CastleCops, the largest and most effective volunteer security community on the Internet, has shut down operations. Their website has this announcement posted:
You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created.
CastleCops, founded by Paul Laudanski in 2002, spent six years investigating malware and phishing scams, working closely with law enforcement and the Internet security community to take down malicious websites. Because of their effectiveness, CastleCops’ websites were often the target of DDoS attacks and other attempts by cybercriminals to discredit them.
The group also ran volunteer training programs and provided assistance in malware cleanup. Some of their most popular resources were the lists of Windows CLSIDs, Startup programs, toolbars and the like that helped people identify and remove malware. I’m glad to see that those resources continue to be maintained by former CastleCops volunteers at the SystemLookup.com website.
They’ll be missed.
Wishing you all the best for a safe and happy holiday season.
Microsoft’s latest Security Advisory (961040) covers a vulnerability in SQL Server that could allow remote code execution:
Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue.
Exploit code has been published on the Internet, but Microsoft states that it’s not aware of any active exploits or customer impact at this time. One mitigating factor is that this vulnerability is not exposed anonymously–an attacker would need to authenticate in order to take advantage of the flaw, thus leaving evidence for investigators.
Microsoft has issued tested workarounds for the affected versions. While they don’t repair the underlying vulnerablity, they effectively block the known attack vectors
Note: This is the last planned release of Firefox 2. All users are encouraged to upgrade to Firefox 3. Firefox 220.127.116.11 does not include Phishing Protection.
Despite mixed reviews at its initial release, Firefox 3 is now stable and should now be your browser of choice for safe surfing on the web. Besides using far less system memory than previous versions, Firefox 3 “includes strict anti-phishing and anti-malware measures, plus easy ways to tell the good guys from the bad like [the] new one-click site ID info” according to Mozilla.
If you’re not already using it, be sure to install the NoScript add-on. Firefox 3 with NoScript is the simplest, safest browser setup you can get at the moment. And just to be sure, I deliberately went to a really bad site to see what would happen. Firefox delivered. Take a look at the screen shot below.
So, if you’re still using any earlier version of Firefox. Upgrade now to Firefox 3. And if (heaven forbid!) you’re still using Internet Explorer, stop putting yourself at risk and switch to Firefox 3 now.
Have a safe and happy holiday season, both on and off the web!
Microsoft issued today “Microsoft Security Bulletin Advance Notification for December 2008.” The actual security bulletin will be released on December 17, 2008:
Microsoft Security Bulletin Advance Notification for December 2008
Published: December 16, 2008
Microsoft Security Bulletin Advance Notification issued: December 16, 2008
Microsoft Security Bulletins to be issued: December 17, 2008
This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on December 17, 2008.
This bulletin advance notification will be replaced with the revised December bulletin summary on December 17, 2008. The revised bulletin summary will include the out-of-band security bulletin as well as the security bulletins already released on December 9, 2008.
I don’t have any statistics on how fast they’ve responded to zero-day flaws in the past, but this seems pretty quick to me.
Even though Microsoft released the biggest batch of patches ever on Tuesday–28 flaws affecting Windows, Office, Internet Explorer, Visual Basic Active Controls and Windows Media Player, 23 of them rated “critical”–there’s no fix for a zero-day XML parser vulnerability that surfaced the same day. This was first reported by Robert McMillan of IDG News and was picked up quickly by other media. According to McMillan:
In attacks, the code drops a malicious program on the victim’s PC which then goes to download malicious software from various locations.
According to a blog post by Symantec:
The vulnerability is caused by a function that incorrectly frees a certain region of heap memory so that an attacker is able to control the EAX register with a specially crafted Unicode URL, which includes the magic “0x0A0A” value in it,” Elia Florio, a security researcher at Symantec, wrote….
Symantec released the antivirus signature Bloodhound.Exploit.219 and IPS signature 23241 – HTTP MSIE Malformed XML BO to protect users against this exploit.
I recommend that anyone using Symantec’s antivirus or IPS products, immediately perform an update. Furthermore, Symantec recommends blocking the following hosts which are apparently being used by the exploit to download and install other malware:
In its security advisory 961051, Microsoft presents the following mitigating factors:
• Protected Mode in Internet Explorer 7 and Internet Explorer 8 in Windows Vista limits the impact of the vulnerability.
•By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
•An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
•Currently known attacks cannot exploit this issue automatically through e-mail.
Nevertheless, users should avoid using Internet Explorer and should instead use Firefox with the NoScript extension installed until Microsoft issues a patch. We may see an out-of-cycle patch on this one according to the security advisory:
We are actively investigating the vulnerability these attacks attempt to exploit. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
Well, since I’m forced to use IE for certain applications in my job, this customer needs a patch as quickly as possible.
If you tried to click through to the link in my December 2d article, you probably saw this page:
Apple has taken down their notice recommending that users install multiple antivirus programs on their Mac computers. They said it was “because it was old and inaccurate.”
Could the real reason be that they can’t afford to compromise their expensive ad campaign?
SANS Editor Eugene Schultz says: “Apple needs to quit flipflopping re. whether anti-malware software needs to run on Macs. Many serious malware-related threats against Macs exist. Apple’s waffling with respect to recommending what to do about these threats is a huge disservice to the Mac user community.”
C’mon, Apple. You’ve just lost a ton of credibility with this one.
On November 25, 2008, Secunia released the first official version of its Secunia Personal Software Inspector (PSI). The program had been in beta for 17 months. From the Secunia blog:
“Though the PSI so far has been in beta, it has received a huge amount of praising words like these from ZDNet in a review of 10 essential security tools: ‘Number one is the Secunia Personal Software Inspector, quite possibly the most useful and important free application you can have running on your Windows machine’.
“Version 1.0 of the PSI is somewhat more mature and bug free (as far as we know) compared to the first version, which only ran on XP 32bit. Today, it runs on 2000, XP 32/64bit, and Vista 32/64bit.”
I’ve been using the PSI in both the online and beta versions since day one and I’m happy to report that all of my systems are 100% patched! However, Secunia’s statistics show that 98 out of 100 PCs have 1 or more insecure programs installed, so this is a tool that everyone should download and install immediately. It’s stable and it’s free, so there’s no reason not to use it.
The thing I like most about the utility–other than its obvious boost to my system’s security–is the toolbox.
Talk about handy: Every action you might need to take on a program is right there, a click away.
I have to agree with the ZDNet review–Secunia Personal Software Inspector has just been put at the top of my security utilities list.
“Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult.”
Needless to say, this is getting a lot of play in the media.
From The Register:
“Long something of a phantom menace, strains of malware capable of infecting Mac machines have gradually been increasing in prevalence over recent months. In addition, VXers are making more use of web-based attack and applications specific vulnerabilities to infect PCs whatever their underlying operating system might be.”
From the Washington Post:
“This is news to me. Just under three months ago, I asked an employee at our local Apple store whether I needed anti-virus for my MacBook, and was told not to bother, that it was not necessary. I wonder if this means Apple will stop running television ads saying Mac users don’t have to worry about malicious software?”
It had to happen sooner or later. The Mac user base may be much smaller than the PC’s, but it’s still significant and enjoyed a 38 percent market share growth, going from 6.4 percent of the market in 2007 to 8.5 percent during the second quarter of 2008. Even more significant is the little known fact that Apple’s market share of the so-called “premium” computer market — machines that cost more than $1,000– hit a whopping 66% in the first quarter of 2008. Maybe, just maybe, people who buy “premium” stuff have more money which can mean a bigger payday for the Internet criminals.
Just my opinion, but if you could steal a Jaguar with no more effort than it takes to steal a Chevy, which would you take?
Assuming you or your client is not already infected with Mebroot, there’s another tool you can use to easily recover in the event of an infection: MBRtool 2.3 from DIY DataRecovery.
MRBTool is a freeware DOS program designed to backup, restore, and manipulate your hard disk MBR. The latest version includes a boot disk builder that will allow you to create a diskette or bootable CD/DVD, making it ideal for recovering from a Mebroot infection. If you are sure the target machine is clean, or you have a clean image that you can restore, you simply use MBRTool to make a backup of the valid MBR. In the event of infection, use the boot disk to start the machine and restore the valid MBR. Bye, Bye, Mebroot!
Going beyond simple recovery, you could use MBRTool to make a copy of and examine an infected MBR to compare its code against known Mebroot variants. But, be careful: you don’t want that infected MBR to get away from you.