January 2007 - Posts
Users should continue to be cautious and avoid all suspicious or unexpected Office documents received in email messages.
Microsoft Word 2000 - New unpatched vulnerability and expolit
http://secunia.com/advisories/23950/
http://www.frsirt.com/english/advisories/2007/0350
http://www.microsoft.com/technet/security/advisory/932114.mspx
QUOTE: A vulnerability has been identified in Microsoft Word, which could be exploited by attackers to take complete control of an affected system. This issue is due to a memory corruption error when handling a document containing a malformed string, which could be exploited by attackers to execute arbitrary commands by tricking a user into opening a specially crafted Word document.
Many of the key currently unpatched vulnerabilities and their associated risk factors are being maintained here:
Microsoft Unpatched Vulnerabilities - ISC Master List
http://isc.sans.org/diary.html?storyid=1940
QUOTE: Vulnerabilities that are widely known and/or actively exploited are of great interest to our readers, here we try to keep an overview of them
While there have been noteable cases where sensitive information has been obtained by Internet crackers and criminals, the TJX security breach has started impacting folks and it's a good practice to always check banking and credit card statement vigilently each month.
TJX Security Breach - Stolen Credit Cards are being used
http://www.eweek.com/article2/0,1895,2087760,00.asp
QUOTE: Banking industry officials in Massachusetts are reporting that a string of local companies have already observed fraudulent activity related to the massive data breach reported by retail chain TJX Companies on Jan. 17.
Unlike many other highly publicized data losses reported by organizations such as the United States Department of Veterans Affairs, which have not yet been traced to any criminal activity, the information stolen from TJX during two specific incidents in 2003 and 2006 has already been put to use by fraudsters, according to the MBA (Massachusetts Bankers Association).
The MBA reported on Jan. 24 that several banks in the state, which is also home to the TJX corporate headquarters in Framingham, have reported incidents of fraud specifically related to the information that was lifted from the retailers' IT systems by unidentified outsiders.
AVERT Labs is a division of McAfee. This blog entry provides practical advise in being careful with email, websites, and protecting your PC with good security controls.
Internet Security - The Need for Common Sense
http://www.avertlabs.com/research/blog/?p=181
Quote: Memorizing lists of Do’s and Don’ts can be a bit daunting for people, so I’ve started advising people to look at their computer like it was their house. People can “come to your house” by email, via web-sites, by comment spam, by portable media or storage devices, whatever. Just like people can come to your real house by ringing your front door-bell, using the door-knob, crawling in a window, etc.
Citrix security should be updated where applicable in corporate environments:
Citrix Security Vulnerability - Patch Now
http://isc.sans.org/diary.html?storyid=2102
http://support.citrix.com/article/CTX111686
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0444
http://www.zerodayinitiative.com/advisories/ZDI-07-006.html
QUOTE: This is for Citrix users: Time to Patch! Another vulnerability was disclosed that affects the Citrix presentation plataform. This one, discovered by the ZeroDayInitiative is a buffer overflow vulnerability and received the CVE ID of CVE-2007-0444 (not much info there) and affects the Citrix Presentation Server 4.0, Metaframe XP 1.0 and Metaframe Presentation Server 3.0.
If sucessfuly exploited, an attacker will be able to run code as System. Exploit for this vulnerability is available, so I really recommend the usual test and patch procedure! Citrix has information about this vulnerability and the proper measures to take.
Users should continue to be cautious of all spam email and avoid all attachments.
Storm Worm - New Variants have Billing or Love Themes
http://www.f-secure.com/weblog/archives/archive-012007.html#00001094
QUOTE: A new round of malicious billing spam e-mails were received yesterday. All attachments have the filename of Rechnung.pdf.exe. Two variants emerged from these spams: W32/Nurech.X and W32/Nurech.Y.
Later in the day, the phrase "Love is all Around" was given a new meaning when another batch of Stormy was received. This new Stormy is still adhered to the theme of Love. Filenames of this new variant could be any of the following:
Flash Postcard.exe
Greeting Postcard.exe
Greeting Card.exe
Postcard.exe
flash postcard.exe
greeting card.exe
greeting postcard.exe
postcard.exe
This massively spammed trojan became the 1st MEDIUM risk virus for Symantec since May 2005.
ARTICLE: Storm Trojan Hits 1.6 Million PCs
http://www.informationweek.com/news/showArticle.jhtml?articleID=196903023
QUOTE: The goal of the Trojan seems to be to acquire a large botnet, or collection of compromised PCs, that can be used to send traditional scam spams or for later identity mining. Originally dubbed the "Storm worm" because one of the subject heads used by its e-mail touted Europe's recent severe weather, the Trojan's author is now spreading it using subjects such as "Love birds" and "Touched by Love," said Finnish anti-virus vendor F-Secure.
FIRST MEDIUM RISK VIRUS IN 18 MONTHS:
Symantec went to MEDIUM risk for the 1st time since May 2005, as most email threats have been well contained over the past 18 months.
http://www.symantec.com/security_response/writeup.jsp?docid=2007-011917-1403-99
It's rated as "low risk" as it requires user action plus it's probably unlikely to become a target for in-the-wild exploitation.
Microsoft Visual Studio ".rc" File Handling Buffer Overflow
http://www.frsirt.com/english/advisories/2007/0296
http://secunia.com/advisories/23856/
QUOTE: porkythepig has reported a vulnerability in Microsoft Visual Studio, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error within the handling of ".rc" files that contain an overly long string after the "1 TYPELIB MOVEABLE PURE " text. This can be exploited to cause a stack-based buffer overflow and allows arbitrary code execution when a malicious ".rc" file is opened.
Successful exploitation requires that a user click on the "Ok" button or closes the message box when the "file not found" message box appears.
Affected Products: Microsoft Visual Studio 6 SP6 and prior
Solution: FrSIRT is not aware of any official supplied patch for this issue.
Users should continue to be cautious and not select any attachments in email from untrusted sources, as continued new waves and iterations of the Storm Worm are spammed out in large scale attacks.
New German version - GEZ_Rechnung.pdf.exe
http://www.f-secure.com/weblog/archives/archive-012007.html#00001093
Storm Worm changes theme to Love related topics
http://www.f-secure.com/weblog/archives/archive-012007.html#00001092
QUOTE: This evening a new wave of the Stormy worm has been widely spammed. The subjects used in the e-mails have now changed from news-related events to love-related topics as you can see from the screenshot and the list of subjects below.
Storm Worm starts to use Rootkit Techniques
http://www.f-secure.com/weblog/archives/archive-012007.html#00001089
Storm Worm more Variants emerge
http://www.f-secure.com/weblog/archives/archive-012007.html#00001088
Storm Worm becomes the Largest Trojan horse attack in months
Unfortunately, this trojan horse disguised as breaking news coincided with one of Europe's most fercious storms. I've also received copies of this massively spammed worm in my personal email. Please avoid all attachments on breaking news emails and check major news sites instead for pertinent information.
Storm Worm rages across the globe
http://articles.techrepublic.com.com/2100-1009_11-6151414.html
QUOTE: "Storm Worm," one of the larger Trojan horse attacks in recent years, is baiting people with timely information about a deadly, real-life front, security researchers said Friday. Over an eight-hour period Thursday, malicious e-mails were sent across the globe to hundreds of thousands of people, said Mikko Hypponen, chief research officer for F-Secure.
Storm Worm is already close to being as large as the bigger attacks of 2006, Hypponen said, though it's still smaller than Sasser and Slammer. People who open the attachment then unknowingly become part of a botnet. A botnet serves as an army of commandeered computers, which are later used by attackers without their owners' knowledge.
Additional Links below:
McAfee - DAT 4943 is available and provides protection
http://vil.nai.com/vil/content/v_141316.htm
F-Secure: Small.DAM definition
http://www.f-secure.com/v-descs/small_dam.shtml
F-Secure: Storm-Worm spreads Quickly
http://www.f-secure.com/weblog/archives/archive-012007.html#00001087
ISC: European Storm Video E-Mail
http://isc.sans.org/diary.html?storyid=2071
EMAIL TO AVOID:
Subject:
230 dead as storm batters Europe
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
A killer at 11, he''s free at 21 and kill again!
British Muslims Genocide
Attachment: Read More.exe, Full Clip.exe, Full Story.exe, Video.exe
P.S. Below is the true story of the Winter Storm which impacted Europe with high winds, as some gusts were reported at 105 mph.
Accuweather Blog - European Storm Winds over 105 MPH
This interesting weblog entry discusses an industrial strength client/server topology that's being used for spam generation. A server contains templates plus email addresses (e.g., 68GB worth - WOW). The spambot clients (a.k.a., zombies) then interact with the master servers to create all these text and image based spam messages we have to clean up after daily.
F-Secure: Commercial-grade redundant client-server backend systems for SPAM
http://www.f-secure.com/weblog/archives/archive-012007.html#00001085
QUOTE: Oh man, there's a lot of spam out there nowadays. The Warezov gang is using variants of Warezov and Medbot/Horst to send out medication and replica spam. The Rustock gang is using Mailbot.AZ and variants to send out stock spam. The Warezov gang is apparently operating from China and the Rustock boys from Russia.
Machines infected with Medbot use a client-server architecture. They connect to a central server to get further instructions as well as spam content and address lists. Then they get to the work of actually sending the spam.
The server addresses keep changing. Last week <<URL-removed>> was used to serve e-mail addresses to the bots. While investigating the case last week, we downloaded some 68 GIGABYTES of e-mail addresses from this server.
Another good example of the client-server architecture is the service running at <<URL-removed>>. This URL serves randomized HTML templates for different spam mails. The URL is live at the moment of this posting. If you access it and reload the page, you'll get a different spam template every time
The security primer is an excellent resource which summarizes key security risks and prevention techniques.
IT Security website - Network Security Primer
http://www.itsecurity.com/features/network-security-threats-011707/
Discussion of security risks and prevention techniques for:
1. Viruses and Worms
2. Trojan Horses
3. Spam
4. Phishing
5. Packet Sniffers
6. Maliciously-Code Websites
7. Password Attacks
8. Hardware Loss and Residual Data Fragments
9. Shared Computers
10. Zombie Computers and Botnets
Below are a few links and all users should ensure they are up-to-date on the latest Microsoft security updates:
MS07-004 Attack code out for 'critical' Windows flaw
http://news.zdnet.com/2100-1009_22-6150642.html
Trend Blog
http://blog.trendmicro.com/ms07-004-code-in-the-wild/
Trend's AV Definition for new POC exploit code
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=EXPL%5FEXECOD%2EC
An interesting 3 page article, as I definitely remember some past worms (e.g., Bugbear) that could infect network based printers and waste tons of paper. This article speculates that as other resources are hardened, currently unpatched resources like printers could become the next target? 
Article: The Surprising Security Threat Your Printers
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=277746
QUOTE: Networked printers — yes, printers — can open your corporate network to malicious attacks. They need security patches, too
... He described the kinds of mischief you could do with a compromised printer, including password-catching, password-snarfing (changing passwords), hijacking functions, grabbing print jobs and playing with a billing program. O’Connor, who says he has proved in his research lab that these hacks are possible, showed a video of himself exploiting these vulnerabilities in his lab during his Black Hat presentation.
... The question remains how many IT departments apply security patches to their printers. “One of the reasons this is a particularly nasty problem is that people don’t update their printer software,” security technologist Bruce Schneier wrote in his blog.
... The apathy toward printer security isn’t surprising, since printer attacks have been few and far between in recent years. That’s mostly because, right now, it’s easier just to hack PCs and laptops, says Dean Turner, senior manager for security response at Symantec Corp. But as those systems become more secure through tougher security standards and best practices, attackers will turn their tools to the next low-hanging fruit, Turner says. And unprotected printers are a logical target.
Bugbear and other viruses that can impact network printers
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=99728
http://www.google.com/search?hl=en&q=printer+virus
This is a brief and interesting analysis by one of Kaspersky's analysts in Moscow. It illustrates the awareness that's still needed for wireless security protection.
Kaspersky Labs Blog - Please see JAN 16th entry
http://www.viruslist.com/en/weblog?calendar=2007-01
QUOTE: I live pretty close to the office, and my commute only takes about ten minutes - even in that time I was able to collect a fair bit of data which is shown in the picture below. Overall, I detected 40 Wifi networks: the totally unprotected networks are marked with a red dot, those with WEP enabled are marked with a yellow dot, and those with WPA are marked with a green dot.
Findings on the way to work
http://images.kaspersky.com/en/pictures/vlweblog-208187308.png
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=277590
QUOTE: In Hacking Exposed VoIP, which hit bookshelves last month, authors David Endler and Mark Collier argue that voice-over-IP technology “is about to hit critical mass” and will become a favorite security hole for hackers to slip through to disrupt IT operations. Endler and Collier hope their book can show not just how to crack a VoIP network — which it will — but also how to lock one down. According to Endler, who is director of security at 3Com Corp.’s TippingPoint division in Austin, hackers have begun to use VoIP in phishing exploits that emulate the interactive voice response systems of legitimate companies. “The rate of vulnerabilities will increase,” says Collier, chief technology officer at SecureLogix Corp. in San Antonio. Distributed denial-of-service attacks are likely and could be devastating to VoIP systems, Collier says, noting that even a modest DDoS attack could make it all but impossible to make VoIP calls because of quality-of-service issues. Then there’s the problem of privacy. “It’s extremely easy to listen in on a call,” Endler says. It isn’t that much harder to inject noise or even spam into VoIP communications.
As a member of the Sarbanes-Oxley forums, I found this thread particularly informative as it related to IT security requirements.
http://www.sarbanes-oxley-forum.com/modules.php?name=Forums&file=viewtopic&t=1919
As requested by the article, some brief comments are noted below:
1. I disagree with public disclosure of vulnerability details and exploit code, favoring private sharing with the vendors only.
2. Projects like MOBB, MOKB, and MOAB clearly demonstrate no product is safe and vendors need to work focus even more on making their products more secure.
3. Some findings might have a small benefit as vendors may patch security hole more expediently. However, this small gain in security is usually far out-weighed by arming the bad guys with leading edge exploit code that can be used against an unprotected public.
4. Microsoft and all vendors desire zero defects in their software, although it's not humanly possible. Security patches for any vendor are prioritized based on risk factors. With public disclosure, the inventories of outstanding patches might grow, because vendors scramble to provide protection for the unpatched leading edge exposures.
5. Softare vendors may need to add more folks and priority for security issues. Still, I see public disclosure often focused on embarassing the vendor rather than helping the cause of security.
6. Maybe there's some "middle ground" where as privately shared security concerns are logged with an assigned number and tracked publicly on websites. Very sketchy details would be shared on the nature of the vulnerability so there's a reduction of impact to the public, yet there might also be improved accountability by vendors.
7. As a bottom line, leaking even proof-of-concept exploit code to the public is dangerous, as it can be crafted into phishing, spyware, or worm attacks by folks who wish to harm others. I may have to "agree to disagree" with some of the security experts on perceived benefits of this process.
Vulnerability Disclosure: The Good, the Bad and the Ugly
http://www2.csoonline.com/exclusives/column.html?CID=28088
QUOTE: More than a decade into the practice of vulnerability disclosure, where do we stand? Are we more secure? Or less? If you see a glaring security hole in a sensitive application, what will you do? Will you notify the developer? The users? Other hackers?
More Posts
Next page »