For McAfee users, I'm sure AVERT Labs is also correcting this issue. Still, it's worthwhile to monitor developments; I'm staying on DAT 5663 on my corporate PC until this issue is resolved.
McAfee DAT 5664 - False Positives may affect Compaq/HP drivers
http://community.mcafee.com/showthread.php?t=231901
http://www.theregister.co.uk/2009/07/03/mcafee_false_positive_glitch/
QUOTE: IT admins across the globe are letting out a collective groan after servers and PCs running McAfee VirusScan were brought down when the anti-virus program attacked their core system files. In some cases, this caused the machines to display the dreaded blue screen of death. Details are still coming in, but forums here and here show that it's affecting McAfee customers in Germany, Italy, and elsewhere. A UK-based Reg reader, who asked to remain anonymous because he was not authorized by his employer to speak to the press, said the glitch simultaneously leveled half of a customer's 140 machines after they updated the latest virus signature file.
Based on anecdotes, the glitch appears to be caused when older VirusScan engines install DAT 5664, which McAfee seems to have pushed out in the past 24 hours. Affected systems then begin identifying a wide variety of legitimate - and frequently crucial - system files as malware. Files belonging to Microsoft Internet Explorer, drivers for Compaq computers, and even the McAfee-associated McScript.exe were being identified as a trojan called PWS!hv.aq, according to the posts and interviews.
Malicious emails are being spammed with themes of Independence Day, the Fourth of July and fireworks shows. Please avoid related email messages/attachments, special website links, and YouTube links.
July 4th based Malware circulating
http://isc.sans.org/diary.html?storyid=6727
http://securitylabs.websense.com/content/Alerts/3431.aspx
http://www.eset.com/threat-center/blog/?p=1244
http://www.symantec.com/connect/blogs/waledac-july-campaign
Waledac.DU Information
http://blog.trendmicro.com/waledac-celebrates-independence-day-too/
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WALEDAC.DU
QUOTE: The malicious Web sites in the current attack also have a July 4 or fireworks theme within the domain name. ThreatSeeker has been monitoring the registration of these domains. Should the user click on the video, which is designed to appear to be a YouTube video, an .exe is offered. When downloaded the .exe would install the latest Waledac variant onto the user's machine.
Web admins should ensure the HTML text editor is secured, as it may be installed by default on some versions of Cold Fusion Studio.
Large # of Cold Fusion web sites compromised in past 24 hours
http://isc.sans.org/diary.html?storyid=6715
QUOTE: There have been a high number of Cold Fusion web sites being compromised in last 24 hours. It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager.
The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server. It appears that there are two attack vectors (both using vulnerable FCKEditor installations though) that the attackers are exploiting.
How to disable the HTML editor to improve safety
http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
Security research testing of the Twitter API will be conducted during the month of July. The stated goal is to bring awareness to the need for strengthening security in this very popular and flexible social network messaging facility.
MOTB Daily Findings published here
http://www.twitpwn.com/
Security Researcher Aviv Raff shares mission statement
http://aviv.raffon.net/2009/06/15/MonthOfTwitterBugs.aspx
QUOTE: Today, three years after the “Month of Browser Bugs”, I’ve decided to declare July 2009 as “Month of Twitter Bugs” (MoTB). I’m doing so in order to raise the awareness of the Twitter API issue I recently blogged about. MoTB could have been easily converted to any other “Month of Web2.0 service bugs”, and I hope that Twitter and other Web2.0 API providers will work closely with their API consumers to develop more secure products.
Below is the first documented vulnerability related to shortened URLs that may be shared in these micro-blog messages:
MoTB #01: Multiple vulnerabilities in bit.ly service
http://www.twitpwn.com/2009/07/motb-01-multiple-vulnerabilities-in.html
QUOTE: "bit.ly allows users to shorten, share, and track links (URLs). Reducing the URL length makes sharing easier. bit.ly can be accessed through our website, bookmarklets and a robust and open API. bit.ly is also integrated into several popular third-party tools such as Tweetdeck."
bit.ly has a large user base (who doesn't click bit.ly links?). However, with such a poor response rate to security vulnerabilities, and with such a poorly coded website, in terms of security, we can only hope for the best. Please be careful clicking those shortened URLs...
This informative article shares an awareness that credit card purchase patterns could be used as part of the analysis in determining whether someone is a higher credit risk.
What You Buy, Where You Shop May Affect Your Credit
http://www.walletpop.com/credit/credit-cards/article/what-you-buy-where-you-shop-may-affect/544639
QUOTE: As credit card companies continue to tighten their lending standards on card users, some are using purchasing data -- gleaned from millions of card transactions processed daily -- to weed out who may or may not be good credit risks.
Have you used your credit card at merchants specializing in secondhand clothing, retread tires, bail bond services, massages, casino gambling or betting? Your credit card issuer may be taking note -- and making decisions about your creditworthiness based on your purchasing behavior. The reason: Buying used clothing or retread tires may be an indication of financial distress and a preamble to missed credit card payments or defaults.
The recent credit crunch has placed greater emphasis on using the data to predict who may be a higher credit risk. Credit card issuers have said people living in states hard hit by foreclosures, such as Florida, Nevada and California (referred to as the "sand states") may be considered increased risks by virtue of the fact that they live there. People who shop at the same establishments where subprime borrowers shop also may be considered higher risk.
I use Firefox as a complementary browser, and the latest version became available today. The upgrade from 3.0.11 went well and so far there are no issues in using the new version.
Firefox 3.5 Home Page
http://www.mozilla.com/en-US/firefox/
Firefox 3.5 Key Features
http://www.mozilla.com/en-US/firefox/features/
Malware writers often use tragic news events to trick users into opening malicious website links, YouTube video links, or attachments. While most AV vendors have coverage in place, please avoid these types of email messages that are now actively circulating.
Malicious SPAM related to passing of Michael Jackson and Farrah Fawcett
http://isc.sans.org/diary.html?storyid=6646
http://isc.sans.org/diary.html?storyid=6658
http://sanesecurity.blogspot.com/2009/06/michael-jackson-virus-already.html
http://www.avertlabs.com/research/blog/index.php/2009/06/25/bad-news-oportunity-to-spread-malware/
http://securitylabs.websense.com/content/Alerts/3426.aspx
http://vil.nai.com/vil/content/v_132277.htm
http://www.avertlabs.com/research/blog/index.php/2009/06/26/michael-jackson-news-affects-web-traffic/
QUOTE: michael jackson virus already
Well, it didn't take long for the "them" to abuse the situation, did it?
The spam email appears to offer a link to a YouTube video, but instead sends the recipient to a Trojan Downloader hosted on a compromised Web site. The file offered is called Michael.Jackson.videos.scr
Below are some excellent articles and awareness of this popular form of attack. These programs are improving in their methods of emulating anti-virus programs and should be avoided, as they are difficult to clean.
Excellent Article on Scareware and other Rogue security programs
http://lastwatchdog.com/scareware-attacks-spreading-twitter-google-legit/
http://www.usatoday.com/tech/news/2009-06-09-cybergangs-scareware-hackers_N.htm
QUOTE: In some cases, the fake software you buy may actually provide you with some nominal protection. But mostly for your $30 to $80 the only thing you get is temporary relief from the obnoxious dialogue boxes, and misleading hard drive scans.
HOW SCAREWARE TRICKERY ENSNARES INTERNET USERS
1 Criminals buy blocks of ad space on websites, intermittently slipping in a tainted ad.
2 Just visiting a webpage with a tainted ad causes a fake warning box to appear.
3 Clicking "OK" or "Cancel" launches the same thing: a "free scan."
4 After you've been lured into a fake "free" scan of your PC:
5 The bogus scan will purport to find a virus infestation.
6 Ensuing boxes steer the user to activate "Personal Antivirus," on left.
7 The activation prompts take the user to a shopping cart.
8 Declining to place an order triggers endless fake scans.
What is Scareware
http://en.wikipedia.org/wiki/Rogue_software
http://whatis.techtarget.com/definition/scareware.html
QUOTE: Scareware is a type of malware designed to trick victims into purchasing and downloading useless and potentially dangerous software. Scareware, which generates pop-ups that resemble Windows system messages, usually purports to be antivirus or antispyware software, a firewall application or a registry cleaner. The messages typically say that a large number of problems -- such as infected files -- have been found on the computer and the user is prompted to purchase software to fix the problems. In reality, no problems were detected and the suggested software purchase may actually contain real malware.
Scareware programs produced by those companies include: DriveCleaner, WinAntivirus, ErrorSafe, WinFixer and XP Antivirus
As many folks realize, Microsoft does not distribute updates by email. However, Microsoft will alert users who have signed up for Patch Tuesday notifications that new updates are available.
In the links below, Trend Labs notes a highly deceptive email that contains authentic looking HTML and valid Microsoft site links. Even the wording appears to be legitimate. The email address is also spoofed to appear as if it originated from "Microsoft Customer Support".
Fortunately, spoofed email headers often end up in the spam or bulk mail folders automatically. As Trend Labs notes, the best practice of hovering over email links would reveal a destination different from the one shown in the message.
Finally, when notified of any vendor updates, it's always best to go to the vendor's home site to check directly (rather than using the email link). However, this particular attack could trick some users, as it bears some resemblance to a Microsoft security notification.
Trend Labs - “Critical Update” Leads to Critical Info Theft
http://blog.trendmicro.com/critical-update-leads-to-critical-info-theft/
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FZBOT%2EBTS&VSect=T
Spoofed “Critical Update” appears to originate from Microsoft
http://www.trendmicro.com/vinfo/images/blog/062209_fig1.gif
QUOTE: Microsoft Corporation regularly issues updates to fix bugs and security vulnerabilities in its software products. These updates are meant to protect its users from different attacks that depend mainly on exploiting these documented bugs. Close to the weekend, we identified spam claiming to be a Microsoft Outlook and Outlook Express critical update that “offers the highest levels of stability and security.”
A tricky difference here is that all the links in the email (the links to Contact Us, Privacy Statement, Trademarks, and Terms of Use) are legitimate–except one. The URL where the “critical update” may be downloaded looks legitimate, but hovering over the hyperlink (or checking the source code of the mail) reveals a totally different destination.
Our engineers confirm that the list contained several names of banking institutions, among other social networking targets like Facebook and MySpace, and media sites YouTube and Flickr. The list can be viewed here. Note that the said list may be changed at any time.
How does the scam work? Whenever the user visits any of the monitored sites, the Trojan starts logging keystrokes. It then saves gathered information (which presumably includes sensitive information like user name and password, credit card information, etc.) in a file and then sends the file to a dedicated server.
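The "hover over the link" check that Trend Labs describes can be automated for an HTML mail body. The following is an added example, not code from the original post or from Trend Micro: it parses every anchor, flags links whose visible text is a URL on a different host than the real href (the trick used in this "critical update" mail), and flags any link that leaves the vendor's domain in a message claiming to be a vendor notification. The sample mail, the hostnames `update-download.example.net` and `landing`-style paths are constructed for the example; `audit_vendor_email` and `registrable_domain` are names chosen here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(url):
    """Lower-cased host reduced to its last two labels ('www.microsoft.com' -> 'microsoft.com').
    Crude on purpose (no public-suffix list), which is enough for a brand-vs-stranger comparison."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


# Visible link text that itself looks like a URL or bare hostname.
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)*\.[a-z]{2,}(/\S*)?$", re.I)


def audit_vendor_email(html, vendor_domain):
    """Return (reason, visible_text, href) for every link that should worry the reader
    of a mail claiming to come from vendor_domain."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        real = registrable_domain(href)
        if URL_LIKE.match(text) and registrable_domain(text) != real:
            # The classic lure: the displayed URL and the actual destination disagree.
            findings.append(("displayed URL differs from real destination", text, href))
        elif real != vendor_domain.lower():
            # Everything in a vendor notification should point at the vendor itself.
            findings.append(("link leaves the vendor's domain", text, href))
    return findings


# Constructed sample modelled on the mail described above: four legitimate footer links
# and one "download" link whose visible URL does not match its real destination.
SAMPLE_EMAIL = """<html><body>
<p>Outlook / Outlook Express critical update offers the highest levels of stability and security.</p>
<p>Download: <a href="http://update-download.example.net/microsoft/outlook/update.exe">http://www.microsoft.com/downloads/update.exe</a></p>
<p><a href="http://www.microsoft.com/contactus/">Contact Us</a> |
<a href="http://privacy.microsoft.com/">Privacy Statement</a> |
<a href="http://www.microsoft.com/trademarks/">Trademarks</a> |
<a href="http://www.microsoft.com/legal/">Terms of Use</a></p>
</body></html>"""

if __name__ == "__main__":
    for reason, text, href in audit_vendor_email(SAMPLE_EMAIL, "microsoft.com"):
        print(f"{reason}: '{text}' -> {href}")
```

The same two rules (text/href host mismatch, and off-domain links in a message that claims a single sender) are what a mail gateway's URL-rewriting or link-analysis stage applies; running them on the source of the mail catches what a reader would only see by hovering.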
SPAM email should always be deleted without opening it or any accompanying attachments. Daily, I receive numerous copies of dating services and other SPAM in my personal email.
Some key dangers include tricking users into visiting malicious websites or revealing credit card or personal information.
Trend Labs shares some dangers in a good awareness article below:
http://blog.trendmicro.com/deceitful-advertisement-thru-dating-spam/
QUOTE: Today we have noticed an increase in the amount of dating spam mails containing phrases such as:
I’m emailing you because I like you
wanted to let you know about my profile
you have been invited to join
The link in the spam points to an adult-dating web page, as well as a profile on the right corner of the screen with a huge clickable ad that says, CLICK HERE TO CHAT FOR FREE.
Following the link opens a page where the visitor is asked to register by providing an email address and password. Afterward the visitor’s browser opens a new site where he/she is prompted to create a preferred chat handle (username). Users tempted to correctly fill up the forms from the shown web pages provide a free service to the cybercriminals as they reveal their valid email addresses, passwords, and credit card information.
Please be careful with website visitations as malicious attacks continue to compromise some sites that may not be locked down well from a security standpoint.
Nine-Ball Mass Injection attack compromises 40,000 Websites
http://www.eweek.com/c/a/Security/40000-Web-Sites-Compromised-in-Mass-Attack-227486/
http://securitylabs.websense.com/content/Alerts/3421.aspx
http://vil.nai.com/vil/content/v_141590.htm
QUOTE: Websense Security Labs has detected another large mass injection attack in the wild after the Beladen and Gumblar attacks. We are calling this mass compromise Nine-Ball because of the final landing site. We have been tracking the Nine-Ball mass compromise since 6/03/2009. To date, over 40,000 legitimate Web sites have been compromised with obfuscated code that leads to a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a trojan downloader on the user's machine.
After redirection, the exploit payload site returns highly obfuscated malicious code. The malicious code attempts to exploit MS06-014 (targeting MDAC) and CVE-2006-5820 (targeting AOL SuperBuddy), as well as employing exploits targeting Acrobat Reader and QuickTime. The MS06-014 exploit code will download a Trojan dropper with low AV detection rate. This dropper drops a dll with the name SOCKET2.DLL to Windows' system folder. This file is used to steal user information. The malicious PDF file, served by the exploit site, also has very low AV detection rate.
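Mass-injection campaigns like Nine-Ball leave the same footprints on a compromised page: an inline script that decodes an encoded blob and executes it, and a hidden iframe that starts the redirection chain. The following is an added example, not code from the original post or from Websense: a small static scanner over a page's HTML that reports those indicators. The sample pages, the hostnames `redirect-hop.example` and `landing.example`, and the function names `scan_html` and `_is_hidden` are constructed for this example.

```python
import re
from html.parser import HTMLParser

# Decode-then-execute chains typical of injected loaders.
DECODE_EXEC = re.compile(
    r"\b(eval|document\.write|setTimeout)\s*\(\s*"
    r"(unescape|decodeURIComponent|String\.fromCharCode)\b", re.I)
# Long runs of %xx or \xNN escapes: the encoded payload itself.
ENCODED_RUN = re.compile(r"(?:%[0-9a-f]{2}){40,}|(?:\\x[0-9a-f]{2}){40,}", re.I)


class _PageCollector(HTMLParser):
    """Gathers inline <script> bodies and <iframe> attribute maps."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1] += data


def _is_hidden(attrs):
    """Zero/one-pixel frames or CSS-hidden frames: invisible to the visitor, live to the browser."""
    style = attrs.get("style", "").replace(" ", "").lower()

    def tiny(value):
        return value.strip().lower().replace("px", "").strip() in ("0", "1")

    return (tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def scan_html(html):
    """Return (indicator, evidence) pairs for injection-style content found in a page."""
    parser = _PageCollector()
    parser.feed(html)
    findings = []
    for body in parser.scripts:
        m = DECODE_EXEC.search(body)
        if m:
            findings.append(("decode-then-execute chain", m.group(0)))
        m = ENCODED_RUN.search(body)
        if m:
            findings.append(("long encoded blob", m.group(0)[:45] + "..."))
    for attrs in parser.iframes:
        if _is_hidden(attrs):
            findings.append(("hidden iframe", attrs.get("src", "")))
    return findings


# Constructed samples (not real compromised content): a page carrying an injected
# loader plus a hidden frame, and a clean page for comparison.
_PAYLOAD = "document.write('<iframe src=\"http://redirect-hop.example/\" width=0 height=0></iframe>')"
INJECTED_PAGE = (
    "<html><body><h1>Welcome</h1>"
    "<script>eval(unescape('" + "".join("%%%02x" % ord(c) for c in _PAYLOAD) + "'))</script>"
    '<iframe src="http://landing.example/stats.php" width="0" height="0" style="display:none"></iframe>'
    "</body></html>"
)
CLEAN_PAGE = "<html><body><script>var x = 1; console.log(x);</script><p>Hello</p></body></html>"

if __name__ == "__main__":
    for indicator, evidence in scan_html(INJECTED_PAGE):
        print(f"{indicator}: {evidence}")
```

Pointing this at a site's own published HTML (or a crawl of it) is a cheap way for a web admin to notice an injection before the AV vendors' blocklists do; a clean page yields no findings, so the output is only noise when something actually changed.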
Several reports are circulating in the media about a new Microsoft consumer security product that will soon be announced. As early reports sometimes contain inaccuracies, only the company's official announcements should be relied on at this point.
Hopefully, MSE will be successful in providing basic security protection. WGA validation also seems to be a reasonable requirement for the enhanced malware protection this product will offer. Once official Microsoft announcements are published, we'll know more about this new product.
Microsoft Security Essentials (MSE) Beta version to be released soon
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=913455
http://www.informationweek.com/news/security/app-security/showArticle.jhtml?articleID=218100195
http://www.pcmag.com/article2/0,2817,2348996,00.asp
http://news.cnet.com/8301-1009_3-10268040-83.html
http://www.windowslive.com/Connect/Post/14eb0c3e-78fc-4e21-8783-c4521a4d83a6
http://blogs.zdnet.com/microsoft/?p=3120
http://blogs.zdnet.com/Bott/?p=1067
PC Magazine - Early in-depth evaluation
http://www.pcmag.com/article2/0,2817,2348998,00.asp
QUOTE: Microsoft Corp. today said it will release a public beta of its free antimalware software, now called Microsoft Security Essentials, formerly "Morro," next Tuesday for Windows XP, Vista and Windows 7. "This is security you can trust," said Alan Packer, general manager of Microsoft's antimalware team, when asked to define how it differs from rivals, both free and not. "And it's easy to get and easy to use." He stressed the Security Essentials' real-time protection over its scanning functions, which are both integral to any security software worth its weight. "Rather than scan and clean, which it also does, it's trying to keep you from being infected in the first place," Packer said. Microsoft will not give Security Essentials to everyone who wants it, however. PCs running a copy of Windows that Microsoft decides is counterfeit or pirated -- "non-genuine" in its parlance -- cannot download a copy of the security software.
Hopefully, the Twitter site administrators can respond promptly to proof-of-concept vulnerabilities that are crafted by Aviv Raff, a highly experienced security research expert. Users should be alert for any major issues that surface. Most importantly, be careful with all forms of communication keeping a good focus on privacy and security.
Month of Twitter Bugs - July 2009
http://blogs.zdnet.com/security/?p=3632
QUOTE: A well-known security researcher plans to use the month of July to expose serious vulnerabilities in the Twitter ecosystem. The Month of Twitter Bugs, a project which launches on July 1, is the handiwork of Aviv Raff, a researcher known for his work on Web-based security issues. Raff, who previously warned that the Twitter API is ripe for abuse, says the project will disclose a combination of cross-site scripting (XSS) and cross-site request forgery (CSRF) flaws that put Twitter users at risk of malicious hacker attacks.
Microsoft is adjusting Autorun technology for XP to provide the improved safety Vista currently supports. AVERT Labs shares an awareness that any portable storage device (e.g., MP3 players, digital picture frames, digital cameras) may also be vulnerable to Autorun malware attacks. Additionally, these worms often infect unprotected network shares, as well as compromising accounts with weak passwords.
Autorun Worms - Infect more than just USB Flash Drives
http://www.avertlabs.com/research/blog/index.php/2009/06/11/worms-dig-further-than-thumb-drives/
QUOTE: Here’s a little quiz: Which of the following devices may be susceptible to AutoRun worms?
Answer - Most USB devices that you can plug into your computer that have storage.
How many of you have an MP3 player? How many of you plug the device into more than one computer? Bingo, that’s a vector for replication. How about a digital video camera, or a digital picture frame? Yep, they can also be infected. Just imagine this one: “Here you go grandma, a picture of little Bobby. Oh, and a little surprise to go with it, as well.” Devices such as MP3 players are just glorified storage drives with additional functions. One unintended aspect of this functionality may be to assist in worm propagation.
In almost all cases, Windows Update (or preferably Microsoft Update) works accurately. I usually update manually right away without waiting for Automatic Updates to start. Windows Update can be invoked immediately by selecting the Windows Update option found under the IE8 Safety shield icon, or by other methods.
All work PCs were updated without issues for the June 2009 security updates. However, I encountered a rare error on our family PC at home. A total of 10 of 11 updates were downloaded and installed properly. After rebooting, security update MS09-025 continued to show a "Download Failed" message. I noted a temporary folder on C: created by the June updates that may have been a factor.
After 3 tries using Windows Update, I then went to Microsoft Download site to manually download the MS09-025 patch. As a starting point, I searched using keyword MS09-025 to locate the specific update that needed to be applied. After locating the XP security patch, I downloaded and installed this patch manually outside of the regular Windows Update process.
Microsoft's Download Site
Search by bulletin or KB # to find a specific security update for your O/S
http://www.microsoft.com/downloads/en/default.aspx
After successfully installing MS09-025 and rebooting, I reinvoked Windows Update to ensure there are no updates left to be applied. This final step ensured the special manual update process was successful. We are now properly up-to-date at home with these important protective patches.
I've used Opera as a complementary browser since the free "ad-bar" version first surfaced several years ago. Thankfully the ad bar was later removed and Opera has enjoyed a good track record in security, innovation, and web standards support. While less popular than IE or Firefox, it offers a sophisticated and reliable browser environment. It is working well so far in early testing.
Opera 10 Beta - New Innovations
http://www.eweek.com/c/a/Web-Services-Web-20-and-SOA/Opera-10-Beta-Adds-Turbo-Mode-Makes-Improvements-to-Tabbed-Windows-669426/
QUOTE: The Opera 10 beta includes new features—including a Turbo mode that aims to speed slow connections—that will likely find their way into rival browsers in the future. Ever wonder what features will be found in the next generation of Web browsers? Well, usually there’s one easy way to find out: Just check out the latest version of Opera. Opera may not be the best known or most used Web browser out there, but, over the years, it has been one of the most innovative. Often, features that become mainstays across browsers appeared first in Opera.
Opera 10 Beta - Features
http://www.opera.com/browser/next/
Opera 10 Beta - Download
http://www.opera.com/browser/download/?ver=10.00b1
Opera 10 Beta - Blog
http://my.opera.com/desktopteam/blog/
Opera 10 Beta - New Features
http://www.opera.com/docs/changelogs/windows/1000b1/
KEY NEW FEATURES
* Opera Turbo Mode
* Automatic updates
* Crash logging
* Inline spelling checker
* 100/100 and pixel-perfect on the Acid3 test
* Significantly improved performance, particularly on CSS/HTML rendering
* Opera Mail HTML Compose support
Every monthly update should be applied as soon as possible. Often we are racing against the clock to patch all systems to make them safer from exploits that will emerge or may already be found in-the-wild.
The June 2009 security release has 10 security updates that cover 31 vulnerabilities in Windows, IE, Office, and IIS. So far these installed updates are working well and without issues on my PCs. As some of the patched vulnerabilities have working exploits, it is important for everyone to PATCH NOW.
Microsoft Security June 2009 Updates - IMPORTANT Patch Tuesday Updates
https://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx
MS09-018 - Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)
MS09-019 - Cumulative Security Update for Internet Explorer (969897)
MS09-020 - Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
MS09-021 - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)
MS09-022 - Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)
MS09-023 - Vulnerability in Windows Search Could Allow Information Disclosure (963093)
MS09-024 - Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)
MS09-025 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
MS09-026 - Vulnerability in RPC Could Allow Elevation of Privilege (970238)
MS09-027 - Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)
Excellent Analysis of updates
http://isc.sans.org/diary.html?storyid=6538
http://blog.trendmicro.com/june-2009-microsoft-and-adobe-security-updates/
https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/vulnerabilities_exploits/article-id/197
Microsoft asking for help with SysInternals Survey
http://isc.sans.org/diary.html?storyid=6544
QUOTE: Hands-down the best tools for determining what is going on on a Windows system are Mark Russinovich's and Bryce Cogswell's Sysinternals Tools. Frequent contributor Roseman has pointed out that Microsoft is asking for your help improving the Sysinternals tools. Over at the Microsoft Technet blog they are requesting Sysinternals users to take a short survey.
http://blogs.technet.com/sysinternals/archive/2009/06/08/short-sysinternals-customer-survey.aspx
QUOTE: Sysinternals Customer Survey – We could use your help. We're looking into who uses the Sysinternals tools and what other Microsoft tools you use. Please take this very short questionnaire (7 questions max. depending on how you answer). We won’t ask you who you are, your email or anything that can identify you. - Thanks
Recently, I saw articles stating that the Gumblar website injection attacks were gaining strength and could become worse than Conficker. Gumblar was a very sophisticated malware attack that took off like wildfire a couple of weeks ago. Thankfully, this new threat has almost faded away, as the malware hosting websites were quickly shut down by authorities.
Experts: Gumblar attack is alive, worse than Conficker
http://news.cnet.com/8301-1009_3-10251779-83.html
Gumblar Attacks Dying Off
http://blogs.pcmag.com/securitywatch/2009/06/gumblar_attacks_dying_off.php
Conficker is still alive and well, as it continues to infect up to 50,000 PCs daily. Users need to stay up-to-date on all security updates and AV protection. We should follow major evolving threats, as sophisticated stealth attacks continue to circulate.
Conficker still infects approximately 50,000 PCs daily
http://viewfromthebunker.com/2009/05/20/conficker-continues-to-spread/
http://www.networkworld.com/news/2009/052109-conficker-still-infecting-50000-pcs.html
QUOTE: The worm is infecting about 50,000 new PCs each day, according to researchers at Symantec, who reported Wednesday that the U.S., Brazil and India have been hit the hardest. "Much of the media hype seems to have died down around Conficker/Downadup, but it is still out there spreading far and wide," Symantec said in a blog post.