Earlier today the official website for the Apache Software Foundation (of the Apache web server fame) was offline for several hours.
When it came back online, it briefly showed this message:
The site looks normal now.
Why is this important? Because the Apache web server software is distributed from apache.org, and roughly one half of all the web servers on the planet run on Apache!
We have no information on whether any code on the site was modified or not.
IceGold used to be an online currency transfer service. The company, operating in Estonia, ceased operations last year when the Estonian government passed new anti-money laundering laws.
The company has since had a placeholder site at www.icegold.com. However, someone has now started up a fake copy of the site at www.icegold.us, offering electronic currency transfers.
This is probably not connected at all, but we've noticed a steep increase in the amount of targeted attacks against organizations supporting the Uyghurs.
These support groups operate around the world. The attack techniques against them are the same as we've seen in similar attacks before: highly targeted emails with innocent looking booby-trapped document attachments.
Here are some examples of such malicious documents that we've seen. Most of them look pretty innocent.
When opened, all the above documents use known vulnerabilities in Adobe Reader or Microsoft Word to invisibly take over the computer. After this a backdoor allows an outsider full access to the computer and the local area network.
The two screenshots above are not from documents but instead fake screen savers… which contain backdoors.
Again, this wave of attacks against Uyghur supporters probably isn't connected to the real-world riots in any way. We think.
One of the Fellows from our Munich office, Rüediger, has written a paper on worms (including Conficker) in the course of his studies, which we'd like to share.
The paper is written in German and is available here (PDF, 2MB). Feel free to download and enjoy.
Mr. h1t3m's other website is still up at h1t3m.org.
According to Australian media, "Federal police officers in co-operation with Victoria Police executed a search warrant on premises in Brighton, Melbourne, connected to the administrator of an underground hacking forum, r00t-y0u.org, which had about 5000 members."
So:
1. r00t-y0u.org was taken over by the police
2. …but it was still up and running
And now, someone calling himself KillaWho infiltrated r00t-y0u.org, replacing the front page again.
Mr. Killawho also posted details about the system itself and files found on it. He posted full details in this posting on pastebin.com. "I decided I would move on to getting control of r00t-y0u.org. See what the authorities know about server maintenance.. and how secure they can make stuff."
Right now the server seems to be taken down for good.
There are already several media reports that claim that Australian Police itself got hacked.
Now, if the police take over a web server run by hackers, and that server later gets hacked, I wouldn't be too worried!
We've seen no evidence showing that any internal police systems would have been infiltrated.
Here's an interesting move recently found being used by some malware targeting Delphi.
The malware first checks whether the installed Delphi version is between 4 and 7, then replaces $DELPHI_DIR$\source\rtl\sys\SysConsts.pas, writing its malicious code into it. After this, SysConsts.pas is deleted.
The malware saves a clean copy of SysConsts.dcu as SysConst.bak and adds a call to its own init function at the entrypoint of the SysConsts.dcu library.
When a program is compiled with an infected version of SysConsts.dcu, it will have something like the malicious code snippet below:
Subsequently, whenever the compiled program is executed, the malicious code in the program checks for SysConst.bak; if it is not found, the code tries to re-infect Delphi.
In this case, the malware is basically just ensuring that Delphi stays infected. Still, it's another mechanism to spread malware around.
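A defender-side check for the infection state described above, added here as an example and not code from the original post: it walks a Delphi installation looking for the leftover SysConst.bak and for a SysConsts.dcu whose hash no longer matches a clean baseline. The baseline hashes and the sample directory are constructed assumptions; on a real machine you would point it at the Delphi directory and supply hashes taken from trusted install media.

```python
import hashlib
import os
import tempfile

# Names from the post: the clean backup the malware leaves behind and the
# patched run-time unit. The post uses both SysConsts and SysConst, so both
# spellings are matched case-insensitively (Windows file system).
BACKUP_NAMES = {"sysconst.bak", "sysconsts.bak"}
UNIT_NAMES = {"sysconst.dcu", "sysconsts.dcu"}

def sha256_of(path):
    """Hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_delphi_tree(root, known_good):
    """Walk a Delphi install; return (kind, path, sha256) findings.
    known_good maps lower-case unit name -> SHA-256 of the clean unit from a
    trusted install (hypothetical baseline). A leftover .bak is reported on its
    own; a .dcu only when its hash differs, so a clean install yields nothing."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            lname = fname.lower()
            path = os.path.join(dirpath, fname)
            if lname in BACKUP_NAMES:
                findings.append(("backup_present", path, sha256_of(path)))
            elif lname in UNIT_NAMES and lname in known_good:
                digest = sha256_of(path)
                if digest != known_good[lname]:
                    findings.append(("unit_hash_mismatch", path, digest))
    return findings

def build_sample_tree():
    """Constructed sample: a Lib directory in the infected state the post
    describes (clean unit kept as SysConst.bak, SysConst.dcu patched)."""
    root = tempfile.mkdtemp(prefix="delphi_sample_")
    lib = os.path.join(root, "Lib")
    os.mkdir(lib)
    clean = b"constructed clean SysConst unit"
    with open(os.path.join(lib, "SysConst.bak"), "wb") as f:
        f.write(clean)
    with open(os.path.join(lib, "SysConst.dcu"), "wb") as f:
        f.write(b"constructed patched SysConst unit")
    return root, {"sysconst.dcu": hashlib.sha256(clean).hexdigest()}
```

Because the malware keeps the original unit as the .bak, the hash of a reported backup should equal the baseline hash of the unit; that is a useful confirmation that the .bak is the clean original and can be restored.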
We received a report that the popular IntegrIT website was suspected to be compromised and performing a redirect-link to a pornography website. The case occurred when the user searched for "integrit" (without quotes) in a search engine.
We inspected the www.integrit.ru contents and found no suspicious code, hence we suspect that the www.integrit.ru web server configuration files (.htaccess, etc.) were compromised to redirect client browsers.
This was the page we were redirected to when the HTTP request carried the "Referer" header shown above:
This is what you would get without the "referer":
A few search engines were tested and only two search engines (Yahoo! and Google) were redirecting users to the pornography website; the other search engines (Bing, Altavista, Ask, and Lycos) were not affected.
Users who type the web address "www.integrit.ru" directly into their browsers won't see this redirection.
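One way to check a site's own configuration for the kind of conditional redirect suspected above, added here as an example and not code from the original post: it scans .htaccess text for RewriteCond lines that test HTTP_REFERER and are followed by a RewriteRule that sends the browser off-site. The sample .htaccess is constructed, and the target host is a placeholder.

```python
import re

# Constructed sample .htaccess in the shape the post suspects: visitors arriving
# from two search engines are bounced to another site, direct visits are not.
SAMPLE_HTACCESS = """\
RewriteEngine On
# redirect only search-engine traffic (hypothetical attacker-added rules)
RewriteCond %{HTTP_REFERER} (google|yahoo)\\. [NC]
RewriteRule ^(.*)$ http://redirect-target.invalid/landing [R=302,L]
# legitimate front-controller rule, left alone by the check
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L]
"""

def _is_external_redirect(target, flags):
    """True if a RewriteRule sends the browser elsewhere: absolute URL or R flag."""
    if re.match(r"https?://", target, re.I):
        return True
    return any(f.strip().upper().startswith("R") for f in flags.strip("[]").split(","))

def find_referer_redirects(htaccess_text):
    """Return rules whose preceding RewriteCond set tests HTTP_REFERER and whose
    RewriteRule redirects off-site. Each finding: {line, conditions, target}."""
    findings, pending = [], []
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() == "rewritecond":
            pending.append(line)
            continue
        if parts[0].lower() == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            flags = parts[3] if len(parts) > 3 else ""
            referer_conds = [c for c in pending if "HTTP_REFERER" in c.upper()]
            if referer_conds and _is_external_redirect(target, flags):
                findings.append({"line": lineno, "conditions": referer_conds,
                                 "target": target})
        pending = []  # conditions attach only to the next RewriteRule
    return findings
```

This only reads the configuration; the behavioural test the post performed (requesting the page with and without a search-engine Referer and comparing the responses) is the complementary check when the server configuration is not available.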
The website owner was informed and our users are protected.
Web Security team post by — Chu Kian
—————
Updated to add: Currently the .ru domain is not resolving, though the redirect is still occurring.
As if being deluged by DDoS attacks isn't bad enough, this week Twitter found itself the target of another sort of threat. The Register recently reported that the wildly popular social networking service is also being used to direct part of a botnet's activities.
According to the report, a security analyst accidentally stumbled across a Twitter account being used by botherders as a cheap and effective way of directing infected computers to websites where they can get further instructions.
This appears to be the first time Twitter has been used as part of a botnet's command and control structure. At time of writing, the malicious account has already been taken offline.
For more details, you can also check the original post from Arbor SERT.
On this day five years ago, one of the largest worm outbreaks in history happened: Blaster.
The case was so huge, even VANITY FAIR wrote a 10-page feature on it. It's hard to imagine any virus getting that kind of coverage today.
So we're republishing the original article from 2004. It's a long story, but worth a read. In fact, the article got reprinted in Reader's Digest in over 20 different languages.
2nd: Send us a postcard in the mail. It doesn't matter where it's from, any postcard will do. That's also easy.
Address and send it to:
F-Secure Labs
Tammasaarenkatu 7
00180 Helsinki
Finland
Write your address on the postcard and we'll begin mailing out stickers in early September. Simple!
First come, first served, while they last.
—————
P.S. Upload a picture of your postcard to the Lab's Facebook page before you drop it in the mailbox… and you'll be eligible for another giveaway in September. Cheers!
Last night we saw a massive attack on a Georgian blogger who goes by the name "Cyxymu".
The attack included at least these components:
• DDoS attack against Cyxymu's Twitter account (http://twitter.com/cyxymu)
• DDoS attack against Cyxymu's Youtube account (https://www.youtube.com/cyxymu)
• DDoS attack against Cyxymu's Facebook account (http://www.facebook.com/cyxymu)
• DDoS attack against Cyxymu's Livejournal account (http://www.livejournal.com/cyxymu and http://cyxymu1.livejournal.com)
• DDoS attack against Cyxymu's Fotki account (http://public.fotki.com/cyxymu/)
• An e-mail "Joe Job" campaign against Cyxymu
The effects of some of these attacks are still visible. For example, Livejournal and Facebook are still not accepting connections to Cyxymu's pages.
Here's an example of what the Joe Job e-mails looked like. They were not sent by Cyxymu although they look like it.
Launching DDoS attacks against services like Facebook is the equivalent of bombing a TV station because you don't like one of the newscasters. The amount of collateral damage is huge. Millions of users of Twitter, Livejournal, and Facebook have been experiencing problems because of this attack.
Whoever is behind this attack, they had significant bandwidth available. Our best guess is that these attacks were done by nationalistic Russian hackers who wanted to silence a visible online opponent. While doing that, they've only managed to attract more attention to Cyxymu and his message.
Then again, Cyxymu himself simply comments in his Tweets that the attack was done by the Russian KGB.
We're unlikely to ever know the truth.
Updated to add: Added info that Cyxymu's Fotki account was under attack as well.
Updated to add: See the comments section for commentary from a person who worked at a radio station that was bombed…
This scam is as old as the hills, but scammers are still using it and making money off unsuspecting people. So we thought that a warning is in order.
Today, one of our senior researchers received a call from an unknown international number, and when he answered, the call was immediately dropped. Being used to receiving calls from reporters around the world, he might have done the obvious thing and called the number back.
What he did instead was to perform a Google search on the number. He discovered that a lot of other people have received calls from the same number and wondered what the calls were about, and, more importantly, that people who called back are complaining about mysterious charges on their phone bills.
The scam used by the fraudsters is very simple. Set up a premium-rate number, use that number to call a group of randomly selected phone numbers, and either let the phone ring only once or cut the call immediately after the receiver answers.
Then simply wait for curious people to call back, play a "busy tone" audio file to make the caller think the call did not connect, and rake in the profits.
Usually these numbers charge somewhere between 1 and 5 euros per call: a big enough sum to make money if you can fool thousands of people into calling, and small enough to make complaints impractical.
The best way to avoid this scam is to be wary of unknown numbers and not to call them back immediately. If the number looks like nothing you have seen before and the country code is one you haven't even heard of, run a Google or WhoCallsMe search on the number before calling back.
Malware Domains List (MDL) is a popular website among security professionals and others interested in IT security. Now a rogue antivirus promoter seems to have latched onto its popularity by setting up a website on a URL very close to MDL's domain.
Visitors expecting to see this:
May instead end up seeing the following:
Note the difference in the URL between the legitimate website and the fake.
Despite a few grammatical errors, the warning does a decent job of looking like a legitimate notice from Firefox. Compare it to the (legit) one below:
Note the "Get security software" button on the malicious website's "warning" message. If clicked, the user is directed to a website promoting a rogue antivirus solution.