Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

September 2009 - Posts

Microsoft Security Essentials - New Free AV product for home users

Microsoft is offering this new anti-virus product free to home users. It's a basic product that lacks some of the advanced features found in paid subscription AV suites, but in past reviews its malware detection has held up well. I personally tested with a CD of 15 older viruses, and it was 15 out of 15 in detecting them.

It requires a Windows Genuine Advantage (WGA) validation check, agreement to the EULA terms, and sufficient minimum hardware on XP, Vista, or Windows 7 home systems. I've been beta testing on our family PC since its introduction. Overall, I like the performance and user interface for this product in providing basic protection (it's a keeper for me). The upgrade from beta to version 1.0 went smoothly and without issues.

Some key links are noted below, including how to install on a PC not connected to Internet:

MSE PRESS RELEASE
http://www.microsoft.com/presspass/press/2009/sep09/09-28securityessentialspr.mspx

MSE HOME PAGE (AND DOWNLOAD LINK)
http://www.microsoft.com/security_essentials/

MSE SUPPORT
http://www.microsoft.com/security_essentials/support.aspx
http://answers.microsoft.com/en-us/protect/default.aspx

MSE FORUMS (Great Resource)
http://social.answers.microsoft.com/Forums/en-US/category/mse

MSE Manual DAT Update link
http://support.microsoft.com/kb/971606

MSE - HOW TO INSTALL AND UPDATE PC NOT CONNECTED TO INTERNET
http://social.answers.microsoft.com/Forums/en-US/mseupdate/thread/334bce61-a6ae-42bd-96ff-355bc4bee53b

HOW TO INSTALL MSE ON A PC NOT CONNECTED TO THE INTERNET

1. Download the MSE client on a PC connected to high-speed Internet
2. Download the manual A/V signature file: http://support.microsoft.com/kb/971606
3. Copy both files to a folder on the target PC (via USB flash drive)
4. Uninstall the prior AV product and reboot (two resident AV engines will conflict)
5. Install MSE
6. Install the manual AV signature update downloaded earlier
7. Review and tailor MSE settings in each tab
8. Reboot to ensure MSE starts properly
9. Run a full baseline scan of the entire system
10. Goal - keep the systray icon GREEN (it turns red if start-up issues occur; orange if A/V signatures are out of date or you haven't scanned the system in a while)
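As an added example (mine, not from the original post and not Microsoft's own tooling), here is a PowerShell script that carries out steps 3 through 6 on the offline PC and adds the check I'd want before running anything copied off a flash drive: both files must carry a valid Authenticode signature that chains to Microsoft, and their SHA-256 hashes are printed so they can be compared with hashes taken on the PC that downloaded them. The file names mseinstall.exe and mpam-fe.exe, the staging folder E:\MSE and the service name MsMpSvc are assumptions; adjust them to match what you actually downloaded.

```powershell
# Added example, not from the original post. Verifies the two files staged on
# the USB drive before running them on the offline PC, then installs in order.
# Assumed names: mseinstall.exe (MSE client), mpam-fe.exe (32-bit definition
# package from KB971606), E:\MSE (staging folder), MsMpSvc (MSE service).
param(
    [string]$Staging     = 'E:\MSE',
    [string]$Installer   = 'mseinstall.exe',
    [string]$Definitions = 'mpam-fe.exe'
)

function Test-SignedByMicrosoft {
    param([string]$Path)
    # Authenticode check: status must be Valid and the signer must chain to
    # Microsoft. A tampered or substituted file on the flash drive fails here.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path : signature status is $($sig.Status)"
        return $false
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch 'O=Microsoft Corporation') {
        Write-Warning "$Path : signed by '$subject', not Microsoft"
        return $false
    }
    return $true
}

function Get-Sha256Hex {
    param([string]$Path)
    # PowerShell 2.0 has no Get-FileHash, so use the .NET provider directly.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

$files = @((Join-Path $Staging $Installer), (Join-Path $Staging $Definitions))

foreach ($f in $files) {
    if (-not (Test-Path $f)) { throw "Missing file: $f" }
    # Print the hash so it can be compared with the one taken on the online PC.
    Write-Host ("{0}  {1}" -f (Get-Sha256Hex $f), $f)
    if (-not (Test-SignedByMicrosoft $f)) {
        throw "Refusing to run unsigned or non-Microsoft file: $f"
    }
}

# Steps 5 and 6: client first (its wizard is interactive), then the
# definition package, which applies without prompting when run on its own.
Start-Process -FilePath $files[0] -Wait
Start-Process -FilePath $files[1] -Wait

# Step 10 sanity check: the real-time service should be running before the
# baseline scan; a stopped service is the "red icon" case.
Get-Service -Name MsMpSvc | Select-Object Name, Status
```

Run it from the staging folder's parent with the flash drive still attached; if either signature check fails, re-download the file on the online PC rather than overriding the throw.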

Windows 7 - Improve your experience with these 77 tips

These 77 tips will enhance security, performance, and functionality for this new operating system, which debuts on October 22, 2009.

77 Windows 7 Tips
http://technet.microsoft.com/en-us/magazine/2009.10.77windows.aspx

QUOTE: Windows 7 may be Microsoft’s most anticipated product ever. It builds on Windows Vista’s positives, and eliminates many of that OS’s negatives. It adds new functionality, too—all in a package that is less resource-hungry than its predecessor.

At a Glance:

■ Make Windows 7 faster
■ Get more done with Windows 7
■ The best Windows 7 shortcuts
■ Securing Windows 7

USB Removable Drives - Locking down security to improve malware protection

Trend Labs offers advice on how to better protect removable drives from the malware that currently spreads via these devices, typically by planting an autorun.inf that launches the worm as soon as the drive is plugged in.

USB Removable Drives - Locking down security to improve malware protection
http://blog.trendmicro.com/how-to-maximize-the-malware-protection-of-your-removable-drives/

QUOTE: Removable drives are one of the most common infection vectors for malware today. Worms propagate via these vectors to proliferate their payload and ultimately, infect more users. Users need to perform some countermeasures to secure their systems. One way of doing this is to protect removable drives against worms using the Autorun feature.
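The Trend Micro advice centres on Autorun. As an added example (mine, not Trend Micro's or Microsoft's), the script below applies the two registry controls Microsoft documents in KB967715 for disabling Autorun on XP and Vista, and then reads them back so you can confirm they took. It assumes an elevated PowerShell prompt; the registry paths and values are the documented ones, not assumptions.

```powershell
# Added example, not from the Trend Micro post. Disables Autorun for every
# drive type and neutralises autorun.inf parsing, then verifies both settings.
# Registry locations and values follow Microsoft KB967715; run elevated.

$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$mappingKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Disable-Autorun {
    # NoDriveTypeAutoRun is a bitmask of drive types; 0xFF disables Autorun on
    # all of them (removable, fixed, network, CD/DVD, RAM disk and unknown).
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

    # Map autorun.inf to a registry location that does not exist, so Explorer
    # sees an empty file regardless of what the USB stick carries. This is the
    # belt-and-braces control for XP boxes that lack the KB967715 fix, where
    # NoDriveTypeAutoRun alone is not honoured correctly.
    if (-not (Test-Path $mappingKey)) { New-Item -Path $mappingKey -Force | Out-Null }
    Set-ItemProperty -Path $mappingKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Test-AutorunDisabled {
    # $true only when both controls are in place.
    $mask = (Get-ItemProperty -Path $policyKey  -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $map  = (Get-ItemProperty -Path $mappingKey -ErrorAction SilentlyContinue).'(default)'
    return (($mask -band 0xFF) -eq 0xFF) -and ($map -eq '@SYS:DoesNotExist')
}

Disable-Autorun
if (Test-AutorunDisabled) {
    'Autorun disabled for all drive types; log off or reboot for Explorer to pick it up'
} else {
    Write-Warning 'Autorun hardening incomplete - check the two registry keys above'
}
```

Windows 7 already ignores autorun.inf on anything other than optical media, so on that OS only the first key matters; on XP and Vista the IniFileMapping entry is what actually stops an autorun.inf from being parsed until KB967715 is installed.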

New Targeted Attacks using Powerpoint

Users who keep their anti-virus signatures current and their Windows and Office products properly patched can avoid this latest round of PowerPoint-based attacks; as the write-up notes, the exploit targets a vulnerability Microsoft fixed back in 2006 (MS06-028).

New Targeted Attacks using Powerpoint
http://www.avertlabs.com/research/blog/index.php/2009/09/25/blast-from-the-past-fresh-wave-of-targeted-attacks-using-powerpoint/

QUOTE: Lately, we have observed an increase in the number of OLE files being used as targeted attacks against various high profile users. The malicious PPT file is exploiting an older vulnerability which was patched by Microsoft in ms06-028 bulletin. This attack is detected with the current DATS as Exploit-PPT.h and the dropped malicious executable is detected as BackDoor-EFB.

F-Secure Linux Rescue CD - New Version 3.11

The utilities on this CD might be useful in troubleshooting issues. Because the CD boots its own Linux environment, it can scan and recover data from a Windows installation without loading that installation's (possibly compromised) drivers and services.

F-Secure Linux Rescue CD - New Version 3.11
http://www.f-secure.com/linux-weblog/2009/09/22/rescue-cd-311/
http://www.f-secure.com/linux-weblog/files/f-secure-rescue-cd-3.11.23804-release-notes.txt

QUOTE: The new utilities on the CD are:

* PhotoRec is a tool that can be used to recover data that has been accidentally deleted or lost due to a corrupted file system on a disk.

* TestDisk is another data recovery tool that can be used to recover a lost partition, for example.

* Smartmontools contain utilities that can be used to inspect S.M.A.R.T. values of hard disks. By analyzing these numbers you may get a hint if your hard disk is starting to show signs of breaking down.

Conficker MS08-067 Worm - Continues to Impact Networks

Patch management is one of the most important elements of security protection, yet many individuals and even companies don't always do the best job in this area. After almost a year, Conficker is alive and well on numerous systems around the world that still lack the MS08-067 fix.

Conficker MS08-067 Worm - Continues to Impact Networks
http://isc.sans.org/diary.html?storyid=7189
http://www.abc.net.au/news/stories/2009/09/23/2694401.htm

QUOTE: Almost a year after it was first detected, the Conficker computer virus is still baffling security experts who say it poses the largest threat of cyber crime. They admit they are no closer to finding a cure or who is behind it, and Microsoft continues to offer a $300,000 reward for anyone who can help.

More than 5 million computers worldwide have been infected by the worm since it was discovered late last year. Rodney Joffe, the director of US communications company Neustar, says the virus is nearly impossible to remove from infected computers.

He said the virus creates cryptographic links between infected computers which are controlled by an equally malicious and distant server. "We've not been able to crack that, and in fact it's using the very latest cryptographic techniques, something called MD6, which is something that we don't expect to be able to crack for many years," Mr Joffe said.

Conficker Worm - Spread rapidly world-wide on unpatched systems
www.f-secure.com/weblog/archives/00001646.html

Conficker Worm - How to test your system
(Do you see all 6 images?)

www.confickerworkinggroup.org/infection_test/cfeyechart.html
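As an added example (mine, not part of the Conficker Working Group test), the PowerShell below does locally what the eye chart does from the browser: it checks whether the MS08-067 fix (hotfix KB958644) is listed as installed, and whether security-vendor host names still resolve, since Conficker variants from .B onward block DNS lookups of those names, which is exactly why the eye chart images go missing on an infected machine. The vendor host list and the control host are a constructed sample, not taken from the worm's own list.

```powershell
# Added example, not part of the Conficker Working Group eye chart.
# 1. Is the MS08-067 fix present? KB958644 is the hotfix ID for that bulletin.
# 2. Do security-vendor names resolve while a neutral control name resolves?
#    Vendor names failing on their own is the Conficker symptom; everything
#    failing just means there is no DNS, which is not evidence of infection.

function Test-Ms08067Installed {
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering |
           Where-Object { $_.HotFixID -eq 'KB958644' }
    return ($fix -ne $null)
}

function Test-VendorDnsBlocked {
    param(
        # Constructed sample of vendor names; Conficker.B blocks lookups of these.
        [string[]]$VendorHosts = @('www.microsoft.com', 'www.f-secure.com',
            'www.symantec.com', 'www.mcafee.com', 'www.trendmicro.com',
            'www.kaspersky.com'),
        # Assumed reachable, non-vendor name used to tell "no DNS" from "blocked".
        [string]$ControlHost = 'www.example.com'
    )
    function Resolves([string]$name) {
        try   { [System.Net.Dns]::GetHostAddresses($name) | Out-Null; return $true }
        catch { return $false }
    }
    if (-not (Resolves $ControlHost)) {
        return @{ NoDns = $true; Blocked = @() }
    }
    $blocked = @($VendorHosts | Where-Object { -not (Resolves $_) })
    return @{ NoDns = $false; Blocked = $blocked }
}

$patched = Test-Ms08067Installed
$dns     = Test-VendorDnsBlocked

"MS08-067 fix (KB958644) listed as installed: $patched"
if ($dns.NoDns) {
    Write-Warning 'Control name did not resolve: no DNS at all, DNS result inconclusive'
} elseif ($dns.Blocked.Count -eq 0) {
    'Security-vendor names resolve normally'
} else {
    Write-Warning ('Vendor names blocked while the control resolved: ' +
        ($dns.Blocked -join ', ') + ' - treat as a Conficker indicator and scan offline')
}
```

Two caveats on reading the output: Win32_QuickFixEngineering only lists fixes applied through servicing, so a Windows 7 machine, which shipped with MS08-067 already fixed, reports False without being vulnerable; and a "blocked" result is an indicator, not a verdict, so follow it with a scan from a rescue CD rather than from the suspect OS.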

WordPress - New Worm attacks older versions

Blog sites running older, out-of-date versions of WordPress may be exposed to a new worm. Depending on security controls, it can register as a new blog user, escalate itself to ADMIN, and quietly insert SPAM throughout the blog. If you're on an older version, please PATCH NOW. As WordPress notes, removing the spam from every affected post can become very laborious.

WordPress - New Worm attacks older versions
http://www.theregister.co.uk/2009/09/07/wordpress_worm/

QUOTE: Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

WordPress - Security Bulletin
http://wordpress.org/development/2009/09/keep-wordpress-secure/

WordPress - Hacked Blogs may be tedious to correct
http://codex.wordpress.org/FAQ_My_site_was_hacked

WordPress - Upgrade available
http://codex.wordpress.org/Upgrading_WordPress

Windows 7 Survival Guide: From 32 To 64 Bit Drivers

This article shares good advice regarding the migration from 32-bit to 64-bit drivers to take advantage of improved addressability and performance in the Windows 7 environment. This particularly applies to systems with more than 3GB of RAM. It's important to research special devices to see if the vendors offer 64-bit drivers for older hardware; 64-bit Windows also requires kernel-mode drivers to be digitally signed, so an unsigned driver from the 32-bit era will not load at all.

Windows 7 Survival Guide: From 32 To 64 Bit
http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=219401497

QUOTE: Your old hardware isn't doomed. Here's how to migrate 32-bit printers and scanners onto your 64-bit version of the Windows 7 operating system.

Windows as a whole -- Windows XP, Vista, Windows 7 and the operating system's server editions -- has been shipping in both 32- and 64-bit editions for some time now. That's more than long enough for hardware manufacturers to get on the ball and supply 32/64-bit device drivers for everything they sell.

Why 64-bit, Anyway? -- Why use 64-bit Windows in the first place? Desktop machines that ship with more than 3GB of RAM also come with 64-bit Windows installed by default. It's the best possible way to make use of all that memory efficiently. Individual 32-bit apps may only be able to use so much of that memory at once, but those of us who run a lot of apps side-by-side get a boost from it. Also, applications that perform certain kinds of processing -- encryption, for instance -- run markedly faster as 64-bit binaries.

ZoneAlarm Extreme Security 2010 - Evaluation of new suite

PC Magazine offered the following evaluation of ZoneAlarm's new security suite:

ZoneAlarm Extreme Security 2010
http://www.pcmag.com/article2/0,2817,2353127,00.asp

QUOTE: ZoneAlarm Extreme Security 2010 boasts impressive features, including full-disk encryption. But it slows performance, installing it is torture, and its anti-malware scores are only so-so. It's still a good product, but I'm not quite as thrilled with it as I was last year.

PROS - Full-disk encryption. Online backup. System tune-up. Advanced scan of downloads. Comprehensive, accurate antispam component. Effective antiphishing protection. Credit monitoring and identity theft recovery. Browser virtualization. Private browsing. Blocks keyloggers and screengrabbers.

CONS - Has serious problems installing on malware-infested systems. Slowed boot time and system performance. Rudimentary parental controls. So-so malware removal.

ZoneAlarm Extreme Security 2010 - Full Review
http://www.pcmag.com/article2/0,2817,2353131,00.asp

Twitter - Fake Accounts being Mass-Generated for Profit

Please be careful when using Twitter, and check the spelling of URLs carefully. Many fake sites are being created that very closely resemble the true site.

Mass-Generating Fake Twitter Accounts for Profit
http://www.f-secure.com/weblog/archives/00001773.html

QUOTE: We're seeing more and more fake Twitter accounts being auto-generated by the bad boys. The profiles look real. They have variable account and user names (often German) and different locations (US cities). They even upload different Twitter wallpapers automatically.  All the tweets sent by these accounts are auto-generated, either by picking up keywords from Twitter trends or by repeating real tweets sent by humans.

And where do all the links eventually end up to? Of course, they lead to fake websites trying to scare you into purchasing a product you don't need. Be careful out there.

AntiVirus Pro 2010 - New Rogue uses McAfee AV icon to trick users

This new fake security product is designed to trick users into purchasing it (usually for $39). These infections are difficult to clean, as constant pop-ups may occur. Always avoid these fake offerings and use a good standalone remover to clean them rather than paying; the money will never be refunded, and the payment hands your card details to the criminals.

http://www.avertlabs.com/research/blog/index.php/2009/09/16/fakealert-malware-disguises-as-mcafee-product/

QUOTE: It is easy for less-computer-savvy users to trust that a program is legitimate based on visible features of a file, such as its icon or file properties. It's a nice facade for malware to slip through. We recently came across a FakeAlert threat that attempts to disguise itself as a McAfee product using a spoofed McAfee icon. Perhaps FakeAlert malware authors are taking notice of McAfee as one of the world's most trusted security companies.

Call it social engineering or just another sneaky attempt to get by. The bottom line is, looks are deceptive so don't trust everything you see whether it's a resource icon or company information in the file properties. This FakeAlert malware that brands itself as AntiVirus Pro 2010 is all but a spin off of FakeAlert-XPSecCenter (aka WinreAnimator amongst its many re-branded names).
What Star Trek Predicts About The Future of Information Security

PC Magazine shares an interesting post from a security testing site. IT security may not improve all that greatly in the future.

What Star Trek Predicts About The Future of Information Security
http://blogs.pcmag.com/securitywatch/2009/09/what_star_trek_predicts_about.php

QUOTE: Science fiction usually has little to say about information security. As in the real world, it too often gets in the way of getting work done. Star Trek is no exception, as explored in this posting.

"What Star Trek Predicts About The Future of Information Security"
http://ha.ckers.org/blog/20090918/what-star-trek-predicts-about-the-future-of-information-security/

• Physical security will always be a problem

• They don't use money in the future. Probably because consumers are so sick of having their credit cards stolen

• Why they didn't bother to root-kit [Lt. Data], I'll never know.

• I can't even tell you how many times the Enterprise has managed to damage the one and only di-lithium crystal that they have on the whole ship.... Why wouldn't you just bite the bullet and pay to have two on board?

• the vast majority of times someone has entered in a password on the show (which incidentally is almost never - giving you an idea about how lax security will be in the future) it has been by saying it out loud

• PCI doesn’t stop hackers, now or ever

• Individuals will almost completely give up on the idea of protecting their privacy

Sysinternals - New Version releases

For several years, Sysinternals has published some of the most helpful troubleshooting tools for spotting processes, services and autostart entries on a Windows system that might be malware.

Sysinternals - New Version releases
http://isc.sans.org/diary.html?storyid=7153

QUOTE: Once again Mark Russinovich and company have made updates to some of the SysInternals tools. There are new versions of Process Monitor (v2.7), procdump (v1.5), VMMap (v2.3), and Autoruns (v9.54).

Bahama Botnet - creates new surge in Click Fraud

Always avoid clicking on potentially malicious ads. A new botnet has surfaced that masks its true source and appears to be a legitimate source of search advertising traffic.

Bahama Botnet Discovered as Source of Click Fraud Surge
http://www.eweek.com/c/a/Security/Botnet-Discovered-as-Source-of-Click-Fraud-Surge-496555/

QUOTE: Click Forensics has found an unusually large spike in click fraud traffic coming from a new botnet apparently eluding the filters of search engines, publishers and ad networks alike.

Dubbed the "Bahama botnet," the network of compromised computers is distributing malware while masking itself as a legitimate source of search advertising traffic. According to Click Forensics, links to the malware behind the Bahama botnet were found in Google search results for "Facebook Fan Check virus."

Fixing Security Flaws Isn't Just Microsoft's Responsibility

Recent analysis by SANS reveals users and IT ADMINS need to do their part in patching promptly. The Conficker worm is a prime recent example of the failure to patch.

Fixing Security Flaws Isn't Just Microsoft's Responsibility
http://www.eweek.com/c/a/Security/Fixing-Security-Flaws-Isnt-Just-Microsofts-Responsibility-777852/

QUOTE: News Analysis: Microsoft gets hit hard with criticisms of its inability to adequately protect its users. But a recent study from the SANS Institute indicates users and software developers may also be at fault. It's time for IT managers and individual users to take responsibility for updating and patching all their applications and operating systems in a timely manner.

Rogue Security Products continue to spread

The SANS Internet Storm Center shares a good analysis of why many rogue security products succeed in tricking users.

Why is Rogue/Fake AV so successful?
http://isc.sans.org/diary.html?storyid=7144

QUOTE: It is obvious that the bad guys are making (serious?) money with this scamming scheme. There are couple of things interesting about rogue AV programs. First, the bad guys here do not use (in most cases) any sophisticated attacks on clients. They instead rely on visitors to wittingly install their "AV program". How do they do this? Through social engineering – they create web pages which are very authentic copy of legitimate screens in Windows operating systems. These web pages make visitors believe that their machine is infected with several malicious programs and that the offered "AV program" can help them clean it

Patrick Swayze - Spam based Malware attacks

Malware attacks have surfaced as spammers use the passing of Patrick Swayze to redirect users to malicious web sites. Please avoid these emails in your inbox; instead, use mainstream news sites as your source of information.

http://www.avertlabs.com/research/blog/index.php/2009/09/16/searches-for-patrick-swayze-info-could-lead-to-malware/
http://www.f-secure.com/weblog/archives/00001769.html
http://www.f-secure.com/weblog/archives/00001770.html

QUOTE: Within hours of the reported death of movie star Patrick Swayze, our Web Analysts saw the first wave of spam related to the event.

SANS - New Cyber Security Risk Report

SANS has issued an excellent and up-to-date study on the key dangers related to the web and email; the Internet Storm Center diary below summarizes it.

SANS - New Cyber Security Risk Report
http://isc.sans.org/diary.html?storyid=7129

QUOTE: Some of the key findings include that operating systems are for the large part less and less of a problem. There are few attacks against the operating system itself, and patching has become pretty robust when it comes to the operating system and its core components. However, third party applications (think Adobe, Java, Quicktime) are a big problem, and they are usually not well covered by existing controls.

On the server side, web applications are of course the big entry point for an attacker. In particular the combination of vulnerable web applications and vulnerable client software is frequently used to inject a client exploit into a web application in order to pivot and attack inside the attacked network.

DETAILED REPORT - As of September 2009
http://www.sans.org/top-cyber-security-risks/

Health Care Spam Warning

The Internet Storm Center is warning about new spam related to the recent health care address by our President. Malicious attackers use major news events to trick users, so always be careful with email or websites that use these subjects.

Healthcare Spam
http://isc.sans.org/diary.html?storyid=7111

QUOTE: Shortly after President Obama finished his speech about healthcare earlier tonight, our reader Roy received an email advising him to sign up for a "Low Income Healthcare Enrollment". If you see something similar, let us know. The possibilities for phishing, malware and other scams are endless with current events like this. As usual, you will not receive an e-mail from a government agency asking you to divulge your private information on a random website.

Microsoft September Security Updates - includes new OGA component

At home, I have both DSL for our best PC and dial-up for an older "cash for clunkers" family PC. It still runs XP SP3 fairly well and it's used mainly for browsing, email, and posting to some of the security forums I belong to. We plan to upgrade later in the Fall with a new Windows 7 PC when this becomes available.

Usually on the dial-up PC, I'll choose Custom, select all items, and let it run in an unattended and standalone mode. Right after our President's address on Wednesday, I started the Microsoft Update process and watched the Yankees v. Rays on ESPN. After a busy day at work, I fell asleep.

After waking up hours later, I found that my updates had not started. I had missed that a EULA was presented for the new Office Genuine Advantage (OGA) facility, which will be used to validate Office (in a similar fashion to how WGA validates Windows authenticity).

I comply with these anti-piracy programs. WGA has been improved since its initial introduction. I then selected OGA standalone, accepted the EULA, and applied it. I then restarted the Microsoft Update process to ensure it would complete well unattended. Each user can decide whether to opt in or out of OGA, but it's an added item to consider this month.

As Jerry Bryant's MSRC write-up describes, there are 2 highly critical items that make September's update a PATCH NOW priority. The updates and OGA are all working well on my home and work PCs.

Microsoft September 2009 Security Updates
http://www.microsoft.com/technet/security/bulletin/ms09-sep.mspx
http://isc.sans.org/diary.html?storyid=7099
http://blogs.technet.com/msrc/archive/2009/09/08/september-2009-security-bulletin-release.aspx

QUOTE: As you can see, we give MS09-045 and MS09-047 the highest deployment priority mainly due to these being browse and own attack scenarios and a high exploitability index rating. Exploits for MS09-047 can also be created through specially crafted files such as ASF and MP3 audio files. These files could then be sent via email.
