The Antivirus blog

More SQL injections

2008-05-11T14:24:30Z

The sites effected by the last SQL injection wave haven’t recovered until it’s time for the next attack of SQL injections

Once again it looks like it’s older version of phpbb that got injected by JS_SMALL.QT (discovered by Advanced Threats Research Program Manager Ivan Macalintal). Unfortunately if you’re going to use phpBB you have to make sure you upgrade after they’ve released yet another security fix (which they tend to to often sometimes ).

Visitors to a compromised site got redirected a couple of times to other sites and then will see a popup asking to install an ActiveX Object.

When the ActiveX Object gets installed these trojans also gets installed on the victims computer:

TROJ_DNSCHANG.CS
TROJ_ALUREON.AE
TROJ_ALUREON.AH
TROJ_ALUREON.AI

According to Trend Micro these trojans are evil:

These types of Trojans are known for changing an affected system’s local DNS and Internet browser settings, thus making the system vulnerable for even more potential threats.

Google Adwords phishing attempt

2008-05-01T19:31:37Z

I just got an email from Google informing me of possible phishing attempts and that I should be “on my watch” for suspicious emails appearing to be from Google. Here’s the email I got (I removed @ from the email addresses):

At Google, we take the safety of our users very seriously, and we work hard to ensure that your accounts are secure. As part of those efforts, we recently compiled some tips on our blog to help protect you from “phishing,” which is an attempt to fraudulently collect passwords, credit card numbers, and other sensitive information: http://googleblog.blogspot.com/2008/04/how-to-avoid-getting-hooked.html

This information is important because any online account can be targeted by phishers, including online advertising accounts.

There are reports of phishing attempts that falsely appear to be from adwords-noreply (a) google.com. These fraudulent emails ask users to update their billing information, take action on a disapproved ad, edit their account, or accept new AdWords terms and conditions. Please remember that Google’s AdWords team will never send an unsolicited message asking for your password or other sensitive information by email or through a link.

If you need to change your account information, such as your billing details or your password, always sign in to your AdWords account from the main AdWords login page at https://adwords.google.com and make the changes directly within your account.

We’ve included more information below on how to avoid phishing. If you have any questions, please don’t hesitate to contact us at adwords-support (a) google.com.

Sincerely,
The Google AdWords Team

As always it’s important to make sure your logging in at the correct site (in this case google.com).

Post from: The Antivirus blog

Security fix for Wordpress

2008-04-26T07:02:29Z

Most of us have just upgraded to Wordpress 2.5 when it’s now time for another upgrade. This time it’s a more urgent upgrade since it includes a security fix and about 70 bug fixes:

We recommend everyone update immediately, particularly if your blog has open registration. The vulnerability is not public but it will be shortly.

My guess is that this security fix is related to this post, but that’s just my guess.

Read more in the Wordpress blog or go directly to the download page to get the latest version.

Post from: The Antivirus blog

Hosting companies watch out!

2008-04-20T15:32:26Z

Now all hosting companies offering IIS and SQL Server on Windows XP, 2003, Vista, and Server 2008 must watch out for a vulnerability allowing local users to raise his privilege level.

Microsoft stated in their advisory:

Hosting providers may be at increased risk from this elevation of privilege vulnerability.

But no explanation was provided.

Since IIS is a popular platform for may web hosting companies we may see targetted attacks on hosting companies (and their clients web sites) . If you work for or run your own hosting company you may have to keep an eye on your SQL server.

Wordpress 2.5 is out, upgrade today!

2008-03-31T17:21:57Z

The latest version of Wordpress is only a few days old when I noticed this urgent post in the TrendLabs blog regarding the old version of Wordpress (version 2.3.3 that is). It’s always important to upgrade your software, and this time it can really hurt your visitors and subscribers if you don’t

This javascript injection is createing a directory called 1 in your wp-content directory. So to find out if your blog has been hijacked you should search for a directory called that. This directory will be full of infected files containing links to other infected files so you need to remove them all if your blog has been infected.

If you blog gets infected, then all your blog pages will be filled with links to other infected pages.

TrendLabs is giving this advice to blog owners:

As of this writing, a fix for this vulnerability has yet to be issued by WordPress. (You may, however, find this and this sites useful.) As a workaround, users may want to close their registration feature. Also, be wary of third-party plug-ins you install in your blog sites.

Post from: The Antivirus blog

Manipulated ratings at eBay?

2008-03-24T07:09:48Z

TrendMicro is this morning reporting about manipulated ratings at eBay.co.uk. The ratings at eBay show the users history using stars. The more stars (five is the maximum) a user got the more successful trades have been completed and the more trusted a user can be.

The manipulation works like this. The unsuspecting user visits one of the auction pages at eBay which contains an embed (and hidden) Shockwave file. The user is redirected to a .aspx file in Russia, which means that the user is doing business with someone he can’t identify . So be alert when you do business on eBay. Make sure you’re still at the eBay site at all times!

Post from: The Antivirus blog

Check your Wordpress installation

2008-03-21T09:50:25Z

If you’re using Wordpress you should make sure that you’re using the latest version (at the moment 2.3.3) and that you’ve removed all the old files so no one can take advantage of a security leak in the old files. Shoemoney.com is reporting that people claim to have hidden links (or even iframes) injected into their latest installations of Wordpress.

Shoemoney.com says:

First I want to say I have never seen any evidence of a fresh 2.3.3 install of Wordpress.

The issue most likely comes from either a previous exploitable file still existing in your Wordpress install directory or from someone who has already hijacked your admin cookie. You see there were some wicked exploits in earlier versions that allowed people to hijack your admin cookie which authenticates you (keep me logged in).

So the advice is to always keep your installations up to date, change passwords regularly and to remove old files used in previous version of your installation. This is not only true for Word press, but for all installations on your server like for example phpBB.

A good idea is also to keep a backup on your database at some other location then your current server. Wordpress got a few good plugins that can email your database to you on a daily basis, or if you can you should setup so your web server is sending a backup of your entire site to some remote FTP account.

Post from: The Antivirus blog

Make sure you upgrade your phpBB forums

2008-03-21T09:50:36Z

Since a few days over 200 000 pages (most of them using phpBB) have been compromised with an exploit according to McAfee.

This video will show you how it looks like on the users side:
March 2008 - Mass Hack Demo from Schmooog on Vimeo.If you got a forum using phpBB you have to make sure you’re using the latest version. Back in 2004 another mass hack of phpBB occurred so this is not the first (and absolutely not the last time) the users of phpBB forums learn the hard way how important backups are.

Post from: The Antivirus blog

Welcome to the antivirus blog

2008-03-15T13:49:25Z

Welcome to the latest blog from Xavier Media about antivirus softwares, latest virus threats and how to protect you and your computer from scumware, trojans and other malware.

The virus map found on the main page is constantly updated with the latest threats you need to look our for. You can also “zoom in” on your region to see what’s going on in your part of the world.

Thanks to our friends at Trend Micro you can also scan your computer for viruses completely free by visiting this page.

More features and articles on how to protect yourself will be added shortly and I really hope that you like the new and improved antivirus page from Xavier Media .

Post from: The Antivirus blog