July 2006 - Posts

Kaspersky Lab shares an excellent commentary on why it's difficult to remember and manage passwords, especially in systems where password complexity is a requirement.
JUL 28th Entry -- When your brain runs out of memory
http://www.viruslist.com/en/weblog?calendar=2006-07
QUOTE: Back in the Middle Ages, a password was exactly what it said: a simple word that could be used to gain access to a castle, a secret meeting or any other closed area. These days it’s less likely to be a word, but rather a string of characters like “hTfd4Xz”.
There are situations where passwords don't need to be very complex, since the user will be forced to wait a couple of seconds after each attempt (e.g. when logging on to a server), or because the system will block further attempts after a wrong password has been entered several times (e.g. ATMs). This means that simply trying all possible variants (a brute force attack) isn’t going to be very useful.
However, the story’s very different for encrypted data devices – if they fall into the wrong hands, an attacker can just plug them into his computer and try out all passwords without any limitations.
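Added example, not part of the original post or the Kaspersky write-up: it puts numbers on the two situations described above. A throttled, lockout-protected login is simulated (the clock is simulated so the script runs instantly), and an unthrottled attack on a stored hash is run for real. Unsalted SHA-256 stands in for whatever a device stores; that choice, the 2-second delay, the 5-failure lockout and the 10^9 guesses/second offline rate are assumptions for illustration.

```python
import hashlib
import itertools
import string

LOWER = string.ascii_lowercase
ALNUM = string.ascii_letters + string.digits


def keyspace(charset: str, length: int) -> int:
    """Number of candidates of exactly `length` characters drawn from `charset`."""
    return len(charset) ** length


def hours_to_exhaust(charset: str, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at a sustained guess rate."""
    return keyspace(charset, length) / guesses_per_second / 3600


class ThrottledLogin:
    """Online verifier: every attempt costs `delay_s` and the account locks after
    `max_failures` wrong guesses (assumed policy). Time is simulated, not slept."""

    def __init__(self, secret: str, delay_s: float = 2.0, max_failures: int = 5):
        self._secret = secret
        self.delay_s = delay_s
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        self.simulated_seconds = 0.0

    def attempt(self, guess: str) -> bool:
        if self.locked:
            return False
        self.simulated_seconds += self.delay_s
        if guess == self._secret:
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def online_bruteforce(login: ThrottledLogin, charset: str, length: int):
    """Enumerate candidates against the throttled verifier; gives up once locked."""
    for cand in itertools.product(charset, repeat=length):
        guess = "".join(cand)
        if login.attempt(guess):
            return guess
        if login.locked:
            return None
    return None


def offline_bruteforce(target_hash: str, charset: str, length: int):
    """Unthrottled attack on a stored hash: returns (password, guesses_made).
    Nothing limits the rate here; only the keyspace size matters."""
    guesses = 0
    for cand in itertools.product(charset, repeat=length):
        guesses += 1
        guess = "".join(cand)
        if hashlib.sha256(guess.encode()).hexdigest() == target_hash:
            return guess, guesses
    return None, guesses


def compare(password: str = "hTfd4Xz", offline_rate: float = 1e9) -> dict:
    """Why a 7-character alphanumeric password is adequate online but not offline."""
    n = len(password)
    return {
        "keyspace": keyspace(ALNUM, n),
        "offline_hours": hours_to_exhaust(ALNUM, n, offline_rate),
        # a forced 2 s wait per attempt caps an online attacker at 0.5 guesses/s
        "online_hours_2s_delay": hours_to_exhaust(ALNUM, n, 0.5),
    }


if __name__ == "__main__":
    print(compare())
    stored = hashlib.sha256(b"pass").hexdigest()          # constructed sample
    print("offline:", offline_bruteforce(stored, LOWER, 4))
    login = ThrottledLogin("zz")
    print("online:", online_bruteforce(login, LOWER, 2), "locked:", login.locked)
```

The offline loop finds a 4-letter lowercase secret in well under a second; the same enumeration against the throttled verifier is stopped by the lockout after five guesses, and even without a lockout the 2-second delay turns the 7-character keyspace into roughly two billion hours.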
More info on the new SMB-based vulnerability and exploit, which could cause blue screen crashes on Windows 2000, 2003, and XP.
MSRC Blog entry
http://blogs.technet.com/msrc/archive/2006/07/28/443837.aspx
Windows Unpatched SMB DoS Vulnerability and Exploit
http://www.frsirt.com/english/advisories/2006/3037
Advisory ID : FrSIRT/ADV-2006-3037
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-07-28
Technical Description: A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to cause a denial of service. This flaw is due to a NULL pointer dereference error in the server driver (srv.sys) when handling specially crafted SMB (Server Message Block) packets, which could be exploited by remote unauthenticated attackers to cause a vulnerable system to crash or display a blue screen, creating a denial of service condition.
Note : A fully functional exploit has been published.
Solution: Restrict access to ports 135, 139 and 445.
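Added example, not from the FrSIRT advisory or the MSRC post: the advisory's only mitigation until a patch ships is to restrict access to TCP 135, 139 and 445, and this script is the check to run afterwards from a network segment that should not reach them. It speaks no SMB at all, it only tests whether the TCP port completes a handshake; the hosts on the command line, the one-second timeout and the loopback self-check are my own choices.

```python
import socket
import sys

SMB_PORTS = (135, 139, 445)


def port_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unresolvable
        return False


def exposed_ports(host: str, ports=SMB_PORTS, timeout: float = 1.0) -> list:
    """Subset of `ports` that still accept connections from this vantage point."""
    return [p for p in ports if port_reachable(host, p, timeout)]


def self_check() -> tuple:
    """Exercise the probe against a loopback listener and then the same port once
    it is closed, so the logic can be validated without a real Windows target."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        open_result = port_reachable("127.0.0.1", port)
    # the listener is gone now; a connect to the same port must be refused
    closed_result = port_reachable("127.0.0.1", port)
    return open_result, closed_result


if __name__ == "__main__":
    # usage: smbcheck.py host [host ...]   (run from the untrusted side of the filter)
    for target in sys.argv[1:]:
        still_open = exposed_ports(target)
        status = "EXPOSED " + ",".join(map(str, still_open)) if still_open else "filtered"
        print(f"{target}: {status}")
```

A host that reports "filtered" from the Internet-facing segment but "EXPOSED 445" from the LAN is the expected outcome of the mitigation; any port still answering from outside means the filter is not where the advisory assumes it is.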
This is only a proof-of-concept script, but it could run in XP, Windows 2003, and Vista environments.
MSH/Cibyz - Windows Powershell Proof-of-concept worm
http://vil.nai.com/vil/content/v_140292.htm
QUOTE: MSH/Cibyz!p2p is a proof of concept worm written in Windows Powershell script. It attempts to spread via the popular peer to peer application KaZaa by dropping a copy of itself in its shared folders. Windows Powershell is a command line shell and scripting language for Microsoft Windows that runs on Windows XP, Windows Server 2003, Windows Vista and Windows Longhorn.
I definitely appreciate all the hard work our crew at work does in supporting the security, development, and business environment. Often times, it's behind the scenes with limited credit for the hard work performed, so they do deserve a day of recognition.
http://www.sysadminday.com/
Over one million users were recently impacted by the Flash-based worm stored on MySpace pages. The site is now requiring the latest version of Flash to prevent future occurrences.
MySpace Worm Attack - Analysis by ISC
http://www.incidents.org/diary.php?storyid=1510
http://www.avertlabs.com/research/blog/?p=59
http://forums.mcafeehelp.com/viewtopic.php?t=83945
QUOTE: An unusual aspect of this worm was that it resided purely on MySpace pages, rather than installing itself on personal computers of its victims. The essential component of the worm, which Symantec called ACTS.Spaceflash, was a Flash object that was embedded in the victims' profile pages on MySpace. The offending code resided in the redirect.swf file
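Added example, not from the ISC or Avert write-ups: since the worm lived entirely in a Flash object embedded in profile pages, the obvious server-side check on user-supplied profile HTML is to find every Flash movie it loads and flag those served from outside the site. The host allowlist, the sample profile markup and the attacker.example host are constructed for illustration; only the redirect.swf file name comes from the write-up.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a profile page is allowed to load .swf files from (assumption)
ALLOWED_HOSTS = {"myspace.com", "www.myspace.com"}


class FlashEmbedFinder(HTMLParser):
    """Collect every URL that an <object data>, <embed src> or
    <param name="movie" value> points at."""

    def __init__(self):
        super().__init__()
        self.movie_urls = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lower-cases names
        if tag == "embed" and a.get("src"):
            self.movie_urls.append(a["src"])
        elif tag == "object" and a.get("data"):
            self.movie_urls.append(a["data"])
        elif tag == "param" and a.get("name", "").lower() == "movie" and a.get("value"):
            self.movie_urls.append(a["value"])


def suspicious_flash_embeds(html: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Absolute .swf URLs in `html` whose host is not on the allowlist."""
    finder = FlashEmbedFinder()
    finder.feed(html)
    flagged = []
    for url in finder.movie_urls:
        parsed = urlparse(url)
        if not parsed.path.lower().endswith(".swf"):
            continue
        host = (parsed.hostname or "").lower()
        # a relative URL has no host and stays on the site's own origin
        if host and host not in allowed_hosts and url not in flagged:
            flagged.append(url)
    return flagged


# Constructed sample: a 1x1 movie pulled from a third-party host beside a
# legitimate same-site player. Not the real worm markup.
SAMPLE_PROFILE = """
<div class="profile">
<object data="http://attacker.example/redirect.swf" width="1" height="1">
  <param name="movie" value="http://attacker.example/redirect.swf">
  <embed src="http://attacker.example/redirect.swf" width="1" height="1">
</object>
<embed src="http://www.myspace.com/player.swf" width="300" height="200">
<embed src="/profile/mymovie.swf">
</div>
"""

if __name__ == "__main__":
    for url in suspicious_flash_embeds(SAMPLE_PROFILE):
        print("blocked embed:", url)
```

The allowlist is the deliberate choice here: a denylist of known bad hosts would have missed the next copy of redirect.swf on a different free host, whereas refusing every off-site movie removes the vector regardless of where it is hosted.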
A new vulnerability for the Opera browser has been identified. Opera users should look for an upcoming update, as the folks from Norway will most likely fix this promptly.
Opera 9.0 - New HTTPS vulnerability
http://www.frsirt.com/english/advisories/2006/2987
http://browserfun.blogspot.com/2006/07/mobb-26-opera-css-background.html
Advisory ID : FrSIRT/ADV-2006-2987
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-07-26
Technical Description: A vulnerability has been identified in Opera, which could be exploited by remote attackers to crash a vulnerable browser or potentially take complete control of an affected system. This flaw is due to a memory corruption error when processing a CSS "background" property containing an overly long HTTPS URI, which could be exploited by attackers to cause a denial of service or execute arbitrary commands by convincing a user to visit a specially crafted Web page.
Affected Products: Opera version 9
These are mostly being spammed by email and should not be prevalent in the wild. Users should be cautious with all PowerPoint documents received in email.
PowerPoint unpatched vulnerability - new variant
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FMDROPPER%2EAY
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-072712-3824-99
QUOTE: When executed, it exploits a vulnerability in Microsoft Powerpoint wherein a specially crafted document can cause the application to drop and execute an embedded EXE file in the Windows folder. Once it successfully exploits the mentioned vulnerability, it is able to execute a shell code which, in turn, runs the embedded .EXE file. This .EXE file is detected by Trend Micro as TROJ_AGENT.CZW.
Also, Trend has added detection today for a new PowerPoint POC crash exploit that's most likely related to this overall vulnerability:
New PowerPoint POC Crash exploit
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPPCRASH%2EA
Microsoft and other vendors do not issue security updates using email messages, even though this new spoofed version appears to be realistic.
Microsoft Security Updates - Spoofing Attack
http://www.f-secure.com/weblog/archives/archive-072006.html#00000926
Copy of EMAIL message - HTML coding looks realistic
http://www.f-secure.com/weblog/archives/chto.gif
QUOTE: We've received several reports of a mass mailing that's going around. The messages have been spoofed to look like they are from Microsoft and arrive with title "Warning! New Virus On The Internet! Update Now!". The link in the mail goes to <<<URL REMOVED>>> and downloads an IRC backdoor. The downloaded file is detected as W32/FakeMSUpdate by our latest update
FormSpy (aka FireSpy) is a new spyware program designed to integrate into the Mozilla browser environment. It is being spread by spam email spoofed to appear as a billing issue from Walmart, launched on July 24th. The attachment contains a downloader malware agent that can install FormSpy as a Firefox plugin. This new threat can be avoided easily by users avoiding spam email and attachments.
FormSpy - Spyware program hooks into Mozilla Firefox
http://www.avertlabs.com/research/blog/?p=62
http://vil.nai.com/vil/content/v_140256.htm
QUOTE: Upon execution, it registers Mozilla event listeners to the malware and sends information submitted by the victim in the web browser to a malicious website. This information can include, but is not limited to, credit card numbers, passwords, e-banking pin numbers etc. The main executable is also capable of sniffing passwords from ICQ, FTP, IMAP and POP3 traffic.
FireSpy - Sophos Writeup
http://www.sophos.com/security/analyses/trojfirespya.html
QUOTE: Troj/FireSpy-A will then attempt to register the dropped component as a Firefox plugin and begin monitoring the user's browsing habits, stealing information including monitoring and logging information from Web forms
----- EMAIL TO AVOID -----
Downloader-AXM - Massively spammed on 07/24/2006
http://vil.nai.com/vil/content/v_140257.htm
From: billing support [mailto:info@walmart.com]
Subject: Your order information WC2905036
Message: Dear Sir/Madam, Thank you for shopping with our internet shop. Your order, WC2905036, has been received. Summary of your order you can see in the attachment file.
Attachment: wc2905036.exe
All corporate and home users should ensure they are up-to-date on the latest security patches offered by Microsoft as three new exploits have recently surfaced.
MS06-034, MS06-035, and MS06-036 Exploits surface
http://www.incidents.org/diary.php?storyid=1509
http://www.frsirt.com/english/threats/
QUOTE: Exploit code has been published for critical vulnerabilities in Microsoft Windows (SRV.SYS Driver Mailslot Overflow and DHCP Client Service Overflow), and for a less serious flaw in Microsoft Internet Information Services (IIS). These vulnerabilities were recently patched with MS06-034, MS06-035, and MS06-036. Administrators and users are urged to apply the appropriate vendor patches.
Haxdoor is one of the most popular and dangerous Windows-based rootkits. Users should continue to be cautious with all suspicious email messages.
Haxdoor.CP - Spammed email with Rootkit
http://www.incidents.org/diary.php?storyid=1508
http://secunia.com/virus_information/30929/haxdoor-cp/
http://www.sophos.com/security/analyses/trojhaxdoorcp.html
QUOTE: Troj/Haxdoor-CP is a Trojan for the Windows platform. Troj/Haxdoor-CP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer. Troj/Haxdoor-CP includes functionality to: - stealth its files, processes, registry entries and services - prevent itself being terminated...
Email to avoid:
Subject line: Confirmation for Order WC2905036
Message text: Dear Sir/Madam, Thank you for shopping with our internet shop. Your order, WC2905036, has been received. Summary of your order you can see in the attachment file.
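Added example, not from any of the vendor write-ups above: the three mailings on this page (the spoofed Microsoft update with a download link, the Downloader-AXM "Walmart order" with an .exe attachment, and the Haxdoor.CP message reusing the same order text) share two tells, an executable attachment or a link whose host does not belong to the claimed sender's domain. This triage script applies both checks plus the F-Secure caveat that Microsoft does not distribute updates by email. The three sample messages are constructed from the text quoted on this page; the patch-download.example host stands in for the removed URL and is an assumption.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def sender_domain(msg) -> str:
    """Domain of the From: address, lower-cased ('' if it cannot be parsed)."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def same_org(host: str, domain: str) -> bool:
    return bool(domain) and (host == domain or host.endswith("." + domain))


def triage(raw: str) -> list:
    """Return (reason, detail) tuples for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    findings, links, attachments = [], [], []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in EXEC_EXTENSIONS:
                findings.append(("exec_attachment", filename))
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            links.extend(URL_RE.findall(part.get_content()))
    for url in links:
        host = (urlparse(url).hostname or "").lower()
        if not same_org(host, domain):
            findings.append(("link_domain_mismatch", host))
    # Microsoft never pushes patches by mail, so a microsoft.com sender that
    # carries a link or attachment is suspect on that basis alone.
    if same_org(domain, "microsoft.com") and (links or attachments):
        findings.append(("vendor_never_mails_updates", domain))
    return findings


# Constructed samples, modelled on the messages quoted on this page.
FAKE_WALMART = """\
From: billing support <info@walmart.com>
Subject: Your order information WC2905036
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Dear Sir/Madam, Thank you for shopping with our internet shop. Your order,
WC2905036, has been received. Summary of your order you can see in the
attachment file.
--sep
Content-Type: application/octet-stream; name="wc2905036.exe"
Content-Disposition: attachment; filename="wc2905036.exe"

MZ (placeholder bytes, not a real executable)
--sep--
"""

FAKE_MS_UPDATE = """\
From: "Microsoft Security" <update@microsoft.com>
Subject: Warning! New Virus On The Internet! Update Now!
MIME-Version: 1.0
Content-Type: text/html

<html><body><p>A new virus is spreading. Install the patch now:</p>
<a href="http://patch-download.example/fixpatch.exe">Download update</a>
</body></html>
"""

LEGIT_NEWSLETTER = """\
From: newsletter@example.org
Subject: Monthly newsletter
Content-Type: text/plain

Read this month's issue at http://www.example.org/news/july
"""

if __name__ == "__main__":
    for name, raw in [("walmart", FAKE_WALMART), ("msupdate", FAKE_MS_UPDATE),
                      ("newsletter", LEGIT_NEWSLETTER)]:
        print(name, triage(raw))
```

Neither check needs a signature: the Walmart mail is caught by the attachment extension alone, and the Microsoft one by the link host, which is why both rules belong at the gateway rather than waiting for the AV definition the write-ups mention.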
The ISO and NRG extensions used for CD image files may need to be added to AV file extension scan lists.
Bahisho Worm - Spreads to ISO/NRG imaging file extensions
http://secunia.com/virus_information/30924/bahisho.a/
QUOTE: This worm propagates by searching for images with .ISO and .NRG file extensions in random folders. When the said image files are found, it drops its copy into the folder where the image files are located. In effect, when an optical disk image or an .NRG image file is burned, this worm copies itself into the CD or CD-ROM. ISO images (.ISO) are optical disk or Universal Disk Format (UDF) image files, while .NRG files are image files associated with the application Nero.
The new ProtectionBar adware program issues false security warnings that can alarm users into purchasing a license. Users are better served by using a mainstream anti-spyware product (e.g., Webroot, McAfee, Defender, etc.), rather than toolbars or "free" plug-ins that may not provide good security protection.
ProtectionBar - Panda warns on new adware program designed to trick users
http://www.pandasoftware.com/about/press/viewNews.htm?noticia=7619
QUOTE: Panda Software warns of a new adware program called ProtectionBar, which tries to trick users by installing false security programs on their computers. These programs inform users that their computer is infected by threats that do not exist or show fictitious errors. Then, they threaten users so that they buy the license in order to delete the malware supposedly detected. The aim of this system is to earn a profit for the developers of these programs, who will share it with the creators of ProtectionBar
F-Secure shares an interesting development on how the bad guys are timing exploits to surface right after Patch Tuesday. Thankfully, the unpatched Office vulnerabilities have been rare in the wild. Users should continue to keep up-to-date on AV protection plus exercise caution when they receive any email with Office-related attachments.
Exploit Wednesday -- the day after Patch Tuesday
http://www.f-secure.com/weblog/archives/archive-072006.html#00000922
QUOTE: The bad guys are taking advantage of three things:
1. The first is the patch cycle itself. These new exploits are being released after the second Tuesday of each month to maximize their lifespan.
2. The second is the common day-to-day routine of receiving Office files. There haven't been any new macro viruses to speak of for some time and so Office files (doc/xml/ppt) easily pass through corporate firewalls and people don't think twice about clicking on them. This avenue of attack is currently under the radar and is not perceived as a danger by end users.
3. And the third advantage is that the companies exploited don't want to talk about it. They dread the negative publicity as a victim of espionage. That's why the public doesn't know the name of last month's Excel exploit victim. Such hush-hush may be keeping some of these exploits from being reported.
An important security release to patch vulnerabilities has just been released. This should be quickly lab tested and applied in production.
Oracle - Critical Security Release for July 2006