March 2009 - Posts

Hopefully, as F-Secure notes, nothing major will most likely occur on April 1st and much is still unknown regarding the new P2P update routines. 

http://www.f-secure.com/weblog/archives/00001636.html

Star Recently, Chrome was to only browser to survive recent the Pwn2Own security testing contest.  The code quality, sandbox isolation design, relative newness, and lack of major security testing were all contributing factors. Chrome is also a relatively simple browser lacking many advanced features.  Sometimes less flexibility means less manipulation.

I've been beta testing Chrome since it's introduction and like the speed and even the simplicity of design.  Still based on this test I'm not going discard IE8 or Firefox 3 as they offer good defense systems. They have stood fairly well from constant attacks and they are patched promptly when issues surface.

PERSONAL COMMENTS ON GOOGLE CHROME'S SECURITY

-- The sandbox isolation design is indeed beneficial from a security perspective
-- Chrome is among the newest browsers written from the ground up and avoids a lot of the legacy issues for W/2000 and supporting prior browser versions (like IE has to do for compatibility)
-- Chrome is somewhat untested in-the-wild.  Firefox, IE, Opera, and Safari have been available longer
-- Google has been previously ranked as one of worst companies when it comes to privacy concerns (e.g., their sharing of IP addresses from searches)
-- Chrome has been patched along the way for security issues.
-- Most likely Chrome has been fuzz tested extensively given Google's extensive resources and the code is probably high quality. 
-- Still "code is code" and no software product is totally invincible
-- A browser can't save users from themselves (so "think before you click")
  

Google Chrome - Only browser to survive recent Pwn2Own contest
http://arstechnica.com/security/news/2009/03/chrome-is-the-only-browser-left-standing-in-pwn2own-contest.ars
http://i.gizmodo.com/5177067/chrome-is-the-last-browser-standing-at-pwn2own-hacking-competition

QUOTE: Only Chrome was able to withstand the first day of the event thanks, in large part, to its innovative sandbox feature

Google Sandbox Design contributed to safety
http://google-chrome-browser.com/new-approach-browser-security-google-chrome-sandbox

These updates should be applied promptly, as there have been PDF based attacks in the wild involving JavaScript vulnerabilities.

http://www.adobe.com/support/security/bulletins/apsb09-04.html

QUOTE: Critical vulnerabilities have been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that one of these issues is being exploited (CVE-2009-0658).

Adobe recommends users of Adobe Reader and Acrobat 9 update to Adobe Reader 9.1 and Acrobat 9.1. Adobe recommends users of Acrobat 8 update to Acrobat 8.1.4, and users of Acrobat 7 update to Acrobat 7.1.1. For Adobe Reader users who can’t update to Adobe Reader 9.1, Adobe has provided the Adobe Reader 8.1.4 and Adobe Reader 7.1.1 updates.

These updates resolve the issue from Security Advisory APSA09-01 and Security Bulletin APSB09-03. Users who have previously updated to Adobe Reader 9.1 and Acrobat 9.1 for Windows and Macintosh need not take any action. As of March 24, Adobe has also made available the Adobe Reader 9.1 and Adobe Reader 8.1.4 updates for Unix

Vundo is one of the most frequent viruses encountered in-the-wild.  A new version will encrypt all data file types on a PC and try to pay users pay to restore them.  Symantec offers a free cleaning tool as noted at the bottom that will unencrypt these files.

Vundo - New Ransomware Version encrypts files
https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/255


QUOTE: Symantec received news of a new twist in the behavior of Trojan.Vundo. Instead of simply pushing misleading applications and other threats onto the infected computers, it seems the authors of Vundo have taken a more direct hand in revenue generation. Rather than just frightening you into believing that you may have problems or threats present on your computer, Vundo now drops a file named fpfstb.dll that attempts to make sure that you do encounter problems on your computer.

Once the files are encrypted, it starts to display messages stating that certain files on the computer are corrupted. If the user attempts to open any of the encrypted files, a message will also appear saying that the file is corrupt. In both windows, a repair option is available.

If the user clicks on repair, a browser window will open to the domain filefixpro.com (now offline). This site offers a program named FileFix Professional (detected as FileFixProfessional), which is supposed to repair the corrupted files. Of course, FileFixPro is not a free application, so you are expected to pay in order to license it for use. FileFix Professional is obviously not what it is cracked up to be—it is, in fact, just another part of this whole scam—it only decrypts the files that its partner in crime (Trojan.Xrupter) has encrypted.

Symantec's free cleaning and decryption tool to restore encrypted files
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixXrupter.exe

 

Gift Conficker.c - April 1st payload still a mystery to researchers
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130228

QUOTE: PCs infected with Conficker.c, the third version of the worm that first appeared late last year, will use a new communication scheme on April 1 to establish a link to the command-and-control servers operated by the hackers who seeded the malware. The date is hard-coded into the worm, which in turn polls any of a number of major Web sites, including Yahoo, for the date, said Stewart.

"So far, we haven't seen any evidence [on those machines] of what it will do April 1," added Stewart, although that's to be expected. "It's not April 1 yet, so they're not going to put something online, where it might be found. In fact, it's almost a little risky for us to try to look for those sites, since it might give away that we have some bots in their network."  Symantec Corp.'s Vincent Weafer, vice president of the company's security response group, agreed with Stewart that it's impossible to know ahead of time what stunt Conficker's controllers will pull next week. "Nobody has any real idea," said Weafer. "There's no indication of what it will do April 1."

Weafer characterized the Conficker.c update as one to "armor and harden the existing infections," and noted that the variant, unlike its predecessors, cannot spread to other PCs. "This variant is very defensive-oriented," said Weafer, "to make it less visible and more resilient." Like Weafer, Stewart sees Conficker.c as a move by the worm's maker or makers to consolidate what's already infected. "The big question is what's the end game?" he said. "Is it just as big as they want it to get?"

Time Hopefully, Conficker.C won't affect as many people as in the past when more unpatched systems were present.  Still on April 1st, a much more robust version of Conficker will become active from its current dormant "sleep" mode.  In preparation for this expected outbreak, the Internet Storm Center has updated their excellent list of cleaning and informational resources

ISC - Updated Conficker Resource Center
http://isc.sans.org/diary.html?storyid=5860

QUOTE: I am hoping that this will allow you to pick and choose the information, removal tool, and more importantly your own path when mitigating Conficker.

Idea This advice differs from most articles.  It focuses on internal self improvement and ideas that can help indirectly.  These actions may also help relieve some of the job search stress during these difficult times.

Five Things To Do If You Lose Your IT Job
http://www.informationweek.com/news/showArticle.jhtml?articleID=215900165

QUOTE: Laid off. Downsized. Words that are heard often these days. That you would devote a significant amount of your time to finding another job -- as Fleming did -- is a given. But even the most aggressive job hunt won't take all your waking hours. There are only so many jobs ads to answer on Monster.com and Craigslist. Only so many recruiters who will take your calls. So to ward off what Fleming calls "the utter crazies," most unemployed IT workers are finding other outlets for their physical, intellectual, and emotional energy.

KEY SELF IMPROVEMENT TIPS WHILE SEEKING NEW JOB
1. Get Smart: Learn New Skills
2. Jumpstart A New Venture
3. Get In Shape (Physically Fit)
4. Spend More Time With Friends, Family
5. Volunteer To Help Others

You Tube has been actively cleaning malware that poses as complex video clips or games.  These posts have links and a message that states "Note, you may need to turn off your Anti-Virus?".  This is a dangerous option to take in letting down defenses just to see a video clip and users should avoid these schemes.

Malware asks users to turn off Anti-Virus protection
http://www.f-secure.com/weblog/archives/00001628.html

QUOTE: Today we took another look and found some more videos to flag. This video links to a file called Nintendo_Wii_Points_v2.exe. Wait, what does it say underneath the tooltip?  Note, you may need to turn off your Anti-Virus? Right… that doesn't sound at all suspicious.

Time The Conficker worm is one of the most dangerous malware threats in years, especially for corporate users.  A new "C" variant has been developed that's even more potent and stealthier than the two prior variants.  It's imperative that Microsoft's MS08-067 patch be applied to all servers and workstations, while the worm is currently dormant. 

If it establishes a foothold anywhere in the network, it can even spread to systems with the MS08-067, in they are insecure in other areas, as it uses multiple attack methods.  Please take precautions now, as this one will be even more difficult than "B" to clean.   

Conficker.C Worm - Major Attack targeted for April Fools Day
http://techfragments.com/news/629/Software/Downadup_Win32Conficker-C_Worm_Revving_Up_to_Spread.html
http://arstechnica.com/security/news/2009/03/confickerc-primed-for-april-fools-activation.ars
http://www.maximumpc.com/article/news/this_no_joke_confickerc_strike_april_fools_day
http://news.cnet.com/8301-1009_3-10196122-83.html
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976

QUOTE: Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts, most fiendish version of the Conficker worm that's infected millions of PCs already is set to attack on April 1st, Ars Technica reports. Conficker.C's designed to hide itself even more thoroughly than its older siblings Conficker.A and Conficker.B, using tricks such as:

Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
• Creating access control entries and locking the file(s)
Registers dummy services using a "one (name) from column A, one from column B, and two from column C" method
To find out what happens when Conficker.C strikes, join us after the jump.

Lightning Conficker.C's payload makes it harder than ever to recover from being infected:

Deactivates Windows Security Center notifications
Prevents restart in Safe Mode
Prevents Windows Defender from running at system startup
Deletes all system restore points
Disables various error-reporting and security services
Terminates over twenty security-related processes
Blocks DNS queries
Blocks access to security and antivirus websites
• And, to top it all off, Conficker.C can choose from a list of 500 domains to contact out of a pool of 50,000 (way up from Conficker.B's 32 out of 250).

Conficker.C - Detailed Evaluation by SRI
http://mtc.sri.com/Conficker/addendumC/

QUOTE: Variant C represents the third major revision of the Conficker malware family, which first appeared on the Internet on 20 November 2008.   C distinguishes itself as a significant revision to Conficker B.  In fact, we estimate that C  leaves as little as 15% of the original B code base untouched

Idea Below are some resources for information and cleaning tools for the Conficker worm:

Conficker - Cleaning tips for corporate users
http://msmvps.com/blogs/harrywaldron/archive/2009/01/27/conficker-cleaning-tips-for-corporate-users.aspx

Internet Storm Center - Conficker Resource Center
http://isc.sans.org/diary.html?storyid=5860

Microsoft Resources
http://support.microsoft.com/kb/962007
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

PWN2OWN Contest - Fully patched MAC owned in 10 seconds
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129978
http://blogs.zdnet.com/security/?p=2917

QUOTE: "I can't talk about the details of the vulnerability, but it was a Mac, fully patched, with Safari, fully patched," said Miller on Wednesday, not long after he had won the prize. "It probably took five or 10 seconds." He confirmed that he had researched and written the exploit before he arrived at the challenge.

The PWN2OWN rules stated that the researcher could provide a URL that hosted his exploit, replicating the common hacker tactic of enticing users to malicious sites where they are infected with malware. "I gave them the link, they clicked on it, and that was it," said Miller. "I did a few things to show that I had full control of the Mac."

At noon EDT, Microsoft will initially offer the official production version of IE8.  It represents a further improvement of it's browser technology in terms of security and functionality. A couple of precautions include:

-- Read all dialogs and option selections carefully, instead of simply pressing next

-- Be patient in trying to download this during the next couple days, as the site will most likely be saturated with users

-- Experienced users should download this version initially, in case any technical issues surface that might require recovery. It will later be available to everyone through Windows Update.

-- Corporate users may need to wait for official approval, in case there might be incompatible web applications or software.  It's always beneficial to lab test any new software release to ensure all applications are certified 

However, based on my own beta testing for several months, this new version will most likely be a quality product and I'm anxious to install it later today. 

Microsoft's IE8 - Final version available for download today
http://www.eweek.com/c/a/Windows/Microsoft-Ships-Internet-Explorer-8-Browser-184414/

Microsoft's IE8 browser offers cool features, better security, and improved performance.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129906

QUOTE:  Internet Explorer 8 has shipped in its final version and is ready to take on its rivals. This latest version of Microsoft's browser leapfrogs its closest competition, Firefox 3, for basic browsing and productivity features -- it has better tab handling, a niftier search bar, a more useful address bar, and new tools that deliver information directly from other Web pages and services. IE8 has also been tweaked for security and includes a privacy mode, new anti-malware protection, and better ways to protect your privacy.

CORPORATE USERS -- IEAK allows an enterprise to configure the browser to meet the company's default settings

Internet Explorer Administration Kit 8
http://technet.microsoft.com/en-us/library/cc817437.aspx

Microsoft Download Site
http://www.microsoft.com/windows/Internet-explorer/download-ie.aspx

TinyURLs allow a lengthly URL to be abbreviated. They are being used by malware writers to make links appear less suspicious. Always be careful with any link you click on, as malware can be automatically downloaded from a malicious website to vulnerable systems.

TinyURL usage becoming more common in Phishing and IM Attacks
http://blog.trendmicro.com/tinyurl-phishing-becoming-popular/
http://blog.trendmicro.com/tinyurl-now-used-in-im-phishing/

QUOTE: As TinyURLs become more and more popular, phishers are also exploiting the URL shortening service this said tool provides. They do this make phishing URLs less suspicious and less obvious than using the exact URL, which could be long and totally unrelated to the site a spammed message purports to be from.

AVERT labs shares a brief article on how malware can add start-up entries to the Windows registry, allowing it to operate even in SAFE MODE.  Malware infections that impact the Safe Mode environment are a growing trend.

Windows Safe Mode - How Malware can add start-up entries
http://www.avertlabs.com/research/blog/index.php/2009/03/12/safe-mode-a-misnomer/

QUOTE: If malware gains control of the system, it can add its entry under the above keys to load during a Safe Mode boot. This type of malware is difficult to remove manually; you’ll need an anti-virus product to detect and clean such malware.

These patches are working well on my home and work PCs.  MS09-006 is rated as critical and these important updates should be promptly applied. 


MS09-006 - Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690)

Affects: Windows 2000/XP/Server 2003/Vista/Server 2008
Link: http://www.microsoft.com/technet/security/Bulletin/MS09-006.mspx 


MS09-007 - Vulnerability in SChannel Could Allow Spoofing (960225)

Affects: Windows 2000/XP/Server 2003/Vista/Server 2008
Link: http://www.microsoft.com/technet/security/bulletin/ms09-007.mspx


MS09-008 - Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238)

Affects: WINS and DNS (Server 2000/2003/2008)
Link: http://www.microsoft.com/technet/security/bulletin/MS09-008.mspx

ISC: http://isc.sans.org/diary.html?storyid=5995

Microsoft: http://www.microsoft.com/technet/security/bulletin/ms09-mar.mspx

Secunia: 
MS09-008: http://secunia.com/advisories/34215/ 
MS09-007: http://secunia.com/advisories/34217/ 
MS09-006: http://secunia.com/advisories/34117/  

 

Users should apply these beneficial security changes:

Firefox 3.0.7 security and stability release now available
http://www.mozilla.com/en-US/firefox/3.0.7/releasenotes/
http://blog.mozilla.com/blog/2009/03/04/firefox-307-security-and-stability-release-now-available/

SECURITY ISSUES ADDRESSED BY v3.0.7
MFSA 2009-11  URL spoofing with invisible control characters
MFSA 2009-10 Upgrade PNG library to fix memory safety hazards
MFSA 2009-09 XML data theft via RDFXMLDataSource and cross-domain redirect
MFSA 2009-08 Mozilla Firefox XUL Linked Clones Double Free Vulnerability
MFSA 2009-07 Crashes with evidence of memory corruption (rv:1.9.0.7) 

 

More Posts Next page »