From XSS to root: Lessons Learned From a Security Breach

In an excellent blog post, the people from Apache did a very good job analyzing and documenting how a security breach happened, going through all the stages of the attack and drawing conclusions. Should you ever become the unfortunate victim of an attack, this post offers an example of how to document it! I quote: “If you are a user of the Apache-hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised.” So if you are a user, please act accordingly after reading this post 😉 ...

April 14, 2010 · 3 min · 449 words · Omid Farhang

Heads up – 0day ITW – Rihanna is a lure

On April 9th, Tavis Ormandy published a proof of concept showing how to use the latest version of Java to compromise a PC. You can read about it here. He notified Sun, but they weren’t concerned enough to break their patch cycle, so he published the code. The problem is that when Sun released Java 6, update 10 in April 2008, they introduced a new feature (it’s not a bug, it’s a feature, folks) called Java Web Start. In order to make it easier for developers to install software, they created a method to execute a program from a website. ...

April 14, 2010 · 2 min · 299 words · Omid Farhang

Zipping Images and Documents – Did That Really Help?

Does anyone really care about opening a zip file to examine an RTF or JPEG file? This task—combined with a dull, unexciting, unstimulating subject line—competes with the content of the email to win a race of worthlessness. Spammers have traditionally used zip files to carry executables, but in most cases the subject line or the content of the message made an effort to encourage users to open the attachment. There are cases of spamming attacks in which HTML attachments opened up a fully functional Web page, capable of carrying sensitive user information back to the fraudsters. However, with this latest spam attack using zipped files, not only have the spammers made an attempt to escape anti-spam filters, they’re missing out on reaching any users as well. The scope of returns for these messages looks to be much less rewarding than other comparable attacks. ...

April 14, 2010 · 2 min · 345 words · Omid Farhang

Barcelona vs. Real Madrid Black Hat SEO attack

Of course I’m talking about football. When I say football I mean the game that is played with one ball that is kicked with the foot, not the other game that is known as football in the US even though it’s played using the hands. Anyway, I don’t like football at all; it’s too boring for me. But, at least in Europe, everyone loves football. And one of the best national championships is the Spanish one, with the 2 biggest teams being Real Madrid and F.C. Barcelona. Every time they play against each other, millions of people watch that game, and news about it is going around all the time. Last Saturday they played in Madrid, and this being such a popular match, cybercriminals couldn’t miss the opportunity. ...

April 12, 2010 · 2 min · 226 words · Omid Farhang

Malware humor

Every once in a while, you find some odd piece of text in a piece of malware. Debugging the TDL 3 rootkit yields some interesting results. Here are messages that dump in the debug window at various times:

Fri Apr 9 09:02:37.495 2010 (GMT-4): You people voted for Hubert Humphrey, and you killed Jesus

Fri Apr 9 09:03:01.900 2010 (GMT-4): Ah Lou, come on man, we really like this place

Fri Apr 9 11:53:08.715 2010 (GMT-4): Dude, meet me in Montana XX00, Jesus (H. Christ)

Fri Apr 9 12:18:27.522 2010 (GMT-4): I felt like putting a bullet between the eyes of every panda that wouldn’t screw to save it’s species. I wanted to open the dump valves on oil tankers and smother all those french beaches I’d never see. I wanted to breathe smoke ...

April 12, 2010 · 2 min · 231 words · Omid Farhang

WordPress blog pages redirected to rogue site

Brian Krebs, in his “Krebs on Security” blog, is reporting that a large number of WordPress blog pages have been hacked to redirect visitors to networkads.net, which downloads rogue security applications onto their machines. The owners of the blogs are also locked out of access. “It’s not clear yet whether the point of compromise is a WordPress vulnerability (users of the latest, patched version appear to be most affected), a malicious WordPress plugin, or if a common service provider may be the culprit. However, nearly every site owner affected so far reports that Network Solutions is their current Web hosting provider,” Krebs wrote. ...

April 12, 2010 · 1 min · 152 words · Omid Farhang

Singer's Exploit Kit version CVE-2010-0806

Well, well, looks like someone has been singing along to one of Jay Chow’s songs while coding an exploit for a vulnerability in Internet Explorer that was addressed in Microsoft Security Bulletin MS10-018. The exploit, which targets the Peer Object component (iepeers.dll) in IE, has been found in the wild, and today it was detected while attempting to exploit a client browser. After the shellcode is decoded, it downloads the payload, which is detected as Trojan:W32/KillAV.LD. ...

April 9, 2010 · 1 min · 135 words · Omid Farhang

Trojanised Mobile Phone Game Makes Expensive Phone Calls

We have received reports of a malicious Windows Mobile game that creates significant phone bills for affected users. The game in question is called 3D Anti-terrorist action, and it’s manufactured by Beijing Huike Technology in China. The game itself is a 3D first-person shooter. Apparently some Russian malware author took the game and trojanized it, then uploaded the trojanized version to several Windows Mobile freeware download sites. ...

April 9, 2010 · 1 min · 157 words · Omid Farhang

Benign Feature, Malicious Use

An interesting and little-known feature used by sysadmins around the world in some large corporate networks is the proxy auto-config (PAC) file. This benign feature is accepted by all modern browsers and is described in detail here. It contains a function that directs your connection to a specific proxy server. Unfortunately, this simple and smart proxy technique is being widely used by Brazilian malware writers to redirect infected users to malicious hosts serving phishing pages of financial institutions. A .pac script URL is configured in the browser, in the field “Use automatic configuration script”: ...

April 9, 2010 · 2 min · 227 words · Omid Farhang

The mobile game with a Trojan thrown in for free

Since 27 March a new game called 3D Antiterrorist has been cropping up on quite a few international freeware sites offering downloads for Windows Mobile smartphones. As well as the game itself, the 1.5 MB archive contains the file reg.exe, which is actually a Trojan that calls premium-rate international numbers and leaves smartphone owners significantly out of pocket. As of 8 April this malicious program has been detected by Kaspersky Lab as Trojan.WinCE.Terdial.a. Let’s take a closer look at what happens. ...

April 9, 2010 · 2 min · 280 words · Omid Farhang