December 2006 - Posts

F-Secure creates Vista compatible version of Blacklight Rootkit detection tool

Here's hoping that rootkit detection tools won't be needed on Vista, or that its improved security makes rootkit infections a rare event. F-Secure's Blacklight rootkit detection tool is a great free utility for users who need help finding and removing Windows rootkits, which hook into the OS specifically to hide their presence from the user and from ordinary tools.

F-Secure creates Vista compatible version of Blacklight Rootkit detection tool

QUOTE: The same BlackLight executable will work on all supported platforms. You may find it interesting that we're adding support for 64-bit operating systems, even though there are currently no rootkits for them! The reason is that while 32-bit rootkits do not work on 64-bit platforms it is not impossible to create a 64-bit compatible rootkit. It just requires extra effort.

For example, a user-mode rootkit would have to hook 64-bit processes with 64-bit code but also make sure everything is hidden from 32-bit applications running under WOW64 emulation. As the number of computers running 64-bit Windows has remained low, the rootkit authors have not had a reason to spend the extra effort to target those systems. When they do, we hope to be ready.

F-Secure has moved the new Luder worm, now circulating, to medium risk. Several new variants are also circulating, each using different subject lines and attachment names.

Happy New Year email messages - avoid all attachments or links

Subject Line Examples
Annual Fun Forecast!
Baby New Year!
Best Wishes For A Happy New Year!
Fun 2007!
Fun Filled New Year!
Happiness And Continued Success!
Happiness And Success!
Happiness In Everything!
Happy 2007!
Happy New Year!
Happy Times And Happy Memories!
May Your Dreams Come True!
New Hopes And New Beginnings!
New Year... Happy Year!
Promises Of Happy Times!
Raising A Toast To Happy Times!
Scale Greater Heights!
Sparkling Happiness And Good Times!
Warm New Year Hug!
Warmest Wishes For New Year!
Welcome 2007!
Wish You Smiles And Good Cheer!
Wishing You Happiness!
Wishing You Happy New Year!

Attachment Examples
greeting card.exe
Greeting Card.exe
greeting postcard.exe
Greeting Postcard.exe

This new virus-infected email message is currently circulating and should be avoided:

Luder.A - Happy New Year message with postcard.exe attachment

Subject: Happy New Year!
Message body: {blank}
Attachment: postcard.exe
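The subject lines and attachment names above are exactly what a mail-gateway filter keys on. As an added example (mine, not F-Secure's detection logic and not part of the original post), the following Python triages messages against that list: the subject set is copied from the post, the executable-extension pattern is my own generalization (Luder used .exe, but Windows runs .scr, .pif, .com, .bat and .cmd the same way on double-click), and the four sample messages are constructed here, not real captures.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lines quoted from the Luder write-up above (compared case-insensitively).
LURE_SUBJECTS = {
    s.lower() for s in (
        "Annual Fun Forecast!", "Baby New Year!", "Best Wishes For A Happy New Year!",
        "Fun 2007!", "Fun Filled New Year!", "Happiness And Continued Success!",
        "Happiness And Success!", "Happiness In Everything!", "Happy 2007!",
        "Happy New Year!", "Happy Times And Happy Memories!", "May Your Dreams Come True!",
        "New Hopes And New Beginnings!", "New Year... Happy Year!", "Promises Of Happy Times!",
        "Raising A Toast To Happy Times!", "Scale Greater Heights!",
        "Sparkling Happiness And Good Times!", "Warm New Year Hug!",
        "Warmest Wishes For New Year!", "Welcome 2007!", "Wish You Smiles And Good Cheer!",
        "Wishing You Happiness!", "Wishing You Happy New Year!",
    )
}

# Extensions Windows runs on double-click. Luder used .exe; the others are an
# assumption added here to catch the usual renames of the same lure.
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)\s*$", re.IGNORECASE)
LINK_RE = re.compile(r"https?://", re.IGNORECASE)


def triage(raw: bytes) -> dict:
    """Classify one RFC 822 message.

    quarantine: carries an executable attachment (the Luder pattern).
    review:     lure subject plus any attachment or link (the post's advice is
                to avoid all attachments or links in these messages).
    pass:       everything else.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    exes = [n for n in names if EXECUTABLE_EXT.search(n)]
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    lure = subject.lower() in LURE_SUBJECTS
    reasons = []
    if exes:
        reasons.append("executable attachment: " + ", ".join(exes))
    if lure:
        reasons.append("subject matches the Luder lure list")
    if exes and not body.strip():
        reasons.append("blank body with attachment")  # Luder.A: body is empty
    if LINK_RE.search(body):
        reasons.append("body contains a link")
    if exes:
        verdict = "quarantine"
    elif lure and (names or LINK_RE.search(body)):
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "subject": subject, "attachments": names, "reasons": reasons}


def build_sample(subject, body, attachment=None) -> bytes:
    """Constructed sample message for this example (not a real capture)."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


LUDER_A = build_sample("Happy New Year!", "", "postcard.exe")
LUDER_B = build_sample("Welcome 2007!", "Open the card :)", "Greeting Card.exe")
BENIGN_PHOTO = build_sample("Happy New Year!", "Pics from last night", "party.jpg")
PLAIN = build_sample("Re: budget meeting", "Moved to 3pm.")

if __name__ == "__main__":
    for sample in (LUDER_A, LUDER_B, BENIGN_PHOTO, PLAIN):
        print(triage(sample))
```

The "review" verdict deliberately stops short of quarantine: a lure subject on its own is a common greeting, so it is only the combination of that subject with an attachment or link that warrants a human look, while any executable attachment is quarantined outright.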

Recently one of the handlers at SANS shared some great posts on Snort, the open source intrusion detection system used to inspect network traffic for known attack signatures.

SNORT Intrusion Detection Tool - Some Tips and Techniques

What is SNORT - Webopedia

Wikipedia - SNORT Intrusion Detection Tool



In my personal email, I've seen dramatic increases in SPAM and these articles document these trends as well: 

Spam Rates Soar in 2006 due to Botnets

Microsoft sees Botnets as a top threat in 2007

QUOTE: E-mail security firm Commtouch says 85 percent of today's spam comes from remote-controlled "zombie" computers.  A report on spam by e-mail security firm Commtouch Software dubs 2006 the "Year of the Zombies." The study found that "zombies," the name given computers remote-controlled by hackers, can number up to 8 million hosts globally on a given day.

As a result, spam volume increased by 30 percent in 2006, according to the report.  "Spam outbreaks got bigger, faster and smarter during 2006," Amir Lev, president and chief technical officer for Commtouch, based in Netanya, Israel, said in a statement. "Innovative spammers quickly developed new techniques to bypass common anti-spam technologies and amassed huge zombie botnets. Outbreaks have become so fast, massive and sophisticated that most anti-spam solutions had great difficulty defending against them." 

Some prior links:

Massive surge in spam hits the Internet

Bot nets likely behind jump in spam

Great site to bookmark for SPAM trends (under construction until 12/30/2006)

This new vulnerability is rated as low-risk and can only be exploited by local users (it discloses memory contents, it does not grant code execution).

Microsoft Windows Client Server Run-Time Subsystem Memory Disclosure Vulnerability

QUOTE: A Microsoft Windows vulnerability can be exploited by malicious local users to gain knowledge of sensitive information. The problem is that CSRSS.exe does not properly validate arguments passed via NtRaiseHardError and can be exploited to view the contents of CSRSS process memory. The vulnerability is confirmed on a fully-patched Windows XP SP2 system and reportedly affects Windows 2000 SP4 as well. Other versions may also be affected.

Solution: Allow only trusted users access to the system

F-Secure has published 3 new malware threats that use holiday themes to trick users into opening them:

Stration (Warezov) - Happy New Year

QUOTE: A new Warezov spam run is underway, using a "Happy New Year" postcard as a disguise.

More Christmas-themed malware

QUOTE: Now there's a backdoor called Christmas_Puzzle.exe. This one uses a rootkit to hide its presence on a system. We detect it as Trojan-Spy.Win32.Ardamax.e. As a decoy, this one shows a Christmas-themed jigsaw puzzle game on screen. And then there's a Powerpoint file called Christmas+Blessing-4.ppt. This one uses MS06-012 or a related vulnerability to drop and execute two embedded programs. As a decoy, the exploit has been embedded in an innocent Christmas-themed PPT slideshow that has been making rounds previously.


QUOTE: When run, this IRCBot variant will try to download various malicious executables from web servers. As a decoy, it shows this Christmas-themed image. Obviously, a gift that keeps on giving. To be avoided.

A proof-of-concept (POC) exploit has also been published for this new, still unpatched vulnerability.

Windows Workstation Service - New unpatched vulnerability

QUOTE: A vulnerability has been identified in Microsoft Windows, which could be exploited by attackers to cause a denial of service. This issue is due to an error in the Workstation Service that does not properly handle specially crafted "NetrWkstaUserEnum()" requests, which could be exploited by attackers to cause a vulnerable service to crash or exhaust all available memory resources, creating a denial of service condition.

Affected Products: Windows XP and 2000

Solution: Block ports 139 and 445 at the firewall.
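Blocking 139 and 445 at the firewall is only a workaround, so it is worth verifying from the outside that the block actually took effect. The following Python is an added example (mine, not from the advisory or Microsoft) that attempts a TCP handshake to both SMB ports on a target; run it from a machine on the far side of the firewall, where a correct block should report both ports unreachable. The hosts and ports are the only inputs; self_test() stands up a throw-away local listener so the block can be exercised offline.

```python
import socket
from contextlib import closing

SMB_PORTS = (139, 445)  # NetBIOS session service and direct-hosted SMB, per the advisory


def port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A refusal, a timeout or an unreachable-network error all count as
    'not reachable', which is what a correctly applied firewall block
    should produce from an untrusted vantage point.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:  # socket.timeout and ConnectionRefusedError are OSError subclasses
            return False
        return True


def smb_exposure(host: str, timeout: float = 2.0) -> dict:
    """Map each SMB port to whether it answered from this vantage point."""
    return {port: port_reachable(host, port, timeout) for port in SMB_PORTS}


def self_test() -> tuple:
    """Offline check: an ephemeral local listener must be reachable while open
    and unreachable once closed. Returns (while_open, after_close)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = port_reachable("127.0.0.1", port, 1.0)
    after_close = port_reachable("127.0.0.1", port, 1.0)
    return while_open, after_close


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, answered in smb_exposure(target).items():
        state = "REACHABLE - not blocked" if answered else "blocked or closed"
        print(f"{target}:{port} {state}")
```

A port that answers from outside the firewall means the workaround is not protecting that host; a port that is blocked from outside but still open on the LAN remains exposed to any infected machine on the same segment, which is why the firewall rule is a stopgap until the patch ships.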

This recent hacking incident illustrates the need to be fully patched and protected while surfing the Internet. Kids or parents might land on this type of site while doing a general Internet search.

Santa Web Site Hacked and may download spyware

QUOTE: It turned out that Santa's Web site had been hacked. On Friday, the Web site was still downloading malicious software, according to Roger Thompson, chief technology officer with Exploit Prevention Labs Inc. It exploits a bug in Internet Explorer that Microsoft Corp. patched last August, meaning that people running older versions of the browser could be at risk, Thompson said via instant message. "The site is hacked," he said. "If you are not patched, it uses an exploit to silently install a huge amount of adware and spyware."

This link provides a good overview of this process:

Security updates have been issued for Firefox, Thunderbird, Seamonkey and other Mozilla products that fix critical security vulnerabilities. These vulnerabilities could be exploited by attackers to take complete control of an affected system or bypass security restrictions. All users should install these updates as soon as possible.

Mozilla Security Release - New Firefox and Thunderbird versions

Fixed in Firefox

MFSA 2006-68 Crashes with evidence of memory corruption (rv:

MFSA 2006-69 CSS cursor image buffer overflow (Windows only)

MFSA 2006-70 Privilege escalation using watch point

MFSA 2006-71 LiveConnect crash finalizing JS objects

MFSA 2006-72 XSS by setting img.src to javascript: URI

MFSA 2006-73 Mozilla SVG Processing Remote Code Execution

MFSA 2006-75 RSS Feed-preview referrer leak

MFSA 2006-76 XSS using outer window's Function object

Mozilla Security Center

Internet Storm Center




Zero-Day Initiative - Fixing the SVG vulnerability is critical

Firefox Product Page and Download link
(most users should be able to auto-update to the new release)

Thunderbird Product Page and Download link

Seamonkey Product Page and Download link

Jim Allchin provided an EXCELLENT response to a recent analysis of Windows Vista's improved protection from malware, an analysis which seemed to imply that "Vista offers no more protection than XP". Technically, that article contained some factual information, but it did not tell "the rest of the story": users would almost have to want to infect their systems for these attacks to work.

At the end of November, Sophos commented that Vista was susceptible to 3 of the top 10 viruses circulating in the wild. However, for those to succeed, Vista users must lower the built-in defenses, run no AV protection at all, and then click on a clearly suspicious email attachment (one that most likely would already have been prefiltered as suspicious and classified as spam). No operating system's security controls can fully protect a user from themselves.

I didn't have the opportunity to beta test Vista (as my home PCs are too underpowered to support it).  However based on numerous articles and reviews, Vista will clearly offer superior security over Windows XP SP2.  By enhancing Windows XP SP2 with IE 7, MP 11, and a good AV product, users can enjoy a secure environment there as well.  I'm anxious to purchase a new family PC later in 2007 with Vista Ultimate installed for better protection and gain greater knowledge of this environment by actually using it.

The new version of Opera released today offers improvements to help prevent phishing attacks with its new Fraud Protection facility.

Opera 9.1 Download site

Opera 9.1 introduces Fraud Protection

Changelog for Opera 9.1 for Windows

Release Notes and Change Log

This release of Opera introduces Fraud Protection.

User interface

  • Fixed handling of access keys on Web pages with frames.

Mail, messaging, and newsfeeds

  • Fixed an instability connected with delayed entry of the Master password.
  • Deleting of newsfeeds in the panel now both unsubscribes and deletes.

Display and scripting

  • Improved performance for elements with both :focus and :hover.
  • Fixed an issue with opacity on links that have images nested within them.


  • New Fraud Protection feature (a phishing filter).
  • Changed Wand data to a new format. The upgrade to this new format is not reversible.


  • Multiple stability issues solved, including crashes on Gmail and Google Maps.
  • Changed the Mozilla User Agent string to include Firefox identification.
  • Improved handling of Web site logins on slow connections.
  • Cancellation of torrent downloads now functions as expected.

Windows-specific changes

  • Multimedia keys now function as expected when Opera has focus.
  • Enabled loading of Windows Media plugins when Java is turned off.

Both of these are rated as low-risk by FrSIRT.

Windows Media Player - New Denial of Service Vulnerability

QUOTE: A vulnerability has been identified in Microsoft Windows Media Player, which could be exploited by attackers to cause a denial of service. This issue is due to a division by zero error when handling a specially crafted MIDI file with a header chunk containing malformed fields (i.e. number of tracks and delta time), which could be exploited by attackers to crash a vulnerable application via a specially crafted file.
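The defect class here, a zero in a header field that is later used as a divisor, is cheap to guard against at parse time. The following Python is an added example (mine, not Microsoft's player code and not from the advisory) showing a Standard MIDI File header parser that rejects a zero track count and a zero time division before either value can reach the tempo arithmetic; the header bytes are constructed for the example, and the SMPTE branch is included because the same field can also carry a ticks-per-frame value that must not be zero.

```python
import struct

MTHD_MAGIC = b"MThd"
MTHD_SIZE = 14  # 4 magic + 4 length + 2 format + 2 ntrks + 2 division


def parse_mthd(data: bytes) -> dict:
    """Validate the MThd chunk and return its fields.

    Raises ValueError on anything a tempo calculation could not safely use:
    short input, wrong magic or length, unknown format, zero tracks, and a
    zero time division (ticks-per-quarter-note or SMPTE ticks-per-frame).
    """
    if len(data) < MTHD_SIZE:
        raise ValueError("truncated MThd chunk")
    magic, length, fmt, ntrks, division = struct.unpack(">4sIHHH", data[:MTHD_SIZE])
    if magic != MTHD_MAGIC:
        raise ValueError("not a Standard MIDI File")
    if length != 6:
        raise ValueError(f"unexpected MThd length {length}")
    if fmt not in (0, 1, 2):
        raise ValueError(f"unknown SMF format {fmt}")
    if ntrks == 0:
        raise ValueError("header declares zero tracks")
    if fmt == 0 and ntrks != 1:
        raise ValueError("format 0 files carry exactly one track")
    header = {"format": fmt, "ntracks": ntrks}
    if division & 0x8000:
        # SMPTE timing: high byte is -(frames per second), low byte is ticks per frame.
        fps = 256 - (division >> 8)
        ticks_per_frame = division & 0xFF
        if fps not in (24, 25, 29, 30) or ticks_per_frame == 0:
            raise ValueError("invalid SMPTE division")
        header.update(smpte=True, fps=fps, ticks_per_frame=ticks_per_frame)
    else:
        # Metrical timing: division is ticks per quarter note and becomes a divisor.
        if division == 0:
            raise ValueError("zero ticks per quarter note")
        header.update(smpte=False, ticks_per_quarter=division)
    return header


def microseconds_per_tick(header: dict, tempo_us_per_quarter: int = 500000) -> float:
    """The arithmetic a player performs; safe only because parse_mthd ran first."""
    if header["smpte"]:
        return 1_000_000 / (header["fps"] * header["ticks_per_frame"])
    return tempo_us_per_quarter / header["ticks_per_quarter"]


def header_is_safe(data: bytes) -> bool:
    """Convenience wrapper: True if the header passes every check above."""
    try:
        parse_mthd(data)
        return True
    except ValueError:
        return False


def mthd(fmt: int, ntrks: int, division: int) -> bytes:
    """Build a header for the samples below (constructed, not captured files)."""
    return MTHD_MAGIC + struct.pack(">IHHH", 6, fmt, ntrks, division)


GOOD_HEADER = mthd(1, 2, 96)        # 96 ticks per quarter note
SMPTE_HEADER = mthd(1, 1, 0xE804)   # 24 fps, 4 ticks per frame
ZERO_DIVISION = mthd(1, 2, 0)       # the malformed field the advisory describes
ZERO_TRACKS = mthd(1, 0, 96)

if __name__ == "__main__":
    for name, hdr in [("good", GOOD_HEADER), ("smpte", SMPTE_HEADER),
                      ("zero division", ZERO_DIVISION), ("zero tracks", ZERO_TRACKS)]:
        try:
            h = parse_mthd(hdr)
            print(f"{name}: ok, {microseconds_per_tick(h):.2f} us/tick")
        except ValueError as e:
            print(f"{name}: rejected ({e})")
```

The point of the split between parse_mthd and microseconds_per_tick is that every divisor is validated once, at the trust boundary where the bytes come in, rather than at each of the places in a player that later do arithmetic with them.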

Microsoft Project Server 2003 File Information Disclosure Vulnerability

QUOTE: A vulnerability has been identified in Microsoft Project Server 2003, which could be exploited by malicious users to gain knowledge of sensitive information. This issue is due to an error when handling HTTP POST requests passed to the "logon/pdsrequest.asp" script, which could be exploited by authenticated attackers to disclose the username and password of the "MSProjectUser" SQL account.

Since April 2005, this site has captured summary info for tech and non-tech violations where sensitive information has been exposed and possibly compromised. This is a great site to bookmark (and even share with your IT management so that security remains an important focal point).  

Privacy Rights - Chronology of Data Breaches

QUOTE: Some major data breaches announced at UCLA and Boeing bring the total for privacy breaches since April 2005 to almost 100 million.

... and on a related note, it looks like 3 million more folks may need to be added, this time from Russia.

Major data leak from Russian banks
Note - Please see Dec 13th Weblog entry
