Showing posts with label Computer Virus. Show all posts

Wednesday, June 3, 2009

Microsoft Zero-Day DirectX Flaw

Vulnerability Details

Microsoft has reported a critical new vulnerability in Microsoft DirectX affecting older versions of Windows. The vulnerability could allow remote code execution if a user opens a rogue QuickTime media file. Microsoft reports limited, active attacks that use this exploit code.

The vulnerability exists in the way a DirectX application programming interface known as DirectShow handles supported QuickTime files. By manipulating the format, attackers can gain the same system privileges assigned to the logged-in user. The Microsoft Security Advisory states: “If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Affected Software

  • Windows 2000 Service Pack 4
  • Windows XP
  • Windows Server 2003

All versions of Windows Vista, Windows Server 2008, and the beta version of Windows 7 are NOT vulnerable. In addition, Apple’s QuickTime player is NOT affected.

Please consult the official Microsoft Security Advisory for details on workarounds, fixes and patch availability.



Workaround

Microsoft has issued a workaround that disables the automatic QuickTime parsing on machines running Windows 2000, Windows XP or Windows Server 2003.



Recommendations

Keep your anti-virus products up-to-date with the current pattern files.

Wednesday, April 1, 2009

MS08-067 Attacks: Conficker Worm

Malicious authors have continued to develop MS08-067 worms since Microsoft made this security patch available on October 23, 2008. The latest development ramps up the danger: this new worm deletes system restore points, creates a backdoor to download more malicious code, and even patches the RPC vulnerability to further disguise its presence.

While AV protection and firewalls can mitigate attacks to port 445, the best defense is to ensure all PCs are up-to-date for Microsoft security changes. For example, an unpatched PC might become infected if its firewall fails or isn't active when connected to the Internet. If this worm were present on a laptop, it could infect unpatched corporate web servers and PCs if Intranet firewall controls are missing.

This new worm represents the most advanced MS08-067 attack to date. As noted in every link, it's important to PATCH NOW if you have any systems that don't have this update.

New malware using an ms08-067 exploit gained momentum
http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
http://www.avertlabs.com/research/blog/index.php/2008/11/25/further-067-woes/
http://blog.trendmicro.com/ms08-067-vulnerability-botnets-reloaded/
http://isc.sans.org/diary.html?storyid=5401

QUOTE: First let me say, “PATCH your systems” if you have not done so already! Seriously, you and your machines are sitting ducks for attacks such as MS08-067, which we learned about from Microsoft last month. This type of attack is especially dangerous if your Windows Updates or security products are not up to date. Microsoft released its out-of-cycle emergency patch on the 23rd of October–more than one month ago–so you have no excuse today for being at risk!

According to the description in our Virus Information Library, W32/Conficker.worm decides how it will load itself as a Windows Service depending on whether the compromised version of Windows is Windows 2000. Once loaded in the service space, the worm attempts to download files from the Internet.

The worm continues by setting up an HTTP server that listens on a random port on the victim’s system while hosting a copy of the worm. It then scans for new vulnerable victims to exploit, at which point the new victim will download the worm from the previous victim and so on.
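The scanning behaviour described above (one infected host probing many peers on TCP/445) is also what a firewall log shows before any AV signature fires. The following is an added example, not code from the original post or from any of the linked vendors: it reads constructed firewall log lines in an assumed "timestamp src -> dst:port action" format and flags any source that reaches an unusually large number of distinct hosts on port 445 inside a sliding time window. The window length and threshold are assumptions to be tuned to your own network.

```python
"""Flag hosts fanning out to TCP/445 across many distinct peers within a
short window, the lateral-scanning pattern of MS08-067 worms such as Conficker.
Added example; the log format, window and threshold are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed format:
#   <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <ACTION>
# 10.0.0.5 sweeps seven hosts on 445 within 30 seconds (plus one hit two
# hours earlier, outside the window); 10.0.0.9 talks repeatedly to a single
# file server, which is normal SMB use; 10.0.0.7 is unrelated web traffic.
SAMPLE_LOG = """\
2008-11-25T08:00:00 10.0.0.5 -> 10.0.1.99:445 DENY
2008-11-25T10:00:01 10.0.0.5 -> 10.0.1.10:445 DENY
2008-11-25T10:00:03 10.0.0.5 -> 10.0.1.11:445 DENY
2008-11-25T10:00:05 10.0.0.5 -> 10.0.1.12:445 ALLOW
2008-11-25T10:00:07 10.0.0.9 -> 10.0.1.20:445 ALLOW
2008-11-25T10:00:09 10.0.0.5 -> 10.0.1.13:445 DENY
2008-11-25T10:00:12 10.0.0.7 -> 10.0.1.30:80 ALLOW
2008-11-25T10:00:15 10.0.0.5 -> 10.0.1.14:445 DENY
2008-11-25T10:00:20 10.0.0.9 -> 10.0.1.20:445 ALLOW
2008-11-25T10:00:24 10.0.0.5 -> 10.0.1.15:445 DENY
2008-11-25T10:00:29 10.0.0.5 -> 10.0.1.16:445 DENY
2008-11-25T10:00:40 10.0.0.9 -> 10.0.1.20:445 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action


def find_smb_scanners(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src_ip: peak distinct 445 targets in any window} for sources
    whose peak reaches `threshold`. Allowed and denied hits both count:
    a worm does not care whether the firewall let the probe through."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, dst_port, _action = parse_line(line)
        if dst_port == 445:
            per_src[src].append((ts, dst_ip))

    flagged = {}
    for src, events in per_src.items():
        events.sort()  # oldest first, so the sliding window is monotonic
        in_window = Counter()  # distinct destinations currently inside the window
        start = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that fell out of the window ending at `ts`.
            while events[start][0] < ts - window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, fanout in find_smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB scanner: {src} reached {fanout} distinct hosts on 445")
```

On the sample, 10.0.0.5 is reported with a peak of 7 distinct targets (the 08:00 hit is outside the 60-second window, so it does not inflate the count), while the file-server client 10.0.0.9 is not, because repeated connections to one host are not a sweep. In practice this is a triage signal: a flagged host should be isolated from port 445 and checked for the patch, not automatically declared infected.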

W32/Conficker.worm Detailed Information
http://vil.nai.com/vil/content/v_153464.htm
http://www.f-secure.com/v-descs/worm_w32_downadup_a.shtml
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=75911
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDOWNAD%2EA&VSect=P
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A

Trend - Behavioral Diagram
http://www.trendmicro.com/vinfo/images/blog/DOWNAD123.jpg


Time to PATCH NOW if there are any servers or PCs that are not updated for Microsoft security releases. Home users can employ the Windows Update process. More information can be found in the link below:

MS08-067 Security Patch Information
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx


Source: Harry Waldron - Corporate and Home Security (Blog)

Thursday, September 4, 2008

Computer Malware and Preventive Recommendations



It’s often what we don’t know that can hurt us the most…

That is the case when it comes to the effects of malware such as computer viruses, worms and Trojans.

Botnets are one of the fastest growing and most dangerous threats on the Internet today. “Bot” stands for robot, a piece of software with some intelligence to perform a task, and the “net” stands for network, the collection of these individual bots under one controlling person called a bot herder.

The interesting thing is that not all bots are bad. For example, the intelligent software agents used in Microsoft Word or by search engine sites like Google are here to help the end user, whereas bots such as the Storm and Kraken botnet collections are here to disrupt end user activities.

The bots are small executable files that are very easy to spread. They can be spread through spam, through music files located on file sharing systems, through various unpatched Microsoft vulnerabilities, and by being hosted on a web site that pushes them to visitors in a technique called a “drive-by download” (very nasty and stealthy).

The thing that makes these bots so dangerous is their exponential growth factor. As more systems are infected, they also begin to scan for vulnerable systems. Since each additional infected system uses its resources to recruit other systems, the growth can be enormous in a short period of time.

My recommendations are:
* Use a Mac OS X-based system or even a Linux-based system if possible; if not:

1. Make sure you have security controls in place (e.g. Firewall, Anti-Virus, Anti-Spyware and IDS)
2. Make sure they are licensed and updated regularly
3. Make sure you run them frequently or have them run at a time your computer will be on
4. Do not download free miscellaneous software from the Internet (e.g. Screensavers and games)
5. Do not open attachments if you do not know who they are from or what the attachment is.
6. Just be smart

For more information on botnets, their effects and detailed recommendation to prevent and remove malware, check out http://www.securityorb.com/

Thursday, May 8, 2008

MP3 Files are causing Security Issues for Peer-to-Peer Computer Users


McAfee has reported more than a half million computers have been infected by a Trojan spreading through bogus MP3 files on popular peer-to-peer networks in the past several days. The MP3 files contain the Trojan known as Downloader-UA.h.

McAfee researcher Craig Schmugar reported on the company’s blog “The Trojan is spreading through MP3 and MPG files disguised to look like audio or video recordings. Some of the bogus file names are listed on the McAfee blog. When downloaded, users are directed to a Web site and prompted to download a file called PLAY_MP3.exe”

If you are using Peer-to-Peer Networks, please make sure your anti-virus and anti-spyware software is up to date.

Wednesday, May 7, 2008

Is there such a thing as a good worm?

Malware has been an interesting topic to follow; there is always something to report or debate.

An interesting article in eWeek reminded me of a conference I attended 4 years ago where the idea of "good" viruses was discussed. I did not and still do not agree with this concept. Privacy and control on the user's system are violated, the possibility of the good virus turning bad is another issue and it has occurred (Welchia), and there are legal and moral issues that can be debated.



Larry Seltzer wrote an interesting article on this topic:
http://www.eweek.com/c/a/Security/Good-Worms-Are-A-Bad-Idea/

Thursday, April 17, 2008

Internet Botnets: The Storm Botnet is not the Big Kid on the Block Anymore, Hello Kraken



Botnet is a term for a collection of software robots, or bots, on compromised computer systems called zombie computers. The majority of these computers are running Microsoft Windows operating systems, but other operating systems have been known to be affected as well. A botnet's originator is called a "bot herder" and can control the group remotely using IRC to conduct malicious activities.

The Storm botnet, once considered the biggest botnet with capabilities to force entire countries off the Internet, has been replaced by the Kraken botnet.

Kraken Botnet:

As of April 2008, the Kraken botnet is the world's largest botnet, according to researchers at the computer security company Damballa. They state that Kraken has infected machines in at least 50 of the Fortune 500 companies and has reached the size of over 400,000 bots. The Kraken botnet virus may have been designed to evade anti-virus software, and is apparently virtually undetectable to conventional anti-virus software.

A full write-up on malware and these specific botnets can be located on SecurityOrb.com

Tuesday, January 22, 2008

Computer Viruses: Malware Analysis

Malware Analysis

Dynamic analysis and static analysis are two approaches to analyzing malware on a compromised system once it has been discovered after a computer-related incident. Dynamic analysis consists of examining the inputs and outputs produced by the malware and its interaction with the system: which files are being read or written and what effects it is applying to the system. The examiner's concern is not the internals of the malware but its functionality and behavior. Static analysis, the more difficult of the two approaches, consists of extracting and reviewing readable data located in the malware binary and converting machine language into readable source code for analysis. Unlike the dynamic approach, which usually requires executing the malware, the static approach does not, making it the safer approach but a much more exhausting process.
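The first step of the static approach described above, extracting readable data from the binary before any disassembly, is mechanical enough to show in code. The following is an added example and not code from the original post: it runs over a small constructed byte blob (not a real sample) that imitates the layout of a Windows executable, pulls out the printable strings, sorts them into indicator classes (URLs, IP addresses, registry paths, DLL names) and records the file hash, which is what an examiner would want in hand before opening the file in a disassembler. The indicator patterns and the minimum string length are assumptions chosen for the example.

```python
"""Static triage of a suspect binary without executing it: hash it, extract
printable strings, and group the strings into indicator classes.
Added example; the sample bytes below are constructed, not real malware."""
import hashlib
import re

# Constructed stand-in for a suspect executable. It starts with the "MZ" DOS
# header magic and mixes opaque bytes with the kinds of strings an examiner
# looks for. The URL uses a reserved .invalid domain and a TEST-NET address.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24
    + b"This program cannot be run in DOS mode.\x00"
    + b"\x8b\xff\x55\x8b\xec"                      # opaque code-like bytes
    + b"kernel32.dll\x00WS2_32.dll\x00"
    + b"http://example.invalid/update.bin\x00"
    + b"192.0.2.10\x00"
    + b"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x01\x02\xff\xfe"
)

# Indicator classes are assumptions for this example, not a vendor taxonomy.
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"HK(?:LM|CU|EY_[A-Z_]+)\\\S+"),
    "dll": re.compile(r"\b[\w-]+\.dll\b", re.IGNORECASE),
}


def extract_strings(data: bytes, min_len: int = 4):
    """Return every run of printable ASCII (0x20-0x7e) of at least min_len bytes,
    the same thing the classic `strings` utility does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def classify_strings(strings):
    """Group extracted strings by indicator class; unmatched strings are dropped."""
    found = {name: set() for name in INDICATOR_PATTERNS}
    for s in strings:
        for name, pattern in INDICATOR_PATTERNS.items():
            for match in pattern.findall(s):
                found[name].add(match)
    return {name: sorted(values) for name, values in found.items()}


def static_triage(data: bytes):
    """Produce a triage record: hash, DOS-header check, string count, indicators.
    Nothing here executes the sample; it only reads bytes."""
    strings = extract_strings(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "has_mz_header": data[:2] == b"MZ",  # full PE parsing would also check e_lfanew
        "string_count": len(strings),
        "indicators": classify_strings(strings),
    }


if __name__ == "__main__":
    report = static_triage(SAMPLE_BINARY)
    print("sha256:", report["sha256"])
    print("MZ header:", report["has_mz_header"])
    for name, values in report["indicators"].items():
        for value in values:
            print(f"{name:9s} {value}")
```

The hash is recorded first so that later findings can be tied to exactly this file, and the indicators come straight from the extracted strings, so a packed or obfuscated sample would yield little here; that is precisely the case where the examiner falls back to disassembly or, in a contained environment, the dynamic approach.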