News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
81 - on: July 13, 2014, 05:50:00 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Recent Updates: smokeloader, shylock domains added
- http://www.malwaredomains.com/?p=3629
July 13th, 2014
7/09 – 441 domains added
7/12 – 226 domains added
Sources include www.mwsl.org.cn, malwareurls.joxeankoret.com, gist.github.com/jedisct1, stopmalvertising.com and others...


82 - on: July 11, 2014, 07:05:46 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

OS X / Safari - Flash Player updates available
- http://support.apple.com/kb/HT5655
July 10, 2014 - "... If the version of Adobe Flash plug-in you are using is out of date, you may see the message, "Blocked plug-in", "Flash Security Alert" or "Flash out-of-date" when attempting to view Flash content in Safari. Clicking the indicator displays an alert, "Adobe Flash Player is out-of-date."
In order to use Adobe Flash you need to update to a later version:
- Click the Download Flash button.
- Safari opens Adobe Flash Player installer page on the Adobe website.
- Click the Download now button on the Adobe website to download the latest Adobe Flash Player installer.
- After the download completes, open the downloaded disk image (usually located in your Downloads folder) if it does not open automatically.
    In the window that appears, open the installer and follow the onscreen instructions.
Note: If you need to run an older version of Flash, you can use web plug-in management* to re-enable it for specific websites using "Run in Unsafe Mode" (??) in Safari 6.1 or later..."
* http://support.apple.com/kb/HT5954


83 - on: July 11, 2014, 04:46:15 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Citibank Commercial Form email – PDF malware
- http://myonlinesecurity.co.uk/fw-important-commercial-form-fake-pdf-malware/
11 July 2014 - "FW: Important – Commercial Form is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
Commercial Banking Form
To: < redacted >
Case: C1293101
Please scan attached document and fax it to +1 800-285-5021 .
All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record. Not yet filing your accounts online? See how easy it is… For enquiries, please telephone the Service Desk on +1 800-285-6575 or email enquiries@ citibank .com. This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message. .
Yours faithfully
Leanne Davis Commercial Banking Citibank N.A Leanne.Davis@ citibank .com
Copyright © 2014 Citigroup Inc.


11 July 2014: C1293101.zip (9kb): Extracts to C100714.scr
Current Virus total detections: 0/53*. This FW: Important – Commercial Form is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/06f0344c0ecdf239c1b5012d88c0b466d56888d4bc1a5066837f3fbcfe5a2d60/analysis/1405086057/
___

A cunning way to deliver malware
- http://blog.malwarebytes.org/malvertising-2/2014/07/a-cunning-way-to-deliver-malware/
July 11, 2014 - "Potentially unwanted programs, also known as PUPs, continue to be a real nuisance. A recent blog post by Will Dormann on CERT.org* shows the prevalence of such applications lurking on every corner of the web: search engines results, software portals, popups, ads, etc... Here is an example of an unwanted warning pushed as a pop-up:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/message.png
... The following page shows that our browser (Internet Explorer) may be out of date and urges us to download a program to check for outdated software.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/download.png
It is worth noting that this webpage was totally unsolicited and is in fact very misleading... In other words, the program they want you to download bundles other applications, something we know all too well. Attempting to close the page brings up yet another warning:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/sure.png
We could argue with advertisers that these practices are not okay until we are blue in the face. But here’s the catch with this one: while the page is saying our system could be at risk we are silently being infected with a drive-by download... two malware payloads are subsequently dropped (#1, #2) detected as Spyware.Zbot.VXGen... We have reported this incident to Akamai’s Abuse department so that they can take immediate action against these bad actors."
1) https://www.virustotal.com/en/file/d9726e80eb043f3a9c84eae6e3e69f85d5fb648b818ecaad15c5f09e1cc115c2/analysis/

2) https://www.virustotal.com/en/file/476e6d017c23cf1f254d0df5b8cf9e305469c9cc990af131da730c6ef1c25fbb/analysis/

* https://www.cert.org/blogs/certcc/post.cfm?EntryID=199
7/07/2014 - "... depending on what the application is, where you downloaded it from, and how carefully you paid attention to the installation process, you could have some extra goodies that came along for the ride. You might have components referred to as adware, foistware, scareware, potentially unwanted programs (PUPs), or worse. Sure, these may be annoyances, but there's an even more important security aspect to these types of applications: attack surface..."
___

Fake 'E-ZPass Unpaid Toll' SPAM - links to Malware
- http://www.hoax-slayer.com/e-zpass-unpaid-toll-malware.shtml
July 11, 2014 - "Email purporting to be from US toll collection system E-ZPass claims that the recipient has not paid for driving on a toll road and should click a link to download an invoice... The email is -not- from E-ZPass. It is a criminal ruse designed to trick you into downloading malware... If you receive this message, do -not- click any links or open -any- attachments that it contains..."
> http://www.hoax-slayer.com/images/e-zpass-unpaid-toll-malware-1.jpg

Ref: http://stopmalvertising.com/spam-scams/e-zpass-themed-emails-lead-to-asprox.html
9 July 2014 - E-ZPass themed emails lead to Asprox
___

GameOver Zeus mutates - launches Attacks
- http://blog.malcovery.com/blog/breaking-gameover-zeus-returns
July 10, 2014 - "... -new- trojan based heavily on the GameOver Zeus binary. It was distributed as the attachment to three spam email templates, utilizing the simplest method of infection through which this trojan is deployed... we saw spam messages claiming to be from NatWest...
> https://cdn2.hubspot.net/hub/241665/file-1213696521-png/Gameover_Return_2.png
... we saw spam messages with the subject “Essentra PastDue” like these:
> https://cdn2.hubspot.net/hub/241665/file-1210759939-png/Gameover_Return_4.png
... The longest lasting of the spam campaigns was imitating M&T Bank, with a subject of "E100 MTB ACH Monitor Event Notification". That campaign is still ongoing as of this writing.
> https://cdn2.hubspot.net/hub/241665/file-1217283407-png/Gameover_Return_7.png
The three spam campaigns each had a .zip attachment. Each of these contained the same file in the form of a “.scr” file with the hash:
MD5:   5e5e46145409fb4a5c8a004217eef836
At this timestamp (1600 Central time, 7 hours after we first noticed the spam campaign) the detection rate at VirusTotal is 10/54:
> https://cdn2.hubspot.net/hub/241665/file-1210902723-png/Gameover_Return_8.png
Once the attachment was opened and the malware payload executed, the malware began to make attempts to contact certain websites in accordance with a domain generation algorithm. The goal of these contact attempts is to make contact with a server that can in turn provide instructions to the malware. Many sandboxes would have failed to launch the malware, as the presence of VMWare Tools will stop the malware from executing. Other sandboxes would not have noticed the successful connection, because the malware took between 6 and 10 minutes to randomly generate the single domain name that was used successfully to launch the new Zeus trojan and download the bank information “webinject” files from the server. The Domain Generation Algorithm is a method for a criminal to regain access to his botnet. Based on the current date, random-looking domain names are calculated and the malware reaches out via the Internet to see if that domain exists... Malcovery analysts confirmed with the FBI and Dell Secure Works that the original GameOver Zeus is still "locked down".  This new DGA list is not related to the original GameOver Zeus but bears a striking resemblance to the DGA utilized by that trojan. In addition to a new DGA, the malware seems to have traded its Peer to Peer Infrastructure for a new Fast Flux hosted C&C strategy... This discovery indicates that the criminals responsible for GameOver’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history..."

- http://www.nationalcrimeagency.gov.uk/news/news-listings/390-reminder-still-time-to-reduce-threat-from-powerful-malicious-software
13 June 2014
___

SCAMS: Free Movies - Reel Deal? ...
- http://blog.malwarebytes.org/online-security/2014/07/are-these-free-movies-the-reel-deal/
July 11, 2014 - "... We often see Netflix themed sites used as a -bait- so this one immediately caught our eye... The end user is presented with a number of surveys and offers, one of which has to be completed to obtain the “free account”. They lead to a variety of places:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/flix3.jpg
Another one:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/flix4.jpg
We tried to “unlock” the supposed text file to see what happened next, by installing two separate offers – a “TV toolbar” and a “We love games community toolbar”.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/flix5.jpg
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/flix6.jpg
In both cases, nothing was unlocked and we saw no evidence of text files. What we did have, were two potentially unwanted programs which a regular user would only have installed to get the text file in the first place. You’re better off avoiding sites which promise “free” signups to websites and services, and buying directly from the real thing. More often than not, you can never be sure if what you’re receiving is legit or will be shut down by the service provider. And of course, in many cases what you’ll be getting your hands on after signing up to offers or downloading programs will be little more than thin air..."


84 - on: July 10, 2014, 12:43:32 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Microsoft Security Advisory 2982792
Improperly Issued Digital Certificates Could Allow Spoofing
- https://technet.microsoft.com/en-us/library/security/2982792.aspx
July 10, 2014 - "Executive Summary: Microsoft is aware of improperly issued SSL certificates that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The SSL certificates were improperly issued by the National Informatics Centre (NIC), which operates subordinate CAs under root CAs operated by the Government of India Controller of Certifying Authorities (CCA), which are CAs present in the Trusted Root Certification Authorities Store. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue. The subordinate CA has been misused to issue SSL certificates for multiple sites, including Google web properties. These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against web properties. The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks...
Recommendation: An automatic updater of revoked certificates is included in supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, and Windows Server 2012 R2, and for devices running Windows Phone 8 or Windows Phone 8.1. For these operating systems or devices, customers do not need to take any action because the CTL will be updated automatically.
For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070* for details), customers do not need to take any action because the CTL will be updated automatically.
For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2, and that do -not- have the automatic updater of revoked certificates installed, this update is not available. To receive this update, customers must install the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070* for details). Customers in disconnected environments and who are running Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 can install update 2813430** to receive this update (see Microsoft Knowledge Base Article 2813430** for details)..."
* https://support.microsoft.com/kb/2677070

** https://support.microsoft.com/kb/2813430

- https://technet.microsoft.com/en-us/library/security/2982792
V2.0 (July 17, 2014): Advisory revised to announce the availability of update 2982792 for supported editions of Windows Server 2003. For more information, see the Suggested Actions section of this advisory.
___

- http://atlas.arbor.net/briefs/index#1956386183
High Severity
July 10, 2014
Four fake certificates have been identified posing as Google and Yahoo, putting Internet Explorer users at risk.
Analysis: The certificates were issued by the National Informatics Centre (NIC) in India, whose certificate issuance process was reportedly compromised. NIC is trusted by CCA India, who in turn is trusted by Microsoft. Other fake certificates were likely issued as well, though details on the full scope of the breach have not been released. While the identified certificates have been revoked by CCA, they could nonetheless affect Windows users: real-time revocation checks performed by security measures using certificate revocation list and online certificate status protocol do not sufficiently prevent attacks, as seen following certificate revocations after disclosure of the OpenSSL Heartbleed vulnerability earlier this year. Firefox, Thunderbird, and Chrome users on Windows are -not- at risk, as the applications' root stores are independent of Windows. Users running Mac OS X, Linux, and other platforms are also not at risk. Until Microsoft has addressed the issue, Windows users should use applications other than Internet Explorer to access domains using TLS. [ http://arstechnica.com/security/2014/07/crypto-certificates-impersonating-google-and-yahoo-pose-threat-to-windows-users/ ]

- http://www.securitytracker.com/id/1030548
Updated: Jul 17 2014
Impact: Modification of authentication information
Fix Available: Yes - Vendor Confirmed: Yes
Version(s): 2003 SP2, Vista SP2, 2008 SP2, 7 SP1, 2008 R2 SP1, 8, 8.1, 2012, 2012 R2; and prior service packs
Description: A vulnerability was reported in Microsoft Windows. A remote user may be able to spoof SSL certificates.
The operating system includes invalid subordinate certificates issued by National Informatics Centre (NIC), which operates subordinate certificate authorities (CAs) under root CAs operated by the Government of India Controller of Certifying Authorities (CCA)...
Impact: A remote user may be able to spoof SSL certificates.
Solution: The vendor has issued a fix, available via automatic update for Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, Windows Phone 8, and Windows Phone 8.1.
The vendor has issued a fix for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 systems that use the automatic updater of revoked certificates (see KB2677070)...
Vendor URL: https://technet.microsoft.com/en-us/library/security/2982792


85 - on: July 10, 2014, 06:25:11 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Shylock takedown - Europol
- http://www.nationalcrimeagency.gov.uk/news/news-listings/408-law-enforcement-industry-collaborate-to-combat-shylock-malware
10 July 2014 - "An international operation involving law enforcement agencies and private sector companies is combating the threat from a type of malicious software (malware) used by criminals to steal from bank accounts. In the first project of its kind for a UK law enforcement agency, the National Crime Agency has brought together partners from the law enforcement and private sectors, including the FBI, Europol, BAE Systems Applied Intelligence, GCHQ, Dell SecureWorks, Kaspersky Lab and the German Federal Police (BKA) to jointly address the Shylock trojan. As part of this activity, law enforcement agencies are taking action to disrupt the system which Shylock depends on to operate effectively. This comprises the seizure of servers which form the command and control system for the trojan, as well as taking control of the domains Shylock uses for communication between infected computers. This has been conducted from the operational centre at the European Cybercrime Centre (EC3) at Europol in The Hague. Investigators from the NCA, FBI, the Netherlands, Turkey and Italy gathered to coordinate action in their respective countries, in concert with counterparts in Germany, Poland and France. Shylock - so called because its code contains excerpts from Shakespeare's Merchant of Venice - has infected at least 30,000 computers running Microsoft Windows worldwide. Intelligence suggests that Shylock has to date targeted the UK more than any other country, although the suspected developers are based elsewhere. The NCA is therefore coordinating international action against this form of malware. Victims are typically infected by clicking on malicious links, and then unwittingly downloading the malware. Shylock will then seek to access funds held in business or personal accounts, and transfer them to the criminal controllers..."
___

MS cybercrime bust frees 4.7 million infected PCs
- http://www.reuters.com/article/2014/07/10/us-cybersecurity-microsoft-idUSKBN0FF2CU20140710
July 10, 2014 - "Microsoft Corp said it has freed at least 4.7 million infected personal computers from control of cyber crooks in its most successful digital crime-busting operation, which interrupted service at an Internet-services firm last week. The world's largest software maker has also identified at least another 4.7 million infected machines, though many are likely still controlled by cyber fraudsters, Microsoft's cybercrime-fighting Digital Crimes Unit said on Thursday. India, followed by Pakistan, Egypt, Brazil, Algeria and Mexico have the largest number of infected machines, in the first high-profile case involving malware developed outside Eastern Europe. Richard Domingues Boscovich, assistant general counsel of the unit, said Microsoft would quickly provide government authorities and Internet service providers around the world with the IP addresses of infected machines so they can help users remove the viruses... The operation is the most successful of the 10 launched to date by Microsoft's Digital Crimes Unit, based on the number of infected machines identified, Boscovich said. Microsoft located the compromised PCs by intercepting traffic headed to servers at Reno, Nevada-based Vitalwerks Internet Solutions, which the software maker said criminals used to communicate with compromised PCs through free accounts on its No-IP.com services. Vitalwerks criticized the way Microsoft handled the operation, saying some 1.8 million of its users lost service for several days. The Internet services firm said that it would have been glad to help Microsoft, without interrupting service to legitimate users. Microsoft has apologized, blaming "a technical error" for the disruption, saying service to customers has been restored... The operation, which began on June 30 under a federal court order, targeted malicious software known as Bladabindi and Jenxcus, which Microsoft said work in similar ways and were written and distributed by developers in Kuwait and Algeria."
___

Fake "TT PAYMENT COPY" SPAM - malicious attachment
- http://blog.dynamoo.com/2014/07/tt-payment-copy-spam.html
10 July 2014 - "We've seen spam like this before. It comes with a malicious attachment.
    Date: Thu, 10 Jul 2014 00:09:28 -0700 [03:09:28 EDT]
    From: "PGS Global Express Co, Ltd." [pgsglobal1960@ gmail .com]
    Subject: Re TT PAYMENT COPY
    ATTN:
    Good day sir, here is the copy of the transfer slip, kindly find the attach copy and please check with your bank to confirm the receipt of the payment and do the needful by dispatching the material as early as possible.
    We hope you will do the needful and let us know the dispatch details.
    (purchase) Manager.
    ------sent from my iphone5s-------


It comes with an attachment TT PAYMENT COPY.ZIP containing the malicious executable TT PAYMENT COPY.exe which has a VirusTotal detection rate of 19/54*. According to Malwr** this appears to be a self-extractive archive file which then drops (inter alia) a file iyKwmsYRtDlN.com which has a very low detection rate of 1/52***. It isn't clear what this file does according to the report**."
* https://www.virustotal.com/en-gb/file/89f760f143108d9a37d8b5722d81a02a688ddd9c4ef7a035c8969824f0c2c372/analysis/1405000247/

** https://malwr.com/analysis/NThjMzU0MDg5MzRhNDhiYWFiY2JjNmU0OWM0YzM0OTA/

*** https://www.virustotal.com/en-gb/file/8465f3fcbccce3ea12495edbb0bd09c3b066e3df891613ce3180f9bb38b37b01/analysis/1405000668/
___

Fake E100 MTB ACH SPAM – PDF malware
- http://myonlinesecurity.co.uk/e100-mtb-ach-monitor-event-notification-fake-pdf-malware/
10 July 2014 - "E100 MTB ACH Monitor Event Notification is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
You have received a secure message from M&T Bank
At M&T Bank,we understand the importance of protecting confidential information. That’s why we’ve developed this email messaging system, which will allow M&T to securely send you confidential information via email.
An M&T Bank employee has sent you an email message that may contain confidential information. The sender’s email address is listed in the from field of this message. If you have concerns about the validity of this message, contact the sender directly.
To retrieve your encrypted message, follow these steps:
1. Click the attachment, securedoc.html.
You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
2. Enter your password.
If you are a first time user, you will be asked to register first.


10 July 2014: Securedoc.zip (284kb): Extracts to Securedoc.pdf.scr
Current Virus total detections: 0/38*. This E100 MTB ACH Monitor Event Notification is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/3ff49706e78067613aa1dcf0174968963b17f15e9a6bc54396a9f233d382d0e6/analysis/1405013243/
___

Fake Money Transfer - PDF malware
- http://myonlinesecurity.co.uk/important-notice-incoming-money-transfer-fake-pdf-malware/
10 July 2014 - "Important Notice – Incoming Money Transfer is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment... Email reads:
An Incoming Money Transfer has been received by your financial institution for thespykiller .co .uk. In order for the funds to be remitted on the correct account please complete the “A136 Incoming Money Transfer Form”.
Fax a copy of the completed “A136 Incoming Money Transfer Form” to +1 800 722 4969.
To avoid delays or additional fees please be sure the Beneficiary Information including name, branch name, address, city, state, country, and Routing Number (ABA Number) or SWIFT BIC Code is correct. For international Wires be sure you include the International Routing Code (IRC) and International Bank Account Number (IBAN) for countries that require it.
Thank you,
Trevor.Mcdowell
Senior Officer Level III
Cash Management Verification ...


10 July 2014: A136_Incoming_Money_Transfer_Form.zip (10kb): Extracts to A136_Incoming_Money_Transfer_Form.exe.exe
Current Virus total detections: 2/53*. This Important Notice – Incoming Money Transfer is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected.
* https://www.virustotal.com/en/file/2b357bc5a04b97cdd5d55f8cdda8c95ea882f21d1633a901089ccc0b8c68aee6/analysis/1405013171/
___

Symantec in talks with Chinese government after software ban report
- http://www.reuters.com/article/2014/07/10/us-symantec-china-idUSKBN0FF1V320140710
July 10, 2014 - "U.S. security software maker Symantec Corp said it is holding discussions with authorities in Beijing after a state-controlled Chinese newspaper reported that the Ministry of Public Security had banned use of one of its products. The China Daily reported last week that the ministry had issued an order to its branches across the nation telling them to uninstall Symantec's data loss prevention, or DLP, products from their systems and banning their future purchase, saying the software 'could pose information risks'..."


86 - on: July 09, 2014, 12:29:49 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

- http://tools.cisco.com/security/center/publicationListing.x

Multiple Cisco Products - Apache Struts 2 Command Execution vuln
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2
2014 July 9 - "Summary: Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability identified by Apache with Common Vulnerabilities and Exposures ID CVE-2010-1870 *. The vulnerability is due to insufficient sanitization on user-supplied input in the XWorks component of the affected software. The component uses the ParameterInterceptors directive to parse the Object-Graph Navigation Language (OGNL) expressions that are implemented via a whitelist feature. An attacker could exploit this vulnerability by sending crafted requests that contain OGNL expressions to an affected system. An exploit could allow the attacker to execute arbitrary code on the targeted system. Cisco has released free software updates that address this vulnerability for all the affected products except Cisco Business Edition 3000 Series. Customers using Cisco Business Edition 3000 Series should contact their Cisco representative for available options. Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available..."
* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1870


87 - on: July 09, 2014, 08:32:05 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Fake Incoming Fax – PDF malware
- http://myonlinesecurity.co.uk/new-incoming-fax-fake-pdf-malware/
9 July 2014 - "New Incoming Fax pretending to come from Incoming Fax <noreply@ fax-reports .com> is another one from the current zbot runs which try to drop cryptolocker, ransomware and loads of other malware on your computer. They are using email addresses and subjects that will entice a user to read the email and open the attachment. A very high proportion are being targeted at small and medium size businesses, with the hope of getting a better response than they do from consumers.
Dear Customer,
You have received a new fax.
Date/Time: 2014:08:09 12:28:09
Number of pages:2
Received from: 08447 53 54 56
Regards,
FAX


9 July 2014: fax9999999999.zip (168 kb): Extracts to fax0010029826052014.scr
Current Virus total detections: 7/54*. This is another one of the spoofed icon files that unless you have "show known file extensions enabled", will look like a proper PDF file instead of the .exe file it really is, so making it much more likely for you to accidentally open it and be infected..."
* https://www.virustotal.com/en/file/4cef86f285f555a67f2f2e0be6f22ecdcd90a745cc1279b8f99931b670c87945/analysis/1404915722/
___

E-Z Pass Spam
- http://threattrack.tumblr.com/post/91280291573/e-z-pass-spam
July 9, 2014
Screenshot: https://gs1.wac.edgecastcdn.net/8019B6/data.tumblr.com/fbf366d5ba38476f51a12ad59c64b5de/tumblr_inline_n8gnzk8QOy1r6pupn.png
Subjects Seen:
    Indebted for driving on toll road
Typical e-mail details:
    Dear customer,
    You have not paid for driving on a toll road. This invoice is sent repeatedly,
    please service your debt in the shortest possible time.
    The invoice can be downloaded here.


Malicious URLs:
    krsk .info/components/api/aHZ/WVeiJ0vWJCZzh9O0pXzmah/NtSjknz1hSYIcsqQ=/toll

91.193.224.60
: https://www.virustotal.com/en/ip-address/91.193.224.60/information/

Tagged: E-Z Pass, Kuluoz

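Several of the posts above (the Citibank, M&T Bank, Incoming Money Transfer and Incoming Fax zbot runs) describe the same trick: a Windows executable inside a .zip carrying a PDF icon and a name like Securedoc.pdf.scr or A136_Incoming_Money_Transfer_Form.exe.exe, which hides its real type when known file extensions are not shown. The script below is an added example, not code from the forum or from the quoted blogs; it triages a zip attachment without extracting it, flagging executable extensions, document-then-executable double extensions, and entries whose first bytes are a Windows PE header. The zip and its contents are constructed here for the demonstration (the names are the ones quoted in the posts, the bytes are fake).

```python
import io
import zipfile

# Extensions Windows will execute regardless of the icon the file carries.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar"}
# Extensions that get sandwiched in front of the real one to look like a document.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".html", ".htm"}


def classify_name(name):
    """Return the list of reasons an attachment name looks like a masquerading executable.

    An empty list means nothing suspicious was found in the name alone.
    """
    reasons = []
    base = name.rsplit("/", 1)[-1]          # drop any folder inside the zip
    parts = base.lower().split(".")
    if len(parts) < 2:
        return reasons                      # no extension at all
    final = "." + parts[-1]
    inner = ["." + p for p in parts[1:-1]]  # extensions before the final one
    if final in EXECUTABLE_EXTS:
        reasons.append("executable extension " + final)
        if any(ext in DOCUMENT_EXTS for ext in inner):
            reasons.append("double extension: document extension before " + final)
        if any(ext in EXECUTABLE_EXTS for ext in inner):
            reasons.append("repeated executable extension")
    if "     " in base:                     # padding used to push the extension out of view
        reasons.append("long run of spaces in file name")
    return reasons


def scan_zip(data):
    """Inspect zip bytes in memory and return {entry name: reasons} for flagged entries."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            # Read only the first two bytes: "MZ" is the DOS/PE header every
            # Windows executable starts with, whatever the name claims.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                reasons.append("content starts with MZ (Windows PE), not a document")
            if reasons:
                flagged[info.filename] = reasons
    return flagged


def build_sample_zip(entries):
    """Build a zip in memory from (name, bytes) pairs; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: the attachment names quoted in the posts above with fake
# contents (a PE stub for the droppers, a PDF header for the one legitimate file).
SAMPLE_ENTRIES = [
    ("C100714.scr", b"MZ\x90\x00 constructed stub"),
    ("Securedoc.pdf.scr", b"MZ\x90\x00 constructed stub"),
    ("A136_Incoming_Money_Transfer_Form.exe.exe", b"MZ\x90\x00 constructed stub"),
    ("fax0010029826052014.scr", b"MZ\x90\x00 constructed stub"),
    ("TT PAYMENT COPY.exe", b"MZ\x90\x00 constructed stub"),
    ("invoice.pdf", b"%PDF-1.4 constructed document"),
]


def report(data=None):
    """Scan the constructed sample (or caller-supplied zip bytes) and print the verdicts."""
    flagged = scan_zip(data if data is not None else build_sample_zip(SAMPLE_ENTRIES))
    for name, reasons in flagged.items():
        print(name)
        for reason in reasons:
            print("    - " + reason)
    return flagged


if __name__ == "__main__":
    report()
```

Running it against a real attachment is `scan_zip(open(path, "rb").read())`; the only zip entry that passes clean in the sample is invoice.pdf.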

88 - on: July 09, 2014, 05:37:08 - Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Facebook kills Lecpetex botnet ...
- https://www.computerworld.com/s/article/9249616/Facebook_kills_Lecpetex_botnet_which_hit_250K_computers
July 8, 2014 - "Facebook said* police in Greece made two arrests last week in connection with a little-known spamming botnet called "Lecpetex," which used hacked computers to mine the Litecoin virtual currency. As many as 50,000 Facebook accounts were affected, and as many as 250,000 computers worldwide, primarily in Greece, Poland, Norway, India, Portugal and the U.S., according to a blog post* on Tuesday from Facebook's Threat Infrastructure team. The social networking site described the difficulties in shutting down the botnet, whose creators taunted Facebook through messages left on servers that were part of its network. Those behind Lecpetex launched at least 20 spam campaigns between December 2013 and last month, affecting Facebook and other online services. Some of the victims received private messages containing a ".zip" attachment containing a Java JAR file or Visual Basic script. Those files, if executed, would then retrieve other malware modules stored on remote sites. The modules were either DarkComet, a widely used remote access tool that can harvest login credentials, or variants of software that mines the virtual currency Litecoin, the team wrote. By frequently refreshing and changing the malicious attachments, Lecpetex defeated Facebook's filters designed to stop such malware from being distributed. The malware would also automatically update itself to evade antivirus products... Facebook said it reached out to other infrastructure providers and law enforcement when it realized security software wasn't alone going to foil Lecpetex..."
* https://www.facebook.com/notes/protect-the-graph/taking-down-the-lecpetex-botnet/1477464749160338
___

Cyber Armies Brute Force POS Systems
- http://intelcrawler.com/news-21
July 8, 2014 - "... identified a malicious automated network that targets Point-of-Sale software using infected computers from around the world. The underground bot army, using the project name “@-Brt”, is using thousands of peaceful and unsuspecting infected users to brute force Point-of-Sales systems in an attempt to steal login credentials. This increased trend during the past two months has been in a stealth mode since the bot activities have successfully slid under the radar of both the end user and the targeted merchants. Previous threat intelligence notifications by IntelCrawler confirmed that the interest of cybercriminals to offline and online (cloud-based / SaaS) Point-of-Sales has increased significantly of late as the use of automation and -bots- increases their chances of finding another gold mine like Target...
Administrative Interface of “@-Brt” project:
> http://intelcrawler.com/images/7c268ee5220dca4b4c0c32104a426c7e.jpg
... The “@-Brt” project was released in May 2014 in the underground as a specific type of malware for brute forcing the Point-of-Sale credentials, using collected indicators like subnet IP ranges and commonly used operators, supervisor, and back office administrator logins, some of which are default manufacturers' passwords for famous Point-of-Sale equipment, as conveniently described in the official technical documentation from particular vendors... The bad actors' distribution of the “@-Brt” botnet allows for active scanning of multiple IPv4 network ranges of specific TCP ports and parallel brute forcing of available remote administration protocols such as VNC, Microsoft RDP and PCAnywhere. The identified malware supports multithreading, which allows it to speed up the process of gaining unauthorized access to merchants for further data theft. IntelCrawler has also detected within the bot the concentration of some compromised merchants and the massive IPv4 scanning in network ranges of famous US Internet Service Providers such as AT&T Internet Services, Sonic.net and SoftLayer Technologies. There are several modifications of the “@-Brt” project, supported by several cybercriminals, using slightly different approaches to parallelism, potentially written by different authors for speed and timeout optimization. After monitoring and infiltrating the bot network, IntelCrawler’s analysts have figured out the most commonly used passwords for compromised Point-of-Sale terminals and the geographical distribution of the infected hosts for cyberattacks.
> http://intelcrawler.com/images/98dae80a700d4aaf87ead1c12a80ab99.jpg
Password distribution showed leaders with very low entropy – “aloha12345” (13%), “micros” (10%), “pos12345” (8%), “posadmin” (7%) and “javapos” (6.30%). IntelCrawler recommends strengthening passwords used for POS terminals, as well as monitoring suspicious incoming network traffic from the following countries:
> http://intelcrawler.com/images/1828bfa79e3b5854de4ee4f9c16a2aad.jpg "

- http://www.fireeye.com/blog/technical/botnet-activities-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html
July 9, 2014 - "... we found five C2 servers used by the BrutPOS botnet. Three of these servers are located on the same network in Russia; one of them is located in Iran. Only two of these servers remain active at this time...
62.109.16.195    Russia    THEFIRST-NET    Active
62.109.16.195: https://www.virustotal.com/en/ip-address/62.109.16.195/information/
92.63.99.157    Russia    THEFIRST-NET    Active
92.63.99.157: https://www.virustotal.com/en/ip-address/92.63.99.157/information/ ..."

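An added detection sketch, not part of the IntelCrawler or FireEye write-ups quoted above: because the "@-Brt"/BrutPOS bots spread their guesses over thousands of infected hosts, a per-source failed-login threshold misses them, so this aggregates failed remote-admin logins per target instead. The log format, addresses and account names are constructed for the example.

```python
# Added example, not from the IntelCrawler or FireEye write-ups: flag
# distributed RDP/VNC password guessing by aggregating failures per
# target, since the bots spread guesses over thousands of sources.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "time src dst:port result user" (documentation-range
# addresses, not real hosts).
SAMPLE_LOG = """\
2014-07-08T10:00:01 198.51.100.7 192.0.2.10:3389 FAIL administrator
2014-07-08T10:00:03 203.0.113.9 192.0.2.10:3389 FAIL posadmin
2014-07-08T10:00:04 198.51.100.21 192.0.2.10:3389 FAIL micros
2014-07-08T10:00:09 203.0.113.44 192.0.2.10:3389 FAIL aloha
2014-07-08T10:00:15 198.51.100.88 192.0.2.10:3389 FAIL supervisor
2014-07-08T10:00:20 203.0.113.61 192.0.2.10:3389 OK posadmin
2014-07-08T10:05:00 198.51.100.7 192.0.2.11:5900 FAIL admin
2014-07-08T11:00:00 203.0.113.9 192.0.2.11:5900 FAIL admin
"""

def parse(line):
    ts, src, dst, result, user = line.split()
    return datetime.fromisoformat(ts), src, dst, result, user

def detect_distributed_bruteforce(log_text, window=timedelta(minutes=1),
                                  min_failures=4, min_sources=3):
    """Return {target: summary} for targets that received at least
    min_failures failed logins from at least min_sources distinct sources
    inside one window; success_after marks a later successful login."""
    events = defaultdict(list)  # target -> [(ts, src, result, user)]
    for line in log_text.strip().splitlines():
        ts, src, dst, result, user = parse(line)
        events[dst].append((ts, src, result, user))
    hits = {}
    for dst, evs in events.items():
        evs.sort()
        fails = [e for e in evs if e[2] == "FAIL"]
        for i, (t0, _, _, _) in enumerate(fails):
            burst = [e for e in fails[i:] if e[0] - t0 <= window]
            sources = {e[1] for e in burst}
            if len(burst) < min_failures or len(sources) < min_sources:
                continue
            last = burst[-1][0]
            hits[dst] = {
                "failures": len(burst),
                "sources": len(sources),
                "users": sorted({e[3] for e in burst}),
                "success_after": any(e[2] == "OK" and e[0] >= last
                                     for e in evs),
            }
            break
    return hits
```

On the sample, only the RDP host is flagged (five failures from five sources in under a minute, followed by a successful login); the two VNC failures an hour apart are not.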

 89 
 on: July 08, 2014, 15:54:24  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Microsoft Security Advisory 2871997
Update to Improve Credentials Protection and Management
- https://technet.microsoft.com/en-us/library/security/2871997
Published: May 13, 2014 | Updated: July 8, 2014 Version: 2.0 - "Microsoft is announcing the availability of updates for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 that improve credential protection and domain authentication controls to reduce credential theft..."

Microsoft Security Advisory 2960358
Update for Disabling RC4 in .NET TLS
- https://technet.microsoft.com/en-us/library/security/2960358
Published: May 13, 2014 | Updated: July 8, 2014 Version: 1.2 - "Microsoft is announcing the availability of an update for Microsoft .NET Framework that disables RC4 in Transport Layer Security (TLS) through the modification of the system registry. Use of RC4 in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions.
Recommendation. Microsoft recommends that customers download and test the update before deploying it in their environments as soon as possible. Please see the Suggested Actions section of this advisory for more information.
Known Issues. Microsoft Knowledge Base Article 2978675* documents the currently known issues that customers may experience when installing this update. The article also documents recommended solutions for these issues..."
* https://support.microsoft.com/kb/2978675

Microsoft Security Advisory 2755801
Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
- https://technet.microsoft.com/en-us/library/security/2755801
Published: September 21, 2012 | Updated: July 8, 2014 Version: 26.0 - "Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer on all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10 and Internet Explorer 11.
Current Update: Microsoft recommends that customers apply the current update immediately using update management software, or by checking for updates using the Microsoft Update service. Since the update is cumulative, only the current update will be offered. Customers do not need to install previous updates as a prerequisite for installing the current update..."


 90 
 on: July 08, 2014, 09:29:33  
Started by AplusWebMaster - Last post by AplusWebMaster
FYI...

Flash 14.0.0.145 released
- https://helpx.adobe.com/security/products/flash-player/apsb14-17.html
July 8, 2014
CVE number:
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4671 - 6.8
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0537 - 7.5 (HIGH)
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0539 - 7.5 (HIGH)
Platform: All Platforms
Summary: Adobe has released security updates for Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.378 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions:
- Users of Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 14.0.0.145.
- Users of Adobe Flash Player 11.2.202.378 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.394.
- Adobe Flash Player 14.0.0.125 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 14.0.0.145 for Windows, Macintosh and Linux.
- Adobe Flash Player 14.0.0.125 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 14.0.0.145 for Windows 8.0.
- Adobe Flash Player 14.0.0.125 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 14.0.0.145 for Windows 8.1.
- Users of the Adobe AIR 14.0.0.110 SDK and earlier versions should update to the Adobe AIR 14.0.0.137 SDK.
- Users of the Adobe AIR 14.0.0.110 SDK & Compiler and earlier versions should update to the Adobe AIR 14.0.0.137 SDK & Compiler.
- Users of Adobe AIR 14.0.0.110 and earlier versions for Android should update to Adobe AIR 14.0.0.137...
___

- https://www.adobe.com/products/flashplayer/distribution3.html

Flash test site:
- http://www.adobe.com/software/flash/about/

AIR download:
- http://get.adobe.com/air/
___

- http://www.securitytracker.com/id/1030533
CVE Reference: CVE-2014-0537, CVE-2014-0539, CVE-2014-4671
Jul 8 2014
Impact: Disclosure of system information, Disclosure of user information, Modification of user information, Not specified, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 14.0.0.125 and prior (for Windows/Mac), 11.2.202.378 and prior (for Linux)...
Solution: The vendor has issued a fix (14.0.0.145 for Windows/Mac, 11.2.202.394 for Linux)...


Powered by SMF 1.1.19 | SMF © 2013, Simple Machines Page created in 3.642 seconds with 15 queries.