From the monthly archives:

February 2006

180 Solutions

by certifiedbug on February 23, 2006

in Security

Ben Edelman
February 20, 2006
Nonconsensual 180 Installations Continue, Despite 180’s “S3″ Screen

On Friday morning (February 17), I received a nonconsensual installation of 180solutions Zango software through a security exploit.

But what’s newsworthy here is that 180solutions got installed, even though 180 last year told the world that these nonconsensual installations were impossible.

180’s October press release correctly describes the serious harms that occur when users receive many advertising programs. “A myriad of unwanted software … can often negatively impact system performance,” 180 admitted. But 180 then claimed that S3 would keep 180 out of such bundles. I disagree. According to my records, the installation at issue also installed Ad-w-a-r-e, Adservs, Integrated Search Technologies, Internet Optimizer, Media Tickets, New.net, Quicklinks, Surfsidekick, Tagasaurus, Targetsaver, Toolbar888, Ucmore, Webhancer, Web Nexus, WinFixer, and more. These many programs collectively bombarded my test PC with an incredible 730 registry keys, 1194 registry values, 461 files, and 43 file folders. Worse, the newly-installed programs caused 61 processes to run on my test PC, via 24 EXEs set to load each time I turned on my computer. The programs even added three different toolbars to my web browser.

Copyright © is the original authors.

Who owns that computer anyway

by certifiedbug on February 21, 2006

in Security

Invasion of the Computer Snatchers
washingtonpost.com
By Brian Krebs
Sunday, February 19, 2006

In the six hours between crashing into bed and rolling out of it, the 21-year-old hacker has broken into nearly 2,000 personal computers around the globe. He slept while software he wrote scoured the Internet for vulnerable computers and infected them with viruses that turned them into slaves.

The young hacker doesn’t have much sympathy for his victims. “All those people in my botnet, right, if I don’t use them, they’re just gonna eventually get caught up in someone else’s net, so it might as well be mine,” 0x80 says. “I mean, most of these people I infect are so stupid they really ain’t got no business being on [the Internet] in the first place.”

A quick scroll through the first few dozen pages of the file reveals credentials his victims have used to log in to online accounts at PayPal, eBay, Bank of America and Citibank, to name just a few.

Shadowboxing With a Bot Herder
washingtonpost.com
By Brian Krebs
March 9, 2006

Witlog may in fact be the product of a new generation of “script kiddiez”; the chief distinguishing feature of this generation being that instead of using Web site flaws to deface as many Web sites as possible, these guys are breaking into thousands of home and work PCs and taking them for a virtual joyride, often times all the way to the bank.

Copyright © is the original authors.

Mac OS X malware

by certifiedbug on February 21, 2006

in Security

Updated: 03-01-06

Apple security updates

Sophos in Mac OS X worm false alarm
Cure worse than disease
By John Leyden
Published Thursday 23rd February 2006

Sophos has apologised after releasing a faulty signature update that flagged up legitimate Mac OS X system files as infected with a new low-risk worm, Inqtana-B.

The faulty signature file, issued on Tuesday, February 21, falsely identified a number of component files of Microsoft Office applications as infectious.

The UK-based anti-virus firm issued a new update in short time, two hours after the dodgy signature files went out.

Third worm hits Mac OS
TechWorld
By Matthew Broersma
22 February 2006

Security researchers have confirmed what may be the worst-yet security flaw for Apple’s Mac OS X, following the appearance of two Mac worms in a single week.

The newly disclosed bug allows attackers to disguise malicious shell scripts as harmless files stored in ZIP archives. The bug is considered particularly dangerous because it can be used to execute malicious code on a system automatically via the Safari web browser, which is set by default to open ZIP archives.

F-Secure

Like Inqtana.A, the .B and .C are locked to certain Bluetooth addresses and are time limited to 24 February 2006, so they will not be able to replicate in any real environment and will work only in a specially crafted lab. However, it is possible that some virus author will create similar worms that are not intentionally limited, so please make sure that your OS X is up to date.

Red Herring

Security researchers said Friday they have found a second virus that affects Apple computers running the Mac OS X operating system, further eroding the long-held belief that Mac machines are more impervious to attacks than Microsoft’s Windows-based personal computers.
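The TechWorld item above describes the flaw at the level of behaviour: a shell script inside a ZIP archive is given a harmless-looking name, and a browser that opens archives automatically hands it to the system. The check below is an added example, written for this page and not taken from the article, from Apple or from any vendor advisory: it opens a ZIP archive offline and flags entries whose extension says "picture" or "text" but whose first bytes are a shell shebang or a Mach-O header, or whose stored Unix mode carries an execute bit. The extension list, the magic numbers chosen and the sample archive (built inline, so nothing is downloaded) are assumptions made for the example.

```python
import io
import os
import zipfile

# Extensions a user would reasonably treat as data, not code (assumed list).
HARMLESS_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf", ".mov"}

# Leading bytes that mark executable content: a shell shebang, then the
# Mach-O magic numbers (32/64-bit, both byte orders) and the fat-binary magic.
EXECUTABLE_MAGIC = (
    b"#!",
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
)


def find_disguised_scripts(zip_bytes):
    """Return names of entries that look like data by extension but are
    executable by content or by stored Unix mode."""
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext not in HARMLESS_EXTENSIONS:
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            # Archives written on Unix keep the file mode in the high 16 bits
            # of external_attr; any execute bit on a ".jpg" is a red flag.
            mode = (info.external_attr >> 16) & 0o777
            has_exec_bit = bool(mode & 0o111)
            if head.startswith(EXECUTABLE_MAGIC) or has_exec_bit:
                suspicious.append(info.filename)
    return suspicious


def build_sample_archive():
    """Constructed sample archive (not a real malware sample): a genuine
    JPEG header, a text file, and a shell script named as a picture with
    mode 0755 so that it would run if handed to the shell."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("notes.txt", b"just some text\n")
        script = zipfile.ZipInfo("vacation.jpg")
        script.external_attr = 0o100755 << 16   # regular file, rwxr-xr-x
        zf.writestr(script, b"#!/bin/sh\necho this would have run\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_disguised_scripts(build_sample_archive()):
        print("disguised executable:", name)
```

Run it over a downloaded archive by reading the file into bytes and passing them to find_disguised_scripts(); an empty list means no entry tripped either test. The check is deliberately conservative in one direction: a file can fail both tests and still be hostile, so it complements rather than replaces turning off Safari's "Open 'safe' files after downloading" preference, which is the default the article singles out.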

Star skier takes home a gold medal and notoriety

by certifiedbug on February 19, 2006

in News

By Stephen Hutcheon and Jacquelin Magnay
February 16, 2006
‘Spam man’ wins gold.

According to the International Olympic Committee’s website, Australia’s gold medallist Dale Begg-Smith, runs an internet pop-up advertising company that he describes as the third largest of its type.

According to the Canadian Press news agency, Begg-Smith said “his business had never dealt with any specific kind of advertising, only the technology to track how often the ads were being seen. It was up to his customers to decide what kind of ads they wanted to use, he said.”

Copyright © is the original authors.

Microsoft. Windows® Defender (Beta 2)

by certifiedbug on February 15, 2006

in Microsoft, Programs

Microsoft has released Windows® Defender (Beta 2) which replaces Microsoft AntiSpyware.

  • Overview
  • Release notes
  • How to install and set up Windows Defender (Beta 2)
  • Download details

Beware. SpyAxe and Other Bad Company

by certifiedbug on February 9, 2006

in Rogue

Installed on your computer via a Trojan, these fake anti-spyware programs pop up a screen over the desktop or a balloon from the Windows tray area, displaying a warning message that your computer is infected with spyware and telling you to purchase, download and install their program to remove it.

SpywareQuake and SpyFalcon.
These versions are slightly different from other variants (SpywareStrike, SpyAxe, etc.) in that the alerts do not look like Windows Security alerts but are rather a square that appears from your taskbar.

All are Rogues

Names you may see in this infection:

  • AntiVirusGold
  • PSGuard
  • RazeSpyware
  • Security IGuard
  • Search Maid
  • SpyFalcon
  • SpySheriff
  • SpyTrooper
  • Spywarestrike
  • SpywareQuake
  • SystemWarning
  • Virtual Maid
  • W32.Sinnaka.A@mm
  • WinHound

Information:

Fighting Back

by certifiedbug on February 6, 2006

in Security

Spyware Warrior

Fellow spyware warrior and Microsoft Security MVP Nellie2 has started a campaign to fight back against spyware pushers.

Nellie2

I have known Nellie2 for a few years now; she has helped countless users in the forums. Someone who genuinely cares about people; well... unless they are malware writers. ;)

Update: 02-10-06
Spyware warriors call for action

By Adam Blenford
BBC News website
Computer users whose machines have been hijacked by potentially dangerous software are being asked to add their tales of woe to an online campaign.

Security experts say that growing numbers are being conned into paying for fake anti-spyware programs.

Add your two cents about malware that infected a PC.

IE7 Beta

by certifiedbug on February 6, 2006

in Browser, Microsoft

IE7 Beta is out and available to the public for download.

Remember this is a Beta. Early days yet.

Thank you for choosing Microsoft and for trying this pre-release software. Everyone on the Internet Explorer team wants to make your web browsing experience safer and easier. We welcome your feedback.

To help you with beta testing, we’ve provided the resources and checklists below. You may want to print the checklists that apply to you and verify that your websites/applications work with the new Internet Explorer features.

© 2006 Microsoft Corporation

Firefox Multiple Vulnerabilities

by certifiedbug on February 2, 2006

in Browser, Security

Highly critical.

Description:
Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, potentially disclose sensitive information, and potentially compromise a user’s system.

1) Some errors in the JavaScript engine where certain temporary variables are not properly protected may be exploited to execute arbitrary code via a user-defined method triggering garbage collection.

One of the vulnerabilities affects only version 1.5. The other affects version 1.5 and prior.

2) An error in the dynamic style handling can be exploited to reference freed memory by changing the style of an element from “position:relative” to “position:static”.

Successful exploitation may allow execution of arbitrary code.

The vulnerability has been reported in version 1.5.

3) An error in the “QueryInterface” method of the Location and Navigator objects can be exploited to cause a memory corruption.

Successful exploitation may allow execution of arbitrary code.

The vulnerability has been reported in version 1.5.

4) An input validation error in the processing of the attribute name when calling “XULDocument.persist()” can be exploited to inject arbitrary XML and JavaScript code into “localstore.rdf”, which will be executed with the permissions of the browser the next time the browser starts.

5) Some integer overflows in the E4X, SVG, and Canvas functionalities may be exploited to execute arbitrary code.

The vulnerabilities have been reported in version 1.5.

6) A boundary error in the “nsExpatDriver::ParseBuffer()” function in the XML parser may be exploited to disclose data on the heap.

The vulnerability does not affect version 1.0.

7) The internal “AnyName” object of the E4X functionality is not properly protected. This can be exploited to create a communication channel between two windows or frames having different domains.

This does not pose any direct risks and does not allow bypass of same-origin restrictions or disclosure of web content from other domains.

The vulnerability does not affect version 1.0.

Solution:
Update to version 1.5.0.1.

Provided and/or discovered by:
1) Igor Bukanov
2) Martijn Wargers
3) Georgi Guninski
4) moz_bug_r_a4
5) Georgi Guninski
6) Johnny Stenback
7) Brendan Eich

Mozilla.org

Note: Thunderbird shares the JavaScript engine with Firefox and could be vulnerable if JavaScript is enabled in mail. This is not the default setting; we strongly discourage users from running JavaScript in mail.
Workaround
Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird or Mozilla Suite mail.