CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
June 2nd, 2011

Microsoft Release Standalone System Sweeper, Bootable Malware Scanner For Infected Computers

Microsoft is now providing customers with a standalone malware scanner running from bootable CDs, DVDs or USB drives, for use on systems that are infected with sophisticated threats. The tool, called Microsoft Standalone System Sweeper, might have been available for some time now, but Microsoft didn’t actively promote it to the masses. Instead, it asked its customer support staff to decide which cases warrant its use.

Computer malware comes in various forms and with different capabilities. Some threats are more sophisticated and resilient to removal than others. Many families of malware interfere with certain antivirus programs by preventing them from running on infected systems or stopping their services.

Others block access to security websites so that victims cannot download anti-malware programs or ask for help. One type of persistent malware is the rootkit. Rootkits register themselves as drivers, which gives them kernel-level access to the operating system. In some cases they can even talk to the hard drive directly, bypassing the Windows file system APIs, and they use this capability to hide and protect themselves.

One particularly nasty class of rootkit writes its code into the master boot record (MBR). This lets it take control of the boot process and run before the operating system has even loaded, which is why such rootkits are called bootkits.
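
Since a bootkit has to leave its loader in the first sector of the disk, the most direct check is to compare the MBR's boot code against a hash recorded while the machine was known to be clean. The script below is an added example written for this page; it is not Microsoft's tool and not code from the original article. The sample MBRs, the baseline hash and the "infected" variant are all constructed inline, and the partition layout (one NTFS-type partition at LBA 2048) is an assumption for the sample only.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the bootstrap code in the classic layout
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510        # 0x55AA marks a valid boot sector


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into a boot-code hash, the partition table and the signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_LEN])
        if ptype != 0:                       # type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "signature_ok": mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the known-clean baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if sum(1 for p in info["partitions"] if p["bootable"]) > 1:
        findings.append("more than one active partition")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test MBR: the given boot code, one NTFS-type partition at LBA 2048, valid signature."""
    assert len(boot_code) == BOOT_CODE_LEN
    disk_signature = b"\x11\x22\x33\x44" + b"\x00\x00"       # 4-byte disk id + 2 reserved bytes
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry0 + b"\x00" * (3 * PART_ENTRY_LEN)           # remaining three slots empty
    return boot_code + disk_signature + table + b"\x55\xaa"


# Constructed "clean" boot code (arbitrary filler, not real boot code) and the baseline hash
# an administrator would have recorded while the machine was known to be clean.
CLEAN_BOOT_CODE = bytes(range(256)) + bytes(BOOT_CODE_LEN - 256)
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# A bootkit typically overwrites the start of the boot code with a jump into its own loader;
# here the first two bytes are replaced to simulate that.
INFECTED_MBR = build_sample_mbr(b"\xeb\x1e" + CLEAN_BOOT_CODE[2:])

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE_SHA256) or "OK")
    print("infected:", check_mbr(INFECTED_MBR, BASELINE_SHA256))
```

On a real machine the first sector comes from open(r"\\.\PhysicalDrive0", "rb").read(512) on Windows (administrator rights required) or from /dev/sda on Linux. The catch is exactly the article's point: a rootkit that is already running can filter those reads and hand back a clean sector, so the read has to be done from a rescue environment in which the infected OS is not running. The baseline must also have been taken before the infection; comparing against a hash recorded afterwards only proves the bootkit is stable.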

All of these threats cause problems for traditional antivirus programs, and can make it impossible to properly clean a Windows installation while it is running. To get around this, some antivirus vendors have created so-called rescue discs: bootable CDs that start a separate operating system and run the vendor's anti-malware engine unrestricted. This is very effective, because the infected system never gets to run, so the malware cannot interfere with the scan; the rescue environment runs from memory and installs nothing on the hard drive. The one prerequisite is that the machine must actually boot from the rescue media, so the BIOS boot order may need to be changed first.

It looks like Microsoft has decided to provide a similar solution in the form of a tool called Microsoft Standalone System Sweeper. The tool is still in beta and is Windows-based, whereas other antivirus vendors normally build their rescue discs on Linux.

Users download a builder application which creates a bootable CD, DVD or USB drive. They have to choose between a 32-bit and a 64-bit version, matching the architecture of the infected Windows system they want to clean.

The link to this tool is now available in our Free Anti-virus, Online Scan And Rescue CDs page.

Credit: Softpedia.com News

More on CyberInsecure:
  • Free Anti-virus, Online Scan And Rescue CDs Links
  • AVG Free Security Scanner Goes Multi-Lingual
  • Days Before Conficker Outbreak Researchers Detect An Easy Detection Method For Infected Machines
  • Microsoft Office Snapshot Viewer ActiveX Control Vulnerability
  • Another Worm Exploiting MS08-067 Windows Flaw Spotted In The Wild

  • May 29th, 2011

    Honda Suffers Data Breach, Personal Information Of 283,000 Customers Exposed

    Honda’s Canadian division has suffered a data breach that exposed the personal information of 283,000 customers, according to its website and published media reports.

    The purloined data includes the names, addresses and vehicle identification numbers of customers who made purchases in 2009. The company is warning customers to be wary of scams, which could use the stolen information to trick customers into revealing additional data, which could be used in identity theft.

    “We do not recommend that customers take any specific action at this time, other than being alert for marketing campaigns from third parties that reference your ownership of a Honda vehicle,” Honda’s online advisory stated.

    According to The Toronto Star, the breach affects 283,000 customers. Honda’s advisory also said that Honda Financial Services account numbers were also exposed “in a small number of cases.”

    It’s the second time in less than six months that Honda has reported a security breach that leaked customers’ personally identifiable information. In late December, Honda’s US division warned that hackers made off with a database containing the names, email addresses, and vehicle identification numbers of 2.2 million customers.

    Honda’s latest warning comes as Sony begins restoring some online gaming services to customers in Asia. The company exposed details for more than 100 million customers after hackers penetrated systems for its PlayStation Network and Sony Online Entertainment service.

    Credit: The Register

    More on CyberInsecure:
  • WellPoint Customers Private Information Exposed
  • Lost Laptop Exposes Thousands Of “Pensions Trust” Members Records
  • Citigroup Admits Customer Data Breach, 200,000 North American Credit Card Holders Possibly Affected
  • Harvard System Compromised By A Hacker
  • Massive Data Breach In Eastern Washington University, 130,000 Student Records Exposed

  • May 27th, 2011

    Lockheed Martin Discovers Network Intrusion, Suspends Remote Access

    Lockheed Martin has reportedly suspended remote access to email and corporate apps following the discovery of a network intrusion that may be linked to the high-profile breach against RSA earlier this year.

    The manufacturer of F-22 and F-35 fighter planes has reset passwords in response to a “major internal computer network problem”, according to two anonymous sources and an unnamed defence official, Reuters reports. Technology blogger Robert Cringely reports that Lockheed detected the suspected breach on Sunday. He adds that an estimated 100,000 personnel will be issued with new tokens before remote access is restored, a process likely to take at least a week.

    The incident involves the use of SecurID tokens from RSA to log into accounts, and may be tied to, or at least use information extracted from, the attack on RSA Security’s systems back in March. Unknown (or at least unidentified) hackers broke into the EMC division’s network and made off with unspecified information related to SecurID, possibly the seeds used to generate the one-time codes displayed by the tokens.

    RSA has publicly explained how the attack might have taken place but not what was obtained. It did however warn that the breach may affect the level of protection offered by SecurID tokens, which are very widely used for two-factor authentication.

    Potential hackers would still need a lot of information – including user account names and PINs – to break into corporate email or remote access systems protected by RSA SecurID. Our best guess is that Lockheed detected an attempt to access just this information and responded by suspending remote access and shutting down portions of its network as a precaution.
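
To see why a leaked seed matters, and why the PIN then becomes the only thing standing between an attacker and the account, here is an added example written for this page; it is not RSA code and does not implement SecurID's proprietary algorithm. It uses the standard RFC 6238 time-based one-time password construction (HMAC-SHA1 over a time counter) as a stand-in, with a 60-second step to mimic a SecurID display interval. The user name, seed, PIN and timestamp are all constructed for the example.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the time counter, dynamically truncated (RFC 4226)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenServer:
    """Minimal authentication server: per-user seed and PIN; login needs user name + PIN + current code."""

    def __init__(self, users: dict, step: int = 60):
        self.users = users          # username -> (seed, pin)
        self.step = step

    def verify(self, username: str, pin: str, code: str, now: int) -> bool:
        if username not in self.users:
            return False
        seed, expected_pin = self.users[username]
        if not hmac.compare_digest(pin, expected_pin):
            return False
        # accept the current and the previous window to tolerate token clock drift
        return any(hmac.compare_digest(code, totp(seed, t, self.step))
                   for t in (now, now - self.step))


# Constructed data: one user, a seed as it would sit in the vendor's seed records, a 4-digit PIN,
# and a fixed timestamp (May 2011) so the example is deterministic.
SEED_DB = {"alice": (b"constructed-seed-for-alice-0123456789", "4729")}
SERVER = TokenServer(SEED_DB)
NOW = 1306108800


def legitimate_login(now: int = NOW) -> bool:
    """Alice reads the code off her token (which holds the same seed) and types PIN + code."""
    return SERVER.verify("alice", "4729", totp(SEED_DB["alice"][0], now), now)


def attacker_with_seed_only(now: int = NOW) -> bool:
    """Seed records stolen: the attacker computes Alice's current code but has to guess the PIN."""
    return SERVER.verify("alice", "0000", totp(SEED_DB["alice"][0], now), now)


def attacker_with_seed_and_pin(now: int = NOW) -> bool:
    """Seed plus a phished or keylogged PIN: the 'something you have' factor is gone entirely."""
    return SERVER.verify("alice", "4729", totp(SEED_DB["alice"][0], now), now)


def attacker_with_pin_only(now: int = NOW) -> bool:
    """Without the seed the attacker cannot compute the code; a code from some other seed is rejected."""
    return SERVER.verify("alice", "4729", totp(b"some-other-seed", now), now)


if __name__ == "__main__":
    print("legitimate user:        ", legitimate_login())
    print("attacker, seed only:    ", attacker_with_seed_only())
    print("attacker, seed and PIN: ", attacker_with_seed_and_pin())
    print("attacker, PIN only:     ", attacker_with_pin_only())
```

Reissuing tokens replaces the seed, which is why resetting passwords alone would not have closed the gap: against an attacker who already holds the seed, the PIN is the only remaining secret and the account-lockout policy is the only thing stopping it from being guessed. The totp() function can be checked against the published RFC 6238 test vector (ASCII seed 12345678901234567890, time 59, 30-second step, 8 digits gives 94287082).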

    The data held by Lockheed would be of profound interest to agents of a hostile power. The level of sophistication of the original RSA hack strongly points towards state-sponsored hackers, so Lockheed’s reaction is proportionate to an all too real cyberespionage threat.

    Credit: The Register

    More on CyberInsecure:
  • U.S. Government Contractor Northrop Grumman Suspends Remote Network Access, Raising Cyber Attack Suspicions
  • University Of Massachusetts Amherst’s Health Services Network Breached By Hackers
  • PlayStation Network Investigates Intrusion, Down For Over 3 Days
  • Buyers Details Stolen From 14 Advance Auto Parts Stores
  • D-Link Wireless Routers With New ‘Security Feature’ Are Susceptible To Network Intrusion

  • May 16th, 2011

    Geek.com Compromised, Visitors Infected With Malware

    Security researchers from cloud security provider Zscaler warn that technology website geek.com was compromised and many of its pages are executing drive-by download attacks against visitors. Geek.com is one of the oldest technology news websites around, dating back to 1996, the dawn of the commercial World Wide Web.

    Attackers have managed to inject rogue IFrames into different portions of the site, both within articles and the site’s main pages like home, about us, etc. According to Umesh Wanve, a senior security research engineer at Zscaler, there are multiple infections and the iframes take visitors to different malicious websites.

    One example is the rogue code injected into a May 13 article about Call of Duty: Modern Warfare 3 details being leaked, which redirects visitors to an exploit kit. These kits perform various checks to determine which versions of certain programs users have installed on their computers and then serve exploits for vulnerabilities in those products.

    The most commonly used applications like Java Runtime Environment, Flash Player, Adobe Reader or the browser itself are usually targeted. “As this first article is highlighted and ‘Call of Duty’ is a very popular game, one can assume that many people have fallen victim to this attack,” Mr. Wanve says.

    Drive-by download attacks are currently one of the main malware distribution channels on the Internet. They are very dangerous because in most cases they are completely transparent to victims. “Unfortunately, we see hundreds of attacks such as this each and every day. Many legitimate websites are being compromised by taking advantage of poor coding practices in web applications,” the Zscaler security researcher says.

    Users can protect themselves by keeping all of their software up to date, including the operating system itself, and by running anti-virus products capable of scanning web traffic. Mozilla Firefox users can also use extensions such as NoScript, which blocks scripts and plugin content from domains the user has not trusted.

    Credit: Softpedia.com News

    More on CyberInsecure:
  • Thousands Of High-Ranked Webpages Infected With Malware, Including Intljobs.org, WSJ.com, tomtom.com.tw
  • Compromised Twitter Accounts Spread Links to Malware Downloads
  • CBS.com Subdomain Compromised, Installing Malware On Visitors PC’s
  • MLB.com Major League Baseball Website Infected Visitors Through Ads
  • Mass Web Infections Spike To 6 Million Pages In 640,000 Sites

  • May 13th, 2011

    Video Game Publisher Eidos Interactive Servers Breached, Sensitive Data Stolen

    Hackers have broken into servers belonging to Eidos Interactive, a well-known game publisher now owned by Square Enix, and stolen sensitive data. The hackers who carried out the attack appear to be affiliated with the Anonymous splinter group that recently took over AnonOps, the hacktivist collective’s IRC network.

    The target seems to have been the Deus Ex Human Revolution website which is dedicated to the upcoming game from the Deus Ex franchise. On Thursday morning the first page of the website displayed a message reading “Owned by Chippy1337” and “Hacked by Xero (Ryan King), XiX (Ian Summers), Evil Hom3r, Viral (Ryal Cleary), Nikon, Venuism (Aaron Lingard).”

    However, according to IRC logs that surfaced after the incident, the real hackers went by the handles evo and n` (nigg), two Anonymous members known to have been involved in the recent Anonymous coup. The handles and names placed on the defaced page were chosen deliberately to cause problems for those individuals. The logs, leaked by someone who monitored the hackers’ chat room, reveal that evo had far more devious plans for the deusex.com website.

    “We should put 0day or exploits in the pdf and see if someone logs in. We will use a RAT [Remote Administration Tool] that will be the payload. One thing that would be funny, I write a nasty virus that will bsod [blue screen of death] on startup, [expletive] up all your drives, delete tons of files, forkbomb on start, etc. We put that in an exploit kit on the main page. There [sic] security will be responsible for like thousands of [expletive] up computers and it would make the news,” evo wrote.

    The techniques described are commonly used by cyber criminals to infect computers in drive-by download attacks, which suggests that evo is familiar with this type of activity. Fortunately nigg disagreed with the idea, not for ethical reasons, but because there wasn’t enough time to put it into practice.

    Instead they went for the defacement and leaking of captured information. A torrent was uploaded to The Pirate Bay claiming to contain 370 CVs and the website’s user database.

    Square Enix later confirmed that eidosmontreal.com and two product websites were compromised by a group of hackers. As a result, the company said, up to 350 CVs and 25,000 email addresses used by people to register for updates, have been stolen.

    More on CyberInsecure:
  • Ubisoft Servers Hit By DDoS Attack Over The Weekend
  • Pirates Privacy Breached After Downloading Fake Game Installer
  • Sony PlayStation Network Breached, 77 Million Users Private Data Stolen
  • RSA Servers Breached, SecurID Two-factor Authentication Tokens Data Stolen
  • Google Video Search Results Poisoned To Serve Malware

  • May 3rd, 2011

    Sony Second Data Breach Exposes Over 24 Million Personal And Financial Records

    Following recent revelations that PlayStation Network (PSN) was compromised by hackers who stole the personal information of millions of users, Sony Online Entertainment, another division of Sony Corporation, has announced a computer intrusion that led to the exposure of over 24 million personal and financial records. San Diego-based Sony Online Entertainment LLC is a developer and publisher of massively multiplayer online games such as EverQuest and EverQuest II.

    “Sony Corporation and Sony Computer Entertainment announced today that their ongoing investigation of illegal intrusions into Sony Online Entertainment LLC (SOE, the company) systems revealed yesterday morning (May 2, Tokyo time) that hackers may have stolen SOE customer information on April 16th and 17th, 2011 (PDT),” the company said in a press release.

    The engineers investigating the intrusion have determined that personal information including names, addresses, emails, birth dates, genders, phone numbers, login names and hashed passwords, of 24.6 million SOE customers might have been stolen. In addition, there is reason to believe that hackers also stole 10,700 bank account numbers associated with customer names, addresses and account names.

    Because the SOE services are subscription-based, the company will extend the subscription period by 30 days for all accounts. In addition, it will compensate subscribers with an extra free day for every day the system remains offline. SOE also plans to provide free identity theft protection services to customers in each of the affected regions, which include Austria, Germany, the Netherlands and Spain.

    This breach is even more serious than the PSN one, which exposed 77 million records, because in this case the loss of financial information is very likely. In PSN’s case, the compromise of billing data was considered unlikely because it was stored in encrypted form.

    SOE operates online servers for games like EverQuest, EverQuest II, PlanetSide, Star Wars Galaxies, Free Realms, Vanguard: Saga of Heroes, and DC Universe Online.

    Credit: Softpedia.com News

    More on CyberInsecure:
  • Honda Suffers Data Breach, Personal Information Of 283,000 Customers Exposed
  • Sony Attacked Again, 1 Million Users Compromised At SonyPictures.com
  • Massive Data Breach In Eastern Washington University, 130,000 Student Records Exposed
  • UK Prime Minister’s Health Records Breached In 2.5 Million People Database Attack
  • Sega Confirms Customer Service System Breach, 1.3 Million Records Stolen

  • May 3rd, 2011

    Goal.com Parts Injected With Malware-Serving Code, Multiple Pages Including English Affected

    Security researchers from Armorize warn that attackers have managed to inject visitor-infecting code into the popular soccer news website goal.com. The rogue iframe has been inserted, probably through SQL injection techniques, into multiple goal.com pages including the main English one.

    “From what we’ve collected, parts of goal.com seem to have been compromised allowing the attacker to manipulate content at will. A backdoor may exist to allow the attacker continuous control of goal.com’s content,” the researchers write.

    Furthermore, they believe the attacker was only testing his exploits, which is how the compromise came to be picked up by the company’s automated scanners.

    If this is true, it would make for very odd behavior, given that goal.com is a pretty high-profile target to waste on simple tests. The website has over 200,000 unique visitors per day and ranks 379 on Alexa. The pool of potential victims is very varied because it covers over 200 countries with content in 22 languages.

    The injected iframe takes visitors through a series of redirects meant to determine the version of their browser, OS and other software.

    The results influence which exploits are loaded. In this drive-by download attack, the cyber criminals are using an exploit toolkit known as g01pack. An interesting feature of this pack is a fake admin/stats page intentionally protected with weak or default passwords to throw researchers off.

    During their supposed testing, the attackers behind this compromise used exploits for Java (CVE-2010-1423), Windows (CVE-2010-1885, CVE-2006-0003) and Adobe Reader (CVE-2009-0927).

    According to the Armorize analysts, the exploit code was “mutated,” a detection evasion technique used in addition to the regular obfuscation.

    Fortunately, most of the domains involved in the attack have been blacklisted by Google’s Safe Browsing service, which means that Firefox and Chrome users are warned before those domains load (for as long as the attackers stay on them rather than moving to fresh ones). However, the AV detection rate for the installed malware remains pretty low (37%) at the time of writing.
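
Both this compromise and the geek.com one described above came down to the same artefact: an iframe inserted into otherwise legitimate pages, usually hidden and pointing at a host the site never references. The scanner below is an added example written for this page, not Armorize or Zscaler code. It parses a page and flags iframes that point off-site, are sized to a pixel or two, or are hidden by CSS, and also flags scripts that document.write obfuscated iframe markup. The sample page, its trusted embed host and the malicious host names (reserved .example domains) are all constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect every <iframe> tag's attributes and the body of every <script> block."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.script_bodies = []
        self._script_buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._script_buf = []

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.script_bodies.append("".join(self._script_buf))
            self._script_buf = None


def _pixels(value):
    """'1', '1px' -> 1; '100%' -> 100; None or non-numeric -> None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def iframe_reasons(attrs: dict, allowed_hosts: set) -> list:
    """Why a single iframe looks injected; an empty list means it looks like a normal embed."""
    reasons = []
    host = urlparse(attrs.get("src") or "").hostname      # None for relative URLs
    if host and host.lower() not in allowed_hosts:
        reasons.append(f"external host {host}")
    width, height = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
    if (width is not None and width <= 2) or (height is not None and height <= 2):
        reasons.append("near-zero size")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style or re.search(r"(left|top):-\d", style):
        reasons.append("hidden by CSS")
    return reasons


def scan_page(html: str, page_host: str, trusted_hosts=()) -> list:
    """Return [(src_or_marker, [reasons])] for everything on the page that looks like an injected iframe."""
    allowed = {page_host.lower(), *(h.lower() for h in trusted_hosts)}
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = iframe_reasons(attrs, allowed)
        if reasons:
            findings.append((attrs.get("src"), reasons))
    # injected code is frequently written at runtime from an escaped or char-coded string
    for body in parser.script_bodies:
        lowered = body.lower()
        if re.search(r"document\.write\s*\(", lowered) and (
                "<iframe" in lowered or "unescape(" in lowered or "fromcharcode" in lowered):
            findings.append(("<script>", ["document.write of obfuscated iframe markup"]))
    return findings


# Constructed sample page: one legitimate video embed, one injected hidden iframe,
# and one script that writes an iframe from a percent-escaped string.
SAMPLE_HTML = """<html><body>
<h1>Match report</h1>
<iframe src="http://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://redirector.example/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//kit.example/go%22%3E%3C/iframe%3E'));</script>
</body></html>"""

if __name__ == "__main__":
    for src, why in scan_page(SAMPLE_HTML, "www.goal.com", {"www.youtube.com"}):
        print(src, "->", ", ".join(why))
```

These are the heuristics a site owner would run from a crawl of their own pages. Expect false positives from legitimate tracking pixels and ad tags, which is why the allow-list matters, and expect misses from injections that build the markup with eval or string splitting; the check finds the symptom, while the actual fix is the server-side hole (in this case the SQL injection Armorize suspected) and the backdoor they warned may still be present.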

    Credit: Softpedia.com News

    More on CyberInsecure:
  • Daily Mail Serves Malicious Ads, Readers Redirected To Malware Installing Server
  • Multiple TechCrunch Websites Compromised, Infect Visitors With Malware
  • Spam And Malware In Google Ads
  • Google Detects Malware Infection On eBay Solutions Provider Auctiva.com
  • English Defence League Website And Database Hacked, Members Names And Addresses Stolen

  • April 28th, 2011

    Malicious Advertisements Spotted On Yahoo! Philippines, Visitors Infected With Trojan

    Security researchers have detected a malvertizing attack launched from the home page of Yahoo! Philippines in order to infect users with a trojan. Trend Micro detects this particular threat as TSPY_PIRMINAY.A, a trojan that collects sensitive data from computers and modifies the Windows HOSTS file to block access to The Pirate Bay, Mininova and other sites associated with them.
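
Tampering with the HOSTS file is a cheap way for malware to cut a victim off from update and security sites (or, as here, from file-sharing sites someone wants blocked), and the change is easy to audit. The script below is an added example written for this page, not Trend Micro's analysis or detection code: it parses a HOSTS file and flags watch-listed domains that have been blackholed or redirected, plus any other name pinned to an address. The sample file contents, the watch-list of domains and the bank name (a reserved .example domain) are constructed, and the TEST-NET address 203.0.113.10 stands in for an attacker's server.

```python
import ipaddress

# Constructed watch-list: domains that should never be mapped in a workstation's HOSTS file.
# The trojan in the article blackholed file-sharing sites; blocking security vendors is the commoner variant.
WATCHLIST = ("thepiratebay.org", "mininova.org", "windowsupdate.com", "microsoft.com", "trendmicro.com")


def domain_matches(name: str, suffix: str) -> bool:
    """True for the domain itself or any subdomain of it (avoids 'notthepiratebay.org' false matches)."""
    return name == suffix or name.endswith("." + suffix)


def parse_hosts(text: str) -> list:
    """Return (address, hostname, line_no) triples; comments and blank lines are ignored."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]     # one address may carry several names
        for name in names:
            entries.append((address, name.lower(), line_no))
    return entries


def audit_hosts(text: str) -> list:
    """Return (line_no, hostname, address, reason) for every mapping worth a look."""
    findings = []
    for address, name, line_no in parse_hosts(text):
        if name == "localhost" or name.endswith(".localdomain"):
            continue                                  # stock entries
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, name, address, "unparseable address"))
            continue
        blackholed = addr.is_loopback or addr.is_unspecified    # 127.0.0.1, ::1 or 0.0.0.0
        if any(domain_matches(name, s) for s in WATCHLIST):
            reason = "watch-listed domain blackholed" if blackholed else "watch-listed domain redirected"
        elif blackholed:
            reason = "domain blackholed (review: ad-blocking lists do this legitimately)"
        else:
            reason = "hostname pinned to a non-local address (possible pharming)"
        findings.append((line_no, name, address, reason))
    return findings


# Constructed sample, modelled on a HOSTS file after an infection like the one described above.
SAMPLE_HOSTS = """# constructed sample, not a real system file
127.0.0.1       localhost
::1             localhost
127.0.0.1       thepiratebay.org
127.0.0.1       www.thepiratebay.org
127.0.0.1       mininova.org
0.0.0.0         www.trendmicro.com      # security vendor blackholed
203.0.113.10    www.bank.example        # legitimate name pointed at an attacker-controlled address
"""

if __name__ == "__main__":
    for line_no, name, address, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {address}: {reason}")
```

The live file is %SystemRoot%\System32\drivers\etc\hosts. Malware frequently sets it hidden and read-only, and some variants point the DataBasePath value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters at a different directory so the file you open is not the one the resolver reads, so check that value and, if the machine is suspect, read the file from a rescue environment. A name mapped to 127.0.0.1 simply fails to load; a name mapped to a public address is the more dangerous case, since the browser will connect there without complaint.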

    Even more intriguing is the fact that the malicious advertisement was for Yahoo! Philippines’ own Purple Hunt 2.0 competition. The original Purple Hunt was held in 2009 and involved users looking for clues online and offline in order to win prizes. The competition proved very popular so a second edition was organized for this year. The grand prize is a purple Hyundai i10 which is what the rogue ad displayed.

    According to Maharlito Aquino, a threats analyst at Trend Micro who analyzed this latest attack, when clicked, the rogue ad served a file called com.com from randomly generated URLs.

    COM is a binary executable format that dates back to the days of MS-DOS. Windows still treats any file with a .com extension as executable: a genuine DOS .COM program runs under the NTVDM subsystem on 32-bit systems, and an ordinary Win32 executable renamed to .com runs regardless of the extension (System32 itself ships PE binaries such as more.com and tree.com). Malware pushers have exploited the unfamiliar extension to trick users for a long time.

    According to Mr. Aquino, the malicious ad was designed to offer the file for download only once to every user. To achieve this it probably kept a history of IP addresses that accessed it.

    Yahoo’s ad security team was alerted and reacted quickly by blocking the malvertizement from infecting more users. However, the method used to put the rogue ad up on the site’s home page in the first place, was not revealed.

    One common technique is tricking ad vetting employees to accept the ads by impersonating a legit advertising company. Another way is to compromise the ad server and inject the ad directly.

    Credit: Softpedia.com News

    More on CyberInsecure:
  • Yahoo! Marketing Hit By Phishers, Phished Accounts Lead To Malvertising And Malware Distribution
  • Yahoo Banner Ads Infecting Visitors With Malware
  • Recently Patched Adobe Reader Flaw Used By Miscreants To Hijack PCs
  • Scareware Malvertizements Approved By Google And Microsoft Ad Systems, Served On msnbc.com, mail.live.com
  • Malicious Adobe Flash Ads Hit High-Profile Websites

  • April 26th, 2011

    Sony PlayStation Network Breached, 77 Million Users Private Data Stolen

    Sony is warning its millions of PlayStation Network users to watch out for identity-theft scams after hackers breached its security and plundered the user names, passwords, addresses, birth dates, and other information used to register accounts. Sony’s stunning admission came six days after the PlayStation Network was taken down following what the company described as an “external intrusion”.

    The stolen information may also include payment-card data, purchase history, billing addresses, and security answers used to change passwords, Sony said on Tuesday. The company plans to keep the hacked system offline for the time being, and to restore services gradually. The advisory also applies to users of Sony’s related Qriocity network.

    Sony’s advisory means that the company was likely storing passwords, credit card numbers, expiration dates, and other sensitive information unencrypted on its servers. Sony didn’t say if its website complied with data-security standards established by the Payment Card Industry.

    Sony had already come under fire for a copyright lawsuit targeting customers who published instructions for unlocking the game console so it could run games and applications not officially sanctioned by the company. The criticism only grew after Sony lawyers sought detailed records belonging to hacker George Hotz, including the IP addresses of everyone who visited his jailbreaking website over a span of 26 months.

    Hackers howled with displeasure saying they should have a right to modify the hardware they legally own. Sony recently settled that case, but Hotz, whose hacker moniker is GeoHot, has remained highly critical of the company. Many have also objected to the removal of the so-called OtherOS, which allowed PlayStation 3 consoles to run Linux.

    Sony reminded users located in the US that they’re entitled to receive one credit report per year from each of the three major credit bureaus. The company didn’t offer to pay for any sort of credit monitoring service to help ensure the information it lost isn’t used in identity-theft ruses against its users.

    “When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password,” advises a letter that Sony is sending to its users.

    Of course, that suggestion assumes users continue to trust Sony to safeguard their information and stand behind assurances that the PlayStation Network is secure, and at the moment there’s little evidence to support that assumption.

    Credit: The Register

    More on CyberInsecure:
  • Gamers Accounts Hacked In Sony Playstation Store
  • PlayStation Network Investigates Intrusion, Down For Over 3 Days
  • Sony Attacked Again, 1 Million Users Compromised At SonyPictures.com
  • Sony Second Data Breach Exposes Over 24 Million Personal And Financial Records
  • Honda Suffers Data Breach, Personal Information Of 283,000 Customers Exposed

  • April 24th, 2011

    PlayStation Network Investigates Intrusion, Down For Over 3 Days

    Sony says the extended PlayStation Network (PSN) downtime is caused by an intrusion into its systems which has prompted a detailed investigation. The PlayStation Network is used by 70 million gamers, many of whom are currently infuriated after being locked out of the service for over three days.

    “An external intrusion on our system has affected our PlayStation Network and Qriocity services,” Patrick Seybold, Sony’s senior director of corporate communications & social media, announced. “In order to conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward, we turned off PlayStation Network & Qriocity services on the evening of Wednesday, April 20th,” he explained.

    It’s not clear who is responsible for the intrusion, but whatever they did must be serious enough to keep the service down for so long, especially now during the Easter break. When the PSN initially went offline, everyone directed their attention towards Anonymous, the hacktivist collective that attacked it in the past to protest Sony’s legal actions against geohot and other PS3 hackers.

    However, soon after launching the attacks the group suspended them, saying it doesn’t want to hurt players. The people inside Anonymous who coordinate these types of operations have now released a statement entitled “For Once We Didn’t Do It.”

    “While it could be the case that other Anons have acted by themselves AnonOps was not related to this incident and takes no responsibility for it,” they said.

    Nevertheless, Anonymous cannot be eliminated as a suspect, especially since a Facebook account associated with the movement is posting messages suggesting its involvement.

    “Take a break from online gaming for a while…..it will help your skills, your health, and your emotional levels, which by the way are a bit out of order if they are being shackled by the PSN being down. We have no qualms about our actions, even though it may affect fellow anonymous or supporters… we hope they understand the bigger picture,” one such message reads.

    Credit: Softpedia.com News

    More on CyberInsecure:
  • Sony PlayStation Network Breached, 77 Million Users Private Data Stolen
  • Gamers Accounts Hacked In Sony Playstation Store
  • Hackers Exploit Sony’s PlayStation Home
  • Sony Second Data Breach Exposes Over 24 Million Personal And Financial Records
  • Sony USA PlayStation Website SQL Injected And Redirects Visitors To Fake Anti-Virus Scam