Cybercrooks Target File-Sharing Networks

This year is on its way out and seemingly cybercriminals are also planning their year ahead. Secure content management solutions developer Kaspersky Lab has outlined the threats it expects to see in 2010 as a result of cybercriminal activity.

Kaspersky Lab was expecting a rise in the number of global epidemics in 2009 but this year was marked by sophisticated malicious programs with rootkit functionality. Corporates and individuals struggled with the Kido worm (Conficker), Web attacks and botnets. An increase in the cases of SMS fraud and attacks on social networks was also experienced.

Continue reading in http://www.pcworld.com/article/185177/cybercrooks_target_file_sharing_networks.html

New Year 2010… CoU upgraded to new version of Discussion Board Software

A few more days… it’ll be Christmas Day.  Have a great Christmas, everyone, and I wish you all the best for the New Year!

Calendarofupdates.com was offline for many hours because my fellow admin, Peter (aka ColdinCbus – thanks, Peter!), upgraded to a newer version of the Invision Power Board software.  That’s a new look for many of us, and I am liking it.  It’s just in time for a new year’s new look of the forum!  

Brittany Murphy SEO

From F-Secure Blog:

Just a quick note – the sudden death of Hollywood celebrity Brittany Murphy last Sunday (BBC report here) has prompted a spike in searches on the subject – and of course, an SEO attack.

Users who click on a poisoned search result link will be redirected to a website that will display a scare message trying to panic users into downloading rogue AV software.

Screenshot and more info in http://www.f-secure.com/weblog/archives/00001842.html

See also Websense Alert:  http://securitylabs.websense.com/content/Alerts/3514.aspx

Brittany Murphy’s Death SEO Poisoning
Date:12.21.2009
Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ ThreatSeeker™ Network has discovered that Google top searches on "Brittany Murphy death" will return rogue AV Web sites. The Hollywood actress died suddenly during the weekend. Users will be redirected to malicious domains if they click the matches with a referrer from search engines like Google. The malicious domains try everything to convince people that they are real AV software Web sites, so that users download and execute the fake software offered. There are now a lot of variants available, typically named install.exe, and at the moment it seems they haven’t attracted much attention from AV companies.

Christmas Bo(g)us

From Sophos Blog:

Well, it didn’t take long for the Christmas E-Card scams to start.

Recently we have seen email messages pretending to be from Hallmark, suggesting that you have received an E-card from a friend. The complete email message looks like this:

You have recieved a Hallmark E-Card from your friend.
To see it, check the link below:
http://www. hallmark. com/webapp/wcs/stores/Occasion/ChristmasE-Cards
There’s something special about that E-Card feeling. We invite you to make a friend’s day and send one.
Hope to see you soon, Your friends at Hallmark

Note that the link looks like it’s from Hallmark, but it’s fake. If you hover your mouse over the link and look at your browser’s status bar, the real link shows up (which in this case is http://www. <hidden>. com/_themes/Christmas.exe). This piece of malware is detected by us as Troj/VBInject-S.

http://www.sophos.com/blogs/sophoslabs/?p=8039
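The hover check Sophos describes can be done mechanically over a whole HTML message: extract every anchor, compare the host named in the visible text with the host the href actually points to, and flag targets that are executables. The following is an added example by the editor, not code from the Sophos post; the sample message is constructed from the lure quoted above, with a reserved example domain standing in for the host Sophos redacted.

```python
"""Automate the hover check from the Sophos post: for every link in an
HTML message, compare the host the visible text shows with the host the
href really points to, and flag hrefs that download executables."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Constructed sample modelled on the lure quoted above. The real hidden
# host was redacted by Sophos, so a reserved example domain stands in.
SAMPLE_HTML = """
<p>You have recieved a Hallmark E-Card from your friend.</p>
<p>To see it, check the link below:<br>
<a href="http://www.example.net/_themes/Christmas.exe">http://www.hallmark.com/webapp/wcs/stores/Occasion/ChristmasE-Cards</a></p>
<p>Hope to see you soon, <a href="http://www.hallmark.com/">www.hallmark.com</a></p>
"""

# File types that should never be the target of an e-card link.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def displayed_host(text):
    """Host named by anchor text that looks like a URL or bare domain, else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    if host and "." in host and " " not in text:
        return host.lower()
    return None


def audit_links(html):
    """Return [(href, [reasons])] for links whose text and target disagree
    or whose target is an executable."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        target_host = (target.hostname or "").lower()
        reasons = []
        shown = displayed_host(text)
        if shown and shown != target_host:
            reasons.append(f"text shows {shown} but href goes to {target_host}")
        if posixpath.splitext(target.path)[1].lower() in EXECUTABLE_SUFFIXES:
            reasons.append(f"href downloads an executable ({posixpath.basename(target.path)})")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_HTML):
        print(href)
        for r in reasons:
            print("   -", r)
```

The host comparison is deliberately strict (www.hallmark.com and hallmark.com are treated as different); in a mail gateway you would normally relax it to the registrable domain and keep the executable-suffix rule as a hard block.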

UK retail Wi-Fi security still patchy

Wi-Fi security in UK retail environments is improving, but shops remain vulnerable to the sorts of attacks carried out as part of the infamous TJX credit card heist.

The cybercrooks, who lifted more than 21 million credit card records, leapfrogged onto the retailer’s credit card database after first breaking into the wireless network of a regional store, a subsequent investigation ahead of upcoming US trials revealed. The incident ought to have acted as a wake-up call to retailers worldwide, but progress has been a little slow.

A Wi-Fi war walk, passively detecting Wi-Fi networks in popular shopping areas around Oxford Circus last week, revealed numerous problems.

Data was collected over a one hour period on 16 December using security scanning tools from Motorola AirDefense. No networks or devices were actively compromised during the exercise.

More in http://www.theregister.co.uk/2009/12/21/west_end_wardrive/

Kaspersky Lab announces publication of an article entitled "The botnet ecosystem"

Kaspersky Lab, a leading developer of secure content management solutions, announces the publication of the analytical article “The botnet ecosystem” by Vitaly Kamluk, Director of Kaspersky Lab’s EEMEA Research Center. The article sheds light on the nature of the cybercrime business and, in particular, the botnets at its core.

The author analyzes the components which make up the cybercrime business, how they interact with each other and with the outside world. The article describes the roles played by those who supply services to botnet owners, those who buy botnet services and the botnets themselves that link these activities. Botnets are at the center of the cybercriminal business, facilitating a continuous flow of money between cybercriminals. […]

The full version of the article is available at www.viruslist.com/en. A summary of the article can be found at www.kaspersky.com.

http://www.kaspersky.com/news?id=207575988

Twitter Hacked, Defaced By "Iranian Cyber Army"

From Techcrunch:

We’ve received multiple tips right around 10 pm that Twitter was hacked and defaced with the message below. The site is currently offline. We’re looking into this and waiting on a response from Twitter.

The message reads:

Iranian Cyber Army

THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY

iRANiAN.CYBER.ARMY@GMAIL.COM

U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….

NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST
Take Care.

Update: – We have just found out that the same defacement is appearing at at least one other site, mawjcamp.org. We are not able to see what was at this domain before, but it is now displaying the same defacement that Twitter was only a few minutes ago.
Twitter does not have the best record with security issues.
Update 2.: Twitter.com is down, status.twitter.com is down (not useful, perhaps they should host it at blogger).
Update 3.: It is suggested that if you use the same password on your Twitter account with other accounts, now would be a good time to change your password on those other accounts.
Update 4.: There is a history between Iran and Twitter.
Update 5.: There is speculation at the moment that this may be a DNS redirect, which means that the Twitter.com domain has been redirected to the defacement page.

Complete and for updates, go to http://www.techcrunch.com/2009/12/17/twitter-reportedly-hacked-by-iranian-cyber-army/

From Twitter status:

Working on site outage 1 hour ago

We are working to recover from an unplanned downtime and will update more as we learn the cause of this outage.

Update (11:28p): Twitter’s DNS records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon.
Known issues: timeline delays and missing tweets. Retweet back up. 14 hours ago

We are aware of and investigating the causes of timeline delays and missing tweets. Retweet is back up and fully functional.


Dec 14th  Mon
SMS service temporarily unavailable, we are working on the problem 3 days ago

Posting tweets via SMS is currently unavailable. Some tweets are also not being delivered via text (the outbound service). We are actively working on the underlying cause of both problems and hope to restore service soon.

Update (12/14 6:30pm). The issue has been resolved.

http://status.twitter.com/

From Twitter Blog:

DNS Disruption
As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.

http://blog.twitter.com/2009/12/dns-disruption.html

Twitter (not) hacked by Iranian Cyber Army

The initial attack has left many users confused and led to a widespread belief that the Twitter servers themselves were compromised. This does not appear to have been the case. The latest update on the Twitter blog says

"As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully."

This kind of DNS hijacking usually involves compromising the registrar responsible for the DNS records of the victim company; the attackers then make unauthorised changes to the DNS records. These changes mean that when you or I type a web site address into our browsers, we are directed not to the real web site but to a second site, set up by the hackers, in this case the “Iranian Cyber Army”. This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case.

These sorts of attacks are usually limited to hacktivism activities like this one today, but imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook. One has to wonder how quickly the attack would be noted if the dummy site was an exact replica of the victim and was simply there to harvest credentials and redirect the user then into the real site. This attack is called Pharming and currently mostly happens as a result of local malware modifying individual PCs, not through the compromise of global DNS records, but the potential is demonstrably there. Companies should be monitoring their DNS resolution on several servers to become aware as early as possible when this kind of attack takes place.

http://countermeasures.trendmicro.eu/twitter-not-hacked-by-iranian-cyber-army/
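The monitoring Trend Micro recommends in the last paragraph is straightforward to build: query several independent resolvers for the zone's NS and A records and compare the answers with the baseline recorded at the registrar. The point of using more than one resolver is that the pattern of disagreement tells you what kind of incident you have: one resolver out of step suggests cache poisoning at that resolver, while every resolver agreeing on a new value means the change happened at the source (a registrar or zone compromise, or an unannounced legitimate change). The following is an added example by the editor, not from the Trend Micro post; the baseline, resolver list and "observed" answers are constructed (reserved example names and addresses, not Twitter's real records), and the live `dig` wrapper is shown but not exercised by the offline demo.

```python
"""Watch a domain's delegation and address records from several
independent resolvers and compare them with a known-good baseline, the
monitoring Trend Micro recommends above."""
import subprocess

# Known-good records as the operator recorded them at the registrar.
# Constructed values (reserved example names and addresses), not Twitter's.
BASELINE = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "A": {"192.0.2.10", "192.0.2.11"},
}

# Resolvers to query in live use: the operator's own plus independent public
# ones, so one poisoned or captive resolver cannot skew the picture.
RESOLVERS = ["127.0.0.1", "8.8.8.8", "1.1.1.1"]


def parse_dig_short(output):
    """Turn `dig +short` output into a normalised set of answers."""
    return {line.strip().lower() for line in output.splitlines()
            if line.strip() and not line.startswith(";")}


def dig_short(name, rtype, resolver, timeout=5):
    """Live query of one resolver (needs the dig binary; not used by the offline demo)."""
    proc = subprocess.run(
        ["dig", "+short", f"+time={timeout}", f"@{resolver}", name, rtype],
        capture_output=True, text=True, timeout=timeout + 2)
    return parse_dig_short(proc.stdout)


def collect(name, resolvers=RESOLVERS, query=dig_short):
    """{resolver: {rtype: answers}} for the record types in BASELINE."""
    return {r: {rtype: query(name, rtype, r) for rtype in BASELINE} for r in resolvers}


def assess(baseline, observations):
    """Compare each resolver's answers with the baseline.

    Returns (alerts, verdict). verdict is one of:
      "ok"             every resolver agrees with the baseline
      "partial"        some resolvers diverge: cache poisoning at those
                       resolvers, or a change still propagating through TTLs
      "authoritative"  every resolver diverges: the records were changed at
                       the source (registrar/zone compromise, or an
                       unannounced legitimate change)
    """
    alerts = []
    diverging = set()
    for resolver, records in observations.items():
        for rtype, expected in baseline.items():
            got = records.get(rtype, set())
            if not got:
                alerts.append(f"{resolver}: no {rtype} answer (outage or filtering)")
                diverging.add(resolver)
                continue
            unexpected = got - expected
            if unexpected:
                alerts.append(f"{resolver}: unexpected {rtype} {sorted(unexpected)}")
                diverging.add(resolver)
    if not diverging:
        verdict = "ok"
    elif diverging == set(observations):
        verdict = "authoritative"
    else:
        verdict = "partial"
    return alerts, verdict


# Constructed snapshot of a hijack mid-propagation: two resolvers already
# return the attacker's delegation and address, one still serves the cached
# good records.
SAMPLE_OBSERVATIONS = {
    "127.0.0.1": {"NS": {"ns1.attacker-dns.example.", "ns2.attacker-dns.example."},
                  "A": {"203.0.113.5"}},
    "8.8.8.8": {"NS": {"ns1.attacker-dns.example.", "ns2.attacker-dns.example."},
                "A": {"203.0.113.5"}},
    "1.1.1.1": {"NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
                "A": {"192.0.2.10", "192.0.2.11"}},
}

if __name__ == "__main__":
    alerts, verdict = assess(BASELINE, SAMPLE_OBSERVATIONS)
    print("verdict:", verdict)
    for a in alerts:
        print("  ", a)
```

Run from cron, `assess(BASELINE, collect("example.com"))` with a short interval gives the early warning the post asks for. Checking NS as well as A matters: a registrar-level change shows up first as a new delegation, and an attacker who keeps the victim's A records but swaps the name servers would pass an A-only check.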

Computer virus cripples Waikato DHB

Waikato District Health Board has been crippled by a computer worm which has seen every PC in the organisation shut down.  While the main hospital in Hamilton and smaller outlying hospitals were continuing to function, spokeswoman Mary-Ann Gill said it was important people only came for treatment if it was absolutely necessary.

Emergency care was still available but those arriving for routine appointments were being affected, as were GPs who often made referrals to hospitals via email.  "We are asking GPs to only make urgent referrals," she said.  "We need to keep as many people out of hospitals as we can."

Ms Gill said DHB technicians were working on a computer upgrade overnight when things started to go awry.  "About 2am they noticed there were some issues with the computers. By 4am they realised a computer virus had got into our whole system.
"We brought in Microsoft and have been working with them through the night."

Conficker has been identified as the culprit.

http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10616074

Microsoft ends 10-year fight with Europe on browsers

Microsoft has reached agreement with European Union anti-trust regulators to allow European users a choice of web browsers.

The accord ends 10 years of dispute between the two sides.

Over that time, the EU imposed fines totalling 1.68bn euros ($2.44bn, £1.5bn).

The European Commission said Microsoft’s legally binding agreement ended the dispute and averted a possible fine for the company.

The Commission’s concern was that the US computer giant may have broken competition rules by bundling its Internet Explorer web browser with its dominant Windows operating system.

http://news.bbc.co.uk/2/hi/business/8415902.stm

Microsoft Statement on European Commission Decision in http://www.microsoft.com/presspass/press/2009/dec09/12-16statement.mspx

overlay.xul is back

It’s been a while. If I remember correctly, a variant of Vundo was using the "overlay.xul" mechanism to hijack searches in the Firefox browser almost a year ago. Now, ISC reader Tom contacted us with a mystery that took him and his colleagues several days to unravel. The symptoms: You try to search with Google/Yahoo/Ask/Bing, but NoScript (a great add-on!!) warns you that the browser is actually trying to run a JavaScript from innoshots-dot-org. Having checked all the usual culprits, and run all the Anti-Virus tools you have, you find: Nothing. And the browser still redirects.

overlay.xul is a Firefox mechanism to allow applications to add elements to the browser GUI, and is used to good effect by several tools. We don’t know which infection vector was used in Tom’s case to deposit the malicious overlay file on the machine. All we have is the file, and the knowledge that it apparently either resides in

Documents and Settings/user/Local Settings/Application Data/{randomstring}/chrome/content   — or —
Program Files/Mozilla Firefox/extensions/{randomstring}/chrome/content

and is accompanied by a suspicious JavaScript file called _cfg.js.

overlay.xul contains heavily obfuscated JavaScript, and has nice copyright headers to make it look like a valid Firefox add-on, but the "smoking gun" is still visible in the lower portion of the file.

http://isc.sans.org/diary.html?storyid=7765
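The diary gives enough to write a first-pass hunt: walk the Firefox extension directories for `chrome/content/overlay.xul`, look for the `_cfg.js` sibling, and score the overlay's script for the obfuscation tells (`eval`/`unescape` wrappers, `String.fromCharCode`, long escape runs, very long lines). The following is an added example by the editor, not code from the ISC diary; the indicator list is the editor's choice of common obfuscator idioms and is a heuristic, not a signature, and the sample extension tree it scans is constructed in a temporary directory (the `{...}` directory name and the payload string stand in for the random name and the real malicious script).

```python
"""Look for the overlay.xul/_cfg.js pattern the ISC diary describes in
Firefox extension directories and flag overlays whose script looks
obfuscated."""
import re
import tempfile
from pathlib import Path

# Heuristic indicators of packed or obfuscated script. Chosen here as common
# obfuscator idioms; they are hints for a human reviewer, not signatures.
OBFUSCATION_MARKERS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode\s*\("),
    "hex-escape run": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
    "percent-escape run": re.compile(r"(%[0-9a-fA-F]{2}){8,}"),
}
LONG_LINE = 300  # hand-written overlays rarely have lines this long


def inspect_overlay(path):
    """Return the list of indicators found in one overlay.xul."""
    text = path.read_text(errors="replace")
    reasons = [name for name, rx in OBFUSCATION_MARKERS.items() if rx.search(text)]
    if any(len(line) > LONG_LINE for line in text.splitlines()):
        reasons.append("very long line")
    if (path.parent / "_cfg.js").exists():
        reasons.append("_cfg.js sibling, as in the ISC report")
    return reasons


def scan_extensions(root, min_indicators=2):
    """Find every <ext>/chrome/content/overlay.xul under root and report those
    with at least min_indicators indicators: {path: [reasons]}."""
    findings = {}
    for overlay in Path(root).rglob("overlay.xul"):
        if overlay.parent.name != "content" or overlay.parent.parent.name != "chrome":
            continue
        reasons = inspect_overlay(overlay)
        if len(reasons) >= min_indicators:
            findings[str(overlay)] = reasons
    return findings


XUL_NS = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"


def build_sample_tree():
    """Constructed fixture: a plain overlay and one modelled on the diary.
    The '{...}' directory name stands in for the random string; the payload
    is a harmless escaped string, not the real malware."""
    root = Path(tempfile.mkdtemp())
    good = root / "toolbar@example.org" / "chrome" / "content"
    good.mkdir(parents=True)
    (good / "overlay.xul").write_text(
        f'<?xml version="1.0"?>\n<overlay xmlns="{XUL_NS}">\n'
        '<script type="application/x-javascript">\n'
        'window.addEventListener("load", function () { /* add toolbar button */ }, false);\n'
        '</script>\n</overlay>\n')
    bad = root / "{5e2b91c0-c3a7-4d1e-9f4a-constructed}" / "chrome" / "content"
    bad.mkdir(parents=True)
    payload = "".join("%%%02x" % ord(c)
                      for c in "document.location='http://redirect.example/';" * 8)
    (bad / "overlay.xul").write_text(
        '<?xml version="1.0"?>\n<!-- copyright header mimicking a legitimate add-on -->\n'
        f'<overlay xmlns="{XUL_NS}">\n<script type="application/x-javascript">\n'
        f'eval(unescape("{payload}"));\n</script>\n</overlay>\n')
    (bad / "_cfg.js").write_text("var cfg = {};\n")
    return root


if __name__ == "__main__":
    for path, reasons in scan_extensions(build_sample_tree()).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

In live use point `scan_extensions` at both locations the diary names (the profile's `Local Settings/Application Data/.../chrome/content` tree and `Program Files/Mozilla Firefox/extensions`). Requiring two indicators keeps a legitimate overlay that happens to call `eval` once out of the report; an overlay that trips several markers and sits next to `_cfg.js` is what the diary describes.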