
SANS ISC InfoSec Handlers Diary Blog



What's New, Old and Morphing?

Published: 2008-04-23
Last Updated: 2008-04-23 18:35:31 UTC
by Mari Nichols (Version: 1)

Cyberspace was so busy churning out facts yesterday that our Handler on Duty, Donald Smith, furiously posted diary entries to keep you informed. So I thought I would take a moment to summarize the events of April 22 and elaborate on the situation.

  1. First, spam plagues us every day, so it is important to stay current on the threat vectors in use. Don wrote about the latest attempt to exploit users, a message titled “Apocalyptic NEWS Usama Ben Laden.” The email tries to lure users into downloading a version of Zlob; the links on the referenced blog site are malicious.
  2. Don also covered another spam phenomenon involving Google agenda, which is considered a new delivery method.
  3. The social network site MySpace was abused again, this time to lure users into a download by clicking on a “fake” Microsoft update popup. The popup is actually a large CSS layer laid over the page; clicking it initiates a download.
  4. Finally, Don described a malicious .rar file (promising Paris Hilton undressing) that slipped past email gateway security but was ultimately caught by an AV product. The payload appears to be SDBOT.

So there you have it: new spam, Google agenda, social-networking CSS and a bot. Another day in the life... But all that was yesterday; today we have several situations drawing attention from our readers.

First off today, Heather wrote in to tell us that US-CERT released an advisory yesterday afternoon concerning a malicious website injecting JavaScript, which infected many UK sites and a UN site. Websense also alerted on it. They analyzed the malware and concluded that it is related to the story Bojan reported. We have already recommended mitigations for this situation.

Then, Andrew from Vancouver wrote in to tell us about his experience with a WordPress blog infection that let spammers insert hidden text into sites running several versions of WordPress. While not widespread, the technique is interesting and gives us an opportunity to discuss these methods of attack. Further details are on the Tech Side Up blog.
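The three web-side tricks above (the MySpace "update" popup built from a large CSS layer, the JavaScript injected into the UK and UN sites, and the hidden spam text planted in WordPress pages) all leave marks in the served HTML that a site owner can scan for. The following is an added example, not code from the ISC or from any of the parties mentioned: it walks a page with Python's standard html.parser and flags external scripts from hosts outside a trusted list, links inside hidden containers, and full-viewport absolute/fixed layers that wrap a download link. The trusted host list and the sample page are constructed for the example (203.0.113.10 is a documentation address, and the `.example` domains are placeholders).

```python
"""Flag injected scripts, hidden-text spam and fake-dialog overlays in HTML.

Added example for the diary; heuristics, trusted hosts and sample page are
assumptions, not a reproduction of the actual infections described.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is expected to load scripts from (assumption for the example).
TRUSTED_SCRIPT_HOSTS = {"example.org", "www.example.org", "static.example.org"}

# Inline-style patterns that make an element invisible to a human reader.
HIDDEN_RULES = (
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"font-size\s*:\s*0(px|pt)?\b", re.I),
    re.compile(r"(left|top)\s*:\s*-\d{3,}px", re.I),   # pushed far off-screen
)
# A layer positioned over the page and stretched to the full viewport.
OVERLAY_POS = re.compile(r"position\s*:\s*(absolute|fixed)", re.I)
OVERLAY_FULL = re.compile(r"(width|height)\s*:\s*100%", re.I)
OVERLAY_Z = re.compile(r"z-index\s*:\s*(\d+)", re.I)
# File types a "patch" link on a fake dialog typically points at.
DOWNLOAD_EXT = (".exe", ".scr", ".com", ".rar", ".zip")
# Void elements never get an end tag, so they must not be pushed on the stack.
VOID = {"br", "img", "input", "meta", "link", "hr", "area", "base", "col"}


class SuspectScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, detail) tuples
        self._stack = []        # (tag, is_hidden, is_overlay) for open elements

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = a.get("style") or ""
        # 1. Script include from a host we do not recognise (injected JS).
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname or ""
            if host and host not in TRUSTED_SCRIPT_HOSTS:
                self.findings.append(("injected_script", a["src"]))
        hidden = any(r.search(style) for r in HIDDEN_RULES)
        overlay = bool(OVERLAY_POS.search(style) and OVERLAY_FULL.search(style))
        if overlay:
            z = OVERLAY_Z.search(style)
            self.findings.append(("overlay_layer",
                                  "z-index=%s" % (z.group(1) if z else "auto")))
        # Hidden/overlay state is inherited from any open ancestor.
        in_hidden = hidden or any(h for _, h, _ in self._stack)
        in_overlay = overlay or any(o for _, _, o in self._stack)
        if tag == "a" and a.get("href"):
            href = a["href"]
            # 2. A link the visitor cannot see is SEO spam, not navigation.
            if in_hidden:
                self.findings.append(("hidden_link", href))
            # 3. A download wrapped in a full-page layer: click-anywhere lure.
            if in_overlay and href.lower().endswith(DOWNLOAD_EXT):
                self.findings.append(("overlay_download", href))
        if tag not in VOID:
            self._stack.append((tag, hidden, overlay))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy markup.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def scan(html):
    """Return the list of (kind, detail) findings for one HTML document."""
    p = SuspectScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page exhibiting all three patterns.
SAMPLE_PAGE = """
<html><head>
<script src="http://static.example.org/site.js"></script>
<script src="http://203.0.113.10/b.js"></script>
</head><body>
<h1>Welcome</h1>
<p>Normal content with a <a href="/about">link</a>.</p>
<div style="display:none">
  <a href="http://cheap-pills.example/buy">cheap pills</a>
  <a href="http://casino.example/">online casino</a>
</div>
<div style="position:absolute; top:0; left:0; width:100%; height:100%; z-index:9999">
  <a href="http://203.0.113.10/WindowsUpdate.exe"><img src="update.png"></a>
</div>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PAGE):
        print("%-17s %s" % (kind, detail))
```

Run it against a fetched copy of your own pages (wget the HTML rather than viewing it in a browser, since the injected script will run otherwise). Expect noise from legitimate modal dialogs and collapsed menus; the point is to diff findings against a known-clean baseline, not to treat every hit as an infection.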

Another reader sent in an old “download this” scam that seems to have migrated to Skype chat. The following message is used to get the user to click on the included link, which downloads the Downloader Trojan. Your AV should catch this old nasty, but the new delivery vector should be added to the warnings you give users through your security awareness programs.


"[4:09:40 PM] Software Update ® says: WINDOWS REQUIRES IMMEDIATE ATTENTION
=============================
ATTENTION ! Security Center has detected
malware on your computer !

Affected Software:
Microsoft Windows NT Workstation
Microsoft Windows NT Server 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Win98
Microsoft Windows Server 2003

Impact of Vulnerability: Remote Code Execution / Virus Infection /
Unexpected shutdowns

Recommendation: Users running vulnerable version should install a repair
utility immediately

Your system IS affected, download the patch from the address below !

Failure to do so may result in severe computer malfunction."

That sums it up! With all this activity, let us know what you are seeing out there.

Fair winds,
Mari