A large increase in bank phishing emails was spotted today in SophosLabs. Users are being tricked into opening HTML attachments that pose as bank forms and harvest credit card numbers and personal information for the criminals.
Another component of the Duqu malware was acquired by CrySyS and shared with security researchers. This newest component exploits a zero-day vulnerability in the Microsoft Windows kernel.
The high court’s inaction Monday means the justices have never squarely addressed the parameters of off-campus, online student speech. So far, lower courts appear to be guided by a 1969 high court ruling saying student expression may not be suppressed unless school officials reasonably conclude that it will “materially and substantially disrupt the work and discipline of the school.”
In that landmark case, the Supreme Court said students had a First Amendment right to wear black armbands to protest the Vietnam War. But that precedent, which addressed on-campus speech, is now being applied to students’ online, off-campus speech four decades later.
The case the justices rejected concerned a Connecticut school district’s decision to bar a then high-school junior from running for school office because of a vulgar 2007 blog post.
Dozens of similar cases across the nation have had varying results.
One case the lower courts decided last year went against a 14-year-old Pennsylvania junior high student, who was suspended for 10 days in 2007. She mocked her principal with a fake MySpace profile that insinuated the principal was a sex addict and pedophile.
Another case last year favored the speech of a Pennsylvania high-school senior, who was suspended for 10 days after creating a mock MySpace profile of his principal.
The profile said the principal took drugs and kept beer at his desk. The courts ruled the fake profile did not create a “substantial disruption” at school.
We discussed much of the unfolding Duqu attack in our previous post. New information has since filled in some of the missing pieces of this attack.
Researchers at CrySyS Labs in Hungary have disclosed information about a Word document that is purported to be the installer file for the Duqu attacks. When opened, the document exploits what appears to be a new zero-day vulnerability and uses the resulting kernel access to load a kernel driver; that driver then injects a DLL into Services.exe to start the Duqu installation. The driver appears to have been compiled on Thu Feb 21 06:14:47 2008, according to the TimeDateStamp in its PE header. Keep in mind that this field is written by the linker and can be edited after the fact, so it is a clue to the code’s lineage rather than proof of when it was built. The driver is not signed, and it does not need to be: because the exploit already gives the attacker kernel memory access, the driver is never put through the normal driver-loading path where Windows would check for a signature.
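Two of the artifacts mentioned above, the PE compile timestamp and the absence of a signature, can be pulled straight from a file’s headers. The following script is an added example for this post, not code from McAfee or CrySyS: it walks the DOS header to the PE signature, reads the COFF TimeDateStamp, and checks whether the optional header’s Security data directory points at an Authenticode blob. The `build_sample_pe` helper fabricates a minimal header for testing; the timestamp value it uses is a constructed one chosen to match the date quoted above, and the sample is not a real Duqu driver.

```python
import struct
import sys
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Authenticode table in the data directories
IMAGE_SUBSYSTEM_NATIVE = 1           # subsystem used by kernel-mode drivers
IMAGE_FILE_DLL = 0x2000

# Constructed value: Unix time for Thu Feb 21 06:14:47 2008 UTC (the date quoted in the post).
SAMPLE_TIMESTAMP = 1203574487


def parse_pe_header(data: bytes) -> dict:
    """Return the compile timestamp, subsystem and signature-table presence of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")

    coff = e_lfanew + 4
    machine, _nsect, ts, _symtab, _nsyms, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)

    opt = coff + 20                                              # optional header follows the COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                           # PE32: data directories start at +96
        dd_offset = 96
    elif magic == 0x20B:                                         # PE32+: data directories start at +112
        dd_offset = 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)

    (subsystem,) = struct.unpack_from("<H", data, opt + 68)      # same offset in PE32 and PE32+
    sec_rva, sec_size = struct.unpack_from(
        "<II", data, opt + dd_offset + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)

    # The timestamp is whatever the linker (or a later editor) wrote; treat it as evidence, not fact.
    compile_time = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")
    return {
        "machine": machine,
        "timestamp": ts,
        "compile_time_utc": compile_time,
        "pe32plus": magic == 0x20B,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem": subsystem,
        "native_subsystem": subsystem == IMAGE_SUBSYSTEM_NATIVE,
        # A zero-size Security directory means no embedded Authenticode signature at all.
        "has_authenticode_blob": sec_size != 0 and sec_rva != 0,
    }


def build_sample_pe(timestamp: int, signed: bool = False, pe32plus: bool = False,
                    subsystem: int = IMAGE_SUBSYSTEM_NATIVE) -> bytes:
    """Constructed, minimal PE header: enough for parse_pe_header, not a loadable image."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)  # 64-byte DOS header
    magic = 0x20B if pe32plus else 0x10B
    dd_offset = 112 if pe32plus else 96
    opt_size = dd_offset + 16 * 8                                # 16 data directories
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    if signed:                                                   # fake Security directory entry
        struct.pack_into("<II", opt, dd_offset + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_ts.py [file.sys]; with no argument the constructed sample is parsed.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(SAMPLE_TIMESTAMP)
    for k, v in parse_pe_header(blob).items():
        print("%-22s %s" % (k, v))
```

On a real file the script reports only whether a signature table exists; verifying the signature itself needs the certificate chain and the Authenticode hash, which is out of scope here. The `native_subsystem` flag is a quick hint that the file is meant to run in kernel mode, which for an unsigned binary is exactly the combination worth a second look.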
We have already seen several indications that this threat is related to Stuxnet in some form. When comparing the code of the first Duqu samples we received with older Stuxnet variants, we noticed several similarities, and even exact matches for some important functions such as the DLL-injection routine, decryption of strings and external modules, and management of tables for indirect API calls, among others. The 2008 timestamp on the driver in question gives us yet another clue, besides the zero-day exploit, that this code is likely built on the same base as Stuxnet, which in several cases reused old driver code while pairing it with new exploits.
Detection for these new samples has been added to our existing Duqu coverage: PWS-Duqu, PWS-Duqu!rootkit, and PWS-Duqu!dat.
More to come as this tale unfolds!