Spyware, viruses, & security : NEWS - November 13, 2009

by Donna Buenaventura Moderator - 11/13/09 1:47 AM
Post 1 of 15

Nastygram: Beware the NACHA gotcha

Cyber thieves on Thursday began blasting out millions of e-mails impersonating NACHA - The Electronic Payments Association, a not-for-profit group that develops operating rules for organizations that handle electronic payments, from payroll direct deposits to online bill pay services.

The missives in this latest scam arrive with various subject lines, but all complain about an unauthorized, rejected or failed ACH transaction. Most regular Internet users probably will ignore this message, as few people probably even know what ACH stands for (ACH, or "automated clearing house" refers to the electronic network used by banks to process credit and debit transactions in batches). That's likely just fine with the attackers, who appear to be targeting bookkeepers at small to mid-sized companies -- people who actually recognize what a failed or rejected ACH transaction can mean for their business's bottom line and reputation.

http://voices.washingtonpost.com/securityfix/2009/11/in_the_past_few_weeks.html

Post 2 of 15

Twitter spam worm stealing user logons

by Donna Buenaventura Moderator - 11/13/09 1:53 AM In reply to: NEWS - November 13, 2009 by Donna Buenaventura Moderator

The popular social media service Twitter is being targeted by a new attack that tries to hijack user accounts to send spam via direct messages.

At first, the attack was thought to be the result of "phishing" or social engineering asking people to enter their username and password details into bogus sites masquerading as Twitter's website, possibly done by utilising a cross-scripting vulnerability.

However, New York-based PHP and application security specialist Chris Shiflett says that he strongly suspects there's a new variant of the Facebook worm Koobface at large, which searches for users' session ID cookies. These are set on users' computers when they tick the "Remember Me" box to stay logged onto Twitter.

While the exact scale of the attack isn't known, anecdotal evidence suggests many thousands of people have been affected and have had their accounts compromised.

http://www.stuff.co.nz/technology/digital-living/3061176/Twitter-spam-worm-stealing-user-logons

Post 3 of 15

Zbot head and shoulders high in October malware charts

by Donna Buenaventura Moderator - 11/13/09 1:57 AM In reply to: NEWS - November 13, 2009 by Donna Buenaventura Moderator

The October malware charts - just released by Sunbelt Software - show that the password-stealing trojan threat Trojan-Spy.Win32.Zbot.gen maintained the top spot on the list for the seventh straight month and is growing at an alarming rate.

According to the anti-malware and spyware specialist - which globally pools data from its CounterSpy and Vipre security software - the Zbot trojan accounted for 8.48% of all global malware threats in October, a month-on-month increase of more than 25% on the figures for September.

Michael St. Neitzel, Sunbelt's vice president of threat research, said the threat posed by the Zbot trojan shows no sign of abating due to its effective versatility in stealing cached passwords, login credentials and data in certificates and cookies.

http://www.infosecurity-magazine.com/view/5219/zbot-head-and-shoulders-high-in-october-malware-charts/

See also:
http://www.sunbeltsoftware.com/malware-threat-report/
http://www.sunbeltsoftware.com/Press/Releases/?id=316

Post 4 of 15

Twitter DM Spam Collects Mobile Numbers

by Donna Buenaventura Moderator - 11/13/09 2:07 AM In reply to: NEWS - November 13, 2009 by Donna Buenaventura Moderator

Cybercriminals are using compromised Twitter accounts to spam out information-gathering websites to unknowing users. The attack starts with compromised Twitter accounts. The accounts are used to send out Direct Messages to the followers of the users who own the compromised accounts.

The Direct Message-which is basically the Twitter counterpart of a private message-contains a link to what looks like an IQ test website. An IQ test may seem harmless but the last thing asked for in the test is no longer an answer but the respondent's mobile number. Though the real motive for this scheme is unclear, we believe that this was set up to gather mobile numbers from unknowing users to become potential targets for SMS spam or other mobile-related attack.

Users are strongly advised to refrain from clicking the links contained in similar Direct Messages that they may encounter even if the person who sent the DM is a known user. On the other hand, those users who think that their accounts may be one of those compromised should change their passwords as soon as possible.

More with screenshots in http://blog.trendmicro.com/twitter-dm-spam-collects-mobile-numbers/

Post 5 of 15

Pushdo/Cutwail Spambot - A Little Known BIG Problem

by Donna Buenaventura Moderator - 11/13/09 2:09 AM In reply to: NEWS - November 13, 2009 by Donna Buenaventura Moderator

From SANS ISC Handler's Diary:

Today was another one of those days that all ISPs dread. I am the Abuse Coordinator for a small Midwestern ISP. Several days ago we started receiving Spam Abuse reports on the IP address to our Corporate firewall. Unfortunately, the IP I discovered is blacklisted on several blacklists. I began to investigate what could be causing these reports of abuse. I reviewed the logs in the firewall and discovered that we had a couple of workstations doing some bad things. Our IT techs began to look at the computers (both of which had AV installed) and discovered that we had some pretty significant infections on these computers. Both machines were pulled offline, the data backed up and the machines were formatted and reloaded. We were pretty confident that we had solved the problem and breathed an, unfortunately premature, sigh of relief.

Yesterday we again started getting abuse reports so it was back to the drawing board for me. I started trying to get information on exactly what was being detected and what was causing these abuse reports. This investigation led me to MultiRBL.org. We were indeed listed on several blacklists again. As I began to look at the various blacklists looking for the answers it became apparent that we were dealing with a Trojan/Botnet called Cutwail Spambot aka Pushdo aka Pandex. The interesting thing is, I had never heard of it. So last night I began to research just what this Cutwail Spambot was. What I found out just blew me away.

Continue reading in http://isc.sans.org/diary.html?storyid=7576
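The diary above describes checking the firewall's public IP against several DNS blacklists through MultiRBL.org. As an added example (not from the ISC diary or from MultiRBL), here is how such a lookup works at the DNS level: the IPv4 octets are reversed and prefixed to the blacklist zone, and an A-record answer inside 127.0.0.0/8 means "listed". The zone names and the meaning of the individual return codes are assumptions taken from the operators' public documentation; the resolver is injectable so the logic can be exercised offline.

```python
"""DNSBL lookup for an IPv4 address, MultiRBL-style.  Added example, not
code from the ISC diary.  Zone names and return-code meanings below are
assumptions from the operators' public documentation; verify before use."""

import ipaddress
import socket

# Zones to consult.  Any answer inside 127.0.0.0/8 means "listed"; what the
# last octet means is zone-specific (assumed values, see lead-in).
ZONES = {
    "zen.spamhaus.org": {2: "SBL", 3: "SBL CSS", 4: "XBL", 5: "XBL",
                         6: "XBL", 7: "XBL", 10: "PBL", 11: "PBL"},
    "bl.spamcop.net": {2: "listed"},
}

LOOPBACK_NET = ipaddress.IPv4Network("127.0.0.0/8")


def rbl_query_name(ip, zone):
    """Reverse the octets of `ip` and append the zone:
    192.0.2.1 on zen.spamhaus.org -> 1.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return "%s.%s" % (reversed_octets, zone)


def interpret_answer(zone, answer):
    """Map an A-record answer (or None for NXDOMAIN) to a listing label."""
    if answer is None:
        return None  # NXDOMAIN: not listed
    a = ipaddress.IPv4Address(answer)
    if a not in LOOPBACK_NET:
        return None  # unexpected answer (e.g. wildcarded zone); treat as not listed
    code = int(str(a).split(".")[-1])
    return ZONES.get(zone, {}).get(code, "listed (code %d)" % code)


def default_resolver(name):
    """Real DNS lookup; only used when no fake resolver is supplied."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip, resolver=default_resolver, zones=ZONES):
    """Return {zone: label-or-None} for every configured blacklist."""
    results = {}
    for zone in zones:
        results[zone] = interpret_answer(zone, resolver(rbl_query_name(ip, zone)))
    return results


if __name__ == "__main__":
    import sys
    for zone, status in check_ip(sys.argv[1]).items():
        print("%-20s %s" % (zone, status or "not listed"))
```

Run it with the address to check as the only argument. Because the listing is decided purely from the answer's membership in 127.0.0.0/8, the same code works for any DNSBL; only the code-to-label table is zone-specific, and an unknown code still reports "listed" rather than being silently ignored.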

Post 6 of 15

Hotmail imposes tracking cookies for logout

by Donna Buenaventura Moderator - 11/13/09 2:23 AM In reply to: NEWS - November 13, 2009 by Donna Buenaventura Moderator

Hotmail users are now unable to log out of their account if the browser they are using does not accept third party cookies.

The move by Microsoft raises security concerns, particularly as PCs on corporate networks and in cybercafes and libraries are often set to reject cookies.

Third party cookies are most commonly used by advertising networks to track surfers across the web.

http://www.theregister.co.uk/2009/11/12/hotmail_cookies/

Nope. You don't have to enable third-party cookies to solve that sign-out issue. See http://msmvps.com/blogs/donna/archive/2009/11/08/people-having-issue-to-sign-out-their-windows-live-id-or-hotmail.aspx
Just add hotmail.com, live.com, passport.com in allowed cookies and you can logout already or just close the browser without allowing any cookies. ~ Donna

Post 7 of 15

Microsoft defends Hotmail's cookie requirement

by Donna Buenaventura Moderator - 11/13/09 8:04 AM In reply to: Hotmail imposes tracking cookies for logout by Donna Buenaventura Moderator

Microsoft has said its new policy of requiring users to accept third party cookies to log out of Hotmail improves security.

We reported the change, which was applied earlier this month, yesterday.

Some readers who contacted El Reg said it raises the risk that accounts will be compromised on public machines, while others who do not allow third party cookies simply found the error message when they tried to log out irritating.

Angus Logan, the product manager for Windows Live ID, told The Register the use of third party cookies has two benefits.

"We write our cookies to multiple domains to give users a good experience with single sign-on, so they can be authenticated to multiple sites (e.g. MSN, Xbox Live, Windows Live, Bing) at once without having to retype their password," he said.

"[It also] helps protect user security, by separating the authentication cookies that are used for different services. If a cookie in one domain is compromised, it means that user assets in another domain won't be compromised."

http://www.theregister.co.uk/2009/11/13/hotmail_cookies/

Post 8 of 15

New Flash Attack Has No Real 'Fix'

by Donna Buenaventura Moderator - 11/13/09 7:55 AM In reply to: NEWS - November 13, 2009 by Donna Buenaventura Moderator

Researchers show how Adobe Flash can be exploited in browsers when victim visits sites that accept user-generated content

Researchers have discovered a new attack that exploits the way browsers operate with Adobe Flash -- and there's no simple patch for it.

The attack can occur on Websites that accept user-generated content -- anything from Webmail to social networking sites. An attacker basically takes advantage of the fact that a Flash object can be loaded as content onto a site and then can execute malware from that site to infect and steal information from visitors who view that content by clicking it.

"Everyone is vulnerable to this, and there's nothing anyone can do to fix it by themselves," says Michael Murray, CSO for Foreground Security, which today posted demonstrations of such an attack against Gmail, SquirrelMail, and cPanel's File Manager. "We're hoping to get a message out to IT administrators and CIOs to start fixing their sites one at a time."

An attacker could upload malicious code via a Flash file attachment or an image, for instance, and infect any user that clicks on that item to view it. "If I can trick a system to let me upload anything, I can run code in any browser, and Adobe can't fix this," Murray says. "If I can upload a picture to a site and append it with Flash code to make it look like an image, once a user views that, the code executes and I can steal your cookies and credentials."

The only thing close to a "fix" is for the Website to move its user-generated content to a different server, according to Michael Bailey, the senior researcher for Foreground Security who discovered the attack.

http://www.darkreading.com/security/showArticle.jhtml?articleID=221700036

Post 9 of 15

Flash Origin Attack FAQ

by Donna Buenaventura Moderator - 11/13/09 10:54 AM In reply to: New Flash Attack Has No Real 'Fix' by Donna Buenaventura Moderator

Flash Origin Attack FAQ
* This is not a single issue
* This is not a cross-site scripting attack
* This attack abuses the user to attack the server
* Adobe does not intend to fix it

Read more about the above in http://www.foregroundsecurity.com/MyBlog/flash-origin-attack-faq.html
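The two posts above turn on one detail: Flash Player decides whether a file is a SWF from its first bytes, not from the filename or the Content-Type the site sends, so an upload filter that only checks extensions lets a renamed SWF through. As an added example (my own code, not Foreground Security's and not part of the original posts), here is a server-side check that sniffs uploads for the SWF magic (FWS, CWS, ZWS) and rejects "images" whose bytes are not an image at all. The sample blobs are constructed here and are not real malware; the function names are mine.

```python
"""Server-side sniffing of user uploads for Flash (SWF) content.
Added example; not Foreground Security's code and not part of the
original forum posts.  Flash Player recognises a SWF by its first
bytes, so the filter must look at the bytes, not the extension."""

import struct
import zlib

SWF_MAGIC = {b"FWS": "uncompressed", b"CWS": "zlib-compressed",
             b"ZWS": "lzma-compressed"}
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_swf(data):
    """Return SWF header details if `data` starts with a SWF header, else None."""
    if len(data) < 8 or data[:3] not in SWF_MAGIC:
        return None
    version = data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]  # uncompressed total length
    body_ok = True
    if data[:3] == b"CWS":
        # For a zlib-compressed SWF the body must inflate; if it does not,
        # it is still suspicious (we reject either way) but record the fact.
        try:
            zlib.decompressobj().decompress(data[8:])
        except zlib.error:
            body_ok = False
    return {"compression": SWF_MAGIC[data[:3]], "version": version,
            "declared_length": declared_len, "body_ok": body_ok}


def sniff_image(data):
    """Identify common raster formats by magic bytes, else None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def classify_upload(filename, data):
    """Accept/reject decision for one upload.  Anything Flash Player would
    run is rejected whatever it is called; an 'image' whose bytes are not
    an image is rejected too."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    swf = sniff_swf(data)
    if swf is not None:
        return ("reject", "SWF (%s, version %d) uploaded as .%s"
                % (swf["compression"], swf["version"], ext))
    kind = sniff_image(data)
    if ext in ("jpg", "jpeg", "png", "gif") and kind is None:
        return ("reject", "extension .%s but content is not a known image" % ext)
    return ("accept", kind or "unknown")


# Constructed samples (not real files from any site): a bare SWF header
# renamed to .jpg, a zlib-compressed SWF, and a minimal JPEG header.
SAMPLE_SWF_AS_JPG = b"FWS" + bytes([10]) + struct.pack("<I", 64) + b"\x00" * 56
SAMPLE_CWS = b"CWS" + bytes([9]) + struct.pack("<I", 48) + zlib.compress(b"\x00" * 40)
SAMPLE_BAD_CWS = b"CWS" + bytes([9]) + struct.pack("<I", 48) + b"garbage"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 20

if __name__ == "__main__":
    for name, blob in [("photo.jpg", SAMPLE_SWF_AS_JPG),
                       ("banner.gif", SAMPLE_CWS),
                       ("photo.jpg", SAMPLE_JPEG)]:
        print(name, classify_upload(name, blob))
```

This check is necessary but not sufficient: it only catches the one plugin format discussed here, which is why the mitigation named in the article, serving user-generated content from a different domain so that whatever does execute runs in an origin without the site's cookies, still applies.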

Post 10 of 15

Microsoft opens up Windows 7 to advertisers via downloadable

by Donna Buenaventura Moderator - 11/13/09 10:39 AM In reply to: NEWS - November 13, 2009 by Donna Buenaventura Moderator

The same way that it already allows advertisers to buy placement on various Microsoft sites and properties, Microsoft may allow them to extend their brands onto Windows 7. The ads aren't being foisted on Windows 7 users. Those who don't want the branded themes don't have to see them, as they're opt in.

Microsoft announced on November 13 that it has begun test pilots with a handful of advertisers for ads on Windows 7. The two "theme experiences" they are offering are known as the "Windows Theme Experience" and the "Windows Personalization Gallery." The trial is set to run through October 2010.

Advertisers participating in the pilot include Ducati, Infiniti, Porsche and Twentieth Century Fox, according to a Microsoft press release.

Via the Windows Theme Experience pilot, advertisers are going to be able to put their brand on Internet Explorer 8 add-ons; Windows 7 and Windows Vista gadgets; Windows 7 backgrounds and borders and Windows "audio elements." Via the Windows Personalization Gallery pilot, advertisers will be able to push their brands "throughout the operation of their Windows 7-based PC including backgrounds, slide shows, borders and application audio elements."

http://blogs.zdnet.com/microsoft/?p=4538

Expressing Brand Passion with Windows 7

Microsoft Advertising has unveiled two new exclusive branding opportunities available on Windows 7.

Microsoft is enabling global marketers to utilize the desktop or Internet browsing experience exclusively for their brand, with Windows Theme Experience and Windows Personalization Gallery. The announcement was made at the Monaco Media Forum in Monte Carlo.

Both of these Windows 7 theme experiences are being tested by a handful of brands as part of a pilot program that runs until October 2010. The themes allow new consumer engagement opportunities across Microsoft's unique product portfolio and let consumers connect with their favorite brands outside of traditional online advertising. The themes are opt in for consumers, who have the choice to download the branded themes they are most passionate about.

http://www.microsoft.com/presspass/press/2009/nov09/11-13windows7adspr.mspx

Post 11 of 15

iPhone worm hacker gets death threats, job offers

by Donna Buenaventura Moderator - 11/13/09 10:43 AM In reply to: NEWS - November 13, 2009 by Donna Buenaventura Moderator

The creator of the rickrolling iPhone worm has spoken of possible job offers and death threats since the release of the Jesus Phone malware last weekend.

Ashley Towns, 21, from Wollongong, New South Wales, Australia, told local media he received both threats and offers of possible work a day after he was identified as the creator of what's been described as the first strain of iPhone malware. The malicious code created by Towns changed the wallpaper of jailbroken iPhone devices it infected to a picture of cheesy '80s pop star Rick Astley.

Jailbroken phones have been modified so that they are capable of running non-Apple approved applications. Only users on the Optus network in Australia with jailbroken iPhones and SSH installed were hit by the so-called ikee worm created by Towns. Even so, scores or perhaps hundreds were affected.

Towns describes this as an "experiment" that got out of hand: "I didn't really think about legal consequences at the time. I honestly never expected it to go this far."

http://www.theregister.co.uk/2009/11/13/ikee_worm_vxer_speaks/

Post 12 of 15

Microsoft Cracks Down On Piracy With Twitter Feed

by Donna Buenaventura Moderator - 11/13/09 10:57 AM In reply to: NEWS - November 13, 2009 by Donna Buenaventura Moderator

Microsoft has launched a dedicated Twitter feed for its anti-piracy enforcement team in an attempt to curb unauthorised file-sharing

Microsoft's Anti-Piracy Enforcement Team now has a Twitter feed.

The feed, which began on 3 November with a link to a Microsoft page describing how to tell whether a piece of software has been pirated, has only four tweets but is expected to expand. A Microsoft spokesperson described the Twitter handle as a way for the company "to connect with the public on the issues of pirated and counterfeit software."

http://www.eweekeurope.co.uk/news/microsoft-cracks-down-on-piracy-with-twitter-feed-2442

Post 13 of 15

Email from Vodafone or Verizon about an over limit credit balance? Beware!

by Donna Buenaventura Moderator - 11/13/09 11:06 AM In reply to: NEWS - November 13, 2009 by Donna Buenaventura Moderator

Email users around the world are finding messages in their inbox today claiming to come from mobile phone operator Vodafone.

The emails, which have the subject line "Your credit balance is over its limit" and claim to come from no-reply@vodafone.co.uk, are not really from Vodafone at all and try to trick unsuspecting users into opening a dangerous attached file which poses as the "Vodafone Balance Checker Tool".

The body of the malicious emails reads as follows:

Dear Vodafone customer,
Your credit balance is over its limit. Please use the attached Vodafone Balance Checker Tool to review and analyze your payments.

Yours sincerely,
Vodafone Customer Services


Sophos detects the contents of the attached file (balancechecker.zip) as Mal/EncPk-LE.

There is a danger that unsuspecting mobile phone owners might fall for the trap, perhaps convinced by the use of Vodafone's logo which is embedded in the email, and launch the file attachment, thus infecting their computers.

More in http://www.sophos.com/blogs/gc/g/2009/11/13/email-vodafone-limit-credit-balance-beware/

Post 14 of 15

Conficker patch via email?

by Carol~ Moderator - 11/13/09 12:21 PM In reply to: NEWS - November 13, 2009 by Donna Buenaventura Moderator

(Similar happening (and posting) last month)

Published: 2009-11-13,
Last Updated: 2009-11-13 18:29:53 UTC
by Adrien de Beaupre (Version: 1)

Microsoft does not send patches, updates, anti-virus, or anti-spyware via email (hopefully ever). The following ended up in my inbox this aft.

"Dear Microsoft Customer,

Starting 12/11/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division"


Attachment is 3YMH6JJY.zip application/zip 45.82 KB and detection at Virustotal is so-so: https://www.virustotal.com/analisis/5d8caa7c9baaed6242e3842e0dafea5056f41d9c99732f0fd2961bedff647ae5-1258134283

Continued here: http://isc.sans.org/diary.html?storyid=7591
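The Vodafone "Balance Checker Tool" and the fake Conficker patch above share one shape: a brand-impersonating From address, an urgent pretext, and a zip attachment carrying an executable. As an added example (my own code, not from Sophos or the ISC diary), here is a small triage routine that parses a message, opens any zip attachment in memory, and flags executables inside it, along with a From/Return-Path domain mismatch. The sample message is constructed in the block with a harmless placeholder "executable"; it is not a captured copy of either campaign.

```python
"""Triage an e-mail for an executable hidden in a zip attachment, the
pattern of the Vodafone and fake-Conficker lures.  Added example; the
message is constructed here, not captured from either campaign."""

import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


def build_sample_eml():
    """Constructed lure: spoofed sender, urgent subject, zip holding an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("balancechecker.exe", b"MZ" + b"\x00" * 30)  # placeholder, not a program
    msg = EmailMessage()
    msg["From"] = "no-reply@vodafone.co.uk"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your credit balance is over its limit"
    msg["Return-Path"] = "<bounce@mail-relay.example.net>"  # hypothetical relay
    msg.set_content("Please use the attached Vodafone Balance Checker Tool.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="balancechecker.zip")
    return msg.as_bytes()


def _domain(header_value):
    """Crude domain extraction from an address header ('Name <a@b>' or 'a@b')."""
    return str(header_value).rsplit("@", 1)[-1].strip(">").strip().lower()


def triage(raw):
    """Return a list of (severity, reason) findings for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    from_domain = _domain(msg.get("From", ""))
    rp_domain = _domain(msg.get("Return-Path", ""))
    if rp_domain and from_domain and rp_domain != from_domain:
        findings.append(("medium", "Return-Path domain %s differs from From domain %s"
                         % (rp_domain, from_domain)))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_content()
        if isinstance(payload, str):
            payload = payload.encode()
        if name.endswith(".zip") or payload[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if member.lower().endswith(EXECUTABLE_EXTS):
                            findings.append(("high", "zip %s contains executable %s"
                                             % (name, member)))
            except zipfile.BadZipFile:
                findings.append(("medium", "attachment %s claims zip but is not one" % name))
        elif name.endswith(EXECUTABLE_EXTS):
            findings.append(("high", "bare executable attachment %s" % name))
    return findings


if __name__ == "__main__":
    for severity, reason in triage(build_sample_eml()):
        print(severity.upper(), reason)
```

The zip check deliberately looks at the bytes (the `PK` signature) as well as the filename, since the attachment name is under the sender's control; a real mail gateway would add the antivirus verdict on the extracted member, which is exactly where the diary notes detection was "so-so" at the time.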

Post 15 of 15

IObit apologized to Malwarebytes.org

by Donna Buenaventura Moderator - 11/13/09 6:03 PM In reply to: NEWS - November 13, 2009 by Donna Buenaventura Moderator

IObit made another declaration (statement) regarding the issue that they currently have with Malwarebytes.org.

From their blog:

We have received a large amount of feedback and many suggestions from Internet users since IObit Security 360 v1.0 was released on September 7, 2009. And we also paid special attention to questions regarding the old database of IObit Security 360 among the feedback. Due to the serious flaws and defects of our sample submission system and management, the old database includes malware names from non-IObit data sources. We are willing to face all of the problems and take responsibility for the disputes.
We have apologized for all the inconvenience, meanwhile, we have taken immediate actions to remove all disputed data and updated the whole database online on November 3. We also have finished the second complete update of IObit Security 360 on Sunday (2009-11-08, at noon) since it was formally released - IObit Security 360 v1.20.

The existing database is collected from hundreds of thousands of malware samples in abundant database accumulated by IObit within 5 years. We welcome more useful feedback and strict supervision for the updated version of IObit Security 360 from users and other vendors. Eventually, IObit would like to work with all anti-malware vendors, to enhance the overall evolution of malware detection and removal, make breakthrough in software functions, and work constantly to provide users with more and better user experience by contributing a long-term, practical and substantive work.


http://blog.iobit.com/archives/122.html
