Donna's SecurityFlash

Softpedia's exclusive interview with Malwarebytes: Malwarebytes Accuses, IObit Plays Dead

donna — Mon, 09 Nov 2009 17:48:29 GMT

Malwarebytes burst the bubble this week and came out accusing IObit of copying their database, thus providing through their IObit Security 360 product the same protection as Malwarebytes' Anti-Malware. The copyright infringement implications led to DMCA serving of the latter to a number of software download websites in US.

Both security vendors have engaged in a war of statements on their respective blogs, stirring up heated discussions among users on their forums. Speculations have been made, opinions expressed, but no official answer to clear all haze has been given. We tried to learn about the sparks that lit the scandal and the elements fueling it.

Before we begin, we'd like to note that, in order to be fair and give everyone involved a chance to express their point of view, we also sent a set of questions to IObit for a similar interview. We have received a short response from one of the company's representatives, making it clear that the vendor had more important software development-related tasks on hand than to continue responding to Malwarebytes' accusations.

From the reply we got, we conclude that IObit's position regarding this issue remains unchanged. The company describes Malwarebytes' claims as mere rumors and its actions as unwarranted attacks.

On the matter of other antivirus vendors possibly making similar accusations in the future as a result of this incident, the IObit spokesperson stressed that the company did not steal signatures from anyone and noted that everyone was encouraged to test their database.

Continue reading in http://news.softpedia.com/news/Malwarebytes-Accuses-IObit-Plays-Dead-126389.shtml

Hat tip: Randy

First iPhone worm discovered - ikee changes wallpaper to Rick Astley photo

donna — Sun, 08 Nov 2009 20:52:51 GMT

Apple iPhone owners in Australia have reported that their smartphones have been infected by a worm that has changed their wallpaper to an image of 1980s pop crooner Rick Astley.

The worm, which could have spread to other countries although we have no confirmed reports outside Australia, is capable of breaking into jailbroken iPhones if their owners have not changed the default password after installing SSH. Once in place, the worm appears to attempt to find other iPhones on the mobile phone network that are similarly vulnerable, and installs itself again

On each installation, the worm - written by a hacker calling themselves "ikex" - changes the lock background wallpaper to an image of Rick Astley with the message:

ikee is never going to give you up

What's clear is that if you have jailbroken your iPhone or iPod Touch, and installed SSH, then you must always change your root user password to something different than the default, "alpine". In fact, it would be a good idea if you didn't use a dictionary word at all.

The worm will not affect users who have not jailbroken their iPhones or who have not installed SSH.

http://www.sophos.com/blogs/gc/g/2009/11/08/iphone-worm-discovered-wallpaper-rick-astley-photo/

People having issue to sign-out their Windows Live ID or Hotmail

donna — Sun, 08 Nov 2009 20:27:25 GMT

If you are seeing the message below when signing out of Windows Live ID or Hotmail pages by Microsoft:

Sign out failed!

We could not sign you out because your browser seems to be blocking third party cookies.

Close all browser windows to sign out.

To prevent this error in the future, you must enable third party cookies by chaging your browser settings.

You should just close the browser. If you don't want to see the above message, add passport.com, live.com and hotmail.com in your cookies manager. If you are using MSN (e.g. personalized or customized MSN page), add msn.com too!

See discussion in http://www.calendarofupdates.com/updates/topic24848

Vint Cerf: 'Google doesn't know who you are'

donna — Sun, 08 Nov 2009 19:49:19 GMT

Interwebs founding father and Google evangelist Vint Cerf has insisted that when you search Google, the company doesn't know who you are.

Thursday morning, at a mini-conference in San Francisco, the always entertaining Cerf sat down with Wall Street Journal columnist Walt Mossberg and other tech luminaries to discuss "open" mobile networks. But at one point, the conversation turned to the epic amounts of user data pouring onto Google servers across the globe.

As Mossberg started to complain about Google using Gmail and other sign-in services to tie more and more search data to real live people, Cerf quickly interrupted. "We still don't know who you are," said the Google figurehead.

Mossberg begged to differ, pointing out that as netizens sign-in to their Google accounts in order to use other services, the company also ties those accounts to search data. "When I search Google, you can see - right up at the top of page - that I'm logged in. You can see my Gmail address," he told Cerf. "You know who I am."

But Cerf insisted that even in those situations, Google doesn't know you. "You are somehow conflating things that I think need to be disaggregated," Cerf told Mossberg. "A Gmail identifier doesn't tell us anything. It's just an identifier. We have no other thing to tie that to. It's just an identifier [You said that already. -Ed]. And by the way, you picked it. We didn't."

As ridiculous as that may sound, it's a common Google argument. When a federal court recently asked Google to divulge the identity of an innocent Gmail user - if the account was still active - the company told us that wasn't possible.

http://www.theregister.co.uk/2009/11/07/cerf_on_google_data_collection/

Malware SPAM: Congratulations!! You have won todays Macbook Air winner.zip

donna — Sat, 07 Nov 2009 04:40:50 GMT

A malicious attachment in today's malware spam is in the wild. The email message is:

Congratulations!! You have won todays Macbook Air.
Please open attached file and see datails.

70% of malware scanners will detect the file. Once executed, the trojan will try to connect to IP address 78.159.121.41

http://www.calendarofupdates.com/updates/index.php?showtopic=24840

Windows 7 sales exceed Vista sales by 234%

donna — Fri, 06 Nov 2009 15:40:05 GMT

It has been quite amazing to watch the global excitement build around Windows 7, especially during a tough economic climate. It was just a few short weeks ago that we learned about Windows 7 outselling the UK's "own" Harry Potter. In Japan, anxious PC users waited in line to be one of the first to get their hands on Windows 7. And just today, according to the NPD groups' weekly tracking service, Windows 7 software unit sales in the U.S. increased 234% over Windows Vista's first few days of sales. "A combination of factors impacted Windows 7 PC sales at the outset, but the trajectory of overall PC sales is very strong leading into the holiday season," said Stephen Baker at NPD.

http://windowsteamblog.com/blogs/windows7/archive/2009/11/05/windows-7-sales-exceed-vista-sales-by-234.aspx

Windows 7 Boxed Software Sales Surpass Vista Launch, According to NPD

Top-Selling Windows 7 SKUs
1. Windows 7 Home Premium Upgrade
2. Windows 7 Pro Upgrade
3. Windows 7 Home Premium Family Pack 3 User Upgrade

http://www.npd.com/press/releases/press_091105a.html

Now get your Windows 7 theme :)

Revamped: MSN Homepage

donna — Fri, 06 Nov 2009 15:33:54 GMT

New Cleaner, Prettier MSN Homepage Revealed

he new, revamped MSN homepage is now live. Updated on Tuesday, November 3rd, this hugely popular internet portal sees 100 hundred million visitors per month who comes to read news, watch videos, and get other local information like events and weather. Yet despite its popularity, the portal has not seen a major overhaul of its design since 2004.

If you’re not a regular visitor to the site, you’ll still be able to tell at a glance that it’s undergone a number of big changes. Nothing has been left untouched – even the butterfly logo has been revamped!The new site opts for a much cleaner look. Gone is the blue background surrounding the white space, replaced by a completely white background instead.

At the top of the site, there’s a Bing search box, followed by topical links underneath taking you to news, entertainment, sports, money, lifestyle, or “more” subsections. On the main page, the lead stories are promoted by large, attention-grabbing images while other news items appear below as links.

Also different is that the site no longer forces you to sign in and custom your settings in order to get local information. Although customization is still an option, Microsoft found that most users weren’t bothering. So now, the site uses geolocation technology to determine your location by IP address. This allows it to deliver local weather and news to the homepage and to the “local edition” sub-site that’s filled exclusively with area news (see link at top right).

However, if you want to see your Hotmail email or Windows Live updates in the homepage modules that sit towards the bottom of the page, you will need to sign in and authenticate yourself using your Windows Live ID.

One of the more interesting updates is the inclusion of Facebook news feeds and Twitter updates, both of which are located as tabs within the Windows Live module. Using Facebook Connect and Twitter OAuth, you can sign into these sites without having to enter your username and password. These new features allow you to keep up-to-date on your social networks right from the homepage. You can also update your status from the homepage, too.

The new homepage is being rolled out over the coming months, but U.S. users can see a preview of it now at preview.msn.com. By the end of the year, 10% of U.S. users will have been switched over. After the U.S. rollout is complete, international markets will follow.

Screenshots in http://on10.net/blogs/sarahintampa/New-Cleaner-Prettier-MSN-Homepage-Revealed/ or http://www.microsoft.com/presspass/press/2009/nov09/11-03NewHomepagePR.mspx

Good but I'm not interested with Facebook and Twitter OAuth that have dark-side

Google Chrome Two Vulnerabilities

donna — Fri, 06 Nov 2009 15:30:19 GMT

Secunia Advisory: SA37273
Release Date: 2009-11-06
Critical: Moderately critical
Impact:
Exposure of system information
Exposure of sensitive information
System access
Where: From remote
Solution Status: Vendor Patch
Software: Google Chrome 3.x

Some vulnerabilities have been reported in Google Chrome, which potentially can be exploited by malicious people to disclose sensitive information or compromise a user's system.

1) The browser fails to display a warning when a user downloads and opens e.g. SVG, MHT, or XML files. This can be exploited to potentially execute arbitrary JavaScript code in a local context and e.g. disclose the content of local files via a specially crafted web page.
2) An error in the Gears SQL API implementation can be exploited to put SQL metadata into a bad state and cause a memory corruption.

Successful exploitation of this vulnerability may allow execution of arbitrary code, but requires that the user allows the interaction of a malicious website with the Gears plugin.
The vulnerabilities are reported in versions prior to 3.0.195.32.

Solution: Update to version 3.0.195.32.

http://secunia.com/advisories/37273/

Controversial email blocklist SORBS sold

donna — Fri, 06 Nov 2009 15:28:32 GMT

GFI confirms purchase of reputation service

GFI Software has confirmed the purchase of sometimes controversial spam blocklist provider SORBS for a reported $451,000.

Spam and Open Relay Blocking System (SORBS) has maintained a list of email servers suspected of sending or relaying spam since 2002. Inefficiencies in its spam blocklist database removal procedure, a controversial fines policy and the aggressive blacklisting of shared IP addresses have drawn criticism even from those also looking to clamp down on junk mail on the internet.

Citing an impending eviction by its University of Queensland web hosts, Australia-based SORBS publicly contemplated either selling or closing the service back in June. In the event the operation continued running as before until October when it found a white knight in the shape of GFI Security, a US based vendor of web and network security and management tools.

http://www.theregister.co.uk/2009/11/06/sorbs_sold/

Apple Mac OS X "ptrace()" DoS Vulnerability

donna — Fri, 06 Nov 2009 15:28:12 GMT

Secunia Advisory: SA37238
Release Date: 2009-11-06
Critical: Not critical
Impact: DoS
Where: Local system
Vendor Solution Status: Unpatched

A vulnerability has been reported in Mac OS X, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The vulnerability is caused due to a race condition within the "ptrace()" implementation, which can be exploited to cause a kernel panic.

The vulnerability is reported in version 10.5.6, 10.5.7, and 10.6.1. Other versions may also be affected.

Solution: Restrict access to trusted users only.

http://secunia.com/advisories/37238/

House Panel Approves Cyber-security Awareness Act

donna — Fri, 06 Nov 2009 15:14:46 GMT

Legislation would mandate that National Institute of Standards and Technology develop a plan to ensure cyber-security coordination within the U.S. government.

A U.S. House subcommittee approved Nov. 4 the Cybersecurity Coordination and Awareness Act, legislation that would require NIST (National Institute of Standards and Technology) to develop and implement a plan to ensure coordination within the U.S. government with regard to the development of international cybersecurity technical standards.

The bill, approved by the the Committee on Science and Technology’s Subcommittee on Technology and Innovation, would also require NIST to develop and implement a cybersecurity awareness and education program and engage in research and development to improve identity management systems.

"Twenty-two years ago, this Committee paved the way for federal cybersecurity efforts with the Computer Security Act of 1987, which charged NIST with developing technical standards to protect non-classified information on federal computer systems and was the first of 13 major laws related to cybersecurity," Subcommittee Chairman David Wu (D-OR), said in a statement.

http://www.eweek.com/c/a/Security/House-Panel-Approves-Cybersecurity-Awareness-Act-899956/

Botnets Tighten Defenses Year After McColo Shutdown

donna — Fri, 06 Nov 2009 15:12:07 GMT

In the roughly 12 months since the McColo shutdown caused a short but dramatic drop in spam, botnet operators have changed tactics to minimize the impact of authorities shutting down their ISPs. Security researchers discussed how with eWEEK.

In the year since the shutdown of notorious Web hosting firm McColo, spammers are growing strong. In fact, researchers at McAfee reported that spam accounted for 92 percent of e-mail in the second quarter of 2009. Part of this is the result of improvements by botnet operators. Like anyone who is successful what they do, the people controlling the most powerful botnets in cyber-space learn from their mistakes.

"McColo affected a couple of main botnets seriously, notably Srizbi which has never recovered and Rustock which took an immediate hit before recovering over time," explained Bradley Anstis, vice president of technical strategy at M86 Security. "One of the immediate changes was the use of hard coded domains in the malware body instead of IP addresses. Before, domains could be changed to different IP addresses to provide a recovery option on their command and control methods."

"In general," he continued, "they have improved the availability and resilience of their command and control servers and in some ways the McColo take down has driven them more underground and forced them to use more different methods, making it harder to detect. Some examples that have already been seen have been the use of Twitter, Google Groups and Facebook."

More in http://www.eweek.com/c/a/Security/Botnets-Tighten-Defenses-Year-After-McColo-Shutdown-613503/

Gov't warns firms about online robberies

donna — Fri, 06 Nov 2009 14:59:49 GMT

Online criminals have used the Automated Clearing House (ACH) system to facilitate the theft of more than $100 million from small and medium businesses, the FBI warned this week.

The attacks typically use social engineering via e-mail messages to install malicious software on the computers of managers responsible for a business's financial transactions. The Trojan horse then transfers money from the firm's account, when the manager signs onto the business's bank account. The FBI has had reports of firms losing hundreds of thousands to millions of dollars, according to an advisory posted on the FBI's Internet Crime Complaint Center (IC3).

"In most cases, the victims' accounts are held at local community banks and credit unions, some of which use third-party service providers to process ACH transactions," the FBI stated. "The bank account holders are often small- to medium-sized businesses across the United States, in addition to court systems, school districts, and other public institutions."

Data indicates that criminals are quickly ramping up their operations. Last month, the FBI estimated that more than $40 million has recently been stolen from firms, according to the Washington Post. In one example, a Silicon Valley construction firm had $447,000 siphoned from its account in 27 separate transactions in a matter of minutes.

http://www.securityfocus.com/brief/1032

Backdoor in top iPhone games stole user data, suit claims

donna — Fri, 06 Nov 2009 14:56:51 GMT

Storm8's iSpy

A maker of some of the most popular games for the iPhone has been surreptitiously collecting users' cell numbers without their permission, according to a federal lawsuit filed Wednesday.

The complaint claims best-selling games made by Storm8 contained secret code that bypassed safeguards built into the iPhone to prevent the unauthorized snooping of user information. The Redwood City, California, company, which claims its games have been downloaded more than 20 million times, has no need to collect the numbers.

"Nonetheless, Storm8 makes use of the 'backdoor' method to access, collect, and transmit the wireless phone numbers of the iPhones on which its games are installed," states the complaint, which was filed in US District Court in Northern California. "Storm8 does so or has done so in all of its games."

Messages left for Storm8 representatives weren't returned.

http://www.theregister.co.uk/2009/11/06/iphone_games_storm8_lawsuit/

Vulnerability in the BlackBerry Desktop Manager allows remote code execution

donna — Fri, 06 Nov 2009 14:52:33 GMT

Research In Motion (RIM) has tested the following software to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected.

Affected product: BlackBerry Desktop Software version 5.0 and earlier (on all platforms)
Non-Affected Software: BlackBerry® Device Software, BlackBerry® Enterprise Server

This advisory relates to a vulnerability in a Lotus Notes Intellisync DLL that the BlackBerry Desktop Manager may use. This vulnerability may allow a malicious user to perform an attack that leverages social engineering to achieve remote code execution on the computer running the BlackBerry Desktop Manager. If the legitimate (logged in) user clicks a link to a malicious web site (for example, in an email message, in a browser, or an instant message) on the computer that is running the BlackBerry Desktop Manager, a vulnerability in an Intellisync component could allow the malicious user who sent the link or created the malicious web site to execute code on the computer using the privileges of the legitimate user.

Note: The affected Lotus Notes Intellisync DLL is included by default in all BlackBerry Desktop Manager installations. This vulnerability exists whether or not the DLL is used after installation.

Issue Severity: This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.3.
Issue Status: Vulnerability confirmed. For more information, see the Resolution section.

Resolution
RIM has issued a software update that resolves this issue in BlackBerry Desktop Software version 5.0.1 and later.
Upgrade the BlackBerry Desktop Software

Note: The minimum BlackBerry Desktop Software version you can install to resolve this issue is 5.0.1.

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB19701 via http://www.us-cert.gov/current/index.html#blackberry_desktop_manager_vulnerability

Postini Technology to Spread Across Google Apps

donna — Fri, 06 Nov 2009 14:48:38 GMT

The Postini technology that lets Google Apps Premier administrators control their e-mail environments by establishing and enforcing usage policies, rules and parameters will be extended to the other applications of the suite.

That way, Apps Premier administrators will gain tighter control over how employees use not only Gmail but also the other suite components, like the word processing, spreadsheet and presentation applications.

When completed, this extension of the Postini security and management capabilities could go a long way toward calming concerns from CIOs and IT managers about using Web-hosted software like Google Apps.

This could in turn boost Google's attempts to lure large organizations to adopt Apps Premier, which, as the suite's most sophisticated version, contains an increasing number of tools and services that these companies require. Apps Premier is the only fee-based edition of the suite, priced at US$50 per user per year.

http://www.pcworld.com/businesscenter/article/181575/postini_technology_to_spread_across_google_apps.html

Kaspersky: Removable media is a major source of infection

donna — Fri, 06 Nov 2009 14:41:26 GMT

Kaspersky Lab presents its monthly malware statistics

From this month onwards, the data used is gathered from all products that use the Kaspersky Security Network (KSN), i.e. products from both the 2009 and 2010 lines. As a result, the Top Twenties have changed somewhat and the figures in both ratings this month are significantly higher, due to an increased numbers of users participating in KSN.

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralised when accessed for the first time, i.e. by the on-access scanner.

Net-Worm.Win32.Kido.ir, which made its first appearance last month, has replaced the traditional leader, Kido.ih. This demonstrates once again that infected removable media are a major source of infection.

Still on the subject of removable media, Autorun.dui, which appears regularly in the ratings, has been joined by a very similar program, Autorun.awkp that entered in 9th place. These malicious programs, as the name suggests, automatically run malware on removable devices.

http://www.kaspersky.com/news?id=207575954
http://www.kaspersky.com/news?id=207575955

Websense: Media-servers.net Compromised

donna — Fri, 06 Nov 2009 14:37:47 GMT

Websense Security Labs™ ThreatSeeker™ Network has detected that the site media-servers.net has been compromised and injected with malicious code. The Web site belongs to a high-profile advertiser on the Internet realm. It's important to note that media-servers.net serves advertising content from ad.media-servers.net, and that this site is clean. The injected code is part of an ongoing mass injection campaign that compromised thousands of legitimate Web sites. Websense Security labs have been tracking this campaign for months.

The exploits associated with this attack are:

Microsoft DirectShow CVE-2008-0015
Microsoft Snapshot Viewer CVE-2008-2463
Microsoft Data Access Components (MDAC) CVE-2006-0003
AOL ConvertFile() remote buffer overflow exploit

There is also an autoloading malicious PDF file that holds the next vulnerabilites:

Adobe Reader and Acrobat 8.1.1 buffer overflow CVE-2007-5659
Adobe Acrobat and Reader 8.1.2 buffer overflow CVE-2008-2992

If the user's browser is successfully exploited, a malicious file is downloaded and run in the user's Windows home directory from another collaborated exploit site. The malicious file (SHA1: 6776489a0ed889fbabb317763c7c913fdc782631) has an extremely low AV detection rate at the time the file was checked.

http://securitylabs.websense.com/content/Alerts/3500.aspx

Gumblar malware is active again

donna — Fri, 06 Nov 2009 14:32:00 GMT

Malware hijacks Google searches to infect PCs

ScanSafe researchers are seeing renewed activity regarding Gumblar, a multifunctional piece of malware that spreads by attacking PCs visiting hacked Web pages. Gumblar can steal FTP credentials as well as hijack Google searches, replacing results on infected computers with links to other malicious sites.

When the Gumblar malware was found in March, it looked for instructions on a server at gumblar.cn. That domain was taken offline at the time, but has been reactivated within the last 24 hours, wrote Mary Landesman, a senior security researcher with ScanSafe, on a company blog.

Websites that are infected with Gumblar contain an iframe, which is a way to bring content from one Web site into another. Malware writers usually make those iframes invisible. When a victim visits the site, the iframe will launch a series of exploits hosted on a remote computer to try and hack the visiting machine.

http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=17487

56pc wireless networks open to hackers

donna — Fri, 06 Nov 2009 14:27:40 GMT

Over half (56pc) of wireless networks in Dublin, Cork and Limerick are vulnerable to attackers, according to the latest wireless vulnerability assessment by Deloitte.

This means that over half of the 6545 networks that were scanned across the three cities are not protected against attacks on their information, exposing sensitive personal or business data to unauthorised users.

The findings of the assessment, which was expanded this year to include Cork and Limerick, has shown that once again the use of wireless encryption to protect wireless networks remains poor. The 56pc of networks found to be vulnerable used either no encryption to protect communications (19pc), or weak encryption which can be trivially broken in a matter of minutes by hackers (36pc).

By analysing those networks that can be identified as either residential or business networks (i.e. excluding public networks), it was found that the incidence of unsecured wireless network drops to 46pc. In addition, further analysis of the business and residential networks reveals that Limerick has the most secure wireless landscape (at 62pc) compared to Dublin and Cork (54pc and 53pc respectively). The survey shows that the level of wireless security in Dublin has remained consistent with last year, when 54pc of connections were also found to be insecure in the capital city.

http://www.businessworld.ie/livenews.htm?a=2506719