February 2008 - Posts

A new series of targeted attacks has been spammed out disguised as official government business. To look more legitimate, the malware even downloads genuine PDF forms from the government site after it runs. Users should delete these messages and, above all, avoid opening the attachment, since AV detection may not be available in all cases.

More Targeted attacks - Disguised as official government emails

QUOTE: McAfee Avert Labs has seen multiple large spam runs of Spy-Agent.cf.  The attachment called complaint.zip is malicious.  Upon execution the trojan connects to malicious web sites. It also downloads legitimate PDF files probably to deceive the user that it is a legitimate application. This variant of trojan also has capability to download other trojans and malware on the system, for that it may contact the following website ...

The technique itself is not new; the concern is that AV detection is almost non-existent, so anyone who carelessly opens the attachment in these environments is unprotected.

EnergyMech IRC Bot - ported to Mac, Linux, and FreeBSD

QUOTE: Yesterday I received samples of an IRC bot. This in itself would be nothing interesting except the fact that the archive contained binaries for FreeBSD and Mac (Darwin, ppc). After initial analysis I found out that it's nothing special – just a port of a well known IRC bot called EnergyMech. The most interesting thing was that the attacker compiled it for FreeBSD and Mac. This probably didn't require any extra effort though since it compiles out of the box on FreeBSD and Linux anyway.

Security forums are a valuable resource for emerging developments, best practices, and technical assistance in cleaning malware infections.  CastleCops is one of the more established forums, now celebrating its 6th year.  Its PIRT team provides a public service in capturing and fighting phishing attacks, and the site is a valuable participant in the security community.

Mobile devices like the iPhone or Windows Mobile Pocket PC should be checked periodically for updates, and AV protection may also be worthwhile. More importantly, users should be careful about the sites they visit and, in particular, about any new software they install, since this trojan was spread inside otherwise legitimate installers.

WinCE/InfoJack - New Trojan impacts Windows Mobile PocketPC

QUOTE: A Windows Mobile PocketPC trojan that disables Windows Mobile application installation security has been discovered in China. WinCE/InfoJack sends the infected device’s serial number, operating system and other information to the author of the trojan. It also leaves the infected mobile device vulnerable by allowing silent installation of malware. The trojan modifies the infected device’s security setting to allow unsigned applications to be installed without a warning. The trojan was packed inside a number of legitimate installation files and distributed widely. It has been distributed with Google Maps, applications for stock trading, and a collection of games.

There is speculation among some of the technology watch groups that the first beta of IE 8 may be released in the near future.  IE 8 will feature improved compliance with industry standards, including passing the Acid2 test. This new browser will be interesting to both test and explore when it debuts.

IE 8 Beta 1 may be offered to developers soon

QUOTE: According to the invitation, Microsoft is planning to make IE 8 Beta 1 available to the general public, as well. But before that happens, an invitation-only test program will be conducted. The invitation describes IE 8 Beta 1 being focused on developers.

IE 8 Beta - Passes Acid2 test

QUOTE: As a team, we’ve spent the last year heads down working hard on IE8. Last week, we achieved an important milestone that should interest web developers.

Watch Microsoft's IE blog for official news.


It is always beneficial when standards and best approaches are shared between vendors, as security, interoperability, and efficiency all improve.

Microsoft Announcement - Offers greater interoperability with 3rd parties

QUOTE: Microsoft today announced a set of broad-reaching changes to its technology and business practices to increase the openness of its products and drive greater interoperability, opportunity and choice. These changes are codified into four new interoperability principles and corresponding actions: 1) ensuring open connections; 2) promoting data portability; 3) enhancing support for industry standards; and 4) fostering more open engagement with customers and the industry, including open source communities.

This is a case about a hacker who stole sensitive pre-announcement information from a company with weak security controls.  He then bet that the stock price would tumble and made close to $300,000 in the process.  The court ruled in his favor, allowing him to keep the money, and since he is in Ukraine he probably won't be prosecuted.

I feel the judge made an error in evaluating the case.  Most likely the ruling was based on the wording, rather than the spirit, of the law.  Whether sensitive stock valuation information is shared or stolen in an unauthorized manner, it still violates laws applicable to insider trading. The SEC should strengthen the applicable wording to prevent recurrences in the future.

SEC loses insider trading computer hacking case

Based on ZDNet lab tests, Vista SP1 provides equal and in some cases better performance than Windows XP SP2. Benchmarking different operating systems is always tricky, as various settings may need to be adjusted to put them on an equal footing.  In earlier tests XP SP2 had a very slight advantage, so your mileage may vary, but not by enough to make performance the deciding factor in choosing an OS.

Vista SP1 versus XP SP2 performance benchmarks

QUOTE: The first rule of benchmarking is: Your mileage may vary. On Ed Bott's test bed, with one exception, Vista SP1 was consistently as fast as or faster than XP SP2. Why the difference from Adrian Kingsley-Hughes' experience? Ed has a few theories.

Earlier tests

Based on testing and extrapolation of spam sampling results, this new 35,000-member botnet may be generating up to 30% of the spam sent world-wide. The Storm Worm still has far more spam-producing capacity, but it can fall into periods of silence under the control of its operators. This botnet should be followed closely, as it is most likely in second place for world-wide spam generation.

Ozdok/Mega-D Botnet - May be generating 30% of all spam world-wide

QUOTE: Last week the TRACE research team at Marshal put forth some statistics regarding spam activity from botnets. The statistics pointed to a botnet dubbed "Mega-D" as the new leader of the spambot pack, spewing 32% of the world's spam according to Marshal's spamtraps. This set off a firestorm of speculation: what family of malware was behind this previously unknown botnet? How had it emerged to challenge Storm with hardly a mention in any research articles or press?

Based on the number of bots connecting to mail servers we monitor, we estimate that Mega-D consists of around 35,000 infected machines worldwide. This is a very strong botnet, but hardly a challenger to Storm. Even though Storm has waned to around 85,000 bots, it still holds far more spamming capacity.

Most AV vendors currently detect the Ozdok bot.

Companies should perform vulnerability assessments and penetration tests on a regular basis.  Quarterly testing is a valuable practice for IT security professionals to assess weaknesses in the security defenses. There is also significant educational value, as security team members increase their knowledge and can better protect the company's information assets.

A vulnerability assessment is a broad survey of the network, the systems on it, and the human and procedural controls around them, looking for design weaknesses in the security architecture and ranking them by risk.  A penetration test goes a step further: it uses scanning tools and manual techniques to find exploitable weaknesses in the technical safeguards and then actually attempts to exploit them, to show what an attacker could reach.

Many basic security concerns can be checked with commercial and even freely available scanning tools.  Annually, a more comprehensive test can be performed by an external consulting firm that specializes in this work.  Companies that do not evaluate or test their controls can be surprised by unexpected weaknesses (e.g., test servers left with default settings, admins not completely locking down servers, etc.).
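As an added example, not part of the original post and not any vendor's tool, the script below shows the kind of check a quarterly self-assessment can automate: a TCP connect scan of a host compared against an approved-ports baseline, so that a forgotten test service or a server that was never fully locked down shows up as an "unexpected" listener rather than being lost in a list of open ports. To run offline it opens its own throwaway listener on 127.0.0.1 to stand in for the stray service; the host, the candidate port list and the baseline are assumptions for illustration.

```python
import socket
from contextlib import closing


def tcp_port_open(host, port, timeout=0.5):
    """Return True if a TCP connect() to host:port completes, i.e. something is listening."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:  # refused, timed out, or unreachable
            return False


def audit_host(host, candidate_ports, approved_ports, timeout=0.5):
    """Scan candidate_ports on host and compare the result with the approved baseline.

    Returns a report with three lists:
      open       - everything found listening
      unexpected - listening but not in the baseline (close it or document an exception)
      missing    - in the baseline but not listening (an expected service is down)
    """
    open_ports = {p for p in candidate_ports if tcp_port_open(host, p, timeout)}
    approved = set(approved_ports)
    return {
        "open": sorted(open_ports),
        "unexpected": sorted(open_ports - approved),
        "missing": sorted(approved - open_ports),
    }


def free_port(host="127.0.0.1"):
    """Ask the kernel for an unused port and release it, giving a port known to be closed."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo():
    """Stand up a throwaway listener (the 'forgotten test service') and audit the host.

    Constructed scenario (assumption for the example): the baseline approves only
    expected_port, where nothing is actually listening, while stray_port is
    listening but was never approved.
    """
    stray = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    stray.bind(("127.0.0.1", 0))
    stray.listen(5)  # the kernel completes handshakes into the backlog; no accept() needed
    stray_port = stray.getsockname()[1]
    expected_port = free_port()
    try:
        report = audit_host("127.0.0.1", [stray_port, expected_port], [expected_port])
    finally:
        stray.close()
    return stray_port, expected_port, report


if __name__ == "__main__":
    stray_port, expected_port, report = demo()
    print(f"listener on {stray_port}, baseline expects {expected_port}")
    for key in ("open", "unexpected", "missing"):
        print(f"{key:>10}: {report[key]}")
```

The useful output is the diff, not the raw port list: "open" on its own says nothing until it is compared with what the inventory says should be open. On a real assessment the same comparison is run against an authoritative asset inventory and a full port range (nmap is the usual scanner), and only against systems you are authorized to test.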

Doing an audit/pentest or other assessment?

QUOTE: Audit, Security Assessments, Penetration testing and its little sister vulnerability scanning are useful tools to get an idea of the weaknesses in your network.  It is important enough for standards such as PCI-DSS, ISO/IEC 27001, SOX and others to insist on it and many governments around the world insist on it for their agencies.

What is Network Penetration Testing?

Network Penetration Testing - Best Practices

Malware authors are attempting to trick people with this disguised email message, currently circulating during the election season.

Virus found in Hillary Clinton video circulating by email 

QUOTE: Malware is being distributed disguised as a video of her. First, an e-mail with the subject line "Hillary Clinton Full Video !!!" arrives advertising a video of her speaking to supporters in Virginia. The link goes through a redirect on Google (a common technique these days) and downloads a file mpg.exe, a trojan downloader which downloads a file named inst241.exe. This file is detected by Symantec as Trojan.Srizbi. So far the volume appears to be low.

Trojan.Srizbi Description

The Mozilla Foundation has released the third beta of Firefox 3, which contains new security and functional features. This beta is mainly intended for testers and IT professionals rather than general users.  In early testing it has been reliable, performs well, and is a significant improvement over the second beta.

Firefox Version 3 Beta 3 - New Security and Functional Features emerge

QUOTE: With the release today of Beta 3 of Firefox 3, we are definitely getting closer to the final release of Mozilla's open-source Web browser. But for a third beta, this version of Firefox 3 includes some fairly significant changes from the previous betas, including changes to the main user interface of the browser.

New features and changes in this milestone that require feedback include:

-- Improved security features such as: better presentation of website identity and security including support for Extended Validation (EV) SSL certificates, malware protection, stricter SSL error pages, anti-virus integration in the download manager.

-- Improved ease of use through: easier add-on discovery and installation, improved download manager search and progress indication in the status bar, resumable downloading, full page zoom, and better integration with Windows Vista, Mac OS X and Linux.

-- Richer personalization through: one-click bookmarking, smart bookmark folders, location bar that uses an algorithm based on site visit recency and frequency (called “frecency”) to provide better matches against your history and bookmarks for URLs and page titles, ability to register web applications as protocol handlers, and better customization of download actions for file types.

-- Improved platform features such as: new graphics and font rendering architecture, JavaScript 1.8, major changes to the HTML rendering engine to provide better CSS, float-, and table layout support, native web page form controls, colour profile management, and offline application support.

-- Performance improvements such as: better data reliability for user profiles, architectural improvements to speed up page rendering, over 350 memory leak fixes, a new XPCOM cycle collector to reduce entire classes of leaks, and reductions in the memory footprint.

Firefox download site for all world-wide versions

After some "test runs" in early February, new waves of the Storm worm are surfacing with Valentine's Day themes. The spammed messages are designed to lure recipients to malicious websites; the lures use raw numeric IP addresses and lack the personalization one would find in a genuine e-card sent at this time of year.

If the EXE file hosted on the website is opened, the malware installs silently on the system. This wave is poorly detected by AV products, as the malware binary is automatically rebuilt every hour.

Avoid these emails completely, so you don't end up broken-hearted on Valentine's Day.

Storm Worm - Valentine's Day e-card attacks

QUOTE: With Valentine’s Day coming this week, we have seen a new wave of Nuwar spamming this Monday evening, amounting to more than 20 variants in a couple of hours. Detection for these variants from major AV vendors was near nonexistent, as the Nuwar writer is using a new compiler this time to bypass detection.

While we saw the Valentine’s day campaign start in January, it’s morphed. This time using the following approaches (some old, some new)

 -- raw IP addresses in the spam lures
 -- the filename is now “valentine.exe”, using a redirect and a clickable link
 -- much more simple HTML websites
 -- subjects include “Blind Love”, “Just You” and other warm fuzzy subjects
 -- rapidly changing MD5 hashes
 -- poor AV detection

 Subject: Sweetest Things Aren't Things!
 Date: Mon, 11 Feb 2008 13:13:58 +0900
 To: Susan
 Text: Love Poem: (Malicious Numeric IP address removed)
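As an added example that is not part of the original post or of any quoted vendor's tooling, the script below turns the indicators from two lures on this page, the complaint.zip attachment carrying a trojan and the Valentine's lure linking a raw numeric IP address to valentine.exe, into a mail-gateway triage check. Because signatures lag behind a binary that is rebuilt every hour, it ignores hashes and keys on the structure of the lure instead: URLs whose host is a bare IPv4 address, links or attachments pointing at executables, and zip attachments that contain an executable. The three sample messages, the addresses and the 192.0.2.10 / 203.0.113.5 hosts (documentation address ranges) are constructed for the example.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Host part and optional path of an http(s) URL; the host group may still carry user@ and :port.
URL_RE = re.compile(r"https?://([^\s/<>\"']+)(/[^\s<>\"']*)?", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def suspicious_urls(text):
    """Flag links that use a raw IP host and/or point at an executable file."""
    findings = []
    for m in URL_RE.finditer(text):
        host, path = m.group(1), m.group(2) or ""
        host = host.split("@")[-1].split(":")[0]  # strip user@ and :port
        reasons = []
        if IPV4_RE.match(host):
            reasons.append("raw-ip-host")
        if path.lower().rstrip(".,;)").endswith(EXEC_EXT):
            reasons.append("executable-link")
        if reasons:
            findings.append((m.group(0), reasons))
    return findings


def suspicious_attachments(msg):
    """Flag executable attachments and zip archives that hide an executable inside."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(EXEC_EXT):
            findings.append((name, ["executable-attachment"]))
        elif name.endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    inner = [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
            except zipfile.BadZipFile:
                findings.append((name, ["unreadable-zip"]))
                continue
            if inner:
                findings.append((name, ["zip-contains-executable:" + ",".join(inner)]))
    return findings


def triage(raw):
    """Parse one raw message and decide whether to deliver or quarantine it."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = suspicious_urls(text)
    attachments = suspicious_attachments(msg)
    return {
        "subject": str(msg["subject"]),
        "urls": urls,
        "attachments": attachments,
        "verdict": "quarantine" if (urls or attachments) else "deliver",
    }


def build_samples():
    """Constructed messages modelled on the lures described above (not real captures)."""
    valentine = EmailMessage()
    valentine["Subject"] = "Sweetest Things Aren't Things!"
    valentine["From"] = "cupid@example.net"
    valentine["To"] = "susan@example.com"
    valentine.set_content("Love Poem: http://192.0.2.10/valentine.exe\n")

    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("complaint.exe", b"MZ placeholder, not a real program")
    complaint = EmailMessage()
    complaint["Subject"] = "Complaint filed against your business"
    complaint["From"] = "no-reply@example.org"
    complaint["To"] = "owner@example.com"
    complaint.set_content("The attached complaint requires your response.")
    complaint.add_attachment(archive.getvalue(), maintype="application",
                             subtype="zip", filename="complaint.zip")

    benign = EmailMessage()
    benign["Subject"] = "Quarterly report"
    benign["From"] = "finance@example.com"
    benign["To"] = "owner@example.com"
    benign.set_content("The report is at https://www.example.com/reports/q1.pdf")

    return [m.as_bytes() for m in (valentine, complaint, benign)]


if __name__ == "__main__":
    for raw in build_samples():
        r = triage(raw)
        print(f"{r['verdict']:>10}  {r['subject']!r}  urls={r['urls']}  attachments={r['attachments']}")
```

A gateway rule of this shape catches every hourly repack of the Valentine's lure because the part the sender cannot easily change, a numeric host and an .exe target, is what it keys on; it is not a substitute for AV, but it works while the signatures are still catching up. Expect some false positives on internal mail that legitimately links to IP-addressed hosts, which is why the result is a quarantine rather than a silent drop.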

Below are several links related to Vista SP1 that can help in planning for this important update once it becomes more widely available.

Vista Blog - RTM announcements

Vista SP1 - FAQ

Vista SP1 - The promised performance gains are here

Vista SP1 - Rolls up 551 bug fixes

Microsoft Vista SP1 - Notable changes

Microsoft Vista SP1 - Release notes

Microsoft - Vista Home Page

Overview of Windows Vista Service Pack 1

When will SP1 be available?

* Mid-March: Release to Windows Update (in English, French, Spanish, German and Japanese) and to the download center on microsoft.com.
* Mid-April: Begin delivery to Windows Vista customers who have chosen to have updates downloaded automatically.
* April: Remaining languages RTM.

There is a "bumper crop" of important security updates for Windows, Office, and IE this month.   I've installed these at work and so far so good.  The ISC link should be monitored for any developments, such as exploits or installation issues, related to these important updates.

Microsoft is releasing the following eleven new security bulletins for newly discovered vulnerabilities:

Bulletin Number: MS08-003
Maximum Severity: Important
Affected Products: Windows 2000, Windows XP, Windows Server 2003
Impact: Denial of Service

Bulletin Number: MS08-004
Maximum Severity: Important
Affected Products: Windows Vista
Impact: Denial of Service

Bulletin Number: MS08-005
Maximum Severity: Important
Affected Products: Windows 2000, Windows XP, Windows Server 2003,
 Windows Vista
Impact: Elevation of Privilege

Bulletin Number: MS08-006
Maximum Severity: Important
Affected Products: Windows XP, Windows Server 2003
Impact: Remote Code Execution

Bulletin Number: MS08-007
Maximum Severity: Critical
Affected Products: Windows XP, Windows Server 2003, Windows Vista
Impact: Remote Code Execution

Bulletin Number: MS08-008
Maximum Severity: Critical
Affected Products: Windows 2000, Windows XP, Windows Server 2003,
 Windows Vista, Office 2004 for Mac, and Visual Basic 6.0
Impact: Remote Code Execution

Bulletin Number: MS08-009
Maximum Severity: Critical
Affected Products: Office 2000 SP3, Office XP SP3, Office 2003 SP2
Impact: Remote Code Execution

Bulletin Number: MS08-010
Maximum Severity: Critical
Affected Products: All IE on Windows 2000, Windows XP, Windows Server
 2003, and Windows Vista
Impact: Remote Code Execution

Bulletin Number: MS08-011
Maximum Severity: Important
Affected Products: Office 2003 SP2, Office 2003 SP3, Works 8.0, and
 Works Suite 2005
Impact: Remote Code Execution

Bulletin Number: MS08-012
Maximum Severity: Critical
Affected Products: Office 2000 SP3, Office XP SP3, and Office 2003 SP2
Impact: Remote Code Execution

Bulletin Number: MS08-013
Maximum Severity: Critical
Affected Products: Office 2000 SP3, Office XP SP3, and Office 2003 SP2,
 Office 2004 for Mac
Impact: Remote Code Execution
