Twitter worm out there...
FYI...
Twitter worm - out there...
- http://isc.sans.edu/diary.html?storyid=10297
Last Updated: 2011-01-20 16:41:39 UTC - "... new twitter worm out there. There are an increased number of messages... Those short URLs point to the servers providing the malware. The following are some of the malicious URLs I could gather (CAREFUL: THEY ARE STILL ACTIVE):
• http ://cainnoventa .it/m28sx.html
• http ://servizialcittadino .it/m28sx.html
• http ://aimos.fr/m28sx .html
• http ://lowcostcoiffure .fr/m28sx.html
• http ://s15248477.onlinehome-server .info/m28sx.html
• http ://www.waseetstore .com/m28sx.html
• http ://www.gemini .ee/m28sx.html
After clicking on the URL, you are sent to a fake AV web page..."
(Screenshots available at the ISC URL above.)
___
- http://www.pcworld.com/article/21730...ware_scam.html
Jan 21, 2011 "... Del Harvey, head of Twitter's Trust and Safety Team, wrote on her Twitter account that 'we're working to remove the malware links and reset passwords on compromised accounts.' 'Did you follow a goo.gl link that led to a page telling you to install 'Security Shield' Rogue AV?' she wrote. 'That's malware. Don't install'..."
- http://nakedsecurity.sophos.com/2011...-goo-gl-links/
January 20, 2011 - "... If you make the mistake of clicking on one of the malicious goo.gl links you are ultimately taken to a website which attempts to scare you into believing that you have a virus problem on your computer. You are then frightened into installing malicious code on your PC, and asked to pay money to disinfect your systems... Ukrainian URL hosting the malware... The natural suspicion would be that their usernames and passwords have been stolen. It certainly would be a sensible precaution for users who have found their Twitter accounts unexpectedly posting goo.gl links to change their passwords immediately..."
:mad:
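The ISC diary quoted above publishes its indicators defanged ("http ://host .tld"), which is the right thing to do on a web page but means they cannot be dropped straight into a proxy or DNS denylist. The script below is an added example, not ISC's or this forum's code: it undoes the common defanging conventions, validates that each result is a plausible hostname before it can reach a blocklist, and groups the indicators by path, which on this list exposes a campaign-level pivot (every host serves the same /m28sx.html page) that a proxy rule can match even for hosts the list missed. The sample input is the quoted list copied verbatim; the "hxxp" and "[.]" handling is an assumption about other feeds, not something the diary uses.

```python
"""Turn a defanged IoC list (as quoted from the ISC diary) into a hostname
blocklist and a per-path summary. Added example, not ISC's code."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the defanged list exactly as it appears in the quoted post.
ISC_LIST = """\
• http ://cainnoventa .it/m28sx.html
• http ://servizialcittadino .it/m28sx.html
• http ://aimos.fr/m28sx .html
• http ://lowcostcoiffure .fr/m28sx.html
• http ://s15248477.onlinehome-server .info/m28sx.html
• http ://www.waseetstore .com/m28sx.html
• http ://www.gemini .ee/m28sx.html
"""

# Each pattern undoes one defanging convention. The ISC list only uses the
# "scheme ://" and " ." breaks; "hxxp" and "[.]" are assumed from other feeds.
_FIXES = (
    (re.compile(r"\bhxxp(s?)\s*:\s*//", re.I), r"http\1://"),
    (re.compile(r"\bhttp(s?)\s*:\s*//", re.I), r"http\1://"),
    (re.compile(r"\s*(?:\[\.\]|\(\.\)|\{\.\})\s*"), "."),
    (re.compile(r"\s+\."), "."),
)

# A refang mistake must never silently land in a denylist, so every host is
# checked against a conservative DNS-label grammar before it is kept.
_HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$"
)


def refang(line):
    """Return the canonical URL for one defanged line, or None if it has none."""
    text = line.strip().lstrip("•*-").strip()
    for pattern, repl in _FIXES:
        text = pattern.sub(repl, text)
    if not re.match(r"https?://", text, re.I):
        return None
    return text


def parse_indicators(text):
    """Parse a defanged list into (host, path) tuples, dropping invalid hosts."""
    out = []
    for line in text.splitlines():
        url = refang(line)
        if url is None:
            continue
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not _HOST_RE.match(host):
            continue
        out.append((host, parts.path or "/"))
    return out


def blocklist(text):
    """Sorted, de-duplicated hostnames suitable for a DNS or proxy denylist."""
    return sorted({host for host, _ in parse_indicators(text)})


def shared_paths(text, min_hosts=2):
    """Paths served by at least `min_hosts` distinct hosts, i.e. the
    campaign-level pivot a content rule can key on instead of the host."""
    paths = Counter()
    seen = set()
    for host, path in parse_indicators(text):
        if (host, path) not in seen:
            seen.add((host, path))
            paths[path] += 1
    return {p: n for p, n in paths.items() if n >= min_hosts}


if __name__ == "__main__":
    for host in blocklist(ISC_LIST):
        print(host)
    print(shared_paths(ISC_LIST))
```

Hostnames rather than full URLs are emitted on purpose: the host is what a resolver or proxy denylist consumes, and the path summary shows why a URL-level rule on the shared page name is the more durable control here.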
Fraud advisory... Web crawling with new Zbot/Zeus variants...
FYI...
Fraud advisory - FBI/iC3: e-mails...
- http://www.ic3.gov/media/2011/110119.aspx
January 19, 2011 - "... cyber criminals engaging in ACH/wire transfer fraud have targeted businesses by responding via e-mail to employment opportunities posted online. Recently, more than $150,000 was stolen from a US business via unauthorized wire transfer as a result of an e-mail the business received that contained malware. The malware was embedded in an e-mail response to a job posting the business placed on an employment website and allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company. The malicious actor changed the account settings to allow the sending of wire transfers, one to the Ukraine and two to domestic accounts. The malware was identified as a Bredolab variant, svrwsc.exe. This malware was connected to the ZeuS/Zbot Trojan, which is commonly used by cyber criminals to defraud US businesses. The FBI recommends that potential employers remain vigilant in opening the e-mails of prospective employees. Running a virus scan prior to opening any e-mail attachments may provide an added layer of security against this type of attack. The FBI also recommends that businesses use separate computer systems to conduct financial transactions..."
___
Zbot-Zeus variants attack online money transactions...
- http://www.theregister.co.uk/2011/01...versification/
21 January 2011 - "... Trusteer has detected 26 different ZeuS configurations targeting online payment provider Money Bookers. Configuration files are a set of instructions on what sites to target for the theft of login credentials, manipulation of HTML pages as presented to users of infected machines and other details. Another 13 variants of ZeuS, the last released only on 16 January, attempt to steal login credentials of Web Money users. Nochex, another online payment provider that specialises in providing payment processing services to small businesses, is the target of 12 different ZeuS configurations. Prepaid card provider netSpend and e-gold, a service abused as a payment clearing house by cybercrooks in the past, are also under attack by ZeuS-wielding miscreants... More details... here*."
* http://www.trusteer.com/blog/zeus-la...ment-providers
January 20, 2011
:sad::mad:
SpyEye/ZeuS toolkit code shows up ...
FYI...
SpyEye/ZeuS toolkit code shows up ...
- http://www.theregister.co.uk/2011/01...e_zeus_merger/
25 January 2011 - "... first sample of code from the merger of the ZeuS and SpyEye cybercrime Trojan toolkits*... ZeuS has long been the root cause of many instances of banking fraud, while SpyEye is a much newer and even more aggressive addition... The malware-building tool includes options to build in web injects, screenshot captures as well as hooks for various optional add-ins. Core functionality also includes code designed to evade Trusteer Rapport transaction security software, a security application offered to customers of many banks as a defence against banking Trojans. The latter feature shows that, once again, cybercrooks are attempting to up their game in response to developments by security defenders. Plug-ins include the ability to present users of compromised machines with fake pages and improved attacks against Firefox users... The cybercrime toolkit also includes improved credit-card grabbing functionality... Misdirection and misinformation... among the main tools of the cybercrime trade."
* http://blog.trendmicro.com/spyeyezeu...-v1-3-05-beta/
Toolkit detail ...
:mad::mad:
Carberp malware sniffs out A/V to maximize attack impact
FYI...
Carberp malware sniffs out A/V to maximize attack impact
- http://www.computerworld.com/s/artic..._attack_impact
January 24, 2011 - "... The authors of the new information-stealing trojan "Carberp" have added a feature that detects which antivirus program is running on victimized PCs, said Aviv Raff, the chief technology officer at Seculert, an Israeli security startup. Raff said the criminals added security software detection to make sure they're spending their money wisely... The test services Raff mentioned are similar to legitimate scanning services such as VirusTotal, which lets users upload suspicious files for scanning by scores of for-a-fee and free antivirus programs. Suspect samples that evade detection are shared with the anti-malware community for use in creating new signatures. But other, less scrupulous services have popped up to serve criminals. These services, which security blogger Brian Krebs reported on as early as December 2009*, do not alert security companies when a new piece of malware is detected. That makes them ideal for hackers to check whether code will be detected before they release it. Raff said hackers pay to run their malware through these gray-market services to check the detection status of their code before they release it... Raff expects that Carberp will follow in the footsteps of the SpyEye and Siberia attack kits, and like them, incorporate links to a scanning service. Last week, Raff published an analysis of Carberp** that described new features other than the antivirus polling, including encryption of all communication with the hacker command-and-control server..."
* http://krebsonsecurity.com/2009/12/v...virus-authors/
** http://blog.seculert.com/2011/01/new...evolution.html
:mad::mad:
Facebook - NEW security: Secure Browsing ...
FYI...
Facebook - NEW security: Secure Browsing (https)
- http://techblog.avira.com/2011/01/27...s-security/en/
"Facebook starts to roll out a new security feature: Secure Browsing (https). It will be available in the options of “Account Security”, below the “Account Settings” page.
This means that all data sent from and to Facebook will be transferred encrypted over the Internet if possible. Attacks to steal identities (for example in WiFi networks with Firesheep) will be rendered impossible this way...
Currently the feature seems to struggle with some problems though... some online games in Facebook don’t work properly together with activated Secure Browsing. This should be solved very soon... this is a step in the right direction and every Facebook user should activate that option as soon as it is available..."
(See screenshots available at the URL above.)
- http://news.cnet.com/8301-27080_3-20029670-245.html
January 26, 2011
- http://www.theregister.co.uk/2011/01/26/facebook_https/
26 January 2011 - "... The move comes a day after pranksters hacked into the Facebook page of CEO Mark Zuckerberg..."
- http://community.websense.com/blogs/...-comments.aspx
26 Jan 2011
:D:
Waledac [has stolen] almost 500,000 email passwords
FYI...
Waledac... [has stolen] almost 500,000 email passwords ...
- http://www.theregister.co.uk/2011/02...nt_compromise/
2 February 2011 - "Researchers* have taken a peek inside the recently refurbished Waledac botnet, and what they've found isn't pretty. Waledac, a successor to the once-formidable Storm botnet, has passwords for almost 500,000 POP3 email accounts, allowing spam to be sent through SMTP servers, according to findings published on Tuesday by security firm Last Line*. By hijacking legitimate email servers, the Waledac gang is able to evade IP-based blacklisting techniques that many spam filters use to weed out junk messages. What's more, Waledac controllers are in possession of almost 124,000 FTP credentials. The passwords let them run programs that automatically infect the websites with scripts that -redirect- users to sites that install malware and promote fake pharmaceuticals. Last month, the researchers identified almost 9,500 webpages from 222 sites that carried poisoned links injected by Waledac. The discovery comes a month after a new malware-seeded spam run was spotted. This had all the hallmarks of the Storm botnet... “The Waledac botnet remains just a shadow of its former self for now, but that's likely to change given the number of compromised accounts that the Waledac crew possesses,” the Last Line researchers wrote. In addition to a generous helping of compromised credentials, Waledac also comes with a new command and control system that disseminates a list of router nodes to infected machines."
* http://blog.tllod.com/2011/02/01/calm-before-the-storm/
February 1, 2011
- http://www.shadowserver.org/wiki/pmw...endar/20101230
- http://www.informationweek.com/share...leID=229200280
Feb. 2, 2011
Time for password changes...
- https://www.microsoft.com/protect/fr...s/checker.aspx
:fear::mad::fear:
Exploit rate - 61 percent of new vulnerabilities
FYI...
Exploit rate - 61 percent of new vulnerabilities...
- http://www.darkreading.com/taxonomy/...e/id/229201156
Feb 03, 2011 - "The number of exploited vulnerabilities jumped dramatically last month, with more than 60 percent of new vulnerabilities being exploited... Exploit activity is typically at a rate of 30 to 40 percent, according to Fortinet's newly released January 2001 Threat Landscape report*. Close to half of "critical" vulnerabilities were exploited by attackers..."
* http://blog.fortinet.com/january-201...s-another-hit/
:fear::fear: