November 2008 - Posts

The first Monday following Thanksgiving is designated as "Cyber Monday".  Many retailers lower prices to encourage e-commerce transactions, and it's important to shop as safely as possible while online.  Five key tips:

1. Check whether your employer permits personal shopping from work
2. Be cautious with all links and email messages, especially "deal" mailings you did not ask for
3. Conduct e-commerce with mainstream sites that use HTTPS (look for the padlock and the https:// prefix before entering card details)
4. Use a credit card rather than a debit card, since credit card fraud protections are stronger and a debit card exposes your bank balance directly
5. Maintain your privacy at all times

Cyber Monday - Tips for shopping safely online
http://msmvps.com/blogs/harrywaldron/archive/2006/11/20/cyber-monday-11-27-2006-tips-for-shoping-safely-online.aspx

Cyber Monday - Home Page
http://www.cybermonday.com/

Cyber Monday - FAQs
http://www.shop.org/cybermonday/

The GpCode family is a dangerous form of malware which can permanently destroy files by encrypting them.  The ability of AV products to decrypt affected files varies and can't be relied on in all cases, especially when strong encryption is used correctly.

Based on past ransomware incidents, users should not pay the ransom of £200 (US$307).  The criminals on the other end are not trustworthy (e.g., the decryption key may never arrive, and credit card details handed over may be misused further).

In the worst case, it is better to recover from backup.  This threat illustrates the need to keep good backups of all important files on offline media (e.g., backup tapes, CD-R, DVD, USB drives).  Note that the malware encrypts files on any readable and writable drive it can reach, so a backup drive that stays plugged in is not an offline backup; disconnect it once the backup completes.

New GPcode Trojan Holds Victim’s Files Hostage
http://blog.trendmicro.com/new-gpcode-trojan-holds-victims-files-hostage/

QUOTE: It searches and encrypts files found on any readable and writable drive on the system, rendering them inaccessible (without the encryption key). It also changes the file name of the encrypted files, by adding the .XNC extension.

It also drops the file READ THIS.TXT in each folder that contains an encrypted file. This file informs the victim that the files have been encrypted, and that a decrypting tool must be purchased to decrypt the files. Email addresses are also included in the text file, which the victim must contact to obtain the decryption tool.

Accordingly, the perpetrator of this crime demands £200 (US$307) for the decryption services.  Users are strongly advised to back up their files so as not to be victimized by ransomware.

What is Ransomware?
http://en.wikipedia.org/wiki/Ransomware_(malware)
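The Trend Micro write-up above gives two file-system indicators for this variant: files renamed with a .XNC extension and a READ THIS.TXT note dropped in every folder holding an encrypted file.  The following script, added here as an example and not taken from Trend Micro or any other linked source, walks a directory tree for those indicators and counts hits per top-level folder, which is the first thing you need when deciding which backups to restore.  The sample tree it builds is constructed for the demo; the file names in it are not real malware output.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the Trend Micro description quoted above.
ENCRYPTED_EXT = ".xnc"
RANSOM_NOTE = "READ THIS.TXT"


def scan_for_gpcode_indicators(root):
    """Walk a directory tree and collect GpCode-style indicators.

    Returns a dict with the encrypted files found, the folders holding a
    ransom note, a count of .XNC files per top-level folder, and an
    overall verdict (both indicators present).
    """
    encrypted = []
    note_dirs = []
    per_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, name))
                per_dir[os.path.relpath(dirpath, root)] += 1
            elif name.upper() == RANSOM_NOTE:
                note_dirs.append(dirpath)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_note_dirs": sorted(note_dirs),
        "count_by_dir": dict(per_dir),
        "infected": bool(encrypted) and bool(note_dirs),
    }


def build_sample_tree():
    """Constructed sample tree for a dry run (not real malware output)."""
    root = tempfile.mkdtemp(prefix="gpcode_demo_")
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    # Two documents were "encrypted" and renamed; the note was dropped beside them.
    for name in ("budget.xls.XNC", "letter.doc.XNC", RANSOM_NOTE):
        open(os.path.join(docs, name), "w").close()
    # The Pictures folder was untouched.
    open(os.path.join(pics, "holiday.jpg"), "w").close()
    return root


if __name__ == "__main__":
    report = scan_for_gpcode_indicators(build_sample_tree())
    print("Infected:", report["infected"])
    for folder, n in sorted(report["count_by_dir"].items()):
        print(f"{folder}: {n} encrypted file(s)")
```

Run it against the root of each drive the infected machine could write to, including mapped network shares and any USB drive that was attached, since the quote above says the malware touches every readable and writable drive.  A folder with .XNC files but no note, or vice versa, is still worth a look: it usually means the malware was interrupted part way through.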

The Secunia Personal Software Inspector (PSI) tool is highly recommended for home users to evaluate whether they are up-to-date on security updates. While many vendors update their software automatically, most users will still find a few updates outstanding.  PSI provides a fast and comprehensive evaluation of any needed security patches for the entire system, including third-party applications that Windows Update does not cover.

Secunia Personal Software Inspector (PSI) 1.0 released
http://secunia.com/blog/35/

QUOTE: Though the PSI so far has been in beta, it has received a huge amount of praising words like these from ZDNet in a review of 10 essential security tools: “Number one is the Secunia Personal Software Inspector, quite possibly the most useful and important free application you can have running on your Windows machine”.

Version 1.0 of the PSI is somewhat more mature and bug free (as far as we know) compared to the first version, which only ran on XP 32bit. Today, it runs on 2000, XP 32/64bit, and Vista 32/64bit.

Download site - Personal Use only
http://secunia.com/vulnerability_scanning/personal/

Release version: 1.0.0.1 (Final)

Last release: 25th Nov. 2008

File size: 532,688 bytes

Fake Housecall Online Scanner circulating

Trend Micro is warning that a rogue version of HouseCall is circulating.  This popular free online virus detection and cleaning service has been offered for years.  The rogue version, reached through poisoned search results, appears to work almost exactly like the official tool.  It is best to use the link below or go directly to Trend Micro's site for the proper link, rather than trusting a search result.

Bogus ‘HouseCall’ Search Results Lead to Adware
http://blog.trendmicro.com/bogus-housecall-search-results-lead-to-adware/

QUOTE: Not surprisingly, the system scanning is completely fake. In actuality, the page linked to in the initial resulting Google search - along with other pages from the same domain - all point to a file detected by Trend Micro as ADW_FAKEAV. This is the software that tries to dupe victims into believing that their systems are infected with some sort of bogus malware and then prompts them to pay for a full license of a fake antivirus application in order to remove the fake threat.

Trend Micro - Official Housecall Link
http://housecall.trendmicro.com/

MS08-067 worm development by malicious authors has continued since Microsoft released the patch on October 23, 2008.  The latest variant ramps up the danger: it deletes system restore points, creates a backdoor to download more malicious code, and even patches the RPC vulnerability on the infected host to disguise its presence.  

While AV protection and firewalls blocking port 445 can mitigate attacks, the best defense is to ensure all PCs are up-to-date on Microsoft security updates.  An unpatched PC might become infected if its firewall fails or isn't active while connected to the Internet.  If this worm were present on a laptop carried inside the network, it could infect unpatched corporate servers and PCs wherever internal firewall controls are missing.

This new worm represents the most advanced MS08-067 attack to date.  As noted in every link, it's important to PATCH NOW if you have any systems that lack this update. 

New malware using an ms08-067 exploit gained momentum
http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
http://www.avertlabs.com/research/blog/index.php/2008/11/25/further-067-woes/
http://blog.trendmicro.com/ms08-067-vulnerability-botnets-reloaded/
http://isc.sans.org/diary.html?storyid=5401

QUOTE: First let me say, “PATCH your systems” if you have not done so already! Seriously, you and your machines are sitting ducks for attacks such as MS08-067, which we learned about from Microsoft last month. This type of attack is especially dangerous if your Windows Updates or security products are not up to date. Microsoft released its out-of-cycle emergency patch on the 23rd of October–more than one month ago–so you have no excuse today for being at risk!

According to the description in our Virus Information Library, W32/Conficker.worm decides how it will load itself as a Windows Service depending on whether the compromised version of Windows is Windows 2000. Once loaded in the service space, the worm attempts to download files from the Internet.

The worm continues by setting up an HTTP server that listens on a random port on the victim’s system while hosting a copy of the worm. It then scans for new vulnerable victims to exploit, at which point the new victim will download the worm from the previous victim and so on.

W32/Conficker.worm Detailed Information
http://vil.nai.com/vil/content/v_153464.htm
http://www.f-secure.com/v-descs/worm_w32_downadup_a.shtml
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=75911
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDOWNAD%2EA&VSect=P
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A

Trend - Behavioral Diagram
http://www.trendmicro.com/vinfo/images/blog/DOWNAD123.jpg
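The worm behaviour described above (scanning for new victims on the RPC/SMB port and then serving itself over HTTP to each one) leaves an obvious trace in firewall logs: one source touching many distinct hosts on TCP/445 in a short time.  The script below, added here as an example and not taken from any of the linked write-ups, applies that detection logic to constructed log lines.  The log format is made up for the demo, and the threshold of 20 targets in five minutes is an assumption you would tune to your own network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not any vendor's real format): one line per TCP
# connection attempt as an internal firewall might record it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=tcp action=(?P<action>\w+)$"
)

SMB_PORT = 445


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec


def find_smb_scanners(lines, window=timedelta(minutes=5), min_targets=20):
    """Return {src: distinct_targets} for sources that touched at least
    `min_targets` distinct hosts on TCP/445 inside any `window`-long span.

    A worm exploiting MS08-067 has to talk to many hosts on 445; a normal
    client talks to a handful of file servers. Denied and allowed attempts
    both count, since the scanning itself is the signal."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == SMB_PORT:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {dst for _, dst in evs[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def sample_log():
    """Constructed sample: one normal client and one infected host sweeping a /24."""
    base = datetime(2008, 11, 25, 9, 0, 0)
    lines = []
    # Normal client: a few file servers over the morning.
    for i, dst in enumerate(["10.0.0.5", "10.0.0.6", "10.0.0.5"]):
        ts = (base + timedelta(minutes=10 * i)).isoformat(timespec="seconds")
        lines.append(f"{ts} src=10.0.1.10 dst={dst} dport=445 proto=tcp action=allow")
    # Worm: 40 distinct hosts in under two minutes.
    for i in range(40):
        ts = (base + timedelta(seconds=3 * i)).isoformat(timespec="seconds")
        lines.append(f"{ts} src=10.0.1.77 dst=10.0.2.{i + 1} dport=445 proto=tcp action=deny")
    return lines


if __name__ == "__main__":
    for src, n in find_smb_scanners(sample_log()).items():
        print(f"possible MS08-067 worm: {src} hit {n} hosts on TCP/445")
```

Vulnerability scanners and patch-management servers will trip the same rule, so keep an allow list of known scanners.  A flagged host that has also opened a listening port nobody recognises (the worm's own HTTP server, per the McAfee description above) is a strong confirmation, and it should be pulled off the network before it is patched and cleaned.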


PATCH NOW - if there are any servers or PCs that are not updated with Microsoft security releases.  Home users can employ the Windows Update process.  More information can be found in the link below:

MS08-067 Security Patch Information
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

I received a copy of this email chain letter circulating and initially thought it was a wonderful idea. When I saw the "Pass it on" phrase, I automatically checked Snopes to be sure it was true and was surprised to discover these cards would not be delivered to our wounded service men and women (the Red Cross has a better solution, noted below).

Security concerns are the key reason this email approach won't work. The US Postal Service will NOT accept mail addressed to "Any Soldier", since random mail of this nature could be misused to cause further harm to our troops.

A copy of this email message is noted below:

SUBJECT: A Great Idea

EMAIL TEXT: GREAT IDEA!! When doing your Christmas cards this year, take one card and send it to this address. If we pass this on and everyone sends one card, think of how many cards these wonderful special people who have sacrificed so much would get.


When you are making out your Christmas card list this year, please include the following:

A Recovering American Soldier
c/o Walter Reed Army Medical Center
6900 Georgia Avenue,NW
Washington,D.C. 20307-5001

If you approve, please pass it on.



However, there is a REAL and SAFE way we can show our concern and appreciation:

Holiday Mail for Heroes
http://www.redcross.org/email/saf/
http://www.snopes.com/politics/christmas/soldiercards.asp

Please follow these guidelines when mailing a card to ensure that your card will quickly reach service members, veterans and their families:

Holiday Mail for Heroes
PO Box 5456
Capitol Heights, MD 20791-5456


Card Guidelines -- Every card received will first be screened for hazardous materials by Pitney Bowes and then reviewed by Red Cross volunteers working in one of 16 sorting stations around the country.

-- All cards must be postmarked no later than Wednesday, December 10, 2008. Cards sent after this date will be returned to sender.
-- Participants are encouraged to limit the number of cards they submit to 25 from any one person or 50 from any one class or group. If you are mailing a larger quantity, please bundle the cards and place them in large mailing envelopes. Each card does not need its own envelope or postage.
-- Please ensure that all cards are signed.
-- Please use generic salutations such as “Dear Service Member.” Cards addressed to specific individuals can not be delivered through this program.
-- Please send cards as opposed to long letters which delay a quick review process.
-- Please do not include email or home addresses on the cards, as the program is not meant to foster pen pal relationships.
-- Please do not include inserts of any kind, including photos, as these items will be removed during the reviewing process.
-- All cards received may be used in program publicity efforts, including appearing in broadcast, print or online mediums.

Thanks to Microsoft for adding this family to the Malicious Software Removal Tool (MSRT).  This rogue AV family is prevalent in the wild.  Because it is pushed through SQL injection of legitimate sites and Flash-based malicious advertisements, AntiVirus 2008 prompts can sometimes be encountered even on relatively safe and trusted sites.

CLOSE ENCOUNTERS OF THE MALWARE KIND: On Monday, I cleaned multiple variants from a family member's new Dell Vista system.  The 90-day Norton Internet Security (NIS) trial had expired and there was no active protection.  This led to having no firewall, AV protection, etc. To solve this issue, I uninstalled NIS and added the free Vista version of Avast.  Every aspect of the Vista Security Center returned to "green" again after a full scan of the hard drive.

Microsoft MSRT - Detection for AntiVirus 2008 family added in November
http://blogs.technet.com/mmpc/archive/2008/11/12/win32-fakesecsen-a-nasty-piece-of-work.aspx

QUOTE: Rogue software tells you that your system is crawling with bad stuff (for free!) and then offers to remove it for you (that’ll cost you). Of course the stuff they report is completely bogus; they are incapable of finding any real malware. What’s more they can be very insistent, repeatedly displaying popup warnings that make it virtually impossible to use your machine unless you pay to “register” the program. Apart from extorting money from innocent people, which is bad enough, this behaviour adds to the amount of FUD (fear, uncertainty and doubt) in the online community.

AVERT Labs (McAfee) has highlighted an increase in malware dangers associated with infected USB media. Be careful with any device you plug into your PC and scan it for viruses before opening anything on it (especially if others use your PC and plug their own devices into it).  Disabling AutoPlay for removable drives removes the infection vector these worms depend on.

USB Media - Major Increase in Autorun based malware
http://www.avertlabs.com/research/blog/index.php/2008/11/20/the-rise-in-autorun-based-malware/

QUOTE: Over the years, floppy disks have since been replaced by thumb drives, portable hard drives, flash media cards and other forms of removable data storage. These removable devices of today can hold 10,000 times more data than yesteryear's floppy disks. Not only can they store more data, today’s removable storage devices are smart with the ability to run portable software programs or boot an entire operating system.

Given the popularity of removable storage media, virus authors were quick to realize the potential of using this as an infection vector. And they are greatly aided by a convenience feature in operating systems called “AutoPlay” that exists to automagically launch the content in a removable disk without any user interaction.
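The AutoPlay mechanism the quote describes is driven by an autorun.inf file in the root of the removable drive, and a worm that abuses it has to put an open=, shellexecute= or shell\...\command= entry in that file pointing at its own executable.  The script below is an added example (not McAfee's code or any published tool) that parses an autorun.inf and reports why it looks like a worm dropper.  Both sample files are constructed for the demo; the RECYCLER path in the malicious one mirrors a common hiding place but is not a specific real sample.

```python
import re

# Keys that make AutoPlay launch something. Seeing these on a thumb drive,
# rather than on a CD that ships an installer, is the classic worm pattern.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
EXECUTABLE_RE = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs)\b", re.IGNORECASE)


def parse_autorun(text):
    """Minimal INI parser for autorun.inf -> {section: {key: value}}.

    Worms often pad the file with junk or comment lines to confuse simple
    scanners, so unparsable lines are skipped rather than treated as errors."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun(text):
    """Return a list of reasons the file looks like a worm dropper (empty = nothing suspicious)."""
    reasons = []
    auto = parse_autorun(text).get("autorun", {})
    for key, value in auto.items():
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            reasons.append(f"{key}= launches '{value}'")
            lower = value.lower()
            if EXECUTABLE_RE.search(lower):
                reasons.append(f"{key}= points at an executable: {value}")
            if "recycler" in lower or "system volume information" in lower:
                reasons.append(f"{key}= hides its payload in a system folder")
    # Overriding the default double-click verb makes the user run the payload
    # from Explorer even when AutoPlay itself is switched off.
    if "shell" in auto:
        reasons.append(f"default shell action replaced with '{auto['shell']}'")
    return reasons


# Constructed samples for the demo (not copied from real infections).
SAMPLE_BENIGN = """
[autorun]
icon=setup.ico
label=Holiday Photos 2008
"""

SAMPLE_MALICIOUS = r"""
[autorun]
;zzqq padding line
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\update.exe
shell=open
"""

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS)):
        findings = assess_autorun(sample)
        print(f"{label}: {'clean' if not findings else ''}")
        for reason in findings:
            print("  -", reason)
```

Read the file from the drive root with a plain text editor (never by double-clicking the drive icon, which is exactly what the shell\open\command entry hijacks).  The icon= line in the malicious sample is also typical: it borrows the standard folder or drive icon from SHELL32.dll so the drive still looks ordinary in Explorer.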


Another related article:

Under Worm Attacks, US Army Bans USB Drives
http://blogs.zdnet.com/security/?p=2206
http://blog.wired.com/defense/2008/11/army-bans-usb-d.html

QUOTE: Under sustained attack from what is described as a rapidly spreading network worm, the U.S. army has banned the use of USB sticks, CDs, flash media cards, and all other removable data storage devices

On Monday, I got some good experience myself as I cleaned multiple copies of AntiVirus 2008 from my sister's new Vista PC (which came with a 90-day copy of Norton's Internet Suite that had expired and was no longer effective).  As I installed the free version of Avast in its place, I was only prompted a couple of times by UAC for the uninstall/reinstall process.  This was all accomplished on my lunch hour and it ended up being a good experience.  These fake (aka "rogue") security programs are definitely out there in the wild. 

Be careful with any website you visit, and use CTRL + SHIFT + ESC to open Windows Task Manager and end the browser process if a fake security alert appears.  Killing the process is safer than clicking any button in the pop-up, since "Cancel" and the window's close box may be wired to start the download.


New Malicious Advertisements circulating

http://blogs.pcmag.com/securitywatch/2008/11/new_maladvertisement_reports.php

QUOTE: Maybe things aren't really any worse than they've been in the past, but I've been seeing a lot of reports of malicious web advertisements on legitimate sites lately. Many have come from the Spyware Sucks blog, a worthy addition to any RSS reader ...

UrlScan v3.0, either standalone or as the request-filtering facility built into IIS, can help mitigate attacks until web applications are strengthened to properly validate their input and use parameterized queries, which is the actual fix for SQL injection.  There are also some good non-Microsoft filtering systems that can help block these automated attacks.

Large quantity SQL Injection mitigation
http://isc.sans.org/diary.html?storyid=5381

QUOTE: As botnets and other automated tools are hammering at websites trying to exploit SQL injection vulnerabilities, site operators are working hard at defending their websites.  ASProx and other botnets were hitting hard at the ASP + MS SQL platform; millions of websites have already fallen victim to SQL injection vulnerabilities. Although there has been a decline in wild SQL scanning by ASProx-type botnets, we are still not in the clear yet. The unauthenticated portion of some sites might be secure, but the authenticated portion might be totally vulnerable.

A short-term remediation for SQL injection can be a web application firewall. A web application firewall (WAF) is similar to a network firewall except it also inspects application-layer information, such as cookies, form fields and HTTP headers. With Microsoft IIS as the web server, one of the quickest and easiest WAF solutions may be Microsoft's UrlScan; it is an add-on to IIS 5 and built in for later versions of IIS. UrlScan runs as an ISAPI filter, so it can be easily deployed and removed.

The AntiVirus 2008 family has served as a model for numerous "scareware" attacks.  These fraudulent products generate fake security alerts to convince users to purchase their "cleaning tools". They are not real security packages and exist mainly to take money from any victims who pay. 

Sunbelt is warning of new attacks from a rogue product called "Virus Trigger". These attacks are usually encountered by visiting a compromised website.  If you see security pop-ups from a rogue program, use CTRL + SHIFT + ESC to open Task Manager and end the browser process rather than clicking anything in the pop-up.
 

SUNBELT - New rogue: Virus Trigger
http://sunbeltblog.blogspot.com/2008/11/new-rogue-virus-trigger.html

QUOTE: Virus Trigger is a new rogue security product and a near clone of VirusResponse Lab 2009.

VirusResponse Lab 2009 - Virus Trigger is similar to this threat
http://research.sunbelt-software.com/threatdisplay.aspx?threatid=409438

The article below notes that FUD (Fear, Uncertainty, and Doubt) may be used to "sell the need for security" to home users or even in some organizations. FUD means that exaggerated claims are used to alarm folks into making security decisions.  However, I believe most corporate security professionals (at least those I've worked with) thoroughly research options and present as much factual information as possible to IT management. 

Corporate security is a business requirement.  Granted, it's sometimes difficult to ascertain and quantify in real dollar terms.  It entails risk management to address potential losses in a cost effective manner.  The potential consequences of not acting to address true exposures should be shared in a professional manner without the use of FUD.        

In some respects, it's important to occasionally "cry wolf" when major exposures surface.  However, as the article notes, it's important to be factual and to "keep the powder dry" rather than over-alerting folks, in order to maintain credibility. 

If there's a strong potential of attacks against a highly vulnerable exposure, IT Security needs to alert all affected areas so they can work pro-actively to prevent it. You always want to "patch the roof before it rains", whether the rain is due immediately or several weeks away.

I agree with some of the constructive criticism noted in the article.  Security professionals need to apply due diligence in properly researching solutions.  The use of facts rather than FUD over time will improve management's perception of IT security as the critical business resource it has become.

Security Reference Guide - Three Reasons Why Users Won't Buy Into Security
http://www.informit.com/guides/content.aspx?g=security&seqNum=332

QUOTE: As if to bolster the viewpoint that the security community only has fear to offer their users, when was the last time you every heard anything good about a security solution or process. For example, have you ever seen the headline "XYZ Firewall Prevent Hackers from Blowing Up a Power Plant!?" Unlikely. Instead, security related news that does make it to the general community deals with viruses, malicious hackers, and scary scenarios that paint a really bad picture of the digital world. Ultimately, it is fairly obvious that FUD tactics are the primary method by which the security industry obtains and maintains their consumers.

A malware kit originating from China now offers an exploit for the Windows MS08-067 vulnerability, which Microsoft patched in a special October out-of-band release. The kit is sold in underground markets for around $37.80, although its license claims the tool is for pen-testing only. 

All corporate and home users must stay up-to-date on security patches, as some vulnerabilities are being actively exploited.

MS08-067 Exploit - Featured in Chinese commercial malware kit
http://www.avertlabs.com/research/blog/index.php/2008/11/14/exploit-ms08-067-bundled-in-commercial-malware-kit/

QUOTE: Probably the most widely reported topic in the Chinese Security community this month will be the availability of a commercial MS08-067 attack pack, customized for Chinese users. On October 26th, 2008, exploit code was posted on to a well-known public repository site. In a few days, malware kit author, WolfTeeth, was quick to sell a MS08-067 port scanning tool with attack capability to his “customers”, using free code from the Internet.

Both kits offer a free version, and a commercial version with enhanced features including:

• Kernel rootkit.
• Anti-virus software termination.
• Weekly anti-virus detection monitoring and evasion service.
• Web DDOS attack option

New versions of Firefox, Thunderbird and SeaMonkey have just been released to resolve security issues.  Most users will be prompted by the automatic update process.  After saving any work in progress, they should move to the latest versions as prompted.

Firefox 2 Security Advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox20.html
http://secunia.com/advisories/32693/ 

Firefox 3 Security Advisories:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
http://secunia.com/advisories/32713/

Thunderbird Security Advisories:
http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html
http://secunia.com/advisories/32715/

SeaMonkey Security Advisories:
http://www.mozilla.org/security/known-vulnerabilities/seamonkey11.html
http://secunia.com/advisories/32714/


Firefox 3.0.4 Download Site:
http://www.mozilla.com/en-US/firefox/all.html

Firefox 2.0.0.18 Download Site:
http://www.mozilla.com/en-US/firefox/all-older.html

Thunderbird 2.0.0.18 Download Site:
http://www.mozilla.com/en-US/thunderbird/all.html

SeaMonkey Download Site:
http://www.seamonkey-project.org/releases/

Cloud Computing - Seven Key Concerns Highlighted

Cloud computing is a growing trend in the industry, and this article from Computerworld provides a good overview of the concerns.  This computing approach uses hosted applications from a provider, with the Internet as the networking backbone.  While the article touches on security issues, any cloud computing solution must treat security as a prominent concern as well, since your data and application logic now live on someone else's infrastructure. 

Stormy weather: 7 gotchas in cloud computing
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=327832

QUOTE: Here are seven turbulent areas where current and potential users of cloud computing need to be particularly wary:

1. Costs, Part I: Cloud Infrastructure Providers
2. Costs, Part II: Cloud Storage Providers
3. Sudden Code Changes 
4. Service Disruptions
5. Vendor Expertise
6. Global Concerns
7. Non-native Applications

Cloud Computing - Additional Information
http://en.wikipedia.org/wiki/Cloud_Computing
http://en.wikipedia.org/wiki/Software_as_a_service
http://www.johnmwillis.com/cloud-computing/cloud-cafe-podcast-8/
