November 2006 - Posts
This morning I had several new email messages with file attachments containing a brand new variant of Stration (aka Warezov). Even though I'm up-to-date on McAfee protection, these new viruses would have infected my system had I selected and opened the file attachments. New variants from this family of viruses are emerging almost daily, as AV vendors work hard to keep pace with developments.
1. Mail server report. Tue Nov 21, 2006 32k
2. Status Tue Nov 21, 2006 33k
3. Mail server report. Tue Nov 21, 2006 32k
4. picture Tue Nov 21, 2006 45k
5. Mail server report ....
F-Secure also reports increased activity
----- VIRUS TOTAL ANALYSIS ------
Subject: [VirusTotal] Server notification
Complete scanning result of "Update-KB5290-x86.zip", processed in VirusTotal at 11/22/2006 16:15:21 (CET).
[ file data ]
* name: Update-KB5290-x86.zip
* size: 22972
* md5.: 674a6a5c631abc5f5d745d851f988166
* sha1: 778bada5df8c3ea2452073d774e2e754e14157cb
[ scan result ]
AntiVir 22.214.171.124/20061122 found [TR/Dldr.Stration.G]
Authentium 4.93.8/20061122 found [Possibly a new variant of W32/Tricky-Malware-based!Maximus]
Avast 4.7.892.0/20061122 found [Win32:Warezov-QI]
AVG 386/20061120 found nothing
BitDefender 7.2/20061122 found [Win32.Warezov.GK@mm]
CAT-QuickHeal 8.00/20061122 found nothing
ClamAV devel-20060426/20061122 found [Worm.Stration.PR]
DrWeb 4.33/20061122 found [Win32.HLLM.Limar.based]
eSafe 126.96.36.199/20061120 found [suspicious Trojan/Worm]
eTrust-InoculateIT 23.73.63/20061122 found [Win32/Stration!ZIP!Worm]
eTrust-Vet 30.3.3205/20061121 found [Win32/Stration!ZIP!generic]
Ewido 4.0/20061122 found [Worm.Warezov.gj]
F-Prot 3.16f/20061122 found [Possibly a new variant of W32/Tricky-Malware-based!Maximus]
F-Prot4 188.8.131.52/20061122 found [W32/Tricky-Malware-based!Maximus]
Fortinet 184.108.40.206/20061122 found [W32/Stration.GK@mm]
Ikarus 0.2.65.0/20061122 found [Email-Worm.Win32.Warezov.dr]
Kaspersky 220.127.116.11/20061122 found [Email-Worm.Win32.Warezov.gj]
McAfee 4901/20061121 found nothing
Microsoft 1.1804 /20061122 found nothing
NOD32v2 1877/20061122 found [Win32/Stration.PP]
Norman 5.80.02/20061122 found [W32/Stration.CEP]
Panda 18.104.22.168/20061121 found nothing
Prevx1 V2/20061122 found [Trojan.Update-KB]
Sophos 4.11.0/20061116 found [W32/Stratio-Zip]
TheHacker 22.214.171.124/20061121 found nothing
UNA 1.83/20061121 found nothing
VBA32 3.11.1/20061122 found [Email-Worm.Win32.Warezov.gj]
VirusBuster 4.3.15:9/20061122 found [Trojan.Opnis.Gen.28]
[ notes ]
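The report above is the kind of multi-engine result a practitioner wants to read quickly: how many engines flagged the sample, which ones missed it (McAfee, as the post notes), and how inconsistent the family naming is across vendors. Below is an added Python example, not code from the original post or from VirusTotal, that parses this e-mail report format and answers those questions. The embedded report text is an excerpt of the lines quoted above (twelve of the 28 engines); the section headers and the "engine version/sigdate found [...]" line layout are taken from those lines, and a helper for matching a local file against the reported hashes is included so the check can be run on an actual attachment.

```python
"""Parse a VirusTotal e-mail report in the format quoted above and summarise it.

Added example: not code from the original post or from VirusTotal. REPORT is an
excerpt of the report lines shown on the page (12 of the 28 engines); the
"[ section ]" headers and "<engine> <version>/<sigdate> found [<label>|nothing]"
line format are taken from those lines.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

REPORT = """\
[ file data ]
* name: Update-KB5290-x86.zip
* size: 22972
* md5.: 674a6a5c631abc5f5d745d851f988166
* sha1: 778bada5df8c3ea2452073d774e2e754e14157cb
[ scan result ]
Avast 4.7.892.0/20061122 found [Win32:Warezov-QI]
AVG 386/20061120 found nothing
BitDefender 7.2/20061122 found [Win32.Warezov.GK@mm]
CAT-QuickHeal 8.00/20061122 found nothing
ClamAV devel-20060426/20061122 found [Worm.Stration.PR]
McAfee 4901/20061121 found nothing
Microsoft 1.1804 /20061122 found nothing
NOD32v2 1877/20061122 found [Win32/Stration.PP]
Prevx1 V2/20061122 found [Trojan.Update-KB]
Sophos 4.11.0/20061116 found [W32/Stratio-Zip]
UNA 1.83/20061121 found nothing
VirusBuster 4.3.15:9/20061122 found [Trojan.Opnis.Gen.28]
"""

FILE_LINE = re.compile(r"^\* (?P<key>[a-z0-9]+)\.?: (?P<value>.+)$")
SCAN_LINE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>.*?)\s*/(?P<sigs>\d{8})\s+found\s+"
    r"(?:\[(?P<label>.+)\]|nothing)\s*$"
)


@dataclass
class Report:
    file_data: Dict[str, str] = field(default_factory=dict)
    # engine -> detection label, or None when the engine reported "nothing"
    results: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_report(text: str) -> Report:
    """Walk the report line by line, switching state on the [ section ] headers."""
    report = Report()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.strip("[] ").lower()
            continue
        if section == "file data" and (m := FILE_LINE.match(line)):
            report.file_data[m["key"]] = m["value"].strip()
        elif section == "scan result" and (m := SCAN_LINE.match(line)):
            report.results[m["engine"]] = m["label"]
    # Refuse a report whose hashes are not well-formed; everything is keyed on them.
    for key, width in (("md5", 32), ("sha1", 40)):
        if not re.fullmatch(r"[0-9a-f]{%d}" % width, report.file_data.get(key, "")):
            raise ValueError(f"malformed or missing {key} in report")
    return report


def detection_ratio(report: Report) -> Tuple[int, int]:
    """(engines that flagged the file, engines that scanned it)."""
    found = sum(1 for label in report.results.values() if label is not None)
    return found, len(report.results)


def missed_engines(report: Report) -> List[str]:
    """Engines that reported nothing, i.e. users relying on them alone were exposed."""
    return sorted(engine for engine, label in report.results.items() if label is None)


def family_hits(report: Report, family_names: Tuple[str, ...]) -> int:
    """How many labels mention any of the given family names (case-insensitive)."""
    names = tuple(n.lower() for n in family_names)
    return sum(1 for label in report.results.values()
               if label and any(n in label.lower() for n in names))


def matches_report(report: Report, data: bytes) -> bool:
    """True when a local file's bytes carry the md5, sha1 and size the report states."""
    return (hashlib.md5(data).hexdigest() == report.file_data["md5"]
            and hashlib.sha1(data).hexdigest() == report.file_data["sha1"]
            and report.file_data.get("size", str(len(data))) == str(len(data)))


if __name__ == "__main__":
    rpt = parse_report(REPORT)
    found, total = detection_ratio(rpt)
    print(f"{rpt.file_data['name']}: detected by {found}/{total} engines")
    print("missed by:", ", ".join(missed_engines(rpt)))
    print("Stration/Warezov in label:", family_hits(rpt, ("stration", "warezov")))
```

On the excerpt, 7 of 12 engines detect the sample, with AVG, CAT-QuickHeal, McAfee, Microsoft and UNA missing; on the full report above the figure is 21 of 28. Only four of the seven detecting engines in the excerpt even use the Stration or Warezov family name, which is why tying a local attachment to a report should be done by hash (matches_report) rather than by detection label.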
Microsoft developed a security guide earlier this month that can be helpful in assessing and establishing security controls for the new Windows Vista environment.
Windows Vista Security Guide - General Information
Windows Vista Security Guide - Key Information published at TechNet
QUOTE: The Windows Vista Security Guide consists of five chapters, and an appendix that you can use to reference setting descriptions, considerations, and values. The Windows Vista Security Guide Settings.xls file that accompanies this guide provides another resource that you can use to compare the setting values. The following figure shows the guide structure to help inform you how to optimally implement and deploy the prescriptive guidance.
TABLE OF CONTENTS
Chapter 1: Implementing the Security Baseline
Chapter 2: Defend Against Malware
Chapter 3: Protect Sensitive Data
Chapter 4: Application Compatibility
Chapter 5: Specialized Security – Limited Functionality
Additional resources are noted below:
Microsoft Threats and Countermeasures Guide
Windows XP Security Guide
Secunia rates this new vulnerability and its POC exploit code as highly critical. Throughout the month, POCs have been published on a daily basis, many of them for unpatched Linux 2.6 and Apple vulnerabilities.
MOKB: Apple Mac OS X Critical Memory Corruption Vulnerability
QUOTE: LMH has reported a vulnerability in Mac OS X, which potentially can be exploited by malicious, local users to gain escalated privileges or by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error in Apple Disk Image Controller when handling corrupted DMG image structures. This can be exploited to cause a memory corruption and may allow execution of arbitrary code in kernel-mode. The vulnerability is reported in a fully patched Mac OS X (2006-11-20).
WORKAROUND: Deactivate the option "opening safe files after downloading" in the preferences and grant only trusted users access to affected systems
This two-page evaluation provides report-card scoring in various categories for the "Ultimate" edition.
Vista Ultimate scores B+ on Information Week evaluation
QUOTE: Overall: B+ My biggest Vista surprise was, struggle though I might, I couldn't find much significantly different from previous versions. Then it dawned on me: That's a good sign, because it indicates that Microsoft's focus is no longer on look and feel but rather on the software guts required to keep Vista from crashing.
For businesses, and for CIOs charged with the decision about migrating to Vista, the three burning questions are: just how much better is Vista at security than XP, what's the total cost of ownership, and how much more does Vista-capable hardware cost?
Early word is that Vista's security is indeed a big step up, notwithstanding the surface annoyance of the user account controls. On the TCO front, Microsoft's broad embrace of an ecosystem extending beyond Vista to encompass both Office 2007 and Exchange 2007 might go a long way toward blunting incursions onto the desktop from Linux. As for buy-in costs, I'm not the first reviewer to opine that, rather than rushing to Vista right out of the box, businesses will most likely migrate to Vista as part of their normal PC upgrade cycle.
DBAs and security professionals should watch WoODB developments closely during December 2006 to keep databases and the information they hold as protected as possible.
WOODB - Week of Oracle Database Bugs scheduled during December 2006
QUOTE: Based on the great idea of H D Moore "Month of Browser Bugs" and LMH "Month of Kernel Bugs", we are proud to announce that we are starting on December the "Week of Oracle Database Bugs" (WoODB).
What is the WoODB about?
An Oracle Database 0day will be released every day for a week on December.
Why are you doing this?
We want to show the current state of Oracle software ("in")security; also we want to demonstrate Oracle isn't getting any better at securing its products (you already know the history: two years or more to fix a bug, not fixing bugs, failing to fix bugs, lying about security efforts, etc, etc, etc.).
Why are you targeting only Oracle?
We have 0days for all Database software vendors but Oracle is "The #1 Star" when talking about lots of unpatched vulnerabilities and not caring about security.
Why not the Month of Oracle Database Bugs?
We could do the Year of Oracle Database Bugs but we think a week is enough to show how flawed Oracle software is, also we don't want to give away all our 0days:), anyways if you want to contribute send your Oracle 0days so this can be extended for another week or more.
As I was listening to the radio news on my way to work, I learned about the new online shopping day now termed "Cyber Monday". The growth and convenience of the Internet have made the first Monday after Thanksgiving a very large day for online orders (11/27/2006 this year). In fact, it was the 2nd largest online shopping day of all last season (12/12/2005 was the largest).
One reason is that many folks return to work and put the company's high-speed Internet facilities to work (some folks may not have Internet at home, they may be on dial-up, or they may even have some idle time on their hands). Just as shoppers must lock their cars and hide purchases in their trunks, they must also be careful during Cyber Monday or any other time they choose to shop online.
Some safety tips include:
1. Does your employer permit this? -- Hopefully, most employees will recognize that employers have a right to monitor all Internet activities conducted on business equipment. However, some employers permit some personal use during lunch, breaks, or after hours. Users should check IT policies or with their supervisors if they are unsure of corporate usage policies. They should use this business resource carefully and not allow "Cyber Monday" to become grounds for "Layoff Tuesday".
2. Always "think before you click" -- Be careful with email links or URLs returned by a web search. Phishing sites are disguised to look like the real e-commerce site, but they are designed to capture your credit card or account information for fraudulent use. These sites are abundant and often referenced in spam email. Always start from the retailer's own site to find products or services, and avoid clicking on ads in web pages. Remember that a complete stranger on the Internet doesn't truly want to give you anything. More information on phishing attacks can be found at www.castlecops.com
3. Conduct e-commerce with mainstream sites that protect the checkout with a secure (HTTPS) connection. Never shop by email or other untrusted channels. Research human contact and return policies in advance, so that you can resolve issues quickly.
4. Use a true credit card rather than a bank debit card; credit cards generally carry stronger fraud protection and do not draw directly on your bank balance.
5. Maintain your privacy at all times. Only provide information once you're certain the recipient can be trusted. Also ensure your system is free of any malware before entering payment details.
Cyber Monday - Home Page
Cyber Monday - FAQs
Cyber Monday Frequently Asked Questions
• Is Cyber Monday the biggest online shopping day of the year?
• Was Cyber Monday “made up?”
• Why are you encouraging consumers to shop through CyberMonday.com?
• How big was Cyber Monday last year?
• How are retailers encouraging people to shop online this year?
• Do retailers get upset when consumers shop online rather than in stores?
• Where can I find more information about the holiday season?
Stay Safe while shopping online (a few sites found in a quick search)
McAfee offers a free removal tool (a special version of Stinger) for the new W32/HLLP.Philis.bq worm, a.k.a. the Looked worm. This variant is very difficult to remove, in part because its components are written in Chinese.
McAfee's AVERT Stinger Home Page
DOWNLOAD - Stinger for W32/HLLP.Philis.bq
A proof-of-concept was developed within one hour of the patch release and a fully functional exploit within three hours. The lesson for the corporate environment: pilot-test and roll out the updates as quickly as possible, because the window between patch and working exploit is now measured in hours.
Fully working MS06-070 POC exploit developed in just 3 hours
QUOTE: One of the exploits that has become available for the workstation service flaw was developed by Immunity Inc. The Miami Beach-based penetration-testing company was able to develop a proof-of-concept code against the flaw one hour after Microsoft released a patch for it on Tuesday and a fully working exploit in about three hours, said Kostya Kortchinsky, a senior researcher at Immunity. The code has been tested and found to be working "perfectly well" against several versions of Windows 2000, including Service Pack 3 and SP4, he said. The only mitigating factor is that an attacker would need to have a domain controller set up and accessible somewhere around the machine that is being attacked for the exploit to work, he said.
Below are two sites that help in monitoring new security developments:
EWeek's Exploit Monitoring Site
EWeek's Security Watch
After the November 2006 updates, I had an extra TEMP folder, created by the MS06-071 (Microsoft XML Core Services) update, in the root directory of C:.
It is an unusually named folder on the C: drive, and it is safe to delete this leftover folder. A log file named msxml4-KB927978-enu.log is present in this system-type folder in the root of C:.
I deleted this folder from my C: drive with no issues on all of my PCs.
Check Point announces ZoneAlarm 7.0 Beta
QUOTE: The Redwood City, Calif.-based security company announced Nov. 17 that the beta version of ZoneAlarm Internet Security Suite 7.0 is now available to the public. The latest version of the company's software security suite is designed to protect consumers' PCs from malware, spyware and an array of different viruses.
NEW FEATURES: In order to combat blended attacks from hackers, Check Point has also added an hourly update feature to ensure users are protected. Another feature of the 7.0 version is an "Auto-Learn" mode, which will set up security settings based on the user's PC environment. This aims to decrease the number of alerts a user may experience when installing ZoneAlarm.
A new, complex family of botnet variants has emerged that generates large volumes of malware-laden spam. Users should avoid clicking on any URLs or opening attachments in spam email.
MEDBOT Menace - Several new HORST variants emerge
QUOTE: Among the currently detected botnet families (and their expansive variants), a curious little family called MEDBOT recently stood out and became popular--although not in a good sense.
At first glance, the MEDBOT family looks like the usual run-of-the-mill IRC-based malware. Even less, actually, especially when placed side by side with more prolific families like AGOBOT and SDBOT. Its worm variants simply spread across accessible network shares. It carries the usual payloads, including antivirus retaliation and backdoor capabilities. To say that this family is notable based on its routines seems far-fetched, even absurd.
However, whatever MEDBOT seems to lack in its performance, it compensates with its complexity. Indeed, further analysis reveals that MEDBOT is more of a malware package that consists of a Trojan downloader, the Trojan's hidden copy, and a worm. The worm is responsible for dropping the downloader to the shared folders, while the hidden copy merely serves as a backup in case the main Trojan is removed from the system. The package's heart and soul, therefore, lie in the downloader.
Below are the most recent variants
2006/11/17 TrendMicro TROJ_HORST.CK
2006/11/17 TrendMicro TROJ_HORST.GF
2006/11/17 TrendMicro TROJ_HORST.GL
2006/11/17 TrendMicro TROJ_HORST.GM
2006/11/17 TrendMicro TROJ_HORST.GN
This new file-infecting virus spreads through unprotected network shares and onto systems where the MS06-014 patch is not installed. Its component written in Chinese is difficult to remove, so administrators should research a proven cleaning procedure before attempting to disinfect affected systems.
MS06-014: HLLP.Philis.bq - Network virus uses malware components written in Chinese
QUOTE: Overview: W32/HLLP.Philis.bq is a file infecting virus. It searches for executable files on the infected machine to prepend its viral code. It is also responsible for dropping a .DLL file, which downloads a password stealing trojan from a website.
DAT 4899 RELEASE: McAfee 4899 DAT files are being released early as there is concern that this threat will spread globally. The web site hosting malware downloaded by this threat also contains Exploit-MS06-014 to automatically download and install this virus on vulnerable systems.
* PE_LOOKED.LF-O (Trend)
* W32.Looked.O (Symantec)
* Win32/Looked.BZ (CA)
METHOD OF INFECTION: The virus tries to spread via existing network shares. It searches for all active machines within the subnet. When it finds an active machine it sends an ICMP ping request and waits for a response. After getting the ping response it tries to access the ADMIN$, IPC$ and any other shares that might exist on the machine.
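The infection method just quoted (an ICMP sweep of the subnet, then a connection to ADMIN$ and IPC$ on hosts that answered) has a recognisable network shape, and that is what a detection should key on. Below is an added Python example, not from the original post or from McAfee, that flags a source host which pings several subnet neighbours and then opens SMB (TCP 445 or 139, the ports that carry ADMIN$ and IPC$) to hosts it has just pinged. The flow-record format and the sample records are constructed for the illustration, and the threshold of three pinged hosts is an arbitrary assumption to tune against your own traffic.

```python
"""Flag hosts whose traffic matches the spread routine quoted above: an ICMP sweep
of the subnet followed by SMB connections (ADMIN$ and IPC$ ride TCP 445/139) to
hosts that answered.

Added example, not from the original post or from McAfee. The flow-record format
"<time> <src> -> <dst> <proto> <echo|dport>" and the records in FLOWS are
constructed for this illustration; PING_THRESHOLD is an assumed tuning value.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SMB_PORTS = {139, 445}
PING_THRESHOLD = 3  # assumed: distinct hosts pinged before we call it a sweep

# Constructed flow records, not captured traffic. 10.1.5.23 behaves like the
# worm; 10.1.5.40 is an admin pinging one box; 10.1.5.50 just uses a file server.
FLOWS = """\
09:00:01 10.1.5.23 -> 10.1.5.1 icmp echo
09:00:01 10.1.5.23 -> 10.1.5.2 icmp echo
09:00:01 10.1.5.23 -> 10.1.5.3 icmp echo
09:00:01 10.1.5.23 -> 10.1.5.4 icmp echo
09:00:02 10.1.5.23 -> 10.1.5.2 tcp 445
09:00:02 10.1.5.23 -> 10.1.5.4 tcp 445
09:00:05 10.1.5.40 -> 10.1.5.1 icmp echo
09:00:06 10.1.5.40 -> 10.1.5.1 tcp 445
09:00:07 10.1.5.50 -> 10.1.5.9 tcp 445
09:00:07 10.1.5.50 -> 10.1.5.10 tcp 445
"""


def parse_flow(line: str) -> Tuple[str, str, str, int]:
    """Return (src, dst, proto, dport); dport is 0 for ICMP records."""
    _time, src, arrow, dst, proto, detail = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected flow line: {line!r}")
    return src, dst, proto, int(detail) if proto == "tcp" else 0


def find_share_spreaders(lines: List[str],
                         ping_threshold: int = PING_THRESHOLD) -> Dict[str, Tuple[int, List[str]]]:
    """Map each suspicious source to (hosts it pinged, pinged hosts it then hit on SMB).

    Order matters: an SMB connection only counts when the destination was pinged
    by the same source earlier in the stream, mirroring ping-then-share behaviour.
    """
    pinged: Dict[str, Set[str]] = defaultdict(set)
    smb_after_ping: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        src, dst, proto, dport = parse_flow(line)
        if proto == "icmp":
            pinged[src].add(dst)
        elif proto == "tcp" and dport in SMB_PORTS and dst in pinged[src]:
            smb_after_ping[src].add(dst)
    return {src: (len(pinged[src]), sorted(targets))
            for src, targets in smb_after_ping.items()
            if len(pinged[src]) >= ping_threshold}


if __name__ == "__main__":
    for src, (swept, hit) in find_share_spreaders(FLOWS.splitlines()).items():
        print(f"{src}: pinged {swept} hosts, then SMB to {', '.join(hit)}")
```

A single ping followed by a share connection (10.1.5.40 above) and share access without any preceding sweep (10.1.5.50) are left alone, so ordinary administration and file-server traffic do not trip the rule. The caveat is that this only catches spreaders that probe with ICMP first, as the quoted description says this one does; a variant that connects to port 445 directly would need a rule on the fan-out of SMB connections alone.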
Vista Gets High Security Marks from Beta Users
QUOTE: With Microsoft getting ready to ship its new Vista operating system, experts who have been evaluating it for use within corporations are praising its security enhancements while fretting about the finer points of implementation.
"It's certainly the most secure operating system they've released to date," said Erik Schmidt, a technical manager at the University of Florida, which has been evaluating Vista on more than 50 personal computers as one of the formal beta testers in Microsoft's Technology Adoption Program.
This new development could impact Windows 2000 users, and it is definitely in the "Patch Now" column.
MS06-070: New network wormable exploit could impact W/2000 PCs
QUOTE: The Milw0rm exploit, released by a hacker called "cocoruder," takes aim at the high-severity bug covered in the MS06-070 bulletin and can be used to launch a network worm against unpatched Windows 2000 systems. Amol Sarwate, manager of the vulnerability research lab at Qualys, in Redwood Shores, Calif., is strongly urging businesses running Windows 2000 to test and deploy the MS06-070 patch because of the ease with which a hacker could launch an exploit.
Microsoft Security Advisory (928604) - Exploit Code Published Affecting the Workstation Service on Windows 2000
Windows attack code released
MS06-070 Security Bulletin
QUOTE: Worm risk: Both McAfee and Qualys say a Zotob-like worm attack is probable. In August last year, Zotob slithered into Windows 2000 systems through a hole in the plug-and-play feature in the operating system. Zotob surfaced only days after Microsoft offered a fix for the "critical" bug as part of its monthly patching cycle.
WSUS is the superior patch management environment when compared to the earlier SUS environment. Microsoft has granted additional time so that corporate users can make the necessary transition.
Microsoft Extends SUS 1.0 Support to July 2007
QUOTE: The Redmond, Wash., company was all set to retire the patch distribution software on Dec. 6, 2006, but after listening to what it described as "customer feedback," Microsoft has extended support for SUS 1.0 for another seven months. The extension means that IT managers have until July 10, 2007, to migrate to WSUS (Windows Server Update Services), the new enterprise patch-management platform currently being beta tested. Microsoft released WSUS to manufacturing in June 2005 and has spent the last few years prodding users to upgrade, but, for a myriad of reasons, patch management administrators have struggled to migrate.
The Internet Storm Center handlers often provide good information related to Microsoft's security updates. The following provides an overview of the November security updates.
Microsoft and Adobe both released security updates on November 14, 2006. There is no conflict between the Microsoft security update (MS06-069) and Adobe's security update (APSB06-18), as they patch different Flash Player versions: Microsoft patches a critical issue in the older Flash Player version that shipped with Windows, while the latest Adobe patch covers the current player and offers more up-to-date protection.
Adobe Security Bulletin APSB06-18 - Issued November 14, 2006
Note - In installing the latest Adobe download, you may be offered the Yahoo toolbar and you can optionally uncheck this if desired.
Microsoft MS06-069 - Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (923789) - Issued November 14, 2006
Secunia: Adobe Flash Player CRLF Injection Vulnerabilities
MessageLabs is one of the leading value-added email security firms and has a large customer base. As noted in the report below, spam email has increased dramatically during the past weeks.
MessageLabs - Do you want spam with that spam?
http://www.messagelabs.com/Threat_Watch/Intelligence_Reports/October_2006
QUOTE: We've seen a dramatic increase in spam since September 2006. The latest report from MessageLabs Intelligence explains why.
* Spam - 72.9% in October (up 8.5% from September 2006)
* Viruses - 1 in 100.3 emails contained malware
* Phishing - 1 in 190 emails contained a phishing attack
October marks the beginning of the spam season this year in the run up to the holiday period, with MessageLabs seeing a sharp increase in levels this month, especially in the past few weeks. As predicted in the September/Q3 MessageLabs Intelligence report, spam is not going away. This increase is largely attributed to the huge rise in botnet activity over the past few weeks.
There are two contributing factors compounding this issue, and it is as yet unclear as to whether there is any link between them. The first culprit is the aggressive level of activity around one particular trojan dropper called Warezov. Tens of thousands of copies of each variant are dispatched in numerous batches, where each batch is subtly different from the previous ones.