October 2008 - Posts
The Morris Internet worm was launched on 11/02/1988, more as a prank than an actual attack. This first malware attack differs greatly from what we see in today's environment.
Happy 20th birthday, internet worm
http://blogs.zdnet.com/security/?p=2096
QUOTE: This weekend marks the 20th anniversary of the Internet Worm, the first major worm that propagated on the Internet. Even though many years have passed and underlying media has changed, worms are still able to wreak havoc and keep system administrators up at night. Today the damage done by worms is far less visible and far less newsworthy but far more difficult to repair than in the past.
On November 2nd, 1988, Robert Tappan Morris launched an application ostensibly designed to count the number of systems on the Internet. It was designed to propagate across Unix systems by exploiting several vulnerabilities, including a conceptual flaw in how r-services (rlogin, rsh, and rexec) authenticate connections, the archaic remote debug feature in Sendmail, and a buffer overflow in the finger daemon. Due to a flaw in its design, the Worm attempted far more propagation attempts than were necessary, causing targeted machines to slow dramatically from resource starvation. Long story short, the then Mr. Morris was caught, found guilty, and sentenced to probation and community service.
Today’s worms, however, feel no need to make themselves known, and their authors don’t want to be visible. The authors want the worms to do one thing only, and that is make money. Modern worm authors will use any underlying transport mechanism that is available, eschewing operating system and programming language religious barriers maintained by more orthodox hackers.
Both of these quizzes are fun to take, and some of the results are surprising, as there are many unusual things in our world. Still, one should be careful about what one passes on to others. I scored 60% on the first quiz and 50% on the second one.
Test Urban Legend knowledge on Photos circulating (50 questions)
http://urbanlegends.about.com/library/bl_image_quiz.htm
Test Your Urban Legends knowledge on emails circulating
http://urbanlegends.about.com/library/bl_quiz1.htm
Internet Hoaxes - Best Practice of not forwarding email
http://msmvps.com/blogs/harrywaldron/archive/2008/10/30/internet-hoaxes-best-practice-of-not-forwarding-email.aspx
F-Secure is reporting a huge increase in dangerous ZIP file attachments. Multiple copies of malicious e-tickets and tracking statements have been received, and all copies should be deleted without opening any attachments or web links.
Malicious ZIP attachments increase in email
http://www.f-secure.com/weblog/archives/00001524.html
QUOTE: Over the last 48 hours we've seen a huge increase in zipped malicious email attachments being spammed. The subjects have been:
SUBJECT LINES TO AVOID
Your Tracking #xxxxxxxx (where xxxxxxx is a random number)
New Ticket #xxxxx (where xxxxx is a random number)
Accounts Operations Report
Your Statement between 1/1/08 and 10/30/08
QUOTE: The ZIP file typically contains a file that looks like a document (.DOC) but it is really an EXE, there's just a lot of whitespace between .DOC and .EXE. Some of these ZIP files are protected by a password which makes it more likely to be allowed through an email server. The password is always in the email message so that a user can easily see it. Using email attachments has made a comeback in popularity amongst malware writers during the last few months. We detect this latest batch as variants of the Worm:W32/Autorun family.
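A gateway or help-desk check for the attachment trick F-Secure describes above: a member name padded with whitespace so ".DOC" is visible and ".exe" is not, plus the password-protected (encrypted) member that a mail server cannot inspect. This is an added example, not F-Secure's code; the ZIP it scans is constructed in memory here, not a real attachment.

```python
from __future__ import annotations
import io
import os
import re
import zipfile

# Constructed sample modelled on the F-Secure description: the member name reads
# "Statement.DOC", then a long run of spaces, then ".exe". Not a real attachment.
PADDED_NAME = "Statement.DOC" + " " * 60 + ".exe"

# Extensions Windows will execute when the file is double-clicked.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def build_sample_zip() -> bytes:
    """Build an in-memory ZIP holding one disguised executable and one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(PADDED_NAME, b"MZ" + b"\x90" * 62)  # starts like a PE image
        zf.writestr("readme.txt", b"plain text, harmless")
    return buf.getvalue()


def member_findings(zf: zipfile.ZipFile, info: zipfile.ZipInfo) -> list[str]:
    """Return the reasons one ZIP member looks like a disguised executable."""
    findings = []
    name = info.filename
    real_ext = os.path.splitext(name)[1].lower()
    # Every dot-extension in the name, e.g. ['.DOC', '.exe'] for the padded name.
    exts = re.findall(r"\.[A-Za-z0-9]{1,4}(?=\s|\.|$)", name)
    if real_ext in EXEC_EXTS:
        findings.append(f"executable extension {real_ext}")
        if len(exts) > 1:
            findings.append(f"double extension {exts[0]} -> {real_ext}")
    if re.search(r"\s{2,}", name):
        findings.append("whitespace padding hides the real extension")
    if info.flag_bits & 0x1:
        # Encrypted member: content cannot be inspected; the password is
        # usually written in the mail body so the recipient can open it.
        findings.append("password-protected member (content not inspectable)")
    else:
        with zf.open(info) as fh:
            if fh.read(2) == b"MZ":
                findings.append("content starts with MZ (PE executable header)")
    return findings


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each member name to its findings; an empty list means nothing suspicious."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: member_findings(zf, info) for info in zf.infolist()}


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        print(repr(name), "->", reasons or "clean")
```

A member that is both encrypted and named this way should simply be quarantined; the name check alone is enough, since the padded whitespace has no legitimate use.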
It is important to address the root cause of security issues. This new program by McAfee targets cyber-criminals and will hopefully improve Internet safety.
McAfee Initiative to Fight Cybercrime
http://www.mcafee.com/us/about/corporate/fight_cybercrime/index.html
Focus 2008 - McAfee Security Conference
http://www.avertlabs.com/research/blog/index.php/2008/10/27/souvenir-of-las-vegas/
QUOTE: Last week, along with 1,200 attendees from 47 countries, I was in Las Vegas at the FOCUS’08 McAfee Security Conference. On Tuesday, after the welcome session in which McAfee CEO Dave DeWalt announced, among others, the McAfee Initiative to Fight Cybercrime,
I chose to hear my colleagues Toralv Dirro and Pedro Bueno present the state of cybercrime around the globe. In this session, the participants learned the actual methods used by cybercriminals: identity theft, phishing, password-stealing Trojans, virtual money laundering, and botnets.
Sunbelt has issued a warning for Win Defender 2009. Avoid any security related pop-ups unless it is an installed product on your PC. Use SHIFT + CTRL + ESC to invoke task manager to exit safely out of any unexpected pop-up, as any mouse click may potentially install the malicious agent.
Win Defender 2009 - New Rogue Security Program
http://sunbeltblog.blogspot.com/2008/10/new-rogue-win-defender-2009.html
Win Defender 2009 - Sunbelt Behavioral Analysis
http://research.sunbelt-software.com/threatdisplay.aspx?threatid=396823
http://research.sunbelt-software.com/threatdisplay.aspx?threatid=174153
QUOTE: A Rogue Security Program is software that purports to scan and detect malware or other problems on the computer, but which attempts to dupe or badger users into purchasing the program by presenting the user with intrusive, deceptive warnings and/or false, misleading scan results. Rogue Security Programs typically use aggressive, deceptive advertising and may be installed without adequate notice and consent, often through exploits.
Most Opera users can automatically update after being prompted. The latest version can also be found in the link at the bottom. This update addresses the following issues:
Opera 9.62 Change Log
http://www.opera.com/docs/changelogs/windows/962/
http://www.opera.com/support/search/view/906/
http://www.opera.com/support/search/view/907/
Opera Download Site
http://www.opera.com/download/
As a best practice, always resist the urge to forward unusual email messages to your friends. Controversial email topics serve as "bait" for hoaxes or for seeding malware to others. When in doubt, avoid sending these messages to others and research them more thoroughly if desired. If the email asks you to "pass this on to others", it is likely to be a hoax or to have an agenda behind it.
While a hoax may seem innocent, it can alarm your friends. It will certainly waste someone's time in reading or possibly researching the associated claims. Finally when true information is sent out, the recipient may ignore it thinking it's "yet another hoax".
Internet Hoaxes - Popular email myths continue to circulate
http://www.informationweek.com/news/internet/security/showArticle.jhtml?articleID=211300532
QUOTE: "These hoaxes use social engineering to trick people into doing what they otherwise wouldn't do," said Patrick Runald, chief security advisor for F-Secure, an Internet security firm. Graham Cluley, a senior security analyst with Sophos, a London-based security vendor, agreed. "The most successful hoaxes have been the ones that people had a real compulsion to forward. These things can't travel unless humans participate. And, unlike anti-virus software, we haven't found a way to upgrade the human brain," said Cluley.
Seven popular and persistent hoaxes circulating in email
1. Save Amanda Bundy
2. Petition to Ban Religious Broadcasting
3. Bill Gates' Millions Giveaway
4. Good Times Virus
5. The Last Tourist
6. Snowball, the Giant Mutant Cat of Ontario
7. Bigfoot Captured!
Snopes - Top 25 Urban Legends
http://www.snopes.com/info/top25uls.asp
Brand New Urban Legends being circulated in email
http://urbanlegends.about.com/od/reference/a/new_uls.htm
EXCELLENT QUIZ - 50 photos
(are they real or fake - scored 60%)
http://urbanlegends.about.com/library/bl_image_quiz.htm
Research Sites to verify unusual email claims
http://urbanlegends.about.com/
http://www.hoaxbusters.org/
http://www.snopes.com/
http://blogs.securiteam.com/index.php/archives/1150
QUOTE: This is Frequently Asked Questions document about new, recently patched RPC vulnerability in Microsoft Windows. The document describes related Trojan malwares as well.
All home and corporate users should ensure they are up-to-date on Windows security patches. A Windows Update should be performed if it's not an automatic process on your system. This emergency release became available on October 23, 2008.
So far, Troj/Gimmiv.A requires social engineering and some human intervention for the malware agents to load on unpatched Windows workstation and server operating systems. Usually, this requires visiting a malicious website or a mouse click to install the malicious software.
A true worm will infect vulnerable systems that are simply connected to the Internet or a Local Area Network automatically, without any human intervention. Examples of past true worms include Code Red, Blaster, SQL-Slammer, Sasser, etc. It should also be noted that some of these early variants were buggy and less effective than more streamlined later versions.
Hopefully, exploits related to MS08-067 will not become wormable. Still, users should not take a chance. By patching now, they will prevent infections if a wormable threat materializes later. Information on patching this security vulnerability can be found below:
Microsoft Security Bulletin - MS08-067 Information
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Gimmiv.A exploits critical vulnerability (MS08-067)
http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html
QUOTE: What needs to be clarified here, is that the exploit MS08-067 used by Gimmiv.A allows remote code execution, which makes it potentially "wormable". Considering that the vector of attack is RPC DCOM and the code is similar to typical RPC DCOM network-aware worms, which is used against other hosts in the network, Gimmiv.A is determined in this post as a worm. However, it could technically be classified as a network-aware trojan that employs functionality of a typical RPC DCOM network-aware worm to attack other hosts in the network.
First Glimpse into MS08-067 Exploits In The Wild
http://www.avertlabs.com/research/blog/index.php/2008/10/24/first-glimpse-into-ms08-067-exploits-in-the-wild/
Gimmiv - Additional Information Links
http://vil.nai.com/vil/content/v_152898.htm
http://community.ca.com/blogs/securityadvisor/archive/2008/10/27/ms08-067-wormable-vulnerability-patched.aspx
http://www.prevx.com/blog/101/MS--GimmivA-exploits-Windows-bug.html
http://security.blogs.techtarget.com/2008/10/24/worm-exploiting-ms08-067-rpc-vulnerability/
https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&thread.id=174
http://www.networkworld.com/community/node/34429
http://www.precisesecurity.com/threats/trojangimmiva/
http://www.csoonline.com/article/456980/Gimmiv_Worm_Feeds_on_Latest_Microsoft_Bug
http://www.sophos.com/security/analyses/viruses-and-spyware/trojgimmiva.html
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=74604
http://www.threatexpert.com/reports.aspx?find=gimmiv
http://www.frsirt.com/english/virus/2008/06423

I'm hopeful to participate in future beta testing during the coming year. This article provides some of the first examples of screens in the preview version of Windows 7.
Windows 7 Revealed: 24 Screen Shots Of Microsoft's Next Operating System
http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=211601289
Windows 7 Preview - 24 Screen Shots
http://www.informationweek.com/galleries/showImage.jhtml?galleryID=268&articleID=211601289
QUOTE: Microsoft on Tuesday took the wraps off the preview version of Windows 7, which will be the successor to Vista. Julie Larson Green, Microsoft's vice president for Windows experience, hosted a demo in which she walked attendees through the features of the operating system.
At first glance, Windows 7 maintains the streamlined look of Vista, but appears more muted -- even Windows XP-like. Mostly, Microsoft seems to be focusing more on functionality, possibly in a bid to put some distance between Windows 7 and the criticisms which have dogged Vista.
Windows 7 Beta Due In Early 2009
Microsoft issues emergency security patch MS08-067
PATCH NOW -- This is especially true if you use XP, as there is potential for WORMABLE exploits to develop that can take over vulnerable PCs without any user action (most exploits require a mouse click or other action).

Blaster and Sasser are examples of past worms that could infect vulnerable systems simply by connecting them to the Internet. Thankfully, there are no exploits like this currently circulating, but if there's a hole in the roof one should not wait for it to rain. Hopefully these concerns won't materialize, but it's important to always stay up-to-date on security updates.
Microsoft issues emergency security patch MS08-067
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
QUOTE: This security update resolves a vulnerability in the Server service that affects all currently supported versions of Windows. Windows XP and older versions are rated as “Critical” while Windows Vista and newer versions are rated as “Important”. Because the vulnerability is potentially wormable on those older versions of Windows, we’re encouraging customers to test and deploy the update as soon as possible.
His biggest fear, he said, is that a worm will be developed to take over vulnerable machines en masse. And he fully expects that to happen. "You're talking about a vulnerability that does not need user interaction," he said. "That's a gold mine if you're trying to build a botnet."
Additional articles and information
http://isc.sans.org/diary.html?storyid=5227
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=211600270
http://blogs.technet.com/msrc/archive/2008/10/23/ms08-067-released.aspx
The Firefox NoScript extension was recently updated to add a new protective feature called ClearClick. It is designed to detect the clicking of any hidden objects that might be found on a malicious webpage.
NoScript upgrade stops clickjacking attacks in Firefox
http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=105510&pn=2
QUOTE: NoScript, the security add-on for Firefox, has been upgraded to protect against clickjacking. The new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the web page. It then displays a warning message asking the user if they still want to click on it. Maone said ClearClick will likely stop all clickjacking attempts.
While clickjacking is not a new concept, it's gaining popularity as a technique used by malicious websites. Since an iFrame is a logical division of a webpage, the approach is to create a "transparent iFrame page" that lines up exactly with the real web page being accessed. The buttons in the "invisible iFrame page" sit on top of the buttons in the real web page. When the user clicks on a button, they may unknowingly allow malicious software to be downloaded or allow their security at the true site they were trying to access to become compromised.
The Adobe Flash facility is one of the most widely installed software products in the world, as it's used by all major browsers. Adobe Flash (v9 and lower) is vulnerable to these attacks and it's a popular method now being used to achieve clickjacking. To stay protected from this threat, users should move to Adobe Flash v10, keep AV protection updated, keep all O/S and browsers updated, and avoid risky websites.
Clickjacking - What is it?
http://www.avertlabs.com/research/blog/index.php/2008/10/15/clickjacking/
http://en.wikipedia.org/wiki/Clickjacking
http://www.mxlogic.com/itsecurityblog/1/2008/10/What-is-ClickJacking.cfm
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115818
http://blogs.zdnet.com/security/?p=1972
http://www.securityfocus.com/news/11534?ref=rss
http://www.schneier.com/blog/archives/2008/10/clickjacking.html
QUOTE: Let’s use an example. You have a web page A controlled by an attacker. A contains an IFRAME element B. In a clickjack attack, B would be set to transparent and the z-index property of the layer set to higher than other elements of page A via CSS. B will also need to be so big that the user can click its content. The attacker can then place any button to do anything he wants in B. Then the attacker can place some buttons on page A. The location of the buttons in B must match the buttons in A. So when the user clicks on a button on page A, they are actually clicking the button in B because the z-index property of B’s buttons is higher than A’s buttons. This attack uses DHTML, does not require Javascript, so disabling Javascript will not help.
This vulnerability affects multiple web browsers. Unfortunately, no patch for it is currently available, so users should be careful. The vulnerability has also been found to affect Adobe Flash Player, the most popular rich media internet application today. Adobe has released a security advisory and provided a workaround.
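The overlay pattern described in the quote above and in the earlier NoScript post (a transparent IFRAME B with a higher z-index laid over page A) can be recognised statically from inline styles when reviewing a suspect page. This is an added example, not code from NoScript or from the quoted posts; ClearClick itself works differently, by comparing what the user sees with what they are about to click. The sample page A and its hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the quoted description: page A shows a visible
# button, and a transparent, oversized, high-z-index IFRAME B is laid over it.
# Hostnames are placeholders, not real sites.
SAMPLE_PAGE_A = """
<html><body>
  <button style="position:absolute; top:100px; left:100px; z-index:1">
    Click to claim your prize
  </button>
  <iframe src="https://real-site.example/account/settings"
          style="opacity:0; position:absolute; top:0; left:0;
                 width:100%; height:100%; z-index:10"></iframe>
  <iframe src="https://video.example/embed/123"
          style="width:320px; height:240px"></iframe>
</body></html>
"""

FRAME_TAGS = {"iframe", "frame", "object", "embed"}


def parse_style(style: str) -> dict:
    """Turn an inline style string into a {property: value} dict (lower-cased)."""
    decls = {}
    for part in style.split(";"):
        if ":" in part:
            prop, value = part.split(":", 1)
            decls[prop.strip().lower()] = value.strip().lower()
    return decls


def is_invisible(decls: dict) -> bool:
    """True if the element is drawn (almost) fully transparent: it still receives
    clicks, but the user cannot see it."""
    try:
        if float(decls.get("opacity", "1")) <= 0.1:
            return True
    except ValueError:
        pass
    # Legacy IE syntax for the same effect: filter: alpha(opacity=0)
    return "alpha(opacity=0)" in decls.get("filter", "").replace(" ", "")


def z_index(decls: dict) -> int:
    try:
        return int(decls.get("z-index", "0"))
    except ValueError:  # e.g. "auto"
        return 0


class OverlayFinder(HTMLParser):
    """Collect framed elements whose inline style matches the overlay pattern."""

    def __init__(self) -> None:
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in FRAME_TAGS:
            return
        a = dict(attrs)
        decls = parse_style(a.get("style") or "")
        if not is_invisible(decls):
            return  # a visible frame is ordinary embedding, not an overlay
        reasons = ["transparent"]
        if z_index(decls) > 0:
            reasons.append(f"z-index {z_index(decls)} stacks it above page content")
        if decls.get("position") in ("absolute", "fixed"):
            reasons.append("absolutely positioned over the page")
        if len(reasons) > 1:
            self.findings.append({"tag": tag, "src": a.get("src"), "reasons": reasons})


def find_clickjack_overlays(html: str) -> list:
    """Return one dict per frame that is transparent and stacked/positioned over page A."""
    parser = OverlayFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in find_clickjack_overlays(SAMPLE_PAGE_A):
        print(f["tag"], f["src"], "->", "; ".join(f["reasons"]))
```

Real pages may set these properties in an external stylesheet or from script, which this inline-only heuristic will miss; treat a hit as a reason to inspect the page, not as proof.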
Clickjacking - Adobe recommended workarounds (move to version 10)
http://msmvps.com/blogs/harrywaldron/archive/2008/10/16/adobe-flash-version-10-security-release-fixes-many-bugs.aspx
http://www.adobe.com/support/security/advisories/apsa08-08.html
http://www.adobe.com/support/security/bulletins/apsb08-18.html
This new version addresses Flash "clipboard jacking" and other recent security concerns. It is working well in early testing with XP SP3. Corporate users should carefully pilot test with their client/server and web applications prior to rolling it out to everyone.
Adobe Flash Version 10 - Security Release Fixes Many Bugs
http://blogs.pcmag.com/securitywatch/2008/10/flash_updates_fix_many_bugs.php
Adobe Flash 10.0.12.36 - System Requirements
http://www.adobe.com/products/flashplayer/systemreqs/
Adobe Security Advisory
http://www.adobe.com/support/security/advisories/apsa08-09.html
Adobe Flash Version 10 - Download Page (carefully follow directions)
http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash
QUOTE: New versions of Flash Professional and the Flash Player were released today. The new Flash 10 player implements, among other new features, the ability to turn off clipboard access for Flash programs, and turns on this setting by default. This ability had recently become badly abused by malicious web sites as a cross-platform attack known as "Clipboard-Jacking." In all likelihood it has a new set of vulnerabilities as well.
ADDITIONAL LINKS
http://msmvps.com/blogs/spywaresucks/archive/2008/10/16/1650962.aspx
http://blogs.pcmag.com/securitywatch/2008/09/adobe_to_plug_clipboardjacking.php
http://blogs.adobe.com/psirt/2008/10/security_bulletin_for_flash_pl.html
This release is for experienced developers only, as in any beta offering. Pilot test only and don't use for production purposes.
Firefox 3.1 Beta release
http://www.mozilla.com/en-US/firefox/all-beta.html
Firefox 3.1 Beta Release Notes
http://www.mozilla.com/en-US/firefox/3.1b1/releasenotes/
US Download link
http://www.mozilla.com/en-US/products/download.html?product=firefox-3.1b1&os=win&lang=en-US
Note - Please be careful during the install, as FF 3.1b can become your default browser if you don't notice and uncheck the default browser option. If desired, IE 7/8 can be reset as the default browser, as follows:
Tools >> Internet Options >> Programs >> Default Web Browser
There are definitely lots of important and critical updates to Windows, IE, Office, etc. These updates should be pilot tested and deployed quickly, as some of these vulnerabilities have been exploited in the past. So far, these updates are working well at both home and work.
MS08-056: Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)
Affects: Microsoft Office XP
Link: http://www.microsoft.com/technet/security/bulletin/ms08-056.mspx
MS08-057: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)
Affects: Microsoft Excel 2000/XP/2003/2007, Excel Viewer, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Sharepoint Server 2007, Office 2004/2008 for Mac
Link: http://www.microsoft.com/technet/security/bulletin/ms08-057.mspx
MS08-058: Cumulative Security Update for Internet Explorer (956390)
Affects: Internet Explorer
Link: http://www.microsoft.com/technet/security/bulletin/ms08-058.mspx
MS08-059: Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)
Affects: Host Integration Server 2000/2004/2006
Link: http://www.microsoft.com/technet/security/bulletin/ms08-059.mspx
MS08-060: Vulnerability in Active Directory Could Allow Remote Code Execution (957280)
Affects: Windows 2000 Server
Link: http://www.microsoft.com/technet/security/bulletin/ms08-060.mspx
MS08-061: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)
Affects: Windows 2000, XP, Server 2003, Vista, Server 2008
Link: http://www.microsoft.com/technet/security/bulletin/ms08-061.mspx
MS08-062: Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)
Affects: Windows 2000, XP, Server 2003, Vista, Server 2008
Link: http://www.microsoft.com/technet/security/bulletin/ms08-062.mspx
MS08-063: Vulnerability in SMB Could Allow Remote Code Execution (957095)
Affects: Windows 2000, XP, Server 2003, Vista, Server 2008
Link: http://www.microsoft.com/technet/security/bulletin/ms08-063.mspx
MS08-064: Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)
Affects: Windows 2000, XP, Server 2003, Vista, Server 2008
Link: http://www.microsoft.com/technet/security/bulletin/ms08-064.mspx
MS08-065: Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)
Affects: Windows 2000 Service Pack 4
Link: http://www.microsoft.com/technet/security/bulletin/ms08-065.mspx
MS08-066: Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)
Affects: Windows XP, Server 2003
Link: http://www.microsoft.com/technet/security/bulletin/ms08-066.mspx
KB956391: Cumulative security update for ActiveX Killbits
Affects: Windows 2000, XP, Server 2003, Vista, Server 2008
Link: http://support.microsoft.com/kb/956391
Additional links below:
Microsoft: http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx
ISC: http://isc.sans.org/diary.html?storyid=5180
Sunbelt is continuing to warn on three brand new variants from the AntiVirus 2009 family. These products try to simulate legitimate security products and will infect vulnerable systems.
Antivirus 2010 and other fake security products continue
http://sunbeltblog.blogspot.com/2008/10/new-rogue-antivirus-2010.html
http://sunbeltblog.blogspot.com/2008/10/new-rogue-rapid-antivirus.html
http://sunbeltblog.blogspot.com/2008/10/new-rogue-xp-antispyware-2009.html
QUOTE: Antivirus 2010 is a new rogue security product. This rogue is a clone evolved from IEdefender that begat XP Antivirus, that begat Antivirus 2008, that then begat Antispyware 2009
Trend Micro is continuing to see more variants of Antivirus 2009 in the wild using these tactics to frighten users (the new term "scareware" has been coined for this). Unfortunately, inexperienced users may believe it's their true AV system that's creating these messages. They may become infected by following "the yellow brick road" of prompts that eventually load these malicious agents.
Keeping AV protection updated is important. However, the malware agent is constantly changing, with new variants released to avoid AV detection (e.g., different packing algorithms, changed MD5 hashes, HTML changes, etc.).
Please be careful with all email and websites.
AntiVirus 2009 - BSODs and Fake Reboot continue in new variants
http://blog.trendmicro.com/rogue-av-tactics-continue-to-threaten/
QUOTE: October has just begun and Trend Micro threat researchers keep seeing more and more — slightly different, but yet increasingly more annoying — variations to the set of rogue AV infection signals we have been documenting on this blog.
This variant is an ongoing iteration of the Antivirus 2009 campaign and is detected as TROJ_FAKEAV.SV. It is nice to see Microsoft and the State of Washington going after scareware purveyors. We completely support efforts to bring these criminals to justice.
Some Past references
http://blog.trendmicro.com/rogue-av-theatrics-on-extended-run/
http://blog.trendmicro.com/a-million-search-strings-to-get-infected/
Use of Task Manager to close pop-up messages more safely
http://msmvps.com/blogs/harrywaldron/archive/2008/08/22/malware-close-encounters-close-pop-ups-using-task-manager-to-safely-exit.aspx
PC Magazine's security blog notes that new documentation has been released for Microsoft's security update facilities.
Staying up-to-date on Microsoft and ALL other software is essential in staying secure.
All About Windows Update
http://blogs.pcmag.com/securitywatch/2008/10/all_about_windows_update.php
PC Magazine's Security Blog
http://blogs.pcmag.com/securitywatch/
QUOTE: Microsoft has released a paper entitled "Windows Update Explained". It talks about what Windows Update is and how it works. There are no big surprises here for those already fairly familiar with the various Microsoft updating technologies, but it's good to have one simply-written description of what their various updating technologies are and what the important points are of how they work.
For instance, it talks about what the important default settings are, there's a brief description of what WSUS (Windows Software Update Services) is and why you might want it, what the difference is between Windows Update and Microsoft Update, and some things you might expect to see in Windows Update over time, such as updates to the updating software itself.