
Harry Waldron - My IT Forums Blog

Sharing Security Developments and Best Practices for corporate and home users

July 2006 - Posts

  • Password Complexity - Good article by Kaspersky

    Kaspersky Labs shares an excellent commentary on why it's difficult to remember and manage passwords, especially in systems where password complexity is a requirement.

    JUL 28th Entry -- When your brain runs out of memory
    http://www.viruslist.com/en/weblog?calendar=2006-07

    QUOTE: Back in the Middle Ages, a password was exactly what it said: a simple word that could be used to gain access to a castle, a secret meeting or any other closed area. These days it’s less likely to be a word, but rather a string of characters like “hTfd4Xz”.

    There are situations where passwords don't need to be very complex, since the user will be forced to wait a couple of seconds after each attempt (e.g. when logging on to a server), or because the system will block further attempts after a wrong password has been entered several times (e.g. ATMs). This means that simply trying all possible variants (a brute force attack) isn’t going to be very useful.

    However, the story’s very different for encrypted data devices – if they fall into the wrong hands, an attacker can just plug them into his computer and try out all passwords without any limitations.
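    The two situations the quoted post contrasts, worked through as an added example (not from Kaspersky or this blog): a login that delays or locks out guesses versus an offline attack on an encrypted device where the attacker sets the guess rate. The delay, lockout and offline rate values are assumptions chosen for illustration.

```python
import math

# Added example for the Kaspersky post above: how long a brute-force search
# takes when the login throttles or locks out guesses (online) versus when
# the attacker holds the encrypted device and sets the pace (offline).
# Guess rates and lockout values below are assumptions for illustration.

CHARSET_SIZES = {
    "digits": 10,            # an ATM PIN
    "mixed_alnum": 62,       # upper + lower + digits, e.g. "hTfd4Xz"
    "printable": 94,         # printable ASCII without the space
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Search-space size expressed in bits (log2 of the keyspace)."""
    return length * math.log2(charset_size)


def online_guess_rate(delay_seconds: float, lockout_after: int = 0,
                      lockout_seconds: float = 0.0) -> float:
    """Guesses per second an attacker can make against a throttled login.

    delay_seconds   forced wait after every attempt ("a couple of seconds").
    lockout_after   failures allowed before the account is blocked (0 = never).
    lockout_seconds how long the block lasts before guessing can resume.
    """
    if lockout_after <= 0:
        return 1.0 / delay_seconds
    # One cycle = the allowed failures (each paying the delay) plus the block.
    cycle_seconds = lockout_after * delay_seconds + lockout_seconds
    return lockout_after / cycle_seconds


def expected_crack_seconds(charset_size: int, length: int,
                           guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the keyspace."""
    return keyspace(charset_size, length) / 2 / guesses_per_second


def compare(charset_size: int, length: int,
            offline_rate: float = 1e9) -> dict:
    """Expected crack time (seconds) for the three situations in the post:
    a server that delays each attempt, an ATM-style lockout, and an
    unthrottled offline attack at `offline_rate` guesses/second (assumed)."""
    delayed = online_guess_rate(delay_seconds=2.0)
    lockout = online_guess_rate(delay_seconds=2.0, lockout_after=3,
                                lockout_seconds=24 * 3600)
    return {
        "bits": entropy_bits(charset_size, length),
        "online_delayed": expected_crack_seconds(charset_size, length, delayed),
        "online_lockout": expected_crack_seconds(charset_size, length, lockout),
        "offline": expected_crack_seconds(charset_size, length, offline_rate),
    }


def years(seconds: float) -> float:
    """Convert seconds to years for readable output."""
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    for label, (size, length) in {"4-digit PIN": (10, 4),
                                  "7-char mixed": (62, 7),
                                  "12-char printable": (94, 12)}.items():
        r = compare(size, length)
        print(f"{label:18s} {r['bits']:5.1f} bits  "
              f"delayed {years(r['online_delayed']):10.2e} y  "
              f"lockout {years(r['online_lockout']):10.2e} y  "
              f"offline {years(r['offline']):10.2e} y")
```

    A 4-digit PIN behind an ATM-style lockout holds up for years, while the same PIN, or even the 7-character "hTfd4Xz", falls in well under an hour once the device is attacked offline.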

  • Windows Unpatched SMB DoS Vulnerability and Exploit

    More info on the new SMB-based vulnerability and exploit, which could cause blue screen crashes on Windows 2000, 2003, and XP.

    MSRC Blog entry
    http://blogs.technet.com/msrc/archive/2006/07/28/443837.aspx

    Windows Unpatched SMB DoS Vulnerability and Exploit
    http://www.frsirt.com/english/advisories/2006/3037

    Advisory ID : FrSIRT/ADV-2006-3037
    Rated as : Moderate Risk
    Remotely Exploitable : Yes
    Locally Exploitable : Yes
    Release Date : 2006-07-28

    Technical Description: A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to cause a denial of service. This flaw is due to a NULL pointer dereference error in the server driver (srv.sys) when handling specially crafted SMB (Server Message Block) packets, which could be exploited by remote unauthenticated attackers to cause a vulnerable system to crash or display a blue screen, creating a denial of service condition.

    Note : A fully functional exploit has been published.

    Solution: Restrict access to ports 135, 139 and 445.

  • MSH/Cibyz - Windows Powershell Proof-of-concept worm

    This is only a proof-of-concept script and could run in the XP, W/2003, and Vista environments.

    MSH/Cibyz - Windows Powershell Proof-of-concept worm
    http://vil.nai.com/vil/content/v_140292.htm

    QUOTE: MSH/Cibyz!p2p is a proof of concept worm written in Windows Powershell script. It attempts to spread via the popular peer to peer application KaZaa by dropping a copy of itself in its shared folders. Windows Powershell is a command line shell and scripting language for Microsoft Windows that runs on Windows XP, Windows Server 2003, Windows Vista and Windows Longhorn.

  • Happy Systems Administrators Day

    I definitely appreciate all the hard work our crew at work does in supporting the security, development, and business environment. Often it's behind the scenes with limited credit for the work performed, so they deserve a day of recognition.

    http://www.sysadminday.com/

  • MySpace Worm Attack - Analysis by ISC

    Over one million users were recently impacted by the Flash-based worm stored on MySpace pages. The site now requires the latest version of Flash to prevent future occurrences.

    MySpace Worm Attack - Analysis by ISC
    http://www.incidents.org/diary.php?storyid=1510
    http://www.avertlabs.com/research/blog/?p=59
    http://forums.mcafeehelp.com/viewtopic.php?t=83945

    QUOTE: An unusual aspect of this worm was that it resided purely on MySpace pages, rather than installing itself on personal computers of its victims. The essential component of the worm, which Symantec called ACTS.Spaceflash, was a Flash object that was embedded in the victims' profile pages on MySpace. The offending code resided in the redirect.swf file

  • Opera 9.0 - New HTTPS vulnerability

    A new vulnerability for the Opera browser has been identified. Opera users should look for an upcoming update, as the folks from Norway will most likely fix this promptly.

    Opera 9.0 - New HTTPS vulnerability
    http://www.frsirt.com/english/advisories/2006/2987
    http://browserfun.blogspot.com/2006/07/mobb-26-opera-css-background.html

    Advisory ID : FrSIRT/ADV-2006-2987
    Rated as : Critical
    Remotely Exploitable : Yes
    Locally Exploitable : Yes
    Release Date : 2006-07-26

    Technical Description: A vulnerability has been identified in Opera, which could be exploited by remote attackers to crash a vulnerable browser or potentially take complete control of an affected system. This flaw is due to a memory corruption error when processing a CSS "background" property containing an overly HTTPS URI, which could be exploited by attackers to cause a denial of service or execute arbitrary commands by convincing a user to visit a specially crafted Web page.

    Affected Products: Opera version 9

  • Powerpoint unpatched vulnerability - new variant

    These are mostly being spammed by email and should not be prevalent in the wild. Users should be cautious with all PowerPoint documents received by email.

    Powerpoint unpatched vulnerability - new variant
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FMDROPPER%2EAY
    http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-072712-3824-99

    QUOTE: When executed, it exploits a vulnerability in Microsoft Powerpoint wherein a specially crafted document can cause the application to drop and execute an embedded EXE file in the Windows folder.  Once it successfully exploits the mentioned vulnerability, it is able to execute a shell code which, in turn, runs the embedded .EXE file. This .EXE file is detected by Trend Micro as TROJ_AGENT.CZW.

    Also, Trend has added detection today for a new Powerpoint POC crash exploit that's most likely related to this overall vulnerability:

    New PowerPoint POC Crash exploit
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPPCRASH%2EA

  • Microsoft Security Updates - Spoofing Attack

    Microsoft and other vendors do not issue security updates using email messages, even though this new spoofed version appears to be realistic.

    Microsoft Security Updates - Spoofing Attack
    http://www.f-secure.com/weblog/archives/archive-072006.html#00000926

    Copy of EMAIL message - HTML coding looks realistic
    http://www.f-secure.com/weblog/archives/chto.gif

    QUOTE: We've received several reports of a mass mailing that's going around. The messages have been spoofed to look like they are from Microsoft and arrive with title "Warning! New Virus On The Internet! Update Now!".  The link in the mail goes to <<<URL REMOVED>>> and downloads an IRC backdoor.  The downloaded file is detected as W32/FakeMSUpdate by our latest update

  • FormSpy - Spyware program hooks into Mozilla Firefox

    FormSpy (aka FireSpy) is a new spyware program designed to integrate into the Mozilla browser environment. It is being spread by spam email spoofed to appear as a billing issue from Walmart, launched on July 24th. The attachment contains a downloader malware agent that can install FormSpy as a Firefox plugin. Users can easily avoid this new threat by not opening spam email or its attachments.

    FormSpy - Spyware program hooks into Mozilla Firefox
    http://www.avertlabs.com/research/blog/?p=62
    http://vil.nai.com/vil/content/v_140256.htm

    QUOTE: Upon execution, it registers Mozilla event listeners to the malware and sends information submitted by the victim in the web browser to a malicious website. This information can include, but is not limited to, credit card numbers, passwords, e-banking PIN numbers, etc. The main executable is also capable of sniffing passwords from ICQ, FTP, IMAP and POP3 traffic.

    FireSpy - Sophos Writeup
    http://www.sophos.com/security/analyses/trojfirespya.html

    QUOTE: Troj/FireSpy-A will then attempt to register the dropped component as a Firefox plugin and begin monitoring the user's browsing habits, stealing information including monitoring and logging information from Web forms

    ----- EMAIL TO AVOID -----

    Downloader-AXM - Massively spammed on 07/24/2006
    http://vil.nai.com/vil/content/v_140257.htm

    From: billing support [mailto:info@walmart.com]

    Subject: Your order information WC2905036

    Message: Dear Sir/Madam, Thank you for shopping with our internet shop. Your order, WC2905036, has been received. Summary of your order you can see in the attachment file.

    Attachment: wc2905036.exe

  • MS06-034, MS06-035, and MS06-036 Exploits surface

    All corporate and home users should ensure they are up-to-date on the latest security patches offered by Microsoft as three new exploits have recently surfaced.

    MS06-034, MS06-035, and MS06-036 Exploits surface
    http://www.incidents.org/diary.php?storyid=1509
    http://www.frsirt.com/english/threats/

    QUOTE: Exploit code has been published for critical vulnerabilities in Microsoft Windows (SRV.SYS Driver Mailslot Overflow and DHCP Client Service Overflow), and for a less serious flaw in Microsoft Internet Information Services (IIS). These vulnerabilities were recently patched with MS06-034, MS06-035, and MS06-036. Administrators and users are urged to apply the appropriate vendor patches.

  • Haxdoor.CP - Spammed email with Rootkit

    Haxdoor is one of the most popular and dangerous Windows based rootkits. Users should continue to be cautious with all suspicious email messages.

    Haxdoor.CP - Spammed email with Rootkit
    http://www.incidents.org/diary.php?storyid=1508
    http://secunia.com/virus_information/30929/haxdoor-cp/
    http://www.sophos.com/security/analyses/trojhaxdoorcp.html

    QUOTE: Troj/Haxdoor-CP is a Trojan for the Windows platform. Troj/Haxdoor-CP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer. Troj/Haxdoor-CP includes functionality to: - stealth its files, processes, registry entries and services - prevent itself being terminated...

    Email to avoid:

    Subject line:     Confirmation for Order WC2905036
    Message text:  Dear Sir/Madam, Thank you for shopping with our internet shop. Your order, WC2905036, has been received. Summary of your order you can see in the attachment file.

  • Bahisho Worm - Spreads to ISO/NRG imaging file extensions

    The ISO and NRG extensions used for CD imaging may need to be added to AV file extension scan lists.

    Bahisho Worm - Spreads to ISO/NRG imaging file extensions
    http://secunia.com/virus_information/30924/bahisho.a/

    QUOTE: This worm propagates by searching for images with .ISO and .NRG file extensions in random folders. When the said image files are found, it drops its copy into the folder where the image files are located. In effect, when an optical disk image or an .NRG image file is burned, this worm copies itself into the CD or CD-ROM. ISO images (.ISO) are optical disk or Universal Disk Format (UDF) image files, while .NRG files are image files associated with the application Nero.

  • ProtectionBar - Panda warns on new adware program designed to trick users

    The new ProtectionBar adware program issues false security warnings that can alarm users into purchasing a license.  Users are better served by using a mainstream anti-spyware product (e.g., Webroot, McAfee, Defender, etc), rather than using toolbars or "free" plug-ins that may not provide good security protection.

    ProtectionBar - Panda warns on new adware program designed to trick users 
    http://www.pandasoftware.com/about/press/viewNews.htm?noticia=7619
     
    QUOTE: Panda Software warns of a new adware program called ProtectionBar, which tries to trick users by installing false security programs on their computers. These programs inform users that their computer is infected by threats that do not exist or show fictitious errors. Then, they threaten users so that they buy the license in order to delete the malware supposedly detected. The aim of this system is to earn a profit for the developers of these programs, who will share it with the creators of ProtectionBar

  • Exploit Wednesday -- the day after Patch Tuesday

    F-Secure shares an interesting development on how the bad guys are timing exploits to surface right after Patch Tuesday. Thankfully, the unpatched Office vulnerabilities have been rare in the wild. Users should continue to keep AV protection up-to-date and exercise caution when they receive any email with Office-related attachments.

    Exploit Wednesday -- the day after Patch Tuesday
    http://www.f-secure.com/weblog/archives/archive-072006.html#00000922

    QUOTE: The bad guys are taking advantage of three things:

    1. The first is the patch cycle itself. These new exploits are being released after the second Tuesday of each month to maximize its lifespan.

    2. The second is the common day-to-day routine of receiving Office files. There haven't been any new macro viruses to speak of for some time and so Office files (doc/xml/ppt) easily pass through corporate firewalls and people don't think twice about clicking on them. This avenue of attack is currently under the radar and is not perceived as a danger by end users.

    3. And the third advantage is that the companies exploited don't want to talk about it. They dread the negative publicity as a victim of espionage. That's why the public doesn't know the name of last month's Excel exploit victim. Such hush-hush may be keeping some of these exploits from being reported.

  • Oracle - Critical Security Release for July 2006

    Oracle Technology Network: An important security release to patch vulnerabilities has just been released. This should be quickly lab tested and applied in production.

    Oracle - Critical Security Release for July 2006

  • Microsoft Powerpoint - New unpatched vulnerability

    Users should be careful with all PowerPoint documents (PPT file extensions) received by email, as one new exploit is now circulating as a trojan horse in the wild. However, there are no widescale attacks associated with this new vulnerability. Several links are noted below.

    Microsoft Security Advisory (922970)
    http://www.microsoft.com/technet/security/advisory/922970.mspx

    Microsoft Security Response Team
    http://blogs.technet.com/msrc/archive/2006/07/14/441893.aspx

    ISC Information
    http://www.incidents.org/diary.php?storyid=1484

    McAfee Information
    http://vil.nai.com/vil/content/v_125294.htm

    Microsoft PowerPoint Presentation Handling Multiple Memory Corruption and DoS Vulnerabilities
    http://www.frsirt.com/english/advisories/2006/2815

    Microsoft PowerPoint Presentation Handling Client-Side Memory Corruption Vulnerability
    http://www.frsirt.com/english/advisories/2006/2795

    This zero-day vulnerability is currently being exploited in the wild by Trojan.PPDropper.B

  • Vishing Attacks -- New Scam combines both Phishing and Telephone calls

    This new social engineering scheme goes even a step further than phishing in trying to create a means to steal credit card, bank account, or other information.  When it comes to any email message requesting any unusual actions or sensitive information, never take action, as banks and most companies don't operate in that manner.  The following is more information on Vishing from an email message I received today.

    QUOTE: Experts are warning against the latest Internet scam: "vishing."

    Vishing, or voice phishing, occurs when a scammer sends you an e-mail hoping to get victims to telephone a voice mail box to disclose sensitive financial and personal information.

    Many computer users are already aware of so-called "phishing e-mails" linking to counterfeit Web sites that ask computer users to enter account numbers or other personal information.

    Many of these scam e-mails look like they were sent from companies like American Express, Bank of America, and other major companies, informing customers they need to update their records.

    When they do so, the customer unwittingly provides some criminal enterprise their most sensitive financial and personal information.

    Already such phishing scams cost consumers an estimated $929 million. However, new tools – including software that helps locate phony Web sites – have made the scam more difficult to pull off. But the new "vishing" scam gets around computer safeguards by using the telephone instead.

    In a typical case of vishing, customers of a California bank received e-mails informing them that their online banking accounts had been disabled because the bank detected unauthorized access, according to The Wall Street Journal.

    The customers were told to dial a telephone number with a local area code, where an automated voice asked them to enter their account numbers, personal-access codes, and other information.

    Armed with that data, vishing scammers could access the online accounts and transfer money, or make fraudulent purchases with a stolen credit card number.

    These schemes are made possible by Internet telephone services, "which allow computer users to quickly establish phone numbers, often without undergoing some of the verification checks used by traditional telephone companies,” the Journal reports.

    "Also, Internet phone companies dole out numbers with a choice of area code, regardless of where in the country – or world – the user is located, which makes it difficult to locate the scammers.”

    What’s more, automated voice prompts have become common on customer service lines, "and many people have become accustomed to keying in their account information and other details before being able to speak to a representative,” Adam O’Donnell, a senior research scientist at the online security firm Cloudmark Inc., told the Journal.

    The bottom line: Experts stress that customers should never turn over private information based on an e-mail request.

  • New Linux Kernel vulnerabilities and 0 Day Exploit

    Linux users should look for updates and workarounds. While exploits have been developed, I don't believe they are in the wild, and most of the vulnerabilities carry minor security risks (e.g., DoS potential). Patches may be out or will most likely be coming soon, so please stay up-to-date.

    Internet Storm Center links
    http://www.incidents.org/diary.php?storyid=1485
    http://www.incidents.org/diary.php?storyid=1482
    http://isc.sans.org/diary.php?storyid=1479
    http://www.incidents.org/diary.php?storyid=1480

    Update from FrSIRT
    http://www.frsirt.com/english/advisories/2006/2816

    Technical Description: A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to obtain elevated privileges. This flaw is due to a race condition in "fs/proc/base.c", which could be exploited by malicious users to execute arbitrary commands with "root" privileges.

    Note : A fully functional exploit has been released.

    Affected Products:
    Linux Kernel version 2.6.17.4 and prior
    Linux Kernel version 2.6.16.24 and prior

  • Microsoft - July 2006 Security Updates

    Microsoft is releasing the following security bulletins for newly discovered vulnerabilities:

    • Important  MS06-033  Microsoft .NET Framework 2.0 Information Disclosure
    • Important  MS06-034  Microsoft  (IIS)   Remote Code Execution
    • Critical   MS06-035  Microsoft Windows  Remote Code Execution
    • Critical   MS06-036  Microsoft Windows  Remote Code Execution
    • Critical   MS06-037  Microsoft Excel    Remote Code Execution
    • Critical   MS06-038  Microsoft Office   Remote Code Execution
    • Critical   MS06-039  Microsoft Office   Remote Code Execution

    I would encourage everyone to quickly apply the July updates, especially in light of MS06-035 and its potential to become wormable on Windows 2000.

    Microsoft July Update Overall Summary
    http://www.microsoft.com/technet/security/...n/ms06-Jul.mspx

    ISC Detailed Analysis
    http://www.incidents.org/diary.php?storyid=1470

    SPECIAL WARNING: MS06-035 - Patch now!
    http://www.incidents.org/diary.php?storyid=1471

  • Panda - Posts Top 10 viruses for first half of 2006

    Rather than launching widescale email attacks, virus writers are choosing more stealth-like approaches to quietly infect PCs. Keeping AV protection up-to-date and performing periodic scans are important to ensure a system is free of malware.

    Panda - Posts Top 10 viruses for first half of 2006
    http://www.pandasoftware.com/about/press/viewNews.htm?noticia=7570

    QUOTE: With the absence of widespread virus alerts, the first six months of 2006 has seemingly been a relatively quiet period. Yet this apparent calm is the result of the drive of malware creators to infect computers silently, ensuring their malicious code can operate undetected for as long as possible. An indication that they are still as busy as ever is the 19,367 new viruses detected over the last six months, only slightly less than for the same period in 2005

  • New Microsoft Office LsCreateLine Vulnerability and POC Exploit

    A proof-of-concept exploit has been released for this new Office vulnerability. Specially crafted malformed Word documents could trigger it. Be careful with all suspicious documents and keep your AV protection as up-to-date as possible.

    Microsoft Office Object Library "LsCreateLine" Improper Memory Access Vulnerability
    http://www.frsirt.com/english/advisories/2006/2720

    Remotely Exploitable : Yes
    Locally Exploitable : Yes
    Release Date : 2006-07-09

    Description: A vulnerability has been identified in Microsoft Office, which could be exploited by attackers to cause a denial of service or potentially take complete control of an affected system. This flaw is due to a memory access error in the "mso.dll" library when handling a malformed document, which could be exploited by attackers to crash a vulnerable application or execute arbitrary commands by convincing a user to open a specially crafted Word document.

  • Month of Browser Bugs Project - One new vulnerability per day

    Those of us in the IT security profession prefer that vulnerabilities and POC exploit code be reported privately to the vendor. While sharing these findings in a public forum may prompt faster action by the vendors, these MoBB flaws could become new areas for spyware, virus, and worm development.

    We are indeed seeing at least one per day, and security firms like Secunia and FrSIRT may lag a little in testing and subsequently reporting these findings. The site below is worthwhile to monitor for continuing developments.

    MoBB Project - Official Site to track developments
    Please be careful and avoid experimenting with any POC exploit code
    http://browserfun.blogspot.com/

    TEN VULNERABILITIES SO FAR

    MoBB #10: Object.Microsoft.DXTFilter Enabled
    MoBB #9: DirectAnimation.DAUserData Data
    MoBB #8: RDS.DataControl URL
    MoBB #7: Table.Frameset
    MoBB #6: StructuredGraphicsControl SourceURL
    MoBB #5: DHTML setAttributeNode()
    MoBB #4: Mozilla Firefox DesignMode
    MoBB #3: OutlookExpress.AddressBook
    MoBB #2: Internet.HHCtrl Image Property
    MoBB #1: ADODB.Recordset Filter Property

  • Jalabed.B - pretends to offer World Cup Soccer FIFA Tickets

    Virus writers use social engineering tricks to tempt email recipients into opening attachments. There are no free lunches from Internet spam email, and all such attachments and URLs should be avoided.

    Jalabed.B - pretends to offer World Cup Soccer FIFA Tickets
    http://secunia.com/virus_information/30586/jalabed.b/
    http://www.sarc.com/avcenter/venc/data/w32.jalabed.b@mm.html

    Block or Delete all attachments with the following characteristics:

    From: Varies
    Subject: Im the winner of 2 FIFA tickets
    Message Body: You wont believe it but im the winner of 2 tickets for FIFA 2006 in Germany,if you want a ticket read attackment ;)
    Attachment: FIFA 2006 Ticket.doc.exe
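    The "email to avoid" characteristics quoted in this post (the Walmart-themed Downloader-AXM and Haxdoor.CP messages above, and the Jalabed.B FIFA lure here) all come down to an executable attachment, often behind a document-looking double extension. Below is an added example of a gateway check for those traits, written for this post rather than taken from any vendor writeup; the sample messages are constructed to mirror the quoted headers, with a harmless 4-byte stand-in where the payload would be.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Added example for the spammed messages quoted in this post (Downloader-AXM,
# Haxdoor.CP, Jalabed.B): a mail-gateway check that flags executable
# attachments, "double" extensions like .doc.exe, and lure subjects.
# Not vendor code; the samples below are constructed to mirror the quotes.

EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DOCUMENT_EXTS = {"doc", "xls", "ppt", "pdf", "txt", "jpg", "zip"}
LURE_SUBJECT = re.compile(r"\b(order|confirmation|winner|tickets?)\b", re.I)


def classify_filename(name: str) -> list:
    """Reasons an attachment name is suspicious (empty list = nothing found)."""
    reasons = []
    parts = name.lower().rsplit(".", 2)   # base, optional inner ext, outer ext
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{parts[-1]}")
        if len(parts) == 3 and parts[-2] in DOCUMENT_EXTS:
            reasons.append(f"document extension .{parts[-2]} hides it (double extension)")
    return reasons


def check_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and decide whether a gateway should block it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    executable = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hits = classify_filename(name)
        if hits:
            executable = True
            reasons.extend(f"attachment {name!r}: {h}" for h in hits)
    subject = str(msg.get("Subject", ""))
    if LURE_SUBJECT.search(subject):
        reasons.append(f"lure subject {subject!r}")
    # Block only on the executable attachment; a lure subject alone is a hint.
    return {"block": executable, "reasons": reasons}


def build_sample(sender: str, subject: str, body: str, attachment: str) -> bytes:
    """Construct a test message offline with a harmless stand-in attachment."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=attachment)
    return m.as_bytes()


# Constructed samples mirroring the emails quoted in this post.
SAMPLES = {
    "walmart_lure": build_sample(
        "billing support <info@walmart.com>", "Your order information WC2905036",
        "Dear Sir/Madam, your order WC2905036 has been received. See the attachment.",
        "wc2905036.exe"),
    "fifa_lure": build_sample(
        "someone <fan@example.invalid>", "Im the winner of 2 FIFA tickets",
        "You wont believe it but im the winner of 2 tickets for FIFA 2006 in Germany",
        "FIFA 2006 Ticket.doc.exe"),
    "legit": build_sample(
        "colleague <alice@example.invalid>", "Meeting notes",
        "Notes from today attached.", "notes.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_message(raw))
```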

  • CIO Magazine Article - Is Sarbanes-Oxley Working?

    As I receive several free industry magazines, I found this article interesting and an informative update from an IT perspective.

    CIO Magazine - Is Sarbanes-Oxley Working?
    http://www.cioinsight.com/article2/0,1540,1975512,00.asp

    Quote: Learning to Live With SOX -- It seems like a straightforward enough question: is SOX working? Two years after the Sarbanes-Oxley Act (also called the Public Company Accounting Reform and Investor Protection Act of 2002) went into effect, there is a mounting supply of data on hand to throw at the query. But like so many seemingly simple questions, this one isn't. There are a lot of layers to peel back before any serious answer can be reached. The question invites more questions, such as, "What does 'working' mean?" "Working for whom?" ...

    While searching for the electronic edition, I found this older 2004 article entitled "The SOX Conspiracy - Compliance", which I'll share as bonus reading material. It's an interesting read on the struggles for control between IT and accounting.

    CIO Magazine - The SOX Conspiracy - Compliance
    http://www.cio.com/archive/070104/sarbox.html

    Quote: Sarbanes-Oxley compliance efforts are eating up CIO time and budgets. Worse, CIOs are being relegated to a purely tactical role. And that may be the CFO's plan.

  • Microsoft TechNet - New Regulatory Compliance Site

    The July TechNet newsletter highlights a new site devoted to assisting companies in their research toward compliance with five primary regulatory standards (including SOX). This new site should be used as a complementary resource, with the official regulatory sites taking precedence.

    Microsoft TechNet - New Regulatory Compliance Site

    Regulations and Standards. This section provides an overview of the five major regulations and standards that this guide discusses:

    • Sarbanes-Oxley Act (SOX)

    • Gramm-Leach-Bliley Act (GLBA)

    • Health Insurance Portability and Accountability Act (HIPAA)

    • European Union Data Protection Directive (EUDPD)

    • ISO 17799:2005 Code of Practice for Information Security Management (ISO 17799)

    IT Controls. This section discusses the various types of IT controls, how these controls work in combination, and why they are important components that your organization can use to help meet its regulatory compliance obligations.

    IT Audit Process. This section provides an overview of the IT audit process that auditors use to assess regulatory compliance for most organizations.

    Business Drivers. This section discusses the business drivers for regulatory compliance that include challenges concerning regulatory environment complexity, achieving and maintaining compliance, and the consequences of noncompliance. It also discusses opportunities to establish and improve process, gain competitive advantage, and increase ROI for your organization through time and cost savings.

  • Microsoft July Updates - Seven security releases planned for Patch Tuesday

    July will represent another important month for security updates.

    Microsoft July Updates - Info for Patch Tuesday
    http://www.microsoft.com/technet/security/bulletin/advance.mspx

    QUOTE: On 11 July 2006 Microsoft is planning to release:

    Four Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.
     
    Three Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.

  • TROJ_NANISTYL.A - New Excel POC impacting Japanese/Chinese versions

    This is not an active threat and it illustrates that development and testing of potential MS Office exploits continues.

    TROJ_NANISTYL.A - New Excel POC impacting Japanese/Chinese versions
    http://secunia.com/virus_information/30540/trojnanistyl.a/

    QUOTE: This Trojan is a proof-of-concept exploit that takes advantage of an unknown remote code execution vulnerability, which causes Japanese and Chinese versions of Microsoft Excel 2000 to crash on affected systems. Currently, however, this Trojan sample does not have a shell code. It runs on Windows XP and Server 2003.

  • W32.Gatt - Uses IDC file extension type

    The use of the IDC file extension type as a means to spread viruses may not be that common and may need to be added to the blocking list if further developments occur.

    W32.Gatt - Uses IDC file extension type
    http://www.sarc.com/avcenter/venc/data/w32.gatt.html

    W32.Gatt is a polymorphic entry point-obscuring infector of .IDC files. .IDC files are scripts for the Interactive Disassembler application. The virus is a proof of concept malware and does nothing but replicate. Whenever an infected IDC file is executed, the virus will create a randomly-named .EXE file in the current directory, and execute that file. This newly created .EXE file will infect all .IDC files in the current directory and all subdirectories.

  • Internet Explorer - New HHCtrl and ActiveX DoS vulnerabilities

    These are brand new vulnerabilities for Internet Explorer, and proof-of-concept exploits have been developed.

    Microsoft Internet Explorer HTML Help Control "HHCtrl" Memory Corruption Vulnerability
    http://www.frsirt.com/english/advisories/2006/2635

    Advisory ID : FrSIRT/ADV-2006-2635
    Rated as : Critical
    Remotely Exploitable : Yes
    Locally Exploitable : Yes
    Release Date : 2006-07-03

    Technical Description: A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to crash a vulnerable browser or potentially take complete control of an affected system. This flaw is due to a memory corruption error in the HTML Help Control "HHCtrl" when processing a specially crafted property, which could be exploited by attackers to cause a denial of service or execute arbitrary commands by convincing a user to visit a specially crafted Web page.

    Microsoft Internet Explorer Data Access ActiveX Remote Denial of Service Vulnerability
    http://www.frsirt.com/english/advisories/2006/2634

    Advisory ID : FrSIRT/ADV-2006-2634
    Rated as : Low Risk
    Remotely Exploitable : Yes
    Locally Exploitable : Yes
    Release Date : 2006-07-03

    Technical Description: A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to cause a denial of service. This flaw is due to a NULL pointer dereference error in the Microsoft Data Access ActiveX "msado15.dll" object when handling a specially crafted property, which could be exploited by attackers to crash a vulnerable browser by tricking a user into visiting a malicious web page.

    There may be further developments, as the ISC blog entry documents that one site plans to discover and publish a new browser bug each day during July.

    Internet Storm Center Commentary - Browser Bug of Month Club
    http://www.incidents.org/diary.php?storyid=1459
