December 2008 - Posts
While I'm personally eager to explore Windows 7's new security controls and functionality, these pirated copies of W/7 should be avoided. Anyone interested in exploring this new operating system should wait patiently until a genuine public release emerges that is supported by Microsoft's beta program. According to the article, the first public W/7 beta should emerge in early 2009.
Windows 7 beta leaks to Internet
QUOTE: December 27, 2008 (Computerworld) Pirated copies of a Windows 7 build pegged by many as the beta Microsoft Corp. will release next month have been leaked to the Internet, according to searches at several BitTorrent sites today. A search on the Pirate Bay BitTorrent site, for example, returned two Windows 7 Build 7000 listings, both of which had been posted Friday.
A new series of rogue programs has been created from the Anti-Virus 2008 series. If you encounter a pop-up message while visiting a website that differs from your current AV protection, use ALT+CTRL+ESC to invoke Task Manager and exit safely from the pop-up window.
More "Fake AV" Incarnations Making The Rounds
In terms of propagation, getting a "hit" from this malware is as easy as entering a series of search terms in your favorite search engine and unluckily picking a search result that delivers nothing more than the misleading introductory screen and fake anti-virus pop-up alerts (with their associated "D-level" English grammar). Should you unfortunately find yourself a victim of this, remember not to click anywhere on the screen, but instead use "Task Manager - Applications" to terminate the affected web browser session.
A few Vista systems have been affected by an issue that's currently being researched. The links at the bottom can help resolve this issue without having to reload Vista from scratch. Hopefully, this will help impacted users until a more permanent solution is available.
Vista - Mysterious Black Screen of Death
QUOTE: It goes like this: Your Vista system boots up to a black screen with a mouse cursor. That's it, no rest of the user interface, no nothing to do. This is showing up in sporadic reports since about early November. They call it the blacK Screen Of Death, or KSOD (because BSOD was already taken).
What is causing it? That's unclear for now. But there is a fix, courtesy of Mark from the SBSC & MSP Buzz Blog. He says the problem is related to the RPC service running under the LocalSystem account as opposed to the NT Authority\NetworkService account ...
MVP Susan Bradley shares this post:
QUOTE: The good news is that Mark has a solid workaround that ensures that you don't have to reinstall Vista after it boots to one of these black screen of death issues. The bad news is the underlying trigger is still not known/understood at this time.
How to fix the Vista KSOD (blacK Screen Of Death)
SBSC - Windows Vista Black Screen with Mouse Cursor Only Issue:
A new article was published during December that includes a customizable template for documenting applications.
Tech Target - Creating comprehensive standards for business continuity documentation
Trend is reporting a significant increase in malicious e-cards circulating in email. Users should avoid all e-cards except those from truly legitimate sources. Keeping AV protection up-to-date is also beneficial.
Malware e-card spam attacks increase
QUOTE: A significant amount of e-card spam has flooded inboxes recently, taking advantage of the upcoming holiday season. Spam mails contain holiday greetings and a short message informing users that they have received an e-card from someone. Also in the email is an embedded URL link where the recipient can view or claim their e-card.
SUBJECT LINES TO AVOID:
A Christmas card from a friend
A special card just for you
Christmas card for you
Christmas Ecard Notification
Christmas Ecard Special Delivery
Christmas greetings e-card is waiting for you
Christmas greetings for you
Christmas greetings from your friend
Greeting for you!
Have a warm an lovely Christmas!
I made an Ecard for U!
I sent you the ecard
Merry Christmas 2009!
Merry Christmas card for you!
Merry Christmas e-card is waiting for you
Merry Christmas greetings for you
Merry Christmas ‘N Happy New Year!
Merry Christmas To You!
Merry Christmas wishes just for you
Warmest Wishes For Christmas!
Wish You A Merry Christmas!
Xmas card for you
Xmas card is waiting for you
You have a Christmas Greeting!
You have a greeting card
You Have An E-card Waiting For You!
You have received a Christmas E-card
You have received a Christmas greetings card
You have received an E-card
You Received an Ecard.
You’ve got a Christmas E-card
You’ve got a Christmas greetings card
You’ve got a Merry Christmas E-card
You’ve got a Merry Christmas greeting card
You’ve got a Xmas e-card
You’ve got an e-card
AVERT is reporting widespread volume associated with fake "wire transfer" messages. As e-commerce messages might be expected during the holidays, these realistic-appearing messages could trick users into opening them. ZIP files may not be blocked as well as other attachment types by email filtering. Finally, each message processed so far is unique, as differing packing algorithms are used to evade AV detection.
Fake Wire Transfer spam contain Malicious ZIP attachments
QUOTE: Today a new downloader trojan is being spammed widely. This spam message arrives as a reply to the victim’s query of asking for the wire transfer.
When users run the file “bank_statement.scr” in the attachment zip file, it downloads the BackDoor-DSG trojan, while in the background it downloads an innocent pdf document from a legit site and opens it for deception. The pdf document, however, is not relevant to the wire
We see that the trojan file is repacked for each message, thus none of them are identical. In addition to that, this time the malware authors are changing resource sections in those pe files such as Icons, and file properties
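As an added example (not from the AVERT post or any vendor's tooling), the Python mail-filter check below shows why inspecting a ZIP attachment's contents beats hashing it: the same constructed stand-in for bank_statement.scr is packed two ways, the archive hashes differ, yet both are flagged. The file names, payload bytes and suffix list are constructed assumptions.

```python
import hashlib
import io
import zipfile

# Suffixes Windows executes directly; a screensaver (.scr) is an ordinary
# PE executable with a different suffix. Constructed policy list.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def inspect_zip_attachment(data: bytes) -> dict:
    """Return the attachment's hash plus any ZIP members that look executable.

    The hash changes with every repack of the same trojan; the member-name
    check does not, so the filter decision is based on the members.
    """
    digest = hashlib.sha256(data).hexdigest()
    flagged = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                # Lower-case so "BANK_STATEMENT.SCR" is caught too; endswith
                # also catches double extensions such as "invoice.pdf.scr".
                if name.lower().endswith(EXECUTABLE_SUFFIXES):
                    flagged.append(name)
    except zipfile.BadZipFile:
        # A corrupt or disguised archive is treated as suspicious, not ignored.
        flagged.append("<not a valid zip>")
    return {"sha256": digest, "executable_members": flagged, "block": bool(flagged)}


def build_zip(member: str, payload: bytes, method: int) -> bytes:
    """Constructed sample: pack one member using the given compression method."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


# Constructed stand-in for the trojan body: only the "MZ" header of a PE file.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real program"


def demo() -> list:
    """Two repacks of the same executable plus one benign document attachment."""
    stored = build_zip("bank_statement.scr", FAKE_PE, zipfile.ZIP_STORED)
    deflated = build_zip("bank_statement.scr", FAKE_PE, zipfile.ZIP_DEFLATED)
    benign = build_zip("bank_statement.pdf", b"%PDF-1.4 constructed", zipfile.ZIP_DEFLATED)
    return [inspect_zip_attachment(x) for x in (stored, deflated, benign)]


if __name__ == "__main__":
    for result in demo():
        print(result["sha256"][:16], result["executable_members"], "block" if result["block"] else "allow")
```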
This is an excellent account of removing one of the most popular malware attacks currently circulating. The use of Avira's free standalone AntiVir removal tool on a rescue CD appears to be a good cleaning resource that I discovered in this account.
An early present from the makers of Antivirus 2009!
Avira's AntiVirus 200x free rescue CD
QUOTE: Twas five days before Christmas and all through the house, no malware was detected on Windoze or MacOS. When all of the sudden and to my surprise, my Daughter shouted "Dad!!!!!" with big/frightened eyes! "I just wanted to play fashion dress-up and powder my virtual nose but when I went to the site, the Internet Explorer froze! It then launched another window with scantily-clad girls and now nothing works, I can't even change my curls!! Oh please help me fix this, did I do something bad? Oh please help me Daddy and please don't get mad."
QUOTE: I've had reports of excellent, free help for removing rogue antivirus from Microsoft's technical support - "Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates".
A new vulnerability has been discovered affecting SQL Server, and Microsoft is working on a patch for this issue. Most SQL Server versions are vulnerable (except 2008 and 2005 SP3). Exploits are also publicly circulating for these less secure implementations of SQL Server.
Direct remote and untrusted connections to SQL Server should NOT be used for web-based applications. A better design is to use a DMZ server topology for web apps, special trusted port redirects, authorized user accounts, and other more secure techniques.
AV protection will most likely emerge, and it's important to stay up-to-date. Corporate users should apply any applicable workarounds and monitor for further developments.
Advisory 961040 - New SQL Server remote connections vulnerability
QUOTE: "Clients and applications that utilize MSDE 2000 or SQL Server 2005 Express are at risk of remote attack if they have modified the default installation to accept remote connections, if they allow untrusted users access to MSDE 2000 or SQL Server 2005 Express, or if an application that uses MSDE 2000 or SQL Server 2005 Express has a SQL Injection vulnerability.
Microsoft Security Advisory (961040)
Vulnerability in SQL Server Could Allow Remote Code Execution
QUOTE: Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect systems that have had the workarounds listed below applied. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time.
Please see the WORKAROUNDS published in the bulletin for ideas on how to mitigate the current public exploit.
I've been updating all work and home PCs for the critical Internet Explorer security patch (MS08-078). During this process, I've encountered a new version of Windows Update which has worked well except for one of my XP systems.
I have an older Windows 2000 PC that had issues some months ago with Windows Update consuming 100% of the CPU cycles. To resolve this issue, I had set updates to automatic rather than manual. The system would gradually apply these as available for critical components still being updated for this legacy operating system. It was still a very slow process and most of the time required a few sessions to complete.
However, I found in updating my XP systems that a new version of Windows Update was available, and I reset the Security Center for manual rather than automatic updates. This was done to test the new version to see if performance improvements were present. I was pleased to discover that W/2000 updates seem to now work as well as they did under XP. I'll continue checking next month to see if this finding continues.
My corporate Dell XP SP3 laptop with IE7 updated fine and no issues have been seen so far.
Our family Dell XP SP3 Desktop with IE8 b2 consistently terminated with a 0x80072EE2 abend after multiple attempts. As part of the update process, I had to install the new version of WU on one of my PCs that I had not used recently.
What I've usually done to resolve any WU issue is simply enter "Windows Update 0x80072EE2" in an Internet search engine (e.g., Google, Live, Yahoo, etc.). Searching on error codes usually lands you at a forum or KB with ideas to try.
After a quick Internet search on the error code, I found this helpful KB and tried some of the solutions.
I added the revised Windows Update URL to trusted sites and disabled my AV software, but still kept experiencing the 0x80072EE2 abend.
What finally worked for me was to delete all browser cache. In IE8, the "Delete All" tab in the "Delete Browsing History" options can reset the IE8 environment completely. I was then able to successfully update IE8 with the patch.
However, as the KB notes, 0x80072EE2 is an Internet timeout issue. Hopefully everyone was updating last night, and Microsoft's Windows Update site may have been saturated at the time. Perhaps in the half-hour timeframe of trying solutions, connectivity to the site improved and clearing the prior cache wasn't a factor.
The clearing of browser cache might be an idea to try if all else fails.
The detailed test results are interesting. They point to improvements that all five major browsers should look at in the future.
However, users should avoid storing browser passwords anyway for sensitive sites (esp. e-commerce, banking, etc.). It's a better practice to re-enter ID and password credentials each time, in case someone gains access to your PC. The re-entry process also helps in better remembering the password.
Conversely, financial websites should be programmed so that the browser does not capture password fields. Many sensitive sites are constructed in this manner, where passwords are form fields and require multiple screens to enter. This technique prevents the ID and password from being stored.
Chapin Information Services - Browser Password Management Tests
QUOTE: The company took a look at all the major browsers: Internet Explorer 7, Opera 9.62, Firefox 3.04, Safari 3.2 and Google Chrome. According to the study, each browser was susceptible to a number of vulnerabilities that could expose password information.
Of the five, Opera Software's Opera and Mozilla Firefox fared the best—meaning they passed seven of the 21 tests. Internet Explorer passed five tests, while Google Chrome and Apple Safari passed only two.
Three issues were cited by CIS as being problems that, when combined, could allow cyber-thieves to steal passwords without a user's knowledge. The first two are whether the browsers check the destination where passwords are sent and the locations where they are requested.
The third critical issue is whether the password manager delivers a password using a form that is not visible. If an attacker can put an invisible password form on the page and count on the password manager to fill in the form, it is possible to steal a user's password without the user ever knowing, Chapin explained.
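The three CIS criteria above (where the password is requested, where it is sent, and whether the field is visible) can be written down as a fill policy. This added Python example is not CIS's test code or any browser's implementation; the form descriptors, the origins used and the should_autofill name are assumptions made here.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """Reduce an absolute URL to its (scheme, host, port) origin.

    The origin, not just the hostname, is the unit to compare: a credential
    saved for https://bank.example must not be offered to http://bank.example.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def should_autofill(saved_for: str, page_url: str, form: dict) -> tuple:
    """Decide whether a saved credential may be filled into a form.

    form is a constructed descriptor (in a browser it would come from the DOM):
      action  - the form's action attribute; "" means submit to the page itself
      visible - whether the password field is actually rendered on screen
    Returns (fill, reason).
    """
    saved = origin(saved_for)
    # Check 1: the page requesting the password must be where it was saved.
    if origin(page_url) != saved:
        return (False, "requesting page origin differs from where the password was saved")
    # Check 2: the destination the form posts to must match as well, so an
    # injected <form action="https://other.example"> gets nothing.
    destination = urljoin(page_url, form.get("action") or "")
    if origin(destination) != saved:
        return (False, "form would send the password to a different origin")
    # Check 3: never fill a field the user cannot see (CIS's third issue).
    if not form.get("visible", True):
        return (False, "password field is not visible")
    return (True, "origin, destination and visibility checks passed")


# Constructed scenario: a credential saved for the bank's login page.
SAVED_FOR = "https://bank.example/login"

CASES = {
    "legitimate login form": (SAVED_FOR, {"action": "/session", "visible": True}),
    "injected form posting elsewhere": (SAVED_FOR, {"action": "https://other.example/collect", "visible": True}),
    "hidden form on the real site": (SAVED_FOR, {"action": "/session", "visible": False}),
    "same host over plain http": ("http://bank.example/login", {"action": "/session", "visible": True}),
}


def run_cases() -> dict:
    """Evaluate every constructed case; returns {label: (fill, reason)}."""
    return {label: should_autofill(SAVED_FOR, page, form) for label, (page, form) in CASES.items()}


if __name__ == "__main__":
    for label, (fill, reason) in run_cases().items():
        print(f"{'FILL ' if fill else 'SKIP '} {label}: {reason}")
```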
Most home users are set for automatic updates and should apply this critical security update when prompted. This IE patch will prevent malicious exploits from being installed by simply visiting a website with this attack code present. This new, dangerous exploit is automatically invoked with no action required by the user other than visiting the site.
If you manually download and apply patches, the FAQ section of the MS08-078 bulletin recommends that IE first be updated with the latest cumulative patch, as noted below:
Question -- Is this a cumulative security update for Internet Explorer?
Answer -- No. This out-of-band security update is not cumulative. To be fully protected, customers should apply this update after applying the most recent cumulative security update for Internet Explorer. This update, MS08-078, will be included in a future cumulative security update for Internet Explorer.
MS08-078 - Special Internet Explorer security release now available
Internet Explorer 960714 is released
SWI, one of the most popular spyware information and removal sites, recently lost its domain name. Malware has been discovered at the original site of Spyware Info (dot) com. The new site name should be used instead and re-bookmarked to ensure safety.
SWI - Bookmark for New Location
SpywareInfo (dot) com - BAD NEWS
QUOTE: GoDaddy just auctioned off Mike Healan's original (please don't go to this site), and what happened to it is what many feared would when they saw how high the price was getting. As of yesterday the new owner had a page up directing people to fake protection programs, some of them being downright malicious. The site is now blocked by OpenDNS and some other DNS servers as malicious.
A zero day vulnerability is being actively exploited in all supported versions of Internet Explorer. SQL injection techniques are being used to spread dangerous exploit based scripts even on some potentially trusted and respected sites (that may not be programmed as securely as they should be).
While AV protection, best practices, and documented workarounds can help prevent issues, this emergency update is the best form of protection. Please update tomorrow as prompted to ensure the best level of protection during the holiday season.
Microsoft will issue emergency Internet Explorer fix on December 17th
QUOTE: REDMOND, Wash. - Microsoft Corp. is taking the unusual step of issuing an emergency fix for a security hole in its Internet Explorer software that has exposed millions of users to having their computers taken over by hackers.
The "zero-day" vulnerability, which came to light last week, allows criminals to take over victims' machines simply by steering them to infected Web sites; users don't have to download anything for their computers to get infected, which makes the flaw in Internet Explorer's programming code so dangerous. Internet Explorer is the world's most widely used Web browser.
Microsoft said it plans to ship a security update, rated "critical," for the browser on Wednesday. People with the Windows Update feature activated on their computers will get the patch automatically.
Thousands of Web sites already have been compromised by criminals looking to exploit the flaw. The bad guys have loaded malicious code onto those sites that automatically infect visitors' machines if they're using Internet Explorer and haven't employed a complicated series of workarounds that Microsoft has suggested.
More good links here:
ALERT: Out of band security patch to be released tomorrow, 17 December at 10.00am Pacific time
Microsoft IE Security Advisory
F-Secure: Extremely Dangerous Internet Explorer Security Hole - Beware!
Please be careful with all websites visited and follow developments closely. While this attack is currently on a limited scale, folks should be cautious anyway with all website visits.
Internet Explorer - New Zero-Day exploit in-the-wild
QUOTE: Microsoft is investigating new public reports of attacks against a new vulnerability in Internet Explorer. Our investigation so far has shown that these attacks are against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008.
At this time, we are aware only of limited attacks that attempt to use this vulnerability. Our investigation of these attacks so far has verified that they are not successful against customers who have applied the workarounds listed in this advisory.
During Christmas, Hanukkah, and other holidays an extensive amount of e-commerce takes place. Just as in any public setting, there are folks who want to steal using deceptive practices. This high volume of transactions during the holiday season presents one of the best opportunities for tricky fraudulent scams to surface. These can deceive new users, and the best of these can impact experienced users as well.
Malicious e-cards, email attachments, and web links may be used as bait. While AV protection helps, your best defense is to be vigilant and use avoidance where possible. This includes avoiding "fun links" or suspicious items even from friends or family (as they may be coming from their infected PCs).
It's always best to avoid any risk that might create hours of unnecessary repairs or permanent loss of information or $$$. Always evaluate any link or attachment thoroughly before you click. As a 35-year IT veteran, I've almost been tricked a few times myself.
Click The Link Below: The Bad Habits That Create New Victims Of Online Fraud
QUOTE: Many of us consider the Internet community to be a collective conscience, and consider the dirty schemes that tricked us once upon a time to now be common sense no-nos. Unfortunately, newcomers to the Internet community do not (yet) have a means of digitally absorbing all of the wisdom we’ve learned as web-surfing veterans. While today, you’re likely to look at someone who’s never been on the Internet as an alien life form, many new users are surprisingly logging on for the first time. Even in the US, the advent of cheap broadband is leading more schools, offices, and households to incorporate the Internet as an everyday way of life, and with that come a lot of nuances. In addition to this, scammers are getting smarter and finding new ways to trick seasoned Internet users.
SIX DANGER SIGNS TO WATCH FOR FROM ARTICLE
Click This Link
Paste This Link
Multiple Sign-On Domains
Multiple Sign-On Pages
Log In To Verify Your Account
Over 200,000 victims of Online Fraud
Avoid this free promotion from Coke and McDonalds sent in a ZIP file, as these companies would not send out offers in this manner. The email HTML is very realistic. Email links can also be dangerous and should be carefully checked in any message. No email offer can be relied on when it comes unexpectedly in email. I'm careful even with legitimate offers from Staples, Dell, or others. Please be extra careful in handling email attachments and web links during the holiday season.
Many email, website, and pop-up attacks are well disguised. As Trend Micro warns, this realistic email can gain entry to computers in 4 different ways, and it will download additional malicious attacks once the PC is infected. It's better to always avoid a free offer than risk loss of information and many hours of repair work. This dangerous, deceptive worm has the power to spread rapidly by email, P2P, network, and USB -- especially in a large group of vulnerable users.
Avoidance and staying up-to-date on AV protection are your best defense, as attacks during the holidays are likely to increase.
MYDOOM.CG Worm - Dangerous and realistic holiday email promotion
Infection Channel 1 : Propagates via email
Infection Channel 2 : Propagates via peer-to-peer networks
Infection Channel 3 : Propagates via removable drives
Infection Channel 4 : Copies itself in all available physical drives
During the Holiday season, this is a very worthwhile list of social engineering schemes to be on the lookout for:
QUOTE: Cyber criminals use different social engineering techniques to lure victims into performing activities that they would not normally do, like clicking links in spammed messages, downloading files, or filling out forms with confidential personal information.
This latest development is troubling in that many folks still are not staying up-to-date on Microsoft security changes. Botnets turn infected PCs into "zombies" which can be controlled remotely by the bad guys. While the half million potential PCs is a guess, this new botnet is indeed growing very rapidly. Stay safe by always applying ANY security fix promptly.
Conficker Worm - Exploiting MS08-067 building massive botnet
QUOTE: December 1, 2008 (Computerworld) The worm exploiting a critical Windows bug that Microsoft Corp. patched with an emergency fix in late October is being used to build a new botnet, a security researcher said today. ... it's called "Conficker.a" by Microsoft and is a key component in a new botnet that criminals are creating.
"We think 500,000 is a ball park figure," said Macalintal when asked the size of the new botnet. "That's not as large as some, such as [the] Kraken [botnet], or Storm earlier, but it's still starting to grow."
However, the new worm is a global threat, said Macalintal. "This has real potential to do damage," he said. Trend Micro has spotted infected IP addresses on the networks of Internet service providers (ISPs) in the U.S., China, India, the Middle East, Europe and Latin America. The worm first appeared about a week and a half ago, and began spreading in earnest just before Thanksgiving, he added.
Conficker Worm - More Potent MS08-067 attacks to unpatched systems
Several security updates will be available on "Patch Tuesday". This includes critical updates for Windows, IE, Office, VB and SharePoint.
Microsoft Security Bulletins - December 2008