10:24:00 AM
Troj/JSRedir-R Worse Than Conficker
MrMKWingzero
Gumblar, a new attack that compromises Web sites, has added new domain names that are downloading malware onto unsuspecting computers, stealing FTP credentials to compromise more sites, and tampering with Web traffic, a security firm said on Thursday.
The Gumblar attack started in March with Web sites being compromised and attack code hidden on them. The malware downloaded onto those sites came from the gumblar.cn domain, a Chinese domain associated with Russian and Latvian IP addresses that were delivering code from servers in the U.K., ScanSafe said last week.
As Web site operators cleaned up their sites, the attackers replaced the original malicious code with dynamically generated and obfuscated JavaScript, making it difficult for security tools to identify. Attackers also changed the domain to martuz.cn, but now both domains have been shut down, according to ScanSafe.
Because the attackers made changes to the configurations of the servers hosting compromised Web sites, they are able to keep controlling them and to add new domains that download exploit code onto the computers of visitors to those sites, Mary Landesman, a senior security researcher at ScanSafe, said on Friday. "At some point these attacks (on Web sites) will start again," she said.
Gumblar is building two botnets simultaneously--the botnet of compromised Web sites and a botnet of infected PCs, she said.
Visitors to those compromised sites, if they have JavaScript enabled, are then compromised and join the PC botnet, she said.
The malicious script that is downloaded onto the PCs from a gumblar domain attempts to load exploit code that does several things, according to Landesman. The code automatically opens PDF and Flash files and attempts to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player. It also injects itself into the Internet Explorer browser and starts intercepting all of the computer's Web traffic, replacing legitimate links in Google search results with links to sites the attackers want the user to visit, she said. Finally, the code steals FTP credentials stored on the computer that can be used to compromise additional Web sites the user may manage.
"It is targeting IE users and Google searches," Landesman said.
The malware targeting the PCs is coming from sites including liteautotop.cn and autobestwestern.cn, among others, according to ScanSafe.
Gumblar was responsible for 37 percent of all malware blocked by ScanSafe during the first two weeks in May and the number of sites compromised grew by more than 3,000 during that same time period, ScanSafe said. It's unclear how many Web sites total it has compromised, but Landesman said it could be in the "high tens of thousands."
The estimate for the number of individual PCs compromised by Gumblar is also a mystery, however that number is likely very high too given that antivirus software in general does a very poor job of detecting Gumblar malware, she said.
ScanSafe contends that Gumblar's behavior is more intrusive than Conficker's. Conficker is a worm that spreads via a Windows vulnerability (MS08-067), through removable storage devices, and over network shares with weak passwords; it also disables security software and installs fake antivirus software.
In addition, Gumblar has a propagation capability that Conficker lacks, ScanSafe said. Once a Conficker infection is remediated, there is no further spread of the worm. Gumblar, however, can use the FTP credentials it steals to compromise even more Web sites, potentially exposing many more victims.
To find out if a computer is infected:
1) Locate sqlsodbc.chm in the Windows system folder (by default under Windows XP this is C:\Windows\System32\);
2) Obtain the SHA-1 of the installed sqlsodbc.chm. FileAlyzer is a free tool that can be used to obtain the SHA-1 of a file;
3) Compare the obtained SHA-1 to the list located on the ScanSafe STAT Blog;
4) If the SHA-1 and corresponding file size do not match a pair on the reference list, this could be an indication of a Gumblar infection.
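The four steps above as a script, added here as an example and not taken from the CNET article or from ScanSafe. It assumes a Python interpreter on the machine (or that sqlsodbc.chm has been copied off for analysis) and a reference list that you fill in from the STAT blog; the single entry in REFERENCE is a constructed placeholder, not a real fingerprint. Note the rule from step 4: a file is only "clean" when both its SHA-1 and its size match the same reference pair.

```python
"""Gumblar host check: fingerprint sqlsodbc.chm and compare it to a reference list."""
import hashlib
import os
import sys

# Default location of the file on Windows XP (step 1 above).
DEFAULT_PATH = r"C:\Windows\System32\sqlsodbc.chm"

# Reference (sha1_hex, size_in_bytes) pairs for known-clean copies.
# CONSTRUCTED placeholder: replace with the pairs published on the ScanSafe
# STAT blog. The entry below is not a real sqlsodbc.chm fingerprint.
REFERENCE = {
    ("0000000000000000000000000000000000000000", 0),
}


def fingerprint(path):
    """Return (sha1_hex, size) of the file at `path`, hashing in 64 KiB chunks."""
    digest = hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size


def check_sqlsodbc(path, reference):
    """Classify the installed sqlsodbc.chm.

    Returns 'clean' only if the SHA-1 *and* the size match one reference
    pair (step 4 above). Any other hash/size combination is 'suspicious'.
    A file that does not exist is reported as 'missing' so the operator can
    decide what that means on this host rather than treating it as clean.
    """
    if not os.path.exists(path):
        return "missing"
    if fingerprint(path) in reference:
        return "clean"
    return "suspicious"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    verdict = check_sqlsodbc(target, REFERENCE)
    print(f"{target}: {verdict}")
    if verdict == "suspicious":
        print("SHA-1/size pair not on the reference list: possible Gumblar infection")
```

Run it as `python gumblar_check.py` on the suspect machine, or pass the path of a copied file as the first argument. Because the comparison is exact, a copy of sqlsodbc.chm from a legitimate but unlisted Windows build will also come back "suspicious"; that is the same caveat step 4 carries ("could be an indication"), so confirm with the full list before reimaging.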
The most effective way to remedy an infection is to do a full reformat and reinstallation, according to ScanSafe. Passwords or login details that were stored or used on infected machines should also be changed.
Source: cnet.com
9:59:00 AM
Secondhand BlackBerry In Nigeria
MrMKWingzero
A TV investigation found that used BlackBerry phones are selling briskly in Nigeria, for as little as $25 to $65 in the Lagos market.
The secondhand BlackBerrys reportedly come from the U.S., Europe and the UK. It is not clear whether they are genuinely used phones or stolen handsets that have been collected and shipped to African markets.
BlackBerrys are not the only phones on offer; other smartphones are available too, but the BlackBerry models sell most actively.
Nigeria itself has become notorious for Internet crime. Users in the West habitually store important data on their phones, and the worry is that this data can be stolen from a secondhand smartphone.
A survey of 600 London Underground users found that 16% store their banking details on their phone, and another 24% keep PIN numbers and passwords on it.
Business users face the same risk when they lose a smartphone, because corporate data is stored on the device.
Simon Steggles, director of the forensic data-recovery firm DiskLabs, said data on a phone is hard to erase because it is stored on memory chips; resetting the phone is not enough.
Smartphones such as the BlackBerry can hold a great deal of data, from web browser history to email.
Source: obengware.com
8:38:00 AM
New Variant of Downadup/Conficker
MrMKWingzero
Well, that was until last night, when we saw a new file (119,296 bytes) in the Windows Temp folder. Checking the file properties reveals that the file was created on April 7, 2009 at exactly 07:41:21.
Checking the traffic captures also shows that no HTTP download occurred around that time frame (April 7, 2009, 07:40:00 to 07:42:00). However, we noticed a huge encrypted TCP response (134,880 bytes) from a known Conficker P2P node (verified by other independent sources), hosted somewhere in Korea.
The size of the encrypted TCP blob pretty much matches the size of the binary that was created in the aforementioned folder. There are some additional bytes, which could be the headers and keys that Conficker/Downadup has been known to use.
Trend Micro now detects this new Conficker variant as WORM_DOWNAD.E. Some interesting things (at least from our perspective) we found are:
- (Un)Trigger date: May 3, 2009, when it will stop running
- Runs under a random file name and random service name
- Deletes the dropped component afterwards
- Propagates via MS08-067 to external IPs if the Internet is available; if there is no connection, it uses local IPs
- Opens port 5114 and serves as an HTTP server, advertising itself by broadcasting SSDP requests
- Checks Internet connectivity by accessing the following sites: myspace.com, msn.com, ebay.com, cnn.com, aol.com
It also does not leave a trace of itself on the host machine: it runs and then deletes all traces, no files, no registry entries, etc.
Another interesting thing we noticed was that the Downad/Conficker box was trying to access a known Waledac domain (goodnewsdigital(dot)com) and download yet another encrypted file. This happened just after the creation of the new Downad/Conficker binary described above (07:41:23):
Two things can be summed up from the events that transpired:
- As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, rather than HTTP. The Conficker/Downad P2P communications are now running in full swing!
- A Conficker-Waledac connection? Possible, but we still have to dig deeper into this...
Research and collaboration are ongoing in our own labs as well as within the Conficker Working Group, and we will update this blog post with new findings.
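The size-and-timing reasoning in the post above (no HTTP download in the window, but an encrypted TCP response slightly larger than the dropped file) can be made mechanical. The following is an added example, not Trend Micro's code: given flow records summarised from a capture plus the dropped file's creation time and size, it lists the inbound flows that could have delivered the file. The flow records, peer addresses and the file name are constructed for the example; only the 119,296-byte and 134,880-byte figures and the timestamps come from the post.

```python
"""Correlate a dropped-file event with inbound TCP flows (offline example)."""
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# CONSTRUCTED flow summary in the shape (end_time, direction, peer, bytes).
# The 134,880-byte inbound flow mirrors the figure quoted in the post; the
# peers are documentation addresses, not the real Korean P2P node.
FLOWS = [
    ("2009-04-07 07:39:12", "out", "203.0.113.77:80", 512),
    ("2009-04-07 07:40:55", "in", "203.0.113.9:41234", 134880),
    ("2009-04-07 07:41:10", "in", "198.51.100.2:80", 2048),
    ("2009-04-07 07:45:00", "in", "203.0.113.9:41234", 1200),
]

# CONSTRUCTED file event: (creation_time, path, size). The path is made up;
# the time and size are the ones the post reports.
FILE_EVENT = ("2009-04-07 07:41:21", r"C:\Windows\Temp\dropped.bin", 119296)


def candidate_flows(flows, file_event, window=timedelta(seconds=60), slack=0.25):
    """Return inbound flows that could have carried the dropped file.

    A flow qualifies when it ended within `window` before the file's
    creation time and its byte count is at least the file size but no more
    than (1 + slack) times it, leaving room for transport headers and the
    keys the post mentions. Each hit is (end_time, peer, bytes, extra_bytes).
    """
    created = datetime.strptime(file_event[0], TS_FORMAT)
    size = file_event[2]
    hits = []
    for end_time, direction, peer, nbytes in flows:
        if direction != "in":
            continue
        ended = datetime.strptime(end_time, TS_FORMAT)
        if not (created - window <= ended <= created):
            continue
        if size <= nbytes <= size * (1 + slack):
            hits.append((end_time, peer, nbytes, nbytes - size))
    return hits


if __name__ == "__main__":
    print(f"file {FILE_EVENT[1]} ({FILE_EVENT[2]} bytes) created {FILE_EVENT[0]}")
    for end_time, peer, nbytes, extra in candidate_flows(FLOWS, FILE_EVENT):
        print(f"  candidate: {end_time} from {peer}, {nbytes} bytes ({extra} extra)")
```

The `slack` bound is the judgement call: too tight and an encrypted or framed payload is missed, too loose and ordinary downloads in the window are flagged. On a real case the flow list comes from the capture (for example a `tshark` conversation summary), and a hit only narrows the search; the peer still has to be confirmed against known P2P nodes, as the post does.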
8:38:00 AM
Trojan.Winlock.19
MrMKWingzero
Another fraudulent trojan of Russian origin. Trojan.Winlock.19 uses the Russian language and spreads through codec downloads from the Internet. When a computer is infected, the system is locked.
Trojan.Winlock.19 was found on 8 April by the security company Dr.Web. It is a modified version of the original Trojan.Winlock.
The good news is that this variant removes itself: about two hours after it appears, the computer is usable again. So there is no need to panic if you are hit by Trojan.Winlock.19.
Translated by MKWingzero
8:34:00 AM
Downadup Conflicker.C
MrMKWingzero
The Downadup virus has been spreading rapidly since early February 2009; BitDefender provides a removal tool.
The Win32/Conficker.C worm is aimed at a large-scale attack on 1 April. As the third variant, Win32/Conficker.C can block some security websites, turn off Windows security components, and download files at random, redirecting the browser to particular sites.
Once Win32/Conficker.C is downloaded and accidentally activated on a computer, the worm copies itself under a random file name into the Windows System folder. It sometimes also drops files into the Program Files directory.
Win32/Conficker.C becomes active each time the computer is turned on, because it registers itself in the list of programs that run at startup.
A computer infected with Win32/Conficker.C immediately has steps taken against it such as disabling antivirus updates.
The worm disables the following Windows services:
* wscsvc - Security Center
* WinDefend - Windows Defender (Vista)
* wuauserv - Automatic Updates
* BITS - Background Intelligent Transfer Service
* ERSvc - Error Reporting Service
* WerSvc - Windows Error Reporting Service (Vista)
The worm also turns off System Restore; if your computer no longer has System Restore points, it may have been infected with Downadup.
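The service list above turned into a check: an added example, not code from the BitDefender post, that parses the output of `sc query state= all` and reports which of those six services are not running. The sample output is constructed in that command's format; on Windows the script runs `sc` itself, elsewhere it falls back to the sample so the parsing can be tried offline.

```python
"""Report the Windows services Downadup/Conficker stops, from `sc query` output."""
import re
import subprocess
import sys

# Services the worm disables (list above). The Vista-only ones (WinDefend,
# WerSvc) are reported as 'absent' on XP, which is normal there.
WORM_TARGETS = ["wscsvc", "WinDefend", "wuauserv", "BITS", "ERSvc", "WerSvc"]

# CONSTRUCTED sample in the layout `sc query state= all` prints on XP/Vista.
# Two of the targeted services are stopped, as they would be after infection.
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: BITS
DISPLAY_NAME: Background Intelligent Transfer Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: ERSvc
DISPLAY_NAME: Error Reporting Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
"""


def parse_sc_query(text):
    """Map SERVICE_NAME -> STATE word (RUNNING, STOPPED, ...) from sc output."""
    states = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*STATE\s*:\s*\d+\s+(\w+)", line)
        if m and current:
            states[current] = m.group(1)
    return states


def conficker_service_check(states, targets=WORM_TARGETS):
    """Return {service: state} for targeted services that are not RUNNING.

    Missing services are reported as 'absent' rather than dropped, so the
    operator can tell a Vista-only service on XP from one the worm deleted.
    """
    return {s: states.get(s, "absent") for s in targets if states.get(s) != "RUNNING"}


def get_sc_output():
    """Run `sc query state= all` on Windows; use the constructed sample elsewhere."""
    if sys.platform == "win32":
        return subprocess.run(["sc", "query", "state=", "all"],
                              capture_output=True, text=True, check=False).stdout
    return SAMPLE_SC_OUTPUT


if __name__ == "__main__":
    findings = conficker_service_check(parse_sc_query(get_sc_output()))
    for name, state in findings.items():
        print(f"{name}: {state}")
    if any(state == "STOPPED" for state in findings.values()):
        print("Security/update services stopped: consistent with a Downadup infection")
```

A stopped wuauserv or BITS on its own is weak evidence (an administrator may have done it), so treat this as one indicator alongside the blocked antivirus sites and the missing restore points mentioned on this page. Restarting the services without removing the worm is pointless; it stops them again at the next boot.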
Remove Downadup from infected computers
Downadup (or Conficker) is a network worm that takes advantage of vulnerabilities in Windows to spread. Its removal is complicated by the fact that it blocks many known antivirus software and associated websites.
BitDefender Labs has detected a new and more aggressive Downadup version. It spreads using a Windows RPC Server Service vulnerability and is called Win32.Worm.Downadup.Gen.
The new version is more resilient to disinfection. Once the system is compromised, the worm disables Windows Update and blocks access to most of the anti-virus websites in order to hinder the user to disinfect his machine.
BitDefender is the first to offer a free tool which disinfects all versions of Downadup. This domain is the first to serve a removal tool without being blocked by the e-threat.
The worm itself is not new: it first appeared in late November 2008, also known under the names Conficker or Kido, exploiting the vulnerability described in Microsoft security bulletin MS08-067. After successful exploitation it used to install rogue security software on the infected machine.
Download and run the tools provided below to rid your computer or network of this e-threat.
1. Single PC Removal Tool
Removes Downadup from a single PC
Download Now (.zip - 2.2MB)
2. Network Removal Tool
Removes Downadup from PCs in a Microsoft Network
Download Now (.exe - 13MB)
Download the manual for the Downadup removal tools (single PC and network) (.doc - 324.50 KB)
3. PCMAV Express (Indonesian antivirus by PCMAV)
Download (Ziddu)
Download (indowebster)
Download (4shared)
Instructions for using PCMAV Express:
- Make sure you are logged in with Administrator rights.
- Disable any installed antivirus so that it does not interfere with PCMAV Express.
- Make sure beforehand that the computer is disconnected from the network and the Internet for the duration of the scan.
- When the scan has finished, it is strongly recommended to restart and scan again (if necessary). Once the virus has been removed, update/patch Windows immediately; PCMAV Express can detect whether your computer has not yet been patched.
- Make sure that every PC connected to the network is also free of Conficker, and that the Administrator password on your PC is not easy to guess, because Conficker can break in by guessing the Administrator password from its built-in dictionary of common words. If the steps above are not followed properly, there is a good chance Conficker will come back, whichever antivirus you use.
8:30:00 AM
Files dropped by the virus:
autorun.inf
Microsoft.lnk
Desktop.ini
.lnk shortcuts such as Shortcut_New_Harry_potter .....lnk
Thumb.db
I tried deleting them after booting Slax Linux from a USB flash drive, and the virus files did not come back. Good luck and best wishes for success.
- Go to Run, type msconfig, and clear the check boxes for database.mdb and "Update Microsoft office update".
- Restart the computer.
- Extract the Yuyun (Microsoft.lnk virus) removal tool.
- Copy the Yuyun removal tool to every drive (D:, E:, F:, etc., or flash disk drives) except drive C: or whichever drive Windows is installed on, because running it on C: will delete program shortcuts.
This virus is really named Yayuk Cantix, but it is popularly called Microsoft.lnk. If your antivirus cannot detect the main trojan file, it will show "Yayuk Cantix" on your desktop. To clean this virus:
- Click Run on the Start menu, type gpedit.msc, go to User Configuration - Administrative Templates - System - "Prevent access to registry editing tools", right-click - Properties, and set it to Disabled. While you are still in gpedit, go to Run and enter regedit. Find the string "wscript.exe //e:VBScript" and delete it. Also search for "Yayuk Cantix"; if the string is found in a folder, delete that folder too.
- After that, go to Start - Search, search for *.lnk, and delete all the folder-like shortcuts (don't delete program shortcuts).
- Search for Thumb.db in My Computer, choose More Advanced Options, tick the option to search hidden files and folders, and delete it.
- Search for database.mdb in My Computer and delete it.
- Go to Run again, type msconfig, and clear the check boxes for database.mdb and "Update Microsoft office update".
- Restart the computer. It should be back to normal.
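The manual search steps above, and the warning that the removal tool deletes program shortcuts when run on C:, suggest a sweep that lists the worm's artefacts without touching anything. The script below is an added example and not the Yuyun removal tool or anything from the original posts. It walks a drive, reports files whose names match the list this page gives, and separately reports .lnk files whose contents reference the Windows Script Host invocation the removal steps tell you to delete from the registry (wscript.exe //e:VBScript) or the string "Yayuk Cantix"; legitimate shortcuts are left alone. The marker list and the treatment of .lnk string data as UTF-16LE are assumptions of this example.

```python
"""Sweep a drive for Yuyun / Yayuk Cantix ("Microsoft.lnk" worm) artefacts."""
import os
import sys

# File names the worm drops (from the list on this page). Compared
# case-insensitively because the posts spell them inconsistently.
DROPPED_NAMES = {"autorun.inf", "microsoft.lnk", "desktop.ini", "thumb.db", "database.mdb"}

# ASSUMED markers of a worm-created shortcut: the WSH command line the
# removal steps say to delete, plus the name the worm shows on the desktop.
MARKERS = [b"wscript", b"//e:vbscript", b"yayuk cantix"]


def _has_marker(data):
    """True if any marker appears in `data`, as ASCII or as UTF-16LE.

    .lnk string data (target path, arguments) is stored as UTF-16LE, so each
    marker is checked in both encodings. bytes.lower() only folds ASCII,
    which is exactly what is wanted for the interleaved NUL bytes.
    """
    low = data.lower()
    for marker in MARKERS:
        if marker in low or marker.decode("ascii").encode("utf-16-le") in low:
            return True
    return False


def sweep(root):
    """Return (dropped_files, suspicious_shortcuts) found under `root`.

    Desktop.ini and thumbnail caches also occur legitimately, so a name hit
    is something to review, not proof. A .lnk whose bytes reference wscript
    or //e:VBScript is far more specific and is the list worth acting on.
    """
    dropped, shortcuts = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in DROPPED_NAMES:
                dropped.append(path)
            if lower.endswith(".lnk"):
                try:
                    with open(path, "rb") as fh:
                        if _has_marker(fh.read(65536)):
                            shortcuts.append(path)
                except OSError:
                    pass  # unreadable file: skip rather than abort the sweep
    return dropped, shortcuts


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    dropped, shortcuts = sweep(target)
    print("dropped-name matches (review):")
    for p in dropped:
        print("  " + p)
    print("shortcuts invoking wscript/VBScript (remove):")
    for p in shortcuts:
        print("  " + p)
```

Run it against each drive letter (`python yuyun_sweep.py D:\`) before and after the cleanup to confirm nothing returns after the restart. It only reads files; deleting or quarantining the hits is deliberately left to the operator, for the same reason the page warns about running the removal tool on the Windows drive.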