October 2007 - Posts

 

Warezov Domains on All Hallows Eve
Posted by Sean @ 15:39 GMT


Storm seems to have seized the Warezov gang's mojo. They just don't make as much noise as they once did…
But recently they've been noticeable enough to prompt Toni into doing some research on their registered domains. And the results are kind of frightening.
Warezov Domains
Using his "patented" data mining techniques, Toni turned up 2039 domains connected to the Warezov gang as of 12:00 today.
Of those, 810 domains resolved as a fast flux. 1229 do not currently resolve. They're dead. (Or are they undead?)
These domains are used for both malware downloads and for pushing spam.
The next step is to get them taken down. No small task that.
Download the Lists:
Domains — 2039
Fast Fluxes — 810
Undead — 1229
On a Halloween related note, check out this silly website created by our Swedish office — UnitedViruses.org
And our PR folks have put together a few "costumes" of their own as well.

Source: Warezov Domains on All Hallows Eve - F-Secure Weblog : News from the Lab

 

Malicious Code:   New Storm Tactic: Halloween Deception

Websense® Security Labs™ has confirmed that the Storm worm has once again switched lure tactics. The worm has now adopted a Halloween twist in its attempts to infect users with malicious code. The first copies of the new emails began going out just before 9:00am PST on Tuesday, October 30th. As with previous Storm emails, various subjects and bodies will be used. Here is one example email:

Example Subject: Nothing is funnier this Halloween

Example Body:
Come watch the little skeleton dance.
http://<URL Removed>/

Website screenshot:

For more details on the on-going Storm attacks, please see our previous posts:

http://www.websense.com/securitylabs/blog/blog.php?BlogID=141
http://www.websense.com/securitylabs/blog/blog.php?BlogID=147

Source: Websense® - Security Labs Alert: New Storm Tactic: Halloween Deception

 

Trick or Treat with Stormy Helloween
Posted by Jose @ 19:31 GMT


New tactics from the Storm gang can be seen as they celebrate with Halloween. Below is the look of the latest Storm site:

Halloween Storm

With an unpatched system, visiting the site will trigger an exploit to automatically download and execute a malicious file. The new filename is halloween.exe. We already detect this as Email-Worm.Win32.Zhelatin.LJ
This may be a Trick, and a bad Treat from the Storm gang so remember to keep your databases updated.

Source: Trick or Treat with Stormy Helloween - F-Secure Weblog : News from the Lab

 

Symantec Altiris Deployment Solution Directory Traversal and Privilege Escalation

Secunia Advisory:
SA27412

Release Date:
2007-10-31

Critical:
Less critical

Impact:
Exposure of sensitive information
Privilege escalation

Where:
Local system

Solution Status:
Vendor Patch

Software:
Altiris Deployment Solution 6.x


Description:
Two vulnerabilities have been reported in Symantec Altiris Deployment Solution, which can be exploited by malicious, local users to disclose potentially sensitive information and gain escalated privileges.

1) The Aclient process runs with SYSTEM privileges and allows opening and execution of arbitrary files with SYSTEM privileges via the browser option.

2) An input validation error can be exploited to e.g. read privileged system files via directory traversal attacks.

The vulnerabilities are reported in versions 6.x SP2 (#1) and 6.8 SP2 (#2).

Solution:
Update to version 6.8.380.0 (see vendor's advisories for more information).

Provided and/or discovered by:
The vendor credits:
1) Mazin Faour, Information Risk Management
2) Manuel Santamarina Suarez

Original Advisory:
http://securityresponse.symantec.com/avcenter/security/Content/2007.10.31a.html
http://securityresponse.symantec.com/avcenter/security/Content/2007.10.31.html

Source: Symantec Altiris Deployment Solution Directory Traversal and Privilege Escalation - Advisories - Secunia

 

Unrest in Ukraine
Posted by Mikko @ 05:57 GMT


The website of the Ukrainian President Viktor Yushchenko has been under a DDoS attack for a while. Russian groups are currently being blamed for the attack.
Viktor Yushchenko
The case has some similarities to the large DDoS attacks in Estonia during the spring.

Source: Unrest in Ukraine - F-Secure Weblog : News from the Lab

 

October 29, 2007

Malicious Website / Malicious Code:   Halloween Deception: Information Stealing Trojan

Websense® Security Labs™ has discovered a new Trojan Horse information stealer that is being emailed out as a Halloween Greeting Card in Mexico.

To date we have seen four unique sites being spammed out all with the same binary file. They were in Korea, Brazil, and Russia, and were all up and running at the time of this alert. The file is called "hallowenDay.exe" and has an MD5 of (65cd5a35bc70075f86cb6404f54d67b8). It is also poorly detected by anti-virus signatures.

Assuming users access the site and choose to run the file, a Trojan Horse designed to steal banking information is downloaded onto their machine. The file also appears to be packed with a unique custom packer.
We expect to see additional email lures and malicious websites on our radar with Halloween night quickly approaching. The email is written in HTML and has a variety of subject lines.

Email screenshot:

Source: Websense® - Security Labs Alert: Halloween Deception: Information Stealing Trojan

 

Symantec Mail Security for Domino File Parsing Vulnerabilities

Secunia Advisory:
SA27388

Release Date:
2007-10-26

Last Update:
2007-10-29

Critical:
Highly critical

Impact:
DoS
System access

Where:
From remote

Solution Status:
Unpatched

Software:
Symantec Mail Security for Domino 7.x

 

Description:
Multiple vulnerabilities have been discovered in Symantec Mail Security for Domino, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

The vulnerabilities are caused due to various errors within certain third-party file viewers and can be exploited to cause buffer overflows when a specially crafted file is checked.

The vulnerabilities are related to:
SA27304

Successful exploitation allows execution of arbitrary code, but requires that e.g. a policy is set up for scanning the contents of messages.

The vulnerabilities are confirmed in version 7.5.0.19. Other versions may also be affected.

Solution:
Secunia is currently not aware of available patches.

Disable scanning of message content if enabled.

Provided and/or discovered by:
Originally reported in IBM Lotus Notes advisories crediting:
* ZDI
* Tan Chew-Keong

Changelog:
2007-10-29: According to Symantec, only version 7.5 includes the vulnerable files. Removed versions 4.x and 5.x as potentially affected.

Other References:
SA27304:
http://secunia.com/advisories/27304/

Source: Symantec Mail Security for Domino File Parsing Vulnerabilities - Advisories - Secunia

 

October 29, 2007

 Malicious Code:   World Bank Deception: Trojan Horse

Websense® Security Labs™ has discovered a new Trojan horse using real data from the World Bank. As in past targeted attacks, the samples that we have captured appear to be using names and email addresses taken from the contact pages of the legitimate site. In this case, the email body includes the name of a real World Bank employee.

The message reads:

Subject: WorldBank report
Dear Colleagues,
This three-year Country Partnership Strategy (CPS) builds on Bulgaria's considerable achievements over the last eight years ..
*snipped for brevity*
.. and the surveillance roles played by the International Monetary Fund (IMF) and the EU's Stability and Growth Pact upon Bulgaria's EU accession.
At the following link you'll find our report:
http://<URL REMOVED>/
Thank you!
Best Regards,
Ivelina Taushanova
Associate Professor of Management Science
<USERNAME REMOVED>@worldbank.org
http://WorldBank.org

The link leads to the malicious executable WorldBank_doc_36146.txt.exe, which is displayed with the standard notepad.exe icon. Unless the user has configured Windows to explicitly show the file extension (which most people do not, since it requires changing the default configuration), there is no way to visually tell that this file is actually an executable. When run, the initial executable drops a plain text document with information from a real World Bank document, displayed in IE. Also dropped is a packed Trojan horse (bifrose) whose file name makes it appear to be an MSN Messenger plugin.

When this article was created, no anti-virus vendors detected the initial executable as malicious.

The initial executable downloaded by the victim does not actually make any outbound connection from the victim's desktop to obtain the two dropped files. Because both dropped files are derived from the initial executable, no suspicious network traffic is generated. The dropped Trojan horse (msnmsgr_plugin.exe) maintains a persistent connection to a host name on the dyndns.org domain.

Screenshot of infected desktop:

Source: Websense® - Security Labs Alert: World Bank Deception: Trojan Horse
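The lure works because Explorer's default "Hide extensions for known file types" setting turns WorldBank_doc_36146.txt.exe into WorldBank_doc_36146.txt sitting next to a Notepad icon. The script below is an added example, not Websense's code: it reproduces that display rule and flags attachment names where an executable extension hides behind a document-like one, the check a mail gateway or an IR script would run over attachment names. The extension lists and the sample names (apart from the two taken from the alerts on this page) are assumptions.

```python
"""Flag attachment names whose executable extension hides behind a document one.

Added example; extension lists and sample names are assumptions, not Websense data.
"""
import posixpath

# Extensions Windows will execute when double-clicked (illustrative subset).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Extensions users read as "just a document" (illustrative subset).
DOCUMENT_EXTS = {".txt", ".doc", ".pdf", ".xls", ".rtf", ".jpg", ".gif", ".htm", ".html"}


def split_extensions(name):
    """Return every trailing extension, lower-cased, innermost first.

    'report.txt.exe' -> ['.txt', '.exe']
    """
    exts = []
    base = name
    while True:
        base, ext = posixpath.splitext(base)
        if not ext:
            return list(reversed(exts))
        exts.append(ext.lower())


def displayed_name(name, hide_known_ext=True):
    """Approximate what Explorer shows with the default
    'Hide extensions for known file types' setting: only the last extension
    is hidden, and only when Windows knows the type."""
    if not hide_known_ext:
        return name
    base, ext = posixpath.splitext(name)
    if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return base
    return name


def is_disguised_executable(name):
    """True when the real (last) extension is executable but an inner
    extension would make the displayed name look like a document."""
    exts = split_extensions(name)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return False
    return any(ext in DOCUMENT_EXTS for ext in exts[:-1])


def triage(names):
    """Return (name, what the user would see) for every disguised attachment."""
    return [(n, displayed_name(n)) for n in names if is_disguised_executable(n)]


# Constructed attachment names; the first matches the lure described above.
SAMPLE_NAMES = [
    "WorldBank_doc_36146.txt.exe",
    "report.pdf",
    "halloween.exe",
    "Q3_figures.xls",
    "invoice.PDF.scr",
    "archive.tar.gz",
]

if __name__ == "__main__":
    for name, shown in triage(SAMPLE_NAMES):
        print(f"{name!r} is shown as {shown!r}")
```

Note that halloween.exe from the Storm post is not flagged: it is plainly executable and nothing about the name pretends otherwise. The check targets the second extension specifically, which is what makes the World Bank lure work.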

 

Symantec Mail Security for Exchange File Parsing Vulnerabilities

Secunia Advisory:
SA27429

Release Date:
2007-10-29

Critical:
Highly critical

Impact:
DoS
System access

Where:
From remote

Solution Status:
Unpatched

Software:
Symantec Mail Security for Exchange 4.x
Symantec Mail Security for Microsoft Exchange 5.x
Symantec Mail Security for Microsoft Exchange 6.x

Description:
Multiple vulnerabilities have been discovered in Symantec Mail Security for Exchange, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.
The vulnerabilities are caused due to various errors within certain third-party file viewers and can be exploited to cause buffer overflows when a specially crafted file is checked.
The vulnerabilities are related to:
SA27304
Successful exploitation allows execution of arbitrary code, but requires that e.g. a policy is set up for scanning the contents of messages.
The vulnerabilities are confirmed in version 5.0.7.373. Other versions may also be affected.
Solution:
Secunia is currently not aware of available patches.
Disable scanning of message content if enabled.
Provided and/or discovered by:
Originally reported in IBM Lotus Notes advisories crediting:
* ZDI
* Tan Chew-Keong
Other References:
SA27304:
http://secunia.com/advisories/27304/

Source: Symantec Mail Security for Exchange File Parsing Vulnerabilities - Advisories - Secunia

 

Symantec Mail Security for SMTP File Parsing Vulnerabilities

Secunia Advisory:
SA27367

Release Date:
2007-10-26

Critical:
Highly critical

Impact:
DoS
System access

Where:
From remote

Solution Status:
Vendor Patch

Software:
Symantec Mail Security for SMTP 4.x
Symantec Mail Security for SMTP 5.x

 

Description:
Multiple vulnerabilities have been discovered in Symantec Mail Security for SMTP, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

The vulnerabilities are caused due to various errors within certain third-party file viewers and can be exploited to cause buffer overflows when a specially crafted file is checked.

The vulnerabilities are related to:
SA27304

Successful exploitation allows execution of arbitrary code, but requires that e.g. a policy is set up for scanning the contents of messages.

The vulnerabilities are confirmed in Symantec Mail Security for SMTP version 5.0.1 without Patch 181 and 182. Prior versions and other products may also be affected.

Solution:
The vulnerabilities have been silently fixed with Patch 181 and 182 for version 5.0.1.
ftp://ftp.symantec.com/public/english...urity/5.0.1_smtp/updates/patch181.zip
ftp://ftp.symantec.com/public/english...urity/5.0.1_smtp/updates/patch182.zip

Provided and/or discovered by:
Originally reported in IBM Lotus Notes advisories crediting:
* ZDI
* Tan Chew-Keong

Other References:
SA27304:
http://secunia.com/advisories/27304/

Source: Symantec Mail Security for SMTP File Parsing Vulnerabilities - Advisories - Secunia

 

“Customer Support” is closed today, please leave us your money!

Tuesday October 30, 2007 at 7:09 am CST
Posted by Gaith Taha


I came across an interesting website today while doing some analysis on Generic VB.b!e3cf12. In summary, it tried to redirect users trying to visit escrow.com to another spoofed website that is being hosted on the Verio network. To have a full picture of what it does, please review the Virus Information Library page of that trojan.

What I found striking is the fact that the fake and the authentic websites looked almost identical and were hard to distinguish without paying attention to the fine details. Of course, having the same address in the address bar is the main point of deception, but the effort that was put into editing the contents wasn’t negligible either.


FAKE!

A screenshot of the fake website’s main page

The fraudsters behind the fake website made the effort to educate users on “How to Spot a Fraud Site”. Well, not really. They just edited the original page and posted less information :) If we do a quick comparison between the two versions, we find the important pieces which they’ve omitted:

  • Determining the date that a domain name was registered can often give clues that a site is fraudulent. Many fraudulent sites claim that they have been in operation for several years, but their domain names have only been registered for a few days or weeks. To determine the date a domain name was registered, you can use the “whois” tool found at most domain name registrars.
  • If a site uses person-to-person money transfers such as Western Union, it is probably fraudulent. See what Western Union says about fraudulent escrow services by clicking here.
  • If the escrow site requests payment to an individual (or “agent”) instead of a corporate entity, it is probably fraudulent.
  • If the site does not use SSL to protect user sign-in information, it is not a secure site and is most likely fraudulent. Most browsers display a padlock or similar symbol in their status bar to show you when your information is being protected by SSL. However, having a SSL certificate is no evidence that a site is legitimate.
  • www.escrow-fraud.com keeps an updated list of the escrow scam sites and legitimate sites. Visiting this site will help you better protect yourself when transacting on the Internet.

A funny comment they forgot to remove (or maybe not!)

  • You should call the customer support number (if any) on the site. If there is no phone number on the site, or if you can’t reach the company, it could indicate the site is fraudulent. Consider whether you want to entrust your transaction to a company you can’t reach on the phone.

It’s funny because they removed their non-existent support phone numbers from their website :) A couple more things I spotted while reviewing the fake website: it did not have any “forgot your password?” feature. The reason is quite understandable. Also, they only accepted credit card payments. No PayPal?!

That one is strange, especially knowing that the fake website was a mere interface with no backend :) and whatever credentials you supplied, you always ended up with an “Invalid Password or Email address!” message.

The worst thing about that service is that their customer support seemed always off duty!

lazy support

Source: Computer Security Research - McAfee Avert Labs Blog

 

2008 US election campaign spam

Monday October 29, 2007 at 6:12 am CST
Posted by Chris Barton


As a brit I’ve always predicted that with the upcoming US elections the online battle will be the most interesting part for me (aside from the comedy of course). So imagine my surprise when I’m greeted by this lot over the weekend:

Subject: Ron Paul Eliminates The IRS!

Subject: Iraq Scam Exposed, Ron Paul

Subject: IRS Fears Ron Paul?

Subject: Ron Paul Wins GOP Debate!

Subject: Ron Paul Exposes Federal Reserve

Etc.

They all linked to YouTube searches for “ron paul”, which return the usual electoral propaganda you’d expect 372 days before an election.

Later in the day it changed however. With the usual addition of bayes poison, randomness in the subject lines and a tinyurl and no doubt some additional sending resources since they just burned a load, this campaign moved up a gear.

Subject: Ron Paul Wins GOP Debate! ydB

Subject: Ron Paul Wins GOP Debate! XZHMuk

Subject: Iraq Scam Exposed, Ron Paul qCnUa

Subject: IRS Fears Ron Paul? edukDy

Subject: Who Is Ron Paul? lyI

Subject: Ron Paul Stops Iraq War! nALGU

This is trivial stuff as I’m sure you can appreciate, but that tinyurl did catch my attention:

tinyurl 345s6g -redirects-> 301 Moved Permanently -to-> http://www.youtube.com/watch?v=AeHWW5gbc0w

This video has been removed due to terms of use violation.
Now I have no idea what that video was (and frankly dear, I don’t give a damn!) but what struck me is that this would be a really efficient way to remove your competition’s videos from YouTube. I’m not picking on YouTube here, I believe almost any social site would do the same.

There are 2 people I feel for in this messy situation: postmaster@*.gov and abuse@youtube.com ;)
You’ll be seeing lots of this stuff in the coming months, the most worrying of which will be the false donation solicitations and finishing with incorrect dates for actual polling day!

I wonder how many candidates have EV certs? or “security logos” on their donation sites.

Source: Computer Security Research - McAfee Avert Labs Blog

 

Scared of Nuwar? Not so much.

Monday October 29, 2007 at 6:02 am CST
Posted by Allysa Myers


There’s been so much contradictory information about Nuwar this week, it’s enough to make a person’s head spin.

Let’s see. We started the week with “Storm Worm now just a squall” saying Nuwar/Storm is blowing itself out - it’s down to about 20,000 active bots. Then 2 days later, Nuwar is “the scariest and most substantial threat” with 6-15 million bots - and researchers are too scared to write about it. Today “We’re not scared of Storm” and we’re writing all about it.

Nuwar is a tricky one to count, no doubt about it. I’m not going to try to weigh in on that one, as I think there’s plenty of opinions out there already. The general consensus industry-wide seems to be that while this family has decreased in prevalence in the last few months, it’s unlikely ever to completely go away.

One thing I can be certain of is that researchers are not scared of this threat. Avert has posted plenty of blogs about Nuwar over the last year, and we’re far from alone in this.

From reading the second article, I assume that perhaps the wording came out a bit sensationalized. There’s a fine line that AV researchers tread, in terms of giving out information which malware authors could use to “improve” their product. I assume this is what Mr. Corman is referring to.

The authors of Nuwar seem to be keenly interested in making their creations more effective, and we have to assume any information that is made publicly available will be used by them. We try to avoid things they could use for improvement, like discussing specifics of how we evade their detection (like Mr. Ramzan alludes to in the 3rd article) or bugs we find in their code. We simply don’t want to make their jobs easier - they can hire their own Quality Assurance department, we’re not going to do it for them.

Source: Computer Security Research - McAfee Avert Labs Blog

More BS from Comcast

 

Comcast to employees: talking about blocking P2P can get you fired

By Eric Bangeman | Published: October 28, 2007 - 09:46PM CT

In the wake of the discovery that Comcast is blocking some peer-to-peer traffic (and even blocking some Lotus Notes e-mails), the company is attempting to keep the PR machine well-oiled by giving customer tech support reps some talking points. And if they deviate from the script and admit that Comcast has been using Sandvine to send forged TCP reset packets, they're likely to lose their jobs.

Ars has heard from multiple Comcast employees since the story broke, and they're all telling us the same thing. They're supposed to tell customers asking whether Comcast limits access to BitTorrent that the ISP doesn't block access to any application, including BitTorrent. Furthermore, tech support workers are supposed to toe the party line at all times, or they'll be fired. "Management informed anyone that discussed this issue with any customer or press associate that it would lead to termination," an internal tier 2 tech support worker told Ars on the condition of anonymity.

One of the e-mails we saw came from the Manager/IP Support of one of Comcast's regional call centers. "If a customer contacts us to inquire about this, please use the following talking points," reads the e-mail.

"Comcast does not block access to any applications, including BitTorrent," the e-mail continues. "We respect our customers' privacy and we don't monitor specific customer activities on the Internet or track individual online behavior, such as which web sites they visit. Therefore, we do not know whether any individual user is visiting BitTorrent or any other site."

The e-mail continues along that vein, covering the same ground that Comcast spokespeople have used in their dealings with the media. "We have a responsibility to provide all of our customers with a good experience online and we use the latest technologies to manage our network," reads the e-mail. "This is standard practice for ISPs and network operators all over the world."

Another Comcast employee confirmed to Ars that the ISP does use Sandvine to shape traffic. "I believe they implemented Sandvine to conserve bandwidth for many reasons," the employee told Ars on the condition of anonymity. "Number one, to improve the integrity of the network for Comcast Digital Voice call quality and for more HD channels. The second reason is to conserve bandwidth from data providers (Cogent, Level3, and AT&T) and basically to save money."

A number of studies have attempted to quantify the amount of P2P traffic flying across the networks of residential ISPs. A German traffic management firm thinks P2P traffic accounts for anywhere between 50 and 90 percent of all traffic on the Internet. Ellacoya, a player in the deep packet inspection arena, thinks the figure is closer to 37 percent. The numbers may vary, but the consensus is clear: P2P traffic is heavy.

Publicly, all Comcast has admitted to is "delaying" P2P traffic, meaning that the packets are held up for awhile if the ISP believes it is necessary. But Comcast users' experiences with Comcast's traffic shaping is sometimes at odds with what the company is telling them. The internal e-mails Ars has seen and our conversations with Comcast employees paint a picture of a company that is trying to hide the true extent of its activities. Or, as one employee told us, "They did it because they think they can get away with it."

Now that talking points are being distributed, the question around the support center is, "Why else would they go through with all this if they didn't have anything to hide?"

Source: Comcast to employees: talking about blocking P2P can get you fired
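The technical claim in the article is that Sandvine gear sends forged TCP reset packets that appear to come from the remote peer. A reset injected by a middlebox travels a different path than the peer's genuine segments, so its IP TTL on arrival rarely matches the TTL the rest of that direction of the flow shows. The script below is an added example, not from Ars or Comcast: it learns the typical TTL of each direction of a flow from the non-RST segments and flags resets that deviate from it. The packet records are constructed, and the tolerance of two hops is an assumption.

```python
"""Spot TCP resets whose IP TTL does not match the peer that supposedly sent them.

Added example; the packet records below are constructed, not a real capture.
"""
from collections import Counter, defaultdict, namedtuple

# Minimal view of a captured TCP segment: endpoints, flag letters, IP TTL.
Packet = namedtuple("Packet", "src sport dst dport flags ttl")


def direction(pkt):
    """Key for one direction of a flow: sender socket -> receiver socket."""
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)


def baseline_ttls(packets):
    """Most common TTL of the non-RST segments in each direction.

    A genuine peer's segments cross the same hops, so their TTL is stable.
    """
    seen = defaultdict(Counter)
    for p in packets:
        if "R" not in p.flags:
            seen[direction(p)][p.ttl] += 1
    return {key: counts.most_common(1)[0][0] for key, counts in seen.items()}


def suspicious_resets(packets, max_ttl_delta=2):
    """Return (packet, reason) for RSTs that do not fit their direction's baseline.

    max_ttl_delta absorbs small route changes; it is an assumed tolerance.
    """
    base = baseline_ttls(packets)
    flagged = []
    for p in packets:
        if "R" not in p.flags:
            continue
        expected = base.get(direction(p))
        if expected is None:
            # Could be a legitimate closed-port reset; low confidence.
            flagged.append((p, "rst-with-no-prior-traffic"))
        elif abs(p.ttl - expected) > max_ttl_delta:
            flagged.append((p, f"ttl {p.ttl} vs baseline {expected}"))
    return flagged


# Constructed flow: a client talking to a BitTorrent-style port. The peer's
# own segments arrive with TTL 52; one RST claiming to be from the peer
# shows up with TTL 61, i.e. far fewer hops away than the peer really is.
SAMPLE = [
    Packet("192.0.2.10", 51000, "198.51.100.20", 6881, "S", 64),
    Packet("198.51.100.20", 6881, "192.0.2.10", 51000, "SA", 52),
    Packet("192.0.2.10", 51000, "198.51.100.20", 6881, "A", 64),
    Packet("198.51.100.20", 6881, "192.0.2.10", 51000, "PA", 52),
    Packet("192.0.2.10", 51000, "198.51.100.20", 6881, "PA", 64),
    Packet("198.51.100.20", 6881, "192.0.2.10", 51000, "R", 61),   # injected?
    Packet("198.51.100.20", 6881, "192.0.2.10", 51000, "R", 52),   # fits baseline
]

if __name__ == "__main__":
    for pkt, why in suspicious_resets(SAMPLE):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} RST  {why}")
```

A TTL mismatch alone is evidence, not proof; a capture from both ends of the connection (each side seeing a reset the other never sent) is what closes the case.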

 

Request for info, IPs, exploit examples on PDF mailto documents

Published: 2007-10-26,
Last Updated: 2007-10-26 18:39:54 UTC
by Adrien de Beaupre (Version: 1)

Hi all,

we are looking for examples of the PDFs being sent out, snort signatures, the IP addresses sending them out, the IP addresses they download malware from, and examples of the malware.

Please upload here: http://isc.sans.org/contact.html

Cheers,
Adrien de Beaupré
Bell Canada

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

Malicious PDF files being spammed out in volume
Posted by Jusu @ 15:10 GMT


A malicious PDF file (report.pdf or debt.2007.pdf or overdraft.2007.10.26.pdf or so) has been massively spammed through email during the last hour and the spam run is still continuing. The PDF is spiced with a CVE-2007-5020 exploit that downloads ms32.exe, which downloads more components. At this point it's not clear yet what the final payload of the malware is, because of missing files in the download chain. We are investigating further.
urisploit
The subjects for the spam messages include:
  Your credit report
  Your credit points
  Your balance report
  Personal Financial Statement
  Personal Credit Points
  Personal Balance Report
  Your Credit File
  Balance Report
More information in our full description.
More on the scope of the vulnerability from a ZDNet article.

Source: Malicious PDF files being spammed out in volume - F-Secure Weblog : News from the Lab

 

We pwn your Desktop!

A couple of weeks ago in this blog entry, we learned how misleading applications advertise themselves on the Web. Now we'll take a closer look at the other side of things to see how misleading applications infiltrate users' machines in order to convince people to download and purchase them.

We are used to seeing malware that uses all sorts of tricks to compromise a user's machine in order to steal valuable information or perform fraudulent activities. The purpose of all of this? Of course! Money! Why else would the miscreants otherwise make the effort of studying new tricks and developing new malware when they can simply convince users to give up their money spontaneously?


This is how it goes with misleading applications. They can appear in several ways, such as in downloaders or simply via browser advertisements: "Your computer is in danger!", "Get a better PC", or "Protect your pc from hackers!" are just a small example of the messages a user could be exposed to. Once the user is tricked into executing an installer, free scanner, or whatever (which can happen with or without the user's consent, by the way) then the show really begins! Any visual means of communication is used to warn the user of the terrible menace pending:

System tray:

Figures 1, 2, and 3: Examples of fraudulent system tray icons and balloons

Active desktop:

Figure 4: The desktop of the machine has been compromised to report threatening messages

Or, a simple message box is displayed:

Figure 5: Misleading applications also use system-like message boxes

Any interaction with these warnings will set off a trigger and some application will be downloaded and installed. The purpose of these applications is to scare the user through convincing messages that his or her machine is in great danger in terms of security, or that the PC has a multitude of errors that are forcing the PC to run slower, etc. These applications are good looking, with lots of "eye candy," flashing icons, nice animations, lots of colors - they do everything they can to appear professional. The life cycle of such applications is almost always the same: they are installed and they automatically start running a "scan."

Figure 6: Once installed, the misleading application performs a scan automatically

Then, they report their findings: lots and lots of critical risks, there may be spyware present, malware, errors, and/or privacy violations. In reality, many of the reported items do not even exist, are not critical, nor are they dangerous at all, but the important thing here is to look scary!

Figure 7: This misleading application reports an overwhelming number of “privacy violations”

Panic is the best friend of misleading apps. When a user sees these reports, his or her first thoughts are "my credit card could be stolen!", or "my son's favorite game will be deleted", or "my wife's favorite fashion Web links will be redirected to who knows what horrible Web site!" and so on. Looks like the user is doomed, unless he or she can only fix these risks. Well, there is almost always a big button that will do this! Oh, wait. Surprise!

Figure 8: The usual “pay for fix” message window

If the user wants to save his or her computing life, all that needs to be done is purchase the application. For only a few dollars! It's cheaper than many commercial products, it’s worth the security of the PC! Someone may still be doubtful about the application: What is it? Where does it come from? That's why, in order to persuade even the most paranoid users, these days misleading applications look very much like system applications and use names resembling real system components or security applications:

Figure 9: A misleading application with a Windows Vista look

Still: "I don't know, I will ask a friend of mine who is an expert with computers." Well, if you are able to cancel the fix / purchase process, you will still have one last warning:

Figure 10: Trying to halt the application installation will force the pop-up of threatening warnings again and again

Worse still, some applications feature an encore. Even if a user does not want to buy the application, it will keep running, restarting itself when closed, popping up in the middle of user activities with nasty warnings, and so on. In conclusion, this is a case of finding the devil where you might not expect - beware!

Posted by Andrea Lelli on October 26, 2007 05:00 AM

Source: Symantec Security Response Weblog: We pwn your Desktop!

 

This Bud's for You?
Posted by Mikko @ 06:09 GMT


We've been monitoring some spam runs lately advertising "legal herbs" for smoking purposes.
Here's an example:
The Bud Shop
This link takes you to a website called thebudshop.hk (not to be mistaken with thebodyshop.com):
thebudshop.hk
Now, it is quite curious that this joint shop is located in Hong Kong (.hk), of all places.
Let's see where the actual server is hosted:
Bud Shop Hosts
Oh, I see. The address keeps changing every few minutes. And, quite curiously, the IPs point to individual DSL boxes, i.e. home computers. Sounds like a botnet to me.
Let's take a closer look at the WHOIS record of thebudshop.hk:
Name Servers
Boy, don't those nameservers look weird. In fact, we've seen these before. There's a whole range of similar nameservers, including:
  02f3c5e0f.com
  1acca152d7817.com
  2349e44075.com
  38aca76e087.com
  52352a0c60a9c29.com
  6309a46.com
  871235bc.com
  926817a885d86e1.com
  ac8a562.com
  c0fbfef6e372ca34a.com
  e7bec7797.com
All of them are registered to Chinese addresses and they are criss-crossed to provide DNS for each other.
thebudshop.hk
We've seen Citibank and Myspace phishing sites hosted under these domains before. But this is the first time we've seen a smoke shop hosted there. It's quite likely the whole site is fake and only built to collect credit card numbers.
So, Just Say No.

This Bud's for You? - F-Secure Weblog : News from the Lab
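Both the Warezov domain list earlier on this page (810 fast-flux domains against 1229 that no longer resolve) and the Bud Shop case above (an address that changes every few minutes and points at DSL customers) come down to the same triage: poll a name a few times and decide whether it is dead, parked on one host, or fluxing. The script below is an added example, not F-Secure's tooling; the domain names, DNS answers and thresholds are constructed for illustration, and the thresholds in particular are assumptions a real deployment would tune.

```python
"""Triage polled DNS answers into dead, stable and fast-flux domains.

Added example; the observations below are constructed, not real data.
"""
import ipaddress
from collections import namedtuple

# One DNS answer set for a name: the TTL returned and the A records.
Observation = namedtuple("Observation", "ttl ips")

# Thresholds are assumptions chosen for illustration, not taken from the post.
MAX_FLUX_TTL = 300        # fast-flux answers use short TTLs so they can rotate
MIN_DISTINCT_IPS = 5      # a few IPs over several polls is ordinary round-robin
MIN_DISTINCT_NETS = 3     # flux hosts sit in unrelated (DSL customer) /16s


def distinct_networks(ips, prefix=16):
    """Collapse a set of addresses to the /prefix networks they fall in."""
    return {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}


def classify(observations):
    """Return 'dead', 'fast-flux' or 'stable' for a sequence of polls."""
    answered = [o for o in observations if o.ips]
    if not answered:
        return "dead"                        # nothing resolves any more
    all_ips = {ip for o in answered for ip in o.ips}
    max_ttl = max(o.ttl for o in answered)
    if (len(all_ips) >= MIN_DISTINCT_IPS
            and len(distinct_networks(all_ips)) >= MIN_DISTINCT_NETS
            and max_ttl <= MAX_FLUX_TTL):
        return "fast-flux"
    return "stable"


def classify_all(domains):
    """Map each domain name to its verdict."""
    return {name: classify(obs) for name, obs in domains.items()}


def summarize(results):
    """Count verdicts, mirroring the post's 'fast fluxes / undead' tallies."""
    counts = {"dead": 0, "fast-flux": 0, "stable": 0}
    for verdict in results.values():
        counts[verdict] += 1
    return counts


# Constructed sample: three names polled a few minutes apart.
SAMPLE = {
    "example-flux.invalid": [
        Observation(120, ["198.51.100.17", "203.0.113.88"]),
        Observation(120, ["192.0.2.44", "198.51.100.17"]),
        Observation(60, ["203.0.113.91", "192.0.2.201", "198.51.100.5"]),
    ],
    "example-stable.invalid": [
        Observation(86400, ["192.0.2.10"]),
        Observation(86400, ["192.0.2.10"]),
    ],
    "example-dead.invalid": [
        Observation(0, []),
        Observation(0, []),
    ],
}

if __name__ == "__main__":
    verdicts = classify_all(SAMPLE)
    for name, verdict in sorted(verdicts.items()):
        print(f"{name:28} {verdict}")
    print(summarize(verdicts))
```

A content delivery network also hands out short TTLs and many addresses, so the network-spread test is what separates it from flux: a CDN's addresses cluster in a handful of provider ranges, while the Bud Shop answers land on unrelated consumer DSL blocks.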

 

WDS update revision follow - up

Hi Folks - 

I wanted to get back to you with more information and guidance around the Windows Desktop Search (WDS) issue and the results of our investigation today.   

As you know, Windows Desktop Search was published last February 07 as an optional update that was only applicable to systems which had WDS previously installed. Then on Tuesday of this week we revised that update package to be applicable (but still optional) to Windows XP SP2 and Windows Server 2003 SP1+ systems which did not have WDS installed. Unfortunately, in revising this update, the decision to re-use the same update package had unintended consequences for our WSUS customers. Namely, many of you who had approved the initial update package for a limited number of machines had Tuesday's WDS revision 105 automatically install on all clients, because of the expanded applicability scope and because, by default, WSUS is set to automatically approve update revisions. We sincerely regret the inconvenience this has caused and extend a sincere apology to all impacted customers.

For those of you who want to uninstall the WDS update revision released Tuesday of this week, this can be done via

1.  Add/remove programs

2. Invoking spuninst: %windir%\$NtUninstallKB917013$\spuninst\spuninst.exe /q /promptrestart

3. Using System Restore on Windows XP (not available on Windows Server 2003). This option will leave some software on the machine, but the invocation effectively removes WDS 3.01.  This should only be used for conditions where the /noback switch was used.

I want you to know we are working now to correct the issue and have temporarily suspended the distribution of the Windows Desktop Search through WSUS.  The current package will remain available through the Microsoft Download Center. We will make a new package available for WSUS in the near future, but not as an update revision, so that you can rely on predictable update behavior with auto-approval settings.   We are also working on improving our internal publishing processes to ensure this does not happen again in the future. 

Again, our sincere apologies for this publishing process error. 

Bobbie Harder

Program Manager, WSUS

Source: WSUS Product Team Blog : WDS update revision follow - up

Hmm, I wonder who that Chris guy is??  ;-)    Seriously, though, this is not good news.  Microsoft asking vendors to fix future tools is one thing, but what about all the stuff that is already out there??  I can't see this problem going away very easily, especially since Microsoft has pretty much thrown down the gauntlet to hackers to exploit this.  Firefox, on the other hand, looks to have taken care of this three versions ago.

URL Update to Internet Explorer URL Handling Vulnerability

Published: 2007-10-26,
Last Updated: 2007-10-26 02:05:06 UTC
by Johannes Ullrich (Version: 1)

Earlier this month, Microsoft published KB943521. This article acknowledged that third party software had to validate URLs before passing them to Internet Explorer, as Internet Explorer will not validate them. Today, Microsoft published an update to the advisory, suggesting limited exploitation of this vulnerability.

Microsoft does not appear to plan to fix the issue in Internet Explorer. Instead, it asks vendors releasing tools that pass URLs to Internet Explorer to validate them.

 Thanks to Chris and Gilbert for alerting us to the update! Let us know if you see an exploit in the wild, or if you encounter any 3rd party applications which are not protecting Internet Explorer.

Links:

www.microsoft.com/technet/security/advisory/943521.mspx

blogs.technet.com/msrc/archive/2007/10/25/msrc-blog-october-25th-update-to-security-advisory-943521.aspx

SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
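The diary's point is that the calling application, not Internet Explorer, is expected to validate a URL before handing it to the system URL handler. The following is an added example, not Microsoft's or the ISC's code, of what that validation can look like in an application that opens user-supplied links: a scheme allow-list, a strict character check against the RFC 3986 URI character set, percent-decoding followed by a second check, and a stricter rule for mailto: targets. The allowed scheme set and the rejected inputs are constructed for the example; the malformed mailto: test string is made up and is not the published proof of concept for advisory 943521.

```python
import re
from urllib.parse import urlsplit, unquote

# Schemes this (hypothetical) application will hand to the system URL
# handler. Everything else is refused rather than passed through.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# RFC 3986 permits only these characters in a URI. A raw quote, space,
# angle bracket or backslash is malformed before any further parsing.
_URI_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")
_BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")
_EXEC_EXT = re.compile(r"\.(exe|cmd|bat|scr|pif|vbs|js)\b", re.I)  # ".com" omitted: it is a TLD
_MAIL_ADDR = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+")


def validate_url(url, allowed=ALLOWED_SCHEMES):
    """Return (ok, reason); ok=False means do not hand url to the URL handler."""
    if not isinstance(url, str) or not url or len(url) > 2048:
        return False, "empty, not a string, or too long"
    if not _URI_CHARS.fullmatch(url):
        return False, "character outside the RFC 3986 URI set"
    if _BAD_PCT.search(url):
        return False, "malformed percent-encoding"
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in allowed:
        return False, f"scheme {scheme!r} not allowed"
    # Decode once and check again: percent-encoding must not smuggle a quote,
    # a control character or a path traversal past the checks above.
    decoded = unquote(url)
    if any(c in decoded for c in '"\x00\r\n'):
        return False, "decoded URL contains quote or control character"
    if ".." in decoded.replace("\\", "/").split("/"):
        return False, "decoded URL contains path traversal"
    if scheme == "mailto":
        # Only a plain address (plus an optional header query) is legitimate;
        # anything resembling a file name or program has no place here.
        if not _MAIL_ADDR.fullmatch(parts.path):
            return False, "mailto target is not a plain address"
        if _EXEC_EXT.search(decoded):
            return False, "mailto carries an executable extension"
    return True, "ok"


if __name__ == "__main__":
    for u in ["http://www.example.com/path?x=1",
              "mailto:user@example.com?subject=Hello",
              'mailto:test%../evil".cmd',              # constructed, not the published PoC
              "file:///C:/Windows/system32/cmd.exe"]:
        print(validate_url(u), u)
```

The order matters: the character and percent-encoding checks run on the raw string, so a quote or a stray `%` is refused before any decoding, and the decoded form is then checked separately so that an encoded quote or `..` cannot pass as harmless.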

 

Wildfire Scams

Published: 2007-10-26,
Last Updated: 2007-10-26 00:22:35 UTC
by Johannes Ullrich (Version: 1)

As with any disaster in the past, we expect some scams related to the California wildfires. So far, we are happy to report that we see almost no activity. But if you come across something, please let us know!

Basic tips:

  • Only donate to charities you know.
  • Do not respond to donation requests that you may receive via e-mail.
  • If in doubt, make your donation via mail or phone using a well published phone number.
  • The IRS operates a registry of charities: apps.irs.gov/portal/site/pub78

Our best wishes are with the victims of the fire.

SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

Danger, Will Robinson, Danger!!

 

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: October 25, 2007

********************************************************************

Security Advisory Updated Today

==============================================

* Microsoft Security Advisory (943521)

- Title: URL Handling Vulnerability in Windows XP and Windows Server 2003 with Windows Internet Explorer 7 Could Allow Remote Code Execution

- http://www.microsoft.com/technet/security/advisory/943521.mspx

- Revision Note: Advisory updated to reflect elevated threat level

 

"Microsoft is investigating public reports of a remote code execution vulnerability in supported editions of Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed. Microsoft is aware of proof of concept code that has been posted publicly and is continuing to investigate public reports. We are also aware of attacks that try to use the reported vulnerability.

This vulnerability does not affect Windows Vista or any supported editions of Windows where Internet Explorer 7 is not installed.

Customers in the U.S. and Canada who believe they are affected can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs."

 Well, go here for the answer..

http://blogs.technet.com/wsus/archive/2007/10/25/wds-revision-update-expanded-applicability-rules-auto-approve-revisions.aspx

 

"It's not a bug, it's a feature!!"

 

Mudslinging Malware
Posted by Sean @ 13:02 GMT | Comments


Malware Attempts to Affect Kenyan Elections
Most of the day-to-day malware that we currently analyze has a financial motive. Such malware typically doesn't do anything noticeably malicious, as it doesn't want to tip off the victim.
But every now and then, we see something that's just plain nasty. Yesterday, Marko analyzed such a sample that we now detect as Trojan:W32/Agent.DPL.
This particular piece of malware appears to have a political rather than financial motive. A system infected with Agent.DPL displays the following message when Windows starts:

Trojan:W32/Agent.DPL

And it attempts to connect to www.kalonzomusyokaforpresident.com.

Kalonzo Musyoka for President

The website is the official presidential campaign page of Kenyan politician Stephen Kalonzo Musyoka. He launched his presidential campaign on October 14, 2007. Kenyan elections will be held in December. Note that the malware quotes Francis rather than Stephen.
Agent.DPL hacks the registry so that the user is unable to locate key Windows functions. This image shows the missing Control Panel icon as well as a few other things.
Trojan:W32/Agent.DPL
If any Control Panel apps are launched from another location, they'll be shut down by the malware.
Our guess is that by making the computer next to useless, Musyoka's detractors hope to shift the blame to him. But then again we don't know that much about the political situation in Kenya…
Our description — Trojan:W32/Agent.DPL — provides additional details, including an unusually easy way to disable it.

Source: Mudslinging Malware - F-Secure Weblog : News from the Lab

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: October 24, 2007
********************************************************************

Summary
=======
The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS06-067

Bulletin Information:
=====================

* MS06-067

- http://www.microsoft.com/technet/security/bulletin/ms06-067.mspx
- Reason for Revision: Revised to include MS06-065 as a bulletin that is replaced by this bulletin.
- Originally posted: November 14, 2006
- Updated: October 24, 2007
- Bulletin Severity Rating: Critical
- Version: 1.1

 

PDF mailto Exploit: Seen in wild today!

Wednesday October 24, 2007 at 5:10 am CST
Posted by Vinoo Thomas

Trackback

McAfee Avert Labs today observed e-mail messages with malicious PDF attachments exploiting the critical Adobe Acrobat Mailto Unspecified PDF File Security Vulnerability (CVE-2007-5020) being spammed in the wild. Successful exploitation leads to a batch file being executed on the victim's machine that disables the built-in Windows Firewall and then downloads a password stealer from an IP address located on the RBN network.

Malware authors will find this technique of sending exploit-laden PDF files extremely profitable, especially in targeted attacks, since the Portable Document Format is the de facto standard for exchanging electronic documents. PDF files have traditionally been unfiltered at the email gateway and until recently were considered risk free, in stark contrast to the notorious history associated with Microsoft Office documents.

But with Microsoft making it difficult for attackers by raising the bar for buffer overflow exploits with the release of Windows Vista and Microsoft Office 2007, we expect to see exploit writers target the lower-hanging fruit. Abusing exploits in popular applications such as Adobe, Apple, RealPlayer or antivirus products is proving to be just as advantageous and profitable for the bad guys. McAfee Avert Labs anticipates spammers in collusion with malware authors to continue exploiting popular application flaws, and it is imperative that users are educated on how to avoid becoming a victim.

Users running vulnerable versions of Adobe Reader and Acrobat 8.1 or earlier are strongly advised to update them from the Adobe site. McAfee users are pro-actively protected against Exploit-PDF based threats with the latest dat files.

Source: Computer Security Research - McAfee Avert Labs Blog
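The post describes mail-borne PDFs whose mailto: handling ends with a batch file running on the victim's machine. The following is an added example, not McAfee's tooling, of how a gateway or an analyst would triage such attachments offline: it pulls every /URI action out of a PDF, including ones inside FlateDecode streams, decodes PDF literal and hex strings, and flags mailto: targets carrying characters that have no place in a mail address. It goes one step beyond the post by also reporting /Launch actions, which any PDF triage pass should surface. The sample file is built inline and is constructed for the example; the flagged string is made up and is not a sample from the campaign, and the suspicious-URI pattern is a heuristic of this example rather than a published indicator.

```python
import re
import zlib

# A /URI action's target is a PDF string: literal (...) with backslash
# escapes, or hex <...>. Both forms are captured so neither can hide a URI.
URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\()])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
# Stream bodies; the lookbehind keeps "endstream" from starting a match.
# A CR before "endstream" would be left on the data, which zlib tolerates.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)
# Heuristic, an assumption of this example: a mail address has no business
# carrying a percent sign, a quote, or a Windows executable extension.
# ".com" is deliberately absent because it is a normal TLD in addresses.
SUSPICIOUS_URI = re.compile(rb'^mailto:.*(%|"|\.(exe|cmd|bat|scr|pif|vbs)\b)', re.I | re.S)

_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
        b"(": b"(", b")": b")", b"\\": b"\\"}


def pdf_literal(body):
    """Decode the inside of a PDF literal string (named escapes and \\ddd octal)."""
    out = bytearray()
    i = 0
    while i < len(body):
        c = body[i:i + 1]
        if c != b"\\":
            out += c
            i += 1
            continue
        nxt = body[i + 1:i + 2]
        octal = re.match(rb"[0-7]{1,3}", body[i + 1:i + 4])
        if nxt in _ESC:
            out += _ESC[nxt]
            i += 2
        elif octal:
            out.append(int(octal.group(), 8) & 0xFF)
            i += 1 + len(octal.group())
        else:
            out += nxt          # unknown escape: the backslash is dropped
            i += 2
    return bytes(out)


def pdf_hex(body):
    """Decode a PDF hex string; an odd trailing digit is padded with 0."""
    h = re.sub(rb"\s", b"", body)
    if len(h) % 2:
        h += b"0"
    return bytes.fromhex(h.decode("ascii"))


def scan_pdf(data):
    """Return (where, kind, uri) findings from raw PDF bytes.

    Scans the file as-is and the inflated content of every FlateDecode
    stream, since action dictionaries can sit inside compressed streams.
    """
    chunks = [("raw", data)]
    for n, m in enumerate(STREAM_RE.finditer(data)):
        try:
            chunks.append((f"stream#{n}", zlib.decompress(m.group(1))))
        except zlib.error:
            pass            # not Flate, or corrupt: the raw scan already saw it
    findings = []
    for where, buf in chunks:
        for m in URI_RE.finditer(buf):
            if m.group("lit") is not None:
                uri = pdf_literal(m.group("lit"))
            else:
                uri = pdf_hex(m.group("hex"))
            kind = "suspicious-mailto" if SUSPICIOUS_URI.match(uri) else "uri"
            findings.append((where, kind, uri))
        for m in LAUNCH_RE.finditer(buf):
            findings.append((where, "launch", b""))
    return findings


def build_sample_pdf():
    """Constructed test file, not a real exploit: one benign /URI action in
    the clear and one mailto: action hidden in a FlateDecode stream."""
    bad = b'mailto:user@example.invalid%../x".cmd'   # constructed, not a campaign sample
    inner = b"<< /Type /Action /S /URI /URI (" + bad + b") >>" + b" " * 256
    comp = zlib.compress(inner)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /Type /Action /S /URI /URI (http://www.example.com/benign) >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp) + comp + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for n, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % n + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for where, kind, uri in scan_pdf(build_sample_pdf()):
        print(f"{where:10} {kind:18} {uri!r}")
```

Run against the constructed file, the benign URI is reported from the raw scan and the mailto: target only appears after the stream is inflated, which is the case a gateway filter that grep-scans attachments without decompressing would miss.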

 

Vulnerability in JRE VM

Published: 2007-10-23,
Last Updated: 2007-10-23 23:34:55 UTC
by Adrien de Beaupre (Version: 1)

A vulnerability in the Virtual Machine of the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

Solution: upgrade.

From the Sun advisory.

Cheers,
Adrien de Beaupré
Bell Canada

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

Posted