We have been covering the recent wave of cyberattacks, but missed this one, so here is an addendum to yesterday’s story:
Consistent with our security response practices, we chose not to make a statement during the initial information gathering process. During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing.
Microsoft and Adobe have issued their round of updates today, as of 1 PM EST. The below details what was fixed.
First, Microsoft. Five of the 12 bulletins Microsoft released today are rated “critical”, the company’s highest severity rating: it means the flaw can be exploited for code execution without meaningful user interaction, for example just by getting a victim to browse to a malicious page, so these belong at the front of the patching queue.
The critical fixes cover the Windows implementation of Vector Markup Language (VML), Microsoft Exchange, and the way Windows handles certain media files; one of the critical patches fixes a flaw that exists only on Windows XP systems.
Today’s batch also includes a patch for the .NET Framework, which is best installed on its own: apply all the other updates first, then install the .NET patch separately. That order has proven to be the most reliable.
Adobe fixes Flash and Shockwave Players; the Flash Player details follow:
APSB13-05 covers the fixes for CVE-2013-1372, CVE-2013-0645, CVE-2013-1373, CVE-2013-1369, CVE-2013-1370, CVE-2013-1366, CVE-2013-0649, CVE-2013-1365, CVE-2013-1374, CVE-2013-1368, CVE-2013-0642, CVE-2013-0644, CVE-2013-0647, CVE-2013-1367, CVE-2013-0639, CVE-2013-0638 and CVE-2013-0637. The fixes apply to Flash Player, AIR and the AIR SDK.
Here are the new versions:
- Android 2.x-3.x: 126.96.36.199
- Windows, Mac & Android: 188.8.131.527
- Adobe AIR SDK (Windows, Mac & Android): 184.108.40.2069
Google pushed out its Chrome channel update today to pick up the new Flash Player.
Kelihos is back with a new variant, as several research teams have reported. The variant is built to lie dormant on an infected machine long enough to outlast automated analysis, and it layers on other rootkit-style concealment, including hiding the domains it talks to, to stay under the radar.
This is the third incarnation of the Kelihos botnet. When it was taken down in 2011 by a joint effort between Kaspersky Lab and Microsoft, the botnet turned out to be peer-to-peer, which makes a complete shutdown much harder: cutting off the main servers does not stop the bots from talking to each other, and plenty of blackhats still had copies of the malcode on their own servers and machines from which a new network could be seeded.
Researchers at Deep End Research and FireEye have been analyzing fresh samples, and after some impressive work they concluded that the Kelihos network is on the rise again.
“Since automated analysis systems are configured to execute a sample within a specified time frame, by executing a sleep call with a long timeout, Nap can prevent an automated analysis system from capturing its malicious behavior. Besides making a call to the function SleepEx(), the code also makes a call to the undocumented API NtDelayExecution() for performing sleep,” Abhishek Singh and Ali Islam of FireEye wrote in an analysis.
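To make the sandbox-evasion point concrete, here is an added example, our own illustration and not code from FireEye, Deep End Research or the Kelihos sample: a toy model of an automated analysis run in which a constructed stand-in for the malware sleeps about ten minutes, split across SleepEx and NtDelayExecution, before emitting a “beacon” event. A naive sandbox that honours the sleeps in real time and stops recording once its budget is spent never sees the beacon; a sandbox that hooks the sleep APIs and advances a virtual clock instead (sleep-skipping) does. The wall-clock budget, the beacon event and the 60-second evasion threshold are assumptions; the 100-nanosecond unit and the negative-means-relative convention for NtDelayExecution’s DelayInterval are the real Windows semantics.

```python
"""Why long sleeps defeat time-boxed sandboxes, and how sleep-skipping counters it.

Added example for illustration only. The 'sample' is a constructed stand-in
for the behaviour FireEye describes (long SleepEx/NtDelayExecution delays
before acting); it is not Kelihos code. Budgets and the beacon are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, List, Tuple

HUNDRED_NS_PER_SECOND = 10_000_000  # NtDelayExecution's DelayInterval is in 100 ns units


def nt_delay_to_seconds(delay_interval: int) -> float:
    """Convert a relative NtDelayExecution DelayInterval to seconds.

    A negative DelayInterval means 'relative to now' (the form malware uses);
    a non-negative value is an absolute timestamp, which this model does not handle.
    """
    if delay_interval >= 0:
        raise ValueError("absolute DelayInterval not modelled")
    return -delay_interval / HUNDRED_NS_PER_SECOND


@dataclass
class Sandbox:
    """Minimal model of an automated analysis run (assumed design, not any real product).

    wall_budget: seconds of real time the run may consume before capture stops.
    skip_sleeps: if True, requested sleeps advance a virtual clock instead of
                 consuming wall time, which is the sleep-skipping counter-measure.
    """
    wall_budget: float
    skip_sleeps: bool = False
    wall: float = 0.0
    virtual: float = 0.0
    sleep_calls: List[Tuple[str, float]] = field(default_factory=list)
    events: List[Tuple[str, float]] = field(default_factory=list)

    def _sleep(self, api: str, seconds: float) -> None:
        self.sleep_calls.append((api, seconds))
        self.virtual += seconds
        if not self.skip_sleeps:
            self.wall += seconds  # a naive sandbox really waits this long

    # Hooked Win32/NT APIs exposed to the sample (names kept as on Windows).
    def SleepEx(self, milliseconds: int, alertable: bool = False) -> None:
        self._sleep("SleepEx", milliseconds / 1000.0)

    def NtDelayExecution(self, alertable: bool, delay_interval: int) -> None:
        self._sleep("NtDelayExecution", nt_delay_to_seconds(delay_interval))

    def record(self, name: str) -> None:
        """Behaviour is captured only while the wall-clock budget has not run out."""
        if self.wall <= self.wall_budget:
            self.events.append((name, self.virtual))

    def run(self, sample: Callable[[Sandbox], None]) -> Sandbox:
        sample(self)
        return self


def nap_like_sample(sb: Sandbox) -> None:
    """Constructed stand-in: ~10 minutes of sleep split across the two APIs, then act."""
    sb.SleepEx(5 * 60 * 1000)                                    # 5 min via SleepEx
    sb.NtDelayExecution(False, -5 * 60 * HUNDRED_NS_PER_SECOND)  # 5 min more, relative interval
    sb.record("beacon")                                          # the behaviour an analyst wants to see


def total_requested_sleep(sb: Sandbox) -> float:
    """Sum of every sleep the sample asked for, in seconds."""
    return sum(seconds for _, seconds in sb.sleep_calls)


def looks_like_sleep_evasion(sb: Sandbox, threshold_seconds: float = 60.0) -> bool:
    """Heuristic: a sample that asks to sleep longer than a typical analysis window
    before doing anything observable deserves a second, sleep-skipping run."""
    return total_requested_sleep(sb) > threshold_seconds


if __name__ == "__main__":
    naive = Sandbox(wall_budget=120).run(nap_like_sample)
    skipping = Sandbox(wall_budget=120, skip_sleeps=True).run(nap_like_sample)
    print("naive sandbox saw:", naive.events)        # []
    print("sleep-skipping saw:", skipping.events)    # [('beacon', 600.0)]
    print("evasion flagged:", looks_like_sleep_evasion(naive))  # True
```

The heuristic at the end is the part a practitioner would bolt onto a real pipeline: when a sample’s total requested sleep exceeds the analysis window before it does anything else, schedule a longer or sleep-skipping run instead of marking it clean. Real sandboxes also have to cope with samples that detect accelerated clocks by comparing several time sources, which this model deliberately leaves out.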
Researchers are now trying to map the new infrastructure, and another takedown may be in order. This is insanity.
Patch Tuesday is a few days away, and Microsoft has 57 security fixes lined up. The company outlined them in its advance notification.
According to Microsoft, every version of Internet Explorer from 6 through 10 needs patching. All of them are vulnerable to drive-by attacks: a single booby-trapped web page is enough to compromise anyone who visits it.
Five of the twelve bulletins are rated “critical”. The updates cover Windows, Windows Server, Office and the .NET Framework. The patches are due out on February 12th at 1:00 PM EST.
The Bamital botnet, which reportedly grossed about $1 million a year through search-hijacking fraud, has been taken down by investigators from Microsoft and Symantec. With help from federal authorities, the two teams investigated a number of data centers hosting the botnet’s servers. Dubbed Operation b58, this is the sixth botnet takedown of its kind in the past three years. The effort began around a year ago, when Symantec approached Microsoft with a proposal to collaborate on taking down this botnet.
Bamital’s money-making method is a familiar one: search redirection. Victims were lured by social engineering into installing the malware; from then on, whenever they searched the web, the malware redirected their clicks to scam sites that sold fake (or legitimate but tampered-with) software and services, or that tried to harvest credit card details.
Over its two years of continuous activity the botnet infected approximately 8 million computers and brought its operators around $1 million. Somewhere between 300,000 and 1 million machines are estimated to still be infected.
As part of the takedown, Microsoft filed a lawsuit against the botnet’s operators to get authorization to pull the plug on the zombie network. Yesterday, February 6, after the court granted the request, Microsoft staff escorted by the US Marshals Service visited facilities in Virginia and New Jersey to seize servers.
According to Richard Boscovich, assistant general counsel with Microsoft’s Digital Crimes Unit, the operators of the Virginia data center were also persuaded to take down a server at their parent facility in the Netherlands.
About 18 cybercriminals are believed to be involved, scattered around the world from the US and the UK to Australia and Romania.
Microsoft and Symantec are also helping infected users. With the rogue servers gone, the redirect-and-query system the malware depends on is broken, which means web search on victims’ computers is broken too. Removal tools will be provided to clean the infection and repair the broken search function.
This should make it much harder for the people behind Bamital to restart their operation, since Microsoft, and possibly Symantec and federal authorities, now have the servers in custody.
Well, it’s Patch Tuesday, or what some people call “Black Tuesday”.
Seven security bulletins were released for Microsoft products, patching at least 11 or 12 vulnerabilities between them, possibly more on some systems.
Current bulletins for this round, with severity:
- MS12-077 Cumulative Security Update for Internet Explorer (Critical)
- MS12-078 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (Critical)
- MS12-079 Vulnerability in Microsoft Word Could Allow Remote Code Execution (Critical)
- MS12-080 Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (Critical)
- MS12-081 Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (Critical)
- MS12-082 Vulnerability in DirectPlay Could Allow Remote Code Execution (Important)
- MS12-083 Vulnerability in IP-HTTPS Component Could Allow Security Feature Bypass (Important)
On to the December Adobe updates. They address Adobe Flash Player 11.5.502.110 and earlier versions for Windows and Macintosh, Adobe Flash Player 220.127.116.11 and earlier versions for Linux, Adobe Flash Player 18.104.22.168 and earlier versions for Android 4.x, and Adobe Flash Player 22.214.171.124 and earlier versions for Android 3.x and 2.x, Adobe said.
Together the updates fix three vulnerabilities: a buffer overflow, an integer overflow and a memory corruption bug, any of which could lead to code execution, Adobe said.
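Advisories like this one are phrased as “version X and earlier”, and the usual mistake when checking an inventory against them is comparing version strings lexically. Here is an added example, our own code rather than anything from Adobe or the original post, that parses dotted builds numerically and flags hosts still in the affected range. Only the 11.5.502.110 Windows/Macintosh ceiling is taken from Adobe’s statement above; the platform labels, hostnames and every other version string are constructed for the demonstration.

```python
"""Checking installed Flash builds against an "X and earlier is affected" advisory.

Added example, not code from the original post or from Adobe. The Windows/Mac
ceiling 11.5.502.110 is quoted from the advisory text above; everything else
here (platform labels, hostnames, other versions) is made up for illustration.
"""
from typing import Dict, List, Tuple

# Highest affected build per platform ("this version and earlier").
AFFECTED_CEILING: Dict[str, str] = {
    "windows": "11.5.502.110",
    "mac": "11.5.502.110",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '11.5.502.110' into (11, 5, 502, 110) so that comparisons are numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str, platform: str) -> bool:
    """True if the installed build falls inside the advisory's 'and earlier' range."""
    try:
        ceiling = AFFECTED_CEILING[platform.lower()]
    except KeyError:
        raise ValueError(f"no advisory data for platform {platform!r}") from None
    return parse_version(installed) <= parse_version(ceiling)


def string_compare_disagrees(a: str, b: str) -> bool:
    """The classic bug: ordering version strings lexically instead of numerically.

    Returns True when plain string ordering gives a different answer than numeric ordering.
    """
    return (a <= b) != (parse_version(a) <= parse_version(b))


def hosts_needing_update(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Given (hostname, platform, installed_version) records, list hosts still in range."""
    return [host for host, platform, version in inventory if is_affected(version, platform)]


# Constructed inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ws01", "windows", "11.5.502.110"),   # exactly the ceiling: affected
    ("ws02", "windows", "11.5.502.135"),   # a later build: not affected
    ("ws03", "mac", "11.4.402.287"),       # older branch: affected
    ("ws04", "windows", "11.5.502.99"),    # would be mis-ranked by a string compare
]

if __name__ == "__main__":
    print("Needs update:", hosts_needing_update(SAMPLE_INVENTORY))  # ['ws01', 'ws03', 'ws04']
    print("String compare wrong for 11.5.502.99 vs 11.5.502.110:",
          string_compare_disagrees("11.5.502.99", "11.5.502.110"))  # True
```

The ws04 entry is the one to remember: as strings, "11.5.502.99" sorts after "11.5.502.110" because '9' is greater than '1', so a naive check would report that host as already patched.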