Spyware, viruses, & security forum: NEWS - June 27, 2012

The Blackhole exploit kit has been extensively covered by Symantec for some time. As a brief reminder, like other exploit kits such as Phoenix, people using Blackhole compromise a legitimate site, inserting malicious and highly obfuscated JavaScript code into the site's main page. To evade detection and avoid attracting suspicion, the rest of the page (and indeed site) is left untouched.

When an innocent user browses to a Blackhole-infected site, their browser runs the JavaScript code, which typically creates a hidden iframe, which silently exploits vulnerable browser plug-ins and drops any malware and exploits onto a users system. It typically targets vulnerable Java, Adobe Flash Player, Adobe Reader, Windows Help Center, and other applications. These attacks are often called drive-by downloads.

Although this approach has generally been very successful for malware authors, it has had one weakness. If the location or URL for the iframe, which actually contains the malicious code, changes or is taken down, all of the compromised sites will have to be updated to point to this new location. This process is difficult and impractical.

Continued : http://www.symantec.com/connect/blogs/blackhole-exploit-kit-gets-upgrade-pseudo-random-domains

Related: BlackHole exploit kit experimenting with 'pseudo-random domains' feature

A La Carte: Criminals Charging Per Feature for Custom Webinjects

From the Trusteer Blog:

Over the past several months, Trusteer has written about the evolving underground market for webinjects. Our researchers recently discovered a new development -- criminals are now selling customized webinjects that are priced per feature. For example, one seller offers a webinject for Zeus/SpyEye that contains the automatic transfer system (ATS) that was reported by Trend Micro researchers last week.

In our earlier posts we discussed the various approaches criminals have taken for selling Webinjects. Initially, they used malware-based pricing. In this model, webinjects were developed for specific malware platforms such as Zeus and SpyEye, and priced per platform. Certain platforms commanded a higher price for webinjects.

This pricing system was followed with bulk pricing, where criminals offered discounts for large orders, as well as geography-based pricing, where webinjects costs were determined by the geographic location of the target they were designed to attack. That was followed by production cost pricing, where sellers offered cheaper pre-made Webinjects and charged a premium for custom-based webinjects.

Continued : http://www.trusteer.com/blog/la-carte-criminals-charging-feature-custom-webinjects

There's a fake Delta airlines email in circulation at the moment which comes with a zip attached, named "Ticket_Delta_Airlines_IN2139.zip" [Screenshot]

The text reads:

' Hello, E-TICKET / EH065894335
SEAT / 77E/ZONE 2
DATE / TIME 20 JUNE, 2012, 09:55 AM
ARRIVING / Virginia Beach
FORM OF PAYMENT / CC
TOTAL PRICE / 276.42 USD
REF / EF.5709 ST / OK
BAG / 4PC

Your bought ticket is attached to the letter as a scan document. You can print your ticket. Thank you for using our airline company services. Delta Air Lines.'

The zip contains an assortment of nasties - running the executable inside would infect it with Sirefef and (after 15 to 30 minutes or a reboot) the WinWebSecurity: Live Security Rogue, which is - as you can see below - a piece of Fake AV.

Continued : http://www.gfi.com/blog/fake-delta-email-leads-to-sirefef-fake-av/

Google has closed a total of 23 vulnerabilities with the release of Chrome 20. Of those vulnerabilities, 14 are rated critical, enabling attackers to execute code in the browser's sandbox, among other things. Integer overflow vulnerabilities in the code for processing PDF files and Matroska containers (.mkv) have also been fixed. Chrome 20 also includes the latest version of Adobe's Flash Player on Linux, using the new cross-platform Pepper API. In testing at The H, it was confirmed that the Flash Player support also works on 64-bit Linux systems.

Google has also embedded the "Chrome to Mobile" feature that was previously available as an extension; if the Google account that is registered with Chrome is also linked with an Android phone, the current web page can be forwarded to the smartphone by clicking on the mobile phone symbol in the address bar. This feature only works with a phone running the beta of Chrome for Android, which requires Android 4.0 or higher.

Chrome usually updates automatically in the background. Users can find out whether the current version has already been installed by clicking on the wrench icon and selecting "About Google Chrome". If required, a manual update can be triggered this way.

http://www.h-online.com/security/news/item/Chrome-20-closes-23-security-holes-1627112.html

A couple of days ago a read about a new amendment to copyright laws passed in Japan last week.

The amendment addresses illegal downloads of pirated material establishing extremely severe penalties for the violators.

The law comes into effect in October, and it establishes that those people who download pirated material such as DVDs and Blu-Ray discs may be fined an amount as high as $25,000 and could be sentenced with two years in prison.

The Japanese Government has declared war on piracy and illegal downloads, the new amendment makes downloading truly punishable, and it's first time that the country decided on such severe penalties.

According the data provided by the Recording Industry of Japan (RIAJ) there were around 440 million legal music downloads, and around 4400 illegal ones.

In Japan, the amendment has provoked a heated debate. The political opposition, while agreeing on the need to protect copyrights, does not share enthusiasm for the law passing.

Today I've noted several tweets of Anonymous cells invoking the #opJapan hashtag to respond to the approval of the law.

Continued : http://www.infosecisland.com/blogview/21763-OpJapan-Anonymous-vs-Japan-and-its-War-on-Piracy.html