August 2009 - Posts


August 2009 - Top MSRT Detections
http://blogs.technet.com/mmpc/archive/2009/08/27/msrt-august-top-detection-reports.aspx
http://blogs.pcmag.com/securitywatch/2009/08/microsoft_lists_top_10_windows.php

QUOTE: This month the MMPC added a new threat family, Win32/FakeRean, to the MSRT.  You can refer to Hamish’s blog post, “Win32/FakeRean and MSRT” for more details on this fake, or rogue, security software.  As of August 24, the MSRT had cleaned FakeRean from 162,328 infected machines.  The following table shows data gathered from the MSRT since its August release.

Win32/Taterf noticeably still holds first place in the MSRT’s top detections.  This is a family of worms that spread via mapped drives in order to steal login and account details for popular online games.  Taterf is closely related to Win32/Frethog, another MSRT family added at the same time as Taterf, and also found in the above list. We believe that the two are based on the same source code due to the similarities between them. Since they were first added, these two families have been ranked near the top and this month is no exception.  You can revisit a previous blog post about this threat for more in-depth details.

-----------------------------------------------
Family      Threat     Machines
-----------------------------------------------
Taterf      544,662    463,000
Renos       308,789    228,973
Alureon     249,101    211,441
FakeRean    219,359    162,328
Bancos      173,134    158,152
Koobface    274,769    134,139
Frethog     140,218    132,827
Cutwail     166,284    110,840
Rustock      98,673     90,788
Tibs         93,175     84,081

I was surprised to see how prevalent the "A" and "B" variants of the Conficker worm (which exploits MS08-067, autorun exposures, and other vulnerabilities) still are.  While the close to 6 million IP addresses are not the true number of PCs infected, there are still a considerable number that need patching.

Conficker Still A Big Deal
http://blogs.pcmag.com/securitywatch/2009/08/conficker_still_a_big_deal.php

Conficker Working Group - Current Statistics
http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking

Conficker Infection Test - Can you see all 6 images? (if yes your PC is okay)
http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

QUOTE: The Conficker worm outbreak seems so long ago and there's been no news about it for so long, but that doesn't mean it went away.

The Conficker Working Group, a consortium of security and related companies, continues to track the massive botnet created by the outbreak. These days it runs at around 6.2 million unique IP addresses. About 80% of these appear to be Conficker A and B. The C variant was not all that successful, because the avenues for its spread had already been largely cut off.

The fact that the numbers fluctuate within a fairly narrow range means that the botnet is pretty stable, but it's hard to say exactly what's happening. The testing measures IP addresses which means that some systems (notebooks that roam from network to network) are overcounted and some (networks with NAT) are undercounted. I think it all adds up to a very stable network; the systems that got infected in the original outbreaks are, by and large, still infected.

These tables are specifically for the A+B infections.

-----------------------------------------------------
Day        Date        Total HTTP Hits  Unique IPs
-----------------------------------------------------
Friday     2009-08-28      329,610,182    5,768,246 
Thursday   2009-08-27      369,957,038    5,882,556  
Wednesday  2009-08-26      366,973,896    5,864,465 
Tuesday    2009-08-25      328,376,902    5,675,661  
Monday     2009-08-24      280,028,571    5,726,258  
Sunday     2009-08-23      305,703,590    5,157,771   
Saturday   2009-08-22      337,360,653    5,263,328  
Friday     2009-08-21      334,046,979    5,649,833
Thursday   2009-08-20      347,347,632    5,723,993 
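The two columns in the table above, total HTTP hits and unique IPs per day, are the kind of figures a sinkhole operator derives from its web logs. The following is an added example (not Conficker Working Group code) that computes both columns from constructed, simplified log lines; the sample data is made up and the line format (client IP, bracketed timestamp, request) is an assumption, not the working group's actual log format. It also shows why the daily unique-IP figures cannot simply be added up, and why a single address that makes many requests (as a NAT gateway in front of several infected hosts would) still counts as one IP.

```python
"""Derive daily "Total HTTP hits" and "Unique IPs" from sinkhole-style web logs.

Added example, not Conficker Working Group code. The log lines are constructed
in a simplified common-log-like format and are not real sinkhole data.
"""
import re
from collections import defaultdict

# Constructed sample log covering two days. 198.51.100.10 appears on both days
# (a machine that stays infected is counted once per day); 203.0.113.9 makes
# several requests from one address (as hosts behind a NAT would, all of them
# collapse into a single unique IP). The last line is deliberately malformed.
SAMPLE_LOG = """\
198.51.100.10 [2009-08-27 00:01:02] "GET /search?q=0 HTTP/1.1" 200
198.51.100.10 [2009-08-27 00:01:03] "GET /search?q=1 HTTP/1.1" 200
203.0.113.7 [2009-08-27 03:14:15] "GET /search?q=2 HTTP/1.1" 200
198.51.100.10 [2009-08-28 00:02:02] "GET /search?q=3 HTTP/1.1" 200
203.0.113.9 [2009-08-28 05:00:00] "GET /search?q=4 HTTP/1.1" 200
203.0.113.9 [2009-08-28 05:00:01] "GET /search?q=5 HTTP/1.1" 200
203.0.113.9 [2009-08-28 05:00:02] "GET /search?q=6 HTTP/1.1" 200
this line is malformed and is skipped
"""

# client IP, then "[YYYY-MM-DD hh:mm:ss]", then the quoted request
LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<date>\d{4}-\d{2}-\d{2}) [^\]]*\] "')


def summarize_by_day(log_text):
    """Return {date: (total_hits, unique_ips)} in date order.

    Unique IPs are counted per day, which is what the table above reports;
    lines that do not parse are ignored rather than aborting the run.
    """
    hits = defaultdict(int)
    ips = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hits[m["date"]] += 1
        ips[m["date"]].add(m["ip"])
    return {d: (hits[d], len(ips[d])) for d in sorted(hits)}


def unique_ips_over_window(log_text):
    """Distinct IPs across the whole log; smaller than the sum of daily figures."""
    return len({m["ip"] for m in map(LINE_RE.match, log_text.splitlines()) if m})


def format_table(summary):
    """Render the summary in the same layout as the working group's table."""
    lines = ["Date        Total HTTP Hits  Unique IPs"]
    for date, (hits, uniq) in summary.items():
        lines.append(f"{date}  {hits:>15,}  {uniq:>10,}")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize_by_day(SAMPLE_LOG)
    print(format_table(summary))
    print("unique IPs over the whole window:", unique_ips_over_window(SAMPLE_LOG))
```

On the sample data the two days report 2 unique IPs each (4 in total if naively summed), but only 3 distinct addresses exist across the window, which is the reason the working group publishes per-day figures rather than a running total. Run it against real sinkhole logs by replacing `SAMPLE_LOG` with the file contents and adjusting `LINE_RE` to the actual log format.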


AV vendors are preparing to release their 2010 product versions this fall. New 2010 rogue variants have already emerged from the Antivirus 2009 family.  These fake programs may trick users into believing they are legitimate products.  Once infected, users are presented with continuous fake malware popups to convince them to send $39 electronically to the malware authors.

Prepare for the new upcoming 2010 AV products
http://www.avertlabs.com/research/blog/index.php/2009/08/28/prepare-for-the-new-upcoming-2010-av-products/

PC Antispyware 2010 - This fake AV product is malicious
http://vil.nai.com/images/090828DKoPCAS1l.jpg

QUOTE: Many major security companies are about to release their new retail product for 2010. Expect some comparative reviews in the next months, check what you need and stay protected. Some ‘2010’ products are already out on the web, but unfortunately most of them are FakeAlert Trojans or Scareware.

Once downloaded, you see pop-up windows alerting you about malware found on your machine and asking you to buy the product. The actual problem is the software you just executed. PC Antispyware 2010 is a perfect example of such “malicious software disguised as legitimate software”.


What is Rogue Software?
http://en.wikipedia.org/wiki/Rogue_software

QUOTE: Rogue security software is a form of computer malware that deceives or misleads users into paying for the fake or simulated removal of malware. Rogue security software, in recent years, has become a growing and serious security threat in desktop computing.


As the TrendLabs article reports, Firefox is becoming a greater target for malware development because it is a popular browser choice among users.  Everyone should continue to be careful no matter what operating system or browser they use.

Firefox Add-on Spies on Google Search Results
http://blog.trendmicro.com/firefox-addo-spies-on-google-search-results/

QUOTE: Trend Micro threat analysts were alerted to the discovery of a spyware (detected as TSPY_EBOD.A) purporting to be an Adobe Flash Player update. Upon execution, the spyware creates a Firefox add-on called “Adobe Flash Player 0.2,” the installer of which uses JavaScript (detected as JS_EBOD.A) and appears to spread via forum posts.


Microsoft is in the process of implementing "Office Genuine Advantage" (OGA) controls to ensure copies of Office are legitimate.  These controls are similar to the Windows Genuine Advantage (WGA) controls, which have improved since the earlier implementations.  Corporate and home users can visit the OGA home page below for more information, or for help in the rare cases where issues surface on legitimate copies.

Microsoft rolls out next phase of Office Genuine Advantage
http://sunbeltblog.blogspot.com/2009/08/microsoft-rolls-out-next-phase-of.html

QUOTE: Microsoft updates this week will contain code to check for pirated versions of Office XP, Office 2003 and Office 2007. It’s the next phase of the “Office Genuine Advantage” (OGA) program which will throw up a nag screen that says “This copy of Microsoft Office is not genuine” if it finds a pirated version. Theft by software pirates is vast. It was estimated that 41 percent of the software on machines throughout the world in 2008 was pirated – a $50 billion loss to manufacturers and resellers.

Office Genuine Advantage (OGA) - Home Page
http://www.microsoft.com/genuine/office/AboutNotifications.aspx

Moving to WPA2 is worthwhile for safer wireless security, even if it means purchasing new hardware.

Internet Storm Center -- WPA with TKIP done
http://isc.sans.org/diary.html?storyid=7027

QUOTE: Researchers in Japan describe how to perform the Beck-Tews style attack against any WPA-TKIP implementation, in under a minute. The paper and upcoming presentation have already been covered in the mainstream media. If your hardware supports it, time to consider moving to WPA with AES or WPA2.

Full 12 Page Study
http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%20on%20WPA.pdf

Those in the financial services industry should exercise caution, as noted below:

Malicious CD ROMs mailed to banks
http://isc.sans.org/diary.html?storyid=7024
http://www.ncua.gov/news/press_releases/2009/MR09-0825a.htm

QUOTE: The National Credit Union Administration (NCUA) published an interesting advisory.  Member credit unions evidently are reporting receiving letters which include two CDs. The letters claim to originate from the NCUA and advertise the CDs as training materials. However, it appears that the letter is a fake and the CDs include malware.


The Ilomo botnet uses advanced techniques to hide, steal ID/password information, and spread to other PCs.  It was recently highlighted as one of the top 10 threats, and its design is very sophisticated.

All Your Info Are Belong to Us
http://blog.trendmicro.com/all-your-info-are-belong-to-us/

QUOTE: Ilomo has two key components to its business plan. The first is good old fashioned information stealing. Ilomo injects its code into the browser and monitors the internet connection waiting for the user to connect to one of over 4,000 banking, financial or webmail sites. Ilomo ‘s second source of revenue is selling “anonymity as a service.” Every infected Ilomo machine acts as a proxy so that criminals can route their illegal activities through different networks and countries.

Ilomo Botnet - Detailed analysis (30 page PDF)
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/ilomo_external.pdf

Corporate administrators should apply SP2 to WSUS 3.0 to get the most recent fixes and features (including support for Windows 7 and Windows Server 2008 R2).

WSUS 3.0 SP2 released
http://isc.sans.org/diary.html?storyid=7018
http://support.microsoft.com/kb/972455

QUOTE: The most important feature is probably the integration with up and coming versions of Windows like 2008 R2 and Windows 7. Without WSUS support, it would be hard for many organizations to deploy these new Windows versions.  One improvement that caught my attention:  "Stability and reliability fixes are included for the WSUS server, such as support for IPV6 addresses that are longer than 40 characters."

eWeek shares a good summary of new features that will be coming in Windows 7:

10 Microsoft Windows 7 Features to Anticipate
http://www.eweek.com/c/a/Windows/10-Microsoft-Windows-7-Features-to-Anticipate-233813/

Microsoft Windows 7, touted as an improvement on both Vista and XP, will include many changes to previous versions of the operating system. In addition to fundamental improvements, such as programming tweaks that increase its overall speed, there will also be funkier adjustments, including eccentric new wallpapers.

SUMMARY OF TEN FEATURES FROM EWEEK EVALUATION

1. Less of a Memory Hog - memory management that drives resources only to open windows, meaning that minimized applications no longer drain power like they did with Vista.

2. The Taskbar - reduces your open applications to thumbnail logos—hover your cursor over one of the logos, and tiny preview windows for the application will open.

3. Windows XP Mode - thanks to virtualization, allows old applications to run on Windows XP within a Windows 7 machine.

4. Federated Search - allowing users to explore local and network drives on top of intranet storage.

5. Libraries - higher degree of granular control over how they order and store their information

6. User Account Controls - users are able to choose “Never Notify,” “Always Notify” and two options in between whenever a program attempts to make a change

7. Start Menu - more customizable, with users able to adjust how links, icons and menus are displayed and behave.

8. AppLocker - used to lock down certain applications on an administrator level. This granular access control to applications can potentially make lives easier for

9. Chance to Get Rid of Vista and XP - welcome chance for many PC users to finally upgrade their desktop or laptop to a more efficient, 21st century operating system.

10. The Trippy Backgrounds - new wallpapers being offered with Windows 7 are colorful, to say the least

As with regular browser (HTTP) cookies, the special Flash cookies have some potential for misuse.  While most sites are safe, clearing both types of cookie files on a periodic basis can be helpful in safeguarding privacy.

Adobe Flash Cookies - Privacy concerns
http://blogs.pcmag.com/securitywatch/2009/08/flash_cookies_are_tracking_you.php
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862

QUOTE: This is a pilot study of the use of 'Flash cookies' by popular websites. We find that more than 50% of the sites in our sample are using flash cookies to store information about the user. Some are using it to 'respawn' or re-instantiate HTTP cookies deleted by the user. Flash cookies often share the same values as HTTP cookies, and are even used on government websites to assign unique values to users. Privacy policies rarely disclose the presence of Flash cookies, and user controls for effectuating privacy preferences are lacking.

How to control Flash Cookie and other options
http://www.macromedia.com/support/documentation/en/flashplayer/help/help02.html
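Adobe's settings manager (linked above) is the supported way to inspect and remove Flash cookies; for an audit or a scheduled clean-up, the same objects can be handled directly from the filesystem, since Flash Player stores them as `.sol` files under a per-user `#SharedObjects` directory. The following is an added example, not Adobe's code or the cited study's. It assumes the usual per-user locations of that directory on Windows, macOS and Linux and the layout `#SharedObjects/<profile id>/<site domain>/.../<name>.sol`; both are assumptions, so the functions take an explicit base directory, and `demo()` runs them against a constructed temporary tree rather than a real profile.

```python
"""Find and clear Flash Player local shared objects ("Flash cookies").

Added example, not Adobe's code or the cited study's. It assumes the usual
per-user '#SharedObjects' directory of Flash Player and the layout
#SharedObjects/<profile id>/<site domain>/.../<name>.sol; pass an explicit
base directory to work on another location or, as demo() does, on a
constructed test tree.
"""
import os
import sys
import tempfile
from pathlib import Path


def default_shared_objects_dir():
    """Usual '#SharedObjects' location per platform (assumed standard paths)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        appdata = Path(os.environ.get("APPDATA", home / "AppData" / "Roaming"))
        return appdata / "Macromedia" / "Flash Player" / "#SharedObjects"
    if sys.platform == "darwin":
        return home / "Library" / "Preferences" / "Macromedia" / "Flash Player" / "#SharedObjects"
    return home / ".macromedia" / "Flash_Player" / "#SharedObjects"


def find_flash_cookies(base):
    """Return {site domain: [paths of .sol files]} found under base."""
    base = Path(base)
    found = {}
    if not base.is_dir():
        return found
    for sol in base.rglob("*.sol"):
        parts = sol.relative_to(base).parts
        # parts[0] is the random profile id, parts[1] the site that set the object
        domain = parts[1] if len(parts) >= 3 else "(unknown)"
        found.setdefault(domain, []).append(sol)
    return found


def clear_flash_cookies(base, keep=()):
    """Delete every .sol under base except those of domains in keep; return count."""
    removed = 0
    for domain, files in find_flash_cookies(base).items():
        if domain in keep:
            continue
        for f in files:
            f.unlink()
            removed += 1
    return removed


def demo():
    """Build a constructed #SharedObjects tree in a temp dir and exercise both functions."""
    sample = [  # constructed paths; the file contents are placeholders, not real LSOs
        "abcd1234/example.com/flash/tracker.sol",
        "abcd1234/example.com/other.sol",
        "abcd1234/example.org/video.sol",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "#SharedObjects"
        for rel in sample:
            p = base / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"\x00\xbf")
        before = sorted(find_flash_cookies(base))
        removed = clear_flash_cookies(base, keep=("example.org",))
        after = sorted(find_flash_cookies(base))
    return before, removed, after


if __name__ == "__main__":
    for domain, files in sorted(find_flash_cookies(default_shared_objects_dir()).items()):
        print(f"{domain}: {len(files)} object(s)")
    print(demo())
```

Listing first and clearing second mirrors the study's point: the domain names alone show which sites set Flash cookies and whether the same sites also set HTTP cookies that could be respawned. The `keep` tuple lets a user retain objects for sites they trust (saved game state, player preferences) while removing the rest; Flash Player's own global settings live in a separate `macromedia.com/support/flashplayer/sys` tree, which this function never touches.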


An interesting look at some of the worst recent and historical attacks:

Looking Back: Six Years Since MSBLAST
http://blog.trendmicro.com/looking-back-six-years-since-msblast/

QUOTE: TrendLabs experts are regularly asked what—in their opinion—are the most dangerous malware of all time.

1. CONFICKER (DOWNAD): Multiple Propagation, Multiple Damage – Found in November 2008, this massive threat took advantage of the MS08-067 vulnerability. It spawned several other variants, each new variant an improvement over the last. It impacted LAN traffic in several corporate networks.
 
2. KOOBFACE: The Scourge on Social Networks – Initially found in August 2008, KOOBFACE leveraged the connectivity serviced by social networking sites like Facebook and MySpace.

3. ZBOT: Organized Information Theft – Also known as variants of Zeus malware, ZBOT Trojan spyware are usually delivered via the Web either by email or Web exploits.

4. SQL Slammer: Single-Handed Internet Sabotage – This attack is notorious for drastically slowing down general Internet traffic in the early morning of January 25, 2003 (UTC).

5. VBS_LOVELETTER: Internet Love Bug – This attack, with a remarkably simple yet effective piece of social engineering (the string “ILOVEYOU” in the subject heading) that triggered the curiosity of recipients, first plagued email inboxes on May 4, 2000. It infected 10% of computers worldwide, with each harboring an average of 600 infected files.

6. Melissa Virus – The first mass-mailer (started in March 1999); shut down entire Internet mail systems clogged with infected emails

7. MSBLAST – One of the more memorable network worms to take advantage of system vulnerabilities. It was first triggered around this time in the year 2003.

8. SDBOT/AGOBOT – Pioneered modular IRC-based botnets; current IRC bots still use the same codebase; still alive today

9. Web Toolkits – Collective term for commercial-grade software that aid cybercriminal activity; allegedly responsible for high-profile web compromises like the “Italian Job”

10. ILOMO – Trojans arriving via Web-based exploits that stay active in memory even after the binary has been deleted from the system, resulting in multiple, recurring reinfections (first appeared March 2009)

Computerworld's review finds Windows 7 a worthwhile upgrade, as noted below:

Review: Windows 7 RTM -- a closer look
http://www.computerworld.com/s/article/9136500/Review_Windows_7_RTM_a_closer_look

QUOTE: Windows 7 is a solid, well-performing operating system, free of many of the glitches that bedeviled the launch of Windows Vista. Speed improvements, interface enhancements and easier ways to manage your documents make this a new operating system in its own right, and one that's well worth the upgrade.

Sunbelt shares this interesting article:

Windows pirates in China get jail, fines
http://sunbeltblog.blogspot.com/2009/08/windows-pirates-in-china-get-jail-fines.html
http://www.shanghaidaily.com/sp/article/2009/200908/20090821/article_411358.htm
http://www.computerworld.com/s/article/9136959/Chinese_Windows_XP_software_pirates_get_jail_terms

QUOTE: Four software pirates in China were sentenced to several years in prison and fined for running a web site that distributed, FOR FREE, 10 million copies of Windows XP over five years, according to the Shanghai Daily newspaper. 

Always be wary of these fraudulent scams, as new and improved approaches continue to appear.  AVERT Labs (McAfee) shares some of the latest developments:

AVERT Labs - Scammers love your Money
http://www.avertlabs.com/research/blog/index.php/2009/08/17/scammers-love-your-money/

QUOTE: For some individuals, these swindles, called advance fee fraud (also known as 419 fraud) and romance scam, are a primary source of revenue. They also employ lottery and fake prize scams.
