Fri 17 Feb 2006
The new Windows Media Player exploits have been released on Milw0rm.com. They even included a Metasploit file. I am thinking of writing a Metasploit tutorial, would you guys be interested?
Fri 17 Feb 2006
At least when it comes to such mishaps as the Sony BMG Music Entertainment fiasco, that’s what an official from the Department of Homeland Security suggested Thursday.
“The recent Sony experience shows us that we need to be thinking about how we ensure that consumers are not surprised by what their software programs do,” Jonathan Frenkel, director of law enforcement policy at the U.S. Department of Homeland Security, said in a speech here at the RSA Conference 2006.
A lesson has been learned from the Sony debacle, which left unwitting consumers with software on their PCs that could be used by cyberattackers to hide their malicious code. “Companies now know that they should not surreptitiously install a rootkit on computers,” Frenkel said.
But perhaps more importantly, how could the mishap have been avoided in the first place? “Legislation or regulation may not be a solution in all cases, but it may be warranted in appropriate circumstances,” Frenkel said.
Hmmmm... Ya think so? This should already be law in my books. There is no place for rootkit technology embedded in consumer goods.
Thu 16 Feb 2006
On the evening of the 13th, an unknown user posted an external link to a file on MacRumors Forums claiming to be the latest Leopard Mac OS X 10.5 screenshots. The file was named “latestpics.tgz”
The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but is actually a compiled Unix executable in disguise. An initial disassembly (from original discussion thread) reveals evidence that the application is virus-like or was designed to give that impression. Routines listed include:
_infect:
_infectApps:
_installHooks:
_copySelf:
The exact consequences of the application are unclear, but the users that originally executed the application have noted that it appeared to self-propagate:
If anyone remembers last night, when lasthope spread that picture that opened in terminal. I just turned on my other computer and it said it had an incoming file, from my computer, which was the latest pics file. Any help. I have already secure deleted it off of my hard drive, but how do I know that it will not come back.
Andrew Welch, who had done some of the initial disassembly, is posting updates to this thread. According to the initial investigation, the application uses Spotlight to find the other applications on the infected machine and subsequently inserts a stub of code into each application executable.
Update: It appears that there is some debate about the classification of this application. As it does require user activation, it appears to fall into the Trojan classification rather than self-propagating through any particular vulnerability in OS X.
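The disguise described above (a Mach-O executable dressed up as a picture) is caught by looking at file content rather than name or icon. The following checker is an added example, not code from the original post or from the analysis thread; the archive it inspects is constructed in memory and is a hypothetical stand-in for latestpics.tgz, containing only magic headers rather than real binaries.

```python
import io
import tarfile

# Magic numbers: JPEG starts with FF D8 FF; Mach-O (32/64-bit, either
# byte order) and universal ("fat") binaries start with one of these.
JPEG_MAGIC = b"\xff\xd8\xff"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe",                       # FAT_MAGIC (universal)
}

def classify(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring name and icon."""
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    if head[:4] in MACHO_MAGICS:
        return "macho"
    return "other"

def executables_in_archive(tgz_bytes: bytes) -> list:
    """Return (member name, executable bit set?) for every regular file in a
    .tgz whose content is a Mach-O binary, whatever the file is called."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            f = tar.extractfile(m)
            head = f.read(8) if f else b""
            if classify(head) == "macho":
                findings.append((m.name, bool(m.mode & 0o111)))
    return findings

def build_sample_tgz() -> bytes:
    """Constructed sample archive (hypothetical, not the real latestpics.tgz):
    one genuine JPEG header and one 'picture' that is really a Mach-O header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, mode in (
            ("latestpics/shot1.jpg", JPEG_MAGIC + b"\x00" * 13, 0o644),
            ("latestpics/latestpics", b"\xce\xfa\xed\xfe" + b"\x00" * 12, 0o755),
        ):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Running `executables_in_archive(build_sample_tgz())` flags only the disguised member, with its executable bit set; a real archive downloaded from a forum can be checked the same way before anything in it is opened.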
Thu 9 Feb 2006
from IT Security News - SC Magazine UK
A hacker who stopped more than three million Spanish computer users from using the internet has been sentenced to two years in jail. Twenty-six-year-old Santiago Garrido used a computer worm to launch distributed denial-of-service (DDoS) attacks after he was expelled from the popular “Hispano” IRC chat room for disobeying its rules.
The attacks disrupted an estimated three million users of the Wanadoo, ONO, Lleida Net and other internet service providers - amounting to one third of all of Spain’s web users at the time of the 2003 offense.
Garrido, who went by the aliases “Ronnie” and “Mike25,” was sentenced at a court in La Coruña and also faces a 1.4 million Euro fine.
“Many times hackers use DDoS techniques to try and blackmail the website under attack. On this occasion, it seems the hacker was so furious about being thrown out of a chat room that he resorted to a criminal act to wreak his revenge, affecting millions of internet users in the process,” said Graham Cluley, senior technology consultant for Sophos. “This type of activity causes serious damage and disruption, and any hackers engaged in such behaviour must be punished accordingly. The Spanish Civil Guard should be congratulated for seeing this case through to its conclusion.”
SophosLabs estimates that more than 60 percent of all spam originates from zombie computers, which can be used by criminal hackers to launch DDoS attacks, spread unwanted email messages or steal confidential information. In May 2005, the Sober-Q trojan and Sober-N worm were found to have worked in tandem to infect and hijack computers around the world, programming them to spew out German nationalistic spam during an election.
Tue 31 Jan 2006
Proposed changes to the Police and Justice bill would make it an offense to make, adapt, supply, or offer to supply any article which is designed or adapted to impair the operation of a computer, prevent or hinder access to a computer, or impair the operation of any program or access to any data. (Look at Part 5, sections 34 and 35).
Fri 27 Jan 2006
from The Register
Insider attacks and industrial espionage could become more stealthy by hiding malicious code in the core system functions available in a motherboard’s flash memory, researchers said on Wednesday at the Black Hat Federal conference.
A collection of functions for power management, known as the Advanced Configuration and Power Interface (ACPI), has its own high-level interpreted language that could be used to code a rootkit and store key attack functions in the Basic Input/Output System (BIOS) in flash memory, according to John Heasman, principal security consultant for UK-based Next-Generation Security Software.
The researcher tested basic features, such as elevating privileges and reading physical memory, using malicious procedures that replaced legitimate functions stored in flash memory.
“Rootkits are becoming more of a threat in general - BIOS is just the next step,” Heasman said during a presentation at the conference. “While this is not a threat now, it is a warning to people to look out.”
Tue 24 Jan 2006
from F-Secure : News from the Lab
James Ancheta, aka “Resjames” or “Botmaster”, pleaded guilty in Los Angeles yesterday to running a botnet and selling bots.
He faces up to six years in prison. He will also have to pay restitution and give back about $60,000 and his BMW, bought with botnet money.
Ancheta was active in 2004. With another bot herder known as “SoBe”, they infected more than 400,000 computers.
They were making money by selling bots to spammers, and by signing up as affiliates in adware install programs run by Gammacash and Loudcash (both are owned by 180Solutions nowadays). This way they earned money every time they installed an adware program to an infected machine.
James Ancheta seems to be offline nowadays, but you can still find some of his old forum posts via Google. In this thread he has just rented a dedicated server from Sagonet, which he then used to run the irc server to control his bots.
The court papers make a fascinating read.
Mon 23 Jan 2006
from VTE
“The Virtual Training Environment (VTE) is a Web-based knowledge library for Information Assurance, computer forensics and incident response, and other IT-related topics. VTE is produced by the Software Engineering Institute at Carnegie Mellon University.”
Thu 12 Jan 2006
The Brazilian adware company Exfol, which owns the Freecat.biz domain, has been caught using the Windows WMF exploit to execute spyware from its pop-up advertising. It does not appear that they are being pursued legally, but this is certainly a domain to put on your browser's ban list.
Mon 9 Jan 2006
from SANS - Internet Storm Center
Two additional functions within the Microsoft graphics rendering engine are reportedly vulnerable to memory corruption attacks. The flaw affects the ‘ExtCreateRegion’ and ‘ExtEscape’ functions. WMF exploits round two to follow?