February 2007 - Posts
QUOTE: The worm attempts to log into your systems as the users “lp” or “adm” and execute a bunch of shell commands (some of which are visible in the IDA screen shot below) to set up shop and keep on truckin’. Very old school, reminds me of the old ADM worms I saw back in the late 90’s that got me interested in self-propagating malware in the first place.
This new Trojan from the Storm Worm authors registers a malicious DLL as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer. It can then inject a copy of the malicious code into blog comments automatically from an infected PC.
Please avoid any "fun video links" you may see in a blog post as AV protection is very limited at this point.
Mespam Trojan - New Storm Worm version spreading as blog comments
Security Watch commentary - New Storm Worm spreading via Blog Posts
QUOTE: A Storm worm variant using both e-mail and Web sites to infect Windows-based PCs is injecting itself into the responses people are leaving on blogs. Dmitri Alperovitch, principal research scientist at Secure Computing, told eWEEK that the worm is injecting itself into the operating system as a rootkit and is capable of intercepting Web traffic.
When a user with an infected system visits a bulletin board or posts to a blog, the worm inserts malware into his or her comments. The line asks readers to look at a fun video and contains a link leading to a Web site where the malware is waiting to reinfect more users.
The worm is taking over PCs, Secure Computing reports, giving the criminal control for multiple purposes: sending spam, launching DDoS attacks and running keyloggers.
Also notable in this worm is that it's using server polymorphism—i.e., it contains self-modifying code that changes automatically every time it is downloaded. This worm form has been around "for ages," Alperovitch said, such as in the Bagle worm. Morphing worms are designed to avoid antivirus signature detection, and so far, Alperovitch said, it's working, as few major antivirus vendors have detected it.
To avoid infection, the advice is to refrain from clicking on the "fun video" link.
This article was previously posted on Don Hite's Blog
QUOTE: The Fundamental Computer Investigation Guide for Windows available from Microsoft will provide you with information on how to investigate and then handle any suspicious or improper use of your organization's computers and network. This paper was developed by Microsoft's security experts and customers to provide you with the information and resources you may need in order to pursue any criminal or civil lawsuits.
Fundamental Computer Investigation Guide for Windows Download:
Seven security issues are addressed in the latest release
The Mozilla folks have released the long-awaited version 2.0.0.2 of Firefox. The second link below shows that 7 security issues were fixed, one of them rated critical. Bugs fixed appear to include CVE-2007-1004, CVE-2007-0995, CVE-2007-0981, CVE-2007-0800, CVE-2007-0780, CVE-2007-0779, CVE-2007-0778, CVE-2007-0777, CVE-2007-0776, CVE-2007-0775, CVE-2007-0008, and CVE-2007-0009, among others. This release also fixes the password manager issue that was exploited late last year, CVE-2006-6077. The bookmarklet vulnerability CVE-2007-1084 does NOT appear to have been addressed.
Release Notes: http://www.mozilla.com/en-US/firefox/2.0.0.2/releasenotes/
Security Issues: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.2
Update: As one of our readers pointed out, the Mozilla folks have also released Firefox 1.5.0.10 and SeaMonkey 1.0.8, and a number of the fixes mentioned above apply to these as well.
SeaMonkey security notes: http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey1.0.8
Firefox 1.5.0.10 security notes: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.10
This article affirms the need to "trust but verify" as part of the security process:
Corporate Security Controls: Massive Insider Breach At DuPont
QUOTE: A research chemist who worked for DuPont for 10 years before accepting a job with a competitor downloaded 22,000 sensitive documents and viewed 16,706 more in the company's electronic library.
Gary Min worked as a research chemist for DuPont for 10 years before accepting a job with DuPont competitor Victrex PLC in Asia in October 2005. Between August and December of that year, Min downloaded 22,000 sensitive documents and viewed 16,706 more in the company's electronic library, making him the most active user of that database in the company, according to prosecutors.
It's unclear whether Min's frequent access to that database tipped off an automatic alert to DuPont officials or whether his behavior was discovered by studying database access logs. Regardless, Min left DuPont in December, 2005, and after starting work for Victrex in February, 2006, transferred 180 DuPont documents to a Victrex-owned laptop computer.
After DuPont discovered that Min had helped himself to a large volume of confidential and proprietary DuPont technical information, it notified the FBI and the Commerce Department. Min's Victrex computer was seized on Feb. 8, 2006, while he was at a meeting with Victrex officials in Geneva, Switzerland. The confiscated computer was turned over to DuPont, which in turn gave it to the FBI, according to prosecutors.
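The article leaves open whether an automatic alert or a manual review of the access logs caught the activity. Either way, the detectable signal is the same: one account pulling far more documents than its peers. The following added example (not from the article, DuPont, or any vendor) shows a simple version of that check over constructed document-library access logs; the log format, user names and counts are all assumptions. It counts accesses per user and flags upper outliers with the modified z-score (median and median absolute deviation), which, unlike a mean-based threshold, is not dragged upward by the very account you are trying to catch.

```python
import re
import statistics
from collections import Counter


# Constructed sample access-log lines for an internal document library.
# The format, users and volumes are assumptions for this example, not real data:
# four ordinary users plus one account that pulls far more documents.
def _build_sample_log():
    spec = {"alice": 3, "bob": 4, "carol": 2, "dave": 3, "heavyuser": 40}
    lines = []
    n = 0
    for user, count in spec.items():
        for i in range(count):
            n += 1
            action = "download" if i % 2 == 0 else "view"
            lines.append(
                f"2005-08-{(n % 28) + 1:02d}T09:{n % 60:02d}:00 "
                f"user={user} action={action} doc=EL-{10000 + n}"
            )
    return lines


SAMPLE_LOG = _build_sample_log()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) doc=(?P<doc>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def per_user_counts(lines, actions=("download", "view")):
    """Count document accesses per user, restricted to the given action types."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] in actions:
            counts[rec["user"]] += 1
    return counts


def flag_outliers(counts, threshold=3.5):
    """Return {user: score} for users whose access count is an upper outlier.

    Uses the modified z-score 0.6745 * (x - median) / MAD, which stays stable
    when a single heavy user would otherwise inflate the mean; 3.5 is the
    customary cutoff. Only users above the median are ever flagged.
    """
    values = list(counts.values())
    if len(values) < 3:
        return {}  # too few users for a meaningful baseline
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    flagged = {}
    for user, v in counts.items():
        if mad == 0:
            score = float("inf") if v > med else 0.0
        else:
            score = 0.6745 * (v - med) / mad
        if score > threshold:
            flagged[user] = round(score, 2)
    return flagged


if __name__ == "__main__":
    counts = per_user_counts(SAMPLE_LOG)
    for user, score in sorted(flag_outliers(counts).items()):
        print(f"ALERT {user}: {counts[user]} accesses, modified z-score {score}")
```

In practice the counts would be computed per user per period (weekly or monthly) and compared against that user's own history as well as against peers, so that a new project does not trigger the alert on its own.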
This new security vulnerability is rated low-risk, and it can only be exploited by local users (rather than remotely).
Windows XP/Vista/2003 - Local security disclosure vulnerability
QUOTE: A weakness has been identified in Microsoft Windows, which could be exploited by malicious users to disclose sensitive information. This issue is due to an error within the directory-change API that does not properly validate user's permission for child objects when retrieving information regarding objects that they do not have "LIST" permissions for. This could be exploited by local attackers to gather information about protected files (e.g. their names), facilitating further attacks.
CVE ID : CVE-2007-0843
Rated as : Low Risk
Remotely Exploitable : No
Locally Exploitable : Yes
This is an excellent resource and covers virtually all the key threats home users are faced with:
This new vulnerability is rated as low risk and could be used in phishing or other deceptive schemes by malicious people.
Internet Explorer 7 "onunload" Event Spoofing Vulnerability
http://secunia.com/advisories/23014/
http://msmvps.com/blogs/spywaresucks/archive/2007/02/23/611544.aspx
Secunia Research has discovered a vulnerability in Internet Explorer 7, which can be exploited by a malicious website to spoof the address bar. The vulnerability is caused due to an error in Internet Explorer 7's handling of "onunload" events, enabling a malicious website to abort the loading of a new website. This can be exploited to spoof the address bar if e.g. the user enters a new website manually in the address bar, which is commonly exercised as best practice.
This new "network walker" virus is written in VB and affects workstations as they boot up. It disguises copies of itself on the hard drive or network drives as Word documents (using the Word icon).
BootMerlin Virus - Modifies Windows Boot-up
http://vil.nai.com/vil/content/v_141514.htm
http://secunia.com/virus_information/36315/bootmerlin/
Key Symptoms include:
1. Wizard animation advocating anti-Microsoft messages in Spanish
2. C:\Boot.ini modified
3. Anti-Windows or Anti-Microsoft messages displayed by Windows Boot Manager at boot up time.
4. Presence of the file on hard drive or network drives where write access is permitted
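Two of the symptoms above, a modified C:\Boot.ini and altered text in the boot menu, can be checked against a known-good copy rather than by eye. The following added example (not code from the vendor advisories above) parses boot.ini's two sections, compares a current copy with a baseline and reports changed timeout or default entries, added or removed boot entries, and changed menu descriptions or switches. Both boot.ini texts are constructed samples: the baseline is a typical XP layout, and the tampered copy carries placeholder menu text rather than the real messages the virus displays.

```python
import re

# Constructed baseline copy of a typical Windows XP boot.ini (an assumption
# for this example; take a real baseline from a known-clean machine).
BASELINE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
"""

# Constructed tampered copy: the boot menu text has been replaced and the
# timeout dropped to zero. The replacement text is a placeholder, not the
# virus's actual message.
TAMPERED_BOOT_INI = r"""
[boot loader]
timeout=0
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="(constructed sample) altered boot menu text" /fastdetect /NoExecute=OptIn
"""


def parse_boot_ini(text):
    """Parse boot.ini into {section: {key: value}}; keys keep their ARC paths."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)  # values may contain '=' (/NoExecute=OptIn)
        sections[current][key.strip()] = value.strip()
    return sections


def split_entry(value):
    """Split '"Menu text" /switch1 /switch2' into (menu text, switches)."""
    m = re.match(r'^"([^"]*)"\s*(.*)$', value)
    if not m:
        return value, ""
    return m.group(1), m.group(2).strip()


def audit_boot_ini(current_text, baseline_text):
    """Return a list of human-readable findings; an empty list means no change."""
    cur = parse_boot_ini(current_text)
    base = parse_boot_ini(baseline_text)
    findings = []

    cur_loader = cur.get("boot loader", {})
    base_loader = base.get("boot loader", {})
    for key in ("timeout", "default"):
        if cur_loader.get(key) != base_loader.get(key):
            findings.append(
                f"[boot loader] {key} changed: {base_loader.get(key)!r} -> {cur_loader.get(key)!r}"
            )

    cur_os = cur.get("operating systems", {})
    base_os = base.get("operating systems", {})
    for path in sorted(base_os.keys() - cur_os.keys()):
        findings.append(f"boot entry removed: {path}")
    for path in sorted(cur_os.keys() - base_os.keys()):
        findings.append(f"boot entry added: {path} = {cur_os[path]!r}")
    for path in sorted(cur_os.keys() & base_os.keys()):
        cur_desc, cur_sw = split_entry(cur_os[path])
        base_desc, base_sw = split_entry(base_os[path])
        if cur_desc != base_desc:
            findings.append(f"boot menu text changed for {path}: {base_desc!r} -> {cur_desc!r}")
        if cur_sw != base_sw:
            findings.append(f"boot switches changed for {path}: {base_sw!r} -> {cur_sw!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_boot_ini(TAMPERED_BOOT_INI, BASELINE_BOOT_INI):
        print("FINDING:", finding)
```

On a real machine the current text would be read from C:\Boot.ini (it is hidden and read-only by default) and the baseline kept off the box, since a virus that rewrites boot.ini could just as easily rewrite a baseline stored next to it.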
F-Secure recently conducted an interesting poll; based on 1020 responses, 65% said "No".
QUOTE: A graph of the overall results can be found in the original post. There were 23.8% in favor, 65% against, and 11.2% that were undecided.
Trend Micro has issued updates for newly discovered buffer overflow vulnerabilities in their server- and client-based AV products.
Trend Micro ServerProtect "StCommon.dll" and "eng50.dll" Buffer Overflow Vulnerabilities
QUOTE: Multiple vulnerabilities have been identified in Trend Micro ServerProtect, which could be exploited by remote attackers to take complete control of an affected system. These issues are due to buffer overflow errors in various functions within the "StCommon.dll" and "eng50.dll" libraries, which could be exploited by remote unauthenticated attackers to execute arbitrary commands by sending specially crafted RPC requests to a vulnerable application.
Trend Micro OfficeScan Web Deployment ActiveX Remote Code Execution Vulnerability
QUOTE: A vulnerability has been identified in OfficeScan Corporate Edition, which could be exploited by attackers to take complete control of an affected system. This issue is due to a buffer overflow error in the web deployment ActiveX control when handling malformed arguments passed to certain methods, which could be exploited by remote attackers to execute arbitrary commands by tricking a user into visiting a specially crafted web page.
Overview of Microsoft Security Bulletins released on February 13, 2007:
- MS07-005 Step-by-Step Interactive Training (Remote Code Execution)
- MS07-006 Windows Shell (Elevation of Privilege)
- MS07-007 Windows Image Acquisition Service (Elevation of Privilege)
- MS07-008 HTML Help ActiveX Control (Remote Code Execution)
- MS07-009 Microsoft Data Access Components (Remote Code Execution)
- MS07-010 Microsoft Malware Protection Engine (Remote Code Execution)
- MS07-011 Microsoft OLE Dialog (Remote Code Execution)
- MS07-012 Microsoft MFC (Remote Code Execution)
- MS07-013 Microsoft RichEdit (Remote Code Execution)
- MS07-014 Microsoft Word (Remote Code Execution)
- MS07-015 Microsoft Office (Remote Code Execution)
- MS07-016 Internet Explorer (Remote Code Execution)
Our privacy is something that we need to safeguard while on the Internet. Many companies will automatically scan in publicly available information from a telephone listing or other sources. You may be able to opt out in some cases, but once something is published to the Internet, it can also be difficult to remove.
You can try some of the following privacy tests for yourself on Google, Yahoo, MSN Live, Switchboard or other search facilities:
1. Your name (with and without spaces) and the names of other family members
2. Your telephone number
3. Your street address (street only or full address)
4. Your email address (full or just the name portion)
5. Your SSN (with and without dashes; hopefully zero hits)
6. Your birthday as MM/DD/YYYY (most likely you won't get hits on yourself, but it's neat to check for historical events)
Brief list shared below:
Microsoft Security - ISC updates key missing patches
- Word 2000/XP DoS / remote code execution: CVE-2007-0870 (used in targeted attacks)
- Internet Explorer msxml3 concurrency problems: CVE-2007-0099 (publicly posted exploit; remote DoS / code execution)
- NetrWkstaUserEnum() memory allocation exhaustion: CVE-2006-6723 (publicly posted exploit; remote DoS)
- MessageBox() / csrss double free vulnerability: CVE-2006-6696 (publicly posted PoC exploits for XP, 2003 and Vista)
- RPC in Windows 2000 SP4 UPnP and SPOOLS: CVE-2006-6296, CVE-2006-3644 (multiple publicly available exploits)
- Microsoft Windows NAT Helper Components: CVE-2006-5614 (publicly available exploit); CVE-2006-5296 (publicly available exploit)
Always avoid clicking on URLs in spam-based emails, even to opt out, as downloader agents may be present that can infect an unprotected PC.
New spam attack in German with URL based malware
QUOTE: We've received a report that a spam is making the rounds; it's in German and has the Subject "Fand ich Sie zufallig!". According to the automated malware analysis we received from Sven Marten, at the link in the email one obtains 2 pieces of malware, the first of which has sporadic AV detection at the moment.
For Sun Solaris versions 10 and 11, a serious Telnet issue has surfaced. If run in its default configuration, it can allow unauthorized users to gain root-level access. It is recommended that Telnet be disabled until a security fix is available.
Sun Solaris 10 and 11 - Telnet Security Issue
QUOTE: There is a major zero day bug announced in Solaris 10 and 11 with the telnet and login combination. It has been verified. In my opinion NOBODY should be running telnet open to the internet. Versions of Solaris 9 and lower do not appear to have this vulnerability. The telnet daemon passes switches directly to the login process which looks for a switch that allows root to login to any account without a password. If your telnet daemon is running as root it allows unauthenticated remote logins.
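The recommended mitigation is to disable Telnet until a fix is available, which first requires knowing which of your own hosts still have a telnet listener reachable. The following added example (not from the advisory or from Sun) walks a host inventory you supply and reports the entries that accept a TCP connection on port 23; the inventory contents and labels are constructed assumptions. It checks reachability only, sends nothing to the service, and leaves the disabling to the administrator.

```python
import socket


def telnet_listening(host, port=23, timeout=2.0):
    """Return True if something accepts TCP connections on host:port.

    A refused or timed-out connection counts as 'not exposed'. Nothing is sent
    to the service; the socket is closed as soon as the connect succeeds.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_telnet_exposure(targets, timeout=2.0):
    """targets: iterable of (label, address, port) tuples.

    Returns the labels whose address:port currently accepts connections.
    """
    return [
        label
        for label, address, port in targets
        if telnet_listening(address, port, timeout)
    ]


if __name__ == "__main__":
    # Constructed inventory (assumed names and addresses); replace with your own.
    inventory = [
        ("lab-solaris10", "127.0.0.1", 23),
        ("build-server", "127.0.0.1", 23),
    ]
    exposed = find_telnet_exposure(inventory)
    if not exposed:
        print("no telnet listeners reachable in the inventory")
    for label in exposed:
        print(f"{label}: telnet listener reachable; disable it until patched")
        # On Solaris 10 the SMF service is turned off with:
        #   svcadm disable svc:/network/telnet:default
```

Run it from a vantage point that matches the exposure you care about (from the Internet side of the firewall for "open to the internet", from the LAN for internal hosts), since a listener that is filtered from one network may be wide open from another.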
Not only are the bad guys attacking users, they are also fighting each other with DDoS attacks launched from backdoors on infected systems.
Virus War of 2007 - StormWorm vs Warezov
QUOTE: Interesting developments going on. The P2P botnet created by Storm-Worm variants has been used to launch Distributed Denial-of-Service attacks. Targets include several domains used by the Warezov/Medbot gang.
Virus War of 2004 - Mydoom vs Netsky
Under XP, I've had no issues updating virus signatures or checking the Help/About information to determine the latest signature files installed. There may be some additional work required, though, for this process to work more smoothly on Vista.
McAfee Virus Scan 8.5i fails Vista VB100 certification due to update problems
QUOTE: In the wake of the recent VB100 test on the new Windows Vista platform, VB has been in communication with the makers of many of the products tested. The developers of one of those adjudged to have failed the test, McAfee, have insisted that when their VirusScan product is fully updated with the data provided for testing it is capable of detecting the samples missed during our tests.
After intensive investigation, VB has found that detection routines for the two malware samples missed were indeed included in the update package provided by McAfee. However, when McAfee's manual update procedure was run it failed to apply the update to the product, despite both on-screen messages and logs stating that the product had been updated successfully.