TechBlog


Troj/IFrame-DY: Old websites don’t die, they just get infected

Published: February 26, 2010 Reading Time: 1 min

Earlier this week Sophos informed a UK Local Police Authority (Hertfordshire) that a website they owned was infected with Troj/IFrame-DY. It turns out that the Police Authority has a new site, and the infected site is an old one that simply redirects the user to the new site. Unfortunately, the old site also contains a malicious script, appended after the closing </HTML> tag. There are several ways of migrating users to a new website: ...


Do I Know You?

Published: February 26, 2010 Reading Time: 2 min

Imagine that you’re sitting at home catching up on your email backlog. In comes an email from your ISP, FooBarBazCo (some creativity required here, I know). The email seems to be from Technical Support – ‘From: FooBarBazCo.com Team’ – and states that you need to update your email settings as a result of a recent security upgrade. Can you trust it? Today we observed an increase in spam messages containing links to a particular malicious URL. The messages masquerade as having come from mail administrators, with the ‘from’ address spoofed so that they appear to have come from the same network domain as the address to which the mails are sent (the ‘from’ and ‘to’ addresses are actually identical, although this will not be visible in most email programs). ...


Facebook's news-feed patent could mean lawsuits

Published: February 26, 2010 Reading Time: 2 min

(CNN) (CNET) — Facebook this week was awarded a patent pertaining to streaming “feed” technology — more specifically, “dynamically providing a news feed about a user of a social network,” complementing another patent filing that has been published but not yet approved. The implications for this, as AllFacebook.com pointed out earlier on Thursday, are far-flung: Facebook may choose to pursue action against other social-media sites that potentially violate this patent. ...


Zeus botnet continues: 2,500 victims estimated

Published: February 21, 2010 Reading Time: 1 min

Herndon, Va., forensics firm NetWitness has said that the Zeus botnet has breached the networks of nearly 2,500 organizations in nearly 200 countries, including 10 U.S. federal agencies. NetWitness researchers said many victims are Fortune 500 companies in energy, finance and high tech sectors. NetWitness based its conclusions on information from a 75-gigabyte collection of data that they intercepted. It was information the botnet had stolen in one month. The Zeus botnet, which started in 2008, is believed to have 74,000 machines infected. ...


Scammers Offering Tax Refunds

Published: February 21, 2010 Reading Time: 2 min

Fraudsters never seem to rest. They have now turned their attention towards phishing using the Indian Income Tax Department’s name and branding. It is the season of tax returns in India and it is well known that people will file their income tax returns for the end of the fiscal year in India. Hence, phishers have chosen the right time to phish the market since most users will not be aware of these attacks. ...


Apple iPhone Warranty Scam

Published: February 21, 2010 Reading Time: 2 min

Symantec has recently observed phishing scams targeting Apple iPhones in order to gain serial numbers, IMEI, model, and capacity, etc. What is an IMEI? An IMEI (international mobile equipment identity) is a 15-digit unique number used by GSM networks to identify valid devices. Every GSM, WCDMA, or iDEN mobile phone (and even the odd satellite phone) has an IMEI. It can be found under the battery of the device or by typing *#06# on the mobile. If your phone or device is lost or stolen you can report it to your service provider, providing the IMEI number. The service provider can then blacklist the IMEI number, rendering the device unusable in that country. ...


30 percent of U.S. is totally safe from Internet threats

Published: February 21, 2010 Reading Time: 1 min

A survey of 54,000 households (129,000 people) commissioned by the National Telecommunications and Information Administration (NTIA) last year found that 30 percent of U.S. residents did not use the Internet at home or at work. The study, based on Census Bureau work, found that 64 percent of households had connections. In 2007, only 51 percent did. The NTIA researchers found that of those without connections, 38 percent said they didn’t need the Internet and 26 percent said it was too expensive. In rural areas, 11 percent said they didn’t have any Internet access available. In urban areas, one percent said they couldn’t get it. ...


Exploit for zero-day vuln in Firefox is for sale

Published: February 21, 2010 Reading Time: 1 min

Evgeny Legerov, founder of Intevydis in Moscow, has created an exploit that hits a previously unknown heap-corruption vulnerability in the Firefox browser. The code isn’t readily available though, since he’s put it in a module for the automated exploitation system he sells (reportedly at a considerable price). Legerov has not provided information on the vulnerability to Mozilla. The Intevydis site says: “Exploitation frameworks are not new on the market, but only we may offer you hundreds of CANVAS modules for unpatched and unknown vulnerabilities in highly popular software products.” ...


Symantec Reputation-based Security: Suspicious.Insight detections on VirusTotal

Published: February 21, 2010 Reading Time: 4 min

Symantec recently upgraded their scanner on VirusTotal to include their new reputation-based security engine. That has caused a spike in their detection rates, in particular Suspicious.Insight detections, and so I thought I’d take a few minutes to explain some of the background and what is going on. So what exactly is a Suspicious.Insight detection? These detections are derived from Symantec’s new reputation-based security technology. They highlight files that have not yet developed a strong reputation (either good or bad) amongst Symantec’s community of users. Their goal is to keep their users’ machines safe, and part of achieving that goal means helping their users make informed choices about the files they allow on to their systems. Suspicious.Insight detections help shine a spotlight on files that have not yet developed a full reputation. ...


0day vuln in Adobe Download Manager disclosed

Published: February 21, 2010 Reading Time: 1 min

First, make a note: after Adobe updates, restart your machine immediately to remove the Adobe Download Manager – it can be a vector for malcode. Now, back to our story. Aviv Raff has discovered a vulnerability in Adobe’s web site in combination with its Download Manager, an ActiveX component that is used to download updates for Reader and Flash. After a Reader or Flash update the download manager remains running on a user’s machine until it is rebooted. Malicious operators could exploit it to download their code of choice. ...
