Mark Dormer : Security

Whitepages.com Malware

Mark Dormer — Fri, 24 Aug 2007 06:49:00 GMT

So I went to whitepages.com today and got drive by malware trying to load.

Looks like making money is more important to them than helping me find a number.

I chose cancel then it claims it is analysing my drive and finding porn. Amazing technology as the hard disk wasn't being accessed.

Clicking on No has the same effect as clicking on Yes.

We will cancel the download and OneCare pops up a warning

They should call themselves dvrivebydrivecleaner.com.

I see Sandi has been aware of this for awhile.

Steve Riley Talks at SWIUG on Tuesday 24th April at 6pm 2007

Mark Dormer — Fri, 20 Apr 2007 01:58:00 GMT

If your in Sydney, Australia next Tuesday we have been lucky enough to get Steve Riley from Microsoft giving us a talk on "Attack trends and techniques".

Here is Steves Topic:

Attack trends and techniques

The bad guys just keep getting better! They're constantly changing their tactics and inventing new techniques to cause you harm, damage your data, and make your resources unavailable. Why do they do this? What motivates someone to -- let's call it what it is -- commit computer-related crimes? How have they changed and improved? What kinds of attacks are popular now and why are they so effective? What might we expect to see in the future? Steve Riley will help you understand the latest in attack trends and techniques, so that you can plan appropriately and implement effective processes and technologies to mitigate their threats.

Full Details

Official WMF Exploit Patch Released

Mark Dormer — Thu, 05 Jan 2006 21:26:00 GMT

Microsoft has released the patch earlier than expected.

It became available around 7 am my time on the 6/1/2005 (UTC 8pm 5/1/2006)

Microsoft Security Bulletin MS06-001
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)

If you have used any of the unofficial patches, remove them before installing the MS patch.

Microsoft AntiSpyware to remove Sony Rootkit

Mark Dormer — Wed, 16 Nov 2005 16:55:00 GMT

Microsoft's security tools will be updated to detect the controversial Sony BMG copy protection software installed on PCs when some audio CDs are played, the software giant said over the weekend.
http://blogs.technet.com/antimalware/archive/2005/11/12/414299.aspx

It seems that the patch to remove the rootkit contains a new security vulnerabilty. http://hack.fi/~muzzy/sony-drm/

And if you think this isn't a widespread issue take a look at the figures on DoxPara

Sony's Web-based unistaller opens a big security hole

Sony BMG suspends copy-protection software

Mark Dormer — Sun, 13 Nov 2005 21:36:00 GMT

In an embarassing turn around, Sony has suspended the root kit it has been installing by stealth onto PC's.

November 11, 2005 - Sony BMG, which faces a number of lawsuits in the US related to the use of the software, acknowledged for the first time that it could render PC users vulnerable to attack.

November 8, 2005 - This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers.

So on Nov 8 it didn't affect seciruty but on Nov 11 it does. Come on Sony, stop the bullshit.

Blind Freddy could see it was a security vulnerability fromn the day the app was coded.

Do you love money so much you are willing to lie to your customers. Seems like it.

They have also given removal to AV vendors so they can kill the attack vector.

http://news.ft.com/cms/s/018223e4-52f0-11da-8d05-0000779e2340.html

Security Vulnerabilites in Flash Player

Mark Dormer — Fri, 11 Nov 2005 22:57:00 GMT

Microsoft has issued an advisory http://www.microsoft.com/technet/security/advisory/910550.mspx

Affects

Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

Microsoft Windows 2000 Service Pack 4

Microsoft Windows XP Service Pack 1

Microsoft Windows XP Service Pack 2

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003

Microsoft Windows Server 2003 for Itanium-based Systems

Microsoft Windows Server 2003 Service Pack 1

Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

Microsoft Windows Server 2003 x64 Edition

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

Three companies shut down on spyware charges

Mark Dormer — Fri, 11 Nov 2005 22:54:00 GMT

WASHINGTON (Reuters) - A US court shut down three internet companies for secretly bundling malicious "spyware" with ring tones, music programs and other free high-tech goodies, the US Federal Trade Commission said on Thursday.

http://www.itnews.com.au/newsstory.aspx?CIaNID=20952&eid=3&edate=20051111

Another few hundred and it might make a difference

Malware using EULA to block detection

Mark Dormer — Fri, 11 Nov 2005 22:14:00 GMT

Spotted this at ZDNet http://news.zdnet.com/2100-1009_22-5944208.html

RetroCoder, makers of Spymon are threatening legal action against Sunbelt Software.

The British company wants Sunbelt, maker of CounterSpy, to stop flagging its SpyMon software as spyware.

RetroCoder charges that Sunbelt has violated the terms of the copyright agreement contained in its software, which specifically excludes anti-spyware research. The full EULA

Yeah I laughed my ass off too. If this ever held up in court, hell would freeze over.

So this software may have legitimate uses, but it can be used for illegal purposes. Sounds like P2P sharing! So why isn't anyone going after these guys? Oh there is no money in it!

Check out the Spymon website. Is it just me or is this site bad?

Sony Rootkit

Mark Dormer — Fri, 11 Nov 2005 21:55:00 GMT

Saw this about a week ago. Sony, Rootkits and Digital Rights Management Gone Too Far by Mark Russinovich

I was appalled by Sony including a rootkit on some of it's music CD's. This is going to far. They are out of control.

Is our only purpose in existing to make money? It seems many worship at this alter. Wake up.

There is a lot of anger about this. Just do a little searching on hate + sony
I found loads of sites like this http://sonysux.blogspot.com/

It looks like Sony might have some PR work to do!

Phishy Google Toolbar

Mark Dormer — Fri, 07 Oct 2005 17:04:00 GMT

Facetime's senior researcher Chris Boyd warned that two URL links are in circulation over instant messaging (IM) and internet relay chat (IRC) channels. Both links lead the nave to a page which, among other actions, installs and launches a phony Google toolbar, hijacks the Windows HOSTS file, and adds the anti-spyware program known as "World Antispy". The toolbar, in connection with the rewritten HOSTS file, redirects most Google addresses and pops up a window asking for credit card information.

IMlogic, another IM security vendor, said in its alert that the IM side of the attack was limited to Yahoo Messenger users, and the hack was using some of the same vulnerabilities in Microsoft's Internet Explorer as the infamous CoolWebSearch, the broad name given to a line of sneaky software that has in the past been dubbed "the Ebola of adware". This is the first known instance of a CoolWebSearch-style attack being propagated over an IM network.

October Patches

Mark Dormer — Fri, 07 Oct 2005 16:52:00 GMT

On 11 October 2005 Microsoft is planning to release:

Security Updates

8 Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. Some of these updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA) and the Enterprise Scanning Tool (EST).

1 Microsoft Security Bulletin affecting Microsoft Windows and Microsoft Exchange. The highest Maximum Severity rating for this is Important. These updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA).

Microsoft will release an updated version of the Microsoft Windows

Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.

Note that this tool will NOT be distributed using Software Update Services (SUS).

TechNet Webcast: Information about Microsoft's Security Bulletins

(Level 100) Wednesday, 12 October 11:00 AM (GMT-08:00) Pacific Time (US & Canada)

http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032282125&EventCategory=4&culture=en-US&CountryCode=US

Firefox more vulnerable than IE

Mark Dormer — Tue, 20 Sep 2005 23:00:00 GMT

According to Symantec, between Jan and June 2005 FF had 25 confirmed bugs vs IE with 13

Sort of makes you wonder about the advice to use FF because it's more secure.

http://tinyurl.com/b7a6k

WSUS Operations Guide

Mark Dormer — Fri, 02 Sep 2005 02:22:00 GMT

Microsoft have just published a comprehensive guide to WSUS.
You can get it here

http://tinyurl.com/82cx4

Firefox Software Updates

Mark Dormer — Mon, 29 Aug 2005 18:28:00 GMT

Do you use Firefox?

Do you want to help make it better?

Test Firefox Software Update

http://wiki.mozilla.org/Mozilla_QA_Community:Software_Update

Microsoft Releases Zotob Cleaner

Mark Dormer — Fri, 19 Aug 2005 18:14:00 GMT

Microsoft have updated their Malicious Software Removal Tool.
It now removes;
Zotob.A
Zotob.B
Zotob.C
Zotob.D
Zotob.E
Bobax.O
Esbot.A
Rbot.MA
Rbot.MB
Rbot.MC
See the complete list of malicious software cleaned by this tool.

August Security Updates

Mark Dormer — Wed, 10 Aug 2005 16:22:00 GMT

Today's Security Updates and bit of a glitch.

Not long after we released this morning, we found out that many of the digital signatures on some of the IE updates for MS05-038 were corrupted and were preventing install. This only impacts those downloading from the Download Center, not Windows Update, Microsoft Update, SUS, or WSUS. At least now we know what the problem is and it should be fixed soon.

So here is what we cranked out today. You can find all the details on the bulletins here:

MS05-038 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of "Critical."

MS05-039 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of "Critical."

MS05-040 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of "Important."

MS05-041 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of "Moderate."

MS05-042 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of "Moderate."

MS05-043 addresses a vulnerability in Microsoft Windows and has a maximum severity rating of "Critical."

Microsoft Shared Computer Toolkit

Mark Dormer — Thu, 30 Jun 2005 07:25:00 GMT

Microsoft have released a public beta of the shared access toolkit.

While it was designed for machines that have public access, it is a handy tool for home users.

Windows XP Home lacks the ability to edit the local policy, this tool lets you get at a heap of settings that you would only be able to change using registry edits.

Another good tool for doing security lockdowns on XP Home is XP Security Console by Doug Knox

New version of MS AntiSpyware

Mark Dormer — Mon, 27 Jun 2005 16:37:00 GMT

Windows AntiSpyware Beta 1 Build 1.0.613 is the second update since the software debuted in early January.

They did some bug fixes and extended the program's expiration date to 31 December.

If you already have the older version it will download and install the new one.

IF you haven't got it, then get it here http://www.microsoft.com/athome/security/spyware/software/default.mspx

10 Patches for June

Mark Dormer — Sat, 11 Jun 2005 16:23:00 GMT

On 14 June 2005 the Microsoft Security Response Center is planning to release:

Security Updates

- 7 Microsoft Security Bulletins affecting Microsoft Windows. The greatest aggregate, maximum severity rating for these security updates is Critical. Some of these updates will require a restart. 5 of these updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA), 2 of these updates will be detectable using the Enterprise Scanning Tool (EST).

- 1 Microsoft Security Bulletin affecting Microsoft Windows and Microsoft Services for UNIX. The greatest aggregate, maximum severity rating for these security updates is Moderate. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA) and using the Enterprise Scanning Tool (EST).

- 1 Microsoft Security Bulletin affecting Microsoft Exchange. The greatest aggregate, maximum severity rating for this security update is Important. This update will not require a restart. This update will be detectable using the Microsoft Baseline Security Analyzer

(MBSA) and using the Enterprise Scanning Tool (EST).

- 1 Microsoft Security Bulletin affecting Microsoft Internet Security and Acceleration (ISA) Server and Small Business Server.

The greatest aggregate, maximum severity rating for these security updates is Moderate. These updates may require a restart. This update will be detectable using the Enterprise Scanning Tool (EST).

Microsoft Windows Malicious Software Removal Tool

- Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.

Note that this tool will NOT be distributed using Software Update Services (SUS).

Microsoft adds Sender ID to Exchange 2003 SP2

Mark Dormer — Thu, 09 Jun 2005 13:07:00 GMT

Features in Exchange SP2