Archive for August, 2009

BKDR_REFPRON in New Mass Compromise

Trend Micro threat analysts were alerted to another mass compromise attack affecting around 55,000 consumer-oriented sites spread throughout Canada, China, the United Kingdom, and India as of the first report.

The IP address (74.52.164.210) distributing the malware has been busy over the last few months.

Upon execution the binary makes the following HTTP GET requests; search for them in your proxy logs to identify infected hosts. Note that the value after "axa" in the query string differs between the three requests, so match on the host and path (for example /p0723/2.0/d.bin) rather than on the full query string.

GET 174.133.34.178/p0723/2.0/d.bin?axa072776988
GET 174.133.34.178/p0723/2.0/ms.bin?axa0727588773
GET 174.133.34.178/p0508/2.0/so.bin?axa0727737721

You can also search your firewall logs for any communication with the IP addresses listed below.

Name / query result:

bfkq.com (resolves to 174.133.126.2)
74.54.201.210
174.133.72.250
jsactivity.com (resolves to 74.52.142.226)
74.55.37.210
174.133.126.2

Anubis report and VirusTotal results for the sample.

Fake Adobe Flash Player Monitors Your Google Searches

According to Mischel Internet Security, there’s a new Trojan going around. Detected as TrojanClicker.VB.395 by TrojanHunter, it pretends to be an update for Adobe Flash. When run, it goes through the motions of updating the Flash player, and most users will think nothing of it. They suspect the installer for this spreads via forum posts that use JavaScript to link to the malware.

What the article fails to say is which domain is distributing this malware and how many other AV vendors are picking it up. I did a little digging through the sample collection and came across the following URL, which fits the description.

hxxp://adobeupdateserver.com/download/AdobeUpdate.exe

DNS Information
Name: adobeupdateserver.com
Address: 216.146.130.104

Very low detection by AV vendors at the time of this posting (6 of 41 engines).

VirusTotal results for AdobeUpdate.exe
ThreatExpert report for AdobeUpdate.exe

Mischel does describe how to tell whether you have fallen victim to this scheme. Look for the following:

– A Firefox plugin named "Adobe Flash Player 0.2"
– Having recently installed a file called install_flash_player.exe or Install_Flash.exe from an unknown source
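A host-side check for the two indicators Mischel lists, as an added example (this is not code from the original post or from Mischel). It assumes the Firefox 3-era profile layout, in which each extension lives under <profile>/extensions/<id>/ with an install.rdf manifest that declares its display name as em:name, either as a child element or as an attribute of the Description node; the sample profile, its two manifests and the dropper-named file are constructed in a temporary directory so the script runs offline.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

EM_NS = "http://www.mozilla.org/2004/em-rdf#"
EM_NAME_TAG = "{%s}name" % EM_NS
# Indicators from the post: the extension display name and the dropper filenames.
SUSPECT_EXTENSION_NAMES = {"Adobe Flash Player 0.2"}
SUSPECT_FILENAMES = {"install_flash_player.exe", "install_flash.exe"}


def extension_names(install_rdf_xml):
    """Collect every em:name declared in an install.rdf manifest. Firefox
    accepts the name either as a child element or as an attribute of the
    Description node, so both forms are checked."""
    names = []
    for el in ET.fromstring(install_rdf_xml).iter():
        attr = el.get(EM_NAME_TAG)
        if attr:
            names.append(attr.strip())
        if el.tag == EM_NAME_TAG and el.text:
            names.append(el.text.strip())
    return names


def find_suspect_extensions(profile_dir, suspects=SUSPECT_EXTENSION_NAMES):
    """Return (extension_id, name) for every extension under
    <profile>/extensions whose manifest declares a suspect display name."""
    found = []
    ext_root = os.path.join(profile_dir, "extensions")
    if not os.path.isdir(ext_root):
        return found
    for ext_id in sorted(os.listdir(ext_root)):
        manifest = os.path.join(ext_root, ext_id, "install.rdf")
        if not os.path.isfile(manifest):
            continue
        try:
            with open(manifest, encoding="utf-8") as fh:
                names = extension_names(fh.read())
        except ET.ParseError:
            continue  # unparsable manifest: worth a manual look, not a match
        found.extend((ext_id, n) for n in names if n in suspects)
    return found


def find_suspect_files(root, suspects=SUSPECT_FILENAMES):
    """Walk a tree (e.g. a user's Downloads folder) for the dropper filenames."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f.lower() in suspects)
    return sorted(hits)


# Constructed manifests for the offline sample: a benign extension using the
# attribute form and a suspect one using the element form.
BENIGN_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest" em:name="Example Toolbar">
    <em:id>benign@example.org</em:id>
  </Description>
</RDF>
"""
SUSPECT_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>flash@example.org</em:id>
    <em:name>Adobe Flash Player 0.2</em:name>
    <em:version>0.2</em:version>
  </Description>
</RDF>
"""


def build_sample_profile():
    """Create a throwaway Firefox-style profile plus a Downloads folder holding
    a dropper-named file, so the checks can be exercised without a real victim."""
    base = tempfile.mkdtemp(prefix="ff-profile-")
    for ext_id, rdf in (("benign@example.org", BENIGN_RDF), ("flash@example.org", SUSPECT_RDF)):
        ext_dir = os.path.join(base, "extensions", ext_id)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "install.rdf"), "w", encoding="utf-8") as fh:
            fh.write(rdf)
    downloads = os.path.join(base, "Downloads")
    os.makedirs(downloads)
    open(os.path.join(downloads, "Install_Flash.exe"), "wb").close()
    return base


if __name__ == "__main__":
    profile = build_sample_profile()
    for ext_id, name in find_suspect_extensions(profile):
        print(f"suspect extension {ext_id!r} named {name!r}")
    for path in find_suspect_files(profile):
        print(f"suspect file {path}")
```

On a real machine, point find_suspect_extensions at each Firefox profile directory and find_suspect_files at the user's download locations; a manifest that fails to parse is skipped rather than treated as a match, but it is still worth opening by hand.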

Up to 55k Compromised by Potent Backdoor/Data Theft Cocktail

Discovered by security researchers at ScanSafe:

“A potent trojan cocktail consisting of backdoors, password stealers, and a downloader is being loaded by a malicious iframe on nearly 55,000 compromised website pages. The iframe points to an intermediary exploit site, http://a0v.org/x.js, which in turn loads additional exploits and malware from up to seven different malware domains.

A Google search on the iframe script tag resulted in 54,900 hits. Victim sites include www.feedzilla.com, latindiscover.com, and a number of charitable and nursing facilities, including howellcarecenter.com, sweetgrassvillagealf.com, www.foodsresourcebank.org, and morningsideassistedliving.com.”

I started seeing these domains pop up around 8/5. Follow the links below for more information.

ahthja info
laogong info
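The three posts above each hand you indicators (the BKDR_REFPRON GET paths and IP list, the adobeupdateserver.com host, and the a0v.org/x.js iframe source) but not a way to run them against logs. The script below is an added example, not code from this blog or from Trend Micro, ScanSafe or Mischel: it matches those indicators against proxy and firewall log lines and reports which internal hosts were involved. The proxy and firewall log formats, and the sample lines, are constructed for illustration; the regexes will need adjusting to what your own proxy and firewall actually write. The IP-to-name mappings are the ones the posts recorded at the time and should be treated as historical.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the posts above. The path of each BKDR_REFPRON GET is
# stable while the "axa..." query string differs per request, so the match is
# on host + path only.
REFPRON_PATHS = {
    ("174.133.34.178", "/p0723/2.0/d.bin"),
    ("174.133.34.178", "/p0723/2.0/ms.bin"),
    ("174.133.34.178", "/p0508/2.0/so.bin"),
}
BAD_HOSTS = {"bfkq.com", "jsactivity.com", "adobeupdateserver.com", "a0v.org"}
BAD_IPS = {
    "74.52.164.210", "174.133.34.178",                   # BKDR_REFPRON distribution
    "174.133.126.2", "74.54.201.210", "174.133.72.250",
    "74.52.142.226", "74.55.37.210",                     # resolved/contacted hosts
    "216.146.130.104",                                   # adobeupdateserver.com
}


def classify_url(url):
    """Return an indicator label for a requested URL, or None if it is clean."""
    if "://" not in url:               # the post lists the GETs without a scheme
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if (host, parts.path) in REFPRON_PATHS:
        return "BKDR_REFPRON download"
    if host in BAD_HOSTS:
        return "known bad host"
    if host in BAD_IPS:
        return "known bad IP"
    return None


# Constructed proxy log format: "<epoch> <client_ip> <method> <url> <status>".
PROXY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)


def hunt_proxy(lines):
    """Map client IP -> list of (url, label) for every flagged request."""
    hits = {}
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        label = classify_url(m.group("url"))
        if label:
            hits.setdefault(m.group("client"), []).append((m.group("url"), label))
    return hits


# Constructed firewall lines in iptables/syslog style; only SRC= and DST= matter.
FW_RE = re.compile(r"\bSRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)")


def hunt_firewall(lines):
    """Map source IP -> set of listed bad IPs it was seen talking to."""
    hits = {}
    for line in lines:
        m = FW_RE.search(line)
        if m and m.group("dst") in BAD_IPS:
            hits.setdefault(m.group("src"), set()).add(m.group("dst"))
    return hits


# Constructed sample logs: two REFPRON beacons, one clean request, the fake
# Flash update, the ScanSafe iframe loader, and an unlisted path on a bad IP.
SAMPLE_PROXY = """\
1249500001 10.1.2.3 GET http://174.133.34.178/p0723/2.0/d.bin?axa072776988 200
1249500002 10.1.2.3 GET http://174.133.34.178/p0723/2.0/ms.bin?axa000000001 200
1249500003 10.1.2.4 GET http://www.example.com/index.html 200
1249500004 10.1.2.5 GET http://adobeupdateserver.com/download/AdobeUpdate.exe 200
1249500005 10.1.2.6 GET http://a0v.org/x.js 200
1249500006 10.1.2.7 GET http://174.133.34.178/other/file.bin 404
""".splitlines()

SAMPLE_FW = """\
Aug  5 10:00:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=74.54.201.210 PROTO=TCP DPT=80
Aug  5 10:00:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.4 DST=93.184.216.34 PROTO=TCP DPT=443
Aug  5 10:00:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=174.133.72.250 PROTO=TCP DPT=80
""".splitlines()

if __name__ == "__main__":
    for client, matches in sorted(hunt_proxy(SAMPLE_PROXY).items()):
        for url, label in matches:
            print(f"{client}\t{label}\t{url}")
    for src, dsts in sorted(hunt_firewall(SAMPLE_FW).items()):
        print(f"{src}\tcontacted\t{', '.join(sorted(dsts))}")
```

A request to a listed IP on a path that is not one of the three REFPRON downloads is still flagged (as "known bad IP") rather than ignored, since the same servers were distributing more than one payload; treat it as a lead, not a confirmed infection.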


How to minimize the risk of illicit credit card capturing

‘Skimming’ customer credit card numbers is a growing threat
By Ellen Messmer, Network World, 08/25/2009

Miniature digital cameras have been found “hidden in false ceilings,” above PIN pads, or on store counters “in boxes to hold leaflets” and in “charity boxes next to PIN pads,” the council’s report notes. Criminals use “miniature cameras to observe and record the PIN as it is entered.”

Attackers are doing whatever it takes to tamper with payment-terminal equipment, adding skimmers and sometimes paying off employees to look the other way.

“The skimming equipment can be very sophisticated, small and difficult to identify,” the council’s report notes. “Often it is hidden within the terminal so neither the merchant nor the cardholder knows that the terminal has been compromised.” Even MP3 players and voice recorders have been used as skimming equipment.


Personal spy gear: Is it ethical? Is it legal?

You can now hide a GPS unit in your family car and find out where everybody went. But should you?
By Todd R. Weiss, Computerworld, 08/25/2009

These days, if you want to watch over your house, your kids or your significant other, there’s a whole world of high-tech security devices out there you can use, in forms you may not have even imagined.

There are tiny GPS data loggers you can slip into someone’s car or backpack to learn where they’re going. There are audio recorders the size of flash drives that can listen in and preserve the conversations of others nearby. And there are surveillance cams in a whole assortment of motion-activated disguises, including facial tissue dispensers, alarm clocks, outdoor home electrical boxes, bird feeders and even soft, furry teddy bears.

But while it’s easy to find and buy surveillance devices, is it legal and/or ethical to use them? Is it okay if you use them to watch over strangers? Is it reasonable to use them to watch and hear family members and loved ones?

The answers can sometimes be murky.
