copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
Search this site

On this site

 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login


AusCERT Week in Review for 6th July 2012

Date: 06 July 2012

Click here for printable version


There have been a couple of interesting developments this week regarding the Android platform. First up, details regarding a possible Android botnet were published on July 3 by Terry Zink over at the MSDN blog. Terry stated that he came across a number of interesting spam samples coming from Yahoo Mail servers, containing the following Message-ID:

"Message-ID: <>"

On top of this, they also included the following footer:

"Sent from Yahoo! Mail on Android"

Lovely, so it seems that someone has control of a botnet which is living on Android devices! It is most likely that this botnet is comprised of Android devices which have downloaded and installed malicious Android apps, or possibly even a rogue Yahoo Mail app from outside of the Android marketplace. We can only expect that this kind of activity is going to be on the increase.

On the following day, July 4, 'The H' announced that a number of security researchers at North Carolina State University have developed and demonstrated a prototype rootkit for the Android platform. The researchers demonstrated that the rootkit "clickjacks" users, causing them to launch malicious apps when they believe they are launching their legitimate apps. The rootkit works by manipulating program shortcuts, which allows them to be either hidden, or to direct users to different applications. The researchers used a Samsung Nexus S smartphone which was configured with factory settings to demonstrate the rootkit, and have stated that they are unsure whether the attack will work on other devices, as well as it being "unclear if the vulnerability is closed in the next version of Android." No doubt we'll be seeing more news regarding Android rootkits in the not too distant future as well.

Another interesting development was blogged by Brian Krebs over at his KrebsonSecurity blog - it appears that Java exploit CVE-2012-1723, which was announced and patched by Oracle as part of their June 2012 patches, is to be exploited in new BlackHole malware exploit kits. Krebs has stated that the BlackHole author has said the new Java attack will be released via update to all licensed users of BlackHole on July 8. It would be wise to ensure that your Java is updated to Java 6 Update 33, or Java 7 Update 5 prior to this!

For all of those who have been following the DNSChanger saga, don't forget that the switch-off time for the FBI's DNS servers is set to occur in just a few days, at 2pm AEST Monday July 9, at which point if your machine is infected then you are likely to lose all internet connectivity. If you haven't already checked, don't forget to go to to see if you've been infected!

And lastly, here are my picks for this week's top 5 bulletins:

1) ESB-2012.0644 - ALERT [Win] Invensys Wonderware SuiteLink: Denial of service - Remote/unauthenticated

ICS-CERT has released an advisory regarding a remote denial of service vulnerability in industrial control software 'Invensys Wonderware Suitelink', stating that public exploit clode is available targeting this vulnerability.

2) ESB-2012.0639 - [HP-UX] BIND: Denial of service - Remote/unauthenticated

Hewlett-Packard have announced the availability of patches for last month's BIND denial of service vulnerability which is exploitable remotely without authentication.

3) ESB-2012.0635 - [Win][UNIX/Linux][Debian] libapache-mod-security: Cross-site scripting - Remote with user interaction

A cross-site scripting vulnerability has been identified by Qualys in Apache's ModSecurity module. Attackers could potentially use this vulnerability to allow the execution of code in the context of user's browsers.

4) ESB-2012.0636 - [Win][Linux][HP-UX][Solaris] HP Network Node Manager i: Multiple vulnerabilities

A large number of code execution and denial of service vulnerabilities have been patched in HP Network Node Manager i running PostgreSQL, some of which date back to as far as 2009.

5) ESB-2012.0634 - [Win][Linux] IBM Support Assistant: Multiple vulnerabilities

IBM released a security update for IBM Support Assistant for Linux and Windows, correcting four vulnerabilities which could allow for unauthenticated confidential data access as well as code execution and cross-site scripting.

Have a great weekend!

The AusCERT Week in Review is a roundup of the week's notable security advisories, events and AusCERT activities - brought to you by the AusCERT Coordination Centre team. For an extra perspective, follow @AusCERT on Twitter and stay connected to events as they happen.