Security Bytes: Malware targets Google programs

By SearchSecurity.com Staff
20 Jun 2006 | SearchSecurity.com

Security Wire Daily News
Malware targets Google programs
A week after Yahoo Mail was targeted by a worm, rival search giant Google Inc. is trying to fight off malware targeting its Google Page Creator Web site hosting service as well as its Orkut service. San Diego-based Websense Inc. issued an advisory on the first issue, saying that a Trojan horse program was uploaded to a Googlepages.com server. It lies dormant on a client system until a user logs on to a banking Web site. The Trojan then tries to steal the person's information by capturing their keystrokes.

According to a published report, Google said it is moving as quickly as possible to address the threat and asked that users notify the search giant when they encounter sites that host or serve malicious files.

Meanwhile, Foster City, Calif.-based security firm FaceTime Communications Inc. said it has discovered a worm capable of stealing bank details and other personal data via Orkut, Google's social networking service. Google's service, while available globally, is wildly popular among Brazilians, who make up the bulk of its users, the Reuters news agency noted in a report. The malicious program, which FaceTime calls MW.Orc, works its way onto users' personal computers when they click on infected links on Orkut scrapbook pages.

In a statement, Google said that "Orkut.com users and users of all online services and applications should always be careful when opening or clicking on anything suspicious." The company added that it is aware of this issue and is working to implement a temporary fix, but it's currently unclear if that fix is now in place. "We are working on a more permanent solution for users to guard against these malicious efforts."

Microsoft offers advice on zero-day Excel flaw
Microsoft said Monday it's investigating a recently exploited Excel flaw and recommends customers "always exercise extreme caution when opening unsolicited attachments from both known and unknown sources." Meanwhile, Danish vulnerability clearinghouse Secunia has issued an advisory warning of a new flaw affecting Excel and Microsoft Office.

Of the zero-day Excel flaw discovered last week, Microsoft said in an advisory that it has added detection of exploits to the Windows Live Safety Center for "up-to-date removal of malicious software that attempts to exploit this vulnerability." When its investigation is finished, Microsoft said it will take the appropriate action to help protect customers. "This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs," the company said.

Secunia said attackers could exploit the new flaw affecting Excel and Office to compromise a vulnerable system. "The vulnerability is caused due to a boundary error in hlink.dll within the handling of hyperlinks in Excel documents," Secunia said. "This can be exploited to cause a stack-based buffer overflow by tricking a user into clicking a specially crafted hyperlink in a malicious Excel document." Secunia confirmed the flaw in Microsoft Excel 2003 SP2. The company recommended users avoid opening untrusted Microsoft Office documents and avoid following links in Microsoft Office documents.

Worm exploits World Cup craze
UK-based antivirus firm Sophos said a new worm is spreading by exploiting interest in the World Cup. Sixem-A spreads using a variety of disguises, including subject lines such as "Naked World Cup game set," "Soccer fans killed five teens" and "Crazy soccer fans," Sophos said.

One of the messages sent by the worm reads, "Nudists are organizing (sic) their own tribute to the world cup, by staging their own nude soccer game, though it is not clear how the teams will tell each other apart. Good photos ;)"

"If the attached file is run, it attempts to disable security software on the infected computer and then spread itself to other email addresses," Sophos warned.

Microsoft's French Web site defaced
Hackers made their way onto Microsoft's French Web site over the weekend and splattered part of it with graffiti. The intruders accessed the server that was running http://experts.microsoft.fr/, Microsoft told CNET News.com Monday. Turkish hackers have apparently claimed responsibility for the attack.

The attackers were likely able to penetrate the server running the Web site due to faulty configuration. Microsoft said it took the appropriate action "to resolve the issue and stop any additional criminal activity," CNET News.com reported.

After breaking in, the hackers left the following note: "Hi Master (: Your System 0wned By Turkish Hackers! redLine ownz y0u! Special Thanx And Gretz RudeBoy |SacRedSeer| The_Bekir And All Turkish HacKers next target: microsoft.com date: 18/06/2006 @ 19:06 WE WERE HERE...."

Tags: Application Attacks (Buffer Overflows, Cross-Site Scripting); Securing Productivity Applications; Malware, Viruses, Trojans and Spyware
