Showing posts with label Malware. Show all posts
Saturday, February 16, 2013
Nauman Ashraf
Facebook hacked by Java Zero Day exploit
Facebook, a social networking giant with one billion active users, said on Friday that it was attacked by an unidentified group of hackers in January; fortunately, no user information was compromised during the attack.
What is really interesting is the level of sophistication of the malware-based attack, which eluded security defenses: the attackers compromised a developer website, and employees' machines were infected when they visited it.
The infected laptops were fully patched and running up-to-date anti-virus software, which suggests the attackers exploited zero-day vulnerabilities through an exploit hosted on the website.
The official statement reports:
“Facebook, like every significant internet service, is frequently targeted by those who want to disrupt or access our data and infrastructure. As such, we invest heavily in preventing, detecting, and responding to threats that target our infrastructure, and we never stop working to protect the people who use our service. The vast majority of the time, we are successful in preventing harm before it happens, and our security team works to quickly and effectively investigate and stop abuse.
Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.”
Facebook confirmed that no user data was compromised:
“We have found no evidence that Facebook user data was compromised.”
The Facebook advisory confirmed that the company's security teams are very active in the fight against cyber threats, thanks to close collaboration with law enforcement and the security teams of other companies. The attack appears to have exploited a zero-day Java vulnerability well before Oracle's official announcement.
“After analyzing the compromised website where the attack originated, we found it was using a “zero-day” (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.”
The investigation is still ongoing, as Facebook confirmed:
“We will continue to work with law enforcement and the other organizations and entities affected by this attack. It is in everyone’s interests for our industry to work together to prevent attacks such as these in the future.”
Facebook has a well-managed bug bounty program, which attracts bug bounty hunters to participate and report vulnerabilities to Facebook.
Friday, February 8, 2013
Nauman Ashraf
China tops the list of malware-infected countries in 2012
According to the Panda Security Annual Security Report 2012, 27 million new strains of malware were created last year alone and 74,000 new samples were released every day.
Delving into geographical analysis, China topped the list of countries with 54.89 percent of infected PCs, followed closely by South Korea at 54.15 percent and Taiwan at 42.14 percent. These three were the only Asian countries in the top ten list, according to ZDNet reports.
One reason for the growth is the increased use of exploit kits such as Black Hole, which can exploit multiple system vulnerabilities to infect computers automatically without user intervention.
The "Trojan!MMarketPay.A@Android" Trojan affected 100,000 China Mobile subscribers and started buying applications from China Mobile's marketplace on behalf of the user.
Friday, January 18, 2013
Nauman Ashraf
Banking Malware Shylock spreads via Skype to target specific Countries
The home-banking Trojan known as Shylock has been updated with new functions. Shylock is now capable of spreading through Skype, the popular Voice over IP service and software application. This allows the malicious banking Trojan to infect more hosts and continue to be a prevalent threat, according to CSIS Security Group.
Shylock is one of the most advanced banking Trojans currently being used in attacks against home banking systems. The code is constantly being updated and new features are added regularly.
The Skype infection is based on a malicious plugin called msg.gsm, which allows the malware to send messages and transfer files, clean messages and transfers from the Skype history, and even bypass the Skype warning for connecting to servers.
Besides using Skype, it also spreads through local shares and removable drives. The C&C functions allow the attacker to:
- Execute files
- Get cookies
- Inject HTTP into a website
- Set up VNC
- Spread through removable drives
- Uninstall
- Update C&C server list
- Upload files
Currently, the Shylock detection ratio is zero, which shows how powerful its advanced features are. According to a map of the distribution of Shylock infections published by CSIS, there is a high concentration of victims in the UK. However, there are also many Shylock-infected computers throughout mainland Europe and the US.


