Sunbelt is continuing to warn on three brand new variants from the AntiVirus 2009 family. These products try to simulate legitimate security products and will infect vulnerable systems.   

Antivirus 2010 and other fake security products continue
http://sunbeltblog.blogspot.com/2008/10/new-rogue-antivirus-2010.html
http://sunbeltblog.blogspot.com/2008/10/new-rogue-rapid-antivirus.html
http://sunbeltblog.blogspot.com/2008/10/new-rogue-xp-antispyware-2009.html

QUOTE: Antivirus 2010 is a new rogue security product. This rogue is a clone evolved from IEdefender that begat XP Antivirus, that begat Antivirus 2008, that then begat Antispyware 2009

Trend Micro is continuing to see more variants of Antivirus 2009 in the wild using these tactics to frighten users (i.e., new term of "scareware" was been introduced).  Unfortunately, inexperienced users may feel it's their true AV system that's creating these messages.  They may become infected by following "the yellow brick road" of prompts that eventually load these malicious agents. 

Keeping AV protection updated is important.  However, the malware agent is constantly changing with new variant to avoid AV detection (e.g., Packing algorithms, MD5 hash total changes, HTML changes, etc).

Please be careful with all email and websites.

AntiVirus 2009 - BSODs and Fake Reboot continue in new variants
http://blog.trendmicro.com/rogue-av-tactics-continue-to-threaten/

QUOTE: October has just begun and Trend Micro threat researchers keep seeing more and more — slightly different, but yet increasingly more annoying — variations to the set of rogue AV infection signals we have been documenting on this blog.

This variant is an ongoing iteration of the Antivirus 2009 campaign and is detected as TROJ_FAKEAV.SV.  It is nice to see Microsoft and the State of Washington going after scareware purveyors. We completely support efforts to bring these criminals to justice.

Some Past references
http://blog.trendmicro.com/rogue-av-theatrics-on-extended-run/
http://blog.trendmicro.com/a-million-search-strings-to-get-infected/

Use of Task Manager to close pop-up messages more safely
http://msmvps.com/blogs/harrywaldron/archive/2008/08/22/malware-close-encounters-close-pop-ups-using-task-manager-to-safely-exit.aspx

PC Magazine's security blog notes that new documenation has been released for Microsoft's security update facilities. 

Staying up-to-date on Microsoft and ALL other software is essential in staying secure

All About Windows Update
http://blogs.pcmag.com/securitywatch/2008/10/all_about_windows_update.php

PC Magazine's Security Blog
http://blogs.pcmag.com/securitywatch/

QUOTE:  Microsoft has released a paper entitled "Windows Update Explained". It talks about what Windows Update is and how it works. There are no big surprises here for those already fairly familiar with the various Microsoft updating technologies, but it's good to have one simply-written description of what their various updating technologies are and what the important points are of how they work.

For instance, it talks about what the important default settings are, there's a brief description of WSUS (Windows Software Update Services) is and why you might want it, what the difference is between Windows Update and Microsoft Update, and some things you might expect to see in Windows Update over time, such as updates to the updating software itself.

  This new version of standards is important for all companies who support credit card processing in their e-commerce applications.

Summary of changes:
https://www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_v1-2.pdf

FULL PDF VERSION   
https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
 
FULL WORD VERSION  
https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.doc

As a safe practice, folks should always avoid responding to spammers. This includes even opting out of spam as any request to do so would be ignored.  In fact by doing so, they would know they have a valid and active email address to use and send to even more spammers.

Trend Micro is warning about a new spamming technique, where automatic delivery receipts may be used to validate whether email messages are valid.  Unless, automatic delivery receipts are needed, they should be turned off to avoid providing spammers with valid address information.

SPAM EMAIL - Avoid setting delivery receipt requests to automatic
http://blog.trendmicro.com/spam-using-e-mail-delivery-notifications-to-verify-valid-addresses/

QUOTE: Advanced Threats Researcher Paul Ferguson recently reported of spammers using a feature called ‘delivery receipt request’ to verify if a certain email address exists. Delivery receipts are messages sent to the original sender of an email message to verify that the sent message has been delivered to the intended recipient.

While message delivery receipt acknowledgment is indeed available in popular desktop mail clients (such as Microsoft Outlook), and can be selectively ignored, most Web email platforms automatically send a delivery receipt when requested to do so if the targeted account exists. It may be beneficial to set this off and information on MS Outlook can be found below:

Microsoft Outlook Controls (for setting this on/off)
http://support.microsoft.com/kb/192929

The Internet Storm Center is a favorite site that I check frequently for new attacks, breaking news, and best practices. While most participants on the Internet are good people, there are some who will attack or commit fraud against others.

Anyone who ignores security risks has a good chance of suffering consequences later. Infections are becoming so stealth-like that users can go weeks without suspecting anything. The bait being used is realistic HTML from the true websites, and it's copied to make fake email or websites seem genuine and trustworthy.

Actually EVERY DAY is security awareness day, and I'm glad a month was selected to highlight this need. The changing landscape of security requires daily vigilance, not just in October.

Security is more than settings, tools, or avoidance. It is a process that includes comprehensive technical shields plus good behavior by the users.

I'm looking forward to reading these 31 best practices and like last year and hopeful for a summary of links on the last date.

October is Cyber Security Awareness Month
http://isc.sans.org/

QUOTE:

Day 1 - Preparation: Policies, Management Support, and User Awareness

October is Cyber Security Awareness Month and as we announced earlier we are going to use this month to solicit tips for proper incident handling. The SANS Institute teaches a six-step process:

ISC COMPUTER SECURITY INCIDENT HANDLING

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

October 2007 - COLLECTION OF 31 BEST PRACTICES FROM LAST YEAR
http://www.myitforum.com/forums/ISC_-_Collection_of_31_Best_Practices_for_Cyber-Security_Awareness/m_167627/tm.htm

Sunbelt is warning that a new variant of the Fake Antivirus 2008 family has emerged. Please be careful of any pop-up message you might receive and keep AV protection updated.

eAntiVirusPro - New Fake AntiVirus pop-up variant emerges
http://sunbeltblog.blogspot.com/2008/09/rogue-mania.html

QUOTE: eAntivirusPro is a new clone of Antivirus XP 2008 rogue security product.

Microsoft has announced the the next version of its development platform as Visual Studio 2010 and .NET Framework 4.0.  Some preliminary features are noted in the links below:

Microsoft Announces Visual Studio 2010 and .NET Framework 4.0
http://www.eweek.com/c/a/Application-Development/Microsoft-Announces-Visual-Studio-2010-and-NET-Framework-40/
http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=210604432

QUOTE: Microsoft announces Visual Studio 2010 and .NET Framework 4.0, and says the overall development strategy revolves around five pillars. The first pillar involves the Visual Studio Team System (VSTS) 2010, formerly codenamed “Rosario.”  In the announcement on Sept. 29, Microsoft also described the next release through the following five focus areas:

1. Riding the next-generation platform wave
2. Inspiring developer delight
3. Powering breakthrough departmental applications
4. Enabling emerging trends such as cloud computing
5. Democratizing ALM (application life-cycle management)

This article promotes the need for users to block all pop-out messages by using the latest version of browser software. However, even then sometimes pop-up dialogs can be successfully launched.  When this occurs, it is a best practice to always read these carefully and safely exit out.  One good approach for safely exit pop-ups is noted below.  Finally, most users are not "idiots" as noted in the referenced link, but at times they may be unaware of the risks or careless in their behaviors.  

NC State tests students on how they react to pop-up messages
http://arstechnica.com/news.ars/post/20080923-study-confirms-users-are-idiots.html

Examples of pop-up messages
http://arstechnica.com/news.media/FakeDialog.png
http://media.arstechnica.com/news.media/malware_warning.png

QUOTE: The authors, who work in the Psychology Department of North Carolina State University, crafted a set of four fake dialog boxes. All of them contained the following warning: "The instruction at '0x77f41d24 referenced memory at '0x595c2a4c.' The memory could not be 'read.' Click OK to terminate program." One of the warnings was indistinguishable from the standard Windows XP system dialog, but the remaining three were had a number of warning signs that should tip off users to potential malware.

In all cases, mousing over the "OK" button would cause the cursor to turn into a hand button, behavior more typical of a browser control; all dialogs also had minimize and maximize buttons, while a second added a browser status bar to the bottom of the window. Finally, the most blatant one alternated between black text and a white background and a white-on-black theme. All of these should metaphorically scream, "This is not safe!"

Use of Task Manager to close pop-up messages more safely
http://msmvps.com/blogs/harrywaldron/archive/2008/08/22/malware-close-encounters-close-pop-ups-using-task-manager-to-safely-exit.aspx

Computer security has become more important than ever at both home or work.  Security products, promptly applying security patches, and the user's actions are all vital.  Years ago, many malware writers acted more as pranksters writing software to delete files or make the PC inoperable.  The goal today is to trick users with highly realistic email or websites and then to hide on the PC in order to gain highly sensitive or confidential information over time.   

Many attacks user social and technical engineering approaches that can deceive even highly experienced users.  For example, malware authors use embed actual HTML from the real websites or simulate Windows dialog boxes (as noted in the article below). Security is so vital today, that it cannot be ignored.

For example, companies MUST have an active awareness program. It's true that some users will march to the beat of a different drum and ignore advice.  Still, security awareness cannot be totally ignored.  A good program would include:

1. User responsibilities, as most companies have "business use" and "information protection" policies.  Users need to know what they can and cannot do at work.

2. Some general training on avoiding malware attacks is helpful in case innovative malware slips past the technical defenses. For example, the Help Desk should be contacted if there are questionable items. 

3. Users must know their vital role in safeguarding customer and corporate information.  Their laptops, passwords, and other resources could be compromised if safe practices are not followed.

4. Occasional brief all-employee bulletins and an Intranet website can help communicate and promote user responsibilities in the process    

Security evangelism is achieved one step at a time and companies won't see immediate results.  However, these small differences will add up over time.  A train the trainer model may emerge, as technically savy users gain knowledgeable and act as leads in their departments or offices.    

The tone and communications make all the difference in the world. While security sometimes requires a "thou shalt not" approach, it shouldn't be the primary theme.  A more positive tone of "how to be safe at work and home" may help users become more receptive to learning the principles of protection. 

Home and corporate users cannot be expected to become security experts.  Conversely if someone totally ignores the many dangerous security exposures, they will most likely experience technical issues with their PC or they could even become a victum of fraud. Instead, users should be taught the basic principles of risk avoidance and where to go to for help.

Office 2003 SP3 has been reliable on all home and work PCs, as it installed as soon as it became available one year ago. Anyone on SP2 or earlier releases should update their systems to the latest version for improved security and to remain on active support.

Office 2003 - Move to Service Pack 3 as SP2 Support has ended
http://blogs.technet.com/office_sust...ack-2-sp2.aspx
http://blogs.pcmag.com/securitywatch...oaching_en.php

Office 2003 - SP3 Home and Download Site (118MB)
http://www.microsoft.com/downloads/d...displaylang=en

QUOTE: Microsoft® Office 2003 Service Pack 3 (SP3) represents a major evolution in security for Office 2003. It further hardens the Office suite against potential attacks and other security threats. This service pack also includes fixes that have been previously released as separate updates for Office 2003.

Trend Micro has documented a new bank phishing attack that appears to be a realistic message.  This new attack may appear as a Wachovia (latest version) or Bank of America "connection or security update".  It warns the user that they will loose their online banking privileges if this agent is not installed. 

If users follow these directions, a rootkit will be installed.  This is one of the worst forms of malware circulating, as it alters Windows settings so that it becomes completely hidden except by the best rootkit detection tools. 

Please always avoid taking any direct actions from ANY email message that you may receive.  Always confirm by phone or other more trustworthy sources to ensure any messages that might happen match your circumstances are truly legitimate.  These attacks are so well done, that they can deceive experienced users.  

Fake Wachovia Security Update installs Rootkit
http://blog.trendmicro.com/wachovia-security-certificate-installs-rootkit/

QUOTE: At 4:18 PM PST yesterday, Advanced Threats Researcher Ivan Macalintal discovered a spy-phishing scheme targeting the Fortune 500 company and 4th largest banking chain in the US, Wachovia Bank (NYSE: WB). This attack ends in the execution of a rootkit, TROJ_ROOTKIT.FX, which is a file that hides files and processes, allowing malicious attacks to run entirely beneath the radar.

Malicious rootkits are especially sneaky because they can hide processes and files from even tech-savvy users. This means entire attacks can transpire without the victim even guessing that there is something wrong with the PC. Malicious rootkits are often associated with information theft, and given that this spam appears to target Wachovia subscribers means that malware writers are counting on the chances that the victim’s PC contains critical financial information they can then siphon for their own use.

AVOID EMAIL MESSAGES WITH THESE SUBJECT LINES:
Wachovia Connection Update Alert.
Wachovia Connection Customer Support - Security Updates.
Wachovia Connection upgrade warning.
Wachovia Connection Emergency Alert System.

Sample email message currently circulating
http://www.trendmicro.com/vinfo/images/blog/wachovia_2.gif

Example of Fake Wachovia site can be found here
http://blog.trendmicro.com/phishers-hit-multiple-banks-with-one-stone/

Good article noting that laptops are highly subject to theft or get misplaced by users like car keys do for some of us older professionals

Users need awareness and training on how to properly safeguard laptops while traveling. More importantly, companies need to look at fully encrypting laptops to ensure any sensitive information is protected.

Why Your Laptop Is Definitely Lost
http://www.avertlabs.com/research/blog/index.php/2008/09/19/why-your-laptop-is-definitively-lost/

QUOTE: Laptop and notebook theft is a major problem; it rates at between 3 percent to 7 percent of reported thefts, according to experts. In 2006, a company making computer-tracking products estimated 750,000 pieces of equipment a year were being stolen.

 For public email accounts like Hotmail, Yahoo, or Gmail, below are some safety tips:

1. Always be careful of what you say when it comes to email. Think of it as a permanent record even if you delete it.  Finally "it's always good to be careful in what you say, and twice so in what you write".

2. Never store any sensitive email in a public facility where security could be compromised.  As a better practice, any sensitive message should be copied to your hard drive and deleted from potential public access.

3. Security questions are your MOST IMPORTANT safeguard in any web based facility where a password can be mailed back.  If the 3 questions are easy to guess, any unauthorized person could gain entry (e.g., family member, friend, or criminal). When it comes to security questions, it's good to be "less forthcoming" by misspelling or using incorrect answers.  As a best practice, ensure that only you know the answers to the password-reset questions.

4. Complex and difficult-to-guess passwords are mandatory for any Internet site (letters, numbers, case, etc)

5. It is a good practice to change passwords on a regular basis

6. Don't use the same password for every website or email account

7. You may also want to write down the security questions/answers in case of future account lockout issues.  If you create a special file containing password or secret question information, keep it in a confidential and offline location.     

How Sarah Palin's Yahoo email was Hacked
http://www.eweek.com/c/a/Security/Sarah-Palin-Hack-an-Example-of-Password-Recovery-Backfire/
http://www.mtv.com/news/articles/1595343/20080922/story.jhtml
http://isc.sans.org/diary.html?storyid=5068
http://www.usnews.com/blogs/paper-trail/2008/09/22/tennessee-student-is-focus-of-palin-e-mail-hack-investigation.html
http://news.slashdot.org/article.pl?sid=08/09/21/160222
http://itmanagement.earthweb.com/secu/article.php/3772981/The+Security+Lesson+in+the+Sarah+Palin+Email+Hack.htm
http://garwarner.blogspot.com/2008/09/governor-palins-email-security.html

QUOTE: The ease with which Republican vice presidential candidate Sarah Palin's e-mail was hacked is striking and underscores the importance of improving privacy questions for password recovery. A person claiming responsibility for the hack posted details of what he did Wednesday on a 4chan.org message board. The handle of the poster has been linked to the 20-year-old son of Tennessee Democrat Mike Kernell.

Yahoo required the user provide Palin’s birthday and zip code, which the hacker said he found through Wikipedia and Google. The final security measure required him to answer a question regarding where Palin met her spouse; another Google search turned up the answer.

This free PCI/DSS training course was downloaded and installed.  So far in a brief review, it offers great advice for developers in creating more compliant and secure e-commerce applications.     

Free Computer Based Traing class - PCI DSS for Developers (38MB download)
https://www.foundstone.com/us/resources/downloads/pci_compliance_developers.zip

QUOTE: Foundstone Professional Services, a Division of McAfee, has recently released a free 2-hour computer based training entitled "PCI DSS v1.1 Compliance for Developers."  This hype-free CBT focuses on the PCI DSS requirements and sub-requirements that are most relevant to software developers and offers developer-to-developer technical advice to help achieve compliance.  Software security best practices are also stressed throughout the presentation.  This is not an advertisement for McAfee products or Foundstone services, just solid information that will help your development teams create more secure software.

During our tough economic times, fraudulent scams are at all-time high now. While this highly informative article discusses primary mail and phone scams, these soliciations are also being spammed by email as well.  It is important to validate any potential contract and to use only major trustworthy firms for any type of financing or sale.  

MILLIONS AT RISK OF FORECLOSURE FRAUD
http://redtape.msnbc.com/2008/09/post.html

QUOTE: There are many variations on the scams, but they all boil down to two types. There’s a simple fee-based racket, in which the criminal offers to help the homeowner stave off foreclosure, collects an up-front fee and then disappears. But the more lucrative scam involves seducing homeowners into complicated transactions that allow con artists to steal equity in the house or walk away from the closing table after netting thousands in phony payouts.

Consumers facing foreclosure can get help, but they should be very careful where they look. Experts recommend ignoring unexpected solicitations, whether through the mail, by phone or in person. Instead, enlist the help of a HUD-certified counselor. A state-by-state list is available at HUD’s Web site

A new exploit for the latest version of Apple's Quicktime and iTunes products has been publicly published. So far, this exploit is minor in scope, as it can only alter cookie files and cause the new product version to crash. Users should follow further developments and ensure the music and media files they are using are safe.  AV protection is also emerging for this new exploit.

New QuickTime 7.5.5 and iTunes 8 Exploits
http://www.avertlabs.com/research/blog/index.php/2008/09/18/the-true-of-recent-0day-for-quicktime755itunes80/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114999

QUOTE: A 0day exploit for the latest Quicktime7.5.5/Itunes8.0 was released yesterday. The exploit author announced this as a Remote Heap Overflow so we decided to take a look and analyze it. After our research, we found that this is actually an off-by-one stack overflow. Some noteworthy points are:

1. QuickTime has the /GS switch option enabled, hence a cookie is put into the stack.

2. Since this is an off-by-one stack overflow, the attacker can just overwrite one byte of the cookie. The Check_stack_cookie function is called when the function returns, If the Check_stack_cookie found out that the cookie is not matched, then the program exits. This results in the crash of QuickTime/Itunes application.

Hence, it is unlikely that code execution via this attack vector would be feasible. Users of these apps however should take them seriously and look at appropriate defenses.

Another variant of the shipping invoice attacks has emerged and should be avoided. AV protection is improving and folks expecting actual shipments should always use the phone instead email for contacting their shipping company, if there are any issues.

More Fake UPS Invoice Attacks
http://isc.sans.org/diary.html?storyid=5051

We received two reports of fake UPS invoice tracking Trojan zip files. This is similar to other invoice Trojans we have seen. This appears to be a two way conversation it was really just the spammer who created the whole thing.


EXAMPLE OF EMAIL TO AVOID

To: victims @ email.address
Subject: Re: missing package
From: John Henry <johnhenry.support @ ups.com>
Reply-To: johnhenry.support @ ups.com


Mr./Mrs. Victims First and Last name

I am sorry for this late reply, but we have good news.

We managed to track your package, and we have attached the
invoice you asked for to this reply.

The invoice contains the correct tracking# , since the one
you gave us was invalid.

You can use it on the ups website to track your shipment.

Thank you
John Henry
UPS Customer Care Department

ATTACHMENT:  invoice.zip <--- Do not open this file

One might assume a prestigous site like Business Week would always be completely safe.  However, a weakness in their website security was discovered by malicious individuals which allowed SQL Injection. These SQL Injection attacks would secretly route user requests or information back to fake sites hosted in Russia. However, these fake websites are currently offline.   

SQL-Injection attacks are usually more of a weakness in programming rather than a security flaw in the supporting website software. While I'm certain Business Week will take measures to correct this issue, this example illustrates the need for all of us to be cautious when surfing the Internet.  McAfee, Sophos, and other vendors have also added AV protection.

Business Week website attacked by new SQL Injection attack
http://www.net-security.org/malware_news.php?id=990
http://vil.nai.com/vil/content/v_150261.htm
http://www.theregister.co.uk/2008/09/16/businessweek_hacked/

QUOTE: Folks from Sophos have discovered that the website of BusinessWeek, the world famous weekly magazine, has been attacked by hackers in an attempt to infect its readership with malware.

Hundreds of webpages in a section of BusinessWeek’s website which offers information about where MBA students might find future employers have been affected.  According to Sophos, hackers used an SQL injection attack - where a vulnerability is exploited in order to insert malicious code into the site's underlying database - to pepper pages with code that tries to download malware from a Russian web server.

At the time of writing, the code injected into BusinessWeek’s website points to a Russian website that is currently down and not delivering further malicious code.  However, it could be revived at any time, infecting hundreds of MBA students looking for high-earning jobs.  Sophos informed BusinessWeek of the infection last week, although at the time of writing the hackers' scripts are still present and active on their site.

A home based wireless LAN (WLAN) can provide convenient and easy access to the Internet for all family members.  However, if it is not locked down properly, it provides access to anyone who is in reception range.  Most "visitors" would access a non-secured WLAN for free Internet connectivity.  However, there are dangers where private information on the WLAN hard drive could be discovered or these visitors may access to highly inappropriate sites.   

Likewise, a business must protect the privacy of their customer information. If a WLAN is setup, there is a need to use the latest equipment, safest security protocols, and take time to learn the key elements of wireless security.  As the article from AVERT labs reflect, it's too dangerous to leave unsecured.     

Wireless Security - Too Dangerous to ignore
http://www.avertlabs.com/research/blog/index.php/2008/09/15/the-perils-of-leaving-wi-fi-networks-unsecured/

QUOTE: People don’t seem to seriously care about Wi-Fi security yet. Inspite of oft-repeated warnings, ignorant folks with unlimited bandwidth plans believe that they are doing a social service by allowing neighbors to leach their Wi-Fi freely. What they fail to understand is that by doing so, they can become an unwitting accessory to cyber crime.

Instead of scouring for anonymous proxies to stay faceless on the internet, cyber criminals are increasingly targeting unsecured Wi-FI networks to get the job done. A combination of war driving tools such as NetStumbler along with a listing of default router usernames and passwords is all it takes to freely connect to unsecured Wi-FI networks. Especially since most Wi-Fi routers use default security settings that come pre-installed by the vendor rather than it having being configured by the end user.

Additional links and resources are noted below:

Example of failure that may cost $1 billion in Financial damages
http://blogs.zdnet.com/Ou/?p=485

How to Secure a Wireless LAN
http://www.dailywireless.com/features/secure-wireless-lan-021507/

Windows XP - Use WPA2 protocol (never use WEP)
http://en.wikipedia.org/wiki/WPA2

Wireless Security - 10 tips to secure your laptop
http://www.informationweek.com/news/showArticle.jhtml?articleID=203102748

George Ou - More on Wireless LAN security
http://blogs.techrepublic.com.com/Ou/?p=404

Simple Advice for Wireless Home Networking
http://blogs.techrepublic.com.com/Ou/?p=42
http://blogs.techrepublic.com.com/Ou/?p=43