Tuesday, March 9. 2010
Internet Explorer vulnerability could allow Remote Code Execution
If you are using an older version of Internet Explorer (IE 6 or IE 7), you have a strong reason to upgrade to Internet Explorer 8.
Attackers are exploiting a security bug in the older versions of Internet Explorer that allows them to remotely execute malicious code. The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. Under certain conditions the invalid pointer can be accessed after the object it refers to has been deleted. In a specially crafted attack, the attempt to access a freed object can cause Internet Explorer to allow remote code execution. Microsoft said "At this time, we are aware of targeted attacks attempting to use this vulnerability." The vulnerability exists in Internet Explorer 6 and Internet Explorer 7 but not in Internet Explorer 8. This Internet Explorer vulnerability is different from the one I blogged about last week under Internet Explorer .HLP vulnerability on Windows XP. Quick Heal's Browsing Protection feature protects Quick Heal users from attacks exploiting this vulnerability. Moreover, we still recommend that all Internet Explorer 6 and Internet Explorer 7 users upgrade to Internet Explorer 8. The Microsoft Security Advisory is at the following link: http://www.microsoft.com/technet/security/advisory/981374.mspx

Monday, March 8. 2010
FIFA World Cup 2010 Lottery Scam Mail
Online scammers have attempted a new trick shot. They are trying to improve the odds of their scam by capitalizing on the popularity of the FIFA Football World Cup 2010, which will be held in South Africa from June 11, 2010 onwards.
Today I received an email with the words GOOD NEWS!!! in the Subject line and SOUTH AFRICAN FIFA WORLD CUP 2010 INTERNET LOTTERY PROMOTION as the header of the mail. Please be aware that such mails are framed by online scammers and serve just one purpose: to lure users into believing that they have won a lottery and, in turn, to gather personal information from them. On many occasions, when the victim contacts the details provided in the mail, the scammers ask the victim to pay some amount to receive the lottery prize. Most of the time victims have fallen for this trap and ended up paying their savings without ever receiving a prize. When this mail arrived, Quick Heal AntiSpam automatically filtered it as SPAM. So please ignore such emails and keep away from online scams. A copy of the entire mail follows:
Saturday, March 6. 2010Phishing email of Bank of India in Hindi.
Today I got 4 Bank of India phishing emails. As I had written in an earlier blog post, the phishing attack on Bank of India is being repeated every few days. Out of the 4 phishing emails that I received, 3 were in English but the fourth was in the local language, Hindi.
This is the first time I have come across a phishing email targeting an Indian bank in a local language. The email content looked like this:

[image: screenshot of the Hindi-language phishing email]

The email message did not have any images such as the bank logo, and it had a lot of grammatical and spelling mistakes. The English-language phishing emails, by contrast, had the bank logo and a well-designed HTML page. The email asked the user to visit the following link: http:// dsl212-235-112-130.bb.netvision.net. il/www.bankofindia.com/

The above link points to a compromised server located in Israel. When visited, the website looked as below:

[image: fake Bank of India website asking for the user's PIN number]

This indicates that the attacker is trying every possible way to lure innocent users into clicking the link and revealing their account information along with their PIN number. The email is automatically blocked by Quick Heal AntiSpam and the link is blocked by the anti-phishing plug-in. More news as things happen. I will keep tweeting on this topic as I get more information. Follow me on Twitter @sanjaykatkar

Wednesday, March 3. 2010
Windows XP users do not press F1 if prompted by a website
Abhijit Kulkarni blogged yesterday about the .HLP vulnerability in Windows XP; see the details in his post below. I observed that Microsoft has rated this vulnerability as "Medium risk" because it needs user intervention. We are monitoring for any malicious exploitation of this vulnerability by malware.
I see no reason why this vulnerability will not be exploited and hence recommend that all our users avoid pressing F1 in Windows XP when using the browser. If a website shows a prompt asking users to press F1 to perform some activity, there is a chance that the website is infected by malware exploiting this vulnerability. If anybody comes across such a website that repeatedly asks to press F1, please report it to us at viruslab at quickheal dot com

Tuesday, March 2. 2010
Spanish police arrested 3 hackers as suspected masterminds of Mariposa botnet.
The Mariposa botnet, which has grown much stronger over the last six months, was posing a big challenge for security software developers. The botnet, first observed in April-May 2009, has shown significant traffic growth over the last six months, indicating a substantial number of compromised computers.
The botnet was quite actively managed by these hackers, who frequently updated the functionality of the bot by downloading and executing random files from newly hosted locations. In this way it became quite sophisticated and was believed to have more than 10 million computers under its control. The real names of these hackers are yet to be released. This sounds like one more victory against the bad guys, arriving just after the news of Microsoft taking down Waledac. Even though the news arrived only now, the work of tracking these guys and taking down the botnet had been going on for months before this news release. Kudos to the Spanish Police for the successful arrest of these masterminds. More information on the arrest can be found at: http://www.cbsnews.com/stories/2010/03/02/tech/main6259510.shtml?tag=stack

Tuesday, March 2. 2010
Internet Explorer .HLP vulnerability on Windows XP
Microsoft's security team is investigating a security vulnerability reported at http://isec.pl/ by Maurycy Prodeus.
The vulnerability affects operating systems older than Windows Vista (i.e. Windows XP). An attacker hosting a malicious website can remotely run arbitrary code by convincing the user to press the computer's F1 key in response to a popup window. The vulnerability results from passing a Samba share as the help-file parameter, combined with a stack-based buffer overflow in winhlp32.exe when the parameters are too long. There are no reports of attacks exploiting the weakness. Microsoft plans to issue guidance once its investigation is completed. Microsoft's Jerry Bryant says more on it here: http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx

Tuesday, March 2. 2010
Paypal phishing attack
I came across multiple emails in my inbox which said that my Paypal account was blocked. The mails had the subject line "Your Papal account is suspended". I immediately sensed it was a phishing email. Earlier I had received emails about payments that I supposedly made using Paypal, which were phishing emails, and since then I have been more careful when going through emails relating to Paypal.
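The Bank of India link in the post above and the mails described in this post rely on the same trick: the brand name is placed inside a URL whose real host belongs to someone else. The following Python check is an added example, not code from this blog or from Quick Heal; it assumes a small table of official domains for the two brands named in these posts and uses the two links quoted in them (spaces removed) plus a constructed genuine link as sample input.

```python
import re
from urllib.parse import urlsplit

# Official domains for the two brands named in these posts (assumption for the demo).
OFFICIAL = {"bankofindia": "bankofindia.com", "paypal": "paypal.com"}

def split_url(url):
    """urlsplit() that also accepts scheme-less links as they appear in mails."""
    return urlsplit(url if "://" in url else "http://" + url)

def host_of(url):
    return (split_url(url).hostname or "").lower()

def belongs_to(host, domain):
    """True if host is the domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)

def link_warnings(url):
    """Warning signs for a link found in an e-mail; an empty list means none fired."""
    host, path, flags = host_of(url), split_url(url).path, []
    for brand, domain in OFFICIAL.items():
        # Brand name in the subdomain, path or query while the host is someone else's.
        if brand in url.lower() and not belongs_to(host, domain):
            flags.append(f"'{brand}' appears in the URL but host {host} is not under {domain}")
    if re.search(r"\d+-\d+-\d+-\d+", host) or re.fullmatch(r"\d+(\.\d+){3}", host):
        flags.append("host is a dynamic/DSL-style address or raw IP, not a bank's server")
    if re.search(r"/~[^/]+", path):
        flags.append("page is served from a user's ~home directory on a shared host")
    return flags

def anchor_mismatch(anchor_html):
    """The hover check: True when the visible link text names a different host than href."""
    m = re.search(r'href="([^"]+)"[^>]*>(.*?)</a>', anchor_html, re.I | re.S)
    if not m:
        return None
    href, text = m.groups()
    shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text)
    if not shown:
        return None                      # text such as "Click here" names no host
    strip = lambda h: re.sub(r"^www\.", "", h.lower())
    return strip(host_of(href)) != strip(shown.group(0))

# Constructed samples: the first two are the links quoted in these posts (spaces removed).
SAMPLES = [
    "http://dsl212-235-112-130.bb.netvision.net.il/www.bankofindia.com/",
    "http://www.worldangler.com/~paypal/paypal.fr/fr/index.html",
    "https://www.paypal.com/fightphishing",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", link_warnings(url) or "no warning signs")
    print(anchor_mismatch('<a href="http://www.worldangler.com/~paypal/">https://www.paypal.com/</a>'))
```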
This email did not have my name; it started with "Dear Paypal Member", whereas a genuine mail would have addressed me by name. The email also had a lot of warning-style messages like "Your account will be suspended" and "Click here to activate your account". I moved my mouse pointer over the link and observed that it did not actually lead to the Paypal website. This confirmed that it was a phishing email. The link pointed to a URL something like (http :// www. worldangler.com/~paypal/paypal.fr/fr/...) I still visited the link just to see how the attacker had created the webpage. It appeared as shown below:

[image: screenshot of the fake Paypal login page]

The above page is carefully designed to look similar to the official Paypal website. It is in a European local language. I advise all readers that while going through emails from banks, Paypal or other online financial websites, please keep a suspicious view at the back of your mind and look for such signs of a phishing attack. Please do not click on any links in the email. It is always better to open the browser and directly type in the web address of the bank, Paypal or whatever service you are concerned with, and then visit the website. This will delay the process but is much safer. Paypal has an interesting tutorial on how to recognize phishing emails correctly. Please see the webpage below for the tutorial that teaches how to spot phishing: https://www.paypal.com/fightphishing Happy learning

Saturday, February 27. 2010
Rogueware "Security essentials 2010"
Microsoft has warned Windows users to be cautious of a rogueware (fake software) which calls itself Security Essentials 2010, as opposed to Microsoft Security Essentials, which is a genuine security product from Microsoft.
Security Essentials 2010 installs a fake virus scanner on your machine and blocks some processes. It also blocks access to the websites of some antivirus companies. It does this by downloading a Win32/Alureon component and a Layered Service Provider (LSP) component which monitors the TCP traffic sent by various web browsers and blocks any traffic to certain domains. Moreover, Security Essentials 2010 charges you to scan and remove files on your machine, claiming that the version you initially downloaded was a trial edition. This is in contrast to Microsoft Security Essentials, which is free for genuine Windows users. Microsoft has blogged about it here: http://blogs.technet.com/mmpc/archive/2010/02/24/if-it-calls-itself-security-essentials-2010-then-it-s-possibly-fake-innit.aspx

Friday, February 26. 2010
Operation B49
For a couple of weeks Microsoft has been working on the secret Operation B49 to wipe out the Waledac botnet. Waledac is one of the largest active botnets, with a major presence in the US and European countries. This botnet is believed to be actively sending spam messages and had the capacity to send billions of spam mails per day. Microsoft's observation concluded that in just 18 days the botnet sent more than 650 million spam emails to Hotmail accounts alone. This operation ended successfully on Wednesday.
Researchers from the University of Mannheim in Germany and the Technical University of Vienna in Austria published a research paper on the Waledac botnet and showcased a method to control it. Microsoft contacted those researchers this year and planned a major offensive against Waledac by taking control of all the command and control servers, which numbered in the hundreds and were distributed across the globe. Microsoft's legal team sought permission from the District Court of Eastern Virginia. This was quite difficult, but finally they managed to get permission to temporarily shut down almost 277 Internet domains believed to be used by the Waledac bot for command and control. This helped cut off traffic between the Waledac servers and the zombies at the source, disconnecting the hacker group from the zombie computers across the globe. What remains is the job of cleaning the zombies. We appreciate this move by Microsoft and congratulate them for getting through the legal hurdles and making such a huge attempt to stop this new-age problem. Now we have to wait and watch the gradual slowdown of the botnet traffic and its after-effects. We are sure this will have a major effect on the botnet business. Even though it may be temporary, it is significant enough. We know that this will not stop these hackers altogether, but such action will definitely make their job more difficult. One should keep doing such activity repeatedly to dismantle the hackers' operating network.

Friday, February 26. 2010
Search Engine Optimization (SEO) attacks are increasing rapidly
One has to be very careful when using a search engine to look for information or news on the latest hot topics. There is a greater chance of getting a malware infection after visiting the websites listed in the results.
Malware authors are creating more and more webpages loaded with newly created malware, fake software and rogueware. These webpages contain hundreds of the most searched words on search engines, which improves the chance of their infected webpage getting listed by the search engine. These keywords are mostly the latest hot topics, which increases the chance of their link getting listed on the first page of the search results. This technique is called SEO (Search Engine Optimization) poisoning. There is more to it: SEO poisoning also involves exploiting weaknesses in the way search engines are implemented. This way the hackers make sure their webpage links get listed immediately on the first page. Recent observations indicated SEO poisoning attempts on popular topics like the American Idol winners, Tiger Woods' confession, Olympic Games news and iPad-related news. Search results for these hot topics had at least a few links to malicious webpages on the day they were most searched. Users who visited these infected pages faced scareware getting installed on their systems, which later tries to make the user pay for the services they supposedly used. And I guess everybody knows where this money goes.