::Trend Micro Threat Resource Center::

30 April 2009

Adobe Reader, hit with another Zero-Day

Popular PDF plug-in becoming favorite target for attackers, prompting some security experts to recommend open-source alternatives.

A new zero-day vulnerability in Adobe Reader has been disclosed, once again putting the popular PDF reader in possible peril from attackers.

The newly discovered vulnerability affects "all currently supported shipping versions" of the software, meaning Versions 9.1, 8.1.4, 7.1.1, and earlier of Adobe Reader and Acrobat, and on all operating system platforms for the applications, said Adobe's Product Security Incident Response Team (PSIRT) in its blog this afternoon.

F-Secure now advises users to switch to an alternative PDF reader, such as one of the open-source readers listed on the pdfreaders site. The more diverse the PDF reader pool, the better for user security, says Patrik Runald, chief security advisor for F-Secure.

If you can't change from Adobe Acrobat Reader, we strongly recommend that you disable its ability to run JavaScript. This is easily done by going to:

Edit -> Preferences -> JavaScript -> Un-check "Enable Adobe JavaScript"

Sources: 1, 2

Beware of Facebook phishing attack

A rogue website located at fbaction.net mimics the Facebook login page in an attempt to steal your login information.

The authors of the website are spreading the news via a message you should definitely ignore. Facebook is now blocking the link and as browsers go, IE 8 is blocking the site as a phishing scam.

Google Trends shows how much interest there is for the malicious website.

28 April 2009

At RSA, Security Pros don't practice what they preach

AirPatrol study finds almost 100 unauthorized WiFi access points at convention

Of all the events you might attend, you'd think a security convention would be the least likely place to have attendees hopping onto "free public WiFi" and other insecure connections.

Unfortunately, you'd be wrong.

In fact, a network monitoring study conducted at last week's RSA Conference by wireless security vendor AirPatrol turned up 2,792 WiFi client devices, including smartphones, PDAs, and laptops. All were devices that wouldn't have shown up on the scan if they had been properly secured.

Some 94 "unofficial" access points accounted for much of the traffic, according to AirPatrol. These wireless networks were determined to be unsanctioned by show organizers, and some of them may have been "rogues" that were insecure or even built to siphon data from unsuspecting users.

The scan also turned up 35 "ad hoc" WiFi networks with common Service Set Identifiers (SSIDs), such as Linksys, Free Public WiFi, and hpsetup. Ad hoc networks often have no firewall on the wireless interface, leading to potential security problems, AirPatrol noted.

"Amazingly, some of the world's leading IT security professionals still think of wireless security as an afterthought, and our RSA Conference wireless monitoring results demonstrate there is still a disconnect between what they practice and what they preach," says Ozzie Diaz, CEO of AirPatrol.

Source.

27 April 2009

Spammers piggyback on Swine Flu outbreak

Researchers at McAfee saw a spike in swine flu spam over the weekend. In just that short amount of time this particular brand of spam accounted for two percent of all spam.

As might be expected, the spam is pharmaceutical-centered, advertising drugs and providing links to online pharmacies. The spam originates from a network of compromised, "zombie" computers, says McAfee. The security company expects swine flu related spam will increase and that many may contain links to malicious websites.

The subject lines combine scare tactics with celebrities the spammers think recipients might be interested in:

· First US swine flu victims!
· US swine flu statistics
· Salma Hayek caught swine flu!
· Swine flu worldwide!
· Swine flu in Hollywood!
· Swine flu in USA
· Madonna caught swine flu!

McAfee says there also has been an increase in the number of domain names containing references to swine flu, which could indicate a rise in malicious websites.

As always, watch what you click, and ignore, delete and report spam messages appearing in your inbox.

23 April 2009

Company hires hacker kid, kid keeps hacking

The seventeen-year-old hacker who gave Twitter a busy weekend earlier in the month was subsequently hired by hosting company exqSoft Solutions, a reward that may have inspired further bad behavior.

"Bad" behavior, in cases like this one, might be subjective. Judging from the stream of tweets aimed at exqSoft CEO and founder Travis Rowland, who hired the infamous "mikeyy" (Michael Mooney), he's had to do a lot of justifying.

Shortly after the first mikeyy worm hit Twitter, Rowland implored Biz Stone on Mooney's behalf, hoping Twitter wouldn't sue and saying Mooney did Twitter a favor. Mikeyy himself said the point of his hacking was to alert Twitter, not to do any harm.

Originally Mooney said he hijacked Twitter accounts out of boredom, and stopped because he was getting too much attention. A few days and a job offer later, someone at least calling himself mikeyy was hijacking accounts again and sending messages to Oprah, Ellen Degeneres, and Ashton Kutcher, among others. One hijacked tweet proclaimed Twitter should be paying him now.

One tweet said, "Twitter, this sucks! Fix your coding."

And the tweets just kept on going. On Saturday, Mikeyy had hacked into several accounts and was tweeting a standup routine, jokes to the effect of: "If you are born ugly blame your parents, if you died ugly blame your doctor. Womp. mikeyy."

On Twitter, Mikeyy's new boss was quick to disavow his company's involvement in the new variant of the mikeyy worm. One particular tweet has that nice I've-created-a-monster ring to it:

"Was just informed new Mikeyy is spamming my website all over Twitter, I did not ask him to do that and can't get a hold of him right now."

That was Friday, and by yesterday, Rowland was defending his hire again, saying Mooney hadn't used "any of the Twitter admin sessions he farmed" to gain complete backend access to Twitter.

Security firm Sophos' Graham Cluley is highly critical of the hire. On the company's blog, Cluley noted that while Mooney proved there was a problem with Twitter, he also proved he was irresponsible. The responsible thing to do is not exploit flaws and cause panic, but to inform Twitter and work with them to fix it.

"ExqSoft Solutions are in effect encouraging other youngsters to behave like irresponsible idiots," wrote Cluley. "The last thing we want is a wave of other kids exploiting software and websites, in the hope that they might be rewarded with a job offer."

And when feds are publicly looking to hire hackers, that's hard logic to argue with.

22 April 2009

Connecting the dots: Downadup/Conficker Variants

For the last couple weeks, all’s been pretty quiet on the Downadup/Conficker front.

But vigilance never sleeps. As a part of the information security circle, we're still performing our ‘daily patrols’, watching for signs of something new. Quiet moments like this give us a chance to reflect on what has come to pass so far.

Read more.

For those of you looking for a quick-and-dirty rundown of the link, here's the timeline summarized:

November 22, 2008: W32.Downadup is released
December 28, 2008: W32.Downadup.B is released
March 4, 2009: W32.Downadup.B downloads W32.Downadup.C
April 1, 2009: W32.Downadup.C begins checking 500 of 50,000 domains
April 7, 2009:
* W32.Downadup.E is seeded into W32.Downadup.C P2P network
* W32.Downadup.E updates W32.Downadup.B
* W32.Downadup.C downloads other risks

21 April 2009

AVG Releases Free Real-Time Search Virus Scanner

AVG has pretty good timing considering the recent success cybercrooks have had with manipulating search results to direct searchers to malicious websites. The security company released a free tool today that scans links before users click on them.

AVG LinkScanner, available for free download, checks URLs ahead of clicking by scanning the webpage and alerting the user if the site contains malicious code. When used in conjunction with Google, Yahoo, or MSN, the tool shows green check marks beside safe results and red exes beside unsafe ones. The tool also works with links in email, IMs, and bookmarks.

Available for Windows XP and Vista users, AVG's LinkScanner prevents users from downloading compromised webpages.

The tool scans pages individually, so prevention and labels only apply to one page on a given website, not the entire site itself.

The free scanning tool comes at a good time as Google has been struggling with malicious pages making their way high up in the search results before the search engine can identify them as attack sites. The problem has gotten bad enough that Google says its ranking algorithm will be tweaked to make this less likely.

No word yet on whether the tool also works with URL shorteners, used on social networks and microblogging platforms like Facebook and Twitter to fit links into character limits. Recently hackers have been using URL shorteners to trick users into clicking out to malicious sites.

19 April 2009

When Google Search Becomes Malware Trap

Google is becoming almost an everyday tool for most people.

Undecided on what to eat? Google.
Check out a movie review? Google.

Looking for someone? Google. And so the story goes.

About twenty-seven years ago, Dirk Pratt's two-year-old daughter was taken off to Ecuador by her mother and he never saw her again. His ex-wife told him Francesca had died after being bitten by a mosquito. Dirk heard someone had been reunited with a family member with the help of a Google vanity search for their own name. So Dirk searched his name and found a message on a message board from his daughter. She had also been told her father was dead, but was suspicious. Now they're reunited.

I couldn't imagine what that must have felt like. So I went off in search of the message board. I wanted to see what the father saw. Eventually, I found a Zabasearch message search result, but I can't be sure this is the same place he found it.

The Zabasearch result was the sixth listing on Google. The top, where sponsored results often are, was a Google News result. The first through fifth results: all malware links.

I only clicked on the first few links, which led to scareware. On closer inspection the others were obvious too. They had strange URLs and irrelevant text. One appeared to be a BBC link, but the URL didn't resolve to bbc.com. All of them were indexed fairly recently.

Earlier there was an article about how link velocity and Google's apparent new favoritism of freshness are allowing cybercrooks and SEO blackhatters to manipulate and dominate Google's search results.

Google needs to fix this or users will lose trust quickly. If every time you tried to do research on popular subjects and all you were met with were attack sites, wouldn't you?

Google has been contacted and notified about this issue several times over the past couple of months since instances like this became more and more frequent. I have yet to hear back from them about what they intend to do about it.

Source.

17 April 2009

Conficker Becomes 'Downdac', a Waledac Zombie

The sexiness of the Conficker story wore off after April 1st came and went, and subsequently the mass hysteria on your TV (at least regarding this particular subject) vanished. About a week after the let-down, Conficker.E came alive after all, but instead of communicating directly with the 50,000 URLs, it wormed its way around cyberspace via peer-to-peer networks.

Another component digs around for exploitable machines and drops a nasty little payload in the Windows Registry, hiding itself much as rootkits hide themselves on machines. Once on the machine, the new virus connects to a malicious URL for an encryption download.

And thus is born what TrendMicro is calling Downdac.A, a hybrid of Downad and Waledac, which turns the infected machine into a zombie under the control of the botnet and causes it to download fake antivirus software called Spyware Protect 2009.

"Waledac is a notorious spammer, and is also known for injecting information-stealer codes. FakeAV, meanwhile, scares users into buying their 'security' products by faking infection symptoms, and lately, by employing crimeware routines as well," write Trend Micro's Paul Ferguson and Ivan Macalintal.

Curiously, the whole process has an end date of May 3rd, but researchers are at a loss as to what might happen then.

Source

15 April 2009

New Attack Sneaks Rootkits Into Linux Kernel

Kernel rootkits are tough enough to detect, but now a researcher has demonstrated an even sneakier method of hacking Linux.

The attack exploits an oft-forgotten feature of Linux versions 2.4 and above in order to quietly insert a rootkit into the operating system kernel, as a way to hide malware processes, hijack system calls, and open remote backdoors into the machine, for instance. At Black Hat Europe this week in Amsterdam, Anthony Lineberry, senior software engineer for Flexilis, will demonstrate how to hack the Linux kernel by exploiting the driver interface to physically addressable memory in Linux, called /dev/mem.

"One of the bonuses of this [approach] is that most kernel module rootkits make a lot of noise when they are inserting [the code]. This one is directly manipulating" the memory, so it's less noticeable, he says.

Linux system administrators typically aren't aware of the potential dangers of leaving /dev/mem exposed. Lineberry says his goal is to educate them on this potential security hole.

And there's now a way to defend against such an attack, too: the Linux development community recently issued a patch that locks down /dev/mem, limiting read and write access from the outside, he says.

Read more.

10 April 2009

Resurrection Of Conficker?

Just a week after the April Fools Day hysteria surrounding Conficker.C, most have forgotten and gone on. Security researchers, however, have not, and have noted more activity and a possible connection to the spambot Waledac.

Researchers at both TrendMicro and Symantec noticed new activity from a Conficker variant they've now labeled Conficker.E. The new variant spreads via peer-to-peer to update machines infected by earlier variants.

The activity they are witnessing also seems fairly benign. Conficker connects to major websites like MySpace, MSN, eBay, CNN, and AOL to get a simple time update.

Whereas the .C variant burrowed its way into several areas of a computer to disable security communications and removal tools, the .E variant includes a previously unseen self-removal function to erase all traces of its presence from the infected host.

1. It patches “tcpip.sys” in order to increase the number of concurrent network connections available on the system.
2. The exploitation of the MS08-067 vulnerability, which had not featured in W32.Downadup.C, is now included in W32.Downadup.E.
3. This variant also uses the SMB protocol to identify the target system before attempting to exploit it. This is most likely an attempt to increase the chances of successful exploitation.
4. This worm has the UPnP capabilities that we saw in previous versions of Downadup. The threat exploits weaknesses in certain routers to allow access to compromised machines from external networks.
5. W32.Downadup.E will remove itself from the system on or after May 3, 2009.


The ultimate purpose of W32.Downadup.E is to install W32.Downadup.C on vulnerable systems. W32.Downadup.C will not be removed after May 3, 2009.

Thus May 3, 2009 gives us yet another date to pay attention to. TrendMicro traced the worm to sources somewhere in Korea, and noted a possible connection to Waledac, one of the world's most active spambots.

Symantec confirms an apparent connection to Waledac, and suspects Conficker.C was instrumental in distributing Waledac, which "steals sensitive information, turns computers into spam zombies, and establishes back door remote access."

Because Waledac is a reiteration of the famed Storm botnet, researchers also suspect all three pieces of malware are connected, perhaps created by the same cybercriminal source.

Malicious Code Analysis
Technical writeup of Conficker.E
W32.Downadup.E—Back to Basics

08 April 2009

Facebook, Privacy and Contracts

Facebook was trying to solve a legitimate problem: People who deleted their accounts did not realize that information that they shared with other users would persist on their Facebook friends' accounts. Thus, they needed some way of telling users that the information might remain. The proposed change in the contract noted that:

"You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof. You represent and warrant that you have all rights and permissions to grant the foregoing licenses."

Essentially, according to these new terms, if you created a Facebook page, posted content on one, created a link from one, or allowed someone else to do so, you had transferred the intellectual property rights to the content to the company, subject to your privacy settings.

Full story here

06 April 2009

Zero-Day PowerPoint Attacks Under Way

Microsoft's PowerPoint application is being used in a new attack that exploits an unpatched vulnerability in the popular Office app. The software giant yesterday issued a security alert confirming "limited and targeted attacks" were under way using malicious PowerPoint files that exploit the flaw.

The exploits carry a Trojan, according to Microsoft, and in an interesting twist, the exploit files were recently submitted to the VirusTotal free malware-scanning site. "Either the miscreants who created these exploits were looking to see how antivirus products detect their new files, or the victims were looking to get some information about their maliciousness," blogged Cristian Craioveanu and Ziv Mador of Microsoft's Malware Protection Center.

When exploited, the vulnerability can give an attacker local rights to a user's machine if he opens the malicious PowerPoint file, which is currently being delivered via targeted email messages, but can also be pushed via a Website or instant messaging link.

The vulnerability affects PowerPoint 2000 Service Pack 3, PowerPoint 2002 Service Pack 3, PowerPoint 2003 Service Pack 3, and Microsoft Office 2004 for Mac. The newer Microsoft Office PowerPoint 2007 and Microsoft Office for Mac 2008 are immune.

For now, Microsoft has provided a few workarounds for users to protect against the new PowerPoint attack:

  • Do not open or save Office files received unexpectedly from a trusted or untrusted source;
  • Use the Microsoft Office Isolated Conversion Environment to open those files; or
  • Use Microsoft Office File Block policy to ban Office 2003 and earlier files from being opened.

Read more here.

04 April 2009

Public Search Engines Mine Private Facebook Details

Another reason to be careful what you post on Facebook:
All it takes is a simple Google search, and phishers and marketers can glean a treasure trove of private information based on relationships among Facebook "friends," according to new research.

Researchers from the U.K.'s University of Cambridge recently published a paper (PDF) detailing a project in which they developed a software tool to correlate and map Facebook profiles they found via public search engines, such as Google, to build detailed maps of relationships among Facebook members.

"Knowing who a person's friends are is valuable information to marketers, employers, credit rating agencies, insurers, spammers, phishers, police, and intelligence agencies, but protecting the social graph is more difficult than protecting personal data," the researchers wrote in their paper. "Personal data privacy can be managed individually by users, while information about a user's place in the social graph can be revealed by any of the user's friends."
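To make the researchers' point concrete, the following added example (not code from the paper or the page) builds a small constructed friendship graph in which some members hide their friend lists, and shows how much of a private member's friend list can still be recovered purely from the public profiles of their friends. Names and privacy settings are assumptions.

```python
"""Recover a private user's friend list from friends' public profiles.

Added example, not from the Cambridge paper or the original page. The
profiles below are constructed; names and privacy flags are assumptions.
"""

# Constructed profiles: user -> (friend set, friend list is public?).
# Friendship is symmetric, so every edge appears in both users' lists.
PROFILES = {
    "alice": ({"bob", "carol", "dave", "erin"}, False),  # hides her list
    "bob":   ({"alice", "carol"}, True),
    "carol": ({"alice", "bob", "dave"}, True),
    "dave":  ({"alice", "carol", "erin"}, False),        # hides his list
    "erin":  ({"alice", "dave"}, True),
}


def all_edges(profiles):
    """Every real friendship edge, as unordered pairs."""
    return {frozenset((u, f)) for u, (friends, _) in profiles.items() for f in friends}


def visible_edges(profiles):
    """Edges a public search engine can index: only those listed on a
    profile whose owner left the friend list public."""
    return {frozenset((u, f))
            for u, (friends, public) in profiles.items() if public
            for f in friends}


def inferred_friends(target, profiles):
    """Friends of `target` recoverable without reading target's own profile."""
    return {next(iter(e - {target})) for e in visible_edges(profiles) if target in e}


def hidden_edges(profiles):
    """Edges that stay hidden: only those between two private users survive."""
    return all_edges(profiles) - visible_edges(profiles)


def recovery_rate(target, profiles):
    """Fraction of target's true friends exposed by their friends' settings."""
    true_friends = profiles[target][0]
    return len(inferred_friends(target, profiles) & true_friends) / len(true_friends)


if __name__ == "__main__":
    for user in PROFILES:
        print(f"{user}: {recovery_rate(user, PROFILES):.0%} of friends recoverable")
    print("edges still hidden:", [sorted(e) for e in hidden_edges(PROFILES)])
```

Alice's own privacy setting protects only the one edge whose other endpoint is also private; every other friendship is published by the friend.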

Source

01 April 2009

Facebook's hot body dance videos and malware

Maybe when you received the email you didn't think it was suspicious, or even if you did maybe you thought it was worth the risk.

Subject: Facebook message: Cute Girl Top Model Dancing

Message body: News from Facebook - Facebook Hot Body Dance Video Competition! Today: "Girls in beautiful black underwear dancing in the pub, showing off perfect bodies. Unbelievable Final!"

Of course, the spammed-out emails aren't really from Facebook - and if you look carefully at the URL you are about to click on you would realise that it was taking you to a third-party website instead of the social networking site.

The website is pretending to be Facebook and it shows a preview frame from a sexy dance video. If the tease piques your interest then all it says you need to do is download an "updated" version of Adobe Flash to view the movie.

Those with an interest in IT security know by now that they should only ever download a new version of Adobe Flash from Adobe's own website, but there are plenty of people out there who don't know that that's the sensible thing to do.

And that's who these hackers are preying upon: people who don't realise that a quick thrill might result in a long-term loss of their identity, data or the contents of their bank account.
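The advice above, and in the fbaction.net item earlier on this page, boils down to checking where a link really points before trusting the brand it claims. The following added example (not from the original page) does that check over constructed sample messages; the trusted host list, the lookalike domains and the sample messages are assumptions for illustration.

```python
"""Flag links whose host is not where the message claims to be sending you.

Added example, not from the original page. Messages below are constructed;
the trusted-host set and lookalike domains are assumptions.
"""
import re
from urllib.parse import urlsplit

# Hosts the claimed brands legitimately use (assumption for this example).
TRUSTED_HOSTS = {"facebook.com", "adobe.com"}

HREF_RE = re.compile(r"""href=["']([^"']+)["']""", re.IGNORECASE)


def actual_host(url):
    """Host the browser would actually contact for `url`, or None.

    urlsplit() already discards the 'user@' part, so a URL such as
    http://www.facebook.com@203.0.113.7/ resolves to the IP, not to
    the brand name that appears in front of the '@'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname  # lowercased, userinfo and port removed
    return host.rstrip(".") if host else None


def is_trusted(host):
    """True only for a trusted host or a real subdomain of one.

    'facebook.com.video-update.example' contains the brand textually but
    is a subdomain of example, so compare on label boundaries.
    """
    if host is None:
        return False
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def suspicious_links(html):
    """Return (href, actual host) for every link that is not trusted."""
    return [(href, actual_host(href)) for href in HREF_RE.findall(html)
            if not is_trusted(actual_host(href))]


# Constructed samples modelled on the two campaigns described on the page.
PHISH_LOGIN = '<a href="http://fbaction.net/login.php">Log in to Facebook</a>'
DANCE_VIDEO = ('News from Facebook - Hot Body Dance Video Competition! '
               '<a href="http://facebook.com.video-update.example/flash.exe">'
               'download updated Adobe Flash</a>')
USERINFO_TRICK = '<a href="http://www.facebook.com@203.0.113.7/">Facebook</a>'
GENUINE = '<a href="https://www.facebook.com/home.php">Facebook</a>'

if __name__ == "__main__":
    for sample in (PHISH_LOGIN, DANCE_VIDEO, USERINFO_TRICK, GENUINE):
        print(suspicious_links(sample) or "no untrusted links")
```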

Source