June 2009 - Posts
I use Firefox as a complementary browser, and the latest version became available today. The upgrade from 3.0.11 went well, and so far there are no issues in using the new version.
Firefox 3.5 Home Page
Firefox 3.5 Key Features
Malware writers often use tragic news events to trick users into opening malicious website links, YouTube video links, or attachments. While most AV vendors have coverage in place, please avoid these types of email messages, which are now actively circulating.
Malicious SPAM related to passing of Michael Jackson and Farrah Fawcett
QUOTE: Michael Jackson virus already. Well, it didn't take long for the "them" to abuse the situation, did it?
The spam email appears to offer a link to a YouTube video, but instead sends the recipient to a Trojan Downloader hosted on a compromised Web site. The file offered is called Michael.Jackson.videos.scr.
Below are some excellent articles and awareness material on this popular form of attack. These rogue programs keep improving at imitating anti-virus products and should be avoided, as they are difficult to clean.
Excellent Article on Scareware and other Rogue security programs
QUOTE: In some cases, the fake software you buy may actually provide you with some nominal protection. But mostly for your $30 to $80 the only thing you get is temporary relief from the obnoxious dialogue boxes, and misleading hard drive scans.
HOW SCAREWARE TRICKERY ENSNARES INTERNET USERS
1 Criminals buy blocks of ad space on websites, intermittently slipping in a tainted ad.
2 Just visiting a webpage with a tainted ad causes a fake warning box to appear.
3 Clicking "OK" or "Cancel" launches the same thing: a "free scan."
4 After you've been lured into a fake "free" scan of your PC:
5 The bogus scan will purport to find a virus infestation.
6 Ensuing boxes steer the user to activate "Personal Antivirus," on left.
7 The activation prompts take the user to a shopping cart.
8 Declining to place an order triggers endless fake scans.
What is Scareware
QUOTE: Scareware is a type of malware designed to trick victims into purchasing and downloading useless and potentially dangerous software. Scareware, which generates pop-ups that resemble Windows system messages, usually purports to be antivirus or antispyware software, a firewall application or a registry cleaner. The messages typically say that a large number of problems -- such as infected files -- have been found on the computer and the user is prompted to purchase software to fix the problems. In reality, no problems were detected and the suggested software purchase may actually contain real malware.
Scareware programs produced by those companies include: DriveCleaner, WinAntivirus, ErrorSafe, WinFixer and XP Antivirus.
As many folks realize, Microsoft does not distribute updates by email. However, Microsoft will alert users who have signed up for Patch Tuesday notifications that new updates are available.
In the links below, Trend Labs notes a highly deceptive email that contains authentic looking HTML and valid Microsoft site links. Even the wording appears to be legitimate. The email address is also spoofed to appear as if it originated from "Microsoft Customer Support".
Fortunately, messages with spoofed email headers often end up in the spam or bulk mail folders automatically. As Trend Labs notes, the best practice of hovering over email links would reveal a different URL than the one shown in the message.
Finally, when notified of any vendor update it's always best to go to the vendor's home site and check directly (rather than using the email link). However, this particular attack could trick some users, as it bears some resemblance to a genuine Microsoft security notification.
Trend Labs - “Critical Update” Leads to Critical Info Theft
Spoofed “Critical Update” appears to originate from Microsoft
QUOTE: Microsoft Corporation regularly issues updates to fix bugs and security vulnerabilities in its software products. These updates are meant to protect its users from different attacks that depend mainly on exploiting these documented bugs. Close to the weekend, we identified spam claiming to be a Microsoft Outlook and Outlook Express critical update that “offers the highest levels of stability and security.”
Our engineers confirm that the list contained several names of banking institutions, among other social networking targets like Facebook and MySpace, and media sites YouTube and Flickr. The list can be viewed here. Note that the said list may be changed at any time.
How does the scam work? Whenever the user visits any of the monitored sites, the Trojan starts logging keystrokes. It then saves gathered information (which presumably includes sensitive information like user name and password, credit card information, etc.) in a file and then sends the file to a dedicated server.
SPAM email should always be deleted without opening it or any accompanying attachments. Every day I receive numerous dating-service and other SPAM messages in my personal email.
Some key dangers include tricking users into visiting malicious websites or into revealing credit card or personal information.
Trend Labs shares some dangers in a good awareness article below:
QUOTE: Today we have noticed an increase in the amount of dating spam mails containing phrases such as:
I’m emailing you because I like you
wanted to let you know about my profile
you have been invited to join
The link in the spam points to an adult-dating web page, as well as a profile on the right corner of the screen with a huge clickable ad that says, CLICK HERE TO CHAT FOR FREE.
Following the link opens a page where the visitor is asked to register by providing an email address and password. Afterward the visitor’s browser opens a new site where he/she is prompted to create a preferred chat handle (username). Users tempted to correctly fill out the forms from the shown web pages provide a free service to the cybercriminals as they reveal their valid email addresses, passwords, and credit card information.
Please be careful with website visitations as malicious attacks continue to compromise some sites that may not be locked down well from a security standpoint.
Nine-Ball Mass Injection attack compromises 40,000 Websites
QUOTE: Websense Security Labs has detected another large mass injection attack in the wild after the Beladen and Gumblar attacks. We are calling this mass compromise Nine-Ball because of the final landing site. We have been tracking the Nine-Ball mass compromise since 6/03/2009. To date, over 40,000 legitimate Web sites have been compromised with obfuscated code that leads to a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a trojan downloader on the user's machine.
After redirection, the exploit payload site returns highly obfuscated malicious code. The malicious code attempts to exploit MS06-014 (targeting MDAC) and CVE-2006-5820 (targeting AOL SuperBuddy), as well as employing exploits targeting Acrobat Reader and QuickTime. The MS06-014 exploit code will download a Trojan dropper with low AV detection rate. This dropper drops a dll with the name SOCKET2.DLL to Windows' system folder. This file is used to steal user information. The malicious PDF file, served by the exploit site, also has very low AV detection rate.
Several reports are circulating in the media about a new Microsoft consumer security product that will soon be announced. As early reports sometimes contain inaccuracies, only the official announcements by the company should be relied on at this point.
Hopefully, MSE will be successful in providing basic security protection. WGA validation also seems to be a reasonable requirement for the enhanced malware protection this product will offer. Once official Microsoft announcements are published, we'll know more about this new product.
Microsoft Security Essentials (MSE) Beta version to be released soon
PC Magazine - Early in-depth evaluation
QUOTE: Microsoft Corp. today said it will release a public beta of its free antimalware software, now called Microsoft Security Essentials, formerly "Morro," next Tuesday for Windows XP, Vista and Windows 7. "This is security you can trust," said Alan Packer, general manager of Microsoft's antimalware team, when asked to define how it differs from rivals, both free and not. "And it's easy to get and easy to use." He stressed the Security Essentials' real-time protection over its scanning functions, which are both integral to any security software worth its weight. "Rather than scan and clean, which it also does, it's trying to keep you from being infected in the first place," Packer said. Microsoft will not give Security Essentials to everyone who wants it, however. PCs running a copy of Windows that Microsoft decides is counterfeit or pirated -- "non-genuine" in its parlance -- cannot download a copy of the security software.
Hopefully, the Twitter site administrators can respond promptly to the proof-of-concept vulnerabilities crafted by Aviv Raff, a highly experienced security researcher. Users should be alert for any major issues that surface. Most importantly, be careful with all forms of communication, keeping a good focus on privacy and security.
Month of Twitter Bugs - July 2009
QUOTE: A well-known security researcher plans to use the month of July to expose serious vulnerabilities in the Twitter ecosystem. The Month of Twitter Bugs, a project which launches on July 1, is the handiwork of Aviv Raff, a researcher known for his work on Web-based security issues. Raff, who previously warned that the Twitter API is ripe for abuse, says the project will disclose a combination of cross-site scripting (XSS) and cross-site request forgery (CSRF) flaws that put Twitter users at risk of malicious hacker attacks.
Microsoft is adjusting Autorun technology for XP to provide the improved safety Vista currently supports. AVERT Labs shares an awareness that any portable storage device (e.g., MP3 players, digital picture frames, digital cameras) may also be vulnerable to Autorun malware attacks. Additionally, these worms often infect unprotected network shares, as well as compromising accounts with weak passwords.
Autorun Worms - Infect more than just USB Flash Drives
QUOTE: Here’s a little quiz: Which of the following devices may be susceptible to AutoRun worms?
Answer - Most USB devices that you can plug into your computer that have storage.
How many of you have an MP3 player? How many of you plug the device into more than one computer? Bingo, that’s a vector for replication. How about a digital video camera, or a digital picture frame? Yep, they can also be infected. Just imagine this one: “Here you go grandma, a picture of little Bobby. Oh, and a little surprise to go with it, as well.” Devices such as MP3 players are just glorified storage drives with additional functions. One unintended aspect of this functionality may be to assist in worm propagation.
In almost all cases, Windows Update (or preferably Microsoft Update) works accurately. I usually update manually right away without waiting for Automatic Updates to start. Windows Update can be invoked immediately by selecting the Windows Update option found under the IE8 Safety Shield icon, or by other methods.
All work PCs were updated without issues for the June 2009 security updates. However, I encountered a rare error on our family PC at home. A total of 10 of the 11 updates were downloaded and installed properly. After rebooting, security update MS09-025 kept failing with a "Download Failed" message. I noted a temporary folder on C: created by the June updates that may have been a factor.
After 3 tries using Windows Update, I then went to Microsoft Download site to manually download the MS09-025 patch. As a starting point, I searched using keyword MS09-025 to locate the specific update that needed to be applied. After locating the XP security patch, I downloaded and installed this patch manually outside of the regular Windows Update process.
Microsoft's Download Site
Search by bulletin or KB # to find a specific security update for your O/S
After successfully installing MS09-025 and rebooting, I re-invoked Windows Update to ensure there were no updates left to be applied. This final step confirmed that the manual update process was successful. We are now properly up-to-date at home with these important protective patches.
I've used Opera as a complementary browser since the free "ad-bar" version first surfaced several years ago. Thankfully the ad bar was later removed and Opera has enjoyed a good track record in security, innovation, and web standards support. While less popular than IE or Firefox, it offers a sophisticated and reliable browser environment. It is working well so far in early testing.
Opera 10 Beta - New Innovations
QUOTE: The Opera 10 beta includes new features—including a Turbo mode that aims to speed slow connections—that will likely find their way into rival browsers in the future. Ever wonder what features will be found in the next generation of Web browsers? Well, usually there’s one easy way to find out: Just check out the latest version of Opera. Opera may not be the best known or most used Web browser out there, but, over the years, it has been one of the most innovative. Often, features that become mainstays across browsers appeared first in Opera.
Opera 10 Beta - Features
Opera 10 Beta - Download
Opera 10 Beta - Blog
Opera 10 Beta - New Features
KEY NEW FEATURES
* Opera Turbo Mode
* Automatic updates
* Crash logging
* Inline spelling checker
* 100/100 and pixel-perfect on the Acid3 test
* Significantly improved performance, particularly on CSS/HTML rendering
* Opera Mail HTML Compose support
Every monthly update should be applied as soon as possible. Often we are racing against the clock to patch all systems to make them safer from exploits that will emerge or may already be found in-the-wild.
The June 2009 security release has 10 security updates that cover 31 vulnerabilities in Windows, IE, Office, and IIS. So far these installed updates are working well and without issues on my PCs. As some of the patched vulnerabilities have working exploits, it is important for everyone to PATCH NOW.
Microsoft Security June 2009 Updates - IMPORTANT Patch Tuesday Updates
MS09-018 - Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)
MS09-019 - Cumulative Security Update for Internet Explorer (969897)
MS09-020 - Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
MS09-021 - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)
MS09-022 - Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)
MS09-023 - Vulnerability in Windows Search Could Allow Information Disclosure (963093)
MS09-024 - Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)
MS09-025 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
MS09-026 - Vulnerability in RPC Could Allow Elevation of Privilege (970238)
MS09-027 - Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)
Excellent Analysis of updates
Microsoft asking for help with SysInternals Survey
QUOTE: Hands-down the best tools for determining what is going on on a Windows system are Mark Russinovich's and Bryce Cogswell's Sysinternals Tools. Frequent contributor Roseman has pointed out that Microsoft is asking for your help improving the Sysinternals tools. Over at the Microsoft Technet blog they are requesting Sysinternals users to take a short survey.
QUOTE: Sysinternals Customer Survey – We could use your help. We're looking into who uses the Sysinternals tools and what other Microsoft tools you use. Please take this very short questionnaire (7 questions max. depending on how you answer). We won’t ask you who you are, your email or anything that can identify you. - Thanks
Recently, I saw articles stating that the Gumblar website injection attacks were gaining strength and could become worse than Conficker. Gumblar was a very sophisticated malware attack that took off like wildfire a couple of weeks ago. Thankfully, this new threat has almost faded away, as the malware hosting websites were quickly shut down by authorities.
Experts: Gumblar attack is alive, worse than Conficker
Gumblar Attacks Dying Off
Conficker is still alive and well, as it continues to infect up to 50,000 PCs daily. Users need to stay up-to-date on all security updates and AV protection. We should follow major evolving threats, as sophisticated stealth attacks continue to circulate.
Conficker still infects approximately 50,000 PCs daily
QUOTE: The worm is infecting about 50,000 new PCs each day, according to researchers at Symantec, who reported Wednesday that the U.S., Brazil and India have been hit the hardest. "Much of the media hype seems to have died down around Conficker/Downadup, but it is still out there spreading far and wide," Symantec said in a blog post.
Malware writers continue to use sophisticated new techniques to hide malware. This new Autorun worm variant can hide inside ZIP archives, where AV products sometimes have difficulty locating the embedded infections.
WORM_AUTORUN.JFZ injects a copy of itself into every ZIP archive
QUOTE: TrendLabs in Europe, has notified us of a worm that has a unique way of hiding: on infection, WORM_AUTORUN.JFZ writes a copy of itself in every ZIP-compressed file it finds on a system.
When WORM_AUTORUN.JFZ places a copy of itself in an archive, it uses a double extension by adding .GIF and .SCR. The .GIF extension is used as its social engineering factor. Curious users who still have their default configurations set in Windows Explorer (where the extension of known file types is hidden) may have an unpleasant experience once they double-click on the purported image file. The .SCR extension, on the other hand, makes it an executable file.
Writing in data files is not the only way this worm assures its existence on a system. It also makes use of traditional spreading methods like dropping a copy of itself (which is kkk.exe) in tandem with autorun.inf into all available physical, removable, and shared drives.
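The double-extension trick described above (a decoy .GIF in front of an executable .SCR) is easy to check for when scanning archives, and the same pass can catch an autorun.inf or a PE image hidden under a harmless extension. This is an added example, not Trend Micro's detection logic; the archive it scans is constructed in memory with harmless stub bytes, and the member names only imitate the naming pattern the post describes.

```python
# Added example: scan ZIP members for the decoy double-extension pattern
# ("picture.gif.scr"), bare executables, an autorun.inf, or a PE header
# under a non-executable extension. Not Trend Micro's code; sample archive
# is constructed here with harmless stub bytes.
import io
import zipfile

EXEC_EXT = {"scr", "exe", "com", "pif", "bat", "cmd", "vbs", "js"}
DECOY_EXT = {"gif", "jpg", "jpeg", "png", "bmp", "txt", "doc", "pdf", "mp3"}


def classify_entry(name, head):
    """Return the reasons an archive member looks suspicious (empty if none).
    name: member path inside the ZIP; head: its first bytes."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = parts[-1]
    if ext in EXEC_EXT:
        if len(parts) >= 3 and parts[-2] in DECOY_EXT:
            reasons.append(f"decoy double extension .{parts[-2]}.{ext}")
        else:
            reasons.append(f"executable entry .{ext}")
    elif head.startswith(b"MZ"):
        # Windows executable image stored under an innocent-looking name.
        reasons.append("PE header under non-executable extension")
    if base == "autorun.inf":
        reasons.append("autorun.inf inside archive")
    return reasons


def scan_zip(data):
    """Scan ZIP bytes; return {member_name: [reasons]} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample (not a real malware sample): benign files plus
    entries named like the worm's decoys, holding a fake 'MZ' stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/report.txt", "quarterly numbers")
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0 fake jpeg")
        zf.writestr("Michael.Jackson.videos.scr", b"MZ stub")
        zf.writestr("photos/family.gif.scr", b"MZ stub")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_archive()).items():
        print(member, "->", "; ".join(why))
```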
The government's military standards for wireless connectivity and security are very comprehensive. The 19 PDF documents found in the 6MB ZIP file below cover numerous wireless conventions and topics. They provide valuable guidelines for corporate IT in creating wireless security policies, and they are an excellent educational resource for improving wireless security as well.
Wireless STIG, Version 6 TIM (UNCLASSIFIED)
TABLE OF CONTENTS FOR PRIMARY DOCUMENT
1.1 Background
1.2 Authority
1.3 Scope
1.4 Writing Conventions
1.5 Vulnerability Severity Code Definitions
1.6 STIG Distribution
1.7 Document Revisions
2. HOW TO PERFORM A WIRELESS REVIEW
3. WIRELESS AND HANDHELD SYSTEM REQUIREMENTS
3.1 Wireless Policy – APPLICABLE to all Devices
3.2 WLAN Compliance Requirements
3.2.1 WLAN Network Devices (WLAN Access Points, Controllers, Authentication Servers, &
3.2.2 WLAN Network Devices (WLAN Bridges)
3.2.3 WLAN Clients
3.2.4 Classified WLANs
3.3 Wireless Metropolitan Area Network (WMAN) Compliance Requirements
3.4 Bluetooth
3.5 Miscellaneous Wireless Networking Systems Compliance Requirements
3.5.1 RFID Systems
3.5.2 Free Space Optic (FSO) Terminal Devices
3.5.3 Wireless VoIP
3.5.4 Wireless Keyboards and Mice
3.6 PDA, Smartphone, and Non-wireless E-mail device Compliance Requirements
3.7 Compliance Requirements for Wireless Remote Access Connections to DoD Networks
APPENDIX A. REFERENCES
A.1 Policy References
A.2 Technical References
APPENDIX B. VMS PROCEDURES
APPENDIX C. LIST OF ACRONYMS
APPENDIX D. SRR WORKSHEETS
This new rogue security program is socially engineered to mimic how a true anti-virus product would behave. The screens appear authentic and are professionally done. This program could trick some users, as it's designed to take the user's money without truly cleaning any infections.
Malware Doctor - Another Rogue program to avoid
QUOTE: As do most other rogue security programs, Malware Doctor displays misleading fake alerts to entice users into buying a product to “repair” malware problems.
We also noticed some new features in Malware Doctor. Once installed, it performs a system scan. Users see a message indicating this “unregistered” version of Malware Doctor won’t be able to heal or remove infected files and asking the user to activate it at a cost.
Unlike many rogue security programs, which display excessive fake alerts, this version of Malware Doctor reports only a few detections so users will not be very suspicious of it. Once this Trojan detects a supposedly malicious file, it will pop up a message. This Trojan even makes use of McAfee’s malware naming convention.
As noted in Sunbelt's blog, Rod Trent kindly shared this important tuning guide that can improve performance for corporate AV product implementations.
QUOTE: Earlier in the week, I posted a good set of guidelines for enterprise administrators from Microsoft for antivirus exclusions. Unfortunately, the page that I linked to got pulled. However, Rod Trent was kind enough to share the document (see link below):
Anti-Virus Exclusion Guidelines for Microsoft Applications
QUOTE: WHY EXCLUDE -- It is important to achieve a balance between ensuring a secure and virus free server environment while also not interfering with reliability and performance of each server. A lack of exclusions with regards to virus scanning has traditionally been one of the main causes of outages with regards to applications and services. In addition, virus scanning is often a cause of performance issues.
Another excellent illustrated guide by Steve Friedl describes the value of UAC and the setup procedures for it on the new Windows 7 operating system.
Steve Friedl - Configuring Windows 7 for a Limited User Account
QUOTE: UAC was introduced with Vista and was widely maligned due to its in-your-faceness, and though it's calmed down some as Vista has been updated, it seems to have really hit its stride in Windows 7. I like UAC a lot. But even in its imperfect form, it was a good idea, attempting to brighten the terribly blurry line between administrative tasks and user tasks that has plagued Windows since the early days.
Table of Contents
* User Account Control explained
* Method 1: Configuring a new install
* Method 2: Demoting an existing install
* Disabling the Administrator account
* Picking a password
* Securing yourself out of your own machine