
NEWS - April 06, 2010

GhostNet 2.0 espionage network uses cloud services

Espionage network GhostNet, first identified about a year ago, is much larger and more sophisticated than previously assumed. This is according to a study entitled "Shadows in the Cloud", released today (Tuesday) by the Munk Centre for International Studies, the Information Warfare Monitor, the SecDev Group and the Shadowserver Foundation. GhostNet is essentially a botnet for distributing and controlling spyware.

In March 2009, whilst investigating a computer system belonging to the Tibetan government-in-exile in India, researchers at the Toronto-based Munk Centre for International Studies discovered the largest computer-controlled espionage network ever seen. The network, which they dubbed GhostNet, was controlled almost exclusively by computers located in China and had infiltrated 1,295 computers in 103 countries over a two-year period.

Continued here:

Vietnam denies involvement with cyberattacks

The Vietnam government dismissed what it called "groundless" accusations that it was involved in recent cyberattacks used to intimidate opponents of a mining project in Vietnam.

Malware disguised as a popular Vietnamese-language keyboard driver was used to create a botnet that targeted blogs rallying against a bauxite mining project in Vietnam, according to blog posts from Google's Neel Mehta and McAfee Chief Technical Officer George Kurtz.

"The perpetrators may have political motivations and may have some allegiance to the government of the Socialist Republic of Vietnam," Kurtz said in his blog.

"The comments are groundless," Foreign Ministry spokesperson Nguyen Phuong Nga said in a statement posted to the Ministry's Web site Monday. "We have on many occasions clearly expounded our view on issues relating to access to and use of information and information technology, including the Internet. Vietnam law puts in place specific antivirus and malware regulations and information security and confidentiality."

Continued here:

iPad launch marred by technical glitches

Apple sold more than 300,000 iPads on the tablet computer's first day in stores, the company said yesterday, but reports claimed that some users had problems connecting to wi-fi networks.

New owners posted comments on Apple forums saying that their iPad had little or no wi-fi signal, where other devices worked fine.

The initial version of the touchscreen tablet computer connects to the internet only via wi-fi. Commentators have speculated that the problem could be a weak wi-fi antenna, located behind the logo on the back of the iPad.

"Casa de Trevino" from California said: "Having same problem with wi-fi being weak and constantly fluctuating. I have to keep entering my password to regain access to my network after having lost a signal. Two iPhones and two MacBooks showing full signal with no interrupts. Certainly hope this is fixable. Too pricey of a toy for it to have this issue right out of box."

Continued here:

Privacy service knocked offline by 'no bullsh*t' registrar

"GoogleSharing kneecapped by"

A recently launched anonymization service suffered a setback last week when, a France-based registrar that bills itself as a "no bullsh*t company," revoked its secure sockets layer certificate without warning.

Last week's move against GoogleSharing caused its 30,000 users to instantly lose service, according to Moxie Marlinspike, the hacker who announced the anonymization proxy in mid January. It took him four days to get the site operational again, and by then, the vast majority of those users had stopped using the service.

In an email sent more than 24 hours later, a member of's abuse department said the certificate was revoked "due to multiple and deliberate serious breaches" of the registrar's terms of service. Specifically, the violations were incorrect information provided to's Whois database, a trademark violation for the unauthorized use of "google" in the domain name and the use of the certificate for unspecified "fraudulent activities."

Continued here:

Things You Need to Remember About DOWNAD/Conficker

From the TrendLabs Malware Blog:

A year after the much-hyped April 1st D-day for DOWNAD/Conficker, the world can only hope that it has heard the last of the notorious network worm. As we have seen, DOWNAD variants have effectively infected millions of systems and paralyzed networks in just a matter of months. And while there seems to be very little news on DOWNAD recently, users are still advised to adhere to best computing practices and to implement necessary preventive measures.

As a timely reminder of the extent of this network worm's capabilities, here is a rundown of the important things we need to remember about DOWNAD.

DOWNAD can infect an entire network through a single machine. In most cases, all it takes is a single unpatched system for the worm to infect an entire network. It is thus crucial that each and every system is updated with the appropriate patch for the Microsoft OS vulnerability exploited by each threat.

DOWNAD can attack in more ways than one. There are several ways by which a system (and consequently an entire network) can get infected by DOWNAD. It may arrive via a malicious URL, a spammed message, or a removable drive...

Continued here:

iPad Spam has entered the building

From the Sunbelt Blog:

It was only a matter of time before the merest of "iPad" mentions on sites such as Twitter would result in autospammed messages like this: [...]

These bots will fire a message claiming "we need someone to test and keep one iPad" (or simply "Free iPad here") to anyone discussing the latest gadget to hit the streets, sending you to various promotional sites like the one below: [...]

You'll have to fill in a big chunk of personal information and "receive the incentive gift package by completing two reward offers from each of the Top, Prime and Premium reward offer page options. Completion of reward offers most often requires a purchase or filing a credit application and being accepted for a financial product such as a credit card or consumer loan."

Continued here:

Windows 7 grabs 10 percent of OS market

"Microsoft boasts steady growth"

Windows 7 reached the 10% usage share milestone almost a year faster than its berated predecessor Vista, web analytics company said yesterday. But the growth of Windows 7 has yet to have an impact on Microsoft's overall share, which returned to its usual downward trend last month after a one-month advance. Windows dropped to a 91.6% share, down half a percentage point from February.

The new OS again grabbed share from both Windows XP and Vista, with the former losing twice as much as the latter. Windows XP slid to 64.5%, down a full point, while Vista lost 0.5 of a percentage point to end at 16%.

Windows Vista appears to be on a fast slide to nowhere: March was the fifth consecutive month that the beleaguered edition lost share, and the sixth month of the last seven in which it did so. If Vista maintains its trajectory from the last three months, it will drop under 10% before the end of this year. Windows 7 and Vista's paths should cross in June 2010, when the former is projected to become Microsoft's second-most-used operating system.

Continued here:

PDF security hole opens can of worms

"Proof of concept out"

The security perils of PDF files have been further highlighted by new research illustrating how a manipulated file might be used to infect other PDF files on a system.

Jeremy Conway, an application security researcher at NitroSecurity, said the attack scenario he has discovered shows PDFs are "wormable". Computer viruses are capable, by definition, of overwriting other files to spread. Conway's research is chiefly notable for illustrating how a benign PDF file might become infected using features supported by PDF specification, not a software vulnerability as such, and without the use of external binaries or JavaScript.

The "wormable PDF" research comes days after another security researcher, Didier Stevens, showed how it was possible to both embed malicious executables in PDFs and manipulate pop-up dialog boxes to trick victims into running a malicious payload. Both Adobe and FoxIT are working on a fix against the security shortcomings in their respective PDF viewing packages illustrated by the research.

Continued here:

No, Facebook isn't about to start charging a monthly fee

From Graham Cluley's Blog:

Don't panic! Facebook isn't about to start charging you a monthly fee to use Facebook from July 9th 2010, but there are undoubtedly some scammers who would like you to believe that that's true.

Yesterday I received an update from one of my Facebook friends, informing me that she had joined a group called:


Account notification email warning? Don't follow the instructions

If you're returning to an overflowing inbox after the Easter holiday weekend, make sure that you don't fall for the latest scam being distributed widely by spammers.

Emails claiming that recipients' accounts have been temporarily suspended are being seen around the world today, attempting to trick users into believing that their email account has been accessed by somebody else.

The spammed-out emails try to hoodwink users into running the attached file ( which is, predictably, carrying a malicious payload.

Dear Customer,

This e-mail was send by to notify you that we have temporanly prevented access to your account.

We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions


In an attempt to make the email more convincing, the attackers reference the domain name (for instance, used by the recipients' email account in the emails they are spamming out.

Continued here:

Blunder reveals Gordon Brown's email address

"Leak on election day one."

With the UK election campaign barely hours old, a government official has gaffed by revealing the private email addresses of many senior politicians to journalists.

The data accident happened in an email sent out without using the BCC (blind courtesy copy) feature to lobby journalists, giving the Downing Street official's contact details for use during the forthcoming campaign.

The email embedded the full address list in open text, which made public the email contacts of an unnamed but long list of members of the government who were also sent the email, reportedly including Prime Minister Gordon Brown himself.

Of all the journalists to inadvertently spread such information to, lobby journalists are probably the least worst option. The point of lobby journalists is to take unattributed briefings from government officials, a system that has been widely criticised for its secrecy and the degree to which governments can use it to scheme and manipulate.

Continued here:

New BlackEnergy Trojan Targeting Russian, Ukrainian Banks

"Botnet lets attackers steal online banking credentials and DDoS Russian and Ukrainian banks"

Russian hackers have written a more sophisticated version of the infamous BlackEnergy Trojan associated with the 2008 cyberattacks against Georgia that now targets Russian and Ukrainian online banking customers.

Joe Stewart, a security researcher with SecureWorks, says Russian hackers are using the Trojan spread via the BlackEnergy botnet to hit Russian and Ukrainian banks with a two-pronged attack that steals their customers' online banking credentials and then wages a distributed denial-of-service (DDoS) attack on the banks as a cover: "They may be emptying the bank accounts while the banks are busy cleaning up from the DDoS," Stewart says.

Dubbed by Stewart as "BlackEnergy 2," this new version of the Trojan is a full rewrite of the code that features a modular architecture that supports plug-ins that can be written without access to its source code. It currently comes with three different DDoS plug-ins, as well as one for spamming and two for online banking fraud, according to Stewart.

Continued here:

e-Banking Guidance for Banks & Businesses

From Krebs on Security:

One bit of criticism I've heard about my stories on small businesses losing their shirts over online banking fraud is that I don't often enough point out what banks and customers should be doing differently to lessen the chance of suffering one of these incidents. As it happens, a source of mine was recently at a conference where one of the key speakers was a senior official from the Office of the Comptroller of the Currency, one of the main banking industry regulators.

The official had been asked to speak about steps that banks and businesses can take to stem the rash of online banking fraud against small to mid-sized businesses. The speaker was trying to get across to financial institutions the types of security measures that bank examiners will be looking for in upcoming inspections. But the highlights of his talk offer sound advice for businesses as well, and they give company owners some ideas about key questions to ask when shopping around for a bank that takes customer security seriously.

Continued here:

Computer Crooks Steal $100,000 from Ill. Town

From Krebs on Security:

A rash of home foreclosures and abandoned dwellings had already taken its toll on the tax revenue for the Village of Summit, a town of 10,000 just outside Chicago. Then, in March, computer crooks broke into the town's online bank account, making off with nearly $100,000.

"As little as we are, $100,000 represents a good chunk of money, and it hurts," said Judy Rivera, the town's administrator. "We were already on a very lean budget, because the tax money just isn't coming in."

Summit is just the latest in a string of towns, cities, counties and municipalities across America that have seen their coffers cleaned out by organized thieves who specialize in looting online bank accounts. Recently, crooks stole $100,000 from the New Jersey township of Egg Harbor; $130,000 from a public water utility in Arkansas; $378,000 from a New York town; $160,000 from a Florida public library; $500,000 from a New York middle school district; $415,000 from a Kentucky county (this is far from a comprehensive list).

Continued here:

RSA says it fathered orphan credential in Firefox, Mac OS

"Ultra-sensitive root cert no longer homeless"

Digital certificate authority RSA Security on Tuesday acknowledged it issued a root authentication credential shipped in the Mac operating system and Mozilla web browsers and email programs, ending four days of confusion about who controlled the ultra-sensitive document.

The "RSA Security 1024 V3" certificate is a master credential that can be used to digitally validate the certificates of an unlimited number of websites and email servers. It's one of several dozen "certificate authority certificates" that by default are shipped with Mac OS X and Mozilla's Firefox browser and Thunderbird email client. It's valid from 2001 to 2026.

But until a few minutes after this article was first published, no one knew who issued or controlled the credential. Both RSA and competing certificate issuer VeriSign previously said it wasn't theirs. Further compounding the mystery, recent audits of certificate authority credentials made no reference to it, according to this bug report posted to Mozilla's website for developers and a follow-up post on Google Groups.

Continued here:

Spy Network Pilfered Classified Docs From Indian Government

In addition to the first news item (GhostNet 2.0 espionage network uses cloud services):

Spy Network Pilfered Classified Docs From Indian Government and Others

A spy network targeting government networks in India and other countries has been pilfering highly classified and other sensitive documents related to missile systems, the movement of military forces and relations among countries, according to a report released Tuesday.

It also grabbed nearly a year's worth of personal correspondence from the Dalai Lama's office, even after reports published last year indicated that the Dalai Lama's network had been compromised in what is believed to be a separate breach.

The researchers say the spying is an example of a sophisticated shift that has occurred in malware networks from "what were once primarily simple to increasingly complex, adaptive systems spread across redundant services and platforms" and from ones that primarily focused on exploitation for criminal purposes to ones that are focused on "political, military, and intelligence-focused espionage."

Continued here:
