October 2007 - Posts
This 1.4M PowerPoint presentation contains 60 slides and was recently referenced in the Sunbelt and John Levine blogs.
http://weblog.johnlevine.com/Email/storm.html
http://sunbeltblog.blogspot.com/2007/10/good-preso-on-storm.html
EXCELLENT Powerpoint Presentation - Download Link
http://noh.ucsd.edu/~bmenrigh/exposing_storm.ppt
QUOTE: Last weekend, Brandon Enright of UC San Diego gave an informal talk at the Toorcon conference in which he reported on his analysis of the Storm botnet. According to his quite informative slides, Storm has evolved quite a lot over the past year, with both upgrades to the underlying engine and a variety of applications, most of which involve sending spam.
This interesting finding shows how malware can slip past antivirus scanners when they process web pages whose embedded HTML scripts have been padded with zero bytes.
A000n0000 0000O000l00d00 0I000E000 00T0r0000i0000c000k
http://blog.didierstevens.com/2007/10/23/a000n0000-0000o000l00d00-0i000e000-00t0r0000i0000c000k/
http://it.slashdot.org/article.pl?sid=07/10/29/1747237
QUOTE: When I found a malicious script riddled with 0x00 bytes, SANS handler Bojan Zdrnja explained to me that this was an old trick. When rendering an HTML page, Internet Explorer will ignore all zero-bytes (bytes with value zero, 0x00). Malware authors use this to obscure their scripts. But this old trick still packs a punch.
When I remove all obscuring zero-bytes from this script, things get better: 25 out of 32 AV products detect it. But what happens when I add more zero-bytes to the script? Even more AV are fooled! Gradually adding more zero-bytes makes the detection ratio go down.
And at 254 zero-bytes between the individual characters of the script, McAfee VirusScan is the only AV to still detect this obscured script. One byte more (255 zero-bytes), and VirusScan doesn’t detect the script anymore. No AV on VirusTotal detects this malware obscured with 255 zero-bytes (or more). But for IE, this obscured HTML poses no problem, it still renders the page and executes the script.
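As an added illustration (not code from Didier Stevens' post), the Python below rebuilds the zero-byte padding on a constructed, harmless script and compares a naive byte-matching scanner with one that normalises the same way IE renders, by dropping every 0x00 before matching; the signature, sample script and ratio threshold are all constructed for the demonstration.

```python
"""Added example: zero-byte padding versus a normalising scanner."""

# Constructed, benign stand-in for the malicious script discussed on the page.
SAMPLE_SCRIPT = b"<script>document.write('hello')</script>"
# Constructed signature for a toy scanner; real AV signatures are more involved.
SIGNATURE = b"document.write("


def pad_with_nulls(data: bytes, n: int) -> bytes:
    """Insert n zero bytes between every pair of adjacent bytes (the obscuring
    the post describes), so a scanner test corpus can be built offline."""
    if n <= 0:
        return data
    return (b"\x00" * n).join(bytes([b]) for b in data)


def strip_nulls(data: bytes) -> bytes:
    """Normalise like IE's renderer: zero bytes are simply ignored."""
    return data.replace(b"\x00", b"")


def naive_scan(data: bytes) -> bool:
    """Matches the raw bytes; a single 0x00 inside the signature defeats it."""
    return SIGNATURE in data


def normalised_scan(data: bytes) -> bool:
    """Matches after normalisation; immune to any amount of zero padding."""
    return SIGNATURE in strip_nulls(data)


def null_ratio(data: bytes) -> float:
    """Share of 0x00 bytes; HTML/script content should contain almost none."""
    return data.count(b"\x00") / len(data) if data else 0.0


def verdict(data: bytes, ratio_threshold: float = 0.2) -> dict:
    """Combine signature-after-normalisation with a padding heuristic."""
    return {
        "naive_hit": naive_scan(data),
        "normalised_hit": normalised_scan(data),
        "null_ratio": round(null_ratio(data), 3),
        "padding_suspicious": null_ratio(data) > ratio_threshold,
    }


if __name__ == "__main__":
    for n in (0, 1, 254, 255, 1000):  # pad counts the post walks through
        print(n, verdict(pad_with_nulls(SAMPLE_SCRIPT, n)))
```

The naive matcher already loses the signature at one zero byte, while the normalised matcher holds at 255 and beyond; the ratio check catches the padding itself even before any signature is known.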
Websense has warned of a new HTML based e-card in the Spanish language. It is designed to load a Trojan horse that can steal banking account credentials from the infected PC. More threats could potentially emerge, so please be careful out there.
New Halloween e-card threats
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=813
Sample e-card from Websense
http://www.websense.com/securitylabs/images/alerts/halloween2007.png
QUOTE: Websense® Security Labs™ has discovered a new Trojan Horse information stealer that is being emailed out as a Halloween Greeting Card in Mexico. To date we have seen four unique sites being spammed out all with the same binary file. They were in Korea, Brazil, and Russia, and were all up and running at the time of this alert. The file is called "hallowenDay.exe". It is also poorly detected by anti-virus signatures.
Assuming users access the site and choose to run the file, a Trojan Horse is downloaded onto their machine which is designed to steal banking information from users. The file appears to also be packed with a unique custom packer. We expect to see additional email lures and malicious websites on our radar with Halloween night quickly approaching. The email is written in HTML and has a variety of subject lines.
This chart shows that rootkits, botnets, and other advanced attacks have doubled during the past year. Because these are actual infections, it signifies that malware authors are using improved social engineering tactics and technical innovations (e.g., massive spam attacks, crafted exploits) to slip malware through defense systems.
This finding illustrates that it is more important than ever to keep security protection up-to-date and to exercise caution with email, IM, and website visits.
Trend Micro reports 200% increase in Severe Malware Infections
http://blog.trendmicro.com/200-growth-in-severe-malware-infections/
QUOTE: An infections graph released by the Trend Micro Threat Analytics shows that the growth in severe malware infections grew 200% throughout 2007.
Please be very cautious with any PDF files received in email messages. If you use Adobe Reader, it is very important to move to the latest version, 8.1.1, and to keep AV protection updated.
Malicious PDF files being spammed out in volume
http://www.f-secure.com/weblog/archives/00001303.html
http://www.f-secure.com/v-descs/exploit_w32_adobereader_k.shtml
http://www.avertlabs.com/research/blog/index.php/2007/10/24/pdf-mailto-exploit-seen-in-wild-today/
http://blogs.zdnet.com/security/?p=614
http://www.microsoft.com/technet/security/advisory/943521.mspx
QUOTE: Malicious PDF file (report.pdf or debt.2007.pdf or overdraft.2007.10.26.pdf or so) has been massively spammed through email during the last hour and the spam run is still continuing. The PDF is spiced with CVE-2007-5020 exploit that downloads ms32.exe that downloads more components. At this point it's not clear yet what is the final payload of the malware, because of missing files in the download chain. We are investigating further.
The subjects for the spam messages include:
Your credit report
Your credit points
Your balance report
Personal Financial Statement
Personal Credit Points
Personal Balance Report
Your Credit File
Balance Report
The Storm worm botnet is so well protected that its central servers and malware authors have remained anonymous. Besides using ever-changing fast-flux servers, the Storm worm client can launch a DDoS attack if researchers try to reverse engineer the code to determine how it works.
Storm worm strikes back if researchers attempt to discover its origin
http://www.networkworld.com/news/2007/102407-storm-worm-security.html
The Storm worm is fighting back against security researchers that seek to destroy it and has them running scared, Interop New York show attendees heard Tuesday. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them, shutting down their Internet access for days, says Josh Corman, host-protection architect for IBM/ISS, who led a session on network threats.
A recently discovered capability of Storm is its ability to interrupt applications as they boot up and either shut them down or allow them to appear to boot, but disable them. Users will see that, say, antivirus is turned on, but it isn't scanning for viruses, or as Corman puts it, it is brain-dead. "It's running, but it's not doing anything."

October is Cyber-Security Month, and CIO Magazine has published some excellent articles:
Who's Stealing Your Passwords? Global Hackers Create a New Online Crime Economy
http://www.cio.com/article/print/135500
Hacker Economics 2: The Conspiracy of Apathy
http://www.cio.com/article/print/135550
Hacker Economics 3: MPACK and the Next Wave of Malware
http://www.cio.com/article/print/135551
A Layman's Glossary of Malware Terms
http://www.cio.com/article/print/135453
How Gozi's First Second Unfolds
http://www.cio.com/article/print/135451
Death by iFrame
http://www.cio.com/article/print/135452
The RealPlayer security patch was issued promptly by the vendor and should be applied without delay.
Real Player - Security Release for critical ActiveX vulnerability
http://secunia.com/advisories/27248/
Solution - Apply patch for RealPlayer 10.5 and 11 beta:
http://service.real.com/realplayer/security/191007_player/en/securitydb.rnx
When cleaning Storm worm infections, note that the file names have changed for newer variants, so the most up-to-date standalone cleaner should be used.
Storm Worm - Now infects PC with different file names
http://www.avertlabs.com/research/blog/index.php/2007/10/21/nuwar-new-file-names/
QUOTE: We all know that the Nuwar aka Storm gang has been continuously changing their spam email text, download sites, executables, network traffic patterns etc in their efforts to penetrate through the security defenses at various layers, all throughout this year. I had a chance to briefly look at a 'fresh' Nuwar sample this weekend. It is interesting that they have now also changed the names of files Nuwar drops. It now drops noskrnl.exe, noskrnl.sys and noskrnl.config instead of Spooldr.exe, Spooldr.sys, and Spooldr.ini correspondingly. It also tried to actively propagate by copying itself to the floppy drive, which is new.
This site is one of my favorite links for locating malware cleaning facilities:
GREAT SITE FOR FREE VIRUS REMOVAL TOOLS
(see links on left top side -- "Free Protection and Removal Tools")
http://www.virusintel.com/tiki-index.php
A new zero-day RealPlayer exploit is reported to be actively circulating; it targets a vulnerability in an ActiveX control. RealPlayer uses the ActiveX control to extend its functionality in Internet Explorer, and a maliciously crafted web page can abuse it to install malware automatically. Users should avoid or be careful with all RealPlayer content until this is fixed. A kill bit can be set to deactivate the ActiveX control, as noted below.
Real Player - Zero Day Exploit circulating
http://www.symantec.com/enterprise/security_response/weblog/2007/10/realplayer_exploit_on_the_loos.html
http://www.avertlabs.com/research/blog/index.php/2007/10/19/realplayer-zero-day-exploit-hits-the-web/
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9043319
http://www.securityfocus.com/bid/26130
QUOTE: Attackers are exploiting a zero-day vulnerability in RealPlayer in order to infect Windows machines running Internet Explorer, Symantec Corp. said late Thursday. The security company issued an alert that rated the threat with its highest possible score. According to a warning issued to customers of its DeepSight threat network, Symantec said an ActiveX control installed by RealNetworks Inc.'s RealPlayer program is flawed. When combined with Microsoft Corp.'s Internet Explorer (IE) browser -- which relies on ActiveX controls to extend its functionality -- the bug can be exploited and malicious code downloaded to any PC that wanders to a specially crafted site.
KILLBIT CAN BE SET: The vulnerability lies in a RealPlayer ActiveX control, and can be mitigated by setting the appropriate kill bit via the registry under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
KB Article - How to set Killbit for ActiveX objects
http://support.microsoft.com/kb/240797
These email messages should be blocked or deleted if found. The advice is always misleading, and folks are better served by researching stock information on legitimate websites.
Stock spam - New MP3 version will try to talk you into it
http://www.gfi.com/news/en/mp3spam.htm
http://www.vnunet.com/vnunet/news/2201466/pump-dump-spammers-tell-users
http://www.symantec.com/enterprise/security_response/weblog/2007/10/mp3_version_of_pumpanddump_sto.html
http://www.google.com/search?hl=en&q=mp3+stock+spam
QUOTE: MP3 Version of Pump-and-Dump Stock Spam
Pump-and-dump stock spam is a classic example of sophistication and diversity of spam techniques. Recently the pump-and-dump spammers have started using mp3 files as a new method of spreading stock spam. In the latest observations we've seen an mp3 file as an attachment in the body of an email message, without any content, and the subject line usually includes "RE:", "FW:", or is sometimes just blank. The "From:" address is usually random.
Another feature of this new pump-and-dump stock attack is that the mp3 files have random names, such as the following examples:
"ciara.mp3"
"elvis.mp3"
"crazylady.mp3"
"chrisbrown.mp3"
"jillscott.mp3"
"crush.mp3"
The average file size is approximately 63.3 kb, with the garbled stock tip lasting for about 30 seconds. The audio content sounds something like the below example: "Hello, this is an Investor alert. nnnnn Inc. has announced it is ready to launch its new nnnnn.com Web site. Already a huge success in Canada, we are expecting amazing result in USA. Go read the news and hit on nnnnn that Symbol get it nnnnn Thank you"
All Firefox users should move to the latest release for improved security. Most users will be prompted to auto-update, and these security fixes should be applied as soon as possible.
Firefox 2.0.0.8 - Security Release
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.8
Mozilla Foundation Security Advisory - Fixed in Firefox 2.0.0.8
MFSA 2007-36 URIs with invalid %-encoding mishandled by Windows
MFSA 2007-35 XPCNativeWrapper pollution using Script object
MFSA 2007-34 Possible file stealing through sftp protocol
MFSA 2007-33 XUL pages can hide the window titlebar
MFSA 2007-32 File input focus stealing vulnerability
MFSA 2007-31 Browser digest authentication request splitting
MFSA 2007-30 onUnload Tailgating
MFSA 2007-29 Crashes with evidence of memory corruption
Oracle DBAs and system administrators should pilot test and quickly deploy the quarterly security updates as applicable.
Related Article
http://news.yahoo.com/s/pcworld/20071015/tc_pcworld/138431
Oracle - Quarterly Release Links
http://www.oracle.com/technology/deploy/security/alerts.htm
Oracle - October 2007 Security release details
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html
QUOTE: Oracle Corp. will release security updates for its products next week fixing 51 vulnerabilities in its products. Included in the Critical Patch Update, set to be released Tuesday, will be critical updates for the company's flagship Oracle Database.
Twenty-seven database bugs will be fixed, but five of the bugs can be "exploited over a network without the need for a username and password," Oracle said in a note on next week's patches.