January 2005 - Posts
This is an excellent article on how to prepare, investigate, and report phishing attacks. It includes techniques on how to examine headers and contact authorities.
ISC: Handling phishing attacks
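The header-examination step that the ISC article covers, as an added example that is not part of the article or of this post: a small Python triage script that walks the Received: chain back to the originating host, compares the From:, Return-Path: and Reply-To: domains, and flags links whose host merely contains the brand name. The message, hosts and addresses it parses are constructed for the example.

```python
"""Triage a suspected phishing message by examining its headers.

Added example (not from the ISC article). Standard library only; the
sample message, its hosts, IPs and domains are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: claims to come from a bank, but the Return-Path,
# Reply-To, originating host and the link target all point elsewhere.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx1.corp.example.com (mx1.corp.example.com [203.0.113.10])
\tby mail.corp.example.com with ESMTP id abc123; Tue, 18 Jan 2005 09:12:01 -0500
Received: from dsl-198-51-100-23.isp.example.net (unknown [198.51.100.23])
\tby mx1.corp.example.com with SMTP id xyz789; Tue, 18 Jan 2005 09:11:58 -0500
From: "Example Bank Security" <security@examplebank.com>
Reply-To: verify@examplebank-support.example.org
To: victim@corp.example.com
Subject: Urgent: verify your account
Message-ID: <20050118@dsl-198-51-100-23.isp.example.net>

Please click http://examplebank.com.verify-login.example.org/ to confirm.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(msg):
    """Return (host, ip) per Received: header, origin first.

    Each relay prepends its own Received: header, so the LAST one in the
    raw message is the hop closest to the sender; only that hop's IP is
    something the sender could not easily forge.
    """
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        hdr = " ".join(hdr.split())          # unfold continuation lines
        m = re.match(r"from (\S+)", hdr)
        host = m.group(1) if m else None
        ip = IP_RE.search(hdr)
        hops.append((host, ip.group(1) if ip else None))
    return hops


def domain_of(addr):
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def triage(raw):
    """Return the originating IP and a list of human-readable findings."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    hops = received_chain(msg)
    origin_host, origin_ip = hops[0] if hops else (None, None)
    if origin_host and from_dom and not origin_host.endswith(from_dom):
        findings.append(f"originating host {origin_host} ({origin_ip}) is not under {from_dom}")
    # Classic lure: the brand name appears in the host, but the registrable
    # domain at the end belongs to the attacker.
    for host in re.findall(r"https?://([^\s/]+)", msg.get_payload()):
        if from_dom in host and not host.endswith(from_dom):
            findings.append(f"link host {host} only contains {from_dom}")
    return {"origin_ip": origin_ip, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_RAW)
    print("origin IP:", result["origin_ip"])
    for f in result["findings"]:
        print(" -", f)
```

The originating IP is what goes into the abuse report to the ISP and to the authorities the article lists; the mismatch findings are what you cite when explaining to a user why the message is not from their bank. Received: headers above the origin hop are appended by relays the attacker does not control, but any header the sender wrote (including fake Received: lines below the real origin) should be treated as untrusted.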
A PC virus has started to spread through e-mail, luring potential victims by disguising itself as a headline newsletter from CNN, an antivirus company said Thursday.
E-mails laden with the virus, dubbed "Crowt.A" by Sophos, do not have a typical subject line and other characteristics, Sophos said. Instead, the virus sends out e-mail messages with subject lines, message content and attachment names drawn from the latest news headlines on CNN's Web site, which it gathers as it spreads. Very few Sophos customers have reported that they have been affected by Crowt.A so far, the company said.
Kaspersky Labs warns on this new threat in their weblogs
The computer underground keeps a close eye on Microsoft. The AntiSpyware tool, despite being only a beta, has already inspired new malware. We urge users to treat unsolicited files from the Internet with suspicion.
W32.Mydoom.AL@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses that it finds on a compromised computer. It also spreads by using ICQ instant messenger. The worm attempts to exploit the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS04-040). This worm downloads and runs a copy of Backdoor.Nemog.D.
Five quick tweaks to lock down any desktop
The best thing about this list of five, is that they are all FREE. I'm personally using 4 of the 5 suggested items. I've been using ZA and McAfee for years to protect my home PCs. Still, AVG 7 is excellent for a free AV product.
This is why Security Awareness is important. If only folks knew they could protect their system WELL with just these FREE solutions.
I'll also add 5 more things that come to mind, beyond what the article lists:
1. Best Practices (e.g., Avoidance, "Think before you Click", and know the dangers of the Internet)
2. Ramp up your IE security
3. include AdAware SE (and/or the new MSAS beta)
4. enhance your EMAIL settings beyond just the default settings (e.g., Outlook, Thunderbird, Pegasus, etc)
5. Education - Know the risks and the latest threats (that's why I visit here daily)
TechRepublic member ron_enderland has a foolproof recipe for securing end-user desktops: "I have several non-nerdy friends and acquaintances who have called me with serious system problems (spyware, viruses, worms, etc. all via unsecured broadband). After I undo the damage (sometimes rebuilding from scratch in serious cases), I leave them with five things: ZoneAlarm, or preferably, a broadband router/firewall; Spybot, set to automatically update and scan nightly; AVG from Grisoft, also set to update and scan nightly; Windows Updates set to do its thing automatically, and Firefox. User is advised to stop using IE. I have yet to have anyone call me with further issues after months. Case closed, as far as I'm concerned."
Pharming -- Is this a new ID theft scam in the wings? http://www.gcn.com/vol1_no1/daily-updates/34815-1.html
An e-mail security executive warns that a new method of ID theft he calls “pharming” could crop up in the near future. “Pharming is a next-generation phishing attack,” said Scott Chasin, CTO of MX Logic Inc. of Denver.
Phishing is a social-engineering attack, often using phony e-mails to lure victims to a spoofed Web site, where personal information can be harvested. “Pharming is a malicious Web redirect,” in which a person trying to reach a legitimate commercial site is sent to the phony site without his knowledge.
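One concrete form the "malicious Web redirect" can take is a planted entry in the local hosts file, which every browser consults before DNS. The check below is an added example (not from the GCN article or MX Logic): it parses a hosts file and flags names pinned to a public address, and watched vendor or bank domains pointed at loopback, which silently blocks security updates. The hosts file contents and domains are constructed.

```python
"""Check a hosts file for pharming-style overrides.

Added example, not from the article. Any hosts-file entry wins over DNS on
Windows (%SystemRoot%\\system32\\drivers\\etc\\hosts) and on Unix (/etc/hosts),
so "203.0.113.5 www.examplebank.com" redirects the browser with no warning.
The sample below is constructed.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# planted by an attacker:
203.0.113.5     www.examplebank.com examplebank.com
0.0.0.0         ads.example.net
127.0.0.1       update.example-antivirus.com
"""


def parse_hosts(text):
    """Return [(ip, [names...])] for each non-comment, non-blank line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def suspicious_hosts(text, watch_domains=()):
    """Return [(ip, [name], reason)] for entries that look like pharming.

    watch_domains: domains you care about (your bank, your AV vendor's
    update servers); subdomains of them are matched too.
    """
    findings = []
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, names, "unparseable address"))
            continue
        for name in names:
            watched = any(name == d or name.endswith("." + d) for d in watch_domains)
            if addr.is_loopback or addr.is_unspecified:
                if name == "localhost":
                    continue
                # Blackholing an AV vendor's update host keeps the victim
                # from ever getting signatures for the malware that did it.
                if watched:
                    findings.append((ip, [name], "watched domain blackholed"))
                continue   # other loopback/0.0.0.0 entries are usually ad-blocking
            # A real address for any name means DNS is being bypassed for it.
            reason = "watched domain redirected" if watched else "name pinned to non-loopback address"
            findings.append((ip, [name], reason))
    return findings


if __name__ == "__main__":
    for ip, names, why in suspicious_hosts(
            SAMPLE_HOSTS, watch_domains=("examplebank.com", "example-antivirus.com")):
        print(f"{ip:16} {names[0]:32} {why}")
```

Run it against the real hosts file by reading that file instead of SAMPLE_HOSTS. It only covers the local-file variant; a poisoned recursive resolver (the DNS-cache-poisoning form of pharming) looks identical from the browser, and for that the check is to resolve the same name through a second, trusted resolver and compare answers.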
Today McAfee released a large number of virus definitions to cover new spyware and adware risks. This daily DAT has to be one of the largest I've seen as it probably includes over 200 definitions. I'm not sure whether today's beta will be part of 4420 or 4421, but this one is going to be worthwhile to install and scan user PCs with.
McAfee Virus Definitions - Dozens of new Adware/Spyware definitions released today
Oracle has released a critical patch update to address vulnerabilities in the RDBMS products. The full details of the vulnerabilities have not yet been released. Oracle has rated some of them as having wide impact. NGSSoftware, who have released an advisory, rates many of them as high risk. They include privilege escalation and a buffer overflow condition.
WORM_ZAR.A propagates via email using its own Messaging Application Programming Interface (MAPI) engine. It uses email addresses gathered from Microsoft Outlook as its recipients. This worm also has the ability to perform a distributed denial of service attack on the Web site www.hacksector.de. This Visual Basic-compiled worm runs on all Windows platforms (95, 98, ME, NT, 2000, and XP). A summary of the sent email's content is as follows:
Subject: Tsunami Donation! Please help!
Body: Please help us with your donation and view the attachment below! We need you!
We've just received a report of a destructive virus that will wipe all data from the hard disk. We're not the least bit worried though. Why? Well, it's just a hoax.
So what is a hoax? Typically, a hoax takes the form of an e-mail message that carries a warning about the 'imminent danger' posed by a non-existent threat. The aim is to scare users into sending the false warning to their contacts: friends, family, colleagues. Hoaxes cause no direct harm to data. However, a user's well-meaning action in forwarding the message gives credence to the hoax, spreads the fear, doubt and uncertainty even further and clogs up networks with increasing amounts of 'self-inflicted spam'.
Trying to stamp out a hoax can be as difficult as putting out a forest fire: 'successful' hoaxes often come back again and again, like recurrent bouts of malaria. To make matters worse, sometimes a real threat will model itself on the 'look-and-feel' of a previous hoax.
So how do you decide if something's a hoax or not? Here are some general guidelines.
Don't simply forward such an e-mail message without checking first to see if it's a hoax.
If it didn't come from a security vendor's news or alert service, check out the hoax sections of specialist security web sites.
If in doubt, check with your anti-virus vendor, or send it to firstname.lastname@example.org for analysis.
Never click on attachments in e-mails that come from an unknown source.
You can find further guidance on the Kaspersky Lab web site.
Best practices can help mitigate the risk here, as you should only download files from trusted sites and never from email links.
Internet Explorer - Experts Warn of IE Download Flaw
Hackers could bypass security warnings and download malicious content.
Paul Roberts, IDG News Service
Friday, January 14, 2005
A computer security researcher and an antivirus company are warning Microsoft customers about an unpatched hole in the company's Internet Explorer Web browser that could allow a remote attacker to bypass security warnings and download malicious content onto vulnerable systems.
The warnings came after the hole was identified on the Bugtraq Internet security discussion list by someone using the name "Rafel Ivgi." The hole affects Internet Explorer (IE) version 6.0.0, including the version released with Windows XP Service Pack 2.
The vulnerability allows malicious attackers to bypass warnings designed to inform users when a file is being passed to their computer using a specially-crafted HTML Web document.
In revisiting Technet today, I found some excellent articles reflecting Best Practices and Advanced Security Practices that are good resources for corporate users.
Microsoft Technet - Advanced Security Practices
The Cable Guy – January 2005
Testing Network Paths for Common Types of Traffic
Published: January 4, 2005
A new variant of the MyDoom virus family has been discovered. Any new member of this family of viruses should be watched, as it can spread rapidly if users launch infected attachments.
W32/Mydoom.ap - First New Variant for 2005
* Sends itself to email addresses found on the infected computer
* Uses its own emailing engine
* It can spread peer-to-peer
* Installs itself in the Registry
* Leaves non-infected files on computer
EXAMPLES OF EMAIL MESSAGES TO AVOID
From: (Spoofed email sender)
Subject: (Varies, such as)
Do not reply to this email
Mail Transaction Failed
Body: (Varies, such as)
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. Mail transaction failed. Partial message is available. (Random gibberish)
New terms and conditions for credit card holders
Here a new terms and conditions for credit card holders using a credit cards for making purchase in the Internet in the attachment. Please, read it carefully. If you are not agree with new terms and conditions do not use your credit card in the World Wide Web. Thank you, The World Bank Group © 2004 The World Bank Group, All Rights Reserved
Attention! New self-spreading virus! Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. It's about two million people infected and it will be more. To avoid your infection by this virus and to stop it we provide you with full information how to protect yourself against it and also including free remover. Your can find it in the attachment. © 2004 Networks Associates Technology, Inc. All Rights Reserved
Attention! Your IP was logged by The Internet Fraud Complaint Center Your IP was logged by The Internet Fraud Complaint Center. There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP. This is a serious crime, so all records was sent to the FBI. All information you can find in the attachment. Your IP was flagged and if there will be anover attemption you will be busted. This message is brought to you by the Federal Bureau of Investigation and the National White Collar Crime Center
Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (31kb)
examples (common names, but can be random)
In the case of two file extensions, multiple spaces may be inserted as well
An update 3 weeks after Santy Internet worm outbreak began
Update on Santy Internet worm
Nearly one month since the outbreak, more than 2,100 sites are still infected. The Santy worm was released December 21, 2004. The worm has been infecting sites which use PHPbb discussion forums.
Example of infected site
Web Server Software Breakdown (Microsoft and Apache All versions)
Note - phpbb is installed predominantly on Apache web servers
Apache 81 %
Microsoft IIS 13 %
Other 6 %
Web Server Software Breakdown (Details on Versions)
Apache/1.3.33(Unix)PHP/4.3.10 23 %
Microsoft-IIS/5.0 8.5 %
Other (200 other versions of Apache, IIS, and others) ~19%
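For anyone running phpBB on one of the servers counted above, the question is whether the worm has already visited. Santy's requests went to phpBB's viewtopic.php and abused its "highlight" parameter, carrying a double-URL-encoded single quote (%2527) and PHP function calls; that is the widely published signature, not something from this post. The scanner below is an added example (not the post's or any vendor's code); its Apache combined-format log lines are constructed.

```python
"""Scan web-server access logs for Santy-style phpBB attack requests.

Added example, not part of the original post. Santy hit viewtopic.php with a
"highlight" value starting with %2527 (a single quote encoded twice, so it
survives the web server's own decoding) followed by PHP calls. The log
lines below are constructed in Apache combined format.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_LOG = """\
198.51.100.7 - - [22/Dec/2004:03:14:07 +0000] "GET /forum/viewtopic.php?t=12&highlight=%2527%252Esystem(chr(99)%252Echr(100))%252E%2527 HTTP/1.1" 200 4823 "-" "Mozilla/4.0"
203.0.113.44 - - [22/Dec/2004:03:15:22 +0000] "GET /forum/viewtopic.php?t=12&highlight=phishing HTTP/1.1" 200 18211 "-" "Mozilla/5.0"
203.0.113.45 - - [22/Dec/2004:03:16:01 +0000] "GET /forum/index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# client-ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

PHP_CALL_RE = re.compile(r"\b(system|passthru|eval|chr)\s*\(", re.I)


def is_santy_request(path):
    """True if the request path carries a Santy-style highlight payload."""
    parts = urlsplit(path)
    if not parts.path.endswith("viewtopic.php"):
        return False
    # parse_qs decodes ONE layer: %2527 becomes %27, %252E becomes %2E.
    for value in parse_qs(parts.query).get("highlight", []):
        if "%27" in value:            # a quote that was encoded twice
            return True
        if PHP_CALL_RE.search(unquote(value)):
            return True
    return False


def scan_log(text):
    """Return one dict per matching request: ip, time, status, path."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if is_santy_request(path):
            hits.append({"ip": ip, "time": ts, "status": int(status), "path": path})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} {hit['path']}")
```

A 200 status on a hit does not prove the exploit worked; phpBB returns a normal page either way, so a hit means "check this server's phpBB version and look for modified files", not "infected". Pipe a real access_log into scan_log(open(path).read()) to use it.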
Please apply the January security updates from Microsoft as quickly as possible as a brand new POC this soon is not a good sign
MS05-002 - Backdoor.Globe POC Trojan
This new email worm is socially engineered well to disguise itself as a non-delivery message. It uses several spaces in the name of the attachment and a "com" extension to appear potentially safe at first glance. This one could spread quickly until all AV vendors have protection available, as non-delivery email is something users will usually follow up on.
W32/Buchon.C - Be careful of non-deliverable email messages
http://vil.nai.com/vil/content/v_130857.htm
This mass-mailing worm bears the following characteristics:
* contains its own SMTP engine to construct outgoing messages
* harvests target email addresses from the victim machine
* spoofs the From: address
* drops a trojan (keylogging and proxy) to the victim machine
Outgoing messages are deceptive and may be constructed as follows:
From: Mail Delivery failure - (insert target email address)
Message Body:
If the message will not displayed automatically, you can check original in attached message.txt. Failed message also saved at: www.(insert server name)/inbox/security/read.asp?sessionid-(random number) (check attached instructions)
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
Attachment: Copy of the worm with the following filename: message txt (many spaces) length (random number) bytes (many spaces) mcafee.com
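Both the Mydoom.ap post above (executable extensions, ZIP archives, double extensions padded with spaces) and this Buchon.C description (a ".com" name stuffed with spaces so it reads as a web address) come down to the same filename tricks. The checker below is an added example, not code from McAfee or from this blog; it flags those patterns in a bare filename and in the members of a ZIP attachment without extracting them. The filenames and the in-memory ZIP are constructed.

```python
"""Flag attachment filenames built with the tricks the two posts describe.

Added example (not from McAfee's descriptions). Covers: executable
extensions, a second extension hidden behind a run of spaces, and ZIP
members with the same problems. Sample names are constructed.
"""
import io
import re
import zipfile

# .com is a DOS executable, which is why "mcafee.com" as a filename runs.
DANGEROUS_EXT = {"exe", "pif", "scr", "bat", "cmd", "com"}
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\s*\.[a-z0-9]{2,4}$", re.I)


def classify_name(name):
    """Return the reasons a filename is suspicious (empty list = none found)."""
    reasons = []
    stripped = name.rstrip()
    ext = stripped.rpartition(".")[2].lower() if "." in stripped else ""
    if ext in DANGEROUS_EXT:
        reasons.append(f"executable extension .{ext}")
    # "message txt      ...      mcafee.com": spaces push the real ending out
    # of view in mail clients that truncate the attachment column.
    if re.search(r" {3,}", stripped):
        reasons.append("whitespace padding inside filename")
    # "document.txt   .scr": a harmless-looking extension followed by a real one
    if DOUBLE_EXT_RE.search(stripped):
        reasons.append("double extension")
    return reasons


def classify_zip(data):
    """Map each suspicious ZIP member name to its reasons, without extracting."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed attachment: one innocent member, one padded .scr member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless text")
        zf.writestr("document.txt" + " " * 40 + ".scr", b"MZ not really a program")
    return buf.getvalue()


BUCHON_STYLE_NAME = "message txt" + " " * 30 + "length 31273 bytes" + " " * 30 + "mcafee.com"

if __name__ == "__main__":
    for n in (BUCHON_STYLE_NAME, "invoice.txt.exe", "report.pdf"):
        print(repr(n)[:40], "->", classify_name(n) or "ok")
    for member, why in classify_zip(build_sample_zip()).items():
        print("zip member", repr(member)[:40], "->", why)
```

Run this at the mail gateway over the decoded attachment name, not the display name the client shows, since the padding is exactly what the client hides. It does not open or execute anything, so it is safe to point at real samples.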
Jubo helps in the McAfee forums and did an excellent job of summarizing the new Microsoft Virus Removal tool. Below is a copy of what he shared
The Microsoft Windows Malicious Software Removal Tool checks Windows XP, Windows 2000, and Windows Server 2003 computers for and helps remove infections by specific, prevalent malicious software—including Blaster, Sasser, and Mydoom. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed.
Virus and Worm Families Cleaned
This tool scans for and cleans malicious software associated with the following security threats:
Source: Malicious Software Removal Tool - Online scan for Microsoft Windows XP, Windows 2000, and Windows Server 2003: Scan and Clean Your PC