Go to www.webspeedway.com today to learn about their cost-effective IT management solutions for your business.
Vulnerabilities of Interest:
- GNU Coreutils creates temporary files in an insecure manner, which would allow an attacker with local access to obtain sensitive information or perform symbolic-link attacks to overwrite arbitrary files in the context of the affected application. The GNU Core Utilities are the basic file, shell and text manipulation utilities of the GNU operating system; they are the core utilities expected to exist on every operating system. The “distcheck” Makefile rule in coreutils 5.2.1 through 8.1 uses an unsafe (predictable) temporary directory location for its own work. A successful symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service; other attacks may also be possible. GNU Coreutils 5.2.1 through 8.1 are vulnerable, and an attacker can use readily available commands to launch attacks.
- A vulnerability has been identified in Webmin and Usermin, which could be exploited by attackers to execute arbitrary scripting code. Webmin and Usermin are web-based interfaces for system administration for Unix. This issue is caused due to unspecified input validation errors, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user’s browser in the security context of an affected site.
- Two vulnerabilities have been identified in Sun Ray Server Software, which could be exploited by remote attackers to bypass security restrictions, cause a denial of service or compromise a vulnerable system. Sun Ray is a stateless thin-client solution aimed at corporate environments. The first issue is caused by an unspecified error in the Authentication Manager, which could allow remote attackers to crash an affected service or execute arbitrary code with root privileges. The second vulnerability is caused by an error in encryption key generation, which could allow an attacker who is able to intercept network traffic to predict the private key and decrypt the mouse, keyboard and display traffic between the Sun Ray DTU and the Sun Ray Server.
- TP ZDI and HP X-Force have identified multiple vulnerabilities in HP OpenView Network Node Manager (OV NNM), which could be exploited by remote attackers to compromise a vulnerable system. These issues are caused by buffer overflow errors in “nnmRptConfig.exe”, “Snmp.exe”, “ovwebsnmpsrv.exe”, “snmpviewer.exe”, “ovalarm.exe”, “OvWebHelp.exe”, “webappmon.exe”, “ovsessionmgr.exe” and “ovlogin.exe”, and input validation errors in various Perl CGI executables when processing malformed HTTP requests, which could be exploited by remote attackers to execute arbitrary code.
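As an added illustration of the first item above (the predictable temporary-directory problem in the coreutils “distcheck” rule), the POSIX shell below is not code from coreutils or its Makefile: it puts the weak pattern next to a hardened replacement, plus a check that refuses a planted symlink or a scratch directory with the wrong owner or permissions. The function names and the `distcheck.` template prefix are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from coreutils): predictable scratch directory versus a
# hardened one. Names below are illustrative, not the project's own.

# Unsafe pattern: a fixed path that any local user can pre-create, or replace
# with a symlink, before the build runs. mkdir -p silently accepts whatever is
# already there, so later writes go through the planted link.
unsafe_workdir() {
    dir="/tmp/distcheck-work"           # predictable name: the weakness
    mkdir -p "$dir" && printf '%s\n' "$dir"
}

# Reject anything that is not a plain directory owned by the caller with
# owner rwx and no group/other write access. find -prune keeps the test on
# the path itself, and since find does not follow symlinks by default,
# -type d is false for a planted link.
check_workdir() {
    dir=$1
    [ -n "$dir" ] || return 1
    [ ! -L "$dir" ] || return 1                          # symlink at the path
    [ -n "$(find "$dir" -prune -type d -user "$(id -un)" -perm -700 2>/dev/null)" ] || return 1
    [ -z "$(find "$dir" -prune -perm -020 2>/dev/null)" ] || return 1   # group-writable
    [ -z "$(find "$dir" -prune -perm -002 2>/dev/null)" ] || return 1   # world-writable
}

# Hardened: let mktemp pick an unpredictable name and create it atomically
# (it fails instead of reusing an existing entry), force mode 0700, then
# re-verify before handing the path back to the caller.
safe_workdir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/distcheck.XXXXXXXXXX") || return 1
    chmod 700 "$dir" || { rmdir "$dir"; return 1; }
    check_workdir "$dir" || { rmdir "$dir"; return 1; }
    printf '%s\n' "$dir"
}
```

`check_workdir` is the part worth reusing on its own: running it against a scratch location before a build rule writes into it turns the silent symlink follow the advisory describes into a hard failure.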
News item 1: http://www.net-security.org/secworld.php?id=8599 <Rick>
Help Net Security has an article that lays out the top 10 botnets by name and size. They lay out MessageLabs’ list of the top 10, which reads like this:
Rustock
Rustock frequently sends spam at full capacity for short periods, and then ceases its activity often for days at a time. Between August and September 2009, it controlled between 1.3 million to 2 million bots. Rustock had accounted for approximately 10-20% of all spam for much of the year, but by the end of 2009 it had increased its dominance and stabilized its output to approximately 18% of all spam. By the end of 2009, Rustock was mostly sending pharmaceutical and medical spam.
Cutwail
Cutwail consisted of 1 million to 1.5 million bots throughout the year, and was responsible for 17% of all spam. It was responsible for the surge in Bredolab malware, spoofed greetings card emails containing malicious hyperlinks, phishing activities, pharmaceutical spam and spam peddling counterfeit watches.
Bagle
Bagle finished the year with somewhere between 600,000 and 800,000 bots under its belt. By the end of 2009, Bagle was responsible for approximately 16% of global spam, and the spam in question was almost exclusively pharmaceutical or medical.
Bobax (aka Kraken)
Bobax has an estimated 80,000 to 120,000 bots at its disposal, and throughout the year it increased the rate at which each bot was sending spam. Finishing the year by positioning itself in the 4th place by being responsible for 13% of spam, Bobax returned to its pre-McColo spam levels. The spam it sends out is mostly related to counterfeit fashion accessories and watches.
Grum
Grum was busiest between June and September, when it was sending more spam than any other botnet (20% of all spam). The number of bots it controls ranges from 600,000 to 800,000, and they are charged with sending out mostly pharmaceutical spam.
Maazben
A newcomer among botnets, Maazben made its first appearance in March. By the end of 2009, it controlled 200,000-300,000 bots. Responsible for 2% of all spam, it cornered the market on French- and German-language casino-related and gambling spam.
Festi
Another newcomer, Festi emerged in August 2009 – by the end of the year, it controlled approximately 100,000-200,000 bots which send out counterfeit watch and fake fashion accessories spam.
Mega-D
At the beginning of 2009, Mega-D was the main spamming botnet and emerged after the McColo closure as the most active botnet, comprising an estimated 300,000-500,000 bots. However, as the year progressed, Mega-D seemed to be seriously hemorrhaging bots, and its estimated size plummeted to less than 100,000 bots. In January, it was responsible for 58.3% of all spam, but it was almost eradicated on 4 November as the result of community action to disrupt the botnet, and its output fell drastically. It returned on 13 November using a different collection of bots, sending between 4-5% of spam, mostly pharmaceutical and some phishing activity.
Xarvester
Believed to be designed and operated by the owners of the defunct Srizbi botnet, Xarvester was closely watched and there was a lot of activity aimed at suppressing its operation. In January it controlled 500,000-800,000 bots, but by the end of the year it had only 20,000-36,000 bots, and less than 1% of all spam was sent by them (mostly pharmaceutical and medical).
Gheg
Gheg was at its peak in January, when it controlled 150,000 to 200,000 bots following the closure of McColo. At the end of 2009 it had less than 100,000 bots and was linked to approximately 0.5% of all spam – mostly Russian language dating spam, and medical spam in French, German and English.
Donbot
Somewhat of a “riches-to-rags” turn of events happened to Donbot. It appeared in the wake of the McColo closure and had a boom during the first quarter of 2009, when it controlled an estimated 800,000 to 1.2 million bots. But by the end of the year the number of bots had fallen to 100,000-150,000, so it effectively failed to enter the top 10 list; think of this as an honorable mention due to the huge impact it had at the beginning of the year. Its spam contained links to profiles on social networking and micro-blogging websites, related to “make-money-working-at-home” type spam messages.
News item 2: http://www.cybercrime.gov/proipreport2009.pdf <shoe>
News item 3: http://www.networkworld.com/news/2009/121009-hackers-find-a-home-in.html?t51hb <Rick>
Security researchers have spotted the Zeus botnet running an unauthorized command and control center on Amazon’s EC2 cloud computing infrastructure.
This marks the first time Amazon Web Services’ cloud infrastructure has been used for this type of illegal activity.
The general consensus is that the hackers may simply have stumbled on a website with a security vulnerability; they may have hacked the site’s software or simply stolen an administrative password from a desktop computer to get onto the site.
News item 4: http://www.darkreading.com/vulnerability_management/security/attacks/showArticle.jhtml?articleID=222001558&subSection=Attacks/breaches <Rick>
A large-scale SQL injection attack has hit 132,000 Websites as of today, injecting malicious iFrames that install a backdoor Trojan.
ScanSafe, which first reported the attack yesterday when it was at about 125,000 sites, first noticed the attack on Nov. 21. The attack loads malware from 318x.com, which then installs a rootkit-enabled version of the Buzuz backdoor Trojan — best known for credit card and other financial data theft.
So far the affected Websites in the SQL injection attacks are a mix of sizes and geographic locations, including the City of Iowa and The Yemen Times, which can be found via a Google search of the iFrame.
http://www.google.com/search?hl=en&q=%3Cscript+src%3Dhttp%3A%2F%2F318x.com%3E&aq=f&oq=&aqi=
http://search.yahoo.com/search?n=100&ei=UTF-8&va_vt=any&vo_vt=any&ve_vt=any&vp_vt=any&vd=all&vst=0&vf=all&vm=p&fl=0&p=%3Cscript+src%3Dhttp%3A%2F%2F318x.com%3E&vs=
News item 5: http://www.computerworld.com/s/article/9142078/Microsoft_knew_of_just_patched_IE_zero_day_for_months
Computerworld is reporting that Microsoft may not have hustled as fast as researchers first thought when they released the patch for a zero-day bug in Internet Explorer (IE) just 18 days after exploit code went public. According to VeriSign iDefense, Microsoft had information about the browser bug nearly six months before the researcher dubbed “K4mr4n” posted attack code to the Bugtraq security mailing list on Nov. 20. iDefense’s Zero Day Initiative (ZDI), one of the two best-known bug bounty programs, reported the vulnerability to Microsoft on June 9, 2009, iDefense noted in an advisory published Wednesday.
Three days after K4mr4n publicized the exploit proof-of-concept, Microsoft confirmed that the PoC worked and issued a security advisory that provided some information about the bug. At no time did they acknowledge that they were already aware of the vulnerability; in fact, they said that they were going to investigate the issue.
Much to everyone’s surprise, Microsoft released a patch for the vulnerability merely two weeks after the exploit was released, which earned Microsoft a lot of praise. Praise that, it would seem, was unwarranted.
News item 6: http://www.forbes.com/2009/12/10/adobe-hackers-microsoft-technology-cio-network-software.html?feed=rss_news <Rick>
What would you say is the most hacked software of 2009? According to Forbes, it is Adobe: VeriSign’s bug-tracking division iDefense noted that 45 bugs in Adobe Reader were found this year by either cybersecurity researchers or malicious hackers and then patched. In 2008, iDefense counted 14 Reader bugs, double the number in 2007.
The number of bugs found in Microsoft programs remained pretty much flat or dropped. There were just 30 bugs exposed in 2009 for Internet Explorer, and 41 bugs across all of Microsoft Office, down from 44 in 2008.