NEWS - September 19, 2012

Microsoft pledges temporary fix for critical IE bug under attack

"Promise comes as 3 more attack sites are spotted exploiting the vulnerability."

Microsoft plans to release a temporary fix for a critical Internet Explorer vulnerability that attackers are exploiting to install malicious software when unsuspecting end users visit booby-trapped websites.

Microsoft's announcement on Tuesday afternoon that it will make available a temporary patch known as a Fixit in the next few days came as a security researcher spotted three more websites that have exploited the vulnerability. The sites include,, and, an India-based news portal dedicated to coverage of the defense industry. The sites install the Poison Ivy and PlugX remote access trojans, which allow attackers to remotely issue commands and monitor e-mail and instant message communications on infected machines.

"It seems the guys behind this 0day were targeting specific industries," Blasco wrote in a blog post published Tuesday. "We've seen that they compromised a news site related to the defense industry and they created a fake domain related to LED technologies that can be used to perform spearphishing campaigns to those industries."

Yunsun Wee, director of Microsoft's Trustworthy Computing group, didn't address the number of sites targeting the previously undocumented flaw, but her post also suggested the attacks were targeted.

Continued :

Microsoft to close critical IE hole with a temporary Fix-it
Microsoft says IE zero-day fix on the way
Microsoft: IE Patch to be Released Soon to Plug Browser's Security Hole

See: Additional information about Internet Explorer and Security Advisory 2757760
New TDL4 malware variant infects ISPs, Fortune 500 companies, gov't agencies

"Damballa researchers believe a new variant of the sophisticated TDL4 bootkit affected over 250,000 victims in the past few months"

Researchers from security vendor Damballa have identified malicious Internet traffic that they believe is generated by a new and elusive variant of the sophisticated TDL4 malware.

The new threat, which has been assigned the generic name DGAv14 until its true nature is clarified, has affected at least 250,000 unique victims so far, including 46 of the Fortune 500 companies, several government agencies and ISPs, the Damballa researchers said in a research paper released Monday.

On July 8, Damballa sensors that operate on the networks of telecommunication operators and ISPs that partnered with the company detected a new pattern of DNS (Domain Name System) requests for non-existent domains. Such traffic suggests the presence on the network of computers infected with malware that uses a domain generation algorithm (DGA). Some malware creators use DGAs in order to evade network-level domain blacklists and to make their command and control infrastructure more resilient against takedown attempts.
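The detection signal described above (a burst of DNS lookups for non-existent domains from one host) can be checked against resolver logs. The following is an added example, not Damballa's code; the log format, the sample lines, and the thresholds (five high-entropy NXDOMAIN answers inside a 60-second window, label entropy of at least 3.0 bits) are constructed assumptions. The entropy filter is there so that a single typo such as `googel.com` does not count the way a run of algorithm-generated names does.

```python
"""Flag clients whose DNS traffic looks DGA-driven: many NXDOMAIN answers
for high-entropy, unrelated names within a short window.

Added example; not code from Damballa or the article. Log format is constructed.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log: "<iso-time> <client-ip> <qname> <rcode>"
# 10.1.2.7 shows a DGA-like pattern; 10.1.2.9 shows one typo'd lookup.
SAMPLE_LOG = """\
2012-07-08T10:00:01 10.1.2.3 www.example.com NOERROR
2012-07-08T10:00:02 10.1.2.3 mail.example.com NOERROR
2012-07-08T10:00:03 10.1.2.7 qwpzkdjfhtvb.com NXDOMAIN
2012-07-08T10:00:04 10.1.2.7 xmlcvzqwtpdk.net NXDOMAIN
2012-07-08T10:00:05 10.1.2.7 rtyhgfdsvbnq.com NXDOMAIN
2012-07-08T10:00:06 10.1.2.7 plkjhgfdsazx.org NXDOMAIN
2012-07-08T10:00:07 10.1.2.7 zxqwvbnmlkpo.com NXDOMAIN
2012-07-08T10:00:08 10.1.2.7 mnbvcxzlkjhg.biz NXDOMAIN
2012-07-08T10:00:09 10.1.2.9 googel.com NXDOMAIN
2012-07-08T10:00:10 10.1.2.9 www.example.com NOERROR
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, client, qname, rcode = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "qname": qname.lower().rstrip("."),
        "rcode": rcode,
    }


def label_entropy(qname):
    """Shannon entropy (bits) of the second-level label, e.g. 'googel' in googel.com.
    Human-chosen names reuse letters; generated names tend to score higher."""
    labels = qname.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def max_in_window(times, window):
    """Largest number of timestamps falling inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def suspicious_clients(log_text, window=timedelta(seconds=60),
                       min_failures=5, min_entropy=3.0):
    """Return {client: count} for clients with >= min_failures high-entropy
    NXDOMAIN answers inside one window. Thresholds are assumed values."""
    failures = defaultdict(list)
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        rec = parse_line(raw)
        if rec["rcode"] != "NXDOMAIN":
            continue
        if label_entropy(rec["qname"]) < min_entropy:
            continue  # likely a typo or a legitimately retired name
        failures[rec["client"]].append(rec["ts"])

    flagged = {}
    for client, times in failures.items():
        n = max_in_window(times, window)
        if n >= min_failures:
            flagged[client] = n
    return flagged


if __name__ == "__main__":
    for client, n in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: {n} high-entropy NXDOMAIN lookups within 60s")
```

On the constructed log, only `10.1.2.7` is reported. In practice the thresholds need tuning per network, and a hit is a lead for looking at the host, not proof of infection: misconfigured search suffixes and some CDN and anti-spam lookups also produce NXDOMAIN bursts.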

Continued :

Also: New Iteration of TDSS/TDL-4 Botnet Uses Domain Fluxing to Avoid Detection
Malicious UPS/FedEx notifications for iPhone 5
Watch out for malicious UPS/FedEx notifications when waiting for iPhone 5

From the Websense Security Labs Weblog:

The first batch of iPhone 5s will be delivered on Friday of this week. Apple sold more than 2 million of the new phone in less than 24 hours so clearly there's a huge interest in getting the device. This means that many people are eagerly waiting for their shipping notifications, to learn when the phone will arrive. I'm one of the people who pre-ordered an iPhone 5, and I'm still waiting for my delivery notification. From reading discussion forums online, I know that all orders from Apple's online store will ship with UPS. So when I received a UPS notification email today, I obviously expected it to be about my iPhone. Turns out, it wasn't. [Screenshot]

Instead the email contained an attached HTML page that, when loaded, displayed the page below:


When I look at the emails monitored by our Cloud Email Security service, I can see that we've intercepted and blocked over 45,000 emails similar to this one. UPS/FedEx lures are not new, but in times like this -- when people are eagerly waiting for an email of this type -- the risk is great that recipients will have their guards down and will run the attached file.

The page above isn't as innocent as it looks. There's a hidden, obfuscated script on the page that deobfuscates to this:

Continued :

Bogus "Windows Email Security Update" email leads to phishing

Hot on the heels of the malicious spam emails posing as Microsoft notifications about changes to Microsoft Services Agreement comes a Microsoft-themed phishing attempt.

"It has come to our attention that your Microsoft windows Installation records are out of date," claims the email. "Every Windows installation has to be tied to an email account for update. This requires you to verify your email account being the recipient of this update. Failure to verify your records will result in account suspension. Click on the Verify button below and enter your login information on the following page to Confirm your records."

By clicking on the offered link, the users are taken to a bogus website that asks them to choose their email service and login: [Screenshot]

Of course, any of the submitted credentials will end up in the phishers' hands, and the users will be redirected to a genuine Microsoft support page.

"While such phishing expeditions are all too common, this one casts a wider net than most by targeting users of several well-known email service providers rather than just one," points out Hoax-Slayer. "In fact, by including 'Other emails' as a choice on the scam website, the criminals are effectively targeting users of virtually any email service."

Continued :

Mobile Pwn2Own: iPhone 4S hacked by Dutch team

"How long would it take a determined attacker to hack into Apple's iPhone 4S from scratch? A Dutch research team uses the Pwn2Own contest to provide the answer."

How long would it take a determined attacker to hack into Apple's iPhone device from scratch?

That was the intellectual challenge that drove a pair of Dutch researchers to start looking for an exploitable software vulnerability that would allow them to hijack the address book, photos, videos and browsing history from a fully patched iPhone 4S.

The hack, which netted a $30,000 cash prize at the mobile Pwn2Own contest here, exploited a WebKit vulnerability to launch a drive-by download when the target device simply surfs to a booby-trapped web site.

"It took about three weeks, starting from scratch, and we were only working on our private time," says Joost Pol (photo left), CEO of Certified Secure, a nine-person research outfit based in The Hague. Pol and his colleague Daan Keuper used code auditing techniques to ferret out the WebKit bug and then spent most of the three weeks chaining multiple clever techniques to get a "clean, working exploit."

Continued :

Also: iPhone 4S exploited in Mobile Pwn2Own hacking contest in Amsterdam

Galaxy S3 hacked via NFC at Mobile Pwn2Own competition

"Using this exploit attackers can take full control of a Galaxy S3 smartphone, researchers demonstrated"

The Samsung Galaxy S3 can be hacked via NFC, allowing attackers to download all data from the Android smartphone, security researchers demonstrated during the Mobile Pwn2Own contest in Amsterdam on Wednesday.

Researchers from security company MWR Labs showed the audience at the Mobile Pwn2Own competition at the EUSecWest security conference that it is possible to beam an exploit over a NFC (Near Field Communication) connection by holding two Galaxy S3s next to each other.

Using this technique, a file is loaded on the targeted S3. The file is then automatically opened and gets full permissions, meaning that the attacker has full control over the phone, explained Tyrone Erasmus, security researcher at MWR. The app runs in the background so the victim is unaware of the attack, he added.

The attacker, for instance, gets access to all SMS messages, pictures, emails, contact information and much more. The payload is very advanced, so attackers can "basically do anything on that phone," the researchers said.

Continued :

Eastern European hackers posing bigger threat than Asian cyber crooks

Businesses should be far more concerned about Eastern European hackers for hire than Asian cyber snoops, according to security firm Trend Micro.

Trend Micro warned that European mercenary hackers are currently mounting far more sophisticated campaigns and attacks than their East Asian counterparts, in a report entitled Peter the Great vs Sun Tzu.

The report highlighted a significant disparity in the two regions' hacker methodologies.

"The Eastern European custom-written, carefully crafted tools are designed for very specific attacks," Trend Micro security director Rik Ferguson told V3.

"Asian teams use more off the shelf stuff, things like Spyeye, Zeus, exploit kits. They go after targets that aren't bulletproof and are more widespread."

Ferguson highlighted the importance of reputation among Eastern bloc hackers as a key reason for the difference.

Continued :

Peter the Great beats Sun Tzu in cybercrime
Report Examines Eastern European Hackers Vs. East Asian Hackers
Over 9 million PCs infected - ZeroAccess botnet uncovered

ZeroAccess is a hugely widespread malware threat that has plagued individuals and enterprises for years. It has evolved over time to cater for new architectures and new versions of Windows.

Here at SophosLabs we have looked at previous incarnations of the ZeroAccess rootkit in depth, describing how it enslaves victim PCs, adding them to a peer-to-peer botnet which can receive commands to download further malware.

Most recently, Sophos's researchers explored how ZeroAccess took a major shift in strategy, operating entirely in user-mode memory.

Due to the continued high profile of this malware family we felt it was necessary to examine the threat in greater detail, not only the latest version of ZeroAccess, but also the ZeroAccess botnet as a whole.

SophosLabs researchers can reveal that the current version of ZeroAccess has been installed on computers over nine million times with the current number of active infected PCs numbering around one million. [Screenshot: Total Installs of ZeroAccess]

Continued :

Malware Dragnet Snags Millions of Infected PCs

Last week, Microsoft Corp. made headlines when it scored an unconventional if not unprecedented legal victory: Convincing a U.S. court to let it seize control of a Chinese Internet service provider's network as part of a crackdown on piracy.

I caught up with Microsoft's chief legal strategist shortly after that order was executed, in a bid to better understand what they were seeing after seizing control over more than 70,000 domains that were closely associated with distributing hundreds of strains of malware. Microsoft said that within hours of the takeover order being granted, it saw more than 35 million unique Internet addresses phoning home those 70,000 malicious domains.

First, the short version of how we got here: Microsoft investigators found that computer stores in China were selling PCs equipped with Windows operating system versions that were pre-loaded with the "Nitol" malware, and that these systems were phoning home to subdomains at The software giant subsequently identified thousands of sites at that were serving Nitol and hundreds of other malware strains, and convinced a federal court in Virginia to grant it temporary control over portions of the dynamic DNS provider. [Screenshot]

Microsoft was able to do that because - while is owned by a firm in China — the dot-org registry is run by a company based in Virginia. Yet, as we can see from the graphic above provided by Microsoft, Nitol infections were actually the least of the problems hosted at (more on this later).

Continued :
