
Thread: Security News

  1. #61
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    QuickTime exploits

    According to ComputerWorld, there is a new trojan horse making the rounds on MySpace. This one exploits a flaw that has already been patched in QuickTime 7.1.5 and attempts to steal passwords and other personal information.
    Helsinki-based security vendor F-Secure Corp. ticked off the pieces the Trojan horse steals: MySpace username, FriendID, MySpace Display Name and other user passwords. The data is uploaded to a server at the domain Profileawareness.com, which is a members-only forum that "provides working methods of tracking exactly who visited your MySpace profile."
    This is an important patch to apply whether or not you frequent MySpace.

  2. #62
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Securing servers

    B. Securing servers

    Securing a computer system is always a tradeoff; to make it more secure, you disable services, making it less useful, and you carefully examine details of those services you leave running, making it more expensive to set up and maintain.

    Servers, however, are easy to secure; they are special-purpose machines, and need only offer a very limited range of services. So the bulk of the effort consists solely in disabling everything else.

    First, find out everything that's running on your server.

    List the processes, or better list the network ports that have servers listening on them. The commands to do this vary from one OS to another; under Unix processes can be listed with "ps", and open network ports can be listed with "netstat".

    A better tool, which lists open network ports together with which process is listening on each one, is "lsof", available from
    ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/.

    Second, disable everything but the specific processes required to serve the content for which the machine is in use. For example, a web server should not be listening on any of the network ports for other services besides http (TCP port 80) or https (TCP port 443). For remote administration and content updates, use a remote login and file copy program with good encryption, such as ssh
    http://www.openssh.org/.

    Third, install packet filtering.

    Packet filtering comes with recent Linux releases, and is available for most other OSes.
    IPFilter http://coombs.anu.edu.au/~avalon/ip-filter.html works with most versions of Unix.

    Packet filtering gives you two benefits.

    First, it allows you to once again block off everything that doesn't need to be remotely accessible; this provides a second line of defense, in case any of the services you disabled should be inadvertently re-enabled.

    And second, it allows a machine to provide fine control over access to services. For example, a web server may need to run, or to access, a database server. That database server should not be accessible by random strangers over the Internet, but it needs to be accessible to the web server.

    This sort of control can be enforced by packet filtering.
    Last edited by TZ; 03-20-2007 at 08:15 AM.
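    The three steps above (list what is listening, compare it with what the machine is meant to serve, then back the result with a default-deny packet filter) as an added example in POSIX sh; this is not code from the quoted text or its author. The netstat output is a constructed sample, and the allowlist, the 192.0.2.10 web-server address and the 3306 database port are assumptions. The filter rules use iptables syntax because the text points at Linux packet filtering (IPFilter, which it links, uses its own rule language), and they are printed rather than applied so they can be reviewed first.

```sh
#!/bin/sh
# Added example (not from the quoted text): audit a server's listening ports against an
# allowlist, then emit a default-deny packet filter that mirrors the same allowlist.

# Constructed sample in the shape of `netstat -tln` output; not captured from a real host.
# It models a web server that should expose only http/https (plus ssh) but has stray listeners.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN'

# Assumed allowlist: TCP ports this machine is meant to serve to remote hosts
# (http, https and ssh for remote administration, as in the text).
ALLOWED_PORTS="22 80 443"
# Assumed addresses/ports for the web-tier/database-tier rule (192.0.2.0/24 is the
# RFC 5737 documentation range, so it refers to no real host).
WEB_SERVER_IP="192.0.2.10"
DB_PORT=3306

# unexpected_listeners: read netstat-style lines on stdin and print "host port" for every
# LISTEN socket that is bound to a non-loopback address and whose port is not allowlisted.
# Loopback-only listeners (127.0.0.1 / ::1) are skipped: they are not remotely reachable.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "LISTEN" {
            addr = $4
            k = split(addr, parts, ":")
            port = parts[k]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next
            if (!(port in ok)) print host, port
        }'
}

# packet_filter_rules ROLE: print (not apply) an iptables ruleset for the "web" or "db"
# role. INPUT defaults to DROP, so a service re-enabled by mistake stays unreachable; the
# db role admits the database port only from the web server's address.
packet_filter_rules() {
    role="$1"
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    case "$role" in
        web)
            for p in $ALLOWED_PORTS; do
                echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
            done
            ;;
        db)
            echo "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT"
            echo "iptables -A INPUT -p tcp -s $WEB_SERVER_IP --dport $DB_PORT -m state --state NEW -j ACCEPT"
            ;;
        *)
            echo "usage: packet_filter_rules web|db" >&2
            return 1
            ;;
    esac
}

# Stand-alone run: audit the constructed sample, then show the web-role ruleset.
echo "== listeners not on the allowlist =="
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
echo "== proposed packet filter (web role) =="
packet_filter_rules web
```

    On a real host the audit step is `netstat -tln | unexpected_listeners`; the sample above reports the ftp listener on 21 and the database port bound to 0.0.0.0 (the loopback-bound copy is left alone). The second function is the "second line of defense" the text describes: even if ftp were re-enabled later, the INPUT policy of DROP keeps it unreachable until someone deliberately adds a rule.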

  3. #63
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Don't trust that email url

    Computer & Internet Security News
    29 March 2007
    Phishing threats triple
    By Gregg Keizer, Computerworld

    Online identity theft threats tripled in the first two months of 2007 as attackers shifted to simpler, more effective tactics, according to Cyveillance. The risk monitoring company compiled data from its internet sweeps to report that the average daily count of URLs hosting malicious downloads climbed to 60,000 in February, 200 percent over the December 2006 figure. A single-day spike mid-month came close to 140,000 such sites.

    "The traditional phishing technique is being replaced by putting a URL in the email," said Manoj Srivastava, Cyveillance's CTO. "The trend now is to use the browser as the attack vector."

    Phishing attacks have shifted from the usual emails that try to con users into visiting reproductions of legitimate pages, then duping them into entering their personal information. Instead, thieves simply stick a link in an email message and count on users' gullibility.

    "It works," Todd Bransford, vice president of marketing for Cyveillance, said when asked what might be behind the rise. "It's proved to be a highly effective way of taking control of someone's PC."

    Malicious sites typically exploit browser vulnerabilities to conduct "drive-by" downloads, installing bot Trojans that let a hacker control the machine or password-stealing keyloggers on compromised systems.

    Srivastava speculated that another reason for the rapid rise in malicious sites is, ironically, the effectiveness of anti-phishing software. "The phishing detection business has gotten good - ours included - and [so] it's far easier to detect conventional phishing techniques" than to gauge the potential for harm from a web site.

    The quick climb might also be a result of the increasing ease with which identity thefts are crafted. "[Phishing] kits have become common. It's so simple to launch attacks now that there's something of a geometric progression going on with the numbers," said Srivastava. "The economics and risks involved being what they are, more people are learning about identity theft and how to make money from it. This looks like an inflection point."

    Cyveillance also uncovered hundreds of thousands of credit and debit card account numbers in its sweeps of IRC channels and server logs of botnet operators. In the first two months of the year, the company's monitors found more than 320,000 credit and debit card numbers, more than 1.4 million potential Social Security numbers and approximately 1.3 million account log-on credentials.

    "We're pretty solid on those numbers," said Srivastava. Although the Social Security numbers were not actually verified, he said, they match the nine-digit criteria and the algorithm used to construct the numerical strings.

  4. #64
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Punching holes in firewalls

    Jürgen Schmidt, The hole trick - How Skype gets round firewalls, Heise Security
    Peer-to-peer software applications are a network administrator's nightmare. In order to be able to exchange packets with their counterpart as directly as possible they use subtle tricks to punch holes in firewalls, which shouldn't actually be letting in packets from the outside world . . . . . Network administrators who do not appreciate this sort of hole in their firewall and are worried about abuse are left with only one option - they have to block outgoing UDP traffic, or limit it to essential individual cases. UDP is not required for normal internet communication anyway - the web, e-mail and suchlike all use TCP. Streaming protocols may, however, encounter problems, as they often use UDP because of the reduced overhead. Astonishingly, hole punching also works with TCP. After an outgoing SYN packet the firewall / NAT router will forward incoming packets with suitable IP addresses and ports to the LAN even if they fail to confirm, or confirm the wrong sequence number.
    http://www.heise-security.co.uk/articles/8248
    Last edited by TZ; 03-29-2007 at 02:20 PM.

  5. #65
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Why you should not install Google Desktop

    Google Desktop for Mac is out.

    Install it? Maybe not.

    "Google Desktop on the Mac silently installs an Input Manager whose function appears to be to load bundles of code into applications targeted by Google. The Input Manager is installed in a location where it will be loaded into every application run by any user of the Mac. The fact that it loads other code on demand is worrying as it could be used for malicious purposes. Moreover, it is odd that Google installs this software without requesting the user's permission given the recent controversy on this very topic. Hopefully Google will fix the issues outlined in the article in upcoming revisions of their software."

    Daring Fireball:

    Guide to What Gets Installed by the Google Desktop Installer
    http://daringfireball.net/2007/04/go...ktop_installer

    • that means the only apps that are targeted by these “mods” are Safari and Camino. I don’t know what they’re supposed to do; none of the Google Desktop documentation seems to say. The gist seems to be GoogleModLoader is more or less like SIMBL — a meta-hack framework for input manager patches that ostensibly target specific applications.
    • /Library/Google/Google Desktop/ — This is where the index files are stored. On my test system, they’re about 60 MB for a system with about 70 GB of data on disk.
    • /Library/LaunchDaemons/ — Two files for launchd here: com.google.Desktop.Daemon.plist and com.google.Desktop.StatsUploader.plist
    • /Library/PreferencePanes/ — GoogleDesktop.prefpane is the System Prefs panel that lets you configure the options for Google Desktop.
    • /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/Spotlight/ — This one is baffling to me. My understanding is that it’s a major no-no for third-party software to install anything in the /System/Library/ hierarchy other than kernel extensions. Google creates this “Spotlight” folder, which contains a binary file named “mdimport”. I presume this is how Google Desktop piggybacks on Spotlight for file system notifications using the same exclusion rules as Spotlight.

  6. #66
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

  7. #67
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Pump-and-dump scammers

    New type of image spam hides in e-mail wallpaper

    Pump-and-dump scammers behind innovation; malware attacks could be on the way

    By Jon Brodkin, Network World, 06/13/07
    A new type of image spam found this week is able to bypass many filters by presenting a message as wallpaper within an e-mail, according to the vendor Secure Computing.

    Image spam uses text embedded in an image to foil traditional spam filters that catch spam by scanning messages for key words and by using other text-based techniques.
    Normal image spam is delivered as an attachment or loaded into an e-mail via a url, says Paul Henry, vice president of strategic accounts for Secure Computing.

    But a new type of image spam Secure Computing found this week takes advantage of e-mail stationery, which consists of an HTML template. When used legitimately, the template might contain a company’s logo and the sender’s name and contact information, just like a piece of letterhead paper.

    Many antispam programs are trained to ignore these backgrounds, or wallpaper, because they are often used to send real e-mails, according to Secure Computing. The new spam e-mail, which promotes a pump-and-dump stock scam, puts the text within one of these stationery backgrounds, the vendor says.

  8. #68
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045


    New Web Exploit at 10,000 Machines and Growing, Security Company Warns

    By Ryan Singel June 18, 2007 | 1:54:50 PM
    Categories: Hacks and Cracks

    More than 10,000 web sites have been infected with a malicious script that redirects visitors to a site installing malware through unpatched browsers, and the number is likely to rise as only 1,100 were infected on Friday, according to Trend Micro, which describes the infestation as the largest attack attributable to a single Trojan downloader.

    The attack started in Italy and largely targets little used web pages whose security is likely lax. The sites are hacked to include a malicious IFRAME tag, which redirects visitors through a computer in San Francisco, to one in Chicago, which attempts to install various forms of malware, including keyloggers, according to Trend Micro.

    Users should make sure their systems and browsers are fully patched, according to Trend Micro network architect Paul Ferguson, though he said the old advice of avoiding untrustworthy corners of the internet seems not to be holding anymore.

    "Now almost every time you fire up your web browser, you are going in the bad part of town," Ferguson told THREAT LEVEL.

    The attack is the largest Trend Micro has ever seen of its type, but it expects to see more of these in the future.

    As for cleaning up the mess, Trend Micro is looking to shut down the sites that users are being re-directed to, but suspects that the hackers will just find a new target server and update the redirecting address on the compromised boxes.

    "We have thousands of pages serving this malicious redirect and it's hard to identify and contact all these websites," Ferguson said. "It's getting to the point we are going to have to blacklist half of the internet."

    Security Fix's Brian Krebs has more on Mpack, the exploit toolkit being used in this attack, which targets multiple vulnerabilities in software including Internet Explorer, QuickTime, Firefox and Opera.

    Symantec Security Response Weblog: How MPack behaves
    Last edited by TZ; 06-19-2007 at 03:02 PM.

  9. #69
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    IPv6 Security Hole

    Apple Shuts Down IPv6 Security Hole

    Apple has slammed the door shut on denial-of-service attacks and a security bypass that Type 0 routing headers in IPv6 let in. The company on June 20 put out an update, Mac OS X 10.4.10, that addresses the problem by disabling support for the headers.

    This vulnerability has been left wide open in IPv6 even though it was well-known and shut down in IPv4; by default, all routing engines now turn it off.
    This particular type of packet header can be used to crazily bounce network packets back and forth between hops on their route, clogging up bandwidth and potentially causing a DoS.

    Back in April, two researchers, EADS Corporate Research Center research engineers Philippe Biondi and Arnaud Ebalard, showed that when you can specify where your nodes route packets, you can create a loop—for example, from hop A to hop B to hop A to hop B—that exponentially jacks up Internet traffic, thus causing a DDoS (distributed DoS).

    The ability of users to route their own packets—a procedure optimized automatically in today's IPv4 Internet—allows not only DDoS attacks, but also the ability to bypass security. Researchers say the vulnerability is easy to fix with RH-sensitive filters.

    At the time of the CanSecWest demonstration, Bob Hinden, chairman of the IPv6 working group at Internet Engineering Task Force, told eWEEK that the group wasn't seeing this "ingenious" exploit in the wild.

    Still, nobody was losing time in fixing it, he said. "The implementer community is rapidly enabling fixes, and the standards body is rapidly trying to change it so it can't be used in a bad way," Hinden said at the time.

    Apple said in its security advisory that the issue doesn't affect systems prior to Mac OS X 10.4.

    The update is available for Mac OS X 10.4 through Mac OS X 10.4.9 and Mac OS X Server 10.4 through Mac OS X Server 10.4.9. It can be obtained from Mac OS X's Software Update pane under System Preferences or via Apple's Software Downloads site.

  10. #70
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Firewall Security Appliances

    Security appliance:
    http://www.astaro.com/downloads/software

    Yoggie Gatekeeper Personal
    http://linuxdevices.com/news/NS9845221861.html

    Yoggie Security Systems has squeezed a hardware firewall for Windows into a USB key sized form-factor. The "Yoggie Pico" runs Linux 2.6 along with 13 security applications on a 520MHz PXA270, a powerful Intel processor popular in smartphones and high-end consumer devices.
    http://www.yoggie.com/

    How does it work?

    The original Gatekeeper sported a pair of RJ-45 jacks that allowed it to be connected in-line between the network and a PC running any OS, similar to traditional hardware firewalls. Alternatively, it could be connected via its full-speed (12Mbps) USB port, and used in conjunction with low-level Windows drivers that "hi-jack traffic at layers 2-3, below the TCP/IP stack, and route it to USB," Touboul explained.

    Drivers for Linux and MacOS X are planned, he confirmed.

    Stack components, according to Touboul, include:
    Anti-Spam
    Anti-phishing
    Antispyware
    Antivirus
    Parent control system
    Transparent email proxies (POP3; SMTP)
    Transparent web proxies (HTTP; FTP)
    Intrusion detection system
    Intrusion prevention system
    Firewall
    Adaptive security policy
    Multi-layer security agent (Patent pending)
    "Layer-8" security engine (Patent pending)

    Gatekeeper will run applications including the following:

    Stateful inspection firewall
    VPN client
    Intrusion detection and prevention
    Four transparent proxies: HTTP, FTP, POP3 (Pro model only), and SMTP (Pro model only)
    Antivirus, antispyware, antispam (Pro model only), antiphishing (Pro model only)
    Yoggie "Layer 8" security engine (patent pending)
    Yoggie multilayer security agent
    Content filtering
    White and black lists
    Yoggie health monitoring
    Web management and monitoring said to provide "real time, constant, consistent and un-paralleled visibility into distributed laptop platforms, regardless of location"

    Availability

    The Yoggie Pico will ship the first week of June, priced at $180 with a year's subscription to updates, according to the company. Subscriptions will cost $30/year thereafter. Distribution channels are being finalized, but will include big-box retailers like CompUSA and Fry's (Outpost.com), Touboul said. Dexxon Digital Storage, Inc. (DDSI) will handle distribution in North America.

    Also available for $200 will be a "Pro" version targeting the enterprise market. It adds VPN features, and is designed to fetch firewall updates from a local enterprise server rather than Yoggie's central servers.

    http://www.linuxdevices.com/news/NS5094510735.html

    Windows Firewall Squeezes into USB Key
    http://www.eweek.com/article2/0,1895,2137988,00.asp

    Linux-powered PCI card guards PCs from friendly fire, Windows worms
    http://linuxdevices.com/news/NS3121141854.html

    http://www.yoggie.com/PDF/Personal%20DS.pdf

  11. #71
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Greeting card spam

    Security experts warn on 'hydra' attack
    Computerworld

    A new round of greeting card spam that draws users to attack sites relies on a sophisticated multi-pronged, multi-exploit strike force to infect machines, according to security professionals.

    Captured samples of the spam have all borne the same subject line, "You've received a postcard from a family member!", and contain links to a malicious website, where JavaScript determines whether the victim's browser has scripting enabled or turned off.

    "If JavaScript is disabled, then they provide you a handy link to click on to exploit yourself," said a SANS Institute Internet Storm Center (ISC) alert. Some users turn off scripting because it is a frequent attack vector; browsers with JavaScript enabled are simply fed a two-part package of downloader and malware.

    The quick browser status exam in this attack is somewhat similar to one used in a different exploit tracked by Symantec since Tuesday, but the two are not connected, said Oliver Friedrichs, director of Symantec's security response group. "They're using two different toolkits," said Friedrichs, "but they're both prime examples that exploits against browsers are more and more prevalent."

    Thursday's greeting card gambit tries a trio of exploits, moving on to the second if the machine is not vulnerable to the first, then on to the third if necessary.

    The first is an exploit against a QuickTime vulnerability, the second an attack on the popular WinZip compression utility and the third, dubbed "the Hail Mary" by ISC, is an exploit for the WebViewFolderIcon vulnerability in Windows that Microsoft patched last October.

    ISC said several anti-virus vendors had tentatively pegged the executable malware - the file offered to users whose browsers have JavaScript disabled - as a variation of the Storm Trojan, an aggressive piece of malware that has been hijacking computers to serve as attacker bots since early this year. According to ISC's warning, computers already compromised by Storm - aka Peacom - are hosting the malware, and the attackers are rotating those machines' IP addresses in the spam they're sending.

    "Every Storm-infected system is potentially capable of hosting the malware and sending the spam, but only a few will be used in any given run," said the alert, "depending on how many emails they want sent and how many web hits they're expecting."

    Hackers haven't abandoned the practice of attaching malware to email, then counting on naive users to open the file, said Friedrichs. But malware hosting sites are the trend.

    "It's much more difficult to send a full malicious file," he said, because of users' learned reluctance to open suspicious files and filtering and blocking tactics by security software.

    "This is widespread, and leads the user to multiple IP addresses," said Shimon Gruper, vice president with Aladdin Knowledge Systems Inc., a security company known for its eSafe anti-virus software.

    "There's not a single server, there are multiple exploits [and the email] has no attachments. This will be very difficult to detect."

    Two days ago, a Symantec honeypot captured a similar website-hosted attack that had an arsenal of multiple exploits at its disposal. That attack, however, featured an unusual, if rudimentary, browser detector that sniffed out whether the target computer is running IE or Firefox. If the attack detects IE, it feeds the machine a Windows animated cursor exploit. If it finds Firefox, however, the site spits out a QuickTime exploit.

  12. #72
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    MySpace phishing attack

    MySpace hit by new phishing attack

    Phishers have been using compromised MySpace accounts to attack web surfers.

    Two components comprise the attack. It attempts to install malicious botnet software on victims' computers, and it also uses these infected computers to try to steal MySpace credentials in a phishing attack.

    Computers that are compromised by the attack become infected with malicious botnet software known as "flux bot," which makes them unwitting participants in the phishing scam. After the malicious Web site attempts to install the flux bot code, it then presents victims with a fake MySpace.com log-in page, which tries to extract their MySpace.com user name and password.

  13. #73
    Join Date
    Nov 2004
    Location
    Germany
    Posts
    2,352

    Photoshop CS2, CS3 and Flash Security Patches for Mac/PC

    Photoshop CS2 and CS3 updates to address security vulnerabilities Release date: July 10, 2007
    Vulnerability identifier: APSB07-13
    CVE number: CVE-2007-2244, CVE-2007-2365
    Platform: All Platforms
    Affected software versions: Photoshop CS2 and Photoshop CS3
    Summary

    Critical vulnerabilities have been identified in Photoshop CS2 and CS3 that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious BMP, DIB, RLE, or PNG must be opened in Photoshop by the user for an attacker to exploit these potential vulnerabilities. Users are recommended to update their installations with the patches provided below, and Adobe encourages all customers to be cautious before opening any unknown file, regardless of which application they may be using.
    http://www.adobe.com/support/securit...apsb07-13.html

    Also, Flash has some issues that can be corrected by installing the new Flash Player version:
    http://www.adobe.com/shockwave/downl...ShockwaveFlash

  14. #74
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    iPhone runs as root

    The iPhone’s biggest security pitfall: All applications run as root

    Posted 23 July 2007 @ 10am in Security

    A few weeks ago, Rixstep posted a piece titled simply “Effective UID: 0,” pointing out (as revealed by iPhone crash reports — see this article on deciphering) that the iPhone runs most (all?) of its applications/processes as root (superuser, UID 0). This means that they enjoy full system rights — a huge concern with regard to security, since any compromised application has the highest possible privilege level.

  15. #75
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Vulnerability in BIND 9

    BIND 9, or Berkeley Internet Name Domain 9, is among the most widely used software packages used on DNS (Domain Name System) servers. When a user types a Web address into a browser, the request goes to a DNS server, which finds the corresponding numerical IP (Internet protocol) address and locates the Web site.

    For security purposes, when a browser queries a DNS server, a random 16-bit transaction ID is used to verify the response from the server. However, according to Amit Klein, chief technology officer at security vendor Trusteer Ltd., the transaction ID is not random at all.

    "On the contrary, this transaction ID is very predictable," he wrote in a paper describing the problem this week.

    The vulnerability in BIND 9 could allow an attacker to force the DNS server to return an incorrect Web site to a user, a trick known as DNS cache poisoning, or pharming. The problem exists in all BIND 9 releases when the software is being used in a caching server configuration, Klein wrote.

    Other security watchers confirmed the problem. "This is very much a feasible attack," wrote Johannes Ullrich, chief technical officer of the SANS Internet Storm Center. "Best to patch your BIND server soon."

    ISC advised users to install an upgrade for BIND 9 from its Web site.

    The problem is particularly worrisome since desktop security software is not effective at preventing this style of attack, Klein wrote. The attack does not directly involve a user's computer or the DNS server, but rather data that is cached on the server.

    NetworkWorld

  16. #76
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Windows Sharing Samba

    The addition of an exploit to the Metasploit hacking framework has boosted the threat posed by an unpatched bug in Samba, the open-source file- and print-sharing software included with the Apple operating system.

    Although the vulnerability was disclosed May 14 and patched that same day by the Samba community, Apple has not updated Mac OS X with a fix.

    "Samba is used in virtually every mixed environment where there are Macs and PCs, and the threat profile is much higher now that an exploit has been added to Metasploit."

    Apple has not updated Samba within Mac OS X since March 2005. Samba, which is also used by most Linux distributions for file and print sharing with Windows systems, is turned on in Mac OS X when users activate the Windows Sharing feature.

  17. #77
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Process injection

    Researchers warn that rootkits aren't the only threat
    Other stealth techniques are equally effective -- and more imminent

    Rootkits may be getting most of the attention within the security community. But it's important not to overlook other, equally effective antiforensic techniques that malware writers have at their disposal for hiding their code from detection, according to a security researcher at the Black Hat 2007 conference.

    Process injection
    The technique involves the injection of malicious code into another legitimate running process on an end user's system.

    The technique can be used to bypass firewalls on client devices and other security defenses, because the process that has been injected with the malicious code would appear largely normal, he said.

    Similarly, "a cleverly named process is often enough to fly beneath the radar and avoid immediate detection."

    The idea is to inject a malicious process in a system and hide its presence by using slight variations on commonly running processes; the Svchost.exe and spoolsv.exe processes make the best targets because there are usually several of them running in memory.

    "One more will often go unnoticed."

    Execute malicious code directly from memory
    Doing this greatly enhances its stealth because it means the code never has to reside on the hard drive where it might be detected, Harbour said.

    The first exploit involved launching a process in a suspended state and then overwriting it with malicious code.

    An attacker could launch notepad.exe in a suspended state and then overwrite it with sol.exe, causing a game of Solitaire to be presented to the user even though views in the task bar would make it appear that notepad was running, he said.

    Such techniques are simpler to use and more commonly available than rootkits and therefore present a more imminent threat to companies.

  18. #78
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Even the hackers are nervous

    Even the hackers are nervous
    By John Borland, August 09, 2007 | 2:53:22 PM
    Categories: CCC
    http://blog.wired.com/27bstroke6/200...he-hacker.html

    The people who know best say it's not safe out there on the Internet.

    In a series of talks at the Chaos Communication Camp here in Germany today, researchers and virus experts outlined the recent growth in the numbers of viruses and Trojans (up 34 percent since the same time last year), the evolving sophistication of attacks, and – perhaps most strikingly – the increasing professionalism of the malware business.
    . . . . .
    Most antivirus firms rush products out on tight deadlines, without the extremely sensitive debugging process that such critical software ought to have, he argued. That left virtually all security software open to attacks that take advantage of those bugs, opening a painful paradox for systems administrators.

    Indeed, even while filing this piece, my antivirus software has notified me of a buffer overflow attack on my computer, something I'd never seen before yesterday. More pop up every time I go online here, following a brush with a Deep Throat Trojan shortly after getting on the network here yesterday.

  19. #79
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Prg Trojan

    August 17, 2007 (Computerworld) -- A security researcher at SecureWorks Inc. has uncovered a cache of financial and personal data that was stolen from about 46,000 individuals by a variant of Prg, a Trojan program gaining notoriety for its quick-change behaviors.

    The stolen data includes bank and credit card account information and Social Security numbers as well as usernames and passwords for online accounts. Many of the victims were infected and reinfected as they visited several leading online job search sites, including the popular Monster.com.

    Don Jackson, the SecureWorks researcher who found the collection, said it was the largest single cache of data he discovered from the Prg Trojan, a piece of malware first seen in the wild in June.

    That server is one of 20 similar servers worldwide that are collecting and storing data stolen by Prg. Twelve of those servers -- including the one with the large data cache -- are being managed by a single hacking group known for naming their attacks after car manufacturers such as Bugatti, Ford and Mercedes, Jackson said.

    A user clicking on one of the malicious ads is taken to an exploit page that "fingerprints" the user's browser and then serves up between one and four exploits designed to infect the user's system with the Trojan. From that point on, all information the user enters into the browser is captured and sent off to the hacking group's servers, Jackson said.

    A number of Prg variants are known to operate in part by opening up Port 6081 on victims' computers and listening for connections there. Some experts suggest that concerned parties looking to cut Prg off at the knees might start by blocking inbound and outbound traffic on 6081.

    "This Trojan (PRG) is a very good example of a man-in-the-middle attack as it is designed to intercept requests to encrypted web sites, and SSL encryption offers no protection for the machine, as in SSL transactions the encryption occurs between the machines transporting data but not the end node," Biviano said.

    "Wnspoem and the PRG Trojan were all based on this construction kit which enables people to define the properties of the Trojan, how it infects and even what it does."

    "It is really taking the tricks learnt in the past and applying them to modern day motives". According to ISS, the construction kit is readily available online and is designed for rapid deployment of new Trojan variants using a variety of different packaging schemas.

    "The PRG Trojan itself seems to have the ability to sort through files, sniff data out of HTTP/HTTPS headers (logins, etc) as opposed to actually keylogging, so it can detect "virtual keyboard" inputs, pasted text etc," an ISS spokesperson said.

    An organization can block port 6081 activity by using strict firewall rules as well as ingress and egress filtering.

  20. #80
    Join Date
    Jan 2001
    Location
    Mobius Strip
    Posts
    13,045

    Personal rambling

    Why I am concerned about security, firewalls, etc.
    • I saw one "drive by download" even as I was using OS X and a web site triggered an .exe file to my hard drive.
    • Getting one pop-up I don't want is one too many.
    • I was prompted at one site for an "enter userid and pswd" that didn't look normal or exactly right.
    • Identity theft can take years out of a person's life, and their bank account.
    • I found Little Snitch 'interesting' but not as well designed as Intego NetBarrier or AVG firewall.
    I read security news every AM, and have for the last 25+ yrs. And have talked to some of the early AV writers for Mac back in late '80s. But I come from a more IT type background probably than you.

    As a moderator on a web site, sometimes I want to check a site, and I don't want to be as vulnerable with 'just' the bare minimum.

    The next stage (in malware) seems to be using built in virtualization enabled in today's cpus (like Intel Penryn) to create and run in a VM. The code never goes out of memory and out to disk. And, VMware's server versions are vulnerable.

    No, you can't "win", and AV or anything that is 'reactive' rather than pro-active isn't fool-proof. Heuristics are better.
