Tuesday, October 25, 2011

MyBB downloads were infected

The H-Security: In a blog posting, the MyBB development team has confirmed that the download package for version 1.6.4 of MyBB had been modified to include malicious code. Unknown attackers were able to exploit a vulnerability in the MyBB web site's CMS (content management system) to inject and execute PHP code.

The attackers placed a contaminated version of MyBB, containing a backdoor, on the server. It is unclear exactly when the hack took place, meaning that all downloads of 1.6.4 prior to 6 October could be affected. Users with MyBB systems are advised to check their installations and apply a patch. For rapid disinfection, the developers are advising users to replace the /index.php file with a clean version and to delete the /install/ directory.

The MyBB development team is currently mulling over what conclusions can be drawn from the successful attack. One countermeasure they intend to take is to publish checksums to enable users to check that their downloads are genuine; however, this would not be particularly effective if the attackers have control of the server on which the checksums are stored. A better solution would be digital signatures, since these cannot be faked without the secret key – though the problem with digital signatures is that, unless the update system does so automatically, almost no-one ever checks them.
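The checksum-versus-signature argument above can be shown concretely. The following is an added example, not MyBB's code and not anything from the H-Security article: it uses a hash-based Lamport one-time signature built from the Python standard library as a stand-in for whatever scheme a real release process would use (GPG, RSA or Ed25519 behave the same way for this purpose), and the package bytes and the attacker's modification are constructed sample data. The scenario mirrors the article: an attacker who controls the download server swaps the archive and recomputes the checksum file sitting next to it, but cannot produce a signature without the secret key.

```python
import hashlib
import os

# Lamport one-time signatures: a standard-library stand-in for a real
# release-signing scheme. One key pair per bit of the SHA-256 digest.
N_BITS = 256


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """Secret key: 256 pairs of random 32-byte preimages. Public key: their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N_BITS)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def digest_bits(message: bytes):
    """Yield the 256 bits of SHA-256(message), most significant bit first."""
    value = int.from_bytes(sha256(message), "big")
    for i in range(N_BITS):
        yield (value >> (N_BITS - 1 - i)) & 1


def lamport_sign(sk, message: bytes):
    """Reveal, for each digest bit, the secret preimage matching that bit.
    A Lamport key must sign exactly one message; reuse leaks secret halves."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(message))]


def lamport_verify(pk, message: bytes, sig) -> bool:
    """Valid iff every revealed preimage hashes to the public value for that bit."""
    if len(sig) != N_BITS:
        return False
    return all(sha256(sig[i]) == pk[i][bit]
               for i, bit in enumerate(digest_bits(message)))


def checksum_verify(package: bytes, published_hex: str) -> bool:
    """The check a user performs against a published SHA-256 hex digest."""
    return hashlib.sha256(package).hexdigest() == published_hex


def release_scenario() -> dict:
    """Walk through the article's argument with constructed data."""
    # Constructed stand-in for the real 1.6.4 archive (not the actual file).
    clean_pkg = b"mybb-1.6.4.zip (constructed sample bytes)"
    sk, pk = lamport_keygen()  # pk is pinned in the updater / published out-of-band
    published_hex = hashlib.sha256(clean_pkg).hexdigest()
    published_sig = lamport_sign(sk, clean_pkg)

    # Attacker controlling the download server swaps the archive and, because
    # the checksum file lives on the same server, recomputes it to match.
    tampered_pkg = clean_pkg + b"[constructed marker for attacker-added bytes]"
    recomputed_hex = hashlib.sha256(tampered_pkg).hexdigest()

    return {
        "clean_checksum": checksum_verify(clean_pkg, published_hex),
        "clean_signature": lamport_verify(pk, clean_pkg, published_sig),
        # The recomputed checksum still "passes": it gives no assurance.
        "tampered_checksum": checksum_verify(tampered_pkg, recomputed_hex),
        # The attacker has no sk, so the only signature available is the
        # original one, and it does not verify over the tampered bytes.
        "tampered_signature": lamport_verify(pk, tampered_pkg, published_sig),
    }


if __name__ == "__main__":
    for name, ok in release_scenario().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The assumption that makes the signature check meaningful is that the public key reaches users through a channel the attacker does not control (pinned in the update client or published separately from the download server); that, together with the check running automatically rather than relying on users to run it by hand, is the point the article closes on.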

Hoax: The Pink Profile Pic Facebook virus hoax

SophosLabs: Have you noticed the profile pics of some of your Facebook friends have acquired a pink tinge?

Rumours have hit the social networking site that the Facebook app that turns your profile picture pink carries "keylogger malware" that can spy on your keypresses, and steal your passwords - not just from Facebook, but from online banks you may log into as well.

One warning reads as follows:
ABC News 24 just released a statement about a virus on facebook app that adds a pink tinge to your profile picture to `raise money for cancer`.
Be aware this fake third-party app installs a virus on the machine you used to access the app. Apparently it's a keylogger malware that searches for bank details and passwords etc. Facebook allows keylogger in its apps to aid predictive search algorithms, and therefore the virus hasn't been picked up.
Keep a look out for any of your friends who may have fallen victim to this app. Apparently, they should be easily identifiable with a pink tinge to their profile picture.
However, the warning is balderdash. ABC News has released no such warning, the app is not malicious and we have seen no evidence that it contains a keylogger. The truth is that your Facebook friends are doing something positive - helping raise money and awareness for the fight against breast cancer.

Australian bank CUA raises funds every October for Breast Cancer Awareness Month, and this year decided to share an app that would change users' profile pictures pink to show that they were supporting the campaign.


Remember to always get your computer security advice from a computer security company. Friends may be well-intentioned in passing on warnings, but it's always good to check your facts before forwarding them any further.

If you want to learn about the real threats on Facebook you should join the Omid's Blog Facebook page, where I'll keep you up-to-date on the latest rogue applications, scams and malware attacks threatening social network users.

Sunday, October 23, 2011

The continuation of dangerous rogue ads on Bing (and Yahoo)

GFI Labs Blog: We've noted this before, but Microsoft needs to get a handle on ad placements on Bing. Ok, so Bing isn't the most widely used search engine, but remember that Yahoo plays a part here as well.

In this case, we're talking Sirefef (ZeroAccess aka Max++), probably the nastiest piece of malware circulating on the 'net right now. Sirefef kills any attempt to remove it, and is nearly impossible to clean (short of booting onto a rescue disk and performing cleanup actions, or reformatting).

So just search for "adobe flash", and you might see this ad:

(That same search term will look identical on Yahoo, since Yahoo displays Bing ads and search results.)

Which leads to an innocent-looking "download flash" page:


Note that the page isn't actually "GetAdobeFlash.com". Instead, it redirects to a directory on a compromised trucking site (arulbrothers.com), downloading a file from torreandaluz (dot) com/flash/Flash Player 10 Setup.exe

So let's download that Flash Player and run it through VirusTotal, and no surprise: It's Sirefef.

Friday, October 21, 2011

Duqu, Son of Stuxnet?

Schneier on Security: A newly discovered piece of malware, Duqu, seems to be a precursor to the next Stuxnet-like worm and uses some of the same techniques as the original. Link to Source

Symantec: W32.Duqu: The Precursor to the Next Stuxnet
Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility. Read Full Article

F-Secure: Duqu – Stuxnet 2:
A new backdoor created by someone who had access to the source code of Stuxnet has been found.
Stuxnet source code is not out in-the-wild (only the binaries). Only the original authors have the source code. So, this new backdoor was created by the same party that created Stuxnet. Read Full Article

Norman: W32/Duqu – Stuxnet lite?
Oct 18th, our competitor Symantec published an extensive report on a malware called Duqu, which appears to bear some resemblance to last year’s Stuxnet worm. This time the malware does not seem to be aimed at sabotage, but is instead made for intelligence gathering. Read Full Article

Wired: Son of Stuxnet Found in the Wild on Systems in Europe
Duqu, like Stuxnet, masks itself as legitimate code using a driver file signed with a valid digital certificate. The certificate belongs to a company headquartered in Taipei, Taiwan, which Symantec has declined to identify. F-Secure, a security firm based in Finland, has identified the Taipei company as C-Media Electronics Incorporation. The certificate was set to expire on August 2, 2012, but authorities revoked it on Oct. 14, shortly after Symantec began examining the malware. Read Full Article

Update, Oct 24, Added Avira Article too:
Avira: Stuxnet v2 or TR/Duqu
The Stuxnet virus has gone to the next generation: “TR/Duqu”.
Avira already detects the new malware since VDF 7.11.16.63, which was released on 2011-10-19. Read Full Article

Thursday, October 20, 2011

Twitter Malware Attack: Photos of Dead Gaddafi

Mashable: As reports of former Libyan leader Muammar Gaddafi’s death circulate on the Internet, so is a gruesome cellphone photo of what appears to be his severely wounded body and another that appears to be his dead body. Both are likely opportunities for spammers with bad intentions.

The first photo was distributed by the news agency AFP after commanders for Libya’s transitional military, the National Transitional Council (NTC), said they had captured Gaddafi after invading his hometown of Sirte. On Thursday, an NTC spokesperson told the New York Times Gaddafi had been killed, but the U.S. State Department had still not confirmed his death as of 10:00 a.m. ET.

Celebrations in Libya and a flood of Twitter updates are treating the announcement of Gaddafi’s death as authentic — including a slew of sharing of the photos allegedly showing his capture.

In the past, photos like this — including alleged photos of Osama Bin Laden’s body — have been easy vehicles for malicious links. One reason is search engines decide which links are legitimate partly by looking at user behavior. When news like Gaddafi’s death breaks, however, there is no history for them to rely on and malicious links masquerading as news can more easily rank high in search results. Another reason is that people often seek such images from unfamiliar sources. Websites or Twitter messages promise to link to a breaking topic and then lead instead to another site or virus. The Gaddafi photo is a prime candidate for this type of malicious link, so it’s wise to use caution when clicking.

Because of the photo’s violent nature, we have decided not to post it in this article. There is another photo that has been shown on news network Al Jazeera (Warning: this links to graphic content) of Gaddafi’s body that could be susceptible to similar scams.

So are the photos fake? An NTC official told Reuters that the apparently dead man in the Al Jazeera photo is Gaddafi. But as CNN notes, “Much caution should be used with these reports because false information has come out previously.”

Saturday, October 08, 2011

Blackhole Exploit Targeting Steve’s Death

Symantec: The sad news making the rounds these days is the death of Steve Jobs, Apple Co-founder and former CEO. His death has been a terrible loss to both Apple and Apple fans everywhere.

Spammers are capitalizing on this incident by sending malicious links related to the news of Steve Jobs’ death. Below is a screenshot of one such spam email containing a malicious link:

More malicious links found relating to death spam are:

http://[removed]com/pink.html
http://720[removed].info/habit.html
http://ebuy[removed].com/kids.html
http://[removed].com/grain.html

All these websites contain obfuscated code leading to a BlackHole exploit. Most of the domains are recently registered, however a few of the older domains look quite legitimate and seem to be hijacked.

Below are the Subject lines which have been observed in this virus spam attack:

Is Steve Jobs Really Dead?
Steve Jobs Alive!
Steve Jobs Not Dead!
Steve Jobs: Not Dead Yet!

It is unfortunate spammers are capitalizing on this loss. Internet users must continue to be vigilant when searching for pictures, videos, and news of current events. Do not open any suspicious links or attachments received in unsolicited email, and frequently update your security software which protects you from potential online viruses and scams.

-

R.I.P. Steve Jobs

Friday, October 07, 2011

Eric Schmidt on Steve Jobs: "He was always ahead of me"

Jobs and Schmidt connect at the introduction of the iPhone, 2007
businessweek.com: The Google executive chairman admired Jobs's passion, courage, and smarts

When he went to Apple, he was basically down to 1 percent market share. Apple was near bankruptcy, the company had been for sale, there were a series of management changes. I talked to him about it. He said, “The thing that I have that no one else has is very loyal customers.” He had these fanatical people who would line up all night for a product that wasn’t any good. He figured correctly that by upgrading and investing in and broadening the portfolio, he could do it. At some level he foresaw the next 10 years.

What I remember thinking at the time is that you shouldn’t take a job unless you know how to win. I had no clue how to do what he did. When somebody tells you they’re going to do something and you say, “I don’t understand how you’re going to do that,” and they succeed? That is the ultimate humbling experience. My interactions with Steve were always like that. He was always ahead of me. When he started working on tablets, I said nobody really likes tablets. The tablets that existed were just not very good. Steve said: “No, we can build one.” One of the things about Steve is, he was always in the realm of possibility. There was a set of assumptions that Steve would make that were never crazy. They were just ahead of me.
Continue reading: http://www.businessweek.com/magazine/eric-schmidt-on-steve-jobs-10062011.html 

Thursday, October 06, 2011

Facebook Scam: In memory of Steve, a company is giving out 50 ipads tonight

"In memory of Steve, a company is giving out 50 ipads tonight..." is another Facebook scam you want to avoid.
More similar scam links are expected, so take care what you click on. These kinds of free offers end up in phishing or malware attacks.

Don't forget you should join the Omid's Blog Facebook page, where I not only debunk hoaxes and chain letters or scams, but I also keep you up-to-date on the latest rogue applications, scams and malware attacks threatening Facebook users.
Credit to Norman Security.