Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

December 2006 - Posts

F-Secure creates Vista compatible version of Blacklight Rootkit detection tool

As a starting point, here's hoping that rootkit detection tools won't be needed for Vista, or that the improved security makes this a rare event. F-Secure's Blacklight Rootkit detection tool is a great free service offered to users who need assistance in removing Windows-based rootkits that hook into the OS in a highly stealthy manner.

F-Secure creates Vista compatible version of Blacklight Rootkit detection tool
http://www.f-secure.com/weblog/archives/archive-122006.html#00001062

QUOTE: The same BlackLight executable will work on all supported platforms. You may find it interesting that we're adding support for 64-bit operating systems, even though there are currently no rootkits for them! The reason is that while 32-bit rootkits do not work on 64-bit platforms it is not impossible to create a 64-bit compatible rootkit. It just requires extra effort.

For example, a user-mode rootkit would have to hook 64-bit processes with 64-bit code but also make sure everything is hidden from 32-bit applications running under WOW64 emulation. As the number of computers running 64-bit Windows has remained low, the rootkit authors have not had a reason to spend the extra effort to target those systems. When they do, we hope to be ready.

Happy New Year email messages - avoid all attachments or links

F-Secure has moved to medium risk for the new Luder worm now circulating. Several new versions with different messages are also in circulation.

Happy New Year email messages - avoid all attachments or links
http://www.incidents.org/diary.php?storyid=1988
http://www.f-secure.com/weblog/archives/archive-122006.html#00001063
http://www.f-secure.com/weblog/archives/archive-122006.html#00001065
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNUWAR%2EBH


Subject Line Examples
Annual Fun Forecast!
Baby New Year!
Best Wishes For A Happy New Year!
Fun 2007!
Fun Filled New Year!
Happiness And Continued Success!
Happiness And Success!
Happiness In Everything!
Happy 2007!
Happy New Year!
Happy Times And Happy Memories!
May Your Dreams Come True!
New Hopes And New Beginnings!
New Year... Happy Year!
Promises Of Happy Times!
Raising A Toast To Happy Times!
Scale Greater Heights!
Sparkling Happiness And Good Times!
Warm New Year Hug!
Warmest Wishes For New Year!
Welcome 2007!
Wish You Smiles And Good Cheer!
Wishing You Happiness!
Wishing You Happy New Year!


Attachment Examples
postcard.exe
Postcard.exe
greeting card.exe
Greeting Card.exe
greeting postcard.exe
Greeting Postcard.exe

Luder.A - Happy New Year message with postcard.exe attachment
This new virus-infected email message is currently circulating and should be avoided.

Luder.A - Happy New Year message with postcard.exe attachment
http://www.f-secure.com/v-descs/luder_a.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNUWAR%2EAY
http://www.sophos.com/security/analyses/w32drefu.html
http://www.incidents.org/diary.php?storyid=1987

EMAIL TO AVOID
Subject: Happy New Year!
Message body: {blank}
Attachment: postcard.exe
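Added example, not code from the original post or from F-Secure, SANS or Trend Micro: a small mail-gateway screening check built from the subject lines and attachment names listed above. It also generalizes slightly, flagging any executable attachment that arrives under one of the greeting subjects rather than only the three reported names. The EXECUTABLE_SUFFIXES list, the verdict strings and the sample messages are my own assumptions; nothing here is captured worm mail.

```python
# Added example (not from the original post): screen greeting-card mail for the
# Luder/Nuwar indicators listed above. Sample messages are constructed for the demo.
from email.message import EmailMessage
from email import message_from_bytes, policy

# Subject lines and attachment names reported for the New Year worm run (from the post).
WORM_SUBJECTS = {
    "Happy New Year!", "Happy 2007!", "Welcome 2007!", "Fun 2007!",
    "Warmest Wishes For New Year!", "Wishing You Happy New Year!",
    "Best Wishes For A Happy New Year!", "New Year... Happy Year!",
}
WORM_ATTACHMENTS = {"postcard.exe", "greeting card.exe", "greeting postcard.exe"}
# Assumption: file types that should never arrive as a "greeting card".
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def attachment_names(msg):
    """Lowercased filenames of every MIME part that carries one (case variants collapse)."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def classify(msg) -> str:
    """Verdict for one parsed message: 'block: ...', 'quarantine: ...' or 'allow'."""
    subject = str(msg["Subject"] or "").strip()
    names = attachment_names(msg)
    executables = [n for n in names if n.endswith(EXECUTABLE_SUFFIXES)]
    if any(n in WORM_ATTACHMENTS for n in names):
        return "block: known worm attachment"
    if subject in WORM_SUBJECTS and executables:
        return "block: greeting subject with executable attachment"
    if executables:
        return "quarantine: executable attachment"
    return "allow"


def classify_raw(raw: bytes) -> str:
    """Same check on an un-parsed RFC 5322 message, as a gateway sees it on the wire."""
    return classify(message_from_bytes(raw, policy=policy.default))


def build_sample(subject: str, filename=None) -> EmailMessage:
    """Construct a test message (sample data, not a captured worm mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("")            # the reported worm mail has a blank body
    if filename:
        # Four placeholder bytes stand in for the attachment payload.
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    for subj, fn in [("Happy New Year!", "postcard.exe"),
                     ("Happy 2007!", "card.exe"),
                     ("Q4 numbers", "report.pdf"),
                     ("Happy New Year!", None)]:
        verdict = classify_raw(build_sample(subj, fn).as_bytes())
        print(f"{subj!r:36} {str(fn):22} -> {verdict}")
```

The check deliberately keys on the attachment name before the subject: the reported names are the strongest indicator, while a greeting subject alone (no executable attached) is allowed through, since plenty of legitimate New Year mail uses the same wording.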

SNORT Intrusion Detection Tool - Some Tips and Techniques

Recently one of the handlers at SANS shared some great posts related to this open source Intrusion Detection system used to inspect incoming network traffic.

SNORT Intrusion Detection Tool - Some Tips and Techniques

What is SNORT - Webopedia

Wikipedia - SNORT Intrusion Detection Tool

Spam Rates Soar in 2006 due to Botnets

In my personal email, I've seen dramatic increases in SPAM and these articles document these trends as well: 

Spam Rates Soar in 2006 due to Botnets
http://www.eweek.com/article2/0,1759,2077665,00.asp

Microsoft sees Botnets as a top threat in 2007
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9006818

QUOTE: E-mail security firm Commtouch says 85 percent of today's spam comes from remote-controlled "zombie" computers.  A report on spam by e-mail security firm Commtouch Software dubs 2006 the "Year of the Zombies." The study found that "zombies," the name given computers remote-controlled by hackers, can number up to 8 million hosts globally on a given day.

As a result, spam volume increased by 30 percent in 2006, according to the report.  "Spam outbreaks got bigger, faster and smarter during 2006," Amir Lev, president and chief technical officer for Commtouch, based in Netanya, Israel, said in a statement. "Innovative spammers quickly developed new techniques to bypass common anti-spam technologies and amassed huge zombie botnets. Outbreaks have become so fast, massive and sophisticated that most anti-spam solutions had great difficulty defending against them." 

Some prior links:

Massive surge in spam hits the Internet
http://blogs.techrepublic.com.com/Ou/?p=354

Bot nets likely behind jump in spam
http://www.securityfocus.com/news/11420

Great site to bookmark for SPAM trends (under construction until 12/30/2006) 
http://tqmcube.com/tide.php

New Windows CSRSS unpatched vulnerability

This new vulnerability is rated as low-risk and can only be exploited by local users.

Microsoft Windows Client Server Run-Time Subsystem Memory Disclosure Vulnerability
http://www.frsirt.com/english/advisories/2006/5197
http://secunia.com/advisories/23491/

QUOTE: A Microsoft Windows vulnerability can be exploited by malicious local users to gain knowledge of sensitive information. The problem is that CSRSS.exe does not properly validate arguments passed via NtRaiseHardError and can be exploited to view the contents of CSRSS process memory. The vulnerability is confirmed on a fully-patched Windows XP SP2 system and reportedly affects Windows 2000 SP4 as well. Other versions may also be affected.

Solution: Allow only trusted users access to the system

New Malware Attacks - Tis the season to be careful

F-Secure has published 3 new malware threats that use holiday themes to trick users into opening them:

Stration (Warezov) - Happy New Year
http://www.f-secure.com/weblog/archives/archive-122006.html#00001059

QUOTE: A new Warezov spam run is underway, using a "Happy New Year" postcard as a disguise.

More Christmas-themed malware
http://www.f-secure.com/weblog/archives/archive-122006.html#00001058

QUOTE: Now there's a backdoor called Christmas_Puzzle.exe. This one uses a rootkit to hide its presence on a system. We detect it as Trojan-Spy.Win32.Ardamax.e. As a decoy, this one shows a Christmas-themed jigsaw puzzle game on screen. And then there's a Powerpoint file called Christmas+Blessing-4.ppt. This one uses MS06-012 or a related vulnerability to drop and execute two embedded programs. As a decoy, the exploit has been embedded in an innocent Christmas-themed PPT slideshow that has been making rounds previously.

Christmas.EXE
http://www.f-secure.com/weblog/archives/archive-122006.html#00001057

QUOTE: When run, this IRCBot variant will try to download various malicious executables from web servers. As a decoy, it shows this Christmas-themed image. Obviously, a gift that keeps on giving. To be avoided.

Windows Workstation Service - New unpatched vulnerability

There is also a POC exploit published for this new vulnerability. 

Windows Workstation Service - New unpatched vulnerability
http://www.frsirt.com/english/advisories/2006/5142

QUOTE: A vulnerability has been identified in Microsoft Windows, which could be exploited by attackers to cause a denial of service. This issue is due to an error in the Workstation Service that does not properly handle specially crafted "NetrWkstaUserEnum()" requests, which could be exploited by attackers to cause a vulnerable service to crash or exhaust all available memory resources, creating a denial of service condition.

Affected Products: Windows XP and 2000

Solution: Block ports 139 and 445 at the firewall.

Santa Web Site Hacked and may download spyware

This recent hacking incident illustrates the need to be fully protected and up-to-date while surfing the Internet. Kids or parents might land on this type of site while doing a general Internet search.

Santa Web Site Hacked and may download spyware
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9006639

QUOTE: It turned out that Santa's Web site had been hacked. On Friday, the Web site was still downloading malicious software, according to Roger Thompson, chief technology officer with Exploit Prevention Labs Inc. It exploits a bug in Internet Explorer that Microsoft Corp. patched last August, meaning that people running older versions of the browser could be at risk, Thompson said via instant message."The site is hacked," he said. "If you are not patched, it uses an exploit to silently install a huge amount of adware and spyware."

Opera 9.1 - Details on how new Fraud Protection phishing filter works

This link provides a good overview of this process:

http://www.f-secure.com/weblog/archives/archive-122006.html#00001055

Mozilla Security Release - New Firefox and Thunderbird versions

Security updates have been issued for Firefox, Thunderbird, Seamonkey and other Mozilla products that fix critical security vulnerabilities. These vulnerabilities could be exploited by attackers to take complete control of an affected system or bypass security restrictions. All users should install these updates as soon as possible.

Mozilla Security Release - New Firefox and Thunderbird versions
http://www.mozilla.com/en-US/firefox/2.0.0.1/releasenotes/
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.1

Fixed in Firefox 2.0.0.1

MFSA 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)
http://www.mozilla.org/security/announce/2006/mfsa2006-68.html

MFSA 2006-69 CSS cursor image buffer overflow (Windows only)
http://www.mozilla.org/security/announce/2006/mfsa2006-69.html

MFSA 2006-70 Privilege escalation using watch point
http://www.mozilla.org/security/announce/2006/mfsa2006-70.html

MFSA 2006-71 LiveConnect crash finalizing JS objects
http://www.mozilla.org/security/announce/2006/mfsa2006-71.html

MFSA 2006-72 XSS by setting img.src to BLOCKED SCRIPT URI
http://www.mozilla.org/security/announce/2006/mfsa2006-72.html

MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
http://www.mozilla.org/security/announce/2006/mfsa2006-73.html

MFSA 2006-75 RSS Feed-preview referrer leak
http://www.mozilla.org/security/announce/2006/mfsa2006-75.html

MFSA 2006-76 XSS using outer window's Function object
http://www.mozilla.org/security/announce/2006/mfsa2006-76.html

Mozilla Security Center
http://www.mozilla.org/security/

Internet Storm Center
http://www.incidents.org/diary.php?storyid=1958

CERT
http://www.us-cert.gov/current/current_activity.html#mzsecadv1206

FrSIRT
http://www.frsirt.com/english/advisories/2006/5068

Secunia
http://secunia.com/advisories/23282/

Zero-Day Initiative - Fixing the SVG vulnerability is critical
http://www.zerodayinitiative.com/advisories/ZDI-06-051.html
http://www.mozilla.org/security/announce/2006/mfsa2006-73.html

Firefox Product Page and Download link
(most users should be able to auto-update to the new release)
http://www.mozilla.com/en-US/firefox/

Thunderbird Product Page and Download link
http://www.mozilla.com/en-US/thunderbird/

Seamonkey Product Page and Download link
http://www.mozilla.org/projects/seamonkey/

Jim Allchin responds to Windows Vista and the improved protection from malware

Jim Allchin provided an EXCELLENT response on Windows Vista and its improved protection from malware, prompted by a recent analysis which seemed to imply that "Vista offers no more protection than XP". Technically, this article had some factual information, but it did not tell "the rest of the story". Users would almost have to infect their systems on purpose for these attacks to work.

At the end of November, Sophos commented on Vista being susceptible to 3 of the top 10 viruses circulating in the wild. However, for those to succeed, Vista users must lower the built-in defenses, run no AV protection at all, and click on a clearly suspicious email attachment (one that most likely would be prefiltered as a suspicious document and classified as spam). No operating system's security controls can fully protect users from themselves.

I didn't have the opportunity to beta test Vista (as my home PCs are too underpowered to support it). However, based on numerous articles and reviews, Vista will clearly offer superior security over Windows XP SP2. By enhancing Windows XP SP2 with IE 7, MP 11, and a good AV product, users can enjoy a secure environment there as well. I'm anxious to purchase a new family PC later in 2007 with Vista Ultimate installed for better protection and to gain greater knowledge of this environment by actually using it.

Opera 9.1 release offers Fraud Protection security enhancements

The new version of Opera released today offers improvements to help prevent phishing attacks with its new Fraud Protection facility.

Opera 9.1 Download site
http://www.opera.com/download/

Opera 9.1 introduces Fraud Protection
http://www.opera.com/docs/fraudprotection/

Changelog for Opera 9.1 for Windows
http://www.opera.com/docs/changelogs/windows/910/

Release Notes and Change Log

This release of Opera introduces Fraud Protection.

User interface

  • Fixed handling of access keys on Web pages with frames.

Mail, messaging, and newsfeeds

  • Fixed an instability connected with delayed entry of the Master password.
  • Deleting of newsfeeds in the panel now both unsubscribes and deletes.

Display and scripting

  • Improved performance for elements with both :focus and :hover.
  • Fixed an issue with opacity on links that have images nested within them.

Security

  • New Fraud Protection feature (a phishing filter).
  • Changed Wand data to a new format. The upgrade to this new format is not reversible.

Miscellaneous

  • Multiple stability issues solved, including crashes on Gmail and Google Maps.
  • Changed the Mozilla User Agent string to include Firefox identification.
  • Improved handling of Web site logins on slow connections.
  • Cancellation of torrent downloads now functions as expected.

Windows-specific changes

  • Multimedia keys now function as expected when Opera has focus.
  • Enabled loading of Windows Media plugins when Java is turned off.

Microsoft Media Player and Project Server - Minor New Vulnerabilities

Both of these are rated as low-risk by FrSIRT.

Windows Media Player - New Denial of Service Vulnerability
http://www.frsirt.com/english/advisories/2006/5039

QUOTE: A vulnerability has been identified in Microsoft Windows Media Player, which could be exploited by attackers to cause a denial of service. This issue is due to a division by zero error when handling a specially crafted MIDI file with a header chunk containing malformed fields (i.e. number of tracks and delta time), which could be exploited by attackers to crash a vulnerable application via a specially crafted file.
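Added example, not code from the original post, from FrSIRT's advisory, or from Media Player: a parser for the MIDI header chunk that validates the two fields the advisory names (track count and the division, or delta-time, field) before any timing arithmetic touches them. The field layout follows the Standard MIDI File format (a 14-byte "MThd" chunk: format, track count, division); the seconds_per_tick function is a stand-in for whatever a player does with the division value and shows where an unchecked zero would turn into a division-by-zero crash.

```python
# Added example (not from the original post): validate a MIDI header chunk so that a
# zero track count or zero division field is rejected instead of reaching a divide.
import struct

# "MThd", chunk length (6), format, number of tracks, division; all big-endian.
MTHD_STRUCT = struct.Struct(">4sIHHH")


class MidiHeaderError(ValueError):
    """Raised for any header that fails validation; callers treat the file as malformed."""


def parse_midi_header(data: bytes) -> dict:
    """Parse and validate the MThd chunk; never lets a zero divisor through."""
    if len(data) < MTHD_STRUCT.size:
        raise MidiHeaderError("truncated header chunk")
    chunk_id, length, fmt, ntrks, division = MTHD_STRUCT.unpack_from(data)
    if chunk_id != b"MThd":
        raise MidiHeaderError("not a MIDI header chunk")
    if length < 6:
        raise MidiHeaderError("header length too small")
    if fmt not in (0, 1, 2):
        raise MidiHeaderError(f"unknown format {fmt}")
    # Track count: zero is meaningless, and format 0 files carry exactly one track.
    if ntrks == 0 or (fmt == 0 and ntrks != 1):
        raise MidiHeaderError(f"bad track count {ntrks} for format {fmt}")
    if division & 0x8000:
        # SMPTE timing: high byte is the negative frame rate, low byte ticks per frame.
        fps = 256 - (division >> 8)          # undo the two's-complement high byte
        ticks_per_frame = division & 0xFF
        if fps not in (24, 25, 29, 30) or ticks_per_frame == 0:
            raise MidiHeaderError("bad SMPTE division")
        timing = {"smpte": True, "ticks_per_second": fps * ticks_per_frame}
    else:
        # Metrical timing: ticks per quarter note, which later divides the tempo.
        if division == 0:
            raise MidiHeaderError("zero ticks per quarter note")
        timing = {"smpte": False, "ticks_per_quarter": division}
    return {"format": fmt, "ntrks": ntrks, **timing}


def is_valid_header(data: bytes) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_midi_header(data)
        return True
    except MidiHeaderError:
        return False


def seconds_per_tick(header: dict, tempo_us_per_quarter: int = 500_000) -> float:
    """Timing arithmetic that is safe only because the header was validated first."""
    if header["smpte"]:
        return 1.0 / header["ticks_per_second"]
    return tempo_us_per_quarter / 1_000_000 / header["ticks_per_quarter"]


def build_header(fmt: int, ntrks: int, division: int) -> bytes:
    """Construct a 14-byte MThd chunk (test data, not a captured file)."""
    return MTHD_STRUCT.pack(b"MThd", 6, fmt, ntrks, division)


if __name__ == "__main__":
    good = parse_midi_header(build_header(1, 2, 96))
    print(good, f"{seconds_per_tick(good):.6f} s/tick")
    for label, bad in [("zero tracks", build_header(1, 0, 96)),
                       ("zero division", build_header(1, 2, 0))]:
        print(label, "->", "accepted" if is_valid_header(bad) else "rejected")
```

With the validation removed, build_header(1, 2, 0) reaches seconds_per_tick and raises ZeroDivisionError, which in a native player is the crash the advisory describes; the fix is to reject the header at parse time, before the value is used as a divisor.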

Microsoft Project Server 2003 File Information Disclosure Vulnerability
http://www.frsirt.com/english/advisories/2006/5038

QUOTE: A vulnerability has been identified in Microsoft Project Server 2003, which could be exploited by malicious users to gain knowledge of sensitive information. This issue is due to an error when handling HTTP POST requests passed to the "logon/pdsrequest.asp" script, which could be exploited by authenticated attackers to disclose the username and password of the "MSProjectUser" SQL account.

Privacy Rights - Hall of Shame site for 100 million violations

Since April 2005, this site has captured summary info for tech and non-tech violations where sensitive information has been exposed and possibly compromised. This is a great site to bookmark (and even share with your IT management so that security remains an important focal point).  

Privacy Rights - Chronology of Data Breaches
http://www.privacyrights.org/ar/ChronDataBreaches.htm
http://www.incidents.org/diary.php?storyid=1942

QUOTE: Some major data breaches announced at UCLA and Boeing put the total number of privacy breaches at privacyrights.org since April 2005 to almost 100 million.

... and on a related note, it looks like 3 million folks from Russia may need to be added.

Major data leak from Russian banks
http://www.viruslist.com/en/weblog?calendar=2006-12
Note - Please see Dec 13th Weblog entry

Big Yellow worm - Exploits SAV update vulnerability if unpatched

A second round of the SAV worm is circulating among unpatched Symantec PCs (those still vulnerable to the buffer overflow exploit).

Big Yellow worm -  Exploits SAV update vulnerability if unpatched
http://www.incidents.org/diary.php?storyid=1945
http://research.eeye.com/html/alerts/AL20061215.html

QUOTE: This file was being downloaded by a large number of machines that were recently exploited using the SAV remote exploit. The sequence of events for these compromises was:

1. Exploit comes in from an IP address
2. Stops the Windows firewall service
3. Creates an ftp command script named "x" which is later run by ftp.exe -s:x
4. which downloads NL.eXe
5. May include keylogger
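Added example, not code from the original post or from SANS or eEye: a detection pass over process-creation records that looks for the sequence quoted above (firewall service stopped, then ftp.exe driven by a script file, then the dropped NL.eXe running). The record format, the net stop SharedAccess command used to represent "stops the Windows firewall service", and the path NL.eXe is shown under are assumptions made for the example; the sample records are constructed, not real logs.

```python
# Added example (not from the original post): flag the Big Yellow post-exploit sequence
# in process-creation records. Log format and service name are assumptions.
import re
from typing import Dict, List

# Constructed sample records, "time|image path|command line" (not a real Windows event format).
SAMPLE_LOG = r"""
2006-12-15 10:01:02|C:\WINDOWS\system32\svchost.exe|svchost.exe -k netsvcs
2006-12-15 10:03:45|C:\WINDOWS\system32\ftp.exe|ftp.exe ftp.example.com
2006-12-15 10:05:10|C:\WINDOWS\system32\cmd.exe|cmd.exe /c net stop SharedAccess
2006-12-15 10:05:12|C:\WINDOWS\system32\ftp.exe|ftp.exe -s:x
2006-12-15 10:05:40|C:\WINDOWS\system32\NL.eXe|NL.eXe
""".strip()

# Each rule is matched against "image path + command line" of one record.
RULES = [
    # Assumption: SharedAccess is the Windows XP/2000 firewall (ICS) service name.
    ("firewall_service_stop", re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+SharedAccess\b", re.I)),
    # ftp.exe reading commands from a script file (-s:<file>), the download step in the post.
    ("ftp_script_download", re.compile(r"\bftp(\.exe)?\b.*\s-s:\S+", re.I)),
    # The dropped executable named in the post.
    ("dropped_payload_exec", re.compile(r"\bNL\.eXe\b", re.I)),
]


def scan(log_text: str) -> List[Dict]:
    """Return one finding per (record, rule) match, in log order."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        try:
            ts, image, cmdline = line.split("|", 2)
        except ValueError:
            continue                        # malformed record: skip it, do not crash the scanner
        haystack = f"{image} {cmdline}"
        for name, pattern in RULES:
            if pattern.search(haystack):
                findings.append({"line": lineno, "time": ts, "rule": name, "image": image})
    return findings


def kill_chain_observed(findings: List[Dict]) -> bool:
    """True when a firewall stop is followed by a scripted ftp download, as in the report."""
    stops = [f["line"] for f in findings if f["rule"] == "firewall_service_stop"]
    if not stops:
        return False
    first_stop = min(stops)
    return any(f["line"] > first_stop for f in findings if f["rule"] == "ftp_script_download")


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']} {h['time']} {h['rule']:24} {h['image']}")
    print("sequence observed:", kill_chain_observed(hits))
```

The interactive ftp.exe record on line 2 is deliberately included: ftp.exe alone is common on a workstation, so the rule keys on the -s:<script> form the report describes, and the correlation only fires when the firewall stop precedes it.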

SOLUTION: Users need to apply the SYM06-010 patch

Symantec Client Security and Symantec AntiVirus Elevation of Privilege
http://www.symantec.com/avcenter/security/Content/2006.05.25.html

Article: SEC eases Sarbanes-Oxley regulations on Business

This article provides an update on several forthcoming changes for next year, although not all of the work on SOX 404 is complete:

S.E.C. Eases Regulations on Business
http://www.nytimes.com/2006/12/14/business/14secure.html

Quote:
WASHINGTON, Dec. 13 — Responding to criticism that regulators had overreacted to years of major corporate scandals, the Securities and Exchange Commission on Wednesday issued a flurry of deregulatory orders and proposals intended to lower costs to public companies. It said the moves would not reduce investor protection.


SUMMARY OF DISCUSSIONS

APPROVED

1. Easier for foreign companies to withdraw their securities from American markets.

2. Increase the financial qualifications for investors in hedge funds, to a net worth of $2.5 million from the current standard of $1 million.

3. The S.E.C. adopted a rule that would save corporations the expense of mailing financial reports and proxy statements by enabling them to communicate with the vast majority of their investors through the Internet. (Investors can continue to receive paper copies of proxies and other material through the mail if they request them.)

And it proposed rules that would make it easier and less costly for banks to offer brokerage services.


IN THE WORKS

1. Under those new guidelines, prosecutors in the field will now have to obtain permission from senior officials before trying to get companies that are under investigation to waive their attorney-client privilege.

2. In weighing whether to seek the indictment of a company, the prosecutors will also no longer be permitted to consider whether the company is paying the legal fees of an employee involved in the inquiry.


3. The changes announced by the commission on Wednesday fell short of what some companies and groups had sought. In the case of the auditing rules, for instance, many businesses had sought an exemption from the requirements of Section 404 of the Sarbanes-Oxley Act.

4. Instead of a blanket exemption, officials said, the proposed guidance would give many small companies a powerful new tool in restricting their auditors from engaging in what the executives viewed as expensive and unnecessary audits of financial controls that had minimum impact on financial statements.

5. Under the guidance proposed by the S.E.C., executives would evaluate the design of only those financial controls that might carry the risk of having a material impact on financial statements. Commission officials emphasized that the guidance is being drafted to be less onerous on smaller or less intricate companies.

MS06-078 - Install the patch even if it says Media player 6.4 and you are on a newer version

During the December updates, I almost "unselected" MS06-078, as it referenced an update for Media Player 6.4 in the title information, and at first I felt it might even impact my Media Player 11 environment. Still, I decided to install this, and when I saw the same reference to MP 6.4 in updating other PCs, I knew all was well.

This is actually documented in the FAQs. Apparently, MP 6.4 "lives" on your PC for compatibility reasons even if you're on the latest and greatest version.

MS06-078 - Please see FAQ section
http://www.microsoft.com/technet/security/bulletin/ms06-078.mspx

quote:

I have installed Windows Media Player 11 on my computer. Why am I being offered the Windows Media Player 6.4 security update?

While Windows Media Player 11 is not vulnerable, Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows XP Professional x64 Edition, Microsoft Windows Server 2003 or on Microsoft Windows Server 2003 Service Pack 1 and Microsoft Windows Server 2003 x64 Edition will still have Windows Media Player 6.4 installed on the system for backwards compatibility.

The Rock Phish group may be responsible for half of all phishing attacks

This is an interesting article and hopefully someone will eventually catch these guys.

The Rock Phish group may be responsible for half of all phishing attacks
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005958

QUOTE: The Rock Phish criminal organization is responsible for as many as one-half of all current phishing attacks. Problem is, no one's sure who they are, or even if it isn't just one person. It is estimated that the criminal organization's phishing schemes have cost banks more than $100 million to date.

Rock Phish is not known for targeting the two most popular phishing targets -- eBay and PayPal. Instead, it specializes in European and U.S. financial institutions. At last count, the group had spoofed 44 brands from businesses in nine countries, sending out e-mails that try to trick victims into visiting phony Web sites and entering information such as credit card numbers and passwords. Rock Phish sites have spoofed CitiBank, E*Trade, Barclays, and Deutsche Bank, among others.

Microsoft Security Bulletins - December 2006

Microsoft Security Bulletins - December 2006
http://www.microsoft.com/technet/security/bulletin/ms06-dec.mspx

As part of Microsoft's routine monthly security update cycle, the following updates have been released:

3 Critical:

MS06-072 - Cumulative Security Update for Internet Explorer (925454)
MS06-073 - Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (925674)
MS06-078 - Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689)

4 Important:

MS06-074 - Vulnerability in SNMP Could Allow Remote Code Execution (926247)
MS06-075 - Vulnerability in Windows Could Allow Elevation of Privilege (926255)
MS06-076 - Cumulative Security Update for Outlook Express (923694)
MS06-077 - Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121)


 

More Posts Next page »