May 08, 2013

Security researchers have uncovered an ongoing and widespread attack that causes sites running three of the Internet’s most popular Web servers to push potent malware exploits on visitors.

Linux/Cdorked.A, as the malicious backdoor behind the attacks is known, has been observed infecting at least 400 Web servers, 50 of them from the Alexa top 100,000 ranking, researchers from antivirus provider Eset said. The backdoor infects sites running the Apache, nginx, and Lighttpd Web servers and has already exposed almost 100,000 end users running Eset software to attack (the AV apps protect them from infection). Because Eset sees only a small percentage of overall Internet users, the actual number of people affected is presumed to be much higher.

“This is the first time I’ve seen an attack that will actually target different Web servers, meaning the attacker is willing to create the backdoor for Apache, Lighttpd, and nginx,” Pierre-Marc Bureau, Eset’s security intelligence program manager, told Ars. “Somebody is running an operation that can victimize various Web servers and in my opinion this is the first time that has ever happened. This is a stealthy, sophisticated, and streamlined distribution mechanism for getting malware on end users’ computers.”

Previously, Cdorked was known to infect only sites that ran on Apache, which remains by far the Internet’s most popular Web server application.

MORE: Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd, too | Ars Technica.

Mar 05, 2013

Some say we’re living in a “post-PC” world, but malware on PCs is still a major problem for home computer users and businesses.

The examples are everywhere: In November, we reported that malware was used to steal information about one of Japan’s newest rockets and upload it to computers controlled by hackers. Critical systems at two US power plants were recently found infected with malware spread by USB drives. Malware known as “Dexter” stole credit card data from point-of-sale terminals at businesses. And espionage-motivated computer threats are getting more sophisticated and versatile all the time.

In this second installment in the Ars Guide to Online Security, we’ll cover the basics for those who may not be familiar with the different types of malware that can affect computers. Malware comes in a variety of types, including viruses, worms, and Trojans.

Viruses are programs that can replicate themselves in order to spread from computer to computer, while targeting each PC by deleting data or stealing information. They can also change the computer’s behavior in some way.

“Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program,” Cisco notes. “When the host code is executed, the viral code is executed as well. Normally, the host program keeps functioning after it is infected by the virus. However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected e-mail attachments.”

READ MORE: Viruses, Trojans, and worms, oh my: The basics on malware | Ars Technica.
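The Cisco passage above makes a point that also applies to the Cdorked post further up: a file infector leaves the host program working but changes its bytes, and a server backdoor that lives in a modified on-disk binary does the same to the Web server. Either way the cheapest check is a hash baseline taken from a known-clean system and re-compared later. The script below is an added example written for this page, not code from Ars, Cisco or Eset; the directory layout, the “infection” it simulates (appending a comment to a shell script and dropping a new file) and the assumption that the backdoor changes a file on disk are all constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record size and SHA-256 for every regular file under root.

    Keys are POSIX-style paths relative to root, so the baseline can be kept
    off the host (a baseline stored on the same disk can be edited by the
    same intruder who edited the binaries).
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        baseline[p.relative_to(root).as_posix()] = {
            "size": p.stat().st_size,
            "sha256": sha256_file(p),
        }
    return baseline


def compare(baseline: dict, root: Path) -> dict:
    """Return files added, removed or modified since the baseline.

    A virus that attaches itself to a host executable changes its hash (and
    usually its size); one that overwrites the host with a copy of itself
    changes the hash too, so both show up under 'modified'.
    """
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        k for k in set(baseline) & set(current)
        if current[k]["sha256"] != baseline[k]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a fake bin/ directory, then simulate an
    appender infection and a dropped file, and report what compare() sees."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "hello").write_bytes(b"#!/bin/sh\necho hello\n")
        (root / "bin" / "backup").write_bytes(b'#!/bin/sh\ntar czf /tmp/b.tgz "$HOME"\n')
        baseline = build_baseline(root)

        # Simulated appender: the host keeps working, payload is glued on the end.
        with (root / "bin" / "hello").open("ab") as f:
            f.write(b"# constructed stand-in for appended viral code\n")
        # Simulated dropped file that was not in the baseline.
        (root / "bin" / "update").write_bytes(b"#!/bin/sh\n:\n")

        return compare(baseline, root)


if __name__ == "__main__":
    print(demo())
```

On a real host you would point `build_baseline` at directories such as `/usr/sbin` and `/usr/lib` right after install, keep the JSON somewhere the server cannot write, and diff on a schedule. Distribution package managers ship the same idea for packaged files (`rpm -V httpd` on RPM systems, `debsums` on Debian-based ones); the hand-rolled version is useful for files they do not track.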

Sep 25, 2012

I’m not the only one to be getting these spammy direct messages on Twitter that lead to bogus Facebook links. Apparently a lot of people have been complaining of these messages, according to Sophos analyst Graham Cluley who wrote about it on the Naked Security blog.

Different variations of the direct messages include, “your in this [link] lol” and “lol ur famous now [link]” (I got this one too).

Of course, I didn’t click on the link. However, according to Cluley, those people that do click are led to a video player that says, “An update to Youtube player is needed.” Users are asked to download what is supposedly called “FlashPlayerV10.1.57.108.exe,” but Sophos antivirus products detect it as Troj/Mdrop-EML, which is a backdoor Trojan that can copy itself to accessible drives and network shares.

A Slate reporter wrote that he clicked on the bogus link and was directed to Facebook where he was told he had to log in to access an app. It’s unclear if this link also contained some sort of virus, Trojan, or malware.

MORE: Twitter users may be victims of direct message malware | Security & Privacy – CNET News.

Aug 27, 2012

A vulnerability in the latest version of Oracle’s Java software framework is under active attack, and the damage is likely to get worse thanks to the availability of reliable exploit code that works on a variety of browsers and computer platforms, security experts warn.

The flaw in Java version 1.7 was reported on Sunday afternoon by FireEye security researcher Atif Mushtaq. A separate post published on Monday by researchers Andre M. DiMino and Mila Parkour said the number of attacks, which appear to install the Poison Ivy Remote Access Trojan, was low. But they went on to note that the typical delay in issuing Java patches, combined with the circulation of exploit code, meant it was only a matter of time until the vulnerability was exploited more widely by other attackers.

Members of Rapid7, the security company that helps maintain the open-source Metasploit exploit framework used by penetration testers and hackers, said they have already developed an exploit that works against Windows 7. They are in the process of testing it against the Microsoft Internet Explorer, Mozilla Firefox, and Google Chrome browsers running on other operating systems, including Ubuntu Linux 10.04 and Windows XP. They went on to suggest that users should disable Java until a patch plugging the gaping hole is released.

“As a user, you should take this problem seriously, because there is currently no patch from Oracle,” a Rapid7 exploit developer wrote in a blog post. “For now, our recommendation is to completely disable Java until a fix is available.”

MORE: Critical flaw under active attack prompts calls to disable Java | Ars Technica.

Oct 12, 2011

In a request made yesterday to the Internet Corporation for Assigned Names and Numbers, Verisign outlined a new “anti-abuse” policy that would allow the company to terminate, lock, or transfer any domain under its registration jurisdiction under a number of circumstances. And one of those circumstances listed was “requests of law enforcement.”

The request, submitted through ICANN’s Registry Services Evaluation Process on October 10, proposes a new malware scanning service for domains as well as a new Verisign Anti-Abuse Domain Use Policy. In the request letter, Verisign stated that its policy would help the registrar align with requirements ICANN is placing on new generic top level domains. “All parts of the internet community are feeling the pressure to be more proactive in dealing with malicious activity,” Verisign explained. “ICANN has recognized this and the new gTLD Applicant Guidebook requires new gTLDs to adopt a clear definition of rapid takedown or suspension systems that will be implemented.”

In part, the policy is aimed at empowering Verisign to act quickly to take down sites that are harboring malware, launching phishing attacks, or otherwise being used to launch attacks across the Internet. The scanning service, which registrars can opt into voluntarily, would scan all .com, .net, and .name sites for “known malware,” and inform the registrar and the site owner when malware is detected. Verisign has been soliciting domain registrars to participate in a pilot of the program, derived from the company’s Verisign Trust Seal program, since March.

via Verisign wants power to shut sites down upon law enforcement request.

Oct 04, 2011

You don’t have to worry so much about the QR codes you find in magazines and television commercials; the malevolent codes are located squarely on the Internet. When people are looking for new apps for their phones, they often use their desktop computers to search the Web for what they’re looking for. Rather than forcing users to hen-peck the URL into their smartphone’s browser, many sites now include a QR code linking directly to the app to make things easier all around.

Scammers have begun redirecting QR codes away from the given URL and pointing them towards malware, Kaspersky reports.

via Maximum PC | Poisoned QR Codes Spreading Malware To Android Phones.
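A QR code is just an opaque way of typing a URL, so the only defence the post leaves you with is to look at what the code actually decoded to before opening it. The function below is an added example for this page (not code from Maximum PC or Kaspersky): it takes the already-decoded string plus the domain you expected (the one printed beside the code, or the app store you meant to reach) and lists the reasons not to trust it. The shortener list is a constructed sample, and treating any subdomain of the expected host as acceptable is an assumption that would not hold for hosts that hand out subdomains to arbitrary users.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of common URL shorteners; a shortener hides the real target.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "is.gd", "ow.ly"}


def check_decoded_url(decoded: str, expected_host: str) -> list:
    """Return the reasons a URL decoded from a QR code should not be opened blindly.

    expected_host is the domain you were told the code points to. An empty
    list means nothing suspicious was found (which is not proof it is safe).
    """
    findings = []
    parts = urlsplit(decoded.strip())
    scheme = parts.scheme.lower()

    if scheme not in ("http", "https"):
        # market:, intent:, tel: and friends hand the string to another app.
        findings.append(f"non-web scheme {scheme!r}")
        return findings
    if scheme != "https":
        findings.append("plain http")

    if parts.username or parts.password:
        # https://trusted.example@evil.example/ displays "trusted" first but
        # the browser connects to evil.example.
        findings.append("userinfo before host (@ trick)")

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        findings.append("no host")
        return findings

    try:
        ipaddress.ip_address(host)
        findings.append("IP literal host")
    except ValueError:
        pass  # a normal hostname

    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label, check for look-alike domain")

    if host in SHORTENERS:
        findings.append("URL shortener hides destination")

    exp = expected_host.lower().rstrip(".")
    if host != exp and not host.endswith("." + exp):
        findings.append(f"host {host!r} is not {exp!r} or a subdomain")

    if parts.path.lower().endswith((".apk", ".exe")):
        # The page's case: the code delivers an installer instead of a store page.
        findings.append("direct executable download")

    return findings


if __name__ == "__main__":
    # Constructed inputs: a legitimate store link and a poisoned one.
    for url in (
        "https://play.google.com/store/apps/details?id=com.example.app",
        "https://play.google.com@198.51.100.7/FlashPlayer.apk",
    ):
        print(url, "->", check_decoded_url(url, "play.google.com") or "no findings")
```

The check deliberately does not follow redirects or fetch anything: the point is to decide offline whether the decoded string even matches what the sticker claims, before any network request is made from the phone.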

Sep 23, 2011

Malware continues to be a minimal threat to most Mac users, but that doesn’t mean attackers aren’t constantly trying to come up with new ways to steal information or turn users’ machines into botnet drones. The latter appears to be the case with a new Mac trojan posing as a PDF file, discovered by security researchers at F-Secure.

via Mac trojan poses as PDF to open botnet backdoor.

Sep 07, 2011

Step zero: Read this guide, because we’re going to walk you through all the key details you need to know to both rid your computer of this junk and keep it free of downloaded problems forevermore.

via Maximum PC | Scrub Your PC Clean: Remove Malware in Four Easy Steps.