Australia's Leading Computer Emergency Response Team
AusCERT Week in Review for 8th February 2013

Date: 08 February 2013

In a joint operation by Microsoft and Symantec earlier this week, command and control servers belonging to the "Bamital" botnet were shut down in US-based data centres located in New Jersey and Virginia. The companies estimate that anywhere between three hundred thousand and 1 million PCs are currently infected with the malware that received instructions from these C&C servers. The malware is believed to have hijacked search results with the purpose of fraudulently charging businesses for online advertisement clicks. In addition, the malware also allowed the botnet owners to take complete control of infected PCs.

By now we've all heard about the prevalence of the 'Blackhole' exploit kit, which has been responsible for a number of infections worldwide so large that it is impossible to quantify. But what about the Whitehole exploit kit? The 'Whitehole' kit, given that name by researchers simply to differentiate it from 'Blackhole', employs exploits for five Java vulnerabilities, including the recently patched zero-day exploit for CVE-2013-0422 that was doing the rounds throughout January. It is believed that the new kit is being employed in several malware campaigns to deliver the ZeroAccess malware as well as ransomware. The developers are apparently charging a fee smaller than that of Blackhole, so we can expect to see an increase in the popularity of this particular kit on compromised websites in the near future.

Security researchers at FireEye have uncovered a malware campaign called 'Beebus', believed to be of Chinese origin, which is targeting the aerospace and defense industries in the United States. 'Beebus' has been designed to steal information, and it is believed infections begin through a campaign of spear-phishing emails. The researchers believe Beebus is closely related to 'Operation Shady RAT', which was first detected back in April 2011. The malware has modules designed to capture system information, such as processor, disk, memory, OS, process ID, process start time and current user information, as well as functionality that allows it to download and execute further payloads or updates.

Dutch hacker David Benjamin Schrooten, known as 'Fortezza', who was responsible for trafficking over 100,000 credit cards, was sentenced to 12 years in a US prison last Friday. Schrooten pleaded guilty in November last year to charges relating to hacking, bank fraud, and identity theft. It is believed the related damage amounted to more than 63 million dollars. A man from Maryland, Christopher Schroebel, who was working with Schrooten, was sentenced to 84 months in prison in August 2012. Schrooten and Schroebel were responsible for building carding websites which made the stolen credit cards available for purchase by other criminals. Another man from California who was working with Schrooten to procure stolen credit cards is set to go on trial by the middle of the year.

This week's top five bulletins (in no particular order):

1) ASB-2013.0013 - ALERT [Win][UNIX/Linux] Oracle Java : Multiple vulnerabilities

Oracle released a significant patch for Java products this week correcting 50 vulnerabilities that could allow for code execution, unauthorised modification, confidential data access and more. Java continues to be one of the most actively exploited cross-platform products in extremely widespread circulation. Administrators should push this update out as soon as possible!

2) ESB-2013.0144 - [OSX] Java: Multiple vulnerabilities

Apple were quick to follow up on Oracle's Java patch, pushing out the updated packages to OSX on the same day.

3) ESB-2013.0161 - [Win][UNIX/Linux] OpenSSL: Multiple vulnerabilities

A vulnerability was identified in the handling of CBC ciphersuites in SSL, TLS and DTLS as used by OpenSSL, which could be exploited to cause a denial of service.

4) ESB-2013.0167 - ALERT [Win][Linux][Android][OSX] Adobe Flash Player: Multiple vulnerabilities

Adobe released a critical bulletin to address two vulnerabilities in Flash Player which are being actively exploited. It is advised that administrators update to the latest version as soon as possible.

5) ESB-2013.0149 - [OSX] OS X Server: Execute arbitrary code/commands - Remote/unauthenticated

Apple also released updates for OS X Server this week, correcting two vulnerabilities in its Profile Manager and Wiki Server.

Have a great weekend,