T2W --> Trojan to Worm

We have detected an application whose main function is to turn an executable file into a worm, giving it the capacity to spread itself. Even though its aim is to give a Trojan the spreading capability of a worm, it works with any executable file.

As you can see in the image below, Constructor/Wormer is an eye-catching tool and very easy to use. By checking different flags, you can design a worm with different functionalities, such as compress it with UPX, enable MuteX, select icons, etc.

It also has advanced options to select a certain infection date, disable different options of the operating system, such as the Task Manager, the Windows Registry Editor, Folder Options, and different browsers such as Internet Explorer, Firefox or Opera. Additionally, the worms can be configured to display a message when they are run or activate themselves when Windows is started.

One curious option is that you can exempt removable drives, such as pen drives, from infection by specifying the username and the name of the drive.

The tool seems to have been created in Spain. You can switch the language of the tool to English, Spanish, Portuguese and Catalan. As you can see, nowadays there are tools that allow any user, no matter their technical knowledge, to create malware very easily.

Thanks to Oscar Anduiza for the information.

[Source: pandalabs]

An effective way to treat Web 2.0 vulnerabilities

I’m personally a huge fan of the Matasano blog, and have a lot of respect for their group. I took a peek over at their blog today and noticed an article by Dave Goldsmith that deals with “Vulnerability Reporting in a Web 2.0 World Continued”.

In this article, Dave recounts personal experiences dealing with a PITA vendor that treated his vulnerability report as if it was a feature request. That sounds crazy right? Have a look at Dave’s original communication chain with the vendor:

Step #1: I send in a vulnerability report. I explain the vulnerability in a concise email and include repro steps.

They reply:

Thanks for the tip, David. It’s been noted.

I reply:

Can you give me some guidance on your response guidelines to security vulnerabilities? Is there a timeframe that you try and have vulnerabilities fixed by?

They reply:

Hi David, We’re always looking for new ideas and fixes to roll out in future updates but as a rule we don’t comment on possibilities or timeframes.

I reply:

How will I know when this vulnerability is fixed?

They reply:

Actually, they don’t reply at all.

Nice. I’ve been there before myself with a few vendors. This creates an interesting conundrum for the researcher.

Your ethics should probably say (assuming you’re ethical):

  1. I’d hate to blast out a vulnerability that will be exploited
  2. I’d hate to allow a vulnerability that I know about to be exploited

It’s a difficult situation to be in. Dave actually noted a blog post by the company that his original advisory targeted, 37signals, where they discuss how to say no to a feature request. From the 37signals blog post:

    1. The Hard No. If the feature is not aligned with the direction of the product, just be direct and say so.
    2. The Soft No. If it is something you might pursue in the future, but you don’t want to commit, say: thank you for the idea, we will consider it for a future version.

Interesting. So Dave got a soft no and a hard no (in the form of ignoring him) from the 37signals guys.

This is a problem. This is NOT an acceptable way of handling a vulnerability. I got to thinking the other day of how vulnerabilities should really be handled by a company. The problem of course is I’m saying how the companies should handle them, and I have no authority at any of these places, save people actually valuing my ideas. Personally, I’ve done some development in the past, and there was the concept of defects. Your bonus would depend on how many defects were in your application at delivery time. These were feature-based defects, but shouldn’t vulnerabilities be considered defects as well?

Many companies out there count security as one of their business objectives; well, time to step up. Count vulnerabilities as defects. Programmers understand that for sure. Of course, you can’t leave it all on them, because secure code development is not exactly taught in school (even today, unfortunately), so go out and get them some training. Give them some lead-in time to understand security vulnerabilities. Create a Secure SDLC process for your company that guides direction.

You know what? Be progressive. Don’t just ding your developers for defects (security vulnerabilities), reward them handsomely for extended time periods without flaws, security assessments that point out no flaws, etc.

Just my thoughts, but something has to change.

[Source: zdnet]

Verisign, McAfee and Symantec sites can be used for phishing due to XSS

Phished by Michael Jackson!! :-P
Last Update: 18/06/08

Should they all be trusted at first sight by unsuspecting online users? Yes, unfortunately this is the case with the websites of renowned and respected IT security companies. However, now that they are all vulnerable to cross-site scripting, the chances of getting phished and infected with malware and crimeware are dramatically increased.

Verisign.com XSS vulnerabilities (6 unfixed/18-06-08):
registrar.verisign-grs.com XSS submitted by C1c4Tr1Z
blogs.verisign.com XSS submitted by Zeitjak
knowledge.verisign.com XSS submitted by Zeitjak
foreseeresults.verisign.com XSS submitted by Zeitjak
servicecenter.verisign.com Redirect submitted by Zeitjak
ispcenter.verisign.com XSS submitted by Zeitjak

digitalid.verisign.com XSS submitted by Zeitjak
www-apps.verisign.com XSS submitted by TreX / unfixed since 16/01/2008!
search.verisign.com XSS submitted by bill
search.verisign.com XSS submitted by bill
www.verisign.com XSS submitted by i-landet / unfixed since 16/02/2007!!!
search.verisign.com.au XSS submitted by Harry Sintonen

Many high profile sites are "Verisign Secured" (allow me to have my doubts here), yet Verisign's own site is unsecured? Just wonder how easy it would be for the bad guys to phish your clients, or their customer base - I don't think that they are all aware of the risks posed by XSS vulnerabilities.

Realize the risk impact now, not only when you are forced to do so...

McAfee.com XSS vulnerabilities:
mastdb3.mcafee.com XSS submitted by Zeitjak (pending fix)
knowledge.mcafee.com XSS submitted by C1c4Tr1Z
knowledge.mcafee.com XSS submitted by holisticinfosec
us.mcafee.com XSS submitted by TreX
mcafee.com XSS submitted by kusomiso.com
mcafee.com XSS submitted by www.r3t.n3t.nl
www.mcafee.com XSS submitted by kusomiso.com
knowledge.mcafee.com XSS submitted by i-landet
mcafee.com XSS submitted by mityo on 13/06/08 / published on 15/06/08 (fixed-18/06/08)

8 out of 9 XSS vulns are fixed.

It is a shame that McAfee continuously lies to the users of their "Hacker Safe" clients...
Building user trust with evil marketing alone is not the correct way forward! You knowingly deceive online users with fake promises concerning their privacy and security. How is this for a business plan? :-/ Deliberate deception techniques like yours are only used for the sake of profiting from increased sales.
We are still frequently receiving reports of XSS vulnerable "Hacker unSafe" web sites.
It is an embarrassing fact that your site is also vulnerable!

- "More bad news for McAfee, HackerSafe certification", Nathan McFeters, ZDNet Zero Day blog - 1 May 08
- "McAfee 'Hacker Safe' cert sheds more cred", Dan Goodin, TheRegister - 29 Apr 08
- "McAfee isn't 'McAfee Secure' or 'Hacker Safe'...", Nathan McFeters, ZDNet Zero Day blog - 13 May 08

Quoting from Russ McRee's blog post titled "McAfee is not McAfee Secure":

>A challenge was put forth on Zero Day, and it has been answered.
>Apparently, McAfee doesn't care about XSS on their own sites either.

>I'll let the video speak for itself.

>For the love of all things good and proper, McAfee, please address this issue...for yourselves and the consumers who look to you to do the right thing.

>Russ McRee

Symantec.com XSS vulnerabilities:
nct.symantecstore.com XSS submitted by C1c4Tr1Z
www-secure.symantec.com XSS submitted by Zeitjak
partnerlocator.symantec.com XSS submitted by S_e_YM_e_N
investor.symantec.com XSS submitted by mox
www4.symantec.com XSS submitted by TreX
www4.symantec.com XSS submitted by TreX
symaccount.symantec.com XSS submitted by www.r3t.n3t.nl
service1.symantec.com XSS submitted by www.r3t.n3t.nl
service4.symantec.com XSS submitted by www.r3t.n3t.nl
photocontest.symantec.com XSS submitted by www.r3t.n3t.nl
service1.symantec.com XSS submitted by www.r3t.n3t.nl
searchg.symantec.com XSS submitted by security0x00
www-secure.symantec.com XSS submitted by www.r3t.n3t.nl
securityresponse.symantec.com XSS submitted by www.r3t.n3t.nl
www.symantec.com XSS submitted by Saime
securityresponse.symantec.com XSS submitted by cachaca
partnerlocator.symantec.com XSS submitted by TotalSchaden
www4.symantec.com XSS submitted by TotalSchaden

10 out of 18 XSS vulns are fixed.

Quoting from this news article:
"Symantec.com is never going to get a status clientHold. Malicious phishers can still use Symantec's XSS vulnerabilities to spread malware and steal personal sensitive information. Why did they choose to validate a mirror of a corrected PayPal XSS as a phishing site and give us the status clientHold? They should have the clientHold status for leaving an open door to the exploitation of their faithful customers' security and privacy."

I want to believe that all the above issues get fixed within the next few days.

Related News (Updated):
"Major Security Vendors' Sites Could Be Launchpads for Phishing Attacks", Tim Wilson, Dark Reading, 10 Jun 08
"Top security companies not immune to XSS problems", Steve Ragan, The Tech Herald, 11 Jun 08
"Verisign and anti-virus vendors fix cross-site scripting holes", Mike Barwise, heise Security UK, 13 Jun 08
"Scripting bugs blight security giants' websites", John Leyden, The Register, 13 Jun 08
"Major security sites hit by XSS bugs", Matthew Broersma, Techworld, 12 Jun 08

[Source: xssed]

HSBC web sites are open to critical XSS attacks. Warning to customers!

Evidently, multiple cross-site scripting vulnerabilities affecting bank web sites can have major unwanted consequences. XSS must be considered the phishers' future weapon by everyone working in the security industry.

Scammers can register domains and set up fake bank web sites in a few minutes. With the help of bulk e-mailers they can phish personal sensitive data from thousands of unsuspecting web users.

If they want to own HSBC's e-banking customers, all they have to do is to register a "suspicious" looking domain like hscsbc.com which is currently available and then serve a phishing page.
Even better, they can exploit a cross-site scripting vuln on hsbc.com, obfuscate the attack vector and significantly increase their phishing success rate!

Updated: 23/06/08:
www.investdirect.hsbc.gr XSS notified by Hexspirit
www.investdirect.hsbc.gr XSS notified by Hexspirit
www.hsbc.com.sv XSS notified by sl4xUz
www.hsbc.com XSS notified by Airrox
www.hsbc.co.uk XSS notified by PaPPy / unfixed
www.hsbc.com.tr XSS notified by DaiMon / unfixed since 26/05/2008
www.hbeu1.hsbc.com XSS notified by DaiMon / unfixed since 26/05/2008
www.hsbc.com.tr XSS notified by Babaconda / unfixed since 25/05/2008
www.hsbcprivatebankfrance.com XSS notified by ironzorg / unfixed since 25/04/2008
www.hsbc.fi.cr XSS notified by Venom23 / unfixed since 26/02/2008
www.hsbc.com XSS notified by Darkster / published on 26/07/2007 - fixed on 12/09/2007
monavenir.hsbc.fr XSS notified by takethis / published on 01/04/2007 - fixed on 21/08/2007

Protect your customers' privacy and security now! Leaving site-specific vulnerabilities open for days, weeks or months, can lead to substantial financial losses! :-/

We suggest that you subscribe your online properties to the XSS early warning mailing list.

Related News (Updated):
"HSBC scripting flaws play into the hands of phishers", John Leyden, The Register, 25 Jun 08

[Source: xssed]

ICANN and IANA domains hijacked by Turkish crackers

Written by Marcelo "Vympel" Almeida and Kevin Fernandez

Thursday, 26 June 2008

The ICANN and IANA websites were defaced earlier today by a Turkish group called "NetDevilz". ICANN is responsible for the global coordination of the Internet's system of unique identifiers. These include domain names, as well as the addresses used in a variety of Internet protocols.

The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources.
Their domains were redirecting to a hosting space at "atspace.com" where the defacers left the following message:

"You think that you control the domains but you don't! Everybody knows wrong. We control the domains including ICANN! Don't you believe us?"

Hijacked domains include "icann.com", "icann.net", "iana.com" and "iana-servers.com".

We reached the defacers by email but they refused to tell us how they changed the DNS records; however, a cross-site scripting or cross-site request forgery vulnerability might have been exploited.

[Source: xssed]

Internet Explorer ‘feature’ causing drive-by malware attacks

My colleague at Kaspersky Lab Roel Schouwenberg (see disclosure) has discovered a drive-by malware download taking advantage of what Microsoft describes as an Internet Explorer “feature” to launch cross-site scripting attacks.

The attack, discovered at a compromised legitimate site, is using a modified GIF file to exploit the cross-site scripting feature/vulnerability.

Schouwenberg said he reported the vulnerability to Microsoft a long time ago, warning the company that JavaScript embedded into GIF files can be executed under certain circumstances. Microsoft disagreed and the issue was never patched.

Fast forward to the latest site compromise — on a high traffic Web site — where a GIF file containing an embedded iFrame is pointing IE users to a known malicious site.  (The malicious site is currently offline but there’s evidence that it’s tied to ID-theft attacks).

“This is a step more advanced than today’s very common Web site compromises where some JavaScript gets added to the main page,” Schouwenberg said.  In this case, a “view source” at the compromised site will not reveal any malicious code, making swift analysis harder.

Schouwenberg has contacted Microsoft again to reconsider its position on this issue.

[Source: zdnet]

Critical security alert issued for Tor

If you use Tor for anonymity/privacy on the Web, you might want to pay attention to this critical security announcement from project leader Roger Dingledine.

According to the advisory, a known vulnerability in the Debian GNU/Linux distribution’s OpenSSL package could allow an attacker to figure out private keys generated by these buggy versions of the OpenSSL library. Because Tor uses OpenSSL, all private keys generated by affected versions of OpenSSL must be considered to be compromised.

The skinny:

Due to a bug in Debian’s modified version of OpenSSL 0.9.8, all generated keys (and other cryptographic material!) have a stunningly small amount of entropy. This flaw means that brute force attacks which are very hard against the unmodified OpenSSL library (e.g. breaking RSA keys) are very practical against these keys.

While we believe the v2 authority keys (used in Tor 0.1.2.x) were generated correctly, at least three of the six v3 authority keys (used in Tor 0.2.0.x) are known to be weak. This fraction is uncomfortably close to the majority vote needed to create a networkstatus consensus, so the Tor release changes these three affected keys.


The alert applies to Tor 0.2.0.x and/or any Debian/Ubuntu/related system running any Tor version.

Dingledine warned that a local attacker or malicious directory cache may be able to trick a client running 0.2.0.x into believing a false directory consensus, causing the client to create a path wholly owned by the attacker.

[Source: zdnet]

WordPress Blogs DoS Attack

Blogs were inaccessible for about 5 to 15 minutes in the 4 days that have passed since Saturday, when the attack started. Automattic, the company that maintains WordPress.com, was knee deep in the work laid before them by hackers all throughout this period and managed to restore most of the service’s original functions by yesterday afternoon.


Logging into accounts and posting was only the tip of the DoS (denial of service) attack. Spokesman Matt Mullenweg told PC World in an email that his company noted spikes of 6 gigabits (768 Mb) of incoming traffic. "Obviously that [is not good] and is pretty unusual for our service. […] All our people who can are working on the issue," he wrote. Automattic let the bloggers know about the problem via email.

The WordPress.com homepage was down for a longer period of time than the regular blogs because, Mullenweg said, "we sacrificed it in order to keep blogs and our users up." That’s a nice gesture, but it was the only one to be made under the given circumstances, due to the old time policy of "the customer is more important."

Various suppositions about the cause for the DoS attack were made and Joris Evers, spokesman for security research and software company McAfee, said that a distinct possibility was that it was caused by someone "who was upset about something that was written on a WordPress blog, and they decided to take action against that."

According to Wikipedia, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to, motives for, and targets of a DoS attack may vary, it generally consists of the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.

[Source: softpedia]

Google Reader Hacked?

Google has long fought spam and for a while it managed to fend it off with elegance and class, but it looks like spam has finally breached one of the last spam-free products on the web, Google Reader. The Google Groups forum, a place for users to complain about things falling apart or demand new features, now hosts a new thread created addressing the issue.

"How are these people's blogs showing up in my reader that I haven't added to my subscriptions? Lots of Ads or people I just don't know," the man starting the respective thread wrote. His claim to have been targeted by somebody using Reader to advertise his blog and deliver some unwanted content is backed by another user, claiming to have a similar problem: "In my iGoogle homepage where I have a widget (taken from Google reader I think?) allows me see my feeds. I am seeing a feed from something called 'best pics around.' This now is flooding the widget so that i no longer see any of my other feeds. However, when I go to my Reader there is no sign of this feed and I see my other feeds as normal but therefore I am unable to unsubscribe to this feed. I have no Friends shared items and I am logged in to my account."

[Image: An example of blog spam]

As spam by definition means unwanted messages, the above seems to describe exactly such an attack. Immediately, the thread was visited by a Google Reader guide that asked if by chance that wasn’t some other person’s Reader, out of which they might have forgotten to log out. Not likely, the two situations are different in nature, one having a gadget acting weird and the other the service itself.

A few distinct possibilities are plausible, as suggested by rustybrick of seroundtable.com. The first involves somebody hacking the accounts and adding the content explicitly, another would be the computer having been infected and injected with the new feeds. A site could have triggered this by automatically adding subscriptions to the accounts, but it hasn’t been heard of before. In case this happened to others as well, here’s the link to the thread, additional cases and input are always welcomed.

[Source: softpedia]

Google Responsible for Hacker’s Wrongdoings, McAfee Says

The wave of URLs that appeared to lead to Google, but were created by hackers for their devious deeds, has caught the eye of security company McAfee, and boy, were they mad about it. There’s no way not to be upset when you see that fraudsters turn one of the Internet’s symbols into a means of committing cybercrime, but at least there’s something Google can do about it. Unfortunately, so far it hasn’t, and that ticked McAfee off even more.


Just to prove how real the danger is, the security company created a similar link that began with the Mountain View-based company’s trademark URL and made it point to its site, Web User reports. Having made a point, Vino Thomas, a McAfee Avert Labs researcher, said that: "Although this type of technique is not necessarily new, the problem is that Google is not preventing the redirects to such sites. […] Google must be aware of this redirect abuse, and it's hard to understand why they don't prevent these redirects working for known bad file types or for spam and malware sites."

Google, on the other hand, said that whenever a notification proved to be true, it stopped the redirects from happening, but McAfee would not hear of it. It’s not clear what the security company is after and my guess is as good as any other, but I think that an algorithm, or a filter, is what the fuss is all about. The Mountain View-based company is famous for coming up with one of the two after any problem occurs, in order to fix it. The Googlebombs were defused in this manner and many sites have a security warning pop up before being accessed from the search results page. Why wouldn’t these work now?

[Source: softpedia]

Save Darfur Coalition’s Site Hacked from China

The Save Darfur Coalition is a non-profit group created to draw attention to the ongoing genocide caused by civil war in western Sudan’s Darfur region. Relying on the strong commercial agreements between China and Sudan, the group is trying to get the Asian country to pressure Sudan’s government into stopping the killing, but so far it has been unsuccessful. Furthermore, they have found their web site hacked, with an unauthorized party having gained access to the email and web server.

After checking the IP of the attacker, Brooks-LaSure, one of the group’s spokespeople, said that the computers used were based in China, and went on to note that probably "someone in Beijing is trying to send us a message." There were no signs of traditional hacking, such as messages left behind or malware installed on Save Darfur Coalition’s machine. Instead, the criminals seemed to have been more interested in gathering information and data about the group.


Other groups working towards the same goal might have been hit as well, Brooks-LaSure said, after noticing very carefully targeted emails that were closely connected with the ongoing situation. Installing malicious software was a given with the attacks, just the same as the attempts to poison the computers of pro-Tibetan activists discovered by security company F-Secure. The attempts to exploit one of the numerous Adobe Acrobat software security flaws were discovered in time, though, and those interested have been warned.

The Chinese involvement in both of the attacks mentioned above is not certain, as it has often been shown that computers in Asia are used as jump points by cybercriminals residing in totally different parts of the world. However, the number of attacks being traced back to machines in the Asian country is increasing every day. The Federal Bureau of Investigation is looking into the matter closely, according to spokeswoman Debbie Weierman.

[Source: softpedia]

No Sale for Hacked Vista Ultimate SP1 Laptop Together with Attack Code

The laptop running a copy of Windows Vista Ultimate Service Pack 1 hacked in the CanSecWest PWN2OWN 2008 challenge was listed for sale on eBay, but the sale did not go through. The starting bid for the auction of the Fujitsu U810 running Vista Ultimate SP1, claimed as part of the prize by the security researchers who hacked it at CanSecWest Vancouver 2008 at the end of the past week, was set at $0.01. However, the item did not last long enough on eBay for the bidding war to reach its end. In fact, the online auction site took down the laptop, arguing that it was infringing the site's terms of agreement.

[Image: Shane Macaulay (right) and Alexander Sotirov (left). Credits: TippingPoint]

Before it was pulled down, the listing for the hacked Vista SP1 laptop read: "This laptop is a good case study for any forensics group/company/individual that wants to prove how cool they are, and a live example, not canned of what a typical incident response situation would look like." Now, eBay only shows the following message: "this listing (280214168502) has been removed or is no longer available. Please make sure you entered the right item number. If the listing was removed by eBay, consider it cancelled. Note: Listings that have ended more than 90 days ago will no longer appear on eBay."

Shane Macaulay is a researcher with Security Objectives. You can see him in the image at the top of this article along with his friend Alexander Sotirov. After winning the Fujitsu U810 laptop with Vista Ultimate SP1 by exploiting a zero-day vulnerability in Adobe Flash, Macaulay offered the "spoils of war" via eBay. Macaulay stated that he simply wanted to see how much his zero-day exploit would be worth on the open market. Macaulay was helped by Derek Callaway (from Security Objectives) and Alexander Sotirov to hack Windows Vista Ultimate SP1, and back in 2007 he and security researcher Dino Dai Zovi hacked and won the Mac offered at the previous year's PWN2OWN competition.

A spokesperson for eBay explained that the site had pulled the Vista SP1 laptop listing because it violated the rule against selling items that can potentially cause harm. At the same time, Macaulay appears to have broken his non-disclosure agreement with TippingPoint, sponsor of the hacking challenge via the Zero Day Initiative. Macaulay did not have the right to disclose any details about the zero-day vulnerability in Flash until Adobe had patched it.

[Source: softpedia]

Vista SP1 Upgrade Hack Is Piracy

Eric Ligman, Microsoft US Senior Manager Small Business Community Engagement, has come out guns blazing with sarcasm following reports of a Windows Vista Service Pack 1 loophole which permits end users to perform clean installations of the operating system instead of upgrades. The workaround is nothing new and is only newsworthy because of Service Pack 1. In fact, as early as the delivery of Vista RTM, a hack which enabled a full and clean deployment of Vista from upgrade editions of the operating system (sold at reduced prices) became general knowledge. According to Microsoft, using the hack is the same as using pirated software, namely illegal.


"It seems that there are some people out there who don’t quite get the concept of an upgrade," Ligman stated. "Because of this, I am going to explain it again. You can buy a software full license that gets you the rights to install and run the software. You can buy a software upgrade license that allows you to upgrade from the full license you have to the upgraded product you purchased the upgrade for. To qualify for an upgrade license, you MUST have a full license to upgrade from first. Without the full license, you have nothing to upgrade from and an upgrade from nothing gets you nothing."

Ligman has taken sarcasm as far as drawing out the explanation of how users should install upgrade software in relation to the full license. Ligman went on to say that installing Vista upgrade editions without owning a full license for a previous version of the operating system is 100% illegal. At the same time, the Senior Manager Small Business Community Engagement indicated his discontent with the authors of materials which incite end users to perform illegal actions.

"While I really can’t believe I have to put that ridiculous note on my [words], just the fact that there are people writing articles advising people to illegally install software that they are not licensed for ‘because they can get it to physically install’ just shows how clueless some people are and how willing they are to share that with others. And just in case one of them happens to read this, I want to make sure they are not confused by the paragraph above. If you are one of those people, let me put it this way, ‘It is not ok to do so. It is BAD to do so.’ There, no words bigger than three letters, so that should hopefully be easy enough to follow," Ligman concluded.

Windows Vista Service Pack 1 Five Language Standalone for both 32-bit and 64-bit versions of the operating system is available for download.

[Source: softpedia]

Indian Government's Computers Hacked

Chinese hackers seem to be quite experienced these days as they manage to infiltrate any vulnerable system found out there, connected to the web. After lots of reports concerning Chinese hackers who managed to break into a certain computer, here's another one: the network belonging to the Indian Ministry of External Affairs got hacked a few days ago. The bad guys may come from China.

According to IRNA, the hackers invaded the systems due to some weaknesses in the security software, but nobody knows for sure whether the attackers aimed to access a certain type of data or not. However, there's no sensitive material on the hacked computers as this type of content is not hosted on systems with Internet connections, the same source reports, quoting Indian officials.


The Indian authorities should consider themselves pretty lucky that no important documentation was accessed, as the attackers usually have a specific target when attempting to break into official computers. However, this underlines, once again, the necessity of stronger security measures, no matter if we're talking about advanced software solutions or an experienced workforce able to implement high-end technologies.

It happened in the past, it happens again and it will probably happen in the future because authorities around the world aren't interested in improving the security of official computers until somebody manages to invade the system. Sure, it's quite dangerous for a hacker to attack such a system, because if he leaves any trace or evidence that helps the investigators identify him, the judges may have no mercy for him. However, such attacks occur every once in a while and they do nothing more than remind us that security is one of the main aspects to take care of when working with a computer handling important data.

[Source: News.softpedia]

Download Three Free Tools to Eradicate SQL Injection Attacks

An escalation in SQL injection attacks aimed at websites based on ASP and ASP.NET technologies has prompted Microsoft to take action. Immediately after the explosion of SQL injection exploits the Redmond company highlighted resources available for administrators to bulletproof websites, but initially offered only a set of guidelines and pointed to the collection of best practices documentation already available. In addition, Microsoft has coordinated the release of three free security tools designed to eradicate SQL Injection attacks.


"Today, Microsoft is releasing two new SQL injection defense and detection tools, URLScan 3.0 and Microsoft Source Code Analyzer for SQL Injection (MSCASI). We are also excited to announce the release of HP Scrawlr, a SQL injection detection tool developed by HP Web Security Research Group in conjunction with Microsoft. Each of these tools works differently and each attacks the SQL injection problem from a different angle, and in combination they complement each other well," revealed Bryan Sullivan, Security Product Manager SDL team.

What is important to note is that none of the vulnerabilities involved in the spate of SQL injection attacks are server-side. Microsoft has made it clear that there are no security holes to plug in the web server code; instead, weaknesses in the applications that handle end-user input are being exploited. When applications fail to adhere to the best practices guidelines outlined by Microsoft, input containing malicious code and syntax can be introduced into queries sent to the database, which could potentially compromise not only the database or a specifically targeted website but even the entire underlying web server.

"UrlScan version 3.0 Beta, a security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, the UrlScan helps prevent potentially harmful requests. Microsoft Source Code Analyzer for SQL Injection Community Technology Preview (June 2008), a tool that can be used to detect ASP code susceptible to SQL injection attacks. Scrawlr, a free scanner, developed by HP Web Security Research Group in conjunction with Microsoft, which will allow customers to identify whether their Web sites might be susceptible to SQL injection," explained Andrew Cushman, Director, Microsoft Security Response Center (MSRC).

UrlScan version 3.0 Beta is available for download here.
Microsoft Source Code Analyzer for SQL Injection Community Technology Preview (June 2008) is available for download here.
Scrawlr is available for download here.

[Source: softpedia]

How to Hack the Best Protected Computers!

After spending millions and more on software meant to protect computers from vicious attacks with ever-new viruses, loggers and whatnot, the simplest method turns out to work best, provided access to the PC is granted. It's simple and everybody can do it, but only somebody more experienced can actually capitalize on the possibility.

According to research conducted at Princeton University, the easiest and most certain way to hack a computer is to blast it with a burst of cold air. This changes the way the memory chip behaves: instead of losing its contents within seconds, the chilled DRAM chip retains them for minutes and even hours after the machine loses power.


Rebooting the hacked PC with a program that copies the memory contents is all it takes, and voila, all the bank accounts and passwords are a giveaway, not to mention the rest of the content of the hard drive. According to other polls and common sense, most stolen computers are laptops, and if they are not shut down when taken but are instead in hibernate or sleep mode, they are even more vulnerable.

"These risks imply that disk encryption on laptops may do less good than widely believed. [...] Ultimately, it might become necessary to treat DRAM as untrusted, and to avoid storing sensitive confidential data there, but this will not be feasible until architectures are changed to give software a safe place to keep its keys," according to the report, which was published last week by researchers from Princeton, Wind River Systems software company and the Electronic Frontier Foundation digital rights group.

The temperature required for this to work, the study showed, was -50 degrees Celsius, or about -60 degrees Fahrenheit.

[Source: News.softpedia]

New Zealand Teen Hacker Faces 10 Years in Jail

Owen Thor Walker, 18, a computer programmer from Hamilton, New Zealand, is facing up to ten years of jail time for allegedly being the head of an international cyber crime network. Additional charges brought against him are: accessing a computer for dishonest purposes on two counts, damaging or interfering with a computer system, possessing software for committing crime and an additional two counts of accessing a computer system without authorization. Also, the network is said to have turned thousands of computers into a botnet after infecting them.


He walked out on bail pending the verdict, under conditions not disclosed to the press. Walker was arrested in November 2007 as part of an international investigation into a cyber crime network accused of infiltrating 1.3 million computers and skimming millions of dollars from the victims’ bank accounts, news.cn reports.

Even more important than the sentence to be handed down to the teenager, the circumstances that led to his arrest showed that an international, cooperation-based network for Internet security is not the pipe dream many believe it to be. "We worked closely with U.S. and Dutch authorities on this investigation. This arrest is significant not just to New Zealand but the international community as well," police spokesman Detective Inspector Peter Devoy said. "Very few people who carry out this sort of offending are ever prosecuted so the resolution of this case has huge international implications," he told the cited source.

The international crackdown on hackers continues and the authorities hope to get some relevant information from Walker, as who the other members of the network are. That’s not likely to happen but here’s to hoping it does, and that one after the other, all of the criminal networks will be stopped. I wouldn’t hold my breath, though.

[Source: News.softpedia]

Honest Hacker Cracks F1 Malaysian Site

Here’s a good change from the usual security news that depict one worm or Trojan as the apocalypse, turning PCs into zombies and proud members of botnets. A hacker calling himself CuciOtak defaced the official website of the Malaysian F1 Grand Prix that is to take place this weekend. No claims and demands, no message, just a single picture of what seems to be a powder detergent box with a good punch line: Brain Wash: Removes even the TOUGHEST Propaganda.


Security firm F-Secure reported the find and explained that CuciOtak most likely modified the DNS information for the www.malaysiangp.com.my website, thereby redirecting all visitors to the spoofed page. This might come off as wrong, but I sincerely admire this guy, who made no attempt to serve malicious code to those interested in Formula 1. He is probably just trying to make a name for himself, the way hackers used to do in the good old days when the pages considered most secure started being attacked.

"There were no exploits or malware on the site. That would have been really bad, as this site must get tons of traffic right now," said F-Secure’s Mikko Hypponen. Formula 1 has grown to be a worldwide phenomenon in the past years, and the money going into it amounts to huge numbers. Just one circuit made a profit of £13.6 million in 2006, now multiply that by the total number of tracks and you’ll get just a glimpse of the cash. There’s advertising involved as well, nobody can miss the various brands on the side panels and on the cars themselves.

Despite causing some inconvenience to the fans, this type of hack would be preferred any other day over the ones delivering malware, and it doesn’t take an Einstein to see it.

[Source: News.softpedia]

Pornography Makes New Victims, Brings Hackers on Government's Site

Hackers are always looking for new targets for their attacks but, in case somebody instigates them, hacking a certain website becomes their main priority. This is what probably happened in Indonesia, where some hackers attacked the official website of the country's information ministry after the government tried to promote a law that prohibits the distribution of pornographic material on the web. According to Reuters, any person found guilty of "transmitting pornographic material, false news or racial and religious hate messages" on the web may spend the next six years in prison or pay a fine of approximately $100,000.


On Thursday, the hackers managed to break into the website and posted a message saying: "Prove that the law has not been made to cover government stupidity" along with "a mocked-up photograph of a local information technology expert, who has been advising the government on the new law, depicted with a bare chest," Reuters reports. Although the website has been taken offline, several screenshots were captured and posted on the Internet.

At this time, the page is supposed to be up and running, but it doesn't work for me although I've tried to load it at different times of the day.

This is not the first time hackers have managed to infiltrate a government website, and it should set off an alarm for the people in charge of the security of these pages. Just think that hacking these official websites and accessing the data stored on the server may also expose private information, which would obviously be a critical moment for the national security of the affected country.

However, let's just hope that pornography is not a reason to make too much damage no matter how addicted you are and what laws your government is trying to promote.

[Source: News.softpedia]

Auto Website Hacked, 56,000 People in Danger

An ingenious hacker managed to infiltrate the Advance Auto Parts website and gain access to information belonging to approximately 56,000 consumers, the affected company explained in a security notice published on its main page. No less than 14 stores in the US were affected by the attack, so people who have recently bought products from them may be in danger. The company has already started sending letters to the affected consumers, and a toll-free number is available to all those who want more information about the intrusion: 1-800-704-1154. Obviously, the case has already been reported to the police, so the on-going investigation may reveal new details anytime soon.


"We sincerely apologize for any inconvenience this attack on our network may cause. Advance Auto Parts has been dedicated for the past 75 years to earning customer trust and for providing Legendary Customer Service. We strive to serve each and every customer better than anyone else," said Darren Jackson, President and Chief Executive Officer. "We truly appreciate the business of each Advance Auto Parts customer."

We've seen similar attacks in the past, so security companies around the world - the ones which fight for better security measures and obviously struggle to block such attempts - underline the need for more powerful technologies to protect the data. Sophos is one of the security companies that commented the case: "Advance Auto Parts joins a growing list of companies who have suffered from an embarrassing data breach, and this news may rattle the confidence of customers," said Graham Cluley, senior technology consultant for Sophos. "All firms would be wise to look long and hard at their own security to make sure that they are doing everything possible to reduce the chances that they will be the next to fall victim."

[Source: News.softpedia]

Hackers Attack Architects' Database

Hackers show no mercy when infiltrating a system, no matter if we're talking about hospitals, morgues or churches. These malicious people have attempted to infiltrate the Royal Institute of British Architects, also known as RIBA, but, according to The Register, no important damage was recorded. The same source informs that the database and no less than 1,200 other organizations in the United Kingdom and in the United States were assaulted by somebody, apparently based in China, although no reason could be discovered.

"Neither the RIBA nor other organizations contacted have yet found any evidence of fraudulent activity or attempts to extract information from the databases," The Register informs, citing a RIBA representative. The hacker "planted a web address on the databases. The source has been traced to an organisation in China known for its large scale spamming. We cannot be certain of the purpose but it is likely to be the capture of email addresses."


RIBA states that no details were stolen from the database, but the affected members should keep an eye on their bank accounts and report any suspicious activity.

This type of attack occurs every once in a while, especially when spammers attempt to steal a large database of emails to be used afterwards for spamming purposes. Just imagine that infiltrating the servers of 1,200 organizations would bring a huge number of valid emails, which are to spammers what water is to fish.

As usual, better security measures are welcome, but most companies choose to improve their security only after hackers manage to infiltrate their servers. For instance, RIBA temporarily closed access to the database until more information concerning the intruder is collected. The Metropolitan Police has already been notified about the case, so keep an eye on the news to find out more.

[Source: News.softpedia]

Hackers Postpone CNN Attack

The short story so far: a pro-China hacker group that considered an article published by CNN offensive to their country prepared what they wanted to be a destructive attack on the website, in a move to take the page down. The attack was first scheduled for April 19 but, in a statement published by a member of the group, the hackers announced its delay. According to Dark Visitor, a blog which translated the hackers' statement, they postponed the attack because too many people were informed about their plans.

"Our original plan for 19 April has been canceled because too many people are aware of it and the situation is chaotic. At an unspecified date in the near future, we will launch the attack. We ask that everyone remain ready. I will repeat it again. At an unspecified date in the near future, we will launch the attack. We are only at present cancelling the attack. We could send out a notice on the day of the attack and have it completed in one day. The attack hasn’t been cancelled; it will be carried out on an unspecified day in the near future. I think everyone understands what we mean," the hacker group, nicknamed "Revenge of the Flame", explained according to Dark Visitor.


Although the hackers delayed the assault, it seems like some of the members couldn't be stopped and launched the attack over CNN's website on Saturday. Jose Nazario of Arbor Networks, a traffic monitoring company, wrote on Saturday that some attacks targeting CNN's servers were spotted, but nothing that could take the website down.

"So far there have been a few attacks seen by ATLAS (a few SYN and ICMP floods), but nothing too big. All of the attacks have been under 100 Mbps as we can see, well under the mean attack size we typically see. More attacks to report, with greater intensity. It looks like some people still giving this a go," he wrote.

CNN confirmed the attacks and admitted that traffic had been filtered a few days earlier, with some of its Asian users affected by the restrictions. "CNN took preventative measures to filter traffic in response to attempts to disrupt our Web site. A small percentage of CNN.com users in Asia are impacted. We do not know who is responsible, nor can we confirm where it came from," the company said in a statement.

ICANN and IANA’s domains hijacked by Turkish hacking group

What happens when the official domain names of the organizations that issue domain names in general, and provide all the practical guidance on how to prevent DNS hijacking, end up having their own domain names hijacked? A wake up call for the Internet community.

The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority, were hijacked earlier today by the NetDevilz Turkish hacking group, which also hijacked Photobucket’s domain on the 18th of June. Zone-H mirrored the defacements, some of which still remain active for the time being:

The ICANN and IANA websites were defaced earlier today by a Turkish group called “NetDevilz”. ICANN is responsible for the global coordination of the Internet’s system of unique identifiers. These include domain names, as well as the addresses used in a variety of Internet protocols. The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources.

NetDevilz left the following message on all of the domains :

“You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us? haha :) (Lovable Turkish hackers group)”

The following domains were hijacked, and some of them still return the defaced page - icann.net; icann.com; iana-servers.com; internetassignednumbersauthority.com; iana.com.

The hackers are once again redirecting the visitors to Atspace.com, in particular the ISP that they used in the Photobucket DNS hijacking. And while Photobucket hasn’t issued an official statement on the DNS hijack, Atspace.com did so last week, a copy of which you can find here.

The NetDevilz hacking group seems to be taking advantage of a very effective approach when hijacking domain names, and while they declined to respond to an email sent by Zone-H on how they did it, cross-site scripting or cross-site request forgery vulnerability speculations are already starting to take place.

One thing’s for sure though, if the ICANN and IANA can lose control of their domains, anyone can.

[Source: zdnet]

Yahoo swats serious cross-site scripting bug

Web application security firm Cenzic has flagged a serious cross-site scripting vulnerability affecting millions of Yahoo Mail users.

The flaw, which was patched by Yahoo on June 13, opened the door for hackers to steal Yahoo identities and gain access to users’ sensitive and private information.

The skinny, via a Cenzic advisory:

If the attacker is using the Yahoo! Messenger desktop application to chat with the victim, and the victim is using the Messenger support in the new Yahoo! Mail Web application, it will cause a new chat tab to open in the victim’s browser. While chatting, the attacker can change their status to “invisible” causing a message of “offline” in the chat tab of the victim. The vulnerability occurred when the attacker then changed status, and sent a custom message containing a malicious string in the form of a status message of “online,” with the script executed in the context of Yahoo! Mail on the victim’s machine. This allowed an attacker to get active access to the victim’s session ID, and in turn steal their Yahoo! identity, exposing sensitive personal information stored in their Yahoo! account.

[ ALSO SEE: Firefox raises barrier to cross-site scripting attacks ]

[Source: zdnet]

Russian hackers planning attacks against Baltic countries and Ukraine

Recent Tweets on Twitter are pointing to grumblings in the blogosphere around suspicion of a planned attack against Baltic countries and the Ukraine. An article posted at The Baltic Course describes the planned attacks, as originally reported by Estonian television channel ETV24:

Recently, there have been multiple appeals in Russian Internet forums, calling for Russian hackers to unite and launch a large-scale attack on Internet websites of Latvian, Lithuanian and Estonian government institutions.

Russian hackers are dissatisfied with “the way Russian-speakers are treated in the Baltic countries”, and the ban on use of Soviet and Communist symbols.

Ukraine, on the other hand, has caused Russian hackers’ disapproval with its NATO aspirations.

“All the hackers of the country have decided to unite, to counter the impudent actions of Western superpowers. We are fed up with NATO’s encroachment on our motherland, we have had enough of Ukrainian politicians who have forgotten their nation and only think about their own interests. And we are fed up with Estonian government institutions that blatantly re-write history and support fascism,” says the appeal that is being circulated on Russian Internet forums.

Russian hackers plan to replace the original content of the websites that they hack into with huge red stars and photographs of Soviet soldiers.

This would not be the first politically motivated attack by Russian hackers against another country. Hopefully the advance notice will help these governments prepare somewhat.

[Source: zdnet]

Zero-day flaw haunts Internet Explorer

An unpatched cross-domain vulnerability in Microsoft’s flagship Internet Explorer browser could expose Windows users to cookie hijacks and credentials theft attacks, according to a warning from security researchers.

The zero-day flaw, which has been reported to Microsoft, is a variation of Eduardo Vela’s IE Ghost Busters talk:

Do you believe in ghosts? Imagine an invisible script that silently follows you while you surf, even after changing the URL 1,000 times and you are feeling completely safe. Now imagine that the ghost is able to see everything you do, including what you are surfing and what you are typing (passwords included), and even guess your next move.

No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross-domain. Also, we will go through the steps of how to find cross-domains and resident scripts.

Details of the new variation have been posted online by the Ph4nt0m Security Team (translation here).

It affects Internet Explorer 6 on Windows XP SP2 and SP3. The new IE 7 browser is not affected because Microsoft changed the way Javascript protocol URLs are handled to prevent these types of attacks.

Security researcher Aviv Raff has created a test page that confirms the attack vector in IE 6. This screenshot shows a script loaded in one domain (raffon.net) showing a cookie of a different domain (google.com):


In the absence of a patch, IE users are strongly encouraged to upgrade to IE 7. Or, as always, consider using an alternative browser.

UPDATE: An alert from US-CERT spells out the risks:

This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary script in the context of another domain. This could allow an attacker to take a variety of actions, including stealing cookies, hijacking a web session, or stealing authentication credentials.

Secunia rates this a moderately critical issue.

[Source: zdnet]

Trojan exploiting unpatched Mac OS X vulnerability in the wild

The source code of a trojan horse exploiting last week’s uncovered local root escalation vulnerability in Mac OS X 10.4 and 10.5 has been released in the wild, allowing malicious attackers to take advantage of the ARDAgent-based trojan in what appears to be a very short vulnerability-to-malware cycle, since the trojan template was released on the same day as details of the vulnerability emerged.

Discussion and release of the source code originally took place at the Mac Shadows forums, whereas the source code is now circulating across many other forums and IRC chat rooms, including several popular ones mainly visited by Chinese script kiddies.

According to an advisory issued by SecureMac last week :

SecureMac has discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing the Trojan horse through iChat and Limewire. The source code for the Trojan horse has been distributed, indicating an increased probability of future variants of the Trojan horse.

The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing. The Trojan horse exploits a recently discovered vulnerability with the Apple Remote Desktop Agent, which allows it to run as root.

Compared to this week’s reported PokerStealer trojan horse targeting Mac OS X users, which tries to trick them into granting the malware administrator capabilities, the ARDAgent-based trojan does it automatically, unless of course you’ve already taken care of the issue while waiting for an official fix.

The author of the trojan, Andrew, even left a copyright notice within; however, it appears that the source code for the trojan isn’t a one-man operation, but the result of a collaborative discussion aiming to add as many modules as possible. Here’s what he thinks of OS X security, according to his own statement:

    “Apple tells us that OS X is safe and secure and fails to actually confirm that it is so on their own. We are left to experiment and test our own security and too often we discover that we aren’t actually as secure as we were led to believe,” Andrew said in an e-mail. “When you are seeking information about how to secure your own system, frequently the best sources of that information are hackers, not the vendors.”

Going full-disclosure with the idea to shorten the time until a patch is released by the vendor for the sake of closing the “window of opportunity” for malicious abuse of the vulnerability is one thing, releasing a do-it-yourself trojan template in a vulnerability-to-malware fashion is entirely another.

[Source: zdnet]

New BBB trojan attacks

We're seeing some new BBB trojan attacks going around.

This attack method is well-known and has been occurring for months: A high-level executive inside an organization receives an e-mail that mentions a complaint supposedly made to the Better Business Bureau (USA). The e-mail appears to be credible and links to a site in order to download the complaint. The download claims to require IE and ActiveX in order to succeed. Once ActiveX is enabled, the site drops a backdoor on the system.

The message looks like this:

This would be fairly convincing to most recipients, especially since the real company and individual names are used.

The message links to a page under us-bbb.com (the real BBB site is at us.bbb.org).

The site was running over the weekend, was down today on Monday and then just reappeared — with a modified version of the malware.

If the recipient enables ActiveX, the site sends the system a CAB file which gets automatically installed as Acrobat.exe — and displays this:

In reality, it's just installed a backdoor (which we detect as an Agent variant).

Nasty stuff. Watch out.

[Source: f-secure]

SQL Injection Continues

A couple of weeks ago we blogged about mass SQL injections. After that it went quiet but the attacks have now started again, this time pointing to several different domains.

During the last few days we've seen the same type of encoded SQL script as in the previous case being inserted into ASP/ASP.NET pages. The scripts point to the following domains:

All of the domains above are pointing to IP addresses in China.


Just like last time the scripts attempt to use several exploits to infect the user's computer.

[Source: f-secure]

Vulnerability Descriptions

We now have vulnerability descriptions available from www.f-secure.com/vulnerabilities.

Here's an example of one:

First discovered on March 26th, Mozilla Thunderbird reported cross-site scripting and security bypass vulnerabilities which can be exploited by remote attackers. Mozilla recently (May 1st) released version to mitigate these vulnerabilities.


For more information, read Security Advisory SA29548.

You can use Health Check to determine if you have vulnerable software installed.

And you can update to the latest version of Mozilla Thunderbird from here.

[Source: f-secure]

SQL Injection Attacks Becoming More Intense

The mass SQL injection attacks we've mentioned here and here are increasing in number and we're seeing more domains being injected and used to host the attack files. We believe that there is now more than one group using a set of different automated tools to inject the code.

Previously, these attacks have primarily pointed to IP addresses in China and we've seen the following domains being used in addition to the ones we've mentioned previously:

We've now seen other domains being used as well such as direct84.com which is inserted by an SQL injection tool (detected as HackTool:W32/Agent.B) distributed to the Asprox botnet. SecureWorks has a nice write-up available. The direct84.com domain fast-fluxes to several different IPs in Europe, Israel and North America.


The injected link eventually leads to a backdoor detected as Backdoor:W32/Agent.DAS.

This is a good time to again mention that it's not a vulnerability in Microsoft IIS or Microsoft SQL that is used to make this happen. If you are an administrator of a website that is using ASP/ASP.NET, you should make sure that you sanitize all inputs before you allow it to access the database.

There are many articles on how to do this such as this one. You could also have a look at URLScan which provides an easy way to filter this particular attack based on the length of the QueryString.
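To show what a length-based filter of the kind URLScan applies looks like when run over web server logs, here is an added example that is neither F-Secure's nor Microsoft's code. It parses IIS W3C extended log lines, flags any request whose query string exceeds a configured limit (the idea behind URLScan's MaxQueryString setting), and adds a second heuristic of my own for long runs of hex digits. The log lines and the 2048-byte limit are constructed for the example; the limit is an assumption, not a recommendation from the post.

```python
# Added example: flag over-long or hex-heavy query strings in IIS logs.
import re

# Constructed W3C extended log excerpt (not real traffic). The last request
# carries a query string padded with 2200 hex characters.
SAMPLE_LOG = (
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status\n"
    "2008-05-09 10:01:02 192.0.2.10 GET /products.asp id=42 200\n"
    "2008-05-09 10:01:03 192.0.2.11 GET /default.asp - 200\n"
    "2008-05-09 10:01:04 192.0.2.77 GET /products.asp id=42;0x" + "41" * 1100 + " 200\n"
)

# My own heuristic: 128 or more consecutive hex digits is unusual in a
# query string meant for a product page and is worth a look.
HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}){64,}")


def parse_w3c(text: str):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # cannot map this line to the declared columns; skip it
        yield dict(zip(fields, values))


def flag_requests(text: str, max_query: int = 2048) -> list:
    """Return (client ip, uri stem, query length, reasons) for suspect requests."""
    flagged = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":  # IIS writes '-' when there is no query string
            continue
        reasons = []
        if len(query) > max_query:
            reasons.append("query string too long")
        if HEX_RUN.search(query):
            reasons.append("long hex run")
        if reasons:
            flagged.append((rec["c-ip"], rec["cs-uri-stem"], len(query), reasons))
    return flagged


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

A length limit is a blunt instrument: it blocks this particular attack because the injected statement is long, but a shorter payload passes, which is why the filter is a stop-gap next to fixing the queries themselves.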


[Source: f-secure]

Debian OpenSSL Vulnerability

Debian's OpenSSL packages versions 0.9.8c-1 up to 0.9.8g-9 are affected by a highly critical vulnerability which may lead to weak cryptographic keys and potentially compromise the system.

The vulnerability is due to the random number generator in Debian's OpenSSL package being more predictable, which might allow an attacker to conduct brute force guessing attacks and decipher cryptographic keys used in SSH, OpenVPN, DNSSEC, X.509 certificates, and session keys used in SSL/TLS connections.

Also, an unspecified weakness in the Datagram Transport Layer Security implementation can be exploited by remote attackers to cause a denial of service condition and potentially compromise the vulnerable system.

Update the OpenSSL package from Debian and recreate all cryptographic keys to mitigate.
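Recreating keys is only half the job: keys generated on an affected machine may already sit in other hosts' `authorized_keys` files. The following is an added example, not Debian's or F-Secure's code, showing the audit approach Debian took with its openssh-blacklist package and ssh-vulnkey tool: fingerprint each public key and look it up in a set of known-weak fingerprints. The keys, the blacklist and the SHA-256 fingerprint format are all constructed for this example and do not match the real blacklist files.

```python
# Added example: audit authorized_keys entries against a weak-key blacklist.
import base64
import hashlib


def _ssh_string(b: bytes) -> bytes:
    """Encode one SSH wire-format string (4-byte big-endian length + bytes)."""
    return len(b).to_bytes(4, "big") + b


def constructed_key(keytype: str, modulus: int, comment: str) -> str:
    """Build a constructed authorized_keys line. The blob has the wire shape
    of a public key but is NOT a usable key; it only exists for the example."""
    blob = (_ssh_string(keytype.encode())
            + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(modulus.to_bytes(32, "big")))
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


def key_fingerprint(line: str) -> str:
    """Hex SHA-256 over the decoded key blob, ignoring options and comment."""
    fields = line.split()
    # Entries may start with options such as from="..." or no-pty; the blob
    # is the field right after the key type.
    for i, field in enumerate(fields[:-1]):
        if field.startswith("ssh-"):
            return hashlib.sha256(base64.b64decode(fields[i + 1])).hexdigest()
    raise ValueError("no key type found in entry")


# Constructed blacklist: fingerprints of keys we decide to treat as weak.
BLACKLIST = {
    key_fingerprint(constructed_key("ssh-rsa", 0x1234, "x")),
    key_fingerprint(constructed_key("ssh-dss", 0x5678, "y")),
}

# Constructed authorized_keys contents; line 3 is the blacklisted key.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    constructed_key("ssh-rsa", 0xDEADBEEF, "bob@desktop"),
    constructed_key("ssh-rsa", 0x1234, "alice@laptop"),
    'no-pty ' + constructed_key("ssh-dss", 0xCAFE, "ci@build"),
])


def audit_authorized_keys(text: str, blacklist: set) -> list:
    """Return (line number, comment) for every entry whose key is blacklisted."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if key_fingerprint(entry) in blacklist:
            hits.append((lineno, entry.split()[-1]))
    return hits


if __name__ == "__main__":
    for lineno, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print(f"line {lineno}: key for {comment} is on the blacklist")
```

The comment field is ignored when fingerprinting, so renaming a key does not hide it; only replacing the key material clears the hit.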

For more information read our vulnerability report and Debian's announcement.

[Source: f-secure]

May's Microsoft Updates

It's time once again for monthly updates from Microsoft.

MS Updates for May 2008

Microsoft Office Word and Publisher reportedly have Remote Code Execution vulnerabilities which could be exploited by remote attackers. Various Office versions are affected.

The three vulnerabilities are highly critical and we recommend users to apply the latest updates.

Microsoft Malware Protection Engine, a component of their antivirus products, reportedly has two denial of service vulnerabilities. The vulnerabilities can be exploited remotely and can cause the malware engine to stop responding or to restart while scanning a specially-crafted file. It may also exhaust available disk space.

The issue of specially-crafted files affected all antivirus vendors. We fixed it a few months ago with automatic hotfixes. You can read the Security Bulletins here and here.

Click here for more information on Microsoft's Updates.


Motorola Razr Vulnerability

In mobile news: TippingPoint has reported a JPEG Processing Stack Overflow Vulnerability affecting firmware based Motorola Razr phones. The vulnerability was discovered last summer. New Razr shipments will not be affected as Motorola has produced a fix for the issue.

Motorola Razr

The vulnerability allows remote attackers to execute arbitrary code on vulnerable Motorola Razr firmware based cell phones.

From TippingPoint:

A corrupt JPEG received via MMS can cause a memory corruption which can be leveraged to execute arbitrary code on the affected device.

So some user interaction is required — accepting the MMS. However, people by and large trust image files, so that isn't a difficult social engineering challenge.
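The defensive side of a bug like this is a decoder that checks every length field against the data it actually has before copying anything. As an added example, not TippingPoint's or Motorola's code and not a reconstruction of the Razr's decoder, here is a bounds-checked walk over JPEG marker segments that rejects a segment whose declared length runs past the end of the file. The two sample files are constructed byte strings, not real images.

```python
# Added example: bounds-checked JPEG marker segment walk.
import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
MAX_SEGMENT_PAYLOAD = 65533  # 16-bit length field minus its own 2 bytes


def parse_segments(data: bytes) -> list:
    """Return [(marker, payload_length)] for the header segments of a JPEG.
    Raise ValueError instead of trusting a length that exceeds the data."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    segments = []
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        if marker == EOI:
            return segments
        if 0xFFD0 <= marker <= 0xFFD7 or marker == 0xFF01:
            segments.append((marker, 0))  # RSTn and TEM carry no length
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length field")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        if length < 2:
            raise ValueError("segment length below minimum of 2")
        payload = length - 2
        # The check a decoder must make before copying the segment anywhere:
        if payload > MAX_SEGMENT_PAYLOAD or pos + length > len(data):
            raise ValueError(
                f"segment {marker:#06x} declares {length} bytes past end of data")
        segments.append((marker, payload))
        pos += length
        if marker == SOS:
            # Entropy-coded scan data follows; only confirm the file ends properly.
            if data.find(b"\xff\xd9", pos) < 0:
                raise ValueError("missing EOI after scan data")
            return segments
    raise ValueError("missing EOI marker")


def is_well_formed(data: bytes) -> bool:
    """Convenience wrapper: True if every header segment fits in the data."""
    try:
        parse_segments(data)
        return True
    except ValueError:
        return False


# Constructed minimal file: SOI, one APP0 segment (length 16), EOI.
GOOD_JPEG = b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9 + b"\xff\xd9"

# Constructed malformed file: APP0 claims 65535 bytes but only 4 follow.
BAD_JPEG = b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 0xFFFF) + b"JFIF" + b"\xff\xd9"


if __name__ == "__main__":
    print(parse_segments(GOOD_JPEG))
    print("bad file accepted:", is_well_formed(BAD_JPEG))
```

The length field is the attacker-controlled value here; a decoder that uses it as a copy size into a fixed stack buffer without the comparison shown above is exactly the shape of a stack overflow in an image parser.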

On a positive note, the Razr uses a proprietary OS and the "knowledge base" is limited to enthusiasts and modders. But there are modders out there. Popular hardware always generates a crowd of recreational hackers, e.g. iPhone.

Perhaps we'll see this JPEG exploit used to simplify unlocking older Razrs. Jailbreaking the iPhone was simplified by a TIFF handling exploit after all.

We probably won't see any malware as a result of this vulnerability. Still, one interesting thing to consider is that if a Razr were to be exploited by this, the user wouldn't be able to undo the damage without a reinstall of the firmware. Being a closed OS, there is no hard reset available as there is with many smartphones.

Updates are available for older Razr models via Motorola.

[Source: f-secure]

June Updates

Microsoft released their monthly updates yesterday. There are three critical updates.

The Security Bulletin Summary for June 2008 has more details.


Apple also released a security update yesterday for QuickTime. Users should update to version 7.5.

Apple's Software Update is one method:


Apple's security article has additional details and you can also read our vulnerability report.

In other updates, Skype 3.8 was released last week. You can read vulnerability report SA30547 for details, and can download the latest version from Skype.com.

[Source: f-secure]

Two New Mac OSX Trojans

A report of an Apple Remote Desktop Agent vulnerability recently surfaced. Now there's news of a trojan that can exploit the flaw.

The exploit tool, called "Applescript Trojan horse template" was crafted by forum participants of MacShadows.com. These guys appear to have been hobbyist hackers interested in testing the ARDAgent vulnerability. It doesn't appear to be in the wild at present. We detect it as Backdoor.Mac.Hovdy.a.

What's the ARDAgent flaw? In a nutshell, ARDAgent runs Applescript with root privileges. So once the victim is tricked into installing Hovdy, no user passwords are required for it to do its thing, which is provide backdoor access to the attacker.

You can read more details from Security Fix here and here. SecureMac's advisory is here.

Trojan number two:

There was also another Mac OSX trojan discovered last week.

This one was found by Intego. We detect it as Trojan-PSW:OSX/PokerStealer.A.

Response Analyst Mark G. performed our analysis and provided the following details:

PokerStealer.A heavily relies on social engineering. It comes with the filename PokerGame.app (180Kb), sounds interesting, right?


However, once executed, it will prompt the user for a password.


It checks the provided password to see if it matches the username of the machine. If not, it will ask again. It needs the user's password to continue.

What happens behind the scenes is the following: It enables the SSH of the infected machine by running; It acquires the local IP address, subnet mask, private IP address of the router (domain), public IP address by querying via the Internet; It gets the version of OSX, recovers its hash and saves it to a file named secret_file.

After all the necessary information has been gathered it then sends the information to a specific e-mail address with a subject of Howdy and the message details include username, password, and IP addresses.

With the e-mailed information, the attacker can perform routines from a remote location through SSH without the user knowing it and may even take control of the infected machine.

The PokerStealer.A trojan appears to have been written by someone with more than just hobbyist level motivations.

PokerStealer's infection is limited by the password requirement.

So what do you think happens next?

That's right. The author of PokerStealer (motivated by profit) is going to seek out the hobbyist's "Applescript Trojan horse template" and will reduce the infection steps of PokerStealer.A to simply running an application named "Poker Game".

How many Mac users do you think like to play poker?

[Source: f-secure]