Milw0rm offline

Published: 2009-07-08
Last Updated: 2009-07-09 19:11:23 UTC
by Marcus Sachs (Version: 3)
2 comment(s)

We've received multiple emails today from readers who cannot reach Milw0rm.  The site's owner, str0ke, left this message on the site yesterday:

Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don't :(. For the past 3 months I have actually done a pretty crappy job of getting people's work out fast enough to be proud of; 0 to 72 hours (taking off weekends) isn't fair to the authors on this site. I appreciate and thank everyone for their support in the past.
Be safe, /str0ke

Update: Well, it wasn't gone for too long.  str0ke brought the site back up with this message:

"milw0rm's back up & posting will start once again, I can't let all of the emails in my submit box to just sit there"

--Joel

Update 2: Many people have written in, continuing to say that they can't get to milw0rm right now. According to str0ke, the box that is hosting the page is being hit so hard that they can't keep it running.

--Joel


Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords: milw0rm

RFI: DDoS Against Government and Civilian Web Sites

Published: 2009-07-08
Last Updated: 2009-07-09 02:34:21 UTC
by Marcus Sachs (Version: 5)
9 comment(s)

We are aware of an ongoing DDoS against several high-profile web sites.  Public details are in these online stories:

http://blogs.csoonline.com/online_attack_hits_us_government_web_sites

http://hosted.ap.org/dynamic/stories/U/US_CYBER_ATTACK

There have also been sketchy reports that South Korean websites are experiencing outages.  We are looking for any additional information, especially technical reports or packet captures.  Please use our contact page.

UPDATE 1: Several news agencies are reporting that attacks in South Korea are ongoing. There are some allegations that North Korea is involved, but we have not seen any technical attribution. Shadowserver's DDoS charts clearly show the increases in DDoS traffic. (See update 3 below.)

UPDATE 2: Speculation on who is behind this series of attacks, based on the evidence we have seen, is just that: speculation. Given the mountain of evidence we have to review, judgments on attribution or motivations would be inaccurate at best and irresponsible at worst. As we analyze all the data we will hopefully be able to provide more clarity into these attacks. There appear to be many malicious binaries responsible for this activity, and some of these binary files appear to have different target lists. - AndreL

UPDATE 3:  The good people over at Shadowserver wrote to tell us that the spike in their DDoS graph is not related to the US/KR attacks.  They said that the timing is just coincidental and that they have no specific statistics on the US/KR event.

UPDATE 4: Trend Micro and PandaLabs have posted lists of sites that are being attacked, as well as some other information. You can get this information at the links below. - AndreL

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.EA&VSect=T

http://pandalabs.pandasecurity.com/archive/DDoS-attacking-US-and-South-Korea-government-sites-.aspx


Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords: DDoS

Safari 4.0.2 update published

Published: 2009-07-08
Last Updated: 2009-07-08 23:28:10 UTC
by Andre Ludwig (Version: 1)
0 comment(s)

It looks like Apple has released Safari 4.0.2 for the OS X and Windows platforms.

This new version addresses the following security-related issues in WebKit (along with some performance improvements in the Nitro JavaScript engine).

Detailed information can be found in Apple's KB article: http://support.apple.com/kb/HT3666


CVE-ID: CVE-2009-1724
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack.
Description: An issue in WebKit's handling of the parent and top objects may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects.

CVE-ID: CVE-2009-1725
Impact:  Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
Description: A memory corruption issue exists in WebKit's handling of numeric character references. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of numeric character references. Credit to Chris Evans for reporting this issue.

You can get the new version of Safari at the URL below.

http://www.apple.com/downloads/macosx/apple/application_updates/safari.html

Keywords: safari
