
    Archive for August, 2006



    Aug 28, 10:37 am (UTC-7)

    Christopher Maxwell of Vacaville, California, was sentenced to 37 months plus three years of probation, and was ordered to pay a combined $250,000 in restitution to Northwest Hospital and the Department of Defense.


    Maxwell pleaded guilty to launching a botnet attack that compromised computers at Seattle's Northwest Hospital and at several universities.


    Check here for the rest of the story.


    This shows that people in high places are beginning to understand the damage that security breaches can cause and are now taking steps to send a message, especially to the botnet community. One point for the good guys!



    Better think twice if you're searching for free stuff on the Internet. Searching for "free music" or "free screensavers" may return results that lead to malicious web sites. "Free" is a common search keyword, and malware and spyware authors have used this fact to their advantage. Sites that advertise "free" games and screensavers often bundle spyware and adware with the download. The same goes for sites that advertise other free items such as MP3s, e-cards and ringtones. You never know whether the site that promises tons of free MP3s will actually exploit a vulnerability in your browser and install a resource-hogging, keylogging, malware-downloading Trojan on your system. I guess the moral of the story is to be wary of such sites and not to be duped by these common social-engineering ploys.


    Read more about this here




    The August patch for MS06-042 has been known to cause Internet Explorer to crash while browsing sites that use HTTP 1.1 compression on Windows XP Service Pack 1 and Windows 2000.

    On August 22, eEye Digital Security published a post stating that this is not just a bug that crashes Internet Explorer but is actually an exploitable one. Ironically, it's an exploitable vulnerability in a vulnerability patch.

    No worries, though: Microsoft has already re-released the MS06-042 patch to fix the issue. So people, patch your systems!



    A Trojan that Trend Micro detects as TROJ_DELF.BRK uses ARP poisoning as its payload. This Trojan drops two files, a dynamic link library (DLL) and a driver file. The malware needs the driver file in order to interact with the affected user's network interface card (NIC).

    This way, the DLL file, which is injected into Windows Explorer (explorer.exe), can carry out the ARP poisoning payload. According to the Virus Report, the DLL file is "responsible for poisoning the ARP entry of hosts found on the network. It does this by sending an ARP broadcast to all hosts and poisoning the ARP cache of existing hosts on the network. This routine redirects all network traffic to the affected machine."


    Thus, once all traffic is redirected to the affected machine, a man-in-the-middle attack becomes possible, and in a man-in-the-middle position, stealing sensitive information such as usernames and passwords is possible. Another effect of this scenario is a denial of service for the other hosts on the network whose traffic is being redirected to the affected machine.


    Another possibility is sniffing network traffic, including on switch-based networks. Even though a switched network is designed to deliver traffic only to the intended host, sending a heavy volume of ARP packets to the switch can force it into a "fail-safe mode" in which it operates like a hub. As we know, hubs send packets to all hosts on the network, which makes sniffing traffic easy.


    This ARP poisoning technique, which was also used by PE_SNOW.A for distributed denial of service back in January 2006, is being used by malware authors to achieve their goals. Malware will continue to "evolve" to circumvent the security applied to networks and their hosts. Lastly, always update your antivirus pattern files to stay protected from new malware emerging from the Internet.
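    The redirection described above leaves a characteristic footprint on the wire: one MAC address answering for the addresses of every other host, and existing IP-to-MAC bindings flipping to that MAC. The following detector, an added example that is not part of the original post or of any Trend Micro tool, replays constructed ARP reply records and flags both signs; the addresses and MACs are made up.

```python
# Added example (not from the original post): flag the ARP-poisoning pattern the
# post describes, one machine claiming the IP addresses of every other host.
from collections import defaultdict

# Constructed sample: (sender_ip, sender_mac) pairs as seen in ARP "is-at" replies
# on one segment. The first five are normal; the rest come from an infected host
# (aa:aa:aa:aa:aa:aa) claiming the gateway and its neighbours.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),   # gateway
    ("192.168.1.10", "00:11:22:33:44:10"),
    ("192.168.1.11", "00:11:22:33:44:11"),
    ("192.168.1.12", "00:11:22:33:44:12"),
    ("192.168.1.20", "aa:aa:aa:aa:aa:aa"),  # the infected host's own address
    ("192.168.1.1", "aa:aa:aa:aa:aa:aa"),   # gateway now "is-at" the infected MAC
    ("192.168.1.10", "aa:aa:aa:aa:aa:aa"),
    ("192.168.1.11", "aa:aa:aa:aa:aa:aa"),
    ("192.168.1.12", "aa:aa:aa:aa:aa:aa"),
]


def detect_arp_poisoning(replies, max_ips_per_mac=2):
    """Return (conflicts, suspects).

    conflicts: list of (ip, old_mac, new_mac) where an IP's binding changed.
    suspects: dict mac -> sorted IPs for any MAC claiming more than
              max_ips_per_mac addresses (one machine impersonating the segment).
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    conflicts = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            conflicts.append((ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    suspects = {mac: sorted(ips) for mac, ips in mac_to_ips.items()
                if len(ips) > max_ips_per_mac}
    return conflicts, suspects


if __name__ == "__main__":
    conflicts, suspects = detect_arp_poisoning(SAMPLE_ARP_REPLIES)
    for ip, old, new in conflicts:
        print(f"binding change: {ip} moved from {old} to {new}")
    for mac, ips in suspects.items():
        print(f"suspect {mac} claims {len(ips)} addresses: {', '.join(ips)}")
```

    On a real segment the same logic can be fed from a passive ARP capture; a legitimate host that owns a few aliases should be whitelisted rather than lowering the threshold.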


    References:




    Aug 24, 10:08 am (UTC-7)

    We are currently receiving samples of a PayPal scam. According to the email, the user's account has been limited because of a report of credit card use, and for the user's own protection access to the account has been limited. The transaction details are supposed to be in the attachment. But I guess no transaction details are really included, because the attachment is a Windows executable file; the attachment's filename is TT-022-421-683.ZIP, which after extraction will create a .EXE file with the same filename. Please beware of this scam. Below is a sample email of the said scam.


    Update (Jasper, Fri, 25 Aug 2006 05:03:04 PM)

    This threat is now detected as TROJ_CLAGGE.A.

    Update (Jasper, Mon, 28 Aug 2006 09:02:44 AM)

    TROJ_CLAGGE.A has been renamed to TROJ_CLAGGER.E. It is detected with CPR 3.684.01.
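    A mail gateway can catch this lure before a signature exists by looking inside the ZIP attachment for executable content. The check below is an added example, not code from the original post or from Trend Micro; it constructs a harmless ZIP named after the attachment in the post, with a fake "MZ" stub standing in for the executable, and flags members by extension and by PE header.

```python
# Added example (not from the original post): open a ZIP attachment in memory and
# flag members that are Windows executables, whether by extension or by the "MZ"
# header of a PE file hidden behind some other extension.
import io
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def build_sample_attachment():
    """Construct a ZIP like the one described in the post: the archive and the
    executable inside share the same base name. The 'executable' is a fake PE
    stub starting with the MZ signature, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("TT-022-421-683.EXE", b"MZ" + b"\x00" * 62 + b"fake-pe-stub")
        zf.writestr("transaction.txt", b"see attached details")
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 30)  # PE disguised as a PDF
    return buf.getvalue()


def find_executables(zip_bytes):
    """Return a list of (member_name, reason) for members that look executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append("executable extension")
            with zf.open(info) as member:
                if member.read(2) == b"MZ":  # DOS/PE header magic
                    reasons.append("MZ header (PE file)")
            if reasons:
                findings.append((name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, reason in find_executables(build_sample_attachment()):
        print(f"quarantine candidate: {name} ({reason})")
```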



     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice