The Conficker worm, also known as Downadup, is targeting the Web site of Southwest Airlines and could disrupt online flight check-in and other services on March 13 as a result, security firm Sophos warned on Monday.
Mike Wood of SophosLabs Canada did some digging and found that the millions of computers infected with Conficker are programmed to contact wnsux.com, which redirects visitors to the main Southwest.com site, on March 13 to get instructions. That would cause a denial of service, shutting the site down temporarily, he wrote in a blog entry.
The worm is targeting about 7,750 domains, of which Wood said he found that nearly 3,900 are active. But they only resolve to 42 unique IP addresses, he said. Only a handful of those IP addresses are involved in a covert operation of ISPs and others trying to thwart Conficker by pre-registering domains, Wood wrote.
Other sites and potential dates that could be affected by Conficker are music site jogli.com on March 8, Chinese women's network qhflh.com on March 18, and computer phonetics site praat.org on March 31, he said.
"Other, less frequented sites of interest that appeared in the list include 'The Tennesse Dogue De Bordeaux' dog breeders site (tnddb.com, March 14) and the coy 'Double Super Secret Message Board' site (dssmb.com, March 11)," Wood wrote.
Sophos has more information in a statement on its Web site.
The worm, which has been around since last year, spreads through a hole in Windows systems, exploiting a vulnerability that Microsoft patched in October. Conficker also spreads via removable storage devices like USB drives, and network shares by guessing passwords and usernames.
Customers of CheckFree.com, an online bill paying site, were quietly redirected to servers in Ukraine early Tuesday morning, according to several reports.
Representatives of CheckFree told WashingtonPost.com that customers were redirected to a blank log-in page that attempted to install malware on the visiting PC. The company said it regained control at 5 a.m. EST Tuesday, so only customers using the site overnight were likely affected.
Mike Haro, senior security analyst at Sophos told CNET News, "The fact that they used a blank page to download a Trojan (not exactly subtle) says to me one of two things: a) they fell into these credentials and chose the fastest way to get something done, expecting the breach to be quickly detected; or b) they got more than we're being led to believe."
The Post also said someone was able to steal the user name and password to make account changes at CheckFree's domain registrar. The Domain Name System (DNS) takes the common name CheckFree.com and converts it to an online address; the criminals were able to change that online address to a server hosting malicious content.
CheckFree allows users to pay their utility bills, insurance payments, mortgage and loan payments along with 330 other kinds of bills electronically. The company declined to say how many of its customers may have been affected, according to the Post story.
CheckFree...stressed that the attack occurred during off-peak hours when customer traffic to its Web site is typically low. Still, CheckFree has a huge customer base: The company claims that some 24.7 million consumers initiate payments through its services.
Haro said: "I guess I'm less surprised that someone got access credentials, and more surprised at what they did--or didn't do--with that level of access." For example, he hasn't seen evidence the criminals have tried to extract money directly from the exposed accounts.
As of Thursday afternoon, representatives from CheckFree had not responded to CNET News' request for further comment.
The customer database of Express Scripts, a company used by employer health care services to provide prescription medicine by mail, has been breached. In a twist, the company said it learned of the breach in "a letter from an unknown person or persons trying to extort money from the company."
The company posted details on its Web site Thursday. The letter, received in October, threatened to reveal millions of customer records--including Social Security numbers, addresses, dates of birth, and in some cases, prescription information--on the Internet if the extortion demands were not paid. The company did not disclose what those demands were.
Graham Cluley, of security software maker Sophos, told CNET News that Express Scripts did things right. "It appears they have not paid up." He noted that's important with data theft because the criminals have the data in their possession and can keep going back to the company to get more and more money. Second, Express Scripts went to the FBI and decided to go public about the breach.
"We have identified where the data involved in this situation was stored in our systems and have instituted enhanced controls," Express Scripts said on its site.
Cluley said: "I think it's going to be old-fashioned police work that gets to the bottom of this." For example, it's possible the sender of the extortion request and the attacker used the same servers.
Usually extortion is used in connection with denial-of-service of attacks, when the criminals have nothing of value except the sheer volume of data to spew at a targeted site. A letter is sent asking for money in exchange for ending that attack.
This however is an old-school data theft. The criminals presumably have millions of customer details that can be sold on the Internet. But Cluley notes that "people's identities sell for a relatively small amount, and if you go to an auction site on the Web and try to barter on that, you might not get that much as you might potentially get by embarrassing a company."
A few weeks ago, Sophos noted a similar data breach/extortion attempt at a North American Maserati dealership. Still, Cluley said he does not think this was the beginning of a trend.
Cluley said the thieves in this case might not be connected with the established "carder" world, where personal identities are bought and sold online. "Maybe this is an accidental data leakage, something they stumbled across, maybe they're not part of the criminal community, and they're just taking their chances."
Express Scripts said it will notify affected customers in compliance with state regulations.
One of the spam messages using Obama's election to entice people to download malware.
(Credit: Sophos)Within hours of settling the U.S. presidential election on Tuesday, spam seen worldwide began incorporating the name and image of Barack Obama, according to various security vendors. The U.K.'s Sophos reported 60 percent of all spam seen by the lab on Wednesday was in some way Obama related.
One piece of spam alleges to contain a link to video of Obama's acceptance speech. If you follow the video link within the e-mail message you will be taken to a Web page where you'll be asked to update your Adobe Flash Player with a file, adobe_flash9.exe, first. This is not an official Adobe update file and downloading this file may in turn infect your computer with a Trojan.
Sophos named the Trojan Mal/Behav-027. F-Secure named it W32/Papras.CL. Sunbelt Software also has a blog about this particular piece of spam.
Meanwhile, Websense is reporting a separate threat. An e-mail appears to be an interview with the new president elect. The e-mail features embedded links to a video site that attempts to install a file, BarackObama.exe. Downloading this file may infect your computer with a Trojan.
A flood of e-mails pretending to be from MSNBC contain links to malicious software, security companies warned Wednesday.
According to an MX Lab blog post, subject lines always start with "msnbc.com - BREAKING NEWS" then are followed with a variety of possible headlines, including: "Google launches free music downloads in China"; "Plane crashes into prep school, hundreds of kids killed"; "Please give your opinions for change"; and "US Dollar hits 6-year high, further gains expected."
The Web address http://breakingnews.msnbc.com is valid if you type it into your browser; however, clicking the link within the body of the e-mail will take you to another site entirely. The bogus site will then ask you to download a Flash video file. It is the file adobe_flash.exe that contains a malicious Trojan horse.
Sophos and Websense also issued warnings about the e-mails. Earlier this month, Sophos warned that fake CNN Top Ten e-mails contained a similar Trojan horse. In 2006, the BBC was used in a similar attack.
Disclosure: CNET News is published by CBS Interactive, a unit of CBS.
Endpoint security isn't endpoint security anymore.
The old standards of antivirus, anti-spyware, and a firewall are no longer enough. In today's market, you need more types of protection like data loss prevention (DLP), full-disk encryption, or endpoint operations. The big guys like McAfee, Symantec, and Trend Micro aren't settling for one safeguard or another. They will likely have the whole enchilada in their endpoint security suites soon.
With this trend in mind, U.K.-based Sophos decided to jump into the new endpoint security game with both feet. The company announced that it is offering $340 million to acquire Utimaco Safeware, a leader in endpoint encryption and DLP. Yes, that's a lot of dough, but Utimaco is a leader in these burgeoning markets. The combination of Sophos and Utimaco can:
1. Leverage both installed bases. Sophos can up-sell Utimaco into its broad base while Utimaco customers will get an integrated endpoint suite down the line.
2. Bolster North American sales. Sophos has been keen on entering North America in a big way. It can now jump-start this effort by tapping into Utimaco customers and channel partners.
3. Compete on the new vision. As endpoint security morphs into a more holistic endpoint protection/operations category, Sophos/Utimaco could vault to a new leadership position.
Acquisitions are always risky but some become necessary as markets change. This one certainly appears to fit into this model.
According to a report out Wednesday, antivirus vendor Sophos says it detects one Web page with malicious content every 5 seconds--a trend that is up 300 percent from 2007.
In its Security Threat Report for the first half of 2008, Sophos says it finds just over 16,000 malicious pages each day, mostly the result of malicious SQL-injection attacks on legitimate Web sites such as the attack on Sony's U.S. PlayStation site in July. Tricks used by criminal hackers include using simple HTML code to place via SQL-injection a 1x1 pixel element (about the size of a pin prick) on an infected page. In loading the page, the Internet browser would then contact a server running exploit scripts and malicious code. But because the sites are legitimate, some security vendors struggle with blocking infected Web pages.
As for illegitimate sites, Sophos notes that Geocities and Blogger both make it easy for anyone to set up a Web site without much identification. Blogger, owned by Google, is particularly problematic, says Sophos, with the blog site alone accounting for nearly 2 percent of all malware hosts. It is not only possible for the Blogger sites to host malicious code, but criminal attackers can also inject links to malicious sites in the comments sections of the blogs.
A spokeperson for Google said "Google takes the security of our users very seriously, and we work hard to protect them from malware. Using Blogger, or any Google product, to serve or host malware is a violation of our product policies. We actively work to detect and remove sites that serve malware from our network."
- prev
- 1
- next
