Russian AV company claims 600,000 Macs infected by Flashback [Removal Manual]

The H-Online: A Russian AV company, Dr. Web, says it has conducted research to determine the spread of the Flashback trojan on systems running Mac OS X and says that 550,000 systems are infected, mostly in the US and Canada. A later update raised that number to 600,000 and claimed 274 infected systems in Cupertino, California. Dr. Web says it employed a sinkhole technique to intercept the bot installed by the newest Flashback trojan, and directed the bots to its own servers where it could analyse the traffic. Each bot includes a unique ID of the machine it has infected in the query string it sends to the command and control server; it is these unique IDs that Dr. Web has used to calculate the infection count. According to its estimates, of the original 550,000 infected systems, 56.6% were in the United States, 19.8% in Canada, 12.8% in the United Kingdom and 6.1% in Australia. ...

April 6, 2012 · 2 min · 407 words · Omid Farhang

MasterCard and Visa payment processor compromised, up to 10 million cards stolen

SophosLabs: Brian Krebs is reporting that MasterCard and Visa are warning member-banks of a payment processor breach that may impact more than 10,000,000 credit cards. It is important to note that MasterCard and Visa’s own networks were not involved in the attack; it appears to be related to payment processor Global Payments. Reuters is reporting that Global Payments stock was suspended for trading after falling more than 9% on the Nasdaq stock exchange. ...

March 31, 2012 · 2 min · 359 words · Omid Farhang

Google updates OAuth 2.0 Playground

The H-Security: Google has added new features to its OAuth 2.0 Playground, which it launched last November. Developers can now switch to using client-side flow, and the system has added support for APIs that use OAuth 2.0 drafts 10 to 25. Google has also added a feature that makes it easy to see all available API operations supported by the user’s current access token. To make it easier to use the Playground for an extended amount of time, developers now have the ability to refresh their access tokens automatically, and clicking HTTP response links will now populate the request URI field. ...

March 31, 2012 · 2 min · 220 words · Omid Farhang

"Please do not take down the Sality botnet"

The H-Security: On Tuesday, a user who is known as “lawabidingcitizen” posted an unusual request to the Full Disclosure mailing list, a forum that is mainly used by the security community: “Please do not take down the Sality botnet.” The contributor says that he found a way of dramatically reducing the number of infected computers after analysing the botnet. He adds that the required actions are unlawful, but proceeds to describe the method in considerable detail and makes special tools for the task available. ...

March 29, 2012 · 2 min · 355 words · Omid Farhang

Report: iOS vulnerability sold for $250,000

The H-Security: Business appears to be booming for those who trade in unpatched (zero-day) security holes: according to a report by Forbes magazine, a US company that works for the US government recently paid $250,000 for a vulnerability in Apple’s iOS operating system. The report says that the deal was arranged by a hacker who goes by the name of “the Grugq” and who has brokered agreements between those who discover vulnerabilities and government agencies over the last year. If negotiations are successful, the hacker retains a 15 per cent commission; he’s reportedly on track to earn about a million US dollars this year with his brokerage business. ...

March 26, 2012 · 2 min · 312 words · Omid Farhang

Instagram Sign-Up Page Now Beckons Android Users

Mashable: The day when Android users will first lay hands on the red hot photo-sharing app Instagram just got even closer. Late Saturday, a sign-up page appeared on Instagram’s website, inviting all those of the Android persuasion to sign up to be notified when the app is first available for that OS. The company still isn’t saying when the long-awaited Android Instagram app will actually become available. But now, at least those eager to try out the free app can take some sort of action that brings them closer to Instagram. ...

March 25, 2012 · 2 min · 287 words · Omid Farhang

Pro-China hackers target Tibetan activists with malware

The Register: Pro-China hackers have started spoofing security firm AlienVault’s email address in spam messages in an attempt to infect pro-Tibetan recipients with malware. The move follows days after the security tools firm warned about spear phishing attacks against a number of Tibetan organizations. The spear-phishing messages relate to the Kalachakra Initiation, a Tibetan religious festival that took place in early January. The closely targeted messages – sent to organizations such as the Central Tibet Administration and International Campaign for Tibet – carry an infectious Office file attachment with a malware payload, a digitally signed variant of Gh0st RAT (remote access Trojan). ...

March 25, 2012 · 3 min · 432 words · Omid Farhang

Embarrassing security failure at PayPal

The H-Security: Until just a few days ago, web sites belonging to the world’s largest online payment service contained a security vulnerability in a key component that could have been exploited by fraudsters to steal information from customers. PayPal fixed the vulnerability shortly after being notified of its presence by The H’s associates at heise Security. The eBay subsidiary was, however, unable to give any information on how such a serious security problem could have remained undetected. ...

March 22, 2012 · 2 min · 303 words · Omid Farhang

‘Fileless’ malware installs into RAM

Exploit found in Russian adware invades process, doesn’t install files

The Register: Researchers at Kaspersky Labs have found malware which, unusually, does not install any files on its victims’ PCs. The researchers aren’t quite sure how unusual it is, describing it as both “unique” and “very rare”, but no matter how scarce this type of malware is it does sound rather nasty as it “… uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process.” That mode of operation means Windows and MacOS are both affected by the exploit, which is hard for many antivirus programs to spot given it runs within a trusted process. ...

March 20, 2012 · 2 min · 337 words · Omid Farhang

Firefox 11 release postponed due to security issues [Updated]

H-Online: The Firefox team has announced that they are postponing the release of Firefox 11, originally planned for today, because of a security report which the team wants to evaluate to make sure the issue will not impact their code. Jonathan Nightingale, Mozilla’s Senior Director of Firefox Engineering, also cited Microsoft’s monthly Patch Tuesday security update, also scheduled for today, as a reason to hold back on releasing the new Firefox version. ...

March 13, 2012 · 2 min · 314 words · Omid Farhang