Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for May, 2008

Hackers Might Exploit Apple’s iCal Memory Corruption Vulnerability

Thursday, May 22nd, 2008

According to security vendor Core Security Technologies, Apple’s iCal calendar application contains three vulnerabilities that could allow an attacker to crash the application or execute remote code on the victim’s Mac. Core Security released an advisory on Wednesday detailing the vulnerabilities, which affect iCal version 3.0.1 running under Mac OS X 10.5.1 (Leopard).

In order for an attacker to exploit these vulnerabilities, an iCal user must be convinced to open an .ics file sent via e-mail or hosted on a Web server. The ability to add or modify files on a CalDAV server would allow the attacker to trigger the exploits directly. This is the most serious of three vulnerabilities and is possible due to potential memory corruption resulting from a resource liberation bug.

The other two vulnerabilities could be used to crash iCal using a maliciously crafted iCal (.ics) file. There is a possibility to use these two flaws for execution of arbitrary code but so far there is no proof such an attack is possible.

Core Security notified Apple of the vulnerabilities back in January. In February, Apple said it would fix the bugs in its March security patch, but it didn’t. Core Security then rescheduled publication of information about the vulnerabilities for April. So far Apple did not address the vulnerabilities and Core said it is about to publish the information to the public.

Hackers And Scammers Continue Exploit China Earthquake

Thursday, May 22nd, 2008

Spammers and scammers are always ready to jump on the latest disaster or big news headline to try and exploit users. This time its time to exploit the Chinese earthquake disaster, which killed more than 50,000, to push scams and malware spam.

In one report scammers sent out text messages enticing people to send donations to fund the aid for helpless victims. Today there was a report of spam message allegedly from a Filipino seeking financial aid to follow his wounded wife in China.

Here are the first and last portions of the long-winded letter designed to get merciful recipients to take action, i.e. donate money. It starts with:

Dear friend,

I do not know your exact name. I can only guess. I ask you to read through my letter up to the end.

And ends:

And still, if you will be able to help me I shall consider you to be the best man in this world. You will save a life of mine Jin. I shall write the data on which I will be able to receive cashes in Philippines through Western Union.

Next there are emails with infected Word attachments that include MalDoc-Fam Trojan. They being distributed in messages that pose as news about the disaster, net security firm Sophos reports. The malware-tainted emails typically appear with body text suggesting they contain news from China’s official press agency, Xinhua:

BEIJING, May 20 (Xinhua) — The death toll from the earthquake in southwest China’s Sichuan Province has risen to 34,074 nationwide as of 2 p.m. Saturday, while 198,347 people were injured, according to the Information Office of the State Council. Pay attention to attachment for more.

Opening the attached Word document triggers an exploit that downloads malware onto vulnerable Windows PCs. The MalDoc-Fam Trojan is more than a year old, dating from March 2007.

These schemes, much like during those that surfaced during previous tragedies, are surely only some of the many that will continue to use this ploy.

Recent reports tell that even the official Web site for donations to the eathquake victims in China, the Chinese Red Cross, has itself been hacked to divert donations elsewhere. Ironically, even if you carefully donate only to legitimate organizations, you can never be sure who will actually get the money nowadays.

Users should be extremely cautious in extending their help. If possible, keep a closer watch of who gets the donation and where it goes.

Apple iTunes Users Are Targeted By Phishers

Wednesday, May 21st, 2008

Phishers have started targeting users of Apple Inc.’s iTunes music store with sophisticated identity theft attacks. According to e-mail security vendor Proofpoint Inc., many users recieved spam with messages telling them that they must correct a problem with their iTunes account. A link in the spam leads to a site posing as an iTunes billing update page.

This fake page asks for information, including credit card number and security code, Social Security number and mother’s maiden name. The theft attempt is a new addition to companies and brands like like PayPal, eBay and Citibank, which are constantly attacked by phishers.

Users who receive an e-mail with a link to a site requesting personal financial information, should be very cautious about proceeding. Bookmark or type in the URLs for sites containing financial information, such as your bank or e-commerce sites like iTunes. Never visit the links you receive in an unsolicited e-mail.

Remote Attack Could Damage Systems Hardware Beyond Repair

Wednesday, May 21st, 2008

An attack, demonstrated by Rich Smith from HP Systems Security Lab at the EUSecWest security conference in London, showed that embedded systems hardware can be damaged beyond repair. The attack could be carried out remotely over the internet.

The attack was demonstrated for the first time in London on Wednesday and was called by Smith “permanent denial of service”. The attack thrashes systems by abusing firmware update mechanisms and if successful, the so-called “phlashing” attack would force victims to replace systems and cause financial damage.

Theoretically the attack could be cheaper and more effective (as the damage caused would be harder to recover from) than conventional denial of service attacks, which typically rely on hackers paying to rent control of a network of compromised PCs.

The new approach relies on exploiting frequently unpatched vulnerabilities in embedded systems, such as flaws in remote management interfaces, to get access to a system. That alone wouldn’t be enough, but because firmware updates are seldom secured, the possibility exists of making an update that effectively trashes a system.

Smith is calling on vendors to authenticate the mechanism as one way of defending against such attacks. He is demonstrating a tool to search for vulnerabilities in firmware, as well as an attack mechanism to corrupt vulnerable firmware at EUSecWest.

Another presentation at EuSecWest will demonstrate a proof of concept rootkit capable of covertly monitoring and controlling Cisco routers. The Cisco IOS rootkit software was developed by Sebastian Muniz, of Core Security and was recently reported.

More Websites Are Compromised, This Time Avoiding Chinese Websites And Users

Wednesday, May 21st, 2008

Two days ago there was a report about Chinese and Chinese language websites compromised and SQL-injected in order to infect visitors with malware. According to net security firm ScanSafe, recently new rounds of SQL injection attacks mostly target English language sites on .com domains, some of them hosted in China.

This time the attack purposefully avoid Chinese government sites. The latest attacks inject an iFrame onto compromised sites that loads malicious scripts from, a domain registered on 16 May. These scripts includes the text “silent love china” in an apparent greeting of other Chinese hackers. The malicious code exploit popular RealPlayer and Internet Explorer vulnerabilities to install a password-stealing Trojan that hides its presence on Windows PCs.

More than 7,000 sites have been compromised in this way so far. Among compromised websites there is Hong Kong stock brokerage website ( and Kodak camera reviews ( There are also sites of Israel Humanitarian Foundation, London-based Child Rights Information Network, the UK’s West Midlands Local Government Association, and AsiaObserver news portal. All these sites redirect to other domains and lead to the download and execution of http://******, which is detected as BKDR_HUPIGON.CFV by Trend Micro.

Current List Of Malicious Domains Inserted Through SQL Injection

Tuesday, May 20th, 2008

SQL injection vulnerabilities are widely exploited in various websites and used to insert malicious references that redirect users and infect their PCs. Since there are more and more of those attacks reported almost daily, a list of domains used in past and recent massive SQL injections can be very useful for many site owners and users who are trying to research or avoid infections.

Mike Johnson from Shadowserver has published a list that is focused on mass SQL injection attacks and can be used with other generic malware lists from or There is no full proof method to identify if a website or its database has been infected with malicious code. One way of checking it is by searching for the specific malicious domains hosting the JavaScript and pointed out by the malicious references added by mass infection tools.

Here is the list from Shadowserver, updated for September 17:
%6b%6b%36%2e%75%73 (
%73%61%79%38%2E%75%73 (
%66%75%63%6B%75%75%2E%75%73 (
%61%2E%6B%61%34%37%2E%75%73 (
%61%31%38%38%2E%77%73 (
%33%2E%74%72%6F%6A%61%6E%38%2E%63%6F%6D (
%6D%31%31%2E%33%33%32%32%2E%6F%72%67 (

Do not visit those sites, they might infect your system.

Another method based on Google can check if your domain has been compromised and malicious Javascript references have been inserted on your website pages. Simply search by any of the domains in the list adding the Google’s “site:” directive specifying your own domain.

If you know about any other similar resource, or additional domains used to spread malicious code used in SQL injection attacks, please send it to us or post it in comments.


LPL Financial Compromised Advisors Logons Used In Stocks Manipulations

Tuesday, May 20th, 2008

LPL Financial recently notified the Maryland State Attorney General of a breach in which hackers compromised the logon passwords of fourteen financial advisors and four assistants of LPL Financial (“LPL”). The hackers used these passwords to gain access to customer accounts in order to “pump and dump” penny stocks. These incidents affected approximately 10,219 individuals.

Hackers compromised the logon passwords of employees in offices located in New Jersey, Illinois, Rhode Island, Pennsylvania, Colorado, Texas, California, Georgia and Connecticut over the course of several months. The information that was potentially accessible included unencrypted names, addresses and Social Security numbers of customers and non-customer beneficiaries.

According to LPL Financial, attempted transactions were intercepted and either rejected or reversed, so no losses were passed on to customers. At this time, LPL has no specific knowledge that any customer information was accessed or misused as a consequence of the breach. LPL also unaware of any personal instance of identity theft related to these incidents.

LPL learned of the first incident on July 16, 2007 and notified the law enforcement, the primary regulator, and the Financial Industry Regulatory Authority. They also determined what information had been compromised and notified the affected individuals, offering solutions to those interested.

Those having questions or encountered an identity theft issue, can call ID TheftSmart at 1-800-588-9839 between 9:00 a.m. and 6:00 p.m. (Eastern Time), Monday through Friday. To ask LPL Financial a question regarding this incident, call 1-800-558-7567, option 3 – Customer Service, between 9:00 a.m. and 6:00 p.m. (Eastern Time), Monday through Friday.

Research Shows Vista Is Almost As Vulnerable As Its Predecessors

Monday, May 19th, 2008

According to Techworld, an analysis from the Australian company “ThreatFire” reveals that Vista is almost as vulnerable as its predecessors. ThreatFire user base shows that 58,000 PCs running Vista were compromised by at least one piece of malware over the six months to May 2008, equivalent to 27% of all Vista machines probed. Vista made up 12.6% of the 1,513,502 machines running Windows in the user base.

In total, Vista suffered 121,380 instances of malware from its 190,000 user base, a rate of malware detection per system is proportionally lower than that of XP, which saw 1,319,144 malware infections from a user base of 1,297,828 machines, but it indicates a problem that is worse than Microsoft has been admitting to.

Just one week ago, PC Tools revealed that Vista was as likely to be hit with software vulnerabilities as Windows 2000, a claim that was denied by a Microsoft staffer in a blog. As PC Tools makes clear, that malware was detected did not mean harm had been done, simply that Vista’s own security had in some way been circumvented to the degree that its ThreatFire tool stepped in.

PC Tools notices that all systems used in the research pool were at the very least running PC Tool’s ThreatFire and that because the technology is behavioral-based, the data refers to threats that actually executed and triggered behavioral detection on the client machine. In response to alternative research from Microsoft’s Malicious Software Removal Tool, PC Tools highlights that the MSRT is not a comprehensive anti-virus scanner, but a malware removal tool for a limited range of “specific, prevalent malicious software”.

PC Tools also publicized details of some of the malware types it has found on Vista systems during its scans, including three pages of variants based on Trojan.Agent, a few of which were described as serious.

Above 300,000 More Websites Compromised Targeting Chinese Users

Monday, May 19th, 2008

Series of mass compromises continue and, according to Trend Micro, just a week after half a million websites were compromised, another mass web SQL injection hit more websites in the Chinese language. This malicious activity deliberately targets users from China, Taiwan, Singapore, and Hong Kong. Currently Google search results show around 300,000 pages that contain the malicious JavaScript code, among them, as usual, many government and educational sites.

Screenshot from Google (do not visit those sites):

Users visiting any of the compromised sites would be infected by a malicious script installed on their system. The script, detected as JS_IFRAME.AC, may be downloaded from the remote site http://s.****.us/s.js.

JS_IFRAME.AC then downloads JS_IFRAME.AD, which exploits several vulnerabilities to further insert scripts in web.The following exploit routines are performed by JS_IFRAME.AD:

1. Exploits a vulnerability in Microsoft Data Access Components (MDAC) MS06-14, which allows for remote code execution on an affected system
2. Uses the import function IERPCtl.IERPCtl.1 or IERPPLUG.DLL to send the shell code to an installed RealPlayer
3. Checks for GLAVATAR.GLAvatarCtrl.1
4. Exploits a BaoFeng2 Storm and MPS.StormPlayer.1 ActiveX control buffer overflow (Chinese-language software)
5. Takes advantage of an ActiveX control buffer overflow in Xunlei Thunder DapPlayer (Chinese-language software)

These vulnerabilities trigger JS_IFRAME.AD to redirect users to one of the following URLs:

http://********.cn/real11.htm – detected as JS_REALPLAY.AT
http://********.cn/real.htm – detected as JS_REALPLAY.CE
http://********.cn/lz.htm – detected as JS_DLOADER.AP
http://********.cn/bfyy.htm – detected as JS_DLOADER.GXS
http://********.cn/14.htm – detected as JS_DLOADER.UOW

Additional detected scripts downloaded by JS_IFRAME.AD are VBS_PSYME.CSZ, JS_VEEMYFULL.AA, JS_LIANZONG.E, JS_SENGLOT.D.

These four malware, in turn, download and execute http://******, which is detected as TROJ_DLOADER.KQK.

The research was conducted by Senior Threat Analyst Aries Hsieh, a team of researchers from Trend Micro and consolidated findings of the Research (Taiwan), Escalation, and Threat Response teams at TrendLabs.

Trend Micro is trying to reach Taiwan CERT to inform them of this mass compromise.

School Computer Hacked And Personal Records Stolen By 15-Year-Old Student

Sunday, May 18th, 2008

Authorities are investigating the theft of personal information from a computer in a Chester County school district. According to Downingtown Area School District officials, a 15-year-old student gained access to files on a computer at Downingtown West High School on May 9. Numerous files containing the personal information of 70 staff members and several thousand tax payers were apparently copied and distributed to other students. The files apparently contained salary information and social security numbers.

Police said the students involved in the incident have been identified and the data was safely recovered.The district is working to determine how far the breach reached and secure their network from future abuse. Officials believe the student was just attempting to see if he could infiltrate the network, not identity theft. As a precaution, all staff members were notified of the incident and told to check their personal data.

At this point it is unclear if the student will face charges.