CERT-In Monthly Security Bulletin October 2007
Cyber Intrusion Trends
In this month, 49 security incidents were reported to CERT-In by various national and international agencies. As shown in the figure, 61% of the incidents reported this month were phishing, 27% were unauthorized scanning, 8% were virus/worm incidents under the malicious code category and 4% fell in the others category. Compared to the previous month, the number of phishing incidents has decreased and the number of scanning incidents has increased.
In this month CERT-In tracked 4 C&C (Command & Control) servers and 1370 bot-infected computers in India. The concerned ISPs were informed so that the bot-infected systems and C&C servers could be disinfected and the botnets mitigated.
In this month CERT-In tracked 450 Storm-bot infected computers. The concerned ISPs were asked to disinfect these systems.

Cyber Intrusion during October 2007

Indian Websites Defacement

In total, 143 Indian websites were defaced during October 2007. A chart depicting defacements by Top Level Domain (TLD) is shown in the figure.

The vulnerabilities which might have been exploited for the defacements are:

1. Apache Tomcat WebDAV Arbitrary File Content Disclosure CVE-2007-5461

2. PHP COM Objects Security Bypass CVE-2007-5653

Statistics of Defaced Indian Websites in October 2007

Open proxy servers

Any proxy server that does not restrict its client base to its own set of clients, and allows any other client to connect to it, is known as an open proxy server. An open proxy server accepts client connections from any IP address and makes connections to any Internet resource on their behalf.

CERT-In tracked 61 open proxy servers functioning in India during October 2007. All the concerned ISPs were alerted immediately to shut down the open proxy servers. A bar chart of open proxy servers tracked during this year is shown in the figure.
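The behaviour described above, an intermediary that fulfils requests for clients from any IP address, shows up in the proxy's own access log. The following Python is an added example, not part of the bulletin: it reads Squid-style native access-log lines (constructed here, using documentation address ranges) and reports outside clients whose requests the proxy actually served; the served-network range is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in Squid native access-log format
# (time elapsed client action/status bytes method URL ident hierarchy/peer type).
# Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
1193097600.101    212 10.20.0.15 TCP_MISS/200 5120 GET http://intranet.example/index.html - DIRECT/10.20.0.2 text/html
1193097601.550    180 203.0.113.45 TCP_MISS/200 9830 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1193097602.003     12 198.51.100.7 TCP_DENIED/403 1420 GET http://www.example.org/ - NONE/- text/html
1193097603.720    410 203.0.113.45 TCP_MISS/200 2211 CONNECT mail.example.net:443 - DIRECT/192.0.2.10 -
1193097604.118    300 192.0.2.77 TCP_MISS/200 7400 GET http://www.example.com/login - DIRECT/93.184.216.34 text/html
1193097605.900     95 10.20.0.22 TCP_HIT/200 640 GET http://www.example.com/logo.png - NONE/- image/png
"""

# Networks this proxy is meant to serve (an assumption made for the example).
SERVED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_line(line):
    """Split one Squid native log line into the fields we need.

    Returns (client_ip, action, status) or None for malformed lines.
    """
    fields = line.split()
    if len(fields) < 4:
        return None
    try:
        client = ipaddress.ip_address(fields[2])
        action, status = fields[3].split("/", 1)
        return client, action, int(status)
    except ValueError:
        return None


def is_served_client(client):
    """True when the client address belongs to a network we intend to serve."""
    return any(client in net for net in SERVED_NETWORKS)


def find_open_proxy_evidence(log_text):
    """Map each outside client to the number of requests the proxy fulfilled
    for it. Denied requests are not evidence: there the ACL did its job.
    """
    served_outsiders = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, action, status = parsed
        if action == "TCP_DENIED" or status >= 400:
            continue
        if not is_served_client(client):
            served_outsiders[str(client)] += 1
    return served_outsiders


def is_open_proxy(log_text, threshold=1):
    """True when at least `threshold` distinct outside clients were served."""
    return len(find_open_proxy_evidence(log_text)) >= threshold


if __name__ == "__main__":
    for client, count in find_open_proxy_evidence(SAMPLE_LOG).most_common():
        print(f"served outside client {client}: {count} request(s)")
    print("open proxy suspected:", is_open_proxy(SAMPLE_LOG))
```

On the constructed log the check flags two outside clients (203.0.113.45 twice, 192.0.2.77 once) and ignores the denied request from 198.51.100.7.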

Statistics of Open Proxy Servers tracked during Jan - Oct 2007

Security Alerts

The critical and medium vulnerabilities in various operating systems, application software and network devices discovered during October 2007, their countermeasures, and widely spreading malicious code such as viruses, worms and Trojans are given below:

High Vulnerabilities

Microsoft

| Vendor/Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Microsoft | Network News Transfer Protocol Memory Corruption Vulnerability | October 10, 2007 | CIVN-2007-130 |
| Microsoft | Multiple Vulnerabilities in Microsoft IE could Allow Remote Code Execution | October 10, 2007 | CIVN-2007-131 |
| Microsoft Word | Microsoft Word Memory Corruption Vulnerability | October 10, 2007 | CIVN-2007-134 |
| Microsoft | Multiple Vulnerabilities in various components of Microsoft Windows: Microsoft Windows Kodak Image Viewer, Network News Transfer Protocol, Microsoft IE, RPC Authentication, Microsoft Windows Share Point Service 3.0 and Share point server 2007, Microsoft Word | October 10, 2007 | CIAD-2007-52 |

Unix

| Vendor/Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| OpenSSL | OpenSSL SSL_get_shared_ciphers() Function and DTLS Implementation Vulnerability | October 19, 2007 | CIAD-2007-53 |
| PHP | PHP COM Objects Security Bypass | October 23, 2007 | CVE-2007-5653 |

Database

| Vendor/Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Oracle | Multiple vulnerabilities Exist in various Oracle products | October 22, 2007 | CIVN-2007-137 |

Cisco

| Vendor/Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Cisco | Cisco Wireless Control System Conversion Utility Adds Default Password | October 12, 2007 | CIVN-2007-135 |
| Cisco | Cisco IOS LPD Remote Stack Overflow | October 12, 2007 | CIVN-2007-136 |
| Cisco | Multiple Vulnerabilities in Cisco PIX and ASA Appliances | October 24, 2007 | CIAD-2007-54 |
| Cisco | Cisco Unified Communications Web-based Management Vulnerability | October 24, 2007 | CIAD-2007-56 |
| Cisco | Cisco Unified Communications Manager Denial of Service Vulnerabilities | October 24, 2007 | CIAD-2007-57 |
| Cisco | Extensible Authentication Protocol Vulnerability | October 30, 2007 | CIVN-2007-139 |

Miscellaneous

| Vendor/Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| RealPlayer | RealPlayer Playlist Handling Buffer Overflow Vulnerability | October 24, 2007 | CIVN-2007-138 |
| Firewall | Multiple Vulnerabilities in Firewall Services Module | October 24, 2007 | CIAD-2007-55 |
| Mozilla | Multiple Vulnerabilities in Mozilla Products | October 24, 2007 | CIAD-2007-58 |
Medium Vulnerabilities

Microsoft

| Vendor/Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Microsoft Windows | Microsoft Windows Kodak Image Viewer Remote Code Execution Vulnerability | October 10, 2007 | CIVN-2007-129 |
| Microsoft Windows | Microsoft Windows RPC Authentication Denial of Service Vulnerability | October 10, 2007 | CIVN-2007-132 |
| Microsoft Windows | Cross-site scripting vulnerability in Microsoft Windows Share Point Service 3.0 and Share point server 2007 | October 10, 2007 | CIVN-2007-133 |

Unix

| Vendor/Product | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information |
|---|---|---|---|
| Linux Kernel | Multiple Vulnerabilities in Linux Kernel | October 01, 2007 | CIAD-2007-51 |
| Apache Tomcat | Apache Tomcat WebDAV Arbitrary File Content Disclosure | October 25, 2007 | CVE-2007-5461 |
Malicious Code Threats

| Title of Malicious Code | Type | Overview | Aliases | Discovery Date | References |
|---|---|---|---|---|---|
| Nethell Trojan | Trojan | Nethell Trojan, also known as TR/Drop.NetHell, started spreading in April 2006. It uses keylogging to capture login information as the user enters it on the infected system and sends the captured information to the attacker. | Trojan-Dropper.Win32.Agent.ayg [Kaspersky], PWS-Banker.gen.ad [McAfee], Trojan.Nethell [Symantec], TR/Drop.NetHell.A [Avira] | October 12, 2007 | http://www.cert-in.org.in/virus/Nethell_Trojan.htm |
| Worm Minera | Worm | It propagates by copying itself to network shares and to newly attached media such as removable drives, as the executables %DriveLetter%\Minerva Game.exe and %DriveLetter%\New_Games.exe. | W32/Minerv-A [Sophos] | October 26, 2007 | http://www.symantec.com/business/security_response/writeup.jsp?docid=2007-102615-0143-99&tabid=1 |
| Trojan Exploiting PDF Vulnerability | Trojan | The Trojan arrives as a PDF attachment in spammed e-mails whose subject lines entice users into opening the malicious file and executing the malware on their systems. It exploits the remote code execution vulnerability in Adobe Acrobat PDF files described in CIVN-2007-128. | EXPL_PIDIEF.B [FrSirt], Trojan.Pidief.A [Symantec], EXPL_PIDIEF.B [Trend Micro], Exploit.Win32.AdobeReader.b [Kaspersky] | October 30, 2007 | http://www.cert-in.org.in/virus/PDF_Malware.htm |

Security News

Report: U.S. tops list of spam-offending countries
[Source: www.news.com]

October 26, 2007
The U.S. remains the world's biggest spammer, according to security firm Sophos, which on Friday released its quarterly report on the world's top spam-offending countries--dubbed the "Dirty Dozen."
The U.S. came in well ahead of its rivals, according to the report, being responsible for 28.4 percent of all spam. South Korea was second (5.2 percent), followed by China (4.9 percent), Russia (4.4 percent) and Brazil (3.7 percent). "It seems as though a major American spammer is arrested every other week at the moment but, despite these high-profile law-breakers being put away, the U.S. continues to relay far more spam than any other nation on the planet," Carole Theriault, senior security consultant at Sophos, said in a statement. "This level of activity can't be attributed solely to the slick operations of a few cash-hungry criminals. The problem is there are thousands of spammers using many thousands of compromised zombie computers in the U.S.," Theriault said.

Spammers turn YouTube into spam relay channel
[Source: www.theregister.com]

October 05, 2007
Miscreants have turned a YouTube service into a spam relay channel.
YouTube contains a facility that allows users to invite their friends to view videos that they are looking at or have posted. This "Invite Your Friends" system is being used to send out "massive quantities of spam", according to content security outfit Marshall. The messages, which all come from service@youtube.com, have the same appearance as a legitimate YouTube invite, except they contain pitches for tat such as penis pills and get-rich quick schemes instead of links to online video tat. Both could be considered forms of junk anyway which partly explains why cybercriminals have adopted the tactic. "Spammers are doing this to defeat spam filters and to lower the recipient’s guard by making it look as though the messages are coming from a perfectly innocuous email address. YouTube’s own Help Centre suggests that you exclude the service@youtube.com email address from spam filtering. The spammers are keenly aware of this," said Bradley Anstis, Marshall’s director of product management.
In August, spammers used a Trojan to automatically generate large numbers of Hotmail and Gmail accounts from which to send spam. The YouTube attack is working on the same principle, according to Marshall.

Research Shows Image-Based Threat on the Rise
[Source: www.darkreading.com]

October 18, 2007
Until recently, steganography, the stealth technique of hiding text or images within image files, has mostly been considered too complex -- and conspicuous -- to be much of a threat. But some forensics experts now worry that the bad guys are starting to use the tactic more frequently, especially in child pornography and identity theft trafficking.
There are an estimated 800 or so steganography tools available online, many of them free and with user-friendly graphical user interfaces and point-and-click features. This broad availability is making steganography more accessible and easier to use for hiding and moving stolen or illicit payloads, experts say. Security experts to date have mostly dismissed steganography as a mainstream threat, relegating it to the domain of spooks and the feds. Their skepticism has been well-founded: The few studies that have searched for images hiding steganographic messages have come up empty-handed.
But now, preliminary data from a new steganography study underway at Purdue University indicates that some criminals indeed may be using steganography tools, mainly in child pornography and financial fraud cases. Although the Purdue survey is in its early phases, researchers have found proof of steganography tools installed on convicted criminals' computers.

Death by iFrame
[Source: www.cio.com]

October 08, 2007
iFrames were the distribution mechanism used to create a large population of machines infected by the form-grabbing malware variant dubbed Gozi. In fact, they’ve become a popular way to dump many varieties of malware onto unsuspecting web surfers. iFrames are a browser feature that allows websites to deliver content from a remote website within a frame on a page. Think of stock quotes originating from one site streamed into a small box on another site.
Criminal hackers exploit this feature by building iFrames into pages that are one pixel by one pixel—invisible to the user. Inside that iFrame they can stash executable code stored at another site. Usually, the stash is a tiny piece of software called a downloader. A downloader is a single redirect instruction. When a PC visits the iFramed website, the downloader is delivered from inside the invisible iFrame and it tells the browser to visit some other IP address. Its job is done.
Usually this address contains another downloader, which repeats the process. For obfuscation purposes, this may happen several times before one of the downloaders finally points to a server containing malware. The malware is delivered through the iFrame onto the PC. This is how Gozi got on machines.

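
As an added defender-side illustration, not from the article or the bulletin, the following Python scans a page's HTML for the pattern the article describes: iframes that are one pixel or otherwise invisible and whose source is a different host than the page itself. The sample HTML, hostnames and addresses are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML resembling a page where a hidden, off-site iframe has been
# injected next to a legitimate embedded frame; hosts are examples only.
SAMPLE_PAGE = """
<html><body>
<h1>Welcome</h1>
<iframe src="http://quotes.example.com/ticker" width="300" height="80"></iframe>
<iframe src="http://198.51.100.23/load.php" width="1" height="1" frameborder="0"></iframe>
<iframe src="/local/help" style="display:none"></iframe>
<IFRAME SRC="http://203.0.113.9/x.php" STYLE="width:0px; height:0px; visibility:hidden"></IFRAME>
</body></html>
"""

SIZE_RE = re.compile(r"(width|height)\s*:\s*(\d+)", re.I)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _px(value):
    """Turn '1', '1px' or ' 300 ' into an int; None if not numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): v for k, v in attrs})


def is_hidden(attrs):
    """A frame counts as hidden when it is <= 1px in either dimension
    (via width/height attributes or inline style) or styled invisible."""
    style = attrs.get("style") or ""
    if HIDDEN_RE.search(style):
        return True
    dims = [_px(attrs.get("width")), _px(attrs.get("height"))]
    dims += [int(v) for _, v in SIZE_RE.findall(style)]
    return any(d is not None and d <= 1 for d in dims)


def find_suspicious_iframes(html_text, page_host):
    """Return the src of every iframe that is hidden and loads from a host
    other than the page's own (same-site frames are not flagged)."""
    collector = IframeCollector()
    collector.feed(html_text)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host is not None and host != page_host and is_hidden(attrs):
            findings.append(src)
    return findings


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_PAGE, "www.example.com"):
        print("hidden off-site iframe:", src)
```

On the constructed page the two invisible frames pointing at other hosts are reported, while the visible ticker frame and the hidden same-site frame are not.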

Yahoo! Teams! With! eBay! And! PayPal! To! End! Phishing!
[Source: www.theregister.com]

October 06, 2007
Yahoo! has teamed with eBay and PayPal to save you from phishing scams. If you use Yahoo! Mail. And the scams involve eBay or PayPal. Yesterday, the three companies announced that, over the next several weeks, Yahoo! Mail users worldwide "will begin receiving fewer fake e-mails claiming to be sent by eBay and PayPal." You see, Yahoo! is rolling out a new email authentication system that uses the company's very own DomainKeys technology to block such messages.
"By reducing the risk of phishing scams," said vice president of Yahoo! Mail John Kremer, "Yahoo! Mail now offers a much safer Web mail service for eBay and PayPal users." Presumably, Yahoo! Mail is also offering a much safer Web mail service for extremely gullible people who succumb to eBay or PayPal phishing scams even though they don't use eBay or PayPal.
According to a spokeswoman for eBay and its PayPal subsidiary, the two companies have included DomainKey signatures on all outbound email since the end of 2006. So, if Yahoo! identifies a message that purports to come from the eBay or PayPal domain and it doesn't include the proper signature, the message will be blocked.


Report: PDF files used to attack computers
[Source: www.news.com]

October 27, 2007
E-mails containing malicious PDF files have been putting computers at risk since Friday, Finnish security software firm F-Secure said on Saturday.
"The e-mails sent in bulk looked like credit card statements, and contained an attachment called 'report.pdf'," its Chief Research Officer Mikko Hypponen said in a statement.
When such PDF files are viewed on vulnerable machines, they start downloading software from servers in Malaysia or Sweden, which are now being cleaned, he said. "There will be more such attacks."
"We are worried about this case, as PDF attachments are typically not filtered at e-mail gateways." A security update for Adobe Acrobat Reader, which opens PDF files, was made available a few days ago, but many users have not updated the program yet, Hypponen said.


Russian Crooks Spreading Gozi Trojan with PDFs
[Source: www.news.yahoo.com]

October 25, 2007
A malicious PDF attack launched earlier this week is downloading a variant of the Gozi Trojan—the same malware that's been used to steal personal data with a black market value of over $2 million, including bank, retail and payment services account numbers as well as Social Security numbers.
SecureWorks, which originally discovered the Gozi Trojan in February 2007, said the latest attack is coming from the same Russian criminals who launched the February attack.
The Russian Business Network—a Russian ISP that's notorious for hosting illegal or shadowy businesses including child pornography, phishing and malware distribution sites—has had to take down two servers that were getting overloaded due to the success of the exploit, according to SecureWorks.


Storm Worm Sent 15 Million Pump-And-Dump E-Mails Last Month
[Source: www.pcworld.com]

October 25, 2007
The Storm Worm botnet network may be shrinking in size, but it has managed to send out 15 million annoying audio spam messages in October, according to antispam vendor, MessageLabs.
It's hard to believe that the Storm messages were effective. Recipients had to first click on an attachment -- usually given a misleading name like beatles.mp3 or Britney.mp3 -- to hear the stock pitch, which featured a warbly robotic woman advising people to invest in online car seller, Exit Only. This kind of scam, called "pump-and-dump", tries to nudge up the price of penny stocks by a cent or two, giving the spammers a way to make a quick buck by selling the stock before it crashes. Spammers have been delivering their messages in different formats, including .pdf and Excel files, over the past few years as part of a cat-and-mouse game with spam blockers. This latest move to MP3 spam is the latest development in this battle, observers say.


'Storm worm' exploits YouTube
[Source: www.msn-cnet.com]

October 10, 2007
Spammers are exploiting YouTube's "invite your friends" function to send spam containing a variant of the "Storm worm."
Bradley Anstis, director of product management at security firm Marshal, said that spammers are taking advantage of the YouTube function that lets people invite friends to view videos that they have viewed or posted. The function allows someone to e-mail any address from an account.
The scam on Google's video-sharing site is targeting Xbox owners, urging recipients to collect a prize version of the popular game Halo 3. Anstis said clicking on the link to "winhalo3" leads to a file containing a Storm trojan.


Storm worm pulls Halloween hoax
[Source: www.networkworld.com]

October 31, 2007
The latest Storm-backed spam campaign invites e-mail recipients to visit a Halloween-themed Web site where they can download a dancing skeleton. What gets downloaded instead is a version of the Storm malware that turns unsuspecting users’ PCs into members of the world’s largest botnet. Members of these botnets are also known as zombies. According to security vendor Marshal, the e-mail’s embedded link is not to a URL but to an IP address. Users who click on the link to the Halloween Web site and don’t have their browsers up to date with security patches could automatically become infected, Marshal says. Those who have current patches but click on the link to download the dancing skeleton could also become infected.


Malware is Multiplying, Study Warns
[Source: www.news.yahoo.com]

October 27, 2007
Malicious code that installs files such as Trojans, password stealers, keyboard loggers and other malware on users' systems registered a fivefold increase in the first half of 2007, according to research released by Microsoft at the RSA Security conference in London.
And in the same period, 31.6 million phishing scams were detected, an increase of 150 percent over the previous six months.
The survey, sponsored by Microsoft and conducted by the Ponemon Institute, interviewed more than 3,600 security, privacy and marketing executives across a variety of industries, such as financial services, healthcare, technology and government, in the U.S., U.K. and Germany. It found that attackers are increasingly targeting personal information to make a profit, threatening people's privacy as crime rings grow more sophisticated. Further, there are more opportunities for cyber-criminals to steal personal information, as enterprises need to share information and conduct business across borders and devices.
Roger Halbheer, chief security advisor of Microsoft EMEA, said: "If there are rumors of a takeover or a merger, information can become desirable for organized crime circles. Auction bids for a laptop of a CEO amongst criminal organizations can reach seven digit figures."


F-Secure sees smaller botnets on the rise
[Source: www.news.com]

October 01, 2007
Cybercriminals are downsizing their botnets to make it harder for software security companies to track and contain botnet operations, researchers say.
Computers infected with a virus unknowingly become "zombies" in a botnet--which is a network used to send out spam and to mount further attacks on other machines. The zombie army can be controlled remotely, with the botnet creators usually trying to build the largest possible botnet of compromised computers to rent out to gangs for as little as $100 for a couple of hours.
But researchers at antivirus company F-Secure have reported seeing these large networks being broken down into smaller groups of compromised computers because the creation of large botnets is not creating as much revenue for such cybercriminals.


Skype Trojan steals login credentials
[Source:www.theregister.com]

October 17, 2007
Skype users, beware a new Trojan that uses subtle social engineering tricks to try to steal your login credentials.
The malware, which calls itself ‘Skype Defender’, poses as a security plug-in. Infected users are prompted to log into their Skype accounts. Cleverly, the Trojan displays what looks like a Skype login screen, the internet telephony company warns.
If a user enters his Skype username and password, the Trojan displays a message saying that the name and password are unrecognized.
Behind the scenes, this information - as well as all usernames and passwords saved in Internet Explorer - is sent to a hacker-controlled website. By compromising user Skype accounts, hackers gain access to SkypeOut credits, which might be resold, and a possible means to access the PayPal accounts used to pay for those credits.


Industry Hears First 'SingingSpam'
[Source: www.darkreading.com]

October 30, 2007
Even your iPod is no longer safe from spam.
Security firm MessageLabs today reports that it has spotted a massive run of spam sent out in the form of MP3 files and masquerading as music clips from popular artists. This is the first instance of a large distribution of spam hiding inside sound files, the researchers say.
"On October 17, MessageLabs intercepted the first copies of a fairly large spam run likely to be conducted by the same group responsible for the earlier PDF spam," the report says. "This time, the attachment was an audio MP3 file, containing a rusty-sounding, 25-second voice-over touting the latest stock offering from 'Exit Only Incorporated,' MessageLabs says. "It is likely that the voice was synthesized using a very low compression rate of 16 kHz to keep the overall file size small, at around 50 KB."
The spam run continued for about a day and a half, accounting for around a half million spams per hour -- about 5 to 10 percent of the spam sent during that period, MessageLabs says. The audio files were being randomized automatically by changing name and file sizes, sometimes with the same message repeated up to three times within the attachment.
The MP3 files fooled users with attractive and deceptive names, such as bartsimpson.mp3, beatles.mp3, britney.mp3, familyguy.mp3, elvis.mp3, and ringtones.mp3. The files also fooled most anti-spam tools, which typically cannot detect spam hidden in a sound file.


Spyware Fighting Tools Needed
[Source: www.news.yahoo.com]

October 30, 2007
Organizations and law enforcement agencies fighting spyware are making progress, but new tools in an antispyware bill stalled in the U.S. Congress could improve the efforts, a member of the U.S. Federal Trade Commission said Monday.

One of the spyware bills passed by the House of Representatives earlier this year, the Spy Act, would give the FTC authority to impose civil fines on companies that distribute spyware to consumers' computers. The bill, along with the Internet Spyware Prevention (or I-SPY) Act have stalled in the Senate since passing the House in May and June.

The FTC has the authority to collect profits from spyware operations and collect money for consumer redress, but it lacks the authority to impose other fines, as it does when going after spammers, said Commissioner Jon Leibowitz, speaking at a spyware forum in Washington, D.C.