Spyware, Viruses, & Security forum


NEWS - May 04, 2012

Microsoft Names Chinese Firm Hangzhou DPTech as Source of RDP Code Leak

Two months after exploit code for the Microsoft RDP MS12-020 vulnerability made its way into the open before the company released a patch, Microsoft has put the blame for the leak on a Chinese security company, Hangzhou DPTech Technologies. Microsoft said Thursday that it has removed the company from its MAPP information-sharing program.

Microsoft officials said that after word of the leak got out in March they began an investigation to find the source. The security researcher who originally found the RDP bug and reported to Microsoft through the Zero Day Initiative, Luigi Auriemma, said at the time that he suspected that the leak had come from somewhere in the MAPP program, either through one of the partner companies or inside Microsoft itself. The proof-of-concept exploit code that appeared on a Chinese site included a packet that Auriemma wrote himself and forwarded to ZDI.

"The packet I gave to ZDI was unique because I modified it by hand. There are no doubts on this thing," he said in an email interview at the time of the leak. "Microsoft is the source of the leak, probably during the distribution to MAPP partners, but I still have some doubts."

Continued : http://threatpost.com/en_us/blogs/microsoft-names-chinese-firm-hangzhou-dptech-source-rdp-code-leak-050312

Microsoft kicks Chinese company out of vulnerability sharing program
Microsoft boots Chinese firm for leaking Windows exploit
Microsoft names source of RDP code leak
Rogue Firefox extension hijacks browser sessions

In reply to: NEWS - May 04, 2012

Security researchers from StopMalvertising have spotted a rogue Firefox extension, capable of hijacking browser sessions and posting content on Facebook. [Screenshot]

The rogue extension is currently distributed across multiple adult web sites, and across Facebook, attempting to trick users into thinking that they're running an outdated version of their Adobe Flash Player.

What happens once the user installs the bogus extension?

' The internet user will visit additional websites in the background with the viral add-on installed, possibly participate in click-fraud and expose themselves to malware while surfing on those unwanted sites. Furthermore, when logged in on Facebook, the victim will spam a viral video to their friends, spreading the Trojan clicker even more.

When visiting Google for example, the script will fetch additional web pages in the background which may lead to malware. The page at footprintsit.com contains a list of URLs to visit. The URL also contains an affiliate ID / Name ... Foreste. This is the criminal who will earn money from your surfing.

If the affected user is logged into Facebook, the rogue extension will distribute a viral video with the title "Kristen Stewart Was Taped Drunk & Having S#x!", in an attempt to trick even more people into downloading and installing the bogus extension. Affected Facebook users will be served a bogus Facebook landing page, prompting them to install Flash_Player_11.exe.

Continued : http://www.zdnet.com/blog/security/rogue-firefox-extension-hijacks-browser-sessions/11856

BBB assistance malware attack strikes again

In reply to: NEWS - May 04, 2012

Once again, cybercriminals have spammed out emails claiming to come from the Better Business Bureau (BBB), with the intention of infecting Windows computers with malware.

SophosLabs has intercepted a widespread malware attack that is being spammed out as an attachment to an email claiming to come from the BBB.

The emails vary in their wording, but all claim that a consumer has complained about the company receiving the email. The details of the complaint, naturally, are contained inside the attached "BBB Report.zip" file (which, of course, contains malware).

It should go without saying that the emails do not really come from the Better Business Bureau. The criminals behind the campaign are simply adopting the disguise of the BBB in the hope that you will take the message seriously and open the attached file.

Continued : http://nakedsecurity.sophos.com/2012/05/04/bbb-assistance-malware-attack-strikes-again/

PHP patch quick but inadequate

In reply to: NEWS - May 04, 2012

The updates to PHP versions 5.3.12 and 5.4.2 released on Thursday do not fully resolve the vulnerability that was accidentally disclosed on Reddit, according to the discoverer of the flaw. The bug in the way CGI and PHP interact with each other leads to a situation where attackers can execute code on affected servers. The issue remained undiscovered for eight years.

The best protection at present is offered by setting up filter rules on the web server. However, the RewriteRule workaround described on PHP.net is also, according to security expert Christopher Kunz, inadequate. He suggests a slightly modified form of the rule as an alternative.

Because the PHP interpreter for CGI does not comply with the specifications laid out in the CGI standard, URL parameters can, under certain circumstances, be passed to PHP as command line arguments. Servers which run PHP in CGI mode are affected; FastCGI PHP installations are not...

Continued : http://www.h-online.com/security/news/item/PHP-patch-quick-but-inadequate-1568454.html

Related: Serious Remote PHP Bug Accidentally Disclosed

See Vulnerabilities & Fixes: PHP PHP-CGI QUERY_STRING Parameter Vulnerability
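The CGI specification (RFC 3875, section 4.4) is what turns a query string into command-line arguments: when QUERY_STRING contains no unencoded "=", the server splits it on "+", URL-decodes each piece and passes the pieces as argv to the script. A server-side filter that mirrors that rule is therefore the check a defender wants. The following is an added example, not code from the article, from php.net or from Christopher Kunz; the function names, the regular expression and the access-log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed Apache-style access-log lines (sample data, not from the article).
# Lines 2 and 3 carry a query string with no unencoded "=", so a CGI server
# would hand its pieces to the interpreter as command-line options.
SAMPLE_LOG = """\
203.0.113.5 - - [04/May/2012:10:15:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
203.0.113.9 - - [04/May/2012:10:15:07 +0000] "GET /index.php?-h HTTP/1.1" 200 9012
203.0.113.9 - - [04/May/2012:10:15:12 +0000] "GET /index.php?%2Dv+foo HTTP/1.1" 200 44
198.51.100.2 - - [04/May/2012:10:16:00 +0000] "GET /search.php?q=-x HTTP/1.1" 200 300
198.51.100.2 - - [04/May/2012:10:16:05 +0000] "GET /index.php?a%3Db HTTP/1.1" 200 300
"""

# Extracts the request line from a combined-format log entry (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def cgi_argv_from_query(query: str) -> list:
    """Return the argv a CGI server derives from QUERY_STRING, or [] if none.

    Per RFC 3875 section 4.4 the query is only used as argv when it contains
    no unencoded "="; an encoded "%3D" does not count, so "a%3Db" still
    becomes the single argument "a=b".
    """
    if not query or "=" in query:
        return []
    return [unquote(part) for part in query.split("+")]


def is_option_injection(query: str) -> bool:
    """True when any derived argument begins with "-", i.e. it would be
    read as an interpreter option rather than as data."""
    return any(arg.startswith("-") for arg in cgi_argv_from_query(query))


def scan_log(text: str) -> list:
    """Scan log lines and return (line number, request target, derived argv)
    for every request the filter would have blocked."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        query = urlsplit(target).query  # urlsplit leaves percent-encoding intact
        if is_option_injection(query):
            hits.append((lineno, target, cgi_argv_from_query(query)))
    return hits


if __name__ == "__main__":
    for lineno, target, argv in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {target} -> argv {argv}")
```

Applied to the sample log, only lines 2 and 3 are reported: line 4 has a real "=" and is ordinary form data, and line 5 decodes to "a=b", which carries no leading dash. The same test (no unencoded "=", a decoded argument starting with "-") is what a web-server rewrite rule has to express to be a complete workaround; a rule that only looks for a literal "-" misses the percent-encoded form, and one that ignores the "=" condition blocks legitimate queries.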

1,000+ WordPress sites compromised through automatic update feature

In reply to: NEWS - May 04, 2012

More than 1,000 WordPress blogs have been modified to redirect visitors to sites serving malware, affiliate and pay-per-click redirectors, and low quality PPC search result aggregators, through the WordPress' automatic update feature.

The discovery was made by Denis Sinegubko, the founder of the helpful Unmask Parasites website, who points out the irony of webmasters trying to keep their sites safe by using automatic updating, and then having them compromised through the same means.

The individuals behind the attack have discovered how to add the malicious code to the update.php file, which prompts WordPress to update. This code then injects other code in the wp-settings.PHP file, and effects the redirects.

The update.php file contains the "wp_update_core" function, which is used by the WordPress Automatic Update feature, says Sinegubko.

"Behind the scenes, the 'wp_update_core' function checks for available updates, downloads new files, replaces old files and does all the rest stuff required to successfully complete WordPress upgrades," he explains.

Continued : http://www.net-security.org/secworld.php?id=12865
Adobe warns: Flash Player malware hitting IE on Windows users

In reply to: NEWS - May 04, 2012

Adobe has shipped an extremely urgent Flash Player patch to block in-the-wild malware attacks against Windows users.

Adobe described the attacks as "targeted" and warned that malicious Flash files are being delivered in e-mail messages.

Although the vulnerability affects Flash Player on all platforms, the malware attacks target Flash Player on Internet Explorer for Windows only.

According to Adobe's advisory, the patch is available for Adobe Flash Player and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player and earlier versions for Android 4.x, and Adobe Flash Player and earlier versions for Android 3.x and 2.x.

"These updates address an object confusion vulnerability (CVE-2012-0779) that could cause the application to crash and potentially allow an attacker to take control of the affected system," Adobe said.

There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only.

Windows users should treat this update with the utmost priority, Adobe said.


Adobe Releases Patch for Flash Bug Being Used in Targeted Attacks
Adobe Flash Player update closes critical object confusion hole

See : Security Update Available for Adobe Flash Player (APSB12-09)

Java 7 arrives for (nearly) all

In reply to: NEWS - May 04, 2012

Last week, the fourth update release of Java 7 from Oracle was announced. Now, the users of Java, rather than just the developers, are being offered the chance to update to Java 7. Although Java 7 came out in July 2011, Oracle, Java owner and producer of the binary Java releases for end users, continued to give priority to Java 6. The Java 6 release continued to receive updates from Oracle, but developers have been waiting for Oracle to start updating users to a Java 7 based JRE (Java Runtime Environment) so they can be confident that, when shipping a Java 7 based application, the user will be able to run the application. Oracle says that it is beginning the update process for all users with Java already installed and that they should get an automatic upgrade in the coming months.

Oracle recommends that end users should always use the latest version of the Java platform as it contains the latest features and, more importantly, security updates. Users can check which version of Java they are running by consulting the Java.com web site. Oracle also recommends that users remove older versions of Java from their system and offers instructions on how to accomplish that.

The update to Java 7 for end users only applies to Windows users though. Linux users are still being offered Java 6 Update 32, the "All Java Downloads" page only offers Java 6 Update 32 for Windows, Linux and Solaris, and an FAQ page still directs users to Oracle.com for Java 7.

Continued: http://www.h-online.com/security/news/item/Java-7-arrives-for-nearly-all-1568033.html

Targeted Attacks in Syria

In reply to: NEWS - May 04, 2012

From F-Secure Antivirus Research Weblog:

Syria has been the center of much international attention lately. There's unrest in the country and the authoritarian government is using brutal tactics against dissidents. These tactics include using technology surveillance, trojans and backdoors.

Some time ago we received a hard drive via a contact. The drive had an image of the system of a Syrian activist who had been targeted by the local authorities.

The activist's system had become infected as a result of a Skype chat. The chat request came from a fellow activist. The problem was that the fellow activist had already been arrested and could not have started the chat.

Initial infection occurred when the activist accepted a file called MACAddressChanger.exe over the chat. This utility was supposed to change the hardware MAC address of the system in order to bypass some monitoring tools. Instead, it dropped a file called silvia.exe which was a backdoor — a backdoor called "Xtreme RAT".

Xtreme Rat is a full-blown malicious Remote Access Tool.

Sold for 100 euro (Paypal) via a page hosted at Google Sites: https://sites.google.com/site/nxtremerat

We have reasons to believe this infection wasn't just bad luck. We believe the activist's computer was specifically targeted. In any case, the backdoor calls home to the IP address This IP block belongs to Syrian Arab Republic — STE (Syrian Telecommunications Establishment).

Continued : http://www.f-secure.com/weblog/archives/00002356.html

Syrian regime uses Skype to fire Trojan at opposition activists
Syria pushing malware via Skype to spy on activists

Walmart gift card scam targets smartphone users

In reply to: NEWS - May 04, 2012

Online survey scams are most often propagated through social network and sharing websites, but occasionally users are "assaulted" directly through their smartphones.

Hoax-Slayer warns about a bogus offer of a $1000 Walmart gift card for free hitting mobile phone users via the following text message:

' You've been selected for a free $1,000 Walmart Giftcard! Enter the code 'FREE' at to get it now. Only 116 left! Text OUT to stop'

Users who follow the link to the website and insert the code are redirected to another one where they are asked to complete a quiz or a survey, or to share their name and contact details in order to compete for the prize.

At the end of each quiz or survey, the users are asked to enter their mobile phone number in order to get the results. Unfortunately for those who don't spot the text written in very small letters below the "Submit" button, by doing so they are automatically subscribing to extremely pricey SMS services.

Continued : http://www.net-security.org/secworld.php?id=12868

Also: $1,000 (€760) Walmart Gift Card Scam Inflates Phone Bills

Email Product Looks to Reduce Spam False Positives

In reply to: NEWS - May 04, 2012

A new product from TrustSphere is tackling the problem of email incorrectly flagged as spam, an irritating and potentially costly error for businesses.

The product, called TrustVault, analyzes the communication between the sender and recipient of an email over a few weeks, looking at how many messages are sent, how often in a day and how quickly.

TrustVault builds a kind of social graph between senders and receivers, and can overrule spam filters that might normally flag a message as suspicious when it isn't. It doesn't look at an email's content.

"When we see an email from a known trusted sender that is blocked, we are able to release it from quarantine or prevent it from going into quarantine if it [the product] is configured that way," said Manish Goel, TrustSphere's CEO.

Estimates of the percentage of messages incorrectly labeled as spam vary wildly. Goel said a typical figure cited is 3.5 false positives per million emails, but he said TrustSphere has audited companies that have a much higher error rate.

Continued : http://www.pcworld.com/businesscenter/article/255030/email_product_looks_to_reduce_spam_false_positives.html

Microsoft to Botmasters: Abandon Your Inboxes

In reply to: NEWS - May 04, 2012

If the miscreants behind the ZeuS botnets that Microsoft sought to destroy with a civil lawsuit last month didn't already know that the software giant also wished to unmask them, they almost certainly do now. Google, and perhaps other email providers, recently began notifying the alleged botmasters that Microsoft was requesting their personal details.

Microsoft's unconventional approach to pursuing dozens of ZeuS botmasters offers a rare glimpse into how email providers treat subpoenas for account information. But the case also is once again drawing fire from a number of people within the security community who question the wisdom and long-term consequences of Microsoft's strategy for combating cybercrime without involving law enforcement officials.

Last month, Microsoft made news when it announced a civil lawsuit that it said disrupted a major cybercrime operation that used malware to steal $100 million from consumers and businesses over the past five years. That legal maneuver may have upset some cyber criminal operations, but it also angered many in the security research community who said they felt betrayed by the action. Critics accused Microsoft of exposing sensitive information that a handful of researchers had shared in confidence, and of delaying or derailing international law enforcement investigations into ZeuS Trojan activity.

Continued : http://krebsonsecurity.com/2012/05/microsoft-to-botmasters-abandon-your-inboxes/

FBI: We need wiretap-ready Web sites -- now

In reply to: NEWS - May 04, 2012

"CNET learns the FBI is quietly pushing its plan to force surveillance backdoors on social networks, VoIP, and Web e-mail providers, and is asking Internet companies not to oppose a law making those backdoors mandatory."

The FBI is asking Internet companies not to oppose a controversial proposal that would require the firms, including Microsoft, Facebook, Yahoo, and Google, to build in backdoors for government surveillance.

In meetings with industry representatives, the White House, and U.S. senators, senior FBI officials argue the dramatic shift in communication from the telephone system to the Internet has made it far more difficult for agents to wiretap Americans suspected of illegal activities, CNET has learned.

The FBI general counsel's office has drafted a proposed law that the bureau claims is the best solution: requiring that social-networking Web sites and providers of VoIP, instant messaging, and Web e-mail alter their code to ensure their products are wiretap-friendly.

"If you create a service, product, or app that allows a user to communicate, you get the privilege of adding that extra coding," an industry representative who has reviewed the FBI's draft legislation told CNET. The requirements apply only if a threshold of a certain number of users is exceeded, according to a second industry representative briefed on it.

Continued : http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites-now/

Android malware used to mask online fraud, says expert

In reply to: NEWS - May 04, 2012

Android malware being automatically distributed from hacked websites looks like it's being used to mask online purchases, and could be part of a fraud gang's new push into mobile, researchers said today.

"The malware essentially turns your Android phone into a tunnel that can bounce network traffic off your phone," said Kevin Mahaffrey, co-founder and CTO of Lookout Security, a San Francisco-based firm that focuses on Android.

Lookout first published information about the new malware, dubbed "NotCompatible," on Wednesday. Further analysis, however, has revealed the most likely reason why cyber criminals are spreading the malware.

"There are a couple of ways they can profit from this," said Mahaffrey in an interview. "One is general online fraud, the other is targeted attacks against enterprises. We haven't seen any evidence [of the latter], and have confirmed that it is engaged in online purchasing activity."

Once installed, NotCompatible turns an infected Android device into a proxy, through which hackers can then direct data packets, in essence disguising the real source of that traffic by using the compromised devices as middlemen.

Continued : http://www.computerworld.com/s/article/9226899/Android_malware_used_to_mask_online_fraud_says_expert

Related: Android malware opens back door to the intranet

From the Lookout Blog: Update: Oh no, my phone bought tickets to the One Direction concert

Brace for Big Batch of Microsoft Patches

In reply to: NEWS - May 04, 2012

Microsoft says it will ship seven security updates next week, three critical, to patch 23 bugs in Windows, Office, and its Silverlight and .Net development platforms.

The number of patches -- nearly two dozen -- is higher than usual for an odd-numbered month; for some time, Microsoft has used an even-odd schedule, patching more vulnerabilities in the even months, when it also regularly updates Internet Explorer.

"May has been a light month, historically, very light," said Andrew Storms, director of security operations at nCircle Security, who tracks the number of patches and updates Microsoft issues each month.

In May 2011, Microsoft shipped two updates that patched three vulnerabilities. The year before, it delivered two updates that patched two bugs.

"So, this is a big number," said Storms.

The pace so far this year -- Microsoft's collections during the first five months have included seven, nine, six, six, and seven updates -- puts to rest the idea that Microsoft still hews to a wave-and-trough practice.

Continued : http://www.pcworld.com/businesscenter/article/255046/brace_for_big_batch_of_microsoft_patches.html
