March 2006 - Posts

• DAT 4726 - False Positive Issue with Dollar Revenue detection

  This McAfee AV False Positive Issue was limited in scope, but users could encounter it on a few files and moving to the latest DAT files solves this. DAT 4726 - False Positive Issue with Dollar Revenue detection http://secunia.com/virus_information/27941/dollarrevenue/ The 4726 DAT files contain an incorrect identification on a limited number of executables. This was corrected in the 4727 DAT files. If McAfee users are seeing a Dollar Revenue detection, ensure that you are running the latest DAT files. Posted Mar 30 2006, 02:05 PM by hwaldron with no comments

• CERT 876678 - Microsoft Internet Explorer createTextRange vulnerability

  CERT has issued the following bulletin with information and links related to the new unpatched vulnerabilities recently discovered in Internet Explorer. http://www.kb.cert.org/vuls/id/876678 Disable Active Scripting Known attack vectors for this vulnerability require Active Scripting to be enabled. By disabling Active Scripting, the chances of exploitation are reduced. For instructions on how to disable Active Script in Internet Explorer, please refer to the Internet Explorer section of the Securing Your Web Browser document. Additional workarounds are available in Microsoft Security Advisory 917077. Posted Mar 26 2006, 05:07 PM by hwaldron with no comments

• IE CreateTextRange vulnerability - Trend and Symantec provide generic protection

  Trend and Symantec have added generic detection for the new unpatched vulnerability in Internet Explorer that Microsoft is working on a patch for.  McAfee and other AV vendors have recently added protection and it's beneficial to stay as up-to-date as possible and use the safest practices in email, IM, and web surfing.  Trend's Generic Protection http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=EXPL%5FTXTRANGE%2EA This is Trend Micro's detection for a zero-day exploit that takes advantage of a vulnerability in the createTextRange Method call process in Internet Explorer. Using the aforementioned method enables a user to create a text range within an object. This exploit causes an error in the mentioned text range, which is applied to a radio button control, allowing malicious Web sites to consume a large amount of an affected system's memory and to execute arbitrary codes on the system. It can also download and execute malicious codes on the system. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This poses a threat in which a lot of computers may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it. Symantec's Generic Protection http://www.sarc.com/avcenter/venc/data/bloodhound.exploit.61.html Bloodhound.Exploit.61 is a heuristic detection for the Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability (BID 17196). Posted Mar 26 2006, 03:33 PM by hwaldron with no comments

• IE CreateTextRange vulnerability - Status from Microsoft

  Microsoft is working on a security update targeted for the April updates. Quality and testing are important as IE is a very complex product to patch.  This security patch could be released sooner if needed. IE CreateTextRange vulnerability - Status from Microsoft http://blogs.technet.com/msrc/archive/2006/03/25/423116.aspx Posted Mar 25 2006, 11:23 AM by hwaldron with no comments

• IE CreateTextRange vulnerability - New trojans emerge

  A few overnight developments are summarized below: JS_DLOADER.BXR http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FDLOADER%2EBXR&VSect=T This malicious JavaScript is a zero-day exploit that takes advantage of a vulnerability in the createTextRange Method call process in Internet Explorer. A text range enables a user to modify text within an object. This JavaScript causes an error in the mentioned text range, which is applied to a radio button control, allowing malicious Web sites to consume a large amount of an affected system's memory and this JavaScript to execute arbitrary codes on the machine. It should be noted that zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose as a dangerous situation in which a lot of computers may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it. Thus, Trend Micro recommends that users avoid visiting Web sites of questionable origin to help prevent possible infection of this malware. Downloader-AVK - IE CreateTxtRange based trojan http://vil.nai.com/vil/content/v_139048.htm This trojan was discovered in connection with the Exploit-CreateTxtRng trojan .  A hacked webserver contains exploit script, which results in a file named ca.exe being downloaded from another hacked webserver.  ca.exe is Downloader-AVK  This trojan simply attempts to download an execute another trojan calc.exe from the same compromised webserver.  calc.exe is a new password stealing trojan, PWS-PartyPooper . PWS-PartyPooper http://vil.mcafeesecurity.com/vil/content/v_139049.htm This trojan was discovered in connection with the Downloader-AVK trojan , which was installed via the Exploit-CreateTxtRng trojan.  This password stealing trojan scans your system for stored passwords and monitors the websites that you visit for the purpose of sending all this information to the trojan author/distributor. The following is an advisory reflecting the latest information and guidance by Microsoft: Microsoft Security Advisory (917077) -Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution http://www.microsoft.com/technet/security/advisory/917077.mspx Posted Mar 25 2006, 11:01 AM by hwaldron with no comments

• IE Vulnerability - ISC back to Green and one dozen infected sites reported

  IE Vulnerability - ISC back to Green with 12 sites reported so far http://www.incidents.org/diary.php?storyid=1216 QUOTE: We have decided to return the InfoCon to green for the start of the weekend.  We feel that everyone that is going to has reacted to the latest exploit for IE and wanted to start the weekend in normal mode.  We do want to remind everyone however that this is a serious problem.  We have received information that at least a dozen sites exist out there that are working the exploits.   Posted Mar 24 2006, 07:58 PM by hwaldron with no comments

• Internet Explorer Vulnerability - McAfee has provided enhanced protection

  McAfee and other AV vendors are adding enhanced protection to cover some of the exploits that are begining to emerge in the wild. Internet Explorer Vulnerability - McAfee has provided enhanced protection http://vil.nai.com/vil/content/v_139047.htm Quote: -- Update March 24, 2006 --  The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://news.com.com/Dangerous+code+on+Net+could+be+used+to+exploit+IE+hole/2100-1002_3-6053456.html?tag=cd.top An EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page (the cmd-line scanner / email / gateway restrictions are not present in the extra.dat file. However, scanning for unknown macro and script viruses must be enabled). This detection covers code attempting to exploit a Microsoft Internet Explorer "createTextRange()" Code Execution vulnerability. This exploit was first seen on March 22, 2006 in Denial of Service (DoS) form. On March 23, 2006, code execution exploits began to appear. The 4726 DAT files contain enhanced JS/Exploit-BO.gen detection to cover those code execution exploits. This detection covers code attempting to exploit a Microsoft Internet Explorer "createTextRange()" Code Execution vulnerability. This exploit was first seen on March 22, 2006 in Denial of Service (DoS) form. On March 23, 2006, code execution exploits began to appear. The 4726 DAT files contain enhanced JS/Exploit-BO.gen detection to cover those code execution exploits. Posted Mar 24 2006, 05:33 PM by hwaldron with no comments

• Microsoft Security Advisory 917077 for IE vulnerabilities

  Microsoft issued an advisory last night to respond to the new unpatched Internet Explorer vulnerability and Proof of Code exploit developments.  We should be careful with websites, keep AV protection updated, and watch for an upcoming patch or other solutions. Microsoft Security Advisory (917077) Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution http://www.microsoft.com/technet/security/advisory/917077.mspx OVERVIEW Microsoft has confirmed new public reports of a vulnerability in Microsoft Internet Explorer. Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user. We have seen examples of proof of concept code but we are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time. WHAT CAUSES THREAT? When Internet Explorer displays a Web page that contains certain unexpected method calls to HTML objects, system memory may be corrupted in such a way that an attacker could execute arbitrary code.  Specifically, the public postings discuss a potential behavior in Internet Explorer in the way that HTML objects may handle an unexpected createTextRange() method call to an HTML object. A Web page that is specially crafted to exploit this vulnerability will cause Internet Explorer to fail. As a result of this, system memory may be corrupted in such a way that an attacker could execute arbitrary code. SUGGESTED ACTIONS & WORKAROUNDS * Microsoft encourages users to exercise caution when they open e-mail messages and links in e-mail messages that come from untrusted sources. * Customers are encouraged to keep their antivirus software up to date. * Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet  and Local intranet security zones. * Set Internet and Local intranet security zone settings to "high" to prompt before Active Scripting in these zones. Posted Mar 24 2006, 05:41 AM by hwaldron with 1 comment(s)

• Internet Explorer Exploit in-the-wild - ISC yellow alert

  Due to PoC exploits that can be easily crafted into more dangerous attacks, the Internet Storm Center has declared a Yellow Alert.  Be very cautious with all URLs in emails, IM messages, and on the web. Internet Explorer Exploit in-the-wild - ISC yellow alert http://isc.sans.org/diary.php?storyid=1212 Original Advisory http://secunia.com/advisories/18680/   Posted Mar 23 2006, 04:46 PM by hwaldron with no comments

• Real Player - Critical Security Updates

  If you use Real Player or Rhapsody, there are critical security updates that should be applied as soon as possible. http://service.real.com/realplayer/security/03162006_player/en/ RealNetworks is making available product upgrades that contain security bug fixes. We have received no reports of any machines actually compromised as a result of the now-remedied vulnerabilities. http://secunia.com/advisories/19358/ Some vulnerabilities have been reported in various RealNetworks products, which can be exploited by malicious people to compromise a user's system. 1) A boundary error when processing SWF files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user's system. 2) A boundary error within the handling of web pages can be exploited via a specially crafted web page on a malicious server to cause a heap-based buffer overflow. This may allow execution of arbitrary code on the user's system. 3) A boundary error in the processing of MBC files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user's system. Posted Mar 23 2006, 10:23 AM by hwaldron with no comments

• Windows Vista - An inside Look by CNET

  This is one of the best in-depth overviews of what Microsoft's next generation Operating System will reflect.    I'm definitely anxious to try this out in the futre and we're saving up for a new family PC, so that we have the right hardware to enjoy the new graphics and other capabilities that are coming in early 2007.  Windows Vista - An inside Look by CNET Note - There are 4 pages for this in-depth article (use page links at bottom) http://news.com.com/An%2Binside%2Blook%2Bat%2BWindows%2BVista/2100%2D1043_3%2D6051736.html Windows Vista - Security & Networking Overview (page 3) http://news.com.com/An+inside+look+at+Windows+Vista+-+page+3/2100-1043_3-6051736-3.html?tag=st.num Some of the key summariries are quoted below, but the whole article is informative and worthwhile reading: Windows Desktop Manager The next version of Windows brings an end to 20 years of 2D desktop rendering. Windows Aero is actually just a theme, or skin type, used by the Desktop Windows Manager, a new graphical system built into Windows Presentation Foundation. While Windows Vista is Microsoft's DirectX 10 vehicle, the 3D Desktop Windows Manager requires only DirectX 9.0. The switch to 3D rendering means that Windows will now have a use for that fancy $400 graphics card on the desktop. Windows Aero Aero is Microsoft's new default 3D desktop theme. Gone are the bright blues and smooth color gradients of Windows XP. The new transparent Aero theme features subdued colors and unobtrusive, rounded corners ready for the Web 2.0 era. Transparencies and soft fade effects give Aero a polished look. The borders of each window blur objects lying under them, leaving the window you are working on in focus while giving you a hint of what lies beneath. It's all very pretty. Graphics card requirements Windows Vista doesn't have official minimum system requirements yet, but Microsoft has recommended at least 512MB of memory, a "modern" Intel or AMD processor and a DirectX 9.0 graphics card for the current Windows Vista Beta 1. You'll need to have the right hardware to get the full Windows Vista experience. Search Windows Vista was supposed to come with WinFS, a systemwide relational database designed to make file navigation more enjoyable than playing on your Xbox 360. Microsoft had to cut WinFS out of the release in order to meet the launch schedule, but it should be available as a download for both Windows Vista and Windows XP once it's released. A pervasive database lets users and programmers create deep relationships between files. Imagine instead of just finding a folder full of pictures, you could easily find pictures with only you in them, from specific dates, and even certain events--all at the same time. That's what WinFS is supposed to do. Organization Windows Vista will also let you save searches as a virtual folder. When you open the folder, it runs the search to populate the folder with items. By running the search in real-time, the virtual folder will be able to catch and display all the new files that meet the search criteria. Virtual folders don't recopy your files, so you can safely delete the virtual folder without losing any data. Microsoft's new metatag feature will help you better organize your files by allowing you to attach description "tags" to a file to make it easier to find and organize. Explorer Microsoft has overhauled the Windows Start Menu to make it easier to find and access programs. The left side of the menu displays the most recently used programs, and the All Programs menu selection at the bottom now transforms the entire left menu area into a program-navigation menu, instead of opening an unwieldy navigation menu that expands rightward. Security (see page 3 for indepth overview) If you've used Windows XP in the last few years, you know security hasn't exactly been its strong suit. Numerous folks have shown that an unprotected PC with a fresh install of Windows XP can be compromised within minutes of being connected to the Internet. Microsoft has released a series of security updates and service pack releases over the years, but it has been tough keeping up when all the black hats are gunning for you. You can find a plethora of antivirus, antispyware, and malware companies shilling their wares to make up for the inadequacies of the PC operating system. The new OS comes with an upgraded, built-in firewall, new user-access protocols, a more secure version of Internet Explorer, a new version of Windows Defender, and sports new features like parental controls, full-drive encryption, and device-driver blocking. For Windows Vista, Microsoft tweaked the user accounts to offer extra privileges, while reserving critical privileges for special use on the administrator account. Users should now be able to run all programs and change minor settings without being logged in as the administrator. To enhance security further, even if you log in as an administrator, Vista will automatically prompt the user for the proper credentials before continuing with a program's request. Networking Windows Vista will come with a completely reworked networking stack. The next-generation TCP/IP stack will work with IPv4 and IPv6, and will also support auto-tuning and quality-of-service features. Wireless traffic will receive numerous boosts in technology to better accommodate for lost packets, bad signals, and large amounts of electromagnetic interference. All these features boil down to better, more-consistent transfer rates for your existing Internet connection. DirectX 10 Microsoft rebuilt its Direct3D API from scratch for Windows Vista, and Direct3D10 will serve as the base for all future Direct3D innovations throughout the life span of the Windows Vista operating system.  Because the Direct3D10 foundation has to serve game developers through the next decade, Windows Vista will streamline and open up Direct3D with several forward-looking features that will help programmers create better games and get more performance out of PC hardware. Posted Mar 23 2006, 07:17 AM by hwaldron with no comments

• Rootkit.Hearse - New Password Stealing Trojan Horse

  A new password stealing trojan horse has emerged that uses rootkit techniques to hide from AV products and it transmits passwords from websites allowing security to be compromised. The old axiom of "Think before you click" is always important for URLs in email, IM, or when surfing the Internet. Rootkit.Hearse - Article on Dangers http://www.pcadvisor.co.uk/news/index.cfm?newsid=5869 Rootkit.Hearse - Related AV links http://vil.nai.com/vil/content/v_138991.htm http://secunia.com/virus_information/27816/pws-banker.be/ http://www.f-secure.com/v-descs/hearse_a.shtml http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FHEARSE%2EA http://securityresponse.symantec.com/avcenter/venc/data/trojan.goldun.k.html Security researchers at Sana Security are warning of a new type of malicious software designed to steal usernames and passwords from web surfers. The malware, dubbed "rootkit.hearse", uses rootkit-cloaking techniques, making it extremely difficult to detect. To steal information, however, the software must first be downloaded on to a user's system. This can be done by tricking the user into downloading the malicious code, or by infecting a computer with some other form of malware. Once installed, it sends the sensitive information to a server in Russia, that appears to have been in operation since 16 March, Sana said. The software has two components: a Trojan horse application that communicates with the Russian server, as well as rootkit software that cloaks the malicious software from system tools and antivirus programs. Sana has observed the software being downloaded in conjunction with the Win32.Alcra worm. Posted Mar 23 2006, 07:06 AM by hwaldron with no comments

• Gurong.A - New MyDoom variant using Rootkit techniques

  The latest version of the MyDoom virus may now be using rootkit techniques to stay hidden better from AV software.  Developments should be carefully watched. Gurong.A - New MyDoom variant using Rootkit techniques http://www.f-secure.com/v-descs/gurong_a.shtml http://www.f-secure.com/weblog/archives/archive-032006.html#00000838 QUOTE: Yesterday we received an interesting email-worm sample, detected as Gurong.a, that uses rootkit techniques to hide its file, process and launch point in the registry. It is based on the infamous Mydoom code and it is in the wild but currently spreading very slowly. Gurong.a modifies the operating system kernel, specifically the system service table and process object structures, so it is a kernel-mode rootkit. What makes it different from other kernel-mode rootkits we have seen is the way it installs the rootkit payload into kernel. Often malware uses a special purpose driver or the physical memory device to modify the kernel from user mode. F-Secure's Blacklight Tool helps find Rootkits http://www.f-secure.com/blacklight/ Posted Mar 23 2006, 06:26 AM by hwaldron with no comments

• Trojan.Azwiz.F - New trojan horse uses Rootkit approach

  This is one of three new rootkit approaches being documented this morning.  Hopefully, 2006 won't be the year of the Rootkit. Trojan.Azwiz.F - New trojan horse uses Rootkit approach  http://securityresponse.symantec.com/avcenter/venc/data/trojan.abwiz.f.html Trojan.Abwiz.F is a Trojan horse with rootkit abilities that downloads and executes remote files and sends confidential computer information to a remote attacker. The Trojan also allows a remote attacker to perform various unauthorized actions on the compromised computer. Posted Mar 23 2006, 06:21 AM by hwaldron with no comments

• New Internet Explorer Security Issue - create text range vulnerability

  A newly discovered Internet Explorer security issue has surfaced, but so far there are no known exploits.  Everyone should be careful with email links or websites with any browser.  New Internet Explorer Security Issue - create text range vulnerability http://secunia.com/advisories/18680/ http://www.incidents.org/diary.php?storyid=1209 Rating: Highly critical Impact: System access Where: From remote Solution Status: Unpatched  Software: Microsoft Internet Explorer 6.x, 7 preview   Description:  Secunia Research has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error in the processing of the "createTextRange()" method call applied on a radio button control. This can be exploited by e.g. a malicious web site to corrupt memory in a way, which allows the program flow to be redirected to the heap. Successful exploitation allows execution of arbitrary code. The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview. Other versions may also be affected. Solution: Do not visit untrusted web sites. Posted Mar 22 2006, 08:20 PM by hwaldron with no comments

• Firefox 2.0 Alpha version (aka Bon Echo) made public for testing

  A new "alpha" version of Firefox 2.0 was made public for testing today.  This is also known as "Bon Echo".   As I enjoy working with any type of computer technology, I had to try this new version.  So far it's been working very smoothly for me, as I had a simplified Firefox 1.5.0.1 environment with no themes or extensions (in fact I use my own menu based web pages in lieu of bookmarks).   Anyone wishing to test this should have a good working knowledge of Firefox and how to resolve any issues, as there is no support for the new alpha version.  This 1st release is intended for IT professionals, web developers, and experienced individuals. Firefox 2.0 alpha set for release http://msn.com.com/2100-3513_22-6052412.html Firefox 2.0 - Recommendations from the Wiki site: http://wiki.mozilla.org/Places#Goals_.26_Objectives Firefox 2.0 - Release notes http://www.mozilla.org/projects/bonecho/releases/2.0a1.html Firefox 2.0 - Download and installation instructions http://www.mozillazine.org/talkback.html?article=8146 Bon Echo Alpha 1 is a developer preview release of our next generation Firefox browser and it is being made available for testing purposes only. Bon Echo Alpha 1 is intended for web application developers and our testing community. Current users of Mozilla Firefox 1.x should not use Bon Echo Alpha 1. Posted Mar 22 2006, 05:36 PM by hwaldron with no comments

• MyDoom.BK - New advanced virus variant

  This is a new variant from one of the most advanced virus families.  Hopefully, it will not spread extensively in the wild. MyDoom.BK - New advanced virus variant http://secunia.com/virus_information/27791/mydoom.bk/ http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYDOOM%2EBK&VSect=T This worm propagates via email using its own SMTP (Simple Mail Transfer Protocol) engine. Through this SMTP engine, it is able to easily send the said email message even without using other mailing applications Subject: (Any of the following) • {Random characters} • Greetings! • Hello friend ;) • Hey dear! • Hey! How are you doing bud? • Re: Hello • Re: I got it! Try it now! • Re[2]: wazzup bro • Wazzap bro!! These copies may use any of the following extension names: COM EXE PIF TXT {Spaces}.SCR TXT{Spaces}.EXE TXT{Spaces}.PIF ZIP Posted Mar 21 2006, 07:39 PM by hwaldron with no comments

• Renama.A -- Replies to Outlook email messages and uses ZIP files

  Renama.A can reply to Outlook emails (so it looks more legitimate than regular spam) & it uses ZIP attachments. It can also spread across unprotected network shares.    QUOTE: This new virus goes through the MS Outlook inbox, and replies to any emails found. The email will have the following properties: Subject - One of the following: [NAME], your name is listed in terrorism organisation..!!! [NAME], this file from me (%s) *** Note: [NAME] is taken from the contents of the user's emails. Message - One of the following: 1. if you are not sure, please read attachment bellow, and please reply to me..!!! this message is very urgent..!!!! hope we don't have miss understanding thank's...!!! 2.This attachment contain listname of terrorist..!!! hope you can be carrefull if you find one of them..!!!! or you can reply this email to me after you read the attachment thank's...!!! Attachment: [RANDOM].zip Renama.A: Replies to email & uses ZIP files http://secunia.com/virus_information/27783/renama.a/ http://www.sarc.com/avcenter/venc/data/w32.renama.a@mm.html Posted Mar 21 2006, 01:48 PM by hwaldron with no comments

• Microsoft - How to submit Virus and Spyware samples

  The following links provide instructions on how to submit malware samples to Microsoft.  This also includes emails with hostile URLs, viruses, spyware samples, or anything of a suspicious nature. http://www.incidents.org/diary.php?storyid=1205 If you encounter some nastiness that you'd like to see Microsoft include in their monthly MRT updates send email to the following Microsoft email addresses depending on sample type, Please use the AV industry standard password for malware samples of 'infected' to protect a zip or rar file containing your submitted sample. http://silverstr.ufies.org/blog/archives/000931.html QUOTE: Microsoft has recently streamlined their process for receiving samples of malicious software or spyware ... Samples sent to the following addresses will be automatically processed into the Microsoft Antimalware Team analysis queue: avsubmit@submit.microsoft.com (virus/worm/trojan/etc samples) windefend@submit.microsoft.com (spyware samples) Posted Mar 21 2006, 06:45 AM by hwaldron with no comments

• Sony DRM Rootkit -- Lessons Learned

  An excellent writeup featured at Princeton Universities website. http://itpolicy.princeton.edu/pub/sonydrm-ext.pdf Posted Mar 20 2006, 07:08 PM by hwaldron with no comments

• Macromedia Flash - Important Security Update

  All users who have Macromedia Flash installed should update to the latest version 8.0.24.0, which includes some new security protective patches. CERT: Mulitiple Vulnerabilities in Adobe Macromedia Flash http://www.us-cert.gov/current/current_activity.html#flashvul Flash Security Bulletin http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html Microsoft Security Advisory http://www.microsoft.com/technet/security/advisory/916208.mspx US-CERT is aware of several vulnerabilities in Adobe Macromedia Flash products. A system may be compromised if a user accesses a web page that references a specially crafted Flash (SWF) file. Successful exploitation may allow a remote attacker to execute arbitrary code with the privileges of the user. We are not aware of any public exploits at this time. Adobe recommends all Flash Player 8.0.22.0 and earlier users upgrade to the new version 8.0.24.0, which can be downloaded from the Player Download Center. For customers that cannot upgrade to Flash Player 8, please refer to the Flash Player 7 update TechNote. Posted Mar 20 2006, 07:07 PM by hwaldron with no comments

• phpBB Hack - bot registering user name FuntKlakow

  phpBB site administrators should carefully look for the presence of this user account.  Recently administrators have added percautions, as many sites have also enhanced their registration procedures (e.g., graphical controls).  Potential phpBB Hack Coming? http://www.incidents.org/diary.php?storyid=1201 QUOTE: During the last few days a bot using a name FuntKlakow, has been registering to maybe thousands of phpBB forums. Some speculate that the bot's owners are preparing to exploit an unreported vulnerability Posted Mar 20 2006, 07:07 PM by hwaldron with no comments

• Internet Explorer - New 0 Day Exploit in the wild

  The Internet will never be a trustworthy environment and we always need to be careful with email, IM, and websites.  A new unpatched vulnerability has surfaced when can crash IE and more developments could occur.  Please be careful with all sites you visit. http://www.incidents.org/diary.php?storyid=1198 QUOTE: There is a new and unpatched vulnerability with exploit code in the wild that affects the latest version of IE.  The exploit works by including an abnormally large (a couple thousand) number of script actions inside a single HTML tag.  This will cause a memory array to write out of bounds and cause an immediate or eventual browser crash.  Both McAfee and Symantec have released signatures to detect this exploit.  While this is only a DoS vulnerability at the moment, there is ongoing attempts to try to use this as a vector for remote code execution. McAfee and other AV vendors are adding detection, so please keep your AV software up-to-date with the latest virus signature files. http://vil.nai.com/vil/content/v_138956.htm http://secunia.com/virus_information/27704/htmlscriptact.a/ QUOTE: This detection covers malicious HTML files/messages that attempt to exploit a 0-day, buffer overflow vulnerability in the MSIE script action handler.  Proof of concept code was posted to the web recently that results in a denial of service attack (crash) against Microsoft Internet Explorer browsers.   Posted Mar 20 2006, 07:06 PM by hwaldron with no comments

• Phishing Messages May Include Highly-Personalized Information

  As shared by the Internet Storm Center, phishing attacks are growing in sophistication. Phishing Messages May Include Highly-Personalized Information http://www.incidents.org/diary.php?storyid=1194 Some ideas to prevent phishing attacks: 1. Treat every piece of email very carefully as if it were a telemarketing call 2. Always keep in mind that banks typically don't notify via email. They'll see a postal letter or call if there are real issues 3. Call someone up at the bank or other firm to see if it's legitimate 4. Avoid sharing any confidential information via email (or even websites - unless you are absolutely certain you're safe) 5. Besides these best practices, keep your technological defenses, (e.g., AV, FW, and Antispyware) fully enabled and up-to-date Posted Mar 17 2006, 05:05 PM by hwaldron with no comments

• MSIL.Cxover.A - New POC worm can infect both PCs and mobile devices

  This particiular version is just a proof-of-concept worm, with no danger in the payload.  Hopefully, this won't be something the bad guys will exploit in the future. MSIL.Cxover.A - New POC worm can infect both PCs and mobile devices http://secunia.com/virus_information/27631/cxover.a/ MSIL.Cxover.A is a proof-of-concept worm written in Microsoft .NET's Microsoft Intermediate Language (MSIL) that can affect both Windows PC and Windows Mobile powered devices that have the .NET framework installed. Trend has a good write-up with diagrams http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FCXOVER%2EA Posted Mar 16 2006, 12:53 PM by hwaldron with no comments

• Today must be the start of phishing season

  Either CA is catching up with in-the-wild threats or there are a bunch of new ones surfacing.  The bottom line is to never "do business", e-commerce transactions , or any updates based on an email message.  http://secunia.com/virus_information/ LIST FROM MARCH 16th .... - HTML/Phishbank.AGM Reported by Computer Associates   - HTML/Phishbank.AGO Reported by Computer Associates   - HTML/Phishbank.AGP Reported by Computer Associates   - HTML/Phishbank.AGN Reported by Computer Associates   - HTML/Phishbank.AGH Reported by Computer Associates   - HTML/Phishbank.AGI Reported by Computer Associates   - HTML/Phishbank.AGL Reported by Computer Associates Posted Mar 16 2006, 07:08 AM by hwaldron with no comments

• New Check is in the Mail scam in local area

  This week, our local warned of new scam that is circulating in our area.  Some folks have already been impacted TECHNIQUE: Victim receives a letter in their postal mail with what appears to be a check receipt in their name for $978.  The letter states that the company needs their bank account info in order to deposit this.  They are provided with a telephone # to call in their banking information.  Most likely the scammers are using anonymous disposable cell phones type with paid up minutes.  This type of fraud occurs regularly and parallels social engineering schemes used by cyber-crooks. Posted Mar 16 2006, 06:53 AM by hwaldron with no comments

• Bank Safe Online - Excellent Security Awareness Site

  This is an excellent site devoted to Internet Safety and best practices in e-commerce.    http://www.banksafeonline.org.uk/ Bank Safe Online sets out simple steps you can take to help keep safe online. We also provide you with updates on the latest scams, and enable you to report any suspicious emails or websites to us direct. Below are some good informational links from this site: Types of scams Spotting scams Protecting yourself Frequently asked questions Helpful sites Tips for staying safe online Additional protective measures for safe online banking... Download our printable guide Top tips for safe online banking and shopping. Posted Mar 11 2006, 08:13 AM by hwaldron with no comments

• McAfee - DAT 4715 False positive fixed with 4716

  DAT 4716 was released to quickly address scanning errors that created false positive issues in release 4715.  The CTX virus was being detected for files that truly aren't infected with a virus. http://www.incidents.org/diary.php?storyid=1179 Posted Mar 10 2006, 08:39 PM by hwaldron with no comments

• Hotmatom Worm - New MSN Hotmail based worm deletes files

  This is a worm written in VB with the following characteristics: 1. The worm attempts to lure victims to follow a URL link, in so doing downloading a copy of it, and infecting themselves. It monitors Internet Explorer windows in order to detect when a new message is being created within MSN Hotmail. 2. The worm monitors browser window to detect when MSN hotmail is being used for sending new mail, and inserts text to such messages, which contains a URL from where the worm is downloaded if the recipient clicks on the link. 3. It deletes files on the root of C: and A:, and copies itself there in place of those files, appending a .EXE file extension[/quote] Hotmatom Worm - New MSN Hotmail based worm deletes files http://secunia.com/virus_information/27456/hotmatom/ http://vil.nai.com/vil/content/v_138829.htm http://www.sarc.com/avcenter/venc/data/w32.hotmatom.html Posted Mar 08 2006, 07:00 AM by hwaldron with no comments