Security Bytes: Sober ready to ruin your Monday

By SearchSecurity.com Staff 20 May 2005 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Sober set to strike again
After tearing through the Internet earlier this month by promising tickets for the 2006 World Cup in Germany, the Sober-N worm dropped the Sober-Q Trojan on compromised machines and began spewing messages of German nationalism. Now, CipherTrust researchers say, that Trojan will be receiving new instructions that could include a more destructive payload than merely sending out spam.

"The instructions in the code tell [the Trojan dropped by the last Sober variant] to stop sending current spam on the 23rd and to start searching for new code to send out," Dmitri Alperovitch, research engineer at CipherTrust, said in an e-mail. "That could lead to the launch of a new worm next week with undetermined functionality. The new worm may just turn infected machines into proxies that would be sold to spammers or phishers." He advises sysadmins to "get your filtering systems in place. Look at the source -- the IP addresses -- of machines that are sending this stuff out so you can block it."

Lexis-Nexis, Paris Hilton data thefts linked
A federal investigation into the massive data theft at Lexis-Nexis has revealed that the group responsible also took credit for hacking into hotel heiress Paris Hilton's T-Mobile Sidekick and posting compromising pictures of celebrities on Internet sites, according to The Washington Post. The paper cited several sources involved in the investigation who said that the FBI was serving search warrants and seizing computers and other evidence from a number of teens believed to be involved.

The newspaper reported a small group of hackers sent out hundreds of e-mails with a message urging recipients to open an attached file to view pornographic child images. When those attachments were opened, a keystroke logger was installed -- in one case capturing the login information of a Florida police office who accessed Accurint, a LexisNexis service provided by a subsidiary. The hackers said they used the information to create sub-accounts and accessed thousands of names in the database, eventually selling personal identifiable consumer information to a ring of identity thieves.

A hacker also told The Washington Post that Hilton's cell phone was compromised by the same group in an attack that exploited a vulnerability in the T-Mobil Web site that allowed them to access to the account of any T-Mobile subscriber who used a Sidekick device to store photos and other data on the company's server. The group then used social engineering to con a T-Mobile salesperson into providing a password and the Internet address of the Web site used to manage T-Mobile's customer accounts. They allegedly used the site to lock Hilton out of her account and were able to download and store all of her data to their Sidekick.

Fake Windows security update leads to malicious Web site
If you see a Microsoft security update in your inbox, don't open it. Instead of patching your computers, it'll take you to a malicious Web site, said Lynnfield, Mass., antivirus firm Sophos. Sophos said an e-mail campaign has been launched to direct users to a bogus site that looks like Microsoft's official security Web page. But if users follow the links in the e-mail for downloading updates, they get infected with the Troj.DSNX-05 Trojan, which allows hackers to take remote control of the infected PC.

The e-mails claim to come from "Windows Update" [update@microsoft.com] and include subject lines like "Update your windows machine," "Urgent Windows Update" and "Important Windows Update." The e-mail body claims to link to Microsoft's Windows Update site but instead links to a site controlled by hackers.

"This criminal campaign exploits the public's rising paranoia about the security of their Windows computers. If users fall for it they may put themselves at risk of being spied upon or having their credit card and online banking details stolen," Graham Cluley, Sophos' senior technology consultant, said by e-mail. "Users must be very careful to be sure they are going to the official update Web sites, rather than just following links in e-mails which have been sent by hackers."

Data theft allegedly affects 500,000 customers, four banks
Nine people -- seven of them former bank employees -- face criminal charges for their alleged role in a massive data heist. Electronic account records for about 500,000 customers from four different banks was apparently stolen and sold to collection agencies, Computerworld reported. Hackensack, N.J., police are eying a crime ring they believe accessed the data through the former bank employees. The U.S. Treasury Department believes it's the largest bank security breach in the U.S.

"This thing's getting bigger and bigger," Hackensack police Det. Capt. Frank Lomia told Computerworld. "It's still growing. The banks are uncovering more accounts than we knew about."

The police announced the arrests of the nine suspects April 28, charging them with illegally selling personal identification information stolen from bank and New Jersey state computer databases. Police allege a company called DRL Associates Inc. was set up to find individuals and as a collection agency, but was not properly licensed for those activities by the state.

The bank employees worked for Wachovia Corp., Bank of America Corp., Commerce Bancorp Inc. and PNC Bank NA. One of the other suspects is a former manager of the New Jersey Department of Labor, Computerworld said.

Digg This!     StumbleUpon     Del.icio.us