Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

July 2007 - Posts

Stock Spammers - Now using ZIP files

Stock Spammers are massively spamming PDF, XLS, GIF, and now ZIP based attachments to distribute stock spam.  The senders are trying to circumvent filtering controls.  I've received a number of these and an analysis of one sample sent to Virus Total is attached below.  It's not malicious, but any untrusted attachment should not be opened.

FORMAT OF ZIP STOCK SPAM: As an example, the subject line might appear as "OFFER" or "DOC".  There is no text in the message body (blank message).  There is only a single attachment (usually named like the subject line, e.g., "OFFER.ZIP", "DOC.ZIP").
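
A mail-filter check for the format described above, added here as an example (it is not code from the original post): it flags a message whose body is blank and whose only attachment is a ZIP or RAR archive named after the subject line. The function names and the sample messages are constructed for illustration.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Archive types mentioned for this spam run (ZIP here, RAR in the ISC diary).
ARCHIVE_EXTS = {".zip", ".rar"}


def stock_spam_indicators(raw_bytes):
    """Return the individual format indicators for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg["Subject"] or "").strip()

    # Body text: prefer text/plain, fall back to text/html with tags stripped.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_subtype() == "html":
        text = re.sub(r"<[^>]+>", "", text)

    # Attachment names; the name/extension checks only apply to a lone attachment.
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    stem, ext = os.path.splitext(names[0]) if len(names) == 1 else ("", "")

    return {
        "blank_body": text.strip() == "",
        "single_attachment": len(names) == 1,
        "archive_attachment": ext.lower() in ARCHIVE_EXTS,
        "name_matches_subject": bool(stem) and stem.lower() == subject.lower(),
    }


def looks_like_zip_stock_spam(raw_bytes):
    """True only when every indicator of the described format is present."""
    return all(stock_spam_indicators(raw_bytes).values())


def build_sample(subject, body, filename):
    """Build a constructed test message (not a captured spam sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    if body:
        m.set_content(body)
    # Placeholder bytes: an empty ZIP end-of-central-directory record.
    m.add_attachment(b"PK\x05\x06" + b"\x00" * 18, maintype="application",
                     subtype="zip", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, body, fname in [("OFFER", "", "OFFER.ZIP"),
                              ("Q2 report", "Hi, the report is attached.\n", "report.zip")]:
        raw = build_sample(subj, body, fname)
        print(subj, looks_like_zip_stock_spam(raw), stock_spam_indicators(raw))
```

Because the spammers keep changing container types, a rule like this is best used to quarantine for review rather than as the only filter.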


Stock Spammers - Now using ZIP files
http://isc.sans.org/diary.html?storyid=3206

QUOTE: We have received numerous emails today regarding yet another round of spam hitting the cyberwaves.  This spam is nothing more than a new twist on the pump and dump stock market emails.  It appears that these emails include a zip or RAR file for an attachment.  Once opened, these contain nothing more than the get rich quick stock market info.  There appears to be nothing malicious other than an attempt to sway the market.

VIRUS TOTAL RESULTS BELOW:

Complete scanning result of "doc.zip", processed in VirusTotal at
 07/31/2007 19:59:03 (CET).

[ file data ]
* name: doc.zip
* size: 6833
* md5.: d45288a2ea0dcebf97d5b51d918bcb70
* sha1: f13217295155a214facce79bae4b503e11b45b23

[ scan result ]
AhnLab-V3 2007.7.31.1/20070731 found nothing
AntiVir 7.4.0.54/20070731 found nothing
Authentium 4.93.8/20070731 found nothing
Avast 4.7.1029.0/20070731 found nothing
AVG 7.5.0.476/20070730 found nothing
BitDefender 7.2/20070731 found nothing
CAT-QuickHeal 9.00/20070731 found nothing
ClamAV 0.91/20070731 found nothing
DrWeb 4.33/20070731 found nothing
eSafe 7.0.15.0/20070731 found nothing
eTrust-Vet 31.1.5019/20070731 found nothing
Ewido 4.0/20070731 found nothing
F-Prot 4.3.2.48/20070730 found nothing
F-Secure 6.70.13030.0/20070731 found nothing
FileAdvisor 1/20070731 found nothing
Fortinet 2.91.0.0/20070731 found nothing
Ikarus T3.1.1.8/20070731 found nothing
Kaspersky 4.0.2.24/20070731 found nothing
McAfee 5087/20070731 found nothing
Microsoft 1.2704/20070731 found nothing
NOD32v2 2430/20070731 found nothing
Norman 5.80.02/20070731 found nothing
Panda 9.0.0.4/20070731 found nothing
Prevx1 V2/20070731 found nothing
Rising 19.34.12.00/20070731 found nothing
Sophos 4.19.0/20070726 found nothing
Sunbelt 2.2.907.0/20070731 found nothing
Symantec 10/20070731 found nothing
TheHacker 6.1.7.159/20070731 found nothing
VBA32 3.12.2.2/20070730 found nothing
VirusBuster 4.3.26:9/20070731 found nothing
Webwasher-Gateway 6.0.1/20070731 found nothing

Firefox 2.0.0.6 - Security Release for URI handling issue

A new version of Firefox has been released to address URI handler security issues.   

http://developer.mozilla.org/devnews/index.php/2007/07/30/firefox-2006-security-update/
http://en-us.www.mozilla.com/en-US/firefox/2.0.0.6/releasenotes/
http://en-us.www.mozilla.com/en-US/firefox/2.0.0.6/releasenotes/#whatsnew

Download Site - All versions
(although based on default update settings FF may update to latest version automatically)
http://en-us.www.mozilla.com/en-US/firefox/all.html

Fixed in Firefox 2.0.0.6

MFSA 2007-27 Unescaped URIs passed to external programs
MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows

Romario - Email worm disguised as Super Mario game

This new threat is easy to avoid and free games should only be downloaded from safe trusted sites.

Romario - Email worm disguised as Super Mario game
http://vil.nai.com/vil/content/v_142851.htm
http://www.theregister.co.uk/2007/07/30/mario_worm/
http://www.sophos.com/security/analyses/w32romarioa.html

QUOTE: W32/Romario@M is worm that masquerades to be a copy of the popular Super Mario Brothers game. It spreads by mailing itself using Outlook and also copies itself to removable devices and open shares on a network.  Since the subject is from a previous mail, this technique is highly successful into tricking people that the mail is genuine.

Romario-A is the latest in a series of malware packages that pose as computer games or that actually run real games to disguise the damage they inflict. The trick has been employed several times in the past by malware authors, notes anti-virus firm Sophos. Most notable are the Bagle-U worm, which attempts to start the Microsoft Hearts game, the Coconut-A virus, which urged infected users to throw coconuts at pictures of Sophos's Graham Cluley, and the Gonori-A Trojan, which plays Minesweeper when run.

Opera 9.22 - Security and Vista improvements release

Opera 9.22 is available for improved security and Windows Vista support.  In using this as a complementary browser with IE 7 and Firefox, no issues have been encountered so far.

Opera 9.22 for Windows is available for download.

Changes Since Opera 9.21

User Interface

  • Fix to allow toolbars to use bold fonts again.
  • Tabs can be dragged between windows using the Windows panel again.
  • Info panel title now correctly displays Web page title and mail subjects that contain HTML.

Miscellaneous

  • Scripting and display fixes for the Silverlight plug-in.
  • Multiple stability fixes.
  • Improved stability and performance of BitTorrent.

Security

  • Fixed an issue that could occur when removing a specially prepared torrent transfer, as reported by iDefense. See the advisory.
  • Prevented an issue where data URLs could be used to display the wrong address in the address bar. See the advisory.
  • Improved the display of long domain names in authentication dialogs. Long domain names will now scroll instead of using ellipsis. See the advisory.
  • Added Trustcenter class 3 G2 root certificate.
  • Fixes for a problem with certificate import from PKCS #7 Signed and Netscape Multicert files.

Windows specific

  • Fix for accessing certain Web sites using Windows Vista.

New Storm Worm variant - AV Protection continuing to improve

Below are results from a submission this morning of the AGENT.BRK trojan horse from a copy received in my personal email. AV protection is improving and hopefully will now be found in some of the companies missing protection earlier today.

 Complete scanning result of "fungame.zip", processed in VirusTotal at
 07/30/2007 15:08:24 (CET).
 
 [ file data ]
 * name: fungame.zip
 * size: 19363
 * md5.: e32407039e10ab1be6e639e6fe4c9ee9
 * sha1: 166733488b62628278ada4a8b29954c097f42af9
 
 
[ scan result ]
AhnLab-V3 2007.7.28.0/20070730 found nothing
AntiVir 7.4.0.50/20070730 found [Worm/Nuj.A.124]
Authentium 4.93.8/20070727 found [W32/Downldr2.AOUA]
Avast 4.7.997.0/20070730 found [Win32:Agent-JSL]
AVG 7.5.0.476/20070730 found [Downloader.Agent.OGE]
BitDefender 7.2/20070730 found [Trojan.Kobcka.A]
CAT-QuickHeal 9.00/20070728 found nothing
ClamAV 0.91/20070730 found [Trojan.Downloader-12017]
DrWeb 4.33/20070730 found [BackDoor.Bulknet]
eSafe 7.0.15.0/20070729 found [Win32.Agent.brk]
eTrust-Vet 31.1.5016/20070730 found [Win32/Cutwail.T]
Ewido 4.0/20070730 found nothing
F-Prot 4.3.2.48/20070727 found [W32/Downldr2.AOUA]
F-Secure 6.70.13030.0/20070730 found [Trojan-Downloader.Win32.Agent.brk]
FileAdvisor 1/20070730 found nothing
Fortinet 2.91.0.0/20070730 found [W32/Agent.AUH!tr]
Ikarus T3.1.1.8/20070730 found nothing
Kaspersky 4.0.2.24/20070730 found [Trojan-Downloader.Win32.Agent.brk]
McAfee 5085/20070727 found nothing
Microsoft 1.2704/20070730 found [Worm:Win32/Nuwar.JU]
NOD32v2 2429/20070730 found [Win32/TrojanDownloader.Agent.BRK]
Norman 5.80.02/20070730 found nothing
Panda 9.0.0.4/20070729 found nothing
Prevx1 V2/20070730 found nothing
Rising 19.34.02.00/20070730 found nothing
Sophos 4.19.0/20070726 found nothing
Sunbelt 2.2.907.0/20070728 found nothing
Symantec 10/20070730 found [Trojan.Pandex]
TheHacker 6.1.7.158/20070730 found [Trojan/Downloader.Agent.brk]
VBA32 3.12.2.1/20070730 found [Trojan.Win32.Agent.auh]
VirusBuster 4.3.26:9/20070730 found [Trojan.DL.Agent.Gen.8]
Webwasher-Gateway 6.0.1/20070730 found [Worm.Nuj.A.124]

McAfee offers free Rootkit Detective cleaner

McAfee has completed its beta testing for its new Rootkit Detective tool.  The new RKD 1.0 product will be offered as a free standalone detection and cleaning tool.  McAfee notes that over 7,325 new rootkit variants have emerged this year and folks should always be careful with any web links or file attachments they may encounter as we have been in a period of high malicious activity recently.

McAfee offers free Rootkit Detective cleaner
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9027948  

quote:

On July 26, McAfee will begin offering a new application called Rootkit Detective, designed to detect and remove dangerous rootkit attacks. The software will also help end users ward off the threats, as well as funnel new intelligence into the company's ongoing research operations.  The freeware program promises the ability to find and remove rootkits -- self-cloaking malware attacks that install themselves as kernel modules or drivers and are most often used to hide other types of threats such as keyword-logging programs -- and send data about the attacks that are discovered back to McAfee.

McAfee Rootkit Detective - Press Release
http://www.mcafee.com/us/about/press/corporate/2007/20070726_182000_r.html

quote:

Cybercrooks use rootkits to hide other nefarious programs on compromised PCs. Last year the number of rootkits hit 3,284 and has already more than doubled in the first half this year to 7,325. Since the initial trial release of Rootkit Detective in January, the application has been downloaded over 110,000 times. "Rootkit Detective offers the most comprehensive rootkit detection capabilities available today," said Ahmed Sallam, lead research architect at McAfee®. "We have achieved extremely high levels of accuracy, using various techniques to find anything that hides itself on a computer."

McAfee Rootkit Detective 1.0 - Home Page
http://vil.nai.com/vil/stinger/rkstinger.aspx

quote:

McAfee Rootkit Detective 1.0 is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system.  McAfee Rootkit Detective should only be used by knowledgeable individuals at the direction of, and with the support of, a representative from McAfee Avert Labs or McAfee Technical Support. Improper usage of this tool could result in damage to your applications or operating system.

New Storm Worm Variant - Avoid FunGame.ZIP Attachment

This new variant has been spammed extensively, but it should be easy to avoid.

New Storm Worm Variant - Avoid FunGame.ZIP Attachment
http://www.f-secure.com/weblog/archives/archive-072007.html#00001238

quote:

We're seeing a substantial seeding of a new Storm Worm variant. Inside fungame.zip is fungame.exe

Nigerian 419 Scams - A fool and their money are soon parted

An interesting article by AVERT where they "took the bait" and tracked developments where someone was trying to scam folks using the Nigerian 419 approach. Unfortunately, a few folks still want to believe that money sometimes falls from the sky (and this would never occur from a random email message). These scams still represent some of the largest dollar losses per incident.

Nigerian 419 Scams - A fool and their money are soon parted
http://www.avertlabs.com/research/blog/index.php/2007/07/26/a-fool-and-their-money-are-soon-parted/

QUOTE: The amazing thing is that thousands of people don’t. In 2006 the highest dollar loss per incident reported to the Internet Crime Complaint Center was the Nigerian Scam with a median loss of $5,100. I’m amazed that so many people can fall for this well known scam that has been around, in various forms for a long time.

Nigerian 419 Coalition Website
http://home.rica.net/alphae/419coal/

QUOTE: A Five Billion US$ (as of 1996, much more now) worldwide Scam which has run since the early 1980's under Successive Governments of Nigeria. It is also referred to as "Advance Fee Fraud", "419 Fraud" (Four-One-Nine) after a formerly relevant section of the Criminal Code of Nigeria, and "The Nigerian Connection" (mostly in Europe). However, it is usually called plain old "419" even by the Nigerians themselves. In brief, 419 is a sub-classification of Advance Fee Fraud crime in which the perpetrators are West Africans, primarily Nigerians, operating globally from Nigeria and elsewhere.

Internet Crime Complaint Center
http://www.ic3.gov/
http://www.ic3.gov/crimeschemes.aspx#item-13

QUOTE: Named for the violation of Section 419 of the Nigerian Criminal Code, the 419 scam combines the threat of impersonation fraud with a variation of an advance fee scheme in which a letter, email, or fax is received by the potential victim. The communication from individuals representing themselves as Nigerian or foreign government officials offers the recipient the "opportunity" to share in a percentage of millions of dollars, soliciting for help in placing large sums of money in overseas bank accounts. Payment of taxes, bribes to government officials, and legal fees are often described in great detail with the promise that all expenses will be reimbursed as soon as the funds are out of the country.

Wikipedia - Nigerian 419 Overview
http://en.wikipedia.org/wiki/Nigerian_419

Agent.BRK - Avoid attachment BSAVER.ZIP

This is shared due to prevalence, as another major seeding of a new Agent downloader/rootkit variant has taken place.  These may be showing up in our spam filters or in-boxes soon.

Agent.BRK - Avoid attachment BSAVER.ZIP
http://www.f-secure.com/weblog/archives/archive-072007.html#00001236
http://www.f-secure.com/v-descs/trojan-downloader_w32_agent_brk.shtml

quote:

Trojan-Downloader:W32/Agent.BRK attempts to download and install other malware onto the affected system. The file is replaced with a copy of Rootkit.Win32.Agent.dp Furthermore, Trojan-Downloader:W32/Agent.BRK launches an instance of Microsoft Internet Explorer as a hidden process with its code injected into the process.  This time the e-mail attachment is named as bsaver.zip.

LinkedIn IE Toolbar - Critical Security Update Available

While I've never been a fan of toolbars of any kind, the critical security issue for the LinkedIn IE toolbar is now fixed.

LinkedIn IE Toolbar - Critical Security Update Available
http://www.scmagazine.com/us/news/article/673669/linkedin-fixes-critical-bug/

QUOTE: "Business networking site LinkedIn has remedied a dangerous zero-day vulnerability in its Internet Explorer toolbar, one day after researchers went public with the exploit code. The mandatory fix "was pushed out to all of our users" on Wednesday, Mario Sundar, community evangelist at LinkedIn, told SCMagazine.com today. "The fix is required for users; otherwise the toolbar shuts down"..." 

LinkedIn IE Toolbar - Critical Security Issue
http://secunia.com/advisories/26181/

Latest Storm Worm - Is it a VMware or Virtual PC hopper?

The Storm worm (aka Nuwar) is one of the worst threats out there as it contains some of the latest advancements in malware techniques (including very realistic social engineering on its latest e-card versions).  While most users don't run Virtual Machine environments, one variant seems to be searching for them, possibly to hide better or even damage other logical partitions.

Latest Storm Worm - Is it a VMware or Virtual PC hopper?
http://isc.sans.org/diary.html?storyid=3190

QUOTE: While the Storm worm hasn’t brought anything really new, the authors definitely went a step further – the Storm worm’s code looks much better than a lot of malware we’ve seen. And besides that, you have a custom packer that makes analysis and detection more difficult, rootkit capabilities so it’s completely hidden, P2P botnet control and so on.

While analyzing one sample I noticed that the Storm worm tries to detect if it’s running in a virtual environment. This became pretty popular with malware writers lately. The main reason they're doing this is (presumably) to make analysis more difficult. The first step in malware analysis today is typically to run it in an isolated environment and to monitor its behavior.

Win32.Agent.brk Trojan - Avoid Funny.ZIP attachment

This one has been massively spammed and is out there, as I'm receiving copies in my in-box now.

Win32.Agent.brk Trojan - Avoid Funny.ZIP attachment
http://www.f-secure.com/weblog/archives/archive-072007.html#00001234

QUOTE: There's a fairly large seeding of Trojan-Downloader.Win32.Agent.brk going on.

Very few AV companies have coverage based on the sample sent to Virus Total: 

Complete scanning result of "funny.zip", processed in VirusTotal at
 07/25/2007 15:10:16 (CET).

[ file data ]
* name: funny.zip
* size: 19250
* md5.: e370545d893c2e35bf1b41be3bda45fe
* sha1: f456d384504b9f04faf9f552bbb46ed77ceaa2fd

[ scan result ]
AhnLab-V3	2007.7.25.0/20070725	found nothing
AntiVir	7.4.0.44/20070725	found nothing
Authentium	4.93.8/20070725	found nothing
Avast	4.7.997.0/20070725	found nothing
AVG	7.5.0.476/20070725	found nothing
BitDefender	7.2/20070725	found [Trojan.Downloader.Agent.YJF]
CAT-QuickHeal	9.00/20070724	found nothing
ClamAV	0.91/20070725	found [Trojan.Downloader-11827]
DrWeb	4.33/20070725	found [Trojan.MulDrop.7173]
eSafe	7.0.15.0/20070724	found nothing
eTrust-Vet	31.1.5004/20070725	found nothing
Ewido	4.0/20070725	found nothing
F-Prot	4.3.2.48/20070725	found [W32/Downldr2.ANWJ]
F-Secure	6.70.13030.0/20070725	found [Trojan-Downloader.Win32.Agent.brk]
FileAdvisor	1/20070725	found nothing
Fortinet	2.91.0.0/20070725	found nothing
Ikarus	T3.1.1.8/20070725	found [Trojan-Downloader.Win32.Agent.brk]
Kaspersky	4.0.2.24/20070725	found [Trojan-Downloader.Win32.Agent.brk]
McAfee	5081/20070724	found nothing
Microsoft	1.2704/20070725	found nothing
NOD32v2	2418/20070725	found [Win32/TrojanDownloader.Agent.NPW]
Norman	5.80.02/20070725	found nothing
Panda	9.0.0.4/20070724	found nothing
Sophos	4.19.0/20070717	found nothing
Sunbelt	2.2.907.0/20070725	found nothing
Symantec	10/20070725	found [Trojan.Pandex]
TheHacker	6.1.7.152/20070723	found nothing
VBA32	3.12.2.1/20070724	found nothing
VirusBuster	4.3.26:9/20070724	found nothing
Webwasher-Gateway	6.0.1/20070725	found nothing

Stock Spammers now sending Excel documents

Daily, I'm continuing to receive several PDF based stock messages that are being massively spammed.  Both the ISC and Avert labs are warning that Excel document types commonly used in the business environment are now being used. AVERT suggests that Word and other Office formats might also be used in the future to circumvent corporate attachment blocking rules.

Stock Spammers now sending Excel documents
http://isc.sans.org/diary.html?storyid=3177
http://www.avertlabs.com/research/blog/index.php/2007/07/24/pdf-spammers-already-moving-on-to-other-filetypes-currently-xls/

QUOTE: PDF spam has continued to increase during the last 3 weeks and has moved from ‘pump and dump’ stocks to other types of spam such as pharmacy spam.  The spammers responsible for the recent .PDF based ‘pump and dump’ stock spam have also started to send pump and dump spam containing Microsoft Excel .XLS documents

Microsoft - Security Contact Pages

The links at the bottom are useful to bookmark as a resource pertinent to Microsoft Security:

Microsoft - Security Contact Pages
http://isc.sans.org/diary.html?storyid=3171

QUOTE: In an earlier diary, we included a link to Microsoft's security web site that did not work.  Based on input from our readers we updated the link to one that seemed to work.  Microsoft told us today that there are two more URLs they would prefer that you use:

Microsoft Security Contact Pages - Home users
http://support.microsoft.com/securityhome

Microsoft Security Contact Pages - IT professionals
http://support.microsoft.com/gp/securityitpro

Oracle Quarterly Update - 45 security updates for all products

 Administrators should apply the quarterly security update promptly to ensure the best levels of protection for information resident in the Oracle environment.

Oracle Quarterly Update - 45 security updates for all products
http://isc.sans.org/diary.html?storyid=3164
http://secunia.com/advisories/26114/
http://www.kb.cert.org/vuls/id/322460
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html

QUOTE: Oracle released its quarterly Critical Patch Update today. This quarterly update contains 45 new security fixes that range across many of their products.   The ISC strongly recommends that these updates be applied in a timely manner as the risks posed by attackers compromising sensitive data contained in your database products.

NY Times reports Serious iPhone security issue

While Apple will most likely patch security issues that are discovered promptly, iPhone users should carefully monitor developments.

NY Times reports Serious iPhone security issue
http://www.nytimes.com/2007/07/23/technology/23iphone.html

QUOTE: A team of computer security consultants say they have found a flaw in Apple’s wildly popular iPhone that allows them to take control of the device. The researchers, working for Independent Security Evaluators, a company that tests its clients’ computer security by hacking it, said that they could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code. The hack, the first reported, allowed them to tap the wealth of personal information the phones contain.

Although Apple built considerable security measures into its device, said Charles A. Miller, the principal security analyst for the firm, “Once you did manage to find a hole, you were in complete control.” The firm, based in Baltimore, alerted Apple about the vulnerability this week and recommended a software patch that could solve the problem.

AVERT Labs - Several screenshots of EMAIL Phishing attacks

Several recent examples of phishing attempts can be found in the following link.  Folks should delete these emails, plus avoid any URLs or attachments.

AVERT Labs - Several screenshots of EMAIL Phishing attacks
http://www.avertlabs.com/research/blog/index.php/2007/07/19/multitasking-fraudsters/

Hackers use Brazilian plane crash to push malware

Unfortunately, major tragedies can be used by the bad guys for social engineering purposes to scam folks in a fraudulent manner.  Always be careful with email or websites and always go to mainstream sites (e.g., Red Cross) to ensure these worthwhile contributions are made safely and securely.

Hackers use Brazilian plane crash to push malware
http://www.networkworld.com/news/2007/071807-hackers-use-brazilian-plane-crash.html
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=788

McAfee - PWS-Banker.gen.ac (DAT 5075)
http://vil.nai.com/vil/content/v_139526.htm

QUOTE: Hackers haven't wasted any time exploiting the airplane crash in Sao Paulo, Brazil that claimed nearly 190 deaths Tuesday, a U.S. security company said Wednesday. An e-mail campaign is using the tragedy to lure readers to a malicious Web site, reported Websense in an alert. According to Websense, the e-mail, written in Portuguese, includes details of the TAM airlines flight that crashed after trying to land at the notoriously dangerous Congonhas Airport, which is located in the middle of Sao Paulo.

Code Red - Sixth Anniversary of Internet worm attacks

The Code Red attacks in July and August of 2001 represent one of the first completely automated major security attacks for Windows servers that were not completely up-to-date on security patches. 

A critical security patch was issued by Microsoft on June 18, 2001 and the 1st Code Red worm surfaced about one month later on July 13, 2001. It was essentially a reverse engineering of the MS01-033 security patch to automatically manipulate the Windows NT and 2000 Index Server environment used by IIS 4 and 5.  The peak number of infections was around 359,000 by July 19, 2001.

Code Red II was a much more potent attack launched on August 4, 2001.  It was not just another variant of Code Red, as it was a complete redesign and rewrite of the original attack.  Code Red II had a more sophisticated design for randomly calculating IP addresses.

The paradigm presented by both Code Red and Nimda got administrators into the mode of applying patches expeditiously, at least for servers.  Still, more lessons were learned about workstation patching when the Blaster worm surfaced in August 2003.

Hopefully, history will not repeat itself where you simply plug a PC/server into the Internet and you get zapped.  One of Microsoft's TWC improvements helps here with XP SP2 and Vista's firewalls that help protect against potentially malicious traffic that constantly surfaces on inbound TCP/IP ports. 

A key lesson learned is to constantly monitor the changing landscape associated with security risks. Something that's completely safe today may not be tomorrow.  Finally, I believe that even after six years, Code Red I or II may still reside in limited circulation on some of the unpatched servers out there.

Wiki Links for Code Red I and II
http://en.wikipedia.org/wiki/Code_Red_%28computer_worm%29
http://en.wikipedia.org/wiki/Code_Red_II_%28computer_worm%29
http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms#2001

MS01-033 - The key security bulletin exploited by these attacks
http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx

Microsoft MVP Steve Friedl's Excellent Analysis
http://www.unixwiz.net/techtips/CodeRedII.html

Java Runtime Environment - Critical Security Patch

This is installed on my work PCs and the update went well.  There was an option to install the Google toolbar during the update.  Folks should carefully read EULAs and other options presented as they update any software.

Java Runtime Environment - Critical Security Patch
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102934-1
http://www.f-secure.com/weblog/archives/archive-072007.html#00001231

QUOTE: A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.  A second vulnerability may allow an untrusted applet or application to cause the Java Virtual Machine to hang.
