NEWS - April 14, 2010

Unpatched Java Exploit Spotted In-the-Wild

Last week, a Google security researcher detailed a little-known feature built into Java that can be used to launch third-party applications. Today, security experts unearthed evidence that a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to install malicious software.

On April 9, Google researcher Tavis Ormandy posted to the FullDisclosure mailing list that he'd discovered he could abuse a feature in Java to launch arbitrary applications on a Windows PC using a specially-crafted Web site. Ormandy said the feature had been included in every version of Java since Java 6 Update 10, and was intended as a way to make it easier for developers to distribute their applications. Along with that disclosure, Ormandy published several examples of how attackers might use this functionality in Java to load malicious applications onto a user's system.

As of this morning,, a site that according to traffic analysis firm receives about 1.7 million visits each month, was loading code from, a Russian Web site with a history of pushing rogue anti-virus. The domain name servers for also serve:

According to Roger Thompson, chief research officer at AVG, the site appears to use the very same code mentioned in Ormandy's proof-of-concept to silently redirect visitors to a site that loads the "Crimepack" exploit kit, a relatively new kit designed to throw a heap of software exploits at visiting browsers (see screenshot of a Crimepack administration page below).

Continued here:
Microsoft acts to avoid Windows blue screen repeat

"Blocks rootkit-infected PCs from getting latest kernel update to prevent Blue Screen of Death"

Microsoft took steps Tuesday to avoid repeating the debacle two months ago that left Windows XP users staring at the notorious "Blue Screen of Death" error message after they applied a patch.

In February, a security update that fixed two flaws in the Windows kernel -- the operating system's most important component -- wreaked havoc when it was applied by users, who almost immediately flooded Microsoft's support forum with reports of crippled computers.

As the number of reports grew, Microsoft first stopped automatically serving the MS10-015 update, then confirmed that a rootkit caused the crashes. Only PCs that had been previously infected with the Alureon rootkit were incapacitated, Microsoft's investigation found.

Microsoft restarted distribution of the update only after it had come up with a way to block rootkit-infected PCs from receiving the patches. "If detection logic included in Automatic Update discovers abnormal conditions in certain operating system file configurations, the update will fail and customers will be presented with an error message that offers alternative support options," said Jerry Bryant, general manager with the Microsoft Security Response Team, in early March.

Continued here:

Phishers Send Out Standard Chartered Spam

From TrendLabs Malware Blog:

TrendLabs recently encountered a phishing email specifically targeting Standard Chartered Bank clients. The spammed message instructs recipients to log in to their online accounts and to visit the Secure Messages section to read a specific message. The email body includes an embedded link, which when clicked leads to a phishing page. [...]

The use of bogus login pages has become a typical attack vector that phishers continue to use. Similar phishing attacks via spammed messages have been documented here in the Malware Blog:

Phishing Pages Pose as Secure Login Pages
Caisse d'Epargne Customers, Beware!
Citi Prepaid Phishing Services

While this is an old trick, clients who visit the page may still unwittingly provide their bank credentials to cybercriminals' waiting hands. Users are then advised to constantly exercise caution when opening email messages and when clicking embedded links. Standard Chartered Bank likewise reminds its clients to be wary of the reality of online threats, including phishing attacks.

Continued here:

Twitter Spammers get creative with rearranged spelling

From the Sunbelt Blog:

It seems spammers on Twitter are using some curious methods to get their message across (thanks to David Cawley for pointing me in the right direction).

Check this out: [...]

Yes, that is vaguely peculiar. Here's another one: [...]

The spammers are using a system of writing that involves jumbling up the middle letters in the words, which means they're still readable. There's some confusion as to whether or not this "system" was developed through research at Cambridge University; this person says "yes", while this person says "no".

Continued here:

RIP Windows Vista RTM

From the F-Secure Weblog:

Avid readers of the Microsoft Support Lifecycle Blog (and really, how can you not be?) know that yesterday, April 13th, marked the end of support for Windows Vista RTM, also known as Windows Vista SP0.

We'd like to say that we'll miss Vista RTM. We'd like to say that... but, well... [...]

On a related note, Windows XP Service Pack 2 (SP2) will reach its end of support this summer on July 13th. There are more positive memories of XP SP2, largely because of its emphasis on security.

However, that emphasis did come at a cost. Development resources at Microsoft were diverted from Vista and were given to XP SP2. Ironic? In any case, if you have Vista RTM or XP SP2 you should visit the Microsoft Download Center and update to the latest Service Pack sooner than later.

Just in case you were wondering, Windows 7 will be supported until January 13th, 2015.

Continued here:

Rogue Anti Virus: Scaring people with Task Manager

From the Kaspersky Lab Weblog:

Rogue antivirus programs have been around for years now, trying to scare people into buying fake products. This time, Desktop Security 2010 RogueAV comes with an interesting new trick to frighten users.

The main rogue component creates a remote thread in taskmgr.exe in order to call LoadLibrary from its dll component: taskmgr.dll.

This dll is part of the scare tactics.

As you can see in the screenshot below, the words "virus free" and "infected" were inserted in front of process names: [...]

The dll is packed with a custom packer. Once the dll has been unpacked, it's easy to find out how it performs the modification.

Here is a small snippet from the unpacked dll to understand how it manipulates Task Manager: [...]

Continued here:

Facebook beefs up site against hackers

Facebook is employing aggressive legal means in combination with technical measures in order to stop hackers from abusing its social-networking site, according to its chief security officer, Max Kelly.

The company is constantly under fire from hackers trying to spam its 400 million registered users, harvest their data, or run other scams.

Facebook's security team started off with just a few people, said Kelly, who began working at Facebook in 2005 after a stint as a computer forensic analyst for the U.S. Federal Bureau of Investigation. He gave a keynote presentation at the Black Hat security conference on Tuesday.

Now, as many as 10 percent of Facebook's 1,200 employees are involved in security-related functions for the site, Kelly said. Its core security team consists of 20 people, a site integrity team of around 15 people and 200 others that are part of a user operations team that monitors illegal activity.

Continued here:

Apache project server hacked, passwords compromised

Hackers broke into a server used by the Apache Software Foundation to keep track of software bugs.

The attack did not compromise the open-source Web server's source code repository, but it did give hackers access to a server used by the project to keep track of bugs, and they also obtained low-privilege accounts on another server used to maintain the Web site, according to Philip Gollucci, vice president of Apache infrastructure. "None of the source code was affected in any way," he said.

By taking advantage of a common Web programming error known as a cross-site scripting bug, and then using another password-guessing attack, hackers were able to break into the Atlassian JIRA software used by Apache. They then installed a password stealing program on that software, ultimately seizing full control of the machine. That gave them access to two other programs hosted by Apache on the same server, the Confluence wiki program and Bugzilla.

Continued here:

From XSS to root: Lessons Learned From a Security Breach

From the McAfee Labs Blog:

In an excellent blog, the people from Apache did a very good job analyzing and documenting how a security breach happened, going through all the stages of the attack and drawing conclusions. Should you ever become the unfortunate victim of an attack, this blog offers an example of how to document it!

I quote: "If you are a user of the Apache-hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised." So if you are a user, please act accordingly after reading this blog.

But let's take a look at the early stages of the attack; I feel there are some important conclusions missing:

Apache reports two simultaneous attacks that were launched. A brute-force attack against the JIRA login and an attempt to exploit a (previously unknown) cross-site scripting attack. They later say that just one of the attacks was successful, but not which one. From their blog:

'The attackers via a compromised Slicehost server opened a new issue, INFRA-2591. This issue contained the following text:..

Continued here:

Gmail spam uses fake addresses to spread malware

Gmail spam is on the rise. Spammers are using fake Gmail accounts to clog up inboxes, making ? the most abused domain name, according to Commtouch's quarterly Internet Threats Trend Report, released Wednesday.

Only 1 percent of spam e-mails sent from Gmail addresses are actually from real Gmail accounts, and "this small percentage is likely to represent a mix of spammers and compromised Gmail accounts," Commtouch says.

Overall, "between 5 to 10 percent of all spam appears to originate from Gmail accounts," Commtouch says. "Addresses are typically faked in order to fool anti-spam systems and to give the impression of a reputable, genuine source."

Spammers are becoming more skilled at using familiar domain names to fool users, and the trend is not just limited to Gmail. "Gmail's message style, as well as those of PayPal and Facebook, is frequently used by spammers and phishers as standard templates to prompt action by targets of spam and phishing," Commtouch says.

Continued here:

New Zbot campaign comes in a PDF

Alert from Websense Security Labs:

Websense Security Labs has received several reports of a Zbot trojan campaign spreading via email. We have seen over 2200 messages so far.

Zbot (also known as Zeus) is an information stealing trojan (infostealer) collecting confidential data from each infected computer. The main vector for spreading Zbot is a spam campaign where recipients are tricked into opening infected attachments on their computer.

This new variant uses a malicious PDF file which contains the threat as an embedded file. When recipients open the PDF, it asks to save a PDF file called Royal_Mail_Delivery_Notice.pdf. The user falsely assumes that the file is just a PDF, and therefore safe to store on the local computer. The file, however, is really a Windows executable. The malicious PDF launches the dropped file, taking control of the computer. At time of writing this file has a 20% anti-virus detection rate (SHA1 : f1ff07104b7c6a08e06bededd57789e776098b1f).

The threat creates a subdirectory under %SYSTEM32% with the name "lowsec" and drops the "local.ds" and "user.ds" files. These are configuration files for the threat. It also copies itself into %SYSTEM32% as "sdra64.exe" and modifies the registry entry "%SOFTWARE%\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit" to launch itself during system startup. When it runs, it injects malicious code into the Winlogon.exe instance in memory. This Zbot variant connects to a malicious remote server in China using an IP address of 59.44.[removed].[removed]:6010.

Screen shot of the email message: [...]

Continued here:
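The Websense write-up above lists the persistence artifacts this Zbot variant leaves behind (the extra Winlogon Userinit entry and the lowsec\*.ds files). The following is an added example, not Websense's code, showing how a defender could check a host snapshot for those artifacts; it works on a constructed Userinit value and a constructed %SYSTEM32% file listing rather than reading the live registry, so it runs offline.

```python
"""Host-snapshot check for the Zbot persistence described in the Websense alert.
Added example (hypothetical helpers, not Websense code); operates on constructed inputs."""
import ntpath

# The Winlogon Userinit value is a comma-separated, comma-terminated list of programs.
# On a clean host the only entry is userinit.exe; Zbot appends sdra64.exe to it.
EXPECTED_USERINIT = {"userinit.exe"}

# Paths relative to %SYSTEM32% that the alert attributes to this variant.
ZBOT_ARTIFACTS = {"lowsec\\local.ds", "lowsec\\user.ds", "sdra64.exe"}


def parse_userinit(value):
    """Split the Userinit value into non-empty program paths, dropping quotes and spaces."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def unexpected_userinit_entries(value):
    """Return every Userinit program whose file name is not the expected userinit.exe."""
    return [p for p in parse_userinit(value)
            if ntpath.basename(p).lower() not in EXPECTED_USERINIT]


def zbot_artifacts_present(system32_listing):
    """Given paths relative to %SYSTEM32%, return the Zbot artifacts found (sorted)."""
    normalized = {p.lower().replace("/", "\\") for p in system32_listing}
    return sorted(a for a in ZBOT_ARTIFACTS if a in normalized)


def assess(userinit_value, system32_listing):
    """Combine both checks into a list of human-readable findings (empty = nothing found)."""
    findings = []
    extra = unexpected_userinit_entries(userinit_value)
    if extra:
        findings.append("Userinit launches unexpected binaries: " + ", ".join(extra))
    found = zbot_artifacts_present(system32_listing)
    if found:
        findings.append("Zbot-style files under %SYSTEM32%: " + ", ".join(found))
    return findings


# Constructed snapshots: a clean host and one matching the infection described above.
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
INFECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
CLEAN_LISTING = ["kernel32.dll", "userinit.exe", "winlogon.exe"]
INFECTED_LISTING = CLEAN_LISTING + ["sdra64.exe", "lowsec\\local.ds", "lowsec\\user.ds"]

if __name__ == "__main__":
    print("clean host:", assess(CLEAN_USERINIT, CLEAN_LISTING) or "no findings")
    print("infected host:", assess(INFECTED_USERINIT, INFECTED_LISTING))
```

On a real host the Userinit value would be read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and the listing taken from %SYSTEM32%; the trailing comma in the default value is normal and is not flagged.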
