Time to add another fake e-mail to the long list of social engineering e-mail scams. This one looks like this.
Subject 4912-3337 Apple AppStore Confirmation
Sender Apple Up-To-Date Add contact
Apple Store
Call 1-800-MY-APPLE
#4368-66525
Order Details
You can also contact Apple Store Customer Service or visit online for more information.
Visit the Apple Online Store to purchase Apple hardware, software, and third-party accessories.
Copyright 2010 Apple Inc. All rights reserved.
This one wants you to click on the order details link, which I have removed, but if you look at the “Order Details” link more closely, you will see that it doesn’t go to the apple store but links to some place called goofbomb. I don’t feel like testing out my anti-virus or risk getting a 0-day virus or some malware, let’s just assume it’s a bad place. So keep your eyes out for this and other e-mails that claim you have purchased something, or missed a delivery, and gives you a link to your “order” or has an attachment for you to open. Quite a few of these going around these days.
Surf Safe
Here we go again. This isn’t news hot off the press, but I decided I should post about it here just in case some of you have missed it. There has been another Adobe Acrobat Reader exploit, CVE 2009-4324. Since it was first disclosed back in the middle of December, it has grown even nastier. The Internet Storm Center over at sans.org has a good analysis of one of the current variants.
There are still a couple days before Adobe releases a patch, which will finally be released on Jan 12. Adobe suggests you disable Java support until then. This is not the first time this has happened. What I’m suggesting is that even after this is patched, just keep Java disabled. If you open a PDF file that requires Java support, you could always turn it back on. With so many exploits in the wild, and how long it takes for the anti virus vendors to discover them, this one won’t be fixed for almost a month since it was first disclosed publicly, it’s better safe than sorry. Just disable Java support for good. Here’s how to disable Java support in Adobe Acrobat Reader
quoted from Adobe.com
SOLUTION
Customers using Adobe Reader or Acrobat versions 9.2 or 8.1.7 can utilize the JavaScript Blacklist Framework to prevent this vulnerability. Please refer to the TechNote for more information.
Customers who are not able to utilize the JavaScript Blacklist functionality can mitigate the issue by disabling JavaScript in Adobe Reader and Acrobat using the instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK
Customers using Microsoft DEP (“Data Execution Prevention”) functionality available in certain versions of Microsoft Windows are at reduced risk in the following configurations:
All versions of Adobe Reader 9 running on Windows Vista SP1 or Windows 7
Acrobat 9.2 running on Windows Vista SP1 or Windows 7
Acrobat and Adobe Reader 9.2 running on Windows XP SP3
Acrobat and Adobe Reader 8.1.7 running on Windows XP SP3, Windows Vista SP1, or Windows 7
With the DEP mitigation in place, the impact of this exploit has been reduced to a Denial of Service during our testing.
Watch your docs and surf safe
There is a fake adobe flash player updater that monitors your google searches. It looks just like the adobe flash installer. I’m not sure where I picked it up, but luckily I found this fake adobe flash player on a computer running firefox. Good thing I run NOD 32. I have been getting a notice that NOD 32 was blocking an outbound connection 
I found out that I was infected by this Fake Adobe Flash Player
While that website does tell you how to figure out if you have it or not, it doesn’t really tell you how to remove it, unless you buy their program. So I’m currently in the process of removing it. If you do have it, you’ll want to stop it right now! I’ve found that by going into Firefox’s extensions (Tools -> Addons -> extensions) you can disable Adobe Player 0.2 and restart Firefox. After doing this, I no longer got the warning for NOD 32 that it’s blocking the connection that msjupdate site, which I don’t know why it hasn’t been shut down yet.
I found socks.exe was running and when I looked for that file, I found it in my Windows/system folder with a creation date of 09-09-09, so I stopped socks.exe and renamed it socks.bak I would have deleted it but just in case it wasn’t installed by this Trojan, I figure it’s better to rename it. If some legit program I have starts complaining that socks.exe is missing, I can always rename it back to socks.exe
Once I’ve figured out how to completely remove it, I will update this post. In the meantime, disabling it will work. It’s after 3AM and I should have been in bed hours ago, but this was too important not to immediately warn you about it and give you at least a way of stopping it until I can post removal instructions.
This just in from the Internet Storm Center
Juha-Matti pointed out multple reports on a vulnerability in the widely used wordpress blog software that supposedly allows lets remote users reset the administrative password. They all lead to an original post on a full disclosure mailing list.
You can get all the details from the original post – WordPress unauthenticated administrator password reset
You can find the fix here
Basically you just need to change line 190 in wp-login.php from
if ( empty( $key )
to
if ( empty( $key ) || is_array( $key ) )
If line 190 in wp-login.php doesn’t match the example, you should update Word Press.
I’ve already done it here and everything still works. I also tried it on a version of Word Press that isn’t the latest version. I had to search for the string that needed changing because it’s not on line 190 in the older version. I updated the info and everything is working there too.
Filed Under (0day, DefCon, malware) by chris on 08-01-2009
Unable to attend DefCon this year, I’ve been following it on twitter. There was a talk about how insecure Firefox extensions are.
@ramereth word to the wise: DO NOT trust any firefox extension. assume they can grab and do anything including executing other code #defcon
Just one of many tweets talking about how scary the talk was. So until I can get more information on this, I’m disabling most of my Firefox extensions. Could this be Firefox’s vulnerability equivalent to Internet Explorer’s active-x? Ironically, I’ve been using Google’s Chrome browser lately. I’m liking it more and more. I was just switching back to Firefox because it has a couple extensions I use a lot. But now that they might not be safe, it looks like Chrome is going to be set as my default browser. At least until I find out more about these Firefox extension exploits.
Seeing how this talk was given today, I suspect there will soon be a rash of these exploits and figured I should pass on the info I have even though it’ sketchy at best at this point. To disable your extensions in Firefox, just go to Tools, then addons, then extensions, and uninstall or disable them.
I’m going to post some helpful info about conficker in a bit. I’m at work right now and can’t. Will do it at lunch… Some real good and timely resources. Be sure to check back
It has been recently disclosed that Adobe Acrobat Reader is vulnerable to a virus attack. Known as Adobe Reader PDF File Handling Remote Code Execution Vulnerability. A .pdf file, which is what you are reading with acrobat, is created with some code in it that uses java to exploit your computer.
After checking the usual exploit sites, I found several versions of this attack and proof of concepts. I tested them against several anti virus programs, and so far none of them detect it. I believe it is because of the way this attack is implemented. And I don’t think they will detect it since it’s not an “infected” file but a .pdf document. I could be wrong about this and maybe there will be some anti virus software that will detect it. Let me clarify this. The exploits I found were not detected. There is a trojan going around, called Pidief.E, which uses this vulnerability to install a second piece of malware. This second piece of malware takes screen shots and installs a keylogger. The screen shots and what you have typed on your computer are uploaded somewhere so the bad guys can go through it, and look for user names, passwords, credit card numbers, etc.
This particular malware can be detected, it’s the others that are out there that are worrisome.
I was more concerned with finding a fix now, because Adobe has said the flaw will be closed by March 11th, through updates to Acrobat Reader 9. Updates for earlier versions will be released later.
For now I have found to fixes. The first is a “homebrew” patch from soucerfire and can be found here. While I applaud their efforts, replacing the .dll file with their patch could have unknown results. The second fix, which I have been implimenting all day it work today, is to disable java script in acrobat reader. This is easy enough to do. Simply run Adobe Acrobat Reader. Select edit and go down to teh bottom and select prefrences. Once prefrences is open, you will see JavaScript on the left side, under catagories. After you have selected JavaScript, you will see your options on the right. The first box that is checked says Enable Acrobat Java Script. Just uncheck this box, and you are done.
If you open a .pdf file in the future and it asks you to re-enable java script, be sure to tell it no. And be sure to update Acrobat Reader when Adobe does post the update.
