February 2007 - Posts

• Solaris Telnet based worm seen in the wild

  http://isc.sans.org/diary.html?storyid=2316 http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1 http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/ QUOTE: The worm attempts to log into your systems as the users “lp” or “adm” and execute a bunch of shell commands (some of which are visible in the IDA screen shot below) to set up shop and keep on truckin’. Very old school, reminds me of the old ADM worms I saw back in the late 90’s that got me interested in self-propagating malware in the first place. Posted Feb 28 2007, 07:11 PM by harry with no comments

• Mespam Trojan - New Storm Worm version spreading as blog comments

  This new Trojan from the Storm Worm authors, registers a malicious dll as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer. It can then inject a copy of the malicious code into blog comments automatically from an infected PC.  Please avoid any "fun video links" you may see in a blog post as AV protection is very limited at this point. Mespam Trojan - New Storm Worm version spreading as blog comments http://secunia.com/virus_information/35867/spam-mespam/ http://vil.nai.com/vil/content/v_141590.htm http://www.sophos.com/security/analyses/malcimuza.html Security Watch commentary - New Storm Worm spreading via Blog Posts QUOTE: A Storm worm variant using both e-mail and Web sites to infect Windows-based PCs is injecting itself into the responses people are leaving on blogs.  Dmitri Alperovitch, principal research scientist at Secure Computing, told eWEEK that the worm is injecting itself into the operating system as a rootkit and is capable of intercepting Web traffic. When a user with an infected system visits a bulletin board or posts to a blog, the worm inserts a malware into his or her comments. The line asks readers to look at a fun video and contains a link leading to a Web site where the malware is waiting to reinfect more users. The worm is taking over PCs, Secure Computing reports, giving the criminal control for multiple purposes: sending spam, launching DDoS attacks and running keyloggers. Also notable in this worm is that it's using server polymorphism—i.e., it contains self-modifying code that changes automatically every time it is downloaded. This worm form has been around "for ages," Alperovitch said, such as in the Bagle worm. Morphing worms are designed to avoid antivirus signature detection, and so far, Alperovitch said, it's working, as few major antivirus vendors have detected it. To avoid infection, the advice is to refrain from clicking on the "fun video" link. Posted Feb 28 2007, 05:40 PM by harry with 1 comment(s)

• F-Secure offers video of how Phishing works

  http://www.f-secure.com/weblog/archives/archive-022007.html#00001123 QUOTE: We frequently post on the topic of Phishing. Today we discovered a phishing site that was created two days ago on February 24th.  We are monitoring new domain registrations that include particular keywords, such as eBay and Paypal. We create a list and use it to do a quick audit of URLs. If we find any obvious phishing sites – we get them shut down. Posted Feb 28 2007, 05:32 PM by harry with no comments

• Microsoft Fundamental Computer Investigation Guide for Windows

  This article was Previously posted on Don Hite's Blog QUOTE: The Fundamental Computer Investigation Guide for Windows available from Microsoft will provide you with information on how to investigate and then handle any suspicious or improper use of your organizations computers and network. This paper was developed by Microsoft’s security experts and customers to provide you with the information and resources you may need in order to pursue any criminal or civil lawsuits. Fundamental Computer Investigation Guide for Windows Download: http://go.microsoft.com/fwlink/?linkid=80345 Posted Feb 28 2007, 04:41 PM by harry with no comments

• Firefox 2.0.0.2 security release

  Seven Security issues are addressed in the latest release http://isc.sans.org/diary.html?storyid=2298  The Mozilla folks have released the long-awaited version 2.0.0.2 of Firefox.  The second link below shows that 7 security issues were fixed.  One rate critical.  Bugs fixed appear to include CVE-2007-1004, CVE-2007-0995, CVE-2007-0981, CVE-2007-0800, CVE-2007-0780, CVE-2007-0779, CVE-2007-0778, CVE-2007-0777, CVE-2007-0776, CVE-2007-0775, CVE-2007-0008, and CVE-2007-0009, among others.  This also fixed the issue with the password manager that was exploited late last year, CVE-2006-6077.  The bookmarklet vulnerability CVE-2007-1084 does NOT appear to have been addressed. Release Notes: http://www.mozilla.com/en-US/firefox/2.0.0.2/releasenotes/ Security Issues: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.2 Update: As one of our readers pointed out, the Mozilla folks have also released Firefox 1.5.0.10 and SeaMonkey 1.0.8 and a number of the fixes mentioned above apply to these as well. SeaMonkey security notes: http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey1.0.8 FF-1.5.0.10 security notes: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.10 Posted Feb 24 2007, 02:28 AM by harry with no comments

• Corporate Security Controls: Massive Insider Breach At DuPont

  This article affirms the need to "trust but verify" as part of the security process: Corporate Security Controls: Massive Insider Breach At DuPont http://www.informationweek.com/news/showArticle.jhtml?articleID=197006474 QUOTE: A research chemist who worked for DuPont for 10 years before accepting a job with a competitor downloaded 22,000 sensitive documents and viewed 16,706 more in the company's electronic library. Gary Min worked as a research chemist for DuPont for 10 years before accepting a job with DuPont competitor Victrex PLC in Asia in October 2005. Between August and December of that year, Min downloaded 22,000 sensitive documents and viewed 16,706 more in the company's electronic library, making him the most active user of that database in the company, according to prosecutors. It's unclear whether Min's frequent access to that database tipped off an automatic alert to DuPont officials or whether his behavior was discovered by studying database access logs. Regardless, Min left DuPont in December, 2005, and after starting work for Victrex in February, 2006, transferred 180 DuPont documents to a Victrex-owned laptop computer. After DuPont discovered that Min had helped himself to a large volume of confidential and proprietary DuPont technical information, it notified the FBI and the Commerce Department. Min's Victrex computer was seized on Feb. 8, 2006, while he was at a meeting with Victrex officials in Geneva, Switzerland. The confiscated computer was turned over to DuPont, which in turn gave it to the FBI, according to prosecutors. Posted Feb 23 2007, 07:23 PM by harry with no comments

• Windows XP/Vista/2003 - Local security disclosure vulnerability

  This new security vulnerability is rated low-risk and it can only be manipulated by local users (rather than via remote attacks). Windows XP/Vista/2003 - Local security disclosure vulnerability http://www.frsirt.com/english/advisories/2007/0701 http://secunia.com/advisories/24245/ QUOTE: A weakness has been identified in Microsoft Windows, which could be exploited by malicious users to disclose sensitive information. This issue is due to an error within the directory-change API that does not properly validate user's permission for child objects when retrieving information regarding objects that they do not have "LIST" permissions for.  This could be exploited by local attackers to gather information about protected files (e.g. their names), facilitating further attacks. CVE ID : CVE-2007-0843 Rated as : Low Risk Remotely Exploitable : No Locally Exploitable : Yes Posted Feb 23 2007, 07:07 PM by harry with no comments

• IT Security's 20 minute Guide for PC protection

  This is an excellent resource and covers virtually all the key threats home users are faced with:  http://www.itsecurity.com/features/20-minute-guide-pc-security-021307/ Posted Feb 23 2007, 03:41 PM by harry with no comments

• IE 7 - New address bar spoofing vulnerability

  This new vulnerability is rated as low risk and could be used in phishing or other deceptive schemes by malicious people. Internet Explorer 7 "onunload" Event Spoofing Vulnerability http://secunia.com/advisories/23014/ http://msmvps.com/blogs/spywaresucks/archive/2007/02/23/611544.aspx quote: Secunia Research has discovered a vulnerability in Internet Explorer 7, which can be exploited by a malicious website to spoof the address bar. The vulnerability is caused due to an error in Internet Explorer 7's handling of "onunload" events, enabling a malicious website to abort the loading of a new website. This can be exploited to spoof the address bar if e.g. the user enters a new website manually in the address bar, which is commonly exercised as best practice. Posted Feb 23 2007, 02:10 PM by harry with no comments

• BootMerlin Virus - Modifies Windows Boot-up

  This new "network walker" virus is written in VB and affects workstations as they boot up. It disguises copies of itself on the hard drive or network drives as Word documents (using the Word icon). BootMerlin Virus - Modifies Windows Boot-up http://vil.nai.com/vil/content/v_141514.htm http://secunia.com/virus_information/36315/bootmerlin/ Key Symptoms include: 1. Wizard animation advocating anti-Microsoft messages in Spanish 2. C:\Boot.ini modified 3. Anti-Windows or Anti-Microsoft messages displayed by Windows Boot Manager at boot up time. 4. Presence of the file on hard drive or network drives where write access is permitted Posted Feb 22 2007, 07:09 PM by harry with no comments

• Survey - Should the Police be allowed to hack a suspect's computer?

  F-Secure recently conducted an interesting poll and based on 1020 responses, 65% said "No" http://www.f-secure.com/weblog/archives/archive-022007.html#00001103 http://www.f-secure.com/weblog/archives/archive-022007.html#00001115 QUOTE: A graph of the overall results can be found in the original post. There were 23.8% in favor, 65% against, and 11.2% that were undecided. Posted Feb 21 2007, 09:13 PM by harry with no comments

• Trend Micro - Security Patches available for New Buffer Overflow Vulnerabilities

  Trend Micro has issued updates for newly discovered buffer overflow vulnerabilities in their server and client based AV products. Trend Micro ServerProtect "StCommon.dll" and "eng50.dll" Buffer Overflow Vulnerabilities http://www.frsirt.com/english/advisories/2007/0670 http://www.tippingpoint.com/security/advisories/TSRT-07-01.html http://www.tippingpoint.com/security/advisories/TSRT-07-02.html QUOTE: Multiple vulnerabilities have been identified in Trend Micro ServerProtect, which could be exploited by remote attackers to take complete control of an affected system. These issues are due to buffer overflow errors in various functions within the "StCommon.dll" and "eng50.dll" libraries, which could be exploited by remote unauthenticated attackers to execute arbitrary commands by sending specially crafted RPC requests to a vulnerable application. Trend Micro OfficeScan Web Deployment ActiveX Remote Code Execution Vulnerability http://www.frsirt.com/english/advisories/2007/0638 QUOTE: A vulnerability has been identified in OfficeScan Corporate Edition, which could be exploited by attackers to take complete control of an affected system. This issue is due to a buffer overflow error in the web deployment ActiveX control when handling malformed arguments passed to certain methods, which could be exploited by remote attackers to execute arbitrary commands by tricking a user into visiting a specially crafted web page. Posted Feb 21 2007, 07:42 PM by harry with no comments

• Microsoft Security Bulletins - February 2007

  Overview of Microsoft Security Bulletins released on February 13, 2007: http://www.microsoft.com/technet/security/bulletin/ms07-Feb.mspx MS07-005 Step-by-Step Interactive Training (Remote Code Execution) MS07-006 Windows Shell (Elevation of Privilege) MS07-007 Windows Image Acquisition Service (Elevation of Privilege) MS07-008 HTML Help ActiveX Control (Remote Code Execution) MS07-009 Microsoft Data Access Components (Remote Code Execution) MS07-010 Microsoft Malware Protection Engine (Remote Code Execution) MS07-011 Microsoft OLE Dialog Could (Remote Code Execution) MS07-012 Microsoft MFC (Remote Code Execution) MS07-013 Microsoft RichEdit (Remote Code Execution) MS07-014 Microsoft Word (Remote Code Execution) MS07-015 Microsoft Office (Remote Code Execution) MS07-016 Internet Explorer (Remote Code Execution) Posted Feb 21 2007, 07:35 PM by harry with no comments

• NIST releases 3 new updates to security standards

  These 3 documents are in PDF formats:  http://isc.sans.org/diary.html?storyid=2286  The NIST (National Institute of Standards and Technology ) released yesterday 3 new documents: 1. SP 800-45 Version 2, Guidelines on Electronic Mail Security 2. SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS) 3. SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i Posted Feb 21 2007, 07:30 PM by harry with no comments

• Internet Privacy - Information about you may be available online?

  Our privacy is something that we need to safeguard while on the Internet.  Many companies will automatically scan in publicly available information from a telephone listing or other sources.  You may be able to opt out in some cases, but once something is published to the Internet, it can also be difficult to remove. You can try some of the following privacy tests for yourself on Google, Yahoo, MSN Live, Switchboard or other search facilities: 1. Your name (with and without spaces) and other family members http://www.google.com/search?hl=en&q=Harry+Waldron http://www.google.com/search?hl=en&q=harrywaldron 2. Your telephone number (format: xxx-xxx-xxxx) 3. Your street address (street only or full address) 4. Your email address (full or just the name portion) 5. Your SSN (with and without dashes - hopefully zero hits) 6. Your birthday MM/DD/YYYY (most likely you won't get hits on yourself, but it's neat to check for historical events) Posted Feb 21 2007, 12:33 AM by harry with no comments

• Microsoft Security - ISC updates key missing patches

  Brief list shared below: Microsoft Security - ISC updates key missing patches http://isc.sans.org/diary.html?storyid=1940 Word 2000/XP DoS/Remote code Execution CVE-2007-0870 Used in targeted attacks. Internet Explorer msxml3 concurrency problems CVE-2007-0099 Publicly posted exploit Remote DoS / code execution NetrWkstaUserEnum() memory allocation exhaustion CVE-2006-6723 Publicly posted exploit Remote DoS MessageBox() / csrss double free vulnerability CVE-2006-6696 Publicly posted PoC exploits for XP, 2003 and Vista RPC in Windows 2000 SP4 UPnP and SPOOLS CVE-2006-6296, CVE-2006-3644 Multiple publicly available exploits. Microsoft Windows NAT Helper Components CVE-2006-5614  Publicly available exploit. PowerPoint 2003 CVE-2006-5296  Publicly available exploit. Posted Feb 20 2007, 12:42 PM by harry with no comments

• New spam attack in German with URL based malware

  Always avoid clicking on URLs in spam base emails, even to opt out as downloader agents may be present which can infect an unprotected PC. New spam attack in German with URL based malware http://isc.sans.org/diary.html?storyid=2283 QUOTE: We've received a report that a spam is making the rounds, it's in German, has the Subject "Fand ich Sie zufallig!". According to the automated malware analysis we received from Sven Marten, at the link in the email one obtains 2 pieces of malware, the first of which has sporadic AV detection at the moment. Posted Feb 20 2007, 12:34 PM by harry with no comments

• Sun Solaris 10 and 11 - Telenet Security Issue

  For Sun Solaris versions 10 and 11, a serious Telenet issue has surfaced. If run in it's default configuration, it can allow unauthorized users to gain root level access.  It is recommended that Telenet be disabled until a security fix is available.    Sun Solaris 10 and 11 - Telenet Security Issue http://isc.sans.org/diary.html?storyid=2220 http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1 http://www.kb.cert.org/vuls/id/881872 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0882 QUOTE: There is a major zero day bug announced in solaris 10 and 11 with the telnet and login combination. It has been verified. In my opinion NOBODY be should running telnet open to the internet. Versions of Solaris 9 and lower do not appear to have this vulnerability. The telnet daemon passes switches directly to the login process which looks for a switch that allows root to login to any account without a password. If your telnet daemon is running as root it allows unauthenticated remote logins. Posted Feb 13 2007, 03:16 PM by harry with no comments

• Virus War of 2007 - Authoring groups battle each other

  Not only are the bad guys attacking users, but they are fighting each other with DDoS based attacks from backdoors on infected systems.   Virus War of 2007 - StormWorm vs Warezov  http://www.secureworks.com/research/threats/view.html?threat=storm-worm http://www.f-secure.com/weblog/archives/archive-022007.html#00001109 QUOTE: Interesting developments going on. The P2P botnet created by Storm-Worm variants has been used to launch Distributed Denial-of-Service attacks. Targets include several domains used by the Warezov/Medbot gang Virus War of 2004 - Mydoom vs Netsky http://www.f-secure.com/weblog/archives/archive-042004.html Posted Feb 10 2007, 03:41 PM by harry with no comments

• McAfee Virus Scan 8.5i fails Vista VB100 certification due to update problems

  While under XP, I've had no issues in updating virus signatures or checking the Help/About information to determine the latest signature files installed.  There may be some additional work required though for this process to work more smoothly on Vista?  McAfee Virus Scan 8.5i fails Vista VB100 certification due to update problems http://www.virusbtn.com/news/vb_news/2007/02_06.xml QUOTE: In the wake of the recent VB100 test on the new Windows Vista platform, VB has been in communication with the makers of many of the products tested. The developers of one of those adjudged to have failed the test, McAfee, have insisted that when their VirusScan product is fully updated with the data provided for testing it is capable of detecting the samples missed during our tests. After intensive investigation, VB has found that detection routines for the two malware samples missed were indeed included in the update package provided by McAfee. However, when McAfee's manual update procedure was run it failed to apply the update to the product, despite both on-screen messages and logs stating that the product had been updated successfully. Posted Feb 10 2007, 02:54 PM by harry with 2 comment(s)