Old Alerts

Adobe (Flash) Server vulns - updates available

FYI...

Adobe (Flash) Server vulns - updates available
>>> http://www.us-cert.gov/current/#adobe_releases_security_bulletins_to
January 17, 2008

- http://www.adobe.com/support/security/bulletins/apsb08-02.html
APSB08-02 Update available for Adobe Connect Enterprise Server cross-site scripting issue - 01/16/2008

- http://www.adobe.com/support/security/bulletins/apsb08-01.html
APSB08-01 Update to Dreamweaver and Contribute to address potential cross-site scripting vulnerabilities - 01/16/2008

"...issue previously described in Security Advisory APSA07-06*..."
- http://www.adobe.com/support/security/advisories/apsa07-06.html
January 16, 2008 – Advisory updated with information on Dreamweaver and Connect fixes

:fear::fear:
 
10,000 Apache sites hacked

FYI...

- http://www.theinquirer.net/gb/inquirer/news/2008/01/22/apache-sites-scalped-hack
22 January 2008 - "...more than 10,000 sites running the Linux based Apache software may be hacked and trying to control visitors' computers. Don Jackson, from Secureworks* said that the hackers probably used stolen log-in details to gain access and then infected the Apache servers with a pair of files that generate constantly-changing JavaScript. If a punter visits the hacked site they get walloped with nine exploits including a recent QuickTime vulnerability, the long-running Windows MDAC bug, and a fixed flaw in Yahoo Messenger. Once a hole is opened, the victim receives (a variant of) the Trojan Rbot and is added to a botnet. When the systems administrators, who owned the Apache boxes, were notified and reinstalled the software, the hack came back, apparently. This led Jackson to believe that it was a direct hack to the Linux server and not based on a vulnerability. He thinks that the only way the hacks will stop is when the Administrators change all the passwords and not just the FTP and Cpanel passwords..."
* http://www.secureworks.com/research/threats/linuxservers/?threat=linuxservers
"...The compromised websites, in turn, can infect website visitors. If infected, the malicious code can steal bank usernames and passwords, SSNs, credit card numbers, online payment accounts, basically any information a computer user puts into their web browser. The malicious code can also own the victim’s computer...
> Protection for Organization’s Websites: In order for an organization to protect their website from this attack they need to disable dynamic loading in their Apache module configurations.
> Protection for Website visitors: This is designed to attack Windows PCs. Website visitors can avoid infection by the malware this attack distributes by making sure all anti-virus signatures are up to date and that all vulnerable software is patched. No previously unknown or 0-day vulnerabilities are used in this attack..."

:fear::fear::fear:
 
10,000 Apache sites hacked... more info

Ongoing...

- http://www.theregister.co.uk/2008/01/23/booby_trapped_web_botnet_menace/
23 January 2008 - "...Security watchers at Sophos are discovering 6,000 new infected webpages every day, the equivalent of one every 14 seconds. Four in five (83 per cent) of these webpages actually belong to innocent companies and individuals, unaware that their sites have been hacked. Websites of all types, from those of antique dealers to ice cream manufacturers and wedding photographers, have hosted malware on behalf of virus writers, Sophos reports. The study sheds fresh light on the well-understood problem of drive-by-downloads from compromised sites, a tactic that's come to eclipse virus-infected email as a means of spreading malware. Cybercrooks target users by spamvertising emails containing links to poisoned webpages, exposing unsuspecting victims to malware. At least one in ten web pages are booby-trapped with malware, according to a separate study by Google published last May. Often these malware packages are designed to put compromised zombie PCs under the control of hackers. Around half a million computers are infected by bots every day according to data compiled by PandaLabs*, the research arm of anti-virus firm Panda Software. Approximately 11 percent of computers worldwide have become a part of criminal botnets..."

- http://www.sophos.com/security/blog/2008/01/1010.html
22 January 2008

- http://www.cpanel.net/security/notes/random_js_toolkit.html

* http://www.pandasecurity.com/usa/about/corporate-news/new-31.htm
Jan. 18, 2008

- http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3

> http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.BotCounts#week

Also noteworthy:
> http://blog.trendmicro.com/technology-shift-the-world-wide-compromise-of-the-web/
January 22, 2008 - "...We’ve recently seen literally thousands of compromised Web sites and Web pages that, if an unsuspecting user happens upon the content (and has some arbitrary unpatched vulnerability), they are victimized. I cannot stress how important this issue has become, and how this will fundamentally change the way we use The Internet if we do not take dramatic steps to correct these basic deficiencies. The lifeblood of the Internet depends on it. When Vint Cerf spoke at the World Economic Forum in Davos, Switzerland, last year, he pretty much nailed the issue spot on — 'Criminals may indeed overwhelm the web' as we (collectively) sit idly by..."

:fear::fear::fear:
 
10,000 Apache sites hacked... (ongoing)

FYI...

- http://blog.washingtonpost.com/securityfix/2008/01/report_51_of_malicious_web_sit.html
January 22, 2008 - "...Dan Hubbard, Websense's vice president of security research, said that at any given time there are about two million compromised and malicious sites online, and that slightly more than half of those are hacked sites that range from mom-and-pop type stores to household brand names. The company scans about 600 million sites per week for signs that the sites are trying to foist malicious software on visitors or redirect them to sites that will. The report follows recent discoveries* that almost 100,000 Web sites - including that of security company Computer Associates, the Commonwealth of Virginia, the City of Cleveland - were hacked via Web application vulnerabilities in an apparently coordinated attack. In that attack, the code stitched into hacked sites was designed to perpetrate click fraud and steal online gaming credentials. All Web software applications have flaws, and all need to be updated from time to time to keep the site healthy and to keep opportunistic predators away..."
* http://www.theregister.co.uk/2008/01/08/malicious_website_redirectors/

:fear:
 
Superbowl malware campaign begins

FYI...

SEO Manipulation Begins for Super Bowl Malware Campaign
- http://blog.trendmicro.com/seo-manipulation-begins-for-super-bowl-malware-campaign/
January 24, 2008 - "...When users search for 'Superbowl', Google search results turn up the following (malware links)... Is the Super Bowl on cyber criminals’ social engineering lists? It does seem somewhat passé (even if the event is in two weeks). But what’s interesting in this case is that the malicious URLs are once again found in the servers of the Czech hosting provider believed to be hacked. Our analysts have been in contact with CERT CZ and the Czech hosting provider but the malicious codes are still present as of this writing..."

(Screenshot available at the URL above.)

:fear:
 
FYI...

Attackers Abuse Google Blogger
Blogger is flooded with phony blogs – including some that inject malware
- http://www.darkreading.com/document.asp?doc_id=144171&print=true
JANUARY 25, 2008 - "Hackers are currently littering Google's Blogger site with phony blogs -- some containing malware, pornographic images, or pure spam. "Google Blogger is being used as a malware delivery mechanism," says Ken Steinberg, CTO and president of Savant Protection, who discovered the attack while working on his own blog this morning. The attackers apparently are automatically generating the blogs with scripts. The blogs come with nonsensical names and content that's obviously been generated using English-compliant engines and keyword focuses, he says. "They've upped the game. Mostly [blog attacks] have been through comments or postings," he says. Steinberg noted that some of the fake blogs were using malware-insertion techniques: "One of the more common ways of inserting malware is using overflow techniques found in movie [viewers]... When you click through a few of these blogs, up pops images set to auto-load -- some are images, some are movies" that can infect a visitor with malware, he says. Google says it's investigating the event..."

- http://preview.tinyurl.com/2v59aq
January 25, 2008 (Computerworld) - "...The spammers have borrowed other malware techniques, too. Just as some recent attacks have been launched using frequently changing JavaScript, the redirect code placed on the Google Pages or on blogs may fluctuate depending on the originating spam message. The scams are also using fast-flux techniques to rapidly change the resolving destinations of the links..."

:devil:
 
10,000 Apache sites hacked... (ongoing)

FYI... (apologies for the long post; included details for admins):

- http://prweb.com/releases/2008/1/prweb656233.htm
January 26, 2008 - "cPanel announced today that its security team has identified several key components of a hack known as the Random JavaScript Toolkit. The systems affected by this hack appear to be Linux® based and are running a number of different hosting platforms. While this compromise is not believed to be specific to systems running cPanel software, cPanel has worked with a number of hosting providers and server owners to investigate this compromise. The cPanel Security Team has recognized that the vast majority of affected systems are initially accessed using SSH with no indications of brute force or exploitation of the underlying service. Despite non-trivial passwords, intermediary users and nonstandard ports, the attacker is able to gain access to the affected servers with no password failures. The cPanel security team also recognized that a majority of the affected servers come from a single undisclosed data-center. All affected systems have password-based authentication enabled. Based upon these findings, the cPanel security team believes that the attacker has gained access to a database of root login credentials for a large group of Linux servers. Once an attacker manually gains access to a system they can then perform various tasks. The hacker can download, compile, and execute a log cleaning script in order to hide their tracks. They also can download a customized root-kit based off of Boxer version 0.99 beta 3. Finally, the attacker searches for files containing credit card related phrases such as cvc, cvv, and authorize. The actual root-kit has been the subject of much speculation. The cPanel security team asserts that the Boxer variant includes a small web-server which is how the Javascript is distributed to unsuspecting users of any website on the server. It is believed that the Javascript include is injected into the HTML code after Apache has served the file but before it has traveled through the TCP transport back to the user of the website.
The web-server is not loaded onto the hard drive directly but loaded directly into memory from the infected Boxer binaries... The JavaScript being loaded by this web-server is directing users to another server that scans the website user for a number of known vulnerabilities. These vulnerabilities are then used to add the website user to a bot net. More information about the JavaScript hacks can be found at: http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3. Cleaning the Random JavaScript Toolkit requires the server to be booted into single user mode and the removal of all infected binaries. More details on how to do this can be found at: http://www.cpanel.net/security/notes/random_js_toolkit.html. The cPanel security team believes that the hacker has access to the database of login credentials, the only way to prevent being hacked again is changing the password and not releasing it to anyone. The preferred method however is to move to SSH Keys and remove password authentication altogether."

:fear::spider:
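The cPanel write-up above ends with the actual fix: change the root password and, preferably, move to SSH keys with password authentication removed. As an added example that is not part of the post or of cPanel's notes, this Python script audits an sshd_config for that state, applying sshd's first-value-wins and Match-block rules; the two configs inside it are constructed samples, not configs from any affected server.

```python
"""Audit an sshd_config for the fix the cPanel write-up recommends: SSH-key
logins only, with password authentication removed.

sshd_config(5) rules applied: keywords are case-insensitive and '#' starts a
comment; for each keyword the FIRST value obtained wins; lines after a 'Match'
directive apply only to matching sessions, so they are reported separately
instead of being mistaken for the global setting."""
import re

# Effective value when a keyword is absent: PasswordAuthentication defaults to
# 'yes', so a config that never mentions it still accepts passwords.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Pre-8.7 spelling of the same keyword; PAM can prompt for a password through it.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
_DIRECTIVE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return (settings, blocks): global keyword -> first value seen, plus a
    list of (criteria, {keyword: value}) for each Match block in file order."""
    settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        m = _DIRECTIVE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        key = ALIASES.get(key, key)
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        (settings if current is None else current).setdefault(key, value)
    return settings, blocks


def audit(text):
    """Findings against the key-only recommendation; an empty list passes."""
    settings, blocks = parse_sshd_config(text)
    eff = {k: settings.get(k, d).lower() for k, d in DEFAULTS.items()}
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is effectively '%s': a leaked "
                        "password alone still logs in" % eff["passwordauthentication"])
    if eff["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is effectively '%s': PAM can "
                        "still prompt for a password" % eff["kbdinteractiveauthentication"])
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is '%s': key logins would fail"
                        % eff["pubkeyauthentication"])
    if settings.get("permitrootlogin", "").lower() == "yes":
        findings.append("PermitRootLogin yes: a stolen root password gives a root shell")
    for criteria, block in blocks:
        if block.get("passwordauthentication", "no").lower() == "yes":
            findings.append("'Match %s' re-enables PasswordAuthentication" % criteria)
    return findings


# Constructed samples. WEAK is the state the write-up describes: passwords
# accepted, root allowed, a non-standard port that changes nothing once the
# password is known; its second PasswordAuthentication line is ignored by sshd.
WEAK_CONFIG = """
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # too late: the first value wins
"""
HARDENED_CONFIG = """
Port 2222
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```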
 
Spyware Removal site delivers malware

FYI...

- http://blog.trendmicro.com/spyware-removal-site-delivers-malware/
January 28, 2008 - "Looks can be deceiving, and malware authors are relying on that old adage to lure potential victims into their most recent scheme... The site hxxp ://removal-tool .com manages to do all that... who’d suspect that a professional-looking anti-spyware site will give them just the opposite of what they’re looking for — and even more? With most of the pages hosting malicious iFrames, here’s a list of what could be lurking in your system after a visit to their site:
* HTML_IFRAME.IY
* VBS_PSYME.BCC
* EXPL_EXECOD.A
* HTML_SHELLCOD.AE
* JS_AGENT.AXX
* HTML_DLOADER.XCZ
* WORM_DISKGEN.AF
* HTML_SHELLCOD.AZ
* HTML_SHELLCOD.AW
* JS_REALPLAY.AA
* PE_PAGIPEF.AP-O
* TROJ_AGENT.DDG
* TROJ_PAGIPEF.AP
The use of legitimate-looking Web sites is a regular (yet undoubtedly still very effective) tactic in disseminating Web threats, mainly used to fool users into downloading fake codecs (see here and here), though security applications have also been reported in the past. Any Web-savvy developer knows that professional design and robust content attract customers, and is most likely to earn their trust to initiate one more click. Sadly, even those with malicious intent abide by this rule, and most users can hardly tell a good site from a bad one..."

(Screenshot available at the URL above.)

:fear:
 
Malicious .SWF banner ads - Expedia.com and Rhapsody.com

FYI...

- http://blog.trendmicro.com/malicious-banners-target-expediacom-and-rhapsodycom/
January 29, 2008 - "... Earlier this month, we’ve seen malicious banner ads being served on popular Web sites, such as Myspace, Excite, and Blick. This time, TrendLabs was alerted to malicious banner ads infiltrating legitimate special interest Web sites such as Expedia.com and Rhapsody.com. According to Trend Micro security experts, certain malicious .SWF banners have managed to work their way into Expedia.com, a popular site for travel enthusiasts worldwide. Trend Micro detects this particular malicious flash banner as SWF_ADHIJACK.A. Based on initial analysis, clicking on this ad leads to several redirections, which eventually results in the installation of a rogue antispyware (detected as TROJ_GIDA.A). Music lovers are also targeted by malware-laden .SWF banners at Rhapsody.com, a music site owned by RealNetworks, which was also found to be employing malicious flash banners. The malicious .SWF URL found in Rhapsody.com is said to be similar to the notorious Skyauction advertisements that were also found to infiltrate the Blick website...
Hat-tip: Spyware Sucks - http://msmvps.com/blogs/spywaresucks/archive/2008/01/28/1483997.aspx "

:fear::spider:
 
Multiple ActiveX vulnerabilities alert

FYI...

- http://secunia.com/advisories/28715
Last Update: 2008-02-05
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: MySpace Uploader Control 1.x
...The vulnerability is confirmed in MySpaceUploader.ocx version 1.0.0.5 and reported in version 1.0.0.4. Other versions may also be affected.
Solution: Update to version 1.0.0.6. <<<
( http://forums.spybot.info/showpost.php?p=162448&postcount=44 )

- http://secunia.com/advisories/28713/
Release Date: 2008-02-04
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Facebook Photo Uploader 4.x
...The vulnerability is confirmed in version 4.5.57.0. Other versions may also be affected.
Solution: Update to version 4.5.57.1. <<<

- http://secunia.com/advisories/28757/
Last Update: 2008-02-07
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Yahoo! Music Jukebox 2.x ...
NOTE: Working exploit code is publicly available.
The vulnerabilities are confirmed in Yahoo! Music Jukebox version 2.2.2.056. Other versions may also be affected...
Solution: Set the kill-bit for the affected ActiveX controls. <<<
Other References:
US-CERT VU#101676: http://www.kb.cert.org/vuls/id/101676
US-CERT VU#340860: http://www.kb.cert.org/vuls/id/340860
---------------------
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0623
release date: 2/6/2008 - YMP Datagrid ActiveX control (datagrid.dll)
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0624
release date: 2/6/2008 - YMP Datagrid ActiveX control (datagrid.dll)
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0625
release date: 2/6/2008 - MediaGrid ActiveX control (mediagrid.dll)

:fear:
 
Adobe Reader v8.1.2 released

FYI...

Adobe Reader v8.1.2 released
- http://secunia.com/advisories/28802/
Release Date: 2008-02-06
Last Update: 2008-02-11
Critical: Highly critical
Impact: Unknown, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Acrobat 3D, Adobe Acrobat 8 Pro, Adobe Acrobat 8.x, Adobe Reader 8.x
CVE reference:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0667 ...
Solution: Update to version 8.1.2...
Acrobat 8 on Windows:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3849 ...
Changelog:
2008-02-08: Updated advisory based on additional information from the vendor. Updated link to vendor's advisory.
2008-02-11: Updated advisory based on additional information from iDefense Labs and Fortinet. Added links and CVE references.
Original Advisory: Adobe APSA08-01:
http://www.adobe.com/support/security/advisories/apsa08-01.html
 
MySpace Uploader ActiveX Exploited in the Wild

FYI...

MySpace Uploader ActiveX Exploited in the Wild
- http://preview.tinyurl.com/22vn4d
February 7, 2008 (Symantec Security Response Weblog) - "Yesterday our honeypots picked up a browser attack toolkit that I had not encountered before. This toolkit uses dynamic function and variable names and wraps its exploits in two levels of dynamic encoding. Finding a new toolkit on our honeypots always piques my interest as a new toolkit often yields new exploit payload. Lo and behold, once the encoder layers are peeled away, the toolkit is found to contain an exploit for the MySpace Uploader 'MySpaceUploader.ocx' ActiveX Control Buffer Overflow that was announced on the 31st of January*..."
* http://securityresponse.symantec.com/avcenter/attack_sigs/s50096.html
"...issue leads to a crash in 'MySpaceUploader.ocx' 1.0.0.4 and 1.0.0.5..."

> http://secunia.com/advisories/28715
Solution: Update to version 1.0.0.6.

:fear:
 
Rough 24 hours for Windows users - 81.01% affected

FYI...

> http://secunia.com/blog/20
7 February 2008
"...During the last 24 hours, we have seen security updates for some very popular Windows programs from four major vendors: Sun, Adobe, Apple, and Skype. Based on these four security updates, we have gathered some statistics from our free Secunia PSI that shows a startling picture, detailing the amount of users who need to patch their computers, in order to safely do something as ordinary as surfing the Internet...
A little in-depth information about the four security updates
1) Adobe Reader 8.x (PDF Files) (Secunia Advisory: http://secunia.com/SA28802 )...
2) Sun Java 1.5.x (Web content, games, etc.) (Secunia Advisory: http://secunia.com/SA28795 )...
3) Apple Quicktime (Movies, music, etc.) (Secunia Advisory: http://secunia.com/SA28423 )
4) Skype (Chat and VOIP) (Secunia Advisory: http://secunia.com/SA28791 )..."

(Add the Firefox update to that: http://secunia.com/SA28758/ , and most should have a busy weekend!)

:fear:
 
Adobe Reader exploit in the wild

FYI...

- http://isc.sans.org/diary.html?storyid=3958
Last Updated: 2008-02-09 02:38:22 UTC - "The Adobe Reader vulnerability... is being exploited in the wild! A malicious PDF file (called 1.pdf in this example) served from IP address "85.17.221.2" (not active at this time) contains a malware specimen called Trojan, a variant of Zonebac. The IP address belongs to LeaseWeb, a hosting provider in The Netherlands we already notified..."

- http://secunia.com/advisories/28802/
Software: Adobe Reader 8.x ...
Solution: Update to version 8.1.2 ...
Original Advisory: Adobe Reader 8.1.2 Release Notes:
http://www.adobe.com/go/kb403079

:fear:
 
FYI...

New Facebook Photo Uploader ActiveX Vulnerability
- http://atlas.arbor.net/briefs/index#-1074023979
(...Scroll down to):
Severity: Elevated Severity
Published: Wednesday, February 13, 2008 18:57
Facebook Photo Uploader ActiveX control is prone to a buffer-overflow vulnerability. Attackers can exploit this issue and execute arbitrary code in the context of the browser. Exploit is available. Until this issue is fixed by the vendor, a workaround would be to set the kill bit for the ActiveX control.
Analysis: The ActiveX control in question is ImageUploader4.1.ocx. The 'FileMask' method is vulnerable. Attackers need to make a user view a crafted HTML to exploit this issue. A workaround would be to set the kill bit for the Control till it is fixed...

:fear:
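Both the Yahoo! Music Jukebox advisory (Secunia 28757, above) and this Facebook Photo Uploader brief give "set the kill-bit" as the workaround without saying what that is. As an added example that is not from the posts or the advisories, this Python script shows the kill-bit at the registry level and audits a regedit export for it; the CLSIDs in it are placeholders, not the identifiers of datagrid.dll, mediagrid.dll or ImageUploader4.1.ocx, and the export is constructed.

```python
r"""Audit a regedit (.reg) export for ActiveX kill-bits: bit 0x400 of the DWORD
'Compatibility Flags' under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{CLSID} (and under SOFTWARE\Wow6432Node for 32-bit IE on 64-bit
Windows). With the bit set, IE refuses to instantiate the control whatever
page embeds it. CLSIDs below are placeholders, not real control identifiers."""
import re

KILL_BIT = 0x00000400
VIEWS = {"native": r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
         "wow64": r"SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"}
_SECTION = re.compile(r"^\[HKEY_LOCAL_MACHINE\\(.+)\\(\{[0-9A-Fa-f-]{36}\})\]$")
_FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})$')


def parse_activex_compat(reg_text):
    """Return {(view, CLSID): flags} for every ActiveX Compatibility key in the
    export. A key present without a 'Compatibility Flags' value counts as 0."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):          # a new key starts; forget the previous one
            current = None
            m = _SECTION.match(line)
            if m:
                parent, clsid = m.group(1).lower(), m.group(2).upper()
                for view, path in VIEWS.items():
                    if parent == path.lower():
                        current = (view, clsid)
                        flags.setdefault(current, 0)
            continue
        m = _FLAGS.match(line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)
    return flags


def kill_bitted(reg_text):
    """CLSIDs whose kill-bit is set in every view the export lists them in;
    a bit set only for 64-bit IE still leaves the 32-bit browser exposed."""
    flags = parse_activex_compat(reg_text)
    return {c for _, c in flags
            if all(f & KILL_BIT for (_, cc), f in flags.items() if cc == c)}


def missing_kill_bits(reg_text, required):
    """Which of an advisory's CLSIDs still lack an effective kill-bit."""
    present = kill_bitted(reg_text)
    return [c for c in (r.upper() for r in required) if c not in present]


def kill_bit_reg_entry(clsid, existing_flags=0):
    """.reg text that sets the kill-bit in both views. OR-ing with the current
    value keeps any other compatibility flags the vendor already set."""
    clsid = clsid.upper()
    if not re.fullmatch(r"\{[0-9A-F-]{36}\}", clsid):
        raise ValueError("not a CLSID: %r" % clsid)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for path in VIEWS.values():
        lines += ["[HKEY_LOCAL_MACHINE\\%s\\%s]" % (path, clsid),
                  '"Compatibility Flags"=dword:%08x' % (existing_flags | KILL_BIT), ""]
    return "\n".join(lines)


# Constructed export: {1111...} is kill-bitted in the only view it appears in,
# {2222...} carries other flags but not the kill-bit, {3333...} is kill-bitted
# for 64-bit IE only. An unrelated key shows that other entries are skipped.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"""
ADVISORY_CLSIDS = ["{11111111-1111-1111-1111-111111111111}",
                   "{22222222-2222-2222-2222-222222222222}",
                   "{33333333-3333-3333-3333-333333333333}"]
```

Running `missing_kill_bits(SAMPLE_EXPORT, ADVISORY_CLSIDS)` names the two placeholder controls still exposed, and `kill_bit_reg_entry` produces the import file that would close each one in both registry views.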
 
Browsers under attack

FYI...

- http://www.theregister.co.uk/2008/02/15/browser_exploitation/
15 February 2008 - "Cybercriminals are stepping up their efforts to exploit vulnerabilities in web browsers to spread malware using drive-by download techniques. Research by Google's anti-malware team on three million unique URLs on more than 180,000 websites automatically installed malware onto vulnerable PCs. Hackers are increasingly trying to trick search sites into pointing surfers onto maliciously constructed sites. More than one per cent of all search results contain at least one result that points to malicious content, Google reports*, adding that incidents of such attacks have grown steadily over recent months and continue to rise. Google's team also reports that two per cent of malicious websites are delivering malware via tainted banner ads. Israeli security firm Finjan has also observed a rise in the tactic over recent months, noting that many malicious ads are served from legitimate websites. A security report from IBM's X-Force division said cybercriminals are "stealing the identities and controlling the computers of consumers at a rate never before seen on the internet"..."
* http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html

> http://www.us-cert.gov/current/#mozilla_firefox_and_opera_browser
February 18, 2008
> http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx
MS08-010 - Updated: February 13, 2008

(Keep things patched! Is your browser up-to-date?...)

Opera v9.26 released
- http://forums.spybot.info/showthread.php?p=166220#post166220
Release Date: 2008-02-20

:fear::spider:
 
Symantec LiveUpdate "glitch"

FYI...

- http://www.theregister.co.uk/2008/02/20/symantec_enpoint_security_error_bug/
20 February 2008 - "Symantec is working to patch a bug that generates errors in corporate security protection updates. Workarounds enabling virus signature definition updates to Symantec Endpoint Protection are available, but a more comprehensive fix is still in testing. The glitch in Symantec's LiveUpdate package has left sysadmins managing Symantec Endpoint Protection coping with "broken" clients... Symantec has published an advisory* detailing workarounds. Posts on Symantec forums indicate that the problem first reared its head on 11 February... looks like every Symantec customer worldwide has been affected by the issue..."
* http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008021213593948
Last Modified: 02/15/2008

:lip:
-----------

- http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008021213593948
Last Modified: 02/20/2008 - "...Solution:
Symantec has released a new Decomposer to the LiveUpdate Servers to resolve this issue. If you used this previous stated workaround, please re-check the Decomposer signatures and select "Use latest available"..."

 
People-driven security...

FYI...

- http://preview.tinyurl.com/ytx4dc
02/20/08 (NetworkWorld) - "People-driven security, an approach that pools the judgments of individual participants to identify new threats, is gathering momentum, with uses popping up in everything from antimalware and spam blocking to site filtering. OpenDNS's Domain Tagging, introduced in February, is the latest example of this kind of strength in numbers. The free Web-filtering service allows subscribers to block sites in their choice of categories... "The good guys need to out-share the bad guys to help counter them," says Johannes Ullrich, chief research officer at the Internet Storm Center (ISC)... Together, people-powered tools and sites work to build genuine security that benefits the entire online community."

:spider::cool::spider:
 
FYI...

Netscape multiple Vulns - update available
- http://secunia.com/advisories/29049/
Release Date: 2008-02-21
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Netscape 9.x
...can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, conduct spoofing attacks, or to compromise a user's system.
Solution: Update to version 9.0.0.6:
http://browser.netscape.com/downloads
"Official support for all Netscape client products will end on March 1st, 2008..."
http://blog.netscape.com/2007/12/28/end-of-support-for-netscape-web-browsers
 
Wall St. reports increase in PC intrusions in '07

FYI...

- http://blog.washingtonpost.com/securityfix/2008/02/wall_street_reports_higher_pc_1.html
February 22, 2008 - "...In the first half of 2007, companies involved in managing securities and futures trades reported a 47 percent increase in the number of fraudulent or suspicious transactions attributed to computer break-ins, according to data released last month by the Financial Crimes Enforcement Network (FinCEN). Financial institutions are required to file suspicious activity reports (SARs) when a suspected fraudulent or illegal transfer of funds exceeds $5,000. According to FinCEN, trading institutions filed more computer intrusion-related securities fraud reports in the first half of 2007 than they reported in all of 2006... The report doesn't provide any guesses as to what factors might be responsible for those notable increases. But here's my take: Cyber crooks are going after and compromising online stock trading accounts just as they are online banking accounts*..."
* http://blog.washingtonpost.com/securityfix/2008/02/banks_losses_from_computer_int.html
02/20/2008

:fear::fear:
 