Spyware, Viruses, & Security forum

General discussion

NEWS - December 13, 2010

by Carol~ Moderator / December 12, 2010 8:16 PM PST
"HDD Plus" malware spread through major ad networks, using malvertising and drive-by download


Over the past few days, we saw the quick spread of HDD Plus -- a malware that (somehow) gets installed on victim computers, and holds the computer hostage by displaying threatening message (that the system is failing), asking you to purchase a license so HDD Plus will fix the problems.

Information on HDD Plus can be found here and here.

We've realized that one of the means for HDD Plus to spread, was via drive-by download malvertising through (at least) DoubleClick and rad.msn.com, which are both the world's largest ad serving platforms.

This is detailed technical report.


Behavior: Users visit websites that incorporate banner ads from DoubleClick or rad.msn.com, the malicious javascript is served from ADShufffle.com (notice the three f's), starts a drive-by download process and if successful, HDD Plus and other malware are installed into the victim's machine, without having the need to trick the victim into doing anything or clicking on anything. Simply visiting the page infects the visitors.

Known sites affected: Sites that incorporate DoubleClick or rad.msn.com banners, including for example Scout.com (using DoubleClick), realestate.msn.com, msnbc.com (using both), and mail.live.com. We'd like to note here it's very possible that multiple exchanges, besides those listed here, have been serving the fake ADShufffle's ads.

Important dates:

Dec 2nd: Registration of the associated malicious domains

Dec 3rd: HackAlert first detected this drive-by download being served by DoubleClick (2010-12-04T02:18:50+00:00GMT). We were not aware at this time (HackAlert flags too many URLs per day of live Web malware)

Continued : http://blog.armorize.com/2010/12/hdd-plus-malware-spread-through.html

Major Ad Networks Found Serving Malicious Ads
Google, Microsoft Ad Networks Briefly Hit With Malware

Related: Google DoubleClick Caught Serving Malicious Ad
Discussion is locked
You are posting a reply to: NEWS - December 13, 2010
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: NEWS - December 13, 2010
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
McDonald's, Walgreens Warn Customers of Data Theft
by Carol~ Moderator / December 12, 2010 9:01 PM PST

McDonald's is warning its customers of the theft of a database of customers who signed up for promotions, such as its Monopoly game. The data breach makes them vulnerable to phishing attacks and other scams and identity theft.

A similar warning was also issued by Walgreen's.

McDonald's stressed that its records don't include financial information or Social Security Numbers. But it would include customers' ages, phone numbers, email addresses and physical addresses.

The world's largest fast food chain said it hired Arc Worldwide to do its promotional email campaign. That company, in turn, hired another firm to coordinate and distribute emails. It was that unnamed company whose records were accessed, McDonald's said.

"Law enforcement officials have been notified and are investigating this incident," McDonald's said in an email to its customers.

Continued : http://www.walletpop.com/2010/12/11/mcdonalds-warns-customers-of-data-theft/

Also: Hackers Steal McDonald's Customer Data

Collapse -
Gawker wrestles with reader data breach, hacking
by Carol~ Moderator / December 12, 2010 9:01 PM PST


Gawker.com has apparently been the victim of a pair of security compromises this weekend, one of which put reader's data at risk.

The news, pop culture, and gossip site informed readers today in a blog post that its database of 1.5 million reader-commenting accounts had been compromised and urged its users to change their passwords:

' Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you've used the same passwords.
We're deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems. And, yes, the irony is not lost on us.

Later in day, it was revealed that the site itself was compromised as well when a post appeared there reportedly linking to the site's source code at The Pirate Bay. The story appeared under the byline of Gawker writer Adrian Chen, but Chen tweeted that he had not written the story and the site had been hacked.

Continued : http://news.cnet.com/8301-1009_3-20025424-83.html

Hackers Disrupt Sites Run by Gawker Media
Gawker rooted by anonymous hackers

Collapse -
Twitter diet spam splurge blamed on Gawker compromise
by Carol~ Moderator / December 12, 2010 9:38 PM PST

Compromised Twitter accounts are being abused to post spam messages promoting a diet website.

Tens of thousands of messages promoting an acai berries diet website appeared on Sunday, prompting speculation that a worm was spreading across the micro-blogging service.

However, it seems the spam fest was not caused by twits tricked into visiting a maliciously constructed website. Rather it seems that the compromised Twitter accounts promoting the spam messages were hit as a result of last weekend's Gawker compromise.

Exposed users made the mistake of using the same login credentials for both Gawker and Twitter. The attack illustrates the importance of using different login credentials on different websites, as well as the common sense approach of using hard-to-guess passwords.

Twitter has begun pushing password resets to affected accounts. The micro-blogging service blames the snafu on the Gawker compromise and bad password security rather than anything under its direct control.

Continued : http://www.theregister.co.uk/2010/12/13/twitter_diet_spam_gawker_compromise/

Collapse -
Passwords compromised at Gawker, Gizmodo, Lifehacker, Kotaku
by Carol~ Moderator / December 12, 2010 11:38 PM PST
... Deadspin and more

Following a security breach at Gawker Media, computer users who have left comments on websites such as Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot are being advised to change their passwords as a matter of priority.

In a statement published on their websites, the media group said:

'We understand how important trust is on the internet, and we're deeply sorry for and embarrassed about this breach of security - and of trust. We're working around the clock to ensure our security (and our commenters' account security) moving forward.

If you've registered an account on any Gawker Media web site (that includes Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, io9, or Fleshbot), and you didn't log in using Facebook Connect, then it's best to assume that your username and password were included among the leaked data.

Up to 1.3 million passwords are said to have been stolen from the websites by a hacking group calling itself Gnosis. The grabbed credentials were then posted up on Pirate Bay, allowing others - potentially - to compromise accounts.

Continued : http://nakedsecurity.sophos.com/2010/12/13/gawker-gizmodo-lifehacker-password-change/
Collapse -
Connecticut AG Demands Google Street View WiFi Data
by Carol~ Moderator / December 12, 2010 9:01 PM PST

"Connecticut state Attorney General Richard Blumenthal compelled Google to turn over data collected from Connecticut citizens via insecure WiFi networks with Street View."

Connecticut state Attorney General Richard Blumenthal ratcheted up his July request for data Google collected from Connecticut citizens via insecure wireless networks by demanding the search engine to cough it up.

Blumenthal's office issued a civil investigative demand, or the equivalent of a subpoena, to make Google turn over the data its Street View cars inadvertently grabbed from personal and business WiFi networks across the state.

Google admitted in May its Street View cars, which rove streets all over the world to grab imagery for Google Maps, had grabbed 600GB of WiFi network data from more than 30 countries around the world since 2007.

Continued : http://www.eweek.com/c/a/Security/Connecticut-AG-Demands-Google-Street-View-WiFi-Data-234961/

Collapse -
Spammers Send Fake Twitter-Themed Emails About WikiLeaks
by Carol~ Moderator / December 12, 2010 9:01 PM PST

Spammers are trying to capitalize on the Twitter WikiLeaks buzz by sending out fake emails that purport to come from the microblogging site and direct users to rogue online pharmacy sites.

"The email is very well crafted, containing a fake version of the headers which Twitter is adding," warns Sorin Mustaca, a data security expert at German antivirus vendor Avira.

The spammers also make use of Twitter's real email template, which includes its logo, color scheme and disclaimer, in order to add credibility to the fake messages.

The emails bear a subject of "WikiLeaks on Twitter!" and read "Hello, Twitter-er! [date] @WIKILEAKS on Twitter! http://twitter.com/WIKILEAKS/[CENSORED]." They are signed by "The Twitter Team."

Instead of leading to WikiLeak's Twitter account, the included link takes users to rogue online pharmacy websites pushing the usual male enhancement pills.

WikiLeaks and the leaked U.S. Department of State cables are such a hot topic in the world right now that this kind of attacks were bound to happen.

Continued : http://news.softpedia.com/news/Spammers-Send-Fake-Twitter-Themed-Emails-About-WikiLeaks-172067.shtml

Collapse -
Overdue patches published for RealPlayer
by Carol~ Moderator / December 12, 2010 9:01 PM PST

RealNetworks has released a monster update that closes an impressive 27 security holes in Windows RealPlayer 11.1. Other versions, such as RealPlayer SP, RealPlayer Enterprise and the Mac / Linux versions are also partially affected. Apparently the current RealPlayer 14.0 does not exhibit any of the vulnerabilities.

RealNetworks does not comment on the severity of the flaws in its announcement. Most of the holes are related to flaws in the handling of certain multimedia formats, which cause buffer overflows and other memory management problems. Such errors can often be exploited to inject and execute malicious code; in extreme cases, computers can be infected with spy software.

iDefense comes to a similar conclusion [1, 2]. A look at its advisories also explains why RealPlayer 14 is not vulnerable. RealNetworks was notified of some of the holes six months ago, but apparently waited until now to patch older versions after the patched version 14 was published at the end of October.

Continued : http://www.h-online.com/security/news/item/Overdue-patches-published-for-RealPlayer-1151696.html

Further Details - Vulnerabilities & Fixes

Collapse -
Google, Twitter Tools Helped Protests
by Carol~ Moderator / December 12, 2010 9:01 PM PST

Student protesters last week turned to social media sites, including Twitter and Facebook, to co-ordinate their mass demonstration in Westminster, U.K. and other areas.

Google Maps was also used extensively as protesters pinpointed what was happening and where.

The sites were used equally by the police, who watched for information on the protesters' plans. Police officers were present in large numbers around the planned route and at changed locations.

The demonstration, which in places turned violent and led to police cordoning off parts of central London, was held in protest at the near trebling of university fees to ?9,000 a year. The change was narrowly passed in a controversial vote in the House of Commons the same day.

The extensive use of social networking sites to co-ordinate and track demonstrations comes in a week when Twitter and the blogosphere were alive with comments on US ambassadors' cables leaked by Wikileaks. Blogs and forums are also being extensively used to co-ordinate hacking attacks on businesses unwilling to work with the whistleblower website.

Students have claimed they were making easy use of social media and Google to co-ordinate their actions.

A few days ago I suggested the protesting students could do with some kind of "anti-kettling app," to outwit the efforts of the police to stop them protesting," said Ben Goldacre on his blog.

Continued : http://www.pcworld.com/article/213340/google_twitter_tools_helped_protests.html

Collapse -
Why GSM-Based ATM Skimmers Rule
by Carol~ Moderator / December 12, 2010 9:01 PM PST

Earlier this year, KrebsOnSecurity featured a post highlighting the most dangerous aspects of GSM-based ATM skimmers, fraud devices that let thieves steal card data from ATM users and have the purloined digits sent wirelessly via text message to the attacker's cell phone. In that post, I explained that these mobile skimmers help fraudsters steal card data without having to return to the scene of the crime. But I thought it might be nice to hear the selling points directly from the makers of these GSM-based skimmers.

So, after locating an apparently reliable skimmer seller on an exclusive hacker forum, I chatted him up on instant message and asked for the sales pitch. This GSM skimmer vendor offered a first-hand account of why these cell-phone equipped fraud devices are safer and more efficient than less sophisticated models - that is, for the buyer at least (I have edited his sales pitch only slightly for readability and flow).

Throughout this post readers also will find several images this seller sent me of his two-part skimmer device, as well as snippets from an instructional video he ships with all sales, showing in painstaking detail how to set up and use his product. The videos are not complete. The video he sent me is about 15 minutes long. I just picked a few of the more interesting parts.

Continued (with video) here : http://krebsonsecurity.com/2010/12/why-gsm-based-atm-skimmers-rule/#more-6782

Collapse -
Amazon knocked offline by 'hardware failure'
by Carol~ Moderator / December 12, 2010 9:37 PM PST

Online retailer Amazon has said its European websites were temporarily offline because of a "hardware failure".

British, French, German, Austrian and Italian sites were down for about 30 minutes on Sunday during a peak pre-Christmas shopping period.

The outage occurred during a time of ongoing threats against major sites by pro-Wikileak activists.

A group known as Anonymous is targeting firms, including Amazon, that withdrew services from the whistle-blowing site.

"The brief interruption to our European retail sites last night was due to hardware failure in our European datacentre network and not the result of a [distributed denial of service] attempt," said a spokesperson for the firm.

Amazon sites ending .it, .de, .uk, .fr and .at - which are all hosted in Dublin - were unavailable for about half an hour at about 2115 GMT on Sunday, according to a Twitter posting by web monitoring firm Netcraft.

Continued : http://www.bbc.co.uk/news/technology-11980125

Amazon goes offline in Europe
Amazon blames hardware - not hackers - for European outage

Collapse -
Debian and Red Hat close Exim hole
by Carol~ Moderator / December 12, 2010 9:37 PM PST

Four days after a security hole was discovered in the free Exim mail server, the developers of Debian and Red Hat have released corrected versions for their Linux distributions. While the Exim version provided by Red Hat blocks root access, Debian's new Exim contains fixes for a memory flaw that allows code to be executed with Exim user rights. However Debian's patched version does not provide any protection against the hole that allows attackers to get root rights. Before they fix that problem, the developers first want to clarify some "compatibility issues," which they plan to do as soon as possible.

The flaw has been remedied In the Exim sources since version 4.70, released at the end of 2008. The correction was not, however, marked as relevant for security and therefore was not included in older versions. Debian's stable Lenny distribution still uses Exim 4.69, while Red Hat has 4.43.

Continued : http://www.h-online.com/security/news/item/Debian-and-Red-Hat-close-Exim-hole-1151693.html

Also :
Exim code-execution bug, now with root access
Possible root vulnerability in Exim internet mailer

Further Details : Vulnerabilities & Fixes

Collapse -
IPv4 Unallocated Space Running Out, Film at 11
by Carol~ Moderator / December 12, 2010 11:38 PM PST

There is a tracker at http://twitter.com/IPv4Countdown which currently calculates that all of IPv4 address space will be allocated by the end of February 2011. The 100,000,000 address mark was broken on Sunday.

Prediction: A couple of years from now, we will scoff at this campaign sort of like we now scoff at the Y2K panic back in 1999, except this time, there's quite a lot less of alarmist coverage in the popular media.

Because, let's face it, this is not armageddon. "Allocated" does not mean "used". What we are seeing is a gold rush to stake out the last available unallocated pieces of IPv4 space. Or rather just a land grab, because it's unlikely that there is a lot of gold in them thar hills. But certainly, the operators who are now buying the remaining available pieces of IANA's unallocated address space are hoping to make some good money putting it up for sale or lease, or at least turn a profit. If the laws of demand and supply hold, and IPv6 doesn't suddenly take off spectacularly, IPv4 address prices can be expected to rise, and some actors are no doubt gambling that they will rise a lot.

Continued : http://www.f-secure.com/weblog/archives/00002074.html

Collapse -
Free makeup scam spreads rapidly across Facebook
by Carol~ Moderator / December 13, 2010 6:40 AM PST

A scam targeting women on Facebook is spreading very rapidly across the social network, pretending to offer free makeup.

If you see a message like the following being posted by one of your Facebook friends, do not click on the link. [Screenshot]

"anyone want some free makeup? ive just ordered mine for free and i thought i would post it here before the offer runs out. its stuff like mac, maybeline, estee lauder etc! The site is: "

Of course, many women on Facebook might be tempted by the offer of free makeup and (without thinking about the possible consequences) click on the link, especially as it appears to have been shared with them by one of their online friends.


Collapse -
Net neutrality lobbying to peak this week
by Carol~ Moderator / December 13, 2010 6:41 AM PST

Expect lobbying around net neutrality to reach fever pitch through Tuesday. After that, the Federal Communications Commission will go into its bunker to deliberate a draft of rules that will be voted on Dec. 21.

One group, Free Press, plans to let the FCC know that it doesn't like what it has heard so far. The public interest group will deliver a petition to the agency, with 2 million signatures, saying draft rules that don't regulate wireless networks with anti-discrimination provisions do not go far enough. The petition also will call for stronger rules that prohibit network operators from offering paid prioritization of some services that could effectively make the delivery of other Web sites worse. Free Press and dozens of other media reform and consumer advocacy groups jointly sent a letter along these lines last week.

Continued : http://voices.washingtonpost.com/posttech/2010/12/expect_lobbying_around_net_neu.html

Collapse -
Website Attackers Could Be Easily Traced, Researchers Say
by Carol~ Moderator / December 13, 2010 6:41 AM PST

People using a tool to conduct distributed denial-of-service (DDOS) attacks against other websites in support of WikiLeaks can easily be traced, according to computer security researchers.

Thousands of people have downloaded the "Low Orbit Ion Cannon," a tool that bombards a targeted website with garbled traffic in an attempt to knock it offline. The tool has been promoted by Anonymous, a loose-knit group of online campaigners that has attacked companies that cut off support for WikiLeaks since it began releasing secret U.S. diplomatic cables in late November.

But researchers at the University of Twente in Enschede, Holland, say it is easy for ISPs to identify those using the tool, as it takes no measures to protect the identity of its users, according to their paper.

There are several versions of the Low Orbit Ion Cannon: one is a client application that is downloaded by a user and can be remotely controlled via an IRC (Internet Relay Chat) or be manually configured. The other is a JavaScript-based Web site.

Continued : http://news.yahoo.com/s/pcworld/20101213/tc_pcworld/websiteattackerscouldbeeasilytracedresearcherssay

Collapse -
Operation Payback Has New Target: Corporate Fax Machines
by Carol~ Moderator / December 13, 2010 7:43 AM PST

The activists behind Operation Payback have come up with a new way to annoy corporations that have severed their ties with WikiLeaks: bombard them with faxes.

In online chats, group members have posted the fax numbers for about a half-dozen corporations and are calling volunteers to fill up the fax machines, using free online fax services such as MyFax.com and FaxZero.com. They're recommending that people use anonymizing software such as the Tor Project to access these sites, so that they cannot be traced by authorities.

The latest development comes after websites belonging to Visa, MasterCard International and PayPal have been hit with distributed denial of service attacks, launched by Operation Payback in an effort to pressure the companies to resume payment processing for WikiLeaks.

"The enemy is adapting to our strategies, Gentlemen, but they are a lumbering bureaucracy. We can change faster," the group said in a note being circulated on its chat servers Monday.

Continued : http://www.pcworld.com/businesscenter/article/213473/operation_payback_has_new_target_corporate_fax_machines.html

Popular Forums

Computer Newbies 10,686 discussions
Computer Help 54,365 discussions
Laptops 21,181 discussions
Networking & Wireless 16,313 discussions
Phones 17,137 discussions
Security 31,287 discussions
TVs & Home Theaters 22,101 discussions
Windows 7 8,164 discussions
Windows 10 2,657 discussions


Your favorite shows are back!

Don’t miss your dramas, sitcoms and reality shows. Find out when and where they’re airing!