March 2006 - Posts
This McAfee AV False Positive Issue was limited in scope, but users could encounter it on a few files and moving to the latest DAT files solves this.
DAT 4726 - False Positive Issue with Dollar Revenue detection
http://secunia.com/virus_information/27941/dollarrevenue/
The 4726 DAT files contain an incorrect identification on a limited number of executables. This was corrected in the 4727 DAT files. If McAfee users are seeing a Dollar Revenue detection, ensure that you are running the latest DAT files.
CERT has issued the following bulletin with information and links related to the new unpatched vulnerabilities recently discovered in Internet Explorer.
http://www.kb.cert.org/vuls/id/876678
Disable Active Scripting
Known attack vectors for this vulnerability require Active Scripting to be enabled. By disabling Active Scripting, the chances of exploitation are reduced. For instructions on how to disable Active Scripting in Internet Explorer, please refer to the Internet Explorer section of the Securing Your Web Browser document.
Additional workarounds are available in Microsoft Security Advisory 917077.
Trend and Symantec have added generic detection for the new unpatched vulnerability in Internet Explorer that Microsoft is working on a patch for. McAfee and other AV vendors have recently added protection and it's beneficial to stay as up-to-date as possible and use the safest practices in email, IM, and web surfing.
Trend's Generic Protection
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=EXPL%5FTXTRANGE%2EA
This is Trend Micro's detection for a zero-day exploit that takes advantage of a vulnerability in the createTextRange Method call process in Internet Explorer. Using the aforementioned method enables a user to create a text range within an object.
This exploit causes an error in the mentioned text range, which is applied to a radio button control, allowing malicious Web sites to consume a large amount of an affected system's memory and to execute arbitrary code on the system. It can also download and execute malicious code on the system.
Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This poses a threat in which a lot of computers may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.
Symantec's Generic Protection
http://www.sarc.com/avcenter/venc/data/bloodhound.exploit.61.html
Bloodhound.Exploit.61 is a heuristic detection for the Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability (BID 17196).
Microsoft is working on a security update targeted for the April updates. Quality and testing are important as IE is a very complex product to patch. This security patch could be released sooner if needed.
IE CreateTextRange vulnerability - Status from Microsoft
http://blogs.technet.com/msrc/archive/2006/03/25/423116.aspx
A few overnight developments are summarized below:
JS_DLOADER.BXR
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FDLOADER%2EBXR&VSect=T
This malicious JavaScript is a zero-day exploit that takes advantage of a vulnerability in the createTextRange Method call process in Internet Explorer. A text range enables a user to modify text within an object. This JavaScript causes an error in the mentioned text range, which is applied to a radio button control, allowing malicious Web sites to consume a large amount of an affected system's memory and this JavaScript to execute arbitrary code on the machine.
It should be noted that zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose a dangerous situation in which a lot of computers may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it. Thus, Trend Micro recommends that users avoid visiting Web sites of questionable origin to help prevent possible infection by this malware.
Downloader-AVK - IE CreateTxtRange based trojan
http://vil.nai.com/vil/content/v_139048.htm
This trojan was discovered in connection with the Exploit-CreateTxtRng trojan. A hacked webserver contains exploit script, which results in a file named ca.exe being downloaded from another hacked webserver. ca.exe is Downloader-AVK. This trojan simply attempts to download and execute another trojan, calc.exe, from the same compromised webserver. calc.exe is a new password stealing trojan, PWS-PartyPooper.
PWS-PartyPooper
http://vil.mcafeesecurity.com/vil/content/v_139049.htm
This trojan was discovered in connection with the Downloader-AVK trojan, which was installed via the Exploit-CreateTxtRng trojan. This password stealing trojan scans your system for stored passwords and monitors the websites that you visit for the purpose of sending all this information to the trojan author/distributor.
The following is an advisory reflecting the latest information and guidance by Microsoft:
Microsoft Security Advisory (917077) - Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/917077.mspx

IE Vulnerability - ISC back to Green with 12 sites reported so far
http://www.incidents.org/diary.php?storyid=1216
QUOTE: We have decided to return the InfoCon to green for the start of the weekend. We feel that everyone that is going to has reacted to the latest exploit for IE and wanted to start the weekend in normal mode.
We do want to remind everyone however that this is a serious problem. We have received information that at least a dozen sites exist out there that are working the exploits.
McAfee and other AV vendors are adding enhanced protection to cover some of the exploits that are beginning to emerge in the wild.
Internet Explorer Vulnerability - McAfee has provided enhanced protection
http://vil.nai.com/vil/content/v_139047.htm
Quote: -- Update March 24, 2006 -- The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.com.com/Dangerous+code+on+Net+could+be+used+to+exploit+IE+hole/2100-1002_3-6053456.html?tag=cd.top
An EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page (the cmd-line scanner / email / gateway restrictions are not present in the extra.dat file. However, scanning for unknown macro and script viruses must be enabled).
This detection covers code attempting to exploit a Microsoft Internet Explorer "createTextRange()" Code Execution vulnerability. This exploit was first seen on March 22, 2006 in Denial of Service (DoS) form. On March 23, 2006, code execution exploits began to appear. The 4726 DAT files contain enhanced JS/Exploit-BO.gen detection to cover those code execution exploits.
Microsoft issued an advisory last night to respond to the new unpatched Internet Explorer vulnerability and proof-of-concept exploit developments. We should be careful with websites, keep AV protection updated, and watch for an upcoming patch or other solutions.
Microsoft Security Advisory (917077)
Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/917077.mspx
OVERVIEW
Microsoft has confirmed new public reports of a vulnerability in Microsoft Internet Explorer. Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user. We have seen examples of proof of concept code but we are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.
WHAT CAUSES THE THREAT?
When Internet Explorer displays a Web page that contains certain unexpected method calls to HTML objects, system memory may be corrupted in such a way that an attacker could execute arbitrary code. Specifically, the public postings discuss a potential behavior in Internet Explorer in the way that HTML objects may handle an unexpected createTextRange() method call to an HTML object. A Web page that is specially crafted to exploit this vulnerability will cause Internet Explorer to fail. As a result of this, system memory may be corrupted in such a way that an attacker could execute arbitrary code.
SUGGESTED ACTIONS & WORKAROUNDS
* Microsoft encourages users to exercise caution when they open e-mail messages and links in e-mail messages that come from untrusted sources.
* Customers are encouraged to keep their antivirus software up to date.
* Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zones.
* Set Internet and Local intranet security zone settings to "high" to prompt before Active Scripting in these zones.
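As an added check (not part of the advisory or the original post), the following Python script reads the two zone settings the workarounds above refer to and reports whether Active Scripting is set to prompt or disabled. It assumes the standard per-user location of the Internet Explorer zone settings and the "1400" URL action value for Active scripting (0 = enabled, 1 = prompt, 3 = disabled); the sample values in the main block are constructed.

```python
import sys
from typing import Dict, List, Optional, Tuple

# Per-user IE zone settings live under this key; each zone is a numbered subkey
# and each URL action is a DWORD value named by its action id.
ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ACTIVE_SCRIPTING = "1400"          # URLACTION_SCRIPT_RUN, shown as "Active scripting"
ZONE_NAMES = {1: "Local intranet", 3: "Internet"}   # the two zones the advisory names
ACTION_STATES = {0: "enabled", 1: "prompt", 3: "disabled"}
ACCEPTABLE = {"prompt", "disabled"}  # either one satisfies the advisory's workaround


def assess_zone(zone_id: int, raw_value: Optional[int]) -> Tuple[str, str, bool]:
    """Interpret one zone's Active scripting DWORD.

    Returns (zone name, human-readable state, workaround applied?). A missing
    value means the zone falls back to its built-in default, which for the
    Internet zone is "enabled", so it is reported as not applied.
    """
    name = ZONE_NAMES.get(zone_id, f"zone {zone_id}")
    if raw_value is None:
        state = "not set (zone default)"
    else:
        state = ACTION_STATES.get(raw_value, f"unknown value {raw_value}")
    return name, state, state in ACCEPTABLE


def assess_all(values: Dict[int, Optional[int]]) -> List[Tuple[str, str, bool]]:
    """Assess every zone the advisory covers; values maps zone id -> DWORD or None."""
    return [assess_zone(z, values.get(z)) for z in sorted(ZONE_NAMES)]


def read_live_values() -> Dict[int, Optional[int]]:
    """Read the current user's settings from the registry (Windows only).

    Caveat: values pushed by Group Policy (the ...\\Policies\\... keys, or HKLM
    when Security_HKLM_only is set) take precedence over these per-user values.
    """
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    values: Dict[int, Optional[int]] = {}
    for zone_id in ZONE_NAMES:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, f"{ZONES_KEY}\\{zone_id}") as key:
                values[zone_id] = int(winreg.QueryValueEx(key, ACTIVE_SCRIPTING)[0])
        except OSError:
            values[zone_id] = None
    return values


if __name__ == "__main__":
    # Constructed fallback sample: Internet zone still allows scripting, intranet prompts.
    sample = read_live_values() or {3: 0, 1: 1}
    for name, state, ok in assess_all(sample):
        print(f"{name:15s} Active scripting: {state:25s} workaround applied: {ok}")
```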

Due to PoC exploits that can be easily crafted into more dangerous attacks, the Internet Storm Center has declared a Yellow Alert. Be very cautious with all URLs in emails, IM messages, and on the web.
Internet Explorer Exploit in-the-wild - ISC yellow alert
http://isc.sans.org/diary.php?storyid=1212
Original Advisory
http://secunia.com/advisories/18680/
If you use Real Player or Rhapsody, there are critical security updates that should be applied as soon as possible.
http://service.real.com/realplayer/security/03162006_player/en/
RealNetworks is making available product upgrades that contain security bug fixes. We have received no reports of any machines actually compromised as a result of the now-remedied vulnerabilities.
http://secunia.com/advisories/19358/
Some vulnerabilities have been reported in various RealNetworks products, which can be exploited by malicious people to compromise a user's system.
1) A boundary error when processing SWF files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user's system.
2) A boundary error within the handling of web pages can be exploited via a specially crafted web page on a malicious server to cause a heap-based buffer overflow. This may allow execution of arbitrary code on the user's system.
3) A boundary error in the processing of MBC files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user's system.
This is one of the best in-depth overviews of what Microsoft's next generation Operating System will reflect. I'm definitely anxious to try this out in the future and we're saving up for a new family PC, so that we have the right hardware to enjoy the new graphics and other capabilities that are coming in early 2007.
Windows Vista - An inside Look by CNET
Note - There are 4 pages for this in-depth article (use page links at bottom)
http://news.com.com/An%2Binside%2Blook%2Bat%2BWindows%2BVista/2100%2D1043_3%2D6051736.html
Windows Vista - Security & Networking Overview (page 3)
http://news.com.com/An+inside+look+at+Windows+Vista+-+page+3/2100-1043_3-6051736-3.html
Some of the key summaries are quoted below, but the whole article is informative and worthwhile reading:
Windows Desktop Manager
The next version of Windows brings an end to 20 years of 2D desktop rendering. Windows Aero is actually just a theme, or skin type, used by the Desktop Windows Manager, a new graphical system built into Windows Presentation Foundation. While Windows Vista is Microsoft's DirectX 10 vehicle, the 3D Desktop Windows Manager requires only DirectX 9.0. The switch to 3D rendering means that Windows will now have a use for that fancy $400 graphics card on the desktop.
Windows Aero
Aero is Microsoft's new default 3D desktop theme. Gone are the bright blues and smooth color gradients of Windows XP. The new transparent Aero theme features subdued colors and unobtrusive, rounded corners ready for the Web 2.0 era. Transparencies and soft fade effects give Aero a polished look. The borders of each window blur objects lying under them, leaving the window you are working on in focus while giving you a hint of what lies beneath. It's all very pretty.
Graphics card requirements
Windows Vista doesn't have official minimum system requirements yet, but Microsoft has recommended at least 512MB of memory, a "modern" Intel or AMD processor and a DirectX 9.0 graphics card for the current Windows Vista Beta 1. You'll need to have the right hardware to get the full Windows Vista experience.
Search
Windows Vista was supposed to come with WinFS, a systemwide relational database designed to make file navigation more enjoyable than playing on your Xbox 360. Microsoft had to cut WinFS out of the release in order to meet the launch schedule, but it should be available as a download for both Windows Vista and Windows XP once it's released. A pervasive database lets users and programmers create deep relationships between files. Imagine instead of just finding a folder full of pictures, you could easily find pictures with only you in them, from specific dates, and even certain events--all at the same time. That's what WinFS is supposed to do.
Organization
Windows Vista will also let you save searches as a virtual folder. When you open the folder, it runs the search to populate the folder with items. By running the search in real-time, the virtual folder will be able to catch and display all the new files that meet the search criteria. Virtual folders don't recopy your files, so you can safely delete the virtual folder without losing any data. Microsoft's new metatag feature will help you better organize your files by allowing you to attach description "tags" to a file to make it easier to find and organize.
Explorer
Microsoft has overhauled the Windows Start Menu to make it easier to find and access programs. The left side of the menu displays the most recently used programs, and the All Programs menu selection at the bottom now transforms the entire left menu area into a program-navigation menu, instead of opening an unwieldy navigation menu that expands rightward.
Security (see page 3 link above for a more in-depth overview)
If you've used Windows XP in the last few years, you know security hasn't exactly been its strong suit. Numerous folks have shown that an unprotected PC with a fresh install of Windows XP can be compromised within minutes of being connected to the Internet. Microsoft has released a series of security updates and service pack releases over the years, but it has been tough keeping up when all the black hats are gunning for you. You can find a plethora of antivirus, antispyware, and malware companies shilling their wares to make up for the inadequacies of the PC operating system.
The new OS comes with an upgraded, built-in firewall, new user-access protocols, a more secure version of Internet Explorer, a new version of Windows Defender, and sports new features like parental controls, full-drive encryption, and device-driver blocking.
For Windows Vista, Microsoft tweaked the user accounts to offer extra privileges, while reserving critical privileges for special use on the administrator account. Users should now be able to run all programs and change minor settings without being logged in as the administrator. To enhance security further, even if you log in as an administrator, Vista will automatically prompt the user for the proper credentials before continuing with a program's request.
Networking
Windows Vista will come with a completely reworked networking stack. The next-generation TCP/IP stack will work with IPv4 and IPv6, and will also support auto-tuning and quality-of-service features. Wireless traffic will receive numerous boosts in technology to better accommodate for lost packets, bad signals, and large amounts of electromagnetic interference. All these features boil down to better, more-consistent transfer rates for your existing Internet connection.
DirectX 10
Microsoft rebuilt its Direct3D API from scratch for Windows Vista, and Direct3D10 will serve as the base for all future Direct3D innovations throughout the life span of the Windows Vista operating system. Because the Direct3D10 foundation has to serve game developers through the next decade, Windows Vista will streamline and open up Direct3D with several forward-looking features that will help programmers create better games and get more performance out of PC hardware.
A new password stealing trojan horse has emerged that uses rootkit techniques to hide from AV products and it transmits passwords from websites allowing security to be compromised. The old axiom of "Think before you click" is always important for URLs in email, IM, or when surfing the Internet.
Rootkit.Hearse - Article on Dangers
http://www.pcadvisor.co.uk/news/index.cfm?newsid=5869
Rootkit.Hearse - Related AV links
http://vil.nai.com/vil/content/v_138991.htm
http://secunia.com/virus_information/27816/pws-banker.be/
http://www.f-secure.com/v-descs/hearse_a.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FHEARSE%2EA
http://securityresponse.symantec.com/avcenter/venc/data/trojan.goldun.k.html
Security researchers at Sana Security are warning of a new type of malicious software designed to steal usernames and passwords from web surfers. The malware, dubbed "rootkit.hearse", uses rootkit-cloaking techniques, making it extremely difficult to detect.
To steal information, however, the software must first be downloaded on to a user's system. This can be done by tricking the user into downloading the malicious code, or by infecting a computer with some other form of malware. Once installed, it sends the sensitive information to a server in Russia that appears to have been in operation since 16 March, Sana said.
The software has two components: a Trojan horse application that communicates with the Russian server, as well as rootkit software that cloaks the malicious software from system tools and antivirus programs. Sana has observed the software being downloaded in conjunction with the Win32.Alcra worm.
The latest version of the MyDoom virus may now be using rootkit techniques to stay hidden better from AV software. Developments should be carefully watched.
Gurong.A - New MyDoom variant using Rootkit techniques
http://www.f-secure.com/v-descs/gurong_a.shtml
http://www.f-secure.com/weblog/archives/archive-032006.html#00000838
QUOTE: Yesterday we received an interesting email-worm sample, detected as Gurong.a, that uses rootkit techniques to hide its file, process and launch point in the registry. It is based on the infamous Mydoom code and it is in the wild but currently spreading very slowly.
Gurong.a modifies the operating system kernel, specifically the system service table and process object structures, so it is a kernel-mode rootkit. What makes it different from other kernel-mode rootkits we have seen is the way it installs the rootkit payload into kernel. Often malware uses a special purpose driver or the physical memory device to modify the kernel from user mode.
F-Secure's Blacklight Tool helps find Rootkits
http://www.f-secure.com/blacklight/
This is one of three new rootkit approaches being documented this morning. Hopefully, 2006 won't be the year of the Rootkit.
Trojan.Abwiz.F - New trojan horse uses Rootkit approach
http://securityresponse.symantec.com/avcenter/venc/data/trojan.abwiz.f.html
Trojan.Abwiz.F is a Trojan horse with rootkit abilities that downloads and executes remote files and sends confidential computer information to a remote attacker. The Trojan also allows a remote attacker to perform various unauthorized actions on the compromised computer.
A newly discovered Internet Explorer security issue has surfaced, but so far there are no known exploits. Everyone should be careful with email links or websites with any browser.
New Internet Explorer Security Issue - create text range vulnerability
http://secunia.com/advisories/18680/
http://www.incidents.org/diary.php?storyid=1209
Rating: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x, 7 preview
Description: Secunia Research has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error in the processing of the "createTextRange()" method call applied on a radio button control. This can be exploited by e.g. a malicious web site to corrupt memory in a way, which allows the program flow to be redirected to the heap.
Successful exploitation allows execution of arbitrary code. The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview. Other versions may also be affected.
Solution: Do not visit untrusted web sites.
Microsoft Response: http://blogs.technet.com/msrc/archive/2006/03/22/422849.aspx
A new "alpha" version of Firefox 2.0 was made public for testing today. This is also known as "Bon Echo". As I enjoy working with any type of computer technology, I had to try this new version. So far it's been working very smoothly for me, as I had a simplified Firefox 1.5.0.1 environment with no themes or extensions (in fact I use my own menu based web pages in lieu of bookmarks).
Anyone wishing to test this should have a good working knowledge of Firefox and how to resolve any issues, as there is no support for the new alpha version. This 1st release is intended for IT professionals, web developers, and experienced individuals.
Firefox 2.0 alpha set for release
http://msn.com.com/2100-3513_22-6052412.html
Firefox 2.0 - Recommendations from the Wiki site:
http://wiki.mozilla.org/Places#Goals_.26_Objectives
Firefox 2.0 - Release notes
http://www.mozilla.org/projects/bonecho/releases/2.0a1.html
Firefox 2.0 - Download and installation instructions
http://www.mozillazine.org/talkback.html?article=8146
Bon Echo Alpha 1 is a developer preview release of our next generation Firefox browser and it is being made available for testing purposes only. Bon Echo Alpha 1 is intended for web application developers and our testing community. Current users of Mozilla Firefox 1.x should not use Bon Echo Alpha 1.
This is a new variant from one of the most advanced virus families. Hopefully, it will not spread extensively in the wild.
MyDoom.BK - New advanced virus variant
http://secunia.com/virus_information/27791/mydoom.bk/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYDOOM%2EBK&VSect=T
This worm propagates via email using its own SMTP (Simple Mail Transfer Protocol) engine. Through this SMTP engine, it is able to easily send the said email message even without using other mailing applications.
Subject: (Any of the following)
• {Random characters}
• Greetings!
• Hello friend ;)
• Hey dear!
• Hey! How are you doing bud?
• Re: Hello
• Re: I got it! Try it now!
• Re[2]: wazzup bro
• Wazzap bro!!
These copies may use any of the following extension names:
COM
EXE
PIF
TXT {Spaces}.SCR
TXT{Spaces}.EXE
TXT{Spaces}.PIF
ZIP
Renama.A can reply to Outlook emails (so it looks more legitimate than regular spam) & it uses ZIP attachments. It can also spread across unprotected network shares.
QUOTE: This new virus goes through the MS Outlook inbox, and replies to any emails found. The email will have the following properties:
Subject - One of the following:
[NAME], your name is listed in terrorism organisation..!!!
[NAME], this file from me (%s)
*** Note: [NAME] is taken from the contents of the user's emails.
Message - One of the following:
1. if you are not sure, please read attachment bellow, and please reply to me..!!! this message is very urgent..!!!! hope we don't have miss understanding thank's...!!!
2. This attachment contain listname of terrorist..!!! hope you can be carrefull if you find one of them..!!!! or you can reply this email to me after you read the attachment thank's...!!!
Attachment: [RANDOM].zip
Renama.A: Replies to email & uses ZIP files
http://secunia.com/virus_information/27783/renama.a/
http://www.sarc.com/avcenter/venc/data/w32.renama.a@mm.html
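As an added example, not part of either vendor write-up or the original posts, the mail characteristics listed for MyDoom.BK (the subject lines and the padded "TXT {Spaces}.SCR" attachment names) and for Renama.A (the reply subjects and ZIP attachments) turned into a small mail-gateway check in Python. The sample messages at the bottom are constructed, and the function and constant names are this example's own.

```python
import re
from typing import List

# MyDoom.BK subject lines quoted above; "{Random characters}" cannot be matched literally.
MYDOOM_BK_SUBJECTS = {
    "greetings!", "hello friend ;)", "hey dear!", "hey! how are you doing bud?",
    "re: hello", "re: i got it! try it now!", "re[2]: wazzup bro", "wazzap bro!!",
}

# Renama.A subject templates; [NAME] is filled in from the victim's own mailbox and
# (%s) with a filename, so both are matched as wildcards.
RENAMA_A_SUBJECTS = [
    re.compile(r"^.+, your name is listed in terrorism organisation\.\.!!!$", re.I),
    re.compile(r"^.+, this file from me \(.+\)$", re.I),
]

EXECUTABLE_EXTENSIONS = {"com", "exe", "pif", "scr"}

# "TXT {Spaces}.SCR": a harmless-looking extension, then whitespace padding that pushes
# the real executable extension out of the visible part of a mail client's attachment line.
PADDED_EXTENSION = re.compile(r"\.(\w+)[ \t]+\.(\w+)$")


def real_extension(filename: str) -> str:
    """The extension Windows actually uses to launch the file (text after the last dot)."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def is_padded_double_extension(filename: str) -> bool:
    match = PADDED_EXTENSION.search(filename)
    return bool(match) and match.group(2).lower() in EXECUTABLE_EXTENSIONS


def classify_message(subject: str, attachments: List[str]) -> List[str]:
    """Return the indicators found in one message; an empty list means nothing matched."""
    reasons = []
    subj = subject.strip()
    if subj.lower() in MYDOOM_BK_SUBJECTS:
        reasons.append("subject matches MyDoom.BK list")
    if any(p.match(subj) for p in RENAMA_A_SUBJECTS):
        reasons.append("subject matches Renama.A template")
    for name in attachments:
        if is_padded_double_extension(name):
            reasons.append(f"padded double extension: {name!r}")
        elif real_extension(name) in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable attachment: {name!r}")
        elif real_extension(name) == "zip":
            # A ZIP on its own is weak evidence; it is reported so it can be weighed
            # together with a subject match rather than blocked outright.
            reasons.append(f"zip attachment: {name!r}")
    return reasons


# Constructed sample messages (not real captures) covering the three outcomes.
SAMPLE_MESSAGES = [
    ("Re: I got it! Try it now!", ["readme.txt                .scr"]),
    ("John, this file from me (photo.zip)", ["x7f3k.zip"]),
    ("Re: Q2 budget figures", ["budget.xls"]),
]


def scan(messages):
    """Map each message index to its indicators; messages with none are omitted."""
    flagged = {}
    for i, (subject, attachments) in enumerate(messages):
        reasons = classify_message(subject, attachments)
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_MESSAGES).items():
        print(f"message {index}: {'; '.join(reasons)}")
```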
The following links provide instructions on how to submit malware samples to Microsoft. This also includes emails with hostile URLs, viruses, spyware samples, or anything of a suspicious nature.
http://www.incidents.org/diary.php?storyid=1205
If you encounter some nastiness that you'd like to see Microsoft include in their monthly MRT updates, send email to the following Microsoft email addresses depending on sample type. Please use the AV industry standard password for malware samples, 'infected', to protect a zip or rar file containing your submitted sample.
http://silverstr.ufies.org/blog/archives/000931.html
QUOTE: Microsoft has recently streamlined their process for receiving samples of malicious software or spyware ... Samples sent to the following addresses will be automatically processed into the Microsoft Antimalware Team analysis queue:
An excellent writeup featured on Princeton University's website.
http://itpolicy.princeton.edu/pub/sonydrm-ext.pdf