Gumblar authors crash WordPress sites
FYI...
Gumblar authors crash WordPress sites
- http://www.networkworld.com/news/200...s.html?hpg1=bn
11/04/2009 - "Webmasters who find an annoying error message on their sites may have caught a big break, thanks to a slip-up by the authors of the Gumblar botnet. Tens of thousands of Web sites, many of them small sites running the WordPress blogging software, have been broken, returning a "fatal error" message in recent weeks. According to security experts those messages are actually generated by some buggy malicious code sneaked onto them by Gumblar's authors... Gumblar's authors apparently made some changes to their Web code... and as a result "the current version of Gumbar effectively breaks WordPress blogs"*... WordPress sites that have crashed because of the buggy code display the following error message: Fatal error: Cannot redeclare xfm() (previously declared in /path/to/site/index.php(1) : eval()'d code:1)
in /path/to/site/wp-config.php(1) : eval()'d code on line 1
Other sites running software such as Joomla get different fatal-error messages... In effect, the messages warn Gumblar's victims that they've been compromised..."
* http://blog.unmaskparasites.com/2009...lex-php-sites/
04 Nov 09
WordPress Exploit Scanner
- http://wordpress.org/extend/plugins/exploit-scanner/
• Version: 0.6
• Last Updated: 2009-11-4
• Requires WordPress Version: 2.7.1 or higher
• Compatible up to: 2.8.5
:fear::mad:
Gumblar malware domain reactivated
FYI...
Gumblar malware domain reactivated
- http://blog.scansafe.com/journal/200...s-baaaack.html
November 5, 2009 - "... some of the compromises were following a different pattern than we'd been seeing over the past couple of weeks. Further investigation revealed the newest iframe injection was pointing once again to gumblar .cn - the malware domain that originally earned Gumblar its name. The domain's reactivation occurred less than 24 hours ago, but it has ramifications that could stretch back for months. Any sites compromised in the May Gumblar attacks that were not yet cleaned up (unfortunately an all-to-common occurrence) could now start becoming vectors of Gumblar infection once again. This is in addition to new compromises pointing to the newly activated gumblar .cn and the already very active Gumblar compromises which are using compromised websites as malware hosts*...
Edited to add: This is not the first example of registrars releasing malware domain names back into use..."
* http://blog.scansafe.com/journal/200...et-awakes.html
October 15, 2009
- http://www.iss.net/threats/gumblar.html
- http://google.com/safebrowsing/diagn...te=gumblar.cn/
"... last time Google visited this site was on 2009-11-06, and the last time suspicious content was found on this site was on 2009-11-06... It infected 5918 domain(s)..."
- http://google.com/safebrowsing/diagn...ite=martuz.cn/
"... last time Google visited this site was on 2009-11-06, and the last time suspicious content was found on this site was on 2009-11-06... It infected 8558 domain(s)..."
- http://www.sophos.com/blogs/sophoslabs/v/post/7342
November 8, 2009
:fear::mad::fear:
Max Power - many malware domains
FYI...
Max Power - many malware domains
- http://isc.sans.org/diary.html?storyid=7693
Last Updated: 2009-12-04 19:46:31 UTC - "Who Max Power is? Well, we don't know either. It's a pseudonym of a gang or guy who has a decent-sized spyware racket going. Max has been sitting on the same IP address for the past three months, 210.51.166.119, in AS9929. ChinaNet. Even Google knows that 10% of the sites in this AS are malicious. Looking at the IP address in Reverse DNS or MalwareURL.com, we can see the many malware domains "Max Power" has been using in the recent past. Some of the names are associated with the Koobface and Zeus malware families. The address lay dormant for the last week of November, but just woke up again yesterday morning, and is currently serving the malware domain "tempa3-dot-cn". This domain is at the moment linked to from various questionable "pharmaceuticals" web sites, and it currently pushes a bunch of exploits which, if successful, download and run a backdoor of the "TDSS"/"Tidserv" family. Detection was dismal at first*, but has improved a bit over the last 24 hours**."
* http://www.virustotal.com/en/analisi...43f-1259872180
File load.exe received on 2009.12.03 20:29:40 (UTC)
Result: 6/40 (15.00%)
** http://www.virustotal.com/en/analisi...43f-1259949728
File load.exe received on 2009.12.04 18:02:08 (UTC)
Result: 18/41 (43.90%)
:mad::fear::mad:
Zeus bot using Amazon as C&C server
FYI...
Zeus bot using Amazon as C&C server
- http://www.theregister.co.uk/2009/12...ntrol_channel/
9 December 2009 - "... a new variant of the Zeus banking trojan has been spotted using the popular Amazon service as a command and control channel for infected machines. After marks get tricked into installing the password-logging malware, their machines began reporting to EC2 for new instructions and updates, according to researchers from CA's internet security business unit*... Over the past few months, accounts on Twitter, Google's app engine, and Facebook have also been transformed into master control channels for machines under the spell of surreptitious malware... According to analysis** from Zero Day blogger Dancho Danchev, the cybercriminals behind Zeus appear to have plugged into Amazon's Relational Database Service as a backend alternative in case they lose access to their original domain..."
* http://community.ca.com/blogs/securi...the-cloud.aspx
** http://blogs.zdnet.com/security/?p=5110
- http://sunbeltblog.blogspot.com/2009...for-cloud.html
December 10, 2009
:mad::mad:
Conficker worm hotbeds...
FYI...
Group IDs hotbeds of Conficker worm outbreaks
- http://voices.washingtonpost.com/sec...conficker.html
December 16, 2009 - "Internet service providers in Russia and Ukraine are home to some of the highest concentrations of customers whose machines are infected with the Conficker worm, new data suggests. The report comes from the Shadowserver Foundation*, a nonprofit that tracks global botnet infections. Shadowserver tracks networks and nations most impacted by Conficker, a computer worm that has infected more than 7 million Microsoft Windows PCs since it first surfaced last November... Shadowserver's numbers indicate that the largest numbers of Conficker-infested PCs are in the East, more specifically China, India and Vietnam. For example, Chinanet, among the nation's largest ISPs, has about 92 million routable Internet addresses, and roughly 950,000 - or about 1 percent of those addresses - appear to be sickened with Conficker. Security Fix decided to use the group's data in a slightly different way, to showcase the concentration of Conficker victims as viewed against the total number of each ISP's customers. Viewed this way, Russian and Ukrainian ISPs have the highest concentration of customers with Conficker-infected systems... Shadowserver offers all ISPs and Web hosting providers free daily feeds** that can alert network providers to new bot infections on their networks."
* http://www.shadowserver.org/wiki/pmw...tats/Conficker
** http://www.shadowserver.org/wiki/pmw...sOnYourNetwork
Conficker Eye Chart
- http://www.confickerworkinggroup.org...feyechart.html
- http://www.shadowserver.org/wiki/pmw...endar/20091216
16 December 2009
:fear::mad:
Citibank hacked for millions...
FYI...
Citibank hacked for millions...
- http://www.pcworld.com/businesscente...bank_hack.html
December 21, 2009 - "U.S. authorities are investigating the theft of an estimated tens of millions of dollars from Citibank by hackers partly using Russian software tailored for the attack, according to a news report. The security breach at the major U.S. bank was detected mid-year based on traffic from Internet addresses formerly used by the Russian Business Network gang, The Wall Street Journal said Tuesday*, citing unnamed government sources. The Russian Business Network is a well-known group linked to malicious software, hacking, child pornography and spam. The Federal Bureau of Investigation is probing the case, the report said. It was not known whether the money had been recovered and a Citibank representative said the company had not had any system breach or losses, according to the report. The report left unclear who the money was stolen from but said a program called Black Energy, designed by a Russian hacker, was one tool used in the attack. The tool can be used to command a botnet, or a large group of computers infected by malware and controlled by an attacker, in assaults meant to take down target Web sites. This year a modified version of the software appeared online that could steal banking information, and in the Citi attack a version tailored to target the bank was used, the Journal said. The attackers also targeted a U.S. government agency and one other unnamed entity, the report said, adding that it was unknown if the attackers accessed Citibank systems directly or through other parties."
* http://online.wsj.com/article/SB126145280820801177.html
- http://finance.yahoo.com/news/Report...10519.html?x=0
December 22, 2009 - "... Citigroup denied the report. "We had no breach of the system and there were no losses, no customer losses, no bank losses," said Joe Petro, managing director of Citigroup's Security and Investigative services. "Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true"..."
:fear::fear: