Page 2 of 35 FirstFirst 12345612 ... LastLast
Results 11 to 20 of 350

Thread: Old Alerts

  1. #11
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Fake MS patch email -> Fake Spyware Doctor!

    FYI...

    - http://isc.sans.org/diary.html?storyid=3054
    Last Updated: 2007-06-26 22:46:51 UTC ...(Version: 3)
    "Several of our readers reported an email that lead to a fake Microsoft patch being spammed on the net today. The email had their full names and in one case the company they worked for included in the body of the email. So far I have seen 4 different urls. We are working on getting the systems hosting the malware cleaned or shutdown. We have submitted the malware itself to most of the AV vendors so detection should improve but currently it is not detected... You can see in the body of the email... that the spelling is bad and the license key is not in the right format for XP nor Outlook. Microsoft pointed us to a couple of web pages they maintain that should help you recognize fraudulent email...

    > http://www.microsoft.com/protect/you...g/msemail.mspx

    > http://www.microsoft.com/canada/atho...uine_mail.mspx

    =====================================
    From Norman Sandbox:
    MSOUTRC2007Update-KB863892.exe : INFECTED with W32/Malware (Signature: NO_VIRUS)
    [ DetectionInfo ]
    * Sandbox name: W32/Malware
    * Signature name: NO_VIRUS
    [ General information ]
    * Drops files in %WINSYS% folder.
    * File length: 20480 bytes.
    * MD5 hash: c7a8bde380043b5d8d7229e82db1c2fc.
    [ Changes to filesystem ]
    * Creates file C:\WINDOWS\SYSTEM32\sdoctor.exe.
    * Creates file C:\france.html.
    * Deletes file c:\france.html.
    [ Changes to registry ]
    * Creates value "SpywareDoctor"="C:\WINDOWS\SYSTEM32\sdoctor.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    [ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
    * Attemps to NULL C:\COMMAND.COM /c del c:\sample.exe >> NUL.
    * Modifies other process memory.
    * Creates a remote thread.
    [ Signature Scanning ]
    * C:\WINDOWS\SYSTEM32\sdoctor.exe (20480 bytes) : no signature detection...

    We notified one of the support teams at a hosting provider that a virus was found on one of there customers systems. Their auto responder responded within a minute. A support person removed the malware and responded within 30 minutes. When I tried to verify that I found the malware was still there or back. When I notified the hosting provider that the malware was back the support person analysised logs, determined it was being uploaded via ftp and immediately disabled the ftp account involved."


    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #12
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Another "Storm" Wave

    FYI...

    - http://isc.sans.org/diary.html?storyid=3063
    Last Updated: 2007-06-28 23:33:56 UTC ~ "...There is a new round of emails with malicious links that is making its way to the inbox of many folks. If you haven't gotten one yet, just give it time. Here is quick summary of what we have found. The subject line that we have gotten examples of have all been identical. You may have gotten something else.

    "Subject: You've received a postcard from a family member!" ...

    The ecard numbers in the URL above are variable across SPAM samples.
    There are 3 exploits available and they are tried in order.

    The first one is for QuickTime.
    If that fails a Winzip exploit is attempted
    If that fails, the "hail mary" is the WebViewFolderIcon exploit...

    Here are a few more of the malware hosting servers they've relied on in recent months in addition to the HopOne and Softlayer host above:
    27645 | 205.209.179.15 | 205.209.128.0/18 | US | arin | ASN-NA-MSG-01 - Managed Solutions Group, Inc
    27595 | 216.255.189.214 | 216.255.176.0/20 | US | arin | INTERCAGE - InterCage, Inc
    14361 | 66.148.74.7 | 66.148.64.0/19 | US | arin | HOPONE-DCA - HopOne Internet Corporation
    36351 | 75.126.21.162 | 75.126.0.0/17 | US | arin | SOFTLAYER - SoftLayer Technologies Inc
    36351 | 75.126.226.224 | 75.126.0.0/16 | US | arin | SOFTLAYER - SoftLayer Technologies Inc..."

    - http://preview.tinyurl.com/2g58ud
    June 28, 2007 (Computerworld) - "..."This is widespread, and leads the user to multiple IP addresses," said Shimon Gruper, vice president at Aladdin Knowledge Systems Inc., a security company known for its eSafe antivirus software. "There's not a single server, there are multiple exploits, [and the e-mail] has no attachments. This will be very difficult to detect." Two days ago, a Symantec honeypot captured a similar Web site-hosted attack that had an arsenal of exploits at its disposal. That attack, however, featured an unusual, if rudimentary, browser detector that sniffed out whether the target computer is running Microsoft's Internet Explorer (IE) or Mozilla Corp.'s Firefox. If the attack detects IE, it feeds the machine a Windows animated cursor exploit. If it finds Firefox, however, the sites spit out a QuickTime exploit."

    - http://www.us-cert.gov/current/#new_...ariant_spreads
    June 29, 2007

    --------------------------------------

    - http://asert.arbornetworks.com/2007/...tcard-malware/
    June 29, 2007 ~ "...Pretend you actually clicked the link. What would happen? You’d possibly get your machine recruited into the Peacomm spam botnet. This handy diagram* shows you what happens once you hit the website. There’s some obfuscated JavaScript on the page which builds a link to /123.htm, a malicious ANI file (MS07-017), and other exploits - QuickTime, WinZIP, and WebViewFolderIcon - all to cajole your computer into downloading files and launching them. There’s also a link to “/ecard.exe”, a downloader... If you actually get hit, your box will ping the web server (/aff/cntr.php) start to download the Peacomm components, like /aff/dir/sony.exe , /aff/dir/logi.exe, and /aff/dir/pdp.exe..."

    (*Diagram shown at the URL above.)

    Last edited by AplusWebMaster; 2007-07-01 at 02:44. Reason: Added ArborNetworks analysis...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  3. #13
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Default Alerts Q3-2007

    FYI...

    - http://isc.sans.org/diary.html?storyid=3186
    Last Updated: 2007-07-24 22:15:22 UTC - "We have received several reports today from people that are getting flooded with SPIM on their IM accounts. These messages are providing a link to various web sites. These sites all seem to point to one site www dot messenger-tips dot com. This site purports to check your IM friends/contacts and report back to you which of them have blocked you. All you have to do is give them your login and password information. You also have to agree to their terms and conditions. Ok so we read their Terms and Conditions page and what do we find, first
    They will NOT be responsible for any misuse of the information you provide. They also have no liability for content, views, advice or guidance because they provide a service that is for entertainment purposes only. (Huh? what entertainment). You provide them with the id and password, of course they won't store the information with anyone without your consent. (And if you believe that I have a bridge I will sell you.) Now here is the real catch-22. By agreeing to the terms and conditions you agree to allow them to SPIM all of your friends and contacts. Wonderful.
    I am not sure if this program installs any malware or sets up any hole in your computer for them to crawl through... Bottom line folks, DO NOT CLICK ON LINKS."

    ("Spam Over Internet Messaging" - Unsolicited commercial messages sent via an instant messaging system.)

    .
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  4. #14
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation IM attacks up nearly 80 percent ...P2P is worse

    FYI...

    - http://www.networkworld.com/news/200...ttacks-up.html
    July 27, 2007 - "Malicious code attacks over instant messaging networks are up almost 80% over last year, according to a new study from vendor Akonix*. In July, the company, which develops IM hygiene and compliance appliances and services, said it uncovered 20 malicious code attacks over IM in July. The total number of threats for 2007 so far is 226, the company said. That number is a 78% increase over the last year. The company also said attacks on peer-to-peer networks, such as Kazaa and eDonkey, increased 357% in July 2007 over July 2006, with 32 attacks. That report comes on the heels of a report by peer-to-peer network monitoring vendor Tiversa**, which found contractors and U.S. government employees are sharing hundreds of secret documents on peer-to-peer networks. In many cases, those users were overriding the default security settings on their peer-to-peer software to do so, according to Tiversa...."

    * http://www.akonix.com/press/releases-details.asp?id=138

    ** http://preview.tinyurl.com/2ut2of
    (Computerworld)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #15
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Multiple new trojans in the wild

    FYI...

    - http://isc.sans.org/diary.html?storyid=3200
    Last Updated: 2007-07-30 19:07:36 UTC - "A reader alerted us to a bunch of malware that he had found after starting to unravel a pile of interlinked exploit pages. The exploit pages are spammed with "adult movie" kinda themes into search engines, etc, and thus most likely find enough "volunteers" who click on the links. Domains involved are clipsforadults-dot-com and several of 9u???-free-movies-dot-cn, with the ??? standing for several letter combinations like eyd,gfo,fdo, etc. Someone's been busy registering throw-away domains. The one bit that was of interest to us is ... that at the very end of this pile, the links try to download a "codec" off the site installobject-dot-com. The link used contains a 4-digit number, and each number, over a wide range, seems to return a slightly different binary. Installobject-dot-Com resolves to 85.255.113.235, a known bad address range for years - see http://isc.sans.org/diary.html?storyid=1873
    AV detection is still thin, we are trying to help it along some. The files are of the W32/Zlob family, Kaspersky calls it Trojan-Downloader.Win32.Zlob.bxt, Trend Micro has it as TROJ_ZLOB.DND, and McAfee has protection coming up as Puper.DR. Adult sites from China, nasty trojans from Ukraine..."

    > http://preview.tinyurl.com/yqj5pq
    July 30, 2007 - (Infoworld) - "...Last week, a new ransomware Trojan appeared on the radar of security researchers, and was quickly identified as a modified version of the GpCode nasty that first hit the Internet as long ago as Spring 2005, and was tracked to a Russian site. As with its predecessors, the new Trojan, also named "Glamour," sets out to encrypt data files on any PC it infects, demanding a ransom of $300 in return for a key to unlock files. Now an analysis from security research outfit Secure Science Corporation (SSC) has plotted the large number of similarities between the new GpCode and another version that appeared in 2006. Of the 168 functions identified in the code of the new variant, 63 were identical to the older 2006 version... "In the 8 months since November, we've recovered stolen data from 51 unique drop sites [...]. The 14.5 million records found within these files came from over 152,000 unique victims," says the report..."
    - http://www.securescience.com/home/ne...s/decoder.html
    Jul 19, 2007

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #16
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Default Cisco - multiple advisories, multiple vulns in IOS

    FYI...

    > http://www.us-cert.gov/current/#cisc...dvisories_for1
    August 8, 2007 - " Cisco has issued four Security Advisories to address several vulnerabilities in their Internetwork Operating System (IOS) and Unified Communications Manager. These vulnerabilities may allow an attacker to overwrite or retrieve arbitrary files, cause a denial-of-service condition, or execute arbitrary code on an affected system..."

    (Cisco links available at the URL above.)

    - http://www.us-cert.gov/current/#cisc...dvisories_for1
    updated August 9, 2007
    "...US-CERT is aware of publicly available exploit code for one of these vulnerabilities..."

    .
    Last edited by AplusWebMaster; 2007-08-09 at 18:51.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #17
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Thumbs down Hacking kits found for sale on eBay

    FYI...

    - http://www.guardian.co.uk/technology...1/hacking.ebay
    September 21 2007 - "Kits that claim to help people hack into computers have been discovered for sale on the auction website eBay. Security experts found a selection of CDs, DVDs and programs for sale on eBay that promise to help buyers learn how to break into computers over the net. One CD - claiming to be on sale "for educational use only" - promises details of how to access other people's computers and contains a selection of programs commonly used for hacking. It is available through the site for 5.99. Many of the programs form the basic building blocks for computer crime, allowing even inexperienced hackers to find ways to get inside their victims' computers, or of masking their identities..."


    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #18
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Default Alerts - 2007-Q4

    FYI...

    * http://www.adobe.com/support/securit...apsa07-04.html
    October 5, 2007 - "...Vulnerability identifier: APSA07-04...
    Platform: Windows XP (Vista users are not affected) with Internet Explorer 7 installed
    Affected Software Versions:
    Adobe Reader 8.1 and earlier versions
    Adobe Acrobat Standard, Professional and Elements 8.1 and earlier versions
    Adobe Acrobat 3D
    Summary:
    Adobe is aware of a recently published report of a critical security vulnerability in Adobe Reader and Acrobat.
    Solution:
    To protect Windows XP systems with Internet Explorer 7 installed from this vulnerability, administrators can disable the mailto: option in Acrobat, Acrobat 3D 8 and Adobe Reader by modifying the application options in the Windows registry*... the Secure Software Engineering team is working with the Adobe Reader Engineering team on an update to versions 8.1 of Adobe Reader and Acrobat that will resolve this issue. A security bulletin will be published on http://www.adobe.com/support/security as soon as that update is available. We expect the update to be available before the end of October. In the meantime, Adobe recommends that Acrobat and Reader customers use caution when receiving unsolicited e-mail communications requesting user action, such as opening attachments or clicking Web links..."

    > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5020

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #19
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Arrow Linux kernel v2.6.23 released

    FYI...

    - http://www.theinquirer.net/gb/inquir...0/linux-kernel
    10 October 2007 - "...There will probably be a few more patches as this new kernel sees use in a wider variety of systems - including yours, should you choose to play with it but it should be fairly stable within a couple of months, at which time you'll begin to see the major Linux distributions start releasing systems based upon it."

    Release notes:
    - http://kernelnewbies.org/Linux_2_6_23
    9 October 2007

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #20
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Winamp FLAC Media File Processing Integer Overflows

    FYI...

    - http://secunia.com/advisories/27223/
    Release Date: 2007-10-12
    Critical: Highly critical
    Impact: System access
    Where: From remote
    Solution Status: Vendor Patch
    ...The vulnerabilities are reported in version 5.35. Other versions may also be affected.
    Software: Winamp 5.x
    Solution: Update to version 5.5.
    http://www.winamp.com/player ...

    > http://www.winamp.com/player/version-history

    Last edited by AplusWebMaster; 2008-01-14 at 19:07.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •