Saturday, August 29, 2009

MessageLabs Intelligence Report: August 2009

MessageLabs has published its Intelligence Report summing up the threat trends for August 2009.

Report highlights:
• Spam – 88.5% in August (0.9% decrease since July)
• Viruses – one in 296.6 emails in August contained malware (almost unchanged since July)
• Phishing – one in 341.2 emails comprised a phishing attack (0.01% decrease since July)
• Malicious websites – 3,510 websites blocked per day (2.9% decrease since July)
• Latvian ISP closure dents Cutwail botnet
• Shortened-URL spam runs continue
• Social networking websites get hit by DDoS attacks

The report can be found here.

Wednesday, August 26, 2009

Pink Floyd Worm Spreads In Chinese Social Networking Site

Virus researcher Boris Lau from SophosLabs writes in the Sophos blog about a worm that is spreading on the Chinese social networking website renren.com. The worm, detected by Sophos as W32/PinkRen-A, poses as a Flash file for the “Pink Floyd - Wish You Were Here” video and tries to execute an external JavaScript file.

"The technique used in this worm exploits a simple XSS hole in the website - with a payload which has a flash component with the AllowScriptAccess=”always” attribute to allow the above “non-malicious” javascript to spread the worm via renren.com’s API", Lau writes.

Initial analysis of the variant found shows that W32/PinkRen-A does nothing other than spread itself across the renren site.

Monday, August 24, 2009

Delphi Compilers Targeted By File Infector

Trend Micro writes in its blog about a new file infector that targets Borland Delphi compilers. The file infector, detected by Trend Micro as PE_INDUC.A, tampers with Borland Delphi compilers installed on targeted systems, so that every file compiled with the compromised compiler is infected.

So far the malware has no known payload beyond infecting the compiled files.

Source

Saturday, August 22, 2009

Symantec Lists Top 100 Dirtiest Web Sites

Symantec has released its list of the top 100 dirtiest web sites. 48 percent of them feature adult content; the remaining 52 percent are dedicated to a variety of subjects such as deer hunting, catering, figure skating, legal services and buying electronics. Malware is the most common threat on the list, followed by security risks and browser exploits.

Complete article here.

Monday, August 17, 2009

New Koobface Variant On Loose

Security company Panda Security warns in its blog of a new wave of the Koobface worm spreading on the social networking site Facebook. The spam messages carry the text "CooooL Video" and a web link. When the link is clicked, the victim is redirected to a Koobface-controlled server that routes to a fake codec site. There the victim is shown a "Flash Player upgrade required" message that tries to make the user open a malicious executable file.

Source

Sunday, August 16, 2009

Jaiku Used For Sending Botnet Commands

Twitter doesn't seem to be the only social service criminals have used for sending commands to botnet clients. Kaspersky Lab's blog reports that Jaiku, a similar though less popular service, also had an account named "upd4t3" set up to send commands like those sent from the now-suspended Twitter account.

Jose Nazario adds in an updated post on the Arbor Networks blog that he had also found an "upd4t3" profile on Tumblr. However, that profile was abandoned for some reason.

Friday, August 14, 2009

Twitter Account Used As Botnet Command Channel

Microblogging service Twitter has been one of the hottest topics of the past couple of weeks due to attacks that sent more traffic to the service than it could handle. Jose Nazario, manager of security research at Arbor Networks, added the latest piece of Twitter-related news by describing in the company's blog how he noticed the Twitter account "upd4t3" (now suspended) being used to send commands to a botnet of infected computers.

More details in Arbor Networks' blog.

Wednesday, August 12, 2009

Safari 4.0.3 Released

Apple has released version 4.0.3 of its Safari web browser. The new version fixes six vulnerabilities:
-CoreGraphics
CVE-ID: CVE-2009-2468
Available for: Windows XP and Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the drawing of long text strings. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Will Drewry of Google Inc for reporting this issue.

-ImageIO
CVE-ID: CVE-2009-2188
Available for: Windows XP and Vista
Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the handling of EXIF metadata. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

-Safari
CVE-ID: CVE-2009-2196
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows XP and Vista
Impact: A maliciously crafted website may be promoted into Safari's Top Sites view
Description: Safari 4 introduced the Top Sites feature to provide an at-a-glance view of a user's favorite websites. It is possible for a malicious website to promote arbitrary sites into the Top Sites view through automated actions. This could be used to facilitate a phishing attack. This issue is addressed by preventing automated website visits from affecting the Top Sites list. Only websites that the user visits manually can be included in the Top Sites list. As a note, Safari enables fraudulent site detection by default. Since the introduction of the Top Sites feature, fraudulent sites are not displayed in the Top Sites view. Credit to Inferno of SecureThoughts.com for reporting this issue.

-WebKit
CVE-ID: CVE-2009-2195
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows XP and Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in WebKit's parsing of floating point numbers. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit: Apple.

-WebKit
CVE-ID: CVE-2009-2200
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows XP and Vista
Impact: Visiting a maliciously crafted website and clicking "Go" when viewing a malicious plug-in dialog may lead to the disclosure of sensitive information
Description: WebKit allows the pluginspage attribute of the 'embed' element to reference file URLs. Clicking "Go" in the dialog that appears when an unknown plug-in type is referenced will redirect to the URL listed in the pluginspage attribute. This may allow a remote attacker to launch file URLs in Safari, and lead to the disclosure of sensitive information. This update addresses the issue by restricting the pluginspage URL scheme to http or https. Credit to Alexios Fakos of n.runs AG for reporting this issue.
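As an added illustration (not Apple's or WebKit's code), this is the kind of scheme restriction the fix above describes, applied to a pluginspage value before the "Go" dialog may navigate to it; the function name allowedPluginsPage and the sample URLs are assumptions.

```javascript
// Added example, not WebKit's code: restrict the pluginspage target of an
// <embed> element to http or https, as the fix for CVE-2009-2200 describes.
// Function name and sample URLs are assumed for illustration.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the absolute URL that "Go" may open, or null if it must be refused.
// documentUrl is the page containing the <embed>; relative values resolve
// against it, exactly as a browser would resolve them.
function allowedPluginsPage(pluginspage, documentUrl) {
  if (typeof pluginspage !== 'string' || pluginspage.trim() === '') {
    return null;
  }
  let resolved;
  try {
    resolved = new URL(pluginspage, documentUrl);
  } catch (e) {
    return null; // unparsable attribute value
  }
  // The URL parser lower-cases the scheme, so "FILE:" and "File:" are caught
  // by the same comparison as "file:".
  return ALLOWED_SCHEMES.has(resolved.protocol) ? resolved.href : null;
}

// A relative pluginspage on a document that was itself opened from disk would
// resolve to a file: URL; the same check rejects it.
```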

-WebKit
CVE-ID: CVE-2009-2199
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows XP and Vista
Impact: Look-alike characters in a URL could be used to masquerade a website
Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by supplementing WebKit's list of known look-alike characters. Look-alike characters are rendered in Punycode in the address bar. Credit to Chris Weber of Casaba Security, LLC for reporting this issue.

Users of the Windows version can get the latest version from Apple Downloads.

Tuesday, August 11, 2009

Microsoft Updates For August 2009

Microsoft has released its security updates for August. The release contains nine bulletins, five of which are rated critical:
- MS09-037: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)
- MS09-038: Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557)
- MS09-039: Vulnerabilities in WINS Could Allow Remote Code Execution (969883)
- MS09-043: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638)
- MS09-044: Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927)

and the other four important:
- MS09-036: Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957)
- MS09-040: Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032)
- MS09-041: Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657)
- MS09-042: Vulnerability in Telnet Could Allow Remote Code Execution (960859)

A new version of the Microsoft Windows Malicious Software Removal Tool was released as well.

More information on the update and its contents is available here.

For consumers the easiest way to get the updates is to use the Microsoft Update service.

Twitter Suspending Malware Affected Accounts

Twitter has posted a status message stating that it is suspending a number of accounts that have been affected by malware. Users of the compromised accounts will be sent instructions on how to restore access.

The reason behind the suspensions appears to be a Koobface variant and hacked accounts in general, states Mashable, which received the following response to its inquiry about the compromised Twitter accounts:
“Unfortunately, it appears to be a number of groups working together; some phished accounts, a sprinkling of hacked accounts — but a large percentage of accounts affected appear to have a Koobface/Win32 variant. We’re attempting to identify the precise variants affecting these folks but have been pushing out notifications to those affected as is.”

Thursday, August 6, 2009

Java SE 6 Update 15 Available

Sun has released an update for Java SE Runtime Environment (JRE) 6, the runtime that lets end users run Java applications. The latest update can be downloaded from Sun's Java SE Downloads site.

More information about the contents of the update can be found in the Release Notes for Java SE 6 Update 15.

Java users are advised to update to the latest available version.

Tuesday, August 4, 2009

New Updates For Supported Firefox Versions Available

Mozilla has released new updates for Firefox 3.5.x and the older 3.0.x versions. Version 3.5.2 fixes six vulnerabilities, four of which are rated critical, one moderate and one low. Update 3.0.13, for the older 3.0.x series, fixes three vulnerabilities, two of which are rated critical and one moderate.

The update can be obtained through Firefox's built-in updater or by downloading it manually.

Download links and related extra information:
Release notes for 3.5.2 version
Release notes for 3.0.13 version

Saturday, August 1, 2009

Batch Of Security Updates From Adobe

Adobe has released new security updates for its Flash Player, Shockwave Player and Adobe Acrobat and Reader applications.

Affected Flash Player versions are 9.0.159.0 and 10.0.22.87 and earlier 9.x and 10.x versions. More information can be found here and here.

Affected Shockwave Player versions are 11.5.0.600 and earlier, on Windows only. More information.

Affected Adobe Acrobat and Reader versions are 9.1.2 and earlier 9.x versions. More information.

Users of affected versions are advised to update to the latest ones available. Instructions for updating can be found in the links listed above.