October 2005 - Posts

Zombie network fails to bite
By John Leyden

Updated Virus writers have created a botnet client that uses a recently discovered Microsoft vulnerability to spread. Mocbot uses the same MS05-039 vulnerability as the infamous Zotob worm in an attempt to create a botnet of compromised "zombie" PCs under the control of hackers. Early indications are that the attack is not particularly successful.

Mocbot tries to connect to two IRC servers in Russia, but the servers seem to be down (or overloaded), according to Finnish anti-virus firm F-Secure. "We received reports that the bot channel may instruct all joining bots to start automatically scanning for vulnerable computers, thus acting as automatic worms. But both channels used to control this spread are not working," said Mikko Hyppönen, chief research officer at F-Secure.

The Register
Posted Mon, Oct 24 2005 13:05 by Don

Paint it black
By John Leyden

The UK had the third highest rate of spyware infections last quarter, according to research by anti-spyware firm Webroot Software which lumps tracking cookies in with far more malicious risks such as Trojans and keylogging programs. The UK has 18 "spies" on an average PC if you include cookies but only 4.5 if you exclude these lesser threats, a figure which puts the UK outside the top 10 of spyware infested nations. The US - either with or without cookies - tops Webroot's spyware poll.

Spyware falls into several categories. At its most basic, spyware consists of programs that track online and offline activities and share them with third parties without the user's consent. Spyware can include system monitoring tools that record everything from visited sites to chat sessions, as well as keylogger programs that capture keystroke information such as the usernames and passwords used for online banking. The biggest category by number is spyware's more benign cousin, adware: invasive programs that feed advertising to unsuspecting users.

The Register
Posted Sun, Oct 23 2005 11:31 by Don

Yahoo has fixed a security flaw in its free Web-based e-mail service that opened the door to phishing scams, account hijacks and other attacks.

The flaw, known as a cross-site scripting vulnerability, existed because Yahoo's Web site did not detect certain script tags in combination with certain special characters, according to SEC Consult, which issued an advisory on the flaw Friday.

ZDNet Tech News
Posted Sun, Oct 23 2005 10:13 by Don

Even game consoles are under attack by hackers, a security company noted Friday. But although the current crop poses little risk to the average player, the next generation may if attackers decide to take on the Internet-centric Xbox 360, Microsoft's next game machine.

Panda Software said that over the last several days, it has tracked a trio of Trojans that aimed to reduce Sony's PSP (PlayStation Portable) and the Nintendo DS game consoles into expensive bricks.

The three pieces of malware -- Format.a, Tahen.a, and Tahen.b -- pose as tools to run unsigned code (games that have been cracked and then illegally copied) on the PSP, or as homemade applications for the Nintendo. When users install them, however, the Trojans overwrite portions of the consoles' firmware (the software embedded in the machines) and make them unusable.

TechWeb
Posted Sun, Oct 23 2005 8:54 by Don

WASHINGTON - The Interior Department won a reprieve Friday from a judge's order to disconnect from the Internet all computer systems with access to accounts it manages for thousands of American Indians.

In a motion filed in federal courts, officials had said disconnecting the computers would cause "massive injury to the public interest and the operations of government."

An appellate court on Friday granted a stay allowing the department to appeal the judge's ruling.

U.S. District Judge Royce Lamberth ordered the shutdown on Thursday, saying the department's computer security was so bad that hackers could easily break into the system and access and manipulate the Indians' account information.

Yahoo News
Posted Sat, Oct 22 2005 15:51 by Don

For the second time in as many weeks, Microsoft revised a critical security bulletin, this time to clarify confusing directions about which patch Windows 2000 users should deploy.

Directions in the MS05-050 security bulletin, which was released Oct. 11 to fix a flaw in DirectX, confused some customers, who then downloaded the wrong patch, a Microsoft spokesperson said Friday.

"Microsoft is aware that a limited amount of customers, who may have obtained the wrong security update for their version of DirectX, may think they are protected when, in fact, they are not," the spokesperson acknowledged in an e-mail to TechWeb.

TechWeb News

Potential conflict with older versions of InCD 3.x (bundled with Nero Burning ROM 5.x)

After downloading the latest AVG Anti-Virus update (AVG 7.1, load 360), customers using InCD 3.x CD burning software may experience a conflict between the AVG Resident Shield and the InCD 3.x drivers, which results in a problem when launching Windows XP. Customers with this problem should un-install this older version of InCD while in Safe Mode and install the current version, which is available for download on the vendor's website. This latest version of InCD should be installed PRIOR to downloading the newest AVG Anti-Virus program update. For InCD update instructions see our Technical FAQ, News section. Please contact our AVG technical support for assistance and any questions.

October 20, 2005

http://www.grisoft.com/doc/3/lng/us/tpl/tpl01

Note that a new build has been released today, October 21, 2005 (7.1.361).

Update Summary:

This update resolves possible conflict with bug in older InCD 3.x driver after update to AVG 7.1 build 360.

This recommended update may require restart on some systems.

Posted Fri, Oct 21 2005 13:56 by Don

OCTOBER 20, 2005 (COMPUTERWORLD) - At the moment, there's a dirty little secret that only a few people in the information security world seem to be privy to, or at least take seriously. Computers around the world are systematically being victimized by rampant hacking. This hacking is not only widespread, but is being executed so flawlessly that the attackers compromise a system, steal everything of value and completely erase their tracks within 20 minutes.

When you read this, it almost sounds like the plot of a cheesy science fiction novel, where some evil uberhacker is seeking world domination, while a good uberhacker applies all his super brain power to save the world. Sadly, this isn't science fiction, and we don't typically have uberhackers on our side.

Posted Fri, Oct 21 2005 11:04 by Don

Symantec Corp. has deployed a database security appliance at seven pilot customer sites and could roll the product out to wider release next year.

The security firm built the appliance in its Advanced Concepts Group, a research division within Symantec that focuses on developing emerging technology and makes recommendations for new company products. After the as-yet unnamed appliance is tested by the select customers, Symantec executives will decide whether to commercialize it.

"We believe the application tier will be the critical next tier for security," said Stephen Trilling, vice president of Symantec Research Labs. "Databases are obviously a big part of that, considering that a single security breach with those applications can have devastating consequences."

Health care and financial services are heavily represented among the customers Symantec selected, since compliance issues tied to the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act will be a major driver for the appliance.

Security IT Hub
Posted Fri, Oct 21 2005 8:50 by Don

Hackers and scammers have suddenly turned to a new technique to hide malicious JavaScript on compromised or criminal sites, a security researcher said Thursday.

According to Dan Hubbard, the senior director of security and research at Websense, a family of obfuscation routines with the umbrella name of "JS/Wonka" has spread wildly in the last few weeks.

"For whatever reason, the number has just skyrocketed since the last of September," said Hubbard. "There are 10,000 unique sites using this exact same method. The strange thing is, they're completely different types of sites."

It's not uncommon to see hackers and scammers try to hide their malicious JavaScript code, said Hubbard. They want the code to be invisible to both Internet users and site operators. But the scale Websense is seeing is unprecedented.

Full Story
Posted Fri, Oct 21 2005 7:41 by Don

AMSTERDAM, Netherlands - Three suspects in a Dutch crime ring hacked 1.5 million computers worldwide, setting up a "zombie network" that secretly stole credit card and other personal data, prosecutors said Thursday.

The three, who were arrested Oct. 6 and originally were estimated to have hacked 100,000 computers, have yet to enter a plea.

A court in the town of Breda extended the custody of the 19-year-old main suspect and a 22-year-old accomplice for a month Thursday, and ordered the release of the third, aged 27, pending trial, prosecution spokesman Wim de Bruin said. The suspects' names have not been released.

Complete Yahoo News Story
Posted Fri, Oct 21 2005 7:29 by Don

Grisoft announces the release of AVG Anti-Virus 7.1, the latest version of its award-winning AVG Anti-Virus software. All current AVG customers will be able to download the upgrade to the new 7.1 version through the standard update process. To ensure that all customers are able to take advantage of the full functionality offered by AVG 7.1 as soon as possible, the upgrade will be available as two updates: a “Recommended Update” available today, which will include program components, and a second update available on Monday, October 24, which will include additional components.

Among the most important new features you will find:

  • Detection of potentially unwanted applications.
  • Support for Windows XP 64-bit Edition
  • Additional configuration options for the AVG Resident Shield
  • Improved support for screen reader programs
  • Further reduction of update package size
  • Improved automatic configuration wizard for the AVG Firewall
  • And more: extended email scanning options, additional event history logging, extended system area test options

http://www.grisoft.com/doc/366/lng/us/tpl/tpl01
Posted Thu, Oct 20 2005 10:02 by Don

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches.

Supported Products and Components Affected

The security vulnerabilities addressed by this Critical Patch Update affect the products listed in Categories I, II, and III.

Products affected by this Vulnerability
Posted Thu, Oct 20 2005 7:50 by Don

Federal regulators have outlined several ways in which financial institutions can keep financial data and account access more secure on the Internet.

The Federal Financial Institutions Examination Council released new security guidance for Internet banking last week. The guidance will replace Authentication in an Electronic Banking Environment issued in 2001.

The council states that single-factor authentication is behind much of the identity theft and account fraud reported in the past several years. Banks will be required to have a two-tiered approach to security by next year. The council did not endorse any particular technology, but it did outline several methods for improving authentication.

Read Full Story
Posted Wed, Oct 19 2005 6:14 by Don

Virus writers are targeting Skype users with a new Trojan that poses as the latest version of the popular VoIP software.

Net security firm MessageLabs has detected and blocked more than 800 copies of a new variant of the MyTob (AKA Fanbot) Trojan, which is being distributed by email. References and nicknames contained in the code lead MessageLabs to conclude that the malware was probably created by a well known Chinese black hat hacker and not the original author of the malware strain.

Maksym Schipka, a senior antivirus researcher at MessageLabs, said the malware is the first he's aware of that mentions Skype and as such represents a new theme for social engineering attacks.

The malware arrives in an attachment in messages posing as the latest (v1.4) release of Skype. Legitimate downloads of the software only came out last week, so the attack is timely. If users open the infected payload on a vulnerable Windows machine they will find their PCs transformed into zombie clients (theoretically at least) under the control of computer hackers.

Schipka said that compromised machines fail to connect to IRC servers, so they are not much use to the bad guys right now. He added that the release of a variant of MyTob by someone other than the original author showed the source code was available in at least "some circles" of the computer underground.

http://www.securityfocus.com/news/11348
Posted Tue, Oct 18 2005 18:03 by Don

Snort Back Orifice Preprocessor Buffer Overflow
Original release date: October 18, 2005
Source: US-CERT

Systems Affected

  • Snort versions 2.4.0 to 2.4.2
  • Sourcefire Intrusion Sensors
Other products that use Snort or Snort components may be affected.

Overview

The Snort Back Orifice preprocessor contains a buffer overflow that could allow a remote attacker to execute arbitrary code on a vulnerable system.

I. Description

Snort is a widely-deployed, open-source network intrusion detection system (IDS). Snort and its components are used in other IDS products, notably Sourcefire Intrusion Sensors, and Snort is included with a number of operating system distributions.

Snort preprocessors are modular plugins that extend functionality by operating on packets before the detection engine is run. The Back Orifice preprocessor decodes packets to determine if they contain Back Orifice ping messages. The ping detection code does not adequately limit the amount of data that is read from the packet into a fixed-length buffer, thus creating the potential for a buffer overflow.

The vulnerable code will process any UDP packet that is not destined to or sourced from the default Back Orifice port (31337/udp). An attacker could exploit this vulnerability by sending a specially crafted UDP packet to a host or network monitored by Snort.

US-CERT is tracking this vulnerability as VU#175500. Further information is available in an advisory from Internet Security Systems (ISS).

II. Impact

A remote attacker who can send UDP packets to a Snort sensor may be able to execute arbitrary code. Snort typically runs with root or SYSTEM privileges, so an attacker could take complete control of a vulnerable system. An attacker does not need to target a Snort sensor directly; the attacker can target any host or network monitored by Snort.

http://www.us-cert.gov/cas/techalerts/TA05-291A.html
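The defect described in section I above is a classic one: a fixed-length buffer filled with as many bytes as the packet says it carries. The following C program is an added illustration, not Snort's source and not code from the advisory. It models a Back Orifice ping check two ways, first with the packet length trusted (the vulnerable shape) and then with the copy bounded (the fix), and it keeps the advisory's port predicate so the attack surface is visible. The buffer size (64 bytes), the single-byte XOR keystream, the function names and the sample packets are all assumptions made for the example; the real protocol uses a password-derived keystream and Snort's buffer was larger.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * Illustrative model of the bug class in TA05-291A. NOT Snort's source: the
 * buffer size, the one-byte XOR keystream and the sample packets are assumed.
 */

#define BO_DEFAULT_PORT 31337          /* from the advisory */
#define BO_MAGIC        "*!*QWTY?"     /* Back Orifice plaintext header magic */
#define BO_MAGIC_LEN    8
#define BO_BUF_SIZE     64             /* assumed; small so the overflow is easy to see */

/* Per the advisory, the vulnerable path inspects UDP packets whose source AND
 * destination ports are both something other than 31337. */
int bo_should_inspect(uint16_t sport, uint16_t dport)
{
    return sport != BO_DEFAULT_PORT && dport != BO_DEFAULT_PORT;
}

/* Toy keystream: XOR with a single repeating byte (assumption for the example). */
static void bo_xor(const uint8_t *in, size_t n, uint8_t key, char *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(in[i] ^ key);
}

/*
 * Vulnerable shape: the packet's own length drives the copy into a fixed
 * stack buffer. With len > BO_BUF_SIZE this writes past 'plain' onto the
 * stack, which is what the advisory's remote code execution rides on.
 * Never call this with an oversized payload; it exists only to show the
 * missing check. Returns 1 if the decoded payload starts with the BO magic.
 */
int bo_is_ping_unsafe(const uint8_t *payload, size_t len, uint8_t key)
{
    char plain[BO_BUF_SIZE];
    bo_xor(payload, len, key, plain);          /* no bound on len */
    return len >= BO_MAGIC_LEN && memcmp(plain, BO_MAGIC, BO_MAGIC_LEN) == 0;
}

/*
 * Hardened shape: decode at most sizeof(plain) bytes. Only the first
 * BO_MAGIC_LEN bytes matter for the ping check, so truncating the copy keeps
 * detection intact while removing the overflow.
 */
int bo_is_ping_safe(const uint8_t *payload, size_t len, uint8_t key)
{
    char plain[BO_BUF_SIZE];
    size_t n = len < sizeof plain ? len : sizeof plain;
    bo_xor(payload, n, key, plain);
    return n >= BO_MAGIC_LEN && memcmp(plain, BO_MAGIC, BO_MAGIC_LEN) == 0;
}

/* Build an "encrypted" packet from plaintext with the toy keystream (constructed input). */
size_t bo_build(const uint8_t *plain, size_t n, uint8_t key, uint8_t *out, size_t cap)
{
    if (n > cap) return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = plain[i] ^ key;
    return n;
}

static const uint8_t KEY = 0x5a;   /* assumed toy key */

/* Constructed sample: a 16-byte ping that fits the buffer. */
int bo_demo_small_ping(void)
{
    static const uint8_t hdr[16] = { '*','!','*','Q','W','T','Y','?', 0,0,0,16, 0,0,0,1 };
    uint8_t pkt[16];
    bo_build(hdr, sizeof hdr, KEY, pkt, sizeof pkt);
    return bo_is_ping_safe(pkt, sizeof pkt, KEY);           /* 1 */
}

/* Constructed sample: a 200-byte ping, larger than the 64-byte buffer. */
int bo_demo_oversize_ping(void)
{
    uint8_t big[200], pkt[200];
    memset(big, 'A', sizeof big);
    memcpy(big, BO_MAGIC, BO_MAGIC_LEN);
    bo_build(big, sizeof big, KEY, pkt, sizeof pkt);
    /* bo_is_ping_unsafe would write 200 bytes into a 64-byte stack buffer here. */
    return bo_is_ping_safe(pkt, sizeof pkt, KEY);           /* 1, no overflow */
}

/* Constructed sample: 32 zero bytes, not a BO ping. */
int bo_demo_noise(void)
{
    uint8_t pkt[32];
    memset(pkt, 0, sizeof pkt);
    return bo_is_ping_safe(pkt, sizeof pkt, KEY);           /* 0 */
}

int main(void)
{
    printf("inspect 53->53: %d, 31337->53: %d\n",
           bo_should_inspect(53, 53), bo_should_inspect(BO_DEFAULT_PORT, 53));
    printf("small ping: %d, oversize ping: %d, noise: %d\n",
           bo_demo_small_ping(), bo_demo_oversize_ping(), bo_demo_noise());
    return 0;
}
```

The point of the hardened version is that the bound comes from the destination buffer, not from the packet. Note also what bo_should_inspect implies for the sensor: any UDP datagram that is not on 31337/udp reaches the decoder, so an attacker only needs to send traffic to some host the sensor watches, not to the sensor itself.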
Posted Tue, Oct 18 2005 17:30 by Don
Paul F. Roberts
October 17, 2005

Rootkits are becoming increasingly common on enterprise computer networks and are even being used to create undetectable download servers for pirated movies and MP3s, according to anti-virus experts.

Anti-virus software company F-Secure Corp., of Helsinki, Finland, has detected rootkits on the networks of numerous customers, and malicious-code authors are integrating rootkit stealth features into Internet worms, bots and Trojan horse programs, according to anti-virus researcher Kimmo Kasslin of F-Secure. Despite the surge in interest, only a small number of anti-virus companies offer dedicated rootkit detection features.

Rootkits are programs that are used to give a remote user access to a compromised system while avoiding detection. Originally developed more than 10 years ago and used on Unix machines, rootkits have been rare on Windows systems, said Mikko Hyppönen, manager of anti-virus research at F-Secure.

eWeek
Posted Tue, Oct 18 2005 6:27 by Don

Published: 2005-10-18,
Last Updated: 2005-10-18 05:18:40 UTC by Johannes Ullrich

Later this evening Trend updated their webpage concerning the TROJ_SSPLOIT.A virus to show that it was not MS05-051, but was MS05-012 instead. Thanks Microsoft for updating us on this as well.

Original Message:

Trend Micro reports that they spotted a POC for MS05-051 in the wild. They found it included as a new exploit in other malware. We don't have any details yet beyond what can be found at Trend Micro. If you find a copy of this malware, please forward it.

Trend Micro states that the malware was written in Visual Basic, which usually indicates some low-skilled bot-kid. Kind of odd to see it surface this way, but having it included as a new warhead in existing malware matches past patterns.

Trend Micro's virus statistics do not report any "captures" of this exploit in the wild. Not exactly sure if this is just a lab sample, or if it was actually seen in the "wild".

We will update this diary as we learn more. Source

NEW YORK (Reuters) - Federal regulators have ordered banks to tighten their Internet security procedures by the end of 2006 to help thwart identity theft, one of the fastest-growing types of consumer fraud.

In a letter sent to banks last week, the Federal Financial Institutions Examination Council said it is not sufficient that banks permit online access with a single form of authentication, such as a password or personal identification number, when the risks of a breach are too high.

"Single-factor authentication, as the only control mechanism, (is) inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties," the council said.

Yahoo News
Posted Tue, Oct 18 2005 6:03 by Don

It's Monday: time to pay your monthly credit card bill. A tech-savvy consumer, you log on, open your Web browser and surf to MBNA.com, a site run by the bank that issued your card. Once there, you enter your user name and password, access your account, check your last statement, transfer funds, and pay your bill.

Little do you know that a program on your computer, one you agreed to install, perhaps without knowing exactly what it did, is silently monitoring your actions, taking snapshots of the pages you visit and forwarding that information to a company that sells market "intelligence" to advertisers. That's if you're lucky. Worse yet, the program may be an hours-old online banking Trojan that captures your e-banking sessions and sends the information to a compromised server in Brazil or South Korea. And then ... who knows?

The details of the attacks vary, but one thing is certain: current anti-virus technology provides only sparse protection against the kinds of threats that Internet users face today. For more than a decade, anti-virus software has been a pillar of enterprise security programs. But times are changing.

Full Story
Posted Mon, Oct 17 2005 9:32 by Don