Sality & Stuxnet - Not Such a Strange Coincidence
Kaspersky Lab announces the publication of its Monthly Malware Statistics for September 2010. The onset of autumn brought with it advances in the Sality virus and an increase in the number of adware programs on the web.
According to Kaspersky Lab statistics, a new variant of the notorious polymorphic Sality virus, dubbed 'bh', was found to be particularly widespread on users' computers. A newcomer to the ranking, Sality.bh claimed eleventh position and spread with the help of Trojan-Dropper.Win32.Sality.cx, which uses a vulnerability in Windows LNK files. This is the first detected zero-day vulnerability to be used by the now infamous Stuxnet worm. This same vulnerability was exploited by Trojan-Dropper.Win32.Sality.r back in August. The geographical distribution of the droppers in question mirrors that of the Stuxnet worm, both of them appearing most prolifically in India, followed by Vietnam and then Russia.
"Cybercriminals are usually very quick to release exploits when new vulnerabilities are discovered. The fact that huge numbers of users fail to update their software on a regular basis only encourages them. The extensive media coverage afforded to Stuxnet has only served as an advertisement for the vulnerabilities used by various cybercriminal groups," commented Vyacheslav Zakorzhevsky, Senior Virus Analyst and author of the review. [...]
The full version of the September malware ranking from Kaspersky Lab is available at:
The Recent Burst of HTML Attachment Spam
During the last 4 months, SophosLabs has seen an explosion in the resurgence of HTML attachment spam. As shown in the following figure, it accounted for 8% of all spam in June and September, and about 2-3% in July, August and October.
The Security Effects of Internationalized Domain Names
Over the years, many changes have been made to the Domain Name System (DNS). Some of these changes were made to allow internationalized domain names, or IDNs. The concept behind these is simple: to allow language-specific scripts or characters that are not part of the usual Latin alphabet to become part of domain names.
However, the security and cybercrime implications of international domain names have to be considered. We know that criminals jump at every new technological development to make money, and that some open the doors to cybercrime more easily than others.
This is a subject I've been thinking about for a while. There are a number of facets to the IDN discussion, and a number of associated risks.[...]
The first threat that comes to mind is domain squatting in these new country-code domains. Let's consider a theoretical example of the (fictional) company Bingo. Suppose someone registers bingo.?? before Bingo gets around to it.
The customers of Bingo would be exposed to phishing from bingo.?? before the legitimate Bingo organization is able to register their domain. (This threat would occur anytime a new TLD is approved that is applicable to an existing organization.)
It gets worse. With a valid registration, it would not be hard to prove that a domain is legitimately owned and thus get an SSL certificate. This could lead users to believe they are visiting the legitimate site. The only real solution here is vigilance on the part of the domain owners and registrars, and careful scrutiny on the part of computer users.
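As an added illustration of the mechanism the quoted article describes (this is example code written for this page, not code from the article or its author), the following Python uses only the standard library to show how an internationalized label is stored in DNS (the ASCII "xn--" punycode form), how it is turned back into the Unicode form a browser displays, and a simple check that flags labels mixing scripts, which is the pattern behind look-alike domain names. The domain names are constructed samples; "bingo" is the article's fictional company and the Cyrillic country-code label used here (.рф) is an assumption standing in for whatever IDN TLD the article had in mind.

```python
import unicodedata


def to_ascii(domain: str) -> str:
    """Unicode domain -> the ASCII form actually stored in DNS.
    Non-ASCII labels become punycode with the xn-- prefix; ASCII labels
    pass through unchanged."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """ASCII (xn--) form -> Unicode form, as a browser might display it."""
    return domain.encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Set of Unicode scripts used by the letters of one label.
    Digits and hyphens are script-neutral and skipped; ASCII letters count
    as LATIN; anything else is classified by the first word of its Unicode
    character name (CYRILLIC, GREEK, LATIN, ...)."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        if ch.isascii():
            scripts.add("LATIN")
        else:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0])
    return scripts


def mixed_script_labels(domain: str) -> list:
    """Labels of a Unicode domain that draw letters from more than one script.
    A legitimate IDN (all Cyrillic, all Latin, ...) yields an empty list; a
    look-alike such as Latin 'p' + Cyrillic 'a' in one label is reported."""
    return [lbl for lbl in domain.split(".") if len(label_scripts(lbl)) > 1]


def check(domain: str) -> dict:
    """Normalise one domain (given in either form) and return both spellings
    plus any mixed-script labels."""
    uni = to_unicode(domain) if domain.isascii() else domain
    return {
        "unicode": uni,
        "ascii": to_ascii(uni),
        "mixed_script_labels": mixed_script_labels(uni),
    }


if __name__ == "__main__":
    # Constructed sample names (assumptions for this example, not real
    # registrations). "\u0440\u0444" is the Cyrillic ccTLD .рф; the second
    # letter of "p\u0430ypal" is Cyrillic U+0430, which renders like Latin 'a'.
    for name in ["bingo.com", "bingo.\u0440\u0444", "xn--p1ai", "p\u0430ypal.com"]:
        print(name, "->", check(name))
```

The mixed-script test is deliberately coarse: it will not catch a label written entirely in one non-Latin script whose glyphs happen to resemble a Latin brand name, which is why registries and browsers layer per-TLD script policies and confusable tables on top of a check like this.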
Comcast Pushes Bot Alert Program Nationwide
Comcast, the nation's largest residential Internet service provider, announced last week that it is expanding an initiative to contact customers whose PCs appear to be infected with a malicious bot program.
The Philadelphia-based cable Internet company is expanding nationwide a pilot program that began in Denver last year, which automatically informs affected customers with an e-mail urging them to visit the company's security page. The system also sends the customer's browser a so-called "service notice," a semi-transparent banner that overlays a portion of whatever page is being displayed in the user's Web browser.
Customers can then either move or close the alert, or click Go to Anti-Virus Center, for recommended next-steps, which for Windows customers includes:
Downloading any missing Microsoft security updates.
Making sure the customer has some kind of up-to-date anti-virus software running.
Downloading and running Microsoft's malicious software removal tool.
Downloading and installing Secunia's free Personal Software Inspector tool, a program that periodically scans the user's computer for missing security updates for commonly used third party applications, such as Adobe Reader, Flash, Java, and QuickTime.
Comcast also is offering free subscriptions to Norton Security Suite for up to 7 computers per customer, including Mac versions of the Symantec suite.
Largest Fake Pharmacy Spam Affiliate Program Closes
From the Cisco Blog:
On Monday morning, I woke up and started my weekly routine by looking through the spam captured by our traps over the weekend. It feels as though I am still dreaming, because the most notorious pharmacy affiliate program, Spamit, seems to have made good on its threat of closing its doors. Brian Krebs blogged about this last week, citing that "Spamit administrators blamed the impending closure on increased public attention to its program." So far, we have seen no sign of spam advertising "Canadian Pharmacy" and our SenderBase and SpamCop services are both showing a significant decrease in global spam volumes.
Sun Tzu famously said, "Keep your friends close, and your enemies closer." Spamit, along with the rest of the fake online pharmacy community, has been very near and dear to us at Cisco Security Intelligence Operations (SIO) for several years. We visited the Subway restaurant in Toronto, Canada supposedly occupied by "My Canadian Pharmacy," an affiliate program run by bulker.biz, Spamit's main competitor.
These affiliate programs solve an interesting problem faced by criminal spammers. It is difficult to accept payments and deliver a physical product while also competing with computer security professionals who are blocking spam email and shutting down websites. The affiliate programs serve the spammers by designing website templates, operating hidden back-end order fulfillment servers, processing credit card payments, shipping and tracking the physical goods and ultimately paying a substantial commission to the spammer.
I wonder if that means the end to the spam posts in these forums for the famous, (infamous?), 'male pill' we so often see?
We can only hope, although I see from the article that in any case this may only be a temporary reprieve.
Believe It Or Not..
I had you and Kees in mind, when I read it. And.. when I posted it.
"Wouldn't it be loverly", if those "little blue pill" spam posts were gone??!!
Add to that, the "sports" spam posts and your weekends will be forever free!
Whistleblower site Cryptome hacked, defaced, all files..
The whistleblowing, government-document sharing site Cryptome was hacked and defaced this weekend. All 54,000 Cryptome hosted files were deleted.
According to Cryptome, "A person wrote claiming to know who did the hack. No way to know if this claim is true. Hackers, like spies, often blame one another to cover their tracks. Blocking attacks is nearly impossible due to the purposefully weak security of the Internet. Nearly all security methods are bogus. A competent hacker or spy, or the two working together, can penetrate easily. We monitor and keep back-ups ready. And do not trust our ISP, email provider and officials to tell the truth or protect us."
After its site was restored and Cryptome could view emailed notifications, Cryptome posted the steps of the hack. First, its EarthLink email account was "accessed by unknown means and its access password changed." Using that email address, the hacker then requested information about Cryptome's multiple accounts. The Cryptome.org management account was accessed at Network Solutions (NSI) and all "54,000 files (some 7GB) were deleted and the account password changed."
Also: Hackers Hijack Cryptome and Delete Everything
Fake Apple iTunes Receipts Used as Malware Tool
PandaLabs said Monday that the company has discovered fake iTunes receipts that have begun to be sent to users in an attempt to steal personal details.
Ironically, the attack vector is via Flash - a technology Apple refuses to use for its alleged security weaknesses.
According to PandaLabs, the research arm of antivirus vendor Panda Security, users are sent a "receipt" from iTunes that looks completely authentic, with no telltale spelling errors or issues with the image's source code. However, an image posted to the PandaLabs blog had obvious problems with the bill's total, most likely to provoke the user to take action.
The attack begins when the user is invited to click a link to "report a problem".
"After clicking the link, the victim is asked to download a fake PDF reader," PandaLabs said. "Once installation is complete, the user is redirected to an infected Web page containing the Zeus Trojan, which is specifically designed to steal personal data. This phishing attack was uncovered shortly after a similar phishing attack targeting LinkedIn users appeared last week, which appears to have originated in Russia."