Monday, May 3, 2010

FW: NEWSBANK :: XSS Vulnerabilities Happen To Everybody


-------------------------------------------
From: Juan Castro (SAL-LA)
Sent: Tuesday, May 04, 2010 2:43:40 PM
To: Newsbank
Subject: NEWSBANK :: XSS Vulnerabilities Happen To Everybody
Auto forwarded by a Rule


XSS Vulnerabilities Happen To Everybody

Cross-site scripting flaw found in UK's Cybersecurity Challenge site

May 03, 2010 | 05:49 PM

By Tim Wilson
DarkReading

You would think that of all people, the developers of the U.K.'s Cybersecurity Challenge website would be the most scrupulous about finding security vulnerabilities before they happen. But according to researchers, cross-site scripting (XSS) flaws happen to them, too.

According to a report on the Netcraft security site, an XSS vulnerability was uncovered on the Cyber Security Challenge UK website -- before the site had even been made ready for candidates to register.

The Cybersecurity Challenge was established by a management consortium of key figures in cybersecurity, and is designed to test the mettle of security professionals.

The simple coding error was demonstrated by James Wheare, according to the report. Wheare told Netcraft that he was prompted to look for the hole after reading a friend's tweet and noticed insufficient encoding in the page's tags.

Netcraft says it has informed the Cybersecurity Challenge about the flaw.

http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=224700547

 

 


 

Juan Pablo Castro | xSP, Latin America Region

Insurgentes Sur 688 P6, 03100 Mexico City, DF, Mexico

Office: +52.55.3067.6013 | Mobile: +52.1.55.1451.3437
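The DarkReading item above attributes the Cyber Security Challenge flaw to insufficient encoding of untrusted input in the page's tags. The following Python is an added illustration of that class of bug and is not code from the article or from the challenge site: it renders the same constructed template once without encoding and once with `html.escape`, then checks the output for tags the template never emitted. The template, the `PROBE` string and the tag names are all invented for the example.

```python
import html
import re

# Constructed template: a user-supplied name is echoed into a text node and an attribute.
def render_vulnerable(name: str) -> str:
    # Untrusted input is interpolated verbatim, so a quote or '<' in it can
    # close the attribute or open a new element: the encoding gap the article describes.
    return f'<p>Hello, {name}!</p><input name="q" value="{name}">'


def render_hardened(name: str) -> str:
    # html.escape(quote=True) encodes & < > " and ', which is sufficient for
    # HTML text and quoted attribute values (not for URL or script contexts).
    safe = html.escape(name, quote=True)
    return f'<p>Hello, {safe}!</p><input name="q" value="{safe}">'


# Matches the opening of any tag (including closing tags) and captures its name.
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)")


def injected_tags(rendered: str, allowed: frozenset) -> list:
    """Return the sorted set of tag names present in rendered HTML that the template did not emit."""
    return sorted({m.group(2).lower() for m in TAG_RE.finditer(rendered)} - allowed)


# Tags the constructed template legitimately produces.
ALLOWED = frozenset({"p", "input"})

# Constructed test value: breaks out of the attribute and inserts a harmless element.
PROBE = '"><b>injected</b>'

if __name__ == "__main__":
    print("vulnerable:", injected_tags(render_vulnerable(PROBE), ALLOWED))  # ['b']
    print("hardened:  ", injected_tags(render_hardened(PROBE), ALLOWED))    # []
```

The `injected_tags` check is the kind of assertion a template test suite can run over every view that echoes request data; it catches the text-node and attribute cases shown here, but output inside `<script>`, `href` or inline event handlers needs context-specific encoding that `html.escape` alone does not provide.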

 

FW: Malware Blog news pickups: April 24-30, 2010


-------------------------------------------
From: All of PH AV Technical Marketing
Sent: Tuesday, May 04, 2010 2:33:15 PM
To: Newsbank; Marketing Writers
Subject: Malware Blog news pickups: April 24-30, 2010
Auto forwarded by a Rule


Pageviews to blog posts picked up

Post                                                         24-Apr  25-Apr  26-Apr  27-Apr  28-Apr  29-Apr  30-Apr
Malware Blog (all posts)                                      2,201   3,109   2,975   4,389   3,247   3,252   3,165
KOOBFACE IP Taken Down, Gang Transfers Hosting to China          27      65      74      29       6       0       3
  by Jonell Baltazar
Fake IT Email Notification Spreads Malicious PDF                  -       -       -     162     194      90      51
  by Carolyn Guevarra
PDF Exploit Becomes a Little More Sophisticated                   -       -       -       -     155      69      29
  by Jovi Umawing

("-" = post not yet published on that day)

 

 

PDF Exploits Bloom in the Spring

PCMag.com, US – Apr 30

The TrendLabs Malware Blog describes a PDF that it found, which exploits two different patched vulnerabilities. If you are running current Adobe software, you are not vulnerable. But if you do get exploited, the PDF decodes an embedded XML file containing a malicious TIFF file.

(also linked to Virus Encyclopedia article: Adobe TIFF File Vulnerability)

 

Continuing the Story of Malicious PDFs: Fake IT Notifications

Pc1news.com, US – Apr 29

"When executed, this .PDF file creates the script batscript.vbs, which drops and executes a worm component named game.exe. The worm component also carries the rootkit file bp.sys to possibly hide its malicious routines and to prevent itself from being discovered by the user," Trend Micro experts note.

(also linked to Virus Encyclopedia article: TROJ_PIDIEF.ZAC)

 

Botnet Server Escapes to China

The New Internet, US – Apr 24

“When a botnet server is taken down, botnet owners tend to avail of bulletproof hosting services or the services of hosting companies that are hard to take down, which not only means business as usual for cybercriminals but also means they are shoring up their ‘defenses,’” writes a researcher at TrendLabs.


 

FW: NEWSBANK :: Hacked US Treasury websites serve visitors malware


-------------------------------------------
From: Juan Castro (SAL-LA)
Sent: Tuesday, May 04, 2010 2:28:52 PM
To: Newsbank
Subject: NEWSBANK :: Hacked US Treasury websites serve visitors malware
Auto forwarded by a Rule


The Register®


Original URL: http://www.theregister.co.uk/2010/05/03/treasury_websites_attack/

Hacked US Treasury websites serve visitors malware

Lights on, no one home

Updated: Websites operated by the US Treasury Department are redirecting visitors to websites that attempt to install malware on their PCs, a security researcher warned on Monday.

The infection buries an invisible iframe in bep.treas.gov, moneyfactory.gov, and bep.gov that invokes malicious scripts from grepad.com, Roger Thompson, chief research officer of AVG Technologies, told The Register. The code was discovered late Sunday night and was active at time of writing, about 12 hours later.

To cover their tracks, the miscreants behind the compromise tailored it so it attacks only IP addresses that haven't already visited the Treasury websites. That makes it harder for white-hat hackers and law enforcement agents to track the exploit. Indeed, Thompson initially reported that the problem had been fixed until he discovered the sites were merely skipping over laboratory PCs that had already encountered the attack.

The attack is most likely related to mass infections that two weeks ago hit hundreds of sites hosted by Network Solutions (http://www.theregister.co.uk/2010/04/19/network_solutions_mass_hack/) and GoDaddy, said Dean De Beer, founder and CTO of security consultancy Zero(day) Solutions.

He made that assessment based on the observation that the compromised Treasury websites are hosted at Network Solutions and the owner of grepad.com is also the owner of record for most of the websites used in the earlier attacks.

"There's a very high probability that it's the same person," De Beer said. "The only things that are changing are the domains."

Earlier, Thompson speculated the attack might be the result of someone exploiting a SQL injection vulnerability on the Treasury websites. After investigating that possibility, De Beer said it was unlikely because the hacked Treasury sites contained static HTML pages that aren't susceptible to such exploits.

Media representatives at the Treasury Department didn't return a phone call seeking comment. ®

This posting was updated to include details linking the attacks to similar mass compromises that hit sites hosted by Network Solutions and GoDaddy.

 

 


 

Juan Pablo Castro | xSP, Latin America Region

Insurgentes Sur 688 P6, 03100 Mexico City, DF, Mexico

Office: +52.55.3067.6013 | Mobile: +52.1.55.1451.3437
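The Register story above describes the compromise as an invisible iframe planted in otherwise static HTML pages that pulls script from a third-party domain. As an added example (not from the article, AVG or Zero(day) Solutions), the Python below scans a page for iframes that are both hidden and point off-site, the signature a web-integrity monitor would look for. The sample HTML, the `malicious.example` host and the page host are constructed for the example; the hidden-style heuristics are the author's own choice, not a published rule.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline styles that make an element invisible to the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attribute dictionaries of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # html.parser lowercases tag names
            self.iframes.append(dict(attrs))


def _is_tiny(value) -> bool:
    """True for width/height attributes of 0 or 1 (pixels or bare numbers)."""
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


def suspicious_iframes(page_html: str, page_host: str) -> list:
    """Return src URLs of iframes that are hidden AND load from a host outside page_host."""
    collector = IframeCollector()
    collector.feed(page_html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        hidden = bool(HIDDEN_STYLE.search(attrs.get("style") or "")) or (
            _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height"))
        )
        # Relative URLs and subdomains of the page host count as first-party.
        third_party = bool(host) and host != page_host and not host.endswith("." + page_host)
        if hidden and third_party:
            findings.append(src)
    return findings


# Constructed sample page: one legitimate embed and one injected, hidden, off-site frame.
SAMPLE_HTML = """<html><body>
<h1>Bureau of Engraving and Printing</h1>
<iframe src="https://www.bep.treas.gov/video.html" width="640" height="360"></iframe>
<iframe src="http://malicious.example/x.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(suspicious_iframes(SAMPLE_HTML, "bep.treas.gov"))  # ['http://malicious.example/x.html']
```

One operational caveat follows directly from the article: because the injected code served the redirect only to IP addresses that had not visited before, a monitor that re-fetches from the same address can see a clean page after the first request. Fetching from a fresh address, or comparing the served HTML against the copy in source control rather than against yesterday's fetch, avoids that blind spot.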

 

FW: NEWSBANK :: In Lieu of IPO, Security's Sophos Sold To Apax At $830M Valuation


-------------------------------------------
From: Juan Castro (SAL-LA)
Sent: Tuesday, May 04, 2010 2:12:44 PM
To: Newsbank
Subject: NEWSBANK :: In Lieu of IPO, Security's Sophos Sold To Apax At $830M Valuation
Auto forwarded by a Rule


In Lieu of IPO, Security's Sophos Sold To Apax At $830M Valuation

Sophos has sold a majority stake to private equity's Apax Partners. The deal values the British company at about $830M.

Sophos is an anti-virus software vendor that competes with Symantec and McAfee amongst others. Unlike its bigger US rivals, Sophos does not sell software for residential computer users, only companies. It specializes in small- and medium-sized businesses, but has some biggies, including GE, Tesco, Hilton and Toshiba.

Sophos pulled an IPO attempt from the London Stock Exchange at the end of 2007. Last year the company said that it planned to go public in the US in 2010, but apparently the reception it got from PE firms was better than what it felt on Wall Street.

Sophos was founded in the UK and has dual headquarters in London and Boston. Sophos claims to be the world's largest privately-held data security company, with 2010 revenues of $260M. The two co-founders of Sophos will make about $300M. Jan Hruska and Peter Lammer are selling a large part of their combined 60% of the company. They launched Sophos in 1985 after meeting as engineering students at Oxford University.

http://www.thealarmclock.com/mt/archives/2010/05/in_liu_of_ipo_s.html

 


 

Juan Pablo Castro | xSP, Latin America Region

Insurgentes Sur 688 P6, 03100 Mexico City, DF, Mexico

Office: +52.55.3067.6013 | Mobile: +52.1.55.1451.3437

 

FW: NEWSBANK :: Storm Worm 2: A view of its C&C


-------------------------------------------
From: Juan Castro (SAL-LA)
Sent: Tuesday, May 04, 2010 2:06:31 PM
To: Newsbank
Subject: NEWSBANK :: Storm Worm 2: A view of its C&C
Auto forwarded by a Rule


Storm Worm 2: A view of its C&C

News broke recently that there’s a new Storm Worm doing the rounds. Late last week a detailed analysis of the new Storm Worm malware variant was posted by The Honeynet Project at their website.

Based on the analysis I conducted over the weekend, this particular threat is indeed very similar to the old Storm Worm – with at least 67% of the code being the same – and the most notable difference being that the P2P functionality of the old version has been dropped from the new version. The command protocol is now reliant upon HTTP instead of simple TCP connections.

Now let’s go to the juicy stuff, analyzing the CnC.

From the malware samples I’ve obtained, I was able to extract two critical CnC’s. Let’s call them CnC Domain B and CnC Domain C. Based upon our historical data trove, Domain B is also being used for CnC by other malware families – while Domain C is only being utilized by the new Storm Worm variant – at least for now.

The other malware families that utilize Domain B for CnC also make use of Domain A. This other domain is not utilized by the new Storm Worm variant (at least it’s not present in the malware samples I have had the chance to analyze so far). Domain A is being utilized by another family of botnet malware. For a graphical representation, please see Figure 1 below.

http://blog.damballa.com/wp-content/uploads/2010/05/StormWorm2.jpg

Figure 1: C&C Relationships with other Malware Families

From the figure above, the lettered boxes show different malware families positioned within a timeline as to when we first uncovered them. The cloud represents the domains they utilize for CnC. So from here, a pattern is starting to emerge. It would appear that the botmaster’s campaign can be easily traced by overlapping CnC Domains.

In Dec 2009, a family of malware (Malware A) utilized Domain A as its CnC in an infection campaign. By the second month of 2010, multiple malware families materialized and utilized CnC Domain A together with a new CnC (Domain B). Then, by April 2010, the new Storm Worm variant was identified by security researchers and it utilized CnC Domain B, and no longer referenced Domain A for CnC. Instead it utilized a new CnC domain – CnC Domain C. If the pattern proves to be correct, we will see new malware families that will utilize CnC Domain C.

Another observation I’ve made is that there are multiple malware families – each of them probably with serial variants – utilizing a handful of CnC’s. This is obviously a continued source of headaches for anti-virus host-based solutions; not only in detection but also in clean up.

One important question to ask is “Will the new malware families used in future campaigns be detected by my AV host solution?”

The answer is, unfortunately, probably not. But one thing is certain: whatever malware families are used for the next few campaigns, the CnC domains will likely not change as much or as frequently as the malware variants themselves. Disrupting the CnC – the command tether linking the infected host and the botmaster together – is where you need to focus your protection nowadays.

http://blog.damballa.com/?p=683

 


 

Juan Pablo Castro | xSP, Latin America Region

Insurgentes Sur 688 P6, 03100 Mexico City, DF, Mexico

Office: +52.55.3067.6013 | Mobile: +52.1.55.1451.3437
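The Damballa post above reasons from Figure 1: families that appear at different times share CnC domains, so the shared domains link the campaigns and form the smaller, slower-changing set worth blocking. The Python below is an added example of that pivot and is not Damballa's code or data. It encodes the post's timeline (Malware A in Dec 2009 on Domain A; several families in Feb 2010 on Domains A and B; Storm Worm 2 in Apr 2010 on Domains B and C) as constructed observations with invented dates and placeholder `*.example` domain names, then derives the domain-to-family index, the overlap links between successive families, and the consolidated CnC blocklist.

```python
from collections import defaultdict
from datetime import date

# Constructed observations modelled on the post's Figure 1.
# (family name, date first seen, set of CnC domains it contacts)
OBSERVATIONS = [
    ("Malware A",    date(2009, 12, 1),  {"domain-a.example"}),
    ("Malware B1",   date(2010, 2, 1),   {"domain-a.example", "domain-b.example"}),
    ("Malware B2",   date(2010, 2, 15),  {"domain-a.example", "domain-b.example"}),
    ("Storm Worm 2", date(2010, 4, 1),   {"domain-b.example", "domain-c.example"}),
]


def domain_index(observations):
    """Map each CnC domain to the sorted list of families observed using it."""
    index = defaultdict(set)
    for family, _, domains in observations:
        for domain in domains:
            index[domain].add(family)
    return {domain: sorted(families) for domain, families in index.items()}


def campaign_links(observations):
    """For each family, in first-seen order, list the earlier families it shares a CnC domain with.

    A non-empty list means the family is attributable to the same infrastructure
    operator as its predecessors even if its binaries look unrelated.
    """
    ordered = sorted(observations, key=lambda obs: obs[1])
    links = {}
    for i, (family, _, domains) in enumerate(ordered):
        links[family] = sorted(prev for prev, _, prev_domains in ordered[:i] if domains & prev_domains)
    return links


def cnc_blocklist(observations):
    """Union of all CnC domains seen: the set the post recommends defending on."""
    return sorted(set().union(*(domains for _, _, domains in observations)))


if __name__ == "__main__":
    for family, shared in campaign_links(OBSERVATIONS).items():
        print(f"{family:12s} shares CnC with: {shared or 'nothing earlier'}")
    print("block:", cnc_blocklist(OBSERVATIONS))
```

Run against real sandbox or DNS-log output, the same three functions give the analyst the figure's conclusion mechanically: four families and several variants collapse to three domains, and a future family that resolves `domain-c.example` is linked to Storm Worm 2 before any signature for it exists.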

 

FW: NEWSBANK :: Internet Explorer Falls Below 60% Market Share


-------------------------------------------
From: Juan Castro (SAL-LA)
Sent: Tuesday, May 04, 2010 2:03:15 PM
To: Newsbank
Subject: NEWSBANK :: Internet Explorer Falls Below 60% Market Share
Auto forwarded by a Rule


Internet Explorer Falls Below 60% Market Share

By Wolfgang Gruener on 2nd May, 2010 

 


Microsoft’s Internet Explorer dropped to a historic market share low in April, according to Net Applications. The company estimated IE’s market share at 59.95% in April, which is about the range that was reached by Internet Explorer 4 more than 11 years ago in early 1999. The big winner was once again Google’s Chrome browser, which maintained a double-digit growth rate and is now more than 2 points ahead of Apple’s Safari browser, which it surpassed four months ago.

 

[Chart: Browser Update May 2010]

Since IE8’s launch in March of 2009, Microsoft has surrendered almost 9 points of market share, most of which was gobbled up by Google’s Chrome. According to Net Applications, Microsoft stood at 59.95% in April 2010, 0.69 points less than in the month before. Mozilla’s Firefox gained 0.07 points to 24.59%, which is near its all-time high of 24.72% that was recorded in November 2009.

Chrome had another impressive month with a gain of 0.6 points that boosted Google’s share to 6.73%, while Apple’s Safari inched up 0.06 points to 4.72% and Opera lost 0.07 points and was listed with an estimated share of 2.30%.

 

[Chart: Browser Update May 2010]


In comparison, StatCounter currently estimates IE’s market share at 51.42%, Firefox at 32.62%, Chrome at 8.82%, Safari at 4.27% and Opera at 1.99%. While NetApplications and StatCounter publish considerably different results for IE, Firefox and Chrome, both agree that IE is losing market share quickly and Google is gaining market share at a fast pace. StatCounter sees Firefox growing at this time, but NetApplications’ data suggests that Firefox’ market share is somewhat stable: Firefox’ market share has been within a range of 1% since August 2009.

So What is Microsoft’s Problem?

Simple (or not, depending on your view.) IE is not compelling enough. If we look at IE5, IE6, IE7 and IE8 data published by Net Applications (those browsers account for about 99.55% of IE’s total market share), we notice that IE8 gained 0.78 points of market share in April (and now stands at 27.91%), but IE7 lost 0.70 points (down to 13.08%) and IE6 lost 1.04 points (down to 18.67%). The positive side here is that IE8 and IE6 are still the world’s most popular browsers (according to Net Applications), but the data also reveals that IE8 can barely keep up with the users IE7 loses. In fact, it surrenders another full point for what IE6 loses.

Net Applications’ public data does not provide depth to determine which users are picked up by IE8 and which are not.

However, the data set indicates that Mozilla has a very loyal user base that reliably upgrades from one version to another as there is very little difference between the market share loss of Firefox 3.0x and 3.5x (4.04 points in April) and the market share gain of Firefox 3.6 (4.19 points in April). Apple’s Safari has become somewhat invisible in this dynamic market as there is very little movement in terms of market share. A share of 4.72% is a new record, but the addition of one full point has taken Apple 11 months.

In the same time frame, we have seen Google growing by almost 5 points. Google Chrome now stands at 6.73%, up 0.6 points from March and up from 1.79% in April 2009. Google has maintained a nearly double-digit growth rate in April (9.79%) and remains the fastest growing browser, both in terms of absolute and percentage numbers. Less than 7% market share is still far away from Mozilla and Microsoft, but Google has shown that it is serious about the browser market and both Mozilla and Microsoft should watch out. In the long term, this may turn into a battle between Google and Microsoft, as Mozilla is simply out-resourced.

Microsoft is much more vocal about its next-generation browser IE9 and its HTML5 capabilities. At least in terms of speed, it appears that IE9 is slightly faster than the current version of Firefox. However, IE9 may be 9-12 months away from a public release, which gives Mozilla enough time to react. And by 2011, the browser battle may have shifted already – as we are seeing many more mobile browsers entering the battlefield and gaining market share.

 

[Charts: Browser Update May 2010]

http://www.conceivablytech.com/796/science-research/internet-explorer-falls-below-60-market-share/

 

 


 

Juan Pablo Castro | xSP, Latin America Region

Insurgentes Sur 688 P6, 03100 Mexico City, DF, Mexico

Office: +52.55.3067.6013 | Mobile: +52.1.55.1451.3437

 

FW: NEWSBANK: Symantec Doubles Down On Encryption


-------------------------------------------
From: Fabian Romankewicz (GECS-DE-ENT)
Sent: Tuesday, May 04, 2010 1:51:26 PM
To: Newsbank
Subject: NEWSBANK: Symantec Doubles Down On Encryption
Auto forwarded by a Rule


Symantec Doubles Down On Encryption

Symantec says it's going to continue expanding its product line and it's asking partners to become more specialized. This week, Symantec revealed plans to purchase PGP for about $300 million in cash and GuardianEdge for about $70 million in cash.

Toothy new data protection laws are driving vendors to add encryption to their product lines, and Symantec's move is a response to earlier encryption deals from McAfee and other security market foes. What's ironic about the PGP deal is that McAfee bought the company back in 1997 and then sold it off five years later. If Symantec can successfully integrate PGP's technology, that's going to give Big Yellow something to crow about.

http://www.crn.com/it-channel/224700361