Articles in the Attack Category
Intego, a Mac OS X-only anti-virus vendor, last week released some early details of XProtect, the anti-malware system Apple shipped with the Snow Leopard version of OS X.
Since then, Sophos have done some analysis of XProtect and discovered that it is activated by an extended file attribute (the quarantine flag) set by downloader applications such as Safari, Mail, Firefox and Entourage.
How much information is available on those responsible for the Koobface attack? One of the main attack servers, kukuruku-290709.com, is registered to Polev Andrei. This article looks for information on Andrei Polev using his name and e-mail address as a starting point.
Twitter suffered a well publicised denial of service last night. The attack, which succeeded in bringing down the service for over an hour, also caused problems for Facebook, LiveJournal and other social networking sites.
What is a Denial of Service (DoS) attack? Exactly what it says on the tin: an attack that denies a particular service to a target user or population. It could involve manipulating the computer of a single user to deny them access to the network or a particular website. Usually, though, it involves targeting a particular service at its source and denying it to the whole population.
The Google Hacking technique proved effective at searching for domains that include the in.cgi?x URL pattern highlighted as part of the Nineball (and probably many other) attacks. In addition to the domains already listed on this site, a number of additional sites were uncovered.
Domains directly associated with the Nineball attack:
Other domains exhibiting similar URLs, uncovered using Google Hacking, are listed below. At least one (google-analytstic.com) also links to the Nineball final page, stopssse.info.
Websense ThreatSeeker is reporting a new obfuscated JavaScript injection attack, this time affecting up to 40,000 websites.
If a user visits one of the infected sites, they are redirected through a series of different sites owned by the attacker and brought to the final landing page containing the exploit code …. The final landing page records the visitor’s IP address. When visited for the first time, the user is directed to the exploit payload site. But when visited again from the same IP address, the user is directed to the …
I’ve been running a Nepenthes low-interaction honeypot over the last few months and have collected almost 900 binaries, 80 of which are unique. Upcoming posts will focus on static and dynamic analysis of some of this malware.
Geographic Source of Attacks
I used the new Fusion Tables service from Google to visualise the geographical sources of some of the attacks. The intensity map below shows that the majority come from the UK, Eastern Europe, Russia and China.
What is it?
Gumblar is the latest in a series of worm infestations that started with the Conficker outbreak in late 2008. Gumblar is a worm in two halves: a server infection with an associated botnet, and a client infection with an associated botnet.
Though the attack is circular, let’s assume, for the sake of argument, that the attack begins with a victim browsing to an infected website. The site is infected with an injected JavaScript. This JavaScript downloads a further JavaScript from one of a series of Chinese servers (most of …
In an attempt to gain a better understanding of who was registering Conficker.A/B DNS rendezvous points (whether out of interest, for malicious purposes or for sinkholing), I have used downatool2 from Bonn University, Germany to calculate all the rendezvous points from January to May for Conficker.A and for Conficker.B.
I ran WHOIS checks on all 90,000 names and extracted the registrant from those that exist. Where I could get an e-mail address I have recorded it, falling back on the registrant name or registrar where no e-mail address was available.
Conficker.A Analysis
Conficker.A domains were largely unregistered …