11/18/2008 9:03:00 PM

AIRC Threat report and the link to McColo

by Iftach Ian Amit

As promised, the AIRC Threat Report for November is out.

And, as also promised, the link to McColo is revealed here. While we were looking at the criminal server, we had the opportunity to observe that someone else was logged onto the server at the same time, and the connection came from… McColo.

For those of you who are wondering – no, we did not “hack”, “infiltrate” or “break” into the server. Sometimes the simplest things let you see what’s behind the mirror (and legally).

Tags:

Hackers

11/12/2008 1:27:00 PM

Microsoft Security Bulletin Summary for November 2008

by Oren Medini

Microsoft has released its monthly security bulletin for November 2008 to address two vulnerabilities in Windows, one of which is critical. We strongly suggest applying the patches provided by Microsoft for these vulnerabilities.

Following is a summary of the security updates released by Microsoft:

Critical

Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
This security update resolves several vulnerabilities in Microsoft XML Core Services. The most severe vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.

Important

Vulnerability in SMB Could Allow Remote Code Execution
This security update resolves a publicly disclosed vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on affected systems. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft has already addressed this vulnerability with a patch. The patch and additional information are available here.

Tags:

vulnerabilities

11/12/2008 12:28:00 PM

Hosting provider crackdown?

by Iftach Ian Amit

Recently, there has been a lot of focus from the security research community on a hosting provider named McColo Corporation (out of San Jose, CA). Reports of spam, phishing and connections to Malweb distribution, amongst others, have been accumulating (including our own analysis of a malicious server that was observed being administered from a McColo address).

It seems that the combination of law enforcement investigations and a recent story by the Washington Post has made its mark: McColo IP addresses have gone silent since yesterday. We’ll be looking forward to additional coverage on this in the coming days, as we are finalizing our own threat report on the eCrime server that has been analyzed, and on which we found the 200,000 compromised FTP credentials.

Tags:

malweb

11/6/2008 3:09:00 PM

A New Surge of Obama-related Malware Spam

by Oren Medini

Cyber criminals are taking advantage of the world's focus on Barack Obama after his win in the race for the White House.

Users worldwide were overwhelmed by a flood of spam emails right after the results of the presidential race were announced. The spam invites users to watch Barack Obama's victory speech. Clicking on the link takes the user to a webpage that asks him to install the latest version of Adobe Flash Player in order to play the video. Clicking the link to the supposed Adobe update downloads a Trojan called 'adobe_flash.exe', which in turn installs an information-stealing Trojan on the user’s system.

This Trojan installs a rootkit, a program specifically designed to conceal the Trojan’s presence on the infected system. The Trojan monitors the victim’s system for passwords of banking websites and then sends the gathered information back to a server located in the Ukraine.

The following is an example of the spammed email:

eSafe proactively detects and blocks the spammed Trojan as a suspicious file. Only 14 out of the 36 major antivirus products detected the Trojan. The following is a link to the VirusTotal analysis for the Trojan’s file 'adobe_flash9.exe':

http://www.virustotal.com/analisis/58fd7100e69f9c940d6904981834f1fd

AIRC will provide a signature naming this threat specifically in today’s update.

Tags:

Web-based Trojans | Spam

11/3/2008 12:41:00 PM

Secret Crush Widget is Back to Spread Adware on Facebook

by Oren Medini

The Secret Crush widget invites Facebook users to find out which of their friends is secretly in love with them. Users who click the link find out that it is actually an adware application targeting them.

This malicious widget made its first appearance in early January 2008. It played on the popularity of Facebook and managed to entice millions of Facebook users to download the infamous Zango adware. Recently, this malicious widget has reappeared and has been infecting users with additional adware such as Zwinky. Facebook users receive an invitation that says: “Someone has a secret crush on you. Find Out Who!” Clicking the “Find Out Who!” link randomly redirects the browser to one of a number of websites, ranging from hosted ads to adware-serving domains.

Here is what the application’s invitation message looks like:

And here are the adware websites that users get redirected to:

Tags:

malweb