Old Alerts

DNS cache poisoning - China Netcom

FYI...

- http://securitylabs.websense.com/content/Alerts/3163.aspx
08.19.2008 - "Websense... has detected that the DNS cache on the default DNS server used by the customers of China Netcom (CNC) has been poisoned. When China Netcom customers mistype and enter an invalid domain name, the poisoned DNS server directs the visitor's browser to a page that contains malicious code. China Netcom is among the top ISPs in that country.
When users mistype a domain name, they are sometimes directed by their ISPs to a placeholder Web site with generic advertisements. This is typically an additional revenue source for the ISP. In the case of CNC, customers of this prominent ISP are directed to a Web site under the control of an attacker. These malicious sites contain an iframe with malicious code that attempts to exploit, among other applications and plug-ins, the Microsoft Snapshot Viewer vulnerability... The malicious iframe points to a server in China hosting exploits for RealPlayer, MS06-014, MS Snapshot Viewer and Adobe Flash player..."

(Screenshots available at the URL above.)

:fear::fear:
 
RedHat - Fedora servers compromised

FYI...

- http://isc.sans.org/diary.html?storyid=4919
Last Updated: 2008-08-22 14:51:00 UTC - "A RedHat list post* acknowledges that last week "some Fedora servers were illegally accessed. The intrusion into the servers was quickly discovered, and the servers were taken offline. Security specialists and administrators have been working since then to analyze the intrusion and the extent of the compromise as well as reinstall Fedora systems".
* https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html

===

- http://isc.sans.org/diary.html?storyid=4921
Last Updated: 2008-08-22 15:45:39 UTC ...(Version: 2) - "...RedHat has released "shell script* which lists the affected packages and can verify that none of them are installed on a system".
* http://www.redhat.com/security/data/openssh-blacklist.html

:fear::fear:
 
Attacks against Linux-based systems - compromised SSH keys

FYI...

- http://isc.sans.org/diary.html?storyid=4937
Last Updated: 2008-08-26 21:52:26 UTC - "...Sources of compromised keys could include the weak key vulnerability in Debian-based systems a few months ago, so if you haven't updated and replaced those keys, you ought to do so now. The biggest defense is to have any keys, especially those used to authenticate to remote machines and certainly internet facing ones, require a passphrase to use. Check your logs, especially if you use SSH key-based auth, to identify accesses from remote machines that have no business accessing you. If you have IPs, that would be good. To detect if you have Phalanx2, look for /etc/khubd.p2/ (access by cd, not ls) or any directory that is called "khubd.p2". /dev/shm/ may contain files from the attack as well. Tripwire, AIDE and friends should also be able to detect filesystem changes."

- http://www.us-cert.gov/current/#ssh_key_based_attacks
August 26, 2008 - "US-CERT is aware of active attacks against linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as "phalanx2" is installed.
Phalanx2 appears to be a derivative of an older rootkit named "phalanx". Phalanx2 and the support scripts within the rootkit, are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site. Detection of phalanx2 as used in this attack may be performed as follows:
* "ls" does not show a directory "/etc/khubd.p2/", but it can be entered with "cd /etc/khubd.p2".
* "/dev/shm/" may contain files from the attack.
* Any directory named "khubd.p2" is hidden from "ls", but may be entered by using "cd".
* Changes in the configuration of the rootkit might change the attack indicators listed above. Other detection methods may include searching for hidden processes and checking the reference count in "/etc" against the number of directories shown by "ls".

US-CERT encourages administrators to perform the following actions to help mitigate the risks:
* Proactively identify and examine systems where SSH keys are used as part of automated processes. These keys will typically not have passphrases or passwords.
* Encourage users to use the keys with passphrase or passwords to reduce the risk if a key is compromised.
* Review access paths to internet facing systems and ensure that systems are fully patched.

If a compromise is confirmed, US-CERT recommends the following actions:
* Disable key-based SSH authentication on the affected systems, where possible.
* Perform an audit of all SSH keys on the affected systems.
* Notify all key owners of the potential compromise of their keys.
US-CERT will provide additional information as it becomes available."

:fear::mad::fear:
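The US-CERT and ISC detection and mitigation steps above can be scripted for a defender's sweep. The following is an added example, not code from US-CERT, ISC or any referenced project: it implements the "reachable by cd but absent from ls" probe, the /etc link-count comparison, and a scan for private keys that carry no passphrase (the keys the advisory says automated processes typically use). The directory names, the sample key files and the temporary fixture are constructed here; the link-count check only applies on filesystems that maintain directory link counts, and the key check reads only the headers of each key file.

```python
import base64
import os
import stat
import struct
import tempfile


def hidden_subdir_estimate(nlink, listed_subdirs):
    """How many subdirectories a listing appears not to show.
    On filesystems that keep directory link counts (ext4, xfs, tmpfs) st_nlink is
    2 (own entry plus '.') plus one '..' link per immediate subdirectory, so a
    count above 2 + listed subdirectories means the listing is short. Filesystems
    that report st_nlink == 1 for directories (btrfs, overlay mounts) carry no
    information here, so None is returned for them."""
    if nlink < 2:
        return None
    return nlink - (2 + listed_subdirs)


def count_listed_subdirs(directory):
    """Count immediate subdirectories as a listing shows them (symlinks excluded)."""
    paths = (os.path.join(directory, name) for name in os.listdir(directory))
    return sum(1 for p in paths if os.path.isdir(p) and not os.path.islink(p))


def check_directory_link_count(directory):
    """The advisory's /etc reference-count check, applied to any directory."""
    return hidden_subdir_estimate(os.stat(directory).st_nlink, count_listed_subdirs(directory))


def probe_hidden_dir(parent, name):
    """'hidden' if the directory is reachable by path (as 'cd' does) but missing from
    the parent's listing (as 'ls' shows); 'listed' if visible; 'absent' otherwise."""
    path = os.path.join(parent, name)
    try:
        if not stat.S_ISDIR(os.stat(path).st_mode):
            return "absent"
    except FileNotFoundError:
        return "absent"
    return "listed" if name in os.listdir(parent) else "hidden"


def private_key_is_unencrypted(key_text):
    """True when a private key file carries no passphrase. Classic PEM keys signal
    encryption with a 'Proc-Type: 4,ENCRYPTED' header, PKCS#8 keys with the
    'ENCRYPTED PRIVATE KEY' label, openssh-key-v1 keys by a cipher name other
    than 'none' at the start of the decoded blob."""
    lines = [line.strip() for line in key_text.strip().splitlines()]
    if "ENCRYPTED PRIVATE KEY" in lines[0]:
        return False
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        (n,) = struct.unpack("!I", blob[len(magic):len(magic) + 4])
        return blob[len(magic) + 4:len(magic) + 4 + n] == b"none"
    return not any(line.startswith("Proc-Type:") and "ENCRYPTED" in line for line in lines)


def find_unencrypted_keys(directory):
    """Walk a tree and return the private key files that have no passphrase."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, encoding="ascii") as fh:
                    head = fh.read(64)
                    if head.startswith("-----BEGIN") and "PRIVATE KEY" in head:
                        fh.seek(0)
                        if private_key_is_unencrypted(fh.read()):
                            found.append(path)
            except (OSError, UnicodeDecodeError, ValueError):
                continue
    return sorted(found)


def _openssh_key(cipher):
    # Constructed openssh-key-v1 header only (cipher, kdf, kdfoptions, nkeys):
    # enough for the check above, not a usable key.
    body = b"openssh-key-v1\x00" + struct.pack("!I", len(cipher)) + cipher
    body += struct.pack("!I", 4) + b"none" + struct.pack("!I", 0) + struct.pack("!I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


DUMMY_BODY = "Q29uc3RydWN0ZWQgZHVtbXkgYm9keSwgbm90IGEgcmVhbCBrZXk=\n"  # constructed, not key material
SAMPLE_OPENSSH_NO_PASSPHRASE = _openssh_key(b"none")
SAMPLE_OPENSSH_WITH_PASSPHRASE = _openssh_key(b"aes256-ctr")
SAMPLE_PEM_NO_PASSPHRASE = "-----BEGIN RSA PRIVATE KEY-----\n" + DUMMY_BODY + "-----END RSA PRIVATE KEY-----\n"
SAMPLE_PEM_WITH_PASSPHRASE = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                              "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                              + DUMMY_BODY + "-----END RSA PRIVATE KEY-----\n")


def build_fixture():
    """Constructed temporary tree: two subdirectories (one named khubd.p2) and the
    four sample key files, so the checks can be exercised without touching /etc."""
    root = tempfile.mkdtemp(prefix="phalanx2-demo-")
    for sub in ("khubd.p2", "sub"):
        os.mkdir(os.path.join(root, sub))
    samples = {"id_rsa_plain": SAMPLE_PEM_NO_PASSPHRASE, "id_rsa_enc": SAMPLE_PEM_WITH_PASSPHRASE,
               "id_ed_plain": SAMPLE_OPENSSH_NO_PASSPHRASE, "id_ed_enc": SAMPLE_OPENSSH_WITH_PASSPHRASE}
    for name, text in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    print("/etc hidden-subdirectory estimate:", check_directory_link_count("/etc"))
    print("/etc/khubd.p2:", probe_hidden_dir("/etc", "khubd.p2"))
    print("keys without passphrase under ~/.ssh:", find_unencrypted_keys(os.path.expanduser("~/.ssh")))
```

A non-zero estimate from the link-count check or a "hidden" probe result is a reason to examine the host from trusted media, not a verdict on its own; as the advisory notes, a rootkit's configuration can change the indicators, so the file-integrity tools it names (Tripwire, AIDE) remain the more general check.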
 
Symantec - Firefox issues...

FYI...

- http://preview.tinyurl.com/5e65le
September 5, 2008 (Computerworld) - "...Symantec urged users* of Norton Internet Security 2008 to first update to Version 15.5, which in turn would allow them to download and install a Firefox 3.0 compatibility update. A separate Firefox 3.0 compatibility patch is available for Norton 360**. Both patches can be obtained by launching Symantec's Live Update feature from within the security applications. This wouldn't be the first time that Symantec's Norton software has created problems for other vendors..."

* http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=3365

** http://community.norton.com/norton/board/message?board.id=Norton_360&thread.id=1475

:thud: :sad:
 
Vista 'BSOD' caused by iTunes...

FYI...

Vista 'BSOD' caused by iTunes 8.0
- http://preview.tinyurl.com/4xaol6
September 11, 2008 (Computerworld) - "Apple Inc.'s latest version of iTunes crashes Windows Vista when an iPod or iPhone is connected to the PC, scores of users have reported on Apple's support forum..."


:fear:
 
Cisco - multiple alerts...

FYI...

Cisco - multiple alerts
- http://www.us-cert.gov/current/#cisco_releases_security_alerts
September 24, 2008 - "Cisco has released multiple security alerts to address vulnerabilities in the Unified Communications Manager and IOS. These vulnerabilities may allow a remote unauthenticated attacker to cause a denial-of-service condition, obtain sensitive information, or operate with escalated privileges..."

Direct links available here:
- http://www.cisco.com/en/US/products/products_security_advisories_listing.html
(See those dtd. 24-Sept-2008)

Cisco IOS multiple vulnerabilities
- http://secunia.com/advisories/31990/
Release Date: 2008-09-25
Critical: Moderately critical

ISC analysis
- http://isc.sans.org/diary.html?storyid=5078
Last Updated: 2008-09-26 03:16:41 UTC

:fear:
 
PDF Xploit in the wild...

FYI...

- http://www.us-cert.gov/current/#adobe_pdf_exploit_toolkits_circulating
September 25, 2008 - "US-CERT is aware of public reports* of improved attack toolkits for exploiting vulnerabilities in PDF reader software..."

* http://www.trustedsource.org/blog/153/Rise-Of-The-PDF-Exploits
September 22, 2008 - "...Secure Computing... spotted a new and yet unknown exploit toolkit which exclusively targets Adobe’s PDF format. This toolkit is dubbed the “PDF Xploit Pack”... This new toolkit targets only PDFs, no other exploits are used to leverage vulnerabilities. Typical functions like caching the already infected users are deployed by this toolkit on the server-side. Whenever a malicious PDF exploit is successfully delivered, the victim’s IP address is remembered for a certain period of time. During this “ban time” the exploit is not delivered to that IP again, which is another burden for incident handling. Other existing toolkits have also been enhanced with PDF exploits lately..."

** http://www.trustedsource.org/blog/118/Recent-Adobe-Reader-vulnerability-exploited-in-the-wild
"...users should make sure to upgrade to Adobe Reader 8.1.2*** as soon as possible..."
*** http://www.adobe.com/support/security/#readerwin

:fear:
 
Phisherman's special: Bank Failures, Mergers, and Takeovers

FYI...

- http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt089.shtm
October 2008 - "If the recent changes in the financial marketplace have you confused, you’re not alone. The financial institution where you did business last week may have a new name today, and your checks and statements may come with a new look tomorrow. A new lender may have acquired your mortgage, and you could be mailing your payments to a new servicer. Procedures for the banking you do online also may have changed. According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, the upheaval in the financial marketplace may spur scam artists to phish for your personal information.
Phishers may send attention-getting emails that look like they’re coming from the financial institution that recently acquired your bank, savings and loan, or mortgage. Their intent is to collect or capture your personal information, like your credit card numbers, bank account information, Social Security number, passwords, or other sensitive information. Their messages may ask you to “update,” “validate,” or “confirm” your account information..."

(More detail at the URL above.)

:fear::fear:
 
Adobe Reader vuln - exploit in the wild

FYI... http://isc.sans.org/diary.html?storyid=5312
Last Updated: 2008-11-07 15:54:09 UTC - "...at the time of writing this article, according to VirusTotal 0 (yes – ZERO) AV products detected this malicious PDF. Very, very bad. The payload is in a JavaScript object embedded in the PDF document... if you haven't patched your Adobe Reader installations – do it ASAP as the attacks are in the wild."
---

Security Update available for Adobe Reader 8 and Acrobat 8
- http://www.adobe.com/support/security/bulletins/apsb08-19.html
Release date: November 4, 2008
Vulnerability identifier: APSB08-19 ...
Platform: All Platforms
Summary:
Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.2 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe Reader 9 and Acrobat 9 are -not- vulnerable to these issues.
Adobe recommends users of Acrobat 8 and Adobe Reader 8 who can’t update to Adobe Reader 9 install the 8.1.3 update to protect themselves from potential vulnerabilities...

Adobe Reader:
> Adobe recommends Adobe Reader users update to Adobe Reader 9, available here:
http://www.adobe.com/go/getreader [AdbeRdr90_en_US.exe]
> Users with Adobe Reader 8.0 through 8.1.2, who can’t update to Adobe Reader 9, should update to Adobe Reader 8.1.3:
http://www.adobe.com/products/acrobat/readstep2_allversions.html [AdbeRdr813_en_US.exe] ..."

- http://secunia.com/advisories/29773
Last Update: 2008-11-05
Critical: Highly critical
Impact: Privilege escalation, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Acrobat 3D 8.x, Adobe Acrobat 8 Professional, Adobe Acrobat 8.x, Adobe Reader 8.x
Solution: Upgrade to version 9 or update to version 8.1.3...

:fear::fear:

---
If you were thinking of replacing your Adobe Reader with Foxit, -now- would be the time...

Adobe Reader v9... 33.5MB
- http://www.adobe.com/go/getreader
-OR-
- http://www.foxitsoftware.com/downloads/
Latest version: Foxit Reader 2.3 (.exe) 2.3 Build 3309 - 2.57 MB - 10/14/08

- http://asert.arbornetworks.com/2008/11/pdf-exploit-in-the-wild-and-how-to-decode/
November 7th, 2008 - "...We keep seeing Acrobat get hosed with JS exploits, this won't be the last time."

:wink:
 
More PDF exploits...


- http://blog.trendmicro.com/adobe-reader-vulnerability-actively-being-exploited/
Nov. 11, 2008 - "Several active exploits targeting a vulnerability in Adobe Reader are now in the wild... Users with unpatched Adobe Reader software may be infected when they unknowingly access a certain remote website or are redirected there from malicious banners and ads. Upon execution, TROJ_PIDIEF.CB could crash Reader and then allow a malicious user to take control of an affected system. This compromises system security and exposes it to more threats as malicious users could easily dump adware and malicious programs..."

:fear::spider:
 
FYI...

Adobe Reader v9 users w/AIR v1.1 installed
- http://isc.sans.org/diary.html?storyid=5363
Last Updated: 2008-11-17 22:21:15 UTC - "...Adobe has released a bulletin and update to Adobe AIR* that they classify as critical. It fixes some of the same vulnerabilities announced earlier in Flash player. Time to update if you are using AIR..."
* http://www.adobe.com/support/security/bulletins/apsb08-23.html

> http://get.adobe.com/air/
Adobe AIR v1.5 Installer
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5108

- http://secunia.com/advisories/32772/
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

:fear:
 
WPA hack and AES...

FYI...

How to Protect Your Wi-Fi Network from the WPA Hack
- http://lifehacker.com/5079721/how-to-protect-your-wi+fi-network-from-the-wpa-hack
Nov 7 2008 - "WEP Wi-Fi security has been known as an easy-to-crack security protocol for a while now, which is why it was superseded by the more secure Wi-Fi Protected Access (WPA) standard. But now a PhD candidate studying encryption has found an exploit in the WPA standard that would allow a hacker to "send bogus data to an unsuspecting WiFi client," completely compromising your Wi-Fi security and opening your network to all sorts of hacking. Lucky for you, it's not terribly difficult to protect yourself against the new exploit.
The key: Just log into your router, switch off Temporal Key Integrity Protocol (TKIP) as an encryption mode, and use Advanced Encryption System (AES) only. TKIP is the only protocol that the hack applies to, so switching to AES-only will ensure that your Wi-Fi network is safe again. It's quick and easy, so do yourself a favor and make the adjustment now so you don't run into any problems in the future."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5230
Last revised: 11/26/2008

:fear:
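The article's advice is aimed at consumer router menus; the same change on a Linux access point running hostapd is shown below as an added example (not from the Lifehacker article or the hostapd project). The interface name, SSID and passphrase are placeholders. The first fragment is the weak setting, where TKIP is still offered to WPA and WPA2 clients; the second keeps WPA2 with CCMP (AES) only, which is what the article means by "AES only".

```ini
# hostapd.conf fragment, WEAK: mixed WPA/WPA2 with TKIP still negotiable
interface=wlan0
ssid=ExampleNet
# placeholder passphrase
wpa_passphrase=CHANGE-ME
# wpa=3 enables both WPA (TKIP) and WPA2
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
# WPA2 clients may still pick TKIP from this list
rsn_pairwise=TKIP CCMP

# hostapd.conf fragment, CORRECTED: WPA2 only, CCMP (AES) only
interface=wlan0
ssid=ExampleNet
wpa_passphrase=CHANGE-ME
# wpa=2 disables the WPA/TKIP fallback entirely
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
```

After the change, any client that only supports TKIP will no longer associate, which is the intended effect; the pairwise cipher in use can be confirmed from the client side (for example in the association details a wireless client utility reports) rather than assumed from the router's menu label.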
 
Malware in Lenovo

FYI...

- http://www.viruslist.com/en/weblog?weblogid=208187605
November 21, 2008 - "Some of you might have seen the blogpost* that our colleague Ryan Naraine has put at ZDNET about malware being distributed along with a pack of Lenovo Thinkpad drivers. Here are some more details on that story. Working together with fellow researchers in Microsoft we discovered an URL that pointed to a file on IBM’s ftp site that looked like a false positive, so we sent them a ‘heads up’ message. Careful analysis of the file, which was named ‘q3tsk04us13.exe’ (Lenovo Trust Key Software for WinXP) showed that the file in question did indeed contain a virus named Virus.Win32.Drowor.a. Luckily, the virus was broken and it didn’t work. Naturally, we've notified IBM immediately – and IBM took the file offline... We’d like to salute IBM's prompt response and to thank our friends at MS for their initial analysis."
(Screenshot available at the URL above.)

* http://blogs.zdnet.com/security/?p=2203

:fear:
 
CheckFree domains hijacked

FYI...

- http://www.theregister.co.uk/2008/12/03/checkfree_hijacked/
3 December 2008 - "Online payment service CheckFree lost control of at least two of its domains on Tuesday in an attack that sent customers to servers run by a notorious crime gang believed to be based in Eastern Europe... Security experts say the 91.203.92.63 IP address has long served as a conduit for online crime. Spamhaus offers this laundry list* of alleged dirty deeds that includes running botnet command channels and various drive-by download sites. According to security researcher Paul Ferguson of anti-virus software provider Trend Micro, the IP address was recently observed handing off booby-trapped PDF files that infected those unfortunate enough to open them... It's unclear how long checkfree .com and mycheckfree .com were redirected to the rogue servers or whether customers have been warned they may have been compromised... It's also unclear how the culprits managed to hijack the domains. While security experts say DNS poisoning wasn't out of the question, the more likely explanation is malicious transfer of the domains through their registrar..."
* http://www.spamhaus.org/sbl/listings.lasso?isp=uatelecom.co.ua

Follow-up...
- http://voices.washingtonpost.com/securityfix/2008/12/hackers_hijacked_large_e-bill.html
December 3, 2008 - "... CheckFree regained control over its site by 5 a.m. on Dec. 2... It appears hackers were able to hijack the company's Web sites by stealing the user name and password needed to make account changes at the Web site of Network Solutions, CheckFree's domain registrar... a spokeswoman for the Herndon, Va., based registrar, said that at around 12:30 a.m. Dec. 2, someone logged in using the company's credentials and changed the address of CheckFree's authoritative domain name system (DNS) servers to point CheckFree site visitors to the Internet address in the Ukraine..."

:fear::mad::fear:
 
Rogue DHCP servers / Rogue "Flash Player" updates

FYI...

- http://isc.sans.org/diary.html?storyid=5434
Last Updated: 2008-12-05 00:29:47 UTC - "Fellow researchers from Symantec posted technical details about an interesting variant of a well known DNSChanger malware. The analysis is available at http://www.symantec.com/security_response/writeup.jsp?docid=2008-120318-5914-99&tabid=1
The DNSChanger malware has been in the wild for quite some time and already drew our attention previously when authors started attacking popular ADSL modems. As the name says, the malware changed DNS server settings, typically to servers in the "popular" 85.255 network. We published several diaries about this malware, the most recent one... is available at http://isc.sans.org/diary.html?storyid=5390 . The evolution went from changing local DNS servers in the operating system (for both Windows and Mac!) to changing DNS server settings in ADSL modems/routers/cable modems. The malware described by Symantec goes a step further – it installs a rogue DHCP server on the network... we can confirm that this malware is in the wild. What does it do? The malware installs a legitimate driver, NDISProt which allows it to send and receive raw Ethernet frames. Once the driver is installed, the malware "simulates" a DHCP server. It starts monitoring network traffic and when it sees a DHCP discover packet it replies with its own DHCP Offer packet. As you can guess, the offered DHCP lease will contain malicious DNS servers... While not too sophisticated, the whole attack is very interesting. First, it's about a race between the rogue DHCP server and the legitimate one. Second, once a machine has been poisoned it is impossible to detect how it actually got poisoned in the first place – you will have to analyze network traffic to see the MAC address of those DHCP Offer packets to find out where the infected machine actually is. As we wrote numerous times before, it's probably wise to at least monitor traffic to 85.255.112.0 – 85.255.127.255, if not block it."
Also see: https://forums.symantec.com/syment/blog/article?blog.id=emerging&thread.id=118
12-04-2008

- http://isc.sans.org/diary.html?storyid=5437
Last Updated: 2008-12-05 00:30:36 UTC - "...a new wave of rogue "Flash Player" updates is making the rounds. This latest version is pretty artfully done - the pages hosting this malware actually do contain a real flash movie that is not malicious and plays in a Youtube-like embedded frame. After the movie has been running for a couple seconds though, a pop-up opens that indicates that a "Flash Player Update is available". It all looks credible enough, like one of those usual auto-update pop-ups, but if you click OK, you get an EXE which isn't really a Flash player update of course. So far, the URLs where the malware is coming from all seem to have in common that port 7777 is used. This is rare enough that trolling through your proxy logs for any of your users going to a URL containing :7777/dt might give you a better indication than your anti-virus. Because AV coverage (VirusTotal*) is only slowly improving."
* http://www.virustotal.com/analisis/17fa41ce1d124a653141a7469f9d0e5a

:fear::mad::fear::mad:
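The ISC diary's point is that a poisoned host cannot tell how it was poisoned; only the DHCP Offer packets on the wire, and their source MAC address, locate the infected machine. The following added example (not code from ISC or Symantec) parses raw Ethernet frames, keeps only server-to-client DHCP Offers, extracts the offered DNS servers (option 6) and the sender MAC, and flags offers whose DNS servers fall in the 85.255.112.0 - 85.255.127.255 range the diary names or whose MAC is not a known DHCP server. The frames are constructed inline with a small builder (checksums left at zero); on a real network the same parser would be fed frames captured on the segment.

```python
import ipaddress
import struct

# Range the ISC diary says to monitor or block (85.255.112.0 - 85.255.127.255).
ROGUE_DNS_RANGE = ipaddress.ip_network("85.255.112.0/20")
DHCP_COOKIE = b"\x63\x82\x53\x63"


def build_offer_frame(server_mac, server_ip, client_ip, dns_servers):
    """Minimal Ethernet/IPv4/UDP DHCP Offer (constructed test data; IP and UDP
    checksums are left at zero and the parser below does not verify them)."""
    opts = b"\x35\x01\x02"                                         # option 53: DHCPOFFER
    opts += b"\x36\x04" + ipaddress.IPv4Address(server_ip).packed  # option 54: server identifier
    dns = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    opts += bytes([6, len(dns)]) + dns                             # option 6: DNS servers
    opts += b"\xff"                                                # end
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326, 0, 0,
                        b"\0" * 4, ipaddress.IPv4Address(client_ip).packed,
                        ipaddress.IPv4Address(server_ip).packed, b"\0" * 4,
                        b"\0" * 16, b"\0" * 64, b"\0" * 128)
    payload = bootp + DHCP_COOKIE + opts
    udp = struct.pack("!HHHH", 67, 68, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(server_ip).packed,
                     ipaddress.IPv4Address(client_ip).packed) + udp
    return b"\xff" * 6 + bytes.fromhex(server_mac.replace(":", "")) + b"\x08\x00" + ip


def parse_dhcp_offer(frame):
    """Return sender MAC, server identifier, offered address and DNS list for a
    server-to-client DHCP Offer, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":            # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:                                        # not UDP
        return None
    udp = 14 + ihl
    if struct.unpack("!HH", frame[udp:udp + 4]) != (67, 68):       # server -> client only
        return None
    bootp = frame[udp + 8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_COOKIE:
        return None
    options, i = {}, 240
    while i < len(bootp):
        code = bootp[i]
        if code == 0:                                              # pad
            i += 1
            continue
        if code == 255:                                            # end
            break
        length = bootp[i + 1]
        options[code] = bootp[i + 2:i + 2 + length]
        i += 2 + length
    if options.get(53) != b"\x02":                                 # message type must be Offer
        return None
    raw = options.get(6, b"")
    dns = [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]
    server_id = options.get(54)
    return {
        "server_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "server_id": str(ipaddress.IPv4Address(server_id)) if len(server_id or b"") == 4 else None,
        "offered_ip": str(ipaddress.IPv4Address(bootp[16:20])),
        "dns_servers": dns,
        "suspicious": any(ipaddress.IPv4Address(d) in ROGUE_DNS_RANGE for d in dns),
    }


def find_rogue_offers(frames, trusted_server_macs=()):
    """Offers whose DNS servers fall in the rogue range, or whose sender MAC is not a
    known DHCP server when a trusted set is given; the MAC locates the infected host."""
    hits = []
    for frame in frames:
        offer = parse_dhcp_offer(frame)
        if offer is None:
            continue
        if offer["suspicious"] or (trusted_server_macs and offer["server_mac"] not in trusted_server_macs):
            hits.append(offer)
    return hits


# Constructed sample capture: one legitimate offer, one from an infected host.
SAMPLE_FRAMES = [
    build_offer_frame("00:0c:29:11:22:33", "192.168.1.1", "192.168.1.77", ["192.168.1.1"]),
    build_offer_frame("00:1d:7d:aa:bb:cc", "192.168.1.50", "192.168.1.77", ["85.255.112.1", "85.255.120.9"]),
]

if __name__ == "__main__":
    for hit in find_rogue_offers(SAMPLE_FRAMES, trusted_server_macs={"00:0c:29:11:22:33"}):
        print(f"rogue DHCP offer from {hit['server_mac']}: DNS {hit['dns_servers']}")
```

Because the attack is a race between the rogue and the legitimate server, a single capture may show only one of the two offers; comparing the sender MAC against the known DHCP servers catches the rogue even when it hands out DNS servers outside the listed range.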
 
Most abused Infection Vector

FYI...

- http://blog.trendmicro.com/most-abused-infection-vector/
Dec. 7, 2008 - "We gathered malware data from January to November 2008 to give us an idea of just how dangerous surfing the Internet is. We analyzed the arrival methods of the top 100 malware infecting the most number of systems for the said period... a majority of the top 100 malware that was most prevalent during this year arrived by surfing malicious or unknown sites. A sad confirmation that despite all awareness campaigns for safe computing, users still tend to victimize themselves out of curiosity."

Coverage: Malware Analyzed by Trend Micro Researchers
Date Range: January 1, 2008 to November 25, 2008

(Charts available at the URL above.)


:fear:
 
21 million German bank accounts stolen...

FYI...

- http://www.theregister.co.uk/2008/12/09/stolen_german_bank_accounts_for_sale/
9 December 2008 - "Identity thieves who claim they stole details of 21 million German bank accounts are offering to sell the data on the black market for €12 million (US $15.3 million), a German magazine reported over the weekend. To prove they weren't bluffing, the crooks produced the compact disc containing the names, addresses, phone numbers, birthdays, account numbers, and bank routing numbers of 1.2 million accounts. Two investigative reporters for WirtschaftsWoche* say they obtained the CD during a face-to-face meeting at a hotel in Hamburg with two individuals involved with the theft. The journalists were posing as interested buyers working for a gambling operation. "We took away with us the first delivery, a CD with 1.2 million accounts, that we couldn't imagine," said one of the editors overseeing the investigation. "In the worst case, three out of four German households would have to be afraid that some money could be taken from their checking account without their authorisation, and perhaps even without their realising it," the magazine stated. The information was most likely collected from call center employees, the magazine said. It's Germany's second mega heist of personal information in as many months. In October, T-Mobile admitted losing records belonging to 17 million customers that included their names, addresses, dates of birth, phone numbers, and email addresses..."
* http://preview.tinyurl.com/6drwpg
(Untranslated - in German)

:fear::mad::sad::devil:
 
Trojan in pirated Apple iWork 09

FYI...

- http://www.intego.com/news/ism0901.asp
January 22, 2009 - "Intego has discovered a new Trojan horse, OSX.Trojan.iServices.A, which is currently circulating in copies of Apple’s iWork 09 found on BitTorrent trackers and other sites containing links to pirated software. The versions of iWork 09, Apple’s productivity suite, are complete and functional, but the installer contains an additional package called iWorkServices.pkg... When installing iWork 09, the iWorkServices package is installed. The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer’s request of an administrator password... Intego is issuing this alert to warn Mac users not to download iWork 09 installers from sites offering pirated software. (As of 6 am EST, at least 20,000 people have downloaded this installer.) The risk of infection is serious, and users may face extremely serious consequences if their Macs are accessible to malicious users. Intego VirusBarrier X4 and X5 with virus definitions dated January 22, 2009 or later protect against this Trojan horse. Intego recommends that users never download and install software from untrusted sources or questionable web sites..."

- http://voices.washingtonpost.com/securityfix/2009/01/pirated_iwork_software_infects.html
"Update, 11:16 p.m. ET: ...While the attackers may indeed be targeting other sites, dollarcardmarketing .com remains under a fairly consistent DDoS attack as of this writing..."

:fear:
 
Novell GroupWise updated

FYI...

Novell releases updates for GroupWise
- http://www.us-cert.gov/current/#novell_releases_updates_for_groupwise
January 30, 2009 - "Novell has released updates for GroupWise 7 and 8 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, compromise a GroupWise account, conduct cross-site scripting attacks, or obtain sensitive information. US-CERT encourages users to review the Novell download page* and apply the appropriate patch to help mitigate the risks."
* http://preview.tinyurl.com/4et673

- http://secunia.com/advisories/33744/
Release Date: 2009-02-02
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, DoS, System access
Where: From remote
Solution Status: Vendor Patch...

:fear:
 