..:: ALEXXfender ::.. - Novice

Researchers from Websense have caught Google carrying ads punting rogue software that secretly installs malware on the PCs of its users.

Recent Google searches for Winrar turned up sponsored links that offer a "spyware free" copy of the widely used data-compression application. Google users unfortunate enough to download and install that software are soon exposed to a program that makes changes to their PC's hosts file. From then on, every time the users try to visit Google, Yahoo, and other popular sites, they are instead sent to an impostor site under the control of the attackers.

The operation is another testament to the resourcefulness of those running rogue software scams. Rather than relying on zero-day vulnerabilities or hard-to-execute website hijackings, they often find it easier to snare their victims through legitimate ads placed on Google or elsewhere.

"This raises some questions," Websense researcher Elad Sharf writes. "Is this problem Google's fault for not checking whether advertised links actually serve malware? Is it the miseducated user's fault for getting infected?"

Probably a little of both, but are we the only ones who find it ironic that Google's own anti-malware initiative imposes draconian punishments on smaller websites when they're caught doing the same thing? Websense, which first witnessed the scam last week, said the malicious Google links were still available when it posted this report on Sunday.

A Google spokesman said the company is in the process of removing the offending sites from its ad network. "Google is committed to ensuring the safety and security of our users and our advertisers," he said.

As a recent complaint filed by Federal Trade Commission shows, purveyors of rogue anti-virus and other software spend millions of dollars per year advertising their wares on legitimate sites - and go to great lengths to conceal their behavior. No doubt, Google isn't the only advertiser to be tricked into running malevolent ads, but as the do-no-evil company that's steam-rolling its competition in the ad industry, it's hard to believe these kind of links are still being sponsored.
Source:
http://www.theregister.co.uk/2008/12/16/google_sponsored_links/

..:: ALEXXfender ::.. - Novice

Microsoft will push out an emergency security patch for Internet Explorer on Wednesday, addressing a critical security hole currently being exploited in the wild.

Redmond issued advanced notice for tomorrow's fix, describing the out-of-cycle patch as protection from "remote code execution."

Unscheduled updates are pretty rare for Microsoft, stressing the potentially serious nature of the flaw. Although the last time Microsoft broke it's update cycle was in late October � it was the first time it had done so in about 18 months.

The latest zero-day vulnerability stems from data binding bugs that allows hackers access to a computer's memory space, allowing attackers to remotely execute malicious code as IE crashes, Microsoft has said.

Although the exploit was at first contained to warez and porn sites hosted on a variety of Chinese domains, the malicious JavaScript code has since spread to more trusted sites though SQL injection. The flaw is primarily being used to steal video game passwords at present, but could potentially be used to retrieve more critical sensitive data from users as well.

The vulnerability is specifically targeted at surfers running IE 7, but it's also known to affect versions 5, 6, and 8 of the browser as well. All IE users are advised to install the update.

Microsoft's emergency patch will become available Wednesday at 1 PM EST from auto-update and the Microsoft Download Center. A separate patch will be made available for those running IE8 Beta 2.
Source: http://www.theregister.co.uk/2008/12/16/microsoft_ie_emergency_patch_warning_dec_16_2008/

..:: ALEXXfender ::.. - Novice

Opera pushed out an update to its popular web browser on Tuesday that fixes vulnerabilities it described as "extremely severe".

The update fixes seven security bugs, some of which were previously known. Version 9.63 of the browser addresses separate code injection risks stemming from flaws in HTML parsing and text inputing, respectively. A critical bug with similar arbitrary code injection risks involving the handling of long host names in files has also been patched.

The latest version of the software also lances a cross-site scripting flaw, involving XSLT templates, as well as bugs in feed preview.

More details of these various fixes can be found on Opera Software's website here. That advisory covers Windows but other versions of the browser running on Mac and Linux also need updating against the similar cross-platform risks.

An advisory from Secunia clarifies that not all these bugs are brand new with one, at least, known about since last month.

Version 9.63 of the browser was pushed out to via the software built-in update mechanism on Tuesday.
Source: http://www.theregister.co.uk/2008/12/16/opera_update/

..:: ALEXXfender ::.. - Novice

Legal advocates have petitioned an Indian court to ban Google Earth following intelligence indicating the satellite imaging site was used to plan last month's terrorist attacks in Mumbai that killed 170 people.

Advocate Amit Karkhanis told India's High Court the free service "aids terrorists in plotting attacks" by providing detailed images used to acquaint radical militants with their targets. He asked that Google blur images of sensitive areas in the country while the case proceeds.

It's by no means the first time government authorities with a world power have taken aim at the popular satellite imaging service. Earlier this year, the US Department of Defense banned Google from capturing Streetview images of military facilities after discovering 360-degree views inside a base located in Texas. Not to be outdone, the British military jumped on the anti Google Earth bandwagon, forcing the site to remove images of military bases in Basra, Iraq. Australia and South Korea, among others, have also gotten in on the action.

But in those cases, the calls were mostly to blur or censor specific images of sensitive areas. If articles penned by The Times (of London), UPI, and others are accurate, India's request goes much further by requesting Google Earth be banned outright.

As The Times points out, investigators believe the gunmen who stormed Mumbai in late November used a wide array of high-tech gizmos to carry out their assault, including GPS systems to navigate by sea, mobile phones with multiple SIM cards, and possibly Blackberry web browsers to monitor events as they unfolded. No word yet if the government will call for a ban of those services, too. �

Source: http://www.theregister.co.uk/2008/12/10/google_earth_ban_request/

..:: ALEXXfender ::.. - Novice

WordPress has fixed a cross-site scripting (XSS) flaw in its blogging software.

Version 2.6.5 also addresses three unrelated performance and stability bugs with the open source package. The XSS fixed by the latest version of the software is limited to particular setups involving IP-based virtual servers running on Apache 2.x.

In those setups it might be possible for hackers to rig systems so that they serve up malicious Java Script from domains under their control, as explained in an advisory by WordPress here.

WordPress has jumped from version 2.6.3 to 2.6.5 of the software in order to avoid confusion with 2.6.4, a fake version recently offered up by black hats via a bogus site. Sysadmins were directed to download the backdoor-rigged code earlier this month by hackers exploiting vulnerabilities in the blogging package.
Source: http://www.theregister.co.uk/2008/11/27/wordpress_update/

..:: ALEXXfender ::.. - Novice

Fraudsters have upped the ante in their fight to discredit a respected UK-based anti-fraud website.

The email address of Bobbear.co.uk, which fights phishing fraud by exposing groups attempting to recruit money mules, was spoofed in obscene emails. The Joe Job attack represents a further attempt to make life difficult for Bobbear.co.uk, which operates on a voluntary basis, and site administrator Bob Harrison.

Just over a week ago the site came under a sustained denial of service attack, which remains ongoing despite largely successful attempts by BobBear in cooperation with ISP Fasthosts to minimise the effect of the assault. "The DDOS continues and the criminals are also now attempting to hurt me by spoofing my email addresses to send obscene emails," reports Harrison. "These are nothing to do with me and have not come from me or my domain. This is called a 'Joe Job'. Do not be fooled by them - simply discard them or use SpamCop to report the source IP. Oh, and I DO NOT send out newsletters - it's the same spoofed spam from the same criminals."

As well as forcing Bobbear to field angry messages about the junk mail and complaints the Joe Job email run has led to thousands of bounce-back messages from spoofed emails sent to non-existent addresses, clogging up the site's mail server.

Forged emails supposedly from Bobbear have been used in an attempt to discredit the site in the past. In October 2007, a spam run sought to ruin the reputation of Bobbear by bombarding intenet users with supposed begging request. In truth the junk mail messages, asking for donations through online payment service e-Gold, were nothing to do with Bobbear.co.uk. Fasthosts temporarily suspended Bobbear.co.uk in response to complaints over these emails at the time but have been far more supportive since, for example going out of their way to get the site up and running during the latest Job Job attacks, Harrison told El Reg.
Source: http://www.theregister.co.uk/2008/11/27/bobbear_joe_job/

..:: ALEXXfender ::.. - Novice

More than a month after Microsoft issued an emergency patch for a Windows vulnerability that allows for self-replicating exploits, researchers have spotted a wave of new attacks in the wild that target the critical flaw.

Exploits of MS08-067 have been reported on and off since Microsoft issued the patch in late October, but over the past week, the volume and sophistication of the attacks have grown, according to Ziv Mador, a researcher in Microsoft's Malware Protection Center. His assessment was echoed in reports issued this week by anti-virus providers McAfee and Symantec, the latter which ratcheted up its ThreatCon alert level as a result.

A worm dubbed Conficker.A by Microsoft and Downadup by Symantec is aggressively slithering through corporate networks and home systems alike. It opens up a random port and connects to a server using HTTP. It uses several techniques to obfuscate the attack.

The worm is notable because once it takes hold of a machine it patches the vulnerability to prevent competing attackers from taking hold of the same valuable resource. Infection reports are coming mostly from the US, but other regions, including Western Europe, Japan, China and Brazil, are also affected. Conficker.A avoids infecting PCs based in Ukraine, which is presumably where the attackers are based.

MS08-067 is among the more critical vulnerabilities to hit Windows because on XP versions and earlier a single successful attack can touch off a chain reaction in which other machines on the same network are also compromised. The threat posed by the flaw was so severe Microsoft took the unusual step of issuing an emergency patch outside of its normal update cycle.

It's not surprising that bad guys would target a hole as nasty and gaping as MS08-067. What we still can't fathom is why anyone hasn't yet installed the patch. We're not ones to blame the victim, but anyone attacked by Conficker deserves a generous portion of the responsibility.
Source: http://www.theregister.co.uk/2008/11/26/conficker_attacks_windows/

..:: ALEXXfender ::.. - Novice

A US-based prescription processing and benefits firm has taken the unusual step of offering a $1m bounty for information that leads to the arrest and conviction of an unknown group which targeted it in a cyber-extortion scam.

Express Scripts went public last week with news that it received personal details on 75 end users including, in some cases, prescription data. Blackmailers threatened to expose millions of records they claimed were in their possession unless the firm paid up.

The cyber-extortionists responded to a refusal to pay up by moving onto the customers of Express Scripts with similar threats, sent in letters to these various organisations. Express Scripts responded on Tuesday by upping the ante and offering a $1m reward for information that put the unidentified miscreants behind bars.

In a related move, Express Scripts offered identity restoration services to anyone who becomes a victim of identity theft as a result of its security breach. It has set up a website to provide information to its members - insurance carriers, employers, unions and the like who run health benefit plans - to provide support at esisupports.com. It has also has hired risk consulting firm Kroll to help its members.

The cause of the breach that led to the data leak and the extent of the compromise are still under investigation. Beyond saying it "deploys a variety of security systems designed to protect their members' personal information from unauthorized access", Express Scripts (which handles a reported 50 million prescriptions a year) has said little about the breach or how it intends to prevent a repetition.

As well as posting a reward, Express Scripts has called in the FBI in its attempts to bring the blackmailers threatening its business to book. Anyone with information on that threats is advised to contact the FBI on 800-CALL-FBI.
Source: http://www.theregister.co.uk/2008/11/13/express_scripts_extortion/

..:: ALEXXfender ::.. - Novice

After a brief delay, the non-profit group that oversees the internet's address system has decided to proceed with plans to revoke the credentials of EstDomains, a domain name registrar with a reputation for catering to cyber criminals.

In a notice posted Wednesday, the Internet Corporation for Assigned Names and Numbers said EstDomains would lose its registrar accreditation on November 24. It cited the conviction of EstDomains President Vladimir Tsastsin in an Estonian court for credit card fraud, money laundering, and document forgery.

ICANN first announced its plans to de-accredit EstDomains two weeks ago, but stayed the move after the registrar appealed the move (PDF), arguing that the court finding was not final.

"On 7 November 2008, EstDomains was informed that, based on ICANN's findings, ICANN was proceeding with the termination of EstDomains' [registrar accreditation], effective 24 November 2008," ICANN wrote in Wednesday's notice.

..:: ALEXXfender ::.. - Novice

Sophisticated overseas hackers broke in to the computer systems of both the Barack Obama and John McCain campaigns and stole a large amount of data, according to an article published Wednesday by Newsweek.

Officials with the FBI and the Secret Service notified Obama staffers in August of the breach after tech consultants for the campaign detected what they thought at the time was a computer virus.

"You have a problem way bigger than what you understand," an FBI agent told Obama staff members. "You have been compromised, and a serious amount of files have been loaded off your system."

White House chief of staff Josh Bolten also weighed in, telling an Obama campaign chief: "You have a real problem...and you have to deal with it."

Investigators told Obama aides that the McCain computer systems had been similarly compromised. A senior McCain official confirmed to Newsweek that the campaign's network had been hacked and the FBI was investigating.

Representatives of both campaigns weren't available to comment on the Newsweek report.

According to investigators at the FBI and the White House, a "foreign entity or organization" is believed to be behind the attacks in an attempt to "gather information on the evolution of both camps' policy positions." The information could prove useful in negotiations with a future administration. The investigators told the Obama team the hack wasn't carried out by political opponents.

The article is here.