Sunday, August 31, 2008

Updates To VMware Software Released

Eight vulnerabilities have been found in VMware software which, among other things, might result in a denial of service or allow an attacker to run arbitrary code. The updates fix vulnerabilities in the ISAPI extension and in the Cairo, FreeType, libpng and bind libraries. One update sets a kill bit for VMware's ActiveX controls and one fixes the VMware Consolidated Backup (VCB) command-line utilities.

Vulnerable versions:
- VMware ACE 2.0.4 and earlier versions
- VMware ACE 1.0.6 and earlier versions
- VMware Player 2.0.4 and earlier versions
- VMware Player 1.0.7 and earlier versions
- VMware Workstation 6.0.4 and earlier versions
- VMware Workstation 5.5.7 and earlier versions
- VMware Server 1.0.6 and earlier versions
- VMware ESX 3.0.3 without fixes ESX303-200808404-SG, ESX303-200808403-SG and ESX303-200808406-SG
- VMware ESX 3.0.2 without fixes ESX-1005109, ESX-1005113 and ESX-1005114
- VMware ESX 3.0.1 without fixes ESX-1005108, ESX-1005112, ESX-1005111, ESX-1004823 and ESX-1005117

Non-vulnerable versions:
- VMware ACE 2.0.5 and 1.0.7
- VMware Player 2.0.5 and 1.0.8
- VMware Workstation 6.0.5
- VMware Workstation 5.5.8
- VMware Server 1.0.7
- VMware ESX 3.0.3, 3.0.2 and 3.0.1: please see VMware's Security-announce list.

Wednesday, August 27, 2008

Asprox Botnet Punishes Incorrectly Filled Forms

SecureWorks reports that the Asprox botnet, used mainly for phishing banking details, has adopted a "special" way of treating users who fill out its phishing forms incorrectly. A wrongly filled out form triggers a malware attack which tries to exploit vulnerabilities in the web browser and the Windows operating system.

This action is taken if the form is filled out with details that don't seem real or that contain words like "phish" or NSFWUYAS (Not Safe For Work Unless You're a Sailor) language. If the system is vulnerable to these exploits it ends up as part of the Asprox botnet.

According to SecureWorks, if the form is filled out with details that look correct, the system won't be attacked.

Tuesday, August 26, 2008

Microsoft Adds Privacy Tools To IE8

Microsoft is going to bring new privacy tools to IE8. Andy Zeigler, IE Program Manager, shares some details about these tools on the IE Team Blog. In a nutshell, IE8 will contain the following features:

* InPrivate™ Browsing lets users control whether or not IE saves their browsing history, cookies, and other data.
* Delete Browsing History helps users control their browsing history after they've visited websites.
* InPrivate™ Blocking informs users about content that is in a position to observe their browsing history, and allows them to block it.
* InPrivate™ Subscriptions allow users to augment the capability of InPrivate™ Blocking by subscribing to lists of websites to block or allow.

For more specific details please see the IE Team's blog entry.

Saturday, August 23, 2008

Opera 9.52 Released

Opera Software released a new version of the Opera web browser last Wednesday (20th of August). Version 9.52 of the Windows build fixes seven vulnerabilities, including a startup crash that gives attackers a means to inject hostile code on certain systems. There's also a fix for a cross-site scripting (XSS) bug, the details of which Opera hasn't released.

XSS flaws, in general, allow attackers to present content from third-party sites under their control in the context of a site they wish to impersonate, which makes them useful in phishing attacks and similar scams.

Links to advisories for the six other fixed vulnerabilities can be found in the Release Notes, which also detail the numerous stability and performance improvements made in this version of the browser.

The new version can be downloaded here.

Wednesday, August 20, 2008

Britney Spears Spam Spreading

Among the current spam there now seems to be a run of messages with Britney Spears related titles. The spam message contains a picture with a link to a malicious file named mov.exe. A bit over 12 hours ago the detection rate (Result: 12/36 (33.33%)) wasn't too good.

The title of the spam varies. So far I've seen the following titles:
Oops I did it again - new photos of Brithey's pussy!
Britney sues vagina for divorce
Britney Spears and Brad Pitt naked video

China Netcom DNS Cache Poisoning

Websense® Security Labs™ ThreatSeeker™ Network has detected that the DNS cache on the default DNS server used by the customers of China Netcom (CNC) has been poisoned. When China Netcom customers mistype and enter an invalid domain name, the poisoned DNS server directs the visitor's browser to a page that contains malicious code.

When users mistype a domain name they are sometimes directed by their ISPs to a placeholder Web site with generic advertisements. In the case of CNC, its customers are instead directed to a web site under the control of an attacker. The malicious sites contain an iframe with code that attempts to exploit RealPlayer, MS06-014, MS Snapshot Viewer and Adobe Flash Player vulnerabilities.

Sunday, August 17, 2008

Malware Hijacks Clipboard

The Register writes that several cases have recently been reported in which surfers noticed their clipboard content had been replaced with a link to a rogue antispyware program. The rogue link won't go away even after the user copies a new batch of text; the only way to remove it is to reboot the system.

Thus far the attack has been reported by Firefox users running both OS X and Windows. At the moment it's not clear exactly how the attack spreads, but the culprit might be malware using Flash.

By using the clipboard, the people behind the attack try to get the user to paste the bad URL into emails, blog/forum posts or directly into a browser's address bar, spreading the link further.

Friday, August 15, 2008

Shadow Botnet Smashed By Dutch Authorities

The Dutch High Tech Crime Unit has arrested two people and closed down the Shadow botnet, which is estimated to consist of over 100,000 computers. A 19-year-old Dutch national is accused of running the botnet; the other person arrested is a Brazilian man who tried to rent it. Security company Kaspersky was asked to help close the botnet down.

Eddy Willems, security evangelist with Kaspersky Labs Benelux, who worked closely with the High Tech Crime Unit, believes this case clearly illustrates how the security industry can help law enforcement in the fight against cybercrime.

The Dutch police are asking anyone who finds that their computer was part of the Shadow botnet to contact them and register a complaint. Kaspersky provides instructions for locating and removing the Shadow bot malware on its web site.

The FBI is also reported to have taken part in the case.


Source

New Gpcode Variant Not As Dangerous As Earlier Variants

On Tuesday I blogged about Kaspersky's report of a new Gpcode variant. Closer analysis has shown it to be less dangerous than its predecessors. "The claims made by the author about the use of AES-256 and the enormous number of unique keys were a bluff. The author didn't even use a public key in encryption, so all the information needed to decrypt files is right there in the body of the malicious program," writes Kaspersky's blog.

Kaspersky's analysis shows that the Trojan uses the 3DES algorithm, but the author dug up an off-the-peg Delphi component rather than going to the trouble of creating his own encryption routine. The Trojan's code is also quite messy, which makes it look like the author isn't much of a programmer.

Kaspersky names this new Gpcode variant Trojan-Ransom.Win32.Gpcode.am. The Trojan was spread by another malicious program, P2P-Worm.Win32.Socks.fe.

Thursday, August 14, 2008

Bogus 'msnbc.com - BREAKING NEWS' Alerts

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new replica wave of 'msnbc.com - BREAKING NEWS' alerts that are being sent out via spam emails. Similar to previous attacks related to 'Bogus CNN Custom Alerts', these emails contain links to a legitimate news page, but are designed to encourage users to download a malicious application posing as a video codec.

The malicious payload is only accessed when the user clicks on the ‘breakingnews.msnbc.com’ link, which takes users to a Web page named up.html. This page issues a pop-up encouraging users to download a ‘missing’ video codec, a file called adobe_flash.exe.


Here are some examples of the varied subjects used in this campaign:
msnbc.com - BREAKING NEWS: Arsenal buys Ronaldo from Man Utd
msnbc.com - BREAKING NEWS: Copycat murderer beheads woman on Greyhound bus
msnbc.com - BREAKING NEWS: Too much freedom will destroy America
msnbc.com - BREAKING NEWS: Mary-Kate Olsen responsible for Heath Ledger's death
msnbc.com - BREAKING NEWS: Stupid Asians lose lawsuits against Americans
msnbc.com - BREAKING NEWS: West Nile virus spreads in Europe

Tuesday, August 12, 2008

New Version of Gpcode On Loose

Kaspersky reports in its blog about a new variant of Gpcode. This version is currently being spread via a botnet whose name is withheld for security reasons.

Gpcode leaves a text file named crypted.txt which includes a ransom demand of $10. The file also contains the author's contact details: an email address, an ICQ number and a URL. In addition to encrypting files and leaving the message, Gpcode changes the desktop wallpaper to a giant red skull with crossbones on a white background (screenshot).

The ransom shouldn't be paid, since paying encourages the author to produce new variants. Also, the author's claims about the encryption algorithm used can't be verified at this point. Kaspersky's analysts are examining the sample to find a way to crack the encryption and restore files. Meanwhile, victims of the latest Gpcode variant are advised to attempt to restore their files using the methods described here; some victims have reported that the method partially restores encrypted files.

Gpcode victims are asked to contact Kaspersky at stopgpcode at kaspersky dot com and to watch the blog for new updates on the matter.

Monday, August 11, 2008

Microsoft Security Update For August 2008 To Be Released Tomorrow

Microsoft will release its monthly security update for August 2008 tomorrow, Tuesday 8/11/2008. This month's update package consists of 12 updates, of which seven are rated critical and five important. A new version of the Microsoft Windows Malicious Software Removal Tool will be released too.

Details about the updates can be read here. The easiest way to get the updates is to use Microsoft's automatic update service.

Thursday, August 7, 2008

Zlob Enters Search Engine Market

Trend Micro reports in its TrendLabs Malware Blog that the people behind the ZLOB malware have now entered the multibillion-dollar search engine market.

Over a year ago, last spring, Trend Micro (TM) threat researchers uncovered a network of over 900 rogue DNS (Domain Name System) servers related to the ZLOB Trojan family. Recently TM researchers discovered that this network is now being used to target four of the most popular search engines.

In a large-scale click fraud scheme, the ZLOB gang appears to hijack search results and replace sponsored links using DNS "tricks". The ZLOB Trojans found change the local DNS settings of affected systems to use two of the above-mentioned 900+ rogue DNS servers. These Trojans spread through advanced social engineering; one good example is professional-looking web sites that promise internet users access to pornographic movies after installing malware posing as video codecs.

"Among others, this criminal operation has even set up rogue sites of the UK and Canadian versions of one of the largest search engines. Even searches performed via the installed browser toolbar (provided by the same company) are now being hijacked by ZLOB. Another popular search engine company has been hit even harder — most, if not all, domain names of the search engine that give back search results get resolved to fraudulent Web sites by the rogue DNS servers," writes the TrendLabs Blog.

The primary objective of ZLOB here appears to be stealing traffic and clicks from search engines, making money along the way. TM has taken steps to get in touch with its security contacts in all four affected search engine companies. However, there isn't much these contacts can do, since the DNS hijacking is done locally on ZLOB-infected systems.
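Neither the China Netcom post above nor this ZLOB post says how a host's own DNS behaviour can be checked, so the following added example (not code from this blog, Websense or Trend Micro) shows two defender-side checks for the two DNS attacks described: probing the configured resolver with random nonexistent names, which a poisoned or rogue server answers with an address instead of NXDOMAIN, and comparing the host's configured nameservers against an allowlist. The allowlist, the resolv.conf sample and the 203.0.113.x addresses are constructed for the example.

```python
# Added example: host-side checks for NXDOMAIN hijacking (CNC case) and rewritten
# nameserver settings (ZLOB case). All sample values below are constructed.
import secrets
import socket
from typing import Callable, Iterable

# A resolver maps a hostname to its IPv4 addresses and returns [] on NXDOMAIN.
Resolver = Callable[[str], list]


def system_resolver(name: str) -> list:
    """Resolve through whatever nameservers the OS is currently configured with."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:  # NXDOMAIN or no answer at all
        return []
    return sorted({info[4][0] for info in infos})


def nonexistent_probe(base: str = "example.com") -> str:
    """A random 16-hex-character label that no registered zone should contain."""
    return f"{secrets.token_hex(8)}.{base}"


def nxdomain_hijack(resolve: Resolver, probes: int = 3, base: str = "example.com") -> list:
    """Addresses returned for names that must not exist. A non-empty result means the
    resolver substitutes its own answers (ISP landing pages, or in the CNC case the
    attacker's page); an honest resolver yields NXDOMAIN for every probe."""
    seen = set()
    for _ in range(probes):
        seen.update(resolve(nonexistent_probe(base)))
    return sorted(seen)


def unexpected_nameservers(resolv_conf: str, allowed: Iterable[str]) -> list:
    """Nameservers in resolv.conf-style text that are not on the administrator's allowlist.
    (On Windows the same comparison is made against the adapters' DNS server settings.)"""
    found = set()
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.add(parts[1])
    return sorted(found - set(allowed))


if __name__ == "__main__":
    # Constructed sample: a host whose second nameserver was replaced by an unknown one.
    sample_conf = "search corp.example\nnameserver 10.0.0.2\nnameserver 203.0.113.9\n"
    print("unexpected nameservers:", unexpected_nameservers(sample_conf, {"10.0.0.2", "10.0.0.3"}))
    print("answers for nonexistent names:", nxdomain_hijack(system_resolver))
```

Running the script on a live host uses the OS resolver; the functions also accept any callable, so the checks can be pointed at a specific server or at captured answers.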

Tuesday, August 5, 2008

Malware Spread Through Twitter Profile

Security company Kaspersky reports in its Analyst's Diary about an attack targeting both users of the social networking service Twitter and the internet community at large. A malicious Twitter profile with a name that is Portuguese for 'pretty rabbit' has a photo advertising a fake video. The profile contains no data other than the photo with a link to the video, which makes it obvious that the profile was created to infect users.

Clicking the link opens a window showing the progress of an automatic download of a so-called new version of Adobe Flash, supposedly required to watch the video. This technique is currently very popular; the file is actually a Trojan downloader that proceeds to download more files onto the infected machine, all of which are disguised as MP3 files. Kaspersky detects the downloader as Heur.Downloader and Trojan-Downloader.Win32.Banload.sco.

The footprints of this particular crime are purely Brazilian, from the Portuguese language to the web servers hosting the malware and the email address embedded in the malware, which is used to receive data from infected machines.

This technique does not require any serious programming skills, and Google indexes unprotected Twitter profiles, so malicious pages built and promoted with good social engineering end up high in the rankings.

Twitter also suffers from a vulnerability which allows an attacker to make a user follow him automatically. Twitter partially fixed the vulnerability on the 1st of August 2008, but it can still be exploited in the Internet Explorer web browser.

Saturday, August 2, 2008

Malware Spreads In Social Networking Services

Security company Kaspersky Lab warns about a new worm named Koobface which uses the social networking services Facebook and MySpace to spread itself. Thus far four different variants of the worm exist.

Koobface makes infected systems part of a botnet whose clients spread malware links using the friends lists of MySpace and Facebook. "The messages and comments include texts such as Paris Hilton Tosses Dwarf On The Street; Examiners Caught Downloading Grades From The Internet; Hello; You must see it!!! LOL. My friend catched you on hidden cam; Is it really celebrity? Funny Moments and many others."

The links in the messages lead the user to a site containing a video clip. If the user tries to watch the clip, (s)he is shown a message asking to install the latest version of Flash Player in order to watch it. Instead of the latest version of Flash Player, a file named codesetup.exe is downloaded to the victim's machine. That file is actually the Koobface worm.

“Unfortunately, users are very trusting of messages left by 'friends' on social networking sites. So the likelihood of a user clicking on a link like this is very high. At the beginning of 2008 we predicted that we'd see an increase in cybercriminals exploiting MySpace, Facebook and similar sites, and we're now seeing evidence of this. I'm sure that this is simply the first step, and that virus writers will continue to target these resources with increased intensity”, says Alexander Gostev, Senior Virus Analyst at Kaspersky Lab.