
Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

October 2006 - Posts

Stration Worm -- Tricky new malware unnerves security vendors

Sharing an article on Stration, which is on the watchlist for developments, as it's now one of the leading email worms.

Stration Worm -- Tricky new malware unnerves security vendors
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004601

QUOTE: October 30, 2006 (IDG News Service) -- A tricky malicious program has become more prevalent in spam, but experts don't know what its creators plan to do with it. Many vendors are rating the malware -- called "Warezov," "Stration" and "Stratio" -- as a low risk. But they also say that it is tricky to deal with.

The malware is a mass-mailing worm that affects machines running Microsoft Corp.'s Windows OS. When the malware infects a computer -- usually after the user has opened an attachment containing the worm in a spam e-mail -- it sends itself out again to other e-mail addresses found on the computer. The code is then capable of downloading new versions of itself as frequently as every 30 minutes from a batch of Web sites, said Mikko Hypponen, chief research officer at F-Secure Corp., a security company in Helsinki.

Those new versions are created by a program on a server controlled by the hacker, Hypponen said.  In the past, malware has been known to create variations of itself, but the code to create those variations was contained inside the malware. So when a sample was obtained, security analysts could study it and identify potential new versions, he said.

Coincidentally, I just got a leading-edge Stration variant that McAfee, Symantec, and Microsoft didn't detect (as of 2pm EDT).

EMAIL SUBJECT TITLE: This is not shown on TV.
ATTACHMENT: picture0000.zip (0000=number)


QUOTE: Complete scanning result of "picture1656.zip", processed in VirusTotal at 10/31/2006 19:37:49 (CET).

[ file data ]
* name: picture1656.zip
* size: 13321
* md5.: 17653f8f867ef7a6f5b9dd4be2f55902
* sha1: c0c70aead05814cb35097fc2358615868fd67f42

[ scan result ]
AntiVir 7.2.0.34/20061031 found [TR/Dldr.Stration.C.6]
Authentium 4.93.8/20061031 found [W32/Warezov.GA]
Avast 4.7.892.0/20061031 found [Win32:Warezov-MF]
AVG 386/20061031 found [I-Worm/Stration]
BitDefender 7.2/20061031 found [Win32.Warezov.EW@mm]
CAT-QuickHeal 8.00/20061031 found [I-Worm.Warezov.ev]
ClamAV devel-20060426/20061031 found [Worm.Stration.YY]
DrWeb 4.33/20061031 found [Win32.HLLM.Limar.based]
eTrust-InoculateIT 23.73.41/20061031 found [Win32/Stration.Variant!Worm]
eTrust-Vet 30.3.3170/20061031 found nothing
Ewido 4.0/20061031 found nothing
F-Prot 3.16f/20061031 found [W32/Warezov.GA]
F-Prot4 4.2.1.29/20061031 found [W32/Warezov.GA]
Fortinet 2.82.0.0/20061031 found [W32/Stration.DU@mm]
Ikarus 0.2.65.0/20061031 found [Email-Worm.Win32.Warezov.gen]
Kaspersky 4.0.2.24/20061031 found [Email-Worm.Win32.Warezov.ev]
McAfee 4884/20061030 found nothing
Microsoft 1.1609 /20061031 found nothing
NOD32v2 1.1845/20061031 found [a variant of Win32/Stration]
Norman 5.80.02/20061031 found [W32/Stration.AOH]
Panda 9.0.0.4/20061031 found nothing
Sophos 4.10.0/20061026 found nothing
TheHacker 6.0.1.109/20061030 found [W32/Generic!zip-dobleextension]
UNA 1.83/20061031 found nothing
VBA32 3.11.1/20061031 found [MalwareScope.Worm.Warezov.1]
VirusBuster 4.3.15:9/20061031 found [Trojan.Opnis.Gen.14]

Listening - One of the most important communication skills

Many projects, including those centered around security, have failed due to folks not listening properly.  It's an important skill to always keep in mind when gathering input, coordinating tasks, or in simply reading our email.

Listening - One of the most important communication skills
http://blogs.techrepublic.com.com/tech-manager/?p=213

QUOTE: Failure to listen is the first step in miscommunication. Technical folks, even technical project managers, are not always the best communicators. If we do not listen, and listen carefully, to one another things get lost. More importantly, other successful people who share that crazy spark which keeps us going, feel the lack of attention. They start to feel ignored, undervalued, and unappreciated.

So, what's a poor listener to do? In my case I ask myself four questions before I go into a conversation. These questions have become my mantra, something I repeat over and over again throughout the day.
 
1. Who am I really going to listen to, the person or my own inner voice?
2. What can I learn from this person by being brave enough to listen?
3. When will I need to accept help from this person again?
4. How can I tell this person that I believe in them as much as they believe in themselves?

Internet Explorer 7 Window Injection Vulnerability

My settings are a little more secure than the IE 7 defaults.  So far, IE 7 has passed 2 of the 3 tests noted for IE 7 at Secunia.  The one area related to an Outlook Express vulnerability is not in the wild and would be mitigated through phishing controls and best practices. 

Secunia: Internet Explorer 7 Window Injection Vulnerability
http://secunia.com/advisories/22628/

QUOTE: A vulnerability has been discovered in Internet Explorer 7, which can be exploited by malicious people to spoof the content of websites.  The problem is that a website can inject content into another site's window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website.

TEST for vulnerabilities
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

MORE INFORMATION
http://msmvps.com/blogs/spywaresucks/archive/2006/10/30/228561.aspx

Sarbanes Oxley Blackbelt 404 - Excellent Blog Resource

This new blog resource evaluates SOX IT requirements and has several informative posts:

Sarbanes Oxley Blackbelt 404 - Excellent Blog Resource
http://www.sarbox404.com/

Windows XP - ICS DoS vulnerabilities and POC exploit

Below are additional links to follow up on the earlier good info Bill and Richard shared with us over the weekend.

Microsoft Windows NAT Helper Components DNS Denial of Service Vulnerability
http://www.frsirt.com/english/advisories/2006/4248

QUOTE: A vulnerability has been identified in Microsoft Windows, which could be exploited by malicious users to cause a denial of service. This flaw is due to a NULL pointer dereference error in the NAT Helper Components ("ipnathlp.dll") when processing requests via the "DnsProcessQueryMessage()" and "NatCreateRedirect()" functions, which could be exploited by attackers on the LAN to crash the Service Host Process by sending a specially crafted DNS request to a vulnerable system with Internet Connection Sharing enabled.

Note : A proof of concept exploit has been published.

ISC: Remote DoS released targets Windows Firewall/Internet Connection Sharing (ICS) service component
http://www.incidents.org/diary.php?storyid=1809

Microsoft ICS DoS FAQ
http://blog.ncircle.com/archives/2006/10/microsoft_ics_d.htm

Am I vulnerable? Checklist:
1) Are you running Windows XP?
2) Are you sharing your internet connection?

If the answer is yes to both of those, then you are vulnerable.

Mitigation:
1) Disable Internet Connection Sharing.
2) Block UDP port 53 (DNS) on the computer that is sharing the internet connection; manually set the DNS server to your ISP's DNS address.

Halloween: User Tricks and Security Treats

While this is humorous, it contains some good tips on better IT security controls for organizations.

Halloween: User Tricks and Security Treats
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004538

QUOTE: Thirteen malevolent spirits may haunt the halls and cubicles of your company, and if you're going to scare them into security compliance, you may need to get a little bit spooky yourself. Have a few treats up your sleeve to return for these goblins' sinister tricks.

E-Trade and Ameritrade suffer $22M impact from ID Theft

ID Thefts Slam Online Brokers
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=270665

QUOTE: Two of the top online stock brokerages in the U.S. disclosed that overseas hackers broke into some of their customer accounts during the past three months, resulting in combined losses of at least $22 million and leading both firms to take steps to bolster their security measures.

WinAmp Media Player - Critical Security Update

All WinAmp users should update to the latest WinAmp release to correct two critical security issues.

WinAmp Media Player - Critical Security Update
http://www.kb.cert.org/vuls/id/449092
http://www.winamp.com/player/version_history.php#5.31
http://secunia.com/advisories/22580/

Two vulnerabilities have been reported in Winamp, which can be exploited by malicious people to compromise a user's system.

1) An error in the Ultravox protocol handler during processing of the "ultravox-max-msg" header can be exploited to cause a heap-based buffer overflow via either a specially crafted playlist or a "shout:" or "uvox:" URI.

2) An error during the parsing of certain Lyrics3 tags can be exploited to cause a heap-based buffer overflow via either a specially crafted playlist or a "shout:" or "uvox:" URI.

The vulnerabilities are reported in versions 2.666 through 5.3.

SOLUTION -- Update to version 5.31
http://www.winamp.com/player/

Internet Explorer 7 - Another positive review

I've found George Ou to provide some good technical writing for Tech Republic.  He also shares that IE 7 is a "must have" upgrade and offers positive comments from a security perspective.

George Ou - Bottom line on IE7
http://blogs.techrepublic.com.com/Ou/?p=349

QUOTE: So what does IE7 really mean to individuals and companies?  If you're using IE6 as your primary browser, IE7 is a must have.  For IE6 users, IE7 will offer a huge improvement in the user interface though it is highly recommended that you follow the welcome tutorial to get acquainted with it.  The UI is much more streamlined and the traditional file-edit-view menu is always hidden though you can still make it show up by hitting the ALT key.  You will still have compatibility with IE-only webpages but the browser is also a lot more compatible with the web standards. Every one of my friends I've talked to has had a very positive experience with IE7 and we can thank Firefox for forcing Microsoft to deliver IE7 on Windows XP for free.

From a security standpoint, IE7 offers a huge improvement over IE6.  The two most recent zero-day exploits from last month for example only affected IE6 and not IE7 because the code auditing on IE7 was rigorous.  The ActiveX footprint in IE7 is about 90% smaller than IE6 because almost all of the ActiveX controls were completely disabled by default and only the most critical ActiveX controls for things like Media Player and Adobe Flash were kept on.  Even if you're running an alternative browser like Firefox, you're still going to want to get rid of IE6 by installing IE7 if you ever need to use IE for anything.

Microsoft MSRT Study on Malicious Software hiding in PCs

Currently most malicious software is designed to hide silently on infected PCs.  This article discusses findings from a recent Microsoft study.

Microsoft MSRT Study on Malicious Software hiding in PCs
http://articles.techrepublic.com.com/2100-1009_11-6129235.html

QUOTE:  More than 43,000 new variants of such insidious software were found in the first half of 2006, making them the most active category of malicious software, Microsoft said in a Security Intelligence Report published Monday. In June Microsoft also flagged zombies as the most prevalent threat to Windows PCs.

"Attackers, with financial gain in mind, are clearly concentrating a significant amount of development focus on this category of malware," Microsoft said in the report.

Of 4 million Windows PCs found to be infected with some kind of malicious software in the first half of this year, about 2 million were running malicious remote control software, Microsoft said. The data is collected by Microsoft's free Windows Malicious Software Removal Tool, which runs when security updates are installed on Windows PCs.

While the number is high, it is actually a decrease from the second half of 2005, when Microsoft found that 68 percent of infected PCs contained a backdoor Trojan. Meanwhile, hackers are trying harder to make their networks of hijacked computers go unnoticed by moving to new Web-based techniques.

Review: Firefox 2.0 first impressions

Below are two recent reviews: 

Review: Firefox 2.0 first impressions
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004398

Review: With Firefox 2, Mozilla touts security and speed
http://articles.techrepublic.com.com/2100-3513_11-6129141.html

QUOTE: The revamped Firefox includes a new interface theme and more security protection such as built-in phishing protection. It also has session memory, which, when the browser is re-opened, brings back the set of Web pages that were in use when it was last closed. Changes have also been made in the technology to import RSS feeds, which now offers a feed list view with title and first lines.

Final Review: The Lowdown on Office 2007

Final Review: The Lowdown on Office 2007
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003994

QUOTE: Simplify, simplify, simplify. The challenge for Microsoft in revamping Office was to better organize all the options available without negatively impacting productivity. For new users, that's a particularly important goal, since the menus and toolbars in current versions may appear to be a mishmash.

The overriding design goal for the new user interface, Microsoft says, is to make it easier for users "to find and use the full range of features these applications provide" while preserving "an uncluttered workspace that reduces distraction for users so they can spend more time and energy focused on their work." The redesign makes most Office 2007 applications look completely fresh, clean, new -- and more colorful. From Ribbons that offer clearly labeled buttons to thumbnail previews of most graphic features, the applications bear only a slight resemblance to their former selves.

Review: Just Say Yes to Internet Explorer 7

A positive review of IE 7 from both a security and functional standpoint.  The "just say YES" title encourages users to accept IE 7 when it is offered to them via Microsoft Update in November.

Review: Just Say Yes to Internet Explorer 7
(see page 4 for a positive review on security)

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004205

QUOTE: IE7 is a considerable improvement over IE6, and with new features such as tabbed browsing, RSS support, improved security and an integrated search box, it's well worth the upgrade.

Windows XP SP3 targeted for first half of 2008

This information is preliminary and based on the SP Roadmap.   

Article: Windows XP SP3 Pushed to 2008
http://www.betanews.com/article/Windows_XP_SP3_Pushed_to_2008/1161282900

QUOTE: Windows XP SP3 will be the first major upgrade to the operating system since XP SP2 debuted in August 2004. SP2 was an extensive upgrade, bringing a new security center and improvements in wireless networking and Internet Explorer. However, with SP3 arriving three years later, the update will focus on security patches and bug fixes rather than feature enhancements.

Microsoft's SP Roadmap
http://www.microsoft.com/windows/lifecycle/servicepacks.mspx

QUOTE: SP3 for Windows XP Professional is currently planned for 1H CY2008. This date is preliminary.

IE 7 - Popup Address Bar Spoofing Vulnerability

A browser is simply a processor of web objects and does what's asked of it while visiting a website.  Thankfully IE 7 has far better security than version 6.  This potential issue is minor and would be used for phishing attacks primarily.  In my own testing, this did not work in IE 7, Firefox 3.0a, or Opera 9.02.  Still, folks always need to be careful when visiting websites as no browser can protect you from all the risks out there.


ISC: IE 7 - Popup Address Bar Spoofing Vulnerability
http://www.incidents.org/diary.php?storyid=1804

Secunia
http://secunia.com/advisories/22542/

Browser Test Site for this new issue
http://secunia.com/internet_explorer_7_popup_address_bar_spoofing_test/

Firefox 2.0 release provides improved security and functions

Firefox 1.x users should upgrade for improved security and some new functions.  I use Firefox as a complementary browser to IE 7.  With excellent improvements to Internet Explorer and Firefox during October, users should move to these new technologies for improved security and functionality. 

The links below provide information related to this new release:

Firefox 2 Review
http://mozillalinks.org/wp/2006/10/firefox-2-review/

Firefox 2 - Release Notes
http://www.mozilla.com/en-US/firefox/2.0/releasenotes/

Firefox 2 - Home Page and Download site
http://www.mozilla.com/en-US/firefox/

How much does unwanted Internet traffic cost an organization?

This is a good older article reflecting the real costs associated with "junk email" from the Internet.  While it's difficult to ascertain costs, there are expenses in handling spam and junk email.  I suspect that if other costs were factored in (e.g., lost user productivity, help desk calls, spam blocking software, etc.), the costs would be significantly more than just the bandwidth costs noted in this research.

How much does unwanted Internet traffic cost an organization?
http://articles.techrepublic.com.com/5100-1009-5967393.html

QUOTE: A few weeks ago, a coworker asked me a simple question: How much of the Internet traffic coming into our network was "junk," and how much was this unwanted traffic costing us?

Statistics:

* Approximately 2.8 million distinct IP addresses from all over the world were responsible for junk traffic on my organization's network in the past month. And keep in mind that this doesn't include delivered junk e-mail.

* Roughly 40,000 networks were responsible for junk traffic on my organization's network in the past month.

* Statistically, the majority of junk IP addresses came from inside the United States.

* Second on the list for junk Internet traffic was China. Rounding out the top five on my list of junk Internet traffic sources were France, Belgium, and Germany.

* Approximately 7 percent of all incoming Internet traffic to my organization's network fell under the junk traffic classification.

* Estimating the cost for bandwidth at about $50 per megabit per second, the junk traffic costs my organization about $255 per month—or about $3,060 annually.

Internet Explorer 7 - An Excellent Upgrade from IE 6

I had been actively using the beta versions of IE 7 on all my home and work PCs, and was especially pleased with the more secure implementation.  Think of a browser as a compiler of the objects served by a website, one that has to protect us from the "sea of malware" out there.

Moving to IE 7 represents a positive step for improving home or corporate security.  From a corporate standpoint, it's important to test, pilot, and certify this with all your apps before rolling it out.  

IE 7 - Recommended installation approach

* Use only the official download from Microsoft's site
* Reboot the PC for a fresh start (advanced users should also take a system restore point)
* Shut down all running applications and disable the AV scanner
* Do not run anything else during the complete install process
* Wait patiently, as some processes are long-running and might seem to hang (overall this took about 5 to 10 minutes for me)
* Reboot as prompted (twice)
* Select "run" to continue the process after the 1st reboot
* Keep lucky charms and a celebration kit handy, e.g., plenty of Mountain Dew

Internet Explorer Home Page
http://www.microsoft.com/windows/ie

Install the latest build of Internet Explorer 7
http://www.microsoft.com/windows/ie/downloads/default.mspx

Prepare your organization using the Internet Explorer 7 Readiness Toolkit
http://go.microsoft.com/fwlink/?linkid=64421

If needed, install the Internet Explorer 7 Blocker Toolkit to block automatic delivery
http://go.microsoft.com/fwlink/?linkid=65788

Another excellent resource for tips and techniques
http://aumha.net/viewtopic.php?t=22165

You've been hacked - Ten Important Steps to take for Recovery

Below are ideas that might help on "what to do" if your web servers are compromised:

1. Isolate immediately to prevent further damage (unplug servers from the Internet)
2. Identify the intruder (based on firewall logs)
3. Preserve any evidence (swap out hard drives or take a good backup)
4. Report to authorities (usually starting with local police or the FBI)
5. Identify the vulnerability (why did this happen?)
6. Assess potential damage (e.g., accounts, altered web pages, data compromised; perform a thorough AV scan, etc.)
7. Always rebuild the system from scratch
8. Change all passwords and thoroughly assess file shares and security permissions
9. Return systems to operation
10. Closely monitor the returned web environment (crackers or hackers may try to return, but usually don't once discovered)

Office 2003 SP1 - Support from Microsoft expired on October 10th

With active exploration of Office vulnerabilities by malware authors, it is important for any Office 2003 users on SP1 to move to SP2 for continued support.  Office 2003 SP1 users are still protected with the most current updates, but Microsoft will no longer create future security updates for this version.  Discussions are also noted in our Office forums, and we'll keep this briefly pinned to promote awareness.
 
Office 2003 SP1 - Support from Microsoft expired on October 10th
http://support.microsoft.com/gp/lifesupsps#Office
 
Home Users - Office 2003 SP2 can be obtained here:
(note - you may need to have your Office CDs handy)
http://officeupdate.microsoft.com/

Corporate Users - Office 2003 SP2 can be obtained here:
http://office.microsoft.com/en-us/FX011511471033.aspx

 
Please note that Windows XP SP1 support also ended on October 10th.

Windows XP SP1 Support ended on October 10th
http://support.microsoft.com/gp/lifesupsps#Windows
