August 2007 - Posts
In reviewing some of the captured spam early this morning, this free email offer caught my attention. Spammers appeal to our wish to get something for free or at a better bargain. There are no free lunches, or even candy bars, on the Internet. Treat spam like a telemarketing call out of the blue, and be careful even when a favorite temptation like chocolate is on offer.
One study found that 70% of people would disclose their password for a bar of chocolate. Hopefully, the importance of security has increased for everyone since that study took place in 2004.
Date: Sun, 31 Aug 2008 14:01:43 +0300
From: "Candy Bar Giveaway"
Subject: Get All the Chocolate Candy Bars You Can Eat!
Get a 24-PACK OF SNICKERS, FREE*!
•SNICKERS King Size or
•SNICKERS Cruncher or
CLICK HERE [URL Removed]
This brings back an old saying from when I first entered the IT field several years ago: "To err is human, but to really foul things up takes a computer." It illustrates the need for thorough testing and strong change control procedures. Even then, things can still go "bump in the night".
Recent WGA Validation Issues were a result of human error
Most likely, the 1.7M-PC Storm botnet will soon be spamming out copies extensively
QUOTE: The Nuwar gang are up to no good again. So far we’ve seen a dizzying flurry of malicious ecards, membership themes and YouTube bait over the last couple of weeks from the authors of the Storm worm. The latest spam run calls for beta testers to try out a product in exchange for lifetime free updates.
Sharing for those who still use IBM mainframe technologies (as we currently do in our companies).
IBM zOS Release - Focus on Security Improvements
IBM has just introduced a new release of its z/OS mainframe operating system. Because the mainframe sits at the heart of a vast portion of the world’s financial services, as well as many other large businesses, the focus this time around has been on security.
IBM Boosts Mainframe Security
ARMONK, NY - 17 Aug 2007: IBM (NYSE: IBM) today unveiled a new release of its mainframe operating system -- the z/OS -- adding features that increase the software's already fortress-like security for online commerce as well as the next generation of highly secure business transactions. IBM also announced new mainframe software that automates security administration and audit processes.
This new version of the Storm worm is designed to look like a legitimate link to a video on YouTube's site. Please be careful with all email links as the Storm worm attacks continue.
Storm of the Day, Now with YouTube
QUOTE: The latest variation of the Storm worm claims to be a YouTube video. The link looks like a link to YouTube, but actually points to a "numeric" URL like old Storm variants. The downloaded binary is called "video.exe"
SAMPLE COPY - (with malicious content removed)
Subject: how did you get that on film, man?
Date: Sat, 25 Aug 2007 18:18:16 +0530
You can see your face right in the video. its all over the web dude. see for yourself ... (URL REMOVED) ... (The link appears to be a valid YouTube address but is spoofed to direct users to a malicious web site.)
The ever-changing Storm worm (a.k.a. Nuwar, Zhelatin) has been revamped from plain text to HTML. This conversion lets the malicious authors hide the dangerous numeric IP addresses behind link text that reads like a legitimate e-card site. The latest versions of most browsers (e.g., IE 7, Firefox 2, Opera 9) show the true destination in the status bar when you hover over a link, so the displayed domain can be compared with the real target (just be sure never to click without verifying it first).
The best practice is to avoid these messages completely, as hostile scripts could be embedded in future iterations of these massively spammed attacks. Clicking on the URL could automatically download and install some of the worst malware circulating in the wild, and it is very difficult to detect and clean. Folks can save hours of aggravation and possible damage to their systems by thinking before they click. Finally, all users should keep their anti-virus protection as up to date as possible, since these attacks change daily.
‘Fun World’? Not Really–Part 2
Video - Storm Site
QUOTE: The Zhelatin/Storm Gang has been very busy lately. Their spamming tactics have changed from sending an attachment to sending a link that directs recipients to an IP Address. The HTML used by their sites is variable, and also differs depending on the browser.
EMAIL SAMPLES (with malicious content removed)
Subject: Someone sent you an Ecard
Date: Thu, 23 Aug 2007 23:22:53 -0400
(REMOVED) wants to send you a greeting from greet2k.com.
To get your message, click on this link:
greet2k.com <<< (LINK TEXT SHOWS THE DOMAIN; THE REAL TARGET WAS A NUMERIC IP ADDRESS, REMOVED)
Subject: You have an E-Card from...?
Date: Thu, 23 Aug 2007 14:11:32 -0700
Your Brother wants to send you a greeting from mycardmaker.com.
If you would like to read this greeting, follow this link:
mycardmaker.com <<< (LINK TEXT SHOWS THE DOMAIN; THE REAL TARGET WAS A NUMERIC IP ADDRESS, REMOVED)
Subject: A Digital Card from someone who cares.
Date: Thu, 23 Aug 2007 16:16:58 -0500
(REMOVED) is delivering you an Ecard from buzzle.com.
To view your card, follow this link:
buzzle.com <<< (LINK TEXT SHOWS THE DOMAIN; THE REAL TARGET WAS A NUMERIC IP ADDRESS, REMOVED)
Subject: This is a Card for you.
Your Neighbour asked us to send you this card from dgreetings.com.
To Enjoy your Ecard, follow this link:
dgreetings.com <<< (LINK TEXT SHOWS THE DOMAIN; THE REAL TARGET WAS A NUMERIC IP ADDRESS, REMOVED)
The Storm worm was named after its social engineering lure, which capitalized on one of the worst winter storms ever to hit Europe, in early 2007. Recipients were invited to click on breaking news items; with the new e-card variants, the Nuwar worm has grown to become the most significant email-borne malware ever seen (in both email volume and malicious capability).
Record-breaking 'Storm' linked to spam surge
Biggest, baddest e-mail malware ever, says researcher
QUOTE: August 14, 2007 (Computerworld) -- Storm, the Trojan horse that collects PCs into hacker-controlled botnets, roared back into life last month in several waves, security researchers said Monday, and has blown by 2005's Sober to become the most prolific e-mail-borne malware ever.
"This is the biggest since Sober in mid-to-late 2005," said Sam Masiello, director of threat research at MX Logic Inc., referring to a long-lasting worm whose variants struck repeatedly in the second half of 2005, often in extremely high numbers. In November 2006, for instance, e-mail filtering companies reported malware-laden e-mail counts spiking 1,500% in a week, and said they were intercepting four times the usual number of infected messages.
According to MX Logic, Storm -- a bot Trojan that collects compromised computers into large networks of ready-to-use PCs -- has broken Sober's records. Thanks to Storm, the Englewood, Colo.-based managed e-mail security vendor tracked a July jump in malicious e-mail of 1,700% over June. Storm, however, is much more malevolent than Sober ever dreamed. "Not only is it designed to propagate more copies of Storm, but it releases huge quantities of spam," said Masiello.
The highly polymorphic Storm worm has been quickly re-engineered yet again. Messages now invite recipients to join various social networking "clubs" on the Internet. This new attack is widespread, as almost 2 million infected PCs are participating in a huge botnet that spams out countless copies. The first sample message is tempting, as I really like cats, but I think I'll decline this invitation.
Storm of the Day (Welcome Member)
QUOTE: Looks like Storm moved to a new mutation. The e-mails are now inviting users to become members in various "clubs"
SAMPLES with malicious information removed
Subject: Your Member Info
From: "Cat Lovers" [EMAIL ADDRESS REMOVED]
Date: Tue, 21 Aug 2007 16:01:11 +0800
Subject: Greetings, Welcome To Cat Lovers.
User Number: 93275951895
Temp Login ID: user2686
Password ID: qt379
Please Change your login and change your Login Information.
Click on the secure link or paste it to your browser:
[DANGEROUS NUMERIC URL REMOVED]
Subject: Internal Support
From: [EMAIL ADDRESS REMOVED]
Date: Tue, 21 Aug 2007 03:46:26 -0400
We are glad you joined Ringtone World.
Confirmation Number: 1433249943
Your Temp. Login ID: user9096
Temp Password ID: od872
Your temporary Login Info will expire in 24 hours. Please login and change it.
Use this link to change your Login info:
[DANGEROUS NUMERIC URL REMOVED]
New Member Services
Subject: Membership Details
From: "Internet Dating" [EMAIL ADDRESS REMOVED]
Date: Mon, 20 Aug 2007 19:41:32 -0400
New Member, Here is your membership info for Internet Dating.
User Number: 23913334
Your Login ID: user8588
Temp Password ID: gj779
Please Change your login and change your Login Information.
Follow this link, or paste it in your browser:
[DANGEROUS NUMERIC URL REMOVED]
Membership Support Department
Subject: Welcome Letter
From: "Net Gambler" [EMAIL ADDRESS REMOVED]
Date: Tue, 21 Aug 2007 13:31:41 +0100
Greetings, We are glad you joined Net Gambler.
Account Number: 92687431
Temp Login ID: user1564
Temp Password ID: gf869
Please Change your login and change your Login Information.
Click here to enter our secure server:
[DANGEROUS NUMERIC URL REMOVED]
Laptop security is always a concern, and several recommendations can be found in this featured CNET thread:
CNET - My laptop was stolen, what concerns should I have?
QUOTE: My wife and I had two laptops stolen from our room in an upscale hotel in Norfolk, Virginia last Saturday night. My question is somewhat open-ended. Is a concern justified for identity theft from the info available on the machine? Having owned the laptops for 1 to 2 years and using them as the primary home/travel computer, it is safe to say that everything was on the hard drive. Not only the 20GB of pictures, nor the finance stuff, or the research database, or all the cookies, etc.; even the money for the cost of the computers is poof--gone. What is the concern that the community would have for such a loss: identity theft, system hijacking, sleepless nights, having to buy new ones, and so on. In the future, in case of another loss, what are some solid security measures I can use to prevent someone from obtaining what I have on my laptops?
The ever-changing Storm Worm is now circulating new variants. I've personally started receiving copies captured in my spam filters. The new version uses inappropriate subject lines as noted by the ISC below.
Based on samples received, these messages contain only a URL with a numeric IP address in the body of the email. URLs in spam email are almost always dangerous sources of malware (especially those pointing at numeric IP addresses).
Users should avoid these new attacks, as this virus is very difficult to clean and can affect both the privacy and performance of the PC itself.
MPack is a commercially sold "malware development package": a set of PHP scripts and browser exploits that makes building web-based drive-by attacks fast and easy. A new version has surfaced that offers increased capabilities, as noted by Symantec:
MPack - v0.91 now rated as More Dangerous
Some of the key enhancements in the new version include:
1. The exploits include the existing ones present in v0.84.
2. There have been some changes to the management and reporting interface.
3. Some additional files are a part of the installation to ensure authentication.
4. Mpack has also introduced some more encryption and obfuscation to increase the detection complexity.
5. There are some modifications in the Mpack loading pages (ability to target specific countries)
MPack toolkit v0.91 also comes with a legal disclaimer: Mpack is created solely for test purposes. You are prohibited to use it in conditions violating local or international laws. Authors hold no responsibility for any damage, direct or indirect, caused by usage of this software.
Symantec's analysis of v0.86
What is MPACK?
In June 2006, three Russian programmers started testing a collection of PHP scripts and exploit code to automate the compromise of computers that visit malicious Web sites. A year later, the MPack kit has become an increasingly popular tool, allowing data thieves and bot masters to take control of victims' systems and steal personal information. The MPack infection kit has been blamed for hundreds of thousands of compromised computers. And, it's malicious software with a difference: The creators have offered a year of support to those clients from the Internet underground who purchase the software for anywhere from $700 to $1,000.
New GpCode ransomware attacks are circulating on a limited basis in the wild, and AV vendors are adding protection. These new variants encrypt several types of data files on a PC and demand $150 in an online payment for a decrypting capability.
Users should never pay these "ransoms", as the cleaning tool most likely won't arrive, and some AV vendors provide decrypting tools to clean infected systems. Still, this is a reminder to take periodic backups of important files and always to avoid untrusted URLs and email attachments.
New GpCode Ransomware variants have surfaced
This Trojan may arrive as a dropped file or downloaded file of another malware. This Trojan encrypts all files with certain extension names found on any readable and writable drive. As a result, the said files become unreadable. It then drops and opens the file ASAP!!!.TXT on the current user's Desktop folder. The said text file informs the user that the files have been encrypted, and that special software must be purchased to decrypt the files.
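The Trend Micro description above gives an incident responder two things to look for on a suspect PC: the dropped ASAP!!!.TXT note and a set of user files that have suddenly become unreadable. The Python script below is an added example, not code from the original post or from any AV vendor, that triages a directory tree on those two signals. The list of target extensions, the magic numbers, the 7.5 bits-per-byte entropy threshold and the sample files it builds are assumptions made for the demonstration; GpCode's actual extension list is not given on this page.

```python
import math
import os
import tempfile
from pathlib import Path

# Assumptions for this example, not details of GpCode itself: the note name is
# the one quoted above; the extensions, magic numbers and threshold are illustrative.
RANSOM_NOTE_NAMES = {"asap!!!.txt"}
TARGET_EXTENSIONS = {".doc", ".xls", ".jpg", ".txt", ".pdf"}
KNOWN_MAGIC = {
    ".jpg": b"\xff\xd8",
    ".pdf": b"%PDF",
    ".doc": b"\xd0\xcf\x11\xe0",   # OLE2 compound document (Office 97-2003)
    ".xls": b"\xd0\xcf\x11\xe0",
}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or random data sits close to 8.0
MIN_SAMPLE = 1024         # too little data gives a meaningless entropy figure


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path) -> bool:
    """True when a user file lacks the header its extension implies and its first
    64 KiB are near-random. Intact JPEG/PDF/OLE files keep their magic bytes even
    though their payload is high-entropy, so they are not flagged."""
    sample = path.read_bytes()[:65536]
    if len(sample) < MIN_SAMPLE:
        return False
    magic = KNOWN_MAGIC.get(path.suffix.lower())
    if magic and sample.startswith(magic):
        return False
    return shannon_entropy(sample) >= ENTROPY_THRESHOLD


def triage_tree(root) -> dict:
    """Walk a directory: report dropped ransom notes and likely-encrypted files."""
    report = {"notes": [], "likely_encrypted": [], "scanned": 0}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in RANSOM_NOTE_NAMES:
            report["notes"].append(str(path))
            continue
        if path.suffix.lower() not in TARGET_EXTENSIONS:
            continue
        report["scanned"] += 1
        if looks_encrypted(path):
            report["likely_encrypted"].append(str(path))
    return report


def build_constructed_tree() -> str:
    """Create a throwaway directory of constructed files: two readable documents,
    an intact JPEG header over high-entropy data, two files overwritten with random
    bytes (standing in for encrypted ones) and a ransom note. Returns its path."""
    d = Path(tempfile.mkdtemp(prefix="gpcode-demo-"))
    (d / "letter.txt").write_text("Dear Sir, please find the quarterly figures attached.\n" * 40)
    (d / "notes.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"Lorem ipsum dolor sit amet. " * 200)
    (d / "holiday.jpg").write_bytes(b"\xff\xd8" + os.urandom(8192))   # intact picture, not flagged
    (d / "budget.xls").write_bytes(os.urandom(8192))                  # "encrypted" from byte 0
    (d / "thesis.txt").write_bytes(os.urandom(8192))                  # "encrypted" from byte 0
    (d / "ASAP!!!.TXT").write_text("Your files have been encrypted. Buy our software to get them back.\n")
    return str(d)


if __name__ == "__main__":
    demo = build_constructed_tree()
    for key, value in triage_tree(demo).items():
        print(f"{key}: {value}")
```

Intact JPEGs, PDFs and compressed Office documents are already high-entropy, which is why the magic-number check matters: a .jpg that still starts with FF D8 is left alone, while a .jpg or .xls that is random from its first byte is flagged. Run it against a copy of the drive rather than the live victim, and keep the report before trying any vendor decrypting tool.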
Below are recent links on the latest "animated e-card" variants. One point of concern comes from AVERT Labs on the constant repackaging of Nuwar to evade AV detection every few minutes. No wonder AV vendors are in the 30% detection range, as Nuwar is constantly mutating in an automated fashion. A few years ago, security researchers speculated about a "super worm" that would mutate so constantly that AV detection signatures couldn't keep pace with the copies circulating in the wild. Unfortunately, we're getting closer to seeing this prediction come true.
AVERT LABS - Keeping up with Nuwar
QUOTE: Well, given that Nuwar is polymorphically repacked every few minutes and a functionally new version is released every day, that was hardly surprising. I zipped the samples up and sent them to our virus researchers to produce detection for them ...
F-Secure - Zhelatin gang changing tactics
QUOTE: Over the last few weeks, we've seen tons of ecard.exe spam, where fake greeting card mails have been spammed out. The messages have not contained an attachment, but just links to web sites that offer a download of one ecard.exe to your machine. Since last night, the messages have changed. You still get the normal greeting card spam. But when you follow the link, the web site now talks about the need for you to install "Microsoft Data Access" to your computer ...
WebSense Alert on new storm worm
I've subscribed to Network World magazine for a number of years and also receive the newsletter. This two-part article by Steven Zeligman (with assistance from M. E. Kabay) provides an excellent set of best practices related to e-commerce security.
ARTICLE: Best practices for online shopping
Author: Steven Zeligman, MSIA, MCP, CISSP and M. E. Kabay
From: Network World newsletter
The following guidelines will help you stay safe while shopping online on the Internet:
Best practices for online shopping
Online shopping does pose risks, but the risk can easily be reduced.
1. Eliminate malware
Before shopping online, clean your computers of malware (malware is MALicious softWARE).
2. Shop only at trusted online retailers
Use the same common sense when shopping online that you would use when shopping in the physical world. Be as vigilant when choosing online retailers as when choosing brick-and-mortar merchants. If you are uncertain about a particular Web site, check the Better Business Bureau’s ratings http://www.bbb.org . Reliable online merchants provide a phone number where you can talk to a customer-service representative about security issues. Look for third-party seals of approval such as BizRate http://www.bizrate.com/ , BBBOnLine http://www.bbbonline.org/ , VeriSign Secured https://seal.verisign.com/ , and HackerSAFE https://www.scanalert.com/ . Usually clicking on the symbol will bring you directly to the report for the Web site you are visiting.
3. Look for Web site security indicators
Although the following are by no means absolute indicators of security, they’re a start:
* A padlock in the browser window’s status bar (be discriminating - sometimes it’s a false indicator http://www.w3.org/2006/WSC/wiki/PadlockIconMisuse or even just a symbol placed on the Web page itself);
* URLs that start with “https” instead of just “http”; and
* The phrase “Secure Sockets Layer (SSL)” in the description of the communications protocol.
These are all indications that the online merchant may have taken measures to protect their customers’ private information in transit.
4. Safeguard your own personal information and records
Do not send payment information via e-mail. Unencrypted e-mail is not a secure method of communication. All information transmitted via e-mail is at risk of interception by bad people. Any trustworthy online merchant uses encryption technologies to protect private information during a transaction on their Web site.
Keep records of all transactions, much as you keep paper receipts for physical “brick and mortar” purchases. An easy way to do that if you have full Acrobat is to print to an Acrobat file from your browser; alternatively, you can use the print function of your browser and send to a suitable printer or even take a screenshot and save the image file on disk. [MK adds: I keep records in folders labeled by vendor in a folder called “My Received Files.” I have a folder for software licenses, for example, one for DVDs, one for CDs and so on.]
Other methods of safeguarding e-commerce information include:
* Always conduct online transactions using a Web browser that has all current security patches and uses at least 128-bit encryption.
* Always use strong passwords that contain a combination of uppercase letters, lowercase letters, and special characters for e-commerce accounts.
* Never use obvious passwords such as family names, birthdays, pets’ names, etc. for e-commerce accounts.
* Always use passwords that contain six or more characters.
* Never share user names or passwords with anyone else.
* Never use the “one-click shopping” that stores credit-card information accessible through an online account password.
* Never perform online transactions on public computers.
* If you have an unsecured home computer, do not allow your browser to store user IDs and passwords for the online-shopping sites you use.
For more information on browser security and Web sites, see the following U.S. Computer Emergency Readiness Team (US-CERT) Cyber Security Tips:
ST04-022 -- “Understanding Your Computer: Web Browsers”
ST05-001 -- “Evaluating Your Web Browser’s Security Settings”
ST04-012 -- “Browsing Safely: Understanding Active Content and Cookies”
ST05-010 -- “Understanding Web Site Certificates”
5. Review the Online Merchant’s Privacy Statement
Consumers should also be prudent about what personal and financial information they reveal to conduct an online transaction. It is usually necessary to provide a credit-card number. However, it should never be required to provide bank-account numbers or Social Security Numbers to conduct online shopping transactions. There are many reliable online merchants; if you don’t like a merchant’s policies, choose a different one.
With a few precautions, you can usually take advantage of online shopping conveniences without significant risk. The essential point is that you have to think before you shop - but that’s true in all situations.
AUTHOR: Steven Zeligman, MSIA, MCP, CISSP, is the Network Security Manager at Dataline, Inc., and has more than 15 years of experience in information technology and security. His opinions are entirely his own and do not constitute the opinions of his employer. You are welcome to write to him at: steven.zeligman (at) gmail (dot) com with comments on this article.
Opera 9.23 is now available to address a critical security vulnerability
Opera 9.23 for Windows is available for download.
- Fixed four crash bugs found using Mozilla's jsfunfuzz tool.
- Fixed a stability issue with Speed Dial.
- Scrolling problem with some Microsoft mice fixed on Windows Vista.
Several Microsoft security updates are available to better secure Windows, Internet Explorer, Media Player, Office, and the Virtual PC environment. These should be applied promptly to ensure the best levels of protection.
Microsoft Security Updates - August 2007
August 2007 - Security Patches
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (936227)
Vulnerability in OLE Automation Could Allow Remote Code Execution (921503)
Vulnerability in Microsoft Excel Could Allow Remote Code Execution (940965)
Cumulative Security Update for Internet Explorer (937143)
Vulnerability in GDI Could Allow Remote Code Execution (938829)
Vulnerabilities in Windows Media Player Could Allow Remote Code Execution (936782)
Vulnerabilities in Windows Gadgets Could Allow Remote Code Execution (938123)
Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986)
Vulnerability in Vector Markup Language Could Allow Remote Code Execution (938127)
Vulnerability in Windows Vista Firewall Could Allow Information Disclosure (935807)
The ISC site provides a good resource for tracking installation issues or exploit developments related to these newly released bulletins. Hopefully, this update will go smoothly, as it's working well so far on 2 of my PCs.
Internet Storm Center - Analysis of current bulletins
Below are recent samples (with all URLs made safer) of email that should be deleted or blocked. The numeric links in these messages may trigger an automatic download and install of a very malicious copy of the Nuwar worm. This family of viruses is among the most advanced malware circulating, using rootkit, botnet, polymorphism, and other techniques.
AV protection may or may not be available for these leading-edge variants. It's always advisable never to click on URLs or attachments in email messages, even in those which appear to be safe.
Subject: Movie-quality e-card
Date: Mon, 13 Aug 2007 10:27:08 -0400
Mother() has created Movie-quality e-card for you at perfectgreetings.com.
To see your custom Movie-quality e-card, simply click on the following Internet address (if your mail program doesn't support this feature you will need to COPY and PASTE the address into your browser's address box):
hxxp://[URL REMOVED - DANGEROUS numeric IP address]/?bd9a4815755ec21d93815f9518b32f6c9fb697
Send a FREE greeting card from perfectgreetings.com whenever you want by visiting us at: hxxp://perfectgreetings.com/
This service is provided and hosted by perfectgreetings.com.
Subject: Animated postcard
Date: Tue, 14 Aug 2007 12:40:40 +0200
School-mate() has created Animated postcard for you at greetingsisland.com.
To see your custom Animated postcard, simply click on the following Internet address (if your mail program doesn't support this feature you will need to COPY and PASTE the address into your browser's address box):
hxxp://[URL REMOVED - DANGEROUS numeric IP address]/?23407b969d2b1d96eb463c6da46ca
Send a FREE greeting card from greetingsisland.com whenever you want by visiting us at: hxxp://greetingsisland.com/
This service is provided and hosted by greetingsisland.com
Subject: Greeting ecard
Date: Tue, 14 Aug 2007 02:53:35 -0400
Uncle() has created Greeting ecard for you at hallmark.com.
To see your custom Greeting ecard, simply click on the following Internet address (if your mail program doesn't support this feature you will need to COPY and PASTE the address into your browser's address box):
hxxp://[URL REMOVED - DANGEROUS numeric IP address]/?42a6de1712445fd9c2b5
Send a FREE greeting card from hallmark.com whenever you want by visiting us at: hxxp://hallmark.com/
This service is provided and hosted by hallmark.com.
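The e-card samples above, and the "hover over the link" advice earlier on this page, come down to the same two checks: is the link's real host a bare IP address, and does it match the domain the message shows? The following Python script is an added example, not code from the original post, that applies both checks to a plain-text body and to an HTML body. The two sample messages embedded in it are constructed for the example, modelled on the samples above; the 203.0.113.x and 198.51.100.x addresses are documentation ranges and the hex tokens are made up, not the hosts the Storm gang used.

```python
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed samples modelled on the e-card spam quoted above. The addresses are
# documentation ranges (RFC 5737) and the tokens are made up: not Storm's real hosts.
PLAIN_TEXT_SAMPLE = """\
Mother() has created Movie-quality e-card for you at perfectgreetings.com.
To see your custom Movie-quality e-card, simply click on the following Internet address:
http://203.0.113.45/?bd9a4815755ec21d93815f9518b32f6c9fb697
Send a FREE greeting card from perfectgreetings.com whenever you want by visiting us at: http://perfectgreetings.com/
"""

HTML_SAMPLE = """\
<p>Your Brother wants to send you a greeting from mycardmaker.com.</p>
<p>If you would like to read this greeting, follow this link:</p>
<p><a href="http://198.51.100.7/ecard.exe">mycardmaker.com</a></p>
<p><a href="http://www.example.org/help">www.example.org</a> or
<a href="http://www.example.org/stop">click here</a> to unsubscribe.</p>
"""

# Matches http(s) URLs and the defanged hxxp(s) form used in the samples above.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s<>\"']+", re.IGNORECASE)
HOSTNAME_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def host_of(url: str) -> str:
    """Hostname part of a URL, lower-cased; '' if the URL cannot be parsed."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return (urlparse(url).hostname or "").lower()


def is_numeric_host(host: str) -> bool:
    """True for a bare IPv4 or IPv6 address, False for a hostname or ''."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")   # anchors without href are ignored
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_suspicious_urls(body: str, html: bool = False) -> list:
    """Return (url, reason) pairs for links worth blocking in an e-mail body.

    Two signals: the link host is a bare IP address (the plain-text Storm runs),
    and, for HTML, the visible link text is a hostname that does not match the
    real href host (the e-card HTML runs). One link can produce both findings."""
    findings = []
    if not html:
        for url in URL_RE.findall(body):
            if is_numeric_host(host_of(url)):
                findings.append((url, "numeric IP host"))
        return findings

    collector = AnchorCollector()
    collector.feed(body)
    for href, text in collector.anchors:
        real_host = host_of(href)
        if is_numeric_host(real_host):
            findings.append((href, "numeric IP host"))
        shown = re.sub(r"^https?://", "", text.lower()).rstrip("/")
        if (HOSTNAME_RE.fullmatch(shown) and shown != real_host
                and not real_host.endswith("." + shown)):
            findings.append((href, f"link text '{text}' hides host '{real_host}'"))
    return findings


if __name__ == "__main__":
    for url, why in find_suspicious_urls(PLAIN_TEXT_SAMPLE):
        print(f"TEXT  {url}  <- {why}")
    for url, why in find_suspicious_urls(HTML_SAMPLE, html=True):
        print(f"HTML  {url}  <- {why}")
```

The plain-text check is the one most mail filters already apply; the HTML check is what the hover-over advice automates, and it is the stronger signal, since a genuine e-card site has no reason to hide its own domain behind a different host. Neither check proves a link safe: a throwaway registered domain passes both, so this is a filter, not a whitelist.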