Sharing Security Developments, and Best Practices for corporate and home users
April 2005 - Posts
-
A new vulnerability was discovered in Netscape this week. Netscape mishandles GIF files, which can lead to a buffer overflow that is remotely exploitable through a specially crafted GIF file.
http://secunia.com/advisories/15103/
Secunia Advisory: SA15103
Release Date: 2005-04-26
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Netscape 6.x, Netscape 7.x
-
I heard this interesting account on Paul Harvey's news summary a couple of days ago.

SUMMARY: A hacker was trying to get back at a forum moderator after being kicked out for misbehaving. He needed the IP address to enter into his hack tool, so the forum moderator cooperated and gave him an IP address: the hacker's own. He entered the IP address in his hacking software, then disappeared off the Internet and hasn't been heard from since.

Darwin Award goes to a young Hacker http://isc.sans.org/diary.php?date=2005-04-29

Darwin Was Right. For those who don't hang out on Slashdot, there is a very amusing story going around about a young hacker who tried to raid an opponent's computer after being kicked out of a chat channel. Even Paul Harvey mentioned it today in his radio show.

Note: Due to inappropriate language, the actual detailed account wasn't shared here. It can be found in the ISC link above.
-
This new virus is also destructive, as it will damage Windows repair files.
MS04-011 Banish.A Worm
This worm may propagate by taking advantage of the LSASS vulnerability. Information on this exploit can be found at the following link: Microsoft Security Bulletin MS04-011
It also propagates via email using the following details:
Subject: (Any of the following)
- Here are the details.
- Ok. Read the attached instructions to solve the problem.
- Re: Thank you for your choice.
- Thank you for shopping. This mail contains your invoice.
- Thank you. Your credit card was processed successfully.
Attachment: ZIP extension (file name taken from files found in the Windows recent documents folder)
It deletes files found in the Windows repair folder.
-
Hopefully, this malicious website will be shut down by the authorities soon.
Dangerous website -- Please don't misspell Google http://www.f-secure.com/v-descs/googkle.shtml
F-Secure staff has found a malicious website that utilizes a spelling error when typing the name of the popular search engine - 'Google.com'. If a user opens a malicious website, his/her computer gets hijacked - a lot of different malware gets automatically downloaded and installed: trojan droppers, trojan downloaders, backdoors, a proxy trojan and a spying trojan. Also a few adware-related files are installed.
The name of the malicious website is 'Googkle.com'. PLEASE DO NOT GO TO THIS WEBSITE! Otherwise your computer will get infected! We have reported the case to the authorities.
-
Windows XP x64 debuted on April 25, 2005. There is still much work ahead before the Windows 64-bit environment becomes mainstream, but it is now a product available for x64 PCs. Hardware vendors will need to write 64-bit APIs, and applications must be reengineered to take advantage of the native architecture. Still, this is a noteworthy advancement by Microsoft and holds promise for the future of PCs built around AMD64 and Intel 64 technologies. Microsoft is also offering a free upgrade to existing XP users on x64 PC platforms, which is good through July 2005.
Windows XP x64 - Home Page http://www.microsoft.com/windowsxp/64bit/default.mspx
Free Upgrade for x64 PCs http://www.microsoft.com/windowsxp/64bit/upgrade/default.mspx
Top 5 Reasons to get XP 64 http://www.microsoft.com/windowsxp/64bit/evaluation/top5.mspx
High performance platform for the next generation of applications
Windows XP Professional x64 Edition is a rich platform that enables the next generation of high-performance computing. 64-bit native applications can deliver more data per clock cycle, making them run faster and more efficiently.

Large memory support
Windows XP Professional x64 Edition supports up to 128 gigabytes (GB) of RAM and 16 terabytes of virtual memory, enabling applications to run faster when working with large data sets. Applications can preload substantially more data into virtual memory, allowing rapid access by the 64-bit processor.

Flexibility
Windows XP Professional x64 Edition provides a rich platform to integrate 64-bit applications and existing 32-bit applications using the Windows on Windows 64 (WOW64) x86 emulation layer, providing customers with the ability to move to 64-bit computing without having to sacrifice their existing investment in 32-bit software and Windows expertise.

Multiprocessing and multicore
Windows XP Professional x64 Edition is designed to support up to two single or multicore x64 processors for maximum performance and scalability.

Same programming model
Developers with 32-bit skills will be comfortable and quickly productive in the 64-bit Windows environment, finding it virtually identical to the development environment for 32-bit Windows.
WEBCAST: Windows XP 64
Thursday, April 28, 2005: 10:00 AM Pacific time http://support.microsoft.com/kb/896031
In this WebCast, Microsoft MVP Charlie Russel describes Microsoft Windows XP Professional x64 Edition and the hardware that supports it. Microsoft experts will participate in the WebCast to help answer questions. Charlie will also tell you where to turn in the online community when you need help and have more questions about Windows XP Professional x64 Edition.
-
Most Sober variants can spread quickly, as the social engineering and technical characteristics are advanced for this family of viruses.
http://secunia.com/virus_information/17277/sober.n/
http://secunia.com/virus_information/16824/win32.sober.m/
W32.Sober.N@mm is a mass-mailing worm that uses its own SMTP engine to spread. It sends itself as an email attachment to addresses gathered from the compromised computer. The email may be in either English or German.
Subject of email: FwD: Ich bin's nochmal or I've_got your EMail on my_account!
Name of attachment: Private-Texte.zip or your_text.zip
Size of attachment: 73,541 bytes
Ports: TCP port 21
Compromises security settings: Attempts to terminate security-related processes.
EMAIL Format -- German version
From: <Spoofed>
Subject: FwD: Ich bin's nochmal
Message: Verdammt,,,,ich hatte vergessen Dir meinen Text mitzuschicken.Aber bitte nicht woanders darueber Reden, ich wuerde mich dann zu Tode blamieren! Ich melde mich. Bis bald
Attachment: Private-Texte.zip

EMAIL Format -- English version
From: <Spoofed>
Subject: I've_got your EMail on my_account!
Message: Hello, First, Very Sorry for my bad English. Someone is sending your private e-mails on my address. It's probably an e-mail provider error! At time, I've got over 10 mails on my account, but the recipient are you. I have copied all the mail text in the windows text-editor for you & zipped then. Make sure, that this mails don't come in my mail-box again. bye
Attachment: your_text.zip
-
Mozilla has released new versions of Firefox and the Suite to fix several security vulnerabilities, including the JavaScript engine flaw.
Mozilla Firefox 1.0.3 released for several security issues http://www.eweek.com/article2/0,1759,1787270,00.asp
Users who are upgrading from prior versions of Firefox or the Mozilla Suite should uninstall and reload according to the "Clean Installation" instructions linked below. This will ensure existing bookmarks and settings are preserved in the Mozilla profile folders.
Mozilla Home Page - Download Links for new versions http://www.mozilla.org/
Instructions for the "Clean Installation" process to remove older versions http://forums.mozillazine.org/viewtopic.php?t=251238
-
This new variant emerged over the weekend, and the Tooso trojan that it drops will block AV and other security repairs, making this virus even more difficult to clean.
Beagle.BN Description
Tooso - Security Blocking Trojan dropped by Beagle.BN
EMAIL TO AVOID/BLOCK
Attempts to email a copy of Trojan.Tooso.G to the email addresses contained in the downloaded file. The email has the following characteristics:
From: <Spoofed>
Subject: <Blank>
Message: The password is; Password:
Attachment: (One of the following) Make.zip, Price.zip, Forest.zip, Verses.zip, Fairy_tale.zip, It_about_you.zip, I_know_you.zip
Additional attachment: An *.rar file contains an executable file named 123456.exe which is a copy of Trojan.Tooso.G. This is the executable that is responsible for downloading the mailer component.
-
MS05-020: DHTML Proof of Concept Exploit Developed http://isc.sans.org/diary.php?date=2005-04-12
MS05-020 - Cumulative Security Update for Internet Explorer. This aggregate patch addresses several vulnerabilities in Internet Explorer that could lead to remote code execution:
* DHTML Object Memory Corruption Vulnerability (CAN-2005-0553)
* URL Parsing Memory Corruption Vulnerability (CAN-2005-0554)
* Content Advisor Memory Corruption Vulnerability (CAN-2005-0555)
Special note: A proof-of-concept exploit for this vulnerability is already publicly available from FrSIRT. The availability of the exploit is likely to increase the severity of this patch for most organizations.
French Security Incident Response Team http://www.frsirt.com/english/
Microsoft Internet Explorer DHTML Object handling Exploit (MS05-020) - Please be careful as actual POC code is present in this link http://www.frsirt.com/exploits/20050412.InternetExploiter2.php
-
This virus family continues to be actively developed. This advanced virus can spread by email or through unpatched Windows systems. Its email is spoofed to look like an undeliverable-message notice.
-
Microsoft has promptly rolled out protective security updates for Windows 98, ME, and other older operating systems. This includes protection for security exposures found in both Windows and Internet Explorer. I successfully updated our older W/98 family PC and this process worked well.
Microsoft Security Bulletins - April 2005 http://www.microsoft.com/technet/security/Bulletin/ms05-apr.mspx
-
About one dozen new variants of Mytob emerged over the past weekend. This virus spreads by email and exploitation of unpatched Windows systems (MS03-026 and MS04-011). This family of viruses is apparently easy to clone and it may become the next Spybot or Agobot when it comes to active development of new variants.
http://www.trendmicro.com/vinfo/
http://www.symantec.com/avcenter/vinfodb.html
Six of the Latest Variants
This worm also takes advantage of the following Windows vulnerabilities to propagate:
- RPC/DCOM vulnerability
- LSASS vulnerability
For more information about these vulnerabilities, please refer to the following Microsoft Web pages:
Modifies files: Modifies the Hosts file.
Compromises security settings: Blocks access to several security-related web sites.
Name of attachment: Varies, with a .bat, .cmd, .exe, .pif, .scr, or .zip file extension.
Ports: 10087
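Because this family edits the hosts file to cut the PC off from security vendor sites, a quick defensive check is to parse the file and flag every override. The following is an added example written for this page; it is not code from the original post or from Trend Micro or Symantec. The hosts-file content in SAMPLE_HOSTS is constructed, and the watch list is the set of vendor domains linked elsewhere on this page. On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Flag hosts-file overrides of the kind Mytob makes to block security web sites.

Added example for this page; not code from the original post or from Trend Micro
or Symantec. SAMPLE_HOSTS below is constructed. The watch list is the set of
security vendor domains linked elsewhere on this page.
"""
import ipaddress

# Names that legitimately map to a loopback address
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Vendor domains a worm has no business overriding (taken from links on this page)
WATCH_DOMAINS = ("trendmicro.com", "symantec.com", "secunia.com", "f-secure.com",
                 "microsoft.com", "mozilla.org", "sans.org", "kaspersky.com", "viruslist.com")

# Constructed hosts-file content: two normal lines, one legitimate local override,
# then the kind of entries an infection would add.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.corp.example    # legitimate internal override
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1       www.trendmicro.com
0.0.0.0         update.microsoft.com
127.0.0.1       ads.tracker.example
"""


def parse_hosts(text: str):
    """Yield (line_number, ip, hostname) for every name on every non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield lineno, ip, name.lower().rstrip(".")


def is_watched(name: str) -> bool:
    """True if name is one of the watched vendor domains or a host under one."""
    return any(name == d or name.endswith("." + d) for d in WATCH_DOMAINS)


def is_sinkhole(ip: str) -> bool:
    """True for loopback or unspecified addresses, which make a name unreachable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True     # malformed address column: surface it rather than ignore it
    return addr.is_loopback or addr.is_unspecified


def find_suspicious_entries(text: str):
    """Return (line_number, ip, hostname, reason) for every entry worth a look."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if is_watched(name):
            findings.append((lineno, ip, name, "security vendor host overridden in hosts file"))
        elif is_sinkhole(ip):
            findings.append((lineno, ip, name, "host sinkholed to loopback/unspecified address"))
    return findings


if __name__ == "__main__":
    # For a live check, replace SAMPLE_HOSTS with the contents of the system hosts file,
    # e.g. open(path, encoding="utf-8", errors="replace").read()
    for lineno, ip, name, reason in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip:<15} {name:<35} {reason}")
```

Any watched domain is reported regardless of the address it points to, since a worm could just as well redirect a vendor site to a hostile server as sinkhole it; other names are reported only when mapped to loopback or 0.0.0.0, so ordinary intranet overrides stay quiet.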
FORMAT OF EMAIL MESSAGE
Subject: (One of the following)
- Good day
- hello
- Mail Delivery System
- Mail Transaction Failed
- Server Report
- Status
- Error
Message: (One of the following)
* Here are your banks documents.
* The original message was included as an attachment.
* The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
* The message contains Unicode characters and has been sent as a binary attachment.
* Mail transaction failed. Partial message is available.
Attachment: (One of the following) document, readme, doc, text, file, data, test, message, body
Extensions: pif, scr, exe, bat, cmd, zip
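The subject, body and attachment details given for Sober.N (earlier in this month's posts) and for Mytob (just above) are exactly the kind of indicators a mail gateway filter keys on. The following is an added example written for this page, not code from the original post or from the antivirus vendors it links to. The indicator sets are copied from the text of the two posts; the messages at the bottom are constructed samples, not captured mail.

```python
"""Match inbound mail against the Sober.N and Mytob indicators listed on this page.

Added example for this page; it is not code from the original post or from the
antivirus vendors it links to. Indicator sets come from the text of the posts;
the sample messages under __main__ are constructed.
"""
from dataclasses import dataclass

# Sober.N indicators (from the description quoted above)
SOBER_SUBJECTS = {"FwD: Ich bin's nochmal", "I've_got your EMail on my_account!"}
SOBER_ATTACHMENTS = {"Private-Texte.zip", "your_text.zip"}
SOBER_ATTACHMENT_SIZE = 73_541   # bytes

# Mytob indicators (from the "FORMAT OF EMAIL MESSAGE" section above), lower-cased
MYTOB_SUBJECTS = {"good day", "hello", "mail delivery system",
                  "mail transaction failed", "server report", "status", "error"}
MYTOB_BODIES = {
    "here are your banks documents.",
    "the original message was included as an attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "mail transaction failed. partial message is available.",
}
MYTOB_NAMES = {"document", "readme", "doc", "text", "file", "data", "test", "message", "body"}
MYTOB_EXTENSIONS = {"pif", "scr", "exe", "bat", "cmd", "zip"}


@dataclass
class Mail:
    subject: str
    body: str = ""
    attachment: str = ""   # attachment file name, "" when there is none
    size: int = 0          # attachment size in bytes, 0 when unknown


def split_name(filename: str):
    """Return (basename, extension), both lower-cased; extension is "" if absent."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        return filename.lower(), ""
    return base.lower(), ext.lower()


def classify(mail: Mail):
    """Return (family, reasons) where family is "sober.n", "mytob" or None.

    Sober.N subjects and attachment names are distinctive enough to flag on a
    single hit. Mytob's subjects ("hello", "Error") are common in legitimate
    mail, so Mytob is reported only when a listed attachment name/extension pair
    is present together with a listed subject or body text.
    """
    subj = mail.subject.strip()
    reasons = []

    if subj in SOBER_SUBJECTS:
        reasons.append("subject is a known Sober.N subject")
    if mail.attachment in SOBER_ATTACHMENTS:
        reasons.append("attachment name is a known Sober.N attachment")
        if mail.size == SOBER_ATTACHMENT_SIZE:
            reasons.append("attachment size matches Sober.N (73,541 bytes)")
    if reasons:
        return "sober.n", reasons

    base, ext = split_name(mail.attachment)
    lure_hits = []
    if subj.lower() in MYTOB_SUBJECTS:
        lure_hits.append("subject is a known Mytob subject")
    if mail.body.strip().lower() in MYTOB_BODIES:
        lure_hits.append("body is a known Mytob message text")
    if mail.attachment and base in MYTOB_NAMES and ext in MYTOB_EXTENSIONS:
        if lure_hits:
            return "mytob", lure_hits + [f"attachment {mail.attachment} matches Mytob name/extension"]
        # Executable with a generic name but no lure text: worth a look, not a verdict
        return None, [f"suspicious attachment {mail.attachment}; no Mytob lure text"]
    return None, []


if __name__ == "__main__":
    # Constructed samples, not real captured mail
    samples = [
        Mail("FwD: Ich bin's nochmal", attachment="Private-Texte.zip", size=73541),
        Mail("Mail Delivery System", body="Mail transaction failed. Partial message is available.",
             attachment="readme.zip"),
        Mail("hello", body="lunch tomorrow?"),
        Mail("Server Report", attachment="report.pdf"),
    ]
    for m in samples:
        print(repr(m.subject), "->", classify(m))
```

A subject such as "hello" on its own never produces a verdict; the attachment name and extension pair is what turns a lure into a detection, which is also why blocking the listed extensions at the gateway is the cheaper control.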
-
Microsoft has released advance notification of the bulletins it will be releasing next Tuesday.
http://www.microsoft.com/technet/security/bulletin/advance.mspx
* 5 Security Bulletins for Windows, maximum level Critical
* 1 Security Bulletin for Office, level Critical
* 1 Security Bulletin for MSN Messenger, level Critical
* 1 Security Bulletin for Exchange, level Critical
-
DNS Poisoning - An Explanation by Kaspersky http://www.viruslist.com/en/weblog?calendar=2005-04
We've had a few queries from readers asking what DNS poisoning actually is. As stated yesterday, DNS poisoning is the manipulation of an IP address for a certain DNS entry. So what does that really mean? To fully understand this, first you need to know some basics about how addresses work.
There are a few very big DNS servers which provide other, smaller, DNS servers with DNS/I.P. entries. These entries get stored in the cache of the smaller DNS servers. It's not the big servers, but the smaller ones that are being poisoned. Poisoning only lasts until the DNS server rechecks the entries with a large DNS server, so you may also hear this called DNS cache poisoning.
So, if you enter www.kaspersky.com in your browser, the DNS server is queried for the IP address assigned to this DNS name. (DNS names are mainly to make our lives easier). In this case the DNS server will respond with the IP address 81.176.69.70.
So the goal of DNS poisoning is to make the (small) DNS server say that another IP address (one of a site containing malicious content) is assigned to a certain DNS name.
How exactly can servers be poisoned? Well, DNS servers need to run an operating system and software to perform their tasks. Insecure settings and/or vulnerabilities in either of these can lead to the DNS server being poisoned, usually by malformed packets being sent to the server.
How can you protect yourself? This is a tricky question, because as a (DNS) client there is not that much you can do. For example, with modified hosts files, it's a local issue. But in this case the issue isn't local - it's up to your ISP or system administrator to make sure that everything is secure.
When DNS servers are poisoned so that users are directed to clones of legitimate sites, if the poisoning is done correctly, and the cloned sites are carefully constructed, the user won't notice anything unusual.
And I for one don't know many people who know the real IP addresses of the sites they visit.
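The explanation above is written from the user's side. The following added example (not from the Kaspersky weblog or from this blog) models the other side: the checks a caching resolver applies before it trusts a reply and stores records in its cache, which is where the poisoning described above would otherwise land. It goes slightly beyond the post by showing three checks together: an unpredictable transaction ID, a match between the reply and the outstanding question and the server it was sent to, and a refusal to cache records outside the zone the queried server is responsible for. The upstream server address 192.0.2.53 and the name bank.example are constructed placeholders; the address for www.kaspersky.com is the one quoted above.

```python
"""Model of the checks a caching resolver applies before it trusts a DNS reply.

Added example for this page; it is not code from the Kaspersky weblog or from
the original post. The upstream server 192.0.2.53 and the name bank.example
are constructed placeholders (documentation address and reserved TLD); the
address for www.kaspersky.com is the one quoted in the text above.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Record:
    name: str
    rtype: str
    value: str
    ttl: int


@dataclass
class Query:
    txid: int
    qname: str
    server: str          # upstream server this query was sent to


@dataclass
class Response:
    txid: int
    qname: str
    source: str          # address the reply came from
    answers: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies under it (www.kaspersky.com in kaspersky.com)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    """A toy caching resolver: only records that pass the checks in receive() are stored."""

    def __init__(self):
        self.cache = {}      # (name, rtype) -> value
        self.pending = {}    # txid -> Query still waiting for a reply
        self.rejected = []   # (reason, detail) for anything refused

    def send_query(self, qname: str, server: str) -> Query:
        # 16-bit transaction ID drawn from a CSPRNG: a predictable ID lets a
        # forged reply match the outstanding question, so this is the first check.
        txid = secrets.randbelow(1 << 16)
        q = Query(txid, qname, server)
        self.pending[txid] = q
        return q

    def receive(self, resp: Response, bailiwick: str) -> list:
        """Validate a reply; return the records accepted into the cache ([] if refused)."""
        q = self.pending.get(resp.txid)
        if q is None:
            self.rejected.append(("unknown transaction id", resp.txid))
            return []
        if q.qname.lower() != resp.qname.lower():
            self.rejected.append(("question mismatch", resp.qname))
            return []
        if q.server != resp.source:
            self.rejected.append(("reply from unexpected server", resp.source))
            return []
        del self.pending[resp.txid]       # one reply per query; later duplicates are refused

        accepted = []
        for rr in resp.answers + resp.additional:
            # A server for kaspersky.com has no authority over other zones, so
            # "additional" records for unrelated names are dropped, not cached.
            if not in_bailiwick(rr.name, bailiwick):
                self.rejected.append(("out-of-bailiwick record", rr.name))
                continue
            self.cache[(rr.name.lower().rstrip("."), rr.rtype)] = rr.value
            accepted.append(rr)
        return accepted

    def lookup(self, name: str, rtype: str = "A"):
        return self.cache.get((name.lower().rstrip("."), rtype))


def demo() -> ResolverCache:
    """Run one legitimate reply and one stale duplicate through the resolver."""
    r = ResolverCache()
    q = r.send_query("www.kaspersky.com", server="192.0.2.53")
    good = Response(q.txid, "www.kaspersky.com", "192.0.2.53",
                    answers=[Record("www.kaspersky.com", "A", "81.176.69.70", 3600)],
                    additional=[Record("www.bank.example", "A", "198.51.100.9", 3600)])
    r.receive(good, bailiwick="kaspersky.com")
    # Same transaction ID again: the query is no longer pending, so it is refused.
    stale = Response(q.txid, "www.kaspersky.com", "192.0.2.53",
                     answers=[Record("www.kaspersky.com", "A", "198.51.100.66", 3600)])
    r.receive(stale, bailiwick="kaspersky.com")
    return r


if __name__ == "__main__":
    r = demo()
    print("www.kaspersky.com ->", r.lookup("www.kaspersky.com"))
    print("www.bank.example  ->", r.lookup("www.bank.example"))
    for reason, detail in r.rejected:
        print("rejected:", reason, detail)
```

As the post says, these checks live on the resolver, not on the client, which is why the only end-user remedy is to rely on an ISP or administrator who keeps the server software patched and configured to perform them.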
-
This is a new technology initiative from Mozilla that will eventually work with Windows CE and portable versions of Linux (GPE). This scaled-down browser will be used on PDAs and other portable devices.
http://www.mozilla.org/projects/minimo/
-
The Internet Storm Center has a comprehensive report available which describes the recent DNS cache poisoning attacks. This is where a poisoned DNS server redirects user queries to hostile sites, and malware (e.g., viruses, spyware, backdoors) can be loaded automatically if the PC is vulnerable.
Click here for: DNS Cache Poisoning Attack report
Table of Contents:
1. How can others help?
2. How do I recover from a DNS cache poisoning attack?
3. What software is vulnerable?
4. I am a dial-up/DSL/cable modem user -- am I vulnerable?
5. Where can I test my site to see if I am vulnerable?
6. What exactly is DNS cache poisoning?
7. What was the motivation for this type of attack?
8. Weren't DNS cache poisoning attacks squashed around 8 years ago?
9. What was the trigger for the attack?
10. How exactly did this DNS cache poisoning attack work?
11. What domain names were being hijacked?
12. What were the victim sites?
13. What malware was placed on my machine if I visited the evil servers?
14. Got packets?
15. Got snort?
-
Microsoft has released Service Pack 1 for Windows 2003 Server; the home page link and 10 reasons to install it are noted below:
Click Here: Windows 2003 Server Service Pack 1
Top 10 Reasons to Install Windows Server 2003 SP1
Reduce your server's attack surface.
Security Configuration Wizard (SCW), one of the new features added to Windows Server 2003 in Service Pack 1 (SP1), uses an intuitive, role-based process to guide administrators through reducing the attack surface. With SCW you can disable unused services easily and quickly, block unnecessary ports, modify registry values, and configure audit settings.

Help protect newly installed servers.
In today's security environment there is a continual search for new and potentially exploitable system vulnerabilities. Post-Setup Security Updates (PSSU), another new feature of Windows Server 2003 SP1, blocks all incoming traffic to newly installed servers until the latest patches to Windows Server 2003 are downloaded and applied. PSSU also guides configuration of Automatic Updates when you first log on.

Get firewall protection from startup to shutdown.
Windows Firewall, the same core firewall technology in Windows XP Service Pack 2, is built into Windows Server 2003 SP1. Windows Firewall in Windows Server 2003 SP1 allows granular control over server and client computers through the use of Group Policy. Moreover, Windows Firewall provides boot-time protection, lowering the risk of attack just after a server is started up and while it is shutting down.

Bolster your defenses with "no execute" hardware support and software.
Data execution prevention (DEP) is a set of hardware and software technologies that performs additional checks on memory to help protect against exploitation of your system by malicious code. Windows Server 2003 SP1 fully utilizes the DEP capabilities built into servers by many manufacturers and further augments those capabilities with DEP software of its own.

Help protect your system services with stronger default settings and reduced privileges.
Services such as remote procedure call (RPC) and DCOM are integral to Windows Server 2003 and make an attractive target for hackers. By requiring greater authentication for calls of these services, Windows Server 2003 Service Pack 1 helps establish a minimum threshold of security for all applications that use these services, even if they possess little or no inherent security.

Isolate out-of-date virtual private network (VPN) assets.
VPN Quarantine automatically provides the means for limiting network access for machines on virtual private networks that are not current with regards to security updates. This prevents you from having to write your own ad hoc scripts to effect this facet of sound network security.

Monitor and audit your Internet Information Services (IIS) configuration settings.
The metabase is the XML-based, hierarchical store of configuration information for Internet Information Services 6.0. The ability to audit this store allows network administrators to track what, when, who and how a metabase change has been made.

Windows Firewall Policy Management.
Windows Server 2003 SP1 includes new Group Policies that help IT professionals centralize client and server firewall management, including application rules, port rules, and firewall logging at the client and server to help improve security in the enterprise while maintaining centralized configuration and deployment.

Help secure Internet Explorer.
Internet Explorer now contains many enhancements to help secure Windows Server 2003. For example, Internet Explorer now more effectively stops downloads of spurious files and prevents Web pages from accessing cached objects.

Avoid potentially unsafe e-mail.
Windows Server 2003 SP1 includes additional refinements to help protect the network. With Outlook Express you can now open mail in plain-text mode, preventing HTML messages from running malicious code. Outlook Express prevents e-mail from downloading external content, stopping a means by which spam senders can validate your e-mail address. Outlook Express also checks e-mail attachments with Attachment Manager, eliminating the need for your own custom code to do so.