[ General ] 31 December, 2010 15:16

    With the new year less than 12 hours away here, we have made some security predictions for 2011 based on our research and observations; at the end of 2011 we can check whether they came true. Here they are:


    1. Mobile device security: leakage of sensitive information and privacy will make headlines and become a top public concern as shipments of mobile devices such as smartphones and tablets increase dramatically.

    2. Critical infrastructure attacks: we will see more and more attacks that are not just "for fun & profit" as before, but are carried out with political intent or against precisely chosen targets.

    3. Cyber war/cyber terrorism: Stuxnet-like attacks, which are believed [or guessed] to be created by nation-state-level organizations, are complex and chain several zero-day vulnerabilities together. The United States also formally launched its Cyber Command in mid-2010.

    4. Black-hat SEO poisoning attacks: we already see such attacks, which misdirect search engine users to web pages carrying fake AV, drive-by downloads, scareware, and so on. The number of suspicious pages will grow exponentially.

    5. Hacking for money: even though several Zeus gangs were taken down in 2010, Zeus will remain quite active in the coming year, as will its successor, the SpyEye botnet. Those bots target web ATM services, and physical ATMs can suffer too, as shown in Barnaby Jack's presentation at Black Hat 2010.

    6. Social media: social media and the web became the dominant applications in 2010, but they have also become a hotbed of criminals, spam, phishing, malicious links, and privacy infringement against users.

    7. DPI becomes the next component after VPN to be integrated into SoCs: the VPN circuit used to be an add-on component, but most SoC processors now embed it already. We expect the DPI circuit to follow the same path as VPN. An embedded DPI circuit lets SoC users build more dedicated security and content-management solutions without sacrificing performance.

    8. Information security will boom in the home gateway: security deployment is mature in the enterprise and on desktops/notebooks, but the home gateway is still a blank spot. With more home appliances such as net-TVs and IP cameras connecting to the Internet, protecting them becomes an important role of the home gateway. We expect to see more home gateways and wireless APs shipping with security functions turned on by default.

    Finally, happy new year to all our readers.

By AegisLab.

[ Security Alert ] 29 December, 2010 16:43

    AegisLab has found that the official website of the Ministry of Education's Preschool (教育部幼兒班) has been tampered with and now carries SEO-poisoned pages.

The attack path is listed below.

[search] http://www.google.com (search 'aretha franklin died')
[root] http://140.126.34.167/preschool/help.php?module=lesson&file=maxpages.html
  [hop] hxxp://urodtds.ws/in.cgi?22...
    [hop] hxxp://surfseek.net/search.php?q=aretha+franklin+died

The victim website was injected with a malicious link to the hopping site "urodtds.ws"; that link redirects visitors arriving from the Google search engine to "surfseek.net".

The detection rates of the two hopping sites are both 0% (0/18) on URLVoid.com.

 
Since 12/23/2010, the AegisLab WebGuard signature has blocked these two hopping sites.

By AegisLab   

 

[ Security Alert ] 28 December, 2010 11:25
    The 463.org.tw cafe (蓮心咖啡小站) is a sheltered workshop store for people with disabilities. AegisLab has found that its official website has been tampered with and now carries SEO-poisoned pages. The pages contain many keywords that earn a higher PageRank in search engines, making it easier for users to reach them through a search engine.
 
The attack path is listed below.
[search] http://www.google.com (search 'paul hogan death')
[root] hxxp://www.463.org.tw/coffee/product_info.php?cPath=25...
  [hop] hxxp://urodtds.ws/in.cgi?22...
    [hop] hxxp://surfseek.net/search.php?q=xxx&us=1
 
The victim website was injected with a malicious link to the hopping site "urodtds.ws"; that link redirects visitors arriving from the Google search engine to "surfseek.net".

The detection rates of the two hopping sites are both 0% (0/17) on URLVoid.com.

 
Since 12/23/2010, the AegisLab WebGuard signature has blocked these two hopping sites.

By AegisLab  

 

[ Security Alert ] 27 December, 2010 11:21

    Twelve Chinese websites have been tampered with and now carry SEO-poisoned pages. The pages contain many keywords that earn a higher PageRank in search engines, making it easier for users to reach them through a search engine. The following list shows the 12 victim website links:

1. 宜蘭高商學生wiki: http://140.111.90.12/wiki96d03/index.php/%E5%90%B3%E9%8D%B6%E7%91%BE
2. 師大進修推廣部,華裔青年線上教學資源網: http://140.122.109.69/eyouth/calendar/view.php?view=month&cal_d=1&cal_m=10&cal_y=2010
3. 國立台中教育大學: http://210.240.188.179/pas/group3.php?show=news
4. 2008 電影聯合通識課程網站: http://2008.movie.idv.tw:16080/smf/index.php?topic=253.0
5. DBA TAIWAN: http://dba.tw/index.php?topic=156.0
6. 南投縣教育局: http://storage.ntct.edu.tw/gallery/slideshow.php?mode=applet&set_albumName=album433
7. 桃園縣大溪鎮內柵國民小學: http://student.njes.tyc.edu.tw/lifetype/index.php?blogId=53
8. 融合爵士樂團: http://www.doms.com.tw/fred/diary/date.php?nsn=323
9. 哿哿屋購物網: http://www.gegego.com.tw/catalog/product_info.php?products_id=938&osCsid=8fcb64ab394beab405399df76e54d27f
10. 花蓮縣港口國小: http://www.gkps.hlc.edu.tw/module/cpg1413/displayimage.php?album=23&pos=1
11. 柔恩絲情趣精用品: http://www.lung.com.tw/product_info.php?products_id=2745
12. 台灣省傳統整復職業工會聯合會: http://www.ttrpua.url.tw/Discuz/upload/viewthread.php?tid=184

  

The attack path is listed below.

[search] http://www.google.com
[root] http://www.ttrpua.url.tw/Discuz/upload/viewthread.php?tid=184
  [hop] http://urodtds.ws/in.cgi?...
    [hop] http://surfseek.net/search.php?q=xxx&us=1
      [hop] http://surfseek.net/search.php?q=xxx

 

The victim websites were injected with a malicious link to the hopping site "urodtds.ws"; that link redirects users to "surfseek.net" and finally to a malware or porn website.

 

The detection rates of the two hopping sites are both 0% (0/17) on URLVoid.com.

 

Since 12/23/2010, the AegisLab WebGuard signature has blocked these two hopping sites.

By AegisLab  

[ Security Alert ] 24 December, 2010 13:25

    AegisLab has found that the website of the Biodiversity Research Center, Academia Sinica (BRCAS) contained an SEO-poisoned page with a fake AV link at 6 PM on 23 Dec. Visitors who landed on the page were redirected to a fake AV scanning page and then offered the fake AV software to download. At 10 PM on 23 Dec., it changed to redirecting to a fake search engine and finally to a malicious website.

The fake AV attack path is listed below.

[search] http://www.google.com (search 'trix rabbit')
  [root] hxxp://classes.biodiv.tw/user/view.php?id=2785
    [hop] hxxp://razumtds.ws/in.cgi?22
      [hop] hxxp://ainuzpcedh.ru/people/?ZGVydHplbg==
        [hop] http://ainuzpcedh.ru/global/?sub=1&kw=
          [hop] http://www2.save-clean-foryou.in/?syob4=...
            [hop] http://www2.save-clean-foryou.in/NskYN107_289.php?...
              [click] http://www2.scansoftprotect.com/bgyg107_289.php?...
                [virus] hxxp://www2.scansoftprotect.com/whfbu107_289.php?...

 

The fake search engine path is listed below.

[search] http://www.google.com (search 'trix rabbit')
  [root] hxxp://classes.biodiv.tw/user/view.php?id=2785
    [hop] hxxp://urodtds.ws/in.cgi
      [fake search engine] hxxp://surfseek.net/search.php?q=new&us=1

 

The detection rate of the fake AV software on VirusTotal is 44.2% (19/43); please see the following link.

 

On URLVoid.com, the detection rates are 18% (3/17) and 0% (0/17) for "razumtds.ws" and "urodtds.ws" respectively.

 
Since 12/20/2010 and 12/23/2010 respectively, the AegisLab WebGuard signature has blocked the two malicious sites "razumtds.ws" and "urodtds.ws".

By AegisLab

 

[ Security Alert ] 23 December, 2010 14:21

    The official site of Catch-Tec, a vendor of wireless routers and switches for the computer market, has been tampered with and now carries SEO-poisoned pages. The pages contain many keywords that earn a higher PageRank in search engines, making it easier for users to reach them through a search engine. The figure of the following page (http://www.catch-tec.com/blog/svgk.php?arg=Bayer-ASA-Aspirin-Pharmacy) shows this finding.

 

http://catch-tec.com/

 

Furthermore, more keywords are injected into the following query pages (figure: more keywords).

 

The attack path is listed below.

[search] http://www.google.com (search 'bayer aspirin')
  [root] http://www.catch-tec.com/blog/svgk.php?arg=Bayer-ASA-Aspirin-Pharmacy
    [hop] http://seek4you.couchpotatofries.org/zb5/i_d2.php?q=Bayer....
      [search] http://yourprescriptionrx.net/search...

 

Finally, the visitor is redirected to a pharmacy website in Canada.

 

By AegisLab 
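The alerts above all share one pattern: a compromised page that looks normal to its owner but sends visitors arriving from a search engine through one or more hopping sites. The Python below is an added example, not AegisLab's code or any tool from the alerts; it traces the [root] → [hop] → ... chain once without and once with a Google Referer and flags a cloaked redirect when only the referred visit leaves the site. The hostnames victim.example, tds.example.invalid and fakesearch.example.invalid and the fake_fetch callback are constructed placeholders, not the domains from the alerts.

```python
import re
from urllib.parse import urljoin, urlsplit

# Added example, not AegisLab's code. The injected link in these alerts fires only for visitors
# arriving from Google, so the site owner loading the page directly sees nothing. Fetching twice
# (plain, then with a search-engine Referer) and diffing the hop chains exposes the cloaked redirect.
# fetch(url, referer) -> (status, headers, body) is injected so the logic runs offline; a real HTTP client can replace it.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)
JS_REDIRECT = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE)

def next_hop(url, status, headers, body):
    """Return the URL this response sends a browser to, or None if it stays put."""
    if status in (301, 302, 303, 307, 308) and "Location" in headers:
        return urljoin(url, headers["Location"])
    m = META_REFRESH.search(body) or JS_REDIRECT.search(body)
    return urljoin(url, m.group(1)) if m else None

def trace(fetch, start, referer=None, max_hops=10):
    """Follow redirects from `start`; returns visited URLs in order ([root], [hop], ...)."""
    chain, url = [start], start
    for _ in range(max_hops):
        status, headers, body = fetch(url, referer)
        nxt = next_hop(url, status, headers, body)
        if not nxt or nxt in chain:      # end of chain, or a redirect loop
            break
        chain.append(nxt)
        referer, url = url, nxt          # later hops see the previous page as Referer
    return chain

def cloaked_redirect(fetch, url, search_referer="http://www.google.com/search?q=x"):
    """(is_cloaked, direct_chain, referred_chain): cloaked if only the referred visit leaves the site."""
    direct = trace(fetch, url)
    referred = trace(fetch, url, referer=search_referer)
    leaves_site = any(urlsplit(h).hostname != urlsplit(url).hostname for h in referred)
    return direct != referred and leaves_site, direct, referred

# Constructed stand-in responses (placeholder hostnames, not the alert's domains): the victim
# page is clean when fetched directly but JS-redirects Google visitors to a TDS script.
VICTIM = "http://victim.example/product_info.php?cPath=25"
def fake_fetch(url, referer):
    host = urlsplit(url).hostname
    if host == "victim.example" and referer and "google." in referer:
        return 200, {}, '<html><script>location.href="http://tds.example.invalid/in.cgi?22";</script>'
    if host == "victim.example":
        return 200, {}, "<html><body>Coffee shop catalog</body></html>"
    if host == "tds.example.invalid":
        return 302, {"Location": "http://fakesearch.example.invalid/search.php?q=x&us=1"}, ""
    return 200, {}, "<html>fake search results</html>"
```

Running `cloaked_redirect(fake_fetch, VICTIM)` returns a cloaked verdict with a one-element direct chain and a three-element referred chain, mirroring the [root] → [hop] → [hop] paths in the alerts.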

 
