General discussion

NEWS - April 12, 2010

Chinese ISP 'hijacks' bits of the web

According to reports, a configuration error on a Border Gateway Protocol (BGP) router resulted in IDC China, a small Chinese ISP, briefly declaring itself responsible for routing to around 37,000 IP networks. The Border Gateway Protocol is used by routers to indicate which networks (autonomous systems, AS) they are responsible for and which other networks they can access.

The networks (BGP prefixes) to which the Chinese ISP announced routes primarily belonged to ISPs in the US and China. The affected networks are reported to have included Dell, CNN, Apple, www.amazon.de, www.rapidshare.com and www.geocities.jp.

On attempting to visit affected websites, some users found themselves directed to the Chinese ISP's network. According to BGPmon.net, Deutsche Telekom also temporarily adopted the erroneous routes, but because existing known routes to the networks in question were generally shorter, in most cases the packets were not misdirected via IDC China. BGPmon.net reports that this was also the case for the majority of US ISPs. Users in Asia are likely to have been most affected by the problem.

Continued here: http://www.h-online.com/security/news/item/Chinese-ISP-hijacks-bits-of-the-web-975344.html

Also See: Glitch diverts net traffic through Chinese ISP
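
The behaviour reported above, as an added example that is not part of the original post or the linked article: a monitor that flags announcements whose origin AS differs from a known baseline, and a simplified route selection showing why a network with a shorter legitimate path was not diverted. The prefixes and AS numbers are constructed from documentation ranges, and the decision process is reduced to AS-path length only, which is an assumption.

```python
from ipaddress import ip_network

# Constructed baseline: prefix -> legitimate origin AS.
# Prefixes and AS numbers are documentation/reserved values, not real networks.
EXPECTED_ORIGIN = {
    ip_network("192.0.2.0/24"): 64500,
    ip_network("198.51.100.0/24"): 64501,
}

def origin(as_path):
    """The origin AS is the last entry of the AS path."""
    return as_path[-1]

def origin_conflicts(announcements, expected=EXPECTED_ORIGIN):
    """Flag announcements (including more-specifics) whose origin AS
    differs from the baseline. Returns (prefix, expected_as, seen_as)."""
    alerts = []
    for prefix, as_path in announcements:
        net = ip_network(prefix)
        for known, expected_as in expected.items():
            if net.subnet_of(known) and origin(as_path) != expected_as:
                alerts.append((prefix, expected_as, origin(as_path)))
    return alerts

def best_path(paths):
    """Simplified BGP decision for one prefix: shortest AS path wins,
    ties keep the first-learned route. Real routers compare local
    preference and other attributes first; that is left out here."""
    return min(paths, key=len)

def diverted(prefix, paths, expected=EXPECTED_ORIGIN):
    """True if the selected route leads to an unexpected origin AS."""
    return origin(best_path(paths)) != expected[ip_network(prefix)]

# Constructed views of 192.0.2.0/24; AS 64499 plays the misconfigured origin.
NEAR_VIEW = [[64510, 64500], [64511, 64505, 64499]]        # legitimate path shorter
FAR_VIEW = [[64510, 64508, 64507, 64500], [64511, 64499]]  # bogus path shorter

FEED = [
    ("192.0.2.0/24", [64510, 64500]),
    ("192.0.2.0/24", [64511, 64499]),
    ("198.51.100.0/25", [64511, 64499]),
    ("198.51.100.0/24", [64510, 64501]),
]

if __name__ == "__main__":
    for alert in origin_conflicts(FEED):
        print("origin change: %s expected AS%d, seen AS%d" % alert)
    print("near view diverted:", diverted("192.0.2.0/24", NEAR_VIEW))
    print("far view diverted:", diverted("192.0.2.0/24", FAR_VIEW))
```
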
Hundreds of Wordpress Blogs Hit by "Networkads.net" Hack

A large number of bloggers using Wordpress are reporting that their sites recently were hacked and are redirecting visitors to a page that tries to install malicious software.

According to multiple postings on the Wordpress user forum and other blogs, the attack doesn't modify or create files, but rather appears to inject a Web address -- "networkads.net/grep" -- directly into the target site's database, so that any attempts to access the hacked site redirects the visitor to networkads.net. Worse yet, because of the way the attack is carried out, victim site owners are at least temporarily locked out of accessing their blogs from the Wordpress interface.

It's not clear yet whether the point of compromise is a Wordpress vulnerability (users of the latest, patched version appear to be most affected), a malicious Wordpress plugin, or if a common service provider may be the culprit. However, nearly every site owner affected so far reports that Network Solutions is their current Web hosting provider.

Continued here: http://krebsonsecurity.com/2010/04/hundreds-of-wordpress-blogs-hit-by-networkads-net-hack/

TrendMicro Toolbar + Long URL = Fail

Many anti-virus products -- particularly the "Internet security suite" variety -- now ship with various Web browser toolbars, plug-ins and add-ons designed to help protect the customer's personal information and to detect malicious Web sites. Unfortunately, if designed poorly, these browser extras can actually lower the security posture of the user's system by introducing safety and stability issues.

The last time I caught up with security researcher Alex Holden, he was showing me a nifty way to crash IE6 and prevent the user from easily reopening the badly outdated and insecure browser version ever again. Just the other day, Holden asked me to verify a crash he'd found that affects users who have Trend Micro Internet Security installed, which installs a security toolbar in both Internet Explorer and Mozilla-based browsers on Microsoft Windows. [...]

The video here was made on a virgin install of Windows XP SP3, with the latest Firefox build and a brand new copy of Trend Micro Internet Security. Paste a really long URL into the address bar with the Trend toolbar enabled, and Firefox crashes every time. Do the same with the toolbar disabled, and the browser lets the Web site at whatever domain name you put in front of the garbage characters handle the bogus request as it should. This isn't limited to Firefox: The same long URL crashes IE8 with the Trend toolbar enabled, although for some strange reason it fails to crash IE6. I didn't attempt to test it against IE7.

Continued here: http://krebsonsecurity.com/2010/04/trendmicro-toolbar-long-url-fail/

Ikea gift card scam takes in nearly 40,000 Facebook users

A scam Facebook page offering the site's users a US$1,000 Ikea gift card took in nearly 40,000 victims Friday.

It's the latest example of a new and pernicious trend on the social-networking site as scammers -- usually disreputable online marketers trying to earn review by generating Web traffic -- have flooded Facebook with these fake gift card pages over the past months.

In late March, a similar $1,000 Ikea gift card scam took in more than 70,000 victims, and just last week another scam Facebook page offering a $500 Whole Foods gift certificate was widely reported.

Friday's scam page had taken in more than 37,000 users by 11:30 a.m. Pacific Time, offering them a $1,000 gift certificate in exchange for promoting Ikea to their friends. At that time, the page was gaining new fans at the rate of about 5,000 per hour. The promotion, the page said, was only available for one day.

Continued here: http://www.computerworld.com.au/article/342617/ikea_gift_card_scam_takes_nearly_40_000_facebook_users/

Site speed to fuel search results

"Google has started ranking webpages by the speed with which they load."

The search giant is using the loading speeds to help rank the lists of sites it produces in response to keyword queries.

Google said it had taken the action because studies have shown that web users much prefer to visit sites that load quickly.

However, it said the change would only affect the rankings of a very small number of webpages.

Long load
Before now Google's ranking of results has been based on the relevance of the text on a webpage and how many other sites refer to it as a good source of information.

To this Google has decided to add an extra metric in the form of the speed with which pages show up when users click on a link or type in an address.

Continued here: http://news.bbc.co.uk/2/hi/technology/8615052.stm

NYT journalist: My email was hacked in Beijing

From Graham Cluley's Blog:

A journalist with the New York Times, based in Beijing, China, has written about how his Yahoo email account was hacked in order to surreptitiously forward his incoming messages to an unknown third party.

It was only after reporter Andrew Jacobs had struggled with peculiarities with his email setup for a few weeks that he explored his online settings, and discovered someone had breached his Yahoo account, as he explained in a recent article:

For weeks, friends and colleagues complained I had not answered their e-mail messages. I swore I had not received them.

My e-mail program began crashing almost daily. But only when all my contacts disappeared for the second time did suspicion push me to act.

I dug deep inside my Yahoo settings, and I shuddered. Incoming messages had been forwarding to an unfamiliar e-mail address, one presumably typed in by intruders who had gained access to my account.

I'd been hacked.


According to Jacobs, scores of foreign correspondents in China have reported similar intrusions into their email accounts.

Continued here: http://www.sophos.com/blogs/gc/g/2010/04/12/nyt-journalist-email-hacked-beijing/

New Vuln Hits Popular Japanese Word Processor "Ichitaro"

The most high-profile vulnerabilities tend to target either commonly used applications such as Adobe Acrobat and Flash Player or Windows itself, but in an attack which demonstrates that criminals are becoming ever more targeted, a vulnerability in Ichitaro, a popular Japanese language word processing application has been exploited.

Like similar vulnerabilities in Microsoft applications, the vulnerability allows random code to be executed on affected systems by opening a specially crafted .JTD file (JTD is the extension Ichitaro uses for its files). This can allow a malicious user to take complete control of an affected system.

Targeted attacks using this vulnerability have already been spotted. The malicious files have also been detected as TROJ_TARODROP.AV. This Trojan drops and executes BKDR_AHNSY.A. The backdoor can carry out the following commands upon receiving instructions from a third-party server:

Continued here: http://blog.trendmicro.com/new-vulnerability-hits-popular-japanese-word-processor-ichitaro/

ICPP Copyright Foundation is Fake

From the F-Secure Weblog:

There's a new extortion trojan in circulation.

This one attempts to steal victims' money by bullying them to pay a "pre-trial settlement" to cover a "Copyright holder fine".

The victim is informed that an "Antipiracy foundation scanner" has found illegal torrents from the system. If he won't pay $400 (via a credit card transaction), he might face jail time and huge fines. [...]

And the warnings will not go away. They will reappear every time the user reboots his system. [...]

All of this is completely fake. There is no "ICPP Foundation", and the messages will appear even if the system contains no illegal material whatsoever.

Most importantly: Refuse to pay money to these clowns! If people pay them, the problem will only grow bigger.

The group behind this have even set up an official-looking website at icpp-online.com. [...]

Continued here: http://www.f-secure.com/weblog/archives/00001931.html

Malicious Facebook ad redirects to fake antivirus software (Updated)

"Issue highlights the continuing problem with malicious advertisements on Web sites"

A malicious advertisement has been found within an application for Facebook that redirected users to fake antivirus software, according to a security researcher.

The banner advertisement for greeting cards was intermittently displayed with an application called Farm Town, which has more than 9 million monthly users according to information published on Facebook.

If the bad Shockwave Flash advertisement was displayed, the user was redirected from Facebook through several domains and ended up on a Web site selling fake antivirus software, said Sandi Hardmeier, who studies malicious advertisements and blogged about the issue.

Farm Town's developer, SlashKey, has a notice on its Web site saying it has notified its developers of the problem.

"We believe at this time that it is harmless to your computer and a result of one or more of the ads on the site, but you should not follow any links to any software claiming to 'clean your system,'" the notice reads. "Most good antivirus/malware program will catch and quarantine this malware."

Continued here: http://www.macworld.co.uk/digitallifestyle/news/index.cfm?newsid=3220026&pagtype=samechandate

Also See:
Farm Town virus warning: Malvertising at work?
Popular Facebook game caught serving malvertisements
