CERT-In Monthly Security Bulletin April 2009
Cyber Intrusion Trends

In this month, 505 security incidents were reported to CERT-In from various national/international agencies. As shown in the figure, 76% of the incidents reported in this month related to the spreading of malware through website compromise. Also reported in this month were 8% phishing incidents, 6% unauthorized scanning, 6% incidents related to technical help under the Others category, 3% incidents related to virus/worm under the Malicious code category, and 1% incidents related to spamming.

In this month CERT-In observed that the Conficker worm has infected around 15 lakh computer systems across India. CERT-In has informed all the concerned ISPs so that the systems can be disinfected. CERT-In has also communicated to CISOs of Government, Defense, Banks and Public sector organizations to prepare themselves for safeguarding against Conficker worm infections.

Cyber Intrusion during April 2009

Indian Websites Defacement

852 Indian websites were defaced during April 2009. The vulnerabilities which might have been exploited for the defacements are:

Vendor/Product | Title of Vulnerability | References & Patch Information
IBM | Vulnerability in IBM DB2 9.1 before FP7 might allow attackers to obtain sensitive information via a crafted query. |
Apache | Multiple directory traversal vulnerabilities in the web administration console in Apache Geronimo Application Server 2.1 through 2.1.3 on Windows allow remote attackers to upload files to arbitrary directories via directory traversal sequences. |
Oracle | Unspecified vulnerability in the Resource Manager component in Oracle Database 9.2.0.8 and 9.2.0.8DV allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. |
Oracle | Unspecified vulnerability in the Core RDBMS component in Oracle Database 10.1.0.5, 10.2.0.4, and 11.1.0.6 allows remote authenticated users with the IMP_FULL_DATABASE role to affect confidentiality, integrity, and availability. |
Joomla! | SQL injection vulnerability in the com_musica module in Joomla! |
PHP | CRLF injection vulnerability in bs_disp_as_mime_type.php in the BLOB streaming feature in phpMyAdmin before 3.1.3.1 | CVE-2009-1149
PHP | Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 |
IBM | The Web Services Security component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3 has an unspecified "security problem" in the XML digital-signature specification, which has unknown impact and attack vectors. |
IBM | Unspecified vulnerability in the eClient in IBM DB2 Content Manager 8.4.1 before 8.4.1.1 has unknown impact and attack vectors. |

Open proxy servers

Any proxy server that doesn't restrict its client base to its own set of clients and allows any other client to connect to it is known as an open proxy server. An open proxy server will accept client connections from any IP address and make connections to any Internet resource.

CERT-In tracked 231 open proxy servers functioning in India during April 2009. All the concerned ISPs were alerted immediately to shut down the open proxy servers. A bar chart of open proxy servers tracked during this year is shown in the figure.


Statistics of Open Proxy Servers tracked during April 2009
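The definition above (a proxy that accepts any client and fetches any resource) can be turned into a simple self-check for administrators who run a proxy. The following is an added example and not CERT-In's tracking tool: it speaks plain HTTP to a forward proxy, sends the absolute-URI form of GET that a proxy expects, and classifies the answer. A 2xx/3xx reply to an unknown client means the proxy relayed the request (open); 403 or 407 means it is restricting its client base. The probe URL is a placeholder, and the local stand-in server is constructed so the example runs offline.

```python
"""Probe whether an HTTP forward proxy relays requests from arbitrary clients.

Added example, not CERT-In's own tooling. An open proxy answers an
absolute-URI GET from an unknown client with the fetched resource (2xx/3xx);
a proxy that restricts its client base answers 403 or 407.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_URL = "http://example.com/"  # placeholder resource the proxy is asked to fetch


def classify_proxy(host, port, probe_url=PROBE_URL, timeout=5.0):
    """Return 'open', 'restricted', 'unreachable' or 'unknown' for host:port."""
    probe_host = probe_url.split("/")[2]
    request = (
        f"GET {probe_url} HTTP/1.1\r\n"   # absolute URI: the forward-proxy request form
        f"Host: {probe_host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            status_line = b""
            while not status_line.endswith(b"\r\n") and len(status_line) < 256:
                chunk = sock.recv(1)
                if not chunk:
                    break
                status_line += chunk
    except OSError:            # refused, timed out or reset: nothing proxied here
        return "unreachable"
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "unknown"       # something answered, but not as an HTTP proxy
    code = int(parts[1])
    if 200 <= code < 400:
        return "open"
    if code in (403, 407):
        return "restricted"
    return "unknown"


class _FakeProxy(BaseHTTPRequestHandler):
    """Constructed stand-in: relays nothing, it only answers with the status
    a proxy in the configured state would return for an absolute-URI request."""

    def do_GET(self):
        code = self.server.reply_status if self.path.startswith("http://") else 400
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_fake_proxy(reply_status):
    """Serve the fake proxy on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeProxy)
    server.reply_status = reply_status
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Classify an open proxy, a restricted proxy and a closed port."""
    verdicts = {}
    for label, status in (("open", 200), ("restricted", 403)):
        server, port = start_fake_proxy(status)
        verdicts[label] = classify_proxy("127.0.0.1", port)
        server.shutdown()
        server.server_close()
    verdicts["closed"] = classify_proxy("127.0.0.1", port)  # port is closed now
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Run it against your own proxy with `classify_proxy(host, port)` from a host that is not in the proxy's allowed client list; the expected verdict for a correctly configured proxy is "restricted".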

 

Attack Trend

Worm Conficker/Downadup/Kido widely propagating

It has been observed that the worm Win32/Conficker/Downadup/Kido is spreading widely by exploiting a previously reported Server Service vulnerability described in CERT-In vulnerability note CIVN-2008-170 and Microsoft Security Bulletin MS08-067.

Apart from exploiting the said vulnerability, its attack vectors include network shares (ADMIN$ shares, tried with a long list of hard-coded passwords), removable drives (it drops a hidden autorun.inf file), scareware (fake security alerts that frighten consumers into purchasing bogus computer security software) and, most recently, a Metasploit payload (the exploitation method is derived from the Metasploit ms08_067_netapi module, which the worm uses to spread itself).

It is reported that this worm is actively infecting Windows systems running specific language versions of the operating system, such as English, Chinese, Arabic and Portuguese.
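Of the vectors listed above, the password guessing against ADMIN$ shares is the one that shows up most clearly in the target's own logs: a burst of failed network logons (Windows Security event 4625, logon type 3) from one source host against a small set of accounts. The following is an added example of that detection and is not CERT-In's own content; the event records are constructed and flattened to one line each, and the threshold and window are assumptions to tune per environment.

```python
"""Flag source hosts guessing passwords against administrative shares.

Added example, not CERT-In's own detection content. From the target's side,
share-based worm spread looks like a burst of failed network logons
(event 4625, LogonType 3) from one source. The log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2009-04-14T10:02:01 EventID=4625 LogonType=3 Source=10.1.2.7 Account=Administrator
2009-04-14T10:02:03 EventID=4625 LogonType=3 Source=10.1.2.7 Account=Administrator
2009-04-14T10:02:05 EventID=4625 LogonType=3 Source=10.1.2.7 Account=Administrator
2009-04-14T10:02:07 EventID=4625 LogonType=3 Source=10.1.2.7 Account=Administrator
2009-04-14T10:02:09 EventID=4625 LogonType=3 Source=10.1.2.7 Account=Administrator
2009-04-14T10:02:11 EventID=4625 LogonType=3 Source=10.1.2.7 Account=Administrator
2009-04-14T10:02:13 EventID=4625 LogonType=3 Source=10.1.2.7 Account=Administrator
2009-04-14T10:02:15 EventID=4625 LogonType=3 Source=10.1.2.7 Account=Administrator
2009-04-14T10:02:17 EventID=4625 LogonType=3 Source=10.1.2.7 Account=backup
2009-04-14T10:02:19 EventID=4625 LogonType=3 Source=10.1.2.7 Account=backup
2009-04-14T10:02:21 EventID=4625 LogonType=3 Source=10.1.2.7 Account=backup
2009-04-14T10:02:23 EventID=4625 LogonType=3 Source=10.1.2.7 Account=backup
2009-04-14T10:05:10 EventID=4625 LogonType=3 Source=10.1.5.3 Account=alice
2009-04-14T10:05:40 EventID=4624 LogonType=3 Source=10.1.5.3 Account=alice
2009-04-14T10:06:02 EventID=4625 LogonType=2 Source=10.1.9.9 Account=bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"Source=(?P<src>\S+) Account=(?P<acct>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, event_id, logon_type, source, account) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate unrelated or malformed lines
        yield (datetime.fromisoformat(m["ts"]), int(m["event"]),
               int(m["ltype"]), m["src"], m["acct"])


def detect_share_guessing(text, threshold=8, window=timedelta(seconds=60)):
    """Return {source: (peak_failures_in_window, distinct_accounts)} for sources
    whose failed network logons exceed `threshold` within any `window`."""
    failures = defaultdict(list)
    for ts, event, ltype, src, acct in parse_events(text):
        if event == 4625 and ltype == 3:      # failed logon arriving over the network
            failures[src].append((ts, acct))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        recent = deque()
        peak = 0
        for ts, _ in events:
            recent.append(ts)
            while ts - recent[0] > window:   # slide the window forward
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > threshold:
            flagged[src] = (peak, len({acct for _, acct in events}))
    return flagged


if __name__ == "__main__":
    for src, (count, accounts) in detect_share_guessing(SAMPLE_LOG).items():
        print(f"{src}: {count} failed network logons within 60s against {accounts} account(s)")
```

The single failure from 10.1.5.3 (a user mistyping a password, followed by a successful 4624) and the interactive logon failure from 10.1.9.9 are not flagged; only the sustained burst from 10.1.2.7 is. A host flagged this way is a candidate for isolation and for checking whether the MS08-067 update is installed.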


Propagation of Waledac worm variants

It has been observed that the ‘Win32/Waledac’ worm is circulating via spam e-mails pretending to be Valentine's Day greetings, to deceive users into downloading the greeting card or the attached file.

These spam e-mails come with subject lines such as “short and sweet”, “Me and You”, “In Your Arms”, “With all my love” and other Valentine's Day related phrases. The e-mail contains a URL which takes the user to malicious fast-flux websites hosting malware such as “youandme.exe”, “onlyyou.exe”, “you.exe”, “meandyou.exe”, “start.exe” and so on.
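Both traits named above, the themed subject line and a link that points straight at an executable, can be checked at the mail gateway. The following is an added example and not CERT-In's own filter: it parses a raw message with Python's standard email library, extracts URLs from every text part, and quarantines a message whose links end in an executable extension, using the subject line only as corroborating evidence. The two messages are constructed and 198.51.100.23 is a documentation address, not an indicator from the bulletin.

```python
"""Score an incoming e-mail for the Waledac-style greeting-card lure.

Added example, not CERT-In's own filter. It looks for two traits the
bulletin describes: a Valentine's-themed subject line and a link that
points straight at an executable download. Both messages are constructed.
"""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

LURE_SUBJECTS = {"short and sweet", "me and you", "in your arms", "with all my love"}
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

SPAM_SAMPLE = """\
From: "Your Valentine" <card@198.51.100.23>
To: victim@example.org
Subject: Me and You
Content-Type: text/plain; charset="us-ascii"

I made this card just for you. Open it here:
http://198.51.100.23/youandme.exe
"""

BENIGN_SAMPLE = """\
From: pat@example.org
To: victim@example.org
Subject: Agenda for Thursday
Content-Type: text/plain; charset="us-ascii"

Draft agenda is at http://intranet.example.org/meetings/agenda.html, comments welcome.
"""


def extract_urls(msg):
    """Collect URLs from every text part, trimming trailing punctuation."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for match in URL_RE.findall(part.get_content()):
            urls.append(match.rstrip(".,;:)"))
    return urls


def assess_message(raw):
    """Return the subject, extracted URLs, reasons and a quarantine verdict."""
    msg = message_from_string(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip()
    reasons, score = [], 0
    if subject.lower() in LURE_SUBJECTS:
        reasons.append(f"lure subject line: {subject!r}")
        score += 1                      # suggestive on its own, not decisive
    urls = extract_urls(msg)
    for url in urls:
        if urlparse(url).path.lower().endswith(EXECUTABLE_EXT):
            reasons.append(f"direct link to an executable: {url}")
            score += 2                  # enough to quarantine by itself
    return {"subject": subject, "urls": urls, "reasons": reasons,
            "quarantine": score >= 2}


if __name__ == "__main__":
    for raw in (SPAM_SAMPLE, BENIGN_SAMPLE):
        print(assess_message(raw))
```

The subject list is deliberately only corroborating: a legitimate greeting with one of these phrases and no executable link scores 1 and passes, while a message that links to an .exe is quarantined regardless of its subject.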


Security Alerts

The critical and medium vulnerabilities in various operating systems, application software and network devices discovered during April 2009, together with their countermeasures, and the widely spreading malicious code (virus/worm/Trojan) are given below:

High Vulnerabilities

Vendor | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information

Microsoft
Microsoft | Multiple Vulnerabilities in Windows Kernel and Windows DNS | 29-Apr-09 | CIVN-2009-58
Microsoft | Multiple Vulnerabilities in Microsoft Windows DNS Server and WINS Server | 15-Apr-09 | CIVN-2009-52
Microsoft | Multiple Vulnerabilities in Microsoft Windows DNS Server and | 15-Apr-09 | CIVN-2009-51
Microsoft | Multiple Vulnerabilities in Microsoft Windows DNS Server and | 15-Apr-09 | CIVN-2009-50
Microsoft | Multiple Vulnerabilities in Microsoft Windows DNS Server and | 15-Apr-09 | CIVN-2009-49
Microsoft | Multiple Vulnerabilities in Microsoft Windows DNS Server and | 15-Apr-09 | CIVN-2009-48
Microsoft | Multiple Vulnerabilities in Microsoft Windows DNS Server and | 15-Apr-09 | CIVN-2009-47
Microsoft | Microsoft Windows Secure Channel Security Package Authentication Bypass Vulnerability | 15-Apr-09 | CIAD-2009-19
Microsoft | Microsoft Windows Kernel Code Execution and Privilege Escalation Vulnerabilities | 04-Apr-09 | CIVN-2009-41

CISCO
CISCO | Cisco ASA and Cisco PIX TCP Packet Processing Denial of Service Vulnerability | 21-Apr-09 | CIVN-2009-57
CISCO | Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability | 9-Apr-09 | CIVN-2009-46
CISCO | Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability | 9-Apr-09 | CIVN-2009-45
CISCO | Cisco IOS Software WebVPN and SSLVPN Vulnerabilities | 9-Apr-09 | CIVN-2009-44
CISCO | Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability | 6-Apr-09 | CIVN-2009-43
CISCO | Cisco IOS Software IP Sockets Denial of Service Vulnerability | 6-Apr-09 | CIVN-2009-42
CISCO | Cisco IOS Mobile IP and Mobile IPv6 Vulnerabilities | 6-Apr-09 | CIAD-2009-18

Linux
Linux | Multiple Vulnerabilities in Linux Kernel | 29-Apr-09 | CIAD-2009-22

Miscellaneous
Adobe | Adobe Reader JavaScript Vulnerabilities | 30-Apr-09 | CIVN-2009-60
Mozilla | Mozilla Firefox "nsTextFrame::ClearTextRun()" Memory Corruption Vulnerability | 30-Apr-09 | CIVN-2009-59
Mozilla | Multiple Vulnerabilities in Mozilla Products | 24-Apr-09 | CIAD-2009-21

Medium Vulnerabilities

Vendor | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information

Microsoft
Microsoft | Microsoft ISA Server and Forefront Threat Management Gateway Denial of Service Vulnerabilities | 15-Apr-09 | CIVN-2009-54
Microsoft | Remote code execution vulnerability in SearchFunction of Microsoft Windows | 15-Apr-09 | CIVN-2009-53

Miscellaneous
Apache | Apache Tomcat mod_jk Content Length Information Disclosure Vulnerability | 17-Apr-09 | CIVN-2009-56
Joomla! | Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities in Joomla! | 17-Apr-09 | CIVN-2009-55
Malicious Code Threats

Rustock Trojan/Rootkit
Type: Trojan
Overview: It has been observed that a multi-component family of rootkit-enabled backdoor Trojans named Rustock, which has been known primarily as a prolific spam source, is spreading in the wild. It comes to the system as an attachment in spammed mails or is dropped by other malware (Trojan “Costrat”).
Aliases: BKDR_RUSTOCK.A (Trend Micro); Backdoor.Rustock.B (Symantec); Spam-Mailbot (McAfee)
Discovery Date: April 22, 2009
References: http://www.cert-in.org.in/virus/Rustock.htm

Qakbot
Type: Worm
Overview: It has been observed that a worm named Qakbot is spreading in the wild. It spreads through network shares and opens a backdoor on the compromised computer to listen for the remote attacker's commands. It also steals sensitive information from the compromised computer and sends this information to the attacker.
Aliases: BKDR_QAKBOT
Discovery Date: April 22, 2009
References: http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-050707-0639-99&tabid=1

Neeris
Type: Worm
Overview: It has been observed that a worm named Neeris is spreading in the wild. It spreads through multiple vectors such as network shares, removable drives and instant messengers (MSN Messenger). After successful installation the worm drops a rootkit component to hide its process. It also opens a random port on the infected system to receive commands from the remote attacker.
Aliases: No aliases found
Discovery Date: April 07, 2009
References: http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNEERIS%2EA

Security News

Windows Bugs Never Truly Squashed
[Source: http://www.pcworld.com] 25 April 2009

Hackers can successfully attack Windows PCs months -- even years -- after Microsoft Corp. fixes a flaw, a security expert said, because there's always a pool of unpatched systems.

According to data that Qualys Inc. culled from scans of more than 80 million machines, between 5% and 20% of all systems are never patched for any vulnerabilities, including those disclosed by Microsoft in its monthly security updates.

Qualys, a provider of on-demand IT security systems, tracked four vulnerability bulletins issued by Microsoft in 2008 and in each case found that a sizable fraction of the PCs it scanned had not been patched, even though in some cases more than a year had passed since Microsoft issued fixes. 


Microsoft supplies Interpol with DIY forensics tool
[Source: http://www.register.co.uk] 16 April 2009

Interpol plans to distribute a Microsoft DIY computer forensics tool to its 187 member countries under an agreement announced Wednesday.

Cofee, short for Computer Online Forensic Evidence Extractor, is a thumb drive containing more than 150 investigative applications police can use to collect digital evidence at crime scenes. When Microsoft announced the free tool last year, it said some 2,000 officers in 15 countries were using it.

The proliferation of cell phones, digital cameras, and other electronics devices means that even old-world crimes such as muggings and burglaries have the potential to be cracked by sifting through digital footprints inadvertently left behind by perpetrators. But collecting that evidence and preserving its integrity so it can be admitted into court trials isn't easy.

Cofee is designed to ease that burden by providing investigators with easy-to-use tools that allow them to collect electronic data on the fly. It also allows them to collect data without necessarily having to lug gear to headquarters first.


Encrypted USB drive solution with anti-malware capability
[Source: http://www.net-security.org] 21 April 2009

Mobile Armor announced the addition of anti-malware support to its existing KeyArmor product group.

As the mobile workforce continues to show sustainable growth, the requirement to protect portable data in enterprise organizations needs to be addressed. USB drives are highly vulnerable assets at risk of theft and loss, and are often exposed to malicious applications and viruses. Mobile Armor's KeyArmor USB drive is designed to combat these threats that exist in today's mobile workforce environments.

The KeyArmor solution is a military-level encrypted USB drive managed by the Mobile Armor enterprise policy console, PolicyServer. KeyArmor USB drives are FIPS 140-2 Level 2 validated, using on-processor AES hardware encryption.


Sun Announces MySQL Cluster 7.0 for Real-Time, Mission-Critical Database Applications
[Source: http://www.mysql.com/] 21 April 2009

Sun Microsystems, Inc. today announced MySQL™ Cluster 7.0, a major new release of its high-availability open source database software for real-time, mission-critical applications. New features include significantly enhanced performance and scalability; support for popular LDAP directories; and simplified cluster back-up and maintenance. Information on MySQL Cluster 7.0, including downloads, evaluation guides, and performance benchmarks, is available now at http://www.mysql.com/cluster.

Today's announcement was made at the seventh annual MySQL Conference & Expo being held this week at the Santa Clara Convention Center. With more than 2,000 attendees, it is the world's largest community event for open source database developers, DBAs, vendors and corporate IT managers.

MySQL Cluster combines the world's most popular open source database with a fault tolerant "shared nothing" architecture, enabling organizations to deploy real-time mission-critical database applications reaching 99.999% ("five nines") availability. MySQL Cluster 7.0 can deliver predictable, millisecond response times while servicing tens of thousands of transactions per second. Support for in-memory and disk based data, automatic data partitioning with load balancing and the ability to add nodes to a running cluster with zero downtime allows almost unlimited database scalability to handle the most unpredictable workloads. 


Malicious Activity in India on the Rise, Says Symantec Report
[Source: http://networkcomputing.in] 22 April 2009

Symantec, in its recent Internet Security Threat Report, has observed that malicious code activity globally continued to grow at a record pace throughout 2008, primarily targeting confidential information of computer users. The report also observed that India saw a substantial increase in its proportion of malicious activity, having the third highest volume of malicious activity in the region and accounting for 10 percent of the regional total.

Symantec created more than 1.6 million new malicious code signatures in 2008 which equates to more than 60 percent of the total malicious code signatures ever created by the company, as a response to the rapidly increasing volume and proliferation of new malicious code threats.  These signatures helped Symantec block an estimated average of more than 245 million attempted malicious code attacks across the globe each month during 2008.

The report is derived from data collected by millions of Internet sensors, first-hand research, and active monitoring of hacker communications, and provides a global view of the state of Internet security. The study period for the ISTR XIV covers January 2008 to December 2008. It noted that Web surfing remained the primary source of new infections in 2008, and attackers are relying more on customized malicious code toolkits to develop and distribute their threats.

Computers from the United States and China were observed to be the leading sources of Web-based attacks targeting India, accounting for 84 percent and 5 percent respectively.


SANS: Newest WLAN Hacks Come From Afar
[Source: http://www.darkreading.com] 24 April 2009

SAN FRANCISCO -- RSA CONFERENCE 2009 -- An attacker doesn't need to be in physical proximity to hack your wireless network. In fact, a more sophisticated wireless attack doesn't use RF at all, according to a SANS security expert here at RSA.

Ed Skoudis, founder and senior security consultant for InGuardians and a SANS instructor, said a deadly combination of long-distance remote and wireless hacking to get inside an organization is one of the potentially more dangerous new attacks to look out for.

"You assume an attacker must be nearby for a wireless hack. But the really long-distance wireless hacks don't use RF at all," Skoudis said in a SANS presentation on Thursday about dangerous new attack techniques. "There have been advances in wireless hacks where they are used in combination with other [attacks]."

This type of attack typically begins with a remote exploit on a Windows machine visiting an infected Website, which then uses the machine as a "wireless drone," he said. "That lets the attacker turn on the machine's wireless interface, look around, and exploit it," Skoudis said. "This is a tremendously useful attack for bad guys."

The good news is that this type of attack is tough to execute in Windows XP. But not so for Vista or Windows 7, where the API calls make it relatively simple to write code that talks to the wireless interface, according to Skoudis. 


JavaScript flaw reported in Adobe Reader
[Source: http://www.securityfocus.com] 28 April 2009

The United States' Computer Emergency Readiness Team (US-CERT) warned users of the ubiquitous Adobe Reader to disable the program's use of JavaScript after Adobe warned that a possible flaw had been found.

In a post to its product security blog, the company said it was investigating reports of a serious flaw in Adobe Reader. While initial reports only stated that a flaw had been found in the Linux version of Adobe Reader, the company updated the post to include Windows and Mac OS X versions as well.

"Adobe plans to provide updates for all affected versions for all platforms — Windows, Macintosh and Unix — to resolve this issue," the company stated on its blog. "We are working on a development schedule for these updates and will post a timeline as soon as possible. We are currently not aware of any reports of exploits in the wild for this issue."

The warnings appear similar to those that forced Adobe to issue a security advisory in February, and a patch the following month, urging users to beware of Reader attacks. Because of their ubiquity, Adobe's Acrobat and Flash software have become popular targets of security researchers, who try to find vulnerabilities to help secure software, and online criminals, who try to exploit the vulnerabilities. The repeated vulnerabilities and the lure of such a large user base have caused at least one security company, F-Secure, to recommend that people use alternate applications.


Windows 7 RC is now available
[Source: http://www.net-security.org] 30 April 2009

Today Microsoft reached a significant milestone with the Release Candidate (RC) of Windows 7, now available for download to MSDN and TechNet subscribers. Broader public availability will begin May 5.

New to the Windows 7 RC are advancements such as Remote Media Streaming, Windows XP Mode (beta) and the upcoming beta of the Windows 7 Upgrade Advisor:

  • Remote Media Streaming. Enables highly secure, remote Internet access to home-based digital media libraries from another Windows 7-based PC outside the home.
  • Windows XP Mode. Utilizing Windows Virtual PC, Windows XP Mode allows Windows 7 users to run many Windows XP productivity applications, launched right from the Windows 7 desktop. Windows XP Mode will be available to Windows 7 Professional and Windows 7 Ultimate customers via download or, for the best experience, pre-installed directly on new PCs. As part of today's announcement, Microsoft is releasing the beta of Windows XP Mode and Windows Virtual PC. For larger businesses where management is important to reduce the total cost of ownership, Microsoft Enterprise Desktop Virtualization (MED-V) within MDOP adds management to Windows Virtual PC, including centralized policy, administration experience and deployment.
  • Windows 7 Upgrade Advisor. To help enable a smooth transition, Windows 7 Upgrade Advisor will help people analyze their PCs in preparation for a Windows 7 upgrade. Available soon, Windows 7 Upgrade Advisor will be a downloadable tool that will help people determine their ability to upgrade from their Windows XP-based or Windows Vista-based PC to Windows 7.


Swine flu email scams circulating
[Source: http://blogs.zdnet.com/] 28 April 2009

Opportunistic scammers and spammers are actively exploiting the swine flu buzz across the web by spamvertising links to pharmaceutical scams, and bogus ‘Swine Flu Survival Guides' using search engine optimization of typosquatted domains related to the outbreak.

The event-based social engineering campaign is similar to the recent fake ‘Conficker infection alerts’, the bogus Conficker removal tools pushed through SEO practices, and the timely spam campaign serving malware as a fake Microsoft Patch Tuesday message.

Strangely, the massive spam campaign doesn't seem to be targeting the specific market segment since upon clicking on the links the users are directed to the ubiquitous Canadian Pharmacy scam. Based on previous experience with related campaigns, cybercriminals are prone to diversify the traffic acquisition tactics, so consider keeping yourself informed on the issue by using the right sources. 
