February 2005 - Posts

This article shares a number of ideas, shortcuts, and approaches to help in managing the complex and challenging environment related to IT security.

Article - Keeping your Organization's Security Current
http://www.windowsecurity.com/articles/Organizations-Security-Current.html

Key points covered in the article
Reexamine security philosophy
Check Your Network for Known Weaknesses
Attend A Security Training Event
Key Shortcuts to make the job easier

This new email threat could be highly disruptive on a network of unpatched Windows workstations or servers. It is a two-part virus: it first spreads by email using the MyDoom virus, then launches a Spybot variant on the internal network that tries to spread via the MS04-011 LSASS exploit on port 435.

Mytob A/B/C variants - MyDoom and Spybot combination
http://www.sarc.com/avcenter/venc/data/w32.mytob@mm.html
http://www.sarc.com/avcenter/venc/data/w32.mytob.b@mm.html
http://www.sarc.com/avcenter/venc/data/w32.mytob.c@mm.html

W32.Mytob@mm is a mass-mailing worm that uses its own SMTP engine to send email to addresses it gathers from the Windows Address Book on the compromised computer. The worm also has the ability to open a back door and spread through the network by exploiting the Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).

EMAIL FORMAT

From: Spoofed

Subject of email:
hello
hi
error
status
test
Mail Transaction Failed
Mail Delivery System
SERVER REPORT
(No Subject)
(random alphabets)

Name of attachment:
Varies with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension

So far, this new virus is not widespread, and it's easy to avoid through best practices. Microsoft never sends updates by email; users must download them from Microsoft's website. Attachments should never be opened unless you are certain they are safe.

Elitper.A - Pretends to be a patch from Microsoft
http://www.symantec.com/avcenter/venc/data/w32.elitper.a@mm.html
W32.Elitper.A@mm is a mass-mailing worm that spreads using MAPI and through file-sharing networks. It also lowers Windows security settings by altering the Hosts file to prevent access to antivirus-related Web sites.

FORMAT OF EMAIL TO AVOID
From: <spoofed>
Subject: Fwd:None
Message Body: Microsoft(c) Lastest Update For CD-ROM
Attachment: Firewall.exe
Size of attachment: 9,392 bytes
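As an added example (not code from the original post, Symantec or any of the vendors linked here), the following Python screen applies the Mytob and Elitper email indicators listed above to constructed messages: the generic Mytob subject lines, the executable and archive attachment extensions, and the Elitper combination of subject, attachment name and 9,392-byte size. The three sample messages are constructed for the demonstration. A spoofed From header cannot be verified by content inspection, so the screen relies on subject and attachment traits only.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the Mytob and Elitper descriptions on this page.
MYTOB_SUBJECTS = {"hello", "hi", "error", "status", "test",
                  "mail transaction failed", "mail delivery system",
                  "server report"}
RISKY_EXTENSIONS = (".bat", ".cmd", ".exe", ".pif", ".scr", ".zip")
ELITPER_SUBJECT = "fwd:none"
ELITPER_ATTACHMENT = "firewall.exe"
ELITPER_SIZE = 9392


def screen_message(raw: bytes) -> list:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip()
    findings = []

    # Mytob: a short generic subject or no subject at all.
    if subject == "" or subject.lower() in MYTOB_SUBJECTS:
        findings.append("Mytob-style subject: %r" % subject)

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        lname = name.lower()
        payload = part.get_payload(decode=True) or b""

        if lname.endswith(RISKY_EXTENSIONS):
            findings.append("executable/archive attachment: %s" % name)

        # Elitper.A: exact subject, attachment name and size from the write-up.
        if (subject.lower() == ELITPER_SUBJECT and lname == ELITPER_ATTACHMENT
                and len(payload) == ELITPER_SIZE):
            findings.append("Elitper.A signature: %s (%d bytes)"
                            % (name, len(payload)))
    return findings


def build_sample(subject, body, filename=None, data=b""):
    """Construct a test message (a constructed sample, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename is not None:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples resembling the two email formats described above.
MYTOB_SAMPLE = build_sample("Mail Delivery System",
                            "The original message was included as attachment",
                            "report.zip", b"PK\x03\x04" + b"\x00" * 40)
ELITPER_SAMPLE = build_sample("Fwd:None",
                              "Microsoft(c) Lastest Update For CD-ROM",
                              "Firewall.exe", b"MZ" + b"\x00" * (ELITPER_SIZE - 2))
CLEAN_SAMPLE = build_sample("Q1 budget review notes",
                            "See the figures we discussed.",
                            "budget.txt", b"plain text")

if __name__ == "__main__":
    for label, raw in [("mytob", MYTOB_SAMPLE), ("elitper", ELITPER_SAMPLE),
                       ("clean", CLEAN_SAMPLE)]:
        print(label, screen_message(raw) or ["no findings"])
```

The extension check alone would also flag legitimate business attachments, which is why a gateway rule of this kind is normally a quarantine-and-review action rather than a silent drop.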


The Internet Storm Center reports that February 2005 was a very active month for new variants and worm developments. Almost 100 new viruses were categorized as "2" or higher by Symantec.

http://isc.sans.org//diary.php?date=2005-02-26

http://securityresponse.symantec.com/avcenter/vinfodb.html

Quote: This has been a record week for new virus discovery - at least for me. We yet again saw an infiltration of new activity at one location here in our local area. In looking at today's list on Symantec's web site, in the last week there have been 24 new entries that are rated as a Level 2. In the last month there have been close to 100 new entries with the majority being Level 2 and one of them being Level 3.


Symantec, F-Secure, and now Trend Micro have issued patches for the new archived zip file vulnerabilities, which could be exploited in the future. All corporate and consumer Trend Micro products should be updated as soon as possible.

Trend Micro - Critical Bulletin

Firefox 1.0.1 has been released to address several security issues. Users should uninstall the prior version, back up or delete existing profiles, and then install Firefox 1.0.1.

Security Vulnerabilities Fixed in Firefox 1.0.1

Here's what's new in Firefox 1.0.1:

  • Improved stability
  • International Domain Names are now displayed as punycode. (To show International Domain Names in Unicode, set the "network.IDN_show_punycode" preference to false.)
  • Several security fixes.

MFSA 2005-29 Internationalized Domain Name (IDN) homograph spoofing
MFSA 2005-28 Unsafe /tmp/plugtmp directory exploitable to erase user's files
MFSA 2005-27 Plugins can be used to load privileged content
MFSA 2005-26 Cross-site scripting by dropping javascript: link on tab
MFSA 2005-25 Image drag and drop executable spoofing
MFSA 2005-24 HTTP auth prompt tab spoofing
MFSA 2005-23 Download dialog source spoofing
MFSA 2005-22 Download dialog spoofing using Content-Disposition header
MFSA 2005-21 Overwrite arbitrary files downloading .lnk twice
MFSA 2005-20 XSLT can include stylesheets from arbitrary hosts
MFSA 2005-19 Autocomplete data leak
MFSA 2005-18 Memory overwrite in string library
MFSA 2005-17 Install source spoofing with user:pass@host
MFSA 2005-16 Spoofing download and security dialogs with overlapping windows
MFSA 2005-15 Heap overflow possible in UTF8 to Unicode conversion
MFSA 2005-14 SSL "secure site" indicator spoofing
MFSA 2005-13 Window Injection Spoofing
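To make the punycode change and MFSA 2005-29 concrete, here is an added Python example (not from Mozilla or the original post) showing what the browser now displays: a hostname with a Cyrillic "а" in place of the Latin "a" is rendered in its xn-- form, and a mixed-script check flags the label. The hostname is constructed for illustration, and the mixed-script heuristic is an assumption of this example: a label written entirely in one non-Latin script passes it, which is why the punycode display is the real defence.

```python
import unicodedata

# Script families recognised by the heuristic, taken from Unicode character names.
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK")


def to_punycode(hostname: str) -> str:
    """Render a hostname as Firefox 1.0.1 does by default: every label that
    contains non-ASCII characters is shown in its xn-- (punycode) form."""
    return hostname.encode("idna").decode("ascii")


def letter_scripts(label: str) -> set:
    """Set of script families used by the letters of one DNS label."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        for script in SCRIPTS:
            if name.startswith(script + " "):
                scripts.add(script)
                break
        else:
            scripts.add("OTHER")
    return scripts


def is_mixed_script(hostname: str) -> bool:
    """True when any single label mixes letters from more than one script.
    Assumed heuristic for this example; an all-Cyrillic look-alike passes."""
    return any(len(letter_scripts(label)) > 1 for label in hostname.split("."))


def describe(hostname: str) -> str:
    """One-line report of how the name renders and whether it mixes scripts."""
    verdict = "MIXED SCRIPTS" if is_mixed_script(hostname) else "single script"
    return "%s -> %s (%s)" % (hostname, to_punycode(hostname), verdict)


if __name__ == "__main__":
    # Constructed look-alike: the second letter is U+0430 CYRILLIC SMALL LETTER A.
    for host in ("example.com", "p\u0430ypal.com"):
        print(describe(host))
```

Note that the Unicode display is only a rendering choice: the name that is actually resolved and connected to is the xn-- form either way, so showing that form is what lets a user notice the substitution.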

http://www.mozillazine.org/talkback.html?article=6129

Full article: Mozilla Firefox 1.0.1 Released

Thursday February 24th, 2005 -- Mozilla Firefox 1.0.1 has just been released. A minor update, this version fixes a few security holes and some other bugs. If you're using Firefox 1.0, you want this release. The Firefox Release Notes have also been updated and The Burning Edge has an unofficial Firefox 1.0.1 changelog. Download links can be found on the official Firefox product page.

BUG WHEN MANUALLY KEYING URLs: If you are experiencing a crash when entering text into the address bar, you can correct the problem by removing the autocomplete.xpt file from your Firefox components directory, for example C:\Program Files\Mozilla Firefox\components. To avoid this crash, do not install a new installer package on top of an older zipped package.

HOW TO INSTALL (use this approach even if you are on version 1.0)

http://forums.mozillazine.org/viewtopic.php?t=158083


I thought the report format and detailed assessments were very well done by Canada's IT audit team. This is one of the best recent assessments I've seen. It's worth speed reading through for anyone involved in IT security.

http://www.oag-bvg.gc.ca/domino/reports.nsf/html/20050201ce.html

Quote: Despite encouraging signs of improvement, the government has made unsatisfactory progress in strengthening information technology (IT) security since our audit in 2002. It has laid a foundation by developing IT security policies and standards, and lead agencies and departments are more involved and committed to IT security. However, two and a half years after revising its Government Security Policy, the government has much work to do to translate its policies and standards into consistent, cost-effective practices that will result in a more secure IT environment in departments and agencies.

http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

RootkitRevealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher, and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys).

E-mails purporting to come from the FBI are phony. The FBI takes this matter seriously and is investigating. Users receiving e-mails of this nature are encouraged to report them to the Internet Crime Complaint Center via http://www.ic3.gov.

http://www.fbi.gov/pressrel/pressrel05/022205.htm


I think the virus author used the wrong social engineering scheme, as the FBI is actively investigating this new virus. Microsoft is also referenced by the latest version of the Sober email worm.

Sober.K - New variant to watch
http://secunia.com/virus_information/15563/
http://vil.nai.com/vil/content/v_131869.htm
http://www.symantec.com/avcenter/venc/data/w32.sober.k@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EK

WASHINGTON (AP) — The FBI warned Tuesday that a computer virus is being spread through unsolicited e-mails that purport to come from the FBI. ...

FBI issues warning about computer virus USA Today 

FBI Warns of E-Mail Virus LinuxInsider.com

Virus Masquerades as FBI Warning TechNewsWorld

FBI Email Is Fake, Contains Virus Boost Marketing


  Dear Sir/Madam, we have logged your IP-address on more than 40 illegal Websites. Important: Please answer our questions!  The list of questions are attached.

Yours faithfully,
M. John Stellford

++-++ Federal Bureau of Investigation -FBI-
++-++ 935 Pennsylvania Avenue, NW, Room 2130
++-++ Washington, DC 20535
++-++ (202) 324-3000

  ATTENTION!   Antivirus vendors are warning of a new variant of the Sober virus discovered today that can delete the hard disk.   Protection: Download and read the zipped patch. It's very easy to install!  Thanks for your cooperation!

--- (c)2005 Microsoft Corporation. All rights reserved
--- Microsoft Corporation
--- One Microsoft Way
--- Redmond, Washington 98052-6399

Spyware Removal - Two Comprehensive Cleaning Guides
http://www.securitypipeline.com/56900729
http://www.michaelhorowitz.com/removespyware.html


This is the best overall checklist I've seen for keeping your computer both secure and optimized for performance.

Murray State's recommended 10 step Maintenance Checklist
http://campus.murraystate.edu/technical/maintenance/ten_steps.htm

This site devoted to promoting this book has some resources to help victims of Identity Theft.

http://www.youreviltwin.net/


Microsoft TechNet

February 2005's Security Tip of the month is Excellent

Making Web Browsing More Secure
http://www.microsoft.com/technet/community/columns/sectip/st0205.mspx

You can make Web browsing more secure by doing a few simple things:

Make sure that Windows XP Service Pack 2 is installed. This service pack increases the security of Microsoft Internet Explorer with pop-up blocking and add-on management.

Configure your browser’s security settings for safer browsing.

Configure your browser’s privacy settings to avoid unwanted cookies and pop-up ads.

Be careful about which Web sites you visit. Sites devoted to illegal or questionable subjects, such as hacker sites, sites for downloading pirated music or software, and pornographic sites are most likely to contain malicious code.

Enable checking of digital signatures on drivers and other programs you download.

Do not conduct financial transactions or send private information over the Web unless the site is secure. A secure site is usually indicated by a dialog box or a “lock” icon in the browser’s status or address bar.

Configure your browser so that it does not automatically download ActiveX controls or run scripts, Java applets, or other code. If you want to be able to run code on some sites, configure the browser to prompt you before doing so.

A member of MyITForums asked for general guidelines on composing virus alert messages to be sent to all employees about a rapidly spreading virus.

Occasionally viruses will get into the corporate email system before AV protection is in place. The "rules" below represent some of the factors I have learned after years of doing this.

Rule #1 - KEEP IT SIMPLE for the users to promote understanding by non-technical folks

Rule #2 - KEEP IT SHORT as you want it to be read quickly plus it saves bandwidth and space on your email servers. 

Rule #3 - TELL THEM WHAT TO AVOID and promote good security awareness along the way in a simple way

Rule #4 - ASK THEM TO REPORT INFECTIONS to the Help Desk, Security department, or Techs rather than trying to clean the virus themselves.

Rule #5 - SHARE LINKS TO MORE INFO on your Intranet based Security Awareness sites. Hopefully, you have an Intranet Security site (and if not build one as it's one of your best tools)

Here's an example of a format I'd recommend; change the word EXAMPLE to the specifics of the particular virus:

quote:

To: ALL EMPLOYEES
Subject: Virus Alert: W/32.EXAMPLE.A (avoid EXAMPLE.ZIP attachments)

Some of our professionals have found copies of W/32.EXAMPLE.A in their email accounts. We have protection from AV-VENDOR in place to now block this rapidly spreading virus.

Please report all suspicious email attachments to our Help Desk. The attachment to avoid is EXAMPLE.ZIP. If you have accidentally opened it, please contact our Help Desk at 999-HELP so we can check your system.

MORE INFORMATION CAN BE FOUND HERE:
infosecurity.companyintranet.com/ExampleA.htm

PLEASE PROTECT YOUR COMPANY AND HOME PC THRU BEST PRACTICES:
infosecurity.companyintranet.com/Virusprevention.htm
