NEWS - April 21, 2010

Drug-dealing spammers hit Gmail accounts

"Hackers are breaking into Gmail accounts to flog Viagra and other drugs"

Google is investigating a growing number of reports that hackers are breaking into legitimate Gmail accounts and then using them to send spam messages.

The problem started about a week ago but seems to have escalated over the past few days.

"The Gmail team takes security very seriously and is investigating the reports we've seen in our user forums over the past few days," Google said Tuesday in an e-mailed statement. "We encourage users who suspect their accounts have been compromised to immediately change their passwords and to follow the advice at the following page: http://www.google.com/help/security/."

Gmail accounts are often compromised after phishing attempts or via malicious programs, which can seek out and log online credentials from a hacked computer.

It isn't clear what's behind this wave of Gmail compromises. But in forum posts, Gmail users note that the hackers appear to be sending spam via Gmail's mobile interface -- which gives mobile-phone users a way to check their Gmail accounts -- and wonder if there may be a bug in the mobile interface that is allowing criminals to send the spam.

Continued here: http://www.computerworld.com.au/article/343840/drug-dealing_spammers_hit_gmail_accounts/
Comments
- Collapse -
Google closes vulnerabilities in Chrome 4 for Windows

Google has released version 4.1.249.1059 of Chrome for Windows, a security update that addresses four high risk vulnerabilities in its WebKit-based browser. These vulnerabilities are: a memory corruption issue in Chrome's V8 JavaScript Engine, type confusion errors with forums, cross-site scripting (XSS) vulnerabilities on the Chrome downloads page and HTTP request errors that could lead to possible cross-site request forgeries (XSRF).

The update also addresses three medium risk issues, a cross-site scripting bug, an issue that could cause pages to load with privileges of the New Tab page and a local file reference through developer tools. Further details of the vulnerabilities are being withheld until "a majority of users are up to date with the fix".

The first two high risk holes earned a developer going by the name of "kuzzcc" $500 each as part of Google's experimental Chrome Security Reward programme. Launched at the end of January, the programme is aimed at encouraging users to report vulnerabilities in its browser. Subject to committee decision, the standard $500 reward for each bug may be increased up to $1,337 for special cases and particularly critical issues.

Continued here: http://www.h-online.com/security/news/item/Google-closes-vulnerabilities-in-Chrome-4-for-Windows-982745.html

Also see Vulnerabilities/Fixes: Google Chrome Multiple Vulnerabilities

- Collapse -
"Please attention!" fake DHL delivery emails contain malware

From Graham Cluley's Blog:

It's another day, which means (almost inevitably) there's another malicious email campaign carrying a fake anti-virus attack.

Once again the bad guys are packaging their attack in an email which claims to come from DHL Delivery Services. [...]

A typical email, which has the subject line "Please attention!", reads as follows:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Delivery Services.


Attached to the email is a file called label.zip, which Sophos detects as Troj/FakeAV-BEG. Even though there is some peculiar wording (and spelling) in the email it's possible that some unwary users might fall into the hacker's trap, and open the malicious attachment.

We are seeing many reports of this attack in our global network of traps right now. [...]

Continued here: http://www.sophos.com/blogs/gc/g/2010/04/21/attention-fake-dhl-delivery-emails-malware/

- Collapse -
Postal-themed PDF Spam

From SophosLabs Blog:

The Bredo malware-spammers are back, and they've been reading about how to run executable files from a PDF using /Launch, a trick we'd already started to see used by malware. This latest spam campaign uses this technique (it's not really exploiting a vulnerability as such, since PDFs were specifically designed to be able to do this) in a slightly modified format.

Messages started coming in last week targeting the Brits, with subject lines such as "IMPORTANT: Royal Mail Delivery Invoice #1092817"; sent from "Royal Mail <delivery@royalmail.com>" and content such as:

We missed you, when trying to deliver.

Please view the invoice and contact us with any questions.

We will try to deliver again the following business day.

Royal Mail.


Later in the week we saw it change to a more Canadian theme, with subjects including "IMPORTANT: Canada Post Delivery #9381747173"; from "Canada Post <delivery@canadapost.ca>" and extremely similar content:

We missed you, when trying to deliver!

Please view the invoice and contact us with any questions.

We will try to deliver again the following business day.

(c) 2010 Canada Post Corporation.


This week they even remembered they shouldn't be discriminating against French-speaking Canadians:

Continued here: http://www.sophos.com/blogs/sophoslabs/?p=9413
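
The /Launch technique the post describes, as an added example (this is not SophosLabs code and not taken from the Bredo samples): a small Python scanner that flags /Launch and related action names in a PDF, decoding the #xx name escapes and inflating Flate-compressed streams that a sender would use to hide the action from a plain grep. The PDFs it scans are constructed fixtures built inline, not samples from the campaign; the list of suspicious names, the cmd.exe target and the "evil.exe" parameter are assumptions for illustration.

```python
import re
import zlib

# Constructed test fixtures (not samples from the Bredo campaign): a minimal PDF
# whose /OpenAction is a /Launch action running cmd.exe, the same document with the
# action name hex-escaped (/L#61unch is /Launch in PDF name syntax), a variant with
# the action hidden inside a Flate-compressed stream, and a benign document.
LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c start evil.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
OBFUSCATED_PDF = LAUNCH_PDF.replace(b"/Launch", b"/L#61unch")

_ACTION = b"<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c start evil.exe) >> >>"
_DEFLATED = zlib.compress(_ACTION)
COMPRESSED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_DEFLATED)).encode() + b" >>\nstream\n" + _DEFLATED + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Names whose presence in a mail-borne PDF warrants a closer look (assumed list);
# /Launch is the one this campaign relies on.
SUSPICIOUS_NAMES = (b"/Launch", b"/OpenAction", b"/AA", b"/JavaScript", b"/JS")

_NAME_TOKEN = re.compile(rb"/([^\s/\[\]<>(){}%]*)")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside PDF name tokens so /L#61unch reads as /Launch."""
    def decode(m):
        return b"/" + _HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
    return _NAME_TOKEN.sub(decode, data)


def inflate_streams(data: bytes) -> bytes:
    """Inflate every stream body that is zlib data; other streams are skipped."""
    out = []
    for m in _STREAM.finditer(data):
        try:
            # decompressobj ignores the newline that precedes 'endstream'
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return b"".join(out)


def scan_pdf(data: bytes) -> dict:
    """Report suspicious action names and the /Launch target, over raw and inflated bytes."""
    text = normalize_names(data + b"\n" + inflate_streams(data))
    hits = {}
    for name in SUSPICIOUS_NAMES:
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))
        if n:
            hits[name.decode()] = n
    launch = re.search(rb"/Launch.*?/F\s*\(([^)]*)\)(?:.*?/P\s*\(([^)]*)\))?", text, re.S)
    return {
        "hits": hits,
        "launch_target": launch.group(1).decode("latin-1") if launch else None,
        "launch_params": launch.group(2).decode("latin-1") if launch and launch.group(2) else None,
        "verdict": "launch-action" if "/Launch" in hits else "clean",
    }


if __name__ == "__main__":
    for label, doc in [("launch", LAUNCH_PDF), ("obfuscated", OBFUSCATED_PDF),
                       ("compressed", COMPRESSED_PDF), ("benign", BENIGN_PDF)]:
        print(label, scan_pdf(doc))
```

Because /Launch is a documented feature rather than a bug, the verdict means "this file asks the reader to run a program", not "this file is malformed", which is exactly why it is worth quarantining in mail. A production scanner must also parse object stream (/ObjStm) headers and handle the other standard filters (ASCIIHex, ASCII85, LZW); this example only inflates Flate streams and scans them as text.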

- Collapse -
Malicious messages of love spammed out by hackers

From Graham Cluley's Blog:

You should be wary of unsolicited messages of love that arrive in your email inbox. That's the warning I'm issuing following a malicious campaign orchestrated by cybercriminals that is hitting email systems around the world as I type.

Emails which use a variety of romantic subject lines and message bodies are designed to tempt unwary users into opening the attached file.

However, opening the file (which is named open.zip) could lead to your computer becoming infected by malware, which could give hackers access to your PC.

Subjects used in the attacks include:

You make me... a very happy...my love
I think... our relationship is beautiful.
This love note is very happy thought, and it is so true.
I love... to hold you in my arms.
I love you...I love us.
I long... to be near you.
When I am with you, ... I never want to leave.
You don't have to be perfect, to be perfect for me.
Always... thinking of you.
Your love has made me... wealthy beyond my dreams.
I love... our love.
If I don't romance you, If I don't adore you, If I don't cherish you... I don't deserve you.
You... have Wowed me from the very beginning.
This love note is very happy thought, and it is so true.

Messages inside the emails follow similar lines, and it appears that the criminals behind the campaign are altering the phrases by adding dots and pauses in an attempt to defeat the more rudimentary filters that some might deploy.

Continued here: http://www.sophos.com/blogs/gc/g/2010/04/20/malicious-messages-love-spammed-hackers/
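
A filter that defeats the "dots and pauses" trick the post describes, as an added example (this is not Sophos code): it canonicalizes a subject line by lowercasing, stripping punctuation and collapsing whitespace before matching, then falls back to word coverage against the known phrases so that a phrase padded with extra words is still caught. The blocklist is built from the subjects quoted above; the incoming sample subjects and the 0.8 threshold are constructed assumptions.

```python
import re

# Subject lines quoted in the post, used as the blocklist a simple filter would carry.
CAMPAIGN_SUBJECTS = [
    "You make me... a very happy...my love",
    "I think... our relationship is beautiful.",
    "I love... to hold you in my arms.",
    "I love you...I love us.",
    "I long... to be near you.",
    "When I am with you, ... I never want to leave.",
    "Always... thinking of you.",
    "Your love has made me... wealthy beyond my dreams.",
]

_PUNCT = re.compile(r"[^\w\s]+")  # dots, ellipses, commas, quotes, dashes


def canonical(subject: str) -> str:
    """Lowercase, drop punctuation, collapse whitespace: the inserted dots vanish."""
    return " ".join(_PUNCT.sub(" ", subject.lower()).split())


def coverage(candidate: str, phrase: str) -> float:
    """Fraction of the blocklisted phrase's words that appear in the candidate."""
    phrase_words = set(phrase.split())
    if not phrase_words:
        return 0.0
    return len(phrase_words & set(candidate.split())) / len(phrase_words)


BLOCKLIST = {canonical(s) for s in CAMPAIGN_SUBJECTS}


def classify(subject: str, threshold: float = 0.8):
    """Return ('match' | 'near-match' | 'pass', best coverage score)."""
    c = canonical(subject)
    if c in BLOCKLIST:
        return "match", 1.0
    best = max(coverage(c, phrase) for phrase in BLOCKLIST)
    return ("near-match" if best >= threshold else "pass"), best


if __name__ == "__main__":
    # Constructed incoming subjects: two re-dotted variants, one padded phrase, two benign.
    for s in ["I.. love.... to hold... you in.... my arms",
              "When I am with you... I never... want to leave.",
              "I long to be near you, my darling",
              "I think you should see this invoice",
              "Quarterly report attached"]:
        print(repr(s), "->", classify(s))
```

Exact matching on the canonical form catches every re-dotted variant of a known subject at no false-positive cost; the coverage fallback is the noisy part, since a short phrase such as "always thinking of you" will also cover a genuine message that happens to contain those four words, so keep the threshold high and pair it with attachment checks (here, the open.zip) rather than acting on the subject alone.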

- Collapse -
Screenshots of new UI concepts for Firefox 4

It's no secret that Mozilla is planning some major UI overhauls for their next major release of Firefox. The new theme is designed to reflect a modernized web browser to illustrate its "power, simplicity, and customizability." The design team has outlined 4 main goals for the refresh:

Streamline UI elements and reduce visual footprint
Modernize look and feel
Retain visual integration
Maintain cross-platform consistency (Where applicable)

While the new theme has been revealed progressively, it is still a work in progress and the team is constantly making new adjustments and additions. A new timeline has been posted at the project homepage to see that the new changes get the proper amount of attention for implementation. Stephen Horlander, a Visual Designer with the Firefox team, has posted screenshots of the new concepts that they are working on.

Current progress:
New toolbar buttons, location bar, and tabs for OS X: [...]

New tab styling for Windows: [...]

Continued (with screenshots) here: http://www.neowin.net/news/new-changes-in-firefox-ui-refresh-screenshots

- Collapse -
Google, YouTube reveals government requests for user data

"British Government heads European demand for Google user data"

Google and the Google-owned YouTube received more than 10,000 requests for user data from government agencies in the six months ending 31 December 2009, including more than 1,000 from the UK.

Between July 1 and December 31, Google received 1,116 requests for user data from UK government agencies. In the US the figure was 3,580, slightly less than the 3,663 originating from Brazil. Smaller numbers originated from various other countries.

"Like other technology and communications companies, we regularly receive requests from government agencies around the world to remove content from our services, or provide information about users of our services and products," Google says on a new site that sheds more light onto government demands for user information and requests to take offensive material off the web.

The vast majority of requests for private user data "are valid and the information needed is for legitimate criminal investigations." Likewise, many requests to remove videos and other content are valid, for example requests to nix child pornography, Google notes.

Continued here: http://news.techworld.com/security/3221146/google-youtube-reveals-government-requests-for-user-data/

- Collapse -
Microsoft drops enterprise end point security suite

"No longer at the Forefront of Redmond's plans"

Microsoft has decided to drop a standalone product designed to protect PCs against malware threats in order to concentrate on server-based security and management software and hosted services.

Stirling, the next generation of the Forefront Protection Suite for end points (clients), was already delayed and was finally put down in a blog post on Tuesday. The Forefront team explained that Redmond had made the decision in order to align "security management with systems and application management".

'As part of this strategy, Forefront Protection Manager (FPM) will not be released to market. Instead, multi-server management for Forefront Protection 2010 for Exchange Server (FPE) and Forefront Protection 2010 for SharePoint (FPSP) will be delivered through a streamlined solution for messaging and collaboration workloads, both on-premises and in the cloud.'

Redmond promised to offer extra management functionality to customers of these enterprise server security products at no extra charge during the second half of this year. This was presumably to build loyalty in the user base before sales people at the likes of CA and Trend Micro attempt to encourage users to defect.

Continued here: http://www.theregister.co.uk/2010/04/21/ms_forefront_dropped/

- Collapse -
Some issue at Yahoo??? Your accounts can be deleted?

From the SecuriTeam Blog:

I received a mail stating that there are some congestions in Yahoo-accounts service and hence they will be closing down unused accounts. They wanted me to send them a few of my personal details. If I fail to do so my account will be discontinued. Who will want their account to be discontinued which they have been using for a long time? So should I send them my details? The mail which I received was:

'From: "Yahoo-account-services"
To: undisclosed-recipients
Due to the congestion in all Yahoo-accounts, Yahoo! would shut down all unused
accounts. In order to avoid the deactivation of your account, you will have to confirm your e-mail by
FILL-IN your Login Info below by clicking the reply button. The personal information requested are
for the safety of your Yahoo! account. Please LEAVE all information requested.

Your Username:             -
Your Password:             -
Your Date Of Birth:        -
Your Occupation:           -
Your Country Of Residence: -
After you must have followed the instructions in the sheet, your Yahoo! account will not be interrupted and will continue as normal. Thank you for your usual co-operation. We apologize for any inconvenience.
Yahoo! Customer Care
'

Well, many innocent people may fall prey and end up sharing their personal information along with their login credentials.

Continued here: http://blogs.securiteam.com/index.php/archives/1357

- Collapse -
McAfee DAT 5958 Update Issues

Published: 2010-04-21,
Last Updated: 2010-04-21 15:59:33 UTC

We have received several reports indicating some issues with McAfee DAT 5958 causing Windows XP SP3 clients to be locked out. It is affecting svchost.exe. Here is an example of the message:

The file C:\WINDOWS\system32\svchost.exe contains the W32/Wecorl.a Virus. Undetermined clean error, OAS denied access and continued. Detected using Scan engine version 5400.1158 DAT version 5958.0000.

McAfee has posted additional information here.

Update 1:
Symptoms are: reboot loops and networking down. Trying to roll back to last version is difficult.

Early analysis leads us to believe the false positive only occurs on WinXP workstations with SP3 installed.

Dennis indicated that for him it appears to only affect systems connected to the internet and/or non-domain members. Workstations on the domain with the bad DAT do not appear to be affected.

See: http://isc.sans.org/diary.html?storyid=8656

- Collapse -
Flawed McAfee update paralyzes corporate PCs

"Cripples Windows XP machines with endless reboots after critical system file quarantined"

By Gregg Keizer
April 21, 2010 04:01 PM ET

A flawed McAfee antivirus update sent enterprise administrators scrambling today as the new signatures quarantined a crucial Windows system file, crippling an unknown number of Windows XP computers, according to messages on the company's support forum.

The forum has since gone offline.

McAfee confirmed it had pushed the faulty update to users earlier today. "McAfee is aware that a number of customers have incurred a false positive error due to incorrect malware alerts on Wednesday, April 21," said company spokesman Joris Evers in an e-mail reply to questions. "The problem occurs with the 5958 virus definition file (DAT) that was released on April 21 at 2:00 P.M. GMT+1 (6:00 A.M. Pacific)."

According to users on McAfee's support forum, today's update flagged Windows' "svchost.exe" file, a generic host process for services that run from other DLLs (dynamic link libraries).

"HOW THE F*** do they put a DAT out that kills a *VITAL* system process?" asked Jeff Gerard on one thread. "This is goddamn ridiculous," added Gerard, who identified himself as a senior security administrator with Wawanesa Mutual Insurance Company of Winnipeg, Manitoba, in Canada. "Great work McAfee! GRRRRRRRRRRR."

As of 3:30 p.m. ET, McAfee's support forum was offline, with a message reading "The McAfee Community is experiencing unusually large traffic which may cause slow page loads. We apologize for any inconvenience this may cause."

Both users and McAfee said that the flawed update had crippled Windows XP Service Pack 3 (SP3) machines, but not PCs running Vista or Windows 7. "Our initial investigation indicates that the error can result in moderate to significant performance issues on systems running Windows XP Service Pack 3," acknowledged Evers.

Continued here: http://www.networkworld.com/news/2010/042110-flawed-mcafee-update-paralyzes-corporate.html

Also: McAfee False Detection Locks Up Windows XP
McAfee false positive bricks enterprise PCs worldwide

- Collapse -
The IRS Has a Message for You

From the Eset Threat Blog:

Well, assuming you are a US taxpayer, and don't expect to see the message in an email.

Tax day is past and now it is time for the fake IRS emails and scams. What if you didn't pay enough taxes or are owed a refund? The IRS isn't going to send you an email about that. If you look at http://www.irs.gov/privacy/article/0,,id=179820,00.html?portlet=1, the IRS makes it very clear:

The IRS does not initiate taxpayer communications through e-mail.

* The IRS does not request detailed personal information through e-mail.
* The IRS does not send e-mail requesting your PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.
* Report suspicious e-mails and bogus IRS Web sites to phishing@irs.gov.

If you receive an e-mail from someone claiming to be the IRS or directing you to an IRS site,

* Do not reply.
* Do not open any attachments. Attachments may contain malicious code that will infect your computer.
* Do not click on any links. If you clicked on links in a suspicious e-mail or phishing Web site and entered confidential information, visit our Identity Theft page. http://www.irs.gov/privacy/article/0,,id=186436,00.html

* Use the following steps to report the e-mail or bogus Web site to the IRS.

There are sample phishing emails on the IRS web site and links to places to get more information, such as http://www.onguardonline.gov/default.aspx

Continued here: http://www.eset.com/blog/2010/04/20/the-irs-has-a-message-for-you

- Collapse -
Malwarebytes and Sunbelt Software partnership

By Alex Eckelberry at the Sunbelt Software Blog:

Today, I'm pleased to announce a new partnership with Malwarebytes.

The details are in the press release, but basically the partnership is starting with a new portal for consumers to clean their systems (http://vipre.malwarebytes.org). In addition to this initial first offering, we are also working together on a broad range of initiatives for sharing information on emerging threats, methods to mitigate risk, and other joint efforts.

Right now, the partnership is evolving in its nature, and I am very excited about the future opportunities to work with the team at Malwarebytes, a very impressive organization run by a brilliant hands-on CEO, Marcin Kleczynski.

Continued here: http://sunbeltblog.blogspot.com/2010/04/malwarebytes-and-sunbelt-software.html

The Press Release: Sunbelt Software and Malwarebytes Partner to Improve the Security of the Internet
