
Pentagon attacked by Chinese hackers

 2007-09-10


The Financial Times published details about “the most successful” cyber attack so far against the American Department of Defense. The details were published a week after Der Spiegel reported German government accusations that Chinese hackers, supported by the Chinese government, attacked German government computers.

The Chinese government, of course, denied the allegations, claiming that it does not support any illegal activities. Although it is extremely difficult, or almost impossible, to prove who organized attacks such as these, the fact remains that information warfare is slowly moving onto the Internet and that the security of any computer network must not be neglected, especially when it hosts sensitive information.

High number of Storm worm infected machines

 2007-07-02


Last week Infigo IS noticed an extremely high number of e-mails sent by machines infected with the latest variant of the Storm worm (some anti-virus vendors call this worm Tibs or Peacomm).

In order to spread, the worm also relies on social engineering. E-mails sent by the worm do not contain any malicious code – they contain only URL addresses to servers hosting exploits used to infect visitors. E-mails look like electronic postcards.

An interesting thing about the Storm worm is that it generates URL addresses dynamically and that infected machines are used as web servers. This means that administrators cannot simply block access to certain URLs or IP addresses, as they change constantly.

The Storm worm shows that organizations have to invest in multiple security layers and implement defense in depth.

Italian web servers compromised with MPack

 2007-06-25


Thousands of Italian web servers were compromised last week. Attackers installed a toolkit called MPack on all compromised servers. MPack is used to further compromise client machines that visit compromised web servers.

A typical attack adds a hidden iframe object into one or more HTML pages on the compromised web servers. When such a web page is visited, the iframe object redirects the user’s browser to another web server. This web server serves exploits for various security vulnerabilities in web browsers (both Internet Explorer and Mozilla Firefox).

Owners of compromised web servers have been notified and most of the iframe objects have been removed. Infigo IS would like to use this incident as an opportunity to remind all our customers about the need to patch client machines in a timely manner.

FBI’s operation “Bot Roast” resulted in three arrests

 2007-06-18


The FBI released details about an ongoing operation called “Bot Roast”. The main goal of this operation was to identify and arrest bot-herders. Bot-herders typically infect victim machines that are subsequently managed through special servers called command and control (C&C) servers.

The FBI’s operation identified over 1 million infected machines that were used for carrying out network attacks, identity theft and spam sending. The operation also resulted in three bot-herders being arrested. More information can be found at http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm.

Yahoo! Messenger 0-day vulnerabilities already being exploited

 2007-06-12


The Internet Storm Center published a diary stating that they detected exploits for recently published 0-day Yahoo! Messenger vulnerabilities in the wild. Fully functional proof of concept exploits were published a couple of days ago.

While Yahoo! released an update only a couple of hours after the exploits were published, not all machines will be automatically updated, as Yahoo! will gradually inform users about the new update when they log in. As the PoC exploit is extremely simple to modify, Infigo IS urges all Yahoo! Messenger users to install the latest version available at http://messenger.yahoo.com/download.php.
