Facebook founder Mark Zuckerberg today announced that the following for his social media creation hit 500 million this morning.
No wonder “Facebook” became a verb.
Facebook blog here.
Tom Kelchner
Boards on new PowerEdge equipment and non-Windows systems not affected.
According to a note on Dell’s company support forum, a small number of PowerEdge R410 replacement motherboards have been found infected with spyware. The company is notifying customers who have purchased the equipment.
http://en.community.dell.com/support-forums/servers/f/956/t/19339458.aspx
Someone from the company posting under the name “Matt M” wrote in response to a question on the board: “As part of Dell’s quality process, we have identified a potential issue with our service mother board stock, like the one you received for your PowerEdge R410, and are taking preventative action with our customers accordingly. The potential issue involves a small number of PowerEdge server motherboards sent out through service dispatches that may contain malware. This malware code has been detected on the embedded server management firmware as you indicated.”
“To date we have received no customer reports related to data security. Systems running non-Windows operating systems are not vulnerable to this malware and this issue is not present on motherboards shipped new with PowerEdge systems.”
The company describes its Dell PowerEdge R410 as “a powerful and ultra-dense 2-socket 1U server that offers the performance of Intel Xeon processor 5500 and 5600 series, DDR3 memory, the availability of up to four hard drives (3.5” or 2.5”)…”
Tom Kelchner
Use a strong FB password or “Laughing Man” will post drivel on your wall.
Someone (or hacker group) has discovered the joy of posting material on the Facebook accounts of people who apparently use weak passwords.
A search on Facebook for the string “This is a video that's been appearing on hacked Facebook profiles,” shows a load of accounts carrying it. Some Facebook users also appear to be voluntarily posting the link to the YouTube video as well.
The video features a man’s torso with face overlaid with various still photos. The sound track is a droning lecture about the evils of authority. The eight-minute video concludes with a scroll of meandering quotes from Immanuel Kant and the 19th century French anti-statist writer Frederic Bastiat. There’s also an audio conclusion that’s a bit less than a call to action: “I can’t tell you what to do.”
A manifesto it ain’t.
Thanks Wendy.
Tom Kelchner
Automated Teller Machines (ATMs) are now targets for criminals of all sorts. After all, as the famous saying goes, that’s where the money is.
One common way to attack ATMs is via skimmers, devices that steal the data encoded on the magnetic strips of ATM cards. They come in a wide variety of form factors, from the simple to the more elaborate. One example, which we blogged about earlier, involved fake POS devices used to skim data from credit and debit cards. Nor is this threat limited to the United States; similar schemes have been found in China.
Advanced (and more expensive) models send their captured data to the cybercriminals via existing cellular phone networks. Criminals on a budget could rent skimmers, with a 50/50 income split between the owner and the renter. (Some of the links in the above paragraphs go to Brian Krebs’s blog; Krebs has frequently discussed the ATM skimmer threat.)
However, ATMs are also under increasing attack by malware. As early as 2004, 70% of new ATMs ran on Windows; Diebold estimates that 90% of their shipments today use Windows. This leaves them as potentially vulnerable to malware as any ordinary computer.
The TSPY_SKIMER malware family, including TSPY_SKIMER.A and TSPY_SKIMER.B, serves as a good sample of the malware threats facing ATMs. Both of these were authored by someone who has good knowledge of ATM architecture, considering that these systems are not publicly documented. In addition, this malware needs to be installed manually by someone who has direct access to an ATM terminal.
Let’s take a look at TSPY_SKIMER.A. The malware injects its code into specific services that are associated with Diebold ATMs. (Diebold is not alone as a target; other ATM manufacturers have also been targeted by SKIMER variants.) In addition, the cybercriminal can also use the ATM’s own keypad and screen to send commands to the malware–and these commands include checking for the installed Diebold software version, printing stolen information onto the machine’s paper receipts, and even dispensing cash.
The sophistication and intricacy needed to mount these attacks mean that despite the significant financial incentive, these attacks have not yet become all that common. However, users should not be lured into a false sense of security, but instead be more informed and guarded to avoid being victimized by these attacks.
Banks, on the other hand, should also take note of this threat, as clients expect them to safeguard their money. An ATM infected with a SKIMER variant can tarnish a bank’s reputation and trustworthiness, so extra security measures should be taken in order to ensure ATMs are malware free.
Post from: TrendLabs | Malware Blog - by Trend Micro
ATMs Now High-Profile Cybercrime Targets
Sunbelt malware specialist Adam Thomas located a server being used as a drop for a Zbot/Zeus botnet. It contained over a gigabyte of text files of stolen information.
Yes, it is just another Zeus botnet and a relatively small one by comparison – 5,100 unique infected hosts – but, the list of affected organizations is a bit disconcerting.
(1.1 gigabytes of recovered data in text format)
Most of the infected hosts appeared to be home users, he said, but there were a large number of infected hosts inside of state and federal government agencies; Fortune 500 and 100 companies; drug companies and even banks.
He said: “It has been almost four years since Zbot/Zeus reared its ugly head and unfortunately it is still going strong, holding a high position on our top-10 detected threats list - http://sunbeltsecurity.com/.
“Back in the early days, the bad guys were sloppy with their server configurations and security researchers were able to find and recover the data that had been pilfered by Zbot trojans. The criminals eventually caught on and actually began taking measures to protect the data that they were stealing.
“Every once in a while, however, we stumble on server misconfigurations where the miscreant has (apparently) accidentally allowed access to the collected stolen data. During the past few days, our research team has been monitoring just that.
"Of course, we’ve alerted law enforcement and are working to notify those who have been affected," he said.
In November, police in England arrested a couple in Manchester in connection with a Zbot network. Zbot enables malicious operators to steal data, including bank passwords, credit card data, personal information and social networking site logins.
This "trojan" would be "Trojan-Spy.Win32.Zbot.gen." In June it was the second most common detection in the Sunbelt ThreatNet system. ThreatNet consists of tens of thousands of VIPRE and CounterSpy users who have banded together to form an early warning system when a new malware outbreak is noticed.
The trojan isn’t hard to detect and Sunbelt Software offers a free removal tool here.
http://go.sunbeltsoftware.com/?linkid=1211
Thanks Adam.
Tom Kelchner
This is very funny. It’s a cartoon that captures the rogue AV “experience.”
Click here to see the rest of the cartoon.
Thanks Dan. Thanks Alex.
Tom Kelchner