January 2011 - Posts
Symantec warns to be careful of potentially malicious email and websites
Chinese New Year of the Rabbit - Avoid Spam and Malware
QUOTE: Giving gifts for Chinese New Year is a traditional custom, not only for families but also for businesses to show their gratitude to customers. While everyone is ready to welcome the Year of the Rabbit, spammers have already provided many holiday surprises for them. Chinese New Year is on February 3 this year, about half a month earlier than in the last couple of years. Spammers have also adjusted their attack schedule for the upcoming festival. Product and business promotion spam has been observed since last December. Most attacks have customized the ‘From’ line alias and use promotional ‘Subject’ lines related to Chinese New Year.
While the MHTML protocol is not often seen, it could be used in new attacks until this vulnerability is patched. Please be careful if you encounter it, and make sure there is a legitimate and safe reason for this special protocol to be in use.
Microsoft Warns of Windows Script Injection Vulnerability
QUOTE: Microsoft tonight released a security advisory for a publicly-disclosed vulnerability in all versions of Windows. Security Advisory 2501696 describes a bug in the MHTML handler in Windows which could lead to information disclosure. MHTML (MIME Encapsulation of Aggregate HTML) encapsulates HTML in a MIME structure. MIME (Multipurpose Internet Mail Extensions) is a data format for encapsulating more complex binary structures in a text-only format. Windows includes a pluggable protocol handler (MHTML:) that allows applications to render MHTML structures. Internet Explorer is one of these and it can be abused to exploit the bug in the context of a web page, causing script to be executed. The user would have to click a link to an MHTML:// document.
Malware toolkits have grown more expensive (some costing $8,000 or more) as cybercrime continues to grow and become more sophisticated. Trend shares an interesting perspective on what these kits contain and how criminals use them.
Trend Labs - Do it yourself Crimeware Kits
QUOTE: This post is the first of a two-part report about how cybercrime kits such as exploit toolkits enable even the less technical of cybercriminals to build botnets and conduct malicious attacks.
Large-scale botnets that compromise hundreds of thousands of systems around the world receive plenty of attention and deservedly so. However, there are many smaller botnets that often escape such scrutiny. The tools and services required to create, maintain, and profit from a botnet are widely available in the cybercrime underground for a price. These do-it-yourself (DIY) cybercrime kits enable those with limited technical skills to create botnets of their own.
The tools available include exploit kits that attempt to deliver various exploits to a visitor’s system based on the availability of vulnerable software on the said system as well as on the traffic direction systems that divert visitors to other websites or that direct them to download additional malware.
Trend is warning that messages are being spammed to users, requesting that they log into a site that resembles the Facebook security home page. Please always be careful with any email messages claiming that they originate from Facebook. In this case avoid email messages stating your account has been blocked - instead log into Facebook and verify the status of your account directly.
Facebook Security Spoofed, Used for Phishing
Facebook's True Security Page
(which if you LIKE will provide critical warnings)
QUOTE: Facebook Security is the official Facebook page that the site uses to provide user-friendly security information that is particularly relevant to its users. However, it is now being used in phishing attacks. Spammed messages purportedly from Facebook Security are being sent to Facebook users. According to the message, the user’s account has been found to be suspicious and has been blocked. Facebook Security’s account was either accessed from an unknown location or was abused. The message then asks the user to verify and unblock the account by going to a site that turned out to be a phishing page.
Facebook's new SSL-based capabilities are a welcome improvement. Because this popular site attracts malicious attackers, best practices still complement this new protective approach (e.g., avoiding potentially malicious links or applications, locking down privacy settings, carefully approving friend requests, using a limited Windows account, running the latest browser version, keeping AV protection up to date, etc.).
Facebook Now Officially Supports HTTPS for Users
QUOTE: In line with Data Privacy Day this Friday, Facebook announced its rollout of Secure Sockets Layer (SSL) capability for all of its services. Facebook has taken some heat for its lack of SSL support, especially with the release of FireSheep, which we covered here. Facebook does warn that encrypted pages will take slightly longer to load, which is a small price to pay for the added security. According to the official Facebook post, there should soon be a check box titled Secure Browsing (https) under the Account Security section of Account Settings. This setting specifies that all future connections be redirected to HTTPS. It should be noted that this rollout has just begun and that this option is not yet available to everyone. It may take some time before this option is made available to everyone.
During 2010, malware authors continued to innovate, with many malicious attacks sending a unique sample each time to evade detection. Command-and-control botnets, targeted attacks, and highly polymorphic malware families resulted in millions of unique samples captured by AV-Test during the past year.
AV-TEST reports MILLIONS of unique Malware samples during 2010
AV-Test HOME PAGE
QUOTE: Andreas Marx at AV-Test has shared some more information which highlights the significance of the malware problem. The numbers are staggering — AV-Test processed an average of 54k samples per day in 2010, up from an average of 33k in 2009 — and up from 426 samples per day just a decade ago.
Below are links for this excellent corporate PENTEST tool. Architecturally, the new version uses a subroutine approach for specialized analysis to ensure the main engine stays efficient.
PENTEST Tool -- Nmap 5.50 Released
Nmap 5.50 Documentation
Nmap 5.50 Change Log
Nmap 5.50 Download (about 19MB)
QUOTE: A new update of one of the handlers' favourite tools was released today. A primary focus of this release is the Nmap Scripting Engine, which has allowed Nmap to expand up the protocol stack and take network discovery to the next level. Nmap can now query all sorts of application protocols, including web servers, databases, DNS servers, FTP, and now even Gopher servers! Remember those? These capabilities are in self-contained libraries and scripts to avoid bloating Nmap's core engine.
This phishing attack prompts users to renew their two-factor token devices and, in doing so, to share sensitive information.
Massive Phishing Attacks Strike Bank of China Users
QUOTE: We have noticed a lot of SMS-based web-phishing attacks in China targeting the Bank of China’s online users. They received a phishing SMS that is designed to look like it was sent by the bank as a reminder to its customers: “Dear user, your token has expired, please visit to reactivate your token.” The URL is similar to the bank’s official website but points to a phishing site that looks almost like the original bank website.
Data Privacy Day is January 28, 2011
QUOTE: Despite all of the benefits of these technologies, doubts and worries persist about just how much personal information is collected, stored, used, and shared to provide these convenient and pervasive tools and services.
Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information. In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask – who is collecting all of this – what are they doing with it – with whom are they sharing it? Most of all, individuals are asking ‘How can I protect my information from being misused?’ These are reasonable questions to ask – we should all want to know the answers.
Some excellent Windows Update tips and techniques recently published
Servicing related questions I have seen this week - Ramblings of a Support Engineer
This is a very useful table of Windows Update result codes noted in the above link:
Appendix G: Windows Update Agent Result Codes
PC Magazine has published a review of the new version. MSE offers good basic protection when complemented with best practices.
Microsoft Security Essentials 2.0 -- PC Magazine Review
QUOTE: Technically the product name is still just Microsoft Security Essentials, but the About box clearly shows a version number beginning with 2.0. This version has a few new features. It can automatically ensure firewall protection by enabling Windows Firewall if necessary. In Windows Vista and Windows 7, Microsoft Security Essentials' new network inspection system adds specific protection against network-based attacks. The app also claims better malware-fighting skills, though in my testing it seemed little improved.
* Pros -- Simple user interface. Insulates user from confusing details, while making details available if desired. Good ratings from independent labs. Free.
* Cons -- Protection weaker under Windows XP. Mediocre results in hands-on malware blocking and malware removal tests. Left some threats running after alleged removal.
* Bottom Line -- If using a Microsoft product gives you a warm, safe feeling you may consider relying on Microsoft Security Essentials for antivirus protection. The independent labs give it good ratings, for the most part. In my own testing, though, it didn't shine. Other free products offer better protection.
The ISC shares an interesting account of how Chrome may prefetch DNS information when web addresses are entered into the browser. This option can be turned off if desired, but doing so may slow browsing slightly.
Google Chrome - Prefetching DNS requests
QUOTE: Thomas wrote about weird DNS requests that he is seeing coming from his machine. After spending some time he found out that Chrome is sending those requests that he could not explain every time it is started. Since I spent some time on this a (long) time ago, I decided to pay more attention to Chrome’s DNS requests.
So, in order to speed up browsing, Google Chrome does a lot of DNS requests in advance (DNS prefetching – this can even be turned on and off in Chrome’s options). When Chrome is started it will look up domain names for previously opened web pages early in the startup process, so if the user clicks on one of those links Chrome can connect to the target site immediately.
How bad is this? Well, it’s not too bad but it is certainly causing some extra traffic, especially since it depends on caching of (mostly) negative answers. Now, the good thing for those wanting a bit more privacy is that you can turn off DNS prefetching in Chrome’s Options menu so it won’t try to resolve domain names as you type.
MORE INFORMATION - Chrome - Prefetching DNS requests
Human Resource departments usually process many job applications and resumes from the general public. They should always be alert for malware and their systems should be hardened, since many documents arrive from untrusted sources. Staff should avoid opening any suspicious documents, as targeted attacks against specific companies are circulating.
Targeted Attacks emailed to Human Resource departments
QUOTE: The IC3 (Internet Crime Complaint Center) is reporting that businesses are receiving fake job applications in e-mail with malicious attachments. The malware is a Bredolab variant, connected with the Zeus/Zbot botnet. "Recent FBI analysis reveals that cyber criminals engaging in ACH/wire transfer fraud have targeted businesses by responding via e-mail to employment opportunities posted online," IC3 said in a news release. In this case the attachment is actually an executable file, svrwsc.exe, which means that many security and e-mail systems would strip it out on that basis alone. Outlook, for example, strips .EXE attachments by default.
The first PC virus appeared shortly after the advent of the first IBM PC. It was relatively harmless and spread via infected floppy disks, as this was before the Internet and infection via email.
What would you ask from the creators of the very first PC virus?
QUOTE: It's now January 2011. Which means the Brain virus is now 25 years old. Brain, spreading on 5.25" floppy disks was the first PC virus. Which means that the PC virus is now 25 years old.
F-Secure -- Brain Virus Description
QUOTE: Virus:Boot/Brain is possibly the oldest virus known on the DOS platform, as it was first detected in January '86. Several variants of this virus are known, but most of them are fairly harmless. One harmful variant has been reported, which was designed to attack on May 5, 1992. This virus is rather large and most of it is located in sectors that are marked as "bad" in the FAT. One of the most interesting details regarding the Brain virus is the following text, which appears inside it:
• Welcome to the Dungeon
(c) 1986 Basit & Amjad (pvt) Ltd.
BRAIN COMPUTER SERVICES
730 NIZAB BLOCK ALLAMA IQBAL TOWN
Beware of this VIRUS....
Contact us for vaccination...
Sunbelt Security continues to highlight the danger of clicking potentially malicious links. This includes photo links offered by malicious applications, which can compromise your Facebook account or even your PC:
Phony Facebook Photos lead to malware
QUOTE: This latest Facebook scam seems to have been rattling around for a few weeks now, directing you to malware from hacked websites hosting the rogue files. There also appear to be various Facebook application pages offering up the same dubious content. Not a lot of sophistication there, but it doesn’t really take much to get people clicking. Downloading the file and running it will result in you sending your friends more "Foto" related spam and the whole process begins again.
Some users report the messages appearing on their walls, while others have screenshots of messages popping up in their chat applications. Either way, regardless of how the link is delivered the end-user will find themselves on a page containing nothing but a tantalising message regarding their photo hunt.
Numerous security updates were released recently for Oracle databases and business products:
Oracle Critical Patch Update Advisory - January 2011
QUOTE: Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
19 April 2011
19 July 2011
18 October 2011
17 January 2012
The Microsoft Malware Protection Center has identified a new trojan that blocks cloud-based AV technologies. While these attacks are currently centered in China, the same techniques could surface in future malware elsewhere.
Bohu Trojan - New Anti-Cloud Malware
QUOTE: The Microsoft Malware Protection Center has been tracking a recent threat that attacks cloud-based antivirus technology provided by popular major antivirus software vendors in China. The malware is named Win32/Bohu (TrojanDropper:Win32/Bohu.A). The Bohu malware is native to the China region. Bohu attracts user installation by social engineering techniques, for example, using attractive file names and dropping a fake video player named “Bohu high-definition video player”. The more interesting part of Bohu is that the malware blocks cloud-based services now commonly featured in major Chinese antivirus products. Specifically, Bohu uses a number of different techniques in order to attempt to thwart Cloud-based AV technologies.
Bohu Trojan - Technical Description
QUOTE: Win32/Bohu.A is a trojan that drops Trojan:Win32/Bohu.A!Installer - a trojan that filters an affected computer's network traffic in order to stop malware-related data from being sent to information-gathering networks that belong to particular AV companies in China. It has been distributed in the wild with the file name "Bohu high-definition video player.exe" or similar.
The MBR area can be altered by malware so that Windows systems cannot boot properly. It is important to keep this area protected and clean as noted below:
Master Boot Record - Importance of protecting against malware
QUOTE: It is that time of the year again to start anew. In terms of personal computers, the act of restarting the machine is called a reboot – an action that triggers execution of code from a special part of the disk called the Master Boot Record (a.k.a. MBR). As the year 2010 ended, I looked at some of the threats targeting the MBR. The MBR, the most important data structure on the disk, is created when the disk is partitioned. The MBR contains a small amount of executable code called the master boot code, the disk signature, and the partition table for the disk.
The master boot code performs the following activities:
1. Scans the partition table for the active partition.
2. Finds the starting sector of the active partition.
3. Loads a copy of the boot sector from the active partition into memory.
4. Transfers control to the executable code in the boot sector.
HOW TO FIX A DAMAGED MBR
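The MBR layout and the first two steps of the master boot code described above can be checked from a raw 512-byte sector. The following script is an added example written for this page, not Microsoft's code: it parses the partition table, locates the active partition's starting sector, and hashes the boot code region so it can be compared against a baseline taken from a clean machine (the sample sector and its disk signature are constructed, not read from a real disk).

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # master boot code occupies offsets 0..439
DISK_SIG_OFFSET = 440      # 4-byte Windows disk signature
PART_TABLE_OFFSET = 446    # four 16-byte partition table entries
BOOT_SIGNATURE = 0xAA55    # bytes 55 AA at offset 510, read little-endian


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (CHS fields are skipped)."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"active": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into boot code hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if struct.unpack_from("<H", sector, 510)[0] != BOOT_SIGNATURE:
        raise ValueError("missing 55 AA boot signature")
    table = sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 64]
    return {
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        # Hash only the executable region: this is what MBR malware rewrites.
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": [parse_partition_entry(table[i:i + 16]) for i in range(0, 64, 16)],
    }


def find_active_partition(mbr: dict) -> int:
    """Steps 1-2 of the master boot code: find the active entry and its start LBA."""
    active = [p for p in mbr["partitions"] if p["active"]]
    if len(active) != 1:
        raise ValueError(f"expected one active partition, found {len(active)}")
    return active[0]["lba_start"]


def boot_code_changed(mbr: dict, known_good_sha256: str) -> bool:
    """Compare the boot code hash against a baseline captured from a clean system."""
    return mbr["boot_code_sha256"] != known_good_sha256


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (not from a real disk): two partitions, first active."""
    boot_code = (b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * BOOT_CODE_LEN)[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x12345678)   # made-up disk signature
    entries = [
        struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800),
        struct.pack("<B3sB3sII", 0x00, b"\xfe\xff\xff", 0x83, b"\xfe\xff\xff", 206848, 1000000),
        bytes(16), bytes(16),
    ]
    return boot_code + disk_sig + b"\x00\x00" + b"".join(entries) + b"\x55\xaa"


if __name__ == "__main__":
    baseline = parse_mbr(build_sample_mbr())
    print("active partition starts at LBA", find_active_partition(baseline))
    tampered = bytearray(build_sample_mbr())
    tampered[0] = 0xEB   # simulate malware patching the first boot instruction
    print("boot code modified:",
          boot_code_changed(parse_mbr(bytes(tampered)), baseline["boot_code_sha256"]))
```

On a live system the same parser can be fed the first 512 bytes of the physical disk (read with administrator rights) and the stored hash compared on each boot to spot an MBR rewrite early.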
Below is an interesting survey of mistakes made during prospective interviews:
Job Interviews - CareerBuilder lists Worst Mistakes
QUOTE: When asked what the most outrageous blunders they had encountered interviewing candidates were, hiring managers reported the following:
* Provided a detailed listing of how previous employer made them mad.
* Hugged hiring manager at the end of the interview.
* Ate all the candy from the candy bowl while trying to answer questions.
* Constantly bad mouthed spouse.
* Blew her nose and lined up the used tissues on the table in front of her.
* Brought a copy of their college diploma that had obviously been white-outed and their name added.
* Wore a hat that said “take this job and shove it.”
* Talked about how an affair cost him a previous job.
* Threw his beer can in the outside trashcan before coming into the reception office.
* Had a friend come in and ask “HOW MUCH LONGER?”
In addition to the most unusual gaffes, employers shared the most common mistakes candidates made during an interview:
* Answering a cell phone or texting during the interview – 71 percent
* Dressing inappropriately – 69 percent
* Appearing disinterested – 69 percent
* Appearing arrogant – 66 percent
* Speaking negatively about a current or previous employer – 63 percent
* Chewing gum – 59 percent
* Not providing specific answers – 35 percent
* Not asking good questions – 32 percent
Microsoft's Secure Developer Tools
QUOTE: During Blackhat DC, Microsoft released some updates to its secure development tools. Microsoft did some very nice work with these tools. While these tools are not necessarily limited to .Net, I highly recommend that .Net developers take a look at them.