Keyword: trojan

  • The New E-spionage Threat (CHINA)

    04/14/2008 4:38:02 AM PDT · by Perseverando · 11 replies · 326+ views
    BusinessWeek Magazine ^ | April 10, 2008 | Brian Grow, Keith Epstein and Chi-Chu Tschang
    A BusinessWeek probe of rising attacks on America's most sensitive computer networks uncovers startling security gaps The e-mail message addressed to a Booz Allen Hamilton executive was mundane—a shopping list sent over by the Pentagon of weaponry India wanted to buy. But the missive turned out to be a brilliant fake. Lurking beneath the description of aircraft, engines, and radar equipment was an insidious piece of computer code known as "Poison Ivy" designed to suck sensitive data out of the $4 billion consulting firm's computer network. The Pentagon hadn't sent the e-mail at all. Its origin is unknown, but the...
  • Worm infected Daughters Laptop (worm.win32.netsky)

    02/06/2008 6:12:48 PM PST · by SandRat · 23 replies · 63+ views
    Ok, Daughter's laptop with an up to date anti-virus program and firewall has gotten infected with a worm called worm.win32.netsky. Can't find a removal program for this bugger and the scans haven't found or removed it. She was going to various School District web sites to apply for a teaching job when it happened. It loaded on its own new desktop icons, and disabled remove program from the task bar along with Ctl-Alt-Del. Anyone out there got ideas?
  • DIGITAL PHOTO FRAME WITH VIRUS

    01/18/2008 6:48:33 PM PST · by SWAMPSNIPER · 8 replies · 67+ views
    self | January 18, 2008 | swampsniper
    Digital photo frames containing malware have been found, heads up! http://isc.sans.org/diary.html?storyid=3807 http://isc.sans.org/diary.html?storyid=3787
  • Virus from China the gift that keeps on giving (MocMex Trojan Horse)

    02/19/2008 11:25:20 AM PST · by sandyeggo · 36 replies · 169+ views
    SFGate ^ | February 15, 2008 | Deborah Gage
    An insidious computer virus recently discovered on digital photo frames has been identified as a powerful new Trojan Horse from China that collects passwords for online games - and its designers might have larger targets in mind. "It is a nasty worm that has a great deal of intelligence," said Brian Grayek, who heads product development at Computer Associates, a security vendor that analyzed the Trojan Horse. The virus, which Computer Associates calls Mocmex, recognizes and blocks antivirus protection from more than 100 security vendors, as well as the security and firewall built into Microsoft Windows. It downloads files from...
  • (Reggie) Bush evidence mounts

    01/10/2008 10:02:58 PM PST · by stainlessbanner · 30 replies · 50+ views
    Yahoo Sports ^ | January 10, 2008 | Charles Robinson and Jason Cole
    A former business associate of the failed marketing agency that attempted to secure Reggie Bush as a client told Yahoo! Sports he spoke directly to Bush about the company's business plan before the running back completed his junior season at the University of Southern California. Such an action would have violated NCAA rules and is the latest in a series of facts uncovered in a Yahoo! Sports investigation that indicate Bush and his family had an improper relationship with New Era Sports & Entertainment. Ben Delanoy, now CEO of Next Level Sports Marketing, said Bush indicated he would be part...
  • Bhutto murder used to spread malware

    12/28/2007 8:23:00 PM PST · by snarkpup · 7 replies · 37+ views
    The Register ^ | 12/28/2007 | John Leyden
    Malicious JavaScript pushes Trojan. Virus writers are exploiting morbid curiosity about the assassination of former Pakistani Prime Minister Benazir Bhutto to spread malware. Surfers searching for video footage of the suicide attack that killed Bhutto and at least 21 others on Thursday are liable to find malware posing as video clips that attempts to trick users into running malign ActiveX controls. The malicious downloaded file is detected by Symantec as the Emcodec-Trojan.
  • Online Crooks Target Macs With Porn Ruse (Apple)

    11/01/2007 8:38:22 PM PDT · by Alter Kaker · 23 replies · 85+ views
    Associated Press ^ | 1 November 2007 | Jordan Robertson
    SAN FRANCISCO — In a backhanded compliment to Apple Inc., online criminals are apparently so impressed with its scorching sales they are sending Macintosh computers an attack typically aimed at machines running Microsoft Corp.'s dominant Windows operating system. Symantec Corp. researchers said the Web sites serving up the new attack also deploy a Windows version. "For a while Mac users have enjoyed the benefits of being a small enough population that hackers didn't go after them directly _ that's obviously now changing," said Ben Greenbaum, senior research manager at Symantec Security Response. Lynn Fox, an Apple spokeswoman, said the Cupertino-based...
  • Multi-Middleman 'Mpack' Attacks Use Google AdWords to Lure Victims

    06/19/2007 6:11:16 PM PDT · by Cicero · 1 replies · 386+ views
    BetaNews ^ | June 19, 2007 | Scott M. Fulton, III
    Multi-Middleman 'Mpack' Attacks Use Google AdWords to Lure Victims By Scott M. Fulton, III, BetaNews June 19, 2007, 11:46 AM One of Russia's fastest growing markets, and quite possibly a contributor to stabilizing that country's fickle economy, is cut-rate, self-deploying Trojan horse packages. As malware writers there have discovered, rather than baiting and waiting for victims to fall into their traps at random, so that they carry out DoS and identity theft attacks without knowing they're doing so, would-be victims worldwide will gladly pay for the privilege of knowingly carrying out those same attacks. "In terms of social engineering," writes...
  • Keylogging Trojan Dodges Anti-virus Detection -Alert!!

    05/25/2007 2:34:07 PM PDT · by Ernest_at_the_Beach · 46 replies · 1,731+ views
    HardOCP ^ | Brian Prince | Brian Prince eWeek
    A new variant of the Russian Trojan Gozi, armed with keylogging functionality, is making the rounds again. What makes this time different is that the Trojan can scramble itself to avoid detection by your anti-virus software. The Trojan is believed to have been spreading since April 17. Like the original, which was discovered earlier in 2007, the new version of Gozi steals data from encrypted SSL (Secure Sockets Layer) streams. The latest variant was uncovered May 7 by Don Jackson, a security researcher at SecureWorks in Atlanta.
  • Computer Help Request- Win:Agent32 trojan -{vanity)

    05/22/2007 3:44:13 AM PDT · by Tainan · 7 replies · 358+ views
    n/a ^ | 22 May 2007 | self
    I have discovered a Win32:Agent trojan resident in a file on my C: drive. It is located in my Thunderbird email files section. Try as I may, I cannot seem to delete this. It appears to be growing in size. I have read a lot about this one and they refer to it as a "sleeper" trojan. How can I remove this trojan? I run Firefox, Thunderbird as email client, XP Pro, Avast & AVG 7.5 Internet Security System, Zone Alarm Pro, along with Spy Bot S&D and Spyware Blaster. Can anyone help with this? Thanks
  • Phoney Windows piracy check steals credit cards; New attack attempts to spoof WGA

    05/07/2007 7:17:40 PM PDT · by holymoly · 15 replies · 1,203+ views
    computing ^ | 07 May 2007 | Shaun Nichols
    Online criminals are using Windows registration pages as a new way to fool consumers into divulging confidential information, researchers with Symantec have noticed. The security firm said that it has spotted a new trojan that steals credit card information by posing as an anti-piracy control for Windows XP. The phishing trojan mimics the behavior of Microsoft's Windows Genuine Advantage (WGA) anti-piracy software, which tracks down pirated copies of the operating system. On startup, the trojan produces a window informing the user that their copy of Windows has been activated by another user. In order to "re-activate" Windows, the software asks the...
  • Storm Worm variant ignites e-mail virus deluge

    04/13/2007 10:31:55 AM PDT · by holymoly · 24 replies · 1,739+ views
    ZDNet ^ | April 13, 2007 | Caroline McCarthy
    Thursday likely marked the largest proliferation of e-mail virus attacks in more than a year, according to security company Postini. Postini said that two variations of the Storm Worm virus, which originally spread across the Internet in January, have quickly driven global virus levels 60 times higher than their daily average. E-mail users should be on alert for messages with "love"-related subject lines and an executable attachment that would contain a Trojan virus, as well as messages with "Worm Alert!" subject lines that contained a .zip file full of malicious code. Postini, which is based in San Carlos, Calif., says...
  • Hacker admits identity theft

    02/23/2007 8:43:17 AM PST · by APRPEH · 3 replies · 303+ views
    Irish Dev News ^ | 23 February 2007 | non attributed
    IT security and control firm Sophos is welcoming news that a US man has pleaded guilty to charges of writing and distributing a Trojan horse designed to steal usernames and passwords from computer users. "The Trojan has been the key development in cybercrime in recent years - hackers use them to steal info and money from unsuspecting internet users" Graham Cluley, Sophos Richard C Honour, 31, faces a maximum penalty of five years in prison and a fine of $250,000 after admitting releasing malware that infected users of DarkMyst, an IRC chatroom popular with players of online role-playing games. Honour,...
  • Inventor broke after Trojan fails to catch fire [full body armor exoskeleton for the troops a bust]

    02/08/2007 1:37:23 AM PST · by LibWhacker · 126 replies · 3,792+ views
    Hamilton Spectator ^ | 2/7/07 | Wade Hemsworth
    Troy Hurtubise is facing eviction after his Trojan invention flopped. Troy Hurtubise really put everything he had into his bulletproof combat suit. He spent two years and tens of thousands of dollars developing the Trojan, hoping to sell it to the Canadian or American armed forces, or to another friendly government. Now he's broke. Last month, he promised the Trojan would give soldiers in the field affordable, lightweight protection from bullets and bombs alike. He had worked all kinds of extras into the body armour: a ventilation system and multiple lights in the helmet, pepper spray that could shoot from the...
  • [Vanity]Trojan removal help INTCODEC-V6.766[1].EXE, with circumstances

    09/07/2006 1:51:01 PM PDT · by JerseyHighlander · 24 replies · 681+ views
    http://www.freerepublic.com ^ | 9/6/06 | JerseyHighlander
    I have a trojan, do not know how I picked it up: intcodec-v6.667.exe and intcodec-v6.400.exe The WGA on this WinXP pro was made invalid, and now I can't DL updates for Norton Virus either. Those are separate issues. Immediate need is to remove this virus, only ref I got on the net was here http://fileinfo.prevx.com/adware/qq2b5d34188554-INTC22293613/INTCODEC-V6.766%5B1%5D.EXE.html but I do not know anything about prevx.com or the free removal tool for this trojan. Does anyone know if prevx is legit, and does anyone know of any other ways to remove this trojan? Thanks for the help.
  • New Trojan (BHO) disguises malicious traffic

    08/08/2006 7:14:04 PM PDT · by holymoly · 12 replies · 398+ views
    ITNews.com.au ^ | 9 August 2006 | Gregg Keizer
    Websense raises the alarm about a phishing Trojan that uses a new technique to cloak its activity. The Web security company said that the Trojan, which installs itself as an Internet Explorer helper object, waits for the user to enter information in specific Web site forms -- particularly online banking sites -- then zaps the stolen data back to the attacker. What's unique about the new Trojan, said Websense, is that it delivers that data via ICMP packets. Keylogging Trojans usually transmit purloined usernames and passwords via e-mail or a HTTP POST command. Both can be easily spotted. "Instead, this...
  • Trojan Spoofs Firefox Extension, Steals IDs

    07/26/2006 7:26:07 AM PDT · by ShadowAce · 71 replies · 1,949+ views
    TechWeb ^ | 25 July 2006 | Gregg Keizer
    An identity-stealing keylogger that disguises itself as a Firefox extension and installs silently in the background was discovered Tuesday by security vendor McAfee. According to the Santa Clara, Calif.-based company, the "FormSpy" Trojan horse monitors mouse movements and key presses to steal online banking or credit card usernames and passwords, other login information, and URLs typed into Firefox, the popular open-source browser. Another component of the Trojan sniffs out passwords from ICQ and FTP sessions, and IMAP and POP3 traffic, said McAfee. All collected information is sent to an IP address hard-coded into the Trojan. The scam starts with spam...
  • New Trojan Asteroid Hints At Huge Neptunian Cloud

    06/15/2006 2:26:20 PM PDT · by blam · 19 replies · 666+ views
    New Scientist ^ | 6-15-2006 | Kelly Young
    New Trojan asteroid hints at huge Neptunian cloud 19:00 15 June 2006 NewScientist.com news service Kelly Young. The four known Neptune Trojans are shown in their position 60 degrees ahead of Neptune. The known clusters of Trojan asteroids on either side of Jupiter are also shown (Illustration: Scott Sheppard). A newly discovered asteroid in Neptune's orbit indicates the existence of a much larger, but as-yet-unseen, cloud of rocks in that region. The asteroids in Neptune's orbit might even outnumber those in the main asteroid belt between Mars and Jupiter, the new research suggests. The asteroid was discovered by Scott Sheppard of...
  • Europe rethinks its 'safe haven' status-(45 percent of Muslim immigrants "unintegratable,")

    05/24/2006 9:39:15 PM PDT · by Flavius · 17 replies · 804+ views
    Christian Science Monitor ^ | 5/24/06 | Sarah Wildman
    VIENNA - The night air in Vienna has finally turned warm, filling the city's trams with visitors. On the Ringstrasse, tourists take in the city, pointing out the City Hall and the parliament. "Did you see that one girl - so young! And wearing a veil," a woman clucks in lightly accented English, staring out the window of tram D. "They will form a separate culture." The sentiment isn't isolated. Earlier this month, Austria's Interior Minister Liese Prokop announced that 45 percent of Muslim immigrants were "unintegratable," and suggested that those people should "choose another country." In the Netherlands,...
  • Trojan Freezes Computer, Demands Ransom

    04/28/2006 12:40:23 PM PDT · by Former Fetus · 54 replies · 1,714+ views
    yahoo news ^ | 4/28/06 | Jeremy Kirk
    A new kind of malware circulating on the Internet freezes a computer and then asks for a ransom paid through the Western Union Holdings money transfer service. A sample of the Trojan horse virus was sent to Sophos, a security vendor, said Graham Cluley, senior technology consultant. The malware, which Sophos named Troj/Ransom-A, is one of only a few viruses so far that have asked for a ransom in exchange for releasing control of a computer, Cluley said. The new Trojan falls into a class of viruses described as "ransomware." The schemes had been seen in Russia, but the first...
  • Microsoft Official: Malware Recovery Not Always Possible

    04/04/2006 6:41:25 PM PDT · by HAL9000 · 133 replies · 2,920+ views
    FoxNews.com (Excerpt) ^ | April 4, 2006 | Ryan Naraine
    Excerpt - LAKE BUENA VISTA, Fla. — In a rare discussion on the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation. "When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at...
  • How deep does this rabbit hole go?

    03/31/2006 9:05:27 AM PST · by grandpa jones · 11 replies · 798+ views
    Business week ^ | 04/10/06 edition | staff
    This Worm Is Nasty, Brutish, And Sneaky. As a data security specialist, Jeremy Pickett sees all kinds of digital tricks. So on Mar. 20, when he was tracing the origins of a computer worm that had been blocked the night before from entering a client's computer network, Pickett wasn't too surprised that it tried to connect with four sleazy Web sites, most of them, he believes, in Russia. Or that it then tried to load victims' PCs with as many as 30 new pieces of "malware," ranging from spam programs to those that automatically dial in to expensive phone-sex services....
  • 'Critical' IE bug threatens PC users

    03/27/2006 6:58:48 PM PST · by Ernest_at_the_Beach · 43 replies · 675+ views
    theregister.co.uk ^ | Monday 27th March 2006 09:14 GMT | Ciara O'Brien, ElectricNews.net
    A dangerous new exploit in Internet Explorer could put PCs and data at risk, Microsoft has admitted. The flaw, for which code has already been published on the internet, could be exploited to set an email-borne virus free on the unsuspecting public. Potential viruses could come as an attachment that conceals the code, or could possibly redirect users to a site that will unleash the code on the user's machine, leaving the computer open to remote attack. Once the PC is being controlled by a malicious user, it can then be used to launch attacks on other PCs. Even supposedly...
  • New Twist on Spyware--Ransomware (My Title)

    03/16/2006 7:43:24 PM PST · by yhwhsman · 36 replies · 1,217+ views
    LurHQ ^ | March 11, 2006 | by LURHQ Threat Intelligence Group
    In May 2005, a trojan called PGPcoder was discovered in the wild by Websense Security Labs. The trojan's purpose was to encrypt a user's files, then demand a ransom for their decryption. Although this scheme seemed novel, it is actually predated by over 15 years, by a similar scam in 1989. LURHQ's Threat Intelligence Group has now discovered a third such scheme involving ransomware which we are calling Cryzip. Unlike PGPcoder, which used a custom encryption scheme (which was subsequently reverse-engineered by LURHQ), Cryzip uses a commercial zip library in order to store files inside a password-protected zip. Although the...
  • New virus seeks 'ransom' for computer files

    03/15/2006 11:34:19 PM PST · by martin_fierro · 21 replies · 665+ views
    AFP/Yahoo ^ | Wed Mar 15, 12:56 PM ET
    WASHINGTON (AFP) - In the equivalent of a holdup in cyberspace, a new computer bug locks up a user's file with encryption and demands a 300-dollar "ransom," security experts say. The so-called "ransomware" Trojan was discovered Saturday by the security firm LURHQ, which said it was based on a similar scheme perpetrated 15 years ago. Users whose computers are infected receive an e-mail stating that their files have been encrypted and will not be unlocked unless they transfer 300 dollars to a special account. In poorly written...
  • FR Folding@Home Project Update - We're in the Top 165 teams (A Tribute to Ronald Reagan)

    03/13/2006 8:55:21 AM PST · by soccer_maniac · 217 replies · 2,895+ views
    Folding@Home Official Stats ^ | 3-13-2006 | soccer_maniac
    Time for a new FreeRepublic folding@home thread. Our FreeRepublic team of 300+ members comprised primarily of Free Republic members in good standing have banded together to donate their excess CPU cycles to a worthy cause. Via distributed computing, millions of computers around the world, contribute directly to scientific research, in the quest for a greater understanding of diseases such as Alzheimer's, Cancer, and Mad Cow (BSE). Currently, the team is in 164th place (with 992 CPUs - nearly 19,000 completed Work Units and 2,982,241 points) This is an entirely voluntary program, and if you want to learn more, please see...
  • The First Mac OS X Virus? (A New OS X Trojan)

    02/16/2006 5:27:22 AM PST · by Panerai · 50 replies · 1,060+ views
    MacRumors.com ^ | 02/16/2006
    On the evening of the 13th, an unknown user posted an external link to a file on MacRumors Forums claiming to be the latest Leopard Mac OS X 10.5 screenshots. The file was named "latestpics.tgz" The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but is actually a compiled Unix executable in disguise. An initial disassembly (from original discussion thread) reveals evidence that the application is virus-like or was designed to give that impression. Routines listed include: _infect: _infectApps: _installHooks: _copySelf: The exact consequences of the application are unclear, but according to...
  • US hacker pleads guilty to hijacking thousands of computers

    01/25/2006 5:35:35 AM PST · by Calpernia · 16 replies · 523+ views
    Middle East Times ^ | January 25, 2006
    LOS ANGELES, CA, USA -- A US computer hacker on Monday pleaded guilty to hijacking around 400,000 computers, including military servers, and infecting them with malicious software. In the first such prosecution of its kind, "botmaster" Jeanson Ancheta, 20, admitted infecting the computers with software that caused them to send spam, show ads and launch crippling attacks on Internet sites. In federal court in Los Angeles, Ancheta admitted conspiring to violate both the Computer Fraud Abuse Act and an anti-spam law, to causing damage to US defense computers and to hacking into computers to commit fraud. His plea comes after...
  • The Windows MetaFile Backdoor?

    01/16/2006 9:48:37 AM PST · by ShadowAce · 106 replies · 1,992+ views
    Security Now! ^ | 13 January 2006 | Steve Gibson/Leo LaPorte
    This is a transcript from a show Steve Gibson did with Leo LaPorte. The link to the audio is at the above link. Also, I will excerpt a little of the relevant information here. Steve: And so, you know, because I'm a developer when I'm not being a hacker, I wanted to understand - oh, and the other thing is, I want to write a robust testing application, you know, that always works all the time. So I wanted to know, like, okay, what bytes have to be set which way, what matters, what doesn't. Because, you know, that's the way...
  • WMF (Windows meta file) exploit

    01/02/2006 5:07:56 AM PST · by KeyWest · 49 replies · 1,987+ views
    The SANS Institute ^ | January 2, 2005 | Various
    Looking forward to the week ahead, I find myself in the very peculiar position of having to say something that I don't believe has ever been said here in the Handler's diary before: "Please, trust us." I've written more than a few diaries, and I've often been silly or said funny things, but now, I'm being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad. It is very, very bad.
  • Microsoft To Patch Windows on January 10th; Attack Spreads

    01/03/2006 11:42:23 AM PST · by HAL9000 · 52 replies · 2,851+ views
    Dow Jones News Service (excerpt) ^ | January 3, 2006 | Chris Reiter
    Excerpt - NEW YORK -(Dow Jones)- Microsoft Corp. (MSFT) plans to release a patch for a new security flaw at its next scheduled update release on Jan. 10, leaving users largely unprotected until then from a rapidly spreading computer virus strain. "Microsoft's delay is inexcusable," said Alan Paller, director of research at computer security group SANS Institute. "There's no excuse other than incompetence and negligence." "It's a problem that there's no known solution from Microsoft," said Alfred Huger, senior director of engineering at Symantec Corp.'s (SYMC) security response team. SANS Institute, via its Internet Storm Center, has taken the unusual...
  • Windows PCs face ‘huge’ virus threat

    01/02/2006 3:54:03 PM PST · by Swordmaker · 204 replies · 7,015+ views
    Financial Times via Drudge ^ | January 2 2006 18:18 | By Kevin Allison in San Francisco
    Computer security experts were grappling with the threat of a new weakness in Microsoft’s Windows operating system that could put hundreds of millions of PCs at risk of infection by spyware or viruses. The news marks the latest security setback for Microsoft, the world’s biggest software company, whose Windows operating system is a favourite target for hackers. “The potential [security threat] is huge,” said Mikko Hyppönen, chief research officer at F-Secure, an antivirus company. “It’s probably bigger than for any other vulnerability we’ve seen. Any version of Windows is vulnerable right now.” The flaw, which allows hackers to infect computers using...
  • Potential new unpatched IE exploit ? ~ Yes...may affect other Browsers also...

    12/28/2005 2:55:03 PM PST · by Ernest_at_the_Beach · 69 replies · 2,032+ views
    Websense Security Labs ^ | Dec 28 2005 11:19AM | Websense Security Labs Blog Staff
    This alert is a follow-up to a post made yesterday on our blog: http://www.websensesecuritylabs.com/blog/ Websense® Security Labs™ has discovered numerous websites exploiting an unpatched Windows vulnerability in the handling of .WMF image files. The websites which have been uncovered at this point are using the exploit to distribute Spyware applications and other Potentially Unwanted Software. The user's desktop background is replaced with a message warning of a spyware infection and a "spyware cleaning" application is launched. This application prompts the user to enter credit card information in order to remove the detected spyware. The background image used and the "spyware...
  • Exploit Released for Unpatched Windows Flaw

    12/28/2005 5:45:47 PM PST · by Salo · 25 replies · 1,289+ views
    Washington ComPost ^ | 12/28/05 | Brian Krebs
    Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied.
  • First Neptune Trojan Discovered

    12/28/2005 3:40:34 PM PST · by SunkenCiv · 7 replies · 356+ views
    Lowell Observatory ^ | January 8, 2003 | Kristi Phillips, Manager of Media Relations and Public Affairs
    This small body, known as 2001 QR322, leads Neptune around its orbit in such a way as to maintain, on average, approximately equal distance from Neptune and the Sun. As such, it mimics the Trojan asteroids of Jupiter which orbit the Sun in two clouds approximately 60 degrees ahead of and behind Jupiter. The first Jovian Trojan was discovered in 1906 and approximately 1,560 such objects are known today. However, until the discovery of 2001 QR322, Trojan-like objects associated with other giant planets had not been found.
  • Spy Axe 3.0

    12/06/2005 8:16:34 PM PST · by Carling · 87 replies · 4,528+ views
    My PC ^ | 12/6/05 | Me
    I hate vanity posts, but I am wondering if anyone in FR land knows anything about the Spy Axe 3.0 virus. It has set up shop in my toolbar and has hijacked my home page. eTrust isn't touching it. Help?!?!
  • UGLY SPYAXE VIRUS ALERT (VANITY)

    12/06/2005 6:38:12 PM PST · by CAWats · 61 replies · 7,715+ views
    12-06-2005 | Cawats
    My computer apparently picked up a virus from spyaxe.net. I have a pop-up window saying I have spyware and "it is recommended to use antispyware tools to prevent data loss." Every time I close the popup it pops up again. I got tired of closing it and installed it then removed it with "Add/Remove Software" in the control panel. The pop-up is back. Can anyone help?
  • Trojan exploits unpatched IE flaw

    12/01/2005 7:41:41 AM PST · by ShadowAce · 28 replies · 829+ views
    The Register ^ | 1 December 2005 | John Leyden
    The release of a Trojan that exploits an unpatched IE hole has prompted speculation that Microsoft may release an emergency out-of-cycle security patch. The Delf-DH Trojan downloader uses an Internet Explorer vulnerability to infect unprotected Windows users who stray onto maliciously constructed websites. Delf-DH downloads other malware onto infected machines changing settings in order to monitor user activity and redirect surfers onto porn sites. The attack relies on a flaw in the way IE handles requests to the window() object, highlighted by proof-of-concept code last week and now used in anger by VXers. Even fully patched Windows 2000 and Windows...
  • Sony Rootkits: A Sign Of Security Industry Failure (List of 52 CD Titles)

    11/18/2005 3:16:07 PM PST · by Eagle9 · 32 replies · 1,265+ views
    TechWeb News ^ | November 18, 2005 | Gregg Keizer
    Sony's controversial copy-protection scheme had been in use for seven months before its cloaking rootkit was discovered, leading one analyst to question the effectiveness of the security industry. "[For] at least for seven months, Sony BMG Music CD buyers have been installing rootkits on their PCs. Why then did no security software vendor detect a problem and alert customers?" asked Joe Wilcox, an analyst with JupiterResearch. "Where the failure is, that's the question mark. Is it an indictment of how consumers view security software, that they have a sense of false protection, even when they don't update their anti-virus and...
  • MS' Reaction to Sony's Rootkit Raises Some Questions

    11/17/2005 6:09:52 AM PST · by ShadowAce · 79 replies · 1,564+ views
    Groklaw ^ | 13 November 2005 | Pamela Jones
    When the news first broke in the mainstream press that Windows expert and blogger Mark Russinovich (he wrote a book about Windows for Microsoft) had found that Sony's anti-piracy efforts had gone too far and that Sony's DRM was installing an undetectable rootkit on customers' computers which they couldn't safely remove, the first reaction from Microsoft was guarded. They were concerned, they said, and were evaluating what, if anything, to do: Microsoft, which also ships an anti-spyware program, recently renamed "Windows Defender," hasn't yet decided whether it will also flag the Sony DRM software as malicious code, the spokesperson said....
  • Sony has infected over one-half million world wide nets incl U.S. Military

    11/15/2005 1:43:21 PM PST · by dickmc · 109 replies · 4,218+ views
    Welcome to Planet Sony ^ | 2005-11-15 09:28 | Dan Kaminsky
    More than one-half million networks infected by Sony including U.S. military and various countries. Dan Kaminsky, http://www.doxpara.com/, is the expert who broke this and did the work. His U.S. and Europe infection maps are shown below and are frightening. Dan did a hell of a good job. Search Google News for "sony numbers trouble" for more in an excellent article today that is very worth reading.
  • Sony halts production of 'rootkit' CDs

    11/11/2005 5:45:59 PM PST · by Panerai · 33 replies · 971+ views
    Cnet ^ | 11/11/2005 | Joris Evers
    Sony BMG Music Entertainment said Friday that it will suspend production of CDs with copy-protection technology that has been exploited by virus writers to try to hide their malicious code on PCs. The decision by the music label comes after 10 days of controversy around the technology, which is designed to limit the number of copies that can be made of the CD and to prevent a computer user from making unprotected MP3s of the music. Security experts blasted the technology because it uses "rootkit" techniques to hide itself on hard drives and could be used by virus writers to...
  • First Trojan Using Sony DRM Spotted

    11/10/2005 10:03:29 AM PST · by steve-b · 29 replies · 1,432+ views
    The Register ^ | 11/10/05 | John Leyden
    Virus writers have begun taking advantage of Sony-BMG's use of rootkit technology in DRM software bundled with its music CDs. Sony-BMG's rootkit DRM technology masks files whose filenames start with "$sys$". A newly-discovered variant of the Breplibot Trojan takes advantage of this to drop the file "$sys$drv.exe" in the Windows system directory....
  • The rootkit of all evil? [Sony music CDs install hidden software!]

    11/05/2005 10:03:08 AM PST · by Quick1 · 26 replies · 1,285+ views
    BBC News ^ | 4 November 2005 | Bill Thompson
    Sony is in trouble but we might be the ones who lose out in the end, says technology commentator Bill Thompson. Sony says it has been using XCP for months. Sony BMG, the record company part of the multinational corporation that makes laptops, TVs, movies and many other things, is in trouble this week thanks to a copy protection scheme it has used on a number of its CDs. The software, called Extended Copy Protection or XCP, hides itself on your hard drive using techniques normally reserved for viruses, worms and trojans, which use similar "rootkits" to evade detection. And...
  • Trojan rides in on unpatched Office flaw

    10/01/2005 5:34:20 PM PDT · by N3WBI3 · 12 replies · 202+ views
    news.com ^ | 2005-06-30 | Joris Evers
    A new Trojan horse exploits an unpatched flaw in Microsoft Office and could let an attacker commandeer vulnerable computers, security experts have warned. The malicious code takes advantage of a flaw in Microsoft's Jet Database Engine, a lightweight database used in the company's Office productivity software. The security hole was reported to Microsoft in April, but the company has yet to provide a fix for the problem. "Microsoft is aware that a Trojan recently released into the wild may be exploiting a publicly reported vulnerability in Microsoft Office," a company representative said in a statement sent via e-mail on Friday....
  • Windows trojan replaces porn sites with Koran text

    09/07/2005 9:53:12 AM PDT · by PissAndVinegar · 39 replies · 1,192+ views
    Sophos AV ^ | Sept 6, 2005 | Sophos
    Troj/Yusufali-A is a Trojan for the Windows platform. Troj/Yusufali-A analyzes the title of the window in focus looking for various words. Some of the words Troj/Yusufali-A searches for are: sex, teen, xx, Phallus, jegger, Priapus, Phallic, Penis, Exhibitionism. If Troj/Yusufali-A finds one of these words in the title bar it will minimise the current window and display the following message in English along with other messages in other languages: YUSUFALI: Know, therefore, that there is no god but Allah, and ask forgiveness for thy fault, and for the men and women who believe: for Allah knows how ye move about...
  • Warnings of Katrina E-Mail Scams

    09/03/2005 4:15:59 AM PDT · by Our_Man_In_Gough_Island · 13 replies · 664+ views
    BBC ^ | 2 Sept 2005 | Staff
    Computer users are being urged to be on guard for a bogus e-mail that pretends to offer news updates about Hurricane Katrina as a means to infect their PCs. The malicious e-mail gives a brief news bulletin on the disaster before urging people to click "read more" and be taken to the full story on a website. Yet once directed to the website, a virus is sent to the user's computer. People are also being told to watch out for fraudulent e-mail scams pretending to raise cash for Katrina victims. It's sickening to think that hackers are prepared to exploit...
  • Katrina-themed malware attack hits the net

    09/02/2005 10:43:47 AM PDT · by Racehorse · 7 replies · 500+ views
    The Register ^ | 2 September 2005 | John Leyden
    Hurricane Katrina is bringing out the worst in people on the net as well as on the streets of New Orleans. Spam emails purporting to offer links to news about Katrina are being used to tempt potential victims onto a site hosting Trojan malware. The site exploits well-known IE vulnerabilities to install a variety of Trojans including Cgab-A, Borobot-P, Borobot-Q, Borodldr-H and Inor-R. Security firm Sophos reports that subject lines used in the malicious emails include, but are not limited to, the following: Re: g8 Tropical storm flooded New Orleans. Re: g7 80 percent of our city underwater. Re: q1...
  • Microsoft sees 3 'critical' Windows security flaws

    08/09/2005 2:03:40 PM PDT · by Fractal Trader · 49 replies · 1,240+ views
    AP via Boston.com ^ | 9 August 2005
    Microsoft Corp. warned users of its Windows operating system on Tuesday of three newly found "critical" security flaws in its software, including one that could allow attackers to take complete control of a computer. Computer security experts urged users to download and install the patches, which are available at www.microsoft.com/security. "Users (should) apply the updates as quickly as possible," said Oliver Friedrichs, senior manager of Symantec Security Response, part of security software company Symantec Corp. SYMC.O. Microsoft said that vulnerabilities exist in its Internet Explorer Web browser, the most severe of which could allow an attacker to take complete control...
  • Microsoft fixes serious Windows flaws

    08/09/2005 2:56:44 PM PDT · by Panerai · 78 replies · 1,725+ views
    Cnet News ^ | August 9, 2005 | Joris Evers
    Microsoft on Tuesday issued alerts on several security flaws in Windows, the most serious of which could allow an attacker to gain control over a victim's computer. Microsoft released six security bulletins as part of its monthly patching cycle, three of which it deems "critical." The Redmond, Wash., software gives that rating to any security issue that could allow a malicious Internet worm to spread without any action required on the part of the user. One bulletin addresses three flaws in Internet Explorer. Of all the issues Microsoft offered fixes for Tuesday, these put users at most risk of attack,...