Nuwar spammers have recently moved from real news of natural disasters and current affairs to creating their own fictional events in an attempt to infect users' computers. This new high-volume spam campaign is using attention-grabbing subjects to lure people into clicking on the links.
The spam message draws from a list of newsworthy subjects that are used for both the subject line and the message body. Here is a list of subjects discovered so far by Sophos and McAfee:
Bad press surrounds US Army as renegade soldiers open fire on civilians
Boston’s MIT hit by massive corruption scandal
Click here for a massive boost to your sex life
Columbia admits directors have been stealing
DA rolls over on Britney foot-fault case
Don’t belittle the effects of power enlargement
Don’t let old age shrivel away your self esteem when you can maintain with herbal supplements
Don’t panic when you cannot score with the girl that you have a crush on
Dutch disqualified from Euro Championships
Enlargement does not involve putting a big hole in your pockets
Ex-Pentagon lawyers challenged on sex abuse in Iraq
Fantastic upgrade to your manhood available now
Gather your loose change to try out the revolutionary herbal supplement
Get the latest herbal enhancements to grow your large howitzer now
Gloomy Americans still spending money admist economy gloom
Great improvement to your sex life guaranteed
Harvard Medical School admits embezzlement by directors
Heir to Prada empire found strangled
Herbal supplement at merely 5 cents a day
Hollywood hit by Aids scandal, more than 20 stars implicated
Italy showed France the difference in length
Keep this new herbal supplement out of reach from your friends
Lakers bombed out after big loss to Celtics
Lindsay Lohan converts to Islam, causes uproar
Make sure you do not miss the action - get your organ enlargement package now
Obama caught with pants down with Clinton
Opponents of gay marriage stay quiet
Ralph Lauren found dead in country home
Red cross shown to abuse power in latest aid
Ring it up for Celtics after fantastic win
Studies have shown that this herbal solution really makes a difference in men’s health
The enlargement is so powerful it will make you increase in your strength
The greatest gift of all is the secret to the fountain of youth
The most affordable herbal supplement that works to increase your self esteem
The real reason why Anne Hathaway splits from longtime love
Try out the latest herbal solution that will make you a new superhero
US election campaign shames after sex scandal exposure
US Soldier throws boy off cliff, villagers enraged
You better be home to receive this package that will change your life
Britney found hanged in locker room
White House hit by lightning, catches fire
Oprah found sleeping the streets
Eiffel Tower damaged by massive earthquake
Donald Trump missing, feared kidnapped
Lastest! Obama quits presidential race
This clever social engineering technique exploits people's weakness for news of natural disasters and celebrities. The emails contain plain text and always include a link that looks fairly harmless but in fact redirects to a web page that attempts to install malware.
In this particular campaign all the links go to a fake pornotube page hosted on legitimate sites that have been hacked. If you click on the video, which is actually just an image, it tries to download an executable file. This is detected by McAfee as BackDoor-DNM and also by most other anti-virus products. The spam is also currently detected by anti-spam products.
Users are advised to run updated anti-virus software and never click on links in an email unless they come from a verified person.
Botnet operators are using false reports about an earthquake near Beijing that could disrupt the Olympic Games to spread malware. Unsolicited emails have been discovered that are part of a new malicious spam campaign claiming another earthquake has just occurred in China and could derail the upcoming Olympic Games.
Samples of the bogus alert doing the rounds have been intercepted by SophosLabs, featuring subject lines such as “Million dead in Chinese quake” and links to websites on a .cn domain. These sites claim a quake measuring 9.0 on the Richter scale has caused millions of casualties. The pages contain links to a supposed video that actually downloads the Nuwar-E malware onto Windows-based PCs.
Net security firm Sophos reports that the .cn domains advertised in that attack are likely to be part of a botnet. Each DNS query for the domains returns a different IP address, indicating that a changing network of compromised hosts is serving up the malware.
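The Sophos observation above (every query for the campaign domains answered with a different address) is one of the classic fast-flux indicators. The following is an added illustration, not code from Sophos or the original post, that scores a resolver log for that pattern; the domain names, addresses, and thresholds are constructed for the example.

```python
"""Fast-flux indicator check over a resolver log (added illustration).
All sample data below is constructed; the domains are placeholders, not
the ones used in the campaign."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: (domain, seconds since first query, answer IP, TTL).
SAMPLE_ANSWERS = [
    ("quake-video.example.cn", 0,    "198.51.100.7",   300),
    ("quake-video.example.cn", 300,  "203.0.113.42",   300),
    ("quake-video.example.cn", 600,  "192.0.2.130",    300),
    ("quake-video.example.cn", 900,  "198.51.100.201", 300),
    ("quake-video.example.cn", 1200, "203.0.113.9",    300),
    ("news.example.com",       0,    "192.0.2.10",     86400),
    ("news.example.com",       3600, "192.0.2.10",     86400),
    ("news.example.com",       7200, "192.0.2.11",     86400),
]


def flux_score(answers):
    """Group answers per domain and compute the indicators usually used to
    spot fast-flux: distinct IPs, distinct /16 networks and the lowest TTL.
    Returns {domain: {"queries", "distinct_ips", "distinct_nets", "min_ttl"}}."""
    per_domain = defaultdict(list)
    for domain, _t, ip, ttl in answers:
        per_domain[domain].append((ip_address(ip), ttl))
    result = {}
    for domain, rows in per_domain.items():
        ips = {ip for ip, _ in rows}
        # A legitimate site is normally served from one provider's address
        # space; a botnet of compromised home PCs spans unrelated /16s.
        nets = {int(ip) >> 16 for ip in ips}
        result[domain] = {
            "queries": len(rows),
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "min_ttl": min(ttl for _, ttl in rows),
        }
    return result


def suspected_fast_flux(answers, min_queries=4, min_ips=3, min_nets=2, max_ttl=600):
    """Return domains whose resolution history looks like fast-flux.
    The thresholds are assumptions for this illustration, not published values."""
    flagged = []
    for domain, s in flux_score(answers).items():
        if (s["queries"] >= min_queries and s["distinct_ips"] >= min_ips
                and s["distinct_nets"] >= min_nets and s["min_ttl"] <= max_ttl):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain, score in flux_score(SAMPLE_ANSWERS).items():
        print(domain, score)
    print("suspected fast-flux:", suspected_fast_flux(SAMPLE_ANSWERS))
```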
The recent Chinese earthquake is still so fresh in people’s minds, that many computer users won’t think twice before opening this email and clicking on the link. The spammers are using one of the most common tricks in an attempt to spread their malware, and if people continue to open unsolicited emails, unfortunately the spammers will continue.
Sophos experts note that by using the highly-anticipated Olympic Games due to take place in Beijing in August, the spammers are hoping to take advantage of the excitement surrounding the event in order to trick unsuspecting computer users into downloading their malware. Spammers are hoping that computer users will be so eager to find out more that they’ll forget their common sense when it comes to their emails. According to Sophos, we’re likely to see more spam messages referencing the upcoming Olympic Games as we get nearer to the event.
A code execution vulnerability found in the newly released Firefox 3.0 could allow an attacker to execute arbitrary code, permitting the attacker to completely take over the vulnerable process and potentially gain full control of the machine running it. The flaw found in Firefox 3.0 is considered a high-severity risk and also affects earlier Firefox 2 versions, including the latest 2.0.0.14.
Several hours after the official release, an unnamed researcher has sold a critical code execution vulnerability to TippingPoint’s Zero Day Initiative (ZDI), a company that buys exclusive rights to software vulnerability data. The vulnerability puts Firefox 3.0 users at risk of PC takeover and malware infection attacks.
Technical details are being withheld until Mozilla’s security team develops a patch. TippingPoint researchers continue to study the flaw to determine whether user interaction, such as clicking on a link or visiting a malicious web page, is required for successful exploitation.
Until there is a patch, Firefox users should avoid clicking on links that arrive via e-mail or in IM messages from unknown or suspicious sources. At this point, there are no reports of this issue being exploited.
Photobucket, a very popular photo sharing site, had its DNS records hacked yesterday by a Turkish hacking group known for its defacement of the adult video site Redtube earlier this year.
Photobucket users across the world reported outages of the service and problems when trying to log in to their accounts. A very similar incident happened to the DNS records of Comcast.net, which redirected users to a third-party domain a few weeks ago.
The hacking group left a message that appears to have been loading from a third-party free hosting domain atspace.com. This web hosting service belongs to Zetta hosting solutions, and users of Photobucket attempting to access the site with the old DNS entries are still being redirected to a default hosting ad page within atspace.com. There are no reports of malware infections or stolen accounts as a result of this incident.
It seems Photobucket did not acknowledge the service suffered from hijacked DNS. Instead, Photobucket said nothing on their blog and website, and when the users started discussing this on Photobucket’s own support forums, according to a comment left by a Photobucket Forum Support representative, there was just a downtime of about one hour due to changed DNS entries:
On Tuesday afternoon, some users that typed in the Photobucket.com URL were temporarily redirected to an incorrect page due to an error in our DNS hosting services. The error was fixed within an hour of its discovery, but due to the nature of the problem, some users will not have access to Photobucket for a few hours as the fix rolls out. It is important to note that only a portion of Photobucket users encountered the problem and that no Photobucket content, password information or other personal information was affected by the redirect.
Mozilla Corp. launched a new Firefox version, 3.0, on June 17. This is a major update to the open-source browser that adds a new search tool, anti-hacking protection and revamped bookmarking. The first major revision of Firefox since late 2006, Firefox 3.0 was posted to Mozilla’s servers at 1 p.m. Eastern time.
Firefox 3.0 first entered public testing with an Alpha 1 release in December 2006. The first of several beta versions was released in November 2007. The browser moved to release candidate stage last month. The third and final release candidate hit Mozilla’s servers less than a week ago.
The updated browser features a redesigned address bar that can be used to search for previously-visited pages using keywords or characters in either the URL or the page title. It also has a Google-powered anti-malware blocker that warns users before they reach a site hosting malicious code, as well as an enhanced tool for handling bookmarks and keeping track of the user’s browsing history. The browser’s performance has also been improved, and its memory leaks have been fixed.
According to the most recent data from Net Applications Inc., Firefox accounted for 18.4% of all browsers used in May, ranking it second behind IE (73.8%) and ahead of Apple Inc.’s Safari (6.3%).
As of 3:30 p.m. Eastern time today, Mozilla’s download servers were available and offering the final version of the open-source browser’s latest update. Within minutes of Firefox 3.0’s official launch at 1 p.m. Eastern time, Mozilla’s servers were overwhelmed by the traffic.
As part of the launch promotion, Mozilla had urged users to help set a single-day download record. No such record currently exists, Mozilla had admitted late last month in a FAQ, but it was pursuing one nonetheless. “This is the first record attempt of its kind, so there is no set number. We’d really like to outdo the number of Firefox 2 downloads on its launch day, which was 1.6 million,” Mozilla said in the FAQ.
After a blackout of more than an hour caused by users trying to download the final release of Firefox 3.0, Mozilla Corp. has restored service to its servers and Firefox 3.0 can now be downloaded from Mozilla’s site.
DivShare, an online service for storing and sharing video, photos, music and documents, has had a security breach. The company announced on its blog tonight that a malicious user had accessed its database, which included user e-mail addresses and other basic profile information.
DivShare is an online file-sharing service with more than half a million members. It is free to sign up for, gives members 5GB of storage and it is possible to download 50GB of data from the service per month.
DivShare members have been warned regarding this security breach by an email from the service. DivShare temporarily took all members’ files offline and implemented a new security system, though full access to the files has now been restored, the company said.
“No financial information has been accessed by any unauthorized parties. We have taken extreme measures to secure the site in the last 12 hours and are currently in the process of rolling out new security precautions,” the statement said. It also says that the company apologizes for allowing this breach to take place and takes every precaution available to ensure that this doesn’t happen again.
While it’s good that DivShare provides information about its security breach, it may be hard to trust again a company that allowed personal information to be accessed by hackers. Although they quickly resolved the issue, the database remains compromised, and this is probably why DivShare recommends that all users change their account password and the passwords on any private folders as a security precaution.
According to DivShare website update from 8:30 PM ET, all files are now back online after outages caused by security upgrades. Concerned members of DivShare service can contact support in case of any questions.
The Altman Weil online store was compromised by a virus that may have exposed the credit card information of certain store customers. The compromise was discovered on May 16, 2008 by the company that hosts the online store website. The hosting company remains unnamed in the official Maryland State Attorney General breach notification, but the current host of the Altman Weil online store appears to be mindSHIFT.
Upon learning of this unauthorized breach and attack, on that same day, Altman Weil immediately authorized the hosting company to shut the site down so that access was no longer possible. Altman Weil assured that the hosting company has preserved logs and electronic evidence, has logged all actions taken, and has not altered or compromised the systems.
According to the hosting company, the server on which the online store was located was password protected and had current firewalls and security protection, but it seems that what the company calls an “SQL virus” may nonetheless have accessed credit card information.
This attack is currently under investigation in order to fully determine the extent to which credit card information of customers may have been accessed.
Altman Weil notified all card holders by letter of the situation and the possible risk. On May 23, 2008 they notified the police department in Newtown Square, Pennsylvania, where Altman Weil is located. Also contacted: the Secret Service’s ECTF and Electronic Crimes Working Group, every state Attorney General in the states where potentially affected cardholders reside, the Federal Trade Commission, the Office of Thrift Supervision, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Board of Governors of the Federal Reserve System.
For more information, Joann Miller at Altman Weil, Inc. can be contacted at 610-886-2006, or via email at: jamiller<at>altmanweil.com.
Private details and social security numbers of 5,000 Columbia University students had been searchable online for the last 16 months. Students received an e-mail message on Tuesday night from the vice president of student auxiliary and business services, Scott Wright, explaining that in February 2007, a student employee had posted a database of students’ housing information on a Google-hosted Web site.
On June 3, Columbia University’s Housing and Dining department was informed of one archival database file, containing housing information of current and former undergraduate students, that had been posted online. It appears that the file was inadvertently posted by a former student employee in February 2007. Upon university request, Google immediately removed this file.
Columbia Public Safety investigators have concluded that this security breach was unintentional. Columbia University would not identify the student, saying only that the person had worked in the university’s housing office. A similar leak occurred in April 2007, when the university noticed that three databases containing students’ addresses and Social Security numbers were online.
Several students created an online petition and posted it to the main campus Web log, demanding that the university investigate the former employee and issue a report explaining how security will be increased. The petition address is www.petitiononline.com/breach/petition.html.
No financial data was included in the file in question, and there is no evidence of identity theft. The phone number for questions or comments is 1(888) 882-7331. Email: studentservices-assist@columbia.edu.
Recent versions of the notorious “Zlob” Trojan check whether the victim’s machine sits behind a wireless or wired hardware router. The Trojan attempts to guess the password needed to administer the router by consulting a built-in list of default router username/password combinations. If successful, the malware alters the victim’s domain name system (DNS) records so that all future traffic passes through the attacker’s network first. DNS translates names into IP addresses, and changed settings might expose the victim’s Internet traffic.
The new Zlob Trojan, also known as DNSChanger, uses the same old technique and presents itself as a video codec required to view content on certain infected websites. When installed on the system, it tries to change key settings on the victim’s Internet router so that all of the victim’s Web traffic is routed through servers controlled by the attackers. The DNS hijack occurs while the installer program is running, so by the time the user sees the fake codec installer screen, the malware has already attempted to change the DNS settings on the victim’s router.
This appears to be the first time this behavior has been spotted in malware released into the wild. This new function should worry users since Zlob is among the most “popular” types of Trojans downloaded onto Windows machines (14.3 million instances of Zlob-related malware from customer machines in the second half of 2007, according to Microsoft).
A Windows user with a machine infected with a Zlob/DNSChanger variant may succeed in cleaning the malware off the computer completely, yet still leave the network compromised. Users will not look at the router settings if the Internet connection seems to be functioning fine. In reality, the router might still send traffic to malicious logging servers, even when the system is virus-free.
Sunbelt confirms that the malware successfully changes DNS settings on a Linksys router (model BEFSX41). It was a new, out-of-the-factory box with the default username and password. Another test showed that the Zlob variant successfully changed the DNS settings on a Buffalo router running the DD-WRT open source firmware.
Sunbelt also found that if there are multiple machines using the same router, all of the systems connected to that router will have their traffic hijacked. According to Eric Sites, chief technology officer at Sunbelt, this is something they have not seen before and it was only a matter of time before someone started using this attack. Sites said his team is testing the new Zlob variants against multiple routers to see how they fare against the malware.
Captured traffic shows that the new Zlob variant tries to reconfigure different routers by requesting the local Web page for the various “setup wizards” that ship with the devices. Routers serving machines infected by Zlob/DNSChanger should be reset to their default configuration if the settings have been changed. If there are other Zlob-infected machines using the same router, they will need to be cleared of the Trojan before resetting the router. Otherwise, the malware will simply go back and change the router’s DNS settings a few minutes after the reboot. You will need to reconfigure any security settings you had in place prior to the reset.
Credit: Sunbelt Blog, Washingtonpost Security Fix Blog
Personal information of more than 11,000 current and former University of Florida students was compromised after being posted on a school website, officials said Tuesday. The information, which included Social Security numbers, was put on a school tutoring site without a password. The site contained information about students at the school from 2003 to 2005 who expressed an interest in tutoring through the Office for Academic Support and Institutional Services.
In the wrong hands, Social Security numbers can be used to open credit card accounts, get government benefits or apply for a job. School officials emphasized that the site would not have been easy to find and they do not believe it was accessed by anyone outside the school.
Two former students who worked in the office were trying to create a database for tutoring and included information for about 11,300 students. Only students from the College of Liberal Arts and Sciences would have had information on the site. Letters were sent out Tuesday to students notifying them of the privacy breach, which was discovered last month during a routine school audit.
The school doesn’t have any evidence that the information was accessed but cannot be absolutely certain. The site has been taken down and the information has been removed from the university system.
The full press release regarding the incident can be found at http://privacy.ufl.edu/CLASBreach/CLASBreach.doc. For further questions, there is a UF Privacy Office hotline at 866-876-HIPA.