August 2010 - Posts
In recently helping someone recover from a FakeAV attack, I discovered this excellent resource from Sunbelt.
Please avoid all unfamiliar security pop-ups that claim to have found malware and want to charge you to clean your system. These malware agents are among the most difficult to remove and some of the most widespread attacks circulating. If you see pop-up screens matching any of those in the library, please seek technical help immediately, as it is a fake security product designed to steal money from your PayPal or bank account.
Sunbelt - FakeAV and Security Rogue Library
August was a very important month for security updates, and most individuals have most likely applied them. If you update manually and missed these, please bring your systems up to date. Staying current on all security patches, moving to IE8, and building a second Windows account without administrator rights are all best practices.
In the corporate environment, the LNK vulnerability could enable a malware outbreak on almost the same scale as Conficker if internal security settings on workstation or server network shares are weak. This out-of-band release to better protect Windows was rated as PATCH NOW.
Microsoft Security Updates - August 2010
ISC - Excellent analysis of bulletins
ISC - Rates LNK security fix as PATCH NOW
This tool provides a temporary mitigation of the risk until a more comprehensive solution emerges.
QUOTE: Another option for protecting your systems is to deploy a tool that can help prevent exploitation of this issue. Knowledge Base article 2264107 offers for download a tool that allows customers to selectively change the library loading behavior, either system-wide or for specific applications.
The update allows the administrator to define the following on a system-wide or a per-application basis:
* Remove the current working directory from the library search path.
* Prevent an application from loading a library from a WebDAV location.
* Prevent an application from loading a library from both a WebDAV, as well as a remote UNC location.
Microsoft's Mitigation resources and DLL Control tool
DOWNLOAD FOR SPECIAL TOOL
DLL Hijacking Vulnerability - Additional Information
While Facebook and other Web 2.0 sites are great resources for keeping in touch with family and friends, all users need to be aware of the dangers: avoid clicking on suspicious links and free offers that are too good to be true, and do not disclose private information.
Older adults are flocking to social networks
QUOTE: Social networking use by Internet users ages 50 and older nearly doubled in the past year, going from 22 percent in April 2009 to 42 percent in May 2010, according to the Pew Research Center's Internet & American Life Project's new report, "Older Adults and Social Media." While 86 percent of younger Internet users (ages 18 to 29) "continue to be the heaviest users" of social sites like Facebook, MySpace and LinkedIn, "over the past year, their growth paled in comparison with the gains made by older users," Pew said. One of the main reasons for older adults' increased interest and use of social networking sites: They know Facebook and Twitter are where their kids and grandkids are spending time, and it's a way to "bridge generational gaps," said Mary Madden, Pew senior research specialist and author of the report.
While DLL vulnerabilities were present over a decade ago, Microsoft later created a more secure DLL loading process. Recently, new ways of working around these controls have been discovered, and malicious exploits are being rapidly developed. In this latest development, an attacker creates a specially crafted file that is opened by an application which loads external libraries insecurely. A malicious library is then loaded from the remote location to further compromise the PC.
This new DLL vulnerability is much like SQL injection in that it may not be entirely within Microsoft's scope to control. Just as SQL injection controls rely on developers using best practices, third-party vendors must load their own DLLs more securely. Microsoft will eventually strengthen controls in the operating system and its product families. However, it is uncertain whether it can also address all of the potential concerns related to third-party software.
DLL Hijacking Vulnerability - Over 40 popular applications have exploits built
QUOTE: Some of the world's most popular Windows programs are vulnerable to attacks that exploit a major bug in the way they load critical code libraries, according to sites tracking attack code. Among the Windows applications that are vulnerable to exploits that many have dubbed "DLL load hijacking" are the Firefox, Chrome, Safari and Opera browsers; Microsoft's Word 2007; Adobe's Photoshop; Skype; and the uTorrent BitTorrent client.
"Fast and furious, incredibly fast," said Andrew Storms, director of security operations for nCircle Security, referring to the pace of postings of exploits that target the vulnerability in Windows software. Called "DLL load hijacking" by some, the exploits are dubbed "binary planting" by others. On Monday, Microsoft confirmed reports of unpatched vulnerabilities in a large number of Windows programs, then published a tool it said would block known attacks. The flaws stem from the way many Windows applications call code libraries -- dubbed "dynamic-link library," or "DLL" -- that give hackers wiggle room they can exploit by tricking an application into loading a malicious file with the same name as a required DLL.
AN UNOFFICIAL INVENTORY OF APPLICATIONS WITH MALICIOUS DLLS DEVELOPED
Microsoft's Mitigation resources and DLL Control tool
DLL Hijacking Vulnerability - ADDITIONAL LINKS
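An added model, not Microsoft's code or the KB tool itself, of the search order discussed in the two DLL posts above and of the three settings the KB 2264107 tool writes to the CWDIllegalInDllSearch value: it shows why a library absent from the application and system folders is picked up from the share a document was opened from, and which of the three settings stop that. The folder kinds, share name, DLL names and folder contents are constructed for the demonstration.

```python
from dataclasses import dataclass

# Policy values as documented for KB 2264107; set system-wide or per application.
CWD_DEFAULT = 0                 # CWD stays in the search order
CWD_BLOCK_WEBDAV = 1            # drop CWD only when it is a WebDAV folder
CWD_BLOCK_WEBDAV_AND_UNC = 2    # drop CWD when it is WebDAV or any remote UNC share
CWD_REMOVE_ALWAYS = 0xFFFFFFFF  # drop CWD from the search order unconditionally


@dataclass
class Folder:
    path: str
    kind: str                   # "local", "unc" or "webdav": a label of this model only
    files: frozenset = frozenset()

    def has(self, name: str) -> bool:
        return name.lower() in {f.lower() for f in self.files}


def cwd_in_search_path(cwd: Folder, policy: int) -> bool:
    """Apply the CWDIllegalInDllSearch policy to the current working directory."""
    if policy == CWD_REMOVE_ALWAYS:
        return False
    if policy == CWD_BLOCK_WEBDAV_AND_UNC:
        return cwd.kind == "local"
    if policy == CWD_BLOCK_WEBDAV:
        return cwd.kind != "webdav"
    return True


def search_order(app_dir, system_dirs, cwd, path_dirs, policy):
    """SafeDllSearchMode order: application folder, system folders, CWD, then %PATH%."""
    order = [app_dir, *system_dirs]
    if cwd_in_search_path(cwd, policy):
        order.append(cwd)
    return order + list(path_dirs)


def resolve_dll(name, app_dir, system_dirs, cwd, path_dirs, policy):
    """Return the folder a LoadLibrary(name) call would load from, or None."""
    for folder in search_order(app_dir, system_dirs, cwd, path_dirs, policy):
        if folder.has(name):
            return folder.path
    return None


# Constructed scenario: a document is opened from a remote share, so that share becomes
# the application's CWD.  The share also holds a DLL named like an optional library the
# application asks for but which is not installed on this system.
APP = Folder(r"C:\Program Files\Viewer", "local", frozenset({"viewer.exe", "core.dll"}))
SYSTEM = [Folder(r"C:\Windows\System32", "local", frozenset({"kernel32.dll", "user32.dll"})),
          Folder(r"C:\Windows", "local")]
SHARE = Folder(r"\\untrusted-share\docs", "unc",
               frozenset({"report.doc", "optional_codec.dll", "user32.dll"}))
PATH = [Folder(r"C:\Tools", "local", frozenset({"tool.exe"}))]


def where_loaded(name: str, policy: int):
    """Resolve name in the scenario above under the given policy."""
    return resolve_dll(name, APP, SYSTEM, SHARE, PATH, policy)


if __name__ == "__main__":
    for policy in (CWD_DEFAULT, CWD_BLOCK_WEBDAV, CWD_BLOCK_WEBDAV_AND_UNC, CWD_REMOVE_ALWAYS):
        print(f"{policy:#x}: {where_loaded('optional_codec.dll', policy)}")
```

Note that a same-named copy of a DLL that already lives in System32 is never picked from the share, so the exposure is limited to libraries the application requests but which earlier folders lack; setting 1 alone still leaves a plain UNC share in the search path.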
Computerworld and Symantec offer additional write-ups on this new threat to 64-bit systems, which otherwise benefit from the strong safeguards built into 64-bit Windows 7. Once the TDL3 dropper is installed, the system reboots immediately. The rootkit is installed during that reboot, before Windows starts, by overwriting the MBR area.
TDL3 64 bit Windows Rootkit - Additional Information
QUOTE: The new rootkit sidesteps two important anti-rootkit protections Microsoft built into 64-bit Windows: Kernel Mode Code Signing and Kernel Patch Protection, also known as PatchGuard. The pair are designed to make it more difficult for malware to tamper with the operating system's kernel.
"To bypass Kernel Patch Protection and driver signature verification, the rootkit is patching the hard drive's master boot record so that it can intercept Windows' start-up routines, own it and load its driver," Giuliani said. Rootkits that overwrite the hard drive's master boot record (MBR), where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks, are essentially invisible to the operating system and security software.
TDL3 rootkit x64 goes in the wild
Please ensure your accounts use strong passwords and avoid free offers that appear too good to be true in email or social networking applications.
Facebook and Twitter users - Beware of free iPad offers
QUOTE: Facebook and Twitter users are complaining about their accounts being compromised and then being used to spam friends with suspicious "free iPad offers." Online marketing programs pay cash for Web traffic, and hackers have found that by phishing victims and then using that information to break into legitimate Twitter and Facebook accounts, they can earn money.
CIO Magazine offers an excellent summary of experiences related to early adopters who have implemented cloud computing applications.
Cloud Computing: Early Adopters Share Five Key Lessons
QUOTE: While some large enterprises have moved their information-technology infrastructure to a third-party managed service to save costs, small firms—especially startups—have come to rely on cloud services to cut initial outlays and help them focus on the core services and products. The cost savings and scalability of infrastructure-as-a-service offerings are well known advantages. Yet, there are others. In interviews, three small companies that use the cloud—and one that does not—share the lessons learned from growing up with cloud infrastructure.
CLOUD COMPUTING - FIVE KEY LESSONS LEARNED
1. From IT management to software development
2. Downtime is low
3. Security is still your headache
4. Your ability to use cloud depends on your customers
5. The cost advantage only lasts so long
CIO magazine shares some usability tips in a seven-screen slideshow.
Windows 7 - Seven Features users may be unaware of
TDL3 is the most advanced Windows rootkit developed so far. This highly technical and informative post from Prevx shares another dangerous development, as 64-bit systems are more secure and harder to manipulate.
TDL3 rootkit x64 goes in the wild
QUOTE: It took some time but now x64 Windows operating systems are officially the new target of rootkits. We talked about TDL3 rootkit some months ago as the most advanced rootkit ever seen in the wild. Well, the last version of TDL3 was released months ago and documented as build 3.273. After that, no updates have been released to the rootkit driver. This was pretty suspicious, more so if you've been used to seeing rebuild versions of TDL3 rootkit every few days to defeat security software.
Obviously, the rootkit was stable and it is currently running without any major bug on every 32 bit Windows operating system. Still though, the dropper needed administrator rights to install the infection in the system. Anyway, the team behind TDL3 rootkit was just too quiet to not expect something new. They actually built a nice gift for every security vendor, because TDL3 has been updated and this time this is a major update; the rootkit is now able to infect 64 bit versions of Microsoft Windows operating system.
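An added example for the two TDL3 posts above, not code from Prevx, Computerworld or Symantec: it parses a 512-byte MBR, verifies the boot signature, extracts the partition table and hashes the boot code, so a live sector can be compared against a known-good baseline and an overwritten boot area detected. The sector bytes, boot-code stub and partition layout are constructed for the demonstration.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: the bootstrap code an MBR bootkit replaces
PARTITION_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes):
    """Return (sha256 of boot code, [Partition, ...]); raise ValueError on a bad sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, type_id, lba, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if type_id != 0:          # type 0 marks an unused entry
            parts.append(Partition(status == 0x80, type_id, lba, count))
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(), parts


def mbr_changed(live: bytes, baseline_boot_hash: str, baseline_parts):
    """Compare a live sector with a known-good baseline.

    Returns (boot_code_changed, partition_table_changed).  A changed partition table
    may simply mean repartitioning; changed boot code with an unchanged partition
    table is the pattern an MBR bootkit leaves behind.
    """
    boot_hash, parts = parse_mbr(live)
    return boot_hash != baseline_boot_hash, parts != list(baseline_parts)


def build_sector(boot_code: bytes, partitions) -> bytes:
    """Assemble a demonstration MBR (constructed data, not a real disk image)."""
    table = b"".join(
        struct.pack("<B3xB3xII", 0x80 if p.bootable else 0, p.type_id, p.lba_start, p.sectors)
        for p in partitions).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE


CLEAN_PARTS = [Partition(True, 0x07, 2048, 204800)]
CLEAN_MBR = build_sector(b"\xfa\x33\xc0\x8e\xd0", CLEAN_PARTS)   # constructed boot-code stub
CLEAN_HASH, _ = parse_mbr(CLEAN_MBR)
# Same partition table, different boot code: the partition table still parses normally,
# so only a comparison of the code bytes against the baseline exposes the change.
PATCHED_MBR = build_sector(b"\xeb\xfe" * 10, CLEAN_PARTS)

if __name__ == "__main__":
    print(mbr_changed(CLEAN_MBR, CLEAN_HASH, CLEAN_PARTS))      # (False, False)
    print(mbr_changed(PATCHED_MBR, CLEAN_HASH, CLEAN_PARTS))    # (True, False)
```

The live sector has to be read from the raw physical device, and because the post notes that an MBR rootkit hides itself from the running operating system, the read should be taken from a trusted boot medium rather than from the infected system.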
This link shares some excellent free PENTEST tools that can help ensure corporate defense systems are actively protecting against major external threats.
Top Five Free Penetration Testing Tools
QUOTE: Penetration Testing uses a variety of specialized tools to make testing far faster and more effective at discovering vulnerabilities. Five of the top tools are highlighted in this article.
1. Metasploit - This is a far more advanced tool than the others on this list, and requires more programming knowledge to run and use. This platform runs payloads, shellcode, and remote shells--you will actually penetrate the target. Servers can and will crash!
2. Nessus - It has long been my favorite vulnerability scanner, due to its speed, accuracy, and depth.
3. Nikto - Nikto is an Open Source web server security scanning tool. Currently at version 2.03, it can scan for over 3500 potential vulnerabilities.
4. Nmap - Nmap is my Swiss Army Knife for network scanning, port mapping, and OS & application discovery. Somehow it's both the simplest and most flexible tool in my arsenal.
5. Wireshark - Captures wireless network traffic and examines protocols and sessions in depth.
All Adobe Shockwave users should update as automatically prompted to apply these security fixes.
Critical Update Fixes 20 Vulnerabilities in Shockwave
QUOTE: Critical vulnerabilities have been identified in Adobe Shockwave Player 18.104.22.1689 and earlier versions on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 22.214.171.1249 and earlier versions update to Adobe Shockwave Player 126.96.36.1992, using the instructions provided below.
SHOCKWAVE PLAYER UPDATE SITE
Individuals who use the Military banking system should be cautious of a new attack designed to capture account details and passwords. This information could lead to fraudulent withdrawals and other monetary losses. It's always good to verify any email claims with the bank itself prior to taking action.
ZeuS Variant Targets U.S. Military Personnel
QUOTE: Today, we saw a malware variant created with the well-known ZeuS toolkit that seems to be targeting members of the U.S. military serving overseas. Targets of this scam will receive an email with the following text:
Dear Bank of America Military Bank customer: This letter is to inform you that there is an update required for your Bank of America Military Bank Account, for this reason your account has been flagged. In order to update your account, please follow this link. Thank you for banking with us! Bank of America Military Bank accounts support.
Should the recipients click the link, they will be brought to a page that is almost identical to the real login page of the bank. However, this fake login page is actually hosted in Russia. An Update Tool must be installed onto his/her system to ensure that his/her account is not locked.
Needless to say UpdateTool.exe is a ZeuS variant detected by Trend Micro as TSPY_ZBOT.BIZ. Unfortunately, most people who fall for this scam will not even be given the opportunity to manually download the executable file, as this attack first runs a whole suite of browser exploits on the target systems first. This leaves manually downloading the file as a last-resort attack vector.
Sunbelt is warning of a new scam that encourages users to send 5 or more copies of a spam message to their friends in exchange for a gift. As with most scams, the prize won't be awarded, and you will give up your email address and Facebook user name in the process, which will then be misused. When I first started in the security profession in 1997, I used the phrase "there are no free lunches on the Internet", as scams abounded then.
In 2010, there are great dangers of malware and privacy loss from clicking malicious links. This week I've tried to help a friend, who was always careful, recover from a bad FakeAV attack. While several malware items have been cleaned, the PC still needs further repair or a complete rebuild. Facebook is a wonderful place for sharing with friends, but please do so carefully. Just one bad click can require hours of repair time.
Scammers let Facebook users take up the spam reins
QUOTE: Here’s an odd collection of websites promising lots of free Facebook goodies, including “Free Texas Holdem Poker Chips” – one million chips, to be exact. Sounds great, doesn’t it? Unfortunately, all we’re left with is proof positive that too many people will click anything put in front of them – no matter how silly the initial promise. Facebook users are asked to paste a spam message “5 times anywhere on Facebook”. For anyone holding onto the vague hope of chips arriving in your mailbox sometime soon, here is your wake up call. Please don’t get suckered into these kinds of deals – the only person that benefits from all the gruntwork you put in is the site owner themselves.
During July 2010, the market share of Windows 7 surpassed that of Vista. While XP is still more established, its install base has declined somewhat. Windows 7 is more functional and secure, especially on new 64-bit systems, which are the future of computing.
Windows 7 Passes Vista in Users, XP Still King
QUOTE: Windows 7’s market share for July reached 14.46 percent, according to the firm, compared to 14.34 percent for Windows Vista. That represents a significant change from October 2009, when Windows 7 was released into a market where Vista ran on 18.83 percent of personal computers. Net Applications noted, however, that “Windows XP is still the leading operating system by far, with double share of Vista and 7 combined.” The firm estimated Windows XP’s market share at 61.87 percent.
Sunbelt is warning users to be careful when visiting risky sites, as some of these offer Facebook links that ask you to log in, but to a fake page that is identical in every way except the URL.
Facebook - Login Phishing may be used on risky websites
QUOTE: It might look like the Facebook login page, but, check out the URL. I don’t think you want to log in to Facebook there.
In Facebook, clickjacking attacks continue to circulate using the "Like" or "Share" buttons that will surreptitiously link you to malicious websites. Always be careful with all links or any buttons offered to you. As the old saying goes, "Think before you click" or you may be spending hours repairing your PC. Always be careful in sharing any personal information in social networking applications.
Facebook Clickjacking Attack Spreading Through Share Button
QUOTE: Facebook users came under attack from a new clickjacking scam that could result in lost money as well as aggravation, spread by the social networking site's Share button. Those behind this latest Share button scam want Facebook users to answer a few questions within a simple survey; one blank is the request for a cell phone number. By providing their cell phone number without reading the fine print, users are subscribing to a paid-phone, automatically renewing service that charges $5 per week via the cell phone bill. "Unfortunately, most people won't read the fine print and will willingly hand over the information and likely won't notice the charges until the end of the month,"
PREVENTION: AVOID accessing the "Top 10 Funny T-Shirt Fails ROFL" link and filling out the "verification page" requesting your cellphone number. The "Funny T-Shirt Fails" scam costs victims a $5 weekly charge on their cell phone bill, finds Sophos.
Likejacking Worm - Dangers of selecting "Like" button on malicious pages
QUOTE: The technique is exactly as Graham describes - when you “Click here to continue” you’re in fact clicking an invisible link (detected as Troj/Iframe-ET) which marks the website as one that you “like” in Facebook. This of course posts a message to your newsfeed, your friends see it and click on it, and so it spreads
As Facebook is one of the most popular resources on the web, it is important to manage your privacy settings. A social networking facility is designed to share information and to locate individuals who may have accounts; conceptually, this is the opposite of privacy. One good technique is to think of "friends" as "contacts". Even though almost all of my own Facebook contacts are truly friends, an individual's future behavior may require you to "unfriend" them later.
Computerworld shares some valuable tips and links in this recent article:
Facebook - Five More Tips to protect your privacy
QUOTE: Privacy and security problems have plagued Facebook and its more than 500 million users -- a lot -- over the past several months. Much of the most recent turmoil was kicked up this past April when Facebook unveiled a list of new tools that allow user information to be easily shared with third-party Web sites.
1. Understand Facebook's security settings and use them - users need to find out where the security settings are on Facebook and take the time to learn how to use them to control what information is shared with people, applications and Web sites.
2. Who is your Friend -- This is not high school and Facebook isn't a popularity contest. You don't need to be "friends" with everyone.
3. Beware of those applications - a Facebook application can give broad permission for whoever developed that application to access your data and your friends' data. Go to the bottom of Facebook's Privacy Settings page to find the "Applications and Websites" link. There, they can click on the "Remove unwanted or spammy applications" option.
4. Think before you type -- You have to protect yourself and think through every post that you put online. The golden rule, say several analysts, is to think about whether you want your mother, your boss (and any potential future bosses) and your significant other to read what you're about to write. If you don't want any of them to see it, don't post it.
5. Malicious eyes - Sit down and closely look at your Facebook page and consider what a malicious person could do with any of the information you've posted. Avoid listing your birth date, home address, children's names, phone numbers and social security numbers.
FACEBOOK - PRACTICAL SAFETY AND PRIVACY TIPS
EXCELLENT SLIDE SHOW -- HOW TO IMPROVE FACEBOOK PRIVACY SETTINGS
(click on RED ARROW on right side of each slide to advance to the next frame)
While I actively use several versions of Office, the latest release offers improved security. For example, when you open Word or Excel documents from external sources, you are often presented with a protected view which can keep any embedded malware from starting until you enable the document for use.
Microsoft Office 2010 - Improved Security Features
1. Message Bar alerts for potential content threats
2. Protected View allows viewing of potentially dangerous documents
3. File Block prevents files created from older versions of Office from being opened automatically
4. Data Execution Prevention (DEP) stops the execution of add-in code that does not meet safety standards
5. Trust Center - allows security and privacy tailoring