Alert

NEWS - September 03, 2012

Attacks on Java security hole hidden in bogus Microsoft Services Agreement email

Online scammers are using a recent email from Microsoft as bait in a widespread spam campaign that exploits vulnerabilities in Oracle's Java software to install malicious programs on vulnerable systems.

Experts at The SANS Institute's Internet Storm Center warned on Saturday that operators there received multiple reports of a spam campaign that uses a recent Microsoft email regarding changes to its Services Agreement for products such as Hotmail and Skydrive to fool users.

The attacks have prompted renewed calls for internet users to disable Java on their systems pending a new update from Oracle Corp. to fix critical, remotely exploitable vulnerabilities in the ubiquitous web technology.

According to SANS, the malicious email is based on an August 27 communication from Microsoft titled "Important Changes to Microsoft Services Agreement and Communication Preferences."

The phishing email replaces links in the original messages with malicious links that send unwitting readers to websites that install a new variant of the Zeus malware, ISC handler Russ McRee warned in a post on September 1st.

The actual Microsoft message, dated August 27, can be viewed here.

Continued : http://nakedsecurity.sophos.com/2012/09/03/java-security-hole-microsoft/

Also:
Rogue Microsoft Services Agreement Email Notifications Lead to Latest Java Exploit
Spoofed Microsoft notification leads to Zeus

See: FAKE Microsoft Service Agreement Email Phish
Discussion is locked
Follow
Reply to: NEWS - September 03, 2012
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: NEWS - September 03, 2012
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Comments
- Collapse -
'Win 8 Security System' Another Fake-Antivirus Malware

From the McAfee Labsl Blog:

We discovered another fake antivirus/antimalware tool late in August. The "Windows 8 Security system" claims to detect infections, and displays alerts to scare users into purchasing protection. The real infection, of course, is the Win 8 Security System itself. It's no surprise that developers of rogue antivirus software are playing up the connection to Windows 8, which Microsoft plans to release at the end of October.

Win 8 Security System is quite similar to fake AV product Windows Ultra-Antivirus and is extremely aggressive and hard to remove. A victim's system gets infected with Win 8 Security System after visiting an infected website. Recent exploits teach us it is easy to fall victim to rogue software like Win 8 Security System, which extort money from PC owners to "fix" their systems. McAfee Labs recommends disabling Java in your browsers and running your antimalware software with real-time protection enabled. You should also be careful with downloading files from torrents or clicking on email and chat links.

Win 8 Security System will display lots of fake alerts and messages and will show a scan window on each system boot. It will display lots of detections, though it is obvious these are fake. [Screenshot]

Continued : http://blogs.mcafee.com/mcafee-labs/win-8-security-system-another-fake-antivirus-malware

- Collapse -
The Shamoon Attacks Continue

From the Symantec Security Response Blog:

Symantec Security Response has been investigating further reports of infections of W32.Disstrack, the threat used in the Shamoon attacks. W32.Disttrack is a highly destructive threat that destroys files and the master boot record (MBR) of the infected machine, causing maximum disruption.

W32.Disttrack uses a hardcoded "wiping date" which is read from a variably named ".pnf" file it creates on the filesystem. It will periodically check this date and once it has been exceeded, it will then drop and execute the wiper component. The wiper component will wipe the following in order:

• A prioritized list of files
• Master Boot Record
• Active Partition

The list of prioritized files contain the wiper components themselves and files contained in the following folders:

• C:\Documents and Settings
• C:\Users
• C:\Windows\System32\Config

Continued : http://www.symantec.com/connect/blogs/shamoon-attacks-continue

CNET Forums