
NEWS - November 03, 2010

Indefatigable Zeus and Fake Archives Set the Malware Tone for October

Kaspersky Lab announces the publication of its Monthly Malware Statistics for October 2010.

Despite the recent arrests of criminal gang members linked to the ZeuS botnet, new malicious programs are still emerging that support its spread. Zeus has become one of the most commonly used and best-selling spy programs on the online black market due mainly to the ease with which the Trojans in the Zeus family can be configured to steal online data.

Virus.Win32.Murofet, detected in early October, generates domain names that are later used to spread the ZeuS botnet. The links to downloadable and executable Zeus files are generated using the current date and time on the victim computer. The virus obtains the year, month, day and minute from the system, generates two double words, adds one of several popular domain zones, adds "/forum" to the end of the string and uses it as a link.

"This piece of malware demonstrates just how inventive and eager the Zeus developers are to spread their creation around the world," stated Vyacheslav Zakorzhevsky, Senior Virus Analyst at Kaspersky Lab and author of the report.

Another clear trend in October was the continuing growth in the popularity of fake archiving programs. These programs typically disguise themselves as popular freeware or tools to remove license protection from legal software. After a user launches a fake archiving program, they are asked to send an SMS to a premium number so they can access the contents of an archive. In most cases after a message is sent, the user receives instructions on how to use a torrent tracker and/or a link to it. [...]

For a complete version of Kaspersky Lab's October malware report, please visit
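The report describes the shape of the Murofet links (a host built from two double words, a common domain zone, then "/forum") without giving the generation algorithm. For a defender the useful side is recognising that shape in outbound traffic, so here is an added example, not from Kaspersky or the report, that scans constructed proxy log lines for it. It assumes the two double words appear as 16 hexadecimal characters and that the "popular domain zones" are the usual handful of generic TLDs; both are assumptions, and the log lines are made up.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed proxy log lines (not captured traffic): timestamp, client IP,
// method, URL. Two of them follow the shape the report describes.
var sampleLog = []string{
	"2010-10-05T09:14:02Z 10.0.0.12 GET http://www.example.com/index.html",
	"2010-10-05T09:14:05Z 10.0.0.12 GET http://4f2a9c10e37b55d1.com/forum",
	"2010-10-05T09:14:07Z 10.0.0.31 GET http://intranet.example.org/forum/view?id=3",
	"2010-10-05T09:14:09Z 10.0.0.12 GET http://0c8d7a3f9e2b4461.biz/forum",
	"2010-10-05T09:14:11Z 10.0.0.44 GET http://forum.example.net/",
}

// Hit records one log line whose URL matched the pattern.
type Hit struct {
	Line   int    // index into the log slice
	Client string // source IP from the log line
	Host   string // the generated-looking hostname
}

// Assumed rendering of "two double words": 16 hex characters as the whole
// label, followed by one of a few generic zones and the literal /forum path.
var murofetShape = regexp.MustCompile(`(?i)^https?://([0-9a-f]{16})\.(com|net|org|biz|info)/forum/?$`)

// ScanProxyLog returns every line whose requested URL has the Murofet-like shape.
func ScanProxyLog(lines []string) []Hit {
	var hits []Hit
	for i, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 4 {
			continue // malformed line; skip rather than guess
		}
		m := murofetShape.FindStringSubmatch(fields[3])
		if m == nil {
			continue
		}
		hits = append(hits, Hit{Line: i, Client: fields[1], Host: m[1] + "." + strings.ToLower(m[2])})
	}
	return hits
}

// SuspectClients counts matches per client: several such requests from one
// host within minutes is a much stronger signal than a single odd URL.
func SuspectClients(hits []Hit) map[string]int {
	counts := make(map[string]int)
	for _, h := range hits {
		counts[h.Client]++
	}
	return counts
}

func main() {
	hits := ScanProxyLog(sampleLog)
	for _, h := range hits {
		fmt.Printf("line %d: client %s requested %s\n", h.Line, h.Client, h.Host)
	}
	for client, n := range SuspectClients(hits) {
		fmt.Printf("%s: %d matching request(s)\n", client, n)
	}
}
```

Running it flags the two hex-label hosts and attributes both to 10.0.0.12; the legitimate intranet forum URL and the forum.example.net host are left alone because the matched label must be exactly 16 hex characters.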

- Collapse -
Scam Takes Aim At Military Families

From AppRiver Blog:

We are seeing heavy traffic related to a phishing campaign that is attempting to steal money as well as personal data from members of the US military and their families, demonstrating once again that cybercriminals have no trepidation about ripping off anyone and everyone they can. The phishing campaign is directed at members of the financial services firm USAA, a financial institution that is very popular among current and former members of the armed forces.

These emails come with subject lines such as USAA Notification, Security Alert, Urgent Message for USAA Customer, etc. A link in the email takes you to a fake login page that asks you for all your pertinent USAA login and personal financial data. Once the information is submitted you are directed to a faked USAA website that looks identical to the real thing. This is actually quite unique in an attack like this, as most of the time you would be redirected to the ACTUAL USAA website. Each unique domain is serving up a complete fake USAA website. At this time we are monitoring (and blocking) over 1500 unique domains that are all registered with the free .tk (tld).

- Collapse -
88 'high-risk' security defects found in Android kernel

A security audit of the Android kernel has turned up 88 "high-risk defects" with significant potential to cause security vulnerabilities, data loss, or quality problems such as system crashes.

According to Coverity, a source code analysis firm, the high-risk defects included memory corruption flaws, memory illegal accesses and resource leaks.

The analysis was conducted against the Android kernel 2.6.32 (code named "Froyo"). This kernel is targeted for smartphones based on the Qualcomm MSM7xxx/QSD8x50 chipset, specifically the HTC Droid Incredible. In addition to the standard kernel, this version includes support for wireless, touchscreen, and camera drivers.

Also see: Coverity Scan 2010 Open Source Integrity Report Reveals High Risk Software Flaws in Android

- Collapse -
Keystroke dynamics block bots to boost security

Uses factors such as speed of typing.

Researchers have developed a software tool that records keystroke dynamics to create a fingerprint to identify who is using the computer, allowing it to distinguish human inputs from those of an automated software bot.

"The software uses things like the time between strokes, speed of typing, the most used keys and mouse actions to identify one user from another," said Danfeng Yao, assistant professor of computer science at Virginia Tech.

"But the software can also tell the difference between human users and bots - even if they try to mirror human behaviour."

The program is a response to a rise in automated malware attacks that use bots to create outgoing requests from a browser. According to Yao, the bots could be used to send out user passwords to control machines or attack external computers without the owner's knowledge. [...]

"This software can spot this with a high degree of accuracy, even though your browser sends out a lot of information without specific user permission - maybe 20 requests for one click."

According to Yao, the prototype software offers good protection against drive-by malware downloads because it effectively quarantines the malware.[...]

A working version of the security tool has already been licenced by an unnamed company, which plans on building a separate firm around the technology.
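The article lists the signals the tool uses (time between strokes, typing speed) but not how they are turned into a decision. The following is an added illustration, not Virginia Tech's code, of the two jobs described: telling a human from a bot, and telling one user from another. It works from constructed key-press/release timings (the samples are made up, not measurements), summarises each sample by the mean and spread of dwell and flight times, flags samples whose timing is implausibly regular, and compares a fresh sample against an enrolled profile. The thresholds are assumptions chosen for the constructed data.

```go
package main

import (
	"fmt"
	"math"
)

// KeyEvent is one key press: press and release times in milliseconds since
// the start of the sample.
type KeyEvent struct {
	Key  rune
	Down float64
	Up   float64
}

// Profile summarises a typing sample by the mean and standard deviation of
// dwell time (how long each key is held) and flight time (gap between
// consecutive key presses).
type Profile struct {
	DwellMean, DwellStd   float64
	FlightMean, FlightStd float64
}

func meanStd(xs []float64) (float64, float64) {
	if len(xs) == 0 {
		return 0, 0
	}
	var sum float64
	for _, x := range xs {
		sum += x
	}
	mean := sum / float64(len(xs))
	var ss float64
	for _, x := range xs {
		ss += (x - mean) * (x - mean)
	}
	return mean, math.Sqrt(ss / float64(len(xs)))
}

// BuildProfile extracts the timing features from a sequence of key events.
func BuildProfile(events []KeyEvent) Profile {
	dwell := make([]float64, 0, len(events))
	flight := make([]float64, 0, len(events))
	for i, e := range events {
		dwell = append(dwell, e.Up-e.Down)
		if i > 0 {
			flight = append(flight, e.Down-events[i-1].Down)
		}
	}
	var p Profile
	p.DwellMean, p.DwellStd = meanStd(dwell)
	p.FlightMean, p.FlightStd = meanStd(flight)
	return p
}

// LooksAutomated flags a sample whose timing is too regular for a human hand.
// Synthesised input can copy a person's average speed but rarely their jitter,
// so near-zero variance is the tell. Thresholds (ms) are assumptions.
func LooksAutomated(p Profile) bool {
	return p.FlightStd < 5 || p.DwellStd < 3
}

// Distance scores how far a sample sits from an enrolled profile, measuring
// each feature in units of the enrolled user's own variability. The enrolled
// profile must come from a human sample (non-zero spread).
func Distance(enrolled, sample Profile) float64 {
	return math.Abs(sample.DwellMean-enrolled.DwellMean)/enrolled.DwellStd +
		math.Abs(sample.FlightMean-enrolled.FlightMean)/enrolled.FlightStd +
		math.Abs(sample.DwellStd-enrolled.DwellStd)/enrolled.DwellStd +
		math.Abs(sample.FlightStd-enrolled.FlightStd)/enrolled.FlightStd
}

// MatchesUser accepts a sample as the enrolled user only if it is not
// automated and lies within the assumed distance threshold.
func MatchesUser(enrolled, sample Profile, threshold float64) bool {
	return !LooksAutomated(sample) && Distance(enrolled, sample) < threshold
}

// makeEvents builds a constructed sample from per-key dwell times and the
// flight times between successive presses (len(flight) == len(dwell)-1).
func makeEvents(dwell, flight []float64) []KeyEvent {
	events := make([]KeyEvent, len(dwell))
	var t float64
	for i, d := range dwell {
		events[i] = KeyEvent{Key: 'x', Down: t, Up: t + d}
		if i < len(flight) {
			t += flight[i]
		}
	}
	return events
}

// Constructed samples: two sessions from the same person, a different person,
// and a bot tuned to the first person's average speed but with almost no jitter.
var (
	UserA1 = makeEvents([]float64{82, 95, 110, 74, 121, 88, 103, 91}, []float64{140, 210, 95, 260, 180, 150, 230})
	UserA2 = makeEvents([]float64{85, 98, 105, 78, 118, 90, 100, 95}, []float64{150, 200, 100, 250, 175, 160, 220})
	UserB  = makeEvents([]float64{55, 60, 70, 50, 65, 58, 62, 57}, []float64{90, 110, 80, 120, 95, 100, 105})
	Bot    = makeEvents([]float64{95, 96, 95, 94, 95, 96, 95, 94}, []float64{180, 181, 180, 179, 180, 181, 180})
)

func main() {
	enrolled := BuildProfile(UserA1)
	for name, sample := range map[string][]KeyEvent{"A again": UserA2, "user B": UserB, "bot": Bot} {
		p := BuildProfile(sample)
		fmt.Printf("%-8s automated=%-5v distance=%.2f matches=%v\n",
			name, LooksAutomated(p), Distance(enrolled, p), MatchesUser(enrolled, p, 2.0))
	}
}
```

The bot sample has the same average dwell and flight time as user A, yet its spread is under a millisecond, so it is rejected before any identity comparison; user A's second session scores well under the threshold while user B, a faster typist, scores several times above it.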

- Collapse -
New Bug in Internet Explorer Used in Targeted Attacks

There's a new flaw in all of the current versions of Internet Explorer that is being used in some targeted attacks right now. Microsoft has confirmed the bug and said it is working on a fix, but has no timeline for the patch release yet. The company did not rule out an emergency out-of-band patch, however.

The new bug in Internet Explorer affects versions 6, 7 and 8, but is not present in IE 9 beta releases, Microsoft said. The company has released an advisory on the IE vulnerability and says that some of the exploit protections it has added to recent versions of IE and Windows can help protect against attacks on the bug. Microsoft said that IE 8 running on Windows XP SP 3 and later versions of Windows has DEP (Data Execution Prevention) enabled by default, which helps stop attacks against this specific bug. IE running in Protected Mode also helps mitigate the effects of attacks.

"The vulnerability exists due to an invalid flag reference within Internet Explorer. It is possible under certain conditions for the invalid flag reference to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."

- Collapse -
'Evilgrade' Gets an Upgrade

"Evilgrade", a toolkit that makes it simple for attackers to install malicious software by exploiting weaknesses in the auto-update feature of many popular software titles, recently received an upgrade of its own and is now capable of hijacking the update process of more than 60 legitimate programs.

Evilgrade's creator, Francisco Amato of InfoByte Security Research, says that by targeting widely deployed programs that don't properly implement digital signatures on their product updates, attackers can impersonate those companies and trick users into believing they are updating their software, when in reality the users may be downloading a package designed to compromise the security of their computer.

Software companies should include these signatures in all of their updates, so that a user's computer can validate that the update was indeed sent by the vendor. For example, Microsoft signs all of its updates with a cryptographic key that only it knows, and Windows machines are configured to ignore any incoming software update alerts that are not signed with that key. But for whatever reason, many software vendors have overlooked this important security precaution, and have chosen not to sign their updates - or have implemented the signing verification process in a way that can be circumvented.
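The passage describes the defence in outline: the vendor signs each update with a key only it holds, and the client refuses anything not signed by that key. An added example follows, not Microsoft's or any vendor's mechanism and not part of the Evilgrade toolkit, showing what a client-side check that cannot be circumvented the way the article describes has to cover: a missing signature, a signature from some other key (what an interposed update server would supply), a payload swapped after signing, and a validly signed but older version. It uses Ed25519 from the Go standard library and a constructed manifest format (version plus SHA-256 of the payload), both assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the update server hands the client: the version the
// payload claims to be, the SHA-256 of the payload bytes, and the vendor's
// signature over the canonical encoding of those two fields.
type Manifest struct {
	Version     int
	PayloadHash [32]byte
	Signature   []byte
}

// manifestBytes is the canonical byte string that is signed and verified.
func manifestBytes(version int, hash [32]byte) []byte {
	return []byte(fmt.Sprintf("version=%d;sha256=%s", version, hex.EncodeToString(hash[:])))
}

// SignManifest is the vendor-side step: only the private-key holder can do it.
func SignManifest(priv ed25519.PrivateKey, version int, payload []byte) Manifest {
	h := sha256.Sum256(payload)
	return Manifest{Version: version, PayloadHash: h, Signature: ed25519.Sign(priv, manifestBytes(version, h))}
}

var (
	ErrUnsigned  = errors.New("update manifest carries no signature")
	ErrBadSig    = errors.New("manifest signature does not verify under the pinned vendor key")
	ErrHash      = errors.New("payload hash does not match the signed manifest")
	ErrDowngrade = errors.New("update version is not newer than the installed version")
)

// VerifyUpdate is the client-side check. The vendor public key is pinned in
// the client; everything that arrived over the network is untrusted until it
// passes. The checks are ordered so that nothing about the payload is trusted
// before the signature over its hash has been verified.
func VerifyUpdate(pinned ed25519.PublicKey, installed int, m Manifest, payload []byte) error {
	if len(m.Signature) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(pinned, manifestBytes(m.Version, m.PayloadHash), m.Signature) {
		return ErrBadSig
	}
	if sha256.Sum256(payload) != m.PayloadHash {
		return ErrHash
	}
	if m.Version <= installed {
		return ErrDowngrade
	}
	return nil
}

// Scenarios exercises the verifier against freshly generated keys and
// returns the outcome of each case by name.
func Scenarios() map[string]error {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the vendor never issued
	payload := []byte("constructed update payload, version 2")
	good := SignManifest(vendorPriv, 2, payload)

	unsigned := good
	unsigned.Signature = nil
	otherKey := SignManifest(otherPriv, 2, payload)

	return map[string]error{
		"genuine":   VerifyUpdate(vendorPub, 1, good, payload),
		"unsigned":  VerifyUpdate(vendorPub, 1, unsigned, payload),
		"other key": VerifyUpdate(vendorPub, 1, otherKey, payload),
		"tampered":  VerifyUpdate(vendorPub, 1, good, []byte("payload swapped after signing")),
		"downgrade": VerifyUpdate(vendorPub, 2, good, payload),
	}
}

func main() {
	for name, err := range Scenarios() {
		if err == nil {
			fmt.Printf("%-10s accepted\n", name)
		} else {
			fmt.Printf("%-10s rejected: %v\n", name, err)
		}
	}
}
```

Only the genuine case is accepted. The "other key" case is the one the article is about: a signature is present, so a client that merely checks for one would install the package; binding the check to a pinned vendor key is what closes it. Including the version in the signed bytes is what lets the downgrade check be trusted, since an attacker cannot re-sign an old manifest with a new version number.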

- Collapse -
YouTube Banned In Turkey (Again)

The battle between YouTube and Turkish officials continued this week as Turkey reportedly unblocked and then re-blocked the Google-owned video site in the country over unflattering videos of the country's political leaders.

Turkey re-instated a ban on YouTube this week, days after a 2.5-year ban was lifted last Saturday, according to a state-run news agency. On Tuesday night, a Turkish court banned YouTube again, this time over an old video purportedly showing former opposition leader Deniz Baykal in a hotel room with someone other than his wife. Baykal was forced to resign over the video in May, according to The Guardian.

Scott Rubin, Google's head of public policy and communications strategy for EMEA, said the company was investigating the reported ban.

Also see: Turkey lifts YouTube ban after more than 2 years

- Collapse -
Google Settles Buzz Lawsuit With No Payout to Gmail Users

Google on Tuesday said it won preliminary approval to settle a class-action lawsuit related to alleged privacy violations caused by its Buzz service.

The company will pay US$8.5 million into a fund, which will go to organizations focused on Internet privacy education and policy, it said in a statement. The company will also make additional efforts to educate users about the privacy aspects of Buzz.

Google Buzz is a social networking and messaging tool that Google made to be used with its Gmail e-mail service. The class-action against Google alleged that Gmail users were automatically enrolled in Buzz and that their data, including most frequent contacts, was publicly exposed without user consent. Google denied the accuracy of these claims.

Despite the cash settlement, the people represented in the class-action lawsuit, U.S. Gmail users, won't see a penny of the funds.

"Just to be clear, this is not a settlement in which people who use Gmail can file to receive compensation," the company said in an e-mail to Gmail users. Everyone in the U.S. who uses Gmail was included in the settlement, unless the user opts out prior to December 6, 2010.

Google said the settlement acknowledges that it quickly changed the Buzz service to address users' concerns.

- Collapse -
New browser add-on turns back IE's clock to 2001

"Unibrows lets enterprises run IE6 as a tab inside IE8, gives them a way to migrate to Windows 7 without ditching old Web apps"

A startup led by people who worked with and at Microsoft on Internet Explorer will soon release an add-on that lets customers run the aged IE6 within the newer IE8 browser.

The Unibrows add-on is aimed at companies that want to move off IE6 - and the almost-as-old Windows XP - to 2009's IE8 and a more modern operating system, such as Windows 7, said Matt Heller, the CEO of Washington-based Browsium.

"Companies need something simple that isn't virtualization based," said Heller. "Unibrows renders IE6 inside an IE8 tab without companies' having to change a single line of code in the sites or Web applications."

Even as Microsoft tries to put a stake in the heart of IE6, enterprises find it difficult, expensive and time consuming to dump the old program because IE8 often won't render sites designed specifically for the once-popular IE6, or won't work with IE6-era applications.

- Collapse -
DDoS attacks take out Asian nation

Myanmar was severed from the internet on Tuesday following more than 10 days of distributed denial of service attacks that culminated in a massive data flood that overwhelmed the Southeast Asian country's infrastructure, a researcher said.

The DDoS assault directed as much as 15 Gbps of junk data to Myanmar's main internet provider, more than 15 times bigger than the 2007 attack that brought some official Estonian websites to their knees, said Craig Labovitz, a researcher at Arbor Networks. It was evenly distributed throughout Myanmar's 20 or so providers and included multiple variations, including TCP SYN, and RST.

"While DDoS against e-commerce and commercial sites are common (hundreds per day), large-scale geo-politically motivated attacks -- especially ones targeting an entire country -- remain rare with a few notable exceptions," Labovitz wrote, referring to the Georgia attacks, which coincided with the country's armed conflict with Russia. "At 10-15 Gbps, the Myanmar [DDoS attack] is also significantly larger than the 2007 Georgia (814 Mbps) and Estonia DDoS."

- Collapse -
Facebook Responds to Congress Over User ID Controversy

Two House members on Wednesday made public the response they received from Facebook about its recent user ID controversy. The social-networking site defended its policies, and denied that recent revelations constituted a privacy breach.

"The sharing of UIDs by Facebook with third-party applications does not involve the sharing of any private user data and is in no sense a privacy 'breach,'" wrote Marne Levine, vice president of global public policy for Facebook. "On the contrary, the sharing of UIDs is critical to people's ability to use third-party applications on the Facebook Platform."

Nonetheless, Facebook has made recent privacy policy changes in the wake of the UID controversy. The company announced plans to encrypt UIDs going forward, and suspended several developers who were selling UIDs to data brokers.

Also see: Facebook to encrypt user IDs to block 'inadvertent sharing'

- Collapse -
FakeVimes rogue is lurking behind that Facebook message

"This is video ffrom yourd alst party"

Alert reader Wendy received a link to a dangerous-looking video link through her Facebook private messages that turned out to be malicious. Her Facebook friend, however, hadn't been suspicious enough.

Clicking on the icon to run the video presented a download - an executable file. It just doesn't get any more suspicious than that.

It was one of the rogues from the FakeVimes family. To see descriptions of the latest in that family, check out the GFI Rogue Blog here.
