HolidayBuyer's Guide

Spyware, Viruses, & Security forum

General discussion

NEWS - June 23, 2010

by Donna Buenaventura / June 22, 2010 7:15 PM PDT
Researcher 'Fingerprints' The Bad Guys Behind The Malware

Black Hat USA researcher will demonstrate how to find clues to help ID actual attackers, plans to release free fingerprinting tool

Malware writers actually leave behind a telling trail of clues that can help identify their native tongue, their geographic location, their ties to other attacks -- and, in some cases, lead law enforcement to their true identities. A researcher at Black Hat USA next month plans to give away a homemade tool that helps organizations glean this type of intelligence about the actual attacker behind the malware.

Greg Hoglund, founder and CEO of HBGary, for several months has been studying malware from the infamous Operation Aurora attack that hit Google, Adobe, Intel, and others, as well as from GhostNet; in both cases, he discovered key characteristics about the attackers themselves. Hoglund says the key is to gather and correlate all of the characteristic "markers" in the malware that can, in turn, be traced to a specific malware writer.

While anti-malware firms focus on the malware and malware kits and give them names, Hoglund says that model is all wrong. "That whole model is completely broken," he says. "Instead of tracking kits, we need to start tracking the attacker as a threat group. I want to take the fight back to the attacker."

Among his findings on GhostNet, an attack used to spy on Chinese dissidents, for example, was a common compression method for the video stream that was unique to those attacks. And in Operation Aurora, he found Chinese-language ties, registry keys, IP addresses, suspicious runtime behavior, and other anomalies that tied Aurora to the developer.
Discussion is locked
You are posting a reply to: NEWS - June 23, 2010
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: NEWS - June 23, 2010
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Apple leaves iPad vulnerable after monster iPhone patch job
by Donna Buenaventura / June 22, 2010 7:18 PM PDT
In reply to: NEWS - June 23, 2010

Monday's iOS 4 patches record 65 bugs; iPad won't get fixes until the fall

As part of Monday's iOS 4 upgrade, Apple patched a record 65 vulnerabilities in the iPhone, more than half of them critical.

Apple released iOS 4 for the iPhone 3G and 3GS, and the second- and third-generation iPod Touch on Monday shortly after 1 p.m. ET, 10 a.m. PT.

However, the first-generation iPhone and iPod Touch, as well as the much newer iPad , may be vulnerable to some or all of the 65 bugs. iOS 4, which launched yesterday, cannot be installed on 2007's iPhone and iPod Touch, and the upgrade is not slated to reach iPad owners until this fall.

The bug count is a record for Apple's iPhone, surpassing the previous high mark of 46 vulnerabilities patched last summer with iPhone OS 3.0.

Collapse -
Google Voice Available for Every US Citizen
by Donna Buenaventura / June 22, 2010 7:29 PM PDT
In reply to: NEWS - June 23, 2010

As Google has removed the need for an invitation in order to use Google Voice on Tuesday, its telephony management solution has become open to everyone, meaning every US resident. There are already over one million people with Google Voice accounts, and their number is going to grow every day.

Google Voice offers a service that can be really useful: it offers a single telephone number that, when called, forwards the call to a number of other phone numbers such as the user?s home, office and cell phone as well as offers voice mail services with message transcription. Besides these services, Google Voice offers free calls to the US and Canada, low international rates, web-based voice mail inbox and the capability to make conference calls. The services offered by Google Voice can be used either with the free phone number offered by Google or with the users? existing telephone numbers.

RPT-Frontier Communications sues to block Google Voice

Frontier Communications Corp (FTR.N) is suing to stop Google Inc (GOOG.O) from offering a service that gives users one phone number connecting their home, work and cell phones because it infringes a patent, according to a lawsuit filed on Tuesday.

Frontier, which provides phone, Internet access and satellite TV, also asked a federal court to award it damages for the infringement by the Google Voice service.

"Google's deliberate infringement of the (Frontier patent) has greatly and irreparably damaged Frontier," said the complaint, which was filed in the U.S. District Court for the District of Delaware.

Users of Google Voice can request a new phone number from the Internet company. That number is assigned to the user, not any particular device. When someone calls it, the user can decide where that calls rings, such as on a cell phone or home phone.

Collapse -
Microsoft launches MSN health application
by Donna Buenaventura / June 22, 2010 7:35 PM PDT
In reply to: NEWS - June 23, 2010

Keeping MSN relevant and saving the NHS money, maybe

Microsoft has announced the availability of its brand new "health and wellness" HealthVault cloud platform in the UK.

HealthVault is an MSN-hosted store for users to enter their data directly and to use applications or widgets developed by charity Nuffield Health.

The announcement is full of well-meaning yadda yadda like putting "HealthVault put users in charge of their own health data" and "the security features built into HealthVault mean that users can take control over who can access and use their data".

UK users are in control of their own health data now, apart from their NHS records, and there's no way to get those into HealthVault, so Microsoft isn't offering anything new in that department.

HealthVault is a way for Microsoft to get its claws into consumers and have them use MSN as a place to store health records. But there isn't much of that available outside the NHS and private medical services, so it's presented as a way for consumers with families to record, monitor and manage the family members' health, while MSN serves them ads.

Collapse -
Lenovo Support Page Compromise Leads to BREDOLAB
by Carol~ Forum moderator / June 23, 2010 7:00 AM PDT
In reply to: NEWS - June 23, 2010

From TrendLabs Malware Blog:

Chinese PC manufacturer Lenovo is the latest high-profile company to be compromised. Sometime over the past weekend, its support pages, which allowed users to download drivers and manuals, were compromised with the addition of a malicious iframe.

The website in this malicious iframe led to the download of a BREDOLAB variant detected as TROJ_BREDOLAB.BY. This malware family is well-known for being a downloader of other malware onto affected systems, particularly ZBOT and FAKEAV variants.

BREDOLAB first gained prominence in late 2009 when the number of reported infections significantly grew. Upon investigation (PDF) by senior advanced threats researcher David Sancho, it was found that BREDOLAB was a new malware family similar to earlier PUSHDO variants.

Continued here:

Collapse -
The joys of file sharing: malware sharing
by Carol~ Forum moderator / June 23, 2010 7:00 AM PDT
In reply to: NEWS - June 23, 2010

From the Sunbelt Blog:

MyWebSearch, the old familiar toolbar, is still around

The team came across these yesterday on a file-sharing network in a file ?Power DVD 8 Cracked.rar.?

It installs, without proper notice, MyWebSearch, FLV Direct Player and other garbage. Adam Thomas found a similar surreptitious install of FLV in April ? clearly that was part of an affiliate program scheme in which someone was getting paid each time FLV got installed.

See Sunbelt Blog: ?Bot installs adware along with video player ?

The MyWebSearch Toolbar is a customizable Internet Explorer search toolbar which installs other tools, including pop-up blockers, screensavers, and cursors. Searches entered into the toolbar search field are directed to MyWebSearch has been around for five years.

Continued here:

Collapse -
Comodo says VeriSign?s SSL processes vulnerable to attack
by Carol~ Forum moderator / June 23, 2010 7:01 AM PDT
In reply to: NEWS - June 23, 2010

Comodo issued a press release yesterday that said they?ve alerted VeriSign to a security vulnerability that exposes a significant security concern for VeriSign?s customers. What they found is open to debate when it comes to risk level. Also, the method of disclosure raises some eyebrows.

Comodo managed to locate the certificate request page for a single VeriSign customer who is indeed a major financial institution. What the certificate request page does is act as a place where someone inside the financial institution goes to ask their certificate administrator for a new certificate. From there, the administrator will need to approve or deny the request, and select the type of certificate to issue.

The reason this portal exists in the first place is business convenience. Administrators can control the certificate environment, they can watch certificate expiration dates, assign certificates to various jobs, manage bulk purchases, as well as access several backend tools VeriSign offers to Enterprise customers who operate in scale.

Comodo was able to discover this site, which is hosted by VeriSign, due to a missing robots.txt file. VeriSign has since fixed the issue, but takes all the blame for not having the proper file in place. The discovery leads one to wonder why Comodo was searching for items related to VeriSign in the first place. When asked, VeriSign said they don?t have a similar practice for their competitors.

Continued here:

Prior Reference: ?Who?s your Verisign?? ? Malware faking digital signatures

Collapse -
Android apps: Shifty little bleeders
by Carol~ Forum moderator / June 23, 2010 7:01 AM PDT
In reply to: NEWS - June 23, 2010

"Bit malwarey here and there"

A fifth of Android applications aren't playing fair, according to SMobile Systems which reckons that mobile application marketplaces are rife with malware.

SMobile ran though more than 48,000 applications on the Android Marketplace (about three quarters of the whole marketplace) collecting details of the permissions the applications requested ? Android applications have to list resources required ? and SMobile bases is analysis (pdf) on those requests.

The more perceptive reader will have noticed a flaw in such an analysis ? it might be true that 20 per cent of Marketplace applications request access to personal information, but if those applications are social-networking-integration apps then they're going to need access to that data.

Continued here:

Collapse -
Shakira's World Cup song used to push FLVPro.exe
by Carol~ Forum moderator / June 23, 2010 7:01 AM PDT
In reply to: NEWS - June 23, 2010

It seems the last week or so has been a fun time to promote not only the World Cup, but also various bits of software you might not want on your PC. Here?s a collection of Shakira uploads on Youtube, all related to her ?Waka Waka? song created for the World Cup:
[See 3 Screenshots]

As you can see, there?s everything from the official video to ripped copies of her performing live. There are many more of these videos floating around Youtube, but all of them point to flvpro(dot)com and ask you to download "free movies and TV shows" with the aid of their "direct downloader".

What happens when you try to download the executable from that site?

Continued here:

Prior "song-related" reference: Waka Waka FIFA 2010: Targeted PDF attack uses World Cup theme

Collapse -
Cybercrime forum suspects arrested by British police
by Carol~ Forum moderator / June 23, 2010 10:11 AM PDT
In reply to: NEWS - June 23, 2010

Britain's Police Central e-crime Unit (PCeU) have announced today that they have arrested two men as part of an eight month investigation into what is said to be the world's largest English-speaking online cybercrime forum.

The underground website consisted of online forums where up to 8000 malicious hackers traded stolen bank account details, PIN details, phished passwords, offered to rent out botnets for the purposes of distributed denial-of-service (DDoS) attacks, and openly sold data stolen by the insidious Zbot (also known as Zeus) family of malware.

For instance, we've seen criminals rent out access to botnets of 10,000 compromised PCs to launch DDoS attacks for $200 per day.

The two men, aged 17 and 18, were arrested by appointment at a central London police station and currently remain in custody.

Continued here:

Popular Forums
Computer Newbies 10,686 discussions
Computer Help 54,365 discussions
Laptops 21,181 discussions
Networking & Wireless 16,313 discussions
Phones 17,137 discussions
Security 31,287 discussions
TVs & Home Theaters 22,101 discussions
Windows 7 8,164 discussions
Windows 10 2,657 discussions


Cameras that make great holiday gifts

Let them start the new year with a step up in photo and video quality from a phone.