Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

September 2010 - Posts

Facebook - Beware of numerous scam messages circulating

Facebook is one of the most popular sites on the Internet, and Symantec advises caution when selecting links, clicking the LIKE button, or clicking on other potentially dangerous objects.

Social Network Flooded with Scam Messages
http://www.symantec.com/connect/blogs/social-network-flooded-scam-messages

Facebook now has over 500 million registered users, which makes this social network (like many other social networks) a very attractive “fishing pool” for attackers. There are so many potential victims that could easily fall for any of the scattered bait. So, it does not come as a surprise that we see another scam campaign launched nearly every week.

Even though it might appear that one of your friends has shared this link, he or she most likely did not do it knowingly. This is because whenever someone follows one of these malicious links, he or she ends up at an intermediate site on Facebook that will then load an “iframe” from a remote site. In this particular case, the remote site hosted four more scams targeting Facebook, each with different themes. The iframe loads an Uncle Sam image from a free image-hosting site and then asks the user to click on some part of the image.

However, what the user doesn’t see is that the attacker has also loaded a Facebook site, but has modified it to be invisible. The hidden page that is loaded is the Facebook “Like button” page, which is conveniently placed under the mouse pointer of the user. Hence, when the user clicks on the colored bars of the image, he or she is actually clicking on the invisible Like button and consequently shares the attacker’s link with all of his or her friends on Facebook. (The same trick is attempted with an invisible “Share” button.)
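
The trick described above works only because the Like button page can be loaded inside another site's iframe. The following is an added example (not code from the Symantec post or from this blog): a Python function that reads a page's response headers and reports whether a given site would be allowed to frame it, applying the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive (CSP takes precedence when both are present). The origins and header values below are constructed for the demonstration.

```python
# Added example: evaluate anti-framing headers (X-Frame-Options and
# CSP frame-ancestors) to decide whether one origin may embed another.
# The page names, origins and header values below are constructed.
from urllib.parse import urlsplit


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def csp_frame_ancestors(csp_value):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def source_matches(expr, page_origin, framer_origin):
    """Does one CSP source expression admit framer_origin as an ancestor?"""
    expr = expr.lower()
    if expr == "'none'":
        return False
    if expr == "'self'":
        return framer_origin == page_origin
    if expr == "*":
        return True
    framer = urlsplit(framer_origin)
    if expr.endswith(":") and "/" not in expr:          # scheme-source such as "https:"
        return framer.scheme == expr[:-1]
    scheme, _, host = expr.rpartition("://")            # host-source, scheme optional
    if scheme and scheme != framer.scheme:
        return False
    host = host.rstrip("/")
    target = framer.netloc if ":" in host else (framer.hostname or "")
    if host.startswith("*."):                           # wildcard matches any subdomain
        return target.endswith(host[1:])
    return target == host


def framing_allowed(headers, page_url, framer_url):
    """True if a browser would let framer_url embed page_url, given the page's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, framer_origin = origin_of(page_url), origin_of(framer_url)
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = csp_frame_ancestors(csp)
        if ancestors is not None:                       # CSP wins over X-Frame-Options
            return any(source_matches(a, page_origin, framer_origin) for a in ancestors)
    xfo = h.get("x-frame-options", "").strip()
    token = xfo.split()[0].upper() if xfo else ""
    if token == "DENY":
        return False
    if token == "SAMEORIGIN":
        return framer_origin == page_origin
    if token == "ALLOW-FROM":                           # obsolete; honoured by old browsers only
        rest = xfo.split(None, 1)
        return len(rest) == 2 and origin_of(rest[1]) == framer_origin
    return True                                         # no protection at all


# Constructed responses: the first is what an easily clickjacked page looks like.
SAMPLE_RESPONSES = {
    "no headers": {},
    "X-Frame-Options only": {"X-Frame-Options": "SAMEORIGIN"},
    "CSP with partner allow-list": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example"},
    "CSP 'none' overrides XFO": {
        "X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'none'"},
}
PAGE = "https://social.example/plugins/like"           # constructed page URL


def audit(responses=SAMPLE_RESPONSES, page=PAGE, framer="https://other-site.example/contest"):
    """Map each constructed response to whether the third-party site could embed the page."""
    return {name: framing_allowed(hdrs, page, framer) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, allowed in audit().items():
        print(f"{name:30} framable by a third party: {allowed}")
```

Running the block prints one line per constructed response; a page that returns neither header can be framed by any site, which is the condition the invisible Like button relies on.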

ZoneAlarm Firewall - Your PC may be in Danger popups have been turned off

The free version of the ZoneAlarm Firewall recently implemented some new popup warning messages, which stated “Global virus alert. Your PC may be in danger!” and then cited an example from the advanced Zeus trojan family.

While ZoneAlarm has had an excellent, leak-proof, award-winning bi-directional firewall for several years, this advertising approach was not well received. In fact, the message resembles the tactics of Rogue and FakeAV scareware, which use the fear factor to motivate users.

The vendor quickly retracted this popup alert, as marketing ideas sometimes do not go as well as planned. They will most likely never use this form of advertising again to upsell users to the paid version. Still, it is better to market security products based on the quality of their protection.

CheckPoint: ZoneAlarm Is No Rogue
http://blogs.pcmag.com/securitywatch/2010/09/checkpoint_zonealarm_is_no_rog.php#more
http://news.techworld.com/security/3240418/zonealarm-angers-users-with-virus-scare-pop-up/
http://forums.zonealarm.com/showthread.php?t=75332

QUOTE: Users of ZoneAlarm Free Firewall 9.2, PCMag's Editors' Choice for free firewall, were treated to a similar message this morning. Some of my colleagues feel this alert goes too far; Check Point says they were only trying to help.
 
As you can see, it doesn't actually say that your PC is infested with ZeuS.Zbot.aoaq, just that it "may be in danger". If you click the link to "See Threat Details" you come to a page of statistics purporting to show that only ZoneAlarm Internet Security Suite can protect you - not Norton, not Trend Micro, not any of several free antivirus solutions. Problem is, the source of those statistics repudiates their use here, saying "virustotal is NOT meant for AV comparatives".

Check Point responded: "The popup message in ZoneAlarm Free Firewall was intended as an alert to a virus our technology discovered. We wanted to proactively let our users know that ZoneAlarm Free Firewall and other AV products do not fully protect from this virus. It was never our intent to lead customers to believe they have a virus on their computer. This was purely an informative message about a legitimate and serious virus that also included information about the differences in protection of various products, and how to get protection against it. ZoneAlarm is committed to providing our customers with the best protection and considers it our job to proactively alert users whenever a potential risk is looming rather than wait for the damage to be done."

I'm afraid I don't buy it. The popup message is a clear and simple attempt to scare users of the free ZoneAlarm Firewall into purchasing a paid ZoneAlarm product. While it's not as pushy as the actual rogue products, I do see it as misleading. The fact that it links to misleading statistics is another nail in the coffin. CheckPoint may have inspired a few users to buy an upgraded product, but I'm sure many others are left with a lasting bad impression. The net effect of this initiative is decidedly negative.

October is Cybersecurity Awareness Month

http://www.whitehouse.gov/blog/National-Cybersecurity-Awareness-Month/

QUOTE: Today, per a Presidential Proclamation and a Senate Resolution, marks the start of the sixth annual National Cybersecurity Awareness Month. As stated in the President’s Cyberspace Policy Review, cybersecurity is a national priority and is vital to our economy and the security of our nation. The financial industry, our government networks, and your home computers are under continual attack from a variety of malicious actors, including domestic hackers, international organized crime rings, and foreign intelligence agencies. They are stealing your identities and financial information, sensitive government data, and proprietary industry information. As President Obama stated in his May 29th speech, "America's economic prosperity in the 21st century will depend on cybersecurity."

Microsoft Security Updates - Out-of-Band release on September 28th

Microsoft has just released an out-of-band security update early this afternoon. Please apply it promptly. So far, this new update is working well in early testing.

Microsoft Security Updates - Out-of-Band release on September 28th
http://www.microsoft.com/technet/security/bulletin/ms10-sep.mspx
http://isc.sans.edu/diary.html?storyid=9619
http://www.microsoft.com/technet/security/advisory/2416728.mspx
http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx
http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx

QUOTE: Microsoft is going to release an Out-of-Band Security bulletin tomorrow, 28 September 2010, which will address a security vulnerability in ASP.Net affecting all current versions of Windows.

New Azvhan Botnet Family emerges

TrendLabs shares an informative write-up on a new botnet family that is currently impacting users in Asia.

New Azvhan Bot Family Revealed
http://blog.trendmicro.com/new-azvhan-bot-family-revealed/
http://asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=Mal_Scar-1

QUOTE: A new bot family was found in the wild around April this year. This family was named “Avzhan.” Avzhan malware, detected by Trend Micro as Mal_Scar-1, mostly affected Asia where most of the affected users resided. Avzhan bots install themselves onto the Windows system directory using the file name {six random lower-case letters}.exe. After installation, it deletes its original copy then executes the copy it installed. It registers itself as a service to run at every system startup, as shown by the service named Q MUSCIC below.

As is typical of botnet zombies, Mal_Scar-1 can execute various commands received from its command-and-control (C&C) servers, including downloading and executing potentially malicious files. This also allows complete takeover of users’ systems. In addition, it also steals certain information about users’ systems. This stolen information is part of the data sent back to the botnet’s servers, which includes the following:

• Computer name
• CPU speed
• Language used
• Memory size
• Windows version
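
The installation pattern quoted above (a service whose binary is a six-letter random name in the Windows system directory) is something an analyst can hunt for in a service inventory. The following is an added example, not code from TrendLabs or from this blog: a Python heuristic run over a constructed list of service records. The service names and file names in the sample inventory are invented; a match is a triage lead, not proof of infection, since a legitimate binary can happen to have a six-letter name.

```python
# Added example: a hunting heuristic for the installation pattern quoted above,
# a service whose binary is "<six lower-case letters>.exe" in the Windows system
# directory. The service records below are constructed, not real telemetry.
import ntpath
import re

RANDOM_SIX = re.compile(r"^[a-z]{6}\.exe$")
SYSTEM_DIRS = (r"\windows\system32", r"\windows\syswow64")


def binary_path(image_path):
    """Strip quoting and arguments from a service ImagePath to get the executable."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def looks_like_avzhan_install(image_path):
    """True when the executable sits in a system directory under a six-letter name.

    Windows file names are case-insensitive, so the name is normalised to
    lower case before the pattern is applied.
    """
    exe = binary_path(image_path)
    directory, name = ntpath.split(exe)
    norm_dir = ntpath.normcase(directory)          # lower-case, backslashes
    in_system_dir = any(norm_dir.endswith(d) for d in SYSTEM_DIRS)
    return in_system_dir and bool(RANDOM_SIX.match(ntpath.normcase(name)))


# Constructed service inventory (service name, ImagePath); "qwzkfa.exe" is invented.
SAMPLE_SERVICES = [
    ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("Q MUSCIC", r"C:\Windows\system32\qwzkfa.exe"),
    ("MyBackup", r'"C:\Program Files\Backup Tool\agentx.exe" --service'),
]


def suspicious_services(services=SAMPLE_SERVICES):
    """Return (service name, executable) pairs that match the heuristic, for analyst triage."""
    return [(name, binary_path(path)) for name, path in services
            if looks_like_avzhan_install(path)]


if __name__ == "__main__":
    for name, exe in suspicious_services():
        print(f"review service {name!r}: {exe}")
```

Only the constructed "Q MUSCIC" entry is reported: spoolsv.exe has seven letters, and the six-letter agentx.exe lives outside the system directory, so both conditions of the quoted behaviour are required for a hit.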

Halo Reach - Beware of scams and malicious links

Sunbelt Security is warning of at least three separate forms of attack on this highly popular game. Avoid free downloads that promise success, be careful with Internet searches, and avoid handing over your account credentials to others.

Sunbelt Blogs: Halo Reach: Scams Galore
http://sunbeltblog.blogspot.com/2010/09/halo-reach-scams-galore.html

QUOTE: Halo Reach has been doing rather well since the game was launched last week. Of course, this means scammers have marked it as a target for shenanigans. I thought it would be a good idea to have a quick look at some of the most common pitfalls to avoid. I haven’t touched phishing, as Bungie (the Halo developers) have covered that one nicel

Halo Reach - Very popular (70 million times played)
http://www.eurogamer.net/articles/2010-09-24-halo-reach-played-70-million-times

(1) Free generators. It doesn’t matter whether they’re offering up free armour downloads, extra weaponry or, er, “flaming helmets” – you can bet hard cash that whatever they’re offering will not work. Many of these sites lurk on free blog hosting, advertised via Youtube

(2) Something else gamers should be wary of is stumbling onto infected sites that through accident or design (in the form of Blackhat SEO) are touting all manner of Malware. One little letter missing, and the end-user would be stumbling onto a URL flagged with the “This site may harm your computer” warning from Google Search.

(3) Modding / hacking XBox accounts for cash, buying high level profiles, giving control of your account to strangers to let them increase your score. All of the above are bad ideas – modding accounts can easily be detected, and the banhammer is probably going to fall on your head shortly afterwards.

Finally, it goes without saying that you should never hand over login details to “helpful” gamers who want to increase your score – things will go wrong in a hurry.  There will probably be many more scams related to Halo Reach over the coming months, but the above list hopefully gives you an idea of what the most common ones will be.

Microsoft Security Essentials - Recent Engine update performed

All MSE and Forefront users should ensure their virus signature files are up to date. On September 16, 2010, Microsoft included an engine update that enhances detection capabilities to better meet constantly changing security requirements.

http://blogs.technet.com/b/enginenotifications/archive/2010/09/16/antimalware-engine-1-1-6201-0-was-released-to-customers-on-16-september-2010.aspx

QUOTE: Antimalware Engine 1.1.6201.0 is released to all MSE and FCS customers on 16 September 2010. Signature package 1.91.0.0 is the first that contains this engine.

Affected products: Microsoft Security Essentials (MSE), Forefront Client Security (FCS)

Engine Version will be in the range of 1.1.620X.0

Microsoft Hotmail - Security Enhancements will be implemented this week

Microsoft will be strengthening security controls for its free Hotmail service this week.

Microsoft Hotmail Security Enhancements Coming
http://www.eweek.com/c/a/Security/Microsoft-Hotmail-Security-Enhancements-Coming-313851/

QUOTE: Microsoft said it is delivering security changes to Hotmail users this week, including new user identity proofs and detection capabilities meant to thwart account hijacking. Microsoft has begun rolling out new security features for Hotmail users today centered around preventing and detecting account compromises. Once they arrive, the changes will include both new proofs for user authentication as well as detection capabilities meant to identify hijacked accounts.

In the area of proofs, users will be able to add a “Trusted PC” to associate with their Hotmail account. If an account is compromised, all a victim needs to do to reclaim their account is to login from their trusted machine. Cell phones can be used as proofs as well, with Microsoft sending a code via SMS message to allow users to reset their passwords.  “Account proofs are like a spare key to your account,” Lewis said. “If you set them up in advance, in the unlikely event that you forget your password or someone hijacks your account you can use them to “prove” that you are the rightful owner and kick out the hijacker.”

Malicious PDF Analysis - Free E-book

This is an excellent technical resource on how PDFs operate and how they can be manipulated by malicious individuals.

Malicious PDF Analysis - Free E-book
http://isc.sans.edu/diary.html?storyid=9613
http://blog.didierstevens.com/2010/09/26/free-malicious-pdf-analysis-e-book/

QUOTE: Didier Stevens has published a 23-page paper on how to analyze nasty PDFs. While the content is a bit dated and the attackers have added more insidious exploit obfuscation to their arsenal since, the document explains all the concepts that are still valid and useful whenever you encounter a suspicious PDF today.  If you're into PDF analysis (and even if you aren't), this is a must-read.

Stuxnet worm - Advanced malware could impact industrial control systems for unpatched systems

AVERT Labs provides an informative update on highly advanced malware that could impact the automation found in industrial control systems. Firms running such systems should thoroughly patch all software and scan for the presence of malware.

MS10-046: Stuxnet Advanced Malware that could impact energy firms for unpatched Windows
http://www.avertlabs.com/research/blog/index.php/2010/09/24/stuxnet-update/
http://siblog.mcafee.com/critical_infrastructure/stuxnet-a-view-from-an-energy-perspective/
http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=268468

QUOTE: Stuxnet is a highly complex virus targeting Siemens’ SCADA software.  The threat exploits a previously unpatched vulnerability in Siemens SIMATIC WinCC/STEP 7 (CVE-2010-2772) and four vulnerabilities in Microsoft Windows, two of which have been patched at this time (CVE-2010-2568, CVE-2010-2729).  It also utilizes a rootkit to conceal its presence, as well as 2 different stolen digital certificates.

Stuxnet infects Windows systems in its search for industrial control systems, often generically (but incorrectly) known as SCADA systems. Industrial control systems consist of Programmable Logic Controllers (PLCs), which can be thought of as mini-computers that can be programmed from a Windows system. These PLCs contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Programmers use software (e.g., on a Windows PC) to create code and then upload their code to the PLCs.

Windows Shell (LNK) Vulnerability - Patch by performing Windows update
http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx
http://www.microsoft.com/technet/security/advisory/2286198.mspx

Facebook - Avoid downloads that offer to customize your Facebook profile

Please avoid suspicious downloads or email messages that offer customizable profile settings. Instead, lock down your privacy and security settings directly within Facebook and choose other preferable settings there.

Facebook - Avoid downloads that offer to customize your Facebook profile
http://www.facebook.com/security

QUOTE: Take care when downloading programs or browser extensions that offer to “customize” your Facebook Profile. These products are not built or sanctioned by Facebook and may leave you vulnerable to security threats.

Facebook - New attacks where email messages are similar to Facebook notifications

Please be careful not to select links from suspicious messages that appear to come from Facebook. Instead, log into FB and check for new messages there.

Facebook - New attacks where email messages are similar to Facebook notifications
http://www.facebook.com/security

QUOTE: We've received reports of a new malware campaign using emails made to look like they're from Facebook. Scammers sometimes pose as friends or popular websites in order to trick people into installing malware or providing personal information. Stay vigilant, and remember that Facebook won't send you emails with attachments. If an email looks suspicious, delete it and warn your friends.

Facebook - Be careful with the LIKE button on URLs

One growing trend on Facebook is for a one-line hyperlinked statement containing a popular or religious phrase to show up in the News Feed as something a FRIEND has selected (with the LIKE button available).

In early usage of Facebook, I had even selected a few of these. Later, I discovered they are difficult to remove from LIKE lists. While these links may or may not be malicious, the linked sites can contain extensive advertising rather than supporting the theme noted by the link. I stopped selecting these a while back, and the Internet Storm Center also recently noted caution, as shown below.

Facebook - Be careful with the LIKE button on URLs
http://isc.sans.edu/diary.html?storyid=9556

QUOTE:  I am seeing a trend on Facebook recently, and I am not sure what to make of it. As we all know just too well, Facebook has a "Like" feature. This feature, a little button associated with a post, allows you to show agreement with a post.  Lately however, I am seeing more and more posts like the following: (a hyperlinked phrase with a button)

Nobody has seen anything malicious from these URLs yet, so it appears to be just "Spam", maybe search engine optimization techniques to get these pages linked and ranked higher. A couple readers noted that unlike a regular "like", it is not so easy to remove these notes from your profile. You need to go to your "wall" page and remove them. You can not remove them like normal "Likes" from your "Newsfeed".

Internet Explorer 9 Beta - Available for Windows 7 and Vista

Individuals with advanced technical skills are the best candidates for testing this first beta version of Internet Explorer 9.

Internet Explorer 9 Beta - Home Page
http://www.beautyoftheweb.com/

Internet Explorer 9 Beta - Key Features
http://www.beautyoftheweb.com/#/highlights/all-around-fast
http://www.beautyoftheweb.com/#/productguide

QUOTE: The wait is over for the newest beta version of Microsoft’s browser, Internet Explorer 9.  Starting on September 15, 2010 (PDT), users will be invited to download this newest test version.

Internet Explorer 9 offers substantial improvements over the current version including: a streamlined interface, full hardware-accelerated HTML5, modern SVG and native JavaScript integration, support for the Web Open Font Format as well as faster overall performance. The new Internet Explorer 9 Beta provides a more secure, stable and fast browsing experience.

Internet Explorer 9 Beta is compatible with Windows Vista SP2 and Windows 7 PCs. It is not available for earlier versions of Windows Vista or with PCs running Windows XP.

Microsoft Security Updates - September 2010

Microsoft released several critical security updates during September as noted in links below. Please install these promptly to ensure your systems are properly protected.

Microsoft Security Updates - September 2010
http://www.microsoft.com/technet/security/bulletin/MS10-sep.mspx
http://blogs.technet.com/b/msrc/archive/2010/09/13/september-2010-security-bulletin-release.aspx

ISC Patch Tuesday Summary (always an excellent resource)
http://isc.sans.edu/diary.html?storyid=9547

Harrisburg University of Science and Technology bans Web 2.0 apps for one week

Documentation of an interesting experiment in which all students were asked to avoid using Facebook and Twitter for one week. They will later be surveyed and asked to reflect on their experiences without these Web 2.0 resources.

Harrisburg University of Science and Technology bans Web2.0 apps for one week
http://technolog.msnbc.msn.com/_news/2010/09/13/5101516-university-bans-facebook-twitter-for-one-week

QUOTE: If you pass through Pennsylvania's Harrisburg University of Science and Technology this week and see some glassy-eyed, numbed and twitching students walking around, they aren't stressed from an early onslaught of all-nighters.

They're probably dealing with withdrawal from a week-long ban on Facebook, Twitter and IM's imposed campus-wide by Provost Eric Darr, who is conducting the experiment as an exercise that will culminate in a survey and students writing essays about their experience. Faculty and staff won't have access either, at least not through the campus system.

One thing is for sure: the experiment is inspiring a lot of chatter on those networks. It's already burning up on Twitter. In an interview this morning, Darr told me that this experiment is not a criticism of social media, but about observing habits and behaviors in the way we use technology.

Adobe Acrobat - Zero Day security warning

While this issue will most likely be fixed soon, please be careful of any suspicious PDF documents you see in email or from websites.

Adobe Acrobat/Reader 0-day in Wild, Adobe Issues Advisory
http://www.adobe.com/support/security/advisories/apsa10-02.html
http://isc.sans.edu/diary.html?storyid=9523
http://secunia.com/advisories/41340

QUOTE: A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

Microsoft Security Updates - Nine bulletins September 2010

Microsoft will perform a large and important security release for Windows and Office on Patch Tuesday.

Microsoft Security Updates - Nine bulletins September 2010
http://www.microsoft.com/technet/security/bulletin/ms10-sep.mspx
http://sunbeltblog.blogspot.com/2010/09/microsoft-patch-tuesday-nine-bulletins.html

QUOTE: Microsoft has announced that it will release nine bulletins for the September “Patch Tuesday” next week. The updates will fix seven vulnerabilities in Windows and Office that could allow remote execution of code and two that could permit elevation of privileges.

Here-you-have virus spread rapidly but has been contained

This new virus attack was massively spammed via email but appears to be contained, as the malicious links have been deactivated. Please always be careful with email attachments and URLs.

'Here You Have' Email Virus
http://isc.sans.edu/diary.html?storyid=9529
http://www.f-secure.com/weblog/archives/00002027.html
http://blog.trendmicro.com/old-malware-out-of-its-shell/
http://blogs.pcmag.com/securitywatch/2010/09/here_you_have_incompetence.php
http://abcnews.go.com/Technology/virus-mail-spreads-online/story?id=11596433&page=1
http://www.symantec.com/connect/blogs/here-you-have-mass-mailing-virus-returns-old-school-tactics
http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/

QUOTE: There are several good write-ups on the behavior of this malware; see some of the references below. The spam contains a link to a document. The link looks like it is to a PDF, but is, in fact, to a .SCR file and served from a different domain from what the link appears to point to. The original file seems to have been removed, so further infections from the initial variant should not occur, but new variants may well follow. The .SCR when executed downloads a number of additional tools, one of which appears to attempt to check in with a potential controller. The name associated with the controller has been sink-holed. The malware attempts to deactivate most anti-virus packages and uses the infected user's Outlook to send out its spam.

EMAIL MESSAGES TO AVOID

(Please do not click on the URL link, as that is the primary danger and new variants could appear later.)

Subject(s): Here you have -- or -- Just For you

Body:  Hello, This is The Document I told you about,you can find it Here.  Please check it and reply as soon as possible.
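
The two tells quoted above, a link that looks like a PDF but really fetches a .SCR file, and a real host that differs from the one the link appears to point to, can both be checked mechanically on an HTML message body. The following is an added example, not code from the ISC diary or from this blog: a Python script that extracts every anchor from a message and reports the ones whose target is an executable, whose displayed URL names a different host than the real href, or which is presented as a PDF but does not point to one. The sample message, domains and file name are constructed.

```python
# Added example: flag email links whose real target is an executable or whose
# displayed URL does not match the real href, the two tells of the
# "Here you have" message. The sample message and domains are constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

RISKY_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar"}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse the whitespace that HTML mail wraps around link text
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def split_url(s):
    """urlsplit that tolerates malformed text (e.g. an unbalanced IPv6 bracket)."""
    try:
        return urlsplit(s)
    except ValueError:
        return urlsplit("")


def extension_of(url):
    """File extension of the URL path, lower-cased ('' when there is none)."""
    return posixpath.splitext(split_url(url).path)[1].lower()


def suspicious_links(html_body):
    """Return the anchors a user should not click, each with the reasons."""
    parser = AnchorCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        reasons = []
        real_host = split_url(href).netloc.lower()
        real_ext = extension_of(href)
        if real_ext in RISKY_EXTENSIONS:
            reasons.append(f"target is an executable ({real_ext})")
        shown = split_url(text)
        if shown.scheme and shown.netloc and shown.netloc.lower() != real_host:
            reasons.append(f"displayed host {shown.netloc} differs from real host {real_host}")
        if extension_of(text) == ".pdf" and real_ext != ".pdf":
            reasons.append("link is presented as a PDF but does not point to one")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed message modelled on the quoted lure; hosts and file name are invented.
SAMPLE_EMAIL = """<html><body>
<p>Hello, This is The Document I told you about, you can find it
<a href="http://files.bad-host.example/library/PDF_Document21.025542010.scr">Here</a>.
Please check it and reply as soon as possible.</p>
<p>Mirror: <a href="http://files.bad-host.example/library/PDF_Document21.025542010.scr">
http://www.sharing-site.example/library/PDF_Document21.025542010.pdf</a></p>
<p><a href="https://www.sharing-site.example/help">Help</a></p>
</body></html>"""


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["text"], "->", finding["href"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The "Here" link is reported on the extension alone, the "Mirror" link on all three tells, and the plain help link is not reported; the checks work on the real href, so they are unaffected by whatever the visible text claims.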

PC Magazine - New Anti-Virus Product Reviews for 2011 versions

Usually in the early fall, new annual version releases occur for many AV product families. While not all products were reviewed, many AV product reviews are included in the link below. Webroot was rated as one of the best subscription products and Panda's Cloud AV product as the best of the free products.

PC Magazine 2011 Anti-Virus Product Reviews - So far
http://www.pcmag.com/article2/0,2817,2368554,00.asp

QUOTE: The summer of 2010 isn't even over yet, but the 2011 antivirus utilities are pouring in already. Significant players are still waiting in the wings, it's true. Norton's 2011 product releases are imminent, as are Trend Micro's. Spyware Doctor and others won't be far behind. But quite a few of 2011's antivirus apps, both commercial and free, have already sprung up. Among others, Bit Defender Antivirus Pro 2011, Kaspersky Anti-Virus 2011, and Panda Antivirus Pro 2011 and Webroot AntiVirus with Spy Sweeper 2011 are all available and have already been through my testing. If you're looking to buy antivirus, today, the results show that there are already some solid choices available.
