December 2004 - Posts
Several new variants emerged overnight
--> 2004.12.30 Cabir.K
--> 2004.12.30 Cabir.L
--> 2004.12.30 Cabir.J
--> 2004.12.30 Cabir.G
--> 2004.12.30 Cabir.F
--> 2004.12.28 Cabir.I
--> 2004.12.27 Cabir.H
Cabir source code published
Over the last few days we see several versions of Cabir. They are not very different from each other, just in unimportant ways. Today we found out that the source code that these different versions were compiled from was published on the Internet. This means it can be accessed by anyone.
As far as we know, until now the Cabir source code was accessible only to a limited number of people, including members of the international virus writing group 29A. It was a 29A member who wrote the original version of Cabir. We think it was planned to publish the source code in the next edition of the group's electronic journal.
However, it looks that someone has already got access to the code, and now it's public. This will lead to a lot of new versions of Cabir, which has already been detected in the wild in 7 countries.
There are many ways to improve IE security and I found a few links. I've shared some advice previously, but probably your easiest way of hardening security is:
TOOLS ... INTERNET OPTIONS ... SECURITY ... INTERNET ZONE ... CUSTOM LEVEL
Then change signed ACTIVE X settings from AUTOMATIC to PROMPT (that change alone gets protected from hijackers, dialers, CWS, etc). All my settings here are PROMPT or DISABLED.
I stay on MEDIUM settings but you can try HIGH as well (you want to balance things so that IE doesn't become "promptware" but saves you from a highjacking or Cool World Search variant).
I don't go overboard in ramping up IE security, as I mitigate the risk with Firefox and Opera. Finally "don't leave home with your Firewall, AV protection, and best practices"
SOME OTHER RELATED LINKS
Sophos has published their top 10 list for 2004 as follows:
TOP VIRUSES OF 2004
PLEASE BE VERY CAREFUL WITH ALL WEB SITES AND EMAIL. There are already Proof-of-Concept (POC) exploits circulating in-the-wild related to brand new unpatched flaws in Microsoft Windows. With POC code circulating in the public, this provides the "bad guys" with tools to quickly build viruses, phishing attacks, and spyware around these Windows Security holes.
This is called a "Zero Day Attack", where the vendor has yet to patch the security hole and there are exploits circulating in the wild. Do not install HELP FILES and follow further breaking news on what to avoid. Finally, some AV Vendors are offering protection as noted in the McAfee examples below. Please update and protect your PC environment.
QUOTE: Because the flaws are in a library used by Windows programs, almost all browsers and e-mail clients are likely affected by the flaws, said Alfred Huger, senior director of engineering at Symantec.
New Windows Security LoadImage & Help Vulnerabilities
The holiday news continues to be bleak, with a pair of critical vulnerabilities for Windows NT/2000/2003/XP. First, unless you're running XP SP2, there is a buffer overflow in the LoadImage API, resulting in bitmaps, icons, and animated cursor data files (.bmp, .cur, .ico, and .ani) that can be exploited via HTML delivered either via email or a website. This vulnerability can be used to execute code. Secondly, there is a heap overflow in winhlp32.exe while processing help files on Windows, including XP SP2, apparently. Try not to install help files until some Tuesday in, we hope, January.
Exploits released for new Windows flaws
LoadImage API Integer Buffer overflow
This detection covers code attempting to exploit a Microsoft Windows LoadImage API Integer Buffer overflow vulnerability that was announced on December 23, 2004. Reportedly, the vulnerability exists on the following operating systems:
* Windows NT4
* Windows 2000
* Windows XP (SP2 is not vulnerable)
* Windows 2003
Kernel ANI File Parsing Crash Vulnerability
This detection covers code attempting to exploit a Microsoft Windows Kernel ANI File Parsing Crash Vulnerability that was announced on December 23, 2004. Reportedly, the vulnerability exists on the following operating systems:
* Windows NT4
* Windows 2000
* Windows XP (SP2 is not vulnerable)
* Windows 2003
PROOF-OF-CONCEPT TESTS & MORE DETAILED INFORMATION
I would encourage everyone to be VERY CAREFUL in selecting links to install or test their PCs as these POC tests may crash your PC requiring a reboot and you might even loose information you were working on at the time. Please just read the comments only
Windows Issues, original notification
Santy.b was found "in the wild"
December 22, 2004 - New variant of Santy was found some hours ago. We detect it as Net-Worm.Perl.Santy.b.
quote: What is worse, we have discovered a new verision of Santy. It seems very likely that some 'script kiddies' have gotten hold of the source code. If this is true, they will create new versions with new features, just like Lovesan. The authour of Lovesan is still free, but several co-authours have been arrested, even though they only changed some text strings in the worm's file.
F-Secure has developed a comprehensive summary for 2004 virus activity. The report describes a year of more sophisticated attacks, increased phishing scams, and major events during the past year.
F-Secure's Annual Virus Report for 2004
Windows XP SP2 users should perform a Windows Update for December as a critical firewall vulnerability is patched by this update.
New XP SP2 Firewall Patch in Windows Update
After you set up Microsoft Windows Firewall in Microsoft Windows XP Service Pack 2 (SP2), you may discover that your computer can be accessed by anyone on the Internet when you use a dial-up connection to connect to the Internet.
I recommend sharing Microsoft's at Home site with your family and friends. It is an EXCELLENT home user security site in using basic terminology, an educational format, and promoting best practices.
While I've been working with PCs since 1981 and in the security field since 1996, the training I've recieved helps me stay secure both at home or at work. However, MOST computer users are not IT professionals including many of our family and friends. This site might be a valuable point of reference and I plan to use it often in the future.
Message Labs provides a comprehensive virus and spam filtering service used by many companies to prevent unwanted documents from reaching corporate email systems. In their November 2004 newsletter, they offer one of the comprehensive writeups on this subject, I've seen. This provides excellent security awareness on this method of attack that is now a common threat in email messages or hostile web sites.
Comprehensive Article on Phishing
Basics of phishing technique
Theme and variations
Who falls for the scam?
Some other telling statistics
So who picks up the bill?
From crude con to sophisticated scam
The brand profile
More recent developments
The money-laundering scam
The new "D" variant of the Zafi worm family is an advanced email attack using a well-design social engineering approach. It disquises itself as an e-card which might be accidently opened by a lot of folks. McAfee, F-Secure, and other AV vendors have escalated this to HIGH RISK.
Zafi.D - Holiday-E Card Social Engineering
This new variant contains the following characteristics:
* contains its own SMTP engine to construct outgoing messages
* spoofs the From: address
* harvests target email addresses from the victim machine
* outgoing email message body is either in Hungarian or English
* displays p2p worm behaviour
* shuts down security services
Secunia escalates to HIGH RISK:
My 1st post is to simply thank Rod and the many members who participate here in providing a great corporate service for the industry. Many early adopters of SMS relied on the old SYSWNK forums and when My IT Forums emerged, it quickly expanded to security topics and operating systems and many other areas. The user-to-user sharing we have among corporate members is excellent in expanding your knowledge or sharing good solutions to business and technology problems. Better yet, it's free of charge and a great resource for your career.