TechBlog

We just blogged about a highly targeted attack against military contractors. Now we saw one against the intelligence sector. This attack was done with a PDF file. Again. It was targetting the CVE-2009-4324 vulnerability. Again. When opened, the PDF file (md5: c3079303562d4672d6c3810f91235d9b) looked like this: What really happens in the background? Just like last time, the exploit code drops a backdoor in a file called Updater.exe (md5: 02420bb8fd8258f8afd4e01029b7a2b0). Now, what is the document talking about? President’s day? DNI Information Sharing Environment? We don’t know, but a quick web search tells us that apparently there is going to be an Intelligence fair & expo in Germany next month. ...

Microsoft is releasing an out-of-band update for their IE vulnerability. Internet Explorer 6 is affected and is being actively exploited in the wild. The patch will be released on the 21st, today, see Microsoft’s Security Bulletin for additional details. Also in Microsoft news, Security Advisory (979682). There’s a vulnerability in Windows kernel privilege escalation. The vulnerability affects all versions of Windows (NT 3.51 up to Windows 7), on non x64-based systems, unless 16-bit application support is disabled. ...

Microsoft has said it will issue an out-of-band patch today for critical vulnerabilities in Internet Explorer that allow remote execution of code. The company said yesterday it would not wait until the February “Patch Tuesday” to fix the vulnerabilities. The much discussed “Aurora” vulnerabilities in IE have been held at least partially responsible for cyber attacks on Google and more then two dozen other major companies. The attacks on Google were aimed at Gmail accounts of dissidents and Google’s source code. The attacks on the other companies were aimed at stealing intellectual property. ...

Facebook recently rolled out new privacy settings that provides additional publishing controls. For example, Facebook users can now publish a photo to a selected list of friends. Clicking the “lock” icon opens the Custom Privacy settings. Once a photo is selected and the privacy options are set, the next step is to Share. As you can see, the default setting is set for Only Friends and this particular post is set for Only Me. ...

A day after the disaster that struck the Caribbean nation of Haiti, Rogue perpetrators have once again been busy with their SEO poisoning schemes. Searching for terms related to this earthquake leads to a website that installs a Rogue into the system. It happens when an unsuspecting user searches for Haiti Earthquake details. Happily clicking the link leads to this page: Then this… And this… ...

GhostAntivirus is a new rogue anti-virus application. It is a clone of InternetAntivirusPro.

Notable highlights this month include the shift of the regions of message origin, and changes in the average size of spam messages. In recent months, APJ and South America have been taking the spam share away from the traditional leaders of North America and EMEA. However, North America and EMEA together sent 57 percent of spam messages in December 2009, compared with 50 percent in November 2009. With respect to the average size of the messages, the 2kb – 5kb message size category increased by seven percent, while the 5kb – 10kb message size category decreased by six percent in December 2009. With respect to all spam categories, health and product spam have increased and now account for 52 percent of all spam messages. Click here to download the January 2010 State of Spam Report, which highlights the following trends: ...

Researchers at McAfee labs monitor Koobface activities 24/7 via custom honeypots and while reviewing one such update we noticed a variant that had debug/log features. Unlike the traditional captcha breaking technique to create new accounts, this variant of the worm converts the infected machine to a bot. When we analysed the malware trapped in our botnet, we found that this variant of Koobface has a special feature for logging all activities carried out during the infection process in a log file . Log file is created under system root with date and time stamp for eg, C:\fb_reg20090612.log. ...

With the holiday season behind us, cyber scammers and spammers will now be looking towards the upcoming events and worldwide happenings that they can leverage to form the next waves of online trickery. The noteworthy ones on the horizon include Valentine’s Day, tax-filing season, and the FIFA World Cup – all of which will, in all likelihood, produce their own variety of social engineering techniques, online fraud, malware, fake websites, phishing, and spam. ...

InfoSecurity, a great site for computer security news, just put up a story asking the very old question: “Why don’t AV vendors name malcode consistently.” The lead on the piece was: “…Fortinet, Sunbelt Software, and Kaspersky all published their lists of the most prevalent malware strains for the last month of 2009, but they didn’t match up, leading to an admission that users will inevitably be confused by the results.” Great observation, sort of. ...