News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
 
Topic: SPAM frauds, fakes, and other MALWARE deliveries...  (Read 260176 times)
« Reply #660 on: May 17, 2012, 06:10:55 »
AplusWebMaster Offline
Global Moderator WWW

Karma: 501
Posts: 8181



FYI...

621 "Most Visited" sites are on Google's Black List
- https://threatpost.com/en_us/blogs/hijacked-web-sites-among-most-visited-googles-black-list-051512
May 15, 2012 - "Legitimate Web sites that have been -hijacked- and used to serve malicious content greatly -outnumber- malicious sites on a list of the most-trafficked sites on Google's blacklist, according to analysis by security firm Zscaler*..."

* http://research.zscaler.com/2012/05/look-at-top-websites-blacklisted.html
"Google Safe Browsing is the most popular security blacklist in use. It is leveraged by Firefox, Safari and Google Chrome. As such, being blacklisted by Google is a big deal - users of these three browsers are warned not to visit the sites and Google puts warnings in their search results... I've run Google Safe Browsing against the top 1 million (based on number of visits) websites according to Alexa. 621 of them are blacklisted by Google Safe Browsing. I've looked at the most popular to understand why they are considered malicious (charted at the Zscaler URL above). Most of the top-ranked websites that have been blacklisted are not malicious by nature, but they have been hijacked. Malicious JavaScript, similar to the code we found on a French government website, or a malicious IFRAME is generally the culprit. It is interesting to notice that Google decided to blacklist the infected site, rather than just blocking the external domain hosting the malicious content. I have also checked to see which country the blacklisted domain is hosted in. Here is the breakdown:
> http://1.bp.blogspot.com/-_Jj9WdVe8BE/T6wFhfHQJ5I/AAAAAAAAsUA/1OkHcl5IYGA/s400/blacklist-per-country.png
... Most of the blacklisted sites are hosted in the US. Western Europe (especially Germany, France and the Netherlands) is number two, followed by China (8%)... Windows users with Internet Explorer 6 and 7 get the old "iepeers.dll" exploit (a different version for each browser). No site is safe from hijacking. Personal websites and top-10,000 sites are all likely to be infected at some point."


This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
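The Zscaler write-up above says the usual cause of a legitimate site landing on the blacklist is an injected hidden IFRAME or an obfuscated script. Below is an added example (not code from Zscaler, Google or the forum) of the kind of check a site owner can run over their own pages before Safe Browsing does it for them: it parses the HTML with the standard library and flags zero-size or style-hidden frames and inline scripts that eval a %xx-decoded string. The sample page, the hosts in it and the thresholds are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a normal page with an injected hidden IFRAME and an
# obfuscated inline script, the two culprits the Zscaler post names.
# The hosts and the encoded string are made up for the example.
SAMPLE_HTML = """<html><head><title>Example shop</title>
<script src="/static/app.js"></script>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%27%29'));</script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://malicious.example/ld.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""


def _tiny(value):
    """True for width/height attributes of 0 or 1 pixel (the classic hidden frame)."""
    try:
        return value is not None and int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False


def _host(url):
    m = re.match(r"^[a-z]+://([^/:]+)", url or "", re.I)
    return m.group(1).lower() if m else None


class InjectionScanner(HTMLParser):
    """Collects (kind, location, reasons) for hidden frames and obfuscated inline scripts."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            reasons = []
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("zero/one-pixel frame")
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden by style")
            if reasons:  # only hidden frames are suspicious; note where they point
                host = _host(a.get("src"))
                if host and host != self.site_host:
                    reasons.append("points off-site to " + host)
                self.findings.append(("iframe", a.get("src", ""), reasons))
        elif tag == "script":
            self._in_script = True
            self._script_text = []

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_text)
            reasons = []
            if re.search(r"\beval\s*\(\s*(unescape|String\.fromCharCode)\b", body):
                reasons.append("eval over a decoded string")
            if len(re.findall(r"%[0-9a-fA-F]{2}", body)) > 10:
                reasons.append("long %xx-encoded payload")
            if reasons:
                self.findings.append(("script", body[:40], reasons))


def scan_html(html, site_host="shop.example"):
    """Run the scanner over one page; site_host is the host whose own frames are expected."""
    p = InjectionScanner(site_host)
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for kind, where, why in scan_html(SAMPLE_HTML):
        print(kind, where, "; ".join(why))
```

Run it against a saved copy of each page on a schedule and diff the findings; a hidden frame that was not there yesterday is the signal, since the hosting country or AS of the external host (which the Zscaler chart breaks down) matters less than the fact that your page now loads it.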
« Reply #661 on: May 17, 2012, 14:47:53 »
AplusWebMaster Offline
FYI...

Facebook worm spreads via Private Messages, Instant Messengers
- http://blog.trendmicro.com/worm-spreads-via-facebook-private-messages-instant-messengers/
May 17, 2012 - "... recently received reports about private messages found on Facebook and distributing a link, which is a shortened URL pointing to an archive file “May09-Picture18.JPG_www .facebook .com.zip”. This archive contains a malicious file named “May09-Picture18.JPG_www .facebook .com” and uses the extension “.COM”. Another noteworthy routine is that this worm downloads and executes another worm, one detected as WORM_EBOOM.AC. Based on our analysis, WORM_EBOOM.AC is capable of monitoring an affected user’s browsing activity such as message posting, deleted posted messages and private messages sent on the following websites such as Facebook, Myspace, Twitter, WordPress, and Meebo. It is also capable of spreading through the mentioned sites by posting messages containing a link to a copy of itself. Facebook and IM applications are tools to share and connect. Cybercriminals’ use of these tools is nothing new, but there are users who fall prey to these schemes. We recommend users to be conscious with their online behavior, in particular on social media sites*..."
* http://about-threats.trendmicro.com/ebooks/socialmedia-101/


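The lure in the Trend Micro report is a file whose name ends in ".JPG_www.facebook.com" so that the real extension (.COM, which Windows executes) reads like the end of a web address. Added example, not Trend Micro's or the forum's code: a mail-gateway style check that inspects archive member names without extracting anything and reports names where an executable extension sits behind a decoy picture/document extension or an embedded web address. The extension lists and the sample archive are constructed for the example; the archive member is plain text shaped like the reported name.

```python
import io
import re
import zipfile

# Extensions Windows will execute, and "document" extensions used as decoys in front of them
# (both lists are an assumption for this example, not an exhaustive catalogue).
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DECOY_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt"}
DOMAIN_IN_NAME = re.compile(r"www\.[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def classify_name(name):
    """Reasons a file name looks like an executable dressed up as a picture or document (empty list if none)."""
    lower = name.lower()
    m = re.search(r"(\.[a-z0-9]{1,4})$", lower)
    real_ext = m.group(1) if m else ""
    reasons = []
    if real_ext in EXECUTABLE_EXT:
        reasons.append("executable extension " + real_ext)
        stem = lower[: -len(real_ext)]
        if any(d in stem for d in DECOY_EXT):
            reasons.append("decoy image/document extension inside the name")
        if DOMAIN_IN_NAME.search(lower):
            reasons.append("web address embedded in the name")
    return reasons


def scan_zip(zip_bytes):
    """Inspect archive members by name only; nothing is extracted or run."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = classify_name(info.filename)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed archive shaped like the one in the report; the member content is harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("May09-Picture18.JPG_www.facebook.com", "not a program, just sample text")
        zf.writestr("readme.txt", "plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_zip()):
        print(member, "->", "; ".join(why))
```

The name check is deliberately independent of the archive: the same classify_name() can be applied to attachment names in mail headers or to the target of a shortened link once it has been expanded, which is where this campaign's users first met the file.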
« Reply #662 on: May 19, 2012, 17:08:05 »
AplusWebMaster Offline
FYI...

PHP v5.4.3 - PoC remote exploit in the wild
- https://isc.sans.edu/diary.html?storyid=13255
Last Updated: 2012-05-19 - "There is a remote exploit in the wild for PHP 5.4.3 in Windows, which takes advantage of a vulnerability in the com_print_typeinfo function. The php engine needs to execute the malicious code, which can include any shellcode like the ones that bind a shell to a port. Since there is no patch available for this vulnerability yet, you might want to do the following:
• Block any file upload function in your php applications to avoid risks of exploit code execution.
• Use your IPS to filter known shellcodes like the ones included in metasploit.
• Keep PHP in the current available version, so you can know that you are not a possible target for any other vulnerability like CVE-2012-2336* registered at the beginning of the month.
• Use your HIPS to block any possible buffer overflow in your system."
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2336

> Last: http://www.php.net/archive/2012.php#id2012-05-08-1

PHP 5.4 (5.4.3) Code Execution (Win32)
> http://www.exploit-db.com/exploits/18861/
___

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2376 - 10.0 (HIGH)

« Last Edit: May 22, 2012, 02:03:46 by AplusWebMaster »

« Reply #663 on: May 21, 2012, 09:34:33 »
AplusWebMaster Offline
FYI...

Bogus Pinterest pins lead to Survey Scams
- http://blog.trendmicro.com/bogus-pinterest-pins-lead-to-survey-scams/
May 18, 2012 - "The continuing increase in visitors to the Pinterest site may be a primary cause why it’s becoming a hit for cybercriminals’ scams and schemes. In March, we spotted scammers using popular brands to lure users into “pinning” fake posts that led to survey scams... new wave of survey scams found came from search using “pinterest” as keyword... Upon clicking the link, users are -redirected- to a Pinterest-like webpage offering prizes, vouchers, gift cards and others... Made to resemble a typical Pinterest webpage, the fake site features a search field, add+, an about. However, these are mere images and are -not- clickable... After a user fills out the fields required in the scam page, users are also required to enter their mobile numbers. Users who do provide their numbers will receive a code on their mobile phones and will continue to receive unwanted messages, charges and other scams via text message... the fake site requires an email address...
> http://blog.trendmicro.com/wp-content/uploads/2012/05/pinterest_repins_4.jpg
Users entering their email addresses are brought to complete several steps to get the supposed offer. Users receive an email claiming to be from Pinterest. The email urges the user to click on the link found in the message body to confirm the subscription. Clicking on the link redirects the user to a Pinterest-like scam page. Again, all the clickable links lead to the same scam pages..."


« Reply #664 on: May 21, 2012, 15:06:16 »
AplusWebMaster Offline
FYI...

ZeuS ransomware feature: win_unlock
- https://www.f-secure.com/weblog/archives/00002367.html
May 21, 2012 - "... new variant of ZeuS 2.x. It includes a new backdoor command called: win_unlock... this slightly modified ZeuS 2.x includes a ransomware feature. When this particular variant is executed, it opens Internet Explorer with a specific page (lex.creativesandboxs .com/locker /lock.php) and prevents the user from doing anything else with the infected system. The webpage that was opened presumably showed some type of extortion message, but it's currently unavailable because the site is offline. The most straightforward way to unlock the system is to simply delete the trojan. This can be a bit tricky since the trojan prevents doing anything with the infected system, luckily the locking itself can be easily disabled first. Looking at the code that corresponds with a received win_unlock command, it's clear the unlock information is stored to the registry. Unlocking can therefore be performed quite easily with a registry editor:
  1. boot the system in safe mode
  2. add a new key named syscheck under HKEY_CURRENT_USER
  3. create a new DWORD value under the syscheck key
  4. set the name of the new DWORD value to Checked
  5. set the data for the Checked value to 1
  6. reboot
SHA1: 03f0c26c6ba77c05152a1e0cc8bc5657f0c83119 ..."


« Reply #665 on: May 22, 2012, 03:35:30 »
AplusWebMaster Offline
FYI...

Facebook cancellation malware poses as Flash update
- http://nakedsecurity.sophos.com/2012/05/21/facebook-account-cancellation-malware-adobe-flash-update/
May 21, 2012 - "Have you received an email asking you to confirm that you wish to cancel your account? Be on your guard... reader was in touch with us earlier today, after his suspicions were aroused by an email he had received - seemingly from Facebook.
Malicious email claiming to come from Facebook:
    Hi [email address]
    We are sending you this email to inform you that we have received an account cancellation request from you. Please follow the link below to confirm or cancel this request
    Thanks,
    The Facebook Team
    To confirm or cancel this request, follow the link below:
    click here
... The link doesn't point to an official Facebook page, but a third-party application running on the Facebook platform. Of course, that means that the link -does- go to a facebook .com address - something that might fool those who are not cautious. The first thing you're likely to encounter if you did click on the link is a message asking you if you want to allow an unknown Java applet to run on your computer... they're pretty insistent that you allow it... If you hit the "No thanks" button they'll just carry on pestering you to allow the Java applet to run... They know that people value their Facebook accounts highly, and many would be upset to lose access to them and the digital connections they have built up with friends and family... If you do allow the applet to run, you will see a message telling you that Adobe Flash must be updated... the code that is downloaded is not really Adobe Flash at all. Instead, the program drops additional files into your /WIN32 folder, which have the intention of allowing remote hackers to spy on your activities and take control of your computer..."


« Reply #666 on: May 23, 2012, 03:00:34 »
AplusWebMaster Offline
FYI...

'LinkedIn Invitation’ SPAM serving exploits and malware
- http://blog.webroot.com/2012/05/22/ongoing-linkedin-invitation-themed-campaign-serving-client-side-exploits-and-malware/
May 22, 2012 - "... another round of malicious emails to millions of end and corporate users.
More details:
Once the user clicks on the link (hxxp ://hseclub .net/main.php?page=d72ac4be16dd8476), a client-side exploit, CVE-2010-1885 in particular, will attempt to drop the following MD5 on the affected host, MD5: 66dfb48ddc624064d21d371507191ff0
Upon execution the sample attempts to connect to the following hosts:
• janisjhnbdaklsjsad .ru:443 with user janisjhnbdaklsjsad .ru and password janisjhnbdaklsjsad  .ru – 91.229.91.73, AS50939, SPACE-AS
• sllflfjsnd784982ncbmvbjh434554b3 .ru – 91.217.162.42, AS29568, COMTEL-AS
• kamperazonsjdnjhffaaaae38 .ru – 91.217.162.42, AS29568, COMTEL-AS
• iiioioiiiiooii2iio1oi .ru – 91.217.162.42, AS29568, COMTEL-AS
Another malware with MD5: 4b1fce0f9a8abdcb7ac515d382c55013 is known to have used one of these C&C domains in the past, janisjhnbdaklsjsad .ru in particular..."
> https://webrootblog.files.wordpress.com/2012/05/linkedin_invitations_exploits_malware.png
___

- http://www.google.com/safebrowsing/diagnostic?site=AS:50939
"... this network has hosted sites that have distributed malicious software in the past 90 days. We found 26 site(s)... that infected 42 other site(s)..."

- http://www.google.com/safebrowsing/diagnostic?site=AS:29568
"... this network has hosted sites that have distributed malicious software in the past 90 days. We found 668 site(s)... that infected 544 other site(s)..."

« Last Edit: May 23, 2012, 03:35:58 by AplusWebMaster »

« Reply #667 on: May 23, 2012, 06:48:43 »
AplusWebMaster Offline
FYI...

Trojan bypasses mobile security to steal from Online Banking users ...
- https://www.trusteer.com/blog/tatanga-trojan-bypasses-mobile-security-steal-money-online-banking-users-germany
May 22, 2012 - "... a complex new criminal scheme involving the Tatanga Trojan that conducts an elaborate Man in the Browser (MitB) attack to bypass SMS based transaction authorization to commit online banking fraud. The scam targets online banking customers of several German banks. When the victim logs on to the online banking application, Tatanga uses a MitB webinject that alleges the bank is performing a security check on their computer and ability to receive a Transaction Authorization Number (TAN) on their mobile device. In the background, Tatanga initiates a fraudulent money transfer to a mule account. It even checks the victim’s account balance, and will transfer funds from the account with the highest balance if there is more than one to choose from. The victim is asked to enter the SMS-delivered TAN they receive from the bank into the fake web form, as a way to complete this security process. By entering the TAN in the injected HTML page the victim is in fact approving the fraudulent transaction originated by Tatanga against their account. Even though the victim is presented with the fund transfer amount and the destination account information in the SMS message that contains the TAN, the injected HTML page claims that the process uses “experimental” data and that no money will leave their account... Once the victim enters the TAN in the fake form and hits submit, the funds are transferred to the fraudster’s account. Meanwhile, Tatanga modifies the account balance reports in the online banking application to hide the fraudulent transaction...  By combining a MitB attack and social engineering, Tatanga is able to circumvent out-of-band authentication used by many banks. Then it goes one step further by hiding evidence of the fraudulent transaction from the victim using a post transaction attack mechanism. Fortunately, the text in the injected HTML page is littered with grammar and spelling mistakes and appears not to have been written by a German speaker... 
they are blending multiple attack methods in a single fraud scam... However, they still need to compromise the endpoint with malware, which can be prevented."

« Last Edit: May 24, 2012, 05:55:00 by AplusWebMaster »

« Reply #668 on: May 29, 2012, 03:23:42 »
AplusWebMaster Offline
FYI...

Flame: Questions and Answers
- https://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers
May 28, 2012 - "... Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators. Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage..."
(More detail at the Kaspersky URL above.)

> https://www.securelist.com/en/images/pictures/klblog/208193524.png

- http://www.symantec.com/connect/blogs/flamer-highly-sophisticated-and-discreet-threat-targets-middle-east
May 28, 2012 - "... Several component files have been identified. These are:
• advnetcfg.ocx
• ccalc32.sys
• mssecmgr.sys
• msglu32.ocx
• boot32drv.sys
• nteps32.ocx ..."

- https://www.f-secure.com/weblog/archives/00002371.html
May 28, 2012
> https://www.f-secure.com/weblog/archives/flame.png

- http://community.websense.com/blogs/securitylabs/archive/2012/05/29/flame-flamer-skywiper.aspx
29 May 2012
___

- http://www.symantec.com/connect/blogs/painting-picture-w32flamer
30 May 2012 - "... Full understanding of W32.Flamer requires analyzing each of the approximately 60 embedded Lua scripts, reversing each of the sub-components, and then building this all back together..."
___

UN to warn member nations on risk of Flame virus
- http://atlas.arbor.net/briefs/index#-264998726
Severity: Elevated Severity
May 30, 2012
Analysis: ... the threat from this malware or any other malware with the same types of capabilities can be significant, depending upon the motives of those driving the attack campaigns. Nation states may be involved and using this toolkit for spying purposes, but there is no clear attribution at this stage.
Source: http://www.reuters.com/article/2012/05/29/cyberwar-flame-idUSL1E8GT7X120120529

« Last Edit: May 31, 2012, 12:50:06 by AplusWebMaster »

« Reply #669 on: May 30, 2012, 15:43:33 »
AplusWebMaster Offline
FYI...

CareerBuilder fake SPAM serves exploits and malware
- http://blog.webroot.com/2012/05/30/spamvertised-careerbuilder-themed-emails-serving-client-side-exploits-and-malware/
May 30, 2012 - "... Cybercriminals are currently spamvertising millions of emails impersonating the popular jobs portal CareerBuilder in an attempt to trick users into clicking on client-side exploits serving links... they’re spamvertising a binary that’s largely detected by the security community...
Spamvertised URL: hxxp ://karigar .in/car.html
Client-side exploits served: CVE-2010-0188 and CVE-2010-1885
Malicious client-side exploitation chain: hxxp ://karigar .in/car.html ->  hxxp ://masterisland .net/main.php?page=975982764ed58ec3 ->  hxxp ://masterisland  .net/data/ap2.php -sometimes- hxxp ://strazdini.net/main.php?page=c6c26a0d2a755294 is also included in the redirection.
Upon successful exploitation it drops the following MD5: 518648694d3cb7000db916d930adeaaf
Upon execution it phones back to the following URLs/domains:
zorberzorberzu .ru/mev/in/ (146.185.218.122)
prakticalcex .ru – 91.201.4.142
nalezivmordu .in
internetsexcuritee4dummies .ru
Thanks to the overall availability of malware crypting on demand services, we believe that it’s only a matter of time before the cybercriminals behind this campaign realize that they’re spamvertising an already detected executable, crypt it and spamvertise it once again this time successfully slipping it through signatures-based antivirus scanning solutions..."


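The Webroot write-ups in this post and in the LinkedIn one (Reply #666) list their indicators in a defanged form ("hxxp ://", "domain .ru", IP, ASN, MD5) that is meant to be read, not pasted into a blocklist. Added example, not Webroot's or the forum's code, that serves both posts: it collapses the defanging, pulls domains with their port, the IP and ASN quoted on the same line, the MD5s and the CVE, and groups domains that share an IP (the three COMTEL-AS domains on one address are one firewall rule, not three). The input is the indicator text quoted above, embedded as a constructed sample; the TLD list is an assumption chosen to fit it.

```python
import re

# Constructed input: the indicator lines quoted from the two Webroot posts, in their
# defanged style. Keeping "hxxp" in the output means nothing here is clickable.
SAMPLE = """Once the user clicks on the link (hxxp ://hseclub .net/main.php?page=d72ac4be16dd8476), a client-side exploit, CVE-2010-1885 in particular, will attempt to drop the following MD5 on the affected host, MD5: 66dfb48ddc624064d21d371507191ff0
• janisjhnbdaklsjsad .ru:443 with user janisjhnbdaklsjsad .ru and password janisjhnbdaklsjsad  .ru – 91.229.91.73, AS50939, SPACE-AS
• sllflfjsnd784982ncbmvbjh434554b3 .ru – 91.217.162.42, AS29568, COMTEL-AS
• kamperazonsjdnjhffaaaae38 .ru – 91.217.162.42, AS29568, COMTEL-AS
• iiioioiiiiooii2iio1oi .ru – 91.217.162.42, AS29568, COMTEL-AS
Upon successful exploitation it drops the following MD5: 518648694d3cb7000db916d930adeaaf
zorberzorberzu .ru/mev/in/ (146.185.218.122)
prakticalcex .ru – 91.201.4.142
internetsexcuritee4dummies .ru
"""

# Assumption: only these TLDs are treated as domains, which keeps "main.php" and "car.html" out.
TLDS = ("ru", "in", "net", "com", "org", "info", "biz", "us", "uk")
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:%s))\b(?::(\d{1,5}))?" % "|".join(TLDS), re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ASN_RE = re.compile(r"\bAS(\d+)\b")
MD5_RE = re.compile(r"\b[a-f0-9]{32}\b")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def refang(line):
    """Collapse the defanging spaces: 'hxxp ://x .ru' -> 'hxxp://x.ru' (hxxp is kept on purpose)."""
    line = re.sub(r"hxxp(s?)\s*://", r"hxxp\1://", line, flags=re.I)
    return re.sub(r"\s+\.\s*(?=[a-z0-9])", ".", line, flags=re.I)


def extract_iocs(text):
    """Per-line domain records (domain, port, IP and ASN quoted on that line) plus hashes and CVEs."""
    records, hashes, cves = [], set(), set()
    for raw in text.splitlines():
        line = refang(raw)
        hashes.update(MD5_RE.findall(line))
        cves.update(CVE_RE.findall(line))
        ips = IP_RE.findall(line)
        asns = ASN_RE.findall(line)
        seen = set()
        for m in DOMAIN_RE.finditer(line):
            dom = m.group(1).lower()
            if dom in seen:        # the same domain repeated as user/password on one line
                continue
            seen.add(dom)
            records.append({
                "domain": dom,
                "port": int(m.group(2)) if m.group(2) else None,
                "ip": ips[0] if ips else None,
                "asn": int(asns[0]) if asns else None,
            })
    return {"records": records, "md5": sorted(hashes), "cve": sorted(cves)}


def group_by_ip(records):
    """Domains sharing an IP, in first-seen order: shared infrastructure is one block rule."""
    groups = {}
    for r in records:
        if r["ip"]:
            groups.setdefault(r["ip"], []).append(r["domain"])
    return groups


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE)
    for ip, doms in group_by_ip(iocs["records"]).items():
        print(ip, "->", ", ".join(doms))
    print("hashes:", iocs["md5"], "cve:", iocs["cve"])
```

The records keep port and ASN because the two posts show the same AS hosting many malicious sites (Google's diagnostic for AS29568 counts 668 of them), so a proxy rule on the AS ranges is often a better fit than a list of throwaway .ru names.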
« Reply #670 on: May 31, 2012, 01:53:41 »
AplusWebMaster Offline
FYI...

Pharma SPAM on Dropbox
- http://www.gfi.com/blog/pharmacy-spam-lurks-on-dropbox/
May 31, 2012 - "Pharma Spam pages sometimes pop up on Dropbox accounts (along with more dubious content*, if you’re really unlucky), and it seems we have another one lining up to sell you some pills.
> http://www.gfi.com/blog/wp-content/uploads/2012/05/dropboxpillspam11.jpg
Clicking through will take the end-user to a typically generic pills website:
> http://www.gfi.com/blog/wp-content/uploads/2012/05/dropboxpillspam2.jpg
... the best advice would be “don’t bother” (especially if it involves random spam in your mailbox)..."
* http://www.gfi.com/blog/dont-cash-this-cheque/


« Reply #671 on: June 02, 2012, 03:30:56 »
AplusWebMaster Offline
FYI...

Small 20K trojan does damage
- http://h-online.com/-1588948
1 June 2012 - "Security experts at CSIS* say that they have discovered the smallest online banking trojan yet. Called Tiny Banker (Tinba), the malware is just barely 20KB in size, including its configuration files. Like Zeus, Tinba uses man-in-the-browser techniques and easily extendable configuration files to manipulate bank web sites via webinjects. Webinjects can be used, for example, to create additional fields for numerical single-use passwords that the attackers can then leverage to authorise fraudulent payments. Tinba can also uncover standard passwords and monitor network traffic. Tinba is a bot in the classical sense; it uses an encoded connection to deliver data it has collected to a command and control server, which in turn gives the bot new orders. According to CSIS, Tinba has only been used on a very small number of banking web sites so far, but its modular structure means that the perpetrators should not have any problems adding other sites to that list."
* https://www.csis.dk/en/csis/news/3566/


« Reply #672 on: June 05, 2012, 04:15:45 »
AplusWebMaster Offline
FYI...

Fake Facebook SPAM e-mails...
- http://blog.commtouch.com/cafe/anti-spam/reset-your-facebook-password-%E2%80%93-and-visit-wikipharmacy/
June 4, 2012 - "Using phony Facebook emails to draw recipients to pharmacy websites is not a new trick... this is no ordinary Viagra shop – it’s the WikiPharmacy! The phony Facebook emails and the pharmacy destination are shown below...
> http://blog.commtouch.com/cafe/wp-content/uploads/Facebook-wikipharmacy-images.jpg
... the links in the emails above lead to compromised websites. These unknowingly host -redirects- to the WikiPharmacy...
Email text:
'You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 3 ago.  This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.
If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team
...' "
___

Facebook privacy notice chain letter - hoax
- http://nakedsecurity.sophos.com/2012/06/05/facebook-privacy-notice-chain-letter-is-a-hoax/
June 5, 2012 - "... messages are simply another chain letter type hoax pinned upon wishful thinking. If you are uncomfortable with Facebook monetizing your content or making your content available to the US government you either need to avoid posting the content to Facebook, or more carefully control your privacy settings and hope the authorities don't seek a court order for your information. If you receive one of these messages from a friend, kindly notify them that it is not legally valid. You might also suggest they check with Snopes* or the Naked Security Facebook page** before propagating myths."
* http://www.snopes.com/computer/facebook/privacy.asp

** http://www.facebook.com/SophosSecurity

« Last Edit: June 05, 2012, 06:20:35 by AplusWebMaster »

« Reply #673 on: June 07, 2012, 08:02:14 »
AplusWebMaster Offline
FYI...

284,000 WordPress sites hacked? Probably not.
- http://blog.commtouch.com/cafe/malware/284000-wordpress-sites-hacked-probably-not/
June 6, 2012 - "This Amazon order confirmation email is a fake:
> http://blog.commtouch.com/cafe/wp-content/uploads/Amazaon-account-malware-phony-email.jpg
Every link leads to malware. Every link leads to a different compromised WordPress site. And they all seem to be using one of the most common WordPress theme directories – check out the links:
http ://maximconsulting .us/wp-content/themes/twentyten/—e.html
http ://hampsteadelectrician .com/wp-content/themes/twentyten/—e.html
http ://mormonwomenvoices .com/wp-content/themes/twentyten/—e.html
http ://steppingstones-online .co.uk/wp-content/themes/twentyten/—e.html ... etc.
Notice a trend? – The evil redirect html file (—e.html) is located in the “twentyten” theme directory of all of these sites – and all of the sites we checked in every other version of the phony Amazon order. A Google search tells us that there are 284,000 sites with a similar structure:
> http://blog.commtouch.com/cafe/wp-content/uploads/Amazaon-account-malware-wordpress-themes.jpg
... this does not indicate an issue with the theme itself. Chances are that the exploit that has allowed hackers to take over these sites is in a plugin or maybe (less likely) the CMS itself. Using the “twentyten” directory is a safe bet for a hacking script since almost every WordPress installation will have it. The malware targets known Adobe Reader and Acrobat exploits."


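The Commtouch post above turns on one observation: the planted redirect page is an .html file inside wp-content/themes/twentyten/, a directory that exists on almost every WordPress install but whose contents are PHP, CSS, JavaScript, images and translation files, not standalone HTML landing pages. Added example (not Commtouch's or WordPress's code) with two sides of that observation: a mail-side check that flags links whose path is an .html file in a theme directory, and a host-side audit that lists files in a theme directory whose extension a theme does not normally contain. The link list reuses the URLs quoted above (refanged); the fourth link, the allowed-extension set and the temporary sample install are constructed for the example.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Constructed: the link targets quoted from the Commtouch post, refanged, plus one
# ordinary-looking control link that should not be flagged.
EMAIL_LINKS = [
    "http://maximconsulting.us/wp-content/themes/twentyten/—e.html",
    "http://hampsteadelectrician.com/wp-content/themes/twentyten/—e.html",
    "http://mormonwomenvoices.com/wp-content/themes/twentyten/—e.html",
    "http://www.amazon.com/gp/css/order-history",
]

THEME_PATH_RE = re.compile(r"^/wp-content/themes/([^/]+)/([^/]+\.html?)$")

# Assumption: what a stock theme directory legitimately contains.
THEME_FILE_EXT = {".php", ".css", ".js", ".png", ".jpg", ".gif", ".txt", ".po", ".mo", ".pot", ".md"}


def suspicious_theme_links(urls):
    """(host, theme, file) for every link whose path is an .html page inside a theme directory."""
    hits = []
    for u in urls:
        parsed = urlparse(u)
        m = THEME_PATH_RE.match(parsed.path)
        if m:
            hits.append((parsed.netloc, m.group(1), m.group(2)))
    return hits


def audit_theme_dir(theme_dir):
    """Files under a theme directory whose extension is not one a theme normally ships."""
    odd = []
    for root, _dirs, files in os.walk(theme_dir):
        for f in files:
            ext = os.path.splitext(f)[1].lower()
            if ext not in THEME_FILE_EXT:
                odd.append(os.path.relpath(os.path.join(root, f), theme_dir))
    return sorted(odd)


def build_sample_install():
    """Constructed: a temp directory shaped like wp-content/themes/twentyten with one planted page."""
    base = tempfile.mkdtemp()
    theme = os.path.join(base, "wp-content", "themes", "twentyten")
    os.makedirs(theme)
    for name in ("style.css", "index.php", "functions.php"):
        open(os.path.join(theme, name), "w").close()
    with open(os.path.join(theme, "—e.html"), "w") as fh:
        # placeholder redirect target; the real pages led to Adobe Reader exploits
        fh.write("<meta http-equiv='refresh' content='0;url=http://redirect.example/'>")
    return theme


if __name__ == "__main__":
    for host, theme, page in suspicious_theme_links(EMAIL_LINKS):
        print("mail link:", host, theme, page)
    print("odd files in theme dir:", audit_theme_dir(build_sample_install()))
```

Point audit_theme_dir at every directory under wp-content/themes, not just twentyten: the post's own conclusion is that the theme is simply a convenient place to drop the file, so the same check applies wherever a compromised plugin or core gives write access.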
« Reply #674 on: June 08, 2012, 07:06:37 »
AplusWebMaster Offline
FYI...

Flame self-destruct cmd sent ...
- http://www.symantec.com/connect/blogs/flamer-urgent-suicide
6 Jun 2012 - "Late last week, some Flamer command-and-control (C&C) servers sent an updated command to several compromised computers. This command was designed to completely remove Flamer from the compromised computer. The Flamer attackers were still in control of at least a few C&C servers, which allowed them to communicate with a specific set of compromised computers. They had retained control of their domain registration accounts, which allowed them to host these domains with a new hosting provider. Compromised computers regularly contact their pre-configured control server to acquire additional commands. Following the request, the C&C server shipped them a file named browse32.ocx. This file can be summarized as the module responsible for removing Flamer from the compromised computer. One could also call it the "uninstaller".
The browse32.ocx module has two exports:
1. EnableBrowser — This is the initializer, which sets up the environment (mutex, events, shared memory, etc.) before any actions can be taken.
2. StartBrowse — This is the part of the code that does the actual removal of the Flamer components.
The module contains a long list of files and folders that are used by Flamer. It locates every file on disk, removes it, and subsequently overwrites the disk with random characters to prevent anyone from obtaining information about the infection..."

- https://blog.opendns.com/images/stats-domain-med.png
Jun 1st, 2012

« Last Edit: June 22, 2012, 07:24:18 by AplusWebMaster »

 