Today's Diary

DST Issue in Windows 7 Ultimate?
Published: 2010-03-14,
Last Updated: 2010-03-14 16:16:10 UTC
by Marcus Sachs (Version: 1)

One of our readers reported that his copy of Windows 7 Ultimate failed to update itself overnight with the change to Daylight Saving Time.  We have not had any other reports of this, but are curious if any readers have seen any DST difficulties with Windows 7.  It may have been a local configuration error, but it's always good to ask around for other observations.

Thanks for the note Ramu.

Marcus H. Sachs
Director, SANS Internet Storm Center

Evil Sports Sites
Published: 2010-03-13,
Last Updated: 2010-03-14 16:11:03 UTC
by Marcus Sachs (Version: 2)

One of our regular readers submitted a Google query to us that points to yet another temptation that the criminals are taking advantage of - the March Madness basketball tournaments here in the USA.  I'm sure that other sporting events are just as popular with the scammers and crooks.  If you want to check out the fun, put this into your browser:

http://www.google.com/search?q=big+ten+tournament+2010+wiki

We trust that you are not crazy enough to click on the links that Google marks as hazardous to your computer's health, but if you do and you net something really cool that you'd like to analyze, please let us know what you uncover.  Use the comment feature below or send us a note via our contact form.

Thanks Melvin for the info!

UPDATE 1

One of our readers took the challenge and tried clicking through the Google warnings to see what happened.  According to Richard (and Melvin pointed this out to us in his original note), clicking on a link that Google marks as hazardous will not lead you to the exploited site.  Instead, you have to copy/paste the evil URL, but when you do that the browser no longer sends Google as the referring site, and the exploit won't work.  In this case, some of the sites redirect to www.cnn.com.  Others give you a 404 error.  Some browsers will also alert you to the impending doom if you have certain helper plug-ins installed.  However, some of the infected sites have not been flagged by Google.  Richard followed a few of these and sent us these notes:

Many of these redirect to a .in server to dish up a rogue AV exploit:

http://www.urs2.net/rsj/computing/imgs/rogue_1.gif

The trojan executable starts to cache while the usual popup messages begin to appear along with the fake scan.

http://www.urs2.net/rsj/computing/imgs/rogue_2.gif

But these are not remote code execution exploits, for at some point the download prompt box appears, requiring a click.

http://www.urs2.net/rsj/computing/imgs/rogue_4.gif

You cannot X out of the page with the mouse, but ALT + F4 works, and of course, closing the process in Task Manager.

These same exploits are also served up if you search for "Holly Graf."

I downloaded one of the binaries earlier today from a "Holly Graf" site; it had already been analyzed at Virus Total:

http://www.virustotal.com/analisis/34041381efe99d23fe716de431e464aea0b7d1fc6b2fd7d09baf1ddde603c160-1268542205

Thanks Richard for sacrificing your computer and providing the additional analysis.  :)

Marcus H. Sachs
Director, SANS Internet Storm Center
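A defender-side check for the referrer-gated behaviour described in the update above, added here as an example that is not part of the diary or of Richard's notes: the operator of a site that might have been compromised can scan their own web server access log (Apache/nginx combined format) for paths that answer search-engine-referred visitors differently from everyone else, which is exactly the pattern that hides the redirect from anyone who pastes the URL directly. The log lines, addresses and paths below are constructed.

```python
"""Flag paths whose HTTP status depends on whether the visitor arrived from a
search engine (referrer-gated redirects). Sample log lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" format: ... "METHOD PATH PROTO" STATUS BYTES "REFERER" "UA"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Referrer hosts that count as "arrived via a search engine" (assumed list).
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "yahoo.")


def from_search_engine(referer: str) -> bool:
    """True if the Referer header names a search engine; '-' (no referer) is False."""
    host = urlsplit(referer).hostname or ""
    return any(tag in host for tag in SEARCH_ENGINE_HOSTS)


def find_cloaked_paths(lines):
    """Return {path: (statuses seen via search engine, statuses seen otherwise)}
    for every path where the two status sets have nothing in common, e.g. a
    302 for Google visitors but a 200 for direct visitors."""
    seen = defaultdict(lambda: (set(), set()))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        bucket = 0 if from_search_engine(m["referer"]) else 1
        seen[m["path"]][bucket].add(int(m["status"]))
    return {p: (s, d) for p, (s, d) in seen.items() if s and d and not (s & d)}


# Constructed sample: one page redirects only when Google is the referrer.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Mar/2010:10:01:02 +0000] "GET /wiki/big-ten-2010.html HTTP/1.1" 302 0 '
    '"http://www.google.com/search?q=big+ten+tournament+2010+wiki" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Mar/2010:10:02:10 +0000] "GET /wiki/big-ten-2010.html HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Mar/2010:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048 '
    '"http://www.google.com/search?q=site" "Mozilla/5.0"',
    '198.51.100.8 - - [13/Mar/2010:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, (via_search, direct) in find_cloaked_paths(SAMPLE_LOG).items():
        print(f"{path}: search-engine visitors get {sorted(via_search)}, others get {sorted(direct)}")
```

Run it over a real log with `find_cloaked_paths(open("access.log"))`; a hit is a page worth inspecting for injected redirect code in its source or in .htaccess rules.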

Reminder: Daylight Saving Time starts tonight in several countries. See http://www.timeanddate.com/time/dst2010.html for more details.
