Gladiator Security Forum

 
> McAfee false-positive glitch fells PCs worldwide
Posted by Terryala - 07-4-09 02:03 - 0 comments
McAfee false-positive glitch fells PCs worldwide

QUOTE
When AV attacks

By Dan Goodin in San Francisco •

Posted in Security, 3rd July 2009 22:48 GMT

IT admins across the globe are letting out a collective groan after servers and PCs running McAfee VirusScan attacked core system files, in some cases causing the machines to display the dreaded blue screen of death.

Details are still coming in, but forums here and here show that it's affecting McAfee customers in Germany, Italy, and elsewhere. A UK-based Reg reader, who asked to remain anonymous because he was not authorized by his employer to speak to the press, said the glitch simultaneously leveled half of a customer's 140 machines after they updated the latest virus signature file.

"Literally half of the machines were down with this McAfee anti-virus message IDing valid programs as having this trojan," the IT consultant said. "Literally half the office switched off their PCs and were just twiddling their thumbs."

When the consultant returned to his office he was relieved that his own laptop, which also uses VirusScan, was working normally. Then, suddenly, when it installed the latest McAfee DAT file, his computer was also smitten. The anti-virus program identified winvnc.exe and several other legitimate files as malware and attempted to quarantine them. With several core system files out of commission, the machine was rendered an expensive paperweight.

A McAfee representative in the US didn't immediately respond to phone calls seeking comment. Friday is a holiday for many US employees in observance of Saturday's Independence Day.

Based on anecdotes, the glitch appears to be caused when older VirusScan engines install DAT 5664, which McAfee seems to have pushed out in the past 24 hours. Affected systems then begin identifying a wide variety of legitimate - and frequently crucial - system files as malware. Files belonging to Microsoft Internet Explorer, drivers for Compaq computers, and even the McAfee-associated McScript.exe were being identified as a trojan called PWS!hv.aq, according to the posts and interviews.

We're still trying to determine how widespread this false-positive glitch is being felt and whether people have found any reliable fixes. If you have insight, please leave a comment below. ®


http://www.theregister.co.uk/2009/07/03/mc...ositive_glitch/

> Are "deleted" photos really gone from Facebook? Not always
Posted by Terryala - 07-3-09 18:37 - 0 comments
Are "deleted" photos really gone from Facebook? Not always

QUOTE
When you delete embarrassing photos from sites like MySpace and Facebook, they don't disappear immediately. In fact, more than a month after we deleted two test images from the sites, they are still accessible to the world.
By Jacqui Cheng | Last updated July 3, 2009 12:30 PM CT

In an age where your boss, coworkers, parents, and even (*gasp*) grandparents are finally joining social networks, we are all more aware than ever that we had better keep things relatively clean. And if you were someone who joined MySpace, Facebook, Flickr, or a number of other sites years ago, you may have more cleaning up to do than usual—after all, back then, you were probably young(er) and dumb(er), posting silly pics of your drunken escapades or questionable updates regarding your unusual interest in English cucumbers.

If you delete questionable images of yourself, you may be in the clear—or you may not, depending on the social network. As it turns out, some social networks delete your images right away while others hold onto them even after claiming they've been deleted. This was the discovery made by researchers at Cambridge University last month when they found that images deleted from social media sites are often left on the server, ripe for anyone to embed elsewhere or link up.

We put this finding to the test and found that some of the most popular sites on the Internet do, in fact, keep images on their servers after you delete them. On May 21, 2009, we deleted photos from four of the networks most used by the Ars staff and readership and monitored them for six weeks. The four networks we checked were Flickr, Twitter, MySpace, and Facebook.

First, the good news. Both Twitter and Flickr deleted our photos within seconds. Direct links to the photos in question broke after a quick hard refresh, so you can be sure that your salacious pictures mistakenly posted to Flickr while inebriated will no longer be accessible to your enemies (assuming they didn't copy them to their hard drives, that is).

Facebook and MySpace, however, did not fare so well. As of this writing, both images we used are still available on Facebook and MySpace servers despite having been "deleted" in May. (For embarrassment's sake, here are my two photos that were deleted from Facebook and MySpace; depending on when you read this article, these photos may or may not still be up).

Both sites claim to delete user info immediately, so we reached out to the companies to see what they had to say about the findings.

"MySpace takes the safety, security and privacy of its users very seriously and immediately deletes user content and profiles in their entirety when requested to," MySpace spokesperson Amy Walgenbach told Ars via e-mail. "We are aware it can take longer for images to be removed from third party servers (servers from the vendor we work with) and are actively working to address this."

Facebook offered a similar statement, but went a step further by claiming that third parties could not access the information even though it is retained on the server. "As stated in the Statement of Rights and Responsibilities, the governing document for the site, ‘when you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer. However, you understand that removed content may persist in backup copies for a reasonable period of time (but will not be available to others),'" Facebook spokesperson Elizabeth Linder said. "We are working with our content delivery network (CDN) partner to significantly reduce the amount of time that backup copies persist."

This looks obviously false—said "backup copies" are indeed accessible to anyone on the Web. We tried to get clarification from Facebook on this point but received no response. Either way, the lesson is clear—if you don't want to give your enemies blackmail material, don't upload questionable photos in the first place. If you already have, just hope that no one has a direct link... or be prepared to blame all your transgressions on an evil twin.


http://arstechnica.com/web/news/2009/07/ar...think-twice.ars

> Firefox 3.5 patch coming soon as Mozilla cranks up downloads
Posted by Terryala - 07-3-09 14:00 - 0 comments
Firefox 3.5 patch coming soon as Mozilla cranks up downloads

QUOTE
Pesky monkey still creating (some) havoc

By Kelly Fiveash •

Mozilla Foundation notched up five million downloads in the first 24 hours after it released Firefox 3.5 earlier this week.

The open source browser maker also confirmed it would be bringing out version 3.5.1 soon to squash bugs its development team hadn’t managed to eradicate ahead of the launch.

Mozilla’s security patch is expected to rock up in the next few weeks. It will kill at least three bugs and “topcrashes” that remain present in the latest iteration of the popular Internet Explorer rival.

"[The] goal of this release should be a quick turnaround that fixes topcrashes and bugs we almost held ship for," said Mozilla earlier this week in its status meeting notes.

One of those fixes includes a patch for TraceMonkey, the outfit’s speedy JavaScript engine.

Indeed, Mozilla was forced to hold back the release of Firefox 3.5, nee 3.1, by about six months, because of the number of showstopping bugs it found in the pesky little monkey JavaScript engine.

The org didn't grab as many downloads this time around compared to a year ago when it spun out its last big release.

In June 2008 Mozilla pulled in over seven million downloads in the first 24 hours of Firefox 3.0 being available.

However, servers initially buckled under the pressure of all the traffic driven to Mozilla’s site after it urged people to help it break the Guinness World Record for the highest number of downloads in one day. It succeeded, despite the PR fiasco that ensued.

On Tuesday, when the final code for Firefox 3.5 was released, Mozilla suffered some outage trouble.

“I believe that was isolated to the Amsterdam datacentre and just for certain sites (most notably www.mozilla.com and getfirefox.com). My notes have that resolved sometime after 0845 PDT,” Mozilla’s Matthew Zeier explained to El Reg.

Wanna know more about Mozilla's latest browser? This way for the definitive Register review, people. ®


http://www.theregister.co.uk/2009/07/03/mo..._firefox_3_5_1/

> Month Of Twitter Bugs exposes microblogging flaws
Posted by Terryala - 07-3-09 13:55 - 0 comments
Month Of Twitter Bugs exposes microblogging flaws

QUOTE
Making a hashtag of Web 2.0 security

By John Leyden •

The Month Of Twitter Bugs has begun with the publication of a flaw in a URL shortening service often used in conjunction with the microblogging service.

Four cross-site scripting (XSS) vulnerabilities in the bit.ly URL-shrinking service were published on Wednesday. TweetDeck, one of the most popular Twitter clients, integrates bit.ly, making the flaws much more risky than might otherwise be the case.

Fortunately, three of the four bugs were fixed before an alert was published. The last flaw was addressed hours after the release of a notice via Twitpwn, the home page of the Month Of Twitter Bugs project.

On Thursday, the Twitpwn project published details of a resolved cross-site scripting flaw in HootSuite toolbox.

The Month of Bugs series was inaugurated three years ago with a four-week period that offered a different browser bug every day. Originally the brainchild of HD Moore, of Metasploit fame, noted researcher Aviv Raff is applying the idea to Twitter and associated services during July. He notes that the idea might just as easily be applied to any other Web 2.0 service.

Raff is calling on third-party application developers to work with Twitter in developing more secure tools. Several hacking attacks against Twitter have emerged over recent months, many related in one way or another to password security. Microbloggers are being urged to adopt more secure passwords in response to the heightened risk of hacking attacks against Twitter. ®


http://www.theregister.co.uk/2009/07/03/twitterpwn/

> Hackers crack ColdFusion
Posted by Terryala - 07-3-09 13:51 - 1 comments
Hackers crack ColdFusion

QUOTE
Drive-by download attack hits multiple hosts

By John Leyden •

Hackers are running a mass compromise against sites running vulnerable ColdFusion application server installations.

Security watchers at the SANS Institute's Internet Storm Centre are warning that a "high number" of sites have been hit over the last 36 hours or so. Miscreants are exploiting sites running older installations of some ColdFusion applications, such as FCKEditor (a popular HTML text editor) or CKFinder (an Ajax file manager).

The two main strands of the assault both target FCKEditor. Firstly, version 8.0.1 of ColdFusion installs a vulnerable version of FCKEditor that is enabled by default. The security flaw creates a means for scallywags to upload arbitrary files on affected servers.

Details of how to resolve this problem can be found on ColdFusion's site here.

The second strand of the attack relies on third party applications, in particular the CFWebstore e-commerce app, that incorporate vulnerable versions of FCKEditor.

Hackers are taking advantage of the vulnerabilities to plant malicious scripts onto compromised websites, as part of a drive-by download attack that ultimately aims to infect visiting surfers.

SANS reckons the crackers behind the attack are the same as the gang that pulled off a similar attack back in March. Security researchers urge sites to review their ColdFusion installations, paying particular attention to deleting older applications that may have been left around as orphans during systems upgrades. ®


http://www.theregister.co.uk/2009/07/03/co...ion_compromise/

> Bruce Schneier: New Cryptanalytic Attack
Posted by Chachazz - 07-2-09 17:33 - 0 comments
New Attack on AES
July 1, 2009

"There's a new cryptanalytic attack on AES that is better than brute force:

In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has complexity 2^119, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key class and has higher complexity. The second attack is the first cryptanalysis of the full AES-192. Both our attacks are boomerang attacks, which are based on the recent idea of finding local collisions in block ciphers and enhanced with the boomerang switching techniques to gain free rounds in the middle."

Schneier on Security
A blog covering security and security technology.
http://www.schneier.com/blog/archives/2009...ttack_on_a.html

> Your Browser History is Showing!
Posted by Chachazz - 07-2-09 17:30 - 0 comments
Slashdot Thursday July 02, @10:03AM

"Web2.0collage is showing just how easy it is (with code!) for sites to determine what sites you visit. When you visit the site it sniffs your browser history, and creates a collage of the (safe for work) sites that you visit."

Try it out... see how much you give away by allowing your browser to store 'History'!

> Spammers swift to exploit Jackson death to punt malware
Posted by Terryala - 07-1-09 20:03 - 0 comments
Spammers swift to exploit Jackson death to punt malware

QUOTE
Who's bad?

By John Leyden •

Updated: Miscreants have wasted no time exploiting the shock death of Michael Jackson to run email harvesting and banking Trojan campaigns.

Security watchers warn that more malware-laced emails themed around the death of the King of Pop and Charlie's Angels star Farrah Fawcett, who also died on Thursday, are likely to follow.

Just eight hours after Jackson's demise, net security firm Sophos detected a spam run supposedly offering more details on the pop star's death, while actually designed to harvest victims’ email addresses, as explained below.
The body of the spam message does not contain any call-to-action link such as a URL, email, or phone number. And the from email address of the message is bogus. But the spammer can harvest receivers’ email addresses via a free live email address if the spam message is replied to.

If you get this message you need to just delete it!

No newsworthy event or natural disaster is complete these days without related scams and malware-themed attacks springing up in the days that follow. The London transport suicide bombing attacks of 2005, Hurricane Katrina, the Asian tsunami of 2004, and the execution of Saddam Hussein have all provided fodder for Trojan-laced email attacks.

Both McAfee (here) and security watchers at the SANS Institute's Internet Storm Centre (here) advise network administrators and users to brace for spam and malware attacks that take advantage of interest in Jackson's untimely demise to distribute malware or promote dodgy drug sites, to cite just two examples. Phishing emails themed around supposed O2 ticket refunds might also be imagined.

Jackson was scheduled to embark on a 50-night residency at London's O2 arena next month. ®
Updated

As predicted, spam emails offering links to "unpublished videos and pictures" of Jackson have cropped up in malware campaigns. Spam emails doing the rounds ostensibly offer a link to a YouTube video while, in reality, sending recipients to a Trojan Downloader hosted on a compromised web site.

Websense has a full write-up of the attack here.

Meanwhile hackers are gaming search engines so that links to sites offering scareware packages appear prominently in search for Farrah Fawcett, as explained by Trend Micro here.


http://www.theregister.co.uk/2009/06/26/jackson_death_spam/

> Torrentreactor breach serves potent exploit cocktail
Posted by Terryala - 07-1-09 19:59 - 0 comments
Torrentreactor breach serves potent exploit cocktail

QUOTE
iframe redirection redux

By Dan Goodin in San Francisco •

Torrentreactor has long been regarded as one of the top bit torrent search engines, and with the demise of The Pirate Bay, it's likely bigger than ever. Now, it's been breached and is serving a potent cocktail of exploits to people browsing the site, Websense Security Labs says.

Attackers have managed to inject an iframe into the site that scours Torrentreactor visitors' computers for a long list of vulnerable applications, including Adobe's Reader and Shockwave programs and Microsoft's Internet Explorer and Office Snapshot Viewer. When it finds one, it downloads and runs a malicious file.

According to Websense, the malware has an extremely low detection rate, with just two of 32 anti-virus engines identifying the threat. Once executed, it installs a rootkit on victims' machines.

This isn't the first time that security researchers have reported Torrentreactor is foisting malware on its users. In March 2008, the site suffered a similar iframe attack, according to Dancho Danchev.

The malicious file in the latest compromise communicates with a server at 78.109.29.116, an IP address that web searches suggest has ties to the Russian Business Network. We'll be steering clear of this site for the time being. ®


http://www.theregister.co.uk/2009/07/01/to...reactor_breach/

> Jackson mass mailer adds to attack onslaught
Posted by Terryala - 07-1-09 19:57 - 0 comments
Jackson mass mailer adds to attack onslaught

QUOTE
More zombies than the Thriller video

By John Leyden •

Miscreants have created a Michael Jackson mass-mailing worm.

The malware, which follows a growing list of other hacking attacks in the wake of the superstar's death last week, claims to offer secret songs and photos of Jackson in an attached zip file. In reality, the emails (which claim to come from sarah@michaeljackson.com) offer only malicious code.

Prospective marks duped into opening the infected attachment on Windows machines get infected while further spreading the worm. The malware is also capable of spreading via USB memory sticks. More on the threat can be found in a blog posting by Sophos (here) and Symantec (here).

The mass mailing worm - identified by Symantec as Ackantta-F - spreads in messages that typically bear the subject line "Remembering Michael Jackson."

Ackantta is far from the only item of malware trying to ride on the coat-tails of Michael Jackson's death.

For example, an executable file posted on counterfeit photo-sharing sites was detected by F-Secure last week. The malware tried to establish a backdoor on compromised Windows PCs, as explained here.

Separately, a domain loaded with exploit code - supposedly touting Jackson death conspiracy theories - is actually just an outlet for an exploit tool, Sunbelt Software warns. The malicious domain is being promoted via an enthusiastic spamming campaign. ®


http://www.theregister.co.uk/2009/07/01/ja...malware_deluge/