New Adobe Vulnerabilities Being Exploited in the Wild

Adobe posted a vulnerability report warning that vulnerabilities in Adobe Reader and Acrobat XI (11.0.1) and earlier versions are being exploited in the wild. Adobe is currently investigating this issue.

According to the FireEye blog posted earlier today, the malicious file arrives as a PDF file. Upon successful exploitation of the vulnerabilities, two malicious DLL files are dropped.

Symantec detects the malicious PDF file as Trojan.Pidief and the two dropped DLL files as Trojan Horse.

We are currently investigating the possibility of further protections for these vulnerabilities and will provide an update to this blog when possible.

A subsequent advisory posted by Adobe indicates the following versions of Adobe Reader and Acrobat are vulnerable:

  • Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Reader 9.5.3 and earlier 9.x versions for Windows and Macintosh
  • Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

Internet Explorer security hole: Use other browser

The Telegraph: Internet Explorer users might want to consider upgrading or switching to another browser after a massive security hole was discovered in Windows’ native web browser.

According to security forum Rapid7, Internet Explorer 7, 8 and 9 running on Windows XP, Vista and Seven contain what is known as a “zero day exploit”, which allows attackers to gain access to your personal data while you browse.

The forum claimed the exploit would give cyber criminals “the same privileges as the current user”.

It claimed that 41 per cent of US and 32 per cent of global Internet Explorer users could be affected.

Microsoft confirmed that it was aware of the targeted attacks “potentially affecting some versions of Internet Explorer”.

Director of Microsoft Trustworthy Computing, Yunsun Wee, told Fairfax that Internet Explorer 10 is not affected by the issue.

“We recommend customers deploy Microsoft’s Enhanced Mitigation Experience Toolkit 3.0, which provides effective protections without affecting the web browsing experience,” he said. “We will continue to investigate this issue and take further actions as appropriate.”

Oracle rushes out patch for critical 0-day Java exploit

The Register: In an uncommon break with its thrice-annual security update schedule, Oracle has released a patch for three Java 7 security flaws that have recently been targeted by web-based exploits.

“Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible,” Eric Maurice, the company’s director of software security assurance, said in a blog post published on Thursday.

Maurice said that the vulnerabilities patched only affect Java running in browsers, and not standalone desktop Java applications or Java running on servers. According to Oracle’s official advisory on the flaws:

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.

That certainly matches the description of the vulnerabilities first spotted on a rogue website by security firm FireEye on Sunday. Exploits for the flaws have since been incorporated into the notorious Blackhole malware toolkit and the Metasploit penetration testing tool.

On Wednesday, Adam Gowdiak of Polish startup Security Explorations revealed that his company had disclosed details of the vulnerabilities in question – along with 29 others – to Oracle in April of this year, but that the database giant still had not fixed the flaws as of its June Critical Patch Update (CPU).

Oracle told Security Explorations that it had developed fixes for most of the other vulnerabilities it had submitted and that they would be ready for the next Java CPU. Unfortunately, however, that patch kit wasn’t scheduled to be released until October 16.

Now, in an apparent capitulation to growing public concern over the exploits, Oracle has issued a rare out-of-band update for Java 7 that it says should ameliorate the threat.

According to Maurice, Java users who run Windows can use the Java Automatic Update feature to get the latest, patched version, which is officially dubbed Java SE 7 Update 7. Users on other platforms can visit the official Java website to download and install it.

Java zero day vulnerability actively used in targeted attacks

ZDNet: Security researchers from FireEye, AlienVault, and DeependResearch have intercepted targeted malware attacks utilizing the latest Java zero day exploit. The vulnerability affects Java 7 (1.7) Update 0 to 6. It does not affect Java 6 and below.

Based on related reports, researchers were able to reproduce the exploit on Windows 7 SP1 with Java 7 Update 6. There’s also a Metasploit module available.

Upon successful exploitation, the campaign drops a payload with MD5 4a55bf1448262bf71707eef7fc168f7d, detected by 28 out of 42 antivirus scanners as Gen:Trojan.Heur.FU.bqW@a4uT4@bb; Backdoor:Win32/Poison.E.

Users are advised to consider browsing the Web and interacting with emails in an isolated environment, or to block Java in their Web browsers until Oracle ships a patch for the security flaw.

Although what we’ve got here is a clear indication of an ongoing malicious attack utilizing a zero day flaw, on the majority of occasions cybercriminals wouldn’t necessarily rely on a zero day flaw in order to infect as many users as possible. Instead, they would stick to using outdated and already patched vulnerabilities taking into consideration the fact that end and corporate users aren’t patching their third-party software and browser plugins.

Bogus anti-hacking tool targets Syrian activists

At one point, the AntiHacker malware even had its own Facebook group (now offline)

The H Online: Syrian activists, journalists and opposition group members are reportedly under attack by malware claiming to be a security tool that will help protect them against hackers. The fake “AntiHacker” tool is being spread through targeted phishing emails and via sites such as Facebook, and claims to provide “Auto-Protect & Auto-Detect & Security & Quick scan and analyzing” functionality.

However, according to the Electronic Frontier Foundation (EFF), the fraudulent tool actually installs a program called DarkComet RAT (remote access tool). The US digital rights advocacy organization says that the new malware is being spread and controlled by pro-government hackers. With DarkComet, these hackers can remotely access users’ systems to steal private data, record keystrokes, disable certain antivirus programs’ notification systems and even obtain images from a computer’s built-in webcam.

Users who believe their systems are infected with the remote access program can download the DarkComet RAT removal tool by developer Jean-Pierre Lesueur, who originally wrote DarkComet. Lesueur stopped development and sales of DarkComet after he learned that it was being used by Syrian government forces against political opponents.

http://h-online.com/-1669262

Ladies with few clothes tend to cause a lot of trouble on PCs – and now on Android devices too

Cross-posted from Securelist

The appearance of a new Android malware family is not that surprising today, especially when we talk about SMS Trojans, which are one of the most popular and oldest types of threat created for extracting money from users. A new family of SMS Trojans named Vidro appeared a few days ago, but we have already collected a lot of APK files with very similar functionality. At the moment all the samples we have found target users only from Poland.

Spreading

Trojan-SMS.AndroidOS.Vidro is spread via porn sites. The mechanism is very similar to the way the very first Android malware (Trojan-SMS.AndroidOS.FakePlayer) spread. If the user visits a porn site with a desktop browser he will see something similar to this:


But if the potential victim somehow visits the same website using an Android device, a porn web site will be ‘optimized’ for the smartphone:


After clicking on the link ‘Watch Now’, the user will be redirected to the web site called ‘Vid4Droid’ (vid4droid.com) which suggests to the victim that they download ‘The new Sexvideo App’:


A click on the ‘Install’ button redirects the victim to a page that starts the download automatically and contains instructions on ‘how-to-install-our-super-porno-app’, with a reminder to allow the installation of applications from unknown sources:


Vidro description

After the installation of Vidro the following icon can be found in the main menu:


If the victim launches the malware, the first thing he sees is a dialog box inviting him to agree to the terms and conditions.


But the ‘funny’ fact is that there is no EULA or terms and conditions anywhere in the app. In other words, even if such conditions exist, there is no way to read them. After clicking ‘Yes’, an SMS message is sent to a premium rate number. The premium rate number is 72908 (Polish) and the SMS text is PAY {unique sequence of digits and letters}. Each message costs 2 zł (0.5 Euro). We will discuss the SMS text later. Messages are sent every 24 hours. All the data required for sending the expensive SMS is stored in the configuration file ‘setting.json’.

Vidro is also able to hide incoming SMS messages from specific numbers. We have already seen such functionality in Trojans like Foncy and Mania.

Besides sending expensive messages Vidro is able to:

  • Update the configuration file (which might contain a new premium rate number and SMS text) and update itself. For connecting to the remote server the malware uses its own User-Agent string: “Mozilla/5.0 (Linux; U; {app_id}; {android_version}; de-ch; Vid4Droid) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30”.
  • Upload information about itself and the infected device to a remote server.

Content provider and affiliate network

If you google ‘72908’ (the premium rate number from Vidro) you can find a Polish forum which contains some complaints about this number.


Rough translation:

“How to remove ‘carmunity’ from 72908 number? Help me.”

“It’s probably some kind of virus, this SMS goes out from the phone, it’s better to disable it with your GSM provider, both outgoing and incoming.”

“I want to disable.”

Let’s take a deeper look at the malicious vid4droid.com domain. According to Robtex this domain is controlled by two name servers at carmunity.de; and the vid4droid.com mail server is handled at tecmedia.eu.


There are a number of hosts (like ‘sex-goes-mobile.biz’, ‘sexgoesmobile.biz’, ‘sexgoesmobil.com’ and similar) which share both name servers and mail servers with this domain. If you visit one of these hosts you are redirected to the web site sexgoesmobile.com.

Carmunity

Carmunity is a German content and service provider company, whose “portfolio offers an array of creative and technical solutions, enabling businesses to generate and apply their own portals in the mobile internet”. This quote was copied from the English version of their web site (carmunity.de).

Screenshot: main page of the Carmunity web site

Contact information contains the physical address of this company. According to this, Carmunity is located in Bremen, Mary-Astell-Str. 2. If you google this address you can find that another German company called Displayboy has the same physical address. What do we know about this organization? Well, here are some quotes from their web site displayboy.com (no German version, only English):

“Welcome to DisplayBoy – the leading provider for adult affiliate marketing in the mobile Internet.”

“Right now, between 5%-10% adult website users are surfing sites with mobile phones. With Displayboy you can convert your existing mobile traffic in a snap. It’s easy, simple and reliable.”


Do Carmunity and Displayboy have something in common? I think, yes 🙂 At least both companies are specialized in monetization of mobile traffic.

SexGoesMobile

As mentioned above, some host names share the name servers and mail servers of the vid4droid.com domain. If you try to visit one of them you will be redirected to sexgoesmobile.com. Here is part of the main page of this web site:


Yes, it’s an affiliate network created for monetizing mobile adult traffic. And there are some curious things inside. Let’s see what’s going on there.

Many mobile affiliate networks (Russian ones at least) provide full access to various so-called ‘promotional tools’ to all participants. The SexGoesMobile affiliate network also offers various ‘promotional tools’. For example, you can create a mobile pay site using one of the existing templates:


Each template has its own domain name. And each affiliate who participates in SexGoesMobile has an ID. After choosing the template this affiliate is able to choose the target audience (‘mobile’ or ‘desktop’):


And finally an affiliate is able to generate a unique URL with his ID:


If the potential victim clicks on this unique link he will be redirected to the web site exgftube.mobi, which contains fake video thumbnails. By clicking on one of these thumbnails the user is redirected to the vid4droid.com web site, where he is invited to download the vid4droid.apk file (Trojan-SMS.AndroidOS.Vidro). Do you remember the format of the SMS text in this malware? PAY {unique sequence of digits and letters}. This unique sequence of digits and letters is generated on a remote malicious server based on the referrer (a unique URL with the ID of the affiliate). In other words, each affiliate ‘has’ his own SMS Trojan with a unique SMS text.
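As an added example, not part of the original Securelist post, the following Python script shows how a defender could sweep web-proxy logs for the traits described in this post: the distinctive Vidro User-Agent string (the “Vid4Droid” token in the platform field), requests to the hosts in the distribution chain (vid4droid.com, exgftube.mobi, sexgoesmobile.com) and APK downloads, and then rank each client by how many of those traits it shows. The log line format, the IP addresses and the `app123` / `2.3.6` placeholder values are assumptions; the log lines are constructed for the example.

```python
import re

# Constructed sample proxy log (assumed format: client_ip "METHOD URL" status "User-Agent").
# These lines are made up for the example; they are not captured traffic.
SAMPLE_LOG = """\
10.0.0.12 "GET http://exgftube.mobi/" 200 "Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
10.0.0.12 "GET http://vid4droid.com/vid4droid.apk" 200 "Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
10.0.0.12 "POST http://vid4droid.com/update" 200 "Mozilla/5.0 (Linux; U; app123; 2.3.6; de-ch; Vid4Droid) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
10.0.0.7 "GET http://example.org/index.html" 200 "Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
10.0.0.9 "GET http://sexgoesmobile.com/" 302 "Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; GT-I9100) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# The malware's User-Agent template from the post is
#   Mozilla/5.0 (Linux; U; {app_id}; {android_version}; de-ch; Vid4Droid) ...
# A legitimate Android browser puts "Android <version>" in the field where the
# malware puts its app_id, and never carries the "Vid4Droid" token.
VIDRO_UA_RE = re.compile(r"\(Linux; U; [^;)]+; [^;)]+; [^;)]+; Vid4Droid\)")

# Hosts named in the post as part of the distribution chain.
SUSPECT_HOSTS = {"vid4droid.com", "exgftube.mobi", "sexgoesmobile.com"}


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def host_of(url):
    """Extract the lower-cased host part of an absolute URL."""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


def classify(entry):
    """Return the set of indicator names that a single log entry triggers."""
    reasons = set()
    if VIDRO_UA_RE.search(entry["ua"]):
        reasons.add("vidro-user-agent")
    if host_of(entry["url"]) in SUSPECT_HOSTS:
        reasons.add("distribution-host")
    if entry["url"].lower().endswith(".apk"):
        reasons.add("apk-download")
    return reasons


def scan(log_text):
    """Map each client IP to the union of indicators seen across its requests."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.setdefault(entry["ip"], set()).update(reasons)
    return findings


def severity(reasons):
    """A client that downloaded an APK and then talked with the malware's own
    User-Agent is almost certainly infected; a lone visit to an affiliate host
    is only worth a look."""
    if "vidro-user-agent" in reasons:
        return "infected"
    if "apk-download" in reasons:
        return "likely-infected"
    return "suspicious"


if __name__ == "__main__":
    for ip, reasons in sorted(scan(SAMPLE_LOG).items()):
        print(ip, severity(reasons), sorted(reasons))
```

Because the indicators are unioned per client, the rating survives the order in which the requests appear; a client whose first logged request already carries the Vid4Droid User-Agent is flagged even if the APK download happened before logging started.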

Conclusion

The mobile malware industry and mobile malware services continue to evolve. A couple of years ago mobile affiliate networks were mostly Russian. Now we see these affiliate networks appearing in other countries. Unfortunately, such networks have already become pretty effective and are an easy way to spread mobile malware and earn money illegally. And the ‘migration’ of affiliate networks will lead to new infections and huge money losses not only in Russia but in other countries as well.

Android Forums hacked: 1 million user credentials stolen

ZDNet: Phandroid’s AndroidForums.com has been hacked. The database that powers the site was compromised and more than 1 million user account details were stolen. If you use the forum, make sure to change your password asap.


Read the whole story at ZDNet: http://www.zdnet.com/android-forums-hacked-1-million-user-credentials-stolen-7000000817/

Yahoo! Voice reportedly compromised, over 453,000 credentials exposed


Übergizmo wrote: If you use Yahoo! Voice a lot – Yahoo’s VoIP service offered through its Yahoo! Messenger instant messaging application – then you will definitely need to hear this report. Earlier today, more than 453,000 user accounts from an unidentified service owned by Yahoo were posted on a hacker site. The hackers reportedly said that they infiltrated the subdomain by using a union-based SQL injection. But the group responsible for the security breach added that the data breach was intended to be a wake-up call for Yahoo.

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the hackers wrote. “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.” According to TrustedSec, the compromised server could most likely belong to Yahoo! Voice. This assumption was based on the string “dbb1.ac.bf1.yahoo.com” found in the data dump. Yahoo has yet to release an official response to the reports.

If you have a Yahoo account you should change your password as soon as possible.

Source: Übergizmo

Important: Today is your last chance to keep your internet connection


Tomorrow, July 9th, the FBI will shut down the DNS servers which allow computers infected with the DNSChanger malware to use the Internet.

If you want to make sure your internet connection keeps working, act today and check whether your computer is infected by DNSChanger or not; here is a very easy to use tool: Tool available for those affected by the DNS-Changer

Password leaks bigger than first thought

The published password hashes do not contain any email addresses or usernames

The H-Online: There have still been no official statements on the causes and extent of the recent password leaks at LinkedIn, eHarmony and Last.fm. A credible source is now reporting that the published 2.5 million Last.fm MD5 hashes, for example, are just the tip of a 17 million hash iceberg. That iceberg has reportedly been circulating since summer 2011. 16.4 million of these – 95 per cent – have, the source claims, already been cracked, a claim which, for unsalted hashes, is entirely credible.

Since the lists do not contain any duplicates, it is likely that the number of affected users is in fact much larger than originally thought. Similarly, at LinkedIn, whose official statement persists in using the seemingly harmless phrase “some passwords”, several factors suggest that the list of 6.5 million SHA1 hashes posted online may exclude simple passwords that have already been cracked. A blog post entitled LinkedIn vs password cracking gives an excellent overview of the contemporary tools and techniques used to crack passwords.

The concrete effects of this particular password leak are not yet clear. The publicly distributed lists do not include user names or email addresses. It would, however, seem reasonable to assume that whoever stole the passwords also has, and is using, this information. Last month Last.fm admitted to having received several reports of spamming involving user data. Since identical spam is sometimes sent to email addresses from the LinkedIn and Last.fm leaks, it is more than likely that both databases have fallen into the same hands.

There is also a first indication as to why Last.fm failed to implement rudimentary security measures to protect its users’ passwords. According to someone claiming to be a former system architect at the company, design weaknesses in the music service’s mobile API architecture were responsible for the, by today’s standards, weak encryption. The technique employed uses the password and client-side user name to calculate an access key. For the server to check this, it needs to store the password, which is secured only with MD5 hashes. The API was developed 9 years ago, and appears not to have been updated since. It’s going to be interesting to see what comes to light regarding the reasons for the sloppiness at these companies.

And one amusing detail – although eHarmony implores its users to use strong passwords including both upper and lower case letters, it saves the passwords in all upper case, thereby weakening its already weak security further. The hypocritical concern expressed by these companies has been covered in an editorial from The H Security: “Comment: LinkedIn and its password problems”.
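As an added example (not from The H or any of the companies named), the following Python code makes the three points of this item concrete: why unsalted MD5 hashes are cracked so fast (one dictionary pass serves every leaked hash), how upper-casing passwords before hashing throws away the case distinctions users were told to add, and what storing a password with a per-user random salt and a slow derivation (PBKDF2-HMAC-SHA256 here) looks like instead. The wordlist and the leaked hashes are constructed for the example; the iteration count and record format are assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the dictionaries used by password crackers.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "Summer2012"]


def unsalted_md5(password):
    """The storage scheme the article attributes to Last.fm: plain MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup(words):
    """One MD5 per candidate word, computed once. Because there is no salt, the same
    table matches every user's hash, which is why millions fall in a single pass."""
    return {unsalted_md5(w): w for w in words}


def crack_unsalted(leaked_hashes, lookup):
    """Recover every leaked hash that appears in the precomputed table."""
    return {h: lookup[h] for h in leaked_hashes if h in lookup}


def eharmony_style(password):
    """Upper-casing before hashing: 'Password1', 'PASSWORD1' and 'password1' all
    produce the same hash, so the case mixing the site asked for adds nothing."""
    return unsalted_md5(password.upper())


def hash_password(password, salt=None, iterations=100_000):
    """Salted, slow storage: a random 16-byte salt per user and PBKDF2-HMAC-SHA256.
    The record carries everything needed to verify later. (Record format is an
    assumption for this example.)"""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed "leak": two unsalted MD5 hashes, one of a dictionary word.
    leaked = [unsalted_md5("password"), unsalted_md5("correct horse battery")]
    print(crack_unsalted(leaked, build_lookup(WORDLIST)))
    print(eharmony_style("Password1") == eharmony_style("PASSWORD1"))
    record = hash_password("password")
    print(record)
    print(verify_password("password", record), verify_password("Password", record))
```

With a per-user salt the attacker's precomputed table is useless: every user needs their own dictionary pass, and each guess costs 100,000 iterations rather than one MD5, which turns the "95 per cent cracked" figure into a much longer project against the same wordlist.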

http://h-online.com/-1614516