Sharing Security Developments, and Best Practices for corporate and home users
October 2007 - Posts
This interesting finding shows how malware could bypass antivirus scanning when web pages containing scripts embedded in the HTML are processed.
A000n0000 0000O000l00d00 0I000E000 00T0r0000i0000c000k http://blog.didierstevens.com/2007/10/23/a000n0000-0000o000l00d00-0i000e000-00t0r0000i0000c000k/ http://it.slashdot.org/article.pl?sid=07/10/29/1747237
QUOTE: When I found a malicious script riddled with 0x00 bytes, SANS handler Bojan Zdrnja explained to me that this was an old trick. When rendering an HTML page, Internet Explorer will ignore all zero-bytes (bytes with value zero, 0x00). Malware authors use this to obscure their scripts. But this old trick still packs a punch.
When I remove all obscuring zero-bytes from this script, things get better: 25 out of 32 AV products detect it. But what happens when I add more zero-bytes to the script? Even more AV are fooled! Gradually adding more zero-bytes makes the detection ratio go down.
And at 254 zero-bytes between the individual characters of the script, McAfee VirusScan is the only AV to still detect this obscured script. One byte more (255 zero-bytes), and VirusScan doesn't detect the script anymore. No AV on VirusTotal detects this malware obscured with 255 zero-bytes (or more). But for IE, this obscured HTML poses no problem, it still renders the page and executes the script.
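The evasion described above is easy to neutralise at the scanner, provided the scanner normalises its input the same way the renderer does. The Python below is an added example written for this post, not code from Didier Stevens, SANS or VirusTotal: it pads a script with zero-bytes the way the quoted test did, shows that a naive substring signature stops matching as soon as any padding is present, and then shows that stripping 0x00 bytes before matching (mirroring what IE does when rendering) restores detection regardless of padding count. The signature string, the padding generator and the sample script are constructed for the demonstration; the NUL-ratio check is an extra indicator, since legitimate HTML essentially never contains zero-bytes.

```python
"""Added example: normalise zero-byte obfuscated HTML before signature matching.
Not code from the original post; the signature and sample script are constructed."""

NUL = b"\x00"

# Constructed demo signature; a real engine would carry many such patterns.
DEMO_SIGNATURE = b"eval(unescape("


def insert_nul_padding(script: bytes, count: int) -> bytes:
    """Constructed test-input generator: put `count` NUL bytes between every
    pair of characters, mimicking the obscured script described in the post."""
    if count <= 0:
        return script
    return (NUL * count).join(bytes([b]) for b in script)


def normalize_like_ie(html: bytes) -> bytes:
    """IE drops every 0x00 byte when rendering; do the same before scanning so
    the scanner sees exactly what the browser will execute."""
    return html.replace(NUL, b"")


def nul_ratio(data: bytes) -> float:
    """Fraction of NUL bytes in the document. Legitimate HTML essentially never
    contains them, so a non-zero ratio is itself a useful indicator."""
    return data.count(0) / len(data) if data else 0.0


def naive_match(html: bytes, sig: bytes = DEMO_SIGNATURE) -> bool:
    """Plain substring match on the raw bytes (what the fooled scanners did)."""
    return sig in html


def normalized_match(html: bytes, sig: bytes = DEMO_SIGNATURE) -> bool:
    """Substring match after stripping the bytes the renderer ignores."""
    return sig in normalize_like_ie(html)


def detection_table(script: bytes, paddings=(0, 1, 254, 255, 1000)) -> dict:
    """Run both matchers across padding sizes.
    Returns {padding_count: (naive_hit, normalized_hit)}."""
    table = {}
    for n in paddings:
        padded = insert_nul_padding(script, n)
        table[n] = (naive_match(padded), normalized_match(padded))
    return table


if __name__ == "__main__":
    # Constructed sample page containing the demo signature.
    sample = b"<script>" + DEMO_SIGNATURE + b"'%75%72%6C'))</script>"
    for n, (naive, norm) in detection_table(sample).items():
        padded = insert_nul_padding(sample, n)
        print(f"{n:5d} NULs between chars: naive={naive!s:5} "
              f"normalized={norm!s:5} nul_ratio={nul_ratio(padded):.3f}")
```

The point of the table is that the naive matcher fails at one zero-byte of padding, not at 255; the 254/255 threshold in the quoted test reflects how far particular products' own normalisation went, and a scanner that strips NULs before matching has no such threshold.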
Websense has warned of a new HTML based e-card in the Spanish language. It is designed to load a Trojan horse that can steal banking account credentials from the infected PC. More threats could potentially emerge, so please be careful out there.
New Halloween e-card threats http://www.websense.com/securitylabs/alerts/alert.php?AlertID=813
Sample e-card from Websense http://www.websense.com/securitylabs/images/alerts/halloween2007.png
QUOTE: Websense® Security Labs™ has discovered a new Trojan Horse information stealer that is being emailed out as a Halloween Greeting Card in Mexico. To date we have seen four unique sites being spammed out all with the same binary file. They were in Korea, Brazil, and Russia, and were all up and running at the time of this alert. The file is called "hallowenDay.exe". It is also poorly detected by anti-virus signatures.
Assuming users access the site and select to run the file, a Trojan Horse is downloaded onto their machine which is designed to steal banking information from users; the file appears to also be packed with a unique custom packer. We expect to see additional email lures and malicious websites on our radar with Halloween night quickly approaching. The email is written in HTML and has a variety of subject lines.
This chart shows that rootkits, botnets, and other advanced attacks have increased two-fold during the past year. Because these are actual infections, the figure indicates that malware authors are using improved social engineering tactics and technical innovations to slip malware through defense systems (e.g., massive spam attacks, crafted exploits, etc.).
This finding illustrates that it is more important than ever to stay up-to-date with security protection and to exercise caution in email, IM, and website visits.
Trend Micro reports 200% increase in Severe Malware Infections http://blog.trendmicro.com/200-growth-in-severe-malware-infections/
QUOTE: An infection graph released by the Trend Micro Threat Analytics shows that the growth in severe malware infections grew 200% throughout 2007.
The Storm worm botnet is so well protected that its central servers and malware authors have remained anonymous. Besides using ever-changing fast-flux servers, the Storm worm client can launch a DDoS attack against researchers who try to reverse engineer the code to determine how it works.
Storm worm strikes back if researchers attempt to discover its origin http://www.networkworld.com/news/2007/102407-storm-worm-security.html
QUOTE: The Storm worm is fighting back against security researchers that seek to destroy it and has them running scared, Interop New York show attendees heard Tuesday. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says Josh Corman, host-protection architect for IBM/ISS, who led a session on network threats.
A recently discovered capability of Storm is its ability to interrupt applications as they boot up and either shut them down or allow them to appear to boot, but disable them. Users will see that, say, antivirus is turned on, but it isn't scanning for viruses, or as Corman puts it, it is brain-dead. "It's running, but it's not doing anything."
October is Cyber-Security month and CIO Magazine has published some excellent articles:
Who's Stealing Your Passwords? Global Hackers Create a New Online Crime Economy
http://www.cio.com/article/print/135500
Hacker Economics 2: The Conspiracy of Apathy
http://www.cio.com/article/print/135550
Hacker Economics 3: MPACK and the Next Wave of Malware
http://www.cio.com/article/print/135551
A Layman's Glossary of Malware Terms
http://www.cio.com/article/print/135453
How Gozi's First Second Unfolds
http://www.cio.com/article/print/135451
Death by iFrame
http://www.cio.com/article/print/135452
Newer Storm worm variants drop files under different names, so when cleaning Storm worm infections the most up-to-date standalone cleaner should be used.
Storm Worm - Now infects PC with different file names http://www.avertlabs.com/research/blog/index.php/2007/10/21/nuwar-new-file-names/
QUOTE: We all know that the Nuwar aka Storm gang has been continuously changing their spam email text, download sites, executables, network traffic patterns etc. in their efforts to penetrate through the security defenses at various layers, all throughout this year. I had a chance to briefly look at a 'fresh' Nuwar sample this weekend. It is interesting that they have now also changed the names of files Nuwar drops. It now drops noskrnl.exe, noskrnl.sys and noskrnl.config instead of Spooldr.exe, Spooldr.sys, and Spooldr.ini correspondingly. It also tried to actively propagate by copying itself to the floppy drive, which is new.
This site is one of my favorite links for locating malware cleaning facilities:
GREAT SITE FOR FREE VIRUS REMOVAL TOOLS (see links on left top side -- "Free Protection and Removal Tools") http://www.virusintel.com/tiki-index.php
These email messages should be blocked or deleted if found. The advice is always misleading and folks are better served by researching stock information on legitimate websites.
Stock spam - New MP3 version will try to talk you into it
http://www.gfi.com/news/en/mp3spam.htm
http://www.vnunet.com/vnunet/news/2201466/pump-dump-spammers-tell-users
http://www.symantec.com/enterprise/security_response/weblog/2007/10/mp3_version_of_pumpanddump_sto.html
http://www.google.com/search?hl=en&q=mp3+stock+spam
QUOTE: MP3 Version of Pump-and-Dump Stock Spam
Pump-and-dump stock spam is a classic example of the sophistication and diversity of spam techniques. Recently the pump-and-dump spammers have started using mp3 files as a new method of spreading stock spam. In the latest observations we've seen an mp3 file as an attachment in the body of an email message – without any content – and the subject line usually includes "RE:", "FW:", or is sometimes just blank. The "From:" address is usually random.
Another feature of this new pump-and-dump stock attack is that the mp3 files have random names, such as the following examples:
"ciara.mp3"
"elvis.mp3"
"crazylady.mp3"
"chrisbrown.mp3"
"jillscott.mp3"
"crush.mp3"
The average file size is approximately 63.3 kb, with the garbled stock tip lasting for about 30 seconds. The audio content sounds something like the below example: "Hello, this is an Investor alert. nnnnn Inc. has announced it is ready to launch its new nnnnn.com Web site. Already a huge success in Canada, we are expecting amazing result in USA. Go read the news and hit on nnnnn that Symbol get it nnnnn Thank you"
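As an added example (not code from Symantec, GFI or vnunet), the Python mail filter below scores a message against the traits the alert lists: an MP3 attachment, an empty message body, and a blank or bare "RE:"/"FW:" subject line. It uses only the standard library `email` package. The two sample messages, the score weights and the threshold are constructed for the demonstration; the second sample shows why the traits are combined rather than blocking on the attachment type alone, since a legitimate forwarded recording would otherwise be dropped.

```python
"""Added example: heuristic scoring for MP3 pump-and-dump stock spam.
Not code from the quoted alert; samples and weights are constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject is blank, or is just "RE:" / "FW:" / "FWD:" with nothing after it.
BARE_SUBJECT_RE = re.compile(r"^\s*((re|fw|fwd)\s*:?\s*)?$", re.IGNORECASE)
MP3_TYPES = ("audio/mpeg", "audio/mp3")


def mp3_attachments(msg: EmailMessage) -> list:
    """Return the filenames (may be empty strings) of attachments that look like MP3 audio."""
    names = []
    # A non-multipart message whose whole payload is audio has no
    # sub-parts, so handle it before iter_attachments().
    if not msg.is_multipart():
        if msg.get_content_type() in MP3_TYPES:
            names.append(msg.get_filename() or "")
        return names
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".mp3") or part.get_content_type() in MP3_TYPES:
            names.append(name)
    return names


def body_is_empty(msg: EmailMessage) -> bool:
    """True when there is no text body at all, or it is only whitespace."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or not body.get_content().strip()


def score_message(raw: str):
    """Parse one RFC 822 message and return (score, reasons)."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []
    mp3s = mp3_attachments(msg)
    if mp3s:
        score += 2
        reasons.append("mp3 attachment: " + ", ".join(n or "<unnamed>" for n in mp3s))
    if body_is_empty(msg):
        score += 1
        reasons.append("empty body")
    if BARE_SUBJECT_RE.match(str(msg.get("Subject", ""))):
        score += 1
        reasons.append("blank or bare RE:/FW: subject")
    return score, reasons


def is_mp3_stock_spam(raw: str, threshold: int = 3) -> bool:
    """Constructed threshold: attachment alone (2) is not enough; it must be
    paired with an empty body or a bare subject."""
    return score_message(raw)[0] >= threshold


# Constructed sample: the pattern the alert describes (bare subject, no body,
# random-looking sender, mp3 attachment with a random name).
SPAM_SAMPLE = """\
From: jq8r2@example.net
To: user@example.com
Subject: RE:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: audio/mpeg; name="ciara.mp3"
Content-Disposition: attachment; filename="ciara.mp3"
Content-Transfer-Encoding: base64

SUQzAwAAAAAAAA==
--b1--
"""

# Constructed sample: a legitimate forward that also carries an mp3.
HAM_SAMPLE = """\
From: alice@example.org
To: user@example.com
Subject: FW: recording from Saturday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Here is the recording I promised you. Talk soon.
--b2
Content-Type: audio/mpeg; name="concert.mp3"
Content-Disposition: attachment; filename="concert.mp3"
Content-Transfer-Encoding: base64

SUQzAwAAAAAAAA==
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("spam sample", SPAM_SAMPLE), ("ham sample", HAM_SAMPLE)):
        score, reasons = score_message(raw)
        print(f"{label}: score={score} spam={is_mp3_stock_spam(raw)} reasons={reasons}")
```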
All Firefox users should move to the latest release for improved security. Most users will be prompted to auto-update, and these security improvements should be completed as soon as possible.
Firefox 2.0.0.8 - Security Release
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.8
Mozilla Foundation Security Advisory - Fixed in Firefox 2.0.0.8
MFSA 2007-36 URIs with invalid %-encoding mishandled by Windows
MFSA 2007-35 XPCNativeWrapper pollution using Script object
MFSA 2007-34 Possible file stealing through sftp protocol
MFSA 2007-33 XUL pages can hide the window titlebar
MFSA 2007-32 File input focus stealing vulnerability
MFSA 2007-31 Browser digest authentication request splitting
MFSA 2007-30 onUnload Tailgating
MFSA 2007-29 Crashes with evidence of memory corruption
Oracle DBAs and system administrators should pilot test and quickly deploy the quarterly security updates as applicable.
Related Article
http://news.yahoo.com/s/pcworld/20071015/tc_pcworld/138431
Oracle - Quarterly Release Links
http://www.oracle.com/technology/deploy/security/alerts.htm
Oracle - October 2007 Security release details
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html
QUOTE: Oracle Corp. will release security updates for its products next week fixing 51 vulnerabilities in its products. Included in the Critical Patch Update, set to be released Tuesday, will be critical updates for the company's flagship Oracle Database. Twenty-seven database bugs will be fixed, but five of the bugs can be "exploited over a network without the need for a username and password," Oracle said in a note on next week's patches.
Recently, we may have been in the "calm before the storm", as e-card attacks have diminished somewhat. These three blog posts point to more innovation in new attacks that could be coming soon:
Storm Worm - New encrypted packets and I-Frame injection version coming
http://www.symantec.com/enterprise/security_response/weblog/2007/10/strengthening_storm_almost_hur.html
http://www.secureworks.com/research/blog/index.php/2007/10/15/the-changing-storm/
http://blogs.pcmag.com/securitywatch/2007/10/the_gathering_storm.php
QUOTE: Strengthening Storm – Almost Hurricane? The new Storm worm variants being seen these days have yet again evolved and are gaining strength. Well, at least in encryption technology. The P2P UDP packets (made up of the header and payload) are now encrypted using a 40-byte key. As our friends at Secure Works pointed out here, this is definitely good news for network administrators who have to deal with legitimate P2P overnet traffic. The encryption is trivial and isn't the only new thing found in this variant. It seems to have some new techniques for propagation. Firstly, it is able to scan the file system and drop an executable into any folder with at least one .exe file. Secondly, the worm is able to harvest email addresses from the file system and send spam to those addresses. Lastly, it is able to search for .htm, .html, and .php files and inject malicious IFRAME code into them.
Opera browser users should upgrade to the latest version, as the following security improvements have been made.
QUOTE:
Security
- Fixed an issue where external news readers and e-mail clients could be used to execute arbitrary code, as reported by Michael A. Puls II. See our advisory.
- Fixed an issue where scripts could overwrite functions on pages from other domains. See the advisory. Issue reported to Opera by David Bloom.
Opera 9.24 for Windows is available for download
One of the most technical and in-depth analyses of the Storm Worm botnet can be found in the links below. Every new development should be watched by security professionals, as these constant attacks use convincing and innovative social engineering schemes (e.g., e-cards). Once a workstation becomes infected, it becomes a member of a botnet consisting of at least 1.6 PCs. These infections are also difficult to detect and clean, as advanced rootkit techniques are used.
Storm Worm - Comprehensive Analysis by Cyber-TA http://www.cyber-ta.org/pubs/StormWorm/ http://www.cyber-ta.org/pubs/StormWorm/report/ http://www.cyber-ta.org/pubs/StormWorm/links.html
QUOTE: Since early 2007 a new form of malware has made its presence known on the Internet by its prolific growth rate, its ability to distribute large volumes of spam, and its ability to avoid detection and eradication. Storm Worm (or W32.Peacomm, Nuwar, Tibs, Zhelatin), as it is known, is a highly prolific new generation of malware that has gained a significant foothold in unsuspecting Microsoft Windows computers across the Internet.
Storm, like all bots, distinguishes itself from other forms of malware by its ability to establish a control channel that allows its infected clients to operate as a coordinated collective, or botnet. However, even among botnets Storm has further distinguished itself by being among the first to introduce a fully P2P control channel, to utilize fast-flux to hide its binary distribution points, and to aggressively defend itself from those who would seek to reverse engineer its logic. Despite all the hype and paranoia surrounding Storm, the inner workings of this botnet largely remain a mystery.
Additional Links and Information http://en.wikipedia.org/wiki/Storm_Worm http://www.cyber-ta.org/pubs/StormWorm/links.html
Some recent discoveries have been posted showing that special strings appended to a URL may bypass some of the browser's security checking. As noted in the posts below, a URL can be crafted that bypasses the warning prompt to the user and loads an EXE file automatically. Users should continue to be careful with URLs in email, websites, etc., and keep AV protection updated.
Internet Explorer - Special URL strings may bypass security controls for EXE files http://aviv.raffon.net/2007/10/15/BackFromTheDead.aspx http://www.securityfocus.com/archive/1/482220/30/0/threaded
QUOTE: Sometimes it is nice to see old vulnerabilities come back from the dead. This time I'm referring to a vulnerability in Internet Explorer that was discovered almost 3 years ago by cyber_flash. The vulnerability allows an attacker to bypass the security download warning dialog, and display a regular save file dialog, by manipulating IE into displaying an executable file (a file with .exe extension) as a regular html file. While this vulnerability was partially patched by Microsoft in IE7, it still remained unpatched in IE6 SP2.
Administrators should carefully examine Citrix gateways and implement improved protection. This includes best practices for the Citrix client and server environment, VPN-based access only, and special handshaking trusts on port 1494 to ensure this environment is properly secured.
Government News - Lock down those Citrix gateways! http://www.gcn.com/blogs/tech/45220.html
Citrix Opens Security Holes in Military, Federal Web Sites http://www.eweek.com/article2/0,1895,2193114,00.asp
CITRIX: Owning the Legitimate Backdoor http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor/
Hacking CITRIX - the forceful way http://www.gnucitizen.org/blog/hacking-citrix-the-forceful-way/
Citrix Security Best Practices http://www.thin-world.com/nfuse.htm http://www.sessioncomputing.com/security.htm http://www.google.com/search?hl=en&q=citrix+security+best+practices
QUOTE: The Internet is full of wide open CITRIX gateways. This is madness! The other day I was performing some CITRIX testing, so I had a lot of fun with hacking into GUIs, which, as most of you probably know, are trivial to break into. I did play around with .ICA files as well, just to make sure that the client is not affected by some obvious client-side vulnerabilities. This exercise led me to reevaluate a great many things about ICA (Independent Computing Architecture). When querying Google and Yahoo for public .ICA files, I was presented with tons of wide open services, some of which were located on .gov and .mil domains. When available over the Internet, such configuration files offer a wealth of information to malicious hackers about the server operating environments of these gateways.
Even more troublesome is how the researcher found that, using his own Citrix client software, he was able to access many of these remotely available applications without log-in access.
eWeek covered this problem and attributed the vulnerability less to Citrix’s software itself and more to sysadmin laxness in not properly managing port 1494, the port Citrix software usually deploys to supply applications to end users. "Citrix is able to be secured, but that's like everything else in computing: the admin needs a brain," one security observer noted on a mailing list.
Office 2007 users should patch their systems in case they encounter the rare conditions that trigger this calculation error. Fortunately, the calculation results are correct, but they will be displayed incorrectly in the cell itself.
Excel 2007 - Hotfix released to correct calculation bug http://support.microsoft.com/default.aspx/kb/943075/
Excel 2007 Services - Server based release for Sharepoint environment http://support.microsoft.com/default.aspx/kb/943076/
QUOTE:
This hotfix package fixes the following issue that was not previously documented in a Microsoft Knowledge Base article:
When you perform a calculation in Excel 2007, the following behavior occurs:
• The result of the calculation is a number from 65534.99999999995 to 65535. The calculation is performed correctly. However, the result is incorrectly shown as 100000.
• The result of the calculation is a number from 65535.99999999995 to 65536. The calculation is performed correctly. However, the result is incorrectly shown as 100001.
An informative KB article was recently published which discussed some of the new controls Microsoft has implemented to protect this important account.
The changes to the built-in administrator account in Windows Vista http://support.microsoft.com/?kbid=942956
QUOTE: By default, the built-in administrator account is named Administrator. Additionally, the built-in administrator account is assigned the relative ID (RID) 500. In Windows Vista, the default user account type is a standard user. A standard user is a user who has limited account rights and limited Windows permissions. The following sections detail how the built-in administrator account has been changed to better reduce the potential attack surface of the built-in user accounts in Windows Vista.
The latest Nuwar variant continues to manipulate popular email techniques in order to further spread and increase the size of the Botnet.
Storm Worm - manipulates invite your friends to YouTube links http://msn-cnet.com.com/%27Storm-worm%27-exploits-YouTube/2100-7349_3-6212674.html
QUOTE: Spammers are exploiting YouTube's "invite your friends" function to send spam containing a variant of the "Storm worm." Bradley Anstis, director of product management at security firm Marshal, said that spammers are taking advantage of the YouTube function that lets people invite friends to view videos that they have viewed or posted. The function allows someone to e-mail any address from an account.
The YouTube help center also advises people to exclude the service@youtube.com e-mail address from spam filtering lists--a fact, Anstis said, spammers are likely aware of.
Daily, I've seen examples of a Nuwar variant that offers games as "bait" in the malicious URLs (which are all numeric in the text-based versions). Folks should avoid clicking on these links, as harmful malware can be automatically downloaded and installed on your PC.
SAMPLE OF GAME BASED VERSION OF STORM WORM BELOW
Date: Mon, 8 Oct 2007 20:23:54 -0600
From: *** EMAIL Address Removed ***
To: HARRY
Subject: dude, its free
Want to get all the games you want? Want them Free? Check us out.
*** MALICIOUS URL REMOVED ***
Apple Safari users and Windows beta testers should carefully track developments for any new releases to fix this issue.
Zero-day Flaw in Safari 3.0.03 Web Browser for Windows http://blog.trendmicro.com/zero-day-flaw-in-safari-3003-web-browser-for-windows/
QUOTE: A full disclosure report from Insecure.org refers to a flaw in Safari 3.0.3 which allows local zones to access external domains. The Safari 3 Public Beta was released on June 11 for Mac OS X and Windows XP/Vista. This beta version is for trial purposes and intended to gather feedback prior to a full release. True enough, we have found that the Safari version 3.0.3(522.15.5) Web browser for the Windows OS automatically downloads a file referred to in an IFRAME tag used on a certain site ...
Unlike IE and Firefox, which display an alert message like the one below whenever a file is about to be downloaded onto the system, this Safari version does not display any sort of notification. The flaw has potential for misuse and may become a possible source of violations of user rights against entities downloading files on a system without user consent. As of this writing, this bug has also been found to work on iPhone 1.0.2.
File infector viruses attempt to spread to all EXEs on the system by using Windows services to propagate. The Virut family is one of the more active threats circulating, and users should be cautious when handling any external EXE files on their network and avoid them entirely in email. AVERT Labs recently documented this virus family as follows:
Virut File Infector virus - an analysis by Avert Labs
http://www.avertlabs.com/research/blog/index.php/2007/10/08/w32virut-evolution-gone-wrong/
QUOTE: An upcoming new kid on the block is W32/Virut - a polymorphic entry-point obscuring virus with IRC bot functionality. Once a machine is infected, it hooks the following APIs (ZwCreateFile, ZwCreateProcess, ZwCreateProcessEx, ZwOpenFile) in ntdll.dll for all running processes, in an attempt to infect .EXE and .SCR files. It then "phones home" to a remote IRC command and control server where it can be instructed to download other malware or be used to perform DDoS attacks. W32/Virut comes with its share of buggy code and as a result it may misinfect or reinfect a significant proportion of executable files leaving them permanently corrupted beyond repair.
Virut.h - Virus Description information
http://vil.nai.com/vil/content/v_143034.htm
This phishing attack captures extensive personal and account information in "one stop" shopping for uninformed users. You had better know your genealogy well, along with providing your SSN, driver's license, bank account, credit card info, etc., in this phishing attack originating out of Denmark.
The graphics and presentation are well done from a social engineering standpoint. However, the obvious clue is the sheer amount of sensitive information requested. Continued education and emphasis are needed so that inexperienced users will avoid compromising their privacy and becoming victims of fraud.
F-Secure: How Gullible are you? http://www.f-secure.com/weblog/archives/00001288.html http://www.f-secure.com/weblog/archives/hugepaypal.gif
QUOTE: Now, take a look at the list of questions they're asking. It's quite astonishing that anybody would be gullible enough to go through the full form and type in all the required information. Like your e-mail password? Your father's day of birth? Your PIN? Then again… somebody will fall for this. Someone always does.