[+] Wayc0de's Blog[+]


Cisco Patches Slew of IOS Bugs

Cisco has patched a string of serious vulnerabilities in its IOS networking software, including some that could be used for remote code execution, and also fixed flaws in some of its other products. In all, Cisco released 10 advisories, nine of which concerned IOS vulnerabilities.

The most serious of the flaws in IOS, the company's ubiquitous network operating system, is a bug in the way that the Smart Install application works on some Cisco Catalyst switches. The problem can allow an attacker to run arbitrary code on the switch.

"A vulnerability exists in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software that could allow an unauthenticated, remote attacker to perform remote code execution on the affected device. Smart Install uses TCP port 4786 for communication. An established TCP connection with a completed TCP three-way handshake is needed to be able to trigger this vulnerability," Cisco said in its advisory.

Several of the other vulnerabilities that Cisco patched in IOS are denial-of-service flaws. In addition to those problems, there also is a serious issue in the Identity Services Engine, which has a default set of credentials for its underlying database.

"The Cisco ISE contains a set of default credentials for its underlying database. A remote attacker could use those credentials to modify the device configuration and settings or gain complete administrative control of the device," the advisory says.

The full list of Cisco advisories is available on the Cisco security support site.

10 identity management metrics that matter

Getting your organization's governance processes locked in is a tall order, but well worth it

Within the IT security community, identity- and access-management (IAM) initiatives are considered high value, but are notoriously problematic to deploy. Yet despite IAM's complexity, it represents 30 percent or more of the total information security budget of most large institutions, according to IDC (a sister company to CSO's publisher).

Ironically, the deployment difficulties stem from having to reconcile the very people and process breakdowns IAM automation is meant to solve, such as too many or too few people involved in authorizing requests, a lack of documentation for access requests and approvals, connecting to target systems with "dirty" or obsolete data, and so on. This conundrum has led to the rise of what is called identity governance.


Identity governance involves defining and executing the identity-related business processes that are most critical to the organization. For example, an engineer needs root access to the server hosting an ERP system -- who needs to approve that request? Who is the one who actually takes the action that grants that access? How does that process get documented? Where is it stored, and for how long? How can we report on it during an audit?


Getting your organization's governance processes locked in is a tall order, but well worth it. One of the many benefits of proper identity governance is that it pinpoints which identity-related processes are most in need of attention. Here are 10 of the most common measurements for gauging the effectiveness of identity governance.

1. Password reset volume per month. This one is a classic in identity management, and it's key to helping organizations measure the effectiveness of their IAM programs. Businesses typically look at password-related help desk calls, account lockouts, and self-service resets per month as good indicators of password-policy effectiveness. This metric should generally trend downward, although there may be peaks and valleys driven by business events. If it doesn't, your organization's password policies and management tools require a closer look.

2. Average number of distinct credentials per user. Another IAM classic, and for years, a key business justification for single sign-on (SSO) initiatives. The industry average ranges from 10 to 12 unique accounts per user. Organizations should strive to bring this average down as close to one as possible.

3. Number of uncorrelated accounts. These are accounts that have no owner, and occur most frequently when a change happens, such as a promotion or a termination, and that person's accounts were not transitioned properly. Too many uncorrelated accounts can lead to unnecessary risks -- they are open, live accounts that can be easily hijacked for unauthorized use.

4. Number of new accounts provisioned. This number should closely follow the number of new joiners to the organization. An effective IAM program should always account for any new user who needs to be granted access to systems and applications. If there's a discrepancy or a significant lag between the number of provisioned accounts and the total number of new joiners for a given period, that indicates inefficient processes or poor identity data.

5. Average time it takes to provision or de-provision a user. This shows how long a new user waits to get access to the resources they need to do their work. It has implicit productivity and ROI ramifications. Nine times out of 10, if someone doesn't get access to applications in a timely fashion, there are process issues behind the delay. This metric can flag a business process that needs to be reviewed and possibly adjusted.

6. Average time it takes to authorize a change. This metric can provide insight into the efficiency of an organization's approval processes. For example, if there are four people involved in approving a sales rep's access to Salesforce.com, but it takes two weeks for that approval to be granted, that's two weeks the sales rep is limited in his capacity to sell. Knowing how long it takes for approvals to be granted can help identify bottlenecks or out-of-date processes.

7. Number of system or privileged accounts without an owner. These are also known as orphaned accounts. They crop up when people who had the credentials to grant them access to important resources -- making them privileged users -- no longer need access to those resources but never had their privileges removed. The problem here is obvious -- who wants privileged accounts that don't belong to anyone floating around?

8. Number of exceptions per access re-certification cycle. A high number of exceptions is expected for new applications or user sets being brought under governance, but over time this should trend toward zero. A consistently high number of exceptions is a strong indicator of poor identity data quality (that is, lots of users having access that they should not have), or of process problems (that is, the person requesting re-certification does not have all the information they need to complete the process.)

9. Number of reconciliation exceptions. Reconciliation exceptions are typically caused by the inability of an IAM platform to reliably tie an identity to an account in a target system. This is usually the result of manual entry errors (that is, user names or unique identifiers are not matched), or worse yet, of an account created by backdoor channels. These exceptions should trend toward zero over time, and any spikes should trigger a thorough investigation and further discussion.

10. Separation of duty violations. Examples of separation of duty violations include developers who have admin access to production databases and traders who can submit and approve their own transactions. These are more difficult to catch and measure, given their sophistication and cross-application nature, but are also the riskiest to miss, given the potential damage that could be inflicted if they're exploited. Exploitations of these problems are the kind that often make headlines. The organization should implement preventive controls to monitor these violations, report them and orchestrate their remediation.
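Three of the metrics above (3, 7 and 10) can be computed directly from an account inventory joined against the HR roster. The script below is an added example, not part of the original article; the roster, accounts and toxic-combination rules are constructed for illustration.

```python
"""Compute identity-governance metrics 3, 7 and 10 over constructed sample data:
uncorrelated accounts, orphaned privileged accounts and separation-of-duty
(SoD) violations. Every record below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Account:
    system: str           # target system the account lives in
    name: str             # account name in that system
    owner: str            # HR id the account was correlated to ("" if none)
    privileged: bool      # admin / system account
    roles: Tuple[str, ...]


# Constructed HR roster: HR ids of currently active employees.
ACTIVE_EMPLOYEES: Set[str] = {"e100", "e101", "e102", "e103"}

# Constructed account inventory pulled from the target systems.
ACCOUNTS: List[Account] = [
    Account("erp", "alice", "e100", False, ("ap.invoice.create",)),
    Account("erp", "bob", "e101", False, ("ap.invoice.create", "ap.invoice.approve")),
    Account("erp", "svc_batch", "", True, ("erp.admin",)),
    Account("prod-db", "carol", "e102", True, ("db.admin",)),
    Account("git", "carol", "e102", False, ("repo.write",)),
    Account("git", "contractor7", "", False, ("repo.write",)),
    Account("prod-db", "dave", "e999", True, ("db.admin",)),  # owner has left
    Account("trading", "erin", "e103", False, ("trade.submit", "trade.approve")),
    Account("trading", "old_admin", "", True, ("trading.admin",)),
]

# Toxic role combinations (constructed), checked across all of a person's
# accounts because SoD conflicts usually span more than one system.
SOD_RULES: List[Tuple[str, str]] = [
    ("ap.invoice.create", "ap.invoice.approve"),
    ("trade.submit", "trade.approve"),
    ("repo.write", "db.admin"),   # developer with admin on a production database
]


def uncorrelated_accounts(accounts: List[Account], active: Set[str]) -> List[Account]:
    """Metric 3: accounts with no owner, or whose owner is no longer active."""
    return [a for a in accounts if a.owner == "" or a.owner not in active]


def orphaned_privileged(accounts: List[Account], active: Set[str]) -> List[Account]:
    """Metric 7: the privileged subset of the uncorrelated accounts."""
    return [a for a in uncorrelated_accounts(accounts, active) if a.privileged]


def sod_violations(accounts: List[Account], rules: List[Tuple[str, str]]):
    """Metric 10: union each owner's roles across systems, then test each rule."""
    roles_by_owner: Dict[str, Set[str]] = {}
    for a in accounts:
        if a.owner:
            roles_by_owner.setdefault(a.owner, set()).update(a.roles)
    hits: List[Tuple[str, str, str]] = []
    for owner, roles in sorted(roles_by_owner.items()):
        for left, right in rules:
            if left in roles and right in roles:
                hits.append((owner, left, right))
    return hits


def governance_report(accounts=ACCOUNTS, active=ACTIVE_EMPLOYEES, rules=SOD_RULES):
    """Counts for metrics 3 and 7 plus the full list of SoD hits for metric 10."""
    return {
        "uncorrelated": len(uncorrelated_accounts(accounts, active)),
        "orphaned_privileged": len(orphaned_privileged(accounts, active)),
        "sod_violations": sod_violations(accounts, rules),
    }


if __name__ == "__main__":
    for key, value in governance_report().items():
        print(key, value)
```

The report counts four uncorrelated accounts, three of them privileged, and flags one SoD conflict per affected person; trend these numbers per re-certification cycle rather than reading them once.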

It's often hard to understand the scope and ramifications of these kinds of people and process breakdowns until you take concrete steps to address them. That is part of the reason IAM and identity governance are perceived as daunting and, at times, painful. But only with metrics can the organization measure its effectiveness and success in efficiently managing user access, and make the necessary adjustments to reap significant security, compliance and operational benefits. If you have started an identity governance initiative, do your best to track some of these metrics -- you'll be glad you did.




Russian security company adds BlackBerry password cracker

Elcomsoft says its software can extract a master device password from an encrypted BlackBerry memory card

A Russian security company has upgraded a phone-password cracking suite with the ability to figure out the master device password for Research in Motion's BlackBerry devices.

Elcomsoft said on Thursday that before it developed the product, it was believed that there was no way to figure out a device password on a BlackBerry smartphone. BlackBerry smartphones are configured to wipe all data on the phone if a password is typed incorrectly 10 times in a row, the company said.


Elcomsoft said it figured a way around the problem using a BlackBerry's removable media card, but only if a user has configured their smartphone in a certain way. In order for Elcomsoft's software to be successful, a user must have enabled the feature to encrypt data on the media card.

The feature is disabled by default, but Elcomsoft said around 30 percent of BlackBerry users have it enabled for extra security.

The company's software can then analyze the encrypted media card and use a brute-force method to figure out a password, which involves trying millions of possible password combinations per second until one works.

Elcomsoft said it can recover a seven-character password in less than an hour if the password is all lower-case or all capital letters. The software does not need access to the actual BlackBerry device but just the encrypted media card.

The new feature is wrapped into Elcomsoft's Phone Password Breaker. It costs £79 ($123) for the home edition and £199 for the full-featured suite, which can also recover plain-text passwords used to access encrypted backup files for Apple's iPhone, iPad and iPod Touch devices. To crack those passwords, a user does need to have the Apple device in hand.

The BlackBerry password recovery feature is only available in the professional edition. Elcomsoft has published a chart comparing the two versions.

The backup files contain sensitive data including call logs, SMS archives, calendars, photos, email account settings, a person's Web browsing history and more.

Elcomsoft reserves some of its password-cracking software strictly to vetted law enforcement, such as its iOS Forensic Toolkit, which can extract passwords and decrypt a device's file system.



Mozilla Fixes 11 Security Bugs in Firefox 7 Release

Mozilla has released Firefox 7, the latest version of its flagship browser, which includes a number of security fixes and other improvements. The new version is being touted as the fastest yet and also includes a new feature meant to conserve memory on users' PCs.

Firefox 7 was pushed out on Wednesday and users who have the automatic update functionality in place should see it downloaded to their machines soon. The new browser is designed to run much faster than even the version that was released just six weeks ago, thanks to improvements in the way that Firefox handles memory usage.

"Firefox 7 now uses much less memory than previous versions: often 20% to 30% less, and sometimes as much as 50% less. This means that Firefox and the websites you use will be snappier, more responsive, and suffer fewer pauses. It also means that Firefox is less likely to crash or abort due to running out of memory," Mozilla officials wrote in a blog post.

"Mozilla engineers started an effort called MemShrink, the aim of which is to improve Firefox’s speed and stability by reducing its memory usage. A great deal of progress has been made, and thanks to Firefox’s faster development cycle, each improvement made will make its way into a final release in only 12–18 weeks. The newest update to Firefox is the first general release to benefit from MemShrink’s successes, and the benefits are significant."

In addition to the memory improvements, there are also fixes for 11 security vulnerabilities in Firefox 7, including eight critical flaws.

The full list of security fixes:

MFSA 2011-45 Inferring Keystrokes from motion data
MFSA 2011-44 Use after free reading OGG headers
MFSA 2011-43 loadSubScript unwraps XPCNativeWrapper scope parameter
MFSA 2011-42 Potentially exploitable crash in the YARR regular expression library
MFSA 2011-41 Potentially exploitable WebGL crashes
MFSA 2011-40 Code installation through holding down Enter
MFSA 2011-39 Defense against multiple Location headers due to CRLF Injection
MFSA 2011-38 XSS via plugins and shadowed window.location object
MFSA 2011-37 Integer underflow when using JavaScript RegExp
MFSA 2011-36 Miscellaneous memory safety hazards (rv:7.0 / rv:

On a related note, security researchers are warning that some black hat SEO campaigns are again preying on the new Firefox release to push unsuspecting users to malicious sites. Searching for "Firefox download" can lead to some of these malicious ads on Bing, specifically, warns GFI Labs' Christopher Boyd. You're better off simply going to the official Mozilla Firefox download page or having Firefox download the update automatically.

The Inside Story of the Kelihos Botnet Takedown

Earlier this week, Microsoft released an announcement about the disruption of a dangerous botnet that was responsible for spam messages, theft of sensitive financial information, pump-and-dump stock scams and distributed denial-of-service attacks.

Kaspersky Lab played a critical role in this botnet takedown initiative, leading the way to reverse-engineer the bot malware, crack the communication protocol and develop tools to attack the peer-to-peer infrastructure. We worked closely with Microsoft’s Digital Crimes Unit (DCU), sharing the relevant information and providing them with access to our live botnet tracking system.

A key part of this effort is the sinkholing of the botnet. It’s important to understand that the botnet still exists – but it’s being controlled by Kaspersky Lab. In tandem with Microsoft’s move to the U.S. court system to disable the domains, we started to sinkhole the botnet. Right now we have 3,000 hosts connecting to our sinkhole every minute. This post describes the inner workings of the botnet and the work we did to prevent it from further operation.

Let's start with some technical background: Kelihos is Microsoft's name for what Kaspersky calls Hlux. Hlux is a peer-to-peer botnet with an architecture similar to the one used for the Waledac botnet. It consists of layers of different kinds of nodes: controllers, routers and workers. Controllers are machines presumably operated by the gang behind the botnet. They distribute commands to the bots and supervise the peer-to-peer network's dynamic structure. Routers are infected machines with public IP addresses. They run the bot in router mode, host proxy services, participate in a fast-flux collective, and so on. Finally, workers are, simply put, infected machines that do not run in router mode. They are used for sending out spam, collecting email addresses, sniffing user credentials from the network stream, etc. A sketch of the layered architecture is shown below with a top tier of four controllers and worker nodes displayed in green.

Figure 1: Architecture of the Hlux botnet

Worker Nodes

Many computers that can be infected with malware do not have a direct connection to the Internet. They are hidden behind gateways, proxies or devices that perform network address translation. Consequently, these machines cannot be accessed from the outside unless special technical measures are taken. This is a problem for bots that organize infected machines in peer-to-peer networks as that requires hosting services that other computers can connect to. On the other hand, these machines provide a lot of computing power and network bandwidth.

A machine that runs the Hlux bot would check if it can be reached from the outside and if not, put itself in the worker mode of operation. Workers maintain a list of peers (other infected machines with public IP addresses) and request jobs from them. A job contains things like instructions to send out spam or to participate in denial-of-service attacks. It may also tell the bot to download an update and replace itself with the new version.

Router Nodes

Routers form some kind of backbone layer in the Hlux botnet. Each router maintains a peer list that contains information about other peers, just like worker nodes. At the same time, each router acts as an HTTP proxy that tunnels incoming connections to one of the Controllers. Routers may also execute jobs, but their main purpose is to provide the proxy layer in front of the controllers.


The controller nodes are the top visible layer of the botnet. Controllers host a nginx HTTP server and serve job messages. They do not take part in the peer-to-peer network and thus never show up in the peer lists. There are usually six of them, spread pairwise over different IP ranges in different countries. Each two IP addresses of a pair share an SSH RSA key, so it is likely that there is really only one box behind each address pair. From time to time some of the controllers are replaced with new ones. Right before the botnet was taken out, the list contained the following entries:

The Peer-to-Peer Networks

Every bot keeps up to 500 peer records in a local peer list. This list is stored in the Windows registry under HKEY_CURRENT_USER\Software\Google together with other configuration details. When a bot starts on a freshly infected machine for the first time, it initializes its peer list with some hard-coded addresses contained in the executable. The latest bot version came with a total of 176 entries. The local peer list is updated with peer information received from other hosts. Whenever a bot connects to a router node, it sends up to 250 entries from its current peer list, and the remote peer sends 250 of its entries back. By exchanging peer lists, the addresses of currently active router nodes are propagated throughout the botnet. A peer record stores the information shown in the following example:

m_live_time: 22639 seconds
m_last_active_time: 2011-09-08 11:24:26 GMT
m_listening_port: 80
m_client_id: cbd47c00-f240-4c2b-9131-ceea5f4b7f67

The peer-to-peer architecture implemented by Hlux has the advantage of being very resilient against takedown attempts. The dynamic structure allows for fast reactions if irregularities are observed. When a bot wants to request jobs, it never connects directly to a controller, no matter if it is running in worker or router mode. A job request is always sent through another router node. So, even if all controller nodes go off-line, the peer-to-peer layer remains alive and provides a means to announce and propagate a new set of controllers.

The Fast-Flux Service Network

The Hlux botnet also serves several fast-flux domains that are announced in the domain name system with a TTL value of 0 in order to prevent caching. A query for one of the domains returns a single IP address that belongs to an infected machine. The fast-flux domains provide a fall-back channel that can be used by bots to regain access to the botnet if all peers in their local list are unreachable. Each bot version contains an individual hard-coded fall-back domain. Microsoft unregistered these domains and effectively decommissioned the fall-back channel. Here is the set of DNS names that were active before the takedown – in case you want to keep an eye on your DNS resolver. If you see machines asking for one of them, they are likely infected with Hlux and should be taken care of.


The botnet further used hundreds of sub-domains of ce.ms and cz.cc that can be registered without a fee. But these were only used to distribute updates and not as a backup link to the botnet.


A bot that can join the peer-to-peer network won't ever resolve any of the fall-back domains – it does not have to. In fact, our botnet monitor has not logged a single attempt to access the backup channel during the seven months it was operated as at least one other peer has always been reachable.
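The fast-flux paragraph above suggests watching your resolver for lookups of the fall-back domains. The following detection script is an added example and not part of the original post; the log format and the domain names in the watchlist are constructed placeholders, since the real fall-back domain list is not reproduced here, and it also flags the TTL-0, single-answer pattern the post describes.

```python
"""Scan resolver log lines for (a) queries for known Hlux fall-back domains
and (b) the fast-flux signature described in the post: a TTL of 0 and a
single A record in the answer. Log format and domains are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Placeholder watchlist (constructed); substitute the published fall-back domains.
WATCHLIST: Set[str] = {"fallback-example-1.invalid", "fallback-example-2.invalid"}

# Constructed log format: "<timestamp> <client_ip> <qname> A <ttl> <answer_count>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d{1,3}(?:\.\d{1,3}){3}) (?P<qname>\S+) A "
    r"(?P<ttl>\d+) (?P<answers>\d+)$"
)

# Constructed sample log: one benign lookup, two watchlist hits from the same
# client, one TTL-0 single-answer lookup of an unlisted name, one junk line.
SAMPLE_LOG = """\
2011-09-28T10:00:01Z 10.1.2.3 www.example.com A 300 2
2011-09-28T10:00:02Z 10.1.2.7 fallback-example-1.invalid A 0 1
2011-09-28T10:00:03Z 10.1.2.3 cdn.example.net A 60 4
2011-09-28T10:00:05Z 10.1.2.9 update.unknown-host.invalid A 0 1
2011-09-28T10:00:06Z 10.1.2.7 fallback-example-2.invalid A 0 1
this line is not a query record
"""


def parse(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ttl"] = int(rec["ttl"])
    rec["answers"] = int(rec["answers"])
    return rec


def looks_fast_flux(rec: dict) -> bool:
    """TTL 0 (caching disabled) and exactly one IP per answer, as described above."""
    return rec["ttl"] == 0 and rec["answers"] == 1


def scan(log_text: str, watchlist: Set[str] = WATCHLIST) -> Dict[str, List[str]]:
    """Return suspicious client IPs grouped by reason, de-duplicated and sorted.

    A watchlist hit is reported only once even when the same query also shows
    the fast-flux pattern, so a host is not counted twice for one lookup.
    """
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        qname = rec["qname"].rstrip(".").lower()
        if qname in watchlist:
            hits["watchlist"].add(rec["client"])
        elif looks_fast_flux(rec):
            hits["fast_flux_pattern"].add(rec["client"])
    return {reason: sorted(clients) for reason, clients in hits.items()}


if __name__ == "__main__":
    for reason, clients in scan(SAMPLE_LOG).items():
        print(reason, clients)
```

A watchlist hit is strong evidence on its own, but the TTL-0 pattern alone is only a triage signal because some legitimate services also use very low TTLs; treat "fast_flux_pattern" hosts as candidates for a closer look rather than confirmed infections.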

The communication for bootstrapping and receiving commands uses a special custom protocol that implements a structured message format, encryption, compression and serialization. The bot code includes a protocol dispatcher to route incoming messages (bootstrap messages, jobs, SOCKS communication) to the appropriate functions while serving everything on a single port. We reverse engineered this protocol and created some tools for decoding botnet traffic. Being able to track bootstrapping and job messages for an intentionally infected machine provided a view of what was happening with the botnet, when updates were distributed, what architectural changes were undertaken and also, to some extent, how many infected machines participate in the botnet.

Figure 2: Hits on the sinkhole per minute

This Monday, we started to propagate a special peer address. Very soon, this address became the most prevalent one in the botnet, resulting in the bots talking to our machine, and to our machine only. Experts call such an action sinkholing – bots communicate with a sinkhole instead of its real controllers. At the same time, we distributed a specially crafted list of job servers to replace the original one with the addresses mentioned before and prevent the bots from requesting commands. From this point on, the botnet could not be commanded anymore. And since we have the bots communicating with our machine now, we can do some data mining and track infections per country, for example. So far, we have counted 49,007 different IP addresses. Kaspersky works with Internet service providers to inform the network owners about the infections.

Figure 3: Sinkholed IP addresses per country

What now?

The main question is now: what is next? We obviously cannot sinkhole Hlux forever. The current measures are a temporary solution, but they do not ultimately solve the problem, because the only real solution would be a cleanup of the infected machines. We expect that the number of machines hitting our sinkhole will slowly decline over time as computers get cleaned and reinstalled.

Microsoft said their Malware Protection Center has added the bot to their Malicious Software Removal Tool. Given the spread of their tool this should have an immediate impact on infection numbers. However, in the last 16 hours we have still observed 22,693 unique IP addresses. We hope that this number is going to be much lower soon.

Interestingly, there is one other theoretical option to ultimately get rid of Hlux: we know how the bot's update process works. We could use this knowledge and issue our own update that removes the infections and terminates itself. However, this would be illegal in most countries and will thus remain theory.

Windows 8 security: Stronger but gentler

Microsoft's next operating system incorporates more security than Windows Vista, with fewer annoying upfront notifications

The Metro GUI is the most visible representation of Microsoft's coming operating system. While the release of the tentatively named Windows 8 is still a year away, the company has not been shy about putting the multicolor tiled interface front and center.

Windows 8's security improvements will be much less visible, and that's just the way Microsoft wants it. The company has added a number of protection features to Windows 8 to better protect the system, all the while making the security less intrusive by limiting the number of notifications a user may receive.

For example, the company's SmartScreen technology for detecting potentially malicious sites -- introduced with Internet Explorer 8 -- will be built right into the OS to allow any file downloaded to a Windows 8 computer to be checked out by the system, yet the protection should not alert the average user more than twice a year, Microsoft says.

The higher signal-to-noise ratio will likely make users pay more attention to the truly dangerous incidents, Steven Sinofsky, president of Microsoft's Windows and Windows Live division, writes in a blog post on Microsoft's Developer Network.

"When they do see (a notice), it will signify a higher risk scenario," he says in a description of the feature.

Using its telemetry data, Microsoft has found that 95 percent of Internet Explorer 9 users do not run malicious software when they receive a SmartScreen warning. Once a user receives a SmartScreen warning, their chance of getting malware if they run the suspect program varies from 25 to 70 percent, according to Microsoft. Some 92 percent of applications downloaded by users already have an established reputation, so SmartScreen does not issue a notification.

Allowing SmartScreen to check applications downloaded by other browsers and applications is not the only feature Microsoft has added. Here are the ones currently announced.

Improving Windows Defender

Microsoft noticed a disturbing trend among Windows 7 users: While almost all users had antivirus protection following the purchase of Windows 7 -- due, most likely, to trial subscriptions shipped with new PCs -- almost a quarter of them let those subscriptions lapse in the ensuing months.

The company plans to make Windows Defender a baseline security solution, which will block all commonly used malware, worms, Trojan horses, and other attacks. Microsoft plans to use a file system filter to better protect critical files.

Making Windows 8 harder to exploit

Like Apple did with its security improvements to Mac OS X Lion, Microsoft plans to harden the operating system to attack. With each release, both Apple and Microsoft have bolstered a key anti-exploit technology known as ASLR (address space layout randomization). Windows 8 is no different: More components of Windows will use ASLR, and the memory randomization will be better.

Microsoft will bring a lot of security improvements to the kernel and a dynamically assigned area of memory known as the heap. Finally, the company plans to add defenses to Internet Explorer to eliminate "use-after-free" vulnerabilities, which make up three-quarters of the flaws reported in IE in the past two years. Basically, we can expect Internet Explorer to do a better job of cleaning up after itself and flushing away sensitive data after it has been used.

Supporting UEFI Secure Boot

Finally, Microsoft will use the UEFI (Unified Extensible Firmware Interface) to implement a secured boot process. UEFI Secure Boot allows the firmware to cryptographically verify the integrity of the computer's environment, preventing malicious software from executing before the computer boots into the operating system.

Secure Boot uses the Trusted Platform Module, a piece of hardware that has shipped in millions of systems, but largely remains unused. Microsoft had planned a similar feature, dubbed Secure Startup, in Windows Vista in 2005, but faced industry concerns that the company could block the installation of other operating systems on PC hardware.

Hardware OEMs will be required to support the architecture, but otherwise, Microsoft claims it will be vendor neutral. While the company's aim is quiet security, expect this feature to create a fairly loud debate.



Don't fight cybercrime on your own - do it with Synergy!

Project Synergy is the name of an ongoing annual series of conferences organised by the Queensland Police Service.

Sophos has been sponsoring, attending and speaking at these events for several years; we've also written about them numerous times on Naked Security.

We've written about Romanian card-skimming gangs, recounted the pain suffered by the victims of hi-tech crime, presented talks on the risk posed by apparently-innocent file formats, and warned about the growing tendency of cybercriminals to target those who can least afford to get scammed.

The Project Synergy events aren't just for cops or law enforcement agents. Quite the opposite - the events are intended to bring together all of us who have an interest in helping to protect our economy from cybercrime.

If you're an anti-virus researcher, a computer security consultant, a penetration tester, a fraud investigator or an auditor; if you're from the financial sector, an ISP, a community group, a social media company, an online store (or, of course, from any branch of law enforcement), these events could be just the thing for you.

Both the size and scale of internet-enabled crime are vast, from the peddlers of fake anti-virus software who can suck in $72,000,000 by conducting nearly one million fraudulent transactions for just $75 each, to the financial scammers who spend months convincing targeted individuals to invest their entire retirement income in fraudulent schemes.

So, if you've got any interest in disrupting and preventing cybercriminality then you'll know how big a task it sometimes seems.

You probably keep asking yourself, "How can I possibly make a difference on my own?"

At the Project Synergy events, you get to meet a whole bunch of people - many of whom will become good contacts, probably even good friends - who will remind you that you aren't on your own.

You become part of a virtual global team of people who share your goals. People who can help you, and whom you can help.

I'll be heading up to the Gold Coast in Queensland, Australia, on Monday next week (03 October 2011) for the final event in this year's Project Synergy series: the Identity and Hi-Tech Crime Symposium 2011.

I'm going to be giving a live demonstration of how Search Engine Poisoning works, and how to combat it.

By the way, there are still seats left at the event, rooms at the hotel where it's being held (I just checked!), and a special delegate rate at the hotel.

So, if you're in this part of the world, why not give some thought to a last-minute registration?

It's at the Royal Pines Resort on Queensland's Gold Coast, and runs from Monday evening (03 Oct 2011) to Thursday early afternoon (06 Oct 2011). The fee is AU$1800, which includes a welcome party, a gala dinner, and luncheon plus morning/afternoon tea each day.

You also get an all-important Fiscal the Fraud Fighting Ferret laptop bag :-)

Hope to see you there!

Microsoft's botnet shutdown won't stop Mac malware

There has been much discussion of the shutdown of the Kelihos botnet this week by Microsoft and Kaspersky. It is the third such action by the Microsoft Active Response for Security (MARS) initiative in recent memory.

Taking down botnets is always good news and even better Microsoft named an individual defendant in their US court case this time.

The owner of the cz.cc domain, Dominique Alexander Piatti, was named and Microsoft received permission from the court to disable the entire cz.cc domain and several other abused .com registrations.

cz.cc subdomains are frequently seen being used for all sorts of botnet control, fake anti-virus, spam sites and for other malicious purposes.

SophosLabs have protected our Sophos Web Security Appliance and endpoint web customers from cz.cc domains for quite some time due to the high number of dangerous sites.

Some journalists were also commenting on Microsoft's mention of the Mac Defender malware having been hosted on cz.cc domains. Some suggested that this would stop the criminals from targeting OS X users.

The vanishing of Mac Defender is much more likely the result of Pavel Vrublevsky being arrested and other FBI fake anti-virus arrests.

We have seen two new Trojans for OS X just this week which join botnets and can be used to steal sensitive data. One was built to look like a PDF file and the one Graham wrote about today pretended to be a Flash Player updater.

The sad fact is that Mac users are increasingly being targeted by these digital thugs and need to take security very seriously. Even without the threat from cz.cc domains, Mac users should take advantage of our free Sophos Anti-Virus for Mac Home Edition.

Just as there are now botnets, data stealers and remote control malware for OS X, criminals will find domain name registration services other than cz.cc.

While all of us will be a little safer without Kelihos and cz.cc, we still need to take security seriously for our own peace of mind (and data security).

Inside a Modern Mac Trojan

Mac malware is back in the news again. Last week, security firm F-Secure warned that it had discovered a Trojan built for OS X that was disguised as a PDF document. It’s not clear whether this malware is a present threat — it was apparently created earlier this year — but the mechanics of how it works are worth a closer look because it challenges a widely-held belief among Mac users that malicious software cannot install without explicit user permission.

F-Secure said the Mac malware, Trojan-Dropper:OSX/Revir.A, may be attempting to copy a technique long used by Windows malware, which disguises an executable with a “.pdf.exe” double extension and an accompanying PDF icon. F-Secure was careful to note that the payload installed by the dropper, Backdoor:OSX/Imuler.A, phones home to a placeholder page on the Web that does not appear to be capable of communicating back to the Trojan at the moment.

I wanted to understand a bit more about how this Trojan does its dirty work, so I contacted Broderick Aquilino, the F-Secure researcher who analyzed it.

Aquilino said the sample is a plain Mach-O binary, which we’ll call “Binary1”, that contains a PDF file and another Mach-O binary (“Binary2”). Mach-O, short for Mach object, is the file format for executables on OS X.

According to Aquilino, when you run Binary1, it will extract the PDF file from its body, drop it in the Mac’s temporary or “tmp” directory, and then open it. This is merely a decoy, as Binary1 continues to extract Binary2 from itself — also into the “tmp” directory — and then runs the file.

Upon execution, Binary2 downloads another binary from [omitted malware download site] and saves it as /tmp/updtdata. For the sake of continuity, we’ll call this latest file “Binary3.” Binary2 then executes Binary3, which opens a backdoor on the OS X host designed to let attackers administer the machine from afar.

“All of this happens without the user needing to input their password,” Aquilino said.

Aquilino believes the Trojan drops its files into the “tmp” directory because the malware is not meant to be permanent.

“Another reason could be that the Trojan is avoiding the need for users running under a Standard account to be authenticated with an Admin account just to be able to infect the system,” he said. “Standard accounts only have access to their home directory and those such as /tmp. However, the account created by OS X setup is an Admin account. Therefore, I believe most will be running under it.

Given that assumption, other malware can choose to run in a directory such as /Application, just as in the case of the fake MacDefender rogue. Take note, though, that unlike in earlier Windows versions, Admin accounts in OS X are still required to input their password if malware chooses to put its files in a system directory such as /System/Library. I don’t see the need for malware to do that, though.”

Aquilino said the malware nevertheless has the potential to be very persistent.

“Upon execution, the downloaded copy of the backdoor (/tmp/updtdata) will create a copy called /users/%user%/library/LaunchAgents/checkvir. It will also create a corresponding launch point in /users/%user%/library/LaunchAgents/checkvir.plist to make sure it still runs after the user reboots the system. Take note of the casing in ‘library’ instead of ‘Library.’ This may be the reason why the sample didn’t work on some test machines. Again, no password is needed since the backdoor installs its files in the user’s home directory (%user%).”

Aquilino observed that the backdoor will only run when the infected account logs in, but he said this doesn’t mean that other accounts on the infected machine are safe.

“The risk is the same if these accounts save their files in shared volumes where the infected account has permission to,” he said.

In other Mac malware news, Mac security vendor Intego is warning about an OS X Trojan called “Flashback” that disguises itself as a Flash update.

It’s worth noting that these threats, like most of those facing Windows users today, rely on social engineering — tricking the user into clicking an attachment or link. Regardless of which operating system you use, it’s a good idea to develop a healthy sense of skepticism and paranoia about any unexpected documents that arrive via e-mail, or random prompts to “update” software. Rule #1 from my 3 Basic Rules for Online Safety applies just as well to Mac users as it does folks using Windows: “If you didn’t go looking for it, don’t install it!”

I still don’t believe it’s necessary for Mac users to install anti-virus software, but for those who disagree there are certainly a number of free and affordable options for anti-malware protection on OS X. Sophos offers a free anti-virus product for the Mac, as do ClamXav and PC Tools. There are also several non-free options.

Mozilla puts Firefox 7 on memory diet, patches 11 bugs

The company also continues to support Firefox 3.6 with security updates for enterprise users

Mozilla yesterday patched 11 vulnerabilities in the desktop edition of Firefox as it upgraded the browser to version 7.

The company has batted a thousand so far in its rapid release schedule: Firefox 7 marks the third consecutive upgrade that Mozilla has met its every-six-week deadline for a new version of the browser.

Mozilla switched to the faster release tempo last March, when some wondered whether the open-source company -- which has historically struggled to ship on time -- would be able to make its milestones.

The biggest improvement to Firefox 7 is a reduction in memory use. Mozilla has previously claimed that the upgrade slashes memory consumption by as much as 50 percent.

"Firefox [7] manages memory more efficiently to deliver a nimble Web browsing experience," Mozilla said Tuesday when it launched the new edition. "Users will notice Firefox is faster at opening new tabs, clicking on menu items and buttons on websites."

Most users will see a 20 to 30 percent reduction in memory usage compared to Firefox 4, Mozilla said, but in some situations that can climb to 50 percent.

In an accompanying blog post on the Firefox 7 memory changes, Mozilla said that Windows users will see the most benefit.

The company also claimed that the memory diet has boosted the browser's performance, especially in scenarios where users have opened numerous tabs and leave Firefox running for long stretches.

Firefox has long been knocked as hogging memory, criticism that prompted Mozilla to kick off the "MemShrink" project, which was designed to drive down Firefox's memory use and close "memory leaks" -- bugs that prevent memory from being released to the system when tabs are closed.

Other changes that debuted in Firefox 7 included a new hardware acceleration framework to speed up HTML5 rendering, and an opt-in tool called Telemetry that lets users send performance data to Mozilla.

Firefox 7 also patched 11 security vulnerabilities, 10 of which were rated "critical," the company's most serious threat rating; the sole exception was labeled "moderate."

Because Mozilla now bundles security patches almost exclusively with each version upgrade, users stuck on Firefox 6 or earlier must update to quash the bugs.

Two of the critical vulnerabilities patched Tuesday were in Firefox's implementation of WebGL, a 3-D rendering standard that both Firefox and Google's Chrome support. One of the pair was reported to Mozilla by a researcher with Context Information Security, a company that has cited serious security issues with WebGL.

The other was credited to a member of Google's security team.

Firefox has received several patches specific to WebGL since Context recommended users and administrators disable the standard in Mozilla's browser and in Chrome.

Mozilla also released Firefox 3.6.23 yesterday, a security update that patched four vulnerabilities. That aging edition -- Mozilla first shipped Firefox 3.6 in January 2010 -- is still maintained, in part because enterprise users have resisted adopting the rapid release cadence.

As part of a proposal called Extended Support Release, Mozilla plans to halt Firefox 3.6 security updates three months after it kicks off a less-frequent shipping schedule for corporations.

Firefox 7 can be downloaded manually from Mozilla's site, while people running Firefox 4, 5, or 6 will be offered the upgrade through the browser's own update mechanism.

The next version of Firefox is currently scheduled for release on Nov. 8.

Symantec sees surge in morphing malware and JavaScript abuse

A new social engineering technique fools users into thinking they've received a legitimate file from an office printer

Proving that most malicious hackers are more than happy to employ time-tested tactics instead of developing sophisticated new techniques and tools, Symantec has reported a huge spike in generic polymorphic malware (malware that changes shape to bypass detection) spread via good old fashioned socially engineered email messages.

That's not to say that the bad guys aren't innovating at all: "Symantec's Intelligence Report: September 2011" (PDF) noted a new social engineering twist to get users to download dangerous attachments: convincingly masking malicious emails as legitimate messages sent from office printers. The security company also has witnessed more spammers and malware authors using JavaScript to hide their activities.

Generic polymorphic malware variants accounted for 72 percent of all email-borne malware in September, compared with 18.5 percent in August and 23.7 percent in July. "This unprecedented high-water mark underlines the nature by which cyber criminals have escalated their assault on businesses in 2011, fully exploiting the weaknesses of more traditional security countermeasures," wrote Paul Wood, senior intelligence analyst at Symantec.

The challenge for cyber criminals is to dupe victims into downloading and opening dangerous attachments. One new approach entails fooling users into thinking they've received an attachment sent from an office printer that has a scan-to-email capability; this feature enables users to send scanned files directly from a printer to a specified email address.

To pull off this dupe, hackers send users malicious emails with Subject lines stating "Scan from" followed by the convincing-looking office-printer information. The message itself contains additional fake details about the so-called scanned file, including a sender's name, the number of pages, the type of file, a device number, and possibly the printer's location in an office.

This is all intended to lull targets into a sense of security such that they'll download the attached file, which turns out to be a zip file with a malicious executable.

"To be clear, office printers and scanners will not send malware-laden files, and many are unlikely to be able to send scanned documents as zip file attachments. No printer or scanner hardware was involved in the distribution process," wrote Bhaskar Krishnappa, malware analyst at Symantec.
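As an added illustration, and not Symantec's code or any rule from its report, here is the kind of mail-gateway check that catches this lure: a Subject matching the "Scan from" pattern, paired with an attachment that no scanner would produce, and in particular a zip whose members include an executable. Both sample messages are constructed for the example; the device names and addresses are made up and the "executable" inside the zip is a stub.

```python
"""Triage inbound mail against the "Scan from <printer>" lure described above:
a Subject line posing as a scan-to-email device, with a zip attachment that
really holds a Windows executable.

Added example, not Symantec's code or rules. Both messages below are
constructed; the "executable" inside the zip is a stub, not real malware.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SCAN_SUBJECT = re.compile(r"^\s*(?:(?:re|fwd?):\s*)*scan\s+from\b", re.IGNORECASE)
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
SCAN_EXTS = (".pdf", ".jpg", ".jpeg", ".tif", ".tiff", ".png")  # what a scanner emits
RANK = {"allow": 0, "quarantine": 1, "block": 2}


def executables_in_zip(blob):
    """Names of executable members in a zip blob ([] if blob is not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]
    except zipfile.BadZipFile:
        return []


def triage(raw):
    """Return (verdict, reasons) for one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    claims_scan = bool(SCAN_SUBJECT.match(str(msg.get("Subject", ""))))
    verdict, reasons = "allow", []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        blob = part.get_payload(decode=True) or b""
        execs = executables_in_zip(blob)
        if execs:
            # The lure's actual payload; block whatever the Subject says.
            level, why = "block", f"zip {name!r} contains executable(s) {execs}"
        elif claims_scan and not name.endswith(SCAN_EXTS):
            # Real scan-to-email jobs attach a PDF or an image, not a zip.
            level, why = "quarantine", f"{name!r} is not a scanner output type"
        else:
            continue
        reasons.append(why)
        if RANK[level] > RANK[verdict]:
            verdict = level
    return verdict, reasons


def _message(subject, body, filename, maintype, subtype, data):
    """Build one constructed multipart message with a single attachment."""
    msg = EmailMessage()
    msg["From"] = "mfp-2f-01@example.test"
    msg["To"] = "staff@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def build_lure():
    """The lure: fake device details in the body, a zip hiding a .exe."""
    blob = io.BytesIO()
    with zipfile.ZipFile(blob, "w") as zf:
        zf.writestr("Scan_0042.pdf.exe", b"MZ stub - constructed, not a real program")
    body = "Sent by: MFP-2F-01\nPages: 3\nFile type: ZIP\nDevice: 2nd floor copier\n"
    return _message("Scan from an office MFP #0042", body,
                    "Scan_0042.zip", "application", "zip", blob.getvalue())


def build_real_scan():
    """A genuine-looking scan job: same kind of Subject, PDF attached."""
    return _message("Scan from MFP-2F-01", "Pages: 2\n",
                    "scan_0043.pdf", "application", "pdf", b"%PDF-1.4 constructed stub")


if __name__ == "__main__":
    for label, raw in (("lure", build_lure()), ("real scan", build_real_scan())):
        print(label, *triage(raw))
```

The zip check on its own is enough to block the payload no matter what the Subject says; the Subject-plus-attachment-type check is what separates a genuine scan job (PDF or image attached) from mail that merely claims to be one, which is the distinction Krishnappa draws above.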

Additionally, Symantec reported that spammers and malware authors are increasingly using JavaScript to do their dirty deeds. And they're not just using the language to covertly redirect users to malicious sites; they're using JavaScript to obfuscate entire Web pages. Doing so enables spammers and malware authors to set up their obfuscated pages on free hosting sites without site operators realizing it.

Symantec's September Intelligence Report also covers a vulnerability in the WordPress platform, which spammers are exploiting to compromise Web servers and hide files deep within the WordPress directory structure. The files are basic HTML pages, according to Symantec, that redirect users to the Canadian Health & Care Mall spam website. Blogs hosted by WordPress itself aren't affected, according to the report; only older versions of the self-hosted software downloaded from WordPress.org are.

Other findings in Symantec's report include:
  • Spam rates dipped to 74.8 percent in September, a 1.1 percent drop since August
  • One in 447.9 emails were actually phishing attempts, marking a 0.26 percent drop month over month
  • One in 188.7 emails in September contained malware, an increase of 0.04 percent
  • The number of malicious websites blocked daily rose 1 percent since last month, up to 3,474
  • 44.6 percent of all malicious domains blocked in September were new, up 10 percent since August
  • 14.5 percent of all Web-based malware blocked in September was new, down 2.9 percent since last month

Blowback: Microsoft, OnStar Pump the Brakes on Location Tracking

Redmond, Washington, software giant Microsoft and Detroit-based GM subsidiary OnStar have backtracked on policies widely seen as egregious privacy violations following lawsuits and public outcry. Here's the news:

Windows Phone Update Requires User Consent For Tracking

Microsoft released its “Mango” update for Windows Phone which, according to a report by Tom Warren on Winrumors, addresses widespread accusations, and a related lawsuit, that the company had been tracking device locations without reasonable consent.

In a location and privacy FAQ on the Microsoft website, the company staunchly claims that the location information stored within the Windows Phone 7 devices is intended to gather information about nearby Wi-Fi access points and provide users with location based services more efficiently and effectively; this information does not uniquely identify or track devices, they say.

However, the company also says it discovered that some of that information had been periodically relayed back to Microsoft when users accessed the camera application or used its US-English voice command feature. (Whoops!) This relay of information, Microsoft claims, was unintended. The latest update resolves these and other issues. Now users must agree before the Camera application tags photos with their location, and Voice Command will no longer request location information at all.

OnStar Won't Force Automated Location Tracking

OnStar found itself in a similar situation after it was discovered that the vehicle navigation and emergency notification service was to begin monitoring the speed and location of vehicles equipped with OnStar technology on December 1, even if those owners decided to opt-out or cancel OnStar’s services.

A press release published yesterday on the OnStar website announced that the company is revising their proposed terms and conditions to make it clear that customer data will not be collected after a customer cancels their OnStar service.

“We realize that our proposed amendments did not satisfy our subscribers,” OnStar President Linda Marshall said in the statement. “This is why we are leaving the decision in our customers’ hands. We listened, we responded and we hope to maintain the trust of our more than 6 million customers.”

The appearance of GPS and other location tracking technologies in mobile phones, cars and other devices has raised concerns among privacy and civil liberties advocates in the U.S. and elsewhere. An analysis by the Wall Street Journal found that iPhones running version 4 of the company's iOS operating system appeared to track a user's location and movement regardless of whether the user enabled or disabled location tracking. Like Microsoft, Apple claimed that the phones weren't tracking specific users' movements, just using the company's huge user base to assemble an accurate list of active cell phone towers and WiFi hotspots. Software vendors, too, have been found collecting location data, often quite apart from the kind of service they provide. In just one example, the mobile phone application for the Pandora music streaming service was found to be harvesting user location data.

Security experts have wondered aloud how else these companies might use the location and movement data they collect, including how it might be used by third-party advertisers.

Zenprise offers iPad app for secure SharePoint access

Positioned as a data loss prevention tool, the app and server software focus on enforcing SharePoint content policies on iOS devices

Zenprise on Wednesday announced that the new version of its MobileManager mobile device management (MDM) suite will include a component that lets iPad and iPhone users access Microsoft SharePoint project files and transfer them from their iOS device into a secure container. The module will honor the access policies set in SharePoint, both the on-premise and Office 365 versions; thus, files can be set as read-only or uncopyable via email or transfer to other iOS apps. An Android version is planned for early 2012.

The company calls this module a data loss prevention (DLP) capability. However, unlike traditional DLP tools, it does not scan outgoing information from the corporate network to see if the sender and recipient have permission to access that data. Instead, it extends the existing SharePoint controls to iOS.

Microsoft does not support SharePoint on iOS or any mobile operating system other than its own Windows Phone, which leads many SharePoint users working on mobile devices to copy project files outside the SharePoint environment so that they can be used when traveling. Zenprise spokesman Ahmed Datoo says the DLP module is meant to address that gap in SharePoint's reach outside Microsoft environments.

Zenprise expects the updated MobileManager product to be available by December; pricing has not been set.

Microsoft kills botnet that hosted MacDefender scareware

Summary: The botnet contained about 41,000 computers worldwide and was capable of sending 3.8 billion spam e-mails per day.

Microsoft’s Digital Crimes Unit has shut down a botnet that was investigated for hosting the MacDefender scareware that preyed on Mac OS X users.

The botnet, known as Kelihos or “Waledac 2.0,” has been linked to spam messages, ID-theft attacks, pump-and-dump stock scams and websites promoting the sexual exploitation of children, according to Microsoft senior attorney Richard Domingues Boscovich.

The botnet contained about 41,000 computers worldwide and was capable of sending 3.8 billion spam e-mails per day.

For the first time since Microsoft’s anti-cybercrime team started disabling botnets, the company moved to the U.S. court system and identified a defendant that allegedly owned the domain that controlled the botnet.

In the complaint [PDF], Microsoft names Dominique Alexander Piatti alongside dotFREE Group SRO and John Does 1-22 and said they owned domains and subdomains that were used to operate and control the Kelihos botnet.

“Our investigation showed that while some of the defendant’s subdomains may be legitimate, many were being used for questionable purposes with links to a variety of disreputable online activities,” Boscovich said.

In addition to hosting the Kelihos botnet, Microsoft said its investigations revealed that the defendants’ cz.cc domain was previously linked to sub-domains responsible for delivering MacDefender, a type of scareware that infects Apple’s operating system.

In May 2011, Google temporarily blocked subdomains hosted by the cz.cc domain from its search results after it discovered it was hosting malware, although Google reinstated the subdomains after the defendant allegedly corrected the problem.  (See this public gripe from Piatti about the blocked domains).

Boscovich said the botnet was also used to promote potentially dangerous counterfeit or unapproved generic pharmaceuticals from unlicensed and unregulated online drug sellers. Kelihos also abused Microsoft’s Hotmail accounts and Windows operating system to carry out these illegal activities.

[T]his case highlights an industry-wide problem pertaining to the use of subdomains. Under U.S. law, even pawn brokers are more effectively regulated to prevent the resale of stolen property than domain owners are to prevent the use of their digital properties for cybercrime. For example, pawn shop operators must require a name, address and proper identification from customers, while by contrast there are currently no requirements necessitating domain hosts to know anything about the people using their subdomains – making it easy for domain owners to look the other way.

Through this case, we hope to demonstrate that if domain owners don’t hold themselves accountable for knowing their customers, they will be held accountable for what is happening on their infrastructure. Our goal is for this case to spur an industry-wide discussion for more public and accountable subdomain registration practices to enable a safer, more secure Internet for all users.

Piatti, who is based in the Czech Republic, has been served notice of the lawsuit. Microsoft said it is in discussions with Piatti to determine which of his sub-domains were being used for legitimate business, so that those customers could be reconnected.

Apple blocks malware-as-PDF threat but new attack emerges

Summary: Even as Apple adds detection to block a Mac OS X malware threat, researchers find new Mac malware posing as a legitimate Flash Player installation package.

Apple has quietly added detection for the recent malware attack that used PDF files as lures to trick Mac OS X users into downloading a malicious Trojan dropper. 

The detection was added into the rudimentary XProtect.plist malware blocker built into Mac OS X.

The malware, flagged as a Trojan dropper, installs a downloader component that fetches a backdoor program onto the system, while camouflaging its activity by opening a PDF file to distract the user.

However, in what has become a classic cat-and-mouse game, researchers have spotted a new Mac malware threat posing as a legitimate Flash Player installation package.

Intego explains the characteristics of the new threat:

Users visiting certain malicious websites may see a link or an icon to download and install Flash Player. Since Mac OS X Lion does not include Flash Player, some users may be fooled and think this is a real installation link. When they click the link, an installation package downloads, and, if the user is using Safari as their web browser, the Mac OS X Installer will launch. (Safari considers installer packages, with .pkg or .mpkg extensions, to be “safe” files and will launch them after download, if default settings are used.)

If the user proceeds with the installation procedure, the installer for this Trojan horse will deactivate some network security software, Intego said.

After installation, [it] will delete the installation package itself. The malware installs a dyld (dynamic loader) library and auto-launch code, allowing it to inject code into applications the user launches. This code, installed in a file at ~/Library/Preferences/Preferences.dylib, connects to a remote server, and sends information about the infected Mac to this server: this includes the computer’s MAC address, a unique identifier. This will allow the malware to detect if a Mac is infected.

The company said it has spotted this new malware in the wild but notes that it is not widely distributed.
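The two Mac Trojan write-ups above describe persistence that needs no password at all: Imuler drops checkvir and checkvir.plist into the user's (lower-case) library/LaunchAgents, and Flashback drops Preferences.dylib into ~/Library/Preferences. The script below, an added example and not code from F-Secure, Intego or either article's author, audits a home directory for exactly those classes of artefact: a launch agent whose program lives somewhere a Standard user can write, and a dynamic library sitting in a preferences folder. It runs against a constructed sample home so it can be tried anywhere; on a real Mac, pass os.path.expanduser("~") to audit_home().

```python
"""Audit a macOS home directory for the no-password persistence described in
the Mac Trojan write-ups above: a launch agent whose program sits in a
user-writable location (Imuler's checkvir under a lower-case "library"), and
a dynamic library dropped into ~/Library/Preferences (Flashback).

Added example, not code from F-Secure, Intego or the articles' authors. The
sample home is constructed in a temp dir; on a real Mac pass
os.path.expanduser("~") to audit_home().
"""
import os
import plistlib
import tempfile

# Both spellings: on a case-insensitive volume they are one directory (deduped
# by inode below); on a case-sensitive one launchd never reads the lower-case
# path, so an agent there is inert but still evidence that a dropper ran.
AGENT_DIRS = ("Library/LaunchAgents", "library/LaunchAgents")
DYLIB_DIRS = ("Library/Preferences",)
USER_TMP = ("/tmp/", "/private/tmp/", "/var/tmp/")


def _program_of(job):
    """Executable a launchd job runs: Program, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def _user_writable(path, home):
    """True if path is somewhere a Standard user can write without admin auth."""
    real = os.path.realpath(path)
    return real.startswith(USER_TMP) or real.startswith(os.path.realpath(home) + os.sep)


def audit_home(home):
    """Return (severity, path, reason) findings for one home directory."""
    findings, seen = [], set()
    for rel in AGENT_DIRS:
        d = os.path.join(home, rel)
        if not os.path.isdir(d):
            continue
        st = os.stat(d)
        if (st.st_dev, st.st_ino) in seen:   # same directory under another case
            continue
        seen.add((st.st_dev, st.st_ino))
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            p = os.path.join(d, name)
            try:
                with open(p, "rb") as fh:
                    job = plistlib.load(fh)
            except Exception as exc:            # a broken plist is worth a look too
                findings.append(("warn", p, f"unparseable plist: {exc}"))
                continue
            prog = _program_of(job)
            if prog and _user_writable(prog, home):
                at_login = bool(job.get("RunAtLoad") or job.get("KeepAlive"))
                findings.append(("high" if at_login else "medium", p,
                                 f"runs user-writable binary {prog}"
                                 + (" at login" if at_login else "")))
            if rel.startswith("library"):
                findings.append(("info", p, "agent under lower-case 'library'"))
    for rel in DYLIB_DIRS:
        d = os.path.join(home, rel)
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                if name.endswith(".dylib"):
                    findings.append(("high", os.path.join(d, name),
                                     "dynamic library in a preferences folder"))
    return findings


# Constructed sample jobs; the checkvir label and paths are the article's, the
# plist contents are our reconstruction.
BENIGN_JOB = {"Label": "com.example.updater", "RunAtLoad": True,
              "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]}
SUSPECT_JOB = {"Label": "checkvir", "RunAtLoad": True,
               "ProgramArguments": ["~/Library/LaunchAgents/checkvir"]}


def build_sample_home():
    """Create a throwaway home with one benign agent, one suspect agent, one dylib."""
    home = tempfile.mkdtemp(prefix="machome-")
    agents = os.path.join(home, "Library", "LaunchAgents")
    prefs = os.path.join(home, "Library", "Preferences")
    os.makedirs(agents)
    os.makedirs(prefs)
    job = dict(SUSPECT_JOB, ProgramArguments=[
        a.replace("~", home, 1) for a in SUSPECT_JOB["ProgramArguments"]])
    with open(os.path.join(agents, "checkvir.plist"), "wb") as fh:
        plistlib.dump(job, fh)
    with open(os.path.join(agents, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump(BENIGN_JOB, fh)
    open(os.path.join(prefs, "Preferences.dylib"), "wb").close()
    return home


if __name__ == "__main__":
    for sev, path, why in audit_home(build_sample_home()):
        print(f"[{sev}] {path}: {why}")
```

The casing detail Aquilino points out matters for the audit as well as for the malware: launchd reads ~/Library/LaunchAgents, and on the default case-insensitive volume the lower-case spelling resolves to the same directory (hence the inode dedupe), while on a case-sensitive volume it is a separate directory launchd never consults. That is one reading of why the sample failed to persist on some of his test machines, and why a lower-case "library" is still worth reporting even when it holds nothing launchd would run.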


'Pepper spray' officer named by Occupy Wall Street activists [video]

A senior officer with the New York Police Department has been named online by activists associated with Occupy Wall Street, in connection with the controversial use of pepper spray against a group of female protesters.

On Saturday, in an incident captured on video, a small group of seemingly peaceful protesters were said to have been doused with pepper spray by a uniformed officer.

Even some of the police officers seen in the video seem shocked by the use of pepper spray.

Now, after slow-motion examination of the video, the Anonymous group has published what it claims to be the spraying police officer's personal information, including phone numbers, addresses, and the names of relatives.

It is claimed that the officer was identified by online supporters of the Occupy Wall Street movement after his badge was enlarged from a photograph taken at the scene.
Clearly, feelings are running pretty high over this incident, and if police officers acted without provocation appropriate steps should be taken. If a police officer is guilty of an offence then obviously he should be punished.

But it feels very wrong to me to name a man who we have to assume is innocent until proven guilty, and especially dangerous to make public his address and the details of his family.

Anonymous is no stranger to releasing personal information of individuals in positions of authority. For instance, last month it released partially nude photographs of a man said to be Linton Johnson, the chief spokesperson for the San Francisco's BART, as well as names, postal addresses and email addresses of officers.

nb : nakedsecurity.sophos

How Anonymous emerged to Occupy Wall Street

Mocked at first by some, Occupy Wall Street is showing the potential of online 'hacktivism' allied with street protest

Occupy Wall Street protesters in Liberty Plaza, 22 September 2011. Photograph: Stephanie Keith/Demotix/Corbis

Defying harsh critiques from Stephen Colbert and slews of bloggers who scoffed last week at the "leaderless", "directionless", Frisbee-throwing hipsters camping out on cardboard at a random New York City park in the financial district, Occupy Wall Street appears to be gaining ground. From the modest 200 occupiers last week, numbers of protesters rose to an estimated peak of approximately 3,000 to 5,000 at the weekend's march. Media attention has grown exponentially. After taking their inspiration from the Egyptian "one demand" model, Occupy Wall Street have now released their list of "one" demands, bringing much-needed clarity to their objectives. The movement has moved to reach out to a broader base, including labor unions.

Last week's execution of Troy Davis also contributed to the growth of Occupy Wall Street as crowds of protesters in Zuccotti Park, renamed Liberty Plaza, swelled to approximately 1,500 last Thursday night demanding an end to capital punishment. Violence caught on camera over the weekend of police arresting approximately 80 protesters and, in one now-notorious case, apparently spraying mace into the faces of female protesters has generated an outcry over the NYPD's "cowardly" use of force on peaceful protesters. Thanks to these two incidents, says one protester, Danny Garza, "Occupy Wall Street has gotten bigger than we ever thought it could be."

But the protest's profile cannot be measured purely in numbers of street protesters: on the periphery of Liberty Plaza is a parallel internet-based activism buttressing the movement. Under the banner of the virtual collective Anonymous, these "hacktivists" are now engaged in the physical action of street protest. "Groundfags" in Liberty Park communicate back and forth with online activists. The new dynamics of combined street and online activism have significantly underpinned Occupy Wall Street as a distinctive new movement.

"We can physically be at a protest one day and the next day show up online," according to an Anonymous activist who goes by the name of "MotorMouth". The most concrete example of this symbiotic relationship is the rapid online identification by Anonymous activists of an NYPD officer they claim to have been the perpetrator in the pepper-spray incident. Naming an individual police officer may be a controversial tactic, but Occupy Wall Street has used social networking media as a positive organisational tool. When it emerged that a handful of activists were prepared to incite rioting and provoke the police days before Occupy Wall Street was to begin, Anonymous developed a Twitter application called URGE, launching an online campaign designed to quell potential violence. Anonymous "culture-jammed" Twitter with messages to keep protests peaceful, using top Twitter trends from around the world. The involvement of Anonymous activists has also helped the movement make new connections. When activists expressed outrage at Troy Davis's execution on Wednesday night, Anonymous linked the death penalty with the protests. One Anonymous figure, by the name of "Jackal", says:

"This is a new way to protest. Many of us have done our fair share of street protesting. But they drag us into the streets, and they mace us. Now we have brought our protests into the online social media space. We do it all at once – the street protesting along with our distributed denial of service [DDoS] attacks. We are a bit of an online flash mob."

What will become of Occupy Wall Street is uncertain: protesters now face eviction from Zuccotti Park; yet the movement has sparked similar activism in Chicago, Boston, Denver and other cities throughout the United States. Much has been written about the "Twitter revolution" dimension of the Arab Spring; now it looks as though, in this emerging alliance between street protest and online activism, the Arab Spring is turning to American Fall.
nb : guardian

MySql.com Site Hacked, Was Serving Malware

The main Web site of MySql.com has been compromised and on Monday afternoon was serving malware to visitors for a short time through the use of JavaScript redirects. The site, which is owned by Oracle, was sending victims off to a remote site that is using the BlackHole exploit kit to install malware on their machines.

The attack uses several stages and bounces victims to a couple of different sites during the process. Researchers at Armorize found that the main home page of MySql.com was compromised sometime on Monday and discovered that visitors hitting the site were quietly forced to load a JavaScript file. That file eventually creates an iframe that then redirects the victim to a page hosted at falosfax.in and then on to another page at hxxp://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php. The attack was disabled by mid-afternoon Monday.

Once on that page, the victim's machine was attacked by the BlackHole exploit kit, which the remote site apparently is hosting, according to Armorize's research. BlackHole is one of a number of exploit packs that are in wide use right now, and it contains pre-loaded exploits for vulnerabilities in browsers, as well as in common components and plug-ins such as Flash.

"This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection," Armorize's Wayne Huang said in a blog post.

The intermediate redirection site is located in Germany, while the final site that's serving the exploits is apparently located in Sweden. This kind of drive-by download attack is quite common and has been a favorite technique of attackers for several years now, and it often involves using JavaScript to redirect users to one or more sites in order to land them on a page that ultimately serves them malware.
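The chain described above (an injected script that creates an iframe pointing off-site) is what a site owner's integrity check should catch. The following is an added example, not code from the article or from Armorize: it parses a page with the standard library and flags script/iframe sources on a different host than the site's own, plus iframes that are effectively hidden. The sample HTML and the hostnames in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Collect <script src> and <iframe src> whose host is not the site's
    own domain (or a subdomain of it), and iframes sized 0x0 or hidden by CSS."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return                      # inline script or srcless iframe: not checked here
        host = (urlparse(src).hostname or "").lower()   # "" for relative URLs
        off_site = bool(host) and host != self.site_host \
            and not host.endswith("." + self.site_host)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = tag == "iframe" and (
            a.get("width") == "0" or a.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)
        if off_site or hidden:
            self.findings.append(
                {"tag": tag, "src": src, "off_site": off_site, "hidden": hidden})


def scan_html(html, site_host):
    """Return the list of suspicious script/iframe tags found in `html`."""
    parser = InjectionScanner(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: a legitimate page plus an injected off-site script
# and a 0x0 iframe to a placeholder redirector host (.invalid TLD).
SAMPLE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://static.example-site.com/jquery.js"></script>
<script src="http://injected.example.invalid/x.js"></script>
</head><body>
<iframe src="http://redirector.example.invalid/main.php" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE, "example-site.com"):
        print(finding)
```

Run against a known-good copy of the page as well, so that legitimate third-party hosts (CDNs, analytics) can be allow-listed and only new sources raise an alert.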

MySQL is a database platform that originally was owned by an independent entity, but was purchased by Sun Microsystems in 2008, and later became part of Oracle when that company bought Sun in 2009.

nb : threatpost

New Mac Trojan Pretends to Be Flash

Mac malware is still quite rare, but there is one new threat floating around that you should be aware of. A new Trojan for Mac OS X disguises itself as an installer for the Adobe Flash Player browser plug-in, according to security software company Intego. The good news (if you want to call it that)? This new malware doesn't appear to have spread very far as of yet.

According to Intego, this Trojan spreads via malicious sites that feature links asking you to download Flash Player (recent versions of Mac OS X don't come with Flash Player pre-installed). Instead of being taken to the Adobe Flash site when clicking the link, you'll inadvertently download the Trojan instead. The Trojan looks and acts like any typical Mac installer package--in fact, if you have the "Open 'safe' files after downloading" box checked in Safari, the installer will open automatically.

Intego is still trying to learn more about this particular Trojan, but the company says that "the installer for this Trojan horse will deactivate some network security software, and, after installation, will delete the installation package itself." From there, the Trojan "installs a dyld (dynamic loader) library and auto-launch code, allowing it to inject code into applications the user launches." Put in English, it basically turns good apps bad by making them run malicious tasks.

The malware then gathers information about your Mac, including its MAC address, and sends it to a server, which, according to Intego, "will allow the malware to detect if a Mac is infected."

But there's no need to panic: Intego says they've received only one report of this malware in the wild, so as of right now, this particular Trojan doesn't appear to have spread very far.

To keep it from spreading further, and to keep from becoming its next victim, there are a couple steps you can take. First, only download and install the version of Flash available directly from Adobe. Not only does it ensure that you'll get the real thing, but it ensures that you'll get the latest version, complete with the newest security fixes.

Also, if you use Safari, select Preferences from the Safari menu, click General, then un-check the box labeled "Open 'safe' files after downloading". This will prevent installers and other files (images, text documents, etc...) from opening automatically when you download them. In addition, don't open any downloads that you weren't expecting--this will prevent you from being taken advantage of by so-called drive-by downloads and other threats.

nb : pcworld

Alureon Rootkit Morphs Again, Adds Steganography

The Alureon rootkit has become not just a major headache for its victims, with its insidious infection routines and persistence once on a machine, but also a challenge for researchers trying to identify new versions and unwind its new tactics and techniques. The latest hurdle thrown up by Alureon is the use of steganography to hide the configuration files that update infected machines with new instructions.

The steganography usage has shown up in a specific version of Alureon that often is downloaded by a Trojan and then installed on the victim's machine. The malware has a new function that goes out to a remote Web site and downloads a new component called "com32", which, once decrypted, presents a list of URLs hosted on LiveJournal and WordPress. Each of the pages simply hosts a series of image files, which look to be harmless at first glance. But when researchers at Microsoft looked deeper into the code that is responsible for retrieving the image files, they discovered that the code looks specifically for some IMG HTML tags.

The rootkit then tries to pull down the JPEGs, and along with the image data comes a long string of characters that looks to be a password of some kind, according to the analysis by Scott Molenkamp of Microsoft's Malware Protection Center.

"After further investigation, I was able to determine that embedded within each of the JPGs was a complete configuration file using steganography. One of the critical sections of the configuration file contains the list of command and control servers. The purpose of the publicly hosted data was revealed -- it's there to provide a layer of redundancy and defense against existing domains that might become unavailable. In the event that no command and control server could be contacted, Alureon would then seek to retrieve an updated configuration file from these 'backup' locations," Molenkamp wrote.
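The article does not say how Alureon embeds the configuration inside the JPEGs. One of the simplest ways to hide data in a JPEG is to append it after the end-of-image marker, which viewers ignore, so a quick forensic check for analysts is to walk the file's structure and see whether anything follows that marker. This is an added example (not Microsoft's or the article's code) and only detects that one embedding method; the sample bytes below are a constructed minimal JPEG with a placeholder payload appended.

```python
def jpeg_trailer(data: bytes) -> bytes:
    """Return the bytes that follow the JPEG end-of-image (FFD9) marker, or b"".

    Walks the marker segments (each has a 2-byte big-endian length that
    includes itself) up to start-of-scan, then skips entropy-coded data, in
    which FF00 is a stuffed byte and FFD0..FFD7 are restart markers.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    i = 2
    while True:
        if i + 4 > len(data) or data[i] != 0xFF:
            raise ValueError("truncated or malformed segment at offset %d" % i)
        marker = data[i + 1]
        if marker == 0xD9:                      # EOI with no scan at all
            return data[i + 2:]
        seglen = int.from_bytes(data[i + 2:i + 4], "big")
        i += 2 + seglen
        if marker == 0xDA:                      # SOS: scan data starts here
            break
    while i + 1 < len(data):
        if data[i] != 0xFF:
            i += 1
            continue
        nxt = data[i + 1]
        if nxt == 0xD9:                         # EOI: everything after it is a trailer
            return data[i + 2:]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7 or nxt == 0xFF:
            i += 2 if nxt != 0xFF else 1        # stuffed byte, restart marker, fill byte
            continue
        # Any other marker (e.g. a further SOS in a progressive JPEG): skip its segment.
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")
    raise ValueError("no EOI marker found")


# Constructed sample: SOI, a JFIF APP0 segment, a one-component SOS header,
# scan data containing a stuffed FF00 and an RST0 marker, EOI, then a payload.
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
              + b"\xff\xd9")
PAYLOAD = b"[c2]\nbackup.example.invalid\n"     # placeholder, not a real indicator
STEGO_JPEG = CLEAN_JPEG + PAYLOAD

if __name__ == "__main__":
    print(jpeg_trailer(STEGO_JPEG))
```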

The images being used to hide the configuration file look to be completely random, unless the attacker behind Alureon is a health nut who loves his grandma and "Tropic Thunder." The JPEGs include a picture of an elderly woman, a bowl of something sort of health-food looking and...Tom Cruise.

Alureon, which also is known as TDSS or TDL4, has been a serious problem for a couple of years now. The addition of a steganography routine is just the latest in a line of new features added to the malware in the last few months. Earlier this year researchers came across a version of Alureon that was using an older brute-force technique in order to decrypt some components of its own code that are encrypted. And in June another variant appeared that had its own self-replicating loader which allowed Alureon to spread via network shares once it's on a victim's machine.

nb : threatpost

Second LulzSec hacker 'Neuron' could be tracked down via UK VPN

Following the arrest last week of alleged LulzSec member 'Recursion', the Guardian has found that another member of the hacking crew used the HideMyAss service for their connection

LulzSec: members allegedly used the HideMyAss proxy service to disguise their IP addresses
At least one more member of the hacking group LulzSec, known online as "Neuron", may be arrested if traced by their use of a British anonymous VPN (virtual private network) proxy service, following a similar arrest last week.

Hackers have already expressed dismay after it emerged that Cody Kretsinger, who was arrested by the FBI last Thursday for allegedly hacking into the Sony Pictures website, had been identified via his use of HideMyAss's proxy service to disguise his IP (internet protocol) address when connecting to the Sony Pictures site.

Kretsinger allegedly went by the online handle "Recursion" – which crops up in chatlogs from the group posted on the Pastebin site. "Recursion" boasted of hacking into the Sony Pictures site.

However, the Pastebin logs also show that another LulzSec member, using the handle "Neuron", also claimed to use the HideMyAss service. Neuron and Recursion are not the same person: the LulzSec chatlog records posted by the Guardian covering a period from 31 May show the two in the same chatroom at the same time, and on one occasion addressing each other directly. "Recursion" quit the group after it attacked an FBI-related site early in June, but "Neuron" remained.

HideMyAss posted a lengthy defence of its actions on its blog after the news emerged, insisting that it had to retain logs:
Being able to locate abusive users is imperative for the survival of operating a VPN service, if you can not take action to prevent abuse you risk losing server contracts with the underlying upstream providers that empower your network. Common abuse can be anything from spam to fraud, and more serious cases involve terrorism and child porn.

The main type of logging is session logging – this is simply logging when a customer connects and disconnects from the server, this identifies who was connected to X IP address at X time, this is what we do and all we do. Some providers choose not to do session logging and instead try to locate the abusive customer by using the intelligence from the complaint, for example if someone hacks XYZ.com they may monitor traffic to XYZ.com and log which customers have a connection to this website. Ask yourself this: if a provider claims not to do any form of logging, but is able to locate abusive customers, how are they able to do this without any form of logging?
The company added that it would only hand over logs if they were the subject of a valid UK court order: "if a request for information is sent to us from overseas, we will not accept this request unless it is sent through the appropriate UK channels and a UK judge warrants a court order or a court summons that forces us to provide this information. We are not intimidated by the US government as some are claiming. We are simply complying with our country's legal system to avoid being potentially shut down and prosecuted ourselves."

Some questioned whether HideMyAss – which says that it helped people in Egypt to evade crackdowns during the Arab spring protests – would hand over details of individuals to repressive regimes such as Syria. The company says in the blogpost that it would not because "[in] UK law, there isn't a law that prohibits the use of Egyptians gaining access to blocked websites such as Twitter, even if there is one in Egypt."

The revelation that the service retains some log details has caused outrage amid parts of the hacking community, with a number vowing never to use HideMyAss's service again. A rival service, AirVPN, put out a statement saying that it does not keep logs in the way that HideMyAss does: "we would like to reassure our users and our customers that nothing like that [handover of logs] may happen with AirVPN, for a series of legislative (we are based in the EU, not in the USA, and we don't recognize USA jurisdiction, obviously) and above all technical reasons." It says it will accept payments in BitCoin, the cryptocurrency, which can be made via the Tor network, for security.

Four people have been arrested in the UK relating to LulzSec's activities, with three charged so far.

nb : guardian