August 2010 - Posts

In recently helping someone recover from a FakeAV attack, I discovered this excellent resource from SunBelt.

Please avoid all security pop-ups that are unfamiliar and state they have found malware -- and want to charge you to clean your system.  These malware agents are among the most difficult to correct  and some of the most popular attacks circulating.  If you see pop-up screens matching any of those in the library, please seek technical help immediately as it's fake security product designed to steal money from your paypal or bank account.

Sunbelt - FakeAV and Security Rogue Library
http://rogueantispyware.blogspot.com/

August was a very important month for security updates and most individuals have most likely applied them.  If you manually update and missed these, please bring your systems up-to-date.  Staying up-to-date on all security patches, moving to IE8, and and building a second Windows account with non-ADMIN rights are all best practices.

In the corporate environment, the LNK vulnerability can provide a malware attack at almost the same level as Conficker, if there are weak internal security settings on workstation or server network shares.  This out-of-band release to better protect Windows was rated as PATCH NOW

Microsoft Security Updates - August 2010
http://blogs.technet.com/b/srd/archive/2010/08/10/assessing-the-risk-of-the-august-security-updates.aspx
http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx

ISC - Excellent analysis of bulletins
http://isc.sans.edu/diary.html?storyid=9361

ISC - Rates LNK security fix as PATCH NOW
http://isc.sans.edu/diary.html?storyid=9313

 

This tool provides a temporary mitigation of risks until a more comprehensive solution emerges

QUOTE: Another option for protecting your systems is to deploy a tool that can help prevent exploitation of this issue. Knowledge Base article 2264107 offers for download a tool that allows customers to selectively change the library loading behavior, either system-wide or for specific applications

The update allows the administrator to define the following on a system-wide or a per-application basis:

* Remove the current working directory from the library search path.
* Prevent an application from loading a library from a WebDAV location.
* Prevent an application from loading a library from both a WebDAV, as well as a remote UNC location.

Microsoft's Mitigation resources and DLL Control tool
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx
http://sunbeltblog.blogspot.com/2010/08/microsoft-releases-workaround-tool-for.html

DOWNLOAD FOR SPECIAL TOOL

These advanced wallpaper backgrounds are beautiful and wanted to capture the excellent links shared by fellow MVP Minty White

http://msmvps.com/blogs/mintywhite/archive/2010/08/27/desktop-wallpaper-50-high-resolution-wallpapers-for-windows-linux-mac-set-3.aspx

http://msmvps.com/blogs/mintywhite/archive/2010/08/25/3d-and-abstract-desktop-wallpaper-collection-set-2.aspx

http://msmvps.com/blogs/mintywhite/archive/2010/08/23/3d-and-abstract-desktop-wallpaper-collection-set-1.aspx

Right Hug Right Hug Right Hug As Facebook and other web 2.0 are great resources to keep in touch with family and friends, all users need to be careful of the dangers and avoid clicking on suspicious links, free offers too good to be true, and not disclose private information.

Older adults are flocking to social networks
http://technolog.msnbc.msn.com/_news/2010/08/27/4982716-older-adults-are-flocking-to-social-networks

QUOTE: Social networking use by Internet users ages 50 and older nearly doubled in the past year, going from 22 percent in April 2009 to 42 percent in May 2010, according to the Pew Research Center’s Internet & American Life Project’s new report, "Older Adults and Social Media." While 86 percent of younger Internet users (ages 18 to 29) "continue to be the heaviest users”"of social sites like Facebook, MySpace and LinkedIn, "over the past year, their growth paled in comparison with the gains made by older users," Pew said. One of the main reasons for older adults' increased interest and use of social networking sites: They know Facebook and Twitter are where their kids and grandkids are spending time, and it’s a way to "bridge generational gaps," said Mary Madden, Pew senior research specialist and author of the report.

While DLL vulnerabilities were present over a decade ago, Microsoft created a more secure DLL loading. Recently, new ways of working around these controls have been discovered and malicious exploits are being rapidly developed. In this latest development, an attacker can create an infected file, which when opened by an application (that is vulnerable to loading external libraries insecurely). A malicious library object can then be loaded from the remote location to further compromise the PC. 

This new DLL vulnerability is much like SQL injection in that it may not be entirely within Microsoft's scope to control. Many of the vulnerable applications are non-Microsoft products and they must be eventually strengthened for improved security in the way they load DLLs.  Microsoft will most likely strengthen controls in this area.  It is uncertain whether they can also address all the of the potential concerns related to third parter software.

DLL Hijacking Vulnerability - Over 40 popular applications have exploits built
http://www.computerworld.com/s/article/9181918/Windows_DLL_exploits_boom_hackers_post_attacks_for_40_plus_apps?source=CTWNLE_nlt_virusv_2010-08-26

QUOTE: Some of the world's most popular Windows programs are vulnerable to attacks that exploit a major bug in the way they load critical code libraries, according to sites tracking attack code. Among the Windows applications that are vulnerable to exploits that many have dubbed "DLL load hijacking" are the Firefox, Chrome, Safari and Opera browsers; Microsoft's Word 2007; Adobe's Photoshop; Skype; and the uTorrent BitTorrent client.

"Fast and furious, incredibly fast," said Andrew Storms, director of security operations for nCircle Security, referring to the pace of postings of exploits that target the vulnerability in Windows software. Called "DLL load hijacking" by some, the exploits are dubbed "binary planting" by others. On Monday, Microsoft confirmed reports of unpatched vulnerabilities in a large number of Windows programs, then published a tool it said would block known attacks. The flaws stem from the way many Windows applications call code libraries -- dubbed "dynamic-link library," or "DLL" -- that give hackers wiggle room they can exploit by tricking an application into loading a malicious file with the same name as a required DLL.

AN UNOFFICIAL INVENTORY OF APPLICATIONS WITH MALICIOUS DLLS DEVELOPED
http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/

Microsoft's Mitigation resources and DLL Control tool
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx
http://support.microsoft.com/kb/2264107

DLL Hijacking Vulnerability - ADDITIONAL LINKS
http://www.microsoft.com/technet/security/advisory/2269637.mspx
http://www.avertlabs.com/research/blog/index.php/2010/08/24/insecure-library-loading-in-os-and-applications/
http://isc.sans.edu/diary.html?storyid=9445
http://www.us-cert.gov/cas/techalerts/TA10-238A.html
http://www.kb.cert.org/vuls/id/707943

Computerworld and Symantec offer additional writeups on this new threat to 64 bit systems, which have highly secure Windows 7 safeguards.  Once the TDL3 dropper agent is installed, there is an immediate reboot of the system.  The rootkit gets installed during a reboot prior to Windows starting by overwriting the MBR area.

TDL3 64 bit Windows Rootkit - Additional Information
http://www.computerworld.com/s/article/9182238/Rootkit_with_Blue_Screen_history_now_targets_64_bit_Windows
http://www.symantec.com/connect/fr/blogs/tidserv-64-bit-goes-hiding
http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99

QUOTE: The new rootkit sidesteps two important anti-rootkit protections Microsoft built into 64-bit Windows: Kernel Mode Code Signing and Kernel Patch Protection, also known as PatchGuard. The pair are designed to make it more difficult for malware to tamper with the operating system's kernel.

"To bypass Kernel Patch Protection and driver signature verification, the rootkit is patching the hard drive's master boot record so that it can intercept Windows' start-up routines, own it and load its driver," Giuliani said. Rootkits that overwrite the hard drive's master boot record (MBR), where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks, are essentially invisible to the operating system and security software.

TDL3 rootkit x64 goes in the wild
http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html

Please ensure your accounts use strong passwords and avoid free offers that appear too good to be true in email or social networking applications.

Facebook and Twitter users - Beware of free iPAD offers
http://www.computerworld.com/s/article/9181958/Scammers_hit_Twitter_Facebook_send_free_iPad_spam

QUOTE: Facebook and Twitter users are complaining about their accounts being compromised and then being used to spam friends with suspicious "free iPad offers." Online marketing programs pay cash for Web traffic, and hackers have found that by phishing victims and then using that information to break into legitimate Twitter and Facebook accounts, they can earn money.

CIO Magazine offers an excellent summary of experiences related to early adopters who have implemented cloud computing applications.

Cloud Computing: Early Adopters Share Five Key Lessons
http://www.cio.com/article/591040/Cloud_Computing_Early_Adopters_Share_Five_Key_Lessons

QUOTE: While some large enterprises have moved their information-technology infrastructure to a third-party managed service to save costs, small firms—especially startups—have come to rely on cloud services to cut initial outlays and help them focus on the core services and products. The cost savings and scalability of infrastructure-as-a-service offerings are well known advantages. Yet, there are others. In interviews, three small companies that use the cloud—and one that does not—share the lessons learned from growing up with cloud infrastructure.

CLOUD COMPUTING - FIVE KEY LESSONS LEARNED
1. From IT management to software development
2. Downtime is low
3. Security is still your headache
4. Your ability to use cloud depends on your customers
5. The cost advantage only lasts so long

Idea CIO magazine shares some usability tips in a seven screen slideshow

Windows 7 - Seven Features users may not be unaware of
http://www.cio.com/article/511117/Seven_Features_in_Windows_7_You_Probably_Don_t_Know_About

 Lightning

TDL3 is the most advanced Windows rootkit developed so far.  This highly technical and informative post from Prevx share another dangerous development, as 64 bit systems are more secure and difficult to manipulate.

TDL3 rootkit x64 goes in the wild
http://www.prevx.com/blog/154/TDL-rootkit-x-goes-in-the-wild.html

QUOTE: It took some time but now x64 Windows operating systems are officially the new target of rootkits. We talked about TDL3 rootkit some months ago as the most advanced rootkit ever seen in the wild. Well, the last version of TDL3 was released months ago and documented as build 3.273. After that, no updates have been released to the rootkit driver. This was pretty suspicious, more so if you've been used to seeing rebuild versions of TDL3 rootkit every few days to defeat security software.

Obviously, the rootkit was stable and it is currently running without any major bug on every 32 bit Windows operating system. Still though, the dropper needed administrator rights to install the infection in the system. Anyway, the team behind TDL3 rootkit was just too quiet to not expect something new. They actually built a nice gift for every security vendor, because TDL3 has been updated and this time this is a major update; the rootkit is now able to infect 64 bit versions of Microsoft Windows operating system.

Idea This link shares some excellent free PENTEST tools that can help ensure corporate defense systems are actively blocking major threats.

Top Five Free Penetration Testing Tools
http://www.brighthub.com/computing/smb-security/articles/34710.aspx

QUOTE:  Penetration Testing uses a variety of specialized tools to make testing far faster and more effective at discovering vulnerabilities. Five of the top tools are highlighted in this article

1. Metasploit - This is a far more advanced tool than the others on this list, and requires more programming knowlege to run and use. This platform runs payloads, shellcode, and remote shells--you will actually penetrate the target. Servers can and will crash!

2. Nessus - It has long been my favorite vulnerability scanner, due to its speed, accuracy, and depth.

3. Nikto - Nikto is an Open Source web server security scanning tool. Currently at version 2.03, can scan for over 3500 potential vulnerabilities

4. Nmap - Nmap is my Swiss Army Knife for network scanning, port mapping, and OS & application discovery. Somehow it's both the simplest and most flexible tool in my arsenal.

5. Wireshark - Captures wireless network traffic and examines protocols and sessions in depth.

All Adobe Shockwave users should update as automatically prompted to apply these security fixes.

Critical Update Fixes 20 Vulnerabilities in Shockwave
http://blogs.pcmag.com/securitywatch/2010/08/critical_update_fixes_20_vulne.php
http://www.adobe.com/support/security/bulletins/apsb10-20.html

QUOTE: Critical vulnerabilities have been identified in Adobe Shockwave Player 11.5.7.609 and earlier versions on the Windows and Macintosh operating systems. The vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.7.609 and earlier versions update to Adobe Shockwave Player 11.5.8.612, using the instructions provided below.

SHOCKWAVE PLAYER UPDATE SITE
http://get.adobe.com/shockwave/

Individuals who use the Military banking system should be cautious of a new attack designed to capture account details and passwords.  This information can be used to capture information which could lead to fraudulent withdrawals and other monetary losses. It's always good to verify any email claims with the bank itself prior to taking action.

ZeuS Variant Targets U.S. Military Personnel
http://blog.trendmicro.com/zeus-variant-targets-us-military-personnel/

QUOTE: Today, we saw a malware variant created with the well-known ZeuS toolkit that seems to be targeting members of the U.S. military serving overseas. Targets of this scam will receive an email with the following text:

Dear Bank of America Military Bank customer: This letter is to inform you that there is an update required for your Bank of America Military Bank Account, for this reason your account has been flagged. In order to update your account, please follow this link. Thank you for banking with us!  Bank of America Military Bank accounts support.

Should the recipients click the link, they will be brought to a page that is almost identical to the real login page of the bank. However, this fake login page is actually hosted in Russia. An Update Tool must be installed onto his/her system to ensure that his/her account is not locked.

Needless to say UpdateTool.exe is a ZeuS variant detected by Trend Micro as TSPY_ZBOT.BIZ. Unfortunately, most people who fall for this scam will not even be given the opportunity to manually download the executable file, as this attack first runs a whole suite of browser exploits on the target systems first. This leaves manually downloading the file as a last-resort attack vector.

 Lightning

Sunbelt is warning of a new scam that encourages users to send 5 or more copies of spam to their friends in exchange for a gift.  As with most scams, the prize won't be awarded and you will give up your email address and Facebook user name in the process, that will be further misused.  When I first started in the security profession in 1997, I used the phrase there are "no free lunches on the Internet", as scams abounded then.

In 2010, there are great dangers for malware and privacy loss by clicking malicious links.  This week I've tried to help a friend recover from a bad FakeAV attack, who was always careful.  While several malware items have been cleaned, the PC still needs further repair or a complete rebuild.  Facebook is a wonderful place for sharing with friends, but please do carefully.  Just one bad click can require hours of repair time.

Scammers let Facebook users take up the spam reigns
http://sunbeltblog.blogspot.com/2010/08/scammers-let-facebook-users-take-up.html

QUOTE: Here’s an odd collection of websites promising lots of free Facebook goodies, including “Free Texas Holdem Poker Chips” – one million chips, to be exact. Sounds great, doesn’t it? Unfortunately, all we’re left with is proof positive that too many people will click anything put in front of them – no matter how silly the initial promise.   Facebook users are asked to paste a spam message “5 times anywhere on Facebook”. For anyone holding onto the vague hope of chips arriving in your mailbox sometime soon, here is your wake up call. Please don’t get suckered into these kinds of deals – the only person that benefits from all the gruntwork you put in is the site owner themselves.

More Posts Next page »