Hi malware fighters,

What banks are being attacked by zeus 3 and what countries are targeted?
http://community.ca.com/blogs/securityadvisor/archive/2010/07/12/zeus-version-3-target-spain-germany-uk-and-usa-banks.aspx
See: http://www.malwaredomains.com/wordpress/?p=1081
http://www.malwaredomainlist.com/mdl.php?search=zeus&colsearch=All&quantity=100

Remarkably, the Zeus 3 trojan only targets Spain, Germany, the United States and the U.K.

pol


Secunia Half Year Report for 2010 shows interesting trends

The report does a good job of discussing the current trends and statistics and highlights what they are seeing for vulnerabilities.

http://isc.sans.edu/diary.html


Mozilla snuffs password pilfering Firefox add-on
http://www.theregister.co.uk/2010/07/15/mozilla_blocklists_malicious_addon/
http://blog.mozilla.com/addons/2010/07/13/add-on-security-announcement/

Issue
An add-on called “Mozilla Sniffer” was uploaded on June 6th to addons.mozilla.org. It was discovered that this add-on contains code that intercepts login data submitted to any website, and sends this data to a remote location. Upon discovery on July 12th, the add-on was disabled and added to the blocklist, which will prompt the add-on to be uninstalled for all current users.

Impact to users
If a user installs this add-on and submits a login form with a password field, all form data will be submitted to a remote location. Uninstalling the add-on stops this behavior. Anybody who has installed this add-on should change their passwords as soon as possible.

Status
Mozilla Sniffer has been downloaded approximately 1,800 times since its submission and currently reports 334 active daily users. All current users should receive an uninstall notification within a day or so. The site this add-on sends data to seems to be down at the moment, so it is unknown if data is still being collected.

Mozilla Sniffer was not developed by Mozilla, and it was not reviewed by Mozilla. The add-on was in an experimental state, and all users that installed it should have seen a warning indicating it is unreviewed. Unreviewed add-ons are scanned for known viruses, trojans, and other malware, but some types of malicious behavior can only be detected in a code review.

Hi malware fighters,

Disabling autorun is not enough, a new virus vector has been found, the Windows shortcut flaw (no, it is not a feature!): “The virus is able to infect the OS in a complete new way and fashion, via a hole in the way lnk-files are being processed, without using an autorun.info file (so nothing can be detected on the malicious USB stick)”, this according to an advisory from VirusBlokAda. Re analysis: http://www.f-secure.com/weblog/archives/new_rootkit_en.pdf &
http://www.securelist.com/en/blog/269/Myrtus_and_Guava_Episode_1

So be aware when handling these flash drives/USB sticks: opening any file manager or IE is enough to place two Realtek-signed drivers there, which inject malicious code into system processes in order to hide the malcode there…
It seems this malware was specifically developed for spying on corporations, i.e. looking for Siemens WinCC SCADA systems & similar big distributed systems for energy management etc., re: http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw - the malware can reach epidemic proportions, so use a good USB av solution:
http://www.mxone.net/en/ or http://download.cnet.com/Panda-USB-Vaccine/3000-2239_4-11040112.html

polonus

mxone.net blocked by hpHosts:
http://hosts-file.net/default.asp?s=mxone.net+
http://hosts-file.net/?s=www.mxone.net&x=29&y=6

• EMD - sites engaged in malware distribution
This classification is assigned to websites engaged in the distribution of malware (e.g. adware, spyware, trojans and viruses etc).

Sites with this classification typically either contain files (e.g. cracks, keygens, adware, spyware, trojans, viruses et al) or lead to such via (for example) “fake scanners” or other social engineering and misleading tactics.

Panda-USB-Vaccine/3000-2239_4-11040112.html looks like an advertisement for Panda Cloud Antivirus ???

The only one I trust is Flash_Disinfector.exe by sUBs 8)
http://www.bleepingcomputer.com/forums/lofiversion/index.php/t229158.html

Hi YoKenny,

Clean here: Report 2010-07-15 21:03:59 (GMT 1)
Website _mxone.net
Domain Hash c6cfdae769f9e964e905ab272c77cc6b
IP Address N/A [SCAN]
IP Hostname N/A
IP Country – (–)
AS Number N/A
AS Name N/A
Detections 0 / 17 (0 %)
Status CLEAN

Scanning site with: AMaDa CLEAN
Scanning site with: BrowserDefender CLEAN
Scanning site with: Finjan CLEAN
Scanning site with: Google Diagnostic CLEAN
Scanning site with: hpHosts CLEAN
Scanning site with: Malware Patrol CLEAN
Scanning site with: MalwareDomainList CLEAN
Scanning site with: MyWOT UNRATED
Scanning site with: Norton SafeWeb UNRATED
Scanning site with: ParetoLogic URL Clearing House CLEAN
Scanning site with: PhishTank CLEAN
Scanning site with: SURBL CLEAN
Scanning site with: Threat Log CLEAN
Scanning site with: TrendMicro Web Reputation CLEAN
Scanning site with: URIBL CLEAN
Scanning site with: Web Security Guard UNRATED
Scanning site with: ZeuS Tracker CLEAN

SiteTruth say’s: This site is safe.
Google Safe Browsing say’s: This site is safe.
Threat Name: No Threat FOUND
Threat Definitions: 806935
Engine Version: 0.96.1
Host IP: 174.132.148.58
Link Status: Clean
File Size: 14.87 KB
Time Finished: 5.01 secs
Overall result: This site is secure,

polonus

New infections are not reported quickly enough :slight_smile:

Hi YoKenny,

Look here: http://www.wilderssecurity.com/showthread.php?t=236298
http://site-press.com/antivirus/antivirus-news/mx-one-usb-antivirus-tutorial-33-instalacion-en-usb/
This is from a scam site: http://www.articlesbase.com/security-articles/how-to-remove-mx-one-automatically-mx-one-removal-instructions-1910840.html
Re: http://www.remove-malware.com/forums/viewtopic.php?f=22&t=6070
Only if you try to download illegally will you be confronted with: htxp://filespump.com/index.html
which was seized by the US government: http://mybroadband.co.za/vb/showthread.php/246753-Filespump.com-siezed-by-US-goverment

polonus

March 16th, 2009, 03:06 PM :o

http://site-press.com/antivirus/antivirus-news/mx-one-usb-antivirus-tutorial-33-instalacion-en-usb/
This is from a scam site: http://www.articlesbase.com/security-articles/how-to-remove-mx-one-automatically-mx-one-removal-instructions-1910840.html
Re: http://www.remove-malware.com/forums/viewtopic.php?f=22&t=6070
Only if you try to download illegally will you be confronted with: htxp://filespump.com/index.html
which was seized by the US government: http://mybroadband.co.za/vb/showthread.php/246753-Filespump.com-siezed-by-US-goverment

polonus

You are quoting old references.
It's now July and those references are as old as sour milk or moldy cheese.

Hi YoKenny,

But what can protect us then from this new USB stick rootkit malware?
MS is studying it; it has already infected over 16.000 computers worldwide… starting from India,
where it was created with 2 Realtek-certified drivers… so nothing shows up on the malcoded stick,
it does not need autorun to infect, just a shortcut link and hoopla…
and we have malware here with a certificate (not valid anymore, but it is not checked for that),
so what is next, MS-certified malware?

polonus

Backgrounds of the current Twitter Spam mails increase
http://www.emsisoft.com/en/kb/articles/tec100714/
asyn

Week in review: New ZeuS version and multi-stage cyber attacks


http://www.net-security.org/secworld.php?id=9594

nmb

Hi folks,

This new hole will haunt Windows XP SP2 forever, so get SP3 or use this tool (Ariad), from here:
http://blog.didierstevens.com/programs/ariad/

polonus

MS confirms Windows shortcut zero-day flaw
http://www.theregister.co.uk/2010/07/19/win_shortcut_vuln/

Microsoft has confirmed the presence of a zero-day vulnerability in Windows, following reports of sophisticated malware-based hacking attacks on industrial control systems that take advantage of the security flaw.

Security shortcomings in Windows shortcuts (.lnk files) are being exploited by the Stuxnet rootkit, an information-stealing threat that targets industrial and power plant control systems. The malware - which has been detected in the wild - executes automatically if an infected USB stick is accessed in Windows Explorer.

The attack features rootkit components designed to hide the presence of the information-stealing payload on compromised systems. The digital certificate, assigned to legitimate firm Realtek Semiconductor, used to sign the rootkit components in the malware was revoked by VeriSign last week following discovery of the attack.

sounds like Panda USB vaccine is implicitly advised ;D

see here too:
http://www.microsoft.com/technet/security/advisory/2286198.mspx

MS workaround:

Disable the displaying of icons for shortcuts

…I think I’ll wait for the hotfix instead :smiley:

Hi malware fighters,

This could become a big threat: http://blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/

pol

Stuxnet returns bigtime: http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx

posted above :wink:

Hi Logos,

This is demonstrating what an enormous threat is formed by the collective Zeus zombie army, because that is how the driver certificates used to make the Stuxnet malware were initially compromised and could be further abused to design the new malware. Zeus/Kneber botnet collectives etc. go under the radar of normal av initially (see my postings in the virus and worms section, last detection: zero detection rate), and in the USA alone 3.6 million computers are no longer owned by the folks that sit between their keyboards and chairs, but by malcreant bot herders, who even got a cybercriminal licence key to operate this menace machine herd (lowsec\local.ds.). Here is a message from someone who is not aware of that particular fact:
http://seclists.org/honeypots/2010/q2/3

A clean system by default should not have any unique ID made by the malware, so if you run the following:

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network" /v UID
– or –
REG QUERY "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network" /v UID

an infected machine would return the following data in the following format:

_ (for example, COMP1_00038EB9)

TN security info

The net has become more and more broken now and the situation is not getting any better soon, my friends, and this is a very realistic statement, not for the users that know how to practise safe hex and be well protected, but for the poor unaware clicking-on-everything-that-moves user… and all we can do is preach to the choir, or as the desolate in the desert that was never heard, specifically by parties that do not want to change the security situation as we have it.

polonus
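The registry check above, as an added PowerShell example that is not part of the original post: it queries both locations named there for a UID value and reports whether the value has the computername_8-hex-digits shape seen in the example COMP1_00038EB9. That shape is an assumption drawn from that single example, so a non-matching UID is flagged for manual review rather than dismissed.

```powershell
# Added example (not from the original post or any vendor tool): look for the
# Zeus-style UID value in the two registry locations the post names. A clean
# system is expected to have no UID value at all in either location.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network'
)

# Assumed format, inferred from the post's example COMP1_00038EB9:
# <COMPUTERNAME>_<8 hex digits>. -match is case-insensitive in PowerShell.
$pattern = '^{0}_[0-9A-F]{{8}}$' -f [regex]::Escape($env:COMPUTERNAME)

foreach ($p in $paths) {
    # SilentlyContinue: an absent key or value is simply "not present", not an error
    $item = Get-ItemProperty -Path $p -Name 'UID' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "$p : no UID value (expected on a clean system)"
        continue
    }
    $uid = [string]$item.UID
    if ($uid -match $pattern) {
        Write-Warning "$p : UID '$uid' matches the Zeus bot-ID shape; treat this host as suspect"
    } else {
        Write-Warning "$p : UID '$uid' present but in an unexpected form; review manually"
    }
}
```

A hit here is a trigger for a full offline scan and a review of the host's outbound connections, not a verdict on its own.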

Link to wake you all up: http://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot
http://www.securelist.com/en/blog/2128/Will_the_real_Zeus_botnet_please_stand_up
analysis on the malware’s complexity: http://blog.threatexpert.com/2009_09_01_archive.html

Updated Microsoft advisory: http://blogs.technet.com/b/msrc/archive/2010/07/20/security-advisory.aspx

Fixit arrives: http://support.microsoft.com/kb/2286198

nmb

tags( ;)) : LNK exploit, Stuxnet.

I don’t know whether this was posted.

GUI for Metasploit now available: http://pauldotcom.com/2010/07/metasploit-new-gui.html

Warning! Only for people who know what they are doing - (advanced users).

nmb