June 2004 - Posts
Secunia offers an extensive history and documentation related to exploits and vulnerabilities affecting Internet Explorer. Four key graphs are shown below from Secunia's website. More information can be found at the link below:
The Bankhook.A trojan appears to be the same one referenced by both Tech Republic and the Internet Storm Center. It exploits IE vulnerabilities and captures keystrokes whenever one of the 50 banks noted at Panda's site (see technical description) is referenced.
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=49138
Brief Description
Bankhook.A is a Trojan that installs itself on the affected computer by taking advantage of several vulnerabilities. Bankhook.A is a DLL (Dynamic Link Library) that registers itself in order to ensure it is run whenever the browser Internet Explorer is launched.
Bankhook.A searches for several text strings associated with different online banks in the HTTPS traffic generated on the affected computer. If successful, Bankhook.A steals users' confidential information such as user name, passwords, account number, credit card number, etc. Then, Bankhook.A sends this data to a remote computer in a script.
New Pop-up program reads keystrokes, steals passwords
http://techrepublic.com.com/5100-22_11-5252997.html
A malicious program that installs itself through a pop-up can read keystrokes and steal passwords when victims visit any of nearly 50 targeted banking sites, security researchers warned on Tuesday. The targeted sites include major financial institutions, such as Citibank, Barclays Bank and Deutsche Bank, researcher Marcus Sachs said Tuesday.
"If (the program) recognizes that you are on one of those sites, it does keystroke logging," said Sachs, director of the Internet Storm Center, a site that monitors network threats. Even though all financial sites use encryption built into the browser to protect log-in data, the Trojan horse program can capture the information before it gets encrypted by the browser software. "The browser does not encrypt data between your keyboard and computer. It's encrypting it (when it goes) out onto the Web."
Internet Storm Center also shares information on this:
http://www.incidents.org/diary.php?date=2004-06-29
A new "moderately critical" IE vulnerability was just posted by Secunia.
Internet Explorer Frame Injection Vulnerability
http://secunia.com/advisories/11966/
Secunia Advisory: SA11966
Release Date: 2004-06-30
Moderately critical
Impact: Spoofing
Software: Microsoft Internet Explorer 5.01, 5.5, 6.0
Description: A 6 year old vulnerability has been discovered in Microsoft Internet Explorer, allowing malicious people to spoof the content of websites. The problem is that Internet Explorer fails to stop a malicious website from loading arbitrary content in an arbitrary frame in another browser window. An example has been posted, which shows arbitrary content in a frame on windowsupdate.microsoft.com.
http://www.computerworld.com/securitytopics/security/story/0,10801,94203,00.html
Sporting long sideburns, a goatee and black baseball cap, instructor Ralph Echemendia has a class of 15 buttoned-down corporate, academic and military leaders spellbound. The lesson: hacking. The students huddled over laptops at a Los Angeles-area college have paid nearly $4,000 to attend "Hacker College," a computer boot camp designed to show how people will try to break into network systems -- and how they will succeed. "It's an amazing thing how insecure the big corporations are," said Echemendia during a break in the weeklong seminar. "It's just amazing how easy it is."
It is recommended that this critical security update for Apache web servers be applied as soon as possible.
Article: Another big Apache hole found
http://www.computerworld.com/securitytopics/security/story/0,10801,94191,00.html
Linux and Unix vendors are releasing fixes for a critical bug in the popular Web server Apache that could allow attackers to crash the system or execute malicious code.
The bug affects Apache 1.3.x installations configured to act as proxy servers, which relay requests between a Web browser and the Internet. When a vulnerable server connects to a malicious site, a specially crafted packet can be used to exploit the vulnerability, according to security researcher Georgi Guninski, who has publicly released exploit code.
The bug is most serious on BSD installations, where it may allow code execution, while on other platforms the most likely effect is a system crash, researchers said. A reference in the Common Vulnerabilities and Exposures database can be found here.
Symantec provides good instructions on how to repair the Windows Hosts file if a virus or trojan horse modifies it to block or redirect IE to certain sites.
http://www.symantec.com/avcenter/venc/data/trojan.ecure.html
How to repair the Windows Hosts file
Note: The location of the Hosts file may vary and some computers may not have this file. For example, if the file exists in Windows 98, it will usually be in C:\Windows; and it is located in the C:\WINNT\system32\drivers\etc folder in Windows 2000. There may also be multiple copies of this file in different locations.
Follow the instructions for your operating system:
Windows 95/98/Me/NT/2000
1. Click Start, point to Find or Search, and then click Files or Folders.
2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
3. In the "Named" or "Search for..." box, type: hosts
4. Click Find Now or Search Now.
5. For each Hosts file that you find, right-click the file, and then click Open With.
6. Deselect the "Always use this program to open this program" check box.
7. Scroll through the list of programs and double-click Notepad.
8. When the file opens, delete all the entries in the Hosts file, except for the following line: 127.0.0.1 localhost
9. Close Notepad and save your changes when prompted.
Windows XP
1. Click Start > Search.
2. Click All files and folders.
3. In the "All or part of the file name" box, type: hosts
4. Verify that "Look in" is set to "Local Hard Drives" or to (C:).
5. Click More advanced options.
6. Check Search system folders.
7. Check Search subfolders.
8. Click Search.
9. Click Find Now or Search Now.
10. For each Hosts file that you find, right-click the file, and then click Open With.
11. Deselect the "Always use this program to open this program" check box.
12. Scroll through the list of programs and double-click Notepad.
13. When the file opens, delete all the entries in the Hosts file except for the following line: 127.0.0.1 localhost
14. Close Notepad and save your changes when prompted.
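As an added example (not part of Symantec's instructions or the original post), the Python script below applies the same rule as the steps above to the text of a Hosts file: every mapping other than the loopback "127.0.0.1 localhost" line is reported, classified as a block (target is a 127.x address, so the site silently stops resolving) or a redirect to some other address, and a repaired copy that keeps only comments and the localhost line is produced. The sample Hosts content and the .test hostnames in it are constructed for the example.

```python
from typing import List, Tuple

# Constructed sample of a hijacked Hosts file: the legitimate loopback line
# plus entries of the kind a trojan adds to block update sites or redirect a
# bank login. All hostnames are made-up .test names, not real sites.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       update.example-antivirus.test
127.0.0.1       www.example-antivirus.test
192.0.2.10      www.example-bank.test   # login page sent to a foreign address
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; blank lines and '#' comments are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def is_localhost_line(ip: str, name: str) -> bool:
    """The one mapping the repair instructions tell you to keep."""
    return ip == "127.0.0.1" and name == "localhost"


def classify(ip: str) -> str:
    """A loopback target silently blocks the site; anything else redirects it."""
    return "blocked" if ip.startswith("127.") else "redirected"


def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """(hostname, ip, verdict) for every mapping other than '127.0.0.1 localhost'."""
    return [(name, ip, classify(ip)) for ip, name in parse_hosts(text)
            if not is_localhost_line(ip, name)]


def repaired_hosts(text: str) -> str:
    """Copy of the file with comments and the localhost line kept and every
    other mapping removed, i.e. steps 8/13 above done programmatically."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)
            continue
        parts = stripped.split("#", 1)[0].split()
        if len(parts) == 2 and is_localhost_line(parts[0], parts[1].lower()):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for name, ip, verdict in suspicious_entries(SAMPLE_HOSTS):
        print(f"{verdict:10} {name} -> {ip}")
    print("--- repaired ---")
    print(repaired_hosts(SAMPLE_HOSTS), end="")
```

On a real machine, read the file from the drivers\etc path given in the note above (and any other copies the search turns up) and feed its text to `suspicious_entries` before deciding what to remove; a blocked security-vendor site is the classic sign that the file has been tampered with.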
This new Trojan could require some extensive repair work based on the write-up at Symantec's site.
http://www.symantec.com/avcenter/venc/data/trojan.ecure.html
Trojan.Ecure is a Trojan horse that modifies the Hosts file and Internet Explorer home page.

Virus Writer for VBS/Lasku arrested
http://www.f-secure.com/weblog/
A new arrest was announced today: the Finnish Central Criminal Police is pressing charges against a Finnish man in his twenties. The man, who lives in the city of Tampere, is accused of writing and distributing the VBS/Lasku virus at the end of January 2004. VBS/Lasku is an unremarkable virus which keeps crashing when it tries to spread. The virus displays a quote taken from Tolkien's "Lord of The Rings" and deletes data. VBS/Lasku tries to replicate by sending email messages written in Finnish - which is quite rare.

BHODemon is a free tool that lists all Browser Helper Objects installed on a Windows system by scanning the registry, and gives you the ability to disable them. It lists "good" BHOs too, but it is nevertheless a useful tool for detecting and disabling malicious software.
It is available at:
http://www.definitivesolutions.com/bhodemon.htm
BHODemon scans your Registry for BHOs, and presents any it finds in a list. By highlighting a BHO in this list, and clicking the "Details" button, you can see information about this BHO, and even disable it if you wish. BHOs are disabled by simply renaming the DLL that houses them. By renaming the DLL, instead of deleting it, you have the option of enabling it later if you wish. Why would you want to do that? Because the program that installed the BHO will not run if it can't find the DLL: Go!Zilla, for example, won't run if you remove its BHOs.
Click here to download BHODemon 1.0! The file is 470K, and is now a self-extracting executable - no ZIP software required! Also, it will place itself in the 'StartUp' group for you automatically.

TEST RESULTS: It's a keeper for me. In my own testing it only found an IE based BHO for Acrobat 6.0, but this looks like a great tool to help in the fight against spyware. I took mine out of startup as I stay fairly clean, but have it in the Quick launch toolbar if needed.
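To show what a tool such as BHODemon is reading when it "scans your Registry for BHOs", here is an added Python example (not BHODemon's code) that enumerates BHOs from a .reg export of the registry. A BHO is registered by its CLSID as a subkey of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, and that CLSID's InprocServer32 key under HKEY_CLASSES_ROOT\CLSID names the DLL that houses it. The export text, CLSIDs, class names and DLL paths below are constructed, and the allowlist is an assumption standing in for whatever you have already verified as "good".

```python
from typing import Dict, List

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

# Constructed .reg export: two registered BHOs, one with a friendly class name
# and a DLL under Program Files, one unnamed with a DLL in system32. The GUIDs,
# names and paths are made up for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
@="Example PDF Helper"

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\Example Reader\\ExampleIEHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\WINDOWS\\system32\\rnd8f2a.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: value}}; '@' is the default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip().strip('"')
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")  # undo .reg escaping
            keys[current][name] = value
    return keys


def enumerate_bhos(text: str) -> List[Dict[str, str]]:
    """Resolve each CLSID under the BHO key to its class name and housing DLL."""
    keys = parse_reg(text)
    prefix = BHO_KEY + "\\"
    bhos = []
    for key in keys:
        if key.startswith(prefix):
            clsid = key[len(prefix):]
            name = keys.get(f"{CLSID_KEY}\\{clsid}", {}).get("@", "")
            dll = keys.get(f"{CLSID_KEY}\\{clsid}\\InprocServer32", {}).get("@", "")
            bhos.append({"clsid": clsid, "name": name, "dll": dll})
    return bhos


def unknown_bhos(bhos: List[Dict[str, str]], allowed_dll_names) -> List[Dict[str, str]]:
    """BHOs whose DLL file name is not on the verified-good allowlist (assumed input)."""
    allowed = {n.lower() for n in allowed_dll_names}
    return [b for b in bhos if b["dll"].split("\\")[-1].lower() not in allowed]


if __name__ == "__main__":
    found = enumerate_bhos(SAMPLE_REG)
    for b in found:
        print(f'{b["clsid"]}  {b["name"] or "<no class name>"}  {b["dll"]}')
    print("needs review:", [b["clsid"] for b in unknown_bhos(found, {"ExampleIEHelper.dll"})])
```

The disable step is not modelled here; as the product text says, BHODemon renames the DLL rather than deleting it. The point of the example is that the list always contains legitimate helpers alongside anything unwanted, so the decision has to come from the class name, the DLL path and what you know installed it, not from presence in the list alone.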
This article provides six areas of defense that can help prevent major impacts associated with DDoS attacks.
How to defend against DDoS attacks
http://www.computerworld.com/securitytopics/security/story/0,,94014,00.html
Distributed denial-of-service attacks can paralyze even the most well-structured networks for days, costing millions of dollars in lost sales, freezing online services and crippling a company's reputation. The Internet can be a dangerous place, with DDoS attacks emerging as the weapon of choice for hackers, political activists and international cyberterrorists. In addition, with ever more powerful tools in a hacker's arsenal, DDoS attacks are getting easier to launch. New viruses and worms take hold every month, so companies need to be prepared to fend off this ever-expanding security threat.
KEY METHODS OF PROTECTION
1. Black-holing or sinkholing
2. Routers and firewalls
3. Intrusion-detection systems
4. Configuring servers more securely
5. DDoS mitigation appliances
6. Additional bandwidth capacity
Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
http://csrc.nist.gov/itsec/guidance_WinXP.html
KEY SECTIONS

This web site provides links pertaining to Microsoft's vision, strategies, and tools for eliminating spam email.
Microsoft Is Committed to Help End the Spam Epidemic
http://www.microsoft.com/mscorp/twc/privacy/spam.mspx
KEY TOPICS COVERED

Personally, I'm pleased to see significant efforts by Microsoft with respect to improved security as the spam, privacy, and virus threats are more numerous than ever.
Preserving and Enhancing the Benefits of Email — A Progress Report
http://www.microsoft.com/mscorp/execmail/2004/06-28antispam.asp
At work, I used CWS Shredder on a couple of occasions, as it would remove some of the most aggressive pop-up agents that Spybot or AdAware couldn't handle.
http://www.theregister.co.uk/2004/06/29/cws_shredder/
Merijn Bellekom has abandoned developing software that removes one of the nastiest browser hijackers on the planet: CoolWebSearch, a trojan that converts your PC into a source of revenue for fly-by-night not capable of generating legitimate Web traffic.
The trojan installs dozens of bookmarks on your desktop; it also adds a toolbar to Internet Explorer and changes your home page without asking. And it significantly slows down the performance of your PC, and introduces some modifications which cause Windows to freeze, crash or randomly reboot.


http://myitforum.techtarget.com/forums/default.asp?catApp=2
Summary of Changes: We've reorganized the forums a bit. Since the Security topics on the forums see a high-volume of posts, we've put them into their own Security category to help folks find them quicker. We've also opened up a couple new forums in the new Security category: Spam and Spyware/Adware.
Today, F-Secure has issued warnings for 5 new versions of Needy ("J" thru "N"). These are Java-based trojans that exploit Internet Explorer vulnerabilities.
Needy Trojan - Five new variants (IE Java Exploits)
http://www.f-secure.com/v-descs/needy_j.shtml
http://www.f-secure.com/v-descs/needy_l.shtml
http://www.f-secure.com/v-descs/needy_m.shtml
http://www.f-secure.com/v-descs/needy_n.shtml
The Needy trojan family consists of trojans that are written in Java and use a vulnerability in the Microsoft Internet Explorer Java Runtime. Usually these trojans change the Internet Explorer homepage and search settings, and some variants also download executable trojans. This variant, Needy.J, changes the Internet Explorer start page and search settings and downloads a trojan executable.

CERT uses the term "governing" instead of "management", and I thought the list noted below provides an excellent representation of what's involved in managing the security function within an organization.
CERT: Governing for Enterprise Security
http://www.cert.org/features/green/govern_ent_sec.html
The following are the elements of governance, with respect to their role in governing for enterprise security:
- Awareness and understanding - Governing boards and senior executives are aware of and understand the criticality of governing for enterprise security:
- Protection of shareholder (or equivalent) value: They understand what actions are necessary to protect shareholder/stakeholder value with respect to enterprise security (such as protecting reputation and brand, and protecting customer privacy).
- Customer satisfaction: They understand what enterprise security actions are necessary to retain current customers and attract new customers (such as sustained marketplace confidence in comparison to competitors).
- Strategies and plans - Strategies and plans for enterprise security demonstrate how they support business objectives.
- Investments: Investments in enterprise security are aligned with and allocated so as to meet strategies and plans, taking risks into account (see risk management). Costs are optimized.
- Reporting: Status against plans is regularly reported, up to the Board. Performance against measures is monitored. Corrective action is taken when necessary.
- Policies - Policies, standards, guidelines, procedures, and measures for enterprise security exist and are regularly reviewed and enforced.
- Responsibilities - Responsibility and corresponding accountability and authority for enterprise security are clearly defined.
- Controls - Internal security controls are defined to effectively protect assets. Assets may include information, hardware, software, processes, services, physical facilities, knowledge, and people.
- Risk management - Risks to critical assets are identified and managed consistent with the enterprise's tolerance for risk. Asset protection investments are made commensurate with liability risks. The enterprise understands its liability and exposure when connected to the Internet, and takes necessary due diligence actions to minimize liability risk and exposure.
- Oversight - The enterprise is regularly evaluated and audited to ensure an acceptable level of compliance to requirements, both internal and external, for example, regulations, standards, audit criteria, market sector requirements, and security requirements and objectives.
- Public disclosure - The enterprise is open to public disclosure of its security state, where such disclosure is required.
This article provides an update on Microsoft's announced campaign to reduce email spam. The key focus includes: a new Caller-ID for email protocol standard, taking legal action against defiant spammers, and improved filtering controls.
Article: Microsoft sets sights on spam
http://news.bbc.co.uk/2/hi/technology/3837467.stm
Microsoft's Spam and Privacy information
http://www.microsoft.com/mscorp/twc/privacy/spam.mspx
There is going to be much more spam around over the coming months and years. So says George Webb, Microsoft's man in charge of the software giant's anti-spam strategy. But the good news is that although more junk mail will be sent, those that take steps to protect themselves are going to get a lot less of it landing in their inbox. The reason that less spam will reach users, he believes, is because the computer industry has finally started working together to tackle the problem. "One company alone cannot solve this," he said.
This provides an analysis of the categories of spam email received.
TYPES OF SPAM
Dubious products - 9%
Graphical porn - 7.5%
Other spam - 7.5%
Newsletters - 6%
Scams - 7%
Travel/gambling/games - 3%
Financial - 13%
Herbal/drugs/vitamins - 10%
Insurance - 4%
Non-graphic porn - 33%
http://www.incidents.org/diary.php?date=2004-06-28
We have received information about compromised systems with Internet Information Server. These systems had an administrator level account with the username IWAP_WWW added. Please check if your server has such an account and let us know what you find. Until we know more, we suggest that you consider a server compromised if you find an administrator account with this username.
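As an added example (not from the Internet Storm Center diary), the Python check below parses saved output of `net localgroup Administrators` from a Windows server and reports any member that is not on an expected baseline, which surfaces the IWAP_WWW account named above without relying on that one name alone. The command output is constructed, and the baseline list is an assumption for the example.

```python
from typing import List

# Constructed output of `net localgroup Administrators` on a Windows 2000/XP
# server. The IWAP_WWW member is the indicator named in the ISC diary above.
SAMPLE_OUTPUT = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
IWAP_WWW
The command completed successfully.

"""

# Assumed baseline of who belongs in the local Administrators group (lowercase,
# because Windows account names are not case-sensitive).
EXPECTED_ADMINS = {"administrator"}


def parse_members(output: str) -> List[str]:
    """Members are the lines between the dashed separator and the trailing status line."""
    lines = output.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("----"))
    except StopIteration:
        return []
    members = []
    for line in lines[start + 1:]:
        line = line.strip()
        if not line or line.startswith("The command completed"):
            break
        members.append(line)
    return members


def unexpected_admins(output: str, expected=EXPECTED_ADMINS) -> List[str]:
    """Every Administrators member that is not in the baseline."""
    return [m for m in parse_members(output) if m.lower() not in expected]


def has_indicator(output: str, indicator: str = "IWAP_WWW") -> bool:
    """Direct check for the specific account name the ISC asked admins to look for."""
    return any(m.lower() == indicator.lower() for m in parse_members(output))


if __name__ == "__main__":
    print("unexpected local admins:", unexpected_admins(SAMPLE_OUTPUT))
    print("IWAP_WWW present:", has_indicator(SAMPLE_OUTPUT))
```

The baseline comparison matters because the name is attacker-chosen: the IIS accounts those server versions create legitimately are IUSR_<machinename> and IWAM_<machinename>, and neither belongs in Administrators, so any IIS-looking account in that group is worth treating the way the diary advises.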