Chuck Norris Wants Your Router

"If you haven't changed the default password on your home router, you may be in for an unwanted visit from Chuck Norris -- the Chuck Norris botnet, that is.

"Discovered by Czech researchers, the botnet has been spreading by taking advantage of poorly configured routers and DSL modems, according to Jan Vykopal, the head of the network security department with Masaryk University's Institute of Computer Science in Brno, Czech Republic.

"The malware got the Chuck Norris moniker from a programmer's Italian comment in its source code: `in nome di Chuck Norris,` which means `in the name of Chuck Norris.` Norris is a U.S. actor best known for his martial arts films such as `The Way of the Dragon` and `Missing in Action.`

"Security experts say that various types of botnets have infected millions of computers worldwide to date, but Chuck Norris is unusual in that it infects DSL modems and routers rather than PCs."

From PC World...

Massive Oracle PWN@G3 At Black Hat

"In 2001, Larry Ellison brashly proclaimed in a keynote speech at the computing conference Comdex that his database software was "unbreakable." David Litchfield has devoted the last nine years to making the Oracle chief executive regret that marketing stunt.

"At the Black Hat security conference Tuesday afternoon, Litchfield unveiled a new bug in Oracle's 11G database software, a critical, unpatched vulnerability that would allow a hacker to take control of an Oracle database and access or modify information at any security level. `Anything that God can do on that database, you can do,` Litchfield [said] in an interview following his talk.

"The attack that Litchfield laid out for Black Hat's audience of hackers and cybersecurity researchers exploits a combination of flaws in Oracle's software. Two sections of code within the company's database application--one that allows data to be moved between servers and another that allows management of Oracle's implementation of java--are left open to any user, rather than only to privileged administrators. Those vulnerable subroutines each have their own simple flaws that allow the user to gain complete access to the database's contents.

"Litchfield says he warned Oracle about the flaws in November, but they haven't been patched. Oracle didn't immediately respond to a request for comment."

More at Forbes.com...

Hacking Twits For Fun And Profit

"According to researchers at Kaspersky Lab, cybercriminals are trying to sell hacked Twitter user names and passwords on-line for hundreds of dollars.

"Since 2005, the bad guys have been developing new data-stealing malware that is now a growing problem on the Internet. Some of these programs look for banking passwords, others hunt for on-line gaming credentials. But the fastest-growing data stealers are generic spying programs that try to steal as much information as possible from their victims, said Kaspersky Researcher Dmitry Bestuzhev, speaking at a press event Friday.

"In 2009, Kaspersky identified about 70,000 of these programs -- twice as many as the year before, and close to three times the number of banking password stealing programs.

"They're popular because criminals are starting to realize that they can do better than simply swiping credit card numbers. Bestuzhev has seen Gmail accounts for sale on Russian hacker forums, (asking price 2,500 rubles, or $82) RapidShare accounts going for $5 per month, as well as Skype, instant messaging and Facebook credentials being offered.

"Asking prices can vary greatly, depending on the name of the account and the number of followers, but attackers are looking for an initial, trusted, stepping stone from which to send malicious Twitter messages and, ideally, infect more machines.

"Bestuzhev said that one Twitter account, with just over 320 followers, was offered at $1,000 in an underground hacker forum. The user's name was a simple three letter combination that Bestuzhev thought might make it more valuable to criminals. Compare that to an MSN account, which Bestuzhev has seen priced at €1 ($1.40). `The price for Twitter accounts is really high,` he said."

More at ComputerWorld...