._/:: 8#00p$ ::\

Wednesday, May 26, 2010

Botnet (for hire )at just $8.94/hour*

Recently it has been disclosed by VeriSign cyber security intelligence arm that botnet services are available at very cheap rate $8.94 per hour*. This online investigation is carried out on 25 botnet operators. it has been founs that the botnet operators has advertised for renting their services on three different forums. * Terms and conditions applied.

In the reported advertisement, botnet assured number of illegal services or say attack vectors like ICMP, SYN, UDP, HTTP, HTTPS and Data.

While those masterminding criminal operations involving botnets have in the past often been technical experts, the trend is towards the hiring of botnet services by less-skilled individuals, according to VeriSign. This was disclosed when these was arrest of three men operating Mariposa botnet.

The Mariposa botnet, believed to have been composed of 12.7 million PCs th

at stole credit card and bank log-in data and infected computers in half of the Fortune 1000 companies and more than 40 banks. According to ZDNet.

The world's largest botnet, Zeus botnet, had its traffic disrupted by repeated disconnections of a Kazakhstani ISP in March, but a series of reconnections revived its activity, security researchers have said. The botnet mainly pushes out the Zeus banking Trojan, an information-stealing keylogger that relays sensitive data back to its controllers.

To read more, follow:
http://news.cnet.com/8301-1009_3-20005844-83.html?tag=mncol;title
http://www.zdnet.co.uk/news/security-threats/2010/05/25/botnet-price-for-hourly-hire-on-par-with-cost-of-two-pints-40089028/
http://www.zdnet.co.uk/news/security-threats/2010/03/12/zeus-botnet-shaken-by-isp-cutoffs-40088290/
http://pandalabs.pandasecurity.com/mariposa-botnet/

H@v3 @ $@f3 br0ws!n9 !!!

nj0y !!!

Tuesday, May 25, 2010

"Distracting Beach Babes" yet another FB Worm

Hey you guys . . . beware of the Facebook spam or say Facebook worm spreading in a wild. This is kind of same FB spam worm about which I posted early this month name "Candid Camera Prank! [HQ]".

This time the worm posting message like "Distracting Beach Babes" onto your wall. And if you caught by this trick, this will also do the same like its previous version, it will post the same link onto the walls of all of your friends.

Like its previous version, if it lures you to click and if you clicked, you will land on its application page where it will ask you accept for the following:

Access my public data
Post on my wall
Access my data any time

If you accept, that means you have allow this application, to do whatever it wants to do with your profile and your data. It will take you to a luring page which looks like this. Along with this it will give you a fake warning message that your FLV player is out of date, download update for it. This time i didn't wasted my time on downloading this malware because this may be the same kind of adware or may be different malware.

And the last lets see how this application home page looks like. This time there is a profile of an administrator of this application. I am not aware whether it is a real profile or fake. Generally these kind of profile are fake and used for luring users.

Follow the instructions to remove this application from your profile if you already caught before that it will do something more dangerous with your profile and profile data.
The Instructions are:
Goto your "Account"-> "Application Setting", find "Video Wave" in the list and click on 'X' to Remove application from you profile.

To read more about all this and previous please follow:
http://bh00ps.blogspot.com/2010/05/candid-camera-prank-hq-fb-virus.html
http://community.websense.com/blogs/securitylabs/archive/2010/05/22/warning-for-quot-distracting-beach-babes-quot-on-facebook.aspx
http://community.websense.com/blogs/securitylabs/archive/2010/05/15/sexiest-video-ever-on-facebook.aspx

H@v3 @ $@f3 br0w$!n9 !!!

nj0y !!!

Warning !!! Facebook worm "FBHOLE"

A new Facebook worm was spreading in the wild. The worm is doing nothing but posting on people's wall without user's intervention, I mean users doen't know that after clicking on this link the message will be posted on their friends wall, which is so weird. The message getting posted can be seen here...

The message posted by this worm is:

"try not to laugh xD http://www.fbhole.com/omg/allow.php?s=a&r=[RandomNumber]"

If you click on this type of posting on your wall, you will land on a page which merely looks like the page shown. This page says "If i don't, someone else do it." and also shows a fake script error. If you click any where on this page you will trigger a script which will post the same massage, shown above to your wall. The script is running in such a way that it follows your mouse button with a hidden iFrame in it. This iFrame is actually a "publish" button.

This worm is doing nothing except posting to your wall. But posting anything on user's wall without user's concern is wrong.

As of now the domain is blocked and it malicious activity is stopped. To read more about this follow:
http://www.f-secure.com/weblog/archives/00001955.html

H@v3 @ $@f3 br0w$!n9 !!!

nj0y !!!

Wednesday, May 19, 2010

Zero Day - Microsoft Windows Aero, Remote Code Execution Vulnerabiltiy

Few hours ago, Microsoft released and advisory about a kernel memory error vulnerability, which could allow remote code execution on affected machine installed with Windows Aero. this vulnerability exists in recently released Microsoft's products, Windows 7 x64 and Windows Server 2008 R2 x64 and Itanium.

A remote attacker may exploit this by sending specially crafted image file via email attachment or could host on a web server as a part of website and luring users to open it. Once open, and parsed by windows kernel may cause parsing error in the Canonical Display Driver (cdd.dll) and execute arbitrary code on the user's system.

This is a" Zero Day Vulnerability", no patch is available with MS.

The only safeguard suggested by MS is:

Disable Windows Aero. (not in use generally)

And from my side:

Do not open image files received from untrusted sources, or received unexpectedly from trusted sources, or file received through instant messaging.
Do not follow untrusted links and URLs received by any mean.

TwitterNET Builder, Botnet toolkit

TwitterNET Builder, Now any script kiddie can create their own botnet with help of this toolkit. David Jacoby, Kaspersky Lab Expert posted information about this. With the help of this toolkit, it has became very easy to create a malicious program in few clicks. Upon execution, victim's system will become node of botnet. This toolkit will create a profile on twitter which will be contacted by infected computer for receiving instructions and commands. To read more follow:
http://www.securelist.com/en/blog/2163/New_tool_allows_script_kiddies_to_build_botnets_via_Twitter

The detail description of this toolkit can be found at:
http://sunbeltblog.blogspot.com/2010/05/diy-twitter-botnet-creator.html

How to get protected from this?
Do not open unsolicited email attachments or attachments received unexpectedly from trusted sources.
Do not receive or execute files received from untrusted users through instant messaging.
Keep your anti-virus program up-to-date.

H@v3 @ $@f3 br0w$!n9 . . .

nj0y !!!

Monday, May 17, 2010

Beware of Security essentials 2010, A Rouge Anti-Virus

Rouge anti-virus, Security Essential 2010 is spreading now a days. Websense® Security Labs™ has discovered a new job search related malware spam outbreak. People are getting spam mails with a Resume(CV) attached as compressed file, asking them to review it.

Hopefully I didn't receive any sample of this but thought of sharing information with you. So that you will be aware of what is happening.

According to Websense, inside this zip file there is an executable which is Oficla bot. the detection can be seen here . . .
http://www.virustotal.com/analisis/db641f27e14f54a02229cd3d9da9ca0c844c819c1db00b38005c3154be099965-1273654511

Once this bot installed on your computer, it will change your wallpaper and threaten you that your computer is seriously infected. Which is something like:

After all this drama it downloads and install rouge anti-virus program with the name of "Security Essentials 2010". This rogue AV give you fake warnings like your system is infected with multiple serious vulnerabilities and Trojan, virus, worms etc . . .

This is not for the first time, In the past there were few rouge AV, here is one example of "Antivirus 7"

when there was a news of releasing Windows 7 and another one is with name "PersonalSecurity" which was like . . .

To read more, please refer the following links:
http://community.websense.com/blogs/securitylabs/archive/2010/05/12/new-malspam-please-review-my-cv-thank-you.aspx

hope for the best, and never caught in these scams. i have seen people lost money in the name of buying updates for this rouge AV or in the name of getting latest definitions of clearing off infection shown by rouge AV. Please beware of these scams.

H@v3 @ s@f3 br0w$!n9 . . . .

nj0y !!!

Windows XP Service Pack 2 Support will be ceased on July 13, 2010

There is sad news for home users and entrepreneurs who are using Microsoft Windows XP, SP1 and SP2 . . .

Microsoft decided to cease support for its legendary operating system "Microsoft Windows XP SP2" on July 13, 2010. This date was decided when Windows XP Service Pack 3 (SP3) was released on April 21, 2008.

To read more please follow the links:
http://support.microsoft.com/gp/lifean31
http://support.microsoft.com/gp/lifesupsps
http://www.theregister.co.uk/2010/05/14/winxp_sp2_support_cut_off_looms/

Microsoft will continue to provide paid support During the Extended Support phase for Windows XP and security updates at no additional charge. Microsoft will continue support for Windows XP Sp3 till 2014. Finally and officially Windows XP will retire on April 8, 2014.

Upgrade to XP SP3 and nj0y $@f3 br0w$!n9 . . .

nj0y !!!

._/:: 8#00p$ ::\_.