A Russian network of spam and malware affiliates known as “Partnerka” is beginning to focus aggressively on the Apple Mac platform, offering $0.43 for each Mac machine infected. Dmitry Samosseiko from SophosLabs gave a stunning presentation on it at the VB Conference 2009.
As I discussed in the previous post about the Army adopting the Apple Mac platform, the common belief that Macs are immune to malware and have very few security issues is mostly bunk. In fact, on a monthly basis the Apple Mac platform has more vulnerabilities than the Microsoft Windows OS.
As with most affiliate programs, the site was offering promotional material in the form of trojanized MacOS video players and other trojanware. DNS Changer trojans wrapped in promises of porn videos were a popular stunt for infecting Mac machines.
Recently Twitter.com was hacked and 310 confidential documents were taken from their Google Apps account. These documents ranged from executive meeting notes, partner agreements and financial projections to the meal preferences, calendars and phone logs of various Twitter employees. The documents were delivered to TechCrunch.com via email by someone who refers to themselves as “hacker Croll”.
Any individual or company with a shred of ethics would contact the authorities and keep this information private. TechCrunch, on the other hand, would rather use this information to get more links to their website, and Mike Arrington over at TechCrunch thinks leaking confidential documents is a great way to do this. I for one think this is very unethical and don’t agree with their stance that this is what is considered news.
Twitter has responded to this incident with their own post.
What do you think?
Tomorrow at 12pm EST Joanna Rutkowska and Loic Duflot are publishing a paper and actual exploit code that works against Intel cache mechanisms. These attacks allow privilege escalation into SMM (System Management Mode) space and are capable of deploying a rootkit that can take complete control of the machine. SMM space is out of reach of the operating system, so this attack cannot be detected or prevented by any current form of software anti-virus protection. SMM has been available on all Intel CPUs as far back as the Intel 386.
This exploit has been reported to Intel on numerous occasions over the last few years. Loic reported it 3-4 months ago, back in October, and Intel’s own employees had mentioned it in documents as far back as 2005. To date, Intel has not provided any resolution to this vulnerability, and this is the main reason behind Joanna and Loic going the full-disclosure route. Joanna mentions on her blog: “If there is a bug somewhere and if it stays unpatched for enough time, it is almost guaranteed that various people will (re)discover and exploit it, sooner or later.”
Intel did alert CERT back in October when Loic reported his findings; this was tracked as VU#127284.
You will find full details published at Joanna’s website, the Invisible Things Kernel Security Blog.
Currently, there is no defense against this threat short of using AMD or virtualization. Or is there, Intel?
Symantec’s Monthly State of Spam report for March showed an increase in bounced messages, with spammers forging sender email addresses and using them in the “From” header of their own spam messages.
Reminiscent of backscatter, spammers are taking advantage of mail transfer agents configured to send back a list of failed recipient addresses, an explanation of the cause of failure, and a copy of the original email. This opens a window for spam attacks, as anti-spam filters do not block most “failed email” replies. Since spammers forge the sender’s address, this mail is received by people who have nothing to do with the spam.
Corporate networks will feel the greatest burden of the increased attacks. The extra bandwidth consumed and the flood of unwanted spam messages in users’ inboxes will result in lost productivity. Network operators are encouraged to configure mail transfer agents not to send back a copy of the original failed message and to require signatures for outgoing emails.
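As an added example (not from Symantec’s report or any MTA’s own code), here is one way to implement the “signatures for outgoing emails” recommendation: a simplified BATV-style bounce-address tagging scheme in Python. The outgoing envelope sender is signed with a keyed hash and a day counter; a bounce that arrives for an untagged, expired or tampered address cannot have been caused by mail we sent, so it is backscatter from a forged sender and can be rejected at RCPT TO. The key, tag layout and addresses are constructed for illustration.

```python
import hmac
import hashlib
import time

# Constructed secret for this example; a real MTA keeps a per-domain key in its config.
SECRET_KEY = b"constructed-example-key"
TAG_LIFETIME_DAYS = 7          # legitimate bounces arrive within days, not weeks


def _digest(day_field, address, key):
    """Short keyed hash binding the day counter to the untagged address."""
    msg = (day_field + address).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def tag_sender(address, day=None, key=SECRET_KEY):
    """Sign the envelope sender of an outgoing mail (simplified BATV 'prvs' layout)."""
    if day is None:
        day = int(time.time() // 86400)
    day_field = "%03d" % (day % 1000)      # 3-digit day counter, wraps every 1000 days
    return "prvs=%s%s=%s" % (day_field, _digest(day_field, address, key), address)


def untag(address):
    """Recover the original address from a tagged one (unchanged if untagged)."""
    if address.startswith("prvs=") and address.count("=") == 2:
        return address.split("=", 2)[2]
    return address


def is_valid_bounce_recipient(rcpt, today=None, key=SECRET_KEY):
    """True only if a bounce's RCPT TO carries a fresh, correctly signed tag.

    Untagged, stale or tampered recipients were never used as a sender by
    this MTA, so a bounce to them is backscatter and should be rejected.
    """
    if today is None:
        today = int(time.time() // 86400)
    if not rcpt.startswith("prvs=") or rcpt.count("=") != 2:
        return False
    _, tag, original = rcpt.split("=", 2)
    if len(tag) != 9 or not tag[:3].isdigit():
        return False
    day_field, sig = tag[:3], tag[3:]
    age = (today - int(day_field)) % 1000      # handles the counter wrapping
    if age > TAG_LIFETIME_DAYS:
        return False
    return hmac.compare_digest(sig, _digest(day_field, original, key))
```

Because only this MTA holds the key, a spammer forging a plain `user@yourdomain` sender produces bounces that fail the check, while bounces for mail you really sent still pass and are delivered to `untag(rcpt)`.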
Almost 300,000 web sites hosted on Internet Information Services (IIS) are infected with new malware, according to PandaLabs. Through SQL injection, attackers inject code into all pages hosted on the same IIS server and redirect visitors to a malicious site. The malicious page scans the visitor’s machine to find ways to compromise it; exploits are then downloaded and used to infect the redirected visitor based on the information found by the scan.
If your site is hosted on Internet Information Services, it is highly recommended that you check whether your site is compromised. To do so, search your source code for the following injected script reference: “<script src=http://www.nihaorr1.com/1.js>”. If this reference is found, remove every occurrence immediately and notify your IIS admin right away.
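As an added example (not PandaLabs’ tooling and not part of the original post), here is a Python scanner that walks a site’s document root and reports the script reference quoted above. It goes a little beyond the single indicator: any external script source whose host is not on an allowlist is also flagged, since an injected host can change between waves. The allowlist, file extensions and sample page are constructed.

```python
import os
import re
import html

# Indicator quoted in the report; anything else off the allowlist is reported separately.
KNOWN_BAD_HOST = "nihaorr1.com"
ALLOWED_SCRIPT_HOSTS = {"www.example.com"}     # constructed: your own script hosts go here

# Matches <script ... src=URL> with or without quotes; group 1 = URL, group 2 = host.
SCRIPT_SRC = re.compile(
    r"""<script[^>]*\ssrc\s*=\s*["']?\s*(https?://([^/"'\s>]+)[^"'\s>]*)""", re.I)


def scan_text(text, source="<string>"):
    """Return (source, line, kind, url) for every suspicious external script tag."""
    findings = []
    decoded = html.unescape(text)       # catch entity-encoded copies stored via the database
    for lineno, line in enumerate(decoded.splitlines(), 1):
        for m in SCRIPT_SRC.finditer(line):
            url, host = m.group(1), m.group(2).lower()
            if host == KNOWN_BAD_HOST or host.endswith("." + KNOWN_BAD_HOST):
                findings.append((source, lineno, "known-indicator", url))
            elif host not in ALLOWED_SCRIPT_HOSTS:
                findings.append((source, lineno, "unknown-external-script", url))
    return findings


def scan_tree(root, exts=(".htm", ".html", ".asp", ".aspx", ".js", ".inc")):
    """Scan every web-content file under root (extensions are a constructed default)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed sample page: one legitimate script plus the injected tag from the report.
SAMPLE_PAGE = """<html><head><title>Products</title>
<script src="http://www.example.com/site.js"></script>
</head><body>Welcome<script src=http://www.nihaorr1.com/1.js></script></body></html>"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_PAGE, "sample.asp"):
        print("%s:%d %s %s" % finding)
```

Run `scan_tree(r"C:\inetpub\wwwroot")` (path is an example) on the server; a hit of kind `known-indicator` is the compromise described above, and `unknown-external-script` hits deserve a manual look before being added to the allowlist.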
Some 1,800 attacks were registered in the United States over the last month, almost 20% higher than the previous month. Foreign-based attacks declined by 4.5%, with over 2,800 attacks originating from foreign IP space.
Top 5 attacks used by U.S. hackers
- Cisco IOS HTTP Server HTML auto-view exploit
- Hacktool FxScanner detection
- PerlCal CGI reconnaissance directory traversal
- PHPNuke reconnaissance directory traversal
- Cisco IOS denial of service attack using non-standard protocol
Top 5 attacks used by foreign hackers
- Generic File Inclusion Attack
- Mambo register_globals Emulation Layer Overwrite
- HTTP overflow attack
- phpBB Activity Module File Inclusion
- WebDAV Overflow Attempt