Here is yet another example of a company distributing malware to its userbase. Unfortunately it probably won’t be the last.

Today one of our colleagues received a brand new Vodafone HTC Magic with Google’s Android OS. “Neat” she said. Vodafone distributes this phone to its userbase in some European countries and it seems affordable as you can get it for 0€ or 1€ under certain conditions.

The interesting thing is that when she plugged the phone to her PC via USB her Panda Cloud Antivirus went off, detecting both an autorun.inf and autorun.exe as malicious. A quick look into the phone quickly revealed it was infected and spreading the infection to any and all PCs that the phone would be plugged into.

A quick analysis of the malware reveals that it is in fact a Mariposa bot client. This one, unlike the one announced last week which was run by spanish hacker group “DDP Team”, is run by some guy named “tnls” as the botnet-control mechanism shows:

00129953 |. 81F2 736C6E74 |XOR EDX,746E6C73 ; ”tnls”

The Command & Control servers which it connects to via UDP to receive instructions are:

mx5.nadnadzz2.info
mx5.channeltrb123trb.com
mx5.ka3ek2.com

Once infected you can see the malware “phoning home” to receive further instructions, probably to steal all of the user’s credentials and send them to the malware writer.

Interestingly enough, the Mariposa bot is not the only malware I found on the Vodafone HTC Magic phone. There’s also a Confiker and a Lineage password stealing malware. I wonder who’s doing QA at Vodafone and HTC these days.

Source: Panda Research Blog

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.

Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated bruteforcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s and many more.

Ncrack was started as a “Google Summer of Code” Project in 2009. While it is already useful for some purposes, it is still unfinished, alpha quality software. It is released as a standalone tool.

Ncrack is available for many different platforms, including Linux, *BSD, Windows and Mac OS X. There are already installers for Windows and Mac OS X and there is a universal source code tarball that can be compiled on every system.

Example: A representative Ncrack scan

Downloads:
http://nmap.org/ncrack/dist/ncrack-0.01ALPHA.tar.gz
http://nmap.org/ncrack/dist/ncrack-0.01ALPHA-setup.exe
http://nmap.org/ncrack/dist/ncrack-0.01ALPHA.dmg

Ncrack Man Page: http://nmap.org/ncrack/man.html

Ncrack Home: http://nmap.org/ncrack

China’s leading search engine claims a shocking lack of security nous at its chosen domain name registrar was responsible for a prolonged outage last month.

China’s Baidu says in legal papers that that an obvious scammer was able to con Register.com support staff into handing over the keys to its kingdom, resulting in millions of dollars of lost revenue.

Baidu, which commands 70 percent of the Chinese search market, was offline for at least four hours on the 12th of January. During the incident, its baidu.com home page instead showed the messaged “This site has been hacked by the Iranian Cyber Army”.

In its lawsuit, the company claims a Register.com support rep allowed the hacker to reset the administrative email address for the domain to ‘antiwahabi2008@gmail.com’, despite the imposter providing obviously incorrect security codes during an online chat.

The hacker then allegedly used Register’s automated password reminder function to change Baidu’s account password, giving him access to the domain’s name servers. The whole rudimentary scam took less than 45 minutes, Baidu claims.

Baidu is suing for negligence and breach of contract, among other things. Register.com denies the charges. The case is being heard in New York.

Source: THINQ.co.uk

Russian security firm Intevydis has made a Windows exploit for a previously unknown security hole in Firefox 3.6 available to its customers. The exploit allows attackers to remotely gain control of a PC. Intevydis develops the commercial VulnDisco add-on for the also commercial Canvas exploit toolkit by vendor Immunity. On the Immunity forum, developer Evgeny Legerov praises his exploit for Windows XP (SP3) and Vista as being quite reliable. The developer says It was an interesting challenge to find the flaw – a buffer overflow – and to exploit it.

While the post dates back to the beginning of February, the hole is likely to remain open since no updates have been released for Firefox 3.6 so far. Secunia rates the problem as critical, but hasn’t provided any further information in its advisories and the Mozilla Foundation has become aware of the problem, but has yet to release an official statement. Whether the exploit has already been widely circulated or used on a large scale remains unknown.

However, according to the analysis on the Extraexploit blog, a significant increase in the number of Firefox 3.6 crashes was noted on the 12th and 13th of February. It is unclear whether the crashes were connected to the exploit being tested. The pages causing the highest number of crashes are listed in Mozilla’s crash reports.

In passing, Legerov also mentions zero day exploits for Lotus Notes 8.5/8.5fp1 and for RealPlayer 11. The exploit for RealPlayer is the modernised version of an exploit that appeared two years ago for a hole that RealPlayer closed only recently.

If you’ve ever wondered about the flow of your mouse around your computer screen, a free downloadable application, called “mouse pointer track,” can help you follow these esoteric movements and turn them into a fascinating blur between art and information.

The simple application was developed by Anatoly Zenkov, a Russian graphic designer and programmer, and has been downloaded tens of thousands of times since he first released it in late January this year.

The software runs on any Macintosh or Windows computer and tracks every movement and click of your mouse.

Mr. Zenkov explained in an interview that the project began as a simple attempt to create something visually interesting with computer code. “It was just for fun,” Mr. Zenkov said. “It was meant to be an experiment for me, and then I saw the interest from so many other people, so I decided to share it for free on the Internet.”

As you can see from the images on Mr. Zenkov’s Flickr page, he has been tracking different mouse movements in different application settings.

The images at the top and bottom of this post were made by tracking my mouse movements for 30 minutes, during which time I was writing this blog post and surfing the Web.

Source: The NewYork Times