Showing posts with label Malware.

Monday, July 6, 2009

Michael Jackson Malware Alert

SecurityOrb.com is asking users to beware of any emails regarding the investigation into Michael Jackson's death, as they may be spam messages that infect personal computers with malware able to steal personal information, including account numbers and passwords for bank, email and other online accounts.

Experts at SecurityOrb.com have been tracking the celebrity-themed spam attacks since the day after his death was reported.

“We have noticed a trend in recent years… Whenever a major event occurs that captures mass media attention, hackers use it to their advantage to help spread their malicious acts,” said Kellep Charles, SecurityOrb.com’s Chief IT Security Consultant.

One of the more widely circulated spam messages reads, "Michael Jackson was killed ... but who killed Michael Jackson."

SecurityOrb.com is asking users to be vigilant when accessing email and opening embedded links or attachments. Also make sure you have the latest anti-virus and anti-spyware software installed on your personal computer.

For more information on other security related topics, we ask that you visit: http://www.securityorb.com/

Wednesday, June 17, 2009

SecurityOrb.com News Updates

1. Mass-compromise attack injects malware into pages and redirects victims to a site that then downloads Trojans and keylogger code

Source: http://www.infoworld.com/d/security-central/nine-ball-attack-strikes-40000-web-sites-882?source=rss_security_central


2. Google is testing using HTTPS by default on all Gmail pages, though the move would likely inhibit performance

Source: http://www.infoworld.com/d/applications/google-try-more-security-gmail-860?source=rss_security_central


3. Researchers at Finjan outlined a sophisticated one-stop shop for cyber-criminals buying and trading in infected computers. Called Golden Cash, the network has been linked to the compromise of around 100,000 PCs and FTP credentials.

Source: http://www.eweek.com/c/a/Security/Finjan-Researchers-Uncover-Marketplace-for-Botnets-595200/

Wednesday, June 3, 2009

Microsoft Zero-Day DirectX Flaw

Vulnerability Details

Microsoft has reported a critical new vulnerability in Microsoft DirectX affecting older versions of Windows. The vulnerability could allow remote code execution if a user opens a rogue QuickTime media file. Microsoft reports limited, active attacks that use this exploit code.

The vulnerability exists in the way a DirectX application programming interface known as DirectShow handles supported QuickTime files. By manipulating the format, attackers can gain the same system privileges assigned to the logged-in user. The Microsoft Security Advisory states: “If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Affected Software

  • Windows 2000 Service Pack 4
  • Windows XP
  • Windows Server 2003

All versions of Windows Vista, Windows Server 2008, and the beta version of Windows 7 are NOT vulnerable. In addition, Apple’s QuickTime player is NOT affected.

Please consult the official Microsoft Security Advisory for details on workarounds, fixes and patch availability.



Workaround

Microsoft has issued a workaround that disables the automatic QuickTime parsing on machines running Windows 2000, Windows XP or Windows Server 2003.



Recommendations

Keep your anti-virus products up-to-date with the current pattern files.

Saturday, April 18, 2009

Trojan.Bankpatch.D

Risk Level 2: Low

Discovered: April 12, 2009
Updated: April 12, 2009 10:50:33 AM
Type: Trojan
Infection Length: 28,880 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Trojan.Bankpatch.D is a Trojan horse that modifies system files and attempts to steal information from the compromised computer.

Protection

* Initial Rapid Release version April 12, 2009 revision 033
* Latest Rapid Release version April 12, 2009 revision 033
* Initial Daily Certified version April 12, 2009 revision 033
* Latest Daily Certified version April 12, 2009 revision 033
* Initial Weekly Certified release date April 15, 2009

Threat Assessment
Wild

* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy

Damage

* Damage Level: Medium
* Payload: Modifies system files and steals information from the compromised computer.

Distribution

* Distribution Level: Low

Monday, March 2, 2009

SecurityOrb.com Security Advisory

New malware is popping up all the time; here is another one, titled "Trojan.Neprodoor!inf". Information on it can be found below:

Trojan.Neprodoor!inf
Risk Level 1: Very Low

Discovered: March 2, 2009
Updated: March 2, 2009 8:02:14 PM
Type: Trojan
Infection Length: 213,120 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000

Trojan.Neprodoor!inf is a detection for infected ndis.sys driver files.

Protection

* Initial Rapid Release version March 2, 2009 revision 032
* Latest Rapid Release version March 2, 2009 revision 032
* Initial Daily Certified version March 2, 2009 revision 035
* Latest Daily Certified version March 2, 2009 revision 035
* Initial Weekly Certified release date March 4, 2009

Threat Assessment
Wild

* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy

Damage

* Damage Level: Low

Distribution

* Distribution Level: Low

Once the infected driver file executes, it will inject a malicious thread into the services.exe process.

The injected malicious thread then creates the following mutex so only one instance of the back door is running:
CTR.[16 HEXADECIMAL DIGITS]

Then the infected driver file may modify the following registry entries:

* HKEY_LOCAL_MACHINE\Software\AGProtect\"Cfg" = "[BINARY DATA]"
* HKEY_CURRENT_USER\Software\AGProtect\"Cfg" = "[BINARY DATA]"



Next, it will attempt to establish a TCP connection on port 80 with one of several hard-coded remote hosts.



It uses an encrypted custom protocol to communicate with the remote servers in order to perform any of the following actions:

* Provide confidential information about the compromised computer
* Download and execute binary files sent by the remote attacker
* May act as a TCP proxy


The infected driver file includes the functionality to protect the infected ndis.sys from being overwritten. It also presents a non-infected image of ndis.sys to applications that attempt to read the infected file.
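As an added example (not part of the Symantec write-up or of SecurityOrb.com's post): Python detection heuristics for the host artifacts described above, run over constructed sample data. The services.exe outbound-port-80 rule and the live-versus-offline ndis.sys comparison are assumptions drawn from the description, not published signatures.

```python
import hashlib
import re

# Added detection heuristics for the behaviours described in the
# Trojan.Neprodoor!inf write-up above. All host artifacts below are
# constructed sample data standing in for the output of a host inventory
# tool; they are not captures from a real infected machine.

# The injected thread creates a mutex named "CTR." + 16 hexadecimal digits.
MUTEX_RE = re.compile(r"^CTR\.[0-9A-Fa-f]{16}$")

# Registry values the infected driver may write (paths from the write-up).
REGISTRY_IOCS = {
    r"HKEY_LOCAL_MACHINE\Software\AGProtect\Cfg",
    r"HKEY_CURRENT_USER\Software\AGProtect\Cfg",
}


def suspicious_mutexes(mutex_names):
    """Return the mutex names matching the CTR.<16 hex digits> pattern."""
    return [m for m in mutex_names if MUTEX_RE.match(m)]


def suspicious_registry(value_paths):
    """Return registry value paths matching the AGProtect\\Cfg indicators.

    Registry paths are case-insensitive on Windows, so compare lower-cased.
    """
    wanted = {p.lower() for p in REGISTRY_IOCS}
    return [p for p in value_paths if p.lower() in wanted]


def suspicious_connections(connections):
    """Flag outbound TCP connections to port 80 owned by services.exe.

    Heuristic (an assumption, not a signature): the write-up says the back
    door runs as a thread injected into services.exe and talks to its
    servers on port 80, and services.exe normally has no reason to open
    outbound HTTP connections. Each connection is (process, direction, port).
    """
    return [c for c in connections
            if c[0].lower() == "services.exe" and c[1] == "outbound" and c[2] == 80]


def driver_image_mismatch(live_image, offline_image):
    """True when ndis.sys read on the running system differs from an offline copy.

    The driver presents a clean image of ndis.sys to applications that read
    it on the infected system, so a hash taken from the live OS cannot be
    trusted on its own; compare it with the file read from offline media.
    """
    return hashlib.sha256(live_image).digest() != hashlib.sha256(offline_image).digest()


# Constructed sample inventory (not real data).
SAMPLE_MUTEXES = ["Global\\MsftSvcMutex", "CTR.0123456789ABCDEF", "CTR.1234"]
SAMPLE_REGISTRY = [
    r"HKEY_LOCAL_MACHINE\Software\AGProtect\Cfg",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
]
SAMPLE_CONNECTIONS = [
    ("firefox.exe", "outbound", 80),
    ("services.exe", "outbound", 80),
    ("services.exe", "inbound", 135),
]


def scan_host(mutexes, registry, connections):
    """Collect all findings into one dict so the result can be reported."""
    return {
        "mutexes": suspicious_mutexes(mutexes),
        "registry": suspicious_registry(registry),
        "connections": suspicious_connections(connections),
    }


if __name__ == "__main__":
    for kind, hits in scan_host(SAMPLE_MUTEXES, SAMPLE_REGISTRY, SAMPLE_CONNECTIONS).items():
        print(kind, hits)
```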

Monday, February 23, 2009

SecurityOrb.com Security Bulletin: Adobe Reader PDF Vulnerability

A recently discovered vulnerability in Adobe Reader allows an attacker to compromise the system with the privileges of the user running Reader. The vulnerability occurs because of the way Reader parses PDF files. Opening a malicious PDF file may trigger the bug, causing exploitation.

Attacks using this vulnerability have been seen in the wild. There are reports that adversaries are actively targeting a number of users for exploitation.

The only known workaround to date is to disable Acrobat JavaScript. Any user can disable Adobe JavaScript by following these simple steps:

1. Start Adobe Reader.

2. Select Edit, then Preferences from the menu. The Preferences dialog box opens.

3. Select JavaScript from the list of Categories to the left.

4. Click to uncheck the option “Enable Acrobat JavaScript.”

5. Click OK.

For more details about this vulnerability and a video demonstration of the steps to disable Adobe JavaScript, please visit the following posting on SecurityOrb.com: http://www.securityorb.com/


Monday, February 16, 2009

Microsoft puts $250,000 bounty on Conficker authors

Microsoft 'Posse' puts $250,000 bounty on Conficker authors - Creators of the Conficker/Downadup worm now carry a price on their heads


Source: Darkreading.com

Thursday, February 12, 2009

Valentine's Day Malware Attack

Valentine's Day is not just for lovers; it's for malware writers, too. At the center of the recent surge in spam related to Valentine's Day is the Waledac botnet, successor to the Storm botnet, but other botnets have joined the fray as well, security researchers warn.

Source: eweek.com

Tuesday, December 16, 2008

McColo Fallout Does Not Stop Spam Levels from Decreasing

Numerous reports have indicated that email spam volumes are increasing again since McColo, a rogue hosting company, was pulled off the Internet last month. Although there was a major drop in spam, it seems to have been short-lived, as many reports are showing an upswing.

SecurityOrb.com consultants predict that many bot-masters (a bot-master is the individual responsible for and maintaining a set of malicious computer bots) will take a more distributed approach in the future to prevent and defend against actions such as the McColo ISP disconnection.

Friday, December 5, 2008

Firefox Malware - Trojan.PWS.ChromeInject.A

Firefox users are targeted by a new malware named Trojan.PWS.ChromeInject.A, which collects passwords from banking sites.

Researchers at BitDefender have discovered a new type of malicious software that collects passwords for banking sites but targets only Firefox users.

The malware, which BitDefender dubbed "Trojan.PWS.ChromeInject.A", sits in Firefox's add-ons folder, said Viorel Canja, the head of BitDefender's lab. The malware runs when Firefox is started.

The malware uses JavaScript to identify more than 100 financial and money transfer Web sites, including Barclays, Wachovia, Bank of America, and PayPal along with two dozen or so Italian and Spanish banks. When it recognizes a Web site, it will collect logins and passwords, forwarding that information to a server in Russia.

Firefox has been continually gaining market share against main competitor Internet Explorer since its debut four years ago, which may be one reason why malware authors are looking for new avenues to infect computers, Canja said.

Users could be infected with the Trojan either from a drive-by download.

Wednesday, December 3, 2008

Apple quietly recommends using anti-virus software

Apple quietly recommends using anti-virus software. As the platform gains market share, hackers could increasingly look to exploit it, particularly if it is perceived as an easier target.

Full story at infoworld.com

Tuesday, December 2, 2008

US Department of Defense's decision to ban the use of USB drives and other removable data storage devices

Classified US Systems Breached: Attacks on US War Zone Computers Prompts Security Crackdown

The Los Angeles Times is reporting that the US Department of Defense's decision to ban the use of USB drives and other removable data storage devices was prompted by a significant attack on combat zone computers and the US Central Command that oversees Iraq and Afghanistan. The attack is believed to have originated in Russia. While no specific details about the attack were provided, it is known that at least one highly protected classified network was affected.

http://www.latimes.com/news/nationworld/nation/la-na-cyberattack28-2008nov28,0,6441140.story

Removable media causes security concerns


The proliferation of portable media devices is increasing companies' security risks exponentially. In fact, endpoint security for laptops, PDAs and removable media is one of the most critical security issues facing companies today. USB drives, in particular, carry a tremendous amount of private corporate content. To deal with the growing problem, CIOs must set up strict policies for how data on removable media is handled and where it can and cannot be taken. Employees should also be monitored to some extent, ensuring that they use removable media only for company-sponsored endeavors. It's also critical to make sure that the USB drives used by your company have appropriate encryption, which is not standard on all USB drives. The same type of diligence should be applied to other mobile devices such as laptops.

Source: http://www.fiercecio.com/story/removable-media-causes-security-concerns/2007-03-19


Some interesting information pertaining to the security issues with removable drives:

The rise of the mobile data market has been rapid, lucrative and dangerous. Long gone are the days when you needed identical tape drives and software on both computers. The traditional floppy disk market and local tape markets were superseded by the super-floppy and zip drive. Now even they are disappearing as the mobile data storage market evolves.

Thanks to their large capacities, portability, and simplicity, removable media have become one of the most popular types of storage device around today. You’ve only to go down to one of the big computer shows to be offered a free memory stick as a stand give-away. If you take part in an IT training course, you might be given one with all your course notes stored on it. They are so cheap that they are the obvious way to store information, business proposals, accounts, clients’ details, marketing plans, etc.

The arrival of the MP3 music player has had a significant impact on the market. While Apple sees music as the only reason for owning an iPod, their competitors have simply created large USB stores with some built-in music software. An increasing number of people now view the MP3 player as both a data and an entertainment tool. The danger here is that as an entertainment device it falls below the radar, and with storage capacities set to exceed 80GB by the end of 2005, it is a serious threat to data protection.




http://www.gcn.com/online/vol1_no1/47646-1.html/?s=dailyNL


Pentagon spokesman Brian Whitman confirmed that the Defense Department is battling an ongoing malware attack within DOD's networks. "We are aware of a global virus for which there are some public alerts, and we've seen some of these on our networks, and we are taking steps to identify and mitigate the virus," Whitman said in an official statement Nov. 21.

Last week, Strategic Command mandated that users of the Global Information Grid not use removable media, to prevent further spreading of a virus. Wired Magazine's Danger Room blog reported that an Army email alert had been sent out relaying the instructions from STRATCOM, banning the use of removable media -- thumb drives, external disks, CDs and DVDs -- effective immediately. The e-mail indicated a worm, called Agent.btz, was the cause of the move by STRATCOM and Joint Task Force-Global Network Operations.


http://www.gcn.com/online/vol1_no1/47657-1.html/?s=dailyNL


NASA chief information officer Jonathan Pettus clarified the agency’s policy curbing the use of removable media in the wake of recent security concerns. The policy appeared in an internal memo.

New details about security concerns at NASA, independent of the memo, emerged in a report by BusinessWeek published last weekend. It details a series of significant and costly cyberattacks on NASA systems in the past decade.

The memo from Pettus instructs employees not to use personal USB drives or other removable media on government computer systems. It also directs employees not to use government-owned removable devices on personal machines or machines that do not belong to the agency, department or organization. And it warns employees not to put unknown devices into any systems and to ensure that systems are fully patched and have up-to-date antivirus software.

Pettus also said he is in the process of updating security policies and is “working with center CIOs on additional measures recommended by [the U.S. Computer Emergency Readiness Team] to mitigate removable media risks, including implementation of Federal Desktop Core Configuration settings.”

The directive is not as sweeping as one issued by the Defense Department, which temporarily forbids the use of USB drives and other removable media devices of all types as a step toward mitigating the spread of detected malware.

Wednesday, November 26, 2008

MS08-067 - Worm is Attacking Windows Security Hole

Security researchers at Microsoft Corp. Tuesday warned of a significant climb in exploits of a Windows bug it patched with an emergency fix last month, confirming earlier reports by Symantec Corp.

Microsoft again urged users to apply the MS08-067 patch if they have not already done so.

The new attacks, which Microsoft's Malware Protection Center said began over the weekend but spiked in the past two days, use the same worm Symantec first spotted last Friday.

Dubbed "Conficker.a" by Microsoft and "Downadup" by Symantec, the worm exploits the vulnerability in the Windows Server service, used by all versions of the operating system to connect to file and print servers on a network. Microsoft patched the bug in an out-of-cycle update five weeks ago after it discovered a small number of infected PCs, most of them in Southeast Asia.

Full article at InfoWorld.com

Tuesday, November 18, 2008

CNN.com Cross-Site Scripting Vulnerability

CNN.com Cross-Site Scripting Vulnerability

I love CNN, so I am not hating on them at all…

Just an FYI - I would probably refrain from browsing CNN for the meantime and definitely don't click on any articles within the My Recently Viewed Pages due to a cross site scripting vulnerability...

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. As of 2007, cross-site scripting carried out on websites was roughly 80% of all documented security vulnerabilities. Often during an attack "everything looks fine" to the end-user, who may be subject to unauthorized access, theft of sensitive data, and financial loss. (wikipedia.com)


Version Summary:

A cross-site scripting vulnerability exists on CNN.com that could potentially allow unauthenticated, remote attackers to modify content on the website, which could lead to further attacks.

Description

CNN.com is susceptible to a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary server-side scripting code.

The vulnerability exists due to an input validation error on certain parameters passed to the server. Attackers could inject arbitrary server-side scripting code into these parameters to perform the attack. The flaw specifically exists within the tracking cookie in the js_memberservices.mrv variable, which is set whenever the user clicks on an article within the My Recently Viewed Pages section. The cookie values are stored in a URI-encoded string, which is not properly filtered. The values accept arbitrary HTML, JavaScript, and double quotes, which allows the attacker to inject server-side scripting code.

While there have been no reported attacks, an exploit could potentially allow the attacker to modify content on CNN.com, such as posting false news stories or performing drive-by download attacks. Attackers could leverage this flaw to aid in spamming and phishing type attacks using CNN.com.
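As an added example (not CNN's code and not part of the advisory): a Python model of the flaw class described above, which reads the js_memberservices.mrv cookie, URI-decodes it, and renders the Recently Viewed list both the unfiltered way and with HTML escaping. The '|'-separated cookie layout and the sample cookie are assumptions.

```python
import html
from urllib.parse import unquote

COOKIE_NAME = "js_memberservices.mrv"


def parse_cookie_header(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def recently_viewed_titles(cookie_header):
    """Return the decoded titles stored in the tracking cookie.

    Assumed layout (not documented in the advisory): URI-encoded titles
    separated by '|'. Decoding is where quotes and angle brackets come back.
    """
    raw = parse_cookie_header(cookie_header).get(COOKIE_NAME, "")
    return [unquote(t) for t in raw.split("|") if t]


def render_unsafe(titles):
    """Mirrors the flaw: decoded cookie text is written into the page verbatim,
    both inside a double-quoted attribute and as element content."""
    items = "".join('<li><a title="%s">%s</a></li>' % (t, t) for t in titles)
    return "<ul>%s</ul>" % items


def render_safe(titles):
    """Hardened: html.escape(quote=True) turns <, >, &, " and ' into entities,
    so the value is inert in both the attribute and the content context."""
    items = "".join(
        '<li><a title="{0}">{0}</a></li>'.format(html.escape(t, quote=True))
        for t in titles
    )
    return "<ul>%s</ul>" % items


# Constructed sample request cookie (not a real CNN cookie); the titles carry
# double quotes and a tag to show what unfiltered decoding lets through.
SAMPLE_COOKIE = (
    "CNNid=abc123; "
    "js_memberservices.mrv=Markets%20%22rally%22|See%20%3Cb%3Ethis%3C%2Fb%3E"
)

if __name__ == "__main__":
    titles = recently_viewed_titles(SAMPLE_COOKIE)
    print(render_unsafe(titles))
    print(render_safe(titles))
```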

Administrators are advised to review the Cisco Applied Mitigation Bulletin: Understanding Cross-Site Scripting (XSS) Threat Vectors.

Monday, November 17, 2008

Spam drop could boost Trojan attacks

Interesting article from Infoworld.com

After rogue ISP McColo was taken offline, global spam was estimated to have dropped by 50 to 80 percent, but spammers are starting to reconstitute botnets elsewhere.

You can find the article here.

Thursday, September 4, 2008

Computer Malware and Preventive Recommendations



It’s often what we don’t know that can hurt us the most…

That is the case when it comes to the effects of malware such as computer viruses, worms and Trojans.

Botnets are one of the fastest growing and most dangerous threats on the Internet today. “Bot” stands for robot, a piece of software with some intelligence to perform a task, and “net” stands for network, the collection of these individual bots under one controlling person called a bot herder.

The interesting thing is that not all bots are bad: for example, the intelligent software agents used in Microsoft Word or by search engine sites like Google are there to help the end user, whereas bots such as the Storm and Kraken botnet collections are there to disrupt end user activities.

The bots are small executable files that are very easy to spread. They can be spread through spam, music files located on file sharing systems, various unpatched Microsoft vulnerabilities, and hosting on a web site that pushes them to visitors in a technique called “drive-by download” (very nasty and stealthy).

The thing that makes these bots so dangerous is their exponential growth factor. As more systems are infected, they also begin to scan for vulnerable systems. Since each additional compromised system uses its resources to recruit other systems, the growth can be enormous in a short period of time.

My recommendations are:

* Use a Mac OS X based system or even a Linux-based system if possible; if not:

1. Make sure you have security controls in place (e.g. firewall, anti-virus, anti-spyware and IDS)
2. Make sure they are licensed and updated regularly
3. Make sure you run them frequently, or have them run at a time your computer will be on
4. Do not download free miscellaneous software from the Internet (e.g. screensavers and games)
5. Do not open attachments if you do not know whom they are from or what the attachment is
6. Just be smart

For more information on botnets, their effects and detailed recommendation to prevent and remove malware, check out http://www.securityorb.com/

Thursday, July 17, 2008

Computer Malware and Preventive Recommendations


It’s often what we don’t know that can hurt us the most…

That is the case when it comes to the effects of malware such as computer viruses, worms and Trojans.

Botnets are one of the fastest growing and most dangerous threats on the Internet today. “Bot” stands for robot, a piece of software with some intelligence to perform a task, and “net” stands for network, the collection of these bots.

Not all bots are bad: for example, the intelligent software agents used in Microsoft Word or by search engine sites like Google are there to help the end user, whereas bots such as the Storm and Kraken botnet collections are there to disrupt end user activities.

The bots are small executable files that are very easy to spread. They can be spread through spam, music files located on file sharing systems, various unpatched Microsoft vulnerabilities, and hosting on a web site that pushes them to visitors in a technique called “drive-by download” (very nasty and stealthy).

The thing that makes these bots so dangerous is their exponential growth factor. As more systems are infected, they also begin to scan for vulnerable systems. Since each additional compromised system uses its resources to recruit other systems, the growth can be enormous in a short period of time.

My recommendations are:

* Use a Mac OS X based system or even a Linux-based system if possible; if not:

1. Make sure you have security controls in place (e.g. firewall, anti-virus, anti-spyware and IDS)
2. Make sure they are licensed and updated regularly
3. Make sure you run them frequently, or have them run at a time your computer will be on
4. Do not download free miscellaneous software from the Internet (e.g. screensavers and games)
5. Do not open attachments if you do not know whom they are from or what the attachment is
6. Be smart

For more information on botnets, their effects and detailed recommendation to prevent and remove malware, check out http://www.securityorb.com/

Monday, July 14, 2008

Storm worm exploits U.S., Iran tensions

McAfee warns users to be wary of e-mails with the headers 'The beginning of World War III' and 'USA declares war on Iran'

By Oliver Garnham, IDG News Service
July 10, 2008

The authors of Nuwar -- also known as the Storm worm -- are exploiting the escalating political tensions between the U.S. and Iran to encourage users to download the malware, according to McAfee Avert Labs.

The security firm has warned people to be wary of e-mails with the headers "The beginning of World War III" and "USA declares war on Iran." The e-mails promise to link to a video showing the beginning of World War III, but clicking on the link actually triggers an automatic download of the file iran_occupation.exe, McAfee said.

The Storm worm was first detected in January 2007, but has reappeared in various guises several times over the past 18 months.

The malware has been used in a confirmation spam scam and has been employed in blogs and Web message forums. It also hit the headlines in April when malware makers gave it an April Fool's Day theme.

Friday, July 11, 2008

The Continuing Threat: Identity Theft


Identity theft is a continuing threat that has brought great inconvenience and expense to many victims. The Department of Justice has stated that identity theft has been the fastest growing white-collar crime over the past five years.

The accessibility of the internet has given identity thieves access to a wealth of personal information.  Online brokers gather data such as social security numbers, driving records and employment information from publicly available records, customer provided forms and credit card applications.

Identity thieves purchase reports with stolen credit cards and use the information to obtain phony documents and credit cards.

Furthermore, social engineering, malware infections and dumpster diving have all contributed to the growing problem of identity theft.