Archive for category News

Zeus Trojan Infected 2.5 Thousand Corporate Machines Around the Globe

Over the past year and a half, more than 75 thousand machines worldwide have been infected by the Zeus Trojan, according to the NetWitness company; all of these infected computers were used to steal banking account, social networking and email passwords.

Among the victims are some major companies such as Merck, Cardinal Health, Paramount Pictures and Juniper Networks. NetWitness reported that the cybercriminals might be an Eastern European group operating through a server located in Germany, spreading emails containing malicious software or redirecting victims to a malicious website.

The observed hacking activity does not stop there: researchers noted that on 26 January they found 76 gigabytes of data stolen by this Trojan, containing about 68 thousand corporate logins as well as online banking, Facebook, Yahoo and Hotmail credentials.

According to NetWitness, the attackers are still actively exploiting vulnerabilities to spread their dangerous malware around the globe, and they control all these machines remotely in different ways, such as through the peer-to-peer Waledac botnet.

ZeuS consists of two main parts:
1. Command and control (panel) – a set of scripts, including the admin area, that is installed on the server.
2. Bot – the Win32 victim-side component (the Trojan).

The main features of Zeus are:
1- Invisible in the Windows process list.
2- Bypasses most firewalls.
3- Works under restricted Windows accounts.
4- The main bot is encrypted.
5- Disables the Windows Firewall, which opens access to incoming messages/commands.
6- All settings, including configuration, logs and commands, pass over encrypted HTTP (HTTPS).
7- A separate configuration file is available that allows the attackers to locate the bots when they lose access to the main server.
8- A configuration backup file is available in case the config is lost.
9- Works with any kind of browser because the program operates through wininet.dll (Internet Explorer, Mozilla Firefox, AOL…).
10- Interception of all machine activity via a built-in keylogger.
11- Simple transparent URL redirection to fake websites (GET/POST requests, etc.).
12- Harvests all SSL/TLS certificates imported by the victim and sends them to the server.
13- POP3 and FTP protocol grabber.
14- Searches all hard disk files and downloads a specific file chosen by the attacker.
15- Takes screenshots in real time.

As you can see, it is very easy to gain access to a person's sensitive information, so it is important to keep your AV and system definitions up to date to ensure you have the best protection against new threats.

make sure you subscribe to my RSS feed!

Fake Antivirus with Live Technical Support

A new case has been observed by Symantec of a fake antivirus product being sold to victims together with real-time technical support.

After the fake antivirus software is installed, popup windows open to alert the victim that malware has been detected, with an unusual yellow button on the screen that leads to online support. After clicking on Support Online, the victim gets to talk to a real person playing the role of a support-service employee, and the conversation takes place over instant messaging.

This tactic convinces the victim that the service is legitimate and makes them purchase the software, called Live PC Care, for 30 to 100$, while the software offers no protection at all and gives the customer a false sense of security.

According to Symantec, 43 million copies of the antivirus software were installed in the period from July 1, 2008 to June 30, 2009.

Adobe Apologized for a 16-Month-Old Bug

Adobe has officially apologized for a 16-month-old Flash Player vulnerability that is still not fixed.
According to Adobe, the bug has been eliminated in the Flash Player 10.1 beta, but there is not yet a stable version of this release.

The bug was officially reported on the 22nd of September 2008, and all Flash Player plug-ins since version 9 are affected. Many hackers have used this gap to inject malicious code onto victims' machines.

Adobe experts currently provide a special web page to check for this vulnerability. The exploit really works; you can test it by following this link, but before clicking you should make sure that you have another page open in the same browser.

Adobe product manager Emmy Huang promised that the vulnerability will be fixed in the next Flash Player 10.1 releases, without giving any indication of the final version's release date.

You can install Adobe Flash Player 10.1 from here.

Cybercriminals' Phishing Attack on .gov and .mil

Criminals are conducting spam attacks on email addresses in the .gov and .mil domains. According to a blog post by Brian Krebs, the fake messages include a link leading to the Zeus Trojan, which helps steal banking passwords.

The reason such attacks succeed is that the phishing message looks quite legitimate: recipients are invited to download a report, the 2020 Project, which really exists and was recently published by the National Intelligence Council of the United States.

At the same time, investigating the email headers shows that the real sender is nobody@sh16.ruskyhost.ru, a Russian email address.

Only 16 out of 39 antivirus engines detected the malicious software as a dangerous Trojan, because cybercriminals keep upgrading their botnet to evade different AV products (F-Secure detected the Trojan as Suspicious:W32/Riskware!Online).

Apache SpamAssassin New Release

A new version of the SpamAssassin anti-spam filter has been released today; the free anti-spam solution is widely used by hundreds of thousands of organizations around the globe.

Apache SpamAssassin 3.3.0 offers a new way of updating rules for spam filtering. The rules database is now separated from the main product and loaded through automatic updates. This approach had been provided as an option in previous versions.

SpamAssassin supports a huge number of filtering mechanisms, including text analysis, Bayesian filtering, DNS blocklists, collaborative filtering databases and much more. All these methods help identify spam and reduce false positives (ham incorrectly marked as spam).

You can download Apache SpamAssassin 3.3.0 here.

Hackers Target Internet Forum Database

Boards.ie, a popular Irish discussion forum, was today forced to change all users' passwords due to a security breach in which hackers compromised part of the user database on the server.

Tom Murphy, one of the portal's founders, made an official statement that the site is “regularly the target for disruption and take continual actions to proactively protect data”.

During this attack the hackers gained access to part of the main database server, which stores usernames, email addresses and encrypted passwords of registered users. As a security measure the site started changing all users' logins and passwords and recommended that subscribers not reuse the same account credentials on other websites, to prevent identity theft.

The site started life in 1998 as a forum for the computer game Quake and now has more than 500 forums on a range of topics.

According to the most recent ABC internet traffic statistics, in November Boards.ie had more than 20m page views, averaging more than 1.1m page views a day.

Secure Live CD Ubuntu Privacy Remix 9.04r3 Is Out!

The Ubuntu Privacy Remix (UPR) developers have released a new modified version of the Ubuntu Linux operating system, which is now available for download online.

UPR is a Live CD distro that aims to provide users with an environment for safely handling personal information; the system installed on the computer running UPR remains untouched.

The risk of theft of such private data arises not only from “conventional” criminals but also from trojans, rootkits, keyloggers etc. Ubuntu Privacy Remix is a tool to protect your data against unsolicited access.

To mitigate these risks, Ubuntu Privacy Remix tries to create such a working environment on any PC with the following measures:

• The system resides on a read-only CD, so spyware and other malicious software cannot be installed permanently.
• The system completely ignores any potentially compromised local (S-)ATA hard disks.
• The system kernel is modified so that it cannot activate any network hardware: no LAN/WLAN/Bluetooth/Infrared etc.
• The system is based on free software which can be verified in source code.
• To ease working with a non-modifiable system, UPR introduces “extended TrueCrypt-Volumes”, which can store program configuration like GnuPG settings, OpenOffice dictionaries etc. permanently and securely within an encrypted volume.

The OS software components, including the system kernel, have been updated to the latest versions, and as a result the creators managed to get rid of some bugs and vulnerabilities. In addition to the CD version there is a special utility to create a bootable USB drive directly from the protected environment.

You can download Ubuntu Privacy Remix 9.04r3 here.

Software Failure or 2010 Problem!

The New Year 2010 started with an unpleasant surprise, not only for system administrators but also for many European bank customers. Many cardholders were unable to use cash machines or make payments via terminals. The problem was caused by a vulnerability in the software of the chips used with ATMs.

The bugs did not only hit ATM software but also a number of other software vendors; the first error was noticed in the spam-filtering program SpamAssassin. This was due to a default rule, FH_DATE_PAST_20XX, which caused all messages to be marked as spam and stored in the junk folder.

Security software company Symantec also faced problems in 2010 and released a bulletin reporting a bug in the Symantec Endpoint Protection Manager (SEPM) server. This error does not allow customers to install updates released after 31/12/2009, so users were left defenseless against new malware. In a blog post Symantec stated that they are working on a solution and will update customers when one becomes available.
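The failure class behind both the SpamAssassin and the SEPM problems above, as an added example (not SpamAssassin's own rule or Symantec's code): a "date is in the future" check that hard-codes a year range, beside one that compares the message date against the current clock. The regex shape, the sample Date headers and the scenario clock are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Literal-year pattern of the shape assumed here for illustration: it treats every
# year from 2010 to 2099 as "far in the future", which became wrong on 1 Jan 2010.
FUTURE_YEAR_RE = re.compile(r"\b20[1-9][0-9]\b")

# Constructed clock for the scenario: a few days into January 2010.
SCENARIO_NOW = datetime(2010, 1, 4, 12, 0, tzinfo=timezone.utc)


def brittle_date_is_future(date_header: str) -> bool:
    """Literal-year rule: fires for every Date header that mentions 2010-2099."""
    return FUTURE_YEAR_RE.search(date_header) is not None


def robust_date_is_future(date_header: str, now: datetime,
                          slack_days: int = 3) -> bool:
    """Clock-based rule: compare the parsed Date with the current time instead."""
    try:
        sent = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):
        return False  # unparsable Date: leave that to a separate rule
    if sent.tzinfo is None:  # a '-0000' zone yields a naive datetime; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return sent > now + timedelta(days=slack_days)


# Constructed sample Date headers.
SAMPLE_DATES = [
    "Sun, 27 Dec 2009 09:15:00 +0000",  # in the past
    "Mon, 4 Jan 2010 09:15:00 +0000",   # "today" for SCENARIO_NOW
    "Fri, 4 Jan 2030 09:15:00 +0000",   # genuinely far in the future
]


def compare_rules(now: datetime, dates=SAMPLE_DATES) -> list:
    """Return (header, brittle verdict, robust verdict) for each sample header."""
    return [(d, brittle_date_is_future(d), robust_date_is_future(d, now))
            for d in dates]


if __name__ == "__main__":
    for header, brittle, robust in compare_rules(SCENARIO_NOW):
        print(f"{header}: brittle={brittle} robust={robust}")
```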

Microsoft IIS 0-Day

A new vulnerability has been discovered by Soroush Dalili in the latest version of the popular Microsoft IIS web server; the vulnerability allows an attacker to bypass IIS security and remotely execute malicious code on the system.

According to the researcher, the gap exists because the web server incorrectly executes e.g. ASP code included in a file that has multiple extensions separated by “;”, with only one internal extension being equal to “.asp” (e.g. “file.asp;.jpg”). This can be exploited to upload and execute arbitrary ASP code via a third-party application that relies on file extensions to restrict uploaded file types.

Secunia, on the other hand, confirmed the vulnerability on a fully patched Windows Server 2003 R2 SP2 running Microsoft IIS version 6. Other versions may also be affected, and the suggested solution is to restrict file uploads to trusted users only.
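The weak and the hardened upload check side by side, as an added example that is not from the advisory, Secunia or IIS itself: the weak check looks only at the text after the last dot, so the “file.asp;.jpg” name from the report passes, while the hardened one rejects the “;” and any double extension and never reuses the client's file name on disk. The allowed-extension set and the sample file names are constructed for illustration.

```python
import secrets
from typing import Optional

# Constructed sample policy for an image-upload feature.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def weak_is_allowed(filename: str) -> bool:
    """Typical weak check: trusts only the text after the final dot.

    'file.asp;.jpg' ends in 'jpg', so it passes, although IIS executes the
    ';'-separated name as ASP.
    """
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def strict_is_allowed(filename: str) -> bool:
    """Hardened check: every part of the name must be what the policy expects."""
    name = filename.strip().lower()
    # ';' and path/NUL characters let one name carry more than one interpretation.
    if not name or any(c in name for c in ";/\\:\x00"):
        return False
    parts = name.split(".")
    # Exactly one extension: rejects 'shell.asp', 'a.asp.jpg', 'a..jpg' and '.jpg'.
    if len(parts) != 2 or not all(parts):
        return False
    return parts[1] in ALLOWED_EXTENSIONS


def safe_storage_name(filename: str) -> Optional[str]:
    """Never reuse the client's name on disk: keep only the validated extension."""
    if not strict_is_allowed(filename):
        return None
    ext = filename.strip().lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads, including the name from the report.
SAMPLE_NAMES = ["photo.jpg", "file.asp;.jpg", "page.asp.jpg", "shell.asp"]


def audit(names=SAMPLE_NAMES) -> dict:
    """Return {name: (weak verdict, strict verdict)} for review."""
    return {n: (weak_is_allowed(n), strict_is_allowed(n)) for n in names}


if __name__ == "__main__":
    for name, (weak, strict) in audit().items():
        print(f"{name:16} weak={weak!s:5} strict={strict}")
```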

Twitter Was Owned… No, It Was a Compromised DNS Trick!

This morning the Twitter website was out of service for two hours, and the reason for this service disruption was a DNS attack. Many users thought the website had been compromised by hackers from the “Iranian cyber army” exploiting WordPress vulnerabilities, but that was not the case: the attack was made on the DNS server, redirecting users attempting to reach the Twitter website to the hackers' website IP address.

The Twitter team posted the following on their blog:

As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.

This is not the first DNS attack we have read about in the news; there have been a large number of incidents related to DNS records, and it is now very important to start implementing DNSSEC to protect DNS servers.
