Security News and Best Practices for corporate and home users
July 2004 - Posts
This update from the Internet Storm Center provides more details on the vulnerabilities corrected by the MS04-025 security update.
http://www.incidents.org/diary.php?date=2004-07-30
Microsoft Releases a Critical Patch for Internet Explorer
Today Microsoft released a patch to Internet Explorer that addresses critical vulnerabilities that may allow malicious sites to run arbitrary code on unpatched systems. These vulnerabilities have been known for some time. One of them was being actively exploited by the Scob/Ject attack that we described in:
http://www.incidents.org/diary.php?date=2004-06-25
Considering the severity of these vulnerabilities, we recommend installing this patch as soon as possible, and hope that you have a chance to consider this security bulletin before heading home for the weekend:
http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx
The following break-down of the vulnerabilities addressed by this security update is based on CVE database entries
http://www.cve.mitre.org
CAN-2004-0549: The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.
CAN-2004-0566: Integer signedness error in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.
CAN-2003-1048: mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code due to a malformed GIF image that triggers a buffer overflow.
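The two remotely reachable flaws above, the "URL:ms-its" redirect trick (CAN-2004-0549) and the signed bfOffBits comparison (CAN-2004-0566), can both be caught with simple checks at a proxy or mail gateway. The following is an added example for this post, not code from Microsoft or the ISC; the regex, the header tuple format and the constructed BMP sample are assumptions made for illustration.

```python
import re
import struct

# CAN-2004-0549: a redirect whose Location header carries a "URL:" prefix in
# front of an ms-its: URI. Regex and header format are assumptions for the example.
_MSITS_LOCATION = re.compile(r'^\s*URL:\s*ms-its:', re.IGNORECASE)

def suspicious_redirect(headers):
    """True if any Location header uses the URL:ms-its trick.

    headers: iterable of (name, value) pairs, as a proxy would hand them over.
    """
    for name, value in headers:
        if name.lower() == 'location' and _MSITS_LOCATION.match(value):
            return True
    return False

# CAN-2004-0566: BITMAPFILEHEADER.bfOffBits handled as a signed 32-bit value.
# A vulnerable reader compares the signed value against the file size, so
# 0xFFFFFFF0 (-16 when signed) passes the check and is then used as an offset.
BMP_FILE_HEADER = struct.Struct('<2sIHHI')   # bfType, bfSize, bfReserved1/2, bfOffBits

def bmp_offset_check_vulnerable(data):
    """Mimic the flawed signed comparison: True when the offset is accepted."""
    if len(data) < BMP_FILE_HEADER.size or data[:2] != b'BM':
        return False
    off_bits = struct.unpack('<i', data[10:14])[0]   # deliberately signed
    return off_bits < len(data)                      # -16 < len(data): accepted

def bmp_offset_check_hardened(data):
    """Unsigned read plus a lower and upper bound on the pixel-data offset."""
    if len(data) < BMP_FILE_HEADER.size or data[:2] != b'BM':
        return False
    _, _, _, _, off_bits = BMP_FILE_HEADER.unpack_from(data)   # unsigned 'I'
    return BMP_FILE_HEADER.size <= off_bits < len(data)

def make_bmp(off_bits, body=b'\x00' * 64):
    """Constructed sample: a BMP file header with the given bfOffBits (not a real file)."""
    size = BMP_FILE_HEADER.size + len(body)
    return BMP_FILE_HEADER.pack(b'BM', size, 0, 0, off_bits & 0xFFFFFFFF) + body

if __name__ == '__main__':
    evil = make_bmp(0xFFFFFFF0)
    print('vulnerable accepts:', bmp_offset_check_vulnerable(evil))   # True
    print('hardened accepts:', bmp_offset_check_hardened(evil))       # False
    print(suspicious_redirect([('Location', 'URL:ms-its:evil.chm::/x.htm')]))  # True
```

The point of the BMP pair is that the same four bytes are read twice, once with `<i` and once with `<I`; only the unsigned read combined with an explicit lower bound rejects the wrapped offset.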
http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Download size: 2.8 MB
Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB867801) A security issue has been identified that could allow an attacker to compromise a computer running Internet Explorer and gain control over it. You can help protect your computer by installing this update from Microsoft.
Resolves these key vulnerabilities:
- Navigation Method Cross-Domain Vulnerability - CAN-2004-0549
- Malformed BMP File Buffer Overrun Vulnerability - CAN-2004-0566
- Malformed GIF File Double Free Vulnerability - CAN-2003-1048
I'm guessing that this is most likely an added attack feature the author of the MyDoom.M worm has implemented as a "second wave"
MyDoom.M -- DDoS Attack against Microsoft by Zindos worm
http://secunia.com/virus_information/10909/zindos/
http://www.sarc.com/avcenter/venc/data/w32.zindos.a.html
http://vil.nai.com/vil/content/v_127038.htm
W32.Zindos.A is a worm that performs a Denial of Service (DoS) attack against the domain, microsoft.com. The worm spreads through the backdoor that Backdoor.Zincite.A opens on TCP port 1034.
Due to bugs in the code, when a system that is infected with Backdoor.Zincite.A becomes infected with Backdoor.Zindos.A, an infinite infection loop is entered, with each infection of Backdoor.Zindos.A re-infecting the system. This may cause the system to become slow and unresponsive.
Note: Backdoor.Zincite.A is a backdoor Trojan horse that W32.Mydoom.M@mm drops.
A few best practices in using a Credit Card online include:
1. Always use a true credit card and never a debit card for online purchases. A credit card gives you better fraud protection under the Fair Credit Billing Act, whereas a stolen debit card number gives vandals direct access to your checking or savings account.
2. Make certain you are purchasing from a mainstream, secure site that uses secure server technology (HTTPS). Look for the "lock" icon in your browser; it indicates your information will be encrypted in transit.
3. As shared by the Internet Storm Center, use a special credit card with low limits for any online purchases.
4. Monitor credit card statements carefully for every credit card you have.
5. Contact your credit card customer service center immediately, by phone and in writing, if you detect a fraudulent transaction. Dispute windows are short, often only 30 days.
http://www.incidents.org/diary.php?date=2004-07-25
Many people use credit cards for online purchases. One thing you can do to help protect yourself is to get a credit card that you only use for online purchases and have the limit set low, say for $500. This way if your information is stolen, you have a lower limit for which someone can take advantage. Always make sure to keep an eye on that credit card statement.
Some banks will allow you to set up a one-time-use card number online, or a temporary number that is only valid for a couple of months and has a smaller limit than your main card. For more information on what you can be held liable for and steps you can take if you believe that your credit card information has been stolen, see
http://www.ftc.gov/bcp/conline/pubs/credit/atmcard.htm
Opera 7.53 now available
All users of Opera should upgrade to v7.53 to avoid a URL spoofing vulnerability. The new version is working without issues in my early testing.
Security - Fixed a JavaScript problem that made it possible to show one URL in the address bar, but load a different URL in the page (Secunia Advisory SA12028)
Opera version 7.53 now available for download.
http://www.f-secure.com/weblog/
One of the hot topics over the last months has been the continuing DDoS and extortion attacks against mostly UK-based gambling sites. According to a recent article in The Financial Times (titled "Internet gambling extortion racket broken up"), three men in their early 20s were arrested in raids in Russia. Apparently they were launching big DDoS attacks from botnets against gambling sites, then emailing them and asking for $50,000 for not doing it again. The extortion money was rerouted to Russia via the Caribbean and Latvia, but nevertheless the UK police were able to trace it, leading eventually to the arrests.
So...so far, the year looks pretty good:
Month - Country - Case
- July - Russia: Three DDoS hackers arrested
- June - Hungary: Magold virus author sentenced
- June - Finland: VBS/Lasku virus author arrested
- May - Taiwan: Peep backdoor author arrested
- May - Canada: Randex variant author arrested
- May - Germany: Agobot variant author arrested
- May - Germany: Sasser & Netsky author arrested
This group of young people came up with excellent ideas on how a network is attacked and countermeasures on how to defend it. This was impressive and they'd get an A+ from me. 
SANS mentoring class on network attacks and defense
http://www.incidents.org/diary.php?date=2004-07-24
Scott Weil, the director of the SANS Local Mentor Program, had an opportunity to meet with about 40 students from a Midwest math and science academy on Friday to discuss network security. The students ranged in age from 10 to 15 years old. Prior to beginning his talk on ways that kids can surf safely online, Scott divided the room into two groups. One group was told to design an attack on the school's network, the other group was told to defend against an attack. After discussing it for a few moments, each group was asked to explain to Scott and the rest of the students what they decided.
The level of understanding at this age is shocking. Briefly, here is what each group said they would do.
Attacking group:
- Map the network to find the computers
- Map the connections
- Understand the details of the OS; they all said they hoped the OS was Windows, and they were going to research all known vulnerabilities of Windows to plan the attack
- Attack the network by installing a virus via a memory stick onto a node of the network and then engineer a denial of service attack via spam emails
- Disable antivirus software on the network, although they didn't say how
Defending group:
- Use Macs as the operating system because its Unix operating system was more secure than Windows
- Make sure their anti-virus software was well tuned and current
- Monitor the firewall for any unusual activity
- Install a network tracker to document any illegal activities and then call in the local law enforcement
- Make sure that they had applied the latest patches to every piece of software and hardware on their network
Each group appointed a spokesperson for the group. The leader for the defense of the network and perimeter was a 10 year old.
http://zdnet.com.com/2100%2D1105_2%2D5278576.html
Regulations around privacy, such as the Health Insurance Portability and Accountability Act, and financial reporting measures, such as the Sarbanes-Oxley Act, are also raising the stakes for corporations. As a result of these regulations, companies need to keep their customers' information, as well as their financial reporting material, under tight security.
John Thompson, chief executive of security software provider Symantec, has been a longtime advocate of companies developing corporate policies on security issues. He notes that technology alone can't keep companies secure. "Security is a process, and while technologies are important to facilitate the process, the technology itself does not ensure that you are secure,"
Thompson said. "A case in point: There is a technology, a simple technology associated with securing your house, it's called a lock. But if you, a user, do not facilitate the process, or lock the door when you walk out of your house, having the technology installed is of no value. And so the process starts with first having you be aware of how you secure your home, what threats you need to protect yourself from."
Historically, companies have viewed the issue of security and antivirus protection as a problem for their IT departments. And employees at these companies have held a similar view, said IT managers and security officers.
In looking at updated statistics, I found that the all time top 10 worms intercepted in email had changed substantially, as half of these are now Netsky variants.
Message Labs - Top 10 Viruses of ALL TIME
http://www.messagelabs.com/viruseye/threats/default.asp?toptenduration=all
1. W32/MyDoom.A-mm (62M)
2. W32/Sobig.F-mm (35M)
3. W32/Netsky.B-mm (9M)
4. W32/NetSky.D-mm (9M)
5. W32/Klez.H-mm (8M)
6. W32/Swen.A-mm (5M)
7. W32/Netsky.P-mm (4M)
8. W32/Netsky.C-mm (3M)
9. W32/Yaha.E-mm (2M)
10. W32/Dumaru.A-mm (2M)
Bagle.AI - Medium Risk (McAfee)
http://vil.nai.com/vil/content/v_126798.htm
http://www.f-secure.com/v-descs/bagle_ai.shtml
http://secunia.com/virus_information/10740/bagle.ai/
Beagle.AG - Medium Risk (Symantec)
http://www.symantec.com/avcenter/venc/data/w32.beagle.ag@mm.html
VirusTotal reports significant infections
http://www.virustotal.com/flash/index_en.html
This is a mass-mailing worm with the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- harvests email addresses from the victim machine
- the From: address of messages is spoofed
- attachment can be a password-protected zip file, with the password included in the message body.
- contains a remote access component (notification is sent to hacker)
- copies itself to folders that have the string "shar" in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)
- uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines
- terminates processes of security programs and other worms
- deletes registry entries of security programs and other worms
From: (address is spoofed)
Subject: Re:
Body Text:
- >foto3 and MP3
- >fotogalary and Music
- >fotoinfo
- >Lovely animals
- >Animals
- >Predators
- >The snake
- >Screen and Music
The worm will add the following body text if the attachment is sent as a password-protected ZIP file.
- Password: (random number)
- Pass - (random number)
- Key - (random number)
Attachment: (with extension .EXE, .SCR, .COM, .CPL or .ZIP)
- MP3
- Music_MP3
- New_MP3_Player
- Cool_MP3
- Doll
- Garry
- Cat
- Dog
- Fish
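The traits listed above (bare "Re:" subject, password-protected ZIP with the password in the body, risky attachment extensions) are exactly what a mail gateway rule can key on. The following is an added example for this post, not code from McAfee, F-Secure or Symantec: a small scoring filter run over a constructed sample message that imitates the description, built in memory so it runs offline. The scoring rules, the regex and the sample message are assumptions made for the example.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions named in the Bagle.AI description; the regex is an assumption
# covering the three body-text variants ("Password:", "Pass -", "Key -").
RISKY_EXT = ('.exe', '.scr', '.com', '.cpl', '.zip')
PASSWORD_RE = re.compile(r'\b(?:Password|Pass|Key)\s*[:\-]\s*(\d+)', re.IGNORECASE)

def _zip_is_encrypted(blob):
    """True if any entry in the ZIP has the 'encrypted' general-purpose flag set."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())

def score_message(raw):
    """Return the list of Bagle-style traits found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg['Subject'] or '').strip().lower() == 're:':
        hits.append('bare "Re:" subject')
    body = msg.get_body(preferencelist=('plain',))
    text = body.get_content() if body else ''
    pw = PASSWORD_RE.search(text)
    if pw:
        hits.append('password in body: %s' % pw.group(1))
    for part in msg.iter_attachments():
        name = (part.get_filename() or '').lower()
        if name.endswith(RISKY_EXT):
            hits.append('risky attachment: %s' % name)
            if name.endswith('.zip'):
                try:
                    if _zip_is_encrypted(part.get_payload(decode=True)):
                        hits.append('encrypted zip')
                except zipfile.BadZipFile:
                    hits.append('malformed zip')
    return hits

def build_sample(encrypted=True):
    """Constructed sample message mimicking the traits above (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('Cat.exe', b'MZ' + b'\x00' * 32)   # harmless placeholder bytes
    blob = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write encrypted archives, so set the "encrypted" bit
        # (bit 0 of the general-purpose flags) in the local and central headers
        blob[blob.find(b'PK\x03\x04') + 6] |= 0x01
        blob[blob.find(b'PK\x01\x02') + 8] |= 0x01
    msg = EmailMessage()
    msg['From'] = 'someone@example.net'     # spoofed sender, as the worm does
    msg['To'] = 'victim@example.org'
    msg['Subject'] = 'Re:'
    msg.set_content('>Animals\n\nPassword: 48172\n')
    msg.add_attachment(bytes(blob), maintype='application', subtype='zip',
                       filename='Cat.zip')
    return msg.as_bytes()

if __name__ == '__main__':
    for hit in score_message(build_sample()):
        print(hit)
```

Scanning for the encryption flag rather than trying to open the archive is deliberate: the gateway does not need the password to know that a password-protected executable is arriving with its key printed in the body, which is the whole trick this family uses to slip past content scanners.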
This new Korgo variant poses a significant threat for unpatched Windows systems.
MS04-011: Korgo.U - Secunia issued a MEDIUM RISK http://secunia.com/virus_information/10254/korgo.u/
The Korgo.U variant was found on June 24th, 2004. It is very similar to the previous Korgo variants, discovered since June 17th. The Korgo.U worm spreads throughout the Internet using a vulnerability in the Microsoft Windows LSASS service. A description of the vulnerability can be found in Microsoft Security Bulletin MS04-011. It also opens a backdoor that allows unauthorized access to an affected machine. The worm is distributed as a 9,353-byte Win32 executable. When executed, the worm creates a copy of itself in the %System% directory using a randomly generated filename that is between 5 and 8 characters in length.
Aliases: Korgo.U, W32.Korgo.Q, W32/Korgo.U, W32/Korgo.U.worm, W32/Korgo.worm.v, Win32.Korgo.V, Win32.Korgo.X, Win32/Korgo.X.Worm, Worm.Win32.Padobot.m
AGIST Worm - uses random "garbage" text for messages
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGIST.A
TrendLabs has received several infection reports regarding this new worm spreading via email. It uses its own SMTP engine to propagate across machines. It arrives as a randomly named .ZIP attachment via email. The details of the email message it sends out are as follows:
Subject: <none>
Body of message: (the message body is pure garbage)
Attachment: <random file name>.zip
The following is a sample email message that this worm sends out
It runs on Windows 95, 98, NT, ME, 2000, and XP.