June 2009 - Posts

I use Firefox as a complementary browser and the latest new version became available today. The upgrade from 3.0.11 went well and so far there are no issues in using the new version.

Firefox 3.5 Home Page
http://www.mozilla.com/en-US/firefox/

Firefox 3.5 Key Features
http://www.mozilla.com/en-US/firefox/features/

Malware writers often use tragic news events to trick users into opening malicious website links, YouTube video links, or attachments. While most AV vendors have coverage in place, please avoid these types of email messages, which are now actively circulating.

Malicious SPAM related to the passing of Michael Jackson and Farrah Fawcett

http://isc.sans.org/diary.html?storyid=6646

http://isc.sans.org/diary.html?storyid=6658

http://sanesecurity.blogspot.com/2009/06/michael-jackson-virus-already.html

http://www.avertlabs.com/research/blog/index.php/2009/06/25/bad-news-oportunity-to-spread-malware/

http://securitylabs.websense.com/content/Alerts/3426.aspx

http://vil.nai.com/vil/content/v_132277.htm

http://www.avertlabs.com/research/blog/index.php/2009/06/26/michael-jackson-news-affects-web-traffic/

QUOTE: Michael Jackson virus already. Well, it didn't take long for the "them" to abuse the situation, did it?

The spam email appears to offer a link to a YouTube video, but instead sends the recipient to a Trojan Downloader hosted on a compromised Web site. The file offered is called Michael.Jackson.videos.scr.

Scareware and other Rogue security programs

Below are some excellent articles and awareness material on this popular form of attack. These programs are getting better at imitating legitimate anti-virus products and should be avoided, as they are difficult to remove once installed.

Excellent Article on Scareware and other Rogue security programs
http://lastwatchdog.com/scareware-attacks-spreading-twitter-google-legit/
http://www.usatoday.com/tech/news/2009-06-09-cybergangs-scareware-hackers_N.htm

QUOTE:  In some cases, the fake software you buy may actually provide you with some nominal protection. But mostly for your $30 to $80 the only thing you get is temporary relief from the obnoxious dialogue boxes, and misleading hard drive scans.

HOW SCAREWARE TRICKERY ENSNARES INTERNET USERS
1 Criminals buy blocks of ad space on websites, intermittently slipping in a tainted ad.
2 Just visiting a webpage with a tainted ad causes a fake warning box to appear.
3 Clicking "OK" or "Cancel" launches the same thing: a "free scan."
4 After you've been lured into a fake "free" scan of your PC:
5 The bogus scan will purport to find a virus infestation.
6 Ensuing boxes steer the user to activate "Personal Antivirus," on left.
7 The activation prompts take the user to a shopping cart.
8 Declining to place an order triggers endless fake scans.

What is Scareware
http://en.wikipedia.org/wiki/Rogue_software
http://whatis.techtarget.com/definition/scareware.html

QUOTE: Scareware is a type of malware designed to trick victims into purchasing and downloading useless and potentially dangerous software. Scareware, which generates pop-ups that resemble Windows system messages, usually purports to be antivirus or antispyware software, a firewall application or a registry cleaner. The messages typically say that a large number of problems -- such as infected files -- have been found on the computer and the user is prompted to purchase software to fix the problems. In reality, no problems were detected and the suggested software purchase may actually contain real malware.

Scareware programs produced by those companies include: DriveCleaner, WinAntivirus, ErrorSafe, WinFixer and XP Antivirus.

As many folks realize, Microsoft does not distribute updates by email. However, Microsoft will alert users who have signed up for Patch Tuesday notifications that new updates are available.

In the links below, Trend Labs notes a highly deceptive email that contains authentic-looking HTML and valid Microsoft site links. Even the wording appears legitimate. The sender address is also spoofed to appear as if it originated from "Microsoft Customer Support".

Fortunately, messages with spoofed headers often end up in the spam or bulk mail folder automatically. As Trend Labs notes, the best practice of hovering over a link before clicking it reveals a destination different from the one shown in the message.

Finally, when notified of any vendor update, it is always best to go to the vendor's home site and check directly rather than using the email link. However, this particular attack could trick some users, as it bears some resemblance to a Microsoft security notification.

Trend Labs - “Critical Update” Leads to Critical Info Theft

http://blog.trendmicro.com/critical-update-leads-to-critical-info-theft/

http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FZBOT%2EBTS&VSect=T

Spoofed “Critical Update” appears to originate from Microsoft

http://www.trendmicro.com/vinfo/images/blog/062209_fig1.gif

QUOTE: Microsoft Corporation regularly issues updates to fix bugs and security vulnerabilities in its software products. These updates are meant to protect its users from different attacks that depend mainly on exploiting these documented bugs. Close to the weekend, we identified spam claiming to be a Microsoft Outlook and Outlook Express critical update that “offers the highest levels of stability and security.”

A tricky difference here is that all the links in the email (the links to Contact Us, Privacy Statement, Trademarks, and Terms of Use) are legitimate, except one. The URL where the “critical update” may be downloaded looks legitimate, but hovering over the hyperlink (or checking the source code of the mail) reveals a totally different destination.

Our engineers confirm that the list contained several names of banking institutions, among other social networking targets like Facebook and MySpace, and media sites YouTube and Flickr. The list can be viewed here. Note that the said list may be changed at any time.

How does the scam work? Whenever the user visits any of the monitored sites, the Trojan starts logging keystrokes. It then saves gathered information (which presumably includes sensitive information like user name and password, credit card information, etc.) in a file and then sends the file to a dedicated server.
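The hover check Trend Labs describes, automated as an added example (not code from the original post or from Trend Labs): it parses the anchors of an HTML message and flags any link whose visible text looks like a URL but resolves to a different host, or whose destination lies outside the claimed sender's domain. The sample message and the example.net host are constructed.

```python
"""Flag anchors in an HTML e-mail whose visible text disagrees with the real destination."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the document."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-case host of a URL or bare domain ('' when there is none)."""
    if value.lower().startswith("mailto:"):
        return ""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def same_site(host, expected):
    """True when host is expected itself or a subdomain of it."""
    return host == expected or host.endswith("." + expected)

# Visible text that itself looks like a URL or domain is what the hover check compares.
HOSTLIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

def suspicious_links(html, claimed_domain):
    """Return (href, text, reason) for anchors that a reader should not trust."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = host_of(href)
        if not target:  # mailto: or relative links carry no host to compare
            continue
        if HOSTLIKE.match(text) and not same_site(target, host_of(text)):
            findings.append((href, text, "displayed URL differs from real destination"))
        elif not same_site(target, claimed_domain):
            findings.append((href, text, "destination outside the claimed sender's domain"))
    return findings

# Constructed sample modelled on the lure described above (not the real message):
# every footer link is genuine, only the "update" link points elsewhere.
SAMPLE_EMAIL = """<html><body>
<p>A critical update for Microsoft Outlook / Outlook Express is now available.</p>
<p><a href="http://update-centre.example.net/outlook-update.exe">http://www.microsoft.com/downloads/OutlookUpdate.exe</a></p>
<p><a href="http://www.microsoft.com/contact/">Contact Us</a> |
<a href="http://privacy.microsoft.com/">Privacy Statement</a> |
<a href="http://www.microsoft.com/trademarks/">Trademarks</a> |
<a href="http://www.microsoft.com/terms/">Terms of Use</a></p>
</body></html>"""

for href, text, reason in suspicious_links(SAMPLE_EMAIL, "microsoft.com"):
    print(f"{reason}: shown '{text}' -> actually {href}")
```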

SPAM email should always be deleted without opening it or any accompanying attachments. Daily, I receive numerous copies of dating-service and other SPAM in my personal email.

Some key dangers include tricking users into visiting malicious websites or into revealing credit card or personal information.

Trend Labs shares some dangers in a good awareness article below:

http://blog.trendmicro.com/deceitful-advertisement-thru-dating-spam/

QUOTE: Today we have noticed an increase in the amount of dating spam mails containing phrases such as:

I’m emailing you because I like you
wanted to let you know about my profile
you have been invited to join

The link in the spam points to an adult-dating web page, as well as a profile on the right corner of the screen with a huge clickable ad that says, CLICK HERE TO CHAT FOR FREE.

Following the link opens a page where the visitor is asked to register by providing an email address and password. Afterward the visitor’s browser opens a new site where he/she is prompted to create a preferred chat handle (username). Users tempted to correctly fill up the forms from the shown web pages provide a free service to the cybercriminals as they reveal their valid email addresses, passwords, and credit card information.

Please be careful when visiting websites, as malicious attacks continue to compromise sites that may not be well locked down from a security standpoint.

Nine-Ball Mass Injection attack compromises 40,000 Websites
http://www.eweek.com/c/a/Security/40000-Web-Sites-Compromised-in-Mass-Attack-227486/
http://securitylabs.websense.com/content/Alerts/3421.aspx
http://vil.nai.com/vil/content/v_141590.htm

QUOTE: Websense Security Labs has detected another large mass injection attack in the wild after the Beladen and Gumblar attacks. We are calling this mass compromise Nine-Ball because of the final landing site. We have been tracking the Nine-Ball mass compromise since 6/03/2009. To date, over 40,000 legitimate Web sites have been compromised with obfuscated code that leads to a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a trojan downloader on the user's machine.

After redirection, the exploit payload site returns highly obfuscated malicious code. The malicious code attempts to exploit MS06-014 (targeting MDAC) and CVE-2006-5820 (targeting AOL SuperBuddy), as well as employing exploits targeting Acrobat Reader and QuickTime. The MS06-014 exploit code will download a Trojan dropper with low AV detection rate. This dropper drops a dll with the name SOCKET2.DLL to Windows' system folder. This file is used to steal user information. The malicious PDF file, served by the exploit site, also has very low AV detection rate.

Several media reports are circulating about a new Microsoft consumer security product that will soon be announced. Since early reports sometimes contain inaccuracies, only the company's official announcements should be relied upon at this point.

Hopefully, MSE will be successful in providing basic security protection. WGA validation also seems to be a reasonable requirement for the enhanced malware protection this product will offer. Once official Microsoft announcements are published, we'll know more about this new product.

Microsoft Security Essentials (MSE) Beta version to be released soon
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=913455
http://www.informationweek.com/news/security/app-security/showArticle.jhtml?articleID=218100195
http://www.pcmag.com/article2/0,2817,2348996,00.asp
http://news.cnet.com/8301-1009_3-10268040-83.html
http://www.windowslive.com/Connect/Post/14eb0c3e-78fc-4e21-8783-c4521a4d83a6
http://blogs.zdnet.com/microsoft/?p=3120
http://blogs.zdnet.com/Bott/?p=1067

PC Magazine - Early in-depth evaluation
http://www.pcmag.com/article2/0,2817,2348998,00.asp

QUOTE: Microsoft Corp. today said it will release a public beta of its free antimalware software, now called Microsoft Security Essentials, formerly "Morro," next Tuesday for Windows XP, Vista and Windows 7. "This is security you can trust," said Alan Packer, general manager of Microsoft's antimalware team, when asked to define how it differs from rivals, both free and not. "And it's easy to get and easy to use." He stressed the Security Essentials' real-time protection over its scanning functions, which are both integral to any security software worth its weight. "Rather than scan and clean, which it also does, it's trying to keep you from being infected in the first place," Packer said.  Microsoft will not give Security Essentials to everyone who wants it, however. PCs running a copy of Windows that Microsoft decides is counterfeit or pirated -- "non-genuine" in its parlance -- cannot download a copy of the security software.

Hopefully, Twitter's site administrators can respond promptly to the proof-of-concept vulnerabilities disclosed by Aviv Raff, a highly experienced security researcher. Users should watch for any major issues that surface. Most importantly, be careful with all forms of communication, keeping a good focus on privacy and security.

Month of Twitter Bugs - July 2009
http://blogs.zdnet.com/security/?p=3632

QUOTE: A well-known security researcher plans to use the month of July to expose serious vulnerabilities in the Twitter ecosystem. The Month of Twitter Bugs, a project which launches on July 1, is the handiwork of Aviv Raff, a researcher known for his work on Web-based security issues.  Raff, who previously warned that the Twitter API is ripe for abuse, says the project will disclose a  combination of cross-site scripting (XSS) and cross-site request forgery (CSRF) flaws that put Twitter users at risk of malicious hacker attacks.

Exploits are circulating for this unpatched DirectShow vulnerability, which lies in its QuickTime parsing component. The FixIt provides an easy-to-apply workaround for now, and it can be disabled just as easily if it breaks needed QuickTime functionality:

FixIt registry update can provide protection (can be enabled/disabled easily)
http://support.microsoft.com/default.aspx/kb/971778

More details can be found in the links below:

DirectShow exploits circulating in the wild
http://myitforum.com/cs2/blogs/cmosby/archive/2009/06/18/directshow-exploit-in-the-wild-symantec-security-response-blog.aspx
https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/vulnerabilities_exploits/article-id/198

Technical Details on current exploit
http://www.symantec.com/security_response/writeup.jsp?docid=2009-061001-1828-99&tabid=2

Key Microsoft Links
http://www.microsoft.com/technet/security/advisory/971778.mspx
http://support.microsoft.com/default.aspx/kb/971778
http://blogs.technet.com/msrc/archive/2009/05/28/microsoft-security-advisory-971778-vulnerability-in-microsoft-directshow-released.aspx
http://blogs.technet.com/srd/archive/2009/05/28/new-vulnerability-in-quicktime-parsing.aspx

Additional Links
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1537
http://secunia.com/advisories/35268

QUOTE (Secunia): According to Microsoft, the vulnerability is currently being actively exploited.

Microsoft is adjusting Autorun technology for XP to provide the improved safety that Vista currently supports. AVERT Labs raises awareness that any portable storage device (e.g., MP3 player, digital picture frame, digital camera, etc.) may also be vulnerable to Autorun malware attacks. Additionally, these worms often infect unprotected network shares, as well as compromising accounts with weak passwords.

Autorun Worms - Infect more than just USB Flash Drives
http://www.avertlabs.com/research/blog/index.php/2009/06/11/worms-dig-further-than-thumb-drives/

QUOTE:  Here’s a little quiz: Which of the following devices may be susceptible to AutoRun worms? 

Answer - Most USB devices that you can plug into your computer that have storage

How many of you have an MP3 player? How many of you plug the device into more than one computer? Bingo, that’s a vector for replication. How about a digital video camera, or a digital picture frame? Yep, they can also be infected. Just imagine this one: “Here you go grandma, a picture of little Bobby. Oh, and a little surprise to go with it, as well.”  Devices such as MP3 players are just glorified storage drives with additional functions. One unintended aspect of this functionality may be to assist in worm propagation.
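An added example (not from the original post or AVERT Labs) of the check a defender can run on any removable device's autorun.inf before trusting it: it parses the [autorun] section tolerantly, since worm-written files pad it with junk lines and mixed-case keys, and reports the directives that would launch a program. The two sample files and their paths are constructed.

```python
"""Check an autorun.inf for directives that launch a program automatically."""
import re

# Keys that run a program when the device is inserted or its drive icon is opened.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.I)
EXEC_EXT = re.compile(r"\.(exe|com|scr|bat|cmd|pif|vbs|js|dll)\b", re.I)

def parse_autorun(text):
    """Tolerant INI-style parse returning {key: value} from the [autorun] section.

    Lines without '=' are skipped and names are lower-cased, because
    worm-written files pad the section with junk and vary the key case.
    """
    directives = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives

def launch_directives(text):
    """Return the (key, value) pairs that would execute something on their own."""
    return [(k, v) for k, v in parse_autorun(text).items()
            if k in LAUNCH_KEYS or SHELL_COMMAND.match(k)]

def is_suspicious(text):
    """True when any launch directive names an executable file type."""
    return any(EXEC_EXT.search(v) for _, v in launch_directives(text))

# Constructed samples: a benign installer-style file and a worm-style one
# (paths are made up; the 'action' line mimics Explorer's own AutoPlay entry).
BENIGN_INF = r"""[autorun]
icon=setup.ico
label=Product CD
"""

WORM_STYLE_INF = r"""[AuToRuN]
;kq#$!@ junk padding
OpEn=hidden\launcher.exe
xYz4l
shell\open\Command=hidden\launcher.exe
Action=Open folder to view files
UseAutoPlay=1
"""

if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("worm-style", WORM_STYLE_INF)):
        print(name, "suspicious" if is_suspicious(inf) else "clean", launch_directives(inf))
```

The host-side counterpart of the XP change mentioned above is the NoDriveTypeAutoRun policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer; setting it to 0xFF disables Autorun for all drive types.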

In almost all cases, Windows Update (or preferably Microsoft Update) works reliably. I usually update manually as soon as possible rather than waiting for Automatic Updates to start. Windows Update can be invoked immediately by selecting the Windows Update option found under the Safety shield icon in IE8, among other methods.

All my work PCs were updated without issues for the June 2009 security updates. However, I encountered a rare error on our family PC at home. A total of 10 of the 11 updates downloaded and installed properly, but after rebooting, security update MS09-025 continued to show a "Download Failed" message. I noted a temporary folder on C: created by the June updates that may have been a factor.

After 3 tries using Windows Update, I went to the Microsoft Download site to manually update MS09-025. As a starting point, I searched using the keyword MS09-025 to locate the specific update that needed to be applied. After locating the XP security patch, I downloaded and installed it manually, outside of the regular Windows Update process.

Microsoft's Download Site
Search by bulletin or KB # to find a specific security update for your O/S
http://www.microsoft.com/downloads/en/default.aspx

After successfully installing MS09-025 and rebooting, I reinvoked Windows Update to ensure there were no updates left to be applied. This final step confirmed that the special manual update process was successful, and we are now properly up to date at home.

I've used Opera as a complementary browser since the free "ad-bar" version first surfaced several years ago. Thankfully the ad bar was later removed and Opera has enjoyed a good track record in security, innovation, and web standards support. While less popular than IE or Firefox, it offers a sophisticated and reliable browser environment. It is working well so far in early testing.

Opera 10 Beta - New Innovations
http://www.eweek.com/c/a/Web-Services-Web-20-and-SOA/Opera-10-Beta-Adds-Turbo-Mode-Makes-Improvements-to-Tabbed-Windows-669426/

QUOTE: The Opera 10 beta includes new features—including a Turbo mode that aims to speed slow connections—that will likely find their way into rival browsers in the future.  Ever wonder what features will be found in the next generation of Web browsers? Well, usually there’s one easy way to find out: Just check out the latest version of Opera.  Opera may not be the best known or most used Web browser out there, but, over the years, it has been one of the most innovative. Often, features that become mainstays across browsers appeared first in Opera.

Opera 10 Beta - Features
http://www.opera.com/browser/next/

Opera 10 Beta - Download
http://www.opera.com/browser/download/?ver=10.00b1

Opera 10 Beta - Blog
http://my.opera.com/desktopteam/blog/

Opera 10 Beta - New Features
http://www.opera.com/docs/changelogs/windows/1000b1/

KEY NEW FEATURES
* Opera Turbo Mode
* Automatic updates
* Crash logging
* Inline spelling checker
* 100/100 and pixel-perfect on the Acid3 test
* Significantly improved performance, particularly on CSS/HTML rendering
* Opera Mail HTML Compose support

Every monthly update should be applied as soon as possible. Often we are racing against the clock to patch all systems and make them safer from exploits that will emerge or may already be found in the wild.

The June 2009 security release has 10 security updates that cover a wide range of MS products (e.g., Windows, IE, Office, and IIS). So far these installed updates are working well and without issues on my PCs. As some of the patched vulnerabilities have working exploits, it is important for everyone to PATCH NOW.

Microsoft Security June 2009 Updates - IMPORTANT Patch Tuesday Updates
https://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx

Excellent Analysis of updates
http://isc.sans.org/diary.html?storyid=6538
http://blog.trendmicro.com/june-2009-microsoft-and-adobe-security-updates/

MS09-018 - Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)
MS09-019 - Cumulative Security Update for Internet Explorer (969897)
MS09-020 - Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
MS09-021 - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)
MS09-022 - Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)
MS09-023 - Vulnerability in Windows Search Could Allow Information Disclosure (963093)
MS09-024 - Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)
MS09-025 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
MS09-026 - Vulnerability in RPC Could Allow Elevation of Privilege (970238)
MS09-027 - Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)

Microsoft asking for help with SysInternals Survey
http://isc.sans.org/diary.html?storyid=6544

QUOTE: Hands-down the best tools for determining what is going on on a Windows system are Mark Russinovich's and Bryce Cogswell's Sysinternals Tools.  Frequent contributor Roseman has pointed out that Microsoft is asking for your help improving the Sysinternals tools. Over at the Microsoft Technet blog they are requesting Sysinternals users to take a short survey.

http://blogs.technet.com/sysinternals/archive/2009/06/08/short-sysinternals-customer-survey.aspx

QUOTE: Sysinternals Customer Survey – We could use your help.  We're looking into who uses the Sysinternals tools and what other Microsoft tools you use. Please take this very short questionnaire (7 questions max. depending on how you answer). We won’t ask you who you are, your email or anything that can identify you. - Thanks

Recently, I saw articles stating that the Gumblar website injection attacks were gaining strength and could become worse than Conficker. Gumblar was a very sophisticated malware attack that took off like wildfire a couple of weeks ago. Thankfully, this threat has almost faded away, as the malware-hosting websites were quickly shut down by authorities.

Experts: Gumblar attack is alive, worse than Conficker
http://news.cnet.com/8301-1009_3-10251779-83.html

Gumblar Attacks Dying Off
http://blogs.pcmag.com/securitywatch/2009/06/gumblar_attacks_dying_off.php

Conficker is still alive and well, as it continues to infect up to 50,000 PCs daily. Users need to stay up-to-date on all security updates and AV protection.  We should follow major evolving threats, as sophisticated stealth attacks continue to circulate.

Conficker still infects approximately 50,000 PCs daily
http://viewfromthebunker.com/2009/05/20/conficker-continues-to-spread/
http://www.networkworld.com/news/2009/052109-conficker-still-infecting-50000-pcs.html

QUOTE: The worm is infecting about 50,000 new PCs each day, according to researchers at Symantec, who reported Wednesday that the U.S., Brazil and India have been hit the hardest. "Much of the media hype seems to have died down around Conficker/Downadup, but it is still out there spreading far and wide," Symantec said in a blog post.
