Wednesday, June 23, 2010
Update Mozilla Firefox
Firefox 3.6.4 has been released. This version addresses 7 vulnerabilities, ranging from critical issues such as denial of service and arbitrary code execution bugs to a few lower-severity issues. Below is the list of critical vulnerabilities fixed in this version:
MFSA 2010-30 Integer Overflow in XSLT Node Sorting
MFSA 2010-29 Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
MFSA 2010-28 Freed object reuse across plugin instances
MFSA 2010-26 Crashes with evidence of memory corruption (rv:1.9.2.4/1.9.1.10)

The full list of fixed vulnerabilities is in the release notes linked below. This version also improves the handling of plugin crashes: if a plugin crashes or freezes while you are browsing a website, only the plugin process is terminated and the browser itself keeps running. If you have not updated yet, visit the link below to download it.

http://www.mozilla.com/en-US/firefox/3.6.4/releasenotes/

Tuesday, June 15, 2010
Microsoft Windows Help and Support Center vulnerability
The vulnerability in Microsoft Windows Help and Support Center is being exploited in the wild. More information on this vulnerability is available at http://www.microsoft.com/technet/security/advisory/2219475.mspx. The vulnerability allows a Windows system to be infected simply by visiting a manipulated web site (a drive-by download).
Microsoft has now released a “Fix It” tool which unregisters the HCP protocol handler as a workaround, because no patch is currently available. We recommend that users apply this tool to block the vulnerability from being exploited.

Tuesday, May 25, 2010
Save Our Tigers website is compromised
Yesterday while traveling to the office I saw the hoarding for Save Our Tigers, the on-going initiative undertaken by Aircel in partnership with WWF-India to help "Save Our Tigers".
According to the latest tiger census in India we have only 1411 left in the wild. So I thought of joining this initiative by doing my bit, and when I reached the office I opened the website... oh no, not again... it seems the website www.saveourtigers.com has been compromised and is loading foreign pages which in turn install a rogue security application on the visiting user's system.

[Screenshot: from saveourtigers.com]

When I visited the website www.saveourtigers.com it closed the Firefox browser and showed me the message below.

[Screenshot: fake message]

So I clicked on "OK"; there is no other button here (the close button is also of no use). It then started to show a fake scan running on my system.

[Screenshot: fake scan running on the system]

At the end of the scan it showed that hundreds of malware are running on my system, so I need to install a security application. It automatically started to install My Security Engine.

[Screenshot: My Security Engine installed]

Users are advised not to visit this website until it is cleaned up. We have reported this to the website owner and CERT-In; hopefully we will hear from them soon. Quick Heal successfully detects this rogueware and takes appropriate action.

Monday, May 24, 2010
DHL Delivery Mail leads to Rogueware
The mail below landed in my mailbox today with an attachment DHL_Tracking_NR.324-492383.zip; as a curious user I went to check it.
--------------------------------------------------------------------------
Subject: DHL Tracking number #1488883
From: xxxxxxxxxxxxxxxx
Date: Tue, May 24, 2010 10:09 am
To: xxxxxxxxxxxxxx

Good morning,

We were not able to deliver postal package you sent on the 22nd May in time because the recipient's address is not correct.
Please print out the invoice copy attached and collect the package at our office.

Your personal manager: Dolly Gibson,
Customer Service: 1-800-CALL-DHL
Fax: 888-378-9347
DHL International, Ltd. All Rights Reserved.
--------------------------------------------------------------------------

When extracted, a file named DHL_Tracking_NR.324-492383.DOC.exe was present. Once this file was opened it dropped the following files on the system:

[System32 Folder]\pgsb.lto
[Current Profile Folder]\Local Settings\Temp\3.tmp

In the registry it added:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe rundll32.exe pgsb.lto csxyfxr"

It then tried to connect to a remote system to download another trojan onto the system. After a few minutes the system started showing fake messages, and eventually a fake antivirus program got installed.

[Screenshot: fake message]

We have released protection against this fake AV/rogueware, which is detected as Securityessentials2010.
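The Winlogon Shell modification above is the persistence mechanism of this dropper: whatever follows explorer.exe in that value is launched by winlogon at every logon. The following Python is an added example for checking that value, not code from the post or from Quick Heal. It parses a constructed .reg-style export of the Winlogon key (the Shell value is the one the post reports; the Userinit line is a made-up benign default) and reports why the value looks tampered with, using the dropped file names from the post as indicators.

```python
import re
from typing import Optional

# Constructed sample of a registry export (.reg text) for the Winlogon key.
# The Shell value is the one the post reports the dropper writing; the
# Userinit line is a made-up benign default added for realism.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe pgsb.lto csxyfxr"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

CLEAN_SHELL = "explorer.exe"

# File names the post says the dropper writes (names only, matched case-insensitively).
DROPPED_FILE_NAMES = {"pgsb.lto", "3.tmp"}

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def extract_shell_value(reg_text: str) -> Optional[str]:
    """Pull the "Shell" string out of a .reg export of the Winlogon key.

    Returns None when the key or the value is absent. Only the Winlogon key
    is inspected, so a Shell value under some other key is ignored."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line[1:-1].lower() == WINLOGON_KEY.lower()
            continue
        if in_key:
            m = re.match(r'"Shell"="(.*)"$', line)
            if m:
                # .reg files escape quotes and backslashes; undo that escaping.
                return m.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return None


def shell_value_findings(value: str) -> list:
    """Explain why a Winlogon Shell value looks tampered with.

    The expected value is a lone explorer.exe; anything chained after it is
    run by winlogon at every logon, which is the persistence the post describes."""
    findings = []
    tokens = value.split()
    if not tokens or tokens[0].lower() != CLEAN_SHELL:
        findings.append(f"shell does not start with explorer.exe: {value!r}")
    extra = tokens[1:]
    if extra:
        findings.append(f"extra command chained after explorer.exe: {' '.join(extra)!r}")
    for tok in extra:
        low = tok.lower()
        if low == "rundll32.exe":
            findings.append("rundll32.exe used as a loader from the Shell value")
        if low in DROPPED_FILE_NAMES:
            findings.append(f"references a file dropped by the sample: {tok}")
    return findings


def check_reg_export(reg_text: str) -> list:
    """Top-level check: parse the export, then judge the Shell value."""
    value = extract_shell_value(reg_text)
    if value is None:
        return ["no Shell value found under the Winlogon key"]
    return shell_value_findings(value)


if __name__ == "__main__":
    for finding in check_reg_export(SAMPLE_REG_EXPORT):
        print("FINDING:", finding)
```

On a live Windows host the same value can be read directly with the standard library's winreg module (HKEY_LOCAL_MACHINE and the key path above) and passed to shell_value_findings; the .reg parser is there so the check also works on exports collected from a machine that is being investigated offline.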
Friday, April 16, 2010
SMS scams

Today I received an SMS message with the following text:
CONGRATS-YOU-WON-700,000-GBP- IN 2010-UK-TOYOTA WORLDWIDE- INT'L-MMOBILE-DRAWS-WINNING -#1,TO-CLAIM-YOUR PRIZE CONTACT MR.BEN VIA EMAIL:xxxxxxxx2010@hotmail.com

It's nothing new: malware writers and cyber criminals are attempting to fool mobile phone users with such bogus text messages. Mobile users are increasing day by day, and so is the use of SMS (Short Message Service). What we see in mail is called phishing; when done using SMS it is termed smishing (SMS phishing). In smishing an attacker targets mobile phone users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user, initiated via mobile texting rather than email. The user is enticed to provide information or go to a compromised web site via a text message. Apart from the manner in which the attack is initiated, the attack proceeds as a standard phishing attack. Users are advised not to fall for such bogus SMS; if someone is asking for your personal details, do not give them away.

Monday, April 5, 2010
Facebook Antivirus and wall spams
Social networking sites are often targeted by cyber criminals in the rising Web 2.0 Internet world. Recently, on its 6th anniversary, Facebook reached the mark of 400 million users. No doubt it is becoming a soft target, since it gives easy access to a huge online user community. Some Facebook applications use various innovative techniques to force users to grant permissions to collect friend lists and push themselves onto other users' profiles. Such applications may post to users' walls, which could be used to abuse privacy.
A recent example is a Facebook application that poses as "Facebook Antivirus". It tags photos of the infected profile with 20 people from the friends list and publishes the tagged photo to the wall. Subsequently the friends get the update notifications and end up getting the fake antivirus. If you observe that any of your friends has tagged your photo, the following are the steps to manually remove the tag:

- Open your photos
- Click the photo which is tagged
- If your name appears in the tagged list, click the ‘Remove Tag’ link for your name

Facebook had removed the fake application at the time of writing this blog; however, it gives insight into the security and privacy issues with this popular social networking site. Users are advised to configure their Facebook privacy settings appropriately and be more careful when clicking any links.

More details:
http://thefacebookinsider.com/2010/03/warning-facebook-antivirus-will-virally-spam-your-friends/
http://blog.facebook.com/blog.php?post=287542162130
http://www.allfacebook.com/2009/12/facebook-privacy-new/

Thanks Rajesh for the input.

Friday, April 2, 2010
New variant of Sality
Another new variant of Sality was reported on Saturday. As with previous versions of Sality (such as Sality.R), this one is also a polymorphic EPO (entry-point obscuring) virus which replaces the entry point code of the original file. The main virus body is appended at the end of the original file and the section header is modified accordingly: the section is made writable and executable and its size is adjusted. The offset of the virus code is calculated within the code patched in at the control point. This code is mixed with a lot of junk instructions. Once the offset is calculated, it uses a PUSH-RET or JMP instruction to jump to that offset. The initial bytes at this offset contain the loop which decrypts the rest of the bytes. The loop code is obfuscated with unwanted garbage instructions. Once the code is decrypted, control is transferred to the decrypted code using a RET instruction. The original bytes from the control point are found within this code. The new variant of Sality uses several threads to carry out different functions. One thread keeps on infecting files; another moves the original code back to the control point and passes control to it so that the clean file executes.
Feistel Network: The new variant of Sality uses a modified version of a 64-bit block Feistel network with a 32-bit key and 64 (0x3F) iterations for decryption. Each iteration decrypts 64 bits. To decrypt the first half of the 64-bit block, it uses a key derived from the second half, and vice versa. The virus decrypts 0xFEE2 bytes using this algorithm. To derive the key from the 32-bit data, it performs complex operations. It also adds the current iteration count to this value, and once 0x3F iterations are complete, it adds to the key the number of bytes already decrypted. Once the key is generated, it uses a subtract operation to decrypt the data.

The virus is detected by Quick Heal as W32.Sality.U.

Thanks to Omkar, Jithin and Rajesh for the analysis and writeup.
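To make the structure described above concrete, here is an added Python model of that decryption scheme; it is not code from the writeup or from Quick Heal. It keeps the parts the post states (64-bit blocks handled as two 32-bit halves, 0x3F rounds, a subkey derived from the opposite half with the round counter added, the count of bytes already decrypted folded in per block, and subtraction to decrypt) and supplies the one part the post does not disclose: the mixing inside derive_subkey is an assumption, as are SAMPLE_KEY and SAMPLE_CODE. The matching encryption direction is included so that the round trip can be verified, which is also how an analyst confirms that a reimplemented decryptor is a faithful inverse.

```python
import struct

MASK32 = 0xFFFFFFFF
ROUNDS = 0x3F            # iteration count stated in the post
BLOCK_LEN = 8            # 64-bit block = two 32-bit halves


def derive_subkey(other_half: int, key: int, rnd: int, done: int) -> int:
    """Hypothetical per-round key derivation (an assumption, not Sality's).

    The post says the subkey comes from the other 32-bit half via "complex
    operations", with the iteration count added and the bytes-already-decrypted
    count folded in per block. The xor/rotate/multiply mix below stands in for
    those operations; any function of (other_half, key, rnd, done) keeps the
    Feistel structure invertible, which is the point being demonstrated."""
    x = (other_half ^ key) & MASK32
    x = ((x << 13) | (x >> 19)) & MASK32
    x = (x * 0x9E3779B1) & MASK32
    return (x + rnd + done) & MASK32


def decrypt_block(block: bytes, key: int, done: int) -> bytes:
    """Decrypt one 64-bit block: subtract the subkey from one half, then swap."""
    left, right = struct.unpack("<II", block)
    for rnd in range(ROUNDS):
        left = (left - derive_subkey(right, key, rnd, done)) & MASK32
        left, right = right, left
    return struct.pack("<II", left, right)


def encrypt_block(block: bytes, key: int, done: int) -> bytes:
    """Exact inverse of decrypt_block: rounds in reverse order, adding the subkey."""
    left, right = struct.unpack("<II", block)
    for rnd in reversed(range(ROUNDS)):
        left, right = (right + derive_subkey(left, key, rnd, done)) & MASK32, left
    return struct.pack("<II", left, right)


def decrypt_buffer(data: bytes, key: int) -> bytes:
    """Decrypt block by block; 'done' is the byte offset already processed.
    A trailing partial block (the post's 0xFEE2 is not a multiple of 8) is kept as-is."""
    out = bytearray()
    for off in range(0, len(data) - len(data) % BLOCK_LEN, BLOCK_LEN):
        out += decrypt_block(data[off:off + BLOCK_LEN], key, off)
    out += data[len(out):]
    return bytes(out)


def encrypt_buffer(data: bytes, key: int) -> bytes:
    """Inverse of decrypt_buffer, used here only to build test material."""
    out = bytearray()
    for off in range(0, len(data) - len(data) % BLOCK_LEN, BLOCK_LEN):
        out += encrypt_block(data[off:off + BLOCK_LEN], key, off)
    out += data[len(out):]
    return bytes(out)


# Constructed sample key and bytes standing in for the code the loop unpacks.
SAMPLE_KEY = 0xDEADBEEF
SAMPLE_CODE = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08\x33\xdb\xc3" * 3


if __name__ == "__main__":
    ct = encrypt_buffer(SAMPLE_CODE, SAMPLE_KEY)
    print("encrypted :", ct.hex())
    print("round trip:", decrypt_buffer(ct, SAMPLE_KEY) == SAMPLE_CODE)
```

The feature worth noticing is that decryption only ever subtracts a subkey computed from the half that is not being modified, so the scheme inverts regardless of how opaque the subkey function is; an analyst rebuilding such a decryptor therefore only has to reproduce the "complex operations" exactly, not invert them.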
Tuesday, March 23, 2010
A private message from Windows Live

There seems to be a problem with Windows Live Messenger being abused to send spam messages, sometimes called SPIM. What I have been noticing recently is that my Hotmail mailbox contains a mail from "Windows Live" with the subject line "A private message from [Your friend] on Windows Live".
Usually these kinds of attacks are performed for identity theft. Sometimes the message takes you to a site where it has you sign up for something, which may end up costing you money later on, or may even serve malware. Identity protection is one of the most important considerations in today’s society, so follow the general rule of thumb and do not trust a message if you do not recognize the sender.

HOW TO REPORT ABUSE OR SPAM IN WINDOWS LIVE HOTMAIL
http://windowslivehelp.com/solution.aspx?solutionid=e1e87293-909f-45e9-9dcd-920a04719bc3

Thursday, February 18, 2010
Alureon-infected systems show BSOD after MS10-015 is applied
If your system restarted after applying MS10-015, this might be a sign that your system is infected with the notorious W32.Alureon malware. It is one of the most complex and advanced pieces of malware around and has been in existence for quite some time now. Some of the functions it is loaded with are modification of DNS settings, search hijacking, and click fraud. It infects critical system drivers, with whose help it tries to avoid being detected by security products. In the recent version of this malware we have seen that it is able to infect the miniport driver associated with the hard disk of the operating system, which gives the malware full control over disk activity.
Here is a list of driver filenames used by this malware:

atapi.sys
iaStor.sys
nvata.sys
nvstor32.sys
nvstor.sys
nvgts.sys
nvatabus.sys
SiSRaid.sys
IdeChnDr.sys
iastorv.sys

For example, ‘atapi.sys’ resides at the following location: %windir%\system32\drivers\atapi.sys

Quick Heal users are well protected against this malware as we have detection for it. We will post more information on this soon.
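Because the malware overwrites existing, legitimately named drivers rather than dropping a new file, a useful check is to baseline the listed drivers' hashes and compare them later. The Python below is an added example, not code from the post or from Quick Heal: it records SHA-256 digests of the driver names listed above and reports which ones were modified, removed or newly created. The demo builds a constructed drivers directory in a temporary folder (with made-up file contents) instead of touching %windir%\system32\drivers. One caveat follows from the post itself: since the infected miniport driver gives the malware full control over disk activity, a live system can serve clean bytes to any reader, so the baseline and the later comparison should be taken from a clean boot or from an offline copy of the disk.

```python
import hashlib
import os
import tempfile

# Driver file names the post says this malware infects.
ALUREON_TARGET_DRIVERS = [
    "atapi.sys", "iaStor.sys", "nvata.sys", "nvstor32.sys", "nvstor.sys",
    "nvgts.sys", "nvatabus.sys", "SiSRaid.sys", "IdeChnDr.sys", "iastorv.sys",
]


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so large driver images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_drivers(drivers_dir: str, names=ALUREON_TARGET_DRIVERS) -> dict:
    """Record the SHA-256 of each listed driver that exists under drivers_dir.
    Absent drivers are simply skipped; not every machine ships all of them."""
    result = {}
    for name in names:
        path = os.path.join(drivers_dir, name)
        if os.path.isfile(path):
            result[name] = sha256_of_file(path)
    return result


def compare_drivers(drivers_dir: str, baseline: dict) -> dict:
    """Return {name: status} for drivers whose state differs from the baseline:
    'modified' (hash changed), 'missing' (gone) or 'new' (present, not baselined)."""
    current = baseline_drivers(drivers_dir)
    changes = {}
    for name, digest in baseline.items():
        if name not in current:
            changes[name] = "missing"
        elif current[name] != digest:
            changes[name] = "modified"
    for name in current:
        if name not in baseline:
            changes[name] = "new"
    return changes


def run_demo() -> dict:
    """Constructed scenario: a fake drivers directory holding two of the listed
    drivers is baselined clean, then atapi.sys is overwritten (standing in for
    an infection) and the directory is compared against the baseline."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "atapi.sys"), "wb") as f:
            f.write(b"MZ clean atapi driver image (constructed)")
        with open(os.path.join(d, "iaStor.sys"), "wb") as f:
            f.write(b"MZ clean iaStor driver image (constructed)")
        clean = baseline_drivers(d)
        with open(os.path.join(d, "atapi.sys"), "wb") as f:
            f.write(b"MZ patched atapi driver image (constructed)")
        return compare_drivers(d, clean)


if __name__ == "__main__":
    print(run_demo())   # {'atapi.sys': 'modified'}
```

Against a real machine, point baseline_drivers at the drivers directory the post names and store the returned dictionary somewhere the host cannot alter; a later compare_drivers run from clean media then shows exactly which of the listed drivers changed.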
Thursday, February 11, 2010
New wave of phish mail seen on radar

A new wave of the phishing mail impersonating the Income Tax Department (Govt. of India), blogged earlier by Sanjay here, has been seen on our radar since this morning.
We have just started to see mails targeting Bank of India too. We have released an update to protect all our users.

Friday, February 5, 2010
Advance Notification: February Microsoft Bulletin Release
Yesterday Microsoft released the advance notification for its February bulletins. This month they plan to release 13 bulletins, five rated Critical, seven rated Important, and one rated Moderate, addressing 26 vulnerabilities. Eleven of the bulletins affect Windows and the remaining two affect Office.
A fix for the recently published Advisory 980088, "Vulnerability in Internet Explorer Could Allow Information Disclosure", is not planned for this bulletin release. To protect your systems, implement the workarounds and mitigations described in Advisory 980088. More information on the security updates is available from Microsoft's bulletin pages.

Sunday, January 24, 2010
Google AdWords being targeted by phishers
A new stream of phishing emails aimed at users of Google AdWords has been noticed. The ongoing practice of phishing for personal information, especially financial details such as credit card numbers, makes this kind of crime low risk with high gain for the criminals.
[Screenshot: phish mail]

Google's online advertising attracts a high level of attention from criminal spammers. Google AdWords users are cautioned not to be lured by such emails into providing financial details.

[Screenshot: phish site]

Quick Heal browser protection automatically blocks users from visiting this fraudulent website.

Wednesday, January 20, 2010
Security patch released for BIND 9.6.1
Internet Systems Consortium announced the release of the BIND 9.6.1-P3 security patch to address two cache poisoning vulnerabilities, "both of which could allow a validating recursive nameserver to cache data which had not been authenticated or was invalid."
More details at the links below:
CVE-2010-0097
CVE-2009-4022v6

Monday, January 18, 2010
Buffer overflow in QuickTime

A remotely exploitable vulnerability in QuickTime has been discovered. Information on the vulnerable versions of QuickTime is available on Bugtraq 32540. The vulnerability can be exploited by malformed .mov files. The latest version of QuickTime is not affected by this vulnerability.

Tuesday, October 13, 2009
BANK OF INDIA - Beware of fraudulent emails
Some users reported receiving a mail from BANK OF INDIA with the subject line "BANK OF INDIA -Beware of fraudulent emails".
The bank seems to have woken up to the recent surge in fraudulent emails targeting its users. The mail contains an attachment named "Take_Care_from_Phishing_emails.doc" which provides some tips for safe and secure banking. If you happen to be one of the recipients of this mail, don't panic.