August 2005 - Posts

 Since 2000, I've been using Yahoo's free email facilities, as they offer integrated Norton Anti-virus and excellent SPAM protection controls to complement my use of corporate McAfee VS 8.0i.  I recieve a number of virus infected emails, phishing attacks, and spam daily. 

Today, I received a large number of repetitive phishing messages that appear to be from PayPal, requesting that I update and verify my account information, even though I don't have an account established.   It's always important to pay attention to email messages as they can appear legitimate and you can enter information that may be used for identity theft or fraud.  

update@paypal.com - Update and Verify Your PayPal account*** Wed 08/31 8k
update@paypal.com - Update and Verify Your PayPal account*** Wed 08/31 8k
update@paypal.com - Update and Verify Your PayPal account*** Wed 08/31 8k
update@paypal.com - Update and Verify Your PayPal account*** Wed 08/31 8k
update@paypal.com - Update and Verify Your PayPal account*** Wed 08/31 8k
update@paypal.com - Update and Verify Your PayPal account*** Wed 08/31 8k
update@paypal.com - Update and Verify Your PayPal account*** Wed 08/31 8k
update@paypal.com - Update and Verify Your PayPal account*** Wed 08/31 8k
update@paypal.com - Update and Verify Your PayPal account*** Wed 08/31 8k

  Viruses are new to mobile phone technology and they are some circulating in-the-wild.  To date most infections have been with single individuals becoming infected.  F-Secure briefly documents how a company's address book is most likely used to spread this to dozens of individuals in a company.  At least 20 true infections resulted that required cleaning and removal of the mobile phone virus.

F-Secure reports 1st Medium-scale phone virus infection

Commwarrior incident - F-Secure Weblog

August 27, 2005 -- We've now seen the first medium-scale internal infection of a company that was caused by a mobile virus.  On Wednesday this week, we were working on a case where a single company had a serious run-in with the Commwarrior.B virus. Several dozens of employees of the company received Bluetooth or MMS transmission of the virus during the day-long outbreak and over twenty of them actually opened the message on their phones and got infected with it.

  The attached article discusses the potential for microcode based viruses that could potentially flash the BIOS and make the PC completely unusable.  This type of attack occurred on a limited basis in 1998 with the CIH virus and here's hoping this type of highly destructive attack won't be forthcoming. 

Article: Potential for Destructive PC Microcode or BIOS Virus

Awaiting the PC Killers

AUGUST 22, 2005 (COMPUTERWORLD) - The malicious code enters your network undetected, rapidly infecting more than 100 machines. But this is no ordinary virus. Your antivirus and disk recovery tools can't help, because the disk drives won't spin up at all. The drives are toast. The PCs are completely inoperable. The era of microcode attacks has begun.

Could viruses really attack the low-level microcode that makes disk drives run? It's entirely possible, disk technology experts say. Dimitri Postrigan knows how such a virus might be created -- but he's not telling. Postrigan reverse-engineers and programs hard disk drives at ActionFront Data Recovery Labs.

He says each disk drive has its own internal operating system that enables the device to start up. The operating system microcode resides in a special system area of the disk. "A virus could be written which would destroy the whole system area on a drive. This will make the drive and data almost unrecoverable," Postrigan says.

ISC LogoFor the past 2 days, the Internet Storm Center (ISC) shared a warning on long registry key values that can be made hidden from REGEDIT by malware making removal more complicated than in the past. 

The ISC is offering a free Registry Search Tool.  This neat new tool will locate the registry key values greater than 255 characters in length.

Windows Registry - Nasty Games of Hide & Seek
http://isc.sans.org/diary.php?date=2005-08-24
http://isc.sans.org/diary.php?date=2005-08-25

ISC Registry Search tool -- locates long key values
http://isc.sans.org/LVNSearch.exe

QUOTE: We have started to see some possible reports of malware which utilizes this concealment technique in the wild.  Products that have been reported to be able to query/report/delete/etc these keys:

AppSense Environment Manager
HiJackThis v1.99.1 (SCAN function)
HiJackThis v1.99.2 (in development)
Stillsecure SafeAccess
Sysinternals Autoruns (mixed reports)
Regedt32 (Win2k)

Message on Financial Times website

Two Arrests have been made related to Zotob worm outbreak

A neat "behind the scenes" of what MSRC was doing during the MS05-039 worm attacks: 

MSRC: Inside Microsoft's Zotob Situation Room

QUOTE: In the wee hours of Sunday morning, an enterprise customer contacted the MSRC with the first positive identification of what would become the Zotob attack. Toulouse declined to name the customer.

"They came to us with a sample of a new attack that they believed was exploiting the Plug and Play vulnerability," he said. "We took the code and started our own investigation. We also passed it to our VIA [Virus Information Alliance] partners to make sure everyone can get their signatures updated to provide protection."

The MSRC's investigation confirmed that an actual attack exploiting MS05-039 was under way and would only get worse.

"Early Sunday morning, our investigators tell us to get started on our process. We weren't seeing a widespread attack, and the anti-virus vendors weren't seeing anything major yet. But, with everything we knew, we decided to activate our security response process."

By 10 a.m. Sunday, pagers started buzzing. The Situation Room was set up in Building 27 at Microsoft's Redmond campus.

....

  This is an awesome resource for understanding the technical architecture of the IPSec environment from a very talented Microsoft MVP. 

Unixwiz.net Tech Tip: An Illustrated Guide to IPSec

QUOTE: IPSec is a suite of protocols for securing network connections, but the details and many variations quickly become overwhelming. This is particularly the case when trying to interoperate between disparate systems, causing more than one engineer to just mindlessly turn the knobs when attempting to bring up a new connection.

The MS05-039 based Bozori worm impacted a number of major businesses yet it didn't impact Internet users as extensively as the Blaster and Sasser worm did in 2003 and 2004 respectively.  This most likely is due to the vulnerability being in W/2000 and the random IP generation design which might make it spread faster on the inside of the network.  Kaspersky in this article discusses the potential for virus writers to target vulnerable businesses who may have difficulty keeping up each month with security patches.  

MS05-039 Bozori worm - Rise of the business worm?

QUOTES: There's no question that this worm is spreading. However, it seems to be confined to localized 'explosions' inside large corporations. These organizations, typically made up of 'small internets' behind heavily defended Internet gateways, have experienced infection.

The Bozori incident suggests that we're on the threshold of a new era, in which 'business worms' will cause 'local network outbreaks' in large corporations, but will have little effect on the Internet as a whole.

Microsoft has issued a new advisory that Windows XP SP1 PCs with lowered security settings are also vulnerable to MS05-039 worm attacks similar to the ones that hit Windows 2000 systems. The Forced Guest account and open file sharing increase security risks anyway and they allow the worm to infect XP systems which were thought to be safe from this W/2000 based attack.  Microsoft noted that these particular settings are not often used.

Microsoft Security Advisory (906574) - Clarification of Simple File Sharing and ForceGuest

  Microsoft has issued this Security Advisory to clarify information of the issue addressed in Security Bulletin MS05-039 for non-default configurations of Windows XP Service Pack 1. This feature is known as “Simple File Sharing and ForceGuest.”

If you are using Windows XP Service Pack 2, enabling Simple File Sharing and ForceGuest does not increase your level of exposure to the MS05-039 security vulnerability. Also, customers that have applied the security update included with MS05-039 are not impacted by this issue.

We recommend that customers continue to follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing ant-virus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.

  That was a fascinating read, as I also learned more about the "dark side of the force".  It's clear that it's still too easy to get credit on a fraudulent basis. It also affirms that ads promoting work-at-home opportunities should be carefully reviewed.  

CyberMules -- Crooks lure citizens into international crime

Apple released it's seventh security update for the OS/X operating system last week.  This update protects the operating system and supporting products.  This update provides protection from buffer overflows, arbitrary code execution, and other security vulnerabilities.  Macintosh users should quickly patch their systems to ensure the greatest level of protection.

Apple OS X patches released last week
http://isc.sans.org/diary.php?date=2005-08-18

Apple OS X - Security Update 2005-007
http://docs.info.apple.com/article.html?artnum=302163

Macintosh OS X - Home Page
http://www.apple.com/macosx/

Microsoft is initiating a new campaign to search for malicious websites with it's new HoneyMonkey project.

QUOTE: Strider HoneyMonkey is a Microsoft Research project to detect and analyze Web sites hosting malicious code. The intent is to help stop attacks that use Web servers to exploit unpatched browser vulnerabilities and install malware on the PCs of unsuspecting users. Such attacks have become one of the most vexing issues confronting Internet security experts. Strider HoneyMonkey is a project of the Cybersecurity and Systems Management group in Microsoft Research.

 

  F-Secure provides an updated list of links related to the MSDDS exploit.

The Msdds.dll component is not installed by default with Windows, but might come with several other Microsoft applications. A vulnerability on it allows for malicious exploitation upon visiting a website.

The following links provide extended information:

Internet Storm Center
Secunia
FrSIRT
SecurityFocus
SecurityTracker
ISS
US-CERT
Microsoft advisory

Dominic White's blog entry provides an excellent summary of MS05-039 developments: 

MS05-039 and the Zotob summary

  About a year ago, the authors of Netsky/Bagle/MyDoom virus variants were engaged in a “virus war“ where they deleted existing copies of competing viruses when infecting a suseptible PC.  Similarly, the virus writers who have created Zobot, Bozori, IRCBot, and other MS05-039 variants have in a competitive effort to be the top worm creating MS05-039 based infections.  

F-Secure Weblog: August 17, 2005 "This is not a viruswar, this is a botwar!"

QUOTE: Here is a status update on the malware using the Plug-and-Play vulnerability (MS05-039). For the last four days we got 11 different samples of malware using this vulnerability. Currently there are three Zotob variants (.A, .B and .C), one Rbot (.YK), one Sdbot (.ADB), one CodBot, three IRCbots (.ES, .ET and .EX) and two variants of Bozori (.A, .B).

Variants from both IRCBot and Bozori families are deleting competing PnP bots. It seems there are two groups that are fighting: IRCBot and Bozori vs Zotobs and the other Bots.

See our high-tech illustration for details.

More Posts Next page »