myITforum.com, Inc.


Harry Waldron - My IT Forums Blog

Sharing Security Developments, and Best Practices for corporate and home users

March 2006 - Posts

  • DAT 4726 - False Positive Issue with Dollar Revenue detection

    This McAfee AV False Positive Issue was limited in scope, but users could encounter it on a few files and moving to the latest DAT files solves this.

    DAT 4726 - False Positive Issue with Dollar Revenue detection
    http://secunia.com/virus_information/27941/dollarrevenue/

    The 4726 DAT files contain an incorrect identification on a limited number of executables. This was corrected in the 4727 DAT files. If McAfee users are seeing a Dollar Revenue detection, ensure that you are running the latest DAT files.

  • CERT 876678 - Microsoft Internet Explorer createTextRange vulnerability

      CERT has issued the following bulletin with information and links related to the new unpatched vulnerabilities recently discovered in Internet Explorer.

    http://www.kb.cert.org/vuls/id/876678

    Disable Active Scripting

    Known attack vectors for this vulnerability require Active Scripting to be enabled. By disabling Active Scripting, the chances of exploitation are reduced. For instructions on how to disable Active Script in Internet Explorer, please refer to the Internet Explorer section of the Securing Your Web Browser document.

    Additional workarounds are available in Microsoft Security Advisory 917077.

  • IE CreateTextRange vulnerability - Trend and Symantec provide generic protection

      Trend and Symantec have added generic detection for the new unpatched vulnerability in Internet Explorer that Microsoft is working on a patch for.  McAfee and other AV vendors have recently added protection and it's beneficial to stay as up-to-date as possible and use the safest practices in email, IM, and web surfing. 

    Trend's Generic Protection

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=EXPL%5FTXTRANGE%2EA

    This is Trend Micro's detection for a zero-day exploit that takes advantage of a vulnerability in the createTextRange Method call process in Internet Explorer. Using the aforementioned method enables a user to create a text range within an object.

    This exploit causes an error in the mentioned text range, which is applied to a radio button control, allowing malicious Web sites to consume a large amount of an affected system's memory and to execute arbitrary codes on the system. It can also download and execute malicious codes on the system.

    Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This poses a threat in which a lot of computers may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.

    Symantec's Generic Protection
    http://www.sarc.com/avcenter/venc/data/bloodhound.exploit.61.html

    Bloodhound.Exploit.61 is a heuristic detection for the Microsoft Internet Explorer CreateTextRange Remote Code Execution Vulnerability (BID 17196).

  • IE CreateTextRange vulnerability - Status from Microsoft

      Microsoft is working on a security update targeted for the April updates. Quality and testing are important as IE is a very complex product to patch.  This security patch could be released sooner if needed.

    IE CreateTextRange vulnerability - Status from Microsoft
    http://blogs.technet.com/msrc/archive/2006/03/25/423116.aspx

  • IE CreateTextRange vulnerability - New trojans emerge

    A few overnight developments are summarized below:

    JS_DLOADER.BXR
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FDLOADER%2EBXR&VSect=T

    This malicious JavaScript is a zero-day exploit that takes advantage of a vulnerability in the createTextRange Method call process in Internet Explorer. A text range enables a user to modify text within an object. This JavaScript causes an error in the mentioned text range, which is applied to a radio button control, allowing malicious Web sites to consume a large amount of an affected system's memory and this JavaScript to execute arbitrary codes on the machine.

    It should be noted that zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose as a dangerous situation in which a lot of computers may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it. Thus, Trend Micro recommends that users avoid visiting Web sites of questionable origin to help prevent possible infection of this malware.

    Downloader-AVK - IE CreateTxtRange based trojan
    http://vil.nai.com/vil/content/v_139048.htm

    This trojan was discovered in connection with the Exploit-CreateTxtRng trojan. A hacked webserver contains exploit script, which results in a file named ca.exe being downloaded from another hacked webserver. ca.exe is Downloader-AVK. This trojan simply attempts to download and execute another trojan, calc.exe, from the same compromised webserver. calc.exe is a new password stealing trojan, PWS-PartyPooper.

    PWS-PartyPooper
    http://vil.mcafeesecurity.com/vil/content/v_139049.htm

    This trojan was discovered in connection with the Downloader-AVK trojan, which was installed via the Exploit-CreateTxtRng trojan. This password stealing trojan scans your system for stored passwords and monitors the websites that you visit for the purpose of sending all this information to the trojan author/distributor.

    The following is an advisory reflecting the latest information and guidance by Microsoft:

    Microsoft Security Advisory (917077) - Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution
    http://www.microsoft.com/technet/security/advisory/917077.mspx

  • IE Vulnerability - ISC back to Green and one dozen infected sites reported

    IE Vulnerability - ISC back to Green with 12 sites reported so far
    http://www.incidents.org/diary.php?storyid=1216

    QUOTE: We have decided to return the InfoCon to green for the start of the weekend.  We feel that everyone that is going to has reacted to the latest exploit for IE and wanted to start the weekend in normal mode. 

    We do want to remind everyone however that this is a serious problem.  We have received information that at least a dozen sites exist out there that are working the exploits.


  • Internet Explorer Vulnerability - McAfee has provided enhanced protection

      McAfee and other AV vendors are adding enhanced protection to cover some of the exploits that are beginning to emerge in the wild.

    Internet Explorer Vulnerability - McAfee has provided enhanced protection
    http://vil.nai.com/vil/content/v_139047.htm

    Quote: -- Update March 24, 2006 --  The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

    http://news.com.com/Dangerous+code+on+Net+could+be+used+to+exploit+IE+hole/2100-1002_3-6053456.html?tag=cd.top

    An EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page (the cmd-line scanner / email / gateway restrictions are not present in the extra.dat file. However, scanning for unknown macro and script viruses must be enabled).

    This detection covers code attempting to exploit a Microsoft Internet Explorer "createTextRange()" Code Execution vulnerability. This exploit was first seen on March 22, 2006 in Denial of Service (DoS) form. On March 23, 2006, code execution exploits began to appear. The 4726 DAT files contain enhanced JS/Exploit-BO.gen detection to cover those code execution exploits.

  • Microsoft Security Advisory 917077 for IE vulnerabilities

      Microsoft issued an advisory last night to respond to the new unpatched Internet Explorer vulnerability and the proof-of-concept exploit developments.  We should be careful with websites, keep AV protection updated, and watch for an upcoming patch or other solutions.

    Microsoft Security Advisory (917077)
    Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution
    http://www.microsoft.com/technet/security/advisory/917077.mspx

    OVERVIEW

    Microsoft has confirmed new public reports of a vulnerability in Microsoft Internet Explorer. Based on our investigation, this vulnerability could allow an attacker to execute arbitrary code on the user's system in the security context of the logged-on user. We have seen examples of proof of concept code but we are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.

    WHAT CAUSES THREAT?

    When Internet Explorer displays a Web page that contains certain unexpected method calls to HTML objects, system memory may be corrupted in such a way that an attacker could execute arbitrary code.  Specifically, the public postings discuss a potential behavior in Internet Explorer in the way that HTML objects may handle an unexpected createTextRange() method call to an HTML object. A Web page that is specially crafted to exploit this vulnerability will cause Internet Explorer to fail. As a result of this, system memory may be corrupted in such a way that an attacker could execute arbitrary code.

    SUGGESTED ACTIONS & WORKAROUNDS

    * Microsoft encourages users to exercise caution when they open e-mail messages and links in e-mail messages that come from untrusted sources.

    * Customers are encouraged to keep their antivirus software up to date.

    * Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet  and Local intranet security zones.

    * Set Internet and Local intranet security zone settings to "high" to prompt before Active Scripting in these zones.
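The last two workarounds above are a registry setting that an administrator can audit across a fleet. The following is an added example (not part of the original post or of Microsoft's advisory) that parses the output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" /s /v 1400` and reports any zone where Active Scripting is still set to Enable. The zone numbers (1 = Local intranet, 3 = Internet) and the value 1400 with 0 = Enable, 1 = Prompt, 3 = Disable are Microsoft's documented layout; the sample `reg query` output below is constructed, not captured from a real machine. The change itself is still made through Internet Options or Group Policy; this script only checks it.

```python
import re

# IE security zone ids (Microsoft KB 182569): 1 = Local intranet, 3 = Internet
ZONE_NAMES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
              "3": "Internet", "4": "Restricted sites"}

# Registry value 1400 is the "Active scripting" URL action:
# 0 = Enable, 1 = Prompt, 3 = Disable
ACTIVE_SCRIPTING_VALUE = "1400"
SETTING_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}

ZONES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"

# Constructed sample of what `reg query "HKCU\...\Zones" /s /v 1400` prints.
# Here the Internet zone (3) still has Active Scripting enabled (0x0) and the
# Local intranet zone (1) is set to Prompt (0x1).
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1400    REG_DWORD    0x0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1400    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1400    REG_DWORD    0x0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    1400    REG_DWORD    0x0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1400    REG_DWORD    0x3
"""

_KEY_RE = re.compile(re.escape(ZONES_KEY) + r"\\(\d+)\s*$")
_VAL_RE = re.compile(r"\s*" + ACTIVE_SCRIPTING_VALUE + r"\s+REG_DWORD\s+0x([0-9a-fA-F]+)")


def parse_active_scripting(reg_output):
    """Return {zone_id: dword} for every zone key that carries a 1400 value."""
    settings = {}
    current_zone = None
    for line in reg_output.splitlines():
        key = _KEY_RE.match(line.strip())
        if key:
            current_zone = key.group(1)   # remember which zone the next values belong to
            continue
        val = _VAL_RE.match(line)
        if val and current_zone is not None:
            settings[current_zone] = int(val.group(1), 16)
    return settings


def audit_zones(settings, required=("1", "3")):
    """Check the zones named in the advisory (Local intranet, Internet).

    Returns (zone_id, zone_name, setting, compliant) tuples; a zone is
    compliant when Active Scripting is Prompt or Disable, not Enable.
    A zone with no explicit 1400 value falls back to IE's template default,
    so it is reported as 'missing' and treated as non-compliant.
    """
    findings = []
    for zone in required:
        name = ZONE_NAMES.get(zone, zone)
        value = settings.get(zone)
        if value is None:
            findings.append((zone, name, "missing", False))
        elif value == 0:
            findings.append((zone, name, "Enable", False))
        else:
            findings.append((zone, name, SETTING_NAMES.get(value, str(value)), True))
    return findings


if __name__ == "__main__":
    for zone, name, setting, ok in audit_zones(parse_active_scripting(SAMPLE_REG_OUTPUT)):
        print(f"zone {zone} ({name}): Active Scripting = {setting} -> {'ok' if ok else 'FIX'}")
```

On a real machine, pipe the `reg query` output into `parse_active_scripting`; the HKLM hive carries the same layout when zone settings are enforced machine-wide by policy.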

  • Internet Explorer Exploit in-the-wild - ISC yellow alert

    Due to PoC exploits that can be easily crafted into more dangerous attacks, the Internet Storm Center has declared a Yellow Alert.  Be very cautious with all URLs in emails, IM messages, and on the web.

    Internet Explorer Exploit in-the-wild - ISC yellow alert
    http://isc.sans.org/diary.php?storyid=1212

    Original Advisory
    http://secunia.com/advisories/18680/


  • Real Player - Critical Security Updates

    If you use Real Player or Rhapsody, there are critical security updates that should be applied as soon as possible.

    Real Customer Support

    http://service.real.com/realplayer/security/03162006_player/en/

    RealNetworks is making available product upgrades that contain security bug fixes. We have received no reports of any machines actually compromised as a result of the now-remedied vulnerabilities.

    http://secunia.com/advisories/19358/

    Some vulnerabilities have been reported in various RealNetworks products, which can be exploited by malicious people to compromise a user's system.

    1) A boundary error when processing SWF files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user's system.

    2) A boundary error within the handling of web pages can be exploited via a specially crafted web page on a malicious server to cause a heap-based buffer overflow. This may allow execution of arbitrary code on the user's system.

    3) A boundary error in the processing of MBC files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user's system.

  • Windows Vista - An inside Look by CNET

    This is one of the best in-depth overviews of what Microsoft's next generation Operating System will reflect.  I'm definitely anxious to try this out in the future and we're saving up for a new family PC, so that we have the right hardware to enjoy the new graphics and other capabilities that are coming in early 2007.

    Windows Vista - An inside Look by CNET
    Note - There are 4 pages for this in-depth article (use page links at bottom)
    http://news.com.com/An%2Binside%2Blook%2Bat%2BWindows%2BVista/2100%2D1043_3%2D6051736.html

    Windows Vista - Security & Networking Overview (page 3)
    http://news.com.com/An+inside+look+at+Windows+Vista+-+page+3/2100-1043_3-6051736-3.html?tag=st.num

    Some of the key summaries are quoted below, but the whole article is informative and worthwhile reading:

    Windows Desktop Manager
    The next version of Windows brings an end to 20 years of 2D desktop rendering. Windows Aero is actually just a theme, or skin type, used by the Desktop Windows Manager, a new graphical system built into Windows Presentation Foundation. While Windows Vista is Microsoft's DirectX 10 vehicle, the 3D Desktop Windows Manager requires only DirectX 9.0. The switch to 3D rendering means that Windows will now have a use for that fancy $400 graphics card on the desktop.

    Windows Aero
    Aero is Microsoft's new default 3D desktop theme. Gone are the bright blues and smooth color gradients of Windows XP. The new transparent Aero theme features subdued colors and unobtrusive, rounded corners ready for the Web 2.0 era. Transparencies and soft fade effects give Aero a polished look. The borders of each window blur objects lying under them, leaving the window you are working on in focus while giving you a hint of what lies beneath. It's all very pretty.

    Graphics card requirements
    Windows Vista doesn't have official minimum system requirements yet, but Microsoft has recommended at least 512MB of memory, a "modern" Intel or AMD processor and a DirectX 9.0 graphics card for the current Windows Vista Beta 1. You'll need to have the right hardware to get the full Windows Vista experience.

    Search
    Windows Vista was supposed to come with WinFS, a systemwide relational database designed to make file navigation more enjoyable than playing on your Xbox 360. Microsoft had to cut WinFS out of the release in order to meet the launch schedule, but it should be available as a download for both Windows Vista and Windows XP once it's released. A pervasive database lets users and programmers create deep relationships between files. Imagine instead of just finding a folder full of pictures, you could easily find pictures with only you in them, from specific dates, and even certain events--all at the same time. That's what WinFS is supposed to do.

    Organization
    Windows Vista will also let you save searches as a virtual folder. When you open the folder, it runs the search to populate the folder with items. By running the search in real-time, the virtual folder will be able to catch and display all the new files that meet the search criteria. Virtual folders don't recopy your files, so you can safely delete the virtual folder without losing any data. Microsoft's new metatag feature will help you better organize your files by allowing you to attach description "tags" to a file to make it easier to find and organize.

    Explorer
    Microsoft has overhauled the Windows Start Menu to make it easier to find and access programs. The left side of the menu displays the most recently used programs, and the All Programs menu selection at the bottom now transforms the entire left menu area into a program-navigation menu, instead of opening an unwieldy navigation menu that expands rightward.

    Security (see page 3 for in-depth overview)
    If you've used Windows XP in the last few years, you know security hasn't exactly been its strong suit. Numerous folks have shown that an unprotected PC with a fresh install of Windows XP can be compromised within minutes of being connected to the Internet. Microsoft has released a series of security updates and service pack releases over the years, but it has been tough keeping up when all the black hats are gunning for you. You can find a plethora of antivirus, antispyware, and malware companies shilling their wares to make up for the inadequacies of the PC operating system.

    The new OS comes with an upgraded, built-in firewall, new user-access protocols, a more secure version of Internet Explorer, a new version of Windows Defender, and sports new features like parental controls, full-drive encryption, and device-driver blocking.

    For Windows Vista, Microsoft tweaked the user accounts to offer extra privileges, while reserving critical privileges for special use on the administrator account. Users should now be able to run all programs and change minor settings without being logged in as the administrator. To enhance security further, even if you log in as an administrator, Vista will automatically prompt the user for the proper credentials before continuing with a program's request.

    Networking
    Windows Vista will come with a completely reworked networking stack. The next-generation TCP/IP stack will work with IPv4 and IPv6, and will also support auto-tuning and quality-of-service features. Wireless traffic will receive numerous boosts in technology to better accommodate for lost packets, bad signals, and large amounts of electromagnetic interference. All these features boil down to better, more-consistent transfer rates for your existing Internet connection.

    DirectX 10
    Microsoft rebuilt its Direct3D API from scratch for Windows Vista, and Direct3D10 will serve as the base for all future Direct3D innovations throughout the life span of the Windows Vista operating system.  Because the Direct3D10 foundation has to serve game developers through the next decade, Windows Vista will streamline and open up Direct3D with several forward-looking features that will help programmers create better games and get more performance out of PC hardware.

  • Rootkit.Hearse - New Password Stealing Trojan Horse

    A new password stealing trojan horse has emerged that uses rootkit techniques to hide from AV products and transmits passwords captured from websites, allowing those accounts to be compromised. The old axiom of "Think before you click" is always important for URLs in email, IM, or when surfing the Internet.

    Rootkit.Hearse - Article on Dangers
    http://www.pcadvisor.co.uk/news/index.cfm?newsid=5869

    Rootkit.Hearse - Related AV links
    http://vil.nai.com/vil/content/v_138991.htm
    http://secunia.com/virus_information/27816/pws-banker.be/
    http://www.f-secure.com/v-descs/hearse_a.shtml
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FHEARSE%2EA
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.goldun.k.html

    Security researchers at Sana Security are warning of a new type of malicious software designed to steal usernames and passwords from web surfers. The malware, dubbed "rootkit.hearse", uses rootkit-cloaking techniques, making it extremely difficult to detect.

    To steal information, however, the software must first be downloaded on to a user's system. This can be done by tricking the user into downloading the malicious code, or by infecting a computer with some other form of malware. Once installed, it sends the sensitive information to a server in Russia that appears to have been in operation since 16 March, Sana said.

    The software has two components: a Trojan horse application that communicates with the Russian server, as well as rootkit software that cloaks the malicious software from system tools and antivirus programs. Sana has observed the software being downloaded in conjunction with the Win32.Alcra worm.

  • Gurong.A - New MyDoom variant using Rootkit techniques

    The latest version of the MyDoom virus may now be using rootkit techniques to stay hidden better from AV software.  Developments should be carefully watched.

    Gurong.A - New MyDoom variant using Rootkit techniques
    http://www.f-secure.com/v-descs/gurong_a.shtml
    http://www.f-secure.com/weblog/archives/archive-032006.html#00000838

    QUOTE: Yesterday we received an interesting email-worm sample, detected as Gurong.a, that uses rootkit techniques to hide its file, process and launch point in the registry. It is based on the infamous Mydoom code and it is in the wild but currently spreading very slowly.

    Gurong.a modifies the operating system kernel, specifically the system service table and process object structures, so it is a kernel-mode rootkit. What makes it different from other kernel-mode rootkits we have seen is the way it installs the rootkit payload into kernel. Often malware uses a special purpose driver or the physical memory device to modify the kernel from user mode.

    F-Secure's Blacklight Tool helps find Rootkits
    http://www.f-secure.com/blacklight/

  • Trojan.Abwiz.F - New trojan horse uses Rootkit approach

    This is one of three new rootkit approaches being documented this morning.  Hopefully, 2006 won't be the year of the Rootkit.

    Trojan.Abwiz.F - New trojan horse uses Rootkit approach
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.abwiz.f.html

    Trojan.Abwiz.F is a Trojan horse with rootkit abilities that downloads and executes remote files and sends confidential computer information to a remote attacker. The Trojan also allows a remote attacker to perform various unauthorized actions on the compromised computer.

  • New Internet Explorer Security Issue - create text range vulnerability

      A newly discovered Internet Explorer security issue has surfaced, but so far there are no known exploits.  Everyone should be careful with email links or websites with any browser. 

    New Internet Explorer Security Issue - create text range vulnerability
    http://secunia.com/advisories/18680/
    http://www.incidents.org/diary.php?storyid=1209

    Rating: Highly critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched 
    Software: Microsoft Internet Explorer 6.x, 7 preview

    Description:  Secunia Research has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error in the processing of the "createTextRange()" method call applied on a radio button control. This can be exploited by e.g. a malicious web site to corrupt memory in a way, which allows the program flow to be redirected to the heap.

    Successful exploitation allows execution of arbitrary code. The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview. Other versions may also be affected.

    Solution: Do not visit untrusted web sites.

  • Firefox 2.0 Alpha version (aka Bon Echo) made public for testing

      A new "alpha" version of Firefox 2.0 was made public for testing today.  This is also known as "Bon Echo".   As I enjoy working with any type of computer technology, I had to try this new version.  So far it's been working very smoothly for me, as I had a simplified Firefox 1.5.0.1 environment with no themes or extensions (in fact I use my own menu based web pages in lieu of bookmarks).  

    Anyone wishing to test this should have a good working knowledge of Firefox and how to resolve any issues, as there is no support for the new alpha version.  This 1st release is intended for IT professionals, web developers, and experienced individuals.

    Firefox 2.0 alpha set for release
    http://msn.com.com/2100-3513_22-6052412.html

    Firefox 2.0 - Recommendations from the Wiki site:
    http://wiki.mozilla.org/Places#Goals_.26_Objectives

    Firefox 2.0 - Release notes
    http://www.mozilla.org/projects/bonecho/releases/2.0a1.html

    Firefox 2.0 - Download and installation instructions
    http://www.mozillazine.org/talkback.html?article=8146

    Bon Echo Alpha 1 is a developer preview release of our next generation Firefox browser and it is being made available for testing purposes only. Bon Echo Alpha 1 is intended for web application developers and our testing community. Current users of Mozilla Firefox 1.x should not use Bon Echo Alpha 1.

  • MyDoom.BK - New advanced virus variant

    This is a new variant from one of the most advanced virus families.  Hopefully, it will not spread extensively in the wild.

    MyDoom.BK - New advanced virus variant
    http://secunia.com/virus_information/27791/mydoom.bk/
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMYDOOM%2EBK&VSect=T

    This worm propagates via email using its own SMTP (Simple Mail Transfer Protocol) engine. Through this SMTP engine, it is able to easily send the said email message even without using other mailing applications.

    Subject: (Any of the following)
    • {Random characters}
    • Greetings!
    • Hello friend ;)
    • Hey dear!
    • Hey! How are you doing bud?
    • Re: Hello
    • Re: I got it! Try it now!
    • Re[2]: wazzup bro
    • Wazzap bro!!

    These copies may use any of the following extension names:

    COM
    EXE
    PIF
    TXT {Spaces}.SCR
    TXT{Spaces}.EXE
    TXT{Spaces}.PIF
    ZIP

  • Renama.A -- Replies to Outlook email messages and uses ZIP files

     Renama.A can reply to Outlook emails (so it looks more legitimate than regular spam) & it uses ZIP attachments. It can also spread across unprotected network shares.   

    QUOTE: This new virus goes through the MS Outlook inbox, and replies to any emails found. The email will have the following properties:

    Subject - One of the following:

    [NAME], your name is listed in terrorism organisation..!!!
    [NAME], this file from me (%s)
    *** Note: [NAME] is taken from the contents of the user's emails.


    Message - One of the following:

    1. if you are not sure, please read attachment bellow, and please reply to me..!!! this message is very urgent..!!!! hope we don't have miss understanding thank's...!!!

    2.This attachment contain listname of terrorist..!!! hope you can be carrefull if you find one of them..!!!! or you can reply this email to me after you read the attachment thank's...!!!


    Attachment: [RANDOM].zip

    Renama.A: Replies to email & uses ZIP files
    http://secunia.com/virus_information/27783/renama.a/
    http://www.sarc.com/avcenter/venc/data/w32.renama.a@mm.html
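Both write-ups above (MyDoom.BK and Renama.A) give mail administrators something concrete to filter on: the fixed lure subjects, and attachment names that pad a harmless-looking extension with spaces before the real .SCR/.EXE/.PIF extension. The following is an added example, not code from the original post or from either vendor, of a gateway-style heuristic that scores a message from its subject and attachment names. The subject strings and extension list come from the descriptions quoted above; the sample messages at the bottom are constructed. The "{Random characters}" subject cannot be matched by string, which is why the attachment-name checks carry the weight.

```python
import re

# Extension names listed for MyDoom.BK's copies (COM, EXE, PIF, SCR) and ZIP
EXECUTABLE_EXTS = {"com", "exe", "pif", "scr"}
ARCHIVE_EXTS = {"zip"}

# Fixed lure subjects from the MyDoom.BK description (compared case-insensitively)
LURE_SUBJECTS = {
    "greetings!", "hello friend ;)", "hey dear!", "hey! how are you doing bud?",
    "re: hello", "re: i got it! try it now!", "re[2]: wazzup bro", "wazzap bro!!",
}
# Renama.A subjects start with a harvested [NAME], so match on the fixed tail
LURE_SUBJECT_PATTERNS = [
    re.compile(r"your name is listed in terrorism organisation", re.I),
    re.compile(r"this file from me \(", re.I),
]

# "TXT {Spaces}.SCR" style: decoy extension, whitespace padding, then an executable one
PADDED_DOUBLE_EXT = re.compile(r"\.(txt|doc|htm|html|jpg|gif)\s+\.(com|exe|pif|scr)$", re.I)


def classify_attachment(filename):
    """Return the reasons an attachment name looks like a worm copy (empty if none)."""
    reasons = []
    name = filename.strip()
    if PADDED_DOUBLE_EXT.search(name):
        reasons.append("padded double extension")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    elif ext in ARCHIVE_EXTS:
        reasons.append("archive attachment")
    return reasons


def score_message(subject, attachments):
    """Combine subject and attachment signals into ('quarantine'|'deliver', reasons).

    Executable or padded-extension attachments are quarantined outright. A ZIP on
    its own is only quarantined when the subject is one of the known lures, which
    is the Renama.A shape ([RANDOM].zip behind a fixed subject).
    """
    reasons = []
    subj = subject.strip().lower()
    if subj in LURE_SUBJECTS or any(p.search(subject) for p in LURE_SUBJECT_PATTERNS):
        reasons.append("known lure subject")
    for att in attachments:
        for why in classify_attachment(att):
            reasons.append(f"{att!r}: {why}")
    dangerous_file = any("executable" in r or "padded" in r for r in reasons)
    archive_with_lure = "known lure subject" in reasons and any("archive" in r for r in reasons)
    verdict = "quarantine" if dangerous_file or archive_with_lure else "deliver"
    return verdict, reasons


# Constructed sample traffic: two worm-shaped messages, two ordinary ones
SAMPLE_MESSAGES = [
    ("Re: Hello", ["document.TXT     .scr"]),
    ("Bob, this file from me (bob)", ["x7f2a.zip"]),
    ("Quarterly report", ["report.pdf"]),
    ("Re: meeting notes", ["notes.zip"]),
]


def run_samples():
    """Return (subject, verdict) for each constructed sample message."""
    return [(subject, score_message(subject, atts)[0]) for subject, atts in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for subject, atts in SAMPLE_MESSAGES:
        verdict, reasons = score_message(subject, atts)
        print(f"{verdict:10} {subject!r} {reasons}")
```

The padded-extension regex is the part worth keeping after these particular worms fade: a filename whose visible extension is followed by whitespace and a second, executable extension has no legitimate use and is cheap to reject at the gateway regardless of subject.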

  • Microsoft - How to submit Virus and Spyware samples

    The following links provide instructions on how to submit malware samples to Microsoft.  This also includes emails with hostile URLs, viruses, spyware samples, or anything of a suspicious nature.

    http://www.incidents.org/diary.php?storyid=1205

    If you encounter some nastiness that you'd like to see Microsoft include in their monthly MRT updates, send email to the following Microsoft email addresses depending on sample type. Please use the AV industry standard password for malware samples of 'infected' to protect a zip or rar file containing your submitted sample.

    http://silverstr.ufies.org/blog/archives/000931.html

    QUOTE: Microsoft has recently streamlined their process for receiving samples of malicious software or spyware ... Samples sent to the following addresses will be automatically processed into the Microsoft Antimalware Team analysis queue:

  • Sony DRM Rootkit -- Lessons Learned

    An excellent writeup featured on Princeton University's website.

    http://itpolicy.princeton.edu/pub/sonydrm-ext.pdf

  • Macromedia Flash - Important Security Update

    All users who have Macromedia Flash installed should update to the latest version 8.0.24.0, which includes some new security protective patches.

    CERT: Multiple Vulnerabilities in Adobe Macromedia Flash
    http://www.us-cert.gov/current/current_activity.html#flashvul

    Flash Security Bulletin
    http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html

    Microsoft Security Advisory
    http://www.microsoft.com/technet/security/advisory/916208.mspx

    US-CERT is aware of several vulnerabilities in Adobe Macromedia Flash products. A system may be compromised if a user accesses a web page that references a specially crafted Flash (SWF) file. Successful exploitation may allow a remote attacker to execute arbitrary code with the privileges of the user. We are not aware of any public exploits at this time.

    Adobe recommends all Flash Player 8.0.22.0 and earlier users upgrade to the new version 8.0.24.0, which can be downloaded from the Player Download Center. For customers that cannot upgrade to Flash Player 8, please refer to the Flash Player 7 update TechNote.

  • phpBB Hack - bot registering user name FuntKlakow

    phpBB site administrators should carefully look for the presence of this user account.  Administrators have recently added precautions, and many sites have also enhanced their registration procedures (e.g., graphical controls).

    Potential phpBB Hack Coming?
    http://www.incidents.org/diary.php?storyid=1201

    QUOTE: During the last few days a bot using a name FuntKlakow, has been registering to maybe thousands of phpBB forums. Some speculate that the bot's owners are preparing to exploit an unreported vulnerability

  • Internet Explorer - New 0 Day Exploit in the wild

    The Internet will never be a trustworthy environment and we always need to be careful with email, IM, and websites.  A new unpatched vulnerability has surfaced which can crash IE, and more developments could occur.  Please be careful with all sites you visit.

    http://www.incidents.org/diary.php?storyid=1198

    QUOTE: There is a new and unpatched vulnerability with exploit code in the wild that affects the latest version of IE.  The exploit works by including an abnormally large (a couple thousand) number of script actions inside a single HTML tag.  This will cause a memory array to write out of bounds and cause an immediate or eventual browser crash.  Both McAfee and Symantec have released signatures to detect this exploit.  While this is only a DoS vulnerability at the moment, there are ongoing attempts to try to use this as a vector for remote code execution.

    McAfee and other AV vendors are adding detection, so please keep your AV software up-to-date with the latest virus signature files.

    http://vil.nai.com/vil/content/v_138956.htm

    http://secunia.com/virus_information/27704/htmlscriptact.a/

    QUOTE: This detection covers malicious HTML files/messages that attempt to exploit a 0-day, buffer overflow vulnerability in the MSIE script action handler.  Proof of concept code was posted to the web recently that results in a denial of service attack (crash) against Microsoft Internet Explorer browsers.


  • Phishing Messages May Include Highly-Personalized Information

    As shared by the Internet Storm Center, phishing attacks are growing in sophistication.

    Phishing Messages May Include Highly-Personalized Information
    http://www.incidents.org/diary.php?storyid=1194

    Some ideas to prevent phishing attacks:

    1. Treat every piece of email very carefully as if it were a telemarketing call
    2. Always keep in mind that banks typically don't notify via email. They'll send a postal letter or call if there are real issues
    3. Call someone up at the bank or other firm to see if it's legitimate
    4. Avoid sharing any confidential information via email (or even websites - unless you are absolutely certain you're safe)
    5. Besides these best practices, keep your technological defenses, (e.g., AV, FW, and Antispyware) fully enabled and up-to-date

  • MSIL.Cxover.A - New POC worm can infect both PCs and mobile devices

    This particular version is just a proof-of-concept worm, with no danger in the payload.  Hopefully, this won't be something the bad guys will exploit in the future.

    MSIL.Cxover.A - New POC worm can infect both PCs and mobile devices
    http://secunia.com/virus_information/27631/cxover.a/

    MSIL.Cxover.A is a proof-of-concept worm written in Microsoft .NET's Microsoft Intermediate Language (MSIL) that can affect both Windows PC and Windows Mobile powered devices that have the .NET framework installed.

    Trend has a good write-up with diagrams
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FCXOVER%2EA

  • Today must be the start of phishing season

    Either CA is catching up with in-the-wild threats or there are a bunch of new ones surfacing.  The bottom line is to never "do business", perform e-commerce transactions, or make any account updates based on an email message.

    http://secunia.com/virus_information/

    LIST FROM MARCH 16th:

    - HTML/Phishbank.AGM Reported by Computer Associates
    - HTML/Phishbank.AGO Reported by Computer Associates
    - HTML/Phishbank.AGP Reported by Computer Associates
    - HTML/Phishbank.AGN Reported by Computer Associates
    - HTML/Phishbank.AGH Reported by Computer Associates
    - HTML/Phishbank.AGI Reported by Computer Associates
    - HTML/Phishbank.AGL Reported by Computer Associates

  • New Check is in the Mail scam in local area

    This week, our local warned of a new scam circulating in our area.  Some folks have already been affected.

    TECHNIQUE: The victim receives a letter in the postal mail with what appears to be a check receipt in their name for $978.  The letter states that the company needs their bank account information in order to deposit it, and it provides a telephone number to call in their banking details.  Most likely the scammers are using anonymous, disposable prepaid cell phones.  This type of fraud occurs regularly and parallels the social engineering schemes used by cyber-crooks.

  • Bank Safe Online - Excellent Security Awareness Site

    APACS, the UK payments association, runs this excellent site devoted to Internet safety and best practices in e-commerce.

    http://www.banksafeonline.org.uk/

    Bank Safe Online sets out simple steps you can take to help keep safe online. We also provide you with updates on the latest scams, and enable you to report any suspicious emails or websites to us direct.

    Below are some good informational links from this site:

    • Types of scams
    • Spotting scams
    • Protecting yourself
    • Frequently asked questions
    • Helpful sites
    • Tips for staying safe online (additional protective measures for safe online banking)
    • Download our printable guide (top tips for safe online banking and shopping)

  • McAfee - DAT 4715 False positive fixed with 4716

    DAT 4716 was released to quickly address scanning errors that created false positive issues in release 4715.  The CTX virus was being detected in files that are not actually infected.

    http://www.incidents.org/diary.php?storyid=1179

  • Hotmatom Worm - New MSN Hotmail based worm deletes files

    This is a worm written in VB with the following characteristics:

    1. The worm attempts to lure victims into following a URL link, thereby downloading a copy of it and infecting themselves. It monitors Internet Explorer windows in order to detect when a new message is being created within MSN Hotmail.

    2. The worm monitors the browser window to detect when MSN Hotmail is being used to send new mail, and inserts text into such messages containing a URL from which the worm is downloaded if the recipient clicks on the link.

    3. It deletes files on the root of C: and A:, and copies itself there in place of those files, appending a .EXE file extension.

    Hotmatom Worm - New MSN Hotmail based worm deletes files
    http://secunia.com/virus_information/27456/hotmatom/
    http://vil.nai.com/vil/content/v_138829.htm
    http://www.sarc.com/avcenter/venc/data/w32.hotmatom.html
