- 31 July 2007 - Worm eats music on infected PCs
Virus writers have unleashed a worm that attempts to delete MP3 files from infected machines.
The Deletemusic worm spreads via removable devices. As soon as an infected device is accessed the worm will be executed. Thereafter it copies itself onto all drives, including removable devices, and executes whenever Windows is started up on compromised PCs.
The worm is spreading, albeit modestly, causing a small number of infections. Anti-virus vendors such as Symantec rate it as a low to no-risk threat.
Malware capable of zapping MP3 files is rare but far from unprecedented. The Klez-F worm, for example, which was widespread in 2002, overwrote MP3 files (and other file types) on certain days of the month. The Scrambler worm was programmed to scramble MP3 files to sound like a scratched record while the Mylife-G worm overwrote MP3 files with the words "my lIfE".
None of these items of malware made any attempt to differentiate between legitimate and illegitimately obtained music files.
The authors of Deletemusic - the latest example of the genre - remain unknown. Vigilante virus writers or mischief makers are the probable perps, though the involvement of the music industry itself in some form or another isn't entirely implausible, given past form.
Either way, the consequences of infection are serious for affected Windows users.
"With so many people relying on their PCs to store their digital music, rather than physical CDs, a worm capable of deleting an entire MP3 collection could leave someone thousands of pounds out of pocket," said Orla Cox, Security Operations Manager, Symantec Security Response. "We would recommend all users with MP3 files on their PCs to remain cautious about the removable media devices they are using in their machines."
Source : theregister.co.uk
- 26 July 2007 - Data loss blights US military, Aussie bank, and Fox network
After a spate of data losses traced to the use of Winny filesharing software in various sensitive Japanese environments (military warships, hospitals, police departments), it has been reported that a Japanese police officer has been sacked over a disclosure where several thousand sensitive police records went missing from his system.
While there is some argument about the efficacy of this step, a number of senior officers are also facing scrutiny over the incident.
Unfortunately, major new disclosures continue to make news. US military personnel have again been affected by the loss of data from a service provider. This time SAIC, a support services contractor, acknowledged that more than 500,000 serving military members could be at risk of identity theft after it failed to protect the data adequately, transferring it unencrypted across the internet.
As more details were released after the initial disclosure, it became known that almost 900,000 personnel may have been affected, including family members and government employees.
In an admission that is concerning in the modern data risk management environment, SAIC conceded that the data at risk was stored completely unprotected on a single server at a smaller SAIC site. Although the data was also exposed during its unencrypted transmission across the internet, SAIC indicated that the disclosure took place while the data was being processed.
Even though the USAF alerted SAIC to the breach in late May, the information wasn't disclosed until much later.
While reporting of mass personal and financial data losses has largely been focused on North America, other countries are not unaffected by the problem. The Australian Westpac banking group has reissued thousands of Visa cards after a disclosure at an unnamed third party vendor.
Finally, after a curious web surfer discovered that Fox had left a number of directories with listing enabled (i.e. requesting the URL of the directory returned a list of its contents), a basic shell script was found among them containing the login for an FTP server at ZDNet. While the disclosure of directory contents isn't much of a concern for most sites, the FTP account that was discovered provided access to records for around 1.5 million individuals, along with sensitive ZDNet business documents.
It has been reported that the hole has since been closed off, but in this instance the initial reporting and management of the discovery reflects poorly on the information security researchers who discovered it and publicised the discovery.
Even if the first set of people to be notified of the breach did not actually access the ZDNet server, the complete disclosure of the authentication parameters meant that someone would soon be poking around in the system for malicious purposes.
While ultimate responsibility for the disclosure rests with Fox, the incident displays a significant ethical lapse for the researchers involved (and for the wider industry - as the details were replicated across numerous sites without consideration for their sensitivity).
Source : theregister.co.uk
- 24 July 2007 - As many as 1.5 million email addresses may have been revealed to visitors arriving at an unsecured FTP server courtesy of a login left available by an error on the Fox News website.
The configuration error on the Fox News website allowed outsiders to find a shell script for logging in to an FTP server run by Ziff-Davis.
Though administrators later disabled the login, it now appears plenty of mischief took place while it was open. Someone will have to explain to Fox News and Ziff-Davis bosses reports of email addresses being available for downloading.
A report on Wikinews suggested outsiders could access names and contact information for upwards of 1.5 million people.
"The FTP site, used for collaboration between different global aspects of Ziff-Davis business, contains data ranging from expense sheets to resumes to opt-out lists used by customers who wish to avoid receiving unsolicited emails," said the report.
"Many of the compromised files make reference to Acxiom, a data management company that, in 2003, experienced a similar theft of personal information."
However, Social Security numbers have not been reported as being in the data that people arriving through the FTP server could access.
Source : securitypronews.com
- 20 July 2007 - EBay Scammers Working Hard Against Sellers
If anything, the scammers have a good understanding of human nature. They play on greed to entice people into handing over their goods in exchange for a richer than expected payday. It's also the reason why 419 scams persist to this day: people still fall for them.
An example of how fraudsters misuse eBay played out on the McAfee Avert Labs blog. Researcher Seth Purdy put an item up for bids and was delighted when his $250 asking price ended up with a winning bid of $395.
Joy turned to frustration quickly as an eBay takedown notice hit Purdy's inbox. EBay picked up on fraudulent bidding that took place without the account owner's authorization, and canceled the listing.
"I didn't think much of it, other than being mildly frustrated at later having to relist the item and wait for another auction to complete," said Purdy.
That was just the start of the scam. The persistent criminals sent Purdy a fake PayPal confirmation email. A greedier person may have been tempted by the bonus "paid" by the winner - an additional $100 in shipping.
The message contained a few easily spotted inconsistencies with typical email correspondence. It also listed a delivery address in Nigeria.
It gets stranger from here. The auction that Purdy placed on the US eBay site had been duplicated on eBay UK. He believes the criminals did this in case the original auction ended up canceled by eBay, which is what happened.
However, eBay canceled the UK auction as well. After that, Purdy received emails from the "winning bidder" advising that payment had been made and demanding immediate shipment of the item. The scammer went as far as threatening to involve law enforcement if the auction wasn't fulfilled.
Naturally, no payment had ever been made for the item. Purdy recognized the scam for what it was, but other people might not have done so. Until more people start taking the time to recognize a supposed windfall as a criminal deception, scams like these will persist.
Source : securitypronews.com
- 16 July 2007 - Password Stealers targeting games are growing more than ever
Month after month, we receive new password stealers and keyloggers, and they enlarge our collections. When they arrive, some are already generically detected while others must be added to our DAT files. All are itemized and contribute to the global increase in malware that you can observe on our DAT Readme web page.
In a recent identity theft white paper, I made a first count and established that the number had increased by 250% between January 2004 and May 2006. To update that figure, I compiled some new and more accurate lists.
By the end of June, malware classified in that category came close to 35,000. If the trend continues, we will reach 45,000 items by the start of next year.
With the volume of malware we see, many samples are classified into one generic PWS family or another. However, when it is possible or necessary we categorize them more precisely. In December 2006, I explained that harvesting credentials for Massively Multiplayer Online Role-Playing Games (MMORPGs) and other social networking communities was a highly valued activity. Less well known than banking fraud, it can be very profitable.
The following table summarizes the five main families to which we added new items in 2007.
At McAfee Avert Labs the main PWS families are the following:
| Targets | VirusScan name | Top-5 rank, Q1 2007 | Top-5 rank, Q1/Q2 2007 |
| Banks and e-commerce | PWS-BANKER | 1 | 1 |
| Games (MMORPG) | PWS-LINEAGE, PWS-LEGMIR, PWS-MMORPG, PWS-GAMANIA, PWS-WoW | 2, 3, 4, 5 | 4, 3, 2 |
| ICQ, instant messaging, social networking | PWS-LDPINCH | not in top 5 | 5 |
Crooks not only make money by collecting, selling or using usernames and passwords for online banking and e-commerce. There is more and more talk of a virtual economy and electronic cash. Some worlds, like Second Life or Entropia Universe, boast of success stories and rich virtual account holders who have seen their fortune grow to a million actual dollars. Blizzard recently banned more than 5,000 World of Warcraft accounts suspected of participating in gold farming. eBay decided to stop listing auctions of virtual property, with the exception of Second Life items.
When money circulates, it attracts greed. These latest figures confirm the trend: the bridge between the virtual economy and the real economy is generating a new form of crime and a new form of illegal profit.
Source : AVERT Labs - Mcafee
- 10 July 2007 - Microsoft issued six security bulletins, patching 11 vulnerabilities -- eight of them critical
Security researchers are warning IT managers to patch all of the bugs being fixed today, of course, but to turn their attention quickly to two vulnerabilities in the Active Directory implementations in Windows 2000 Server and Windows Server 2003. Amol Sarwate, manager of the vulnerability research lab at Qualys Inc., called this the most important of the 11 bugs that Microsoft is patching this month.
"If you are managing servers, this is the most critical because a hacker can crash your machine or anonymously run programs or steal information from your Active Directory," said Sarwate.
The Active Directory issue was discovered by IBM X-Force Researcher Neel Mehta, who also created proof-of-concept exploit code for it. The flaw was reported to Microsoft a year ago this month.
"Active Directory is the corner stone of the Windows network. The Active Directory server is used to manage things like user accounts on your domain. If a bad guy had that, he could add or delete accounts," said Tom Cross, an IBM Internet Security Systems X-Force researcher, in an interview. Another IBM researcher, David Dewey noted that if a hacker adds himself to the directory as an administrator, he could do anything he wants to the network.
Because the two vulnerabilities are in such a key part of Microsoft's software, both Cross and Dewey said they're glad Microsoft took so much time to work on the patch.
"This one carries quite a few complexities that led it down quite the development path," said Dewey in an interview. "We were in lock step with them during the entire path. As it turns out, it brought to light other coding issues that needed to be corrected. Active Directory is the corner stone of the Microsoft enterprise network. Anytime someone pokes a hole in that, they need to make sure the fix they put in place is thorough and correct. This is extraordinarily critical and they handled it appropriately, in my opinion."
Sarwate also noted that a critical bug in Microsoft Excel, as well as critical bug in the .Net framework also are worthy of immediate attention.
With the Excel flaw, if a user opens a malicious Excel attachment, code can be executed on her computer. It's a buffer overflow vulnerability that causes remote code execution.
The .Net framework is an environment for building and running applications, including Web services. The bug that Microsoft patched in the .Net framework also can be used to execute code remotely and anonymously.
Three of the vulnerabilities being fixed this month don't rate Microsoft's highest risk rating of critical. But Symantec's researchers noted that one "moderate" vulnerability that's being patched lies in the Windows Vista firewall. Symantec discovered the bug this past February.
This vulnerability exposes network services that should be accessible only from the local area network to the Internet, Symantec reported in an e-mail to InformationWeek. By tunneling traffic over the Teredo protocol, an attacker can reach network services that would otherwise have been blocked from the Internet. Even though it's classified as an "information disclosure vulnerability," combined with a vulnerability in one of the exposed services it could have widespread implications.
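The firewall problem described above comes down to classification: a packet that arrives inside a Teredo tunnel carries an IPv6 source in 2001::/32, but the real peer is the IPv4 host whose address and UDP port are embedded (XORed with all-ones) in the low 64 bits of that source. A "LAN only" rule that looks at the IPv6 prefix, or at the IPv4 path the UDP packets took, can let an arbitrary Internet host through. The following is an added example, not Symantec's or Microsoft's code: it decodes and encodes Teredo addresses per the RFC 4380 layout and classifies a source by the embedded client IPv4. The example address, and the TRUSTED_NETS list standing in for the firewall's local-network profile, are constructed assumptions.

```python
import ipaddress

# Teredo prefix from RFC 4380. The remaining 96 bits hold the Teredo server's
# IPv4 address, a 16-bit flags field, then the client's external UDP port and
# IPv4 address, the last two XORed with all-ones ("obfuscated").
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")

# Assumed set of networks the host firewall treats as "local area network";
# a real deployment takes this from the firewall's profile configuration.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_teredo(addr_text):
    """Return server IPv4, cone flag, client UDP port and client IPv4 for a Teredo address."""
    addr = ipaddress.IPv6Address(addr_text)
    if addr not in TEREDO_PREFIX:
        raise ValueError(f"{addr} is not a Teredo address")
    packed = addr.packed
    server = ipaddress.IPv4Address(packed[4:8])
    flags = int.from_bytes(packed[8:10], "big")
    port = int.from_bytes(packed[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in packed[12:16]))
    return {
        "server": str(server),
        "cone": bool(flags & 0x8000),   # "cone NAT" flag is the top bit of the flags field
        "port": port,
        "client": str(client),
    }


def encode_teredo(server, client, port, cone=True):
    """Build the Teredo address a client behind NAT would be assigned (inverse of decode_teredo)."""
    flags = 0x8000 if cone else 0
    packed = (TEREDO_PREFIX.network_address.packed[:4]
              + ipaddress.IPv4Address(server).packed
              + flags.to_bytes(2, "big")
              + (port ^ 0xFFFF).to_bytes(2, "big")
              + bytes(b ^ 0xFF for b in ipaddress.IPv4Address(client).packed))
    return str(ipaddress.IPv6Address(packed))


def source_is_internet(src_text):
    """Classify an IPv6 source the way a LAN-only rule must: for a Teredo
    source, judge the embedded client IPv4, not the 2001::/32 prefix."""
    src = ipaddress.IPv6Address(src_text)
    if src in TEREDO_PREFIX:
        client = ipaddress.IPv4Address(decode_teredo(src_text)["client"])
        return not any(client in net for net in TRUSTED_NETS)
    return not (src.is_link_local or src.is_private)


if __name__ == "__main__":
    # Constructed example address: server 65.54.227.120, cone flag set,
    # client 192.0.2.45 on UDP port 40000.
    example = "2001:0:4136:e378:8000:63bf:3fff:fdd2"
    print(decode_teredo(example))
    print("from Internet:", source_is_internet(example))
```

The point of source_is_internet is the asymmetry: the same address that a prefix-based rule would file under "some IPv6 peer" resolves to a public IPv4 host once the obfuscation is undone, and that is the address the "local network only" decision has to be made on.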
"As this month's patch release demonstrates, Microsoft's decision to rewrite the Windows network stack and its accompanying firewall continues to have long-term security implications," said Oliver Friedrichs, director of emerging technologies at Symantec Security Response. "A network stack can take decades of heavy scrutiny in order to become battle hardened. As an operating system's first line of defense, its quality is directly related to its ability to withstand attack."
Last month, Microsoft issued six security bulletins that patched 15 vulnerabilities. The June batch of vulnerability fixes affected 12 critical bugs. In May, Microsoft released seven security bulletins, patching 19 bugs. All seven of those advisories were rated critical.
Source : Informationweek
- 09 July 2007 - Fake advertising attempting to discredit Spamhaus
Last Thursday we noticed a large spam campaign attempting to discredit Spamhaus and DDoS their phone lines. This is undoubtedly linked somehow to the massive and long-term DDoS attacks on the three major blacklists run by Spamhaus, URIBL and SURBL (the latter two are currently being protected by the DDoS Jedi at Prolexic). DDoS attacks on this scale are risky for the botmasters, since they expose the botnets to those interested in such things.
Here is a copy of the mail:
From: Christy June <fake-sender@fake_place.com>
Date: Fri, 5 Jul 2007 20:34:52 +0100
To: "some, one" <spamme@mcafee.com>
Conversation: Which shalom myself magnetic
Subject: What shalom herself magnetic

WORKING TO PROTECT INTERNET NETWORKS WORLDWIDE

Spamhaus tracks the Internet's Spammers, Spam Gangs and Spam Services, provides dependable realtime anti-spam protection for Internet networks, and works with Law Enforcement to identify and pursue spammers worldwide.

The SBL database is maintained by a dedicated international Spamhaus team based in 9 countries, working 24 hours a day, 7 days a week to list new confirmed spam issues and - just as importantly - to delist resolved issues.

The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

The Exploits Block List can be used by all modern mail servers, by setting your mail server's anti-spam DNSBL feature (sometimes called "Blacklist DNS Servers" or "RBL servers") to query xbl.spamhaus.org. Use of the XBL is free for users with normal mail servers (but networks with high email traffic should see DataFeed).

You can get MUCH MORE if you contact us:
The Spamhaus Project Ltd. 50 Churchill Square, Suite 6, Kings Hill, West Malling ME19 4YU United Kingdom, Tel (+44) 870 766 xxx
This is not an uncommon event for RBL owners; this one is unusual only because of the size, duration and indiscriminate nature of the campaign.
The spammer also had to forge the sender address, because Spamhaus's SPF record is of the "-all" variety, which sensibly states that only one IP address is permitted to send mail for their domain. Mail for that domain from any other host fails the SPF check, which hampers the bots' ability to deliver.
Obviously Spamhaus do not use botnets to send out promotional material.
(If this all sounds a bit too fishy to be true, you can read more about the traditional "Joe-Job" attack right here.)
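The SPF point above is worth seeing mechanically: a receiver takes the envelope sender's domain, fetches its SPF record, and walks the mechanisms left to right until one matches the connecting IP; with "-all" at the end, any host other than the listed one gets a hard fail, which is why a bot has to forge some other domain to get its mail accepted. The following is an added example, not McAfee's or Spamhaus's code: a minimal evaluator for the ip4, ip6 and all mechanisms with the four qualifiers. The records and domains are constructed (Spamhaus's real record is not reproduced), and a real implementation would fetch the TXT record over DNS and also handle include, a, mx and redirect, which this one deliberately rejects.

```python
import ipaddress

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records standing in for DNS TXT lookups; example.org publishes a
# single permitted sender and a hard "-all", example.net publishes nothing.
RECORDS = {"example.org": "v=spf1 ip4:192.0.2.10 -all"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) tuples.
    Only ip4, ip6 and all are handled; mechanisms needing DNS are rejected."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                       # RFC 7208 default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")    # first colon only, so ip6 args survive
        name = name.lower()
        if name not in ("ip4", "ip6", "all"):
            raise ValueError(f"unsupported mechanism: {name}")
        if name == "all" and arg:
            raise ValueError("all takes no argument")
        parsed.append((qualifier, name, arg))
    return parsed


def check_spf(record, sender_ip):
    """Evaluate record for the connecting IP; first matching mechanism wins."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qualifier]
        net = ipaddress.ip_network(arg, strict=False)   # bare address means /32 or /128
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"   # RFC 7208: no mechanism matched and no "all" present


def check_sender(envelope_from, sender_ip, records=RECORDS):
    """What a receiving MTA does with MAIL FROM: look up the domain's policy."""
    domain = envelope_from.rpartition("@")[2].lower()
    record = records.get(domain)
    if record is None:
        return "none"      # no policy published; most receivers accept the mail
    return check_spf(record, sender_ip)


if __name__ == "__main__":
    bot_ip = "198.51.100.7"    # constructed address of an infected host
    print(check_sender("info@example.org", bot_ip))   # fail: forged as the protected domain
    print(check_sender("info@example.net", bot_ip))   # none: forged as a domain with no SPF
```

The two calls at the bottom are the spammer's choice in miniature: forging the domain that publishes "-all" gets the message rejected at every receiver that checks SPF, while forging a domain with no record gets "none", which receivers treat as no information at all.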
Source : AVERT Labs - Mcafee
- 07 July 2007 - Beware of Data Dumpster Divers
Trashing an old PC with sensitive data on the hard drive can be almost as bad as leaving it out on the sidewalk in terms of data security. Even e-recycling programs sometimes don't take proper precautions to ensure the computer leaves its original owner with no private information intact. The best recyclers will erase a PC's hard drive or, better yet, crush it before it moves on to its next destination.
Some 30 percent of businesses in the UK leave data, some of it sensitive, on their PCs when they dispose of them, according to research findings released this week by computer maker Lenovo.
In the survey of 300 businesses commissioned by the UK-Ireland arm of the company, 29 percent of IT managers in large companies with 1,000 or more employees and 30 percent of them in mid-sized ones with 250 to 999 workers revealed that they had possibly, probably or definitely left data on PCs when they disposed of them.
"It is essential for organizations to consider secure data disposal when refreshing end-of-life computers in order to avoid becoming susceptible to potentially immeasurable business risk," Chris Wells, Lenovo's vice president for the UK and Ireland, said.
Source : Technewsworld
- 05 July 2007 - WFP (Windows File Protection) hack redefined
At McAfee Avert Labs we came across an interesting piece of malware, W32/Crimea, that uses an undocumented feature of Windows File Protection.
Windows File Protection (WFP) is a feature of the Windows operating system that prevents other programs from modifying, replacing or deleting critical system files. SFC.dll and SFC_OS.dll are the files that contain the functions used to monitor system files. Earlier malware used to patch these DLLs or modify the registry to disable this feature. We had earlier blogged about some of the techniques used by malware targeting Windows files.
Patching SFC.dll and SFC_OS.dll rendered some of the system's defenses useless, but anti-virus companies found a way to identify these patched DLLs and provided remedies to clean the user's computer. Malware authors have again found an alternative method, with the help of undocumented functions in SFC_OS.dll itself.
Those who explored it hit the jackpot. The functions worth mentioning here are:
1. Ordinal 2: SfcTerminateWatcherThread
2. Ordinal 5: SetSfcFileException
The ordinal 2 function terminates the system file watcher thread, as the name implies, leaving the system open to any directory or file modification by malware until the next reboot. This method requires the malware to inject code into winlogon.exe in order to call the function, since sfc_os.dll is loaded by the winlogon process to provide this protection.
The ordinal 5 function disables WFP for a particular file, normally for one minute. That is all the time the malware needs: once the window closes the protection is back in place, but the system is already infected. Although these techniques have been public for more than a year, we are now seeing them used by malware in the wild. W32/Crimea uses the second method to infect the system file imm32.dll.
One might ask why in the world Microsoft should provide APIs in Windows that leave the operating system open to so much malware. One reason could be to allow system files to be updated and patches installed. But it also provides an easy way for malware to infect the system.
As fate would have it, Microsoft provides a way to disable its own protection using its own APIs. So is this API a feature, or is it a flaw?
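Because the ordinal 5 call silences WFP for a minute and WFP then resumes as if nothing happened, a defender cannot rely on WFP's own view of the system to notice that imm32.dll was swapped. The check a practitioner wants is one that does not depend on WFP at all: an out-of-band integrity baseline, hashed before and compared after. The following is an added example and not McAfee's code, nor a WFP API; it builds a SHA-256 baseline of a directory tree, then reports modified, added and missing files. The directory, file names and file contents are constructed stand-ins created in a temporary directory, and the file patterns it covers are an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

# File types a baseline of a Windows system directory would cover; assumed here.
DEFAULT_PATTERNS = ("*.dll", "*.exe", "*.sys")


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, patterns=DEFAULT_PATTERNS):
    """Map each matching file (path relative to root) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for pattern in patterns:
        for path in root.rglob(pattern):
            if path.is_file():
                baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare_baseline(root, baseline, patterns=DEFAULT_PATTERNS):
    """Report files whose hash changed, files that appeared, and files that vanished."""
    current = build_baseline(root, patterns)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Stand-in for a system directory, built in a temp dir from constructed
    file contents (no real Windows binaries are involved)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "imm32.dll").write_bytes(b"MZ constructed imm32 image")
        (root / "sfc_os.dll").write_bytes(b"MZ constructed sfc_os image")
        (root / "msvcrt.dll").write_bytes(b"MZ constructed msvcrt image")
        baseline = build_baseline(root)

        # What a WFP bypass looks like from the outside: a protected file is
        # rewritten during the unprotected window, a new file is dropped and
        # another removed. By the time we look, WFP is active again and silent.
        (root / "imm32.dll").write_bytes(b"MZ constructed imm32 image" + b"\x90\x90 appended code")
        (root / "dropped.dll").write_bytes(b"MZ constructed dropper image")
        (root / "msvcrt.dll").unlink()
        return compare_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the malware cannot reach (off-host, or at least not in a location a process running as the logged-on user can write), otherwise an attacker who can call the WFP ordinals can just as easily rewrite the hash list.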
Source : AVERT Labs - Mcafee