Malicious ads on Myspace, Excite, Blick
FYI...
- http://sunbeltblog.blogspot.com/2008...ite-blick.html
January 03, 2008 - "We worked earlier today with Brain Krebs at the WP about malicious banner ads on Myspace. (Malware is being delivered through exploits, but fully patched systems won’t be affected.) Sandi Hardmeier has also been tracking ads at Excite and, now, Blick** (a popular German site). These are different than the Myspace ads (in that they don’t seem to be dumping an exploit-driven payload)."
* http://blog.washingtonpost.com/secur...ds_at_mys.html
** http://msmvps.com/blogs/spywaresucks...4/1435836.aspx
:fear:
RealPlayer v11 0-day exploit released
FYI...
- http://www.us-cert.gov/current/#publ...for_realplayer
January 2, 2008
- http://secunia.com/advisories/28276/
Release Date: 2008-01-03
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: RealPlayer 11.x
...Successful exploitation allows execution of arbitrary code. The vulnerability is reported in version 11 build 6.0.14.748. Other versions may also be affected.
Solution:
Do not open untrusted media files or browse untrusted websites...
- http://isc.sans.org/diary.html?storyid=3810
Last Updated: 2008-01-05 00:34:02 UTC ...(Version: 4)
"> Update 15:10 UTC: While you're at it, consider blocking access to uc8010-dot-com. If you do a Google Search for this domain, you'll understand why: Lots of injecting of a mailicious 0.js from this domain is currently going on, plenty of web sites seem to contain this booby trap. One of the IFRAMES fetched from this site, the file "r.htm" contains a RealPlayer exploit. Still the one from last month ( www.kb.cert.org/vuls/id/871673 ) but if they happen to re-tool to the new vulnerability, things might get ugly.
> Update 16:30 UTC: One of our readers noted that there are a number of state government and educational sites that appear to have been compromised with the uc8010 domain. Upon review, I see that some of these have already been cleaned up. However, the .gov and .edu sites are only a few of the many many sites that are turned up via google searches for the uc8010 domain. As that domain was only registered as of Dec 28th, compromises of websites probably occurred in the past week.
I recommend that our readers check to see if their site shows any references to uc8010 via google. Alternatively, look on their webservers to see if there are any unauthorized change to webpages in the past week.
> Update 00:30 UTC 5 JAN 08: Looks like there is another domain hosting a similar script. In addition to uc8010 check your flows for "ucmal.com"
----------------------------------------------------------
CA web site hacked
http://preview.tinyurl.com/2wdxkw
January 04, 2008 (Computerworld) - "Part of security software vendor CA's Web site was cracked earlier this week and was redirecting visitors to a malicious Web site hosted in China. Although the problem now appears to have been corrected, cached versions of some pages in the press section of CA.com show that earlier this week the site had been redirecting visitors to the uc8010.com domain, which has been serving malicious software since late December, according to Marcus Sachs, director of the SANS Internet Storm Center. The hack is similar to last year's attack on the Dolphin Stadium Web site, which infected visitors looking for information on the Super Bowl football game, Sachs said. "It's exactly the same setup," he said. "It's JavaScript that they've managed to insert into the title or the body of the HTML"..."
:fear:
Security vuln in Vista/XP - rootkit exploit in the wild
FYI...
- http://preview.tinyurl.com/2lgp5u
January 05, 2008 (Donna's SecurityFlash) -"In early Devember 2007 a new rootkit that hides itself in the Master Boot Record (MBR) of a users disk was spotted in the wild. Up until then this was more of a proof of concept (POC). This goes to show how much effort rootkit authors are putting in to creating new ways of evading Anti Rootkit software. This is a new vector of attack for malware writers and gives them control from outside the Operating System. This rootkit is using the MBR flaw. The MBR can be written to from within Windows.
The rootkit installs itself ( 244K ) on the last sectors of the users disk and then modifies other sectors including sector 0. The code is run before your PC boots up into XP, Vista or NT and has full control of the boot process which means it can install and run any application it wants without you, XP, Vista or NT knowing about it."
> http://www.antirootkit.com/blog/2008...t-in-the-wild/
> http://www2.gmer.net/mbr/
:fear::spider:
Mass hack on 70k sites (!?)
FYI...
- http://preview.tinyurl.com/27hohx
January 07, 2008 (Computerworld) -- Tens of thousands of Web sites have been compromised by an automated SQL injection attack, and although some have been cleaned, others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend. Roger Thompson, the chief research officer of Grisoft SRO, pointed out that the hacked sites could be found via a simple Google search for the domain that hosted the malicious JavaScript. On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. "This was a pretty good mass-hack," said Thompson, in a post to his blog*. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared." Symantec Corp. cited reports by other researchers - including one identified only as "websmithrob" - that fingered an SQL vulnerability as the common thread..."
* http://explabs.blogspot.com/2008/01/...teresting.html
January 05, 2008 - "This domain uc8010(dot)com was registered just a few days ago (Dec 28th), and yet, at one point Google showed script injections pointing to it were showing up on over 70k domains... If you google for uc8010(dot)com, you still get about 50k hits..."
- http://isc.sans.org/diary.html?storyid=3810
Last Updated: 2008-01-05 20:13:55 UTC ...(Version: 5) - "Update 17:52: We have gotten reports of embeded script links to ucmal on MySpace. It is probably safe to assume that other social networking sites have it as well."
:fear::fear::devilpoin:
Malicious Code: NPRC e-mail (SPAM) loaded with trojan horse
FYI...
- http://www.websense.com/securitylabs...hp?AlertID=835
January 08, 2008 - "Websense® Security Labs™ has discovered a new email attack that uses a spoofed email message which claims to be from the National Payroll Reporting Consortium (NPRC). This attack is similar to previous attacks claiming to originate from the IRS, Better Business Bureau, and Department of Justice. We have tracked all of these attacks, and reported them as they were discovered. The message claims that the recipient's company has made numerous misrepresentations regarding worker classification,in an attempt to lower compensation costs. The email asks the recipient to fill out an attached form and fax it to NPRC's fraud department in order to resolve the issue. An email attachment contains a Trojan downloader with some backdoor capabilities. It is a malicious Windows executable file, with an MD5 of 854e259c7c0ac6fb2a26963a9d77600d ... At time of writing, only one anti-virus vendor had detected this malicious code."
(Screenshot available at the URL above.)
:fear:
Mexico: DNS poisoning via DSL modems
FYI...
- http://blog.trendmicro.com/targeted-...ng-via-modems/
January 11, 2008 - "...TrendLabs researchers have received reports of what appears to be an attempt of a massive DNS poisoning attack in Mexico... the attack begins with the exploitation of a known vulnerability in 2Wire modems*. The said vulnerability allows an attacker to modify the local DNS servers and hosts. One of the main Internet Service Providers in Mexico offers 2Wire modems to their customers, and it is estimated that more than 2 million users are at risk... exploit arrives with a newsy email message... once an unsupecting user opens the email in its full HTML format, the exploit code automatically attempts to access the modem’s Web console and modify the local host database to redirect all requests for banamex.com — the Web site of one of the largest banks in Mexico — to a fraudulent site... The malicious email message also promises a “video” and includes a link that points to the a malicious URL where the .RAR acrhive Video_Narco.rar can be downloaded. This archive contains the malicious file Video_Narco.exe..."
* http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389
:fear:
Obfuscated Java.ByteVerify exploit - web sites in China
FYI...
- http://isc.sans.org/diary.html?storyid=3826
Last Updated: 2008-01-11 20:19:06 UTC - "Come April, we will reach the FIFTH anniversary of the ByteVerify vulnerability (MS03-011). Untangling some seriously obfuscated JavaScript coming from a couple of web sites in China earlier today, I ended up with - yes, a ByteVerify exploit. Also in the package was an MDAC exploit (MS06-014), whose second anniversary will be up this April as well.
> To see these exploits still in use can only mean one thing: They still work.
And they seem to work well enough that the bad guys can instead sink their time into developing new obfuscation techniques and other ways to make analysis more difficult -- only to deliver a five year old exploit in the end. Not a very stellar testament to patching efforts."
:fear: