NEWS - August 20, 2012

Aug 20, 2012 1:31AM PDT
AMD blog taken offline amid hacking claims

AMD has taken its blog offline amid claims that it has been hacked.

A hacking group calling themselves r00tbeer claimed responsibility for the attack just before 7am AEST, defacing the website and posting a message to its own Twitter account. AMD has since taken its blog down, replacing it with a message stating that it is undergoing "routine maintenance".

"#AMD - R.I.P blogs.amd.com, database will be released in few minutes. #r00tbeersec"
— r00tbeer (@r00tbeer_) August 19, 2012

AMD appeared to be using the popular blogging tool WordPress to power its site. Once broken into, the hackers stole and dumped the WordPress user database. No customer details appear to be present in the leaked database, but it did contain the details of 190 internal accounts. These included usernames, email addresses, hashed passwords and, in some cases, full names of AMD employees or public relations staff that had access to the blog. Only one email address appeared to be a personal account.

Continued : http://www.zdnet.com/amd-blog-taken-offline-amid-hacking-claims-7000002849/

Also:
AMD's blog hacked, user data leaked
Hackers get into AMD and steal over 30,000 - wait for it - BYTES!
AMD's Blog Defaced and Breached
AMD Blogs Hacked By R00tbeer Group

Resilient 'SMSZombie' Infects 500,000 Android Users in China
Aug 20, 2012 1:36AM PDT

"Resilient "SMSZombie" Exploits China Mobile's Payment System - Over 500,000 Android Devices Infected, Firm Says."

Researchers from mobile security firm TrustGo have recently discovered a new, resilient mobile threat targeting Android phones that is said to have infected roughly 500,000 devices, mainly in China.

Called "SMSZombie", the malware is stubborn and hard to remove, but users outside of China have little to worry about with this latest discovery. The prime function of the mobile malware is to exploit a vulnerability in the mobile payment system used by China Mobile, making it of little value to the fraudsters outside of China.

According to TrustGo, the malware is being spread through online forums and has been found in several packages on China's largest mobile app marketplace, GFan. TrustGo has contacted GFan, but so far, the apps are still readily available and continue to be actively downloaded.

Cataloged as SMSZombie.A, it was first discovered by TrustGo on Aug 8, Jerry Yang, Vice President of Engineering at TrustGo told SecurityWeek on Saturday.

Continued : https://www.securityweek.com/resilient-smszombie-infects-500000-android-users-china

Also:
SMS Payment Virus Identified in China, 500,000 Android Device Infected
SMSZombie Malware Infecting Android Devices, Stealing Money
Android 'SMSZombie' Trojan infects 500,000 Chinese users

Inside the Grum Botnet
Aug 20, 2012 2:09AM PDT

KrebsOnSecurity has obtained an exclusive look inside the back-end operations of the recently-destroyed Grum spam botnet. It appears that this crime machine was larger and more complex than many experts had imagined. It also looks like my previous research into the identity of the Grum botmaster was right on target.

A source in the ISP community who asked to remain anonymous shared a copy of a Web server installation that was used as a controller for the Grum botnet. That controller contained several years' worth of data on the botnet's operations, as well as detailed stats on the spam machine's size just prior to its takedown.

[Screenshot: A "Stats" page from a Grum Botnet]

At the time of Grum's demise in mid-July 2012, it was responsible for sending roughly one in every six spams delivered worldwide, and capable of blasting 18 billion spam emails per day. Anti-spam activists at Spamhaus.org estimated that there were about 136,000 Internet addresses seen sending spam for Grum.

But according to the database maintained on this Grum control server prior to its disconnection in mid-July, more than 193,000 systems were infected with one of three versions of the Grum code, malware that turned host systems into spam-spewing zombies. The system seems to have kept track of infected machines not by Internet address but with a unique identifier for each PC, although it's not immediately clear how the Grum botnet system derived or verified those identifying fingerprints.

Continued : https://krebsonsecurity.com/2012/08/inside-the-grum-botnet/

Former DNSChanger addresses out in the wild again
Aug 20, 2012 4:16AM PDT

European IP address authority RIPE NCC has reallocated two IP address blocks that were previously used by the DNSChanger malware. The FBI and the Internet Systems Consortium (ISC) had control over the addresses from last November through to mid-July of this year, in accordance with a US court order, as there was concern about a total blackout for private users' manipulated computers. It's much too soon for reallocation, say some members of the DNS Changer Working Group, which has been working with the FBI. Former ISC CEO Barry Greene is at the forefront of the protest. RIPE NCC, on the other hand, believes that the reallocation is a completely normal procedure.

Administrators in the North American Network Operator Group (NANOG) worry that millions of the computers affected by DNSChanger could still be pointing to those new addresses, which would also be a problem for the new owners. Neither network provider Inevo in Romania (former DNSChanger block 93.188.160.0 to 93.188.167.255) nor Aurimas Rapalis in Lithuania (former DNSChanger block 85.255.112.0 to 85.255.127.255) are using the addresses for servers that can be accessed by outside parties at the moment. The companies have not yet said whether they will keep the addresses in their own "quarantine" or how they would handle a potential flood of redirected DNS queries; requests from The H's associates at heise Security for a statement have so far been unanswered.

Continued : http://www.h-online.com/security/news/item/Former-DNSChanger-addresses-out-in-the-wild-again-1670648.html
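The worry in this item is that machines whose DNS settings were changed by DNSChanger may still be configured to use resolvers inside the two reallocated blocks. The following added example (not part of the original post or of The H's article) uses the first/last addresses quoted above to build the covering networks and then scans a resolv.conf-style resolver list for any nameserver that falls inside them. The sample resolver file and the `find_stale_resolvers` helper are constructed for illustration.

```python
import ipaddress

# Former DNSChanger address blocks exactly as the article reports them
# (first address, last address). The owner labels are the new holders named in the text.
FORMER_DNSCHANGER_RANGES = {
    "Inevo (Romania)": ("93.188.160.0", "93.188.167.255"),
    "Aurimas Rapalis (Lithuania)": ("85.255.112.0", "85.255.127.255"),
}


def build_networks(ranges=FORMER_DNSCHANGER_RANGES):
    """Turn each first/last pair into the CIDR network(s) that cover it exactly."""
    networks = []
    for owner, (first, last) in ranges.items():
        covering = ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)
        )
        for net in covering:
            networks.append((owner, net))
    return networks


def parse_resolv_conf(text):
    """Extract nameserver addresses from resolv.conf-style text.

    Comments (after '#') and blank lines are skipped; a nameserver line whose
    value is not a valid IP address is ignored rather than raising.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue
    return servers


def find_stale_resolvers(text, networks=None):
    """Return (resolver, owner, network) for every configured resolver that
    still points into a former DNSChanger block."""
    networks = networks if networks is not None else build_networks()
    hits = []
    for addr in parse_resolv_conf(text):
        for owner, net in networks:
            if addr in net:
                hits.append((str(addr), owner, str(net)))
    return hits


# Constructed sample input; not taken from any real host.
SAMPLE_RESOLV_CONF = """\
# constructed sample resolver configuration
nameserver 85.255.112.36   # inside the former 85.255.112.0 - 85.255.127.255 block
nameserver 8.8.8.8
nameserver 93.188.161.9    # inside the former 93.188.160.0 - 93.188.167.255 block
"""

if __name__ == "__main__":
    for resolver, owner, net in find_stale_resolvers(SAMPLE_RESOLV_CONF):
        print(f"resolver {resolver} is inside former DNSChanger block {net} (now {owner})")
```

Run as a script it reports two of the three sample resolvers; on a real Unix host you would feed it the contents of `/etc/resolv.conf`, and on Windows the equivalent list comes from `ipconfig /all`. A resolver that matches is not proof of infection, but it is a host worth looking at, since anything still pointing there will either fail to resolve or depend on whatever the new holders choose to run on those addresses.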

Pirated Mobile Apps Get Hacked, Cracked, and Smacked
Aug 20, 2012 4:16AM PDT

"Arxan study claims 90% of top 100 paid Android and iOS apps ending up criminalized in hackers' hands"

Those popular mobile apps that everyone's buying from the official Android and Apple apps stores for business and fun are being torn apart by hackers who turn around and post these abused apps filled with malware, their content pirated or otherwise tampered, according to a study out today.

Security vendor Arxan, which makes tools for hardening applications from tampering, says it wants to make this point about apps abuse with its study that describes how it found that 92% of the top 100 paid apps being sold in the Apple App Store had been hacked in various ways, and so had a full 100% of the top 100 apps originally found in Google Play.

"As a hacker, you can take the official application and make it free, and have hidden malware -- the original app owner doesn't know," says Jukka Alanen, vice president of business development at Arxan Technologies and author of the study, "Mobile Apps under Attack."

Beyond its look to find pirated and malware-laden versions of paid apps, Arxan also says it found that 40% of the top 15 free Apple iOS apps and 80% of the top 15 free Android apps (based on May 2012) were found to be hacked in a similar way.

The hacked apps that Arxan discovered included not just knock-offs of the popular Angry Birds app, but also an app for voice translation, games like Flick Homerun and tools such as Beautiful Widgets from LevelUpStudio.

Continued : http://www.networkworld.com/news/2012/082012-pirated-app-malware-261702.html

Also: 92% of the top 100 mobile apps have been hacked

Suspicious eFax Spear Phishing Messages
Aug 20, 2012 4:16AM PDT

From SANS ISC:

Chad sent us a report today that they have been receiving strange eFax messages. Users who are using eFax are receiving "spear phishing" emails.

The emails are using the default eFax account (From: eFax <message@inbound.efax.com>) and avoiding most corporate SPAM filters. The link contained in this fax is suspicious; it redirects to 3 different sites with the same Javascript. [Screenshot]

We are looking for additional information that could help us understand if this new "spear phishing" method is widespread. If you have been receiving similar messages or have any tips on how you managed to filter this type of activity, please use our contact form, or share in the comments below.

[1] http:// wepawet.iseclab.org/view.php?hash=dc41d8a1e845994cb01e3223ab51cbf1&t=1345162214&type=js
[2] http:// wepawet.iseclab.org/view.php?hash=5c8c6f3205e7aa28bfd32d59f320e069&t=1345162348&type=js
[3] http:// wepawet.iseclab.org/view.php?hash=f990f01593e5b603ee319c92f8cf3e94&t=1345162442&type=js

Update 1: What we have learned so far:

• You don't need to be an eFax subscriber to receive these eFax via email. Anyone can be a target
• It appears to be part of a Blackhole Exploit campaign
• The following seems to actively block suspicious eFax: Symantec Enterprise Protection 11, Barracuda and Mailmarshal emailgateway

Update 2:

Continued : https://isc.sans.edu/diary.html?storyid=13921

iPhone 5 Rumors Used as Bait for Adobe Exploit CVE-2012-1535
Aug 20, 2012 7:12AM PDT

From the Symantec Security Response Blog:

Thanks to Santiago Cortes for his assistance with this research.

Some samples exploiting the Adobe Flash Player CVE-2012-1535 Remote Code Execution Vulnerability through malicious Word documents have been captured. These samples were observed on Adobe Flash Player 11 Active X, version 11.0.1.152.

The attackers spread the malicious Word documents through email and entice their victims with file names referencing Apple's iPhone. [Screenshot]

The .doc files attached to the email contain hidden malicious .swf files. The .swf files then drop more files onto the compromised computer, which are then opened, for example:

• %Temp%\~WRD0001.doc
• %Temp%\Word8.0\ShockwaveFlashObjects.exd
• %Temp%\Word8.0\ShockwaveFlashObjects.exd
• %Temp%\Word8.0\ShockwaveFlashObjects.exd
• %UserProfile%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol

Meanwhile, the threat is also downloaded and then executed.

Continued : http://www.symantec.com/connect/blogs/iphone-5-rumors-used-bait-adobe-exploit-cve-2012-1535

Royal Mail malware attack distributed via email
Aug 20, 2012 7:12AM PDT

It's wise to be wary when it comes to unsolicited email, even when the email appears to come from a legitimate organisation.

Today we're warning internet users to be careful not to be tricked into opening attachments that have been spammed out, posing as communication from the British Royal Mail. [Screenshot]

A typical email reads:

Royal Mail Group Shipment Advisory

The following 1 piece(s) have been sent via Royal Mail on Mon, 20 Aug 2012 15:43:14 +0530, REF# 5646597645

SHIPMENT CONTENTS: Documents

SHIPPER REFERENCE: PLEASE REFER TO ATTACHED FILE

ADDITIONAL MESSAGE FROM SHIPPER: PLEASE REFER TO ATTACHED FILE

Royal Mail Group Ltd 2012. All rights reserved


It should go without saying that the emails are not connected with the real Royal Mail in any way, despite them appearing to arrive from noreply@royalmail.com and containing the Royal Mail's logo.

Continued : http://nakedsecurity.sophos.com/2012/08/20/royal-mail-malware/

Scam alert: Watch out for WhatsApp requests on Facebook
Aug 20, 2012 7:29AM PDT

Heads up folks, for I was just sent a WhatsApp request from a Facebook friend that promptly forwarded me to some shady URL (see second screenshot below because I prefer not to share it here) and this totally legit-looking page: [Screenshot]

That page leads to the app in the screenshot below, which looks sorta kinda authentic until you spend half a second looking at the icky URL, the low number of users, the fact that the app's name is not capitalized properly and whatnot. [Screenshot]

Should I mention that the person who sent me the initial Facebook request in the first place is someone who works at antivirus and Internet security software juggernaut Kaspersky Lab? I should, because it's only a little embarrassing and I guess it means anyone can get fooled. For what it's worth, this person says he never approved anything (though he isn't terribly sure either).

Either way, it's viral, and the end goal appears to be fetching your private Facebook information.

Now I'm an old man and I don't really understand this Facebook thing, but I'm pretty sure there aren't supposed to be this many WhatsApp Facebook apps on its platform in the first place (see screenshot). Especially given that WhatsApp is a mobile messaging company and DOESN'T ACTUALLY HAVE a Facebook app. [Screenshot]

Continued : http://thenextweb.com/facebook/2012/08/20/scam-alert-watch-whatsapp-requests-facebook/