December 2005 - Posts
The Trojan horse version is out and there's speculation that an email-based version may follow.
Trojan Characteristics: This threat is detected as W32/Bagle.gen with the 4651 DAT files, or newer. This is a downloader trojan. However, like previous Bagle variants, it is likely that in the near future the author(s) will post an accompanying EXE ...
EMAIL TO BLOCK OR AVOID
Subject: New Year's
Subject: New Year's Day.
Subject: Happy New Year
Subject: We congratulate happy New Year
Message: Password: --LINK TO IMAGE FILE--
Message: The password is --LINK TO IMAGE FILE--
Seasonal email attachments, HTML messages, Electronic Greeting Cards, and URL links can potentially contain spyware or viruses. It's a popular approach and one idea offered by the Internet Storm Center is to send "plain text" messages to our family and friends. This approach communicates a good personal message and it also promotes security awareness. As a best practice, I've always advocated sending a real greetings card in lieu of e-cards.
Best Practices: Send Real Greeting Cards or Plain Text Messages
Please delete all associated email claiming to offer update protection from Kongo31.XRW. McAfee does not send out email notices like this, and you should continue to update through normal channels.
QUOTE: We've received several reports of emails, warning about a new virus called "Kongo31.XRW" (which doesn't exist). The email links to a fake McAfee site, hosted in Canada: The download link gets you a file called ak26xrw-patch-installer-win32.exe - which (surprise, surprise!) is infected with Trojan-Downloader.Win32.Hanlo.h
Kongo31.XRW -- False McAfee download links
Kongo31.XRW -- email Example
Kongo31.XRW -- Special McAfee warning
Security patches have been issued for both Windows and Internet Explorer. This update went well on my home PC with no issues and I recommend updating all workstations as soon as possible.
Windows Update Link
Microsoft Security Bulletin MS05-054
Cumulative Security Update for Internet Explorer (905915)
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Security Update Replacement: This update replaces the update that is included with Microsoft Security Bulletin MS05-052. That update is also a cumulative update.
Addresses four vulnerabilities in Internet Explorer:
1. File Download Dialog Box Manipulation Vulnerability (CAN-2005-2829)
2. HTTPS Proxy Vulnerability (CAN-2005-2830)
3. COM Object Instantiation Memory Corruption Vulnerability (CAN-2005-2831)
4. Mismatched Document Object Model Objects Memory Corruption Vulnerability (CAN-2005-1790)
Microsoft Security Bulletin MS05-055
Vulnerability in Windows Kernel Could Allow Elevation of Privilege (908523)
Impact of Vulnerability: Elevation of Privilege
Maximum Severity Rating: Important
Addresses the following vulnerability in Windows: Windows Kernel Vulnerability - A privilege elevation vulnerability exists in the way that asynchronous procedure calls are processed within the kernel. This vulnerability could allow a logged-on user to take complete control of the system (CAN-2005-2827).
Yesterday, a brand new exploit affecting OLDER versions of Firefox was published. It is important to stay up-to-date on the latest product versions, as security updates are often a critical component of each version update.
Mozilla Firefox "InstallVersion.compareTo" Remote Buffer Overflow Exploit
Please be careful at this site, as actual exploit code resides there.
Original Advisory from July 2005
Remotely Exploitable : Yes
Locally Exploitable : Yes
Affected Products: Mozilla Firefox 1.0.4 and prior, Mozilla Suite 1.7.8 and prior, Thunderbird 1.0.2 and prior
Solution: Upgrade to Mozilla Firefox 1.5 or later versions of the Mozilla Suite and Thunderbird
Personally, I'm still receiving lots of copies of Sober.X on a daily basis in my personal email accounts. On an infected PC, Sober.X creates a backdoor that allows it to auto-update. Both F-Secure and CERT have issued warnings for new malware updates that will be automatically scheduled on January 6, 2006.
Secunia - Sober.X (CME-681) Anti-Virus links
F-Secure details how the URL calculation process works
QUOTE: Sober.Y was the biggest email outbreak of the year. It still is responsible for around 40% of all the infections we see. This variant is programmed to activate on January 5th, 2006. After this date all the infected machines will regularly try to download and run a file from a website, forever.
So, what URL is the virus using? This is the tricky part. The virus writer knows well that if he uses a single, constant address in the virus body, it will get blocked quickly. So instead, Sober has been using an algorithm to create pseudorandom URLs which will change based on date. These URLs point to free hosting servers typically operating in Germany or in Austria. And 99% of the URLs generated by the virus simply don't exist.
However, the virus author can precalculate the URL for any date, and when he wants to run something on all the infected machines, he just registers the right URL, uploads his program and BANG! It's run globally in hundreds of thousands of machines.
Special CERT warning
QUOTE: US-CERT is aware of functionality that could allow the mass-mailing worm known as "W32/Sober.X" to automatically update itself. W32/Sober.X is a bi-lingual (English and German) mass-mailing worm that utilizes its own SMTP engine to propagate. The W32/Sober.X worm began propagating on November 15, 2005 and will attempt to update itself on or around January 5, 2006.
US-CERT strongly recommends that users and administrators implement the following general protection measures:
* Install anti-virus software, and keep its virus signature files up-to-date
* Do not follow unsolicited web links or execute attachments received in email messages, even if sent by a known and trusted source
* Keep up-to-date on patches and fixes for your operating system
Trend notes that at least three new JavaScript-based viruses have emerged which exploit the unpatched 911302 IE vulnerability. Please be careful using Internet Explorer and visit only websites you trust.
More information: Microsoft Security Advisory (911302)
A new critical proof-of-concept exploit has been published for Oracle 9 web-based apps.
Oracle 9i Database XDB HTTP Authentication Remote Stack Overflow Exploit
The danger is associated with copy-protection software included on some Sony discs created by a company called SunnComm Technologies. The vulnerability could allow malicious programmers to gain control of computers that have run the software, which is typically installed automatically when a disc is put in a computer's CD drive.
Sony lists 27 CDs with SunnComm MediaMax vulnerability
27 CDs containing SunnComm MediaMax Version 5 Content Protection Software
The difficulties related to a bad copy protection design continue ...
Welomoch - Sony BMG based trojan horse
Trojan.Welomoch is a Trojan horse that attempts to utilize XCP software to hide W32.HLLW.Antinny, which it drops on to the compromised computer. The XCP software is installed by inserting certain Sony BMG content-protected music CDs into the computer.
F-Secure published a great weblog entry sharing an account of cleaning the Crepate multipartite MBR-based virus in 1993. While I've been working with PCs since 1981, this was the year computer viruses began to become more prominent. This was close to the timeframe when the Michelangelo virus was prominent in the news, and that was the first major virus our company had to defend against. The article on Crepate brought back some memories of having to clean and repair systems with MBR-based infections:
Article: Cleaning the Crepate computer virus in 1993
F-Secure Security Bulletin 210 - May 1993
Please be careful during the holiday period, avoiding all suspicious URLs and attachments.
New AIM Worm - Uses spoofed Holiday Greeting Card link
QUOTE: Malware authors just opened their own holiday season. We received a couple of reports of a new AIM worm spreading. The worm is simple and doesn't exploit any vulnerability; instead it relies on social engineering. The user will receive the following AIM message:
"This AIM user has sent you a Greetings Card, to open it visit: http://greetings.aol.com/..." <link is spoofed to a hostile web site where the privacy of the user could be affected>
A new email scam is circulating that appears to be legitimate correspondence from the IRS. They would never contact someone by email in this manner, so please delete these messages or call your nearest IRS office to confirm this.
IRS based Phishing Attack
US-CERT has received reports of a phishing email scam that attempts to convince the user that it is from the Internal Revenue Service (IRS) by using a spoofed "From" address of "email@example.com".
Upon clicking on the link provided in the email, the user is taken to a fraudulent site that looks like a legitimate U.S. government site. The user is then asked to provide personal information, such as their Social Security, credit card, and bank PIN numbers.
Some great advice from CERT on emails that appear to be legitimate:
Avoiding Social Engineering and Phishing Attacks
There are a number of great products you can purchase to protect your system. Many of these offer advanced features and conveniences such as autoupdating. Still, many home users don't want to invest in security products that might have an annual maintenance or renewal charge.
In many cases, you get what you pay for. However, in my testing I've found several great FREE security products (e.g., Lavasoft AdAware SE, Zone Alarm 6, AVG 7, Microsoft's Antispyware beta, etc.) that are not only free but also top basic products. These solutions might require a little more work, as you may not have some of the automation found in premium products. However, they are definitely better than nothing at all.
Most importantly, keep every product on your PC as up-to-date as possible on security patches. It's free, and many attacks are based on existing security holes, so updating can make your PC a little more bullet-proof.
Sunbelt Blog on Cheap Security Solutions
QUOTE: The simple fact is good internet security is based on what I call the Four Pillars of Internet Security. They are:
• Firewall protection
QUOTE: The first categories we tackle—antispyware, antivirus, and firewall—deal with security. If you have a PC that's connected to the Net, even intermittently, you need to protect it.
Microsoft's Safety.Live - Online virus scanner
Microsoft's Free Windows Update
Update after the 2nd Tuesday of each month