NEWS - June 01, 2011

Researcher Creates Database of 35 Million Identifiable Google Profiles

A Dutch researcher has discovered that he could convert most of the data within Google Profiles into a single SQL statement and expose, among other data, the usernames and Gmail addresses of some 35,000,000 people.

The researcher, Matthijs R. Koot explained in a blogpost that there is an xml file known inside and outside of Google which points to more than 7000 sitemap-NNN(N).txt containing 5000 hyperlinks to Google profiles, with some 35,000,000 links in all. Koot spent roughly a month assembling this information into a database, and claims that in that time Google neither throttled, blocked, CAPTHCAd, or otherwise made his mass-downloading experience difficult in any way.

Koot claims that Google Profiles gives users the choice of using their username in their Google Profile URL, but warns that doing so could make an individual's email address publicly accessible. The 35,000,000 profiles he assembled are those which chose to use their usernames to make a Google Profile URL easier to find and remember.

Continued :

35 million Google profiles were *already* exposed on the internet
Entire Google Profile database acquired by a user
Discussion is locked
Reply to: NEWS - June 01, 2011
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: NEWS - June 01, 2011
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
- Collapse -
Apple ships removal tool for Mac-menacing malware

Apple has updated its Mac operating system to protect against a malicious application that has been hoodwinked untold numbers of users by masquerading as legitimate security software that warns they have serious infections on their machines.

Apple issued Security Update 2011-003 on Tuesday to update Mac OS X to detect for MacDefender, one of several trojans that gets installed through an elaborate ruse that's become almost a rite of passage for owners of machines running Microsoft Windows. Those behind the scareware hook their victims by presenting them with web images that depict an antivirus scan taking place on their machines. The images falsely claim users have serious malware infections and urge them to download and install the antivirus package. Those who fall for the scam are then infected.

A ZDNet blogger recently counted 200 separate discussion threads on in which users complained of infections that caused their Macs to behave erratically. Apple had instructed members of its support team to withhold any confirmation that a customer's Mac has been infected with malware or to assist in removing malicious programs, the blogger, Ed Bott, had said.

Continued :

Apple Adds Daily Malware Updates to OS X
New Apple antivirus signatures bypassed within hours by malware authors [Update]
Apple's MacDefender patch checks for new variants daily

- Collapse -
Mac trojan evades Apple's brand new security fix

Just hours after Apple updated a security update to protect Mac users against a rash of scareware attacks, a new variant began circulating that completely bypasses the malware-blocking measure.

The trojan arrives in a file called mdinstall.pkg and installs MacGuard, a malicious application that masquerades as security software the user needs to clean a Mac of some nasty infections said to be discovered during a recent hard drive scan. As reported repeatedly during recent days, a series of clever social engineering attacks on Google, Facebook and elsewhere have been besieging Mac users and tricking a fair percentage of them into installing the rogue antivirus packages.

On Tuesday, Apple updated OS X to detect MacDefender and its variants before users can install it, in what many are regarding as an admission by Cupertino that Mac fans, like users of Windows, need help keeping their machines free of malware. Underscoring that point, the purveyors of the Mac trojans responded, less than eight hours later, with the release of the latest MacGuard variant.

Continued :

- Collapse -
Old Trojan Tricks on Android

We recently did an analysis on a trojan, AdSMS, that's been spreading for the last week or so and thought it might make an interesting contrast to the rash of trojanized Android apps that we've been seeing lately.

AdSMS is distributed via a malicious link in a spammed SMS message. The malware appears to be targeted to Android users in mainland China, as the SMS is faked up to look like it's from a major Chinese telecom network and the download link deliberately spoofs a domain name associated with the network.

AdSMS is promoted as an "update for a security vulnerability". Sounds like a throwback to the old Symbian trojans (e.g. Merogo and MapUp), which used this exact same distribution and social engineering strategy.

If the user clicks the link, the malware is downloaded. These are the permissions the trojan requests: [Screenshot] [Screenshot]

An update that needs to send SMS messages? Hopefully an alert user would notice that and suspect something's amiss.

Once installed, AdSMS doesn't add an icon for itself on the application menu; it just runs silently in the background. Users need to check the Setttings > Applications > Manage Applications menu to see if it's present, under the name "andiord.system.providers":

Continued :

- Collapse -
IMF boss rape video? Mac malware spreads via Facebook links

Mac OS X malware is being spread by sick messages spreading virally across Facebook, claiming to be a video of controversial IMF boss Dominique Strauss-Kahn.

The fake anti-virus attack first appears in your timeline as a message apparently posted by one of your friends. [Screenshot]

oh shit, one more really freaky video O_O

IMF boss Dominique Strauss-Kahn Exclusive Rape Video - Black lady under attack!

IMF chief Dominique Strauss-Kahn rape scandal. Mother of Alleged Rape Victim: Dominique Strauss-Kahn Did Not Want To Be President of France - ABC News

(I have obscured the image used in the message in case it causes offence).

The message's text refers to the news story of IMF chief Dominique Strauss-Kahn who is facing charges in New York over charges that he tried to rape a hotel maid.

Continued :

Related : Facebook Attack Spreading both Windows AND Mac malware

- Collapse -
Microsoft releases free AV software that boots from CD or US

Microsoft has published a beta of its Standalone System Sweeper software, a bootable recovery tool that can be used to identify and remove rootkits, as well as other advanced malware. The bootable anti-virus solution uses the same AV engine as Microsoft Security Essentials (MSE) and supports both 32- and 64-bit installations of Windows.

The Microsoft Standalone System Sweeper application (.exe) downloads approximately 200 MB of data, including the latest virus and spyware definitions, from Microsoft's servers and walks users through creating a LiveCD, LiveDVD or LiveUSB - a blank CD, DVD or USB flash drive with at least 250 MB of space is required.

Alternatively, "advanced" users can opt to create an ISO image for later use, with, for example, a virtual machine. In tests by The H's associates at heise Security, the signatures on the LiveCD that was created were outdated, even though the files has just been downloaded from Microsoft. As such, users are advised to "Check for updates" before running the tool.

Continued :

Also: Free Microsoft Standalone System Sweeper Beta for Widows 7 SP1

- Collapse -
New Malware from the Developers of DroidDream
Update: Security Alert: DroidDreamLight, New Malware from the Developers of DroidDream

From the Lookout Blog:

The Threat:

This weekend, multiple applications available in the official Android Market were found to contain malware that can compromise a significant amount of personal data. Likely created by the same developers who brought DroidDream to market back in March, 26 applications were found to be infected with a stripped down version of DroidDream we're calling "Droid Dream Light" (DDLight). At this point we believe between 30,000 and 120,000 users have been affected by DroidDreamLight.

The Lookout Security Team identified the malware thanks to a tip from a developer who notified us that modified versions of his app and another developer's app were being distributed in the Android Market. Our security team confirmed that there was malicious code grafted into these apps and identified markers associating this code with previously analyzed DroidDream samples. We discovered 24 additional apps repackaged and redistributed with the malicious payload across a total of 5 different developer accounts.

Who is affected?
Apps containing DroidDreamLight have been available for download from the official Android Market. Anyone who has downloaded the apps listed below may be affected. We believe the number of affected devices to be in the range of 30,000 and 120,000 users. If you have downloaded these apps, contact us at and we can assist you in removing them.

Continued :

New DroidDream Variant Found on Android Phones
Wave of Trojans breaks over Android
Android malware activates itself through incoming calls
- Collapse -
Adobe Issues Flash Player 10.3 Pre-Release Fix for IE9 Users
..Experiencing Issues

Adobe has provided an update, as well as a fix, for the hardware acceleration issues affecting some Internet Explorer 9 users running the latest Adobe Flash Player 10.3. The company has released a testing build that fixes the bug, but it needs people to confirm that it works for everyone, before releasing it via the regular channels.

"Thanks to everyone who has provided information on their system and driver versions. This has helped us work on identifying a fix for the SWF rendering issue," Adobe wrote.

"This bug was exposed due to some changes we made to blocklist certain incompatible drivers from using hardware acceleration in Flash Player," it explained the cause of the issues.

Adobe is now providing an Adobe Flash Player build which fixes the issues as far as the company has been able to test. However, it needs more reports from users experiencing problems to confirm that the fix is working.

"We have confirmed this fixes the SWF rendering in the wrong location on the machines where we have reproduced the problem. As there are many configurations and driver combinations that we don't have in our testing lab, your feedback is important to ensure we have a good resolution," Adobe explained.

After Adobe Flash Player 10.3 rolled out, some IE9 users started complaining about strange issues, such as Flash content rendering on the edge of the window rather than where it should have been located on the page.

Adobe acknowledged the problem last week and has been working on a solution. Temporary fixes proposed were turning off hardware acceleration in IE9 and updating the drivers for some Intel video adapters.

The pre-release build that fixes the issue is available from Adobe. It may not work for everyone, so you should look at the other temporary fixes if you still have problems.
- Collapse -
Second Defense Contractor L-3 ?Actively Targeted? With RSA
Second Defense Contractor L-3 'Actively Targeted' With RSA SecurID Hacks

An executive at defense giant L-3 Communications warned employees last month that hackers were targeting the company using inside information on the SecurID keyfob system freshly stolen from an acknowledged breach at RSA Security.

The L-3 attack makes the company the second hacker target linked to the RSA breach - both defense contractors. Reuters reported Friday that Lockheed Martin had suffered an intrusion.

"L-3 Communications has been actively targeted with penetration attacks leveraging the compromised information," read an April 6 e-mail from an executive at L-3's Stratus Group to the group's 5,000 workers, one of whom shared the contents with on condition of anonymity.

It's not clear from the e-mail whether the hackers were successful in their attack, or how L-3 determined SecurID was involved. L-3 spokeswomen Jennifer Barton declined comment last month, except to say: "Protecting our network is a top priority and we have a robust set of protocols in place to ensure sensitive information is safeguarded. We have gotten to the bottom of the issue." Barton declined further comment Tuesday.

Based in New York, L-3 Communications ranks eighth on Washington Technology's 2011 list of the largest federal-government contractors. Among other things the company provides command-and-control, communications, intelligence, surveillance and reconnaissance (C3ISR) technology to the Pentagon and intelligence agencies.

Continued :
- Collapse -
Rustock Botnet Suspect Sought Job at Google

Microsoft has fingered a possible author of the late Rustock spam botnet - a self-described software engineer and mathematician who aspired to one day be hired by Google. Microsoft has apparently allocated significant resources to finding the author, but has not been able to locate him.

Rustock remains dead, but Microsoft is still on the hunt for the Rustock author. In its Second Status Report (PDF) filed last week with a district court in Seattle, Microsoft said it inquired with virtual currency provider Webmoney about the owner of an account used to rent Rustock control servers, and confirmed that the account was affiliated with a man named Vladimir Alexandrovich Shergin. Microsoft also mentioned another suspect, "Cosma2k," possibly named Dmitri A. Sergeev, Artem Sergeev, or Sergey Vladomirovich Sergeev. Microsoft said it is continuing its investigation of these names, to determine whether additional contact information can be identified and to which notice and service can be effected.

To help in the hunt, I hereby offer some details about him.

Microsoft helped to dismantle Rustock in March after a coordinated and well-timed "stun" targeting the spam botnet's infrastructure, which was mainly comprised of servers based in U.S. hosting facilities. Two weeks after that takedown, I tracked down a Web hosting reseller in Eastern Europe who acknowledged renting some of those servers to the apparent Rustock author. That reseller shared the Webmoney account number used to purchase access to the servers, and Russian investigators I spoke with confirmed that the account had been registered by a Russian named Vladimir Shergin. By consulting a leaked database I obtained last year of the top earners for - at the time the world's largest rogue online pharmacy network - I discovered that the same Webmoney account was shared by three of the top ten Spamit affiliates.

Continued :

- Collapse -
AVAST Launches Beta Version of Free Mac Antivirus Product

AVAST Software, the company behind one of the most popular Windows antivirus solutions, has just launched a beta version of its upcoming free antivirus product for Mac OS X.

avast! Free Antivirus for Windows has over 160 million registered users and almost 130 active ones; that's unique installations that have queried the update servers during the past month.

Furthermore, the product is probably the most feature-rich free antivirus for Windows and regularly tops many commercial solutions in independent tests.

All this is good news for Mac users, because the company has tried its best to provide the level of malware protection for Apple's platform.

The upcoming avast! Free Antivirus for Mac is almost a complete rewrite of the company's older Mac paid-for solution.

It features scanning for files, web pages and emails, so it covers all major malware propagation routes.

Continued :

Additional Details @ the Avast forum: NEW PRODUCT - Avast for Mac Beta

- Collapse -
TimeSpentHere rogue app spreads virally on Twitter

Some Twitter users have fallen for yet another rogue application, tricking them into believing that they will discover how many hours they have spent tweeting their little hearts out. [Screenshot]

A typical message reads:

WOW --> I have spent 38.1 hours on Twitter! See how much you have:

If you are curious enough to click on the link, which - of course - you might do, seeing as it will appear as if one of your Twitter friends has posted it, then you will be asked to authorise a third party app's request to access your Twitter account.

The app is called TimeSpentHere, and it can only cause a problem for you if you grant it permission to access your Twitter account. If you do, then it will be able to read your Tweets, post in your name, and even change your profile. I'm sure you can imagine the potential for abuse there.

Continued :

- Collapse -
DNS Filtering Bill Riles Tech Experts, Hacktivists

A bill moving through the U.S. Senate that would grant the government greater power to shutter Web sites that host copyright-infringing content is under fire from security researchers, who say the legislation raises "serious technical and security concerns." Meanwhile, hacktivists protested by attacking the Web site of the industry group that most actively supports the proposal.

Earlier this month, the Senate Judiciary Committee passed the Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act (PDF), a bill offered by committee chairman, Sen. Patrick Leahy (D-Vt.), that would let the Justice Department obtain court orders requiring U.S. Internet service providers to filter customer access to domains found by courts to point to sites that are hosting infringing content. The bill envisions that ISPs would do this by filtering DNS requests for targeted domains. DNS, short for "domain name system," transforms computer-friendly IP addresses (such as into words that are easier for humans to remember. For example, typing "" into a browser brings you to, and vice versa.

But the idea of blocking piracy by asking ISPs to filter DNS requests has touched a nerve with several prominent security experts, who say it would be "minimally effective and would present technical challenges that could frustrate important security initiatives." The comments came in a whitepaper sent to Senate leaders this month by DNS experts Steve Crocker, David Dagon, Dan Kaminsky, Danny McPherson and Paul Vixie. For a brief explanation of why these individuals are worth hearing from on this subject, see the "About the Authors" section at the end of their paper (pdf).

Continued :

Related: Internet Researchers Decry DNS-Filtering Legislation

- Collapse -
McAfee Q1 Threats Report Reveals Surge in Malware & Drop in
McAfee Q1 Threats Report Reveals Surge in Malware and Drop in SPAM

McAfee Press Release:

Symbian and Android the most popular mobile malware environments; Spam dips due to Rustock takedown

June 1, 2011 - McAfee today released the McAfee Threats Report: First Quarter 2011 (pdf). With six million unique samples of recorded malware, Q1 2011 was the most active first quarter in malware history. The report revealed many of the trends that had a significant impact on the threat landscape, such as the takedown of the Rustock botnet, which resulted in spam remaining at its lowest levels since 2007, and confirmed that mobile malware is the new frontier of cybercrime.

"The Q1 Threats Report indicates that it's been a busy start to 2011 for cybercriminals," said Vincent Weafer, senior vice president of McAfee Labs. "Even though this past quarter once again showed that spam has slowed, it doesn't mean that cybercriminals aren't actively pursuing alternate avenues. We're seeing a lot of emerging threats, such as Android malware and new botnets attempting to take over where Rustock left off, that will have a significant impact on the activity we see quarter after quarter."

Busiest Quarter in History for Malware
With more than six million unique malware samples in Q1, this period far exceeds any first quarter in malware history. February 2011 saw the most new malware samples of the quarter, at approximately 2.75 million. Fake anti-virus software had a very active quarter as well, reaching its highest levels in more than a year, totaling 350,000 unique fake-alert samples in March 2011.

Malware Attacks on Android Devices
Malware no longer affects just PCs. As Android devices have grown in popularity, the platform solidified its spot as the second most popular environment for mobile malware behind Symbian OS during the first three months of the year.

- Collapse -
Wireshark updates close security holes

The Wireshark development team has announced the release of versions 1.2.17 and 1.4.7 of its open source, cross-platform network protocol analyser.

According to the developers, these maintenance and security updates address multiple vulnerabilities that could, for example, cause the application to crash "by injecting a series of malformed packets onto the wire or by convincing someone to read a malformed packet trace file". These include issues related to a large/infinite loop in the DICOM dissector in Wireshark 1.4.x, and, in the 1.2.x branch, bugs in the X.509if dissector. A number of bugs in some of the 1.4.x dissectors have also been fixed. All users are advised to update to the latest versions.

Details about these maintenance and security updates, including a full list of changes, can be found in the 1.2.17 and 1.4.7 release notes. Wireshark binaries for Windows and Mac OS X, as well as the source code, are available to download and documentation is provided.

Continued :

See Vulnerabilities & Fixes: Wireshark Multiple Denial of Service Vulnerabilities

- Collapse -
Google: Phishers stole e-mail from U.S. officials, others

"A phishing campaign compromised hundreds of accounts with targeted messages"

Google has disrupted what it believes to be a targeted phishing campaign aimed at stealing e-mail from government officials, contractors and military personnel.

The criminals behind the campaign have broken into hundreds of Gmail accounts belonging to "U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists," among others, Google said in a blog post published Wednesday.

The company believes that the accounts were compromised "likely through phishing" by a cyber campaign run out of Jinan, China. That's the city whose Lanxiang Vocational School was linked in a New York Times report last year to the December 2009 attacks on Google's back-end systems. The targets of the 2009 campaign were human rights activists, and activists were also hit by this recent phishing campaign, Google said.

The phishing campaign was first publicly disclosed by the blog Contagio Malware Dump, which reported in February that government personnel and contractors were being hit with what are known as spear-phishing attacks. These attacks use specially crafted e-mail messages, written to appear like they come from someone known to the victim.

Continued :

Also: Google Disrupts Chinese Spear-Phishing Attack on Senior U.S. Officials

CNET Forums