|
Security News and Best Practices for corporate and home users
May 2005 - Posts
-
Trend Micro and Secunia have issued MEDIUM RISK alerts for MYTOB.AR. Click the links below for more information:
MYTOB.AR - Secunia alert MEDIUM RISK
TREND MICRO - MEDIUM RISK
MYTOB.CU - Symantec
W32/Mytob.bh - McAfee (DAT 4502)
quote: As of May 30, 2005 3:08 AM (PDT/GMT-7:00), TrendLabs has declared a MEDIUM risk alert in order to control the spread of WORM_MYTOB.AR. TrendLabs has received several infection reports indicating that this worm is currently spreading in Australia, China, Hong Kong, India, Japan, Korea, Philippines, Taiwan, and the United States.
Similar to other MYTOB variants, this memory-resident worm propagates by sending a copy of itself as an attachment (file size is around 29,868 to 29,882 bytes) to an email message, which it sends to target recipients using its own Simple Mail Transfer Protocol (SMTP) engine.
EXAMPLE - Usually an EMAIL delivery or account issue
EMAIL FORMAT
Subject: (any of the following)
• {Random}
• *DETECTED* Online User Violation
• *IMPORTANT* Please Validate Your Email Account
• *IMPORTANT* Your Account Has Been Locked
• *WARNING* Your Email Account Will Be Closed
• Account Alert
• Email Account Suspension
• Important Notification
• Notice of account limitation
• Notice: **Last Warning**
• Notice:***Your email account will be suspended***
• Security measures
• Your email account access is restricted
• Your Email Account is Suspended For Security Reasons
Attachment: (any combination of the following file names and extension names)
File name:
• {random}
• account-details
• document
• document_full
• email-doc
• email-info
• info
• information
• info-text
• instructions
• your_details
Extension name: BAT, CMD, EXE, PIF, SCR, ZIP
|
-
This new threat arrives as a Word document and targets unpatched Windows PCs by exploiting the Windows Shell vulnerability that the MS05-016 patch, part of Microsoft's April 2005 updates, fixes. Systems with MS05-016 applied are not affected.
VBS_RUNEXPLT.C Information
This malicious VBScript file takes advantage of the Windows Shell vulnerability, which could allow a remote malicious user to execute arbitrary code on the affected system. For more information about this vulnerability, please refer to the following Microsoft page: Microsoft Security Bulletin MS05-016
It usually arrives on a system as a Microsoft Word document. When executed on a vulnerable machine, it attempts to download and execute a file, which may also be malicious in nature, from the following location: Nnpyf.c{BLOCKED}nn.com. This malicious VBScript file runs on Windows 98, ME, 2000, and XP.
|
-
-
This is a new malicious attack that's not widespread and provides all the more reason to stay up-to-date with Microsoft Security updates.
MS04-023: PGPCoder Trojan - Encrypts & demands $200 for the key
http://news.zdnet.com/2100-1009_22-5718678.html
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=194
http://secunia.com/virus_information/18207/pgpcoder/
Researchers at Symantec have seen the malicious program used in the ransom attack. The "Trojan.Pgpcoder" searches a victim's hard disk drive for 15 common file types, including images and Microsoft Office file types. It then encrypts the files, removes the originals and drops a note asking $200 for the encryption key, Friedrichs said.
This memory-resident Trojan arrives via the Internet or is copied from disks. Upon execution, it encrypts all files on the system having the following extensions:
- ASC
- DB
- DB1
- DB2
- DBF
- DOC
- HTM
- HTML
- JPG
- PGP
- RAR
- RTF
- TXT
- XLS
- ZIP
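The 15 extensions above also give a defender something concrete to check for: a document that has been overwritten with ciphertext loses its normal file signature and its byte distribution becomes near-uniform. The Python below is an added example, not code from Symantec, Trend Micro or this blog. It walks a directory and, for files with the targeted extensions, flags those whose expected header is missing and whose Shannon entropy is close to 8 bits per byte. The fixture files it scans are constructed inside a temporary directory; deterministic random bytes stand in for ciphertext.

```python
"""Added example: find targeted documents that look encrypted in place.

Not code from the page or from any vendor; the fixture files are constructed.
"""
import math
import os
import random
import tempfile
from collections import Counter

# The 15 extensions Trojan.Pgpcoder targets, from the list above.
TARGET_EXT = {".asc", ".db", ".db1", ".db2", ".dbf", ".doc", ".htm", ".html",
              ".jpg", ".pgp", ".rar", ".rtf", ".txt", ".xls", ".zip"}

# Formats that are high-entropy by design, identified by their leading bytes.
# Such a file that has lost its signature but is still high-entropy is suspect.
# .pgp has no simple signature, so encrypted-by-design .pgp files get flagged;
# treat that as a known false positive when reviewing results.
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".rar": (b"Rar!\x1a\x07",),
    ".doc": (b"\xd0\xcf\x11\xe0",),     # OLE2 compound document (Office 97-2003)
    ".xls": (b"\xd0\xcf\x11\xe0",),
    ".rtf": (b"{\\rtf",),
}


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def has_expected_signature(ext, head):
    """True/False when a signature is known for ext, None when it is not."""
    sigs = SIGNATURES.get(ext)
    if sigs is None:
        return None
    return any(head.startswith(s) for s in sigs)


def looks_encrypted(path, threshold=7.5, sample=65536):
    """True if a targeted file has lost its signature and its bytes look random."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in TARGET_EXT:
        return False
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if has_expected_signature(ext, head):
        return False          # header intact: not overwritten by a cipher
    return shannon_entropy(head) >= threshold


def scan_tree(root):
    """Walk root and return the relative paths of files that look encrypted."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if looks_encrypted(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Build a constructed fixture tree, scan it, and return the flagged names."""
    rng = random.Random(1)                       # deterministic stand-in ciphertext

    def noise(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    fixtures = {
        "notes.txt":   b"Meeting notes: review the Q2 budget.\n" * 100,
        "photo.jpg":   b"\xff\xd8\xff\xe0" + noise(8192),  # real JPEG data is high-entropy
        "archive.zip": b"PK\x03\x04" + noise(8192),
        "report.doc":  b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 4096,
        "ledger.xls":  noise(8192),            # OLE header gone, body random: encrypted
        "song.mp3":    noise(8192),            # not a targeted extension: ignored
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in fixtures.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())   # ['ledger.xls']
```

JPG, ZIP and RAR are high-entropy by design, which is why the signature check runs before the entropy test; a .pgp file has no simple signature and will be flagged, so review hits rather than acting on them automatically. Run against a backup target after an incident, this tells you which files were touched before you restore.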
|
-
The next edition of Microsoft Office should become available during 2006. It will offer improved, server-enforced security for documents.
Office 12 - Improved server-based security on documents http://techrepublic.com.com/2100-10877_11-5717662.html
Federal record-keeping regulations, such as Sarbanes-Oxley and HIPAA, are forcing Microsoft to examine various ways to secure Office documents. With the next version of Office, Microsoft plans to let businesses set rules, enforced by server-based software, to determine how those documents are handled
Office 12 - Some early reported info on new features http://techrepublic.com.com/2100-10877_11-5712784.html
|
-

This is an excellent and easy-to-follow guide to securing a wireless network. Key approaches include using WPA, turning off unneeded wireless router services, using strong passwords, and changing the default SSID. I also recommend using Windows XP SP2, which offers Microsoft's most up-to-date support for wireless technology.
http://www.komando.com/tips_show.asp?showID=8796
|
-
-
The new Sober.Q variant is installed automatically on systems already infected with Sober.P. It generates large volumes of spam in German. While these spam messages do not contain the virus itself, the URLs in them most likely point to sites that could host adware, spyware, or viruses.
PLEASE DO NOT CLICK ON ANY URLS in these messages
http://www.f-secure.com/v-descs/sober_q.shtml
Sober.U -- Trend Micro has in-depth information
W32.Sober.P@mm - Symantec
http://vil.nai.com/vil/content/v_133684.htm
Sober.Q was found on May 14th, 2005. This Sober variant doesn't spread itself in e-mails. Instead, it mass-mails political statements. Sober.Q is installed to computers infected by Sober.P. Sober.Q is written in Visual Basic.
Like many Sober variants, this variant uses its own SMTP engine to send spammed messages to email addresses found on the infected system. It can generate several different email messages randomly, in either English or German depending on the version of Windows. Some messages may contain several links inside them.
|
-

This was a neat read in F-Secure's weblog:
Monday, May 9, 2005 In-depth investigation of the "Cabir-in-Cars" myth http://www.f-secure.com/weblog/
However, a mobile worm infecting a car is a thought that one cannot let go easily, and even though we knew that the car cannot be infected, this was something that just had to be tested for real. So we got a Toyota Prius to test out the myth. Credit has to be given to Toyota for trusting their systems enough to actually lend the car to us for such testing. According to Toyota, this Prius model had in-car Bluetooth systems identical to the Lexus models, so it was suitable for our tests.
|
-
-
Mozilla has released Firefox 1.0.4 to address a security issue and public exploit discovered this week. I have installed the new release on Windows 98, 2000, and XP SP2 with no issues so far. While there are no in-the-wild threats or viruses associated with the new exploit, current Firefox users should upgrade to further protect their systems.
Firefox 1.0.4 - Security Changes and other release notes
Security Update to Firefox Now Available
Firefox 1.0.4 Free Download (English version 1.0.4)
Original Advisories on Security Issues
Mozilla Foundation Security Advisory 2005-42
Secunia - Mozilla Firefox Two Critical Vulnerabilities
The cross-site scripting and remote system access flaws were discovered in Firefox version 1.0.3, but other versions may also be affected, said security company Secunia, which issued the ratings Sunday. The two vulnerabilities, when combined, can be exploited, but no known cases have yet emerged where an attacker took advantage of the public exploit code.
One flaw involves "IFRAME" JavaScript URLs, which are not properly protected from being executed in the context of another URL in the history list. "If you visit a malicious Web site, it can steal cookie information from other Web sites you had previously visited," said Thomas Kristensen, Secunia's chief technology officer. The attacker could then use that information to engage in identity theft or gain access to other password-protected sites that the victim visited.
Mozilla issued the following workaround to prevent web sites from installing software automatically. This adds protection against future issues of the same kind and remains useful even after upgrading to version 1.0.4 (the whitelist can be edited again at any time).
1. Select the "Options" dialog from the "Tools" menu
2. Select the "Web Features" icon
3. Click the "Allowed Sites" button on the same line as the "Allow web sites to install software" checkbox
4. Click the "Remove All Sites" button
5. Click "OK"
|
-
Avoid ZIP-based attachments, as this worm is spreading significantly. Wurmark.J - MEDIUM RISK by Secunia/Trend Micro. Trend Micro WORM_WURMARK.J Information
quote: As of May 11, 2005 at 4:30 am (Pacific Daylight Time; GMT-7:00) TrendLabs has declared a Medium risk alert in order to control this new WURMARK variant that is currently spreading in France, India, Singapore, and Taiwan. This memory-resident worm propagates via email messages. Upon execution, it drops a copy of itself in the Windows system folder using a random file name. It also drops a randomly named Dynamic Link Library (DLL) file in the Windows system folder, which is a component of IESpy, a spyware program. This worm has a keylogging capability. It saves the logs typed by the user in a dropped random DLL file.
AVOID THE FOLLOWING ATTACHMENTS
Attachment: (any of the following file names)
• details.zip
• girls.zip
• image.zip
• love.zip
• message.zip
• music.zip
• news.zip
• photo.zip
• pic.zip
• readme.zip
• resume.zip
• screensaver.zip
• song.zip
• video.zip
|
-
This new virus has been declared MEDIUM RISK by Secunia. TrendLabs has declared a Medium risk alert in order to control this new WORM_MYTOB variant, which is currently spreading in Australia and Japan.
It uses a social engineering approach: the message appears to report an administrative or non-delivery problem with your email account. Never open the attachment on a non-delivery or account notice, even if it appears to come from someone you know or from yourself; the sender address is forged.
MyDoom.BQ - Symantec
MEDIUM RISK at Secunia
MyTob.ED - Medium Risk Trend Micro
Diagram on how this worm spreads & potential to impact network
Email messages to block or avoid:
Subject: (any of the following)
- *IMPORTANT* Please Validate Your Email Account
- *IMPORTANT* Your Account Has Been Locked
- {random}
- Email Account Suspension
- Notice: **Last Warning**
- Notice:***Your email account will be suspended***
- Security measures
- Your email account access is restricted
- Your Email Account is Suspended For Security Reasons
Message body: (any of the following)
- Account Information Are Attached!
- Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
- please look at attached document.
- To safeguard your email account from possible termination, please see the attached file.
- To unblock your email account acces, please see the attachement.
- We have suspended some of your email services, to resolve the problem you should read the attached document.
- {random}
Attachment: (any of the following file names)
- {random}
- document_full
- email-doc
- email-info
- email-text
- IMPORTANT
- information
- info-text
- your_details
(any of the following extensions)
- BAT
- CMD
- EXE
- PIF
- SCR
- ZIP
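The subject lines, attachment names and extensions listed for Mytob.AR earlier on this page and for Mytob.ED above are exactly what a mail gateway can match on. The Python below is an added example, not code from Trend Micro, Symantec or this blog: it parses one raw message, blocks anything carrying a directly executable attachment (BAT, CMD, EXE, PIF, SCR), and quarantines a ZIP only when it is paired with one of the listed subjects or file names. The addresses and sample messages are constructed for the demonstration.

```python
"""Added example: a mail-gateway check for the Mytob lure indicators above.

Not code from the page or from any vendor; the message samples are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject lines listed for Mytob.AR and Mytob.ED, lower-cased for matching.
LURE_SUBJECTS = {
    "*detected* online user violation",
    "*important* please validate your email account",
    "*important* your account has been locked",
    "*warning* your email account will be closed",
    "account alert",
    "email account suspension",
    "important notification",
    "notice of account limitation",
    "notice: **last warning**",
    "notice:***your email account will be suspended***",
    "security measures",
    "your email account access is restricted",
    "your email account is suspended for security reasons",
}
# Attachment file names (without extension) listed for both variants.
LURE_NAMES = {
    "account-details", "document", "document_full", "email-doc", "email-info",
    "email-text", "important", "info", "information", "info-text",
    "instructions", "your_details",
}
# Windows runs these directly: block on the extension alone.
EXECUTABLE_EXT = {"bat", "cmd", "exe", "pif", "scr"}
# ZIP is also used by legitimate mail, so it needs a second indicator.
ARCHIVE_EXT = {"zip"}


def split_name(filename):
    """Return (stem, last extension) lower-cased: 'Doc.TXT.PIF' -> ('doc.txt', 'pif')."""
    stem, dot, ext = filename.lower().rpartition(".")
    if not dot:
        return filename.lower(), ""
    return stem, ext


def classify(raw):
    """Classify one RFC 822 message (bytes) as 'block', 'quarantine' or 'deliver'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Collapse whitespace so folded or re-encoded subjects still match.
    subject = " ".join(str(msg["subject"] or "").split()).lower()
    reasons = []
    subject_hit = subject in LURE_SUBJECTS
    if subject_hit:
        reasons.append(f"lure subject: {subject!r}")
    verdict = "deliver"
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = split_name(name)
        if ext in EXECUTABLE_EXT:
            reasons.append(f"executable attachment: {name!r}")
            verdict = "block"
        elif ext in ARCHIVE_EXT and (subject_hit or stem in LURE_NAMES):
            reasons.append(f"archive with lure indicator: {name!r}")
            if verdict == "deliver":
                verdict = "quarantine"
    # A lure subject with no attachment is recorded but still delivered:
    # "Account Alert" and "Security measures" also occur in legitimate mail.
    return {"verdict": verdict, "reasons": reasons}


def build_sample(subject, filename, payload, body="please look at attached document."):
    """Construct a test message (not a captured Mytob sample) as raw bytes."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.net"   # hypothetical forged sender
    msg["To"] = "user@example.net"           # hypothetical recipient
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "lure": build_sample("*IMPORTANT* Your Account Has Been Locked",
                             "account-details.zip", b"PK\x03\x04"),
        "exe": build_sample("Re: your order", "document.txt.pif", b"MZ"),
        "clean": build_sample("Lunch on Friday?", "agenda.pdf", b"%PDF-1.4"),
    }
    for label, raw in samples.items():
        print(label, classify(raw))
```

The `{random}` entries in the vendor lists cannot be matched and are ignored. Only the last extension is examined, so a double extension such as `document.txt.pif` is still caught. Exact-string matching catches this variant and nothing else, so treat the two sets as data to refresh from the vendor write-ups rather than as a permanent rule; the executable-extension block is the part that keeps paying off.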
|
-
-

http://news.com.com/2061-10789-5697143.html
Quote: Security vendor VeriSign found 66 percent would choose to give up their passwords for a Starbucks coffee, during an informal on-the-street survey conducted Thursday in San Francisco ... Those that revealed their password or gave hints received a $3 gift card for Starbucks--the price of a latte
This study is sponsored by VeriSign (a leader in digital certificate technologies), so I'm confident 66% of folks surveyed would not truly reveal their passwords. The 66% may have provided a false password or more likely clues on their passwords. Most likely, the true number who would reveal their true passwords is probably less than 10%.
Still, individuals should do their utmost to protect all of their passwords. When helping with security issues, I've actually had folks send me their ISP or email account name and password. Sometimes a good strong password is the only lock you have to keep the bad guys out.
This same technique of trying to get users to reveal passwords was used about a year ago.
Would you trade your password for Chocolate?
P.S. Wonder if Starbucks has "Chocolate flavored Coffee"
|
-

Virus writers continue to use social engineering techniques to trick folks into opening attachments. Sober.P has spread more successfully than most recent viruses because it tempts sports fans into thinking they have won something for free. In email there are no "free lunches"; most messages of this kind are like telemarketing calls, there's always a catch, and in this case the catch is a very advanced virus that is difficult to remove from Windows.
Sober.P - Beware of Free World Cup 2006 Tickets
http://www.google.com/search?hl=en&q=world+cup+sober.p
http://www.viruslist.com/en/weblog
http://www.theregister.com/2005/05/03/world_cup_virus/
http://netscape.com.com/4520-6600_7-6215417-1.html
http://www.webuser.co.uk/news/63573.html
Sober.p, which has caused outbreaks in various western European countries, owes some of its success to social engineering. It arrives as an attachment to infected messages which use a range of subject headers, messages and attachment names in both English and German. Some of the messages appear to promise tickets to the World Cup in 2006 - and who wouldn't want World Cup tickets?
Infected emails pose as ticket confirmation messages from organisers of the football World Cup, due to be held in Germany next year. The worm composes messages with subject lines such as "WM-Ticket-Auslosung" and "Your Password" with attachments such as Fifa_Info-Text.zip containing a .pif payload file. Sober-P only infects Windows machines.
|
-

CBS News Feature -- P2P Privacy Dangers
A summary of some key risks associated with P2P File sharing:
1. Malware (including some of the most dangerous viruses out there) will be automatically written to openly shared hard drives. While AV protection can help, brand new viruses are created daily and seeded on P2P networks.
2. Exchanging copyrighted music, CDs and movies over P2P file shares violates copyright law and the intellectual property rights it protects. Individuals may rationalize that participating in P2P is no worse than using a TiVo or copying a movie off a cable channel. Still, "the law is the law". Because the practice is so widespread, the RIAA and other rights holders suing under the DMCA can only make "examples" of the unlucky ones they catch in the process.
3. The greatest danger of all is privacy invasion as illustrated in the article. By sharing your hard drive, ANYONE in the P2P network can potentially access ANYTHING on your hard drive. It could be a tax return, bank account spreadsheet, stored email messages, or other sensitive information.
|
-
-
Please be careful with IM programs as several new viruses have emerged over the weekend. Please do not accept attachments or click on URLs in IM messages.
W32.Kelvir.BA - Symantec
WORM_KELVIR.AL - Trend Micro
It sends the following instant message to all MSN Messenger contacts on the compromised computer. If the recipient clicks on the link, a copy of the W32.Spybot.OFN worm is downloaded. Avoid the following message:
lol you'll like this http://[domain removed]/downloads/gallery.php?email=[email address]
Backdoor.Doyorg
Backdoor.Doyorg is a back door Trojan which allows unauthorized remote access. The Trojan may arrive via an instant message received in AOL Instant Messenger (AIM).
W32/Oscarbot
This threat "spreads" via a hyperlink that is received via AOL Instant Messenger. Recipients may receive a message such as:
hey check out this ...
Following the hyperlink results in users being prompted to save/run an executable file. If users choose to download and/or run this file, Oscarbot will contact a remote IRC server, log on to a specified channel and wait for further instructions. One of these instructions can result in the bot program sending the aforementioned hyperlink to all recipients on the infected user's buddy list. Technically not a worm, this threat requires a bot commander to initiate the "spimming" (IM spam) routine.
|
-
At the end of April, New York state filed a major lawsuit against a company that bundles tracking and monitoring agents with some of its free software offerings.
Adware/spyware vendor sued over 'invasive' software
Fines against Intermix Media could reach $1.85B
http://www.oag.state.ny.us/press/2005/apr/apr28a_05.html
APRIL 28, 2005 (COMPUTERWORLD) - New York state has gone on the attack against spyware and adware by filing a lawsuit against a Los Angeles-based marketing company that allegedly installed the "invasive" software onto consumers' computers without proper notice as part of free software downloads.
|