Stration/Warezov worms prolific...
FYI...
- http://www.f-secure.com/weblog/archi....html#00001172
April 19, 2007 ~ "It's been awhile since the last attack of the Warezov gang. But it seems now they're back in action... e-mail of the new Warezov... being spammed... The zip file attachment contains an executable file that uses a text file icon as a decoy (Update-KB4765-x86.exe)... This executable file is a downloader for its other components. The link is encrypted with a simple XOR. For system administrators, you may want block network traffic from the following malicious link: linktunhdesa .com /h[REMOVED]2.exe ..."
(Screenshots available at the F-secure URL above.)
:fear:
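The "link is encrypted with a simple XOR" detail above is the usual analyst chore with these downloaders: pull the config blob out of the binary and recover the key. The script below is an added example written for this thread, not code from F-Secure's write-up or from the malware itself. It brute-forces a single-byte key and, going one step further than the post, recovers a short repeating key by sliding the known prefix "http://" over the blob (a known-plaintext attack). Both blobs it runs on are constructed here with made-up example.invalid URLs, not the real Warezov download link.

```python
"""Recover XOR-obfuscated download URLs from a downloader's config blob.

Added example for this thread (not F-Secure's or the malware's code).
The two blobs below are constructed test data, not real Warezov payloads.
"""
import re

# A URL starts with http(s):// and runs until the first non-URL byte.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (int 0..255)."""
    return bytes(b ^ key for b in data)


def find_xor_urls(blob):
    """Try every single-byte key; return (key, url) for each decoding with a URL."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        for m in URL_RE.finditer(decoded):
            hits.append((key, m.group(0)))
    return hits


def looks_like_text(data):
    """Config strings are printable ASCII plus NUL/whitespace; garbage is not."""
    return all(32 <= c < 127 or c in (0, 9, 10, 13) for c in data)


def recover_repeating_key(blob, crib=b"http://", max_keylen=8):
    """Known-plaintext attack on a repeating-key XOR.

    Slide the crib over the blob; at each offset derive the key bytes the crib
    implies, reject offsets where one key slot would need two different values,
    and accept the first key whose full decoding is clean text.  Returns
    (key, decoded) or None.  Key slots are indexed by absolute position so the
    recovered key has the same alignment as the one the downloader used.
    """
    for keylen in range(1, max_keylen + 1):
        for off in range(len(blob) - len(crib) + 1):
            key = bytearray(keylen)
            known = [False] * keylen
            consistent = True
            for i, c in enumerate(crib):
                slot = (off + i) % keylen
                k = blob[off + i] ^ c
                if known[slot] and key[slot] != k:
                    consistent = False
                    break
                key[slot], known[slot] = k, True
            if not consistent or not all(known):
                continue  # crib too short to pin every slot, or contradictory
            decoded = bytes(b ^ key[i % keylen] for i, b in enumerate(blob))
            if URL_RE.search(decoded) and looks_like_text(decoded):
                return bytes(key), decoded
    return None


# Constructed sample 1: single-byte key 0x5A over a small config string.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(b"\x00\x00cfg=http://example.invalid/h2.exe\x00pad", SAMPLE_KEY)

# Constructed sample 2: 3-byte repeating key over a key=value config line.
SAMPLE_KEY3 = b"\x13\x37\xab"
SAMPLE_PLAIN3 = b"id=42;url=http://example.invalid/h2.exe;x=1"
SAMPLE_BLOB3 = bytes(b ^ SAMPLE_KEY3[i % 3] for i, b in enumerate(SAMPLE_PLAIN3))

if __name__ == "__main__":
    for key, url in find_xor_urls(SAMPLE_BLOB):
        print("single-byte key 0x%02x -> %s" % (key, url.decode()))
    key, decoded = recover_repeating_key(SAMPLE_BLOB3)
    print("repeating key %s -> %s" % (key.hex(), decoded.decode()))
```

On a real sample you would feed in the bytes sitting between the unpacked binary's string table and the code that decodes them; the printable-text check is what keeps the crib search from returning every offset where "http://" can be forced to appear.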
Virus Writers Taint Google Ad Links
FYI...
- http://blog.washingtonpost.com/secur...google_ad.html
April 25, 2007 ~ "Virus writers have been gaming Google's "sponsored links" -- the paid ads shown alongside search engine results*. They are aiming to get their malicious software installed on computers whose users click onto ad links after searching for legitimate sites such as BBBonline.org, the official Web site of the Better Business Bureau. Sponsored links allow customers to buy advertisements attached to a particular search term. When a Google user enters a term into the firm's search engine, the ad belonging to the advertiser that bid the highest price for that search term appears at the top of the list of search results. According to a report at Exploit Prevention Labs**, while the top sponsored links that showed up earlier this week when users searched for "BBB," "BBBonline" or "Cars.com" appeared to direct visitors to those sites, they initially would route people who clicked on the ads through an intermediate site. The intermediate site attempted to exploit a vulnerability in Microsoft Windows to silently install software designed to steal passwords and other sensitive information from infected PCs. The attackers exploited a flaw in Microsoft's Internet Explorer Web browser, a problem that the company issued a patch to fix..."
* http://blog.washingtonpost.com/securityfix/gnh.html
** http://explabs.blogspot.com/2007/04/...-not-safe.html
- http://weblog.infoworld.com/zeroday/...e_adwords.html
April 25, 2007 ~ "...A closer inspection by Exploit Prevention Labs researchers revealed that the attacks were actually coming from a site called smarttrack.org, a Russian Web site that serves up a variety of Web exploits..."
:fear: :mad:
Mobile spyware gets Certified...
FYI...
- http://www.f-secure.com/weblog/archi....html#00001190
May 11, 2007 ~ "...Mobile spyware and spying tools have been active lately. This week, we have received samples of two new mobile spying tools – running on new platforms. There is now spyware for both Windows Mobile and Symbian S60 3rd Edition devices... Spyware is being developed by commercial companies that have a lot more resources, skills, and motivation to get their creations to work. Both new spying tools are rather similar in their capabilities. After being installed on the device, they hide from the user and report information from the phone to a central server. From there, it can be accessed through a web page interface. An interesting fact is that the spyware for the Symbian 3rd Edition platform is Symbian signed. Therefore it can be installed without any warnings and is capable of operating without Symbian security alerting the user that something is going on... The fact that the spy tool authors could get their software certified indicates a potential issue when using digital signatures and certificates as the only security measure. On one hand the software is technically exactly what it claims to be, an application that backs up user data to a server. On the other hand, when the software is installed onto the device without the primary user's knowledge and permission, it can be used as a spying tool that compromises the said user's personal privacy. Thus if suspect applications cannot break security components, they can then play with the process of certification..."
(Screenshots and more detail at the URL above.)
:fear:
Malicious Code: Large scale European Web Attack
FYI...
- http://www.websense.com/securitylabs...hp?AlertID=782
June 18, 2007 ~ "Websense® Security Labs™ has received reports of a large scale attack in Europe that is using the MPACK* web exploit toolkit... At the time of this alert our ThreatSeeker technology has discovered more than *10,000* sites that have been compromised and have IFRAMES pointing to the hub infection site. Assuming users connect to one of the compromised sites and are vulnerable to one of several loaded exploits, a Trojan Horse is downloaded onto their machine which is designed to steal banking and potentially other confidential information through a (series) of web infection downloads. The main site has a statistics page and it has shown very large numbers of users connecting to the infected sites and high levels of users who have been compromised... The top regions are Italy, Spain, and the United States..."
(Graphics and sample statistics available at the URL above.)
* http://blogs.pandasoftware.com/blogs...red_2100_.aspx
------------------------------------------------
- http://blog.trendmicro.com/another-m...n-italian-job/
June 18, 2007 ~ "Remember LINKOPTIM, which exploited a number of legitimate Italian Web sites to spread malicious JavaScripts? Since early Saturday morning (June 16, 2007), Trend Micro has been receiving several reports of a new batch of hacked Italian Web sites that trigger a series of malware downloads once a user visits them. These infection series begin with a malicious IFRAME tag. Trend Micro detects Web pages hosting the said malicious tag as HTML_IFRAME.CU. All the compromised sites are hosted in Italy... Most of the legitimate Web sites that were compromised by the malware authors are related to tourism, automotive industry, movies and music, tax and employment services, some Italian city councils, and hotel sites. Apparently, most of these sites are hosted on one of the largest Web hosters/providers in Italy..."
(Sample screenshot of a compromised Web site at the URL above.)
:fear::fear:
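Both alerts above describe the same injection: a legitimate page gets an IFRAME that the visitor never sees, pointing at the exploit hub. If you run a web host or just want to check your own sites, the pattern is easy to scan for. The script below is an added example written for this thread, not Websense or Trend Micro code, and it does not detect HTML_IFRAME.CU specifically; it flags any IFRAME that is both hidden (zero/one-pixel size, display:none, visibility:hidden, or positioned off-screen) and points to a host other than the page's own. The two HTML pages it runs on are constructed here with made-up example.invalid hosts.

```python
"""Flag hidden, off-site IFRAMEs in HTML, the MPack-style injection pattern.

Added example for this thread (not Websense/Trend Micro code).  The page
host and the two HTML documents below are constructed test data.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY_PX = 2  # a frame this small or smaller is effectively invisible


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us; values are kept.
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _px(value):
    """Parse a leading integer from a width/height attribute ("1", "1px"); None if absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the iframe's attributes or inline style make it invisible."""
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if re.search(r"(width|height):0+(px)?(;|$)", style):
        return True
    if re.search(r"(left|top):-\d{3,}px", style):  # pushed far off-screen
        return True
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    return w is not None and h is not None and (w <= TINY_PX or h <= TINY_PX)


def is_offsite(src, page_host):
    """True if src is an absolute URL whose host differs from the page's own."""
    host = urlparse(src).hostname
    return bool(host) and host.lower() != page_host.lower()


def find_suspicious_iframes(html, page_host):
    """Return the src of every iframe that is both hidden and off-site, in document order."""
    parser = IframeCollector()
    parser.feed(html)
    return [
        a["src"]
        for a in parser.iframes
        if "src" in a and is_hidden(a) and is_offsite(a["src"], page_host)
    ]


# Constructed sample: a hotel site with two injected frames and one legitimate one.
PAGE_HOST = "hotel-example.invalid"
COMPROMISED = """<html><body><h1>Welcome</h1>
<iframe src="http://hub.example.invalid/in.cgi?3" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="/booking.html" width="600" height="400"></iframe>
<IFRAME SRC="http://stats.example.invalid/" STYLE="position:absolute; left:-2000px; top:-2000px"></IFRAME>
</body></html>"""
CLEAN = """<html><body>
<iframe src="http://maps.example.invalid/embed" width="400" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("compromised", COMPROMISED), ("clean", CLEAN)):
        print(name, "->", find_suspicious_iframes(doc, PAGE_HOST))
```

Run it over the document root of each hosted site (or over fetched pages, since some injections are done at request time by a modified server module, which a file scan will miss). A visible third-party frame, like the map embed in the clean sample, is deliberately not flagged; the signal is the combination of hidden plus off-site.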