January 2008 - Posts

As noted in this post, scammers are attempting to trick individuals during the tax season into revealing sensitive information so that it can be misused to invade their privacy or commit fraud.  Never act on a request that claims to come from the IRS, banks, or other agencies based solely on an email message.  Always verify such requests with the source first.

The HTML and other aspects of this email look legitimate, but these messages are fake and should be deleted.

From: "Internal Revenue Service U.S.A" <refund@usa.gov>
Subject: Important Message From IRS
Date: Thu, 31 Jan 2008


After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $93.60. Please submit the tax refund request and allow us 6-9 days in order to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

To access your tax refund online, please click here (Malicious Numeric IP address in URL Removed)

Internal Revenue Service



As we enter a new tax reporting season, scammers are already trying to take advantage of individuals.  Be careful with all such email messages: they appear authentic, but the IRS never contacts taxpayers in that manner.
Phone scammers are also asking for Social Security numbers and other private information that the IRS would already have on file anyway.  If people share sensitive information, identity thieves can use it to impersonate the victim and obtain money.  Always check any request for information with the source when in doubt.
Tis the Season for Tax Return Scams

QUOTE: A new wave of "phishing" e-mails making the rounds, claiming to be from the IRS, may be the work of scammers trying to capitalize on an economic stimulus package under consideration by Congress, an IRS spokesman said Monday.

"The IRS never sends unsolicited initial e-mails," IRS spokesman Bill Steiner said. Nor does it ever ask for detailed personal and financial information, personal identification numbers, passwords or similar access information for credit cards, banks or other financial accounts, the men said.

Phone scammers are also manipulating individuals

QUOTE: Scammers, pretending to be IRS agents, are calling unsuspecting people, asking for Social Security numbers and other personal information so a refund check can be sent.

IRS Warning and Recommendations

QUOTE: A new variation of the refund scheme may be directed toward organizations that distribute funds to other organizations or individuals. In an attempt to seem legitimate, the scam e-mail claims to be sent by, and contains the name and supposed signature of, the Director of the IRS Exempt Organizations area of the IRS. The e-mail asks recipients to click on a link to access a form for a tax refund. In reality, taxpayers claim their tax refunds through the filing of an annual tax return, not a separate application form.

RECOMMENDATION: These e-mail messages can be forwarded to: phishing@irs.gov
Tax Notification
Internal Revenue Service (IRS)

United States Department of the Treasury
Date:  01/28/2008
After the last annual calculations of your fiscal
activity we have determined that you are eligible
to receive a tax refund of $134.80.

Please submit the tax refund request and allow us
6-9 days in order to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying
after the deadline.

To access the form for your tax refund, click here


Internal Revenue Service
Document Reference: (92054568).


Firefox users should watch for an important update that addresses a serious security vulnerability.  The Mozilla Foundation has escalated the severity of a serious security vulnerability, and version 2.0.12 will be pushed out soon, according to the developers' blog.  Most users will update automatically to the latest version when it becomes available.

Mozilla ups unpatched Firefox flaw to high severity

* The chrome library protocol handling issue is proof-of-concept only (no in-the-wild attacks noted so far)

* An attacker can use this vulnerability to collect session information, including session cookies and session history.

* Firefox 2.0.12 is being prioritized and will be pushed out soon  


* Firefox is not vulnerable by default; however, many users install add-ins that are affected (long list in the link below)

Firefox Vulnerable Add-ins

* The most current version and release information can be obtained at:

Mozilla Firefox Home Page

During the past two years, we have gradually moved from computer virus attacks to more uniquely packaged trojan horse attacks that are being massively spammed.  For example, the Storm worm is highly polymorphic and can change its signature pattern (as measured by MD5 hash totals) on an hourly basis.  AV vendors are struggling to handle these constantly changing conditions, as a unique malware agent can be created for each spam run.

Over Five Million unique malware types were created in 2007

QUOTE: Experts at AV-Test, an independent testing organization, also reported skyrocketing incidence of malware yesterday. After a detailed count, the organization said it identified nearly 5.5 million different malware files in 2007 -- more than five times as many as in 2006.

Year / number of unique samples (by MD5) - note these are yearly counts, not cumulative
1985 564
1986 910
1987 389
1988 1,738
1989 2,604
1990 9,044
1991 18,384
1992 36,822
1993 12,287
1994 28,613
1995 15,988
1996 36,816
1997 137,716
1998 177,615
1999 98,428
2000 176,329
2001 155,528
2002 199,049
2003 178,825
2004 142,321
2005 333,425
2006 972,606
2007 5,490,960

What are MD5 Hash Totals?
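To make the MD5 point concrete, here is an added example (not code from the original post) using a constructed toy "family": a packer rewrites junk bytes every run, so every run yields a new MD5 and a hash blocklist built from earlier runs misses it, while a pattern on the invariant core bytes still matches. The CORE bytes, make_variant and evaluate are all constructed for this illustration.

```python
import hashlib

# Constructed stand-in for a malware family's invariant payload. Real
# families differ; the point is only that some bytes survive repacking.
CORE = b"\x55\x89\xe5" + b"connect-c2;relay-spam;"


def make_variant(run_id: int) -> bytes:
    """Build the sample for one spam run: same core, different junk."""
    junk = run_id.to_bytes(4, "big") * 8      # per-run filler the packer rewrites
    return junk + CORE + bytes([run_id % 256])


def md5_of(sample: bytes) -> str:
    """The 'MD5 hash total' that unique-sample counts are based on."""
    return hashlib.md5(sample).hexdigest()


def md5_blocklist_hit(sample: bytes, blocklist: set) -> bool:
    """Hash-based detection: only exact, previously seen files match."""
    return md5_of(sample) in blocklist


def core_signature_hit(sample: bytes) -> bool:
    """Byte-pattern detection on the part the repacker does not change."""
    return CORE in sample


def evaluate(n_runs: int, known_runs) -> dict:
    """Compare both approaches across n_runs hourly repacks, with a hash
    blocklist built only from the runs the lab has already analysed."""
    blocklist = {md5_of(make_variant(r)) for r in known_runs}
    samples = [make_variant(r) for r in range(n_runs)]
    return {
        "unique_md5": len({md5_of(s) for s in samples}),
        "md5_detected": sum(md5_blocklist_hit(s, blocklist) for s in samples),
        "core_detected": sum(core_signature_hit(s) for s in samples),
    }


if __name__ == "__main__":
    # 24 hourly runs; the lab has only seen the first one.
    print(evaluate(24, known_runs=[0]))
```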

During January 2007, one of Europe's worst winter storms was used as a lure to get people to view a "news release" circulated by email.  While the headlines were legitimate, many individuals who followed them were infected and joined a new P2P-based botnet that featured fast-flux server techniques (in which clients and servers change roles so rapidly that the true master servers cannot be found).

While most malware attacks recirculate older techniques or ideas, the Nuwar malware authors have been innovative in some technical aspects of the design (e.g., fast-flux servers, rootkit infections, a P2P-based botnet, etc.).  Each Storm worm attack should be carefully watched, including e-card attacks that may surface around Valentine's Day or other holidays later this year.

Thanks to Microsoft's MSRT tool, which is part of the Patch Tuesday updates, the size of the botnet has been reduced as thousands of PCs have been cleaned.  Still, it is expected that the Storm worm will remain active for the foreseeable future.

Storm Worm - Launched one year ago

Storm Worm overview

QUOTE: The Storm Worm malware (more properly known as a Trojan) strain first surfaced on 17 January 2007, in emails attempting to trick users into visiting maliciously-constructed websites under the guise of messages offering information about the storms ravaging Europe at the time.

Compromised machines, however they are infected, become zombie clients under the control of hackers. The Storm Worm was the first botnet client to be based on a peer-to-peer (P2P) command and control protocol, an approach that makes networks of compromised PCs far more difficult to shut down. Over the last year, the Storm Worm has infected millions of Windows machines around the world.

The Storm worm, with its fast-flux server techniques, and other malware are abusing the 5-day grace period associated with registering a new domain name.  Based on recent trends, millions of domain names are being allocated and then deleted each month.  This is why people need to be careful about visiting questionable sites that use numeric IP addresses or unusual names.


QUOTE: When a registrar registers a domain name, there is a five-day Add Grace Period (AGP) where he may cancel his request and receive a full credit for the registration fee from the registry. This trend has been gaining popularity since mid 2005, and although it was originally set up for avoiding mistakes, the practice now is frequently abused.

Beside the fact that some domainers use it to track names with a high potential to generate traffic and thus pay-per-click revenues, people who use the fast-flux and rockphish techniques, which we have already discussed here in detail, now use it in proportions that would be interesting to measure. Domain Tasting involves registering names only to release them very quickly and without paying for them. This practice exploded in 2007, and an incredible number of temporary domain names, having definitely been used to carry out malicious activities, were deleted at the end of this add-grace period.


If confirmed, this represents the greatest fraud by a single individual of all time. The key issues were too much trust and a lack of checks and balances. While most people are ethical and trustworthy, companies always need compensating controls that "trust but verify" that all is going well.
Most likely, large financial institutions will be looking at their controls even more closely after this scandal. This includes improving classical audit controls such as separation of duties, checks and balances, and authority levels. These controls also help detect and prevent accidental errors.
 French bank blames trader for $7 billion fraud
 Societe Generale to seek new capital; swindle is one of history’s biggest
QUOTE: PARIS - French bank Societe Generale said Thursday it has uncovered a $7.14 billion fraud — one of history’s biggest — by a single futures trader who orchestrated a series of bogus transactions. The fraud destabilized a major bank already exposed to the subprime crisis. France’s second largest bank by market value said it must seek 5.5 billion euros ($8.02 billion) in new capital, and the chief executive offered to resign.
 The trader at SocGen was responsible for basic futures hedging on European equity market indices, the company said, making bets on how the markets would perform at a future date. Futures trading began with selling commodities like sugar or oil to be delivered at a specified date. The practice has expanded enormously in recent years to include extremely complex financial instruments, but the company statement said the trader was involved in the more basic forms of hedging.
 If confirmed, the fraud would far outstrip the Nick Leeson trading scandal in 1995 that bankrupted British bank Barings. Barings collapsed after Leeson, the bank’s Singapore general manager of futures trading, lost 860 million pounds — then worth $1.38 billion — on Asian futures markets, wiping out the bank’s cash reserves. The company had been in business for more than 230 years.

As previously noted, a new Valentine's theme emerged from the Storm worm botnet last week, and copies were received as shown below. This may have been a "test run" to be repeated closer to Valentine's Day, when e-cards might be more prevalent.  No further samples have been encountered since last week. Users should avoid email attachments and links wherever possible. The Storm worm serves up advanced malware from fast-flux servers (meaning their addresses constantly change), which is difficult to detect and clean.

 Date: Thu, 17 Jan 2008 13:12:04 +0400
 From: [Sender Removed]
 To: Harry
 Subject: Words in my Heart
 You're In My Thoughts
 [Malicious URL using numeric IP address removed]
 - - - - - - - - - - - - - - - -
 Date: Thu, 17 Jan 2008 19:11:17 +0200
 From: [Sender Removed]
 To: Harry
 Subject: Eternity of Your Love
 A Dream is a Wish
 [Malicious URL using numeric IP address removed]

I started using Mozilla and Opera browsers around 2001, when I started experimenting with Linux as a secondary workstation at work, to learn more about this environment.  I started with the full Mozilla suite, which included email client capabilities.  Later in 2002, I discovered the Windows beta versions of Mozilla, including Phoenix 0.3 browser (which was installable only in a zip build configuration). Later Firefox, Thunderbird, Seamonkey, and other products emerged from developers.  The competition between Firefox and Internet Explorer has led to improvements in functionality and security for both browsers.

Below are links related to Netscape's creation of the Mozilla initiative, which later led to Mozilla becoming the leading open-source technology for web browsers. Personally, I like IE 7, Firefox 3, and Opera 9.  Hopefully, innovation and protection will continue for all these products in the future.

Happy Birthday Mozilla!

QUOTE: Let's just all thank Mozilla for the wonderful browser and market they have created.  I've always said diversity is key.  It's great that I have been to hundreds of organizations and I can honestly say that each one has had Firefox installed.  Maybe not the default browser, but at least had it installed.

January 22, 1998 -- the Beginning of Mozilla


QUOTE:  MOUNTAIN VIEW, Calif. (January 22, 1998) -- Netscape Communications Corporation (NASDAQ: NSCP) today announced bold plans to make the source code for the next generation of its highly popular Netscape Communicator client software available for free licensing on the Internet. The company plans to post the source code beginning with the first Netscape Communicator 5.0 developer release, expected by the end of the first quarter of 1998. This aggressive move will enable Netscape to harness the creative power of thousands of programmers on the Internet by incorporating their best enhancements into future versions of Netscape's software. This strategy is designed to accelerate development and free distribution by Netscape of future high-quality versions of Netscape Communicator to business customers and individuals, further seeding the market for Netscape's enterprise solutions and Netcenter business.

Unfortunately, the alarming statistics noted in this article may be true. Some system administrators or DBAs favor application stability over addressing security risks.  These security fixes may seem remote, as the firewall and other controls help keep many external risks contained.  Still, what if a relational database attack could be triggered from the inside, by a malicious agent delivered in an email message or by visiting a malicious website?  This was highlighted in today's SSWUG newsletter, and the good advice offered by the editor is also included below.

Two-thirds of Oracle DBAs don't apply security patches

QUOTE: Complexity of task makes admins not want to bother -- Oracle Corp. issues dozens of security patches every quarter, but that doesn't mean database administrators are necessarily implementing them. In fact, a good two-thirds of all Oracle DBAs appear not to be installing Oracle's security patches at all, no matter how critical the vulnerabilities may be, according to survey results from Sentrigo Inc., a Woburn, Mass.-based vendor of database security products.

SSWUG Newsletter - Two-Thirds Do Not Apply Service Packs... WHAT?!

QUOTE: I don't know if you saw it, but there is a study out in Computer World that says that 66% of Oracle DBAs don't apply service packs to their systems. I'm not about to suggest that the percentage is different for SQL Server DBAs, but if it is, or isn't - what's up with that?!

If it's true, it means that DBAs have a short attention span when it comes to remembering slammer and other issues with SQL Server that should never really have happened - things prevented by service packs, but that flourished because service packs weren't installed.

At the time, the issues revolved around the fact that testing and making sure service packs were ready for installation took a long time to deploy. Now, though, things are much better - perhaps not completely a non-issue, but better. Are we still faced with not installing service packs and updates until a system breaks? I hope this isn't the case, but I have a feeling it probably is. I think once systems go behind firewalls, get stable and function that many avoid touching them. It's the old "if it ain't broke, don't fix it."

But... it's not "right." If this is you - perhaps set up a schedule to review and deploy updates - just pick a period of time, like every 6 months, that you can use. Then, you know when that reminder comes up that you need to review the updates, get them tested and applied. Don't just ignore until it breaks, I think we're just collectively asking for trouble if we take that approach.

Users should beware of email or e-card messages with Valentine's Day themes, as these are already circulating.

Avoid these emails and stay up-to-date on AV protection.

Storm Worm - Gearing up for Valentines Day

QUOTE:  With Christmas and New Year behind us, it’s not only shops getting ready for Valentine’s Day but Nuwar (a.k.a. Storm) as well. You may receive a Valentine-themed E-mail with subject like “I Dream of you”, “For You….My Love”, “Sending You My Love”, etc. etc. and the body text prompting you to click on a typical Nuwar-style numeric IP address link.
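As an added example (not from any of the original posts), here are the checks a mail filter can apply to lures like the IRS refund message and the Storm e-cards above: a link whose host is a bare numeric IP, a link pointing outside the claimed sender's domain, and refund wording. Both messages, the 192.0.2.77 address and the assess function are constructed for this illustration.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

# Constructed message modelled on the refund lures quoted above; the
# address is from the 192.0.2.0/24 documentation range, not a real host.
SUSPECT_MESSAGE = """\
From: "Internal Revenue Service U.S.A" <refund@usa.gov>
To: harry@example.com
Subject: Important Message From IRS
Content-Type: text/html

<html><body><p>You are eligible to receive a tax refund of $93.60.
To access your tax refund online, please
<a href="http://192.0.2.77/refund/form">click here</a>.</p></body></html>
"""

# Constructed benign counterpart: the link host lies under the sender's domain.
BENIGN_MESSAGE = """\
From: IT Helpdesk <helpdesk@example.com>
To: harry@example.com
Subject: Maintenance window
Content-Type: text/plain

Details are posted at https://intranet.example.com/status for Saturday.
"""


def sender_domain(msg) -> str:
    """Domain part of the From: address (the domain the mail claims to be from)."""
    _, addr = parseaddr(msg["From"])
    return addr.rsplit("@", 1)[-1].lower()


def body_text(msg) -> str:
    """Decoded text of the HTML part if present, else the plain part."""
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_content() if part is not None else ""


def assess(raw: str) -> list:
    """Return the red flags found in one raw RFC 822 message, sorted."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    body = body_text(msg)
    flags = set()
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        try:
            ipaddress.ip_address(host)          # bare numeric IP as the host
            flags.add("numeric-ip-link")
        except ValueError:
            pass
        if host != domain and not host.endswith("." + domain):
            flags.add("link-host-outside-sender-domain")
    if "refund" in (msg["Subject"] or "").lower() or "refund" in body.lower():
        flags.add("refund-lure")                # the IRS does not email refund forms
    return sorted(flags)


if __name__ == "__main__":
    print(assess(SUSPECT_MESSAGE))
    print(assess(BENIGN_MESSAGE))
```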

This post from Sean Earp highlights 25 top blog sites found on TechNet and MSDN. I appreciate Rod Trent, My IT Forums, for highlighting this excellent resource.
 Microsoft IT Resources - Top 25 blog links on TechNet and MSDN
 TechNet - List of Top Blog Sites
 MSDN - List of Top Blog Sites

Microsoft Windows Home Server was announced during CES 2007, just over one year ago. Windows Home Server is designed as a home server operating system supporting file sharing, backup automation, and remote access. It is derived from Windows Server 2003 SP2 and requires a dedicated server PC. It offers good security and functionality for advanced home network users.

This six-page article, along with the links below, offers good advice on how to get started:

Microsoft Windows Home Server - How to get started

QUOTE: The question for you is, do you have a home network that connects several PCs, but no backups of all the important data on those PCs? The odds are you do. If so, Windows Home Server may be just the solution you need. This extremely smart server application will back up all those PCs as safely as you want, provide easy access to the files you want to share on your network (like music and media files), and even give you remote access to your files and computers across the Internet.

That may all sound too good to be true, but believe it. Windows Home Server is a great application. It does have what you might consider a downside: you have to dedicate a PC to running it. But while you might think of laying out for another computer as a problem, to Microsoft that's an opportunity. In fact, Microsoft thinks there are perhaps as many as 40 million people just like you out there, which is its estimate of the market for its Window Home Server product.

The following minimum specs are needed (it's always good to try to double these if possible):

-- 1.0 GHz Intel Pentium 3 (or equivalent) processor
-- 512 MB RAM
-- 80 GB internal hard drive as primary drive
-- 100 Mbit/s wired Ethernet
-- Bootable DVD drive
-- Display
-- Keyboard and mouse


1. Determine your needs in home networking multiple PCs together and devote a PC for the Windows Home Server environment

2. Determine backup and access usages for all computers and devices (e.g., printers) accessing this environment

3. Because Home Server has to make a wired connection to your router, the physical installation must be nearby and may be an issue if there is limited space.

4. Home Server works automatically only with Windows PCs that you can install the client software on. Linux boxes and Macs can access and save files to the server's shared folders, but Home Server won't automatically back them up.

5. The more intensively you use Home Server, the more you'll find that your network's speed can be a bottleneck. Basic 802.11b/g wireless is OK for doing backups of a couple of PCs, but if you get into using Home Server as a media server, or even backing up significant volumes of frequently changing data

6. Home Server by itself isn't a complete backup strategy. Getting your data backed up to a different computer onsite is good. Better would be to back it up offsite.

Additional resources can be found here:

Microsoft's Windows Home Server - Home Page

Microsoft's Windows Home Server - Key Features

Windows Home Server - Technet Blog Home Page

What's Hot from WinHEC - Windows Home Server

Microsoft Windows Home Server - Wikipedia information and links

F-Secure shares an analysis of how the Storm Worm botnet might be used to host a phishing attack to gain sensitive privacy or bank account information.

Storm Worm - Phishing attacks from the Botnet

QUOTE: Last night there was a phishing run. The IP address of the site was changing every second or so. The server was an active fast flux site and was hosted within a botnet.  Interestingly, when we picked out a random IP address from the list and resolved that address to other sites hosted in the past, we found something familiar (e.g., hellosanta2008 and postcards-2008).

This sounds like Storm. So somebody is now using machines infected with and controlled by Storm to run phishing scams. We haven't seen this before. October brought evidence of Storm variations using unique security keys. The unique keys will allow the botnet to be segmented allowing "space for rent". It looks as if the Storm gang is preparing to sell access to their botnet.
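An added example (not from F-Secure or the original posts) of the resolver-side view of the fast-flux behaviour described here and in the domain-tasting post above: a name answering with a different IP every second or so, spread across unrelated /24 prefixes with near-zero TTLs, stands out against a normal host. The log lines, names and thresholds are constructed for this illustration, and the prefix grouping assumes IPv4 answers.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver log (documentation-range IPs, ".example" names):
# <timestamp> <qname> <answer_ip> <ttl>
DNS_LOG = """\
2008-01-23T02:11:05 postcards-2008.example 203.0.113.5 0
2008-01-23T02:11:06 postcards-2008.example 198.51.100.17 0
2008-01-23T02:11:07 postcards-2008.example 192.0.2.201 0
2008-01-23T02:11:08 postcards-2008.example 203.0.113.88 0
2008-01-23T02:11:09 postcards-2008.example 198.51.100.9 0
2008-01-23T02:11:10 postcards-2008.example 192.0.2.33 0
2008-01-23T02:11:05 www.example.org 192.0.2.10 3600
2008-01-23T02:11:40 www.example.org 192.0.2.10 3600
2008-01-23T02:12:15 www.example.org 192.0.2.11 3600
"""


def parse_log(text: str) -> dict:
    """Group answers per name: set of IPs, set of /24 prefixes, minimum TTL."""
    stats = defaultdict(lambda: {"ips": set(), "prefixes": set(), "min_ttl": None})
    for line in text.splitlines():
        if not line.strip():
            continue
        _, qname, ip, ttl = line.split()
        entry = stats[qname.lower()]
        addr = ipaddress.ip_address(ip)
        entry["ips"].add(str(addr))
        # Unrelated /24s hint at many compromised home PCs rather than one hoster.
        entry["prefixes"].add(str(ipaddress.ip_network(f"{addr}/24", strict=False)))
        ttl = int(ttl)
        entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
    return dict(stats)


def flux_candidates(stats: dict, min_ips=5, min_prefixes=3, max_ttl=300) -> list:
    """Names whose answers churn across many unrelated prefixes with tiny TTLs."""
    out = []
    for qname, e in stats.items():
        churning = len(e["ips"]) >= min_ips and len(e["prefixes"]) >= min_prefixes
        if churning and e["min_ttl"] <= max_ttl:
            out.append(qname)
    return sorted(out)


if __name__ == "__main__":
    print(flux_candidates(parse_log(DNS_LOG)))
```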

I've been using SQL Server since it came out in 1994, and the SSWUG community, of which I've been a member for years, is an excellent resource.  In today's newsletter, they are highlighting a major new attack that may have affected up to 70,000 servers and 94,000 unique web addresses.  It is vital to stay up-to-date on patches and AV protection.  More importantly, the use of firewalls, web security techniques, and security testing are all important in ensuring these malicious injection attacks are properly blocked.

SSWUG.ORG Newsletter - (SQL-Server Users Group)

QUOTE: Injection again ... I don't know if you've seen the reports, but there is a "mass attack" (my term) that has been going on with an automated SQL Injection engine of sorts that's out looking to find login and registration systems, then attempt SQL injection against the site. 

What's unique about this is that it's a very broad attack, not a hacker trying to breach a system on a system-by-system basis as has traditionally been the case.  This means that to turn this thing loose on all types of sites is "just" a matter of replicating the engine and letting it run amuck.  You can see that this could be a (rather successful) test brute-force approach to trying out just about every other attack that has, to-date at least, been based on a person doing the work.  Traditional injection is about interpreting results, seeing what's returned by the site or application and tweaking your approach.  With this approach - a forced and automated one - the possibility for coming in on multiple attack vectors simultaneously is very possible.

If you're not testing your systems, I highly recommend you consider it.  There are some solid tools and services out there that can help you learn a lot about what vulnerabilities you may have, and they generally help you understand both how they work and how to prevent them.  With this go-round on the hacker attacks on injection, I've seen reports of as many as 70,000 servers infected.  That's a big number and the infections are not passive - they're malicious injection of javascript code.  Take the steps now to learn what can be done to and for your systems.

Additional links are noted below:

Mass exploits with SQL Injection

QUOTE: It turned out that there is an automated script or a bot exploiting SQL injection attacks in vulnerable web applications. I remembered that I saw the very same attack appearing back in November last year but it was not this wide spread – it appears that the attacker improved the crawling/attacking function of his bot so he managed to compromise more web sites.

Mass hack infects tens of thousands of sites

QUOTE: On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. "This was a pretty good mass hack," said Thompson, in a post to his blog. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared." ... However, many of those sites -- which as of this morning numbered more than 93,000, according to a quick Google search -- had not been cleaned.

Register Article

QUOTE: At time of writing, more than 94,000 URLs had been infected by the fast-moving exploit, which redirects users to the malicious domain
