JPCERT-AT-2009-0023
JPCERT/CC
2009-10-27

<<< JPCERT/CC Alert 2009-10-27 >>>

Web sites attempting to infect users with malware increasing

https://www.jpcert.or.jp/english/at/2009/at090023.txt

I. Overview

  This week JPCERT/CC has received a sudden increase in reports of web
  sites serving injected, malicious JavaScript code. So far, this
  specific incident appears to mainly affect Japanese Internet users.
  This bulletin aims to inform users about countermeasures against such
  malicious sites.

  When a user visits a web site injected with malicious code, a separate
  web site attempts to infect the user with malware. According to
  multiple Japanese PC vendors, a large number of users infected with
  malware have reported being unable to start their computers. This
  phenomenon is currently thought to be caused by visiting such web
  sites.

  The impact of an infected computer being unable to boot is
  significant. Accordingly, check whether the countermeasures below have
  been applied and, if they have not, apply them as a priority.

II. Countermeasures

  JPCERT/CC is currently confirming that, as reported, this attack uses
  vulnerabilities in Adobe Flash Player, Adobe Acrobat and Adobe Reader.
  Please update to the latest version of each of these software products
  if installed.

  [Adobe Acrobat, Adobe Reader]

  From the Acrobat or Reader menu, selecting "Help" -> "Check for
  Updates" will allow you to upgrade to the latest version.

  If upgrading fails for some reason, please install the latest version
  from the following URL:

    Adobe.com - New downloads
    http://www.adobe.com/support/downloads/new.jsp

  [Adobe Flash Player]

  Please check whether you are running the latest version of Flash
  Player at the following URL:

    Adobe Flash Player: Version Information
    http://www.adobe.com/software/flash/about/

  If your installed version of Flash Player is not the latest version,
  please install the latest version from the following URL:

    Adobe Flash Player installation
    http://get.adobe.com/flashplayer/

  Additionally, the malicious content on injected sites is changed
  continually. Consequently, the attack methods and the targeted
  software also appear to change regularly. For this reason, it is
  recommended that you regularly update your computer's operating system
  and install the latest patches for installed software.

    Microsoft Update
    https://update.microsoft.com/

III. Reference

  Kaspersky Labs Japan
  Gumblar-like, updated threat emerges (Japanese)
  http://www.kaspersky.co.jp/news?id=207578788

  SecureBrain
  New, Gumblar-like attack technique confirmed, 1/3 of previously
  infected websites re-defaced (Japanese)
  http://www.securebrain.co.jp/about/news/2009/10/gred-gumbler.html

  Microsoft
  A mouse cursor on a black screen (Win32/Daonol) (Japanese)
  http://blogs.technet.com/jpsecurity/archive/2009/10/23/3288625.aspx

  Warning regarding computer virus Win32/Daonol (Dell)
  http://supportapj.dell.com/support/topics/topic.aspx/jp/shared/support/news/2009/20091022

  Apology for call center disruptions due to large number of
  Win32/Daonol infected customers (Fujitsu) (Japanese)
  http://azby.fmworld.net/support/info/apology/20091022.html

  Apology for call center disruptions due to large number of
  Trojan.Win32/Daonol.H infected customers (NEC) (Japanese)
  http://121ware.com/navigate/support/121cc/info/20091026/

  Trojan.Win32/Daonol.H (Toshiba)
  http://dynabook.com/assistpc/info/20091022.htm

  Apology for VAIO customer call center congestion (Sony)
  http://vcl.vaio.sony.co.jp/iforu/hotnews/2009/10/003/

If you have any further questions or information regarding this alert,
please contact JPCERT/CC.

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600  FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/