Spyware, Viruses, & Security forum


NEWS - May 13, 2013

by Carol~ Forum moderator 2 / May 13, 2013 4:01 AM PDT
Updated data shows prevalence of Java malware in 2012

From the Microsoft Malware Protection Center Blog:

Recently we released the Microsoft Security Intelligence Report volume 14. The report initially presented data showing reduced Java malware detections in Q3 2012 and gaining prevalence in Q4 of 2012. During a later review of the backend data, we found that we were missing some detection counts from our initial calculations. We have revised the data, and Figure 1 shows the updated graph. [Screenshot :Figure 1. Machine count of detections for each exploit categories]

From Figure 1, what we can see clearly is the sudden rise in Java exploitation, as explained in the conclusion. As the HTML/JS category is usually used in delivering other exploit vectors (for example, Blacole pages leading to other Java and PDF, SWF exploits), Java malware is the most prevalent exploit vector that actually tries to exploit vulnerabilities in the software since 2011 .

Figure 2 shows the breakdown of individual Java exploits. In 2012 we saw four different Java vulnerabilities were used most, CVE-2012-1723, CVE-2012-0507, CVE-2012-4681, CVE-2012-5076. Details or guidelines for each vulnerability are available in the following articles:

Continued : https://blogs.technet.com/b/mmpc/archive/2013/05/12/updated-data-shows-prevalence-of-java-malware-in-2012.aspx
Post a reply
Discussion is locked
You are posting a reply to: NEWS - May 13, 2013
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: NEWS - May 13, 2013
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Browser extension hijacks Facebook profiles
by Carol~ Forum moderator 2 / May 13, 2013 4:07 AM PDT
In reply to: NEWS - May 13, 2013

From the Microsoft Malware Protection Center Blog:

We have received reports about a wave of malicious browser extensions trying to hijack Facebook profiles. This threat was first discovered in Brazil. We detect it as Trojan:JS/Febipos.A. The malware is a malicious browser extension specifically targeting Chrome and Mozilla Firefox.

When installed, it attempts to update itself using the following URLs:

Chrome browser:


Mozilla Firefox browser:


Note: Updated versions of this threat have been verified and are still detected as Trojan:JS/Febipos.A.

To begin with, this Trojan monitors a user to see if they are currently logged-in to Facebook. It then attempts to get a configuration file from the website <removed>.info/sqlvarbr.php. The file includes a list of commands of what the browser extension will do.

Depending on the file, this malware can do any of the following in the Facebook profile of an infected system:

Continued : http://blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx

Collapse -
DDoS Services Advertise Openly, Take PayPal
by Carol~ Forum moderator 2 / May 13, 2013 4:40 AM PDT
In reply to: NEWS - May 13, 2013

The past few years have brought a proliferation of online services that can be hired to knock Web sites and individual Internet users offline. Once only found advertised in shadowy underground forums, many of today's so-called "booter" or "stresser" services are operated by U.S. citizens who openly advertise their services while hiding behind legally dubious disclaimers. Oh, and they nearly all rely on Paypal to receive payments.

Many of these booter sites are based on the same source code, meaning that any vulnerabilities in that code can be used to siphon data from the back-end databases of multiple, competing services. This happened in March to booter.tw, a service that was used to launch a volley of attacks against this blog, among others.

Today we'll be taking a closer look at another booter service whose customer database was recently leaked: asylumstresser.com (a.k.a. asylumbooter.com/net/us). Like other booter services, asylumstresser.com isn't designed to take down large Web sites that are accustomed to dealing with massive attacks from Internet extortionists. But these services can and are used to sideline medium-sized sites, although their most common targets are online gaming servers.

Continued : http://krebsonsecurity.com/2013/05/ddos-services-advertise-openly-take-paypal/

Collapse -
Font apps on Google Play deliver spyware
by Carol~ Forum moderator 2 / May 13, 2013 4:40 AM PDT
In reply to: NEWS - May 13, 2013

Everybody should know by now that downloading apps from Google Play is not as safe as we all would like. Admittedly, the probability of downloading malware is much smaller than on third party online Android markets, but it still exists.

Webroot researchers have recently unearthed two apps that install additional fonts on an Android device, but also offer a way in for spyware.

The apps in question, Free Galaxy Classic Fonts and Galaxy Fonts, have since been removed from Google Play, but are still offered on their developer's official website.

Once the user downloads and runs one of the apps, and requests it to download and implement a new font, the app downloads the ikno.apk file - a spying app that forwards SMS, call logs, and location information to a web portal where the person doing the spying can review the information.

Continued: http://www.net-security.org/malware_news.php?id=2488

Also: Android Font Apps Hosted on Google Play Install Spyware

Collapse -
Report: U.S. cyberwar strategy stokes fear of blowback
by Carol~ Forum moderator 2 / May 13, 2013 4:42 AM PDT
In reply to: NEWS - May 13, 2013

Even as the U.S. government confronts rival powers over widespread Internet espionage, it has become the biggest buyer in a burgeoning gray market where hackers and security firms sell tools for breaking into computers.

The strategy is spurring concern in the technology industry and intelligence community that Washington is in effect encouraging hacking and failing to disclose to software companies and customers the vulnerabilities exploited by the purchased hacks.

That's because U.S. intelligence and military agencies aren't buying the tools primarily to fend off attacks. Rather, they are using the tools to infiltrate computer networks overseas, leaving behind spy programs and cyber-weapons that can disrupt data or damage systems.

The core problem: Spy tools and cyber-weapons rely on vulnerabilities in existing software programs, and these hacks would be much less useful to the government if the flaws were exposed through public warnings. So the more the government spends on offensive techniques, the greater its interest in making sure that security holes in widely used software remain unrepaired.

Continued : http://www.reuters.com/article/2013/05/10/us-usa-cyberweapons-specialreport-idUSBRE9490EL20130510

Related: U.S. government becomes 'biggest buyer' of malware

Collapse -
USAID Workers Also Targeted by DoL Watering Hole Attackers
by Carol~ Forum moderator 2 / May 13, 2013 5:21 AM PDT
In reply to: NEWS - May 13, 2013

One of the nine sites serving malware tied to the recent watering hole attack on the U.S. Department of Labor was located in Cambodia and has ties to the United States Agency for International Development (USAID).

Speculation has it that the DoL attack was targeting downstream employees at the Department of Energy who work on nuclear weapons programs. This site, meanwhile, was apparently after employees of USAID, which is a federal organizations that funnels assistance to impoverished or oppressed nations.

Researcher Eric Romang found a connection to University Research Co. of Cambodia, a USAID partner in that country, and the dol[.]ns01[.]us backend serving malware to visitors of the DoL's Site Matrices Exposures website. The sites were compromised and serving javascript that redirects victims using Internet Explorer 8 to sites where additional malware, such as the Poison Ivy remote access Trojan, is downloaded and backdoor connections are established. The IE 8 zero day vulnerability, CVE-2013-1347, is expected to be patched tomorrow by Microsoft, which released a Fix It temporary mitigation last Thursday.

Continued: http://threatpost.com/usaid-workers-also-targeted-by-dol-watering-hole-attackers/

Collapse -
Bloomberg Apologises Over 'Inexcusable' Access To Client..
by Carol~ Forum moderator 2 / May 13, 2013 5:21 AM PDT
In reply to: NEWS - May 13, 2013
... Information

"After a complaint from Goldman Sachs, Bloomberg says it is sorry it let workers access data on clients to guide news coverage"

Bloomberg News has admitted some of its journalists could access client information from terminals used for market updates, after claims employees used the data to guide their coverage and chase leads.

Goldman Sachs had complained about the practice last month, leading Bloomberg to change its policy.

According to a person familiar with the matter, the investment banking firm became concerned when a Bloomberg reporter, contacted them to investigate what she believed was the departure of a Goldman employee. Her interest had apparently been sparked because the worker had not accessed a Bloomberg terminal for a number of weeks, AP reported.

For Bloomberg's journalists to access this information would be a breach of customer privacy, Goldman complained.

Continued: http://www.techweekeurope.co.uk/news/bloomberg-goldman-sachs-data-privacy-breach-115998

Also: Bloomberg Journalists Accused of Spying on Customers [Bloomberg]
Collapse -
Police unable to decrypt iPhones, asks Apple to do it
by Carol~ Forum moderator 2 / May 13, 2013 5:21 AM PDT
In reply to: NEWS - May 13, 2013

Court documents from a drug trial in Kentucky have revealed that the U.S. federal Bureau of Alcohol, Tobacco, Firearms and Explosives nor any other U.S. local, state, or federal law enforcement agency are able to break the hardware encryption on an iPhone 4S device or higher, so they have resorted to asking Apple to do it for them.

In fact, the move is so popular with law enforcement agencies, that Apple has been forced to create a "waiting list" to handle all requests.

In this particular case the agents had to wait at least seven weeks for their request to be handled, and the whole process seems to have taken at least four months.

It is also largely unknown how Apple does it - it is only confirmed that once Apple analysts bypass the passcode, they download the (probably decrypted) contents of the phone to an external memory device and ship it to the law enforcement agency that requested it.

Continued : http://www.net-security.org/secworld.php?id=14899

Collapse -
Lookout targets privacy-invading mobile ad networks
by Carol~ Forum moderator 2 / May 13, 2013 7:10 AM PDT
In reply to: NEWS - May 13, 2013

Mobile security vendor Lookout plans to start flagging as adware mobile apps that use aggressive ad networks if they don't obtain explicit consent from users before engaging in behavior that potentially invades privacy.

Ad networks, advertisers and app developers have until June 24 to start conforming to the company's set of privacy and security best practices for mobile app advertising if they want to avoid being blacklisted.

"In 45 days, Lookout will classify as adware, ad networks that do not request explicit and unambiguous user consent for the following actions: display advertising outside of the normal in-app experience; harvesting unusual personally identifiable information; perform unexpected actions as a response to ad clicks," Jeremy Linden, security product manager at Lookout, said Friday in a blog post.

According to a study released by Bitdefender in March, the number of adware apps for Android devices increased by 61 percent during a five-month period ending in January. In the U.S. in particular, the number of adware apps increased by 35 percent during the same period.

Continued: http://www.pcworld.com/article/2038608/lookout-will-intercept-privacyinvading-mobile-ad-networks-apps.html

Collapse -
Adblock Plus hits back at German newspapers urging readers..
by Carol~ Forum moderator 2 / May 13, 2013 7:10 AM PDT
In reply to: NEWS - May 13, 2013
Adblock Plus hits back at German newspapers urging readers to disable the free-to-use ad blocker

Adblock Plus, a free-to-use service that blocks unwanted adverts across the Web, has responded to a number of news outlets in Germany that are encouraging their readers to disable the free-to-use adblocker on their respective sites.

Spiegel Online, Sueddeutsche.de, Faz.net, Zeit, Golem.de and RP Online launched a joint campaign asking users to abandon the tool, or at the very least setup an exception rule for their particular site.

The top of the Spiegel Online front page says (translated): "Spiegel Online is for you free of charge. We're entirely funded by advertising. Adblocker means for us that we do not get paid for our work. We therefore ask you to refrain from Adblocker or allow an exception rule for Spiegel Online."

A link then redirects users to a separate webpage explaining, in detail, how they can set up an exception rule for any of the supported browsers.

Till Faida, co-founder of Adblock Plus, defended the service and said it was "part of the solution, not the problem."

Continued : http://thenextweb.com/insider/2013/05/13/adblock-plus-hits-back-at-german-newspapers-urging-readers-to-disable-their-ad-blocker/
Collapse -
A Phone Call, a Phish, and a Remote Access Trojan
by Carol~ Forum moderator 2 / May 13, 2013 7:10 AM PDT
In reply to: NEWS - May 13, 2013

From the Symantec Security Response Blog:

In April 2013, Symantec was alerted to a series of sophisticated social-engineering attacks targeting a limited set of organizations in Europe. The most distinguishing feature of these attacks is that the victim will receive a phone call from the attacker who impersonates an employee or business associate of the organization. The caller spoke in French and asked the victim to process an invoice that they were to receive in an email.

Here is an example of an email that was received during one of the attacks. The email typically contains a malicious link or an attachment, which is actually a variant of W32.Shadesrat, a Remote Access Trojan (RAT). [Screenshot]

There is evidence to suggest that these attacks began as early as February 2013, however, it was only more recently in April that phone calls were being placed prior to sending the victim the phishing email. The attacks are currently localized to French organizations but have also included subsidiaries that operate outside of France. [Screenshot]

Continued : http://www.symantec.com/connect/blogs/phone-call-phish-and-remote-access-trojan

Popular Forums
Computer Help 49,613 discussions
Computer Newbies 10,349 discussions
Laptops 19,436 discussions
Security 30,426 discussions
TVs & Home Theaters 20,308 discussions
Windows 10 360 discussions
Phones 15,802 discussions
Windows 7 7,351 discussions
Networking & Wireless 14,641 discussions

CNET Holiday Gift Guide

Looking for great gifts under $100?

Trendy tech gifts don't require a hefty price tag. Choose from these CNET-recommended useful and high-quality gadgets.