Security and Privacy » Warnings and Alerts

Make sure your Java is up to date

derek — Thu, 01 Dec 2011 08:19:43 +0000

Public Java Exploit Amps Up Threat Level — Krebs on Security:
http://krebsonsecurity.com/2011/11/public-java-exploit-amps-up-threat-level/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29

“An exploit for a recently disclosed Java vulnerability that was previously only available for purchase in the criminal underground has now been rolled into the open source Metasploit exploit framework. Metasploit researchers say the Java attack tool has been tested to successfully deliver payloads on a variety of platforms, including the latest Windows, Mac and Linux systems.”

“The exploit attacks a vulnerability that exists in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it’s time to update. Not sure whether you have Java or what version you may be running? Check out this link, and then click the “Do I have Java?” link below the big red “Free Java Download” button. Apple issued its own update to fix this flaw and other Java bugs earlier this month.”

Microsoft Fixit for Duqu 0 day exploit

derek — Fri, 04 Nov 2011 07:53:54 +0000

Temporary fixit & workaround for 0 day exploit relating to duqu malware

Fixit & unfixit here http://support.microsoft.com/kb/2639658

Advisory with manual “fixes” http://technet.microsoft.com/en-us/security/advisory/2639658

My considered advice is that you won’t need it and you should wait until Microsoft issue a full patch
So far all attacks have been directly targetted against specific companies or Government departments, That might change as the skiddies get hold of the exploit

Using the fixit might make some applications/ word docs or websites not display correctly ( or even at all ) if they use embedded True type fonts & they haven’t been set to gracefully fall back on standard system fonts

If we start to see general attacks, then I will update this & suggest using the fixit

An additional workaround to prevent Websites attacking you by using embedded fonts is to set Internet Explorer font downloads to prompt instead of allow . That way you at least get an alert if a font is being downloaded and you can make an educated opinion as to whether it is likely to be malicious

Open Internet Explorer
On the Tools menu, click Options and then click the Security tab.
Select Custom and click Settings.
Scroll to the Downloads section.
Change the Font Download setting from Enable to Prompt

new Fake AV techniques

derek — Fri, 29 Jul 2011 17:21:26 +0000

http://xylibox.blogspot.com/2011/07/trojanfakeavlvt.html

once you get past the colourful language from the analyst, it is a very good read & shows what we are up against. Please forgive any errors in language as he doesn’t have English as a first language

This particular one has the ability to replace your existing antivirus with itself & make you think that you are still protected when you aren’t and it installs Zero access rootkit

This is definitely something to watch out for

June 2011 Adobe updates

derek — Thu, 16 Jun 2011 14:15:44 +0000

As if you needed more updates this week…

APSB11-16 – Security Advisory for Adobe Reader (v10.1) and Acrobat (v10.1 et al.)
http://www.adobe.com/support/security/bulletins/apsb11-16.html

APSB11-17 – Security Update Available for Adobe Shockwave Player v11.6.0.626
http://www.adobe.com/support/security/bulletins/apsb11-17.html

APSB11-18 – [Yes, yet another] Security update available for Adobe Flash Player (v10.3.181.26)
http://www.adobe.com/support/security/bulletins/apsb11-18.html

Another new URGENT Adobe flash security update

derek — Mon, 06 Jun 2011 08:24:34 +0000

http://www.adobe.com/support/security/bulletins/apsb11-13.html
An important vulnerability has been identified in Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.22 and earlier versions for Android. This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.
Adobe recommends users of Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.181.22 (10.3.181.23 for ActiveX). Adobe expects to make available an update for Flash Player 10.3.185.22 for Android during the week of June 6, 2011.

Adobe is still investigating the impact to the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions of Adobe Reader and Acrobat for Windows and Macintosh operating systems. Adobe is not aware of any attacks targeting Adobe Reader or Acrobat in the wild.

Cybercriminals Hoping You’ll Bite iPhone 5 Bait

derek — Wed, 25 May 2011 07:20:24 +0000

Online criminals know there are enough gadget hounds out there to make a scam surrounding any shiny new Apple device a surefire moneymaker. To that end, they’ve already begun sending out phishing emails for the iPhone 5.

The phishing emails appear to be official emails from Apple.com, with the title “Finally. The amazing iPhone 5. Now available in black edition.” The body of the message shows a hand holding a transparent iPhone, followed by an enticing offer to “check it out,” according to MacRumors.

Although there’s been much speculation about the next generation iPhone, Apple has not set a release date for it. In fact, Apple hasn’t even announced it yet, but that isn’t stopping this cleverly crafted Mac-themed scam from spreading.

So what are you checking out when you click the link to see the new iPhone 5?

You won’t receive any info about the smartphone, but you will enable a rigged Windows file to run malicious code on your computer. And you’ll also be taken to a phony Apple Web page that asks for your Apple ID and other sensitive information.

Apple announces new products, especially ones of this magnitude, in highly publicized press conferences. So if you receive an unsolicited email purporting to have information about the new iPhone 5, ignore it, DELETE IT WITHOUT EVEN READING IT.

story from: http://www.securitynewsdaily.com/cybercriminals-hoping-youll-bite-iphone-5-bait-0813/

This malware is quite well detected by many antivirus companies, but not all. It is a fairly standard Zapchast IRC trojan that will attempt to download lots of other crap & malware to your computer.

It also appears to try to perform a DDOS flood attack against several other competing Mirc users and channels to block their channels, so no doubt will turn out to be connected to the typical fake AV scams and stealing your money

A Different approach to scam phishing

derek — Wed, 11 May 2011 07:12:23 +0000

I wonder how effective the phishers will be sending this to countless people.

I doubt that there are enough Irish speakers/readers in the world to make it worthwhile

Translated it says

Dear Applicant:

We have noticed that you are entitled to a refund amount 361.43
Complete the tax refund 24h: Tax Return Form 2011

Thanks,
Irish Revenue

Irish revenue scam

I have received 5 of these in the last hour. 2 from chinese servers but 3 from different domains on Fasthost.co.uk servers. It looks to me that either fasthosts have been hacked again or they have open relays on their servers allowing bots & phishers to relay through them

new malware spam- order.zip

derek — Tue, 10 May 2011 11:07:51 +0000

There is a new spam bot out there sending a malware link. see screenshot

screenshot of typical spam email

all emails so far appear to originate from a Ukrainian server noc.maximuma.net 91.196.148.8 which may or may not have been hacked, but web searches suggest that lots of spam & malware is being distributed via that server hosting company

So far I have seen several different sites hosting the malware and the senders & recipient email addresses are all random or spoofed

At present antivirus detection is very sporadic but samples have been sent to all known AV companies so I do expect a better detection rate very shortly

The current payload is always order.zip, which when extracted pretends to be order.doc but has a lot of spaces then .exe so simply clicking on it will infect you

It appears to be a downloader or installer for one of the fake Antivirus programs, that currently plague us.

You can see a quick automatic analysis on the Anubis website From previous experience of this sort of malware and the locations it installs itself to , I would not be at all surprised if the malware shown in the Anubis report also installs the TDL4 bootkit

Update: they have changed the email slightly to something that resembles a previous attack attempt and included a “your credit card will be charged with xxxxx $

That always gets the unwary to follow the link, to check if it is their card that has been falsely charged

Revised updated email, showing alleged credit card charge

Results are coming in from many antivirus companies now, saying that it is a version of the spyeyes crimeware toolkit. Spyeyes is well described in this Symantec blog

Microsoft is aware of nine fraudulent digital certificates issued by Comodo

derek — Wed, 23 Mar 2011 17:50:02 +0000

The full advisory can be found on the Web at: http://www.microsoft.com/technet/security/advisory/2524375.mspx.

===========================
SUMMARY
===========================
Microsoft is aware of nine fraudulent digital certificates issued by Comodo, a certification authority present in the Trusted Root Certification Authorities Store on all supported versions of Microsoft Windows. Comodo advised Microsoft on March 16, 2011 that nine certificates had been signed on behalf of a third party without sufficiently validating its identity. These certificates may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer.

Certificates for the following Web properties are affected:

• login.live.com
• mail.google.com
•www.google.com
• login.yahoo.com (3 certificates)
• login.skype.com
• addons.mozilla.org
• “Global Trustee”

Comodo has revoked these certificates, and they are listed in Comodo’s current Certificate Revocation List (CRL). In addition, browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used.

An update is available for all supported versions of Windows to help address this issue. For more information about this update, see Microsoft Knowledge Base Article 2524375 (http://support.microsoft.com/kb/2524375).

Typically, no action is required of customers to install this update, because the majority of customers have automatic updating enabled and this update will be downloaded and installed automatically. For more information, including how to manually install this update, see the Suggested Actions section of this advisory.

===========================
RECOMMENDATIONS
===========================
Review Microsoft Security Advisory 2524375 for an overview of the issue, details on affected components, suggested actions, frequently asked questions (FAQ), and links to additional resources. MSRA Security Partners who are experiencing issues believed to be related to the issues described in this advisory should contact us via e-mail or by calling 888-HELPSEC with your custom Access ID.

===========================
ADDITIONAL RESOURCES
===========================
• Microsoft Security Advisory 2524375 – Fraudulent Digital Certificates Could Allow Spoofing –http://www.microsoft.com/technet/security/advisory/2524375.mspx

• Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc

More details on Comodo blog

Microsoft update for Windows 7 KB2505438

derek — Wed, 09 Mar 2011 08:30:44 +0000

We are seeing on the forums and newsgroups several reports from users of “worries” about this update and following the links from the windows update page or the update history page on your computer doesn’t take you to the correct Microsoft support & information page about the update but to an advertising page

Ths is due to a mistype by Microsoft when inserting the link. You are NOT infected. Microsoft website is NOT infected. It is just a mistype by a Microsoft employee.
Microsoft have fixed the link on the windows update page and partially have on the history page on your computer. It looks like some of the regional Microsoft update servers are still giving a cached copy of the update with the bad link, but others are giving the correct link.
The correct link for support or information about this update is
http://support.microsoft.com/kb/2505438
The mistyped link was

http://support.micrososft.com/kb/2505438

Note the extra S in microsft
It is an easy typing error to make.
So Don’t panic about it. I repeat again you are not infected, Microsoft website is not infected, it was just a simple typing error that has been partially corrected and I expect to be fully corrected very soon.

We often see major problems with typo squatting. This is when unscrupulous people buy up every possible combination of mistypes for common domain names, in the hope that they will get money someone mistypes a URL ( web address) and lands on their site/landing page instead. This time it is only harmless advertising but in many cases the unscrupulous owner will either attempt to sell you a fake program or even worse install malware from the fake page.
Watch links you follow & make sure that they are spelled correctly
See the screenshots

Mistyped url on update history for KB2505438

Mistyped URL for KB2505438 from Windows update site