November 2008 - Posts
The first Monday following Thanksgiving is desinated as "Cyber-Monday". Many firms will lower prices to encourage e-commerce transactions and it's important to shop as safely as possible while online. Five key tips include:
1. Does your employer permit this?
2. Be cautious with all links and email messages
3. Conduct e-commerce with mainstream sites that use secure server technology
4. Use credit card rather than debit card,
5. Maintain your privacy at all times
Cyber Monday - Tips for shopping safely online
Cyber Monday - Home Page
Cyber Monday - FAQs
The GpCode family is a dangerous form of malware which can permanently destroy files by encyrpting them. The capability for AV products to de-crypt files vary and can't be relied on in all cases, especially when complex encryption techniques are used.
Based on past ransomware threats, users should avoid paying the ransom of £200 (US$307). The folks on the other end are not trustworthy (e.g., decoding key may not be received, credit card info may be further misused, etc).
It is better to recover from backup in a worse case scenario. This threat illustrates the need to have a good backup of all important files to offline media (e.g., backup tapes, CD-R, DVD, USB drives, etc).
New GPcode Trojan Holds Victim’s Files Hostage
QUOTE: It searches and encrypts files found on any readable and writable drive on the system, rendering them inaccessible (without the encryption key). It also changes the file name of the encrypted files, by adding the .XNC extension.
It also drops the file READ THIS.TXT in each folder that contains an encrypted file. This file informs the victim that the files have been encrypted, and that a decrypting tool must be purchased to decrypt the files. Email addresses are also included in the text file, which the victim must contact to obtain the decryption tool.
Accordingly, the perpetrator of this crime demands £200 (US$307) for the decryption services. Users are strongly advised to back up their files so as not to be victimized by ransomware.
What is Ransomeware?
The Secunia Personal Software Inspector (PSI) tool is highly recommended for home users. This FREE product evaluates all major software components on a PC, to ensure they are up-to-date on security patches. While many vendors automatically update their software, most users will almost always have a few updates that are required. PSI is a beneficial tool to provide a fast and comprehensive evaluation of any needed security patches.
Secunia Personal Software Inspector (PSI) 1.0 released
QUOTE: Though the PSI so far has been in beta, it has received a huge amount of praising words like these from ZDNet in a review of 10 essential security tools: “Number one is the Secunia Personal Software Inspector, quite possibly the most useful and important free application you can have running on your Windows machine”.
Version 1.0 of the PSI is somewhat more mature and bug free (as far as we know) compared to the first version, which only ran on XP 32bit. Today, it runs on 2000, XP 32/64bit, and Vista 32/64bit.
Download site - Personal Use only
Release version: 22.214.171.124 (Final)
Last release: 25th Nov. 2008
File size: 532,688 bytes
Trend Micro is warning that a rouge version of Housecall is circulating. This popular free on-line virus detection and cleaning facility has been offered for years. A rouge version is circulating that appears to work almost exactly as as the official tool. It is best to use the link below or go directly to Trend Micro's site for the proper link.
Bogus ‘HouseCall’ Search Results Lead to Adware
QUOTE: Not surprisingly, the system scanning is completely fake. In actuality, the page linked to in the initial resulting Google search - along with other pages from the same domain - all point to a file detected by Trend Micro as ADW_FAKEAV. This is the software that tries to dupe victims into believing that their systems are infected with some sort of bogus malware and the prompts them to pay for a full license of a fake antivirus application in order to remove the fake threat.
Trend Micro - Official Housecall Link
MS08-067 worm developments have continued by malicious authors, since Microsoft made this security patch available on October 23, 2008. The latest development ramps up the danger, as this new worm will delete system restore points, creates a backdoor to download more malicious code, and it even patches the RPC vulnerability to further disquise it's presence.
While AV protection and firewalls can mitigate attacks to port 445, the best defense is to ensure all PCs are up-to-date for Microsoft security changes. For example, an unpatched PC might become infected if their firewall fails or isn't active when connected to the Internet. If this worm were present on a laptop, it could infect unpatched corporate web servers and PCs if Intranet firewall controls are missing.
This new worm represents the most advanced MS08-067 attacks to date. As noted in every link, it's important to PATCH NOW if you have any systems that don't have this update.
New malware using an ms08-067 exploit gained momentum
QUOTE: First let me say, “PATCH your systems” if you have not done so already! Seriously, you and your machines are sitting ducks for attacks such as MS08-067, which we learned about from Microsoft last month. This type of attack is especially dangerous if your Windows Updates or security products are not up to date. Microsoft released its out-of-cycle emergency patch on the 23rd of October–more than one month ago–so you have no excuse today for being at risk!
According to the description in our Virus Information Library, W32/Conficker.worm decides how it will load itself as a Windows Service depending on whether the compromised version of Windows is Windows 2000. Once loaded in the service space, the worm attempts to download files from the Internet.
The worm continues by setting up an HTTP server that listens on a random port on the victim’s system while hosting a copy of the worm. It then scans for new vulnerable victims to exploit, at which point the new victim will download the worm from the previous victim and so on.
W32/Conficker.worm Detailed Information
Trend - Behavioral Diagram
PATCH NOW - if there are any servers or PCs that are not update for Microsoft security releases. Home users can employ the Windows Update process. More information can be found in the link below:
MS08-067 Security Patch Information
I received a copy of this email chain letter circulating and initially thought it was a wonderful idea. When I saw the "Pass it on" phrase, I checked Snopes to be sure it was true and was surprised to discover these cards would not be delivered randomly to our wounded service men and women. However the Red Cross has a better solution noted in green below.
Security concerns are the key reason this email approach won't work. The US Post Office will NOT accept mail addressed to "Any Soldier". They feel random mail of this nature could be potentially misused to cause further harm for our troops.
Email Hoaxes - Christmas cards to Anonymous Soliders
A copy of this email message is noted below:
SUBJECT: A Great Idea
EMAIL TEXT: GREAT IDEA!! When doing your Christmas cards this year, take one card and send it to this address. If we pass this on and everyone sends one card, think of how many cards these wonderful special people who have sacrificed so much would get.
When you are making out your Christmas card list this year, please include the following:
A Recovering American Soldier
c/o Walter Reed Army Medical Center
6900 Georgia Avenue,NW
If you approve, please pass it on.
However, there is a REAL and SAFE way we can show our concerns and appreciation:
Holiday Mail for Heroes
Please follow these guidelines when mailing a card to ensure that your card will quickly reach service members, veterans and their families:
Holiday Mail for Heroes
PO Box 5456
Capitol Heights, MD 20791-5456
Card Guidelines -- Every card received will first be screened for hazardous materials by Pitney Bowes and then reviewed by Red Cross volunteers working in one of 16 sorting stations around the country.
-- All cards must be postmarked no later than Wednesday, December 10, 2008. Cards sent after this date will be returned to sender.
-- Participants are encouraged to limit the number of cards they submit to 25 from any one person or 50 from any one class or group. If you are mailing a larger quantity, please bundle the cards and place them in large mailing envelopes. Each card does not need its own envelope or postage.
-- Please ensure that all cards are signed.
-- Please use generic salutations such as “Dear Service Member.” Cards addressed to specific individuals can not be delivered through this program.
-- Please send cards as opposed to long letters which delay a quick review process.
-- Please do not include email or home addresses on the cards, as the program is not meant to foster pen pal relationships.
-- Please do not include inserts of any kind, including photos, as these items will be removed during the reviewing process.
-- All cards received may be used in program publicity efforts, including appearing in broadcast, print or online mediums.
Thanks Microsoft for adding this to Malicious Software Removal Tool (MSRT). This AV family is prevalent in-the-wild. Due to SQL-Injection and Flash based exploits, AntiVirus 2008 malware advertisements can sometimes be found even on relatively safe and trusted sites.
CLOSE ENCOUNTERS OF THE MALWARE KIND: On Monday, I cleaned multiple variants from one a family member's new Dell Vista system. The 90 day Norton Internet suite (NIS) had expired and there was no active protection. This led to having no firewall, AV protection, etc. To solve this issue, I uninstalled NIS and added back the free Vista version of Avast. Every aspect of the Vista Security Center was returned "green" again, after a full scan of the hard drive.
Microsoft MSRT - Detection for AntiVirus 2008 family added in November
QUOTE: Rouge is software tells you that your system is crawling with bad stuff (for free!) and then offers to remove it for you (that’ll cost you). Of course the stuff they report is completely bogus; they are incapable of finding any real malware. What’s more they can be very insistent, repeatedly displaying popup warnings that make it virtually impossible to use your machine unless you pay to “register” the program. Apart from extorting money from innocent people, which is bad enough, this behaviour adds to the amount of FUD (fear, uncertainty and doubt) in the online community.
AVERT Labs (McAfee) has highlighted an increase in malware dangers associated with infected USB based media. Be careful of any device you plug into your PC and ensure it is first free of viruses (especially if others use your PC and plug devices into it)
USB Media - Major Increase in Autorun based malware
QUOTE: Over the years, floppy disks have since been replaced by thumb drives, portable hard drives, flash media cards and other forms of removable data storage. These removable devices of today can hold 10,000 times more data than yesteryears floppy disks. Not only can they store more data, today’s removal storage devices are smart with the ability to run portable software programs or boot an entire operating system.
Given the popularity of removable storage media, virus authors were quick to realize the potential of using this as an infection vector. And they are greatly aided by a convenience feature in operating systems called “AutoPlay” that exists to automagically launch the content in a removable disk without any user interaction.
Another related article:
Under Worm Attacks, US Army Bans USB Drives
QUOTE: Under sustained attack from what is described as a rapidly spreading network worm, the U.S. army has banned the use of USB sticks, CDs, flash media cards, and all other removable data storage devices
The use of URL Scan v3.0 in a standalone mode or using this built in facility within IIS can help mitigate attacks until web applications are strengthened to properly check objects being input for SQL-Injection scripts. There are also some good non-Microsoft filtering systems that can help block these automated attacks.
Large quantity SQL Injection mitigation
As botnets and other automated tools are hammering at websites trying to exploit SQL injection vulnerabilities, site operators are trying hard at defending their websites. ASProx and other botnets were hitting hard at the ASP + MS SQL platform, millions of websites fell victims to the SQL injection vulnerabilities already. Although there has been a decline of wild SQL scanning by ASPRox type of botnet, we are still not in the clear yet. The unauthenticated portion of some sites might be secure, but the authenticated portion might be totally vulnerable.
A short term remediation to SQL injection can be web application firewall. Web application firewall (WAF) is similar to a network firewall except it also inspect the application layer information, such as cookies, form fields and HTTP headers. With Microsoft IIS as web server, one of the quickest and easiest WAF solution maybe Microsoft's Urlscan, it is an addon to IIS5 and built-in for later versions of IIS. Urlscan runs as an ISAPI filter, so it can be easily deployed and removed.
The AntiVirus 2008 family has been used as a model for numerous "scareware" attacks. These fraudulent products generate fake security messages to convince users to purchase their "cleaning tools". These products are not true security packages and mainly are designed to take money from any victims that participate.
Sunbelt is warning of new attacks from a rouge product called "Virus Trigger". These attacks are usually experienced by visiting a compromised website. If you encounter security pop-ups from a rouge program, use CTRL + SHIFT + ESC to close the pop-up dialog using Task Manager.
SUNBELT - New rogue: Virus Trigger
QUOTE: Virus Trigger is a new rogue security product and a near clone of VirusResponse Lab 2009.
VirusResponse Lab 2009 - Virus Trigger is similar to this threat
The article below notes that FUD (Fear, Uncertainty, and Doubt) may be used to "sell the need for security" to home users or even in some organizations. FUD means that exaggerated claims are used to alarm folks into making security decisions. However, I believe most corporate security professionals (as least those I've worked with) thoroughly research options and present as much factual information as possible to IT management.
Corporate security is a business requirement. Granted, it's sometimes difficult to ascertain and quantify in real dollar terms. It entails risk management to address potential losses in a cost effective manner. The potential consequences of not acting to address true exposures should be shared in a professional manner without the use of FUD.
In some respects, it's important to occasionally "cry wolf" when major exposures surface. However, as the article notes, It's important to be factual and "to keep the powder dry" in over-alerting folks to maintain credibility.
If there's a strong potential of attacks for a highly vulnerable exposure, IT Security needs to be alert all affected areas to work pro-actively in preventing it. You always want to "patch the roof before it rains", which could be immediately or several weeks away.
I agree with some of the constructive criticism noted in the article. Security professionals need to apply due diligence in properly researching solutions. The use of facts rather than FUD over time will improve management's perception of IT security as the critical business resource it has become.
Security Reference Guide - Three Reasons Why Users Won't Buy Into Security
QUOTE: As if to bolster the viewpoint that the security community only has fear to offer their users, when was the last time you every heard anything good about a security solution or process. For example, have you ever seen the headline "XYZ Firewall Prevent Hackers from Blowing Up a Power Plant!?" Unlikely. Instead, security related news that does make it to the general community deals with viruses, malicious hackers, and scary scenarios that paint a really bad picture of the digital world. Ultimately, it is fairly obvious that FUD tactics are the primary method by which the security industry obtains and maintains their consumers.
A malware package orginating from China now offers an exploit for the Windows MS08-067 security vulnerability patched during a special October emergency release. This product is sold in the underground markets for around $37.80, although the license notes this tool is for pen-testing only.
All corporate and home users must stay up-to-date on security patches, as some vulnerabilities are being actively exploited. MS08-067 Exploit - Featured in Chinese commercial malware kit http://www.avertlabs.com/research/blog/index.php/2008/11/14/exploit-ms08-067-bundled-in-commercial-malware-kit/ QUOTE:
Probably the most widely reported topic in the Chinese Security community this month will be the availability of a commercial MS08-067 attack pack, customized for Chinese users. On October 26th, 2008, exploit code was posted on to a well-known public repository site. In a few days, malware kit author, WolfTeeth, was quick to sell a MS08-067 port scanning tool with attack capability to his “customers”, using free code from the Internet.
Both kits offers a free version, and a commercial version with enhanced features including:
• Kernel rootkit.
• Anti-virus software termination.
• Weekly anti-virus detection monitoring and evasion service.
• Web DDOS attack option
Cloud Computing is a growing trend in the industry and this article from Computerworld provides a good overview of concerns. This computing approach uses hosted applications from a provider over the Internet as the networking backbone. While the article touches on security issues, any cloud computing solution must consider security as a prominent issue as well.
Stormy weather: 7 gotchas in cloud computing
QUOTE: Here are seven turbulent areas where current and potential users of cloud computing need to be particularly wary:
1. Costs, Part I: Cloud Infrastructure Providers
2. Costs, Part II: Cloud Storage Providers
3. Sudden Code Changes
4. Service Disruptions
5. Vendor Expertise
6. Global Concerns
7. Non-native Applications
Cloud Computing - Additional Information
Some early reviews of Windows 7, which is slated to become Microsoft's future client Operating Sytem.
Windows 7 Preview - In-depth review by ZDNet
QUOTE: Excerpts below from this review are noted below:
INSTALLATION -- Installing Windows 7 is quick … very quick! I managed to get Windows 7 installed and ready to go in under 15 minutes on one system - a time that makes Vista seem like a lumbering dinosaur. Beyond the speed boost, the setup process for Windows 7 Build 1601 is pretty much the same as for Vista.
PERFORMANCE -- Once I’d recovered from shock of the speed of the install (I’d set aside 45 minutes, and was done in 15!), I was next struck by how fast Windows 7 is. There’s none of the sluggishness and lag that I remember with early builds of Vista and XP. Everything is snappy and responsive … Start Menu, Control Panel applets, applications … everything.
SECURITY IMPROVEMENTS -- It seems that Microsoft has taken on board the constructive criticism it received over User Account Control (UAC) and provided users with setting to make it less annoying. Windows 7 provides four settings, ranging from “Always notify” to “Never notify.” The default setting is “Only notify me when programs try to make changes to my computer,” which seems to offer a happy middle ground. Windows Update now more clearly shows patches to be installed.
UI IMPROVEMENTS -- The UI is also cleaner, and little tweaks such as clicking in the bottom right hand corner of the taskbar to get to the desktop makes more sense than having a separate icon and so on. Little things like this make the UI cleaner and ultimately easier to use. If there’s one word to describe the Windows 7 UI it’s this - Unfinished! In fact, using Windows 7 puts you in a wierd wonderland of Vista mixed in changes for Windows 7.
The recent Adobe 8 PDF vulnerability is being exploited in-the-wild. Please PATCH NOW, as early AV detection is non-existent -- although it's being added now based on these new attacks. The patch required a 46MB download and after installation a reboot is required.
Adobe 8 PDF Vulnerability exploited in-the-wild
QUOTE: One of our readers, Wayne Dilly, sent couple of malicious PDF documents to us. Wayne noticed that some machines got infected and wondered if the PDF documents exploited the vulnerability patched by Adobe couple of days ago (CVE-2008-2992).
And indeed – at the time of writing this article, according to VirusTotal 0 (yes – ZERO) AV products detected this malicious PDF. Very, very bad.
Adobe Security Bulletin directory
Adobe 8 - Updates now available
Please avoid any links or videos related to this historic speech and only view this as desired from a trusted website source and not from an email link:
President-Elect Obama Video - Malware version in-the-wild
QUOTE: Less than twelve hours after President-Elect Obama's historic acceptance speech, computer criminals have already crafted a malware attack based on the speech. The UAB Spam Data Mine has observed more than 300 spam messages which invite email readers to view the speech with a spam message ...
SUBJECT LINES TO AVOID:
A new president, a new congress ...
Barack Obama wins
Can Obama win popular vote but lose election?
Did Obama Win Yet?
Election 2008: Time lapse of U.S. counties
Election Center 2008 - Election Results
Election Night Results
Fear of a Black President
Obama win an Electoral College majority
Obama win Defined by Race
Obama win preferred in world poll
Obama win sets stage for showdown
Obama Wouldnt Be First Black President
Obama's Win Reshapes the Race
Priorities for the New President
Priorities for the New President - TIME
The new President's cabinet?
USA Election 2008 Results
Will American Voters Elect a Black President
World Welcomes Obama's Win
SENDER NAME spoofed as:
news @ cnn.com
news @ usatoday.com
news @ online.com
news @ c18-ss-1-lb.cnet.com
news @ president.com
news @ unitedstates.com
news @ bbc.com
More evidence that the initial buggy and trojan horse based attacks are being refined by the bad guys into a true Internet based worm. If you haven't performed a Windows Update since October 23rd, it's important to do so immediately.
MS08-067 - First Worm Exploiting unpatched systems in the Wild
QUOTE: Code building on the proof of concept binaries that were mentioned last week has moved into the wild. We've received the first reports of a worm capable of exploiting the MS08-067 vulnerability. The exploit payload downloads a dropper that we detect as Trojan-Dropper.Win32.Agent.yhi.
The dropped components include a kernel mode DDOS-bot that currently has a selection of Chinese targets in its configuration. he worm component is detected as Exploit.Win32.MS08-067.g and the kernel component as Rootkit.Win32.KernelBot.dg.
Users should ensure their AV protection is up-to-date, as a new variant of this highly stealth rootkit was launched during late October. Approximately 510,000 bank and credit card accounts have been impacted based on analysis so far. Removal of MBR based malware is always difficult and may ultimately require a complete reformatting of the hard drive and reinstallation of all software. It appears to spread through web based exploits, and users should be cautious with weblinks in email or sites that they visit.
Win32/Sinowal - MBR Rootkit with Password stealer impacts 500,000 accounts
QUOTE: A single cyber crime group has stolen more than a half million bank, credit and debit card accounts over the past two-and-a-half years using one of the most advanced strains of computer spyware in existence, according to research to be published today. The discovery is among the largest stolen data caches ever recovered.
HOW IT SPREADS: When an unsuspecting Windows user visits one of these sites, the code left on the site tries to install the Trojan using one of several known Web browser security holes, such as vulnerabilities found in popular video and music player plug-ins like Macromedia Flash and Apple's QuickTime player.
IMPACT: RSA investigators found more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information on Web servers the Sinowal authors were using to set up their attacks
REMOVAL IS COMPLEX: Sinowal also is unique in that hides in the deepest recesses of a host computer, an area known as the "Master Boot Record." The MBR is akin to a computer's table of contents, a file system that loads even before the operating system boots up. According to security experts, many anti-virus programs will remain oblivious to such a fundamental compromise. What's more, completely removing the Trojan from an infected machine often requires reformatting the system and wiping any data stored on it.
Additional information below:
Win32/Sinowal - Rootkit based Password stealer
QUOTE: Win32/Sinowal is a family of password-stealing and backdoor trojans. These trojans may try to find a cryptographic certificate on the infected computer and install a certificate on the computer to mislead users in Secure Sockets Layer (SSL) Web transactions. Some Win32/Sinowal components may also use advanced stealth functionality, or try to perform certain operations from the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls
More Posts Next page »