NEWS - January 24, 2013

Jan 24, 2013 1:36AM PST
Sony Fined £250,000 By UK Over Failures in PlayStation Network Breach

Nearly two years after attackers began what turned out to be a long series of intrusions at Sony, most notably with the PlayStation Network data breach, authorities in the U.K. have fined the company the equivalent of almost $400,000 for not being careful enough with customer data.

The Sony PSN data breach unfolded over the course of several weeks in the spring of 2011 after attackers compromised one of the company's databases and were able to access what turned out to be data belonging to 77 million PSN customers. Sony had to shut down PSN, the company's online gaming community, for a couple of weeks while it investigated the breach and tried to work out what had happened and what data was taken.

In early May 2011, the chairman of Sony sent a letter to the U.S. House Commerce Committee, saying that the company had been the victim of a highly sophisticated attack.

Continued : https://threatpost.com/en_us/blogs/sony-fined-250000-uk-over-failures-playstation-network-breach-012413

Also:
Sony fined £250,000 after hackers gained access to millions of gamers' details
Sony fined £250,000 for 2011 PlayStation Network breach - Update
Sony Fined in Britain for Massive 2011 Data Breach


Backdoors Found in Barracuda Networks Gear
Jan 24, 2013 1:38AM PST

A broad variety of the latest firewall, spam filter and VPN appliances sold by Campbell, Calif.-based Barracuda Networks Inc. contain undocumented backdoor accounts, the company disclosed today. Worse still, while the backdoor accounts are apparently set up so that they would only be accessible from Internet addresses assigned to Barracuda, they are in fact accessible to potentially hundreds of other companies and network owners.

Barracuda's hardware devices are broadly deployed in corporate environments, including the Barracuda Web Filter, Message Archiver, Web Application Firewall, Link Balancer, and SSL VPN. Stefan Viehbock, a security researcher at Vienna, Austria-based SEC Consult Vulnerability Lab, discovered in November 2012 that these devices all included undocumented operating system accounts that could be used to access the appliances remotely over the Internet via secure shell (SSH).

Viehbock found that the username "product" could be used to log in and gain access to the device's MySQL database (root@localhost) with no password, which he said would allow an attacker to add new users with administrative privileges to the appliances. SEC Consult found a password file containing a number of other accounts and hashed passwords, some of which were uncomplicated and could be cracked with little effort.

Continued : http://krebsonsecurity.com/2013/01/backdoors-found-in-barracuda-networks-gear/

Also:
Backdoors in many Barracuda appliances
Barracuda Networks confirms exploitable backdoors in its appliances

Fake Adobe Flash Updates Resurface on the Web
Jan 24, 2013 2:25AM PST

From the GFI Labs blog:

Following the return of fake Google Chrome browser updates almost two weeks ago, online criminals are now banking on fake Adobe Flash Player updates to lure the unwary user into downloading malware onto their system.

Matthew and Robert, two of our researchers in the AV Labs, discovered this upon digging deeper into spam emails claiming to be from the Better Business Bureau (BBB) and eFax Corporate. Complete email details of these spam have been documented in our GFI Software Tumblr site.

The BBB email contains an attachment that is found to be a Pony downloader that, once opened, downloads a variant of the ZeuS banking Trojan onto the affected user's system. The said downloader also steals various passwords related to FTP sites.

Continued : http://www.gfi.com/blog/fake-adobe-flash-updates-resurfaces-in-the-web/

Phishing Scam Spreads via Facebook PM
Jan 24, 2013 2:25AM PST

From the GFI Labs blog:

We've seen a number of cases wherein phishers have used compromised Twitter accounts to send direct messages (DMs) to their followers. We're now beginning to see this same tactic used in Facebook in the form of private messages (PMs), and this isn't just some spam mail in your inbox claiming you have received a "private message".

As of writing, the PM looks like this: [Screenshot]

WARNING: Your account is reported to have violated the policies that are considered annoying or insulting Facebook users.system will disable your account within 24 hours if you do not do the reconfirmation. Please confirm your Facebook account below:



Recipients can act on this message in two ways: they can click the link to confirm their account, or simply ignore the message and delete it from their message inbox. Users who do the latter are guaranteed to be safe from this sort of scam. Users who do the former, however, are led to a single site where they can enter all personal information asked from them. Below are screenshots of the pages in the order of how they will appear to users:

Continued : http://www.gfi.com/blog/phishing-scam-spreads-via-facebook-pm/

'Open Letter to Skype' demands Microsoft come clean about ..
Jan 24, 2013 3:20AM PST
... user privacy

In an "Open Letter to Skype," more than 100 Internet activists and digital rights groups have demanded that the Microsoft-owned VoIP service become transparent about user privacy.

How private is Skype? We don't know, and that's a serious problem.

This is the message put forth in an "Open Letter to Skype," which was published today and carries the signatures of more than 100 Internet activists, companies, and organizations. The signatories hope the letter will urge Microsoft, Skype's parent company, to issue bi-annual Skype "transparency reports" similar to those published by Google, Twitter, and Sonic.net.

"Many of its users rely on Skype for secure communications - whether they are activists operating in countries governed by authoritarian regimes, journalists communicating with sensitive sources, or users who wish to talk privately in confidence with business associates, family, or friends," the letter reads. "It is unfortunate that these users, and those who advise them on best security practices, work in the face of persistently unclear and confusing statements about the confidentiality of Skype conversations, and in particular the access that governments and other third parties have to Skype user data and communications."

Continued : http://www.digitaltrends.com/web/open-letter-to-skype-microsoft-privacy/

Also:
Microsoft Needs To Come Clean On Skype Privacy
Groups raise questions about privacy on Skype
Skype urged to come clean over 'eavesdropping'
Massive Android Botnet Built on Backscript Trojan
Jan 24, 2013 4:46AM PST

Researchers at Symantec say a massive botnet impacting Google Android users in China is built on a new, sophisticated variant of the Backscript Trojan.

Last week, researchers at Kingsoft Security identified the MDK botnet, which they stated has infected up to one million devices. According to Symantec, an analysis of the code of MDK has shown strong similarities to Android.Backscript, and they use the same certificate to sign APKs (Android Application Packages). Unlike previous versions of the malware however, this new variant uses an Advanced Encryption Standard (AES) algorithm to encrypt data in a new file.

"Once installed, the Trojan enables the attacker to remotely control users' devices, consequently allowing the attacker to harvest user data, download additional APKs, and generate nuisance adware," blogged Symantec researcher Flora Liu.

The server app.looking3g.com is used to download scripts and additional APKs, according to Liu.

Continued : http://www.securityweek.com/massive-android-botnet-built-backscript-trojan

Also: Android MDK Trojan Found Lurking in 11K Apps, Using AES Encryption

Arsenal Lotto scam spammed out via PowerPoint file
Jan 24, 2013 4:46AM PST

The scammers must be getting more and more desperate to get their claws on our money.

Their criminal business model is messed up somewhat by anti-spam filters blocking their fraudulent messages from reaching potential victims.

What's a bad guy to do?

Well, they could do what this scammer has done - wrap their scam email up into a format that anti-spam software might not look at so closely.

Subject: Please quote your !
From: Arsenal <notification@hqsportslottery.com>
Attached file: Arsenal.ppt

Message body:
Please find attachement


The scammer doesn't give away much information in the email itself, but open the attachment (a PowerPoint file) and you'll read that Arsenal Football Club have awarded you a £2,350,000 prize in their lottery. [Screenshot]

All you have to do is contact their representative in China, a Dr Cheng Dingxiang, with your personal information (presumably he will request your bank information soon and an administration fee) and before you know it riches will be yours!

Continued : http://nakedsecurity.sophos.com/2013/01/24/arsenal-lotto-powerpoint-scam/