[CERT-daily] Tageszusammenfassung - Freitag 25-01-2013
Daily end-of-shift report
team at cert.at
Fri Jan 25 18:02:50 CET 2013
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 24-01-2013 18:00 − Freitag 25-01-2013 18:00
Handler: Matthias Fraidl
Co-Handler: Stephan Richter
*** Web server hackers install rogue Apache modules and SSH backdoors, researchers say ***
---------------------------------------------
"A group of hackers that are infecting Web servers with rogue Apache modules are also backdooring their Secure Shell (SSH) services in order to steal login credentials from administrators and users. The hackers are replacing all of the SSH binary files on the compromised servers with backdoored versions that are designed to send the hostname, username and password for incoming and outgoing SSH connections to attacker-controlled servers, security researchers from Web security firm Sucuri
---------------------------------------------
http://www.computerworld.com.au/article/451689/web_server_hackers_install_rogue_apache_modules_ssh_backdoors_researchers_say/?fp=4&fpid=16
*** Playing chess with APTs ***
---------------------------------------------
During a briefing from the top security analyst at one of the
Washington-area cyber centers, I got the idea that resisting targeted
attacks from sophisticated adversaries (so-called advanced persistent
threats, or APTs) is a bit like playing chess at the grand master level.
---------------------------------------------
http://blogs.gartner.com/dan-blum/2012/12/28/playing-chess-with-apts-2/
*** Silly gits upload private crypto keys to public GitHub projects ***
---------------------------------------------
Amazing what you can find searching for BEGIN RSA PRIVATE KEY Scores of programmers uploaded their private cryptographic keys to public source-code repositories on GitHub, exposing their login credentials to world+dog. The discovery was made just before the website hit the kill switch on its search engine or, more likely, the service collapsed under the weight of curious users trawling for the sensitive data.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2013/01/25/github_ssh_key_snafu/
*** Are Cyber Criminals Using Plus-Sized Malware To Fool AV? ***
---------------------------------------------
"Obesity is an epidemic in the United States. And it looks as if it may soon be a problem in malware circles, as well. After years watching malware authors pack their poison into smaller and smaller packages, one forum frequented by those seeking help with virus infections says that theyre seeing just the opposite: simple malware wrapped within obscenely large executables in one case, over 200 megabytes...."
---------------------------------------------
http://securityledger.com/are-cyber-criminals-using-plus-sized-malware-to-fool-av/
*** Identifying People from their Writing Style ***
---------------------------------------------
"Its called stylometry, and its based on the analysis of things like word choice, sentence structure, syntax and punctuation. In one experiment, researchers were able to identify 80% of users with a 5,000-word writing sample. More Information: -http://www...."
---------------------------------------------
http://www.schneier.com/blog/archives/2013/01/identifying_peo_3.html
*** Vulnerability Scans via Search Engines (Request for Logs) ***
---------------------------------------------
We had a reader this week submit the following web log to us: GET /geography/slide.php?image_name=Free+gay+black+moviesslide_file= script%E2%84%91_id=0+union+select+0x3f736372aca074200372 HTTP/1.1 The request, as you can probably tell, is an attempt to detect SQL Injection and likely XSS vulnerabilities. As such, it isnt really all that special. What makes this more interesting is the fact that it came from Microsoft +http://www.bing.com/bingbot.html) Client IP Address: 157.55.52.58 This
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=15010&rss
*** Inside the Gozi Bulletproof Hosting Facility ***
---------------------------------------------
Nate Anderson at Ars Technica has a good story about how investigators tracked down "Virus," the nickname allegedly used by a Romanian man accused by the U.S. Justice Department of running the Web hosting operations for a group that created and marketed the Gozi banking Trojan. Turns out, Ive been sitting on some fascinating details about this hosting provider for many months without fully realizing what I had.Related Posts:Three Charged in Connection with Gozi
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/u48Al_9RZnE/
*** China Accused Of Java, IE Zero Day Attacks ***
---------------------------------------------
"Recently disclosed vulnerabilities in Java and Internet Explorer have been used in targeted attacks that appear to be aimed at critics of the Chinese government. Tuesday, Jindrich Kubec, director of threat intelligence for Prague-based antivirus software developer Avast, reported that multiple websites had been compromised by attackers and used to infect visitors via JavaScript drive-by attacks. If successful, the attacks infected PCs with a remote access Trojan (RAT), thus giving
---------------------------------------------
http://www.informationweek.com/security/attacks/china-accused-of-java-ie-zero-day-attack/240146926
More information about the Daily
mailing list