August 2006 - Posts

The Spybot family is one of the most popular and adaptable (i.e., it is easy to create new variants) malware attack programs circulating in the wild. The latest variant now includes the MS06-040 exploit along with the capability to download and install a rootkit.

Spybot - New Variant includes MS06-040 Exploit plus Rootkit
http://vil.mcafeesecurity.com/vil/content/v_135336.htm

QUOTE: The worm opens a backdoor at TCP port 443 and tries to connect to an IRC server and waits for commands. One of the ways this worm can spread is by exploiting the MS06-040 vulnerability. TCP port 443 is normally used for the https protocol but this worm uses it for IRC. W32/Spybot.worm.gen.p is a worm that also drops a rootkit component to hide its files and processes. This rootkit component is detected as NTRootKit-J.

Actions that the worm may perform on receiving appropriate commands include:

* Enumerate active processes and threads on the infected computer
* Start, stop and hide processes and threads
* Modify Microsoft Internet Explorer's start page
* Open a local web server
* Port scan IP addresses in a specified subnet to identify possible targets for infection
* Open backdoor at a specified port
* Transfer files
* Spread via MIRC
* Update itself
* Restart infected machine
* Flush ARP and DNS caches
* Sniff network traffic
* Create, delete and try to spread via network shares
* Spread via AOL Instant Messenger
* Download files from a specified URL
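The McAfee description above points out the one network-visible oddity a defender can act on: cleartext IRC on TCP 443, a port that should only ever carry TLS. The following is an added example (not McAfee's detection logic, and not code from the original post) that classifies the first bytes of a TCP flow as TLS, SSLv2, IRC or unknown, and raises an alert for any cleartext protocol seen on 443. The flow records and payloads are constructed samples; the IRC command names come from the IRC protocol itself, not from the worm's own traffic, which the page does not show.

```python
import re

# IRC commands and the server "001" welcome numeric, as they appear at the start of
# a cleartext IRC session (RFC 1459/2812 names; constructed sample traffic below).
IRC_LINE = re.compile(
    rb"^(?::[^ ]+ )?(NICK|USER|PASS|JOIN|PRIVMSG|NOTICE|PING|PONG|001)\b",
    re.IGNORECASE,
)


def classify_payload(first_bytes: bytes) -> str:
    """Guess which protocol is speaking from the first bytes a client or server sent."""
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 \
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04:
        return "tls"        # TLS record layer: handshake (0x16), version 3.x
    if len(first_bytes) >= 3 and (first_bytes[0] & 0x80) and first_bytes[2] == 0x01:
        return "sslv2"      # SSLv2 2-byte header (high bit set) + CLIENT-HELLO (type 1)
    # Look at the first few lines only; IRC registration happens immediately.
    for line in first_bytes.split(b"\r\n")[:5]:
        if IRC_LINE.match(line.strip()):
            return "irc"
    return "unknown"


def scan_flows(flows):
    """flows: iterable of (src, dst, dport, first_bytes).

    Returns one alert per flow to port 443 whose payload is not TLS/SSLv2,
    which is exactly the Spybot behaviour described above."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != 443:
            continue
        proto = classify_payload(payload)
        if proto not in ("tls", "sslv2"):
            alerts.append({"src": src, "dst": dst, "proto": proto})
    return alerts


# Constructed sample flows (addresses and payloads are made up for the example).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443,
     b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03"),           # normal TLS ClientHello
    ("10.0.0.7", "203.0.113.20", 443,
     b"NICK bot1234\r\nUSER bot1234 0 * :bot\r\nJOIN #c\r\n"),  # IRC on 443: suspicious
    ("10.0.0.9", "203.0.113.30", 6667,
     b"NICK alice\r\nUSER alice 0 * :alice\r\n"),               # IRC on its usual port
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(f"ALERT cleartext {alert['proto']} to {alert['dst']}:443 from {alert['src']}")
```

Feeding this the first payload of each new connection (from a sensor, flow export or a pcap reader) is enough; it never needs the full stream, and a TLS-only expectation for 443 also catches other tools that borrow the port to slip past egress filtering.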

This blog entry discusses "little Johnnie and Susie" returning to school and the need to be careful with the PC environment (e.g., web searches, email, Instant Messaging, etc.) ... Indeed, parents have to teach their children well, and these good principles apply to everyone when it comes to Internet safety.

AVERT Labs - Security begins at home
http://www.avertlabs.com/research/blog/?p=76

McAfee Security Tips
http://www.mcafee.com/us/threat_center/tips.html

AVERT Labs - Security and Children's Web Sites
http://www.avertlabs.com/research/blog/?p=22

QUOTE: There are two basic things which will have the biggest effect on the security of any desktop/laptop machine: 

(1) Application/OS vulnerabilities

No OS is completely immune from application or OS vulnerabilities. The response of the vendor is the biggest consideration and arguably at this point the major players aren’t leaving actively attacked holes open for extended periods of time. With a firewall and anti-virus software in place, the average user will be reasonably safe. (If your machine should be armored like Fort Knox, obviously “reasonably safe” won’t be sufficient, but that’s another story)

(2) Social engineering

So, what’s left at that point is social engineering. No amount of OS security or security products will prevent you from putting your home address, phone number, credit card information, etc. out on a website if you’re truly determined. Malware does not have to be prevalent to be dangerous - if you’re the only person in the world who got targeted and your machine is compromised in some way, it’s still a big deal to you personally. People still need to be aware and proceed carefully regardless of what kind of machine they’re using.

While this statistic seems high, there is a definite increasing trend toward keyloggers, password stealers, backdoors, phishing attacks, etc. Malware writers are now more inclined to steal from people in a stealthy manner than to launch the destructive payloads we used to see in the past.

Panda Labs - 88% of New malware in 2nd quarter related to Cybercrime
http://www.pandasoftware.com/about/press/viewNews.htm?noticia=7719

QUOTE: According to Luis Corrons, director of PandaLabs: “the results show how malware creators are concentrating on profiting from their efforts, creating increasing numbers of Trojans and bots. The greatest danger lies in the fact that they are installed and operate silently without users noticing any of the typical symptoms of infection and therefore victims are unaware that their computers are being used to steal from them or even from third-parties. This false sense of security works in favor of the attackers.”

Kaspersky Labs documents the usage of GIF animation in spam messages that are designed to bypass content filtering controls.

See August 30th entry - "An animated August"
http://www.viruslist.com/en/weblog?calendar=2006-08

Example of "Hot Stocks" SPAM using GIF animation
http://www.viruslist.com/en/imagesen/pictures/vlweblog-196822919.gif

QUOTE: We've recently detected yet another new trick being used by spammers. Spam now isn't just being sent as a static graphical image in an attachment, but as an animated image. Spammers are using GIF animation which will be recognized and displayed by all popular browsers. Spammers are always developing new technologies in order to evade spam filters. Whether or not animation will make spam more difficult to detect isn't yet clear. It's true that a lot of spam filters don't analyze the actual graphics in spam.
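The Kaspersky note says many filters never look inside the graphic. A filter does not have to decode the image to notice that it is animated: it only needs to walk the GIF block structure and count image descriptors. The following is an added example (not Kaspersky's or any vendor's code) of such a frame counter, with a constructed one-pixel GIF builder so it runs stand-alone; the frame-count threshold is an assumption for a mail filter, not a rule from the post.

```python
def _skip_subblocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed data sub-blocks, which ends at a 0 byte."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_frame_count(data: bytes) -> int:
    """Count image frames in a GIF by walking its block structure (no LZW decoding)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    if len(data) < 13:
        raise ValueError("truncated logical screen descriptor")
    packed = data[10]                      # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                      # global colour table present
        pos += 3 * (2 << (packed & 0x07))  # 3 bytes per entry, 2^(N+1) entries
    frames = 0
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                  # trailer
            return frames
        if block == 0x21:                  # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif block == 0x2C:                # image descriptor: 9 bytes, optional local table
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:
                pos += 3 * (2 << (ipacked & 0x07))
            pos = _skip_subblocks(data, pos + 1)   # +1 skips the LZW minimum code size
            frames += 1
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    raise ValueError("missing trailer")


def is_animated_gif(data: bytes, min_frames: int = 2) -> bool:
    """Filter policy (assumed): an image attachment with 2+ frames counts as animated."""
    return gif_frame_count(data) >= min_frames


# Constructed sample: a 1x1, 2-colour frame (standard minimal LZW stream 02 44 01).
ONE_PIXEL_FRAME = (b"\x2c" + b"\x00\x00\x00\x00" + b"\x01\x00\x01\x00" + b"\x00"
                   + b"\x02" + b"\x02\x44\x01" + b"\x00")


def make_gif(frames: int, loop: bool = False) -> bytes:
    """Build a tiny GIF89a with the given number of frames (constructed test input)."""
    gif = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x80\x00\x00"      # 1x1, global table of 2
    gif += b"\x00\x00\x00\xff\xff\xff"                             # black, white
    if loop:
        gif += b"\x21\xff\x0bNETSCAPE2.0\x03\x01\x00\x00\x00"      # looping extension
    for _ in range(frames):
        gif += b"\x21\xf9\x04\x00\x0a\x00\x00\x00"                # graphic control: 100 ms
        gif += ONE_PIXEL_FRAME
    return gif + b"\x3b"


if __name__ == "__main__":
    for n in (1, 4):
        print(n, "frame(s) ->", "animated" if is_animated_gif(make_gif(n, loop=n > 1)) else "static")
```

Because the walker only follows length fields, it is cheap enough to run on every image attachment at the gateway; a malformed or truncated file raises instead of being silently accepted, which a filter can treat as its own reason for suspicion.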

Most recent exploit attacks have been of the spammed trojan horse variety. This new attack, based on the MS06-001 WMF exploit, is a true worm that can replicate among vulnerable PCs if the user clicks on the infected attachments.

MS06-001: Womble Worm - WMF Exploit
http://vil.nai.com/vil/content/v_140497.htm
http://www.sophos.com/security/analyses/w32womblea.html

W32/Womble@MM is a mass mailing worm which uses Exploit-WMF to spread. It may arrive as a ZIP archive or as a file using the following file extension: JPG.WMF. W32/Womble@MM uses its own SMTP engine to send out the messages.

It generates the email as follows:

---- EMAIL TO BLOCK OR AVOID ----

From: (Spoofed email sender)

Subject: Uses any one of the following: info, Incredible!!, Hi, important, !!, Look at this!!!, FIFA, pic, private, Beauty, Re: Private, Olympus, Bush, Kiss, Paula, Miss Khan, etc.

Attachment: firefox_update.pif.zip, congratulations.jpg.zip, your_friends.wmf.zip, some_info.wmf, your_friends.jpg

Files with .ZIP extensions are just copies of the worm itself. Files with either .JPG or .WMF extensions contain Exploit-WMF as well as the worm.

This trojan horse provides an example of a well done social engineering approach, designed to deceive users into opening the ZIP based attachment. The appearance, message, and wording are realistic. Users should always be cautious and avoid taking action based on email messages alone.   

Clagger.E - New Realistic Paypal based scam
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCLAGGER%2EE

Clagger.E - Behavioral Diagram
http://www.trendmicro.com/vinfo/images/TROJ_CLAGGER_E2_BD.gif

EMAIL MESSAGE TO BLOCK OR AVOID
http://www.trendmicro.com/vinfo/images/TROJ_CLAGGER_E2_img.gif

CERT has issued an advisory and Microsoft has updated its advisory regarding long URL strings that can cause a buffer overflow condition. The August 22nd re-release was postponed so that QA issues could be fully resolved.

CERT - Microsoft Internet Explorer long URL buffer overflow
http://www.kb.cert.org/vuls/id/821156

QUOTE: Microsoft Internet Explorer 6 Service Pack 1 on Windows 2000 and Windows XP SP1 contains a vulnerability when viewing a web site using the HTTP 1.1 protocol. If the web site uses HTTP 1.1 compression and contains an overly long URL, a buffer overflow can occur. Note that this vulnerability was introduced with the first release of the MS06-042 updates on August 8, 2006.

MS06-042 Re-release postponed to ensure Quality
http://blogs.technet.com/msrc/archive/2006/08/22/448689.aspx

QUOTE: On August 15, 2006 Microsoft announced that it would be re-releasing MS06-042 Tuesday, August 22, 2006 to address an issue affecting Internet Explorer 6 Service Pack 1 customers discussed in Microsoft Knowledge Base Article 923762. Due to an issue discovered in final testing, Microsoft will not be re-releasing MS06-042 today. This update will be re-released for Internet Explorer 6 Service Pack 1 when it meets an appropriate level of quality for broad distribution.

Additional Links:

Microsoft Security Advisory (923762)
http://www.microsoft.com/technet/security/advisory/923762.mspx

Secunia
http://secunia.com/advisories/21557/

FrSIRT
http://www.frsirt.com/english/advisories/2006/3356

Security Focus
http://www.securityfocus.com/news/11408

This article from Network World was highlighted in the morning email and documents some of the key changes associated with the new airline restrictions. 

Article:  That won't fly, how new airplane rules could affect you

By: M. E. Kabay

As readers will no doubt be aware, on Aug. 10, British police arrested 21 people suspected of plotting to blow up planes flying from the U.K. to the U.S.

http://news.bbc.co.uk/2/hi/uk_news/4778575.stm 

In the wake of these police actions, the U.K. Department of Transport issued new, stricter regulations limiting what passengers can take into aircraft cabins.

The press release of Aug. 10

http://news.bbc.co.uk/2/hi/uk_news/4778615.stm 

This specifically allows only the following - and everything must be placed in a transparent plastic bag, not in pockets (quoting exactly):

* Pocket-size wallets and pocket-size purses plus contents (for example money, credit cards, identity cards etc (not handbags)

* Travel documents essential for the journey (for example passports and travel tickets)

* Prescription medicines and medical items sufficient and essential for the flight (e.g., diabetic kit), except in liquid form unless verified as authentic

* Spectacles and sunglasses, without cases

* Contact lens holders, without bottles of solution

* For those traveling with an infant: baby food, milk (the contents of each bottle must be tasted by the accompanying passenger) and sanitary items sufficient and essential for the flight (nappies, wipes, creams and nappy disposal bags)

* Female sanitary items sufficient and essential for the flight, if unboxed (e.g. tampons, pads, towels and wipes)

* Tissues (unboxed) and/or handkerchiefs

* Keys (but no electrical key fobs).

All other belongings must be stowed in checked luggage.

As I read these rules, business travelers, such as the readers of this column, who may need to fly to the U.K. and back from the U.S. will have to consider some information security issues.

First of all, nobody is going to be bringing laptop computers, cell phones, PDAs or even watches onto the aircraft. That restriction means that confidential information stored on such devices may now be exposed to greater threat than if the devices were kept with the passenger. Anyone planning to allow baggage handlers to have access to laptop computers and such would do well to act on security experts' repeated pleas to use disk encryption.

On a personal note, my PDA uses strong encryption for confidential data, and my watch has a password on the "Note" section where I store such things as bank account numbers.

Not having your computer with you on a transatlantic flight may change your perspective on the productivity costs of international travel. I recommend you bring a good book, because you sure aren't going to be answering e-mail, writing that management report you intended to finish, or even watching DVDs or listening to CDs or your iPod. And forget the sound suppressing earphones: I don't see those on the approved list, either.

It is possible that we will see an increase in the relative value of electronic conferencing, perhaps including Web-camera feeds for videoconferencing in lieu of physical transatlantic meetings. If similar restrictions come to be applied in the U.S., the same cost/benefit calculations may reduce business air travel and increase virtual meetings. We will have to pay better attention to the security of such communications; VPNs will become standard operating procedures for any kind of confidential information interchange at such meetings.

The VA has had at least two major incidents, and it is truly a wise move for any company to encrypt hard drives and other media for a better level of physical security.

VA Secretary Unveils Data Security Encryption Program
http://www1.va.gov/opa/pressrel/pressrelease.cfm?id=1169

Microsoft has recently established a blog for commentary regarding security topics for its new Windows Vista operating system:

http://blogs.msdn.com/windowsvistasecurity/

F-Secure has escalated this new variant of Haxdoor to MEDIUM RISK as it represents about 60% of their reported infections.

Haxdoor.KI - Rootkit attack spreading in Europe
http://www.f-secure.com/weblog/archives/archive-082006.html
http://www.f-secure.com/weblog/archives/europe.jpg
http://www.f-secure.com/v-descs/haxdoor_ki.shtml

Haxdoor.KI - On the 17th of August 2006 we received numerous reports of a new Haxdoor backdoor variant being spammed as an e-mail attachment to a large number of people. The backdoor was spammed inside an archive named rakningen.zip. The backdoor's file, located inside the archive, is named rakningen.exe. (Swedish) We also have a report that it was spammed inside an archive named rechnung.zip as rechnung.exe. (German)

Haxdoor is a powerful backdoor with rootkit and spying capabilities. It can hide its presence, processes and files, on an infected system. So when it is active, it can only be detected by anti-virus programs that use kernel drivers and by rootkit detectors such as our F-Secure BlackLight. It can also be detected by F-Secure products that have a built-in anti-rootkit engine such as our F-Secure Internet Security 2006.

MS06-051 is an important one to have installed for protection. 

MS06-051: MoBB - Putting the fun in browser fun 
http://metasploit.blogspot.com/2006/08/putting-fun-in-browser-fun.html

QUOTE: The important take away is that the use of this technique means that all of the otherwise non-exploitable issues reported in H D's postings can potentially be exploited in a reliable fashion through the use of this technique. However, it will only work on machines that are not patched with the latest critical updates since this issue has now been addressed by the patch that was created for MS06-051. At any rate, it would be interesting to know what other applications might be vulnerable to this type of attack as well as other interesting ways to achieve it in Internet Explorer.


http://browserfun.blogspot.com/

QUOTE: Matt Miller posted to the Metasploit Blog about a technique that allows arbitrary code execution in Internet Explorer using any fatal unhandled exception. Every Internet Explorer denial of service flaw is exploitable if MS06-051 has not been installed. More information can be found in the Uninformed Journal article.

Exploiting the Otherwise Non-exploitable on Windows 
http://uninformed.org/index.cgi?v=4&a=5

Even though Vista and IE 7 represent better security than XP SP2 or IE 6 SP1 respectively -- they will require patching, as no software product is perfect or bulletproof.

Windows Vista - First security patch issued
http://www.informationweek.com/news/showArticle.jhtml?articleID=192201435 

QUOTE: Microsoft confirmed Tuesday that two of the 12 security bulletins issued last week affect Windows Vista Beta 2, the widely-used preview, and posted download instructions for the first security updates to its next-generation operating system.

"We are committed to releasing Windows Vista updates for all MSRC critical class issues that may arise during the beta testing period," wrote Alex Heaton, product manager for the Windows Vista security team, on the group's blog.

Out of the dozen bulletins released Aug. 8, two -- MS06-042 and MS06-051 -- impact Vista Beta 2. "Of the seven critical Windows updates released in August, only 2 also affect Windows Vista Beta 2 or later," said Heaton.

MS06-042 is a cumulative security update for Internet Explorer that included patches for 8 different vulnerabilities; MS06-051 detailed a fix for a flaw in the Windows kernel that might let attackers hijack PCs by drawing users to malicious Web sites.

On August 22, 2006, Microsoft will be releasing MS06-042 with the integrated Hot Fix, so it's available with Windows Update.  

MS06-042 and IE 6.0 SP1 Issues - New Windows Update release by August 22nd 
http://blogs.technet.com/msrc/archive/2006/08/16/447023.aspx
http://www.incidents.org/diary.php?storyid=1604

MS06-042 - Hot Fix information
http://support.microsoft.com/kb/923762/

QUOTE: A new version of security update 918899 is currently in development and will be released to all Microsoft Internet Explorer 6 Service Pack 1 customers by August 22, 2006. The new update will be available on the Microsoft Download Center and by using Windows Update. Customers who are using any version of Internet Explorer other than Internet Explorer 6 Service Pack 1 together with any Windows version are not affected by this release and do not have to take any action.

W32.Toyep.A - New EMAIL worm uses ZIP extensions
http://secunia.com/virus_information/31444/toyep/
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-081615-5719-99

QUOTE: It gathers email addresses from the compromised computer and uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics. The main danger is a secondary EXE-based virus attack downloaded from a hostile website.

EMAIL TO AVOID
From: [Spoofed]
Subject: [varies]
Attachment: message.zip, data.zip, logfile.zip
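Both "EMAIL TO BLOCK OR AVOID" lists on this page (W32/Womble@MM above and W32.Toyep.A here) come down to the same two attachment tells: a ZIP that wraps an executable or WMF, and a double extension such as .jpg.zip or .pif.zip. The following is an added example (not Symantec's, McAfee's or Secunia's detection logic, and not code from the original post) of a gateway check that applies those tells to a parsed message, plus a content check for a file named .jpg whose bytes are really a Windows metafile. The extension lists and the WMF magic-byte test are assumptions for the example; the sample messages are constructed, reusing attachment names quoted on the page.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed policy lists for the example (not vendor signatures).
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd"}
EXPLOIT_CARRIER_EXTS = {"wmf"}                 # MS06-001 Exploit-WMF carrier
IMAGE_EXTS = {"jpg", "jpeg", "gif", "bmp"}
ARCHIVE_EXTS = {"zip"}
# Placeable-WMF magic and the two standard WMF header starts (type 1/2, header size 9).
WMF_MAGICS = (b"\xd7\xcd\xc6\x9a", b"\x01\x00\x09\x00", b"\x02\x00\x09\x00")


def name_findings(filename: str) -> list:
    """Flag double extensions (your_friends.wmf.zip) and dangerous final extensions."""
    exts = filename.lower().rsplit("/", 1)[-1].split(".")[1:]
    findings = []
    if len(exts) >= 2 and exts[-2] in EXECUTABLE_EXTS | EXPLOIT_CARRIER_EXTS | IMAGE_EXTS:
        findings.append(f"double extension in {filename}")
    if exts and exts[-1] in EXECUTABLE_EXTS | EXPLOIT_CARRIER_EXTS:
        findings.append(f"dangerous extension in {filename}")
    return findings


def content_findings(filename: str, data: bytes) -> list:
    """Look inside: image name with WMF bytes, or a ZIP wrapping risky names."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    findings = []
    if ext in IMAGE_EXTS and data.startswith(WMF_MAGICS):
        findings.append(f"{filename} is a WMF metafile, not an image")
    if ext in ARCHIVE_EXTS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for inner in zf.namelist():
                    for f in name_findings(inner):
                        findings.append(f"inside {filename}: {f}")
        except zipfile.BadZipFile:
            findings.append(f"{filename} is not a valid ZIP")
    return findings


def classify(raw_message: bytes) -> list:
    """Return all findings for a raw RFC 822 message; an empty list means nothing matched."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        findings += name_findings(name) + content_findings(name, data)
    return findings


def build_sample(attachment_name: str, inner_name: str = None, payload: bytes = b"") -> bytes:
    """Constructed test message; if inner_name is given the attachment is a ZIP wrapping it."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"
    msg["Subject"] = "Look at this!!!"           # subject line quoted on the page
    msg.set_content("constructed sample body")
    if inner_name:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(inner_name, payload)
        payload = buf.getvalue()
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "womble zip": build_sample("your_friends.wmf.zip", "your_friends.wmf", b"\x01\x00\x09\x00" + b"\x00" * 20),
        "womble jpg": build_sample("your_friends.jpg", None, b"\xd7\xcd\xc6\x9a" + b"\x00" * 20),
        "clean": build_sample("report.txt", None, b"quarterly numbers"),
    }
    for label, raw in samples.items():
        print(label, "->", classify(raw) or "no findings")
```

The name check alone catches every attachment name listed for both worms except your_friends.jpg; that one only falls out of the content check, which is why a gateway should open archives and sniff magic bytes rather than trust the declared extension.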
