Topic: SECURITY WARNINGS & Notices - Please post them here


CharleyO

  • Guest
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #2040 on: August 16, 2012, 09:52:47 PM »
***

Shamoon the Wiper - Copycats at Work

Quote
Earlier today, we received an interesting collection of samples from colleagues at another anti-malware company. The samples are especially interesting because they contain a module with the following string:
C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb

Of course, the “wiper” reference immediately reminds us of the Iranian computer-wiping incidents from April 2012 that led to the discovery of Flame.

The malware is a 900KB PE file that contains a number of encrypted resources. The malware appears to be collecting information about “interesting” files on the infected system.
It is more likely that this is a copycat, the work of a script kiddies inspired by the story.

We detect the 32 bit components of the malware as Trojan.Win32.EraseMBR.a. The 64 bit component is detected as Trojan.Win64.EraseMBR.a. At the moment of discovery a main dropper was detected by heuristics as "HEUR:Trojan.Win32.Generic".


See & read more at :
https://www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work


***

CharleyO

  • Guest
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #2041 on: August 16, 2012, 10:20:38 PM »
***

MyAgent Trojan Targets Key Technology-Related Industries

Quote
Security experts are analyzing a targeted trojan that leverages emailed PDF files to gain access to systems and deliver its payload to specified networks in the aerospace, chemical, defense and tech industries.

 According to researchers at the FireEye Malware Intelligence Lab, the MyAgent trojan masks its payload as a zipped health insurance policy, but then downloads a second file entitled, "ABODE32.exe," which may have had its name derived from PDF originator Adobe (NSDQ:ADBE)’s, into the temp directory. The executable then accesses Windows Protected Storage where passwords for Internet Explorer, Outlook and additional applications are kept, and it begins uploading data to command-and-control servers. Symptoms of infection include the loading of various DLLs, which are believed to be used to support communication with C&C servers.

 The malware also uses JavaScript to assess which version of Adobe Reader is currently running on the host machine, and then executes attacks based on known vulnerabilities in the discovered version.


Read more at :
http://www.crn.com/news/security/240005702/myagent-trojan-targets-key-technology-related-industries.htm?cid=crnbuzz


***

CharleyO

  • Guest
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #2042 on: August 16, 2012, 10:27:45 PM »
***

Invisible iFrame drive-by malware attacks explained

Quote
iFrames and script tags are being used by malicious hackers to serve up drive-by internet attacks, silently and invisibly.

iFrames allow webmasters to embed the content of one webpage into another, seamlessly.

There are legitimate reasons why some websites may want to do that - but what cybercriminals do is exploit the functionality (presumably they have been able to gain write access to the website) to deliver malware such as fake anti-virus or a PDF vulnerability exploit to infect your computer.

What's sneaky is that malicious hackers can make the embedded content invisible to the naked eye, by making the window zero by zero pixels in size. You can't see the threat, but your web browser is still dragging it down.


See & read more at :
http://nakedsecurity.sophos.com/2012/08/16/invisible-iframe-drive-by-malware-attacks-explained-video/?utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29&utm_medium=twitter&utm_source=twitterfeed


***
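A defender's view of the technique described in the post above, as an added example that is not part of the original thread or the linked article: a webmaster-side check that parses served HTML and reports iframes a visitor could not see (zero width or height, or hidden through inline CSS), noting whether each one points off-site. The host names, the `find_hidden_iframes` helper and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A zero dimension as an attribute value: "0", "0px", "0%".
ZERO = re.compile(r"^\s*0+(\.0+)?\s*(px|%|em|pt)?\s*$", re.I)
# Inline CSS that hides a frame or collapses it to nothing.
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![-\w])(?:width|height)\s*:\s*0+(?:\.0+)?\s*(?:px|%|em|pt)?\s*(?:;|$)",
    re.I)

class HiddenFrameFinder(HTMLParser):
    """Collects <iframe> tags that a visitor could not see on the page."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = [f"{d}={a[d].strip()}" for d in ("width", "height")
                   if d in a and ZERO.match(a[d])]
        css = HIDING_CSS.search(a.get("style", ""))
        if css:
            reasons.append("style: " + css.group(0).strip(" ;"))
        if "hidden" in a:
            reasons.append("hidden attribute")
        if reasons:
            host = urlparse(a.get("src", "")).hostname
            self.findings.append({
                "line": self.getpos()[0],          # line of the opening tag
                "src": a.get("src", ""),
                "external": host is not None and host != self.own_host,
                "reasons": reasons,
            })

def find_hidden_iframes(html, own_host):
    """Return one finding per invisible iframe in `html`."""
    finder = HiddenFrameFinder(own_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page: one visible embed, two invisible frames.
SAMPLE = """<html><body>
<iframe src="https://video.example.com/embed/1" width="640" height="360"></iframe>
<iframe src="http://third-party.example.net/in.php" width="0" height="0"></iframe>
<p>news</p>
<iframe src="/widgets/poll.html" style="visibility: hidden; width:1px"></iframe>
</body></html>"""
```

An invisible frame that is also `external` is the combination worth investigating first, since it matches content injected by someone with write access to the site; frames built at run time by script are not covered by a static parse like this one.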

CharleyO

  • Guest
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #2043 on: August 17, 2012, 12:08:31 AM »
***

NSS Labs expose inadequate AV products

Quote
NSS Labs testing showed that 9 of 13 popular consumer anti-virus products tested failed to provide adequate protection against exploits targeting two recent critical Microsoft vulnerabilities.

 Only 4 vendors – Avast, Kaspersky, McAfee and Trend Micro – successfully blocked all attacks delivered over both HTTP and HTTPS.

“This test revealed that numerous vendors that protected against an exploit over HTTP failed to protect against the same exploit delivered via HTTPS,” said Bob Walder, Chief Research Officer at NSS Labs. "Vendors who did not perform well might want to reconsider their default settings in this age of attacks against SSL and other protocols.”


Read more at :
http://www.net-security.org/malware_news.php?id=2224


***

CharleyO

  • Guest
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #2044 on: August 17, 2012, 08:50:33 PM »
***

MyAgent Trojan Targets Key Technology-Related Industries

Quote
Security experts are analyzing a targeted trojan that leverages emailed PDF files to gain access to systems and deliver its payload to specified networks in the aerospace, chemical, defense and tech industries.

The malware also uses JavaScript to assess which version of Adobe Reader is currently running on the host machine, and then executes attacks based on known vulnerabilities in the discovered version.


Another good reason to not use Adobe Reader but use some other PDF reader.
Read more at :
http://www.crn.com/news/security/240005702/myagent-trojan-targets-key-technology-related-industries.htm?cid=nl_crn


***

CharleyO

  • Guest
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #2045 on: August 17, 2012, 10:11:41 PM »
***

FBI warns of Internet malware that locks computers, demands money

Quote
Aug 17, 2012 (Bangor Daily News - McClatchy-Tribune Information Services via COMTEX) -- The Federal Bureau of Investigation's Boston Division issued a warning Thursday about a new Internet virus that locks computers and carries a fake message purportedly from the FBI requesting payment to unlock the computer.
In the alert, the FBI's Boston Division -- which covers Rhode Island, Maine, New Hampshire and Massachusetts -- said it has received an increasing number of reports from individuals who have fallen victim to the scam.

 Though she declined to provide numbers, FBI spokeswoman Katherine Gulotta said that about 15 percent of all of the computer complaint calls the FBI has received in the Boston Division have been attributed to the Reveton virus. Of those, 10 percent came from Maine, she said. Reveton has been identified as "drive-by" malicious software, or malware, because unlike many viruses, which activate when users open a file or attachment, this one can install itself when users simply click on a compromised website.

 Once infected, the victim's computer immediately locks and the monitor displays a screen stating that there has been a violation of federal law. The fraudulent message goes on to say the user's Internet address has been identified by the FBI or the Department of Justice's Computer Crime and Intellectual Property Section as having visited child pornography sites and other illegal content, Gulotta said Thursday.

 To unlock their machines, users are told to pay a fine to the U.S. Department of Justice using a prepaid money card service. Gulotta said that the amounts demanded vary but are in the $200 range. In addition to the "ransomware," the FBI said, the malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud.


Read more at :
http://it.tmcnet.com/news/2012/08/17/6515717.htm


***

CharleyO

  • Guest
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #2046 on: August 17, 2012, 10:21:19 PM »
***

FBI warns of child porn scam

Quote
The FBI is warning computer users about a new scam that not only takes your money, but accuses you of visiting child pornography websites as well.

"They're getting more boisterous," said Troy Rice, an IT expert. "They're trying to really intimidate the average user."

The trouble begins when you click an unfamiliar link. Hackers download a virus to your computer, and you see a screen telling you that you're in trouble with the FBI for looking at child pornography. Then it demands you pay a $100 fine to the Department of Justice.

"And the scariest thing is it's probably not just the 100 bucks. You've now given them a credit card, and you've given them proprietary information, personal information, so once they have that it's even more detrimental," said Rice.

If your computer is compromised, try to run a virus scan. If you can't get rid of the problem, have your computer professionally cleaned.

The best way to prevent the attack is to be careful what you click on. If you're casually surfing the web, clicking from one link to another, experts say it's only a matter of time before you run into trouble.

If you're a victim of online fraud, report it to the FBI at www.IC3.gov.


See & read more at :
http://www.tucsonnewsnow.com/story/19300728/fbi-warns-of-child-porn-scam


***

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37548
  • Not a avast user
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #2047 on: August 18, 2012, 09:56:09 PM »
Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?

tested against CVE-2012-1875 and CVE-2012-1889. only 4 of 13 tested got 100%  ...... read and see who

pdf.doc
http://www.nsslabs.com/assets/noreg-reports/2012/Can%20Consumer%20AV%20Products%20Protect.pdf

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #2048 on: August 18, 2012, 10:50:23 PM »
Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?

tested against CVE-2012-1875 and CVE-2012-1889. only 4 of 13 tested got 100%  ...... read and see who

pdf.doc
http://www.nsslabs.com/assets/noreg-reports/2012/Can%20Consumer%20AV%20Products%20Protect.pdf
Related post in blog: https://blog.avast.com/2012/08/17/avast-one-of-few-to-protect-against-microsoft-vulnerabilities/
The best things in life are free.

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5666
  • Spartan Warrior
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #2049 on: August 19, 2012, 12:25:25 AM »
Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?

tested against CVE-2012-1875 and CVE-2012-1889. only 4 of 13 tested got 100%  ...... read and see who

pdf.doc
http://www.nsslabs.com/assets/noreg-reports/2012/Can%20Consumer%20AV%20Products%20Protect.pdf
Note the following quote from the pdf, page 6:
Quote
En garde
Once an endpoint defense mechanism has been bypassed, the next step taken by most attackers is to attempt to disable it completely. This would, for example, enable further malicious software to be downloaded without risk of it being detected by the protection mechanism.
There are significant differences in the ability of market-leading products to defend themselves against being disabled. Unfortunately both Microsoft and CA offerings presented virtually no defensive capabilities. Both products could be disabled with a simple "kill" command.
Quote taken directly from page 6 of the pdf. Link provided by Pondus.

Whoa!  One would think Microsoft would at least have measures in place to prevent their product from being disabled so easily.

I had Norton Antivirus back a few years ago (more than ten years ago) fail to protect in a similar situation.  Was very tough to recover from, as uninstalling and reinstalling would not work.  I did eventually get it to run again, but....  self-defense should be a basic protection for all antiviruses, so users should be aware of this flaw and lack of necessary protection.
« Last Edit: August 19, 2012, 12:29:51 AM by mchain »
Windows 10 Home 64-bit 22H2 Microsoft Windows Defender - Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.4.6112 (build 24.4.9067.762) UI version 1.0.803

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37548
  • Not a avast user
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #2050 on: August 19, 2012, 02:16:35 AM »
another type of scam......

SEC Shuts Down $600 Million Online Pyramid and Ponzi Scheme
http://www.sec.gov/news/press/2012/2012-160.htm

CharleyO

  • Guest
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #2051 on: August 20, 2012, 11:10:26 PM »
***

Own the Email, Own the Person

A must read for all email users, especially those with accounts linked with Facebook, & others.

Quote
For attackers looking to take control of a victim's online presence, there is no better place to start than the target's email account. If you own the email, you own the person. That's never been more true than today, with so many social networks, services and shopping sites attached to users' email addresses. New research done by Cesar Cerrudo of IOActive shows just how simple it can be to get control of a target's email account, and from there, everything else.

For many people, their personal email account is where they store their lives. Bank statements, bills, personal correspondence, work files, anything you can get in electronic form can often be found in a given target's email inbox. And a large number of email systems protect users' inboxes with nothing more complicated than a simple password. Gmail is one notable exception, with its two-factor authentication option that enables users to employ a mobile app to generate one-time codes that they use in addition to their passwords. But, that's an option and not mandatory, and for many users just looks like an annoyance on the way to getting their email.


Please read more at :
http://threatpost.com/en_us/blogs/own-email-own-person-082012


***

CharleyO

  • Guest
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #2052 on: August 20, 2012, 11:24:59 PM »
***

SMSZombie Malware Infecting Android Devices, Stealing Money

Quote
A nasty new piece of malware that has the ability to steal money from users via fraudulent SMS payments has shown up in a Chinese Android market and researchers say it's infected more than 500,000 victims. The SMSZombie malware is being hidden inside apps on the app market and once it's on a device it has the ability to prevent users from uninstalling it.

"The SMSZombie virus has been hidden in a variety of wallpaper apps and attracts users with provocative titles and pictures. When the user sets the app as the device’s wallpaper, the app will request the user to install additional files associated with the virus. If the user agrees, the virus payload is delivered within a file called 'Android System Service',"


Read more at :
http://threatpost.com/en_us/blogs/smszombie-malware-infecting-android-devices-stealing-money-082012


***

CharleyO

  • Guest
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #2053 on: August 20, 2012, 11:35:31 PM »
***

Royal Mail malware attack distributed via email

Quote
It's wise to be wary when it comes to unsolicited email, even when the email appears to come from a legitimate organisation.

Today we're warning internet users to be careful not to be tricked into opening attachments that have been spammed out, posing as communication from the British Royal Mail.

It should go without saying that the emails are not connected with the real Royal Mail in any way, despite them appearing to arrive from noreply@royalmail.com and containing the Royal Mail's logo.

The cybercriminals who have distributed the attack are hoping that your curiosity will be piqued, and you will be tempted to open the attached ZIP file in the mistaken belief that a parcel is winging its way to you.


See & read more at :
http://nakedsecurity.sophos.com/2012/08/20/royal-mail-malware/?utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29&utm_medium=feed&utm_source=feedburner


***

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89132
  • No support PMs thanks
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #2054 on: August 21, 2012, 12:29:09 AM »
You really would have to be gullible to fall for this and many other scams. How in hell's bells would they know your email? Not to mention, in this case the Royal Mail is going to hell in a hand basket. Its level of service is getting worse not better so I couldn't see them even offering this service.

Whilst they have a tracking service they certainly don't have an email notification service, the sender would have to know your email, no doubt this would be a premium service which no doubt you the user would be paying for (so you should know and expect it). How would it even work if they had when they really haven't a clue when your parcel might arrive.

It doesn't take much rational thought to see through these scams.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security