December 2006 - Posts

F-Secure creates Vista compatible version of Blacklight Rootkit detection tool

As a starting point, here's hoping that rootkit detection tools won't be needed for Vista, or that its improved security makes this a rare event.  F-Secure's Blacklight rootkit detection tool is a great free service for users who need help removing Windows-based rootkits that hook into the OS in a highly stealthy manner.

F-Secure creates Vista compatible version of Blacklight Rootkit detection tool
http://www.f-secure.com/weblog/archives/archive-122006.html#00001062

QUOTE: The same BlackLight executable will work on all supported platforms. You may find it interesting that we're adding support for 64-bit operating systems, even though there are currently no rootkits for them! The reason is that while 32-bit rootkits do not work on 64-bit platforms it is not impossible to create a 64-bit compatible rootkit. It just requires extra effort.

For example, a user-mode rootkit would have to hook 64-bit processes with 64-bit code but also make sure everything is hidden from 32-bit applications running under WOW64 emulation. As the number of computers running 64-bit Windows has remained low, the rootkit authors have not had a reason to spend the extra effort to target those systems. When they do, we hope to be ready.

F-Secure has moved the new Luder worm now circulating to medium risk.  Several new versions with different messages are circulating as well.

Happy New Year email messages - avoid all attachments or links
http://www.incidents.org/diary.php?storyid=1988
http://www.f-secure.com/weblog/archives/archive-122006.html#00001063
http://www.f-secure.com/weblog/archives/archive-122006.html#00001065
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNUWAR%2EBH


Subject Line Examples
Annual Fun Forecast!
Baby New Year!
Best Wishes For A Happy New Year!
Fun 2007!
Fun Filled New Year!
Happiness And Continued Success!
Happiness And Success!
Happiness In Everything!
Happy 2007!
Happy New Year!
Happy Times And Happy Memories!
May Your Dreams Come True!
New Hopes And New Beginnings!
New Year... Happy Year!
Promises Of Happy Times!
Raising A Toast To Happy Times!
Scale Greater Heights!
Sparkling Happiness And Good Times!
Warm New Year Hug!
Warmest Wishes For New Year!
Welcome 2007!
Wish You Smiles And Good Cheer!
Wishing You Happiness!
Wishing You Happy New Year!


Attachment Examples
postcard.exe
Postcard.exe
greeting card.exe
Greeting Card.exe
greeting postcard.exe
Greeting Postcard.exe

This new virus-infected email message is currently circulating and should be avoided.

Luder.A - Happy New Year message with postcard.exe attachment
http://www.f-secure.com/v-descs/luder_a.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNUWAR%2EAY
http://www.sophos.com/security/analyses/w32drefu.html
http://www.incidents.org/diary.php?storyid=1987

EMAIL TO AVOID
Subject: Happy New Year!
Message body: {blank}
Attachment: postcard.exe
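The subject lines and attachment names listed above are enough to write a simple mail-gateway check. The following is an added example, not code from the original post or from F-Secure or SANS: it classifies an RFC 822 message using a subset of the listed subjects plus the three attachment names, and the sample messages it builds are constructed for the demonstration.

```python
from typing import List, Optional
from email import message_from_string
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Indicators from the post above (a subset of its subject list; extend the
# set with the remaining subjects it gives).
LUDER_SUBJECTS = {s.lower() for s in (
    "Happy New Year!", "Happy 2007!", "Welcome 2007!", "Fun 2007!",
    "Baby New Year!", "Wishing You Happy New Year!",
    "Best Wishes For A Happy New Year!", "Warm New Year Hug!",
)}
LUDER_ATTACHMENTS = {"postcard.exe", "greeting card.exe", "greeting postcard.exe"}

def attachment_names(msg: Message) -> List[str]:
    """Lower-cased filenames of every MIME part that carries one."""
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]

def classify(raw: str) -> str:
    """Return 'quarantine', 'suspicious' or 'clean' for one RFC 822 message."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    names = attachment_names(msg)
    has_exe = any(n.endswith(".exe") for n in names)
    if any(n in LUDER_ATTACHMENTS for n in names):
        return "quarantine"            # a lure filename from the post
    if has_exe and subject in LUDER_SUBJECTS:
        return "quarantine"            # holiday subject plus an executable
    if has_exe:
        return "suspicious"            # executable attachment, unknown lure
    return "clean"

def build_sample(subject: str, filename: Optional[str], body: str = "") -> str:
    """Constructed test message (not a capture from the real worm run)."""
    msg = MIMEMultipart()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.attach(MIMEText(body))
    if filename:
        part = MIMEApplication(b"MZ placeholder", Name=filename)
        part.add_header("Content-Disposition", "attachment", filename=filename)
        msg.attach(part)
    return msg.as_string()
```

Matching on the exact subject text alone would miss the "several new versions" mentioned above, which is why the attachment check does not depend on the subject.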

Recently one of the handlers at SANS shared some great posts on this open-source intrusion detection system, which is used to inspect incoming network traffic.

SNORT Intrusion Detection Tool - Some Tips and Techniques

 What is SNORT - Webopedia

Wikipedia - SNORT Intrusion Detection Tool

In my personal email, I've seen dramatic increases in SPAM and these articles document these trends as well: 

Spam Rates Soar in 2006 due to Botnets
http://www.eweek.com/article2/0,1759,2077665,00.asp

Microsoft sees Botnets as a top threat in 2007
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9006818

QUOTE: E-mail security firm Commtouch says 85 percent of today's spam comes from remote-controlled "zombie" computers.  A report on spam by e-mail security firm Commtouch Software dubs 2006 the "Year of the Zombies." The study found that "zombies," the name given computers remote-controlled by hackers, can number up to 8 million hosts globally on a given day.

As a result, spam volume increased by 30 percent in 2006, according to the report.  "Spam outbreaks got bigger, faster and smarter during 2006," Amir Lev, president and chief technical officer for Commtouch, based in Netanya, Israel, said in a statement. "Innovative spammers quickly developed new techniques to bypass common anti-spam technologies and amassed huge zombie botnets. Outbreaks have become so fast, massive and sophisticated that most anti-spam solutions had great difficulty defending against them." 

Some prior links:

Massive surge in spam hits the Internet
http://blogs.techrepublic.com.com/Ou/?p=354

Bot nets likely behind jump in spam
http://www.securityfocus.com/news/11420

Great site to bookmark for SPAM trends (under construction until 12/30/2006) 
http://tqmcube.com/tide.php

This new vulnerability is rated as low-risk and can only be exploited by local users.

Microsoft Windows Client Server Run-Time Subsystem Memory Disclosure Vulnerability
http://www.frsirt.com/english/advisories/2006/5197
http://secunia.com/advisories/23491/

QUOTE: A Microsoft Windows vulnerability can be exploited by malicious local users to gain knowledge of sensitive information. The problem is that CSRSS.exe does not properly validate arguments passed via NtRaiseHardError and can be exploited to view the contents of CSRSS process memory. The vulnerability is confirmed on a fully-patched Windows XP SP2 system and reportedly affects Windows 2000 SP4 as well. Other versions may also be affected.

Solution: Allow only trusted users access to the system

F-Secure has published 3 new malware threats that use holiday themes to trick users into opening them:

Stration (Warezov) - Happy New Year
http://www.f-secure.com/weblog/archives/archive-122006.html#00001059

QUOTE: A new Warezov spam run is underway, using a "Happy New Year" postcard as a disguise.

More Christmas-themed malware
http://www.f-secure.com/weblog/archives/archive-122006.html#00001058

QUOTE: Now there's a backdoor called Christmas_Puzzle.exe. This one uses a rootkit to hide its presence on a system. We detect it as Trojan-Spy.Win32.Ardamax.e. As a decoy, this one shows a Christmas-themed jigsaw puzzle game on screen. And then there's a Powerpoint file called Christmas+Blessing-4.ppt. This one uses MS06-012 or a related vulnerability to drop and execute two embedded programs. As a decoy, the exploit has been embedded in an innocent Christmas-themed PPT slideshow that has been making rounds previously.

Christmas.EXE
http://www.f-secure.com/weblog/archives/archive-122006.html#00001057

QUOTE: When run, this IRCBot variant will try to download various malicious executables from web servers. As a decoy, it shows this Christmas-themed image. Obviously, a gift that keeps on giving. To be avoided.

There is also a POC exploit published for this new vulnerability. 

Windows Workstation Service - New unpatched vulnerability
http://www.frsirt.com/english/advisories/2006/5142

QUOTE: A vulnerability has been identified in Microsoft Windows, which could be exploited by attackers to cause a denial of service. This issue is due to an error in the Workstation Service that does not properly handle specially crafted "NetrWkstaUserEnum()" requests, which could be exploited by attackers to cause a vulnerable service to crash or exhaust all available memory resources, creating a denial of service condition.

Affected Products: Windows XP and 2000

Solution: Block ports 139 and 445 at the firewall.

This recent hacking incident illustrates the need to be fully protected and up-to-date while surfing the Internet.  Kids or parents might land on this type of site while doing a general Internet search.

Santa Web Site Hacked and may download spyware
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9006639

QUOTE: It turned out that Santa's Web site had been hacked. On Friday, the Web site was still downloading malicious software, according to Roger Thompson, chief technology officer with Exploit Prevention Labs Inc. It exploits a bug in Internet Explorer that Microsoft Corp. patched last August, meaning that people running older versions of the browser could be at risk, Thompson said via instant message. "The site is hacked," he said. "If you are not patched, it uses an exploit to silently install a huge amount of adware and spyware."

This link provides a good overview of this process:

http://www.f-secure.com/weblog/archives/archive-122006.html#00001055

Security updates have been issued for Firefox, Thunderbird, Seamonkey and other Mozilla products that fix critical security vulnerabilities. These vulnerabilities could be exploited by attackers to take complete control of an affected system or bypass security restrictions. All users should install these updates as soon as possible.

Mozilla Security Release - New Firefox and Thunderbird versions
http://www.mozilla.com/en-US/firefox/2.0.0.1/releasenotes/
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.1

Fixed in Firefox 2.0.0.1

MFSA 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)
http://www.mozilla.org/security/announce/2006/mfsa2006-68.html

MFSA 2006-69 CSS cursor image buffer overflow (Windows only)
http://www.mozilla.org/security/announce/2006/mfsa2006-69.html

MFSA 2006-70 Privilege escalation using watch point
http://www.mozilla.org/security/announce/2006/mfsa2006-70.html

MFSA 2006-71 LiveConnect crash finalizing JS objects
http://www.mozilla.org/security/announce/2006/mfsa2006-71.html

MFSA 2006-72 XSS by setting img.src to javascript: URI
http://www.mozilla.org/security/announce/2006/mfsa2006-72.html

MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
http://www.mozilla.org/security/announce/2006/mfsa2006-73.html

MFSA 2006-75 RSS Feed-preview referrer leak
http://www.mozilla.org/security/announce/2006/mfsa2006-75.html

MFSA 2006-76 XSS using outer window's Function object
http://www.mozilla.org/security/announce/2006/mfsa2006-76.html

Mozilla Security Center
http://www.mozilla.org/security/

Internet Storm Center
http://www.incidents.org/diary.php?storyid=1958

CERT
http://www.us-cert.gov/current/current_activity.html#mzsecadv1206

FrSIRT
http://www.frsirt.com/english/advisories/2006/5068

Secunia
http://secunia.com/advisories/23282/

Zero-Day Initiative - Fixing the SVG vulnerability is critical
http://www.zerodayinitiative.com/advisories/ZDI-06-051.html
http://www.mozilla.org/security/announce/2006/mfsa2006-73.html

Firefox Product Page and Download link
(most users should be able to auto-update to the new release)
http://www.mozilla.com/en-US/firefox/

Thunderbird Product Page and Download link
http://www.mozilla.com/en-US/thunderbird/

Seamonkey Product Page and Download link
http://www.mozilla.org/projects/seamonkey/

Jim Allchin provided an EXCELLENT response on Windows Vista and its improved protection from malware, replying to a recent analysis which seemed to imply that "Vista offers no more protection than XP".  Technically, that article had some factual information, but it did not tell "the rest of the story".  Users would almost have to purposefully infect their systems for these attacks to work.

At the end of November, Sophos commented on Vista being susceptible to 3 of the top 10 viruses circulating in the wild.  However, Vista users must lower built-in defenses, run no AV protection at all, and click on a clearly suspicious email attachment (one that most likely would be prefiltered as a suspicious document and classified as spam).  No operating system's security controls can fully protect a user from themselves.

I didn't have the opportunity to beta test Vista (as my home PCs are too underpowered to support it).  However, based on numerous articles and reviews, Vista will clearly offer superior security over Windows XP SP2.  By enhancing Windows XP SP2 with IE 7, MP 11, and a good AV product, users can enjoy a secure environment there as well.  I'm anxious to purchase a new family PC later in 2007 with Vista Ultimate installed for better protection and to gain greater knowledge of this environment by actually using it.

The new version of Opera released today offers improvements to help prevent phishing attacks with its new Fraud Protection facility.

Opera 9.1 Download site
http://www.opera.com/download/

Opera 9.1 introduces Fraud Protection
http://www.opera.com/docs/fraudprotection/

Changelog for Opera 9.1 for Windows
http://www.opera.com/docs/changelogs/windows/910/

Release Notes and Change Log

This release of Opera introduces Fraud Protection.

User interface

  • Fixed handling of access keys on Web pages with frames.

Mail, messaging, and newsfeeds

  • Fixed an instability connected with delayed entry of the Master password.
  • Deleting of newsfeeds in the panel now both unsubscribes and deletes.

Display and scripting

  • Improved performance for elements with both :focus and :hover.
  • Fixed an issue with opacity on links that have images nested within them.

Security

  • New Fraud Protection feature (a phishing filter).
  • Changed Wand data to a new format. The upgrade to this new format is not reversible.

Miscellaneous

  • Multiple stability issues solved, including crashes on Gmail and Google Maps.
  • Changed the Mozilla User Agent string to include Firefox identification.
  • Improved handling of Web site logins on slow connections.
  • Cancellation of torrent downloads now functions as expected.

Windows-specific changes

  • Multimedia keys now function as expected when Opera has focus.
  • Enabled loading of Windows Media plugins when Java is turned off.

Both of these are rated as low-risk by FrSIRT.

Windows Media Player - New Denial of Service Vulnerability
http://www.frsirt.com/english/advisories/2006/5039

QUOTE: A vulnerability has been identified in Microsoft Windows Media Player, which could be exploited by attackers to cause a denial of service. This issue is due to a division by zero error when handling a specially crafted MIDI file with a header chunk containing malformed fields (i.e. number of tracks and delta time), which could be exploited by attackers to crash a vulnerable application via a specially crafted file.

Microsoft Project Server 2003 File Information Disclosure Vulnerability
http://www.frsirt.com/english/advisories/2006/5038

QUOTE: A vulnerability has been identified in Microsoft Project Server 2003, which could be exploited by malicious users to gain knowledge of sensitive information. This issue is due to an error when handling HTTP POST requests passed to the "logon/pdsrequest.asp" script, which could be exploited by authenticated attackers to disclose the username and password of the "MSProjectUser" SQL account.
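The Windows Media Player advisory above comes down to header fields that a player later divides by. As an added example (not code from FrSIRT, Microsoft or the original post), here is a hardened parser for the Standard MIDI File header chunk that rejects a zero track count and a zero delta-time division, in both the ticks-per-quarter-note and SMPTE forms, before any timing arithmetic runs; the sample headers it builds are constructed, not taken from any real file.

```python
import struct

class MidiHeaderError(ValueError):
    """Raised when an MThd chunk fails validation."""

def parse_mthd(data: bytes) -> dict:
    """Parse and validate the Standard MIDI File header chunk (MThd).

    The track count and the delta-time division are the fields a player
    later divides by, so a hardened parser rejects zero values (and other
    out-of-spec values) here, before any timing arithmetic runs.
    """
    if len(data) < 14 or data[:4] != b"MThd":
        raise MidiHeaderError("missing or truncated MThd chunk")
    length, fmt, ntrks, division = struct.unpack(">IHHH", data[4:14])
    if length != 6:
        raise MidiHeaderError("MThd length must be 6, got %d" % length)
    if fmt not in (0, 1, 2):
        raise MidiHeaderError("unknown SMF format %d" % fmt)
    if ntrks == 0 or (fmt == 0 and ntrks != 1):
        raise MidiHeaderError("invalid track count %d for format %d" % (ntrks, fmt))
    if division & 0x8000:                     # SMPTE time-code form
        fps = 256 - (division >> 8)           # high byte is a negative frame rate
        ticks_per_frame = division & 0xFF
        if fps not in (24, 25, 29, 30) or ticks_per_frame == 0:
            raise MidiHeaderError("invalid SMPTE division 0x%04x" % division)
        return {"format": fmt, "tracks": ntrks, "smpte": True,
                "fps": fps, "ticks_per_frame": ticks_per_frame}
    if division == 0:                         # the zero-divisor case
        raise MidiHeaderError("zero ticks per quarter note")
    return {"format": fmt, "tracks": ntrks, "smpte": False, "ppqn": division}

def is_valid_mthd(data: bytes) -> bool:
    """Convenience wrapper: True if the header passes every check above."""
    try:
        parse_mthd(data)
        return True
    except MidiHeaderError:
        return False

def seconds_per_tick(header: dict, tempo_us_per_quarter: int = 500000) -> float:
    """Delta-time to seconds; only ever divides by validated, non-zero fields."""
    if header["smpte"]:
        return 1.0 / (header["fps"] * header["ticks_per_frame"])
    return tempo_us_per_quarter / 1000000.0 / header["ppqn"]

def build_mthd(fmt: int, ntrks: int, division: int) -> bytes:
    """Constructed sample header bytes (not a file from any real incident)."""
    return b"MThd" + struct.pack(">IHHH", 6, fmt, ntrks, division)
```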

Since April 2005, this site has captured summary information on technical and non-technical incidents in which sensitive information has been exposed and possibly compromised. This is a great site to bookmark (and even share with your IT management so that security remains an important focal point).

Privacy Rights - Chronology of Data Breaches
http://www.privacyrights.org/ar/ChronDataBreaches.htm
http://www.incidents.org/diary.php?storyid=1942

QUOTE: Some major data breaches announced at UCLA and Boeing put the total number of privacy breaches at privacyrights.org since April 2005 to almost 100 million.

... and on a related note, it looks like 3 million folks from Russia may need to be added.

Major data leak from Russian banks
http://www.viruslist.com/en/weblog?calendar=2006-12
Note - Please see Dec 13th Weblog entry
