Old Alerts

BBB website phish - with trojan...

FYI...

- http://blog.trendmicro.com/better-business-bureau-phish-with-trojan-downloader/
March 23, 2008 - "The Better Business Bureau (BBB) is the target of a new phishing scam, in which a user is asked to download a rogue ActiveX installer upon visiting the Web site... installer is actually a Trojan downloader file named Acrobat.exe... The BBB has a history of being a target of malware authors and spammers, besides phishers. Previously, it has been used as a subject of spam that contained malware detected as TROJ_ARTIEF.A."

(Screenshots available at the URL above.)

:fear::spider:
 
Death Threat SPAM emails...

FYI...

- http://isc.sans.org/diary.html?storyid=4187
Last Updated: 2008-03-24 10:18:07 UTC - "...Over the last week or two there have been more instances of the Death Threat SPAM emails. These particularly nasty messages explain how someone you know wants you dead and the hired killer is contacting you to make a deal. These can be very upsetting for the recipient. Whilst they are typically spam messages treat them seriously and report them if you feel it is necessary..."

- http://mobile.fbi.gov/pressrel/2007/extortion070707.htm
"...The message from the FBI... do NOT respond, and to file a complaint through the IC3.gov website. Due to the threat of violence in these extortion e-mails, if an individual receives an e-mail that contains personal information that might differentiate their e-mail from the general e-mail spam campaign, the recipient should contact the FBI immediately at 251-438-3674..."

:fear:
 
Alert: Malicious Web Site / Malicious Code - USATODAY.com

FYI...

Malicious Flash Banner Ad - USATODAY.com
- http://securitylabs.websense.com/content/Alerts/3061.aspx
04.08.2008 - "Websense® Security Labs™ has received reports of a malicious Flash banner ad on USATODAY.com, a prominent news web site. The banner ad leads to the download of various spyware and ransomware, appearing as legit anti-virus scanners to the uninitiated... More details about this malicious binary from Microsoft:
http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32/Renos ..."

(Screenshots of banner ad from USATODAY at the Websense URL above.)
----------------------------

Flash Player version 9.0.124.0 released
- http://forums.spybot.info/showpost.php?p=180537&postcount=5
"...Adobe categorizes this as a -critical- update and recommends affected users upgrade to version 9.0.124.0..."

:fear::fear:
 
ZLOB spam -today- Apocalyptic NEWS Usama Ben Laden

FYI...

- http://isc.sans.org/diary.html?storyid=4319
Last Updated: 2008-04-22 00:39:28 UTC - "...“Apocalyptic NEWS Usama Ben Laden” is being SPAMMED out with malicious links in it. This is an attempt to get people to load a version of Zlob. The links... are malicious. DO NOT VISIT THEM. Here is the VirusTotal report on the malware I found there: http://www.virustotal.com/analisis/a914b92b454eff25407a61fa52af9d67 ..."
[Result: 13/32 (40.62%)]

:fear:
 
FYI...

MySpace - Maximus root kit downloads...
- http://isc.sans.org/diary.html?storyid=4325
Last Updated: 2008-04-22 22:26:50 UTC - "...A reader, GreggS, provided a link to a myspace page with a specific friendid that has java script that pops up a transparent background gif on top of the normal user page. The transparent background gif appears to be an Automatic Update of the Microsoft Malicious Software Removal Tool. This is likely to fool a fair amount of people.
“Clicking anywhere on the page (on large css layer on top) and your browser initiates a download session from an ftp at microsofpsupports .cn and you are asked to download and/or run (no!) the file.
The "Automatic Update" (not "Windows Update") dialog is simply a gif image.
hxxp ://img404.imageshared.cn/img/20048/removaltool6gx87.gif “
This appears to be a new version of Maximus
Virustotal results here:
http://www.virustotal.com/analisis/3a29d07603a0430a74e8aa77bc81e6bb ..."
Result: 10/32 (31.25%)

- http://isc.sans.org/diary.html?storyid=4325
Last Updated: 2008-04-23 17:56:24 UTC ...(Version: 3)
"UPDATE - Thanks to Ned who pointed out that "!Maximus" is the name of the heuristic detection engine for F-Prot (and hence Authentium) rather than the name of the rootkit."

:fear:
 
Spamvertized URL w/multistage downloads - lots of spyware

FYI...

- http://isc.sans.org/diary.html?storyid=4346
Last Updated: 2008-04-26 18:23:13 UTC - "A new virus was submitted to us today by a friend of ours known as SPAM_Buster. The Spamvertized URL redirects to
hxxp ://www .tera .cartoes1.com/saudlov.scr
This thing had several download stages and to do a complete analysis could take a long time. Ultimately it is some type of spyware/Trojan. I will use VirusTotal and CWSandbox to analyze some of the binaries involved. Saudlov.src 12/32 “recognized” it. Virus Total Results
http://www.virustotal.com/analisis/021d7c1131b1130f35051d41dfb05370 ...
CWSandbox analysis for saudlov.scr
https://cwsandbox.org/?page=details&id=220785&password=vyagd
Interesting strings in sadlov.scr:
c:\windows\mdword.exe
hxxp ://caixa .nexenservices .com/game/game01.exe
c:\windows\mdword.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
hxxp ://www .terra .com .br/avisolegal/
Looks like it downloads game01.exe and something from
www[dot]terra[dot]com/br/avisolegal/
So I downloaded game01.exe and ran it thru VirusTotal. 1/32 “recognized” it. F-Secure called it "Suspicious:W32/Malware/Gemini"
http://www.virustotal.com/analisis/00e6839634881c4b247c0fa98332ea95 ..."
(Further analysis available at the ISC URL above)

- http://isc.sans.org/diary.html?storyid=4343
Last Updated: 2008-04-26 13:57:49 UTC - "There is something in the air at the moment... my mail box is chock-a-block full of SPAM this week... On Gmail I typically get 5-10 per week, now about 500. On my own mail the anti-SPAM throws away a few hundred per week, this week about 2000..."
(Long list available at the ISC URL above)

:fear::fear:
 
Caution: Unusually -low- hit rates on most AV's...

FYI...

(A weekend mess/uptick of SPAM not helping any - AV's in "catch-up" mode.)

- http://mtc.sri.com/
Most Effective Antivirus Tools Against New Malware Binaries (only "Top 10" shown...)
Sat Apr 26 17:20:29 2008
detects = Antivirus system overall detection rate based on exposure to 1752 malware binaries
rank  detects  missed  analyzed  country  vendor
1st   95%      78      1752      AT       Ikarus Security Software
2nd   92%      133     1752      CZ       Grisoft Inc
3rd   89%      182     1752      DE       Avira
4th   89%      193     1752      RO       BitDefender Inc
5th   88%      208     1752      US       Secure Computing
6th   87%      222     1752      IN       Quick Heal Technologies
7th   83%      284     1752      NO       Norman Inc
8th   82%      309     1752      FI       F-Secure Corporation
9th   82%      310     1752      RU       Kaspersky Lab
10th  80%      334     1752      PL       GNU Open Source..."
-----^^^

More...
- http://mtc.sri.com/live_data/av_rankings/

- http://isc.sans.org/diary.html?storyid=4346
Last Updated: 2008-04-26 18:23:13 UTC

- http://isc.sans.org/diary.html?storyid=4343
Last Updated: 2008-04-26 13:57:49 UTC

- http://www.virus-radar.com/index_c168h_enu.html

:fear::fear:
 
Malicious adware ASF file in the wild

FYI...

- http://isc.sans.org/diary.html?storyid=4355
Last Updated: 2008-04-29 00:13:50 UTC - "Recently one of our readers, Doug, sent us an ASF file that does something interesting: when you open it in Windows Media Player, it will immediately launch Internet Explorer which will then prompt you to download an executable file. As I don't see this every day, I went to investigate this a bit further. According to Microsoft, the ASF file format (and possibly other formats) allows creation of a script stream. The script stream can use certain, simple, script commands in Windows Media Player. This information is available at http://msdn2.microsoft.com/en-us/library/aa390699(VS.85).aspx

Now, the malicious ASF file we received opened Internet Explorer with the URL pointing to
hxxp ://www.fastmp3player.com/affiliates/772465/1/?embedded=false.
This web site had a further 302 redirect to
hxxp: //www.fastmp3player.com/affiliates/772465/1/PLAY_MP3.exe
(both links are still working), which is some adware and is reasonably detected by 20 out of 32 AV programs on VirusTotal..."

:fear:
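The script-stream mechanism the diary describes can be checked for before a media file ever reaches a player. The following is an added example, not code from the ISC diary or from Microsoft: it walks the ASF Header Object, lists every entry of a Script Command Object, and flags the URL and FILENAME command types; the two sample files are constructed in memory and the URL in them is a placeholder.

```python
import struct
import uuid

# Object GUIDs from the ASF specification; the file stores them little-endian.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_SCRIPT_COMMAND_OBJECT = uuid.UUID("1EFB1A30-0B62-11D0-A39B-00A0C9034F8E")
ASF_RESERVED_1 = uuid.UUID("4B1ACBE3-100B-11D0-A39B-00A0C9034F8E")

# Script command types that make the player open something outside the stream.
RISKY_TYPES = {"URL", "FILENAME"}


def _parse_script_object(body):
    """Decode one Script Command Object payload into (ms, type, argument)."""
    # body[0:16] is the reserved GUID, then command count and type count.
    n_cmds, n_types = struct.unpack_from("<HH", body, 16)
    p = 20
    types = []
    for _ in range(n_types):          # name length is in UTF-16 characters
        (n,) = struct.unpack_from("<H", body, p)
        types.append(body[p + 2:p + 2 + 2 * n].decode("utf-16-le"))
        p += 2 + 2 * n
    cmds = []
    for _ in range(n_cmds):
        ms, idx, n = struct.unpack_from("<IHH", body, p)
        arg = body[p + 8:p + 8 + 2 * n].decode("utf-16-le")
        p += 8 + 2 * n
        cmds.append((ms, types[idx] if idx < len(types) else "?", arg))
    return cmds


def scan_asf(data):
    """Walk the Header Object; other header objects are skipped by size."""
    if len(data) < 30 or data[:16] != ASF_HEADER_OBJECT.bytes_le:
        raise ValueError("not an ASF file: Header Object GUID missing")
    hdr_size, n_objs = struct.unpack_from("<QI", data, 16)
    pos, end = 30, min(hdr_size, len(data))
    found = []
    for _ in range(n_objs):
        if pos + 24 > end:
            break
        guid = data[pos:pos + 16]
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            break                     # corrupt size: stop, do not overread
        if guid == ASF_SCRIPT_COMMAND_OBJECT.bytes_le:
            found.extend(_parse_script_object(data[pos + 24:pos + size]))
        pos += size
    return found


def risky_commands(data):
    """Only the commands a defender should block on."""
    return [c for c in scan_asf(data) if c[1].upper() in RISKY_TYPES]


def build_asf_header(commands):
    """Minimal Header Object with one Script Command Object (test input only)."""
    types = sorted({t for _, t, _ in commands})
    body = ASF_RESERVED_1.bytes_le + struct.pack("<HH", len(commands), len(types))
    for t in types:
        body += struct.pack("<H", len(t)) + t.encode("utf-16-le")
    for ms, t, arg in commands:
        body += struct.pack("<IHH", ms, types.index(t), len(arg))
        body += arg.encode("utf-16-le")
    obj = ASF_SCRIPT_COMMAND_OBJECT.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER_OBJECT.bytes_le + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj


# Constructed samples: one mimics the diary's behaviour with a placeholder URL.
MALICIOUS_ASF = build_asf_header([(0, "URL", "http://example.invalid/PLAY_MP3.exe")])
BENIGN_ASF = build_asf_header([(1000, "TEXT", "Now playing")])

if __name__ == "__main__":
    for ms, kind, arg in risky_commands(MALICIOUS_ASF):
        print(f"risky script command at {ms} ms: {kind} -> {arg}")
```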
 
Malvertizements on Yahoo...

FYI...

- http://msmvps.com/blogs/spywaresucks/archive/2008/04/28/1607314.aspx
April 28, 2008 11:52 PM sandi - "The malvertizements discovered on Yahoo are STILL there..."

- http://msmvps.com/blogs/spywaresucks/archive/2008/04/27/1605974.aspx
April 27, 2008 12:21 PM by sandi - "Yahoo aren't listening... And still the problems continue... I wonder how many hits Yahoo gets per day, and how many people are being exposed to fraudware, while these advertisements are allowed to remain online..."

(Screenshots available at the URLs above.)

:fear::fear:
 
Mac DNS changer malware

FYI...

- http://isc.sans.org/diary.html?storyid=4361
Last Updated: 2008-04-30 09:27:16 UTC - "Back in November last year we published a diary about Mac DNS changer malware*. The main idea about this was to make Mac users aware that the bad guys are not ignoring this platform any more... the way it was packed showed that the attackers meant real business. All the malware did was change local DNS servers to a couple of servers in a known bad network, and tell the command and control server that a new victim is ready... Only a couple of anti-virus programs detected the original sample (a DMG file). This improved a bit over time, so when I tested the sample again today on VirusTotal, 10 anti-virus programs detected it... it changes the DNS servers and reports to a C&C server. However, one thing I noticed was that the attackers started obfuscating the installation code... it was enough to fool almost *all* anti-virus programs – according to VirusTotal, this new sample was detected by only 2 (!!) AV programs... same network as before, so make sure that you are monitoring any DNS requests going there since they indicate you have infected machines on your network..."
* http://isc.sans.org/diary.html?storyid=3595
Last Updated: 2007-11-02 02:36:39 UTC ...(Version: 2) - "... This is a professional attempt at attacking Mac systems... The second thing that folks at Sunbelt noticed ( http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html ) is that when they sent a sample to VirusTotal there were 0 (zero, nada, nilch) products that detected this..."

(More detail at each URL above)

--------------------------------------
Update...

Windows-malware already exists in some ZLOB variants (fake codecs) that will attempt the DNS client hijack - one reference:
- http://ca.com/us/securityadvisor/pest/pest.aspx?id=453119651
Latest DAT Release 03 13 2008 - "This fake codec is actually a hijacker that will change your DNS settings whether you acquire your IP settings through DHCP or set your IP information manually. This hijacker will attempt to re-route all your DNS queries through 85.255.x.29 or 85.255.x.121 (RBN).... rogue DNS servers..."

-or- SpybotS&D
- http://www.safer-networking.org/en/updatehistory/2007-02-02.html
Win32.DNSChanger
- http://www.safer-networking.org/en/updatehistory/2007-03-14.html
Zlob.DNSChanger

:fear:
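The diary's advice to watch for DNS traffic toward the rogue resolver network can be turned into a plain log check. This is an added example, not from ISC or CA: it scans constructed netfilter-style firewall log lines for port-53 traffic, flags destinations matching the 85.255.x.29 / 85.255.x.121 pattern quoted from the CA write-up above, and reports any resolver outside a hypothetical approved list.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical approved internal resolvers for this example's network.
APPROVED_RESOLVERS = {ipaddress.ip_address("10.1.0.53")}
# Rogue resolver pattern quoted from the CA write-up: 85.255.x.29 / 85.255.x.121.
ROGUE_NET = ipaddress.ip_network("85.255.0.0/16")
ROGUE_LAST_OCTETS = {29, 121}

# Field layout of the constructed firewall log lines below.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)")

# Constructed sample log: 10.1.4.37 behaves like a DNS-changer victim,
# 10.1.4.90 uses an outside resolver, 10.1.4.22 is clean.
SAMPLE_LOG = """\
Apr 30 09:01:12 fw kernel: IN=eth1 SRC=10.1.4.22 DST=10.1.0.53 PROTO=UDP DPT=53
Apr 30 09:01:13 fw kernel: IN=eth1 SRC=10.1.4.37 DST=85.255.112.29 PROTO=UDP DPT=53
Apr 30 09:01:14 fw kernel: IN=eth1 SRC=10.1.4.37 DST=85.255.113.121 PROTO=UDP DPT=53
Apr 30 09:01:15 fw kernel: IN=eth1 SRC=10.1.4.90 DST=198.51.100.7 PROTO=UDP DPT=53
Apr 30 09:01:16 fw kernel: IN=eth1 SRC=10.1.4.22 DST=203.0.113.9 PROTO=TCP DPT=443
"""


def classify_resolver(dst):
    """'rogue' for the advisory's pattern, 'ok' for approved, else 'unsanctioned'."""
    ip = ipaddress.ip_address(dst)
    if ip in ROGUE_NET and ip.packed[-1] in ROGUE_LAST_OCTETS:
        return "rogue"
    return "ok" if ip in APPROVED_RESOLVERS else "unsanctioned"


def find_dns_changer_victims(log_text):
    """Map each source host to the sorted (resolver, verdict) pairs it should
    not be talking to; hosts that only use approved resolvers are omitted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dpt"] != "53":
            continue                      # only DNS-port traffic matters here
        verdict = classify_resolver(m["dst"])
        if verdict != "ok":
            hits[m["src"]].add((m["dst"], verdict))
    return {host: sorted(pairs) for host, pairs in hits.items()}


if __name__ == "__main__":
    for host, pairs in find_dns_changer_victims(SAMPLE_LOG).items():
        print(host, pairs)
```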
 
PHP security updates

FYI...

PHP multiple vulns - update available
- http://secunia.com/advisories/30048/
Release Date: 2008-05-02
Critical: Moderately critical
Impact: Unknown, Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: PHP 5.2.x
...The vulnerabilities are reported in versions prior to 5.2.6.
Solution: Update to version 5.2.6.
http://www.php.net/downloads.php

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2051
5/5/2008
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2050
5/5/2008
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0599
5/5/2008

:fear:
 
Finjan finds: Attacker toolkits; Crimeserver...

FYI...

- http://www.finjan.com/MCRCblog.aspx?EntryId=1949
May 07, 2008 - "During our ongoing research we came up against one curious site. The site is hacking/security oriented, and is written in Russian (hmm... last time I've checked it was in Netherlands), and not significantly different from many other similar sites. The same "news" section with recent exploits. The same "articles" section with same "How to get root on server" paper. And the forum with common "SQL Injection FAQ" thread for newbies. What makes difference is the "download" section.... I think it's the first time (we've seen) such a comprehensive, well arranged and recently updated collection of trojans, keyloggers, back-door web-shells and, the most interesting for us, attacker toolkits..."
(Screenshots available at the URL above.)
-----------------------------------------------

- http://www.finjan.com/Pressrelease.aspx?id...=1819&lan=3
May 6, 2008 - "Finjan... today announced its discovery of a server controlled by hackers (Crimeserver) containing more than 1.4 Gigabyte of business and personal data stolen from infected PCs. The data consisted of 5,388 unique log files. Both email communications and web-related data were among them. The compromised data came from all around the world and contained information from individuals, businesses, as well as renowned organizations, including healthcare providers. To illustrate the scope; the server contained among others 571 log files from the US, 621 from Germany (DE), 322 from France (FR), 308 from India (IN), 232 from Great Britain (GB), 150 from Spain (ES), 86 from Canada (CA), 58 from Italy (IT), 46 from the Netherlands (NL), and 1,037 from Turkey (TR). Due to the sheer impact, Finjan followed its company guidelines and promptly notified over 40 major international financial institutions located in the US, Europe and India whose customers were compromised as well as various law enforcements around the world.
The report contains examples of compromised data that Finjan found on the Crimeserver, such as:
* Compromised patient data
* Compromised bank customer data
* Business-related email communications
* Captured Outlook accounts containing email communication..."

:fear::fear:
 
Acrobat exploit in Neosploit exploit toolkit

FYI...

Neosploit Updated to Include an Acrobat Exploit
- http://preview.tinyurl.com/6mlnq6
05-05-2008 (Symantec Security Response Blog) - "On about April 18th, Symantec's DeepSight honeypots began capturing a new iteration of the Neosploit exploit toolkit. It appears that the pervasive exploit kit has been updated to take advantage of a circa February 2008 vulnerability in Adobe Acrobat Professional and Reader. What makes this attack vector of particular concern is that it will work reasonably silently through most browsers. If a user is enticed to a hostile Web site (who knows which ones are hostile these days) using the browser of their choice, it is reasonably likely that their computer will become infected provided that they have Acrobat installed on their computer. Although the vulnerability has been patched since early February, I suspect that many users have not applied this patch yet. We highly recommend that if you haven’t done so, go and get the latest patched versions of Adobe Acrobat Reader and Professional from here: http://www.adobe.com/support/security/advisories/apsa08-01.html ..."

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2042
Last revised: 5/8/2008

Security Updates available for Adobe Reader and Acrobat 7 and 8
- http://www.adobe.com/support/security/bulletins/apsb08-13.html
"...Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.2...
....Users with Adobe Reader 7.0 through 7.0.9, who cannot upgrade to Reader 8.1.2, should upgrade to Reader 7.1.0..."

Adobe Reader 7.1.0 released
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=3952
5/7/2008 - "The Adobe® Reader® 7.1.0 update addresses a number of customer issues and security vulnerabilities..."

Release notes:
- http://kb.adobe.com/selfservice/viewContent.do?externalId=kb403541&sliceId=1

:fear:
 
Malicious Website/Code - China.com game site

FYI...

- http://securitylabs.websense.com/content/Alerts/3089.aspx
05.09.2008 - "Websense... has detected malicious code hosted on China.com's game site. The malware is a variant of VBS/Redlof and is known to commonly infect files with the extension of "html", "htm", "php", "jsp", "htt", "vbs", and "asp". This malicious download (MD5: e6df57ea75a77112e94036e5138bd063) is placed in a directory that appears to be reserved for game patch downloads. This virus attempts to spread itself by infecting all outbound emails sent by the victim with MS Outlook or Outlook Express. More details on the Microsoft VM ActiveX component vulnerability (MS00-075*)..."
* http://www.microsoft.com/technet/security/bulletin/MS00-075.mspx

(Screenshot available at the Websense URL.)

:fear:
 
PHP exploit released

FYI...

- http://preview.tinyurl.com/5zvnrx
May 9, 2008 (Avert Labs blog) - "Sometime back we had come across this interesting vulnerability posted by a Chinese researcher in his blog, claiming to have found a zero day vulnerability in php 5.2.3. We got a chance to dig a bit deeper into this and were able to reproduce the vulnerability based on the information provided in the blog. After investigation, we found that this vulnerability affects not only version 5.2.3 but also version 5.2.5. It is a heap overflow which can be triggered when a web server with PHP receives a malformed URI request; it can be a simple request like “GET /index.php/aa HTTP/1.1″. Successful exploitation of this can result in arbitrary code execution with the privileges of the WEB Server... We highly recommend users to update with the latest version of PHP 5.2.6 released*. This patch, besides this issue, fixes a host of other security related issues, some of which we deem as critical..."
* http://forums.spybot.info/showpost.php?p=188217&postcount=61

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0599
Last revised: 5/9/2008
CVSS v2 Base score: 10.0 (High)

:fear:
 
Debian/Ubuntu (Linux) OpenSSL vuln/update

- http://isc.sans.org/diary.html?storyid=4421
Last Updated: 2008-05-15 23:16:38 UTC ...(Version: 3)
- http://www.us-cert.gov/current/#debian_openssl_vulnerability
May 15, 2008
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0166
Threatcon - Symantec
- http://www.symantec.com/security_response/threatconlearn.jsp
2008-05-16 05:28 - "ThreatCon is currently at Level 2: Elevated.
The ThreatCon is at level 2. Advisories have been released addressing an issue related to weak key generation in Debian and its variants, such as Ubuntu. Using a weak random number generator in the OpenSSL package, the system generates a weak key when installing services such as Secure Shell (SSH) and OpenVPN. To fix this issue, users are advised to apply available updates for the OpenSSL library and to regenerate all cryptographic keys generated previously by the library. Keys generated from GNUPG and GNUTLS packages are reportedly unaffected. Several tools are already available that allow a brute-force attack against the weak keys. H D Moore has released a database of all weak keys generated for a typical encryption key space:
( http://metasploit.com/users/hdm/tools/debian-openssl/ )
A script to brute-force the keys using that database has also been released on milw0rm by M. Mueller:
( http://www.milw0rm.com/exploits/5622 )
These tools could be used to bypass key-based login for shell services such as SSH. Other potential tools could be used to decrypt traffic such as login information or to forge digital signatures.
The Debian advisory addressing the issue provides information on how to tell if your system was using vulnerable keys. The following Debian and Ubuntu advisories are available:
DSA-1571-1 openssl -- predictable random number generator
( http://www.debian.org/security/2008/dsa-1571 )
USN-612-1: OpenSSL vulnerability
( http://www.ubuntu.com/usn/USN-612-1 )."

-----------
 
Cisco advisories

FYI...

- http://www.us-cert.gov/current/#cisco_releases_security_advisories2
May 22, 2008 - "Cisco has released three security advisories to address multiple vulnerabilities in Cisco IOS Secure Shell, Service Control Engine, and Voice Portal. These vulnerabilities may allow an attacker to take control of the affected system or cause a denial-of-service condition. US-CERT encourages users to review the following Cisco Security Advisories and apply any necessary updates or workarounds.

* Cisco IOS Secure Shell Denial of Service Vulnerabilities
- http://www.cisco.com/en/US/products/products_security_advisory09186a008099567f.shtml
* Cisco Service Control Engine Denial of Service Vulnerabilities
- http://www.cisco.com/en/US/products/products_security_advisory09186a008099bf65.shtml
* Cisco Voice Portal Privilege Escalation Vulnerability
- http://www.cisco.com/en/US/products/products_security_advisory09186a008099beae.shtml

:fear:
 
Fake sites... copying CastleCops, PC World, others

FYI...

- http://sunbeltblog.blogspot.com/2008/05/no-this-is-not-castlecops.html
May 22, 2008 - "No, this is not CastleCops
mezzicodec(dot)net masquerades as the legitimate CastleCops site... The site is mirroring, in near real-time, CastleCops. It seems to be primarily used for SEO purposes and possibly to steal valid user accounts, but could serve malware or exploits. Avoid this site."

- http://sunbeltblog.blogspot.com/2008/05/rash-of-fake-sites-copying-pc-world.html
May 22, 2008 - "As a follow-up to my post earlier today about a fake CastleCops page, there’s more to the story. There are other domains sharing the same IP (207.226.177.250):
pepato org
slim-cash com
spyware-wiper com
Cpaypal com
Crazycounter net
All are copying legitimate sites. Pepato is loading a fake dvdplanet.com page... These domains belong to the "Vladzone" malware gang. A while back, we believe that they were responsible for DDoS attacks against webhelper4u.com (Patrick Jordan, who works for Sunbelt) and spamhuntress.com — and maybe a few others. I would not visit these sites."

(Screenshots available at both Sunbeltblog URLs above.)

:fear::sad::mad::yuck:
 
IBM Lotus Sametime - update available

FYI...

- http://secunia.com/advisories/30309/
Release Date: 2008-05-22
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: IBM Lotus Sametime 7.x, IBM Lotus Sametime 8.x
...Successful exploitation may allow execution of arbitrary code.
Solution: Update to version 8.0.1 or apply hotfix ICAE-7DPP83 for Lotus Sametime 7.5.1 Cumulative Fix 1 (CF1). Contact IBM support for the patch if Sametime 7.5.1 CF1 is not deployed or if unable to update to 8.0.1.
http://preview.tinyurl.com/5s6mz9
Original Advisory:
IBM: http://www-1.ibm.com/support/docview.wss?uid=swg21303920

- http://www.us-cert.gov/current/#ibm_lotus_sametime_vulnerability
May 22, 2008

- http://isc.sans.org/diary.html?storyid=4460
Last Updated: 2008-05-26 23:54:12 UTC - "Take a look at port 1533*. That's quite an increase in targeted computers reporting via DShield over the past few days..."

* http://isc.sans.org/port.html?port=1533
"...tcp 1533 used by Lotus Sametime for chat and awareness..."

:fear:
 
Flash player exploit in the wild

Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

- http://isc.sans.org/diary.html?storyid=4465
Last Updated: 2008-05-27 18:12:46 UTC ...(Version: 2) - "A vulnerability has been reported in Adobe Flash Player versions 9.0.124.0 and older, which is the current version available...
Update1: Symantec has observed that this issue is being actively exploited in the wild and have elevated their ThreatCon*.
Update2: A SecurityFocus article is now live here**."

ThreatCon is currently at Level 2: Elevated
* http://www.symantec.com/security_response/threatconlearn.jsp
"The DeepSight ThreatCon is being raised to Level 2 in response to the discovery of in-the-wild exploitation of an unspecified and unpatched vulnerability affecting Adobe Flash Player. The flaw occurs when processing a malicious SWF file. At the time of writing, details related to this vulnerability are scarce, but Symantec Security Response has been able to trigger the flaw in some scenarios. We're currently investigating the vulnerability to uncover additional details, including the sites used to host the attack... Currently two Chinese sites are known to be hosting exploits for this flaw: wuqing17173 .cn and woai117 .cn. The sites appear to be exploiting the same flaw, but are using different payloads... Network administrators are advised to blacklist these domains to prevent clients from inadvertently being redirected to them. Further analysis into these attacks, specifically the woai117 .cn attack, uncovered another domain involved dota11 .cn . We have discovered that this site is being actively injected into sites through what is likely SQL injection vulnerabilities. A google search reports approximately 20,000 web pages (not necessarily distinct servers or domains) injected with a script redirecting users to this malicious site..."

** http://www.securityfocus.com/bid/29386

Malicious swf files?
- http://isc.sans.org/diary.html?storyid=4468
Last Updated: 2008-05-27 18:46:44 UTC ...(Version: 2) - "...potentially malicious site found at hxxp ://www .play0nlnie .com/pcd/topics/ff11us/20080311cPxl31/07.jpg
The JPG file is actually a script... Unknown at this time if these SWF files are related to this vulnerability."

:fear:
 