May 2008


The Microsoft Security Response Center (MSRC) has posted an entry to alert people of a security issue (advisory 953818) for users running Safari on Windows. I’ve written in the past about Apple distributing the Safari browser to Windows users, first as an “update” and later as new software, but still selected for installation by default. With that information, it was really only a matter of time before something nasty would take advantage of it.

From how I read it, the blended threat takes advantage of something Safari asks Windows to do. Currently the advice is “Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.” In other words, if you are using Safari on Windows, change the default download location.

A vulnerability has been reported in Adobe Flash Player versions 9.0.124.0 and older; 9.0.124.0 is the current version available for download now. Adobe has not yet released a patch or an official advisory. Symantec has also said that this vulnerability is being exploited by the bad guys as we speak. Adobe will have an update out soon, but at this point it is up to you to protect yourself. Don’t click on unsolicited links or attachments in spam e-mail. Your behavior can go a long way in protecting you when on the Internet.

Stay safe and have a great Wednesday!

UPDATE Wednesday, May 28, 2008 16:30 CST

Well, as the day went on, it was found that the current release of Adobe Flash Player (9.0.124.0) is not vulnerable to the attacks that are ongoing at this time. Here is a list of the nasty sites serving up the exploits. WARNING!! Do not visit these sites no matter what!!


UPDATE: 053008

Well, this story has more turns in it than a NASCAR event.  Some are even right turns.  First we thought all versions of Adobe Flash Player were vulnerable.  Then we were told that the current version is OK and not vulnerable.  Then Adobe doesn’t come right out and say it, and Symantec is saying that these exploits are working, so just be careful out there.  It seems that the bad guys are using these in new SQL injection attacks.  Have a great Friday!!

A new twist on an old scam: someone reported to me a spam e-mail that appeared to come from Microsoft. A little quick research online showed this has been around for a few years, but it has a different twist.

Sample Spam

As you can see, this was the entire body of the e-mail.  Nothing to sell.  No e-cards to click on.  No official document from some bogus US court.  Just 3 innocent-looking links from everyone’s friend Microsoft. The text makes you think you subscribed to MSN Featured Offers and they are being kind enough to add an Unsubscribe link. Since you never really subscribed to this in the first place, they are hoping people will click the Unsubscribe link so they won’t have this sent anymore.  All because they respect your privacy. Taking a closer look at the 3 links, they all lead you to the same URL. The IP for the URL was registered in the USA. A quick Google search of the domain turned up a lot of Russian-language references to it.  On closer inspection, all this URL did was redirect you to a site registered in Korea. This gives you a little more insight into how SPAM e-mail can be a threat.  Had this trail been followed all the way through, exploits for Microsoft, QuickTime, RealPlayer, and possibly Adobe Reader would have been run against the PC, and if it were not patched, remote code execution could be possible, meaning the PC would have been added to someone’s criminal botnet and used in nefarious ways.

Remember what we say, never click on unsolicited links or attachments in e-mail.  Stay safe.

Shadowserver.org does great work and informs the security community on the darker side of the Internet. In their most recent posting, they have listed the sites that are serving up the malicious content. Here is the list of sites and the number of sites injected with each of these malicious domains.  Please be advised: DO NOT VISIT ANY OF THESE SITES.


I work in computer security.  We see a lot of attacks from some bad people.  What trends are we seeing and what will attacks look like in the near future?  Here are my thoughts.  I read a lot of tech sites, I listen to tech podcasts, and you hear a lot of opinions.  The biggest trend this year will be legitimate sites being hacked and malicious code actually injected into them so they actually serve up attacks on unknowing visitors.

We started seeing this trend in early 2007 with the Super Bowl site attack from Dolphin’s Stadium.  Then it got quiet until the end of the year, and since then things have picked up.  Things are going to get worse.  Malicious tool kits can be bought on the Internet, and you can change the attacks as new ones are found and old ones are patched.  This attack vector is very efficient.  Some attacks can affect hundreds of thousands of pages in a short period of time.

What is going to come in the not-so-far future in computer security?  I believe those who say that hardware other than the actual PC will be targeted soon.  Routers being controlled by attackers who use a form of DNS poisoning to direct you to their bad paypal.com.  You won’t be able to tell you aren’t really on the real paypal.com site.  These hardware devices need to be secured and upgraded with security updates too.  Let me ask you a question about the router you use in your home.  When was the last time you logged into that wireless router you own and updated the firmware?  Never?  I’m sure there have been updates.  Learn how to maintain all the devices you have.

I feel pretty secure surfing the web, but I take steps to avoid going to certain places and I use as many tools as I can to help defend against those evil criminal attackers out on the Internet.  Patch.  It’s simple and a huge step in the right direction.  I read a lot.  I try to share it with you.  The common man or woman does not keep up with all the threats out there.  The one resource I would start reading is the Internet Storm Center.  They are sort of a warehouse of information relating to threats on the net and what you can do to protect yourself.

That is it for now.  The weekend is getting so close I can taste it.  Stay safe and have a happy Thursday.

Most of the time, attacks from the Internet are silent.  You may not have realized that clicking on your favorite web site silently redirected you to a server in China, and then exploits for Microsoft’s Internet Explorer, Firefox, QuickTime, RealPlayer, and other applications were run on your PC. If you haven’t patched all your software, some bad-guy attacker might just be able to take control of your machine and execute code remotely.  Those are words you really don’t want to hear.

Eventually, your anti-virus vendor gets the signatures of the bad software loaded on your machine and can clean it off.  But how did it get there?  What do I use my PC for?  Do I bank online?  Do I access my investment accounts online?  Do I store personal information about myself or my family in a document saved on the PC’s hard drive?  Then you need to take steps in trying to figure out just what happened.

First of all, is your software patched?  If not, then download your patches from Microsoft, Apple, RealPlayer, or any other application vendor and apply those security patches.  Set up a process to make sure your PC is scanned regularly and that you check for patches regularly.

Can you find out if sites you visit have been hacked?  Sometimes you won’t know unless you really follow stories posted online.  If it is a big name site like CNN.com or USAToday.com, then you might know.  Hundreds of thousands of sites get hacked and you never really know.  You could possibly defend against these attacks by using a tool called NoScript with your Firefox browser.

Do you store passwords for sites so they are filled in when you browse to them?  Are any of those sites holding a credit card of yours?  If you’ve read my blog much, I advise you not to use the function that remembers passwords to sites.

One thing you will have to remember: the Internet was not set up to handle secure transactions.  It was set up to share information.  Bad guys are taking advantage of all the vulnerabilities out there.  I cannot guarantee you will be completely safe even after following all these steps.  You can follow best practices and be safer than the average person.  If you have teenagers, your battle will be an uphill fight.  Teenagers trust everyone.  They click things that need not be clicked.  Think about having a computer that the adults use and another that the teenagers use.  You’ll still have to fight off attacks on the teenagers’ PC.

Good luck and stay safe.  I’m ready for SUMMER!!!

Adobe Reader has been patched (it won’t be the last time) and you need to make sure you update it.  This patch fixes 8 security vulnerabilities.  We preach patching here.  If there is a security patch for any software you use, you need to update it.  Bad guys out there will take advantage of you not patching your software.  The bad guys will always have an advantage when they exploit 0day vulnerabilities (no patch available), so when you have an opportunity to fix problems, do it.  Patch, patch, patch!

Stay safe and have a great Tuesday!

Yep, you are reading that headline right. Yet another new code injection attack. Just prior to writing this post, a search showed 855,000 pages infected with malicious (BAD!!) code that was injected into legitimate sites. NoScript is one defense, since this code is hosted on another domain.

The attack that I wrote about, which started last week, just hasn’t really taken off. A Google search shows 25,500 pages affected by that one. It is early in the game for both of these attacks, so more details will come out later. I’ll do more checking on the current attacks to see where those bad sites are being hosted.

The two sites in this new attack are listed below.  I’ve altered the URL.  My advice is NOT to go to either of these sites.

hxxp://free.hostpinoy.info/f.js
hxxp://xprmn4u.info/f.js
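As an added example (my own code, not anything from the original post), here is a small Python check a site owner could run over a saved copy of one of their pages: it lists every script loaded from a host other than the site’s own and flags the two hosts named above, which is exactly the third-party script reference that NoScript refuses to run. It percent-decodes the hostname first, on the assumption that an injected reference may spell it as %XX escapes that a plain text search would miss; the sample page, the site name www.shop.example and cdn.example.com are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# The two injected script hosts named in the post above.
KNOWN_BAD_HOSTS = {"free.hostpinoy.info", "xprmn4u.info"}

def normalize_host(src):
    """Lowercase host of a script src after percent-decoding.
    Assumption: an injected reference may spell the hostname as %XX escapes,
    which a plain text search misses, so decode before comparing. A defanged
    "hxxp://" prefix, as used in the post, is accepted too."""
    url = unquote(src.strip())
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return urlsplit(url).hostname or ""  # "" for relative paths like /js/site.js

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)

def find_third_party_scripts(html, site_host, bad_hosts=KNOWN_BAD_HOSTS):
    """Return (host, src, known_bad) for each script loaded from another host.
    Any unexpected third-party script deserves a look; a blocklisted host is
    a strong sign the page was injected."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        host = normalize_host(src)
        if host and host != site_host.lower():
            findings.append((host, src, host in bad_hosts))
    return findings

# Constructed sample of a compromised page (hypothetical site, not a real one).
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="http://free.hostpinoy.info/f.js"></script>
</head><body>Welcome!
<script src="http://%78%70%72%6D%6E%34%75%2E%69%6E%66%6F/f.js"></script>
</body></html>"""

REPORT = find_third_party_scripts(SAMPLE_PAGE, "www.shop.example")
```

The constructed page yields three findings: cdn.example.com (third-party, not on the list) and the two known-bad hosts, the second of which only matches because the %XX hostname was decoded.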

Stay safe and HAPPY MOTHER’S DAY!!!

Well, it doesn’t appear that this attack is spreading. I just did a Google search on one of the redirect domains and it showed only 14,000 pages. Not as efficient as the last one, which blasted several hundred thousand pages. I still see some of the same names on this list, and it seems to be the smaller organizations, which probably don’t have full-time staff to work on their sites and may not even know their sites have been compromised. Here is a short list of a few of the domains that are still making an appearance in Google. Remember that they may have been cleaned and Google’s spiders haven’t caught up yet.


I’ll give an update on this if things pick up.  If you want to see the number of sites infected, Google winzipices.cn and you’ll get a pretty long list.  Stay away unless you want your PC compromised.  Stay safe and take care.

I don’t have a lot of information at this time, other than that there appears to be another SQL injection attack similar to the ones we’ve seen, where legitimate sites redirect to sites in China that then launch different attacks that can compromise a machine. It may take a few days, but more information will come out about the details of this attack; at this time there isn’t a lot out there. If you want to read more, you can go to the Internet Storm Center page by clicking here and read what they know.

As more information becomes available, I’ll post another story. Take care and have a safe week!
