December 2008 - Posts

While I'm personally anxious to explore Windows 7's new security controls and functionality, these pirated copies of W/7 should be avoided.  Anyone interested in exploring this new operating system should patiently wait until a true public offering emerges that is supported by Microsoft's beta program.  According to the article, the first public W/7 beta should emerge in early 2009.

Windows 7 beta leaks to Internet
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9124399

QUOTE: December 27, 2008 (Computerworld)  Pirated copies of a Windows 7 build pegged by many as the beta Microsoft Corp. will release next month have been leaked to the Internet, according to searches at several BitTorrent sites today.  A search on the Pirate Bay BitTorrent site, for example, returned two Windows 7 Build 7000 listings, both of which had been posted Friday.

A new series of rogue programs has been created from the Anti-Virus 2008 series. If you encounter a pop-up message while visiting a website that differs from your current AV protection, use ALT+CTRL+ESC to invoke Task Manager and exit safely from the pop-up window.

More "Fake AV" Incarnations Making The Rounds
http://isc.sans.org/diary.html?storyid=5584

QUOTE: Using obfuscated javascript techniques, more "Fake Anti Virus" malware is continuing to present itself to unsuspecting Internet users - in the hopes of gaining an installation through the use of rather effective, social engineering methods.

In terms of propagation, getting a "hit" from this malware is as easy as entering a series of search terms on your favorite search engine, and unluckily picking a search result that delivers nothing more than the misleading introductory screen and fake anti-virus pop-up alerts (with their associated "D-level" English grammar).  Should you unfortunately find yourself victim to this, remember to not click anywhere on the screen, but instead use "Task Manager - Applications" to terminate the victimized web browser session.

A few Vista systems have been affected by an issue that's currently being researched.  The links at the bottom can help resolve this issue without having to reload Vista from scratch. Hopefully, this will help impacted users until a more permanent solution is available.

Vista - Mysterious Black Screen of Death
http://blogs.pcmag.com/securitywatch/2008/12/the_mysterious_black_screen_of.php

QUOTE: It goes like this: Your Vista system boots up to a black screen with a mouse cursor. That's it, no rest of the user interface, no nothing to do. This is showing up in sporadic reports since about early November. They call it the blacK Screen Of Death, or KSOD (because BSOD was already taken).

What is causing it? That's unclear for now. But there is a fix, courtesy of Mark from the SBSC & MSP Buzz Blog. He says the problem is related to the RPC service running under the LocalSystem account as opposed to the NT Authority\NetworkService account ...

MVP Susan Bradley shares this post:
http://msmvps.com/blogs/bradley/archive/2008/12/25/vista-black-screen-of-death-we-still-need-a-reason.aspx

QUOTE: The good news is that Mark has a solid workaround that ensures that you don't have to reinstall Vista after it boots to one of these black screen of death issues. The bad news is the underlying trigger is still not known/understood at this time.

How to fix the Vista KSOD (blacK Screen Of Death)
http://www.logicitc.com/blog/?p=102

SBSC - Windows Vista Black Screen with Mouse Cursor Only Issue:
http://sbsc.techcareteam.com/archives/325

A Computer New article published during December includes a customizable template for documenting applications.

Tech Target - Creating comprehensive standards for business continuity documentation

Trend Micro is reporting a significant increase in malicious e-cards circulating in email. Users should avoid all e-cards except those from truly legitimate sources. Keeping AV protection up-to-date is also beneficial.

Malware e-card spam attacks increase
http://blog.trendmicro.com/merry-mal...oding-inboxes/

QUOTE: A significant amount of e-card spam has flooded inboxes recently, taking advantage of the upcoming holiday season. Spam mails contain holiday greetings and a short message informing users that they have received an e-card from someone. Also in the email is an embedded URL link where the recipient can view or claim their e-card.

SUBJECT LINES TO AVOID:
A Christmas card from a friend
A special card just for you
Christmas card for you
Christmas Ecard Notification
Christmas Ecard Special Delivery
Christmas greetings e-card is waiting for you
Christmas greetings for you
Christmas greetings from your friend
Christmas Wishes!
Greeting for you!
Happy Christmas!
Have a warm an lovely Christmas!
I made an Ecard for U!
I sent you the ecard
Joyful Christmas!
Merry Christmas 2009!
Merry Christmas card for you!
Merry Christmas e-card is waiting for you
Merry Christmas greetings for you
Merry Christmas ‘N Happy New Year!
Merry Christmas To You!
Merry Christmas wishes just for you
Merry Christmas!
Merry Xmas!
Warmest Wishes For Christmas!
Wish You A Merry Christmas!
Xmas card for you
Xmas card is waiting for you
You have a Christmas Greeting!
You have a greeting card
You Have An E-card Waiting For You!
You have received a Christmas E-card
You have received a Christmas greetings card
You have received an E-card
You Received an Ecard.
You’ve got a Christmas E-card
You’ve got a Christmas greetings card
You’ve got a Merry Christmas E-card
You’ve got a Merry Christmas greeting card
You’ve got a Xmas e-card
You’ve got an e-card

AVERT is reporting a widespread volume of fake "wire transfer" messages.  As e-commerce messages might be expected during the holidays, these realistic-appearing messages could trick users into opening them.  ZIP files may not be blocked by email filtering as well as other attachment types are.  Finally, each message processed so far is unique, as differing packing algorithms are used to evade AV detection.
 
Fake Wire Transfer spam contain Malicious ZIP attachments
http://www.avertlabs.com/research/blog/index.php/2008/12/24/a-new-spam-circulating-fake-wire-transfer-statements/

QUOTE: Today a new downloader trojan is being spammed widely. This spam message arrives as a reply to the victim’s query of asking for the wire transfer.

When users run the file “bank_statement.scr” in the attachment zip file, it downloads the BackDoor-DSG trojan, while in the background it downloads an innocent pdf document from a legit site and opens it for deception. The pdf document, however, is not relevant to the wire transfer.

We see that the trojan file is repacked for each message, thus none of them are identical. In addition to that, this time the malware authors are changing resource sections in those pe files such as Icons, and file properties.
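As an added example (not code from the AVERT post or this blog), a small Python filter that looks inside ZIP mail attachments for executable payloads such as the bank_statement.scr described above, since filtering only on the outer .zip extension misses them; the message, archive and payload bytes are all constructed inline.

```python
"""Flag executables hidden inside ZIP mail attachments (added example,
not AVERT's code; models the bank_statement.scr-in-a-zip spam above)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs on double-click; a .scr screen saver is a PE executable.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
MAX_DEPTH = 3  # nested archives are inspected down to this depth

def risky_members(zip_bytes: bytes, depth: int = 0) -> list[str]:
    """Return member names whose final extension is executable, descending
    into nested ZIPs (reported as outer.zip/inner name)."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                name = info.filename
                # Only the last extension counts, so "statement.pdf.scr" is caught.
                if name.lower().endswith(EXECUTABLE_EXTENSIONS):
                    found.append(name)
                elif name.lower().endswith(".zip") and depth < MAX_DEPTH:
                    inner = risky_members(zf.read(info), depth + 1)
                    found.extend(f"{name}/{m}" for m in inner)
    except zipfile.BadZipFile:
        found.append("<unreadable zip>")  # damaged archive: treat as suspicious
    return found

def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each ZIP attachment's filename to the risky members it contains."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Detect ZIPs by magic bytes, not by the declared attachment name.
        if payload.startswith(b"PK\x03\x04"):
            hits = risky_members(payload)
            if hits:
                report[part.get_filename() or "<unnamed>"] = hits
    return report

def build_sample() -> bytes:
    """Constructed sample message modelled on the post (payload is fake)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bank_statement.scr", b"MZ not a real binary")
    msg = EmailMessage()
    msg["Subject"] = "Re: wire transfer"
    msg.set_content("Please find the requested statement attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="wire_transfer.zip")
    return bytes(msg)

if __name__ == "__main__":
    print(scan_message(build_sample()))  # {'wire_transfer.zip': ['bank_statement.scr']}
```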

This is an excellent account of removing one of the most popular malware attacks currently circulating.   The use of Avira's AntiVirus free standalone removal tool on a rescue CD appears to be a good cleaning approach, which I discovered in this account.

An early present from the makers of Antivirus 2009!
http://isc.sans.org/diary.html?storyid=5548

Avira's AntiVirus 200x free rescue CD
http://www.avira.com/en/support/support_downloads.html

QUOTE: Twas five days before Christmas and all through the house, no malware was detected on Windoze or MacOS.  When all of the sudden and to my surprise, my Daughter shouted "Dad!!!!!" with big/frightened eyes!  "I just wanted to play fashion dress-up and powder my virtual nose but when I went to the site, the Internet Explorer froze!  It then launched another window with scantily-clad girls and now nothing works, I can't even change my curls!!  Oh please help me fix this, did I do something bad?  Oh please help me Daddy and please don't get mad."

QUOTE: I've had reports of excellent, free help for removing rogue antivirus from Microsoft's technical support - "Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates".

A new vulnerability has been discovered affecting SQL Server, and Microsoft is working on a patch for this issue.  Most SQL Server versions are vulnerable (except 2008 and 2005 SP3).  Exploits are also publicly circulating for these less secure implementations of SQL Server.

Direct remote and untrusted connections to SQL Server should NOT be used for web-based applications.  A better design uses a DMZ server topology for web apps, special trusted port redirects, authorized user accounts, and other more secure techniques.

AV protection will most likely emerge, and it's important to stay up-to-date.  Corporate users should apply any applicable workarounds and monitor for further developments.

Advisory 961040 - New SQL Server remote connections vulnerability
http://isc.sans.org/diary.html?storyid=5545

QUOTE: "Clients and applications that utilize MSDE 2000 or SQL Server 2005 Express are at risk of remote attack if they have modified the default installation to accept remote connections, if they allow untrusted users access to MSDE 2000 or SQL Server 2005 Express, or if an application that uses MSDE 2000 or SQL Server 2005 Express has a SQL Injection vulnerability.

Microsoft Security Advisory (961040)
Vulnerability in SQL Server Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/961040.mspx
http://support.microsoft.com/kb/961040

QUOTE: Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect systems that have had the workarounds listed below applied. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time.

Please see the WORKAROUNDS published in the bulletin for ideas on how to mitigate the current public exploit.

I've been updating all work and home PCs for the critical Internet Explorer security patch (MS08-078).  During this process, I've encountered a new version of Windows Update which has worked well except for one of my XP systems.

I have an older Windows 2000 PC that had issues some months ago with Windows Update consuming 100% of the CPU cycles.  To resolve this issue, I had set updates to automatic rather than manual.  The system would gradually apply these as available for critical components still being updated for this legacy operating system.  It was still a very slow process and most of the time required a few sessions to complete.

However, I found in updating my XP systems that a new version of Windows Update was available, and I reset the Security Center for manual rather than automatic updates.  This was done to test the new version to see if performance improvements were present.  I was pleased to discover that W/2000 updates seem to now work as well as they did under XP.  I'll continue checking next month to see if this finding continues.

http://msmvps.com/blogs/harrywaldron/archive/2008/06/11/windows-update-svchost-100-percent-issue-resolved.aspx

My corporate Dell XP SP3 laptop with IE7 updated fine and no issues have been seen so far.

Our family Dell XP SP3 Desktop with IE8 b2 consistently terminated with a 0x80072EE2 abend after multiple attempts. As part of the update process, I had to install the new version of WU on one of my PCs that I had not used recently.

What I've usually done to resolve any WU issue is simply enter Windows Update 0x80072EE2 in an Internet search engine (e.g., Google, Live, Yahoo, etc.). Searching on error codes usually lands you at a forum or KB with ideas to try.

After a quick Internet search on the error code, I found this helpful KB and tried some of the solutions.

http://support.microsoft.com/default.aspx?scid=836941

I added the revised Windows Update URL to trusted sites and disabled my AV software, but still kept experiencing the 0x80072EE2 abend.

What finally worked for me was to delete all browser cache. In IE8, the "Delete All" tab in the "Delete Browsing History" options can reset the IE8 environment completely. I was then able to successfully update IE8 with the patch.

However as the KB notes, 0x80072EE2 is an Internet Timeout issue. Hopefully everyone was updating last night, and Microsoft's Windows Update site may have been saturated at the time. Perhaps in the half hour timeframe of trying solutions, connectivity to the site improved and clearing the prior cache wasn't a factor.

The clearing of browser cache might be an idea to try if all else fails.

Most home users are most likely set for automatic updates and should apply this critical security update when prompted.  This IE patch will prevent malicious exploits from being installed by simply visiting a website hosting this attack code (i.e., this new exploit is automatically invoked with no action required by the user other than visiting the site).

If you manually download and update patches, the FAQ section of the bulletin recommends that IE be first updated with the latest cumulative patch.

QUOTE FROM FAQ SECTION OF BULLETIN 

Question -- Is this a cumulative security update for Internet Explorer?

Answer -- No. This out-of-band security update is not cumulative. To be fully protected, customers should apply this update after applying the most recent cumulative security update for Internet Explorer. This update, MS08-078, will be included in a future cumulative security update for Internet Explorer.

 

MS08-078 - Special Internet Explorer security release now available
http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx

Internet Explorer 960714 is released
http://isc.sans.org/diary.html?storyid=5515

Original Advisory
http://www.microsoft.com/technet/security/advisory/961051.mspx

The detailed test results are interesting.  They point to improvements that all five major browsers should consider in the future.

However, users should avoid storing browser passwords anyway for sensitive sites (esp. e-commerce, banking, etc.).  It's a better practice to re-enter ID and password credentials each time, in case someone gains access to your PC.  The re-entry process also helps in better remembering the password.

Conversely, financial websites should be programmed so that the browser cannot capture password fields.  Many sensitive sites are constructed in this manner, where passwords are form fields spread across multiple screens.  This technique prevents the ID and password from being stored.

Chapin Information Services - Browser Password Management Tests
http://www.info-svc.com/news/2008/12-12/
http://www.eweek.com/c/a/Security/Google-Chrome-and-Apple-Safari-Lead-Poor-Showing-by-Browsers-in-Password-Management-Test/

QUOTE: The company took a look at all the major browsers: Internet Explorer 7, Opera 9.62, Firefox 3.04, Safari 3.2 and Google Chrome. According to the study, each browser was susceptible to a number of vulnerabilities that could expose password information.

Of the five, Opera Software's Opera and Mozilla Firefox fared the best—meaning they passed seven of the 21 tests. Internet Explorer passed five tests, while Google Chrome and Apple Safari passed only two.

Three issues were cited by CIS as being problems that, when combined, could allow cyber-thieves to steal passwords without a user's knowledge. The first two are whether the browsers check the destination where passwords are sent and the locations where they are requested.

The third critical issue is whether the password manager delivers a password using a form that is not visible. If an attacker can put an invisible password form on the page and count on the password manager to fill in the form, it is possible to steal a user's password without the user ever knowing, Chapin explained.

SWI, one of the most popular spyware information and removal sites, recently lost its domain name.  Malware has been discovered at the original site, Spyware Info (dot) com.  The new site name should be used instead and re-bookmarked to ensure safety.

SWI - Bookmark for New Location
http://www.spywareinfoforum.info/

SpywareInfo (dot) com BAD NEWS
http://forum.aumha.org/viewtopic.php?f=48&t=37381

QUOTE: GoDaddy just auctioned off Mike Healan's original (please don't go to this site), and what happened to it is what many feared would when they saw how high the price was getting. As of yesterday the new owner had a page up directing people to fake protection programs, some of them being downright malicious. The site is now blocked by OpenDNS and some other DNS servers as malicious.

A zero-day vulnerability is being actively exploited in all supported versions of Internet Explorer.  SQL injection techniques are being used to spread dangerous exploit-based scripts, even on some potentially trusted and respected sites (that may not be programmed as securely as they should be).

While AV protection, best practices, and documented workarounds can help prevent issues, this emergency update is the best form of protection.  Please update tomorrow as prompted to ensure the best level of protection during the holiday season.

Microsoft will issue emergency Internet Explorer fix on December 17th
http://www.msnbc.msn.com/id/28258894/
http://isc.sans.org/diary.html?storyid=5497
http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx

QUOTE: REDMOND, Wash. - Microsoft Corp. is taking the unusual step of issuing an emergency fix for a security hole in its Internet Explorer software that has exposed millions of users to having their computers taken over by hackers.

The "zero-day" vulnerability, which came to light last week, allows criminals to take over victims' machines simply by steering them to infected Web sites; users don't have to download anything for their computers to get infected, which makes the flaw in Internet Explorer's programming code so dangerous. Internet Explorer is the world's most widely used Web browser.

Microsoft said it plans to ship a security update, rated "critical," for the browser on Wednesday. People with the Windows Update feature activated on their computers will get the patch automatically.

Thousands of Web sites already have been compromised by criminals looking to exploit the flaw. The bad guys have loaded malicious code onto those sites that automatically infect visitors' machines if they're using Internet Explorer and haven't employed a complicated series of workarounds that Microsoft has suggested.

Microsoft IE Security Advisory
http://www.microsoft.com/technet/security/advisory/961051.mspx

F-Secure: Extremely Dangerous Internet Explorer Security Hole - Beware!
http://www.f-secure.com/weblog/archives/00001561.html

Internet Explorer - New Zero-Day exploit in-the-wild

Please be careful with all websites visited and follow developments closely. While this attack is currently on a limited scale, folks should be cautious anyway with all website visitation.

Internet Explorer - New Zero-Day exploit in-the-wild
http://isc.sans.org/diary.html?storyid=5458
http://www.microsoft.com/technet/security/advisory/961051.mspx

QUOTE: Microsoft is investigating new public reports of attacks against a new vulnerability in Internet Explorer. Our investigation so far has shown that these attacks are against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008.

At this time, we are aware only of limited attacks that attempt to use this vulnerability. Our investigation of these attacks so far has verified that they are not successful against customers who have applied the workarounds listed in this advisory.
