Spyware, Viruses, & Security forum


NEWS - January 18, 2013

by Carol~ Forum moderator / January 17, 2013 10:29 PM PST
New Version of Shylock Malware Spreading Through Skype

There is a new version of the Shylock malware that is now capable of spreading through Skype. The new version is spreading mainly in the U.K., Europe and the U.S. and is playing off the fact that Microsoft is about to kill its Messenger application in favor of Skype.

The new version of Shylock has a number of new capabilities, but its goal is the same: stealing sensitive financial data from infected machines. Shylock has been known publicly for more than a year and researchers have watched it morph and adapt its tactics in the last few months. The malware, like other Trojan bankers of its ilk, is designed specifically to steal credentials for online banking sites, and also has the ability to perform code-injection attacks.

One recent change in the Shylock malware's capabilities was the addition of a feature that can detect whether the malware is being installed on a remote machine via the RDP protocol. That method is one that malware analysts and researchers use to analyze the behavior of malware.

Continued : https://threatpost.com/en_us/blogs/new-version-shylock-malware-spreading-through-skype-011713

The Shylock banking trojan now travels by Skype
Shylock banking malware can now spread via Skype, researchers say
New slicker Shylock Trojan hooks into Skype

Malware Poses as an Update for Java 0-Day Fix
by Carol~ Forum moderator / January 17, 2013 10:46 PM PST

From Trendlabs Security Intelligence:

Just a word of caution to those who will update their systems with the recent Java zero-day security patch: make sure to get it from a reliable source or else face the possibility of a malware infection.

Oracle has recently released its fix to the much talked-about Java zero-day (CVE-2012-3174) incident though with lukewarm reception from certain sectors, which include the US Department of Homeland Security. However, we encountered a malware under the veil of a Java update.

We were alerted to reports of a malware that poses as Java Update 11 created by an unknown publisher. The said fake update in question is javaupdate11.jar (detected as JAVA_DLOADER.NTW), which contains javaupdate11.class that downloads and executes malicious files up1.exe and up2.exe (both detected as BKDR_ANDROM.NTW). Once executed, this backdoor connects to a remote server that enables a possible attacker to take control of the infected system. Users can get this fake update by visiting the malicious website, {BLOCKED}currencyreport.com/cybercrime-suspect-arrested/javaupdate11.jar.

[Screenshot: Website hosting fake Java update]

Continued : http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/
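As an added example, not code from the Trend Micro post, here is a small Python triage script for a suspicious "update" jar. A jar is a zip file, so the script lists its classes, reads Main-Class from the manifest, and checks whether the META-INF directory carries signature entries (a .SF file plus an .RSA/.DSA/.EC signature block). The two sample jars are constructed in memory: the manifest text, the class bytes and the signature entries are placeholders that only imitate the layout of javaupdate11.jar as described above, and the Main-Class value is an assumption. Presence of signature files is not the same as a valid signature; that check needs `jarsigner -verify -verbose -certs` against a trusted certificate.

```python
import io
import zipfile

# jarsigner writes META-INF/<ALIAS>.SF plus a signature block with one of these extensions.
SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")


def triage_jar(jar_bytes):
    """Describe an update jar: signature entries present, classes, Main-Class.

    Only the presence of signature entries is checked here, not their validity;
    `jarsigner -verify -verbose -certs file.jar` is the real verification step.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        meta = [n for n in names if n.upper().startswith("META-INF/")]
        sig_files = [n for n in meta if n.upper().endswith(".SF")]
        sig_blocks = [n for n in meta if n.upper().endswith(SIG_BLOCK_EXT)]
        classes = [n for n in names if n.endswith(".class")]
        main_class = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Main-Class:"):
                    main_class = line.split(":", 1)[1].strip()
    signed = bool(sig_files) and bool(sig_blocks)
    findings = []
    if not signed:
        findings.append("unsigned: Java will show 'unknown publisher'; a genuine Oracle update is signed")
    if len(classes) == 1:
        findings.append("single class: typical of a downloader stub rather than a JRE update")
    return {"signed": signed, "classes": classes, "main_class": main_class, "findings": findings}


def build_sample_jar(entries):
    """Construct a jar in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample with the shape of the fake update: one class, no signature.
# The class bytes are a placeholder (magic number only), not a real class file.
FAKE_UPDATE = build_sample_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nMain-Class: javaupdate11\r\n",
    "javaupdate11.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16,
})

# Constructed sample with a signed layout; the signature contents are placeholders.
SIGNED_LIKE = build_sample_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
    "META-INF/ORACLE.SF": b"Signature-Version: 1.0\r\n",
    "META-INF/ORACLE.RSA": b"\x30\x82",
    "com/example/Updater.class": b"\xca\xfe\xba\xbe",
    "com/example/Helper.class": b"\xca\xfe\xba\xbe",
})

if __name__ == "__main__":
    for label, jar in (("javaupdate11.jar", FAKE_UPDATE), ("signed-like.jar", SIGNED_LIKE)):
        print(label, triage_jar(jar))
```

The fake update fails on both counts: no signature block, so Java shows an unknown publisher, and a single class whose only job is to fetch up1.exe and up2.exe. The signer check is the one that matters; file names such as javaupdate11.jar change with every campaign.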

Microsoft AVs not good enough, says AV-Test
by Carol~ Forum moderator / January 17, 2013 11:58 PM PST

AV-Test, the well-known independent organization that tests security software for home and corporate users, has released the results of the latest testing - and it's bad news for Microsoft.

The Redmond giant's Security Essentials 4.1 has failed to gain AV-Test's certification for the second time in a row, and its Forefront Endpoint Protection 2010 is the only corporate solution of the eight that have been tested that similarly failed to pass the test.

Joe Blackbird, a program manager with Microsoft, commented on the results in a post on Microsoft's Malware Protection Center official blog by pointing out the well known fact that it's "difficult for independent antimalware testing organizations to devise tests that are consistent with the real-world conditions that customers live in."

He also noted that while AV-Test reports on samples hit or missed by category, Microsoft reports and prioritizes its work based on customer impact.

Continued : http://www.net-security.org/malware_news.php?id=2380

Related: Microsoft fights back on antivirus certification fail, claims malware tests aren't realistic

How Twitter users can fake a verified account - and how you can tell the difference
by Carol~ Forum moderator / January 17, 2013 11:58 PM PST

Verified accounts on Twitter can help you tell the difference between a real celebrity's account, and those of imposters and over-enthusiastic fans.

In this way, you can tell the real @britneyspears apart from the likes of @britney_spears and @britneyspear.

A Naked Security reader got in touch this morning asking us how on earth a fictional character (Percy Jackson) had managed to get his Twitter account verified:

"How is an RP account verified by Twitter?"

We took a look, and sure enough there's a blue verified badge beside @PerseusJackscn's name. [Screenshot]

Has Twitter messed up, and erroneously marked an account as verified?

After all, they don't have an unblemished record in this regard. Who can forget when it appeared as though Rupert Murdoch's wife Wendi Deng was flirting with Ricky Gervais on Twitter from a verified account?

In this case, however, the verified badge is bogus. Our reader was duped by a simple trick.

Here's how it works.

Continued : http://nakedsecurity.sophos.com/2013/01/17/twitter-fake-verified-account/

Pwn2Own hacking contest puts record $560K on the line
by Carol~ Forum moderator / January 18, 2013 12:57 AM PST

HP TippingPoint, the long-time organizer of the annual Pwn2Own hacking contest, has revamped the challenge for the second year running and will offer cash awards exceeding half a million dollars, more than five times the amount paid out last year, the company said yesterday.

The 2013 edition of the contest will offer $560,000 in potential prize money to hackers who demonstrate exploits of previously-unknown vulnerabilities in Chrome, Firefox, Internet Explorer (IE) or Safari, or the Adobe Reader, Adobe Flash or Oracle Java browser plug-ins.

Prizes will be awarded on a sliding schedule, with $100,000 for the first to hack Chrome on Windows 7 or IE10 on Windows 8. From there, payments will fall to $75,000 for IE9 and slide through a number of targets before ending at $20,000 for Java. Prizes will also be given for exploiting Adobe Flash and Adobe Reader ($70,000 each), Safari ($65,000) and Firefox ($60,000).

Continued : http://www.computerworld.com/s/article/9235950/Pwn2Own_hacking_contest_puts_record_560K_on_the_line

Related: Pwn2Own Rules Change Again, Flash, Java Now Fair Game for Contestants

Latest Java Update Broken; 2 New Sandbox Bypass Flaws Found
by Carol~ Forum moderator / January 18, 2013 1:40 AM PST

Expect the roar from security experts urging users to abandon Java to reach ear-splitting levels after reports this morning that new sandbox bypass vulnerabilities are present in the latest Java update.

"We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11," Java security researcher Adam Gowdiak of Security Explorations in Poland wrote a short while ago on the Full Disclosure mailing list.

Gowdiak said his organization reported two new flaws to Oracle today, along with working proof-of-concept code, a single exploit that relies on two vulnerabilities. He told Threatpost he would not share any details on the vulnerabilities, but said Oracle did confirm it had received the information he sent and had begun looking into the problem.

Reports surfaced earlier this week that the Java 7u11 update was incomplete, and that a vulnerability in the Java MBeanInstantiator had not been patched as promised by Oracle when it released the update last Sunday night. Researcher Esteban Guillardoy of Immunity Inc., said that attackers could pair that vulnerability with the reflection API with recursion in order to bypass Java security checks. The reflection issue was corrected in 7u11; Guillardoy said attackers with enough working knowledge of Java could pair another vulnerability with the MBeanInstantiator bug and have a working exploit.

Continued : https://threatpost.com/en_us/blogs/latest-java-update-broken-two-new-sandbox-bypass-flaws-found-011813

Polish Takedown Targets 'Virut' Botnet
by Carol~ Forum moderator / January 18, 2013 1:41 AM PST

Security experts in Poland on Thursday quietly seized domains used to control the Virut botnet, a huge army of hacked PCs that is custom-built to be rented out to cybercriminals.

NASK, the domain registrar that operates the ".pl" Polish top-level domain registry, said that on Thursday it began assuming control over 23 .pl domains that were being used to operate the Virut network. The company has redirected traffic to those domains to sinkhole.cert.pl, a domain controlled by CERT Polska — an incident response team run by NASK. The company says it will be working with Internet service providers and security firms to help alert and clean up affected users.

"Since 2006, Virut has been one of the most disturbing threats active on the Internet," CERT Polska wrote. "The scale of the phenomenon was massive: in 2012 for Poland alone, over 890 thousand unique IP addresses were reported to be infected by Virut."

Some of the domains identified in the takedown effort — including ircgalaxy.pl and zief.pl — have been used as controllers for nearly half a decade. During that time, Virut has emerged as one of the most common and pestilent threats. Security giant Symantec recently estimated Virut's size at 300,000 machines; Russian security firm Kaspersky said Virut was responsible for 5.5 percent of malware infections in the third quarter of 2012.

Continued : https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/
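The practical follow-up to a takedown like this is finding the machines that were talking to the seized domains. As an added example, not code from the Krebs post or from CERT Polska, here is Python detection logic run over constructed DNS query-log lines in BIND's query-log format (assumed: `client <ip>#<port>: query: <name> IN <type> ...`). Only the two domains the post names, ircgalaxy.pl and zief.pl, are in the watch list; a real deployment would load all 23 seized .pl domains. The subdomain irc.zief.pl, the client addresses and the resolution data are constructed. A second function checks passive-DNS style answers to confirm which domains now point at sinkhole.cert.pl, which is how you tell whether a hit in the logs is pre- or post-takedown traffic.

```python
import re
from collections import defaultdict

# Domains named in the post as Virut controllers; constructed watch list, not the full 23.
VIRUT_TAKEDOWN_DOMAINS = {"ircgalaxy.pl", "zief.pl"}
SINKHOLE = "sinkhole.cert.pl"

# BIND-style query log line (assumed format):
#   17-Jan-2013 14:02:11.123 client 10.0.0.5#51234: query: ircgalaxy.pl IN A + (10.0.0.2)
QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<qtype>\S+)")


def base_domain(name, depth=2):
    """Reduce irc.zief.pl -> zief.pl (plain two-label rule; enough for .pl here)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def hosts_querying_c2(log_lines, c2_domains=VIRUT_TAKEDOWN_DOMAINS):
    """Map client IP -> sorted list of C2 names it looked up (candidates for cleanup)."""
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()
        if base_domain(name) in c2_domains:
            hits[m.group("ip")].add(name)
    return {ip: sorted(names) for ip, names in hits.items()}


def sinkholed(resolutions, domains=VIRUT_TAKEDOWN_DOMAINS, sinkhole=SINKHOLE):
    """resolutions: {domain: [answer, ...]} from passive DNS or a resolver dump.
    Returns per-domain status: 'sinkholed', 'live' (answers elsewhere) or 'unresolved'."""
    status = {}
    for d in domains:
        answers = [a.rstrip(".").lower() for a in resolutions.get(d, [])]
        if sinkhole in answers:
            status[d] = "sinkholed"
        elif answers:
            status[d] = "live"
        else:
            status[d] = "unresolved"
    return status


# Constructed log lines: two internal hosts touch Virut domains, one is clean.
SAMPLE_LOG = [
    "17-Jan-2013 14:02:11.123 client 10.0.0.5#51234: query: ircgalaxy.pl IN A + (10.0.0.2)",
    "17-Jan-2013 14:02:12.001 client 10.0.0.5#51240: query: www.cnet.com IN A + (10.0.0.2)",
    "17-Jan-2013 14:05:40.555 client 10.0.0.9#40001: query: irc.zief.pl IN A + (10.0.0.2)",
    "17-Jan-2013 14:06:01.010 client 10.0.0.9#40002: query: ircgalaxy.pl IN A + (10.0.0.2)",
    "17-Jan-2013 14:07:00.000 client 10.0.0.12#33333: query: update.microsoft.com IN A + (10.0.0.2)",
]

# Constructed resolution data as it would look after NASK's redirection.
SAMPLE_RESOLUTIONS = {
    "ircgalaxy.pl": ["sinkhole.cert.pl."],
    "zief.pl": ["sinkhole.cert.pl"],
}

if __name__ == "__main__":
    print(hosts_querying_c2(SAMPLE_LOG))
    print(sinkholed(SAMPLE_RESOLUTIONS))
```

Hosts that queried the domains before the redirection were infected then and are still infected now unless cleaned; hosts that keep querying after the sinkhole is in place will show up in CERT Polska's sinkhole data and in these logs, which is why the post talks about notifying ISPs.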

Foxit PDF Vulnerability Patched - Mozilla Moves to Render PDFs Internally
by Carol~ Forum moderator / January 18, 2013 3:11 AM PST

A recently disclosed vulnerability in the Foxit PDF viewer has been patched in the latest software release. The issue, first discovered by Italian security researcher Andrea Micalizzi, centered on a code execution flaw that could have been exploited remotely.

According to Micalizzi, the flaw would allow an attacker to write to the memory location of their choosing. As mentioned previously, the vulnerability wasn't found within Foxit's software, but the DLL file that creates the link between Foxit and Firefox (npFoxitReaderPlugin.dll).

Foxit released an updated version of the vulnerable DLL file on the eleventh, but a fully patched download was released on Thursday.

The software firm is encouraging everyone to update. Foxit is a popular alternative to Adobe's PDF Reader, and the application often recommended as a more secure alternative. However, the continuous attacks on PDF-centric add-on software have led Mozilla to discuss plans to include a PDF reader as part of the core functions of their Firefox browser. "For a number of years there have been several plugins for viewing PDF's within Firefox. Many of these plugins come with proprietary closed source code that could potentially expose users to security vulnerabilities," a blog post from Mozilla, giving a slight poke to Adobe, explained.

Continued : http://www.securityweek.com/foxit-pdf-vulnerability-patched-mozilla-moves-render-pdfs-internally

Related: How to mitigate: Vulnerability reported in Foxit PDF plugin for Firefox

ESPN's ScoreCenter for iOS sends passwords in clear-text, susceptible to XSS flaw
by Carol~ Forum moderator / January 18, 2013 3:11 AM PST

Which mobile application do you use to check the scores of your favorite games? If that's ESPN's ScoreCenter for iOS, then you have a problem, and it's called a "false feeling of security".

According to Zscaler, the application is not only transmitting the accounting data in plain-text, but is also susceptible to an XSS flaw, allowing the potential injection of active content.

A logical question emerges - what would an attacker do with your ESPN member account in case it gets compromised by a malicious party that's sniffing for passwords across insecure networks, and is the scenario I'm about to discuss feasible enough for a real world fraudulent operation?

Once compromised, an ESPN account offers a potential attacker access to your birth date, as well as complete access to your groups and friends' lists, allowing the attacker to attempt launching fraudulent campaigns on your behalf, such as, disseminating links to client-side exploits and malware serving sites, campaigns directly impersonating ESPN, or "need cash now" type of scams.

Continued : http://www.zdnet.com/espns-scorecenter-for-ios-sends-passwords-in-clear-text-susceptible-to-xss-flaw-7000009976/

Also: Security vulnerabilities in ESPN ScoreCenter mobile app
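Both findings in the post are the kind a tester confirms from a traffic capture rather than from the app's UI. As an added example, not code from Zscaler or ZDNet, here is Python that parses constructed raw HTTP requests, labelled by whether they were captured on a plaintext connection or inside TLS, and reports sensitive form fields sent in the clear; a second function performs the usual reflected-XSS probe check (did a marker come back unescaped?). The host names login.example.com and scores.example.com, the paths and the credentials are constructed and are not ESPN's endpoints.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Parameter names that must never travel over a plaintext connection.
SENSITIVE = {"password", "passwd", "pwd", "pass", "pin"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def cleartext_credentials(captures):
    """captures: list of (transport, raw_request); transport is 'tcp' for plain
    port-80 traffic and 'tls' for HTTPS. Returns one finding per request that
    carries a sensitive field (query string or form body) over plaintext."""
    findings = []
    for transport, raw in captures:
        method, target, headers, body = parse_request(raw)
        url = urlsplit(target)
        params = dict(parse_qs(url.query))
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            params.update(parse_qs(body))
        fields = sorted(k for k in params if k.lower() in SENSITIVE)
        if fields and transport != "tls":
            findings.append({"host": headers.get("host"), "method": method,
                             "path": url.path, "fields": fields})
    return findings


def reflected_unescaped(marker, response_body):
    """True when a probe value containing markup comes back verbatim, i.e. the
    server did not HTML-escape it (html.escape(marker) would be the safe form)."""
    return marker in response_body and html.escape(marker, quote=True) != marker


# Constructed captures: the same login over plaintext and over TLS, plus a harmless GET.
LOGIN = ("POST /api/login HTTP/1.1\r\n"
         "Host: login.example.com\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n"
         "Content-Length: 30\r\n\r\n"
         "username=fan42&password=s3cret")
CAPTURES = [
    ("tcp", LOGIN),
    ("tcp", "GET /scores?league=nba HTTP/1.1\r\nHost: scores.example.com\r\n\r\n"),
    ("tls", LOGIN),
]

if __name__ == "__main__":
    for f in cleartext_credentials(CAPTURES):
        print(f"{f['method']} http://{f['host']}{f['path']} sends {f['fields']} in the clear")
    print(reflected_unescaped("<s>probe</s>", "<p>No results for <s>probe</s></p>"))
```

Only the plaintext copy of the login is reported; the identical request inside TLS is fine, which is the whole fix for the first issue. For the second, the probe marker should come back as `&lt;s&gt;probe&lt;/s&gt;`; if it comes back raw, whatever the app renders that response in (a web view, in this case) executes attacker-supplied markup.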
Silent installs of add-ons still possible in Firefox
by Carol~ Forum moderator / January 18, 2013 5:06 AM PST

A security researcher has demonstrated how it is still possible to silently install extensions, or as Mozilla calls them add-ons, for the open source Firefox web browser. In a blog post, Julien Sobrier of Zscaler detailed the process, which makes use of the fact that Firefox uses an SQLite3 database to maintain information about which add-ons are installed and, of those, which ones have been approved by the user.

This feature, introduced in Firefox 8, was designed to stop toolbars and other applications adding in their own add-ons without informing the user. Sobrier's technique shows though that the mechanism is relatively easy to overcome. Add-ons have privileged access to the browser and therefore a malicious add-on could do anything including stealing the user's history, modifying pages' contents or disabling security features in the browser. The add-on doesn't have to be malicious either, just unexpected; back in 2009 Mozilla found itself blocking a silently installed Microsoft extension which happened to expose Firefox users to a .NET Framework flaw. Without a user knowing what is installed, it becomes hard to react to security threats when they appear.

Continued : http://www.h-online.com/security/news/item/Silent-installs-of-add-ons-still-possible-in-Firefox-1787297.html
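The post's closing point, that you cannot react to what you do not know is installed, suggests the check an administrator can actually run. As an added example, not code from Zscaler or Mozilla, here is a Python audit that diffs the add-on table in a Firefox profile's extensions.sqlite against a baseline recorded on a known-good day. The table is modelled with a simplified schema: the real table has many more columns, and the column names used here (`location`, `userDisabled`, `isForeignInstall`) and the location name `winreg-app-global` are from memory, so treat them as assumptions. The rows are constructed, including one entry written straight into the database with flags that make it look user-approved, which is the technique the post describes. Because anyone who can write the file can set those flags, the audit trusts the change relative to the baseline, not the flags themselves.

```python
import sqlite3

# Simplified stand-in for the `addon` table in a Firefox profile's extensions.sqlite.
# Assumption: the real table has many more columns; only those the audit needs are
# modelled, and the column names are from memory rather than from the page.
SCHEMA = """
CREATE TABLE addon (
    id TEXT PRIMARY KEY,        -- add-on ID, e.g. name@vendor or a {GUID}
    location TEXT,              -- install location name
    version TEXT,
    userDisabled INTEGER,       -- 1 if the user disabled it
    isForeignInstall INTEGER    -- 1 if it was not installed through the Firefox UI
);
"""

# Constructed rows: a user-installed add-on, a vendor toolbar dropped by an
# installer, and an entry written straight into the database with flags that
# make it look user-approved (the silent-install technique described above).
SAMPLE_ROWS = [
    ("adblock@example.org", "app-profile", "2.2", 0, 0),
    ("vendor-toolbar@vendor.example", "winreg-app-global", "3.1", 0, 1),
    ("injected@attacker.example", "app-profile", "1.0", 0, 0),
]

# Inventory recorded on a known-good day (constructed); {id: version}.
BASELINE = {"adblock@example.org": "2.2", "vendor-toolbar@vendor.example": "3.1"}


def make_db(rows):
    """Build an in-memory copy of the table so the audit runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO addon VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def inventory(conn):
    """Return {id: {location, version, userDisabled, isForeignInstall}}."""
    rows = conn.execute(
        "SELECT id, location, version, userDisabled, isForeignInstall FROM addon")
    return {r[0]: {"location": r[1], "version": r[2],
                   "userDisabled": bool(r[3]), "isForeignInstall": bool(r[4])}
            for r in rows}


def audit(conn, baseline):
    """Diff the live table against a baseline kept outside the profile.
    The flags in the database can be set by whoever writes the file, so the
    trustworthy signal is the change itself, not what the flags claim."""
    current = inventory(conn)
    report = []
    for aid, info in current.items():
        if aid not in baseline:
            report.append((aid, "new add-on not in baseline"))
        elif baseline[aid] != info["version"]:
            report.append((aid, f"version changed {baseline[aid]} -> {info['version']}"))
        if info["isForeignInstall"] and not info["userDisabled"]:
            report.append((aid, "foreign install that is enabled"))
    for aid in baseline:
        if aid not in current:
            report.append((aid, "removed since baseline"))
    return sorted(report)


if __name__ == "__main__":
    for aid, note in audit(make_db(SAMPLE_ROWS), BASELINE):
        print(f"{aid}: {note}")
```

Against a real profile, replace make_db with sqlite3.connect on a copy of extensions.sqlite (copy it first; Firefox holds the file while running) and keep the baseline somewhere the browser's own process cannot write. The injected entry carries isForeignInstall = 0, so a check on the flags alone would pass it; only the comparison with the baseline catches it.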
