Thursday, November 22, 2007

Virus Definition Updates 22/11/2007

AVG Anti-Virus Free Edition 7.5
Download AVG AVI:269.16.4.1
Download AVG AVI:269.164.2
Download AVG AVI:269.16.4.3
Download AVG IAVI:1145
Version: -
Date: 22/11/2007

AntiVir PersonalEdition Classic
Download AntiVir IVDF
Version: 7.00.00.248
Date: 22/11/2007

Avast! 4 Home Edition
Download Avast VPS
Version: 071121-0
Date: 21/11/2007

Symantec
Download Norton VDU
Version: 91121b
Date: 21/11/2007
Supports the following versions of Symantec antivirus software:
Norton AntiVirus 2003 Professional Edition
Norton AntiVirus 2003 for Windows 98/Me/2000/XP Home/XP Pro
Norton AntiVirus 2004 Professional Edition
Norton AntiVirus 2004 for Windows 98/Me/2000/XP Home/XP Pro
Norton AntiVirus 2005 for Windows 98/Me/2000/XP Home/XP Pro
Norton AntiVirus 2006 for Windows 2000/XP Home/XP Pro
Norton AntiVirus 2007 for Windows XP Home/XP Pro/Vista
Norton AntiVirus for Microsoft Exchange (Intel)
Norton SystemWorks (all versions)
Norton Utilities for Windows 95/98 (all versions)
Symantec AntiVirus 3.0 for CacheFlow Security Gateway
Symantec AntiVirus 3.0 for Inktomi Traffic Edge
Symantec AntiVirus 3.0 for NetApp Filer/NetCache
Symantec AntiVirus 8.0 Corporate Edition Client
Symantec AntiVirus 8.1 Corporate Edition Client
Symantec AntiVirus 9.0 Corporate Edition Client
Symantec AntiVirus 10.0 Corporate Edition Client
Symantec AntiVirus 10.1 Corporate Edition Client
Symantec AntiVirus 10.2 Corporate Edition Client
Symantec Mail Security for Domino v 4.0
Symantec Mail Security for Domino v 5.0

Firefox 2 Security Update Coming

InformationWeek 21/11/2007
Website: http://www.informationweek.com

Even as Firefox 3 moves into beta, Firefox 2 is getting a security makeover.

The Mozilla Quality Assurance Community has called for volunteers to help test Release Candidate Builds of Firefox 2.0.0.10, which is expected to be released next week, following the Thanksgiving holiday.

Firefox 2.0.0.10 addresses a Java Archive handling bug that was first reported back in February. The vulnerability allows an attacker to conduct a cross-site scripting attack by hiding exploit code in a Java Archive (.jar) file. This is because the jar: protocol handler is not restricted to .jar files and will also open .zip files, which can be malicious.

"In simple terms, [this] means that any application which allows upload of .jar/.zip files is potentially vulnerable to a persistent cross-site scripting," said Petko Petkov, founder of security consultancy gnucitizen.org, in a blog post earlier this month. "Potential targets for this attack include applications such as Web mail clients, collaboration systems, document sharing systems, almost everything that smells like Web 2.0, etc., etc., etc."

The browser update also addresses a redirection bug related to .jar/.zip files.

The Mozilla Security Blog notes that this exploit has been demonstrated to work against Gmail as a way to access the victim's stored contacts.

"In future versions Firefox will only support the jar scheme for files that are served with the correct application/java-archive MIME type," says the Mozilla Security Blog. "Firefox will also adjust the security context to recognize the final site as the source of the content. This will be addressed in Firefox 2.0.0.10, which is currently in testing."
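The browser-side fix above restricts jar: to the application/java-archive MIME type; the application-side counterpart is to stop treating user uploads as harmless just because of their extension. The following is an added example, not code from the article, Mozilla or Petkov: it recognises zip containers (which is what .jar files are) by their signature, flags archives that carry renderable entries, and chooses response headers that force archives to download. The extension list and the three-way policy are this example's own assumptions.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # zip local-file-header signature; .jar files are zip files
# Assumed list of member types a browser would render as script-bearing documents.
ACTIVE_EXTENSIONS = (".html", ".htm", ".xhtml", ".js", ".svg", ".xml")


def is_zip_container(data: bytes) -> bool:
    """True if the upload is a zip archive, whatever its filename extension says.
    The jar: bug hinged on the handler accepting any zip, so the extension is no guide."""
    return data[:4] == ZIP_MAGIC


def active_entries(data: bytes) -> list[str]:
    """Archive members that a browser could render as a document once the archive
    is addressed through jar:. Unreadable archives yield an empty list."""
    if not is_zip_container(data):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(ACTIVE_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def classify_upload(data: bytes) -> str:
    """Assumed policy for uploads stored on the application's own origin:
    'reject'        zip archive carrying renderable entries (persistent XSS vector)
    'download-only' any other zip archive; serve as an attachment, never inline
    'inline-ok'     not an archive; subject to the usual per-type validation"""
    if not is_zip_container(data):
        return "inline-ok"
    return "reject" if active_entries(data) else "download-only"


def response_headers(data: bytes) -> dict[str, str]:
    """Headers for serving a stored upload. Archives are labelled
    application/octet-stream, so a browser that restricts jar: to
    application/java-archive will not treat them as archives, and every
    upload is forced to download rather than render on the app origin."""
    if is_zip_container(data):
        return {"Content-Type": "application/octet-stream",
                "Content-Disposition": "attachment"}
    return {"Content-Disposition": "attachment"}  # add the validated Content-Type


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Constructed test archive for the demo; member bodies are placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    hostile = build_sample_zip({"index.html": b"<html>constructed page</html>"})
    benign = build_sample_zip({"README.txt": b"constructed archive"})
    for label, blob in (("hostile", hostile), ("benign", benign), ("text", b"plain text")):
        print(label, classify_upload(blob), response_headers(blob))
```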


MySpace Hacker Tells His Story

PC World 20/11/2007
Website: http://www.pcworld.com

If Samy Kamkar plays his cards right, he may be allowed to visit MySpace again in just a few months. For the time being, however, he's not even allowed to touch a computer, following a January 2007 guilty plea for creating what many consider to be the first Web 2.0 worm: the Samy worm.

Samy's worm wasn't malicious, but it did force News Corp.'s MySpace social-networking site to shut down in late 2005 after forcing more than 1 million users to declare Samy a "hero" on their profile pages.

Last week, Samy, who is now 21, made his first public appearance since his conviction, attending the OWASP App Sec 2007 conference, hosted by eBay, in San Jose, California. He was treated like a celebrity at the show, but there were some complications. Under the terms of his plea agreement, he can only use computers for work, so he was forced to show slides that he'd dictated to a friend on a computer that was operated by a conference staffer.

It's not easy being a computer geek cut off from computers, but if Samy remains a model parolee, he could be allowed to use computers again in a couple of months. He talked to IDG News Service about what life has been like since his arrest and what he plans to do as soon as he's online again.

IDGNS: What were you thinking when you wrote the Samy worm?

Kamkar: When I wrote the worm, it initially wasn't a worm. Initially I was just trying to spruce up my MySpace profile. I also wanted to show off to a couple of friends, so I thought 'wouldn't it be cool if I did this? What if I made some of these people add me as a friend automatically?' Then I figured, 'what if I made them add me as a hero?' So I wrote a little code and what ended up happening is whenever someone viewed my profile, they would automatically add 'But most of all, Samy is my hero' at the end of their hero section on their profile. And after that, I thought, 'If I can make this person my friend, if I can make myself their hero, couldn't I just copy this code onto their profile?'

I didn't think this would be a big deal, so I tried it out. I thought maybe I'll get one friend tomorrow and a few in maybe a few days. It went quickly. Apparently, MySpace is a bigger place than I assumed.

IDGNS: How hard was it to write the worm?

Kamkar: I'm not a Web application security expert, but I'm into security and I'm into Web applications. As a programmer, it wasn't too much to learn how to use AJAX, which really helped make the worm work and proliferate really quickly. It only took a few days to write the thing from start to finish and it was only in the last day that I thought that this could be a worm.

IDGNS: Do you think it would be easy to write another MySpace worm now?

Kamkar: It would be much harder to write a MySpace worm right now just because they've added so many restrictions, but it's always possible and there are so many other sites that these exploits are available on. So it could still happen.

I think that more worms are going to come out. I've heard of more worms trying to take off using the same code base that I wrote, and just changing a few things. Luckily restrictions have really prevented those from working out too well. But yeah, from here on out, I think worms are only going to get more advanced.

IDGNS: What's your life been like since you pleaded guilty in this case last January?

Kamkar: My life has been a bit different. I have computer restrictions now, so I can only use computers for work purposes. I also serve community service and I'm on probation. So on top of the restitution, it's a little more than a slap on the wrist.

IDGNS: The worm you wrote was fairly innocuous. It just made you really popular on MySpace. How do you feel about being indicted for this?

Kamkar: Well, I didn't have malicious intent writing the worm. I understand that it was a big example of what you shouldn't be doing, so I think if I were in their shoes, maybe I'd do the same thing. Maybe I'd say, 'Well that guy got a lot of press. He's showing, this is how you hack a Web site and this is how you write a worm, and we want to make sure people don't do that.'

And I agree that people shouldn't be doing that and I shouldn't have released that. So I sort of see it on both sides.

IDGNS: Do you regret doing it?

Kamkar: I wish I could take it back.

IDGNS: What's the first thing you're going to do when you're free to use a computer again?

Kamkar: The first thing I'm going to do when I can use a computer again is probably just get back into development on the site and write projects that are interesting to me and non-malicious. No more worms.

IDGNS: Would you work for MySpace if they wanted you to?

Kamkar: I think in the future, I'd be happy to help out because they actually provide a pretty cool site. Right now, I'm involved in one project with one company, but in the future, that's definitely an option.

Tuesday, November 13, 2007

MySpace Still Denies Security Holes

News Factor Network 12/11/2007
Website: http://www.newsfactor.com

Alicia Keys' MySpace page isn't the only profile to be hacked with malware. Some 8,000 band profiles have been hacked in the exact same way -- and many of those profiles are still linked to malware sites, according to security researcher Chris Boyd, who first posted information about the attack on October 31.

MySpace has denied that there is a security problem with the social-networking site, saying that the bands that were hacked fell victim to phishing attacks, which compromised their profile passwords.

Writing on his VitalSecurity blog, Boyd said MySpace's explanation defies rational thinking. "This is patently nonsense," Boyd wrote. "What -- an endless stream of bands, record labels, music newspapers, and producers all woke up yesterday and forgot what the real MySpace Web site looks like? Give me a break."

'Bubbling Scum of Malware'

The fact that Keys' profile was rehacked after MySpace announced it had been cleaned belies the notion that phishing is responsible, said Andrew Storms, director of security operations for nCircle. "I tend to agree that there is a yet-to-be-reported problem with MySpace," Storms said. "MySpace has gotten a bad rep as a bubbling scum of malware," he added. "It's where people go to incubate their malware."

In the so-called Alicia Keys hack, malware authors inserted a very large transparent background image on the site, linked to the malware being hosted in China. "It's a classic drive-by attack," Storms said. "The user doesn't even have to click." Simply by mousing over the page, users are inviting the malware onto their system.

"The first attempt is to install it automatically," Storms said. If that doesn't work, the malware presents a prompt, saying that a new codec is needed to play a video. By default, browsers are set to prompt the user before installing software, but they also present an option to download automatically, which many users choose, Storms said.

"You know a site has got problems when the only surefire solution to not be subjected to hack attacks and dubious redirects is to not use it. But that's currently where we are. Well played, MySpace," Boyd wrote on his blog.

MySpace Should Act Soon

Making matters worse, MySpace has simply deleted many affected bands' profiles, including their content and friend information, without so much as a warning, according to press reports. Vaughn Atkinson, guitarist with the British band JetKing, said MySpace deleted the band's profile and has refused to restore it from backup. Many little-known bands are in similar straits, Boyd said.

"So you can imagine how angry a lot of these bands are when they've gone and built that complex network of friends, people who spread the word about their music, promoters, upcoming shows, and a lot more besides and then -- whoops. No more MySpace page."

As this story continues to grow, Storms said, MySpace will have to take action. "MySpace is going to have to come out soon with some more information," he said. "They're going to have to say we've identified the security problem and it's been fixed or we've reset all these profiles -- or both."

While to some degree bands "get what they pay for" -- nothing, in this case -- MySpace should treat all users the same, Storms added. "If this kind of hacking continues, they're going to have to offer some sort of user-initiated rollback," he said.


Some Ad Networks Are Bad News

By Larry Seltzer - eWEEK


You wouldn't go surfing to just any site. You're careful about where you go. You only go to sites you trust.

But who are you trusting? A series of recent attacks has resulted in seemingly respectable news sites serving malware and redirecting users to sites that serve malware.

The problem is in the ads on those news sites. The ads are served by advertising networks that weren't careful enough with their own security. When you trust a Web site you have to trust everyone it's in bed with.

The first one I became aware of was YNet, an Israeli news site. Don't go to that site just yet. The Ynetnews.com site I read is in English. The Hebrew site at ynet.co.il is far more popular, in fact the most popular news site in Israel. It is the Internet site for Yedioth Ahronoth, a very large Israeli newspaper.

About two weeks ago I noticed that after going to the page from a bookmark that had only the domain name in it I was redirected to a different site on the domain malware-scan.com, a classic "rogue anti-spyware" site that I recognized from prior experience. There are a variety of scams that come from this domain, but this one said that my system was infected with malware and that they could scan it. The browser window shrinks down to dialog box size to give the appearance of a dialog box. You can't cancel out; no matter what you do (other than killing the process in Task Manager) you are brought to the "scanning" Web site, where your system is faux-scanned, and lots of malware is found on it.

I've observed this attack many times now, both through up-to-date versions of Internet Explorer and Firefox. Sometimes the "app" being pushed is a "performance optimizer" rather than a malware scanner, but in any event it's malware. Kaspersky Antivirus on my system recognized it as "not-virus.Hoax.Win32.Renos.kd." I got a lot of analysis help from the ubiquitous Gadi Evron, from independent analyst Thor Larholm and from Adam Thomas of Sunbelt Software.

The redirect came from code in one of the many ad sections in the Ynetnews.com home page. The code in this page is disturbingly complex and contains a large number of IFRAME tags, many to other domains. An IFRAME tells the browser to go to some other site and read in the HTML from there. This is an example of what is called transitive trust: I trusted Ynet, it trusted its ad providers, therefore I trusted those ad providers. Big mistake. The attack is still up and running as of Sunday, Nov. 11. Incidentally, the actual attack came through Flash code on one of the ad domains (adtraff.com) that performed the redirect.
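An inventory of which outside hosts a page hands control to is the first check a site owner can run on the transitive-trust problem described above. This is an added example, not Ynet's markup or the column's own code: it parses a constructed page and lists every host, other than the first-party domain, that an IFRAME, SCRIPT, EMBED or OBJECT pulls from. The sample HTML and domain names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page fragment: a first-party page that pulls an ad iframe, a
# script library and a Flash movie from domains the site does not control.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="http://static.example.com/lib.js"></script>
</head><body>
<iframe src="http://ads.example.net/slot?id=1" width="300" height="250"></iframe>
<iframe src="http://ads.example.net/slot?id=2"></iframe>
<object data="http://cdn.example.org/banner.swf" type="application/x-shockwave-flash"></object>
<embed src="http://cdn.example.org/banner.swf" type="application/x-shockwave-flash">
</body></html>
"""


class EmbedCollector(HTMLParser):
    """Records every element that makes the browser fetch and run content from a URL."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "frame", "script", "embed") and a.get("src"):
            self.sources.append((tag, a["src"]))
        elif tag == "object" and a.get("data"):
            self.sources.append((tag, a["data"]))


def same_site(host: str, first_party: str) -> bool:
    """Exact match or a subdomain of the first-party domain."""
    return host == first_party or host.endswith("." + first_party)


def third_party_hosts(html: str, first_party: str) -> dict[str, set[str]]:
    """Map each host outside the first-party domain to the element types that
    load from it. Relative URLs have no host and are first-party by definition."""
    parser = EmbedCollector()
    parser.feed(html)
    hosts: dict[str, set[str]] = {}
    for tag, url in parser.sources:
        host = urlparse(url).hostname
        if host and not same_site(host, first_party):
            hosts.setdefault(host, set()).add(tag)
    return hosts


if __name__ == "__main__":
    for host, tags in sorted(third_party_hosts(SAMPLE_HTML, "example.com").items()):
        print(f"{host}: {', '.join(sorted(tags))}")
```

The listing shows only the first hop; each third-party frame can in turn embed further domains, which is exactly the chain the column describes, so the same audit has to be run on what each listed host actually serves.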

And Ynet isn't the only news site to be infected with this plague. It's spreading. Tucson Newspapers had a similar attack. That attack, according to a report, was on the site for 10 to 18 days. They say, "Our people reacted very quickly," which seems to be a contradiction.

A third attack, on the Boston Herald, was reported to have come in through a Flash ad on advertising.com. I've confirmed that the attack is still on the advertising.com site, although it's not clear that that specific Flash movie is actually being served on any advertising.com customer sites.

The malware-scan.com attack itself is interesting enough (yawn!), but I'm basically interested in how legitimate news organizations got to include such obviously undesirable content on their sites. Not only does the attack itself subject the user to malware, but it takes them away from the news site. And yet Ynet hasn't bothered yet to do anything about it, at least as far as I can tell.

In all of these news site cases, I've seen the redirect performed through the same Flash movie mechanism, but I think the movie was served from three different sources: advertising.com, adtraff.com and in the Tucson Newspapers site all of the ad content appears to be served from tucson.com through Akamai. Ad networks have complicated relationships, but I'm definitely confused. Someone is selling this dirty ad, and legitimate sites are getting scammed.

And then, just as I was finishing up this column, we found another one on an even more significant site: MLB.com, the site of Major League Baseball. It's not clear yet where the redirect is coming from, but it goes through newbieguide.com, which hosts what seems to be the same malicious Flash movie, to adverdaemon.com and on to the fake anti-malware ad, which we've seen both at longlifepc.com and fixthemnow.com.

BTW, yes, of course even eWEEK has ads from outside ad networks such as DoubleClick, recently bought by Google. Is this a risk? At some level yes, of course it is. Both DoubleClick and eWEEK have no history of problems in this regard that I can recall, and I wouldn't tell you to avoid any specific sites, except maybe YNetnews.com.

The point is that Web sites that have content relationships with outside sites need to scrutinize the content coming from those sites. They need accountability from those partners, and they need contingency plans for taking the content down in case there's a problem with it. And someone needs to investigate these malware ad attacks further to find out how legitimate sites can avoid them.


Saturday, November 10, 2007

Hacker Pleads Guilty to Spreading Botnets

PCWorld 10/11/2007
Website: http://www.pcworld.com

A hacker has pleaded guilty to infecting hundreds of thousands of computers with malware in order to steal money from Paypal accounts. He could spend 60 years in prison and face a US$1.75 million fine.

John Schiefer, 26, admitted that he and some associates developed malware that allowed them to create botnet armies of as many as 250,000 computers. Schiefer was able to collect information sent from the infected computers, including usernames and passwords for Paypal accounts. He and his associates were then able to make purchases using the Paypal accounts. They also shared the password information with others.

This is the first prosecution of a hacker for this type of activity, according to the United States Attorney's Office for the Central District of California. The Federal Bureau of Investigation pursued the case.

Schiefer says he also found Paypal usernames and passwords using malware that could access usernames filed in a secure storage area on the computers. The malware would send that information to Schiefer, who used it to access the accounts.

Schiefer also acknowledged fraudulently earning more than $19,000 from a Dutch Internet advertising agency that hired him as a consultant. He was supposed to install the company's programs on computers after receiving consent from computer owners. Instead, he and his associates installed it on 150,000 computers that were infected with his malware.

Schiefer is scheduled to appear in the U.S. District Court in Los Angeles on Nov. 28 and be arraigned on Dec. 3.

Virus Definition Updates 10/11/2007

AVG Anti-Virus Free Edition 7.5
Download AVG AVI:269.15.28.1
Download AVG AVI:269.15.28.2
Download AVG AVI:269.15.28.3
Download AVG IAVI:1122
Version: -
Date: 10/11/2007

AntiVir PersonalEdition Classic
Download AntiVir IVDF
Version: 7.00.00.197
Date: 9/11/2007

Avast! 4 Home Edition
Download Avast VPS
Version: 071109-0
Date: 9/11/2007

Symantec
Download Norton VDU
Version: 91109q
Date: 9/11/2007
Supports the following versions of Symantec antivirus software:
Norton AntiVirus 2003 Professional Edition
Norton AntiVirus 2003 for Windows 98/Me/2000/XP Home/XP Pro
Norton AntiVirus 2004 Professional Edition
Norton AntiVirus 2004 for Windows 98/Me/2000/XP Home/XP Pro
Norton AntiVirus 2005 for Windows 98/Me/2000/XP Home/XP Pro
Norton AntiVirus 2006 for Windows 2000/XP Home/XP Pro
Norton AntiVirus 2007 for Windows XP Home/XP Pro/Vista
Norton AntiVirus for Microsoft Exchange (Intel)
Norton SystemWorks (all versions)
Norton Utilities for Windows 95/98 (all versions)
Symantec AntiVirus 3.0 for CacheFlow Security Gateway
Symantec AntiVirus 3.0 for Inktomi Traffic Edge
Symantec AntiVirus 3.0 for NetApp Filer/NetCache
Symantec AntiVirus 8.0 Corporate Edition Client
Symantec AntiVirus 8.1 Corporate Edition Client
Symantec AntiVirus 9.0 Corporate Edition Client
Symantec AntiVirus 10.0 Corporate Edition Client
Symantec AntiVirus 10.1 Corporate Edition Client
Symantec AntiVirus 10.2 Corporate Edition Client
Symantec Mail Security for Domino v 4.0
Symantec Mail Security for Domino v 5.0

Malware Planted on MySpace Once Again

News Factor Network 9/11/2007
Website: http://www.newsfactor.com

Attackers are piggybacking on the fame of R&B recording artist Alicia Keys to spread their malware over the Web. Keys' MySpace page has been infected with malicious software.

Exploit Prevention Labs discovered the attack, one of several targeting MySpace pages. French funk band Greements of Fortune and Glasgow rock band Dykeenies were also targets of the Web-based attack.

"When a visitor visits the infected page, they're first hit by an exploit which installs malware in the background if they're not fully patched against the latest security vulnerabilities, and next they're presented with a fake codec which tells them they need to install a codec to view the video," said Roger Thompson, CTO at Exploit Prevention Labs. "So even if they're patched, they can fall victim to the exploit."

One Hack After Another

Specifically, visitors to these MySpace pages are directed to co8vd.cn/s. This appears to be a Chinese malware site. If the visitors accept the code installation, the site installs malicious software. You can view a video demonstration of the attack on YouTube.

The hack has some interesting characteristics, Thompson explained. "Perhaps most interesting, the bad guys are using a creative hack we haven't seen before: The HTML in the page contains some sort of image map, which basically makes it so you can click on anything over a wide area on the page and your click is directed to the malicious hyperlink," he said. "We tested it and even the ads were affected."

MySpace officials could not immediately be reached for comment, but Thompson reported that the popular social-networking site fixed the pages in question within hours of the discovery. However, yet another hack was discovered just a few hours later, and a new image code has appeared that Thompson warned could be coming online soon.

Reviewing the History

MySpace is no stranger to malware writers. In March, McAfee reported the site is increasingly becoming an unhealthy breeding ground for the "scum of the Internet" by luring surfers to sexually explicit Web sites or trying to capture personal information from members that could lead to identity theft.

The rock band attack theme remains popular. In March, it was the French rock band MAMASAID that was used as a vehicle to download Trojans to unsuspecting members' computers. The Trojan JS/SpaceStalk worked through a feature in QuickTime that opens links automatically when a movie is run.

For its part in the security equation, Apple released an update to QuickTime earlier this week that fixed several security bugs. The 7.3 update plugs seven holes in the software, six of which could allow an attacker to run unauthorized software on a victim's PC.

Moving Forward

The Keys page hack on MySpace doesn't rely on QuickTime, but Thompson said the fact that the social-networking site is media-rich, with lots of sound and videos, makes the fake codec trick effective. The victim is likely to think he or she legitimately needs to download software to view the rich media.

"What's not clear at this point is how they're doing it, and how widespread it is. Neither Google nor MySpace seems to be indexing the critical bit of html," Thompson concluded. "If you search for the exploit site, the only results seem to be victims, or people talking about victims."


Need mobile spyware? Look on eBay

InfoWorld 9/11/2007
Website: http://www.infoworld.com

San Francisco - Think your wife may be cheating on you? Wondering who your boss might be talking to? "Learn the truth. Spy today."

So reads an ad for "Bluetooth Spy Pro-Edition," one of nearly 200 mobile phone spyware products currently listed for sale on eBay.

The software, which costs as little as $3.99, can be used to view photographs, messages, and files on the phone, listen into phone conversations, and even make calls from the phone being spied upon.

Security experts are concerned because while these products aren't illegal, installing them without authorization to spy on someone else most definitely is.

And that's exactly what some of these products seem to be advertising. "You can now easily find out who your partner, business associates, friends have been in contact with," reads the Bluetooth Spy ad. "Whether you are suspicious of an affair or would just like information that will help progress your career, you can now do all of the following using your mobile phone, and the person you are targeting will not suspect a thing. Guaranteed!"

Another spellcheck-free ad claims that "You will now be able to establish who your freinds associates and husband/wife have been conversating with, you can read messages, even download them to your own phone or laptop, view their information and pictures."

This type of mobile spy software has been available for several years now, sold by companies like Flexispy and Neo-Call. Typically, however, it is much more expensive, and these companies are generally careful to promote only their legal uses such as monitoring corporate equipment, said Mikko Hyppönen, CTO with F-Secure. But the software is often used for nefarious purposes, such as industrial espionage and spying, Hyppönen said.

According to him, eBay shouldn't be selling this software; it is simply too dangerous.

Another security expert said that this type of software may even be harmful to the buyer. "You're certainly at a higher risk with the software of there being additional functionality that is not advertised and potentially malicious," said Craig Schmugar, virus research manager at McAfee's AVERT labs. "In general, when you see the advertising claims made and the types of pages represented, you should approach them with some skepticism."

This software can be installed via a Bluetooth connection and typically runs on both Windows Mobile and Symbian operating systems, McAfee said.

eBay representatives could not immediately be reached for comment on this story.


Wednesday, November 7, 2007

Apple Patches QuickTime Holes, Microsoft Warns Of Macrovision Driver Flaw

InformationWeek 6/11/2007
Website: http://www.informationweek.com

Apple on Monday released QuickTime 7.3 for Mac OS X and Windows XP SP2 to patch seven vulnerabilities in its multimedia software.

All seven of the vulnerabilities have the potential to allow arbitrary code execution by an attacker if the user visited a site with certain maliciously crafted movie or image files, or a maliciously crafted Java applet.

Apple updated QuickTime to version 7.2 in July, when it fixed eight security problems with the software.

Microsoft meanwhile warned Monday that a flaw in the Macrovision secdrv.sys driver in Windows Server 2003 and Windows XP is actively being exploited. An attacker making use of the vulnerability potentially could gain elevated privileges on the affected system.

"This vulnerability does not affect Windows Vista," Microsoft said. "We are aware of limited attacks that try to use the reported vulnerability. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary."

Macrovision, which provides Microsoft with digital rights management (DRM) technology, is offering a driver update to address the vulnerability.

Microsoft expressed concern that the vulnerability had been made public rather than first disclosed to the company in private.

"We continue to encourage responsible disclosure of vulnerabilities," Microsoft said. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."

Microsoft said that it plans to address the issue as part of its regularly scheduled patch plan.

Microsoft to patch software driver vulnerability

InfoWorld 6/11/2007
Website: http://www.infoworld.com

San Francisco (IDGNS) - Microsoft has warned that a faulty driver used for copy protection could allow a hacker to gain high-level access to a PC.

The problem lies with a driver called secdrv.sys, which is part of Macrovision's SafeDisc software included with Windows Server 2003 and Windows XP. The software, which can block unauthorized copying of some media, also ships with Windows Vista, but that OS is not affected.

Microsoft said it knows of "limited attacks" that try to use the vulnerability, in an attack known as an elevation of privilege. The vulnerability could allow a hacker with local access to a machine to elevate his access rights and gain administrator rights, for example, allowing him to install software.

Microsoft said it was concerned that the vulnerability had been disclosed before it had a chance to fix it, which puts people at greater risk. "We continue to encourage responsible disclosure of vulnerabilities," it said.

Macrovision has issued an update for the driver. Microsoft said it also plans to issue a fix as part of its monthly patch cycle.

Danish security vendor Secunia said the vulnerability was first reported as a zero-day about two weeks ago, meaning the problem was being exploited by hackers as it became known. The company rated the vulnerability as "less critical," its second-lowest risk ranking for a vulnerability.

Friday, November 2, 2007

Mac Users Targeted with Nasty Malware

News Factor Network 1/11/2007
Website: http://www.newsfactor.com

So much for Mac users avoiding bugs, worms, and other security nuisances. A Trojan targeting Macs is on the loose, and it's hanging out on porn sites, according to security researchers.

The incident was first reported by Intego, a Mac security software vendor. Sunbelt Software, the SANS Institute's Internet Storm Center (ISC), Sophos, and McAfee have confirmed the Trojan. Dubbed "OSX.RSPlug.a," the Trojan changes the Mac's Domain Name System (DNS) settings to redirect unsuspecting users to different sites.

"The whole Trojan is relatively simple and works almost exactly the same as its brother for Windows," said ISC analyst Bojan Zdrnja in a warning the center posted on Thursday. "The bad guys are taking Mac seriously now. This is a professional attempt at attacking Mac systems, and they could have been much more damaging."

Porn Opens the Door

The family of malware that is targeting Macs is called "Puper." It's been plaguing Windows users since 2005. One of the most notable cases of Puper attacks was exploits on infected MySpace pages.

In the Mac attack, people who are searching for porn on the Internet may find it. But they may also find a nasty payload when they encounter a popup window instructing them that QuickTime needs to install new software so they can view the videos. If the user tries to install the codec, a script then creates a scheduled task to change the Mac's DNS to point to a malicious server.

"In effect, instead of getting valid entries for Web sites like you would expect, you're now getting whatever this malicious site decides to point you to. That could be a phishing site, that could be more malicious files, you can no longer trust that the URL you expected to get will be what is delivered to you," Allysa Myers, part of the computer search research team at McAfee Avert Labs, wrote on the company's blog.
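The two artefacts the Trojan leaves behind, per the description above, are a resolver list the user never chose and a scheduled job that keeps setting it. The following is an added example, not Intego's, ISC's or McAfee's code: it parses the shape of `scutil --dns` output and a crontab listing, both constructed here, and flags resolvers outside an expected set and cron entries that run every minute, call DNS-changing tools, or live in world-writable directories. The expected resolver set, tool names and path heuristics are this example's assumptions.

```python
import re

# Constructed sample of the resolver section that `scutil --dns` prints on Mac OS X.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : corp.example
  nameserver[0] : 198.51.100.1
  nameserver[1] : 203.0.113.77
"""

# Constructed crontab listing: one routine job and one every-minute job in /tmp.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/periodic daily
* * * * * /tmp/constructed-dnschanger.sh
"""

# Assumed: the resolvers this network's DHCP is supposed to hand out.
EXPECTED_RESOLVERS = {"198.51.100.1", "198.51.100.2"}
# Assumed: commands that can rewrite resolver settings on a Mac.
DNS_TOOLS = ("scutil", "networksetup", "resolv.conf")
# Assumed: locations where an unprivileged process can drop a script.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/Users/")

NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")


def configured_resolvers(scutil_output: str) -> list[str]:
    """Every nameserver address in the scutil output, in order."""
    return NAMESERVER_RE.findall(scutil_output)


def unexpected_resolvers(scutil_output: str, expected: set[str]) -> list[str]:
    """Resolvers that are configured but not in the expected set."""
    return [ns for ns in configured_resolvers(scutil_output) if ns not in expected]


def suspicious_cron_entries(crontab: str) -> list[str]:
    """Cron lines matching the persistence pattern: fires every minute, invokes a
    DNS-changing tool, or runs a command from a user-writable location."""
    flagged = []
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # not a five-field schedule plus command
        schedule, command = fields[:5], fields[5].lstrip("\"'")
        every_minute = schedule == ["*"] * 5
        touches_dns = any(tool in command for tool in DNS_TOOLS)
        from_writable = command.startswith(WRITABLE_PREFIXES)
        if every_minute or touches_dns or from_writable:
            flagged.append(line)
    return flagged


def report(scutil_output: str, crontab: str, expected: set[str]) -> list[str]:
    """Human-readable findings; empty when nothing is off."""
    findings = [f"unexpected resolver: {ns}" for ns in unexpected_resolvers(scutil_output, expected)]
    findings += [f"suspicious cron entry: {line}" for line in suspicious_cron_entries(crontab)]
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_SCUTIL_DNS, SAMPLE_CRONTAB, EXPECTED_RESOLVERS):
        print(finding)
```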

Mac Malware Short List

The OSX/RSPlug.a Trojan is on a very short list of malware that's been specifically designed to target Mac OS X, according to Graham Cluley, senior technology consultant for Sophos. The motive of this particular Trojan could be for the purposes of phishing, identity theft, or simply to drive traffic to alternative Web sites, he said.

The good news is that the Trojan does not exploit a vulnerability in Leopard, Tiger, or any other Apple code; it depends entirely on the user taking actions that open the door to the payload.

"This is not a red alert, but it is a wake-up call to Mac users that they can be vulnerable to the same kind of social engineering tricks as their Windows cousins," Cluley said. "The truth is that there is very little Macintosh malware compared to Windows, but clearly criminal hacker gangs are no longer shy of targeting the platform."

Keeping It in Perspective

In February 2006, in the wake of the discovery of the first Mac OS X worm, Sophos released research that showed 79 percent of computer users believed Macs would be targeted more in the future. However, over half of those polled said they did not believe the problem would be as great as for Windows. Still, Sophos experts are urging Macintosh users to keep the threat in perspective.

Cluley said the latest version of Mac malware is making headlines because it is so rare. A Trojan like this for Windows would be unlikely to generate as many column inches because such Trojans are encountered every day. Nevertheless, he said, it obviously makes sense for Mac users to ensure that they are protected.

"People have been predicting that as soon as financially motivated malware came to the Mac neighborhood, its denizens could no longer be so smug about security issues," McAfee Avert Labs' Myers wrote. "This is a very simple piece of malware, and yet it works. Time will tell if this family will wreak as much havoc as it has on Windows."

Fortress Mac Is Gone

eWeek 1/11/2007
Website: http://www.eweek.com

Several pornography sites are loading a Trojan disguised as a video codec required to view content on Macs. It is the first Mac-targeted malware exploit to be spotted in the wild, and it validates security researchers' long-maintained prediction that, sooner or later, the rationale for Mac security smugness would wear off.

"[Users infected by visiting questionable Web sites] began using Macs as most malware targets the Windows operating system. Well, soon enough, it may not matter which OS you are using," said Symantec's Joji Hamada in a Nov. 1 posting.

Sunbelt Software and Intego, a maker of Mac security software, are warning that a mother lode of spam has been posted to many Mac forums in an attempt to trick users into visiting sites with rigged porn photos. The photos are from reputed porn videos. If Mac users click on the stills to view the videos, they're taken to a site that informs them that the QuickTime Player is unable to play the movie file. They're then instructed to click to download a new codec.

Sunbelt reports that the fake codec is a variant of Trojan.DNSChanger, malware that's been plaguing Windows users for some time. Symantec Security Response has confirmed the finding and has added detection for the threat as OSX.RSPlug.A.

Intego says that after the page loads, a disk image (.dmg) file downloads to users' Macs. If users have checked "Open 'Safe' Files After Downloading" in the General preferences of their Safari browser, or similar settings in other browsers, the disk image mounts. The .dmg file contains an installer package that then launches.

Otherwise, if users wish to install the codec, they double-click the .dmg file, then double-click the package file, which is named install.pkg.

If users continue with the installation, a Trojan program installs. Installation requires an administrator's password, which grants the Trojan full root privileges. No video codec is actually installed. If users return to the purported porn site, they just receive the download anew.

The Trojan uses a sophisticated method, via the scutil command, to change the Mac's DNS server. When the new, malicious DNS server is active, it hijacks some Web requests, leading users to phishing Web sites that are after account information for sites such as eBay, PayPal and some banks, or simply to pages displaying ads for other porn sites. "In the first case, users may think they are on legitimate sites and enter a user name and password, a credit card, or an account number, which will then be hijacked. In the latter case, it seems that this is being done solely to generate ad revenue," Intego said in its release.

On Mac OS X 10.4, the GUI has no way to display the changed DNS server; on Mac OS X 10.5 it can be seen in the Advanced Network preferences, Intego officials said. However, the Trojan-installed DNS servers are dimmed there and cannot be removed manually. Intego said it is now testing earlier versions of Mac OS X, which are likely vulnerable as well, since they all have the scutil command.

The malware also installs a root crontab that checks every minute to ensure that its DNS server is still active. Since changing a network location could change the DNS server, this added touch ensures that, in such a case, the malicious DNS server remains the active server, Intego officials said.
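The two artifacts Intego describes (a resolver the user did not choose, and a root cron job that re-asserts it every minute; the TechNewsWorld piece above calls the same thing a "scheduled task") are also the two things a responder would check for. The script below is an added example, not Intego's or Symantec's code. It parses a constructed excerpt in the shape of `scutil --dns` output and a constructed root crontab; the resolver address 203.0.113.53, the trusted address 192.168.1.1 and the cron job paths are all placeholders, not the Trojan's real values. On a live Mac the samples would be replaced with the output of `scutil --dns` and `sudo crontab -l`.

```python
import re

# Constructed excerpt in the shape of `scutil --dns` output.  It is not a
# capture from an infected machine; 203.0.113.53 (a documentation address)
# stands in for the attacker's resolver and 192.168.1.1 for the LAN router.
SCUTIL_DNS_SAMPLE = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.53
  nameserver[1] : 192.168.1.1
  if_index : 4 (en0)

resolver #2
  domain   : local
  options  : mdns
"""

# Constructed root crontab: one ordinary maintenance job, one every-minute job
# shaped like the re-assertion task the article describes, and one job that
# feeds scutil a script file.  The paths are placeholders, not the Trojan's.
ROOT_CRONTAB_SAMPLE = """\
# m h dom mon dow command
30 3 * * * /usr/sbin/periodic daily
* * * * * /Library/Caches/example-fixdns.sh >/dev/null 2>&1
*/10 * * * * /usr/sbin/scutil < /Library/Caches/example-dns.scutil
"""

# Resolvers this host is supposed to use; in practice, take this from the
# DHCP lease or the fleet's configuration baseline.
TRUSTED_NAMESERVERS = {"192.168.1.1"}

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")
CRON_SCHEDULE_FIELDS = 5


def configured_nameservers(scutil_output):
    """Every nameserver address in `scutil --dns` output, first-seen order, no repeats."""
    found = []
    for line in scutil_output.splitlines():
        match = NAMESERVER_RE.match(line)
        if match and match.group(1) not in found:
            found.append(match.group(1))
    return found


def rogue_nameservers(scutil_output, trusted=TRUSTED_NAMESERVERS):
    """Configured resolvers that are not on the allowlist.

    The Trojan has to point the Mac at a resolver the attacker controls, so
    any address outside the expected set is the signal.  An allowlist check
    catches it even where the GUI hides the entry, as the article says 10.4 does.
    """
    return [addr for addr in configured_nameservers(scutil_output)
            if addr not in trusted]


def suspicious_cron_entries(crontab_text):
    """(command, reasons) for root cron jobs that resemble a DNS-changer's keep-alive.

    Two heuristics: a job scheduled every minute (the cadence the article
    reports for the Trojan's DNS re-check) and any job that invokes scutil,
    the tool the Trojan uses to rewrite the resolver configuration.
    """
    flagged = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                      # @reboot, @daily, ...: one schedule token
            head, command = (line.split(None, 1) + [""])[:2]
            every_minute = False
        else:
            parts = line.split(None, CRON_SCHEDULE_FIELDS)
            if len(parts) <= CRON_SCHEDULE_FIELDS:
                continue                              # MAILTO=... assignment or malformed line
            every_minute = all(field == "*" for field in parts[:CRON_SCHEDULE_FIELDS])
            command = parts[CRON_SCHEDULE_FIELDS]
        reasons = []
        if every_minute:
            reasons.append("runs every minute")
        if re.search(r"\bscutil\b", command):
            reasons.append("invokes scutil")
        if reasons:
            flagged.append((command, reasons))
    return flagged


if __name__ == "__main__":
    for addr in rogue_nameservers(SCUTIL_DNS_SAMPLE):
        print("unexpected resolver:", addr)
    for command, reasons in suspicious_cron_entries(ROOT_CRONTAB_SAMPLE):
        print("suspicious root cron job:", command, "->", "; ".join(reasons))
```

The allowlist is deliberately strict: the Trojan's resolver could sit anywhere, so "is this address one we expect" is a more reliable test than any guess about which ranges look malicious. Removing the cron job before the resolver entry matters, since the job would otherwise put the entry back within a minute.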

Heise Security's Juergen Schmidt told eWEEK that this malware is related to Heise's recent findings on holes in Leopard's firewall: a Trojan installed this way could plant a backdoor that lets remote attackers in even when the Leopard firewall is configured to block all incoming connections, unless a hardware firewall sits in front of the system.

Schmidt noted that this Trojan also provides different versions of itself, perhaps according to the country in which the user is located to provide country-specific spoofing. "Repeated downloads of the disk image show that there are several different versions," he said.


Tom Ptacek, founder of Matasano Security, told eWEEK that the threat to Macs is real, although it's not a huge one—just the same old scenario Windows users face every day.

It is an interesting story, however, given that it's the first OS X malware to be "weaponized." Unlike prior OS X malware, which was all about ego, this one's out to make money, Ptacek said—again, same old, same old in the world of Windows.

Unsurprisingly, there are more than a few I-told-you-sos ensuing in security circles. "For years, we've heard snorts of derision from Mac users about the poor security of PCs. Yet that supercilious attitude (as we know from our history books) is patently dangerous, because it creates a false sense of security. Now, Mac users will need to be a bit more careful out there ('cause when Joey wants his pr0n, he wants it now!). On the heels of the poorly-secured release of Leopard, we now find that there is no perfect protection against human stupidity social engineering, even for a Mac user," said Alex Eckelberry, Sunbelt president, on Oct. 31.


Researchers dig for hidden links in spam

InfoWorld 1/11/2007
Website: http://www.infoworld.com

San Francisco (IDGNS) - Filtering spam messages is a thankless job for software. For every 100 spam e-mails, one message usually gets through, an irritating pitch with links to Web sites selling questionable drugs or sketchy Rolexes.

The links contained within spam are one indicator in determining whether it should be blocked. Often after a large spam run, the addresses of spammy Web sites will be added to blocklists that are used by antispam software to cull future messages with those links.

To get around it, spammers construct e-mails with links that can't be identified by filters but still are valid in the messages, said Christopher Fuhrman, a professor of software engineering in the Department of Software and IT Engineering at the University of Quebec.

Spammers do this by "munging" the HTML -- adding backslashes, taking out tags -- so that the message and its links are still readable by the rendering engines of browsers or e-mail clients but appear as a garble of nonsense to filters. The technique is also known as obfuscation.

It's a trial-and-error process because spammers don't read HTML Web standards. "Spammers just want to get the cash," Fuhrman said.

Tamper with the HTML too much, and the message won't render at all. Too little, and filters snare the message.

So spammers aim for a narrow gap: Most browsers and e-mail clients can render a certain amount of munged HTML, although the tolerances vary depending on the application.

Fuhrman theorizes that spammers test their messages using Microsoft's widely used Outlook program, which uses the same HTML rendering engine as its IE (Internet Explorer) browser.

So Fuhrman and one of his graduate students, Hicham El Alami, are writing a program that uses IE's rendering engine to "parse" messages, that is, to extract the links.

Services such as SpamCop already do this. SpamCop -- part of IronPort Systems, a subsidiary of Cisco -- has a Web-based service that uses algorithms to parse links out of spam messages submitted by users.

Those algorithms are hard to write, although SpamCop's is pretty good, Fuhrman said. Fuhrman and El Alami are interested in creating an alternate way to do that same parsing without needing to consistently tweak an algorithm to keep up with new tricks used by spammers.

It's hard to write a parser that will read links the same way IE's rendering engine does since Microsoft's source code is secret, Fuhrman said. So a better idea would be just to use that engine as part of a program to parse messages. A variety of tools exist to manipulate IE's rendering engine through APIs, Fuhrman said.

The links that IE's engine renders would be reported to a blocklist service. Fuhrman wrote a model version of his idea that works in Java, but El Alami is now working on one for .NET, Microsoft's application development framework.

"I want to ultimately get it as a Web-based engine so that users can paste spam, and when it comes out, it will reveal the links," Fuhrman said.
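The gap Fuhrman describes, between what a strict filter sees and what a tolerant renderer follows, can be shown without IE. The block below is an added example and is not Fuhrman and El Alami's program (which the article says exists in Java and .NET) nor IE's engine; it uses Python's html.parser as a stand-in for a tolerant rendering engine, with the caveat that its tolerances are not identical to IE's. The spam fragments are constructed for the example, all pointing at the reserved name example.test, and each is munged in one of the ways the article lists: unquoted attributes and line breaks inside the tag, the scheme spelled as numeric character references, mixed case with a decoy attribute, a dropped closing tag, and backslashes in place of slashes. The naive filter is a plain quoted-href regex of the kind a blocklist matcher might use.

```python
import re
from html import unescape
from html.parser import HTMLParser

# Constructed spam fragments (made up for this example, not taken from the
# article).  Every one carries the same link; they differ only in the munging.
SAMPLES = [
    '<a href="http://example.test/buy">click</a>',                       # clean
    '<a\n  href=http://example.test/buy\n>click</a>',                    # unquoted value, newlines in tag
    '<a href="&#104;&#116;&#116;&#112;://example.test/buy">click</a>',   # "http" as numeric entities
    '<A title=x HREF="http://example.test/buy">click</A>',              # mixed case, decoy attribute
    '<a href="http://example.test/buy">click',                          # closing tag removed
    r'<a href="http:\\example.test\buy">click</a>',                     # backslashes for slashes
]

# A filter that only understands tidy HTML: lower-case <a>, href first, quoted, http(s)://.
NAIVE_LINK = re.compile(r'<a\s+href="(https?://[^"]+)"', re.IGNORECASE)


def naive_regex_links(fragment):
    """Links a quoted-href regex would report for one fragment."""
    return NAIVE_LINK.findall(fragment)


def normalize_url(value):
    """Fold a rendered href into the form a blocklist would be keyed on."""
    # html.parser already decodes character references in attribute values;
    # unescape() is a no-op safeguard for values handed in raw.
    url = unescape(value).strip()
    # Browsers treat '\' as '/' in http(s) URLs (WHATWG URL parsing), so the
    # backslashed link still resolves for the victim; fold it before lookup.
    if url.lower().startswith(("http:", "https:")):
        url = url.replace("\\", "/")
    return url


class LinkCollector(HTMLParser):
    """Collect href values the way a tolerant HTML engine sees them."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lower-cased; values arrive unescaped.
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.links.append(normalize_url(value))


def rendered_links(fragment):
    """Links a tolerant parser (standing in for a rendering engine) extracts."""
    collector = LinkCollector()
    collector.feed(fragment)
    collector.close()
    return collector.links


def compare(fragments=SAMPLES):
    """(links found by the naive regex, links found by the tolerant parser) over all fragments."""
    naive = [url for fragment in fragments for url in naive_regex_links(fragment)]
    rendered = [url for fragment in fragments for url in rendered_links(fragment)]
    return naive, rendered


if __name__ == "__main__":
    naive, rendered = compare()
    print("naive regex found %d of %d links" % (len(naive), len(SAMPLES)))
    print("tolerant parser found %d of %d links" % (len(rendered), len(SAMPLES)))
    print("normalized targets:", sorted(set(rendered)))
```

Run over the six fragments, the regex sees only the clean one and the one with the missing closing tag, while the parser recovers all six and they normalize to a single target, which is the value worth submitting to a blocklist. The same approach does not free the defender from maintenance entirely: each new munging trick the renderer tolerates but the normalizer does not (a new encoding of the scheme, say) still has to be folded in normalize_url.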

Storm Worm Sent 15 Million Pump-And-Dump E-Mails Last Month

PCWorld 30/10/2007
Website: http://www.pcworld.com


The Storm Worm botnet network may be shrinking in size, but it has managed to send out 15 million annoying audio spam messages in October, according to antispam vendor, MessageLabs.

It's hard to believe that the Storm messages were effective. Recipients had to first click on an attachment -- usually given a misleading name like beatles.mp3 or Britney.mp3 -- to hear the stock pitch, which featured a warbly robotic woman advising people to invest in online car seller Exit Only.

This kind of scam, called "pump-and-dump", tries to nudge up the price of penny stocks by a cent or two, giving the spammers a way to make a quick buck by selling the stock before it crashes. Spammers have been delivering their messages in different formats, including .pdf and Excel files, over the past few years as part of a cat-and-mouse game with spam blockers. The move to MP3 spam is the latest development in this battle, observers say.

Spam watchers say that pump-and-dump schemes are the hottest and most lucrative area for spammers today.

The spam run began on Oct. 17, and lasted about 36 hours, using infected computers in the Storm Worm network to send out the mails, MessageLabs said in a statement released Tuesday. The spam sounded strange and warbly because the voice in the message was "synthesized using a very low compression rate of 16 kHz to keep the overall file size small, at around 50 KB, to avoid detection," the company said.

Storm is thought to have landed on as many as 15 million PCs over the past year, but recently its network of infected PCs has been shrinking. University of California, San Diego, researchers recently pegged it at about 160,000 computers, only 20,000 of which are accessible at any one time.

Exit Only said it was not involved in sending the spam. Its stock was trading around US$0.41 on Oct. 18, the day after the Storm spam started. On Tuesday it closed at $0.20.

Virus Definition Updates 2/11/2007

AVG Anti-Virus Free Edition 7.5
Download AVG AVI:269.15.18.1
Download AVG AVI:269.15.18.2
Download AVG AVI:269.15.18.3
Download AVG IAVI:1104
Version: -
Date: 1/11/2007

AntiVir PersonalEdition Classic
Download AntiVir IVDF
Version: 7.00.00.163
Date: 2/11/2007

Avast! 4 Home Edition
Download Avast VPS
Version: 071102-0
Date: 2/11/2007

Symantec
Download Norton VDU
Version: 91101p
Date: 1/11/2007
Supports the following versions of Symantec antivirus software:
Norton AntiVirus 2003 Professional Edition
Norton AntiVirus 2003 for Windows 98/Me/2000/XP Home/XP Pro
Norton AntiVirus 2004 Professional Edition
Norton AntiVirus 2004 for Windows 98/Me/2000/XP Home/XP Pro
Norton AntiVirus 2005 for Windows 98/Me/2000/XP Home/XP Pro
Norton AntiVirus 2006 for Windows 2000/XP Home/XP Pro
Norton AntiVirus 2007 for Windows XP Home/XP Pro/Vista
Norton AntiVirus for Microsoft Exchange (Intel)
Norton SystemWorks (all versions)
Norton Utilities for Windows 95/98 (all versions)
Symantec AntiVirus 3.0 for CacheFlow Security Gateway
Symantec AntiVirus 3.0 for Inktomi Traffic Edge
Symantec AntiVirus 3.0 for NetApp Filer/NetCache
Symantec AntiVirus 8.0 Corporate Edition Client
Symantec AntiVirus 8.1 Corporate Edition Client
Symantec AntiVirus 9.0 Corporate Edition Client
Symantec AntiVirus 10.0 Corporate Edition Client
Symantec AntiVirus 10.1 Corporate Edition Client
Symantec AntiVirus 10.2 Corporate Edition Client
Symantec Mail Security for Domino v 4.0
Symantec Mail Security for Domino v 5.0