ASK Technologies, Inc.
Technical Alerts
........................................................................
New security defeated by old attacks
from weblog.infoworld.com/securityadvisor
October 3, 2008
The best new anti-malware software is no match for users of unpatched systems who can't be taught to avoid risky online behavior.
Today, 99 percent of malicious risk comes to users through their Internet browser. Email threats are quickly being replaced by Web site malware, often coming from legitimate but infected sites. The malware scans the visiting user's system for unpatched application software so it can initiate a "silent install", or it prompts the user to install some "needed" component.
How many of us have environments where all users are trained well enough
to never be tricked into installing socially engineered malware? Gone
are the days when you could spot malware by its horrible grammar, misspelled
words, and strange wording. Today's malware phishing attack looks as
good as a professional advertising campaign.
The truth is that, in most environments, it is very difficult to educate everyone. There will always be a few people who will click on and install anything, and once they are infiltrated, your network is essentially owned. The trick is identifying who in your environment really needs the training. Some people you know you can trust. Others ... not so much.
If you can prevent end-users from installing things they shouldn't, you will have significantly reduced the risk of malicious exploitation in your environment.
Add to this recommendation using strong passwords, running users as
non-admins, basic system hardening, and other normal anti-malware defenses,
and you've accomplished what a whole lot of companies have not.
........................................................................
Vendor of “AntiVirus XP” badware sued
from blogs.zdnet.com/security
September 30, 2008
The software purveyor behind AntiVirus XP, a fake anti-virus package, has been sued and will hopefully be put out of business.
There has been plenty of information available on this organization for some time, yet unsuspecting consumers continue to hand over their own money for what amounts to malware.
Evaluating the quality of security products is incredibly difficult.
Even independent agencies find it challenging to determine the relative
effectiveness of different anti-virus products. The sad fact is that
the only individuals who stand a chance of acquiring security software
based upon merit alone are those of us who are in the security industry.
The remainder are forced to rely upon word of mouth and marketing, and
that leaves an inherent gap for badware vendors.
For those of you who have either bought AntiVirus XP or know someone
who has, remove it immediately and install a real anti-virus package
from any number of reputable firms, such as Norton (Symantec), McAfee,
AVG, Kaspersky, Sunbelt, Panda, and the like.
........................................................................
Google Chrome vulnerable to carpet-bombing flaw
from ZDnet.com
September 2, 2008
Google’s shiny new
Web browser is vulnerable to a carpet-bombing vulnerability that could
expose Windows users to malicious hacker attacks.
Just hours after the release of Google Chrome, researcher Aviv Raff discovered
that he could combine two vulnerabilities — a flaw in Apple Safari
(WebKit) and a Java bug discussed at this year’s Black Hat conference — to
trick users into launching executables direct from the new browser.
Raff has cooked up a harmless demo of the attack in action, showing how a Google Chrome user can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.
In the proof-of-concept, Raff’s code shows how a malicious hacker
can use a clever social engineering lure — it requires two mouse
clicks — to plant malware on Windows desktops.
The Google Chrome user-agent shows that Chrome is actually WebKit 525.13
(Safari 3.1), which is an outdated/vulnerable version of that browser.
Apple patched the carpet-bombing issue with Safari v3.1.2.
Some Google Chrome early adopters using Windows Vista are reporting
that files downloaded from the Internet are automatically dropped on
the desktop, setting up a scenario where a combo-attack using this unpatched
IE flaw could be used in attacks.
........................................................................
Cracked: Shadow botnet
from zdnet.co.uk
August 14, 2008
In a joint operation, the FBI and the Dutch High Tech Crime Unit have cracked the Shadow botnet, thought to contain 100,000 PCs worldwide.
Two men have been arrested in connection with the botnet: a 19-year-old
Dutch man who sold the software; and his Brazilian buyer.
Antivirus company Kaspersky Lab has been assisting in taking
down the botnet by helping affected PC owners remove the malware from
their machines.
Victims of the Shadow botnet are directed to a Kaspersky
page containing instructions on how to fix their machines, as well as
a website giving details on how to file a complaint
with the police.
However, Kaspersky's page on the botnet only tells users how to strip
out the software that creates the botnet, and not any other malicious
programs that the botnet could have downloaded to victims' machines.
Those who may be affected are, as usual, reminded to run a full virus
scan to detect any additional malware.
........................................................................
11 Patches From Microsoft
from blogs.pcmag.com
August 12, 2008
Microsoft released 11 security bulletins today along with updates to
address the vulnerabilities described in them. Various versions of Windows
and Office are affected. The Advance Notification indicated that there
would be a 7th critical update; this appears to have been removed at
the last minute.
• MS08-041 Vulnerability in the ActiveX Control for the Snapshot Viewer
for Microsoft Access Could Allow Remote Code Execution (Critical): A
critical remote code execution vulnerability exists in Access 2000, 2002
and 2003 and the Snapshot Viewer for Microsoft Access. An attacker could
use this vulnerability to effect remote code execution and, in some cases,
take over the system.
• MS08-042 Vulnerability in Microsoft Word Could Allow Remote Code Execution
(Important): A remote code execution vulnerability exists in Word 2002
(Office XP) and Word 2003.
• MS08-043 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
(Critical): Four different vulnerabilities exist in various versions
of Excel. The only critical vulnerabilities are in Excel 2000, all the
rest being rated as "Important".
• MS08-044 Vulnerabilities in Microsoft Office Filters Could Allow Remote
Code Execution (Critical): Office 2000, XP, 2003, as well as the Office
Converter Pack and Works 8 are all affected by 5 related file import
vulnerabilities. The vulnerabilities are rated critical only on Office
2000; all are ranked Important on all other products.
• MS08-045 Cumulative Security Update for Internet Explorer (Critical):
5 different vulnerabilities are fixed in this cumulative update. All
current versions of IE are affected and at least one vulnerability is
critical on all platforms, including the most recent versions of Vista
and Windows Server 2008. Four of the 5 are memory-corruption vulnerabilities,
generally involving code accessing uninitialized memory.
• MS08-046 Vulnerability in Microsoft Windows Image Color Management System
Could Allow Remote Code Execution (Critical): A vulnerability in ICM
makes it possible for an attacker to cause remote code execution on a
Windows client system running Windows 2000, Windows XP or Windows Server
2003.
• MS08-047 Vulnerability in IPsec Policy Processing Could Allow Information
Disclosure (Important): An information disclosure vulnerability in Windows
Vista and Windows Server 2008 could cause systems to ignore IPsec policies
and transmit network traffic in clear text.
• MS08-048 Security Update for Outlook Express and Windows Mail (Important):
A malicious web site could cause Outlook Express or Windows Mail to disclose
information through a malicious MHTML link that could bypass IE security
zone restrictions.
• MS08-049 Vulnerabilities in Event System Could Allow Remote Code Execution
(Important): 2 vulnerabilities in the Windows event subsystem affect
all versions of Windows. The subsystem does not properly validate input,
potentially leading to remote code execution.
• MS08-050 Vulnerability in Windows Messenger Could Allow Information Disclosure
(Important): An information disclosure vulnerability in most versions
of Windows Messenger could allow an attacker to change state, get contact
information, and initiate audio and video chat sessions without the knowledge
of the logged-on user.
• MS08-051 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code
Execution (Critical): 3 vulnerabilities in all versions of PowerPoint
are fixed in this update. One, a code execution vulnerability, affects
all versions but is rated Critical only on PowerPoint 2000. The other
2 are rated Important and affect only PowerPoint Viewer 2003.
All updates are available through Windows Update and all the other
usual avenues.
........................................................................
Final days for Windows XP
itweb.com, July 1, 2008
Microsoft Windows XP has reached end-of-sale. However, according to
Windows business group lead Colin Erasmus, the product has not reached
end-of-life.
“As of 30 June, we are
no longer selling the product through the original equipment manufacturers
(OEMs) and through the volume licence
process. We will still provide critical support until the end of April
2014.”
He says the mainstream support will end around two months before that.
However, users still wanting
to use Windows XP will have the opportunity to downgrade existing Windows
Vista licences. “Customers who have
bought licences for Windows Vista Ultimate, Enterprise and Business can
override with XP legally.”
The life expectancy of XP
has been extended for what Microsoft calls nettop and netbook devices.
These are low-cost PCs and notebooks, which
Erasmus says will be available with XP until 2010. “These machines
will need to have very specific specifications.”
Vista trials
Since its release in January
2007, Windows Vista has been met with reluctance and compatibility
complaints. However, Erasmus says XP was greeted similarly
at its launch. “Most of the problems users experienced with Vista
have been tackled in service pack one (SP1).”
He says customers' complaints
focused on driver and device compatibility, which Microsoft has improved
in SP1. “Vista is now compatible with
77 000 devices, which is more than XP supported,” he adds.
The company says there are still application compatibility issues, and
several OEMs are selling Vista on hardware that is not compatible.
Microsoft is adamant that
shipments of Windows Vista increased after the release of SP1. “We can't give you localised figures, since
all our information is global. However, 80% to 90% of all machines being
sold to OEMs now are being shipped with Vista,” notes Erasmus.
........................................................................
Adobe Patches Critical Acrobat and Acrobat Reader Vulnerability
blogs.pcmag.com, June 24th, 2008
Adobe has issued patches for a critical vulnerability in Acrobat and
the Acrobat Reader. According to the security bulletin issued by Adobe,
there are reports that the issue is being exploited in the wild.
The vulnerability is an input validation error in the JavaScript that Acrobat documents can contain; it can lead to the program crashing or to remote code execution.
Reader updates are available for Windows and for the Mac, or run Help > Check for Updates. These updates are entitled the 8.1.2 Security Update 1. The security bulletin has links to other downloads, such as for Acrobat itself. If you're running Acrobat or Reader 7 or earlier, Adobe long ago stopped issuing updates for them and recommended moving on to version 8.
........................................................................
HSBC's e-banking customers vulnerable!
xssed.com, June 21st, 2008
HSBC web sites are open to critical XSS attacks. Warning to customers!
Written by Dimitris Pagkalos
Saturday, 21 June 2008
Evidently, major unwanted consequences could be a result of multiple
cross-site scripting vulnerabilities affecting bank web sites. XSS must
be considered as the phishers' future weapon by all people working in
the security industry.
Scammers can register domains and set up fake bank web sites in a few
minutes. With the help of bulk e-mailers they can phish personal sensitive
data from thousands of unsuspecting web users.
If they want to own HSBC's
e-banking customers, all they have to do is to register a "suspicious" looking
domain like hscsbc.com which is currently available and then serve
a phishing page.
Even better, they can exploit a cross-site scripting vuln on hsbc.com,
obfuscate the attack vector and significantly increase their phishing
success rate!
Updated: 23/06/08:
www.investdirect.hsbc.gr XSS notified by Hexspirit
www.hsbc.com.sv XSS notified by sl4xUz
www.hsbc.com XSS notified by Airrox
-
www.hsbc.co.uk XSS notified by PaPPy / unfixed
www.hsbc.com.tr XSS notified by DaiMon / unfixed since 26/05/2008
www.hbeu1.hsbc.com XSS notified by DaiMon / unfixed since 26/05/2008
www.hsbc.com.tr XSS notified by Babaconda / unfixed since 25/05/2008
www.hsbcprivatebankfrance.com XSS notified by ironzorg / unfixed since 25/04/2008
www.hsbc.fi.cr XSS notified by Venom23 / unfixed since 26/02/2008
www.hsbc.com XSS notified by Darkster / published on 26/07/2007 - fixed on 12/09/2007
monavenir.hsbc.fr XSS notified by takethis / published on 01/04/2007 - fixed on 21/08/2007
Protect your customers' privacy and security now! Leaving site-specific
vulnerabilities open for days, weeks or months, can lead to substantial
financial losses!
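The reason an XSS flaw on the bank's own domain raises a phisher's success rate is that the page echoes attacker-supplied input back into its HTML under the bank's real hostname. The following is an added example, not code from xssed.com, HSBC or the article's author: a vulnerable rendering function beside its output-encoded form, plus a simple QA check a site owner can run to see whether a harmless probe string comes back as live markup. The host bank.example, the search page and its q parameter are hypothetical.

```python
"""Reflected XSS: unsafe vs. HTML-encoded rendering of a query parameter.

Added example for this newsletter item; the site, URL and parameter are
constructed and hypothetical. The probe is the canonical harmless test
string, not a real attack payload.
"""
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

PROBE = "<script>alert(1)</script>"   # harmless canonical XSS test string

# Constructed sample URL: a search page that reflects its q parameter.
SAMPLE_URL = "https://bank.example/search?q=" + quote(PROBE)


def query_param(url, name):
    """Return the first value of query parameter `name` in `url`, or ''."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_unsafe(term):
    """Vulnerable: the user-controlled term is concatenated into HTML verbatim,
    so any markup in it becomes part of the page served from the real domain."""
    return "<p>Results for: <b>" + term + "</b></p>"


def render_safe(term):
    """Hardened: HTML-encode the term for the element-content context.
    quote=True also encodes quotes, so the same helper is safe to reuse
    inside a double-quoted attribute value."""
    return "<p>Results for: <b>" + html.escape(term, quote=True) + "</b></p>"


# Tags and inline event handlers that indicate the probe survived as markup.
ACTIVE_MARKUP = re.compile(r"<\s*(script|img|iframe|svg|object)\b|\bon\w+\s*=", re.I)


def reflects_active_markup(render, url, param="q"):
    """QA check for your own site: render the parameter taken from `url` and
    report whether live markup comes back. True means the page is injectable."""
    rendered = render(query_param(url, param))
    return bool(ACTIVE_MARKUP.search(rendered))


if __name__ == "__main__":
    print("unsafe page injectable:", reflects_active_markup(render_unsafe, SAMPLE_URL))
    print("safe page injectable:  ", reflects_active_markup(render_safe, SAMPLE_URL))
    print(render_safe(PROBE))
```

Encoding at the point of output, for the specific HTML context (element content here), is the fix; the regex check is only a smoke test for a known probe and does not replace a proper review of every place input reaches a page.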
........................................................................
Gpcode: the return of the file encryptor
viruslist.com, June 5th, 2008
We've detected a new variant of Gpcode – a dangerous file-encryptor. It encrypts a whole variety of user files, targeting files with extensions such as DOC, TXT, PDF, XLS, JPG, PNG, CPP, H etc. If you're a regular visitor to Viruslist, you might remember reading about Gpcode a couple of years ago.
We recently started getting reports from infected victims, analysed a
sample, and added detection for Gpcode.ak to our antivirus databases
yesterday, on June 4th. However, although we detect the virus itself,
we can't currently decrypt files encrypted by Gpcode.ak – the RSA
encryption implemented in the malware uses a very strong, 1024 bit key.
The RSA encryption algorithm uses two keys: a public key and a private key. Messages can be encrypted using the public key, but can only be decrypted using the private key. And this is how Gpcode works: it encrypts files on victim machines using the public key which is coded into its body. Once encrypted, files can only be decrypted by someone who has the private key – in this case, the author or the owner of the malicious program.
As I've said above, we've come across Gpcode before (see Blackmailer for the full story). Two years ago we were able to get the private key by detailed analysis of the data at our disposal. However, the maximum RSA key length we've been able to ‘crack’ to date is 660 bits. We were able to do this as the author had made some mistakes when implementing the encryption algorithm.
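As an added illustration of the key split described above (not Kaspersky's tooling and nothing taken from the malware), here is textbook RSA in Python with toy primes: encryption needs only the public key, decryption needs the private exponent, and the only route to the private key from the public one is to factor the modulus. Trial division does that instantly for the two-digit primes used here; at 1024 bits it is infeasible, which is why an analyst who has the sample, and therefore the embedded public key, still cannot decrypt anything unless the implementation itself is flawed.

```python
"""Textbook RSA with toy primes: why holding the malware (and its public key)
does not hand you the private key.

Added example for this newsletter item, not Kaspersky's analysis or Gpcode
code. Primes are tiny so the arithmetic is visible; real keys use moduli of
1024 bits or more, where the factoring step below is infeasible.
"""
import math


def keygen(p, q, e=65537):
    """Build an RSA key pair from two primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)               # private exponent: e*d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Anyone holding the public key can do this, including a program that
    carries the key in its own body."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the private exponent d undoes the encryption."""
    n, d = private_key
    return pow(c, d, n)


def recover_private_key(public_key):
    """What an analyst is left with when only the public key is known:
    factor n, then derive d exactly as keygen did. Trial division is fine
    for a toy modulus and hopeless for a correctly generated 1024-bit key."""
    n, e = public_key
    f = 2
    while f * f <= n:
        if n % f == 0:
            p, q = f, n // f
            return (n, pow(e, -1, (p - 1) * (q - 1)))
        f += 1
    raise ValueError("modulus has no small factor")


if __name__ == "__main__":
    public, private = keygen(61, 53)         # toy primes; n = 3233
    c = encrypt(public, 65)
    print("ciphertext:", c, "-> plaintext:", decrypt(private, c))
    print("recovered private key equals real one:",
          recover_private_key(public) == private)
```

The 660-bit break the article mentions did not come from running recover_private_key at scale; it came from mistakes in how the author implemented the algorithm, and a variant without those mistakes leaves recovery from backups as the only practical remedy.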
The author has bided his time, waiting almost two years before creating a new, improved variant of this file encryptor. Gpcode.ak doesn't repeat the errors found in previous versions of the virus. Back in 2006, when we detected the first versions of Gpcode to use RSA, this sounded an alarm: we warned that we wouldn't be able to help decrypt encrypted files if the virus writer implemented the RSA encryption algorithm correctly. It would be a case for law enforcement; encrypting files in this way is tantamount to a cybercriminal copying user files to his own machine, and deleting them from the user's infected machine without consent – an illegal action.
Once the virus has encrypted a user's files, it leaves the following text message along with the files it has encrypted:
Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: ********@yahoo.com
Unfortunately, at the time of writing it's still not clear how the virus
spreads. To protect your machine, you should enable all components of
whatever anti-malware protection that you have installed.
........................................................................
Adobe Flash zero-day exploit in the wild
blogs.zdnet.com/security/, May 27th, 2008
Posted by Ryan Naraine @ 11:19 am
Malware hunters have spotted a previously unknown — and unpatched — Adobe Flash vulnerability being exploited in the wild.
The zero-day flaw has been added to the Chinese version of the MPack
exploit kit and there are signs that the exploits are being injected
into third-party sites to redirect targets to malware-laden servers.
Technical details on the vulnerability are not yet available. Adobe’s product security incident response team is investigating.
This SecurityFocus advisory warns:
Adobe Flash Player is prone to an unspecified remote code-execution
vulnerability.
An attacker may exploit this issue to execute arbitrary code in the
context of the affected application. Failed exploit attempts will likely
result in denial-of-service conditions.
Adobe Flash Player 9.0.115.0 and 9.0.124.0 are vulnerable; other versions
may also be affected.
I’ve independently verified
that redirection scripts have been posted on at least two Chinese-language
Web sites to launch drive-by
downloads of malware. When the exploit fires, it checks the Flash version
on the vulnerable computer and, depending on the result, it uses a different
.SWF (shockwave) file to take complete control of the machine.
This threat should be considered very serious because of the widespread
distribution that Adobe Flash enjoys on the Windows ecosystem. If this
exploit gets seeded on high-traffic Web sites, we could be in for a long
clean-up operation.
[ UPDATE: Continued investigation reveals this issue is fairly widespread.
Malicious code is being injected into other third-party domains (approximately
20,000 web pages) most likely through SQL-injection attacks. The code
then redirects users to sites hosting malicious Flash files exploiting
this issue.]
........................................................................
Malware shipped with Firefox 2 language pack
blogs.zdnet.com/security/, May 8th, 2008
Posted by Larry Dignan @ 6:18 am
Mozilla is warning that a Vietnamese language pack for Firefox 2 is
carrying malware.
In her blog, Mozilla security chief Window Snyder writes: The
Vietnamese language pack for Firefox 2 contains inserted code to load
remote content. This code is the result of a virus infection, but
does not contain the virus itself. This usually results in the user seeing
unwanted ads, but may be used for more malicious actions.
Everyone who downloaded the most recent Vietnamese language pack since
February 18, 2008 got an infected copy. While we cannot determine the
exact number of compromised downloads, there have been 16,667 total downloads
of the Vietnamese language pack since November 2007, so we anticipate
the impact on users to be limited.
Snyder also noted that Mozilla scans for viruses at upload time, but the scanner didn’t catch this problem “until several months after the upload.” Mozilla is adding additional virus scans to catch these issues in the future.
........................................................................
USB sticks with malware
ZDNet News: Apr 9, 2008
Hewlett-Packard has released a batch of USB keys for numerous Proliant
server models which contain malware that could allow an attacker to take
over an infected system.
The worms contained on the 256KB and 1GB USB drives have been identified
as W32.Fakerecy and W32.SillyFDC. The worms spread by copying themselves
to removable or mapped drives and affect systems running Windows 98,
Windows 95, Windows XP, Windows Me, Windows NT and Windows 2000, according
to AusCERT.
HP's Software Security Response Team issued a warning to AusCERT this
week after discovering the worms on the USB drives and has also provided
a list of affected servers to the security response organization.
To find out whether a drive is infected, HP recommends inserting it
into a system with up-to-date antivirus software. Systems with up-to-date
antivirus should be protected from the threat, according to HP.
John Bambenek, a researcher at the security organization Sans Internet
Storm Center, has said that because the infected USBs only affect Proliant
servers, a targeted attack cannot be ruled out.
However, the threat risk from the worms is considered to be low. "This is probably not going to escalate into a widespread epidemic," Nishad Herath, senior research scientist at McAfee Avert Labs, told ZDNet.com.au. "But I would most definitely urge users to perform a virus scan of any media--including any new blank drives--you receive from vendors prior to installing/using them as slip-ups like this have been known to happen in the past."
HP claims the worm-infected USBs will have only affected a small number
of customers.
"HP takes all quality issues very seriously. Because the keys involved
are used to install optional floppy-disk drives, this only affects the
USB Floppy Drive Key kit which is a very low volume option and impacts
a very small percentage of our ProLiant customer base. We've determined
root cause and are fully confident that we have resolved this event.
To date, no customers have reported this issue," a spokesperson
for HP told ZDNet.com.au.
HP has provided an advisory page for customers with affected USB keys.
........................................................................
Security vendor F-Secure has warned of multiple critical vulnerabilities in its own and other vendors' products.
news.zdnet.com, March 19, 2008
Security vendor F-Secure has warned of multiple critical vulnerabilities in its own and other vendors' products. The vulnerabilities exist in the way the products respond to malformed archive files, and were discovered by researchers at the University of Oulu in Finland.
"The Secure Programming Group at Oulu University has created a
collection of malformed archive files," wrote F-Secure director
of antivirus research, Mikko Hyppönen, in a blog post on Monday. "These
archive files break and crash products from at least 40 vendors--including
several antivirus vendors… including us."
F-Secure products affected include F-Secure Internet Security 2008,
F-Secure Anti-Virus 2008, F-Secure Mobile Anti-Virus for Windows Mobile
2003/5.0/6, and F-Secure Anti-Virus for Linux 4.65 and earlier versions,
according to an F-Secure security bulletin. Successful exploitation of
the vulnerabilities could result in remote code execution.
Other software affected includes Debian libarchive1, FreeBSD libarchive
3, Gentoo app-arch/libarchive and Suse libarchive, according to an advisory
from the Finnish computer emergency response team, CERT-FI.
The University of Oulu researchers discovered the vulnerabilities in various archive file formats, including ZIP, as part of their Protos Genome Project. The project fed systematically malformed archive files to implementations of those formats. The research identified that "most implementations evaluated failed to perform in a robust manner", according to the CERT-FI advisory.
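The failure the Oulu test material exposes is a parser trusting the lengths it reads from an archive header. The following added example (not the PROTOS material, F-Secure's code or libarchive) is a small ZIP local-file-header walker in Python that checks every declared size against the buffer and against a policy limit before using it, and caps deflate output so an oversized stream is rejected rather than expanded. The sample archive is constructed in memory with the standard zipfile module and then deliberately corrupted to stand in for a malformed test case; the policy limits are arbitrary choices for the example.

```python
"""Defensive parsing of ZIP local file headers.

Added example for this newsletter item; not the Oulu PROTOS test material
or any vendor's code. Every length read from a header is validated against
the actual buffer and a policy limit before it drives a read or allocation.
"""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")   # 30-byte local file header
MAX_NAME_LEN = 1024                    # policy limits chosen for this example
MAX_ENTRY_SIZE = 10 * 1024 * 1024


class MalformedArchive(ValueError):
    """Raised instead of letting a bad length reach a read or an allocation."""


def parse_local_entries(data):
    """Return [(name, content)] for the local file entries in `data`.

    Stops at the first block that is not a local header (normally the
    central directory). Rejects any entry whose declared sizes do not fit
    the buffer or disagree with the bytes they describe."""
    entries, off = [], 0
    while off + LOCAL_HEADER.size <= len(data) and data[off:off + 4] == LOCAL_SIG:
        (_, _, flags, method, _, _, crc, csize, usize,
         nlen, xlen) = LOCAL_HEADER.unpack_from(data, off)
        if flags & 0x08:
            raise MalformedArchive("data-descriptor entries are not handled here")
        if nlen == 0 or nlen > MAX_NAME_LEN:
            raise MalformedArchive(f"implausible name length {nlen} at offset {off}")
        if csize > MAX_ENTRY_SIZE or usize > MAX_ENTRY_SIZE:
            raise MalformedArchive(f"entry at offset {off} exceeds size policy")
        start = off + LOCAL_HEADER.size
        end = start + nlen + xlen + csize
        if end > len(data):
            # The header claims more bytes than the archive holds: the classic
            # out-of-bounds read in a parser that trusts the header.
            raise MalformedArchive(f"entry at offset {off} runs past end of data")
        encoding = "utf-8" if flags & 0x800 else "cp437"
        name = data[start:start + nlen].decode(encoding, "replace")
        payload = data[start + nlen + xlen:end]
        if method == 0:                        # stored
            if csize != usize:
                raise MalformedArchive(f"stored entry {name!r} has csize != usize")
            content = payload
        elif method == 8:                      # deflate
            try:
                d = zlib.decompressobj(-15)    # raw deflate, as used inside ZIP
                # Cap output at usize+1 so an over-long stream is detected
                # without expanding it in full (decompression-bomb guard).
                content = d.decompress(payload, usize + 1)
                if not d.eof or d.unconsumed_tail or d.unused_data:
                    raise MalformedArchive(f"deflate stream of {name!r} does not match its header")
            except zlib.error as exc:
                raise MalformedArchive(f"corrupt deflate data in {name!r}: {exc}") from None
        else:
            raise MalformedArchive(f"unsupported compression method {method}")
        if len(content) != usize or (zlib.crc32(content) & 0xFFFFFFFF) != crc:
            raise MalformedArchive(f"size or CRC mismatch for {name!r}")
        entries.append((name, content))
        off = end
    if not entries:
        raise MalformedArchive("no local file header found")
    return entries


def build_sample_zip():
    """Constructed two-entry archive (one deflated, one stored) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello archive")
        zf.writestr("data.bin", bytes(range(256)), compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


def with_patched_csize(data, new_csize):
    """Copy of `data` whose first header declares `new_csize` compressed bytes."""
    return data[:18] + struct.pack("<I", new_csize) + data[22:]


def with_patched_name_len(data, new_nlen):
    """Copy of `data` whose first header declares `new_nlen` name bytes."""
    return data[:26] + struct.pack("<H", new_nlen) + data[28:]


if __name__ == "__main__":
    good = build_sample_zip()
    for name, content in parse_local_entries(good):
        print(name, len(content), "bytes")
    for bad in (with_patched_csize(good, len(good) + 100),
                with_patched_name_len(good, 0)):
        try:
            parse_local_entries(bad)
        except MalformedArchive as err:
            print("rejected:", err)
```

Each rejection is a MalformedArchive exception rather than a crash, which is the behaviour a robust product should show against a fuzzed corpus like the one described above; a real handler would also need the central directory, data descriptors and ZIP64, each with the same length discipline.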
........................................................................
Spam, Virus Attacks to Get More Clever
www.eweek.com, March 10, 2008
Social engineering techniques are evolving to challenge businesses and security software providers, according to a new report released by Google's Postini team.
The report, released March 6 after Google's Postini team commissioned
the study to survey 575 IT professionals, found that Postini data centers
recorded 57 percent more spam and virus attacks in 2007 compared to 2006.
The size of spam e-mails also increased considerably as spammers included
images, .pdf files, documents, spreadsheets and even multimedia files
to spoof spam filters, according to report author Adam Swidler, senior
solutions marketing manager for Postini.
The social engineering techniques try to circumvent computer and network
security by manipulating users into performing actions that divulge confidential
data. Identity theft attacks will be launched from user-generated Web
sites, such as social networks, blogs and auction sites.
Attacks will take the form of sneaky viruses that will blend with spam,
leveraging specific current events, such as the Super Bowl or the Summer
Olympic Games. Moreover, virus attacks will target executives at companies
whose intellectual property is deemed valuable on the black market.
These attacks will masquerade as legitimate business agencies, such
as the Internal Revenue Service, the Better Business Bureau and the Securities
and Exchange Commission.
While most of these targets may miss their mark, Swidler said there
will be high-profile data breaches at enterprises and government agencies,
forcing companies to modify their e-mail practices, such as eliminating
hot links in customer e-mail communications.
Businesses will also place increased emphasis on outbound security policies
and content encryption. More states will revise rules governing civil
procedure for state courts, so organizations will need to put in place
a litigation readiness plan supported by digital message archiving and
discovery.
Enterprises must also define e-mail usage policies, including how to
handle attachments such as executables, scripts and multimedia files,
identify sensitive content contained in inbound and outbound e-mail messages
and create policies that address these messages, and educate users about
threats and internal company policies regarding the use of e-mail.
........................................................................