Exploit Code for IE 0-day vulnerability

Published: March 12, 2010 Reading Time: 1 min

Exploit code for the zero-day vulnerability in Internet Explorer has been added to the Metasploit framework. According to an email HD Moore wrote to ZDNet’s Ryan Naraine, the exploit works quite reliably – successful 50% of the time on Windows XP with SP2 and SP3 with IE7 and deactivated Data Execution Prevention (DEP). The security hole was reported yesterday on Microsoft’s March 2010 Patch Tuesday. Drive-by download exploits are likely to appear now, as the Metasploit framework is open source and the exploit can be abused even by script kiddies. Time to change the default browser – Microsoft just released a new browser choice screen which allows for exactly that!

Malicious Web Attack Using Executable With facebook.com in Name

Published: March 12, 2010 Reading Time: 2 min

As we were working through URLs identified as suspicious due to our GTI technology, one of the URLs that presented itself was an average “.com” site that loaded a php. As we processed this – it was interesting to see that this php actually reached out to download a file that ended with the string facebook.com.exe — as this “.com” site was very social-network friendly – it would be easy to see how an average user, without web protection in place, would not even realize what was going on. ...

Many Zeus botnet C&C servers taken down

Published: March 12, 2010 Reading Time: 1 min

Swiss security blog Abuse.ch has reported that the worst Zeus botnet hosting ISP was taken offline yesterday, cutting the botnet’s number of servers from 249 to 181 – including the six worst ones. Abuse.ch wrote: “As you can see in the chart above, on March 9th 2010, the number of active ZeuS C&C servers dropped from 249 to 181! The first thing I thought was: There has to be some problem with the ZeuS Tracker cron script. I checked the script – everything looked ok. So the massive drop of ZeuS C&C servers is a fact. I noticed that six of the worst ZeuS hosting ISPs suddenly disappeared from the ZeuS Tracker. I verified the subnets of the affected ISPs and came to the conclusion that Troyak-as (AS50215), the upstream provider for the six worst ZeuS hosting ISPs, was cut from the internet on 2010-03-09.” ...

You don't want to go looking for Corey Haim videos

Published: March 12, 2010 Reading Time: 2 min

Hollywood celebrity Corey Haim has died in typical tabloid fashion: “under investigation.” And we all know that celebrity death equals Internet scams by the boatload. There are a number of spam runs currently circulating on video sharing sites such as YouTube, ready to catch out the curious and the unwary. Shall we take a look? “Suicide or killed! Watch Corey Haim first found dead” Classy. Visiting mycelebzone(dot)com will pop open a Hotbar prompt, which you need to install to “see the content”: ...

Phishing craigslist – but is it malware?

Published: March 12, 2010 Reading Time: 2 min

Malware has traditionally been easy to spot and classify, mainly because it was created to serve a specific nefarious purpose and nothing else. In the ongoing arms race between malware authors and the security industry, stealth and other ‘in plain sight’ technologies are emerging as clear favorites. Case in point is a recent Craigslist phish, disguised as a phone update – nothing new about malware pretending to be something it isn’t, but that’s not where the story ends. Examining the executable shows that it is nothing more than a RAR self-extracting (SFX) archive – and thus not inherently malicious. ...

Microsoft Patch Tuesday – March 2010

Published: March 10, 2010 Reading Time: 5 min

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly quiet month—the vendor is releasing two bulletins covering a total of eight vulnerabilities. All of the issues are rated “Important” this month: seven affecting Office/Excel and one affecting Movie Maker and Producer. All of the issues are file-based remote code-execution vulnerabilities in the context of the currently logged-in user. Microsoft also released a security advisory (981374) today regarding a publicly disclosed vulnerability affecting Internet Explorer 6 and 7. Limited, targeted attacks exploiting this issue have been detected in the wild. ...

Vodafone distributes Mariposa botnet

Published: March 8, 2010 Reading Time: 1 min

Here is yet another example of a company distributing malware to its userbase. Unfortunately it probably won’t be the last. Today one of our colleagues received a brand new Vodafone HTC Magic with Google’s Android OS. “Neat,” she said. Vodafone distributes this phone to its userbase in some European countries and it seems affordable, as you can get it for 0€ or 1€ under certain conditions. The interesting thing is that when she plugged the phone into her PC via USB her antivirus went off, detecting both an autorun.inf and autorun.exe as malicious. A quick look into the phone quickly revealed it was infected and spreading the infection to any and all PCs that the phone would be plugged into. ...

Energizer USB charger infected with Trojan

Published: March 8, 2010 Reading Time: 1 min

Hmmm. A new vector for malware: USB battery chargers. Wonderful. The U.S. Computer Emergency Response Team (CERT) is warning that Energizer DUO USB battery chargers have been found infected with a Trojan that loads backdoor malware on a victim PC along with its battery monitoring software. The charger copies a .dll file named UsbCharger.dll in the application’s directory and another named Arucer.dll in the Windows system32 directory. USBCharger sets a registry entry to autoexecute Arucer.dll when Windows starts. ...

Cute (and malicious)

Published: March 8, 2010 Reading Time: 2 min

There’s an angelically tinged infection doing the rounds at the moment that has more than a whiff of sulphur about it. We can’t say for definite, but it looks like the point of this little angel is to turn your PC into a file storage area for an IRC channel, since it dumps you into #music IRC channels and makes sure you can accept various media files. Our tale begins with an email claiming you have a “funny picture from Facebook friends” waiting for you at Oast(dot)com: ...

Blogger.com – not!

Published: March 7, 2010 Reading Time: 1 min

Cybercriminals are attacking bloggers who use Google’s Blogger.com. We have received emails asking bloggers to update their account. Here’s a snapshot of the email we have received: The email contains a link that redirects to a fake login page of “Blogger.com”. As seen from the highlighted link, it has a root domain “*.erdca.kr” which differs from the authentic root domain of blogger.com. The fake login page, which is a phishing site, appears like this: ...
