Spammers Pay Tribute to Icons with Atrocious Malware

Contributor: Christopher Mendes

When stalwarts pass away the world mourns their loss, tributes flow and emotions run high. Whenever we lose a legendary figure, their death brings shock or grief, and people are hungry for every available piece of information about the "how", the "why" and the "when" of the death.

We studied the aftermath of these icons’ passing and the "eulogy" written by spammers. The spammer’s sole motive is to use such incidents to compromise weak systems. On further examination of the collected data we traced a predictable pattern, the details of which are given below:

Michael Jackson
    Subject: Michael Jackson not dead
    Subject: Michael Jackson seen alive
    Subject: Michael Jackson lives
    Malware: W32.HLLP.Sality.O, W32.Pinfi, Trojan.Dropper, [email protected], Downloader.Psyme, Backdoor.Trojan

Amy Winehouse
    Subject: Ravages of the drug in the body of Amy Winehouse
    Subject: Amy Winehouse Not Dead
    Malware: Infostealer.Bancos

Steve Jobs
    Subject: Is Steve Jobs Really Dead?
    Subject: Steve Jobs Alive!
    Subject: Steve Jobs Not Dead!
    Subject: Steve Jobs: Not Dead Yet!
    Subject: Steve Jobs Alive and Well?
    Malware: Blackhole Exploit

When Michael Jackson passed away, spammers started spreading a rumor through email which stated 'Michael Jackson is not dead'. The same pattern was used when Amy Winehouse suddenly passed away, and again when visionary Steve Jobs passed away.

But, in all these cases, it was not just false rumors but malicious code that was being delivered to computers in various ways (using iframes, redirecting users to malicious Web pages, and/or malware as embedded attachments). People, swept up by emotion over news of the tragic events, rushed to open such links, and spammers thrived by exploiting whatever vulnerabilities were present on users’ systems.
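The pattern in the table above (a watched name in the subject plus a "not dead" or "alive" hook, delivered with a risky attachment or a hidden iframe) is simple enough to turn into a mail-gateway triage heuristic. The following Python is an added example, not code from the original post or from Symantec; the watch list, scoring weights, threshold, iframe check and sample messages are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Sequence

# Constructed watch list of recently deceased public figures; a mail-gateway
# operator would maintain this. The three names come from the table above.
WATCHED_NAMES = ["Michael Jackson", "Amy Winehouse", "Steve Jobs"]

# Curiosity hooks seen in the subject lines above: claims the person is alive,
# or lurid detail about the death.
HOAX_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\bnot\s+dead\b",
        r"\balive\b",
        r"\blives\b",
        r"\breally\s+dead\b",
        r"\bin\s+the\s+body\s+of\b",
    )
]

# Attachment types that are executable or commonly wrap executables (constructed set).
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".zip"}

# The post names iframes as one delivery vector; a zero-size or hidden iframe
# in an HTML mail body is a common sign of a drive-by redirect.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|display\s*:\s*none)",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def score_message(subject: str, attachments: Sequence[str] = (), html_body: str = "") -> Verdict:
    """Score one message; the weights are constructed for this example."""
    v = Verdict()
    lowered = subject.lower()
    for name in WATCHED_NAMES:
        if name.lower() in lowered:
            v.add(2, f"subject names a watched figure: {name}")
            break
    if any(p.search(subject) for p in HOAX_PATTERNS):
        v.add(2, "subject uses death-hoax phrasing")
    for att in attachments:
        ext = att[att.rfind("."):].lower() if "." in att else ""
        if ext in RISKY_EXTENSIONS:
            v.add(3, f"risky attachment type: {att}")
            break
    if HIDDEN_IFRAME.search(html_body):
        v.add(2, "HTML body contains a hidden iframe")
    return v


def is_suspicious(verdict: Verdict, threshold: int = 4) -> bool:
    """A watched name alone (e.g. a legitimate obituary newsletter) stays below
    the threshold; the name or the hoax hook combined with any other signal crosses it."""
    return verdict.score >= threshold


# Constructed sample messages: (subject, attachment names, HTML body).
SAMPLE_MESSAGES = [
    ("Steve Jobs Alive and Well?", ["video.scr"], ""),
    ("Amy Winehouse Not Dead", [],
     '<p>see</p><iframe src="http://example.invalid/x" width="0" height="0"></iframe>'),
    ("Remembering Steve Jobs", [], "<p>A tribute from the editors.</p>"),
    ("Quarterly report attached", ["report.pdf"], ""),
]


def triage(messages=SAMPLE_MESSAGES):
    """Return (subject, score, suspicious) for each message."""
    out = []
    for subject, atts, body in messages:
        v = score_message(subject, atts, body)
        out.append((subject, v.score, is_suspicious(v)))
    return out


if __name__ == "__main__":
    for subject, score, flagged in triage():
        print(f"{'FLAG' if flagged else 'ok  '} {score:>2}  {subject}")
```

The threshold is deliberately set so that a name on its own never trips the rule: a genuine tribute mail should pass, while the name paired with the hoax hook, or either of them paired with an executable attachment or a hidden iframe, is quarantined for review.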

Users can definitely deny spammers satisfaction by checking emotions and withholding curiosity. Use a little bit of caution before clicking on any unknown link. Symantec provides regular security updates to stave off any such misadventure from spammers. Regularly update your security products and stay safe.

Duo Who Sold Lost iPhone 4 Prototype Sentenced to Probation

Two young men involved in the sale of an iPhone 4 prototype found in a Silicon Valley bar last year pleaded no contest to misdemeanor charges of theft Tuesday, putting an end to the drawn-out drama.

The two have each been sentenced to one year of probation, 40 hours of community service and will have to pay $250 each in restitution to Apple, according to CNET.

Brian Hogan, a 21-year-old student at the time, admitted to finding the phone at the Gourmet Haus Staudt in Redwood City, California, after it was left behind by an Apple engineer named Gray Powell, and later selling it to Gizmodo. Sage Wallower, a friend of Hogan’s, reportedly helped shop the device around to media outlets.

“We asked for some jail time,” San Mateo County District Attorney Steve Wagstaffe told CNET. “The judge considered that Wallower had served in the armed forces and Hogan was enrolled in San Jose State and neither had any criminal record, and decided that jail time wasn’t required…. This was a couple of youthful people who should have known better.”

In April last year, Gizmodo, which is owned by Gawker Media, published a bombshell story about the iPhone prototype, after paying $5,000 for exclusive access to the device. Gizmodo eventually returned the device to Apple, but not before publishing numerous photos of the phone.

Apple told police at the time that the publication of Gizmodo’s story was “immensely damaging” to the company, because consumers would stop buying current generation iPhones in anticipation of the upcoming product. Apple told police that the device “was invaluable.”

Hogan was at the German beer garden Haus Staudt with friends when another patron handed him the phone after finding it on a nearby stool. The patron asked Hogan if the phone belonged to him, and then left the bar. Hogan asked others sitting nearby if the phone belonged to them, and when no one claimed it, he and his friends left the bar with the device.

Hogan didn’t know what he had until he removed a fake cover from the device and realized it must be a prototype of Apple’s upcoming next-generation iPhone, according to Gizmodo’s account of the find.

A friend of Hogan’s then offered to call Apple Care on Hogan’s behalf, according to Hogan’s lawyer. That apparently was the extent of Hogan’s efforts to return the phone before it was sold.

After the friend’s purported efforts to return the phone failed, several journalists were offered a look at the device. Wired.com received an e-mail — not from Hogan — offering access to the iPhone, but did not follow up on the exchange after the tipster made a thinly veiled request for money. Gizmodo then paid $5,000 in cash for it.

Following publication of the photos by Gizmodo, police launched an investigation to find the person who had sold it to the media outlet. They closed in on Hogan after his roommate called an Apple security official and turned him in, according to court records.

The tip sent police racing to Hogan’s home, and began a strange scavenger hunt for evidence that a friend of Hogan’s had scattered around this Silicon Valley community. Police recovered a desktop computer stashed inside a church, a thumb drive hidden in a bush alongside the road, and the iPhone’s serial-number stickers from the parking lot of a gas station.

Wired.com independently identified Hogan as the finder of the prototype by following clues on social network sites, and then confirmed his identity with a source involved in the iPhone find.

Hogan later said through his attorney that he regretted not turning the phone over to Apple.

Prosecutors had also gone after Gizmodo editor Jason Chen initially, obtaining a warrant to search his home and threatening to prosecute him, but they ultimately dropped any plans to file charges against him.

This year, another iPhone prototype was left at a San Francisco bar in a bizarre déjà vu of the previous incident. This time, Apple security employees tracked the phone to the residence of a bar patron and used San Francisco police to help them gain access to the residence to conduct a search, according to CNET. They were unsuccessful in finding the device, however.

But the device, presumably an early version of the iPhone 4S announced last week, did not end up in the hands of a tech blogger this go-round.

Image: Brian Hogan in a 2008 blog photo.


Microsoft Patch Tuesday – October 2011

Hello and welcome to this month’s blog on the Microsoft patch release. This is an average month — the vendor is releasing 8 bulletins covering a total of 23 vulnerabilities.

Nine of the issues are rated ‘Critical’ and they affect Internet Explorer, .NET, and Silverlight. The remaining issues are rated ‘Important’ and affect Windows, the kernel, Forefront Unified Access Gateway, and Host Integration Server. Of note this month: all Internet Explorer issues being patched are rated ‘Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the October releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms11-oct

The following is a breakdown of some of the issues being addressed this month:

  1. MS11-081 Cumulative Security Update for Internet Explorer (2586448)

    CVE-2011-1993 (BID 49947) Microsoft Internet Explorer Uninitialized Object CVE-2011-1993 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has been deleted, or not properly initialized. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected browser.

    Affects: Internet Explorer 6, 7, 8, and 9

    CVE-2011-1995 (BID 49960) Microsoft Internet Explorer 'OLEAuto32.dll' CVE-2011-1995 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has been deleted, or not properly initialized. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected browser.

    Affects: Internet Explorer 6, 7, 8, and 9

    CVE-2011-1996 (BID 49961) Microsoft Internet Explorer Option Element CVE-2011-1996 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has been deleted, or not properly initialized. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected browser.

    Affects: Internet Explorer 6, 7, and 8

    CVE-2011-1997 (BID 49962) Microsoft Internet Explorer OnLoad Event CVE-2011-1997 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has been deleted, or not properly initialized. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected browser.

    Affects: Internet Explorer 6

    CVE-2011-1998 (BID 49963) Microsoft Internet Explorer 'Jscript9.dll' CVE-2011-1998 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has been deleted, or not properly initialized. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected browser.

    Affects: Internet Explorer 9

    CVE-2011-1999 (BID 49964) Microsoft Internet Explorer Select Element CVE-2011-1999 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer when it attempts to access a dereferenced memory address. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected browser.

    Affects: Internet Explorer 8

    CVE-2011-2000 (BID 49965) Microsoft Internet Explorer Body Element CVE-2011-2000 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has been deleted, or not properly initialized. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected browser.

    Affects: Internet Explorer 6, 7, 8, and 9

    CVE-2011-2001 (BID 49966) Microsoft Internet Explorer Virtual Function Table CVE-2011-2001 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency 7.1/10)

    A remote code-execution vulnerability affects Internet Explorer when it accesses a virtual function table that has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the user running the affected browser.

    Affects: Internet Explorer 6, 7, 8, and 9

  2. MS11-078 Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)

    CVE-2011-1253 (BID 49999) Microsoft Silverlight & .NET Framework Inheritance Restriction Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency 7.5/10)

    A remote code-execution vulnerability affects .NET and Silverlight due to how they handle class inheritance. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious webpage. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

    Affects: Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5.1, 4, and Microsoft Silverlight 4

  3. MS11-077 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)

    CVE-2011-1985 (BID 49968) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1985) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Urgency 6.6/10)

    A local privilege-escalation vulnerability occurs because the kernel fails to properly validate user-supplied data between user-mode and kernel-mode. An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer.

    CVE-2011-2002 (BID 49973) Microsoft Windows Kernel 'Win32k.sys' TrueType Font File Remote Denial of Service Vulnerability (MS Rating: Moderate / Symantec Urgency 6.7/10)

    A denial-of-service vulnerability affects the Windows kernel when handling a specially crafted TrueType font file. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malformed font file. Successful exploits will cause the affected computer to stop responding.

    CVE-2011-2003 (BID 49975) Microsoft Windows Kernel '.fon' Font File Remote Code Execution Vulnerability (MS Rating: Important / Symantec Urgency 7.8/10)

    A remote code-execution vulnerability affects the Windows kernel when handling a specially crafted ‘.fon’ font file. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malformed font file from a remote WebDAV or SMB share or as an email attachment. A successful exploit will result in the execution of arbitrary attacker-supplied code with kernel-level privileges. This may facilitate a complete system compromise.

    CVE-2011-2011 (BID 49981) Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-2011) Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Urgency 6.6/10)

    A local privilege-escalation vulnerability occurs because of the way the kernel handles kernel-mode driver objects. An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. This may facilitate a complete compromise of the affected computer.

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.
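Monthly posts in this layout are easier to act on once they are parsed into records and sorted into a patch queue. The following Python is an added example, not code from the original post or from Symantec: it parses the "N. MSyy-nnn Title (KB)" bulletin lines, the "CVE (BID) Title (MS Rating: X / Symantec Urgency n/10)" issue lines and the "Affects:" lines of the breakdown above into records, then orders them by Microsoft rating (Critical, Important, Moderate, Low) and within a rating by Symantec urgency. The embedded sample is a subset copied from the breakdown above; using the vendor rating as the primary sort key is this example's own choice.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of the breakdown above, in the same layout (the layout is what is parsed).
SAMPLE_BREAKDOWN = """
  1. MS11-081 Cumulative Security Update for Internet Explorer (2586448)

    CVE-2011-1993 (BID 49947) Microsoft Internet Explorer Uninitialized Object CVE-2011-1993 Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency 7.1/10)

    Affects: Internet Explorer 6, 7, 8, and 9

  3. MS11-077 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)

    CVE-2011-2002 (BID 49973) Microsoft Windows Kernel 'Win32k.sys' TrueType Font File Remote Denial of Service Vulnerability (MS Rating: Moderate / Symantec Urgency 6.7/10)

    CVE-2011-2003 (BID 49975) Microsoft Windows Kernel '.fon' Font File Remote Code Execution Vulnerability (MS Rating: Important / Symantec Urgency 7.8/10)
"""

# "  1. MS11-081 Title (2586448)" -> bulletin id, title, KB article number
BULLETIN_RE = re.compile(r"^\s*\d+\.\s+(MS\d{2}-\d{3})\s+(.*?)\s+\((\d+)\)\s*$")
# "CVE-2011-1993 (BID 49947) Title (MS Rating: Critical / Symantec Urgency 7.1/10)"
ISSUE_RE = re.compile(
    r"^\s*(CVE-\d{4}-\d+)\s+\(BID\s+(\d+)\)\s+(.*?)\s+"
    r"\(MS Rating:\s*(\w+)\s*/\s*Symantec Urgency\s+([\d.]+)/10\)\s*$"
)
AFFECTS_RE = re.compile(r"^\s*Affects:\s*(.+?)\s*$")

# Microsoft's severity scale, most severe first.
RATING_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass
class Issue:
    bulletin: str
    kb: str
    cve: str
    bid: str
    title: str
    ms_rating: str
    urgency: float
    affects: Optional[str] = None


def parse_breakdown(text: str) -> List[Issue]:
    """Walk the breakdown line by line; issues belong to the last bulletin seen,
    and an 'Affects:' line belongs to the last issue seen."""
    issues: List[Issue] = []
    bulletin = kb = None
    for line in text.splitlines():
        m = BULLETIN_RE.match(line)
        if m:
            bulletin, kb = m.group(1), m.group(3)
            continue
        m = ISSUE_RE.match(line)
        if m and bulletin:
            cve, bid, title, rating, urgency = m.groups()
            issues.append(Issue(bulletin, kb, cve, bid, title, rating, float(urgency)))
            continue
        m = AFFECTS_RE.match(line)
        if m and issues:
            issues[-1].affects = m.group(1)
    return issues


def prioritize(issues: List[Issue]) -> List[Issue]:
    """Vendor rating first, then Symantec urgency (higher first) within a rating."""
    return sorted(issues, key=lambda i: (RATING_RANK.get(i.ms_rating, 9), -i.urgency))


def bulletin_order(issues: List[Issue]) -> List[str]:
    """Order bulletins by their most severe issue, so the patch queue follows the worst case."""
    order: List[str] = []
    for issue in prioritize(issues):
        if issue.bulletin not in order:
            order.append(issue.bulletin)
    return order


if __name__ == "__main__":
    parsed = parse_breakdown(SAMPLE_BREAKDOWN)
    for i in prioritize(parsed):
        print(f"{i.ms_rating:<9} {i.urgency:>4}  {i.bulletin} {i.cve}  affects={i.affects}")
    print("patch order:", bulletin_order(parsed))
```

Note the effect of the sort key: the Important-rated '.fon' issue carries a higher Symantec urgency (7.8) than the Critical-rated IE issue (7.1), yet the vendor rating keeps the IE bulletin first. A team that trusts the urgency score more can swap the key order; keeping both fields in the record is what makes that decision explicit.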