Hackin9

InfoSec News

In another event that was to be expected, America has come out saying that Chinese-based hackers have been obtaining smart card details via a well-known Trojan that has been modified to seek out smart card data.


 
San Francisco City College has only just recently discovered a virus that has taken over their systems and spread like wildfire. Since then they have been doing a lot of research and monitoring and have discovered traces of this virus in the system going all the way back to 1999.


 
In light of some recent virus attacks, another one has come out which has left a small village without a computer to do all the funding and payrolls. The town, Dalzell, which is part of Bureau County, suffered from a virus that totalled the computer, leaving it in an unusable state. Now the point I want to get to is: what the hell is a virus doing on this computer? If it's so critical, why is it allowed to connect to a network that would allow this to happen, or has someone done it with bad intentions?


 
It was bound to happen sooner or later: a space agency is now reporting that it has suffered an unknown virus attack from unknown sources.


 
It seems that 2012 is the year of the credit card hackers; with hundreds of thousands of cards leaked this year already, it has turned into a daily thing.


 
The popular gaming shop GAME has become a victim of hackers, who have attacked the www.game.co.uk website and dumped a load of accounts from it.


 


Antony Elmar owns quite a few domain names. He lives in a lovely city called Kansas, US, but seems to make his home there on a park bench, because he doesn't have a street address. On the upside, the park bench does have a phone extension, but one with a phone number that is a tad odd for Kansas, US and has a dial prefix that looks more like Italy:
Domain Name:EVORMCORP .IN
Created On:14-Jan-2012 00:01:08 UTC
Last Updated On:14-Jan-2012 00:01:10 UTC
Expiration Date:14-Jan-2013 00:01:08 UTC
Registrar:Directi Web Services Pvt. Ltd. (R118-AFIN)
Registrant Name:Antony Elmar
Registrant Organization:N/A
Registrant Street1:none
Registrant City:Kansas
Registrant State/Province:
Registrant Postal Code:67420
Registrant Country:US
Registrant Phone:+3.976639877
None of this fazes the domain name registrar Directi Web Services in Mumbai, India, in the least. And Antony has been busy - he bought a dozen or so new domains over the past two days, and managed to bring them live within a matter of minutes after purchase.
His new domains currently point to 89.187.53.237, in Moldova. Yup, ol' Antony is quite the international business executive, conducting his trade on three continents with equal ease! The IP used seems to change about once per week; until last Thursday, Antony's virtual HQ was at the neighboring IP, 89.187.53.238.
His latest new domains include
cyberendbaj .in
cyberevorm .in
endbaj .in
endbajcomp .in
evorm .in
evormhost .in
evormcorp .in
and provide a generous helping of malware to users unlucky enough to get redirected there via what appears to be poisoned ads on legitimate web pages. Antony's toys currently seem to use URLs with a certain pattern that you can search for in your web logs with a command like:
egrep -E '\/.{8}\/\?[[:xdigit:]]{60}'
Example result from earlier today:

http://endbajcomp. in/rgy9hcgw/?1a4c39a0370ad0f641cc790b5d0acdb24eba0f2d2483b98b4076689a4684
Caveat - that regexp might of course also match on perfectly benign web site URLs.
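The same log check as a small script, added here as an example (it is not code from the ISC diary or from Hackin9): it applies the diary's pattern to a handful of constructed Apache combined-format proxy log lines and tallies hits by referer, which points at the legitimate page whose ad slot did the redirecting. The log format, the placeholder hostnames and the hex token are assumptions; the benign CDN line shows the caveat above in action.

```python
import re
from collections import Counter

# The diary's egrep pattern in Python syntax: an 8-character directory, then "/?" and 60 hex digits.
SUSPECT_URL = re.compile(r"/.{8}/\?[0-9a-fA-F]{60}")

# Parser for Apache "combined"-style proxy access log lines (assumed format):
# client ident user [timestamp] "METHOD URL PROTO" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<url>\S+) \S+" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log lines (not real traffic); hostnames are placeholders and
# HEX60 stands in for the 60-digit token in the diary's example URL.
HEX60 = ("0123456789abcdef" * 4)[:60]
SAMPLE_LOG = [
    # hit: a visitor sent from a legitimate news page to the malware host
    f'10.0.0.5 - - [15/Jan/2012:10:12:01 +0000] "GET http://malicious-domain.example/rgy9hcgw/?{HEX60} HTTP/1.1" 200 4412 "http://news.example/story" "Mozilla/5.0"',
    # no hit: same shape but only 59 hex digits
    f'10.0.0.6 - - [15/Jan/2012:10:12:02 +0000] "GET http://malicious-domain.example/rgy9hcgw/?{HEX60[:-1]} HTTP/1.1" 200 4412 "http://news.example/story" "Mozilla/5.0"',
    # hit on a benign CDN URL that merely shares the shape: the diary's caveat
    f'10.0.0.7 - - [15/Jan/2012:10:12:03 +0000] "GET http://cdn.example/assets01/?{HEX60} HTTP/1.1" 200 900 "http://shop.example/" "Mozilla/5.0"',
    # ordinary request, no hit
    '10.0.0.8 - - [15/Jan/2012:10:12:04 +0000] "GET http://news.example/story HTTP/1.1" 200 12000 "-" "Mozilla/5.0"',
    # second hit with the same referer: points at the same poisoned ad slot
    f'10.0.0.9 - - [15/Jan/2012:10:13:10 +0000] "GET http://malicious-domain.example/k3j9x0pq/?{HEX60} HTTP/1.1" 200 4412 "http://news.example/story" "Mozilla/5.0"',
]

def find_suspect_requests(lines):
    """Return (client, url, referer) for each parsed line whose URL matches the pattern."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and SUSPECT_URL.search(m.group("url")):
            hits.append((m.group("client"), m.group("url"), m.group("referer")))
    return hits

def hits_per_referer(hits):
    """Count hits by referer: the legitimate pages whose ads redirected visitors."""
    return Counter(referer for _client, _url, referer in hits)

if __name__ == "__main__":
    for client, url, referer in find_suspect_requests(SAMPLE_LOG):
        print(f"{client} requested {url} (referer {referer})")
    print(dict(hits_per_referer(find_suspect_requests(SAMPLE_LOG))))
```

Review every hit by hand before acting on it; a referer that shows up repeatedly across clients is the page worth looking at, while a single hit on a CDN is likely just the regexp being greedy.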
The malware uses CVE-2010-0842 (javax.sound.midi) and CVE-2011-3544 (Rhino script engine) and when successful seems to download an executable off a URL that matches[0-9]'


If you find anything of interest in your logs, please let us know via the contact form, or comment below.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
In a sign that massive public pressure may be working, six Republican U.S. Senators who previously supported the Protect IP Act, late Friday asked Senate Majority Leader Harry Reid (D-Nevada) to postpone a scheduled Jan. 24 vote on the controversial bill.
 
The same hacker who dumped the recent FileDen accounts has dumped another lot of accounts, this time coming from a Slovenia-based torrent website called Orion.


 
CES 2012 ushered in three new ways that we will interact with our electronics: multitouch, voice and in-the-air gestures.
 
Just another dump of accounts from what is claimed to be LulzOps, but because that Twitter account has been suspended/deactivated we cannot confirm the source of this 100%.


 
Well, in what's been a fairly rough couple of weeks for Symantec, they should have known it was going to lead to this: the dumping of the actual source code, which has since been removed by the upload site it was on after its short time there today. The leak comes from YamaTough's Twitter account and is aimed clearly at attempting to help the lawsuit with a


 
Well, once again Asus has become a victim of weak security and hackers, who have left an extra file on the site with a message telling them they have been hacked.


 