Security Corner


December 30, 2008  8:33 PM

CastleCops Shuts Down Operations

Ken Harthun

CastleCops, the largest and most effective volunteer security community on the Internet, has shut down operations. Their website has this announcement posted:

You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created.

CastleCops, founded by Paul Laudanski in 2002, spent six years investigating malware and phishing scams, working closely with law enforcement and the Internet security community to take down malicious websites. Because of their effectiveness, CastleCops’ websites were often the target of DDoS attacks and other attempts by cybercriminals to knock them offline or discredit them.

The group also ran volunteer training programs and provided assistance in malware cleanup. Some of their most popular resources were the lists of Windows CLSIDs, Startup programs, toolbars and the like that helped people identify and remove malware. I’m glad to see that those resources continue to be maintained by former CastleCops volunteers at the SystemLookup.com website.

They’ll be missed.

December 24, 2008  5:04 PM

Merry Christmas!

Ken Harthun

[Image: Christmas Bells]

Wishing you all the best for a safe and happy holiday season.

Ken Harthun


December 24, 2008  4:43 PM

Microsoft Releases Security Advisory (961040)

Ken Harthun

Microsoft’s latest Security Advisory (961040) covers a vulnerability in SQL Server that could allow remote code execution:

Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue.

Exploit code has been published on the Internet, but Microsoft states that it is not aware of any active exploits or customer impact at this time. One mitigating factor is that the vulnerability is not exposed anonymously: an attacker must authenticate to the database server before the flaw can be reached, which also leaves evidence for investigators. That mitigation is weaker than it sounds for database servers sitting behind web applications, though. A SQL injection flaw in the application lets an attacker run statements under the application’s own database login, and that is all the authentication this bug requires.

Microsoft has issued tested workarounds for the affected versions. While they do not repair the underlying vulnerability, they effectively block the known attack vectors.


December 21, 2008  11:19 PM

No More Security Updates for Firefox 2

Ken Harthun

Security Fix reports that on December 16, Mozilla released its final update to Firefox 2, and plans no further updates for this version. From the Firefox 2 Release Notes page:

Note: This is the last planned release of Firefox 2. All users are encouraged to upgrade to Firefox 3. Firefox 2.0.0.19 does not include Phishing Protection.

Despite mixed reviews at its initial release, Firefox 3 is now stable and should be your browser of choice for safe surfing on the web. Besides using far less system memory than previous versions, Firefox 3 “includes strict anti-phishing and anti-malware measures, plus easy ways to tell the good guys from the bad like [the] new one-click site ID info” according to Mozilla.

If you’re not already using it, be sure to install the NoScript add-on. Firefox 3 with NoScript is the simplest, safest browser setup you can get at the moment. And just to be sure, I deliberately went to a really bad site to see what would happen. Firefox delivered. Take a look at the screen shot below.
[Screen shot: Attack Site Blocked]

So, if you’re still using any earlier version of Firefox, upgrade now to Firefox 3. And if (heaven forbid!) you’re still using Internet Explorer, stop putting yourself at risk and switch to Firefox 3 now.

Have a safe and happy holiday season, both on and off the web!


December 16, 2008  9:21 PM

Microsoft Announces Out-of-band Patch for Zero-day Flaw

Ken Harthun

Today Microsoft issued its “Microsoft Security Bulletin Advance Notification for December 2008.” The actual security bulletin will be released on December 17, 2008:

Microsoft Security Bulletin Advance Notification for December 2008
Published: December 16, 2008

Microsoft Security Bulletin Advance Notification issued: December 16, 2008
Microsoft Security Bulletins to be issued: December 17, 2008

This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on December 17, 2008.

This bulletin advance notification will be replaced with the revised December bulletin summary on December 17, 2008. The revised bulletin summary will include the out-of-band security bulletin as well as the security bulletins already released on December 9, 2008.

I don’t have any statistics on how fast they’ve responded to zero-day flaws in the past, but this seems pretty quick to me.


December 12, 2008  9:44 PM

Internet Explorer Targeted by Zero-day Attack

Ken Harthun

Even though Microsoft released its biggest batch of patches ever on Tuesday (28 flaws affecting Windows, Office, Internet Explorer, Visual Basic ActiveX Controls and Windows Media Player, 23 of them rated “critical”), there is no fix for a zero-day XML parser vulnerability in Internet Explorer that surfaced the same day. This was first reported by Robert McMillan of IDG News and was picked up quickly by other media. According to McMillan:

The code exploits a bug in the way IE handles XML (Extensible Markup Language) and works on the browser about “one in three times,” Huang said in an instant message interview. For the attack to work, a victim must first visit a Web site that serves the malicious JavaScript code that takes advantage of the flaw. …

In attacks, the code drops a malicious program on the victim’s PC which then goes to download malicious software from various locations.

According to a blog post by Symantec:

“The vulnerability is caused by a function that incorrectly frees a certain region of heap memory so that an attacker is able to control the EAX register with a specially crafted Unicode URL, which includes the magic “0x0A0A” value in it,” Elia Florio, a security researcher at Symantec, wrote….

Symantec released the antivirus signature Bloodhound.Exploit.219 and IPS signature 23241 – HTTP MSIE Malformed XML BO to protect users against this exploit.

I recommend that anyone using Symantec’s antivirus or IPS products update immediately. Furthermore, Symantec recommends blocking the following hosts, which are apparently being used by the exploit to download and install other malware:

• wwwwyyyyy.cn
• sllwrnm5.cn
• baikec.cn
• oiuytr.net
• laoyang4.cn
• cc4y7.cn

In its security advisory 961051, Microsoft presents the following mitigating factors:

• Protected Mode in Internet Explorer 7 and Internet Explorer 8 in Windows Vista limits the impact of the vulnerability.

• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.

• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

• Currently known attacks cannot exploit this issue automatically through e-mail.

Nevertheless, users should avoid using Internet Explorer and should instead use Firefox with the NoScript extension installed until Microsoft issues a patch. We may see an out-of-cycle patch on this one according to the security advisory:

We are actively investigating the vulnerability these attacks attempt to exploit. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Well, since I’m forced to use IE for certain applications in my job, this customer needs a patch as quickly as possible.


December 9, 2008  2:33 AM

But Wait! Apple Says it’s Just Kidding About Antivirus

Ken Harthun

If you tried to click through to the link in my December 2 article, you probably saw this page:
[Screen shot: Apple’s “Sorry” page]

Apple has taken down their notice recommending that users install multiple antivirus programs on their Mac computers. They said it was “because it was old and inaccurate.”

Could the real reason be that they can’t afford to compromise their expensive ad campaign?

SANS Editor Eugene Schultz says: “Apple needs to quit flipflopping re. whether anti-malware software needs to run on Macs. Many serious malware-related threats against Macs exist. Apple’s waffling with respect to recommending what to do about these threats is a huge disservice to the Mac user community.”

C’mon, Apple. You’ve just lost a ton of credibility with this one.


December 8, 2008  7:49 PM

Secunia Releases Personal Software Inspector 1.0

Ken Harthun

On November 25, 2008, Secunia released the first official version of its Secunia Personal Software Inspector (PSI). The program had been in beta for 17 months. From the Secunia blog:

“Though the PSI so far has been in beta, it has received a huge amount of praising words like these from ZDNet in a review of 10 essential security tools: ‘Number one is the Secunia Personal Software Inspector, quite possibly the most useful and important free application you can have running on your Windows machine’.

“Version 1.0 of the PSI is somewhat more mature and bug free (as far as we know) compared to the first version, which only ran on XP 32bit. Today, it runs on 2000, XP 32/64bit, and Vista 32/64bit.”

[Screen shot: PSI]

I’ve been using the PSI in both the online and beta versions since day one and I’m happy to report that all of my systems are 100% patched! However, Secunia’s statistics show that 98 out of 100 PCs have 1 or more insecure programs installed, so this is a tool that everyone should download and install immediately. It’s stable and it’s free, so there’s no reason not to use it.

The thing I like most about the utility–other than its obvious boost to my system’s security–is the toolbox.
[Screen shot: PSI Toolbox]
Talk about handy: Every action you might need to take on a program is right there, a click away.

I have to agree with the ZDNet review–Secunia Personal Software Inspector has just been put at the top of my security utilities list.


December 2, 2008  9:00 PM

Own a Mac? Get Anti-virus, says Apple

Ken Harthun

The Mac vs. PC ads are always funny, but this one’s even more of a hoot, especially since Apple quietly snuck out an advisory on November 21 that Mac users should use multiple antivirus programs:

“Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult.”

Needless to say, this is getting a lot of play in the media.

From The Register:

“Long something of a phantom menace, strains of malware capable of infecting Mac machines have gradually been increasing in prevalence over recent months. In addition, VXers are making more use of web-based attack and applications specific vulnerabilities to infect PCs whatever their underlying operating system might be.”

From the Washington Post:

“This is news to me. Just under three months ago, I asked an employee at our local Apple store whether I needed anti-virus for my MacBook, and was told not to bother, that it was not necessary. I wonder if this means Apple will stop running television ads saying Mac users don’t have to worry about malicious software?”

It had to happen sooner or later. The Mac user base may be much smaller than the PC’s, but it’s still significant and enjoyed a 38 percent market share growth, going from 6.4 percent of the market in 2007 to 8.5 percent during the second quarter of 2008. Even more significant is the little-known fact that Apple’s market share of the so-called “premium” computer market (machines that cost more than $1,000) hit a whopping 66% in the first quarter of 2008. Maybe, just maybe, people who buy “premium” stuff have more money, which can mean a bigger payday for the Internet criminals.

Just my opinion, but if you could steal a Jaguar with no more effort than it takes to steal a Chevy, which would you take?


November 30, 2008  4:21 PM

An MBR Tool to Combat Mebroot

Ken Harthun

Assuming you or your client is not already infected with Mebroot, there’s another tool you can use to easily recover in the event of an infection: MBRtool 2.3 from DIY DataRecovery.

MBRTool is a freeware DOS program designed to back up, restore, and manipulate your hard disk MBR. The latest version includes a boot disk builder that will allow you to create a diskette or bootable CD/DVD, making it ideal for recovering from a Mebroot infection. If you are sure the target machine is clean, or you have a clean image that you can restore, you simply use MBRTool to make a backup of the valid MBR. In the event of infection, use the boot disk to start the machine and restore the valid MBR. Bye, bye, Mebroot! Two cautions: keep the backup somewhere the infected system cannot reach (the boot media itself is a good place), and refresh it whenever you change the partition layout, because restoring a stale MBR also restores a stale partition table.

Going beyond simple recovery, you could use MBRTool to make a copy of and examine an infected MBR to compare its code against known Mebroot variants. But, be careful: you don’t want that infected MBR to get away from you.
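Here is an added example of the compare-and-restore step described above, written for this page; it is not MBRTool’s code or anything from DIY DataRecovery. It reads one 512-byte sector, splits it into the boot code, the partition table and the 0x55AA signature, and flags the combination a bootkit produces: changed boot code with an unchanged partition table (the table has to stay intact or the machine would stop booting). Restoring puts the trusted loader back while keeping the partition table that is on the disk now, which is the safer choice when the backup is older than the last repartition. The device path in the comment and the two sample sectors are constructed stand-ins, not real Windows or Mebroot code.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap code; bytes 440-445 hold the NT disk signature and padding
PART_TABLE_OFF = 446       # four 16-byte partition entries
PART_ENTRY_LEN = 16
SIG_OFF = 510
BOOT_SIG = b"\x55\xaa"     # 0x55AA boot signature as it appears on disk


@dataclass(frozen=True)
class Partition:
    status: int      # 0x80 = active/bootable
    type_id: int     # e.g. 0x07 = NTFS/HPFS
    lba_start: int
    sectors: int


def read_mbr(path: str) -> bytes:
    # Assumed path: "\\\\.\\PhysicalDrive0" on Windows (run elevated) or "/dev/sda" on Linux (root).
    with open(path, "rb") as dev:
        return dev.read(MBR_SIZE)


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four entries: status, CHS start (skipped), type, CHS end (skipped), LBA start, count."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        parts.append(Partition(status, ptype, lba, count))
    return parts


def has_boot_signature(mbr: bytes) -> bool:
    return len(mbr) == MBR_SIZE and mbr[SIG_OFF:SIG_OFF + 2] == BOOT_SIG


def boot_code_sha256(mbr: bytes) -> str:
    """Hash the code region only, so a changed partition table cannot mask a changed loader."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def compare_mbr(known_good: bytes, current: bytes) -> Dict[str, bool]:
    """Classify what differs between the trusted backup and the sector read now."""
    return {
        "signature_ok": has_boot_signature(current),
        "boot_code_changed": boot_code_sha256(known_good) != boot_code_sha256(current),
        "partition_table_changed": parse_partitions(known_good) != parse_partitions(current),
    }


def looks_like_bootkit(report: Dict[str, bool]) -> bool:
    """New boot code with an unchanged partition table is the combination worth alarming on."""
    return report["boot_code_changed"] and not report["partition_table_changed"]


def restore_boot_code(current: bytes, known_good: bytes) -> bytes:
    """Put the trusted loader back but keep the partition table currently on the disk."""
    if not has_boot_signature(known_good):
        raise ValueError("backup is not a valid MBR")
    return known_good[:BOOT_CODE_LEN] + current[BOOT_CODE_LEN:SIG_OFF] + BOOT_SIG


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: given loader bytes, one active NTFS-type partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x12\x34\x56\x78\x00\x00"                      # disk signature + 2 padding bytes
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # active, NTFS, starts at LBA 2048
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)              # three empty entries
    return code + disk_sig + table + BOOT_SIG


# Constructed stand-ins, not real Windows or Mebroot loader code:
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")   # backup taken while clean
INFECTED_MBR = build_sample_mbr(b"\xfa\x31\xc0\x8e\xd8\xe9")    # different loader, same table


if __name__ == "__main__":
    report = compare_mbr(CLEAN_MBR, INFECTED_MBR)
    print(report, "bootkit-like:", looks_like_bootkit(report))
    print("restored matches backup:", restore_boot_code(INFECTED_MBR, CLEAN_MBR) == CLEAN_MBR)
```

On a real machine you would call `read_mbr` against the raw device for both the backup (taken while clean) and the current sector, and write the result of `restore_boot_code` back with the same raw device handle from the boot media, never from the possibly infected Windows install.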

