ASK Technologies, Inc.
Technical Alerts
.......................................................................
Phishing site spams contacts of Twitter users
from blogs.computerworld.com
May 28, 2009
Twitter users have been tricked into divulging their login and password details to a Web site that then spammed their contacts.
The culprit is a Web site called TwitterCut. Some Twitter users began getting a message that appeared to be from one of their friends and included a link to the TwitterCut Web site. The message implied they could gain more Twitter contacts by following the link. If a person entered their login details, TwitterCut would then send the same message via Twitter to all of the victim's contacts, a kind of phishing attack with worm-like characteristics.
No malicious software is installed on a user's machine.
........................................................................
Adobe promises fixes for latest flaws
from www.infoworld.com
May 4, 2009
Adobe Systems expects to have patches ready to fix the latest flaws in Acrobat and Reader by next week.
"We are in the process of fixing the issue and expect to make available product updates for the relevant supported Adobe Reader and Acrobat versions and platforms by May 12th," wrote David Lenoe, a security program manager, on Adobe's security blog.
The update will fix the problem in versions 7.x, 8.x and 9.x for Reader and Acrobat on Windows, versions 8.x and 9.x of Reader and Acrobat for Macintosh, and Reader versions 8.x and 9.x for Unix. It will repair bug CVE-2009-1492, which concerns Adobe's implementation of JavaScript in Reader and Acrobat.
That flaw could allow a hacker to create a malicious PDF file that could allow execution of other arbitrary code. Attack code was published last week on the SecurityFocus Web site.
Adobe has also identified a second vulnerability in Reader for Unix, CVE-2009-1493. That will also be fixed in the upcoming updates, Lenoe wrote. That flaw doesn't appear to affect Windows or Macintosh, he wrote.
Until the patches come out, people should disable JavaScript in both of the applications. Under the Preferences entry of the Edit menu, JavaScript can be de-selected, which would then stop an attack.
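The article describes the mitigation only as a menu click. The following PowerShell script is an added example, not from the article or from Adobe, that audits (and with -Disable, applies) the same per-user preference for the Reader and Acrobat versions the bulletin lists; the product and version key names, and the bEnableJS value name, are assumptions based on Adobe's HKCU preference layout and should be checked against the installed versions.

```powershell
# Added example (not from the article): audit and optionally disable Acrobat/Reader
# JavaScript for the current user. Assumption: the Edit > Preferences > JavaScript
# checkbox is stored as DWORD bEnableJS under HKCU\Software\Adobe\<product>\<ver>\JSPrefs.
param([switch]$Disable)

$products = @('Acrobat Reader', 'Adobe Acrobat')   # Reader and Acrobat keep separate prefs
$versions = @('7.0', '8.0', '9.0')                  # the 7.x/8.x/9.x lines named in the bulletin

foreach ($product in $products) {
    foreach ($version in $versions) {
        $productKey = "HKCU:\Software\Adobe\$product\$version"
        if (-not (Test-Path $productKey)) { continue }   # not installed for this user

        $jsKey   = Join-Path $productKey 'JSPrefs'
        $current = $null
        if (Test-Path $jsKey) {
            $current = (Get-ItemProperty -Path $jsKey -ErrorAction SilentlyContinue).bEnableJS
        }
        # A missing value means the product default, which is JavaScript enabled
        $state = if ($current -eq 0) { 'disabled' } else { 'ENABLED' }
        Write-Output ("{0} {1}: JavaScript {2}" -f $product, $version, $state)

        if ($Disable -and $current -ne 0) {
            if (-not (Test-Path $jsKey)) { New-Item -Path $jsKey -Force | Out-Null }
            # bEnableJS = 0 is what the preference checkbox writes when unticked
            Set-ItemProperty -Path $jsKey -Name bEnableJS -Value 0 -Type DWord
            Write-Output ("{0} {1}: JavaScript now disabled" -f $product, $version)
        }
    }
}
```

Run it without arguments to see the current state for each installed version; re-enable JavaScript later by setting bEnableJS back to 1 or unticking and re-ticking the preference.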
Adobe has battled bugs in Reader and Acrobat for some time. The vulnerabilities are valuable to hackers since they can create malicious documents to exploit the flaw and gain control over a computer. Since PDF files are widely used, there's a higher chance that a victim can be tricked into opening one and ceding control of their computer.
........................................................................
iBotnet: Researchers find signs of zombie Macs
from blogs.zdnet.com
April 16, 2009
Malware hunters at Symantec have discovered a direct link between a malicious file embedded in pirated copies of Apple’s iWork 09 software and what appears to be the first Mac OS X botnet launching denial-of-service attacks.
Writing in the current issue of Virus Bulletin (subscription required), researchers Mario Ballano Barcena and Alfredo Pesoli found two malware variants — OSX.Iservice and OSX.Iservice.B — using different techniques to obtain the user’s password and take control of the infected Mac machine.
The variants have been found inside bogus copies of iWork ’09 and Adobe Photoshop CS4 which were shared on the popular p2p torrent network. The author of the malware downloaded the original/trial versions of each program and introduced a copy of the malicious binary into the packages. Users who then downloaded and installed the applications from the torrent download would have been infected. It is estimated that thousands of people have downloaded the infected torrent files.
They describe this as the “first real attempt to create a Mac botnet” and note that the zombie Macs are already being used for nefarious purposes.
The researchers pointed to this blog entry that describes a PHP script, running as root, launching attacks against an unknown Web site.
The article goes into detail on the botnet’s peer-to-peer engine, startup and encryption capabilities and configuration file structure, and concludes that the person who wrote the malware is not the same as the person who actually ‘used’ it.
“The code indicates that, wherever possible, the author tried to use the most flexible and extendible approach when creating it – and therefore we would not be surprised to see a new, modified variant in the near future,” the researchers added.
........................................................................
Googling for Conficker clean-up information? Be careful
from ZDNet Alerts
April 1, 2009
If you’re trawling the Web for information on disinfecting the Conficker worm, be very, very careful.
Cyber-criminals are latching onto the hype around the Windows malware threat and have started registering domain names linked to Conficker and poisoning search results to trick users into installing fake anti-virus software programs.
According to this growing list maintained by the Conficker Working Group, at least one of the domains is actively serving malware. F-Secure dug into one of the domains and found a rogueware (fake anti-virus) campaign attempting to bilk users out of $39.95 for non-existent Conficker clean-up.
Yesterday, just hours after the release of enterprise scanning tools to help fingerprint the virulent worm, search results on Google were poisoned to serve malware for queries related to that news. In one instance, the top Google result for “nmap conficker” was serving up a redirect to a drive-by download exploit site.
........................................................................
Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari
from ZDNet Alerts
March 18, 2009
VANCOUVER, BC — It took a while, but Microsoft’s Internet Explorer 8 did not survive the hacker onslaught at this year’s CanSecWest Pwn2Own contest.
A security researcher named “Nils” (he declined to provide his full name) performed a clean drive-by download attack against the world’s most widely used browser to take full control of a Sony Vaio machine running Windows 7.
He won a cash prize and got to keep the hardware. Details of the vulnerability, which was described by contest sponsor TippingPoint ZDI as a “brilliant IE8 bug!”, are being kept under wraps.
Several members of Microsoft’s security response team were on hand to witness the successful exploit.
“Nils” also scored a clean hit against Apple’s Safari (he was the second hacker to exploit Safari) and, later in the afternoon, he exploited a Firefox zero-day flaw to claim the trifecta.
........................................................................
Diebold ATMs infected with credit card skimming malware
from ZDNet Alerts
March 18, 2009
Sophos Principal Virus Researcher Vanja Svajcer posted an analysis of Troj/Skimer-A, a malware affecting Windows-based Diebold cash machines and capable of intercepting credit card details and their associated PINs.
The malware is exclusively coded to target Russian, Ukrainian and American currency transactions, with isolated incidents confirmed by Diebold in January, 2009. What’s particularly interesting about the ATM-based malware is that it requires insider access to the machine, compared to the mainstream external attack in the form of using an ATM skimming device.
“The main executable is a dropper with the drop object stored in one of the PE resources, as is often the case with Trojan droppers. The code stops and modifies the Protected Storage service to launch the dropped file lsass.exe from the Windows folder, not the original one in the Windows System folder, and attempts to replace some files belonging to the software used by ATMs.
The main Trojan executable contains the code to handle the magnetic card reader using undocumented Diebold Agilis 91x functions, inject code into the ATM’s processes, parse transactions in Ukrainian, Russian and US currencies and use the printer, probably for printing the stolen data. I am also fairly sure that some of the instructions to the keyboard for typing PIN numbers are connected with hooks to log the captured PINs.”
Given the potential of infiltrating the assembly line and shipping the machines malware pre-infected, next to tampering with public machines through social engineering, ATM-based malware isn’t going mainstream just yet. How come? Better “alternatives” from a scammer’s perspective.
In October, 2008, Zero Day provided an exclusive overview of what may easily be the future of ATM skimming (external ATM skimmers with built-in SMS notification for secure extraction of stolen data), which ultimately solves two of the ATM skimmer’s biggest problems: securely recovering the obtained data without the risk of getting caught when coming back to obtain the device, and the lack of trust between the scammers orchestrating the attack and the involved insiders who can potentially scam them. On that second point, according to Sophos, Troj/Skimer-A is capable of encrypting the intercepted financial data, a practice aimed to ensure that the insiders who infected the ATM machine wouldn’t scam the rest of the people participating.
Capable of sending 1,856 SMS messages, namely 1,856 transactions, without recharging, this $8,500 device empowers scammers with both anonymity and flexibility, allowing them to build an infrastructure of tampered ATMs across the globe. Of course, their approach isn’t perfect, since financial institutions across the globe are considering adapting to the threat by jamming cell phone communications around ATM machines. Last month, South Korea’s National Police Agency indicated a similar intention following Japan’s ban on cell phones around ATMs.
Whether or not the insider access prerequisite drives scammers away from the malware-infecting approach, external ATM skimming attacks are definitely here to stay.
........................................................................
Spammers break Live Hotmail's CAPTCHA yet again
from infoworld.com
February 17, 2009
The battle by Microsoft to secure its Live Hotmail system from spammers appears to have failed yet again with the news that the latest version of its CAPTCHA authentication system has been broken.
According to a detailed analysis of the latest hack by security company Websense, spammers have come up with a new scheme to fool the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) that takes possible attack scenarios to new levels of sophistication.
The process starts in the same way as did previous CAPTCHA-breaking attacks, using bot-controlled zombie PCs under remote control to fill in the main fields -- name, password, country -- asked for by Hotmail during signup. The CAPTCHA image presented by Hotmail is then uploaded to a remote server for image decoding, before being sent back to the client for the attempt to create the fake account to proceed.
The latest hack comes only months after Microsoft had previously altered CAPTCHA to beat similar attacks, having suffered more than one "break" in 2008.
Websense's analysis of the hack suggests that this process will be successful once in every 5 to 8 attempts, or between 12 and 20 percent of the time, more than enough given the possible volume of account creation to offer the spammers a healthy return. The CAPTCHA image analysis itself is said to take only 20 to 25 seconds per attempt, per machine.
CAPTCHA matters to Microsoft because it is supposed to stop spammers creating large numbers of fake accounts to use as spam relays, taking advantage of the fact that the Hotmail domain is treated as a trusted source by anti-spam gateways and filtering services. Exploiting such trusted domain status simply increases the chances of a particular piece of spam getting past these barriers.
An innovative feature of the latest attack is that communication between the zombie PC and the remote host takes place using an encrypted channel, which makes detection or blocking of such traffic that much more difficult.
Microsoft's main weapon in the fight against Hotmail abuse is its ability to keep changing the image algorithm used to create the CAPTCHA images, buying time against abuse. Equally, the spammers appear able to catch up some time later by changing the decoding algorithms used by their software.
"As we've seen from previous patterns, spammers just attack whatever system is in place. They are financially motivated to get hold of details, and will increase the sophistication of attacks, in a persistent cycle," said Carl Leonard, Websense's European threat research manager.
The underlying change has been the rapid spread of automated tools for breaking CAPTCHA across a range of service providers, including Google and Yahoo. The same hacks are used to break CAPTCHAs protecting blogging accounts, creating a surge in fake Web sites running in parallel to fake e-mail accounts. A range of suggestions have been put forward as replacements to the flawed system, including the use of 3-D images that might be beyond current image-decoding technology.
........................................................................
Microsoft plans critical patches for IE, Exchange
from infoworld.com
February 6, 2009
Microsoft Thursday said it will deliver four security updates on Tuesday, two of them pegged "critical," and will finally issue a patch for SQL Server that it's been working on since last April.
The four updates detailed in the advance notice published Thursday will quash bugs in Internet Explorer 7 (IE7); its Exchange mail server software; the Visio application that's part of the Office lineup; and SQL Server. The IE and Exchange vulnerabilities will be labeled "critical," the company's highest threat ranking, while the SQL Server and Visio bugs will be marked as "important," one step lower.
The SQL Server update will fix the vulnerability Microsoft acknowledged in late December 2008, said Andrew Storms, director of security operations at nCircle Network Security Inc. "I did a lineup between the advisory with the affected versions of SQL Server," he said Thursday morning. "It's almost a one-for-one match."
That bug is notable for several reasons. When Microsoft confirmed the vulnerability in a Dec. 22 advisory, it noted that exploit code had been published. Several days later, the company admitted that it first received a report on the bug from Bernhard Mueller of SEC Consult Security, a Vienna-based security consulting company, in April 2008.
Some security analysts had expected Microsoft to act faster. In late December, for example, Wolfgang Kandek, chief technology officer at security company Qualys, predicted that Microsoft would deliver a fix "out of band," a term used when patches are issued outside Microsoft's normal once-a-month schedule.
"Three of these are all equally important, at least with the information we have today," Storms said about the IE, Exchange and SQL Server patches. "It all depends on an enterprise's infrastructure."
Companies are always sensitive to Exchange fixes, Storms continued, so the critical fix set for Exchange Server 2000, 2003 and 2007 will be parsed carefully. "Messaging is so important to the enterprise," Storms said, "that they'll want to spend a little extra time making sure the patch works." One plus, he said, is a "Does not require restart" note by Microsoft in Thursday's bulletin.
"That could mean it's not necessarily a giant hole, or that we're just going to get lucky," said Storms. Because they won't have to restart their Exchange servers, IT administrators should be able to deploy the patch more quickly, he said.
"The IE vulnerability has to be something unique to IE7," wagered Storms. According to Microsoft, the critical vulnerability affects only that version of the browser, not IE6 or IE5.01, the latter edition specific to Windows 2000, and the oldest browser that the company still supports with security updates. Storms hesitated to guess what IE7-only issue might be patched. "It could be any number of things," he said. "Could be scripting or the anti-phishing filter."
Microsoft's advance notice reported that the IE7 bug will be rated critical for both Windows XP and Windows Vista, but only "moderate" on Server 2003 and Server 2008.
........................................................................
Bug in AutoRun on Windows
from blogs.pcmag.com/security
January 21, 2009
The National Cyber Alert System of US-CERT (part of the Department of Homeland Security) is issuing an alert on flaws in Microsoft Windows' AutoRun functionality.
AutoRun is the feature through which the attachment of new drives to the system can run programs on those drives. The drives can be anything: a CD, a mapped network drive, a USB hard drive or thumb drive, for example. Windows includes facilities to disable AutoRun, but the advisory states that these don't work in all cases.
It's not hard to see how AutoRun could lead to abuses. A lot of malware attempts to spread itself by writing AutoRun files to various drives, such as thumb drives, so that it will execute if the drive is attached to another system.
Windows Vista attempts to give the user more information about various AutoRun options, but the Conficker/Downadup worm attempts to trick users past this information. Vista lists AutoRun programs and some other options, such as opening Windows Explorer on the drive.
It's unlikely that many users have been compromised this way, but it is a clever attack and pretty much the only way that worm can get at Vista.
According to the advisory, the Autorun and NoDriveTypeAutoRun registry values do not work as advertised. Even setting the NoDriveTypeAutoRun registry value to 0xFF, which should "[disable] Autoplay on all types of drives," can still result in problems.
CERT recommends the following registry setting:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf to "@SYS:DoesNotExist"
US-CERT has issued an update to this advisory:
Microsoft has provided support document KB953252, which describes how to correct the problem of NoDriveTypeAutoRun registry value enforcement. After the update is installed, Windows will obey the NoDriveTypeAutoRun registry value. Note that this fix has been released via Microsoft Update to Windows Vista and Server 2008 systems as part of the MS08-038 Security Bulletin. Windows 2000, XP, and Server 2003 users must install the update manually. Our testing has shown that installing this update and setting the NoDriveTypeAutoRun registry value to 0xFF will disable AutoRun, as will the workaround described above.
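The advisory names two registry controls but gives only one full path. The following PowerShell script is an added example, not from US-CERT or the article, that reports the state of both controls on a machine so an administrator can confirm the hardening took: the Explorer policy location for NoDriveTypeAutoRun is assumed from the standard Windows policy layout, and the IniFileMapping path is the one quoted above.

```powershell
# Added example (not from the advisory): audit the AutoRun registry state described above.
# Assumption: NoDriveTypeAutoRun lives under the Explorer policies key (HKLM and HKCU);
# the Autorun.inf IniFileMapping path is the one CERT quotes. Run elevated to change values.
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$mappingKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-AutoRunState {
    $findings = @()
    foreach ($key in $policyKeys) {
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        # 0xFF is the "all drive types" setting; it is only honoured once KB953252 (MS08-038
        # on Vista/2008) is installed, which this script cannot verify from the registry alone.
        $shown = if ($null -eq $value) { '(not set)' } else { '0x{0:X2}' -f $value }
        $findings += [pscustomobject]@{
            Setting = "$key\NoDriveTypeAutoRun"
            Value   = $shown
            Ok      = ($value -eq 0xFF)
        }
    }
    # The CERT workaround: point Autorun.inf parsing at a key that does not exist,
    # so the file is effectively ignored regardless of the NoDriveTypeAutoRun bug.
    $mapping = (Get-ItemProperty -Path $mappingKey -ErrorAction SilentlyContinue).'(default)'
    $shown = if ($null -eq $mapping) { '(not set)' } else { $mapping }
    $findings += [pscustomobject]@{
        Setting = "$mappingKey (default)"
        Value   = $shown
        Ok      = ($mapping -eq '@SYS:DoesNotExist')
    }
    return $findings
}

Get-AutoRunState | Format-Table -AutoSize

# To apply both settings from an elevated prompt (uncomment):
# Set-ItemProperty -Path $policyKeys[0] -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
# New-Item -Path $mappingKey -Force | Out-Null
# Set-ItemProperty -Path $mappingKey -Name '(default)' -Value '@SYS:DoesNotExist'
```

Any row with Ok = False is a machine where AutoRun can still fire for at least one drive type; the IniFileMapping row is the one that holds even on systems that have not yet received KB953252.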
........................................................................
Twitter Hacked and Phished
from blogs.pcmag.com/security
January 5, 2009
Twitter revealed that 33 users of the service, including President-Elect Barack Obama, had their accounts hacked recently. The attacker who did it compromised some Twitter tools to do so, although details of the hack are not provided.
Other reports indicate that the Britney Spears, Rick Sanchez, FoxNews, Facebook, and Huffington Post accounts also were hacked.
Separately, phishing attacks are underway to try to get your Twitter credentials. The phish comes as an e-mail with a link to a web page and an enticing message. Click the link and you are brought to a phony Twitter home page and asked for your password.
The motive in both cases, as evidenced by the screen capture above, is to push other links out through the Twitter account.
........................................................................