April 2009 - Posts

Facebook Phishing attack -- Don't go to fbaction.net

Published: 2009-04-29,
Last Updated: 2009-04-29 20:52:58 UTC
by Joel Esler (Version: 1)

Matthew writes in to tell us about an article posted over on TechCrunch about a Phishing Attack that is "underway at Facebook."

This phishing attack is an email with the subject "Hello". (First off, if you receive an email that has a subject of "Hello", and that's all... immediately suspect nonsense. I used to get a ton of these at one point, because I belonged to a website where people would post via a webpage, and this webpage had no spam protections, so the most common subject was "Hello". It got so bad, I used to send all emails with simply the subject "Hello" to /dev/null. (Yes, it was *that bad*.) Anyway, I digress.)

The phishing email will read something like ""YOURFRIEND" sent you a message" with a link to go click on and read what your "friend" wrote.

The link instead sends you off to fbaction.net (Don't go there.), where the page looks like the Facebook login page and they are hoping you will type in your credentials. Fairly simple phish, so keep your eyes open.

Original article here.  Thanks Matthew!

-- Joel Esler | http://www.joelesler.net | http://twitter.com/joelesler

********************************************************************

Title: Microsoft Security Bulletin Major Revisions

Issued: April 29, 2009

********************************************************************

Summary

=======

The following bulletins have undergone a major revision increment.

Please see the appropriate bulletin for more details.

* MS09-012 - Important

* MS08-076 - Important

* MS08-069 - Critical

Bulletin Information:

=====================

* MS09-012 - Important

- http://www.microsoft.com/technet/security/bulletin/ms09-012.mspx

- Reason for Revision: V2.0 (April 29, 2009): Added an entry to the section, Frequently Asked Questions (FAQ) Related to This Security Update, to communicate the rerelease of the Norwegian-language update for Microsoft Windows 2000 Service Pack 4 (KB952004). Customers who require the Norwegian-language update need to download and install the rereleased update. No other updates or locales are affected by this rerelease.

- Originally posted: April 14, 2009

- Updated: April 29, 2009

- Bulletin Severity Rating: Important

- Version: 2.0

* MS08-076 - Important

- http://www.microsoft.com/technet/security/bulletin/ms08-076.mspx

- Reason for Revision: V4.0 (April 29, 2009): Added Windows Media Services 2008 (KB952068) on 32-bit and x64-based editions of Windows Server 2008 Service Pack 2 as affected software.  Also, added Windows Server 2008 for Itanium-based Systems Service Pack 2 as non-affected software. This is a detection change only; there were no changes to the binaries. Customers who have already successfully installed KB952068 do not need to reinstall.

- Originally posted: December 9, 2008

- Updated: April 29, 2009

- Bulletin Severity Rating: Important

- Version: 4.0

* MS08-069 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx

- Reason for Revision: V2.0 (April 29, 2009): Added Microsoft XML Core Services 4.0 (KB954430) on 32-bit and x64-based editions of Windows Vista Service Pack 2 and on 32-bit, x64-based, and Itanium-based editions of Windows Server 2008 Service Pack 2 as affected software. Also added as non-affected software: Microsoft XML Core Services 3.0 and Microsoft XML Core Services 6.0 on 32-bit and x64-based editions of Windows Vista Service Pack 2 and on 32-bit, x64-based, and Itanium-based editions of Windows Server 2008 Service Pack 2. This is a detection change only; there were no changes to the binaries. Customers who have already successfully installed KB954430 do not need to reinstall.

- Originally posted: November 11, 2008

- Updated: April 29, 2009

- Bulletin Severity Rating: Critical

- Version: 2.0

********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: April 29, 2009

********************************************************************

Summary

=======

The following bulletins have undergone a minor revision increment.

Please see the appropriate bulletin for more details.

* MS09-013 - Critical

Bulletin Information:

=====================

* MS09-013 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-013.mspx

- Reason for Revision: V1.1 (April 29, 2009): Added entry to the section, Frequently Asked Questions (FAQ) Related to This Security Update, to communicate that the Known issues with this security update section in the associated Microsoft Knowledge Base Article 960803 has been updated. This is an informational change only.

- Originally posted: April 14, 2009

- Updated: April 29, 2009

- Bulletin Severity Rating: Critical

- Version: 1.1

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: April 29, 2009

********************************************************************

Security Advisories Updated or Released Today

==============================================

* Microsoft Security Advisory (960715)

- Title: Update Rollup for ActiveX Kill Bits

- http://www.microsoft.com/technet/security/advisory/960715.mspx

- Revision Note: V1.1 (April 29, 2009): Added an entry to Frequently Asked Questions to communicate that users with Windows Server 2008 Server Core installation do not need to install this update.

Wednesday, April 29, 2009

Targeted Examples

Posted by Mikko @ 14:22 GMT

We continue to see targeted attacks. More and more of them. We're currently collecting some statistics on the frequency of these attacks and hope to publish them here later this week.

Here are some recent examples of documents that we've seen in targeted attacks. All of them use known vulnerabilities to drop backdoors that take over the computer.

The examples cover all popular file types: DOC, XLS, PPT and PDF. (Just to be fair.)

We've seen each of these cases exactly once, worldwide. So whoever got hit by these, it wasn't just bad luck and it wasn't just a coincidence.

Our first example looks like an average in-house purchase agreement… but when viewed, it drops a backdoor that connects to lemondtree.freetcp.com. XLS file.

(Screenshot: Assets)

Connects to heet.25u.com. PDF file.

(Screenshot: UNICEF)

Drops files called hlwin32.dll, hlsvc32.dll and svchost.exe to SYSTEM32 or TEMP folders. PPT file.

(Screenshot: USFood)

"Fertilizer news and analysis"? What? Drops a backdoor that connects to wolfdu.5166.info. PDF file.

(Screenshot: Market)

Drops a variant of Poison Ivy remote access trojan. PDF file.

(Screenshot: Medvedev)

We don't have any information on the identities of the parties targeted with these attacks.

Microsoft is turning off Auto-Run!

Published: 2009-04-29,
Last Updated: 2009-04-29 16:44:34 UTC
by Joel Esler (Version: 2)

2 comment(s) Facebookacebook witter

Well, kinda.

Yesterday morning Microsoft, through the MSRC, announced that they were going to further the protection of Windows customers by disabling the Auto-Run "feature" in Windows for everything *except* optical media. (Because CD-ROMs can't be written to, according to them. I see nothing about CD-R and CD-RW specifically.)

I feel this is a good idea. There has always been malware that liked to attach itself to things like thumb drives and removable media like diskettes. (Does anyone use those anymore? ;) All the Windows environments I've worked in over my whole career have had Auto-Run disabled, so this is just good security practice by now.

For more details check out Microsoft's articles on the subject here and here.

Thanks to the reader who wrote in about this.

Update: A reader wrote in asking how to disable Auto-Run on pre-Windows 7 machines. I "Googled" it (I haven't done this in years) and found this:

http://features.engadget.com/2004/06/29/how-to-tuesday-disable-autorun-on-windows/

Happy regedit'ing

-- Joel Esler | http://www.joelesler.net | http://twitter.com/joelesler

Two Adobe 0-day vulnerabilities

Published: 2009-04-29,
Last Updated: 2009-04-29 03:22:48 UTC
by Jason Lam (Version: 1)

Two 0-day vulnerabilities in Adobe Acrobat were announced today; all current versions are vulnerable. One exploits the annotation function and the other the custom dictionary function. Both are buffer overflows in Adobe Acrobat's JavaScript engine and can be mitigated by disabling JavaScript in Adobe Acrobat.

Since exploits for these vulnerabilities on the Linux platform have been posted to the Internet, it is a safe guess that someone will make them work on Windows and use them to spread botnet agents shortly.

http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html

Keywords: adobe acrobat 0day

Swine Flu (Mexican Flu) related domains

Published: 2009-04-27,
Last Updated: 2009-04-28 00:07:25 UTC
by Johannes Ullrich (Version: 1)

This is a first cut of a list of "Swine Flu" related domains. In Europe, this flu is usually referred to as "Mexican Flu". Right now none of the domains is spreading malware or running donation scams. One appears to sell questionable pharmaceuticals (symptoms-of-swine-flu.com). The rest are either just parked, or offer some kind of information and may try to make some money with Google ads. Lots of the "information" is very minimal/incomplete/hype, but that classification is beyond what a quick scan of the content can support.

Please let us know if you come across anything of interest. (use our contact page)

The list comes from Bojan's passive DNS system. (He will talk about this at SANSFIRE in June... don't miss it.)

h1n1swineflu.com			links to birdflu site (google ads)
human-swine-influenza.com		under construction
humanswineflu.com			same as h1n1swineflu.com
pandemicswineflu.com			same as h1n1swineflu.com
swine-flu-info.co.nz			info site (google ads)
swine-flu-information.com		info site (google ads)
swine-flu-news.com			info site (google ads)
swine-flu-symptoms.com			info site
swine-flu-symptoms.info			info site (link to google ads)
swine-flu-vaccine.sdfgdfd.us		junk search / link site
swine-flu.info				godaddy parked
swine-flu.net				godaddy parked
swine-flu.org				godaddy parked
swine-influenza-news.org		info site (google ads)
swineflu-symptoms.com			godaddy parked
swineflu.biz				same as h1n1swineflu.com
swineflu.info				same as h1n1swineflu.com
swineflu.us				same as h1n1swineflu.com
swineflubase.com			under construction (wordpress site)
swineflublog.com			info site (google ads)
swinefludrugs.com			same as h1n1swineflu.com
swinefluforum.com			swineflu.org, forum
swineflumaps.com			info site (google ads)
swineflupost.com			under construction
swinefluprecaution.com			godaddy parked
swinefluprecautions.com			godaddy parked
swineflusymptoms.net			directory index / under construction
swineflusymptoms.us			info site / onclose ads
swineflusymtoms.com			unrelated info / ebay ads / amazon ads
swineflusyptoms.com			godaddy parked
swineflusyptoms.net			godaddy parked
swineflutv.com				same as h1n1swineflu.com
swinefluvaccine.info			godaddy parked
swinefluvaccines.com			same as h1n1swineflu.com
swinefluvirussymptoms.com		godaddy parked
swineinfluenzasymptoms.com		junk site / parked
symptoms-of-swine-flu.com		pharma ad, tamiflu UK (legit?)
symptoms-of-swine-flu.info		info site (google ads)
theswineflu.com				parked/ads
theswineflusymptoms.com			info site (google ads)

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute     Follow johullrich on twitter
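The list above is the output of a passive-DNS keyword watch, classified by hand. The following added example (not the ISC's code and not Bojan's passive DNS system) shows the filtering step such a watch performs: it reads constructed passive-DNS records in a made-up "<first_seen> <domain>" format, flags domains that combine a topic keyword with a companion keyword, and tolerates one-character typos so that misspelled registrations like swineflusymtoms.com and swineflusyptoms.net surface next to the correctly spelled ones. The keyword lists, the record format and the sample records are all assumptions constructed for the example.

```python
"""Keyword watch over passive-DNS output.

Added example, not the ISC's code and not Bojan's passive DNS system. It
assumes passive-DNS records arrive as lines of "<first_seen> <domain>"
(a constructed format) and flags domains that pair a topic keyword with a
companion keyword, tolerating one-character typos so that variants such as
"symtoms" and "syptoms" surface alongside the correctly spelled domains.
"""
from dataclasses import dataclass

# Keyword sets are assumptions for the example; tune them per campaign.
TOPIC_KEYWORDS = ("swine", "h1n1")
COMPANION_KEYWORDS = ("flu", "influenza", "symptoms", "vaccine", "pandemic", "tamiflu")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalised_label(domain: str) -> str:
    """Lowercase leftmost label with hyphens removed (a simplification that
    skips public-suffix handling; adequate for a keyword watch)."""
    return domain.strip().lower().split(".")[0].replace("-", "")


def fuzzy_find(label: str, keyword: str, max_dist: int):
    """Closest substring of label to keyword within max_dist, or None.
    Windows one character shorter or longer catch dropped or doubled letters."""
    best = None
    for length in (len(keyword) - 1, len(keyword), len(keyword) + 1):
        for start in range(0, len(label) - length + 1):
            window = label[start:start + length]
            dist = edit_distance(window, keyword)
            if dist <= max_dist and (best is None or dist < best[1]):
                best = (window, dist)
    return best


@dataclass
class Flag:
    domain: str
    first_seen: str
    topics: list
    keywords: dict  # companion keyword -> (text matched in the label, edit distance)

    @property
    def misspelled(self) -> bool:
        """True when some companion keyword matched only with a typo."""
        return any(dist > 0 for _, dist in self.keywords.values())


def classify_domain(domain: str, first_seen: str = ""):
    """Return a Flag when the domain carries a topic keyword plus at least one
    (possibly misspelled) companion keyword; otherwise None."""
    label = normalised_label(domain)
    topics = [k for k in TOPIC_KEYWORDS if k in label]
    if not topics:
        return None
    hits = {}
    for kw in COMPANION_KEYWORDS:
        # Short keywords get no typo tolerance: "flu" with one edit matches noise.
        match = fuzzy_find(label, kw, max_dist=0 if len(kw) <= 4 else 1)
        if match:
            hits[kw] = match
    return Flag(domain.strip(), first_seen, topics, hits) if hits else None


def scan_passive_dns(records: str) -> list:
    """Parse "<first_seen> <domain>" lines and return flagged domains in input order."""
    flags = []
    for line in records.splitlines():
        parts = line.split()
        if len(parts) != 2 or line.lstrip().startswith("#"):
            continue
        flag = classify_domain(parts[1], parts[0])
        if flag:
            flags.append(flag)
    return flags


# Constructed sample of passive-DNS output; the dates are made up and the
# .example domains are deliberate non-matches.
SAMPLE_PDNS = """\
2009-04-25 swineflusymtoms.com
2009-04-25 swineflusyptoms.net
2009-04-26 swine-flu-info.co.nz
2009-04-26 h1n1swineflu.com
2009-04-26 pigfarm.example
2009-04-27 swinebreeders.example
2009-04-27 isc.sans.org
2009-04-27 symptoms-of-swine-flu.com
"""

if __name__ == "__main__":
    for f in scan_passive_dns(SAMPLE_PDNS):
        marker = "TYPO" if f.misspelled else "    "
        print(f"{marker} {f.first_seen} {f.domain:28} {f.keywords}")
```

The typo tolerance is deliberately narrow (one edit, and none for keywords of four characters or fewer) because a keyword watch over passive DNS lives or dies by its false-positive rate; swinebreeders.example carries the topic word but no companion keyword and is left alone.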

Firefox gets another update

Published: 2009-04-27,
Last Updated: 2009-04-28 12:20:32 UTC
by Joel Esler (Version: 4)

Didn't I just post about Firefox getting updated?  Well, I'm not complaining, good for Mozilla.

Looks like a memory corruption bug that was introduced in 3.0.9. In particular, users of HTML Validator (a Firefox add-on) were seeing crashes, and on further review of the situation Mozilla found the memory corruption bug.

Anyway, here's the security announcement from Mozilla.  Time to update, again.

-- Joel Esler

http://www.joelesler.net

http://twitter.com/joelesler

Swine Flu Spam

The Swine Flu pill spam has started and it's taking a few Hollywood stars' names in vain. Nothing out of the ordinary with the sites on the far end yet, though I do expect Oseltamivir [AKA Tamiflu] will get some extra exposure once the affiliate pill sites are updated.

(Screenshot: Swine Flu)

Subjects:

First US swine flu victims!
US swine flu statistics
Salma Hayek caught swine flu!
Swine flu worldwide!
Swine flu in Hollywood!
Swine flu in USA
Madonna caught swine flu!

Also, we've noticed domain name registrations mentioning the word swine are up by about 30 times, and you can bet your daughters it's not all going to be "whitehat" SEO.

Monday, April 27, 2009

Swine Flu SEO

Posted by Sean @ 09:34 GMT

Swine Flu is in the news worldwide and search trends are spiking in North America:

(Screenshot: Swine Flu, Google Trends)

We're seeing lots of domains being registered. Here's a list of the ones registered over the weekend.

(Screenshot: Swine Flu domain list)

No malware sites… yet. But plenty of them are opportunistic:

(Screenshot: NoSwineFlu.com)

Click on the "Add to Cart" button at noswineflu.com and you'll be asked to buy a PDF file called "Swine Flu Survival Guide" for $19.95.

(Screenshot: Swine Flu Survival Guide $19.95)

You'd be better off spending your money on this.

Did you check your conference goodies?

Published: 2009-04-24,
Last Updated: 2009-04-24 19:26:48 UTC
by Pedro Bueno (Version: 1)

This year I went to RSA to have lunch with some friends.

It was nice to get together with some other SANS ISC friends too, such as Johannes, Marc and Lenny.

Good to see them again. Also, while visiting the expo, something occurred to me. Some booths were giving away pen drives with promotional material. It is easy to imagine that those booths were always crowded.

So, to get your pen drive you just drop off your business card, pick a pen drive from the pile on the table and walk away... cool...

I don't like people scanning my badge or using my business card to send me offers later, so beforehand I went to some other booths, collected a bunch of business cards from sales people (they love to give them away... :) ) and went to the 'pen-drive booth' to get mine... :)

If I had malicious intent, I would go somewhere else, plug in my new pen drive, load an autorun-style piece of malware or fill it with malicious PDFs, and return it to the crowded booth table full of pen drives... And I would be able to do it several times...

An average user would pick it up, plug it into his computer, happily install it and be p0wned…

So, did you test your goodies in a safe environment, preferably on a machine that does not autorun, like a Mac or Linux? Also, did you scan those PDFs with your AV for exploits? :)

Be safe, be paranoid… :)

-----------------------------------------------------------------

Pedro Bueno ( pbueno // isc. sans. org)

http://twitter.com/besecure

Google Chrome "ChromeHTML" URI Handler Vulnerability

SECUNIA ADVISORY ID:

SA34900

VERIFY ADVISORY:

http://secunia.com/advisories/34900/

DESCRIPTION:

A vulnerability has been reported in Google Chrome, which can be exploited by malicious people to disclose certain system information and conduct cross-site scripting attacks.

The vulnerability is caused due to the improper handling of "ChromeHTML" URIs, which can be exploited to enumerate local files and folders or execute arbitrary HTML and script code in a user's browser session in context of arbitrary websites by tricking the user into clicking a specially crafted link in Internet Explorer.

Successful exploitation requires that Google Chrome is not running and that a victim follows a malicious link in Internet Explorer.

The vulnerability is reported in version 1.0.154.55 and prior.

SOLUTION:

Update to version 1.0.154.59.

PROVIDED AND/OR DISCOVERED BY:

Roi Saltzman, IBM Rational Application Security Research Group

ORIGINAL ADVISORY:

http://code.google.com/p/chromium/issues/detail?id=9860

http://googlechromereleases.blogspot.com/2009/04/stable-update-security-fix.html

----------------------------------------------------------------------

About:

This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.

Subscribe:

http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)

http://secunia.com/advisories/about_secunia_advisories/

Possible MS09-013 activity

Published: 2009-04-23,
Last Updated: 2009-04-23 21:34:10 UTC
by Kyle Haugsness (Version: 1)

Jack sends us notice that Symantec is alerting on possible MS09-013 activity. This information comes from the Symantec ThreatCon Network Activity Spotlight. Basically, their network monitoring systems are seeing an increase in activity that could be a precursor to an MS09-013 attack, but it could also relate to old vulnerabilities from 2002 (both Apache and IIS). Consider it a reminder to get the recent Microsoft patchset deployed.

Keywords: MS09013

Some trendmicro.com services down

Published: 2009-04-23,
Last Updated: 2009-04-23 23:03:42 UTC
by Kyle Haugsness (Version: 1)

A couple of people have reported that Trend Micro is having network issues and that the following site has been down for many hours today: http://esupport.trendmicro.com
