Apple released a security update for OS X Java on Tuesday, plugging a security vulnerability exploited by the latest Flashback Trojan. The latest variant of the Mac-specific malware appeared on Monday and targeted a vulnerability in Java (CVE-2012-0507) which was patched on Windows machines more than six weeks ago.
Apple’s new version of Java for OS X 10.6 (Snow Leopard) and 10.7 (Lion) offers Mac users equivalent protection.
Doctor Web, a Russian anti-virus vendor, conducted research to determine how widely the Flashback Trojan has spread on Mac OS X. The BackDoor.Flashback botnet now encompasses more than 550,000 infected machines, most of which are located in the United States and Canada. This once again refutes claims by some experts that there are no cyber-threats to Mac OS X.
Systems get infected with BackDoor.Flashback.39 after a user is redirected to a bogus site from a compromised resource or via a traffic distribution system. JavaScript code is used to load a Java-applet containing an exploit. Doctor Web’s virus analysts discovered a large number of web-sites containing the code. The recently discovered ones include:
According to some sources, links to more than four million compromised web-pages could be found on a Google SERP at the end of March. In addition, some posts on Apple user forums described cases of infection by BackDoor.Flashback.39 when visiting dlink.com.
Attackers began exploiting the CVE-2011-3544 and CVE-2008-5353 vulnerabilities to spread the malware in February 2012, and after March 16 they switched to another exploit (CVE-2012-0507). Apple closed that vulnerability only on April 3, 2012.
The exploit saves an executable file onto the hard drive of the infected Mac. The file is used to download the malicious payload from a remote server and launch it. Doctor Web found two versions of the Trojan horse: attackers started using a modified version of BackDoor.Flashback.39 around April 1. As with the older versions, the launched malware first searches the hard drive for the following components:
/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app
If none of these files is found, the Trojan uses a special routine to generate a list of control servers, sends an installation success notification to the intruders’ statistics server and then sends consecutive queries to the control server addresses.
It should be noted that the malware uses a very peculiar routine for generating these addresses. It can also switch between several servers for better load balancing. After receiving a reply from a control server, BackDoor.Flashback.39 verifies the reply’s RSA signature and, if the check succeeds, downloads and runs the payload on the infected machine. It may fetch and run any executable specified in a directive received from a server.
Each bot includes a unique ID of the infected machine in the query string it sends to a control server. Doctor Web’s analysts used a sinkhole to redirect the botnet traffic to their own servers and were thus able to count infected hosts.
As of April 4, over 550,000 infected machines running Mac OS X were part of the botnet. These comprise only the segment of the botnet set up by this particular BackDoor.Flashback modification. Most infected computers reside in the United States (56.6%, or 303,449 infected hosts), Canada comes second (19.8%, or 106,379 infected computers), the third place is taken by the United Kingdom (12.8%, or 68,577 cases of infection) and Australia with 6.1% (32,527 infected hosts) is fourth.
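Counting infected hosts from sinkhole traffic, as the bot ID in the query string makes possible, is shown below in an added example that is not Doctor Web’s tooling. It assumes the ID travels in a query parameter called `id` (a placeholder; the article does not name the real parameter) and uses constructed Apache-style log lines; deduplicating by ID rather than by source IP is what separates NATed bots and roaming laptops correctly.

```python
"""Count unique bots seen by a sinkhole web server from its access log."""
import re
from urllib.parse import urlsplit, parse_qs
from collections import defaultdict

# Apache combined log format; only the client IP and request path matter here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

# Constructed sample: three bots behind one NAT address, one of which later
# checks in from another network, plus an unrelated crawler request.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Apr/2012:10:00:01 +0000] "GET /index.php?id=ABC123 HTTP/1.1" 200 12 "-" "-"
10.0.0.5 - - [04/Apr/2012:10:05:01 +0000] "GET /index.php?id=ABC123 HTTP/1.1" 200 12 "-" "-"
10.0.0.5 - - [04/Apr/2012:10:05:30 +0000] "GET /index.php?id=DEF456 HTTP/1.1" 200 12 "-" "-"
10.0.0.5 - - [04/Apr/2012:10:06:10 +0000] "GET /index.php?id=GHI789 HTTP/1.1" 200 12 "-" "-"
198.51.100.7 - - [04/Apr/2012:11:06:00 +0000] "GET /index.php?id=ABC123 HTTP/1.1" 200 12 "-" "-"
198.51.100.7 - - [04/Apr/2012:11:07:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Googlebot"
"""

BOT_ID_PARAM = "id"  # assumed placeholder name for the bot's unique ID


def parse_line(line):
    """Return (client_ip, bot_id) for a log line, or None if it is not a bot check-in."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("path")).query
    ids = parse_qs(query).get(BOT_ID_PARAM)
    if not ids:
        return None  # request carries no bot ID: crawler, scanner, curious human
    return m.group("ip"), ids[0]


def count_hosts(log_text):
    """Summarise check-ins: unique bot IDs, unique source IPs, and IPs per bot."""
    ids_to_ips = defaultdict(set)
    ips = set()
    checkins = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, bot_id = parsed
        checkins += 1
        ips.add(ip)
        ids_to_ips[bot_id].add(ip)
    return {
        "checkins": checkins,
        "unique_ids": len(ids_to_ips),
        "unique_ips": len(ips),
        "roaming_bots": sorted(b for b, s in ids_to_ips.items() if len(s) > 1),
    }


if __name__ == "__main__":
    print(count_hosts(SAMPLE_LOG))
```

Counting by IP would report two hosts here; the IDs reveal three, and ABC123 shows up on two networks.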
In related news, Mozilla introduced changes in Firefox on Monday that will block older versions of Java that harbour critical vulnerabilities, specifically the increasingly infamous CVE-2012-0507 security flaw. “Blocklisting” forbids outdated plugins from running, unless specific approval is given. Mozilla has only introduced the technology into Windows versions of its open-source browser software, leaving Mac users without the added safety net.
Java is not needed to surf the net, with the exception of applications on some e-banking websites. Security firms – including F-Secure, Sophos and others – have begun advising users to disable the technology in their browsers as a largely unnecessary security risk.
Credit: The Register
Credit: news.drweb.com
Security solutions provider Comodo released a free service called SiteInspector, designed to scan websites for pieces of malware and compare them against a range of blacklisting services, such as the ones offered by Google Safe Browsing, PhishTank or Malwaredomainlist.
Drive-by-download malware attacks launched from websites that fall victim to mass infections are highly common these days. SiteInspector allows users to choose 3 pages on a domain that they want monitored. If the service identifies any trace of malicious elements, the customer is immediately notified via email.
In these situations, one of the main problems is that the owner doesn’t even know that his site is altered to serve pieces of malware. Another issue is that once the site is infected, blacklisting services, such as the ones run by Google, will restrict the traffic, a measure that can have devastating consequences for the business workflow.
This is why security firms come up with such tools and services. SiteInspector can take that burden off the shoulders of the administrator and automatize the malware scanning and blacklist monitoring process.
“SiteInspector dramatically reduces the time between problem identification to problem resolution for business websites,” Melih Abdulhayoglu, Comodo CEO and chief architect, revealed. “No longer will businesses have to wait for angry customers to complain that their website contains malicious content. To take advantage of this essential service, webmasters just need to take a few minutes to sign up and configure the service. SiteInspector will do the rest.”
The service includes features such as automatically recurring daily scans on three webpages, daily verifications against blacklists, email notification in case of an infection, threat mitigation advice in the situation where a malicious element is found, and an easy-to-use interface for users.
Website owners and administrators can sign up for the service right away at siteinspector.comodo.com.
Credit: Softpedia.com News
Bitdefender experts came across a piece of scareware that makes victims believe that something may have happened to all the files and folders stored on their computers. The user is then requested to pay $80 (60 EUR) for a tool that allegedly addresses the problem.
Scareware and ransomware are not uncommon; many security solutions providers have released advisories on how to handle threats that pose as law enforcement agencies and demand the payment of fines, accusing the user of copyright infringement. This Trojan, however, relies on the fact that many computer owners panic if they see that all their personal files and folders have suddenly disappeared.
Identified as Trojan.HiddenFilesFraud.A, the rogue disk repair utility starts by informing the user of certain issues that affect the computer. Since many people are already accustomed to fake AVs, this malicious application has an ace up its sleeve that makes everything look more realistic.
It changes the attributes of all files and folders, setting them as Hidden, so that the user may think that everything has been deleted from the hard drive. Certain key shortcuts are also disabled to induce more panic. Even worse, the worm that downloads HiddenFilesFraud.A, Win32.Brontok.AP@mm, ensures that the files’ attributes can’t be modified from Windows Explorer back to their original state.
After displaying the numerous “errors” that affect the system, the scareware advertises a repair utility that costs $80 (60 EUR). Of course, just as in the situations presented on other occasions, the so-called utility does absolutely nothing.
Brontok.AP@mm, the element responsible for installing Trojan.HiddenFilesFraud.A, quickly copies itself on removable media drives to ensure that it spreads without difficulty from one computer to another.
Scareware most often relies on the fact that users fail to keep their security software constantly up-to-date. That’s why internauts are always recommended to ensure that a decent, updated antivirus solution is always keeping an eye out for malicious elements.
Credit: Softpedia.com News
One of the developers of a network exploration and security auditing tool called Nmap is accusing CNET of bundling free software with Trojans and shady toolbars, and serving them on their Download.com website.
Gordon Lyon, also known as Fyodor, claims he discovered that Nmap and other free applications such as VLC are served with pieces of malware attached; according to the VirusTotal submission, 10 out of 39 vendors detect the Nmap installer as containing a Trojan.
“They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap’s real installer,” Fyodor said.
He is also upset that CNET uses the Nmap trademark on a download that is not actually clean, as if the developers were involved in it.
“In addition to the deception and trademark violation, and potential violation of the Computer Fraud and Abuse Act, this clearly violates Nmap’s copyright,” he adds.
He states that in many cases users will not look at what they’re downloading or installing and they’ll just end up with a changed homepage, an extra toolbar and maybe even a malicious element.
His biggest fear is that Nmap users will believe that all these extras actually come from the developers, thus ruining their reputation.
“We’ve long known that malicious parties might try to distribute a trojan Nmap installer, but we never thought it would be C|Net’s Download.com, which is owned by CBS! And we never thought Microsoft would be sponsoring this activity!”
CNET offered them the opportunity to opt out of the Download.com Installer, but Fyodor says he’s not going to stop here. He is now in search of a copyright attorney as he’s sure his rights have been violated.
At the time of writing, the Nmap installer on download.com seems to be clean so maybe the company already acted on the warnings received from the devs.
Credit: Softpedia.com News
Security researchers have discovered an unpatched flaw in Yahoo! Messenger that allows miscreants to change any user’s status message.
Hijacked status updates are a handy way to persuade a victim’s contacts to click on a link and lead them to a dangerous website. Worse still, the bug in version 11.x of the Messenger client requires minimal user interaction to work, unlike previous exploits that relied on conning prospective marks.
The attacker sends a supposed file to a target that is actually an iframe that swaps the status message for the attacker’s customized text, as explained in a blog post by net security firm BitDefender. The message might be, and in most attack scenarios would be, sent from outside a targeted user’s contact list.
If successfully executed, a victim will have no indication that his or her status message has been rewritten. The ruse might be used to gain affiliate incomes by promoting dodgy sites as well as directing users towards sites loaded with exploits or scareware scams.
Bitdefender said it has notified Yahoo about the vulnerability. Attacks based on the as yet unfixed flaw have already been detected in the wild, the Romanian security firm warns.
It advises users to change the setting of their IM client to “ignore anyone who is not in your Yahoo! Contacts” (which is off by default) as a precaution pending the release of a patch. In addition, some security suites include a web filter function that ought to defend users from this attack.
Credit: The Register
Security researchers warn that variants of a ZeuS spin-off trojan called Ice-IX are being distributed from osCommerce websites compromised during a recent mass injection attack. The attack, which targets osCommerce installations vulnerable to a flaw dating from November 2010, began at the end of July.
The code injection campaign escalated quickly: the number of infected pages jumped from 90,000 to over 3.8 million within a week and to 8 million two weeks later. The attack even prompted the German Federal Office for Information Security (BSI) to issue an alert because many of the infected websites are German online shops.
The code injected into the pages leads to externally hosted drive-by download exploits that target vulnerabilities in unpatched versions of Java, Adobe Reader, Internet Explorer and Windows XP. If exploitation is successful, a trojan is installed on the victim’s computer. According to the Malware Domain List, a non-commercial community project that tracks malicious URLs, that trojan is now Ice-IX.
“Ice-IX (modified Zeus) is currently being distributed by Oscommerce mass compromise campaign,” the project warned via Twitter. Ice IX is a new banking trojan based on the ZeuS source code leaked earlier this year.
The Ice-IX builder is sold on the underground market for as much as $1,800. Like ZeuS, it injects itself into browser processes to steal information, but one particularity of the samples seen so far is that they also steal Amazon AWS credentials.
Online shop owners who use osCommerce should upgrade to versions 2.3.1 or 3.0.2 of the platform as soon as possible. They are also advised to strengthen the security of their installations by implementing several recommendations described in a post on the osCommerce support forum.
Users should keep the software installed on their computers up to date and should run an antivirus solution capable of scanning web traffic.
Credit: Softpedia.com News
In the business world today, email has become one of the most heavily used means of communication. It is quick and easy, files and ideas can be simply transferred between people in other parts of the world and it is relatively inexpensive. The downside is that it can be extremely vulnerable, and important personal and company information can be easily compromised if the security standards are not up to par. There are a few areas of concern that every business person should know about.
Malicious attacks come from outside and unknown sources very easily through email. To combat this, there needs to be several layers of protection in place. If an attack is successful, data can be corrupted or lost, information can be stolen and time and money can be spent in trying to remedy the problem.
Having a robust virus scanning program and firewall system will help to limit attacks and potential viruses. With any program, the most important aspect would be that virus definitions are up to date and updates are installed as soon as they are released. Malicious programs are constantly evolving in an effort to stay ahead of the virus protection programs.
A new Android app makes hijacking other people’s Facebook, Twitter, YouTube and Amazon sessions a breeze over private or open wireless networks. Called FaceNiff, the app is the work of a Polish programmer named Bartosz Ponurkiewicz and was apparently released on his website in mid-May.
“It is possible to hijack sessions only when WiFi is not using EAP, but it should work over any private networks (Open/WEP/WPA-PSK/WPA2-PSK),” the developer writes. FaceNiff requires root access on the phone in order to work properly. Root (admin) access is not enabled by default on most devices, but there are many tutorials and tools available to obtain it.
So far, the app can hijack sessions for Facebook, Twitter, YouTube, Amazon and Nasza-Klasa, a Polish social networking service. It has been confirmed to work on HTC Desire CM7 (CyanogenMod 7), Original Droid/Milestone CM7, SE Xperia X10, Samsung Galaxy S (Galaxy S T-Mobile), Nexus 1 CM7, HTC HD2, LG Swift 2X, LG Optimus Black – original rom, LG Optimus 3D – original rom, Samsung Infuse.
Session hijacking, also known as side-jacking, involves attackers positioning themselves between users and websites in order to steal session cookies, the small text files stored in browsers so that services can remember authenticated users.
Session cookies can be placed into any browser to take control over the sessions they correspond to. This type of attack does not expose passwords, but does give attackers access to the victims’ accounts.
Firesheep, an extension for Firefox released last year, is based on a similar concept, and its availability led major websites such as Google, Facebook and Twitter to speed up their SSL deployment plans.
At the moment, the only method to protect the transmission of session cookies over wireless networks is to encrypt them and this can only be done on websites that support HTTPS, a combination of HTTP and SSL/TLS.
Users are strongly advised to only log into websites that support HTTPS when connected over wireless networks. The HTTPS-Everywhere extension developed by the EFF can force HTTPS automatically on major websites.
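The site-side counterpart to the HTTPS advice above is to mark session cookies so the browser never sends them in the clear. The added example below (not from the article or from FaceNiff’s author) audits a server’s response headers for that: a session cookie without the Secure attribute travels over plain HTTP as well, which is exactly what a passive sniffer on a shared wireless network collects. The two responses are constructed for illustration.

```python
"""Audit Set-Cookie and HSTS headers for cookies that could be side-jacked."""
from dataclasses import dataclass


@dataclass
class CookieFinding:
    name: str
    issues: list


# Constructed sample responses as lists of (header, value) pairs.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=1f3a9c; Path=/"),          # sent over HTTP too
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=3600"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=1f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=3600; Secure; HttpOnly; SameSite=Lax"),
]


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, {lowercase attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_headers(headers):
    """Return (list of CookieFinding, hsts_present) for a server response.

    Secure keeps the cookie off plain-HTTP connections (the side-jacking case),
    HttpOnly keeps it away from script, SameSite limits cross-site sending.
    """
    findings = []
    hsts = False
    for hname, hval in headers:
        lname = hname.lower()
        if lname == "strict-transport-security":
            hsts = True
        elif lname == "set-cookie":
            name, attrs = parse_set_cookie(hval)
            issues = []
            if "secure" not in attrs:
                issues.append("missing Secure: cookie is also sent over plain HTTP")
            if "httponly" not in attrs:
                issues.append("missing HttpOnly: readable by injected script")
            if "samesite" not in attrs:
                issues.append("missing SameSite: sent on cross-site requests")
            if issues:
                findings.append(CookieFinding(name, issues))
    return findings, hsts


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found, hsts = audit_headers(resp)
        print(label, "HSTS:", hsts, [(f.name, f.issues) for f in found])
```

Without HSTS a user who types the site name without the scheme still makes one plain-HTTP request first, so the header matters alongside the cookie flags.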
FaceNiff app homepage: http://faceniff.ponury.net
Credit: Softpedia.com News
Microsoft is now providing customers with a standalone malware scanner running from bootable CDs, DVDs or USB drives, for use on systems that are infected with sophisticated threats. The tool, called Microsoft Standalone System Sweeper, might have been available for some time now, but Microsoft didn’t actively promote it to the masses. Instead, it asked its customer support staff to decide which cases warrant its use.
Computer malware comes in various forms and with different capabilities. Some threats are more sophisticated and resilient to removal than others. Many families of malware interfere with certain antivirus programs by preventing them from running on infected systems or stopping their services.
Others block access to security websites to stop victims from downloading anti-malware programs or asking for help. One type of persistent malware is the rootkit. Rootkits register themselves as drivers, which gives them low-level access to the operating system. In some cases they can even interact directly with the hard drive without relying on the Windows file system APIs, and they can use this ability to protect themselves.
One particularly nasty type of rootkit is capable of writing code into the master boot record (MBR). This lets it control the boot process and start even before the operating system, which is why such rootkits are referred to as bootkits.
All these threats pose various problems for traditional antivirus programs which can make properly cleaning a Windows installation while it’s running impossible. To solve this issue, some antivirus vendors have created so-called rescue discs, bootable CDs that start a separate operating system and can run their anti-malware products unrestricted. This is a very effective method, because the malware can’t interfere with the scanning process and everything is run from memory; nothing is installed on the hard drive.
It looks like Microsoft has decided to provide a similar solution in the form of a tool called Microsoft Standalone System Sweeper. This tool is still in beta and depends on the Windows installation, whereas the other antivirus vendors normally use Linux for their rescue discs.
Users can download a builder application which creates a bootable CD, DVD or USB drive. They have to choose between a 32-bit or a 64-bit version, depending on the architecture of the infected Windows system they want to clean.
The link to this tool is now available in our Free Anti-virus, Online Scan And Rescue CDs page.
Credit: Softpedia.com News
Lockheed Martin has reportedly suspended remote access to email and corporate apps following the discovery of a network intrusion that may be linked to the high-profile breach against RSA earlier this year.
The manufacturer of F-22 and F-35 fighter planes has reset passwords in response to a “major internal computer network problem”, according to two anonymous sources and an unnamed defence official, Reuters reports. Technology blogger Robert Cringely reports that Lockheed detected the suspected breach on Sunday. He adds that an estimated 100,000 personnel will be issued with new tokens before remote access is restored, a process likely to take at least a week.
The incident involves the use of SecurID tokens from RSA to log into accounts and may be tied to, or at least use information extracted from, an attack on RSA Security’s systems back in March. Unknown (or at least unidentified) hackers broke into the EMC division’s network and made off with unspecified information related to SecurID, possibly the seeds used to generate the one-time codes supplied by the tokens.
RSA has publicly explained how the attack might have taken place but not what was obtained. It did however warn that the breach may affect the level of protection offered by SecurID tokens, which are very widely used for two-factor authentication.
Potential hackers would still need a lot of information – including user account names and PINs – to break into corporate email or remote access systems protected by RSA SecurID. Our best guess is that Lockheed detected an attempt to access just this information and responded by suspending remote access and shutting down portions of its network as a precaution.
The data held by Lockheed would be of profound interest to agents of a hostile power. The level of sophistication of the original RSA hack strongly points towards state-sponsored hackers, so Lockheed’s response is proportionate to an all too real cyberespionage threat.
Credit: The Register