India’s financial website Moneycontrol.com was hacked last week, as unknown hackers inserted a malicious code inside the website’s pages, making visitors to it vulnerable, US based cyber security firm Websense Security Labs said in its security alerts released on Tuesday.

According to the San Diego based Websense, the main Indian site of Moneycontrol.com was compromised and injected with malicious code on November 6, 2010. The injected code redirected users to an exploit website. “Once a user visited the Moneycontrol.com, the malicious code took the user’s browser quietly to an exploit website http://www.Brenz.pl – in a typical “drive-by” attack. Brenz.pl is an exploit site pre-loaded with an exploit kit called Eleonore,” says Websense Labs Senior Researcher Elad Sharf.

Exploit kits contain malicious programs which can be downloaded to infect a particular computer. “A list of exploits are delivered to the user’s browser once Brenz.pl is visited and any successful attempt of exploitation results with the user being infected with a Trojan called Virut,” Mr Sharf adds. Virut is a file infector that targets .exe and .scr files, extensions used for applications and scripts respectively. The site was cleaned up the next day.

Active injected codes can potentially impact a site’s performance. When a website is injected with code that leads to an exploit site, visitors generally experience hanged or slow browsers, and often a a browser crash, as well, says Sharf.

Eleonore on the other hand has potential to exploit common vulnerabilities in applications like Adobe Reader, Mozilla Firefox and Internet Explorer.

According to CERT-in, India’s Computer Emergency Response Team at Ministry of IT, SQL injection attacks are on the rise. Such an attack is designed to inject an iframe into the website source which will force visitors to download a javascript file, says CERT-in. Many websites have been found infected with such scripts. After successful exploitation, malware such as Trojans are downloaded to the user’s system, says the agency. It advises caution even while visiting trusted websites.

Dear All,

You should be alert during next few days.

Don’t open any message with an attachment entitled “POSTCARD FROM HALLMARK”, regardless of who sent it to you. It is a virus which opens A POSTCARD IMAGE, which ‘burns’ the whole hard disc “C” drive of your computer.

It has been classified by Microsoft as the most destructive virus ever. This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the zero sector of the Hard Disc.

It was apparently checked by Norton Anti-Virus, and they are gearing up for this virus!

Check if your PC is infected with the Cornficker virus.

Click here (Source http://www.ipt.net)

Conficker has gone on to become one of the most widespread internet worms in recent years.

The conficker computer worm, also known as downup, downandup and Kido first surfaced in 2008 but as of January 17, various reports declare that 6.5 million computers have already been infected by this virus. It also states that 3 in 10 windows PC are vulnerable to conficker attacks.

It could be the biggest April Fool’s joke ever played on the internet, or it could be one of the worst days ever for computers connected to the network. Security experts can’t work out whether the Conficker virus will wreak havoc on Wednesday , or just let the day pass quietly.

Experts have worked out that from midnight on 1 April, the Conficker program will start scanning thousands of websites for a new set of instructions telling it what to do next. The infected machines thus comprise one of the biggest “botnets” – a network of “robot” computers – in internet history. And if they were all given a target, such as simultaneously sending search queries to Google or trying to connect to a gambling site, they could knock it offline through the sheer volume of connections – a “denial of service”. Victims usually discover that they have been locked out of their computers or have very slow-running internet connections.

Careful study of infected machines has revealed that from midnight on Wednesday they will seek new instructions from a randomly generated list of thousands of websites that changes every day. Just one needs to be under the virus writers’ control to turn Conficker into a newly configured botnet – making the task of catching the exact site a search for a needle in a computing haystack.

Experts admit that they have little idea of where Conficker might be headed next. “It’s a brave man who puts his neck out like that,” said Graham Cluley, an analyst with internet security company Sophos. “For what it’s worth, we have never seen earlier versions of the Conficker worm downloading a malicious payload.”

It is also rumoured that Conficker may not activate immediately, preferring to lie in wait before receiving further orders to avoid scrutiny. The main purpose of Conficker is to provide the authors with a secure binary updating service that effectively allows them instant control of millions of PCs worldwide.

The identity of its creator remains unknown, despite Microsoft offering a bounty of $250,000 (£176,000) for the information. Usual methods of unpacking the virus code to examine its workings have been thwarted because the authors have encrypted it, using algorithms that render it almost uncrackable.

Symptoms –

• Users being locked out of directory
• Access to admin shares denied
• Scheduled tasks being created
• Access to security related web sites is blocked.

Method of Infection –

• This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate.
• Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.
• Upon detection of this worm the system should be rebooted to clean memory correctly. May require more that one reboot.
• Scheduled tasks have been seen to be created on the system to re-activate the worm.
• Autorun.inf files have been seen to be used to re-activate the worm.

Removal –

• Users infected by W32/Conficker.worm should perform an On Demand Scan to remove remnants of the worm in memory using the latest DATs.
• Upon detection of W32/Conficker!mem and REBOOT, the W32/Conficker.worm malware components will be removed.

More information – http://vil.nai.com/vil/content/v_153464.htm

But beware of the other malware and virus creeping into your system by means of fraudulent software claiming to be an anti-dote to Conrficker. Microsoft is behind it and will do an appropriate press release for it. So trust only well known names for the cure.