June 2007 - Posts

Lightning Please carefully process any e-cards and if you don't see a named sender specified it is unsafe.  Never click on numerical IP addresses found URLs as malware can be automatically downloaded and installed from unsafe sites. Nuwar (aka Storm Worm) is very difficult to clean. 

The wave continues - Subject line variation
http://isc.sans.org/diary.html?storyid=3072

QUOTE: In a followup to our previous story about the e-card exploit, we have received an unconfirmed report from one of our readers that the subject lines have begun to change. At this point in time, the reader has reported us the following variations:

You've received [a|n] [greeting|] [postcard|ecard] from a [admirer|class-mate|colleague|family member|friend|mate|neighbor|neighbour|partner|school friend|school mate|school-mate|worshipper]!

Lightning Example of the new Storm Worm variant from my in-box ... Please do not click on the numerical IP addresses found in the URL or you will get a malware infection that is very difficult to clean.

 ISC: Riding out yet Another Storm Wave
http://isc.sans.org/diary.html?storyid=3063 

Email  EXAMPLE OF COPY BLOCKED FROM IN-BOX (red text below)


 From: "americangreetings.com" [REMOVED]
 
 
To:
harry@....
 
 
Subject:
You've received a postcard from a family member!
 
 
Date:
Thu, 28 Jun 2007 20:40:01 -0700
 
 Good day.
 
 Your family member has sent you an ecard from americangreetings.com.
 Send free ecards from americangreetings.com with your choice of colors, words and music.
 
 Your ecard will be available with us for the next 30 days. If you wish to keep the ecard longer, you may save it on your computer or take a print.
 
 To view your ecard, choose from any of the following options:
 
 --------
 OPTION 1
 --------
 
 Click on the following Internet address or copy & paste it into your browser's address box.
 
 http://REMOVED/?ee7c634591933434671c16a2e59b1
 
 --------
 OPTION 2
 --------
 
 Copy & paste the ecard number in the "View Your Card" box at
 
 http://REMOVED/
 
 Your ecard number is ee7c634591933434671c16a2e59b1
 
 Best wishes,
 
 Postmaster,
 
 americangreetings.com
 

PDFs are being used to bypass Anti-Spam and Anti-Virus detections.  I'm seeing stock related PDF spam daily and users should avoid opening all untrusted email, attachments, or URLs.

PDF Spam Outbreak
http://www.avertlabs.com/research/blog/index.php/2007/06/26/pdf-spam-outbreak/

QUOTE: A large “pump-and-dump” stock spam campaign is underway, but rather than including the content of the spam in an image file, this campaign includes the spam content within a .PDF file. The stock spam is believed to be sent from Stration infected computers, as this spam campaign closely followed a new W32/Stration worm mass-mailing which contained a number of .PDF files, and Stration has been associated with pump and dump spam in the past.

 ISC - Pump and dump scams now in PDF
http://isc.sans.org/diary.html?storyid=3012

QUOTE: Apparently the groups behind what we know as pump and dump spam have found a new way to bypass spam filters. As of yesterday, we’ve been observing e-mails with bogus text, often in german, each with a PDF in attachment.  These PDFs purport to be stock information, and are usually titled ‘German Stock Insider’. They contain much more detail on stock than we’re used to from previous dump and pump scams and include images for added realism.


Kaspersky - Warezov.iq downloader includes PDFs
http://www.viruslist.com/en/viruses/encyclopedia?virusid=147295
http://www.viruslist.com/en/weblog?calendar=2007-06

QUOTE: Earlier today we intercepted a number of mailings with a new Warezov downloader. The good news is that it's already detected as Email-Worm.Win32.Warezov.pk, which we added to our database two days ago. What's interesting about the mails is that along with the usual executable (which in this case is called "access.exe") the messages have a couple of PDFs attached.


Unfortunately, Spam based email continues to increase worldwide:

http://www.postini.com/stats
http://spamcop.net/spamgraph.shtml?spamstats
http://www.messagelabs.com/intelligence.asp

A new exploit has been found on a website related to the Microsoft security updates for June 2007. This is an example of why users should apply patches promptly during the second Tuesday of each month.  

MS07-033: Internet Explorer based Exploit found in the wild
http://isc.sans.org/diary.html?storyid=3036
http://www.symantec.com/enterprise/security_response/weblog/2007/06/deepsight_honeynet_detects_obf.html

QUOTE: Symantec identified a website exploiting a bug from the June Microsoft patches, specifically the Microsoft Internet Explorer Speech API 4 COM Object Instantiation Buffer Overflow Vulnerability.

Lightning Lightning Lightning A new Storm (aka Nuwar, Tibs) email variant has started circulating.  

This virus family can generate significant volumes of SPAM with URLs that can automatically download and install malware

ISC: Riding out yet Another Storm Wave
http://isc.sans.org/diary.html?storyid=3063

quote:

Email Sadly you won't need a surf board for this one. Just to give you a heads up, there is a new round of emails with malicious links that is making its way to the inbox of many folks.  If you haven't gotten one yet, just give it time.



 VERY LIMITED PROTECTION: AV vendors are adding this new variant Lightning

========================
SAMPLE OF EMAIL MESSAGE
========================
Subject: You've received a postcard from a family member!
Message: May have following text with hostile URLs
--------
OPTION 1
--------
Click on the following Internet address or copy & paste it into your browser's address box.  <URL removed>
--------
OPTION 2
--------
Copy & paste the ecard number in the "View Your Card" box at <URL removed>

  Below are both positive and negative security speculations regarding Apple's new iPhone.  Until, this product emerges with more details, it's too early to truly evaluate security in both the home and corporate environments. 

Any popular wireless device with Internet access and built-in data storage could become a target.  In personally beta testing Apple's new Safari for Windows browser, I have seen them fix security issues expediently.  Hopefully, a secure architecture has been designed into these new devices. 

Still, folks purchasing this device should "think security" (and I'm hopeful that Apple has done that as well in it's design). We should know more next week.

The pros and cons of iPhone security
http://news.com.com/2008-1029_3-6193430.html

quote:

Overall, Mehta thinks the iPhone's security will be better than other smart phones on the market, and he credits the lack of a software developer kit (SDK) from Apple as a definite positive. The absence of an SDK will make writing malware much more challenging, he said, and inexperienced criminals will be scared off. "It doesn't make it impossible," Mehta said, "just harder." Mehta thinks the iPhone will attract a more sophisticated criminal who's attracted to the challenge of hacking a complex system. Also, with Symbian OS-enabled phones currently occupying 40 to 50 percent of the world market, most petty thieves will still be drawn to the lower-hanging fruit.



Analysts: iPhone Has Neither Security nor Relevance
http://www.eweek.com/article2/0,1759,2149610,00.asp

quote:

The iPhone won't go on sale until June 29. Up until now, and probably until it hits retail shelves, Apple has given next to nil information regarding the security features its first smart phone will have, making security analysis little better than conjecture. The few pieces of security background analysts have to go on include these tidbits: 1) The iPhone will run on Mac OS X and 2) the iPhone will run Apple's Safari browser.



Is The iPhone Insecure?
http://www.forbes.com/security/2007/06/19/iphone-security-risk-tech-security-cx_ag_0619iphonesecurity.html

quote:

The iPhone is capable of many of the same smart phone applications as business devices like Research In Motion's (nasdaq: RIMM - news - people ) BlackBerries. But unlike BlackBerries, Storms says, iPhones are unlikely to have a remote "lock and wipe" function that erases the device's data in the event that it's lost. The phone will use an operating system and a Web browser that have already been available in some form for years, so hackers will have a head start in finding entry points to exploit even before the phone is released. And the iPhone's "closed" operating system makes it impossible to install protection software from security companies like McAfee or Symantec.



The iPhone - Our new Security Nightmare
http://blog.ncircle.com/blogs/sync/archives/2007/06/the_iphone_our_new_security_ni.html

quote:

Questions for Apple regarding the iPhone:

  • Is data encrypted while in transit?
  • Is data encrypted on the device?
  • Is data encrypted on removable memory?
  • Is data removed if the device hasn't checked in centrally, hasn't received a policy update within a time window or if battery power is too low?
  • Is there S/MIME support?
  • Is there PGP support?
  • Are there electromagnetic analysis countermeasures?
  • Are there DRM applications? (Ability to read, but not forward data)
  • Is there user authentication by means of password, passphrase or smart card?
  • Does the device automatically lock and requires authentication to unlock?
  • Are the encryption keys stored on the devices and are they also encrypted?
  • Do the network devices have firewalls?
  • Are the network interfaces disabled by default and does the user has ability to disable at will?
  • Is there the ability to remotely lock and disable the device?
  • Is there the ability to remotely wipe and backup data?
  • Is there the ability to centrally develop and enforce policy settings?
  • Is there centralized reporting of all device events - calls made, data transferred, usage statistics?
  • As I use Excel extensively at work.  About a month ago, I discovered this free forum that allows you to ask questions and get answers by experts.  I've learned so much recently, that previously labourious research and financial reconcilation in Excel have been made much easier and enjoyable (e.g., Pivoting Tables, Advanced Formulas, Table matching, etc). 

    The Forum posts are also mapped to the microsoft.public.excel.* newsgroups 

     http://www.excelforum.com/showthread.php?t=584092

    This new threat requires the popular Japanese archive utility Lhaca to be installed in order to associate the extension and capitalize on the vulnerability.  This may be need to be added to the blocking lists where it is pertinent. 

    LhDropper - uses LHZ archive file extension
    http://www.symantec.com/enterprise/security_response/weblog/2007/06/beware_of_lzh.html
    http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-062506-5500-99

    QUOTE: Trojan.Lhdropper is a Trojan horse that drops malicious files by exploiting a vulnerability in Lhaca, a freeware application that can compress and decompress LZH archive files.

    Computer  I liked this new set of security guidelines recently shared in the DSL forums.  This is educational and provides an excellent set of best practices for home users.

     QUOTE:

    How to Secure (and Keep Secure) My (New) Computer(s): A Layered Approach: (#8463)

    This may not have been sensitive content, but still any compromises to a sensitive site should be evaluated and prevented in the future.

    Pentagon e-mail system hacked
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025442
    http://www.defenselink.mil/transcripts/transcript.aspx?transcriptid=3996

    QUOTE: A hacker infiltrated the e-mail system at the Pentagon, forcing Defense Department officials to take about 1,500 unclassified e-mail accounts offline this week.

    Users should be careful with any of these files found in email (or potentially posted in an untrusted website). Most likely the virus is an EXE and prepends to each infected damaging dozens or even hundreds of files that may be on the hard drive.  Please be careful with all attachments and stay up-to-date on AV protection.   McAfee, Microsoft, Kapersky, Sanda, Sophos, and others have protection now. 

    W32/Zaflen.a - Infects DOC, RTF, JPG, GIF, and PNG files
    http://vil.nai.com/vil/content/v_142474.htm

    QUOTE: This detection is for a parasitic file infector, which infects the files with extensions "doc, rtf, jpg, gif and png" by prepending itself to these files. This also uses a mass mailing component for spreading via e-mail.  It searches all drives for these file types and changes the icon of the infected files to M.S.Word icon and the extension to scr or exe. It also appends 35 bytes to the end of file along with the extension of the original file.

    Aliases: Worm.Win32.VB.gr  (Kaspersky) Worm:Win32/Zaflen.A@mm  (Microsoft) W32.SillyFDC  (Symantec) W32/Nedro.C.worm  (Panda) W32/Lovelet-AD  (Sophos)

    This list of questions is comprehensive in examining HIPAA controls which was used to help safeguard the confidentiality of patient medical records.  They also provide an excellent list for an company to inspect their controls whether they are in the health insurance profession or not.  Many of these questions are common for IT controls or possibly SOX audits as well. 

    HIPAA audit: The 42 questions HHS might ask
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025253

    QUOTE:   June 19, 2007  (Computerworld) -- In March, Atlanta's Piedmont Hospital became the first institution in the country to be audited for compliance with the security rules of the Health Insurance Portability and Accountability Act (HIPAA).  The audit was conducted by the office of the inspector general at the U.S. Department of Health and Human Service (HHS) and is being seen by some in the health care industry as a precursor of similar audits to come at other institutions.

      PART ONE - HIPAA AUDIT QUESTIONS

       1. Establishing and terminating users' access to systems housing electronic patient health information (ePHI).
       2. Emergency access to electronic information systems.
       3. Inactive computer sessions (periods of inactivity).
       4. Recording and examining activity in information systems that contain or use ePHI.
       5. Risk assessments and analyses of relevant information systems that house or process ePHI data.
       6. Employee violations (sanctions).
       7. Electronically transmitting ePHI.
       8. Preventing, detecting, containing and correcting security violations (incident reports).
       9. Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports.
      10. Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
      11. Monitoring systems and the network, including a listing of all network perimeter devices, i.e. firewalls and routers.
      12. Physical access to electronic information systems and the facility in which they are housed.
      13. Establishing security access controls; (what types of security access controls are currently implemented or installed in hospitals' databases that house ePHI data?).
      14. Remote access activity i.e. network infrastructure, platform, access servers, authentication, and encryption software.
      15. Internet usage.
      16. Wireless security (transmission and usage).
      17. Firewalls, routers and switches.
      18. Maintenance and repairs of hardware, walls, doors, and locks in sensitive areas.
      19. Terminating an electronic session and encrypting and decrypting ePHI.
      20. Transmitting ePHI.
      21. Password and server configurations.
      22. Anti-virus software.
      23. Network remote access.
      24. Computer patch management.


      PART TWO - HIPAA AUDIT QUESTIONS

       1. Please provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI.
       2. Please provide a list of terminated employees.
       3. Please provide a list of all new hires.
       4. Please provide a list of encryption mechanisms use for ePHI.
       5. Please provide a list of authentication methods used to identify users authorized to access ePHI.
       6. Please provide a list of outsourced individuals and contractors with access to ePHI data, if applicable. Please include a copy of the contract for these individuals.
       7. Please provide a list of transmission methods used to transmit ePHI over an electronic communications network.
       8. Please provide organizational charts that include names and titles for the management information system and information system security departments.
       9. Please provide entity wide security program plans (e.g System Security Plan).
      10. Please provide a list of all users with access to ePHI data. Please identify each user's access rights and privileges.
      11. Please provide a list of systems administrators, backup operators and users.
      12. Please include a list of antivirus servers, installed, including their versions.
      13. Please provide a list of software used to manage and control access to the Internet.
      14. Please provide the antivirus software used for desktop and other devices, including their versions.
      15. Please provide a list of users with remote access capabilities.
      16. Please provide a list of database security requirements and settings.
      17. Please provide a list of all Primary Domain Controllers (PDC) and servers (including Unix, Apple, Linux and Windows). Please identify whether these servers are used for processing, maintaining, updating, and sorting ePHI.
      18. Please provide a list of authentication approaches used to verify a person has been authorized for specific access privileges to information and information systems.

    Numerous web site attacks have occurred, particularly in Europe    Web site administrators should ensure their security and infrastructure software is up-to-date and lock down PHP security appropriately.  

    Massive MPACK Compromise
    http://isc.sans.org/diary.html?storyid=2991

    QUOTE: MPACK is a tool that was first discovered in December of 2006 by Panda Labs.  Its an PHP based application designed to run on a server.  With it comes several different exploits (you can buy new ones to add on) which can be used to compromise a user's system based on what they are running.  There are different methods to get a user to access the compromised server.  One of the more popular methods being used right now is an IFRAME.  Websites are compromised and IFRAMES are placed on the sites pointing to the MPACK server. Another interesting characteristic of this tool is the fact it has a database backend. Right now its being reported by Websense that there are over 10,000 compromised systems all with IFRAMES pointing to the MPACK server.

      For more information:

    WebSense - Shows chart of countries impacted
    http://www.websense.com/securitylabs/alerts/alert.php?AlertID=782

    Panda Labs - Analysis of Current Attacks
    http://blogs.pandasoftware.com/blogs/pandalabs/archive/2007/05/11/MPack-uncovered_2100_.aspx

    Panda Labs - DETAILED REPORT (28 Pages - PDF)
    http://blogs.pandasoftware.com/blogs/images/PandaLabs/2007/05/11/MPack.pdf

    McAfee Detection of MPACK hacking tool
    http://secunia.com/virus_information/39351/htool-mpack/
    http://vil.nai.com/vil/content/v_142501.htm

    QUOTE: MPack is a Web Attack Tool which we are seeing deployed in wild on a few web servers. This tool is an application designed to serve malicious content to users accessing compromised websites. We have seen several thousands of website URLs that are compromised and have a hidden IFRAME inserted to redirect unsuspecting users to malicious site hosting the MPack toolkit. The toolkit stores statistical information like Geo Location, Browser Type and Operating System info relating to users accessing bait websites.

    Numerous tips on functionality and security can be found in this 10 page article:

    Infoweek Vista Guide Chapter 15 - How to use Internet Explorer 7

     

     

    Email The ISC is reporting that executives are being selected and sent email with malicious agents embedded in WORD documents.  While AV scanners can detect these, a narrowly targeted attack may be well tested by the senders to ensure it gets past AV software.  Additionally, many companies may not be blocking either ZIP or DOC based attachments.

    Person Corporate executives would always be concerned over any "official looking" email from the IRS, Better Business Bureau, Federal Trade Commission, etc.   The well socially engineered attack is not prevelant in-the-wild, but it is a growing concern.  The main goal could be to gain confidential information, passwords, or even scam the company potentially. 

    Lightning All untrusted documents or web links must be avoided.  Malware authors can copy true HTML from the website (or email) and create a document appears genuine in every respect.  Sometimes they can't spell and that's a clue, but lately many items I've seen are very official looking. 

    Cake PERSONAL EXAMPLE: I recently received in my bulk mail filters, a hallmark greeting card invitation that was so authentic, that I felt it was truly a congratulatory e-card from a friend.  Having developed web pages for over a decade, I explored the underlying code.  Everything was geniune, except for the main link with pointed to a numerical IP address.  There was also a malicious POSTCARD.EXE downloader trojan horse as part of the web address.  I closed out of the HTML edit session and browser and deleted this one immediately.  

    Idea RECOMMENDATION: As a counter-measure, everyone should cross-check email messages from the IRS, government authorities, banks, credit card agencies, stockbrokers, billing entities, software vendors, etc. directly by phone or otherwise.  Never take action on an email message alone and always be very careful to avoid any attachment or web links that might be present in unexpected or suspicious documents.   

    Corporate Executives targeted in Focused Security Attacks
    http://isc.sans.org/diary.html?storyid=2979

    QUOTE: This is another word “document” with a malicious embedded object similar to the BBB, IRS, FTC and other targeted trojan “documents”.  A word of caution: Do NOT open strange documents or run untrusted binaries on a machine you don’t wish to format and reinstall the OS on!

    More Posts Next page »