Fake MS patch email -> Fake Spyware Doctor!
FYI...
- http://isc.sans.org/diary.html?storyid=3054
Last Updated: 2007-06-26 22:46:51 UTC ...(Version: 3)
"Several of our readers reported an email that led to a fake Microsoft patch being spammed on the net today. The email had their full names and in one case the company they worked for included in the body of the email. So far I have seen 4 different urls. We are working on getting the systems hosting the malware cleaned or shutdown. We have submitted the malware itself to most of the AV vendors so detection should improve but currently it is not detected... You can see in the body of the email... that the spelling is bad and the license key is not in the right format for XP nor Outlook. Microsoft pointed us to a couple of web pages they maintain that should help you recognize fraudulent email...
> http://www.microsoft.com/protect/you...g/msemail.mspx
> http://www.microsoft.com/canada/atho...uine_mail.mspx
=====================================
From Norman Sandbox:
MSOUTRC2007Update-KB863892.exe : INFECTED with W32/Malware (Signature: NO_VIRUS)
[ DetectionInfo ]
* Sandbox name: W32/Malware
* Signature name: NO_VIRUS
[ General information ]
* Drops files in %WINSYS% folder.
* File length: 20480 bytes.
* MD5 hash: c7a8bde380043b5d8d7229e82db1c2fc.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\sdoctor.exe.
* Creates file C:\france.html.
* Deletes file c:\france.html.
[ Changes to registry ]
* Creates value "SpywareDoctor"="C:\WINDOWS\SYSTEM32\sdoctor.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
* Attemps to NULL C:\COMMAND.COM /c del c:\sample.exe >> NUL.
* Modifies other process memory.
* Creates a remote thread.
[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\sdoctor.exe (20480 bytes) : no signature detection...
We notified one of the support teams at a hosting provider that a virus was found on one of their customers' systems. Their auto responder responded within a minute. A support person removed the malware and responded within 30 minutes. When I tried to verify that, I found the malware was still there or back. When I notified the hosting provider that the malware was back, the support person analysed logs, determined it was being uploaded via ftp and immediately disabled the ftp account involved."
:fear::buried:
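The sandbox output above already lists the indicators a defender needs: the dropped file, its MD5, and the Run-key value the sample uses to restart after boot. As an added example (not from the ISC diary, Norman, or this post), here is a small Python triage helper that pulls those indicators out of the report text and checks a list of HKCU Run entries against them. The report excerpt is copied from the post; the Run entries and the helper's function names are constructed for the demo.

```python
"""Extract indicators from a Norman Sandbox report and check Run-key entries
against them.  Added example; not part of the original post or of Norman's
tooling.  Report text is copied from the post, Run entries are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Excerpt of the sandbox report as posted (MD5 and paths are the post's own values).
SANDBOX_REPORT = r"""
[ General information ]
* Drops files in %WINSYS% folder.
* File length: 20480 bytes.
* MD5 hash: c7a8bde380043b5d8d7229e82db1c2fc.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\sdoctor.exe.
* Creates file C:\france.html.
* Deletes file c:\france.html.
[ Changes to registry ]
* Creates value "SpywareDoctor"="C:\WINDOWS\SYSTEM32\sdoctor.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
"""

# Constructed Run-key entries: one benign, one matching the sample's persistence.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_RUN_ENTRIES = [
    (RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),      # benign (constructed)
    (RUN_KEY, "SpywareDoctor", r"c:\windows\system32\sdoctor.exe"),  # matches the report
]


@dataclass
class Indicators:
    md5: str | None = None
    files_created: list[str] = field(default_factory=list)
    files_deleted: list[str] = field(default_factory=list)
    # value name -> (registry key, command line)
    run_values: dict[str, tuple[str, str]] = field(default_factory=dict)


_MD5_RE = re.compile(r"MD5 hash: ([0-9a-fA-F]{32})")
_CREATE_RE = re.compile(r"Creates file (.+?)\.$")
_DELETE_RE = re.compile(r"Deletes file (.+?)\.$")
_RUNVAL_RE = re.compile(r'Creates value "([^"]+)"="([^"]+)" in key "([^"]+)"')


def parse_norman_report(text: str) -> Indicators:
    """Walk the report line by line and keep only the actionable indicators."""
    ind = Indicators()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("* "):
            line = line[2:]
        if m := _MD5_RE.search(line):
            ind.md5 = m.group(1).lower()
        elif m := _CREATE_RE.match(line):
            ind.files_created.append(m.group(1))
        elif m := _DELETE_RE.match(line):
            ind.files_deleted.append(m.group(1))
        elif m := _RUNVAL_RE.search(line):
            name, command, key = m.groups()
            ind.run_values[name] = (key, command)
    return ind


def _norm(path: str) -> str:
    # Windows paths and registry keys are case-insensitive; compare normalised.
    return path.strip().strip('"').lower()


def flag_run_entries(entries, ind: Indicators) -> list[tuple[str, str]]:
    """entries: iterable of (key, value_name, command).  Returns (value_name, reason)
    for each entry whose command matches something the sandbox observed.  Matching
    is on the command, not the value name: the name imitates a real product."""
    bad_cmds = {_norm(cmd) for _, cmd in ind.run_values.values()}
    bad_files = {_norm(p) for p in ind.files_created}
    findings = []
    for _key, name, cmd in entries:
        if _norm(cmd) in bad_cmds:
            findings.append((name, "command matches sandbox-observed autorun"))
        elif _norm(cmd) in bad_files:
            findings.append((name, "command is a file the sample dropped"))
    return findings


def md5_matches(digest: str, ind: Indicators) -> bool:
    """True if a file hash (any case) equals the sample's MD5 from the report."""
    return ind.md5 is not None and digest.strip().lower() == ind.md5


if __name__ == "__main__":
    indicators = parse_norman_report(SANDBOX_REPORT)
    for name, reason in flag_run_entries(SAMPLE_RUN_ENTRIES, indicators):
        print(f"suspicious Run value {name!r}: {reason}")
```

The check deliberately matches on the command line rather than on the value name "SpywareDoctor", since the sample borrows the name of a legitimate product and a name-only rule would flag real installs; on a live host you would feed it the output of `reg query` for the Run key and the MD5 of each referenced file.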
IM attacks up nearly 80 percent ...P2P is worse
FYI...
- http://www.networkworld.com/news/200...ttacks-up.html
July 27, 2007 - "Malicious code attacks over instant messaging networks are up almost 80% over last year, according to a new study from vendor Akonix*. In July, the company, which develops IM hygiene and compliance appliances and services, said it uncovered 20 malicious code attacks over IM in July. The total number of threats for 2007 so far is 226, the company said. That number is a 78% increase over the last year. The company also said attacks on peer-to-peer networks, such as Kazaa and eDonkey, increased 357% in July 2007 over July 2006, with 32 attacks. That report comes on the heels of a report by peer-to-peer network monitoring vendor Tiversa**, which found contractors and U.S. government employees are sharing hundreds of secret documents on peer-to-peer networks. In many cases, those users were overriding the default security settings on their peer-to-peer software to do so, according to Tiversa...."
* http://www.akonix.com/press/releases-details.asp?id=138
** http://preview.tinyurl.com/2ut2of
(Computerworld)
:mad::fear::spider:
Multiple new trojans in the wild
FYI...
- http://isc.sans.org/diary.html?storyid=3200
Last Updated: 2007-07-30 19:07:36 UTC - "A reader alerted us to a bunch of malware that he had found after starting to unravel a pile of interlinked exploit pages. The exploit pages are spammed with "adult movie" kinda themes into search engines, etc, and thus most likely find enough "volunteers" who click on the links. Domains involved are clipsforadults-dot-com and several of 9u???-free-movies-dot-cn, with the ??? standing for several letter combinations like eyd,gfo,fdo, etc. Someone's been busy registering throw-away domains. The one bit that was of interest to us is ... that at the very end of this pile, the links try to download a "codec" off the site installobject-dot-com. The link used contains a 4-digit number, and each number, over a wide range, seems to return a slightly different binary. Installobject-dot-Com resolves to 85.255.113.235, a known bad address range for years - see http://isc.sans.org/diary.html?storyid=1873
AV detection is still thin, we are trying to help it along some. The files are of the W32/Zlob family, Kaspersky calls it Trojan-Downloader.Win32.Zlob.bxt, Trend Micro has it as TROJ_ZLOB.DND, and McAfee has protection coming up as Puper.DR. Adult sites from China, nasty trojans from Ukraine..."
> http://preview.tinyurl.com/yqj5pq
July 30, 2007 - (Infoworld) - "...Last week, a new ransomware Trojan appeared on the radar of security researchers, and was quickly identified as a modified version of the GpCode nasty that first hit the Internet as long ago as Spring 2005, and was tracked to a Russian site. As with its predecessors, the new Trojan, also named "Glamour," sets out to encrypt data files on any PC it infects, demanding a ransom of $300 in return for a key to unlock files. Now an analysis from security research outfit Secure Science Corporation (SSC) has plotted the large number of similarities between the new GpCode and another version that appeared in 2006. Of the 168 functions identified in the code of the new variant, 63 were identical to the older 2006 version... "In the 8 months since November, we've recovered stolen data from 51 unique drop sites [...]. The 14.5 million records found within these files came from over 152,000 unique victims," says the report..."
- http://www.securescience.com/home/ne...s/decoder.html
Jul 19, 2007
:fear:
Cisco - multiple advisories, multiple vulns in IOS
FYI...
> http://www.us-cert.gov/current/#cisc...dvisories_for1
August 8, 2007 - " Cisco has issued four Security Advisories to address several vulnerabilities in their Internetwork Operating System (IOS) and Unified Communications Manager. These vulnerabilities may allow an attacker to overwrite or retrieve arbitrary files, cause a denial-of-service condition, or execute arbitrary code on an affected system..."
(Cisco links available at the URL above.)
- http://www.us-cert.gov/current/#cisc...dvisories_for1
updated August 9, 2007
"...US-CERT is aware of publicly available exploit code for one of these vulnerabilities..."
.
Hacking kits found for sale on eBay
FYI...
- http://www.guardian.co.uk/technology...1/hacking.ebay
September 21 2007 - "Kits that claim to help people hack into computers have been discovered for sale on the auction website eBay. Security experts found a selection of CDs, DVDs and programs for sale on eBay that promise to help buyers learn how to break into computers over the net. One CD - claiming to be on sale "for educational use only" - promises details of how to access other people's computers and contains a selection of programs commonly used for hacking. It is available through the site for £5.99. Many of the programs form the basic building blocks for computer crime, allowing even inexperienced hackers to find ways to get inside their victims' computers, or of masking their identities..."
:fear::mad:
Linux kernel v2.6.23 released
FYI...
- http://www.theinquirer.net/gb/inquir...0/linux-kernel
10 October 2007 - "...There will probably be a few more patches as this new kernel sees use in a wider variety of systems - including yours, should you choose to play with it but it should be fairly stable within a couple of months, at which time you'll begin to see the major Linux distributions start releasing systems based upon it."
Release notes:
- http://kernelnewbies.org/Linux_2_6_23
9 October 2007
:spider:
Winamp FLAC Media File Processing Integer Overflows
FYI...
- http://secunia.com/advisories/27223/
Release Date: 2007-10-12
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
...The vulnerabilities are reported in version 5.35. Other versions may also be affected.
Software: Winamp 5.x
Solution: Update to version 5.5.
http://www.winamp.com/player ...
> http://www.winamp.com/player/version-history
:fear: