Posted by Avik Sarkar
On 1/18/2013 06:49:00 pm
DHS & US-CERT Recommended to Disable Java in Web Browsers Unless It's Absolutely Necessary
The running time is proving to be the worst period for Java, as it has been walking under serious security issues. Yet again security researchers have pointed out a zero-day security vulnerability in the Java program that hackers are exploiting. The exploit takes advantage of a vulnerability left open in Java 7 Update 10, released in October last year. It works by getting Java users to visit a website with malicious code that takes advantage of a security gap to take control of users' computers. Thus how Java is being used by cyber criminals to infect computers with malware. Oracle, hasn't specified the number of users who have downloaded Java 7 Update 10. However, Java runs on more than 850 million computers and other devices. When Oracle released Update 10, so it is predictable that more than 850 million devices run by Java is under threat. The exploit was first discovered by French researcher Kafeine, who claimed to have found it running on a site registering hundreds of thousands of page views daily. From that site, immediately that vulnerability and a large number of effected devices has been spotted in the wild. In Java 7 Update 10 the creator of Java, Oracle added several security control and fixed older bugs and promised more security enhancement, but its very unfortunate that Oracle failed to keep their promise. What ever after this newly discovered 0-day hole spotted wildly, Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe, but distinct vulnerability (CVE-2012-3174). Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets. It "strongly recommends" that Java SE 7 users upgrade immediately to avoid all kind of security hazards.
After seeing all the drama, many of you have failed to keep trust in Java, and you all will be relieved when you will gone through the security advisory of CERT (Computer Emergency Response Team) where they have clearly instructed to disable Java in your popular web-browser. In their official release CERT said "Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future."
You will see similar advice in the advisory posted on the official DHS US-CERT website where DHS also suggested to disable Java until and unless it is that much necessary. "To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment." - said U.S. CERT in their advisory.
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 8/30/2012 01:39:00 am
0-day Vulnerability Found in Java Spotted in the Wild
Yet another 0-day vulnerability found by FireEye's Malware Intelligence Lab that affects all the latest version of Java , including the current Java 7 update 6, are also vulnerable to the hole that is already being exploited in the wild. With the publication of a vulnerability notice by the US-CERT and warnings from the German BSI (Federal Office for Information Security), the best advice for all users is to disable Java applets in their browsers on all operating systems. The vulnerability can be exploited when a user visits a specially crafted web site and can be used to infect a system with malware. The code to exploit the problem is already available on the internet, making its use for infecting systems very likely. There is no patch available for the flaw so it is essential that users disable the Java plugins used by their browsers. Instructions for the various browsers can be found below:
Several security firms have already declared that, this newly found Java exploit had been added to Blackhole, a popular hacker's tool that bundles numerous exploits and tries each in turn until it finds one that will work against a personal computer. "Exploit code for the Java vulnerabilities has been added to the most prevalent exploit kit out there, Blackhole," said Websense in a short post on its company blog. The addition of the exploit to Blackhole was cited by FireEye researcher Atif Mushtaq in a similar blog entry yesterday as the basis for a spike in attacks. "After seeing the reliability of this attack, I have no doubt in my mind that within hours the casualties will be in the thousands," said Mushtaq.
-Source (The-H, CW)
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 9/28/2012 04:42:00 am
Researcher Figure-out Yet Another Java Hole That Puts 1 Billion Users at Risk
Just as
Oracle is
ramping up for the September 30 start of
JavaOne 2012 in San Francisco yet again another critical
Java vulnerability has been spotted in the wild. The Polish security researcher
Adam Gowdiak has found another
vulnerability in Java that could allow an attacker to bypass the sandbox. This newly discovered security hole has effected all latest versions of Oracle Java SE software. According to Security Explorations researcher Adam Gowdiak, who sent the
email to the Full Disclosure Seclist, this Java exploit affects
“one billion users of Oracle Java SE software.” So far the researcher were able to successfully exploit the vulnerability and achieve a complete Java security sandbox bypass
in the environment of Java SE 5, 6 and 7. Researcher could only claim such an impact with reference to Java 7 environment (the
Apple QuickTime attack relying on Issues 15 and 22 is the only exception here).
The following Java SE versions were verified to be vulnerable:
- Java SE 5 Update 22 (build 1.5.0_22-b03)
- Java SE 6 Update 35 (build 1.6.0_35-b10)
- Java SE 7 Update 7 (build 1.7.0_07-b10)
All tests were successfully conducted in the environment of a fully patched Windows 7 32-bit system and with the following web browser applications:
- Firefox 15.0.1
- Google Chrome 21.0.1180.89
- Internet Explorer 9.0.8112.16421 (update 9.0.10)
- Opera 12.02 (build 1578)
- Safari 5.1.7 (7534.57.2)
So far there are no reports that the vulnerability is being exploited for attacks. Oracle has not said whether or when it will close the vulnerability. Here we want to remind the very recent history, when several
zero day vulnerability was found in
all the version of java, which was added on
BlackHole Exploit kit. Later Oracle released a
patch to close the security hole.
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 8/31/2012 06:06:00 pm
Oracle Released Emergency Update to Patch Java 0day (CVE-2012-4681)
Zero-day vulnerabilities in Java, which was on the spotlight for last few days; takes a new direction. Several security firms have already declared that, this newly found Java exploit had been added to Blackhole, a popular hacker's tool that bundles numerous exploits and tries each in turn until it finds one that will work against a personal computer. As expected Oracle has released an emergency update to address those zero-day vulnerabilities. This Security Alert addresses security issues CVE-2012-4681 (US-CERT Alert TA12-240A and Vulnerability Note VU#636312) and two other vulnerabilities affecting Java running in web browsers on desktops. These vulnerabilities are not applicable to Java running on servers or standalone Java desktop applications. They also do not affect Oracle server-based software.
These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.
In addition, this Security Alert includes a security-in-depth fix in the AWT subcomponent of the Java Runtime Environment.
Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2012-4681 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.
Supported Products Affected
Security vulnerabilities addressed by this Security Alert affect the products listed in the categories below. Please click on the link in the Patch Availability column or in the Patch Availability Table to access the documentation for those patches.
Affected product releases and versions:
| Java SE | Patch Availability |
|---|
| JDK and JRE 7 Update 6 and before | Java SE |
| JDK and JRE 6 Update 34 and before | Java SE |
Patch Availability Table and Risk Matrix
Java SE fixes in this Security Alert are cumulative; this latest update includes all fixes from previous Critical Patch Updates and Security Alerts.
Patch Availability Table
Also Java 7 Update 7 is now available to download for Windows (32- and 64-bit), Linux (32- and 64-bit), Mac OS X (64-bit), Solaris x86 (32- and 64-bit) and Solaris SPARC (32- and 64-bit). JDKs with the updated Java runtimes are also available. Users with Java installed on their systems, whatever operating system, should install the updates as soon as possible because malicious software that uses the vulnerability is already in circulation. For detailed information click here.
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 11/29/2011 05:32:00 pm
Security researcher and journalist Brian Krebs has found evidence that a recently discovered vulnerability in Java is being added to the 'BlackHole' exploit kit. The vulnerability was discovered a few weeks ago and makes use of the Rhino Script Engine to run arbitrary code outside the sandbox. Following a patch released by Oracle, the exploit works against all but the latest versions of Java.
Although there is evidence suggesting that this exploit is currently only used to target computers running Windows, the fact that Java is cross-platform makes these vulnerabilities popular for those who want to attack other operating systems, such as Mac OS X. Java exploits are therefore commonly used in exploit kits such as 'BlackHole'. This kit, which can be bought on the black market, attempts to gain access to the victim's system via exploits in commonly used browser add-ons such as Java, Flash and Adobe Reader. It is usually embedded into legitimate but hacked websites via hidden iframes, making those who avoid the more obscure corners of the Internet just as vulnerable to such attacks. Making sure software is always up to date (or in the case of Java, as Krebs suggests, uninstalled when not needed) is thus an essential step Internet users should take to keep their computers secure.
The sad irony is that 'customers' of 'BlackHole' are having their kits automatically 'patched' to include this latest exploit, Krebs found on underground forums. This is yet another sign of how cybercriminals have become as professional as legitimate software companies.
For more information click Here
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 3/11/2013 02:55:00 am
Pwn2Own 2013 Result: Chrome, Firefox, IE, Adobe Reader, Flash & Java Owned Only Safari Survived
Couple of months ago we have talked about 'Pwn2Own 2013' hacking contest sponsored by HP TippingPoint, ZDI and Google where the most famous and widely used browsers have to face challenges
. Now the result of this long awaited
security competition
has came which is showing that the entire browser security landscape can change in a single day, as browsers thought to be secure are proven to be otherwise. Of the Big Four browsers, only
Apple's Safari has so far survived the onslaught of the browser-breakers where
Chrome,
Internet Explorer 10 and
Firefox all fell to the mercy of the hackers.
Not only browsers but also three other popular applications that is Adobe Reader, Flash Player and yet again Java fallen victim to hackers at 'Pwn2Own'. And for Java it was a true disaster as Java fell
three times, though under the contest rules, only the first attacker was due to win the
$20,000 prize.
Vupen, a renowned security research firm based in France, cracked both Firefox and Internet Explorer. It roughly explained the attack in a
tweet,
“We’ve pwned Firefox using a use-after-free and a brand new technique to bypass ASLR/DEP on Win7 without the need of any ROP.” This bug hint leads them winning
$100,000 for finding a huge hole. Again in a
tweet, Security firm
Vupen explained
“We’ve pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass.” Lastly, U.K.-based security firm
MWR Labs cracked Chrome and also gained full control of the operating system, this time Windows 7. It also
“demonstrated a full sandbox bypass exploit.” The company explained in a
blog post that it found a zero-day in Chrome
“running on a modern Windows-based laptop.” It was able to exploit the
vulnerability by performing a very similar attack to what took down
Facebook,
Microsoft, and a number of other
well-known companies: It had the laptop visit a malicious website.
Now lets take look at the final score board of Pwn2Own 2013:
Wednesday:
1:30 - Java (James Forshaw) PWNED
2:30 - Java (Joshua Drake) PWNED
3:30 - IE 10 (VUPEN Security) PWNED
4:30 - Chrome (Nils & Jon) PWNED
5:30 - Firefox (VUPEN Security) PWNED
5:31 - Java (VUPEN Security) PWNED
Thursday:
12pm - Flash (VUPEN Security) PWNED
1pm - Adobe Reader (George Hotz) PWNED
2pm - Java (Ben Murphy via proxy) PWNED
The total damage to the prize fund comes out at a whopping $480k. With HP's announcement that everyone will get paid for each attack, the prize monies will be divvied up as follows:-
- James Forshaw: Java = $20K
- Joshua Drake: Java = $20k
- VUPEN Security: IE10 + Firefox + Java + Flash = $250k
- Nils & Jon: Chrome = $100k
- George Hotz: Adobe Reader = $70k
- Ben Murphy: Java = $20k
As you all know that the main motive of these contest is to make applications, software more safe and secure while figuring out hidden vulnerabilities Here also for
Pwn2Own the security holes figured out by the above experts have already been submitted and taken carefully by those organization along with that, the expected
patch for the browsers have already been released. Those who are still using the older version of those above applications are requested to update their system. So, stay tuned with
VOGH and be safe on the Internet.
-Source (HP, Naked Security)
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 9/06/2012 04:31:00 pm
Hackers Sending Rogue 'Microsoft Services Agreement' Emails Exploiting Java Vulnerability
Cyber criminals are distributing mass on the internet while sending rogue email notifications about changes in
Microsoft's Services Agreement to trick people into visiting
malicious pages that use a recently circulated
Java exploit to infect their computers with
malware.
Oracle left a
security flaw in one of the world’s most widely used programs unpatched for four months and then
issues a half-baked fix, the company is practically inviting cyber criminals to exploit its users en mass. And as expected the invitation has been accepted.
The rogue email messages are copies of legitimate notifications that Microsoft sent out to users to announce
changes to the company's Services Agreement that will take effect Oct. 19.
"This email is a legitimate announcement regarding updates to the
Microsoft Services Agreement and Communication Preferences," a Microsoft
program manager for supporting mail technologies who identifies herself
as Karla L, said on the Microsoft Answers website in response to a user inquiring about the authenticity of the email message.
However,
she later acknowledged the existence of reports about malicious emails
that use the same template. "If you received an email regarding the
Microsoft Services Agreement update and you're reading your email
through Hotmail or Outlook.com, the legitimate email should have a Green
shield that indicates the message is from a Trusted Sender," she said.
"If the email does not have a Green shield, you can mark the email as a
Phishing scam."
However,
in the malicious versions of the emails, the correct links have been
replaced with links to compromised websites that host attack pages from
the
Blackhole exploit toolkit. Blackhole is a tool used by
cybercriminals to launch Web-based attacks that exploit vulnerabilities
in browser plug-ins like
Java,
Adobe Reader or
Flash Player, in order to
install malware on the computers of users who visit compromised or
malicious websites.
This type of attack is known as a drive-by
download and is very effective because it requires no user interaction
to achieve its goal. The malicious Java applet used in
this attack is detected by only eight
of the 42 anitivirus engines available on the VirusTotal file scanning
service. The
Zeus variant has a similarly low detection rate.
"We're receiving multiple reports of a phishing campaign using the
template from a legitimate Microsoft email regarding Important Changes
to Microsoft Services Agreement and Communication Preferences," Russ
McRee, security incident handler at the SANS Internet Storm Center, said
Saturday in a
blog post.
-Source (Info World)
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 12/05/2012 07:33:00 pm
'Dockster' A New Mac Malware Targeting Apple Users Found on Dalai Lama Related Website
Researcher at
F-Secure blog has identified that A new piece of malicious software targeted at
Apple users has been found on a
website dedicated to the
Dalai Lama. According to
blog post by F-Secure -the website related to
Dalai Lama is fully compromised and is pushing new Mac
malware, called
Dockster, using a
Java-based exploit. Dockster tries to infect computers by exploiting a vulnerability in Java,
CVE-2012-0507. The vulnerability is the same one used by the
Flashback malware, which first appeared around September 2011 and infected as many as
600,000 computers via a drive-by download. Flashback was used to fraudulently click on advertisements in order to generate illicit revenue in a type of scam known as click fraud. Apple patched the vulnerability in Java in early April and then undertook a series of steps to remove the frequently targeted application from Macs. Apple stopped bundling Java in the 10.7 version of its
Lion operation system, which continued with the company's Mountain Lion release. In October, Apple removed older Java browser plug-ins in a software update.
But still the matter of relief is that current versions of
OS X are not vulnerable; users who have disabled the Java browser plug-in are also not vulnerable. F-Secure researcher Sean Sullivan said Dockster is
“a basic backdoor with file download and keylogger capabilities.” Meanwhile F-Secure’s Sullivan, also said that the Dalai Lama’s site is also serving a Windows-based exploit for CVE-2012-4681, the Agent.AXMO Trojan. The Trojan exploits a Java vulnerability that allows remote code execution using a malicious applet that is capable of bypassing the Java SecurityManager.
While talking about Mac malware, then you must remember that earlier also Mac users faced such attacks when mac Trojan OSX.SabPub was spreading through Java exploits In 2011 we have also seen OSX/Revir-B trojan was installed behind a PDF, and giving hackers remote access to MAC computers, not only Revier-B also Linux Tsunami trojan Called "Kaiten"targeted Mac OS users in 2011. Also another malware named "Devil Robber" which was also make MAC users victim while stealing their personal information. In the very decent past we have seen a trojan named 'BackDoor.Wirenet.1' apparently providing its masters with a backdoor into infected systems. It is also capable of stealing passwords stored in browsers like Chrome, Chromium,Firefox and Opera. For any kind of cyber updates and infose news, stay tuned with VOGH.
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 9/15/2012 03:47:00 pm
BlackHole Exploit Kit 2.0 Released !! (Collection of Latest Exploit Modules)
BlackHole exploit kit - which is so far recognized as the most successful exploit kit that includes a collection of
exploits to take advantage of vulnerability in the target's machine to download
malwares & infect the victim, now became more power full as
The BH developers have unleashed a new version of their exploit toolkit on the net. With
BlackHole 2.0, the software has been
"rewritten from scratch" to fool antivirus & firewall, said the unknown developers in a Russian-language release announcement on
Pastebin. In their posting, they advertise new features such as temporary exploit URLs that are only valid for a few seconds, making them harder to analyse. The other features are also quite worthy and makes it a quite faster exploit kit like the new version doesn’t rely on plugindetect to determine the
Java version installed. This will speed up the malware download routine. As the link to the malicious payload was easily identified by security software earlier, the BlackHole 2.0 comes with a feature that allows the customer to choose the link. The creators of the exploit kit claim that this way none of the commercial antivirus solutions is able to detect it. Old exploits that were causing the browser to crash have been removed.
A total of
16 improvements have been claimed to be done in BlackHole’s administrator panel. Now it’s faster, statistics are easier to view, and mobile phones and
Windows 8 have been added to allow customers to see precisely what types of devices are infected. The price for the services are quite comparative. All you need is criminal intent and money. The toolkit can now even be
rented for a $50 a day and will then run on a server that is owned by the BlackHole team. The annual licence fee for criminals who use their own servers is
$1,500. Detailed information about BH 2.0 can be
here.
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 8/04/2011 06:55:00 pm
The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool. The framework includes hundreds of working remote exploits for a variety of platforms. Payloads, encoders, and nop slide generators can be mixed and matched with exploit modules to solve almost any exploit-related task.
New Exploit Modules:
VSFTPD v2.3.4 Backdoor Command Execution
Java RMI Server Insecure Default Configuration Java Code Execution
HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow
HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow
Mozilla Firefox nsTreeRange Dangling Pointer Vulnerability
Black Ice Cover Page ActiveX Control Arbitrary File Download
Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability
MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow
Lotus Notes 8.0.x – 8.5.2 FP2 – Autonomy Keyview
RealWin SCADA Server DATAC Login Buffer Overflow
Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow
Iconics GENESIS32 Integer overflow version 9.21.201.01
Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow
Sielco Sistemi Winlog Buffer Overflow
Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow
HP OmniInet.exe Opcode 20 Buffer Overflow
HP OmniInet.exe Opcode 27 Buffer Overflow
Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow
Lotus Notes 8.0.x – 8.5.2 FP2 – Autonomy Keyview
New Post-Exploitation Modules:
Winlogon Lockout Credential Keylogger
Windows Gather Microsoft Outlook Saved Password Extraction
Windows Gather Process Memory Grep
Windows Gather Trillian Password Extractor
Windows PCI Hardware Enumeration
Windows Gather FlashFXP Saved Password Extraction
Windows Gather Local and Domain Controller Account Password Hashes
Windows Gather Nimbuzz Instant Messenger Password Extractor
Windows Gather CoreFTP Saved Password Extraction
Internet Download Manager (IDM) Password Extractor
Windows Gather SmartFTP Saved Password Extraction
Windows Gather Bitcoin wallet.dat
Windows Gather Service Info Enumeration
Windows Gather IPSwitch iMail User Data Enumeration
New Auxiliary Modules:
John the Ripper Password Cracker Fast Mode
Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS
Kaillera 0.86 Server Denial of Service
2Wire Cross-Site Request Forgery Password Reset Vulnerability
SIPDroid Extension Grabber
MSSQL Password Hashdump
Notable Features & Closed Bugs:-
Feature #4982 – Support for custom executable with psexec
Feature #4856 – RegLoadKey and RegUnLoadKey functions for the Meterpreter stdapi
Feature #4578 – Update Nmap XML parsers to support Nokogiri parsing
Feature #4417 – Post exploitation module to harvest OpenSSH credentials
Feature #4015 – Increase test coverage for railgun
Bug #4963 – Rework db_* commands for consistency
Bug #4892 – non-windows meterpreters upload into the wrong filename
Bug #4296 – Meterpreter stdapi registry functions create key if one doesn’t exist
Bug #3565 – framework installer fails on RHEL (postgres taking too long to start)
Armitage integrates with Metasploit 4.0 to:-
Take advantage of the new Meterpreter payload stagers
Crack credentials with the click of a button
Run post modules against multiple hosts
Automatically log all post-exploitation activity
Revision Information:
Framework Revision 13462
Several import parsers were rewritten to use Nokogiri for much faster processing of large import files. Adding to Metasploit’s extensive payload support, Windows and Java Meterpreter now both support staging over HTTP and Windows can use HTTPS. In a similar vein, POSIX Meterpreter is seeing some new development again. It still isn’t perfect nor is it nearly as complete as the Windows version, but many features already work. Java applet signing is now done directly in Ruby, removing the need for a JDK for generating self-signed certificates. The Linux installers now ship with ruby headers, making it possible to install native gems in the Metasploit ruby environment.
Another flexibility improvement comes in the form of a consolidated pcap interface. The pcaprub extension ships with the Linux installers as of this release and support for Windows will come soon. Modules that used Racket for generating raw packets have been converted to Packetfu, which provides a smoother API for modules to capture and inject packets.
To download Metasploit Framework v4.0.0 Click
Here For more information abous MSF click
here
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 12/05/2013 02:35:00 am
TeamSpeak Official Forum Hacked! Infecting Users By Malicious DotCache Exploit Kit
A serious
security breach has compromised official forum of
TeamSpeak, according to sources
hackers have gained access inside the server and injected
malicious script into the landing page of
TeamSpeak official forum. Expert
malware analyzer have figured out that the attack was thoroughly planned in order to infect millions of users while redirecting them to a
DotCache exploit kit landing page as illustrated below
TeamSpeak is a very famous Brazilian company who offers
(VoIP) software that allows computer users to speak on a chat channel with fellow computer users, much like a telephone conference call. Users use the TeamSpeak client software to connect to a TeamSpeak server of their choice, from there they can join chat channels and enjoy the excellent VoIP service. Mostly it is used by millions of gamers across the globe.
Basically we can consider TeamSpeak is a high value target, so did the hacker. Researchers said that the
exploit kit landing page is hosted on
atvisti.ro, a forum for ATV enthusiasts that's also been compromised. In a statement well known malware analyst & security researcher Jerome Segura said- if the
Java exploit succeeds the final
payload is loaded. In this particular example, the payload was the
Zero Access Trojan which an Anti-Malware from Malwarebytes detects as
Rootkit.0Access. The matter of a bit relief is that the malware has not yet been spotted in the wild. According to a statistic by
Virus Total, only 7 of 46 leading antivirus can detect this type of malware. Exactly like TeamSpeak, a few days earlier
Kahu Security researchers uncovered a similar compromise on the forum for the Nissan Pathfinder Off Road Association
(NPORA) in both cases,
JJEncode was used to obfuscate the malicious script. To avoid further infection, TeamSpeak forum has already been informed, an as expected they have over come this issue. For detail analysis of the above said
malware you can visit official blog post of
Malwarebytes.
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 2/25/2013 02:07:00 pm
NBC.com Compromised, Hackers Exploited The Website to Spread Malware
The month of
February is still going from bad to worse for the cyber domain, in this very month cyber criminals swallowed the security system of many giant companies like
Facebook,
Twitter,
Apple,
New York Times and many more. But the game is not over yet, as we have just passed a few weeks, when the attack on
NY Times took place, which stolen the employ database; yet again the cyber criminals have targeted another media giant
National Broadcasting Company widely known as
NBC. During the attack, hackers have successfully gain access inside the server of NBC and planted
malware, in order to harm innocent readers. Famous security expert and blogger Brian Krebs said that the hackers inserted code into the NBC.com homepage. This caused visiting browsers to load pages from third-party sites that were compromised. While explaining the nature of the attacker, Krebs said;
"The compromised sites tried to foist the Citadel Trojan, a variant of the Zeus Trojan." The Zeus is a
"sophisticated data theft tool that steals passwords and allows attackers to control machines remotely" he added. Not only the NBC’s
home page, also several others were affected, including the pages of late night talk show hosts Jay Leno and Jimmy Fallon. Well known security firm
Sophos explained how roughly attack played out, and how NBC got sucked into the equation:
- NBC's hacked pages were altered to add some malicious JavaScript that ran in your browser.
- The JavaScript injected an additional HTML component known as an IFRAME (inline frame) into the web page.
- The IFRAME sucked in further malicious content from websites infected with an exploit kit known as RedKit.
- The exploit kit delivered one of two exploit files to try to take control over your browser via a Java vulnerability or a PDF bug.
- If the exploit worked on your computer, financially-related crimeware from the Citadel or ZeroAccess families was installed.
This, of course, is an example of a dreaded drive-by download, where the crooks use a cascade of tricks to download, install and execute software without going through any of the warnings or confirmation dialog you might expect. This, in turn, means that even if you are a careful and well-informed user, you may end up in trouble, since there are no obvious signs that you are doing anything risky, or even unexpected.
As soon as this story get spotted the American commercial broadcasting television network, NBC News reported and confirmed that its site had been attacked. The broadcaster released the following statement regarding the website: "We've identified the problem and are working to resolve it. No user information has been compromised."
The emergency response team immediately take the situation under control and restored the website, and confirmed that the site is back again and
completely safe for its visitors. But so far there is no evidence of attackers who were involved in this attack. For the safety of
VOGH readers we would like to recommend you to update your operating systems and browser plugins. Also note that the attack on NBC was similar to many that have occurred in recent years in that the malicious sites tried to exploit
vulnerabilities in Java. So it will better to
disable Java, unless it is that much necessary. So stay tuned with
VOGH and be safe in the cyber domain.
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 2/20/2013 06:52:00 pm
Apple Hacked, Macintosh Computers Infected By The Same Group Who Attacked Facebook
The month of February is not going good for cyber space, specially for giant organization. Last week the
social networking giant
Facebook fallen victim of a devastating
cyber attack which did effected a number of systems.
Facebook admitted that it faced a
"sophisticated attack" on computers where it has been found the attackers used a
zero-day Java exploit to initiate the attack, but that no user data was compromised. The same thing happened to micro blogging site
Twitter and
New York Times. And now it was the turn for
Apple. The California based multinational company acknowledged that
recently their systems has been attacked by hackers who infected Macintosh computers of some employees. Like Facebook here also no data has been effected, "there was no evidence that any data left Apple." -said Apple.
According to an exclusive report of Reuters -some unknown hackers infected the computers of some Apple workers when they visited a website for software developers that had been infected with malicious software. The malware had been designed to attack Mac computers. The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp's Java software used as a plug-in on Web browsers, was used to launch attacks against Facebook, which the social network disclosed on Friday. The malware was also employed in attacks against Mac computers used by "other companies," Apple said, without elaborating on the scale of the assault. Experts are presuming that all these cyber attacks of February, that is Twitter, New York Times, Facebook & Lastly Apple Inc was originated from China, and executed by the same hacker group. On the other side few experts are also saying that the group responsible for the hack, has been identified as "Unit 61398" of the People's Liberation Army. But so far there is no proof.
Apple also revealed that it plans to release a software tool later Tuesday that will protect customers against the same type of software that was used against its employees.
Apple also provided a statement as follows:-
"Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple. We are working closely with law enforcement to find the source of the malware.
Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days. To protect Mac users that have installed Java, today we are releasing an updated Java malware removal tool that will check Mac systems and remove this malware if found..."
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 4/05/2012 08:43:00 pm
Mozilla Put Older & Vulnerable Versions of Java Into Firefox Blocklist
In the official blog post
Mozilla confirmed that they have blacklisted unpatched versions of the
Java plug-in from Firefox on Windows in order to protect its users from attacks that exploit known vulnerabilities in those versions. "The
February 2012 update to the
Java Development Kit (JDK) and
Java Runtime Environment (JRE) included a patch to correct a critical vulnerability that can permit the loading of arbitrary code on an end-user’s computer. This vulnerability—present in the older versions of the JDK and JRE—is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the
Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date. Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms. Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied."- Said Mozilla
Unlike
Google's Chrome browser, which has a feature specifically aimed at disabling outdated plug-ins,
Firefox relies on Mozilla developers deciding which plug-ins pose a risk to users. However, users retain the choice of preventing those plug-ins from being disabled. The Firefox blocklist has rarely been used to disable plug-ins from big software vendors like Oracle, but precedents do exist. In October 2009, Mozilla decided to add Microsoft's
Windows Presentation Foundation (WPF) plug-in to the Firefox blocklist after Microsoft revealed that it had a vulnerability.
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
Posted by Avik Sarkar
On 4/20/2012 11:17:00 pm
Another Mac Trojan "Backdoor.OSX.SabPub" Discovered, Exploiting Java Vulnerability
Few weeks ago security experts found
Flashback Trojan infected more than 60,000
Mac users around the world. Immediately after this incident Apple issued
patches that curb the vulnerability. Yet again it has been found that another Mac trojan that is also spread through Java exploits. The malware, called
Backdoor.OSX.SabPub, can take screen-shots of a user’s current session, execute commands on an infected machine and connect to a remote website to transmit the data. It is not clear how users get infected with the trojan, but because of the low number of instances and the trojan’s backdoor functionality, Securelist speculates that it is most likely used in targeted attacks, possibly launched through emails containing a URL pointing to two one of websites hosting the exploit. Two versions of SabPub were discovered in the wild this past weekend, flying undedected for about two months now. Kaspersky's Costin Raiu wrote in a
blog post that SabPub was probably written by the
LuckyCat authors.
Version 1: Microsoft Office
One version of SabPub traps Mac (and potentially Windows) users with booby-trapped Microsoft Word documents which exploit the vulnerability 'MSWord.CVE-2009-00563.a.'
The spear-phishing emails containment a malicious Word attachment entitled '10thMarch Statemnet' (with typo) to Tibet sympathizers. March 10, 2011 refers to the day the Dalai Lama delivered his annual speech observing the Tibetan Uprising of 1959. The Word doc was created in August 2010 and updated in February with SabPub thrown in; "quite normal" for such attacks and seen in other APT's like Duqu, Raiu notes.
Version 2: Java
A March version of Sabpub also discovered last weekend exploits the same drive-by Java vulnerability seen in Flashback, one of the biggest botnet attacks seen in OS X. Once the backdoor Trojan is downloaded, a victim's system is connected to a command-and-control center via HTTP. From there the botnet can grab screenshots, upload/download files, and remotely execute commands, Sophos' Graham Cluley writes. SabPub drops the following two files on a user's system, so if you are concerned about infection Cluley recommends searching for these files:
/Users//Library/Preferences/com.apple.PubSabAgent.pfile
/Users//Library/LaunchAgents/com.apple.PubSabAGent.plist
Earlier also Mac users faced such attacks where
OSX/Revir-B trojan was installed behind a PDF, and giving hackers remote access to MAC computers, not only Revier-B also
Linux Tsunami trojan Called "Kaiten" targeted Mac OS users in 2011. Also another malware named
"Devil Robber" which was also make MAC users victim while stealing their personal informations.
-Source (Securelist & PC Mag)
SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
