Bogus Windows License Spam is in the Wild

October 26, 2012 by  
Filed under Security News

For everyone’s information:

Below is a screenshot of a new spam run in the wild, and the sender (whoever he, she, or it is) presents to recipients a very suspicious but very free license for Microsoft Windows that they can download.

Sounds too good to be true? It probably is.

 

[Screenshot: the bogus Windows license spam email]

From: {random email address}
Subject: Re: Fwd: Order N [redacted]
Message body:
Welcome,

You can download your Microsoft Windows License here -

Microsoft Corporation

Clicking the hyperlinked text leads recipients to a number of .ru websites hosting the file, page2.htm (screenshot below), which contains obfuscated JavaScript code that loads the Web page fidelocastroo(dot)ru(colon)8080/forums/links/column(dot)php.

 

[Screenshot: page2.htm with the obfuscated JavaScript that loads the Blackhole landing page]

This spam is a launchpad for a Blackhole-Cridex attack on user systems.
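The indicators above (the forwarded-order subject line, the license lure, and a link to a .ru host serving page2.htm) are enough for a mail-gateway rule. The following Python is an added example, not GFI's code; the two sample messages are constructed and the .ru hostname is a placeholder.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed detection logic, not GFI's. The indicators come straight from
# the post: a subject of the form "Re: Fwd: Order N ...", a "Microsoft Windows
# License" lure in the body, and a link to a .ru host serving page2.htm.
SUBJECT_RE = re.compile(r"^Re: Fwd: Order N\b", re.IGNORECASE)
LURE_RE = re.compile(r"Microsoft Windows License", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect the href target of every <a> tag in an HTML part."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html: str) -> list:
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def classify_message(raw: str) -> list:
    """Return the indicators matched by one raw RFC 822 message (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        reasons.append("subject matches 'Re: Fwd: Order N'")
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part is not None else ""
    if LURE_RE.search(html):
        reasons.append("Windows license lure text in body")
    for link in extract_links(html):
        parts = urlparse(link)
        host = (parts.hostname or "").lower()
        if host.endswith(".ru") and parts.path.lower().endswith("page2.htm"):
            reasons.append(f"link to .ru host serving page2.htm ({host})")
    return reasons


def is_campaign_hit(raw: str) -> bool:
    """Require two independent indicators, so an ordinary reply whose subject
    happens to start with 'Re: Fwd: Order N' is not quarantined on its own."""
    return len(classify_message(raw)) >= 2


# Constructed sample messages; the hostname is a placeholder, not a real domain.
SAMPLE_SPAM = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: Re: Fwd: Order N 000000
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>Welcome,<br>
You can download your Microsoft Windows License here -<br>
<a href="http://placeholder-host.ru/page2.htm">Microsoft Corporation</a>
</body></html>
"""

SAMPLE_CLEAN = """\
From: colleague@example.invalid
To: recipient@example.invalid
Subject: Re: order confirmation
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>Thanks, the confirmation is attached to the earlier mail.</body></html>
"""
```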

This method is likewise being used by the most recent campaign of the “Copies of Policies” spam, also in the wild.

Our AV Labs researchers have documented their findings in detail regarding these spam runs on our GFI Software Tumblr page. Please visit www.gfisoftware.tumblr.com.

Stay safe!

 

By Jovi Umawing @ http://www.gfi.com/blog


Hot Off the Web: New Java 0-Day Vulnerability

August 28, 2012 by  
Filed under Security News


The latest buzz on security and vulnerability these past few days revolves around Java, a software development platform originally created by Sun Microsystems and now owned by Oracle. Websites often run Java programs, normally as applets (.jar), in order to “provide interactive features to web applications that cannot be provided by HTML alone”. Initial reports reveal that the exploit used to take advantage of the vulnerability found in Java 7—version 1.7, updates 0 to 6—is an applet called applet.jar (note that the names of malicious files can change in the future).

Our friends at FireEye first uncovered the new 0-day Java Runtime Environment (JRE) vulnerability being exploited in the wild. It is leveraged by online criminals to perform targeted attacks, regardless of the Internet browser used or how up to date it is. “The number of these attacks has been relatively low, but it is likely to increase due to the fact that this is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails,” said Andre’ M. DiMino and Mila Parkour of DeepEnd Research in their blog entry. An official patch from Oracle is yet to be released; however, our friends at DeepEnd are distributing a temporary fix, courtesy of Michael Schier, to system administrators only and by request. The said patch allows the exploit to execute but stops the payload.

Once the vulnerability is successfully exploited, a binary is dropped on the compromised system. Based on initial reports, the binary is hi.exe (MD5: 4a55bf1448262bf71707eef7fc168f7d), which GFI VIPRE Antivirus already detects as Trojan.Win32.Generic!BT.

Although earlier releases of Java do not have the said JRE vulnerability, security researchers advised against downgrading to versions 1.6 and below, as flaws inherent to those versions can still affect users. Instead, users are advised to disable Java in their browser for the time being, until an official patch is made available. It is expected in October, based on Oracle's triannual Java patch release schedule.

Stay safe!

Jovi Umawing @ gfi.com (SOURCE)

TDL4 – Top Bot

July 24, 2011 by  
Filed under Security News

TDSS variants

 

The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today. TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.

 

Its creator calls this program TDL. Since it first appeared in 2008, malware writers have been perfecting their creation little by little. By 2010, the latest version was TDL-3, which was discussed in depth in an article published in August 2010.

 

The creators of TDSS did not sell their program until the end of 2010. In December, when analyzing a TDSS sample, we discovered something odd: a TDL-3 encrypted disk contained modules of another malicious program, SHIZ.

 

[Figure: TDL-3 encrypted disk with SHIZ modules]

 

At that time, a new affiliate program specializing in search engine redirects had just emerged on the Internet; it belonged to the creators of SHIZ, but used TDL-3.

 

The changes that had been made to the TDL-3 configuration and the emergence of a new affiliate marketing program point to the sale of TDL-3 source code to cybercriminals who had previously been engaged in the development of SHIZ malware.

 

Why did the creators of TDL decide to sell source code of the third version of their program? The fact is that by this time, TDL-4 had already come out. The cybercriminals most likely considered the changes in version 4 to be significant enough that they wouldn’t have to worry about competition from those who bought TDL-3.

 

In late 2010, Vyacheslav Rusakov wrote a piece on the latest version of the TDSS rootkit focusing on how it works within the operating system. This article will take a closer look at how TDL-4 communicates with the network and uploads data to the botnet, which numbered over 4.5 million infected computers at the time of writing.

 

Yet another affiliate program

 

The way in which the new version of TDL works hasn’t changed so much as how it is spread – via affiliates. As before, affiliate programs offer a TDL distribution client that checks the version of the operating system on a victim machine and then downloads TDL-4 to the computer.

 

[Figure: Affiliates spreading TDL]

 

Affiliates receive between $20 and $200 for every 1,000 installations of TDL, depending on the location of the victim computer. Affiliates can use any installation method they choose. Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services.

 

The changes in TDL-4 affected practically all components of the malware and its activity on the web to some extent or other. The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down. The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.

 

The ‘indestructible’ botnet

 

Encrypted network connections

 

One of the key changes in TDL-4 compared to previous versions is an updated algorithm encrypting the protocol used for communication between infected computers and botnet command and control servers. The cybercriminals replaced RC4 with their own encryption algorithm using XOR swaps and operations. The domain names to which connections are made and the bsh parameter from the cfg.ini file are used as encryption keys.

 

Readers may recall that one of the distinguishing features of malware from the TDSS family is a configuration file containing descriptions of the key parameters used by various modules to maintain activity logs and communications with command and control servers.

 

[Figure: Example of configuration file content]

 

Compared to version 3, there are only negligible changes to the format of the configuration file. The main addition is the bsh parameter, an identifier for the copy of the malware, which is provided by the command and control server the first time the bot connects. This identifier acts as one of the encryption keys for subsequent connections to the command and control server.

 

[Figure: Part of the code modified to work with the TDL-4 protocol]

 

Upon protocol initialization, a swap table is created for the bot’s outgoing HTTP requests. This table is activated with two keys: the domain name of the botnet command and control server, and the bsh parameter. The source request is encrypted and then converted to base64. Random strings in base64 are prepended and appended to the received message. Once ready, the request is sent to the server using HTTPS.

 

The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis and blocking attempts by other cybercriminals to take control of the botnet.
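To make the structure of the scheme concrete, here is a constructed model in Python of the wrapping described above: a swap table derived from the C&C domain and the bsh value, XOR with the key bytes, base64, and random base64 strings on either side. It is an added example, not Kaspersky's code and not TDL-4's actual algorithm; the key derivation, the fixed pad length and the XOR schedule are assumptions. The point for an analyst is that both keys are recoverable, the domain from DNS or the TLS SNI and bsh from cfg.ini on the infected host, so captured requests can be decoded from a disk image plus a packet capture.

```python
import base64
import hashlib
import secrets

# Constructed model of the scheme the article describes. It is NOT TDL-4's
# code: the KDF, the XOR schedule and the fixed pad length are assumptions
# made so that the wrap/unwrap pair round-trips and can be tested.

PAD_LEN = 12  # assumed length of the random base64 strings on each side


def derive_swap_table(domain: str, bsh: str) -> list:
    """Derive a 256-entry byte permutation ("swap table") from the two keys.
    Assumed KDF: SHA-256(domain|bsh) expanded into a Fisher-Yates shuffle."""
    seed = hashlib.sha256(f"{domain}|{bsh}".encode()).digest()
    stream = b"".join(
        hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(16)
    )  # 512 bytes: two bytes of shuffle randomness per table position
    table = list(range(256))
    for i in range(255, 0, -1):
        j = int.from_bytes(stream[2 * i:2 * i + 2], "big") % (i + 1)
        table[i], table[j] = table[j], table[i]
    return table


def transform(data: bytes, domain: str, bsh: str, decrypt: bool = False) -> bytes:
    """Encrypt: push each byte through the swap table, then XOR with the
    cycled key bytes (domain + bsh). Decrypt: XOR first, then inverse table."""
    table = derive_swap_table(domain, bsh)
    inverse = [0] * 256
    for i, v in enumerate(table):
        inverse[v] = i
    key = (domain + bsh).encode()
    out = bytearray()
    for i, b in enumerate(data):
        k = key[i % len(key)]
        out.append(inverse[b ^ k] if decrypt else table[b] ^ k)
    return bytes(out)


def wrap_request(plaintext: bytes, domain: str, bsh: str) -> str:
    """Bot side: encrypt, base64, then surround with random base64 strings
    (9 random bytes encode to exactly PAD_LEN base64 characters)."""
    body = base64.b64encode(transform(plaintext, domain, bsh)).decode()
    front = base64.b64encode(secrets.token_bytes(9)).decode()
    back = base64.b64encode(secrets.token_bytes(9)).decode()
    return front + body + back


def unwrap_request(wire: str, domain: str, bsh: str) -> bytes:
    """Analyst side: strip the pads and invert the transform. The domain is
    visible on the wire; bsh is read from cfg.ini on the infected host."""
    body = wire[PAD_LEN:-PAD_LEN]
    return transform(base64.b64decode(body), domain, bsh, decrypt=True)
```

Because the key material is a DNS name plus a value stored in a plaintext configuration file, the scheme hides traffic from a passive observer without the host, not from an investigator who has both the capture and the disk.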

 

An antivirus of its own

Just like Sinowal, TDL-4 is a bootkit, which means that it infects the MBR in order to launch itself, thus ensuring that malicious code will run prior to operating system start. This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.

 

TDL nimbly hides both itself and the malicious programs that it downloads from antivirus products. To prevent other malicious programs not associated with TDL from attracting the attention of users of the infected machine, TDL-4 can now delete them. Not all of them, of course, just the most common.

 

[Figure: TDSS module code which searches the system registry for other malicious programs]

 

TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc. TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them.

 

This ‘antivirus’ actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.

 

Which malicious programs does TDL-4 itself download? Since the beginning of this year, the botnet has installed nearly 30 additional malicious programs, including fake antivirus programs, adware, and the Pushdo spambot.

 

[Figure: TDSS downloads]

 

Notably, TDL-4 doesn’t delete itself following installation of other malware, and can at any time use the r.dll module to delete malware it has downloaded.

 

Botnet access to the Kad network

 

One of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network?

 

We have known about botnets controlled via P2P for some time now, although until now, these were closed protocol connections created by the cybercriminals themselves. In contrast, TDSS uses a public P2P network in order to transmit commands to all infected computers in the botnet. The initial steps of how TDSS makes use of Kad are given below:

  1. The cybercriminals make a file called ktzerules accessible on the Kad network. The file is encrypted and contains a list of commands for TDSS.
  2. Computers infected with TDSS receive the command to download and install the kad.dll module.
  3. Once installed, kad.dll downloads the file nodes.dat, which contains the publicly accessible list of IP addresses of Kad network servers and clients.
  4. The kad.dll module then sends a request to the Kad network to search for the ktzerules file.
  5. Once the ktzerules file has been downloaded and decrypted, kad.dll runs the commands it contains.

 

[Figure: Encrypted kad.dll updates found on the Kad network]

 

Below is a list of commands from an encrypted ktzerules file.

 

  • SearchCfg – search Kad for a new ktzerules file
  • LoadExe – download and run the executable file
  • ConfigWrite – write to cfg.ini
  • Search – search Kad for a file
  • Publish – publish a file on Kad
  • Knock – upload a new nodes.dat file to the C&C which contains a list of Kad server and client IP addresses, including those infected with TDSS.

 

The most interesting command is Knock. This command allows the cybercriminals to create their own Kad P2P network, the clients of which are exclusively TDSS-infected computers.

 

[Figure: How the publicly accessible and closed Kad networks overlap]

 

Essentially, the TDSS botnet's kad.dll module is more or less the same as cmd.dll in terms of control function. By using nodes.dat files containing a list of IP addresses of Kad clients, together with a ktzerules file containing a command to download a new nodes.dat file from cybercriminal servers, the owners of the botnet can both include their infected computers in the publicly accessible Kad network and remove them from it. The publicly accessible Kad network contains no more than 10 TDSS-infected computers. This makes replacing the ktzerules file as inefficient as possible, which prevents other cybercriminals from taking control of the botnet. The total number of TDSS-infected computers on the closed network is in the tens of thousands.

 

[Figure: kad.dll code responsible for sending commands from the TDL-4 cybercriminals]

 

Furthermore, access to Kad makes it possible for the cybercriminals to download any files to botnet machines and make them accessible to the P2P users. This includes adult content files and stolen databases.

 

The key threat that such a botnet poses is that even when its command and control centers are shut down, the botnet owners will not lose control over infected machines. However, the system does face two major obstacles:

  1. By using the publicly accessible Kad network, the cybercriminals still run the risk of fake botnet commands.
  2. When developing the kad.dll module for maintaining communication with the Kad network, code with a GPL license was used — this means that the authors are in violation of a licensing agreement.

 

Extended functionality

 

In addition to its known adware function, TDL-4 has added some new modules to its arsenal. This article has already touched on the ‘antivirus’ function and the P2P module. The owners of TDSS have also added several other modules to their malware, and now offer services such as anonymous network access via infected machines and 64-bit support.

 

The proxy server module

 

A file called Socks.dll has been added to TDSS’s svchost.exe; it is used to establish a proxy server on an infected computer. This module facilitates the anonymous viewing of Internet resources via infected machines.

 

Having control over such a large number of computers with this function, the cybercriminals have started offering anonymous Internet access as a service, at a cost of roughly $100 per month. For the sake of convenience, the cybercriminals have also developed a Firefox add-on that makes it easy to toggle between proxy servers within the browser.

 

[Figure: Firefox add-on for anonymous Internet use via the TDSS botnet]

64-bit support

 

The appearance of a 64-bit malicious driver in TDSS was another innovation in malware in 2010. In order to support operations with 64-bit systems in user mode, TDL-4 contains a module called cmd64.dll, a version of cmd.dll for 64-bit systems. However, due to the limitations of working with 64-bit programs, cmd64.dll code only provides communication with the botnet command and control servers.

 

[Figure: List of botnet command and control center commands]

Working with search engines

 

The cmd.dll module (see for details) remains almost completely unchanged. This module facilitates communication with the botnet command and control servers and substitutes search results, i.e. fraudulently manipulates advertising systems and search engines. The newest innovation in the list of commands for TDSS is the SetName command, which assigns a number to each infected computer. For search engines and banner networks, TDSS uses the same fake click and traffic technologies as similar malicious programs. However, TDSS has the longest list of search engines for which it substitutes search results.

 

[Figure: List of search engines supported by TDSS]

Botnet command and control servers

When running, TDSS uses several sources to obtain lists of command and control server addresses. The default list is taken from cmd.dll; if these addresses are inaccessible, then TDSS gets a list from cfg.ini. If for some reason no command and control server listed is accessible, then a list is created from an encrypted file called bckfg.tmp, which the bot receives from the command and control server on first connection. Since the beginning of the year, around 60 command and control centers have been identified across the globe.

 


A careful examination of this list reveals that the IP addresses of command and control centers are constantly changing, while some command and control centers are phased out altogether. These changes are due to the use of proxy servers, which hide the true location of the command and control centers.

 

Command and control server statistics

 

Despite the steps taken by cybercriminals to protect the command and control centers, knowing the protocol TDL-4 uses to communicate with servers makes it possible to create specially crafted requests and obtain statistics on the number of infected computers. Kaspersky Lab’s analysis of the data identified three different MySQL databases located in Moldova, Lithuania, and the USA, all of which used proxy servers to support the botnet.

 

According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.

 

[Figure: Distribution of TDL-4 infected computers by country]

 

Nearly one-third of all infected computers are in the United States. Going on the prices quoted by affiliate programs, this number of infected computers in the US is worth $250,000, a sum which presumably made its way to the creators of TDSS. Remarkably, there are no Russian users in the statistics. This may be explained by the fact that affiliate marketing programs do not offer payment for infecting computers located in Russia.

 

To be continued…

 

The heading of this last section has become traditional in our articles on TDSS. In this case, we have reason to believe that TDSS will continue to evolve. The fact that TDL-4 code shows active development — a rootkit for 64-bit systems, the malware launching prior to operating system start, the use of exploits from Stuxnet’s arsenal, P2P technology, its own ‘antivirus’ and a lot more — places TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware. The botnet, with more than 4.5 million infected computers, is used by cybercriminals to manipulate adware and search engines, provide anonymous Internet access, and acts as a launch pad for other malware.

 

TDSS and the botnet that unites all the computers it infects will continue to cause problems for users and IT security professionals alike. The decentralized, server-less botnet is practically indestructible, as the Kido epidemic showed.

 

Source:  Securelist.com


Cross-platform worm targets Facebook users

October 29, 2010 by  
Filed under Security News

A new member of the Koobface family of malware has been making the headlines in the last 24 hours. The reason why the threat, which is sometimes being referred to as “Boonana”, has been getting so much attention is that it doesn’t just infect Windows, but targets Mac OS X and Linux computers too.

 

This incarnation of the Koobface worm appears to have been spread via Facebook in messages asking “is this you in this video”.

 

IMPORTANT! PLEASE READ. Hi <username>. Is this you in this video here : <link>

 

Clicking on the link takes you to an external website that displays an image of a woman (grabbed from the Hot Or Not website).

 


Visitors to the webpage who want to see more are prompted to give permission for an applet called JPhotoAlbum.class to be run from inside a Java Archive (JAR) called JNANA.TSA.

 


Whether you are running Windows, Mac OS X or Linux on your computer, if you give permission for the highly obfuscated Java app to run then the malware will sneakily download a variety of programs from the internet which it will then execute on your computer.

 

Files which can be downloaded include:

applet_hosts.txt
cplibs.zip
jnana_12.0.tsa
jnana.pix
OSXDriverUpdates.tar
pax_wintl.crc
pax_wintl.zip
rawpct.crc
rawpct.zip
rvwop.crc
rvwop.zip
VfxdSys.zip
WinStart.zip

 

Sophos detects various components of the attack as Troj/KoobStrt-A, Troj/KoobInst-A, Troj/KoobCls-A, Troj/Agent-PDY, Troj/DwnLdr-IOX, and Troj/DwnLdr-IOY. In addition, Sophos’s web protection blocks access to the malicious webpages.

 

Don’t forget to always be careful about what links you click on, even if they appear to have been shared by someone you know on Facebook.

 

And if you’re a user of Linux or Mac OS X, don’t think that the malware problem only exists on Windows. Malicious hackers are becoming increasingly interested in targeting other platforms, and if users of your operating system have a reputation for being dismissive of malware warnings on your preferred OS, the bad guys may consider you a soft target.

 

By Graham Cluley @ nakedsecurity.sophos.com

 

 

 

WINDOW LIVE TEAM -ACCOUNT ALERT- Another Spam That Attacks Hotmail Accounts

October 9, 2010 by  
Filed under Security News

Watch out for these fake spam emails that claim to be from WINDOW LIVE TEAM and ask for your personal information.

 

It looks like this in your inbox:

 

[Screenshot: the message as it appears in the inbox]

 

 

and the message content looks like this:

 

[Screenshot: the message content]

 

 

Finally, don’t reply to these kinds of emails; mark them as spam. - Take Care -

 

Watch out for new Type of Hotmail Spam Attack

October 8, 2010 by  
Filed under Security News

I just received a new spam message from one of my Hotmail contacts (my friend); it is a new type of message and most people could fall for it, so watch out.

 

The message looks like:

 

Subject: Hii


Content:


[Screenshot: the message content]
I found some hidden text at the end of the message; it says:
[Screenshot: the hidden text]

 

???? I don’t know what that means.

 

Finally, the trapped link included in the message redirects victims to another website that asks for their username and password:

 

[Screenshot: the phishing page asking for username and password]

 

When you enter your information, the site will spam and steal information from you and all your contacts, so be careful.

 

 

Adobe races to patch zero-day vulnerability in Flash Player

September 26, 2010 by  
Filed under Security News

Adobe has issued a security advisory about an as-yet unpatched vulnerability in its popular Flash Player software, affecting users of Windows, Mac, Linux, Solaris and even Google Android.

 

The critical security hole could allow an attacker to take control of your computer and run malicious code.

 

The firm also confirmed that the vulnerability affects Adobe Reader 9.3.4 for Windows, Mac and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Mac. The reason that Acrobat and Reader are also affected is that the programs support Flash content inside PDF files.

 

The new warnings follow closely after news last week of another vulnerability in Reader and Acrobat that was being exploited by malware authors.

 

Adobe has announced that an update for Flash Player tackling the latest vulnerability is expected to be available during the week of September 27, and an update for Acrobat and Reader will be available the following week.

 

Last month, Sophos blogger Chet Wisniewski interviewed Brad Arkin, Adobe’s Senior Director of Product Security and Privacy, about the firm’s security strategy and their upcoming sandboxing technology.

 

You can also download the interview directly in MP3 format.

 

 


 

The Pirate Bay Hacked, User Info Exposed

July 8, 2010 by  
Filed under Security News

An Argentinian hacker named Ch Russo claims that he and two associates have found several SQL injection vulnerabilities in The Pirate Bay’s database, which granted him access to all user information, including usernames and e-mails.

 

According to KrebsOnSecurity, who spoke with Ch Russo on the phone, the hackers did not modify the user data or give it away to a third party. They did, as they say, consider how much this info would be worth to various anti-piracy outfits such as the RIAA.

 

“Probably these groups would be very interested in this information, but we are not [trying] to sell it. Instead we wanted to tell people that their information may not be so well protected,” Ch Russo said.

 

It seems that the vulnerability has been at least partially patched however, as Russo said the website component that gives access to The Pirate Bay’s database has been removed. Furthermore, The Pirate Bay site is currently down, sporting the following message: “Upgrading some stuff, database is in use for backups, soon back again.. Btw, it’s nice weather outside I think.”

 

Although it’s been under the attack of the entertainment industry for years now, The Pirate Bay has somehow been able to survive to this day, even in the wake of some other major torrent trackers, such as Mininova.

 

Security problems such as this one, however, might cause huge problems to the service if user information falls into the wrong (or right, depending on how you look at it) hands.

 

 

By: Stan Schroeder

Source: mashable.com


Contract_05_07_2010.zip – all you’ll contract is a malware infection

July 8, 2010 by  
Filed under Security News

SophosLabs is seeing another widespread malicious spam attack being sent to email addresses around the world. The emails, which have a malware-infected attachment called Contract_05_07_2010.zip, pretend to be a legal contract – however, opening the contents of the file could infect your Windows computer.

 

[Screenshot: the contract spam email]

A typical email reads:

Subject: Permit for retirement

Message body:

Good day,
We have prepared a contract and added the paragraphs that you wanted to see in it.
Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.
If necessary, we can send it by fax.
Looking forward to your decision.
<name>

Attached file: Contract_05_07_2010.zip

 

 


 

Never Texting Again: Facebook rogue app spreading quickly

July 8, 2010 by  
Filed under Security News

Updated: Over 290,000 people have in the last few days clicked on a link that is spreading virally across Facebook, claiming to point to a video of someone who died after sending a text message on their cellphone.

The links are being posted on innocent Facebook users’ walls by a rogue application. A typical message posted by the rogue application reads:

 

I am shocked!!! I'm NEVER texting AGAIN since I found this out. Video here: http://bit.ly/a37TaB - Worldwide scandal!

[Screenshot: Facebook statuses posted by the rogue application]

 

If you do make the mistake of clicking on the link, then you are taken to the rogue Facebook application.

 

[Screenshot: the “click here” page]

[Screenshot: the application permission request]

The problem is that even though Facebook is warning users that they are giving the “I will never text again after seeing this” application permission to post to their wall (as well as to access their personal information), many people still go ahead and press “allow”.

 

Why should you ever have to grant an application such permissions in order to watch a video?

 

Sigh.. Sometimes you just feel like you’re hitting your head against a brick wall..

 

Sure enough – with the permission granted, the application begins to spread its links virally via your Facebook profile:

 

I'm Never Texting Again Since I Found This Out
<name> has seen a shocking video, which shows someone dying because of texting

[Screenshot: Facebook updates posted by the rogue application]

 

Properly cleaning-up your account after you have given permission for the rogue application to access your Facebook account takes two steps. But I’ll throw in a third for good measure.

 

1. Remove the application
Firstly, visit your Application Settings on Facebook and click on the “X” to remove the app from your profile.

[Screenshot: the Application Settings page]

You will be asked to confirm if you really want to remove it. Obviously the correct answer is to go ahead and remove it.

 

[Screenshot: the remove-application confirmation]

2. Clean-up your wall
With the application gone, you now need to clean-up your own wall – and stop advertising the link (and rogue application) to your online friends. Hovering your mouse over the posts on your wall should display a “Remove” option which will allow you to sanitise the news feed you are sharing with others.

 

3. Get smart
There are only two things you need to do to clean up your Facebook account, but I’d recommend you get yourself educated about internet threats too, so you’re wise to these sorts of attacks in the future. If you’re a regular user of Facebook, you should really join the Sophos page on Facebook to be kept informed of the latest security scares and attacks.

 


 
