Daily world news about IT and ... Download & News and IT technology

This blog will cover all the topics of the day

Password-Stealing Hackers Infect Thousands of Web Pages

Hackers looking to steal passwords used in popular online games have infected more than 10,000 Web pages in recent days.

The Web attack, which appears to be a coordinated effort run out of servers in China, was first noticed by McAfee researchers on Wednesday morning. Within hours, the security company had tracked more than 10,000 Web pages infected on hundreds of Web sites.

McAfee isn't sure how so many sites have been hacked, but "given how quickly some of these attacks have come on, it does seem like some automation has gone on," said Craig Schmugar, a researcher with McAfee's Avert Labs. In the past, attackers have used search engines to scour the Internet for vulnerable Web sites and then written automated tools to flood them with attacks, which ultimately let criminals use legitimate sites to serve up their malicious code.

The infected Web sites look no different than before, but the attackers have added a small bit of JavaScript code that redirects visitors' browsers to an invisible attack launched from the China-based servers. This same technique was used a year ago, when attackers infected the Web sites of the Miami Dolphins and Dolphins Stadium just prior to the 2007 Super Bowl XLI football game.

The attack code takes advantage of bugs that have already been patched, so users whose software is up-to-date are not at risk. However, McAfee warns that some of the exploits are for obscure programs such as ActiveX controls for online games, which users may not think to patch.

If the code is successful, it then installs a password-stealing program on the victim's computer that looks for passwords for a number of online games, including the Lord of the Rings Online.

These online game passwords are a popular hacker target, in part because many online gaming resources can be stolen and then sold for cash.

Other Attacks

Widespread Web attacks such as this are becoming more common too.

In January, security vendor Finjan reported a widespread hacking effort that infected 10,000 Web sites with malicious code that attacked visitors and then installed data-collecting software on their machines.

This type of attack is attractive to criminals, in part because it can be hard to thwart. "It's more subtle than spamming a malicious executable file to billions of e-mail addresses," Schmugar said. "You allow the people to go to the sites that they normally go to and pull off a low-scale attack that flies under the radar."

Firefox 3 Beta 4

First Look: Firefox 3 Beta 4

The just-released beta 4 version of Firefox 3 shows a browser short on flash and long on important, useful improvements that make browsing the Web easier, faster, safer, and simpler to customize.

Preston Gralla, Computerworld

The just-released beta 4 version of Firefox 3 offers a few visible additions to the browser. For example, the download manager has been improved, making it simpler to locate and work with downloaded files. It's quite nice -- you can easily search through your downloads.

Also, Firefox now integrates directly with your virus scanner, and shows the scanning being done right inside the download manager. And you can see the icon of the file you've downloaded, making it a lot quicker to identify.

The primary interface has been somewhat modified to look more modern, but much more important are a host of less immediately obvious features that any serious Web surfer will welcome.

The zooming feature, already improved in previous betas, has been refined. You can now, if you wish, zoom in and out of the text (rather than the entire page); your settings are remembered, so you don't have to reset them each time.

In addition to visible features, there are a number of key changes to be found under the hood. Firefox has long been bedeviled by memory bloat problems, and with this version, Mozilla claims that it has gone a long way towards solving that. It claims that it has plugged hundreds of memory leaks.

In addition, Mozilla says that it has cleaned up a related memory issue: that the browser uses increasing amounts of memory the longer it's in use. Mozilla says that Firefox now collects and releases unused memory, and reduces memory fragmentation.

Although I did not run specific tests, I can say the browser seems faster and does not slow down over time, as did previous versions. I tried the version for Vista; the version for XP shouldn't be much different.

Better Browsing and Bookmarking

Other changes to the browser have already been available in previous betas, but are worth mentioning. The most visible is the more modern-looking upper left corner with its icons for forward, back, reload, and stop. The forward and back buttons now have a 3D chiseled look, bringing what had been a tired-looking 2D interface into the modern age.

One not-so-nice change: Mozilla has moved the Home button off of the Navigation toolbar and onto the Bookmarks toolbar. This may have freed up some real estate on the Navigation toolbar, but it means that if you normally hide the Bookmarks toolbar (which I do), you no longer have access to your Home button. The change does not make much sense.

That being said, Firefox has done an exceptional job of turning the Navigation toolbar into a highly useful and powerful tool by integrating it with bookmarking and security features. For example, there is now a star icon on the far right side of the address bar; click it and you'll bookmark the site you're currently visiting. When you bookmark the site or visit a site you've already bookmarked, the star is gold; otherwise it is gray. To edit the bookmark -- for example, to change its folder, add tags, and so on -- click the star after it's turned gold.

Also useful is a new search-as-you-type feature. As you type an address into the Address Bar, a drop-down list of sites you've visited and in your bookmarks appears. The list includes not just the site URL, but also the site name and favicon.

Similarly, when you're visiting a site on which there is an RSS feed, an RSS icon should show up, as it did in the previous version of Firefox. (In this beta, I found that the icon did not always show up on pages with RSS feeds.)

Microsoft Monthly Security Updates Focus on Office

Microsoft's critical security patches this month target its Office software, fixing a flaw in Excel that had been exploited by attackers for the past two months.

Microsoft today released critical security patches for its Office software, fixing a flaw in Excel that had been exploited by attackers for the past two months.

The bug fixes were released in four software updates for Excel, Outlook, Office 2000, and Office's Web components. Microsoft rates all of the updates as critical, meaning that an attacker could theoretically exploit these flaws in order to hack into a victim's computer.

In total, 12 vulnerabilities are fixed in the four updates.

Office Only

Typically Microsoft includes bug fixes for Windows or Internet Explorer in its monthly security updates, and security experts said Tuesday that this is the first time they could remember Microsoft focusing the patches exclusively on Office.

It's a sign of the times, according to Paul Zimski, senior director of market strategy with Lumension.

Between 2006 and 2007 the number of attacks targeting Office software doubled, he said. "Malicious entities are looking toward Office as a vector for delivering malicious code," he said. "You can't really mitigate against Office: organizations can't block Office attachments and Office documents are generally trusted by users."

Pay Special Attention

Although all of Tuesday's updates are critical, system administrators will want to pay special attention to MS08-014, because it fixes a publicly disclosed flaw that hackers have been exploiting for several months now. "This is the long awaited patch for the Excel zero day issue first reported in mid-January 2008," said Eric Schultze, chief security architect with Shavlik Technologies, via instant message. "Angst-ridden computer users can now sleep easy knowing that they can now open malicious Excel documents without fear of being hacked."

"Patch this one as soon as possible if you visit illicit Web sites or open malformed Excel documents on a regular basis," he added.

This previously disclosed bug affects users of Excel 2000, 2002, and 2003 Service Pack 2, although customers with Excel 2007 or Excel 2003 Service Pack 3 are not at risk, according to Microsoft.

Another update to watch is the MS08-015 patch, which fixes a flaw that could be easily exploited by attackers. By tricking the victim into clicking on a specially crafted "mailto" Web link, an attacker could "install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said in its security bulletin.

These types of bugs, called URI (Uniform Resource Identifier) handling flaws, have been increasingly studied by hackers and security researchers over the past year, and they have led to a number of effective Web-based attacks.

Schultze said that he would apply the MS08-015 update before all others. That's because, while users may now be learning to hesitate before opening untrusted Office documents, they generally don't think twice about clicking on a Web link.

"Clicking on the e-mail link can allow the attacker to run code on your system, assuming that you have Microsoft Outlook," Schultze said. "There would be very little way to know ahead of time whether or not the mail link was evil. I expect we'll see exploit code for this very shortly."

The two other security updates fix critical flaws in Office and in the Office Web Components ActiveX controls used by products such as Office, BizTalk Server, Commerce Server, and the Internet Security and Acceleration (ISA) Server.