October 2008 - Posts

Oct29

Popular Mexican News Anchor Died!

by Aljerro Gabon (Anti-spam Research Engineer)

At least that’s what a new spam run tells you.

Email messages claiming to be from Esmas, the largest television network in Mexico and also the world’s largest producer of Spanish language media, inform users that Joaquín López-Dóriga has died in an automobile accident. López-Dóriga is one of the more popular news anchors in Mexico. Here’s a screenshot of a spammed message:


Figure 1. Sample email message.

This same message also informs users that they can download a news video regarding the accident by clicking on the link provided in the message. By clicking on the link, however, users are unknowingly downloading a malicious executable named videoDoriga.exe instead of an actual video:


Figure 2. Users download an .EXE file instead of video footage.

Trend Micro detects the file as TROJ_CHOST.E. Deaths of prominent personalities are a common technique used by spammers to lure users into clicking links in email messages. Shocked by the unexpected news, users may want to find out more, and since the links promise more details, they are often tricked into clicking them.

Incidentally, another celebrity was reported dead by spammers last week, in what was a phishing operation. Other spamming operations related to famous individuals include:

These spammed email messages are already blocked by the Trend Micro Smart Protection Network. The same technology also detects the Trojan on the desktop level, and provides solutions for its removal. Users are advised to refrain from clicking links in unsolicited messages. News websites remain the best avenues for checking facts.

Proof of Concept binaries for MS08-067 targeting English Windows OSs
Posted by Dan @ 12:53 GMT | Comments

We are seeing the first Proof of Concept binaries that target the MS08-067 vulnerability on the following English localized systems:

Windows XP Service Pack 2
Windows XP Service Pack 3
Windows 2003 Service Pack 2

The payload is encrypted as normal. Its function is to add the guest account to the administrators group, thus allowing unlimited access to the machine. We detect the binaries as follows:

Backdoor:W32/Agent.DIN
Backdoor:W32/Agent.DIO
Backdoor:W32/Agent.DIP

We'll continue to keep an eye on the events.

Statements, reports, tracking numbers and tickets
Posted by Patrik @ 16:02 GMT | Comments


Over the last 48 hours we've seen a huge increase in ZIP'd malicious email attachments being spammed. The subjects have been:
Your Tracking #xxxxxxxx (where xxxxxxx is a random number)
New Ticket #xxxxx (where xxxxx is a random number)
Accounts Operations Report
Your Statement between 1/1/08 and 10/30/08

The ZIP file typically contains a file that looks like a document (.DOC), but it is really an EXE; there is just a lot of whitespace between .DOC and .EXE, so the real extension is easy to miss.

Some of these ZIP files are protected by a password, which makes it more likely that they are allowed through an email server, since the server cannot inspect the contents. The password is always in the email message so that a user can easily see it.

Using email attachments has made a comeback in popularity amongst malware writers during the last few months. We detect this latest batch as variants of the Worm:W32/Autorun family.
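The attachment trick described above can be checked at a mail gateway without executing anything: list the ZIP entries, flag names that read like a document but end in a whitespace-padded .EXE, and confirm with the PE magic bytes. This is an added example, not F-Secure's code; the message and archive it scans are constructed inline to mimic the run described (entry names, subject line and file contents are made up).

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# A document-looking name, a run of whitespace, then .exe at the very end
# (the page describes ".DOC", many spaces, ".EXE").
PADDED_EXE = re.compile(r"\.(doc|xls|pdf|txt)\s{2,}\.exe$", re.IGNORECASE)


def suspicious_entries(zip_bytes):
    """Return [(entry_name, [reasons])] for entries worth blocking."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = []
            if PADDED_EXE.search(info.filename):
                reasons.append("padded double extension")
            if info.flag_bits & 0x1:
                # Password-protected entry: the content check below is not
                # possible, which is exactly why the spammers encrypt them.
                reasons.append("encrypted entry")
            else:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":  # DOS/PE executable header
                        reasons.append("PE header")
            if reasons:
                hits.append((info.filename, reasons))
    return hits


def scan_message(raw):
    """Scan an RFC 822 message; return [(attachment, entry, reasons)]."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        for entry, reasons in suspicious_entries(part.get_payload(decode=True)):
            findings.append((fname, entry, reasons))
    return findings


def build_sample():
    """Constructed sample: a ZIP attachment holding 'Statement.DOC<40 spaces>.EXE'
    with a fake 64-byte PE stub, plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Statement.DOC" + " " * 40 + ".EXE", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"not malicious")
    msg = EmailMessage()
    msg["Subject"] = "Your Statement between 1/1/08 and 10/30/08"
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Your statement is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Statement.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, entry, reasons in scan_message(build_sample()):
        print(f"{attachment}: {entry!r} -> {', '.join(reasons)}")
```

For the password-protected variant, the gateway can still act on the name pattern and on the "encrypted entry" flag alone, which is a reasonable reason to quarantine unsolicited mail.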

Published: 2008-10-30,
Last Updated: 2008-10-30 14:02:45 UTC
by Kevin Liston (Version: 2)
1 comment(s)

A few readers are writing in to ask about two recent updates appearing in their queue: KB957200 and KB953155.

KB957200 is listed as a reliability update and according to Microsoft: "this update resolves some performance and reliability issues in Windows Vista. By applying this update, you can achieve better performance and responsiveness in various scenarios. After you install this item, you may have to restart your computer."

KB953155 is a security update related to MS08-062 (not -067 as I previously wrote - thanks t.)


VMWare ESX security patches

Published: 2008-10-31,
Last Updated: 2008-10-31 07:55:40 UTC
by Stephen Hall (Version: 1)

0 comment(s)

VMware has released a new security advisory and has updated two previously announced advisories.

Details are available via the VMWare web site:

- VMSA-2008-0017 (new advisory)
http://lists.vmware.com/pipermail/security-announce/2008/000039.html

Summary : A denial of service flaw was found in the way libxml2 processes certain content. If an application that is linked against libxml2 processes malformed XML content, the XML content might cause the application to stop responding.

CVE Reference: CVE-2008-3281

Summary: A flaw was found in the way ucd-snmp checks an SNMPv3 packet's Keyed-Hash Message Authentication Code. An attacker could use this flaw to spoof an authenticated SNMPv3 packet.

CVE Reference: CVE-2008-0960

Summary: Multiple uses of uninitialized values were discovered in libtiff's Lempel-Ziv-Welch (LZW) compression algorithm decoder. An attacker could create a carefully crafted LZW-encoded TIFF file that would cause an application linked with libtiff to crash or, possibly, execute arbitrary code.

CVE Reference: CVE-2008-2327
- VMSA-2008-0014.3 (updated advisory)
http://lists.vmware.com/pipermail/security-announce/2008/000040.html

This is an updated advisory which impacts a wide range of VMware products (both desktop and server), and covers 16 CVEs.

- VMSA-2008-0011.3 (updated advisory)
http://lists.vmware.com/pipermail/security-announce/2008/000041.html

This is an updated advisory which affects ESX products only, but covers 9 CVEs.

These advisories list security issues that have been fixed in the patches for ESX 2.5.4, ESX 2.5.5, ESX 3.0.2 and ESX 3.0.3 released on 30th October.

ICANN Gives Notorious Internet Registrar Stay of Execution - for the Moment

By Brian Prince
Case EstDomains
Posted by Mikko @ 14:45 GMT | Comments

EstDomains is a domain registrar operating from Estonia. They've been on our map for years as they've been the largest registrar used by online criminals for their domain name registration needs.


Yesterday we received good news.

ICANN has (finally!) pulled the plug on EstDomains, and is removing EstDomains from the list of ICANN-accredited registrars.

See below for the official letter.

EstDomains Letter


We probably first ran into EstDomains in 2005, when investigating the infamous WMF vulnerability. Initially the main site distributing malicious WMF files, unionseek.com, was registered via this new Estonian registrar.

Since then, tens of thousands of malicious domains have been registered with EstDomains. These include drive-by-download sites, botnet command-and-control servers, spammed domains and so on.

example of a malicious domain

Many of the recent fake antivirus tools as well as rogue codecs have been running via EstDomains.

In fact, EstDomains is among the largest registrars in the world and they've registered over 280,000 domains. Not all of them are bad, of course. But a big part of them are.


The EstDomains operation is run by Mr. Vladimir Tšaštšin, from the EstDomains office in downtown Tartu.

Lai, Tartu, Tartumaa 51005, Estonia

Vladimir Tšaštšin (aka "SCR") was sentenced earlier this year to six months of jail for credit card fraud, money laundering, and related charges.

image copyright Maris Ojasuu, Äripäev

Mr. Tšaštšin is also the CEO and largest owner of Rove Digital. Rove generates revenues of several million Euros a year, as shown in this listing of TOP Estonian IT companies by the Äripäev magazine:


And EstDomains is just a small part of a larger picture, outlined here by the researchers at Hostexploit.com.


For more on Atrivo and EstDomains, see this article at Security Fix.

Thank you ICANN, for doing the right thing.

Howard University Site Compromise

Date:10.29.2008

Threat Type: Malicious Web Site / Malicious Code

Websense® Security Labs™ ThreatSeeker™ Network has discovered that the official Web site of Howard University has been compromised with malicious code. The Howard University Web site is currently experiencing a large number of visitors, as it is the home page for Howard University students.

Malicious JavaScript code has been inserted into the Student Health page of the site. Browsers that load the site will execute a script from an exploit toolkit known as Neosploit, using known vulnerabilities such as those found in MSXML2.XMLHTTP, ADODB.Stream, and WScript.Shell—each of which downloads and executes a malicious executable file.

We have notified the owner of the site, but the site was still compromised at the time of this alert.
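The three ActiveX objects named above (a fetch object, a raw byte stream, and a shell runner) together form the download-and-execute chain such injected scripts rely on. The following triage check is an added example, not Websense's detection logic: it pulls inline script bodies out of a page and reports which stages of that chain are instantiated. The page sources it inspects are constructed for the example and only instantiate the objects.

```python
import re
from html.parser import HTMLParser

# ProgIDs named in the alert, mapped to the stage each serves in the chain.
STAGE_OF = {
    "msxml2.xmlhttp": "download",
    "adodb.stream": "write-to-disk",
    "wscript.shell": "execute",
}
FULL_CHAIN = set(STAGE_OF.values())

# new ActiveXObject("ProgID") with either quote style and loose whitespace.
ACTIVEX = re.compile(r"""ActiveXObject\s*\(\s*["']([^"']+)["']\s*\)""", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect the text of every inline <script> element in a page."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data


def analyse(html):
    """Return (stages_seen, full_chain_present) for one page's inline scripts."""
    collector = ScriptCollector()
    collector.feed(html)
    stages = set()
    for body in collector.scripts:
        for progid in ACTIVEX.findall(body):
            stage = STAGE_OF.get(progid.lower())
            if stage:
                stages.add(stage)
    return stages, stages == FULL_CHAIN


# Constructed samples: a page that instantiates all three objects, and a
# legitimate-looking page that only uses XMLHTTP for an AJAX request.
INJECTED_PAGE = (
    '<html><body><h1>Student Health</h1><script>'
    'var x=new ActiveXObject("MSXML2.XMLHTTP");'
    "var s=new ActiveXObject('ADODB.Stream');"
    'var w=new ActiveXObject("WScript.Shell");'
    '</script></body></html>'
)
BENIGN_PAGE = (
    '<html><script>var r=new ActiveXObject("MSXML2.XMLHTTP");'
    'r.open("GET","/news.xml");</script></html>'
)

if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("benign", BENIGN_PAGE)):
        stages, hit = analyse(page)
        print(f"{name}: stages={sorted(stages)} full_chain={hit}")
```

Exploit kits routinely obfuscate their loaders, so this is a check to run on de-obfuscated or rendered script text during triage, not a substitute for a full detector.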

Site screenshot:

Site source screenshot:

Websense Messaging and Web Security Customers are protected against this threat.

Three cheers for ICANN!


… One small step for ICANN …

I never thought I’d see the day!

ICANN found its dentures down the back of the sofa and has taken a bite out of the criminals’ domain registration empire. ESTDomains will no longer be a registrar as of Nov 12th. [pdf]

So I’ve got a question… Who’s got the balls to take on ESTDomains’ problem “customers”?

“ICANN Seeks Expressions of Interest from Registrars to Receive Bulk Transfer of Names from De-Accredited Registrar EstDomains”

I recently presented at APWG to encourage the anti-phishing community that registrars and registries can actually act rather than pleading innocence or the classic “our hands are tied” type excuses. In the case of fast-flux they are probably the only ones that can help in fact. I encouraged participants to point out that registrars and registries are guilty of acting illegally in many jurisdictions by facilitating illegal or infectious sites.

The general stance was that if Directi can clean them out then so can anyone else.

I pointed out that between 2 registrars (EST and Klik/Vivids) about $1.5M of revenue had taken place with Directi (who gives a healthy proportion of it to Verisign Etc…). I concluded with a slide to motivate participants to “Hug a Registrar” and I implore our readers to help out too. Anyone scoring over 30% on this uribl page is a prime candidate for advocates in the community to reach out and “help”.

So here is my top 5 for today:

#1 Moniker - Infested with spammers and pirated software sites. (MSOffice isn’t €79.95 delivered in a zip file)
#2 XIN NET - This is where the Pill spammers moved to and have given the .cn TLD a bad name.
#3 35 Tech & OnlineNic - Same as above but with more variety in pill sites and some casinos thrown in too.
#4 Planet Online - (Surprised to see them so high) Home of the unique-URL “snowshoe” spammers (almost legit?). The real world doesn’t care for their bulk and whois-protected domains (via directi’s Logicboxes), or fake contacts.
#5 Dynamic Dolphin - Owned by Scott Richter’s Media Breakaway, formerly the bankrupted OptinRealBig. MS won cases against him in New York in 2005. This accreditation is probably against ICANN’s policy. These days they generally annoy via social networks.
#Bonus - *.directNIC [Mikko’s open letter]

This is almost 2 years too late and took far too much media attention to shake their tree. The worst of the criminals left EST for other registrars after the “defecation meets the rotary oscillator” in August, but nevertheless (so I’m told) this is quick for ICANN ;)

Hip Hip…

Oct29
by Joey Costoya (Advanced Threats Researcher)

Our honeypots captured spammed email messages, written in Portuguese, supposedly coming from the popular video sharing website YouTube.


Figure 1. Sample email message (forwarded).

The message body translates into the following:

Hello,

Attention!

Someone has published a video you appear in, and your name was mentioned in several videos this evening.

To report, Click Here!

Watch the video you appear in: (http://www.youtube.com/watch?v=Y6BS8926mVgI)

Regards,
YouTube Team

The text “Para denunciar, Clique Aqui!” and the YouTube URL are actually HTML links, which interestingly point the user to a website hosted in Japan. This site then leads to the binary cartaoyoutube.exe, a banker-type Trojan designed to steal information from an infected user’s computer. The pieces of information stolen from affected systems are uploaded to a remote server.

Trend Micro detects the malware as TROJ_BANLOAD.JC. It further downloads from remote websites several other malicious files commonly related to information stealing activities.

While the social engineering lures differ - software updates, celebrity videos, sensational news - YouTube’s popularity among Internet users makes its name a favorite tool for malware writers and spammers trying to steer people towards malware. The name has been used many times in the past:

Trend Micro Smart Protection Network already blocks the spammed message and detects all the malware involved in this threat. Users are strongly advised to beware of unsolicited email messages even though they may appear to come from legitimate sources. Clicking links found in these messages almost always leads to malware or to malicious web pages.

********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: October 29, 2008

********************************************************************

Summary

=======

The following bulletins have undergone a minor revision increment.

Please see the appropriate bulletin for more details.

* MS08-062 - Important

* MS08-059 - Critical

* MS08-057 - Critical

* MS08-052 - Critical

Bulletin Information:

=====================

* MS08-062 - Important

- http://www.microsoft.com/technet/security/bulletin/ms08-062.mspx

- Reason for Revision: V2.2 (October 29, 2008): Revised entries in the section, Frequently Asked Questions (FAQ) Related to This Security Update, and in the Microsoft Baseline Security Analyzer (MBSA) and Systems Management Server (SMS) detection and deployment tables in the section, Detection and Deployment Tools and Guidance, to notify customers that the update packages for Windows Server 2008 for Itanium-based Systems and all supported editions of Windows Vista have now been made available on Windows Update, Microsoft Update, Windows Software Update Services (WSUS), Systems Management Server, and System Center Configuration Manager.

- Originally posted: October 14, 2008

- Updated: October 29, 2008

- Bulletin Severity Rating: Important

- Version: 2.2


* MS08-059 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-059.mspx

- Reason for Revision: V1.2 (October 29, 2008): Corrected the impact of the workaround that deals with disabling the SNA RPC Service.

- Originally posted: October 14, 2008

- Updated: October 29, 2008

- Bulletin Severity Rating: Critical

- Version: 1.2


* MS08-057 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-057.mspx

- Reason for Revision: V1.2 (October 29, 2008): Added entry to the section, Frequently Asked Questions (FAQ) Related to This Security Update, to explain any additional security features included in this update for Microsoft Office 2003 Service Pack 2. Added missing entries for Excel 2003 Service Pack 3 to the section, Detection and Deployment Tools and Guidance. Finally, corrected references to Windows Installer Redistributable in the section, Security Update Deployment.

This is an informational change only. There were no changes to the security update binaries.

- Originally posted: October 14, 2008

- Updated: October 29, 2008

- Bulletin Severity Rating: Critical

- Version: 1.2


* MS08-052 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx

- Reason for Revision: V2.2 (October 29, 2008): Added an FAQ entry concerning a printing issue with Microsoft SQL Server 2005 Reporting Services and removed Visio Viewer from Affected Software, including other minor changes. For more details, please see the entry in the Frequently Asked Questions (FAQ) Related to this Security Update section.

- Originally posted: September 9, 2008

- Updated: October 29, 2008

- Bulletin Severity Rating: Critical

- Version: 2.2

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: October 29, 2008

********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (956391)

- Title: Cumulative Security Update of ActiveX Kill Bits

- http://www.microsoft.com/technet/security/advisory/956391.mspx

- Revision Note: October 29, 2008: Added Frequently Asked Questions entry to communicate the availability of an update for a control that was kill bitted.

Microsoft Security Advisory (958963)

Exploit Code Published Affecting the Server Service

Published: October 27, 2008

Microsoft is aware that detailed exploit code demonstrating code execution has been published on the Internet for the vulnerability that is addressed by security update MS08-067. This exploit code demonstrates code execution on Windows 2000, Windows XP, and Windows Server 2003. Microsoft is aware of limited, targeted active attacks that use this exploit code. At this time, there are no self-replicating attacks associated with this vulnerability. Microsoft has activated its Software Security Incident Response Process (SSIRP) and is continuing to investigate this issue.

Our investigation of this exploit code has verified that it does not affect customers who have installed the updates detailed in MS08-067 on their computers.  Microsoft continues to recommend that customers apply the updates to the affected products by enabling the Automatic Updates feature in Windows.

We continue to work with our Microsoft Security Response Alliance (MSRA) and Microsoft Active Protections Program (MAPP) partners so that their products can provide additional protections for customers. We have updated our Windows Live Safety Scanner, Windows Live One Care, and Forefront security products with protections for customers. We have also been working with our partners in the Global Infrastructure Alliance for Internet Safety (GIAIS) program to take steps to help keep attacks from spreading.

Customers who believe they are affected can contact Customer Service and Support. Contact CSS in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY). International customers may request help by using any method found at this location: http://www.microsoft.com/protect/support/default.mspx (click on the select your region hyperlink in the first paragraph).

Mitigating Factors:

Customers who have installed the MS08-067 security update are not affected by this vulnerability.

Windows 2000, Windows XP and Windows Server 2003 systems are primarily at risk from this vulnerability. Customers running these platforms should deploy MS08-067 as soon as possible.

While installation of the update is the recommended action, customers who have applied the mitigations as identified in MS08-067 will have minimized their exposure and potential exploitability against an attack.

Security Fix

Brian Krebs on Computer Security

Java Update Promises to Remove Older Versions

Sun Microsystems has released another version of its Java software client. The update, JRE6 Update 10, contains no new security fixes to the most recent version, JRE6 Update 7, but it does appear to fulfill a promise the company made long ago to stop littering users' PCs with outdated, insecure versions of the software.


Readers of this blog know I am no fan of Java. It's a huge, extremely powerful program that frequently needs updating to protect users from evil sites that might wish to leverage the program's interactivity and power to do bad things. Another reason I've railed against Java is that Sun's updates don't remove old versions. As a result, if you've been keeping up with the Java security updates, chances are you have at least three or four previous versions of Java on your system -- each taking up more than 100MB worth of disk space.

While there's no sign Java users will need to update less frequently, Update 10 now claims to include "patch in place" capability, meaning future updates will remove older versions upon install.

It's nice that Sun has finally heeded the calls from its user base, but since we don't have an Update 11 yet, it's hard to tell how well this patch in place process will work. What's more, while Update 10 promises to remove itself whenever Sun ships the next post-Update 10 release, it doesn't remove any pre-Update 10 versions hanging around the user's system.

Who cares about a few older versions of Java hanging around in this age of 500GB hard drives, you ask? In previous updates, Sun has acknowledged that it would be possible for Web sites to invoke older, insecure versions of the software still present on the user's machine, even if the latest, patched version was installed and set as the authoritative version to be used by both the operating system and the user's default Web browser.

Sun subsequently implemented technology to block sites from invoking older, insecure versions of Java. But then in July, security researcher John Heasman outlined a method by which attackers could bypass that protection.

One final note: When I went to test this new version, I realized that I haven't had Java installed on my Windows Vista machine since I bought it several months ago. Apparently, I haven't needed the program since then either.

By Brian Krebs | October 27, 2008; 7:05 AM ET | Categories: New Patches, From the Bunker, Misc., Safety Tips

MS08-067 RPC Vulnerability FAQ

Published: 2008-10-26,
Last Updated: 2008-10-26 00:31:38 UTC
by Rick Wanner (Version: 1)

0 comment(s)

Our old friend Juha-Matti Laurio has created a FAQ on the MS08-067 RPC vulnerability. The FAQ goes a long way to clearing up some of the disinformation circulating about this vulnerability and the associated malware.

The FAQ can be found over at the SecuriTeam blog.

-- Rick Wanner rwanner at isc dot sans dot org
