Spyware, Viruses, & Security forum

General discussion

NEWS - July 08, 2010

by Carol~ Moderator / July 7, 2010 8:18 PM PDT
No Sign Of Attacks Exploiting Latest Windows Zero-Day, Microsoft Says

"Unpatched buffer overflow bug in Windows 2000 and XP revealed along with Vista, Windows 2008 flaws"

Microsoft says it's still investigating claims of a zero-day bug in Windows 2000 and XP published earlier this week by Secunia. So far, the software giant says it hasn't seen any sign of attacks exploiting the reported bug.

The software giant referred to the disclosed flaw as "the claimed vulnerability," but left the door open for issuing a patch or workaround for it. "Microsoft is investigating new public claims of a possible vulnerability in Windows 2000 and Windows XP. We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact. Once we're done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-band update or additional guidance to help customers protect themselves," said Jerry Bryant, group manager, response communications for Microsoft in a statement today.

Continued here: http://www.darkreading.com/vulnerability_management/security/client/showArticle.jhtml?articleID=225702616
Discussion is locked
You are posting a reply to: NEWS - July 08, 2010
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: NEWS - July 08, 2010
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Free antivirus software dominates security market
by Carol~ Moderator / July 7, 2010 8:25 PM PDT
In reply to: NEWS - July 08, 2010

"Avast Free Antivirus, Avira AntiVir and AVG lead over paid antivirus software"

High brand visibility from large security vendors doesn't necessarily mean that their products dominate the market, according to a new study of security software.

The study was released Wednesday by Opswat, whose primary product, Oesis, is a development toolkit used to manage third-party security applications.

Opswat's study focused on what kind of endpoint security software users employed, primarily in English-speaking markets.

Opswat gathered the data from Windows users running AppRemover, an application designed to completely uninstall security applications, and Am I Oesis OK?, which can detect whether security applications are compatible with other third-party applications. Both are free tools and have "hundreds of thousands" of deployments, according to Opswat.

Continued here: http://news.techworld.com/security/3229807/free-antivirus-software-dominates-security-market/

Opswat Study: OPSWAT Issues Groundbreaking Report on Worldwide Antivirus Application Market Share

Collapse -
Pirate Bay Hack Exposes User Booty
by Carol~ Moderator / July 7, 2010 9:16 PM PDT
In reply to: NEWS - July 08, 2010

Security weaknesses in the hugely popular file-sharing Web site thepiratebay.org have exposed the user names, e-mail and Internet addresses of more than 4 million Pirate Bay users, according to information obtained by KrebsOnSecurity.com.

An Argentinian hacker named Ch Russo said he and two of his associates discovered multiple SQL injection vulnerabilities that let them into the user database for the site. Armed with this access, the hackers had the ability to create, delete, modify or view all user information, including the number and name of file trackers or torrents uploaded by users.

Russo maintains that at no time did he or his associates alter or delete information in The Pirate Bay database. But he acknowledges that they did briefly consider how much this access and information would be worth to anti-piracy companies employed by entertainment industry lobbying groups like the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA), each of which has assiduously sought to sink The Pirate Bay on grounds that the network facilitates copyright infringement.

Continued here: http://krebsonsecurity.com/2010/07/pirate-bay-hack-exposes-user-booty/

Collapse -
Skype's encryption procedure partly exposed
by Carol~ Moderator / July 7, 2010 11:05 PM PDT
In reply to: NEWS - July 08, 2010

Developer Sean O'Neill, famous in cryptographic circles for designing the EnRUPT hash algorithm, has released an open source Skype library that emulates the modified version of the RC4 encryption algorithm used by Skype. Skype chose to modify key generation for the stream cipher to make its product incompatible with other IM clients and ensure that it remained a closed system. However, initial analysis suggests that O'Neill's publication does not mean that Skype's encryption can be considered 'cracked'. Further study will be needed to determine whether key expansion and initialisation vector generation are secure.

Because Skype has not released details of its encryption procedures, for years researchers have been trying and failing to reverse engineer the company's encryption. What is clear is that Skype uses a variety of encryption procedures. AES-256 is used to communicate with Skype's login server, SMS/event server and search servers. Supernodes and clients use the modified version of RC4 for the actual communication.

Continued here: http://www.h-online.com/security/news/item/Skype-s-encryption-procedure-partly-exposed-1034577.html

Collapse -
GAO slams White House for failing to lead on cybersecurity
by Carol~ Moderator / July 7, 2010 11:05 PM PDT
In reply to: NEWS - July 08, 2010

"Lack of a cybersecurity R&D agenda puts nation at risk, report says"

The White House Office of Science and Technology Policy has so far failed to live up to its responsibility to coordinate a national cybersecurity R&D agenda, the Government Accountability Office (GAO) said in a report released this week.

As a result, the U.S risks falling behind other countries on cybersecurity matters, and being unable to adequately protect its interests in cyberspace, the 36-page report (PDF document) warned.

The GAO report was prepared at the behest of the House Committee on Homeland Security, and called on the OSTP to show more leadership in pulling together a focused and prioritized short, medium- and long-term R&D strategy for cybersecurity.

The report noted that the White House's National Strategy to Secure Cyberspace from 2003 tasks the OSTP with coordinating the development of such a strategy and for updating it on an annual basis.

Continued here: http://www.computerworld.com/s/article/9178959/GAO_slams_White_House_for_failing_to_lead_on_cybersecurity

Collapse -
Mozilla Releases Firefox 4 Beta
by Carol~ Moderator / July 7, 2010 11:05 PM PDT
In reply to: NEWS - July 08, 2010

The Mozilla Foundation has released an early beta of the upcoming version 4 of Firefox, its flagship cross-platform browser for Windows, OS X, and Linux.

The long-awaited release introduces a number of improvements and additions over previous versions of Firefox. Firefox 3 came out two years ago, while version 3.5 of the Web browser debuted in 2009.

HTML 5 and CSS 3, the standards that are slated to power next-generation Websites, are clearly at the forefront of Mozilla's development efforts. Firefox 4 includes extended support for many of the new features that those two technologies introduce, including the Websocket API, which enables Web-based applications to access servers using arbitrary protocols like, for example, the one used by e-mail clients.

Most interestingly, Mozilla has chosen to support HTML 5 video playback by implementing Google's WebM video codec, which, like Firefox, is open-source and (at least in theory) unencumbered by patents. The non-profit has made it clear in the past that it has no intention of supporting H.264, a competing format backed by companies like Apple and Microsoft and currently licensed under a royalty-free scheme by the MPEG-LA Consortium.

Continued here: http://www.pcworld.com/businesscenter/article/200622/mozilla_releases_firefox_4_beta.html

Collapse -
Symbian malware creating mobile botnet
by Carol~ Moderator / July 7, 2010 11:59 PM PDT
In reply to: NEWS - July 08, 2010

Mobile security firm NetQin claims to have found malware spreading via Symbian Series 60 handsets which is being used to build a mobile botnet.

The company has identified three piece of malware masquerading as mobile games or special offers, which infect versions three and five of the Series 60 Symbian platform.

NetQin estimates that 100,000 handsets have been infected and could be used to form a mobile botnet similar to those seen in the PC world.

"Our team found that these botnets do one of two things: send messages to all the contacts of the address book directly; or send messages to random phone numbers by connecting to a server," said the company in a blog post.

"The viruses will delete the sent messages from the user's outbox and SMS log. All messages contain URLs linked to malicious sites that users won't be able to see until after they've fallen into the virus trap."

Continued here: http://www.v3.co.uk/v3/news/2266108/symbian-malware-creating-mobile

Collapse -
Beware 'Your log 05.07.2010' emails - they carry malware
by Carol~ Moderator / July 7, 2010 11:59 PM PDT
In reply to: NEWS - July 08, 2010

Malicious hackers are spamming out emails around the world disguised as a changelog, with the intention of infecting recipient's Windows computers with the attachment. [ Screenshot ]

A typical email reads as follows, although there can be minor variations in the message body:

Subject: Your log 05.07.2010

Message body:
Dear Customers,
as promised your changelog is attached,

Attached file: Changelog_05_07_2010.zip

The emails, by the way, are always signed off by the first name of the person who is mentioned in the message's from: field. That field is, of course, forged - it's not really that person who sent you the email so don't blame them if you get infected!

Clearly the attachment's filename has been chosen to make the email seem more timely, and the hackers are banking on users who receive the message being inquisitive enough to open the file to see what it is regarding. Once again, that would be a bad decision - don't forget that curiousity killed the cat.

Continued here: http://www.sophos.com/blogs/gc/g/2010/07/08/beware-your-log-05072010-emails-carry-malware/

Collapse -
Scammers hack into senator's Yahoo account
by Carol~ Moderator / July 7, 2010 11:59 PM PDT
In reply to: NEWS - July 08, 2010

Bob Dvorsky, a Democrat senator for the state of Iowa, is the latest public figure to have had his email system broken into by cybercriminals.

The politician would probably not have realised that his Yahoo account had been broken into unless they had sent a scam email to his friends and online contacts.

The fraudulent email claimed that Senator Dvorsky was stranded in Scotland, and needed to be wired money in order to return to his home.

Subject: Emergency please

Hope you get this on time, sorry I didn't inform you about my trip in Scotland for a Program, I'm presently in Edinburgh and am having some difficulties here because i misplaced my wallet on my way to the hotel where my money and other valuable things were kept. presently i have limited access to internet, I will like you to assist me with a loan of 10,000 Pounds to sort-out my hotel bills and to get myself back home.

i have spoken to the embassy here but they are not responding to the matter effectively, I will appreciate whatever you can afford to assist me with, I'll Refund the money back to you as soon as i return, let me know if you can be of any help. I don?t have a phone where i can be reached.

Please let me know immediately.

Regards. Sen. Bob Dvorsky.

Of course, the reality was that anyone who wired money would in fact be putting cash in the pockets of the hackers.

Continued here: http://www.sophos.com/blogs/gc/g/2010/07/08/scammers-hack-senators-email-account/

Collapse -
The Rocky Road to IPv6
by Donna Buenaventura / July 8, 2010 12:01 AM PDT
In reply to: NEWS - July 08, 2010

The Internet is slowly but surely running out of IPv4 addresses. The day the last one is used, though, won't be the day that the growth of the Internet tragically grinds to a halt. A new system is waiting in the wings: IPv6. The transition, however, may be rather complex. There will be new costs, as well as compatibility issues.

The Internet as we know it is apparently running out of space. No, this does not mean that existing websites will not be able to add more content. But sometime in the next few years the space for new IP addresses -- the kind normally used up to this point, anyway -- will be nearly depleted, according to IPv6.net.

The ubiquitous growth of mobile devices and never-ending tide of malware and other browser exploits are hogging all the allocated space. So are the mega address blocks that large corporations swept up over the last decade, explained Michael Sutton, vice president for security research at Zscaler.

Despite his agreement that the industry is running out of IP address space, his company's researchers recently issued a report stating that ample space remains -- if better usage is applied.


Collapse -
Security experts urge caution on Frash
by Donna Buenaventura / July 8, 2010 12:31 AM PDT
In reply to: NEWS - July 08, 2010

Jail-broken phones could be exposed to malicious third-party apps, warns Fortify

Security experts have renewed warnings to iPhone users thinking about jail-breaking their handset's operating system to run unauthorised software, as it will increase the risk of downloading malicious applications in the future.

The warnings come after Apple jail-break developer Comex revealed earlier this week that its Frash offering can allow Flash content to run on the iPad.

A description next to a YouTube clip showing Frash in action reads: "Frash can run most Flash programs natively in the MobileSafari browser. It currently only runs on the iPad, but support for other devices (3GS+ only due to technical restrictions) is planned, as well as support for iOS 4."

However, software assurance firm Fortify Software has warned users against jail-breaking their iPhones because it allows the devices to run third-party apps which have not been sanctioned or security vetted by Apple, and could therefore be infected with malware.


Collapse -
New Phishing Attack Guised as Fake PDF Reader Update
by Donna Buenaventura / July 8, 2010 12:36 AM PDT
In reply to: NEWS - July 08, 2010

On the June 18, MessageLabs Intelligence spotted a new malicious email attack, using PDFs as a hook. A little different to the usual PDF related e-mails, this doesn?t attempt to exploit vulnerabilities in the PDF format, or attempt to get the victim to download malware masquerading as a new PDF reader. Instead, this one is after credit card details.

The email tells you that there is a new version of their PDF reader available, and gives a bit of a sales pitch for this new software.

Clicking on the link takes the recipient to a professional-looking page made to advertise the fictitious software.

Clicking on the download link takes the victim to a different site altogether, which asks for some personal details. The URL claims to be a secure signup, though it uses no encryption whatsoever. The section to the left explains that once a member, the recipient is entitled to "free" software.


Collapse -
Three more Microsoft zero-day bugs pop up
by Donna Buenaventura / July 8, 2010 12:52 AM PDT
In reply to: NEWS - July 08, 2010
Hit with reports of additional unpatched vulnerabilities in Windows, IE and IIS

Microsoft faces a rash of zero-day vulnerabilities in some of its most important software, according to recent disclosures of unpatched bugs, including flaws in Windows XP, Internet Explorer and its flagship Web server.

Along with the unveiling of a vulnerability by a group of disgruntled security researchers who have dubbed themselves the Microsoft-Spurned Researcher Collective (MSRC), Microsoft has been served notice of at least three other flaws in the last few weeks.

Last Thursday, researcher Soroush Dalili published information about a vulnerability in Internet Information Services (IIS) , Microsoft's Web server software. According to Dalili, who works as an information security analyst in the gambling and casino industry, authentication in older editions of IIS can be bypassed, giving attackers a leg up in any assault on a companies Web server.

The bug can be exploited in IIS 5.1, but not the newer IIS 6, IIS 7 or IIS 7.5, said Dalili.

Microsoft said it was investigating the vulnerability, but as it did Tuesday when it commented on the Microsoft-Spurned Researcher Collective-issued bug report, the company downplayed the threat. "IIS is not installed by default and users must change the default configuration in order to be vulnerable," said Jerry Bryant, a group manager with the Microsoft Security Response Center, in an e-mail today.

Collapse -
Establishing expectations for AV vendors
by Donna Buenaventura / July 8, 2010 1:09 AM PDT
In reply to: NEWS - July 08, 2010

At StopBadware, we're currently revising our guidelines for badware applications. The goal of these guidelines is to distinguish between applications that are badware (defined as "software that fundamentally disregards a user's choice about how his or her computer or network connection is used") and those that aren't. One major reason for distinguishing badware from non-badware applications is to help people make informed choices before installing software that may compromise their privacy or security.

It is in this context that we ask a question that has been troubling us: if a "legitimate" anti-virus or security product has to send data about your computer use (e.g., your web search or browsing history) back to the vendor's servers to protect you as promised, how clearly should that data usage be disclosed?

Historically, we have thought of surreptitious collection of this type of data as a badware behavior. But what if the data isn't really being collected or used in any nefarious way, and the transmission of the data is necessary to make the product work as intended?

Consider a product like McAfee SiteAdvisor, a free browser plug-in that informs you of the safety of websites as you visit them or while browsing through search results. SiteAdvisor has to query a McAfee server with the URL (or the hash of the URL) of every site you visit or find during a search. This means that, if McAfee wanted to (or if a rogue employee gained access), a profile of your browsing history could be compiled and tied back to your IP address. Yet this is never disclosed in any visible way prior to or during installation. In fact, it's not even in the Privacy Policy. (It could be considered covered by a vague provision in the EULA about the collection of personal information from your computer necessary to the function of McAfee's security products.)

This is not unique to SiteAdvisor. Many AV products now query a centralized database about URLs and/or executables to ensure users are protected. In our experience, most of these products fail to disclose this potential threat to a user's privacy in any meaningful way.

So, back to the question. Is this a badware behavior, one that in this case is being perpetuated by several well-respected software companies?


Collapse -
Avira AntiVir triggers false alarms in GWT-generated JavaScr
by Donna Buenaventura / July 8, 2010 1:22 AM PDT
In reply to: NEWS - July 08, 2010

The sorry state of Avira anti-virus heuristics, part II

The current Protoreto version (0.3.1) uses the Google Web Toolkit (GWT) version 1.7.1 to export prototypes as AJAX web applications. For 0.3.2, we'd like to upgrade to GWT 2.0.3 which has many advantages (e.g. better platform independence). We have it all up and running in our development version, and finally the web export feature works fine on Linux computers.

As you may know, the GWT compiler generates JavaScript code. Lots and lots of JavaScript code. About 2 MB for some prototypes. Unfortunately, the Avira AntiVir virus scanner often triggers false alarms on one of the generated script files, reporting detection of the "HTML/Crypted.Gen trojan". My co-developer Jenny has reported this issue to Avira about two months ago [1] and submitted a sample script file. They acknowledged the mistake and promised a fix for the next engine update. Unfortunately, the problem is not solved at all. The current version of Avira AntiVir Personal (engine V8.02.04.10, 2010-07-02; virus definition file V7.10.09.17, 2010-07-07) still triggers false alarms [2]. We can submit script files to the Avira labs, but they only whitelist them instead of fixing their heuristics. Of course, whitelisting is of no use for us because the files are dynamically generated.

In March 2010, Matt Mastracci (the developer of a Chrome extension developed with GWT) experienced similar false alarms. His report is well worth a read. He tracked the problem down by systematically deleting parts of his script code until he found a minimal, obviously harmless example that was detected as HTML/Crypted.Gen by Avira.

In the meantime, Avira has modified their heuristics so that they no longer report Matt's code as malware. As this seems to have solved Matt's problem, I thought: why not waste some time as well, trying to find out why Avira's heuristics don't like my files? [[..]

And if you're an Avira user, uninstalling AntiVir seems to be a good idea.

More in Protoreto
Discussion is in Avira Forums

Collapse -
Google Image Searches for "Raoul Moat" have been poisoned
by Donna Buenaventura / July 8, 2010 1:27 AM PDT
In reply to: NEWS - July 08, 2010

If you?ve been keeping an eye on the news you?ll probably be aware of a chap called Raoul Moat. If not, all you need to know is that he?s popping up in articles with titles such as ?Timeline of a gun rampage? ? and there are more armed police walking around than you can shake a very large stick at.

They still haven?t found him, mind, but let's move on to the security angle in all of this.

It seems our favourite friends the Blackhat SEO Poison Brigade are out in force, utterly trashing the Image Search results and filling them up with dubious links.

At time of writing, ALL of the image searches from the top line of Google Image Search will redirect you to serveradobe(dot)co(dot)cc. As you?ve probably guessed from the name, you?ll get a fake Flash ?install this? prompt from the website in question, followed by an attempted download of a file called V11_adobe_flash.exe

Sunbelt Blog

Collapse -
?The chase is better than the catch?, perhaps not always
by Carol~ Moderator / July 8, 2010 2:28 AM PDT
In reply to: NEWS - July 08, 2010

AntiVirus users may not be aware just how much effort malware authors put into their creations.

The main aims from that side of the fence are to design malware that:
- will avoid any existing detections when first released
- must be easy to update, so that detections too specific can be avoided with new releases

The global strategy of these gangs consists of trying to make a single piece of malware last for as long as possible, making few changes on each update, in order to maximize their ROI.

For us the challange lies in identifying the base building blocks, that are not going to be changed, and thus provide a proper generic detection.

This week I stumbled upon a couple of Fake AV samples, from which you can clearly see the ?update as less as possible? scheme in action.

Continued at the SophosLab Blog: http://www.sophos.com/blogs/sophoslabs/?p=10461

Collapse -
S.Korea attacked by reactivated computer virus
by Donna Buenaventura / July 8, 2010 4:00 AM PDT
In reply to: NEWS - July 08, 2010

South Korean government and private websites have come under cyber-attack a year after a major attack briefly crippled sites domestically and in the United States, officials said Thursday.

Five websites including those of the presidential Blue House and the foreign ministry were attacked Wednesday but little damage was done, the Korea Communications Commission (KCC) said.

On July 7, 2009, the so-called distributed denial-of-service (DDoS) attacks shut down 25 Internet sites for hours -- 11 in South Korea and 14 in the United States.

"The DDos attacks resumed exactly a year later as some contaminated PCs were left untreated," the KCC said in a statement.


Popular Forums
Computer Newbies 10,686 discussions
Computer Help 54,365 discussions
Laptops 21,181 discussions
Networking & Wireless 16,313 discussions
Phones 17,137 discussions
Security 31,287 discussions
TVs & Home Theaters 22,101 discussions
Windows 7 8,164 discussions
Windows 10 2,657 discussions


Help, my PC with Windows 10 won't shut down properly

Since upgrading to Windows 10 my computer won't shut down properly. I use the menu button shutdown and the screen goes blank, but the system does not fully shut down. The only way to get it to shut down is to hold the physical power button down till it shuts down. Any suggestions?