January 2009 - Posts
Many current malware attacks are sophisticated and can greatly compromise security on your PC. When repairing a compromised system, it's always a best practice to change your Windows and Internet passwords.
One reason is that sometimes backdoors or keyloggers may have disclosed passwords and phoned them home to the bad guys. Secondly, most folks don't change their passwords often enough and what better time to do so.
Always use COMPLEX passwords with upper/lower case along with letters/numbers. Examples: Red01Sox, ChocBar99, Mt11Dew22, etc. You can also use special characters (although that can add difficulty in remembering them). If you have to write down or store passwords, always keep them both secure and up-to-date.
I've just learned of this Search engine, which originates from a company located in Holland. While I'll continue to use Google, MS Live, MSN, Yahoo, etc., their emphasis on privacy is beneficial to users.
IXQuick promotes privacy by not storing IP address information when searches are conducted. While Google and other search engine providers capture IP addresses, this information is usually sold to interested parties on an aggregate basis (e.g., where all users are bundled together without reporting specific user information). Although most of my searches would be boring to someone analyzing them, privacy is important to safeguard in all Internet activities.
IX QUICK HOME PAGE
http://www.ixquick.com/
HOW TO CUSTOMIZE SEARCHES (Good content filtering controls)
http://www.ixquick.com/do/preferences.pl?language_ui=english
IXQUICK - New Privacy Policies
http://www.ixquick.com/eng/protect_privacy.html
http://www.ixquick.com/eng/privacy-policy.html
IXQUICK - January 28, 2009 Press release of Privacy changes
http://www.ixquick.com/eng/press/pr_zeroip.html
Sunbelt has issued the following warning on this new rogue program that resembles the AntiVirus 2009 family.
http://sunbeltblog.blogspot.com/2009/01/new-rogue-ie-security.html
QUOTE: IE Security is a new rogue security application from the IEDefender family. IE Security replaces Win Defender 2009
This is an excellent approach to use in handling email:
AVERT LABS - Hoax or Not, Treat It the Same
http://www.avertlabs.com/research/blog/index.php/2009/01/29/hoax-or-not-treat-it-the-same/
QUOTE: Late last year, my sister forwarded to me an email that foretold of great evil and destruction should anyone open an email with a “Happy New Year” greeting for a subject. The email begged us to save the world by forwarding it to everyone we know. She wanted to know if she should believe it.
More recently I got something similar, this one warning that a deadly email will have a subject concerning President Barack Obama’s acceptance speech. This one added an air of authenticity by claiming that a popular hoax-tracking site has verified the details to be true. Hoax or not, I rarely read past the subject line of these types of emails, and I never forward them to others.
HOW TO CLEAN CONFICKER INFECTIONS IN THE CORPORATE ENVIRONMENT
1. Research the malware threat thoroughly. Determine how it attacks systems and the best approach for cleaning. Check several sources to learn as much as possible prior to cleaning. Conficker will actually apply the MS08-067 patch in MEMORY ONLY, so the best way to find infected PCs/servers is to look for high port 445 activity with a sniffer.
2. In corporate environments, and even for home users, it's always a good practice to SHUT DOWN the infected system, unplug it from the network, and stop using it completely.
3. Instead, work with the system while it is off the network. It's recommended to burn a CD or DVD from a clean, non-infected source or use a lab environment that's isolated from the main network. Cleaning tools that can be used include the MS08-067 patch and multiple standalone cleaners (F-Secure, MSRT, other tools). A CD is safer than USB due to the AUTORUN risks.
4. Bring the system back online after it's isolated from the main network. Then use up-to-date Anti-Virus software to scan for additional malware. If the AV product doesn't offer good rootkit detection capabilities, consider downloading F-Secure's Blacklight RK detector or other similar tools. Anti-Spyware and other malware detection products should be run to ensure the system is as clean as possible.
5. If you find additional malware, evaluate it thoroughly. While a Conficker infection alone can be cleaned without the need to rebuild the system, additional malware infections received while the system was infected need to be evaluated in terms of damage and how successfully they can be cleaned. In some cases, it may be beneficial to rebuild.
6. After cleaning Conficker, install the MS08-067 patch before returning the PC or Server online.
7. After installing the MS08-067 patch, it's critical to REBOOT the system, so that the patch becomes operational prior to bringing the PC or server back to the network environment.
8. Finally, if you have weak passwords, open network shares, or the AUTORUN issues with removable media - it's important to strengthen these areas to prevent future attacks. Otherwise, Conficker or other malware could continue to reinfect vulnerable servers/PCs until the root cause is properly addressed.
9. Log all infected servers and workstations that were cleaned for future reference.
10. Re-evaluate the formerly infected systems periodically to ensure their defenses are holding up. Use network sniffers, IDS, AV software and other tools to carefully monitor inbound and outbound traffic.
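One way to turn the "high port 445 activity" check from steps 1 and 10 into a repeatable report is sketched below. This is an added example, not taken from any of the linked vendor tools. It assumes the sniffer or flow collector can export records as "epoch_seconds src dst dst_port" lines; the record format, the 60-second window, the threshold of 10 peers and all addresses are assumptions chosen for illustration.

```python
from collections import defaultdict

def sample_flows():
    # Constructed data, not a real capture: "epoch_seconds src dst dst_port".
    # 10.0.0.23 sweeps 40 addresses on 445; 10.0.0.5 talks to one file server.
    lines = [f"{1000 + i} 10.0.0.23 10.0.1.{i + 1} 445" for i in range(40)]
    lines += [f"{1000 + 30 * i} 10.0.0.5 10.0.0.2 445" for i in range(20)]
    lines += ["1010 10.0.0.7 192.0.2.10 80", "truncated record"]
    return "\n".join(lines)

def parse_flows(text):
    """Yield (ts, src, dst, dport) tuples, skipping malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def smb_fanout(flows, window=60, threshold=10, port=445):
    """Map each source to its peak count of distinct `port` destinations
    inside any `window`-second span, keeping sources at or above `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        live = defaultdict(int)   # destination -> hits still inside the window
        start = best = 0
        for ts, dst in events:
            live[dst] += 1
            while ts - events[start][0] >= window:   # expire old events
                old = events[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            best = max(best, len(live))
        if best >= threshold:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    for host, peers in smb_fanout(parse_flows(sample_flows())).items():
        print(f"{host}: {peers} distinct port-445 peers within 60s, isolate and inspect")
```

Counting distinct destinations rather than raw packets keeps a busy workstation that talks to a single file server from being flagged alongside a host that is sweeping the subnet.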
As of January 19th, F-Secure updated its free cleaning and removal tools offered to the public. If you are using an earlier version, this latest version should be used.
ISTP and F-Downadup Removal Tool
http://www.f-secure.com/weblog/archives/00001588.html
F-Secure description of Conficker (aka Downadup)
http://www.f-secure.com/v-descs/worm_w32_downadup_gen.shtml
F-Downadup Removal Tool - Download from here
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
F-Downadup Removal Tool - Instructions
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.txt
Microsoft Help and Support - Knowledge Base Article 962007 provides numerous details for manual disinfection of Conficker.B (alias Downadup).
http://support.microsoft.com/kb/962007
Please check your credit card statements over the coming months.
Today, I heard a good related point that the "bad guys" will try some very small $1 charges at first to see if it works and has some limits still left. If they're successful, then it's "katie bar the door" as they will then take the card to the limit and you'll become a victim of identity theft.
Based on current trends, several emerging developments should be followed closely in the coming year.
AVERT Labs - McAfee 2009 Threat Predictions
http://www.avertlabs.com/research/blog/index.php/2009/01/20/the-mcafee-2009-threat-predictions/
Some areas highlighted for 2009
1. Threats Hide in the Cloud
2. Personalized Threats Speak Your Language
3. Malware Targets Consumer Devices
4. The Rogue Web and Malvertising
5. McColo: The Effects of a Spam Network Takedown
More in-depth 10 page report (PDF)
http://www.mcafee.com/us/local_content/reports/2009_threat_predictions_report.pdf
Informative article on what corporate IT security departments should have in place to prevent the current 3-pronged attacks:
-- Patch Management (patching plus testing to ensure everything is up-to-date)
-- Reduce/Eliminate Autorun for removable devices and wide-open network shares
-- Test/Strengthen passwords
Trend Blog - Good Corporate Security Policies can prevent Conficker infections
http://blog.trendmicro.com/security-policy-for-dummies-how-to-avoid-worm_downad-infection/
Sunbelt is reporting focused attacks for advertisers as noted below. Any business email received should always be carefully examined to ensure links or attachments are genuine.
Phishers target Yahoo advertisers
http://sunbeltblog.blogspot.com/2009/01/phishers-target-yahoo-advertisers.html
QUOTE: New run, targets Yahoo advertisers (Yahoo’s service is similar Adwords
New Google Adwords - Phishing Run
http://sunbeltblog.blogspot.com/2009/01/new-google-adwords-phishing-run.html
QUOTE: Google Adwords phishes have been quiet for a while, but now they’re back. Unlike most of the other Google Adwords runs, these use new TLDs, like Belgium and EU (.be and .eu)
This attack uses false sensationalized messages and a botnet design similar to Storm worm's for spreading. Messages and websites should be avoided.
Dangerous Email claims Obama refuses to become President
http://www.avertlabs.com/research/blog/index.php/2009/01/17/do-not-worry-obama-di-not-refuse-to-be-a-president/
QUOTE: In less than four days the inauguration of President-Elect Barack Obama will make headlines. At McAfee, we expect cybercriminals to use this event to conduct their typical attacks like they do when the news gives them such opportunity.
Unfortunately, we were right and some sites have already started to circulate fake information on this subject to lure in the crowds in an attempt to infect their computers. Here is one of them we recently discovered. As you can see for yourself this author does not hesitate to make use of sensationalism:
Let me add that if you are lured into this trap and are using an incorrectly protected PC that you will be infected by malware we detect as W32/Waledac.gen.b. This website was not created by a joker. It is very professionally done. It is protected by a botnet bringing into play the fast-flux technique.
If you have friends or family who might not be versed in applying Windows Updates, you may want to share with them how they can become safe from this rapidly spreading attack.
Calculating the Size of the Downadup Outbreak
http://www.f-secure.com/weblog/archives/00001584.html
http://www.f-secure.com/weblog/archives/00001582.html
QUOTE: The number of Downadup infections are skyrocketing based on our calculations. From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing.
Microsoft - Windows Update Web Site
Microsoft - Security at Home (learn security basics)
My corporate Blackberry phone is being called 2X or 3X weekly with a pre-recorded message. On our local radio station it was noted to avoid this scam, as coverage will not be provided properly for those who sign up. As our 1994 Mazda MVP Van is not covered under warranty, that provides another clue to avoid this scam. Always be cautious with phone calls, emails, etc. Sometimes they could have relevancy, as with folks whose factory warranty is expiring. Further research and safe commerce practices are always good to validate (e.g., send in writing or go to local business).
While I plan to register at the Do Not Call website, I read in some of the forums that this may be honored.
MESSAGE BEGINS: This is the second notice that the factory warranty on your vehicle is expiring
Google Search
===================================================
//UPDATE on May 21, 2009
FTC shuts down massive robocall scam
http://www.msnbc.msn.com/id/30852785/
QUOTE: We spend so much time worrying about Internet fraud. But it’s easy to forget that many con artists still make their living the old-fashioned way: dialing for dollars. Last week, the Federal Trade Commission shut down one of the biggest and most flagrant telemarketing scams ever. The automated calls (known as robocalls) pitched extended car warranties. They went to phones across the country, including cell phones and home phones on the national Do Not Call Registry. Federal law prohibits such calls.
By using special Metasploit routines, the Conficker worm can determine precisely which operating system and service pack a target is running, so it can infect systems more effectively. This may be contributing to its ability to spread rapidly.
AVERT Labs - Conficker Worm using Metasploit payload to spread
http://www.avertlabs.com/research/blog/index.php/2009/01/15/conficker-worm-using-metasploit-payload-to-spread/
QUOTE: Recently we got some new samples of the W32/Conficker.Worm to analyze. While investigating we found that this worm has an exploit for the recent MS08-067 vulnerability and uses the exploitation method derived from the metasploit ms08_067_netapi module to spread itself.
Metasploit also provides the “smb_fingerprint” function to detect the Windows version information, Service Pack information and also the language information of the target OS. This makes programming the worm much easier and can cause much bigger impact. By using the exploit from the metasploit module as the code base, a virus/worm programmer only needs to implement functions for automatic downloading and spreading.
Since there are a huge number of Windows XP systems it’s obvious that the worm writer did not want to miss out on this pool, hence this is why the worm determines what the Service Pack level is by accessing.
An estimated 33% of users are not up-to-date on security patches, as noted in the Computerworld article. Staying up-to-date on security patches and AV updates can provide protection. These latest MS08-067 attacks have been more potent, so please research the links at the bottom to ensure you are up-to-date.
COMPUTERWORLD: 1 in 3 Windows PCs vulnerable to worm attack
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126038
QUOTE: January 15, 2009 (Computerworld) The worm that has infected several million Windows PCs is causing havoc because nearly a third of all systems remain unpatched 80 days after Microsoft Corp. rolled out an emergency fix, a security expert said today.
Microsoft - Windows Update Web Site
Microsoft - Security at Home (learn security basics)
Secunia PSI - Can check your system for missing updates
The latest variants of Conficker have spread to over 3 million PCs and servers worldwide, using multiple techniques to reach vulnerable systems. The MS08-067 patch must be applied to help prevent infections, along with keeping removable media unplugged until needed for transferring information. Corporate security administrators should ensure network shares and passwords are properly locked down as well.
How Big is Downadup? Very Big.
http://www.f-secure.com/weblog/archives/00001580.html
http://www.f-secure.com/weblog/archives/00001579.html
QUOTE: Today's total infection count is an estimated 3,521,230 infections worldwide
Conficker's autorun and social engineering
http://isc.sans.org/diary.html?storyid=5695
Very Deceptive AUTORUN.INF tactics are used
http://www.f-secure.com/weblog/archives/00001575.html
QUOTE: F-Secure posted some interesting information about the number of infections which is almost certainly in millions (and who knows how many machines will stay infected as the owners will not even notice anything). One of the reasons for infecting so many machines is that Conficker uses multiple infection vectors:
1. It exploits the MS08-067 vulnerability
2. It brute forces Administrator passwords on local networks and spreads through ADMIN$ shares
3. It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.
More on MS08-067 Worm developments
http://www.f-secure.com/weblog/archives/00001576.html
Techniques for disabling AUTORUN for USB plug-in devices
http://technet.microsoft.com/en-us/magazine/2008.01.securitywatch.aspx
http://support.microsoft.com/kb/953252
http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html
MS08-067 Conficker worm - F-Secure offers free removal tools
ftp://ftp.f-secure.com/anti-virus/tools/beta/fsmrt.zip
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
PATCH NOW - if there are any servers or PCs that need this critical update. Home users can employ the Windows Update process. More information can be found in the link below:
MS08-067 Security Patch Information
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
A great check list in five categories representing best practices for the corporate IT security area.
Corporate IT Security - Avoid these mistakes
http://isc.sans.org/diary.html?storyid=5644
QUOTE: The following list presents common information security mistakes and misconceptions, so you can avoid making them.
FIVE BROAD CATEGORIES COVERED
Security Policy and Compliance
Security Tools
Risk Management
Security Practices
Password Management