January 2005 - Posts

This is an excellent article on how to prepare for, investigate, and report phishing attacks. It covers techniques for examining mail headers and explains how to contact the authorities.
ISC: Handling phishing attacks
http://isc.sans.org//diary.php?date=2005-01-21

http://news.zdnet.com/2100-1009_22-5544157.html
http://www.sophos.com/virusinfo/analyses/w32crowta.html
A PC virus has started to spread through e-mail, luring potential victims by disguising itself as a headline newsletter from CNN, an antivirus company said Thursday.
E-mails laden with the virus, dubbed "Crowt.A" by Sophos, do not have a typical subject line and other characteristics, Sophos said. Instead, the virus sends out e-mail messages with subject lines, message content and attachment names drawn from the latest news headlines on CNN's Web site, which it gathers as it spreads. Very few Sophos customers have reported that they have been affected by Crowt.A so far, the company said.
Kaspersky Labs warns of this new threat in their weblog:
http://www.viruslist.com/en/weblog
"The computer underground keeps a close eye on Microsoft. The AntiSpyware tool, despite being only a beta, has already inspired new malware. We urge users to treat unsolicited files from the Internet with suspicion."
Kaspersky detects it as Trojan-Clicker.Win32.Agent.bm or Trojan-Dropper.Win32.Agent.ed.
http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.al@mm.html
W32.Mydoom.AL@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses that it finds on a compromised computer. It also spreads by using ICQ instant messenger. The worm attempts to exploit the Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS04-040). This worm downloads and runs a copy of Backdoor.Nemog.D.
Five quick tweaks to lock down any desktop
http://techrepublic.com.com/5208-6230-0.html?forumID=3&threadID=166433
The best thing about this list of five is that they are all FREE.
I'm personally using 4 of the 5 suggested items. I've been using ZA and McAfee for years to protect my home PCs. Still, AVG 7 is excellent for a free AV product.
This is why Security Awareness is important. If only folks knew they could protect their system WELL with just these FREE solutions.
I'll also add 5 more things that come to mind, beyond what the article lists:
1. Best practices (e.g., avoidance, "think before you click", and knowing the dangers of the Internet)
2. Ramp up your IE security
http://myitforum.techtarget.com/blog/hwaldron/archive/2004/12/29/1089.aspx
3. Include Ad-Aware SE (and/or the new Microsoft AntiSpyware (MSAS) beta)
4. Tighten your email client's settings beyond the defaults (e.g., in Outlook, Thunderbird, or Pegasus)
5. Education - know the risks and the latest threats (that's why I visit here daily)
TechRepublic member ron_enderland has a foolproof recipe for securing end-user desktops: "I have several non-nerdy friends and acquaintances who have called me with serious system problems (spyware, viruses, worms, etc. all via unsecured broadband). After I undo the damage (sometimes rebuilding from scratch in serious cases), I leave them with five things: ZoneAlarm, or preferably, a broadband router/firewall; Spybot, set to automatically update and scan nightly; AVG from Grisoft, also set to update and scan nightly; Windows Updates set to do its thing automatically, and Firefox. User is advised to stop using IE. I have yet to have anyone call me with further issues after months. Case closed, as far as I'm concerned."

Pharming -- Is this a new ID theft scam in the wings?
http://www.gcn.com/vol1_no1/daily-updates/34815-1.html
An e-mail security executive warns that a new method of ID theft he calls “pharming” could crop up in the near future. “Pharming is a next-generation phishing attack,” said Scott Chasin, CTO of MX Logic Inc. of Denver.
Phishing is a social-engineering attack, often using phony e-mails to lure victims to a spoofed Web site, where personal information can be harvested. “Pharming is a malicious Web redirect,” in which a person trying to reach a legitimate commercial site is sent to the phony site without his knowledge.
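Pharming, as described above, works by corrupting name resolution rather than by tricking the user into clicking. The article does not say which mechanism Chasin had in mind; one that is well established is malware rewriting the victim's local hosts file so that a bank's hostname resolves to the attacker's server. The check below is an added example, not code from the article or from MX Logic: it parses a hosts file and flags every entry for a hostname you consider sensitive, on the principle that such names should only ever come from DNS, never from a local override. It distinguishes a redirect (pharming) from a loopback entry that simply blackholes the site. The hosts content and the watched domain names are constructed placeholders.

```python
import ipaddress
import os

# Placeholder list: hostnames whose resolution you care about (a bank, a
# payment processor, your own webmail). These are not real sites.
WATCHED_DOMAINS = {'example-bank.com', 'login.example-payments.net'}

# Constructed sample hosts file, standing in for
# %SystemRoot%\System32\drivers\etc\hosts (Windows) or /etc/hosts.
HOSTS_TEXT = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.20    fileserver.corp.example
203.0.113.45    www.example-bank.com   # the kind of entry a pharming trojan adds
203.0.113.45    example-bank.com
127.0.0.1       login.example-payments.net
"""


def parse_hosts(text):
    """Return (ip_address, hostname) pairs. Comments, blank lines and lines
    whose first field is not an IP address are skipped, as the resolver
    itself skips them."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.extend((ip, host.lower()) for host in fields[1:])
    return entries


def is_watched(host, watched):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == d or host.endswith('.' + d) for d in watched)


def find_pharming_entries(text, watched=WATCHED_DOMAINS):
    """Any hosts entry for a watched name is suspicious. Report whether it
    redirects the name elsewhere (pharming) or blackholes it to loopback."""
    findings = []
    for ip, host in parse_hosts(text):
        if not is_watched(host, watched):
            continue
        reason = 'blackholed to loopback' if ip.is_loopback else f'redirected to {ip}'
        findings.append((str(ip), host, reason))
    return findings


def load_local_hosts():
    """Read the real hosts file when one exists; otherwise use the sample."""
    candidates = (
        os.path.expandvars(r'%SystemRoot%\System32\drivers\etc\hosts'),
        '/etc/hosts',
    )
    for path in candidates:
        if os.path.isfile(path):
            with open(path, encoding='utf-8', errors='replace') as f:
                return f.read()
    return HOSTS_TEXT


if __name__ == '__main__':
    for ip, host, reason in find_pharming_entries(HOSTS_TEXT):
        print(f'{host:35} {ip:16} {reason}')
```

Run against the constructed sample, the routine reports the two example-bank.com entries as redirected to 203.0.113.45 and the payments login as blackholed; a clean hosts file containing only localhost produces no findings. Pointing `find_pharming_entries` at `load_local_hosts()` turns it into a quick tamper check for a machine you are cleaning up.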
McAfee Virus Definitions - Dozens of new Adware/Spyware definitions released today
http://myavert.avertlabs.com/myavert/default.aspx?index=1
Today McAfee released a large number of virus definitions to cover new spyware and adware risks. This daily DAT has to be one of the largest I have seen, as it probably includes over 200 definitions. I'm not sure whether today's beta will be part of 4420 or 4421, but this one is going to be worthwhile to install and scan user PCs with.
Adware-.aj.lnk
Adware-123Search
Adware-2.5b56.lnk
Adware-2ndThought
Adware-2Spy
Adware-3rdEye
Adware-4Arcade
Adware-7FaSSt
Adware-ABSystemSpy
Adware-AccesMembre
Adware-Achtung
Adware-AdBlaster
Adware-AdBreak
Adware-ade.lnk
Adware-AdGoblin
Adware-AdultLinks
Adware-Alexa
Adware-AppsTraka
Adware-AtomicLog
Adware-Aveo
Adware-BackAttack
Adware-Barok
Adware-BDEProjector
Adware-Belcaro
Adware-bes_98.lnk
Adware-bes_XP.lnk
Adware-BHO.gen.url
Adware-BkdSpace.url
Adware-BPS.lnk
Adware-CashSurfers
Adware-ClearSearc.dldr
Adware-ClearSearch.dldr
Adware-ClearSearch.dll
Adware-CleverCracers.lnk
Adware-CleverCracker.lnk
Adware-CometCursor
Adware-CovenantEyes
Adware-CyberSnoop
Adware-Cytron
Adware-DAPlus
Adware-DateManager
Adware-DateManager.url
Adware-DCToolbar
Adware-den.lnk
Adware-DesktopDetect
Adware-DesktopDetect.lnk
Adware-DFC2
Adware-DopeWars
Adware-DopeWars.lnk
Adware-DownloadAccel
Adware-DSSAgent
Adware-E-Surveiller
Adware-EGroup
Adware-EmailPI
Adware-EmployeeMon
Adware-er.lnk
Adware-Expedioware
Adware-EZSearchBar
Adware-Ezula.dldr.url
Adware-Farsighter
Adware-FlashGet
Adware-Forbes
Adware-Freecam
Adware-FreeEbook.lnk
Adware-GameSpyArcade
Adware-GameSpyArcade.url
Adware-GatorEWallet
Adware-GatorEWallet.url
Adware-GoogleMS
Adware-GRLRealHidden
Adware-GRLRealHidden.url
Adware-Hack99
Adware-Hanuman
Adware-HideExec
Adware-HideRun
Adware-HideWindow
Adware-HiWire
Adware-ICUSurf
Adware-iGetNet
Adware-IGetNet.dr
Adware-Ilookup
Adware-IMIServ
Adware-IMIServ.dr
Adware-IMIServ.dr.url
Adware-iNetDelivery
Adware-INetspeak
Adware-InlookExpress
Adware-IntraSpy
Adware-InvActSpy
Adware-IopusStarr
Adware-IPSentry
Adware-Iroffer
Adware-iSpyNow
Adware-JimmySurf
Adware-Kazoom
Adware-Key2Log
Adware-KeyboardLog
Adware-KeybSpectator
Adware-KeybSpectator.url
Adware-KeyKey
Adware-KeyStrokeRep
Adware-l.lnk
Adware-LeakTest
Adware-LinkGrabber99
Adware-LoggerBuddy
Adware-LoverSpy
Adware-LyttleKeyBug
Adware-Medload
Adware-MidnightOil
Adware-MidnightOil.url
Adware-MotherbrdMon
Adware-MSGate
Adware-myPCsearch.lnk
Adware-Net900
Adware-NetPal
Adware-NetSonic
Adware-NetSpy
Adware-NetworkEss
Adware-NewtonKnows
Adware-NukeNabber
Adware-OmniQuadDet
Adware-OmniquadLog
Adware-OnF
Adware-PCSpy
Adware-PehPai
Adware-PeopleOnPage
Adware-Perfect
Adware-Perfect.gen
Adware-Perfect.url
Adware-PortalScan.url
Adware-PowerStrip
Adware-PrecisionTime
Adware-PrecisionTime.url
Adware-Probot
Adware-RadLight
Adware-RapidBlaster
Adware-RAS.as
Adware-RAS.ax.gen
Adware-RAS.bb.gen
Adware-RAS.bb.gen.url
Adware-RAS.bd.gen
Adware-RAS.bo.gen
Adware-RAS.bw.gen
Adware-RAS.cc.gen
Adware-RAS.ck.gen
Adware-RAS.cx.gen
Adware-RAS.cz.gen
Adware-RAS.dd.gen
Adware-RAS.di
Adware-RAS.dk.gen
Adware-RAS.dl.gen
Adware-RAS.v.gen
Adware-Raven
Adware-Reboot.AA
Adware-RecorderLite
Adware-RedHand
Adware-RedV
Adware-s36.98.lnk
Adware-s36.XP.lnk
Adware-s36XP.lnk
Adware-Safenet
Adware-Search-Explor
Adware-SearchIt
Adware-SecondThought.lnk
Adware-ShopAtHomeSel
Adware-ShopNav
Adware-Sidesearch.lnk
Adware-SideStep
Adware-SnoopInternet
Adware-Spector
Adware-SpotOn
Adware-SpyAgent
Adware-SpyAnywhere
Adware-SpyPC
Adware-SpytechShadow
Adware-SpyWiper
Adware-StarParty.lnk
Adware-StarPartySpy.lnk
Adware-Starr
Adware-StopPop
Adware-StripPlayer
Adware-Stukach
Adware-SurfPlus
Adware-SurfSnoop
Adware-SurfSpy
Adware-SystemSpy
Adware-TalkingBuddy
Adware-Telephonespy
Adware-TightVNC
Adware-Tps108
Adware-Trickler
Adware-TwistedHumor
Adware-Ultrabar
Adware-VBouncer
Adware-VCatch
Adware-WatchRight
Adware-WatchRight.lnk
Adware-WeatherCast
Adware-Web3000
Adware-WebMailSpy
Adware-WhistleSoft
Adware-WinGuardian
Adware-WinSniffer
Adware-Winvestigator
Adware-WinWhatWhere
Adware-WurldMedia
Adware-X-Diver
Adware-XPCSpy
Adware-xplus
Adware-xplus.url
Adware-XPStyle
Adware-YSKKeylog

http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf
Oracle has released a critical patch update to address vulnerabilities in the RDBMS products. The full details of the vulnerabilities have not yet been released. Oracle has rated some of them as having wide impact. NGSSoftware, who have released an advisory, rates many of them as high risk. They include privilege escalation and a buffer overflow condition.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAR.A
WORM_ZAR.A propagates via email using its own Messaging Application Programming Interface (MAPI) engine. It uses email addresses gathered from Microsoft Outlook as its recipients. This worm also has the ability to perform a distributed denial of service attack on the Web site www.hacksector.de. This Visual Basic-compiled worm runs on all Windows platforms (95, 98, ME, NT, 2000, and XP). A summary of the sent email's content is as follows:
Subject: Tsunami Donation! Please help!
Body: Please help us with your donation and view the attachment below! We need you!
Attachment: tsunami.exe

We've just received a report of a destructive virus that will wipe all data from the hard disk. We're not the least bit worried though. Why? Well, it's just a hoax.
So what is a hoax? Typically, a hoax takes the form of an e-mail message that carries a warning about the 'imminent danger' posed by a non-existent threat. The aim is to scare users into sending the false warning to their contacts: friends, family, colleagues. Hoaxes cause no direct harm to data. However, a user's well-meaning action in forwarding the message gives credence to the hoax, spreads the fear, doubt and uncertainty even further and clogs up networks with increasing amounts of 'self-inflicted spam'.
Trying to stamp out a hoax can be as difficult as putting out a forest fire: 'successful' hoaxes often come back again and again, like recurrent bouts of malaria. To make matters worse, sometimes a real threat will model itself on the 'look-and-feel' of a previous hoax.
So how do you decide if something's a hoax or not? Here are some general guidelines.
Don't simply forward such an e-mail message without checking first to see if it's a hoax.
If it didn't come from a security vendor's news or alert service, check out the hoax sections of specialist security web sites.
If in doubt, check with your anti-virus vendor, or send it to newvirus@kaspersky.com for analysis.
Never click on attachments in e-mails that come from an unknown source.
You can find further guidance on the Kaspersky Lab web site.
Best practices help mitigate this risk: only download files from sites you trust, and never via links in email.
Internet Explorer - Experts Warn of IE Download Flaw
http://www.pcworld.com/news/article/0,aid,119322,00.asp
Hackers could bypass security warnings and download malicious content.
Paul Roberts, IDG News Service
Friday, January 14, 2005
A computer security researcher and an antivirus company are warning Microsoft customers about an unpatched hole in the company's Internet Explorer Web browser that could allow a remote attacker to bypass security warnings and download malicious content onto vulnerable systems.
The warnings came after the hole was identified on the Bugtraq Internet security discussion list by someone using the name "Rafel Ivgi." The hole affects Internet Explorer (IE) version 6.0.0, including the version released with Windows XP Service Pack 2.
The vulnerability allows malicious attackers to bypass warnings designed to inform users when a file is being passed to their computer using a specially-crafted HTML Web document.
In revisiting Technet today, I found some excellent articles reflecting Best Practices and Advanced Security Practices that are good resources for corporate users.
Microsoft Technet - Advanced Security Practices
http://www.microsoft.com/technet/Security/default.mspx
The Cable Guy – January 2005
Testing Network Paths for Common Types of Traffic
Published: January 4, 2005
A new variant of the MyDoom virus family has been discovered. Any new member of this family of viruses should be watched, as it can spread rapidly if users launch infected attachments.
W32/Mydoom.ap - First New Variant for 2005
http://secunia.com/virus_information/14588/mydoom.ap/
http://vil.nai.com/vil/content/v_130859.htm
http://www.sophos.com/virusinfo/analyses/w32mydoomaa.html
* Sends itself to email addresses found on the infected computer
* Uses its own emailing engine
* It can spread peer-to-peer
* Installs itself in the Registry
* Leaves non-infected files on computer
EXAMPLES OF EMAIL MESSAGES TO AVOID
From: (Spoofed email sender)
Subject: (Varies, such as)
Do not reply to this email
HELLO
Server Report
Good Day
Attention!!!
ERROR
Mail Transaction Failed
(random characters)
Body: (Varies, such as)
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. Mail transaction failed. Partial message is available. (Random gibberish) New terms and conditions for credit card holders
Here a new terms and conditions for credit card holders using a credit cards for making purchase in the Internet in the attachment. Please, read it carefully. If you are not agree with new terms and conditions do not use your credit card in the World Wide Web. Thank you, The World Bank Group © 2004 The World Bank Group, All Rights Reserved
Attention! New self-spreading virus! Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. It's about two million people infected and it will be more. To avoid your infection by this virus and to stop it we provide you with full information how to protect yourself against it and also including free remover. Your can find it in the attachment. © 2004 Networks Associates Technology, Inc. All Rights Reserved
Attention! Your IP was logged by The Internet Fraud Complaint Center Your IP was logged by The Internet Fraud Complaint Center. There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP. This is a serious crime, so all records was sent to the FBI. All information you can find in the attachment. Your IP was flagged and if there will be anover attemption you will be busted. This message is brought to you by the Federal Bureau of Investigation and the National White Collar Crime Center
Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (31kb)
examples (common names, but can be random)
doc.bat
document.zip
message.zip
readme.zip
text.pif
hello.cmd
body.scr
test.htm.pif
data.txt.exe
file.scr
In the case of two file extensions, multiple spaces may be inserted between them as well, so that the real extension is pushed out of view.
An update 3 weeks after the Santy Internet worm outbreak began
Update on Santy Internet worm
Nearly one month since the outbreak, more than 2,100 sites are still infected. The Santy worm was released December 21, 2004. The worm has been infecting sites which use phpBB discussion forums.
Example of infected site
Web Server Software Breakdown (Microsoft and Apache, all versions)
Note - phpBB is installed predominantly on Apache web servers
Apache          81%
Microsoft IIS   13%
Other            6%
Web Server Software Breakdown (Details on Versions)
Apache/1.3.33 (Unix) PHP/4.3.10                       23%
Microsoft-IIS/5.0                                      8.5%
Apache/1.3.29 (Unix) mod_perl/1.28                     5.7%
Apache/1.3.33 (Unix) mod_perl/1.28                     5.0%
Apache/1.3.33 (Unix) mod_auth_passthrough/1.8          4.0%
Apache/1.3.31 (Unix) DAV/1.0.3                         2.7%
Apache/1.3.29 (Unix)                                   2.7%
Apache/1.3.20 (Unix) PHP/4.3.3                         2.3%
Apache/2.0.46 (Red Hat)                                2.1%
Apache/2.0.50 (Fedora)                                 2.1%
Apache/1.3.33 (Unix) mod_auth_passthrough/1.8          2.1%
Other (200 other versions of Apache, IIS, and others) ~19%
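The post above records which servers Santy hit but not how; from the public analyses, Santy.A attacked viewtopic.php through phpBB's highlight parameter (phpBB 2.0.10 and earlier URL-decoded that value a second time, so a double-encoded quote, %2527, broke out of the string and let the worm inject PHP). That detail is not on this page, and the scanner below is an added example, not code from the post or from phpBB: it reads Apache combined-format access log lines and flags requests showing that pattern, which is how a forum administrator would have confirmed whether their site had been probed. The log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log format; only the fields this check needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# %2527 / %2522 is the URL encoding of "%27" / "%22": a quote that only
# appears after a second decode, which is exactly what phpBB did to highlight.
DOUBLE_ENCODED_QUOTE = re.compile(r'%25(27|22)', re.IGNORECASE)

# PHP calls a payload would use once it has broken out of the string.
PHP_CALL = re.compile(
    r'\b(system|passthru|exec|shell_exec|fwrite|fopen|chr|eval)\s*\(',
    re.IGNORECASE,
)


def classify_request(target):
    """Return the reasons a request target looks like a Santy-style attack
    on viewtopic.php; an empty list means nothing matched."""
    parts = urlsplit(target)
    if parts.path.rsplit('/', 1)[-1] != 'viewtopic.php':
        return []
    reasons = []
    if DOUBLE_ENCODED_QUOTE.search(parts.query):
        reasons.append('double-encoded quote in query string')
    # parse_qs performs the first decode (what the web server saw);
    # unquote performs the second one phpBB applied to "highlight".
    for value in parse_qs(parts.query, keep_blank_values=True).get('highlight', []):
        if PHP_CALL.search(unquote(value)):
            reasons.append('PHP function call in twice-decoded highlight parameter')
            break
    return reasons


def scan_log(lines):
    """Return (client_ip, target, reasons) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        reasons = classify_request(m.group('target'))
        if reasons:
            hits.append((m.group('ip'), m.group('target'), reasons))
    return hits


SAMPLE_LOG = [  # constructed lines, not taken from any real server
    '203.0.113.7 - - [21/Dec/2004:14:02:11 +0000] "GET /forum/viewtopic.php'
    '?t=12&highlight=%2527%252Esystem(chr(105)%252Echr(100))%252E%2527 HTTP/1.0" 200 5123',
    '198.51.100.4 - - [21/Dec/2004:14:03:30 +0000] "GET /forum/viewtopic.php'
    '?t=12&highlight=security HTTP/1.1" 200 8841',
    '192.0.2.9 - - [21/Dec/2004:14:04:02 +0000] "GET /forum/index.php HTTP/1.1" 200 2210',
]

if __name__ == '__main__':
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target)
        for r in reasons:
            print('   -', r)
```

Only the first constructed line is reported: its highlight value decodes to `'.system(chr(105).chr(100)).'`, which trips both checks. A normal search for "security" on the same forum page is left alone. Because the check keys on the double encoding rather than on one worm's payload string, it also catches hand-crafted attempts against the same flaw, not just Santy's own requests.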
Please apply the January security updates from Microsoft as quickly as possible, as a brand new POC this soon is not a good sign.
MS05-002 - Backdoor.Globe POC Trojan
http://secunia.com/virus_information/14495/globe/
http://www.sarc.com/avcenter/venc/data/backdoor.globe.html
Backdoor.Globe is a proof-of-concept Trojan that exploits the Microsoft Windows LoadImage API Function Integer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-002). The Trojan exists as javascript embedded in an HTML file that uses a malformed animated cursor (.ani) to cause a stack overflow. The Trojan does not affect Windows XP SP 2.
W32/Buchon.C - Be careful of non-deliverable email messages
http://vil.nai.com/vil/content/v_130857.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BUCHON.C
This new email worm is socially engineered well to disguise itself as a non-delivery message. It uses several spaces in the name of the attachment and a "com" extension to appear potentially safe at first glance. This one could spread quickly until all AV vendors have protection available, as non-delivery email is something users will usually follow up on.
This mass-mailing worm bears the following characteristics:
* contains its own SMTP engine to construct outgoing messages
* harvests target email addresses from the victim machine
* spoofs the From: address
* drops a trojan (keylogging and proxy) to the victim machine
Outgoing messages are deceptive and may be constructed as follows:
From: Spoofed
Subject: Mail Delivery failure - (insert target email address)
Message Body: If the message will not displayed automatically, you can check original in attached message.txt. Failed message also saved at: www.(insert server name)/inbox/security/read.asp? sessionid-(random number) (check attached instructions)
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
Attachment: Copy of the worm with the following filename:
message txt (many spaces) length (random number) bytes (many spaces) mcafee.com
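Both the Mydoom.ap post and the Buchon.C post turn on how the attachment is named: an executable extension behind a harmless-looking one, runs of spaces to push the real extension past the visible width of the attachment column, and in Buchon.C a trailing "mcafee.com" that reads like a web address but is a .com executable. The triage routine below is an added example, not code from either write-up or from McAfee or Trend Micro: it applies those checks to attachment filenames as a mail gateway or help desk script might. The extension set comes from the Mydoom.ap post plus .com from Buchon.C; the sample names are the posts' own examples, one constructed Buchon-style name, and two benign controls.

```python
import re

# Extensions Windows runs on double-click: the ones listed in the Mydoom.ap
# post, plus .com, which Buchon.C relied on.
EXECUTABLE_EXTS = {'bat', 'exe', 'pif', 'cmd', 'scr', 'com'}
# Archives are not dangerous in themselves, but both worms arrived in ZIPs.
ARCHIVE_EXTS = {'zip'}


def analyze_attachment_name(name):
    """Return the reasons an attachment filename looks like a lure;
    an empty list means none of the checks fired."""
    reasons = []
    # Padding trick: "message txt          mcafee.com" hides the tail.
    if re.search(r' {2,}', name):
        reasons.append('runs of spaces in filename')
    # Collapse the padding so the extension logic sees the real structure.
    collapsed = re.sub(r'\s+', ' ', name).strip()
    exts = [p.strip().lower() for p in collapsed.split('.')[1:]]
    final_ext = exts[-1] if exts else ''
    if final_ext in EXECUTABLE_EXTS:
        reasons.append(f'executable extension .{final_ext}')
        # "test.htm.pif", "data.txt.exe": the first extension is the decoy.
        if len(exts) >= 2:
            reasons.append(f'double extension (.{exts[-2]} in front of .{final_ext})')
        # "mcafee.com" reads as a domain name but is a .com program.
        if final_ext == 'com':
            reasons.append('".com" is an executable extension, not a web address')
    if final_ext in ARCHIVE_EXTS:
        reasons.append('archive: inspect the contents before opening')
    return reasons


# Names from the two posts, one constructed Buchon.C-style name, and two
# benign controls that should pass.
SAMPLE_NAMES = [
    'doc.bat', 'document.zip', 'message.zip', 'readme.zip', 'text.pif',
    'hello.cmd', 'body.scr', 'test.htm.pif', 'data.txt.exe', 'file.scr',
    'message txt          length 3812 bytes          mcafee.com',
    'readme.txt', 'report.pdf',
]


def triage(names):
    """Map each filename to its reasons, keeping only the names that fired."""
    flagged = {}
    for n in names:
        reasons = analyze_attachment_name(n)
        if reasons:
            flagged[n] = reasons
    return flagged


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_NAMES).items():
        print(repr(name))
        for r in reasons:
            print('   -', r)
```

Every name the two posts list is flagged, the constructed Buchon-style name trips three checks at once (padding, .com executable, domain-like tail), and the two plain documents pass. A filter like this belongs at the gateway, where it runs before a user ever sees the "Mail Delivery failure" subject line that makes these lures work.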
Jubo helps in the McAfee forums and did an excellent job of summarizing the new Microsoft Malicious Software Removal Tool. Below is a copy of what he shared:
The Microsoft Windows Malicious Software Removal Tool checks Windows XP, Windows 2000, and Windows Server 2003 computers for and helps remove infections by specific, prevalent malicious software—including Blaster, Sasser, and Mydoom. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed.
Virus and Worm Families Cleaned
This tool scans for and cleans malicious software associated with the following security threats:
Source: Malicious Software Removal Tool.
Online scan for Microsoft Windows XP, Windows 2000, and Windows Server 2003: Scan and Clean Your PC.