January 2005 - Posts
As noted in the article, only patches certified by Microsoft should be installed; a third-party patch could create issues and conflicts with future security updates.
Russian Security Firm finds XP SP2 Vulnerable & issues patch
http://www.techweb.com/wire/security/59200229
A little-known Russian security firm claimed Monday that it's spotted vulnerabilities in Microsoft Windows XP SP2, and has taken the unusual step of producing its own patch for the bug.
Researchers at Moscow-based Positive Technologies said that they uncovered the flaws in Windows XP SP2's DEP (Data Execution Mechanism) back in early October, and reported it to Microsoft more than a month ago. When it didn't receive a response, Positive released details of the vulnerability on its Web site, and posted a patch that supposedly temporarily fixes the problem.

Firefox 1.1's Release Pushed Back To June
http://www.techweb.com/wire/software/59200178
The next version of the popular open-source Firefox will likely show up in June of 2005, not March as earlier expected, the browser's lead engineer wrote this weekend in his blog. "In a move that I would hope should surprise exactly nobody, we're pushing back 1.1 by a little bit because of the realities of the work remaining to be done," wrote Ben Goodger. The updated road map for Firefox 1.1 noted that beta should ship in early April, with a final edition to follow in June. The next major revision, dubbed 2.0, is still on track for release sometime during 2005, according to the road map.
http://vil.nai.com/vil/content/v_131355.htm
-- Update January 31st 2005 -- Due to increased prevalence, the risk assessment of this threat has been increased to medium. The 4424 DAT files will be released early to address this threat. In the meantime, the following EXTRA.DAT packages are available.

This is EXCELLENT advice on how to donate to relief and charity organizations online.
Microsoft At-home Security: "Give with Care" and safely
http://www.microsoft.com/athome/security/email/donations.mspx
QUOTE: In times of crisis, people increasingly use the Internet to contribute money quickly to aid organizations such as Red Cross/Red Crescent, Mercy Corps, UNICEF, and many others that provide relief to victims worldwide.
Unfortunately, while it has made donating easier, the Web has also led to an increase in online donation scams that play on our conscience. In our effort to lend aid quickly, many of us set aside our cynicism and become more susceptible to these false solicitations. In addition to conning givers out of their money, donation fraud also takes its toll on legitimate groups, denying them funds for relief efforts and cheating real disaster victims.
TIPS ON HOW TO AVOID ONLINE SCAMS
• Improve your computer's security and use current technology to help block spam.
• Be on guard if you receive an unsolicited e-mail from a charitable organization asking for money. Don't be too quick to click any links or enter any personal information.
• Instead of responding to solicitations, proactively contact well-known and established charity agencies that you or people you trust have used before.
• If you do receive an e-mail request from a charity you'd like to support, go to their Web site or call them personally for verification and to find out how to contribute.
• While online, manually type in the aid organization's address into your Internet browser.
• Double-check the spelling of the organization's Web site, and get in the habit of always looking at the actual Internet address, for example, "http://www.redcross.org" before you continue browsing a Web site. Spoofed Web sites often use deliberate, easily overlooked misspellings to deceive users.
• Be wary of e-mails from strangers or unknown sources, especially those claiming to have attached photos of disaster victims or areas—these attachments could be infected with computer viruses or worse.
• If you provide your credit card number or personal information to a charity-related Web site, make sure current encryption technology is used and that there is a written policy about protecting personal information.
• Keep up to date on the latest online scams through trusted technology news providers, government agencies, and other professional sources.
Almost every variant of the Sober worm has gone medium, so we should watch developments carefully, as it's a highly advanced virus. The social engineering approach used here could cause this virus to spread.
Sober.J - New variant for the watchlist
http://secunia.com/virus_information/15006/sober-j/
http://www.f-secure.com/v-descs/sober_j.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EJ
http://www.sophos.com/virusinfo/analyses/w32soberj.html
FORMAT OF INFECTED EMAIL MESSAGES
Subject: I've got YOUR email on my account!!
Body: Hello, First, Sorry for my very bad English! Someone send your private mails on my email account! I think it's an Mail-Provider or SMTP error. Normally, I delete such emails immediately, but in the mail-text is a name & adress. I think it's your name and adress. The sender of this mails is in the text file, too. In the last 8 days i've got 7 mails in my mail-box, but the recipient are you, not me. lol OK, I've copied all email text in the Windows Text-Editor and i've zipped the text file with WinZip.
Attachment: email_text.zip
http://www.symantec.com/avcenter/venc/data/vbs.gormlez@mm.html
VBS.Gormlez@mm is a mass-mailing worm that sends a copy of itself to all email addresses in the Windows Address Book and attempts to spread through file-sharing networks. The worm deletes files with a .dll, .vbs, .exe, or .wsh extension.
EMAIL FORMAT:
Subject: Re: Hello
Message Body: Hey There :-)
Attachment: Hello.vbs
Message after infection:
Shutdown.vbs, Version 1.00
VBS.G0mez Is here :-p
Usage: CSCRIPT SHUTDOWN.VBS [ computer_name ]
!!!"!!!" SHUTDOWN!
G0mez will now shutdown the computer! :-)
hehehe

A highly critical POC exploit has been released that can compromise Windows security through a malicious media file. Please update to Winamp 5.08c. This process worked well for me in upgrading from 5.07.
Winamp 5.08c - Security Update for New Critical Exploit
http://secunia.com/advisories/13781/
Winamp 5.08c - Security Update
http://www.winamp.com/player/

Opera 8.0 will provide Voice command support
http://news.bbc.co.uk/2/hi/technology/4208751.stm
Net browser Opera 8.0, due for official release at the end of next month, will be "the most accessible browser on the market", according to its authors. The latest version of the net browser can be controlled by voice command and will read pages aloud.
The voice features, based on IBM technology, are currently only available in the Windows version. Around 50 voice commands are available and users will have to wear a headset which incorporates a microphone.
Opera is free to download but a paid-for version comes without an ad banner in the top right hand corner and with extra support. Its browser is used by an estimated 10 million people on a variety of operating systems and a number of different platforms.
OS X Security Update 2005-001 is now available:
http://docs.info.apple.com/article.html?artnum=300770
http://docs.info.apple.com/article.html?artnum=106704
Security Update 2005-001
* at commands - local privilege escalation
* ColorSync - heap overflow through malformed input files fixed
* libxml2 - potentially exploitable buffer overflows
* Mail - strange one: CAN-2005-0127: Message-ID info leak
* PHP - multiple known vulnerabilities
* Safari - pop-ups (when not blocked) can mislead users
* SquirrelMail - CSS (cross-site scripting) vulnerability fixed
Three new Bagle variants are circulating in the wild, and they are all very closely related. They are in essence the same virus repackaged with different compression algorithms to bypass AV scanners. Avoid all attachments in email, especially suspicious ones.
http://secunia.com/virus_information/12174/beagle.ba/
http://vil.nai.com/vil/content/v_131353.htm
http://www.sarc.com/avcenter/venc/data/w32.beagle.ba@mm.html
http://www.f-secure.com/v-descs/bagle_ba.shtml
This variant is a repacked version of the W32/Bagle.bk@MM variant. It arrives in emails with variable subjects and attachments, has peer-to-peer spreading capabilities and contains a backdoor that listens on TCP port 81.
This is a mass-mailing worm with the following characteristics:
* contains its own SMTP engine to construct outgoing messages
* harvests email addresses from the victim machine
* the From: address of messages is spoofed
* contains a remote access component (notification is sent to hacker)
* copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)
EMAIL FORMAT BELOW:
From : (address is spoofed)
Subject :
Delivery service mail
Delivery by mail
Registration is accepted
Is delivered mail
You are made active
Body Text:
Thanks for use of our software.
Before use read the help
Attachment: (may be one of the following, with an extension of .exe, .scr, .com, or .cpl)
wsd01
viupd02
siupd02
guupd02
zupd02
upd02
Jol03
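Detection logic for the two mail formats quoted above (Sober.J and W32/Bagle.ba), added here as an example; it is not part of the original posts or of any vendor's tooling. It parses a message with Python's email module and flags the subjects and attachment names the advisories list; the sample messages and the example.invalid addresses are constructed for the demonstration.

```python
import os
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators taken from the Sober.J and W32/Bagle.ba descriptions above.
SOBER_J_SUBJECT = "I've got YOUR email on my account!!"
SOBER_J_ATTACHMENT = "email_text.zip"
BAGLE_BA_SUBJECTS = {
    "Delivery service mail", "Delivery by mail", "Registration is accepted",
    "Is delivered mail", "You are made active",
}
BAGLE_BA_BASENAMES = {"wsd01", "viupd02", "siupd02", "guupd02",
                      "zupd02", "upd02", "jol03"}
BAGLE_BA_EXTENSIONS = {".exe", ".scr", ".com", ".cpl"}

def attachment_names(msg):
    """Lower-cased filenames of every attachment part (empty if not multipart)."""
    return [name.lower() for part in msg.iter_attachments()
            if (name := part.get_filename())]

def classify(raw):
    """Return the families whose mail indicators a raw RFC 822 message matches."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    names = attachment_names(msg)
    hits = []
    if subject == SOBER_J_SUBJECT or SOBER_J_ATTACHMENT in names:
        hits.append("Sober.J")
    # Bagle.ba needs a listed basename *and* one of the listed executable
    # extensions, so a harmless archive called upd02.zip does not match.
    bagle_attachment = any(
        base in BAGLE_BA_BASENAMES and ext in BAGLE_BA_EXTENSIONS
        for base, ext in (os.path.splitext(n) for n in names)
    )
    if subject in BAGLE_BA_SUBJECTS or bagle_attachment:
        hits.append("Bagle.ba")
    return hits

def build_sample(subject, body, filename=None):
    """Construct a test message; the addresses are placeholders, not real ones."""
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:  # dummy bytes stand in for the worm's payload
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_string()
```

Run `classify(build_sample("Delivery by mail", "Thanks for use of our software.", "wsd01.exe"))` to see the Bagle.ba match; the same function accepts any raw message text pulled from a mail queue.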
http://www.f-secure.com/weblog/
Today we published a new disinfection tool for Symbian Series 60 phones that is capable of disinfecting SymbOS/Skulls trojan variants from a phone, even if the user has rebooted the phone.
Previously, disinfecting a Skulls-infected phone was difficult if not impossible, especially with later variants that killed popular file managers. Basically the only way to disinfect the phone was to use the Epocware PC file manager, which unfortunately did not work with most phones, or to reformat the phone, which of course destroyed all data on the phone.
F-Skulls FTP Link to Download Free Phone Cleaning Tool
This tool is able to disinfect the phone even if Skulls has locked the phone completely. The disinfection is done by installing F-Skulls onto a memory card using a clean phone, then inserting the card with F-Skulls into the infected phone and booting it; during boot-up F-Skulls frees the critical system files so that the user can access the menu again and install an anti-virus for full disinfection.
So the disinfection still requires the help of a clean phone, but it is much preferable to having to reformat the phone.
An update of the new MySQL Bot attack:
http://isc.sans.org//diary.php?date=2005-01-27
MySQL Bot
A "bot", exploiting vulnerable MySQL installs on Windows systems, has been spotted. It has infected a few thousand systems so far. As is typical for bots, infected systems connect to an IRC server, which instructs them to scan various networks for other vulnerable MySQL servers.
http://www.spywaremanagement.org/index.php
Charter: The SpywareManagement forum provides an area dedicated to the discussion of spyware management topics. This forum discusses the how-to's and why's of security spyware management across a broad spectrum of Operating Systems, Applications, and Network Devices. This forum is meant as an aid to network and systems administrators and security professionals who are responsible for maintaining the security posture of their hosts and applications.
SpywareManagement.org is hosted by Shavlik Technologies, LLC.