February 2007 - Posts

http://isc.sans.org/diary.html?storyid=2316
http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1

http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/

QUOTE: The worm attempts to log into your systems as the users “lp” or “adm” and execute a bunch of shell commands (some of which are visible in the IDA screen shot below) to set up shop and keep on truckin’. Very old school, reminds me of the old ADM worms I saw back in the late 90’s that got me interested in self-propagating malware in the first place.
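Since the worm is reported to log in as the "lp" and "adm" service accounts, the quickest defensive check is to look for interactive logins to those accounts in authentication logs and for a single source touching them on several hosts. The following is an added example, not code from the ISC, Sun or Arbor posts above; the log lines are constructed in a simplified `login` record format (real Solaris syslog output differs, so the regular expression would need adjusting for a production log source), and the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample log lines (NOT real Solaris output): a simplified
# login record with user, source address and result on each line.
SAMPLE_LOG = """\
Feb 12 03:14:21 host1 login[4567]: LOGIN user=alice tty=pts/1 from=192.0.2.50 result=ok
Feb 12 03:14:23 host1 login[4570]: LOGIN user=lp tty=pts/3 from=192.0.2.10 result=ok
Feb 12 03:14:24 host2 login[2231]: LOGIN user=adm tty=pts/2 from=192.0.2.10 result=ok
Feb 12 03:14:26 host3 login[9981]: LOGIN user=lp tty=pts/0 from=192.0.2.10 result=fail
Feb 12 03:15:02 host1 login[4590]: LOGIN user=bob tty=pts/4 from=192.0.2.51 result=ok
Feb 12 03:16:40 host2 login[2250]: LOGIN user=adm tty=pts/5 from=198.51.100.7 result=ok
"""

# Pattern for the constructed record format above (assumption: one login per line).
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) login\[\d+\]: LOGIN "
    r"user=(?P<user>\S+) tty=\S+ from=(?P<src>\S+) result=(?P<result>\w+)$"
)

# Service accounts named in the report; they should never open an
# interactive telnet session, so any successful login is a finding.
WATCHED_USERS = frozenset({"lp", "adm"})


def parse_login_lines(text):
    """Yield one dict per line that matches the constructed login format."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.groupdict()


def find_service_account_logins(text, watched=WATCHED_USERS):
    """Return (host, user, src) for every *successful* login to a watched account."""
    return [
        (rec["host"], rec["user"], rec["src"])
        for rec in parse_login_lines(text)
        if rec["user"] in watched and rec["result"] == "ok"
    ]


def find_spreading_sources(text, watched=WATCHED_USERS, min_hosts=2):
    """Map source address -> sorted hosts for sources that tried a watched
    account (successfully or not) on at least min_hosts distinct hosts.
    One source fanning out across hosts is the worm-like pattern to hunt for."""
    hosts_by_src = defaultdict(set)
    for rec in parse_login_lines(text):
        if rec["user"] in watched:
            hosts_by_src[rec["src"]].add(rec["host"])
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for host, user, src in find_service_account_logins(SAMPLE_LOG):
        print(f"service-account login: {user}@{host} from {src}")
    for src, hosts in find_spreading_sources(SAMPLE_LOG).items():
        print(f"possible spread from {src}: {', '.join(hosts)}")
```

On the constructed sample this flags the three successful lp/adm logins and singles out 192.0.2.10 as the one source that reached three hosts, failed attempt included; failed attempts are deliberately kept in the spreading check because scanning shows up there first.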

This new Trojan from the Storm Worm authors registers a malicious DLL as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer. It can then automatically inject a copy of the malicious code into blog comments posted from an infected PC.

Please avoid any "fun video links" you may see in a blog post, as AV protection is very limited at this point.

Mespam Trojan - New Storm Worm version spreading as blog comments
http://secunia.com/virus_information/35867/spam-mespam/
http://vil.nai.com/vil/content/v_141590.htm
http://www.sophos.com/security/analyses/malcimuza.html
http://securitywatch.eweek.com/exploits_and_attacks/new_storm_worm_spreading_via_blog_posts.html

QUOTE: A Storm worm variant using both e-mail and Web sites to infect Windows-based PCs is injecting itself into the responses people are leaving on blogs. Dmitri Alperovitch, principal research scientist at Secure Computing, told eWEEK that the worm is injecting itself into the operating system as a rootkit and is capable of intercepting Web traffic.

When a user with an infected system visits a bulletin board or posts to a blog, the worm inserts malware into his or her comments. The line asks readers to look at a fun video and contains a link leading to a Web site where the malware is waiting to reinfect more users.

The worm is taking over PCs, Secure Computing reports, giving the criminal control for multiple purposes: sending spam, launching DDoS attacks and running keyloggers.

Also notable in this worm is that it's using server polymorphism—i.e., it contains self-modifying code that changes automatically every time it is downloaded. This worm form has been around "for ages," Alperovitch said, such as in the Bagle worm. Morphing worms are designed to avoid antivirus signature detection, and so far, Alperovitch said, it's working, as few major antivirus vendors have detected it.

To avoid infection, the advice is to refrain from clicking on the "fun video" link.

http://www.f-secure.com/weblog/archives/archive-022007.html#00001123

QUOTE: We frequently post on the topic of Phishing. Today we discovered a phishing site that was created two days ago on February 24th. We are monitoring new domain registrations that include particular keywords, such as eBay and Paypal. We create a list and use it to do a quick audit of URLs. If we find any obvious phishing sites – we get them shut down.


This article was previously posted on Don Hite's Blog

QUOTE: The Fundamental Computer Investigation Guide for Windows available from Microsoft will provide you with information on how to investigate and then handle any suspicious or improper use of your organization's computers and network. This paper was developed by Microsoft's security experts and customers to provide you with the information and resources you may need in order to pursue any criminal or civil lawsuits.

Fundamental Computer Investigation Guide for Windows Download:
http://go.microsoft.com/fwlink/?linkid=80345

Seven security issues are addressed in the latest release
http://isc.sans.org/diary.html?storyid=2298

The Mozilla folks have released the long-awaited version 2.0.0.2 of Firefox. The second link below shows that 7 security issues were fixed. One is rated critical. Bugs fixed appear to include CVE-2007-1004, CVE-2007-0995, CVE-2007-0981, CVE-2007-0800, CVE-2007-0780, CVE-2007-0779, CVE-2007-0778, CVE-2007-0777, CVE-2007-0776, CVE-2007-0775, CVE-2007-0008, and CVE-2007-0009, among others. This also fixed the issue with the password manager that was exploited late last year, CVE-2006-6077. The bookmarklet vulnerability CVE-2007-1084 does NOT appear to have been addressed.

Release Notes: http://www.mozilla.com/en-US/firefox/2.0.0.2/releasenotes/
Security Issues: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.2

Update: As one of our readers pointed out, the Mozilla folks have also released Firefox 1.5.0.10 and SeaMonkey 1.0.8 and a number of the fixes mentioned above apply to these as well.

SeaMonkey security notes: http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey1.0.8
FF-1.5.0.10 security notes: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.10

This article affirms the need to "trust but verify" as part of the security process:

Corporate Security Controls: Massive Insider Breach At DuPont
http://www.informationweek.com/news/showArticle.jhtml?articleID=197006474

QUOTE: A research chemist who worked for DuPont for 10 years before accepting a job with a competitor downloaded 22,000 sensitive documents and viewed 16,706 more in the company's electronic library.

Gary Min worked as a research chemist for DuPont for 10 years before accepting a job with DuPont competitor Victrex PLC in Asia in October 2005. Between August and December of that year, Min downloaded 22,000 sensitive documents and viewed 16,706 more in the company's electronic library, making him the most active user of that database in the company, according to prosecutors.

It's unclear whether Min's frequent access to that database tipped off an automatic alert to DuPont officials or whether his behavior was discovered by studying database access logs. Regardless, Min left DuPont in December, 2005, and after starting work for Victrex in February, 2006, transferred 180 DuPont documents to a Victrex-owned laptop computer.

After DuPont discovered that Min had helped himself to a large volume of confidential and proprietary DuPont technical information, it notified the FBI and the Commerce Department. Min's Victrex computer was seized on Feb. 8, 2006, while he was at a meeting with Victrex officials in Geneva, Switzerland. The confiscated computer was turned over to DuPont, which in turn gave it to the FBI, according to prosecutors.

This new security vulnerability is rated low-risk, and it can only be exploited by local users (rather than via remote attacks).

Windows XP/Vista/2003 - Local security disclosure vulnerability
http://www.frsirt.com/english/advisories/2007/0701
http://secunia.com/advisories/24245/

QUOTE: A weakness has been identified in Microsoft Windows, which could be exploited by malicious users to disclose sensitive information. This issue is due to an error within the directory-change API that does not properly validate users' permissions for child objects when retrieving information regarding objects that they do not have "LIST" permissions for. This could be exploited by local attackers to gather information about protected files (e.g. their names), facilitating further attacks.

CVE ID : CVE-2007-0843
Rated as : Low Risk
Remotely Exploitable : No
Locally Exploitable : Yes

This is an excellent resource and covers virtually all the key threats home users are faced with:

http://www.itsecurity.com/features/20-minute-guide-pc-security-021307/

This new vulnerability is rated as low risk and could be used in phishing or other deceptive schemes by malicious people.

Internet Explorer 7 "onunload" Event Spoofing Vulnerability
http://secunia.com/advisories/23014/
http://msmvps.com/blogs/spywaresucks/archive/2007/02/23/611544.aspx

QUOTE: Secunia Research has discovered a vulnerability in Internet Explorer 7, which can be exploited by a malicious website to spoof the address bar. The vulnerability is caused due to an error in Internet Explorer 7's handling of "onunload" events, enabling a malicious website to abort the loading of a new website. This can be exploited to spoof the address bar if e.g. the user enters a new website manually in the address bar, which is commonly exercised as best practice.

This new "network walker" virus is written in VB and affects workstations as they boot up. It disguises copies of itself on the hard drive or network drives as Word documents (using the Word icon).

BootMerlin Virus - Modifies Windows Boot-up
http://vil.nai.com/vil/content/v_141514.htm
http://secunia.com/virus_information/36315/bootmerlin/

Key Symptoms include:

1. Wizard animation advocating anti-Microsoft messages in Spanish

2. C:\Boot.ini modified

3. Anti-Windows or Anti-Microsoft messages displayed by Windows Boot Manager at boot up time.

4. Presence of the file on hard drive or network drives where write access is permitted
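Symptoms 2 and 3 above both come down to C:\Boot.ini having been rewritten, so a baseline comparison of that file catches this family without needing a signature. The following is an added example, not code from McAfee, Secunia or this blog: it parses the standard Windows XP/2003 Boot.ini layout and reports entries whose display string or options differ from a known-good copy. Both Boot.ini texts are constructed for the example, the replacement display string is a placeholder rather than the real message, and the function names are my own.

```python
# Constructed known-good Boot.ini in the documented Windows XP/2003 layout.
BASELINE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

# Constructed copy of the same file as a modified host might present it:
# the display string shown by the boot manager has been replaced (placeholder
# text, not the actual message) and the menu timeout has been changed.
MODIFIED_BOOT_INI = """\
[boot loader]
timeout=0
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="<constructed anti-Microsoft message>" /fastdetect
"""


def parse_boot_ini(text):
    """Return {section: {key: value}} for an INI-style Boot.ini.

    Keys keep their case (ARC paths are case-sensitive to the reader's eye);
    section names are lowercased; blank and ';' comment lines are ignored.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def audit_boot_ini(current_text, baseline_text):
    """Compare a Boot.ini against a baseline and return a list of findings.

    An empty list means the boot entries, default entry and timeout all match.
    """
    cur = parse_boot_ini(current_text)
    base = parse_boot_ini(baseline_text)
    findings = []

    cur_os = cur.get("operating systems", {})
    base_os = base.get("operating systems", {})
    for arc, value in cur_os.items():
        if arc not in base_os:
            findings.append(f"unexpected boot entry added: {arc}={value}")
        elif value != base_os[arc]:
            # The quoted display string is what the boot manager prints at startup.
            findings.append(
                f"boot entry display/options changed: {arc}: {base_os[arc]!r} -> {value!r}")
    for arc in base_os:
        if arc not in cur_os:
            findings.append(f"baseline boot entry removed: {arc}")

    for key in ("timeout", "default"):
        if cur.get("boot loader", {}).get(key) != base.get("boot loader", {}).get(key):
            findings.append(f"[boot loader] {key} changed")
    return findings


if __name__ == "__main__":
    # In practice read C:\Boot.ini (or a copy taken from the suspect drive)
    # and compare it with a baseline stored off the host.
    for finding in audit_boot_ini(MODIFIED_BOOT_INI, BASELINE_BOOT_INI):
        print(finding)
```

The baseline should be taken from a clean build and kept off the host, since a file that can rewrite Boot.ini can rewrite a baseline stored beside it; the same comparison also covers symptom 4 indirectly, because an added entry pointing at an unexpected file shows up as "unexpected boot entry added".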

F-Secure recently conducted an interesting poll, and based on 1020 responses, 65% said "No".

http://www.f-secure.com/weblog/archives/archive-022007.html#00001103
http://www.f-secure.com/weblog/archives/archive-022007.html#00001115

QUOTE: A graph of the overall results can be found in the original post. There were 23.8% in favor, 65% against, and 11.2% that were undecided.

Trend Micro has issued updates for newly discovered buffer overflow vulnerabilities in their server- and client-based AV products.

Trend Micro ServerProtect "StCommon.dll" and "eng50.dll" Buffer Overflow Vulnerabilities
http://www.frsirt.com/english/advisories/2007/0670
http://www.tippingpoint.com/security/advisories/TSRT-07-01.html
http://www.tippingpoint.com/security/advisories/TSRT-07-02.html

QUOTE: Multiple vulnerabilities have been identified in Trend Micro ServerProtect, which could be exploited by remote attackers to take complete control of an affected system. These issues are due to buffer overflow errors in various functions within the "StCommon.dll" and "eng50.dll" libraries, which could be exploited by remote unauthenticated attackers to execute arbitrary commands by sending specially crafted RPC requests to a vulnerable application.

Trend Micro OfficeScan Web Deployment ActiveX Remote Code Execution Vulnerability
http://www.frsirt.com/english/advisories/2007/0638

QUOTE: A vulnerability has been identified in OfficeScan Corporate Edition, which could be exploited by attackers to take complete control of an affected system. This issue is due to a buffer overflow error in the web deployment ActiveX control when handling malformed arguments passed to certain methods, which could be exploited by remote attackers to execute arbitrary commands by tricking a user into visiting a specially crafted web page.

Overview of Microsoft Security Bulletins released on February 13, 2007:

http://www.microsoft.com/technet/security/bulletin/ms07-Feb.mspx

  • MS07-005 Step-by-Step Interactive Training (Remote Code Execution)
  • MS07-006 Windows Shell (Elevation of Privilege)
  • MS07-007 Windows Image Acquisition Service (Elevation of Privilege)
  • MS07-008 HTML Help ActiveX Control (Remote Code Execution)
  • MS07-009 Microsoft Data Access Components (Remote Code Execution)
  • MS07-010 Microsoft Malware Protection Engine (Remote Code Execution)
  • MS07-011 Microsoft OLE Dialog (Remote Code Execution)
  • MS07-012 Microsoft MFC (Remote Code Execution)
  • MS07-013 Microsoft RichEdit (Remote Code Execution)
  • MS07-014 Microsoft Word (Remote Code Execution)
  • MS07-015 Microsoft Office (Remote Code Execution)
  • MS07-016 Internet Explorer (Remote Code Execution)

These three documents are in PDF format:

http://isc.sans.org/diary.html?storyid=2286

The NIST (National Institute of Standards and Technology) released yesterday 3 new documents:

1. SP 800-45 Version 2, Guidelines on Electronic Mail Security
2. SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS)
3. SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i

Our privacy is something that we need to safeguard while on the Internet. Many companies will automatically scan in publicly available information from a telephone listing or other sources. You may be able to opt out in some cases, but once something is published to the Internet, it can also be difficult to remove.

You can try some of the following privacy tests for yourself on Google, Yahoo, MSN Live, Switchboard or other search facilities:

1. Your name (with and without spaces) and other family members
http://www.google.com/search?hl=en&q=Harry+Waldron
http://www.google.com/search?hl=en&q=harrywaldron

2. Your telephone number
(format: xxx-xxx-xxxx)

3. Your street address
(street only or full address)

4. Your email address
(full or just the name portion)

5. Your SSN
(with and without dashes - hopefully zero hits)

6. Your birthday MM/DD/YYYY
(most likely you won't get hits on yourself, but it's neat to check for historical events)
