Sharing Security Developments and Best Practices for corporate and home users
December 2004 - Posts
Several new Cabir variants emerged overnight
http://www.f-secure.com/v-descs/_new.shtml
* 2004.12.30 Cabir.K
* 2004.12.30 Cabir.L
* 2004.12.30 Cabir.J
* 2004.12.30 Cabir.G
* 2004.12.30 Cabir.F
* 2004.12.28 Cabir.I
* 2004.12.27 Cabir.H
Cabir source code published http://www.viruslist.com/en/weblog
Over the last few days we have seen several versions of Cabir. They are not very different from each other, just in unimportant ways. Today we found out that the source code from which these different versions were compiled has been published on the Internet. This means it can be accessed by anyone.
As far as we know, until now the Cabir source code was accessible only to a limited number of people, including members of the international virus-writing group 29A. It was a 29A member who wrote the original version of Cabir. We think it was planned to publish the source code in the next edition of the group's electronic journal.
However, it looks like someone has already gotten access to the code, and now it's public. This will lead to a lot of new versions of Cabir, which has already been detected in the wild in 7 countries.
Sophos has published their top 10 list for 2004 as follows:
http://news.bbc.co.uk/2/hi/technology/4105007.stm
TOP VIRUSES OF 2004
1) Netsky-P
2) Zafi-B
3) Sasser
4) Netsky-B
5) Netsky-D
6) Netsky-Z
7) MyDoom-A
8) Sober-I
9) Netsky-C
10) Bagle-AA

PLEASE BE VERY CAREFUL WITH ALL WEB SITES AND EMAIL. Proof-of-concept (POC) exploits are already circulating in the wild for brand new, unpatched flaws in Microsoft Windows. With POC code public, the "bad guys" have the tools to quickly build viruses, phishing attacks, and spyware around these Windows security holes.
This is called a "zero-day attack": exploits are circulating in the wild while the vendor has yet to patch the security hole. Do not open or install HELP FILES (.hlp) from untrusted sources, treat unexpected image files in web pages or email (.bmp, .cur, .ico, .ani) with the same caution, and follow further breaking news on what to avoid. Finally, some AV vendors are offering detection for the exploit code, as noted in the McAfee examples below. Please update and protect your PC environment.
QUOTE: Because the flaws are in a library used by Windows programs, almost all browsers and e-mail clients are likely affected by the flaws, said Alfred Huger, senior director of engineering at Symantec.
New Windows Security LoadImage & Help Vulnerabilities http://isc.sans.org//diary.php?date=2004-12-23
The holiday news continues to be bleak, with a pair of critical vulnerabilities for Windows NT/2000/2003/XP. First, unless you're running XP SP2, there is a buffer overflow in the LoadImage API, resulting in bitmaps, icons, and animated cursor data files (.bmp, .cur, .ico, and .ani) that can be exploited via HTML delivered either via email or a website. This vulnerability can be used to execute code. Secondly, there is a heap overflow in winhlp32.exe while processing help files on Windows, including XP SP2, apparently. Try not to install help files until some Tuesday in, we hope, January.
Exploits released for new Windows flaws http://www.dozleng.com/updates/index.php?showtopic=3383
LoadImage API Integer Buffer overflow http://vil.nai.com/vil/content/v_130605.htm
This detection covers code attempting to exploit a Microsoft Windows LoadImage API Integer Buffer overflow vulnerability that was announced on December 23, 2004. Reportedly, the vulnerability exists on the following operating systems:
* Windows NT4
* Windows 2000
* Windows XP (SP2 is not vulnerable)
* Windows 2003
Kernel ANI File Parsing Crash Vulnerability http://vil.nai.com/vil/content/v_130604.htm
This detection covers code attempting to exploit a Microsoft Windows Kernel ANI File Parsing Crash Vulnerability that was announced on December 23, 2004. Reportedly, the vulnerability exists on the following operating systems:
* Windows NT4
* Windows 2000
* Windows XP (SP2 is not vulnerable)
* Windows 2003
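To make the "integer buffer overflow" in the LoadImage descriptions above concrete, here is an added C example. It is not code from the original post, ISC, McAfee or Microsoft, and it does not reproduce the real Windows ICO/CUR/ANI layout: the six-byte record header with a 32-bit little-endian length field, the function names and the sample byte strings are all constructed for illustration. It shows how an unchecked allocation size of `len + HDR_SIZE` wraps to a few bytes when an attacker supplies a length near 4 GB, which is exactly the condition under which a later copy of `len` bytes overruns the heap block, and contrasts it with a parser that rejects such a record before allocating anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified icon/cursor-style record (NOT the real Windows
 * ICO/CUR/ANI layout): a 16-bit image count, then a 32-bit little-endian
 * byte length of the pixel data that follows, then the data itself. */
#define HDR_SIZE 6u

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The vulnerable arithmetic: total allocation = header + attacker-controlled
 * length, computed in 32 bits. For len near UINT32_MAX the sum wraps to a
 * few bytes, so a later copy of `len` bytes would overrun the heap block.
 * This function only returns the size the allocator would be asked for;
 * it deliberately does not perform the overflowing copy. */
uint32_t alloc_size_unchecked(uint32_t len)
{
    return len + HDR_SIZE;
}

/* Hardened parse: reject lengths that would wrap, or that claim more data
 * than the file actually contains, before any allocation or copy happens.
 * Returns the payload length on success, -1 on rejection. */
long parse_record_checked(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < HDR_SIZE)
        return -1;
    uint32_t len = read_le32(buf + 2);
    if (len > UINT32_MAX - HDR_SIZE)        /* len + HDR_SIZE would wrap */
        return -1;
    if ((size_t)len > buf_len - HDR_SIZE)   /* declared more than present */
        return -1;

    uint8_t *rec = malloc(len + HDR_SIZE);  /* cannot wrap after the checks */
    if (!rec)
        return -1;
    memcpy(rec, buf, HDR_SIZE + len);       /* bounded by buf_len */
    free(rec);
    return (long)len;
}

/* Constructed sample inputs (not real malware files). */
/* Benign: one image, 4 bytes of data declared, exactly 4 bytes present. */
const uint8_t BENIGN[] = { 0x01, 0x00, 0x04, 0x00, 0x00, 0x00,
                           0xAA, 0xBB, 0xCC, 0xDD };
/* Crafted: length 0xFFFFFFFE, so len + 6 wraps to 4 in 32-bit arithmetic. */
const uint8_t CRAFTED[] = { 0x01, 0x00, 0xFE, 0xFF, 0xFF, 0xFF,
                            0x41, 0x42, 0x43, 0x44 };

int main(void)
{
    printf("unchecked alloc size for len 0xFFFFFFFE: %u bytes\n",
           alloc_size_unchecked(0xFFFFFFFEu));
    printf("benign record  -> %ld\n",
           parse_record_checked(BENIGN, sizeof BENIGN));
    printf("crafted record -> %ld\n",
           parse_record_checked(CRAFTED, sizeof CRAFTED));
    return 0;
}
```

Compile with any C99 compiler and run. The two points to take from it are that the wrap check has to come before the allocation, not after, and that the declared length must also be bounded by the number of bytes actually received. The same pattern applies to any size field read from an untrusted file, which is why the Symantec quote above about a shared library affecting almost all browsers and mail clients matters.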
PROOF-OF-CONCEPT TESTS & MORE DETAILED INFORMATION
I would encourage everyone to be VERY CAREFUL about following the links below to install or run these tests on their PCs: the POC tests may crash your PC, requiring a reboot, and you might even lose information you were working on at the time. Please just read the discussion.
Windows Issues, original notification http://www.xfocus.net/flashsky/icoExp/index.html
Bugtraq Discussion http://www.securityfocus.com/archive/1/385...21/2004-12-27/0
Santy.b was found "in the wild" http://www.viruslist.com/en/weblog
December 22, 2004 - New variant of Santy was found some hours ago. We detect it as Net-Worm.Perl.Santy.b.
quote: What is worse, we have discovered a new version of Santy. It seems very likely that some 'script kiddies' have gotten hold of the source code. If this is true, they will create new versions with new features, just like Lovesan. The author of Lovesan is still free, but several co-authors have been arrested, even though they only changed some text strings in the worm's file.
F-Secure has developed a comprehensive summary of 2004 virus activity. The report describes a year of more sophisticated attacks and increased phishing scams, and walks through the major malware events of the past twelve months.
F-Secure's Annual Virus Report for 2004 http://www.f-secure.com/2004/
Windows XP SP2 users should run Windows Update for December, as this update patches a critical Windows Firewall vulnerability.
New XP SP2 Firewall Patch in Windows Update http://isc.sans.org//diary.php?date=2004-12-15 http://support.microsoft.com/kb/886185
After you set up Microsoft Windows Firewall in Microsoft Windows XP Service Pack 2 (SP2), you may discover that your computer can be accessed by anyone on the Internet when you use a dial-up connection to connect to the Internet.

http://www.microsoft.com/athome/security/default.mspx
I recommend sharing Microsoft's at Home security site with your family and friends. It is an EXCELLENT home user security site: it uses basic terminology and an educational format, and it promotes best practices.

While I've been working with PCs since 1981 and in the security field since 1996, the training I've received helps me stay secure both at home and at work. However, MOST computer users are not IT professionals, including many of our family and friends. This site might be a valuable point of reference, and I plan to use it often in the future.
MessageLabs provides a comprehensive virus and spam filtering service used by many companies to keep unwanted messages from reaching corporate email systems. In their November 2004 newsletter, they offer one of the most comprehensive write-ups on phishing I've seen. It provides excellent security awareness on this method of attack, which is now a common threat in email messages and on hostile web sites.
Comprehensive Article on Phishing
TOPICS COVERED
* Introduction
* Basics of phishing technique
* Theme and variations
* Who falls for the scam?
* Some other telling statistics
* So who picks up the bill?
* From crude con to sophisticated scam
* Virus wars
* The brand profile
* More recent developments
* The money-laundering scam
The new "D" variant of the Zafi worm family is an advanced email attack using a well-designed social engineering approach. It disguises itself as a holiday e-card, which a lot of folks might open without a second thought. McAfee, F-Secure, and other AV vendors have escalated this to HIGH RISK.
Zafi.D - Holiday-E Card Social Engineering http://vil.nai.com/vil/content/v_130371.htm
This new variant contains the following characteristics:
* contains its own SMTP engine to construct outgoing messages
* spoofs the From: address
* harvests target email addresses from the victim machine
* outgoing email message body is either in Hungarian or English
* displays p2p worm behaviour
* shuts down security services
Secunia escalates to HIGH RISK:
http://secunia.com/virus_information/13871/zafi.d/
My first post is simply to thank Rod and the many members who participate here in providing a great corporate service for the industry. Many early adopters of SMS relied on the old SYSWNK forums, and when My IT Forums emerged, it quickly expanded to security topics, operating systems, and many other areas. The user-to-user sharing we have among corporate members is excellent for expanding your knowledge or sharing good solutions to business and technology problems. Better yet, it's free of charge and a great resource for your career.