Unidentified hackers are said to have launched a large-scale attack against WordPress blogs, and any hosts using weak passwords are urged to update them immediately.

Security analysts have detected an ongoing attack that uses a huge number of computers from across the Internet to commandeer servers that run the WordPress blogging application.

The unknown people behind the highly distributed attack are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems, researchers from at least three Web hosting services reported. At least one company warned that the attackers may be in the process of building a "botnet" of infected computers that's vastly stronger and more destructive than those available today. That's because the servers have bandwidth connections that are typically tens, hundreds, or even thousands of times faster than botnets made of infected machines in homes and small businesses.

"These larger machines can cause much more damage in DDoS [distributed denial-of-service] attacks because the servers have large network connections and are capable of generating significant amounts of traffic," Matthew Prince, CEO of content delivery network CloudFlare, wrote in a blog post describing the attacks.



Jason writes to tell us that his firewall is dropping 600-700 packets per second with IP protocol 61 (not port 61). He hasn't been able to capture full packets yet but is working on it.

This looks very much like corrupt packets, perhaps the result of a DoS upstream or a broken attack tool. If anybody sees something similar, please let us know (and we really like full packets).

The source IP addresses are and (again, odd addresses... )

Here are some anonymized firewall logs from Jason:

	2013-04-12 00:00:00 firewall %ASA-3-106010: Deny inbound protocol 61 src outside: dst outside:xxx.xxx.xx6.1
	2013-04-12 00:00:00 firewall %ASA-3-106010: Deny inbound protocol 61 src outside: dst outside:xxx.xxx.xx6.1
	2013-04-12 00:00:00 firewall %ASA-3-106010: Deny inbound protocol 61 src outside: dst outside:xxx.xxx.xx8.1
	2013-04-12 00:00:00 firewall %ASA-3-106010: Deny inbound protocol 61 src outside: dst outside:xxx.xxx.xx8.1
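
As an added example (my own code, not from the diary, from Jason or from Cisco), here is a short Python script that parses %ASA-3-106010 "Deny inbound protocol" lines like the ones above and flags any second in which a protocol other than TCP or UDP is denied at more than a chosen packets-per-second threshold, so a burst like the 600-700 pps of protocol 61 reported here stands out. The log lines it runs on are constructed to mimic the anonymized lines above (source address blanked, destinations masked); the protocol-number table is a small subset of the IANA registry, in which 61 is the "any host internal protocol" slot rather than anything you would expect from the Internet.

```python
"""Spot bursts of denied packets for an unexpected IP protocol in Cisco ASA syslog.

Added example: the parsing and thresholds are my own, not Cisco tooling or code
from the ISC diary. make_sample_log() builds constructed lines shaped like the
anonymized %ASA-3-106010 output in the diary (source address elided).
"""
import re
from collections import Counter

# ASA message 106010: "Deny inbound protocol <num> src <if>:<addr> dst <if>:<addr>".
# In the diary's lines the source address is blanked, so <addr> may be empty.
ASA_106010 = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-(?P<sev>\d)-106010: Deny inbound protocol (?P<proto>\d+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>\S*) dst (?P<dst_if>[^:\s]+):(?P<dst>\S*)$"
)

# Subset of IANA-assigned IP protocol numbers; 61 is a reserved slot, not a real protocol.
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH",
                61: "any host internal protocol"}


def parse_asa_deny(line):
    """Return the fields of one 106010 line as a dict, or None for any other line."""
    m = ASA_106010.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = int(rec["proto"])
    rec["sev"] = int(rec["sev"])
    return rec


def protocol_name(num):
    """Human-readable name for an IP protocol number, or a marker for unknown ones."""
    return IP_PROTOCOLS.get(num, f"unassigned/unknown ({num})")


def count_per_second(lines):
    """Map (timestamp_second, protocol) -> number of denied packets in that second."""
    counts = Counter()
    for line in lines:
        rec = parse_asa_deny(line)
        if rec:
            counts[(rec["ts"], rec["proto"])] += 1
    return counts


def find_bursts(lines, threshold_pps, ignore=(6, 17)):
    """Return sorted [(second, proto, pps)] where a protocol outside `ignore`
    (by default TCP and UDP, which are denied all day on any edge firewall)
    reaches threshold_pps denied packets within one second."""
    bursts = [(ts, proto, n) for (ts, proto), n in count_per_second(lines).items()
              if proto not in ignore and n >= threshold_pps]
    return sorted(bursts)


def make_sample_log():
    """Constructed lines shaped like the diary's anonymized output (not real traffic)."""
    tmpl = ("2013-04-12 {ts} firewall %ASA-3-106010: Deny inbound protocol {p} "
            "src outside: dst outside:{d}")
    lines = []
    # One second with a burst comparable to the 600-700 pps Jason reported...
    lines += [tmpl.format(ts="00:00:00", p=61, d="xxx.xxx.xx6.1") for _ in range(330)]
    lines += [tmpl.format(ts="00:00:00", p=61, d="xxx.xxx.xx8.1") for _ in range(320)]
    lines += [tmpl.format(ts="00:00:00", p=17, d="xxx.xxx.xx6.1") for _ in range(40)]
    # ...then a quiet second, plus an unrelated message the parser must skip.
    lines += [tmpl.format(ts="00:00:01", p=61, d="xxx.xxx.xx6.1") for _ in range(3)]
    lines.append("2013-04-12 00:00:01 firewall %ASA-6-302013: Built inbound TCP connection (constructed)")
    return lines


if __name__ == "__main__":
    for ts, proto, pps in find_bursts(make_sample_log(), threshold_pps=100):
        print(f"{ts}: {pps} pps of IP protocol {proto} ({protocol_name(proto)}) denied")
```

Against the constructed sample this reports the 650 protocol-61 denies in the first second and stays silent about the 40 UDP denies and the three stray packets a second later. Feeding it a real ASA syslog export instead of make_sample_log() is a one-line change, and the same (second, protocol) counter is what you would chart to see whether a flood like this is steady or bursty.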

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

------------------------------ BEGIN OF WARNING SECTION ------------------------------

This diary has live malware links, so be careful if you decide to access them.

------------------------------ END OF WARNING SECTION ------------------------------

Spammers are busy this week in my country! Today, April 11, 2013, I received a spam message claiming to be a promotion from the biggest retail company in the country and stating that they are giving away debit cards for US$274.54 for free.

SCAM from Almacenes Exito

This link points to http://katiepriceuk.com/wp-content/gallery/ecards/www.exito.com.tarjetaderegalo.php. Having a look with Wireshark shows the following:

First redirect from malicious site

This looks like a vulnerable WordPress site that was modified with a redirect injection. The second one looks like a hacked Drupal site with a compromised FCKeditor module. See below:

Malware Location

MD5 for the downloaded zip file is 11da149ca99f2cc9f64c5e4fca76a9f1. The following are the zip content details:

After analyzing this little thing, it turned out to be a Koobface variant. The VirusTotal detection rate is pretty high (36/42), but as I stated in my previous diary, too many people around here do not like to install security controls on their computers, either because the controls do not let them use insecure programs or because they think that investing in antimalware / HIPS licenses is not worth it.

If you are in Colombia, please remember that cybercrime is rising: local computer criminals are disseminating malware that specifically targets the banking software of local banks (Bancolombia, Grupo Aval, Corpbanca, ...) and, of course, every web session in which you use your banking information on personal banking or payment sites. You will do yourself a favor if you invest in basic security controls for your computer, such as:

  • Firewall software: Windows Firewall is good but lacks the advanced functions that can really enhance the protection of your information assets.
  • Antimalware: Remember that there is a great deal of malicious software out there, and much of it is not an .exe file but content delivered through websites. You need protection against malicious JavaScript, Flash applets, Java applets, PDFs and so on.
  • Host IPS: Most 0-day vulnerabilities can be caught with this protection, since it detects buffer overflows and the common malicious operations that exploits perform to gain privileges or carry out malicious tasks on your computer.


Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
e-mail: msantand at isc dot sans dot org

Lyft and Sidecar may be the kings of ridesharing right now, but Uber is coming up in the rearview mirror.
As co-president of Oracle, Mark Hurd is tasked with selling an ever-increasing array of new software and hardware products, such as the Exadata database machine and Fusion Applications, while figuring out how to keep the company's vast installed base happy and fending off competition from the likes of SAP.
Cloud hosting provider Rackspace Hosting is striking back against patent holder Rotatable Technologies, a Texas company that has filed patent infringement cases against more than a dozen companies in the past year.
The memory market is feeling the effects of a fall in PC shipments with the subsequent stabilization of DRAM prices, which industry observers say will delay the wide adoption of the upcoming DRAM called DDR4.
Facebook Home, which doesn't replace the Android OS but sits on top of it, includes a family of Facebook-focused apps and also works with the apps a user already has on her phone.
MetroPCS has pushed back a hotly anticipated shareholder meeting that will decide the fate of the carrier's proposed merger with T-Mobile USA.
For some reason, Silicon Valley's titans are encouraging Mark Zuckerberg to lead the charge on immigration visas. It's an odd choice.
Microsoft today urged Windows 7 users to uninstall a patch shipped earlier this week that has crashed customers' PCs and crippled the machines with endless reboots.
VLC Media Player ASF File Handling Buffer Overflow Vulnerability
RubyGems kelredd-pruview Multiple Remote Command Injection Vulnerabilities
Tweets may soon have beats. Twitter appears to be readying its own music application designed to let users discover new artists and songs based on trending activity on the site.
Several signs are pointing to Twitter launching a new music app, and speculation has the company unveiling it Friday.
A new survey suggests that large data centers might be less energy efficient than was previously thought.
BlackBerry's recent launch of the Z10 smartphone and the upcoming Q10 qwerty device were intended to put the company back on solid ground, but BlackBerry seems to be defending itself from a new crisis every week.
The Internal Revenue Service told CSO it does not use emails to target taxpayers, but the agency did not address the use of subpoenas.

Microsoft has pulled a Windows 7 security update released as part of this month's Patch Tuesday after discovering it caused some machines to become unbootable.

Update 2823324, which was included in the MS13-036 bulletin, fixed a "moderate-level vulnerability" that requires an attacker to have physical computer access to be able to exploit a targeted computer, Dustin Childs, a group manager in the Microsoft Trustworthy Computing group, wrote in a blog post published Thursday evening. The company has now pulled it from the bulletin and is advising at least some Windows users who have installed it to uninstall the update following the guidance here. MS13-036 was one of nine bulletins released on Monday to fix 13 separate vulnerabilities.

"We’ve determined that the update, when paired with certain third-party software, can cause system errors," Childs wrote. "As a precaution, we stopped pushing 2823324 as an update when we began investigating the error reports, and have since removed it from the download center."


Microsoft has pulled a faulty security update in MS13-036, part of its April 2013 Patch Tuesday release. Those who had installed it should remove it.

But Microsoft is likely to reap more revenue from the disappearance of XP than will system builders, as many customers will do in-place upgrades to Windows 7 on current hardware.
Remote command injection in Ruby Gem kelredd-pruview 0.3.8
Various Cisco routers and switches running the company's Adaptive Security Appliance software are vulnerable to one or more of four denial-of-service triggers. Fixed versions of the software are now available.

HTC's just-released Android smartphone, the HTC One, offers high-quality hardware, an outstanding camera and stunning design. But the device isn't without its drawbacks.
[ MDVSA-2013:142 ] postgresql

InfoSec Skills launch cyber security competitions
E&T magazine
InfoSec, an organisation providing computer security training to businesses, will give entrants the chance to test their skills across a range of information security governance, risk and compliance subjects. The competitions, part of the Cyber ...
Business and management skills training launched by Cyber Security Challenge ...SC Magazine UK

I love my iPad, but I made the mistake of buying a 16GB model--that's not enough storage for all my apps, home videos, movies, TV shows, photos, and documents. I can rely on cloud storage, but since my iPad is Wi-Fi only, I like having extra local storage. I've been using a Kensington Wi-Drive, but it has its limitations.
As Google Reader gets ready to join that big obsolete app store in the sky on July 1, RSS-addicts like myself are on the search for a suitable alternative. Previously, I test-drove the popular Feedly app and website for a week and found it to be a worthy Reader successor. For this go-around, I've spent some time with Pulse, an RSS-catcher that is heavy on design, but short on versatility.
What could be better than a portable hard drive? A battery-powered portable hard drive that provides its own Wi-Fi hotspot, of course. Corsair's Voyager Air and Seagate's Wireless Plus command hefty price premiums compared to more ordinary drives, but they are also extremely convenient.
LinuxSecurity.com: Updated subversion packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate [More...]
LinuxSecurity.com: Multiple vulnerabilities have been discovered and corrected in postgresql: PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare [More...]
LinuxSecurity.com: Updated libxslt packages fix security vulnerability: Nicholas Gregoire discovered that libxslt incorrectly handled certain empty values. If a user or automated system were tricked into processing a specially crafted XSLT document, a remote attacker could [More...]
Security expert Hugo Teso examined the communication between aeroplanes and ground control systems and discovered highly critical vulnerabilities. The researcher managed to take control of realistic plane simulations.

Cisco Universal Broadband Routers 10000 Series Multiple Denial of Service Vulnerabilities

Security certificates 'an infosec weak spot'
Implicitly trusting all digital security potentially allows vast amounts of malware into corporate systems, warns enterprise key and certificate management solutions firm, Venafi. Venafi evangelist, Calum MacLeod, says malware with embedded digital ...

Intel is hoping to get more Chinese developers to back its products by forming a new joint innovation lab with the nation's largest search engine Baidu.
Microsoft has removed security update 2823324 from its automatic updating service and recommends that users uninstall it. Some users are reporting Blue Screen of Death (BSoD) crashes and other problems.

The latest release of VLC formally ships the fix for an ASF file handling flaw from January. There are also a number of other enhancements and fixes for the open source media player, with improvements on Linux, Mac OS X and Windows.


Business and management skills training launched by Cyber Security Challenge ...
SC Magazine UK
Registrations for online competitions for information security management, business continuity management and information risk management open today. These are new initiatives from the Cyber Security Challenge and InfoSec Skills are specifically aimed ...


St. Louis Infosec Conference: “The next time you present your phone to pay for ...
Houston Chronicle
St. Louis Infosec Conference: “The next time you present your phone to pay for your coffee … you might just have gotten owned,” A Keynote by Elite Hacker Charlie Miller. PRWeb | April 11, 2013.


#FFSec, April 11: Five infosec pros who stand out
CSO (blog)
@attritionorg: Attrition.org is several people with one goal: To keep their fellow infosec pros honest. If you want to be aware of the fakes of our community or those who have earned respect but have stumbled, this is a must-follow. I say that as ...

Our online lives have become so important that Google just released a feature that enables users to control what happens to their data after they die.
Microsoft has amended a security update containing a patch that reportedly caused errors in some third-party software.