General discussion

NEWS - April 20, 2010

Report: Symantec says PDF readers and IE are biggest targets

According to a Symantec study, Germany is becoming the biggest disseminator of malware in Europe. The study shows that 12% of the malware circulating in Europe in 2009 was being actively disseminated by German computers, making it number one in the field, ahead of the UK (9%) and Russia (8%). Germany also leads the field in botnets, largely used for sending huge volumes of spam, where it has a 14% share of the worldwide total.

The ten largest botnets control at least five million compromised computers and are reported to be responsible for 85% of the 107 billion spam e-mails sent daily. The UK, by contrast, leads the field in attacks using fake websites, having knocked last year's leaders, the Ukraine, off the top spot.

Continued here: http://www.h-online.com/security/news/item/Report-Symantec-says-PDF-readers-and-IE-are-biggest-targets-981756.html
Discussion is locked
Follow
Reply to: NEWS - April 20, 2010
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: NEWS - April 20, 2010
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Comments
- Collapse -
Mozilla Disables Insecure Java Plugin in Firefox

Mozilla is disabling older versions of the Java Deployment Toolkit plugin for Firefox users, in a bid to block attacks against a newly-discovered Java security hole that attackers have been exploiting of late to install malicious code.

On April 15, Oracle Corp. pushed out an update to its Java software to fix a dangerous security flaw in the program. The patch came just a day after it became clear that criminals were using the flaw to break into vulnerable systems.

Java installs a Java Deployment Toolkit plugin into Internet Explorer and Mozilla browsers. According to comments in the Firefox bug database entry for this issue, Mozilla developers began discussing the forced removal of the plugin days before Oracle pushed the Java update. Even after the Java patch shipped, the developers apparently were concerned that the Oracle update didn?t fix the exploit for all Firefox users. An advisory from the U.S. Computer Emergency Readiness Team supported that finding (US-CERT says the fixed version of the plugin is 6.0.200.2).

There was another problem: Oracle?s patch, which brings the software to Java 6 Update 20, in some cases leaves behind older, vulnerable versions of the Firefox plugin (the Java update application seems to have updated the associated plugin for Internet Explorer just fine).

Indeed, even if you took my advice and uninstalled Java from your computer, this stubborn add-on may still be hanging around in Firefox. And you?ll probably at some point see a prompt like the one above, if you haven?t already. If you want to disable it manually, go to Tools, Add-ons, click the Plugins icon, select the Toolkit and hit the ?Disable? button.

Not everyone is happy with Mozilla?s decision to kill this add-on, at least judging from comments #31 and 33 in the Mozilla bug database.

Continued here: http://krebsonsecurity.com/2010/04/mozilla-disables-insecure-java-plugin-in-firefox/#more-2502

- Collapse -
Cyberattack on Google Said to Hit Password System

Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google?s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company?s Web services, including e-mail and business applications.

The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days last December, the person said. Described publicly only once at a technical conference four years ago, the software is intended to enable users and employees to sign in with their password just once to operate a range of services.

The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions. But the theft leaves open the possibility, however faint, that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.

The new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google?s that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in a cluster of computers, popularly referred to as ?cloud? computing, a single breach can lead to disastrous losses.

Continued here: http://www.nytimes.com/2010/04/20/technology/20google.html

- Collapse -
MS preps fix for IE 8 flaw that makes safe sites unsafe
Microsoft preps fix for IE 8 flaw that makes safe sites unsafe

"Third time's the charm"

Microsoft will release an update intended to rid Internet Explorer 8 of a vulnerability that can enable serious security attacks against websites that are otherwise safe.

The change, which will be introduced in June, will be the third time in six months that Microsoft has tweaked a feature used to filter out XSS, or cross-site scripting filter, attacks against websites. The filter, which Microsoft introduced with the release of IE 8, is designed to strip out malicious commands that exploit the vulnerabilities, which plague many websites.

As The Register reported in November, the new XSS filter could be exploited to introduce XSS attacks on sites that otherwise weren't vulnerable. Microsoft has twice made changes to the feature, once in January and again in March, but last week, researchers at the Black Hat Security Conference in Barcelona showed the filter still injected threats into sites that included Google, Wikipedia, Twitter and even Microsoft's own Bing.

Continued here: http://www.theregister.co.uk/2010/04/20/microsoft_ie_xss_fix/
- Collapse -
PDF Launch Feature Abused to Carry ZeuS/ZBOT

From the TrendLabs Malware Blog:

The ZeuS/ZBOT malware continues to uphold its notorious reputation. As we have seen in the past, ZBOT variants steal account credentials when users visit various social networking, online shopping, and bank-related websites.

Another social engineering tactic that has been employed by ZeuS/ZBOT perpetrators is the use of .PDF files. Specially crafted .PDF files have been used as a vehicle for malware propagation by exploiting different vulnerabilities discovered in Adobe Reader and Acrobat.

Recently, however, we spotted a specially crafted .PDF file that drops a ZBOT variant without exploiting a vulnerability. Instead, this malicious file exploits a legitimate Adobe Reader feature. The said feature is the /launch function in the PDF specification, as security researcher Dieder Stevens demonstrated in his blog. This function allows a portable document author to attach an executable file and, via social engineering, trick users to save and run the embedded file.

Continued here: http://blog.trendmicro.com/pdf-launch-feature-abused-to-carry-zeuszbot/

- Collapse -
New Microsoft support service offers XP users Windows 7 ...
New Microsoft support service offers XP users Windows 7 goodies

"Beta of 'Fixit Center' software ports Windows 7-style troubleshooters to older OSes"

MIcrosoft has launched a new self-support service for Windows XP and Vista users that relies on technology baked into Windows 7.

The combination of desktop client and back-end service gives users of older versions of Windows some of the same functionality that only Windows 7 provides by default, Lori Brownell, Microsoft's general manager of product quality and online support, said Friday. The Fixit Center client is currently in beta, and can be downloaded free of charge.

"Irrespective of what versions people are running, and many aren't running Windows 7 today, we need to support those customers just as well," said Brownell, explaining Microsoft's decision.

Microsoft used the same technology that powers the scripted diagnostic feature within Windows 7, dubbed "Action Center" -- in some cases, the same code -- to craft the client software for Windows XP and Vista.

Continued here: http://www.networkworld.com/news/2010/041910-new-microsoft-support-service-offers.html
- Collapse -
Amazon purges account hijacking threat from site

Amazon.com administrators on Tuesday closed a security vulnerability that made it possible for attackers to steal user login credentials for the highly trafficked e-commerce website.

The XSS, or cross-site scripting, bug on Amazon Wireless allowed attackers to steal the session IDs that are used to grant users access to their accounts after they enter their password. It exposed the credentials of customers who clicked on this link while logged in to the main Amazon.com page.

It was discovered by Nir Goldshlager, a researcher from security consulting company Avnet. It was purged from Amazon about 12 hours after The Register brought it to the attention of the website's security team.

Continued here: http://www.theregister.co.uk/2010/04/20/amazon_website_treat/

- Collapse -
Mass hack attack or a Gmail bug?

From the Kaspersky Lab Weblog:

For over a week users of Gmail have been exchanging stories about incidents of email accounts being compromised and the uncontrolled distribution of spam, trying to guess what?s behind this strange epidemic.

The spam mailings are being sent from hacked accounts to addresses that the account owners have communicated with ? these are primarily addresses from the contact list. There is no message subject and the body contains nothing more than a link to an online drug store in the .co.cc domain. This is a redirect to the recently registered website mrapgyan.net which, incidentally, doesn?t work. A copy of the message is saved to the ?Sent Mail? folder just like any other sent message, and sometimes it can be found in the ?Trash? folder. Some of the messages don?t make it to their recipients and remain flagged as undelivered.

It turns out that every time the spammers connected to someone?s account they did so via a mobile interface and most probably using bots. The IP addresses used to gain unauthorized access were in locations dotted around the world ? the USA, Western Europe, the Middle East, Asia, Africa?

It?s worth pointing out that the cybercriminals only used their victims? contacts to send out spam ? they didn?t modify passwords to email accounts and didn?t delete any messages or contact lists.

Continued here: http://www.securelist.com/en/blog/217/Mass_hack_attack_or_a_Gmail_bug

- Collapse -
PC owners being used as 'malware mules'

"Hacked email accounts used to spread viruses"

Hackers are using unsuspecting web users as 'malware mules' to infect other PC users with viruses, says Symantec.

According to the security vendor's annual 'internet security threat' report, cybercriminals can purchase email login details and passwords for as little as 65p each.

The hackers then gain access to the email accounts and send messages containing the virus to the contacts listed in the account.

Symantec says the recipients of spam email are much more likely to trust the validity of a message coming from a recognised email address.

"'Malware Mules' are one of the most worrying trends identified in Symantec's Internet Security Threat report," said Con Mallon, security expert at Symantec.

"One of many ways to prevent this from happening is by keeping a close eye on what you do on the internet. Some email accounts show when your last login was and consumers are advised to check this each time they log in to make sure their last login was by themselves and not by a hacker."

Continued here: http://www.pcworld.com/article/194587/pc_owners_being_used_as_malware_mules.html

- Collapse -
Bot installs adware along with video player

From the Sunbelt Blog:

"Actually your computer will run MUCH BETTER without this adware crap"

Our researcher Adam Thomas found this little nugget while investigating a botnet that auto installed FLV Direct Player. The player bundles Zugo Search adware, also known as LoudMo, on victims? machines. FLV Direct is available freely on the web. The bot, however, uses an AutoIT script to script through the installation screens so the victim never sees the install: [...]

It also changes the victim machine?s home page to bing.zugo.com.

Apparently this is some kind of affiliate operation ? the malefactor affiliates get paid for installing LoudMo adware on the machines of unknowing victims and they just decided to do it wholesale with a botnet.

Affiliates also are spamming heavily on Twitter (and who else knows where else) trying to get people to install the FLV Player: [...]

The FLV site (http://www.loudmo.com/products/flv/) describes their program:

?Use this free FLV Player to promote and target a wide variety of niches.

?Both affiliates and users will benefit from this free flash media player. Affiliates can boost revenue with the pay-per-install compensation method, while users will enjoy playing and saving flash videos from various tube sites. There is a completely transparent downloading process and the FLV player is easy to uninstall.

?FLV Player is a media player for MPEG-4 and Flash Videos (FLV). Most video sites on the web (including YouTube) stream FLV content. With the FLV Player, we offer an easy way to download and enjoy this content on your desktop. FLV Player comes with no viruses or spyware, and at just 2.12 Mb, it's a quick download.
?

One FINAL gimmick [...]

Continued here: http://sunbeltblog.blogspot.com/2010/04/bot-installs-adware-along-with-video.html

- Collapse -
Call Centers for Computer Criminals

A call service that catered to bank and identity thieves has been busted up by U.S. and international authorities. The takedown provides a fascinating glimpse into a bustling and relatively crowded niche of fraud services in the criminal hacker underground.

In an indictment unsealed on Monday, New York authorities said two Belarusian nationals suspected of operating a rent-a-fraudster service called Callservice.biz were arrested overseas. Wired.com?s Kim Zetter has the lowdown:

According to the indictment (.pdf), the two entrepreneurs launched the site in Lithuania in June 2007 and filled a much-needed niche in the criminal world ? providing English- and German-speaking ?stand-ins? to help crooks thwart bank security screening measures.

In order to conduct certain transactions ? such as initiating wire transfers, unblocking accounts or changing the contact information on an account ? some financial institutions require the legitimate account holder to authorize the transaction by phone.

Thieves could provide the stolen account information and biographical information of the account holder to CallService.biz, along with instructions about what needed to be authorized. The biographical information sometimes included the account holder?s name, address, Social Security number, e-mail address and answers to security questions the financial institution might ask, such as the age of the victim?s father when the victim was born, the nickname of the victim?s oldest sibling or the city where the victim was married.


U.S. authorities have seized the Callservice.biz Web site, which now features the seals for the FBI and Justice Department prominently on its homepage. The feds also seized Cardingworld.cc, a highly-restricted online criminal forum where Callservice.biz was hosted.

Continued here: http://krebsonsecurity.com/2010/04/call-centers-for-computer-criminals/

Also (at F-Secure) See : Case callservice.biz

- Collapse -
Young People, Privacy, and the Internet

From Bruce Schneier's "Schneier on Security":

There's a lot out there on this topic. I've already linked to danah boyd's excellent SXSW talk (and her work in general), my essay on privacy and control, and my talk -- "Security, Privacy, and the Generation Gap" -- which I've given four times in the past two months.

Last week, two new papers were published on the topic.

"Youth, Privacy, and Reputation" is a literature review published by Harvard's Berkman Center. It's long, but an excellent summary of what's out there on the topic:

Conclusions: The prevailing discourse around youth and privacy assumes that young people don't care about their privacy because they post so much personal information online. The implication is that posting personal information online puts them at risk from marketers, pedophiles, future employers, and so on. Thus, policy and technical solutions are proposed that presume that young would not put personal information online if they understood the consequences. However, our review of the literature suggests that young people care deeply about privacy, particularly with regard to parents and teachers viewing personal information. Young people are heavily monitored at home, at school, and in public by a variety of surveillance technologies. Children and teenagers want private spaces for socialization, exploration, and experimentation, away from adult eyes.......

Continued here: http://www.schneier.com/blog/archives/2010/04/young_people_pr.html

- Collapse -
Gov't regulators call on Google to respect users' privacy

Ten government regulators responsible for protecting the private information of their countries' citizens have sent an open letter to Google calling on the company to respect national laws on privacy.

The regulators say the letter is also intended for other companies offering services over the Internet, but the version published is addressed to Google CEO Eric Schmidt (pdf) and takes particular issue with the roll out of the company's Buzz social networking service.

Buzz came in for criticism for the way it revealed users' most-mailed contacts in a public feed, without warning them this would happen.

Google later modified the service's behavior, but that wasn't enough to satisfy the privacy commissioners.

"It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world," they wrote in the open letter to Schmidt.

Continued here: http://www.computerworld.com/s/article/9175831/Gov_t_regulators_call_on_Google_to_respect_users_privacy

Also See: Google Shrugs Off Privacy Lecture

- Collapse -
Phishers target students with fake student loans pages

From the Sunbelt Blog:

In the UK, there?s a good chance you took out a loan with the Student Loans Company if you went to University. It?s been brought to my attention that there?s currently a number of sites being hacked and becoming hosts for rather nasty phishes.

So far, all of the phish pages we?ve seen look like the below. The scam begins with a page claiming to be a login for ?Student Finance?, asking the victim to enter their customer reference number. The page steals design elements from legitimate Directgov websites and looks identical to the real thing: [...]

Should the victim proceed, they?ll find they?re suddenly asked for every type of personal information you can possibly imagine: [...]

Continued here: http://sunbeltblog.blogspot.com/2010/04/phishers-target-students-with-fake.html

CNET Forums