Sunday, October 11, 2009

A weekend of Old News

Adobe



I'm not sure whose idea it was that we should be able to execute Javascript inside a PDF or Flash file, but we continue to see this exploited. Let's review:

In February 2009, Kevin Haley from Symantec warned that the Adobe PDF reader had an unpatched bug that was being exploited in the wild.
Adobe acknowledged this in a February 19th security advisory.

In April 2009, Computerworld shared a warning from David Lenoe of Adobe urging people to disable Javascript, saying "All currently supported shipping versions of Adobe Reader and Acrobat, 9.1, 8.1.4, and 7.1.1 and earlier, are vulnerable to this issue.

In May 2009, SANS Internet Storm Center warned that the current version of Adobe Flash Player (9.0.124.0) was vulnerable to a similar exploit.

In July 2009, SANS advised of "YA0D" or "Yet Another 0-Day" in Adobe Flash Player.

And finally we get to this week . . . on October 8th, Adobe again released a security advisory, which could be paraphrased as: "hey! if you run our program, you may get owned. We'll patch it next week," advising that a patch would be released on October 13th.

You know, rather than warning us every sixty days that its dangerous to run Javascript in their programs, perhaps Adobe would consider turning it off by default?

IRS Zeus / Zbot continues


Another day, another million dollars stolen by the Russians. This weekend the fake IRS websites are continuing to be a top spam category with more than 56 new websites pretending to be the Internal Revenue Service.

The current malware is still undetected by most anti-virus products, and as always, it changes on an almost daily basis. The current version was first seen Saturday morning, and only 4 of 41 anti-virus products detected that version. Its now up to 12 of 41 according to this current VirusTotal Report for MD5 fb9580be8bcdca37cc377e365365d4de which is 90,112 bytes in size.

Here are the websites we've seen spammed over the past few days according to the UAB Spam Data Mine:

Those spammed on October 9th . . .

www.irs.gov.beffaxsde.eu
www.irs.gov.bezfalsdo.eu
www.irs.gov.bezfazsda.eu
www.irs.gov.brtferho.eu
www.irs.gov.brtferhx.eu
www.irs.gov.brtferhy.eu
www.irs.gov.byugggb.com
www.irs.gov.byugggb.net
www.irs.gov.byugggk.com
www.irs.gov.byugggk.net
www.irs.gov.byugggl.com
www.irs.gov.byugggl.net
www.irs.gov.byugggm.com
www.irs.gov.byugggm.net
www.irs.gov.byugggr.com
www.irs.gov.byugggr.net
www.irs.gov.byugggu.com
www.irs.gov.byugggu.net
www.irs.gov.feraaaz.eu
www.irs.gov.feraaze.eu
www.irs.gov.gerfas1k.com
www.irs.gov.gerz1der.cn
www.irs.gov.gerz1der.com
www.irs.gov.gerz1der.net
www.irs.gov.gerzfdek.cn
www.irs.gov.gerzfdek.com
www.irs.gov.gerzfdek.net
www.irs.gov.linners.cz
www.irs.gov.oiiiterqa.cn
www.irs.gov.oiiiterqa.com
www.irs.gov.oiiiterqa.eu
www.irs.gov.oiiiterqq.cn
www.irs.gov.oiiiterqq.com
www.irs.gov.oiiiterqr.cn
www.irs.gov.oiiiterqr.com
www.irs.gov.oiiiterqw.eu
www.irs.gov.oiiiterqz.cn
www.irs.gov.oiiiterqz.com
www.irs.gov.oiiiterqz.eu
www.irs.gov.oyicoemqu.eu
www.irs.gov.oyicoerqz.eu
www.irs.gov.oyiioerql.eu
www.irs.gov.qazseek.eu
www.irs.gov.qazseep.eu
www.irs.gov.qazsewe.eu
www.irs.gov.qazsewl.eu
www.irs.gov.qazsewm.cn
www.irs.gov.qazsewx.eu
www.irs.gov.qazskem.eu
www.irs.gov.qazsxek.eu
www.irs.gov.refdree.eu
www.irs.gov.refdref.eu
www.irs.gov.refdrek.eu
www.irs.gov.refdrem.eu
www.irs.gov.yxeeddlrp.eu


Those spammed on October 10th . . .

www.irs.gov.brtferho.eu
www.irs.gov.brtferhv.eu
www.irs.gov.brtferhx.eu
www.irs.gov.brtferhy.eu
www.irs.gov.byugggb.com
www.irs.gov.byugggb.net
www.irs.gov.byugggk.com
www.irs.gov.byugggk.net
www.irs.gov.byugggl.com
www.irs.gov.byugggl.net
www.irs.gov.byugggm.com
www.irs.gov.byugggm.net
www.irs.gov.byugggr.com
www.irs.gov.byugggr.net
www.irs.gov.byugggu.com
www.irs.gov.byugggu.net
www.irs.gov.feraaaz.eu
www.irs.gov.feraaze.eu
www.irs.gov.gerfas1k.com
www.irs.gov.gerz1der.cn
www.irs.gov.gerz1der.com
www.irs.gov.gerz1der.net
www.irs.gov.gerzfdek.cn
www.irs.gov.gerzfdek.com
www.irs.gov.gerzfdek.net
www.irs.gov.linners.cz
www.irs.gov.refdree.eu
www.irs.gov.refdref.eu
www.irs.gov.refdrek.eu
www.irs.gov.refdrem.eu

Those spammed on October 11th . . .

www.irs.gov.brtferho.eu
www.irs.gov.brtferhv.eu
www.irs.gov.brtferhx.eu
www.irs.gov.brtferhy.eu
www.irs.gov.byugggb.com
www.irs.gov.byugggb.net
www.irs.gov.byugggk.com
www.irs.gov.byugggk.net
www.irs.gov.byugggl.com
www.irs.gov.byugggl.net
www.irs.gov.byugggm.com
www.irs.gov.byugggm.net
www.irs.gov.byugggr.com
www.irs.gov.byugggr.net
www.irs.gov.byugggu.com
www.irs.gov.byugggu.net
www.irs.gov.feraaaz.eu
www.irs.gov.feraaze.eu
www.irs.gov.gerz1der.cn
www.irs.gov.gerz1der.com
www.irs.gov.gerz1der.net
www.irs.gov.gerzfdek.cn
www.irs.gov.gerzfdek.com
www.irs.gov.gerzfdek.net
www.irs.gov.linners.cz
www.irs.gov.refdree.eu
www.irs.gov.refdref.eu
www.irs.gov.refdrek.eu
www.irs.gov.refdrem.eu


Comcast raises the bar for ISP Behavior


There is one new news item I wanted to call attention to this weekend. According to Brian Krebs "Security Fix" column in the Washington Post Comcast, the largest residential Internet Service Provider, is beginning a new program to alert home PC users who might be infected with malicious bot software.

Good job, Comcast! If we can get more Internet Service Providers monitoring for malicious software, we could dramatically reduce the number of infected computers. We look forward to hearing how this initiative impacts your customers!

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.