September 2004 - Posts

WHAT:      Marius van Oers, anti-virus research engineer with McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team) at McAfee, Inc. will discuss malware in a presentation titled, "Malicious Media Files - ASF Scripting." As part of the presentation, van Oers will teach IT administrators and virus researchers about the .ASF file structure and the possible security issues related to it.

WHEN:      Thursday, Sept. 30, 2004 from 2:40 PM - 3:20 PM Eastern Time at the Fairmont Chicago, Chicago, Illinois

WHERE:     For more information and to register, please visit: http://www.virusbtn.com/conference/

http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/09-29-2004/0002261420&EDATE=

Posted by donna | with no comments

Antivirus software could be ill-prepared to protect corporate networks from the latest Windows vulnerability--innocent-looking JPEG files that contain security attacks.

According to Mikko Hypponen, director of antivirus research for F-Secure, antivirus software will strain to find JPEG malware because by default it only searches for .exe files.

"Normal antivirus software by default will not detect JPEGs," Hypponen said. "You can set your antivirus scanner to look for JPEG, but the trouble is that you can change the file extension on a JPEG to so many things."

http://news.com.com/JPEG+exploit+could+beat+antivirus+software/2100-7349_3-5388633.html

Posted by donna

Anti-Phishing: KeyBank - 'Technical services: Account Update Request'

Summary
Email title: 'Technical services: Account Update Request'
Scam target: KeyBank customers
Email format: HTML e-mail
Sender: KeyBank - Customer Care Department <keysupport.6381508.148055.0 @ ebusiness.keybank.com>
Sender spoofed? Yes
Scam call to action: 'Technical services of the bank are carrying a planned software upgrade... We earnestly ask you to visit the following link to start the procedure of confirmation of your personal data...'
Scam goal: Getting victim's keybank.com username/password, credit/debit card information
Call to action format: URL link
Visible link: image link
Called link : h++p://www.parisharm.com/cgi-bin/
Phish website IP: 66.206.7.127

E-mail

KeyBank's customers are the new phish target. This is the first phish against them we get reported, but probably won't be the last one. It is not a sophisticated one, but it doesn't need it to be dangerous - this bank's customers are probably not as vigilant as the more targeted banks' customers.

Anyway, the message looks nice - with bank logo, spoofed sender and hidden link destination, even a 'legal' footer:

More in Anti-Phishing.org

Posted by donna

by LURHQ Threat Intelligence Group

URL
http://www.lurhq.com/jpegvirus.html

Release Date
September 28, 2004

***JPEG "Virus" Facts***

A great deal of attention is being paid to a supposed "JPEG virus" discovered in a couple of Usenet postings. Because many people are still not familiar with the workings of the current MS04-028 exploits, much misinformation is being spread in public forums. This advisory is being sent to clear up the facts surrounding this posted JPEG exploit. If you have been following Threat #49 in the LURHQ Sherlock Enterprise Security Portal (MS04-028 Jpeg Comment Buffer Overflow Analysis), you may already be aware of most of this information.

Here are the simple details of this incident:

- It's not a virus. The posted JPEG is actually a trojan downloader. It has no ability to spread on its own.

- It only affects users with Windows XP Service Pack 1.

- It does not automatically execute on reading the message. The JPEG must be saved into a local folder, then the mouse pointer must be moved over the JPEG file's icon.

- The file is detected by all major antivirus engines with current virus definition files. Because of the nature of the JPEG format, it is impossible to disguise an infected JPEG file. So current signatures should detect ALL future attempts to exploit this vulnerability.

Read more of the "facts" at http://www.lurhq.com/jpegvirus.html

Posted by donna | with no comments

Who's to blame for the hold that spam, spyware and viruses have on the Internet?

According to security software vendors, lax PC retailers should be fingered, for allowing "unroadworthy vehicles" out of their doors onto the information highway, to be attacked by viruses and converted into spam-spreading bots.

http://www.snpx.com/cgi-bin/news55.cgi?target=71318971?-2622


 

Posted by donna

Jpeg Of Death.c v0.5

You knew it was coming. And now it's here - the latest evil spurred by the latest Microsoft security hole.

It's called the JpegOfDeath.c v0.5, but jpg isn't all it threatens.

"[...] for the people out there who think you can only be affected through viewing or downloading a jpeg attachment.. you're dead wrong," says K-OTIC's John Bissell aka HighT1mes.

"All the attacker has to do is simply change image extension from .jpg to .bmp or .tif or whatever and stupid Windows will still treat the file as a JPEG :-p..."

http://p2pnet.net/story/2563

Posted by donna

Traditional security methods aren't robust enough to cope with today's multiple threats, and vendors need to up their game to help carriers and enterprises deal with the new techniques being deployed by hackers.

So says independent consultant Simon Hill, who has been examining the security market for a Light Reading Webinar, or online seminar, entitled "Multi-Layered Security: Security in an Insecure World," due to be given tomorrow (Wednesday). Anyone interested in the Webinar can still sign up for free - http://www.lightreading.com/webinar.asp?doc_id=27157

Some security system suppliers, such as Fortinet Inc. and Radware Ltd., have already reacted to the challenge.

http://www.lightreading.com/document.asp?site=lightreading&doc_id=59927


 

Posted by donna

Site Offers Computer Users the Ability to Double Check Their Antivirus Security

GLENDALE, Calif., Sept. 28 /PRNewswire/ -- Panda Software, one of the leading developers of virus and intrusion prevention solutions, today announced the launch of Panda Challenge (http://www.pandachallenge.com). PandaChallenge.com is designed for computer users to double check the performance of their antivirus solutions. As users take the panda challenge, Panda Software analyzes and repairs damage done to computers for free. A special offer is also available for those wishing to purchase solutions from Panda Software.

http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=109&STORY=/www/story/09-28-2004/0002260498&EDATE=

Posted by donna | with no comments

PRESS RELEASE
Oslo, Norway, 28 September 2004

Award-winning antivirus vendor Norman, together with anti-spyware leader Lavasoft, introduces Norman Ad-Aware SE Plus and Professional respectively for single users and organizations. These new programs from Norman are made available to protect computers against undesired programs installing themselves while connected to the Internet.

http://www.norman.com/News/Press_releases/17438/en

Posted by donna | with no comments

TrekEight, LLC announced today that over 6,000,000 users have used the SpywareNuker line of PC protection software, and 1,300,000 customers have utilized the latest version, SpywareNuker 2004, to check their personal computers for spyware and adware.

Spyware and adware are applications and files that can allow hackers and advertising companies to track your PC's activity. Though usually used for marketing purposes, (such as tracking the websites you visit and the items that you buy online and then directing advertisements to you), spyware can have the capability to record your credit card number, personal identification numbers, and all of your passwords.

http://www.ereleases.com/pr/20040928002.html

Related info
"Note on SpywareNuker & pcOrion: Spyware Nuker and pcOrion are re-branded clones of one another; both are distributed by TrekBlue/TrekData. Spyware Nuker and pcOrion were listed on this page primarily because of issues surrounding Version 1 of Spyware Nuker, because of TrekBlue's murky relationship with the adware distributor BlueHaven Media, and because of objectionable advertising that used to appear on the pcOrion home page.

Version 1 of Spyware Nuker had a deservedly poor reputation. It was a clone of BPS Spyware & Adware Remover, which itself is a rip-off of Ad-aware (1, 2) and Spybot Search & Destroy (1, 2, 3, 4, 5). Moreover, it was prone to ridiculous false positives, like the other clones of BPS Spyware & Adware Remover. (Contrary to allegations on the Net, no version of SpywareNuker or pcOrion, so far as we can tell, has itself installed adware or spyware.)

In the late spring or early summer of 2004, TrekBlue released a new version of SpywareNuker (version 2, also known as SpywareNuker 2004) which is not built on the codebase licensed from BPS (1). Testing with this new version  -- also released under the name pcOrion -- indicates that it does detect and remove spyware and adware. Moreover it is not prone to inexcusable false positives, as its predecessor was. Thus, the new SpywareNuker 2004 is a significant improvement on the justly discredited original version of SpywareNuker. Still further, the objectionable advertising on the pcOrion home page has been removed, and TrekBlue/TrekData has taken steps to clarify the history of its relationship with BlueHaven, which is no longer a TrekBlue/TrekData company. (1, 2)

Given that the issues surrounding Spyware Nuker and pcOrion have been addressed by TrekBlue/TrekData, we can no longer consider Spyware Nuker or pcOrion to be "rogue/suspect" anti-spyware."

http://www.spywarewarrior.com/rogue_anti-spyware.htm#swn_note

 

Posted by donna

Internet watchers say they've spotted infected images that could implant a back door into a Windows computer if they are viewed.

EasyNews, a provider of Usenet newsgroups, said it has identified two JPEG images that take advantage of a previously identified flaw in the way Microsoft software handles graphics files. Windows users could have their computers infected merely by opening one of those Trojan horse images.

The report of the widely expected exploit comes less than a week after sample code appeared that demonstrated how to take advantage of Microsoft's programming error. Some security researchers worry that the ubiquity of JPEG images provides an unprecedented opportunity to spread malicious code through file-trading networks, the Web or spamming.

http://news.com.com/Trojan+horse+exploits+image+flaw/2100-7355_3-5385995.html

Posted by donna | with no comments

ForeScout Technologies, Inc., the leading enterprise worm containment and prevention company, announced today that its latest version of WormScout, version 4.0, is now shipping. WormScout, which contains and suppresses fast-spreading, self-propagating network worms, is now also effective against e-mail worms. All of the worm-suppression activities are automated: from accurately identifying the infection attempts, to complete isolation, and then finally, the clean-up process. WormScout performs with such accuracy that 100 percent of ForeScout's customers turn on automatic blocking.

http://www.tmcnet.com/usubmit/2004/Sep/1077251.htm

Posted by donna | with no comments

Microsoft will release a low-price version of Windows in Russia by the end of the year, an effort to wean consumers in that country off pirated software and Linux.

The Redmond, Wash.-based software giant will also announce later in the week that it will bring a version of Windows XP Starter Edition, a relatively inexpensive and slimmed down version of Windows, to a fourth, as-yet-unidentified, Asian country, bringing the total number of countries in the program to five.

http://news.com.com/Russia+gets+budget+version+of+Windows/2100-1016_3-5381547.html

Posted by donna | with no comments

McAfee has released updates to its spam prevention service and personal firewall software to help home users combat a growing form of online fraud known as "phishing."

The new version of SpamKiller, released Tuesday, uses a multilayered filtering engine to help keep in-boxes free of unsolicited, fraudulent and malicious e-mails including phishing scams, the company said. The filter is based on Bayesian technology, which learns from past examples to determine what kind of e-mails should be blocked. The filter also can detect codes hidden inside e-mail images used to evade antispam engines.

http://news.com.com/McAfee+updates+target+%27phishing%27/2100-1029_3-5386970.html

Posted by donna | with no comments

British e-mail firm Avecho has offered a £10,000 ($18,056) award to anyone who can deliver a virus past its GlassWall filtering product. To participate contestants must sign up for an Avecho e-mail account and then either deliver a virus to or from the e-mail address. While Avecho is the only party able to see traffic on its network, vice president of international marketing Mark Elliot says the company would like to hire a third party to judge the contest, but no one has come forward to accept the role. Avecho has refused to release details about how its GlassWare works, saying it wants to keep it secret because it cannot patent the product. Past hacking challenges have been a source of embarrassment for the companies that issue them: Argus System refused to pay a Polish hacking group that managed to crack its Pit Bull server, while in 2002 Korean Digital Works suffered a take over on its contest registration server, allowing the hackers to control who could compete for its $100,000 prize.

http://news.com.com/E-mail+firm+baits+hackers+with+security+challenge/2100-7349_3-5383988.html

Posted by donna | with no comments

Administrators can now control removable media devices on five network machines for free

London, UK, 28 September 2004 – GFI is launching a freeware version of GFI LANguard Portable Storage Control (P.S.C.), its new network security product that can prevent unauthorized users from taking information from the network or introducing malware via USB (Universal Serial Bus) sticks and other removable media (such as floppies and CDs). The product also allows administrators to control the connection of devices that can register storage in Windows, such as iPods, smartphones, digital cameras and handhelds. GFI is offering a full version of GFI LANguard P.S.C. for five machines as freeware.

http://www.gfi.com/news/en/lanpscfreeware.htm

Posted by donna

Nima Majidi has discovered some vulnerabilities in YPOPs!, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerabilities are caused due to boundary errors within the POP3 and SMTP services. These can be exploited to cause buffer overflows via overly long requests.

Successful exploitation allows execution of arbitrary code.

The vulnerabilities have been confirmed in version 0.6. Versions 0.4 through 0.6 are reportedly affected.

NOTE: By default, the SMTP service is not enabled and the POP3 service only listens on the loopback interface (127.0.0.1).

Solution:
Disable the SMTP service and bind only the POP3 service to the loopback interface.

http://secunia.com/advisories/12660/

Posted by donna

Internet Service Provider (ISP) EarthLink on Monday launched TotalAccess 2005 for Macintosh, a new version of the access software EarthLink offers its subscribers. It works with EarthLink's broadband and dialup services and is available for download now. New features of TotalAccess 2005 for Macintosh include ScanBlocker, which blocks users from visiting known or suspected Web sites involved in "phishing," a scam where consumers are tricked into giving personal information on a Web page that looks like a trusted source, such as a financial institution or a company with which they already have an account.

http://story.news.yahoo.com/news?tmpl=story&ncid=1292&e=1&u=/mc/20040927/tc_mc/newearthlinkmacsoftwarefightsphishingscams&sid=95573662

Posted by donna | with no comments

Executive Software ( http://www.executive.com ), the industry leader in the development of systems management tools to enhance the speed and performance of Microsoft(R) Windows(R) systems, and Shavlik Technologies, LLC ( http://www.shavlik.com ), a leading security products and services provider, have announced the signing of an OEM agreement to provide security patch management to customers.

As part of the agreement, Executive Software will integrate Shavlik's security patch management solution to create Patchkeeper, a patch management module being added to the Sitekeeper systems management product family, allowing companies to assess patch compliance status on devices running Microsoft Windows operating systems, including Windows NT(R), Windows 2000, Windows XP and Windows Server 2003. Patchkeeper can be used as a stand-alone solution or as part of the Sitekeeper product suite.

http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/09-27-2004/0002259352&EDATE=

Posted by donna

Microsoft Corp. on Monday will start charging for a Hotmail feature that allows users of the Web-based e-mail service to access their e-mail using the Outlook e-mail client.

Microsoft is making the move not to increase the number of paying Hotmail users but because the feature is being abused by senders of spam, said Brooke Richardson, lead product manager for MSN at Microsoft.

http://www.infoworld.com/article/04/09/27/HNhotmailoutlook_1.html

Posted by donna | 1 comment(s)