October 2006 - Posts

Sharing an article on Stration, which is worth watching for new developments, as it is now one of the leading e-mail worms.

Stration Worm -- Tricky new malware unnerves security vendors
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004601

QUOTE: October 30, 2006 (IDG News Service) -- A tricky malicious program has become more prevalent in spam, but experts don't know what its creators plan to do with it. Many vendors are rating the malware -- called "Warezov," "Stration" and "Stratio" -- as a low risk. But they also say that it is tricky to deal with.

The malware is a mass-mailing worm that affects machines running Microsoft Corp.'s Windows OS. When the malware infects a computer -- usually after the user has opened an attachment containing the worm in a spam e-mail -- it sends itself out again to other e-mail addresses found on the computer. The code is then capable of downloading new versions of itself as frequently as every 30 minutes from a batch of Web sites, said Mikko Hypponen, chief research officer at F-Secure Corp., a security company in Helsinki.

Those new versions are created by a program on a server controlled by the hacker, Hypponen said.  In the past, malware has been known to create variations of itself, but the code to create those variations was contained inside the malware. So when a sample was obtained, security analysts could study it and identify potential new versions, he said.
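The polling behaviour Hypponen describes, an infected host fetching a fresh copy of itself from a batch of web sites at a fixed interval, is visible from the network side even when every copy has a new hash. The following is an added example, not code from the article or from this blog, that scans proxy log lines for clients pulling executables at a near-constant period and pools hosts per client because the worm rotates among several sites. The log format, client addresses, host names and thresholds are all constructed for the example.

```python
"""Added example: spot Stration-style periodic downloads in proxy logs.
Log format, addresses, host names and thresholds are constructed here."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log: "<ISO timestamp> <client> <method> <url> <status>".
# 10.0.0.5 pulls an executable roughly every 30 minutes from two hosts;
# 10.0.0.7 downloads executables at irregular times; 10.0.0.9 just browses.
SAMPLE_LOG = """\
2006-10-31T13:02:11 10.0.0.5 GET http://update-a.example/pic.exe 200
2006-10-31T13:05:40 10.0.0.9 GET http://news.example/index.html 200
2006-10-31T13:10:00 10.0.0.7 GET http://dl.example/setup.exe 200
2006-10-31T13:15:00 10.0.0.7 GET http://dl.example/tool.exe 200
2006-10-31T13:32:09 10.0.0.5 GET http://update-a.example/pic.exe 200
2006-10-31T13:41:02 10.0.0.9 GET http://news.example/story.html 200
2006-10-31T14:02:14 10.0.0.5 GET http://update-b.example/pic.exe 200
2006-10-31T14:32:10 10.0.0.5 GET http://update-a.example/pic.exe 200
2006-10-31T14:50:55 10.0.0.9 GET http://mail.example/inbox 200
2006-10-31T15:02:12 10.0.0.5 GET http://update-b.example/pic.exe 200
2006-10-31T15:32:15 10.0.0.5 GET http://update-a.example/pic.exe 200
2006-10-31T16:45:00 10.0.0.7 GET http://dl.example/patch.exe 200
2006-10-31T17:00:00 10.0.0.7 GET http://dl.example/driver.exe 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Extensions Windows executes directly; the worm pulls new copies of itself.
EXEC_RE = re.compile(r"\.(exe|scr|pif|com|dll)(\?|$)", re.IGNORECASE)


def parse_log(lines):
    """Yield (timestamp, client, url) for lines matching the constructed format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, _method, url, _status = m.groups()
            yield datetime.fromisoformat(ts), client, url


def find_periodic_downloaders(lines, min_hits=4, tolerance_s=120):
    """Return {client: summary} for clients whose executable downloads occur at
    a near-constant interval: every gap between consecutive fetches lies within
    tolerance_s of the median gap. Hosts are pooled per client because the
    worm rotates among a batch of sites rather than using one URL."""
    fetches = defaultdict(list)
    for ts, client, url in parse_log(lines):
        if EXEC_RE.search(url):
            fetches[client].append((ts, url.split("/")[2]))
    flagged = {}
    for client, events in fetches.items():
        if len(events) < min_hits:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        period = median(gaps)
        jitter = max(abs(g - period) for g in gaps)
        if jitter <= tolerance_s:
            flagged[client] = {
                "count": len(events),
                "period_s": period,
                "jitter_s": jitter,
                "hosts": sorted({host for _, host in events}),
            }
    return flagged


if __name__ == "__main__":
    for client, info in find_periodic_downloaders(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {info['count']} fetches every ~{info['period_s']:.0f}s "
              f"(jitter {info['jitter_s']:.0f}s) from {', '.join(info['hosts'])}")
```

On the constructed log only 10.0.0.5 is flagged: six fetches about 1800 seconds apart with a few seconds of jitter, spread over two hosts. The irregular downloader 10.0.0.7 has enough hits but its gaps are nowhere near a single period, which is the property a legitimate software updater on a fixed schedule would share with the worm, so in practice the flagged pairs still need the hosts checked against the update servers you expect.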

Coincidentally, I just got a leading edge Stration variant that McAfee, Symantec, and Microsoft didn't detect (as of 2pm EDT).

EMAIL SUBJECT TITLE: This is not shown on TV.
ATTACHMENT: picture0000.zip (0000=number)


QUOTE: Complete scanning result of "picture1656.zip", processed in VirusTotal at 10/31/2006 19:37:49 (CET).

[ file data ]
* name: picture1656.zip
* size: 13321
* md5.: 17653f8f867ef7a6f5b9dd4be2f55902
* sha1: c0c70aead05814cb35097fc2358615868fd67f42

[ scan result ]
AntiVir 7.2.0.34/20061031 found [TR/Dldr.Stration.C.6]
Authentium 4.93.8/20061031 found [W32/Warezov.GA]
Avast 4.7.892.0/20061031 found [Win32:Warezov-MF]
AVG 386/20061031 found [I-Worm/Stration]
BitDefender 7.2/20061031 found [Win32.Warezov.EW@mm]
CAT-QuickHeal 8.00/20061031 found [I-Worm.Warezov.ev]
ClamAV devel-20060426/20061031 found [Worm.Stration.YY]
DrWeb 4.33/20061031 found [Win32.HLLM.Limar.based]
eTrust-InoculateIT 23.73.41/20061031 found [Win32/Stration.Variant!Worm]
eTrust-Vet 30.3.3170/20061031 found nothing
Ewido 4.0/20061031 found nothing
F-Prot 3.16f/20061031 found [W32/Warezov.GA]
F-Prot4 4.2.1.29/20061031 found [W32/Warezov.GA]
Fortinet 2.82.0.0/20061031 found [W32/Stration.DU@mm]
Ikarus 0.2.65.0/20061031 found [Email-Worm.Win32.Warezov.gen]
Kaspersky 4.0.2.24/20061031 found [Email-Worm.Win32.Warezov.ev]
McAfee 4884/20061030 found nothing
Microsoft 1.1609 /20061031 found nothing
NOD32v2 1.1845/20061031 found [a variant of Win32/Stration]
Norman 5.80.02/20061031 found [W32/Stration.AOH]
Panda 9.0.0.4/20061031 found nothing
Sophos 4.10.0/20061026 found nothing
TheHacker 6.0.1.109/20061030 found [W32/Generic!zip-dobleextension]
UNA 1.83/20061031 found nothing
VBA32 3.11.1/20061031 found [MalwareScope.Worm.Warezov.1]
VirusBuster 4.3.15:9/20061031 found [Trojan.Opnis.Gen.14]
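Mail-gateway triage for this sample, as an added example rather than code from this blog: it matches the subject line and the picture<nnnn>.zip naming pattern noted above, hashes the attachment so the MD5/SHA1 can be looked up against VirusTotal or a blocklist, and opens the archive to look for double-extension members, the generic heuristic behind TheHacker's "zip-dobleextension" name. Eight of the scanners above missed this file on signatures, so the example quarantines on the campaign fingerprint rather than on a hash. The message, the zip and its inner file name are constructed for the example; the page does not say what the real archive contained.

```python
"""Added example: mail-gateway triage for the Stration sample described above.
The message, the zip and its inner file name are constructed; the page does not
say what the real picture1656.zip contained."""
import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the post: the subject line and the attachment pattern.
SUBJECT_RE = re.compile(r"^This is not shown on TV\.$")
ATTACH_RE = re.compile(r"^picture\d{4}\.zip$", re.IGNORECASE)
# A "harmless" extension followed by an executable one, e.g. photo.jpg.exe.
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|gif|png|txt|doc|pdf)\.(exe|scr|pif|com|bat|cmd)$",
                           re.IGNORECASE)


def build_sample_message(subject, attachment_name, member_name):
    """Construct a test message carrying a zip with one stub member (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * 62)  # constructed placeholder bytes
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


def triage(raw_message):
    """Return a report: subject/name matches, hashes for blocklist or VirusTotal
    lookup, double-extension archive members, and an overall verdict."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    report = {
        "subject_match": bool(SUBJECT_RE.match(str(msg["Subject"] or ""))),
        "attachments": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        info = {
            "name": name,
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "name_match": bool(ATTACH_RE.match(name)),
            "double_ext_members": [],
        }
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                info["double_ext_members"] = [n for n in zf.namelist()
                                              if DOUBLE_EXT_RE.search(n)]
        report["attachments"].append(info)
    # Quarantine on the campaign fingerprint (subject plus naming pattern) or on
    # any disguised executable inside an archive; hash-only matching would miss
    # a server-side-generated variant, which is the point of the article.
    campaign = report["subject_match"] and any(a["name_match"] for a in report["attachments"])
    disguised = any(a["double_ext_members"] for a in report["attachments"])
    report["verdict"] = "quarantine" if (campaign or disguised) else "deliver"
    return report


if __name__ == "__main__":
    sample = build_sample_message("This is not shown on TV.", "picture1656.zip",
                                  "picture1656.jpg.exe")
    for key, value in triage(sample).items():
        print(key, value)
```

The naming pattern on its own is deliberately not enough to quarantine, since picture0001.zip is a plausible name for a legitimate attachment; it takes the subject line as well, or a disguised executable inside the archive. The hashes are computed on the zip as received, which is what the VirusTotal listing above shows, so they can be compared directly with a feed of known-bad attachments.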

Many projects, including security projects, have failed because people did not listen properly. It is an important skill to keep in mind when gathering input, coordinating tasks, or simply reading e-mail.

Listening - One of the most important communication skills
http://blogs.techrepublic.com.com/tech-manager/?p=213

QUOTE: Failure to listen is the first step in miscommunication. Technical folks, even technical project managers, are not always the best communicators. If we do not listen, and listen carefully, to one another things get lost. More importantly, other successful people who share that crazy spark which keeps us going, feel the lack of attention. They start to feel ignored, undervalued, and unappreciated.

So, what's a poor listener to do? In my case I ask myself four questions before I go into a conversation. These questions have become my mantra, something I repeat over and over again throughout the day.
 
1. Who am I really going to listen to, the person or my own inner voice?
2. What can I learn from this person by being brave enough to listen?
3. When will I need to accept help from this person again?
4. How can I tell this person that I believe in them as much as they believe in themselves?

My settings are a little more secure than the IE 7 defaults.  So far, IE 7 has passed 2 of the 3 tests noted for IE 7 at Secunia.  The one area related to an Outlook Express vulnerability is not in the wild and would be mitigated through phishing controls and best practices. 

Secunia: Internet Explorer 7 Window Injection Vulnerability
http://secunia.com/advisories/22628/

QUOTE: A vulnerability has been discovered in Internet Explorer 7, which can be exploited by malicious people to spoof the content of websites.  The problem is that a website can inject content into another site's window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website.

TEST for vulnerabilities
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

MORE INFORMATION
http://msmvps.com/blogs/spywaresucks/archive/2006/10/30/228561.aspx

This new blog resource evaluates SOX IT requirements and has several informative posts:

Sarbanes Oxley Blackbelt 404 - Excellent Blog Resource
http://www.sarbox404.com/

Below are additional links to follow up on the good information Bill and Richard shared with us over the weekend.

Microsoft Windows NAT Helper Components DNS Denial of Service Vulnerability
http://www.frsirt.com/english/advisories/2006/4248

QUOTE: A vulnerability has been identified in Microsoft Windows, which could be exploited by malicious users to cause a denial of service. This flaw is due to a NULL pointer dereference error in the NAT Helper Components ("ipnathlp.dll") when processing requests via the "DnsProcessQueryMessage()" and "NatCreateRedirect()" functions, which could be exploited by attackers on the LAN to crash the Service Host Process by sending a specially crafted DNS request to a vulnerable system with Internet Connection Sharing enabled.

Note : A proof of concept exploit has been published.

ISC: Remote DoS released targets Windows Firewall/Internet Connection Sharing (ICS) service component
http://www.incidents.org/diary.php?storyid=1809

Microsoft ICS DoS FAQ
http://blog.ncircle.com/archives/2006/10/microsoft_ics_d.htm

Am I vulnerable Checklist:
1) Are you running Windows XP
2) Are you sharing your internet connection?

If the answer is yes to both of those, then you are vulnerable.

Mitigation:
1) Disable Internet Connection Sharing.
2) Block UDP port 53 (DNS) on the computer that is sharing the internet, and manually set the DNS server to your ISP's DNS address.

While this is humorous, it contains some good tips on better IT security controls for organizations.

Halloween: User Tricks and Security Treats
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004538

QUOTE: Thirteen malevolent spirits may haunt the halls and cubicles of your company, and if you're going to scare them into security compliance, you may need to get a little bit spooky yourself. Have a few treats up your sleeve to return for these goblins' sinister tricks.

ID Thefts Slam Online Brokers
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=270665

QUOTE: Two of the top online stock brokerages in the U.S. disclosed that overseas hackers broke into some of their customer accounts during the past three months, resulting in combined losses of at least $22 million and leading both firms to take steps to bolster their security measures.

All WinAmp users should update to the latest WinAmp release to correct two critical security issues.

WinAmp Media Player - Critical Security Update
http://www.kb.cert.org/vuls/id/449092
http://www.winamp.com/player/version_history.php#5.31
http://secunia.com/advisories/22580/

Two vulnerabilities have been reported in Winamp, which can be exploited by malicious people to compromise a user's system.

1) An error in the Ultravox protocol handler during processing of the "ultravox-max-msg" header can be exploited to cause a heap-based buffer overflow via either a specially crafted playlist or a "shout:" or "uvox:" URI.

2) An error during the parsing of certain Lyrics3 tags can be exploited to cause a heap-based buffer overflow via either a specially crafted playlist or a "shout:" or "uvox:" URI.

The vulnerabilities are reported in versions 2.666 through 5.3.

SOLUTION -- Update to version 5.31
http://www.winamp.com/player/

I've found George Ou to provide some good technical writing for Tech Republic.  He also shares that IE 7 is a "must have" upgrade and offers positive comments from a security perspective.

George Ou - Bottom line on IE7
http://blogs.techrepublic.com.com/Ou/?p=349

QUOTE: So what does IE7 really mean to individuals and companies?  If you're using IE6 as your primary browser, IE7 is a must have.  For IE6 users, IE7 will offer a huge improvement in the user interface though it is highly recommended that you follow the welcome tutorial to get acquainted with it.  The UI is much more streamlined and the traditional file-edit-view menu is always hidden though you can still make it show up by hitting the ALT key.  You will still have compatibility with IE-only webpages but the browser is also a lot more compatible with the web standards. Every one of my friends I've talked to has had a very positive experience with IE7 and we can thank Firefox for forcing Microsoft to deliver IE7 on Windows XP for free.

From a security standpoint, IE7 offers a huge improvement over IE6.  The two most recent zero-day exploits from last month for example only affected IE6 and not IE7 because the code auditing on IE7 was rigorous.  The ActiveX footprint in IE7 is about 90% smaller than IE6 because almost all of the ActiveX controls were completely disabled by default and only the most critical ActiveX controls for things like Media Player and Adobe Flash were kept on.  Even if you're running an alternative browser like Firefox, you're still going to want to get rid of IE6 by installing IE7 if you ever need to use IE for anything.

Currently most malicious software is designed to hide silently on infected PCs.  This article discusses findings from a recent Microsoft study.

Microsoft MSRT Study on Malicious Software hiding in PCs
http://articles.techrepublic.com.com/2100-1009_11-6129235.html

QUOTE:  More than 43,000 new variants of such insidious software were found in the first half of 2006, making them the most active category of malicious software, Microsoft said in a Security Intelligence Report published Monday. In June Microsoft also flagged zombies as the most prevalent threat to Windows PCs.

"Attackers, with financial gain in mind, are clearly concentrating a significant amount of development focus on this category of malware," Microsoft said in the report.

Of 4 million Windows PCs found to be infected with some kind of malicious software in the first half of this year, about 2 million were running malicious remote control software, Microsoft said. The data is collected by Microsoft's free Windows Malicious Software Removal Tool, which runs when security updates are installed on Windows PCs.

While the number is high, it is actually a decrease from the second half of 2005, when Microsoft found that 68 percent of infected PCs contained a backdoor Trojan. Meanwhile, hackers are trying harder to make their networks of hijacked computers go unnoticed by moving to new Web-based techniques.

Below are two recent reviews: 

Review: Firefox 2.0 first impressions
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004398

Review: With Firefox 2, Mozilla touts security and speed
http://articles.techrepublic.com.com/2100-3513_11-6129141.html

QUOTE: The revamped Firefox includes a new interface theme and more security protection such as built-in phishing protection. It also has session memory, which, when the browser is re-opened, brings back the set of Web pages that were in use when it was last closed. Changes have also been made in the technology to import RSS feeds, which now offers a feed list view with title and first lines.

Final Review: The Lowdown on Office 2007
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003994

QUOTE: Simplify, simplify, simplify. The challenge for Microsoft in revamping Office was to better organize all the options available without negatively impacting productivity. For new users, that's a particularly important goal, since the menus and toolbars in current versions may appear to be a mishmash.

The overriding design goal for the new user interface, Microsoft says, is to make it easier for users "to find and use the full range of features these applications provide" while preserving "an uncluttered workspace that reduces distraction for users so they can spend more time and energy focused on their work." The redesign makes most Office 2007 applications look completely fresh, clean, new -- and more colorful. From Ribbons that offer clearly labeled buttons to thumbnail previews of most graphic features, the applications bear only a slight resemblance to their former selves.

A positive review of IE 7 from both a security and a functional standpoint.  The "just say yes" title encourages users to accept IE 7 when it is offered to them via Microsoft Update in November.

Review: Just Say Yes to Internet Explorer 7
(see page 4 for a positive review on security)

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004205

QUOTE: IE7 is a considerable improvement over IE6, and with new features such as tabbed browsing, RSS support, improved security and an integrated search box, it's well worth the upgrade.

This information is preliminary and based on the SP Roadmap.   

Article: Windows XP SP3 Pushed to 2008
http://www.betanews.com/article/Windows_XP_SP3_Pushed_to_2008/1161282900

QUOTE: Windows XP SP3 will be the first major upgrade to the operating system since XP SP2 debuted in August 2004. SP2 was an extensive upgrade, bringing a new security center and improvements in wireless networking and Internet Explorer. However, with SP3 arriving three years later, the update will focus on security patches and bug fixes rather than feature enhancements.

Microsoft's SP Roadmap
http://www.microsoft.com/windows/lifecycle/servicepacks.mspx

QUOTE: SP3 for Windows XP Professional is currently planned for 1H CY2008. This date is preliminary.

A browser is simply a processor of web objects and does what's asked of it while visiting a website.  Thankfully, IE 7 has far better security than version 6.  This potential issue is minor and would be used primarily for phishing attacks.  In my own testing, this did not work in IE 7, Firefox 3.0a, or Opera 9.02.  Still, folks always need to be careful when visiting websites as no browser can protect you from all the risks out there.


ISC: IE 7 - Popup Address Bar Spoofing Vulnerability
http://www.incidents.org/diary.php?storyid=1804

Secunia
http://secunia.com/advisories/22542/

Browser Test Site for this new issue
http://secunia.com/internet_explorer_7_popup_address_bar_spoofing_test/
