
NEWS - September 10, 2012

Saudi Aramco Says Networks Back Online, But No Results From Malware Investigation Yet

Saudi Aramco says that the virus attack that compromised tens of thousands of the company's workstations last month never endangered the company's oil production capabilities and that all of the affected systems have been brought back online and restored. The attack on Aramco has been linked by researchers to the Shamoon malware, but company officials did not comment on the nature or provenance of the malware.

The attack hit Aramco, one of the larger oil producers in the world, on August 15 and the company soon took its main Web sites offline as it investigated the extent and nature of the compromise. A group of attackers calling itself the Cutting Sword of Justice took credit for the attack through a post on Pastebin, saying that the operation had destroyed data on 30,000 machines, including both workstations and servers. The company originally did not comment on the extent of the damage to its network, simply saying that it had suffered an attack and was in the process of cleaning it up.

Later, however, Aramco officials acknowledged that the malware infestation had damaged about 30,000 computers, but emphasized that none of its oil-production facilities were affected and that its oil output would not be diminished as a result of the attack. On Monday, company officials said that security staffers had restored all of the infected machines and that its operations were back to normal.

Continued : https://threatpost.com/en_us/blogs/saudi-aramco-says-networks-back-online-no-results-malware-investigation-yet-091012

Related:
'Shamoon' attack on Saudi oil industry had inside help
Insiders Implicated in Saudi Aramco Attack
Insiders Suspected in Aramco Attack
Comments
Donkey Express: Mules Take Over the Mail

This blog has featured several stories on reshipping scams, which recruit willing or unwitting U.S. citizens ("mules") to reship abroad pricey items that are paid for with stolen credit cards. Today's post highlights a critical component of this scheme: the black-market sale of international shipping labels fraudulently purchased from the U.S. Postal Service.

USPS labels that are purchased via card fraud, known in the Underweb as simply "cc labels," are an integral part of any reshipping scheme. So it should be no surprise that the leading proprietors in this obscure market run Atlanta Alliance, one of the largest and most established criminal reshipping rackets in the underground.

The service, at fe-ccshop.com, makes it simple for any reshipping scam operator to purchase international shipping labels at a fraction of their actual cost. For example, USPS Express Mail International labels for items 20 pounds or less that are headed from the United States to Russia start at about $75, but this service sells them for just $14. The same label for an item that weighs 25 pounds would cost upwards of $150 at the Post Office, but can be had through this service for just $19. [Screenshot]

Continued : http://krebsonsecurity.com/2012/09/donkey-express-mules-take-over-the-mail/

Foxit Reader 5.4 fixes DLL hijacking vulnerability

The recent 5.4 release of Foxit Software's proprietary PDF Reader addresses a DLL hijacking vulnerability that could be exploited by an attacker to compromise a victim's system. According to the company, previous versions of its software contained a security hole that allowed it to call and execute malicious code stored in an infected Dynamic Link Library (DLL) file.

For an attack to be successful, a victim must first open a PDF file in the same directory as a specially crafted version of a system DLL file. This could occur, for example, when an attacker publishes a PDF file on a WebDAV or SMB share and places the crafted DLL in the same shared folder. When the file is opened, Foxit is loaded and begins to load system libraries, but because of a programming oversight, it will first look for some of these libraries in the directory it loaded the PDF from. So a malicious DLL with the same name as a system library that is searched for can inject itself into the application and have its code executed.

Versions up to and including Foxit Reader 5.3.1.0606 are affected. The company credits Remy Brands with discovering the issue on 24 August. While Foxit notes that it corrected the problem just two days later, it only released Foxit Reader 5.4, which contains the fix, on 6 September.

Further information about the 5.4 update, including a list of new features, can be found in the release announcement. Foxit Reader 5.4 is available to download from the company's site; existing users can upgrade to the new version by selecting the "Check for Updates Now" option under the Reader help menu.

http://www.h-online.com/security/news/item/Foxit-Reader-5-4-fixes-DLL-hijacking-vulnerability-1703878.html
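The precondition the article describes is a PDF sitting in the same folder as a DLL whose name shadows a system library. The following PowerShell hunt script is an added example, not Foxit's code or the article's: it walks a share (the `$Root` path is an assumed placeholder) and reports every DLL that both shares a file name with a library in System32 and sits beside a PDF, so such folders can be reviewed before users open documents from them.

```powershell
# Added example, not Foxit's code or the article's: hunt a shared folder for a
# PDF that sits next to a DLL whose file name shadows a library in System32.
# $Root is an assumed placeholder; point it at the share you want to review.
param([string]$Root = '\\FILESERVER\share')

# Names of genuine system libraries, lower-cased for comparison.
$systemDlls = Get-ChildItem -Path (Join-Path $env:SystemRoot 'System32') -Filter '*.dll' -File |
    ForEach-Object { $_.Name.ToLowerInvariant() }

Get-ChildItem -Path $Root -Recurse -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { $systemDlls -contains $_.Name.ToLowerInvariant() } |
    ForEach-Object {
        $dll = $_
        # Only a DLL co-located with a document a reader might open matters here.
        $pdfs = @(Get-ChildItem -Path $dll.DirectoryName -Filter '*.pdf' -File -ErrorAction SilentlyContinue)
        if ($pdfs.Count -gt 0) {
            [pscustomobject]@{
                Dll       = $dll.FullName
                Pdfs      = $pdfs.Count
                Modified  = $dll.LastWriteTime
                Signature = (Get-AuthenticodeSignature -FilePath $dll.FullName).Status
            }
        }
    } | Format-Table -AutoSize
```

A hit is not proof of malice, but an unsigned or recently modified DLL with a system library's name next to a PDF on a share is exactly the layout the article warns about and deserves a look.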

Phishing/Spam Pretending to be from BBB

From the SANS ISC Diary:

We received another piece of spam (thanks Curtis) pretending to be from the Better Business Bureau. Analysis of the file transferred (W6w8sCyj.exe) from prog.it appears to be a piece of malware (Win32/Cridex.Q) used to communicate via SSL with a C&C server. [Screenshot]

List of domains/IP to watch for and block:


The email looks like this:

Better Business Bureau
Start With Trust
Sat, 08 Sep 2012 01:54:02 +0700

RE: Case # 78321602 <http[:]//prog.it/EH564Bf/index.html>

Dear Sirs,

The Better Business Bureau has got the above mentioned complaint from one of your customers concerning their business relations with you. The details of the consumer's concern are contained in attached document. Please give attention to this case and advise us of your opinion as soon as possible. We encourage you to open the COMPLAINT REPORT to answer on this complaint.

We look forward to your prompt response.

Faithfully yours,
Ann Hegley
Dispute Counselor
Better Business Bureau

Continued : https://isc.sans.edu/diary.html?storyid=14053

Apache HTTP Server set to ignore IE10's Do Not Track request

Microsoft's decision to make Internet Explorer 10 in Windows 8 have the "Do Not Track" (DNT) option turned on by default has stirred a heated discussion among browser developers, online analytics companies, privacy advocates, advertisers, and the Tracking Protection Working Group of the World Wide Web Consortium (W3C).

The latest oil to that particular fire has been added by the Apache Foundation, which added a patch to its open source Apache HTTP Server that will make it ignore the DNT header if sent by the IE10 browser.

Apache HTTP Server is the world's most popular web server, and the patch - named "Apache does not tolerate deliberate abuse of open standards" by its creator Roy Fielding - will effectively ignore the header even if the actual choice was made by a human.

"The only reason DNT exists is to express a non-default option. That's all it does. It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization," explained Fielding, who is one of the founders of the Apache HTTP Server Project but also a scientist at Adobe and one of the editors of the DNT standard.

Continued : http://www.net-security.org/secworld.php?id=13555

Also:
Apache Blocks IE 10 Do Not Track Privacy Setting
Apache webserver updated to ignore Do Not Track settings in IE 10
Apache ignores Internet Explorer 10's do-not-track header

Apple Device IDs Leaked by Anonymous Traced to App Developer Blue Toad

Those Apple device IDs that an Anonymous offshoot claimed to have hacked from an FBI agent's computer in March appear to have actually originated just weeks ago from the hack of a little-known app development company in Florida.

Thanks to some stellar sleuthing by a computer security consultant, the source of the Apple device ID's leaked to the internet by AntiSec last week has been traced to an application developer called Blue Toad.

David Schuetz, a security consultant with Intrepidus Group, described his method for tracking the IDs to Blue Toad in a blog post on Monday.

Schuetz said he searched for device IDs that made multiple appearances in the database and connected those IDs to the device names that the owners had created for their devices. Among those names, the words Blue Toad and BT appeared four times. More in-depth analysis helped Schuetz trace several of the devices to what appeared to be employees of Blue Toad.

Continued : http://www.wired.com/threatlevel/2012/09/udid-leak-traced-to-blue-toad/

Also: Publishing firm says leaked Apple IDs came from their servers

Related : Apple denies handing UDIDs over to FBI

How a malicious help file can install a spyware keylogger

Do you think that Windows help file is safe? Think again.

Malware authors can create boobytrapped .HLP files, designed to infect your computer.

Take for instance, the strange .HLP file which was sent to SophosLabs by some of our customers at the end of August.

The file, Amministrazione.hlp ("Amministrazione" is Italian for "Administration") was an example of how cybercriminals can use social engineering to trick unsuspecting users into infecting their computers. [Screenshot]

If opened, the help file displays an error message: [Screenshot]

Help could not read the current Help file.
Make sure there are no errors on the disk, or if the file is on a network drive, that the server is active. (163)

In the background, however, a file called Windows Security Center.exe is being dropped onto the computer, which in turn creates a file called RECYCLER.DLL. [Screenshot]

Continued : http://nakedsecurity.sophos.com/2012/09/10/keylogger-help-file/

'Emma Watson Nude'? Not So Fast, McAfee Warns

Harry Potter star Emma Watson has displaced Heidi Klum as the riskiest person to search for online.

According to McAfee's sixth annual ranking of the "Most Dangerous Celebrity," those going online to find the latest pictures and videos of the 22-year-old British star have a one in eight chance of clicking into a website that contains an online threat, such as spyware, adware, spam, phishing, viruses, and other malware.

"Cybercriminals follow the latest trends, often using the names of popular celebrities to lure people to sites that are actually laden with malicious software that are designed to steal passwords and personal information. Anyone looking for the latest videos or files to download could end up with a malware-ridden computer along with the trendy content," McAfee wrote in a blog post.

And no surprises here, but McAfee also noted that women were the most popular types of celebrity bait. Late-night talkshow host Jimmy Kimmel was the only male in the top 20, securing number 13. Brad Pitt and CNN's Piers Morgan dropped off the list this year.

Continued : http://securitywatch.pcmag.com/none/302474-emma-watson-nude-not-so-fast-mcafee-warns

Also: Who is the most dangerous cyber celebrity?

PlugX: New Tool For a Not So New Campaign

From TrendLabs Malware Blog:

Earlier this year, a new breed of Remote Access Tool (RAT) called Plugx (also known as Korplug) surfaced in the wild. PlugX, reportedly used on limited targeted attacks, is an example of custom-made RATs developed specifically for this purpose.

The idea behind using this new tool is simple: less recognition and more elusiveness from security researchers. However, this does not mean that this attack is new. Our monitoring reveals that PlugX is part of a campaign that has been around since February 2008.

The said campaign used the Poison Ivy RAT and was reported to target specific users in Japan, China, and Taiwan. This campaign was also part of a large, concerted attack as documented earlier this year. True to its origins, we have observed that Plugx was distributed mainly to government-related organizations and a specific corporation in Japan.

Similar to previous Poison Ivy campaigns, it also arrives as an attachment to spear-phished emails either as an archived, bundled file or specially crafted document that exploits a vulnerability in Adobe Acrobat Reader or Microsoft Office. We've encountered an instance of Plugx aimed at a South Korean Internet company and a U.S. engineering firm. [Screenshot: PlugX Email Sample]

Continued : http://blog.trendmicro.com/plugx-new-tool-for-a-not-so-new-campaign/
