-
Archive for the ‘Security’ Category
- Feb 16th, 2008
-
How to Remove Win32 AutoRun Worm - Funny UST Scandal - XMSS.exe
Yesterday I got a new type of “Stupid Worm” hidding in background as xmss.exe. It copied itself on Local disk and Windows Directory (%Windir%). Terminated “Windows Task Manager”, Windows Command Prompt (DOS-Prompt) & crashed System Internal Process Explorer (procxp.exe).Its not a funny video
According to McAfee, this worm is known as W32/Autorun.worm.g.
It can propagate itself over removable media and network drives and cause execution of malicious code via an autorun.inf file.
- Feb 14th, 2008
-
Blackhat SEO Spammer targeting High PR WordPress Blog
I’ve been monitoring mattheaton.com “wordpress.net.in goro spam injections” for this past few months. Noticeably, the blackhat spamming method is changing dramatically. For those who are still unaware of Wordpress Goro Spam please read my earlier post → Wordpress.net.in Spam injection& Gaming Bluehost & Hostmonster CEO’s Blog.thinkingphp.org (PR6) & jensfrake.com (PR7) has been hijacked by “Wordpress Blackhat SEO Spammer” for this month. Both sites were running on WordPress 2.3.2.
By now the <div id=”goro”> signature has been replaced with “Inline CSS” wrapper.
Cloacking Check on Mattheaton.com
- Normal Browser
- 32,246 characters - mattheaton-com-source.txt
- Google bot
- 34,646 characters - mattheaton-com-googlebot-source.txt
- Difference
- 2,400 characters
- Feb 10th, 2008
-
Firefox 2.0.0.12 Information Leak Vulnerability
We are going to see Firefox 2.0.0.13 probably by end of this week. Check out this directory transversal code using view-sources: & resource: scheme
view-source:resource:///
translate to file:///C:/Program%20Files/Mozilla%20Firefox/You can read/include firefox pref settings with this code. <script src=”view-source:resource:///greprefs/all.js”></script>
Workaround
Install No-script Add-ons.
- Feb 9th, 2008
-
Adobe Acrobat, Acrobat 3D & Reader Multiple Vulnerabilities
A JavaScript Buffer Overflow in Adobe Acrobat, Acrobat 3D & Reader allowed remote attacker to execute arbitrary code. The code will run with the privileges of the target user opening the PDF document. Excerpt from iDefense Public Advisory;
Adobe Reader and Acrobat implement a version of JavaScript in the EScript.api plug-in which is based on the reference implementation used in Mozilla products. One of the methods exposed allows direct control over low level features of the object, which in turn allows execution of arbitrary code.
Workaround
Disabled Adobe Reader & Acrobat JavaScript. Perform Update ↓
Update -Adobe Acrobat & Reader version 8.1.2
Adobe released version 8.1.2 of Adobe Reader, Acrobat & Acrobat 3D to address
these vulnerabilities.- Adobe Reader 7 and 8 users update to Adobe Reader 8.1.2
- Acrobat 8 users on Windows update to Acrobat 8.1.2
- Acrobat 8 users on Macintosh update to Acrobat 8.1.2
- Acrobat 3D version 8 users on Windows update to Acrobat 3D version 8.1.2
These vulnerabilities were discovered by Greg MacManus of VeriSign iDefense Labs.
- Feb 6th, 2008
-
Daily Hacking Attemps on blog.kakkoi.net - Feb 6th, 2008
Today’s we just upgrade from WordPress 2.3.2 to 2.3.3 security release. There is 21 attack (script injections) on blog.kakkoi.net from 3 known bot-herder scripts ↓. The first attacker is from 212.24.62.200 → udkado.ru masking their useragent as Googlebot (a real human?). The were playing with my 302.curie redirect page at blog.kakkoi.net/uri/. I send the attacker data to abuse network and IronPort. The next few hours we received 20 attack from the same bot-herder. They probably has a large scale of DDNS (china → korea → us ). Noticeably the scans pattern is predictable. From our Feb 5th attack all these botnet is targeting certain search keywords security, injection so we setup a honey-pot right on that particular URL.
(more…)
