
Thursday, October 24, 2013

Google blacklist blocking php.net

Google's safe browsing API, a security blacklist service which warns of malicious web sites, has marked the php.net site as malicious. As a result, users of Google Chrome and Mozilla Firefox get a dire warning when attempting to visit the site.

Read more here:

Note:  Also, be aware of the comments section under the article.  There is a bit of banter going on about 1) it being a non-newsworthy event, since Google did what it was supposed to do, i.e., it was not a false positive; 2) a reader insisting that it was a false positive and that Google has a habit of blocking small business owners, causing them financial woes; and 3) a reader pointing out that Netcraft detected possible malware at php.net (substantiated by a Hacker News analysis), which supports Google's claim.

Thursday, February 21, 2013

Mandiant APT2 PDF Malware

That didn't take long at all.

http://blog.9bplus.com/mandiant-apt2-report-lure

https://threatpost.com/en_us/blogs/spear-phishing-campaigns-use-fake-mandiant-apt1-report-lure-022113

http://www.symantec.com/connect/blogs/malicious-mandiant-report-circulation

So, I got a notification from corporate security that there was a piece of malware around that is taking advantage of the popularity of Mandiant's APT1 report.  That's a huge deal, but one should really be checking downloads against Mandiant's posted MD5s anyway.

Bottom line:  do not open it (verify the PDF if you can...if you can't, don't open it).

I've reported it to ISC.
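The check recommended above, comparing a downloaded copy of the report against the publisher's posted MD5s, written out as an added Python example (not code from the original post or from Mandiant). It assumes the posted list is in md5sum style ("digest  filename"); the PDF bytes, the hash list and the file name used here are constructed placeholders, not the real report or its published digest.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    """MD5 digest of a byte string as lowercase hex (the format publishers post)."""
    return hashlib.md5(data).hexdigest()


def parse_hash_list(text: str) -> dict:
    """Parse md5sum-style lines ('digest  filename', assumed format) into {filename: digest}.

    Blank lines and '#' comments are skipped; a line that is not a 32-hex digest
    followed by a name is treated as malformed rather than silently ignored.
    """
    hashes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            raise ValueError("malformed hash list line: %r" % line)
        digest, name = parts
        # md5sum prefixes names with '*' when it hashed in binary mode; strip it.
        hashes[name.lstrip("*")] = digest.lower()
    return hashes


def verify_download(data: bytes, name: str, hashes: dict) -> bool:
    """True only if the file's MD5 equals the published one for this name.

    A name that is not on the posted list fails closed: an unlisted file is
    exactly the case where the document should not be opened.
    """
    expected = hashes.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(md5_hex(data), expected)


# Constructed sample data: a stand-in for the genuine report, a tampered copy,
# and the hash list the publisher would post. None of this is the real file.
GENUINE_PDF = b"%PDF-1.4\n% constructed stand-in for the report, not the real file\n"
TAMPERED_PDF = GENUINE_PDF + b"% appended bytes standing in for a lure's changes\n"
REPORT_NAME = "APT1_Report_placeholder.pdf"  # placeholder file name
POSTED_HASHES = "# constructed hash list\n%s  %s\n" % (md5_hex(GENUINE_PDF), REPORT_NAME)


if __name__ == "__main__":
    hashes = parse_hash_list(POSTED_HASHES)
    for label, blob in (("genuine", GENUINE_PDF), ("tampered", TAMPERED_PDF)):
        ok = verify_download(blob, REPORT_NAME, hashes)
        print(label, "OK" if ok else "MISMATCH, do not open")
```

The comparison uses `hmac.compare_digest` out of habit rather than necessity here; the point that matters is failing closed on an unknown name and on any byte-level change. MD5 is collision-broken, so where a publisher offers a SHA-256 alongside it, check that one instead; the parsing and comparison logic is the same.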


Saturday, December 01, 2012

w32.changeup

I was at work this week and a teammate mentioned that w32.changeup might be a concern to our client base.  We try to proactively alert our clients on what could affect them without needlessly spamming them (we try to weed through the hype as well).  The vendors already have the technical write-ups, so I'll spare the readers my thoughts on that.  But I will say that the worm was first discovered a year ago...it's an older worm but the new variants appear to be enhanced, and there's a large spike in infections across the world.  As well, the worm is apparently difficult to remove if not using AV tools.

In my research, I discovered the following:


  • When using Symantec as a resource, it is difficult to determine which variant is being discussed, which leads to confusion and not being fully aware of possible impact.  There are 32 variants of this worm and in most of Symantec's articles, knowledge-base entries, and blog/forum posts, the authors rarely mention the variants that could negatively affect users.

  • As well, there aren't many other vendors that can detect and/or remove infections, so it is critical that rare resources be accurately documented (as much as possible, at least).

  • I became curious if any other vendor could detect (and/or remove) the worm, but because I didn't know a common name for this worm that the industry was collectively using, it was difficult to find additional details.  Finally, I stumbled across this:  http://www.symantec.com/connect/blogs/w32changeup-worm-any-other-name, which is the Symantec Blog.  It lists several vendor names of the worm.  It is highly annoying that I had to visit Symantec's site to find what McAfee named the worm.

I hate researching worms and viruses because there are no real standards that the AV industry follows.


*Resources:

http://www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99
http://www.symantec.com/security_response/writeup.jsp?docid=2012-112709-5049-99&tabid=2
http://www.symantec.com/security_response/writeup.jsp?docid=2012-112709-5049-99&om_rssid=sr-latestthreats30days
http://www.symantec.com/connect/blogs/w32changeup-worm-any-other-name
http://www.symantec.com/connect/blogs/w32changeup-threat-profile
https://kc.mcafee.com/corporate/index?page=content&id=KB76807
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=1607456

Thursday, August 26, 2010

E-mail Malware Attempt

I got an e-mail from a friend.  It had an empty subject line and one URL in the body.  Twenty others were sent the same e-mail.

I notified the sender that they had an issue.  I then decided to use Web-Sniffer to attempt to visit the link and do a quick investigation.

When visiting via the web proxy, I observed the following:

The web server was up and running, serving content but threw a code 302.  It also may have attempted to redirect to hxxp://uvuhjomuph.com (I obfuscated the link).  Clicking that URL takes me to an ED page (erectile dysfunction):

Googling that domain, I got at least one good hit:

So, my friend more than likely got phished and her e-mail account is now throwing out spam for penile meds.  :(

Wednesday, August 25, 2010

Failure of controls...Spanair crash caused by a Trojan

Several readers have pointed us to an article about the preliminary report of the Spanair flight that crashed on takeoff in 2008 killing 154. The article suggests that a Trojan infected a Spanair computer and this prevented the detection of a number of technical issues with the airplane. The article speculates that if these issues had been detected the plane would not have been permitted to attempt take off.

NOTE:  Another article is here.  Another is here, and this one supports the error being on the pilots' behalves (bad pre-flight checks).

Wednesday, May 05, 2010

Twitter Spam

I looked in my e-mail going back a few days and saw the above e-mail.  It looks legit, right?  It appears to be coming from a Twitter engineer, but look at my mouseover...there's a different URL behind the one showing and it looks to be suspicious.


I've gotten six of these since April 21st and I know that they're phishing-related.  Most people don't know this, though.  While some people suspect this type of e-mail, others are asking, "WTF is this?"

Tips:

1. Turn off HTML rendering in your e-mail client, as this prevents accidental clicking of malware/spyware/phishware links.

2.  If you prefer to leave HTML rendering on and your OS or e-mail client supports link mouseover, you should be able to see what site you'd be directed to if you clicked the link.  If the link isn't related to Twitter, then you know that something isn't right about that e-mail.
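The mouseover check in tip 2 can be done mechanically over the raw HTML of a message: pull out every anchor, and compare the host the visible text advertises with the host the href actually points to, plus whether that host sits under the sender's claimed domain. Below is an added Python example of that comparison (not code from the original post or from any mail client); the sample message body and its hostnames are constructed placeholders, not the URL behind the e-mail described above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of an HTML e-mail body; the hostnames are placeholders.
SAMPLE_EMAIL_HTML = """
<p>Hi, please confirm your account:</p>
<a href="http://login.suspicious-example.test/twitter">http://twitter.com/account/confirm</a>
<p>Or use the short form:</p>
<a href="http://www.bad-example.test/x">twitter.com</a>
<p>Thanks, the team</p>
<a href="https://support.twitter.com/help">Help Center</a>
"""

# Text that looks like a bare domain, optionally followed by a path.
_DOMAINISH = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    """Return [(visible_text, href), ...] in document order."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host_of(url):
    """Lowercase hostname of a URL, or '' if there is none or it is malformed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def shown_host_of(text):
    """Host a link's visible text advertises: a full URL or a bare domain, else ''."""
    text = text.strip()
    if "://" in text:
        return host_of(text)
    if _DOMAINISH.match(text):
        return text.split("/", 1)[0].lower()
    return ""


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def find_deceptive_links(html, expected_domain):
    """Flag links whose href leaves expected_domain or contradicts their visible text."""
    findings = []
    for text, href in extract_links(html):
        href_host = host_of(href)
        shown_host = shown_host_of(text)
        reasons = []
        if not in_domain(href_host, expected_domain):
            reasons.append("href host %r is outside %s" % (href_host, expected_domain))
        if shown_host and shown_host != href_host:
            reasons.append("visible text shows %r but href goes to %r" % (shown_host, href_host))
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL_HTML, "twitter.com"):
        print(f["text"], "->", f["href"])
        for r in f["reasons"]:
            print("   ", r)
```

Only the last link in the sample survives: its host is a subdomain of the claimed sender and its text does not advertise a different one. The two checks are deliberately separate, since a message can fail either one alone (a link to an unrelated host whose text is just "click here", or a link whose text names one site while the href names another).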

These phishers are beginning to get crafty, and in a subtle manner.  It's sad that we have to suspect any official e-mails as bad as a first step.

Bottom Line:  Don't click on those links if you're getting these types of e-mails.

Sunday, March 30, 2008

Firekeeper, an IDPS system (plugin) for Firefox

http://isc.sans.org/diary.html?storyid=2403 explains Firekeeper, an IDS/IPS Firefox browser plugin.

I'm running it on two machines that run Slackware (versions 11.0 and 12.0). I may throw it on my work machine (which runs Windows XP), but that may be a bit daring.

Firekeeper's homepage is at http://firekeeper.mozdev.org/installation.html

Please share your experiences with this plugin...this is a great idea and may be a Holy Grail for malware that infects via browsers.

Also, I've found what may be a good security site, http://www.megasecurity.org/Main.html. It may take me a while to read, as it has tons of data, it seems.