Cyber Security News – November 15, 2011

  • Connections Between DroidDreamLight and DroidKungFu

    We were recently able to analyze the routines of the latest DroidKungFu variant, detected as ANDROIDOS_KUNGFU.CI. While we were monitoring the traffic between ANDROIDOS_KUNGFU.CI and its remote server, we chanced upon a command to delete a certain package.

    In the command above, the server instructs the malware to delete a package called com.practical.share. We have seen other commands sent from the server such as commands to update the malware’s native code, install an APK, or open a URL. But this is the first time we’ve seen the server tell the malware to delete a package, and we’re not entirely sure why it does this routine.

    I did some research on the package, and found that the deleted package is a new DroidDreamLight variant. The DroidDreamLight family is known to show notifications as part of its social engineering routine. This is to trick the user into clicking on the notifications to download a new component or update itself.

    This particular DroidDreamLight variant, detected as ANDROIDOS_DORDRAE.O, starts its service (called ‘SystemConfService’) when the device boots up or receives/makes a call. It uploads the same information as its previous incarnations.

    I wanted to see the notifications created by the malware for myself so I tested it by creating a web server and making the malware connect to it by changing the emulator network setting. Based on my analysis of the code, the malware expects an XML from the server with the following sample format:

    The malware shows four types of notifications:

    • Update

    This notification updates the current malware package. When the user clicks on the update notification, the device shows a dialog box asking the user if he/she wants to replace the current app. If the user clicks “OK,” the installation continues. The package to be installed is already pre-downloaded by the malware before showing the notification.

    • Download – When the user clicks the download notification, it will download the file specified by the malware server.
    • Market – When the user clicks the market notification, the malware will view the Android Market page for the package specified by the server.
    • Web – When the user clicks the web notification, the malware will connect to the URL specified by the server.

    Below are sample notifications from the malware. Of course, the malware server will put different titles and descriptions (probably with a social engineering twist to it), and will not send the notifications at the same time to avoid suspicion.

    Users can check if their phones are infected by going to Settings > Applications > Running Services. Look for the service called ‘SystemConfService.’

    Moreover, users can manually remove the malware from their devices by going to Settings > Applications > Manage Applications to uninstall the infected app:

    The mentioned DroidKungFu and DroidDreamLight variants are detected as ANDROIDOS_KUNGFU.CI and ANDROIDOS_DORDRAE.O respectively. For more information on mobile threats, please check our Mobile Threat Information Hub.

    Post from: TrendLabs | Malware Blog – by Trend Micro


Digest powered by RSS Digest

Posted in: Security News by erwin@itdefensesolutions.com No Comments

Cyber Security News – November 13, 2011


Cyber Security News – November 12, 2011

  • [WEB SECURITY] What's the best way to maintain password history?
    Justin Scott: [WEB SECURITY] What's the best way to maintain password history?:

    [...]

    That sounds like a bug in their implementation. If the user id stays the same then I would expect the password history check to kick in to prevent a prior password from being used. If they change the user id at the same time then I don't believe the prior password check is as [...]
  • Anonymous and LulzSec trawl Google Code search for security holes
    A new report suggests that Google’s Code Search is being used by groups such as LulzSec and Anonymous to find passwords and other private data, gain access to secure networks and decide who their next victim should be.
  • Amex clueless about security–so what else is new?

    American Express is, as far as I know, alone among major financial institutions (for large values of “major”) in sending out phish-like messages.  Pretty much every other bank has gotten the message: don’t send email to your customers, and alert them that if they receive email, it’s not from you.

    (I’m still getting those messages, by the way.  Ironically, it’s because I don’t want them.  If I want to tell Amex to turn them off, the only way I can do that is to register to receive them.  Explain to me the logic underlying that process …)

    Amex is also alone in not providing an email account to which you can send phishing messages.  I guess Amex doesn’t want to do any more takedowns than they absolutely have to.

    As a security pro, I’ve got contacts; personal contacts; in many major banks and financial institutions.  These are people who work in phishing and malware takedowns, and I’ve encountered them in the course of my research into same over the years.  I’ve never come across anyone from Amex.  I’ve never had anyone from Amex in any of my seminars.

    So, it is no great surprise that when a researcher recently found a gaping hole in Amex security, he had a very hard time letting Amex know about it.


  • Adobe Air updated to 3.1.0.4880, (Fri, Nov 11th)
    – Rick Wanner – rwanner at isc dot sans dot org – http://namedeplume.blogspot …(more)…


Cyber Security News – November 11, 2011

  • DARPA Wants To Get Rid of Password Protection


    coondoggie writes “Researchers from the Defense Advanced Research Projects Agency will next week detail a new program it hopes will develop technology to dramatically change computer system security authorization. The program, called Active Authentication, looks to develop technology that goes way beyond today’s use of hard to remember password protection and determine identity through ‘use of software applications that can determine identity through the activities the user normally performs,’ DARPA said.”

    Read more of this story at Slashdot.

  • Quick Read

    The lab credited with discovering the Duqu malware has built an open-source toolkit that administrators can use to see whether their networks are infected.

  • Steam user database hacked, incl. encrypted credit card info

    Steam, Valve’s digital distribution, DRM, multiplayer and communications platform, which has become so popular that some users no longer buy by any other method than digitally, may have just lost its mojo.

  • Cyber-Criminals Intercept Banking Credentials for Fast Wire Transfer Fraud
    Cyber-criminals are using malware and man-in-the-middle tactics to initiate fraudulent wire transfers from bank accounts, even with two-factor authentication in place. – Cyber-criminals are increasingly attacking banks and other financial institutions to transfer funds fraudulently into accounts under their control.

    There are a number of ways for attackers to gain control, and malware is just one of them, according to Jorge Solis, a senior vice president


  • PDF Malware is Back in Season
    Avid readers of the GFI Labs blog can attest that they’re no strangers to this kind of attack: one receives an email purporting to have come from a legitimate company with an attached Adobe .PDF file claiming that it’s either a receipt, a document, or a ticket. Claims of what the attachment is supposed to be vary, but what remains consistent is that the email always instructs recipients to open it and/or save it on their computer. What happens more often is that systems get infected and users are left wondering what happened.

    Case in point—


    Our researchers in the AV Labs have been seeing an uptick of this particular campaign, which poses as a message from the United States Postal Service (USPS) and bears the subject “Package is was not able to be delivered please print out the attached label”. The message body reads as follows:

    Hello!

    Unfortunately we failed to deliver the postal package you have sent on the 19th of September in time because the recipient’s address is erroneous.

    Please print out the shipment label attached and collect the package at our office.

    United States Postal Service

    {long line of unreadable characters}

    Here is what the attached file looks like once downloaded onto a system:

    When executed, it connects to the IP address, 91(dot)221(dot)98(dot)29, and downloads the file named step.exe, which is a variant of FakeSysDef, a rogue malware. It also checks on the following websites, all of which are from Russia:

    • followmego12(dot)ru
    • hidemyfass87111(dot)ru
    • losokorot7621(dot)ru
    • mamtumbochka766(dot)ru

    Doing site checks could mean a lot of potential actions this malware might do, like downloading other binaries / components onto the infected system, updating a copy of itself, posting information to these sites, or waiting for commands from its controller. As of this writing, the file does not download other binaries or additional component files. Fortunately, we detect this malware as Trojan.Win32.Generic!BT.

    As always, steer clear of these kinds of emails, especially if you haven’t made transactions with such companies. When in doubt, double check with the supposed sender by calling their office for confirmation, but do not reply to the sender’s email address. With Black Friday and Cyber Monday (not to mention Cyber Weekend and the holiday season) just around the corner and the majority of people everywhere shopping online, it is wise to expect such attacks to multiply further in the coming days and weeks. Such an attack is not new; however, many are still falling for it. It’s time to wise up.

    Jovi Umawing (Thanks to Matthew, Robert, and Adam)

  • FBI Busts Massive Click-Fraud Cyber-Ring That Netted $14 Million
    Law enforcement officials have arrested six individuals responsible for infecting over 4 million computers in a sophisticated clickjacking scam. – The FBI and its international partners have charged six individuals with conducting a sophisticated click-fraud scheme that netted them millions of dollars, the federal agency said. The cyber-ring infected about 4 million computers in 100 countries with malware and pocketed at least $14 million …




Cyber Security News – November 7, 2011


Cyber Security News – November 6, 2011


Cyber Security News – November 5, 2011


Cyber Security News – November 4, 2011

  • UK Council Loses Memory Stick with Details of 18,000 Residents
    http://www.flickr.com/photos/john1954moi/5618995565/

    Rochdale Metropolitan Borough Council somehow managed to lose a memory stick that contained information on 18,000 of their residents. The stick, which was lost in May, contained details such as names, addresses and payment info but fortunately, no bank account records were present. As it turns out, the USB storage device had been used by an officer from the institution’s finance department to collate information required for final accounts.

    The ICO began an investigation and found that the council’s data protection practices were in breach of the Data Protection Act. While most of the info was of public interest and was already published online, the Commissioner’s Office considered that the council had failed to provide data protection training for its staff.

    “Storing the details of over 18,000 constituents on an unencrypted device is clearly unacceptable. This incident could have been easily avoided if adequate security measures had been in place. Luckily, the information stored on the device was not sensitive and much of it is publicly available. Therefore, the incident is unlikely to have caused substantial distress to local people,” said Acting Head of Enforcement, Sally Anne Poole.

  • Microsoft releases temporary fix for critical Windows bug
    http://www.flickr.com/photos/peterwood/4301554890/

    Microsoft has issued a temporary fix for a critical Windows vulnerability that has already been exploited to install highly sophisticated malware that targeted manufacturers of industrial systems.

    In an advisory issued late Thursday, Microsoft said the previously unknown flaw in the Win32k TrueType font-parsing engine affected every supported version of Windows, including Windows 7 and Windows Server 2008, which are the most secure to date. The critical vulnerability was recently exploited to spread Duqu, malware that some researchers say was derived from last year’s Stuxnet worm that sabotaged Iran’s uranium enrichment program.

    “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode,” the advisory warned. “The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” The accompanying Fix it is designed to protect against exploits until a permanent patch is issued. The company didn’t indicate when that would happen, except to say it wouldn’t be before next Tuesday’s regularly scheduled security update release.

  • Cyber-espionage attempts on US businesses are on rise


    The Office of the National Counterintelligence Executive has just published a report to Congress that presents a frightening picture of the degree to which other countries use cyber espionage to attempt to gain business and industrial secrets from US companies. And while the biggest perpetrators of cyber-espionage against American business are no surprise—China and Russia—some US allies have engaged in efforts to obtain sensitive business and technology information as well. The report projects that China and Russia will “remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace.”

    The same technological advances that many companies see as increasing productivity and reducing cost of operations are creating a huge risk of additional cyber-espionage by the ONCE’s assessment. The persistence of Internet-connected devices such as smartphones, the use of cloud computing and the rise of telework all elevate the risk of data theft, the report suggests. And the globalization of business through IT lowers the threshold further. “National boundaries will deter economic espionage less than ever as more business is conducted from wherever workers can access the Internet,” the report states. “The globalization of the supply chain for new—and increasingly interconnected—IT products will offer more opportunities for malicious actors to compromise the integrity and security of these devices.”

    The biannual report is mandated by a provision of the 1995 law funding US intelligence organizations. But this edition is the first to focus heavily on cyber-espionage, reflecting how most critical data now passes over networks. The research behind the report also draws heavily from Defense Department intelligence resources as well as those of other US government agencies and the private sector.

    The report pointed out that attribution of cyber-espionage efforts is difficult at best, and that while “Chinese actors are the world’s most active and persistent perpetrators of economic espionage” and the vast majority of attacks on US businesses have come from within China, the intelligence community cannot confirm who was responsible for them, let alone whether they were state sanctioned and funded.

    However, the report classified the Chinese government as a “persistent collector,” and said that the Chinese frequently tried to exploit Chinese citizens or people with family or other connections to China working within US companies to steal electronic data from their employers. The report also singled out Russia’s intelligence services as “conducting a range of activities to collect economic information and technology from US targets.”


  • Microsoft expected to offer hot fix for Duqu soon
    The big zero-day exploit on everyone's mind is Duqu, or "son of Stuxnet" – but researchers don't expect Microsoft to include a patch for it in next week's Patch Tuesday. Instead, a manual fix could be out as soon as this week.
  • Microsoft to patch critical Windows 7 bug in ‘upside down’ update next week
    Microsoft today said it will issue four security updates next week to patch four vulnerabilities in Windows.
  • Romanian eBay hacker and prosecutor both unhappy with appeal ruling

    Romanian eBay hacker Vlad Duiculescu, known online as “Vladuz,” lost the appeal to get his three-year suspended prison sentence reduced on Tuesday.

  • MIT server hijacked and used in drive-by attack campaign

    A server belonging to the Massachusetts Institute of Technology was commandeered by hackers who used it to launch attacks against other websites as part of a larger drive-by download campaign, according to antivirus vendor BitDefender.

  • Is .info the New .cc?

    By Kurt Baumgartner

    In April, the .co.cc and .cz.cc sub-domains were absolutely littered with malware-distributing web sites, and the unusually telling DNS registration setup on .co.cc and .cz.cc had forecast the then-upcoming Apple FakeAv. That DNS setup later led to FakeAv downloads for the Mac as forecast. But FakeAv distribution has been steadily declining since the beginning of the year, and a few related major events have occurred over the past six months. Blackhole operators have migrated to .info domains, along with other related malicious site operators. Have they pushed .info to become the new .cc?


  • What Is Duqu Up To?
    As researchers debate a Duqu-Stuxnet connection and study a new zero-day Duqu exploit, still no word on the actual targets or its mission.





Cyber Security News – November 3, 2011

  • Secunia jumps on vuln reward bandwagon

    First, catch your rabbit

    Secunia has launched yet another vulnerability rewards program, the Secunia Vulnerability Coordination Reward Program, which it says is designed to operate independently of particular software vendors.…

  • Report: Popular CAPTCHAs Easily Defeated
  • Thousands Of WordPress Sites Commandeered By Black Hole
  • Carbonite Privacy Breach Leads To Spam


    richi writes "It looks like Carbonite, Inc. has been giving out customers' personal information. The company's admitted giving customer email address to a third party, in direct contravention of its privacy policy. A company statement reads: 'Carbonite has discovered an advertiser misappropriated our e-mail list during the process of one of our e-mail marketing campaigns. When Carbonite launches an e-mail marketing campaign, it provides a suppression list to e-mail advertisers so that Carbonite customers do not receive promotion emails from Carbonite (since they’re already customers) and importantly, so that people who have opted out of receiving emails from Carbonite do not receive future email from us. This list was mishandled by an advertiser and we have taken immediate remedial efforts. As an online backup company, the security and privacy of our customer data is our top priority. We take all matters related to privacy very seriously. The matter will be addressed privately with the involved third parties and we will ensure that all customer e-mail addresses are permanently removed from their database.'"

    Read more of this story at Slashdot.

  • Nitro targeted attacks

    Recently, our friends over at Symantec released a report about an attack named Nitro. This targeted attack allowed unknown attackers to target several types of organizations, the latest known attacks occurring in the chemical sector, where 29 different targets were confirmed.
     
    The attacks follow a standard pattern for tools and techniques used in previous attempts. An email is sent to several recipients within an organization with an attachment or link pointing to a file. These files are repacked variants of Poison Ivy, a very popular Remote Access Tool (RAT). The Command & Control servers for this tool use Dynamic DNS services extensively to provide the hostname and IP address lookup.

     

    Screenshot of the Poison Ivy builder application.


    This is precisely why Websense released a Dynamic DNS category earlier this year. In its default configuration, products that have this category will not allow these RATs to communicate successfully. With this new category, our Websense Security Gateway and Hosted Web solutions will not allow traffic from Poison Ivy at all, due to the way it communicates over port 80. In this way, Websense customers remain protected from this popular form of targeted attack.

     

    For more information about how Websense protects against APTs and Targeted Attacks see our white paper.

     

    Symantec's full report can be downloaded here.


Cyber Security News – November 2, 2011
