10 total posts
Hybrid Hydras and Green Stealing Machines
Hybrids seem to be all the rage in the automobile industry, so it's unsurprising that hybrid threats are the new thing in another industry that reliably ships updated product lines: The computer crime world. The public release of the source code for the infamous ZeuS Trojan earlier this year is spawning novel attack tools. And just as hybrid cars hold the promise of greater fuel efficiency, these nascent threats show the potential of the ZeuS source code leak for morphing ordinary, run-of-the-mill malware into far more efficient data-stealing machines.
Researchers at Trusteer have unearthed evidence that portions of the leaked ZeuS source code have been fused with recent versions of Ramnit, a computer worm first spotted in January 2010. Amid thousands of other password-stealing, file-infecting worms capable of spreading via networked drives, Ramnit is unremarkable except in one respect: It is hugely prolific. According to a report (PDF) from Symantec, Ramnit accounted for 17.3 percent of all malicious software that the company detected in July 2011.
Trusteer says this Ramnit strain includes a component that allows it to modify Web pages as they are being displayed in the victim's browser. It is this very feature - code injection - that has made ZeuS such a potent weapon in defeating the security mechanisms that many commercial and retail banks use to authenticate their customers.
Continued : http://krebsonsecurity.com/2011/08/hybrid-hydras-and-green-stealing-machines/#more-11255
Related: Trusteer warns of evolving 'Ramnit' online banking attack
That UK.gov Firefox cookie leakage snafu explained
If you've used the latest version of Firefox to visit a UK government website in the last few weeks, you may have noticed something unusual in the browser address bar.
Instead of highlighting, for example, direct.gov.uk, as you might expect from Firefox 6.0's new domain-conscious security behaviour, only the gov.uk portion is shown in bold type. [Screenshot]
Far from merely a cosmetic change, this actually indicates potentially insecure behaviour that could enable user cookies to be shared between different government-run websites.
Firefox uses Mozilla's volunteer-maintained Public Suffix List to break down domain names into their component parts, enabling it essentially to determine which level of an address indicates its owner.
While anybody can register second-level domains such as example.com, some extensions require you to use the third level, such as example.co.uk and example.com.au.
Continued : http://www.theregister.co.uk/2011/08/25/cookie_leak_bug_hits_gov_uk/
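The cookie-scope consequence described above, as an added example that is not part of the article: a minimal implementation of the Public Suffix List lookup (exact, wildcard and exception rules), run against a constructed rule subset with and without a `gov.uk` entry. The rule sets are made up for illustration and are not the real list.

```python
# Added example: how a Public Suffix List (PSL) lookup picks a host's public
# suffix and "registrable domain", the scope browsers use for cookie sharing
# and for the bolded part of the address bar. Rule sets below are constructed.

def parse_rules(text):
    # One rule per line; '//' starts a comment, '!' marks an exception,
    # '*' matches exactly one label.
    rules = []
    for line in text.splitlines():
        line = line.split("//")[0].strip()
        if line:
            rules.append(line)
    return rules

def public_suffix(host, rules):
    # PSL algorithm: an exception rule beats everything; otherwise the
    # matching rule with the most labels wins; no match means the TLD.
    labels = host.lower().rstrip(".").split(".")
    best, best_len, exception = None, 0, False
    for rule in rules:
        is_exc = rule.startswith("!")
        r = (rule[1:] if is_exc else rule).split(".")
        if len(r) > len(labels):
            continue
        tail = labels[-len(r):]
        if all(a == b or a == "*" for a, b in zip(r, tail)):
            if is_exc and not exception:
                best, best_len, exception = r, len(r), True
            elif not exception and len(r) > best_len:
                best, best_len = r, len(r)
    if best is None:
        return labels[-1]
    n = len(best) - 1 if exception else len(best)  # exception drops its left label
    return ".".join(labels[-n:])

def registrable_domain(host, rules):
    # Public suffix plus one more label; None if host is itself a suffix.
    suffix = public_suffix(host, rules)
    labels = host.lower().rstrip(".").split(".")
    n = len(suffix.split(".")) + 1
    return ".".join(labels[-n:]) if len(labels) >= n else None

def same_cookie_scope(host_a, host_b, rules):
    # True if a cookie set with Domain=<registrable domain> reaches both hosts.
    a, b = registrable_domain(host_a, rules), registrable_domain(host_b, rules)
    return a is not None and a == b

# Constructed subsets: one lists gov.uk as a public suffix, one omits it.
RULES_WITH_GOV = parse_rules("com\nuk\nco.uk\ngov.uk  // constructed")
RULES_MISSING_GOV = parse_rules("com\nuk\nco.uk  // gov.uk absent")
```

With `gov.uk` missing, `registrable_domain("direct.gov.uk", RULES_MISSING_GOV)` collapses to `gov.uk`, so two unrelated government sites fall into one cookie scope; with the entry present, each site keeps its own.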
Scan from a Xerox WorkCentre? Trojan attack spammed widely
Emails claiming to come from a Xerox WorkCentre Pro photocopier have been spammed widely across the internet, containing a malicious file as an attachment.
Modern photocopiers don't just copy your confidential documents, or see the downside of inebriated staff antics at the office party, they can also email you your documents these days.
Which makes them a possibly all-too-convincing disguise for today's spammed-out malware campaign.
Although the precise wording varies from email to email, they all claim to be a scan (or sometimes a forwarded scan) from a Xerox WorkStation Pro. [Screenshot]
Scan from a Xerox WorkCentre Pro #[number]
Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
Sent by: Guest
Number of Images: 1
Attachment File Type: ZIP [DOC]
WorkCentre Pro Location: machine location not set
Device Name: [random]
The names of attached files can vary but are along the lines of Xerox_Document_08.23_C11125.zip and Xerox_Scan_08.23_K1274.zip.
Continued : http://nakedsecurity.sophos.com/2011/08/25/scan-from-a-xerox-workcentre-trojan-attack-spammed-out-widely/
Anonymous eyes Wall Street after BART protests
Anonymous has apparently set its sights on Wall Street after leading multiple protests against BART (Bay Area Rapid Transit) in San Francisco.
Although many commuters who depend on the train system say they could do without station shutdowns and delays, the digital collective shows little sign of halting their hacktivist expansion into the physical realm.
"On September 17th, Anonymous will flood into lower Manhattan, set up tents, kitchens, peaceful barricades and occupy Wall Street for a few months," a purported Anonymous member claimed on YouTube. [Video]
"Once there, we shall incessantly repeat one simple demand in a plurality of voices. We want freedom. The abuse and corruption of corporations, banks and governments ENDS HERE!!"
However, the activist emphasized that the protest would be a "non-violent one," as Anonymous does "not encourage violence" in any way.
Obviously, Wall Street traders are unlikely to react positively to Anonymous setting up shop outside the Exchange, but what about the rest of NYC? [Video]
Continued : http://www.tgdaily.com/security-features/58103-anonymous-eyes-wall-street-after-bart-protests
"Free Facebook Credits" scam
After a rather long time, Facebook users are again seeing offers of "Free Facebook Credits!" on their News Feed.
Those users who are not aware of the fact that they can only get Facebook Credits if they buy them, earn them or receive them from friends can be easy targets for this rather legitimate-looking scam: [Screenshot]
The page in question - located at freefb-5000.blogspot.com and still available - continues to convince the user of the legitimacy of the offer: "You might be thinking how this works. Well, this works because of the advertisers and sponsors who pay us for every promotion. So don't thank us for the free credits, thank our great sponsors!"
To get the free FB Credits, the user is required to jump through a few hoops. He must share the page, post about it and then "Like" four other pages.
In the end, the user is taken to a page where he is asked to complete a survey. Do I need to point out that there are no free FB Credits waiting for him once he has performed all this?
Firm at heart of biggest oil spill spews toxic web attack
Transocean, the offshore drilling contractor at the center of the world's biggest marine oil spill in the history of petroleum production, has been caught spewing a virtual sort of toxic sludge, according to a report released Thursday.
Researchers at web security firm Websense said deepwater.com, Transocean's official website, has been hosting malicious exploit code that attempts to install malware on the machines of people who visit the site. The researchers counted at least two separate attacks included in several deepwater.com pages that exploit known vulnerabilities in Microsoft's Internet Explorer browser and Adobe's Flash media player.
Only 16 percent of the top 44 antivirus programs detected the latter exploit, the Websense report said, citing this analysis from Virustotal. The exploit code is stashed in invisible iframe tags planted on Transocean's site, the report said.
As of 10:30 am California time, about 26 hours after the exploit code was first detected, the attacks were continuing unabated, Patrik Runald, a senior manager for security research at Websense, told The Register. They stopped shortly after The Reg asked a Transocean spokesman to comment.
"We don't know exactly how the compromise happened but as the attackers were able to upload the exploit files to the server it's not a SQL injection attack (which usually involves redirection to an external server)," he wrote in an email.
Continued : http://www.theregister.co.uk/2011/08/25/transocean_website_compromise/
From Websense Security: Transocean oil/gas rig contractor compromised (deepwater.com) - UPDATE: NOW FIXED
Microsoft Releases New Versions of Software Security Tools
Microsoft has released new versions of several of its software security tools, including its Threat Modeling Tool and a pair of fuzzers. All of the tools are part of the company's Security Development Lifecycle program, which it has been sharing with external organizations for a few years now.
Microsoft's internal teams developed a number of tools that they use in writing and assessing software, and the company has been making some of them available publicly. One of the key tools in the SDL arsenal is the company's Threat Modeling Tool, which is used by developers and engineers at the beginning of a project to help find potential threats before they start writing code. The new version of the tool includes more stable support for Visio 2010 and Team Foundation Server.
Microsoft also released new versions of two specialized fuzzers: RegExFuzz and MiniFuzz. Both fuzzers are meant to be used in the Verification Phase of the SDL program. MiniFuzz is a basic fuzzer and the RegExFuzz tool is designed specifically for finding problems with regular expressions in software.
Continued : http://threatpost.com/en_us/blogs/microsoft-releases-new-versions-software-security-tools-082511
UPnP-enabled routers allow attacks on LANs
Routers from various manufacturers support UPnP (Universal Plug and Play) on their WAN interfaces, which apparently makes it possible for attackers to reconfigure them remotely via the internet and, for example, misuse them as surfing proxies or to infiltrate internal LANs. The problem was discovered by IT security specialist Daniel Garcia, who has developed the Umap tool to demonstrate the problem; the tool is available to download free of charge. [Screenshot]
Umap detects UPnP-enabled end devices such as DSL routers and cable modems on the internet by directly retrieving the devices' XML descriptions. The required URLs and ports for some models are hard-coded into the tool. This enables the software to bypass the usual restriction that only allows UPnP to search for compatible hardware via multicast in local networks. Garcia says that entire device series by Edimax, Linksys, Sitecom or Thomson (SpeedTouch) respond to UPnP requests on their WAN interfaces.
Since UPnP isn't designed to include any authentication, the XML description can always be retrieved. Garcia said that, by performing an internet scan, he managed to detect 150,000 potentially vulnerable devices within a short period of time. Once initial contact has been made, the scanner sends such UPnP commands as AddPortMapping or DeletePortMapping to the devices via SOAP requests. LAN devices usually use these commands to access the internet via NAT. However, the devices from the manufacturers in question allow the port to be opened - and redirected to any other LAN device - via the WAN interface. Umap attempts to guess the internal IP address that is required to do so.
Continued : http://www.h-online.com/security/news/item/UPnP-enabled-routers-allow-attacks-on-LANs-1329727.html