October 2008 - Posts

The Morris Internet worm was launched on 11/02/1988 as more of a prank than an actual attack. This first malware attack differs greatly from what we see in today's environment.

Happy 20th birthday, internet worm

QUOTE: This weekend marks the 20th anniversary of the Internet Worm, the first major worm that propagated on the Internet. Even though many years have passed and underlying media has changed, worms are still able to wreak havoc and keep system administrators up at night. Today the damage done by worms is far less visible and far less newsworthy but far more difficult to repair than in the past.

On November 2nd, 1988, Robert Tappan Morris launched an application ostensibly designed to count the number of systems on the Internet. It was designed to propagate across Unix systems by exploiting several vulnerabilities, including a conceptual flaw in how r-services (rlogin, rsh, and rexec) authenticate connections, the archaic remote debug feature in Sendmail, and a buffer overflow in the finger daemon. Due to a flaw in its design, the Worm attempted far more propagation attempts than were necessary, causing targeted machines to slow dramatically from resource starvation. Long story short, the then Mr. Morris was caught, found guilty, and sentenced to probation and community service.

Today’s worms, however, feel no need to make themselves known, and their authors don’t want to be visible. The authors want the worms to do one thing only, and that is make money. Modern worm authors will use any underlying transport mechanism that is available, eschewing operating system and programming language religious barriers maintained by more orthodox hackers.

Both of these quizzes are fun to take, and some of the results are surprising, as there are many unusual things in our world. Still, one should be careful about what they pass on to others. I scored 60% on the first quiz and 50% on the second one.

Test Urban Legend knowledge on Photos circulating (50 questions)

Test Your Urban Legends knowledge on emails circulating

Internet Hoaxes - Best Practice of not forwarding email

F-Secure is reporting a huge increase in dangerous ZIP file attachments. Multiple copies of malicious e-tickets and tracking statements have been received, and all copies should be deleted without opening any attachments or web links.

Malicious ZIP attachments increase in email

QUOTE: Over the last 48 hours we've seen a huge increase in zipped malicious email attachments being spammed. The subjects have been:

Your Tracking #xxxxxxxx (where xxxxxxx is a random number)
New Ticket #xxxxx (where xxxxx is a random number)
Accounts Operations Report
Your Statement between 1/1/08 and 10/30/08

QUOTE: The ZIP file typically contains a file that looks like a document (.DOC) but it is really an EXE, there's just a lot of whitespaces between .DOC and .EXE. Some of these ZIP files are protected by a password which makes it more likely to be allowed through an email server. The password is always in the email message so that a user can easily see it. Using email attachments has made a comeback in popularity amongst malware writers during the last few months. We detect this latest batch as variants of the Worm:W32/Autorun family.
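As an added example (not F-Secure's or this blog's own code), the following Python flags the three tricks the quote describes when a gateway or analyst inspects an attachment: an executable extension pushed out of view by whitespace after a document-looking name, an encrypted member that cannot be scanned, and a "document" whose content begins with a Windows executable header. The extension lists and the sample archive are constructed for the example.

```python
import io
import zipfile

# Constructed lists for this example: extensions Windows runs as programs, and
# extensions a recipient expects on a harmless "statement" or "ticket".
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".doc", ".pdf", ".xls", ".txt", ".rtf"}

def inspect_entry(info, zf=None):
    """Return a list of findings for one archive member (empty means nothing odd)."""
    findings = []
    base = info.filename.rsplit("/", 1)[-1]          # drop any directory part
    stem, dot, ext = base.lower().rpartition(".")
    ext = "." + ext if dot else ""
    if ext in EXECUTABLE_EXTS:
        findings.append("executable extension " + ext)
        visible = stem.rstrip()
        if visible != stem:
            # 'Statement.doc' + many spaces + '.exe': the real extension is pushed
            # out of view in most mail clients and file listings.
            findings.append("whitespace padding hides real extension")
            for d in DOCUMENT_EXTS:
                if visible.endswith(d):
                    findings.append("name displays as " + d)
                    break
    if info.flag_bits & 0x1:
        # General-purpose bit 0 set: the entry is encrypted, so a gateway cannot
        # inspect it, which is why the password is placed in the e-mail body.
        findings.append("encrypted entry")
    elif zf is not None and ext in DOCUMENT_EXTS:
        # Name claims a document: does the content start with a PE 'MZ' header?
        with zf.open(info) as fh:
            if fh.read(2) == b"MZ":
                findings.append("document name but MZ (Windows executable) header")
    return findings

def scan_zip(data):
    """Scan raw ZIP bytes; returns {member name: [findings]} for suspicious members."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            found = inspect_entry(info, zf)
            if found:
                report[info.filename] = found
    return report

def build_sample():
    """Constructed attachment mimicking the spam run described above (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Your Statement.doc" + " " * 60 + ".exe", b"MZ\x90\x00 constructed stub")
        zf.writestr("Readme.txt", b"constructed harmless text")
        zf.writestr("Invoice.doc", b"MZ\x90\x00 constructed, executable renamed to .doc")
    return buf.getvalue()
```

The encrypted case cannot be built with the standard library's writer, so it is only detectable on real archives, where the flag is read from the central directory.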

It is important to address the root cause of security issues. This new program by McAfee targets cyber-criminals and will hopefully improve Internet safety.

McAfee Initiative to Fight Cybercrime

Focus 2008 - McAfee Security Conference

QUOTE: Last week, along with 1,200 attendees from 47 countries, I was in Las Vegas at the FOCUS’08 McAfee Security Conference. On Tuesday, after the welcome session in which McAfee CEO Dave DeWalt announced, among others, the McAfee Initiative to Fight Cybercrime, I chose to hear my colleagues Toralv Dirro and Pedro Bueno present the state of cybercrime around the globe. In this session, the participants learned the actual methods used by cybercriminals: identity theft, phishing, password-stealing Trojans, virtual money laundering, and botnets.

Sunbelt has issued a warning for Win Defender 2009. Avoid any security-related pop-up unless it comes from a product installed on your PC. Use SHIFT + CTRL + ESC to invoke Task Manager and exit safely out of any unexpected pop-up, as any mouse click on it may install the malicious agent.

Win Defender 2009 - New Rogue Security Program

Win Defender 2009 - Sunbelt Behavioral Analysis

QUOTE: A Rogue Security Program is software that purports to scan and detect malware or other problems on the computer, but which attempts to dupe or badger users into purchasing the program by presenting the user with intrusive, deceptive warnings and/or false, misleading scan results. Rogue Security Programs typically use aggressive, deceptive advertising and may be installed without adequate notice and consent, often through exploits.

Most Opera users can automatically update after being prompted. The latest version can also be found in the link at the bottom. This update addresses the following issues:

Opera 9.62 Change Log

Opera Download Site

As a best practice, always resist the urge to forward unusual email messages to your friends. Controversial email topics serve as "bait" for hoaxes or for seeding malware to others. When in doubt, avoid sending these messages to others and research them more thoroughly if desired. If the email asks you to "pass this on to others", it is likely to be a hoax or to have an agenda behind it.

While a hoax may seem innocent, it can alarm your friends. It will certainly waste someone's time in reading or possibly researching the associated claims. Finally, when true information is sent out, the recipient may ignore it, thinking it's "yet another hoax".

Internet Hoaxes - Popular email myths continue to circulate

QUOTE: "These hoaxes use social engineering to trick people into doing what they otherwise wouldn't do," said Patrick Runald, chief security advisor for F-Secure, an Internet security firm. Graham Cluley, a senior security analyst with Sophos, a London-based security vendor, agreed. "The most successful hoaxes have been the ones that people had a real compulsion to forward. These things can't travel unless humans participate. And, unlike anti-virus software, we haven't found a way to upgrade the human brain," said Cluley.

Seven popular and persistent hoaxes circulating in email:
1. Save Amanda Bundy
2. Petition to Ban Religious Broadcasting
3. Bill Gates' Millions Giveaway
4. Good Times Virus
5. The Last Tourist
6. Snowball, the Giant Mutant Cat of Ontario
7. Bigfoot Captured!

Snopes - Top 25 Urban Legends

Brand New Urban Legends being circulated in email

EXCELLENT QUIZ - 50 photos (are they real or fake? - scored 60%)

Research Sites to verify unusual email claims

QUOTE: This is a Frequently Asked Questions document about the new, recently patched RPC vulnerability in Microsoft Windows. The document describes the related Trojan malware as well.

All home and corporate users should ensure they are up-to-date on Windows security patches. A Windows Update should be performed if it's not an automatic process on your system. This emergency release became available on October 23, 2008.

So far, Troj/Gimmiv.A requires social engineering and some human intervention for the malware agents to load on unpatched Windows workstation and server operating systems. Usually, this requires visiting a malicious website or a mouse click to install the malicious software.

A true worm will infect vulnerable systems that are simply connected to the Internet or a Local Area Network automatically, without any human intervention. Examples of past true worms include Code Red, Blaster, SQL Slammer and Sasser. It should also be noted that some of the early variants were buggy and less effective than the more streamlined later versions.

It is hoped that exploits related to MS08-067 will not become wormable. Still, users should not take a chance: by patching now, they will prevent infection if a wormable threat materializes later. Information on patching this security vulnerability can be found below:

Microsoft Security Bulletin - MS08-067 Information

Gimmiv.A exploits critical vulnerability (MS08-067)

QUOTE: What needs to be clarified here, is that the exploit MS08-067 used by Gimmiv.A allows remote code execution, which makes it potentially "wormable". Considering that the vector of attack is RPC DCOM and the code is similar to typical RPC DCOM network-aware worms, which is used against other hosts in the network, Gimmiv.A is determined in this post as a worm. However, it could technically be classified as a network-aware trojan that employs functionality of a typical RPC DCOM network-aware worm to attack other hosts in the network.

First Glimpse into MS08-067 Exploits In The Wild

Gimmiv - Additional Information Links

I'm hopeful to participate in future beta testing during the coming year. This article provides some of the first examples of screens in the preview version of Windows 7.

Windows 7 Revealed: 24 Screen Shots Of Microsoft's Next Operating System

Windows 7 Preview - 24 Screen Shots

QUOTE: Microsoft on Tuesday took the wraps off the preview version of Windows 7, which will be the successor to Vista. Julie Larson Green, Microsoft's vice president for Windows experience, hosted a demo in which she walked attendees through the features of the operating system.

At first glance, Windows 7 maintains the streamlined look of Vista, but appears more muted -- even Windows XP-like. Mostly, Microsoft seems to be focusing more on functionality, possibly in a bid to put some distance between Windows 7 and the criticisms which have dogged Vista.

Windows 7 Beta Due In Early 2009

Microsoft issues emergency security patch MS08-067

This is especially true if you use XP, as there is potential for WORMABLE exploits to develop that can take over vulnerable PCs without any user action (most exploits require a mouse click or other action). Blaster and Sasser are examples of past worms that could infect vulnerable systems simply by connecting them to the Internet. Thankfully, no exploits like this are currently circulating, but if there's a hole in the roof one should not wait for it to rain. Hopefully these concerns won't materialize, but it's important to always stay up-to-date on security updates.

Microsoft issues emergency security patch MS08-067

QUOTE: This security update resolves a vulnerability in the Server service that affects all currently supported versions of Windows. Windows XP and older versions are rated as “Critical” while Windows Vista and newer versions are rated as “Important”. Because the vulnerability is potentially wormable on those older versions of Windows, we’re encouraging customers to test and deploy the update as soon as possible.

His biggest fear, he said, is that a worm will be developed to take over vulnerable machines en masse. And he fully expects that to happen. "You're talking about a vulnerability that does not need user interaction," he said. "That's a gold mine if you're trying to build a botnet."

Additional articles and information

While clickjacking is not a new concept, it is gaining popularity as a technique used by malicious websites. Since an iFrame embeds one web page inside another, the approach is to create a "transparent iFrame page" that lines up exactly with the real web page being accessed. The buttons in the invisible iFrame sit on top of the buttons in the visible page, so when the user clicks a button they may allow malicious software to be loaded, or their security at the true site they were trying to access may be compromised.

The Adobe Flash player is one of the most widely installed software products in the world, as it is used with all major browsers. Adobe Flash (v9 and lower) is vulnerable to these attacks, and it is a popular method now being used to achieve clickjacking. To stay protected from this threat, users should move to Adobe Flash v10, keep AV protection updated, keep all O/S and browsers updated, and avoid risky websites.

Clickjacking - What is it?

QUOTE: Let’s use an example. You have a web page A controlled by an attacker. A contains an IFRAME element B. In a clickjack attack, B would be set to transparent and the z-index property of the layer set to higher than other elements of page A via CSS. B will also need to be so big so that the user can click its content. The attacker can then place any button to do anything he wants in B. Then the attacker can place some buttons on page A. The location of the buttons in B must match the buttons in A. So when the user clicks on a button on page A, they are actually clicking the button in B because the z-index property of B’s buttons is higher than A’s buttons. This attack uses DHTML, does not require Javascript, so disabling Javascript will not help.

This vulnerability affects multiple web browsers. Unfortunately, no patch for it is currently available, so users should be careful. The vulnerability has also been found to affect Adobe Flash Player, the most popular rich media internet application today. Adobe has released a security advisory and provided a workaround.
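As an added example, not part of the original post or of the quoted article, this Python script turns the description above into a static check on page markup: it flags an iframe that is both transparent and stacked above every element of the hosting page by z-index, the combination the attack depends on. The sample page and the parser's heuristics are constructed for the example.

```python
import re
from html.parser import HTMLParser

def parse_style(style):
    """'opacity:0; z-index: 10' -> {'opacity': '0', 'z-index': '10'}"""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            props[key.strip().lower()] = val.strip().lower()
    return props

def is_transparent(props):
    """opacity:0 (or IE's filter:alpha(opacity=0)) hides the frame yet keeps it clickable."""
    try:
        zero = float(props.get("opacity", "1")) == 0
    except ValueError:
        zero = False
    return zero or re.search(r"alpha\(\s*opacity\s*=\s*0\s*\)", props.get("filter", "")) is not None

def z_index(props):
    """Numeric z-index; 0 when absent, 'auto' or malformed."""
    try:
        return int(props.get("z-index", "0"))
    except ValueError:
        return 0

class OverlayFinder(HTMLParser):
    # Collects every iframe and the highest z-index of any non-iframe element.
    def __init__(self):
        super().__init__()
        self.iframes, self.max_host_z = [], 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        props = parse_style(a.get("style") or "")
        if tag == "iframe":
            self.iframes.append((a.get("src") or "", props))
        else:
            self.max_host_z = max(self.max_host_z, z_index(props))

def find_clickjack_overlays(html):
    """Return [(src, reason)] for iframes that are transparent AND stacked above the host's own elements."""
    finder = OverlayFinder()
    finder.feed(html)
    hits = []
    for src, props in finder.iframes:
        if is_transparent(props) and z_index(props) > finder.max_host_z:
            hits.append((src, "transparent, z-index %d above host max %d" % (z_index(props), finder.max_host_z)))
    return hits

# Constructed sample page: one visible decoy button, one invisible full-size frame, one ordinary frame.
SAMPLE = """<html><body>
<button style="position:absolute; top:120px; left:80px; z-index:1">Claim prize</button>
<iframe src="https://site.example/account" style="width:100%; height:100%; opacity:0; z-index:5"></iframe>
<iframe src="https://ads.example/banner" style="width:300px; height:250px"></iframe>
</body></html>"""
```

Only inline style attributes are inspected; styles applied through external stylesheets or script are invisible to this check, so a miss is inconclusive.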

Clickjacking - Adobe recommended workarounds (move to version 10)

This new version addresses Flash "clipboard jacking" and other recent security concerns. It is working well in early testing with XP SP3. Corporate users should carefully pilot test it with their client/server and web applications prior to rolling it out to everyone.

Adobe Flash Version 10 - Security Release Fixes Many Bugs

Adobe Flash - System Requirements

Adobe Security Advisory

Adobe Flash Version 10 - Download Page (carefully follow directions)

QUOTE: New versions of Flash Professional and the Flash Player were released today. The new Flash 10 player implements, among other new features, the ability to turn off clipboard access for Flash programs, and turns on this setting by default. This ability had recently become badly abused by malicious web sites as a cross-platform attack known as "Clipboard-Jacking." In all likelihood it has a new set of vulnerabilities as well.

This release is for experienced developers only, as with any beta offering. Pilot test only, and don't use it for production purposes.

Firefox 3.1 Beta release

US Download link

There are definitely lots of important and critical updates to Windows, IE, Office, etc. These updates should be pilot tested and deployed quickly, as some of these vulnerabilities have been exploited in the past. So far, these updates are working well at both home and work.

MS08-056: Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)
Affects: Microsoft Office XP
Link: http://www.microsoft.com/technet/security/bulletin/ms08-056.mspx 

MS08-057: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)
Affects: Microsoft Excel 2000/XP/2003/2007, Excel Viewer, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Sharepoint Server 2007, Office 2004/2008 for Mac
Link: http://www.microsoft.com/technet/security/bulletin/ms08-057.mspx 

MS08-058: Cumulative Security Update for Internet Explorer (956390)
Affects: Internet Explorer
Link: http://www.microsoft.com/technet/security/bulletin/ms08-058.mspx 

MS08-059: Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)
Affects: Host Integration Server 2000/2004/2006
Link: http://www.microsoft.com/technet/security/bulletin/ms08-059.mspx 

MS08-060: Vulnerability in Active Directory Could Allow Remote Code Execution (957280)
Affects: Windows 2000 Server
Link: http://www.microsoft.com/technet/security/bulletin/ms08-060.mspx 

MS08-061: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)
Affects: Windows 2000, XP, Server 2003, Vista, Server 2008
Link: http://www.microsoft.com/technet/security/bulletin/ms08-061.mspx 

MS08-062: Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)
Affects: Windows 2000, XP, Server 2003, Vista, Server 2008
Link: http://www.microsoft.com/technet/security/bulletin/ms08-062.mspx 

MS08-063: Vulnerability in SMB Could Allow Remote Code Execution (957095)
Affects: Windows 2000, XP, Server 2003, Vista, Server 2008
Link: http://www.microsoft.com/technet/security/bulletin/ms08-063.mspx 

MS08-064: Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)
Affects: Windows 2000, XP, Server 2003, Vista, Server 2008
Link: http://www.microsoft.com/technet/security/bulletin/ms08-064.mspx 

MS08-065: Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)
Affects: Windows 2000 Service Pack 4
Link: http://www.microsoft.com/technet/security/bulletin/ms08-065.mspx 

MS08-066: Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)
Affects: Windows XP, Server 2003
Link: http://www.microsoft.com/technet/security/bulletin/ms08-066.mspx

KB956391: Cumulative security update for ActiveX Killbits
Affects: Windows 2000, XP, Server 2003, Vista, Server 2008
Link: http://support.microsoft.com/kb/956391 

Additional links below:

Microsoft: http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx
ISC: http://isc.sans.org/diary.html?storyid=5180
