Bad BitDefender Antivirus Update Hobbles Windows PCs
A faulty update is being blamed for incapacitating an untold number of Microsoft Windows systems running anti-virus software from BitDefender.
BitDefender says the problem occurred Saturday morning with a faulty update for 64-bit Windows systems that caused multiple Windows and BitDefender files to be quarantined. The bad update causes the anti-virus program to flag thousands of legitimate Windows and BitDefender program files as a threat called "FakeAlert.5".
The Romanian software firm said the glitchy update has been removed and that the company is working on a fix for the problem. BitDefender's user forum has lit up with complaints from customers, and the company appears to be fielding quite a number of inquiries on the problem via its Twitter page.
"We are creating a patch that will restore all quarantined files," the company said in a statement on its site. "The patch will be available shortly. We apologize for this error and we will work to prevent this from occurring again in the future."
BitDefender has posted partial recovery instructions for users who are having trouble booting up Windows after this bad update, although several apparent users commenting on the company's Twitter feed indicated they were still unable to boot after following the instructions.
Continued here: http://www.krebsonsecurity.com/2010/03/bad-bitdefender-antivirus-update-hobbles-windows-pcs/
Also see post titled: BitDefender Update Cripples Windows Computers
Google releases web security scanner
Google has released an open source scanner that allows web application developers to test their applications for security holes. The application, called Skipfish, offers a similar functionality to that of tools such as Nmap or Nessus, but it's said to be much faster. Using fully automated heuristics, it detects code that is vulnerable to cross-site scripting attacks (XSS), SQL and XML injection attacks and many other attack types. The tool's comprehensive post-processing of the individual test results is designed to help with the interpretation of the final report.
Skipfish is a pure C implementation and, according to Google, can easily process 2,000 HTTP requests per second, provided the tested server can handle such a high load. In individual tests across local networks, 7,000+ requests per second have reportedly been sent with a modest CPU load and memory footprint.
Continued here: http://www.h-online.com/security/news/item/Google-releases-web-security-scanner-960081.html
Malicious Medical Ads Flood Users' Inboxes
From the TrendLabs Malware Blog:
TrendLabs observed an increase in malicious medical advertisements spammed to users' e-mail inboxes. Two of the samples our engineers obtained looked legitimate, even had professional-looking graphics (see Figures 1 and 2). Another was just the normal, everyday, plain-text spam (see Figure 3). [...] [...] [...] [...]
The spammed messages enticed recipients to purchase the medicines the scammers were selling. These lured recipients with supposed huge discounts, ranging from 70-80% off of all products. The messages also sported links that when clicked redirected users to a spoofed online store that sold male organ-enhancing pills.
More recently, a spam run that uses a new feature was discovered. Instead of asking recipients to click an embedded link or an image, it asked them to open the .JPG file attachment (an image of Viagra and Cialis) along with the line, "DO NOT CLICK, JUST ENTER (a particular URL) IN YOUR BROWSER." The spammed messages also contained a series of salad words to avoid being filtered (see Figure 4).
Continued here: http://blog.trendmicro.com/malicious-medical-ads-flood-users%E2%80%99-inboxes/
Screenshots of the latest Twitter phishing attack
From the F-Secure Weblog:
Today there's a phishing run underway in Twitter, using Direct Messages ("DMs"). These are private one-to-one Tweets inside Twitter.
The messages look like these: [...]
If you follow the link, you end up at a fake Twitter page: [...]
If you mistakenly give out your credentials, the attackers will start sending similar Direct Messages to your contacts, posing as you.
The ultimate goal of the attackers is to gain access to a large number of valid Twitter accounts, then use these accounts to post Tweets with URLs pointing to malicious websites which will take over users' computers when clicked.
Let's have a closer look at the domain mhansenhome.org.
The front page seems to be an active Myspace phishing page. Nice.
Continued here: http://www.f-secure.com/weblog/archives/00001911.html
Vodafone Spain admits 3,000 smartphones shipped w/ Mariposa
"Pre-pwned snafu not so isolated after all"
Vodafone Spain has accepted that 3,000 customers were potentially exposed to malware after Mariposa botnet agents strayed onto the HTC Magic smartphone.
The admission to Spanish media on Thursday follows a meeting between the mobile phone giant's Iberian arm and representatives from Panda Security.
The infection of microSD cards for the HTC Magic with the Mariposa information-stealing client and other strains of malware was first reported after Vodafone Spain supplied a malware-infected Android phone to a Panda worker earlier this month. Earlier this week a second infection was reported, involving an HTC Magic phone supplied by Vodafone to a security consultant at S21Sec.
Continued here: http://www.theregister.co.uk/2010/03/19/voda_spain_mariposa_latest/
Follow up from: (Again) Vodafone Spain supplies pre-Mariposa'd smartphone
Norton ranks riskiest cities for cybercrime
You may want to start keeping a closer eye on where you click if you live in Seattle.
Among 50 U.S. cities studied for their vulnerability to cybercrime, Seattle came out on top as the riskiest place, followed by Boston, Washington, D.C., and San Francisco, according to the report "Norton's Top 10 Riskiest Online Cities," released Monday.
In an effort to study and rank the nation's riskiest cities for cybercrime, Symantec partnered with research firm Sperling's BestPlaces. The two companies used their own internal research and also checked out key facts and figures on each city, including the number of malware attacks, the number of spam zombies, the number of infected computers, the levels of Internet access, and the number of Wi-Fi hotspots.
Symantec then rated each city using different categories, such as risky online behavior (defined as buying items online and accessing financial information) and the number of cybercrimes per capita. [...]
Continued here: http://news.cnet.com/8301-1009_3-10469979-83.html
Icelandic Volcano Erupts, Fake Antivirus Spews Forth
Yesterday there was a volcanic eruption in Iceland, near the Eyjafjallajoekull glacier, that has led the Icelandic authorities to declare a state of emergency in southern Iceland. People living nearby have been evacuated in case of glacial melt water flooding and the airspace near the now active volcano is effectively closed off. As you have probably already guessed, any event which commands a high level of public interest will be pounced on quickly by the makers of fake antivirus software in order to make a quick buck. This incident is no exception.
Web searches for subjects relating to this eruption, such as "Iceland Volcanic Eruption" or "Iceland Volcano", will return results that may include dozens of hacked Web sites. It is not that difficult to spot the hacked sites with the fake antivirus redirection in the search results. Generally you should look for a pattern like this:
[LEGITIMATE DOMAIN]/[RANDOM STRING].php?[RANDOM PARAMETERS]
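As an added example (not code from the Symantec post), here is a small Python filter that applies the pattern above to a constructed list of search-result URLs. The "random string" test is my own heuristic (few vowels or several digits in a single .php path segment, plus a non-empty query string); the thresholds are assumptions, not anything the post specifies.

```python
import re
from urllib.parse import urlparse

# Path segment made only of lowercase letters/digits, at least 5 characters.
RANDOM_NAME = re.compile(r"^[a-z0-9]{5,}$")


def looks_random(token: str) -> bool:
    """Rough test for a machine-generated name (assumed thresholds)."""
    if not RANDOM_NAME.match(token):
        return False
    vowels = sum(ch in "aeiou" for ch in token)
    digits = sum(ch.isdigit() for ch in token)
    # Ordinary English words are roughly a third vowels; random strings rarely are.
    return vowels / len(token) < 0.25 or digits >= 2


def flag_search_result(url: str) -> bool:
    """True if the URL matches [DOMAIN]/[RANDOM STRING].php?[PARAMETERS]."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    segments = parts.path.strip("/").split("/")
    # Exactly one path segment, and it must be a .php page.
    if len(segments) != 1 or not segments[0].lower().endswith(".php"):
        return False
    name = segments[0][:-4].lower()  # strip ".php"
    # Random-looking script name AND a query string must both be present.
    return looks_random(name) and bool(parts.query)


def scan_results(urls):
    """Return the subset of URLs that match the redirect pattern."""
    return [u for u in urls if flag_search_result(u)]


# Constructed sample search results (not real sites).
SAMPLE_RESULTS = [
    "http://news.example.com/2010/03/iceland-volcano.html",
    "http://forum.example.org/index.php?topic=eruption",
    "http://gardening.example.net/vqzxkt.php?tq=xzpk",
    "http://recipes.example.com/a7f93k.php?s=1",
    "http://recipes.example.com/a7f93k.php",
]

if __name__ == "__main__":
    for hit in scan_results(SAMPLE_RESULTS):
        print("suspicious:", hit)
```

Only the two URLs with a single random-looking .php segment and a query string are flagged; the ordinary news article, the index.php forum page and the .php page without parameters pass through.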
Continued here: http://www.symantec.com/connect/blogs/icelandic-volcano-erupts-fake-antivirus-spews-forth
No, you've not received a postcard from a family member
From Graham Cluley's Blog:
Over the weekend there has been a new wave of attacks spammed out, spreading a version of the Bredo Trojan horse via malicious emails.
The emails claim to be an ecard from a family member, but opening the attachment can infect your computer with the Troj/Bredo-BS Trojan horse. [...]
A typical email has the following characteristics:
Subject: You've received a postcard
Attached file: postcard.zip
Your family member has sent you an ecard
If you wish to keep the ecard longer, you may save it on your computer or take a print.
To view your ecard, open zip attached file.
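The characteristics listed above can be turned into a mail-gateway check. The following is an added example, not code from Graham Cluley's post: it builds a constructed message with the same subject, attachment name and lure text, parses it with Python's standard email library, and reports which indicators are present. The indicator strings come from the post; the two-indicator threshold is my assumption.

```python
import email
from email.message import EmailMessage
from email.policy import default

# Indicators taken from the post describing the Bredo e-card spam.
SUBJECT_LURES = ("you've received a postcard",)
BODY_LURES = ("sent you an ecard", "open zip attached file")
ATTACHMENT_LURES = ("postcard.zip",)


def ecard_lure_indicators(raw: bytes) -> list:
    """Return the indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=default)
    hits = []
    subject = (msg["Subject"] or "").lower()
    if any(lure in subject for lure in SUBJECT_LURES):
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    hits.extend("body:" + p for p in BODY_LURES if p in body)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENT_LURES:
            hits.append("attachment:" + name)
        elif name.endswith(".zip"):
            hits.append("attachment:zip")  # generic archive lure
    return hits


def is_ecard_lure(raw: bytes, threshold: int = 2) -> bool:
    """Assumed rule: two or more indicators mark the message as a lure."""
    return len(ecard_lure_indicators(raw)) >= threshold


def build_sample(lure: bool = True) -> bytes:
    """Constructed message reproducing the post's characteristics."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    if lure:
        msg["Subject"] = "You've received a postcard"
        msg.set_content("Your family member has sent you an ecard\n"
                        "If you wish to keep the ecard longer, you may save it\n"
                        "on your computer or take a print.\n"
                        "To view your ecard, open zip attached file.\n")
        # Placeholder bytes, not a real archive and not malware.
        msg.add_attachment(b"PK placeholder", maintype="application",
                           subtype="zip", filename="postcard.zip")
    else:
        msg["Subject"] = "Lunch tomorrow?"
        msg.set_content("Are you free at noon?\n")
    return msg.as_bytes()
```

Run against the constructed lure the function reports the subject, both body phrases and the postcard.zip attachment; the benign message yields no indicators.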
This is clearly an old tactic to trick people into infecting their computers, but the reason why it's so familiar is that it really does work.
Continued here: http://www.sophos.com/blogs/gc/g/2010/03/22/received-postcard-family-member/
Russia arrests WorldPay hackers after FBI plea
"Feared FSB nabs three men"
Three men accused of being involved in an audacious attack on US ATM machines in 2008 have been arrested by the feared Russian Security Service (FSB) in an event that is being interpreted as marking a sea change in Russian policy towards cybercrime.
The Financial Times reports that the FSB arrested the alleged Russian mastermind of the attack, Viktor Pleshchuk, and two alleged accomplices, Sergei Tsurikov and Oleg Covelin, all believed by the FBI to be involved in the high-profile $9 million (
Faking a fake
From the Sunbelt Blog:
We're all familiar with Rogue Antivirus products - but it seems script kiddies on numerous sites out there are starting to crank out their own phony security programs, many of which are confusingly based on the designs of - if you'll pardon the expression - "genuine" fake AV programs.
Shall we take a look at their handiwork? [...]
Note the shields, the yellow warning triangles, the fake scan results - these guys have clearly seen a lot of fake AV out in the wild! Unfortunately for the creator, it's a little too OTT and might give the end-user pause for thought if they had to physically click something before becoming infected.
This next one (designed to be entirely harmless, instead asking the user to voluntarily download a malicious file from a URL) almost gets away with being convincing, but ruins it all by including what appears to be a poorly ripped Rapidshare download button: [...]
Continued here: http://sunbeltblog.blogspot.com/2010/03/faking-fake.html
Pushu Variant Spams Hotmail, Cracks Audio Captchas
From the Webroot Threat Blog:
A new version of Trojan-Pushu is doing some interesting stuff to bypass captchas used by Microsoft's Hotmail/Live.com/MSN webmail services in order to spam people with links to malicious Yahoo Groups pages.
The three-year-old spy (known by a variety of other aliases, including Cutwail, Pushdo, Diehard, and Rabbit) has always been, primarily, a spam bot. In this case, however, the spy is not sending spam by connecting to open mail relays or more traditional means; it's spamming through the Hotmail/Live.com Web mail interface. Most interestingly, during the course of the spam sessions, the spy apparently pulls down "audio captchas" and successfully sends back the correct response, which permits it to continue spamming.
Audio captchas are just what they sound like they are: a voice, often female, reads a sequence of 10 numbers in an artificially noisy background. The purpose is simple: to ensure that a human being, and not some automated process, is entering data into a form. Just as you would type in the scrambled-up letters from a captcha image to proceed, with an audio captcha you have to type the correct numbers from the recording, or the site won't let you continue.
Continued here: http://blog.webroot.com/2010/03/22/pushu-variant-spams-hotmail-cracks-audio-captchas/
Opera 10.51 addresses vulnerabilities
Opera has announced the release of version 10.51 of its web browser for Windows-based systems, closing two "highly severe" security holes. The security and stability update addresses a previously reported vulnerability caused by an incorrectly set value in HTTP headers. This could allow attackers to provoke a buffer overflow, allowing them to execute arbitrary code on a vulnerable system. A disclosure of information issue that could allow XSLT (XSL Transformations) to be used to retrieve the contents of unrelated documents has also been fixed. Other changes include stability improvements and bug fixes.
All users are advised to upgrade to the latest release as soon as possible. The developers note that they are currently working on "bringing the Mac and Unix versions to product quality".
More details about the Windows-only release can be found in the change log. Opera 10.51 is available to download from the Opera web site. Alternatively, users with Opera 10.50 or older can use the built-in update function.
Continued here: http://www.h-online.com/security/news/item/Opera-10-51-addresses-vulnerabilities-960656.html
Google Shuts Down Its Chinese Search Service
The company is redirecting users to its uncensored Hong Kong site, after failing to reach an agreement with the Chinese government.
Google has announced that it will no longer offer a censored Chinese-language search service. Instead, the company plans to redirect users from Google.cn to its Hong Kong service, Google.com.hk, which offers uncensored Chinese-language results.
A statement from the company reads:
We want as many people in the world as possible to have access to our services, including users in mainland China, yet the Chinese government has been crystal clear throughout our discussions that self-censorship is a non-negotiable legal requirement. We believe this new approach of providing uncensored search in simplified Chinese from Google.com.hk is a sensible solution to the challenges we've faced--it's entirely legal and will meaningfully increase access to information for people in China. We very much hope that the Chinese government respects our decision, though we are well aware that it could at any time block access to our services.
Google also says it will maintain a Web page tracking the availability of its services within China.
Continued here: http://www.technologyreview.com/blog/editors/24958/
From the Official Google Blog: A new approach to China: an update
Phishers cast their nets at Neopets Users
From the Sunbelt Blog:
If you have children that play Neopets, you might want to warn them about this website or insert it into a blocklist of your choosing. The site is Neopoints(dot)tk, and promises lots of free Neopoints related items, with the help of a cute mascot called "Tuma the Draik". I think there was a Norwegian prog rock group from the 70s called that, but I could be wrong. [...]
Of particular note here is the fact the site claims to offer "free magic paintbrushes". These items are incredibly rare in Neopets land, and an excited child could easily wander into this particular trap as a result. [...]
Continued here: http://sunbeltblog.blogspot.com/2010/03/phishers-cast-their-nets-at-neopets.html
Another FakeAV, for Windows 7!
With Windows 7 becoming increasingly popular, more and more software companies have begun to upgrade their interface for the latest Microsoft operating system. Manufacturers seem to understand the need for a beautiful user interface for their products. However, not all software behaves as well as it looks.
Today, I saw a Fake Antivirus program with a newer, more jazzed up interface, which we detect as Troj/FakeAle-RK. [...]
This malware specifically targets users of Windows 7 and appears in the form of a pop-up dialogue box, which attempts to tell you that your Windows 7 PC has many serious threats. When a user clicks "Remove all Threats immediately", another pop-up will be generated asking them to download a file called win_protection_update.exe.
This file is malicious and is yet another Fake Antivirus program, which we proactively detect as Mal/FakeAV-AA. [...]
Continued here: http://www.sophos.com/blogs/sophoslabs/?p=9178
Start-up seeks to transform antivirus defense through cloud
"Immunet founded by former Symantec executive "
Although some like to say "antivirus is dead" because of the explosion in malware that makes signature-based desktop protection harder than ever, start-up Immunet wants to bring new life to antivirus scanning through cloud computing.
Founded by CEO Oliver Friedrichs, former director of emerging technologies at Symantec, Immunet is developing what Friedrichs calls "the next-generation antivirus product" that's based on a cloud-styled antivirus platform that will work with a fairly lightweight desktop agent to block and destroy malware. "Our goal is to re-invent the antivirus space."
"With the cloud-based antivirus platform, there's no downloading," Friedrichs says. The Windows-based desktop agent, about 4MB, "queries the Immunet cloud. All our knowledge base is in the cloud, and it can grow indefinitely. It also lets us remediate false positives immediately. We operate like a standard A/V product except we're a tenth of the usual size."
Continued here: http://www.networkworld.com/news/2010/032210-immunet-antivirus-cloud.html