Weekly Summary of the "DHS Daily Open Source Infrastructure Report"

The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered. This weekly summary provides a selection of those items of greatest significance to the InfoSec professional.

Week Ending: Friday, June 5, 2009

Daily Open Source Infrastructure Report for 1June 2009

Perhaps You Should Consider Blocking Some Search Terms!

25. May 28, SC Magazine – (International) McAfee documents riskiest search terms. A McAfee study into 2,600 of the most popular keyword searches on the web has concluded that hunts for “screensavers” present the most risk. The report released the week of May 25 shows that users who search for “screensavers” have a 59.1 percent chance that they will be infected by malware on a given page of results. By category, the most dangerous searches involved keywords containing the word “lyrics” (26.3 percent risk) and “free” (21.3 percent). The safest category searches, meanwhile, related to “health” (four percent) and the “economic crisis” (3.5 percent). The report also warned of the risk generated by searching for information on “work from home.” Variations of this search term — considered more popular than ever, given the state of the economy — ranged from a 6.3 percent-risk to a 40 percent-risk of infection. Source: http://www.scmagazineus.com/McAfee-documents-riskiest-search-terms/article/137632/

Daily Open Source Infrastructure Report for 2 June 2009

Are You Prepared for the Latest Corporate Spamming Techniques?

26. June 1, Computerworld – (International) Spammers find new ways to flood corporate networks. Unsolicited e-mail accounted for 90.4 percent of all messages received on corporate networks during April, an increase of 5.1 percent from a month earlier, according to a report released May 26 by Symantec Corp.’s MessageLabs Intelligence unit. The monthly MessageLabs report on threat trends also found that nearly 58 percent of all spam can be traced to botnets. A researcher at Cloudmark Inc., a provider of antispam tools, noted that in addition to using botnets, spammers in recent months have been experimenting with a new way to sneak unwanted email past corporate filters. Often, he said, a spammer will rent legitimate network services, often in an Eastern European country, and then blast a large amount of spam at the network of a specific ISP. The idea is to push as many messages as possible onto the network before any kind of filtering software detects the incident. The researcher estimates that hundreds of thousands of such messages are sent each day without detection. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=339801&taxonomyId=17&intsrc=kc_top

Daily Open Source Infrastructure Report for 3 June 2009

Is there a “Gumblar” in your future?

32. June 2, CNET News – (International) Thought the Conficker virus was bad? Gumblar is even worse. ScanSafe, a computer security firm, has been tracking the progress of the worm since its arrival on the scene in March, according to CNET. Originally, the attack spread through infectious code that was planted in hacked Web sites and then downloaded malware from the gumblar.cn domain on to victims’ computers. But that was just the opening salvo. As Web site operators cleaned their pages of the code, Gumblar replaced the original material with dynamically generated Javascript (Web site code that is created on the spot instead of being completely determined beforehand — a key element of Web apps like Gmail) that is much harder for security software to detect and remove. The evolved version also went about adding new domains to the list of sources for downloading its malware payload, including liteautotop.cn and autobestwestern.cn, and began exploiting security holes in Flash and Adobe Reader. The worm also searches out credentials for FTP servers (a method for uploading files to a Web site) on a victim’s computer, using them to infect additional Web sites. It is not clear how many sites Gumblar has infected, but security firms seem to agree that it accounts for about 40 percent of all new malware infections right now. According to ScanSafe in just the first two weeks of May over 3,000 Web sites were compromised and spreading the worm. Most sites have been quick to clean up the infections as best they can, but, even if all the infected pages were removed, Gumblar would still have an army of infected PCs to inflict further damage. Source: http://www.switched.com/2009/06/02/though-the-conficker-virus-was-bad-meet-gumblar/

Daily Open Source Infrastructure Report for 4 June 2009

Has one of the sites for which you are responsible been compromised?

35. June 2, IDG News Service – (International) Thousands of Web sites stung by mass hacking attack. As many as 40,000 Web sites have been hacked to redirect unwitting victims to another Web site that tries to infect PCs with malicious software, according to security vendor Websense. The affected sites have been hacked to host JavaScript code that directs people to a fake Google Analytics Web site, which provides data for Web site owners on a site’s usage, then to another bad site, said the threat research manager for Websense. Those Web sites have likely been hacked via a SQL injection attack, in which improperly configured Web applications accept malicious data and get hacked, the researcher said. Another possibility is that the FTP credentials for the sites have somehow been obtained by hackers, giving them access to the inner workings of the site. It appears the hackers are using automated tools to seek out vulnerable Web sites, the researcher said. The latest campaign underscores the success hackers have at hosting dangerous code on poorly secured Web sites. Once a user has been directed to the bogus Google analytics site, it redirects again to another malicious domain. That site tests to see if the PC has software vulnerabilities in either Microsoft Corp.’s Internet Explorer browser or Firefox that can be exploited in order to deliver malware, the researcher said. If it does not find a problem there, it will launch a fake warning saying the computer is infected with malware and then try to get the user to willingly download a program that purports to be security software but is actually a Trojan downloader, he said. The fake security programs are often called “scareware” and do not work as advertised. As of May 29, only four of 39 security software programs could detect that Trojan, although that is now likely changed as vendors such as Websense swap malware samples with other companies in order to improve overall Internet security. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9133820&taxonomyId=17&intsrc=kc_top See also: http://news.cnet.com/8301-1009_3-10255226-83.html

Daily Open Source Infrastructure Report for 5 June 2009

Will U.S. Government investment in Cyber Security help solve problems?

37. June 3, Congress Daily – (National) Obama Administration begins work on cybersecurity R&D. Maximizing government investment in federal cybersecurity research and development is a major component of the U.S. President’s plan to bolster defenses against high-tech attacks. If the White House’s new cyber strategy and key agencies’ fiscal 2010 budget requests are any indication, they are off to a solid start. In the near term, the White House’s unnamed cyber czar will be charged with developing a framework for R&D strategies that focus on “game-changing technologies” and provide the research community access to event data to help develop tools and testing theories, according to the May 29 report, which stemmed from a 60-day review. That czar will eventually develop threat scenarios and metrics for risk management decisions, recovery planning and R&D prioritization. “Research on new approaches to achieving security and resiliency in information and communications infrastructures is insufficient,” the report stated. “The government needs to increase investment in research that will help address cybersecurity vulnerabilities while also meeting our economic needs and national security requirements.” The President proposed a $37.2 million cyber R&D budget for DHS in fiscal 2010 to support operations in its national cybersecurity division as well as projects within the CNCI. DHS is using much of its fiscal 2009 allotment to deploy Einstein, a system to analyze civilian agencies’ systems for cyber threats and intrusions. Source: http://www.nextgov.com/nextgov/ng_20090603_2540.php

Perhaps something like this?

11. June 2, SC Magazine – (National) Bank of America certificate scam propagating Waledac, Virut. A new spam campaign disguised as a Bank of America email telling users they need to update their digital certificate is attempting to lure users into installing the Waledac worm. The messages, which first started being detected recently, seemingly come from Bank of America, and tell users, “The digital certificate for your Bank of America direct online account has expired. You need to update the certificate using Bank of America direct digital certificate updating procedure.” Recipients are then instructed to click on a link and follow the given instructions, the lead threat analyst at web and email security firm Marshal8e6 told SCMagazineUS.com in an email on June 1. The spam originates from the Pushdo botnet, which has been active in similar malicious phishing attacks, the analyst said. After following the link, the user is encouraged to fill in a web form, and to download a new “digital certificate” to continue, the analyst said. The “certificate” however, is an executable file which seeks to download malware to the victim’s PC. The SANS Internet Storm center said in a post on June 1 that a quick analysis of this malware showed “probable signs” of Waledac, the notorious worm capable of harvesting and forwarding password information and receiving commands from a remote server. A threat researcher for Panda Security confirmed to SCMagazineUS.com on June 2 that the threat is being detected as Waledac. Source: http://www.scmagazineus.com/Bank-of-America-certificate-scam-propagating-Waledac-Virut/article/137848/

Note: The DHS only maintains the last ten days of their reports online. To obtain copies of earlier reports or complete summaries, go to:


No comments: