July 2010 - Posts

Koobface (an anagram of Facebook) is a common attack on social networks. It is designed to steal personal information for misuse and hides itself on infected systems. New variants continue to emerge, as documented by AVERT Labs below. It usually spreads through invitations to click on a malicious link (often a supposed video). Facebook users should lock down their privacy settings, avoid clicking on unexpected URLs, and not accept friend requests from people they don't know.

AVERT LABS - Koobface Going for Broke?

QUOTE: The Koobface worm has been one of the top malicious threats to Facebook users since 2008. Like most threats, Koobface has morphed over time, adding and changing malicious payloads, while maintaining the ability to propagate, or spread, from one system to another.  Several weeks ago Koobface added DNS hijacking functionality that blocks access to security sites, tipping users off to the fact that something might be wrong with their systems. Since then the authors have taken a giant leap toward invasiveness with the installation of a fake anti-virus Trojan. About 10 minutes after the initial infection, users may see the typically fake scanning windows and infection alerts.

AVERT LABS - More Koobface URLs Plague Users

QUOTE: McAfee Labs researchers have seen a noticeable spike in URLs leading to Koobface malware. (Koobface is an anagram of Facebook.) The latest, unexpected Koobface campaign spreads by tricking Facebook users into downloading and running links



ESET has identified two new malware attacks that exploit the new, still unpatched Windows Shortcut vulnerability (malicious LNK files).

Zero Day LNK Vulnerability - ESET identifies two new malware attacks

QUOTE: Having implemented generic detection of the CVE-2010-2568 vulnerability used to propagate the now infamous Win32/Stuxnet, ESET has identified not one but two new malware families that exploit the same vulnerability.  This vulnerability allows code execution through malicious LNK (shortcut) files.

We have identified a new family that exploits this unpatched vulnerability in order to spread, which we have labelled Win32/TrojanDownloader.Chymine.A.  At the time of analysis, this threat downloads and installs a keystroke logger which we detect as Win32/Spy.Agent.NSO trojan.  The server used to deliver the components used in this attack is presently located in the US, but the IP is assigned to a customer in China.

Minutes after identifying this new attack, we observed a known threat, Win32/Autorun.VB.RP, which has been updated to include the CVE-2010-2568 exploit as a new propagation vector.  Win32/Autorun.VB.RP seems to download and install additional components on infected machines.

This new development follows a typical path of evolution in malware.  Often there are only days between the initial release of information regarding a critical vulnerability, and the discovery of its exploitation being executed in the wild by malware authors.  It is safe to assume that more malware operators will start using this exploit code in order to infect host systems and increase their revenues.


An excellent article discussing tips and techniques for keeping corporate users safe and responsible when using social networks in a business context.

SECURITY - Stay Safe, Productive on Social Networks

QUOTE: The pros of social networking outweigh the security cons, but the risks to corporate image and data are still significant. Keep employees safe while they make use of these valuable collaboration tools.

PART 2 - Discusses Techniques for keeping users safe

1. Strong relevant Corporate policies
2. Security Awareness education
3. Technology - Content Filtering, Publication Gateway devices, etc.

Best practices and technical defenses should be used to guard against the new attacks that use malicious spoofed Windows shortcuts.  Currently these zero-day attacks are not circulating widely and have surfaced only in limited targeted attacks.  However, that is likely to change, as noted in the articles below: malware developers are exploring new ways to seed this exploit in the wild.

The danger of these attacks is that a spoofed shortcut can easily trick anyone into selecting it, and the malicious icon is rendered as soon as the folder holding it is displayed, before anything is clicked.  AutoPlay settings can also make the attack completely automatic when the exploit is circulated on removable drives or insecure network shares.

Microsoft releases FixIT for Windows Shortcut zero day attacks

QUOTE: Microsoft has released a “fix-it” tool as a stop-gap to block ongoing zero-day attacks against a new code execution flaw in Windows Shell. The attacks, which incorporate signed drivers from RealTek and JMicron, are spreading locally via malicious USB drives or remotely via network shares and WebDAV.  Microsoft has posted a pre-patch advisory that spells out the problem:

Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution


QUOTE: The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts.


Microsoft Security Advisory: Vulnerability in Windows Shell could allow remote code execution

QUOTE: Applying the Fix it will require a restart of the machine. The installation of the Fix it will prompt the user before restarting the system. Enterprise deployments allow for unattended install with the following Display options:

TIP: Download both the Fix it and the Undo Fix it packages, and label them clearly in separate folders. Once a true patch is released, both temporary Fix it tools will be removed from the KB in favor of the new security bulletin. The full security release will usually undo the Fix it itself, but it's good to have the Undo Fix it available just in case it's needed (corporate inventory systems may not track temporary fixes accurately).

SPECIAL WARNING: The Internet Storm Center warns Windows 2000 users to be especially careful as there will most likely be no forthcoming patch.

ADDITIONAL PROTECTION BEYOND THE FIX-IT: disabling AutoRun/AutoPlay, keeping AV updated, and following best practices are in order on all operating systems.


INTERNET STORM CENTER - Windows shortcut dangers


QUOTE: How widely is the issue being exploited? The issue is known to be exploited by malware in the wild. Initial attacks were limited. However, an exploit module in metasploit was published today that uses WebDAV shares as an exploit vector. We expect wider exploitation of this issue. Users should keep their anti-virus software updated with the latest DATs (signatures).

Users should be careful with any unusual or unexpected icons or shortcuts presented to them.  So far these attacks are limited, and AV protection is emerging.

Malicious Windows shortcut files (LNK extension) used in targeted attacks

QUOTE: (ISC) I've tested the exploit and can confirm that it works in Windows XP, Vista and Windows 7. The exploit uses a specially crafted LNK file. This file allows the attacker to execute an arbitrary file by carefully specifying its location – the LNK file in itself does not exploit any vulnerability such as buffer overflows, for example, so it is a legitimate LNK file. Some things that you should be aware of:

* If autorun is disabled, when a USB device with malicious LNK files is inserted, the exploit will not be triggered automatically.

* The exploit is triggered every time a folder containing a malicious LNK file is opened (for example, with Windows Explorer). It does not matter where this folder is – it does not have to be on a USB device, but in order to execute the malicious binary, the attacker has to specify its location correctly.

CORPORATE DANGERS: What makes this vulnerability extremely serious is the fact that it can be opened from any place, including remote shares, for example. The victim just has to browse to the remote share in order to trigger the vulnerability. So double check permissions on any remote shares you use in your company (you shouldn't allow users to write in root folders, for example).
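The ISC description above (a well-formed shortcut whose target list points at the file to run, triggered merely by displaying the folder) is enough to build a quick triage scanner for shortcuts found on removable drives or share roots, which also covers the advice to double check what sits in the root of your shares. The Python below is an added example, not code from the ISC diary, from Microsoft or from this blog. It parses the Shell Link header and LinkTargetIDList as laid out in Microsoft's MS-SHLLINK specification and flags shortcuts whose item list resolves through the Control Panel folder (CLSID 21EC2020-3AEA-1069-A2DD-08002B30309D) to a .dll or .cpl, the shape public analyses gave for the CVE-2010-2568 shortcuts. The two sample shortcuts, the `\\fileserver\share` path and the `scan_directory` helper are constructed for the example; the heuristic is a triage aid, not a substitute for the Fix it or the eventual patch, and legitimate Control Panel shortcuts can land in the "review" bucket.

```python
"""Triage scanner for Windows shortcut (.lnk) files.

Added example for this post, not code from ISC, Microsoft or the blog author.
It reads the Shell Link header and LinkTargetIDList (MS-SHLLINK) and flags
shortcuts whose item list names a .dll/.cpl, especially via the Control
Panel folder. The sample shortcuts built below are constructed test data.
"""
import os
import struct
import uuid

LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")        # Shell Link
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")
HAS_LINK_TARGET_ID_LIST = 0x1   # LinkFlags bit A
HEADER_SIZE = 0x4C
SUSPECT_EXTENSIONS = (b".dll", b".cpl")


def parse_lnk(data):
    """Return (LinkFlags, [ItemID payloads]); raise ValueError on malformed input."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than a shell link header")
    if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("bad HeaderSize")
    if uuid.UUID(bytes_le=bytes(data[4:20])) != LINK_CLSID:
        raise ValueError("bad LinkCLSID")
    link_flags = struct.unpack_from("<I", data, 20)[0]
    items = []
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        offset = HEADER_SIZE
        if offset + 2 > len(data):
            raise ValueError("IDListSize missing")
        id_list_size = struct.unpack_from("<H", data, offset)[0]
        offset += 2
        end = offset + id_list_size
        if end > len(data):
            raise ValueError("IDListSize runs past end of data")
        # IDList is a run of ItemIDs (size-prefixed, size includes the prefix)
        # closed by a 2-byte TerminalID of zero.
        while offset + 2 <= end:
            item_size = struct.unpack_from("<H", data, offset)[0]
            if item_size == 0:
                break
            if item_size < 2 or offset + item_size > end:
                raise ValueError("malformed ItemID")
            items.append(bytes(data[offset + 2:offset + item_size]))
            offset += item_size
    return link_flags, items


def names_dll(item):
    """True if an ItemID payload contains .dll/.cpl as ASCII or UTF-16LE text."""
    if any(ext in item.lower() for ext in SUSPECT_EXTENSIONS):
        return True
    text = item.decode("utf-16-le", errors="ignore").lower()
    return any(ext.decode("ascii") in text for ext in SUSPECT_EXTENSIONS)


def assess(data):
    """Classify one shortcut as 'suspect', 'review', 'clean' or 'unparsable'."""
    try:
        _flags, items = parse_lnk(data)
    except ValueError:
        return "unparsable"
    dll = any(names_dll(i) for i in items)
    control_panel = any(CONTROL_PANEL_CLSID.bytes_le in i for i in items)
    if dll and control_panel:
        return "suspect"      # the CVE-2010-2568 shape: Control Panel item -> DLL
    if dll:
        return "review"       # a DLL target without the Control Panel folder
    return "clean"


def scan_directory(root):
    """Assess every .lnk under root (e.g. a mounted share root or a USB drive)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".lnk"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[path] = assess(fh.read())
    return results


def build_lnk(items):
    """Assemble header + IDList for the constructed samples (payloads abbreviated)."""
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID.bytes_le
    header += struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header = header.ljust(HEADER_SIZE, b"\x00")   # attributes, times, etc. zeroed
    id_list = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed samples: a shortcut to a text file, and one resolving through the
# Control Panel folder to a DLL on a (made-up) share. A shape, not a working exploit.
BENIGN = build_lnk([b"\x1f" + MY_COMPUTER_CLSID.bytes_le, b"\x2fC:\\", b"\x32notes.txt"])
SUSPECT = build_lnk([b"\x1f" + MY_COMPUTER_CLSID.bytes_le,
                     b"\x1f" + CONTROL_PANEL_CLSID.bytes_le,
                     "\\\\fileserver\\share\\helper.dll".encode("utf-16-le")])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, "->", assess(blob))
```

Run it as a script to classify the two built-in samples, or call `scan_directory` on the root of a mounted share or a removable drive. Pull anything reported as "suspect" or "review" for analysis from a command prompt rather than opening its folder in Explorer, since displaying the folder is what invokes the icon handler.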

Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution

QUOTE: The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.


Moving to the new engine will happen automatically and transparently for most users through the standard update process. The engine release is not a new version of MSE that users will be prompted to install.  While I have my PCs at home set to update daily, users can update manually by launching MSE from the Start menu, selecting the Update tab, and clicking the Update button.

The virus definitions file created on July 15, 2010 at 10:23 EDT takes a few more minutes to apply than usual, as it contains a new anti-malware engine to improve MSE scanning capabilities.  Engine updates are released periodically by AV vendors to tune up the product and handle new areas of risk more efficiently.  After applying the updates, a quick scan of the hard drive was performed to test the new release. So far, no issues have been experienced with this update.  Best practices and MSE continue to work well in protecting our family PC.

Use Help and About to show version information.  As of July 16, 2010 they are as follows:  

Microsoft Security Essentials Version:  1.0.1963.0
Antimalware Client Version: 2.1.6805.0
Engine Version: 1.1.6004.0
Antivirus definitions:
Antispyware definitions:

STAYING UP-TO-DATE WITH THE LATEST RELEASE OF MSE:  If you are not on the 1.0.1963.0 version of MSE, please use the HELP menu option to check your version of MSE.  Click on the small triangle icon to invoke the HELP drop-down menu. The HELP menu has an "Upgrade Microsoft Security Essentials" option; click it and accept the upgrade if you are not on the "1963" version.

New Antimalware Engine is planned for release on 15 July 2010

Microsoft Security Essentials Home

How to install MSE on your home PC

Please apply these updates as prompted to ensure your system is up to date and protected.  There was no need to reboot after these changes. As Windows 2000 support expires today, no final W2K updates were submitted this month:

Microsoft Security Updates - July 2010

QUOTE: Microsoft is releasing the following four new security bulletins for newly discovered vulnerabilities:

Bulletin ID: MS10-042
Bulletin Title: Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows XP and Windows Server 2003.

Bulletin ID: MS10-043
Bulletin Title: Vulnerability in Canonical Display Driver Could Allow Remote Code Execution (2032276)
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows 7 for x64-based systems and Windows Server 2008 R2 for x64-based systems.

Bulletin ID: MS10-044
Bulletin Title: Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution (982335)
Maximum Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office Access 2003 and Office Access 2007.

Bulletin ID: MS10-045
Bulletin Title: Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (978212)
Maximum Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office Outlook 2002, Office Outlook 2003, and Office Outlook 2007.

There are numerous links providing further information for early testing by corporate professionals.

Windows 7 and Windows Server 2008 R2 Service Pack 1 -- EARLY BETA BUILDS

Please Note: This early release of Windows 7 and Windows Server 2008 R2 SP1 Beta is not available for home users. The SP1 Beta does not provide new end-user features, and installation is not supported by Microsoft.

QUOTE: Windows 7 and Windows Server 2008 R2 SP1 Beta helps keep your PCs and servers on the latest support level, provides ongoing improvements to the Windows Operating System (OS), by including previous updates delivered over Windows Update as well as continuing incremental updates to the Windows 7 and Windows Server 2008 R2 platforms based on customer and partner feedback, and is easy for organizations to deploy a single set of updates. Windows 7 and Windows Server 2008 R2 SP1 Beta will help you:

  • Keep your PCs supported and up-to-date
  • Get ongoing updates to the Windows 7 platform
  • Easily deploy cumulative updates at a single time
  • Meet your users' demands for greater business mobility
  • Provide a comprehensive set of virtualization innovations
  • Provide an easier Service Pack deployment model for better IT efficiency

In order to download and install the Windows 7 and Windows Server 2008 R2 SP1 Beta you must currently have a Release to Manufacturing (RTM) version of Windows 7 and Windows Server 2008 R2 already installed. To learn more about piloting, deploying and managing Windows 7, visit the Springboard Series on TechNet. To learn more about SP1 Beta and Windows Server 2008 R2, visit the SP1 Details Page.

Several excellent charts have been published showing continued growth in malware.  Most of the new samples are unique minor variants of a main malware family.  The growth in variants is very challenging for security vendors to keep up with.

McAfee - Mid-year report shows huge growth in malware

QUOTE: Now that we’ve reached the middle of the year, it’s time to take a look at our malware collection. During the first half of the year, 10 million samples entered in our database. That’s certainly no decrease compared with last year.

From these we can see that malware developers have lost their creative spirit. Malware designers create their apps to make money, not for style. Because the old techniques still work, it is not necessary to be inventive, just repetitive. For example, it is not rare to see more than 10,000 Koobface variants in a single month.

Today when we quantify the malware world, the consensus is to use the number of unique files in our collections distinguished by their MD5 hash (or checksum). On June 30, we counted 43,337,677 unique binary files. Perhaps we’ll reach 54 million by the end of December.

Oracle will release security updates for its products as noted below:

Oracle - 59 security vulnerabilities to be patched on July 13th

This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for July 2010, which will be released on Tuesday, July 13, 2010.  While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory.

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. This Critical Patch Update contains 59 new security vulnerability fixes across hundreds of Oracle products. 21 out of 59 vulnerabilities are in Solaris product suite. Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products.  Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.


Sunbelt shares an interesting analysis of a recent scam that, while poorly designed, could still compromise the privacy of anyone who responds to it.

World Cup Lottery - Poorly designed attack still has dangers

QUOTE:  Is it me or has the quality of trolls sunk to even more amateur levels? And, clicking on the attachment (kids, don’t try this at home) we get: Wow. Word 97! I guess this is a low budget operation. Nelson Mandela hasn’t been president of South Africa for 11 years.  And after fill this information of yours we will officially send you our verification that you are the winning,


After two years, I continue to be amazed at the number of Conficker infections that remain. There are no new reported variants; instead the older ones continue to exist and even thrive due to poor security practices by individuals and even companies.

Microsoft provided the MS08-067 protective patch on October 23, 2008.   Within a month the patch had been reverse engineered and the Conficker worm appeared, exploiting the vulnerability it fixed.  Conficker provided an important "lessons learned" in the need to apply all security updates the day you are prompted to do so.

MS08-067 Conficker - Infections are high with sharp spike in June

Password stealers and Conficker top June malware

QUOTE: The month also marked a return engagement of Conficker, this time in the form of a variant called Downadup. Following the path of the original Conficker, the new variant jumps on a weakness in Windows Server that allows code to be executed remotely when file sharing is turned on, according to Sunbelt. This strain also takes advantage of weak administrator passwords to disable certain Windows services and anti-malware protection.

"Although Trojans continue to dominate the top 10, June reveals interesting trends such as a fresh wave of Conficker-based detections, suggesting that this troublesome piece of malware is on its way back," Sunbelt Software research center manager Tom Kelchner said in a statement.

To date, security researchers have discovered the following variants of the worm in the wild.

Win32/Conficker.A was reported to Microsoft on November 21, 2008.
Win32/Conficker.B was reported to Microsoft on December 29, 2008.
Win32/Conficker.C was reported to Microsoft on February 20, 2009.
Win32/Conficker.D was reported to Microsoft on March 4, 2009.
Win32/Conficker.E was reported to Microsoft on April 8, 2009.

Conficker - Other Good Links
including a quick visual chart to see if your system is infected

Key protection became available on October 23, 2008

Conficker - Cleaning Tips


MSE and Forefront users should update their virus scanning engines as prompted next week.

New Antimalware Engine is planned for release on 15 July 2010

QUOTE: As part of regular update of our Antimalware technology to address the latest in the threat landscape, the Microsoft Antimalware Team is planning to release a new antimalware engine on 15 July 2010.

Affected products: 
-- Microsoft Security Essentials (MSE)
-- Forefront Client Security (FCS)

Engine Version will be in the range of 1.1.600X.0

Safety and functionality rather than lightning-fast performance are my primary goals in selecting a browser.  While a high-speed Internet connection minimizes these differences, good internal performance is certainly desirable.  This article provides an interesting discussion of browser performance.

I've been testing Safari 5 for XP and have noted excellent performance.  Safari's new Reader mode is the best browser innovation I've seen in years (it turns web pages into ebook-like presentations).  Still, IE8 and FF4 remain my primary browsers at work and home, providing good functionality and security.

Firefox 4 improves JavaScript rendering performance by 27%

QUOTE: Firefox 4's first beta is 27% faster than Mozilla Corp.'s more stable browser, Firefox 3.6.6, but it still lags behind some of its rivals, including Chrome, Opera and Safari, benchmark tests show.  Computerworld ran the SunSpider JavaScript benchmark suite in Windows Vista Business three times for each browser, then averaged the scores.

Browser Java Script rendering speed test rankings
1. Safari 5
2. Opera 10.6
3. Chrome 5
4. Firefox 4 b1
5. Firefox 3.6.6
6. Internet Explorer 8

Internet Explorer 8, Microsoft Corp.'s newest production browser, was also tested, but it remained the slowest by far. For all intents and purposes, IE8 isn't even in the JavaScript race.

Firefox may not be the fastest browser, but it's still the second-most-popular browser on the planet. In June, Firefox accounted for 23.8% of all browsers used to reach sites monitored by Web analytics firm Net Applications. Internet Explorer gained ground at a record pace, which is highly unusual, to end the month at 60.3%. Chrome, Safari and Opera held usage shares of 7.2%, 4.9% and 2.3%, respectively.

The ISC is conducting a poll, and the "YES" vote currently stands at 50%. I would encourage folks to vote their conscience on this and to vote only once.

VOTE HERE: Microsoft Spurned Researcher Collective - Is it irresponsible?

BACKGROUND:  Recently a security researcher tried to pressure Microsoft into fixing a serious flaw in a rarely used service within a certain timetable. While I'm not certain what was discussed, it appears that the two sides could not agree.

The frustrated researcher then published proof-of-concept code to force Microsoft to patch.  Within two days dangerous exploits appeared in the wild.  That truly put pressure on Microsoft to patch the vulnerability, and the fix will arrive in the July updates.  While I don't know whether the exploit had been used in targeted attacks previously, public disclosure exacerbated the issue.  Some folks were infected through this dangerous exploit, although thankfully it is not widespread.

I believe that the researcher would have been better served to report the issue and keep the potentially malicious proof-of-concept code private.  If a vendor doesn't respond in a timely manner, the researcher has still done their part.  A highly talented individual who publishes code that can easily be used by malicious individuals reduces the safety of the Internet.

Even when a patch is rushed out the door, an estimated one third of folks don't patch.    While the researcher and Microsoft both published workarounds, well over 90% of users did not apply the Fix it solution.  Those individuals would be vulnerable if directed to a malicious website or via dangerous P2P sites.   Since anti-virus vendors sometimes add coverage for dangerous exploits, that's truly the only protection for most folks.

MSRC is the Microsoft Security Response Center, and this new group spoofs that acronym in its name.  It is a parody, in sympathy with the researcher, who was criticized extensively.  Maybe a more appropriate name for the group is the "Malware Seeding Research Center" ;-)

As in most things there are no absolutes, and the link below discusses the pros and cons of public disclosure. For example, vendors need to invest more in security and improve their timeframes for patching.  Bill Gates' 2002 Trustworthy Computing (TWC) directive has made a positive difference for Microsoft (and continuous improvement is always needed).  The security function is one of safety, and I favor all practices that keep potentially malicious code out of the hands of the bad guys:

Security Researchers and Public Disclosure - Pros and Cons
