Sharing Security Developments, and Best Practices for corporate and home users
February 2007 - Posts
This new Trojan from the Storm Worm authors registers a malicious DLL as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer. It can then inject a copy of the malicious code into blog comments automatically from an infected PC.
Please avoid any "fun video links" you may see in a blog post as AV protection is very limited at this point.
Mespam Trojan - New Storm Worm version spreading as blog comments http://secunia.com/virus_information/35867/spam-mespam/ http://vil.nai.com/vil/content/v_141590.htm http://www.sophos.com/security/analyses/malcimuza.html http://securitywatch.eweek.com/exploits_and_attacks/new_storm_worm_spreading_via_blog_posts.html
QUOTE: A Storm worm variant using both e-mail and Web sites to infect Windows-based PCs is injecting itself into the responses people are leaving on blogs. Dmitri Alperovitch, principal research scientist at Secure Computing, told eWEEK that the worm is injecting itself into the operating system as a rootkit and is capable of intercepting Web traffic.
When a user with an infected system visits a bulletin board or posts to a blog, the worm inserts malware into his or her comments. The line asks readers to look at a fun video and contains a link leading to a Web site where the malware is waiting to reinfect more users.
The worm is taking over PCs, Secure Computing reports, giving the criminal control for multiple purposes: sending spam, launching DDoS attacks and running keyloggers.
Also notable in this worm is that it's using server polymorphism—i.e., it contains self-modifying code that changes automatically every time it is downloaded. This worm form has been around "for ages," Alperovitch said, such as in the Bagle worm. Morphing worms are designed to avoid antivirus signature detection, and so far, Alperovitch said, it's working, as few major antivirus vendors have detected it.
To avoid infection, the advice is to refrain from clicking on the "fun video" link.
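Since the Trojan persists as an IE Browser Helper Object, the check an administrator wants is a listing of every registered BHO and the DLL behind it. The script below is an added example, not code from the Mespam write-ups: it parses a constructed .reg export (the CLSIDs, names and paths are hypothetical) using the standard BHO registration key and the COM InprocServer32 value, and flags any DLL living outside the assumed normal install roots.

```python
"""List IE Browser Helper Objects from a .reg export and flag odd DLL paths.
Added example, not code from the Mespam write-ups; the .reg text, CLSIDs and
paths are constructed. Registry locations are the standard BHO/COM keys."""
import re

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\system32\\")  # assumed normal install roots

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]
"NoExplorer"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
@="Example Toolbar Helper"
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\helper.dll"
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}]
@="Video Helper"
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Windows\\Temp\\vidhlp.dll"
"""


def parse_reg(text):
    """Return {key_path: {value_name: value}}; '@' becomes '(default)', quoted
    strings are unescaped, other types (dword:, hex:) are kept as raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, val = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1].replace("\\\\", "\\")
            keys[current][name] = val
    return keys


def list_bhos(keys):
    """Resolve each registered BHO CLSID to its COM name and DLL path; a DLL
    outside TRUSTED_ROOTS (or a missing InprocServer32) is marked suspicious."""
    prefix = BHO_KEY.lower() + "\\"
    results = []
    for key in keys:
        clsid = key[len(prefix):]
        if not key.lower().startswith(prefix) or not re.fullmatch(r"\{[0-9A-Fa-f-]{36}\}", clsid):
            continue
        name = keys.get(f"{CLSID_KEY}\\{clsid}", {}).get("(default)", "")
        dll = keys.get(f"{CLSID_KEY}\\{clsid}\\InprocServer32", {}).get("(default)", "")
        suspicious = not dll.lower().startswith(TRUSTED_ROOTS)
        results.append({"clsid": clsid, "name": name, "dll": dll, "suspicious": suspicious})
    return results


if __name__ == "__main__":
    for bho in list_bhos(parse_reg(SAMPLE_REG)):
        print(("SUSPICIOUS " if bho["suspicious"] else "ok         ") + f'{bho["name"]} -> {bho["dll"]}')
```

On a real machine the input would be the output of `reg export` for the two keys; a BHO whose DLL sits in a temp directory is worth a closer look, not automatically malicious.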
This article was previously posted on Don Hite's Blog
QUOTE: The Fundamental Computer Investigation Guide for Windows available from Microsoft will provide you with information on how to investigate and then handle any suspicious or improper use of your organization's computers and network. This paper was developed by Microsoft’s security experts and customers to provide you with the information and resources you may need in order to pursue any criminal or civil lawsuits.
Fundamental Computer Investigation Guide for Windows Download: http://go.microsoft.com/fwlink/?linkid=80345
Seven security issues are addressed in the latest release http://isc.sans.org/diary.html?storyid=2298
The Mozilla folks have released the long-awaited version 2.0.0.2 of Firefox. The second link below shows that 7 security issues were fixed, one rated critical. Bugs fixed appear to include CVE-2007-1004, CVE-2007-0995, CVE-2007-0981, CVE-2007-0800, CVE-2007-0780, CVE-2007-0779, CVE-2007-0778, CVE-2007-0777, CVE-2007-0776, CVE-2007-0775, CVE-2007-0008, and CVE-2007-0009, among others. This also fixed the issue with the password manager that was exploited late last year, CVE-2006-6077. The bookmarklet vulnerability CVE-2007-1084 does NOT appear to have been addressed.
Release Notes: http://www.mozilla.com/en-US/firefox/2.0.0.2/releasenotes/ Security Issues: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.2
Update: As one of our readers pointed out, the Mozilla folks have also released Firefox 1.5.0.10 and SeaMonkey 1.0.8 and a number of the fixes mentioned above apply to these as well.
SeaMonkey security notes: http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey1.0.8 FF-1.5.0.10 security notes: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.10
This article affirms the need to "trust but verify" as part of the security process:
Corporate Security Controls: Massive Insider Breach At DuPont http://www.informationweek.com/news/showArticle.jhtml?articleID=197006474
QUOTE: A research chemist who worked for DuPont for 10 years before accepting a job with a competitor downloaded 22,000 sensitive documents and viewed 16,706 more in the company's electronic library.
Gary Min worked as a research chemist for DuPont for 10 years before accepting a job with DuPont competitor Victrex PLC in Asia in October 2005. Between August and December of that year, Min downloaded 22,000 sensitive documents and viewed 16,706 more in the company's electronic library, making him the most active user of that database in the company, according to prosecutors.
It's unclear whether Min's frequent access to that database tipped off an automatic alert to DuPont officials or whether his behavior was discovered by studying database access logs. Regardless, Min left DuPont in December, 2005, and after starting work for Victrex in February, 2006, transferred 180 DuPont documents to a Victrex-owned laptop computer.
After DuPont discovered that Min had helped himself to a large volume of confidential and proprietary DuPont technical information, it notified the FBI and the Commerce Department. Min's Victrex computer was seized on Feb. 8, 2006, while he was at a meeting with Victrex officials in Geneva, Switzerland. The confiscated computer was turned over to DuPont, which in turn gave it to the FBI, according to prosecutors.
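The article leaves open whether an automatic alert or a manual review of the access logs caught Min. The script below is an added example, not from the InformationWeek article or DuPont, of the kind of alert a document-library owner can run over its own logs: it counts downloads per user and flags anyone far above the median of their peers. The log lines (format `DATE USER ACTION DOC_ID`) and user names are constructed.

```python
"""Spot unusually heavy users of a document library from its access logs.
Added example, not from the InformationWeek article or DuPont; the log lines
are constructed ('DATE USER ACTION DOC_ID') and user names are hypothetical."""
from collections import defaultdict
from statistics import median


def parse_log(text):
    """Parse 'DATE USER ACTION DOC_ID' lines; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] in ("view", "download"):
            records.append(tuple(parts))
    return records


def per_user_counts(records):
    """Return {user: {'view': n, 'download': n, 'distinct_docs': n}}."""
    acc = defaultdict(lambda: {"view": 0, "download": 0, "docs": set()})
    for _, user, action, doc in records:
        acc[user][action] += 1
        acc[user]["docs"].add(doc)
    return {u: {"view": c["view"], "download": c["download"],
                "distinct_docs": len(c["docs"])} for u, c in acc.items()}


def flag_heavy_users(records, multiplier=5.0, min_downloads=20):
    """Flag users whose download count exceeds `multiplier` x the median of
    their peers (other users only, so one outlier cannot raise its own
    baseline); `min_downloads` keeps tiny libraries from raising alerts."""
    counts = per_user_counts(records)
    flagged = {}
    for user, c in counts.items():
        peers = [o["download"] for u, o in counts.items() if u != user]
        if not peers:
            continue
        baseline = median(peers)
        if c["download"] >= min_downloads and c["download"] > multiplier * max(baseline, 1):
            flagged[user] = {"downloads": c["download"], "peer_median": baseline}
    return flagged


def build_sample_log():
    """Constructed log: nine ordinary users (3-5 downloads each, one view)
    plus one hypothetical user who pulls 120 documents over a few weeks."""
    lines = []
    for i in range(9):
        for j in range(3 + i % 3):
            lines.append(f"2005-09-{1 + j:02d} user{i} download D-{i}{j:02d}")
        lines.append(f"2005-09-10 user{i} view D-{i}99")
    for k in range(120):
        lines.append(f"2005-10-{1 + k % 28:02d} outlier download D-X{k:03d}")
    lines.append("garbled line without the expected fields")
    return "\n".join(lines)


if __name__ == "__main__":
    for user, info in flag_heavy_users(parse_log(build_sample_log())).items():
        print(f"ALERT {user}: {info['downloads']} downloads, peer median {info['peer_median']}")
```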
This new security vulnerability is rated low-risk and it can only be manipulated by local users (rather than via remote attacks).
Windows XP/Vista/2003 - Local security disclosure vulnerability http://www.frsirt.com/english/advisories/2007/0701 http://secunia.com/advisories/24245/
QUOTE: A weakness has been identified in Microsoft Windows, which could be exploited by malicious users to disclose sensitive information. This issue is due to an error within the directory-change API that does not properly validate users' permissions for child objects when retrieving information regarding objects that they do not have "LIST" permissions for. This could be exploited by local attackers to gather information about protected files (e.g. their names), facilitating further attacks.
CVE ID: CVE-2007-0843
Rated as: Low Risk
Remotely Exploitable: No
Locally Exploitable: Yes
This new vulnerability is rated as low risk and could be used in phishing or other deceptive schemes by malicious people.
Internet Explorer 7 "onunload" Event Spoofing Vulnerability http://secunia.com/advisories/23014/ http://msmvps.com/blogs/spywaresucks/archive/2007/02/23/611544.aspx
QUOTE:
Secunia Research has discovered a vulnerability in Internet Explorer 7, which can be exploited by a malicious website to spoof the address bar. The vulnerability is caused due to an error in Internet Explorer 7's handling of "onunload" events, enabling a malicious website to abort the loading of a new website. This can be exploited to spoof the address bar if e.g. the user enters a new website manually in the address bar, which is commonly exercised as best practice.
This new "network walker" virus is written in VB and affects workstations as they boot up. It disguises copies of itself on the hard drive or network drives as Word documents (using the Word icon).
BootMerlin Virus - Modifies Windows Boot-up http://vil.nai.com/vil/content/v_141514.htm http://secunia.com/virus_information/36315/bootmerlin/
Key Symptoms include:
1. Wizard animation advocating anti-Microsoft messages in Spanish
2. C:\Boot.ini modified
3. Anti-Windows or Anti-Microsoft messages displayed by Windows Boot Manager at boot up time.
4. Presence of the file on hard drive or network drives where write access is permitted
Trend Micro has issued updates for newly discovered buffer overflow vulnerabilities in their server-based and client-based AV products.
Trend Micro ServerProtect "StCommon.dll" and "eng50.dll" Buffer Overflow Vulnerabilities http://www.frsirt.com/english/advisories/2007/0670 http://www.tippingpoint.com/security/advisories/TSRT-07-01.html http://www.tippingpoint.com/security/advisories/TSRT-07-02.html
QUOTE: Multiple vulnerabilities have been identified in Trend Micro ServerProtect, which could be exploited by remote attackers to take complete control of an affected system. These issues are due to buffer overflow errors in various functions within the "StCommon.dll" and "eng50.dll" libraries, which could be exploited by remote unauthenticated attackers to execute arbitrary commands by sending specially crafted RPC requests to a vulnerable application.
Trend Micro OfficeScan Web Deployment ActiveX Remote Code Execution Vulnerability http://www.frsirt.com/english/advisories/2007/0638
QUOTE: A vulnerability has been identified in OfficeScan Corporate Edition, which could be exploited by attackers to take complete control of an affected system. This issue is due to a buffer overflow error in the web deployment ActiveX control when handling malformed arguments passed to certain methods, which could be exploited by remote attackers to execute arbitrary commands by tricking a user into visiting a specially crafted web page.
Overview of Microsoft Security Bulletins released on February 13, 2007:
http://www.microsoft.com/technet/security/bulletin/ms07-Feb.mspx
- MS07-005 Step-by-Step Interactive Training (Remote Code Execution)
- MS07-006 Windows Shell (Elevation of Privilege)
- MS07-007 Windows Image Acquisition Service (Elevation of Privilege)
- MS07-008 HTML Help ActiveX Control (Remote Code Execution)
- MS07-009 Microsoft Data Access Components (Remote Code Execution)
- MS07-010 Microsoft Malware Protection Engine (Remote Code Execution)
- MS07-011 Microsoft OLE Dialog (Remote Code Execution)
- MS07-012 Microsoft MFC (Remote Code Execution)
- MS07-013 Microsoft RichEdit (Remote Code Execution)
- MS07-014 Microsoft Word (Remote Code Execution)
- MS07-015 Microsoft Office (Remote Code Execution)
- MS07-016 Internet Explorer (Remote Code Execution)
Our privacy is something that we need to safeguard while on the Internet. Many companies will automatically scan in publicly available information from a telephone listing or other sources. You may be able to opt out in some cases, but once something is published to the Internet, it can also be difficult to remove.
You can try some of the following privacy tests for yourself on Google, Yahoo, MSN Live, Switchboard or other search facilities:
1. Your name (with and without spaces) and other family members http://www.google.com/search?hl=en&q=Harry+Waldron http://www.google.com/search?hl=en&q=harrywaldron
2. Your telephone number (format: xxx-xxx-xxxx)
3. Your street address (street only or full address)
4. Your email address (full or just the name portion)
5. Your SSN (with and without dashes - hopefully zero hits)
6. Your birthday MM/DD/YYYY (most likely you won't get hits on yourself, but it's neat to check for historical events)
Brief list shared below:
Microsoft Security - ISC updates key missing patches http://isc.sans.org/diary.html?storyid=1940
Issue | CVE | Status
Word 2000/XP DoS / remote code execution | CVE-2007-0870 | Used in targeted attacks
Internet Explorer msxml3 concurrency problems | CVE-2007-0099 | Publicly posted exploit; remote DoS / code execution
NetrWkstaUserEnum() memory allocation exhaustion | CVE-2006-6723 | Publicly posted exploit; remote DoS
MessageBox() / csrss double free vulnerability | CVE-2006-6696 | Publicly posted PoC exploits for XP, 2003 and Vista
RPC in Windows 2000 SP4 UPnP and SPOOLS | CVE-2006-6296, CVE-2006-3644 | Multiple publicly available exploits
Microsoft Windows NAT Helper Components | CVE-2006-5614 | Publicly available exploit
PowerPoint 2003 | CVE-2006-5296 | Publicly available exploit
Always avoid clicking on URLs in spam-based emails, even to opt out, as downloader agents may be present which can infect an unprotected PC.
New spam attack in German with URL based malware http://isc.sans.org/diary.html?storyid=2283
QUOTE: We've received a report that a spam is making the rounds, it's in German, has the Subject "Fand ich Sie zufallig!". According to the automated malware analysis we received from Sven Marten, at the link in the email one obtains 2 pieces of malware, the first of which has sporadic AV detection at the moment.
Under XP, I've had no issues updating virus signatures or checking the Help/About information to determine the latest signature files installed. Some additional work may be required, though, for this process to work as smoothly on Vista.
McAfee Virus Scan 8.5i fails Vista VB100 certification due to update problems http://www.virusbtn.com/news/vb_news/2007/02_06.xml
QUOTE: In the wake of the recent VB100 test on the new Windows Vista platform, VB has been in communication with the makers of many of the products tested. The developers of one of those adjudged to have failed the test, McAfee, have insisted that when their VirusScan product is fully updated with the data provided for testing it is capable of detecting the samples missed during our tests.
After intensive investigation, VB has found that detection routines for the two malware samples missed were indeed included in the update package provided by McAfee. However, when McAfee's manual update procedure was run it failed to apply the update to the product, despite both on-screen messages and logs stating that the product had been updated successfully.
Several Windows, Office, and other product updates are planned for Patch Tuesday:
Microsoft Security Bulletin Advance Notification http://www.microsoft.com/technet/security/bulletin/advance.mspx
On 13 February 2007, Microsoft is planning to release:
- 5 Bulletins - Windows
- 3 Bulletins - Office
- 1 Bulletin - Visual Studio
- 1 Bulletin - Step-by-Step Interactive Training
- 1 Bulletin - Data Access Components
- 1 Bulletin - Windows Live OneCare, Antigen, Windows Defender, and ForeFront
- Malicious Software Removal Tool update
I agree with many of the constructive points offered here. Firewalls must be bi-directional and easy to configure, and each outbound entry should be individually validated as part of the trust process.
I also disagree with some of the harsher criticisms shared, as inbound protection is important even if the outbound part wasn't implemented as well as it should have been. The article notes the potential need for enhancements that might be a good fit for Service Pack 1 in the future.
Vista Firewall Commentary: When is a firewall not a firewall? When it's Vista's built-in firewall http://blogs.zdnet.com/Berlind/?p=331
QUOTE: In Windows Vista, Microsoft says its new Windows Firewall is now two-way, that it adds outbound protection, but a closer look reveals that this is more deceptive marketing spin. With Windows Vista what you get turns out to be a half-cocked firewall that's hardly worth the upgrade. Vamosi goes on to describe how Vista's personal firewall has the blocking and tackling of outbound connections backwards.
With most personal firewalls (and network firewalls), an outbound connection is only allowed when the firewall has been programmed with a rule that allows it. That's good. From the moment such a firewall is installed, nothing is allowed until a user (or network administrator) says it's allowed. The first time after most personal firewalls are installed, those firewalls present users with a rules wizard each time an application on their PC tries to connect to the Internet.
But, with Windows Vista's firewall, it works the other way around. All outbound communications are allowed permanently until a rule has been created to explicitly block it. Despite Vamosi having routinely voiced his concerns about Vista's firewall before Vista shipped.
Configuring Vista's firewall isn't easy. In fact, it's so difficult that the Windows Firewall is actually worse than having no firewall at all. Mere mortals shouldn't bother configuring it.
Panda has issued an Orange Alert (MEDIUM RISK) for this new email worm that uses the theme of love in its subject field. Attachments are EXE files disguised as greeting cards or postcards.
Nurech.A email worm - Panda issues MEDIUM RISK alert http://www.pandasoftware.com/com/virus_info/encyclopedia/overview.aspx?IdVirus=149000 http://www.pandasoftware.com/about/press/viewNews.htm?noticia=8234
QUOTE: ORANGE VIRUS ALERT The Nurech.A worm spreads rapidly, infecting hundreds of computers - 2/5/2007
This worm has been spreading rapidly over the last few hours, and has infected hundreds of computers. As a result, it is now one of the top ten viruses detected by ActiveScan, Panda Software’s free online solution. Given the situation, and due to the high risk of infection, the company has declared an Orange virus alert status.
This worm reaches computers by email, in a message with variable subjects such as Together You and I, Everyone Needs Someone, Cyber Love, etc. The sender field also varies, although it always contains a woman’s name. The file that contains the worm is an executable file with names such as flash postcard.exe or greeting postcard.exe.
When users run the attached file, Nurech.A installs on the computer. The worm is designed to terminate processes belonging to security tools and to look for addresses to spread to on the affected computer. This worm is particularly dangerous bearing in mind its rootkit features, aimed at hiding processes and making detection more difficult for security tools.
The following are attachments to be avoided in email messages related to a Love or Valentines theme:
- FLASH POSTCARD.EXE
- GREETING CARD.EXE
- GREETING POSTCARD.EXE
- POSTCARD.EXE
Attacks are most likely limited, but folks need to keep AV protection updated and be careful in handling all Office-based attachments, as there are multiple unpatched vulnerabilities.
Excel/Office Document Handling Vulnerability http://www.microsoft.com/technet/security/advisory/932553.mspx http://isc.sans.org/diary.html?storyid=2157 http://www.frsirt.com/english/advisories/2007/0463
QUOTE: Microsoft has released an advisory for a remote code execution vulnerability in Microsoft Office. It is currently being reported to target only Microsoft Excel at this point. However, according to Microsoft's advisory: "While we are currently only aware that Excel is the current attack vector, other Office applications are potentially vulnerable." It has a CVE entry of CVE-2007-0671.
This vulnerability is being exploited in the wild. Excel is the current attack vector.
While most mainstream sites are probably safe, users should be careful when surfing or navigating to websites related to the Superbowl.
Hacking Attacks related to Superbowl web sites http://www.f-secure.com/weblog/archives/archive-022007.html#00001101
QUOTE: A number of unrelated web sites have been hacked into over the last days. They have been modified by inserting a reference to a script on a Chinese site called <<URL-Removed>>. Some of the hacked sites are related to the Super Bowl, being played this weekend.