Massive DNS Poisoning Affects Major Brazilian ISPs

Brazil is currently under a massive DNS cache poisoning attack, reports Kaspersky Labs. When a user tries to visit popular, local and global sites, such as Google, Yahoo and Facebook, a popup like the one shown below is displayed. It asks the user to download a security suite called Google Defender in order to access the site.


As Kaspersky’s Fabio Assolini explains in his blog post,

In reality, though, this file is a Trojan banker detected by Kaspersky’s heuristic engine. Research into this IP highlighted several malicious files and exploits hosted there:

In fact the file ad.html is an encrypted script, exploiting CVE-2010-4452 and running arbitrary code in an old installation of JRE. The exploit detected by us as Exploit.Java.CVE-2010-4452.a calls up one of the files in this list. According to statistics in KSN (Kaspersky Security Network) all the infected users are from Brazil; we registered more than 800 attempts to access this site which were thwarted by our web antivirus.

The attack has been going on for some time. It is suspected that employees of ISP companies, who had access to DNS records, were paid to change them in order to redirect the users to malicious sites. Fabio also notes that an arrest has already been made in this case by the Brazilian Federal Police. The accused (who is an employee of an ISP company) allegedly changed the DNS records over a 10 month period.

So, if you are from Brazil and have seen similar pop-ups, we recommend that you do not click on them. Follow the usual procedures: update your OS, your security software and all other installed programs, and run a complete system scan. Kaspersky also suggests switching your DNS provider to one other than your ISP, such as OpenDNS or Google DNS.
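Because the poisoned records live in the ISP's resolver, a simple way to spot this kind of tampering is to compare what the ISP resolver returns against independent public resolvers. The script below is an added example (not from Kaspersky or the original post) that flags both a per-domain mismatch and the tell-tale pattern of many unrelated sites resolving to one address; the live lookup helper assumes dnspython is installed, and the sample answers are constructed.

```python
"""Cross-resolver check for ISP-side DNS tampering (added example).

Compares the A records an ISP resolver returns with answers from independent
public resolvers and reports two signals:
  1. a domain whose ISP answer shares no address with any public answer, and
  2. one address the ISP resolver hands back for several unrelated domains
     (the "redirect everything to one host" pattern described above).
CDN/GeoDNS sites legitimately return different addresses from different
vantage points, so signal 1 alone is only a hint; signal 2 is much stronger.
"""
from collections import defaultdict

def divergent_domains(answers, isp, public):
    """answers: {resolver: {domain: set(ips)}}. Returns domains whose ISP
    answer set is disjoint from the union of the public resolvers' answers."""
    flagged = []
    for domain, isp_ips in answers[isp].items():
        public_ips = set()
        for resolver in public:
            public_ips |= answers.get(resolver, {}).get(domain, set())
        if isp_ips and public_ips and not (isp_ips & public_ips):
            flagged.append(domain)
    return sorted(flagged)

def shared_addresses(answers, isp, min_domains=3):
    """Return {ip: [domains]} for addresses the ISP resolver returns for
    at least min_domains distinct domains."""
    by_ip = defaultdict(set)
    for domain, ips in answers[isp].items():
        for ip in ips:
            by_ip[ip].add(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}

def query_a(domain, nameserver):
    """Live A lookup against one nameserver via dnspython (assumed installed)."""
    import dns.resolver
    res = dns.resolver.Resolver(configure=False)
    res.nameservers = [nameserver]
    return {rdata.address for rdata in res.resolve(domain, "A")}

# Constructed sample: the ISP resolver sends three unrelated sites to one host.
SAMPLE = {
    "isp":  {"www.google.com": {"203.0.113.10"}, "www.facebook.com": {"203.0.113.10"},
             "www.yahoo.com": {"203.0.113.10"}, "example.org": {"198.51.100.7"}},
    "pub1": {"www.google.com": {"192.0.2.1", "192.0.2.2"}, "www.facebook.com": {"192.0.2.20"},
             "www.yahoo.com": {"192.0.2.30"}, "example.org": {"198.51.100.7"}},
    "pub2": {"www.google.com": {"192.0.2.3"}, "www.facebook.com": {"192.0.2.21"},
             "www.yahoo.com": {"192.0.2.30"}, "example.org": {"198.51.100.7"}},
}

if __name__ == "__main__":
    print(divergent_domains(SAMPLE, "isp", ["pub1", "pub2"]))
    print(shared_addresses(SAMPLE, "isp"))
```

To run it against real resolvers, build the `answers` dict by calling `query_a` for each domain with the ISP's resolver address and two public ones.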

TimesofMoney/Remit2India Database Hacked Through SQL Injection – HDFC Bank Vulnerable Too

Update – August 4th 2011: TimesofMoney contacted us with an update saying that this breach does not exist and will be sending us a statement regarding the same shortly.

In this day and age of technology, it does not come as a surprise that websites are frequently hacked. Groups like Anonymous and Lulzsec have been creating havoc on the internet, however, there are other cases too where security teams hack several websites to show them how insecure they are.

One of the most common ways of hacking websites is SQL injection. Ironically, was also hacked using an SQL injection attack a few months back.

Today, zSecure Team has found a vulnerability in a very popular digital payments site called TimesofMoney which provides online remittances, fortified domestic e-payment mechanisms and facilitated remittance solutions of banks. The company is behind products like Remit2India, DirecPay and Times Card.

The zSecure Team claims that there exists a critical SQL injection vulnerability in the TimesofMoney website through which an attacker can gain access to the site’s entire database, which contains a huge amount of customers’ confidential information.

This vulnerability may prove very serious for the company because TimesofMoney is one of India’s leaders in e-payment systems. The existence of such a critical flaw in the company’s website may badly damage its market reputation.

The group also claims that HDFC Bank’s Website is also vulnerable right now:

We discovered a similar vulnerability in HDFC Bank’s website as well and issued them a similar advisory. But even after a couple of weeks of sending our advisory to the bank, the said vulnerability is still open to outside attacks. If the said vulnerability doesn’t get fixed by the bank at the earliest, then our next post may disclose that vulnerability publicly. We hope that both companies (TimesofMoney and HDFC Bank) will take immediate action to fix the reported vulnerabilities.

TimesofMoney currently has a SQL injection vulnerability rated very high. They are running Oracle Database 11g Enterprise Edition. The vulnerability allows attackers to access the database and dump it; it may also allow a shell to be uploaded.

The security team has also posted images about the hack, which can be viewed below.

TimesofMoney Hacked Database 1

TimesofMoney Hacked Database 2

TimesofMoney Hacked Database 3

TimesofMoney Hacked Database 4

The security team has said that no data has been dumped, but the fact that attackers can access your financial information so easily is enough to make me cringe. I would suggest that you purge your information from the relevant sites until the flaw is fixed. More information on the vulnerability can be found on the zSecure website.

Thanks for the tip, Christopher.

Common iPhone Passcodes Could Put Your iDevice At Risk

Mobile devices have become the lifeline of our existence. From making simple calls, these devices have transformed into smartphones that let us keep in touch with family and friends, check our email, browse our favorite websites, read news, bank online and more.

However, while we increasingly use our mobile devices to do almost everything we used to do on a desktop, we still do not protect them very well. Every mobile device, including the iPhone, has a feature that lets us lock the device, so that it can only be accessed once a passcode is entered.

While many tech-savvy people may use strong passcodes or symbols, the majority of users still prefer very weak passcodes. In a recent study, Daniel Amitay found that the top ten iPhone passcodes are really easy to guess.

Most Common iPhone Passcodes

Out of the 204,508 passcodes he had access to, the top ten iPhone passcodes were 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212 and 1998. Most of these are easy to guess and were used very frequently. The most common, 1234, is also one of the most common internet passwords.

Interestingly, a passcode like 5683, which does not seem to follow any pattern, is actually the numeric value of the word "LOVE" typed on a phone keypad. Another common choice was a four-digit year, such as 1998 or 1999, often a birth year.

These trends are disturbing, as they give intruders an easy way into the content of your phone. Choosing a passcode that is both memorable and hard to guess is not difficult at all.

In addition, you can enable much stronger protection for your iPhone by following our guide on setting stronger passcodes for iPhone, iPod Touch and iPad.
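The patterns behind the top ten above (repeated digits, straight sequences, keypad columns such as 2580/0852, repeated pairs, birth years and keypad words such as 5683 = LOVE) can be checked mechanically. The script below is an added example, not part of Amitay's study; its small keypad word list is a constructed stand-in for a real dictionary.

```python
"""Four-digit passcode pattern checker (added example, not from the study).

Reports which of the weak patterns described above a passcode matches, so
the top-ten list can be explained rather than just listed.
"""
KEYPAD_LETTERS = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
                  "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
KEYPAD_LINES = ["123", "456", "789", "147", "2580", "369"]  # keypad rows and columns
# Constructed word list; a real check would load a proper dictionary.
KEYPAD_WORDS = {"love", "hate", "cool", "baby", "pass"}

def _is_sequence(code):
    """True for straight runs such as 1234 or 9876."""
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return steps in ({1}, {-1})

def _on_keypad_line(code):
    """True if the digits trace a keypad row or column in either direction."""
    return any(code in line or code in line[::-1] for line in KEYPAD_LINES)

def _keypad_words(code):
    """Expand the digits into letter combinations and keep known words."""
    words = [""]
    for digit in code:
        words = [w + c for w in words for c in KEYPAD_LETTERS.get(digit, "")]
    return {w for w in words if w in KEYPAD_WORDS}

def weakness_reasons(code, current_year=2011):
    """Return a list of pattern names the passcode matches (empty if none)."""
    if not (code.isdigit() and len(code) == 4):
        raise ValueError("expected a four-digit passcode")
    reasons = []
    if len(set(code)) == 1:
        reasons.append("repeated digit")
    if _is_sequence(code):
        reasons.append("straight sequence")
    if _on_keypad_line(code):
        reasons.append("keypad row/column")
    if code[:2] == code[2:] and len(set(code)) > 1:
        reasons.append("repeated pair")
    if 1900 <= int(code) <= current_year:
        reasons.append("plausible birth year")
    words = _keypad_words(code)
    if words:
        reasons.append("spells " + "/".join(sorted(words)))
    return reasons

TOP_TEN = ["1234", "0000", "2580", "1111", "5555", "5683", "0852", "2222", "1212", "1998"]

if __name__ == "__main__":
    for code in TOP_TEN:
        print(code, weakness_reasons(code) or ["no obvious pattern"])
```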

Speeding Ticket? Give Us All Your Cell Phone Data

The Michigan State Police have been testing a high-tech device that can be used to extract information from cell phones. The CelleBrite UFED is able to copy most of the data on over 2500 different mobile devices, often in less than 2 minutes. A sales brochure says this device offers the following:

The UFED system extracts vital information from 95% of all cellular phones on the market today, including smartphones and PDA devices (Palm OS, Microsoft, Blackberry, Symbian, iPhone, and Google Android). Simple to use even in the field with no PC required, the UFED can easily store hundreds of phonebooks and content items onto an SD card or USB flash drive.

For nearly three years, the ACLU of Michigan (American Civil Liberties Union), has repeatedly asked what the State Police were doing with the UFED. So far, their FOIA (Freedom of Information Act) requests have been delayed or ignored by Michigan officials.

An ACLU spokesman says:

Through these many requests for information we have tried to establish whether these devices are being used legally. It’s telling that Michigan State Police would rather play this stalling game than respect the public’s right to know.

The ACLU fears that the next time you get stopped for speeding in Michigan, you’ll be handing over your cell phone, and your entire mobile history, to the nice officers.

Check out this video of the Cellebrite in action on CSI NY. Deleted cellphone data isn’t really deleted?


How to Update Windows XP to Service Pack 3

Just as my fellow author, Amit, had warned you, Microsoft has ended support for PCs running Windows XP Service Pack 2 (SP2). According to figures I’ve seen at InformationWeek, as many as 45% of Windows XP machines will need to update to SP3 in order to stay secure.

If you are running a PC that has not been updated yet, there’s no need to panic. Computers running SP2 will continue to work as usual. The end of support for SP2 simply means that those computers will not receive the most current security fixes from Microsoft’s update website or the automated updates.

Since it’s very important to keep your Windows up to date, how can you find out if your machine needs to update to SP3?

The quickest and easiest way to find out is the keyboard shortcut [Windows key] + [Pause/Break].

Another way to view your current Windows version is to right-click on the My Computer menu entry or desktop icon and choose the Properties item in the list.


As a result of either of these actions, you should see your computer’s properties as shown below.


If it says Service Pack 2, then you should use one of the links below to update your PC to SP3. I’ve included four ways to update and a brief description of each method.

A. Windows Update Website
Yes, it’s as easy as visiting Microsoft, however, you will need to use Internet Explorer because Microsoft hates to see you use any other type of web browser.

B. Service Pack 3 Network Install
Despite what the title implies, you can download this single executable file and it will install SP3 easily on any XP machine that needs it. The file is a bit over 300 MB in size.

C. Service Pack 3 Add-on for Multi-Lingual Users
If you use languages other than English, you may need this file in addition to download B above. It’s only about 9 MB in size.

D. Service Pack 3 ISO / CD Image
You can download this ISO file (CD image) and burn it to a CD. This gives you a backup copy that you can use on any XP machine that needs it. The file is over 500 MB in size.

E. You can also order a CD from Microsoft by using one of the location links below:
Asia / Europe and Africa / North America / South America

Now, I’m feeling better after writing this important public service announcement. I hope you feel better too, after you’ve updated your old Windows XP machines.

Dangerous Bug in Windows XP Turns Windows Help into Windows Hell

If you haven’t already, you need to fix your Windows XP or Windows Server 2003 machines to protect yourself against a recently discovered flaw. It’s called the HCP flaw.


Is it dangerous? Yes, all you have to do is view a specially coded page on the net, and your control over your PC can be stolen right out from under you.

Here’s what the problem is. A flaw in the Windows Help and Support Center (helpctr.exe) was discovered recently, and shortly after that, the information telling people how to take advantage of it was also published. It’s good when Windows flaws are reported, but it’s very bad when the information on how to use those flaws is also broadcast. You can bet that there are some black hats out there already infecting PCs with this new flaw.

There is a fix out from Microsoft. Go to this page and click on the Fix button to download the fix (KB2219475).


This fix isn’t a real solution. It disables the Help and Support Center in Windows, but if you are like me, you never use it anyway. Some time after Microsoft offers a real update to solve this problem, I’ll go back and re-enable the help center.

People running Windows 7, Vista, 2000 or Server 2008 are safe from this bug. The affected operating systems are:

Microsoft Windows Server 2003 Service Pack 2, when used with:
Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
Microsoft Windows Server 2003, Web Edition
Microsoft Windows Server 2003, Datacenter x64 Edition
Microsoft Windows Server 2003, Enterprise x64 Edition
Microsoft Windows Server 2003, Standard x64 Edition
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
Microsoft Windows XP Service Pack 2, when used with:
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Microsoft Windows XP Service Pack 3, when used with:
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Here’s a good place to find more information on the HCP Flaw if you need it.

Many thanks to Terry’s Computer Tips for this tip.

Firefox 3.6.2 Released, Fixes Security Vulnerability

Mozilla has upped the ante to fix a severe security vulnerability in Firefox 3.6 which affects several users. The vulnerability in question was reported by security researcher Evgeny Legerov last month.

Mozilla did publish a release candidate yesterday, but due to the criticality of the bug they have released the final version today.

Mozilla has accelerated its timetable and released Firefox 3.6.2 ahead of schedule. This release contains a number of security fixes, including a fix to Secunia Advisory SA38608 which was previously discussed on this blog when we were first made aware of and were then able to confirm the issue.

If you are a Firefox 3.6 user, go to the Help menu and click on "Check for Updates" to update to the current version; if you need any help, check our earlier post on how to update Firefox.

Users can also update their Firefox to the latest version by visiting the Firefox Download site and downloading the latest version and installing it.

Fake Antivirus Sites Target Windows 7 Users

The folks who write malware and viruses are not just good at writing them; they are also very good at camouflaging their work so that unsuspecting users are easily fooled into believing they are doing something legitimate.

Much malware thrives on SEO poisoning of popular search terms. It exploits Google’s fast indexing to get ranked for popular queries, especially "sex scandals" and "sex videos".


A recent analysis from the folks at Sophos Labs uncovered several URLs which made it into Google through blackhat SEO; the more interesting finding, however, was that malware writers have now started to generate spoof screens which look similar to Windows 7.

Fake Antivirus Windows 7 Security Popup

When users visit sites which host such malware, they will come across an interface which is similar to Windows 7, with a popup which looks exactly like the security center popup for Windows 7. Furthermore, the malware site also displays fake antivirus scan results which show the user that there are several viruses installed on the PC.

Fake Antivirus Scan on Windows 7

It is easy to get fooled because of the stark similarity between this fake antivirus and the real Windows 7 interface; however, users should remember that they are looking at a web browser, and Microsoft does not carry out such scans inside a web browser.

Though the looks may be deceiving, you should not click on any security related or free antivirus scans on a web browser. Additionally, many modern browsers are smart enough to block such malware sites, so make sure to keep your browser upgraded to the latest version.

You might also want to check on some tips we had written earlier to keep yourself safe on the internet.

Firefox Add-ons Contained Trojans [Security Alert]

In a rather scary discovery, two experimental Firefox add-ons were found to contain Trojans. The add-ons were version 4.0 of Sothink Web Video Downloader and Master Filer.

Users who installed the infected add-ons would be affected when they restarted Firefox. When a user restarted Firefox the Trojan would be executed and take over the host machine. Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose Trojan.

Both add-ons have now been disabled by Mozilla; however, users who installed them should disable them and run full system virus and spyware scans immediately. The problem is known to affect Firefox on Windows PCs. According to Mozilla, around 5000 users have been affected.

Mozilla has not yet made clear how the infected add-ons made it into the add-ons gallery. This is definitely scary, and Mozilla should run more checks and antivirus scans on the add-ons it accepts, since millions of people visit the gallery to find and download new extensions.