Archive for the ‘Virus Info’ Category

Hotmail, Yahoo!, Gmail users got hacked, but how?

December 17th, 2009

Never share your email password with any website or email (some websites ask for your email username and password to send invitations). I am posting this because I just read the following on Virusbtn:

In October, thousands of usernames and passwords belonging to Hotmail users were posted publicly online, and anyone could have taken them, logged into the accounts and done something with them. Gmail and Yahoo! were also targeted. Terry Zink asks: how did the hacker(s) gain access to all of these accounts and usernames? Should we be afraid that someone will guess our passwords? Why did they do it? What did they do with it? And should we worry about it happening to us? Posted on Virusbtn

Potent malware link infects almost 300,000 webpages

December 14th, 2009

A security researcher has identified a new attack that has infected almost 300,000 webpages with links that direct visitors to a potent cocktail of malicious exploits.

The SQL injection attacks started in late November and appear to be the work of a relatively new malware gang, said Mary Landesman, a researcher with ScanSafe, a web security firm recently acquired by Cisco Systems. Hacked sites contain an invisible iframe that silently redirects users to 318x .com (a space has been added to protect the clueless), which goes on to exploit known vulnerabilities in at least five applications.

At time of writing, this web search showed more than 294,000 webpages that contained the malicious script. Infected sites included yementimes .com, parisattitude .com and knowledgespeak .com.

People who visit infected pages receive an invisible link that pulls code from a series of sites tied to 318x .com. The code looks for insecure versions of Adobe Flash, Internet Explorer, and several other Microsoft applications, and when they are detected it exploits them to surreptitiously install malware known as Backdoor.Win3.Buzus.croo. The rootkit-enabled program logs banking credentials and may do other nefarious bidding, Landesman said.
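The injected element the article describes is an iframe that is both invisible and points off-site. The following is an added example (not code from the article or from ScanSafe) of a check a site owner can run over their own pages to flag that pattern; the sample HTML and the `redirector.invalid` host are constructed placeholders.

```python
"""Flag invisible, off-site iframes of the kind injected by mass SQL attacks.

An iframe is reported when its src host is not the page's own host AND it is
hidden: zero width/height, display:none, visibility:hidden, or positioned far
off-screen. Legitimate, visible embeds and same-site frames are left alone.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ZERO_LEN = re.compile(r"^\s*0+(\.0+)?\s*(px)?\s*$")          # "0", "00", "0px", "0.0"
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(width|height)\s*:\s*0+(\.0+)?(px)?\b|(left|top)\s*:\s*-\d{3,}",
    re.I,
)


class IframeAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        # Same host or a subdomain of it is treated as first-party.
        if host and host != self.page_host and not host.endswith("." + self.page_host):
            reasons.append("off-site src")
        if ZERO_LEN.match(a.get("width", "x")) or ZERO_LEN.match(a.get("height", "x")):
            reasons.append("zero size")
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        # Only off-site AND hidden is suspicious enough to report.
        if "off-site src" in reasons and len(reasons) > 1:
            self.findings.append({"src": src, "reasons": reasons})


def find_hidden_iframes(html, page_host):
    """Return a list of suspicious iframes found in `html` served from `page_host`."""
    p = IframeAuditor(page_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page: one legitimate visible embed, one injected invisible iframe.
SAMPLE = """
<html><body>
<h1>Example site</h1>
<iframe src="https://www.example.org/video" width="640" height="360"></iframe>
<iframe src="http://redirector.invalid/in.php" width=0 height=0 style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE, "www.example.org"):
        print(finding)
```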

At the moment, about two percent of the requests ScanSafe sees are for sites infected by the malicious link, an indication the threat is significant, Landesman said.

SQL injection attacks prey on web applications that fail to adequately inspect user supplied input before passing it off to a webserver’s backend database. They are a favorite way of adding malicious links and content to third-party websites and were also the chink that allowed Albert Gonzalez and other hackers the toehold they needed to steal more than 130 million credit card numbers from card processor Heartland Payment Systems and four other companies.

The fingerprints on this latest attack lead Landesman to believe the perpetrators are new to the SQL injection game. More sophisticated mass attacks using the method, such as the Gumblar infection, inject unique, dynamically-generated links that prevent researchers from being able to locate them using web searches.

Gumblar also uploads exploits directly to infected sites, which greatly complicates white hat efforts to clean up the mess. Rather than shutting down a single site that’s hosting the malware, thousands of mom and pop sites must be disinfected one at a time.

“I’m not convinced SQL injection is the method they’re most accustomed to,” Landesman said of the gang behind the most recent mass infection. “It’s almost as if they’re a seasoned attacker but this is their first foray into managing a wide-scale web attack.”

theregister.co.uk

Microsoft steps into free AV market

October 9th, 2009

Microsoft’s release of its free Security Essentials product this week sparked the expected barrage of views and opinions from all angles, from those hailing the release as the end of the AV industry to those slating the free product as inadequate and pointless.

The new release is designed as a pared-down, free-for-all replacement for the now defunct OneCare, and is intended to mitigate the global malware epidemic by providing protection to those least likely to have a solution in place. Users on lower incomes and in developing nations are hoped to be among those taking advantage of the free product, and its introduction should, its makers claim, reduce the number of infected systems pumping out spam and malicious attacks around the world. It is also hoped that the release will reduce the danger of ‘rogue AV’ scareware, which targets unprotected users in its attempts to con victims into installing its paid-for software, a threat currently rife on the internet.

While many have suggested that the appearance of Security Essentials on the scene may herald the demise of existing free-for-home-use solutions from the likes of AVG, Alwil (avast!), and Avira (AntiVir), and indeed the rest of the AV industry, others have pointed out the likelihood of healthy competition in the free AV market bringing increasing sophistication to these free products, while also encouraging those who have tried out free solutions to move up to more complete, full-featured products.

The suggestion that it will provide protection for the downtrodden masses has been countered with the argument that those with the urge to install free security have had plenty of options for some time, while those in less developed states, who are likely to be a major part of the botnet problem, are also likely to be running unofficial, unvalidated copies of Windows, which are not supported by the new Microsoft protection offering.

Initial reviews of the product have been generally favourable, with praise for its simple, pared-down design and usability, unobtrusive system impact and decent detection levels. The fact that the product shares a core engine and detection with Microsoft’s corporate Forefront product – which has shown steady improvement in independent tests in recent years as Microsoft continues to invest in its security lines – bodes well for the product’s static detection abilities.

However, some commentators have criticised the apparent absence of advanced features such as dynamic detection, with one Symantec representative describing the solution as ‘behind the times’ after a set of test results showed Norton providing superior protection. Microsoft responded by insisting the product does include some sophisticated behavioural monitoring and reputation-based technology, and suggested that the solution is only intended as a component in an in-depth, multi-layer security regime.

“It seems unlikely that this release will revolutionise the security world the way some people have been suggesting,” said John Hawes, Technical Consultant at Virus Bulletin. “People aren’t going to stop investing in quality security suites with firewalls, intrusion prevention, spam filters and parental controls just because there’s another free bare-bones product available. However, with Microsoft’s marketing weight behind it, it should hopefully find its way onto some of those untold millions of unprotected systems out there – it should provide decent protection for them and stop their systems spamming and attacking the rest of us. If Microsoft change their mind about not letting it run on pirated copies of Windows, it would make an even bigger difference.”

Reported on Virus Bulletin

Email-stealing worm slithers across LiveJournal

September 26th, 2009

LiveJournal’s security team has disabled some media features on the blogging site after a quick-spreading worm stole user email addresses and caused entries designated as private to be available to everyone.

The self-propagating exploit spread to users who were logged in and did nothing more than view a LiveJournal posting that was already infected. Affected account holders had their email addresses stolen and found that their privacy settings were lowered so that posts that may have been restricted were generally available. The worm then embedded code into infected accounts that attacked other LiveJournal users.

“What occurred today caused a limited but serious privacy breach, so we are making this post in order to inform you of the issue, what actions this exploit performed, and how to know if you have been affected,” LiveJournal staff members wrote in a posting that was commendable for the level of transparency and detail it provided.

Passwords, authentication cookies, and other sensitive data were not intercepted. End users’ computers were also left unharmed.

The worm spread through malicious Adobe Flash media files that used “cross-domain scripting” to make the unauthorized account changes. The attack, which lasted for about two hours, was halted on Tuesday at about 8:50 pm California time by disabling the embedding of all video and audio. Since then, staffers have re-enabled content from YouTube and RuTube and plan to expand the list in the coming days.

“It does sound like a worm, and it probably could have been a lot worse,” said Mike Bailey, a web application security expert who is a senior researcher at Foreground Security. “I’m fairly impressed that it was found and stopped as quickly as it was.”

He added that based on this description of the exploit code, it appeared it was allowed to run wild because a parameter known as “allowScriptAccess” was set on the LiveJournal website. It appeared the setting allowed the malicious Flash file to execute javascript with the privileges of the LiveJournal page, something that should never happen on sites that accept user content.

The exploit harkens back to the so-called Samy Worm, which in 2005 knocked MySpace out of commission after it added a million users to the creator’s friends page.

Given the ability of the LiveJournal worm to quickly spread and surreptitiously steal email addresses, it’s surprising its authors didn’t direct it to do more.

“Which begs the question, was this PoC [proof of concept] or actively malicious?” Jeremiah Grossman, CTO of WhiteHat Security observed. “Or somewhere in between.”

The LiveJournal posting speculated that fewer than 100 entries were found to embed the malicious Flash file, but it cautioned the number of infected users was probably higher. Based on the number of users who responded that they were hit by the attack, that appeared to be the case.

Source: http://www.theregister.co.uk/2009/09/23/livejournal_email_stealing_worm/

JS/RenWish

August 26th, 2009

Overview -

– Update August 26, 2009 –
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/08/25/pink_floyd_worm/

JS/RenWish is a detection for malicious javascript that is executed by clicking a crafted Macromedia Flash file. As the website being communicated is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered – possibly with every user infection.

Characteristics -

The malicious javascript is executed as part of clicking a specially crafted Macromedia Flash file. This Flash file is detected as W32/RenWish.

The Macromedia Flash file is being circulated through the Chinese social networking site Renren.com. Propagation is occurring due to a cross-site scripting flaw within the web site that does not allow script blocking. This is exhibited in the playswf function via ‘allowScriptAccess="always"’.
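Both the LiveJournal worm above and this Renren worm depended on a site serving user-supplied Flash with allowScriptAccess set to always, which lets the SWF run JavaScript in the hosting page's origin. As an added example (not LiveJournal's, Renren's or McAfee's code), the sanitizer below rewrites user-submitted markup so every Flash `<embed>` and `<object>` carries allowScriptAccess="never" (or "sameDomain" for SWFs the site hosts itself); the sample markup and the `upload.invalid` host are constructed.

```python
"""Pin allowScriptAccess on user-supplied Flash embeds before publishing them.

Flash Player defaults allowScriptAccess to sameDomain when it is absent, so an
<object> without an explicit <param> gets one added. Returns the rewritten
markup and the number of attributes/params changed or added.
"""
from html import escape
from html.parser import HTMLParser


class FlashEmbedRewriter(HTMLParser):
    def __init__(self, forced="never"):
        super().__init__(convert_charrefs=False)
        self.forced = forced.lower()
        self.out, self.fixed = [], 0
        self.in_object = self.object_had_param = False

    def _attrs(self, attrs):
        return "".join(f' {k}="{escape(v, quote=True)}"' for k, v in attrs)

    def _pin_embed(self, attrs):
        a = dict(attrs)
        if a.get("allowscriptaccess", "").lower() != self.forced:   # Flash compares case-insensitively
            attrs = [(k, v) for k, v in attrs if k != "allowscriptaccess"]
            attrs.append(("allowscriptaccess", self.forced))
            self.fixed += 1
        return attrs

    def handle_starttag(self, tag, attrs, selfclose=False):
        attrs = [(k, v if v is not None else "") for k, v in attrs]  # names already lowercased
        if tag == "embed":
            attrs = self._pin_embed(attrs)
        elif tag == "object":
            self.in_object, self.object_had_param = True, False
        elif tag == "param" and self.in_object:
            a = dict(attrs)
            if a.get("name", "").lower() == "allowscriptaccess":
                self.object_had_param = True
                if a.get("value", "").lower() != self.forced:
                    attrs = [(k, self.forced if k == "value" else v) for k, v in attrs]
                    self.fixed += 1
        self.out.append(f"<{tag}{self._attrs(attrs)}{' /' if selfclose else ''}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs, selfclose=True)

    def handle_endtag(self, tag):
        if tag == "object":
            if self.in_object and not self.object_had_param:
                self.out.append(f'<param name="allowScriptAccess" value="{self.forced}">')
                self.fixed += 1
            self.in_object = False
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize_flash(html, forced="never"):
    r = FlashEmbedRewriter(forced)
    r.feed(html)
    r.close()
    return "".join(r.out), r.fixed


# Constructed user submission: a Pink Floyd "video" embed asking for full script access.
SAMPLE = ('<p>Wish You Were Here</p>'
          '<embed src="http://upload.invalid/wish.swf" allowScriptAccess="always" type="application/x-shockwave-flash">'
          '<object data="wish.swf"><param name="allowScriptAccess" value="always"></object>')

if __name__ == "__main__":
    print(sanitize_flash(SAMPLE))
```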

Upon execution of the javascript file, ‘friends’ information will be harvested and it will share the message with them.

Communication may be made with the following domains:

  • [removed]img.cn
  • [removed]ou.com

Symptoms -

  • Presence of the aforementioned files
  • Presence of unexpected network connections

Method of Infection -

Users of the social network site renren.com receive messages on their profile that purports to be a Macromedia Flash video of Pink Floyd’s “Wish You Were Here”. Clicking the Macromedia Flash file will access this external Javascript malware.

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Source : http://vil.nai.com

How to remove Home Antivirus 2010 rogue anti-spyware

August 6th, 2009

Home Antivirus 2010 is a new software menace that puts the compromised computer at great risk of performance deterioration and privacy invasion. Home Antivirus 2010 has taken over from its forerunner, Home Antivirus 2009, which we described previously. Home Antivirus 2010 usually installs with the aid of trojans that exploit security holes in the compromised system. When the Home Antivirus 2010 impostor intrudes on the PC, it configures the operating system to execute its unregistered version each time the computer is booted. Once launched, Home Antivirus 2010 issues exaggerated alerts that claim you have malware on board. Home Antivirus 2010 may also redirect you to its malicious website Home-antivirus-2010.com or display phony scanners that likewise report some bad stuff inside your machine. The good news is that you don’t actually have the infections reported by Home Antivirus 2010. The bad news is that a rogue anti-spyware of high severity is in your system, so you’d better take adequate measures to get rid of it. If ignored, Home Antivirus 2010 will keep playing havoc with your computer until it either gets you to purchase its license or your system is disrupted by its malicious “endeavors”. Please use the guide below to learn how to accurately detect and eliminate the Home Antivirus 2010 rogue anti-spyware.

How to remove Home Antivirus 2010 and affiliated threats manually:
Manual removal of Home Antivirus 2010 is a feasible objective if you have sufficient expertise in dealing with program files, processes, .dll files and registry entries.

The files to be deleted are listed below:

  • %Program Files%\HomeAntivirus2010
  • %Program Files%\HomeAntivirus2010\HomeAntivirus2010.exe
  • %Program Files%\HomeAntivirus2010\htmlayout.dll
  • %WINDOWS%\system32\cepapyx.com
  • %WINDOWS%\syromeni.bat
  • %Program Files%\Common Files\ywukynota.com
  • %Program Files%\Common Files\vivifabyx.dll
  • %Documents and Settings%\All Users\Application Data\ciqudehyri.dll
  • %WINDOWS%\system32\_scui.cpl

The registry entries that need to be removed are as follows:

  • HKEY_CURRENT_USER\Control Panel\don’t load\scui.cpl
  • HKEY_CURRENT_USER\Control Panel\don’t load\wscui.cpl
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Home Antivirus 2010

Please be aware that manual removal of Home Antivirus 2010 is a cumbersome process and does not always ensure complete deletion of the malware, because some files might be hidden or may be recreated automatically afterwards. Moreover, manual interference of this kind may cause damage to the system. That’s why we strongly recommend automatic removal of Home Antivirus 2010, which saves time, avoids system malfunctions and guarantees the needed result.


Source : http://remove-malware.net/how-to-remove-home-antivirus-2010-rogue-anti-spyware/

PC Tools AntiVirus Free Edition

May 19th, 2009

PC Tools AntiVirus Free Edition protects you against the most nefarious cyber-threats attempting to gain access to your PC and personal details. Going online without protection against the latest fast-spreading viruses, worms and Trojans can result in infections within minutes. Once infected, the virus will usually attempt to spread itself to your friends, family and associates by accessing your e-mail contacts and networked PCs. The infection may also allow hackers to access files on your PC, use it to launch attacks against other computers and Websites or to send mass spam email. That’s why PC Tools AntiVirus Free Edition provides protection, with rapid database updates, IntelliGuard real-time file, Internet & e-mail protection and comprehensive system scanning to ensure your system remains safe and virus free. Version 5 features new improved scan engine, smaller memory footprint, and much improved system performance.

Download it here

Cybercrooks target over a billion users

May 8th, 2009

The rapidly increasing interaction of consumers with social online networks, mobile phones and other intelligent devices has brought about significant lifestyle benefits that are under a serious threat from cybercriminals according to an international virus analyst. Addressing the audience of Kuwait’s ICT Security Forum, Stefan Tanase, Malware Analyst, EEMEA Research Center, Kaspersky Lab Global Research and Analysis Team, said that in 2009 social networking sites will be used by around 80 per cent of all Internet users, the equivalent of more than one billion people.

“The growing popularity of social networking sites has not gone unnoticed by cybercriminals; last year, such sites became a hotbed of malware and spam and yet another source of illegal earnings on the Internet. The Kaspersky Lab collection contained more than 43,000 malicious files relating to social networking sites in 2008 alone,” said Tanase.
“Malicious code distributed via social networking sites is 10 times more effective than malware spread via email. Social networks have approximately a 10 per cent success rate in terms of infection compared to less than 1 per cent for malware spread via email,” he said. Stolen names and passwords belonging to the users of social networking sites can be used to send links to infected sites, spam or fraudulent messages such as a seemingly innocent request for an urgent money transfer.

“Generally, users of social networking sites trust other users and accept messages sent by someone on their friends list without thinking; this makes it easy for cybercriminals to use such messages to spread links to infected sites. Various means are used to encourage the recipient to follow the link contained in the message and download a malicious program.”
According to the Kaspersky Lab expert, major Web 2.0 platforms such as Facebook or Twitter are highly vulnerable to malware attacks and end-users need to be aware of the risks and be ready to take precautionary measures to protect themselves.
During his presentation, Tanase also highlighted the rapid spread of mobile phone hacking.
“In the last week alone we found five new Trojans which send such money transfer requests without the permission or knowledge of the phone’s owner. The goal is to transfer large quantities of small sums in the hope that while individual users might not notice the leak, the overall sum of transfers will be significant.
“There is a rise of the number of attacks targeting mobile phones and a more clear shift towards methods for monetization of these attacks.”

::ArabTimes::

Symantec Acquires Mi5 Networks, Offers Web Security Suites

April 24th, 2009

Symantec (NSDQ:SYMC) said it has acquired Web security company Mi5 Networks, aiming to integrate Web gateway technology into an array of security suites for both small businesses and enterprises that it also announced Tuesday. The Mi5 acquisition allows Symantec to integrate streaming technology that closely inspects both inbound and outbound traffic, company executives said. Meanwhile, the purchase also fills a valuable niche in Symantec’s product portfolio, adding specialized capabilities that protect against increasingly sophisticated Web-based malware.

“Today what we’re seeing is the next generation of malware that comes over Web sites and through HTTP traffic. What Mi5 gives to us is next-generation Web security protection,” said Francis deSouza, Symantec senior vice president for the Enterprise Security Group.

Symantec intends to incorporate Mi5’s Web gateway technologies into its e-mail gateway and endpoint security products in an effort to enhance suites that provide multipronged protection against sophisticated Web-based malware, deSouza said. Down the road, Mi5’s gateway technology will be incorporated in broader suites that integrate DLP and messaging security, deSouza said.

For channel partners, the acquisition provides one more set of capabilities that they can add to their overall portfolio of offerings that address current high-profile malware attacks, such as the Conficker worm. The additional gateway technologies are especially attractive for SMB customers, who have to deal with the same malware threats as the enterprise but with less dedicated staff and fewer financial resources, executives say.

“Conficker was a pretty big virus problem. And the cost of being hit is a big cost,” deSouza said. “Mi5 allows the channel to demonstrate to their customers that they are on top of these emerging threats.”

The hallmark of Symantec’s acquisition is a plethora of new Protection Suites incorporating Web security technology aimed at both the SMBs and enterprises. Symantec’s Protection Suite Small Business Edition offers protection for SMBs’ sensitive information by identifying and addressing malware and spam risks. The new suite also touts ease of use, fast performance and minimal deployment and installation time.

Symantec Protection Suite Enterprise Edition integrates Mi5’s Web gateway technology with Symantec’s endpoint and messaging security and system recovery technologies, incorporating multiple layers of protection designed to identify and remediate risks. The enterprise-class suite also incorporates endpoint security with backup and recovery capabilities, in the event of a disaster or system failure.

Symantec also launched its Endpoint Protection Small Business Edition, which offers comprehensive endpoint protection but includes built-in tools geared for SMBs, such as preconfigured notifications, installation wizard and a streamlined user interface, aimed at simplifying deployment.

Symantec executives say that the acquisition and the resulting focus on SMB protection is in direct response to increased demand from lower market customers who are requiring more sophisticated security infrastructure and data protection capabilities in order to stay competitive.

“We’re continuing to see that there is a growth in the demand from small businesses around more sophisticated security,” deSouza said. “They’re using it as a competitive differentiator to protect not just themselves but the data they have access to as part of the way they do business.”

Meanwhile, deSouza said that he had seen a broader trend expanding across all market segments for comprehensive security suites, which are less complex, require less IT staff and provide a wider breadth of functionality for customers’ security dollars.

“There’s a big drive across small business and large enterprises to say, ‘We want fewer but bigger security products that address the threats more holistically,’” deSouza said. “Companies are taking a very hard look at all of the security products they’ve deployed and are saying, ‘Look, do we really need all of these?’ ”

reported on channelweb