CERT-In Monthly Security Bulletin July 2007
Cyber Intrusion Trends
In this month 38 security incidents were reported to CERT-In from various National/International agencies. As shown in the figure, 63% of the incidents reported in the month were phishing, 29% were unauthorized scanning and 8% were virus/worm incidents under the malicious code category. Compared to the previous month, the number of phishing incidents has increased and the number of scanning incidents has decreased. In this month CERT-In tracked 4 C&C (Command & Control) servers and 14,835 bot-infected computers existing in India. The concerned ISPs were intimated to disinfect the bot-infected systems and C&C servers in order to mitigate the botnets.

Cyber Intrusion during July 2007

Indian Websites Defacement

In total 48 Indian websites were defaced during July 2007. A chart depicting Top Level Domain(TLD) wise defacements is shown in the figure.

The vulnerabilities which might have been exploited for the defacements are:

1. Microsoft IIS (Internet Information Server 5.1) DLL Request Denial of Service Vulnerability - CIVN-2007-86

2. PHP-Fusion ShoutBox_Panel.PHP Cross-Site Scripting Vulnerability - CVE-2007-3559

3. PHP "glob()" Function Arguments Processing Arbitrary Code Execution Vulnerability - CVE-2007-3806

4. PHP Win32STD Extension Safe_Mode and Disable_Functions Restriction Bypass Vulnerability - CVE-2007-4010


Statistics of Defaced Indian Websites in July 2007

Open proxy servers

A proxy server that does not restrict its client base to its own set of clients, and instead allows any other client to connect to it, is known as an open proxy server. An open proxy server accepts client connections from any IP address and makes connections to any Internet resource on their behalf, which lets third parties route abusive or anonymised traffic through it.
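As an added illustration, which is not part of the CERT-In bulletin, the following Squid configuration fragment shows the access rule that turns a proxy into an open proxy, beside the restricted form that limits the proxy to the operator's own client networks. The network ranges are constructed placeholders and the port list is Squid's usual default.

```conf
# --- Open proxy (weak setting) ---
# A single unconditional allow lets any source address use the proxy
# to reach any destination. Commented out here; shown only as the
# pattern to look for when auditing a configuration.
# http_access allow all

# --- Restricted proxy (corrected setting) ---
# Name the organisation's own client networks (constructed placeholder ranges).
acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16

# Only allow proxying to ordinary web service ports.
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Rules are evaluated top to bottom; the first match wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
# Explicit final deny so that no unmatched request is silently allowed.
http_access deny all
```

Squid applies the opposite of the last `http_access` line to requests that match no rule, so ending the list with an explicit `deny all` is the safe default. A quick self-check after deploying the change is to send a request through the proxy from an address outside the listed networks; a correctly restricted proxy answers with a 403 Forbidden error page rather than fetching the resource.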

CERT-In tracked 54 open proxy servers functioning in India during July 2007. All the concerned ISPs were alerted immediately to shut down the open proxy servers. A bar chart of open proxy servers tracked during this year is shown in the figure.

Statistics of Open Proxy Servers tracked during Jan - July 2007

Security Alerts

The critical and medium vulnerabilities in various Operating Systems, Application software and Network devices discovered during July 2007 and their countermeasures, along with widespread malicious code such as viruses, worms and Trojans, are given below:

High Vulnerabilities

Microsoft

Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Microsoft Excel | Microsoft Excel Remote Code Execution vulnerabilities | July 11, 2007 | CIVN-2007-81
Microsoft Windows | Microsoft Windows Active Directory Vulnerabilities | July 11, 2007 | CIVN-2007-84
Microsoft .NET | Remote Code Execution Vulnerabilities in Microsoft .NET Framework | July 11, 2007 | CIVN-2007-85
Microsoft | Multiple Vulnerabilities in various components of Microsoft Windows, Windows Active Directory, Microsoft IIS, Microsoft .NET Framework, Microsoft Vista, Microsoft Office Publisher 2007 and Microsoft Office | July 11, 2007 | CIAD-2007-36
Microsoft | Microsoft DirectX RLE Compressed Targa Image Processing Buffer Overflow Vulnerability | July 25, 2007 | CIVN-2007-91
Microsoft Windows | Microsoft Windows URI Handling Command Execution Vulnerability | July 31, 2007 | CIVN-2007-92

Unix

Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
PHP | PHP "glob()" Function Arguments Processing Arbitrary Code Execution Vulnerability | July 16, 2007 | CVE-2007-3806
TCPDump | tcpdump print-bgp.c Buffer Overflow Vulnerability | July 19, 2007 | CVE-2007-3798

Database

Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Oracle | Multiple vulnerabilities exist in various Oracle products | July 19, 2007 | CIVN-2007-90

Miscellaneous

Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Mozilla Firefox | Mozilla Firefox OnKeyDown Event File Upload Vulnerability | July 04, 2007 | CVE-2007-3511
Mozilla Firefox | Mozilla Firefox and Internet Explorer URL Protocol Handler Vulnerability | July 16, 2007 | CIVN-2007-87
Adobe Flash Player | Input Validation Error, HTTP Referer and Information Disclosure Vulnerabilities in Adobe Flash Player | July 16, 2007 | CIVN-2007-88
Cisco | Cisco Unified Communications Manager and Presence Server Unauthorized Access Vulnerability | July 16, 2007 | CIAD-2007-37
Apple QuickTime | Multiple Memory corruption vulnerabilities in Apple QuickTime | July 18, 2007 | CIVN-2007-89
Mozilla Firefox | Multiple Vulnerabilities in Mozilla Firefox | July 19, 2007 | CIAD-2007-38
Cisco | Wireless ARP Storm Vulnerabilities | July 26, 2007 | CIAD-2007-39

Medium Vulnerabilities

Microsoft

Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Microsoft Office | Microsoft Office Publisher 2007 Invalid Memory Reference Vulnerability | July 11, 2007 | CIVN-2007-82
Microsoft Windows | Microsoft Windows Vista Teredo Interface Firewall Bypass Vulnerability | July 11, 2007 | CIVN-2007-83
Microsoft IIS | Microsoft IIS (Internet Information Server 5.1) DLL Request Denial of Service Vulnerability | July 11, 2007 | CIVN-2007-86

Unix

Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Linux Kernel | Linux Kernel USBLCD Memory Consumption Denial Of Service Vulnerability | July 03, 2007 | CVE-2007-3513
PHP-Fusion | PHP-Fusion ShoutBox_Panel.PHP Cross-Site Scripting Vulnerability | July 04, 2007 | CVE-2007-3559
Linux Kernel | Linux Kernel Decode_Choices Function Remote Denial Of Service Vulnerability | July 09, 2007 | CVE-2007-3642
Sun Solaris | Sun Solaris "rcp" Command Filename Processing Code Execution Vulnerability | July 11, 2007 | CVE-2007-3717
PHP | PHP Win32STD Extension Safe_Mode and Disable_Functions Restriction Bypass Vulnerability | July 26, 2007 | CVE-2007-4010
Malicious Code Threats

Title of Malicious Code: W32.Fubalca.N
Type: Worm
Overview: It is a worm that spreads through removable storage devices and by infecting various types of files. It disables antivirus programs and lowers security settings on the compromised computer. It tries to exploit the vulnerability described in CIVN-2007-63.
Aliases: No Alias
Discovery Date: July 12, 2007
References: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-071301-4136-99&tabid=1

Title of Malicious Code: TROJ_BANLOAD
Type: Trojan
Overview: It circulates via spam e-mail messages or is dropped by other malware, and uses the Brazilian plane crash tragedy as a lure to compromise the system in order to steal information for monetary gain.
Aliases: No Alias
Discovery Date: July 24, 2007
References: http://www.cert-in.org.in/virus/TROJ_BANLOAD.htm

Title of Malicious Code: Rubble Worm
Type: Trojan
Overview: It scans the local and removable drives of a system for files of any extension. It records the names of the scanned files for malicious purposes, overwrites them with its own copy and renames their extension to .exe.
Aliases: No Alias
Discovery Date: July 24, 2007
References: http://www.cert-in.org.in/virus/RUBBLEWORM.htm

Title of Malicious Code: Linux.Backdoor.Rexob
Type: Trojan
Overview: It is a Trojan horse program that opens a backdoor on the compromised Linux system.
Aliases: No Alias
Discovery Date: July 26, 2007
References: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-072612-1704-99&tabid=1

Title of Malicious Code: Trojan.Srizbi
Type: Trojan
Overview: Trojan.Srizbi is a fully kernel-mode malware which is downloaded while visiting websites compromised using the Mpack toolkit.
Aliases: Rootkit:W32/Agent.EA [F-Secure], Trojan.Srizbi [Symantec], Troj/RKAgen-A [Sophos]
Discovery Date: July 30, 2007
References: http://www.cert-in.org.in/virus/Srizbi_troj.htm
Security News

Hackers steal government, corporate data
[Source: www.news.com.com]

Hackers stole information from the Department of Transportation and several U.S. corporations by seducing employees with fake job listings on ads and e-mail, a computer security firm said on Monday. The list of victims included several companies known for providing security services to government agencies.

[More]

Details on defacement of Microsoft's U.K. Web site
[Source: www.theregister.co.uk]

Details have emerged of an attack which defaced Microsoft's U.K. Web site. Hackers broke through the site's security, defacing it and replacing genuine content with a photo of a child waving a Saudi Arabian flag. It is likely that the company's U.K. site, which was breached on Wednesday, was subverted using an SQL injection, in which hackers exploit application vulnerabilities to alter server settings or mine data, according to Zone-H, which has also run a picture of the defacement.

[More]

DNS Security Problems Widespread and Poorly Understood: Study
[Source: www.informationweek.com]

Nearly half of IT and business professionals surveyed by Mazerov Research reported a security compromise of their Domain Name System servers, despite spending money on overlapping security products.
The independent study of 465 people, conducted on behalf of Secure64, found that "[n]early half (45%) of the participants had experienced a compromise of either their internal, external or caching DNS servers." Sixty-eight percent of respondents attributed their DNS security problems to malware. Forty-eight percent cited denial of service attacks. Thirty-six percent pointed to cache poisoning (injecting false information into DNS caches). Twenty-three percent indicated pharming (redirecting document requests from one Web site to another).

[More]

Web application security -- time for services
[Source: www.computerworld.com]

Web application security, like other forms of vulnerability scanning, is as much an art as science. The vendors are pretty good at detecting known vulnerabilities, and generating lovely reports for IT on all that they've found. However, for all of the advances in the technology, the vendors are unable to tell their customers that their customer-facing applications are secure or to articulate business benefits beyond meeting a PCI requirement.

[More]

Chinese computers vulnerable to viruses
[Source: www.chinaknowledge.com]

With over half of computers attacked by viruses in the first half of this year, China has become one of the most serious computer virus-stricken regions in the world, sources report. In a report from a Chinese anti-virus company, Rising Technology Company, the Mainland has over 35 million computers attacked by viruses during the first half of this year.

[More]

Spammers Exploit Brazilian Plane Crash
[Source: www.informationweek.com]

Spammers are luring unsuspecting users to a malicious Web site by sending out e-mails promising information about the crash and the victims onboard. Spammers were quick to take advantage of the tragic plane crash in Brazil this week.
Researchers at Websense Security Labs reported that a new spam campaign is using this week's crash to lure unsuspecting users to a malicious Web site. The e-mails link to a Web site that purports to contain information on the people onboard the plane, but actually simply infects the users' computers with malware.

[More]

FBI Analyst Sentenced To 10 Years For Stealing National Secrets
[Source: www.informationweek.com]

A former U.S. Marine and FBI analyst was sentenced to 10 years in federal prison for espionage charges in connection with stealing classified national defense documents from the White House, the FBI, the Department of Defense, and the U.S. Department of State.
Leandro Aragoncillo, 48, received his sentence on Wednesday in U.S. District Court in Newark, N.J. A release from the Department of Justice noted that there is no parole in the federal system, and Aragoncillo, who also was fined $40,000, can be expected to serve nearly the entire sentence except for potential "good-inmate" credits.

[More]

McAfee sets Rootkit Detective free
[Source: www.computerworld.com]

On July 26, McAfee will begin offering a new application called Rootkit Detective, designed to detect and remove dangerous rootkit attacks. The software will also help end users ward off the threats, as well as funnel new intelligence into the company's ongoing research operations. Following in the footsteps of SiteAdvisor -- the free Web site security program acquired by McAfee in April 2006 that warns users about potentially dangerous sites and search results -- the new tool will be offered at no charge from McAfee's Web site via download, company officials said, with benefits for both end users and its researchers.

[More]

Auction site sells security exploits
[Source: www.news.com.com]

An eBay-like auction site that sells vulnerabilities will improve security by ensuring researchers get a fair price for their work, its founders say. "The existing business model to reward researchers is a failure," said Herman Zampariolo, chief executive of WSLabi, and the man behind the WabiSabiLabi auction site. A tiny minority of vulnerabilities currently get patched, he said, because IT experts aren't paid for their work in uncovering them: "If the firemen are not paid, it's not easy to extinguish a fire."

[More]

Virus Top 20 for July 2007
[Source: www.first.org]

The activity of the botnet that was created in May via the Agent.bqs Trojan was only reaching its “design capacity” in June; by July it was in full swing. Another member of the Warezov family, which is distributed by this zombie network, reached the top position on the chart, accounting for 22% of the malicious code in mail traffic.

[More]

Sophos has published its latest report on the top twelve spam-relaying countries over the second quarter of 2007
[Source: www.chi-publishing.com]

SophosLabs scanned all spam messages received in the company's global network of spam traps, and have revealed that the US continues to relay more spam than any other nation, accounting for 19.6 per cent - a decrease of just 0.2 per cent from the previous quarter. However, Europe now has six entries in the dirty dozen, which when combined, account for even more spam-relaying than the US.

[More]

Escaping a virtual machine
[Source: www.computerworld.com]

Virtual Machines are all the rage right now, but that might be about to change. One of the main attractions to VM's was the knowledge that even if the virtual machine was compromised, the host OS was secure. Or at least it was until now. Ed Skoudis and Tom Liston from Intelguardians have discovered a way to crash the guest operating system and run arbitrary code on the host operating system. They demonstrated their technique to attendees at SANSFIRE 2007 last Friday, though the specific details of the compromise were kept secret from the audience.

[More]

Excel Latest Vehicle for 'Pump-and-Dump' Spam
[Source: www.eweek.com]

"Pump-and-dump" spammers have found a new package for their scam: Excel files. Commtouch researchers reported the appearance of pump-and-dump spam in Excel files for the first time on July 21. The spam promotes stocks in file attachments with names such as "invoice20202.xls," "stock information-3572.xls" and "requested report.xls."

[More]

Recent change in Stock-Spam Tactics (PDF and excel)
[Source: www.isc.sans.org]

It started nearly a month ago, a shift from image-based spam to spams containing PDF files. I'm sure that you've seen these in your mailbox; the shift over to PDF was effective in evading spam filters. You have also likely noted their shift in tactics from a simple text message in the PDF over to encoded images in the PDF (to foil pdf2text-like tools, I presume).

[More]

New Attack Uses Bogus Web Sites To Deliver Malware
[Source: www.informationweek.com]

The new threat comes from a number of newly registered Web sites that pretend to represent Italian organizations, but are really just vehicles for using malicious IFrames to spread malware. The Italian job that last month saw more than 10,000 legit Web pages embedded with malicious IFrames has resurfaced, this time with even more international intrigue. Last month's threat pushed malicious HTML files onto Web pages of several Italian Web sites and infected Web surfers visiting those sites.

[More]

The return of the ransom-ware Trojan
[Source: www.theregister.co.uk]

Virus writers are revisiting the tactic of holding data on compromised machines to ransom with a new strain of so-called "ransom-ware" Trojan.
Gpcode-AI (AKA Sinowal-FY) encrypts data on compromised machines before demanding money from users to decrypt it. The malware also includes backdoor key-logging features designed to pinch confidential bank account and credit card details from compromised PCs.

[More]

PayPal data stealing trojan and IcePack malware installer
[Source: www.net-security.org]

PayRob.A is a Trojan designed to steal data from PayPal accounts. Like most Trojans, PayRob.A cannot spread by itself, but needs intervention from a malicious user to reach computers. If the targeted user runs the file carrying PayRob.A, it gives itself hidden file attributes and modifies the Windows Registry to ensure it is run whenever the system is restarted.

[More]

Fun & Games - A new Storm Worm variant - 'Trojan.Win32.Agent.auh'
[Source: www.first.org]

We're seeing a substantial seeding of a new Storm Worm variant. The attachment is static, and the emails look like this (sender information varies):

    Good afternoon, buddy!
    From : "Chase Busby" <darach.dadisman@a15bler.dk>
    Subject : Pictures
    Did you see this game? Funny flash game with nude Nicole Kidman.
    Enjoy! The game in your attachment.
    Bye.

[More]

Worm eats music on infected PCs
[Source: www.theregister.co.uk]

Virus writers have unleashed a worm that attempts to delete MP3 files from infected machines. The Deletemusic worm spreads via removable devices. As soon as an infected device is accessed the worm will be executed. Thereafter it copies itself onto all drives, including removable devices, and executes whenever Windows is started up on compromised PCs.

[More]

Storm Worm Erupts Into Worst Virus Attack In 2 Years
[Source: www.informationweek.com]

The Storm worm authors are waging a multi-pronged attack and generating the largest virus attack some researchers say they've seen in two years.
"We are basically in the midst of an incredibly large attack," said Adam Swidler, a senior manager with security company Postini. "It's the most sustained attack that we've seen. There's been nine to 10 days straight days of attack at this level."


[More]