Spyware, Viruses, & Security forum


NEWS - January 31, 2012

by Carol~ Moderator / January 31, 2012 1:34 AM PST
Hackers Infect WordPress 3.2.1 Blogs to Distribute TDSS Rootkit

Hackers are compromising WordPress 3.2.1 blogs in order to infect their visitors with the notorious TDSS rootkit, according to researchers from Web security firm Websense.

It's not clear how the websites are being compromised, but there are publicly known exploits for vulnerabilities that affect WordPress 3.2.1, which is an older version of the popular blog publishing platform.

Once they gain unauthorized access to a blog, the attackers inject malicious JavaScript code into its pages in order to load a Java exploit from a third-party server.

"From our analysis the number of infections is growing steadily (100+)," said Websense principal security researcher Stephan Chenette in a blog post on Monday. The company's research into this mass code injection campaign indicates that whoever is behind it is experienced.

The Java vulnerability exploited in the attack is known as CVE-2011-3544 and allows the remote execution of arbitrary code. In this case, the attackers are leveraging it to install a version of the TDSS rootkit on the computers of people visiting the website.

Continued : http://www.pcworld.com/businesscenter/article/249024/hackers_infect_wordpress_321_blogs_to_distribute_tdss_rootkit.html

As referenced from M86 Security Labs: Massive Compromise of WordPress-based Sites but 'Everything will be Fine'

Massive Compromise of Wordpress Sites Leads To Phoenix Exploit Kit
Compromised WordPress sites lead to Phoenix exploit kit
WordPress targeted in malware attack
An Update on Android.Counterclank
by Carol~ Moderator / January 31, 2012 1:54 AM PST

From the Symantec Security Response Blog:

Last week, we posted a blog informing Android users of the discovery of new versions of Android.Tonclank, which we have named Android.Counterclank. The blog generated a bit of discussion over whether these new versions should be a concern to Android users. When classifying applications, our focus is on whether users want to be informed of the application's behavior, allowing them to make a more informed choice regarding whether to install it.

The situation we find ourselves in is similar to when Adware, Spyware, and Potentially Unwanted Applications first made appearances on Windows. Many security vendors did not initially detect these applications, but eventually, and with the universal approval of computer users, security companies chose to notify users of these types of applications.

Since our initial blog post, we have determined the code in the Tonclank and Counterclank applications comes from the same vendor. The vendor is a company who distributes an SDK (software development kit) to third parties to help them monetize their applications, primarily through search.

In particular, the SDK code will connect to a remote server (apperhand.com) and send the following information:

Continued : http://www.symantec.com/connect/blogs/update-androidcounterclank

Related posts:
Symantec's trojan warning criticised as scaremongering
Android.Counterclank Found in Official Android Market

Megaupload Server Purge Delayed
by Carol~ Moderator / January 31, 2012 5:40 AM PST

A scheduled purging of Megaupload's data was tentatively shelved Tuesday to give its millions of account holders an opportunity to attempt to retrieve their content from the file-sharing service, whose top officials were indicted on criminal copyright charges.

The authorities shuttered the Hong Kong-based site Jan. 19, and indicted seven of its top officials in what the Justice Department said was "among the largest criminal copyright cases ever brought by the United States."

As part of its prosecution, the government had copied an undisclosed amount of data from Megaupload's servers in the United States.

The entire contents of Megaupload were set to be purged later this week by Carpathia and Cogent, two of Megaupload's U.S.-based server hosts. The United States has frozen Megaupload's assets, and it has been unable to pay its hosting bill, said Ira Rothken, Megaupload's attorney.

Rothken said in a telephone interview he is negotiating with the government to unfreeze Megaupload assets to keep Megaupload's servers active so the company can "deliver consumer data back to consumers." He said the two companies have agreed not to purge data for at least two weeks.

Continued : http://www.wired.com/threatlevel/2012/01/megaupload-server-purge/?intcid=postnav

Kelihos/Hlux botnet returns with new techniques
by Carol~ Moderator / January 31, 2012 5:41 AM PST

From Kaspersky Lab Weblog:

It has been four months since Microsoft and Kaspersky Lab announced the disruption of Kelihos/Hlux botnet. The sinkholing method that was used has its advantages - it is possible to disable a botnet rather quickly without taking control over the infrastructure. However, as this particular case showed, it is not very effective if the botnet's masters are still at large.

Not long after we disrupted Kelihos/Hlux, we came across new samples that seemed to be very similar to the initial version. After some investigation, we gathered all the differences between the two versions. This is a summary of our findings:

Let's start with the lowest layer, the encryption and packing of Kelihos/Hlux messages in the communication protocol. For some reason, in the new version, the order of operations was changed. Here are the steps of processing encrypted data for retrieving a job message which is organized as a tree structure:

Continued : http://www.securelist.com/en/blog/655/Kelihos_Hlux_botnet_returns_with_new_techniques

MSUpdater Trojan and link to targeted attacks
by Carol~ Moderator / January 31, 2012 9:48 AM PST

From the Zscaler Threat Lab Blog:

This blog post is based on a joint report (pdf) by Zscaler and Seculert (their blog post). Researchers from both companies separately identified attacks which used a remote access tool (RAT) malware that apparently targeted defense-related organizations. With joined forces, we analyzed the incidents that we observed and those published in the open-source to identify attack patterns and incidents from early 2009 to present. [Screenshot of Report (pdf) heading]

The threat arrives in phishing emails with a PDF attachment, possibly related to conferences for the particular targeted industry. The PDF exploits a vulnerability within Adobe (for example, a 0-day exploit was used against CVE-2010-2883) which then drops a series of files to begin communicating with the command and control (C&C). [Screenshot: Example Conference PDF "Lure"]

The malware dropped and launched from the PDF exploit has been seen to be virtual machine (VM) aware in order to prevent analysis within a sandbox. The Trojan functionality is decrypted at run-time, and includes expected functionality, such as downloading, uploading, and executing files driven by commands from the C&C. Communication with the C&C is over HTTP but is encoded to evade detection. The Trojan file name (e.g., "msupdate.exe") and the HTTP paths used in the C&C (e.g., "/microsoftupdate/getupdate/default.aspx") are used to stay under the radar by appearing to be related to Microsoft Windows Update - hence the name given to this Trojan.

Continued : http://research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html

From Seculert: MSUpdater Trojan and the Conference Invite Lure
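As an added example (not code from the Zscaler/Seculert report), the following Python flags proxy-log requests that imitate Windows Update but talk to non-Microsoft hosts, using the file name and C&C path quoted above as indicators. The log lines and the Microsoft domain allowlist are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log (not real data): source IP, method, URL, client process.
# Lines 2 and 3 mimic the MSUpdater pattern; lines 1 and 4 are genuine Microsoft traffic.
PROXY_LOG = """\
10.0.0.5 GET http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab wuauclt.exe
10.0.0.7 GET http://198.51.100.23/microsoftupdate/getupdate/default.aspx msupdate.exe
10.0.0.9 POST http://update.example-cdn.net/microsoftupdate/getupdate/default.aspx?id=7 msupdate.exe
10.0.0.5 GET http://www.microsoft.com/en-us/download/ iexplore.exe
"""

# Assumed allowlist: domains where real Windows Update traffic is expected to go.
MS_UPDATE_DOMAINS = ("microsoft.com", "windowsupdate.com")
# C&C path fragment quoted in the report; treat as a low-fidelity indicator, since
# the operators can change it at will, and pair it with the host check below.
CNC_PATH = re.compile(r"/microsoftupdate/getupdate/", re.IGNORECASE)
LURE_PROCESS = "msupdate.exe"  # the real client is wuauclt.exe, not msupdate.exe


def is_microsoft_host(host):
    """True if host is one of the allowlisted domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MS_UPDATE_DOMAINS)


def analyse_line(line):
    """Return a finding dict for a suspicious request, or None if it looks benign."""
    src, _method, url, process = line.split()
    parts = urlsplit(url)
    host = parts.hostname or ""
    if is_microsoft_host(host):
        return None  # Update-like traffic to Microsoft itself is expected
    reasons = []
    if CNC_PATH.search(parts.path):
        reasons.append("Windows-Update-like path on non-Microsoft host")
    if process.lower() == LURE_PROCESS:
        reasons.append("msupdate.exe is not a Microsoft update client")
    if not reasons:
        return None
    return {"src": src, "host": host, "process": process, "reasons": reasons}


def scan(log_text):
    """Scan a block of log lines and collect all findings."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return [f for f in map(analyse_line, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(PROXY_LOG):
        print(finding)
```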

Firefox 10 Now Available for Download
by Carol~ Moderator / January 31, 2012 9:51 AM PST

Mozilla today made the latest update of its open-source Web browser, Firefox 10, available for download in Windows, Mac, and Linux editions. The update, the latest in the organization's "rapid release" program, improves the way the browser handles add-on updating, and adds a gaggle of new tools and capabilities for Web developers to use, which in turn, means more powerful and compelling sites for end users.

For example, the new browser version allows site creators to run their Web apps in full screen, and offers new 3D graphics capabilities—both of which are well suited to browser-based gaming, among other applications.

One of Firefox's hallmarks has long been its rich extension support, and many of the browser's users list that as the primary reason for choosing Firefox. Version 10 will make the browser and extension upgrades smoother, less interruptive processes for end users. Now, instead of requiring an extension to explicitly be marked by its coder as Firefox 10-compatible, the browser will assume that the extension is compatible if it was programmed for any Firefox version back to version 4.

Before, the add-on would have been disabled, unless it was obtained through Mozilla's Add-ons for Firefox page. But Mozilla reports that 75 percent of all extensions in use were not acquired there. An exception here is binary add-ons, coded in compiled languages like C++, which, according to Mozilla's Wiki, "are never compatible between releases and are also the highest risk of negative side effects."

Continued : http://www.pcmag.com/article2/0,2817,2399625,00.asp

From the Mozilla Blog: Firefox Adds Powerful New Developer Tools

Firefox 10 arrives with new dev tools and full-screen API
Firefox 10 hits the streets

See: Update - January 31, 2012

Rising Cyber-War Threat Forcing Nations to Bolster Defenses
by Carol~ Moderator / January 31, 2012 9:51 AM PST

"The threat of cyber-war and cyber-attacks are serious enough that countries need to beef up their defenses as part of their military strategy."

Cyber-security experts are concerned about the prospect of cyber-war and growing number of cyber-threats, according to a recent report released by McAfee.

Over half, or 57 percent, of cyber-security specialists surveyed in the "Cyber-security: the Vexed Question of Global Rules" (pdf) report said a global arms race was taking place in cyber-space, McAfee said Jan. 30. Additionally, 84 percent of those surveyed said cyber-attacks threatened national and international security as well as trade.

Respondents felt cyber-security should be considered a part of the country's military defense. About 36 percent of respondents said cyber-security was more important than missile defense. Another 45 percent believed cyber-security was as important as border security.

"For the moment, the 'bad guys' have the upper hand - whether they are attacking systems for industrial or political espionage reasons, or simply to steal money," the researchers wrote in the report.

Criminals are able to "choreograph well-orchestrated attacks" because they have large funding streams, are more agile, and don't operate under any legal restrictions when it comes to sharing data, Phyllis Schneck, McAfee's vice-president and CTO, said in the report. "Until we can pool our data and equip our people and machines with intelligence, we are playing chess with only half the pieces," Schneck said.

Continued : http://www.eweek.com/c/a/Security/Rising-CyberWar-Threat-Forcing-Nations-to-Bolster-Defenses-McAfee-855097/

Also: Report Warns of Woeful Readiness For Cyber Attacks Globally
