Posts Tagged ‘Trojan’

Websense Security Labs' ThreatSeeker Network has determined that the Web site of the popular online Pakistani newspaper the 'Daily Jang' (at jang.com.pk) has been compromised.

The Web site has been injected with malicious code in several locations. The code redirects visitors' browsers to exploit Web sites. At the time of this writing, the exploit sites that the Daily Jang redirects to are active and serving malicious code.

The paper is one of the most popular and oldest newspapers in Pakistan. The Web site gets a lot of daily traffic from its many loyal readers, both within and outside Pakistan. It also links to many other Web sites (Alexa report). Some reports indicate an average of more than 40,000 unique visits to the Web site a month.

An infection can occur while visiting the main page of the site. The visiting user's browser is redirected silently, in the background, to an exploit site loaded with an exploit kit called 'g01pack'. If one of the kit's many exploit attempts is successful, a Trojan backdoor file is dropped onto the user's machine. The backdoor file currently holds a detection rate of 26%.

Injection Information

The site is injected in several places. The injection appears as an iframe at the bottom of each injected page. A snapshot is provided below. You might think it ends here, but any security hole that leaves the door open for one attacker to inject malicious code can be found and used by other attackers as well, and that is the main reason why the Web site carries a second kind of malicious injection on many of its pages. In total there are two kinds of injections on jang.com.pk. The first appears as an iframe; the second appears as obfuscated JavaScript code that also silently redirects any browsing user to exploit sites. However, those exploit sites appear to be down at the time of writing of this post.
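The two injection shapes described above, an iframe appended near the bottom of a page and an obfuscated JavaScript block that decodes and evaluates a redirect, are both things a site owner can check for in their own served HTML. The scanner below is an added example written for this post; it is not Websense's tooling or anything from the jang.com.pk site. The first-party hostname, the eval/escaped-string heuristics and the sample page are all constructed for the example.

```python
"""Flag injected iframes and obfuscated inline scripts in an HTML page.

Added example, not Websense's code or the Daily Jang site's. It checks
for the two injection patterns the post describes: a hidden or off-site
iframe, and an inline script that evaluates a long escaped string.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical first-party host; any other host in an iframe src is off-site.
SITE_HOST = "www.example-news.test"

# Heuristics for an obfuscated redirect loader (assumption for this example,
# not a signature taken from the post): runtime evaluation of a decoded
# string, plus a long run of escaped bytes feeding it.
EVAL_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(")
ESCAPED_RUN_RE = re.compile(
    r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){20,}"
)


class InjectionScanner(HTMLParser):
    """Collects (kind, location, reason) findings while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self._check_script("".join(self._script_buf))

    def handle_data(self, data):
        # Script bodies arrive here as raw text (CDATA mode).
        if self._in_script:
            self._script_buf.append(data)

    def _check_iframe(self, a):
        src = a.get("src") or ""
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host != SITE_HOST:
            reasons.append(f"off-site src {host}")
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if tiny or "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden or zero-size frame")
        if reasons:
            self.findings.append(("iframe", src, "; ".join(reasons)))

    def _check_script(self, body):
        reasons = []
        if EVAL_RE.search(body):
            reasons.append("runtime eval of decoded string")
        if ESCAPED_RUN_RE.search(body):
            reasons.append("long escaped-byte run")
        # Only the combination is reported, to keep ordinary scripts quiet.
        if len(reasons) == 2:
            self.findings.append(("script", body[:40] + "...", "; ".join(reasons)))


def scan_html(html):
    """Return a list of (kind, location, reason) tuples for suspicious content."""
    p = InjectionScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page: one legitimate frame and script, then an
# obfuscated loader and a hidden off-site frame of the kind the post describes.
SAMPLE_PAGE = """<html><body>
<h1>Front page</h1>
<iframe src="https://www.example-news.test/weather" width="300" height="200"></iframe>
<script>var a = 1; document.getElementById('x');</script>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%3c%69%66%72%61%6d%65%20%73%72%63%3d%22'));</script>
<iframe src="http://exploit-host.invalid/in.php" width="1" height="1" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

Run against the constructed page, it reports the eval/unescape script and the 1x1 hidden iframe and stays silent on the legitimate weather frame and the plain script. A site owner would run it over the HTML actually served to visitors (fetched from outside the network), since the injected markup lives in the delivered pages rather than in the CMS templates.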

The next time you are prompted to enter your Facebook or Twitter password after clicking on some nice ad, make sure the location bar of the browser says 'facebook.com' or 'twitter.com.' Moving beyond their favorite targets, the corporates, cybercriminals are now targeting the least secure users of all, the end consumers, notes the latest Microsoft Security Intelligence Report.

Gone are the days of alluring emails asking you to part with your bank account details to claim your million dollar prize; cyber criminals now prefer to 'hang out' at your favorite social networking site. According to the Security Intelligence Report — a quarterly security-related update from the world's biggest software firm, Microsoft — social networks accounted for 84.5 percent of all attempts to steal personal data from users in December 2010.

In comparison, only 8.3 percent of all such attempts — known as phishing — occurred through social networks in January 2010. That is an increase of 1200 percent in phishing through social networking sites, as these venues have become lucrative hotbeds for criminal activity, the report warns.

The attacks take the form of advertisements and links on Facebook and other social networks that look like legitimate marketing campaigns and product promotions but are actually just traps to steal your data. They take the form of pay-per-click schemes, false advertisements, or fake security software sales.

“Social networking is on a high and cybercriminals and these sites have created new opportunities for cybercriminals to not only directly impact users, but also friends, colleagues and family through impersonation,” says Sanjay Bahl, Chief Security Officer, Microsoft India.

The ultimate aim is to get users to download and install the criminals' programs, which then use the victim's computer to spread themselves as well as to steal all kinds of data entered through that computer. Social networking viruses, Microsoft points out, are especially risky in India since the country has some 50 million (5 crore or 4% of the population) social networking users.

Interestingly, Microsoft owns 5% of Facebook — a site whose revenues may be hit if people stopped clicking on its ads.

According to the report, the most common category of unwanted software in India was worms, which affected 42.5 percent of all infected computers, down from 45.4 percent in the last quarter. Worms are self-replicating programs.

The second most common category in India was miscellaneous Trojans, which affected 33.9 percent of all infected computers, down from 34.5 percent in the last quarter. Trojans, which may also be worms, have the additional characteristic of being harmful to the user and are often used to steal data.

Center for Strategic and International Studies, CSIS, has found that the complete source code for the ZeuS botnet crime kit is being distributed on several underground forums as well as through other channels. CSIS has also collected several addresses from which the ZeuS source code is being distributed as a compressed zip archive. The company says it has downloaded, unzipped and compiled the code to confirm its authenticity. Peter Kruse, Partner & Security Specialist, CSIS, says, “We can hereby confirm that the complete ZeuS/Zbot source code is freely available for inspection, inspiration or perhaps to be compiled and used in future attacks.”

ZeuS/Zbot is already considered to be among the most pervasive banking Trojans in the global threat landscape. It is an advanced crime kit and highly configurable. With the release and leakage of the source code, ZeuS/Zbot could easily become even more widespread and an even bigger threat than it already is today.

The source code would greatly help security companies analyze how this advanced botnet really works, and this could mark a breakthrough for an industry that is struggling to keep pace with highly advanced malware that is increasingly difficult to detect. However, it would also give other malware writers a head start in advanced virus and botnet writing.