myITforum.com, Inc.


Harry Waldron - My IT Forums Blog

Sharing Security Developments, and Best Practices for corporate and home users

April 2007 - Posts

  • WSUS 3.0 has been released

  • Estonian government - Major DDoS website attacks

    Large-scale DDoS attacks can overwhelm a website to the point that regular users cannot access these resources.  I'm hopeful that the civil unrest will stop and that differences can be worked out more diplomatically.  

    Update on the Estonian DDoS attacks
    http://www.f-secure.com/weblog/archives/archive-042007.html#00001183 

    Unrest in Estonia
    http://www.f-secure.com/weblog/archives/archive-042007.html#00001181 

    QUOTE:  For the past days, there's been unrest and rioting in Estonia.  We're now seeing large attacks against websites run by Estonian government. Some of the sites are unreachable. Others are up, but do not allow any traffic from foreign IP addresses.

    Quoting CNN: "Police arrested 600 people and 96 were injured in a second night of clashes in Estonia's capital over the removal of a disputed World War Two Red Army monument ... Russia has reacted furiously to the moving of the monument ... Estonia has said the monument had become a public order menace as a focus for Estonian and Russian nationalists."

  • Podcasts: Information Security at Microsoft Overview

    John, a fellow blogger at My IT Forums, recently shared these informative podcasts ...

    QUOTE:  Describes the best practices and processes Microsoft IT uses to secure its network and provides a brief overview of the many aspects of network security; including some of the technologies used to protect against viruses, unapproved access attempts and malicious attacks. Also describes the threat analysis and business reasons why certain practices and procedures were put into action.

    Download Links:

    bmo021307.mp3 (22.8 MB)

    bmo021307.wma (8.4 MB)

  • Adobe Photoshop - Malicious BMP Files Vulnerability

    Working exploits have surfaced for a critical security issue related to versions CS2 and CS3 of Adobe Photoshop.  Users should avoid all untrusted Bitmap files in email or weblinks.

    Adobe Photoshop - Malicious BMP Files Vulnerability
    http://secunia.com/advisories/25023/

    QUOTE: Marsu has reported a vulnerability in Adobe Photoshop, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error within the handling of Bitmap files (e.g. .BMP, .DIB, .RLE) and can be exploited to cause a stack-based buffer overflow via a specially crafted Bitmap file. Successful exploitation allows execution of arbitrary code.  The vulnerability is reported in Adobe Photoshop CS2 and CS3. Other versions may also be affected.

  • Microsoft launches New Security Portal beta

  • Top 10 Most Famous Hackers of All Time

    Some short quotations from the article are noted below.

    Top 10 Most Famous Hackers of All Time
    http://www.itsecurity.com/features/top-10-famous-hackers-042407/

    Black Hat Crackers: The Internet abounds with hackers, known as crackers or "black hats," who work to exploit computer systems. They are the ones you've seen on the news being hauled away for cybercrimes. Some of them do it for fun and curiosity, while others are looking for personal gain. In this section we profile five of the most famous and interesting "black hat" hackers.

    1. Jonathan James: James gained notoriety when he became the first juvenile to be sent to prison for hacking. He was sentenced at 16 years old.

    2. Adrian Lamo: Lamo's claim to fame is his break-ins at major organizations like The New York Times and Microsoft. Dubbed the "homeless hacker," he used Internet connections at Kinko's, coffee shops and libraries to do his intrusions.

    3. Kevin Mitnick: A self-proclaimed "hacker poster boy," Mitnick went through a highly publicized pursuit by authorities. His mischief was hyped by the media but his actual offenses may be less notable than his notoriety suggests.

    4. Kevin Poulsen: Also known as Dark Dante, Poulsen gained recognition for his hack of LA radio's KIIS-FM phone lines, which earned him a brand new Porsche, among other items.

    5. Robert Tappan Morris: Morris, son of former National Security Agency scientist Robert Morris, is known as the creator of the Morris Worm, the first computer worm to be unleashed on the Internet. As a result of this crime, he was the first person prosecuted under the 1986 Computer Fraud and Abuse Act.

    White Hat Hackers: Hackers that use their skills for good are classified as "white hat." These white hats often work as certified "Ethical Hackers," hired by companies to test the integrity of their systems. Others, operate without company permission by bending but not breaking laws and in the process have created some really cool stuff. In this section we profile five white hat hackers and the technologies they have developed.

    1. Stephen Wozniak: "Woz" is famous for being the "other Steve" of Apple. Wozniak, along with current Apple CEO Steve Jobs, co-founded Apple Computer. He has been awarded with the National Medal of Technology as well as honorary doctorates from Kettering University and Nova Southeastern University. Additionally, Woz was inducted into the National Inventors Hall of Fame in September 2000.

    2. Tim Berners-Lee: Berners-Lee is famed as the inventor of the World Wide Web, the system that we use to access sites, documents and files on the Internet. He has received numerous recognitions, most notably the Millennium Technology Prize.

    3. Linus Torvalds: Torvalds fathered Linux, the very popular Unix-based operating system. He calls himself "an engineer," and has said that his aspirations are simple, "I just want to have fun making the best operating system I can."

    4. Richard Stallman: Stallman's fame derives from the GNU Project, which he founded to develop a free operating system. For this, he's known as the father of free software. His "Serious Bio" asserts, "Non-free software keeps users divided and helpless, forbidden to share it and unable to change it. A free operating system is essential for people to be able to use computers in freedom."

    5. Tsutomu Shimomura: Shimomura reached fame in an unfortunate manner: he was hacked by Kevin Mitnick. Following this personal attack, he made it his cause to help the FBI capture him.

  • Virus Total service should not be used for AV comparisons

    For years, I've found Virus Total to be an excellent service for gauging the near real-time frequency and severity associated with virus attacks.  I've often submitted leading edge samples where only just a few AV vendors had coverage. 

    Over time, I've seen patterns where a few AV companies have consistently had protection in place before others.  This article encourages corporate users not to rely on this alone in choosing an AV vendor, but to use other criteria and sources for comparisons (e.g., VB Bulletin, AV-Comparisons, etc.).

    Some key reasons Virus Total should be seen only as a scanning service, not as a benchmark, include:

    - Virus Total only uses command line versions of AV products (and the desktop versions are usually more advanced and behave differently).

    - Desktop versions may interact with firewall or other security perimeter controls to better mitigate threats.

    - Heuristics settings may be more aggressive in the Virus Total environment, as false positives are less of an issue when trying to identify a brand new threat.

    Virus Total service should not be used for AV comparisons
    http://blog.hispasec.com/virustotal/22

    Virus Total.com Home Page
    http://www.virustotal.com/en/indexf.html

    QUOTE: Virus Total was not designed as a tool to perform AV comparative analyses, but as a tool that checks suspicious samples with several AV programs and helps AV labs by forwarding them the malware they failed to detect. Those who use VirusTotal to perform AV comparative analyses should know that they are making many implicit errors in the methodology.

  • Cyberspies exploit Microsoft Office using Targeted Attacks

    These special targeted attacks are highly focused and very limited. Still, everyone in sensitive organizational settings (e.g., military, government, etc.) should be cautious and look beyond traditional email approaches to safely exchange sensitive information. All users should avoid opening any untrusted attachments or URLs.

    Cyberspies exploit Microsoft Office using Targeted Attacks
    http://www.usatoday.com/tech/news/computersecurity/2007-04-22-cyberspies-microsoft-office_N.htm
    http://isc.sans.org/diary.html?storyid=2688

    Quote:
    Cyberspies have a new secret weapon: tainted Microsoft Office files. A rising number of cyberattacks are taking aim at specific individuals at critical government agencies and corporations — enticing them to unwittingly open a corrupted Word, Excel or PowerPoint file sent as an e-mail attachment.

    Clicking on the file relinquishes control of the PC without the user's knowledge. The attacker then uses the compromised PC as a base from which to roam the organization's internal network. Federal agencies and defense and nuclear contractors are under assault. Security firm Message Labs says it has been intercepting a series of attacks from PCs in Taiwan and China since November.

    The Office file attacks are "very targeted and very limited," says Mark Miller, Microsoft's director of security response, who called on workers "to absolutely extend extreme caution" when opening Office files in e-mail.

  • Blackberry Outage - Untested System Update leads to outage

    Testing is always a critical part of any change process.  This unanticipated issue led to a much quieter morning for me and millions of other Blackberry users.

    System update led to BlackBerry outage
    http://www.msnbc.msn.com/id/18229224/

    QUOTE: NEW YORK - BlackBerry maker Research in Motion Ltd. said an insufficiently tested software update at the company's network data center was the cause of a service outage this week that left millions of users without wireless e-mail access.

    In a statement late Thursday, the company said the outage from Tuesday evening into Wednesday morning was triggered by "the introduction of a new, non-critical system routine" designed to optimize the cache, or temporary holding space, of the system that handles e-mail sent to BlackBerry users.  RIM said it didn't expect the update to impact users, "but the pre-testing of the system routine proved to be insufficient."

  • Virginia Tech Tragedy - Fake Donation Sites are Surfacing

    Unfortunately, some fake donation sites have already surfaced, and some of the security sites are working to shut these down. Please be on the lookout for email phishing attacks; contributions should only be sent to the official site below.

    Virginia Tech Memorial Fund - Official Link
    http://www.vt.edu/tragedy/memorial_fund.php

    I'd like to thank SANS (Internet Storm Center) for highlighting this concern early to discourage fraudulent donations.

    We need your help - Virginia Tech domains
    http://isc.sans.org/diary.html?storyid=2664

    QUOTE: Even faster than for Hurricane Katrina, new domains are registered for the VA Tech shootings. Some of them are used for benevolent purposes. However, a good share of them are parked for auction and even used for fraudulent donations. We set up a page with about 450 different domain names that look suspect. If you have a few minutes, help us to categorize the domains.

    Our family lives about 25 miles from the campus, and needless to say this horrific event has taken its toll on me, my family, co-workers, community, etc.

    Virginia Tech Tragedy - Personal perspective
    http://www.dozleng.com/updates/index.php?showtopic=14013

  • New Variant of ANI exploit emerges

    Most likely AV protection will be forthcoming; however, most importantly, the MS07-017 patch should be promptly applied.

    New Variant of ANI exploit emerges
    http://isc.sans.org/diary.html?storyid=2648

    quote:

    What a shocker - malware authors are playing cat 'n' mouse with antivirus signatures.

    Roger Chiu of Malware-Test Lab submitted a .ani file observed in the wild that was not detected as malicious by any popular antivirus tools. As with many other ANI attacks, this was presented as a CURSOR object in a DIV element on a compromised web site.

  • New Rinbot variant - IRC worm exploits unpatched DNS RPC vulnerability

    While this new variant is not widespread, it is important to be careful with website visitation and stay up-to-date with AV signatures, as this can help with protection until this new vulnerability is patched.


    CERT: New Rinbot Variant Attempting to Exploit Microsoft Windows DNS RPC Vulnerability
    http://www.us-cert.gov/current/current_activity.html#rinbot

    QUOTE: US-CERT is aware of a new variant of the Rinbot worm that is currently scanning for port 1025/tcp and attempting to exploit the recent buffer overflow vulnerability in the Microsoft Windows DNS service RPC management interface. Like other variants of Rinbot, this variant is an Internet Relay Chat controlled backdoor that may provide an attacker unauthorized remote access to a compromised machine.


    McAfee: W32/Nirbot.worm!RpcDns
    http://vil.mcafeesecurity.com/vil/content/v_142027.htm

    QUOTE: W32/Nirbot.worm!RpcDns is an internet relay chat controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam, install adware, distribute illegal content or launch a DDoS attack on internet systems. This variant of the W32/Nirbot.worm.gen will also try to exploit the Microsoft DNS Server Service RPC vulnerability on DNS Server.


    Trend: VANBOT.GC
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FVANBOT%2EGC

    QUOTE: This worm may be dropped on a system by other malware or downloaded unknowingly by a user when visiting malicious Web sites. It may also arrive via network shares.  This worm also spreads by taking advantage of the Vulnerability in RPC on Windows DNS Server to propagate across networks.


    Symantec: W32.Rinbot.BC
    http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-041701-3720-99

    QUOTE: The worm opens a random port and waits for a connection from shell code. The worm scans network for computers vulnerable to the following vulnerabilities and exploits them:

    * The Microsoft DNS Server Service Could Allow Remote Code Execution (BID 23470) on TCP port 1025
    * The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (BID 19409) on TCP port 139
    * Symantec Client Security and Symantec AntiVirus Elevation of Privilege (BID 18107) on TCP port 2967


    MORE INFORMATION: Microsoft Security Advisory (935964)
    Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
    http://www.microsoft.com/technet/security/advisory/935964.mspx
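    The vendor write-ups above agree on one observable: an infected host fans out across the network on TCP 1025 (DNS RPC), 139 and 2967. The following is an added example, not code from this post or any vendor, that flags that fan-out in a constructed connection log; the log format and the sample hosts are hypothetical, and the threshold is an assumption to tune for your own network.

```python
"""Flag hosts that fan out across many machines on the TCP ports Rinbot probes."""
import re
from collections import defaultdict

# Ports and vulnerabilities listed in the Symantec write-up quoted above.
RINBOT_PORTS = {
    1025: "Microsoft DNS Server RPC (BID 23470)",
    139: "Windows Server Service (BID 19409)",
    2967: "Symantec Client Security / AntiVirus (BID 18107)",
}

# Hypothetical log format, constructed for this example:
#   <timestamp> <src_ip> -> <dst_ip>:<dst_port>/tcp <flags>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)/tcp\b"
)

# Constructed sample: one host sweeping 1025/tcp, one touching two hosts on
# 139/tcp, one sweeping 2967/tcp, one busy web client, and one junk line.
SAMPLE_LOG = """\
2007-04-17T10:01:02 10.0.5.23 -> 10.0.5.1:1025/tcp SYN
2007-04-17T10:01:02 10.0.5.23 -> 10.0.5.2:1025/tcp SYN
2007-04-17T10:01:03 10.0.5.23 -> 10.0.5.3:1025/tcp SYN
2007-04-17T10:01:03 10.0.5.23 -> 10.0.5.4:1025/tcp SYN
2007-04-17T10:01:04 10.0.5.23 -> 10.0.5.5:1025/tcp SYN
2007-04-17T10:01:04 10.0.5.23 -> 10.0.5.6:1025/tcp SYN
2007-04-17T10:01:05 10.0.5.23 -> 10.0.5.6:1025/tcp SYN
2007-04-17T10:02:10 10.0.5.40 -> 10.0.5.50:139/tcp SYN
2007-04-17T10:02:11 10.0.5.40 -> 10.0.5.51:139/tcp SYN
2007-04-17T10:03:00 10.0.5.77 -> 10.0.6.1:2967/tcp SYN
2007-04-17T10:03:00 10.0.5.77 -> 10.0.6.2:2967/tcp SYN
2007-04-17T10:03:01 10.0.5.77 -> 10.0.6.3:2967/tcp SYN
2007-04-17T10:03:01 10.0.5.77 -> 10.0.6.4:2967/tcp SYN
2007-04-17T10:03:02 10.0.5.77 -> 10.0.6.5:2967/tcp SYN
2007-04-17T10:04:00 10.0.5.9 -> 10.0.7.1:80/tcp SYN
2007-04-17T10:04:00 10.0.5.9 -> 10.0.7.2:80/tcp SYN
2007-04-17T10:04:00 10.0.5.9 -> 10.0.7.3:80/tcp SYN
2007-04-17T10:04:00 10.0.5.9 -> 10.0.7.4:80/tcp SYN
2007-04-17T10:04:00 10.0.5.9 -> 10.0.7.5:80/tcp SYN
garbage line that does not parse
"""


def parse_connections(log_text):
    """Yield (src, dst, port) for every parseable line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("port"))


def find_scanners(log_text, threshold=5):
    """Return {src: {port: distinct_target_count}} for sources that reached
    at least `threshold` distinct hosts on any Rinbot port. Repeated
    connections to the same host count once, so retries do not inflate it."""
    targets = defaultdict(lambda: defaultdict(set))
    for src, dst, port in parse_connections(log_text):
        if port in RINBOT_PORTS:
            targets[src][port].add(dst)
    findings = {}
    for src, by_port in targets.items():
        hits = {port: len(dsts) for port, dsts in by_port.items()
                if len(dsts) >= threshold}
        if hits:
            findings[src] = hits
    return findings


def describe(findings):
    """One human-readable alert line per (source, port) pair."""
    return [f"{src} probed {n} hosts on {port}/tcp: {RINBOT_PORTS[port]}"
            for src, hits in sorted(findings.items())
            for port, n in sorted(hits.items())]


if __name__ == "__main__":
    for alert in describe(find_scanners(SAMPLE_LOG)):
        print(alert)
```

    The web client on port 80 is ignored entirely, and the host that touched only two machines on 139/tcp drops below the default threshold; lowering the threshold trades that quiet for more alerts.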

  • Nuwar.AOP - MEDIUM RISK for new Storm Worm variant

    This new version of the Storm worm is out there, as I'm seeing copies as well. Trend has declared MEDIUM RISK and, as the Computerworld article notes, this multi-threaded spam engine is mass-mailing copies.

    Nuwar.AOP - MEDIUM RISK for new Storm Worm variant
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNUWAR%2EAOP

    Massive spam shot of 'Storm Trojan' reaches record proportions
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9016420
    http://www.avertlabs.com/research/blog/?p=257

    Quote:
    April 12, 2007 (Computerworld) -- A massive spam outbreak that tries to trick recipients into opening a file attachment that can hijack their computers has already broken records, security companies said today.

    According to researchers at Postini Inc., the spam run is the largest in the last 12 months, and more than three times the volume of the two biggest in recent memory: a pair of blasts in December and January. "We're seeing 50 to 60 times the normal volume of spam," said Adam Swidler, senior manager of solutions marketing at Postini.

    Arriving with subject headings touting Worm Alert!, Worm Detected, Spyware Detected!, Virus Activity Detected!, the spam carries a ZIP file attachment posing as a patch necessary to ward off the bogus attack. The ZIP file, which is password protected -- the password is included in the message to further dupe recipients -- actually contains a variant of the "Storm Trojan" worm, which installs a rootkit to cloak itself, disables security software, steals confidential information from the PC and adds it to a bot army of compromised computers.

  • New Storm Worm Attack - Limited AV protection currently

    AV protection will improve, but currently only a few vendors offer protection (based on this sample submitted to VirusTotal.com).  All users should stay on the latest DAT files and continue to be extra careful with email.

    Complete scanning result of "removal_90237.zip", processed in VirusTotal at
    04/13/2007 18:40:16 (CET).

    [ file data ]
    * name: removal_90237.zip
    * size: 39067
    * md5.: 94c0057126f9df3a7e5471327c2ad0bc
    * sha1: f1ac8734420cdf1093cb331180ef448ca86a8ec7

    [ scan result ]
    AhnLab-V3 2007.4.14.0/20070413 found nothing
    AntiVir 7.3.1.50/20070413 found nothing
    Authentium 4.93.8/20070413 found [Not scanned (encrypted)]
    Avast 4.7.936.0/20070413 found nothing
    AVG 7.5.0.447/20070412 found nothing
    BitDefender 7.2/20070413 found nothing
    CAT-QuickHeal 9.00/20070413 found nothing
    ClamAV devel-20070312/20070413 found [Trojan.Small-zippwd-18]
    DrWeb 4.33/20070413 found nothing
    eSafe 7.0.15.0/20070412 found [Virus in password protected archive]
    eTrust-Vet 30.7.3565/20070413 found nothing
    Ewido 4.0/20070413 found nothing
    F-Prot 4.3.2.48/20070413 found nothing
    F-Secure 6.70.13030.0/20070413 found [Password-protected-EXE]
    FileAdvisor 1/20070413 found nothing
    Fortinet 2.85.0.0/20070413 found nothing
    Ikarus T3.1.1.5/20070413 found nothing
    Kaspersky 4.0.2.24/20070413 found [Password-protected-EXE]
    McAfee 5009/20070413 found [W32/Nuwar@MM!zip]
    Microsoft 1.2405/20070413 found [password protected]
    NOD32v2 2187/20070413 found [error - password-protected file]
    Norman 5.80.02/20070412 found nothing
    Panda 9.0.0.4/20070413 found nothing
    Prevx1 V2/20070413 found nothing
    Sophos 4.16.0/20070412 found nothing
    Sunbelt 2.2.907.0/20070407 found nothing
    Symantec 10/20070413 found [Trojan.Peacomm!zip]
    TheHacker 6.1.6.088/20070409 found nothing
    VBA32 3.11.3/20070413 found nothing
    VirusBuster 4.3.7:9/20070413 found nothing
    Webwasher-Gateway 6.0.1/20070413 found [Trojan.Zhelatin.ZIP.Gen]

  • Rabb Worm - Destructive new worm

    Most viruses are designed to hide on the system; however, occasionally a destructive one will surface that will require restoration from backups or a complete rebuild of the PC environment.  This new virus is not widespread, but folks should always be cautious with attachments and keep up-to-date on AV signatures.

    Rabb Worm - Destructive new worm
    http://vil.nai.com/vil/content/v_141982.htm

    W32/Rabb.worm is a destructive worm that overwrites and replaces executable *.EXE files. It can also make copies onto removable media and mounted network drives. As executable files are overwritten and not infected, affected *.EXE files cannot be repaired and must be restored from backup.

    A copy of Autorun.inf can be created at the root folder of each infected drive to automatically execute the worm. It may attempt to set the hidden bit in the attributes of these files. Executable files that had been replaced by W32/Rabb will bear an unusual icon (which looks like a rabbit).

  • Opera 9.20 - Security Release

    QUOTE: Key security changes

    * Fix for character encoding inheritance issue with frames, which could enable cross-site scripting. See the advisory.
    * Fixed an issue regarding handling of FTP PASV response, as reported by Mark at bindshell.net
    * XMLHttpRequest now treats separate ports on the same server as a different server. Issue reported by Egmont Koblinger.
    * Fixed an issue where scripts could continue to run after leaving the page, as reported by Herrmann Manuel.
    * Skandiabanken.no's message about successful certificate installation is now shown.

    So far, so good with my personal update ... I use all 3 major browsers to test newly developed web pages and for complementary functionality.

    Opera 9.20 - Security Release
    http://isc.sans.org/diary.html?storyid=2606
    http://www.opera.com/docs/changelogs/windows/920/
    http://www.opera.com/download/

  • Microsoft Security Bulletins - April 2007

    Almost all are critical and it's important to patch promptly:

    Microsoft Security Bulletins - April 2007
    http://www.microsoft.com/technet/security/bulletin/ms07-Apr.mspx

    Quote:
    Microsoft is releasing the following security bulletins for newly discovered vulnerabilities:

    Bulletin Number
    --------------------------------------------------------------
    MS07-018 (Critical) Content Management Server 2001 and 2002 [Remote Code Execution]
    MS07-019 (Critical) Windows XP [Remote Code Execution]
    MS07-020 (Critical) Windows 2000, Windows XP, Windows Server 2003 [Remote Code Execution]
    MS07-021 (Critical) All current versions of Microsoft Windows [Remote Code Execution]
    MS07-022 (Important) Windows 2000, Windows XP, Windows Server 2003 [Elevation of Privilege]

    The ISC also offers a good analysis each month

    http://isc.sans.org/diary.html?storyid=2598

    Also, these updates went well on my home and work PCs ... So far, so good.

  • Sober.AA and Bagle.HR - New Variants emerge

    While these are among the oldest virus families circulating, the authors continue to develop new variants and even innovate occasionally. Developments for either of these 2 variants should be watched.

    Sober.AA - Spammed in German and English versions
    http://secunia.com/virus_information/37435/email-wormw32sober.aa/
    http://www.f-secure.com/v-descs/email-worm_w32_sober_aa.shtml

    Quote:
    EMAIL to Avoid

    These e-mail messages may appear to come from the following senders: Admin, Hostmaster, Postmaster, Webmaster

    Body: Your eMail has occurred an unknown error on our Server.
    Please read your mail and check the text. The full email is attached!


    Attachment: Mail_Data.zip


    Bagle.HR - New downloader installs Rootkit
    http://secunia.com/virus_information/37422/email-wormw32bagle.hr/

    Quote:
    Email-Worm:W32/Bagle.HR is a trojan-downloader with rootkit technology

  • Nuwar Mass Mailer - Avoid Missile Strike/Political emails

    This new mass mailer email worm is circulating extensively and is a sophisticated attack (it includes rootkit concepts, downloads additional malware agents, and sets up its own network of infected users). I have seen a few copies in my personal email, so this new attack is out there and is being circulated extensively.

    Some links include:

    ISC: Avoid Missile Strike/War Themed emails
    http://isc.sans.org/diary.html?storyid=2586

    McAfee: Nuwar Variant - DAT 5005 offers best protection
    http://vil.nai.com/vil/content/v_140835.htm

    Trend Micro: WORM_NUWAR.AOK
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNUWAR%2EAOK&VSect=T

    F-Secure: Zhelatin.CQ
    http://www.f-secure.com/v-descs/email-worm_w32_zhelatin_cq.shtml

    W32.Mixor.AR
    http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-040904-0940-99&tabid=2

    Sophos - W32/Dref-AF
    http://www.sophos.com/security/analyses/w32drefaf.html

    MAIL TO BLOCK OR AVOID:

    Subject:
    • Iran Just Have Started World War III
    • Israel Just Have Started World War III
    • Missle Strike: The USA kills more then 1000 Iranian citizens
    • Missle Strike: The USA kills more then 10000 Iranian citizens
    • Missle Strike: The USA kills more then 20000 Iranian citizens
    • USA Declares War on Iran
    • USA Just Have Started World War III
    • USA Missle Strike: Iran War just have started


    Message body: {blank}

    Attachment:
    • Click Here.exe
    • Click Me.exe
    • More.exe
    • Movie.exe
    • News.exe
    • Read Me.exe
    • Read More.exe
    • Video.exe

  • New Spam Agent - Secretly gathers valid email addresses

    Please delete and avoid opening any emails with the following characteristics:

    New Spam Agent - Gathers valid email addresses
    http://www.avertlabs.com/research/blog/?p=247

    quote:

    A new spam campaign doing the rounds looks fairly innocent but its sole purpose is to verify that your email address is active. This will inevitably lead to your email address being added to multiple spam lists. The main problem with this particular spam is that the email is hard to spot and simply opening it will quietly alert the spammer your email address is active.

    From: “Web Useds”
    From: “Web Services”
    From: “Web Help”
    From: “Support Services”
    From: “Sales Depot”
    From: “Digital Plaza”
    From: “Digital Locker”
    From: “Customer Support”
    From: “Buy now”
    From: “Web Depot”
    From: “Ref Depot”


    And the subject of the email is usually one of these with random numbers in square brackets:

    Subject: [635] Important info regarding your Order
    Subject: [7738] Your Order
    Subject: [4241] Support Request
    Subject: "your email address in the subject line"

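    The Nuwar post above and this one both reduce to header and attachment indicators, so a mail gateway can triage on them before anyone opens a message. The following is an added example, not code from this blog or the vendor write-ups: it parses constructed sample messages with Python's standard email module and applies the subject, sender and attachment lists quoted above; the three sample messages are made up for this example.

```python
"""Triage raw e-mail against the Nuwar and address-verifier indicators above."""
import email
import re
from email.policy import default
from email.utils import parseaddr

# Subject lines and attachment names from the Nuwar post (kept verbatim,
# misspellings included, because that is what arrives in the inbox).
NUWAR_SUBJECTS = {
    "Iran Just Have Started World War III",
    "Israel Just Have Started World War III",
    "Missle Strike: The USA kills more then 1000 Iranian citizens",
    "Missle Strike: The USA kills more then 10000 Iranian citizens",
    "Missle Strike: The USA kills more then 20000 Iranian citizens",
    "USA Declares War on Iran",
    "USA Just Have Started World War III",
    "USA Missle Strike: Iran War just have started",
}
NUWAR_ATTACHMENTS = {"click here.exe", "click me.exe", "more.exe", "movie.exe",
                     "news.exe", "read me.exe", "read more.exe", "video.exe"}

# Display names from the address-verifier spam post, plus its subject shape:
# random numbers in square brackets, or the recipient's own address.
VERIFIER_SENDERS = {"Web Useds", "Web Services", "Web Help", "Support Services",
                    "Sales Depot", "Digital Plaza", "Digital Locker",
                    "Customer Support", "Buy now", "Web Depot", "Ref Depot"}
VERIFIER_SUBJECT_RE = re.compile(r"^\[\d+\]\s")

# Constructed sample messages (addresses use the reserved .invalid TLD).
NUWAR_SAMPLE = b"""\
From: "News" <news@example.invalid>
To: user@example.invalid
Subject: USA Declares War on Iran
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

--b1
Content-Type: application/octet-stream; name="Video.exe"
Content-Disposition: attachment; filename="Video.exe"

placeholder bytes, not a real executable
--b1--
"""
VERIFIER_SAMPLE = b"""\
From: "Sales Depot" <promo@example.invalid>
To: user@example.invalid
Subject: [4241] Support Request
Content-Type: text/html; charset="us-ascii"

<html><body>Thank you for your order.</body></html>
"""
BENIGN_SAMPLE = b"""\
From: "Alice" <alice@example.invalid>
To: user@example.invalid
Subject: Lunch tomorrow?
Content-Type: text/plain; charset="us-ascii"

See you at noon.
"""


def classify(raw):
    """Return 'nuwar-mass-mailer', 'address-verifier-spam' or None."""
    msg = email.message_from_bytes(raw, policy=default)
    subject = str(msg["Subject"] or "").strip()
    sender_name = parseaddr(str(msg["From"] or ""))[0]
    to_addr = parseaddr(str(msg["To"] or ""))[1].lower()
    attachments = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().strip() if body_part is not None else ""

    # Nuwar: a listed subject, or a listed .exe attachment with a blank body.
    if subject in NUWAR_SUBJECTS or (
            not body and any(a in NUWAR_ATTACHMENTS for a in attachments)):
        return "nuwar-mass-mailer"
    # Verifier spam: a listed display name plus the bracketed-number subject
    # or the recipient's own address echoed back in the subject.
    if sender_name in VERIFIER_SENDERS and (
            VERIFIER_SUBJECT_RE.match(subject) or (to_addr and to_addr in subject.lower())):
        return "address-verifier-spam"
    return None


def triage(messages):
    """Classify a batch of raw messages, preserving order."""
    return [classify(raw) for raw in messages]


if __name__ == "__main__":
    for label in triage([NUWAR_SAMPLE, VERIFIER_SAMPLE, BENIGN_SAMPLE]):
        print(label)
```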
  • Virus Total - ANI exploits rank #1

    Virus Total also now ranks ANI exploits as #1 (it was #7 yesterday). This is spreading somewhat, though not like a mass mailer. Still, these are out there, as I found some trapped in my email spam. This is one of the most important patches in months, as this new threat can hide easily in HTML.

    Virus Total - ANI exploits rank #1
    http://www.virustotal.com/en/indexf.html


  • Microsoft Security Bulletins - April 2007 (ANI patch)

    The patch is now available, although it may not be completely mirrored yet ... The ANI patch is a 1.7MB download and requires a reboot. Web apps I've tested so far seem to be working okay.

    Microsoft Security Bulletin MS07-017
    Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
    http://www.microsoft.com/technet/security/bulletin/ms07-017.mspx

  • ZERT - Technical details on how ANI Exploits work

    This is an interesting read (PDF) from the ZERT site on how the ANI exploit works. While highly technical, it's well explained by comments and diagrams.

    ZERT - Technical details on how ANI Exploits work
    In-depth analysis from their site (PDF)
    http://zert.isotf.org/papers/ani-notes.pdf

  • WOVB - Week of Vista bugs is a hoax

    I agree with the Internet Storm Center commentary, that private disclosure on vulnerabilities keeps the general public a lot safer.

    WOVB - Week of Vista bugs is a hoax
    http://isc.sans.org/diary.html?storyid=2561

    QUOTE: Month (or weeks) of bugs: We try to give them as little publicity as possible in order to discourage the behavior and encourage a bit more responsibility than to disclose vulnerability details in a blog.

  • ANI Exploits - Microsoft releasing emergency patch on April 3rd

    HTML is now a little more dangerous due to an unpatched issue discovered over the weekend. Microsoft has been working around the clock according to security sites and will be issuing a patch tomorrow. The Internet Storm Center has gone yellow (1st time in many months), so please be careful.

    Microsoft Security Advisory - Please see Advice & Workarounds 
    http://www.microsoft.com/technet/security/advisory/935423.mspx 

    Internet Storm Center - Yellow Alert
    http://isc.sans.org/

    I'd suggest the following:

    * Make sure anti-virus is on the latest definitions on servers and clients
    * Avoid the eEye and ZERT patches in favor of the official patch
    * Look at mitigating factors documented in the MS advisory
    * Pilot test and roll the official patch out promptly
    * All HTML code is now a little more dangerous and folks should be extra careful with email and website visitations.

    ANI Exploits - Microsoft releasing emergency patch on April 3rd
    http://www.microsoft.com/technet/sec...n/advance.mspx
    http://isc.sans.org/diary.html?storyid=2555

    MORE INFO IN LINKS BELOW:
    http://msmvps.com/blogs/harrywaldron...ail-worms.aspx
    http://msmvps.com/blogs/harrywaldron...-handling.aspx

  • ANI Exploit - New Email Worms

    The ANI exploit can be embedded and completely hidden in malicious HTML pages.  Users can easily become infected, usually by silently linking to a malicious website.  HTML will remain more dangerous until an official patch is in place.

    Please be extra careful with email.  Even plain text processing by some email clients may not be safe until Microsoft issues a new patch.  Untrusted websites might also contain this new threat.  AV protection can help as well as recommendations shared in the Microsoft security advisory.

    Below are new worms that have recently surfaced (and the list may be added to if more surface):  

    Anito.A - New Email Worm using new ANI Exploit
    http://www.f-secure.com/v-descs/anito_a.shtml

    QUOTE: The Email-Worm: W32/Anito.A is an e-mail worm. It sends out e-mail messages with a URL to a malicious file that contains the recently discovered ANI exploit. The worm also drops another malware, a worm and trojan downloader that we detect as 'Worm:W32/Anito.A'. This worm is similar to the one, that we detect as 'Trojan-Downloader.Win32.Agent.bky' and 'Worm.Win32.Diska.c'.

    Agent.BKY - New ANI downloader worm
    http://www.f-secure.com/v-descs/agent_bky.shtml

    QUOTE: Agent.BKY is a worm and a trojan downloader. It infects html files with a small script that downloads a file with a recently discovered ANI exploit. The worm also spreads to remote drives, modifies HOSTS file and downloads more malicious files onto an infected computer. This worm is dropped by the e-mail worm that we detect as 'Email-Worm:W32/Anito.A'.

    W32/Fujacks.aa - Spammed with unusual messages
    http://vil.mcafeesecurity.com/vil/content/v_141877.htm

    QUOTE: Instead of the usual W32/Fujacks strings used in earlier variants, inside the virus body of each variant contains one or more of these silly messages: "I Hate AVP!!" "Well, Boss will come in !!" "I will by one BMW this year!" The W32/Fujacks.aa thread in notepad.exe then prepends itself to Win32 PE files. It may also create a copy of itself in A:\tools.exe and A:\autorun.inf to autostart itself.


    =============================================

    ADDITIONAL LINKS:

    Microsoft Security Advisory - Please see Advice & Workarounds 
    http://www.microsoft.com/technet/security/advisory/935423.mspx 

    Internet Storm Center - Declares Yellow Alert
    http://isc.sans.org/diary.html?n&storyid=2542

    Chinese Internet Security Response Team Reports ANI Worm
    http://isc.sans.org/diary.html?storyid=2550

    CERT
    http://www.kb.cert.org/vuls/id/191609

    ANI 0-Day Exploit Info
    http://vil.nai.com/vil/content/v_vul28505.htm

    MSRC
    http://blogs.technet.com/msrc/archive/2007/03/29/microsoft-security-advisory-935423-posted.aspx

    Microsoft Windows Animated Cursor Handling Vulnerability
    http://secunia.com/advisories/24659/

  • Internet Storm Center - Declares Yellow Alert

    The Internet Storm Center has declared a Yellow Alert to emphasize an increased risk in HTML based email and malicious websites that could contain the new ANI exploits.

    Internet Storm Center - Declares Yellow Alert
    http://isc.sans.org/diary.html?n&storyid=2542
