Friday, September 14, 2007

Trojan planted on US Consulate website

Russian roulette
By John Leyden
Published Thursday 13th September 2007 11:43 GMT

Webpages of the US Consulate General in St. Petersburg, Russia, were infected by malware earlier this week. The US consulate site was caught up in a much larger hack attack and is not thought to have been targeted as such.

The infected pages have since been cleaned up, reports net security firm Sophos which monitored results of the assault.

The attack on the US consulate was part of a larger campaign by cybercriminals targeting vulnerable web servers. The majority of the 400 compromised web pages hit by the attack were hosted in Russia. Hackers planted malicious scripts on compromised hosts.

After retrieving a copy of one of the infected Consulate pages from an internet cache, virus analysts at Sophos were able to identify the malware script planted on the site as Mal/ObfJS-C, a strain of web nasty that attempts to load further malware from a remote server. This malware includes a Trojan downloader script that attempts to plant backdoor code onto the PCs of surfers with vulnerable machines who visit infected sites.

The attack is described in much greater depth in Sophos's blog here. [...]

Read more ...
The Register. Security.

AOL's Free Anti-Virus Switcheroo

A number of AOL users who have taken advantage of the free "Active Virus Shield" anti-virus offer from Kaspersky are complaining that the software has ceased downloading updates. Turns out AOL recently severed its relationship with Kaspersky, and is now offering customers free anti-virus service from McAfee.

It doesn't appear that AOL gave any sort of advance warning that this change was forthcoming, although the company has information up on its site detailing the new McAfee offering. An AOL spokesperson said that while the ISP is no longer offering new licenses for the free Kaspersky software, there is no reason that customers who still have time left on their Kaspersky license should have stopped receiving updates for the program.

Even so, some AOL virus shield users have reported that they can no longer download virus signatures to keep the program up-to-date. Assuming those users still have time left on their license (it gets renewed once a year), there appears to be a relatively simple tweak that has helped re-enable updates for many users.

Alternatively, AOL users can remove Kaspersky, pay to upgrade to a full version, or uninstall the program and go with the free McAfee offering. There also are several other free anti-virus options out there, including Antivir Personal Edition Classic, AVAST Home Edition, BitDefender Free, Clamwin Free, and Grisoft's AVG Free. [...]

Read more ...
Brian Krebs on Computer Security. The Washington Post Company.

Wednesday, September 12, 2007

Microsoft serves light fare on Patch Tuesday

No critical patches for most Windows users
By Dan Goodin in San Francisco
Published Tuesday 11th September 2007 22:00 GMT

Microsoft served comparatively modest fare for its monthly patch release on Tuesday, issuing only four security-related updates, only one of which carried its top severity rating of critical. It plugged a hole in a Windows 2000 component, while the other updates fixed vulnerabilities rated as important in instant messenger programs, Visual Studio .Net and Windows services for Unix found on several different versions of the Windows operating system.

In a rare event, the typical Windows user is likely to have just one patch to install. It addresses a vulnerability in the MSN Instant Messenger and Windows Live Messenger that could allow an attacker to take over a machine by tricking a victim into clicking on a specially crafted chat request. Despite MSN Messenger being installed on every copy of Windows, Microsoft rated the flaw important, presumably because it can't be exploited without the user taking action first.

Some users may have no patches to install, as was the case with this reporter. That's because the vulnerability doesn't affect Windows Live Messenger version 8.1, which was installed on the machine. A spokeswoman says other versions of Windows Live Messenger don't use Windows Update to install new updates. Instead, the client prompts the user to install a new version, she said. Windows Update still encouraged us to run Windows Malicious Software Removal Tool, as it does every month.

The rest of the updates apply to more technically inclined users. The most serious is the patch for a Windows 2000 component known as Microsoft Agent, which fixes a critical vulnerability that could allow an attacker to remotely execute code of his choosing. A third flaw affecting Visual Studio could also allow a remote execution, but only if a user opens a specially crafted RPT file. The last vulnerability, which affects Windows Services for UNIX 3.0, Windows Services for UNIX 3.5, and Subsystem for UNIX-based Applications, could allow an attacker to elevate privileges.

A fifth patch that had been planned for today was pulled for reasons that are not entirely clear. It was to address a vulnerability in SharePoint and had a severity rating of important. "Once Microsoft has developed and tested a security update that meets its quality bar for release, it will release the final update for this affected product along with a bulletin as part of Microsoft’s regularly scheduled process," a company spokeswoman said.

You might say this month's Patch Tuesday was a small snack. By comparison, August's release required users to gorge on nine patches, six of which were rated critical. Internet phone provider Skype said the binge triggered a system-wide outage that lasted several days. The explanation left many of us scratching our heads because Patch Tuesday has been a regular fixture for several years now, and it was unclear why the update bundle only recently wreaked havoc. [...]

Read more ...
The Register. Security.

Tuesday, September 11, 2007

Banner Ad Trojan Served on MySpace, Photobucket

Several banner ads containing Trojan horse programs that can compromise a user's computer have been running on some high-traffic Web sites for the past several weeks, including MySpace.com and Photobucket.com, Security Fix has learned.

Web security company ScanSafe said it first spotted the tainted banner ads on Aug. 8, and estimates that the hostile ads ran several million times for the next three weeks. Other sites that ran the ads included Bebo.com, TheSun.co.uk, and UltimateGuitar.com, officials at ScanSafe said. All a visitor to one of these sites needed to do to infect their machines was to browse a page that featured the ads with a version of Internet Explorer that was not equipped with the latest security updates from Microsoft.

This is hardly the first time malicious software has shown up in banner ads. A little over a year ago, I wrote about a similar banner ad attack that installed spyware on machines of more than a million MySpace.com users. This latest attack won't be the last either: Hacked banner ads are a very efficient way to distribute malware because they end up running on sites that most people trust:

The banner ads in question were traced back to an ad network exchange run by a company called RightMedia, which was recently bought by Yahoo!. The ads were being delivered to RightMedia's network from a third-party ad server. According to ScanSafe, those third-party servers included in their rotation several malicious ads that used Macromedia Flash files to load an invisible "iFrame" (used to insert content from another Web site into the current Web page). [...]

Read more ...
Brian Krebs on Computer Security. The Washington Post Company
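The consulate story (obfuscated script planted on compromised pages) and the banner-ad story (an invisible iframe pulling content from another site) point at the same check a site operator can run over their own served HTML: look for hidden iframes and for inline script that decodes heavily escaped text into an execution sink. The scanner below is an added example, not code from Security Fix, The Register, Sophos or ScanSafe; the sample page and the example.invalid URLs are constructed, and the thresholds are assumptions to tune per site.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one benign iframe, one 1x1 hidden iframe, and an
# inline script that unescapes %XX-encoded markup into document.write().
SAMPLE_HTML = """<html><body><h1>Consulate General</h1>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22http://example.invalid/x%22%3E'));</script>
<iframe src="http://example.invalid/ad" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="/maps" width="600" height="400"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ESCAPED = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", re.I)
SINKS = re.compile(r"\b(unescape|eval|fromCharCode|document\.write)\b")
ESCAPE_THRESHOLD = 8  # assumed: fewer escapes than this is treated as ordinary code

def is_tiny(value):
    """True when an explicit width/height is below 2px (a 0x0 or 1x1 frame)."""
    try:
        return int(str(value).strip("px ")) < 2
    except ValueError:
        return False  # missing or non-numeric dimension: not judged here

class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._script = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            tiny = is_tiny(a.get("width")) and is_tiny(a.get("height"))
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            self._script = []  # start buffering this script's body

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            escapes = len(ESCAPED.findall(body))
            # Flag only the combination: lots of escaped text AND a decode/exec sink.
            if escapes >= ESCAPE_THRESHOLD and SINKS.search(body):
                self.findings.append(("obfuscated_script", f"{escapes} escaped chars"))
            self._script = None

def scan_html(html):
    """Return (finding_type, detail) tuples for hidden iframes and obfuscated scripts."""
    p = InjectionScanner()
    p.feed(html)
    p.close()
    return p.findings

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(kind, detail)
```

Run it against a cached copy of your own pages (or the HTML an ad network actually delivers) and diff the findings against a known-good baseline; a hit on a page you did not change is the signal the stories above describe.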

Tuesday, September 4, 2007

Storm Worm Dwarfs World's Top Supercomputers

The network of compromised Microsoft Windows computers under the thumb of the criminals who control the Storm Worm has grown so huge that it now has more raw distributed computing power than all of the world's top supercomputers, security experts say.

Estimates on the number of machines infected by Storm range from one million to 10 million, depending upon which security sources you believe. But hardly anyone would argue that many thousands of new PCs are being stricken by the worm each day, largely because the worm authors are continuously changing their tactics to trick people into installing it.

Massive pools of virus or worm-infected PCs, known as "botnets," are principally used to blast out spam, host scam Web sites, or to flood targeted Web sites with so much junk traffic all at once that they simply crash and are rendered unreachable by legitimate visitors. But the criminals who control these infected machines could just as easily use them to do some serious number-crunching, the kind of computational analysis typically left to the world's fastest supercomputers.

In a posting today to a data security mailing list, Peter Gutmann, a computer science professor with the University of Auckland in New Zealand, said the Storm botnet could easily outperform IBM's BlueGene/L, currently the top-ranked supercomputer on the planet.

Brian Krebs on Computer Security. The Washington Post Company