CERT-In Monthly Security Bulletin March 2009
Cyber Intrusion Trends

In this month 505 security incidents were reported to CERT-In by various national/international agencies. As shown in the figure, 61% of the incidents reported this month related to spreading of malware through website compromise. Incidents related to virus/worm under the malicious code category accounted for 26%, phishing for 7%, unauthorized scanning for 3% and spamming for 3%.

In this month CERT-In tracked 02 C&C (Command & Control) servers and 30,025 bot-infected computers in India. The concerned ISPs were intimated to disinfect the bot-infected systems and C&C servers to mitigate the botnets.

Cyber Intrusion during March 2009

Indian Websites Defacement
46 Indian websites were defaced during March 2009. The vulnerabilities which might have been exploited for the defacements are:

Vendor/Product | Title of Vulnerability | References & Patch Information
PHP | PHP remote file inclusion vulnerability in include/global.php in Multi SEO phpBB 1.1.0 | (not listed)
PHP | Multiple eval injection vulnerabilities in phpScheduleIt before 1.2.11 | (not listed)
PHP | PHP remote file inclusion vulnerability in linkadmin.php in Beerwin PHPLinkAdmin 1.0 | (not listed)
Joomla! | SQL injection vulnerability in the Versioning component (com_versioning) 1.0.2 in Joomla! and Mambo | (not listed)
Joomla! | SQL injection vulnerability in the com_musica module in Joomla! | (not listed)
PHP | CRLF injection vulnerability in bs_disp_as_mime_type.php in the BLOB streaming feature in phpMyAdmin before 3.1.3.1 | CVE-2009-1149
PHP | Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 | (not listed)
IBM | The Web Services Security component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.3 has an unspecified "security problem" in the XML digital-signature specification, which has unknown impact and attack vectors. | (not listed)
IBM | Unspecified vulnerability in the eClient in IBM DB2 Content Manager 8.4.1 before 8.4.1.1 has unknown impact and attack vectors. | (not listed)

Open proxy servers

Any proxy server that does not restrict its client base to its own set of clients and allows any other client to connect to it is known as an open proxy server. An open proxy server will accept client connections from any IP address and make connections to any Internet resource.

CERT-In tracked 183 open proxy servers functioning in India during March 2009. All the concerned ISPs were alerted immediately to shut down the open proxy servers. A bar chart of open proxy servers tracked during this year is shown in the figure.


Statistics of Open Proxy Servers tracked during March 2009
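The property that makes a proxy "open" is testable: send it a forward-proxy request (absolute URI in the request line) for a page you control and see whether the page comes back. The script below is an added example, not CERT-In tooling; the canary URL, the marker string and the loopback "proxies" it talks to are constructed for the demonstration, so it runs offline.

```python
import socket
import threading

# Canary target and marker are assumptions for the example: a real probe points
# at a URL the tester controls and looks for a marker only that page returns.
CANARY_URL = "http://canary.example/open-proxy-check"
CANARY_MARKER = b"OPEN-PROXY-CANARY-7f3a"


def build_proxy_request(url, host_header):
    # A forward-proxy request carries the absolute URI in the request line;
    # a server that relays it for an arbitrary client is, by definition, open.
    return (
        f"GET {url} HTTP/1.1\r\n"
        f"Host: {host_header}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def parse_status(response):
    """Return (status_code or None, body) for a raw HTTP response."""
    head, _, body = response.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None, body
    try:
        return int(parts[1]), body
    except ValueError:
        return None, body


def probe_proxy(host, port, timeout=5.0):
    """Return (is_open, status). is_open is True only when the proxy relayed
    the canary request and the canary marker came back in the body."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_proxy_request(CANARY_URL, "canary.example"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    status, body = parse_status(b"".join(chunks))
    return status == 200 and CANARY_MARKER in body, status


def serve_once(reply):
    """Throwaway loopback listener answering one connection with `reply`,
    so the probe can be exercised offline. Returns the listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Probe two simulated proxies: one that relays anything, one that refuses."""
    relaying = b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n" + CANARY_MARKER
    refusing = b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n"
    return {
        "relaying": probe_proxy("127.0.0.1", serve_once(relaying)),
        "restricted": probe_proxy("127.0.0.1", serve_once(refusing)),
    }


if __name__ == "__main__":
    for name, (is_open, status) in demo().items():
        print(f"{name}: status={status} open={is_open}")
```

A 200 alone is not proof: some proxies answer every request with a branded error page, which is why the probe insists on the marker from the canary page. Only scan address space you are authorised to test.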


Attack Trend


Worm Conficker/Downadup/Kido widely propagating

It has been observed that the worm Win32/Conficker (also known as Downadup and Kido) is spreading widely by exploiting a previously reported Server Service vulnerability described in CERT-In vulnerability note CIVN-2008-170 and Microsoft Security Bulletin MS08-067.

Apart from exploiting the said vulnerability, the attack vectors include network shares (the ADMIN$ share, attempted with a long list of hard-coded passwords), removable drives (it drops a hidden autorun.inf file), scareware (fake security alerts that frighten users into purchasing bogus security software) and, most recently, an exploitation routine derived from the Metasploit ms08_067_netapi module, which the worm uses to spread itself.

It is reported that this worm is actively infecting Windows systems running specific language versions of the operating system, such as English, Chinese, Arabic and Portuguese.
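The share-based vector leaves a recognisable trace on the target: a burst of failed logons to ADMIN$ from one source, often followed by a success once a password from the list matches. The detector below is an added example rather than anything from the advisory; the log format it parses is constructed for the demonstration (a real deployment would map Windows logon-failure events or Samba audit records to the same fields).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for the example, not a real Windows or Samba format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) share=(?P<share>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%S")
    return d


def detect_share_bruteforce(lines, threshold=5, window=timedelta(minutes=2), share="ADMIN$"):
    """Flag (src, dst) pairs with at least `threshold` failed logons to `share`
    inside `window`, and record whether a success followed the burst."""
    events = [e for e in map(parse_line, lines) if e and e["share"] == share]
    events.sort(key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    findings = []
    for (src, dst), evs in by_pair.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        burst_end = None
        start = 0
        for i in range(len(fails)):              # sliding window over failures
            while fails[i]["ts"] - fails[start]["ts"] > window:
                start += 1
            if i - start + 1 >= threshold:
                burst_end = fails[i]["ts"]
                break
        if burst_end is None:
            continue
        guessed = any(e["result"] == "OK" and e["ts"] >= burst_end for e in evs)
        findings.append({
            "src": src, "dst": dst, "failures": len(fails),
            "users_tried": sorted({e["user"] for e in fails}),
            "password_guessed": guessed,
        })
    return findings


# Constructed sample: one host hammering ADMIN$ with a password list and getting
# in, one user mistyping once, one unrelated failure against C$.
SAMPLE_LOG = """\
2009-03-12T10:15:01 src=10.0.0.7 dst=10.0.0.21 share=ADMIN$ user=administrator result=FAIL
2009-03-12T10:15:02 src=10.0.0.7 dst=10.0.0.21 share=ADMIN$ user=administrator result=FAIL
2009-03-12T10:15:03 src=10.0.0.7 dst=10.0.0.21 share=ADMIN$ user=administrator result=FAIL
2009-03-12T10:15:04 src=10.0.0.7 dst=10.0.0.21 share=ADMIN$ user=administrator result=FAIL
2009-03-12T10:15:05 src=10.0.0.7 dst=10.0.0.21 share=ADMIN$ user=administrator result=FAIL
2009-03-12T10:15:06 src=10.0.0.7 dst=10.0.0.21 share=ADMIN$ user=administrator result=OK
2009-03-12T10:20:00 src=10.0.0.8 dst=10.0.0.21 share=ADMIN$ user=jsmith result=FAIL
2009-03-12T10:20:30 src=10.0.0.8 dst=10.0.0.21 share=ADMIN$ user=jsmith result=OK
2009-03-12T10:21:00 src=10.0.0.9 dst=10.0.0.21 share=C$ user=backup result=FAIL
""".splitlines()


if __name__ == "__main__":
    for f in detect_share_bruteforce(SAMPLE_LOG):
        print(f)
```

A hit with `password_guessed` set is the one to act on first: the source is already inside that host and will start scanning from it.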

[More]

Propagation of Waledac worm variants

It has been observed that the 'Win32/Waledac' worm is circulating via spam e-mails posing as Valentine's Day greetings, to deceive users into downloading the greeting card or the attached file.

These spam e-mails carry subject lines such as "short and sweet", "Me and You", "In Your Arms", "With all my love" and other Valentine's Day related phrases. The e-mail contains a URL that takes the user to malicious fast-flux websites hosting malware such as "youandme.exe", "onlyyou.exe", "you.exe", "meandyou.exe", "start.exe" and so on.
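"Fast flux" means the link domain resolves to a constantly changing set of infected hosts with short TTLs, so no single IP can be blocked. Repeated resolution of the same name makes the pattern measurable. The scorer below is an added example, not part of the bulletin; the lookups it consumes are constructed, and it uses /16 prefix diversity as a stand-in for ASN diversity because no ASN database is assumed to be available.

```python
from collections import defaultdict


def fast_flux_indicators(observations, ttl_limit=300, min_ips=5, min_prefixes=3):
    """observations: (domain, ip, ttl) tuples gathered by resolving the same
    names repeatedly over a period. A name whose answers keep changing across
    many unrelated networks, with short TTLs, shows the fast-flux pattern."""
    per = defaultdict(lambda: {"ips": set(), "prefixes": set(), "min_ttl": None})
    for domain, ip, ttl in observations:
        d = per[domain]
        d["ips"].add(ip)
        # /16 prefix diversity stands in for ASN diversity (assumption: no ASN
        # database offline). A legitimate CDN tends to cluster in few networks.
        d["prefixes"].add(".".join(ip.split(".")[:2]))
        d["min_ttl"] = ttl if d["min_ttl"] is None else min(d["min_ttl"], ttl)

    report = {}
    for domain, d in per.items():
        report[domain] = {
            "distinct_ips": len(d["ips"]),
            "distinct_prefixes": len(d["prefixes"]),
            "min_ttl": d["min_ttl"],
            "likely_fast_flux": (len(d["ips"]) >= min_ips
                                 and len(d["prefixes"]) >= min_prefixes
                                 and d["min_ttl"] <= ttl_limit),
        }
    return report


# Constructed lookups (not real data): the greeting-card link returns a
# different set of residential-looking addresses on each query with a TTL of a
# few minutes, while a normal site returns stable addresses with a long TTL.
SAMPLE_LOOKUPS = [
    ("valentine-card.example", "24.112.8.17", 180),
    ("valentine-card.example", "76.201.55.9", 180),
    ("valentine-card.example", "98.30.140.201", 120),
    ("valentine-card.example", "189.77.2.33", 180),
    ("valentine-card.example", "41.203.9.77", 120),
    ("valentine-card.example", "24.112.8.17", 180),
    ("valentine-card.example", "211.45.66.8", 120),
    ("valentine-card.example", "62.9.130.4", 180),
    ("static.example", "192.0.2.10", 3600),
    ("static.example", "192.0.2.11", 3600),
    ("static.example", "192.0.2.10", 3600),
]


if __name__ == "__main__":
    for domain, r in fast_flux_indicators(SAMPLE_LOOKUPS).items():
        print(domain, r)
```

Feed it the A records from a resolver log or from a loop that queries the suspect name every few minutes; the thresholds are a starting point and should be tuned against known-good CDN names in your own traffic.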

[More]
Training

"Application Code Security Review"  


A one day training workshop "Application Code Security Review" was conducted on March 25, 2009. The objective of this training workshop was to create awareness among IT professionals from Indian Govt./Public sector IT infrastructure and user organisations of different techniques for reviewing application code, and to train them to handle advanced attacks through hands-on practical sessions. Delegates were from Government, Corporate and critical sector organisations.

"Development of Secure Code Guidelines for .NET"

A one day training workshop "Development of Secure Code Guidelines for .NET" was conducted on March 18, 2009. The objective of this training workshop was to create awareness among IT professionals from Indian Govt./Public sector IT infrastructure and user organisations of the implementation of secure coding guidelines on the .NET platform, and to train them to handle advanced attacks through hands-on practical sessions. Delegates were from Government, Corporate and critical sector organisations.
Security Alerts

The critical and medium vulnerabilities in various Operating Systems, Application software and Network devices discovered during March 2009 and their countermeasures along with wide-spreading malicious code like virus/ worm/Trojan are given below:

High Vulnerabilities

Vendor | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Microsoft | Multiple Vulnerabilities in Windows Kernel and Windows DNS | March 12, 2009 | CIAD-2009-14
Microsoft | Multiple Vulnerabilities in Microsoft Windows DNS Server and WINS Server | March 12, 2009 | CIVN-2009-34
Microsoft | Microsoft Windows Secure Channel Security Package Authentication Bypass Vulnerability | March 12, 2009 | CIVN-2009-33
Microsoft | Microsoft Windows Kernel Code Execution and Privilege Escalation Vulnerabilities | March 12, 2009 | CIVN-2009-32
Solaris | Solaris Kerberos Incremental Propagation Remote Denial of Service Vulnerability | March 31, 2009 | CIVN-2009-40
Cisco | Cisco Unified Communications Manager IP Phone Privilege Escalation Vulnerability | March 23, 2009 | CIVN-2009-38
Cisco | Cisco Unified MeetingPlace Web Conferencing Authentication Bypass Vulnerability | March 04, 2009 | CIVN-2009-29
IBM | IBM Tivoli Storage Manager Buffer Overflow Vulnerability | March 17, 2009 | CIVN-2009-35
Linux | Linux Kernel 'rt_cache' Remote Denial of Service Vulnerability | March 23, 2009 | CIVN-2009-37
Novell | Novell eDirectory Management Console Request Buffer Overflow Vulnerability | March 19, 2009 | CIVN-2009-36
Mozilla | Multiple Vulnerabilities in Mozilla Products | March 31, 2009 | CIAD-2009-17
Mozilla | Multiple Vulnerabilities in Mozilla Products | March 09, 2009 | CIAD-2009-13
Opera | Multiple Vulnerabilities in Opera | March 04, 2009 | CIVN-2009-30
Sun | Multiple Vulnerabilities in Sun Java System Identity Manager | March 27, 2009 | CIAD-2009-15
Joomla | Multiple Vulnerabilities in Joomla | March 05, 2009 | CIAD-2009-12

Medium Vulnerabilities

Vendor | Title of Vulnerability | Discovery/Publish Date | CERT-In References & Patch Information
Linux | Linux Kernel Information Disclosure and Security Bypass Vulnerabilities | March 27, 2009 | CIVN-2009-39
Linux | Multiple Vulnerabilities in Linux Kernel | March 03, 2009 | CIAD-2009-11
MySQL | MySQL XPath Scalar Expression Handling Denial of Service Vulnerability | March 09, 2009 | CIVN-2009-31
Apache | Apache Tomcat Information Disclosure Vulnerability | March 04, 2009 | CIVN-2009-28
OpenSSL | OpenSSL Multiple Vulnerabilities | March 27, 2009 | CIAD-2009-16
Malicious Code Threats

Worm: Psybot
Type: Worm
Overview: It is reported that a stealth worm "Psybot" targeting home routers and DSL modems is in the wild. The worm infects any of a family of Linux mipsel devices that contain one of several administration interfaces. Devices with the following properties are reported to be vulnerable:
  • a mipsel (MIPS running in little-endian mode) device;
  • Telnet, SSH or web-based administration interfaces reachable from the WAN;
  • weak username/password combinations, or exploitable daemons in the firmware.
Aliases: No aliases found
Discovery Date: March 27, 2009
References: http://www.cert-in.org.in/virus/Worm_Psybot.htm

Worm: Tidserv
Type: Worm
Overview: It has been observed that a worm named Tidserv is spreading in the wild. It spreads by copying itself to removable drives. The worm also downloads potentially malicious files onto the compromised computer.
Aliases: No aliases found
Discovery Date: March 22, 2009
References: http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-032211-2952-99

Trojan.Xrupter
Type: Trojan
Overview: It has been observed that a Trojan named Xrupter is spreading in the wild. Upon successful installation on the compromised computer it encrypts the files it finds and sends those files to the attacker.
Aliases: Ransom-F [McAfee], Troj/Fakecor-A [Sophos]
Discovery Date: March 22, 2009
References: http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-032207-0838-99&tabid=2

Security News

Emerging threats: Cyber terrorism and cyber attacks
[Source: http://www.indianexpress.com/] 26 March 2009

While security agencies are coping with the terror attacks, cyber terrorism and cyber attacks have emerged as new threats with a capability to paralyse critical infrastructure of the country, a top government official said.

Cabinet Secretary K M Chandrasekhar said cyber attacks and cyber terrorism could be carried out in such a way that critical infrastructure could be completely paralysed.

"Cyber attacks and cyber terrorism are the new looming threats on the horizon. There could be attacks on critical infrastructure such as telecommunications, power distribution, transportation, financial services, essential public utility services and others," he said at the CBI's Conference on International Police Cooperation against Cyber Crime.

Chandrasekhar said the damage of such attacks could range from a simple shut down of a computer system to complete paralysis of a significant portion of critical infrastructure in a specific region or even the control nerve centre of the entire infrastructure.  

[More]

China becoming the world's malware factory
[Source http://www.computerworld.com/] 24 March 2009

With China's economy cooling down, some of the country's IT professionals are turning to cybercrime, according to a Beijing-based security expert.

Speaking at the CanSecWest security conference last week, Wei Zhao, CEO of Knownsec, a Beijing security company, said that while many Chinese workers may be feeling hard times, business is still booming in the country's cybercrime industry. "As the stock market dropped like a stone, a lot of IT professionals lost lots of money on the stock market," he said. "So sometimes they sell zero days," he said, referring to previously unknown software bugs.

"China is not only the world's factory, but also the world's malware factory," Zhao said.

China's red-hot economy has been hit by the global recession, and while the economy is still growing, technology companies such as Intel, Motorola and Lenovo have all laid off employees in China in recent months.

Last December, Chinese hackers found a previously undisclosed zero-day vulnerability in Internet Explorer. When employees of Zhao's company inadvertently published details of the bug on a public forum, Microsoft was sent scrambling to patch the issue. 

[More]

Conficker worm might originate from China
[Source:http://blogs.zdnet.com/] 30 March 2009

There's been a lot of fuss about the Conficker worm. However, there is a US$250,000 question: the origin of the virus.

This is the amount Microsoft is putting up as a reward for any information leading to an arrest related to the case. Folks at BKIS, a Vietnamese security firm that makes the BKAV antivirus software, announced that they found clues that the virus may have originated from China. Previously, there were rumors that it might have been from Russia or Europe.

The firm's conclusion is based on its analysis of the virus' coding. It found that Conficker's code is closely related to that of the notorious Nimda, a virus that wreaked havoc on the Net and e-mail in 2001. At that time, BKIS determined that Nimda was made in China based on the firm's own data.

It's important to note that the origin of Nimda was never verified. Though Nimda contained text indicating that it may have originated from China, this is in no way hard evidence.

[More]

Googling for Conficker clean-up information? Be careful
[Source: http://blogs.zdnet.com] 31 March 2009

If you're trawling the Web for information on disinfecting the Conficker worm,  be very, very careful.

Cyber-criminals are latching onto the hype around the Windows malware threat and have started registering domain names linked to Conficker and poisoning search results to trick users into installing fake anti-virus software programs.

According to this growing list maintained by the Conficker Working Group, at least one of the domains is actively serving malware. F-Secure dug into one of the domains and found a rogueware (fake anti-virus) campaign attempting to bilk users out of $39.95 for non-existent Conficker clean-up.

Yesterday, just hours after the release of enterprise scanning tools to help fingerprint the virulent worm, search results on Google were poisoned to serve malware for queries related to that news. In one instance, the top Google result for "nmap conficker" was serving up a redirect to a drive-by download exploit site.

[More]

Stealthy router-based botnet worm squirming
[Source:http://blogs.zdnet.com/] 25 March 2009

Researchers at DroneBL have spotted signs of a stealthy router-based botnet worm targeting routers and DSL modems.

The worm, called “psyb0t,” has been circulating since at least January this year, infecting vulnerable embedded Linux devices such as the Netcomm NB5 ADSL modem (above) and launching denial-of-service attacks on some Web sites.

Some characteristics:

  • It's the first botnet worm to specifically target routers and DSL modems
  • Contains shellcode for many mipsel devices
  • It's not targeting PCs or servers
  • Uses multiple strategies for exploitation, including brute-force username and password combinations
  • Harvests user names and passwords through deep packet inspection
  • can scan for exploitable phpMyAdmin and MySQL servers

According to this DroneBL blog post, the worm can infect any Linux mipsel routing device that has the router administration interface or sshd or telnetd in a DMZ, which has weak username/passwords (including openwrt/dd-wrt devices). 

[More]

Ericsson to enable wireless kill switch for laptops
[Source: http://arstechnica.com/] 31 March 2009

A laptop remote-kill switch has long been a fantasy of those paranoid about theft and service providers alike. And now, with the latest wave of subsidized notebooks coming out of wireless carriers, said switches are coming in the form of a new mobile broadband card from Ericsson. The card, designed to work on HSPA/GPRS/EDGE networks, is slated for release in June, and carries with it a number of innovative features. But the most interesting is that it supports certain security options that work with Intel's anti-theft technology, allowing carriers to send a signal that will lock down the machine and make it unusable.

Ericsson's F3607gw module boasts reduced power consumption, prolonged battery life, and increased integration with the OS. Ericsson specifically highlights the F3607gw's wake-on-wireless feature, which allows users to remotely wake the notebook at specific times, like when an important message is received or the computer has been stolen. 

[More]

New study details the dynamics of successful phishing

[Source: http://blogs.zdnet.com/] 10 March 2009

In a recently presented study by the Intrepidus Group, the company behind the PhishMe.com spear phishing awareness service allowing companies to ethically attempt to phish their employees on their way to build security awareness, presents some interesting key findings based on 32 phishing scenarios tested against a total of 69,000 employees around the world. Here they are:

  • 23% of people worldwide are vulnerable to targeted/spear phishing attacks
  • Phishing attacks that use an authoritative tone are 40% more successful than those that attempt to lure people through reward-giving
  • Men and women are both equally susceptible to phishing
  • On an average 60% of corporate employees that were found susceptible to targeted spear phishing responded to the phishing emails within three hours of receiving them
  • People are less cautious when clicking on active links in emails than when they are requested for sensitive data  

[More]

Cybercrime server exposed through Google cache
[Source: http://www.theregister.co.uk/] 23 March 2009

A reported 22,000 card records have been exposed through cached copies of data stored on a defunct cybercrime server.

iTnews in Australia reports that 19,000 of the 22,000 exposed details referred to US and UK cards and that data came from Google cache records of a disused internet payment gateway, a line picked up by Slashdot.

However, a security expert told us the information was actually from either a dump or attack site used for credit card fraud. This cybercrime site, registered by someone in Vietnam, is no longer operational.

The data - viewable through Google cache - includes credit card numbers, expiry dates, names and addresses for accounts held with Visa, Mastercard, American Express, Solo and Delta. The information remains available at the time of writing for anyone with the wit to formulate the correct search term.

First spotted by an anonymous Australian, details were posted on a now deleted thread on whirlpool.net.au. Reg readers have since independently located the sensitive information in Google's cache.

[More]

OpenSSL patches three security holes
[Source:http://blogs.zdnet.com/] 26 March 2009

The OpenSSL Project has released new versions of its popular implementation of the SSL v2/v3 and TLS protocols to fix three security vulnerabilities.

According to an advisory from the open-source group, the toolkit update fixes three security flaws that carry “moderate severity” ratings.

  • ASN.1 printing crash: The function ASN1_STRING_print_ex() when used to print a BMPString or UniversalString will crash with an invalid memory access if the encoded length of the string is illegal. (CVE-2009-0590)
    • Any OpenSSL application which prints out the contents of a certificate could be affected by this bug, including SSL servers, clients and S/MIME software.

  • Incorrect error checking during CMS verification: The function CMS_verify() does not correctly handle an error condition involving malformed signed attributes. This will cause an invalid set of signed attributes to appear valid and content digests will not be checked. (CVE-2009-0591)
    • These malformed attributes cannot be generated without access to the signer's private key so an attacker cannot forge signatures. A valid signer could however generate an invalid signature which appears valid and later repudiate the signature.

  • Invalid ASN.1 clearing check: When a malformed ASN.1 structure is received its contents are freed up and zeroed and an error condition returned. On a small number of platforms where sizeof(long) < sizeof(void *) (for example WIN64) this can cause an invalid memory access later resulting in a crash when some invalid structures are read, for example RSA public keys. (CVE-2009-0789)

[More]

Foxit PDF Reader being exploited in the wild
[Source:http://blogs.zdnet.com/] 25 March 2009

Adobe isn't the only PDF software maker facing in-the-wild malware attacks.

Just weeks after the availability of patches for critical security flaws in the popular Foxit Reader, there is word that malicious hackers are already targeting unpatched versions of the software.

According to Symantec's Sean Hittel:

  • On March 20, our honeypots began detecting exploits for the Foxit PDF reader. Although it is not clear if this specific attacker intentionally wanted to target users of the Foxit Reader who had installed and not updated their software, or if the exploit was simply added to the attack toolkit when it became public, users should nonetheless review their installations to ensure that they are not vulnerable to this attack. Foxit has fixed all known security vulnerabilities. 

[More] 

Easter Surprise For You
[Source https://forums2.symantec.com/] 26 March 2009

Easter is around the corner and as expected, attackers have already started to poison search engine queries to redirect users to websites that deliver misleading applications. Various search keywords related to Easter have been poisoned in Internet search results so that links to rogue websites are returned in the search listings. Some of the examples of poisoned keywords are:

Easter verse
Popular Easter Bible verse scriptures
Easter greeting card verses
Easter Bible verses
Easter verses poems
Bible Easter verse
Easter-Bible
Easter Bible quotes

Attackers are using various tricks, such as referrer checking, in order to evade security researchers. If the bogus domains returned in the search listing are visited directly, we will see a page with many Easter-related keywords and links used to bolster the page's search ranking. However, if the bogus links are clicked on from the search engine results, users will be redirected to malicious websites delivering misleading applications. In addition, the attackers are using "no-store, no-cache" in their HTTP headers so that these malicious pages are not stored or cached.
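The referrer trick described above can be defeated with the same two-request routine a responder would use in triage: fetch the page plainly, fetch it again with a search-engine Referer, and compare. The code below is an added example and not Symantec's; the cloaking server it contains is a constructed mimic of the behaviour in the report (the host names, the landing URL and the keyword page are assumptions), and the probe runs against that mimic so it works offline.

```python
from urllib.parse import urlparse

SEARCH_ENGINE_SUFFIXES = (".google.com", ".yahoo.com", ".live.com")
# Assumed names for the example; not hosts from the original report.
KEYWORD_PAGE = "<html>Easter Bible verses, Easter greeting card verses, Easter verses poems ...</html>"
ROGUE_LANDING = "http://rogue-scanner.example/scan.php"
NO_CACHE = "no-store, no-cache"


def came_from_search(headers):
    host = urlparse(headers.get("Referer", "")).hostname or ""
    return any(host == s[1:] or host.endswith(s) for s in SEARCH_ENGINE_SUFFIXES)


def cloaked_response(headers):
    """Mimic of the attacker's server (constructed): visitors arriving from a
    search result are redirected to the rogue site; everyone else, including a
    researcher typing the URL in, sees only the keyword-stuffed page. Both
    answers are marked uncacheable so no copy survives for later analysis."""
    if came_from_search(headers):
        return 302, {"Location": ROGUE_LANDING, "Cache-Control": NO_CACHE}, ""
    return 200, {"Cache-Control": NO_CACHE}, KEYWORD_PAGE


def probe_cloaking(fetch, url, search_referer="http://www.google.com/search?q=easter+bible+verses"):
    """Investigator side. fetch(url, headers) -> (status, headers, body).
    Request the page twice, plain and with a search-engine Referer, and report
    whether the site answers differently."""
    direct = fetch(url, {})
    via_search = fetch(url, {"Referer": search_referer})
    return {
        "direct_status": direct[0],
        "search_status": via_search[0],
        "redirect_target": via_search[1].get("Location"),
        "uncacheable": NO_CACHE in via_search[1].get("Cache-Control", ""),
        "cloaking": (direct[0], direct[1].get("Location"))
                    != (via_search[0], via_search[1].get("Location")),
    }


def demo():
    # Offline run against the mimic; a live probe would pass a real HTTP client
    # (one that does not follow redirects automatically) as `fetch`.
    return probe_cloaking(lambda url, headers: cloaked_response(headers),
                          "http://easter-verses.example/")


if __name__ == "__main__":
    print(demo())
```

When probing a live site, keep redirects disabled and record the Location header rather than following it, since the target is the rogue installer; a divergent answer between the two fetches is the cloaking signal, and the no-store headers explain why a search engine's cached copy will show only the harmless keyword page.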

[More]

Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari
[Source: http://blogs.zdnet.com/] 18 March 2009

A security researcher named “Nils” (he declined to provide his full name) performed a clean drive-by download attack against the world's most widely used browser to take full control of a Sony Vaio machine running Windows 7.

He won a cash prize and got to keep the hardware.  Details of the vulnerability, which was described by contest sponsor TippingPoint ZDI as a “brilliant IE8 bug!” are being kept under wraps.

Several members of Microsoft's security response team were on hand to witness the successful exploit.

“Nils” also scored a clean hit against Apple's Safari (he was the second hacker to exploit Safari) and, later in the afternoon, he exploited a Firefox zero-day flaw to claim the trifecta. 

[More]

Patch Those Internet Printers
[Source: http://www.avertlabs.com/] 17 March 2009

Usually administrators ignore the security of printer devices. They may think there is no harm even if the printer can be controlled remotely by an attacker.

The administration web interface of these LaserJets can be accessed without passwords. The attacker can use these LaserJets to print any documents from anywhere. Although attackers may not be able to reach the printouts, at least they can waste a lot of paper. Spammers can also post free advertising to companies if they connect to these printers.

[More]