Author Topic: SECURITY WARNINGS & Notices - Please post them here  (Read 2889474 times)


polonus
« Reply #555 on: July 10, 2010, 06:48:09 PM »
Hi YoKenny,

Yep, and what if there is a console with "embedded Windows XP2", and someone plays an encoding smart card
trick there; how irresponsible can admins and security staff be, "infantilisized" by society around them and brainwashed alike to accept such insecure systems and not upgrade,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

YoKenny
« Reply #556 on: July 10, 2010, 07:46:42 PM »
Hi YoKenny,

Yep, and what if there is a console with "embedded Windows XP2", and someone plays an encoding smart card
trick there; how irresponsible can admins and security staff be, "infantilisized" by society around them and brainwashed alike to accept such insecure systems and not upgrade
I know
Quote
Insanity: doing the same thing over and over again and expecting different results.
Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning.
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
Albert Einstein

Asyn
« Reply #557 on: July 10, 2010, 10:02:48 PM »
Hi Kenny & polonus,
nice info, nice map, nice quote...! ;)
I stumbled over admins with no knowledge at all, just doing the same as they 'learned' years before... ::)
asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

nmb
« Reply #558 on: July 12, 2010, 04:14:14 PM »
Week in review: YouTube, iTunes, The Pirate bay hacked, Facebook scams and Twitter kits

Quote
Here's an overview of some of last week's most interesting news, interviews and articles

http://www.net-security.org/secworld.php?id=9558

nmb

Jtaylor83
« Reply #559 on: July 12, 2010, 05:51:06 PM »
Yeah, all the Jason Bieber videos were hacked through a cross-scripting (XSS) vulnerability, replacing comments with big red words.

polonus
« Reply #560 on: July 12, 2010, 07:20:53 PM »
Hi malware fighters,

What banks are being attacked by zeus 3 and what countries are targeted?
http://community.ca.com/blogs/securityadvisor/archive/2010/07/12/zeus-version-3-target-spain-germany-uk-and-usa-banks.aspx
See: http://www.malwaredomains.com/wordpress/?p=1081
http://www.malwaredomainlist.com/mdl.php?search=zeus&colsearch=All&quantity=100

Remarkable the zeus3 trojan only targets Spain, Germany, United States and the U.K.,

pol

CharleyO
« Reply #561 on: July 14, 2010, 07:34:58 PM »
***

Secunia Half Year Report for 2010 shows interesting trends

Quote
The report does a good job of discussing the current trends and statistics and highlights what they are seeing for vulnerabilities.

http://isc.sans.edu/diary.html


***

Hermite15
« Reply #562 on: July 15, 2010, 02:02:01 PM »
Mozilla snuffs password pilfering Firefox add-on
http://www.theregister.co.uk/2010/07/15/mozilla_blocklists_malicious_addon/
http://blog.mozilla.com/addons/2010/07/13/add-on-security-announcement/

Quote
Issue
An add-on called “Mozilla Sniffer” was uploaded on June 6th to addons.mozilla.org. It was discovered that this add-on contains code that intercepts login data submitted to any website, and sends this data to a remote location. Upon discovery on July 12th, the add-on was disabled and added to the blocklist, which will prompt the add-on to be uninstalled for all current users.

Impact to users
If a user installs this add-on and submits a login form with a password field, all form data will be submitted to a remote location. Uninstalling the add-on stops this behavior. Anybody who has installed this add-on should change their passwords as soon as possible.

Status
Mozilla Sniffer has been downloaded approximately 1,800 times since its submission and currently reports 334 active daily users. All current users should receive an uninstall notification within a day or so. The site this add-on sends data to seems to be down at the moment, so it is unknown if data is still being collected.

Mozilla Sniffer was not developed by Mozilla, and it was not reviewed by Mozilla. The add-on was in an experimental state, and all users that installed it should have seen a warning indicating it is unreviewed. Unreviewed add-ons are scanned for known viruses, trojans, and other malware, but some types of malicious behavior can only be detected in a code review.

polonus
« Reply #563 on: July 15, 2010, 07:13:21 PM »
Hi malware fighters,

Disabling autorun is not enough, new virus vector found -windows-shortcut-flaw (no it is no feature!): "The virus is able to infect the OS in a completely new way and fashion, via a hole in the way lnk-files are being processed, without using an autorun.info file (so nothing can be detected on the malicious USB stick)", this according to an advisory on VirusBlokAda. Re analysis: http://www.f-secure.com/weblog/archives/new_rootkit_en.pdf  &
http://www.securelist.com/en/blog/269/Myrtus_and_Guava_Episode_1

So be aware handling these Flash drives/USB-sticks .....opening any file manager or IE is enough to place two Realtek signed drivers there to inject malicious code into System Processes in order to hide malcode there...
Seems this malware was specifically developed for spying on corporations - i.e. looking for Siemens WinCC SCADA systems & similar big distributed systems for energy management etc., re: http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw - the malware can get epidemic proportions, so use a good USB av solution:
http://www.mxone.net/en/  or   http://download.cnet.com/Panda-USB-Vaccine/3000-2239_4-11040112.html

polonus

YoKenny
« Reply #564 on: July 15, 2010, 08:44:03 PM »
Hi malware fighters,

Disabling autorun is not enough, new virus vector found -windows-shortcut-flaw (no it is no feature!): "The virus is able to infect the OS in a completely new way and fashion, via a hole in the way lnk-files are being processed, without using an autorun.info file (so nothing can be detected on the malicious USB stick)", this according to an advisory on VirusBlokAda. Re analysis: http://www.f-secure.com/weblog/archives/new_rootkit_en.pdf  &
http://www.securelist.com/en/blog/269/Myrtus_and_Guava_Episode_1

So be aware handling these Flash drives/USB-sticks .....opening any file manager or IE is enough to place two Realtek signed drivers there to inject malicious code into System Processes in order to hide malcode there...
Seems this malware was specifically developed for spying on corporations - i.e. looking for Siemens WinCC SCADA systems & similar big distributed systems for energy management etc., re: http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw - the malware can get epidemic proportions, so use a good USB av solution:
http://www.mxone.net/en/  or   http://download.cnet.com/Panda-USB-Vaccine/3000-2239_4-11040112.html

polonus
mxone.net blocked by hpHosts:
http://hosts-file.net/default.asp?s=mxone.net+
http://hosts-file.net/?s=www.mxone.net&x=29&y=6
Quote
• EMD - sites engaged in malware distribution
This classification is assigned to websites engaged in the distribution of malware (e.g. adware, spyware, trojans and viruses etc).

Sites with this classification typically either contain files (e.g. cracks, keygens, adware, spyware, trojans, viruses et al) or lead to such via (for example) "fake scanners" or other social engineering and misleading tactics.


Panda-USB-Vaccine/3000-2239_4-11040112.html  looks like an advertisement for Panda Cloud Antivirus ???

The only one I trust is Flash_Disinfector.exe by sUBs 8)
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t229158.html

« Last Edit: July 15, 2010, 09:05:37 PM by YoKenny »

polonus
« Reply #565 on: July 15, 2010, 09:07:33 PM »
Hi YoKenny,

Clean here: Report    2010-07-15 21:03:59 (GMT 1)
Website    _mxone.net
Domain Hash    c6cfdae769f9e964e905ab272c77cc6b
IP Address    N/A [SCAN]
IP Hostname    N/A
IP Country    -- (--)
AS Number    N/A
AS Name    N/A
Detections    0 / 17 (0 %)
Status    CLEAN
      
Scanning site with:    AMaDa    CLEAN
Scanning site with:    BrowserDefender    CLEAN
Scanning site with:    Finjan    CLEAN
Scanning site with:    Google Diagnostic    CLEAN
Scanning site with:    hpHosts    CLEAN
Scanning site with:    Malware Patrol    CLEAN
Scanning site with:    MalwareDomainList    CLEAN
Scanning site with:    MyWOT    UNRATED
Scanning site with:    Norton SafeWeb    UNRATED
Scanning site with:    ParetoLogic URL Clearing House    CLEAN
Scanning site with:    PhishTank    CLEAN
Scanning site with:    SURBL    CLEAN
Scanning site with:    Threat Log    CLEAN
Scanning site with:    TrendMicro Web Reputation    CLEAN
Scanning site with:    URIBL    CLEAN
Scanning site with:    Web Security Guard    UNRATED
Scanning site with:    ZeuS Tracker    CLEAN

SiteTruth says: This site is safe.
Google Safe Browsing says: This site is safe.
Threat Name: No Threat FOUND
Threat Definitions: 806935
Engine Version: 0.96.1
Host IP: 174.132.148.58
Link Status: Clean
File Size: 14.87 KB
Time Finished: 5.01 secs
Overall result: This site is secure,

polonus

YoKenny
« Reply #566 on: July 15, 2010, 09:18:04 PM »
New infections are not reported quickly enough ::)

polonus
« Last Edit: July 15, 2010, 09:36:08 PM by polonus »

YoKenny
« Reply #568 on: July 15, 2010, 09:44:29 PM »
Hi YoKenny,

Look here: http://www.wilderssecurity.com/showthread.php?t=236298
March 16th, 2009, 03:06 PM  :o

http://site-press.com/antivirus/antivirus-news/mx-one-usb-antivirus-tutorial-33-instalacion-en-usb/
This is from a scam site: http://www.articlesbase.com/security-articles/how-to-remove-mx-one-automatically-mx-one-removal-instructions-1910840.html
Re: http://www.remove-malware.com/forums/viewtopic.php?f=22&t=6070
Only if you try to download illegally you will be confronted with: htxp://filespump.com/index.html
which was seized by US government: http://mybroadband.co.za/vb/showthread.php/246753-Filespump.com-siezed-by-US-goverment

polonus

You are quoting old references.
It's now July and those references are as old as sour milk or moldy cheese.

polonus
« Reply #569 on: July 17, 2010, 01:36:03 AM »
Hi YoKenny,

But what can protect us then from this new USB stick root kit malware?
MS is studying it, it has already infected over 16.000 computers worldwide...starting from India,
where it was created with 2 Realtek certified drivers...so nothing shows up on the malcoded stick,
does not need autorun to infect, shortcut link and hoopla...
and we have malware here with a certificate (not valid anymore but it is not checked for that),
what is next MS certified malware?

polonus