April 2009 - Posts
Office 2007 users should update to the new SP2 release to benefit from its functional improvements, keeping in mind that the service pack is fairly large (up to 290 MB).
Office 2007 SP2 released
http://www.microsoft.com/downloads/details.aspx?FamilyId=B444BF18-79EA-46C6-8A81-9DB49B4AB6E5&displaylang=en
KB953195 Office 2007 SP2 - product-specific changes described
http://support.microsoft.com/default.aspx/kb/953195
QUOTE: The 2007 Microsoft Office Suite Service Pack 2 (SP2) provides customers with the latest updates to the 2007 Office suite (the products that are affected by this update are listed below). This download includes:
* Previously unreleased fixes that were made specifically for this service pack.
* In addition to general product fixes, this includes improvements in stability, performance, and security.
* All of the Public Updates, Security Updates, Cumulative Updates, and Hotfixes released through February 2009.
Numerous web sites are being registered and many of these will be used for legitimate purposes. However, some sites could be used for future phishing attacks or to seed malware. Please be careful with both email and websites that you might encounter related to this topic.
Extensive Registrations of Swine Flu Websites
(some of these site names could be used in future attacks)
http://isc.sans.org/diary.html?storyid=6280
http://www.f-secure.com/weblog/archives/00001668.html
http://www.f-secure.com/weblog/archives/swineflu_domains.txt
Spam messages built around the swine flu topic are circulating and should be avoided, as they could contain malicious links.
Swine Flu Spam
http://www.avertlabs.com/research/blog/index.php/2009/04/27/swine-flue-spam/
http://blog.trendmicro.com/swine-flu-outbreak-hits-the-web-through-spam/
QUOTE: Subject Lines:
First US swine flu victims!
US swine flu statistics
Salma Hayek caught swine flu!
Swine flu worldwide!
Swine flu in Hollywood!
Swine flu in USA
Madonna caught swine flu!
During March, research on Ethics was conducted, which resulted in the following three newsletters that circulated to all members of the Blue Ridge CPCU chapter:
CPCU Research Project - Role of Ethics in Insurance
Microsoft has published a study of infection rates by operating system, based on recent MSRT cleaning statistics. While the MSRT removes only the most prevalent malware, the study helps confirm that Vista's out-of-the-box settings and architecture provide clear security benefits.
Malware on Vista rare compared with XP
http://blogs.pcmag.com/securitywatch/2009/04/malware_on_vista_rare_accordin.php
Microsoft Security Intelligence Report Volume 6
http://www.microsoft.com/security/portal/sir.aspx
QUOTE: Comparing the latest service packs for each version, the infection rate of Windows Vista SP1 is 60.6 percent less than that of Windows XP SP3.
Adobe's Acrobat Reader is the world's most established PDF reader. Its popularity has made it a target, and malicious authors have been active in creating exploits for it. At the RSA conference, alternative PDF readers were recommended to reduce PDF risk, as most of the current exploits are written specifically for Adobe Reader.
Since obscurity offers some protection, vulnerabilities in other PDF readers may not have been explored as deeply. Adobe is frequently fixing these security holes, so users who prefer Adobe Reader should stay patched and use the latest version.
All users should avoid unusual PDFs and scan them with up-to-date anti-virus software prior to opening them. Finally, follow best practices and be careful with any PDF file you receive. If an unusual message contains a PDF attachment, always avoid opening it.
Article - Ditch Adobe Reader for Better Security
http://tech.yahoo.com/news/pcworld/20090421/tc_pcworld/ditchadobereaderforbettersecurity
QUOTE: The popular Adobe Reader is a favorite target of online crooks, according to Mikko Hypponen, chief research officer with antivirus company F-Secure. And for better security you should ditch Reader and go with a free alternative, he says.
Malware-pushing bad guys increasingly target Adobe Reader flaws, Hypponen says. In 2008, from Jan. 1 through April 16, F-Secure saw PDFs used in 128 dangerous drive-by attacks. This year, during the same time frame, the company has seen 2,305 drive-bys using PDFs. Such attacks go after a vulnerable Reader browser plugin, Hypponen says. Poisoned PDFs are also often used as part of a customized, targeted attack, he says, when they're sent to a specifically selected recipient attached to a well-crafted e-mail.
Hypponen didn't recommend any particular alternative program, but suggested heading to pdfreaders.org for a list of free apps. He did point out that at the time of IE 6's security infamy, many switched over to using Firefox. And as that browser gained significant market share, it also drew the hackers' eye. His hope, he says, is that people use a variety of alternate PDF readers and thereby fly under the bad guys' radar.
Mebroot (StealthMBR) is one of the most advanced rootkits circulating. New variants show even more advancements in hooking into the Windows OS kernel. AV detection has emerged to detect, eradicate, and repair MBR damages. Always use safe practices in handling media, files, and URLs.
Mebroot Rootkit - New Variants more advanced and difficult to detect
http://www.avertlabs.com/research/blog/index.php/2009/04/19/stealthmbr-gets-a-makeover/
http://www.prevx.com/blog/120/MBR-rootkit-changes-itself-and-strikes-again.html
QUOTE: StealthMBR has arguably been dubbed as the stealthiest rootkit ever seen. The new variants are using even ‘deeper’ techniques to evade detection. Broadly speaking, they are hijacking kernel objects (device object) to filter out access to the master boot record and prevent detection and repair.
A total of 43 security patches are available for Oracle's product lines. These should be tested and deployed promptly to keep critical databases and tools secure.
Oracle Critical Patch Update Advisory - April 2009
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
QUOTE: Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible. This Critical Patch Update contains 43 new security fixes across all products.
Hospitals that run 24x7 have difficulty finding time to reboot. Still, 700 infections is too many with the patch out for 6 months and the publicity this worm has already received. This worm is very stealthy and well written. Based on the account, the university seemed to contain and clean it up fairly well.
Conficker.E Attacks 700 University of Utah PCs
http://www.eweek.com/c/a/Security/Conficker-Attacks-700-University-of-Utah-PCs-835179/
The dreaded Conficker worm made an appearance at the University of Utah heading into the weekend, attacking more than 700 computers and spreading its malware to the university's three hospitals.
A spokesperson for the university insisted that patient records remain unaffected. According to a report by the Associated Press, campus IT cut off online access for up to 6 hours on April 10, in a bid to isolate Conficker before it could cause further damage.
Conficker was first detected on campus on Thursday, April 9. In addition to infecting hospital computers, Conficker also infiltrated systems in the medical school and the colleges of nursing, pharmacy and health.
Administrators had informed staff and students on the best practices for scrubbing Conficker from computers and auxiliary devices such as smartphones.
The April updates are worth emphasizing this month. Applying them soon through Automatic Updates, or manually, will better protect your system. The ISC provides a good summary and rates three of the bulletins as "patch now" because exploits are circulating in the wild.
MS Patch Tuesday Updates for April 2009
http://isc.sans.org/diary.html?storyid=6193
Microsoft Security Updates - April 2009 Patch Now
https://www.microsoft.com/technet/security/bulletin/ms09-apr.mspx
So far so good in applying these updates to my own systems.
Users should exit these programs carefully. Use CTRL+SHIFT+ESC to invoke the Windows Task Manager and end the process without clicking on any of the rogue's buttons. Always avoid purchasing or using this software: it is not a true security product, but one designed to trick people out of money (usually $49).
PAntispyware 09 - New Rogue variant of Antivirus 2009
http://sunbeltblog.blogspot.com/2009/04/new-rogue-p-antispyware-09.html
QUOTE: PAntispyware 09 is yet another rogue from WinSpywareProtect family of rogue security products.
F-Secure reports that the new Twitter worm is designed to infect as many folks as possible in spreading without a damaging payload. The capability to harm systems could change and hopefully these attacks will be stopped. For protection, update AV signatures and avoid any message containing the keyword "Stalkdaily" (and don't go to the website) as noted below.
Ongoing problems at Twitter
http://www.f-secure.com/weblog/archives/00001654.html
Twitter Worm Outbreak during Easter
http://www.f-secure.com/weblog/archives/00001653.html
QUOTE: Twitter administrators don't seem to be able to shut down the various XSS / CSRF worms that have been plaguing the service over the weekend. The actual problems to end users haven't been devastating - so far. Most of the Twitter worms simply modify people's profiles to infect more users. However, attacks like these could be much worse if the attackers would incorporate nastier attacks, such as browser exploits.
Wily Weekend Worms
http://blog.twitter.com/2009/04/wily-weekend-worms.html
QUOTE: On a weekend normally reserved for bunnies, a worm took center stage. A computer worm is a self-replicating computer program sometimes introduced by folks with malicious intent to do some harm to a network. Please note that no passwords, phone numbers, or other sensitive information was compromised as part of these attacks.
McAfee - Twettir Worm (move to DAT 5583)
http://vil.nai.com/vil/content/v_154580.htm
QUOTE: S/Twettir is the detection for a JavaScript that exploits a cross site scripting vulnerability in Twitter to infect other user profiles. This worm sends messages to all contacts containing any of the following strings:
AVOID THESE MESSAGES
* Dude, www.StalkDaily.com is awesome. What's the fuss?
* Join www.StalkDaily.com everyone!
* Woooo, www.StalkDaily.com :)
* Virus!? What? www.StalkDaily.com is legit!
* Wow...www.StalkDaily.com
* @twitter www.StalkDaily.com
* Twitter has been hacked !!!
* Twitter worm, read here
* StalkDaily worm on Twitter, more info
* HOWTO: Remove StalkDaily.com Auto-Tweets From Your Infected Twitter Profile | Twittercism
* #Stalkdaily virus runs riots on twitter. Learn how to remove it
The Microsoft Malware Protection Center has developed a comprehensive analysis of "E":
Microsoft Malware Protection Center - Conficker.E
http://blogs.technet.com/mmpc/archive/2009/04/09/win32-conficker-variants-update.aspx
QUOTE: However, deeper analysis shows the following (reminder, we are continuing to research this, but the differences are significant enough that we will be designating this new variant as Conficker.E):
* Exploits MS08-067
* Contains code to spread via network shares
* Drops a driver similar to early variants, using the same mechanisms as Conficker.B.
* Opens a web listener on a pseudo-random port between 1024 and 9999 based on the volume serial number of the system drive.
* Appears to append a stream of randomly generated garbage to itself before offering itself for further propagation. (This will result in untrustworthy file identification information like the ones I use above to inform other researchers as to the specific variant I am talking about; but our community can work its way around that.)
* Contains some of the same IP-filtering used in Conficker.D (Don’t go to certain IP ranges)
* Periodically connects to the following URLs to check for internet connectivity:
* Periodically connects to one of the following sites (at random) to determine its external IP address:
* Deletes itself on and after May 3rd 2009
* Uses SSDP to find Internet gateway devices (i.e. routers) and issues a SOAP command on the device to open an external TCP port and redirect it to an internal IP:port.
* Drops a DLL component that contains P2P functionality
* A very key difference between the .E variant and previous A-D variants. The .E variant executes simultaneous to the existing Conficker.D already on that infected machine.
More details have surfaced from F-Secure's blog ...
Conficker.E - Additional information on new Variant
http://www.f-secure.com/weblog/archives/00001652.html
QUOTE: A new variant of Conficker was found yesterday. We're still investigating the files but here's what we know so far.
• On April 8th a new update was made available to Conficker.C infected machines via the P2P network
• The new file, which we call Conficker.E, is executed and co-exists alongside the old infection
• It re-introduces spreading via the MS08-067 vulnerability. Spreading functionality was removed in Conficker.C and the gang behind this maybe realized they made a mistake and added it again.
• There's a possible connection to Waledac, a spambot. Some Conficker.C infected computers connected to a well known Waledac domain and downloaded Waledac from there.
• There's also a connection to rogue anti-virus products as we've seen it end up on Conficker.C infected machines. The rogue product was Spyware Guard 2008.
• Conficker.E deletes itself if the date is May 3, 2009 or later.
Snort is an open-source intrusion detection tool for evaluating network traffic. The latest version adds a preprocessor that greatly simplifies the rules needed for some detections, as noted below.
Snort 2.8.4 upgrade is out -- Upgrade now!
http://isc.sans.org/diary.html?storyid=6151
Snort Intrusion Detection Monitoring
http://www.sourcefire.com/products/snort/
QUOTE: The wide availability of open source Snort brings many advantages.
• Because the source code is open, development can occur at a markedly accelerated pace compared to proprietary models
• A vast community of security experts that continually reviews, tests and proposes improvements to the code
• Security engineers and specialists the world over write Snort rules for new and evolving threats every hour of the day, often in record time.
CONFICKER DETECTION SIMPLIFIED FROM 168 RULES TO 2 -- For awhile now, a lot of netbios flow tracking has been done with our rules language. This results in hundreds of rules to do flow tracking for a particular exploit. For example, the rules that detect the exploit that Conficker uses (MS08-067), before the preprocessor, there were 168 rules. Introduced in 2.8.4 is a new target based DCE/RPC preprocessor, called "DCE/RPC2". This preprocessor provides a bunch of the flow tracking internally and provides rule options that rule writers can call. So, after the new netbios rules go out (in the next few days, according to Snort.org), the number of MS08-067 rules will be reduced to 2.
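As an added illustration (not ISC's or Sourcefire's text, and not the official VRT rules), here is what MS08-067 detection looks like when the rule calls the DCE/RPC2 preprocessor options instead of tracking NetBIOS flows in the rule language. The $HOME_NET/$EXTERNAL_NET variables, the local sids 1000001/1000002 and the "\..\" path heuristic are assumptions.

```snort
# Illustrative Snort 2.8.4 configuration and rules (assumed, not the VRT rule set).
# The preprocessor reassembles SMB/DCE-RPC fragments and tracks the bind-to-call
# state itself, so each rule only names the interface, the opnum and the stub data.

# snort.conf: enable the target-based DCE/RPC2 preprocessor.
preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135]

# Rule 1: SMB over the NetBIOS session service (TCP/139).
# srvsvc interface UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188, opnum 31 is
# NetprPathCanonicalize, the call abused by MS08-067. After dce_stub_data the
# cursor sits at the start of the call arguments; the content match is a simple
# heuristic (assumed) for a UTF-16LE "\..\" sequence in the path argument.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( \
    msg:"NETBIOS SMB srvsvc NetprPathCanonicalize path traversal (MS08-067)"; \
    flow:established,to_server; \
    dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; \
    dce_opnum:31; \
    dce_stub_data; \
    content:"|5C 00 2E 00 2E 00 5C 00|"; \
    reference:cve,2008-4250; classtype:attempted-admin; \
    sid:1000001; rev:1; )

# Rule 2: the same call over direct-hosted SMB (TCP/445).
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( \
    msg:"NETBIOS SMB-DS srvsvc NetprPathCanonicalize path traversal (MS08-067)"; \
    flow:established,to_server; \
    dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; \
    dce_opnum:31; \
    dce_stub_data; \
    content:"|5C 00 2E 00 2E 00 5C 00|"; \
    reference:cve,2008-4250; classtype:attempted-admin; \
    sid:1000002; rev:1; )
```

The content heuristic can match legitimate canonicalization requests that contain "..", so tune it against your own SMB traffic before treating the alert as high confidence.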
http://www.microsoft.com/technet/security/Bulletin/ms09-apr.mspx
Bulletin  | Severity and impact              | Restart             | Affected software
Windows 1 | Critical Remote Code Execution   | Requires restart    | Microsoft Windows, Microsoft Office
Windows 2 | Critical Remote Code Execution   | Requires restart    | Microsoft Windows
Windows 3 | Critical Remote Code Execution   | May require restart | Microsoft Windows
IE        | Critical Remote Code Execution   | Requires restart    | Microsoft Windows, Internet Explorer
Excel     | Critical Remote Code Execution   | May require restart | Microsoft Office
Windows 4 | Important Elevation of Privilege | Requires restart    | Microsoft Windows
ISA       | Important Denial of Service      | Requires restart    | Microsoft Forefront Edge Security
Windows 5 | Moderate Elevation of Privilege  | Requires restart    | Microsoft Windows
Trend Micro is calling the latest variant Conficker "E". As expected, it is updating through P2P techniques rather than the 50,000 websites that the CWG has been deactivating.
Conficker.E - P2P Updates Have Started for new variant
http://blogs.zdnet.com/BTL/?p=16082
http://isc.sans.org/diary.html?storyid=6157
http://news.cnet.com/8301-1009_3-10215678-83.html
QUOTE: The Conficker worm is finally active, updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday. The update may include a keylogger and other code to exfiltrate data. The update is delivered using the P2P mechanism and not the (defunct) web sites.
Conficker.E - Trend Micro Information
http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/
http://blog.trendmicro.com/a-look-inside-conficker-p2p-traffic/
Trend now detects this new Conficker variant as WORM_DOWNAD.E. Some interesting things (well at least in our perspective) found are:
-- (Un)Trigger Date – May 3, 2009, it will stop running
-- Runs in random file name and random service name
-- Deletes this dropped component afterwards
-- Propagates via MS08-067 to external IPs if Internet is available, if no connections, uses local IPs
-- Opens port 5114 and serves as an HTTP server, by broadcasting via SSDP request
-- Connects to the following sites: Myspace.com, msn.com, ebay.com, cnn.com, aol.com
-- It also does not leave a trace of itself in the host machine. It runs and deletes all traces, no files, no registries etc
McAfee's AVERT Labs has also documented this new threat:
DAT release 5579 or higher provides protection.
McAfee information
http://www.avertlabs.com/research/blog/index.php/2009/04/09/new-conficker-variant/
McAfee - Conficker Resource Center
http://www.mcafee.com/us/threat_center/conficker.html
McAfee Stinger - Can now clean latest variant
http://vil.nai.com/vil/stinger/
ISC is reporting this resource is now offline ... Not sure if it's related to new variant?
Conficker Working Group site down
http://isc.sans.org/diary.html?storyid=6163
Conficker Instant Test for infections (offline currently)
http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
Sunbelt has documented an unusually crafted "419" scheme. All "419" scams should be deleted without reading. Unfortunately, a very small percentage of people want to believe these scams are true, and they end up compromising their identity and even paying the scammers in advance for the prospect of getting rich.
Bizarre 419 scam letter
http://sunbeltblog.blogspot.com/2009/04/bizarre-419-letter.html
QUOTE: The Federal Bureau of Investigation (F.B.I) write to you in correspondence to the meeting we recently had with the Federal Republic of Nigeria Government on the ERADICATION of SCAMS on the internet ... our Global intelligence monitoring network that you presently have a transaction with the Central Bank of Nigeria (CBN) as regards to your over-due contract payment which was fully endorsed in your favor accordingly.
What is a 419 email scheme?
http://en.wikipedia.org/wiki/419_Advanced_Fee_Schemes
IT Professionals - Ten Tips on How to Communicate Better
http://isc.sans.org/diary.html?storyid=6133
QUOTE: How do you garner the support of colleagues who are difficult to reach? How do you get your message heard? Here are my 10 tips:
1. Have a message that's worth being heard.
2. Consider concerns and language of the recipient.
3. Speak up! But don't be too loud.
4. Understand when to say it.
5. Switch the medium.
6. Don't overwhelm with choices.
7. Be brief.
8. Follow up.
9. Find an ally.
10. Give first, without expecting to receive.