Gameover malware is tougher to kill with new rootkit component

ID: IRCNE2014032121
Date: 2013-03-02

According to "computerworld", a new variant of the Gameover malware that steals online banking credentials comes with a kernel-level rootkit that makes it significantly harder to remove, according to security researchers from Sophos.
Gameover is a computer Trojan based on the infamous Zeus banking malware whose source code was leaked on the Internet in 2011. Gameover stands apart from other Zeus-based Trojan programs because it uses peer-to-peer technology for command and control instead of traditional servers, making it more resilient to takedown attempts.
At the beginning of February, researchers from security firm Malcovery Security, reported that a new variant of Gameover was being distributed as an encrypted .enc file in order to bypass network-level defenses. However, the latest trick from the Gameover authors involves using a kernel rootkit called Necurs to protect the malware's process from being terminated and its files from being deleted, researchers from Sophos said Thursday in a blog post.
The latest Gameover variant is being distributed through spam emails purporting to come from HSBC France with fake invoices in .zip attachments. These attachments don't contain the Gameover Trojan program itself, but a malicious downloader program called Upatre which, if run, downloads and installs the banking malware.
If this first stage of the infection is successful, the new Gameover variant attempts to install the Necurs rootkit which operates as a 32-bit or 64-bit driver depending on the Windows version used by the victim. The malware tries to exploit a Windows privilege escalation vulnerability patched by Microsoft in 2010 in order to install the Necurs driver with administrator privileges.
If the system is patched and the exploit fails, the malware triggers a User Account Control (UAC) prompt to ask the victim for administrator access. The UAC prompt should look suspicious considering the user opened what he believed to be an invoice, the Sophos researchers said.
However, if the user confirms the execution anyway or the exploit is successful in the first place, the rogue driver starts protecting the Gameover components.
"The rootkit greatly increases the difficulty of removing the malware from an infected computer, so you are likely to stay infected for longer, and lose more data to the controllers of the Gameover botnet," the Sophos researchers said.
According to a recent report from Dell SecureWorks, Zeus variants accounted for almost half of all banking malware seen in 2013.
In addition to stealing online banking credentials and financial information, cybercriminals are increasingly using such malware to collect other types of data.

Related Link:
Hackers use '.enc' trick to deliver Zeus banking malware

Attacks exploiting the unpatched IE vulnerability are spreading

ID: IRCNE2014032120
Date: 10/12/92

The number of attacks exploiting the unpatched IE vulnerability is rising sharply, which shows that the vulnerability is no longer exploited only in targeted attacks but in other attacks as well.
The vulnerability affects IE versions 9 and 10 and was publicly disclosed on February 13 by security researchers at FireEye.
Microsoft published a security advisory for this vulnerability, tracked as CVE-2014-0322, and released a temporary Fix It tool for it. However, the company has not yet released a permanent patch for the problem through the Windows Update channel.
These attacks, reported by security companies, are known as "watering hole attacks" because they target websites visited by particular groups of people; those people are the attackers' targets.
A Symantec security researcher wrote in a blog post: we are closely monitoring attacks based on CVE-2014-0322. We have observed that the trend of these attacks has shifted from targeted attacks toward broader attacks on Internet users as well.
According to Symantec's data, the number of attacks exploiting this vulnerability has increased sharply since February 22 and has affected users around the world, including in North America, Europe, Asia and the Middle East.
If the attack succeeds, a banking Trojan can steal login credentials for certain banks.
Users should upgrade IE to version 11, which is not affected by this vulnerability, or install the temporary Fix It that Microsoft has released.

Windows 7 and XP vulnerabilities rose in 2013

ID: IRCNE2014032119
Date: 10/12/92

According to a report recently published by Secunia, the number of vulnerabilities discovered in Windows 7 and XP in 2013 doubled compared with 2012, and the number of flaws reported in Windows 8 is also high.
Danish security company Secunia said in its report that 102 vulnerabilities were discovered in Windows 7 and 99 in Windows XP in 2013, compared with 50 and 43 respectively in 2012. Windows 8 had the most reported vulnerabilities, but Secunia said that 55 of the 156 vulnerabilities discovered in Windows 8 were due to the bundling of Adobe Flash Player with the IE browser.
Secunia published the software vulnerability data in its annual report, which covers the 50 most commonly used programs and operating systems.
In this table Microsoft came third, after Windows Media Player and IE. Adobe came fifth with its Flash Player and seventh with its Reader. Oracle occupied tenth place with its Java platform.
According to Secunia's annual report, 86 percent of the vulnerabilities discovered in these 50 software products were fixed by a patch on the same day the vulnerability was disclosed.
Other programs supplied by various vendors accounted for 76 percent of the vulnerabilities in the 2013 top-50 table. This figure is about 10 percent lower than in 2012.
The report mentions only 10 zero-day vulnerabilities that are currently being exploited and for which no patch has yet been released.

IE zero-day exploit being used in widespread attacks

ID: IRCNE2014032120
Date: 2013-03-01

According to "computerworld", the number of attacks exploiting a yet-to-be-patched vulnerability in Internet Explorer has increased dramatically over the past few days, indicating the exploit is no longer used just in targeted attacks against particular groups of people.
The vulnerability affects Internet Explorer 9 and 10 and was publicly revealed on Feb. 13 by researchers from security firm FireEye who found an exploit for the flaw being served from the Veterans of Foreign Wars (VFW) website.
Microsoft published a security advisory about the vulnerability, which is tracked as CVE-2014-0322, and released a "Fix It" tool as a temporary workaround. However, the company has not yet released a regular patch through the regular Windows update channel.
The attacks reported by FireEye and Websense are known as "watering hole attacks" because they involve compromising websites visited by particular groups of people that attackers wish to target -- in these particular cases U.S. military personnel and French defense contractors.
"We have continued to closely monitor attacks focusing on CVE-2014-0322," security researchers from Symantec said Tuesday in a blog post. "We've observed trends suggesting that attacks targeting this vulnerability are no longer confined to advanced persistent threats (APT) -- the zero-day attacks are expanding to attack average Internet users as well."
According to Symantec's telemetry data, the number of attacks that exploit this vulnerability increased dramatically since Feb. 22 and affected users in many parts of the world, including North America, Europe, the Middle East and Asia.
"If the attack is successful, the exploit drops a banking Trojan that steals login details from certain banks," the Symantec researchers said.
Users should either upgrade to Internet Explorer 11, which is not affected by this vulnerability, or install the Fix It solution provided by Microsoft.

Windows 7 and XP vulnerabilities rose in 2013

ID: IRCNE2014032119
Date: 2013-03-01

According to "computerworld", the number of vulnerabilities found in Microsoft's Windows 7 and XP operating systems doubled last year over 2012, with the highest number of flaws reported in Windows 8, according to new research from Secunia.
The Denmark-based security company said 102 vulnerabilities were found in Windows 7 in 2013 and 99 in XP, up from 50 and 49 vulnerabilities respectively in 2012.
Windows 8 had the most vulnerabilities, at 156, but Secunia said that was due to the integration of Adobe Systems' Flash Player into the Internet Explorer browser, which accounted for 55 of those problems.
Secunia released the data in its annual report on software vulnerabilities, which looks at the 50 most commonly used programs and operating systems.
Microsoft took the first three spots in the list with its XML Core Services, followed by Windows Media Player and Internet Explorer. Adobe came in fifth place with its Flash Player and seventh place with Reader. Oracle occupied the number ten spot with its Java platform.
Eighty-six percent of the vulnerabilities found in the top 50 software products had a patch available on the day the vulnerability was disclosed, Secunia said.
Third-party programs, which are made by a variety of vendors, contained about 76 percent of the vulnerabilities in the top 50 programs in 2013. That's down from 86 percent in 2012, according to the report.
Secunia found only 10 zero-day vulnerabilities, which are those actively being exploited that don't have a patch, in its top 50 portfolio.

Poor SSH key management is the cause of serious risks at many companies

ID: IRCNE2014022115
Date: 07/12/92

Many companies are exposed to serious threats because the SSH cryptographic keys used to authenticate people's access to internal systems and critical services are not well managed.
Research by the Ponemon Institute among 2,100 system administrators at more than 2,000 companies worldwide shows that three out of four companies are vulnerable to root-level attacks, and this vulnerability is due to improper management of SSH keys.
Although more than 50 percent of the surveyed companies had experienced attacks related to SSH keys, 53 percent of them said they still had no unified management of these keys, and 60 percent said they had no way of detecting new keys generated in the organization. About 46 percent also said they had never changed their SSH keys.
According to the report published by the Ponemon Institute, these findings show that there is a significant gap in organizations' security controls.
SSH keys allow network administrators to connect to a system remotely through a secure encrypted tunnel. Network administrators also use these keys to access the organization's database systems, application servers, cloud systems and security systems. The keys are also used to authenticate machines running automated processes and services.
SSH keys never expire, which means that once a key has been used to authenticate access to a system, the same key can be used forever unless the network administrator changes it. If a hacker obtains an unsecured SSH key, they can gain access to the servers and services that use that key, and can then use that access to obtain more keys on the network and reach other systems as well.
Since SSH keys are created at the system-administrator level, full access to the organization's systems can allow a hacker to gain complete control of a system while the attack remains undetectable.
The study found that large companies have tens of thousands of SSH keys on their networks, and most of them are poorly managed. Most companies know little about the presence of these keys on their networks and consequently cannot manage them well.
To address this problem, companies must determine where SSH is used and how many keys exist across the network. They must then find a way to manage them so that keys are kept on the appropriate servers, and put a process in place so that the keys are automatically changed at set intervals.

Apple issues many security updates for OS X, including Lion and Mountain Lion

ID: IRCNE2014022118
Date: 2013-02-26

According to "zdnet", in addition to fixing a high-priority bug in SSL/TLS and shipping numerous feature tweaks and fixes, Apple released a large number of security fixes today to OS X, Safari and QuickTime for Windows.
There were 33 vulnerabilities patched in OS X, four in Safari and 10 in QuickTime for Windows.
Surprisingly, in addition to patching the current version OS X 10.9 (Mavericks), updates were also released for OS X 10.7.x (Lion) and OS X 10.8.x (Mountain Lion). In the time since it released Mavericks in October, Apple has disclosed but not patched dozens of vulnerabilities in Mountain Lion. This policy appears to have changed, but most of the previously unpatched vulnerabilities remain unpatched, according to Apple's disclosures.
Many of the OS X vulnerabilities are quite severe. Apple has a good deal of experience with this vulnerability, having now patched it on 8 separate occasions in different programs:

  • Ruby in Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4
  • curl in Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3
  • Apache in Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
  • Apple TV 4.0 through 4.3
  • Data Security in iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad
  • CFNetwork SSL and python in OS X 10.6.x through 10.8.5
  • neon (XCode) for OS X Lion v10.7.4 and later
  • Secure Transport for OS X Mountain Lion v10.8.5

The remaining vulnerabilities include many with which an attacker could execute privileged code, intercept confidential data or modify files. One vulnerability could allow an unprivileged user to change the system clock.
Four vulnerabilities were patched in Safari for Lion, Mountain Lion and Mavericks. All four are in the Webkit browser engine, and are memory corruption vulnerabilities with which an attacker could execute arbitrary code by getting the user to visit a malicious web site.
All ten vulnerabilities in QuickTime for Windows could allow remote code execution if the user plays a malicious movie file.

Related Links:
Apple promises to fix OS X encryption flaw 'very soon'

Android malware using TOR anonymity network makes a debut

ID: IRCNE2014022117
Date: 2013-02-26

According to "techworld", Kaspersky Lab has spotted malware for the Android mobile operating system employing the TOR anonymity network.
TOR, short for The Onion Router, is software that offers users a greater degree of privacy when browsing the Internet by routing encrypted traffic between a user and a website through a network of worldwide servers. TOR can also be used to host websites on a hidden network.
The Android malware uses a TOR website as a command-and-control server, wrote Roman Unuchek of Kaspersky. Command-and-control servers are used to send instructions to the malware.
Adding TOR functions to desktop malware programs is nothing new. The latest finding shows hackers are increasingly targeting powerful mobile devices, which often hold valuable personal data. The malware can intercept SMS messages, collect other data such as the user's phone number, the device's IMEI and the country where the device is located, and request GPS coordinates.
Unuchek wrote that using a TOR site as a command-and-control server makes it "impossible to shut down."
The malware, which Kaspersky calls "Backdoor.AndroidOS.Torec.a" uses a package of software, called Orbot developed by The TOR Project that enables TOR on Android.
"We recommend keeping an eye out for any data usage increases from your mobile device, over-power consumption (running a constant TOR connection will no doubt drain your battery faster than otherwise) and any other kinds of odd behavior," Kujawa wrote.

New security flaw opens iPhone, iPads to covert keylogging

ID: IRCNE2014022116
Date: 2013-02-26

According to "zdnet", researchers claim to have discovered another vulnerability which could allow hackers to log your keystrokes before sending such data to a remote server.
First spotted by Ars Technica, the security team at FireEye has developed a proof-of-concept application which could, in theory, run in the background of your mobile device and log your keystrokes without your knowledge.
In a blog post, the researchers say that this background monitoring can take place on both jailbroken and non-jailbroken devices running iOS 7.
FireEye says that this type of "flaw" could be used by potential attackers in order to break into user accounts and spy on them, by duping them into downloading a malicious application, conducting a phishing campaign, or by exploiting another remote vulnerability of an application.
Furthermore, FireEye states that disabling iOS 7's "background app refresh" feature will not block the vulnerability, as it can still be bypassed.
The latest scrutiny of Apple security comes as the tech giant quickly released a patch last Friday for an overlooked SSL encryption flaw which left iPhone, iPad and Mac devices open to man-in-the-middle (MITM) attacks.

Related Links:
Apple promises to fix OS X encryption flaw 'very soon'
Apple security update fixes iOS vulnerability

Poorly managed SSH keys pose serious risks for most companies

ID: IRCNE2014022115
Date: 2013-02-26

According to "computerworld", many companies are dangerously exposed to threats like the recently revealed Mask Advanced Persistent Threat because they don't properly manage the Secure Shell (SSH) cryptographic keys used to authenticate access to critical internal systems and services.
A Ponemon Institute survey of more than 2,100 systems administrators at Global 2000 companies discovered that three out of four enterprises are vulnerable to root-level attacks against their systems because of their failure to secure SSH keys.
Even though more than half of the surveyed enterprises had suffered SSH-key related compromises, 53% said they still had no centralized control over the keys and 60% said they had no way to detect new keys introduced in the organizations. About 46% said they never change or rotate SSH keys -- even though the keys never expire.
Those findings reveal a significant gap in enterprise security controls, said Larry Ponemon, founder and CEO of the Ponemon Institute.
SSH keys allow administrators to remotely login to and operate a system via a secure encrypted tunnel. Administrators use such keys to authenticate access to critical database systems, application servers, cloud systems and security systems. SSH keys are also used to authenticate machines running automated processes and services and to protect data in transit.
SSH keys never expire, meaning that once a key is used to authenticate access to a system, the same key can be used in perpetuity unless it is changed. A hacker who acquires an unsecured SSH key can use it to gain access to the server or service to which it is attached and then use that access to try and find more keys for jumping on to other systems in a network.
Because SSH keys provide administrator-level, fully encrypted access to enterprise systems, any compromise of the keys could allow an attacker to gain complete control of a system while they remain hidden from view.
Large enterprises can have tens of thousands of SSH keys on their network -- most of which are poorly managed, said Kevin Bocek, vice president of product marketing and threat research at security vendor Venafi, which commissioned the Ponemon survey.
Companies often have little knowledge about the presence of such keys on their networks and therefore do little to manage them.
To get a handle on the problem, enterprises must figure out where SSH is in use and how many keys might be floating about on their networks. They then need to find a way to correlate the keys back to the appropriate servers, evaluate whether they're needed and put in place a process for automatically changing keys.
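As an added example (not code from the page, Ponemon or Venafi), the following Python script carries out the remediation steps described in both SSH key items above: it parses authorized_keys files gathered from several hosts, fingerprints each key the way `ssh-keygen -l` does, correlates every key to the hosts it opens, and flags weak, unrestricted and reused keys for review. The host names, key material and file contents are constructed for the example.

```python
import base64, hashlib, shlex, struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519"} | {"ecdsa-sha2-nistp%d" % b for b in (256, 384, 521)}

def _read_field(blob, pos):            # one SSH wire-format field: uint32 length + bytes
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + n], pos + 4 + n
def key_bits(ktype, blob):             # key strength: curve size, RSA modulus bits or DSA prime bits
    if ktype == "ssh-ed25519" or ktype.startswith("ecdsa-sha2-nistp"):
        return 256 if ktype == "ssh-ed25519" else int(ktype[-3:])
    _, pos = _read_field(blob, 0)      # skip the key-type string
    if ktype == "ssh-rsa":
        _, pos = _read_field(blob, pos)  # skip the public exponent e
    n, _ = _read_field(blob, pos)      # RSA modulus n or DSA prime p (mpint)
    return int.from_bytes(n, "big").bit_length()
def fingerprint(blob):                 # same form as `ssh-keygen -l -E sha256`: unpadded base64 of SHA-256
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
def parse_authorized_keys(text):
    """Yield (options, key type, decoded blob, comment) for each key line."""
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)     # keeps quoted option values in one field
        options = "" if fields[0] in KEY_TYPES else fields.pop(0)
        ktype, b64, *comment = fields
        yield options, ktype, base64.b64decode(b64), " ".join(comment)
def inventory(files_by_host):
    """Map fingerprint -> details, correlating every key to the hosts it opens."""
    inv = {}
    for host, text in files_by_host.items():
        for options, ktype, blob, comment in parse_authorized_keys(text):
            e = inv.setdefault(fingerprint(blob), {"type": ktype, "bits": key_bits(ktype, blob),
                                                   "comment": comment, "hosts": [], "restricted": True})
            e["hosts"].append(host)
            # from=/command= limit where and how a key is usable; one unrestricted copy anywhere counts
            if not ("from=" in options or "command=" in options):
                e["restricted"] = False
    return inv
def findings(inv):
    """Review items for the key-management process the article calls for."""
    out = []
    for fp, e in inv.items():
        if e["type"] == "ssh-dss" or (e["type"] == "ssh-rsa" and e["bits"] < 2048):
            out.append((fp, "weak key: %s %d bits" % (e["type"], e["bits"])))
        if not e["restricted"]:
            out.append((fp, "no from=/command= restriction"))
        if len(e["hosts"]) > 1:        # one key reused across systems: a hop path for an intruder
            out.append((fp, "same key on %d hosts: %s" % (len(e["hosts"]), ",".join(sorted(e["hosts"])))))
    return out
def _blob(ktype, *parts):              # constructed wire-format public key, not a real key
    out = b""
    for f in (ktype.encode(),) + parts:
        if isinstance(f, int):         # mpint: big-endian, leading zero byte when the top bit is set
            f = f.to_bytes((f.bit_length() + 8) // 8, "big")
        out += struct.pack(">I", len(f)) + f
    return base64.b64encode(out).decode()

# Constructed authorized_keys contents "collected" from two hypothetical hosts.
SHARED = _blob("ssh-ed25519", b"\x11" * 32)
OLD_RSA = _blob("ssh-rsa", 65537, 1 << 1023)        # 1024-bit modulus
DEPLOY = _blob("ssh-rsa", 65537, (1 << 3071) | 1)   # 3072-bit modulus
HOSTS = {"db01": 'from="10.0.0.5",command="/usr/bin/backup" ssh-ed25519 %s backup\nssh-rsa %s old-admin@laptop\n' % (SHARED, OLD_RSA),
         "app01": "# deploy user\nssh-ed25519 %s backup\nssh-rsa %s deploy\n" % (SHARED, DEPLOY)}
```

Running `findings(inventory(HOSTS))` reports the backup key as present on both hosts and unrestricted on app01 (a key restricted on one host is still a liability if another copy is not), the 1024-bit RSA key as weak, and every key lacking a from=/command= limit; the same inventory is the starting point for deciding which keys are still needed and for scheduling rotation.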
