General discussion

NEWS - April 22, 2010

Bank theft Trojan aims at Firefox users

"Zeus/Zbot evolves beyond IE attacks"

The world's most feared banking Trojan, Zeus, is going after Mozilla Firefox users for the first time, security company Trusteer has reported.

Also known as Zbot, Zeus is designed to steal banking logins from its victims using sophisticated web form spoofing as well as keyloggging. It has previously steered towards Internet explorer thanks to security layers built into Firefox.

According to Trusteer, version 2.0 of the Zeus Trojan has cracked Firefox security, and real examples targeting the browser are now being seen at a rate of one in 3,000 PCs scanned by the company's Rapport service.

Trusteer describes this as a ?unprecedented rate of distribution', which is probably not an unfair characterisation given the malware's known tendency to deliberately under-infect available victims as a way of staying out of the detection range of honeypots. Variants of Zeus also have a history of evading many antivirus scanners when they first appear.

"We expect this new version of Zeus to significantly increase fraud losses, since nearly 30 percent of internet users bank online with Firefox and the infection rate for this piece of malware is growing faster than we have ever seen before," said Trusteer's CTO, Amit Klein.

Continued here:

Discussion is locked

Reply to: NEWS - April 22, 2010
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: NEWS - April 22, 2010
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
- Collapse -
Rogue McAfee update strikes police, hospitals and Intel

"It's bad, but is it Blaster-bad?"

Many enterprises, including police departments and hospitals in the US, were hit by a false positive from McAfee on Wednesday that labelled a core Windows file as potentially malign.

A detection update from McAfee (DAT 595Cool falsely labelled the svchost.exe as the Wecorl-A virus, sending a core Windows system file into quarantine in the process. Infected computers became inoperable and went into a continuous reboot cycle. Clean up operations were further complicated by the fact that the dodgy update disabled network access.

McAfee responded to the problem by withdrawing the definition update and later releasing a clean one. The security giant also published advice on how to manually fix affected computers. The influx of interested parties trying to look up this advice through McAfee's forum caused the site to become unavailable for a short time on Wednesday evening.

Cybercrooks wasted little time in exploiting the situation for their own purposes, poisoning search results so that links to scareware portals appeared prominently in indexes. As a result users are advised to be especially careful if they choose to search for information on solving the problem. Getting advice directly from McAfee is a far better option.

The timing of the update - mid-afternoon on Wednesday (European time) - meant that US enterprise systems configured to automatically apply new updates were among those worst affected. Reported victims include Kansas City Police Department and and the University of Kansas Hospital and about a third of the hospitals in Rhode Island. PCs also went haywire at Intel, the New York Times reports, citing Twitter updates from workers at the chip giant as a source.

First hand experiences from an Iowa community emergency response centre, ironically running a disaster recovery exercise at the time, can be found in a posting to the Internet Storm Centre here. The Register has heard from a senior security officer at a net infrastructure firm that was also hard hit by the snafu, as reported in our earlier story here.

Continued here:

- Collapse -
Rogue Antivirus Gangs Seize on McAfee Snafu

Purveyors of rogue anti-virus, a.k.a. ?scareware,? often seize upon hot trending topics in their daily efforts to beef up the search engine rankings of their booby-trapped landing pages. So it?s perhaps no surprise that these scammers are capitalizing on search terms surrounding McAfee, which just yesterday shipped a faulty anti-virus update that caused serious problems for a large number of customers.

Searching for McAfee?s free scanning tool along with the name of yesterday?s bad update returns page after page of results that when visited launch the familiar come-ons that try to frighten visitors into purchasing bogus (if not also malicious) anti-virus products. I took the screen shots here with Internet Explorer 8, because as usual the booby-trapped pages simply would not load with the noscript add-on enabled in my version of Firefox.

Update 11:08 a.m. ET: Panda Security just published a similar post which lists a number of McAfee-related search terms that can lead to sites like those in the screen shots below. [...] [...][...]

Continued here:

- Collapse -
Scareware hackers exploit McAfee false positive problem

From Graham Cluley's Blog:

Hackers are exploiting a problem with McAfee's anti-virus product that has caused hundreds of thousands of computers around the world to repeatedly reboot themselves.

The New York Times (and many other news outlets) have reported on the problems businesses suffered after a detection update issued by McAfee yesterday caused its anti-virus product to mistakenly detect a harmless Windows file, svchost.exe, as "W32/Wecorl.a" and caused computers to become inoperable.

To its credit, McAfee is discussing the problem on its online community forum, has apologised, withdrawn the buggy update, and advised customers on how to manually fix the affected computers.

But what might be making McAfee's job of getting reliable information about the false positive problem out to the masses that much harder is that malicious hackers are exploiting the situation.

By using blackhat SEO techniques, cybercriminals have managed to get poisoned webpages high in the search rankings if you hunt for information on the McAfee false positive. [...]

Continued here:

From TrendLabs : Cybercriminals Ride on the Back of Security Woes with FAKEAV

- Collapse -
Stored images on photocopiers a security risk

A report by CBS News is causing controversy in the US ? many (professional, digital) photocopiers store copies of scanned documents on an internal hard drive and these images can easily be extracted, often long after the original copy was made. This could be significant if, for example, a copier is sold on and the seller neglects to delete this data. Such copiers store scanned images in order to be able to make multiple copies without having to continuously re-scan the original document.

CBS reporters purchased several used copiers and, after removing the hard drives from the copiers, found medical records, police reports, design plans, payment orders and copies of cheques. Although, in some cases, retrieving these documents did require the use of forensic or file retrieval software.

The content of the report is nothing new; like reports of payroll records turning up on hard drives purchased off eBay, reports like this turn up year after year. According to CBS, Sharp, in a 2008 survey, found that 60% of users were unaware that their data was being saved to a hard drive.

Continued here:

- Collapse -
KOOBFACE IP Taken Down, Gang Transfers Hosting to China

From TrendLabs Malware Blog:

The KOOBFACE FTP grabber component, which is a variant of the LDPINCH Trojan family, usually drops stolen FTP user names and passwords to a remote server controlled by the KOOBFACE gang. This remote server, located in Hong Kong, was taken down last week, thanks largely to the efforts of the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT). However, the KOOBFACE gang was quick to move their server to another hosting company located in China.

The FTP grabber sends stolen credentials to the remote server using the word ?malware? as user-agent and HTTP POST request to the the URL, http://{BLOCKED} [...]

Continued here:

- Collapse -
Mobile network hack reveals sensitive cellphone data

Researchers have demonstrated structural cracks in GSM mobile networks that make it easy to find the number of most US-based cellphone users and to track virtually any GSM-enabled handset across the globe.

The hack builds off research by Tobias Engel who in late 2008 showed how to track the whereabouts of cellphones by tapping into mobile network databases. At the Source Conference in Boston Wednesday, independent researcher Nick DePetrillo and Don Bailey of iSec Partners demonstrated how to use similar techniques to track an individual's location even when his number isn't known and to glean other details most users presume are untraceable.

"Now, we can even assign a name to a number and we can find someone's number," DePetrillo told The Register by phone shortly after his presentation. "The scary thing is that you can give me a random cellphone number and I can tell you, usually, who owns it. So if I want to find Brad Pitt's number I can dump all the cellular phone caller ID information out of California and hunt for his number."

Continued here:

- Collapse -
MS10-025 Security Update to be Re-released

From The Microsoft Security Response Center (MSRC):


MS10-025 is a security update that only affects Windows 2000 Server customers who have installed Windows Media Services (this is a non-default configuration). Today we pulled the update because we found it does not address the underlying issue effectively. We are not aware of any active attacks seeking to exploit this issue and are targeting a re-release of the update for next week.

Customers should review the bulletin for mitigations and workarounds and those with internet facing systems with Windows Media Services installed should evaluate and use firewall best practices to limit their overall exposure. We will continue to share updates here on the blog as available.


Jerry Bryant
Group Manager, Response Communications

See the updated bulletin here : Microsoft Security Bulletin MS10-025

CNET Forums

Forum Info