March 2005 - Posts

IBM Does Not Launch DoS Offensive Against Spammers

http://www.securitypipeline.com/news/159904380


I posted a story I caught on CNN this past week. There are now reports that the technology was misunderstood and that the claim of a DoS attack is simply not true.


“Some have taken the inquiry or challenge/response mechanism to mean that FairUCE will be returning spam to the sending system in a tit-for-tat counter-attack. Not true, said Marc Goubert, the manager of alphaWorks. "That's not what 'challenge' is about," he said. "We're returning inquiries for the domain to identify itself, not the spam.”


Posted by Anonymous | with no comments

Comments on Browser debate at myITforum.com/blog

When I posted information related to the Mozilla vulnerability, I wanted first and foremost to make Mozilla users aware, so they could take proper action.

With that said, I secretly thought it might get Rod fired up after all of his previous posts. I had no idea it would get Chris' attention. I have used most of the well-known browsers, including Internet Explorer (can't help but use that one), Firefox, Avant, and Opera. I must say that I do like tabbed browsing, and I wish that Firefox opened new windows tabbed. From a security standpoint, I do not like the idea of people claiming that Firefox is the “secure browser”. That would be like Harley-Davidson saying they have the “Safe Motorcycle”. You have the potential to get injured on any motorcycle, just as you have the potential to be affected by vulnerabilities in any browser.

Here are vulnerability lists from Secunia for several browsers:

Mozilla

Avant

Opera

Internet Explorer

I like motorcycles, so that is why I am using them as an example. One might argue that motorcycle X is involved in fewer accidents than all of the rest, therefore motorcycle X is the safest. I’m willing to bet that someone is going to say that browser X has a lower number of vulnerabilities and is more secure. If you jump to that conclusion, you are missing my point. There is a potential for accidents to occur on all motorcycles, just as there is a potential that your system could be compromised while using any internet browser. I think it is irresponsible to bill a browser as the “safe browser”.

There is another issue I am concerned with. I am a firm believer of the KISS principle. (Keep It Simple Stoopid, for those that are not on the same planet as us) The more services running on a system, the higher the probability is that your system is vulnerable to attack. I think the same goes for adding a second browser. You now have two browsers (Internet Explorer, which is embedded in the OS, and the second browser you added) that you have to worry about having potential security issues with. You now have two browsers to patch when a security vulnerability is discovered.

Adding to the conflict, from an administration standpoint in an enterprise environment, I have not seen a product that manages the other browsers from a central location. For Internet Explorer, at least you can use Group Policy to adjust the browser's settings.

I recommend that home users use whatever browser they like best, but be sure to update both.

I recommend that enterprise administrators consider manageability, and the fact that there is an inherent risk associated with using any Internet Browser, when making decisions on which browser is right for your organization.

Anyway, that's my two cents.

P.S. I hope Rod doesn't have me down as a marked man now ; )

Mozilla Foundation GIF Overflow (Mozilla web browsers and Thunderbird mail client)

https://www.it-isac.org/postings/cyber/alertdetail.php?id=2837


Mozilla Foundation GIF Overflow
Synopsis:

ISS has shipped protection for a flaw X-Force has discovered in the GIF
image processing library used in software developed by the Mozilla
Foundation. This library is used by the Firefox web browser, the Mozilla
browser, and Mozilla's Thunderbird Mail client. By crafting a GIF file in
a malicious manner, an attacker is able to trigger a heap overflow within
the application viewing the image, leading to arbitrary code execution and
remote compromise.

Impact:

Compromise of networks and machines using affected Mozilla products
may lead to exposure of confidential information, loss of productivity,
and further network compromise. An attacker would be required to cause
a user to view a malicious website or email containing a maliciously
crafted image. Successful exploitation would grant an attacker the privileges
of the user viewing the image, up to and including administrative privileges.

Affected Versions:

Firefox - all versions prior to 1.0.2
Mozilla web browser - all versions prior to 1.7.6
Mozilla Thunderbird Mail - all versions prior to 1.0.2

Note: Additional versions may be affected, please contact your
vendor for confirmation.


Description:

Graphic Interchange Format (GIF) is a common and established image
standard. This image format is widely supported in applications that
view images, including web browsers and email clients developed by
the Mozilla Foundation.

Mozilla Foundation software makes use of a common image library to
render GIF images. This library contains a buffer overflow vulnerability
when processing a Netscape-specific extension block in GIF images.
Exploitation of this buffer overflow can lead to remote compromise of
affected machines with minimal user-interaction.

In order to exploit this vulnerability, an attacker would be required
to induce the victim to view a web page or email message containing a
maliciously-crafted GIF image.


Recommendations:

The ISS X-Press Updates detailed have the ability to protect
against attack attempts targeted at Mozilla products.


Additional Information:

ISS has provided preemptive protection for these vulnerabilities. We
recommend that all customers apply applicable ISS product updates.

Network Sensor 7.0, Proventia A and G100, G200, G1200:
XPU 24.3 / 3/14/05
Image_GIF_Netscape_Extension_BO

Proventia M and G400, G2000:
XPU 1.42 / 3/14/05
Image_GIF_Netscape_Extension_BO

Server Sensor 7.0:
XPU 24.3 / 3/14/05
Image_GIF_Netscape_Extension_BO

Desktop Protector 7.0:
Version EOB / 3/14/05
Image_GIF_Netscape_Extension_BO

BlackICE Agent for Server 3.6:
Version EOB / 3/14/05
Image_GIF_Netscape_Extension_BO

Internet Scanner 7.0:
XPU 7.44 / March 10, 2005
VulnerableMozillaProductDetected

These updates are now available from the ISS Download Center at:
http://www.iss.net/download.

Mozilla Foundation Security Advisory:
http://www.mozilla.org/security/announce/mfsa2005-30.html

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0399 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

Credit:

This vulnerability was discovered and researched by Mark Dowd of the ISS X-Force.


Posted:
03/23/2005
Vendor Notified:
03/23/2005
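The advisory above places the flaw in the handling of the Netscape-specific extension block. The Python below is an added example for this post, not Mozilla's or ISS's code: a bounds-checked walk of a GIF file's block structure that shows where the NETSCAPE2.0 application extension sits and refuses to read a data sub-block whose length byte points past the end of the file, which is the class of check an image decoder needs before copying sub-block data anywhere. The two sample images are constructed inline, and `parse_gif`, `read_sub_blocks`, `is_well_formed` and `GifError` are names chosen here.

```python
"""Bounds-checked walk of a GIF file's block structure.

Added example for this post, not Mozilla's or ISS's code. It shows the
layout of the NETSCAPE2.0 application extension and rejects any data
sub-block whose length byte runs past the end of the input instead of
trusting that byte. The sample images at the bottom are constructed.
"""
import struct


class GifError(ValueError):
    """Raised for a truncated or malformed GIF."""


def _need(data, pos, n):
    # Every read goes through this check, so a length byte in the file can
    # never cause a read (or copy) beyond the buffer that holds the file.
    if pos + n > len(data):
        raise GifError(f"truncated: need {n} byte(s) at offset {pos}, "
                       f"only {len(data) - pos} left")


def read_sub_blocks(data, pos):
    """Read a chain of data sub-blocks: one length byte, then that many
    bytes, repeated until a zero length byte. Returns (payload, pos)."""
    out = bytearray()
    while True:
        _need(data, pos, 1)
        size = data[pos]
        pos += 1
        if size == 0:
            return bytes(out), pos
        _need(data, pos, size)  # the check a naive "copy size bytes" skips
        out += data[pos:pos + size]
        pos += size


def parse_application_ext(payload):
    """Application extension: 8-byte identifier, 3-byte auth code, then
    application data. NETSCAPE/2.0 carries 0x01 plus a 16-bit loop count."""
    if len(payload) < 11:
        raise GifError("application extension shorter than its 11-byte header")
    ident, auth, rest = payload[:8], payload[8:11], payload[11:]
    info = {"identifier": ident, "auth": auth}
    if ident == b"NETSCAPE" and auth == b"2.0":
        if len(rest) != 3 or rest[0] != 0x01:
            raise GifError("malformed NETSCAPE2.0 looping block")
        info["loop_count"] = struct.unpack("<H", rest[1:3])[0]
    return info


def parse_gif(data):
    """Return a list of (block type, details) tuples, or raise GifError."""
    _need(data, 0, 13)  # 6-byte signature + 7-byte logical screen descriptor
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise GifError("bad signature")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    blocks = [("header", {"width": width, "height": height})]
    pos = 13
    if packed & 0x80:  # global colour table present
        table = 3 * (1 << ((packed & 0x07) + 1))
        _need(data, pos, table)
        pos += table
    while True:
        _need(data, pos, 1)
        introducer = data[pos]
        pos += 1
        if introducer == 0x3B:  # trailer
            blocks.append(("trailer", {}))
            return blocks
        if introducer == 0x21:  # extension: label byte, then sub-blocks
            _need(data, pos, 1)
            label = data[pos]
            payload, pos = read_sub_blocks(data, pos + 1)
            if label == 0xFF:
                blocks.append(("application", parse_application_ext(payload)))
            else:
                blocks.append(("extension", {"label": label, "length": len(payload)}))
        elif introducer == 0x2C:  # image descriptor (9 bytes), then pixel data
            _need(data, pos, 9)
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:  # local colour table
                table = 3 * (1 << ((ipacked & 0x07) + 1))
                _need(data, pos, table)
                pos += table
            _need(data, pos, 1)  # LZW minimum code size
            pixels, pos = read_sub_blocks(data, pos + 1)
            blocks.append(("image", {"compressed_bytes": len(pixels)}))
        else:
            raise GifError(f"unknown block introducer 0x{introducer:02x}")


def is_well_formed(data):
    try:
        parse_gif(data)
        return True
    except GifError:
        return False


# Constructed samples: a 1x1 image that loops forever, and the same file cut
# off after a NETSCAPE2.0 sub-block that claims 255 bytes the file lacks.
HEADER = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x00, 0, 0)
GOOD_GIF = (HEADER
            + b"\x21\xFF\x0BNETSCAPE2.0" + b"\x03\x01\x00\x00" + b"\x00"
            + b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
            + b"\x02" + b"\x02\x44\x01" + b"\x00"
            + b"\x3B")
TRUNCATED_GIF = HEADER + b"\x21\xFF\x0BNETSCAPE2.0" + b"\xFF\x01\x00"

if __name__ == "__main__":
    print("good:", parse_gif(GOOD_GIF))
    print("truncated well-formed?", is_well_formed(TRUNCATED_GIF))
```

The walker only follows block boundaries; it does not decode LZW pixel data, so it is a structural pre-check rather than an image decoder. The same pattern of routing every read through one length check is what makes the decision on a hostile length byte a clean error instead of an out-of-bounds read.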

IBM launches a DoS offensive against spammers


http://money.cnn.com/2005/03/22/technology/ibm_spam/index.htm?cnn=yes

IBM to offer service to bounce unwanted e-mail back to the computers that sent them.

Many security experts have in the past objected to legitimate companies launching denial-of-service attacks against spammers. Lycos's attempt last fall, using a screensaver that created a DoS attack against spammers, failed and Lycos decided not to use the technology. I am sure this will create more debate on the subject.


Antivirus Product Vulnerabilities

McAfee made the cut on the ISS X-Force site today. Systems running the latest engine, which is 4400 (issued November 2004), are not affected. Also, protection was added to the 4.0.4436 DAT files, which were released March 1, 2005. If your engine is older, but your DATs are up to date, relax, and deploy the updated engine as soon as you can.

The following are the ISS advisories issued so far; it looks as if they have been working on all of the major antivirus vendors' products.

McAfee AntiVirus Library Stack Overflow - ( March 17, 2005)

Trend Micro AntiVirus Library Heap Overflow - ( February 24, 2005)

F-Secure AntiVirus Library Heap Overflow - ( February 10, 2005)

Symantec AntiVirus Library Heap Overflow - ( February 08, 2005)

AOL Instant messenger users 'waive right to privacy'

http://www.pcpro.co.uk/news/70262/aol-instant-messenger-users-waive-right-to-privacy.html


“Under the terms, while AOL concedes that AOL users own the content they may post via the service, AOL has the right to make use of that content in 'any compilation, collective work or other derivative work created by AOL using or incorporating this Content'. In addition, by agreeing to the licence AOL and its subsidiaries uses grant the rights to the company to 'reproduce, display, perform, distribute, adapt and promote this Content in any medium'. Neither is the content owner allowed to inspect or approve the uses to which that content might be made.”


There's just something about a chainsaw

This afternoon, I had to cut up a tree that fell down. Now, before I get a hundred emails from tree lovers, let me say on record that I love trees more than you can imagine. To this day, I still boycott Pep Boys auto parts for cutting down several very old and large oak trees to build a store. I also left the decaying trees that were next to it alone. I know the woodpeckers are going to be happy about that.

Anyway, back to the story. No matter how low your testosterone levels get, when you fire up that chainsaw and get to cutin', you feel like a brand new man. I wasn’t out there but for an hour, but I feel great. I came into the house sweaty, dirty, and smelling like freshly cut wood. I got a hot shower and cracked a cold beer. MAN, I FEEL GREAT!

P.S. I promised that my blog would be about viruses, so here ya go.


http://securityresponse.symantec.com/avcenter/venc/data/w32.chainsaw.worm.html

W32.Chainsaw.Worm

Discovered on: September 14, 2000
Last Updated on: April 15, 2002 05:03:45 PM

W32.Chainsaw is a network worm. It spreads to shared drives as Chainsaw.exe. The file has the hidden attribute.



Latest Virus Techniques 3-11-2005

A new virus that replicates via multimedia messaging services (MMS) on Symbian Series 60 cell phones

MMS lets users send messages that contain pictures or video or audio clips. The virus, dubbed CommWarrior.A, appears to be the first to use MMS as a vector.

http://vil.mcafeesecurity.com/vil/content/v_132238.htm

A virus that tries to evade malware analysis

W32.Toxbot

Checks for the presence of the virtual infrastructure software VMware by searching for the registry subkey HKEY_LOCAL_MACHINE\Software\VMware. The worm will not run on computers running this software.

This is interesting because many people use VMware to analyze malware. This appears to be an attempt to elude virus analysis.

*Note- this malware also tries to load in safe mode to prevent removal.

http://securityresponse.symantec.com/avcenter/venc/data/w32.toxbot.html

Trojan horse program that modifies DNS settings on the compromised computer

A malicious DNS server could report a fake IP address, directing your browser to a fake website. The concept of using a malicious DNS server isn’t new, but I could see the use of this method increasing as phishers look for more ways to get unsuspecting users to their spoofed websites.

http://www.sarc.com/avcenter/venc/data/trojan.flush.b.html

Latest Virus Techniques 3-7-2005

I wanted to create a section of my blog dedicated to tracking new techniques implemented by virus writers. This section will be called “Latest Virus Techniques” and will be updated as new methods are used in viruses.

Client – Server Architecture

There has been a ton of virus activity on the internet in the last few weeks. Several variants of the Bagle virus have been spammed out, and the latest ones were spread through a sophisticated spam campaign. Once it infects a system, the virus uses a client-server architecture: previous variants harvested addresses from the infected computer, but these new variants connect to a web back-end, which returns 50 unique email addresses that it generates using directory harvest techniques. Also, new variants are released in sequence as antivirus companies release virus definition files to protect against previous variants.

http://www.f-secure.com/weblog/#00000487

Safe Mode Service Start

The Bagle variants are not the only new concept we noticed. There was a variant of the SDBOT virus that created a service on the infected computer and dropped registry entries in order to start the virus in SAFE MODE. When cleaning viruses, you often have to clean the system in safe mode to prevent a malware service from starting. This method makes cleaning infected systems more difficult.

It creates and starts the following service:

Wireless Zero Daemon

The following registry keys are created:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WZDSVC   DisplayName = "Wireless Zero Daemon"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WZDSVC   ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WZDSVC   Description = "Provides automatic configuration for the 802.11 adapters"

It also creates the following registry keys so its service starts in Safe Mode:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\WZDSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZDSVC

 http://vil.mcafeesecurity.com/vil/content/v_132095.htm
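The SafeBoot\Minimal and SafeBoot\Network keys used by this SDBOT variant, and the interface DNS settings that the Trojan.Flush.B item in the 3-11-2005 entry changes, are both visible in a plain registry export. The Python below is an added example for this post, not code from McAfee, Symantec or the blog: it parses a constructed `.reg` export, reports Safe Mode service entries that are not in a baseline taken from a known-clean machine, and reports configured NameServer addresses outside an allowed list. The baseline set, the allowed resolver addresses, the interface GUID and the function names are all constructed here.

```python
"""Offline checks over a Windows registry export (.reg).

Added example for this post (not McAfee's, Symantec's or the blog's code).
Two checks: services registered to start in Safe Mode that are not in a
known-clean baseline, and DNS servers on any interface outside an allowed
list. The export, baseline and allowed resolvers below are constructed.
"""
import re

# Constructed baseline of SafeBoot\Minimal entries; a real one is exported
# from a clean build of the same Windows version, not copied from here.
BASELINE_SAFEBOOT = {"base", "boot bus extender", "eventlog", "plugplay", "rpcss"}
# Constructed: the resolvers the organisation actually operates.
ALLOWED_DNS = {"10.0.0.53", "10.0.1.53"}

# Constructed .reg export; the interface GUID is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WZDSVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WZDSVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CONSTRUCTED-GUID-0001}]
"NameServer"="10.0.0.53,203.0.113.9"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
SAFEBOOT_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
    r"(Minimal|Network)\\([^\\]+)$", re.IGNORECASE)
INTERFACE_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\"
    r"Parameters\\Interfaces\\[^\\]+$", re.IGNORECASE)


def parse_reg_export(text):
    """Map each key path to {value name: raw value text}; keys with no
    values map to an empty dict. Only the [key] and "name"=value line
    shapes are handled, which is all these two checks need."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2).strip()
    return keys


def find_safeboot_persistence(keys, baseline=BASELINE_SAFEBOOT):
    """(Minimal|Network, entry name) for SafeBoot entries not in the baseline."""
    hits = []
    for path in keys:
        m = SAFEBOOT_RE.match(path)
        if m and m.group(2).lower() not in baseline:
            hits.append((m.group(1), m.group(2)))
    return sorted(hits)


def find_rogue_dns(keys, allowed=ALLOWED_DNS):
    """DNS server addresses configured on any interface but not in `allowed`."""
    rogue = []
    for path, values in keys.items():
        if not INTERFACE_RE.match(path):
            continue
        raw = values.get("NameServer", "").strip('"')
        for server in re.split(r"[,\s]+", raw):
            if server and server not in allowed:
                rogue.append(server)
    return rogue


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    print("Safe Mode entries outside baseline:", find_safeboot_persistence(parsed))
    print("DNS servers outside allowed list:", find_rogue_dns(parsed))
```

Comparing against a baseline rather than a blocklist of names is deliberate: the service name in this post is chosen to look like the legitimate Wireless Zero Configuration service, so a check keyed on "suspicious-looking" names would miss it, while any Safe Mode entry a clean build never had stands out regardless of what it is called.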

Once infected, harden security to prevent, umm, infection.

This past weekend, W32.Kobot.L emerged. It opens a backdoor on the computer that allows it to be controlled via an IRC channel, changes computer settings to harden security, and even downloads patches from Windows Update to prevent the system from being compromised by another virus or hacker.

http://www.myitforum.com/blog/cmosby/archive/2005/03/07/3785.aspx

McAfee Anti-Spyware Enterprise Released

McAfee released the anti-spyware module for VirusScan Enterprise. The module is a plugin for VirusScan Enterprise, and the detection updates are included in the DAT files. This product will detect a fair amount of spyware right now, but it is expected to get better in time as spyware is submitted to AVERT for inclusion in the daily DAT files. You can check out the datasheet here. The great benefit here is that the product ties into your existing VirusScan software, which can be managed by ePolicy Orchestrator or Protection Pilot.

Documentation


Intel demonstrates their technology to thwart viruses

Intel demonstrated how their Active Management Technology (AMT) and Virtualization Technology (VT) can be used to protect users from downtime associated with a virus infection.


http://www.nwfusion.com/news/2005/0301iamt.html?fsrc=rss-security

“He simulated the effects of a virus outbreak on two systems, one without AMT and VT, and one with the features.”

“The system without the technologies was forced to disconnect from the network once the virus appeared on the system, and was offline for an extended period of time while operating system updates were uploaded to that machine. However, a machine with both VT and AMT was able to create a protected virtual operating system that could download the updates and keep the user going with only a slight interruption in connectivity, Gelsinger said.”



W32/Bagle.dldr has been Upgraded to Medium due to prevalence


Advisory

This is a Medium Threat Advisory Upgrade for W32/Bagle.dldr. This Threat has had its Risk Assessment Upgraded to Medium from Low.

Justification

W32/Bagle.dldr has been Upgraded to Medium due to prevalence.

Read About It

Information about W32/Bagle.dldr is located on VIL at:
http://vil.mcafeesecurity.com/vil/content/v_129512.htm

Detection

W32/Bagle.dldr was first discovered on 11/01/2004 and new variant detection will be added to the 4437 dat files (Release Date: 03/01/2005). The EXTRA.DAT will be available soon.

If you suspect you have W32/Bagle.dldr, please submit a sample to http://www.webimmune.net.

Risk Assessment Definition

For further information on the Risk Assessment and AVERT Recommended Actions please see:
http://www.mcafeesecurity.com/us/security/resources/risk_assessment.htm

Best Regards,

McAfee AVERT - Anti Virus and Vulnerability Research, Analysis, and Solutions
visit us at www.avertlabs.com
