Monday, March 30, 2009
W32.SillyFDC.BBM - SecurityOrb.com Security Advisory
Updated: March 30, 2009 5:45:58 AM
Type: Worm
Infection Length: 26,624 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
W32.SillyFDC.BBM is a worm that spreads by copying itself to removable drives.
Protection
* Initial Rapid Release version March 29, 2009 revision 055
* Latest Rapid Release version March 29, 2009 revision 055
* Initial Daily Certified version March 30, 2009 revision 002
* Latest Daily Certified version March 30, 2009 revision 002
* Initial Weekly Certified release date April 1, 2009
Threat Assessment
Wild
* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy
Damage
* Damage Level: Low
Distribution
* Distribution Level: Medium
* Target of Infection: Removable drives
Thursday, March 26, 2009
Linux Desktop News from Google
* Red Hat CEO sees no need for Linux desktop today (TechSpot - USA): But its desktop and hardware support (of certain things) is just so crap. What I actually do these days is run a linux virtual machine inside vmware, ...
* Novell's SUSE Linux Enterprise Desktop 11: A true Windows replacement (Computerworld - Framingham, MA, USA): If you're looking for a practical business desktop replacement for Windows, your best choice is the latest version of SUSE Linux Enterprise Desktop. ...
* (Computerworld - Framingham, MA, USA): SLED 11 comes with OpenOffice, which has no trouble reading or writing any Microsoft Office document's format. "A few days ago, Steve Ballmer stirred up a ...
* Htop, a tip-top ncurses interactive tool for system monitoring ... (Free Software Magazine - USA): ... to use this dinky interactive application to manage running applications and processes on your desktop. All GNU/Linux distros come with top installed. ...
* Full version of Windows 7 on Samsung Netbooks? Maybe (CNET News - San Francisco, CA, USA): ... OS onto a desktop or laptop as opposed to buying a separate OS from Microsoft. Also, netbooks with Linux/Android will just increase in capability making ...
* Does Linux Need A Desktop To Realize Its Potential? (InformationWeek - Manhasset, NY, USA): Word from an open source conference this week is that some key Linux proponents don't see the need for a desktop product. I'm not certain how it realizes ...
* Aussies! Grab a sub $200 Linux desktop - today only! (iTWire - Australia): You need to supply your own monitor, keyboard and mouse - but to get a fully working and relatively modern Ubuntu Linux desktop computer sent direct for ...
* Novell Desktop Linux Ready for Enterprise, but Lacks Some Features (eWeek - New York, NY, by Jason Brooks): With its SUSE Linux Enterprise Desktop 11, Novell is backing up its claim that the Linux distribution is ready for businesses to use. ...
* Red Hat CEO questions desktop's relevance in Linux debate (InfoWorld - San Francisco, CA, USA): There is some money in the Linux desktop, but not much, Whitehurst said. "We do have a desktop [version of Linux], but we typically sell it to big server ...
* Launching a Linux Startup: No Funny Business (LinuxInsider.com - Encino, CA, USA): Yeah, Linux on the desktop has some issues, but the serious demand for Linux sysadmins creates demand for those skills. Surely, I thought, creating an ...
Monday, March 23, 2009
Guide to Integrating Forensic Techniques into Incident Responses
The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.
Forensic investigators typically follow a standard set of procedures. After physically isolating the computer in question so it cannot be accidentally contaminated, investigators make a digital copy of the hard drive. Once the original drive has been copied, it is locked in a safe or other secure storage facility to preserve its pristine condition, and all investigation is done on the digital copy.
The National Institute of Standards and Technology "Guide to Integrating Forensic Techniques into Incident Responses" covers four phases, which are briefly summarized below. For the complete 121-page NIST publication, download draft SP 800-86 at http://csrc.nist.gov/publications/nistpubs.
1 - Collection: Identify, label, record and acquire data from possible sources, while preserving the integrity of the data.
2 - Examination: Use manual and automated methods to assess and extract data of particular interest, while preserving the integrity of the data.
3 - Analysis: Use legally justifiable methods and techniques to derive useful information.
4 - Reporting: Describe actions used, explain how tools and procedures were selected, determine what other actions need to be performed, including forensic examination of additional data sources, securing identified vulnerabilities and improving existing security controls. Recommend improvements to policies, guidelines, procedures, tools and other aspects of the forensic process.
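The collection step above (acquire while preserving integrity) and the "work only on the copy" rule from the procedure description are usually enforced with hashes and a written custody record. The following is an added example, not code from the NIST guide or from SecurityOrb.com: it acquires a copy of a source file that stands in for a drive image, hashes source and copy in chunks, writes a custody record, and re-verifies the working copy before examination. The byte string `SAMPLE_IMAGE`, the case label and the examiner identifier are constructed for the demo; the file layout and record format are assumptions, not a standard.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (not real evidence data).
SAMPLE_IMAGE = b"MBR\x00" + bytes(range(256)) * 64 + b"END"


def hash_file(path, algo="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a multi-GB image never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source_path, dest_dir, label, examiner):
    """Collection phase: copy the source, hash both sides, record custody.

    The acquisition is rejected outright if the copy does not hash
    identically to the source, so a bad copy never becomes 'the evidence'.
    """
    image_path = os.path.join(dest_dir, f"{label}.img")
    shutil.copyfile(source_path, image_path)
    source_hash = hash_file(source_path)
    image_hash = hash_file(image_path)
    if source_hash != image_hash:
        raise RuntimeError("acquired image does not match source")
    record = {
        "label": label,                     # hypothetical case/evidence label
        "examiner": examiner,               # hypothetical examiner identifier
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": source_path,
        "image": image_path,
        "sha256": image_hash,
        "size_bytes": os.path.getsize(image_path),
    }
    with open(os.path.join(dest_dir, f"{label}.custody.json"), "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify(record):
    """Examination/reporting phases: confirm the working copy still matches
    the hash recorded at acquisition time."""
    return hash_file(record["image"]) == record["sha256"]


def demo():
    """Run the whole flow in a temp dir; returns (intact, tampered, hash_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "original_device")
        with open(src, "wb") as f:
            f.write(SAMPLE_IMAGE)
        rec = acquire(src, tmp, "CASE-0001-HDD1", "examiner@example.org")
        intact = verify(rec)
        # Simulate an accidental write to the working copy: verification must fail.
        with open(rec["image"], "r+b") as f:
            f.seek(4)
            f.write(b"\xff")
        tampered = verify(rec)
        hash_ok = rec["sha256"] == hashlib.sha256(SAMPLE_IMAGE).hexdigest()
        return intact, tampered, hash_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Hashing both the source and the copy at acquisition time is what lets the reporting phase state, with evidence, that the examined data is what was collected; re-running `verify` before each examination session catches an accidental write to the working copy (the second result above) before any conclusion is drawn from it.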
Wednesday, March 18, 2009
BBC Purchases Botnet from Hackers: Is It Illegal, Unethical or OK?
Sources:
http://www.eweek.com/c/a/Security/BBC-Program-Purchases-Botnet-Touches-off-Ethical-Debate-859181/
http://www.informationweek.com/blog/main/archives/2009/03/bbc_botnet_expe.html
Rod Beckstrom resigns after 12 months as U.S. National Cyber Security Chief
President Obama is conducting a review of our national security policy.
Sources:
• http://www.forbes.com/2009/03/09/rod-beckstrom-security-technology-security-beckstrom.html
• http://www.nydailynews.com/news/politics/2009/03/10/2009-03-10_obamas_cybersecurity_chief_rod_beckstrom.html
• http://www.reuters.com/article/domesticNews/idUSTRE5260I620090307
• http://www.eweek.com/c/a/Security/After-Only-12-Months-Another-US-Cyber-Chief-Resigns/
Monday, March 16, 2009
The SecurityOrb.com Article Submission Guidelines
Articles are reviewed on the basis of relevance (suitability for our readership), timeliness (how in sync with the industry it is), utility (how directly useful it is), credibility (citations, scholarly awareness), and innovation (how uncommon the topic is).
An excellent article
– Is relevant to a security practitioner, our chief audience
– Is related to current trends, technologies and industry issues
– Leans toward practical insights rather than general perspectives
– Carefully cites sources and shows knowledge of the work of industry thinkers
– Covers subject matter that catches the curiosity of our readers
Please adhere to the following guidelines:
1. All articles must be the original work of the author; you will be asked to sign an affidavit to that effect.
2. All articles become the property of SecurityOrb.com for a period of 12 months, after which copyright reverts to the author.
3. Articles run between 500 and 2,000 words, unless otherwise specified by the editor.
4. Articles will be peer-reviewed by a panel of experts in the security field to ensure the quality, accuracy, and relevance of the work.
5. All accepted manuscripts are edited for adherence to SecurityOrb.com's format and style, clarity, succinctness, syntax and punctuation. Please write clearly and concisely.
6. Authors are encouraged to supply relevant artwork (charts, diagrams and maps) that helps to clarify points in the article. Please include the artwork as separate .tif, .jpg or .eps files (300 dpi @ 100% or greater resolution).
7. SecurityOrb.com requires proper references so readers can locate the key information sources used when writing the article.
8. It is SecurityOrb.com's policy to include the author's email address so that readers may contact him or her directly with questions or comments. If this is a problem, please contact the editor.
9. Please include a short biography at the end of your article – just a couple of lines saying who you are and what you do is fine.
10. Please send articles as attached files to the editor at editor@securityorb.com. Microsoft Word is best. Please do not send articles in PDF format.
Sunday, March 15, 2009
Trojan.Wincod
Protection
- Initial Rapid Release version March 7, 2009 revision 016
- Latest Rapid Release version March 7, 2009 revision 018
- Initial Daily Certified version March 7, 2009 revision 022
- Latest Daily Certified version March 7, 2009 revision 022
- Initial Weekly Certified release date March 11, 2009
Threat Assessment
Wild
- Wild Level: Low
- Number of Infections: 0 - 49
- Number of Sites: 0 - 2
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Easy
Damage
- Damage Level: Low
- Payload: Displays message boxes and modifies settings on the compromised computer.
Distribution
- Distribution Level: Low
Saturday, March 14, 2009
SecurityOrb.com Security Advisory - W32.Downadup.C
Note: Some vendors have detected W32.Downadup samples as Conficker.C or Downadup.B++. Symantec's W32.Downadup.C is a different detection and is not to be confused with these Conficker.C and Downadup.B++ detections.
For more information, please read the following:
W32.Downadup.C Digs in Deeper
Protection
- Initial Rapid Release version March 6, 2009 revision 036
- Latest Rapid Release version March 13, 2009 revision 064
- Initial Daily Certified version March 6, 2009 revision 037
- Latest Daily Certified version March 14, 2009 revision 003
- Initial Weekly Certified release date March 11, 2009
Threat Assessment
Wild
- Wild Level: Low
- Number of Infections: 0 - 49
- Number of Sites: 0 - 2
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Easy
Damage
- Damage Level: High
- Payload Trigger: File downloading is triggered after 1st April 2009.
- Payload: Attempts to download files from a predetermined list of addresses. Also attempts to intercept and redirect DNS requests to prevent access to certain Web sites.
- Compromises Security Settings: Stops certain Windows services and security related processes.
Distribution
- Distribution Level: Low
- Target of Infection: Computers already infected by earlier variants of the W32.Downadup family of worms.
Friday, March 13, 2009
Security Job Posting - Security Analyst - Durham, NC
bikram@pyramidci.com
(212) 381-1120 Ext.524
Pyramid Consulting
11100 Atlantis Place
Alpharetta, GA 30022
Fax: 678-840-2109
www.pyramidci.com
If you are a current Pyramid employee, or are working at a Pyramid client site, please ignore this message.
The opportunity is a Security Analyst contract in Durham, NC, funded for 12 months (contract to hire).
To qualify, the ideal candidate will have [key skills, experiences].
Job Description: Responsible for supporting and monitoring clients' network security infrastructure. The candidate will be responsible for validating attacks against clients' networks and assessing the impact. If any countermeasures are required, the candidate is responsible for making the appropriate recommendation and implementing the resolution. Ultimately responsible for defining, tracking and maintaining the standard baselines and configuration sets of all managed and/or monitored security devices and implementing industry best practices with regard to firewall, IDS/IPS, VPN and network configurations. The candidate must also spend a proportion of his/her time keeping up with current vulnerabilities, attacks and appropriate countermeasures. May interface with other stakeholders including vendors, application development and technical support staff, and clients. Additionally, will provide advanced technical support to Security Engineers in the Security Operations Center.
Skills Inventory
1) Intrusion Detection - Expert - Required
2) Firewalls - Expert - Required
3) TCP/IP - Expert - Required
4) System Admin - Intermediate - Desired
5) Routing/Switching - Intermediate - Desired
6) IP Packet Analysis - Expert - Required
If you are interested, please forward an updated resume and contact information as soon as possible. If you are already engaged please drop us a line and let us know what your current status is.
And as always, please forward this to anyone you feel would be a good match.
For further details please contact me ASAP.
Sincerely yours,
Bikram Singh
Thursday, March 12, 2009
FBI raids office of D.C. CTO, Obama appointee
The search is part of “an ongoing investigation,” said Lindsay Gotwin, a spokeswoman for the FBI’s D.C. Field Office. She declined to comment further on the raid of the office, at 1 Judiciary Square.
The outgoing Chief Technology Officer, Vivek Kundra, was appointed Chief Information Officer by the Obama administration last week. His last day at the city government office was February 4, said Leslie Kershaw, a spokeswoman for D.C. Mayor Adrian Fenty. He was appointed to the Washington post in 2007.
“We know the FBI is over there but that’s all we know,” said a staffer in the D.C. CTO’s office, Mario Field, who was working from a separate location. Another source familiar with the raid said the FBI had sent all staffers other than senior executives home for the day. WTOP Radio reported that agents are searching the 9th and 10th floors of the building.
A White House spokesman had no immediate comment.
D.C. mayor’s spokeswoman Kershaw said, “Our office has been alerted of FBI’s being at CTO office, but we cannot comment until it’s over and we get more details.”
Credit Due:
http://www.politico.com/blogs/bensmith/0309/FBI_raids_office_of_DC_CTO_Obama_appointee.html
Wednesday, March 11, 2009
Palin E-Mail Hacker Faces Additional Charges
Source: NewsFactor.com
Gmail down; Outage could last 36 hours for some
Actually, the failure analysis is an interesting case study in Disaster Recovery.
Source: ComputerWorld.com
Tuesday, March 3, 2009
Backtrack 4 Beta Has Been Released...
The beta release of Backtrack 4 is out, and it looks pretty good. Check out the link…
Monday, March 2, 2009
SecurityOrb.com Security Advisory
Trojan.Neprodoor!inf
Risk Level 1: Very Low
Discovered: March 2, 2009
Updated: March 2, 2009 8:02:14 PM
Type: Trojan
Infection Length: 213,120 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Trojan.Neprodoor!inf is a detection for infected ndis.sys driver files.
Protection
* Initial Rapid Release version March 2, 2009 revision 032
* Latest Rapid Release version March 2, 2009 revision 032
* Initial Daily Certified version March 2, 2009 revision 035
* Latest Daily Certified version March 2, 2009 revision 035
* Initial Weekly Certified release date March 4, 2009
Threat Assessment
Wild
* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy
Damage
* Damage Level: Low
Distribution
* Distribution Level: Low
Once the infected driver file executes, it injects a malicious thread into the services.exe process.
The injected thread then creates the following mutex so that only one instance of the back door runs:
CTR.[16 HEXADECIMAL DIGITS]
Then the infected driver file may modify the following registry entries:
* HKEY_LOCAL_MACHINE\Software\AGProtect\"Cfg" = "[BINARY DATA]"
* HKEY_CURRENT_USER\Software\AGProtect\"Cfg" = "[BINARY DATA]"
Next, it will attempt to establish a TCP connection with one of the following hosts using port 80:
* 208.43.137.123
* 218.61.7.9
* 218.61.33.117
* 221.12.89.137
* 222.138.109.32
* 222.186.12.227
It uses an encrypted custom protocol to communicate with the remote servers and can perform any of the following actions:
* Provide confidential information about the compromised computer.
* Download and execute binary files sent by the remote attacker.
* Act as a TCP proxy.
The infected driver file includes the functionality to protect the infected ndis.sys from being overwritten. It also presents a non-infected image of ndis.sys to applications that attempt to read the infected file.
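The advisory lists three host- and network-side indicators a defender can check for: the `CTR.[16 HEXADECIMAL DIGITS]` mutex, the `Cfg` value under `Software\AGProtect` in either hive, and outbound TCP connections to the six listed addresses on port 80. The script below is an added example, not Symantec's or SecurityOrb.com's own tooling: it matches those indicators against a list of mutex names, a list of exported registry values and a set of firewall log lines, all of which are constructed here for the demo (the firewall line format, the internal 10.0.0.x addresses and the benign 198.51.100.7 destination are assumptions, not real data).

```python
import re

# Indicators taken directly from the advisory above.
C2_HOSTS = {
    "208.43.137.123", "218.61.7.9", "218.61.33.117",
    "221.12.89.137", "222.138.109.32", "222.186.12.227",
}
MUTEX_RE = re.compile(r"^CTR\.[0-9A-Fa-f]{16}$")
REGISTRY_KEY_RE = re.compile(
    r"^(HKEY_LOCAL_MACHINE|HKLM|HKEY_CURRENT_USER|HKCU)\\Software\\AGProtect$",
    re.IGNORECASE,
)

# Assumed firewall log layout: "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
FW_LINE_RE = re.compile(
    r"^\S+ (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def check_mutexes(names):
    """Return mutex names matching the CTR.<16 hex digits> pattern."""
    return [n for n in names if MUTEX_RE.match(n)]


def check_registry(entries):
    """entries: (key_path, value_name) pairs, e.g. from a hive export.
    Flags the Cfg value under Software\\AGProtect in either hive."""
    return [(k, v) for k, v in entries
            if REGISTRY_KEY_RE.match(k) and v.lower() == "cfg"]


def check_firewall(lines):
    """Return (src, dst) pairs for TCP connections to a listed host on port 80.
    Malformed lines are skipped rather than raising."""
    hits = []
    for line in lines:
        m = FW_LINE_RE.match(line.strip())
        if not m:
            continue
        if m["proto"] == "TCP" and m["dst"] in C2_HOSTS and m["dport"] == "80":
            hits.append((m["src"], m["dst"]))
    return hits


def scan(mutexes, registry, fw_lines):
    """Run all three checks and return the findings as one dict."""
    return {
        "mutexes": check_mutexes(mutexes),
        "registry": check_registry(registry),
        "connections": check_firewall(fw_lines),
    }


# Constructed sample data for the demo (not observations from a real host).
SAMPLE_MUTEXES = ["CTR.0123456789ABCDEF", "CTR.ABC", "CTR.0123456789ABCDEG", "Global\\MsiMutex"]
SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\Software\AGProtect", "Cfg"),
    (r"HKEY_CURRENT_USER\Software\AGProtect", "Other"),
    (r"HKCU\Software\AGProtect", "cfg"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows", "Cfg"),
]
SAMPLE_FW_LINES = [
    "2009-03-02T20:02:14Z allow TCP 10.0.0.15:49211 -> 208.43.137.123:80",
    "2009-03-02T20:02:15Z allow TCP 10.0.0.15:49212 -> 198.51.100.7:80",
    "2009-03-02T20:02:16Z allow UDP 10.0.0.15:53412 -> 218.61.7.9:80",
    "2009-03-02T20:02:17Z allow TCP 10.0.0.22:50001 -> 222.186.12.227:443",
    "this line is not a firewall record",
]


def demo():
    return scan(SAMPLE_MUTEXES, SAMPLE_REGISTRY, SAMPLE_FW_LINES)


if __name__ == "__main__":
    for kind, found in demo().items():
        print(kind, found)
```

The advisory's last paragraph matters for how the host checks are run: because the driver presents a clean image of ndis.sys to anything that reads it on the live system, hashing that file from the running machine proves nothing, and the mutex and registry checks are likewise only as trustworthy as the host they run on. The firewall-log check is the one indicator the infected host cannot hide, which is why it is worth keeping alongside the host-side ones.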