This week in computer security

These hackers get more sophisticated every time:

Dear customer,

This is an automated notification sent from our account security system. You logined your account successfully at 4:27 on twelve 20th form the 125.87.108.* range, but our system shows the 125.10.151.* IP range exists a large number of hackers. As too many customer complaints, the 125.98.104.* IP range has been blacklisted.

We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, visit click:
http://us.battle.net.long.ykienr.in...t.com.cn/account/management/index.xml&app=bam

website fill out some information to facilitate our investigation.

Account security is solely the responsibility of the accountholder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.

If you ignore this mail your account can and will be closed permanently.
Once we verify your account, we will reply to your e-mail informing you that we have dropped the investigation.

Sincerely,
Blizzard account system
Blizzard Entertainment2013

Never heard of that one before, of course:
http://us.battle.net.long.ykienr.info
Nor that one:
www.battlenet.com.cn
 
Joined
Nov 5, 2006
Messages
21,908
Location
Old Europe
I used to get, among the other spam Yahoo sends to its users, Battlenet scams all the time. The funny thing is, I never had a Battlenet account. The last Blizzard game I bought was Warcraft 2, and I had AOL at the time, so basically no internet.

Heck, the last Activision game I bought was Call of Duty 2, which I thought was a far cry from the original, so I only played through it once and never again.

Since dumping my Yahoo accounts, I haven't gotten much spam.
 
Joined
Jun 28, 2007
Messages
2,742
Location
In the Middle of Nowhere
Joined
Nov 5, 2006
Messages
21,908
Location
Old Europe
Rule #1: Never ever click on links that contain the word "ref".
If there is no malware attached, those are usually part of a bigger fraud.

Rule #2: Never ever use your password outside of the application it's meant for.
If you're in the browser, make sure what's in the address bar is not a scam honeypot site made to look like the official site. This commonly happens with pay2win frauds where a 3rd party offers you already fraudulent in-game currency for free and asks you for your in-game password, and in the end your account gets stolen. No one would refuse a freebie in a pay2win game, and scammers know it.
 
Joined
Apr 12, 2009
Messages
23,459
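The address-bar check from Rule #2, applied to the two domains quoted in the first post, as an added example that is not part of either post. It pulls the host out of a URL, reduces it to the part somebody actually had to register, and compares that against the sites the mail claims to be from. Assumptions: the suffix table is a tiny hand-written stand-in for the real Public Suffix List, LEGITIMATE_DOMAINS is my guess at what Blizzard's real domains are, and the "@" variant in the demo is a constructed link, not one from the thread.

```python
"""Tell where a link really goes, independent of what its host name looks like.

Added example for the lookalike domains quoted in this thread; it is not
code from the original posts. Assumptions: the suffix table below is a tiny
hand-written stand-in for the Public Suffix List, and LEGITIMATE_DOMAINS is
the set of sites the phishing mail pretends to come from.
"""
from urllib.parse import urlsplit

# Assumed, minimal suffix table. Multi-label suffixes such as "com.cn" must
# be listed, otherwise "battlenet.com.cn" would collapse to just "com.cn".
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "cn", "com.cn", "de", "uk", "co.uk"}

LEGITIMATE_DOMAINS = {"battle.net", "blizzard.com"}


def registrable_domain(host: str) -> str:
    """Return the part of ``host`` that somebody actually had to register.

    Everything left of it is a subdomain the registrant picks freely, which is
    what lets a phisher put "us.battle.net" in front of "ykienr.info".
    """
    labels = host.lower().rstrip(".").split(".")
    # Longest trailing run that is a public suffix, plus one label to its left.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host.lower()


def classify_link(url: str) -> dict:
    """Report the real destination of ``url`` and whether it impersonates a site."""
    if "://" not in url:
        url = "http://" + url          # treat bare host names like the ones quoted
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    shown = parts.netloc.lower()       # what the eye sees before the first "/"
    squashed = shown.replace(".", "")  # catches "battlenet" spelled without the dot
    impersonates = sorted(
        d for d in LEGITIMATE_DOMAINS
        if d != reg and (d in shown or d.replace(".", "") in squashed)
    )
    return {
        "host": host,
        "registrable_domain": reg,
        "legitimate": reg in LEGITIMATE_DOMAINS,
        # "http://us.battle.net@evil.example/": browsers take the host after "@"
        "userinfo_trick": parts.username is not None,
        "impersonates": impersonates,
    }


if __name__ == "__main__":
    for link in (
        "http://us.battle.net.long.ykienr.info/account/management/index.xml",
        "www.battlenet.com.cn",
        "http://us.battle.net@ykienr.info/",      # constructed variant
        "https://us.battle.net/account/management/",
    ):
        r = classify_link(link)
        verdict = "OK" if r["legitimate"] else "PHISHING"
        print(f"{verdict:8} {r['registrable_domain']:20} {link}")
```

The point of `registrable_domain` is that "us.battle.net" appearing anywhere in a host means nothing; only the labels directly left of the public suffix were registered by anyone, and for both quoted links those are `ykienr.info` and `battlenet.com.cn`.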
What went pretty unnoticed until a few days ago was the ransomware CryptoLocker. The scam was classic: you get an unsuspicious e-mail, but if you unzip its attachment and execute it (it pretends to be a harmless PDF), you're screwed.
The malware, if executed, encrypts your files and asks $300 for a key to decrypt them back. It seems there is no way to crack the encryption key and get those files back, although I admit I didn't really visit all the underground sites I know of.

Now the case of the evil version of the "I love you" virus is not something I'd care about, but the problem went further: it evolved into a worm and is now spreading over the internet outside of e-mails! It's just a matter of days until visiting a random site or clicking on a random link would mean your data gets locked.

You may read about the current details here:
http://www.businessinsider.com/block-cryptolocker-virus-2014-1

Until a method of cracking the key is found, I've installed CryptoPrevent just to be safe.
 
Joined
Apr 12, 2009
Messages
23,459
If your files have been encrypted then I'd just as well presume they've been permanently deleted. I try to keep a backup of my most important files. And if you use an online file service with file versioning you're immunized against encryption.

Also want to plug, again, the excellent RequestPolicy extension for Firefox. It's a bit of extra work to visit sites, but it'll guard against most types of banner injections, as all external links used on a webpage must be whitelisted by you manually. Malware typically communicates with an unknown external site, so it cannot connect until you allow it.
 
Joined
Mar 30, 2008
Messages
1,163
Location
Scandinavia
Joined
Nov 5, 2006
Messages
21,908
Location
Old Europe
If you stumble upon a security issue that could make some company's life miserable, you should pretend not to see it and keep your mouth shut. Who cares if in the future something does happen with the data! Because if you tell someone, instead of thanks you'll face court.

At least in Australia:
http://www.theage.com.au/technology...ransport-victoria-website-20140107-30fkg.html
http://www.wired.com/threatlevel/2014/01/teen-reported-security-hole/
http://www.smh.com.au/it-pro/security-it/hacked-site-reports-boy-to-police-20140108-hv7tl.html

Can't remember if I've already written it on this site, but in Germany the court decided that watching any kind of stream is legal; only distribution (practically, storage of it) can be illegal. Yup, you're watching pr0n online from an illicit source and you're doing nothing wrong as long as it's not stored or distributed on/from your PC.
http://gigaom.com/2013/12/21/watchi...gal-german-court-says-as-it-changes-its-mind/


Australia? No. I want to live in Germany!!!
 
Joined
Apr 12, 2009
Messages
23,459
The German thing has a bigger background: the "Abmahn-Industrie" was hitting new heights.

The "Abmahn-Industrie" consists of a partnership of firms - sometimes so tiny no one ever noticed them before, or specially founded for this case - and lawyers hired to find breaches of copyright - and then send out Abmahn letters ("cease & desist").

In the German case, a lawyer tried this as well - seemingly by building a "honeypot", and then asking the court to give them the IP addresses of users.
It seems that this lawyer never had the rights for the streamed material, and they tricked users into going to a fake website which has a name similar to that of the streaming site.

Other lawyers have already sent in notifications regarding fraud against this lawyer, because of what I tried to explain above - English isn't my first language, and therefore I'm unfamiliar with law terms.

Not only did the court "mess things up", but in fact the court itself ( ! ) has been tricked into giving information to that lawyer which he was not allowed to get.

Still no one has translated the German term "Abmahn-Industrie" yet, seemingly there are too many nerds and too few lawyers on Wikipedia, all I can give you is this article: http://en.wikipedia.org/wiki/Abmahnung

One special thing about the German "Abmahn-Industrie" consists of the fact that the fee that is reached through a cease & desist letter is kept by the lawyer. So, this means that if he finds a willing ally, then this is money printing at large - depending on how many cease & desist letters are going out.
If a lawyer charges, let's say, 100 Euros per letter, and sends out 1000 of them - these numbers are nothing extraordinary nowadays here! - then the profits are 1000 x 100 Euros. For the lawyer. The ally ... I don't know. And some copyright holders are founded just for this case - similar to patent trolls. No one is able to prove that they get a share from these "profits", but everyone suspects it, then.
 
Joined
Nov 5, 2006
Messages
21,908
Location
Old Europe
Newest twist: the people standing behind this wave of "cease & desist" letters ("Abmahnwelle") are said to have fled elsewhere - they fear legal punishment, a newspaper article says.
 
Joined
Nov 5, 2006
Messages
21,908
Location
Old Europe
The German Federal Office for Information Security (BSI) got hold of 16 million stolen e-identities (e-mail address plus password) from one or many botnets.

Mainly Germans are affected by this.

They have built a special website for checking (so far it's in German only): https://www.sicherheitstest.bsi.de/

Every German forum user should check there to find out whether they are affected by the theft or not.
 
Joined
Nov 5, 2006
Messages
21,908
Location
Old Europe
Just got my very first find from Microsoft's anti-virus program - after doing the first half of a "full scan".

So, lesson learned: no matter how long it takes - please do a full scan once in a while!

The result was a "Hupigon.ZAK" backdoor trojan.

It also lists where I seemingly got this from:

Category: Backdoor

Description: This program provides remote access to the computer it is installed on.

Recommended action: Remove this software immediately.

Items:
containerfile:C:\Documents and Settings\PC1\My Documents\Downloads\perfmod_setup2.1.exe.zip
file:C:\Documents and Settings\PC1\My Documents\Downloads\perfmod_setup2.1.exe.zip->perfmod_setup2.1.exe

Description at Microsoft : http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Hupigon#tab=2

The other find was this :

Exploit:Java/CVE-2013-0431

Threat in context

Java is a general-purpose programming language, but cases of this exploit are targeted against the Java plug-in for web browsers. The intent of the Java plug-in is that Java programs (or "applets") can be offered by websites, and run in a "sandbox" where the Java plug-in enforces rules on what the Java applet can do so that it cannot escape restricted environment.

What is an exploit?

Exploits are written to take advantage of weaknesses (or vulnerabilities) in legitimate software. A project called Common Vulnerabilities and Exposures (or CVE) is used by many vendors and organizations and gives each vulnerability a unique number, in this case "CVE-2013-0431". The portion "2013" refers to the year the vulnerability was discovered, and "0431" is a unique identifier. There is more information on the Common Vulnerabilities and Exposures website.
Payload

Downloads and installs files

This exploit downloads and runs files from a remote host. The list of URLs used varies and are only active for a short time. The files that are downloaded can include other malware.

The exploits can run files from a hard-coded URL, or take instructions from the HTML file that loaded them - like loading a URL to run additional malware.

Additional information

Exploit:Java/CVE-2013-0431 uses a vulnerability that was first disclosed when Oracle released a patch in February 2013. The problem lies in the "com.sun.jmx.mbeanserver.Introspector" class which lets an insecure call to invoke a method of "java.lang.reflect.Method" class. An attacker can exploit this issue to bypass sandbox restrictions and run arbitrary code with elevated privileges.

The exploit attacks the security model instead of memory corruption issues. With memory corruption issues, the exploit is dependent on the specific CPU (Central Processing Unit) type and operating systems, and might be affected by mitigation technology like DEP (Data Execution Prevention) or ASLR (Address Space Layout Randomization).

Attacking the security model means that the exploit might be effective on any platform the Java interpreter is on; for example Windows, MacOS or Linux.

Usually the exploits are written using a few Java classes working together. The various class files are bundled into an archive called a JAR, which uses the ZIP file format. Every JAR contains a Manifest.MF file to identify itself to the Java Runtime Environment. Since it is usually found in every JAR, it won't be listed.

Below are some examples of files that exploit the vulnerability described in CVE-2013-0431:

53fe88cfa1405790d97684dc1a5e44c967b455ad
bQLbvMvB.class
HCbdWGC.class
LmrKVvsU.class
MWpWd.hmrf
MzHCrXWlvg.class
pCXrJlkjl.class
YAW.class
zEC.class
cc18b9aceebdaa6b9c420bad230c418075160976
Asd.class
codehex.class
d.class
hw.class
Impossible.class
RunnerGood.class
test.class
test2.class
bef7ebd285841f0f064597e5d7dfb79d248ccde8
cfnD.class
gcSo.class
klowOWkGN.class
lPgOyYffM.class
sHARLdBue.class
VbidYCG.hmrf
YHMrMtQohR.class
yMDIs.class
1a1607652fdd2e3a48ef8392dda559178998a194
BurkinoGoso.class
codehex.class
d.class
hw.class
Impossible.class
RunnerGood.class
54b965557266f2fc29b674750d1f5cd27cdd6cd4
ddp.class
DOkU.class
EeUMUfASp.hmrf
etwGk.class
NQUzDuEIK.class
PYJTIGaCe.class
QkQoLAOA.class
sfslGDub.class
tOKIA.class
1c22ab90fe81db14d69c52596287f6f9e9f055e9
dmq.class
dzsrrk.class
lem.class
mjcluzq.class
oxnadowf.class
pyt.class
rt.class
a0b32e4971d1b9c81dd7667e4db4e1d5cb3c98ad
EGYMsp.class
evJUJyJ.hmrf
FSKdGyKTTW.class
MJKMwLP.class
oegqxHDVz.class
PCMpjy.class
QRdcLx.class
rpjpq.class
WHXNv.class
210fd654b32c33e18665df745e4ac39c9bf4eb01
a.class
alj.class
izemubql.class
me.class
vwxgngt.class
xmd.class
xp.class
874c6b1a64145f8c17f83b67eab71f3e9cc2fb2d
acHthNK.class
bgWMw.class
cRdYJ.class
efbUDeuaSC.class
EqJHhipC.class
irn.class
lXVMM.class
qqpiNAuCR.class
SSuauhLQ.hmrf
dd3f18743914eb75df98a2c3e3b053377888e662
g.class
sox.class
Y.ser

The following articles explain some of the technical details of the weakness this vulnerability exploits:

Oracle Java SE Critical Patch Update Advisory - February 2013

Analysis by Tanmay Ganacharya
Symptoms

Alerts from your security software may be the only symptom.

Alert level: Severe
Detected by definition: 1.145.177.0 and higher
First detected on: Feb 21, 2013
This entry was first published on: Feb 21, 2013
This entry was updated on: Dec 11, 2013

This threat is also detected as:

Java/Exploit.Agent.NIF trojan (ESET)
Troj/JavaDl-SA (Sophos)
JV/Blacole-FET!29A92C3EEDD7 (McAfee)
Exploit-FET!CVE2013-0431 (McAfee)
Troj/JavaDl-UG (Sophos)
Trojan.Maljava (Symantec)
Exploit.CVE2013-0422.13 (Dr.Web)
Exploit-FET!Exploit-JAR (McAfee)
Mal/JavaJar-B (Sophos)
JV/Blacole-FHA!949BD2B7DE14 (McAfee)
Troj/JavaDl-FC (Sophos)
JAVA_EXPLOYT.BU (Trend Micro)
RDN/Generic Exploit!1mz (McAfee)
Troj/JavaDl-UL (Sophos)
Exploit.Java.458 (Dr.Web)
JV/Blacole-FHA!D0BA98FA1FE3 (McAfee)
Exploit.Java.461 (Dr.Web)
JV/Blacole-FHA!23C205BE86D0 (McAfee)
Java/Exploit.Agent.NLX trojan (ESET)
JAVA_EXPLOIT.WT (Trend Micro)
 
Joined
Nov 5, 2006
Messages
21,908
Location
Old Europe
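Two archives come up in this thread: the CryptoLocker mail attachment (a zip holding an executable that pretends to be a PDF, like the "perfmod_setup2.1.exe.zip" container in the scan result above) and the applet JARs in Microsoft's entry, which are zip files of obfuscated .class files, a manifest and the odd .hmrf or .ser blob. The triage script below is an added example, not code from the forum or from Microsoft: it hashes the container with SHA-1 (the 40-hex-digit form the encyclopedia's sample list uses), reads the first bytes of each member instead of trusting its name, and flags double extensions, name/content mismatches, and non-class or serialized members inside a JAR. Both archives are constructed in memory for the demo; their member names and contents are assumptions modelled on the listing above.

```python
"""Offline triage of a downloaded archive: hash the container, list its
members, and flag an executable zipped and named like a document, or an
applet JAR made of obfuscated .class files plus odd blobs.

Added example, not code from the forum or from Microsoft's encyclopedia.
Both archives are constructed in memory; names and contents are assumptions.
"""
import hashlib
import io
import zipfile

DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# The first bytes say what a file is; the name says what it wants to look like.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xca\xfe\xba\xbe", "java-class"),
    (b"\xac\xed\x00\x05", "java-serialized"),
]


def sha1_hex(data: bytes) -> str:
    """SHA-1, the 40-hex-digit form used in the encyclopedia's sample list."""
    return hashlib.sha1(data).hexdigest()


def content_type(head: bytes) -> str:
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_member(name: str, head: bytes, is_jar: bool) -> dict:
    """Flags a triage analyst would raise for one archive member."""
    base = name.rsplit("/", 1)[-1].lower()
    exts = ["." + p for p in base.split(".")[1:]]
    kind = content_type(head)
    flags = []
    # "invoice.pdf.exe": Windows runs it by the last extension; Explorer hides it.
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        flags.append("double-extension")
    if exts and exts[-1] in DOCUMENT_EXTS and kind in ("pe-executable", "zip"):
        flags.append("content-mismatch")
    if kind == "pe-executable":
        flags.append("executable")
    if is_jar and not base.endswith(".class") and base != "manifest.mf":
        flags.append("non-class-in-jar")
    if kind == "java-serialized":
        flags.append("serialized-object")
    return {"name": name, "type": kind, "flags": flags}


def triage_archive(data: bytes) -> dict:
    """Hash the container and inspect every member without extracting to disk."""
    report = {"sha1": sha1_hex(data), "is_jar": False, "members": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        report["is_jar"] = "META-INF/MANIFEST.MF" in zf.namelist()
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # enough for every magic above
            member = inspect_member(info.filename, head, report["is_jar"])
            member["size"] = info.file_size
            report["members"].append(member)
            report["suspicious"] = report["suspicious"] or bool(member["flags"])
    return report


def build_zip(members: dict) -> bytes:
    """Demo helper: build a zip archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample 1: a Windows executable named as if it were a PDF, zipped.
MAIL_ATTACHMENT = build_zip({"Invoice_2014.pdf.exe": b"MZ" + b"\x90" * 200})

# Constructed sample 2: an applet JAR shaped like the encyclopedia listing.
APPLET_JAR = build_zip({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
    "YAW.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x33",
    "zEC.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x33",
    "MWpWd.hmrf": b"\x17\x42\xa9\x00 opaque blob",
    "Y.ser": b"\xac\xed\x00\x05sr\x00",
})

if __name__ == "__main__":
    for label, blob in (("mail attachment", MAIL_ATTACHMENT), ("applet jar", APPLET_JAR)):
        rep = triage_archive(blob)
        print(f"{label}: sha1={rep['sha1']} jar={rep['is_jar']} suspicious={rep['suspicious']}")
        for m in rep["members"]:
            print(f"  {m['name']:24} {m['type']:16} {','.join(m['flags']) or '-'}")
```

Nothing is written to disk and no member is executed; the eight bytes read per member are enough to tell a PE file, a class file or a serialized Java object apart, which is what you want before deciding whether to submit the hash anywhere.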
Internet Explorer again: http://www.fireeye.com/blog/uncateg...ises-us-veterans-of-foreign-wars-website.html

Something called the "Ebury rootkit" is infecting Unix-based systems, it seems: https://www.cert-bund.de/ebury-faq

Routers by "Synology" (what a name) were used as Bitcoin miners. I don't have any English-language article on that, only a forum entry: http://forum.synology.com/enu/viewt...sid=a9b61143dcd1d60c183a03ab4a2072f6&start=15

FTP servers are seemingly more and more used to place infected program code there (code, not full programs!): http://www.computerworld.com/s/arti...redentials_i_New_York_Times_i_among_those_hit

So, placing infected program code is lowering the level of infection from program to "pre-program", so to say.

I predict that one of the last targets will be the program code of compilers …
 
Joined
Nov 5, 2006
Messages
21,908
Location
Old Europe
Joined
Apr 12, 2009
Messages
23,459
Well, I've read that Bitcoin is currently under pressure anyway.
Today's newspaper says that a major Bitcoin trading company has closed, its offices are empty, and the staff gone.
 
Joined
Nov 5, 2006
Messages
21,908
Location
Old Europe
Yes.
Mt. Gox went down after the discovery of a software glitch that resulted in the theft of 744K bitcoins. That's about $120 million.
Due to the system's structure of no transaction cancellation and pseudonym-only usage, it's now impossible to find out where those bitcoins ended up.

The whole thing will probably make "customers" switch to other similar frauds like Litecoin and Dogecoin.

Honestly, if you're not a tyrant who has to escape because revolutionaries want to kill you, where the only way to take the money out of the country with you is to use Bitcoin or something similar, I don't see any reason to use it. Okay, you can use it for money laundering.
 
Joined
Apr 12, 2009
Messages
23,459
Be careful how you spend your bitcoins! Never used it myself, but I think it's an interesting concept, like how transactions are created using bitmining. Bitmining is a competition to find a small number that can be used as an identifier for a bulk of transactions. You pay with your CPU power (and watts), searching for this number, and get rewarded with bitcoins. You can even buy specialized CPUs for this.
 
Joined
Mar 30, 2008
Messages
1,163
Location
Scandinavia
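The "small number" in the post above is a nonce, and the identifier is a hash that has to come out below a target. The toy below makes that concrete; it is an added example, not from the post and not Bitcoin's real block format (which hashes a fixed 80-byte header and retunes its target on a schedule). The sample transactions are constructed strings, and difficulty is expressed as a count of leading zero bits so you can watch the cost grow as the target shrinks.

```python
"""Toy proof-of-work: what "searching for a small number" in the post means.

Added example, not from the original post and not Bitcoin's real block
format. The identifier of a batch of transactions is SHA-256 over the
previous hash, the transactions and a counter (the nonce); mining means
trying nonces until that hash is below a target. Halving the target
doubles the expected number of hashes, i.e. the CPU time and electricity
a miner pays before being rewarded.
"""
import hashlib
import time


def block_hash(txs, prev_hash, nonce):
    """Hash of the whole batch; changing one transaction changes it."""
    payload = prev_hash + "\n" + "\n".join(txs) + "\n" + str(nonce)
    return hashlib.sha256(payload.encode()).digest()


def target_for(difficulty_bits):
    """A hash counts as a solution when it has this many leading zero bits."""
    return 1 << (256 - difficulty_bits)


def mine(txs, prev_hash, difficulty_bits, max_tries=1 << 22):
    """Try nonces in order; return (nonce, hash_hex, tries) or None on budget exhaustion."""
    target = target_for(difficulty_bits)
    for nonce in range(max_tries):
        h = block_hash(txs, prev_hash, nonce)
        if int.from_bytes(h, "big") < target:
            return nonce, h.hex(), nonce + 1
    return None


def verify(txs, prev_hash, nonce, difficulty_bits):
    """One hash to check what took many hashes to find: that asymmetry is
    why every node can cheaply accept a block somebody else paid to produce."""
    h = block_hash(txs, prev_hash, nonce)
    return int.from_bytes(h, "big") < target_for(difficulty_bits)


# Constructed sample batch: plain strings stand in for real transactions.
SAMPLE_TXS = ["alice->bob 0.5", "bob->carol 0.2", "carol->dave 0.1"]
GENESIS = "00" * 32  # previous-block hash for the first block

if __name__ == "__main__":
    for bits in (8, 12, 16):
        t0 = time.perf_counter()
        nonce, hex_hash, tries = mine(SAMPLE_TXS, GENESIS, bits)
        print(f"{bits:2d} bits: nonce={nonce:6d} tries={tries:6d} "
              f"{time.perf_counter() - t0:6.3f}s hash={hex_hash[:12]}...")
    nonce, _, _ = mine(SAMPLE_TXS, GENESIS, 16)
    tampered = ["alice->bob 5.0"] + SAMPLE_TXS[1:]
    print("original verifies:", verify(SAMPLE_TXS, GENESIS, nonce, 16))
    print("tampered verifies:", verify(tampered, GENESIS, nonce, 16))  # almost surely False
```

Each extra bit of difficulty doubles the expected number of tries, which is the "paying with CPU power and watts" part; verification stays at one hash regardless, which is why the rest of the network can accept the result cheaply.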