Category: Virus

Stalkdaily worm strikes Twitter — Brings down the House!!

Paul

twitter-stalkdaily

According to Techcrunch, this seems to of happened today where this worm has brought down twitter. I have been using the Twitter Client Tweetdeck and have not had any problems like they have had with this site. I wouldn’t visit the site in question because you would most likely get the worm. It seems to be a very good hack it sends out spam on your twitter account like this:

stalkdaily1

[ad#cricket-right-ez]If you have been infected twitter is suggesting you password reset and requesting a new password. Some other removal information can be found here. I will update as necessary when I find out more.

*Update a Few hours*
It looks like Twitter had a Cross Site Scripting going on, and it wasn’t really Stalkdaily who did it rather someone injected code into twitter to grab peoples browser Cache. See this post for more information.

According to watch I am seeing Stalkdaily is now safe to surf to as long as you don’t click on links on twitter just yet. I have found that if you make sure you aren’t logged into twitter in your browser you are much better at preventing this type of attacks. You can see the screenshot of stalkdaily website and it looks like they are an innocent party.

stalkdaily2

Conficker Gets a new Look : Spyware Protector 2009

Paul3 Replies

Looks like the Conficker Worm has changed directions according to Viruslist:

One of the files is a rogue antivirus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido, detected back in November 2008, also downloaded fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick.

The rogue software, SpywareProtect2009, can be found on spy-protect-2009.com., spywrprotect-2009.com, spywareprotector-2009.com.

[See Pictures of website at Viruslist.com]

[ad#cricket-right-ez]From my understanding of this worm, it seems to be trying to [intlink id=”3114″ type=”post”]scareware tactic[/intlink] trying to get you to pay $49.95 to remove these threats. F-secure has also seen this worm and thinks this is doing what the Waldec virus is doing by becoming a spambot. According to Eset, the botnet is larger than most and this could create a problem in the future.  It seems that it used the p2p to distribute this update so they could bypass the domain blocks that were in place.

I will tell you this, if you get the warnings you are infected by all means go to my [intlink id=”2205″ type=”page”]Malware resource page[/intlink] and do a scan from the trusted sources.   I will update as I get more information on this little development.

Electric Company fear Mongering gone wrong!!

Paul

I saw this talking going on at Arstechnica and SANS Interenet are Talking about the Elecric Company Fear mongering. Here’s what Ars Says:

It sounds like something straight out of Hollywood. Current and former US security officials have reported that foreign nations have penetrated the cybersecurity barriers surrounding the US electrical grid, water system, and even financial networks. Although no known attempts have been made to activate the booby traps said black hats left behind, such sleeper cells could activate suddenly during a war or crisis, plunging the nation into a disaster only Bruce Willis and that Mac dude could avert.

[Via Arstechnica]

[ad#cricket-right-ez]This was posted today with people asking the question Is the Electric company have a viruses or have a worm? I don’t know but these fears are coming from the Wall Street Journal:

WASHINGTON — Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

[Via Wall Street Journal]

Now let’s talk about this, This is being a talked about on a friends Podcast, The Caffination Podcast. This is where I have figure we should talk about this. I think Sans Internet Storm says it better than I could:

One email stated that The power systems we have in place today are ran by Knobs and Switches. Mostly built int he 70’s and 80’s, these power stations are mostly ran by manual intervention. The power stations that _have_ been stood up since then, a couple of Nuclear Power stations, are federally regulated to not have any connections to anything, let alone the Internet.

Since this particular email comes from a very trusted source, I am inclinded to believe this person. Is it possible that there ARE computers in power stations that are connected to the Internet? Yes, I am quite sure there are. However, is it possible that the computer or computers (if there are any) that actually CONTROL the power are connected to the internet, I tend to not believe that.

[Via Sans Internet Storm]

I agree with what Sans is saying but I don’t think there is anything to worry about, for the fact that I think that the computers that control electricity are not hard wired to be online. This is meaning that if someone virus or worm gets on those computers there is no way these viruses or worms could talk back to command and control. This is my Theory and I don’t work from the electric but I do think this is the most plausible way they are preventing this type of attack. The First Tier, just like tech support, is for Corporate and technicians to talk to eat other over the intranet. The 2nd Tier, this is the important computers that would control Electric process. I don’t know this for sure but I think the 2nd tier would be used to isolate the computers from being accessed externally. Like I said before I don’t work for the electric company and this is all theory on how the electric has this set up!! So you can take it with a grain of salt or come up with your own ideas.

Hackers Jump onto Power Point Exploits : KB969136

Paul

In my Previous post, we talked about Microsoft [intlink id=”3280″ type=”post”]Advisory for KB969136[/intlink] and the exploit was in the wild.  It looks like Trend Micro has published some new spam attempts to get the users to open up the Maleware for them to deposit TROJ_PPDROP.AB onto there systems.

[ad#cricket-right-ez]Trend Micro has some screen shots of the most common Fake Presentations for you to see just how they try to get you to open the file.

Although these are some common tactics for  attackers to use such as  nude pictures, Earth Hour, or Celebrities without Makeup,  users who don’t normally use PPT should check the files out before you load them.  You also should remember to save them to a file and [intlink id=”2205″ type=”page”]scan them with your Anti-virus software[/intlink], also it wouldn’t hurt to have a firewall software.  It looks like these exploits tries to connect to the internet and you might be able to find out by the request from the firewall.

According to Internet Storm Center, the CVE place Holder for this is CVE-2009-0556 and hasn’t become live yet. I do not think they will release that information until they get a chance for Microsoft to patch the systems.

This would be a good time to remind IT staff and anyone who might use Power Point that they should not open anything they aren’t expecting and even then they should verify with your IT staff that it is safe until Microsoft issues a patch for this. I expect that if this become widely used it will be released out of Cycle or even In May’s Patch Tuesday. According to Microsoft you could install Microsoft Office Isolated Conversion Environment (MOICE) but requires Office 2003 and Office 2007 systems. Find out how you can use this work around at Microsoft’s Advisory of KB969136 for further instructions.

Microsoft issues Advisory KB969136 (Zero Day Exploit in the Wild)

Paul

Well, this had to happen sooner or later.  It looks like Powerpoint can be exploited with a Remote Code Execution.   So Microsoft today has issued an Advisory for KB969136.

In there post they say:
[ad#cricket-right-ez]

At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability. If you suspect that you were target for such an attack, you can scan your computer with the Windows Live OneCare safety scanner. The malicious PPT files are detected as Exploit:Win32/Apptom.gen. Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Products affected are Microsoft Office PowerPoint 2000 Service Pack 3, Microsoft Office PowerPoint 2002 Service Pack 3, and Microsoft Office PowerPoint 2003 Service Pack 3. Microsoft Office PowerPoint 2007 is not affected.
[Via Microsoft Blog]

Microsoft has even added a diagram on how an attacker could implement this into an email.

So what do you need to know:

If you receive a Power Point presentation from someone you aren’t expecting either scan it good with a[intlink id=”2205″ type=”page”] free anti-virus[/intlink]. There are no major workarounds to this because Microsoft is telling people not to open the Power Point files directly. I tend to agree you should however know if you are expecting something from someone by either emailing them back or if it’s an office situation pick up that phone for the time being. I am sure Microsoft will issue this patch in the coming months probably May or June at the earliest. I don’t think it will be April Patch Tuesday, they could however make this an out of cycle if enough hackers start to use this.

According to Micrsoft the Windows Live One care picks this up as Win32 Exploit so I am sure other [intlink id=”2205″ type=”page”]Anti-virus Software will do the same[/intlink].   Just for the time being you will want to scan any presentations that come your way.  I will update the blog as more information becomes available!!