19 total posts
Spam Site Registrations Flee China for Russia
A crackdown by the Chinese government on anonymous domain name registrations has chased spammers from Chinese registrars (.cn) to those that handle the registration of Russian (.ru) Web site names, new spam figures suggest. Yet, those spammy domains may soon migrate to yet another country, as Russia is set to enforce a policy similar to China's beginning April 1.
In mid-December 2009, the China Internet Network Information Center (CNNIC) announced that it was instituting steps to make it much harder to register a Web site anonymously in China, by barring individuals from registering domains ending in .cn. Under the new policy, those who want to register a new .cn domain name need to hand in written application forms, complete with a business license and an identity card.
Chinese authorities called the move a crackdown on phishing and pornographic Web sites, but human rights and privacy groups marked it as yet another effort by Chinese leaders to maintain tight control over their corner of the Internet. Nevertheless, the policy clearly caught the attention of the world's most profligate spammers, who spam experts say could always count on Chinese registrars as a cheap and reliable place to buy domains for Web sites that would later be advertised in junk e-mail.
Continued here: http://www.krebsonsecurity.com/2010/03/spam-site-registrations-flee-china-for-russia/
Technical paper: SEO poisoning attacks
From SophosLabs Blog:
Regular readers will have seen numerous recent SophosLabs blogs describing how attackers are poisoning search engine results in order to hit victims with malware [1,2,3,4]. In recent months, these types of Search Engine Optimisation (SEO) attacks have become a route through which fake anti-virus malware is being distributed.
One thing common to the attacks is that the SEO pages are hosted within legitimate sites. This makes it harder for the search engines to identify the rogue pages, and exclude them from search results. It also lets the SEO pages piggyback on the reputation of that host site, which may help boost the search engine ranking. As an example, the map below shows the global distribution of sites that SophosLabs have seen over the last week which are (unknowingly) hosting one specific SEO attack. [...]
As you can see, in this case the problem is not limited to a single hosting provider. Sites hosted by numerous hosting providers have been compromised, and are being used to host the SEO pages that lure victims to malware.
Continued here: http://www.sophos.com/blogs/sophoslabs/?p=9264
Mozilla updates Thunderbird, SeaMonkey and older FF browsers
Mozilla has announced the release of updates for its Thunderbird email client, the SeaMonkey "all-in-one internet application suite" and older versions of its Firefox web browser. In addition to the usual bug fixes, all of the updates address several security vulnerabilities, many of them rated as critical.
Less than two years after its initial release, Mozilla has issued version 3.0.19 of Firefox, the last security and stability update to the 3.0.x branch. Mozilla had originally planned to discontinue support for Firefox 3.0 in January of this year, however, delays in releasing Firefox 3.6 extended its life for a few more months. On top of stability improvements, Firefox 3.0.19 fixes several security issues found in previous versions of the end-of-life legacy browser. Details of the security updates in version 3.0.19, however, have yet to be posted to Mozilla's Security Center site.
Alongside version 3.0.19, the Mozilla developers also announced the release of Firefox 3.5.9. The update corrects a total of eight vulnerabilities, five of them rated by Mozilla as critical. These include a privilege escalation, dangling pointer vulnerabilities and a memory corruption issue that could lead to the execution of arbitrary code on a user's system. The Firefox 3.5.x branch will continue to receive security and stability updates until August 2010, although the developers strongly encourage users to upgrade to the latest Firefox 3.6 release.
Continued here: http://www.h-online.com/security/news/item/Mozilla-updates-Thunderbird-SeaMonkey-and-older-Firefox-browsers-968158.html
Additional Information in Vulnerabilities & Fixes Thread:
Mozilla SeaMonkey Multiple Vulnerabilities
Mozilla Thunderbird Multiple Vulnerabilities
Mozilla Firefox Multiple Vulnerabilities
Mozilla Firefox Multiple Vulnerabilities (2)
Google frets over Vietnam hacktivist botnet
Hackers used malware to establish a botnet in Vietnam as part of an apparently politically motivated attack with loose ties to the Operation Aurora attacks that hit Google and many other blue chip firms late last year, according to new research from McAfee and Google.
Unknown miscreants used malware disguised as Vietnamese language support software to create a botnet. The malware masqueraded as a VPSKeys keyboard driver software and was discovered in computers inside a subset of the organisations hit by Aurora. Infected systems were controlled by command and control systems accessed predominantly from IP addresses inside Vietnam.
Continued here: http://www.theregister.co.uk/2010/03/31/vietnam_botnet/
At the Google Online Security Blog: The Chilling Effects of Malware
Facebook bug exposes private emails
"Addresses were visible for up to 30 minutes"
Facebook has been hit by another privacy scandal after an apparent technical glitch led to the site disclosing the private email addresses of its users.
The privacy mishap, which according to reports lasted for half an hour yesterday, was discussed by angry users on Twitter.
"Last night during Facebook's regular code push, a bug caused hidden email addresses to be visible briefly," said a Facebook spokesman.
Although Facebook maintained that the bug was noticed and corrected within minutes, this was not quick enough for some eagle-eyed users, who warned others via Twitter.
"Everyone's email addresses are now visible on Facebook, even those of people who are not your friends," said Twitter user atakan.
"Check your Facebook profile your email will be exposed to the public. There is no privacy settings to hide your email," said another Tweet by isatwhoville.
Continued here: http://www.v3.co.uk/v3/news/2260541/facebook-bug-discloses-private
Yahoo targeted in China cyber attacks
The Yahoo e-mail accounts of foreign journalists based in China and Taiwan have been hacked, according to a Beijing-based press association.
Rival Google has been involved in a high-profile row with the Chinese government following similar cyber-attacks against Gmail accounts.
The Foreign Correspondents' Club of China (FCCC) has confirmed eight cases of Yahoo e-mail hacks in recent weeks.
Yahoo said it condemned such cyber-attacks.
But the FCCC accused Yahoo of failing to update users about the situation.
"Yahoo has not answered the FCCC's questions about the attacks, nor has it told individual mail users how the accounts were accessed," a spokesman told the news agency.
Continued here: http://news.bbc.co.uk/2/hi/technology/8596410.stm
Also: China cyber attack targets journalists
Spike in File Infectors Highlight Continuing Threat
From the TrendLabs Malware Blog:
In the past week, TrendLabs noticed a significant growth in the number of file infectors in the wild, particularly in Latin America. A significant increase in PE_SALITY.BA cases was particularly spotted in the region. A rise in VIRUX variants, particularly PE_VIRUX.R, was also spotted at around the same time.
File infectors are not a new threat nor do they have the notoriety of much-talked-about threats like ZBOT, KOOBFACE, and FAKEAV. However, this does not make them any less of a problem, particularly for enterprise users. In addition, these attacks are growing in sophistication as well.
According to TrendLabs' Escalation Team, previous versions of SALITY file infectors such as PE_SALITY.SA used simpler encryption techniques. In particular, they used only one layer of encryption, making analysis a simpler affair by looking at sections of the file that have only zeroes as shown in Figure 1. [...]
Continued here: http://blog.trendmicro.com/spike-in-file-infectors-highlight-continuing-threat/
From the Kaspersky Lab Weblog: A new version of Sality at large
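The "look for sections that are only zeroes" observation above is the kind of thing a quick entropy map makes visible without opening a disassembler. What follows is an added example written for this thread, not code from TrendLabs or Trend Micro: it walks a byte buffer in fixed-size chunks, scores each chunk's Shannon entropy, and labels it as zero-filled, plain, or high-entropy (the signature of an encrypted or packed layer). The sample buffer is constructed inline (readable text, then zeroes, then SHA-256-chained pseudo-random bytes standing in for encrypted content); it does not parse PE headers, so on a real file you would run it over each section's raw bytes rather than the whole image.

```python
import hashlib
import math
from typing import Dict, List, Tuple

CHUNK = 1024


def shannon_entropy(chunk: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant run, near 8.0 for encrypted or compressed data."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(entropy: float) -> str:
    """Coarse label per chunk; thresholds are a triage heuristic, not a rule."""
    if entropy == 0.0:
        return "zero-filled"     # untouched padding or slack: the foothold the analysts describe
    if entropy > 7.0:
        return "high-entropy"    # encrypted or packed: nothing readable here
    return "plain"


def entropy_map(data: bytes, chunk_size: int = CHUNK) -> List[Tuple[int, float, str]]:
    """Return (offset, entropy, label) for each chunk of the buffer."""
    out = []
    for off in range(0, len(data), chunk_size):
        e = shannon_entropy(data[off:off + chunk_size])
        out.append((off, round(e, 2), classify(e)))
    return out


def summarize(data: bytes, chunk_size: int = CHUNK) -> Dict[str, int]:
    """Count chunks per label, a one-line picture of how much of the file is opaque."""
    labels = [label for _, _, label in entropy_map(data, chunk_size)]
    return {name: labels.count(name) for name in ("zero-filled", "plain", "high-entropy")}


def pseudo_random(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chaining) so the sample is reproducible offline."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out.extend(h)
    return bytes(out[:n])


# Constructed sample buffer: 2 KiB of text, 2 KiB of zeroes, 2 KiB of pseudo-random bytes.
SAMPLE_FILE = (
    (b"This text is the readable part of the file. " * 50)[:2048]
    + bytes(2048)
    + pseudo_random(2048)
)

if __name__ == "__main__":
    for off, e, label in entropy_map(SAMPLE_FILE):
        print(f"{off:#08x}  {e:5.2f}  {label}")
    print(summarize(SAMPLE_FILE))
```

A single-layer sample leaves zero-filled chunks sitting next to high-entropy ones; a second encryption layer that also covers the padding would show as high-entropy across the board, which is exactly the loss of foothold the post is describing.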
Java 6 Update 19 closes 26 security holes
Security updates for Java SE and Java for Business have been released as Java 6 Update 19. The novel part of this announcement is that, for the first time since the Oracle acquisition of Sun, the advisory appears as an Oracle Critical Patch Update (CPU). The change in format makes the advisory much easier to read and includes ratings on the Common Vulnerability Scoring System (CVSS), making it easier to assess how critical a vulnerability is and what priority should be given to closing the problem.
The holes include buffer overflows within the Java Runtime Environment (JRE) in ImageIO, Java 2D, WebStart, the Java plug-in from browsers, sound and in the HotSpot server. The issues affect Java 6 update 16, Java 5.0 update 23, Java 1.4.2_25 and Java 1.3.1_27.
Continued here: http://www.h-online.com/security/news/item/Java-6-Update-19-closes-26-security-holes-967976.html
From Vulnerabilities & Fixes: Sun Java JDK / JRE Multiple Vulnerabilities
From Updates Thread: Java Runtime Environment (JRE) 6 Update 19
I've just read this elsewhere myself.
Is "this" scary thing you read about elsewhere..
Of the above 9 items, my guess would be the "PDF exploit". Most of the news I post, I find scary. Even if it's only about 26 security holes in Java.
It's why I ask.
And speaking of PDF.... Does PDF stand for Problematic Document Format?
Stupid of me Carol!
I meant the PDF exploit, that isn't a vulnerability exploit.
Ouch, I read that article about specifications for the PDF file format. I begin to understand why PDF readers are scary.
I wish you hadn't shown me that.
PDF Arbitrary Code Execution - vulnerable by design.
Didier Stevens, who probably knows the PDF format better than most and has written some great PDF analysis tools, published a very interesting and concerning blog post.
In this post, he outlines how PDFs can be used to execute code. Nothing new you may say... plenty of exploits have done this in the past. This is different: He is not using a vulnerability, but a feature. Evidently, PDFs have the ability to execute code by design. Since this is not an implementation, but a design problem, various PDF readers are vulnerable. In his blog, Didier shows a video of the exploit using Adobe's PDF reader. Adobe's reader will show a warning and ask the user for permission. However, the wording of this warning may be changed by the attacker. Foxit, a popular alternative to Adobe's reader, will show no warning.
At this point, Didier does not provide a public PoC exploit. However, he says he is in contact with vendors.
Continued here: http://isc.sans.org/diary.html?storyid=8545
From Didier Stevens:
Escape From PDF
Escape From Foxit Reader
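Since the post is about a feature rather than a bug, the defensive angle is to spot documents that use it before they reach a reader. The following is an added example for this thread, not code from Didier Stevens or his tools: a small triage scanner in the spirit of keyword-counting tools like pdfid. It decodes the #xx hex escapes that PDF allows inside name tokens (so a name spelled /L#61unch is still seen as /Launch), counts the action-related keywords, lists every indirect object carrying a Launch action together with its /F target, and notes whether the document fires it automatically via /OpenAction or /AA. Both PDF samples are constructed inline for the example; the Launch target is a placeholder string. Caveat: like any plain-bytes scanner, it cannot see inside compressed object streams, so a clean result is not proof of absence.

```python
import re
from typing import Dict, List

# Constructed sample: a minimal PDF whose catalog /OpenAction points at a /Launch action.
LAUNCH_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /Launch /F (placeholder-program) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same document with no action at all.
PLAIN_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Name tokens worth counting during triage (pdfid-style).
KEYWORDS = [b"/OpenAction", b"/AA", b"/Launch", b"/JavaScript", b"/JS", b"/EmbeddedFile"]

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in name tokens so /L#61unch reads as /Launch."""
    return HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> Dict[bytes, int]:
    """Count each keyword as a whole name (so /JS does not also count /JSomething)."""
    data = normalize_names(data)
    return {kw: len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", data)) for kw in KEYWORDS}


def find_launch_actions(data: bytes) -> List[dict]:
    """Return every indirect object that is a /Launch action, with its /F target string."""
    data = normalize_names(data)
    found = []
    for m in OBJ_RE.finditer(data):
        body = m.group(3)
        if re.search(rb"/S\s*/Launch(?![A-Za-z0-9])", body):
            target = re.search(rb"/F\s*\(([^)]*)\)", body)
            found.append({
                "object": int(m.group(1)),
                "target": target.group(1).decode("latin-1") if target else None,
            })
    return found


def assess(data: bytes) -> dict:
    """Triage verdict: any /Launch action is flagged; it is auto-triggered if the
    document also carries /OpenAction or /AA (additional actions) entries."""
    counts = count_keywords(data)
    launches = find_launch_actions(data)
    auto = counts[b"/OpenAction"] > 0 or counts[b"/AA"] > 0
    return {
        "keywords": counts,
        "launch_actions": launches,
        "auto_triggered": auto and bool(launches),
        "verdict": "suspicious" if launches else "no launch action",
    }


if __name__ == "__main__":
    for name, pdf in (("launch", LAUNCH_PDF), ("plain", PLAIN_PDF)):
        print(name, assess(pdf))
```

Run it over a mail gateway's attachment quarantine and the interesting column is not the keyword count but the /F target paired with an auto-trigger: that combination is the "opens and runs something" pattern the post describes, and no reader warning text is involved in deciding it.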
Email Vampires Claim to Protect Your Privacy
Keeping personal information private on the Internet is always a concern for computer users. In a new spam tactic, spammers seem keen to bring disrepute to social networking sites and Webmail services by introducing fear, uncertainty, and doubt regarding the security of private online data.
In this spam attack, spammers allege that social networking and Webmail service providers are spying on and reading every email that users send and this can seriously impact use, privacy, and safety. Spammers are targeting human emotions, such as concern for children's safety and personal online security. The spam message states that a privacy protection service will help users keep social networking and email accounts from being spied on.
Sample email: [...]
The so-called "privacy protectors" claim to give subscribers audio updates about the privacy invaders. To protect the privacy of personal information such as email, videos, photos, etc., spammers ask users to subscribe to their service. After clicking the subscribe link, the user is asked to make the payment: [...]
Continued here: http://www.symantec.com/connect/blogs/email-vampires-claim-protect-your-privacy
Persistent Domain-Renewal Scam Alive and Kicking
From the McAfee Labs Blog:
A friend of mine forwarded a suspicious email message recently. I've replaced the domain, order number, etc. below:
From: Customer Support <firstname.lastname@example.org>
Subject: Order Confirmation for <domain>, Order ######
To <registered domain holder>,
Thank you for registering/renewing the following domains with the Domain Registry of America, America's fastest growing Domain Registrar.
We take pride in offering you superior customer service and competitive pricing.
The order number for <domain> is #####.
Your check ##### for $30.00 has been received.
Domain Registry of America
I validated for my friend that the email was bogus. The domain was not held by Domain Registry of America (DROA), and never had been. The domain was not expiring in the next 90 days.
Later he received a follow-up email: [...]
Continued here: http://www.avertlabs.com/research/blog/index.php/2010/03/30/persistent-domain-renewal-scam-alive-and-kicking/
QuickTime update patches 16 vulnerabilities
Apple has released version 7.6.6 of its QuickTime multimedia player. The update closes a total of 16 critical vulnerabilities, all of which could be used by an attacker to inject and execute arbitrary code with the user's current privileges. According to Apple, for an attack to be successful a user need only open a manipulated image, audio or video file. It is also sufficient to visit a specially crafted web page.
All users are advised to update as soon as possible. QuickTime 7.6.6 is available to download for Windows XP SP2, Vista, Windows 7 and Mac OS X 10.5.8. The QuickTime vulnerabilities for Snow Leopard were already fixed in yesterday's 10.6.3 update for Mac OS X.
Continued here: http://www.h-online.com/security/news/item/QuickTime-update-patches-16-vulnerabilities-968472.html
In Vulnerabilities & Fixes thread: Apple QuickTime Multiple Vulnerabilities
Millions in China have no antivirus software, survey shows
"The number of Chinese Internet users without security software rose in 2009"
The massive number of Chinese Internet users running no antivirus software increased last year, a survey showed, even though online security risks continued to multiply in the country.
The percentage of Internet users in China with no security software was 4.4 percent last year, up from 3.9 percent the previous year, according to survey results released late Tuesday by the China Internet Network Information Center (CNNIC) and China's National Computer Network Emergency Response Technical Team (CNCERT).
CNNIC estimates that 384 million people in China used the Internet in the second half of last year. By that calculation, the number of people in the country surfing the Internet with no antivirus software was nearly 17 million, representing a huge pool of PCs that attackers could easily infect and use for malicious ends.
Continued here: http://www.computerworld.com.au/article/341621/millions_china_no_antivirus_software_survey_shows/
Mozilla to Fix CSS History Leak Soon
The developers at Mozilla soon will be adding a new privacy enhancement to the Firefox browser that will help prevent attackers and the operators of third-party Web sites from seeing which other sites a user has visited.
The technology is meant to address one of the older privacy problems on the Web, namely the fact that Web sites can see which links a user has visited. On most sites, any link that a user clicks on will turn a different color after the user clicks. This was designed as a convenience for Web users, enabling them to see where they'd gone on a given site.
Continued here: http://threatpost.com/en_us/blogs/mozilla-fix-css-history-leak-soon-033110
Microsoft runs fuzzing botnet, finds 1,800 Office bugs
"Finds, fixes huge number of Office 2010 bugs by tapping idle company PCs"
Microsoft uncovered more than 1,800 bugs in Office 2010 by tapping into the unused computing horsepower of idling PCs, a company security engineer said today.
Office developers found the bugs by running millions of "fuzzing" tests, said Tom Gallagher, senior security test lead with Microsoft's Trustworthy Computing group.
Fuzzing, a practice employed by both software developers and security researchers, searches for flaws by inserting data into file format parsers to see where programs fail by crashing. Because some crash bugs can be further exploited to successfully hack software, allowing an attacker to insert malicious code, fuzzing is of great interest to both legitimate and criminal researchers looking for security vulnerabilities.
Continued here: http://www.computerworld.com/s/article/9174539/Microsoft_runs_fuzzing_botnet_finds_1_800_Office_bugs
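The article describes fuzzing in one sentence: feed mutated data into a file format parser and watch where it crashes. The following is an added example for this thread (not Microsoft's tooling and not code from the article) showing that loop end to end in miniature. It defines a constructed toy record format, a parser that trusts its length bytes the way real-world parsers often do, a hardened version that turns every bad assumption into a controlled ParseError, and a seeded mutation fuzzer that keeps one input per distinct crash site. The seed file, the format and the bugs are all constructed for the example.

```python
import random
import struct
import traceback
from typing import Callable, Dict

INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]   # boundary bytes that tend to trip length logic


class ParseError(Exception):
    """The parser's own, expected rejection of malformed input (not a crash)."""


# Constructed toy format: magic "FZ", then records of [type:1][length:1][payload:length].
# Type 1 = name (UTF-8), type 2 = 32-bit big-endian count.
SEED_INPUT = b"FZ" + bytes([1, 5]) + b"alice" + bytes([2, 4]) + (42).to_bytes(4, "big")


def parse_records_buggy(data: bytes) -> dict:
    """Trusts the length byte and record layout: the class of bug fuzzing is good at finding."""
    if data[:2] != b"FZ":
        raise ParseError("bad magic")
    out, pos = {}, 2
    while pos < len(data):
        rtype, length = data[pos], data[pos + 1]           # IndexError on a trailing odd byte
        payload = data[pos + 2:pos + 2 + length]
        if rtype == 1:
            out["name"] = payload.decode("utf-8", "replace")
            out["initial"] = chr(payload[0])                # IndexError when length == 0
        elif rtype == 2:
            out["count"] = struct.unpack(">I", payload)[0]  # struct.error unless exactly 4 bytes
        pos += 2 + length
    return out


def parse_records_fixed(data: bytes) -> dict:
    """Same format with every assumption checked and reported as ParseError."""
    if data[:2] != b"FZ":
        raise ParseError("bad magic")
    out, pos = {}, 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ParseError("truncated record header")
        rtype, length = data[pos], data[pos + 1]
        payload = data[pos + 2:pos + 2 + length]
        if len(payload) != length:
            raise ParseError("truncated payload")
        if rtype == 1:
            if not payload:
                raise ParseError("empty name")
            try:
                out["name"] = payload.decode("utf-8")
            except UnicodeDecodeError as exc:
                raise ParseError("name is not UTF-8") from exc
            out["initial"] = chr(payload[0])
        elif rtype == 2:
            if length != 4:
                raise ParseError("count must be 4 bytes")
            out["count"] = struct.unpack(">I", payload)[0]
        else:
            raise ParseError(f"unknown record type {rtype}")
        pos += 2 + length
    return out


def mutate(data: bytearray, rng: random.Random) -> None:
    """One random in-place mutation: bit flip, interesting byte, truncation, or insertion."""
    choice = rng.randrange(4)
    if choice == 0 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:
        data[rng.randrange(len(data))] = rng.choice(INTERESTING)
    elif choice == 2 and len(data) > 2:
        del data[rng.randrange(2, len(data)):]              # keep the magic so we reach the records
    else:
        data.insert(rng.randrange(len(data) + 1), rng.choice(INTERESTING))


def fuzz(parser: Callable[[bytes], dict], seed_input: bytes, iterations: int,
         seed: int = 1) -> Dict[str, bytes]:
    """Mutate the seed, run the parser, keep one input per distinct crash site.
    ParseError is the parser saying no; any other exception counts as a crash."""
    rng = random.Random(seed)
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        data = bytearray(seed_input)
        for _ in range(rng.randint(1, 3)):
            mutate(data, rng)
        try:
            parser(bytes(data))
        except ParseError:
            continue
        except Exception as exc:
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            crashes.setdefault(f"{type(exc).__name__} in {frame.name}:{frame.lineno}", bytes(data))
    return crashes


if __name__ == "__main__":
    for name, parser in (("buggy", parse_records_buggy), ("fixed", parse_records_fixed)):
        found = fuzz(parser, SEED_INPUT, 2000)
        print(f"{name}: {len(found)} distinct crash sites")
        for sig, sample in found.items():
            print(f"  {sig}  input={sample.hex()}")
```

Deduplicating by exception type and crash line is the small-scale version of the bucketing that makes 1,800 findings manageable: thousands of mutated inputs collapse into a handful of distinct parser defects, and the hardened parser's run returning nothing is the regression check that they stayed fixed.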