CyberInsecure.com

Daily cyber threats and internet security news alerts
July 4th, 2008

Storm Botnet Celebrates The Independence Day With New Wave Of Malware Spam

The group behind the Storm botnet has always been conscious of timing, and this time it has started a new malware spam wave themed, of course, around Independence Day. The messages direct the user to click a link that encourages the intended victim to download an infected fireworks.exe file.

The Storm botnet launched the latest campaign on June 3rd. Here’s a partial list of subject lines seen in the latest spam messages:

Amazing Independence Day salute
Amazing firework 2008
America for You and Me
America the Beautiful
Celebrate Independence
Celebrate with Pride
Celebrating Fourth of July
Celebrations have already begun
Fabulous Independence Day firework
God bless America
Happy Fourth of July
Happy Independence Day
Independence Day firework broke all records
Light up the sky
Proud to be an American
Sparkling Celebration of Independence Day
Spectacular fireworks show
Stars and Strips forever
Super 4th!
The best firework you’ve ever seen
The best of 4th of July Salute
Well done 4th!

The body of the messages is similar to previous campaigns, with a one line phrase followed by an IP address, such as:

Amazing Independence Day salute http://123.456.789.000/
Amazing Independence Day show http://123.456.789.000/
Bright and joyful Fourth of July http://123.456.789.000/
Celebrate the spirit of America http://123.456.789.000/
Celebrating Fourth of July http://123.456.789.000/
Celebrations have already begun http://123.456.789.000/
Light up the sky http://123.456.789.000/
Proud to be an American http://123.456.789.000/
Stars and Strips forever http://123.456.789.000/
The best firework you’ve ever seen http://123.456.789.000/
Well done 4th! http://123.456.789.000/
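
The message shape described above (a one-line phrase followed by a URL whose host is a bare IP address) can be expressed as a mail-filter heuristic. The following Python is an added example, not code from the original article; the function names, the word limit, the root-path check and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# A URL token at the very end of the (stripped) line.
URL_AT_END = re.compile(r"(https?://\S+)$", re.IGNORECASE)
# Dotted-quad *shape*: also matches redacted hosts such as 123.456.789.000,
# which a strict IP parser rejects.
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumption: the lure phrases listed in the article are all short.
MAX_PHRASE_WORDS = 10


def classify_host(host):
    """Return 'ip' for a valid IP literal, 'ip-shaped' for a dotted quad
    that is not a valid address, and 'name' for anything else."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    return "ip-shaped" if DOTTED_QUAD.match(host) else "name"


def inspect_body(body):
    """Check a plain-text mail body against the pattern the article
    describes: exactly one line, a short phrase, then a bare-IP URL."""
    result = {"suspicious": False, "host": None, "host_kind": None, "reason": ""}
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if len(lines) != 1:
        result["reason"] = "body is not a single line"
        return result
    match = URL_AT_END.search(lines[0])
    if match is None:
        result["reason"] = "line does not end in a URL"
        return result
    phrase = lines[0][:match.start()].strip()
    try:
        parts = urlsplit(match.group(1))
        host = parts.hostname or ""
    except ValueError:
        result["reason"] = "URL could not be parsed"
        return result
    result["host"] = host
    result["host_kind"] = classify_host(host)
    if result["host_kind"] == "name":
        result["reason"] = "URL host is a DNS name"
    elif parts.path not in ("", "/") or parts.query:
        # Assumption taken from the article's samples: links go to the site root.
        result["reason"] = "URL points below the site root"
    elif not phrase or len(phrase.split()) > MAX_PHRASE_WORDS:
        result["reason"] = "no short lure phrase before the URL"
    else:
        result["suspicious"] = True
        result["reason"] = "one-line phrase followed by bare-IP URL"
    return result


# Constructed sample bodies. 192.0.2.0/24 is a documentation range (RFC 5737);
# "page_redacted" reuses the placeholder address printed in the article.
SAMPLES = {
    "storm_like": "Light up the sky http://192.0.2.44/",
    "page_redacted": "Proud to be an American http://123.456.789.000/",
    "named_host": "Your invoice is ready https://billing.example.com/inv/123",
    "router_note": "Router UI is at http://192.0.2.1/admin/status",
    "newsletter": "Hello all,\nThe July issue is out.\nhttp://news.example.org/july",
}


def scan(samples):
    """Return the names of the samples flagged as suspicious, in order."""
    return [name for name, body in samples.items()
            if inspect_body(body)["suspicious"]]


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict = inspect_body(body)
        print(f"{name:14} suspicious={verdict['suspicious']!s:5} {verdict['reason']}")
```

The heuristic flags only the structure of the body, so it is best used as one scoring signal alongside subject-line and sender checks rather than as a sole verdict.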

Visiting the IP address would bring up a page with a fake online video player and a picture of fireworks inside the player. The following text is included below the image:

Colorful Independence Day events have already started throughout the country. The largest firework happens on the last weekday before the Fourth of July. Unprecedented sum of money was spent on this fabulous show. If you want to see the best Independence Day firework just click on the video and run it.

Users attempting to watch the fireworks video will instead be infected by malicious code.

The “video” links to an executable called fireworks.exe. In addition, the site loads an invisible iframe that serves obfuscated malicious JavaScript (ind.php).


  • July 3rd, 2008

    Data Breach At Benefits Company Affects Google Employees

    Google employees hired before 2006 have been warned to watch out for possible attempts to steal their identities.
    InformationWeek reports that in a letter last month, Google attorney Lewis A. Segall alerted New Hampshire Attorney General Kelly A. Ayotte that computers had been stolen from Colt Express Outsourcing Services, a third-party employee benefits administrator for Google and other companies, in early June.

    Segall did so by forwarding a copy of the letter from Google’s director of corporate security and safety, Marty Lev, to employees affected by the Colt breach.

    The information contained on the computers related to current and former Googlers who were with Google before December 31, 2005; Googlers hired after December 31, 2005 were not affected because a new benefits administrator has been used since that time. Specific personal information for employees and dependents included names, Social Security numbers, birth dates, addresses, hire dates, and relationships, but not driver’s license numbers, credit card numbers, bank account numbers, passwords, or PINs for any financial account.

    Google’s letter says there is no evidence any personal information on the stolen computers has been misused. As a precautionary measure, the company is offering to enroll affected employees in Kroll’s IDTheftSmart identity and credit protection program for a year.

    In a July 1 blog post, Microsoft developer Danny Thorpe, a former Google employee, said he had received such a letter.

    In response to the credit monitoring offer, Thorpe said, “Well, that’s something at least. I appreciate Google’s gesture.”

    The breach occurred on May 26, 2008, when someone broke into Colt’s Walnut Creek, Calif. office, according to Colt. The company says it has contacted the Walnut Creek police and the REACT high tech crime task force, based in Santa Clara, Calif. The investigation is ongoing.

    According to the Identity Theft Resource Center, other companies affected by the breach include Avant Corp. (now part of Synopsys), Bebe, CBS’ CNET Networks, Ebara Technologies, and Punahou School.


  • July 2nd, 2008

    Sony USA PlayStation Website SQL Injected And Redirects Visitors To Fake Anti-Virus Scam

    Sony’s USA PlayStation website, a website with a very large number of daily visitors according to Alexa, has been the victim of an SQL injection attack. Sony PlayStation’s site is another highly trafficked website that has fallen victim to the continuing waves of mass SQL injections carried out by botnets (the ASProx botnet, for example).

    The purpose of this wave of attacks seems to be to dupe users into installing the same fake anti-virus software SophosLabs discovered on .MOBI websites earlier this week. Numerous malicious websites making use of the unusual .MOBI top-level domain attempted to load a script, ‘AD.JS’, located in the root of each site. This in turn attempted to load another website, a fake anti-virus install site. The site pretends to do an online virus scan.

    A bogus warning message is then displayed, saying that one or more of the following have been detected:

    Trojan.Bakloma.A
    Win32.Gattman.A
    Trojan.Zapchas.F
    JS.Blackworm.A
    Trojan.Tibs.E
    Win32.Netsky.P@mm
    Trojan.Winsys
    Trackware.Adctech2006
    Downloader.TrafficSector
    Adware.Roings

    If you have seen/installed this software on your PC, consider running a trusted anti-virus as soon as possible, since your machine is infected.

    After this, the user is encouraged to download and run an executable (installer.exe). This malware is detected as Mal/Packer by Sophos. If the installer was run, it installs more malicious files (Troj/FakeAV-AA) on the victim machine.

    Visiting the affected PlayStation site runs a script that pretends to perform the same online security scan of your computer, and presents a bogus warning message you can see on the image above. Users frightened by the fake ‘warnings’ might rush to spend money on useless software.

    The fact that the Sony PlayStation site has been attacked in this way suggests that someone with malicious intent could place other harmful malware there and infect a very high number of Sony PlayStation website visitors.

    Sony PlayStation’s site hasn’t been specifically targeted by hackers; it was hit automatically along with thousands of other pages that were SQL injected with a malicious coldwop.com domain (yet another SQL injection attack by Chinese hackers). There are no reports that Sony PlayStation’s database or customers’ private details were compromised; the flaw in Sony’s website only allowed injection of redirection code that loads a script from a malicious site.


  • July 2nd, 2008

    Mozilla Fixes 12 Security Vulnerabilities In Firefox 2.0.0.15

    Mozilla have released Firefox 2.0.0.15 which according to the release notes fixes 12 security vulnerabilities.

    Here is a list of fixes in Firefox 2.0.0.15 from their website. Some of them are critical, so if you are running Firefox 2, you should update as soon as possible.

    MFSA 2008-33 Crash and remote code execution in block reflow

    MFSA 2008-32 Remote site run as local file via Windows URL shortcut

    MFSA 2008-31 Peer-trusted certs can use alt names to spoof

    MFSA 2008-30 File location URL in directory listings not escaped properly

    MFSA 2008-29 Faulty .properties file results in uninitialized memory being used

    MFSA 2008-28 Arbitrary socket connections with Java LiveConnect on Mac OS X

    MFSA 2008-27 Arbitrary file upload via originalTarget and DOM Range

    MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()

    MFSA 2008-24 Chrome script loading from fastload file

    MFSA 2008-23 Signed JAR tampering

    MFSA 2008-22 XSS through JavaScript same-origin violation

    MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)

    You can get the latest version of Firefox 2 here. If you are already a Firefox 2 user, you can also click “Check for updates…” under the “Help” menu.

    Seamonkey was also updated to version 1.1.10 and included fixes for the same issues plus one additional critical vulnerability, so if you use it, it should also be updated.


  • June 30th, 2008

    25 Mac OS X Security Vulnerabilities Fixed in Apple’s 2008-004 Security Update

    Apple has shipped a new Mac OS X update that addresses 25 documented vulnerabilities that could lead to arbitrary code execution attacks. In this 2008-004 Security Update, Apple fixes code execution flaws in Launch Services, SMB File Server, System Configuration, VPN and WebKit.

    Fixes for six highly critical vulnerabilities in Ruby, a popular open-source scripting language, are also included. The update also installs a Tomcat patch that addresses nine vulnerabilities, the most serious of which may lead to a cross-site scripting attack.

    Here is the list of vulnerabilities from Apple’s security bulletin:

    Alias Manager (CVE-2008-2308): A memory corruption issue exists in the handling of AFP volume mount information in an alias data structure. Resolving an alias containing maliciously crafted volume mount information may lead to an unexpected application termination or arbitrary code execution. This issue only affects Intel-based systems running Mac OS X 10.5.1 or earlier.

    CoreTypes (CVE-2008-2309): This update adds .xht and .xhtm files to the system’s list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious payload.

    c++filt (CVE-2008-2310): A format string issue exists in c++filt, which is a debugging tool used to demangle C++ and Java symbols. Passing a maliciously crafted string to c++filt may lead to an unexpected application termination or arbitrary code execution. This issue does not affect systems prior to Mac OS X 10.5.

    Dock (CVE-2008-2314): When the system is set to require a password to wake from sleep or screen saver, and Exposé hot corners are set, a person with physical access may be able to access the system without entering a password. This issue does not affect systems prior to Mac OS X 10.5.

    Launch Services (CVE-2008-2311): A race condition exists in the download validation of symbolic links, when the target of the link changes during the narrow time window of validation. If the “Open ’safe’ files” preference is enabled in Safari, visiting a maliciously crafted website may cause a file to be opened on the user’s system, resulting in arbitrary code execution. This issue does not affect systems running Mac OS X 10.5 or later.

    Net-SNMP (CVE-2008-0960): An issue exists in Net-SNMP’s SNMPv3 authentication, which may allow maliciously crafted packets to bypass the authentication check. Additional information is available from US-CERT.

    Ruby: Multiple memory corruption issues exist in Ruby’s handling of strings and arrays, the most serious of which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of strings and arrays. Also, if WEBrick is running, a remote attacker may be able to access files protected by WEBrick’s :NondisclosureName option.

    SMB File Server (CVE-2008-1105): A heap buffer overflow exists in the handling of SMB packets. Sending malicious SMB packets to a SMB server, or connecting to a malicious SMB server, may lead to an unexpected application termination or arbitrary code execution.

    System Configuration (CVE-2008-2313): A local user may be able to populate the User Template directory with files that will become part of the home directory when a new user is created. This could allow arbitrary code execution with the privileges of the new user. This issue does not affect systems running Mac OS X 10.5 or later.

    Tomcat: Tomcat version 4.x is bundled on Mac OS X v10.4.11 systems. Tomcat on Mac OS X v10.4.11 is updated to version 4.1.37 to address several vulnerabilities, the most serious of which may lead to a cross-site scripting attack. Further information is available via the Tomcat site.

    VPN (CVE-2007-6276): A divide by zero issue exists in the virtual private network daemon’s handling of load balancing information. Processing a maliciously crafted UDP packet may lead to an unexpected application termination. This issue does not lead to arbitrary code execution.

    WebKit (CVE-2008-2307): A memory corruption issue exists in WebKit’s handling of JavaScript arrays. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Along with this fix, the version of Safari for Mac OS X v10.5.4 is updated to 3.1.2.

    Updates can be retrieved and installed using Mac OS X’s integrated update feature.


  • June 28th, 2008

    Hackers Selling Stolen Credit Cards Lead To Montgomery Ward Parent Company Breach Exposure

    At least 51,000 records were exposed in the breach at the parent company of Montgomery Ward. The venerable Wards chain that began in 1872 went out of business in 2001, but in 2004 a catalog company, Direct Marketing Services Inc., bought the brand name out of bankruptcy. It now runs a Wards.com Web site along with six other sites, including three with Sears brands it has acquired: SearsHomeCenter.com, SearsShowplace.com and SearsRoomforKids.com.

    The financial company Citigroup detected the computer invasion in December. By going through HomeVisions.com, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company’s retail properties.

    Online chatter was detected in June by Affinion Group Inc.’s CardCops, a group of investigators who track payment-card theft for financial institutions. In Internet chat rooms frequented by card thieves, CardCops spotted hackers touting the sale of 200,000 payment cards belonging to one merchant. CardCops then intercepted several hundred of the records, along with the online handles belonging to hackers whose real names remain unknown.

    Along with the card numbers, their three-digit “security codes” and expiration dates, the thieves had the cardholders’ names, addresses and phone numbers. The data had been organized in the same way, indicating the numbers likely came from the same database. The vast majority of the cardholders were women, a clue that the records came from a merchant catering to a certain demographic.

    When cardholders were contacted, the first eight said they had bought things online or through mail order from Montgomery Ward. Further investigation showed that there is a high probability that the entire database of Montgomery Ward was breached.

    Direct Marketing Services immediately informed its payment processor and Visa and MasterCard and closely followed a set of guidelines, issued by Visa, on how to respond to a security breach, including a report to the U.S. Secret Service. Those guidelines from Visa are largely technical, and do not require the organizations that have been hacked to come clean to the affected consumers, not just to the financial industry. Companies that fail to comply can be hit with fines or be sued by affected customers, depending on the state.

    As a result, scores of breaches covering hundreds of millions of consumer accounts have been disclosed by banks, universities, corporations and retailers in recent years. Direct Marketing Services now plans to contact consumers.

    It is not clear whether the hackers were inflating their claim when they offered 200,000 records or whether the official number of 51,000 is accurate.


  • June 27th, 2008

    Cross-Domain Vulnerability In Microsoft Internet Explorer 6

    A new Microsoft Internet Explorer 6 vulnerability may allow a remote, unauthenticated attacker to execute arbitrary script in the context of another domain. Proof-of-concept code for this vulnerability is already available. The vulnerability could allow an attacker to take a variety of actions, including stealing cookies, hijacking a web session, or stealing authentication credentials. At this time, Internet Explorer 7 and Firefox do not appear to be affected by this issue.

    The vulnerability is caused by an input validation error when handling the “location” or “location.href” property of a window object. The vulnerability was first published two days ago in an article in a Chinese security e-zine called pstzine. The issue is very similar to the “Ghost Page” issues in IE, which were originally raised by security researchers Manuel Caballero and Fukami at Microsoft Bluehat 2008.

    Until a patch is available, IE6 users should disable scripting in the browser. Another option might be upgrading to Microsoft Internet Explorer 7 or using an alternative browser to help mitigate the risk.


  • June 27th, 2008

    Hackers Hijack ICANN And IANA’s Domains

    The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority, were hijacked earlier today by the Turkish hacking group NetDevilz, which also hijacked the Photobucket domain on the 18th of June.

    The domains that were hijacked are icann.net, icann.com, iana-servers.com, internetassignednumbersauthority.com, iana.com.

    ICANN is responsible for the global coordination of the Internet’s system of unique identifiers. These include domain names, as well as the addresses used in a variety of Internet protocols. The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources.

    NetDevilz left the following message on all of the domains:

    You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us? haha :) (Lovable Turkish hackers group)

    The hackers again redirected visitors to the free hosting service Atspace.com (82.197.131.106). Atspace was also used during the Photobucket DNS hijacking. Since the NetDevilz hacking group declined to reveal how they did it, many consider a cross-site scripting or cross-site request forgery vulnerability to be the method used to hijack the domains.


  • June 26th, 2008

    Terrorist And Leftist Websites Defaced By Israeli Hackers

    An Israeli hacking group broke into the sites of Izz al-Din al-Qassam, the terrorists’ military wing, and some leftist movements. The hacked websites were defaced and their previous content replaced with the words of the Israeli national anthem. Currently the website of Izz al-Din al-Qassam displays a white screen and words in Arabic announcing technical difficulties.

    The hacker group, which calls itself Fanat al-Radical (the fanatical radicals), also said that it broke into additional terror organizations’ sites and those of various leftist movements. According to an unnamed representative of the group, they searched for relevant sites, whether leftist or anti-Zionist, and looked for loopholes. The group consists of young adults from 16 to 18 years of age.

    In addition to the Hamas military wing’s site, they also broke into the Balad political party site (http://arabs48.com/balad), that of the Hagada Hasmalit (the left bank, http://www.hagada.org.il), the Kibush (occupation, kibush.co.il) site and more. The Left Bank site, considered by the group as another site identifying with the left, was defaced “due to its blatant anti-Zionist contents”. The hacked sites are now equipped with an Israeli flag, the words of the Israeli national anthem “Hatikva” with vowels and pictures of Palestinian babies and children dressed as suicide bombers. A short explanation of why this specific site was broken into to begin with is also included.

    Fanat al-Radical is a new group of hackers whose members were members of another group called Kamikaz Team. According to them, since they didn’t want to include politics in Kamikaz, a parallel group that supports the destruction of Arab sites was created. The group feels that its first hacking campaign was successful, but they do not intend on stopping here. They said that they plan an additional attack in the future.


  • June 25th, 2008

    Yahoo! Groups Are Used By Phishers To Send Personalized Scam Emails

    A spam campaign that sends personalized phishing emails through Yahoo! Groups has recently been reported by TrendLabs researchers, Jake Soriano and Grace Ermitanyo (who provided detailed analysis about this attack). Phishers appear to have sent phishing emails through Yahoo! Groups via either the standard posting methods through Yahoo! Groups site’s Post Message feature or through sending an email to the group’s @yahoogroups.com address. Thus, users who receive this email from a Yahoo! Group (of which they are members) are likely to believe that it is legitimate.

    The success of this phishing attempt further depends on how the group mailing list is actually moderated. There are settings in Yahoo! Groups spam abuse prevention that allow the moderator to approve all messages before they are sent out to members.

    The phishing email provides a link that redirects the recipient to a website with a fake form. The form steals user identities by gathering personal and sensitive user information, such as phone numbers, PINs, passwords, account numbers and debit card numbers. These details are sent over to the phishers, who may then peruse the information themselves or sell it in underground forums to cyber criminals.

    In one particular case, clients of the Royal Bank of Scotland (rbs.co.uk) are targeted. In the phishing email, the URL is different from the actual bank domain and redirects to rtsrv.co.uk.

    Moderators of Yahoo! Groups are advised to read about their options related to keeping their members safe from spam and phishing attempts at the Yahoo! Groups FAQ on spam abuse prevention.


  • June 24th, 2008

    Employees Personal Information Exposed In Department of Consumer Affairs Email Incident

    A security breach discovered on Monday, June 9, compromised the names and social security numbers of 5,000 employees, contractors and board members in the state Department of Consumer Affairs (DCA). About 2,800 of the people on the list are current, full-time employees of the DCA.

    The breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department, said DCA spokesman Russ Heimerich. The document also contained the salaries and titles of everyone on the list, but Heimerich noted that this was public information. Some of the names were employees and board members of the 56 professional boards and bureaus administered by the DCA, such as the Bureau of Automotive Repair and the Medical Board. The document also included some former employees and numerous contractors, such as people who proctor state job examinations.

    The main danger with giving away a social security number is that it can be used to set up new credit cards, loans or purchases in someone’s name. However, a thief would generally need other information that was not included and could be harder to get, such as addresses, phone numbers and driver’s license numbers. This kind of information is very easy to obtain though.

    The DCA is the main state agency charged with protecting consumers in California. From 2003 to 2007, it also housed the office charged with educating consumers and businesses about identity theft and fraud.

    The incident is still being investigated, and it cannot be disclosed who received the document. So far there is no evidence that any information has been used. It was not even clear whether the recipient had opened the document.

    The state Department of Consumer Affairs (DCA) has sent warning letters to all 5,000 affected. The DCA will pay for a year of free credit reports and provide fraud insurance of up to $25,000 for everyone on the list. The DCA had not yet determined how much these protections were going to cost.

    Anyone concerned about identity theft can visit http://www.privacy.ca.gov/, for more information on how to protect themselves.


  • June 24th, 2008

    Marshall Islands Email Service Paralysed By Spam Attack

    Email communication in the Marshall Islands was paralysed Tuesday after hackers launched a “zombie” computer attack on the western Pacific nation’s only Internet service provider. The Marshall Islands is a Micronesian island nation in the western Pacific Ocean, located east of the Federated States of Micronesia and south of the U.S. territory of Wake Island.

    The attack starting early Tuesday, in which hackers used computers taken over by viruses to flood the Internet provider with spam emails, caused a complete shutdown of email traffic into the nation of around 55,000 people. More than 18 hours after the initial attack Tuesday incoming email service to the monopoly provider had still not been restored.

    The government-owned National Telecommunications Authority (NTA) was hit with a sudden increase in incoming email, which it described as an attack by “zombie computers”, said an NTA spokesman. While NTA customers could send and receive emails to each other through the local system, virtually no non-NTA emails had been received since Monday, impacting local businesses, banks and government offices.

    “Some malevolent person unleashed infected computers to flood NTA with mail,” said an unnamed local information technology expert. “The fact that there were so many messages sent shows a degree of sophistication to the attack.”

    Local officials said this attack was believed to be the first on the country’s only Internet service provider.
