Harry Waldron - IT Security

Security Developments, Software Updates and Best Practices

September 2007 - Posts

Windows Update - Microsoft's guidance if it stops working after XP repair mode

As noted in this earlier entry, the Windows Update process may stop working after performing an XP repair mode restoration from the original CD. Microsoft has just released KB 943144 with instructions on how to register the new Windows Update DLLs with Windows so that the PC can process the 80 or more updates released since XP SP2.

Latest Microsoft KB on registering WU process
http://support.microsoft.com/kb/943144

Some additional blog entries are noted here:

Issues installing updates after repairing XP:
http://blogs.technet.com/mu/archive/2007/09/28/issues-installing-updates-after-repairing-xp.aspx

Addressing a Windows Update failure after repairing from XP CD:
http://windowsvistablog.com/blogs/windowsvista/archive/2007/09/27/addressing-windows-update-failure-after-repairing-from-xp-cd.aspx

Windows Update - Solution if it stops working after XP repair mode

Microsoft recently introduced improvements to Windows Update, and these appear to be working well, except in cases where a PC becomes unusable and the "repair mode" process is used. After restoring XP to an earlier state, there is a glitch between the old and new versions of Windows Update. The Windows Secrets article below is excellent and outlines steps that corporate users can employ now, until Microsoft corrects this issue. The links and key quotes from the article are noted below:
 
 
 Stealth Windows update prevents XP repair
 http://windowssecrets.com/2007/09/27/03-Stealth-Windows-update-prevents-XP-repair
 
 QUOTE:
 
 Repaired installations of XP can't be updated
 
 The trouble occurs when users reinstall XP's system files using the repair capability found on genuine XP CD-ROMs. (The feature is not present on "Restore CDs.") The repair option, which is typically employed when XP for some reason becomes unbootable, rolls many aspects of XP back to a pristine state. It wipes out many updates and patches and sets Internet Explorer back to the version that originally shipped with the operating system.
 
 However, after using the repair option from an XP CD-ROM, Windows Update now downloads and installs the new 7.0.600.381 executable files. Some WU executables aren't registered with the operating system, preventing Windows Update from working as intended. This, in turn, prevents Microsoft's 80 latest patches from installing — even if the patches successfully downloaded to the PC.
 
 
 
Manually registering files solves the problem
 
 If you find that Windows Update refuses to install most patches, you can register its missing DLLs yourself. This can be accomplished by manually entering seven commands (shown in Step 2, below) at a command prompt. If you need to run the fix on multiple machines, it's easiest to use a batch file, as Steps 1 through 5 explain:
 
 Step 1. Open Notepad (or any text editor).
 
 Step 2. Copy and paste the following command lines into the Notepad window (the /s switch runs the commands silently, freeing you from having to press Enter after each line):
 
 regsvr32 /s wuapi.dll
 regsvr32 /s wuaueng1.dll
 regsvr32 /s wuaueng.dll
 regsvr32 /s wucltui.dll
 regsvr32 /s wups2.dll
 regsvr32 /s wups.dll
 regsvr32 /s wuweb.dll
 
 Step 3. Save the file to your desktop, using a .bat or .cmd extension.
 
 Step 4. Double-click the icon of the .bat or .cmd file.
 
 Step 5. A command window will open, run the commands, and then close.
 
 The next time you visit the Windows Update site, you should not have any problem installing the latest patches.

IRS based Phishing attacks - Example

I just received this example of the latest IRS phishing attack. The HTML graphics are well done and this message appears almost authentic. Responding to these email messages could cost money, as the scammers will gain the credit card details and be free to use them. These messages can be safely deleted and ignored, as the IRS primarily uses US postal mail or phone calls to contact us.

EMAIL EXAMPLE:

To: Harry
From: service @ irs . gov <<< Spoofed email address

Subject: IRS Notification - Fiscal Activity (Internal Revenue Service)

Date: Thu, 27 Sep 2007 00:33:15 +0530

After the last annual calculations of your fiscal activity we have determined that
you are eligible to receive a tax refund of $268.32.

Please submit the tax refund request and allow us 3-6 days in order to
process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here  <<< Dangerous URL

Note: For security reasons, we will record your ip-address, the date and time.
Deliberate wrong inputs are criminally pursued and indicated.

Regards,
Internal Revenue Service

IRS Phishing Scam - $109.32 Refund offered

This particular phishing scheme is well done from an HTML standpoint.  In almost all cases, the IRS, banks, and financial institutions notify folks by regular postal mail or a phone call.

Email is usually an insecure channel for communicating sensitive information like this. Even someone who is working with the IRS or a bank directly by email should contact the nearest office to validate any unexpected e-commerce transaction. Double checking can save dozens of hours of aggravation in restoring lost funds or a person's identity after these types of attacks.

IRS Phishing Scam - $109.32 Refund offered
http://www.avertlabs.com/research/blog/index.php/2007/09/24/10930-in-2-minutes-irs-refunds-attack/

QUOTE: Phishers today are targeting the IRS with a large phish attack. So far it is spread over 25 domains. The phish offers victims $109.30 refund directly to their credit card for filling in an online form. How convenient.

Spam - Did you know this concept started in the late 1800s?

While the unwanted email threat called "spam" dates back to 1978, tempting message solicitations were already being sent by telegraph in the late 1800s. These email messages are no different from the junk faxes, telemarketing calls, or junk postal mail of the past.
 
Today, it is estimated that 70-80% of all email sent is spam. These messages range from harmless sales solicitations to messages that contain dangerous malware-infected attachments or URLs. The best advice is to always delete any unwanted email message without opening it. If the offer seems too good to be true, in almost all cases it will be.

History of Spam
http://en.wikipedia.org/wiki/History_of_spamming

Early "Telegram" Spam sample - Doc Brown's Elixir of Vitality 50% off
http://en.wikipedia.org/wiki/Image:Telegraphspam.png

QUOTE: In the late 19th Century Western Union allowed telegraphic messages on its network to be sent to multiple destinations. Up until the Great Depression wealthy North American residents would be deluged with nebulous investment offers. This problem never fully emerged in Europe to the degree that it did in the Americas, because telegraphy was regulated by national post offices in the European region.

Earliest electronic spam sent in 1978 by DEC Marketer
http://www.templetons.com/brad/spam/spam25.html
http://www.templetons.com/brad/spamreact.html

QUOTE: That first spam was sent by a marketer for DEC - Digital Equipment Corporation. Today, you may not know DEC, since it was bought by Compaq and is now a unit of HP, but in those days it was the leading minicomputer maker, and its computers provided the platform for the development of Unix, C and much of the internet, to cite just a few minor events.

Spam - The current threat
http://www.postini.com/stats/index.php
http://www.messagelabs.com/intelligence.aspx
http://en.wikipedia.org/wiki/E-mail_spam

Firecat 1.2 - Firefox based security testing and audit tool

An interesting security audit and testing tool was highlighted by the ISC. I downloaded the latest version of Firecat 1.2 and tested a few of the capabilities. This fairly large extension set offers over 60 security tools for examining the underlying HTML code and web site security.

ISC: Firefox as the weapon of choice?
http://isc.sans.org/diary.html?storyid=3417

QUOTE: Most application security testers are already using some Firefox plug-ins to assist in their testing. These plug-ins are usually very helpful in getting some quick and easy test tools directly from within the browser. The folks from security-database.com have compiled a catalog of the security plug-ins in Firefox, called FireCAT. I would suggest taking a look at their catalog and loading up your Firefox browser with some of the security tools. Although most of these plug-ins would not be considered best of breed tools in their respective area, the ability to use them from within the browser usually makes them very accessible and easy to use. You might also want to know that these tools would not only benefit the application testers but also the infrastructure testers and most other security professionals as well.


Firecat 1.2 Home Page
http://www.security-database.com/toolswatch/FireCAT-Firefox-Catalog-of,232.html

SEP 2007 : FireCAT (Firefox Catalog of Auditing exTensions) version 1.2 released

Agnitum offers 30 question test on IT Security concepts

This test covers a wide range of security concepts and practices. While a few of the questions or answers could have been worded a little better, I see this as a good resource to assess your knowledge of IT Security concepts.

http://www.agnitum.com/vote/stquiz/start.php

Yahoo messenger experiences ninth zero-day exploit of year

Users of Yahoo's IM software should be careful with all files or URLs offered. Using IE 7, or ramping up security for IE 6, can help. It's been a while for me on IE 6, but one quick fix is to go into Advanced mode and change many of the settings for installing items on your PC from Automatic to Prompt.

Article: Yahoo messenger hit with ninth zero-day exploit of the year
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9037766

QUOTE: September 19, 2007  (Computerworld) -- Attack code that targets Yahoo Messenger has been published on the Internet, a security researcher warned today, marking the ninth exploit aimed at the popular instant messaging software so far this year.

According to an e-mail alert from nCircle Network Security Inc., hackers armed with the exploit could force-feed malware such as a Trojan horse to vulnerable users. It was nCircle that pegged the latest zero-day threat against Messenger as No. 9 for the year. IE's security, however, can mitigate an attack. Users running the newer IE 7 with default security settings will probably be protected.

Windows XP - New unpatched Library Call vulnerability

This new security flaw could be exploited for DoS or other attacks. This new exposure should be followed for further developments.

Researchers warn of new Microsoft Windows security flaw
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1272760,00.html

Microsoft Windows CFileFind Class "FindFile()" Buffer Overflow
http://www.frsirt.com/english/advisories/2007/3182
http://secunia.com/advisories/26800/

QUOTE: The following products are currently known to have vectors allowing exploitation:

* HP All-in-One Series Web Release software/driver installer version 2.1.0
* HP Photo & Imaging Gallery version 1.1

Microsoft Office 2003 SP3 Released

After downloading 3 updates (e.g., Office Pro, Visio, Project) related to the SP3 release, I kept everything closed to avoid any potential conflicts, as Office updates are complex and can touch other environments (e.g., IE, Snag-it, and other apps can be set up to integrate with Office).

So far, everything appears to work well for all 3 major environments, after some quick testing. The Office Pro update is lengthy (about 10 min, including Front Page). However, the other two updates are quick and require about a minute each. Ten minutes of patience in applying these updates standalone can replace hours' worth of fixing later.

Microsoft Office 2003 SP3 Released
http://www.informationweek.com/news/showArticle.jhtml?articleID=201807224

Microsoft Download Home Page - search to find applicable Office SP3 download(s)
http://www.microsoft.com/downloads/Search.aspx?displaylang=en

QUOTE: "Microsoft Office 2003 Service Pack 3 is the culmination of several years of improvements in the product suite," the company said in a Microsoft white paper issued upon the service pack's release. "SP3 improves the productivity and user experience of home and office users, strengthens defenses against malicious software, and helps IT administrators comply with regulations and protect confidential information."

Security is clearly job number one for Office 2003 SP3, as the service pack contains a laundry list of security patches and upgrades. For example, instead of letting in macros willy-nilly in Excel, SP3 instead lets users control which macros run in legacy Excel files, potentially blocking malicious code. Of course, as is the case in most service packs, SP3 also patches known security holes.

Microsoft has also worked to improve Office 2003's compatibility with Windows Vista, Internet Explorer 7, and Office 2007. Project 2003, for example, can now read Project 2007 files. InfoPath allows auto-complete in Internet Explorer 7 when running on Windows Vista. OneNote 2003 works better with Internet Explorer 7 than it did previously.

Stoned.Angelina virus from 1994 found on new Medion Laptops

This is more a novelty than a true threat, as this 13-year-old virus is easily detected and most likely will not affect Vista booting or other operations. The German manufacturer has taken quick action to contain and remedy the issue.
Still, some key lessons include:

* OEM vendors always need to ensure a pristine and "malware free" environment
* Some old viruses that I felt were extinct may still be out there (this 13-year-old threat had been taken off "the Wild list")
* Accidents will happen (we're all human) and companies need to respond promptly, as Medion did upon discovery

BLOGS: Stoned.Angelina virus from 1994 found on Medion Laptops
http://www.avertlabs.com/research/blog/index.php/2007/09/13/boot-virus-stonedangelina-on-medion-laptops-sold-at-food-discounter-aldi/
http://sunbeltblog.blogspot.com/2007/09/update-on-stoned-virus-infection-of.html
http://blogs.pcworld.com/staffblog/archives/005427.html

LINKS: Medion sells laptops with 13 year-old virus
http://www.vnunet.com/vnunet/news/2198692/vendor-includes-old-virus
http://www.first.org/newsroom/globalsecurity/150727.html
http://blogs.securiteam.com/?p=998

AV information
http://www.symantec.com/security_response/writeup.jsp?docid=2000-121811-2556-99
http://www.f-secure.com/v-descs/angelina.shtml

Microsoft Security Bulletins - September 2007

Below is the primary link for the Microsoft Security updates for September. This is a lighter month overall, and the updates went well on my corporate laptop and desktop systems.

Microsoft Security Bulletins - September 2007
http://www.microsoft.com/technet/security/bulletin/ms07-sep.mspx

ISC Analysis
http://isc.sans.org/diary.html?storyid=3367

-------------------------
Bulletin Number: MS07-051
Maximum Severity: Critical
Affected Products: Microsoft Windows 2000
Impact: Remote Code Execution
-------------------------
Bulletin Number: MS07-052
Maximum Severity: Important
Affected Products: Microsoft Visual Studio
Impact: Remote Code Execution
-------------------------
Bulletin Number: MS07-053
Maximum Severity: Important
Affected Products: Windows Services for UNIX, Subsystem for UNIX-based Applications
Impact: Elevation of Privilege
-------------------------
Bulletin Number: MS07-054
Maximum Severity: Important
Affected Products: MSN Messenger, Windows Live Messenger
Impact: Remote Code Execution

=======================================
Microsoft Windows Malicious Software Removal Tool
=======================================
Microsoft is releasing an updated version of the Microsoft Windows
Malicious Software Removal Tool on Windows Server Update Services (WSUS),
Windows Update (WU) and the Download Center. Note that this tool will
NOT be distributed using Software Update Services (SUS). Information on
the Microsoft Windows Malicious Software Removal Tool can be located
here: http://go.microsoft.com/fwlink/?LinkId=40573  

=======================================
High-Priority Non-Security Updates
=======================================
High priority non-security updates Microsoft releases to be available
on Microsoft Update (MU), Windows Update (WU) or Windows Server Update
Services (WSUS) will be detailed in the following KB Article:
http://support.microsoft.com/?id=894199

New Skype P2P worm spreads through VOIP chat facility

All Skype users should be careful with any URL offered while in the chat mode.  Most AV products have coverage now and staying up-to-date can help folks stay protected.

PC World - Skype Warns Users of P-to-P Worm
http://www.pcworld.com/article/id,137007-c,worms/article.html

quote:

Skype users are under attack from a new worm that spreads through the peer-to-peer Internet phone application's chat feature. The attack begins when a user receives an instant message containing a link from someone in their contact list or an unknown Skype user.

ISC - Skype worm
http://isc.sans.org/diary.html?storyid=3363

quote:

A worm is currently spreading which is specifically aimed at Skype users. Known as Ramex, Skipi or Pykspa, it abuses the chat function of Skype to send a short message containing a link to a seemingly benign JPEG file to other users. Users that click on the link will download and run a copy of the worm, and start to infect others.

Additional links below:

Skype's official security warning
http://heartbeat.skype.com/2007/09/the_worm_that_affects_skype_fo.html

Computerworld article
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9035198

Pykse.b - McAfee information
http://vil.nai.com/vil/content/v_143083.htm

New Storm Worm - Are you ready for some football?

The Nuwar gang is innovative in social engineering and technological attacks. They are empowered by a botnet that's at least 1.7 million PCs strong -- one that can instantly spam millions of copies as unique trojan horse attacks. Folks need to stay vigilant and not allow their curiosity to get the best of them, e.g., avoid clicking on all untrusted URLs in email. This well-done attack is out there and a sample is shown below. It could indeed trick some football fans out there:
 
New Storm Worm - Are you ready for some football?
http://isc.sans.org/diary.html?n&storyid=3361
http://www.disog.org/2007/09/storm-domains-locally-resolving.html


EXAMPLE OF EMAIL TO AVOID

quote:

From: (REMOVED)
To: HARRY
Subject: NFL Game List
Date: Sat, 8 Sep 2007 18:38:35 -0700

Time for some serious games, Football!
Don't miss a thing because you didn't know, this season.
Go see out Game data and Stats Page: [MALICIOUS URL REMOVED]

Corporate Security - Eight dangerous consumer technologies

This 4-page Computerworld article highlights 8 areas that could potentially compromise security if misused in the corporate environment. These include:

1. Instant messaging
2. Web mail (non-corporate email accounts)
3. Portable storage devices (flash drives)
4. PDAs and smart phones
5. Camera phones
6. Consumer based VoIP services
7. Downloadable widgets
8. Virtual worlds (role-playing environments)

Corporate Security - Eight dangerous consumer technologies
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9034278

Latest Storm Worm - Fake downloads for TOR and other privacy software

The latest variant has been massively spammed, and I have personally received copies. It is designed to trick folks into thinking they are downloading TOR or other free privacy software (i.e., packages designed to communicate anonymously over the Internet). However, clicking on the malicious website link will have the opposite effect, as infected PCs will give up their privacy and start participating in a huge 1.7M botnet.

F-Secure: sTORm Worm
http://www.f-secure.com/weblog/archives/archive-092007.html#00001272

quote:

A new round of storm worm attacks are playing on people's paranoia against being watched online. This time the lure leads users to a "TOR download" page, which is… surprise, surprise… fake.

Trend - Nuwar poses as TOR Proxy
http://blog.trendmicro.com/nuwar-poses-as-tor-proxy/

Trend: Nuwar.AQL Information
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNUWAR%2EAQL&VSect=P

EMAIL EXAMPLE:

quote:

From: (REMOVED)
To: Harry
Subject: Your Privacy is being violated
Date: Thu, 6 Sep 2007 16:31:45 +0200

Whenever you are downloading things, they are watching you. RIAA is going after everyone they can. They can't trace you if you use our new software. This software is made available free, so we can keep the internet free and private: (MALICIOUS URL REMOVED)

eBay - Botnet attempts to compromise user account security

This recently discovered botnet affecting eBay is highly sophisticated.  eBay users should use strong passwords and carefully monitor their accounts for any unusual activity.

PC World Article: Botnet Steals eBay Accounts
http://www.pcworld.com/article/id,136729-c,onlinesecurity/article.html

QUOTE: Identity thieves armed with a brute-force botnet are uncovering valid eBay account data, a security firm says. The resulting botnet is being used to call an eBay application programming interface (API) with pairs of possible usernames and passwords, said Elzam. The API allows the Trojan horse-infected PC -- the bot -- to communicate directly with the eBay database using XML-formatted code. If the database contains the username/password pair, it responds, which the Trojan horse notes, then later transmits to a hacker-controlled server. With enough username/password combinations -- the brute-force part of the attack -- the criminals can uncover a limited number of real credentials.

McAfee W/32 Ebbot information
http://vil.nai.com/vil/content/v_143063.htm

QUOTE: W32/Ebbot is a bot with password stealing capabilities designed to perform fraudulent activity aimed at eBay customers. When started, the malware will immediately create a monitoring thread to be able to spoof user information. When correctly instructed, the malware will use the information gathered from the user in order to take advantage of the eBay developer API and retrieve the user token.
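The brute-force pattern described in both quotes above has a simple server-side signature: one source feeding many different usernames to the login API in a short span, with almost every attempt failing. The script below is an added illustration, not code from this blog, PC World, McAfee or eBay, of how a defender would pick that pattern out of authentication logs. The log format (time, source address, username, outcome) and all of the records are constructed for the example; the thresholds are assumptions to tune against real traffic.

```python
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample of API login events (one per line: time, source, user, outcome).
# These are made-up records for illustration, not real eBay or McAfee data.
SAMPLE_LOG = """\
2007-09-05T10:00:01 198.51.100.20 alice ok
2007-09-05T10:00:03 198.51.100.21 bob fail
2007-09-05T10:00:09 198.51.100.21 bob ok
2007-09-05T10:00:10 203.0.113.9 alice fail
2007-09-05T10:00:11 203.0.113.9 bob fail
2007-09-05T10:00:12 203.0.113.9 carol fail
2007-09-05T10:00:13 203.0.113.9 dave ok
2007-09-05T10:00:14 203.0.113.9 erin fail
2007-09-05T10:00:15 203.0.113.9 frank fail
2007-09-05T10:00:16 203.0.113.9 alice fail
"""

Event = namedtuple("Event", "time src user outcome")


def parse_log(text):
    """Parse the constructed log format into Event tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, src, user, outcome = line.split()
        events.append(Event(datetime.fromisoformat(when), src, user, outcome))
    return events


def find_credential_guessing(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Flag sources that try at least `min_distinct_users` different accounts
    inside any span of length `window`.  A legitimate client rarely logs in as
    many different users from one address in a short time; a bot feeding guessed
    username/password pairs to an API does exactly that.
    Returns {source: {"attempts", "distinct_users", "valid_found"}}."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.time)
        in_window = Counter()          # user -> attempts currently inside the window
        start = 0
        for end, ev in enumerate(evs):
            in_window[ev.user] += 1
            # Slide the window start forward until the span is at most `window` long.
            while ev.time - evs[start].time > window:
                old = evs[start].user
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_distinct_users and \
                    len(in_window) >= flagged.get(src, {}).get("distinct_users", 0):
                span = evs[start:end + 1]
                flagged[src] = {
                    "attempts": len(span),
                    "distinct_users": len(in_window),
                    # Accounts whose guess succeeded: these are the credentials a bot
                    # would report back, so they are the ones to force-reset first.
                    "valid_found": sorted({e.user for e in span if e.outcome == "ok"}),
                }
    return flagged


if __name__ == "__main__":
    for src, info in find_credential_guessing(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

On the sample, only 203.0.113.9 is flagged (6 distinct accounts in 7 attempts, one of them successful), while the two ordinary clients with a single retry each are left alone. The distinct-user count is the discriminating signal; counting failures alone would also catch a user who mistyped a password a few times. The `valid_found` list is what turns detection into response: those accounts need a password reset and token revocation, and the source gets throttled or blocked at the API.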

Article: Biometrics - Security Fad or Serious Tool?

This article found on IT Security's site discusses the use of biometrics for security authentication purposes. As discussed in the article, some firms are using both traditional and biometric security approaches in a complementary fashion.

Article: Biometrics - Security Fad or Serious Tool?
http://www.itsecurity.com/features/biometrics-fad-or-tool-082807/

QUOTE: The biometrics concept — using a fingerprint, a hand shape, an eye structure, a voice pattern or another physical characteristic as an identification token — has been kicking around for several decades, especially in older science fiction. But the approach is now gaining traction, as successful biometric systems become cheaper and easier to use and as the need for enhanced security continues to grow.

Since both biometrics and conventional security methodologies remain imperfect, a growing number of security experts suggest using biometrics to complement and enhance existing security approaches rather than replace them.

NIST issues guidelines on securing Web services

These are software/hardware independent guidelines written for Service Oriented Architecture (SOA) based web applications.

NIST issues guidelines on securing Web services
http://www.gcn.com/online/vol1_no1/44962-1.html

NIST - 128 page guideline for Securing Web services
http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf

QUOTE: The National Institute of Standards and Technology has released a 128-page guide to help organizations understand the security challenges of Web services in service-oriented architecture. NIST Special Publication 800-95, “Guide to Secure Web Services,” provides practical guidance on current and emerging standards applicable to Web services in addition to background information on the most common security threats to SOAs based on Web services. The guidelines are hardware and software independent and do not address perimeter security devices such as firewalls or access control tools.

Latest Storm Worm e-card attack wishes a Happy Labor Day

The e-card attacks continue and users should avoid all untrusted e-card and other links.

Latest Storm Worm e-card attack wishes a Happy Labor Day
http://www.avertlabs.com/research/blog/index.php/2007/09/04/labor-day-gift-from-nuwar/

quote:

In addition to the usual Microsoft exploits, QuickTime and WinZip buffer overflow exploits are also attempted on a user’s machine. Given the slim likelihood of vulnerable third party applications being up to date on a user’s machine, it increases the attacker’s chances of a successful exploitation.

Example:

To: Harry
Subject: Happy Labor Day
From: (REMOVED)
Date: Tue, 4 Sep 2007 16:23:27 +0200

Here is a special greeting, to see it, click here:

hxxp://ecards.com/funcard/Lday?fj02rx6l4zvugtzfkqub8tc
(spoofed and points to a numeric IP address embedded within the HTML)
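The lures shown in this month's posts share three mechanical tells that a mail filter can check without any reputation data: a From: address claiming irs.gov while the bounce path belongs to someone else (the IRS refund mail), links whose target is a bare numeric IP address (this e-card), and link text that shows one site while the href goes to another (the spoofed ecards.com address above). The script below is an added example, not code from this blog or from any of the vendors cited, that applies those three checks to a raw message. The message itself is constructed to mirror the quoted samples; its hosts are documentation addresses and the bounce domain is made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed message modelled on the lures quoted in these posts (the IRS
# "refund" mail and the Storm e-card).  Hosts are documentation ranges and the
# bounce domain is made up; nothing here points at real infrastructure.
SAMPLE_EMAIL = """\
Return-Path: <bounce@bulk-sender.example>
From: Internal Revenue Service <service@irs.gov>
To: harry@example.test
Subject: IRS Notification - Fiscal Activity (Internal Revenue Service)
Date: Thu, 27 Sep 2007 00:33:15 +0530
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>You are eligible to receive a tax refund of $268.32.</p>
<p>To access the form for your tax refund, please
<a href="http://203.0.113.42/refund/form.php">click here</a>.</p>
<p>Here is a special greeting, to see it, click here:
<a href="http://198.51.100.7/funcard/">http://ecards.com/funcard/Lday</a></p>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URLISH_RE = re.compile(r'^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$', re.I)


def header_domain(value):
    """Domain of an address header such as 'IRS <service@irs.gov>' -> 'irs.gov'."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower()


def host_of(url):
    """Host part of a URL, lower-cased; '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def analyze_message(raw):
    """Return (finding, detail) pairs for the three tells: a From: domain the
    bounce path does not back up, links straight to a numeric IP, and link text
    that shows one host while the href goes to another."""
    msg = message_from_string(raw)
    findings = []

    from_dom = header_domain(msg.get("From"))
    path_dom = header_domain(msg.get("Return-Path"))
    if from_dom and path_dom and from_dom != path_dom:
        findings.append(("sender-mismatch", f"From={from_dom} Return-Path={path_dom}"))

    html = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            html.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))

    for href, inner in ANCHOR_RE.findall("\n".join(html)):
        host = host_of(href)
        if is_ip_literal(host):
            findings.append(("ip-literal-link", href))
        shown = re.sub(r"<[^>]+>", "", inner).strip()   # visible link text only
        if URLISH_RE.match(shown):
            shown_host = host_of(shown if "://" in shown else "http://" + shown)
            if shown_host != host:
                findings.append(("link-text-mismatch", f"shows {shown_host}, goes to {host}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze_message(SAMPLE_EMAIL):
        print(f"{kind:20} {detail}")
```

Run against the constructed message it reports the sender mismatch, both numeric-IP links, and the ecards.com text that actually leads elsewhere. None of these checks proves a message is malicious on its own (marketing mailers legitimately use a separate bounce domain), which is why each one is returned as a separate finding for scoring or quarantine rules rather than as a single verdict.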
