July 2009 Archives
Posted By Pete at 4:49 PM, July 31, 2009
Every few months an incident like this happens. This time the victim is Network Solutions (a domain name, email, and Web hosting company) and 500k+ of its customers. This is very similar to another credit card heist that happened last year. Again, there was this little piece of malware that found its way onto Network Solutions' credit card system and when no one was looking, transmitted all the hundreds of thousands of credit card numbers to some unknown hacker out on the Internet.
All companies who handle customer data should have stricter network security layers and policies in place. PCI is a start, but has not prevented credit card stealing from becoming a recurring theme. The bad guys are out in the dark, a constant threat over our shoulders, waiting for a vulnerable moment from our network. To give us a better chance, we need more security in the network both at the end points and at the gateway, as well as better designed systems that are designed with network safety in mind. Last but not least, more end user education, training, and access control.
Posted by: Pete at 4:49 PM
Categories: General , Malware , Spyware
Posted By Pete at 10:45 AM, July 27, 2009
Just a heads up - There is a new Adobe Flash Player vulnerability (again).
"A critical vulnerability exists in the current versions of Flash Player (v184.108.40.206 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows."
There is currently no fix for it, however the malware used for exploit is detected as Exploit.SWF.Agent.bs in our malware library. According to Adobe a fix should be available for it on July 31st.
Please proceed with caution when browsing unknown and shady looking sites (especially links from spam!).
Posted by: Pete at 10:45 AM
Categories: Malware , Viruses
Posted By Pete at 5:33 PM, July 24, 2009
Now that we've had some time to look back at the DDoS attacks on many of our government Web sites a couple of weeks ago, a few things are apparent:
1. Trojan.Win32.Agent.cper - This is a variant of the infamous MyDoom email worm. It was the worm that infected the 60,000+ PCs that were used in the attacks. MyDoom made its debut in 2004, that's right - more than years ago! Malware is malware, no matter how old, they are just as deadly. Protection against the wildlist alone is simply not enough.
2. This is a new form of warfare - In today's internet, one can accomplish creating massive damage upon one's enemies by attacking critical network infrastructure. We are only going to see more of this in the future.
3. If this is warfare, the zombie PCs in the botnet were essentially troops - An astonishing 60,000+ PCs were part of the botnet uses to (unknowingly) attack US and South Korean sites.
4. Cyberweapons - Using the same analogy, malware authors are literally cyber arms manufacturers and dealers. Malware has gone commercial and has its own underground eco system to support it. Malware is bought and sold just like goods in real life. The more effective the malware, the more its worth.
5. Secure the end point, secure the network - The government probably spends a lot of (tax payer) money to secure their network assets, however perhaps not enough emphasis has been put on securing the millions of PCs within the country. If the average computer user is more educated on computer security and thus bringing down the infected ratio, wouldn't the bad guys have a lot less to work with?
Posted by: Pete at 5:33 PM
Categories: General , Malware , Viruses
Posted By Netgear Threat Lab at 4:48 PM, July 24, 2009
There have been a number of vulnerabilities discovered in commonly used Web browsers including Internet Explorer and Firefox. A couple of these vulnerabilities have been exploited a lot more than the others:
1. Microsoft Office Web Components Spreadsheet Control zero day vulnerability
The Office Web Components Spreadsheet component is used to publish spreadsheets, forms, and databases to the Web. The security hole allows remote code execution when the victim browses to a Web page that is specifically crafted to exploit the vulnerability. The attacker will then be able to gain complete control of the victim's system. As of now, this security hole is being widely exploited by attackers. Microsoft has published a security bulletin and temporary workaround here:
2. Firefox module allows remote code execution
We strongly suggested all users of Firefox either install the update as soon as possible, or disable the JIT module.
Posted by: Netgear Threat Lab at 4:48 PM
Categories: Malware , Netgear Threat Lab
Posted By Pete at 5:11 PM, July 21, 2009
This malicious program exploits vulnerability CVE-2005-2087.
Microsoft Internet Explorer is prone to a heap-based buffer-overflow vulnerability.The vulnerability is caused due to the JVIEW Profiler (javaprxy.dll) COM object being instantiated incorrectly in Internet Explorer via the object tag. By persuading a victim to visit a malicious Web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a memory corruption.
Affected Versions: Microsoft Internet Explorer 5.0.1 SP3
Microsoft Internet Explorer 5.0.1 SP4
Microsoft Internet Explorer 5.5 SP2
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 6.0 SP1
Posted by: Pete at 5:11 PM
Posted By Pete at 11:35 AM, July 20, 2009
NETGEAR ProSecure's Senior Product Line Manager Jason Leung's article on computer viruses was featured in Vertical Systems Reseller. In the article Jason explains how viruses both biological and computer borne have similar characteristics in the way they propagate and mutate. He then goes into the best approach to take to protect your network from these types of threats.
You can read the entire article here.
Posted by: Pete at 11:35 AM
Categories: General , Malware , Viruses
Posted By Pete at 5:26 PM, July 17, 2009
Michael Jackson's unexpected passing has shocked the world and generated a new wave of "Michael Mania". Everywhere you go, people are talking about it. It's all over TV, radio, and the Internet. Even I have pulled out my old stash of Michael Jackson CDs and gave Thriller another good listen.
As we've mentioned before in this blog, hot news items such as this one are often exploited by spammers and other cyber criminals. Sadly, MJ is no exception. Riding on this wave of public interest, emails claiming Michael Jackson being murdered, having exclusive video footage, or emails with Michael Jackson's songs or pictures began to surface minutes after his death. These emails contain attachments and bad URLs that had malware. These were all used in attempt to infect user PCs and to extract information from them for criminal purposes.
Another method also used was fake Michael Jackson related blogs. Users would see many pop-up services when browsing to these fake blog sites pretending to talk about Michael Jackson. While the users are reading the fake blogs, malicious scripts would attack the reader's machine in the background.
As if Michael Jackson's death hasn't already been exploited enough by the media, cyber criminals also felt the need to jump in on the exploitation. So, fake emails, fake videos, fake pictures, fake URLs, fake blogs, fake nose (sorry), there are so many smoke and mirrors regarding this subject floating around that one really needs to be careful what they click on. Otherwise your machine might be the one that's paralyzed.
Posted by: Pete at 5:26 PM
Categories: General , Malware , Phishing , Spam , Worms
Posted By Pete at 2:53 PM, July 10, 2009
Over the past week, many US government Web sites such as the Whitehouse and Department of Defense plus a handful of well known commercial sites like Amazon.com, as well as well known sites in South Korea have been under siege from waves of Denial-of-Service (DoS) attacks. The attacks first started to emerge on July 4th with varying degrees of success. Some sites such as the Treasury Department and Federal Trade Commission were shutdown while others did not experience any interruption in service. Since then, there have been multiple waves of similar attacks, creating more chaos amongst many US and South Korean sites. There have been some reports of the attacks having North Korean origins, however they have been unconfirmed.
Security researchers have estimated that a botnet of approximately 60,000 compromised PCs carried out the attacks. Those PCs were infected with an updated version of the MyDoom virus.
What's even more interesting is that the virus downloads addition payload - one of which is a file that causes the infected PC to self destruct. Reports of PCs used in the attacks self destructing have already began to surface. The attacker(s) might be doing this to cover their tracks. With so many under-protected PCs throughout the world, there is only going to be more of such incidents. We'll continue to follow these events as they unfold in the coming days.
The following US Web sites were hit:
Posted by: Pete at 2:53 PM
Categories: General , Malware , Viruses
Posted By Netgear Threat Lab at 2:19 PM, July 2, 2009
The adoption of social networking has spread like wild fire the past few years. It has become a mainstay as one of the major activities people participate in when on the Internet. However, at the same time, its popularity has attracted the attention of malware authors and other cyber criminals. After using Facebook and MySpace as a means to spread malware, they have now turned their attention to Twitter. A new virus utilizing Twitter has caught our eyes.
This new Twitter does not use "tweets" to spread, but instead is another type of email spam based phishing attack. The bait this time - is the trust users have for official invitation emails from Twitter itself.
The user will receive an invitation email from email@example.com with the subject being "Your friend invited you to twitter!". The contents of this email are identical to real invitations from Twitter with one exception: the invitation URL in the email is fake and does not lead to the Twitter Web site. Instead, it's a link to a Invitation Card.zip file. This zip file contains the virus Trojan.Win32.Buzus.anee. This virus infects Explorer.exe and will at theinstruction of its creator, download more malware onto the infected desktop.
With more and more people utilizing social networks as part of their everyday lives, attacks that exploit these social networks only look to be more common. The next time you receive a tweet or a app invite on Facebook, look twice before you click.
Posted by: Netgear Threat Lab at 2:19 PM
Categories: Malware , Netgear Threat Lab , Phishing , Spam , Viruses
« June 2009 |
Main Index |
| August 2009 »