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad++, and Speedbit, according to the group*..."
* http://blog.metasploit.com/2008/07/evilgrade-will-destroy-us-all.html

:fear:

FYI...

DNS patches cause problems...
The patches have caused slowdown in servers running BIND and have have crippled some machines running Windows Server
- http://preview.tinyurl.com/65ujxu
July 29, 2008 (Infoworld) - "Patches released earlier this month to quash a critical bug in the DNS (Domain Name System) have slowed servers running BIND (Berkeley Internet Name Domain), the Internet's most popular DNS software, and crippled some systems versions of Windows Server. Paul Vixie, who heads the Internet Systems Consortium (ISC), the group responsible for the BIND software, acknowledged issues with the July 8 fix that was rolled out... Vixie wasn't specific about the extent of the performance problems facing high-volume DNS servers, but said that a second round of patches, due later this week, will remedy port allocation issues and "allow TCP queries and zone transfers while issuing as many outstanding UDP queries as possible." Versions of the second update, which will be designated P2 when they're unveiled, are currently available in beta form for BIND 9.4.3* and BIND 9.5.1**...
ISC wasn't the only vendor involved in first-round DNS patching that has issued a mea culpa. Two weeks ago, Microsoft confirmed that the July 8 DNS update, tagged as MS08-037, was crippling machines running Windows Small Business Server, a suite based on, among other programs, Windows Server 2003... Last Friday, the company unveiled a pair of support documents that spelled out the patch's unintended side effects, but also added Exchange Server 2003 and Internet Security and Acceleration (ISA) Server to the affected list***. A second issue involves every supported version of Windows, ranging from Windows 2000, XP and Vista to Server 2003 and Server 2008.****..."

* http://www.isc.org/sw/bind/view?release=9.4.3b2

** http://www.isc.org/sw/bind/view?release=9.5.1b1

*** http://support.microsoft.com//kb/956189
Last Review: July 25, 2008 - Revision: 1.0

**** http://support.microsoft.com/kb/956188
Last Review: July 25, 2008 - Revision: 1.1

:fear:

FYI...

Apple Security Update 2008-005...
- http://isc.sans.org/diary.html?storyid=4810
Last Updated: 2008-08-01 08:27:35 UTC - "Apple released their patch overnight... Most importantly it contains the workaround for the DNS bug CVE-2008-1447. Also included is an upgrade to PHP 5.2.6 (which was released in source code at http://www.php.net/ on May 1st). Seems we all need to urge Job's gang to release patches significantly faster: it's the price to pay to base parts of your system on open source code. Apple Mac OS X users get it though software update. As always it's one big patch, given that little choice, you'll want to PATCH NOW."

- http://support.apple.com/kb/HT2647
August 01, 2008

- http://www.apple.com/support/downloads/
07/31/2008

- http://secunia.com/advisories/31326/
Release Date: 2008-08-01
Critical: Highly critical
Impact: Security Bypass, Spoofing, Privilege escalation, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Apple Macintosh OS X ...
Solution: Apply Security Update 2008-005...

---

- http://isc.sans.org/diary.html?storyid=4810
Last Updated: 2008-08-01 20:06:50 UTC ...(Version: 3) "...UPDATE ...Apple might have fixed some of the more important parts for servers, but is far from done yet as all the clients linked against a DNS client library still need to get the workaround for the protocol weakness..."

---

Web-based DNS Randomness Test
- https://www.dns-oarc.net/oarc/services/dnsentropy

:fear:

FYI...

BIND: -P2 patches are released
- http://isc.sans.org/diary.html?storyid=4816
Last Updated: 2008-08-02 11:12:39 UTC - "As expected, the Internet Systems Consortium released patches today addressing stability and performance issues some of those having significant load on their systems were struggling with.
* BIND 9.5.0-P2: http://www.isc.org/sw/bind/view/?release=9.5.0-P2
* BIND 9.4.2-P2: http://www.isc.org/sw/bind/view/?release=9.4.2-P2
* BIND 9.3.5-P2: http://www.isc.org/sw/bind/view/?release=9.3.5-P2 ..."

:fear:

For the end-user, to recap all this, IMHO, the bottom line is here:

Web-based DNS Randomness Test
- https://www.dns-oarc.net/oarc/services/dnsentropy
Test My DNS

...and if you still have problems, go here and DO IT:
- http://www.opendns.com/


.

FYI...

- http://securitylabs.websense.com/content/Alerts/3151.aspx
08.06.2008 - "Websense... has discovered that a CNET Networks <http://www.cnet.com/about/?tag=ft> site has been compromised. The main page of the CNET Clientside Developer Blog contains malicious JavaScript code that de-obfuscates into an iframe that loads its primary malicious payload from a different host.

The malicious code is observed to exploit a known integer overflow vulnerability in Adobe Flash ( http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0071 ). At the time of this alert, the site is still hosting the malicious code. Visitors who are not patched against this vulnerability will be infected without any user interaction.
Software vulnerable to this attack includes:
- Adobe, Flash Player, 9.0.115.0*, and previous
- Adobe, Flex, 3.0
- Adobe, AIR, 1.0 ..."

(Screenshot available at the Websense URL above.)

* http://www.adobe.com/go/getflashplayer
Current Adobe Flash Player version 9.0.124.0

:fear::spider:

FYI...

- http://securitylabs.websense.com/content/Alerts/3163.aspx
08.19.2008 - "Websense... has detected that the DNS cache on the default DNS server used by the customers of China Netcom (CNC) has been poisoned. When China Netcom customers mistype and enter an invalid domain name, the poisoned DNS server directs the visitor's browser to a page that contains malicious code. China Netcom is among the top ISPs in that country.
When users mistype a domain name, they are sometimes directed by their ISPs to a placeholder Web site with generic advertisements. This is typically an additional revenue source for the ISP. In the case of CNC, customers of this prominent ISP are directed to a Web site under the control of an attacker. These malicious sites contain an iframe with malicious code that attempts to exploit, among other applications and plug-ins, the Microsoft Snapshot Viewer vulnerability... The malicious iframe points to a server in China hosting exploits for RealPlayer, MS06-014, MS Snapshot Viewer and Adobe Flash player..."

(Screenshots available at the URL above.)

:fear::fear:

FYI...

- http://isc.sans.org/diary.html?storyid=4919
Last Updated: 2008-08-22 14:51:00 UTC - "A RedHat list post* acknowledges that last week "some Fedora servers were illegally accessed. The intrusion into the servers was quickly discovered, and the servers were taken offline. Security specialists and administrators have been working since then to analyze the intrusion and the extent of the compromise as well as reinstall Fedora systems".
* https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html

===

- http://isc.sans.org/diary.html?storyid=4921
Last Updated: 2008-08-22 15:45:39 UTC ...(Version: 2) - "...RedHat has released "shell script* which lists the affected packages and can verify that none of them are installed on a system".
* http://www.redhat.com/security/data/openssh-blacklist.html

:fear::fear:

FYI...

- http://isc.sans.org/diary.html?storyid=4937
Last Updated: 2008-08-26 21:52:26 UTC - "...Sources of compromised keys could include the weak key vulnerability in Debian-based systems a few months ago, so if you haven't updated and replaced those keys, you ought to do so now. The biggest defense is to have any keys, especially those used to authenticate to remote machines and certainly internet facing ones, require a passphrase to use. Check your logs, especially if you use SSH key-based auth, to identify accesses from remote machines that have no business accessing you. If you have IPs, that would be good. To detect if you have Phalanx2, look for /etc/khubd.p2/ (access by cd, not ls) or any directory that is called "khubd.p2". /dev/shm/ may contain files from the attack as well. Tripwire, AIDE and friends should also be able to detect filesystem changes."

- http://www.us-cert.gov/current/#ssh_key_based_attacks
August 26, 2008 - "US-CERT is aware of active attacks against linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as "phalanx2" is installed.
Phalanx2 appears to be a derivative of an older rootkit named "phalanx". Phalanx2 and the support scripts within the rootkit, are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site. Detection of phalanx2 as used in this attack may be performed as follows:
* "ls" does not show a directory "/etc/khubd.p2/", but it can be entered with "cd /etc/khubd.p2".
* "/dev/shm/" may contain files from the attack.
* Any directory named "khubd.p2" is hidden from "ls", but may be entered by using "cd".
* Changes in the configuration of the rootkit might change the attack indicators listed above. Other detection methods may include searching for hidden processes and checking the reference count in "/etc" against the number of directories shown by "ls".

US-CERT encourages administrators to perform the following actions to help mitigate the risks:
* Proactively identify and examine systems where SSH keys are used as part of automated processes. These keys will typically not have passphrases or passwords.
* Encourage users to use the keys with passphrase or passwords to reduce the risk if a key is compromised.
* Review access paths to internet facing systems and ensure that systems are fully patched.

If a compromise is confirmed, US-CERT recommends the following actions:
* Disable key-based SSH authentication on the affected systems, where possible.
* Perform an audit of all SSH keys on the affected systems.
* Notify all key owners of the potential compromise of their keys.
US-CERT will provide additional information as it becomes available."

:fear::mad::fear:

FYI...

- http://preview.tinyurl.com/5e65le
September 5, 2008 (Computerworld) - "...Symantec urged users* of Norton Internet Security 2008 to first update to Version 15.5, which in turn would allow them to download and install a Firefox 3.0 compatibility update. A separate Firefox 3.0 compatibility patch is available for Norton 360**. Both patches can be obtained by launching Symantec's Live Update feature from within the security applications. This wouldn't be the first time that Symantec's Norton software has created problems for other vendors.."

* http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=3365

** http://community.norton.com/norton/board/message?board.id=Norton_360&thread.id=1475

:thud: :sad:

FYI...

Vista 'BSOD' caused by iTunes 8.0
- http://preview.tinyurl.com/4xaol6
September 11, 2008 (Computerworld) - "Apple Inc.'s latest version of iTunes crashes Windows Vista when an iPod or iPhone is connected to the PC, scores of users have reported on Apple's support forum..."


:fear:

FYI...

Cisco - multiple alerts
- http://www.us-cert.gov/current/#cisco_releases_security_alerts
September 24, 2008 - "Cisco has released multiple security alerts to address vulnerabilities in the Unified Communications Manager and IOS. These vulnerabilities may allow a remote unauthenticated attacker to cause a denial-of-service condition, obtain sensitive information, or operate with escalated privileges..."

Direct links available here:
- http://www.cisco.com/en/US/products/products_security_advisories_listing.html
(See those dtd. 24-Sept-2008)

Cisco IOS multiple vulnerabilities
- http://secunia.com/advisories/31990/
Release Date: 2008-09-25
Critical: Moderately critical

ISC analysis
- http://isc.sans.org/diary.html?storyid=5078
Last Updated: 2008-09-26 03:16:41 UTC

:fear:

FYI...

- http://www.us-cert.gov/current/#adobe_pdf_exploit_toolkits_circulating
September 25, 2008 - "US-CERT is aware of public reports* of improved attack toolkits for exploiting vulnerabilities in PDF reader software..."

* http://www.trustedsource.org/blog/153/Rise-Of-The-PDF-Exploits
September 22, 2008 - "...Secure Computing... spotted a new and yet unknown exploit toolkit which exclusively targets Adobe’s PDF format. This toolkit is dubbed the “PDF Xploit Pack”... This new toolkit targets only PDFs, no other exploits are used to leverage vulnerabilities. Typical functions like caching the already infected users are deployed by this toolkit on the sever-side. Whenever a malicious PDF exploit is successfully delivered, the victim’s IP address is remembered for a certain period of time. During this “ban time” the exploit is not delivered to that IP again, which is another burden for incident handling. Other existing toolkits have also been enhanced with PDF exploits lately..."

** http://www.trustedsource.org/blog/118/Recent-Adobe-Reader-vulnerability-exploited-in-the-wild
"...users should make sure to upgrade to Adobe Reader 8.1.2*** as soon as possible..."
*** http://www.adobe.com/support/security/#readerwin

:fear:

FYI...

- http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt089.shtm
October 2008 - "If the recent changes in the financial marketplace have you confused, you’re not alone. The financial institution where you did business last week may have a new name today, and your checks and statements may come with a new look tomorrow. A new lender may have acquired your mortgage, and you could be mailing your payments to a new servicer. Procedures for the banking you do online also may have changed. According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, the upheaval in the financial marketplace may spur scam artists to phish for your personal information.
Phishers may send attention-getting emails that look like they’re coming from the financial institution that recently acquired your bank, savings and loan, or mortgage. Their intent is to collect or capture your personal information, like your credit card numbers, bank account information, Social Security number, passwords, or other sensitive information. Their messages may ask you to “update,” “validate,” or “confirm” your account information..."

(More detail at the URL above.)

:fear::fear:

FYI... http://isc.sans.org/diary.html?storyid=5312
Last Updated: 2008-11-07 15:54:09 UTC - "...at the time of writing this article, according to VirusTotal 0 (yes – ZERO) AV products detected this malicious PDF. Very, very bad. The payload is in a JavaScript object embedded in the PDF document... if you haven't patched your Adobe Reader installations – do it ASAP as the attacks are in the wild."
---

Security Update available for Adobe Reader 8 and Acrobat 8
- http://www.adobe.com/support/security/bulletins/apsb08-19.html
Release date: November 4, 2008
Vulnerability identifier: APSB08-19 ...
Platform: All Platforms
Summary:
Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.2 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe Reader 9 and Acrobat 9 are -not- vulnerable to these issues.
Adobe recommends users of Acrobat 8 and Adobe Reader 8 who can’t update to Adobe Reader 9 install the 8.1.3 update to protect themselves from potential vulnerabilities...

Adobe Reader:
> Adobe recommends Adobe Reader users update to Adobe Reader 9, available here:
http://www.adobe.com/go/getreader [AdbeRdr90_en_US.exe]
> Users with Adobe Reader 8.0 through 8.1.2, who can’t update to Adobe Reader 9, should update to Adobe Reader 8.1.3:
http://www.adobe.com/products/acrobat/readstep2_allversions.html [AdbeRdr813_en_US.exe] ..."

- http://secunia.com/advisories/29773
Last Update: 2008-11-05
Critical: Highly critical
Impact: Privilege escalation, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Acrobat 3D 8.x, Adobe Acrobat 8 Professional, Adobe Acrobat 8.x. Adobe Reader 8.x
Solution: Upgrade to version 9 or update to version 8.1.3...

:fear::fear:

---
If you were thinking of replacing your Adobe Reader with Foxit, -now- would be the time...

Adobe Reader v9... 33.5MB
- http://www.adobe.com/go/getreader
-OR-
- http://www.foxitsoftware.com/downloads/
Latest version: Foxit Reader 2.3 (.exe) 2.3 Build 3309 - 2.57 MB - 10/14/08

- http://asert.arbornetworks.com/2008/11/pdf-exploit-in-the-wild-and-how-to-decode/
November 7th, 2008 - "...We keep seeing Acrobat get hosed with JS exploits, this won't be the last time."

:wink:

More PDF exploits...

- http://blog.trendmicro.com/adobe-reader-vulnerability-actively-being-exploited/
Nov. 11, 2008 - "Several active exploits targeting a vulnerability in Adobe Reader are now in the wild... Users with unpatched Adobe Reader software may be infected when they unknowingly access a certain remote website or are redirected there from malicious banners and ads. Upon execution, TROJ_PIDIEF.CB could crash Reader and then allow a malicious user to take control of an affected system. This compromises system security and exposes it to more threats as malicious users could easily dump adware and malicious programs..."

:fear::spider:

FYI...

Adobe Reader v9 users w/AIR v1.1 installed
- http://isc.sans.org/diary.html?storyid=5363
Last Updated: 2008-11-17 22:21:15 UTC - "...Adobe has released a bulletin and update to Adobe AIR* that they classify as critical. It fixes some of the same vulnerabilities announced earlier in Flash player. Time to update if you are using AIR..."
* http://www.adobe.com/support/security/bulletins/apsb08-23.html

> http://get.adobe.com/air/
Adobe AIR v1.5 Installer
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5108

- http://secunia.com/advisories/32772/
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

:fear:

FYI...

How to Protect Your Wi-Fi Network from the WPA Hack
- http://lifehacker.com/5079721/how-to-protect-your-wi+fi-network-from-the-wpa-hack
Nov 7 2008 - "WEP Wi-Fi security has been known as an easy-to-crack security protocol for a while now, which is why it was superseded by the more secure Wi-Fi Protected Access (WPA) standard. But now a PhD candidate studying encryption has found an exploit in the WPA standard that would allow a hacker to "send bogus data to an unsuspecting WiFi client," completely compromising your Wi-Fi security and opening your network to all sorts of hacking. Lucky for you, it's not terribly difficult to protect yourself against the new exploit.
The key: Just log into your router, switch off Temporal Key Integrity Protocol (TKIP) as an encryption mode, and use Advanced Encryption System (AES) only. TKIP is the only protocol that the hack applies to, so switching to AES-only will ensure that your Wi-Fi network is safe again. It's quick and easy, so do yourself a favor and make the adjustment now so you don't run into any problems in the future."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5230
Last revised: 11/26/2008

:fear:

FYI...

- http://www.viruslist.com/en/weblog?weblogid=208187605
November 21, 2008 - "Some of you might have seen the blogpost* that our colleague Ryan Naraine has put at ZDNET about malware being distributed along with a pack of Lenovo Thinkpad drivers. Here are some more details on that story. Working together with fellow researchers in Microsoft we discovered an URL that pointed to a file on IBM’s ftp site that looked like a false positive, so we sent them a ‘heads up’ message. Careful analysis of the file, which was named ‘q3tsk04us13.exe’ (Lenovo Trust Key Software for WinXP) showed that the file in question did indeed contain a virus named Virus.Win32.Drowor.a. Luckily, the virus was broken and it didn’t work. Naturally, we've notified IBM immediately – and IBM took the file offline... We’d like to salute IBM's prompt response and to thank our friends at MS for their initial analysis."
(Screenshot available at the URL above.)

* http://blogs.zdnet.com/security/?p=2203

:fear:

FYI...

- http://www.theregister.co.uk/2008/12/03/checkfree_hijacked/
3 December 2008 - "Online payment service CheckFree lost control of at least two of its domains on Tuesday in an attack that sent customers to servers run by a notorious crime gang believed to be based in Eastern Europe... Security experts say the 91.203.92.63 IP address has long served as a conduit for online crime. Spamhaus offers this laundry list* of alleged dirty deeds that includes running botnet command channels and various drive-by download sites. According to security researcher Paul Ferguson of anti-virus software provider Trend Micro, the IP address was recently observed handing off booby-trapped PDF files that infected those unfortunate enough to open them... It's unclear how long checkfree .com and mycheckfree .com were redirected to the rogue servers or whether customers have been warned they may have been compromised... It's also unclear how the culprits managed to hijack the domains. While security experts say DNS poisoning wasn't out of the question, the more likely explanation is malicious transfer of the domains through their registrar..."
* http://www.spamhaus.org/sbl/listings.lasso?isp=uatelecom.co.ua

Follow-up...
- http://voices.washingtonpost.com/securityfix/2008/12/hackers_hijacked_large_e-bill.html
December 3, 2008 - "... CheckFree regained control over its site by 5 a.m. on Dec. 2... It appears hackers were able to hijack the company's Web sites by stealing the user name and password needed to make account changes at the Web site of Network Solutions, CheckFree's domain registrar... a spokeswoman for the Herndon, Va., based registrar, said that at around 12:30 a.m. Dec. 2, someone logged in using the company's credentials and changed the address of CheckFree's authoritative domain name system (DNS) servers to point CheckFree site visitors to the Internet address in the Ukraine..."

:fear::mad::fear:

FYI...

- http://isc.sans.org/diary.html?storyid=5434
Last Updated: 2008-12-05 00:29:47 UTC - "Fellow researchers from Symantec posted technical details about an interesting variant of a well known DNSChanger malware. The analysis is available at http://www.symantec.com/security_response/writeup.jsp?docid=2008-120318-5914-99&tabid=1
The DNSChanger malware has been in the wild for quite some time and already drew our attention previously when authors started attacking popular ADSL modems. As the name says, the malware changed DNS server settings, typically to servers in the "popular" 85.255 network. We published several diaries about this malware, the most recent one... is available at http://isc.sans.org/diary.html?storyid=5390 . The evolution went from changing local DNS servers in the operating system (for both Windows and Mac!) to changing DNS server settings in ADSL modems/routers/cable modems. The malware described by Symantec goes a step further – it installs a rogue DHCP server on the network... we can confirm that this malware is in the wild. What does it do? The malware installs a legitimate driver, NDISProt which allows it to send and receive raw Ethernet frames. Once the driver is installed, the malware "simulates" a DHCP server. It starts monitoring network traffic and when it sees a DHCP discover packet it replies with its own DHCP Offer packet. As you can guess, the offered DHCP lease will contain malicious DNS servers... While not too sophisticated, the whole attack is very interesting. First, it's about a race between the rogue DHCP server and the legitimate one. Second, once a machine has been poisoned it is impossible to detect how it actually got poisoned in the first place – you will have to analyze network traffic to see the MAC address of those DHCP Offer packets to find out where the infected machine actually is. As we wrote numerous times before, it's probably wise to at least monitor traffic to 85.255.112.0 – 85.255.127.255, if not block it."
Also see: https://forums.symantec.com/syment/blog/article?blog.id=emerging&thread.id=118
12-04-2008

- http://isc.sans.org/diary.html?storyid=5437
Last Updated: 2008-12-05 00:30:36 UTC - "...a new wave of rogue "Flash Player" updates is making the rounds. This latest version is pretty artfully done - the pages hosting this malware actually do contain a real flash movie that is not malicious and plays in a Youtube-like embedded frame. After the movie has been running for a couple seconds though, a pop-up opens that indicates that a "Flash Player Update is available". It all looks credibly enough like one of those usual auto-update pop-ups, but if you click OK, you get an EXE which isn't really a Flash player update of course. So far, the URLs where the malware is coming from all seem to have in common that port 7777 is used. This is rare enough that trolling through your proxy logs for any of your users going to a URL containing :7777/dt might give you a better indication than your anti-virus. Because AV coverage (VirusTotal*) is only slowly improving."
* http://www.virustotal.com/analisis/17fa41ce1d124a653141a7469f9d0e5a

:fear::mad::fear::mad:

FYI...

- http://blog.trendmicro.com/most-abused-infection-vector/
Dec. 7, 2008 - "We gathered malware data from January to November 2008 to give us an idea of just how dangerous surfing the Internet is. We analyzed the arrival methods of the top 100 malware infecting the most number of systems for the said period... a majority of the top 100 malware that was most prevalent during this year arrived by surfing malicious or unknown sites. A sad confirmation that despite all awareness campaigns for safe computing, users still tend to victimize themselves out of curiosity."

Coverage: Malware Analyzed by Trend Micro Researchers
Date Range: January 1, 2008 to November 25, 2008

(Charts available at the URL above.)

:fear:

FYI...

- http://www.theregister.co.uk/2008/12/09/stolen_german_bank_accounts_for_sale/
9 December 2008 - "Identity thieves who claim they stole details of 21 million German bank accounts are offering to sell the data on the black market for €12 million (US $15.3 million), a German magazine reported over the weekend. To prove they weren't bluffing, the crooks produced the compact disc containing the names, addresses, phone numbers, birthdays account numbers, and bank routing numbers of 1.2 million accounts. Two investigative reporters for WirtschaftsWoche* say they obtained the CD during a face-to-face meeting at a hotel in Hamburg with two individuals involved with the theft. The journalists were posing as interested buyers working for a gambling operation. "We took away with us the first delivery, a CD with 1.2 million accounts, that we couldn't imagine," said one of the editors overseeing the investigation. "In the worst case, three out of four German households would have to be afraid that some money could be taken from their checking account without their authorisation, and perhaps even without their realising it," the magazine stated. The information was most likely collected from call center employees, the magazine said. It's Germany's second mega heist of personal information in as many months. In October, T-Mobile admitted losing records belonging to 17 million customers that included their names, addresses, dates of birth, phone numbers, and email addresses..."
* http://preview.tinyurl.com/6drwpg
(Untranslated - in German)

:fear::mad::sad::devil:

FYI...

QuickTime v7.6 released
- http://support.apple.com/kb/HT3403
January 21, 2009

Download:
- http://support.apple.com/downloads/QuickTime_7_6_for_Windows

- http://www.us-cert.gov/current/#apple_releases_quicktime_7_6

- http://secunia.com/advisories/33632/
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Apple QuickTime 7.x ...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0001
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0002
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0003
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0004
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0005
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0006
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0007
...Successful exploitation of these vulnerabilities may allow execution of arbitrary code.
Solution: Update to version 7.6 ...

:fear:

FYI...

- http://www.intego.com/news/ism0901.asp
January 22, 2009 - "Intego has discovered a new Trojan horse, OSX.Trojan.iServices.A, which is currently circulating in copies of Apple’s iWork 09 found on BitTorrent trackers and other sites containing links to pirated software. The version of iWork 09, Apple’s productivity suite, are complete and functional, but the installer contains an additional package called iWorkServices.pkg... When installing iWork 09, the iWorkServices package is installed. The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer’s request of an administrator password... Intego is issuing this alert to warn Mac users not to download iWork 09 installers from sites offering pirated software. (As of 6 am EST, at least 20,000 people have downloaded this installer.) The risk of infection is serious, and users may face extremely serious consequences if their Macs are accessible to malicious users. Intego VirusBarrier X4 and X5 with virus definitions dated January 22, 2009 or later protect against this Trojan horse. Intego recommends that users never download and install software from untrusted sources or questionable web sites..."

- http://voices.washingtonpost.com/securityfix/2009/01/pirated_iwork_software_infects.html
"Update, 11:16 p.m. ET: ...While the attackers may indeed be targeting other sites, dollarcardmarketing .com remains under a fairly consistent DDoS attack as of this writing..."

:fear:

FYI...

Novell releases updates for GroupWise
- http://www.us-cert.gov/current/#novell_releases_updates_for_groupwise
January 30, 2009 - "Novell has released updates for GroupWise 7 and 8 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, compromise a GroupWise account, conduct cross-site scripting attacks, or obtain sensitive information. US-CERT encourages users to review the Novell download page* and apply the appropriate patch to help mitigate the risks."
* http://preview.tinyurl.com/4et673

- http://secunia.com/advisories/33744/
Release Date: 2009-02-02
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, DoS, System access
Where: From remote
Solution Status: Vendor Patch...

:fear:

FYI...

- http://isc.sans.org/diary.html?storyid=5779
Last Updated: 2009-01-31 18:17:26 UTC - "... it appears to be reporting that every site might contain malware (i.e. it shows the "This site may harm your computer" warning with every result)...UPDATE X3: Google's reponse*..."

Google: This Internet May Harm Your Computer
- http://voices.washingtonpost.com/securityfix/2009/01/google_this_internet_will_harm.html
January 31, 2009 - "A glitch in a computer security program embedded deeply into Google's search engine briefly prevented users of the popular search engine from visiting any Web sites turned up in search results this morning. Instead, Google users were redirected to page that warned: "This site may harm your computer"..."
* http://googleblog.blogspot.com/2009/01/this-site-may-harm-your-computer-on.html
January 31, 2009 - "...the URL of '/' was mistakenly checked in as a value to the file and '/' expands to all URLs. Fortunately, our on-call site reliability team found the problem quickly and reverted the file. Since we push these updates in a staggered and rolling fashion, the errors began appearing between 6:27 a.m. and 6:40 a.m. and began disappearing between 7:10 and 7:25 a.m., so the duration of the problem for any particular user was approximately 40 minutes..."
- http://blog.stopbadware.org/2009/01/31/google-glitch-causes-confusion
January 31, 2009 - "...Users who attempted to click through the results saw the "interstitial" warning page that mentions the possibility of badware and refers people to StopBadware.org for more information. This led to a denial of service of our website, as millions of Google users attempted to visit our site for more information... [Update 2:35] Hopefully this will be the last update, as Google has acknowledged the error, apologized to its customers, and fixed the problem. As many know, we have a strong relationship with Google, which is a sponsor and partner of StopBadware.org. The mistake in Google’s initial statement, indicating that we supply them with badware data, is a common misperception. We appreciate their follow up efforts in clarifying the relationship on their blog and with the media. Despite today’s glitch, we continue to support Google’s effort to proactively warn users of badware sites, and our experience is that they are committed to doing so as accurately and as fairly as possible..."

:spider::lip::red:

FYI...

- http://preview.tinyurl.com/cjkx72
February 20, 2009 (Computerworld) - "...nearly one-third of the estimated 200,000 DNS servers worldwide still remain unprotected against the cache-poisoning threat and need to be patched as soon as possible, Kaminsky said, adding that many of them are being attacked on a daily basis. "We are seeing attacks where people are redirecting major sites to places where they shouldn't be going," he said. "It's happening right now." The cache-poisoning flaw was publicly disclosed last July... The flaw could be used by attackers to spoof DNS traffic, potentially enabling them to redirect Web traffic and e-mail messages to systems under their control..."

Web-based DNS Randomness Test
- https://www.dns-oarc.net/oarc/services/dnsentropy
Test My DNS

...and if you are still having problems, try this:
- http://www.opendns.com/

.

FYI...

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=215600307
March 2, 2009 - "IBM said a recent firmware update could cause the Seagate disk drives on more than two dozen models of its business servers to fail, leading to a situation that could cause customers to lose access to critical corporate data. In a current support bulletin*, the company said the bug affects a range of models in its BladeCenter, xSeries, and System x lines of servers. "After a power cycle, the SATA drive is no longer available and becomes unresponsive," IBM warned. "Data may become inaccessible due to the drive not responding," according to the bulletin, which lists numerous IBM server configurations at risk from the problem. IBM said customers should use the ServeRAID manager or other tools to determine their disk drive model and firmware. IBM said it plans to fix the problem in a firmware update "scheduled for first quarter 2009." The company did not offer further specifics on a release date. The update, when available, will be accessible as a download from IBM's System x support Web site... IBM said the warning applies to server products sold worldwide."
* http://preview.tinyurl.com/c8fy3l
Last modified: 2009-02-18

:fear::sad::fear:

FYI...

- http://isc.sans.org/diary.html?storyid=6001
Last Updated: 2009-03-11 00:34:49 UTC - "...attackers used ARP spoofing to inject malicious JavaScript into content served off other web sites. The biggest problem with such attacks is that it can be very difficult to analyze them unless you remember to check layer two network traffic. Such attacks are very covert and put in danger all web sites in the same subnet...
ARP spoofing attacks happen on layer two – the Address Resolution Protocol maps IP addresses and MAC addresses, which is what is used to communicate in local subnets... The basic idea of an ARP spoofing attack is for the attacker to spoof IP address <-> MAC address pair of the default gateway. This allows him to intercept (and, if needed modify) all outgoing traffic from that subnet. The attacker can also spoof the IP address <-> MAC address pair of a local server in which case he could monitor incoming traffic, but in this scenario that was not necessary. The spoofing attack consists of the attacker sending ARP packets containing fake data to the target. In normal conditions the target machine will accept this and “believe” whatever the attacker is saying...
A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned local subnet so the outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how this is fruitful for the attacker – with one compromised server they can effectively attack hundreds of web sites...
AV detection rates were similarly poor (in the mean time they improved). Particularly nasty was the Winlogon Notify hook package which simply “sniffs” all usernames/passwords of users logging in to the system (so password changes don’t help)..."

(More detail at the ISC URL above.)

> http://en.wikipedia.org/wiki/ARP_spoofing

:fear::fear:

FYI...

- http://isc.sans.org/diary.html?storyid=6025
Last Updated: 2009-03-16 19:49:12 UTC - "...new version of rogue DHCP server malware... The malware appears to be similar to Trojan.Flush.M which was found last December. Like back then, after infecting its target, the malware installs a rogue DHCP server. The main goal of the DHCP server is to spread a bad DNS server IP address... summary of the differences:
• The new version sets the DHCP lease time to 1 hour.
• It sets the MAC destination to the broadcast address, rather then the MAC address of the DHCP client.
• It does not specify a DNS Domain Name.
• The options field does not contain an END option followed by PAD options.
• Unlike Trojan.Flush.M, the BootP Broadcast Bit is set.

The malicious DNS server is 64.86.133.51 and 63.243.173.162.
Recommendation: Monitor connections to DNS servers other then the approved one pushed out by your DHCP server. This should help you spot this kind of malware. Yes, you can block the two IP addresses listed above, but it will likely do little good."

:fear::fear:

FYI...

- http://www.us-cert.gov/current/index.html#autonomy_keyview_sdk_vulnerability
March 18, 2009 - "US-CERT is aware of reports of a vulnerability that affects the Autonomy KeyView SDK wp6sr.dll library. This library is used by certain products, including Lotus Notes and Symantec, to support the handling of Word Perfect documents. By convincing a user to open a specially crafted Word Perfect document with an application using the affected Autonomy KeyView SDK library, a remote attacker may be able to execute arbitrary code...
• IBM Lotus Notes users should review the IBM Flash Alert and implement the listed fixes or workarounds.
http://www-01.ibm.com/support/docview.wss?uid=swg21377573
• Symantec users should review Symantec Security Advisory SYM09-004 and implement the listed fixes or workarounds.
http://www.symantec.com/avcenter/security/Content/2009.03.17a.html
• Registered Autonomy Users should review the related Autonomy alert (login required).
https://customers.autonomy.com/support/secure/docs/Updates/Keyview/Filter%20SDK/10.4/kv_update_nti40_10.4.zip.readme.html ..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4564
Last revised: 03/20/2009
CVSS v2 Base Score: 9.3 (HIGH)

:fear:

FYI...

Thunderbird v2.0.0.21 released
- http://www.mozillamessaging.com/en-US/thunderbird/
March 18, 2009

Fixed in Thunderbird 2.0.0.21
- http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html#thunderbird2.0.0.21
MFSA 2009-10 Upgrade PNG library to fix memory safety hazards
MFSA 2009-09 XML data theft via RDFXMLDataSource and cross-domain redirect
MFSA 2009-07 Crashes with evidence of memory corruption (rv:1.9.0.7)
MFSA 2009-01 Crashes with evidence of memory corruption (rv:1.9.0.6)

- http://secunia.com/advisories/33802/2/
Last Update: 2009-03-20
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch ...
Solution: Update to version 2.0.0.21...
CVE reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0352
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0353
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0772
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0774
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0776

:fear:

FYI...

IBM Access Support ActiveX control stack buffer overflow
- http://www.kb.cert.org/vuls/id/340420
Date Last Updated: 2009-03-25 - "... IBM Access Support ActiveX control, which is provided by IbmEgath.dll, contains a stack buffer overflow in the GetXMLValue() method. We have confirmed that version 3.20.284.0 is vulnerable. Other versions may also contain the flaw.
... Impact: By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash.
... Solution: We are currently unaware of a practical solution to this problem. Please consider the following workarounds: Disable the IBM Access Support ActiveX control in Internet Explorer
The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: {74FFE28D-2378-11D5-990C-006094235084} ..."

- http://secunia.com/advisories/34470/2/
Critical: Highly critical
Solution Status: Unpatched...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0215
Last revised: 03/25/2009
CVSS v2 Base Score:9.3 (HIGH)...

:fear:

FYI...

- http://isc.sans.org/diary.html?storyid=6121
Last Updated: 2009-04-03 21:35:44 UTC - "We've been keeping an eye on the issues affecting the domain servers of Register.com. Several readers have written to us with concerns ofer the lack of availability of Register.com's servers, which seem to have been under a DDoS attack. There are also reports that DNS provider NeuStar (UltraDNS) may be under DDoS, too. We don't have any information at the moment about these incidents, beyond what is reported in the following articles:
- http://www.theinquirer.net/inquirer/news/638/1051638/register-com-suffers-dos-attack
- http://www.scmagazineus.com/DDoS-attacks-hit-major-web-services/article/130060/
Register.com issues are causing lots of issues across the web. One reader told us, "We are struggling to keep our websites available. DNS is the problem. We are being told by Register.com that the April 1 issues are affecting them. It sounds like they are being DOS'd and are filtering certain ISPs from querying them." Another reader said, "Register.com's DNS servers have gone offline for the second time in 24 hours. They were down yesterday from about 15:45 - 18:45 and just went down again today at about 14:30 (all times EST)..."

- http://isc.sans.org/diary.html?storyid=6121
Last Updated: 2009-04-04 02:53:13 UTC ...(Version: 2)
"Update: ... We are using all available means to restore services to every one of our customers and halt this criminal attack on our business and our customers’ business. We are working round the clock to make that happen. We are committed to updating you in as timely manner as possible, please check your inbox or our website for additional updates.
Thank you for your patience.
Larry Kutscher
Chief Executive Officer
Register.com"

:fear::fear:

FYI...

- http://blog.wired.com/27bstroke6/2009/04/cable-sabotage.html
April 09, 2009 | 3:58:39 PM - "Deliberate sabotage is being blamed for a sizable internet and telephone service outage Thursday in Silicon Valley. At 1:30 a.m., someone opened a manhole cover on a railroad right-of-way in San Jose, climbed down and cut four AT&T fiber optic cables. A second AT&T cable, and a Sprint cable, were cut in the same manner two hours later, farther north in San Carlos. Service for Sprint, Verizon and AT&T customers in the southern San Francisco Bay Area has been lost, according to the San Francisco Chronicle*. Police departments have put more units on the street, because nobody can call 9-1-1. A much smaller Comcast outage affecting around 4,500 customers in San Jose began at around 1:00 p.m. Pacific time. Spokesman Andrew Johnson says the company is investigating the cause.
Update: AT&T is offering a $100,000 reward** for information leading to the arrest and conviction of the vandal."

* http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/04/09/BAP816VTE6.DTL&tsp=1
April 10, 2009 - "... Ten fiber-optic cables... were cut at four locations in the predawn darkness..."

AT&T Offering $100,000 Reward in Bay Area Network Vandalism
** http://www.att.com/gen/press-room?pid=4800&cdvn=news&newsarticleid=26715
April 9, 2009

:mad::mad::mad:

FYI... http://isc.sans.org/diary.html?storyid=6373

- http://technet.microsoft.com/sysinternals/bb963902.aspx
Autoruns v9.5: This update to Autoruns, a powerful autostart manager, adds display of audio and video codecs, which are gaining popularity as an extension mechanism used by malware to gain automatic execution.
- http://technet.microsoft.com/sysinternals/bb897544.aspx
PsLoglist v2.7: This version of PsLoglist, a command-line event log display utility, now properly displays event log entries for default event log sources on Windows Vista and higher and accepts wildcard matching for event sources.
- http://technet.microsoft.com/sysinternals/bb897553.aspx
PsExec v1.95: This version of PsExec, a utility for executing applications remotely, fixes an issue that prevented the -i (interactive) switch from working on Windows XP systems with a recent hotfix and includes a number of minor bug fixes.

May 08, 2009

:bigthumb:

FYI...

- http://googleblog.blogspot.com/2009/05/this-is-your-pilot-speaking-now-about.html
5/14/2009 - "... An error in one of our systems caused us to direct some of our web traffic through Asia, which created a traffic jam. As a result, about 14% of our users experienced slow services or even interruptions. We've been working hard to make our services ultrafast and "always on," so it's especially embarrassing when a glitch like this one happens. We're very sorry that it happened, and you can be sure that we'll be working even harder to make sure that a similar problem won't happen again..."

- http://isc.sans.org/diary.html?storyid=6388
Last Updated: 2009-05-14 22:36:04 UTC ...(Version: -13-)

- http://asert.arbornetworks.com/2009/05/the-great-googlelapse/
May 14th, 2009 at 4:36 pm

:fear::spider::confused:

FYI...

- http://preview.tinyurl.com/rbxxwa
May 14, 2009 PC World - "A new round of website hijacks is attempting to install malicious, Google-focused software on unpatched PCs, according to security company ScanSafe, further cementing the drive-by-download approach as a bad-guy tactic of choice. The attack, dubbed "Gumblar" by ScanSafe*, starts by hijacking legitimate sites and inserting attack code. The more than 1,500 hacked sites, including Tennis.com and Variety.com, don't represent an especially huge number, but it's growing rapidly. Since last week, the attack has grown by 80 percent, according to the company, and has spiked 188 percent since yesterday.
The inserted attack code attempts to identify old, unpatched vulnerabilities on a victim PC that browses a hacked site, and will take advantage of any discovered hole to install malware. These kinds of drive-by-download attacks are sneaky and dangerous, but the good news is that while the actual exploits used vary as time passes, the company says none have yet gone after zero-day holes that don't yet have a fix available. The attack code has largely gone after PDF and Flash flaws discovered in the last year..."
* http://blog.scansafe.com/journal/2009/5/14/gumblar-qa.html

- http://www.theregister.co.uk/2009/05/14/viral_web_infection/
14 May 2009 - "... The exploit code is unique for every website, making it impossible to identify a compromised site until someone has accidentally surfed there. It uses obfuscated Javascript that's burrowed deep into a website's source code to exploit unpatched vulnerabilities in a visitor's Adobe Flash and Reader programs. Victims then join a botnet that manipulates their Google search results... By injecting ads and links into certain searches, infected users see results that are different than they would otherwise be..."

- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=217500218
May 14, 2009 - "... difficult to find and bring down... its source IP addresses have been traced to Latvia and Russia, and its servers are located in the U.K..."

Gumblar .cn exploit
- http://preview.tinyurl.com/r5cplm
07 May 09 (Unmask Parasites blog)

More Facts about the Gumblar attack
- http://preview.tinyurl.com/qg5c8d
15 May 09 (Unmask Parasites blog)

Troj/JSRedir-R attacks
- http://www.sophos.com/blogs/sophoslabs/v/post/4422
May 14, 2009

• http://google.com/safebrowsing/diagnostic?site=gumblar.cn/
"... Malicious software includes 24 scripting exploit(s), 6 trojan(s)... site has hosted malicious software over the past 90 days. It infected 12799 domain(s)..."

:fear::mad:

FYI...

- http://www.cpsc.gov/cpscpub/prerel/prhtml09/09221.html
May 14, 2009 - "... recall of the following consumer product. Consumers should stop using recalled products immediately unless otherwise instructed.
Name of Product: Lithium-Ion batteries used in Hewlett-Packard and Compaq notebook computers
Units: About 70,000
Importer: Hewlett-Packard Co., of Palo Alto, Calif.
Hazard: The recalled lithium-ion batteries can overheat, posing a fire and burn hazard to consumers..."
(HP Pavilion, Compaq Presario, HP, HP Compaq - see link above for specific models)

- http://www.theinquirer.net/inquirer/news/1137353/hp-recalls-lithium-ion-batteries
15 May 2009 - "... Hewlett-Packard is voluntarily recalling about 70,000 lithium-ion batteries that shipped with several models of its HP and Compaq laptops. Nine models of HP Pavilions, nine models of Compaq Presarios, two HP laptop models, and one HP Compaq laptop model sold between August 2007 and March 2008 all shipped with the dodgy battery... HP said that owners of the affected laptop models should pull the battery out of the machine and give it a ring* so it can ship a free replacement."
* http://bpr.hpordercenter.com/hbpr/M14.aspx

:fear::fear:

More...

- http://isc.sans.org/diary.html?storyid=6403
Last Updated: 2009-05-18 17:54:18 UTC - "... Gumblar/JSRedir-R drive-bys. Although this malware has been around for a while, several A/V vendors and some relatively mainstream news outlets have recently reported a large increase in websites injected with JSRedir-R/Gumblar. According to Sophos* this malware accounted for approximately 42% of all infected websites detected in the last week, nearly 6 times its closest rival. Although the infection method is not clear, given the variety of servers and platforms, it is most likely weak login credentials..."
* http://www.sophos.com/blogs/gc/g/2009/05/14/malicious-jsredir-javascript-biggest-malware-threat-web
May 14, 2009

> http://forums.spybot.info/showpost.php?p=312220&postcount=82

FYI...

- http://preview.tinyurl.com/qlr9ba
05-19-2009 Symantec Security Response Blog - "The malicious code Whac-a-Mole game continues. Just as security vendors start detecting the domains and malware associated with the drive-by download attacks coming from the malicious Gumblar domains, the bad guys are changing the game and popping up from Martuz dot cn, which, according to Who.is, is located in the UK with a 95.129.x.x IP Address. The JavaScript appearing on the websites has also become more obfuscated, making the attacks slightly harder for IT managers and Web administrators to detect. The attackers are easily able to change the obfuscation by substituting portions of the domain name with variables instead of spelling out the domain all at once. The updated malicious JavaScript also performs a test to deliver a different payload for users of Google Chrome browsers, since Chrome has a blacklist of suspicious and malicious domains. The drive-by download tries to exploit a number of underlying vulnerabilities, including some for Adobe Acrobat and Adobe Flash. Users should make sure that their systems are running the latest versions of these and other third-party applications to help mitigate the risk of being compromised.
So how is that so many websites are compromised at one time? Often it is due to SQL injection errors or direct hacking into the back end of the hosting companies, but it appears that this recent problem may be more about compromised FTP passwords that belonged to the people that administer the websites. In any case, it means the bad guys are able to continually change the malicious code until the admin changes the FTP passwords and blocks the trespassing... We expect the domains and malicious JavaScript appearing on the websites to continually change as one mole is whacked, and another pops up..."

- http://isc.sans.org/diary.html?storyid=6403
Last Updated: 2009-05-19 13:02:01 UTC - "... the dropbox for this trojan, gumblar .cn has been offline since last friday, but a successor has come online, martuz .cn..."

- http://blog.scansafe.com/journal/2009/5/19/gumblar-up-another-7-martuzcn-is-down.html
May 19, 2009
- http://blog.scansafe.com/journal/2009/5/18/japans-geno-gumblar.html
- http://blog.scansafe.com/journal/2009/5/18/gumblar-a-botnet-of-compromised-websites.html

- http://www.us-cert.gov/current/index.html#gumblar_malware_attack_circulating
May 18, 2009

:fear::fear:

FYI...

QuickTime vuln - unpatched
- http://secunia.com/advisories/35091/
Release Date: 2009-05-22
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Apple QuickTime 7.x ...
... The vulnerability is caused due to an error in the processing of "0x77" tags within PICT images, which can be exploited to cause a heap-based buffer overflow when the user opens a specially crafted PICT image or visits a malicious web site...
Solution: Do not browse untrusted web sites. Do not open files from untrusted sources..."

Fix/patch released:
- http://forums.spybot.info/showpost.php?p=315588&postcount=2
2009-06-01

:sad::fear:

FYI...

Gumblar/Martuz/Geno attack
- http://isc.sans.org/diary.html?storyid=6430
Last Updated: 2009-05-21 19:29:48 UTC - "... client side analysis* and writeup of recent gumblar malware attacks..."
* http://preview.tinyurl.com/pc26gr
May 21, 2009 InfoSec from the trenches - "... Once compromised by the Gumblar/Martuz/Geno, victims will have many pieces of malware loaded onto their machines, this malware does the following:
• Steals FTP credentials
• Sends SPAM
• Installs fake anti virus
• Highjacks Google search queries
• Disables security software
The exploits used are for Adobe Acrobat and Adobe Flash Player...
...this is a very large attack encompassing many malicious payloads..."

// http://forums.spybot.info/showpost.php?p=312220&postcount=82

FYI...

QuickTime v7.6.2 released
- http://support.apple.com/kb/HT3591
June 01, 2009 - "This document describes the security content of QuickTime 7.6.2, which can be downloaded and installed via Software Update preferences, or from Apple Downloads*..."
* http://support.apple.com/downloads/

> http://support.apple.com/kb/HT1222

- http://secunia.com/advisories/35091/2/
Last Update: 2009-06-02 <<<
Critical: Highly critical
Solution: Update to version 7.6.2...
> http://support.apple.com/downloads/QuickTime_7_6_2_for_Windows

CVE reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0010
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0185
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0188
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0951
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0952
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0953
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0954
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0955
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0956
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0957

Also: iTunes 8.2 released
- http://support.apple.com/kb/HT3592
June 01, 2009
> http://secunia.com/advisories/35314/2/
Release Date: 2009-06-02
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: iTunes 8.x ...
Solution: Update to version 8.2...
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0950

:fear:

FYI...

- http://www.theregister.co.uk/2009/06/04/3fn_shut_down/
4 June 2009 - "Federal authorities have shut down what they said was the worst US-based web hosting provider after convincing a judge it actively participated in the distribution of child pornography, spam, malware, and other net-based menaces. The US Federal Trade Commission obtained the court order against 3FN.net, a service provider with servers mostly located in San Jose, California that also operated under the name Pricewert. Dated June 2, it commanded all companies providing upstream services to 3FN to immediately pull the plug. The order was issued in secret to prevent the operators from being able to destroy evidence or find new hosts, something FTC attorneys said was necessary given the extreme nature of the data it hosted. "This content includes a witches' brew of child pornography, botnet command and control servers, spyware, viruses, trojans, phishing-related sites, and pornography featuring violence, bestiality, and incest," they wrote in court documents. "In addition to recruiting and willingly distributing this illegal, malicious and harmful content, Pricewert actively colludes with its criminal clientele in several areas, including the maintenance and deployment of networks of compromised computers known as botnets." This week's action is the most significant shutdown since the shuttering in November of McColo, another Northern California-based service provider with ties to online crime... One of the biggest complaints among white hat hackers is the difficulty of shutting down networks that flagrantly violate the law. This week's action is the first time the FTC has used its congressional mandate to protect US consumer to sever a service provider suspected of illegal activity... Court documents are available here*."
* http://www.ftc.gov/os/caselist/0923148/index.shtm

- http://news.cnet.com/8301-1009_3-10257588-83.html
June 4, 2009 - "... In its filings with the district court, the FTC estimates that more than 4,500 malicious software programs are controlled by command-and-control servers hosted by 3FN. This malware includes programs capable of keystroke logging, password and data stealing, programs with hidden backdoor remote control activity, and programs involved in spam distribution. This case was brought to light with the assistance of multiple agencies and people including NASA's Office of Inspector General; the Department of Justice's Computer Crime Division; Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham; the National Center for Missing and Exploited Children; the Shadowserver Foundation; the Spamhaus Project; and Symantec..."

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=217701956
June 4, 2009 - "... The only entity named in the case is Pricewert. Ethan Arenson, an attorney with the FTC's Bureau of Consumer Protection, said that the individuals behind the company are overseas in Eastern Europe. He declined to comment on a possible extradition effort or coordination with authorities abroad. Whether the individuals doing business as Pricewert will face charges remains an open question. Pricewert is essentially an Oregon shell corporation with some servers in San Jose..."

- http://voices.washingtonpost.com/securityfix/pushdo.htm

- http://asert.arbornetworks.com/2009/06/things-in-3fn/

:bigthumb:

FYI...

- http://blog.trendmicro.com/beware-of-repackaged-hijackthis-downloads/
June 9, 2009 - "HijackThis™ is one of the well-known free utilities of Trend Micro that quickly scans a user’s Windows computer to find settings that may have been changed by spyware, malware, or other unwanted programs. By itself, it does not determine what is good or bad but it lists registry keys and files system of the scanned system where unwanted programs potentially could reside. Only experienced users and IT experts with outstanding practice in HijackThis could use the initial text information without the community help. Almost all users of this tool rely on the online evaluation and analysis of the report, provided by several HijackThis communities. A list of some of these communities can be found here*. Edgardo Diaz, Jr., Escalation Engineer in TrendLabs, found a certain executable program (Loaris Trojan Remover) that contained the HijackThis program repackaged using Delphi-based packager InnoSetup. Upon extraction, the user interface (UI) gives the user the option of running HijackThis from an external source. The application really does install HijackThis on the user’s computer. Unlike the real version, however, Loaris’ repackaged version sells its own antivirus solution using HijackThis as a come-on. Users who are really interested in using HijackThis, may thus be tricked into buying the antivirus by accepting the end-user license agreement (EULA - see Screenshot at the Trendmicro URL above) that comes with the installer.
>>> Beware, Trend Micro does NOT sell nor intend to sell HijackThis. Trend Micro supports its communities by providing information and updates to registry keys, validity of system or BHO (browser helper object) files. Details and free downloads are available at TrendSecure web site**.
** http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
This is not the first, not the only and not the last software used in illicit schemes. Users are strongly advised to download software only from the official vendor sites or highly trusted communities."
* http://hjt-data.trendmicro.com/hjt/analyzethis/index.php

:mad:

FYI...

Apple iPhone / iPod touch multiple vulns - update available
- http://secunia.com/advisories/35449/2/
Release Date: 2009-06-18
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Apple iPhone, Apple iPod touch
Original Advisory: Apple: http://support.apple.com/kb/HT3639 ...

iPhone OS 3.0 Software Update
> http://www.apple.com/iphone/softwareupdate/

:fear:

FYI...

IrfanView vuln - update available
- http://secunia.com/advisories/35359/2/
Release Date: 2009-06-18
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: IrfanView 4.x ...
Solution: Update to version 4.25.
http://irfanview.com/main_download_engl.htm ...

Also: The current PlugIns version is: 4.25
- http://www.software.com/irfanview-plugin

- http://www.irfanview.net/main_history.htm
Release date: 2009-06-16

:fear::spider:

FYI...

- http://isc.sans.org/diary.html?storyid=6619
Published: 2009-06-21 - "...Upon further investigation it appears that her server had been compromised by exploitation of the vulnerability detailed in PMASA-2009-4**. The attacker uploaded a lot of the same old types of tools such as a misnamed EnergyMech IRC bot, a perl based UDP flodding tool, and an automated tool to attempt phpMyAdmin. It is now past time to update to phpMyAdmin 3.1.3.2* (or higher) and/or updating firewall rules to limit the public Internet from touching this web application...
06/22/2009 22:30 UTC - ...more reports locally about activity which seems to point to phpMyAdmin scanning and exploitation..."

* http://www.phpmyadmin.net/home_page/index.php
phpMyAdmin 3.2.0
File Release Notes and Changelog
- http://sourceforge.net/project/shownotes.php?release_id=690019
Last Update: Jun 15 2009

** http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php

:fear:

FYI...

Thunderbird v2.0.0.22 released
- http://www.mozillamessaging.com/thunderbird/
June 22, 2009

- http://secunia.com/advisories/35440/2/
Last Update: 2009-06-23
Critical: Highly critical
Impact: Security Bypass, Spoofing, DoS, System access
Where: From remote...
Solution: Update to version 2.0.0.22, which fixes some of the vulnerabilities...

- http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html#thunderbird2.0.0.22
Fixed in Thunderbird 2.0.0.22
MFSA 2009-33 Crash viewing multipart/alternative message with text/enhanced part
MFSA 2009-32 JavaScript chrome privilege escalation
MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null
MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests
MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)
MFSA 2009-17 Same-origin violations when Adobe Flash loaded via view-source: scheme
MFSA 2009-14 Crashes with evidence of memory corruption (rv:1.9.0.9)

:fear:

FYI...

Koobface worm infections exploding
- http://www.threatpost.com/blogs/koobface-worm-infections-exploding
July 6, 2009 - "In June, we saw an explosive rise in the number of Koobface modifications - the number of variants we detected jumped from 324 at the end of May to nearly 1000 by the end of June. And this weekend brought another flood, bringing us up to 1049 at the time of writing... Koobface spreads via major social networking sites like Facebook and MySpace. It's now spreading via Twitter as well... the pool of potential victims is growing day by day - just take a look at the Alexa stats* for Facebook. So naturally, cybercriminals are going to be targeting these sites more and more often."
* http://www.alexa.com/siteinfo/facebook.com
"... Percent of global Internet users who visit facebook.com:
... 7 day avg: 20.01% ..."

:fear::mad::fear:

FYI...

Imageshack - pwned
- http://isc.sans.org/diary.html?storyid=6769
Last Updated: 2009-07-11 03:43:37 UTC - "... Imageshack was attacked by the anti-sec group. This seems to be affecting other sites that draw images from imageshack such as user pages on blogger.com. Details were posted on Full Disclosure by anti-sec*. The "session" they display reminds us of the log file they made public following their attack on SSANZ** last weekend..."

* http://seclists.org/fulldisclosure/2009/Jul/0095.html
11 Jul 2009 05:15:36 +0300

** http://seclists.org/fulldisclosure/2009/Jul/0028.html
04 Jul 2009

:fear::mad:

FYI...

- http://countermeasures.trendmicro.eu/apache-ssh-key-compromised/
Aug. 28, 2009 - "... Details of the attack/compromise are few at the moment, as this is breaking news. It is worth remembering however that a compromised SSH key led to in-the-wild exploitation of Linux based systems exactly this time last year, for the purposes of installing rootkits. Keep your eye on how this story develops. Apache servers account for around 50% of all web servers in the July 2009 web server survey*."
* http://news.netcraft.com/archives/2009/07/28/july_2009_web_server_survey.html

- https://blogs.apache.org/infra/entry/apache_org_downtime_initial_report
Aug 28, 2009

> http://isc.sans.org/diary.html?storyid=7030
Last Updated: 2009-08-28 14:32:28 UTC ...(Version: 2) - "... compromised due to an SSH key being exposed. The SSH key was used by an account to perform backups. No vulnerabilities in apache or ssh software was used in this attack. When the incident was identified apache cut access to all of their services as a containment measure. Their web sites are now back online..."

> https://blogs.apache.org/infra/entry/apache_org_downtime_report
Sep 02, 2009

:fear::spider::fear:

FYI...

- http://news.cnet.com/8301-1009_3-10345900-83.html
September 5, 2009 - "A worm is circulating that can post malware and spam to some WordPress blogs using outdated versions of the blogging software... The vulnerability allowing the attack was discovered August 11, at which point WordPress encouraged users to upgrade to version 2.8.4... The worm does not affect the current version 2.8.4 and the one prior to it. And it only affects people who host their own WordPress blog. Blogs hosted on WordPress.com are unaffected..."

- http://wordpress.org/development/2009/09/keep-wordpress-secure/
September 5, 2009

WordPress v2.8.4 released
- http://wordpress.org/download/
August 12, 2009 - "The latest stable release of WordPress (Version 2.8.4) is available..."

- http://secunia.com/advisories/36237/2/
Release Date: 2009-08-12

:fear::mad:

FYI...

QuickTime v7.6.4 released
- http://support.apple.com/kb/HT3661
September 09, 2009

- http://secunia.com/advisories/36627/2/
Last Update: 2009-09-11
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Apple QuickTime 7.x
Solution: Update to version 7.6.4...

CVE reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2202
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2203
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2798
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2799

- http://www.apple.com/quicktime/download/

:fear:

FYI...

Hotmail user info leaked...
- http://blog.trendmicro.com/windows-live-hotmail-user-information-leaked/
Oct. 6, 2009

Time to change your hotmail password
- http://isc.sans.org/diary.html?storyid=7276
Last Updated: 2009-10-05 23:33:47 UTC - "... Microsoft has confirmed that thousands of Windows Live accounts have been compromised with their passwords posted online... Some information is posted here*..."
* http://windowslivewire.spaces.live.com/blog/cns!2F7EB29B42641D59!41528.entry?wa=wsignin1.0&sa=363915619
10/5/2009

:fear::fear:

FYI...

Gmail, AOL, Yahoo all hit by webmail phishing scam
- http://www.theregister.co.uk/2009/10/06/gmail_webmail_phish/
6 October 2009 - "Google has confirmed that Gmail has also been targeted by an "industry-wide phishing scheme" which first hit Hotmail accounts. Yahoo! and AOL are also reportedly affected. Hackers used fake websites to gain the login credentials attached to various webmail accounts. The attack emerged after a list of 30,000 purloined usernames and passwords was posted online. These leaked details reportedly referred to Gmail, Comcast and Earthlink accounts. A second list containing webmail addresses and passwords referring to Hotmail, Yahoo, AOL and Gmail also surfaced online. Some of the addresses on this list were old and fake, but at least some were genuine, the BBC reports*. Both lists have been taken offline, so are no longer directly accessible. The search engine giant confirmed that an unspecified number of accounts were compromised, adding that it had reset the passwords of the compromised accounts... The combined incidents serve to further illustrate the importance of password security. Using a different, hard-to-guess password on every site is a very good start in this direction."
* http://news.bbc.co.uk/2/hi/technology/8292928.stm

- http://www.eset.com/threat-center/blog/2009/10/06/webmail-hacks
October 6, 2009 - "... If you receive an email telling you to provide your password it is a phish. That is as simple as it gets. Never give out your password..."

:fear::fear:

FYI...

FBI warns public of fraudulent SPAM email
- http://www.us-cert.gov/current/#federal_bureau_of_investigation_warns
October 6, 2009 - "The Federal Bureau of Investigation (FBI) has released information warning the public about fraudulent email messages purporting to come from the FBI or the Department of Homeland Security. These email messages contain a malicious attachment that claims to provide an intelligence report or bulletin, but in reality attempts to launch malware on the user's system. More information regarding these messages can be found in the Federal Bureau of Investigation's New E-Scams and Warnings web site*. To help protect against this type of attack, US-CERT recommends that users avoid opening attachments contained in unsolicited email messages..."
* http://www.fbi.gov/cyberinvest/escams.htm

:fear:

FYI...

Adobe PDF Reader exploit in the wild
- http://blog.trendmicro.com/asprox-resurfaces-with-a-mass-compromise-in-tow/
Oct. 15, 2009 - "A specially crafted .PDF file, detected by Trend Micro as TROJ_PIDIEF.ASP, was recently found to have infected several Indian, Thai, and New Zealand websites. The Trojan takes advantage of critical vulnerabilities in Adobe Reader 9.1.3 and Acrobat 9.1.3; Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh, and UNIX; and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities can cause the application to crash and can potentially allow an attacker to take control of an affected system. Adobe has thus advised users to patch their systems and download the necessary updates*. The Trojan belongs to an old but notable malware family known as “ASProx,” which plagued the Web last year. It was so notable that it made its way to Trend Micro’s Top 8 in 2008 list. Most ASProx variants, including this most recent one, exhibited the same payload. They first compromised several websites. Visiting the said sites then triggerred redirections to various malicious URLs that ultimately led to the download of more malicious files. The recent reemergence of the ASProx code or the cybercriminals behind it may not have brought anything new to the table but it is noteworthy in that this attack seemingly brought the botnet back from the dead after almost a year of inactivity..."
* http://www.adobe.com/support/security/bulletins/apsb09-15.html
October 13, 2009

:fear::fear:

FYI...

Guardian Jobs website hacked...
- http://www.sophos.com/blogs/gc/g/2009/10/25/guardian-jobs-website-hacked-personal-data-risk/
October 25, 2009 - "... the UK version of the Guardian Jobs website has been broken into by hackers. The site, which is described as one of the top five job websites in the UK, with some two million users a month, would be a rich data mine for identity thieves who would be rubbing their hands in glee at the prospect of getting their hands on confidential information from innocent people's CVs and job applications. Details of how the hack was committed have not been revealed, but warning emails sent to people who have used the jobs.guardian.co.uk site to make job applications described the attack as "sophisticated and deliberate"... this isn't the first time that online recruitment websites have suffered at the hands of cybercriminals. Earlier this year... the databases of Monster.com and USAJobs.gov were compromised*, and contact and account information was stolen..."
* http://www.sophos.com/blogs/gc/g/2009/01/24/security-alert-monstercom-usajobs-users/

:fear::mad:

See the site - use menu at top of display "Modes > Attacks":

- http://www.akamai.com/html/technology/dataviz1.html
2009.10.27 - 34% above normal ...!

- http://www.akamai.com/html/technology/realtime_web_methodology.html
"Attack Traffic:
Akamai measures attack traffic in real time across the Internet with our diverse network deployments. We collect data on the number of connections that are attempted, the source IP address, the destination IP address and the source and destination ports in real time. The packets captured are generally from automated scanning trojans and worms looking to infect new computers scanning randomly generated IP addresses. The attack traffic depicts the total number of attacks over the last twenty-four hours.
Values are measured in attacks per 24 hours (attacks/24hrs). Regions are displayed as countries or states."
___

- http://www.v3.co.uk/v3/news/2252011/trend-micro-sees-blocked
27 Oct 2009 - "The sheer scale of the cyber security threat to businesses was highlighted again today, after new statistics from security vendor Trend Micro revealed that its Smart Protection Network (SPN) now blocks an average of more than four billion threats a day. SPN is Trend Micro's newest technology designed to fight today's threats as effectively as possible, combining cloud-based reputation technology with behavioural analysis techniques. The system stops many of the threats in the cloud, crucially negating the problems associated with traditional security tools, such as eating up processing power and network bandwidth... SPN has been up and running for 16 months, but saw significant growth between the third quarter of 2008 and the second quarter of 2009, when the number of global user queries jumped 289 per cent to over 29 billion a day. The number of threats blocked over the same period rose 277 per cent to just over four billion, the company said. Threats in this instance include infected files, as well as web destinations reached through the browser and infected PCs trying to connect to a resource on the internet..."

:sad::fear::spider:

FYI...

87% of web apps - "serious vulnerabilities..."
- http://sunbeltblog.blogspot.com/2009/11/3100-vulnerabilities-connected-with-web.html
November 10, 2009 - "If anyone ever needed a great example for the lectures they give friends, relatives or employees about the importance of installing software updates, here it is. Security firm Cenzic* has made public a report documenting 3,100 vulnerabilities that affect the software used on web sites and in browsers! The report included patched and unpatched vulnerabilities. Cenzic, which provides software as a service, said in their report “Web Application Security Trends Report Q1-Q2, 2009” that Cross Site Scripting and SQL Injection vulnerabilities were a factor in half of all web attacks. They said 87 per cent of web applications their researchers looked at "had serious vulnerabilities that could potentially lead to the exposure of sensitive or confidential user information during transactions"..."
* http://www.cenzic.com/resources_reg-not-required_trends/
Q1-Q2 2009
http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf

:fear::mad:

FYI...

Apple Safari v4.0.4 released
- http://secunia.com/advisories/37346/2/
Release Date: 2009-11-12
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Apple Safari 4.x
Solution: Update to version 4.0.4...
Original Advisory:
http://support.apple.com/kb/HT3949

CVE reference: CVE-2009-2414, CVE-2009-2416, CVE-2009-2804, CVE-2009-2816, CVE-2009-2841, CVE-2009-2842, CVE-2009-3384

- http://support.apple.com/downloads/

:fear:

FYI...

Still - "It's a jungle out there...".

2009 - Top Internet Security Trends
- http://www.symantec.com/connect/blogs/breadth-security-issues-2009-stunning
November 17, 2009 - "... Top Internet Security Trends of 2009...
• Malware-Bearing Spam...
• Social Networking Site Attacks Become Commonplace...
• Rogue Security Software...
• Ready-Made Malware...
• Bot Networks Surge...
• Intra- and Cross-Industry Cooperation to Stamp Out Internet Threats...
• Current Events Leveraged More Than Ever...
• Drive-by-Downloads Lead the Way...
• The Return of Spam to Pre-McColo Levels...
• The Rise of Polymorphic Threats...
• An Increase in Reputation Hijacking...
• Data Breaches Continue..."

(Detail available at the URL above.)

:fear::spider:

FYI...

PHP v5.3.1 released
- http://secunia.com/advisories/37412/2/
Release Date: 2009-11-20
Critical: Moderately critical
Impact: Unknown, Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: PHP 5.3.x ...
Solution: Update to version 5.3.1.
Original Advisory: PHP:
http://www.php.net/releases/5_3_1.php
CVE reference: CVE-2009-3292, CVE-2009-3557, CVE-2009-3558

ChangeLog
- http://www.php.net/ChangeLog-5.php#5.3.1

- http://isc.sans.org/diary.html?storyid=7615
"... With many of the websites on the net relying on PHP and the number of attacks we see, consider upgrading. This release has over 100 bug fixes..."

:fear:

FYI...

2009 Riskiest country domains - McAfee
- http://www.theregister.co.uk/2009/12/02/mal_hosting_survey/
2 December 2009 - "... McAfee analysed 27 million websites and 104 top-level domains using its SiteAdvisor and TrustedSource technology in compiling its report*. SiteAdvisor tests websites for browser exploits, phishing, excessive pop-ups and malicious downloads, while TrustedSource offers a reputation system that tracks web traffic patterns, site behaviour, hosted content and more, to gauge site security risks. The security firm reckons 5.8 per cent (or more than 1.5 million web sites) pose a security risk of one kind or another. The top five riskiest country domains online for 2009, according to McAfee:
1. Cameroon (.cm)
2. PR of China (.cn)
3. Samoa (.ws)
4. Phillipines (.ph)
5. Former Soviet Union (.su) "

* http://newsroom.mcafee.com/article_display.cfm?article_id=3600
December 02, 2009

:fear:

FYI...

PDF – Pretty Darned Fatal
- http://www.eset.com/threat-center/blog/2009/12/18/pdf-%E2%80%93-pretty-darned-fatal
December 18, 2009 - "Adobe PDF files were supposed to be a safe alternative to Microsoft Word documents in a time when Microsoft offered no effective protection against macro viruses and had virtually no security model in Office at all. Times change. Microsoft Word documents rarely spread macro viruses and have not for a long time if you are using versions of Word newer than Office XP.
In a dazzling display of arrogant refusal to learn from history, Adobe has configured their products for inferior security by deliberately choosing not to learn security lessons that Microsoft learned years ago.
Security flaws in Adobe reader and Adobe Acrobat are a major problem, but in most cases the technology that allows the exploits to work is JavaScript. Adobe Reader and Acrobat support JavaScript and insanely leave it enabled by default. In practice most PDFs do not require JavaScript and many that do are quite usable without it anyway. If you want to do something simple to help protect yourself against drive-by malware infections – the kind where you simply go to a webpage and get infected, then disable JavaScript in Acrobat and Reader. In Adobe Reader version 9, you go to the edit menu, select preferences, then JavaScript, and then -uncheck- the box that says “Enable Acrobat JavaScript”.
This is how Adobe would set the defaults if they listened to their security experts instead of the marketing department..."

- http://voices.washingtonpost.com/securityfix/2009/12/hackers_exploit_adobe_reader_f.html
December 18, 2009

0-Day Malware Drops Payloads Signed with a Forged Microsoft Certificate
- http://blog.webroot.com/2009/12/15/zero-day-malware-drops-payloads-signed-with-a-forged-microsoft-certificate/
December 15, 2009

:fear::mad:

FYI...

Winamp v5.57 released
- http://secunia.com/advisories/37495/2/
Last Update: 2009-12-18
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Winamp 5.x ...
Solution: Update to version 5.57.
http://www.winamp.com/media-player

- http://www.theregister.co.uk/2009/12/21/winamp_update/

:fear:

FYI...

Sendmail vuln - update available
- http://secunia.com/advisories/37998/2/
Release Date: 2009-12-31
Critical: Moderately critical
Impact: Spoofing
Where: From remote
Solution Status: Vendor Patch
Software: Sendmail 8.x...
Solution: Update to version 8.14.4...
Original Advisory: http://www.sendmail.org/releases/8.14.4

Release notes:
- http://www.sendmail.org/releases/8.14.4#RS

- http://securitytracker.com/alerts/2009/Dec/1023393.html

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4565
Last revised: 01/05/2010
CVSS v2 Base Score: 7.5 (HIGH)

:fear:

FYI...

Malicious PDF docs exploiting CVE-2009-4324
- http://isc.sans.org/diary.html?storyid=7867
Last Updated: 2010-01-04 06:29:59 UTC - "... Quick analysis of the document confirmed that it is exploiting this vulnerability (CVE-2009-4324 – the doc.media.newPlayer vulnerability). This can be easily seen in the included JavaScript in the PDF document, despite horrible detection (only 6 out of 40 AV vendors detected this when I initially submitted it here*). After extracting the included JavaScript code, the shellcode that it uses looked quite a bit different than what we can usually see in such exploits: this shellcode was only 38 bytes long!... Since this exploit has not been patched yet, I would like to urge you all to, at least, disable JavaScript in your Adobe Reader applications. We are getting more reports about PDF documents exploiting this vulnerability, and it certainly appears that the attackers are willing to customize them to get as many victims to open them as possible. Also keep in mind that such malicious PDF documents can go to a great length when used in targeted attacks – the fake PDF that gets opened can easily fool any user into thinking it was just a mistakenly sent document..."
* http://www.virustotal.com/analisis/40e22d52c00b76ad58c3c8daa644b7cfdc4f07a50718743f8e67e89bab386eab-1262223143
File Requset.pdf received on 2009.12.31 01:32:23 (UTC)
Result: 6/40 (15.00%)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4324

More on malicious PDF's
- http://isc.sans.org/diary.html?storyid=7903
Last Updated: 2010-01-07 01:01:21 UTC- "While we are still waiting for the patch and the malicious PDFs which exploit CVE-2009-4324 become more and more nasty, here's another quick excursion in dissecting and analyzing hostile PDF files... we find a recent ThreatExpert analysis http://www.threatexpert.com/report.aspx?md5=b0eeca383a7477ee689ec807b775ebbb that matches perfectly to what we found within this PDF..."
___

Adobe Reader v9.3 released
- http://forums.spybot.info/showpost.php?p=355307&postcount=134
January 12, 2010

:fear:

FYI...

PowerDNS update - multiple vulns
- http://www.us-cert.gov/current/#powerdns_recursor_version_3_1
January 7, 2010 - v3.1.7.2 released...

- http://doc.powerdns.com/powerdns-advisory-2010-01.html
Impact: Denial of Service, possible full system compromise ...

- http://doc.powerdns.com/powerdns-advisory-2010-02.html
Impact: ... possible to fool the PowerDNS Recursor into accepting unauthorized data...

:fear::fear:

FYI...

USB flash drive vuln...
- http://isc.sans.org/diary.html?storyid=7894
Last Updated: 2010-01-11 15:34:41 UTC - "... security flaw recently exposed on USB flash drive. The issue of the attack is with a software bug in the password verification mechanism. This affects Kingston, SanDisk and Verbatim...
SanDisk Update Information: http://www.sandisk.com/business-solutions/enterprise/technical-support/security-bulletin-december-2009
Verbatim Update Information: http://www.verbatim.com/security/security-update.cfm
Kingston Recall Information: http://www.kingston.com/driveupdate/
UPDATE: An ISC reader has contacted Kingston support and confirmed they will be releasing a firmware patch to fix the issue. They have described it as a randomization error and it will affect some of the drives..."

Kingston
- http://secunia.com/advisories/38136/2/
SanDisk
- http://secunia.com/advisories/37927/2/
Verbatim
- http://secunia.com/advisories/38137/2/

Kingston
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0221
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0222
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0223
Sandisk
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0224
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0225
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0226
Verbatim
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0227
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0228
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0229

:fear:

FYI...

Firefox-based attack wreaks havoc on IRC users
- http://www.theregister.co.uk/2010/01/30/firefox_interprotocol_attack/
30 January 2010 01:41 GMT - "Underscoring a little-known web vulnerability, hackers are exploiting a weakness in the Mozilla Firefox browser to wreak havoc on Freenode and other networks that cater to users of internet relay chat. Using a piece of javascript embedded into a web link, the hackers force users of the open-source browser to join IRC networks and flood channels with diatribes that include the same internet address. As IRC users with Firefox follow the link, their browsers are also forced to spam the channels, giving the attack a viral quality that has has caused major disruptions for almost a month... The malicious javascript exploits a feature that allows Firefox to send data over a variety of ports that aren't related to web browsing. By relaying the scripts over port 6667, users who click on the link automatically connect to the IRC server and begin spewing a tirade of offensive text and links. The attack doesn't work with Internet Explorer or Apple Safari, but "might" work with other browsers... IRC networks such as Efnet and OFTC have managed to block the attacks, but at time of writing Freenode operators were still struggling to repel them..."

:fear::mad:

FYI...

- http://blog.mozilla.com/addons/2010/02/09/update-on-the-amo-security-issue/
February 9, 2010 - "... the suspected trojan in Version 4.0 of Sothink Video Downloader was a false positive and the extension does not include malware. The same investigation also confirmed that the Master Filer extension included a valid instance of a trojan. Our estimate of 6,000 affected downloads has been revised to under 700. The Sothink Video Downloader has been re-enabled on AMO. We apologize to our users and the developers of Sothink for any inconvenience this has caused..."

Mozilla add-ons - 2 infected...
- http://blog.mozilla.com/addons/2010/02/04/please-read-security-issue-on-amo/
February 4, 2010 - "Two experimental add-ons, Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer were found to contain Trojan code aimed at Windows users. Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose Trojan. Both add-ons have been disabled on AMO.
Impact to users:
If a user installs one of these infected add-ons, the trojan would be executed when Firefox starts and the host computer would be infected by the trojan. Uninstalling these add-ons does -not- remove the trojan from a user’s system. Users with either of these add-ons should uninstall them immediately. Since uninstalling these extensions does not remove the trojan from a user’s system, an antivirus program should be used to scan and remove any infections...
Versions of Sothink Web Video Downloader greater than 4.0 are not infected. Master Filer was downloaded approximately 600 times between September 2009 and January 2010. Version 4.0 of Sothink Web Video Downloader was downloaded approximately 4,000 times between February 2008 and May 2008. Master Filer was removed from AMO on January 25, 2010 and Version 4.0 of Sothink Web Video Downloader was removed from AMO on February 2, 2010. AMO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader. No other instances of malware have been discovered..."

:sad::mad::fear:

FYI...

WordPress iframe injection?
- http://isc.sans.org/diary.html?storyid=8164
Last Updated: 2010-02-05 23:57:23 UTC - "... some strange entries he found in his Apache logs (see below) and some rumblings of a number of WordPress blogs being compromised. He was in contact with one of the affected bloggers and they figured out that the compromise resulted in the injection of some obfuscated javascript that created a hidden iframe. We haven't heard exactly what the vulnerability was that was exploited, but if the log entries are actually related there may be a permission problem or perhaps some sort of SQL injection issue with joomla or the tinymce editor (at least, that is what the log entries showed that someone is looking for)... The particular log entry that caught Neal's attention was:
GET /joomla/plugins/editors/tinymce/jscripts/tiny_mce/license.txt
So you may want to be on the lookout for those in your own logs."

:fear::fear:

FYI...

SpybotS&D update
- http://www.safer-networking.org/en/updatehistory/index.html
2010-02-17
Total: 2,033,341 fingerprints in 769409 rules for 5235 products...

Thank you, PepiMK!
> http://forums.spybot.info/showthread.php?p=360109#post360109

:fear:

FYI...

2010 State of Enterprise Security
- http://www.symantec.com/about/news/release/article.jsp?prid=20100221_01
February 22, 2010 – Symantec... today released the findings of its global 2010 State of Enterprise Security study... 75 percent of organizations experienced cyber attacks in the past 12 months. These attacks cost enterprise businesses an average of $2 million per year. Finally, organizations reported that enterprise security is becoming more difficult due to understaffing, new IT initiatives that intensify security issues and IT compliance issues. The study is based on surveys of 2,100 enterprise CIOs, CISOs and IT managers from 27 countries in January 2010...
Study Highlights:
• Forty-two percent of enterprises rank cyber risk as their top concern, more than natural disasters, terrorism, and traditional crime combined...
• Enterprises are experiencing frequent attacks. In the past 12 months, 75 percent of enterprises experienced cyber attacks, and 36 percent rated the attacks somewhat/highly effective. Worse, 29 percent of enterprises reported attacks have increased in the last 12 months.
• Every enterprise (100 percent) experienced cyber losses in 2009. The top three reported losses were theft of intellectual property, theft of customer credit card information or other financial information, and theft of customer personally identifiable information. These losses translated to monetary costs 92 percent of the time. The top three costs were productivity, revenue, and loss of customer trust...
• Enterprise security is becoming more difficult due to a number of factors..."

(More detail and recommendations at the URL above.)

:fear:

FYI...

Adobe Reader exploit/vuln active in the Wild - CVE-2010-0188
- http://blogs.technet.com/mmpc/archive/2010/03/08/cve-2010-0188-patched-adobe-reader-vulnerability-is-actively-exploited-in-the-wild.aspx
March 08, 2010 - "While recently analyzing a malicious PDF file, I noticed a vulnerability exploited by the sample which I've never encountered before. After a bit of research I came to the conclusion that this specific sample exploited CVE-2010-0188*. This is a fresh vulnerability, information about which was just published this February. It is described as possibly leading to arbitrary code execution, which is exactly what’s happening. When the PDF file is loaded, Adobe Reader opens and then closes, while an executable file named a.exe is dropped directly onto the C:\ drive. The dropped executable, which is actually embedded into the PDF file, tries to connect to a .biz registered domain to download other files. JavaScript is again used to successfully exploit this vulnerability, so disabling it for unknown documents might be a good idea..."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0188
CVSS v2 Base Score: 9.3 (HIGH) - "... Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1**..."
** http://www.adobe.com/support/security/bulletins/apsb10-07.html

- http://techblog.avira.com/2010/03/09/pdf-exploit-for-recently-closed-security-hole/en/
March 9, 2010

- http://www.f-secure.com/weblog/archives/targeted_attacks_2008_2009_2010.png
March 9, 2010

> http://forums.spybot.info/showpost.php?p=360063&postcount=44

:mad::mad:

FYI...

Vodafone Android Phone: Complete with Mariposa Malware
- http://isc.sans.org/diary.html?storyid=8389
Last Updated: 2010-03-09 14:20:25 UTC - "Panda Security has a post up on one of their employees buying a brand -new- Android phone from Vodafone and discovering it was spreading Mariposa*. It didn't infect the phone proper, but it did have autoexec.inf and autoexec.bat files designed to infect whatever Windows machine the phone was plugged into via USB cable. Unlike the Engergizer story from yesterday, this one is happening now. Standard USB defenses apply, don't automatically execute autoexec.bat/inf files from USB devices. This Microsoft KB article** discusses how to disable the "Autoplay" functionality that leads to this problem..."
* http://research.pandasecurity.com/vodafone-distributes-mariposa/
March 8, 2010

** http://support.microsoft.com/kb/967715

- http://www.internetnews.com/security/article.php/3869871/Mariposa+Bot+Shipped+With+Vodafone+Smartphone.htm
March 10, 2010 - "... Confiker, Mariposa -and- Lineage password stealing malware samples installed on a recently purchased Vodafone HTC Magic smartphone..."

- http://news.cnet.com/8301-27080_3-20000676-245.html
March 17, 2010 - "... an employee at -another- Spanish security company, S21Sec, checked his recently-acquired HTC Magic and found the Mariposa malware lurking on it, according to a PandaLabs blog post* on Wednesday..."
* http://research.pandasecurity.com/vodafone-distributes-mariposa-part-2/
___

- http://www.pcworld.com/businesscenter/article/191931/malware_infected_memory_cards_of_3000_vodafone_mobiles.html
March 19, 2010 - "Malware-tainted memory cards may have ended up on as many as 3,000 HTC Magic phones, a greater number than first suspected, Vodafone said Friday..."
- http://www.theregister.co.uk/2010/03/19/voda_spain_mariposa_latest/
19 March 2010 - "... suggesting 3,000 users were exposed to the malware make it one of the biggest incidents of an IT supplier shipping pre-pwned mobile kit."

:mad::blink:

FYI...

Apple QuickTime v7.6.6 released
- http://secunia.com/advisories/39133/
Last Update: 2010-04-05
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Solution: Update to version 7.6.6.
Original Advisory: Apple:
http://support.apple.com/kb/HT4104
CVE Reference(s): CVE-2009-2837, CVE-2010-0059, CVE-2010-0060, CVE-2010-0062, CVE-2010-0514, CVE-2010-0515, CVE-2010-0516, CVE-2010-0517, CVE-2010-0518, CVE-2010-0519, CVE-2010-0520, CVE-2010-0526, CVE-2010-0527, CVE-2010-0528, CVE-2010-0529, CVE-2010-0536.

- http://www.apple.com/quicktime/download/

- http://isc.sans.org/diary.html?storyid=8566
Last Updated: 2010-04-02 12:30:26 UTC

:fear:

FYI...

Foxit Reader v3.2.1.0401 released
- http://www.foxitsoftware.com/downloads/index.php
04/01/10

Fixed in Foxit Reader 3.2.1.0401
- http://www.foxitsoftware.com/pdf/reader/bugfix.htm
1. Fixed a security issue that Foxit Reader runs an executable embedded program inside a PDF automatically without asking for user’s permission.

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1239
Last revised: 04/06/2010
CVSS v2 Base Score: 9.3 (HIGH)

From an admin. account, update is available through the "Check for Updates" function:
> Help > Check for Updates now > FoxIt Reader 3.2.1.0401 Upgrade

RE: http://isc.sans.org/diary.html?storyid=8545
Last Updated: 2010-03-31 19:04:25 UTC
...and: http://www.f-secure.com/weblog/archives/00001923.html
March 31, 2010

- http://www.kb.cert.org/vuls/id/570177
2010-04-02 - "... issue is addressed in Foxit Reader 3.2.1.0401..."

- http://secunia.com/advisories/39291/
Release Date: 2010-04-05
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Foxit Reader 3.x
Solution: Update to version 3.2.1.0401.

- http://www.h-online.com/security/news/item/New-version-of-Foxit-closes-executable-security-hole-970102.html
5 April 2010

:fear:

FYI...

PDF security hole 'Proof of concept' released...
- http://www.theregister.co.uk/2010/04/06/wormable_pdfs/
6 April 2010 - "... "wormable PDF" research comes days after another security researcher, Didier Stevens, showed how it was possible to both embed malicious executables in PDFs and manipulate pop-up dialog boxes to trick victims into running a malicious payload. Both Adobe and FoxIT* are working on a fix against the security shortcomings in their respective PDF viewing packages illustrated by the research..."
* http://forums.spybot.info/showpost.php?p=366164&postcount=63

- http://blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html
April 6, 2010 - "... users can use the following method to further mitigate against this risk. For consumers, open up the Preferences panel and click on "Trust Manager" in the left pane. Clear the check box 'Allow opening of non-PDF file attachments with external applications'..."

- http://sunbeltblog.blogspot.com/2010/04/poc-is-out-worm-that-spreads-via-pdfs.html
April 06, 2010

Also:
- http://isc.sans.org/diary.html?storyid=8545
Last Updated: 2010-03-31 19:04:25 UTC
- http://www.f-secure.com/weblog/archives/00001923.html
March 31, 2010

- http://www.eset.com/blog/2010/04/06/pdfs-exploitable-im-shocked
"... Patches are due out April 13th for the Adobe Acrobat Reader..."

:fear:

FYI...

PDF ...used to Install Zeus
- http://www.m86security.com/labs/i/PDF-Launch-Feature-Used-to-Install-Zeus,trace.1301~.asp
Apr, 14, 2010 - "Today we began seeing emails... claiming to be from Royal Mail with an attached PDF file... This PDF uses a feature, specified in the PDF format, known as a Launch action. A Launch action is intended to be used to run an application or opening or printing a document. Recently it has been discovered by a security researcher that this feature can be used to run an executable embedded within the PDF file. This PDF also contains an attachment (PDFs can have an attachment embedded within them, just like emails) named Royal_Mail_Delivery_Notice.pdf which has been compressed inside the PDF file. This attachment is actually an executable file and if run, will install the Zeus bot... When this PDF is opened In Adobe Reader with JavaScript enabled, the exportDataOject function causes a dialog box to be displayed asking the user to “Specify a file to extract to”. The default file is the name of the attachment, Royal_Mail_Delivery_Notice.pdf. This could be somewhat confusing to users, and not really knowing what is happening, they may just click save (It appears as if they are just saving a PDF file after all). Users of Foxit PDF reader will get no warning and the attachment will be saved to the users Documents folder... Once the exportDataOject function has completed, the Launch action is run. The Launch action is used to execute the Windows command interpreter (cmd.exe) and is given a command line to execute... This command line searches for the previously saved Royal_Mail_Delivery_Notice.pdf file in some commonly used folders such as My Documents and Desktop and then tries to run the file. (Remember that this is actually the executable file). Adobe Reader will pop up the box shown below and the command will only be run it the user clicks ‘Open’. The latest version of Foxit reader (released April 1st - v3.2.1.0401**) will display a similar warning, older versions will go ahead and execute the command without asking... If this command if successfully run, the Zeus data stealing bot is installed..."

(Screenshots available at the URL above.)

- http://www.m86security.com/newsImages/TRACE/adobeLaunch.PNG
DO NOT OPEN (Image shown)

Zbot campaign comes in a PDF
- http://securitylabs.websense.com/content/Alerts/3593.aspx
04.14.2010

* http://www.virustotal.com/analisis/95638f2fedf39f97c30394bb26603b4252f5d14334bcff73a8fc951de1501d09-1271254281
File sdra64.exe received on 2010.04.14 14:11:21 (UTC)
Result: 8/40 (20%)

Adobe v9.3.2 Reader update
- http://forums.spybot.info/showpost.php?p=367597&postcount=47
April 13, 2010

Foxit v3.2.1.0401 Reader update
** http://forums.spybot.info/showpost.php?p=366164&postcount=63

:mad::mad:

FYI...

OWASP Top 10 Security Risks for 2010
- http://www.owasp.org/index.php/Top_10
April 19, 2010 - "... The OWASP Top 10 Web Application Security Risks for 2010 are:
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
... The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list..."

(More detail at the URL above.)

:fear:

FYI...

FoxIt Reader v3.3.0.0430 released
- http://www.foxitsoftware.com/downloads/index.php
05/04/10

What’s New in Foxit Reader 3.3
- http://www.foxitsoftware.com/downloads/reader/reader3.3.html
New features:
* Secure Trust Manager - The new Secure Trust Manager enables users to allow or deny unauthorized actions and data transmission, including URL connection, attachments PDF actions, and JavaScript functions; efficiently avoiding the attack from malicious contents and viruses.
* Improved Ask Search Button Setting - Enables users to show or hide the Ask Search Button in the Preferences menu.
* Many Bug Fixes - Fixes some bugs from previous versions including an issue where Ask Toolbar may be installed by default.
- http://forums.foxitsoftware.com/showthread.php?t=18365
May 4, 2010 - "... The new Trust Manager allows users to select a safe mode operation, once selected; no external commands will be executed by the Foxit Reader. The Trust Manager feature is easy-to-use and can be selected or deselected within the reader at the discretion of the reader.
A second feature within the new reader is an improved Foxit toolbar installation menu. In version 3.2, a number of Reader users reported that the Foxit toolbar was being installed without being notified. Foxit acknowledges this error and has resolved the issue in this new release..."

- http://www.foxitsoftware.com/pdf/reader/bugfix.htm
Fixed in Foxit Reader 3.3: Fixes some bugs from previous versions including an issue where Ask Toolbar may be installed by default.

Update available through the "Check for Updates" function:
From an admin. account > Help > Check for Updates now > FoxIt Reader 3.3.0.0430 Upgrade

- http://www.zdnet.com/blog/security/foxit-reader-intros-new-safe-reading-feature/6376
May 7, 2010
- http://i.zdnet.com/blogs/foxit_reader_safe_reading_malicious_pdf_in_action.png

:fear:

FYI...

phpnuke .org ...compromised
- http://community.websense.com/blogs/securitylabs/archive/2010/05/07/phpnuke-org-has-been-compromised.aspx
7 May 2010 07:25 AM - "... PHP-Nuke is a popular Web content management system (CMS), based on PHP and a database such as MySQL, PostgreSQL, Sybase, or Adabas. Earlier versions were open source and free software protected by GNU Public License, but since then it has become commercial software. As it is still very popular in the Internet community, it is not surprising that it has become a target of blackhat attacks... The injected iframe hijacks the browser to a malicious site, where through several steps of iframe redirections the user finally ends up on a highly obfuscated malicious page... After de-obfuscating the code, we can see three different exploits, two of them targeting Internet Explorer and the third one targeting Adobe Reader. The first exploit targets a vulnerability in MDAC (CVE-2006-0003), described in Microsoft Security Bulletin MS06-014. If it succeeds, a malicious application is downloaded and stored in "%temp%\updates.exe". After this the downloaded trojan is executed, at which point it installs itself on the computer and attempts to access several Web sites... The second exploit uses a Java vulnerability to spawn shellcode, which then initiates the download action... The third exploit is a PDF exploit -- this actually merges three exploits targeting Adobe Reader. First the JavaScript in the HTML page checks if Adobe Reader is exploitable by checking its version number. The version should be between 7 and 7.1.4, 8 and 8.1.7, or 9 and 9.4. When a vulnerable version is found, the exploit downloads the malicious PDF file and as it is loaded by Adobe Reader, the malicious ActionScript in the file is executed automatically. The PDF itself contains an obfuscated ActionScript that utilizes one of the three different PDF exploits it hides. These are CVE-2009-4324, CVE-2007-5659, and CVE-2009-0927. If it succeeds, the download and installation of updates.exe happens in a similar manner to that described earlier. The downloaded executable is detected by 12% of antivirus products, according to VirusTotal*.
WARNING: At the time of writing the front page of phpnuke .org still contains the malicious iframe, so we advise users to stay away from the site until it has been fixed..."
* http://www.virustotal.com/analisis/db60cc585e33887f7bf0d8a72e644ddf26c1565026dc71712b9a391953fb9d24-1273013683
File 1e99dab3abd728300f055a047626d1211 received on 2010.05.04 22:54:43 (UTC)
Result: 5/41 (12.20%)

- http://pandalabs.pandasecurity.com/php-nuke-hacked-with-injected-iframe/
5/7/10

- http://www.theregister.co.uk/2010/05/11/phpnuke_infection_purged/
11 May 2010 - "The official website for content management system PHP-Nuke was purged of a nasty infection on Tuesday that for four days attempted to install malware on visitors' machines. The website, which used an out-of-date version of PHP, was compromised as long ago as Friday, according to reports from Websense and Panda Labs. The infection redirected anyone visiting the PHP-Nuke front page to a series of attack sites and wasn't cleaned up until Tuesday, Sophos said*..."
* http://www.sophos.com/blogs/sophoslabs/?p=9585
May 11th, 2010 - "... While writing this post the site has been cleaned up."

:mad::mad:

FYI...

Irfanview vulns - update available
- http://secunia.com/advisories/39036/
Last Update: 2010-05-17
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Solution: Update to version 4.27.
- http://irfanview.com/main_download_engl.htm

Current PlugIns
- http://fileforum.betanews.com/download/IrfanView-PlugIns/1099412658/1
irfanview_plugins_427_setup.exe

- http://irfanview.com/main_history.htm
Release date: 2010-05-09

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1509
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1510
Last revised: 05/21/2010

:fear:

FYI...

OpenDNS - Palo Alto – DDoS ...resolved
- http://system.opendns.com/2010/05/18/117/
May 18, 2010 6:20 am UTC* - "Starting at 10:15 PM PDT... all of our global locations suffered a significant denial of service attack. All sites withstood the attack with the exception of Palo Alto, which had sporadic reachability issues lasting for almost 30 minutes. This interruption took our engineers longer to diagnose than it normally would have due to some difficulty removing some routing advertisements between our routers and one of our ISPs... By 10:45 PM PDT, all DNS traffic was routed to alternate locations, including Los Angeles and Seattle, which were online serving traffic the entire time... By 11:10 PM PDT, all website services returned to normal and all services were online. As with any interruption of service, we will be evaluating our procedures, capacity planning models and will ultimately take whatever steps necessary to ensure it does not happen again.
* Update: To clarify some misunderstandings, DNS was not significantly impacted at any site besides Palo Alto (even though all sites were attacked). At Palo Alto, we have numerous connections to the Internet and peering partners and for reasons we are still investigating, one of our connections to the Internet had a prolonged service interruption and did not behave as designed."

- http://system.opendns.com/

:fear:

FYI...

HP notebook battery recall
- http://bpr.hpordercenter.com/hbpr/M14.aspx
May 19, 2010 - "On May 19, 2010, HP expanded a worldwide voluntary recall and replacement program in cooperation with various government agencies, adding battery packs to the replacement program announced on May 14, 2009 and revised on October 15, 2009. Product model series were also added to the list of products that may have been sold with affected batteries. HP customers affected by this program will be eligible to receive a replacement battery pack for each verified, recalled battery pack at no cost... HP and the battery manufacturers believe that certain battery packs shipped in HP notebook PC products manufactured between August 2007 and May 2008 may pose a potential safety hazard to customers. The batteries can overheat, posing a fire and burn hazard..."

- http://www.cpsc.gov/cpscpub/prerel/prhtml09/09221.html
Revised October 15, 2009"... Consumers should stop using recalled products immediately unless otherwise instructed... The recalled lithium-ion batteries can overheat, posing a fire and burn hazard to consumers... two reports of batteries that overheated and ruptured, resulting in flames/fire that caused minor property damage. No injuries have been reported... The recalled lithium-ion rechargeable batteries are used with various HP and Compaq notebook computers..."

- http://www.cpsc.gov/cpscpub/prerel/prhtml10/10240.html
May 21, 2010
Name of Product: Lithium-Ion batteries used in Hewlett-Packard and Compaq notebook computers
Units: About 54,000 (70,000 units were previously recalled in May 2009)

(Additional detail at all URLs above.)

:fear::fear:

FYI...

Foxit Reader v3.3.1.0518 released
- http://www.foxitsoftware.com/downloads/index.php
May 20, 2010

What's New...
- http://www.foxitsoftware.com/pdf/reader/whatsnew331.htm
"... A pop-up dialog contains an area which is reserved for a message that is generated by the rendered PDF. Due to Foxit's concern that this message may mislead users to take an unadvisable action, Foxit Reader will no longer display the content of the message and removes any parameters within the Pop-up message that can be manipulated by the PDF."

Bug Fix List
- http://www.foxitsoftware.com/pdf/reader/bugfix.htm

Update available through the "Check for Updates" function:
From an admin. account > Help > Check for Updates now > FoxIt Reader 3.3.1.0518 Upgrade

:fear:

FYI...

MySQL v5.1.47 update available
- http://www.mysql.com/downloads/mysql/

Changes in MySQL 5.1.47
- http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html

- http://secunia.com/advisories/39792/
Last Update: 2010-05-21
Criticality level: Moderately critical
Impact: Security Bypass, DoS, System access
Where: From local network
Software: MySQL 5.x
CVE Reference(s): CVE-2010-1848, CVE-2010-1849, CVE-2010-1850
...The vulnerabilities are reported in versions prior to 5.1.47.
Solution: Update to version 5.1.47.

:fear:

FYI...

Akami - Attack traffic at 206% above normal
- http://www.akamai.com/html/technology/dataviz1.html
2010.06.05 @08:53AM edt - 765 attacks / 24 hours ...

- http://www.akamai.com/html/technology/realtime_web_methodology.html
"Attack Traffic: ... The packets captured are generally from automated scanning trojans and worms looking to infect new computers scanning randomly generated IP addresses. The attack traffic depicts the total number of attacks over the last twenty-four hours. Values are measured in attacks per 24 hours (attacks/24hrs). Regions are displayed as countries or states..."

:fear::fear:

FYI...

Skype 'Extras Manager' vuln found In The Wild...
- http://www.m86security.com/labs/i/Skype-Extras-Manager-Vulnerability-Found-In-The-Wild,trace.1347~.asp
June 16, 2010 - "On October 12th, 2009, Skype released an updated version (4.1.0.179) of their popular VoIP client, which fixed an unspecified vulnerability in their plug-in component for Skype called EasyBits Extras Manager. The EasyBits software is intended to protect commercial software, such as plug-ins, from illegal redistribution or unlicensed use... Vulnerability disclosures are one of the most common ways cybercriminals craft their exploits, including those seen in the exploit kits themselves. In this scenario, our Security Labs team has identified a working exploit in the wild that targets this vulnerability... the malicious code exploits a Skype ActiveX vulnerability using primitive obfuscation techniques in order to bypass Antivirus security solutions. We can confirm this exploit code works successfully against vulnerable Skype installations. Testing this exploit page with VirusTotal, illustrates the dismal results (1/41 - 2.44%)... It is interesting to note that within Skype's own release notes for the security vulnerability, they provide a recommendation to their users to "use virus protection services in case of any problems." Unfortunately for those users, the virus protection would have failed. However, the core issue here is not the antivirus solution's ability to mitigate this threat, but the fact that the update process remains problematic for many companies. Many users continue to run outdated applications for months, even years, and these old versions continue to be exploited by cybercriminals. Even with the disclosure and security fixes provided by application developers, cybercriminals know that most users rarely update, making it not only easy but beneficial to monitor sites that post disclosures and proof of concept code. Ask yourself: Do you know what version of Skype you're running?"

- http://secunia.com/vulnerability_scanning/online/?task=start

:fear::fear:

FYI...

iTunes v9.2 released
- http://secunia.com/advisories/40196/
Release Date: 2010-06-17
Criticality level: Highly critical
Impact: Security Bypass, Exposure of sensitive information, System access
Where: From remote
Solution: Update to version 9.2.
Apple: http://support.apple.com/kb/HT4220
CVE Reference(s): CVE-2009-1726, CVE-2010-0544, CVE-2010-1119, CVE-2010-1387, CVE-2010-1390, CVE-2010-1392, CVE-2010-1393, CVE-2010-1395, CVE-2010-1396, CVE-2010-1397, CVE-2010-1398, CVE-2010-1399, CVE-2010-1400, CVE-2010-1401, CVE-2010-1402, CVE-2010-1403, CVE-2010-1404, CVE-2010-1405, CVE-2010-1408, CVE-2010-1409, CVE-2010-1410, CVE-2010-1411, CVE-2010-1412, CVE-2010-1414, CVE-2010-1415, CVE-2010-1416, CVE-2010-1417, CVE-2010-1418, CVE-2010-1419, CVE-2010-1421, CVE-2010-1422, CVE-2010-1749, CVE-2010-1758, CVE-2010-1759, CVE-2010-1761, CVE-2010-1763, CVE-2010-1769, CVE-2010-1770, CVE-2010-1771, CVE-2010-1774

- http://support.apple.com/downloads/
"... iTunes 9.2 provides a number of important bug fixes..."

- http://securitytracker.com/alerts/2010/Jun/1024108.html
June 16, 2010

:fear::fear:

FYI...

Foxit Reader v4.0 released
- http://www.foxitsoftware.com/downloads/index.php
06/29/10

- http://www.foxitsoftware.com/pdf/reader/bugfix.php

- http://www.foxitsoftware.com/pdf/reader/security.php
"... Foxit Reader 4.0 security options include, Security Warning Dialog, Trust Manager (Safe Mode), and in extreme situations the ability to Disable JavaScript completely..."

- http://www.foxitsoftware.com/pdf/reader/features_benefits.php

Update now available through the "Check for Updates" function:
From an admin. account > Help > Check for Updates now > FoxIt Reader 4.0.0.0619 Upgrade
07.02.2010

:fear:

FYI...

iTunes accounts hacked...
- http://isc.sans.edu/diary.html?storyid=9136
Last Updated: 2010-07-05 19:31:16 UTC - "... iTunes accounts have been hacked to make mass purchases of one developer's app. As a safety measure, I recommend to change your ITunes password ASAP and, if you feel paranoid like me, delete your credit card info from the account until this issue is clarified. More information at: http://www.alexbrie.com/archives/205 , http://thenextweb.com/apple/2010/07/04/app-store-hacked ..."

- http://www.theregister.co.uk/2010/07/05/itunes_app_store_manipulation/
5 July 2010 11:29 GMT

- http://blog.trendmicro.com/cybercriminals-make-money-out-of-app-store/
July 6, 2010 - "... cybercrime groups have now found a working business model in monetizing phished user accounts in Apple’s App Store. They’ve circumvented Apple’s “strict” app review process by submitting nonmalicious apps (doesn’t matter if the app is worthless) then used phished iTunes accounts to buy (and make money from) the worthless apps... by targeting user accounts, cybercriminals attacked the weakest link in the system (the user), only using Apple’s App Store as platform and the worthless apps as means to cash in on phished accounts. May this incident serve as a glaring reminder on the importance of our online accounts, especially if our credit and/or debit cards are tied to them."

:fear::mad::fear:

FYI...

1H 2010 - Security bug count up - 3rd party apps ...
- http://www.theregister.co.uk/2010/07/12/secunia_threat_report/
12 July 2010 - "The number of vulnerabilities in the first half of 2010 was close to the number recorded in the whole of 2009, security notification firm Secunia reports*... Secunia reckons the security threat landscape is shifting from operating system vulnerabilities to bugs in third-party applications. Secunia reckons a typical end-user PC with 50 programs installed will be faced with 3.5 times more security bugs in the 24 third party programs running on their systems than in the 26 Microsoft programs installed. Secunia expects this ratio to increase to 4.4 in 2010. Patching to defend against these vulnerabilities is further complicated by the 13 different software update mechanisms running on each PC... study can be found here*."
* http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf
"... The overall conclusion is that despite considerable security investments, the software industry at large still proves unable to produce software with substantially less vulnerabilities, highlighting the continued need for Vulnerability Intelligence and Patch Management... the report shows an alarming development in 3rd party program vulnerabilities, representing an increasing threat to both users and business..."

- http://www.pcmag.com/article2/0,2817,2366015,00.asp
07.02.2010

- http://isc.sans.edu/diary.html?storyid=9172
Last Updated: 2010-07-14 14:36:45 UTC

- http://www.bitdefender.com/files/News/file/H1_2010_E-Threats_Landscape_Report.pdf
"... During the last six months, China has been the most active country in terms of malware propagation, followed by the Russian Federation. Both countries are known for their lax legislation regarding cybercrime, as well as for the plethora of “bulletproof hosting” companies – such as the officially dead Russian Business Network (but extremely active in practice), Troyak (taken down in March 2010) or PROXIEZ-NET (gone as of May 2010). If both the Russian Federation and China are the main hosters for Zeus C & C panels / exploit packs, and medicine spam mass-mailers, Brazil – ranked third – has an industry of its own: the highly dangerous banker Trojans... "

:fear::fear:

FYI...

Oracle Critical Patch Update Advisory - July 2010
- http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html
2010-July-13 - "... Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 59 new security fixes..."
(More details at the URL above.)

- http://www.us-cert.gov/current/#oracle_releases_critical_patch_update13
"... security fixes:
• 6 for Oracle Database Server
• 2 for TimesTen In-Memory Database
• 5 for Oracle Secure Backup
• 7 for Oracle Fusion Middleware
• 1 for Oracle Enterprise Manager
• 7 for Oracle E-Business Suite
• 2 for Oracle Supply Chain Products Suite
• 8 for Oracle PeopleSoft and JDEdwards Suite
• 21 for Oracle Sun Products Suite ..."

- http://www.securitytracker.com/archives/summary/9000.html
2010-07-13 // 2010-07-14 - Oracle...
- http://www.securityfocus.com/
2010-07-13 // 2010-07-14 - Oracle...

:fear::fear:

FYI...

Winamp v5.58 released
- http://secunia.com/advisories/40534/
Release Date: 2010-07-13
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to version 5.58 or later.
Original Advisory:
http://www.winamp.com/help/Version_History#Winamp_5.581_.28Latest.29

- http://www.winamp.com/media-player/en

- http://securitytracker.com/alerts/2010/Jul/1024207.html
Jul 14 2010

:fear:

FYI...

iTunes v9.2.1 released
- http://secunia.com/advisories/40660/
Release Date: 2010-07-20
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
...The vulnerability is reported in versions prior to 9.2.1.
Solution: Update to version 9.2.1.
Original Advisory: Apple:
http://support.apple.com/kb/HT4263

- http://securitytracker.com/alerts/2010/Jul/1024220.html

- http://support.apple.com/downloads/

:fear:

FYI...

vBulletin vuln - update available
- http://secunia.com/advisories/40675/
Last Update: 2010-07-23
Criticality level: Moderately critical
Impact: Exposure of sensitive information
Where: From remote
Solution Status: Vendor Patch
Software: vBulletin 3.x
... The vulnerability is reported in version 3.8.6. Prior versions may also be affected.
Solution: Apply patch 3.8.6 PL1...
Original Advisory: vBulletin:
http://www.vbulletin.com/forum/showthread.php?357818-Security-Patch-Release-3.8.6-PL1 ...
vbfans.com:
http://vbfans.com/wtn-official-products-services/251578-wtn-patch-vbulletin-3-8-6-faq-php/

:fear:

FYI...

- http://www.safer-networking.org/en/updatehistory/index.html
2010-07-28 - "... Total: 4,158,967 fingerprints in 1,278,273 rules for 5,686 products..."

:blink:

FYI...

* http://securityblog.verizonbusiness.com/2010/07/28/2010-dbir-released/

- http://preview.tinyurl.com/37d8rea
"... Key findings of the 2010 report:
• Most data breaches (69%) caused by external sources
• Many breaches (48%) involved privilege misuse
• Nearly all data is breached from servers and online applications
• Most breaches (85%) were not difficult to carry out
• Most victims (87%) missed evidence of security breaches in their log files
• Recommendations for enterprises:
- Restrict and monitor privileged users
- Watch for minor policy violations
- Implement measures to stop the use of stolen credentials
- Focus on the size and volume of log files
- Share incident information with other organisations"

- http://krebsonsecurity.com/2010/07/hacked-companies-hit-by-the-obvious-in-2009/
July 28, 2010

:fear:

FYI...

Foxit Reader v4.1.1.0805 available
- http://www.foxitsoftware.com/announcements/2010861227.html
Fixed in Foxit Reader 4.1.1
• Foxit Reader 4.1.1.0805 addresses vulnerability associated with the rendering of the PDF's embedded in the new iPhone/iPad jailbreak program.
CVE-2010-1797: http://www.f-secure.com/weblog/archives/00002004.html
August 6, 2010

Direct download - latest version
- http://www.foxitsoftware.com/downloads/download_links/downloadreader.php?tag=exe

Update now available through the "Check for Updates" function:
From an admin. account: > Help > Check for Updates now > FoxIt Reader 4.1.1.0805 Upgrade
8.6.2010

- http://www.foxitsoftware.com/pdf/reader/security_bulletins.php

- http://securitytracker.com/alerts/2010/Aug/1024294.html
Aug 6 2010

- http://www.us-cert.gov/current/#foxit_releases_foxit_reader_4

:fear:

FYI...

Google Chrome v5.0.375.126 released
- http://googlechromereleases.blogspot.com/search/label/Stable%20updates
August 10, 2010 - "Google Chrome 5.0.375.126 has been released to the Stable channel on Linux, Mac, and Windows. This version contains an updated version of the Flash plugin..."

- http://secunia.com/advisories/40917/
Release Date: 2010-08-11
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to version 5.0.375.126...

:fear:

FYI...

QuickTime v7.6.7 released
- http://support.apple.com/kb/HT4290
Aug. 12, 2010 - CVE-2010-1799*

- http://www.apple.com/quicktime/download/
(32.9 MB)

Apple security updates
- http://support.apple.com/kb/HT1222

- http://secunia.com/advisories/40729/
Last Update: 2010-08-13
Criticality level: Highly critical
Impact: System access
Where: From remote
... The vulnerability is confirmed in version 7.6.6 (1671) for Windows. Other versions may also be affected.
Solution: Update to version 7.6.7.

* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1799
Last revised: 08/21/2010 - "... Apple QuickTime before 7.6.7..."
CVSS v2 Base Score: 9.3 (HIGH)

- http://securitytracker.com/alerts/2010/Aug/1024336.html
Aug 13 2010

- http://isc.sans.edu/diary.html?storyid=9382
Last Updated: 2010-08-13 00:15:28 UTC

:fear:

Thunderbird 3.1.2 fixes the following issues in Thunderbird 3.1.1:


Several fixes to improve stability.
Several fixes to the user interface.


Release Notes:
http://www.mozillamessaging.com/en-US/thunderbird/3.1.2/releasenotes/

Manual Download:
http://www.mozillamessaging.com/en-US/thunderbird/all.html

FYI...

Google Chrome v5.0.375.127 released
- http://secunia.com/advisories/41014/
Release Date: 2010-08-20
Criticality level: Highly critical
Impact: Unknown, Spoofing, System access
Where: From remote...
Solution: Update to version 5.0.375.127.
Original Advisory: Google:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates
August 19, 2010

:fear:

FYI...

iTunes v10 released
- http://support.apple.com/kb/HT4328
September 02, 2010
WebKit: CVE-ID:
CVE-2010-1780, CVE-2010-1782, CVE-2010-1783, CVE-2010-1784, CVE-2010-1785, CVE-2010-1786, CVE-2010-1787, CVE-2010-1788, CVE-2010-1789, CVE-2010-1790, CVE-2010-1791, CVE-2010-1792, CVE-2010-1793

- http://support.apple.com/downloads/

- http://secunia.com/advisories/41149/
Release Date: 2010-09-02
Criticality level: Highly critical
Impact: System access
Where: From remote ...
Solution: Upgrade to version 10.
Original Advisory: Apple:
http://support.apple.com/kb/HT4328

>> http://forums.spybot.info/showpost.php?p=382439&postcount=129

:fear:

FYI...

Google Chrome v6.0.472.53 released
- http://secunia.com/advisories/41242/
Release Date: 2010-09-03
Criticality level: Highly critical
Impact: Security Bypass, Spoofing, Exposure of sensitive information, System access
Where: From remote
Software: Google Chrome 5.x
Solution: Fixed in version 6.0.472.53.
Original Advisory:
http://googlechromereleases.blogspot.com/2010/09/stable-and-beta-channel-updates.html

:fear:

FYI...

Thunderbird v3.1.3 released
- http://secunia.com/advisories/41304/
Release Date : 2010-09-08
Criticality level: Highly critical
Impact: Cross Site Scripting, Exposure of sensitive information, System access
Where: From remote
CVE Reference(s): CVE-2010-2760, CVE-2010-2762, CVE-2010-2763, CVE-2010-2764, CVE-2010-2765, CVE-2010-2766, CVE-2010-2767, CVE-2010-2768, CVE-2010-2769, CVE-2010-2770, CVE-2010-3166, CVE-2010-3167, CVE-2010-3168, CVE-2010-3169
Solution: Update to version 3.1.3 or 3.0.7...

- http://www.mozillamessaging.com/en-US/thunderbird/3.1.3/releasenotes/
v.3.1.3, released September 7, 2010

- http://www.mozillamessaging.com/thunderbird/all.html

- http://securitytracker.com/alerts/2010/Sep/1024403.html
- http://securitytracker.com/alerts/2010/Sep/1024407.html
Sep 8 2010

:fear:

FYI...

Safari v5.0.2 / v4.1.2 released
- http://secunia.com/advisories/41085/
Release Date: 2010-09-08
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Apple Safari 4.x, Apple Safari 5.x
CVE Reference(s): CVE-2010-1805, CVE-2010-1806, CVE-2010-1807
Solution: Update to version 5.0.2 (Mac OS X 10.5.8, Mac OS X 10.6.2 or later, or Windows 7, Vista, or XP SP2) or 4.1.2 (Mac OS X 10.4.11 or Mac OS X 10.5.8 ).
Original Advisory: Apple: http://support.apple.com/kb/HT4333

- http://support.apple.com/downloads/
Safari 4.1.2 for Tiger: Fixes an issue that could prevent users from submitting web forms.
Safari 5.0.2: This update contains improvements to performance, usability, compatibility and security.

- http://securitytracker.com/alerts/2010/Sep/1024400.html
Sep 8 2010

:fear:

FYI...

Google Chrome v6.0.472.62 released
- http://googlechromereleases.blogspot.com/2010/09/stable-beta-channel-updates_17.html
September 17, 2010 - "Google Chrome has been updated to 6.0.472.62 for Windows, Linux and Mac on the Stable channel... this version includes an updated version of the Flash Plugin with a fix for a security vulnerability*...
* http://www.adobe.com/support/security/advisories/apsa10-03.html

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2884
Last revised: 09/18/2010 - "... as exploited in the wild in September 2010..."
CVSS v2 Base Score: 9.3 (HIGH)
___

Google Chrome v6.0.472.59 released
- http://secunia.com/advisories/41390/
Release Date: 2010-09-15
Criticality level: Highly critical
Impact: Unknown, System access
Where: From remote
Solution: Update to version 6.0.472.59 ...
Original Advisory:
http://googlechromereleases.blogspot.com/2010/09/stable-beta-channel-updates_14.html

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3408
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3409
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3410
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3412
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3414
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3415
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3416
"... before 6.0.472.59..."

:fear::fear:

FYI...

Quicktime v7.6.8 released
- http://support.apple.com/kb/HT4339
September 15, 2010
CVE-ID: CVE-2010-1818
CVE-ID: CVE-2010-1819

- http://www.apple.com/quicktime/download/

Apple security updates
- http://support.apple.com/kb/HT1222

- http://secunia.com/advisories/41213/
Last Update: 2010-09-16
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to version 7.6.8...

- http://securitytracker.com/alerts/2010/Sep/1024452.html
Sep 15 2010 "... prior to 7.6.8..."

:fear:

FYI...

Thunderbird v3.1.4 released
- http://www.mozillamessaging.com/thunderbird/all.html

- http://www.mozillamessaging.com/thunderbird/3.1.4/releasenotes/
v.3.1.4, released September 16, 2010
• Several fixes to improve stability.
• Several fixes to improve the user interface.

- https://bugzilla.mozilla.org/buglist.cgi?field0-0-0=cf_status_thunderbird31;type0-0-1=equals;field0-0-1=cf_status_192;query_format=advanced;value0-0-1=.10-fixed;type0-0-0=equals;value0-0-0=.4-fixed
4 bugs fixed.

:fear:

FYI...

FoxIt Reader v4.2.0.0928 released
- http://www.foxitsoftware.com/downloads/index.php
09/29/10

- http://www.foxitsoftware.com/pdf/reader/security_bulletins.php#identity
"... Fixed identity theft issue caused by the security flaw of the digital signature..."

- http://www.foxitsoftware.com/pdf/reader/bugfix.php

Update now available through the "Check for Updates" function:
From an admin. account: > Help > Check for Updates now > FoxIt Reader 4.2.0.0928 Upgrade
9.29.2010

- http://secunia.com/advisories/41656/
Release Date: 2010-10-06
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: Update to version 4.2.0.0928, which also provides a security enhancement to the handling of PDF signatures.

- http://www.foxitsoftware.com/company/press.htm
"... 70 million users worldwide..."

:fear:

FYI...

Thunderbird v3.1.5 released
- http://www.mozillamessaging.com/thunderbird/all.html

- http://www.mozillamessaging.com/en-US/thunderbird/3.1.5/releasenotes/
v.3.1.5, released October 19, 2010
• Several fixes to improve performance, stability and security, see the Security Advisory.
• Several fixes to improve the user interface and add-ons experience.

- https://bugzilla.mozilla.org/buglist.cgi?field0-0-0=cf_status_thunderbird31;type0-0-1=equals;field0-0-1=cf_status_192;query_format=advanced;value0-0-1=.11-fixed;type0-0-0=equals;value0-0-0=.5-fixed
59 bugs found.

:fear::fear:

FYI...

Google Chrome v7.0.517.41 released
- http://secunia.com/advisories/41888/
Release Date: 2010-10-20
Criticality level: Highly critical
Impact: Unknown, Security Bypass, Spoofing, System access
Where: From remote ...
Solution: Fixed in version 7.0.517.41 ...
Original Advisory:
http://googlechromereleases.blogspot.com/2010/10/stable-channel-update.html
... Updates from the previous stable release include:
• Hundreds of bug fixes
• An updated HTML5 parser
• File API
• Directory upload via input tag ...

:fear::fear:

FYI...

Thunderbird v3.1.6 released
- http://secunia.com/advisories/41975/
Release Date: 2010-10-28
Criticality level: Moderately critical
Impact: System access
Where: From remote
Solution: Update to version 3.0.10 and 3.1.6.
Original Advisory: Mozilla:
http://www.mozilla.org/security/announce/2010/mfsa2010-73.html

- http://www.securitytracker.com/id?1024651
Oct 28 2010
___

Firefox updated, too:
- http://forums.spybot.info/showpost.php?p=387136&postcount=6

:fear:

FYI...

Google Chrome v7.0.517.44 released
- http://secunia.com/advisories/42109/
Release Date: 2010-11-04
Criticality level: Highly critical
Impact: Unknown, System access
Where: From remote
Solution: Update to version 7.0.517.44.
Original Advisory:
http://googlechromereleases.blogspot.com/2010/11/stable-channel-update.html
November 4, 2010 - "... Along with the security fixes... this build has an updated version of Flash..."

:fear:

FYI...

Safari v5.0.3 released
- http://secunia.com/advisories/42264/
Release Date: 2010-11-19
Criticality level: Highly critical
Impact: System access, Spoofing, Security Bypass
Where: From remote
Solution Status: Vendor Patch ...
Solution: Update to Safari 5.0.3 (Mac OS X 10.5.8, Mac OS X 10.6.4 or later, Windows 7, Vista, XP) or Safari 4.1.3 (Mac OS X 10.4.11)...

- http://support.apple.com/kb/DL1070

- http://support.apple.com/kb/HT4455

- http://support.apple.com/kb/HT1222

- http://support.apple.com/downloads/

- http://www.securitytracker.com/id?1024757
Nov 18 2010
CVE Reference: CVE-2010-3803, CVE-2010-3804, CVE-2010-3805, CVE-2010-3259, CVE-2010-3808, CVE-2010-3809, CVE-2010-3810, CVE-2010-3811, CVE-2010-3812, CVE-2010-3813, CVE-2010-3116, CVE-2010-3257, CVE-2010-3816, CVE-2010-3817, CVE-2010-3818, CVE-2010-3819, CVE-2010-3820, CVE-2010-3821, CVE-2010-3822, CVE-2010-3823, CVE-2010-3824, CVE-2010-3826

- http://nakedsecurity.sophos.com/2010/11/19/safari-5-0-34-1-3-fixes-27-vulnerabilities/
November 19, 2010 - "... If you are a Safari user make sure you apply these updates as soon as possible, as it won't be long before our criminal adversaries attempt to use their disclosure against us..."

:fear:

FYI...

FoxIt Reader v4.3.0.1110 released
- http://www.foxitsoftware.com/downloads/index.php
11/16/10

- http://www.foxitsoftware.com/pdf/reader/bugfix.php
• Fixed an issue where Foxit Reader crashes when scrolling back after the user scrolls down to view the last page (actual image) of a PDF file.
• Fixed a crash issue when opening certain PDFs.

Update available through the "Check for Updates" function: From an admin. account: > Help > Check for Updates now > FoxIt Reader 4.3.0.1110 Upgrade

:fear:

FYI...

Winamp v5.6...
- http://secunia.com/advisories/42004/
Release Date: 2010-11-30
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Solution: Update to version 5.6.
Original Advisory: Winamp:
http://forums.winamp.com/showthread.php?threadid=159785

- http://www.winamp.com/media-player/en
Winamp 5.6, Build 3080 (5.6.0.3080)

- http://www.winamp.com/help/Version_History#Winamp_5.6_.28Latest.29

:fear:

FYI...

Kerio Control v7.1.0 released
- http://secunia.com/advisories/42388/
Release Date: 2010-11-30
Criticality level: Moderately critical
Impact: Unknown
Where: From remote
Solution Status: Vendor Patch
Software: Kerio Control 7.x
... vulnerability is reported in versions prior to 7.1.0.
Solution: Update to version 7.1.0.
Original Advisory:
http://www.kerio.com/control/history
(formerly Kerio WinRoute Firewall)
Version 7.1.0 - November 30, 2010

:fear:

FYI...

WordPress v3.0.2 released
- http://wordpress.org/download/
"The latest stable release of WordPress (Version 3.0.2) is available..."

- http://wordpress.org/news/2010/11/wordpress-3-0-2/
November 30, 2010 - "... mandatory security update for all previous WordPress versions..."

WordPress SQL Injection Vuln
- http://secunia.com/advisories/42431/
Release Date: 2010-12-01
Solution: Update to version 3.0.2.

- http://www.securitytracker.com/id?1024809
Dec 1 2010

- http://www.us-cert.gov/current/#wordpress_releases_wordpress_3_0
December 2, 2010

Over 500,000 Windows Live Spaces blogs migrated to WordPress.com
- http://windowsteamblog.com/windows_live/b/windowslive/archive/2010/11/29/over-500-000-windows-live-spaces-blogs-migrated-to-wordpress-com.aspx
29 November 2010 - "... nearly 1 million new people now blogging on WordPress... those of you who haven’t gotten around to it yet, we want to remind you that you’ll need to do so before March 2011..."

:fear:

FYI...

Google Chrome v8.0.552.215 released
- http://secunia.com/advisories/42472/
Release Date: 2010-12-03
Impact: Unknown, Exposure of sensitive information, DoS, System access
Where: From remote
Solution: Fixed in version 8.0.552.215.

- http://googlechromereleases.blogspot.com/search/label/Stable%20updates
December 2, 2010 - "... over 800 bug fixes and stability improvements..."

- http://www.securitytracker.com/id?1024821
Dec 3 2010

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=228400159
Nov. 29, 2010

- http://weblogs.mozillazine.org/asa/archives/2010/11/why_do_they_think_th.html
November 28, 2010

:fear:

FYI...

Winamp v5.601 released
- http://secunia.com/advisories/42475/
Release Date: 2010-12-07
Criticality level: Moderately critical
Impact: Unknown
Where: From remote
Solution Status: Vendor Patch
... The vulnerability is reported in versions prior to 5.601.
Solution: Update to version 5.601.
Original Advisory: http://forums.winamp.com/showthread.php?s=&threadid=159785

- http://www.winamp.com/help/Version_History#Winamp_5.601_.28Latest.29
___

- http://secunia.com/advisories/44600/
Release Date: 2011-05-16
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
"... vulnerability is confirmed in version 5.61. Other versions may also be affected..."

- http://www.winamp.com/help/Version_History#Winamp_5.61

:fear:

FYI...

QuickTime v7.6.9 released
- http://support.apple.com/kb/DL837
Version: 7.6.9
Post Date: December 07, 2010
Download ID: DL837
File Size: 32.86 MB
Windows XP (SP2 or later), Windows Vista, Windows 7

- http://support.apple.com/kb/HT4447
CVEs: CVE-2010-3787, CVE-2010-3788, CVE-2010-3789, CVE-2010-3790, CVE-2010-3791, CVE-2010-3792, CVE-2010-3793, CVE-2010-3794, CVE-2010-3795, CVE-2010-3800, CVE-2010-3801, CVE-2010-3802, CVE-2010-1508, CVE-2010-0530, CVE-2010-4009

- http://apple.com/quicktime/download
... or update via Apple Software Update.

- http://www.securitytracker.com/id?1024829
Dec 7 2010
- http://www.securitytracker.com/id?1024830
Dec 7 2010

- http://secunia.com/advisories/39259/
Last Update: 2010-12-08
Criticality level: Highly critical
Impact: Exposure of sensitive information, System access, Manipulation of data
Where: From remote...
Solution: Update to version 7.6.9.

:fear:

FYI...

WordPress v3.0.3 released
- http://wordpress.org/download/
December 8, 2010 - "The latest stable release of WordPress (Version 3.0.3) is available..."

- http://wordpress.org/news/2010/12/wordpress-3-0-3/
"...security update for all previous WordPress versions. This release fixes issues in the remote publishing interface, which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish, or delete posts. These issues only affect sites that have remote publishing enabled. Remote publishing is disabled by default, but you may have enabled it to use a remote publishing client such as one of the WordPress mobile apps. You can check these settings on the “Settings ? Writing” screen..."

- http://www.securitytracker.com/id?1024842
Dec 9 2010

:fear:

FYI...

Thunderbird v3.1.7 released
- http://www.mozillamessaging.com/thunderbird/
released December 9, 2010

- http://www.mozillamessaging.com/thunderbird/3.1.7/releasenotes/

- http://www.mozilla.org/security/known-vulnerabilities/thunderbird31.html#thunderbird3.1.7
Fixed in Thunderbird 3.1.7
MFSA 2010-78 Add support for OTS font sanitizer
MFSA 2010-75 Buffer overflow while line breaking after document.write with long string
MFSA 2010-74 Miscellaneous memory safety hazards (rv:1.9.2.13/ 1.9.1.16)

- https://bugzilla.mozilla.org/buglist.cgi?field0-0-0=cf_status_thunderbird31;type0-0-1=equals;field0-0-1=cf_status_192;query_format=advanced;value0-0-1=.13-fixed;type0-0-0=equals;value0-0-0=.7-fixed
85 bugs fixed...

- http://secunia.com/advisories/42519/
Release Date: 2010-12-10
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to version 3.1.7 or 3.0.11.
Original Advisory:
http://www.mozilla.org/security/announce/2010/mfsa2010-74.html
http://www.mozilla.org/security/announce/2010/mfsa2010-75.html
http://www.mozilla.org/security/announce/2010/mfsa2010-78.html

- http://www.securitytracker.com/id?1024846
Dec 10 2010

FYI...

Chrome v8.0.552.224 released
- http://secunia.com/advisories/42605/
Release Date: 2010-12-14
Criticality level: Highly critical
Impact: Unknown, DoS, System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to version 8.0.552.224.
Original Advisory:
http://googlechromereleases.blogspot.com/2010/12/stable-beta-channel-updates_13.html

:fear:

FYI...

IrfanView v4.28 released
LuraDocument Format PlugIn Memory Corruption Vulnerability
- http://secunia.com/advisories/41439/
Release Date: 2010-12-17
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution: No updated version of the plugin will be made available. The vendor has removed the plugin in version 4.28 of the plugins distribution.
Original Advisory:
http://irfanview.com/main_history.htm
Version 4.28 ( - CURRENT VERSION - ) (Release date: 2010-12-16)

:fear:

FYI...

Kerio Firewall vuln - patch available
- http://www.securitytracker.com/id?1024913
Dec 20 2010
Solution: The vendor has issued a fix (7.1.0 Patch 1).
The vendor's advisory is available* ...
* http://www.kerio.com/support/security-advisories#1012
Date: December 20, 2010
Severity: High
Name: HTTP cache poisoning vulnerability
Affected products: Kerio WinRoute Firewall all versions, Kerio Control up to version 7.1.0
Fix availability: The following product versions are not vulnerable: Kerio Control version 7.1.0 Patch 1 and higher.
Description: By sending a specially crafted HTTP data over a non-HTTP TCP connection a malicious web site could trick the HTTP cache to store arbitrary data. That data would then be served to clients instead of the legitimate content.
Mitigation factors: HTTP cache is disabled by default. It must be enabled in order for this attack to succeed.
Workaround: Disable HTTP cache...
> http://www.kerio.com/node/588
Release history

:fear:

FYI...

Mozilla - password Security Breach
"... partial database of addons.mozilla.org user accounts..."
- http://isc.sans.edu/diary.html?storyid=10162
Last Updated: 2010-12-28 17:14:52 UTC - "Mozilla has published a blog* and sent out an e-mail notifying users.. User IDs and password hashes for users were available for public access briefly. Users who have not been active before April 2009, however, had their password hashes stored in MD5 hashes which could be retrieved via password cracking. This method of storing passwords has been retired by Mozilla which is why users who logged in after April 2009 are safe. The problem would come in for those users who use the same password across multiple sites (particularly the same password to access the e-mail account they registered with).
As a quick tip, we all have dozens (at least) of "low-impact" sites we have passwords for: new sites, blogs, etc. The impact of those accounts being compromised is trivial, at best. However, if the same password is used (and that password is mapped to an e-mail address or username) it can be used to access other, more sensitive accounts. You could have a different password for each site, which quickly becomes impractical. Sites using centralized logins are few and far-between (say Open ID). A solution I've tried to use is to have an insecure password but salt it with some designation for the site I'm accessing. Say the insecure password is qwerty. I can add two characters designating what I'm accessing for each site. So qwertyFF (FF for Firefox) for addons.mozilla.org. This allows for different passwords at each site, but in a way that is easy to remember multiple passwords. Obviously, you -won't- want to user "qwerty" as the base for those passwords, but you get the idea."
* http://blog.mozilla.com/security/2010/12/27/addons-mozilla-org-disclosure/
"... partial database of addons.mozilla.org user accounts..."

:fear::sad:

FYI...

Malware Domains 2234.in, 0000002.in & co
- http://isc.sans.edu/diary.html?storyid=10165
Last Updated: 2010-12-29 00:04:58 UTC - "... recent increase of malicious sites with ".in" domain names. The current set of names follow the four-digit and seven-digit pattern. Passive DNS Replication like RUS-CERT/BFK shows that a big chunk of these domains currently seems to point to 91.204.48.52 (AS24965) and 195.80.151.83 (AS50877). The former Netblock is in the Ukraine (where else), the latter likely in Moldavia. Both show up prominently on Google's filter (AS24965, AS50877), Zeustracker, Spamhaus (AS24965, AS50877) and many other sites that maintain filter lists of malicious hosts. A URL block system that can do regular expressions comes in pretty handy for these - \d{4}\.in and \d{7}\.in takes care of the whole lot, likely with minimal side effects, since (benign) all-numerical domain names under ".in" are quite rare. If you're into blocking entire network ranges, zapping 91.204.48.0/22 and 195.80.148.0/22 should nicely take care of this current as well as future badness..."
[ 91.204.48.* / 195.80.148.* ]

- http://cidr-report.org/cgi-bin/as-report?as=AS24965

- http://cidr-report.org/cgi-bin/as-report?as=AS50877

:fear::fear: