Spyware, Viruses, & Security forum


NEWS - March 06, 2013

by Carol~ Forum moderator / March 6, 2013 12:52 AM PST
Oracle releases new Java patch to address this week's McRat problem

Oracle has released an emergency Java patch addressing the latest in-the-wild exploit targeting the software. The company suggests users apply this update "as soon as possible" due to "the severity of these vulnerabilities." The full patch description and download is available through Oracle's Technology Network (you can also get the patch through the software's auto-update).

This particular vulnerability is being exploited to install a remote-access trojan dubbed McRat. The attacks targeted Java versions 1.6 Update 41 and 1.7 Update 15, which are the latest available releases of the widely used software. Security Editor Dan Goodin reported on the issue just three days ago, as attacks were being triggered when people with a vulnerable Java version visited a booby-trapped website.

It almost goes without saying—Java security has left something to be desired lately. High profile companies such as Facebook, Apple, and Twitter all fell at the hands of Java recently. These businesses disclosed that their computers were compromised by exploits later linked to a developer website hacked into a platform for Java exploits. Here at Ars, you can peruse nine separate stories involving Java exploits within the last month alone.


Oracle Updates Both Java 6, Java 7, Install Now!
Emergency Java Security Patch - Update Now!
Oracle plugs critical Java vulnerability it knew of in February
Mobile Malcoders Pay to (Google) Play
by Carol~ Forum moderator / March 6, 2013 12:55 AM PST
In reply to: NEWS - March 06, 2013

An explosion in malware targeting Android users is being fueled in part by a budding market for mobile malcode creation kits, as well as a brisk market for hijacked or fraudulent developer accounts at Google Play that can be used to disguise malware as legitimate apps for sale.

I recently encountered an Android malware developer on a semi-private Underweb forum who was actively buying up verified developer accounts at Google Play for $100 apiece. Google charges just $25 for Android developers who wish to sell their applications through the Google Play marketplace, but it also requires the accounts to be approved and tied to a specific domain. The buyer in this case is offering $100 for sellers willing to part with an active, verified Play account that is tied to a dedicated server.

Unsurprisingly, this particular entrepreneur also sells an Android SMS malware package that targets customers of Citibank, HSBC and ING, as well as 66 other financial institutions in Australia, France, India, Italy, Germany, New Zealand, Singapore, Spain, Switzerland and Turkey (the complete list is here). The targeted banks offer text messages as a form of multi-factor authentication, and this bot is designed to intercept all incoming SMS messages on infected Android phones.

Continued : https://krebsonsecurity.com/2013/03/mobile-malcoders-pay-to-google-play/

Google reports on non-court ordered FBI data requests
by Carol~ Forum moderator / March 6, 2013 12:55 AM PST
In reply to: NEWS - March 06, 2013

With every new Transparency Report that Google has released biannually since 2009, new information about data requests from government agencies is included.

This last report, which spans July to December 2012, contains vague data about National Security Letters. NSLs are a form of request for information that the FBI can make when they or other U.S. agencies are conducting national security investigations.

NSLs are an alternative to court-ordered warrants and subpoenas, and require only that the FBI director or another senior designee provide a written certification that the information requested is "relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities."

Continued : http://www.net-security.org/secworld.php?id=14559

Google Outs FBI National Security Letter Requests in Annual Transparency Report
Google For First Time Reports FBI Non-Warrant Requests for User Data

Seven-Year Facebook Study Warns of 'Silent Listeners'
by Carol~ Forum moderator / March 6, 2013 3:10 AM PST
In reply to: NEWS - March 06, 2013

Facebook users are sharing less information publicly, yet continue to share countless bits of information with what one group of researchers has dubbed "silent listeners."

The researchers, from Carnegie Mellon University, recently wrapped up the world's first multiyear, longitudinal privacy study of the site. The study relies on a slew of information harvested from Facebook users who were members of the school's network over the course of seven years.

In the corresponding paper, "Silent Listeners: The Evolution of Privacy and Disclosure on Facebook," (.PDF) researchers Alessandro Acquisti, Ralph Gross and Fred Stutzman analyze the security practices of 5,076 Facebook users over time, comprising what the researchers call the Carnegie Mellon Yearly Snapshot Dataset, a swathe of information taken from users of the site spanning Facebook's infancy in 2005 through the site's rapid public expansion to 2011.

Across that time it was found that users gradually began to limit how much personal information they divulged on the internet, as most individuals elected to share less information with unconnected, public profiles. [Screenshot]

Continued: https://threatpost.com/en_us/blogs/seven-year-facebook-study-warns-silent-listeners-030613

The Chinese Time Bomb
by Carol~ Forum moderator / March 6, 2013 3:10 AM PST
In reply to: NEWS - March 06, 2013

From the Seculert blog:

At Seculert, when we analyze a targeted attack, we are trying to help our customers understand the intention of the attackers, as we look how the attack evolves over time. In some cases, understanding the intention behind the attack requires attribution to a specific group or region.

For instance, with the Mahdi campaign, we were able to find that the attackers were fluent in Farsi and even used a Persian calendar in the communication with the C2 (Command & Control) server.

Two weeks ago, Mandiant revealed that multiple attacks throughout the recent years are presumably attributed to one group of attackers, unit 61398 in the Chinese PLA. Two days later, we discovered two different spear-phishing attacks which were using a fake Mandiant report to target Japanese and Chinese journalists.

Today, we would like to add additional interesting information in regards to the targeted attack against the Japanese.

Continued : http://blog.seculert.com/2013/03/the-chinese-time-bomb.html

Malware linked to Chinese hackers aims at Japanese government
APT1-Themed Spear Phishing Campaign Linked to China

New exploit kit concentrates on Java flaws
by Carol~ Forum moderator / March 6, 2013 3:10 AM PST
In reply to: NEWS - March 06, 2013

Webroot's Dancho Danchev is known for combing through the wilds of the Internet for places where cyber criminals congregate and reporting back with interesting news about tools and services offered for sale.

Among those is a brand new exploit kit that, for now, concentrates only on exploiting Java flaws. The vulnerabilities in question are CVE-2012-1723 and CVE-2013-0431, but more exploits are to be added soon, say its creators.

Cyber crooks can rent the kit for 24 hours, a week or a month, paying respectively $40, $150 and $450 for the service. But, is it worth it?

The infection rate for a campaign using this kit is 9.5 percent, which is considerably lower than that promised by sellers of more popular - and versatile - exploit kits.

In terms of innovation, there's not much to note.

"For the time being, customers can choose whether they want to manually rotate the client-side exploit-serving domains/IPs, or whether they'd want the cybercriminals selling the kit to do it for them as a managed service. Customers of the exploit kit will also receive notifications once their domains start getting detected by security vendors, through the Domain Check service," says Danchev.

Continued : http://www.net-security.org/secworld.php?id=14550

Java malware spotted using stolen certificate
by Carol~ Forum moderator / March 6, 2013 4:12 AM PST
In reply to: NEWS - March 06, 2013

March 5, 2013

If you haven't already applied the latest Java patch (issued yesterday), here's another good reason to do so: someone has turned up an exploit that uses signed code.

In this post, Eric Romang looks at a malicious applet that comes with a signature using credentials stolen from Clearesult Consulting in the US.

The stolen private key was posted to Pastebin. Even though the applet is using a now-revoked certificate, it seems that it's up to the user to check the revocation lists. Otherwise, if they trusted the assertion that the applet is signed, they would be well on the way to an infection.

The malicious applet probably had only limited exposure, since it was hosted at a German dictionary (http://dict.tu-chemnitz.de/) site that was infected with the g01pack exploit kit.

However, according to the Twitter message that first raised the alarm, the exploit was spotted on a machine running the version of Java that Oracle made obsolete yesterday (March 4, US time).

Continued : http://www.theregister.co.uk/2013/03/05/java_self_signed_exploit_spotted/

Attackers Beat Java Default Security Settings with Social Engineering
Malicious Java applet uses stolen certificate to run automatically

Yahoo Mail Accounts Have Been Getting Hacked for Months
by Carol~ Forum moderator / March 6, 2013 7:24 AM PST
In reply to: NEWS - March 06, 2013
Despite its efforts to fix vulnerabilities, Yahoo's Mail users continue reporting hacking incidents

Yahoo Mail users have been seeing their accounts broken into for months. While Yahoo says it has plugged at least two separate security holes leading to accounts getting hijacked, it appears the problem persists.

It's unclear how long these attacks have been going on for, though we did first report Yahoo Mail users were seeing their accounts compromised back in early January. We're now in March, and it appears that Yahoo still has a big problem on its hands.

Not only are we still getting reports from individual Yahoo users about their accounts getting hacked, but we are seeing spikes in traffic from Google to our previous stories. We believe these clicks represent a rise in users realizing their inboxes have been hijacked after hackers send out a bunch of emails from already compromised accounts.

Continued: http://thenextweb.com/insider/2013/03/06/despite-its-efforts-to-fix-vulnerabilities-yahoos-mail-users-continue-reporting-hacking-incidents/
Google Hardens Chrome Ahead of Hacking Contests
by Carol~ Forum moderator / March 6, 2013 7:25 AM PST
In reply to: NEWS - March 06, 2013

With millions of dollars on the line, Google took the smart money this week and patched Chrome ahead of today's Pwn2Own and Pwnium competitions at the CanSecWest conference taking place this week in Vancouver.

The search and development giant fixed 10 flaws on Monday, which may help it outlast attacks as hackers compete to earn $100,000 for cracking a current version of Chrome on a Windows 7 laptop. This is in addition to the $3.14 (get it?) million that Google has offered up for their Pwnium contest, for researchers who can bust the Chrome operating system. Of the flaws patched on Monday, six of them were listed as High on the severity scale, four of those earning bounty awards of up to $2,000.

It's unknown if Google's move will help them beat the researchers gunning for them, but they're not alone. Microsoft patched Internet Explorer, the low hanging fruit of the contest, and Mozilla hardened Firefox some last month too. CanSecWest has more than $500,000 up for grabs this year, so in addition to the browsers, contestants are encouraged to attack Java and Adobe products.

Continued : http://www.securityweek.com/google-hardens-chrome-ahead-hacking-contests

Find a new way of exploiting Chrome, IE, Java, etc.. and you could win millions of dollars
Google blats bugs in Chrome - days before $560k hacking contest

Russian ransomware takes advantage of Windows PowerShell
by Carol~ Forum moderator / March 6, 2013 7:25 AM PST
In reply to: NEWS - March 06, 2013

For us in SophosLabs, ransomware is a common sight. We see many different versions every day. But, as is to be expected, the authors occasionally think up a new gimmick that makes us take notice. This is one of those cases.

Recently we received a ransomware sample from one of our customers, which immediately piqued our interest as it used Windows PowerShell program to perform file encryption.

For those who may not be aware, Windows PowerShell is a scripting language from Microsoft designed to help system administrators automate some of the tasks required to run a Windows network. It's included with Windows 7 and later but can be installed on earlier Windows operating systems too.

This latest ransomware uses this Windows PowerShell program to perform file encryption using "Rijndael symmetric key encryption". This variant also targets Russian users with a ransom message displayed in the Russian language.

Here's how this ransomware works:

Continued : http://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/
