August 2009 - Posts
August 2009 - Top MSRT Detections
QUOTE: This month the MMPC added a new threat family, Win32/FakeRean, to the MSRT. You can refer to Hamish’s blog post, “Win32/FakeRean and MSRT” for more details on this fake, or rogue, security software. As of August 24, the MSRT had cleaned FakeRean from 162,328 infected machines. The following table shows data gathered from the MSRT since its August release.
Win32/Taterf noticeably still holds first place in the MSRT’s top detections. This is a family of worms that spread via mapped drives in order to steal login and account details for popular online games. Taterf is closely related to Win32/Frethog, another MSRT family added at the same time as Taterf, and also found in the above list. We believe that the two are based on the same source code due to the similarities between them. Since they were first added, these two families have been ranked near the top and this month is no exception. You can revisit a previous blog post about this threat for more in-depth details.
Family      Detections   Machines cleaned
Taterf         544,662      463,000
Renos          308,789      228,973
Alureon        249,101      211,441
FakeRean       219,359      162,328
Bancos         173,134      158,152
Koobface       274,769      134,139
Frethog        140,218      132,827
Cutwail        166,284      110,840
Rustock         98,673       90,788
Tibs            93,175       84,081
I was surprised to see that "A" and "B" variants for the Conficker worm are still thriving in-the-wild. It exploits MS08-067, autorun exposures, and other vulnerabilities on unpatched systems. While the 6 million IP addresses are not the true number of PCs infected, there are still a sizeable number that need patching.
Conficker Still A Big Deal
Conficker Working Group - Current Statistics
Conficker Infection Test - Can you see all 6 images? (if yes your PC is okay)
QUOTE: The Conficker worm outbreak seems so long ago and there's been no news about it for so long, but that doesn't mean it went away.
The Conficker Working Group, a consortium of security and related companies, continues to track the massive botnet created by the outbreak. These days it runs at around 6.2 million unique IP addresses. About 80% of these appear to be Conficker A and B. The C variant was not all that successful, because the avenues for its spread had already been largely cut off.
The fact that the numbers fluctuate within a fairly narrow range means that the botnet is pretty stable, but it's hard to say exactly what's happening. The testing measures IP addresses which means that some systems (notebooks that roam from network to network) are overcounted and some (networks with NAT) are undercounted. I think it all adds up to a very stable network; the systems that got infected in the original outbreaks are, by and large, still infected.
These tables are specifically for the A+B infections.
Day        Date         Total HTTP hits   Unique IPs
Friday     2009-08-28       329,610,182    5,768,246
Thursday   2009-08-27       369,957,038    5,882,556
Wednesday  2009-08-26       366,973,896    5,864,465
Tuesday    2009-08-25       328,376,902    5,675,661
Monday     2009-08-24       280,028,571    5,726,258
Sunday     2009-08-23       305,703,590    5,157,771
Saturday   2009-08-22       337,360,653    5,263,328
Friday     2009-08-21       334,046,979    5,649,833
Thursday   2009-08-20       347,347,632    5,723,993
AV vendors are preparing to release their 2010 product versions this fall. New "2010" rogue variants have already emerged from the Antivirus 2009 family. These fake programs trick users into believing they are legitimate products; once installed, they display a continuous stream of fake malware warnings to convince the user to send $39 electronically to the malware authors.
Prepare for the new upcoming 2010 AV products
PC Antispyware 2010 - This fake AV product is malicious
QUOTE: Many major security companies are about to release their new retail product for 2010. Expect some comparative reviews in the next months, check what you need and stay protected. Some ‘2010’ products are already out on the web, but unfortunately most of them are FakeAlert Trojans or Scareware.
Once downloaded, you see pop-up windows alerting you about malware found on your machine and asking you to buy the product. The actual problem is the software you just executed. PC Antispyware 2010 is a perfect example of such "malicious software disguised as legitimate software".
What is Rogue Software?
QUOTE: Rogue security software is a form of computer malware that deceives or misleads users into paying for the fake or simulated removal of malware. Rogue security software, in recent years, has become a growing and serious security threat in desktop computing.
As the TrendLabs article reports, Firefox is becoming a greater target for malware development because it is a popular browser choice. Everyone should remain careful no matter which operating system or browser they use.
Firefox Add-on Spies on Google Search Results
Microsoft is in the process of implementing Office Genuine Advantage (OGA) controls to ensure copies of Office are legitimate. These controls are similar to the Windows Genuine Advantage (WGA) controls, which have improved since the earlier implementations. Corporate and home users can visit the OGA home page below for more information, or for the rare cases where issues surface on legitimate copies.
Microsoft rolls out next phase of Office Genuine Advantage
QUOTE: Microsoft updates this week will contain code to check for pirated versions of Office XP, Office 2003 and Office 2007. It’s the next phase of the “Office Genuine Advantage” (OGA) program which will throw up a nag screen that says “This copy of Microsoft Office is not genuine” if it finds a pirated version. Theft by software pirates is vast. It was estimated that 41 percent of the software on machines throughout the world in 2008 was pirated – a $50 billion loss to manufacturers and resellers.
Office Genuine Advantage (OGA) - Home Page
Moving to WPA2 is worthwhile for safer wireless security, even if it means purchasing new hardware. The point is the cipher, not the label: the attack below targets TKIP, so a WPA2 network left in a "mixed" or TKIP mode is still exposed. Configure the access point for WPA2 with AES (CCMP) only, and turn off TKIP and WPA version 1 compatibility.
Internet Storm Center -- WPA with TKIP done
QUOTE: Researchers in Japan describe how to perform the Beck-Tews style attack against any WPA-TKIP implementation, in under a minute. The paper and upcoming presentation have already been covered in the mainstream media. If your hardware supports it, time to consider moving to WPA with AES or WPA2.
Full 12 Page Study
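Because the exposure depends on which ciphers an access point actually offers, it is worth checking the configuration rather than trusting the "WPA2" checkbox. The following is an added example written for this post, not code from the ISC diary or the paper it links to: it audits a hostapd.conf for any path by which a client could end up negotiating TKIP, with a constructed weak "mixed mode" config beside its corrected form. It assumes hostapd's key names (wpa, wpa_pairwise, rsn_pairwise, wpa_key_mgmt) and hostapd's documented behaviour that rsn_pairwise defaults to the wpa_pairwise value when it is not set.

```python
"""Audit a hostapd.conf for TKIP exposure (added example, not from the ISC post).

Assumes hostapd's key names and that rsn_pairwise defaults to wpa_pairwise
when unset. The two configs below are constructed samples.
"""
from typing import Dict, List

# Constructed sample: a typical "WPA/WPA2 mixed" consumer-style setup.
# wpa=3 means bit 1 (WPA version 1) and bit 2 (WPA2/RSN) are both enabled.
# rsn_pairwise is unset, so WPA2 clients inherit "TKIP CCMP" as well.
WEAK_CONF = """
interface=wlan0
ssid=HomeNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=correct horse battery staple
"""

# Constructed sample: the corrected setup, WPA2 only with CCMP (AES) pinned.
HARDENED_CONF = """
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple
"""


def parse_hostapd(conf_text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and lines starting with '#' are skipped."""
    settings: Dict[str, str] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_tkip(conf_text: str) -> List[str]:
    """Return findings describing every way a client could end up on TKIP.

    An empty list means WPA2 with CCMP is the only option offered.
    """
    s = parse_hostapd(conf_text)
    findings: List[str] = []
    try:
        wpa = int(s.get("wpa", "0"))
    except ValueError:
        return ["wpa=%r is not a valid value" % s.get("wpa")]
    if wpa == 0:
        return ["wpa=0: no WPA/WPA2 at all (open or WEP network)"]

    wpa_pairwise = s.get("wpa_pairwise", "").split()
    # hostapd documents rsn_pairwise as defaulting to wpa_pairwise when unset.
    rsn_pairwise = s.get("rsn_pairwise", s.get("wpa_pairwise", "")).split()

    if wpa & 1:
        findings.append("wpa=%d: WPA (version 1) is still offered" % wpa)
        if "TKIP" in wpa_pairwise:
            findings.append("wpa_pairwise offers TKIP to WPA clients")
        elif not wpa_pairwise:
            findings.append("wpa_pairwise not set explicitly; pin it to CCMP")
    if wpa & 2:
        if "TKIP" in rsn_pairwise:
            findings.append("rsn_pairwise offers TKIP to WPA2 clients "
                            "(the WPA2 label alone does not remove TKIP)")
        elif not rsn_pairwise:
            findings.append("rsn_pairwise not set explicitly; pin it to CCMP")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_tkip(conf)
        print(name, "->", result or "OK: WPA2/CCMP only")
```

Run it against your own hostapd.conf by reading the file into `audit_tkip`; anything it returns is a cipher or protocol version that should be removed before relying on the "WPA2" label.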
A low-tech attack, but one that appears to be socially engineered well enough to deceive folks. Those in the financial services industry should exercise caution as noted below:
Malicious CD ROMs mailed to banks
QUOTE: The National Credit Union Administration (NCUA) published an interesting advisory. Member credit unions evidently are reporting receiving letters which include two CDs. The letters claim to originate from the NCUA and advertise the CDs as training materials. However, it appears that the letter is a fake and the CDs include malware.
This dangerous botnet uses advanced techniques to hide, to steal ID/password information, and to spread to other PCs. It was recently highlighted as one of the top 10 threats, and its design is very sophisticated.
All Your Info Are Belong to Us
QUOTE: Ilomo has two key components to its business plan. The first is good old fashioned information stealing. Ilomo injects its code into the browser and monitors the internet connection waiting for the user to connect to one of over 4,000 banking, financial or webmail sites. Ilomo ‘s second source of revenue is selling “anonymity as a service.” Every infected Ilomo machine acts as a proxy so that criminals can route their illegal activities through different networks and countries.
Ilomo Botnet - Detailed analysis (30 page PDF)
Corporate administrators should apply SP2 so that WSUS itself stays current and gains the latest fixes and functions (including support for Windows 7 and Windows Server 2008 R2).
WSUS 3.0 SP2 released
QUOTE: The most important feature is probably the integration with up and coming versions of Windows like 2008 R2 and Windows 7. Without WSUS support, it would be hard for many organizations to deploy these new Windows versions. One improvement that caught my attention: "Stability and reliability fixes are included for the WSUS server, such as support for IPV6 addresses that are longer than 40 characters."
eWeek shares a good summary of new features that will be coming in Windows 7:
10 Microsoft Windows 7 Features to Anticipate
QUOTE: Microsoft Windows 7, touted as an improvement on both Vista and XP, will include many changes to previous versions of the operating system. In addition to fundamental improvements, such as programming tweaks that increase its overall speed, there will also be funkier adjustments, including eccentric new wallpapers.
SUMMARY OF TEN FEATURES FROM EWEEK EVALUATION
1. Less of a Memory Hog - memory management that drives resources only to open windows, meaning that minimized applications no longer drain power like they did with Vista.
2. The Taskbar - reduces your open applications to thumbnail logos—hover your cursor over one of the logos, and tiny preview windows for the application will open.
3. Windows XP Mode - thanks to virtualization, allows old applications to run in Windows XP within a Windows 7 machine
4. Federated Search - allowing users to explore local and network drives on top of intranet storage.
5. Libraries - higher degree of granular control over how they order and store their information
6. User Account Control - users are able to choose "Never Notify," "Always Notify" and two options in between whenever a program attempts to make a change
7. Start Menu - more customizable, with users able to adjust how links, icons and menus are displayed and behave.
8. AppLocker - used to lock down certain applications on an administrator level. This granular access control to applications can potentially make lives easier for
9. Chance to Get Rid of Vista and XP - welcome chance for many PC users to finally upgrade their desktop or laptop to a more efficient, 21st century operating system.
10. The Trippy Backgrounds - new wallpapers being offered with Windows 7 are colorful, to say the least
Adobe Flash Cookies - Privacy concerns
As with regular HTTP cookies, Flash cookies (local shared objects, stored outside the browser's cookie jar) have some potential for misuse, and a browser's "clear cookies" function does not remove them. While most sites are safe, clearing both types of cookie files on a periodic basis, through the Flash Player settings panel or by deleting the stored files, can help safeguard privacy.
QUOTE: This is a pilot study of the use of 'Flash cookies' by popular websites. We find that more than 50% of the sites in our sample are using flash cookies to store information about the user. Some are using it to 'respawn' or re-instantiate HTTP cookies deleted by the user. Flash cookies often share the same values as HTTP cookies, and are even used on government websites to assign unique values to users. Privacy policies rarely disclose the presence of Flash cookies, and user controls for effectuating privacy preferences are lacking.
How to control Flash Cookie and other options
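For anyone who wants to see what Flash has stored for their account, or clear it on a schedule, the following is an added example written for this post, not code from Adobe or from the study quoted above. It enumerates the .sol files under the per-user #SharedObjects directory, grouped by the site that wrote them, and optionally purges everything except a keep-list. It assumes Flash Player's per-user layout of `#SharedObjects/<random id>/<domain>/<path...>/<name>.sol` and the platform root directories named in `sharedobjects_root`.

```python
"""Enumerate and purge Flash Player local shared objects (added example).

Not Adobe's code. Assumes the per-user layout
    <root>/#SharedObjects/<random id>/<domain>/<path...>/<name>.sol
and the platform root directories returned by sharedobjects_root().
"""
import os
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Tuple


def sharedobjects_root() -> Path:
    """Per-user #SharedObjects directory for the current platform (assumed paths)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        appdata = Path(os.environ.get("APPDATA", str(home / "AppData" / "Roaming")))
        return appdata / "Macromedia" / "Flash Player" / "#SharedObjects"
    if sys.platform == "darwin":
        return home / "Library" / "Preferences" / "Macromedia" / "Flash Player" / "#SharedObjects"
    return home / ".macromedia" / "Flash_Player" / "#SharedObjects"


def list_lsos(root: Path) -> Dict[str, List[Tuple[Path, int]]]:
    """Map each site (the domain directory) to its .sol files and their sizes."""
    by_site: Dict[str, List[Tuple[Path, int]]] = {}
    if not root.is_dir():
        return by_site
    for sol in root.rglob("*.sol"):
        parts = sol.relative_to(root).parts
        if len(parts) < 3:          # expect <random id>/<domain>/.../file.sol
            continue
        site = parts[1]
        by_site.setdefault(site, []).append((sol, sol.stat().st_size))
    return by_site


def purge_lsos(root: Path, keep: Iterable[str] = ()) -> List[Path]:
    """Delete every .sol file except those belonging to sites listed in `keep`.

    Returns the paths removed. Empty directories are left behind; Flash
    recreates the tree as needed. The separate settings store under
    '<Flash Player>/macromedia.com/support/flashplayer/sys' is not touched,
    so per-site storage permissions you set in the settings panel survive.
    """
    keep_set = set(keep)
    removed: List[Path] = []
    for site, entries in list_lsos(root).items():
        if site in keep_set:
            continue
        for path, _size in entries:
            path.unlink()
            removed.append(path)
    return removed


if __name__ == "__main__":
    root = sharedobjects_root()
    for site, entries in sorted(list_lsos(root).items()):
        total = sum(size for _p, size in entries)
        print("%-40s %3d file(s) %8d bytes" % (site, len(entries), total))
    if "--purge" in sys.argv:
        print("removed", len(purge_lsos(root)), "file(s)")
```

Running the script with no arguments only lists what each site has stored; `--purge` deletes it. Sites that "respawn" HTTP cookies from Flash storage, as the study describes, will show up here with the same identifier values that appear in the browser's cookie store.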
An interesting look at some of the worst recent and historical attacks:
Looking Back: Six Years Since MSBLAST
QUOTE: TrendLabs experts are regularly asked what—in their opinion—are the most dangerous malware of all time.
1. CONFICKER (DOWNAD): Multiple Propagation, Multiple Damage – Found in November 2008, this massive threat took advantage of the MS08-067 vulnerability. It spawned several other variants, each new variant an improvement over the last. It impacted LAN traffic in several corporate networks.
2. KOOBFACE: The Scourge on Social Networks – Initially found in August 2008, KOOBFACE leveraged the connectivity provided by social networking sites like Facebook and MySpace.
3. ZBOT: Organized Information Theft – Also known as variants of Zeus malware, ZBOT Trojan spyware are usually delivered via the Web either by email or Web exploits.
4. SQL Slammer: Single-Handed Internet Sabotage – This attack is notorious for drastically slowing down general Internet traffic in the early morning of January 25, 2003 (UTC).
5. VBS_LOVELETTER: Internet Love Bug – This attack, with remarkably simple yet effective social engineering (the string "ILOVEYOU" in the subject heading) that triggered recipients' curiosity, first plagued email inboxes on May 4, 2000. It infected 10% of computers worldwide, with each harboring an average of 600 infected files.
6. Melissa Virus – The first mass-mailer (started in March 1999); shut down entire Internet mail systems clogged with infected emails
7. MSBLAST – One of the more memorable network worms to take advantage of system vulnerabilities. It was first triggered around this time in the year 2003.
8. SDBOT/AGOBOT – Pioneered modular IRC-based botnets; current IRC bots still use the same codebase; still alive today
9. Web Toolkits – Collective term for commercial-grade software that aid cybercriminal activity; allegedly responsible for high-profile web compromises like the “Italian Job”
10. ILOMO – Trojans arriving via Web-based exploits that stay active in memory even after the binary has been deleted from the system, resulting in multiple, recurring reinfections (first appeared March 2009)
Computerworld's review finds Windows 7 a worthwhile upgrade, as noted below:
Review: Windows 7 RTM -- a closer look
QUOTE: Windows 7 is a solid, well-performing operating system, free of many of the glitches that bedeviled the launch of Windows Vista. Speed improvements, interface enhancements and easier ways to manage your documents make this a new operating system in its own right, and one that's well worth the upgrade.
Sunbelt shares this interesting article:
Windows pirates in China get jail, fines
QUOTE: Four software pirates in China were sentenced to several years in prison and fined for running a web site that distributed, FOR FREE, 10 million copies of Windows XP over five years, according to the Shanghai Daily newspaper.
Always avoid falling for these fraudulent scams, as new and improved approaches continue. AVERT Labs (McAfee) shares some of the latest developments:
AVERT Labs - Scammers love your Money
QUOTE: For some individuals, these swindles, called advance fee fraud (also known as 419 fraud) and romance scam, are a primary source of revenue. They also employ lottery and fake prize scams.
Usually, the Windows Update process works smoothly for Patch Tuesday security updates. The newer Microsoft Update is a better choice as it includes Office security updates as well. Sometimes, an issue can surface and I've found that searching on the error message code can almost always point out a good solution. You can also contact Microsoft for free support in some cases if there are no documented solutions (e.g., search on "Microsoft PC Safety")
Below is an example of resolving an issue from the important August updates:
Patch Tuesday - Client update issue 0x8DDD0007 Registry error during update
ISSUE ENCOUNTERED - REGISTRY ERROR DURING UPDATE
Read more about steps you can take to resolve this problem (error number 0x8DDD0007) yourself.
SEARCHED ON ERROR MESSAGE
WHAT WORKED FOR ME (solution #1 from KB)
1. Installed all the successful updates
3. Another Microsoft Update (manually invoked)
4. Ran the final update in a standalone mode with no other applications running
6. Invoked Microsoft Update one final time to ensure all updates had been applied
I agree with this recommendation as IE8 offers better security than any past release. As IE6 is on very limited support, some security holes may never be patched. IE8 offers improved protection from spyware, phishing, malformed webpages, and malware attacks. It is more actively maintained by Microsoft and it was better designed from a security perspective.
One issue in upgrading would be a vital website application that does not support IE8. Most webmasters have addressed these issues, as IE8 has been out for several months. Even if issues occur, IE8 can be safely uninstalled to revert to IE6 if needed.
Try it, you'll like it much better than IE6 -- at least I do
Microsoft's IE 8 Effective at Blocking Phishing, Malware, Report Says
QUOTE: Microsoft's Internet Explorer 8 Web browser is effective at blocking both phishing sites and socially engineered malware, according to two new NSS Labs reports. In turn, this has led Microsoft to push for its users to upgrade to the new browser from IE 6 and IE 7, which a significant portion of the community continues to use.
In addition to malware exposures, the old axiom "loose lips sink ships" applies as well.
U.S. Marines ban Facebook, MySpace, Twitter
QUOTE: A few choice quotes from the Marine Corps order:
* “These internet sites in general are a proven haven for malicious actors and content and are particularly high risk due to information exposure, user generated content and targeting by adversaries…”
* “The very nature of SNS [social network sites] creates a larger attack and exploitation window, exposes unnecessary information to adversaries and provides an easy conduit for information leakage that puts OPSEC [operational security], COMSEC [communications security], [and] personnel… at an elevated risk of compromise.”
Facebook, MySpace and Twitter have been constant targets for malware attacks that exploit the trusted nature of social networks to lure users into clicking on links to malicious sites.
Koobface is a sophisticated malware family and botnet designed to attack social networking environments; its name is an anagram of Facebook. As Trend Labs documents, it is difficult for botnets to survive for over one year. Users should be careful in these environments and avoid potentially dangerous URLs or files presented to them.
Trend Labs - The Real Face of KOOBFACE
KOOBFACE - Behavioral Analysis diagram
QUOTE: One year after its first discovery, Koobface is still generating a lot of noise, no thanks to its high activity level over the past several weeks. But one year is a long time for a malware to stay alive. Storm didn’t make it out of its first year. Waledac has been around for a while, but it sleeps and wakes up only when it wants to. But Koobface? It has continued to maintain its success and just seems to keep on improving.
Although not as large and widespread compared to Storm or Waledac during their heydays, Koobface is a revolutionary malware in the sense that it is the first Web 2.0 threat to enjoy continuous success, which is significant in a time when social network sites reign supreme.
TREND LABS - In Depth analysis (18 page PDF)
Twitter - DOS attacks linked to hacker in Republic of Georgia
Twitter crashed because of a denial-of-service attack, in which attackers direct scores of computers at a single site at the same time to prevent legitimate traffic from getting through. The attack targeted a blogger who goes by "Cyxymu" (the name of a town in Georgia) on several Web sites, including Twitter, Facebook and LiveJournal.
The first phase was a spam campaign consisting of e-mails with links back to posts by Cyxymu. This drove some traffic to the blogger's postings on various social-networking sites, possibly to disparage him as the source of the spam. The second and more destructive phase was the denial-of-service attack itself, which flooded the sites' servers with junk requests, presumably to prevent people from reading his viewpoints.