General discussion

NEWS - October 25, 2010

SpyEye v. ZeuS Rivalry Ends in Quiet Merger

Leading malware developers within the cyber crime community have conspired to terminate development of the infamous ZeuS banking Trojan and to merge its code base with that of the up-and-coming SpyEye Trojan, new evidence suggests. The move appears to be aimed at building a superior e-banking threat whose sale is restricted to a more exclusive and well-heeled breed of cyber crook.

Underground forums are abuzz with rumors that the ZeuS author - a Russian hacker variously known by the monikers "Slavik" and "Monstr" - is no longer planning to maintain the original commercial crimeware kit.

According to numerous hacker forums, the source code for ZeuS recently was transferred to the developer of the SpyEye Trojan, a rival malware maker who drew attention to himself by dubbing his creation the "ZeuS Killer." The upstart banking Trojan author constantly claimed that his bot creation kit bested ZeuS in functionality and form (SpyEye made headlines this year when investigators discovered it automatically searched for and removed ZeuS from infected PCs before installing itself).

In an era when it has become a truism to say that malicious hackers seek riches over renown, the SpyEye author ? a coder known as either "Harderman" and "Gribodemon" on different forums ? appears to have sought both, boasting on numerous forums about the greatness of his malware, using flashy logos to promote it (see below), and granting an interview with security researchers about the riches it will bring him. Although the ZeuS author chose to license his botnet creation kit to private groups through multiple intermediaries, the SpyEye creator has peddled his kit directly to buyers via online forums and instant messages.

Discussion is locked

Reply to: NEWS - October 25, 2010
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: NEWS - October 25, 2010
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
- Collapse -
Italy Demands 3-Day Warning for Google Street View Trips

Life's about to get a bit more frustrating for Google's international Google Maps teams. That's because regulators in Italy have mandated that Google take additional measures to warn local populaces when its Street View cars are out and about?and, more importantly, taking pictures of unsuspecting passersby and locations alike.

According to Italian newspaper La Stampa, Google will now have to ensure that its Street View cars are clearly and obviously marked?as if the giant cameras on top weren't enough of a giveaway.

The company will also have to publish in local papers and issue reports across the radio whenever and wherever it plans to use said cars to snap new images. A three-day warning is being demanded by regulators, hoping that it will be enough of an advanced notice for those in the path of the exact locations where Google's Street View cars will be operating.

"There has been strong alarm and also hostility in a lot of European countries against Google taking photos. We have received protests even from local administrations," said Privacy Authority President Francesco Pizzetti.

The move comes right in the wake of Google's big admission Friday that its Street View cars had unintentionally collected data from unsecured wireless networks during the performance of their street-snapping tasks.,2817,2371365,00.asp?kc=PCRSS05079TX1K0000992

Related news: Google: Wi-Fi Sniffing Collected Whole E-Mails, URLs, Passwords

- Collapse -
ICO reopens Google Street View privacy probe

The Information Commissioner's Office is reopening its investigation into Google's collection of unsecured Wi-Fi by its fleet of Street View cars.

The change of heart by the regulator comes in the light of tougher stances taken by other countries, and Google's confession on Friday that its cars collected entire emails, URLs and passwords.

A spokesman for the ICO told the Guardian that it would look again at the data slurp.

The spokesman said:
Earlier this year the ICO visited Google's premises to make a preliminary assessment of the payload data it inadvertently collected while developing Google Street View. While the information we saw at the time did not include meaningful personal details that could be linked to an identifiable person, we have continued to liaise with, and await the findings of, the investigations carried out by our international counterparts."

"Now that these findings are starting to emerge, we understand that Google has accepted that in some instances entire URLs and emails have been captured. [...]

We will be making enquires to see whether this information relates to the data inadvertently captured in the UK, before deciding on the necessary course of action, including a consideration of the need to use our enforcement powers.?[/]

Google has appointed a director of privacy to oversee improvements in its practises and promised to train all staff and consider the privacy implications of all its products.

- Collapse -
SCADA Vendors Still Need Security Wake Up Call

Companies that make supervisory control and data acquisition (SCADA) and industrial control software are still dangerously lax when it comes to application security and vulnerable to attack, according to a researcher from security firm Tenable Inc. who warned that the use of coded administrative "backdoor" passwords of the type used by the Stuxnet worm isn't uncommon.

Speaking at the ToorCon Security Conference in San Diego, Jeremy Brown, a vulnerability researcher at security firm Tenable said that many SCADA software vendors lag far behind other IT firms in vulnerability research and lack even a basic awareness of modern security principles.
Despite the recent, high profile Stuxnet worm, which made headlines around the world by targeting Siemens industrial control system (ICS) software used in power plants and other critical infrastructure, SCADA vendors are not receptive to vulnerability reports from security researchers and often lack the internal processes to properly handle and address vulnerabilities discovered by outside researchers, Brown said.

In a world of near constant scrutiny of high profile operating systems and applications and real time security updates, the world of SCADA and ICS software still operates largely on assumptions made decades ago: that SCADA and ICS systems aren't of interest to malicious hackers, and that SCADA systems are isolated from the public Internet and, therefore, safe.
"Security is more often an add-on rather than a core component of SCADA systems," Brown said. "These are systems that are designed for long term deployments, in which software updates often require hardware updates."

Related news: Former US Official: Invest in Secure Internet Protocols

- Collapse -
6 year old's Happy Meal from McDonalds leads to Facebook,,,
clickjacking scam

If you imagined that the legal action that Facebook is taking against alleged survey scammers would scare other spammers off the social network, then think again.

Over the weekend a number of scams have been spreading virally, using clickjacking techniques to fool Facebook users into "liking" and "sharing" links with their online friends without realising it.

A typical message reads:

OMG... Look What This 6 YEAR OLD found in Her HAPPY MEAL from McDonalds! on CLICK HERE TO SEE.

If you do make the mistake on clicking on the link you will be taken to a webpage which pretends to be hosted on Facebook, but in fact is designed to
trick you into unknowingly sharing the links with your online acquaintances, and spreading the messages further.

If you click on what appears to be the "Play" button on the video, you are really being clickjacked. You may believe you are just asking the video to play, but in fact your mouse clicks are invisibly confirming that you "Like" the "Look What This 6 YEAR OLD found in Her HAPPY MEAL from McDonalds!" page, and sharing it with your friends via your newsfeed.

Similar virally-spreading messages are pointing to similar pages claiming that you will never send another text message once you watch a video.
- Collapse -
Researchers hack toys, attack iPhones at ToorCon

From "weaponized" iPhone software to hacked toys and leaked cookies, researchers at the ToorCon security conference here this weekend showed how easy it can be to poke holes in software and hardware with the right tools, know-how, and curiosity.

One researcher demonstrated how to take control of an iPhone using an exploit that targets a hole in Safari, which has been patched. The iPhone had an app installed that allowed it to process credit card numbers, which could then be stolen if this were an attack in the wild.

Eric Monti, a senior security researcher at Trustwave, "weaponized" an exploit that was launched as the program this summer, designed to allow iPhone owners to use unauthorized apps.

For the demo, he directed the "victim" iPhone to a Web address that opened a PDF file that contained the exploit code. Then a rootkit was downloaded giving him complete control of the iPhone. Once a rootkit is downloaded an attacker has access to all data, e-mails, voicemails, and text messages, as well as the microphone and speaker. "You can easily eavesdrop on someone if you're on their iPhone remotely," Monti said.

If the iPhone has the free Square app installed, which is used for processing credit card numbers, the attacker could also steal those numbers, he said, adding that there is not a security issue with the Square app. "We will see people processing credit cards in stores using iPhone apps," transactions using highly sensitive data that should be on only secured devices, Monti told CNET in an interview after his talk.

Two researchers gave a light-hearted talk, titled "Real Men Carry Pink Pagers," about how they turned a toy into a wireless tool that could be used to open garage doors and clone RFID tags used for inventory control on shipping docks and RFID-based passports, among other uses. The pink plastic IM-Me device, with a "Girl Tech" brand on it, was designed to allow young girls to send instant messages with friends on a private network.

- Collapse -
One In 10 UK Websites Spams Their Visitors

A report published by anti-spamming firm, Clean Ventures, found out that 10 per cent of UK websites are responsible for "dangerous and malicious spamming" with the number of dangerous spam having doubled in the past year alone.

The data, published on CV's Spam Ratings website, has been collected over a period of 12 months, using a sample of 10,000 UK websites and more than 150,000 emails.

A whopping 75 per cent of emails received were either unwanted, nuisance or worse, classified as "dangerous" spam email with the latter containing either pharmaceutical or sex related content, phishing attempts or simply malware.

- Collapse -
Norton Error Identifies Websites of UK ISP BE Broadband as..

Customers of UK ISP Be Broadband were left feeling somewhat despondent over the weekend after a popular piece of anti-virus software, Norton Internet Security, mistakenly identified the providers entire website domain ( as being fraudulent or containing dangerous scripts.

The issue affected not just but all of its sub-domains too, such as and customer web server connections. Even visits to were issued with a warning, which hampered customers while trying to access their email through BE's webmail interface.

However we note that none of these websites have any kind of malicious code installed upon them and the warning is in fact being made in error. According to the BE Usergroup, Norton imposed the notice after an individual customer's server ( was hacked and infected with phishing malware (i.e. software designed to steal personal and financial details).

BE are currently working with the customer to clean-up their server and have Norton's warning removed before it causes too many problems.
- Collapse -
'Warpigs' VXer pleads guilty

A veteran Scottish virus writer faces a likely spell behind bars after pleading guilty to computer crime offences.

Matthew Anderson aka Warpigs, 33, a franchise manager from Drummuir, Aberdeenshire, admitted his key role in a malware for profit scam at a hearing at Southwark Crown Court on Friday.

Anderson distributed spam messages containing virus-infected attachments created by his fellow cybercrooks from the group "m00p". If successfully planted, the malware allowed Anderson and his cohorts to spy on victims, who would normally have been unaware that anything was amiss.

An investigation into the scam, led by officers from Scotland Yard's MPS Police Central e-Crime Unit together with the Finnish National Bureau of Investigation (NBI Finland) and the Finnish Pori Police Department, led to the arrest of three men on 27 June 2006 in Suffolk, Scotland and Finland.

DC Bob Burls, from the Police Central e-Crime Unit, said: "This organised online criminal network infected huge numbers of computers around the world, especially targeting UK businesses and individuals.

- Collapse -
Twitter phish aims for the big players

From Sunbelt Blog:

Over the weekend we saw a link being pinged around in various chatrooms, which was directing users to a "mobile" version of Twitter. The page was a phish located on a free webhost.

What particularly caught my eye was when I dug around on Twitter itself for the URL

We have a Twitter account with "Facebook" in the name (a dirty big clue that something isn?t right here), sending out links to a "lighter version of Facebook"...which takes you to the fake Twitter page.

I'm sure it made sense to the creator at the time, but anyway. This was a clear attempt to grab some high profile accounts and use them for shenanigans.

- Collapse -
Microsoft: Windows 8 About Two Years Away

In its most concrete comments yet about the next version of Windows, Microsoft said in a blog post on its Dutch Web site that Windows 8 is about two years from hitting the market.

Microsoft is working on the next version of Windows, the blog says in Dutch, but it will be about two years before Windows 8 is on the market.

Microsoft's Dutch subsidiary posted a blog Sunday that says the company is working on Windows 8 but that the new operating system is not due for about two years. (Credit: CNET)

The comments, noted earlier Sunday by, came at the end of a post celebrating Windows 7's first birthday. Microsoft also posted about that milestone on its U.S. Web site this week but made no mention of the timing of Windows 8.

A Microsoft representative, reached on Sunday morning, declined to comment or elaborate on the blog posting.

Indeed, Microsoft executives from Windows unit president Steven Sinofsky on down have been hesitant to say anything about the company's future Windows plans. While the desktop team has been quiet, Microsoft's server team did say last year that a major release of Windows Server was due in 2012 and server versions typically slightly lag a desktop release.

Two-year wait for Windows 8, MS blurts

A posting on Microsoft's Dutch site suggests we'll have to wait until 2012 for the next release of Windows.

Microsoft declined to comment and the message was rapidly deleted, but was grabbed by Ina Fried at CNet and a host of bloggers.

The post, celebrating the first birthday of Windows 7, said that Microsoft was hard at work on Windows 8 but the release was about two years away.

In place of the offending paragraph the Dutch site now says that Windows 7 Service Pack 1 is currently in testing and will be released in the first six months of next year.

- Collapse -
Firefox extension steals Facebook, Twitter, etc. sessions

Presented at ToorCon, Firefox extension Firesheep demonstrates how easy it is for attackers to access accounts belonging to other users on the same network, such as a Wi-Fi hotspot. After launching the program, user accounts belonging to other users gradually appear in the sidebar as users navigate to any of the many supported web sites, which currently include Facebook, Twitter, Flickr, Amazon, Windows Live and Google. By clicking on one of the sidebar entries (which generally display the victim's name and photo), an attacker is able to access the site in question with all the legitimate user's privileges.

Firesheep does not concern itself with passwords, instead it just takes over the active session using the cookie, which is sent ? usually in unencrypted form ? each time a new page is accessed. [...]

Firesheep runs under Mac OS X and Windows. Under Windows, it requires WinPcap to be installed. Attackers can use scripts to add support for other web sites. Many affected web sites offer the option of performing all queries via encrypted HTTPS, which prevents cookie stealing.

- Collapse -
12-year old awarded $3,000 for Firefox vulnerability

The Mozilla Foundation regularly rewards security specialists for supplying information on critical vulnerabilities in its Firefox browser. Now a 12-year old has been awarded $3,000 for discovering a security vulnerability in the open source web browser.

Alexander Miller, from the USA, discovered and reported a critical bug in a JavaScript function. He found that a buffer overflow would result when very long strings where submitted to document.write, one of the most frequently used JavaScript functions. This error condition could potentially be exploited to inject and execute code. The development team has fixed this and other bugs in Firefox versions 3.6.11 and 3.5.14 and in Thunderbird 3.1.5 and 3.0.9. Alex Miller is listed in the credits as a Security Researcher.

- Collapse -
Facebook pages very much public, even when set as private

Privacy theater

Facebook settings that are supposed to cloak user profiles can easily be bypassed to reveal the friends, pictures, and other attributes of users who have configured their accounts to be private.

The inability to keep profile pages private would seem to contradict Facebook's promise that "The settings you choose control which people and applications can see your information." In fact, profiles configured to be private remain viewable when manually browsing through the pages of users who are friends.

"My problem with this issue is actually how I found the bug," said Justin E. Dian, a software developer who brought the setting bypass to the attention of The Register. "People I didn't want requesting me as friends kept somehow finding me and requesting friendship. I keep my Facebook security settings pretty much as tight as possible and I soon realized this is how they were finding me."

The privacy settings were put in place following outcries that Facebook accounts spilled users' birthdates, friends, home towns, current location, and other information that could jeopardize their privacy. The new settings made it possible to share specific details with the world at large, a user's Facebook friends, friends of friends, or no one at all.

A Facebook spokesman said certain information, including the URL to the user's profile page, the user's picture, sex, and networks remain public no matter what settings are chosen.

"You can make it harder for people to find your profile in searches, but people may still be able to get to it in other ways (e.g., if they know your vanity URL or navigate there through a friend list or News Feed story)," the spokesman said. "The basic information that allows friends to find and connect with people is available to everyone and has no privacy settings."

The spokesman didn't respond to repeated questions asking whether Facebook had plans to change the settings so the information was no longer public.

- Collapse -
Fraud Advisory for Consumers Released: Involvement in ...
Criminal Activity Through Work from Home Scams

As part of a joint effort, the United States Secret Service, the Federal Bureau of Investigation, the Internet Crime Complaint Center (IC3) and the Financial Services Information Sharing and Analysis Center (FS-ISAC) have released Fraud Advisory for Consumers: Involvement in Criminal Activity through Work from Home Scams (PDF). The document explains that criminal syndicates are using newspaper ads, online employment services, and unsolicited emails to recruit consumers to launder stolen money. Individuals who are knowing or unknowing participants in this type of scheme could be prosecuted and may have their own identities or bank accounts stolen.

CNET Forums

Forum Info