NEWS - January 18, 2013

From Trendlabs Security Intelligence:

Just a word of caution those who will update their systems with the recent Java zero-day security patch: make sure to get it from a reliable source or else face the possibility of a malware infection.

Oracle has recently released its fix to the much talked-about Java zero-day (CVE-2012-3174) incident though with lukewarm reception from certain sectors, which include the US Department of Homeland Security. However, we encountered a malware under the veil of a Java update.

We were alerted to reports of a malware that poses as Java Update 11 created by an unknown publisher. The said fake update in question is javaupdate11.jar (detected as JAVA_DLOADER.NTW), which contains javaupdate11.class that downloads and executes malicious files up1.exe and up2.exe (both detected as BKDR_ANDROM.NTW). Once executed, this backdoor connects to a remote server that enables a possible attacker to take control of the infected system. Users can get this fake update by visiting the malicious website, {BLOCKED}currencyreport.com/cybercrime-suspect-arrested/javaupdate11.jar.

[Screenshot: Website hosting fake Java update]

Continued : http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

AV-Test, the well-known independent organization that tests security software for home and corporate users, has released the results of the latest testing - and it's bad news for Microsoft.

The Redmond giant's Security Essentials 4.1 has failed to gain AV-Test's certification for the second time in a row, and its Forefront Endpoint Protection 2010 is the only corporate solution of the eight that have been tested that similarly failed to pass the test.

Joe Blackbird, a program manager with Microsoft, commented the results in a post on Microsoft's Malware Protection Center official blog by pointing out the well known fact that it's "difficult for independent antimalware testing organizations to devise tests that are consistent with the real-world conditions that customers live in."

He also noted that while AV-Test reports on samples hit or missed by category, Microsoft reports and prioritizes its work based on customer impact.

Continued : http://www.net-security.org/malware_news.php?id=2380

Related: Microsoft fights back on antivirus certification fail, claims malware tests aren't realistic

HP TippingPoint, the long-time organizer of the annual Pwn2Own hacking contest, has revamped the challenge for the second year running and will offer cash awards exceeding half a million dollars, more than five times the amount paid out last year, the company said yesterday.

The 2013 edition of the contest will offer $560,000 in potential prize money to hackers who demonstrate exploits of previously-unknown vulnerabilities in Chrome, Firefox, Internet Explorer (IE) or Safari, or the Adobe Reader, Adobe Flash or Oracle Java browser plug-ins.

Prizes will be awarded on a sliding schedule, with $100,000 for the first to hack Chrome on Windows 7 or IE10 on Windows 8. From there, payments will fall to $75,000 for IE9 and slide through a number of targets before ending at $20,000 for Java. Prizes will also be given for exploiting Adobe Flash and Adobe Reader ($70,000 each), Safari ($65,000) and Firefox ($60,000).

Continued : http://www.computerworld.com/s/article/9235950/Pwn2Own_hacking_contest_puts_record_560K_on_the_line

Related: Pwn2Own Rules Change Again, Flash, Java Now Fair Game for Contestants

Expect the roar from security experts urging users to abandon Java to reach ear-splitting levels after reports this morning that new sandbox bypass vulnerabilities are present in the latest Java update.

"We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11," Java security researcher Adam Gowdiak of Security Explorations in Poland wrote a short while ago on the Full Disclosure mailing list.

Gowdiak said his organization reported two new flaws to Oracle today, along with working proof-of-concept code, a single exploit that relies on two vulnerabilities. He told Threatpost he would not share any details on the vulnerabilities, but said Oracle did confirm it had received the information he sent and had begun looking into the problem.

Reports surfaced earlier this week that the Java 7u11 update was incomplete, and that a vulnerability in the Java MBeanInstantiator had not been patched as promised by Oracle when it released the update last Sunday night. Researcher Esteban Guillardoy of Immunity Inc., said that attackers could pair that vulnerability with the reflection API with recursion in order to bypass Java security checks. The reflection issue was corrected in 7u11; Guillardoy said attackers with enough working knowledge of Java could pair another vulnerability with the MBeanInstantiator bug and have a working exploit.

Continued : https://threatpost.com/en_us/blogs/latest-java-update-broken-two-new-sandbox-bypass-flaws-found-011813

Security experts in Poland on Thursday quietly seized domains used to control the Virut botnet, a huge army of hacked PCs that is custom-built to be rented out to cybercriminals.

NASK, the domain registrar that operates the ".pl" Polish top-level domain registry, said that on Thursday it began assuming control over 23 .pl domains that were being used to operate the Virut network. The company has redirected traffic to those domains to sinkhole.cert.pl, a domain controlled by CERT Polska — an incident response team run by NASK. The company says it will be working with Internet service providers and security firms to help alert and clean up affected users.

"Since 2006, Virut has been one of the most disturbing threats active on the Internet," CERT Polska wrote. "The scale of the phenomenon was massive: in 2012 for Poland alone, over 890 thousand unique IP addresses were reported to be infected by Virut."

Some of the domains identified in the takedown effort — including ircgalaxy.pl and zief.pl — have been used as controllers for nearly half a decade. During that time, Virut has emerged as one of the most common and pestilent threats. Security giant Symantec recently estimated Virut's size at 300,000 machines; Russian security firm Kaspersky said Virut was responsible for 5.5 percent of malware infections in the third quarter of 2012.

Continued : https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/

A security researcher has demonstrated how it is still possible to silently install extensions, or as Mozilla calls them add-ons, for the open source Firefox web browser. In a blog post, Julian Sobrier of ZScaler detailed the process, which makes use of the fact that Firefox uses an Sqlite3 database to maintain information about which add-ons are installed and, of those, which ones have been approved by the user.

This feature, introduced in Firefox 8, was designed to stop toolbars and other applications adding in their own add-ons without informing the user. Sobrier's technique shows though that the mechanism is relatively easy to overcome. Add-ons have privileged access to the browser and therefore a malicious add-on could do anything including stealing the user's history, modifying pages' contents or disabling security features in the browser. The add-on doesn't have to be malicious either, just unexpected; back in 2009 Mozilla found itself blocking a silently installed Microsoft extension which happened to expose Firefox users to a .NET Framework flaw. Without a user knowing what is installed, it becomes hard to react to security threats when they appear.

Continued : http://www.h-online.com/security/news/item/Silent-installs-of-add-ons-still-possible-in-Firefox-1787297.html