April 2007 - Posts
Large-scale DDoS attacks can overwhelm a website to the point that regular users cannot access these resources. I'm hopeful that the civil unrest will stop and that differences can be worked out more diplomatically.
Update on the Estonian DDoS attacks
http://www.f-secure.com/weblog/archives/archive-042007.html#00001183
Unrest in Estonia
http://www.f-secure.com/weblog/archives/archive-042007.html#00001181
John, a fellow blogger at My IT Forums recently shared these informative podcasts ...
QUOTE: Describes the best practices and processes Microsoft IT uses to secure its network and provides a brief overview of the many aspects of network security; including some of the technologies used to protect against viruses, unapproved access attempts and malicious attacks. Also describes the threat analysis and business reasons why certain practices and procedures were put into action.
Download links:
- bmo021307.mp3 (22.8 MB)
- bmo021307.wma (8.4 MB)
Working exploits have surfaced for a critical security issue in Adobe Photoshop CS2 and CS3. Users should avoid opening untrusted Bitmap files (.BMP, .DIB, .RLE) received by email or via web links.
Adobe Photoshop - Malicious BMP Files Vulnerability
http://secunia.com/advisories/25023/
QUOTE: Marsu has reported a vulnerability in Adobe Photoshop, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error within the handling of Bitmap files (e.g. .BMP, .DIB, .RLE) and can be exploited to cause a stack-based buffer overflow via a specially crafted Bitmap file. Successful exploitation allows execution of arbitrary code. The vulnerability is reported in Adobe Photoshop CS2 and CS3. Other versions may also be affected.
Some short quotations from the article are noted below.
Top 10 Most Famous Hackers of All Time
http://www.itsecurity.com/features/top-10-famous-hackers-042407/
Black Hat Crackers: The Internet abounds with hackers, known as crackers or "black hats," who work to exploit computer systems. They are the ones you've seen on the news being hauled away for cybercrimes. Some of them do it for fun and curiosity, while others are looking for personal gain. In this section we profile five of the most famous and interesting "black hat" hackers.
1. Jonathan James: James gained notoriety when he became the first juvenile to be sent to prison for hacking. He was sentenced at 16 years old.
2. Adrian Lamo: Lamo's claim to fame is his break-ins at major organizations like The New York Times and Microsoft. Dubbed the "homeless hacker," he used Internet connections at Kinko's, coffee shops and libraries to do his intrusions.
3. Kevin Mitnick: A self-proclaimed "hacker poster boy," Mitnick went through a highly publicized pursuit by authorities. His mischief was hyped by the media but his actual offenses may be less notable than his notoriety suggests.
4. Kevin Poulsen: Also known as Dark Dante, Poulsen gained recognition for his hack of LA radio's KIIS-FM phone lines, which earned him a brand new Porsche, among other items.
5. Robert Tappan Morris: Morris, son of former National Security Agency scientist Robert Morris, is known as the creator of the Morris Worm, the first computer worm to be unleashed on the Internet. As a result of this crime, he was the first person prosecuted under the 1986 Computer Fraud and Abuse Act.
White Hat Hackers: Hackers that use their skills for good are classified as "white hat." These white hats often work as certified "Ethical Hackers," hired by companies to test the integrity of their systems. Others operate without company permission by bending but not breaking laws and in the process have created some really cool stuff. In this section we profile five white hat hackers and the technologies they have developed.
1. Stephen Wozniak: "Woz" is famous for being the "other Steve" of Apple. Wozniak, along with current Apple CEO Steve Jobs, co-founded Apple Computer. He has been awarded with the National Medal of Technology as well as honorary doctorates from Kettering University and Nova Southeastern University. Additionally, Woz was inducted into the National Inventors Hall of Fame in September 2000.
2. Tim Berners-Lee: Berners-Lee is famed as the inventor of the World Wide Web, the system that we use to access sites, documents and files on the Internet. He has received numerous recognitions, most notably the Millennium Technology Prize.
3. Linus Torvalds: Torvalds fathered Linux, the very popular Unix-based operating system. He calls himself "an engineer," and has said that his aspirations are simple, "I just want to have fun making the best operating system I can."
4. Richard Stallman: Stallman's fame derives from the GNU Project, which he founded to develop a free operating system. For this, he's known as the father of free software. His "Serious Bio" asserts, "Non-free software keeps users divided and helpless, forbidden to share it and unable to change it. A free operating system is essential for people to be able to use computers in freedom."
5. Tsutomu Shimomura: Shimomura reached fame in an unfortunate manner: he was hacked by Kevin Mitnick. Following this personal attack, he made it his cause to help the FBI capture him.
For years, I've found Virus Total to be an excellent service for gauging the near real-time frequency and severity associated with virus attacks. I've often submitted leading edge samples where only just a few AV vendors had coverage.
Over time, I've seen patterns where a few AV companies have consistently had protection in place before others. This article encourages corporate users not to rely on this alone in choosing an AV vendor, but to use other criteria and sources for comparison (e.g., Virus Bulletin, AV-Comparatives, etc.).
Some key reasons VirusTotal should be treated as a scanning service rather than an AV comparison include:
- Virus Total only uses command line versions of AV products (and the desktop versions are usually more advanced and behave differently).
- Desktop versions may interact with firewall or other security perimeter controls to better mitigate threats.
- Heuristics settings may be more aggressive in the Virus Total environment, as false positives are less of an issue when trying to identify a brand new threat.
Virus Total service should not be used for AV comparisons
http://blog.hispasec.com/virustotal/22
Virus Total.com Home Page
http://www.virustotal.com/en/indexf.html
QUOTE: Virus Total was not designed as a tool to perform AV comparative analyses, but as a tool that checks suspicious samples with several AV programs and helps AV labs by forwarding them the malware they failed to detect. Those who use VirusTotal to perform AV comparative analyses should know that they are making many implicit errors in the methodology.
These special targeted attacks are highly focused and very limited. Still, everyone in sensitive organizational settings (e.g., military, government, etc) should be cautious and look beyond traditional email approaches to safely exchange sensitive information. All users should avoid opening any untrusted attachments or URLs.
Cyberspies exploit Microsoft Office using Targeted Attacks
http://www.usatoday.com/tech/news/computersecurity/2007-04-22-cyberspies-microsoft-office_N.htm
http://isc.sans.org/diary.html?storyid=2688
QUOTE: Cyberspies have a new secret weapon: tainted Microsoft Office files. A rising number of cyberattacks are taking aim at specific individuals at critical government agencies and corporations — enticing them to unwittingly open a corrupted Word, Excel or PowerPoint file sent as an e-mail attachment.
Clicking on the file relinquishes control of the PC without the user's knowledge. The attacker then uses the compromised PC as a base from which to roam the organization's internal network. Federal agencies and defense and nuclear contractors are under assault. Security firm Message Labs says it has been intercepting a series of attacks from PCs in Taiwan and China since November.
The Office file attacks are "very targeted and very limited," says Mark Miller, Microsoft's director of security response, who called on workers "to absolutely extend extreme caution" when opening Office files in e-mail.
Testing is always a critical part of any change process. This unanticipated issue led to a much quieter morning for me and millions of other Blackberry users.
System update led to BlackBerry outage
http://www.msnbc.msn.com/id/18229224/
QUOTE: NEW YORK - BlackBerry maker Research in Motion Ltd. said an insufficiently tested software update at the company's network data center was the cause of a service outage this week that left millions of users without wireless e-mail access.
In a statement late Thursday, the company said the outage from Tuesday evening into Wednesday morning was triggered by "the introduction of a new, non-critical system routine" designed to optimize the cache, or temporary holding space, of the system that handles e-mail sent to BlackBerry users. RIM said it didn't expect the update to impact users, "but the pre-testing of the system routine proved to be insufficient."
Unfortunately, some fake donation sites have already surfaced, and some of the security sites are working to shut these down. Please be on the lookout for email phishing attacks; contributions should only be sent to the official site below.
Virginia Tech Memorial Fund - Official Link
http://www.vt.edu/tragedy/memorial_fund.php
I'd like to thank SANS (Internet Storm Center) for highlighting this concern early to discourage fraudulent donations.
We need your help - Virginia Tech domains
http://isc.sans.org/diary.html?storyid=2664
QUOTE: Even faster than for Hurricane Katrina, new domains are registered for the VA Tech shootings. Some of them are used for benevolent purposes. However, a good share of them are parked for auction and even used for fraudulent donations. We set up a page with about 450 different domain names that look suspect. If you have a few minutes, help us to categorize the domains.
Our family lives about 25 miles from the campus, and needless to say this horrific event has taken its toll on me, my family, co-workers, community, etc.
Virginia Tech Tragedy - Personal perspective
http://www.dozleng.com/updates/index.php?showtopic=14013
Most likely AV protection will be forthcoming; most importantly, though, the MS07-017 patch should be promptly applied.
New Variant of ANI exploit emerges
http://isc.sans.org/diary.html?storyid=2648
QUOTE:
What a shocker - malware authors are playing cat 'n' mouse with antivirus signatures.
Roger Chiu of Malware-Test Lab submitted a .ani file observed in the wild that was not detected as malicious by any popular antivirus tools. As with many other ANI attacks, this was presented as a CURSOR object in a DIV element on a compromised web site
While this new variant is not widespread, it is important to be careful about which websites you visit and to stay up to date with AV signatures, as this can help with protection on systems where the MS07-017 patch has not yet been applied.
CERT: New Rinbot Variant Attempting to Exploit Microsoft Windows DNS RPC Vulnerability
http://www.us-cert.gov/current/current_activity.html#rinbot
QUOTE: US-CERT is aware of a new variant of the Rinbot worm that is currently scanning for port 1025/tcp and attempting to exploit the recent buffer overflow vulnerability in the Microsoft Windows DNS service RPC management interface. Like other variants of Rinbot, this variant is an Internet Relay Chat controlled backdoor that may provide an attacker unauthorized remote access to a compromised machine.
McAfee: W32/Nirbot.worm!RpcDns
http://vil.mcafeesecurity.com/vil/content/v_142027.htm
QUOTE: W32/Nirbot.worm!RpcDns is an internet relay chat controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam, install adware, distribute illegal content or launch a DDoS attack on internet systems. This variant of the W32/Nirbot.worm.gen will also try to exploit the Microsoft DNS Server Service RPC vulnerability on DNS Server.
Trend: VANBOT.GC
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FVANBOT%2EGC
QUOTE: This worm may be dropped on a system by other malware or downloaded unknowingly by a user when visiting malicious Web sites. It may also arrive via network shares. This worm also spreads by taking advantage of the Vulnerability in RPC on Windows DNS Server to propagate across networks.
Symantec: W32.Rinbot.BC
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-041701-3720-99
QUOTE: The worm opens a random port and waits for a connection from shell code. The worm scans network for computers vulnerable to the following vulnerabilities and exploits them:
* The Microsoft DNS Server Service Could Allow Remote Code Execution (BID 23470) on TCP port 1025
* The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (BID 19409) on TCP port 139
* Symantec Client Security and Symantec AntiVirus Elevation of Privilege (BID 18107) on TCP port 2967
MORE INFORMATION: Microsoft Security Advisory (935964)
Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/935964.mspx
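The vendor write-ups above all describe the same behaviour: the worm sweeps the network for hosts listening on 1025/tcp (DNS RPC), 139/tcp (Server service) and 2967/tcp (Symantec AV). That sweep is visible at the perimeter long before a signature ships. The following is an added example of detecting it from firewall logs; it is not code from the original post or from any of the vendors quoted. The log line layout is a constructed, hypothetical iptables-style format and the sample lines are made up; the three ports are the ones listed in the Symantec entry.

```python
"""Horizontal-sweep detection for the ports the Rinbot/Nirbot variants probe.

Added example, not code from the original post or from any of the vendors
quoted above. The syslog format is a constructed, hypothetical iptables-style
line; the ports are the three named in the Symantec write-up (1025/tcp DNS
RPC, 139/tcp Server service, 2967/tcp Symantec AV)."""
import re
from collections import defaultdict

RINBOT_PORTS = {1025, 139, 2967}

# Fields we need from a firewall line; anything else (UDP, malformed) is ignored.
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP .*?DPT=(\d+)")


def parse_line(line):
    """Return (src, dst, dport) for a TCP log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def find_sweepers(log_text, ports=RINBOT_PORTS, min_targets=5):
    """Map each source that touched >= min_targets DISTINCT destinations on a
    watched port to {port: distinct_destination_count}.

    Counting distinct destinations rather than raw packets is what separates a
    worm sweeping a subnet from a legitimate client retrying one server."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in ports:
            seen[src][dport].add(dst)
    hits = {}
    for src, by_port in seen.items():
        sweeps = {p: len(d) for p, d in by_port.items() if len(d) >= min_targets}
        if sweeps:
            hits[src] = sweeps
    return hits


def _mk(src, dst, dport, spt):
    # Constructed log line in a made-up iptables LOG layout.
    return (f"Apr 18 09:12:01 fw1 kernel: DROP IN=eth1 SRC={src} DST={dst} "
            f"PROTO=TCP SPT={spt} DPT={dport}")


# Constructed sample: 10.0.0.5 sweeps eight hosts on 1025/tcp and three on
# 139/tcp; 10.0.0.9 hammers one DNS server on 1025 and does normal traffic.
SAMPLE_LOG = "\n".join(
    [_mk("10.0.0.5", f"10.0.1.{i}", 1025, 3300 + i) for i in range(10, 18)]
    + [_mk("10.0.0.5", f"10.0.1.{i}", 139, 3400 + i) for i in range(10, 13)]
    + [_mk("10.0.0.9", "10.0.1.10", 1025, 4000 + i) for i in range(6)]
    + [_mk("10.0.0.9", "10.0.1.20", 80, 4100)]
    + ["Apr 18 09:12:02 fw1 kernel: ACCEPT IN=eth1 SRC=10.0.0.9 DST=10.0.1.53 "
       "PROTO=UDP SPT=5000 DPT=53"]
)

if __name__ == "__main__":
    for src, sweeps in find_sweepers(SAMPLE_LOG).items():
        print(f"{src}: sweeping {sweeps}")   # 10.0.0.5: sweeping {1025: 8}
```

The threshold of five distinct targets is arbitrary; on a real network tune it against a baseline, and note that 10.0.0.9 is deliberately not flagged even though it sends more packets to port 1025 than any single host in the sweep.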
This new version of the Storm worm is out there, as I'm seeing copies as well. Trend has declared MEDIUM RISK, and as the Computerworld article shares, this multi-threaded spam engine is massively emailing copies out there.
Nuwar.AOP - MEDIUM RISK for new Storm Worm variant
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNUWAR%2EAOP
Massive spam shot of 'Storm Trojan' reaches record proportions
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9016420
http://www.avertlabs.com/research/blog/?p=257
QUOTE: April 12, 2007 (Computerworld) -- A massive spam outbreak that tries to trick recipients into opening a file attachment that can hijack their computers has already broken records, security companies said today.
According to researchers at Postini Inc., the spam run is the largest in the last 12 months, and more than three times the volume of the two biggest in recent memory: a pair of blasts in December and January. "We're seeing 50 to 60 times the normal volume of spam," said Adam Swidler, senior manager of solutions marketing at Postini.
Arriving with subject headings touting Worm Alert!, Worm Detected, Spyware Detected!, Virus Activity Detected!, the spam carries a ZIP file attachment posing as a patch necessary to ward off the bogus attack. The ZIP file, which is password protected -- the password is included in the message to further dupe recipients -- actually contains a variant of the "Storm Trojan" worm, which installs a rootkit to cloak itself, disables security software, steals confidential information from the PC and adds it to a bot army of compromised computers.
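The password-protected ZIP is the whole trick: a gateway scanner cannot open the archive, so the payload only gets inspected once the user types the password in. A mail gateway does not need the password to see that an archive is encrypted, because the ZIP headers carry an "encrypted" flag in the clear. The following is an added example of that check; it is not code from the original post, Computerworld, Postini or any AV vendor. The archive is constructed in memory (Python's zipfile cannot write encrypted entries, so the flag bit is patched into the headers afterwards), the payload is a dummy byte string, and the list of "executable" extensions is my assumption.

```python
"""Flag e-mail attachments that are password-protected ZIPs carrying an executable.

Added example, not code from the original post, Computerworld, Postini or any
AV vendor. The archive is constructed in memory: Python's zipfile cannot write
encrypted entries, so the 'encrypted' bit (bit 0 of the general-purpose flag)
is patched into the headers afterwards. The payload is a dummy byte string,
not real content."""
import io
import os
import zipfile

# Extensions a mail gateway would treat as executable (an assumption; extend to taste).
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def build_sample_zip(name="removal.exe", encrypted=True):
    """Constructed test archive with one STORED entry; optionally marked encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr(name, b"MZ not a real program")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Local file header starts at 0; its general-purpose flag is at offset 6.
        assert data[:4] == b"PK\x03\x04"
        data[6] |= 0x01
        # Central directory entry: flag sits at offset 8 from its signature.
        cd = data.find(b"PK\x01\x02")
        data[cd + 8] |= 0x01
    return bytes(data)


def inspect_zip(blob):
    """List (name, encrypted, looks_executable) for every entry without extracting.

    Only the central directory is read, so no password is needed and nothing
    from the archive is ever decompressed."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return [
            (info.filename,
             bool(info.flag_bits & 0x01),
             os.path.splitext(info.filename)[1].lower() in EXEC_EXT)
            for info in z.infolist()
        ]


def should_quarantine(blob):
    """Policy: hold any archive a scanner cannot open that also names an executable.
    The Storm run quoted above fits exactly this pattern (password in the mail body)."""
    return any(enc and exe for _, enc, exe in inspect_zip(blob))


if __name__ == "__main__":
    print(inspect_zip(build_sample_zip()))        # [('removal.exe', True, True)]
    print(should_quarantine(build_sample_zip()))  # True
```

Because the check reads only the central directory, it works on the archive exactly as it arrives; there is no need to brute-force or extract the password from the message body, and an encrypted archive with a harmless-looking name inside still surfaces as "encrypted" for a human to review.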
AV protection will improve, but currently only a few vendors offer protection (based on the sample submitted to VirusTotal.com below). All users should stay on the latest DAT files and continue to be extra careful with email.
Complete scanning result of "removal_90237.zip", processed in VirusTotal at
04/13/2007 18:40:16 (CET).
[ file data ]
* name: removal_90237.zip
* size: 39067
* md5.: 94c0057126f9df3a7e5471327c2ad0bc
* sha1: f1ac8734420cdf1093cb331180ef448ca86a8ec7
[ scan result ]
AhnLab-V3 2007.4.14.0/20070413 found nothing
AntiVir 7.3.1.50/20070413 found nothing
Authentium 4.93.8/20070413 found [Not scanned (encrypted)]
Avast 4.7.936.0/20070413 found nothing
AVG 7.5.0.447/20070412 found nothing
BitDefender 7.2/20070413 found nothing
CAT-QuickHeal 9.00/20070413 found nothing
ClamAV devel-20070312/20070413 found [Trojan.Small-zippwd-18]
DrWeb 4.33/20070413 found nothing
eSafe 7.0.15.0/20070412 found [Virus in password protected archive]
eTrust-Vet 30.7.3565/20070413 found nothing
Ewido 4.0/20070413 found nothing
F-Prot 4.3.2.48/20070413 found nothing
F-Secure 6.70.13030.0/20070413 found [Password-protected-EXE]
FileAdvisor 1/20070413 found nothing
Fortinet 2.85.0.0/20070413 found nothing
Ikarus T3.1.1.5/20070413 found nothing
Kaspersky 4.0.2.24/20070413 found [Password-protected-EXE]
McAfee 5009/20070413 found [W32/Nuwar@MM!zip]
Microsoft 1.2405/20070413 found [password protected]
NOD32v2 2187/20070413 found [error - password-protected file]
Norman 5.80.02/20070412 found nothing
Panda 9.0.0.4/20070413 found nothing
Prevx1 V2/20070413 found nothing
Sophos 4.16.0/20070412 found nothing
Sunbelt 2.2.907.0/20070407 found nothing
Symantec 10/20070413 found [Trojan.Peacomm!zip]
TheHacker 6.1.6.088/20070409 found nothing
VBA32 3.11.3/20070413 found nothing
VirusBuster 4.3.7:9/20070413 found nothing
Webwasher-Gateway 6.0.1/20070413 found [Trojan.Zhelatin.ZIP.Gen]
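Reading a listing like the one above needs the caveat from the VirusTotal post earlier on this page: a bracketed result is not always a detection. Six engines here only report that the archive is password-protected or could not be scanned, which says nothing about whether they know the payload, while four name a Storm/Nuwar/Peacomm/Zhelatin signature. The following is an added example that parses this listing format and separates those cases; it is not code from VirusTotal or from the original post. The sample lines are a subset copied from the listing above, and the keyword rule used to tell a container flag from a named detection is my own heuristic, not VirusTotal's categorisation.

```python
"""Parse a 2007-era VirusTotal text listing and count real detections.

Added example, not VirusTotal's code or the original post's. Lines have the
shape '<engine> <version>/<sigdate> found nothing' or
'<engine> <version>/<sigdate> found [<result>]'. The split between a named
detection and a generic 'password-protected' flag is a keyword heuristic of
my own (an assumption), not something VirusTotal reports."""
import re
from collections import Counter

RESULT_RE = re.compile(r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+found\s+(?P<result>.+?)\s*$")

# Assumption: a result that only says the archive is encrypted / unscannable
# is a container flag, not identification of what is inside.
GENERIC_MARKERS = ("password", "encrypted", "not scanned")


def classify(result):
    """'nothing', 'generic' (container flag only) or 'named' (a real signature)."""
    if result == "nothing":
        return "nothing"
    name = result.strip("[]").lower()
    if any(marker in name for marker in GENERIC_MARKERS):
        return "generic"
    return "named"


def parse_listing(text):
    """Return [(engine, version, result_without_brackets, kind)] for each scan line."""
    rows = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m is None:           # header, hash and blank lines do not match
            continue
        result = m["result"]
        rows.append((m["engine"], m["version"], result.strip("[]"), classify(result)))
    return rows


def summarize(rows):
    """Headline numbers: how many engines, and how many of each verdict kind."""
    counts = Counter(kind for *_, kind in rows)
    return {"engines": len(rows), "named": counts["named"],
            "generic": counts["generic"], "nothing": counts["nothing"]}


def named_engines(rows):
    """Engines that actually identified the payload, sorted by name."""
    return sorted(engine for engine, _, _, kind in rows if kind == "named")


# Subset of the listing above (twelve of the thirty-one engines), used as sample input.
SAMPLE_LISTING = """\
[ scan result ]
AhnLab-V3 2007.4.14.0/20070413 found nothing
Authentium 4.93.8/20070413 found [Not scanned (encrypted)]
ClamAV devel-20070312/20070413 found [Trojan.Small-zippwd-18]
eSafe 7.0.15.0/20070412 found [Virus in password protected archive]
F-Secure 6.70.13030.0/20070413 found [Password-protected-EXE]
Kaspersky 4.0.2.24/20070413 found [Password-protected-EXE]
McAfee 5009/20070413 found [W32/Nuwar@MM!zip]
Microsoft 1.2405/20070413 found [password protected]
NOD32v2 2187/20070413 found [error - password-protected file]
Sophos 4.16.0/20070412 found nothing
Symantec 10/20070413 found [Trojan.Peacomm!zip]
Webwasher-Gateway 6.0.1/20070413 found [Trojan.Zhelatin.ZIP.Gen]
"""

if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    print(summarize(rows))      # {'engines': 12, 'named': 4, 'generic': 6, 'nothing': 2}
    print(named_engines(rows))  # ['ClamAV', 'McAfee', 'Symantec', 'Webwasher-Gateway']
```

Run over the full listing the same way, the ratio is four named detections out of thirty-one engines, not ten, which is the number a "found [anything]" count would give. The heuristic is deliberately conservative: eSafe's "Virus in password protected archive" lands in the generic bucket because the string never names the payload, and that is the kind of methodological detail the Hispasec post above is warning about.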
Most viruses are designed to hide on the system, however occasionally a destructive one will surface that will require restoration from backups or a complete rebuild of the PC environment. This new virus is not widespread but folks should always be cautious on attachments and keep up-to-date on AV signatures.
Rabb Worm - Destructive new worm
http://vil.nai.com/vil/content/v_141982.htm
W32/Rabb.worm is a destructive worm that overwrites and replaces executable *.EXE files. It can also make copies onto removable media and mounted network drives. As executable files are overwritten and not infected, affected *.EXE files cannot be repaired and must be restored from backup.
A copy of Autorun.inf can be created at the root folder of each infected drive to automatically execute the worm. It may attempt to set the hidden bit in the attributes of these files. Executable files that had been replaced by W32/Rabb will bear an unusual icon (which looks like a rabbit).