Spyware, Viruses, & Security forum

General discussion

NEWS - July 05, 2010

by Donna Buenaventura / July 4, 2010 5:40 PM PDT
Reports: iTunes accounts, App Store hacked

Various blogs are reporting that it appears some iTunes customer accounts have been hacked and that funds from those accounts may have been used to purchase apps in the iTunes App Store.

Earlier Sunday, Engadget reported an inexplicable uptick in sales of book apps by a developer identified as Thuat Nguyen. According to the blog, at the time of writing its report, Nguyen apps accounted for 42 of the top 50 books by revenue in the Books section of the iTunes App Store. Engadget went on to mention "a number of people reporting up to hundreds of dollars being spent unwillingly from their [iTunes] account to these specific books."

Blog TNW Apple reported that the phenomenon appeared to extend beyond apps by one developer, and that it seemed to be international in scope. It also ran excerpts from several posts to the MacRumors: Forums Web site.

Report: Google fixes cross-site scripting flaw
by Donna Buenaventura / July 4, 2010 5:44 PM PDT
In reply to: NEWS - July 05, 2010
that led to YouTube hack

According to reports, Google has fixed the cross-site scripting vulnerability which the hackers used on Sunday morning to swathe YouTube videos with off-color pop-ups as well as redirects to adult sites.

Going by an IDG News Service report, the vulnerability enabled them to insert code onto the viewer-comments pages of the popular video-sharing site. With the hackers largely focusing on video clips related to the teen pop icon Justin Bieber, it was the singer's fans that first spotted the site's hack.

Citing the information forwarded by a Google representative, IDG reported that the exploits by the hackers disallowed access to Google accounts of YouTube visitors who had come upon a hacked page. The representative also said that, as a safety measure, visitors should log out of their Google accounts and then log in again.

Further, IDG also quoted a source who revealed that though the hack itself did not involve malware, the landing pages to which visitors were redirected might possibly be malware-ridden. The source also added that most antivirus software would possibly be a sufficient safeguard against the malware.


Yesterday's news on the above in http://forums.cnet.com/5208-6132_102-0.html?messageID=3333619#3333619
KOOBFACE Spreading via Facebook DMs Again
by Donna Buenaventura / July 4, 2010 5:49 PM PDT
In reply to: NEWS - July 05, 2010

The infamous KOOBFACE botnet is sending direct messages (DMs) on Facebook. If this sounds familiar, it should be, as this tactic was previously discussed here in the Malware Blog back in March.

The hook is somewhat similar to a ZBOT attack also spotted in March. That attack claimed that someone posted pictures of the user; this one uses a video instead. The text and link in the message are:

Someobdy uplaod a vdieo wtih you on utbue. you shuold see.

http: // www. facebook.com /l/ae2d7CYBUtLFPs-LAKPMtRXKpBA;www.{BLOCKED}rotherz.ca./19mai/?

As is frequently the case in these kinds of attack, the English used in the message is comically bad. The URL, however, is somewhat disguised: the first domain name the user sees belongs to Facebook. This is because the link does legitimately go to Facebook first. Any URL with the format http: // www. facebook.com/l/{random character};{redirected URL} brings up the Facebook preview page for external links. Apparently, cybercriminals are betting that users will ignore the warnings and proceed to their site anyway.

TrendLabs Malware Blog
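
The link format described in the post above can be unwrapped so that a message filter judges the real destination instead of the Facebook host shown first. This is an added example, not code from the original post or from TrendLabs; the function names and the `example.test` sample hosts are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

FACEBOOK_SUFFIX = "facebook.com"


def unwrap_facebook_link(url):
    """Return (visible_host, destination_host) for a /l/{token};{target} link.

    Returns None when the URL does not have that shape or is not on Facebook.
    """
    # Tolerate defanged text such as "http: // www. facebook.com /l/..."
    outer = urlsplit(url.replace(" ", ""))
    visible = (outer.hostname or "").rstrip(".")
    if visible != FACEBOOK_SUFFIX and not visible.endswith("." + FACEBOOK_SUFFIX):
        return None  # a lookalike such as facebook.com.example.test fails here
    if not outer.path.startswith("/l/") or ";" not in outer.path:
        return None
    _token, target = outer.path[len("/l/"):].split(";", 1)
    if outer.query:
        target += "?" + outer.query
    target = unquote(target)
    if "://" not in target:
        target = "http://" + target  # the sample in the post omits the scheme
    # A trailing dot ("example.test.") names the same host, so strip it
    dest = (urlsplit(target).hostname or "").rstrip(".")
    return (visible, dest) if dest else None


def leaves_facebook(url):
    """True when the link shows a Facebook host first but ends up elsewhere."""
    hosts = unwrap_facebook_link(url)
    if hosts is None:
        return False
    dest = hosts[1]
    return dest != FACEBOOK_SUFFIX and not dest.endswith("." + FACEBOOK_SUFFIX)
```
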

Microsoft offers Win 7 and Office 2010 via download stores
by Donna Buenaventura / July 4, 2010 6:22 PM PDT
In reply to: NEWS - July 05, 2010
Microsoft offers Windows 7 and Office 2010 via download stores

PC Advisor this week becomes the first UK technology website to host and sell downloads of Microsoft Windows 7 and Office 2010. The IDG-published magazine's PC Advisor Software Shop (http://shop.pcadvisor.co.uk) is one of only a handful of partners selected by the software giant to be the first ever UK ESD (electronic software delivery) vendors of Microsoft products.

This is the first time that Microsoft has allowed third parties to sell downloads of its products in the UK, and follows just weeks after the company's first ever trials of ESD in France and Germany.

PC Advisor has available for download a range of Microsoft products on its Software Shop, including upgrades and full versions of all flavours of Windows 7 and Microsoft Office 2010.

ESD is the practice of delivering software without the use of physical media, typically by downloading via the internet. Digital distribution bypasses conventional physical distribution media, such as paper or DVDs, reducing costs and waste. As broadband connections have become more widespread software downloads have become an increasingly popular method of purchasing programs.

Traditionally Microsoft has sold the majority of its operating system software via OEM (original equipment manufacturer) deals. Manufacturers would buy Windows licences from Microsoft and pass the cost of the OS on to customers when they buy desktop PCs and laptops.

Similarly, Office licences have typically been sold in large chunks to enterprises.

Response Source
Google closes vulnerabilities in Chrome 5
by Carol~ Forum moderator / July 4, 2010 11:36 PM PDT
In reply to: NEWS - July 05, 2010

Google has released version 5.0.375.99 of Chrome, a security update that addresses four "high" risk vulnerabilities in its WebKit-based browser. According to the developers, all four of the high risk issues could lead to memory corruption caused by either invalid PNG files or SVGs, issues in the Bidirectional algorithm or problems in CSS style rendering. The stable channel update also addresses one medium risk vulnerability related to sandboxed iframes and three low risk issues.

As part of its Chromium Security Reward programme, launched earlier this year, Google has been rewarding those reporting security vulnerabilities. Reported by Team 509 and the Oulu University Secure Programming Group (OUSPG), the discoverers of each of the four high risk vulnerabilities closed in the latest stable update were rewarded with $500 or $1,000. In special cases, a committee can decide to increase the amount to a maximum of $1,337, but the maximum is only awarded for vulnerabilities which are particularly critical, or for particularly clever reports on vulnerabilities and their exploitation.

Continued (with additional details) here: http://www.h-online.com/security/news/item/Google-closes-vulnerabilities-in-Chrome-5-1032881.html

See Vulnerabilities & Fixes: Google Chrome Multiple Vulnerabilities

Google's China license problem remains unresolved
by Carol~ Forum moderator / July 5, 2010 3:17 AM PDT
In reply to: NEWS - July 05, 2010

After five days of waiting, Google is still in the dark about whether the company's operating license in China will be renewed.

As of Monday morning, Beijing time, the search engine giant had yet to hear back from the Chinese government regarding the license, said Jessica Powell, a Google spokeswoman.

The license, which is issued by the Chinese authorities, is necessary for Google to continue operating its China-based Web site, Google.cn. But tensions between the company and Chinese officials have put the license's renewal in doubt.

In March, Google decided to stop censoring the results to its Google.cn search engine by shutting the site down. All Internet traffic from the site was then redirected to Google's uncensored Hong Kong search engine. The move quickly angered Chinese officials, who demanded that the company comply with Chinese laws that require companies to censor search results.

Continued here: http://www.macworld.com/article/152500/2010/07/google_china.html

Spammers hacked pool
by Carol~ Forum moderator / July 5, 2010 3:17 AM PDT
In reply to: NEWS - July 05, 2010

From the Kaspersky Lab Weblog:

In recent spam mails we have often noticed links to *.html files with random names. Another trend is that the cybercriminals do not even bother to register domains for their dirty deeds, but simply plant their malicious code on compromised hosts. "Simply?" one may ask, and sadly the answer seems to be "yes" based on our observations.

For example, we have collected some hundred mails of a certain type promoting online software shops - a small portion is shown in the animated gif image below. [See gif image ]

All of the samples stick out by virtue of the fact that they contain colored text/links which point to compromised legitimate websites. The links also show that the locations of the files are directly on the root URLs and not in a subfolder of some vulnerable application as we usually see.

Continued here: http://www.securelist.com/en/blog/2220/Spammers_hacked_pool

Twitter Kit Out to Make Twitter a Spammers' Dream
by Carol~ Forum moderator / July 5, 2010 3:17 AM PDT
In reply to: NEWS - July 05, 2010

Cybercriminals leveraging social media is now basically a given, especially with users' current dedication to social media (specifically on social networks). Actually, we've reported quite a few instances that prove how cybercriminals used Twitter for their operation, most especially in spamming.

Twitter is, of course, fully aware of this. Twitter users have probably even noticed some of the Web page limitations designed to hamper spammers' efforts. One of the recent developments being the implementation of Twitter's Link Service.

But the cybercriminals are definitely not willing to go down without a fight.

A tool kit that can be used to send Twitter spam is currently being promoted in underground forums. The kit, aptly named "Twitter Kit," has interesting functions, which include sending messages to thousands of followers using socks5 proxy. The said functionality is especially useful in search engine optimization (SEO) projects. The tool also enables the user to search through other users' followers and to send Follow invites to them as well as to break account limits set by Twitter. [Screenshot of the post that advertises the Twitter Kit]

Continued at the TrendLabs Malware Blog: http://blog.trendmicro.com/twitter-kit-out-to-make-twitter-a-spammers'-dream/

Never Texting Again: Facebook rogue app spreading quickly
by Carol~ Forum moderator / July 5, 2010 5:15 AM PDT
In reply to: NEWS - July 05, 2010

From Graham Cluley's Blog at Sophos:

Over 170,000 people have in the last few days clicked on a link that is spreading virally across Facebook, claiming to point to a video of someone who died after sending a text message on their cellphone.

The links are being posted on innocent Facebook users' walls by a rogue application. A typical message posted by the rogue application reads:

I am shocked!!! I'm NEVER texting AGAIN since I found this out. Video here: http: // bit. ly/a37TaB - Worldwide scandal!

If you do make the mistake of clicking on the link then you are taken to the rogue Facebook application: [ screenshot ] [ screenshot ]

The problem is that even though Facebook is warning users that they are giving the "I will never text again after seeing this" application permission to post to their wall (as well as access their personal information) many people still go ahead and press "allow".

Why should you ever have to grant an application such permissions in order to watch a video?

Sigh.. Sometimes you just feel like you're hitting your head against a brick wall..

Sure enough - with the permission granted, the application begins to spread its links virally via your Facebook profile:

Continued here: http://www.sophos.com/blogs/gc/g/2010/07/05/texting-facebook-rogue-app-spreading-quickly/

Microsoft Office 2010 Security Flaw Reportedly Found
by Donna Buenaventura / July 5, 2010 10:14 AM PDT
In reply to: NEWS - July 05, 2010

Researchers at Vupen Security say they have uncovered a security vulnerability in Microsoft Office 2010. However, their discovery has been met with criticism from Microsoft, which complains that it has not received technical details of the bug.

A report of a security flaw in Microsoft Office 2010 has been greeted with criticism by Microsoft because researchers chose not to notify the company of their findings.

Researchers at Vupen Security said they discovered a memory corruption flaw that could be used by an attacker to execute code. The company June 22 said it "created a code execution exploit which works with Office 2010 and bypasses DEP (Data Execution Prevention) and Office File Validation features."

The bug, Vupen CEO Chaouki Bekrar told eWEEK, is caused by a heap corruption error when processing malformed data within an Excel document.

While technical details of the bug have not been disclosed by Vupen, the company said, "our [government] customers who are members of the Vupen Threat Protection Program have access to the full binary analysis of the vulnerability" as well as detection guidance. What the company has not done, however, is give the vulnerability details to Microsoft.

"Microsoft is aware of a claimed vulnerability but does not have the details to validate the claim," Jerry Bryant, group manager of response communications at Microsoft, said in a statement. "To minimize risk to computer users, Microsoft continues to encourage responsible disclosure. Reporting vulnerabilities directly to vendors helps ensure that customers receive comprehensive, high-quality updates before cyber-criminals learn of, and work to exploit, a vulnerability."

"Vupen did not and will not publicly disclose any technical details regarding these vulnerabilities," he wrote. "We used [them] to alert the affected vendors and governments or law enforcement agencies who are members of the Vupen Threat Protection Program to allow them protect national infrastructures from potential attacks.

"We did not provide the details of the Office 2010 vulnerability to Microsoft as discovering and researching that vulnerability was a very long process (many weeks) and an important investment for Vupen, so ... to just get our names in the credit section of a Microsoft advisory as a compensation for our work is not enough."


Malware visits Scroogle.org
by Donna Buenaventura / July 5, 2010 11:09 AM PDT
In reply to: NEWS - July 05, 2010

Since June 24, 2010, www.scroogle.org has been visited by malware. This has nothing to do with Google itself, as none of these visits were passed to Google. This malware continues despite the shutdown of Scroogle, and our blocking continues because we would like to identify the source. After 11 days of this, we have blocks in place for 20,000 unique IPs from all over the world. This page is a summary of what we know about how this malware behaves.

It might be nearly impossible to identify the source of this malware. Our best guess is that a fairly popular website is infected by malware, and visitors to that site trigger the fetch to Scroogle from their own computer. We suspect that nothing is displayed at all, because we tried showing an alert page for a day, and then tried redirecting to a SWF file that played a sound for a day. Now we just redirect to a one-pixel GIF.

We don't think it is viral, and the visitor to the malware site might even have a clean computer. We are continuing to block as soon as we see this coming into Scroogle. At most, any particular IP address gets in only two quick hits before our nbbw.cgi program is able to place the block. However, even before we fine-tuned our blocking, we noticed that multiple hits from the same IP were the exception rather than the rule.

The malware is easy to detect. The URL that comes in to Scroogle always looks like this:

http:// www. scroogle.org /cgi-bin/nbbw.cgi?Gw=

The user-agent always looks like this:

Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)


They published an update on their article:
Update 2010-07-04: One theory about what's happening
Update 2010-07-05: Curiouser and curiouser
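
The two indicators quoted in the post above (the request URL and the user-agent) can be applied to a web server access log as follows. This is an added example, not Scroogle's own blocking code; the Apache "combined" log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Indicators quoted in the post above.
BAD_TARGET_PREFIX = "/cgi-bin/nbbw.cgi?Gw="
BAD_USER_AGENT = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
# Constructed browser user-agent, used only for the contrasting sample line.
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:1.9.2) Gecko/20100401 Firefox/3.6.3"

# Assumption: Apache "combined" access-log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def sample_line(ip, target, ua):
    """Build one constructed log line (documentation-range IPs only)."""
    return (f'{ip} - - [05/Jul/2010:10:00:00 +0000] "GET {target} HTTP/1.1" '
            f'302 0 "-" "{ua}"')


SAMPLE_LOG = [
    sample_line("192.0.2.10", "/cgi-bin/nbbw.cgi?Gw=", BAD_USER_AGENT),
    sample_line("192.0.2.10", "/cgi-bin/nbbw.cgi?Gw=", BAD_USER_AGENT),
    sample_line("198.51.100.7", "/cgi-bin/nbbw.cgi?Gw=privacy", BROWSER_UA),
    sample_line("203.0.113.5", "/index.html", BAD_USER_AGENT),
    sample_line("203.0.113.99", "/cgi-bin/nbbw.cgi?Gw=", BAD_USER_AGENT),
    "truncated line with no quoted request",
]


def flag_hits(lines):
    """Count hits per source IP that match BOTH the URL and the user-agent."""
    hits = Counter()
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        # Requiring both avoids flagging other clients that merely share the
        # user-agent string, or ordinary visitors who use the same CGI path.
        if m["target"].startswith(BAD_TARGET_PREFIX) and m["ua"] == BAD_USER_AGENT:
            hits[m["ip"]] += 1
    return hits


def repeat_sources(hits):
    """IPs seen more than once; the post calls these the exception."""
    return sorted(ip for ip, n in hits.items() if n > 1)
```
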

Article Alley compromised
by Donna Buenaventura / July 5, 2010 11:19 AM PDT
In reply to: NEWS - July 05, 2010

Websense Security Labs ThreatSeeker Network has detected that Articlealley.com has been compromised and injected with obfuscated code.

Article Alley is a free article directory that aims to help authors promote and syndicate their content. It allows authors and promoters to get their articles out on the Web with the potential of being read by millions of readers. This site was compromised from the root domain, and as a result all subsequent sub-pages were infected by the attack.

The attack is targeting the Microsoft Help and Support Center 0-day vulnerability CVE-2010-1885, which you can get more details of here.

At the time of publishing this blog, the site has been cleaned and the malicious code removed.

