Web2Secure: Web Security Blog

Searching for Google Chrome can lead to malicious content

2012-01-26T15:33:00.000-08:00

Searching "Google Chrome" in Google search engine will end with potential malicious infection. This alert has been reported at Websense Researcher.

According from founding, The domain (chromeplugins.com) has been registered in 2008, indicating that the website - an unofficial Google Chrome plugin forum - is legitimate. This website was compromised with fake AdSense "show_ads.js".

Fake "show_ads.js" host in pagead2.googlesyndlcation.com". - pagead2.googlesyndlcation.com/pagead/show_ads.js

Microsoft Patch Tuesday - January 2012

2012-01-10T18:42:00.000-08:00

Microsoft today released first batch of patches to fix their products security flaws for January 2012. Micorsoft released seven security bulletins addressing eight vulnerabilitis in Windows. Vulnerabilities in Windows Media rated as Critical severity. The remaining rated as Important.

Summary of Microsof of January releases can be found at http://technet.microsoft.com/en-us/security/bulletin/ms12-jan

MS12-001: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow an attacker to bypass the SafeSEH security feature in a software application. An attacker could then use other vulnerabilities to leverage the structured exception handler to run arbitrary code. Only software applications that were compiled using Microsoft Visual C++ .NET 2003 can be used to exploit this vulnerability.This patch counter CVE-2012-0001.

MS12-002: Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381)

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file with an embedded packaged object that is located in the same network directory as a specially crafted executable file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. This patch counter CVE-2012-0009.

MS12-003: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524)

This security update resolves one privately reported vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. All supported editions of Windows 7 and Windows Server 2008 R2 are not affected by this vulnerability. This could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.This patch counter CVE-2012-0005.

MS12-004: Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)

This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This patch counter CVE-2012-0003 and CVE-2012-0004.

MS12-005: Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146)

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file containing a malicious embedded ClickOnce application. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. This patch counter CVE-2012-0013.

MS12-006 Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)

This security update resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0. This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. This patch counter CVE-2011-3389.

MS12-007: Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664)

This security update resolves one privately reported vulnerability in the Microsoft Anti-Cross Site Scripting (AntiXSS) Library. The vulnerability could allow information disclosure if a an attacker passes a malicious script to a website using the sanitization function of the AntiXSS Library. The consequences of the disclosure of that information depend on the nature of the information itself. Note that this vulnerability would not allow an attacker to execute code or to elevate the attacker’s user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system. Only sites that use the sanitization module of the AntiXSS Library are affected by this vulnerability.This patch counter CVE-2012-0007.

Suspicious and Spam Link 20-Dec-2011

2011-12-20T07:48:00.000-08:00

121.11.80.161

adobe-reader-2012.com
official-reader-upgrade.com
online-direct-tv.com
pay4yourdomain.com
pdf-adobe-2012.com
sslgateway-signup.com
official-reader-upgrade.com

209.112.247.144

mail.e4.net
mail.oceansideurc.org
mail.onsolidrock.org
mail.whyibelieve.org
onsolidrock.org
preferredresources.info
raq53.dnssys.com
real-player-superpass.com
strategicdeviance.com
whyibelieve.org
www.basket-lady.com
www-adobe-reader.com

194.28.158.153

secure.signup-page.com

85.234.236.21

adobe-acrobat.org
adobe-reader.es
adobe-reader.nl
adobe-reader8.com
dividendpagina.nl
hobbydoos.nl
wolhemel.com
www.dividendpagina.nl

46.105.150.218

adobe-reader.softlate.com
softlate.com
softlatedownloads.com
www.softlate.com

New Yahoo Messenger 0-Day Exploit Hijacks User's Status Update

2011-12-03T10:04:00.001-08:00

Malware spread via Yahoo Instant Messenger has been around for years. Infection, though, has been limited by the fact that it requires some interaction with the user.

Not anymore.

A newly discovered exploit in version 11.x of the Messenger client (including the freshly-released 11.5.0.152-us) allows a remote attacker to arbitrarily change the status message of virtually any Yahoo Messenger user that runs the vulnerable version.

How does it work?

The status message change occurs when an attacker simulates sending a file to a user. This action manipulates the $InlineAction parameter (responsible for the way the Messenger form displays the accept or deny the transfer) in order to load an iFrame which, when loaded, swaps the status message for the attacker's custom text. This status may also include a dubious link. This iFrame is sent as a regular message and comes from another Yahoo Instant Messenger user, even if the user is not in the victim’s contact list.

Read Full More Here.

Apache HTTP Server Reverse Proxy - CVE-2011-4317

2011-11-26T07:40:00.001-08:00

Engineer from Qualys Security Labs discovered vulnerability in Apache HTTP Server Reverse Proxy/Rewrite URL Validation during creating vulnerability signature for CVE-2011-3368.

The weakness is caused due to the mod_proxy module, when configured in reverse proxy mode, incorrectly processing certain web requests. This can be exploited to send requests to an unintended server behind the proxy via a specially crafted URL.

Full Details with PoC
https://community.qualys.com/blogs/securitylabs/2011/11/23/apache-reverse-proxy-bypass-issue

WorkAround:

Apache has not yet released a patch for this issue. Until a patch is release, configuring the reverse proxy rules correctly will prevent this issue from occurring. For example, in the above case, if the reverse proxy rules are configured as follows, the proof of concept will not work.

RewriteRule ^(.*) http://10.40.2.159/$1
ProxyPassMatch ^(.*) http://10.40.2.159/$1

Next Stuxnet : Duqu

2011-10-18T23:55:00.000-07:00

Researchers obtained new type of Stuxnet new virus called "Duqu". This remote acces Trojan (RAT) does not contain any code related to industrail control systems. The threat does not self-replicate.

Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets.Duqu uses HTTP and HTTPS to communicate with a command-and-control (C&C) server that at the time of writing is still operational. The attackers were able to download additional executables through the C&C server, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information. The information is logged to a lightly encrypted and compressed local file, which then must be exfiltrated out.
Key points:
• Executables using the Stuxnet source code have been discovered. They appear to have been developed since the last Stuxnet file was recovered.
• The executables are designed to capture information such as keystrokes and system information.
• Current analysis shows no code related to industrial control systems, exploits, or self-replication.
• The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
• The exfiltrated data may be used to enable a future Stuxnet-like attack.

Reference:

W32.Duqu: The Precursor to the Next Stuxnet http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet

McAfee said that the Duqu worm has been identified in "professional, targeted attacks" against CAs in parts of Europe, the Middle East, Asia and Africa. The researchers speculate that a digital certificate belonging to the firm C-Media, based in Taipei, was not stolen, but forged by a compromised CA.
The McAfee analysis fills in some details omitted from a longer analysis released by Symantec Corp on Tuesday. That research declined to name the kind of firm targeted by the worm, but provided a detailed analysis of the Duqu code, which bears a close resemblance to Stuxnet, with shared code used for the injection attack and several encryption keys and techniques that were used in Stuxnet.
Like Symantec's report, the analysis from McAfee says that it knows of only a few infections linked to Duqu, and says the worm doesn't appear to be designed to attack industrial control systems, as Stuxnet was.

Reference:
The Day of the Golden Jackal – The Next Tale in the Stuxnet Files: Duqu
https://blogs.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-%E2%80%93-further-tales-of-the-stuxnet-files

Another Cyber Security company, F-Secure Security Labs also posted related "Duqu" on its websites.

Unlike Stuxnet, the new backdoor, known as Duqu, does not target automation or PLC gear. Instead, it's used for reconnaissance. Duqu collects various types of information from infected systems for a future attack. It's possible we'll eventually see a new attack targeting PLC systems, based on the information gathered by Duqu.
The code similarities between Duqu and Stuxnet are obvious. Duqu's kernel driver (JMINET7.SYS) is actually so similar to Stuxnet's driver (MRXCLS.SYS) that our back-end systems actually thought it's Stuxnet:

Reference:
Duqu - Stuxnet 2
http://www.f-secure.com/weblog/archives/00002255.html

Additional Detail about "Duqu" by Symantec can be obtained here [PDF]

DefCon 19 DVD now online download

2011-10-13T05:01:00.000-07:00

For those who missed the presentation/talk session during DefCon 19, DefCon so kind to post DEF CON 19 DVD content media in 2 iso images.

Download them at the following links. :)
https://media.defcon.org/dc-19/defcon-19-dvd-original.iso (~1.6 GB)
https://media.defcon.org/dc-19/defcon-19-dvd-updated.iso (~1.7 GB)

Blizzard Phishing Emails Scam 12-Oct-11

2011-10-12T01:20:00.000-07:00

Host names neighbor for173.234.243.61

517ks.com
admin-wow.net
anshan521.com
at853.com
at853.net
catuba.org
game-10086.com
host64.yydns.net
newsletteraccount.net
us.battle.net.worldofwarcraft.com.admin-war.net
wouting.net
www.admin-wow.net
www.at853.com
www.at853.net
www.blizzard-battle.net
us.battle.net.en.iqzl.co.cc
www.blizzardnet-en.co.cc

Host names neighbor for 10.10.10.10

2a.72hg.com
2a.bigboynetworks.com
3dyyzb.com
abbsza.com
abbza.info
abbza.org
abbza.us
abbzaonline.com
ad.ath.bielsko.pl
adams.plus.ru
agecs.com
agetresa.com
alainze.no-ip.biz
aq0.softex.ru
arai.owner.linuxmaster.co.cc
arg.hopto.org
bacha.chutiya.co.cc
bcsmcs.co.cc
bhagyashree.co.cc
bharwa.ghashti.ka.bacha.chutiya.co.cc
bilik.cn
brokerdirect.com
bugzilla.allenpress.com
cafeislam.co.cc
calre1.com
cannaiolo.sytes.net
changewccc.com
changhesd.com
chutiya.co.cc
chuyenthamkin.co.cc
cobalt1.myftp.org
core-rs1.thdo.ncuk.net
dalla.kunjer.bharwa.ghashti.ka.bacha.chutiya.co.cc
dena.razi.ac.ir
dj-dj.no-ip.org
drive-megawheels.net
erouterzone.net
estrim.ru
etali.de
evanj8.co.cc
exe.redirectme.net
exicorp.co.cc
facebook.co.cc
fendermfg.com
figo.servecounterstrike.com
financialbg.com
flowby.no-ip.org
fsxforum.co.cc
ftp.lainnet.lv
fuchme.com
fuchyou.com
gdk-vpn.co.cc
ghashti.ka.bacha.chutiya.co.cc
globalsit.com
golestanroad.net
gombel.co.cc
guapunye.nick.arai.owner.linuxmaster.co.cc
hot.k1ss.co.cc
igratatin.co.cc
ikutsukaakuisa.co.cc
infotechpro.info
innogroup-online.net
invalid.blueocean.com
itquan.org
jabbus.co.cc
jeff-dunham.co.cc
jiitnameserver.jiit.ac.in
k1ss.co.cc
ka.bacha.chutiya.co.cc
kawasakibusiness.com
kunjer.bharwa.ghashti.ka.bacha.chutiya.co.cc
lastfile.co.cc
limsadiane.co.cc
lincolncarlton.com
linuxmaster.co.cc
lootparty.com
lovemei.myftp.org
mail.72ym.com
mail.abbsza.com
mail.abbza.biz
mail.abbza.info
mail.abbza.org
mail.abbza.us
mail.abbzaonline.com
mail.behindtheblackboard.com
mail.environmentalhealthinc.com
mail.event-marketing-group.com
mail.fireservicetanks.com
mail.holowesko.net
mail.holoweskofund.com
mail.holoweskofund.net
mail.holoweskofunds.net
mail.holoweskoglobalfund.net
mail.holoweskoglobalfunds.com
mail.holoweskoglobalfunds.net
mail.i-you.net
mail.landmarkdistribution.com
mail.lap-service-bolsward.nl
mail.lsfsa.com
mail.markholowesko.com
mail.markholowesko.net
mail.mind-fullonline.com
mail.modularwheelchairramps.com
mail.stylebagno.it
mail.tomcatrecords.net
mail.transport2000-office.org.uk
mail.updatepaypals.com
mail1.test.argenta.be
mailnotifications.com
mdrdsp01.es.wh.verio.net
meirite.com
merlot.organicvintners.com
michaelwanderson.net
mobitech-forums.co.cc
moccainside.co.cc
morte.servebeer.com
mossurf.co.cc
mx.bgns.net
mx.yuxiaosuo.com
mx1.citadis-avignon.com
mx1.djangocom.net
mx1.nievre-amenagement.net
mx1.semaeb.net
mx1.semerap.net
mx2.alpine-isolation.net
mx2.djangocom.net
mx2.lacamiciaealtrivizi.com
mx2.modulgraficaonline.com
mx2.nievre-amenagement.net
mx2.relliance-partenaires.net
mx2.semaeb.net
mx2.semerap.net
mx2.spazzicatering.com
mycandeo.com
mycubaweb.com
neoclic-pro.com
nicejewishguys.com
nick.arai.owner.linuxmaster.co.cc
nj025.net
nomail.rasputin.de
nowhere.cais.net
null.fsrmail.com
ny1core01.erouterzone.net
organicvintners.com
otginsott.net
owner.linuxmaster.co.cc
pacar.yang.sangat.perhatian.co.cc
parsfr01.fr.wh.verio.net
pati.servebeer.com
perely.co.cc
perhatian.co.cc
philyves.net
picallo.co.cc
pprox.co.cc
primarydns.jalindia.co.in
proxy808.co.cc
prueba.etb.net.co
qqo9.com
rauchit.com
redbox.by
rocker.redirectme.net
romeodelta.net
sangat.perhatian.co.cc
sarek.com
securehostserver.com
serviziaziendali.net
shellinfo.no-ip.info
sith.ad.ath.bielsko.pl
smkn8mlg.co.cc
spousta.com
srv.cat
sushi.tdlab.ca
tdlab.ca
the-hirsts.net
torrentmovies.co.cc
tw2.no-ip.info
v-link.co.cc
vosmmscom.co.cc
vpn.net1.cc
w3.vmhome.com
wag-bill-smtp.waggonerstrucking.com
waggonerstrucking.com
wcccsucks.com
web44.co.cc
wow3.co.cc
www.chuyenthamkin.co.cc
www.etali.de
www.blizzard.car-fear.co.cc
www.facebook.co.cc
www.gcts.bh
www.retaj.com.bh
www.securehostserver.com
www.torrentmovies.co.cc
www.tu888.cn
xn--ferienwohnungen-rgen-5ec.net (ferienwohnungen-rügen.net)
xserve.carlton.sg
yang.sangat.perhatian.co.cc
yrphone.com
yuanmu.net
yzscale.com

Host names neighbor for:

112.175.243.21

112.175.243.22

112.175.243.24

10.lucasribeiro.co.cc

18cn.co.cc

24.10.lucasribeiro.co.cc

3adalat.co.cc

440amg.co.cc

airtelfun.co.cc

alynwap.co.cc

ambady.co.cc

anisomnia.co.cc

araup.co.cc

arteportugal.co.cc

articleinfo.co.cc

aspirincardio.co.cc

astrazeneca.co.cc

baby.d0ll.co.cc

baithuctap.co.cc

bangkok-hotels.co.cc

bayer-ah.co.cc

bayeraspirin.co.cc

bayerfull.co.cc

bayerhealthcare.co.cc

bayeryoungenvoy.co.cc

best-warez.co.cc

bestmusic4u.co.cc

blizzarwar.co.cc

bokepmurah.co.cc

campingalhassan.co.cc

cardio-bayer.co.cc

carolebayersager.co.cc

cbm64.co.cc

cbm64.strangled.net

cclmail.co.cc

chitthumyar.co.cc

cialislevitrasalesviagra.co.cc

cimahi.co.cc

coctail-host.co.cc

cyberwhitestar.co.cc

d0ll.co.cc

davidsaw.co.cc

diane-patenaude.co.cc

diane.co.cc

dianearbus.co.cc

dianebishtv.co.cc

dianekruger.co.cc

dianelanenude.co.cc

dianelovesbob-net.co.cc

dianestanley.co.cc

dianeturton.co.cc

dogs4u.co.cc

drocink.co.cc

ekoi.co.cc

englishpremierleague.co.cc

es-krim.co.cc

f.co.cc

femalelife.co.cc

filmesgratis.co.cc

folos.co.cc

friendster-music.co.cc

fullmusick.co.cc

gamebazaar.co.cc

getarticles.co.cc

gocthethao.co.cc

gudangrahasia.co.cc

h-pe.co.cc

hdytaufik.co.cc

hesitate.with.malaysian-hackers.co.cc

hk.co.cc

ibintechs.co.cc

ilavalai.co.cc

islamarket.co.cc

jammaah-mig33.co.cc

kecoakwap.co.cc

kn4h.co.cc

kutopersada.co.cc

lanxess-europe.co.cc

lanxess.co.cc

law4u.co.cc

leechouse.co.cc

lenadianejennings-blogspot.co.cc

levitravardenafilhcl.co.cc

ljcbraga.co.cc

look.sexy.with.baby.d0ll.co.cc

mail.chitthumyar.co.cc

mail.co.cc

mail.kecoakwap.co.cc

mail.name-server.co.cc

mail.pvpdestiny.co.cc

malaysian-hackers.co.cc

marshadianearnold.co.cc

mastigalaxy.co.cc

maturecunt.veronichka.co.cc

mayanks.co.cc

me.hot.k1ss.co.cc

melupakanmu.co.cc

mobifriendz4m.co.cc

mobile4m.co.cc

moneysukh.co.cc

mp3.co.cc

my-exploit.co.cc

name-server.co.cc

nanangs.co.cc

navanblog.co.cc

nestle-gifts.co.cc

nestle-icecream.co.cc

nestle-waters.co.cc

nestle.co.cc

newskhitpyaing.co.cc

ns1.bangkok-hotels.co.cc

osamax.co.cc

outerxcircle.co.cc

p2p101.co.cc

pernah.melupakanmu.co.cc

pkfc.co.cc

pvpdestiny.co.cc

r-o-o-t.co.cc

radiowahrheit.co.cc

rafaelius.co.cc

rapiddown.co.cc

rawbeen.co.cc

realoiltd.co.cc

richardwalean.co.cc

rumbayan.co.cc

salon-net.co.cc

saurav.co.cc

sawa7.co.cc

sexy.with.baby.d0ll.co.cc

shibukg.co.cc

smppanderman.co.cc

stylweb.co.cc

sweet-memoriez.co.cc

sweetlady.co.cc

techcenter-lanxess.co.cc

thebayerfamily-blogspot.co.cc

uatu.co.cc

undernet-mafia.co.cc

veronichka.co.cc

viancom.co.cc

viuu.co.cc

vlrb.co.cc

walean.co.cc

webkontes.co.cc

williambayer.co.cc

wiredtree.co.cc

with.baby.d0ll.co.cc

with.malaysian-hackers.co.cc

woman-fucking-animals.veronichka.co.cc

www.18cn.co.cc

www.3adalat.co.cc

www.araup.co.cc

www.astrazeneca.co.cc

www.bayer-ah.co.cc

www.bayerfull.co.cc

www.bokepmurah.co.cc

www.cardio-bayer.co.cc

www.cialislevitrasalesviagra.co.cc

www.diane-patenaude.co.cc

www.dianebishtv.co.cc

www.femalelife.co.cc

www.folos.co.cc

www.freetemplates4u.co.cc

www.gocthethao.co.cc

www.jawamark.co.cc

www.kolah-ghermezi.co.cc

www.la-videoteca.co.cc

www.lanxess-europe.co.cc

www.metrovid.co.cc

www.nestle-gifts.co.cc

www.nestle.co.cc

www.outerxcircle.co.cc

www.p2p101.co.cc

www.sawa7.co.cc

www.techcenter-lanxess.co.cc

yahgoo.co.cc

yasmindavidds.co.cc

ycmi-med.co.cc

yduocantho.co.cc

zipwaves.co.cc

Host names neighbor for: 58.218.209.113

163rfg.com

baiduaic.com

baiduawj.com

baidubcv.com

baiducbx.com

baiduccd.com

baiduccf.com

baiducdd.com

baiduce4.com

baiduchs.com

baiducls.com

baiduclz.com

baiducuu.com

baiducxz.com

baidud4r.com

baidudc3.com

baiduddp.com

baidudjf.com

baiduduu.com

baidugal.com

baidugcb.com

baidugcd.com

baidugcx.com

baidugdj.com

baidugfc.com

baiduggs.com

baidugiu.com

baidugsd.com

baidugxs.com

baiduhjc.com

baiduhus.com

baidujdf.com

baidujhf.com

baidujk4.com

baidujkl.com

baidujus.com

baidujvc.com

baidukch.com

baidukjd.com

baidukjs.com

baidukkh.com

baiduks2.com

baidul08.com

baidul90.com

baidulal.com

baidulcm.com

baidulka.com

baidulkd.com

baidulks.com

baidulo0.com

baiduloc.com

baidulos.com

baidulpa.com

baidulsc.com

baidulss.com

baidumch.com

baidumcn.com

baidumls.com

baidummd.com

baidumnf.com

baidumnv.com

baidumnx.com

baidumqw.com

baidunbd.com

baiduncb.com

baiduohg.com

baiduoic.com

baiduoiu.com

baiduols.com

baiduosc.com

baidupbv.com

baidupdo.com

baidupju.com

baidupoc.com

baidupom.com

baidupsd.com

baidupwp.com

baiduqos.com

baiduqpx.com

baiduqw2.com

baiduree.com

baiduret.com

baidurew.com

baidurfg.com

baidurfh.com

baidurhg.com

baidurjg.com

baidurre.com

baidurrt.com

baidurwe.com

baidurwq.com

baiduscs.com

baidussd.com

baidusw1.com

baiduswt.com

baidutcs.com

baidutdc.com

baidutec.com

baidutes.com

baidutet.com

baidutew.com

baidutfg.com

baidutrb.com

baidutre.com

baidutrg.com

baidutsd.com

baiduttr.com

baidutvc.com

baidutvf.com

baidutvk.com

baiduuim.com

baiduuys.com

baiduuyt.com

baiduwex.com

baiduwlc.com

baiduwwe.com

baiduxah.com

baiduxsl.com

baiduxzs.com

baiduycd.com

baiduycm.com

baiduycs.com

baiduydp.com

baiduyew.com

baiduygl.com

baiduyjk.com

baiduyms.com

baiduytc.com

baiduyte.com

baiduytr.com

baiduytv.com

baiduytw.com

baiduywe.com

baiduyxb.com

baiduyxz.com

baiduzxc.com

google2fv.com

google6u7.com

googledsv.com

googlefct.com

googlemis.com

laotuw.com

sohuhju.com

sohus45.com

sohusde.com

sohusw4.com

www.163dcf.com

www.163lou.com

www.163qw8.com

www.163rfg.com

www.baidubcv.com

www.baidudg3.com

www.baiduhus.com

www.baidumls.com

www.baiduree.com

www.baidutdc.com

www.googledsv.com

www.laotuwang.com

www.sohusde.com

www.yahooui0.com

www.yahoozsw.com

yahooidd.com

yahoomkl.com

yahoowaq.com

yahooyao.com

Microsoft Patch Tuesday - October 2011

2011-10-11T16:53:00.000-07:00

Microsoft Tuesday patch release for october consists of 8 bulletins. 2 of bulletins are rated "Critical" and remaining issue are rated "Important". Six of issues could cause Remode Code Execution, one for Denial of Service and Elevation of Privilege.

MS11-078 - Critical - Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)

MS11-081 - Critical - Cumulative Security Update for Internet Explorer (2586448)

MS11-075 - Important - Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution (2623699)

MS11-076 - Important - Vulnerability in Windows Media Center Could Allow Remote Code Execution (2604926)

MS11-077 - Important - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)

MS11-079 - Important - Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Cause Remote Code Execution (2544641)

MS11-080 - Important - Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799)

MS11-082 - Important - Vulnerabilities in Host Integration Server Could Allow Denial of Service (2607670)

Microsoft’s summary of the October releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms11-oct

Suspicious and Spam Link 3-Oct-2011

2011-10-03T07:50:00.000-07:00

Hostnames neighbor for 112.216.242.125

actbus.ru
actpot.ru
admin.actmud.ru
admin.againstboard.com
admin.ampzoo.ru
admin.bitblood.com
admin.botfox.ru
admin.bridgefinger.com
admin.channel3online.com
admin.cupelf.ru
admin.fadbed.ru
admin.fatpenisphoto.ru
admin.fightgrey.com
admin.gaprip.ru
admin.hatdot.ru
admin.legtie.ru
admin.matfox.ru
admin.matlip.ru
admin.mictie.ru
admin.mixrag.ru
admin.padwit.ru
admin.paltag.ru
admin.pawbin.ru
admin.podyak.ru
admin.pupgas.ru
admin.ragaxe.ru
admin.tagray.ru
admin.tarkid.ru
admin.tinpet.ru
admin.wigelf.ru
admin.zipfad.ru
ahtryte.ru
alecat.ru
allpup.ru
ampyak.ru
anthat.ru
armlaw.ru
ashpit.ru
batgas.ru
baypan.ru
bedamp.ru
bedego.ru
bluebroken.com
bodybrass.com
bodyfeeble.com
boggas.ru
bogpod.ru
boilingfertile.com
boyrag.ru
boyson.ru
brothermonth.com
bugear.ru
bunsum.ru
busdot.ru
cangun.ru
cantax.ru
caryou.ru
certainegg.com
channel3online.com
chinblood.com
chincontrol.com
copyafter.com
coughengine.com
cowguy.ru
cupact.ru
cupcar.ru
dadnet.ru
dadtoe.ru
demandvalues.ru
dogjar.ru
dogpit.ru
dotpod.ru
dyedog.ru
eggant.ru
egoair.ru
egodye.ru
elfbay.ru
enlargemypenisnatural.ru
enlargemypeniss.com
eyerib.ru
eyeute.ru
fabboy.ru
fadgap.ru
fadpaw.ru
fangap.ru
fanrow.ru
fantea.ru
fashionwit.ru
fatpenisphoto.ru
flowerbody.com
foxpup.ru
foxzit.ru
fungin.ru
galhog.ru
gaplab.ru
gaspup.ru
getitbigz.com
gindad.ru
grainlanguage.com
gunbog.ru
gundew.ru
gunyou.ru
gutice.ru
guypub.ru
hitpeg.ru
icehog.ru
inkion.ru
ionpit.ru
jarsax.ru
jarsun.ru
jellygoat.com
kidaxe.ru
labtin.ru
landchin.com
languageawake.com
languagefeeble.com
legfox.ru
maprib.ru
medialine3.com
mefox.ru
mekey.ru
menjar.ru
mickid.ru
miczit.ru
mixmat.ru
momcar.ru
mudcar.ru
mudpad.ru
mumtow.ru
mumute.ru
nutamp.ru
nuteye.ru
nutgas.ru
oilmom.ru
oldyak.ru
padink.ru
padmix.ru
paldad.ru
paltag.ru
panwar.ru
pawego.ru
pawtv.ru
pawyou.ru
pegcan.ru
penislargechat.ru
penislargebrain.ru
penislargeforex.ru
penislargegreen.ru
penislargeproperty.ru
petbay.ru
piespa.ru
pigegg.ru
pitbed.ru
pitegg.ru
podspa.ru
pubmix.ru
puppub.ru
raptap.ru
replicaswatchcash.ru
replicaswatchcloud.ru
replicaswatchclub.ru
replicaswatchdog.ru
replicaswatchfish.ru
replicawatch4you.com
ribale.ru
rimpub.ru
ripwax.ru
rowpen.ru
rowpup.ru
saxegg.ru
saxelf.ru
saxeye.ru
seebun.ru
skysum.ru
slimmonth.com
soddot.ru
sodjar.ru
sodleg.ru
sodtap.ru
sodtea.ru
sonbar.ru
sonlip.ru
sontax.ru
sumbus.ru
tablip.ru
tabmud.ru
tabpit.ru
tagbox.ru
taghog.ru
tapute.ru
tarbat.ru
tarwit.ru
taxwit.ru
teaspa.ru
tiebag.ru
tinpie.ru
tipwit.ru
toekid.ru
tubweb.ru
ukolfyg.ru
usefax.ru
vadeixr.ru
waxsax.ru
webtar.ru
wigweb.ru
world3newz.com
yaktab.ru
zenwit.ru
zitcow.ru
zitlab.ru
zooyou.ru

Hostnames neighbor for 200.63.45.11

accesspharmacy.ru
buymedicines.ru
compu-pharmacy.ru
compupharmacy.ru
connect-pharmacy.ru
connectpharmacy.ru
cyber-medicines.ru
cyberpharmacy.ru
deeperwinnings.com
direct-medsshop.ru
direct-pharmacy.ru
directpharmacy.ru
directrxhere.ru
domain-pharmacy.ru
e-card-greeting.com
e-cards-fast.ru
ecard2011.ru
ez-pharmacy.ru
ezmedicines.ru
ezpharmacy.ru
faster-ecard.ru
hiddendate.com
hotmedicines.ru
hotpharmacy.ru
internet-pharmacy.ru
internetpharmacy.ru
mail.rxfromhome.com
mega-pharmacy.ru
megapharmacy.ru
new-ecard.ru
paylessrx.ru
propharmacy.ru
shop-medsdirect.ru
uptodowner.com
usatermlifequoter.com
www.direct-medsshop.ru
www.e-cards-fast.ru
www.megapharmacy.ru
www.shop-medsdirect.ru
www.special-e-card4you.com
your-ecard-here.ru
yourlifequotesterm.com

Hostnames neighbor for 31.11.43.24

admin.pillcorrectpharmacyrx.net
admin.pillsvx.net
admin.sussuhlywn.com
admin.suyquylfe.net
admin.tabdiet.com
admin.tabdrugstoretablets.net
admin.tabhealthospital.com
admin.tabletcvs.com
admin.tabletshealthdrugstoreguide.net
admin.tabletspharmacytabs.net
admin.tabletspillsmercola.com
admin.tabletsspecialtypharmacymeds.com
admin.tablettorontorxmeds.ru
admin.tabpause.com
admin.tabstabletspharmacy.ru
admin.taxlnesslevitra.com
admin.taxtrapharmacy.com
admin.taxtrarx.com
admin.tevasviagra.com
admin.thepurplepills.ru
admin.thijgobqux.com
admin.totalpharmacyrx.ru
admin.touchpadiet.com
admin.treatmentsdrugstorepharmacy.net
admin.treatmentspharmacytablets.net
admin.trenomdys.com
admin.uhlyjywke.com
admin.veczedfeyd.com
admin.veczedfeyd.net
admin.viagrapatients.com
admin.vmedall.com
admin.walgreenspharmacyrxmeds.com
admin.welnesshealthcare.com
admin.welnesslevitrainc.com
admin.welnessmedical.com
admin.welnessmedicare.com
admin.wikihealthospital.com
admin.wikimedicare.com
admin.wikiovercharge.com
admin.workoutwelnessdiet.com
admin.wyjterqus.com
admin.xumcoycdead.net
admin.yofgeptu.com
admin.zagbevgoqe.com
mail.pillsvx.net
mail.rxbiological.com
mail.sussuhlywn.com
mail.tabdiet.com
mail.tabdrugstoretablets.net
mail.tabhealthospital.com
mail.tabletcvs.com
mail.tabletpharmacyhealthmedicare.com
mail.tabletshealthdrugstoreguide.net
mail.tabletsleepingpillsdrugstore.com
mail.tabletsleepingpillsdrugstore.net
mail.tabletspharmacytabs.net
mail.tabletspillsmercola.com
mail.tabletsspecialtypharmacymeds.com
mail.tabpause.com
mail.tabstabletspharmacy.ru
mail.taxlnesslevitra.com
mail.taxtrapharmacy.com
mail.taxtrarx.com
mail.totalpharmacyrx.ru
mail.touchpadiet.com
mail.treatmentspharmacytablets.net
mail.uhlyjywke.com
mail.veczedfeyd.net
mail.viagrapatients.com
mail.walgreenspharmacyrxmeds.com
mail.welnesshealthcare.com
mail.welnesslevitrainc.com
mail.welnessmedical.com
mail.welnessmedicare.com
mail.wikihealthospital.com
mail.wikimedicare.com
mail.wikiovercharge.com
mail.wineherbalmeds.com
mail.workoutwelnessdiet.com
mail.xmedonline365.net
mail.xuhtuivtict.com
mail.xumcoycdead.net
ns1.qufkadzolv.com
ns1.realmed-plus.net
ns1.sussuhlywn.com
ns1.suyquylfe.net
ns1.trenomdys.com
ns1.twozefukl.com
ns1.uhlyjywke.com
ns1.veczedfeyd.com
ns1.veczedfeyd.net
ns1.vmedall.com
ns1.xuhtuivtict.com
ns1.yajpoxwes.com
ns1.zagbevgoqe.com
ns2.pillsvx.net
ns2.sussuhlywn.com
ns2.suyquylfe.net
ns2.trenomdys.com
ns2.vmedall.com
ns2.wyjterqus.com
ns2.xmedonline365.net
ns2.xuhtuivtict.com
ns2.xumcoycdead.net
ns2.zagbevgoqe.com
pillscifi.com
prescriptioncounterpunch.com
ratsed.com
rxgenericsdrug.com
tabhealthospital.com
tabletcanadandroid.com
tabletmedsomma.net
tabletprecisionpharmacyrx.net
tabletrxdrugstoreomma.net
tabletsmedshealth.com
tabletsmedshealthcare.net
tabletsmedshealthnook.net
tabletspharmacytabs.net
tabletspillsexpress.com
tabletspillshealth.com
tabletsrxmedsomma.net
tablettorontorxmeds.ru
taxlnesslevitra.com
taxtrarx.com
techbuypills.ru
techmedicinepills.ru
techhealth.ru
tlezuidce.com
tradhyvy.com
tradhyvy.net
tyqugilac.com
ufpfk.ru
unixmedsdrugstore.net
vasmiklet.com
veczedfeyd.net
vomiccalhe.com
vzaclulqumb.com
walgreenspillsdrugstore.net
wikigenerics.com
wikimedicalpatients.com
wikimedicare.com
wrimvysry.com
wrimvysry.net
www.svalopras.com
www.tabletsrxmedsomma.net
www.tnacj.ru
www.ugff.ru
www.ugfj.ru
www.umdgv.ru
www.upfzl.ru
www.wygpufli.com
www.vasmiklet.com
www.zudiqwolo.com
xarneidr.com
xopnymjurh.com
yajpoxwes.com
yavtiomy.com
yofgeptu.com
yogilqugja.com
yukeufmiti.com
zagbevgoqe.com
zdiafuyfqe.com

Hostnames neighbor for 86.55.243.25

amazingsize.ru
bigpenisll.ru
bigpenisrf.ru
bigpenissu.ru
bigpenisti.ru
bigsizeac.ru
bigsizehn.ru
buypenispass.ru
client25.zaininter.net
crisrays.ru
dlikdele.ru
dvovojzo.ru
extra-ordinary.ru
extraviagrow.com
gatecelest.ru
go-tomeeting.ru
growlong.ru
huge-manhood.ru
illusioniste.ru
importheavy.ru
inpantshardd.com
intensemedium.ru
joinfast.ru
life-mania.ru
mail.bebiggers.com
mail.bigsizehn.ru
mail.blwomenow.com
mail.buypenisface.ru
mail.cheapenlarger.com
mail.cheerspenis.com
mail.crisrays.ru
mail.dildobiger.com
mail.dlikdele.ru
mail.dvovojzo.ru
mail.extraviagrow.com
mail.growlong.ru
mail.growsfasts.com
mail.inchezlarged.com
mail.increasepenisplaty.ru
mail.increasepenisroan.ru
mail.joinfast.ru
mail.masterviagrow.com
mail.menlydicks.com
mail.minixmaxy.com
mail.mostgrow.com
mail.mynewsviagra.com
mail.newsviagrowerz.com
mail.penisgrowcare.ru
mail.penisgrowkids.ru
mail.penisgrowshopping.ru
mail.penisprosell.ru
mail.penisproteen.ru
mail.penisselect.com
mail.penissizeaverse.ru
mail.penissizeaxenic.ru
mail.penissizecosey.ru
mail.powerhuger.com
mail.rvolivec.ru
mail.rx-newsviagrows.com
mail.shopenlarge.com
mail.soldsviagrows.com
mail.stephuge.com
mail.superlarge.ru
mail.via-growth.com
mail.viagradrinker.com
mail.viagrasgrows.com
mail.viagrower.ru
mail.viagrowerz.com
mail.viagrowstore.com
mail.voukluci.ru
mail.vzpodska.ru
mail.wondershuge.com
mail.wonderviagrow.com
mail.wowmonster.ru
mail.zlojzori.ru
manhoodbig.ru
menlydicks.com
minixmaxy.com
nightdeep.ru
penissizecosey.ru
root.bigsizehn.ru
root.dlikdele.ru
root.rvolivec.ru
rvolivec.ru
sexypenis.ru
stephuge.com
viagrowstore.com
voukluci.ru
vzpodska.ru
wonderviagrow.com
zlojzori.ru

Hostnames neighbor for 86.55.243.28

mail.couturewatches.ru
mail.luxury2shop.com
mail.newscouturee.com
mail.replicabuyme.com
mail.replicastoreshop.ru
mail.richcoutures.com
mail.toperect.ru
mail.watchforless.info
replicastorenet.ru
root.toperect.ru
toperect.ru

Zeus Trojan in depth by TrustDefender Labs

2011-10-02T20:13:00.000-07:00

TrustDefender Labs posted in-depth report for “Zeus Trojan Update – New Variants based on leaked Zeus Source Code” by Alex Shipp / Andreas Baumhof.

Three variants were released to improve malware within few weeks which consists ICE IX, Registry Storage Version and RC4 replaced with AES.

************************************

1 Introduction

When the source code of the Zeus Trojan (v.2.0.9.8) leaked into the public in April this year, it was clear that this will have some serious implication for the security industry. At the time, there was speculation that this would result in a large amount of new variants, as malware writers got hold of the code and started work on their own versions.
After a period of silence, we have seen at least three new variants based on the leaked Zeus source code appearing within the last couple of weeks. None of the three variants modified the core of the Zeus code; all of them focused on AV evasion and making sure that security researchers/tools cannot easily decrypt the configuration files.
The configuration files define what a Zeus Trojan does, and are therefore the holy grail to each Trojan.
In this report, we look into great detail with respect to these new variants and what changes were introduced.
The Zeus Trojan is complicated, with more than 600 subroutines. Rather than examine the entire code for changes, this research just looks at the processes involved in obtaining a decoded configuration file. This is a useful benchmark for a researcher, because the information we are usually interested in are the sites under attack by any particular copy of Zeus, and any custom code used in those attacks. Both these pieces of information are contained in the configuration file, which is encrypted.

READ MORE HERE

CVE-2011-3192 - Apache Killer DoS Vulnerability and Patch

2011-09-29T07:27:00.000-07:00

Byterange filter in Apache HTTP Server prior to HTTP Server 2.2.20 allow remote attackers to cause Denial of Service ( DoS ) which cause memory and CPU consumption , exploited in the wild in August 2011.

As patch for this vulnerability been released by Apache last week. Prior to official patch, there have solution was suggested and discussed to mitigate this problem.

Official Mitigation by Apache (https://httpd.apache.org/security/CVE-2011-3192.txt), Web administrators who use Apache HTTP Server are advised to apply the patch as soon as possible.

Mitigation:

===========

There are several immediate options to mitigate this issue until a full fix

is available. Below examples handle both the 'Range' and the legacy

'Request-Range' with various levels of care.

Note that 'Request-Range' is a legacy name dating back to Netscape Navigator

2-3 and MSIE 3. Depending on your user community - it is likely that you

can use option '3' safely for this older 'Request-Range'.

0) Consult http://httpd.apache.org/security/CVE-2011-3192.txt for the most

recent information (as this is the final advisory).

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then

either ignore the Range: header or reject the request.

Option 1: (Apache 2.2, requires mod_setenvif and mod_headers)

# Drop the Range header when more than 5 ranges.

# CVE-2011-3192

SetEnvIf Range (?:,.*?){5,5} bad-range=1

RequestHeader unset Range env=bad-range

# We always drop Request-Range; as this is a legacy

# dating back to MSIE3 and Netscape 2 and 3.

RequestHeader unset Request-Range

# optional logging.

CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Above may not work for all configurations. In particular situations

mod_cache and (language) modules may act before the 'unset'

is executed upon during the 'fixup' phase.

Option 2: (Pre 2.2, requires mod_rewrite and mod_headers)

# Reject request when more than 5 ranges in the Range: header.

# CVE-2011-3192

RewriteEngine on

RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]

RewriteRule .* - [F]

# We always drop Request-Range; as this is a legacy

# dating back to MSIE3 and Netscape 2 and 3.

RequestHeader unset Request-Range

The number 5 is arbitrary. Several 10's should not be an issue and may be

required for sites which for example serve PDFs to very high end eReaders

or use things such complex http based video streaming.

WARNING These directives need to be specified in every configured

vhost, or inherited from server context as described in:

http://httpd.apache.org/docs/current/mod/mod_rewrite.html#vhosts

2) Use mod_headers to completely dis-allow the use of Range headers:

RequestHeader unset Range

Note that this may break certain clients - such as those used for

e-Readers and progressive/http-streaming video.

Furthermore to ignore the Netscape Navigator 2-3 and MSIE 3 specific

legacy header - add:

RequestHeader unset Request-Range

Unlike the commonly used 'Range' header - dropping the 'Request-Range'

is not likely to affect many clients.

4) Deploy a Range header count module as a temporary stopgap measure.

A stop-gap module which is runtime-configurable can be found at:

http://people.apache.org/~fuankg/httpd/mod_rangecnt-improved/

A simpler stop-gap module which requires compile-time configuration

is also available:

http://people.apache.org/~dirkx/mod_rangecnt.c

Exploit:
For study and researching purpose, source code for this vulnerability can be obtained from "CVE-2011-3192 (“Apache Killer”) Exploit in Ruby", "Apache HTTP Server Byte Range DoS Manual Check" and PoC for this exploit code by Exploit-db.com

Mozilla Firefox 7 Released!

2011-09-27T20:22:00.000-07:00

Mozilla, a global, non-profit organization dedicated to making the Web better, today released an update to Firefox for Windows, Mac and Linux. Mozilla Firefox provides a speedy Web browsing experience for users and new tools to help developers create faster websites and Web apps.

Firefox manages memory more efficiently to deliver a nimble Web browsing experience. Users will notice Firefox is faster at opening new tabs, clicking on menu items and buttons on websites. Heavy Internet users will enjoy enhanced performance when lots of tabs are open and during long Web browsing sessions that last hours or even days.

New tools in Firefox make it easier for developers to build snappy Web experiences for users. A new version of hardware-accelerated Canvas speeds up HTML5 animations and games in Firefox. This allows developers to build more compelling and interactive Web experiences like Angry Birds or Runfield.

Firefox now supports the W3C navigation timing spec API so developers can measure page load time and website navigation against bandwidth speed, website traffic and other factors. This API allows developers to test user experiences remotely and easily and quickly optimize websites and Web apps for different types of users.

To help improve future versions of Firefox, users can opt in to Telemetry. Telemetry is a tool built on Mozilla Privacy Principles that allows users to provide anonymous browser performance data in a private and secure way that they control.

New users can head to the Firefox 7 download page (http://www.firefox.com/)

Reference: Mozilla Website

Phishing Email Scams targets Blizzard WOW

2011-09-27T18:33:00.000-07:00

Battle.net, the largest net gaming service, was launched by Blizzard in 1997. For years it has hosted online play for games like Diablo, Warcraft and Starcraft.

Victims of the scam are sent an email purporting to be from Battle.net, requesting a confirmation of the user’s login information. Users are directed to a fake website designed to look like Battle.net, where they are asked to log in. From there, their information is presumably stolen.

World of Warcraft’s popularity makes it a popular target for phishing scams. Blizzard recently announced that the game had 12 million players worldwide. Blizzard’s policy states that its employees will never request a player’s password.

Email Spam URL:
-hxxxp://www.newsletteraccount.net/login/en/login.html.asp?ref=https://us.battle.net/account/management/index.xml&app=bam

-hxxxp://us-account.net/login/en/login.html.asp?ref=https://us.battle.net/account/management/index.xml&app=bam

-hxxxp://us.battle.net.en.eg-wlk.in/login/en/login.html.asp?ref=https://us.battle.net/account/management/index.xml&app=bam

-hxxxp://us.battle.net.wow-admin.net/

-hxxxp://usadminaccount.in/

-hxxxp://admin-wow.net/

-hxxxp://www.admin-wow.net/

Email Phishing format 1

Email Phishing format 2

Email Phishing format 3

Email Phishing format 4

Fake Battle.net

IP neighbor for newsletteraccount.net (173.234.243.61):

517ks.com

admin-wow.net

anshan521.com

at853.com

at853.net

catuba.org

game-10086.com

host64.yydns.net

newsletteraccount.net

wouting.net

www.at853.com

www.at853.net

www.blizzard-battle.net

www.dgut0769.com

www.jade-china.com

www.jn12315.com

www.newsletteraccount.net

IP neighbor for us.battle.net.en.eg-wlk.in (173.208.131.218):

18023.net

admin.zupingan.com

us.battle.net.en.eg-wlk.in

webmaster.zupingan.com

IP neighbor for usadminaccount.in (173.234.243.61):

517ks.com

admin-wow.net

anshan521.com

at853.com

at853.net

catuba.org

game-10086.com

host64.yydns.net

newsletteraccount.net

wouting.net

www.admin-wow.net

www.at853.com

www.at853.net

www.blizzard-battle.net

www.dgut0769.com

www.jade-china.com

www.jn12315.com

www.newsletteraccount.net

us.battle.net.worldofwarcraft.com.admin-war.net

us.battie.net.en.funshud.co.cc

IP neighbor for us.battle.net.wow-admin.net (173.208.131.221):

IP neighbor for usadminaccount.in (173.208.131.220):

Updated: 2-Oct-11
hxxxp://us.battle.net.worldofwarcraft.com.admin-war.net/ - IP Address: 173.234.243.61
hxxxp://us.battie.net.en.funshud.co.cc/ - IP Address: 173.234.243.61

TLS 1.2 in Windows 7

2011-09-27T00:32:00.000-07:00

There have few discussion about vulnerability in TLS ( Transport Layer Security ) v1.0 recently, there have security concern over TLS 1.0 when two researchers are demostrating their method "BEAST" to bypass and breaking an encrypted PalPal cookies during Ekoparty conference. This topic also posted in THE REGISTER - "Hackers break SSL encryption used by millions of sites - Beware of BEAST decrypting secret PayPal cookies"

This attack only works for communication encrypted with TLS 1.0 or less version. Currently there have two client browsers support TLS 1.2 which Opera and IE9 only.

By Default, Windows 7 support TLS 1.1 and TLS 1.2 protocol. To enable the use of protocols that will not negotiated by default.Change the DWORD value data of the DisabledByDefault value to 0x0 in each of the following registry keys under Protocols key.

SCHANNEL\Protocols\TLS 1.1\Client
SCHANNEL\Protocols\TLS 1.1\Server
SCHANNEL\Protocols\TLS 1.2\Client
SCHANNEL\Protocols\TLS 1.2\Server

Those Subkey are located under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL "

Details about thoe to Restrict the Use of Certain Cryptographic Algorithms can be found from Microsoft Support. http://support.microsoft.com/kb/245030

To verify the changes, you may try to test it out on few TLS interop servers in internet.

http://www.mikestoolbox.org - Detect client browser TLS version.
http://tls.secg.org/index1.php?action=preconnect - Certicom’s interop server which shows you details about the entire handshake.
http://tls.woodgrovebank.com - Microsoft’s TLS interop server

Updated 13-Oct-2011:

Apple iOS 5 added support for TLS1.2

mysql.com javascript compromised with malicious code

2011-09-26T22:41:00.000-07:00

Few researchers from Armorize Malware Blog have found mysql.com was compromized with hosting malicious codes. The malicious code was injected to .js file which can be obtained from here.

Basically the decoded script point to "hxxxp://falosfax.in" which will redirecting "302 protocol" to final exploiting websites "hxxxp://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php". The truruhfhqnviaosdpruejeslsuy.cx.cc exploiting client browers plugin like Adobe PDF, Flash, Java and executable malware file.

Right now, the "s_code_remote.js" is clean after removing the code.

READ FULL HERE

Mebromi rootkit - BIOS Threat in wild

2011-09-16T07:45:00.000-07:00

Researcher from Webroot and Symantec posted about Mebromi rootkits findings. This is first ever BIOS rootkit Mebromi spread in wild. I am not sure how many of PC infected before the finding, I better switched to better OS. :)

**********************************

There are more and more known viruses that infect the MBR (Master Boot Record). Symantec Security Response has published a blog to demonstrate this trend last month. However, we seldom confront with one that infects the BIOS. One of them is the notorious CIH appeared in 1999, which infected the computer BIOS and thus harmed a huge number of computers at that time. Recently, we met a new threat named Trojan.Mebromi that can add malicious components into Award BIOS which allows the threat to take control of the system even before MBR.
The threat will drop a driver to %system%\drivers\bios.sys, then stop the beep service and replace %system%\beep.sys with the dropped one. After that it restarts beep service to load the dropped driver.
bios.sys is used to interact with BIOS such as get BIOS info, flash and backup BIOS.

By using bios.sys, the threat will check whether the compromised computer is using Award BIOS. If so, it will save existing BIOS to c:\bios.bin and check whether it is already infected:

READ FULL HERE

*******************************

In the past few weeks a Chinese security company called Qihoo 360 blogged about a new BIOS rootkit hitting Chinese computers. This turned to be a very interesting discovery as it appears to be the first real malware targeting system BIOS since a well-known proof of concept called IceLord in 2007. The malware is called Mebromi and contains a bit of everything: a BIOS rootkit specifically targeting Award BIOS, a MBR rootkit, a kernel mode rootkit, a PE file infector and a Trojan downloader. At this time, Mebromi is not designed to infect 64-bit operating system and it is not able to infect the system if run with limited privileges.
The infection starts with a small encrypted dropper that contains five crypted resource files: hook.rom, flash.dll, cbrom.exe, my.sys, bios.sys. The goal of these files will be presented later in this analysis.
The infection is clearly focused on Chinese users, because the dropper is carefully checking if the system it’s going to infect is protected by Chinese security software Rising Antivirus and Jiangmin KV Antivirus. To gain access to the BIOS, the infection first needs to get loaded in kernel mode so that it can handle with physical memory instead of virtual memory.
Many of you may recall the old CIH/Chernobyl infection, the infamous virus discovered in 1998 that was able to flash the motherboard BIOS, erasing it. Even CIH needed to gain kernel mode access to reach the BIOS, though at the time the virus was exploiting a privilege escalation bug in Windows 9x operating system which allowed it to overwrite the Interrupt Descriptor Table with its own payload from user mode, then triggering the overwritten interrupt handler and its malicious code is executed in kernel mode. Mebromi does not use such kind of privilege escalation trick anymore, it just needs to load its own kernel mode driver which will handle the BIOS infection. To do so, it uses two methods: it could either extract and load the flash.dll library which will load the bios.sys driver, or it stops the beep.sys service key, overwriting the beep.sys driver with its own bios.sys code, restart the service key and restore the original beep.sys code.
The bios.sys driver is the code which handle the BIOS infection. To read the BIOS code, it needs to map the physical memory located at physical memory address 0xF0000, this is where the BIOS ROM usually resides. Once read, the driver verifies if the BIOS ROM is Award BIOS, by checking the presence of the string: $@AWDFLA. If found, the driver tries to locate the SMI port that will be used by the rootkit to flash the BIOS ROM.

READ FULL HERE

Suspicious link 9-Sep-2011

2011-09-09T02:09:00.000-07:00

hxxxp://193.105.154.136/w.php?e=2&f=20
hxxxp://www.charlesandrecars.com/wp-content/zeus/ext.exe
hxxxp://gafs.at

hxxxp://posterityn71.com
hxxxp://rifepfl61.com
hxxxp://torpormvp35.com
hxxxp://209.141.60.200

TDL-4

2011-09-06T17:01:00.000-07:00

Joseph Mlodzianowski from sub0day had did great article about analysis new variant TDL-4 .It worth to read if you following TDL trends.

******************************************

Attention… You no longer have to put up with google browser search hijacks, popups or annoying spam email. The latest and greatest in trojan technology can use your computer to browse silently, visiting hundreds of websites per day earning the attacker thousands of dollars per day* (botnet). Additionally, it is capable of stealing your email, bank account and other passwords on your system as well using your computer as a proxy, and all with no intrusive popups.
This article will focus on the dissection and analysis of a new TDL-4 ”Variant” I believe I discovered. While performing the analysis, some interesting trends, data and methods the “underground” is using to evade detection and make money were uncovered.
If you’re new to TDL (TDSS variants) malware, or crimeware in general, I suggest several articles written by Sergey Golovanov from Kaspersky Lab that can be found here: http://www.securelist.com/en/userinfo/72

This Stealth trojan malware (TDL4.2) uses the victims computer to browse websites with out any signs. It doesn’t display the common browser redirects or annoying popups, which normally alert users to the fact that they are infected. TDL-4 is detectable and can be removed by Kasperskys TDSS Killer, however, this variant will download and update itself becoming undetectable. [At least for a while]
The malware is very sophisticated in that it utilizes custom encryption and has various methods in which it is capable of avoiding detection. It contains a root kit that infects the boot sector allowing it to load prior to other drivers, etc..
Proxy Service – In addition, this variant downloads and uses Socks.dll, which allows the victims system to be used as a proxy server (AWM Proxy Client), the fine people at awmproxy-dot-com created a convenient plug-in for firefox. It appears, you can purchase their service and use the plug-in to browse anonymously using tdl infected systems.

READ FULL HERE

Morto worm sets a (DNS) record (Symantec)

2011-08-31T17:53:00.000-07:00

There has been a lot of coverage of the recent RDP capable W32.Morto worm, but one of the more interesting aspects of the worm’s behavior appears to have been overlooked. Most malware that we have seen recently has some means of communication with a remote Command and Control (C&C) server. The actual vector of communication tends to vary between threats. For example, W32.IRCBot uses Internet Relay Chat channels whereas the recent high profile threat, Trojan.Downbot, is capable of reading commands embedded in HTML pages and image files. W32.Morto has added another C&C communication vector by supplying remote commands through Domain Name System (DNS) records.

DNS is primarily used to translate human readable URLs, such as “Symantec.com”, into numerical network identifiers (216.12.145.20). Every URL on the Internet is eventually resolved to an associated IP address using this system, typically using a DNS A record for IPv4. The A record is what we usually think of when we discuss DNS. These records map domain names to their associated IP addresses with a PTR record used for the inverse operation of IP to host. But DNS is not limited to these records types; there are a number of record types that have been defined in various RFCs over the years to address the changing needs of the system. The record type that W32.Morto uses for its communication protocol is the TXT record.

The DNS TXT record type was originally used to allow human readable text to be stored with a DNS record andlater evolved to store machine useable data. To experiment with this, you can use the Microsoft nslookup.exe tool. By querying the TXT record type for “Symantec.com” you can retrieve the SPF information associated with the Domain.

READ FULL HERE

DigiNotar reports security incident

2011-08-30T22:52:00.000-07:00

Topic which related to DigiNotar's SSL rouge certification were widely discuss and posted in Web post, twitter and other channel as well. DigiNotar finally officially released public announcement to clarify the incident.

*************************************

VASCO Data Security International, Inc. (Nasdaq: VDSI; www.vasco.com) today comments on DigiNotar’s reported security incident. DigiNotar is a wholly owned subsidiary of VASCO.

On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com.
Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures.
At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate.

The attack was targeted solely at DigiNotar's Certificate Authority infrastructure for issuing SSL and EVSSL certificates. No other certificate types were issued or compromised. DigiNotar stresses the fact that the vast majority of its business, including his Dutch government business (PKIOverheid) was completely unaffected by the attack.

The company will take every possible precaution to secure its SSL and EVSSL certificate offering, including temporarily suspending the sale of its SSL and EVSSL certificate offerings. The company will only restart its SSL and EVSSL certificate activities after thorough additional security audits by third party organizations.

DigiNotar actively looks for quick and effective solutions for its existing (EV)SSL customers. The company expects to have a solution for its entire customer base before the end of this business week. DigiNotar expects that the cost of this action will be minimal.

The incident at DigiNotar has no consequences whatsoever for VASCO's core authentication technology. The technological infrastructures of VASCO and DigiNotar are completely separated, meaning that there is no risk for infection of VASCO’s strong authentication business.

VASCO expects the impact of the breach of DigiNotar’s SSL and EVSSL business to be minimal. Through the first six months of 2011, revenue from the SSL and EVSSL business was less than Euro 100,000.
VASCO does not expect that the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans.

READ FULL HERE

Apple iCloud phishing attacks

2011-08-26T22:58:00.000-07:00

No surprise if Apple iCloud become of the phishing target by hacker. Below is the post by Sophos about Apple iCloud phishing attacks in details.
**************************

When a Naked Security reader forwarded us a suspicious email he received today, it served as a healthy reminder for all computer users to be on their guard against phishing attacks.

The email claims to come from Apple, and appears to have targeted our correspondent because he is a user of Apple's MobileMe service.

Apple is planning to shut down its MobileMe service in mid-2012, as it is readying its new iCloud service (which will store music, photos, calendars, documents etc in 'the cloud' and wirelessly push them to all of your devices).

Understandably, a lot of MobileMe users are interested in how they will migrate to iCloud and this is the issue that the phishing email uses as bait.

Subject:

Welcome to iCLOUD

Message body:

Important information for MobileMe members.
Dear MobileMe member,
Please sign up for iCloud and click the submit botton, you'll be able to keep your old email address and move your mail, contacts, calendars, and bookmarks to the new service.
Your subscription will be automatically extended through July 31, 2012, at no additional charge. After that date, MobileMe will no longer be available.
Click here to update iCLOUD
Sincerely,
The Apple store Team

Apache Web Server Vulnerable CVE-2011-3192

2011-08-26T22:39:00.000-07:00

Apache Software Foundation announced their Apache Web Server (Httpd) vulnerable (CVE-2011-3192) to attack. According to source, the attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on the server. Patch to fix vulnerability is expected to release by another 46 Hours.

Luckily, there have mitigation steps are in place to counter the attack while waiting for patch to fix the vulnerable Httpd.

Mitigation Steps:

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
either ignore the Range: header or reject the request.

Option 1: (Apache 2.0 and 2.2)

# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Option 2: (Also for Apache 1.3)

# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]

The number 5 is arbitrary. Several 10's should not be an issue and may be
required for sites which for example serve PDFs to very high end eReaders
or use things such complex http based video streaming.

2) Limit the size of the request field to a few hundred bytes. Note that while
this keeps the offending Range header short - it may break other headers;
such as sizeable cookies or security fields.

LimitRequestFieldSize 200

Note that as the attack evolves in the field you are likely to have
to further limit this and/or impose other LimitRequestFields limits.

See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize

3) Use mod_headers to completely dis-allow the use of Range headers:

RequestHeader unset Range

Note that this may break certain clients - such as those used for
e-Readers and progressive/http-streaming video.

4) Deploy a Range header count module as a temporary stopgap measure:

http://people.apache.org/~dirkx/mod_rangecnt.c

Precompiled binaries for some platforms are available at:

http://people.apache.org/~dirkx/BINARIES.txt

5) Apply any of the current patches under discussion - such as:

http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3cCAAPSnn2PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g@mail.gmail.com%3e

Another latest research from Netcraft about Web Server Survey, it indicates Apache Web Server still dominate compare to other Web Server (like ngix, Microsoft, Google). It also potentially leaving up 65.86% Apache Web Server vulnerable (CVE-2011-3192) to DoS attack.

Facebook Makes a Move Toward Security

2011-08-26T22:18:00.000-07:00

Facebook recently published a guide for it's users on how to secure their online accountsfrom anything that threatens one's Facebook security. Among those covered are Wall, Chat, and Comment spams, weak passwords, fake applications, and account hacking. Personally, I'm quite happy that Facebook is actually doing something that concerns user security, despite it being quite late come to think about it. Still, better to have something than nothing.

The document guide contains practical tips and cases to illustrate the gravity of the attack if ignored. It also has some great, agreeable points that make it a good reference anyone can recommend to their friends and family who are on Facebook. Feel free to download here and distribute.

READ MORE HERE

Follow Me Not - Microblog SEO Study (Websense)

2011-08-26T22:12:00.000-07:00

With the release of Social Web Control, Websense Security Labs™ looks at the growing trend of how you can optimize your popularity ranking on social Web sites such as Twitter and Sina's Weibo.

Marketeers are heavily tuning social Web sites for Search Engine Optimization (SEO) in a similar way to standard Web sites, where SEO is still the primary source of information traffic. In parallel, cyber-criminals also use BlackHat SEO to spread malware. A high social Web ranking is becoming an important tool to receive constant exposure and get messages out to the desired target audiences, hence the race from both personal and business microblog users to boost their recognition. To attract or to be featured on microblog platforms, you need a very large follower base in a very short time.

Weibo.com, being one of the largest microblog platforms in China with over 200 million users, attracted a different kind of user. Seeing potentially unlimited business opportunities, many users were spoofing as famous companies and celebrities to publish false messages to the public. Weibo recently enforced true identity verification as identify theft became an increased problem. To counter this, ranking "smoke-screen" services are popping up, leading to the idea to "Shua Fen": purchase followers. The screenshot below shows 2 Weibo accounts with avatars advertising services for "Microblog, get thousands of followers", and "Paid Followers and get verified".

READ MORE HERE