NEWS - August 29, 2012

An alleged member of the LulzSec hacktivist group has been arrested in the US in an investigation into last year's hack of Sony Pictures Entertainment's database.

Sony was pummelled by cyber attacks last year, the most significant one targeting its PlayStation Network (PSN) in April, which saw data of 77 million users compromised. In June, it emerged SonyPictures.com was hacked. LulzSec claimed to be behind the attack, saying it had published several lists with extracts from over a million compromised user accounts.

Raynaldo Rivera, a 20-year-old from Arizona, was taken into custody in Phoenix Arizona yesterday, the FBI said, charging him with conspiracy and unauthorised impairment of a protected computer. He could be jailed for up to 15 years, according to various reports.

Breaking LulzSec apart

The FBI has been cracking down on the hacktivist group. Another alleged LulzSec member, 24-year-old Cody Kretsinger, was arrested last year and pleaded guilty to charges relating to the same hit on Sony.

Continued : http://www.techweekeurope.co.uk/news/lulzsec-sony-arrest-fbi-90668

Also:
Second Accused LulzSec Member Arrested for Attacking Sony
Suspected LulzSec member arrested by FBI for Sony Pictures hack
LulzSec: Another Sony hacker arrested
FBI arrests LulzSec member over Sony Pictures hack

Following the arrival of Firefox 15, the Mozilla Project has released version 15 of its open source Thunderbird email client, which includes security improvements, some new features, instant messaging support and an updated user interface. The release is the second since Mozilla announced plans to halt new development on Thunderbird by the time Thunderbird 17 was released. Features that have been in development at Mozilla are being included in the Thunderbird releases running up to Thunderbird 17.

For example, the instant messaging feature has been in development for some time. The developers had previously added support for instant messaging in Thunderbird 13 and 14, but had decided to disable it by default while they were polishing the implementation. Instant messaging conversations can be displayed in their own tabs within the standard Thunderbird user interface. Supported chat networks currently include Facebook Chat, Google Talk, IRC, Twitter and XMPP/Jabber. Instructions for configuring and using chat are provided.

Thunderbird 15 is the first version of the email client to have full support for the "Do Not Track" (DNT) header. The DNT privacy setting is a developing standard being used to tell web sites that the browser user wishes to opt-out of online behavioural tracking; Firefox has had support for DNT since version 4.0.

Continued : http://www.h-online.com/security/news/item/Thunderbird-15-activates-instant-messaging-1677823.html

[Screenshot: Wiper Registry Keys]

How does a security company study a strain of malware that systematically wipes a hard drive clean, including any traces of its own code? And is there any evidence that Wiper, one particular flavor of malware that hit computers in Iran's oil industry in the spring, is connected to nation-state tools such as Stuxnet?

In an attempt to answer these questions and others about several pieces of malware that have cropped up recently, Kaspersky Lab has released new details about its investigation of Wiper.

According to Kaspersky, Wiper shares a couple of characteristics with the DuQu and Stuxnet attacks that suggest it might have been developed by Israel and the U.S. - the nations believed to be behind DuQu and Stuxnet. But, the researchers say in a blog post published Wednesday, that the similarities are circumstantial and not enough to draw firm conclusions just yet.

They also say Wiper is not related to Shamoon, a piece of malware that attacked computers in Saudi Arabia this month. Kaspersky believes, however, that Wiper was likely the inspiration for the less sophisticated attackers behind Shamoon.

Continued : http://www.wired.com/threatlevel/2012/08/wiper-possible-origins/

From Websense Security:

Websense ThreatSeeker Network intercepted a malicious email campaign posing as antivirus notifications that warn users that their accounts may be blocked. These fake messages state that the victim's email address has been sending infected email to the mail server, and that the situation may be remedied if the user clicks a URL to download a free removal tool. The "free tool" is, of course, a malicious executable that connects to malicious websites, and then drops more executables on the victim's computer.

This looks like a low-volume campaign, as we have seen (and blocked) approximately 2700 of this type of email yesterday and today.

The email may contain a subject like this:

[Symantec] - Your e-mail account may be blocked.

The "from" address varies and may appear as:
scanner@symantec.com
scanonline@f-secure.com
symantec@verisign.com
scan@sophos.com
symantec@sophos.com
virscan@secureroot.com
noreply@verisign.com

Here's a sample: [Screenshot]

Notice that the email text contains the phrase "Scanning sytem...", which is completely false. No scan is taking place. The victim is notified that the computer is infected with the worm W32.Swizzor.C-WORM and is urged to download the removal tool for protection.

Continued : http://community.websense.com/blogs/securitylabs/archive/2012/08/28/malicious-e-mails-posing-as-anti-virus-notifications.aspx

From the Symantec Security Response Blog:

Since mid-August, Symantec have been observing spam samples containing links with file extensions in the URLs. If these links are clicked they do not open any files, instead they redirect the user to an online pharmacy website. The following file extensions are used in the URLs:

.asp
.doc
.htm
.html
.mp3
.mpeg
.pdf
.php
.txt

The following URLs were seen in spam samples examined by Symantec:

• http:// [REMOVED].be/HOOK2_txt
• http:// [REMOVED].com.br/897110_doc
• http:// [REMOVED].com/677115_php
• http:// [REMOVED].com/686112_asp
• http:// [REMOVED].ru/706060_mp3
• http:// [REMOVED].ru/HOOK2_htm
• http:// [REMOVED].ru/vern_html
• http://[REMOVED].org/521862_pdf
• http:// [REMOVED].com/139097_mpeg

Spam email examples: [Screenshot]

The links redirect users to the following online pharmacy website:

Continued : http://www.symantec.com/connect/blogs/beware-spam-links-look-file-extensions

Robert Duvall has apparently died while filming a movie in New Zealand, according to posts circulating on social media websites. In reality, the actor is alive and well, but he did join the ranks of celebrities who have been recently declared dead.

A couple of days ago, Twitter started buzzing with news that the actor might have died in an accident in New Zealand. Many of the posts contained a link that apparently led to a legitimate news website that confirmed the news.

"Preliminary reports from New Zealand Police officials indicate that the actor fell more than 60 feet to his death on the Kauri Cliffs while on-set. Specific details are not yet available," the article reads.

However, a closer look at the website shows that it's not an actual news site, but a service that's specially designed for such pranks. The user simply replaces the name of the subdomain with the name of the victim and they're presented with an apparently legitimate news story.

We will not share the name of the site because there are enough such hoaxes as it is, and advertising it even more certainly doesn't help.

Continued : http://news.softpedia.com/news/Robert-Duvall-Falls-to-His-Death-in-New-Zealand-Hoax-288780.shtml

Security researchers from Radware have discovered a new Trojan Key Logger named "Admin.HLP" that they say captures sensitive user information and attempts to export it to a server in a remote location.

The malicious file came hidden within a standard Windows help file named Amministrazione.hlp, and has been used in targeted attacks, against at least one Radware customer, Ronen Kenig, Director, Product Marketing, Security Products at Radware told SecurityWeek.

Admin.HLP Used In Targeted AttackRadware would not disclose the industry vertical for the customer that had been targeted and infected with the malware.

"The file is being spread through email", Kenig said. "The malware is attached to a Windows help file, and when a user attempts to open the help file, they will see the help menu, but it will also invoke the Trojan which installs itself on the victim's computer.

The tactic to use Windows help files as the infection vector is rarely seen, unlike other common .exe files that even novice users know could be dangerous.

"The general population are not aware the help files can be malicious as well," Kenig said.

"By using HLP-script language, the attacker is able to inject the encrypted malicious payload and execute the stub to decrypt the Trojan code," a threat analysis document obtained by SecurityWeek explained.

Continued : http://www.securityweek.com/radware-discovers-new-trojan-keylogger-used-targeted-attack