Security Corner


October 17, 2008  1:26 AM

Beware of E-Mail Scam Targeting Microsoft Customers



Posted by: Ken Harthun
E-mail scam, email, Email security, Security, spam, Trojan

The latest e-mail scam targeting Microsoft customers delivers the Backdoor:Win32/Haxdoor trojan as an attachment. The email looks like this:

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.

Anyone reading this can spot the obvious grammar and punctuation mistakes, the first things that should alert them that this is a scam. But, as we know, users blindly click on anything and everything, especially links in official-looking messages.

Please advise your users to immediately delete this message if they receive it, and continue to advise them to NEVER click a link or open an email that they are not sure about. It’s better to err on the side of caution.

By the way, Consumer Reports has an Online Security Guide posted on their website. It’s well worth looking at and certainly good for your non-savvy users as it’s written for, well, consumers.

October 8, 2008  12:26 AM

TCP Vulnerable To Low-bandwidth DoS Attack



Posted by: Ken Harthun
Denial of Service, Networking, Security, Vulnerabilities

There’s already a frenzy of speculation, analysis and, probably, development of malware surrounding the announcement of SockStress–the proof-of-concept program developed by two Dutch researchers to exploit an apparently heretofore unknown vulnerability in the TCP/IP stack. It started when they let the cat out of the bag in an interview that got the attention of Slashdot. I’m not going to dive in and add my opinion to the frenzy; however, this incident reinforces the idea that data and network security require constant vigilance and attention to protecting the data first (See The #1 Security Priority: Protect The Information).

Steve Gibson of Gibson Research Corporation presents a good sampling of the news surrounding this issue. There’s a lot that is (and isn’t) being said. The bottom line is that it’s a nasty vulnerability. It’ll be interesting to see how this develops.


October 2, 2008  8:12 PM

Beware Google AdWords Phishing Attack



Posted by: Ken Harthun
Cybercrime, Malware, Phishing, Rootkit, Security

Criminals are targeting Google AdWords customers with phony emails requesting the victim download a 128-bit SSL certificate. A client received this version (there are quite a few variations):

From: Google Adwords account [mailto:adwordsupdate@google.com]
Sent: Monday, September 29, 2008 8:52 PM
To: <potential victim>
Subject: Google Adwords Alert

Attention GOOGLE ADWORDS Customers!

For certain services, such as our advertising programs, we request 128-bit SSL security information which we maintain in encrypted form on secure servers.
We take appropriate security measures to protect against unauthorized access to our unauthorized alteration, disclosure or destruction of data.
Please download latest SSL protection certificate

Read more>>

Unprotected browsers will not be able to Log in after September 30, 2008
Sincerely, Genaro Escobar.

2008 Google Adwords, Developing new services.

Unsuspecting victims who click on the “Read more” link are taken to a malicious website where their machine is infected with a keylogger rootkit. The URL of the site varies, but is similar to this one:

hxxp://adwords.google.select.starter.signup.privatelogin.6uwwcgx2pxuijw4.siteminderagent.privatelogin.mekefri.com/login.htm?/cfmasternbank/memberverify/OSL.htm?LOB=2418214764&refer=wWCgX2PxUijw4nP

Of course, the actual domain the person arrives at isn’t google.com; the long chain of subdomains merely contains “google”, while the registrable domain, in this case, is mekefri.com.
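One way to make that check mechanical, as an added example that is not part of the original post: parse the link, take its registrable domain, and compare it with the brand the message claims to come from. The URL is the one quoted above (defanged with “hxxp”); the two-label rule for the registrable domain is a simplification I assume here, and the function names are my own.

```javascript
// Added example, not from the post. Runs on Node.js (global URL class).
// Decides whether a link that *looks* like a brand's actually lands on
// that brand's domain or only embeds the brand name in a subdomain.

// Constructed sample: the phishing link quoted in the post, defanged.
const PHISH_URL =
  "hxxp://adwords.google.select.starter.signup.privatelogin." +
  "6uwwcgx2pxuijw4.siteminderagent.privatelogin.mekefri.com/login.htm" +
  "?/cfmasternbank/memberverify/OSL.htm?LOB=2418214764&refer=wWCgX2PxUijw4nP";

// Restore the real scheme so the URL parser accepts a defanged link.
function refang(url) {
  return url.replace(/^hxxps?/i, (m) => m.toLowerCase().replace("hxxp", "http"));
}

// Registrable domain = last two labels. Assumption/simplification: real code
// should consult the Public Suffix List so names like example.co.uk work.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// Classify a link against the brand it claims to be (e.g. "google.com").
// `lookalike` is true when the brand name appears as a label in the host
// but the registrable domain is someone else's.
function classifyLink(url, brandDomain) {
  const { hostname } = new URL(refang(url));
  const actual = registrableDomain(hostname);
  const legit = actual === brandDomain.toLowerCase();
  const brandLabel = brandDomain.toLowerCase().split(".")[0];
  const lookalike = !legit && hostname.toLowerCase().split(".").includes(brandLabel);
  return { hostname, actual, legit, lookalike };
}
```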

A good rundown on this attack can be found at: Digital Certificate Spammer Goes for Google Adwords


September 28, 2008  4:39 PM

Clickjacking: The Latest Criminal Tactic



Posted by: Ken Harthun
Browsers, Clickjacking, Cybercrime, Firefox, Internet Explorer, Phishing, Security, Vulnerabilities

According to US-CERT‘s latest alert, “Multiple Web Browsers Affected by Clickjacking,” there’s a new cross-browser exploit technique called “Clickjacking.” One report suggests that, “With Clickjacking attackers can do quite a lot. Some things that could be pretty spooky.” According to the CERT article:

Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a web page, they may actually be clicking on content from another page. A separate report indicates that this flaw affects most web browsers and that no fix is available, but that disabling browser scripting and plug-ins may help mitigate some of the risks.

According to a ZDNet blog posting, Firefox + NoScript vs Clickjacking, the Firefox plugin NoScript, written by Giorgio Maone, is effective against the most dangerous aspects of the exploit. In an email to ZDNet blogger Ryan Naraine, Maone said this about the exploit:

1. It’s really scary
2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
3. For 100% protection by NoScript, you need to check the “Plugins|Forbid iframe”[options]

Understandably, there’s not much specific information available about the exploit, but most experts agree that there’s no simple fix for it. In his blog post, Naraine said “I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it’s indeed ‘very, freaking scary’ and ‘near impossible’ to fix properly.”

For now, everyone should immediately disable scripting and iframes in whatever browser they’re using. Firefox users should install NoScript and set the “Plugins | Forbid iframe” option as noted above. I also recommend that everyone review US-CERT’s article “Securing Your Web Browser” to ensure maximum protection against this and other security risks.
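The site-side counterpart to that user-side advice, as an added example that is not from the post or from US-CERT: a clickjacking overlay loads the victim page inside the attacker’s iframe, so a page can check whether it is framed and, if so, navigate the top-level window to itself. It is written against a minimal window-like object so it also runs outside a browser; `isFramed`, `framingGuard` and the stand-in windows are my own names.

```javascript
// Added example, not from the post. `win` is any object with `top` and
// `self` properties: pass `window` in a browser, or the constructed
// stand-ins below when running under Node.

// A document is framed when its window is not the top-level window.
function isFramed(win) {
  return win.top !== win.self;
}

// If framed, navigate the top-level window to this page so the user sees
// what they are really clicking on. Returns which branch was taken.
function framingGuard(win, selfHref) {
  if (!isFramed(win)) {
    return "top-level";
  }
  try {
    // Browsers let a framed document assign top.location even when the
    // framing page is cross-origin.
    win.top.location = selfHref;
    return "busted";
  } catch (e) {
    // Navigation refused: a real page should hide its clickable UI here.
    return "blocked";
  }
}

// Constructed stand-ins so the guard can be exercised outside a browser.
function makeTopLevelWindow() {
  const w = {};
  w.top = w;
  w.self = w;
  return w;
}

function makeFramedWindow(framerLocation, refuseNavigation) {
  const framer = { location: framerLocation };
  if (refuseNavigation) {
    Object.defineProperty(framer, "location", {
      get() { return framerLocation; },
      set() { throw new Error("navigation refused"); },
    });
  }
  return { top: framer, self: {} };
}
```

Frame-busting scripts can be defeated by a determined framing page, so treat this as one layer of defence alongside the browser-side settings above rather than a complete fix.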

I’ll keep you posted on further developments and suggestions for additional protection as the story unfolds.


September 24, 2008  1:12 AM

Software for Secure Computing: Trend Micro’s RUBotted



Posted by: Ken Harthun
Anti-malware, Botnet, IRC bot, Secure Computing, spam, Virus

I stumbled across this nifty free tool when running an online scan at Trend Micro’s HouseCall site. Botnets are a big problem, accounting for most of the spam on the Internet, not to mention their use in stealing financial information and launching denial-of-service (DoS) attacks. RUBotted (Beta) “…monitors your computer for suspicious activities and regularly checks with an online service to identify behavior associated with Bots. Upon discovering a potential infection, RUBotted prompts you to scan and clean your computer.” Note that this tool doesn’t clean anything–you still have to use antivirus software. Alternatively, you can take advantage of one of the many online malware scanners.

The tool runs on Windows 2000, Windows XP Home and Professional, Windows 2003 Server, and Windows Vista (32-bit only), providing the latest service packs are installed. There’s one caveat, however: Trend says, “RUBotted cannot protect computers running Panda Internet Security 2008.”

I hope that this effort by Trend starts a trend (pun intended) of vendors providing similar secure computing software, perhaps incorporating bot removal tools to boot. We’ll see.


September 21, 2008  5:10 PM

Beware of the Fake Video Codec Malware Trick



Posted by: Ken Harthun
Cybercrime, Malware, Security, Social Engineering, Trojan

A variant of Win32/Zlob is being spread by cybercriminals via the fake video codec trick. Through misdirection or outright deception (including social engineering), users are sent to a site that has what appears to be embedded video. When they arrive at the page, there’s a message in the viewer similar to the one shown at “The ZLOB Show: Trojan Poses as Fake Video Codec, Loads More Threats.” If the user falls for the trick, the Zlob trojan is downloaded and installed.

The variant, posing as “MediaTubeCodec.1.220.2.exe”–a name that should arouse suspicion in savvy users, but probably looks “official” to the unenlightened–was recently analyzed by Microsoft (see “Another Reason to Avoid Piracy” in their Microsoft Malware Protection Center blog). Microsoft updated its detection signatures to detect this variant as TrojanDownloader:Win32/Zlob.gen!CD. If diagnostics on a user’s PC (netstat, for example) reveal connections to any of the following, assume infection and take appropriate action:

  • hxxp://64.247.39.247
  • hxxp://second-reason.com
  • hxxp://viacodecright2.com

According to the blog, “Only the first two are responding at the time of writing—both appear to be running nginx [pronounced "engine X"] (a lightweight web/mail server), one server is hosted in the USA and the other in China. So please folks—avoid piracy, and be wary when a website insists that you download a new codec in order to watch a video or listen to a song.”


September 21, 2008  2:06 PM

On the Lighter Side of Security



Posted by: Ken Harthun
Humor, Security

Security’s a serious subject sometimes causing us to get a bit too deep in concern over the potential and real threats we face. So, today I’m going to lighten it up with a bit of humor. In the sixties and seventies, it was common to see this sign posted in mainframe computer rooms:

ACHTUNG!

Alle touristen und non-technischen lookenpeepers! Das machine is nicht fur fingerpoken und mittengrabben. Is easy schnappen der springenwerk, blowenfusen und poppencorken mit spitzen sparken. Das machine is diggen by experten only. Is nicht fur gerwerken by das dummkopfen. Das rubbernecken sightseeren keepen das cottenpicken hands in das pockets. Relaxen und watchen das blinkenlights.

I was amused to find that there’s now an Internet version:

Das Internet is nicht fuer gefingerclickend und giffengrabben. Ist easy droppenpacket der Routers und overloaden der Backbone mit der spammen und der me-tooen. Ist nicht fuer gewerken bei die Dummkopfen. Die mausklicken Sightseeren keepen das Bandwidth-spewen Hands in die Pockets muss; relaxen und watchen das cursorblinken.

When I get a round tuit, I’m going to do a security version.


September 19, 2008  1:30 AM

Antivirus XP 2008/2009 Malware Ups the Ante



Posted by: Ken Harthun
Anti-malware, Anti-virus, Cybercrime, Malware, Virus

According to US-CERT, the cybercriminals who are foisting fake antivirus programs, such as Antivirus XP 2008 and 2009, off on innocent users are now doing more than just ripping people off for the purchase price of their worthless programs–they’re going after personal and financial information. “If the user purchases the bogus software, the attacker may be able to obtain personal and credit card information for use in additional scams and fraudulent activity,” US-CERT reports. Their site has some recommendations on preventive measures to take.

US-CERT encourages users to perform the following preventative measures to help mitigate the risks:

  • Install legitimate antivirus software from a trusted vendor, and keep its virus signature files up-to-date.
  • Do not follow unsolicited web links found in email messages or instant messages.
  • Use caution when visiting untrusted websites.
  • Do not install untrusted software.

My bootable Linux thumb drive virus scanner will remove this infection, but the best thing is not to get infected in the first place.

Be careful out there.


September 15, 2008  3:42 AM

Top Five Security Information Resources



Posted by: Ken Harthun
Security

When I discuss security with people who aren’t security-focused, they often ask where I get my information. I usually generalize, telling them I subscribe to several security newsletters and check the web frequently. I do that to avoid a long-winded discussion of the whys and wherefores of my sources, not to hide them. This post will serve as a good reference for those who are truly interested in learning more about security in general and security issues in particular. So, I present my top five security information resources:

  1. Security Now! podcast produced by Leo Laporte of Twit.tv with Steve Gibson of GRC.com. The longest running security podcast on the ‘Net, with Episode 161 just released. Thousands of individuals, sys admins, and other security-minded professionals–many of whom have been listening to the podcast since Episode 1–rely on Steve’s unique insight into security issues.
  2. SANS Institute. As their site asserts, and I concur, “SANS is the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet’s early warning system – Internet Storm Center.”
  3. Dark Reading.com. In-depth security news, analysis, opinion, and product reviews.
  4. The Register–Security. Lots of IT news with an edge. Check it out and you’ll see.
  5. Secunia.com. If not the leading vulnerability intelligence provider and distributor in the world, they’re very close. Their advisories are top notch; their software advisor is a must-use tool.

What sources do you rely on? Comments welcome.


September 13, 2008  6:32 PM

Software for Secure Computing: Microsoft Malicious Software Removal Tool



Posted by: Ken Harthun
Anti-malware, Anti-virus, IRC bot, Malware, Microsoft Windows, Secure Computing, Security

It’s funny how sometimes we take for granted things like Microsoft’s Malicious Software Removal Tool (MSRT). That’s probably because it doesn’t do much to make its presence known. Every month, Microsoft offers MSRT (890830) through automatic updates and on the Windows Update site. Once installed, the tool runs in the background and quietly does its job. Many people don’t even know that MSRT can be run from the Microsoft.com website or downloaded and run at will.

System administrators and security researchers benefit from the reporting component that MSRT uses to send malware data to Microsoft. The Microsoft Malware Protection Center Threat Research & Response Blog regularly provides reports on the state of security and is an excellent resource for Internet security issues. “Cleaning Over 10 Million IRC Bots,” posted on September 8, 2008, for example, has a graph that clearly shows a general downward trend in IRC bot activity.

No doubt about it: MSRT and the related websites are powerful additions to anyone’s secure computing toolkit.

