Attorneys for the University of Tennessee student accused of breaking into Alaska Governor Sarah Palin's email account have filed a small forest's worth of court documents in defense of the high-profile suspect. Among them is a motion to prohibit prosecutors from referring to their client as a hacker.
A former US sysadmin faces between six and 12 years behind bars after he admitted using his IT skills to carry out a series of burglaries, computer intrusions, and identity thefts.
17:54 Google Chrome vulnerable to data theft flaw
Google has seeded a new version of its Chrome browser to developers with fixes for a pair of security issues that could expose users to data theft.
The issue, rated as a “moderate” risk, could allow hackers to use HTML files to steal arbitrary files from a victim’s machine.
Details below:
r4188 and r4827 Address an issue with [...] >>>
The compromise is a great example of a mixed use of pure malicious domains in combination with compromised legitimate ones and purposely registered accounts at free web space providers, hosting the blackhat SEO content. However, digging deeper we expose the entire malicious doorways ecosystem pushing PDF exploits, banker malware and Zlob variants. The malicious attackers embedded links to their blackhat SEO farms advertising fake security software, and also a link to a traffic redirection doorway
The active and redirecting traff .asia (89.149.251.203) is currently serving a fake account-suspended notice - "This account has been suspended. Either the domain has been overused, or the reseller ran out of resources." - but is nonetheless redirecting us to antimalware09 .net. This particular traffic redirection doorway is actively redirecting us to a command and control server running a well-known web malware exploitation kit which is currently serving PDF exploits.
google-analyze .com/socket/index.php (216.195.59.77) from where we're redirected to google-analyze.com/tracker/load.php which is serving system.exe (Trojan-Spy.Win32.Zbot.ehk; Win32.TrojanSpy.Zbot.gen!C.5), and google-analyze .com/tracker/pdf.php (Exploit:Win32/Pdfjsc.G; Exploit.JS.Pdfka.w; Bloodhound.Exploit.196). Naturally, within the live exploit URLs there are multiple IFRAMEs redirecting us to more of this group's campaigns. google-analyze .com has multiple IFRAMEs pointing to google-analystic .net (209.160.67.56), yet another traffic redirection doorway further exposing their campaigns.
For instance, google-analystic .net/in.cgi?20 loads google-analystic.net/tea.php (209.160.67.56), while google-analystic .net/in.cgi?8 is redirecting to 91.203.93.61 /in.cgi?2, taking us to 91.203.93.61 /25/2/ where we deobfuscate the javascript leading us to the exact location of the PDF exploit - 91.203.93.61 /25/2/getfile.php?f=pdf. This is just for starters. google-analystic .net/in.cgi?9 redirects to mangust32 .cn/pod/index.php (218.93.202.102) where they serve load.exe (Backdoor:Win32/Koceg.gen!A) at mangust32 .cn/pod2/load.php and load.exe at mangust32 .cn/eto2/load.php. Moreover, google-analystic .net/in.cgi?10 leads us to mmcounter .com/in.cgi?id194 (94.102.50.130), a traffic management login which is no longer responding. The last IFRAME found within google-analystic points to busyhere .ru/in.cgi?pipka which redirects to beshragos .com/work/index.php (79.135.187.38) where, once we deobfuscate the script, we get to see the PDF exploit location beshragos.com /work/getfile.php?f=pdf.
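The post above writes its indicators in a defanged form (a space before the TLD, as in "traff .asia", or before the path, as in "beshragos.com /work"), with the resolved address in parentheses after the URL. As an added defensive example, which is not part of the original post, the following Python script refangs that notation, extracts host/path/IP triples in reading order, and turns them into a deduplicated domain and IP blocklist. The sample text is constructed from indicator fragments quoted in the post; the regular expressions, the file-extension filter and the helper names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: indicator fragments copied from the post above,
# keeping its defanging style ("traff .asia", "beshragos.com /work").
SAMPLE = """
traff .asia (89.149.251.203) is redirecting us to antimalware09 .net.
google-analyze .com/socket/index.php (216.195.59.77) from where we're redirected to google-analyze.com/tracker/load.php
google-analystic .net/in.cgi?8 is redirecting to 91.203.93.61 /in.cgi?2 taking us to 91.203.93.61 /25/2/getfile.php?f=pdf.
mangust32 .cn/pod/index.php (218.93.202.102)
beshragos .com/work/index.php (79.135.187.38) and beshragos.com /work/getfile.php?f=pdf
"""

IP_RE = r"(?:\d{1,3}\.){3}\d{1,3}"
HOST_RE = r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}"
INDICATOR_RE = re.compile(rf"\b({IP_RE}|{HOST_RE})(/[^\s()]*)?", re.IGNORECASE)
IP_ONLY = re.compile(rf"^{IP_RE}$")
# File names such as "system.exe" or "pdf.php" look like hostnames to HOST_RE;
# this assumed list of common extensions filters them out.
NOT_TLDS = {"php", "exe", "html", "htm", "js", "pdf", "cgi", "txt", "dll"}


@dataclass(frozen=True)
class Indicator:
    host: str           # domain or dotted-quad as written in the post
    path: str           # URL path, "" when only a host was given
    ip: Optional[str]   # address the post gives in parentheses after the URL, if any


def refang(text: str) -> str:
    """Undo the post's defanging: 'traff .asia' -> 'traff.asia', 'x.com /p' -> 'x.com/p'."""
    text = re.sub(r"(?<=\S) \.(?=[a-z]{2,})", ".", text, flags=re.IGNORECASE)
    text = re.sub(r"(?<=[a-z0-9]) /(?=\S)", "/", text, flags=re.IGNORECASE)
    return text


def extract_indicators(text: str) -> List[Indicator]:
    """Pull hosts, paths and parenthesised IPs out of refanged prose, in reading order."""
    text = refang(text)
    found: List[Indicator] = []
    for m in INDICATOR_RE.finditer(text):
        host = m.group(1).lower()
        path = (m.group(2) or "").rstrip(".,;")
        is_ip = IP_ONLY.match(host) is not None
        if not is_ip and host.rsplit(".", 1)[1] in NOT_TLDS:
            continue
        # "(1.2.3.4)" directly after a URL is the post's way of noting where that host resolved.
        if is_ip and not path and m.start() > 0 and text[m.start() - 1] == "(" and found:
            prev = found[-1]
            found[-1] = Indicator(prev.host, prev.path, host)
            continue
        found.append(Indicator(host, path, None))
    return found


def resolved_hosts(indicators: List[Indicator]) -> Dict[str, Set[str]]:
    """Map each domain to the addresses the post associates with it."""
    out: Dict[str, Set[str]] = {}
    for ind in indicators:
        if ind.ip:
            out.setdefault(ind.host, set()).add(ind.ip)
    return out


def build_blocklist(indicators: List[Indicator]) -> Tuple[List[str], List[str]]:
    """Return (domains, ips) for a DNS sinkhole or firewall list, deduplicated and sorted."""
    domains: Set[str] = set()
    ips: Set[str] = set()
    for ind in indicators:
        (ips if IP_ONLY.match(ind.host) else domains).add(ind.host)
        if ind.ip:
            ips.add(ind.ip)
    return sorted(domains), sorted(ips)


if __name__ == "__main__":
    inds = extract_indicators(SAMPLE)
    for ind in inds:
        print(f"{ind.host:22} {ind.path:28} {ind.ip or '-'}")
    domains, ips = build_blocklist(inds)
    print("block domains:", ", ".join(domains))
    print("block ips:    ", ", ".join(ips))
```

The two refang rules exist because the post is inconsistent about where it inserts the space; when applying this to other write-ups, check the detection names in parentheses (for example "Exploit.JS.Pdfka.w") against the extracted hosts, since a dotted malware family name will pass HOST_RE unless its last label is in the filter set.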
What's contributing to the increase of PDF exploits during the last month? It's an updated version of a web based malware exploitation tool, which despite the fact that it remains proprietary for the time being, will leak in the next couple of weeks causing the usual short-lived epidemic.
16:08 Dissecting the Latest Koobface Facebook Campaign
The latest Koobface malware campaign at Facebook is once again exposing a diverse ecosystem worth assessing in times of active migration to alternative ISPs tolerating or conveniently ignoring the malicious activities courtesy of their customers. The -- now removed -- binaries that the dropper was requesting were hosted at the American International Baseball Club in Vienna, indicating a compromise.
The dropper then phones back home to: f071108 .com/fb/first.php (79.132.211.50) with the binaries hosted at a legitimate site that's been compromised:
The development of cybercrime platforms utilizing legitimate infrastructure only has always been in the works. From spamming systems relying exclusively on automatically registered email accounts at free web based providers, to the automatic bulk registration of hundreds of thousands of domains enjoying a particular domain registrar's weak anti-abuse policies, it would be interesting to monitor whether marginal thinking or improved OPSEC relying on compromised hosts will be favored in 2009.
A US-based prescription processing and benefits firm has taken the unusual step of offering a $1m bounty for information that leads to the arrest and conviction of an unknown group which targeted it in a cyber-extortion scam.
11:51 Off the wire: Access remote network services with SSH tools
You probably rely on the services on your own private network -- wikis, mail servers, Web sites, and other applications you've installed. What happens when you have to leave the friendly confines of y... >>>
After a brief delay, the non-profit group that oversees the internet's address system has decided to proceed with plans to revoke the credentials of EstDomains, a domain name registrar with a reputation for catering to cyber criminals.
05:40 Firefox security makeover: 11 vulnerabilities, 4 critical
Mozilla has released a new version of its flagship Firefox browser to fix a total of 11 vulnerabilities that expose users to code execution, information stealing or denial-of-service attacks.
Four of the 11 flaws covered with the new Firefox 3.0.4 are rated “critical” because of the risk of code execution attacks via specially rigged Web pages.
The [...] >>>
02:12 $10k hacking contest announced
Israeli software developer Gizmox is challenging hackers to try hacking into the company’s Visual WebGui Platform, by offering a $10,000 incentive to those who manage to achieve the objectives of their contest launched at the beginning of the month. What’s particularly interesting about the contest is the fact that the company is running the contest [...] >>>
It's a tough security trade-off. Guests lose their hotel room keys, and the hotel staff needs to be accommodating. But at the same time, they can't be giving out hotel room keys to anyone claiming to have lost one. Generally, hotels ask to see some ID before giving out a replacement key and, if the guest doesn't have his wallet with him, have someone walk to the room with the key and check their ID.
This normally works pretty well, but there's a court case in Brisbane right now about a hotel giving a room key to someone who ended up sexually attacking the woman who had rented the room.
In civil action launched yesterday, the woman alleges the man was given the spare access key to her room by a hotel staffer.
The article doesn't say what kind of authentication the hotel requested or received.
00:57 A Diverse Portfolio of Fake Security Software - Part Thirteen
What is the difference between a reactive and proactive threat intel? A reactive threat intel is assessing a campaign, individual, a group of individuals, how they are related to one another, and what they have been doing in the past, based exclusively on a lead that's been found within the past couple of hours.
Try the very latest rogue security domains courtesy of three domainers (Fedor Ibragimov cndomainz@yahoo.com, Anton Golovayk gpdomains@yahoo.com and Ivan Durov idomains.admin@gmail.com) whose portfolios can always keep you updated about the latest releases of such popular software as The Best Antivirus Cleaner 2008.
It would be interesting to monitor whether or not the well known non-existent security software brands we've been monitoring throughout 2008 will be basically typosquatted in a 2009-like fashion, or whether they will simply introduce new brands. With their business model under pressure, I'm starting to see evidence of schemes involving the illegal advertisement of affiliate links to legitimate security software, where the cybercriminals are actual resellers of it. There's also no shortage of surreal situations, where a fake security software is taking advantage of blackhat SEO practices promising the removal of competing fake security software brands.
Last week, the noadware .net (69.20.71.82; 69.20.104.139) software was persistently advertised in such a way, mostly by generating WordPress accounts promising to remove competing software:
The day when fake security software sites start attracting traffic by promising to remove other fake security software, is the day when we have clear evidence that an ecosystem has emerged.
From an attacker's perspective, are remotely exploitable SQL injections, the insecure hosting provider's web interfaces, or the pragmatic possibility for data mining a botnet's accounting data for access to such portfolios the tactic of choice? In both of these propositions, the seller is citing vulnerabilities within the web hosting providers as an attack tactic.
The continuous supply of such access is, however, a great indicator of the upcoming development of this segment within the underground marketplace in 2009.
00:01 Google fixes critical XSS vulnerability
All your accounting data are not belong to us. Hours after a proof of concept example detailing an XSS vulnerability at Google’s account login page was posted at the XSS Project’s clearing house, the company quickly took notice and fixed it.
“Security researcher “Xylitol” is credited with the discovery of this critical bug. In this case, [...] >>>