Advisories, Vulnerabilities and Virus Alerts

ferrarif50 (OP, Journeyman)
New IM Worm Infects AOL Software

Users of AOL's instant messaging software should be on the lookout for
an innovative new worm, variously named "Oscarbot-B" and "Doyorg" by
antivirus companies.

Whole story:
www.computerworld.com/newsletter/0,4902,101826,00.html?nlid=VVR
 
ferrarif50 (OP, Journeyman)
Beware How You Google

Security researchers warn that a one-letter typo in Google's domain name could lead to a massive virus- and spyware-infection attack.

A simple misspelling of Google's domain name could lead to a Web surfer's worst nightmare.

In a new twist to the old practice of "typosquatting," virus writers have registered a slight variation of Google Inc.'s popular search-engine site to take advantage of any users who botch the spelling of the google.com URL.

The malicious site, googkle.com, is infested with Trojan droppers, downloaders, backdoors and spyware, and an unsuspecting user only has to visit the page to be at risk of computer hijack attacks, according to a warning from Finnish anti-virus vendor F-Secure Corp.

When googkle.com is opened in a browser, two pop-up windows are immediately launched with redirects to third-party sites loaded with scripts. One of the sites, ntsearch.com, downloads and runs a "pop.chm" file, and the other, toolbarpartner.com, downloads and runs a "ddfs.chm" file, F-Secure said.

"Both files are downloaded using exploits and they contain exploits themselves to run embedded executable files. One of the Web pages of the 'toolbarpartner.com' website downloads a file named 'pic10.jpg' using an exploit. This JPG file is actually an executable that replaces [the] Windows Media Player application," the warning reads.
The typosquatters also launch a steady stream of pop-up Web pages with different .exe files.

One batch of exploits loads a malware package that includes two backdoors, two Trojan droppers, a proxy Trojan, a spying Trojan and a Trojan downloader.
The exploits appear to be targeting users of Microsoft Corp.'s Internet Explorer browser. A spokeswoman for Microsoft told Ziff Davis Internet News that the rogue site was attempting to exploit some vulnerabilities that were fixed in past security updates.

"[Users running] Windows XP SP2 are protected from this. Also, users who are up to date on supported platforms are protected," the spokeswoman said.

According to F-Secure's alert, the attack scenario also includes a separate Trojan dropper that copies itself to the Windows System folder with a random name and drops a DLL that modifies the HOSTS file to block connection to several anti-virus Web sites.

Another executable also drops a DLL file into the Windows System folder and prompts a fake virus alert on a desktop. The fake alert warns the user about a computer infection and prompts the user to yet another malicious site promising virus protection.

The Web site offers links to several different sites offering anti-virus and spyware cleaners for download. Those downloads all turn out to be a "toolbar.exe" file that is actually an adware installer, which installs a spyware toolbar known as "Perez," F-Secure said.

The practice of typosquatting was first spotted in the late 1990s and was a common tactic for pornography sites, used to generate traffic from misspelled Internet addresses.
 
ferrarif50 (OP, Journeyman)
New Bagle variants spreading

At least three versions of the e-mail worm have been found

At least three new versions of the Bagle e-mail worm were spreading quickly on the Internet today, according to several Internet security firms.
MessageLabs Ltd., which monitors 110 million pieces of e-mail sent per day, found about 145,000 copies of just one of the new Bagle downloader variants, said Maksym Schipka, a senior antivirus researcher at the company. MessageLabs tracked about 4,000 copies of the variant between 7 a.m. and 8 a.m. EDT. That number jumped to nearly 42,000 copies in the next hour and rose to 56,000 copies between 9 a.m. and 10 a.m., the company reported.

About 80 variants of the original Bagle worm, which first appeared in January 2004, have been released on the Internet. The first Bagle downloader variant MessageLabs tracked today drops a Trojan horse program that attempts to download Bagle from a list of about 130 Web sites worldwide. Computer users who activate the file attached in the e-mail activate the virus, which harvests e-mail addresses it finds on the computer's hard drive. The virus then forwards itself onto the list of e-mail addresses found on the infected computer.

In the first variant, the e-mail carrying the Bagle worm had an empty subject line and body text, MessageLabs said.

The variant appeared to start on a Yahoo Inc. Web mail account, Schipka said. "Somebody wanted to refresh his botnets or e-mail addresses," Schipka said. "They want to keep up to date with the things they sell." Botnets are groups of compromised computers that are controlled by hackers and often used in cyberattacks.

Antivirus vendor Symantec Corp. also reported seeing at least one new Bagle variant but found the worm to be spreading slower than MessageLabs reported. Symantec found only about 50 Bagle copies on computers with its virus-protection software installed, said Alfred Huger, senior director of engineering at Symantec Security Response.

Huger said he expected little damage from this Bagle attack.

Damage from the new Bagle variants should be minor as antivirus vendors react quickly to the attacks, said Ken Dunham, director of malicious code at iDefense Inc., another cybersecurity vendor. The first two variants seen today were tentatively dubbed Bagle.CA and Bagle.CB, which would make them the 79th and 80th Bagle variants.

"We're a long way down the line of Bagle worms," Dunham said. "It's very similar to former Bagle attacks."

Dunham encouraged computer users to update their antivirus software, use firewalls and avoid opening suspicious files attached to e-mail. "Just because it looks like it was from your billing department, or it was from your friend, or it was porno doesn't mean it is," he said. "Be careful on e-mail -- don't trust anything."
 
ferrarif50 (OP, Journeyman)
New Mytob worm poses as IT administrator

It warns recipients that their e-mail accounts are about to be suspended

Another variant of the Mytob worm began wiggling its way into in-boxes this week, enticing recipients to open an e-mail attachment that could allow a remote hacker to access and perform commands on an infected machine.
The variant, dubbed "Mytob.bi" by some security researchers, scans the hard drive of an infected machine and sends copies of itself to e-mail addresses it finds in the Windows Address Book, antivirus firm Trend Micro Inc. said yesterday. The worm poses as a message from an IT administrator, warning recipients that their e-mail accounts are about to be suspended, Trend Micro said.

Possible subject headers for the worm include "*IMPORTANT* Please Validate Your Email Account" and "Notice: **Last Warning**."

The latest variant is the fourth iteration of the Mytob family of worms that were first detected in late February, Cupertino, Calif.-based Trend Micro said. It has backdoor capabilities and can open a random port, allowing a hacker to remotely access an infected machine.

The variant also prevents the infected machine from accessing several antivirus and security Web sites by redirecting the connection to a local machine, the security company added.

While prevalence of the worm is still low, the damage potential is high, Trend Micro said. U.K.-based antivirus company Sophos PLC also rated the worm as a concern, due to the severe damage it could cause.

Researchers speculated that the Mytob worm family is popular with hackers because its code base is relatively easy to manipulate to create a new variant. Another version, Mytob.ar, was detected earlier this week, containing added spyware and adware elements.

Future Mytob variants could take advantage of the .ar version to reap monetary benefits from spyware, Trend Micro warned.

Internet users are advised to update their antivirus software to protect themselves from the new threats.
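Both the googkle dropper described earlier in this thread and the Mytob variant above cut a victim off from antivirus and update sites by pointing those hostnames at the local machine. The following check, added here and not taken from either article, parses a Windows-style HOSTS file and reports such entries; the watched-domain list and the sample file are constructed for the example.

```python
# Added example, not from the articles above: flag HOSTS entries that pin
# security-vendor or update hostnames to loopback/non-routable addresses.
import ipaddress
from typing import List, Tuple

# Hypothetical watch list; use the vendor and update domains you actually rely on.
WATCHED_SUFFIXES = ("windowsupdate.com", "microsoft.com", "symantec.com",
                    "trendmicro.com", "sophos.com", "f-secure.com")

def is_sinkhole(addr: str) -> bool:
    """True if addr is loopback, unspecified (0.0.0.0/::), private or link-local."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_private or ip.is_link_local

def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for each mapping; comments and blanks skipped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()     # drop trailing comment, tokenize
        if len(fields) < 2:
            continue                              # blank or malformed line
        for name in fields[1:]:                   # one IP may front several names
            entries.append((no, fields[0], name.lower().rstrip(".")))
    return entries

def find_blocked_vendors(text: str) -> List[Tuple[int, str, str]]:
    """HOSTS entries that sinkhole a watched security or update domain."""
    hits = []
    for no, ip, name in parse_hosts(text):
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        if watched and is_sinkhole(ip):
            hits.append((no, ip, name))
    return hits

# Constructed sample resembling a tampered HOSTS file (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com  # injected
0.0.0.0         windowsupdate.microsoft.com
::1             update.f-secure.com
93.184.216.34   www.example.com
"""
```

Running `find_blocked_vendors(SAMPLE_HOSTS)` reports the three tampered lines; on a real machine read `%SystemRoot%\System32\drivers\etc\hosts` instead of the sample.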
 
ferrarif50 (OP, Journeyman)
Trojan trio disables Windows, AV updates

A trio of malicious programs is working together to hijack as many machines as they can in a short period, antivirus experts warned Thursday. Their apparent mission -- grow an army of zombie machines that can be sold on the black market and used to steal identities, lift bank account numbers and launch other attacks.

"This is all about money," said Roger Thompson, director of malicious content research for New York-based Computer Associates [CA]. "It's about the simple theft of credit card and bank account numbers, and there's probably a nexus with adware."

In the last 24 hours, CA has discovered coordination between three Trojan horse programs -- Glieder, Fantibag and Mitglieder.

Trio of trouble
According to CA, here's how the Trojans operate:

Glieder goes out and "seeds" cyberspace. On June 1, CA watched eight variants spread in quick succession. The whole point is to get to as many victims as fast as possible with a lightweight piece of malware, CA said.

Fantibag then creates a "shields down" on compromised systems, exploiting the infected machines' networking features to prevent them from communicating with antivirus companies or with Microsoft's update site. This means the security software can't call for updates.

Mitglieder then turns the compromised machine into a zombie that can be used to generate future attacks and act in concert with countless other zombie PCs. Machines infected with Mitglieder act as a proxy to force traffic to malicious sites, track user behavior, record keystrokes and set up spam relays.

Glendale, Calif.-based PandaLabs has also been tracking Mitglieder, saying it has been spammed to thousands of users around the world.

"Malware creators try to distribute their creations rapidly to prevent users from having time to update their antivirus solutions. They're trying to exploit the vulnerability window, i.e. the time that it takes between new malware appearing and users installing the updates on their computers," PandaLabs director Luis Corrons said in a statement. "New techniques are frequently being used in order to spread malware as rapidly as possible. So for example, as in this case, thousands of infected mails could be sent simultaneously as spam, or numerous variations can be launched at the same time."

The Bagle connection
Thompson said there's also a connection between the Trojans and this week's outbreak of new Bagle worm variants. "It's hard to tell the difference between Bagle and Mitglieder," he said. "Most of these share common code and they get mixed together."

Which points to a much larger problem, he said: "The bad guys have figured out that if they make a minor variation in their worms, viruses and Trojans and perhaps pack them a bit differently, these things can spread more rapidly and infect more computers before antivirus software has a chance to catch up."

With the first two Trojans spreading too quickly for AV to keep up, Fantibag arrives and cuts access to the security updates, Thompson said. "The attackers are being very cunning," he said. "They could launch one big program but instead they use smaller pieces that can easily be replaced. It's easier to change the smaller bits than fix the big part. It's a very sophisticated approach."

All about the botnets
For now, attackers don't seem to be aiming directly at enterprise networks, Thompson said. "I don't think this is about targeting a large corporation," he said. "I think it's about these guys trying to build botnets out of home systems."

But he said these botnets can eventually be used to hack into corporate databases to steal sensitive data or to launch other attacks.

In recent days security experts have also expressed alarm that hackers are successfully using zombie machines to launch brute force attacks against Secure Shell [SSH] servers that are accessible via the Internet.

Since there's no limit to what the bad guys can do with a zombie army, Thompson said there's growing demand on the black market for compromised machines. "The world is getting exceptionally scary," he said.

Source: searchsecurity.techtarget
 
ferrarif50 (OP, Journeyman)
Sun patches critical Java flaws

The vulnerabilities could allow back-door access to victims' computers

Sun Microsystems Inc. issued alerts this week about vulnerabilities in its Java platform that security researchers have described as critical and that could allow attackers to execute malicious code on targeted computers.
The affected software is Sun's Java Web Start and Java Runtime Environment. Weaknesses in the programs could allow applications to grant themselves permissions to write local files or execute other applications, allowing an attacker to gain backdoor access to victims' computers. Such an attack could be carried out without any visible symptoms, Sun said.

The vendor recommends that users replace earlier versions of Java 2 Platform Standard Edition with a more recent version. J2SE 5.0 Update 2, released in March, repairs the flaw; Sun's most recent J2SE 5.0 release is Update 3. J2SE updates are available for download on Sun's Web site.

Danish security firm Secunia rates the vulnerabilities "highly critical," its second-highest classification, while the French Security Incident Response Team gave it a "critical" rating, that organization's highest advisory rank. Those rankings are reserved for remotely exploitable vulnerabilities that can be executed without a user's knowledge.

 