Spyware, Viruses, & Security forum


NEWS - April 17, 2013

by Carol~ Forum moderator / April 17, 2013 1:59 AM PDT
ACLU Complaint Shows Android Insecurity Getting Political

The American Civil Liberties Union has filed a complaint with the U.S. Federal Trade Commission on Wednesday calling on the Federal Government to take action to stem an epidemic of unpatched and insecure Android mobile devices - a public scourge that the ACLU blames on recalcitrant wireless carriers.
[Chart: Android operating system adoption. Adoption of the latest versions of Android has lagged, according to data released by Google.]

The civil liberties group's complaint for injunctive relief with the FTC notes that "major wireless carriers have sold millions of Android smartphones to consumers" but that "the vast majority of these devices rarely receive software security updates."

Calling the unpatched phones "defective and unreasonably dangerous," the ACLU says that carriers leave their customers vulnerable to malware and spear phishing attacks that can be used to record or transmit information on the device to third parties.

"A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers' smartphones by the wireless carriers and their handset manufacturer partners," the ACLU said.

Continued : http://securityledger.com/aclu-complaint-shows-android-insecurity-getting-political/

ACLU asks feds to probe wireless carriers over Android security updates
ACLU Asks FTC to Probe 'Dangerous' Android Bugs
Taming of the shrewd: can the ACLU free Android from carrier control?
ACLU complains to FTC that mobile carriers leave Android phones unsecured
Apple updates Safari and Java 6 support
by Carol~ Forum moderator / April 17, 2013 3:20 AM PDT
In reply to: NEWS - April 17, 2013

Apple has furnished its Safari web browser with a new security feature that allows Java applet loading permissions to be granted on a web-site-specific basis. The feature is included in Safari 6.0.4, which is being deployed as a software update for Lion and Mountain Lion users, and in Safari 5.1.9 for Snow Leopard, which is available for direct download (about 48MB) and via Apple's software update service.

The new feature will prompt Safari to ask users what to do with each newly encountered Java applet. A new setting allows users to permanently block or permanently allow applets, or trigger confirmation requests, on a web-site-specific basis. When "allowing" applets, users can either choose "always allow" or they can allow applets only if the installed version of Java contains no known critical security issues. Safari 6.0.4 also closes a security hole in WebKit which was used during this year's Pwn2Own security competition.

Apple has also released two new Java updates that correspond to Oracle's Java 7 Update 21. Java for Mac OS X 10.6 Update 15 (just under 70MB) updates Java SE 6 under Snow Leopard to version 1.6.0_45 and enables the previously mentioned security feature in Safari 5.1.9. Java for OS X 2013-003 is intended for Lion and Mountain Lion, where it also updates Java SE 6 to version 1.6.0_45. The Java updates close numerous security holes, including critical ones - and should, therefore, be installed as soon as possible. As usual, the latest version of Java 7 is provided by Oracle and can be downloaded from the Oracle Java SE Download pages.


Oracle and Apple ship critical Java updates - get yours today!
New security protection, fixes for 39 exploitable bugs coming to Java

Also See:
April 2013 Critical Patch Update for Java SE Released
Vulnerabilities / Fixes - April 17, 2012

Sick malware authors exploit Boston Marathon bombing with Trojan attack
by Carol~ Forum moderator / April 17, 2013 3:20 AM PDT
In reply to: NEWS - April 17, 2013

With sick inevitability, cybercriminals have exploited interest in the breaking news story of the explosions at the Boston Marathon by spreading malware.

Messages spammed out by attackers claim to contain a link to video footage of Monday's terrorist activity in Boston, with subject lines such as "2 Explosions at Boston Marathon". [Screenshot]

Other subject lines used in the campaign include:

• Aftermath to explosion at Boston Marathon
• Boston Explosion Caught on Video
• Video of Explosion at the Boston Marathon 2013

It's no surprise to see that the links used in the malicious email can vary - no doubt in an attempt to avoid rudimentary email filtering - but they all appear to be based in Ukraine and Latvia.

Continued : http://nakedsecurity.sophos.com/2013/04/17/malware-boston-marathon-bombing/
Within Hours of Boston Bombing, Related Keywords Spread to 20% of Spam, Bitdefender Study Shows
by Carol~ Forum moderator / April 17, 2013 3:29 AM PDT

Hours after the Boston Marathon tragic incident, the words "marathon," "Boston" or "explosion" had made their way into the subject headers of one in five spam messages, according to a Bitdefender study. The data reveal a disturbing cycle of spammers and scammers seeking to take profits from people concerned about terrorism.

Bitdefender anti-spam labs first spotted the trend in the hours after the bombing, and an analysis of the spam pool collected within hours shows that 20 per cent of the messages had one of the three keywords. The increasingly rapid adaptation of spam to ongoing current events comes as the spam business has grown more dangerous in the past several months, spicing up old messages with malicious attachments and links with vicious intent.

The reaction to the Boston bombings is an example of that - the dust has barely settled on the streets of Boston, and hackers, spammers and others are launching their own assault on those interested in finding out details about the April 15 Boston Marathon bombings.

Continued : http://www.hotforsecurity.com/blog/within-hours-of-boston-bombing-related-keywords-spread-to-20-of-spam-bitdefender-study-shows-5955.html
Fake Boston Marathon Scams Update
by Carol~ Forum moderator / April 17, 2013 3:29 AM PDT

From the SANS ISC Diary:

Yesterday, TheDomains reported there were 125 potentially fake domains registered just hours after the attack in Boston. By my current count, I see 234. Some of these are just parked domains, some are squatters who are keeping the domains from bad people. A couple are soliciting donations (one is soliciting bitcoins, oddly enough). So far, there have been no reports of any spam related to this, but there have been a few fake twitter accounts which are fairly quickly getting squashed. Oh, and one lawsuit-lawyer related site in connection to the event, but that's a different kind of scum than we typically deal with here. But so far, most of the domains are parked (typically at GoDaddy, but don't read that as a swipe at them) or they don't resolve anywhere.
In short, I would have thought this would have picked up quicker than it has.

That said, it did give me the impetus to finish scripting a few things to basically monitor these domains automagically to start looking for indicators and to see when (or if) they ever come out of "parked" status.

As usual, the standard advice applies in events like these. If you want to donate (or have friends/family/colleagues who do), work through well-known and established charities to do so.

Continued : https://isc.sans.edu/diary.html?storyid=15617

* * * * * * * * * * * * * * * * *

Also from SANS:

Published: 2013-04-17,
Last Updated: 2013-04-17 15:24:48 UTC
by John Bambenek (Version: 1)

Boston-Related Malware Campaigns Have Begun

About mid-afternoon yesterday (Central time - US), Boston related spam campaigns began. The general "hook" is that it sends a URL with a subject about the video from the explosions. Similar to when Osama Bin Laden was killed and fake images were used as a hook, in this case the video is relevant to the story and is being used as a hook. Right now, very roughly 10-20% of all spam is related to this (some spamtraps reporting more, some less). Similar IPs have also been sending pump & dump scams, so likely the same group has re-tasked itself.

Here is a list of subjects I've seen hit spam traps:

Subject: 2 Explosions at Boston Marathon
Subject: Aftermath to explosion at Boston Marathon
Subject: Arbitron. Dial Global. Boston Bombings
Subject: Boston Explosion Caught on Video
Subject: BREAKING - Boston Marathon Explosion
Subject: Explosion at Boston Marathon
Subject: Explosion at the Boston Marathon
Subject: Explosions at Boston Marathon
Subject: Explosions at the Boston Marathon
Subject: Opinion: Boston Marathon Explosions made by radical Gays? Really? - CNN.com
Subject: Opinion: Boston Marathon Explosions - Romney Benefits? - CNN.com
Subject: Opinion: Boston Marathon Worse Sensation - Osama bin Laden still alive!? - CNN.com
Subject: Opinion: FBI knew about bombs 3 days before Boston Marathon - Why and Who Benefits? - CNN.com
Subject: Opinion: Osama Bin Laden video about Boston Marathon Explosions - bad news for all the world. - CNN.com
Subject:[SPAM] 2 Explosions at Boston Marathon
Subject:[SPAM] Boston Explosion Caught on Video
Subject:[SPAM] Explosions at the Boston Marathon
Subject:[SPAM] Video of Explosion at the Boston Marathon 2013
Subject: Stiri:EXPLOZIILE de la maratonul din Boston/Spaga este negociata la granita Romaniei/A inventat bautura care INLOCUIESTE MANCAREA/TUNELUL cu mecanisme de NEINTELES al lui STALIN/70 % din infrastructura RCS-RDS este amplasata ILEGAL/BOMBA ANULUI IN SHOWBIZ
Subject: Video of Explosion at the Boston Marathon 2013
Here is a list of malicious URLs in those messages (use at your own risk):

Continued : https://isc.sans.edu/diary.html?storyid=15629
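The subject list above is the kind of artifact a mail administrator can turn into a triage rule straight away. The following is an added example, not code from the SANS diary or this post: it normalises subjects (dropping an upstream "[SPAM]" tag, whitespace and case), matches them against the campaign subjects reported above, falls back to the three keywords Bitdefender counted, and reports what share of a constructed, hypothetical mail log is event-themed. The log line format and sender addresses are assumptions.

```python
import re
from collections import Counter

# Lure subjects reported by the SANS ISC diary (exact-match list).
CAMPAIGN_SUBJECTS = {
    "2 Explosions at Boston Marathon",
    "Aftermath to explosion at Boston Marathon",
    "Boston Explosion Caught on Video",
    "BREAKING - Boston Marathon Explosion",
    "Explosion at Boston Marathon",
    "Explosion at the Boston Marathon",
    "Explosions at Boston Marathon",
    "Explosions at the Boston Marathon",
    "Video of Explosion at the Boston Marathon 2013",
}

# Keywords Bitdefender counted in the spam pool; word-bounded, plural allowed.
EVENT_KEYWORDS = re.compile(r"\b(marathon|boston|explosion)s?\b")

# Some upstream filters prepend "[SPAM]" to the subject before delivery.
SPAM_TAG = re.compile(r"^\s*\[spam\]\s*", re.IGNORECASE)


def normalise(subject):
    """Strip a '[SPAM]' tag, collapse whitespace and case-fold."""
    return " ".join(SPAM_TAG.sub("", subject).split()).casefold()


CAMPAIGN_NORMALISED = {normalise(s) for s in CAMPAIGN_SUBJECTS}


def classify(subject):
    """Return 'campaign' (known lure subject), 'event-themed' or 'other'."""
    s = normalise(subject)
    if s in CAMPAIGN_NORMALISED:
        return "campaign"
    if EVENT_KEYWORDS.search(s):
        return "event-themed"
    return "other"


# Assumed (hypothetical) MTA log format: <timestamp> from=<addr> subject="..."
LOG_LINE = re.compile(r'^(?P<ts>\S+) from=<(?P<sender>[^>]*)> subject="(?P<subject>[^"]*)"')


def triage(log_lines):
    """Classify every parseable log line; return (counts, event share, hits)."""
    counts, hits = Counter(), []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        label = classify(m.group("subject"))
        counts[label] += 1
        if label != "other":
            hits.append((m.group("ts"), m.group("sender"), label))
    total = sum(counts.values())
    share = (counts["campaign"] + counts["event-themed"]) / total if total else 0.0
    return counts, share, hits


# Constructed sample log: mixes campaign lures, one opinion-style lure, and noise.
SAMPLE_LOG = [
    '2013-04-16T20:02:11Z from=<a@example.net> subject="2 Explosions at Boston Marathon"',
    '2013-04-16T20:05:40Z from=<b@example.org> subject="[SPAM] Boston Explosion Caught on Video"',
    '2013-04-16T20:06:02Z from=<billing@example.com> subject="Re: quarterly invoice"',
    '2013-04-16T20:09:15Z from=<c@example.net> subject="Opinion: Boston Marathon Explosions - Romney Benefits? - CNN.com"',
    '2013-04-16T20:11:33Z from=<d@example.org> subject="Cheap meds"',
    '2013-04-16T20:12:01Z from=<shop@example.com> subject="Your order has shipped"',
    '2013-04-16T20:14:27Z from=<e@example.net> subject="Video  of Explosion at the Boston Marathon 2013"',
    '2013-04-16T20:15:00Z from=<news@example.com> subject="Weekly newsletter"',
    '2013-04-16T20:17:48Z from=<f@example.org> subject="explosion at boston marathon"',
    '2013-04-16T20:18:10Z from=<g@example.com> subject="Meeting notes"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    counts, share, hits = triage(SAMPLE_LOG)
    print(counts, f"event share={share:.0%}")
    for ts, sender, label in hits:
        print(ts, sender, label)
```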

Boston Aftermath
by Carol~ Forum moderator / April 17, 2013 3:29 AM PDT

From the Kaspersky Labs Weblog:

While many are still in shock after the Boston Marathon bombings on 16 April, it didn't take long for cyber criminals to abuse that tragic incident for their dirty deeds. [Screenshot]

Today we already started receiving emails containing links to malicious locations with names like "news.html". These pages contain URLs of non-malicious youtube clips covering the recent event. After a delay of 60 seconds, another link leading to an executable file is activated. [Screenshot]

The malware, once running on an infected machine, tries to connect to several IP addresses in Ukraine, Argentina and Taiwan. Kaspersky Lab detects this threat as "Trojan-PSW.Win32.Tepfer.*".

MD5sums of some of the collected samples:

Our thoughts and prayers are with our colleagues in Massachusetts and others affected by the tragic events in Boston.


KELIHOS Worm Emerges, Takes Advantage of Marathon Blast
by Carol~ Forum moderator / April 17, 2013 4:30 AM PDT

From the Trendlabs Security Intelligence Blog:

Within a short time period of less than 24 hours, cybercriminals have already taken advantage of Monday's explosion at the Boston Marathon as a newsworthy item. My colleague Mary Ermilano-Aquino noted a spam outbreak of more than 9,000 Blackhole Exploit Kit spammed messages, all related to the said tragedy that killed at least three people and injured many more. Some of the spammed messages used the subjects "2 Explosions at Boston Marathon," "Aftermath to explosion at Boston Marathon," "Boston Explosion Caught on Video," and "Video of Explosion at the Boston Marathon 2013" to name a few. Below is a spam sample she found:

The spammed message only contains the URL http://{BLOCKED}/boston.html , but once you click it, it displays a web page with an embedded video, supposedly from YouTube. At this point, users who click the link may have already downloaded malware unknowingly, aka drive-by-download attacks. Here's a screenshot of the web page with the embedded video: [Screenshot]

Continued: http://blog.trendmicro.com/trendlabs-security-intelligence/kelihos-worm-emerges-takes-advantage-of-boston-marathon-blast/

ColdFusion hack steals hosting provider's customer data
by Carol~ Forum moderator / April 17, 2013 3:21 AM PDT
In reply to: NEWS - April 17, 2013
ColdFusion hack used to steal hosting provider's customer data

"Linode hit by possible zero-day exploit patched by Adobe on April 9."

A vulnerability in the ColdFusion Web server platform, reported by Adobe less than a week ago, has apparently been in the wild for almost a month and has allowed the hacking of at least one company website, exposing customer data. Yesterday, it was revealed that the virtual server hosting company Linode had been the victim of a multi-day breach that allowed hackers to gain access to customer records.

The breach was made possible by a vulnerability in Adobe's ColdFusion server platform that could, according to Adobe, "be exploited to impersonate an authenticated user." A patch had been issued for the vulnerability on April 9 and was rated as priority "2" and "important." Those ratings placed it at a step down from the most critical, indicating that there were no known exploits at the time the patch was issued but that data was at risk. Adobe credited "an anonymous security researcher" with discovering the vulnerability.

But according to IRC conversation including one of the alleged hackers of the site, Linode's site had been compromised for weeks before its discovery. That revelation leaves open the possibility that other ColdFusion sites have been compromised as hackers sought out targets to use the exploit on.

Continued : http://arstechnica.com/security/2013/04/coldfusion-hack-used-to-steal-hosting-providers-customer-data/

Linode Hacked Through ColdFusion Zero Day
Linode hackers say they will release stolen customer data
Microsoft Account Gets More Secure
by Carol~ Forum moderator / April 17, 2013 3:54 AM PDT
In reply to: NEWS - April 17, 2013

Posted by Eric Doerr @ The Official Microsoft Blog:

Over the next couple days we will roll out a major upgrade to Microsoft account, including optional two-step verification to help keep your account more secure.

Microsoft has increasingly focused on delivering connected devices and services that are currently used by more than 700 million people around the world. A Microsoft account is the key that unlocks your experience across these products—from your Windows PC to your Windows Phone, from Xbox to Outlook.com, from SkyDrive and Skype to Office and much more.

Given this critical role for Microsoft account, we remain vigilant in working hard to protect your account, which is why we're adding an option so you can enable two-step verification to further protect yourself. You should see this option show up in your account in the next few days. You can enable this capability at https://account.live.com/proofs/Manage.

One account connects your digital world

Continued : http://blogs.technet.com/b/microsoft_blog/archive/2013/04/17/microsoft-account-gets-more-secure.aspx

Undisclosed Glitch Disrupts Gmail for Two Hours
by Carol~ Forum moderator / April 17, 2013 3:54 AM PDT
In reply to: NEWS - April 17, 2013

WASHINGTON - Google suffered disruptions on several of its cloud-based services including Google Mail for about two hours Wednesday for reasons that were not disclosed.

The apps status dashboard of the world's most popular search engine indicated "service disruptions" for Google Mail, Google Drive, Google Documents, Google Spreadsheets and Google Presentations.

It also reported a total "service outage" for its "admin control panel / API" used by administrators of Google Apps domains. By 11:30 am (1530 GMT) however, the dashboard indicated that all services were back in full service.

There was no explanation for the outage, but Google said "less than 0.007 percent" of its Google Mail user base was affected.

"We apologize for the inconvenience and thank you for your patience and continued support," it said.

"Please rest assured that system reliability is a top priority at Google, and we are making continuous improvements to make our systems better."

Continued : http://www.securityweek.com/undisclosed-glitch-disrupts-gmail-two-hours

Spamhaus-themed ransomware delivered through exploit kits
by Carol~ Forum moderator / April 17, 2013 3:54 AM PDT
In reply to: NEWS - April 17, 2013

It seems that users are starting to recognize ransomware accompanied with fake notifications by copyright enforcement and law enforcement agencies for what it is, and cyber crooks are trying out new approaches.

PC Risk has spotted a variant that is misusing the name, logo and reputation of the Spamhaus Project, an international organization dedicated to tracking email spammers and spam-related activity: [Screenshot]

"You have lost control over your computer. Your system and all your files has been blocked and encrypted because you were spreading the Malware (viruses, Trojans, worms). You are breaking numerous International and USA laws," claims the message.

Continued : http://www.net-security.org/malware_news.php?id=2470

'Magic' Malware Using Custom Communication Protocol Discovered
by Carol~ Forum moderator / April 17, 2013 3:55 AM PDT
In reply to: NEWS - April 17, 2013

Researchers from Seculert have discovered a new malware they dubbed "Magic", due to "magic code" used within a custom communication protocol that the threat uses to communicate with its command and control servers.

The sample came to Seculert from a customer sometime during the past month, after it was uploaded to Seculert Swamp, the company's cloud-based, automated malware analysis service.

According to Seculert, the sample was flagged because its behavior seemed out of the ordinary for a legitimate executable.

"Usually, when a malware initiates a communication with a C2 server, the first response is a setting, telling the malware what to do next," Aviv Raff, CTO of Seculert, explained in a blog post.

In this case, the C2 (Command and Control) server instructed the malware to start communicating with the same IP address and port, Raff said.

Continued : http://www.securityweek.com/magic-malware-using-custom-communication-protocol-discovered
Pirate Bay Founder Charged With Hacking Companies and a Bank
by Carol~ Forum moderator / April 17, 2013 4:30 AM PDT
In reply to: NEWS - April 17, 2013

A Swedish prosecutor has announced new hacking-related charges against Pirate Bay co-founder Gottfrid Svartholm. Together with three others he is suspected of hacking several companies including a bank, from where the defendants allegedly attempted to transfer money. The new charges will most likely mean that Svartholm will remain in prison when his Pirate Bay sentence concludes next month.

In late August 2012, Pirate Bay co-founder Gottfrid Svartholm was deported from Cambodia to Sweden.

Initially it was thought that Gottfrid had been taken to serve the prison time he was handed for his involvement in The Pirate Bay, but quickly it became clear the authorities also had other things on their minds.

Once he landed in Sweden the authorities claimed Gottfrid had been involved in several instances of hacking, and today prosecutor Henry Olin of the International Public Prosecution Office in Stockholm announced several charges against the Pirate Bay co-founder.

Continued : http://torrentfreak.com/pirate-bay-founder-charged-with-hacking-companies-and-a-bank-130416/

Pirate Bay co-founder charged with hacking offences, attempt to steal money from bank accounts
Pirate Bay co-founder charged with hacking and fraud
Pirate Bay co-founder charged with hacking IBM mainframes, stealing money

Microsoft Discovers Trojan That Erases Evidence Of Its Existence
by Carol~ Forum moderator / April 17, 2013 7:52 AM PDT
In reply to: NEWS - April 17, 2013

Researchers at Microsoft have spotted a Trojan downloader that does something very savvy yet rare: It deletes its own components so researchers and forensics investigators can't analyze or identify it.

The so-called Win32/Nemim.gen!A Trojan is also unusual in that unlike most Trojan downloaders that are put in place to deliver the real payload, this Trojan is also the payload, according to Jonathan San Jose, a member of Microsoft's Malware Protection Center.

But the researchers lucked out and found some pieces of the malware. "Most URLs that this trojan attempts to connect to for downloading are currently unavailable, but we got lucky and were able to find some of its components to investigate further," San Jose wrote in a blog post.

Nemim.gen's ability to delete its components can wreak havoc for forensics investigators and malware hunters. "This prevents the files from being isolated and analysed. Thus, during analysis of the downloader, we may not easily find any downloaded component files on the system; even when using file recovery tools, we may see somewhat suspicious deleted file names but we may be unable to recover the correct content of the file," San Jose said.

Continued: http://www.darkreading.com/vulnerability/microsoft-discovers-trojan-that-erases-e/240152960
Malware & Search Engines: Yandex Challenges AV-Test Results
by Carol~ Forum moderator / April 17, 2013 7:53 AM PDT
In reply to: NEWS - April 17, 2013

Last week, independent lab AV-Test released its findings from an 18-month study looking at malware being delivered through search engines. The big piece for us and our readers was that Bing returned almost five times as much malware than Google, but it still wasn't the leader according to AV-Test. That title went to the Russian search engine Yandex, who has since challenged AV-Test's results.

Yandex Wants Answers
In a statement, Yandex posed several questions—some of which were echoed in our comments—about AV-Test's methodology. Yandex wanted to know how AV-Test defined malware, why the sample sizes varied so dramatically, how the information for the study was gathered, and so on.

Yandex also pointed out that the company does not, as a rule, filter its results for malware. "Yandex uses its own proprietary antivirus technology to protect users from malicious software," reads an email from the company. "Yandex marks the infected webpages in its search results in order to notify users of unsafe content. We just notify users of possible consequences and do not block access to the webpage completely."

AV-Test Responds

Continued : http://securitywatch.pcmag.com/malware/310413-malware-and-search-engines-yandex-challenges-av-test-results
