July 2007 - Posts
A new variant of the Bagle family has been discovered. McAfee users should move to DAT 5076.
New Bagle Downloader - Adobe Audition EXE
QUOTE: The trojan pretended to be a software crack for Adobe Audition 3.02 and came with the filename: ClickFix_for_Adobe_Audition_3.02.exe. Manually executing an infected binary will infect the local system, which will then be used to download other W32/Bagle viruses.
The 10-question quiz only takes a minute or two, and some of the questions are tricky (e.g., I missed a couple myself). I've always found these to be neat ways to promote security awareness, and the analysis of the answers afterwards is well done also.
McAfee SiteAdvisor - Phishing Quiz Available
McAfee SiteAdvisor - The actual Quiz of 10 Questions
QUOTE: YOU ANSWERED 8 OF 10 QUESTIONS CORRECTLY
Rating: Safety Guru -- Nice work! Your practically clairvoyant knowledge of the Web allows you to spot even the most realistic looking spoofed sites. We're impressed! But remember that even one misstep on a deceptive Web site can put your personal information at risk which could lead to identity theft or financial losses. Don't let scammers fool you! SiteAdvisor can help protect your identity by warning you before you visit a risky site.
For most users the Flash Player is an integral part of their browser environment (e.g., Internet Explorer, Mozilla Firefox, Opera, etc.). While no in-the-wild exploits have emerged, a serious security vulnerability has been fixed and users should quickly move to the latest version. Since this special update may not be part of Windows Update or other browser automatic updates, it is important to manually update the Flash Player to ensure browser safety in the future.
Flash Player Browser plug-in - Critical Update to v9.0.47
QUOTE: An input validation error has been identified in Flash Player 220.127.116.11 and earlier versions that could lead to the potential execution of arbitrary code. This vulnerability could be accessed through content delivered from a remote location via the user's web browser, email client, or other applications that include or reference the Flash Player. (CVE-2007-3456). There are no reported in-the-wild exploits yet, but we might see some soon as enough technical information required to build an exploit has been released publicly for at least a few of these vulnerabilities.
Flash Player Version 9.0.47 - Download Site
Note - You may want to uncheck the installation of the Google Toolbar
This family of viruses takes information found on the infected PC and presents it to the user as a serious violation of privacy. The user is then blackmailed into paying $300, or all private information will be destroyed or disclosed.
As Kaspersky notes, payment should not be made, as AV companies work to decrypt any encrypted files and one can never trust that the persons behind these malicious attacks will honor any payments.
GPcode.ai - New Ransomware threat
QUOTE: Some of our non-Russian users told us their documents, photos, archive files etc had turned into a bunch of junk data, and a file called read_me.txt had appeared on their systems. Sadly, the contents of this file were all too familiar: But in the meantime, we'd just like to remind you – if you've fallen victim to Gpcode or any other type of ransomware, you should never pay up under any circumstances. Always contact your antivirus provider and make sure you back up your data on a regular basis.
COPY OF RANSOMWARE INFORMATION
Hello, your files are encrypted with RSA-4096 algorithm
You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us. To decrypt your files you need to buy our software. The price is $300.
To buy our software please contact us at: [REMOVED] and provide us your personal code [REMOVED]. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system.
If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data.
AV coverage is present, and parasitic PE-based threats have been around for years. The interesting development in this new virus is its activity log file: the virus writes to the log as it scans the system for targets and as it actually infects files.
PE-based infectors can spread rapidly to all EXE files where network shares and folders aren't locked down. These "network walkers" can infect dozens and even hundreds of files on a PC if shares are publicly open and the virus is able to seed itself.
This virus could originate as a trojan horse email, a website EXE download, or any other method by which an EXE file could be shared. I've not seen a virus that keeps a sophisticated log file of all of its activity like this one. It might be further used by malicious individuals to research any security weaknesses?
W32/Kespo - Parasitic Infector keeps a detailed activity log
QUOTE: W32/Kespo infects windows executables parasitically, prepending its code to existing files. The DLL and EXE files are pure viral code. The DLL file is injected into the memory space of Explorer. The virus replicates by infecting executable files on local and shared/remote drives.
EXAMPLES OF LOG FILE MAINTAINED BY VIRUS:
The non-executable files are data files or link files. The data files track what the virus has done, and can have content like the following:
3/30/2006 1:03:40 PM - Guardian process started
3/30/2006 1:05:12 PM - Virus service terminated, try to restore it
3/30/2006 1:05:12 PM - Restoring virus service file
3/30/2006 1:05:12 PM - Virus service file restored
3/30/2006 1:05:13 PM - Restarting virus service
3/30/2006 1:03:34 PM - K Print Spooler Service starting...
3/30/2006 1:03:35 PM - Scanner for drive C has been created and started
3/30/2006 1:03:35 PM - Scanner for drive D has been created and started
3/30/2006 1:03:35 PM - Mencari di folder D:\
3/30/2006 1:03:36 PM - Scanner for drive E has been created and started
3/30/2006 1:03:36 PM - Scanner for drive F has been created and started
3/30/2006 1:03:36 PM - Scanner for drive G has been created and started
3/30/2006 1:03:36 PM - K Print Spooler Service started
3/30/2006 1:03:38 PM - Mencari di folder D:\System Volume Information
3/30/2006 1:03:39 PM - Guardian process not exists, try create it
3/30/2006 1:03:39 PM - Explorer found (HWND: 65646) injecting it
3/30/2006 1:03:39 PM - Mencari di folder D:\
3/30/2006 1:03:40 PM - Guardian process created
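An added example, not from McAfee's write-up or the virus itself: a small Python triage script that parses log entries in the format shown above and summarises what the virus recorded (drives scanned, folders walked, Explorer injection, guardian/service restarts). The sample log is constructed from the excerpt; the event categories and the "looks like Kespo" rule are this example's own assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample modelled on the log excerpt above (not a real capture).
SAMPLE_LOG = """\
3/30/2006 1:03:34 PM - K Print Spooler Service starting...
3/30/2006 1:03:35 PM - Scanner for drive C has been created and started
3/30/2006 1:03:35 PM - Mencari di folder D:\\
3/30/2006 1:03:39 PM - Guardian process not exists, try create it
3/30/2006 1:03:39 PM - Explorer found (HWND: 65646) injecting it
3/30/2006 1:03:40 PM - Guardian process created
3/30/2006 1:05:12 PM - Virus service terminated, try to restore it
3/30/2006 1:05:12 PM - Virus service file restored
some unrelated line without a timestamp
"""

# "M/D/YYYY H:MM:SS AM - message", as written by the virus
LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) - (.*)$")

# Message pattern -> event category (assumed categories for triage; first match wins)
INDICATORS = [
    (re.compile(r"^Scanner for drive ([A-Z]) has been created"), "drive_scan"),
    (re.compile(r"^Mencari di folder (.+)$"), "folder_walk"),  # Indonesian: "searching in folder"
    (re.compile(r"injecting it"), "explorer_injection"),
    (re.compile(r"^Guardian process"), "guardian"),
    (re.compile(r"^Virus service"), "service_restore"),
    (re.compile(r"Print Spooler Service"), "fake_service"),
]

def parse_line(line):
    """Return (timestamp, message) for a log entry, or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p"), m.group(2)

def classify(message):
    for pattern, category in INDICATORS:
        if pattern.search(message):
            return category
    return "other"

def triage(text):
    events = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an entry in the virus's log format
        ts, msg = parsed
        events.append((ts, classify(msg), msg))
    events.sort(key=lambda e: e[0])  # entries are written by several threads; order by time
    counts = Counter(cat for _, cat, _ in events)
    drives = sorted({m.group(1) for _, _, msg in events
                     for m in [INDICATORS[0][0].search(msg)] if m})
    folders = [m.group(1) for _, _, msg in events
               for m in [INDICATORS[1][0].search(msg)] if m]
    return {
        "event_count": len(events),
        "first_seen": events[0][0] if events else None,
        "last_seen": events[-1][0] if events else None,
        "counts": dict(counts),
        "drives_scanned": drives,
        "folders_walked": folders,
        # The Explorer injection plus guardian-process pair is what sets this log apart from noise
        "looks_like_kespo": counts["explorer_injection"] > 0 and counts["guardian"] > 0,
    }
```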
Microsoft has recently released important updates for this month which should be applied promptly. Some spotty issues have surfaced with MS07-040 as noted in the last link:
Microsoft Security Updates - July 2007
MS07-036 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)
Affected Software: Microsoft Excel
MS07-037 - Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (936548)
Affected Software: Publisher 2007
MS07-038 - Vulnerability in Windows Vista Firewall Could Allow Information Disclosure (935807)
Affected Software: Windows Vista
MS07-039 - Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122)
Affected Software: Microsoft Windows Server
MS07-040 - Vulnerabilities in .NET Framework Could Allow Remote Code Execution (931212)
Affected Software: Microsoft Windows
MS07-041 - Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution (939373)
Affected Software: Windows XP Professional Service Pack 2
So far, this month's updates have gone well on my home and work PCs. Some additional links are noted below. The ISC analysis is always a good one to track for any undocumented features or exploit developments:
Some issues have been reported for the Framework update
MS07-040 Issues have been reported
This is an excellent resource for Microsoft Security information:
It was truly an honor and pleasure working with Microsoft's TechNet publishing team. In the July 2007 newsletter, some ideas based on past experience were shared. Hopefully some of these ideas will help others in better protecting their corporate security environments.
Microsoft Security Newsletter - July 2007
Article: Security is a business requirement
Microsoft Security Newsletter - How to sign-up for future editions
This highly destructive virus damages the Windows environment extensively, and infected users may need to rebuild their PC. The virus uses Microsoft Text-To-Speech (TTS) technology to repeatedly tell users their files are being deleted, which creates extra anxiety. Thankfully, this new trojan horse is not prevalent in the wild. Best practices and up-to-date AV protection will help ensure protection.
Botvoice Trojan - Computerworld Article
The program, called the BotVoice.A Trojan, was first spotted by security vendor Panda last week. It is a Trojan horse program, which the victim must download first. But once installed, it gets nasty. The Trojan soon sets to work trying to delete everything from the victim's hard drive, while at the same time endlessly repeating an audible message, apparently designed to taunt the victim. "You have been infected. I repeat, you have been infected, and your system files have been deleted. Sorry. Have a nice day and bye-bye," the Trojan says.
It does this by using a text-reading program that is part of the Windows operating system, Panda said. Users of Windows 2003, XP, 2000, NT, ME, 98 and 95 are all at risk. Unlike a virus, BotVoice.A does not jump from computer to computer on its own, but spreads via peer-to-peer networks or storage devices such as CD-ROMs or USB (Universal Serial Bus) memory drives. The Trojan is unusual because unlike most malware written these days, it appears to be designed to perform mindless vandalism.
Additional Information on this new threat can be found in the links below:
McAfee Information (DAT 5067 or higher)
Trend Behavior Diagram
iPhone users should track developments closely, as hackers and crackers are actively exploring security developments to discover weaknesses.
Hackers gain shell-level access on iPhone
QUOTE: Well, that didn't take long -- the hacker crew of IRC channel #iPhone has managed to enable shell access to the iPhone just a week after its release. There's not a lot to the hack -- the iPhone's 30-pin dock connector features the same pinouts as the iPod, so creating a serial connection simply involved connecting up a resistor, ground, and RS-232 level converter and running a few commands from iphoneinterface. The resulting shell is pretty basic, but features a TFTP client -- meaning that we should see a flood of attempts to open the iPhone up in the coming weeks (as if we wouldn't anyway).
Yet another wave of email with dangerous URLs from the Storm Worm (aka Nuwar) family
New Storm Worm - Warns of Virus, Spyware, Malware
QUOTE: The Storm virus from the last week or so (greeting cards) has morphed into this new version. Nothing new, the text has changed somewhat and the subject line is different. By and large it is still the same attempt to get people to download an exe file. Auscert has put out an alert on this as there has been an increase of these messages in the region. A reader suggested a few keywords that could be used to identify the messages: robot, account will be blocked, also look for epidemic near the word worm.
RECOMMENDATIONS: As usual, discourage users from blindly clicking links in emails. Educate them on your corporate AV and AS practices so they will know that the message is not legit, and even if you do block all these messages, maybe raise awareness with staff so they don't fall for these types of messages at home. Blocking downloads of exe files is also a good start.
This new attack isn't circulating extensively at this point, and folks should stay up-to-date on AV protection plus watch for any unusual activity in Internet usage or in their free email services.
Hotlan Trojan defeats captcha
A new Trojan horse that sends spam through Hotmail and Yahoo email accounts has antivirus companies worried that the commonly used "captcha" system, used to prove new members are real people, may have been compromised. Captcha systems typically use a selection of alphanumeric characters that have been distorted and presented in a graphic with other elements designed to confuse character-recognition software. The idea is that, as only a person can read it and type in the correct sequence, spam bots and other malware can be stopped from automatically setting up accounts. The new threat was highlighted on Thursday by BitDefender Labs, which has dubbed it Trojan.Spammer.HotLan.A.
McAfee - Spam-HotLan - DAT 5070 offers detection/protection
This is a spam trojan which downloads a remote script to log into various free webmail accounts, in order to send spam. The script then tries to contact a second site, which contains details about the spam emails to send. At the time of writing, this second site returned nothing. This trojan does not install itself to the local system - once a system is rebooted, it will not restart itself.
BitDefender - Trojan.Spammer.HotLan.A
There aren't any obvious symptoms of this malware, except increased internet activity.
They are all truly critical in keeping your systems operating safely:
1 - Microsoft Excel
1 - Microsoft .Net Framework
1 - Microsoft Windows
1 - Microsoft Windows
1 - Microsoft Publisher
1 - Windows Vista
Microsoft Security Updates planned for 7/10/2007
Even more reasons to be careful with web links or surfing
Mpack installs ultra-invisible Srizbi Trojan
QUOTE: July 05, 2007 (Computerworld) -- The notorious Mpack hacker tool kit is installing malware that carries out all its chores -- including spewing spam -- from within the Windows kernel, making it extremely difficult for some security software to detect, Symantec Corp. said today.
The Trojan horse that Symantec has dubbed "Srizbi" is being dropped onto some PCs by the multi-exploit Mpack, a ready-to-use attack application that until recently has been selling for around $1,000. Responsibility for a large-scale attack launched from thousands of hijacked Web sites last month was pinned on Mpack, as was a follow-up campaign waged from compromised Internet porn sites.
Although Mpack can force-feed any malicious code to a commandeered PC, Symantec researchers said Srizbi stands out. Rather than follow the current practice of hiding only some activities with rootkit cloaking technologies, Srizbi goes completely undercover. The new Trojan, said Symantec, works without any user-mode payload and does everything from kernel-mode, including its main task: sending spam.
USB-based worm attacks are growing rapidly in popularity.
They work much like the floppy-disk worms of years ago, spreading automatically when media is inserted. As a best practice, users should lock down CD, DVD, and USB devices so that they don't automatically run content where applicable. Keeping AV protection up-to-date is also needed given the increased levels of attacks that are surfacing.
Harry Potter worm - New USB based Worm spreading
QUOTE: Hackers are attempting to exploit Potter-mania with the release of a worm that attempts to infect USB memory drives. The Hairy-A worm poses as a file containing a copy of Harry Potter and the Deathly Hallows, the eagerly-anticipated final novel in the Harry Potter series, due out on 21 July. The infected file normally comes on infected USB drives. If users plug these drives into their Windows PCs they are liable to infect their machines, especially if they have allowed USB drives to "auto-run".
Hairy.A Worm - Sophos Press Release and Virus Info
QUOTE: With just weeks remaining until the release of the last ever Harry Potter novel, and the imminent premiere of the fifth movie in the franchise, Sophos has warned of a new computer worm exploiting Potter-mania around the world. The W32/Hairy-A worm can automatically infect a PC when users plug-in USB drives, which carry a file posing as a copy of the eagerly anticipated novel, "Harry Potter and the Deathly Hallows". If the users have allowed USB drives to 'auto-run' they will see a file called HarryPotter-TheDeathlyHallows.doc. Inside this Word document file is the simple phrase "Harry Potter is dead." The worm then looks for other removable drives to infect.
W32/Autorun.worm.g (Move to DAT 5067 or higher)
QUOTE: This detection is for a worm which attempts to spread to removable drives by creating an Autorun.inf file, which will run the worm automatically, if systems which use the removable drive are set to Autorun.
Hairy.A Worm - F-Secure information
QUOTE: This malware was written in AutoIt scripting. It uses an icon of MS Winword.
Hairy.A Worm - Trend Virus Description & Behavior Diagram
QUOTE: This worm arrives as a dropped file through removable drives. It spreads by dropping copies of itself in all physical, removable, and floppy drives. It also drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.
Numerous additional references
AV vendors are starting to post updated virus signature information as follows:
F-Secure - HTML Postcards.N Information
QUOTE: Files that are detected as HTML/Postcard.N@troj are EML files that state that the recipient has received a greeting card from a friend, relative, or classmate. The recipient is encouraged to click on a link or to visit a website and enter their eCard number to view the message. When the user clicks this link, another page will appear stating that a new browser feature is currently being tested. The recipient is asked to click another link pointing to a file, usually named ECARD.EXE. We are detecting these files as Email-Worm.Win32.Zhelatin.
Trend - NUWAR.GU Information
Trend - NUWAR.GU Behavioral Diagram
There are additional new subject lines circulating which are part of the 4th of July theme attacks.
The e-card link is the dangerous part of these massively spammed emails. These messages should be deleted to avoid a virus that can be downloaded and installed automatically from malicious websites (by just clicking on the URL).
An example from the inbox, made safe, is shown below. Please keep your AV protection as up-to-date as possible and, most importantly, avoid all suspicious attachments and URLs.
Please be careful out there
AN EXAMPLE MADE SAFE BELOW:
Subject: Fireworks on The 4th
Date: Wed, 4 Jul 2007 20:44:42 +0900
Hi. School-mate has sent you an ecard. See your card as often as you wish during the next 15 days.
SEEING YOUR CARD
If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:
http://[NUMERIC IP ADDRESS REMOVED FOR SAFETY]/?076a3db573383e1a7a85955
Or copy and paste it into your browser's "Location" box (where Internet addresses go).
By accessing your card you agree we have no liability. If you don't know the person sending the card or don't wish to see the card, please disregard this Announcement.
We hope you enjoy your awesome card.
Wishing you the best,
Another new variant of the Storm worm to avoid:
New Storm worm -- 4th of July subject lines
EMAIL SUBJECT LINES TO AVOID:
Celebrate Your Independence
Independence Day At The Park
Fourth of July Party
American Pride, On The 4th
God Bless America
Happy B-Day USA
July 4th Family Day
Your Nations Birthday
July 4th B-B-Q Party
Happy 4th July
4th Of July Celebration
Fireworks on the 4th
Happy Birthday America
Independence Day Celebration
Celebrate Your Nation
America's 231 Birthday
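An added example, not part of the original posts or of any vendor's tool, serving both the ISC recommendations above and the 4th of July e-card wave: a Python heuristic scorer that applies the checks these posts describe (the subject list above, the reader-suggested keywords robot / account will be blocked / epidemic near worm, e-card delivery wording, and links to bare IP addresses or .exe files). The sample messages, the 192.0.2.10 address and the score thresholds are constructed assumptions.

```python
import re

# Subject lines reported for the 4th of July wave (taken from the list above)
STORM_SUBJECTS = {
    "celebrate your independence", "independence day at the park", "fourth of july party",
    "american pride, on the 4th", "god bless america", "happy b-day usa", "july 4th family day",
    "your nations birthday", "july 4th b-b-q party", "happy 4th july", "4th of july celebration",
    "fireworks on the 4th", "happy birthday america", "independence day celebration",
    "celebrate your nation", "america's 231 birthday",
}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
NUMERIC_HOST_RE = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}(:\d+)?(/|$)", re.I)
ECARD_RE = re.compile(r"\b(ecard|e-card|greeting card|postcard)\b", re.I)

def _near(text, a, b, window=5):
    """True if a word starting with `a` and one starting with `b` are within `window` words."""
    words = re.findall(r"[a-z']+", text.lower())
    pos_a = [i for i, w in enumerate(words) if w.startswith(a)]
    pos_b = [i for i, w in enumerate(words) if w.startswith(b)]
    return any(abs(i - j) <= window for i in pos_a for j in pos_b)

def score_message(subject, body):
    """Score one e-mail; strong indicators count 2, keyword hints count 1 (assumed weights)."""
    reasons, score = [], 0
    text = body.lower()
    if subject.strip().lower() in STORM_SUBJECTS:
        reasons.append("subject matches a known Storm/Nuwar holiday lure"); score += 2
    if "robot" in text:
        reasons.append("keyword 'robot'"); score += 1
    if "account will be blocked" in text:
        reasons.append("keyword 'account will be blocked'"); score += 1
    if _near(body, "epidemic", "worm"):
        reasons.append("'epidemic' near 'worm'"); score += 1
    if ECARD_RE.search(text) and "sent you" in text:
        reasons.append("e-card delivery lure"); score += 1
    for url in URL_RE.findall(body):
        path = url.split("?", 1)[0]
        if NUMERIC_HOST_RE.match(url):
            reasons.append(f"link to bare IP address: {url}"); score += 2
        if path.lower().endswith(".exe"):
            reasons.append(f"link to executable: {url}"); score += 2
    verdict = "block" if score >= 4 else "suspicious" if score >= 2 else "clean"
    return {"score": score, "verdict": verdict, "reasons": reasons}

# Constructed samples: an e-card lure modelled on the message above, an ISC-style text, a benign mail
ECARD_BODY = ("Hi. School-mate has sent you an ecard. See your card as often as you wish.\n"
              "Click on your card's direct www address below:\nhttp://192.0.2.10/?ecardid\n")
ALERT_BODY = "Our robot detected a worm epidemic. Update now or your account will be blocked."
BENIGN_BODY = "Are we still on for lunch Friday? Agenda: https://intranet.example.com/calendar"

if __name__ == "__main__":
    for subj, body in [("Fireworks on The 4th", ECARD_BODY), ("Virus Alert", ALERT_BODY),
                       ("Lunch on Friday", BENIGN_BODY)]:
        print(subj, "->", score_message(subj, body))
```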
This sensitive information was sold to direct marketing firms, which differs from some of the past events involving break-ins, stolen laptops or lost files. Firms have a fiduciary responsibility to protect sensitive information of this nature. Even though one of their own employees was responsible for disclosing this sensitive data, better controls are required to help prevent these situations.
Privacy Issue - 2.3 million consumer financial records stolen
QUOTE: JACKSONVILLE, Fla. - Fidelity National Information Services, a financial processing company, said Tuesday a worker at one of its subsidiaries stole 2.3 million consumer records containing credit card, bank account and other personal information. The employee sold the information to an unidentified data broker who sold it to several direct marketing companies, but the data were not used in identity theft or other fraudulent financial activity, Fidelity said in a statement. About 2.2 million records stolen from Certegy Check Services Inc. contained bank account information and 99,000 contained credit card information, Fidelity said.
The article in MarketWatch below is excellent, as it shares strategies on how to stay safer online and otherwise.
Expert advice - Tech-industry experts tell how they avoid ID theft and other online threats