PHP devs lob second patch at super-critical CGI bug
The developers of PHP have released updates to thwart fresh attacks against systems that use the scripting language to dynamically generate web pages.
All users are encouraged to upgrade to PHP 5.4.3 or PHP 5.3.13, as appropriate, after a serious security bug in PHP-CGI-based setups was disclosed. Developers attempted to fix this long-standing, but only recently discovered, flaw in a new version on 3 May, before deciding the fix was incomplete and releasing a new set of patches on Tuesday, 8 May.
This is just as well because the PHP-CGI vulnerability has become the target of a series of attacks against sites hosted by DreamHost and others over recent days. Attempts to exploit the bug were witnessed by net honeypots maintained by security researchers at TrustWave SpiderLabs. The assaults were ultimately designed to plant backdoors on vulnerable web servers, as an advisory by TrustWave explains.
The PHP-CGI remote code execution bug was discovered by security researchers, who traced the flaw to changes introduced in the codebase way back in 2004. The Eindbazen crew told PHP developers about the bug, and work was going on behind the scenes to develop a fix. However the wheels fell off this project after discussions surrounding the security hole were accidentally made public, exposing the existence of the flaw to world+dog before a patch was ready.
Continued: http://www.theregister.co.uk/2012/05/09/php_cgi_patch/
Another Set of PHP Releases Pushed Out to Fix CVE-2012-1823 Flaw
PHP team makes another attempt to close critical CGI hole
PHP 5.4.3 and PHP 5.3.13 Released
Police Trojan Crosses the Atlantic, Now Targets USA & Canada
From TrendLabs Malware Blog:
The Police Trojan has been targeting European users for about a year. It should come as no surprise that the latest incarnations of this obnoxious malware have started targeting the United States and Canada.
In the latest batch of C&C servers we have analyzed, not only has the list of countries increased, but their targets are now more specific. For instance, UKash vouchers are not available in the U.S., thus the U.S. fake police notification, which spoofs the Computer Crime & Intellectual Property Section of the U.S. Department of Justice, only mentions PaySafeCard as the accepted payment method. The criminals also took the time to add plenty of logos of local supermarkets and chain stores where the cash vouchers are available. [Screenshot]
Beyond the facade of this criminal attack, we know there is a Russian-speaking gang, which we theorized in our last paper, that had a link to the new Gamarue worm making the rounds in recent months. We can now add another compelling link: the fake police domain worldinternetpolice.net announced by the Trojan, has the same registrar as the confirmed Gamarue worm C&C server photoshopstudy10.in. The first time a researcher sees such a link, it might just be pure coincidence. The second and third times, the link starts to solidify.
Continued: http://blog.trendmicro.com/police-trojan-crosses-the-atlantic-now-targets-usa-and-canada/
FBI issues warning on hotel Internet connections
The FBI today warned travelers there has been an uptick in malicious software infecting laptops and other devices linked to hotel Internet connections.
The FBI wasn't specific about any particular hotel chain, nor the software involved but stated: "Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms.
The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products through their hotel Internet connection. Checking the author or digital certificate of any prompted update to see if it corresponds to the software vendor may reveal an attempted attack. The FBI also recommends that travelers perform software updates on laptops immediately before traveling, and that they download software updates directly from the software vendor's website if updates are necessary while abroad."
The FBI said typically travelers attempting to set up a hotel room Internet connection were presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.
Continued: http://www.networkworld.com/news/2012/050912-fbi-internet-259125.html
What the FBI didn't tell us about the hotel malware threat
Travelers Cautioned When Using Hotel Internet Connections Abroad
FBI fears Bitcoin's popularity with criminals
The FBI sees the anonymous Bitcoin payment network as an alarming haven for money laundering and other criminal activity—including as a tool for hackers to rip off fellow Bitcoin users.
That's according to a new FBI internal report that leaked to the Internet this week, which expresses concern about the difficulty of tracking the identity of anonymous Bitcoin users, while also unintentionally providing tips for Bitcoin users to remain more anonymous.
The report, titled "Bitcoin Virtual Currency: Unique Features Present Distinct Challenges for Deterring Illicit Activity," (PDF) was published April 24 and is marked For Official Use Only (not actually classified), but was leaked to the Internet on Wednesday.
In the document, the FBI notes that because Bitcoin combines cryptography and a peer-to-peer architecture to avoid a central authority, contrary to how digital currencies such as eGold and WebMoney operated, law enforcement agencies have more difficulty identifying suspicious users and obtaining transaction records.
Though the Bureau expresses confidence that authorities can still snag some suspects who use third-party Bitcoin services that require customers to submit valid identification or banking information in order to convert their Bitcoins into real-world currencies, it notes that using offshore services that don't require valid IDs can thwart tracking by law enforcement.
Continued: http://arstechnica.com/uncategorized/2012/05/fbi-fears-bitcoins-popularity-with-criminals/
Also: FBI Concerned About the Use of Bitcoins for Illicit Activities
Pirate Bay to Anonymous: Call Your Mom!
From F-Secure Antivirus Research Weblog:
UK Courts recently ordered Internet Service Providers to block access to The Pirate Bay. Yesterday, Virgin Media was attacked by some that claim associations to the Anonymous collective.
Well, The Pirate Bay had something to say about the attack on its Facebook page. [Screenshot]
TPB: We believe in the open and free internets, where anyone can express their views. Even if we strongly disagree with them and even if they hate us.
My take: Love thy enemy.
TPB: So don't fight them using their ugly methods. DDOS and blocks are both forms of censorship.
My take: Two wrongs don't make a right.
TPB: If you want to help; start a tracker, arrange a manifestation, join or start a pirate party, teach your friends the art of bittorrent, set up a proxy, write your political representatives, develop a new p2p protocol...
My take: Don't be destructive. Better to be "subversive".
Continued: http://www.f-secure.com/weblog/archives/00002361.html
Virgin Media website 'hit by cyber attack' following Pirate Bay block
The Pirate Bay: We Do Not Encourage DDOS Attacks
"Fix your hard disk" with fake S.M.A.R.T. Repair tool
From the Avast Blog:
Imagine a program that scans your computer, detects some errors, and offers to fix them. There are many legitimate programs that do this (for example, antivirus programs), but there are also many fake programs which do nothing beneficial - they just pretend to scan your computer and pretend to fix some errors, but in reality there are no errors and nothing is being fixed. You didn't install such a program; you don't even know how it got installed on your computer. It's just there, wanting to trick you into buying a license.
Have you ever wondered what happens when you "buy" the activation key? Will the program really do something for you, will it just disappear... or, maybe, it will keep annoying you. Let's look at a program called "S.M.A.R.T. Repair". [Screenshot]
If we execute "S.M.A.R.T. Repair", it disappears from its original location and copies itself into "Documents and Settings" under a randomly generated name, for example "@t)f9K70Sh&Z^.exe" (see figure 2) - this is the first sign of suspicious behavior. [Screenshot]
Continued: https://blog.avast.com/2012/05/09/%E2%80%9Cfix-your-hard-disk%E2%80%9D-with-fake-s-m-a-r-t-repair-tool/
DHS Appeals to Users Still Infected with DNSChanger
The Department of Homeland Security is the latest agency to appeal to U.S. consumers to check their computers for signs of DNSChanger malware before they are knocked offline in a couple of months.
Rand Beers, undersecretary for the National Protection and Programs Directorate, implored users to test their home and office computers for the trojan, which infected more than 4 million machines in 100 countries before law enforcement officials took down the sophisticated fraud ring. As part of "Operation Ghost Click," authorities took command of implicated DNS servers and redirected compromised computers to surrogate servers. Those servers now must be taken down July 9 by court order. At that time, any machine still tethered to the temporary servers will be forced offline.
"I encourage everyone to keep your operating system, browser, and other critical software optimized by installing updates," Beers wrote in a blog post on the DHS Web site. "And, you can assess your own computer's susceptibility for the DNSChanger malware at the industry-wide DNSChanger Working Group website. In fact, I just tested my computer at home - the process was simple, straight-forward, and only took a few minutes."
As of last month, 84,000 U.S. computers were still tied to the "clean" servers put up for the FBI by the Internet Systems Consortium. The number worldwide is around 350,000. A Kindsight Security Lab malware report (pdf) released today for Q1 ranked DNSChanger as the most prevalent high-level infection with 1 in 400 households still infected.
Continued: http://threatpost.com/en_us/blogs/dhs-appeals-users-still-infected-dnschanger-050912
FTC Charges Myspace With Breaking US Law in Sharing Users' Personal Information
Continuing its crackdown on Internet privacy violations, the Federal Trade Commission charged Myspace on Tuesday with violating federal law by breaching its promise not to share users' personal information, including their Web browsing habits, with advertising companies.
The advertisers that tracked the online browsing habits of Myspace users were not charged, reflecting a general lack of laws governing online privacy. On Wednesday, the Senate Commerce committee will question officials from the F.T.C. and the Obama administration about their recent proposals to require companies to obtain consumers' permission to be tracked online.
The F.T.C. asserted that from January 2009 through June 2010, and again from October 2010 through October 2011, Myspace, a social media Web site, transmitted information, including internal identification numbers of users, and their ages and genders, to outside ad networks that served ads to Myspace.
Continued: http://www.nytimes.com/2012/05/09/technology/myspace-agrees-to-privacy-controls.html
Java drive-by generator used in recent attack
A malware delivery campaign that doubles its infection efforts to really make sure users get compromised has recently been spotted by F-Secure researchers.
One of them landed on a website that poses as a "Gmail Attachment Viewer", which tries to make the visitor run the offered application.
The pop-up warning from Windows identifies it as a "Microsoft" app but says that the app's digital signature cannot be verified and that the app's publisher is "Unknown".
If the user does choose to run the app, he is faced with a Cisco Foundation invitation to attend a conference, while the download and quiet installation of a malicious binary is performed in the background.
Curiously enough, the message contains an embedded link that, if clicked, again tries to download the same malware.
The researcher does not mention how she ended up on the site in question in the first place, and what type of malware is actually pushed onto the user, but points out that the infection is generated using iJava Drive-by Generator: [Screenshot]
Twitter hack breaches thousands of accounts
A Twitter hacker on Monday revealed thousands of user names and passwords for the microblogging site, but here's the good news: Most of the compromised accounts appear to be spam.
Word of the breach began spreading Tuesday after hacking news and activist hub Airdemon posted a dispatch saying 55,000 accounts had been compromised. It linked to Pastebin pages containing the allegedly compromised user names and passwords.
A Twitter representative said the company is investigating. He also downplayed the extent of the potential breach, which hit a small sliver of Twitter's 140 million active users.
"It's worth noting that, so far, we've discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended and many login credentials that do not appear to be linked (that is, the password and username are not actually associated with each other)," Twitter spokesman Robert Weeks said.
Continued: http://money.cnn.com/2012/05/08/technology/twitter-hack/
Twitter Debunks Reports of 55,000 Hacked Accounts
Thousands of Twitter passwords allegedly exposed
Fraudulent Apps and Fake AV Found on Google Play
Researchers from the security firm AegisLab discovered more than 15 fake antivirus and free SMS applications on Google's recently rebranded content market place, Google Play.
The applications are redirecting users to a third party site run by the app's developer. AegisLab researchers could not say for certain whether the fraudulent apps were designed with malicious intent, or if the developer is merely trying to drive traffic to his site.
The applications appear to have been uploaded by one developer who operates under the handle Thasimola. According to AegisLab, the developer used AppsGeyser, an Android application webkit, to automatically generate the fake apps.
When AegisLab published its report on Tuesday, the writer noted that the number of fake apps had been increasing. As of now, Thasimola's developer profile is unreachable. Whether or not Google took action on the account is not clear.
You can read the AegisLab report here.
Also: Fake mobile AV apps offered on Google Play