Malwarebytes declares Windows 'malicious', nukes 1,000s of PCs
A dodgy software update for virus-killer Malwarebytes disabled thousands of PCs before a fix was issued this week.
Malwarebytes' database version v2013.04.15.12 erroneously flagged core Windows system files as malicious, resulting in unstable - and in some cases unbootable - machines. Windows system files were wrongly identified as Trojan-Downloader-ED.
The antivirus firm quickly pulled Monday's update and issued instructions on how to nurse crippled machines back to health. Despite its prompt response within minutes of the problem flaring up, thousands were still affected. Both consumer and enterprise users of Malwarebytes' technology were affected.
Marcin Kleczynski, Malwarebytes' chief exec, apologised for the botched update before later promising improvements in its update process.
Continued : http://www.theregister.co.uk/2013/04/19/malwarebytes_false_positive/
Blackhole Exploit Kit Spam Campaigns Disguised as Top Service Brands
From McAfee Labs Blog Central:
Spam campaigns based on the Blackhole Exploit Kit send messages that contain links to compromised legitimate websites, which serve hidden iframes and redirections that exploit vulnerabilities across operating systems, from Android to Windows. Spam themes we have seen vary rapidly and are disguised to appear as legitimate messages from familiar services.
Campaigns spoofing Facebook, LinkedIn, American Airlines, and various banking services carry embedded links to malware. Spammers abuse email templates from familiar service providers by capturing automated emails, replacing links in the template with links to malware, and rebroadcasting those messages to harvested or predicted recipients.
This tactic has proven effective for spammers. Recipients are likely to click links in familiar-looking emails and often create custom whitelist entries for common sending domains without enforcing Sender Policy Framework or DomainKeys Identified Mail validation.
The Messaging Security Team at McAfee Labs has closely monitored this trend and would like to share a few common traits from recent campaigns to aid in identification:
Continued : http://blogs.mcafee.com/mcafee-labs/blackhole-exploit-kit-spam-campaigns-disguised-as-top-service-brands
Related: Facebook and LinkedIn used in Blackhole exploit kit spam campaigns
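The McAfee post notes that recipients whitelist familiar sending domains without enforcing SPF or DKIM, which is exactly what lets a re-used notification template through. As an added example (not from McAfee's post), this Python snippet honours a sender whitelist only when the receiving MTA's Authentication-Results header reports an SPF or DKIM pass for the very domain in the From header; the three messages and the mx.example.net / bulk-sender.example names are constructed samples.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed samples (not from the McAfee post). All three reuse the same
# familiar "LinkedIn" From header; only the receiving MTA's verdicts differ.
GENUINE = b"""From: LinkedIn <messages-noreply@linkedin.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=linkedin.com; dkim=pass header.d=linkedin.com
"""
SPOOFED = b"""From: LinkedIn <messages-noreply@linkedin.com>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=linkedin.com; dkim=none
"""
# Signed, but by the sender's own domain: DKIM "passes" without aligning to From.
MISALIGNED = b"""From: LinkedIn <messages-noreply@linkedin.com>
Authentication-Results: mx.example.net; spf=none; dkim=pass header.d=bulk-sender.example
"""

# Sending domains the recipient has whitelisted because their notifications look familiar.
WHITELIST = {"linkedin.com", "facebookmail.com"}

# method=verdict, optionally followed by the domain the verdict was evaluated for.
AUTH_RE = re.compile(r"\b(spf|dkim)=(\w+)(?:\s+(?:smtp\.mailfrom|header\.d)=([\w.-]+))?")

def parse_auth_results(header):
    # -> {"spf": ("pass", "linkedin.com"), "dkim": ("none", "")}
    results = {}
    for method, verdict, domain in AUTH_RE.findall(header):
        results[method] = (verdict.lower(), domain.lower())
    return results

def whitelist_applies(raw):
    # Honour the whitelist only when SPF or DKIM passed for the domain in From.
    # A familiar template with failed, missing or misaligned authentication gets no trust.
    msg = message_from_bytes(raw, policy=policy.default)
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    if domain not in WHITELIST:
        return False
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    return any(v == "pass" and d == domain for v, d in auth.values())
```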
Shock Waves from Texas & Boston Blasts Hit Internet in Form of Spam Waves
The blasts that killed 15 people and injured 160 at a Texas fertilizer plant yesterday triggered a global wave of malicious spam today, even as the internet is still infested with spam messages that exploit the Boston Marathon bombings to spread password-stealing malware.
Only hours after the blasts in Texas, spammers injected keywords and subject headers related to the explosion into about 5 per cent of all spam that hit the internet, according to the Bitdefender anti-spam labs. The Texas-related spam, which is expected to intensify in coming hours, comes as 20 percent of spam hitting the internet exploits the Boston bombings.
The Bitdefender research, based on a sample pool of 2 million unsolicited e-mails, turned up hundreds of thousands of spam messages that had been altered at the last minute to promise breaking news, graphic videos and more related to the Boston Marathon attacks.
In the spam wave, Bitdefender found spam harboring a component of the infamous Red Kit exploit pack. Threats downloaded by RedKit include Trojan.GenericKDZ.14575, a password stealer that grabs users' account passwords. It also watches the network traffic of the infected machine by dropping three legitimate WinPcap components, some of which were reported to also steal bitcoin wallets and send e-mails.
Continued : http://www.hotforsecurity.com/blog/shock-waves-from-texas-and-boston-blasts-hit-internet-in-form-of-spam-waves-5973.html
Related: Cybercriminals Leverage Boston Marathon Bombing, Texas Explosion in Malware Attacks
Bank Sues Cyberheist Victim to Recover Funds
A bank that gave a business customer a short term loan to cover $336,000 stolen in a 2012 cyberheist is now suing that customer to recover the fronted funds, after the victim company refused to repay or even acknowledge the loan.
On May 9, 2012, cyber crooks hit Wallace & Pittman PLLC, a Charlotte, N.C.-based law firm that specializes in handling escrow and other real-estate legal services. The firm had just finished a real estate closing that morning, initiating a wire of $386,600.61 to a bank in Virginia Beach, Virginia. Hours later, the thieves put through their own fraudulent wire transfer, for exactly $50,000 less.
At around 3 p.m. that day, the firm's bank — Charlotte, N.C.-based Park Sterling Bank (PSB) — received a wire transfer order from the law firm for $336,600.61. According to the bank, the request was sent using the firm's legitimate user name, password, PIN code, and challenge/response questions. PSB processed the wire transfer, which was sent to an intermediary bank — JP Morgan Chase in New York City — before being forwarded on to a bank in Moscow.
Facebook closes cross-site scripting holes
Facebook has closed various cross-site scripting (XSS) holes that were discovered by security firm Break Security and which have now been described in greater detail. Break Security's CEO, Nir Goldshlager, explains that the social network was vulnerable to attacks through its Chat feature as well as its "Check in" and Messenger for Windows components. [Screenshot]
Continued : http://www.h-online.com/security/news/item/Facebook-closes-cross-site-scripting-holes-1845850.html
Mobile Scam: Winning Without Playing
From the Symantec Security Response Blog:
We have blogged before about mobile spam messages, and while email spam declined in the past year to around 66%, mobile spam—although not yet that prevalent—is now gaining ground.
Currently the "winning ticket" theme is making its rounds through central Europe. Eight friends of mine received it over the space of a few days and I am proud that none of them fell for it, even though some were sorely tempted. The message states that you have won two million pounds sterling with some numbers that you never selected, in a non-specified lottery that you have certainly never played. There are a lot of variations of this particular scam that we have observed over the years, with a range of different prizes including cars and holidays. Unfortunately, there is no money behind it—at least not for you—as of course if you never play the lottery, you will definitely never win it. It is just another advance fee scam, where the scammer will eventually try to trick the victim into paying some release fee or expenses in order to get the alleged prize.
Continued : http://www.symantec.com/connect/blogs/mobile-scam-winning-without-playing
An ambush for peculiar Koreans
The Kaspersky Labs Weblog:
While researching PlugX propagation with the use of Java exploits we stumbled upon one compromised site that hosted and pushed a malicious Java applet exploiting the CVE-2013-0422 vulnerability. The very malicious Java application was detected heuristically with a generic verdict for that vulnerability and it would have been hardly possible to spot that particular site between tons of other places where various malicious Java applications were detected with that generic verdict. But it was a very specific search conducted back then and this site appeared in statistics among not so many search results. Well, to be honest it was a false positive in terms of search criteria, but in this case it was a lucky mistake.
The infectious website was an Internet resource named minjok.com and it turned out to be a news site in Korean and English languages covering mostly political events around the Korean peninsula. We notified an editor of this site about the compromise and although he has not responded, the site got closed after a while.
This is how minjok.com is described at http://www.northkoreatech.org/the-north-korean-website-list/minjok-tongshin/: [Screenshot]
Continued : http://www.securelist.com/en/blog/208194231/An_ambush_for_peculiar_Koreans
Antivirus Fails 1 in 500 PCs
[Screenshot: Infection rate (CCM) by operating system and service pack in 4Q12]
The latest Microsoft Security Intelligence Report reveals that PC users who lack up-to-date antivirus protection are 5.5 times more likely to get hit with a malware infection than those who correctly install and update such protection. Looked at from a different angle, though, the figures reveal a surprising conclusion: one in 500 PCs that do have up-to-date protection will get hit by malware regardless. It's a sobering thought.
Patch Tuesday Protection
Every month on Patch Tuesday, Microsoft releases patches for any new security vulnerabilities via Windows Update. For quite some time now, each Windows Update session has also launched the latest Microsoft Malicious Software Removal Tool (MSRT). The MSRT notifies Microsoft about any malware it removed, and about the security status of your computer—anonymously, of course, and only with your permission.
Also: Microsoft: You're 5.5 Times More Likely to Be Infected Without AV
How do you know if an anti-virus test is any good?
Anti-virus or, as we say now in the industry, anti-malware testing has been around for years.
These tests and comparatives are the consumer reports of the IT security industry, aimed at educating both the anti-malware developer and the consumer on how a product performs.
There's been a fair bit of activity in the anti-malware testing world lately - both AV-Test and AV-Comparatives released major reports last week, and at Virus Bulletin we're putting the finishing touches to our latest comparative on Windows XP, due out in the next week or so.
As usual at this time of year I've been getting a lot of people asking me, why are they all different? How do I know who to believe? What makes one test better than another, or are they all equally brilliant/useless/biased/random?
They're never easy questions to answer.
Continued : http://nakedsecurity.sophos.com/2013/04/19/how-do-you-know-if-an-anti-virus-test-is-any-good/
Oracle takes a leaf out of Microsoft's book, prioritizes Java security
"Java 8 being delayed into the first quarter of 2014"
The release of Java 8, originally due in September this year, has been pushed back. The new version's headline feature—Project Lambda, which brings anonymous functions to Java—isn't yet finished.
The reason for this delay is, in part, security. Over the past eight months, a large number of critical security flaws have been found and patched. This has damaged Java's reputation, with Apple, for example, reacting by removing the Java plugin from its Safari browser.
In response, Mark Reinhold, chief architect of the Java Platform Group at Oracle, has announced a "renewed focus on security" that will tie up engineering efforts. As a result, Java 8 has now been pushed back until the first quarter of 2014.
Continued : http://arstechnica.com/security/2013/04/oracle-takes-a-leaf-out-of-microsofts-book-prioritizes-java-security/
Google Play apps used to hide 'BadNews' mobile botnet, security firm discovers
Google's Play store security has once again been embarrassed by the discovery of an ambitious botnet that sneaked past its app vetting systems to infect possibly huge numbers of Android users.
Lookout Mobile Security, which spotted the ruse, said it had tracked down 32 apps that seemed to be tied into what at first looked like just another advertising network with its own SDK, now dubbed 'BadNews'.
The dastardly part is that the apps themselves appear innocent but come with the ability to contact a command and control server in order to push a range of genuinely malicious apps, including the AlphaSMS toll fraud app widely circulated by East European gangs.
In an attempt to remain unnoticed for as long as possible, the designers of BadNews designed the apps to behave legitimately for a period of time before hitting the user with bogus update requests, at which point trouble begins.
Continued : http://news.techworld.com/security/3443185/google-play-apps-used-hide-badnews-mobile-botnet-security-firm-discovers/
New Android Trojan downloaded from Google Play by millions
Millions of Android users have been tricked into downloading a new Trojan masquerading as a slew of legitimate apps directly from Google Play, warns Lookout researcher Marc Rogers.
The newly discovered malware family has been dubbed BadNews, and it's capable of harvesting and sending information about the device to its C&C server, sending out fake news messages, and prompting users to install additional malicious applications such as the AlphaSMS premium rate SMS Trojan.
BadNews was packaged with games, wallpaper apps, dictionary and dieting apps, and many others, the majority of which were obviously aimed at Russian-speaking users. [Screenshot]
"It is not clear whether some or all of these apps were launched with the explicit intent of hosting BadNews or whether legitimate developers were duped into installing a malicious advertising network," says Rogers. "However, based on our analysis of the backend code behind a number of these purported ad networks there is little doubt that BadNews is a fraudulent monetization software development kit."
Continued : http://www.net-security.org/malware_news.php?id=2473
New version of Gozi financial malware bundles MBR rootkit
"The malware installs code into the computer's master boot record in order to achieve persistence, Trusteer researchers say"
Researchers from security firm Trusteer have found a new variant of the Gozi banking Trojan program that infects a computer's Master Boot Record (MBR) in order to achieve persistence.
The Master Boot Record (MBR) is a boot sector that resides at the beginning of a storage drive and contains information about how that drive is partitioned. It also includes boot code that runs before the operating system starts.
Some malware authors have leveraged the MBR in order to give their malicious programs a head start over antivirus programs installed on the computer.
Sophisticated malware that uses MBR rootkit components, like TDL4, also known as Alureon or TDSS, is part of the reason why Microsoft built the Secure Boot feature into Windows 8. This malware is hard to detect and remove and can even survive operating system reinstallation procedures.
Continued : http://www.networkworld.com/news/2013/041913-new-version-of-gozi-financial-268921.html
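The article describes the MBR as a 512-byte sector holding boot code followed by the partition table, and notes that MBR rootkits modify the boot code while leaving the system bootable. As an added example (not from the article or from Trusteer), this Python snippet parses that standard layout, validates the 0x55AA signature, and compares only the boot-code region against a known-good hash, a simple integrity check for the kind of modification described; both MBR images are constructed and the boot bytes are opaque placeholders, not real loader code.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: the boot code the firmware executes
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xaa"      # bytes 510..511: the boot signature

def build_mbr(boot_code, partitions):
    # Fabricate a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples.
    # Only used to construct sample input; a real image is sector 0 of the drive.
    img = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    for status, ptype, lba, count in partitions:
        # CHS start/end fields are zeroed; modern firmware relies on the LBA fields.
        img += struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    img += b"\x00" * 16 * (4 - len(partitions))
    return bytes(img) + SIGNATURE

def parse_mbr(img):
    # Return the boot-code hash and the non-empty partition entries, or raise if malformed.
    if len(img) != MBR_SIZE or img[510:] != SIGNATURE:
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", img, PART_TABLE_OFF + 16 * i)
        if ptype:   # type 0x00 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(img[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def boot_code_modified(img, baseline_sha256):
    # Detection check: an MBR bootkit must keep the partition table intact so the OS
    # still boots, so the boot-code region alone is compared against a known-good hash.
    return parse_mbr(img)["boot_code_sha256"] != baseline_sha256

# Constructed samples: a clean MBR and a copy whose boot code was overwritten but whose
# partition table is untouched. The boot bytes are placeholders, not real loader code.
PARTS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1000000)]
CLEAN_MBR = build_mbr(b"sample-clean-boot-code" + b"\x90" * 20, PARTS)
TAMPERED_MBR = build_mbr(b"sample-altered-boot-code" + b"\x90" * 20, PARTS)
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # recorded while the system was known clean
```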
You won't believe how crazy this password infomercial is (and neither did Ellen DeGeneres)
Oh, the joys of late night television in the United States!
When there's nothing funny on American TV, you can always rely upon an infomercial selling some crazy product to have you chuckling or simply agog in disbelief that anyone would ever buy such a thing.
Ellen DeGeneres clearly feels the same, and she recently focused some attention on a product that claimed to solve a computer security problem experienced by many internet users - how to remember your passwords.
Take a look at the video below about the "Internet Password Minder":
As one of the customers featured in the infomercial breathlessly explains:
"I don't have to worry anymore about security or identity theft... I now have all my passwords in one place. It's great"
At first I thought perhaps the people behind the "Ellen" show had made the infomercial as a spoof, but now I'm not so sure. After all, I find it hard to believe that *any* infomercials are real.
Continued : http://nakedsecurity.sophos.com/2013/04/19/ellen-password-security-infomercial/