Aug 19 2008

Adobe Flash Ad Hack and Gmail Supposed Hack

Category: Linux, OS, Windows, Work | zerolove @ 11:57 pm

Idiots, er, people are using Flash apps to hijack the clipboard, putting a URL in the clipboard that won’t go away until the browser is closed. This affects Firefox, Opera, IE, and Safari, even on Linux and Mac. By seizing control of the clipboard they are able to place a URL to a fake antivirus program.

These have been showing up on sites such as Newsweek, Digg, and MSNBC.com. They are showing up in forums and in comments on blogs. So if you go to a page and all of a sudden, every time you right-click and paste or press Ctrl+V, you see a URL, do NOT go to it unless you put it there.

If you want to test this out, go here: Aviv Raff, a security researcher, has created a proof of concept. This will insert http://www.evil.com into your clipboard, and it will NOT go away until you close the browser. So click THIS LINK HERE to test.

If you are interested in knowing how this works, I’ll tell ya. It uses a continuous loop within Flash that calls the command setClipboard. Closing the tab or browser will break the loop and allow you to copy and paste again.

So once again they are betting on the fact that some /luser will actually go to the site, download and install the software. Guess what… People have done it! I guess you could also exploit this if the person had something like, I don’t know… maybe a clipboard monitor that ran or did something like download automatically. Either way, be careful.

Now Gmail: the exploit is not out yet. It will be soon, but it seems Google has paid enough attention to add to your Gmail settings. The setting you are looking for is under Settings -> General; scroll to the bottom and select Always use https. Do this because just going to https://www.gmail.com does NOT work. Going there only secures the authentication and not the rest of the data. This one I take from Nike and tell ya, Just Do It!



Aug 18 2008

msnbc.com – BREAKING NEWS: VIRUS Alert

Category: OS, Spamassassin, Windows, Work | zerolove @ 11:56 pm

Well, we have another one following on the heels of the CNN Alert and CNN.com Daily Top 10. These are the same and have links to download an updated Flash player. The Flash player is NOT Flash Player at all but a trojan.

Some examples of the Subject:

msnbc.com - BREAKING NEWS: All Baseball Players May Be Indicted For Steroid Abuse

msnbc.com - BREAKING NEWS: SJC Loosens Handgun Control To Stimulate Economy

msnbc.com - BREAKING NEWS: Elizabeth Taylor found murdered at home

msnbc.com - BREAKING NEWS: Nature Did Not Connect the Funny Bone to the Satire Bone

They are also starting a BBC NEWS and just a breaking news. None of the From: fields are msnbc, cnn, or BBC. So let’s just start calling this the news alert virus. These viruses are based on the assumption that someone they are sending to is signed up to receive the alert. Without looking, just clicking links, I know for one I am signed up to receive some of these types of alerts. I guess one of the things that has saved me is I only receive email in plain text and I do not click on the links if they are not from the sending domain. For instance, in one of the breaking news emails from msnbc.com the link goes to www.4×4.co.rs, and well, this is NOT msnbc.com. So some tips:

If you receive breaking news alerts, instead of clicking the link, move your mouse over the link and copy the shortcut. Open your web browser and paste it into the web browser’s URL field. If the URL is NOT to the site the email came from, DO NOT GO TO IT. Delete it from the URL field and delete the email.

Remember, folks, this is a simple one. If you are NOT expecting the email, do not open it, especially if it has an attachment. If it is from someone you know and it has an attachment, call them and ask “Hey, what is this you’re sending me?” If they do not know, then do NOT open it. It is just common sense.

If you go to a web site and it wants you to update any software, go to the original site to update it. For instance, all these trojans want you to update Flash Player. Go to the Adobe download site at http://www.adobe.com/products/flashplayer/ and update your Flash Player. Do NOT update it from a web site you do not know. You should never install and/or update software from a web site that you do not know.

Others:
http://blog.mxlab.be/2008/08/13/msnbccom-breaking-news/
http://www.securitywatch.co.uk/2008/08/13/msnbccom-breaking-news-spam/
http://www.securitymanagement.com/news/beware-msnbc-com-breaking-news-spam-e-mails-004502
http://securitylabs.websense.com/content/Alerts/3159.aspx



Aug 14 2008

Update to Zerosource, Bhampulse!

Category: Alabama, Views | zerolove @ 9:28 pm

I hope everyone likes the new Zerosource. I took out the dark black theme and put in one I like better. I also did away with all the advertisements. I’m not really looking to make anything from this, but figured what the hell. Well, with anything I’m free to change my mind, and therefore I did. No Ads! Not that I won’t tell you about a company I like and/or even the company I work for, but no more random ads. I will continue to write posts that interest me and hopefully you.

While I’m writing, I also want to say thanks to Birmingham Magazine for the mention of the Birmingham Pulse in the article in the current issue, August 2008. I recommend you pick it up. It lists the Essential Birmingham websites. While my site, the Birmingham Pulse, is not essential, it is mentioned. (Page 86, btw.) So go pick up the magazine. Found out from The Terminal, of course.

And if you are not a follower and reader of the Birmingham Terminal, let me take this time to tell you this site is Essential! I wish every city I’ve lived in had a group as dedicated to an online forum/magazine as the Terminal does. Thanks Andre Natta and group! Great work, it is a daily read for me.

So let me know, how do you like the new site?



Aug 10 2008

Mr. Kitty has been busy…

Category: Family | zerolove @ 8:50 pm


More nerded by daughter



Aug 08 2008

CNN Alerts: My Custom Alert - Virus Alert!

Category: Spamassassin, Windows, Work | zerolove @ 10:32 am

Follow-up to yesterday’s post about CNN.com Daily Top 10: today we have a new one. This one has the subject of CNN Alerts: My Custom Alert. The email “From” address is random, and the content looks legit except for the Full Story link. This is the one that takes you to the site that immediately asks you to install an updated version of Flash. This is the virus, the payload…. This virus is part of the Rustock Rootkit and Spam Bot.



Aug 08 2008

links for 2008-08-07 [delicious.com]

Category: Daily Links | zerolove @ 1:27 am


Aug 07 2008

CNN.com Daily Top 10 - Virus Alert!

Category: Spamassassin, Work | zerolove @ 1:18 pm

Recently I wrote about the “UPS, FedEx, and US Customs Email Virus”; today I want to tell you about the CNN.com Daily Top 10 email going out. I’m seeing this from a lot of different sources and it is pretty heavy out in the wild. I’m sure you have probably already seen it somewhere. The interesting point of this one: the virus payload is not in the email but comes from the links in the email. This allows it to bypass most virus scanners. It is NOT From: user@cnn.com but from a randomly generated or infected user’s email address. The links in the email take you to sites, not cnn.com, that want to show you a video but say you have the wrong Flash player installed. Other points:

  • The URLs are not cnn.com
  • The writing is poor (even worse than mine)
  • It asks you to install Flash Player 0
  • The ActiveX installer does not seem like a standard ActiveX installer
  • It is not digitally signed.
CNN Daily Top 10
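
The two checks this post and the msnbc.com post above rely on (the From: address is not the news site, and the links go somewhere other than the news site), written out as an added example that is not from the original posts. The brand-to-domain table, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Brand named in the Subject -> domains it really uses (assumed for this example).
BRANDS = {
    "msnbc.com": {"msnbc.com", "msn.com"},
    "cnn": {"cnn.com"},
    "bbc": {"bbc.co.uk", "bbc.com"},
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Constructed sample messages, not real captures.
SAMPLE_LURE = """From: "News" <k3x@mail.example.net>
Subject: msnbc.com - BREAKING NEWS: Elizabeth Taylor found murdered at home

Full story: http://video.example.org/msnbc.com/player.html
"""
SAMPLE_GENUINE = """From: alerts@msnbc.com
Subject: msnbc.com - BREAKING NEWS: sample headline

Full story: http://www.msnbc.msn.com/id/1
"""


def in_domains(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_alert(raw):
    """Return findings for one raw message; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    brand = next((b for b in BRANDS if b in subject), None)
    if brand is None:
        return []  # subject names no known brand, so there is nothing to compare
    allowed, findings = BRANDS[brand], []
    from_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not in_domains(from_host, allowed):
        findings.append(f"From domain {from_host} does not belong to {brand}")
    for part in msg.walk():
        # Multipart containers decode to None; only leaf parts carry text.
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in URL_RE.findall(text):
            host = urlsplit(url).hostname
            if not in_domains(host, allowed):
                findings.append(f"Link host {host} does not belong to {brand}")
    return findings
```

Matching is by suffix on a dot boundary, so a host such as cnn.com.example.net is still flagged even though it begins with the brand's domain.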



