NEWS - August 29, 2012

Java 0-day exploit added to Blackhole kit, still no news about patch

The recently discovered Java zero-day flaw that has been spotted being used in limited targeted attacks in the wild has created quite a stir.

A module that exploits the vulnerability is already available to users of the Metasploit pentesting tool and, according to F-Secure researchers, the developer of the Blackhole exploit kit has outfitted it with an exploit that takes advantage of the flaw, too.

By comparing this exploit code to that of the proof-of-concept exploit recently published by Joshua Drake, research scientist with Accuvant Labs, they discovered that it's almost an exact copy.

Symantec researchers have already spotted two websites created to exploit the flaw, and additional ones can't be far behind.

In the meantime, researchers from Security Explorations have confirmed for Softpedia that Oracle has already been working on a patch for the two flaws that allow the attack. According to Adam Gowdiak, the firm's CEO, they had reported both to Oracle back in April 2012.

Continued :

Unpatched Java Vulnerability Exploited in Blackhole-based Attacks
The Current Web-Delivered Java 0day
Researchers Identify Second New Java Bug
Discussion is locked
Reply to: NEWS - August 29, 2012
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: NEWS - August 29, 2012
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
- Collapse -
Second Alleged LulzSec Sony Hacker Arrested

An alleged member of the LulzSec hacktivist group has been arrested in the US in an investigation into last year's hack of Sony Pictures Entertainment's database.

Sony was pummelled by cyber attacks last year, the most significant one targeting its PlayStation Network (PSN) in April, which saw data of 77 million users compromised. In June, it emerged was hacked. LulzSec claimed to be behind the attack, saying it had published several lists with extracts from over a million compromised user accounts.

Raynaldo Rivera, a 20-year-old from Arizona, was taken into custody in Phoenix Arizona yesterday, the FBI said, charging him with conspiracy and unauthorised impairment of a protected computer. He could be jailed for up to 15 years, according to various reports.

Breaking LulzSec apart

The FBI has been cracking down on the hacktivist group. Another alleged LulzSec member, 24-year-old Cody Kretsinger, was arrested last year and pleaded guilty to charges relating to the same hit on Sony.

Continued :

Second Accused LulzSec Member Arrested for Attacking Sony
Suspected LulzSec member arrested by FBI for Sony Pictures hack
LulzSec: Another Sony hacker arrested
FBI arrests LulzSec member over Sony Pictures hack

- Collapse -
Thunderbird 15 activates instant messaging

Following the arrival of Firefox 15, the Mozilla Project has released version 15 of its open source Thunderbird email client, which includes security improvements, some new features, instant messaging support and an updated user interface. The release is the second since Mozilla announced plans to halt new development on Thunderbird by the time Thunderbird 17 was released. Features that have been in development at Mozilla are being included in the Thunderbird releases running up to Thunderbird 17.

For example, the instant messaging feature has been in development for some time. The developers had previously added support for instant messaging in Thunderbird 13 and 14, but had decided to disable it by default while they were polishing the implementation. Instant messaging conversations can be displayed in their own tabs within the standard Thunderbird user interface. Supported chat networks currently include Facebook Chat, Google Talk, IRC, Twitter and XMPP/Jabber. Instructions for configuring and using chat are provided.

Thunderbird 15 is the first version of the email client to have full support for the "Do Not Track" (DNT) header. The DNT privacy setting is a developing standard being used to tell web sites that the browser user wishes to opt-out of online behavioural tracking; Firefox has had support for DNT since version 4.0.

Continued :

- Collapse -
Wiper Malware That Hit Iran Left Possible Clues of Origins

[Screenshot: Wiper Registry Keys]

How does a security company study a strain of malware that systematically wipes a hard drive clean, including any traces of its own code? And is there any evidence that Wiper, one particular flavor of malware that hit computers in Iran's oil industry in the spring, is connected to nation-state tools such as Stuxnet?

In an attempt to answer these questions and others about several pieces of malware that have cropped up recently, Kaspersky Lab has released new details about its investigation of Wiper.

According to Kaspersky, Wiper shares a couple of characteristics with the DuQu and Stuxnet attacks that suggest it might have been developed by Israel and the U.S. - the nations believed to be behind DuQu and Stuxnet. But, the researchers say in a blog post published Wednesday, that the similarities are circumstantial and not enough to draw firm conclusions just yet.

They also say Wiper is not related to Shamoon, a piece of malware that attacked computers in Saudi Arabia this month. Kaspersky believes, however, that Wiper was likely the inspiration for the less sophisticated attackers behind Shamoon.

Continued :

- Collapse -
Malicious Email Messages Posing as Antivirus Notifications

From Websense Security:

Websense ThreatSeeker Network intercepted a malicious email campaign posing as antivirus notifications that warn users that their accounts may be blocked. These fake messages state that the victim's email address has been sending infected email to the mail server, and that the situation may be remedied if the user clicks a URL to download a free removal tool. The "free tool" is, of course, a malicious executable that connects to malicious websites, and then drops more executables on the victim's computer.

This looks like a low-volume campaign, as we have seen (and blocked) approximately 2700 of this type of email yesterday and today.

The email may contain a subject like this:

[Symantec] - Your e-mail account may be blocked.

The "from" address varies and may appear as:

Here's a sample: [Screenshot]

Notice that the email text contains the phrase "Scanning sytem...", which is completely false. No scan is taking place. The victim is notified that the computer is infected with the worm W32.Swizzor.C-WORM and is urged to download the removal tool for protection.

Continued :

- Collapse -
Toyota says it was hacked by ex-IT contractor, sensitive..
.. information stolen

Toyota has accused an IT contractor that the car manufacturer fired just last week of breaking into its computer systems, and stealing sensitive information including trade secrets.

In a complaint filed at the US District Court in Lexington, Kentucky, the North American branch of the Toyota Motor company claimed that Ibrahimshah Shahulhameed illegally accessed one of its websites, after being dismissed from his contracting job on August 23rd.

Within hours of his dismissal, Shahulhameed is said to have logged into the website without authorisation, and spent hours downloading proprietary plans for parts, designs and pricing information.

The website is used by Toyota's suppliers to exchange highly sensitive information with the company about current and future products. [Screenshot]

Toyota claims that if the information were shared with competitors, or made public, "it would be highly damaging to Toyota, and its suppliers, causing immediate and irreparable damage."

Continued :

Toyota accuses ex contractor of hacking, stealing trade secrets
Toyota Accuses Former Contractor of Hacking Website to Steal Trade Secrets
Federal judge stops ex-Toyota employee from leaving country over computer hacking allegations
- Collapse -
Video: FBI ransomware: exposed, explained & eliminated
Reveton/FBI ransomware - exposed, explained and eliminated

Ransomware is malicious software that locks you out of your computer or your data, and demands money to let you back in.

One "brand" of ransomware, widely known as Reveton, has been very widely circulated in recent months.

Reveton pretends to be a warning from your country's national police service, locks you out of your PC, and threatens criminal proceedings within 48 hours - usually for unspecified copyright offences.

Of course, you can bypass the prosecution if you pay a "fine" to the cybercriminals. The amount they extort is typically about $200.

If you run across this sort of malware, it's tempting just to wear the cost and hope that the crooks live up to their promise of giving your PC back.

We recommend that you don't do that, so here's a short video to advise you, and your friends and family, on what to do instead:

Continued :
- Collapse -
Beware of Spam Links that Look Like File Extensions!

From the Symantec Security Response Blog:

Since mid-August, Symantec have been observing spam samples containing links with file extensions in the URLs. If these links are clicked they do not open any files, instead they redirect the user to an online pharmacy website. The following file extensions are used in the URLs:


The following URLs were seen in spam samples examined by Symantec:

• http:// [REMOVED].be/HOOK2_txt
• http:// [REMOVED]
• http:// [REMOVED].com/677115_php
• http:// [REMOVED].com/686112_asp
• http:// [REMOVED].ru/706060_mp3
• http:// [REMOVED].ru/HOOK2_htm
• http:// [REMOVED].ru/vern_html
• http://[REMOVED].org/521862_pdf
• http:// [REMOVED].com/139097_mpeg

Spam email examples: [Screenshot]

The links redirect users to the following online pharmacy website:

Continued :

- Collapse -
'FIRST ever' Linux, Mac OS X-only password sniffing Trojan
.. spotted

Security researchers have discovered a potential dangerous Linux and Mac OS X cross-platform trojan.

Once installed on a compromised machine, Wirenet-1 opens a backdoor to a remote command server, and logs key presses to capture passwords and sensitive information typed by victims.

The program also grabs passwords submitted to Opera, Firefox, Chrome and Chromium web browsers, and credentials stored by applications including email client Thunderbird, web suite SeaMonkey, and chat app Pidgin. The malware then attempts to upload the gathered data to a server hosted in the Netherlands.

The software nastie was intercepted by Russian antivirus firm Dr Web, the company that carried out much of the analysis of the infamous Flashback trojan. Dr Web describes Wirenet-1 as the first Linux/OSX cross-platform password-stealing trojan.

Multi-platform virus strains that infect Windows, Mac OS X and Linux machines are extremely rare but not unprecedented. One example include the recent Crisis super-worm. Creating a strain of malware that infects Mac OS X and Linux machines but not Windows boxes seems, frankly, weird given the sizes of each operating system's userbase - unless the virus has been designed for some kind of closely targeted attack on an organisation that uses a mix of the two Unix flavours.

Continued :
- Collapse -
Robert Duvall Falls to His Death in New Zealand, Hoax

Robert Duvall has apparently died while filming a movie in New Zealand, according to posts circulating on social media websites. In reality, the actor is alive and well, but he did join the ranks of celebrities who have been recently declared dead.

A couple of days ago, Twitter started buzzing with news that the actor might have died in an accident in New Zealand. Many of the posts contained a link that apparently led to a legitimate news website that confirmed the news.

"Preliminary reports from New Zealand Police officials indicate that the actor fell more than 60 feet to his death on the Kauri Cliffs while on-set. Specific details are not yet available," the article reads.

However, a closer look at the website shows that it's not an actual news site, but a service that's specially designed for such pranks. The user simply replaces the name of the subdomain with the name of the victim and they're presented with an apparently legitimate news story.

We will not share the name of the site because there are enough such hoaxes as it is, and advertising it even more certainly doesn't help.

Continued :

- Collapse -
Radware Discovers New Trojan Keylogger Used in Attacks

Security researchers from Radware have discovered a new Trojan Key Logger named "Admin.HLP" that they say captures sensitive user information and attempts to export it to a server in a remote location.

The malicious file came hidden within a standard Windows help file named Amministrazione.hlp, and has been used in targeted attacks, against at least one Radware customer, Ronen Kenig, Director, Product Marketing, Security Products at Radware told SecurityWeek.

Admin.HLP Used In Targeted AttackRadware would not disclose the industry vertical for the customer that had been targeted and infected with the malware.

"The file is being spread through email", Kenig said. "The malware is attached to a Windows help file, and when a user attempts to open the help file, they will see the help menu, but it will also invoke the Trojan which installs itself on the victim's computer.

The tactic to use Windows help files as the infection vector is rarely seen, unlike other common .exe files that even novice users know could be dangerous.

"The general population are not aware the help files can be malicious as well," Kenig said.

"By using HLP-script language, the attacker is able to inject the encrypted malicious payload and execute the stub to decrypt the Trojan code," a threat analysis document obtained by SecurityWeek explained.

Continued :

- Collapse -
Oracle Knew About Currently Exploited Java Vulnerabilities..
.. for Months, Researcher Says

Oracle knew since April about the existence of the two unpatched Java 7 vulnerabilities that are currently being exploited in malware attacks, according to Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations.

Security Explorations reported 19 Java 7 security issues to Oracle on Apr. 2. Those issues included the two zero-day -- unpatched -- vulnerabilities that attackers are exploiting to infect computers with malware, Gowdiak said Wednesday via email.

The company continued to report Java 7 vulnerabilities to Oracle in the following months until the total number reached 29. "We demonstrated 16 full Java SE 7 sandbox compromises with the use of our bugs," Gowdiak said.

According to security researchers from security firm Immunity, the Java exploit published online earlier this week and integrated into the Blackhole attack toolkit makes use of two Java vulnerabilities not one, as it was previously believed.

"The first bug was used to get a reference to sun.awt.SunToolkit class that is restricted to applets while the second bug invokes the getField public static method on SunToolkit using reflection with a trusted immediate caller bypassing a security check," Immunity developer Esteban Guillardoy said Tuesday in a blog post.

Continued :
- Collapse -
How I cracked my neighbor's WiFi password without breaking..
.. a sweat

Last week's feature explaining why passwords are under assault like never before touched a nerve with many Ars readers, and with good reason. After all, passwords are the keys that secure Web-based bank accounts, sensitive e-mail services, and virtually every other facet of our online life. Lose control of the wrong password and it may only be a matter of time until the rest of our digital assets fall, too.

Take, for example, the hundreds of millions of WiFi networks in use all over the world. If they're like the ones within range of my office, most of them are protected by the WiFi Protected Access or WiFi Protected Access 2 security protocols. In theory, these protections prevent hackers and other unauthorized people from accessing wireless networks or even viewing traffic sent over them, but only when end users choose strong passwords. I was curious how easy it would be to crack these passcodes using the advanced hardware menus and techniques that have become readily available over the past five years. What I found wasn't encouraging.

Continued :
- Collapse -
Facebook friend added a new photo of you? Beware ..
.. spammed-out malware attack

Computer users are being warned to be careful about opening unsolicited email attachments, after a malicious Trojan horse was spammed out posing as a Facebook notification that the recipient is featured in a newly uploaded photograph.

The emails, which pretend to come from Facebook, look like the following (click here for a larger version of the image). [Screenshot]

Subject: Your friend added a new photo with you to the album

Attached file: New_Photo_With_You_on_Facebook_PHOTOID[random].zip

Message body:


One of Your Friends added a new photo with you to the album.

You are receiving this email because you've been listed as a close friend.

[View photo with you in the attachment]

Of course, the emails don't really come from Facebook.

But there are surely many people who could be duped into believing that they have been tagged by one of their friends in a photograph, and want to see if they look overweight, unattractive or simply fabulous (delete as applicable).

Continued :

CNET Forums