Information Security Newsletter

Bulletins posted 3/27/2009

Firefox critical vulnerability patched in 3.0.8, due next week
A new vulnerability has just been found in Firefox. The vulnerability, discovered by security researcher Guido Landi, was published on several security sites on Wednesday the 25th. The flaw could be used by an attacker to remotely execute code on a user's machine via memory corruption after the user views a specially crafted malicious XML file.

According to Mozilla developer notes, the vulnerability seems to affect Firefox versions 3.0 to 3.0.7 on all operating systems, including Linux and Mac.

The patch is expected to be released by Mozilla next week.

If you use Firefox, watch for this patch to come out and update your Firefox browser software as soon as possible.

Latest delivery notice trojan, from DHL this time, spews forth spam
A new torrent of spam, disguised as a message from package carrier DHL, is making its way into inboxes. This is a further variation of a malicious spam campaign that pretends to be from a well-known package carrier. Earlier this month a spam campaign purported to be arriving from UPS.

The incoming message claims that DHL attempted delivery of a package on March 14 and instructs recipients to click on a link to print out an invoice needed to retrieve the package from the DHL office.

Users who fall for the ploy and click on the link instead download a malicious trojan, Troj/Agent-JJP, onto their computer. The file, contained inside dhl_n756512[dot]zip, establishes connections to remote hosts via port 80. The hackers are then able to download a cocktail of further malware, as well as trigger phony security alerts in Internet Explorer, delivering pop-up advertisements for rogue security apps.

The spam arrives with the subject line: "DHL Tracking number," but each recipient receives their own randomly generated reference number.

We have heard reports of this type of scam, with the same basic modus operandi and attempting to download very similar trojans, that use all of the different shipping companies as well as airlines. With the airline scams, as we have reported in the past, the message thanks you for your ticket purchase and includes a fake link that is supposedly your e-ticket or an invoice.

To avoid being a victim of these types of scams, make sure your antivirus programs are up to date and that your firewall is configured correctly and updated. Also, as always, be extremely suspicious of any attempt to download anything to your computer, whether from a website or an email.

Bulletins posted 3/26/2009

Lack of infosec news items does not mean fewer threats, just recycling of the old ones
In case you've noticed fewer news items coming out from this source recently, we wanted to reassure you that this is not because the bad guys are taking some time off.

In fact, the amount of badware being disseminated through email and especially via poisoned websites has been growing exponentially. But the tricks are the same ones we've warned you about in the past, so we don't want to fill up your time with things you already know to watch out for.

The most predominant threats right now are email, website and phone scams, all taking advantage of the poor economy and the stimulus legislation to try to lure desperate people into fraudulent schemes. There are scams offering low-interest stimulus loans, stay-at-home jobs, refinancing of credit card debt, etc., ad nauseam.

So, just because you don't see anything from us for a little while, please don't let down your guard for a minute!

Mac users warned of malware which also affects PCs
Sophos is warning Apple Mac users to be on their guard against websites hosting malicious code designed to infect their systems. The advice follows the discovery of a new version of the OSX/RSPlug Trojan horse that is being distributed via a legitimate-looking website offering HDTV software.

"While there is much less malware for the Apple Mac than for Windows, it doesn't mean that Apple fans can avoid the issue," says Brett Myroff, CEO of regional Sophos distributor, Sophos South Africa.

Sophos notes that the criminal gang behind this malware attack is targeting Windows computers as well as Mac OS X. If a user visits the website from a Windows computer, it will serve up a malicious Windows executable from the Zlob family of malware rather than the RSPlug-F Mac OS X Trojan horse.

Sophos experts have determined that the RSPlug-F Trojan horse changes DNS settings on Apple Mac computers, meaning users may find they are taken to bogus websites which may attempt to steal personal information, display revenue-generating adverts, or install further malware.

Be careful and always resist the temptation to download applications from the Internet, whether you are a Mac or PC user, unless you have some way to ensure they are legitimate.
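Because the RSPlug-F behaviour described above is a silent swap of the machine's DNS resolvers, the practical check is to compare the resolvers actually in use against the ones you expect. The script below is an added example, not code from the newsletter or from Sophos; the `scutil --dns` / resolv.conf line formats it parses, the LAN range, and the 203.0.113.x addresses are assumptions constructed for the example.

```python
import ipaddress
import re

# Matches a Linux /etc/resolv.conf "nameserver 1.2.3.4" line and a macOS
# `scutil --dns` "  nameserver[0] : 1.2.3.4" line (format is an assumption).
NS_RE = re.compile(r"^\s*nameserver(?:\[\d+\])?\s*:?\s*(\S+)\s*$")

def parse_resolvers(config_text):
    """Return the unique resolver addresses found in config_text, in order."""
    found = []
    for line in config_text.splitlines():
        m = NS_RE.match(line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found

def check_resolvers(config_text, expected, lan="192.168.1.0/24"):
    """Return (resolver, reason) for every resolver not in `expected`.
    The reason records whether it points outside the home LAN, which is
    the footprint a DNS-changing trojan leaves behind."""
    net = ipaddress.ip_network(lan)
    findings = []
    for ns in parse_resolvers(config_text):
        if ns in expected:
            continue
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            findings.append((ns, "not an IP address"))
            continue
        where = "outside the LAN" if addr not in net else "on the LAN"
        findings.append((ns, f"unexpected resolver {where}"))
    return findings

# Constructed sample mimicking `scutil --dns` on a Mac whose resolvers were
# replaced; the 203.0.113.x addresses are documentation-range placeholders.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.45
  nameserver[1] : 203.0.113.46
"""
EXPECTED = {"192.168.1.1"}   # the home router is the only legitimate resolver

if __name__ == "__main__":
    for ns, why in check_resolvers(SAMPLE_SCUTIL, EXPECTED):
        print(f"ALERT resolver {ns}: {why}")
```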

Nasty new worm targets home routers, cable modems
A computer worm has been discovered that can infect 55 different home-based routers and DSL and cable modems including common brands like Linksys and Netgear.

Believed to have originated in Australia and known as "psyb0t" or Bluepill, this is the first worm known to be able to infect residential routers and modems.

Psyb0t is armed with 6,000 common usernames and 13,000 popular passwords that it tries in various combinations to gain entry to your home network. Most home-based routers will give you unlimited attempts to get the username and password correct, making these devices an ideal target for infection. Also, unlike your PC, your router and modem are running 24 hours a day, meaning psyb0t has a practically unlimited amount of time to try to gain access.

If that wasn't frightening enough, psyb0t is reportedly very hard to detect and most home users will be unaware that they're infected. Like other worms, psyb0t is designed to infect systems and then carry out commands given by its author, creating what is known as a botnet. There may not be much cause for alarm, though, as APC Magazine is reporting that the botnet capabilities for this worm are no longer active. At its height, psyb0t was suspected of controlling 80,000 to 100,000 systems.

Although the immediate threat from this worm may be diminished, it is still important to change the default passwords on your home routers. Your routers will have come with instructions on how to do so and we highly recommend that anyone with a home network change them from the default.
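The reason psyb0t can work through its username and password lists is that the device itself never pushes back, so the guessing has to be spotted in the router's log instead. The detector below is an added example, not from the newsletter or the psyb0t research it cites; the auth-log line format and the addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed router auth-log sample (the line format is an assumption, not a
# real vendor format); 198.51.100.7 plays the guessing worm, 192.168.1.10 the owner.
SAMPLE_LOG = """\
2009-03-26 02:00:01 auth: login failed user=admin from=198.51.100.7
2009-03-26 02:00:02 auth: login failed user=root from=198.51.100.7
2009-03-26 02:00:02 auth: login failed user=admin from=198.51.100.7
2009-03-26 02:00:03 auth: login failed user=user from=198.51.100.7
2009-03-26 02:00:04 auth: login failed user=admin from=198.51.100.7
2009-03-26 02:00:05 auth: login failed user=admin from=198.51.100.7
2009-03-26 02:30:00 auth: login failed user=admin from=192.168.1.10
2009-03-26 02:30:20 auth: login ok user=admin from=192.168.1.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth: login "
    r"(?P<result>failed|ok) user=(?P<user>\S+) from=(?P<src>\S+)$"
)

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: (failures, first_failure_time)} for every source
    that reaches `threshold` failed logins inside a sliding `window`.
    Lines are assumed to be in time order."""
    recent = defaultdict(deque)   # source -> failure timestamps in the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "failed":
            continue               # unrelated line or a successful login
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:  # discard failures older than the window
            q.popleft()
        if len(q) >= threshold and m["src"] not in flagged:
            flagged[m["src"]] = (len(q), q[0])
    return flagged

if __name__ == "__main__":
    for src, (n, first) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {n} failed logins within 60s starting {first}")
```

The owner's single typo followed by a successful login stays below the threshold, while the worm's rapid run is reported once with the time its burst began.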

Bulletins posted 3/18/2009

Official Adobe Security Bulletin Offers Updates to Several Versions of Reader and Acrobat
In an official security bulletin released today, Adobe notified users of updates for several different versions of Adobe Acrobat and Reader.

Adobe recommends users of Adobe Reader and Acrobat 9 update to Adobe Reader 9.1 and Acrobat 9.1. Adobe recommends users of Acrobat 8 update to Acrobat 8.1.4, and users of Acrobat 7 update to Acrobat 7.1.1. For Adobe Reader users who can't update to Adobe Reader 9.1, Adobe has provided the Adobe Reader 8.1.4 and Adobe Reader 7.1.1 updates.

Those of you who read our notice last week and have previously updated to Adobe Reader 9.1 and Acrobat 9.1 for Windows and Macintosh need not take any action. Adobe plans to make available Adobe Reader 9.1 and Adobe Reader 8.1.4 for Unix by March 25.

We recommend updating your Acrobat and Reader as soon as possible, as there are now exploits being reported for this vulnerability.

Bulletins posted 3/17/2009

New Waledac Spam Falsely Warns of Bomb Blasts
Normally capitalizing on current events and holidays to spread its seed, the Waledac trojan now has turned to the message of fear.

Security companies warned Monday of a new malware campaign in which the Waledac botnet creators are distributing emails that falsely claim the recipient's city has been the site of a bomb blast.

The emails contain a link that leads to a malicious -- but real looking -- site, complete with the logo for news agency Reuters. The headline across the mock page, customized for each viewer thanks to geolocation technology that enables the site to map incoming IP addresses, warns of a "powerful explosion" in the victim's city, Dan Hubbard, CTO of security firm Websense, told SCMagazineUS.com.

Below that is a brief news story and a video player, said Hubbard, who added that Websense has received tens of thousands of attack samples since Sunday. The goal is to dupe users into clicking on a link to view the video, which installs the increasingly prevalent Waledac trojan. The malware opens a backdoor on the compromised machine and then sits quietly, awaiting additional commands from its command-and-control server, he said.

Though the emails do contain some spelling and grammatical errors, the social engineering aspects may be slick enough to dupe many victims, Hubbard said.

"As soon as you add in legitimate brands, people tend to think, 'Wow, this is really real,'" he said.

Trend Micro researcher Rik Ferguson said Monday on the anti-virus firm's blog that the latest campaign is proof that cybercrooks are having no problem making up for the amount of spam that may have dropped off when web hosting provider McColo was shut down.

As of about 1 p.m. EST on Monday, eight of 39 major anti-virus providers detected the new Waledac variant, according to a test on the VirusTotal file analyzer commissioned by Hubbard and his team.

The most recent Waledac attacks leveraged the inauguration, the economic crisis and Valentine's Day to infect users. Hubbard said researchers had been expecting a St. Patrick's Day-themed attack until they began seeing the fake bomb spam.

Watch out for this new twist in the ever evolving arsenal of the cyber criminals.

March Madness Nearing, But Cyberthreats Already Here
Sports fans might be eager for March Madness to begin later this week, but for cybercriminals, the games already have begun. A number of security firms already have spotted attacks that target fans of the annual NCAA men's college basketball tournament, which kicks off Thursday afternoon EST.

Cybercriminals are poisoning top Google search results related to March Madness to lure users into visiting fake anti-virus sites, Stephan Chenette, manager of security research at security firm Websense, told SCMagazineUS.com Tuesday. Attackers are using deceptive search engine optimization (SEO) to get their malicious sites to the top of results on Google and other search engines, Chenette said.

Searches for "March Madness schedule," "March Madness brackets," and "2009 NCAA bracket predictions" have been poisoned, Chenette said. The malicious sites fall in the top ten search results, and have been as high up as the first result. In most instances, when users follow a poisoned search link, they are directed to a fake anti-virus site, where they are told their computer is infected and they should download a rogue program. However, they actually end up installing a fake solution that, at some point, will prompt them for money, Chenette said.

"Users are warned to be very cautious when clicking on any March Madness hyperlinks," Chenette said. "Even Google search results should be clicked on with caution."

Attackers also are using automated software to post comments on sports blogs which actually contain links to spam websites, Chenette said. The links typically lead to fake AV or fake video sites where users are told they can watch March Madness videos but need a codec -- which is really a trojan -- to watch, Chenette said.

Spencer Parker, director of product management at web security firm ScanSafe, told SCMagazineUS.com Tuesday that Google appears to be quickly taking down the malicious sites, but users must still be wary.

----------------------------------------
Last Updated: March 27, 2009
Website Contact: David Matthews
Copyright © 1995-2009 City of Seattle