Virus News


Internet attackers looking to compromise a growing number of computers have brought back SQL injection.  Researchers are seeing a rising number of websites compromised by mass SQL injection attacks that take advantage of weak web applications and then use those sites as a launch pad to infect their visitors with malware.  The concern is that many sites on the web are vulnerable to an attack of this nature, and attackers can easily and quickly find new targets to attack.

The Asprox Trojan is an example of this kind of SQL injection campaign.  Researchers have observed it being distributed by a spam botnet.  The trojan is related to a password-stealing trojan known as Danmec.  The infected PC downloads a binary that searches Google for websites matching specific search terms and then launches a SQL injection attack against those sites.

Read more here: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1314697,00.html

Protect your company's computers with Digital Reach Managed Services

The Adobe Flash Player has a zero-day defect that is currently being targeted by attackers across the world, who have set up over 200,000 web pages to exploit it.  The vulnerability could be exploited to cause a denial of service (DoS) condition.  Adobe Flash Player 9.0.115.0 and 9.0.124.0 are reported to be at risk.  The defect is triggered when the Flash Player tries to process a malicious SWF file.  Symantec and McAfee report that different exploits have been crafted for the different versions of Adobe Flash and that exploits exist for both IE and Firefox.  Users should visit www.adobe.com to download the latest version of the Adobe Flash Player to protect themselves from this attack.

Digital Reach, Inc. delivers IT solutions designed to help your business perform more efficiently and with more productivity.  Learn more about Digital Reach.

Security experts are warning computer users to beware of malware attacks timed to coincide with April Fool’s Day, noting that the keepers of the Storm Trojan have already launched such attacks.

Source: SearchSecurity.com | Information Security Magazine

Researchers at Helsinki-based F-Secure Corp. said in the company blog that a new wave of April Fool’s Day-related Storm mails were spammed out late Monday with a link that points to an IP address. Subject lines carry such messages as “All Fools’ Day,” “Doh! April Fool” and “Surprise! The joke’s on you.”

There appears to be no text in the messages, only the URL that, if clicked, downloads executable files with such names as “foolsday.exe” and “kickme.exe.” The files carry the Storm Trojan.

“Virus coverage is poor with the samples we’ve captured, but we’re working with the antivirus vendors to improve that,” Stephen Hall, a handler at the Bethesda, Md.-based SANS Internet Storm Center (ISC), said in a message on the SANS ISC blog.

In a follow-up message on the ISC site, handler Joel Esler reminded people to be aware of this and other April Fool’s tricks.

Controllers of the Storm botnet have a history of using holidays such as Valentine’s Day and news events such as a wave of storms that swept across Europe several months ago to dupe people into opening infected emails.

Meanwhile, victims falling prey to the Pushdo Trojan aren’t finding any love. Sunnyvale, Calif.-based network security vendor Fortinet has been tracking Pushdo, which continues to spread as a result of a successful eCard spam campaign. The eCard touts nude photographs, random female names and a fake link to relationship sites.

If the victim opens an attachment in the email, “Pushdo.EV cycles through various IP’s in an attempt to establish an HTTP session where it will download a rootkit component,” Fortinet said in its March threat report. The Pushdo botnet is growing larger and gaining in activity, according to Fortinet security research engineer Derek Manky.

Source: www.widespreadpr.com

How to determine if I have the Storm Worm?
How to determine if my email is infected with the Storm Worm?

The Storm Worm (a botnet of infected computers that feeds off unprotected users to strengthen its network) may arrive in an email with one of the common subject lines listed below (a list of attachment filenames to avoid follows the subject lines):

Original Source: Snopes.com

Email Subject Lines:

ATTN!
Spyware Alert!
Spyware Detected!
Trojan Alert!
Trojan Detected!
Virus Activity Detected!
Virus Alert!
Virus Detected!
Warning!
Worm Activity Detected!
230 dead as storm batters Europe.
A killer at 11, he’s free at 21 and…
British Muslims Genocide
Naked teens attack home director.
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
Russian missle shot down Chinese satellite
Russian missle shot down USA aircraft
Russian missle shot down USA satellite
Chinese missile shot down USA aircraft
Chinese missile shot down USA satellite
Sadam Hussein alive!
Sadam Hussein safe and sound!
Radical Muslim drinking enemies’ blood.
U.S. Southwest braces for another winter blast. More then 1000 people are dead.
Venezuelan leader: “Let’s the War beginning”.
Hugo Chavez dead.
President of Russia Putin dead.
Third World War just have started!.
The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!.
The commander of a U.S. nuclear submarine lunch the rocket by mistake..
First Nuclear Act of Terrorism!.
So in Love
Happy World Religion Day!
Most Beautiful Girl
Someone at Last
I Believe
The Dance of Love
The Miracle of Love
All For You
Vacation Love
I am Complete
Wrapped Up
Moonlit Waterfall
A Little (sex) Card
A Special Kiss
Hugging My Pillow
Safe and Sound
You’re Soo kissable
A Romantic Place
Breakfast in Bed Coupon
For You
I Love You So
Want to Meet?
We Are Different
We Have Walked
You Asked Me Why

The attachment filename may be any of the following:

Full Clip.exe
Full Story.exe
Read More.exe
Video.exe
Full Video.exe
Full Text.exe
Flash Postcard.exe
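As an added example (not part of the original news item), the following standard-library Python filter checks an incoming message against the Storm subject lines and attachment names listed above and also flags any other executable attachment. The indicator sets hold a sample of the subject lines; the message it builds is constructed for the demonstration.

```python
"""Flag mail matching the Storm Worm lures listed above (added example)."""
import email
from email import policy
from email.message import EmailMessage

# A sample of the subject lines from the Snopes list above (extend as needed).
STORM_SUBJECTS = {
    "Virus Alert!",
    "Worm Activity Detected!",
    "230 dead as storm batters Europe.",
    "Russian missle shot down USA satellite",
    "Happy World Religion Day!",
}
# The attachment filenames listed above.
STORM_ATTACHMENTS = {
    "Full Clip.exe", "Full Story.exe", "Read More.exe", "Video.exe",
    "Full Video.exe", "Full Text.exe", "Flash Postcard.exe",
}

def storm_indicators(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 822 message looks like a Storm lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip()
    if subject in STORM_SUBJECTS:
        hits.append(f"subject: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in STORM_ATTACHMENTS:
            hits.append(f"attachment: {name!r}")
        elif name.lower().endswith(".exe"):
            # Any executable attachment is worth quarantining, listed or not.
            hits.append(f"executable attachment: {name!r}")
    return hits

def build_sample(subject: str, attachment_name: str) -> bytes:
    """Construct a test message carrying a harmless dummy attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"   # constructed addresses
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("")
    m.add_attachment(b"dummy bytes", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()

if __name__ == "__main__":
    print(storm_indicators(build_sample("Virus Alert!", "Full Story.exe")))
```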

Nugache is a worm that has actually been around longer than Storm.  The Storm Worm is one of the worst botnets on the net, but Nugache could take its place.  Researchers report that Nugache has been revised and updated to make it more powerful, perhaps even more powerful than Storm.

Both Nugache and Storm are botnets.  That means they are made up of networks of infected computers that work together to distribute spam to millions of users.  Access to these networks is then bought by spammers to send out spam email such as mortgage offers, performance-enhancing drugs, pump-and-dump stock tips and ecards.

The problem is that these networks could just as easily mail out a keylogger program that would record items like your bank login or a credit card number entered at an ecommerce site.  The keylogger would then send that data back to the botnet operator to be sold.

Are you protected?  Contact Digital Reach and let us protect your network!

Stration Worm

The Stration Worm, found mostly in SPAM, could pose a real threat given the potential its creators could unleash.

Security vendors are rating the Stration Worm (also known as Warezov, Stration and Stratio) as a low-risk infection but admit that the worm is difficult to work with.

The malware is a mass-mailing worm that infects machines running Windows.  The computer, usually infected by opening an attachment to a spam message, then sends the worm out again to the email addresses found in the host computer’s contact list.

The tricky part is that the code is capable of downloading new versions of itself as frequently as every 30 minutes from a batch of websites on the Internet.  The new versions are produced by the original author.  This approach is more difficult to identify and remediate because the code hosted on those sites can be altered to stay ahead of antivirus protection efforts.

Sample Email Subject: “This is not shown on TV.” with attachment: picture0000.zip.

This leading email worm is certainly something to watch.

Are you protected?

Related:
http://antivirus.about.com/od/virusdescriptions/p/stration.htm

http://www.spywareguide.com/product_show.php?id=3108

http://www.sophos.com/security/analyses/w32strationx.html

Finjan Inc. reports that attackers infected at least 10,000 trusted web sites with malware last month using the Random.JS Trojan toolkit.  Random.JS is an exceptionally sneaky Trojan that infects the targeted machine and sends data from it back to the attackers controlling it over the Internet.  The stolen information includes documents, passwords, surfing habits and other forms of compromising data.

“Random.JS uses varying methods to remain undetected and keep spreading,” Finjan’s Ben-Itzhak said. “It is able to break antivirus signatures and store malware on legitimate sites.” The Random.JS toolkit is a piece of JavaScript code that morphs every time it is accessed, Ben-Itzhak said. As a result, it’s nearly impossible to detect with traditional signature-based anti-malware products.

The Random.JS attack works by dynamically embedding scripts into a Web page, he said. The script is served under a random filename that can be accessed only once, and so selectively that once a user has received an infected page, the script is not referenced again on further requests. This method prevents the malware from being recovered in later forensic analysis.

The list of attack toolkits includes MPack, NeoSploit, IcePack, WebAttacker, WebAttacker2 and MultiExploit, along with newer toolkits like Random.JS, vipcrypt, makemelaugh and dycrypt.

Security vendors warn of the rising use of attack toolkits in recent months.

Are your systems protected?  Let Digital Reach assess your network security strategy.




5068 W. Plano Parkway, Suite 300, Plano, Texas 75093 ~ Phone: 972.381.4230 | Fax: 972.381.4229
© Copyright 2007, Digital Reach, Inc. | Dallas, Texas | Fort Worth, Texas | Richardson, Texas | Plano, Texas | DFW Metroplex