January 2011 - Posts

Numerous security updates were released for Oracle databases and business products recently:

Oracle Critical Patch Update Advisory - January 2011

QUOTE: Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

19 April 2011
19 July 2011
18 October 2011
17 January 2012

The Microsoft Malware Protection Center has identified a new trojan that blocks cloud-based AV technologies. While these attacks are currently centered in China, the same concepts could surface in other malware attacks in the future.

Bohu Trojan - New Anti-Cloud Malware

QUOTE: The Microsoft Malware Protection Center has been tracking a recent threat that attacks cloud-based antivirus technology provided by popular major antivirus software vendors in China. The malware is named Win32/Bohu (TrojanDropper:Win32/Bohu.A). The Bohu malware is native to the China region. Bohu attracts user installation by social engineering techniques, for example, using attractive file names and dropping a fake video player named “Bohu high-definition video player”. The more interesting part of Bohu is that the malware blocks cloud-based services now commonly featured in major Chinese antivirus products. Specifically, Bohu uses a number of different techniques in order to attempt to thwart Cloud-based AV technologies.

Bohu Trojan - Technical Description

QUOTE: Win32/Bohu.A is a trojan that drops Trojan:Win32/Bohu.A!Installer - a trojan that filters an affected computer's network traffic in order to stop malware-related data from being sent to information-gathering networks that belong to particular AV companies in China. It has been distributed in the wild with the file name "Bohu high-definition video player.exe" or similar.


Master Boot Record - Importance of protecting against malware

The MBR area can be altered by malware so that Windows systems cannot boot properly. It is important to keep this area protected and clean as noted below:

Master Boot Record - Importance of protecting against malware

QUOTE: It is that time of the year again to start anew. In terms of personal computers, the act of restarting the machine is called a reboot – an action that triggers execution of code from a special part of the disk called the Master Boot Record (a.k.a. MBR). As the year 2010 ended, I looked at some of the threats targeting the MBR. The MBR, the most important data structure on the disk, is created when the disk is partitioned. The MBR contains a small amount of executable code called the master boot code, the disk signature, and the partition table for the disk.
The master boot code performs the following activities:

1. Scans the partition table for the active partition.
2. Finds the starting sector of the active partition.
3. Loads a copy of the boot sector from the active partition into memory.
4. Transfers control to the executable code in the boot sector.”
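The four steps quoted above all depend on the partition table that shares the 512-byte sector with the master boot code. The following added example (not code from the Microsoft post) parses a constructed MBR the same way the master boot code reads it, locates the active partition and its starting sector, and hashes the boot-code region so a stored baseline can later reveal that the MBR code was rewritten. The sample sector, its disk signature and the placeholder boot-code bytes are constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # master boot code precedes the 4-byte disk signature at 440
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511
ACTIVE_FLAG = 0x80            # status byte of the bootable (active) partition
# Entry layout: status, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
PART_ENTRY = struct.Struct("<B3xB3xII")

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = PART_ENTRY.unpack_from(sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "active": status == ACTIVE_FLAG,
                           "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack_from("<I", sector, 440)[0],
            "partitions": partitions}

def active_partition(info: dict) -> dict:
    """Steps 1-2 of the master boot code: the single active entry and its starting sector."""
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]

def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """Compare the boot code against a stored baseline; True means the MBR code was rewritten."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest() != baseline_sha256

def build_sample_mbr() -> bytes:
    """Constructed sample sector (not a real disk image): active NTFS at LBA 2048, Linux second."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\x33\xc0\x8e"                    # placeholder standing in for real boot code
    struct.pack_into("<I", sector, 440, 0x1234ABCD)  # constructed disk signature
    PART_ENTRY.pack_into(sector, PART_TABLE_OFFSET, ACTIVE_FLAG, 0x07, 2048, 1_000_000)
    PART_ENTRY.pack_into(sector, PART_TABLE_OFFSET + 16, 0x00, 0x83, 1_002_048, 500_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)
```

On a live system the first sector can be read from the raw disk device and compared with a hash captured when the machine was known clean; a changed boot-code hash with an unchanged partition table is the pattern an MBR-infecting bootkit leaves behind.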


Below is an interesting survey of mistakes candidates make during job interviews:

Job Interviews - CareerBuilder lists Worst Mistakes

QUOTE: When asked what the most outrageous blunders they had encountered interviewing candidates were, hiring managers reported the following:

* Provided a detailed listing of how previous employer made them mad.
* Hugged hiring manager at the end of the interview.
* Ate all the candy from the candy bowl while trying to answer questions.
* Constantly bad mouthed spouse.
* Blew her nose and lined up the used tissues on the table in front of her.
* Brought a copy of their college diploma that had obviously been white-outed and their name added.
* Wore a hat that said “take this job and shove it.”
* Talked about how an affair cost him a previous job.
* Threw his beer can in the outside trashcan before coming into the reception office.
* Had a friend come in and ask “HOW MUCH LONGER?”

In addition to the most unusual gaffes, employers shared the most common mistakes candidates made during an interview:

* Answering a cell phone or texting during the interview – 71 percent
* Dressing inappropriately – 69 percent
* Appearing disinterested – 69 percent
* Appearing arrogant – 66 percent
* Speaking negatively about a current or previous employer – 63 percent
* Chewing gum – 59 percent
* Not providing specific answers – 35 percent
* Not asking good questions – 32 percent

Microsoft's Secure Developer Tools

QUOTE: During Blackhat DC, Microsoft released some updates to its secure development tools. Microsoft did some very nice work with these tools. While these tools are not necessarily limited to .Net, I highly recommend that .Net developers take a look at them.

http://www.microsoft.com/security/sdl/getstarted/tools.aspx
http://blogs.msdn.com/b/sdl/archive/2011/01/17/announcing-attack-surface-analyzer.aspx

Many malware attacks are so sophisticated that they even include copy-protection features to keep the source code from being reused by other authors. These techniques also make it harder for security vendors to research the malware's underlying functionality.

Malware Writers - Using Copy Protection Techniques

QUOTE: Malware writers are lifting anti-piracy technology embedded in some of the world's most popular software to protect their own work, according to Symantec. The antivirus company said writers of complex malware toolkits can embed measures to prevent users from stealing their work. "They are using the same Digital Rights Management (DRM) technology as major software," said Craig Scroggie, managing director of Symantec Pacific. "They will build their own DRM, steal it from the big names or cobble it together."

Most would-be buyers of the toolkits lack the technical understanding to reverse-engineer the DRM measures. The price of a malware toolkit has risen substantially, Scroggie said, from about $15 in 2006 to more than $8000 today. "The premium is because of the success rate," Scroggie said.

Please avoid suspicious Tweets and especially URLs that may be potentially malicious

New Twitter worm - Redirects Google to push fake anti-virus attacks

QUOTE: A fast-moving Twitter worm is in circulation, using Google redirection service to push unsuspecting users to a notorious scareware (fake anti-virus) malware campaign. At 8:45 a.m. EST today, this Twitter search shows thousands of Twitter messages continuing to spread the worm.

Malware attacks continued to grow in sophistication during the past year as noted by Trend Labs:

2010 in Review: 10 Most Remarkable Malware in 2010

QUOTE: This is my list of the top 10 most remarkable malware families that surfaced in 2010:

1. STUXNET. It was remarkable because of its sophistication and use for espionage. It was thought to have been programmed to halt Iran’s nuclear program.
2. Aurora. It hit Google and other big software companies last Christmas and it was remarkable because it managed to steal sensitive information from these giants.
3. ZeuS. It’s a Do-It-Yourself (DIY) botnet toolkit that has become very popular in the underground.
4. SpyEye. Touted as ZeuS’s successor, recent accounts tell how it will carry ZeuS’s source code into a more sophisticated code base.
5. KOOBFACE. It was remarkable because it spread through social networks from Facebook to Twitter.
6. BREDOLAB. A botnet that was used to spread other malware, acting as some sort of malware-deploying platform.
7. TDSS/Allurion. It has one of the most complex rootkit components ever seen.
8. Mebroot. A spamming botnet that used a rootkit that could survive Windows re-installation.
9. FAKEAV. It’s the scam of choice of most of modern malware so all infections have a fake antivirus scam as a visible payload.
10. Boonana. The Mac version of KOOBFACE.

During 2010 Facebook became the most popular Internet site for USA surfers. While it provides a neat way of staying in touch with family and friends, this highly popular site also attracts bad guys who wish to take advantage of others or to seed malware.

During the coming year, some Best Practices for Facebook safety include:

1. Use a "text only" type approach, by avoiding suspicious links or potentially malicious applications that are constantly circulating.
2. Users should also safeguard their privacy by locking down key Privacy control settings.
3. Users should avoid storing or posting sensitive information.
4. Check out a new "Friend" request by examining their profile thoroughly before accepting them.
5. Ensure a complex password is set which differs from the email address used to register the account (and change it at least annually).

Facebook passes Google as most visited site of 2010

QUOTE: For the first time ever, U.S. Web surfers visited the social networking site more than any other site in 2010, beating out Internet behemoth Google, according to a report from Hitwise, an Internet analytics firm. Facebook, which had a flood of good and bad publicity last year, grabbed 8.93% of all U.S. visits between January and November 2010. Google, which had been in the top spot in 2009, slipped to the No. 2 position with 7.19% of all visits, Hitwise said. The analytics firm also reported that Yahoo! Mail came ranked third with 3.52% of all visits, while the main Yahoo! site was fourth with 3.3%. YouTube rounded out the top five with 2.65% of all site visits.

Please avoid all untrusted Happy New Year e-card links. The Shadowserver Foundation is warning of a newly discovered, advanced malicious botnet that resembles the Storm Worm design.

New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0?

QUOTE: Those of us here at Shadowserver hope you're having a wonderful holiday season and are ready to bring in the new year. We were trying to relax and enjoy relatively quiet times until we noticed a new spam campaign that recently started. At first it looked like your regular old holiday e-card scams that have been around for years.

However, upon closer inspection it looks like we could be dealing with the next generation of Storm Worm or Waledac. If you consider Waledac to be Storm Worm 2.0, this looks like it could be version 3.0 or at least Waledac 2.0. There are no real version numbers of course, but we don't have anything else to call it yet. What's it involve you ask?

Well here's the list of what we've seen so far:

* Large scale Spam campaigns sending out e-mails with links
* New malicious domains that are fast flux! (TTL of 0 and name servers that frequently update IPs)
* Links are to several hacked websites hosting HTML pages that refresh to new malicious domains
* Links are also directly to new malicious domains
* Malicious domains hosting links to fake flash player and refreshes to exploit pages
* Malware installs that begin beaconing to several hosts over HTTP (what we dubbed HTTP2p with Waledac)
* Malware that's been updated to look a bit more legitimate than past variants
* A very buggy network that is not often available (upstream devices not available)
* Changing/Updated binaries

AVOID THESE E-CARD MESSAGES: Let's start with the Spam Campaign. We've seen a multitude of subject lines and bodies. Below you'll find a list of subjects we've seen and an example e-mail message. These are coming from all over the Internet with spoofed sender addresses.

Greeting for you!
Greeting you with heartiest New Year wishes
Greetings to You
Happy New Year greetings e-card is waiting for you
Happy New Year greetings for you
Happy New Year greetings from your friend
Have a happy and colorful New Year!
l want to share Greeting with you
New Year 2011 greetings for you
You have a greeting card
You have a New Year Greeting!
You have received a greetings card
You've got a Happy New Year Greeting Card!
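The fast-flux traits Shadowserver lists above (TTL of 0, name servers that keep rotating IPs, many hosts spread across different networks) can be turned into a triage check over resolver logs or passive-DNS data. This is an added example, not Shadowserver's code: the domains and addresses are constructed from documentation ranges, and the thresholds are assumptions that a real deployment would tune against its own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

@dataclass
class DnsObservation:
    """One A-record lookup of a domain as seen in resolver logs or passive DNS."""
    domain: str
    ttl: int
    answers: tuple  # IPs returned in that single response

# Constructed sample: documentation ranges only, not real infrastructure.
SAMPLE = [
    DnsObservation("newyear-ecard.example", 0, ("203.0.113.10", "203.0.113.77", "198.51.100.5")),
    DnsObservation("newyear-ecard.example", 0, ("198.51.100.200", "192.0.2.44", "203.0.113.9")),
    DnsObservation("newyear-ecard.example", 0, ("192.0.2.101", "203.0.113.150", "198.51.100.66")),
    DnsObservation("static-site.example", 3600, ("192.0.2.1",)),
    DnsObservation("static-site.example", 3600, ("192.0.2.1",)),
]

def summarize(observations):
    """Per-domain stats: unique IPs, distinct /24s, lowest TTL and IP churn between responses."""
    per = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None,
                               "new_after_first": 0, "answers_after_first": 0})
    for o in observations:
        s = per[o.domain]
        if s["min_ttl"] is not None:  # not the first response: count answers never seen before
            s["answers_after_first"] += len(o.answers)
            s["new_after_first"] += sum(1 for ip in o.answers if ip not in s["ips"])
        s["min_ttl"] = o.ttl if s["min_ttl"] is None else min(s["min_ttl"], o.ttl)
        for ip in o.answers:
            s["ips"].add(ip)
            s["nets"].add(str(ipaddress.ip_network(f"{ip}/24", strict=False)))
    for s in per.values():  # churn: share of later answers that were new IPs
        s["churn"] = (s["new_after_first"] / s["answers_after_first"]
                      if s["answers_after_first"] else 0.0)
    return dict(per)

def fast_flux_candidates(observations, max_ttl=300, min_ips=5, min_nets=3, min_churn=0.5):
    """Flag domains whose records look like a fast-flux network (thresholds are assumptions)."""
    flagged = []
    for domain, s in summarize(observations).items():
        if (s["min_ttl"] <= max_ttl and len(s["ips"]) >= min_ips
                and len(s["nets"]) >= min_nets and s["churn"] >= min_churn):
            flagged.append(domain)
    return sorted(flagged)
```

A flagged domain is a lead for analyst review rather than a verdict, since CDNs also answer with low TTLs and many addresses; the /24 and churn criteria are what separate rotating compromised hosts from a stable content network.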
