Spyware, viruses, & security forum: NEWS - May 04, 2012

Security researchers from StopMalvertising have spotted a rogue Firefox extension, capable of hijacking browser sessions and posting content on Facebook. [Screenshot]

The rogue extension is currently distributed across multiple adult web sites, and across Facebook, attempting to trick users into thinking that they're running an outdated version of their Adobe Flash Player.

What happens one the user installs the bogus extension?

' The internet user will visit additional websites in the background with the viral add-on installed, possibly participate in click-fraud and expose themselves to malware while surfing on those unwanted sites.Furthermore, when logged in on Facebook, the victim will spam a viral video to their friends, spreading the Trojan clicker even more.

When visiting Google for example, the script will fetch additional web pages in the background which may lead to malware. The page at footprintsit.com contains a list of URL's to visit. The URL also contains an affiliate ID / Name ... Foreste. This is the criminal who will earn money from your surfing.'

If the affected user is logged into Facebook, the rogue extension will distribute a viral video with the title "Kristen Stewart Was Taped Drunk & Having S#x!", in an attempt to trick even more people into downloading and installing the bogus extension. Affected Facebook users will be served a bogus Facebook landing page, prompting them to install Flash_Player_11.exe.

Continued : http://www.zdnet.com/blog/security/rogue-firefox-extension-hijacks-browser-sessions/11856

The updates to PHP versions 5.3.12 and 5.4.2 released on Thursday do not fully resolve the vulnerability that was accidentally disclosed on Reddit, according to the discoverer of the flaw. The bug in the way CGI and PHP interact with each other leads to a situation where attackers can execute code on affected servers. The issue remained undiscovered for eight years.

The best protection at present is offered by setting up filter rules on the web server. However, the RewriteRule workaround described on PHP.net is also, according to security expert Christopher Kunz, inadequate. He suggests a slightly modified form of the rule as an alternative.

Because the PHP interpreter for CGI does not comply with the specifications laid out in the CGI standard, URL parameters can, under certain circumstances, be passed to PHP as command line arguments. Servers which run PHP in CGI mode are affected; FastCGI PHP installations are not...

Continued : http://www.h-online.com/security/news/item/PHP-patch-quick-but-inadequate-1568454.html

Related: Serious Remote PHP Bug Accidentally Disclosed

See Vulnerabilities & Fixes: PHP PHP-CGI QUERY_STRING Parameter Vulnerability

Adobe has shipped an extremely urgent Flash Player patch to block in-the-wild malware attacks against Windows users.

Adobe described the attacks as "targeted" and warned that malicious Flash files are being delivered in e-mail messages.

Although the vulnerability affects Flash Player on all platforms, the malware attacks target Flash Player on Internet Explorer for Windows only.

According to Adobe's advisory, the patch is available for Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x.

"These updates address an object confusion vulnerability (CVE-2012-0779) that could cause the application to crash and potentially allow an attacker to take control of the affected system," Adobe said.

There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only.

Windows users should treat this update with the utmost priority, Adobe said.

http://www.zdnet.com/blog/security/adobe-warns-flash-player-malware-hitting-ie-on-windows-users/11893

Also:
Adobe Releases Patch for Flash Bug Being Used in Targeted Attacks
Adobe Flash Player update closes critical object confusion hole

See : Security Update Available for Adobe Flash Player (APSB12-09)

From F-Secure Antivirus Research Weblog:

Syria has been the center of much international attention lately. There's unrest in the country and the authoritarian government is using brutal tactics against dissidents. These tactics include using technology surveillance, trojans and backdoors.

Some time ago we received a hard drive via a contact. The drive had an image of the system of a Syrian activist who had been targeted by the local authorities.

The activist's system had become infected as a result of a Skype chat. The chat request came from a fellow activist. The problem was that the fellow activist had already been arrested and could not have started the chat.

Initial infection occurred when the activist accepted a file called MACAddressChanger.exe over the chat. This utility was supposed to change the hardware MAC address of the system in order to bypass some monitoring tools. Instead, it dropped a file called silvia.exe which was a backdoor — a backdoor called "Xtreme RAT".

Xtreme Rat is a full-blown malicious Remote Access Tool.

Sold for 100 euro (Paypal) via a page hosted at Google Sites: https:/ /sites.google.com/site/nxtremerat [Screenshot]

We have reasons to believe this infection wasn't just bad luck. We believe the activist's computer was specifically targeted. In any case, the backdoor calls home to the IP address 216.6.0.28. This IP block belongs to Syrian Arab Republic — STE (syrian Telecommunications Establishment).

Continued : http://www.f-secure.com/weblog/archives/00002356.html

Related:
Syrian regime uses Skype to fire Trojan at opposition activists
Syria pushing malware via Skype to spy on activists

A new product from TrustSphere is tackling the problem of email incorrectly flagged as spam, an irritating and potentially costly error for businesses.

The product, called TrustVault, analyzes the communication between the sender and recipient of an email over a few weeks, looking at how many messages are sent, how often in a day and how quickly.

TrustVault builds a kind of social graph between senders and receivers, and can overrule spam filters that might normally flag a message as suspicious when it isn't. It doesn't look at an email's content.

"When we see an email from a known trusted sender that is blocked, we are able to release it from quarantine or prevent it from going into quarantine if it [the product] is configured that way," said Manish Goel, TrustSphere's CEO.

Estimates of the percentage of messages incorrectly labeled as spam vary wildly. Goel said a typical figure cited is 3.5 false positives per million emails, but he said TrustSphere has audited companies that have a much higher error rate.

Continued : http://www.pcworld.com/businesscenter/article/255030/email_product_looks_to_reduce_spam_false_positives.html

"CNET learns the FBI is quietly pushing its plan to force surveillance backdoors on social networks, VoIP, and Web e-mail providers, and is asking Internet companies not to oppose a law making those backdoors mandatory."

The FBI is asking Internet companies not to oppose a controversial proposal that would require the firms, including Microsoft, Facebook, Yahoo, and Google, to build in backdoors for government surveillance.

In meetings with industry representatives, the White House, and U.S. senators, senior FBI officials argue the dramatic shift in communication from the telephone system to the Internet has made it far more difficult for agents to wiretap Americans suspected of illegal activities, CNET has learned.

The FBI general counsel's office has drafted a proposed law that the bureau claims is the best solution: requiring that social-networking Web sites and providers of VoIP, instant messaging, and Web e-mail alter their code to ensure their products are wiretap-friendly.

"If you create a service, product, or app that allows a user to communicate, you get the privilege of adding that extra coding," an industry representative who has reviewed the FBI's draft legislation told CNET. The requirements apply only if a threshold of a certain number of users is exceeded, according to a second industry representative briefed on it.

Continued : http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wiretap-ready-web-sites-now/

Microsoft says it will ship seven security updates next week, three critical, to patch 23 bugs in Windows, Office, and its Silverlight and .Net development platforms.

The number of patches -- nearly two dozen -- is higher than usual for an odd-numbered month; for some time, Microsoft has used an even-odd schedule, patching more vulnerabilities in the even months, when it also regularly updates Internet Explorer.

"May has been a light month, historically, very light," said Andrew Storms, director of security operations at nCircle Security, who tracks the number of patches and updates Microsoft issues each month.

In May 2011, Microsoft shipped two update that patched three vulnerabilities. The year before, it delivered two updates that patched two bugs.

"So, this is a big number," said Storms.

The pace so far this year -- Microsoft's collections during the first five months have included seven, nine, six, six, and seven updates -- puts to rest the idea that Microsoft still hews to a wave-and-trough practice.

Continued : http://www.pcworld.com/businesscenter/article/255046/brace_for_big_batch_of_microsoft_patches.html