Latest Posts | Page 149

Cyber crime continues to adapt to modern services and infrastructure, often leveraging legitimate services for malicious purposes. On top of this, blackhat services are also being created to aid in attacks. The result is a growing infrastructure available to cyber criminals who continue to innovate attack methodologies. Let's have a look at some examples. Leveraging Modern Services The use of legitimate web hosting for attacks is obviously not new - think of Geocities and Google Pages which were frequently abused in the past (which incidentally... [Read More]
by Derek Manky  |  Dec 11, 2009  |  Filed in: Security Research
iPhoneOS/Eeki.B!worm is said to contain two malicious binaries: sshd, the binary searching for new victims, and duh, a binary found only in variant B and after which some antivirus companies named the worm. This article focuses on the latter. Duh is called by a malicious script named _syslog_ (of course, there's no relationship with the traditional UNIX daemon syslog - it's just named that way to look less suspicious than if it was named!): /private/var/mobile/home/duh /xml/p.php?id=$ID... [Read More]
by Axelle Apvrille  |  Dec 10, 2009  |  Filed in: Security Research
Remember some 10 years ago, when the web browser market was stagnating? Thankfully, those days seem to be long gone now, thanks to a rather intensive competition fostering innovation. A real bliss for the end users, now facing a relatively wide offer of (all free) browsers - the five most popular being: Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Google Chrome and Opera. Yet, the market shares of those are tremendously different: The September 2009 trends from AT Internet Institute (taken from 23 European countries - see above),... [Read More]
by David Maciejak  |  Dec 09, 2009  |  Filed in: Security Research
We have put up our November 2009 Threat Landscape Report, which shows movement amongst annual malware records set for 2009. Malware continued to be distributed in peak volume this period, building off a charge that began in September 2009. Last report, Bredolab and Scareware were the main occupants in our malware top 10 listing -- and were setting records in terms of daily detected volume. Now, a battle of the bots has ensued with Pushdo / Cutwail firmly taking the reins. In latest developments, we observed a Pushdo variant attempting to remove... [Read More]
by Derek Manky  |  Dec 02, 2009  |  Filed in: Security Research
Unless you have been cut from the net this last week, you probably know by now that iPhones are facing their first set of malware (first? Well, actually, not quite, as we have already detected spyware for iPhones): it's just all over the web. Those malware target jailbroken iPhones whose default root password ('alpine') hasn't been changed. Consequently, most people remind/advise iPhone owners to customize root's password or not to jailbreak their iPhone. This is correct, but it is nonetheless worth adding that: all passwords should be customized:... [Read More]
by Axelle Apvrille  |  Dec 02, 2009  |  Filed in: Security Research
AV Lab's honeypots have just started catching new malware seeding campaigns leveraging vaccination profiles for the H1N1 virus. The message is sent as a notification from the "Centers for Disease Control and Prevention (CDC)". Because the sender's email is spoofed and because the URL leading to the rogue website contains a "gov" subdomain, which can be mistaken for the top-level domain, the message may seem plausible to many people. Here is what the email looks like: From: "Centers for Disease Control and Prevention (CDC)" <>... [Read More]
by Karine de Ponteves  |  Dec 01, 2009  |  Filed in: Security Research
Flash exploits targeting the old integer overflow vulnerability (CVE-2007-071) in Flash Player are still relatively active and multiplying on the base of the early versions' exploit code, with more or less slight differences. One such variation was rendered tremendously more stealthy and reliable, thanks to the use of a Flash run-time packer spawning a multiplexer component. It is caught as SWF/Dloader!exploit by Fortinet, yet detection of this peculiar variant across the spectrum of antivirus products is still extremely scarce. Let's lift the lid... [Read More]
by Bin Liu  |  Nov 20, 2009  |  Filed in: Security Research
Since my last post on Jane Doe and Bredolab, John has been slightly jealous of her fame. He told me that he too, as a manager of the returned material service, was dealing with plenty of parcels and that he could have been the perfect target. As I was curious to see what a genuine shipment company e-mail looked like (to compare them with Bredolab), I asked him if I could have a quick look at his mailbox. I had hardly started reading his e-mails when I ran into one that had me immediately start. For those of you who do not speak French, I have... [Read More]
by Axelle Apvrille  |  Nov 16, 2009  |  Filed in: Security Research
Laurent Gaffié disclosed on Nov. 11 on his blog a proof of concept written in Python. This occurred just the day after Black Tuesday, and it seems the author does not follow responsible disclosure: he decided to publicly disclose the code, as he disagreed with Microsoft's answer (they wanted to delay the patch to a service pack rather than a Black Tuesday patch). This piece of code (see Figure 1) has been verified to successfully remotely crash Microsoft Windows 7 and Windows 2008-R2. It is caused by sending a specially crafted NetBIOS header... [Read More]
by David Maciejak  |  Nov 13, 2009  |  Filed in: Security Research
Do you remember Asprox, the botnet that used SQL injection attacks combined with results from search engines like Google to automatically infect Microsoft IIS-powered websites? We did a talk (slides) at the last Virus Bulletin about that, and for about a month now, we've been seeing some new variants in the wild. Like last December, a blind SQL injection targeting ASP pages using Transact-SQL is attempted using the following chain as a request argument: DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C41524520405420564...%20AS%20VARCHAR(4000));EXEC(@S) Once... [Read More]
by David Maciejak  |  Nov 06, 2009  |  Filed in: Security Research