Friday, May 29, 2009

Experts: Gumblar attack is alive, worse than Conficker

The previously mentioned Gumblar virus is still running rampant, and worse than ever. Friendly Computers found some useful information about how the virus spreads and how to determine if your machine has been infected. Read more below…

Gumblar, a new attack that compromises Web sites, has added new domain names that are downloading malware onto unsuspecting computers, stealing FTP credentials to compromise more sites, and tampering with Web traffic, a security firm said on Thursday.

The Gumblar attack started in March with Web sites being compromised and attack code hidden on them. The malware downloaded onto those sites came from the gumblar.cn domain, a Chinese domain associated with Russian and Latvian IP addresses that were delivering code from servers in the U.K., ScanSafe said last week.

As Web site operators cleaned up their sites, the attackers replaced the original malicious code with dynamically generated and obfuscated JavaScript, making it difficult for security tools to identify. Attackers also changed the domain to martuz.cn, but now both domains have been shut down, according to ScanSafe.

Because the attackers made changes to the configurations of servers hosting compromised Web sites, they are able to continue controlling them and adding new domains for downloading exploit code onto the computers of visitors to the sites, Mary Landesman, a senior security researcher at ScanSafe, said on Friday. "At some point these attacks (on Web sites) will start again," she said.

Gumblar is building two botnets simultaneously: the botnet of compromised Web sites and a botnet of infected PCs, she said.

Visitors to those compromised sites, if they have JavaScript enabled, are then compromised and join the PC botnet, she said.

The malicious script that is downloaded onto the PCs from a gumblar domain attempts to load exploit code that does several things, according to Landesman. The code automatically opens PDF and Flash files and attempts to exploit vulnerabilities in Adobe's Acrobat Reader and Flash Player. It also injects itself into the Internet Explorer browser and starts intercepting all of the computer's Web traffic, replacing legitimate links in Google search results with links to sites the attackers want the user to visit, she said. Finally, the code steals FTP credentials stored on the computer that can be used to compromise additional Web sites the user may manage.

"It is targeting IE users and Google searches," Landesman said.

The malware targeting the PCs is coming from sites including liteautotop.cn and autobestwestern.cn, among others, according to ScanSafe.

Gumblar was responsible for 37 percent of all malware blocked by ScanSafe during the first two weeks in May and the number of sites compromised grew by more than 3,000 during that same time period, ScanSafe said. It's unclear how many Web sites total it has compromised, but Landesman said it could be in the "high tens of thousands."

The number of individual PCs compromised by Gumblar is also a mystery; however, that number is likely very high too, given that antivirus software in general does a very poor job of detecting Gumblar malware, she said.

ScanSafe contends that Gumblar's behavior is more intrusive than that of Conficker, a worm that spreads via a hole in Windows, through removable storage devices and via network shares with weak passwords, and that also disables security software and installs fake antivirus software.

In addition, Gumblar has extended its propagation capability, ScanSafe said. Once a Conficker infection is remediated, there is no further spread of the worm. However, Gumblar can use the FTP credentials it steals to compromise even more Web sites, potentially exposing many more victims.

To find out if a computer is infected:

1) Locate sqlsodbc.chm in the Windows system folder (by default under Windows XP, the location is C:\Windows\System32\);

2) Obtain the SHA1 of the installed sqlsodbc.chm. FileAlyzer is a free tool that can be used to obtain the SHA1 of a file;

3) Compare the obtained SHA1 to the list located on the ScanSafe STAT Blog;

4) If the SHA1 and corresponding file size do not match with a pair on the reference list, it could be an indication of a Gumblar infection.
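The four steps above as a small script (an added example, not code from the article or from ScanSafe): it hashes a file with SHA1, records its size, and reports a match only when both values match the same pair on a reference list, distinguishing a same-size file with a different hash from one that matches nothing. The reference pair and the sample files are constructed for the demo; the real list is on the ScanSafe STAT Blog and is not reproduced here.

```python
"""Check a file's (SHA1, size) pair against a reference list, as in the
Gumblar sqlsodbc.chm check. Added example; reference data is constructed."""
import hashlib
import os
import tempfile
from typing import Iterable, Optional, Tuple

Fingerprint = Tuple[str, int]  # (sha1 hex digest, size in bytes)


def file_fingerprint(path: str) -> Optional[Fingerprint]:
    """Steps 1-2: return (sha1_hex, size) for path, or None if it is absent."""
    if not os.path.isfile(path):
        return None
    digest = hashlib.sha1()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size


def classify(fp: Optional[Fingerprint], reference: Iterable[Fingerprint]) -> str:
    """Steps 3-4: hash AND size must match the same reference pair."""
    if fp is None:
        return "missing"
    ref = set(reference)
    if fp in ref:
        return "match"
    # Same size as a known build but a different hash: the file was altered.
    if any(size == fp[1] for _, size in ref):
        return "size-match-hash-mismatch"
    return "no-match"


def default_location() -> str:
    """Step 1: default path from the article (C:\\Windows\\System32 on XP)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "sqlsodbc.chm")


def fingerprint_bytes(data: bytes) -> Fingerprint:
    return hashlib.sha1(data).hexdigest(), len(data)


# Constructed demo data: a pretend clean CHM and a same-size tampered copy.
# CHM files begin with the magic 'ITSF'; the rest here is filler.
CLEAN_BYTES = b"ITSF" + b"\x00" * 60
TAMPERED_BYTES = b"ITSF" + b"\x00" * 59 + b"\x01"

# Constructed reference list standing in for the ScanSafe pairs.
REFERENCE = {fingerprint_bytes(CLEAN_BYTES)}


def demo() -> dict:
    """Write the constructed samples to a temp dir and classify each one."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("clean.chm", CLEAN_BYTES), ("tampered.chm", TAMPERED_BYTES)):
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = classify(file_fingerprint(path), REFERENCE)
        absent = os.path.join(d, "absent.chm")
        results["absent.chm"] = classify(file_fingerprint(absent), REFERENCE)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
    print("would check:", default_location())
```

On a real machine you would pass `default_location()` to `file_fingerprint()` and the published pairs to `classify()`.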

The most effective way to remedy an infection is to do a full reformat and reinstallation, according to ScanSafe. Passwords or login details that were stored or used on infected machines should also be changed.

Source: http://news.cnet.com/security/?tag=hdr;snav

Thursday, May 28, 2009

Microsoft to patch new DirectX hole

A security flaw in DirectX could allow someone to take complete control of a computer. Friendly Computers thinks this may be of interest to you:

Microsoft on Thursday said it was working on a security patch for a vulnerability in its DirectX streaming media technology in Windows that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.

The remote code execution vulnerability exists in the way Microsoft DirectShow, audio and video sourcing and rendering software, handles supported QuickTime format files, the company said.

"Microsoft is aware of limited, active attacks that use this exploit code," Microsoft's security advisory said. "If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable but all versions of Windows Vista and Windows Server 2008 are not vulnerable, according to the advisory.

For the attack to work, an attacker would have to lure the victim to visit a malicious Web site that hosts the exploit. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

Microsoft said it would release a patch to fix the hole as soon as it is ready for broad distribution. In the meantime, details on a workaround are available here, as well as a "fix it" button.

Source: http://news.cnet.com/security/?tag=hdr;snav

Wednesday, May 27, 2009

Facebook user drops lawsuit over virus


Yesterday, Friendly Computers found out about a man who was suing Facebook because he felt that the site did not protect its users' account information sufficiently when the site was attacked by a virus. Today we find out that he is no longer pursuing the case:

A Florida librarian and activist said on Tuesday that he will drop a civil lawsuit he filed against Facebook alleging that the social network failed to adequately protect users from a virus.

Theodore Karantsalis, of Miami Springs, Fla., was seeking $70.50 from Facebook in the lawsuit, which was filed a week ago in Miami-Dade County court.

"I spoke with FB's law department and the case has been resolved," Karantsalis wrote in an e-mail late Tuesday. "I will file the attached Notice of Dismissal tomorrow. We agreed to add each other as 'friends' and 'poke' each other periodically. Also, FB is going to send me a T-shirt and I'm going to wear it in my profile photo."

Facebook spokesman Barry Schnitt said: "Obviously, we're pleased."

In the lawsuit, Karantsalis had alleged that Facebook breached a "legal duty to exercise at least reasonable care with regard to the safety of its network" on May 14 when it failed to properly contain a virus that spread across the social network. Karantsalis claimed his account was compromised and temporarily disabled and that his photos and friends were not restored.

"We're very interested to hear how he came up with the figure of $70.50," Schnitt wrote in an e-mail to CNET News early on Tuesday. "He's not going to get it but we promise to refund all the money he paid to use Facebook. Seriously, we're glad to know how important Facebook is to Mr. Karantsalis but his account was not disabled, is currently active, and he is using it, so I'm not sure what the problem is."

Karantsalis does have his account back up, but he said he had to manually re-add the photos and friends.

When Karantsalis' account was found to have been compromised nearly two weeks ago, Facebook reset his password and notified him via e-mail, as is the company's standard practice, Schnitt said. Facebook did not delete his photos and friends, he said.

In a phone interview, Karantsalis said the problem started when friends e-mailed and called him on May 14 to tell him that his name on Facebook had been changed to "John Doe" and it was being used to send out spam that directed people to a phishing site with a URL ending in ".im."

He said he does not know how his account was compromised and that he did not fall for a phishing scam. He said he teaches college classes on safe computing practices at Miami Dade College, where he works as assistant library director, according to LinkedIn.

Karantsalis said he arrived at the damages amount by figuring that each of the approximately 250 friends he had to re-add was worth 30 cents.

"Basically, I filed to get their attention," he said before agreeing to drop the suit. "Facebook has failed to respond to my e-mails and my phone calls."

"I'm a librarian and privacy advocate and take extra precautions with regard to safety," he had written in an e-mail to CNET News. "I've used PGP since 1995, an anonymous proxy, etc. If something like this can happen to me, then it's a big deal. FB is underreporting the amount of people affected."

According to a quick glance at Facebook's Statement of Rights and Responsibilities (terms of service, in common parlance), Karantsalis' suit may not have held up in court. It states that claims should be filed in Santa Clara County in California and limits Facebook's liability.

"WE TRY TO KEEP FACEBOOK UP, BUG-FREE, AND SAFE, BUT YOU USE IT AT YOUR OWN RISK," the statement says. "WE DO NOT GUARANTEE THAT FACEBOOK WILL BE SAFE OR SECURE...WE WILL NOT BE LIABLE TO YOU FOR ANY LOST PROFITS OR OTHER CONSEQUENTIAL, SPECIAL, INDIRECT, OR INCIDENTAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS STATEMENT OR FACEBOOK, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES."

One lawyer said that from a legal standpoint Karantsalis' claim was "DOA" (dead-on-arrival).

"Per 47 USC 230, Facebook is not liable for third-party conduct and has no legal duty to protect its users from third party-caused harms," Eric Goldman, an associate professor at the Santa Clara University School of Law and director of the High Tech Law Institute, wrote in an e-mail. "There are at least two federal appellate cases supporting this proposition. See Green v. AOL (AOL not liable for user-posted virus placed into AOL chatroom); and Doe v. MySpace (MySpace had no obligation to police its premises to prevent users from harming each other)."

"If anything, Karantsalis might be on the hook to Facebook for filing such a meritless lawsuit," he said.

Karantsalis, who is also a journalist and blogger, has a history of filing lawsuits. He sued the city of Miami Springs for allegedly violating the Americans with Disabilities Act for not providing sufficient access to roads and sidewalks. (He has multiple sclerosis.) Karantsalis also won more than $750 in damages and court fees after suing Sprint and Wells Fargo when his Sprint invoice and personal data were exposed to a stranger who banks online at Wells Fargo (Karantsalis does not bank there). In addition, he sued the U.S. Defense Department and Air Force under the Freedom of Information Act for information on the 1986 U.S. raid on Libya.

Asked to comment on his litigious background, Karantsalis said he has acted to protect his privacy when corporations negligently exposed his personal information. In other cases, he said he tries to "fight for the underdog" and is an advocate for the Multiple Sclerosis Society.

Meanwhile, Facebook, founded in 2004, has had its share of viruses and other scams. In the latest incident, for instance, the site was hit by a combined phishing/drive-by-download attack which stole log-in information and downloaded the Koobface worm and other malware onto computers on Thursday.

Source: http://news.cnet.com/security/?categoryId=9729342&tag=rtcol;tags

Tuesday, May 26, 2009

Facebook sued by user over virus

A while ago we posted that Facebook had been attacked by a virus. One user feels that Facebook should have taken better steps to protect his user account. Friendly Computers wonders if more people now feel that Facebook is coming up short when it comes to protecting its users' personal information:

A Florida librarian and activist has filed a civil lawsuit against Facebook alleging that the social network failed to adequately protect users from a virus.

Theodore Karantsalis, of Miami Springs, Fla., is seeking $70.50 from Facebook in the lawsuit, which was filed a week ago in Miami-Dade County court.

Facebook breached a "legal duty to exercise at least reasonable care with regard to the safety of its network" on May 14 when it failed to properly contain a virus that spread across the social network, the lawsuit alleges. Karantsalis claims his account was compromised and temporarily disabled and that his photos and friends were not restored.

"We're very interested to hear how he came up with the figure of $70.50," Facebook spokesman Barry Schnitt wrote in an e-mail to CNET News. "He's not going to get it but we promise to refund all the money he paid to use Facebook. Seriously, we're glad to know how important Facebook is to Mr. Karantsalis but his account was not disabled, is currently active, and he is using it, so I'm not sure what the problem is."

Karantsalis does have his account back up, but he said he had to manually re-add the photos and friends.

When Karantsalis' account was found to have been compromised nearly two weeks ago, Facebook reset his password and notified him via e-mail, as is the company's standard practice, Schnitt said. Facebook did not delete his photos and friends, he said.

In a phone interview, Karantsalis said the problem started when friends e-mailed and called him on May 14 to tell him that his name on Facebook had been changed to "John Doe" and it was being used to send out spam that directed people to a phishing site with a URL ending in ".im."

He said he does not know how his account was compromised and that he did not fall for a phishing scam. He said he teaches college classes on safe computing practices at Miami Dade College, where he works as assistant library director, according to LinkedIn.

Karantsalis said he arrived at the damages amount by figuring that each of the approximately 250 friends he had to re-add was worth 30 cents.

"Basically, I filed to get their attention," he said. "Facebook has failed to respond to my e-mails and my phone calls."

"I'm a librarian and privacy advocate and take extra precautions with regard to safety," he wrote in an e-mail to CNET News. "I've used PGP since 1995, an anonymous proxy, etc. If something like this can happen to me, then it's a big deal. FB is underreporting the amount of people affected."

According to a quick glance at Facebook's Statement of Rights and Responsibilities (terms of service, in common parlance), Karantsalis' suit may not hold up in court. It states that claims should be filed in Santa Clara County in California and limits Facebook's liability.

"WE TRY TO KEEP FACEBOOK UP, BUG-FREE, AND SAFE, BUT YOU USE IT AT YOUR OWN RISK," the statement says. "WE DO NOT GUARANTEE THAT FACEBOOK WILL BE SAFE OR SECURE...WE WILL NOT BE LIABLE TO YOU FOR ANY LOST PROFITS OR OTHER CONSEQUENTIAL, SPECIAL, INDIRECT, OR INCIDENTAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS STATEMENT OR FACEBOOK, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES."

Karantsalis has a history of filing lawsuits. He sued the City of Miami Springs for allegedly violating the Americans with Disabilities Act for not providing sufficient access to roads and sidewalks. (He has multiple sclerosis.) Karantsalis also won more than $750 in damages and court fees after suing Sprint and Wells Fargo when his Sprint invoice and personal data were exposed to a stranger who banks online at Wells Fargo (Karantsalis does not bank there). In addition, he sued the U.S. Defense Department and Air Force under the Freedom of Information Act for information on the 1986 U.S. raid on Libya.

Asked to comment on his litigious background, Karantsalis said he has acted to protect his privacy when corporations negligently exposed his personal information. In other cases, he said he tries to "fight for the underdog" and is an advocate for the Multiple Sclerosis Society.

Meanwhile, Facebook, founded in 2004, has had its share of viruses and other scams. In the latest incident, for instance, the site was hit by a combined phishing/drive-by-download attack which stole log-in information and downloaded the Koobface worm and other malware onto computers on Thursday.


Source: http://news.cnet.com/8301-1009_3-10249301-83.html?tag=mncol

Friday, May 22, 2009

Computer Virus Strikes FBI, U.S. Marshals: Report


Even the FBI is not safe from viruses! Friendly Computers recommends installing anti-virus software and keeping it constantly updated. Read what U.S. Marshals reported:

In one of his many memorable skits, my favorite comedian, the late George Carlin, lists “Things you don’t want to hear,” and this gem is among them:

“Well, Jim, there’s no reason why you shouldn’t live another 50 to 60 years. However, you will be bleeding constantly from both eyes.”

If you’re a federal law enforcement official who is charged with protecting the kind of ultra-confidential information that increasingly travels through computer networks, I imagine the equivalent of that bad news for Jim goes something like this:

“A mysterious computer virus has infected your networks and forced both the FBI and U.S. Marshals to shut down.”

Yet that’s pretty much what happened this week, according to Devlin Barrett of the Associated Press.

Officials at the U.S. Marshals reportedly confirmed that they disconnected from Justice Department computers after the virus hit, and the FBI conceded that the agency also was having a problem.

Here’s what FBI spokesman Mike Kortan told Barrett: “We too are evaluating a network issue on our external, unclassified network that’s affecting several government agencies.”

What those agencies are he would not say, according to Barrett.

Yet the incident points to a disturbing phenomenon that deserves some thought. It is the business world, not the U.S. government, that leads the industry when it comes to developing new technology to cut costs, boost communications and increase efficiency, and it’s the private sector that often is ahead of the curve when it comes to detecting cybercriminals’ activity.

Consider: At about 76 percent of all phishing attacks, software represents the largest doorway that cybercriminals such as hackers use to enter computer users’ systems and steal confidential information. And one Cupertino, California-based security, storage and systems management solutions provider – Symantec Corp. – recently reported that it’s seeing malicious code grow at a record pace.

In recent weeks, more and more home and small office computers have seen their networks compromised by Internet security attacks that gain traction through the devices that many of us use to make our home-surfing lives more portable: routers. (To try and preempt the attacks, one Fountain Valley, California-based company recently launched a new system that prevents malicious software by detecting whether responses are generated by humans or computers.)

According to Stephen Trilling, vice president of Symantec’s security technology and response group, the company is seeing attackers shift away from mass distribution of a few threats to micro-distribution of millions of distinct threats.

“Cybercriminals are profiting from creating and distributing customized threats that steal confidential information, particularly bank account credentials and credit card data,” Trilling said. “While the above ground economy suffers, the underground economy has remained consistently steady.”

That recalls some of what TMCnet heard recently from the world’s largest maker of computer networking gear. Officials at Cisco Systems Inc. say that cyber-criminals’ attacks are becoming more targeted and sophisticated.

This latest problem apparently started yesterday morning, for both the Marshals and the FBI. No data was compromised, officials said.

The type of virus that caused the shut-down and its origin are not clear, they said.

“In Thursday’s incident, the Marshals Service shut down its Internet access and some e-mail while staff worked on the problem,” Barrett reports. “The FBI made similar moves to protect its system.”

Source: http://sip-trunking.tmcnet.com/topics/security/articles/56645-computer-virus-strikes-fbi-us-marshals-report.htm

Thursday, May 21, 2009

Deja vu: New phishing scam hits Facebook

Friendly Computers wants to make sure that your Facebook account will be protected from a new phishing scam. More information is below…

A new phishing scam is hitting Facebook users on Thursday, sending them to a Web site designed to steal their log-in information, according to a report.

Facebook users are receiving messages from friends with a subject line of "Hello" and a prompt to check out "areps.at" or another site ending in .at.

If you log in to the site, it steals your email and password, logs you into Facebook and automatically changes your password and sends the same message to all your Facebook friends, according to the All Facebook blog.

"Whoever is behind the scam has been steadily amassing a large number of email addresses and passwords over the past few weeks," the blog says. "Some days as much as three scams will spread throughout the site (possibly even more). Facebook rapidly shuts down all references to the site but by then the scam has spread to thousands of users."

The phishing URLs were blocked by Firefox and flagged as a "Web Forgery" as of 9:50 a.m. PDT. One of them was still up and downloading malware on Internet Explorer.

A Facebook spokesman did not immediately return a call and e-mails seeking comment.

Separately, some Facebook users reported difficulty accessing the site on Thursday morning. It was unclear whether the connectivity issues were related to the phishing scam.

Source: http://news.cnet.com/8301-1009_3-10246536-83.html?tag=newsLatestHeadlinesArea.0

Wednesday, May 20, 2009

DPS blames computer virus for delay

Everyone knows that renewing your driver’s license is not always fun. Friendly Computers found out that a computer virus caused a big delay in Houston. Read more below…

The Texas Department of Public Safety is blaming a computer virus for a six-week delay in processing new and renewed driver’s licenses.

Agency spokeswoman Tela Mange says the Conficker virus, which struck the Department on April 15, forced a delay in a planned upgrade to the driver’s license system. That upgrade, called the “Drivers License Re-engineering” project, was supposed to be completed in three days last month. Instead, Mange says it will not be finished until later this week.

For drivers, this means the typical 10 to 15 day waiting period to get a license is now four to six weeks. The Department’s temporary permits, which drivers receive when they apply for a renewal online or in person, will now last for 45 days.

As a temporary measure, Mange says the DPS has asked local law enforcement agencies to double-check expired licenses in traffic stops against a computer database, to see if a driver has applied for a new license but has not yet received it. DPS is also issuing temporary paper licenses that last for 45 days.

Customers outside one of Houston’s DPS offices say that employees told them it will take anywhere from two to eight weeks to receive a new license.

Phone lines at the Department’s Austin headquarters are jammed with people checking on the status of their licenses, Mange said. When 11 News tried to reach an operator Monday, the automated system repeatedly told callers to hang up and try back later, because no one was available. There was also no mention of the delay on the DPS website.

State Rep. Lois Kolkhorst, R-Brenham, says she is not surprised that DPS is having computer problems.

Kolkhorst’s bill to upgrade computer systems at DPS has passed the Texas House and is awaiting a vote in the state Senate.

“This is the pattern that we have been seeing with the department,” she said. “We need a major overhaul. We’re asking the system to do more than it is probably capable of doing.”

Mange says that the computer problems that caused the delay should be resolved by Friday. She says at that point, the bulk of the delay will be behind them and licenses should take about 20 days to reach drivers.

Source: http://www.khou.com/news/local/stories/khou090518_jj_drivers-licenses-renewal-changes.16b2f560.html