One of the world’s nastiest password-stealing trojans evades detection on the majority of PCs running anti-virus programs, according to a study that examined 10,000 machines.
Zeus, a stealthy piece of malware that sits on a PC and waits for users to log in to bank websites, is detected just 23 per cent of the time by AV programs, according to the study (PDF) (http://www.trusteer.com/files/Zeus_and_Antivirus.pdf) released by security firm Trusteer. Even AV programs with up-to-date malware signatures were unable to identify the infection a majority of the time, the authors said.
Zeus, which also goes by the name Zbot and PRG, escapes detection using sophisticated techniques such as root-kit technology, the Trusteer report said. The company is able to detect it by examining the fingerprint Zeus leaves when it penetrates an infected PC’s browser process.
A recent report estimated that Zeus is the No. 1 trojan, with 3.6 million infections in the US alone, or about 1 per cent of the installed base of PCs. Trusteer’s study, which found Zeus accounted for 44 per cent of the banking malware infections, was consistent with that finding. After sneaking onto a PC, it sits quietly in the background until a user logs on to a financial website. It then sends the login credentials to a remote server in real time, sometimes by use of instant messaging (http://www.theregister.co.uk/2009/08/27/zeus_adopts_instant_messaging/) programs.
Of Zeus-infected machines, about 31 per cent don’t run AV at all and 14 per cent run AV that’s out of date. The remaining 55 per cent had AV programs that were up to date. ®
A highly damaging hack at UK-based web hosting company VAserv has taken a tragic turn for the worse after it was revealed that the boss of the Indian firm whose software was at the centre of the attack has hanged himself.
On Sunday, VAserv suffered a malicious attack on its virtual server infrastructure, which resulted in the deletion of approximately 100,000 sites.
According to the Register, the attackers apparently took advantage of security flaws in a virtualisation software platform called HyperVM, in order to break into the company’s servers and issue commands to erase all of the contents hosted on them. The hackers appeared to have accessed customer credit card data and other information stored on the compromised servers.
VAserv offers low-cost web hosting services using virtualised private servers based on HyperVM. Unfortunately, it appears that many of its customers have irretrievably lost data, as backups do not seem to have been taken.
HyperVM is the virtualisation application made by LXLabs, an Indian firm based in Bangalore.
In the wake of the exploitation of a critical vulnerability in HyperVM, LXLabs’ boss, K T Ligesh, hanged himself in a case of suspected suicide.
32-year-old Ligesh was found hanged in his Bangalore house on Monday morning, after a late night drinking session. The Times of India reports that he was upset with the loss of a recent contract. Ligesh was also still coming to terms with the suicides, also by hanging, of his sister and mother five years ago.
The news is a sobering development, especially as it is not clear whether the servers had been compromised because of vulnerabilities in HyperVM, as VAserv claims, or whether weak administrator passwords were to blame, as posted by the Inquisitr. The site links to a post, ostensibly by someone behind the attack, that talks about it having been facilitated by “excessive passwd reuse.”
“Z3r0 day in hypervm?? plz u give us too much credit,” the poster said, adding that he or she had compromised the VAserv billing system, installed backdoors on it and stolen lots of credit card numbers. “Telling you this cuz we got bored of this ****, it’s just too easy and monotonous.”
“We have been working diligently to recover the information that we can. Currently if your VPS is not responding it is best to consider that all data and information is lost,” the note read. “This applies to all VPS and all nodes. We are now working on reprovisioning and have approx 250 servers left to provision out and down to 120 support tickets. We are aiming to clear most of the backlog in the next 12 hours.”
Jaikumar Vijayan of Computerworld (US), contributed to this article.
The European Commission is seeking to strengthen cooperation between law enforcement and industry worldwide, according to a senior EC official. The commission is also looking to increase penalties for cyber-criminals.
Countries such as Estonia and Lithuania have been victimised by cyberattacks, but officials in those countries have complained they didn’t get support fast enough from other nations, said Radomir Jansky, one of the top cybercrime officials within the Commission’s Directorate-General for Justice, Freedom and Security.
“Large-scale attacks are on the rise, and we need to deal with them,” Jansky said at the Messaging Anti-Abuse Working Group meeting in Amsterdam. The conference is attended by ISPs and industry professionals who discuss issues such as spam, email marketing issues and botnets.
In April and May 2007, Estonian websites fell under denial-of-service attacks after a World War II memorial to Russian soldiers was moved from a public square. Georgia experienced cyberattacks in August 2008 as Russia invaded Georgia’s South Ossetia and Abkhazia regions.
The Commission is updating the Council Framework Decision on Attacks Against Information Systems, which went into force in 2005, Jansky said. European Union countries are not bound by law to abide by the framework, but it is recommended that they follow it.
The update, which has not been published yet, will likely recommend that countries across Europe increase the sentences for those convicted of cybercrime since there doesn’t appear to be much of a deterrent effect now, Jansky said.
Sentences now range from one to three years, but countries such as Estonia, France, Germany and the UK have longer ones, he said.
The updated framework may also recommend that countries respond to a request for help in a cybercrime investigation from other countries faster, such as within eight hours. Now, there is no time limit, Jansky said.
There is also a need for a unified system that enables EU countries to report cyberattacks, prosecutions and other criminal reports. The data would help create a more complete picture on the scope of cybercrime, Jansky said. Countries also need to agree on an acceptable format for reporting that data.
“We need to have more data,” Jansky said.
In March, the Commission published a draft of a second framework under revision, the Council Framework Decision on Combating the Sexual Exploitation of Children and Child Pornography.
That framework is seeking to tackle new scenarios of concern regarding Internet-related child abuse. The framework will likely recommend new criminal offences related to grooming, the viewing of child pornography without downloading images and allowing the use of covert tools during investigations, Jansky said.
The framework will likely be published by the end of the year, as the Council of the European Union is still working out the details, Jansky said.
Some vulnerabilities have been reported in Xvid, which can be exploited by malicious people to potentially compromise an application using the library.
The vulnerabilities are caused by boundary errors within the “decoder_iframe()”, “decoder_pframe()”, and “decoder_bframe()” functions in src/decoder.c. These can be exploited to potentially corrupt memory via specially crafted video files.
Successful exploitation may allow execution of arbitrary code.
The vulnerabilities are reported in versions prior to 1.2.2.
SOLUTION:
Update to version 1.2.2.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits John McDonald and Christopher Valasek of IBM X-Force.
The Conficker worm is finally active, updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.
CNET’s Elinor Mills reports that researchers are analyzing the code of the software that is being dropped onto infected computers and suspect that it is a keystroke logger or some other program designed to steal data from the machine.
The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.
According to a post on the TrendLabs Malware blog, the awakened worm tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity. It then deletes all traces of itself in the host machine, and is scheduled to shut down on May 3.
Mills reports:
Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.
“After May 3, it shuts down and won’t do any replication,” Perry said. However, infected computers could still be remotely controlled to do something else, he added.
The development was found when Trend Micro researchers noticed a new file in the Windows Temp folder and a large encrypted TCP response from a known Conficker P2P IP node hosted in Korea:
Two things can be summed up from the events that transpired:
1. As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP. The Conficker/Downad P2P communications is now running in full swing!
2. Conficker-Waledac connection? Possible, but we still have to dig deeper into this…
As for the second point, researchers said the worm tries to access a known Waledac domain and download another encrypted file, but they’re still trying to examine the connection.
Conficker April 1 Update Won’t Result In Attack, Experts Say
The Conficker worm is primed and ready for its latest update April 1, but security experts say that a large-scale cyberattack is not likely.
Come April 1, the latest version of Conficker, the malicious computer worm that has infected millions of computers in the creation of a global botnet, is set to launch a new update mechanism that will allow it to communicate unimpeded with its command and control centers for new instructions. Meanwhile, the newest evolution of the worm, known as the Conficker C variant, will come with a changed domain generation algorithm that will open up access to 50,000 newly generated domains.
However, despite the latest evolution of the Conficker worm, security experts don’t anticipate a major Internet meltdown on Wednesday, April 1.
The reason? Creators of the Conficker worm probably don’t want to launch an attack under the watchful gaze of the public, experts say. Instead, it is very likely that Conficker C will conduct its updates in peace on Wednesday and continue to silently incorporate computers into its massive spam-spewing botnet.
“The analysis has shown that Conficker authors have toned down the number of update requests, which they have done so they can fly under the radar. They want to run a botnet, as big as possible and as healthy as possible,” said Wolfgang Kandeck, CTO of security company Qualys. “It’s not in their interest to be visible. It’s not in their interest to annoy you.”
Instead, if there were to be a massive denial-of-service attack, it will likely come unexpectedly, after the publicity has died down, Kandeck said.
Meanwhile, subsequent attacks might be a little bit more difficult now than before, experts say. Over the weekend, security researchers finalized the development of a Conficker scanning tool that has the ability to monitor and remediate the Conficker worm on infected machines.
One of Conficker’s telltale calling cards is its ability to repair its own vulnerability once it has infected a PC — possibly to keep competing worms and malware from occupying the same space. However, the breakthrough tool, developed as part of the German Honeynet Project, relies on a sophisticated fingerprint-scanning technique that is able to distinguish between a regular Microsoft-issued patch, which closes the hole completely, and a Conficker-created patch, which leaves a small opening for itself.
Since the tool’s release over the weekend, numerous vendors, including Qualys, McAfee’s Foundstone Enterprise, Tenable Network Security’s Nessus, open-source Nmap and others with network-scanning programs have offered variations of the tool as a free download available for consumers.
However, Kandeck said that while the tool is a major step in combating the Conficker worm, it will likely be blocked or circumvented by new versions of the worm down the road.
“We will see how long this will hold up,” he said. “The Conficker people, they are smart. If I were them, I would change the way that I do this.”
The Conficker worm first emerged in October when attackers exploited a Microsoft security vulnerability occurring in the way the Server Service handles RPC requests. Shortly thereafter, Microsoft issued an emergency out-of-band patch repairing the glitch, and warned users that the attack was already loose in the wild. However, the fix came a little too late to stop the spread of the Conficker worm, and the malware propagated rapidly via users’ unpatched systems.
Since then, Conficker has evolved to become one of the most sophisticated and evasive botnets in history, with the ability to spread rapidly via peer-to-peer networks and USB drives. The worm also added numerous defensive measures designed to evade detection and removal by disabling Windows Automatic Updates and Windows Security Center. Conficker Version C also has the ability to block access to several security vendors’ Web sites and to evade numerous antivirus products.
Despite the severity of the emerging Conficker C variant, Dave Marcus, security research and communications manager for McAfee, said that users can protect themselves by updating their systems with the latest security patch, as well as conducting virus scans that require a reboot and running up-to-date antivirus software.
“Patch out in a reasonable time. People just have to heed the call, especially when there’s a piece of active malware taking advantage of that vulnerability,” Marcus said.
Meanwhile, Marcus said that the high-profile nature of Conficker, along with its speed and sophistication, have underscored the importance of patching systems with the latest security updates.
“Certainly there’s a different process [for different organizations]. That being said, there’s still an onus to get it done in a reasonable period of time,” Marcus said. “People have either heeded the advice or they haven’t. At this point, I don’t think it’s possible for us to put out the message anymore.”
More evidence of Google’s success in organizing the world’s information and making it universally accessible: Payment card details for 19,000 Brits were recently found hosted in the search engine’s web cache.
The details included the names, addresses, card numbers and expiry dates for UK-based Visa, MasterCard and American Express card holders, according to news reports. The information was available to anyone who knew the proper search query.
The data was originally posted to a website server located in Vietnam, presumably in error by data thieves who wanted to sell it to other scammers. Even after the site was shuttered in February, the information continued to live on in Google’s web history cache until company employees finally purged it.
Many of the cards that were posted had already been canceled, a spokesman for a bank industry group said. Additional coverage is here (http://www.dailymail.co.uk/news/article-1165447/19-000-UK-credit-card-details-posted-Net–accessible-Google.html#) and here (http://www.upi.com/Top_News/2009/03/28/Brits_credit_card_data_posted_on_Web/UPI-59491238272215/). ®
You have a few hours to work on this and I know you’re going to be vigilant about it. Let’s save what and who we can with our best efforts. Time is of the essence so get to it. I will be a bit busy for the next few hours checking on new vendor signature releases and info about this, dealing with my internal network and doing some last minute checking and changes so please pardon any delays in my responses for a while.
So now that signatures are being released for it is it over?
No it’s not. This is a staged effort. The signatures will be created, disseminated throughout the various security scanners, anti-virus and anti-malware vendor products but then comes the updating and patching of the systems.
If you are running an older version of a vendor product I strongly suggest you upgrade it now.
If you are running any definitions other than March 31st 2009 for your anti-virus and anti-malware solution then you’re not fully protected yet.
If you are still missing Microsoft Windows patches (any and all of them) then there’s still some level of risk for you.
If you’re running vulnerable applications like Adobe Reader, Acrobat, Firefox, iTunes, QuickTime, web browsers, media players and other applications check to make sure you’re not missing any vendor patches. The developers have released secure versions recently.
I still stick to my original take on this which is, if you are already infected just wipe and start over. There’s no real guarantee that you will fully get rid of the infection and the various pieces it comes with. If not, you have a good set of protective layers to work with.
Keep in mind that a signature based solution works off detecting via signature and not anomaly based threats. As Conficker is a blended threat, I expect to see some aspects of it still evading some security solutions if not configured properly for effective use. Some people have their solutions configured with out of the box settings which may not be optimally configured for a critical threat like this with such a rapid change effect rate.
I know this is short timing but it is good timing to get the word out and get people to act quickly. Be kind and help to spread the word to your family, friends, partners, associates, peers and anyone you converse with. This is critical info that needs to be shared.
Let’s get to it people. I’ve been up since Saturday helping people with their systems and talking about this and I plan to get some sleep over the next day or two.
Good luck and please keep me posted on any new developments and happenings around this once April 1st kicks in.
Security experts have made a breakthrough in their five-month battle against the Conficker worm, with the discovery that the malware leaves a fingerprint on infected machines that is easy to detect using a variety of off-the-shelf network scanners.
The finding means that, for the first time, administrators around the world have easy-to-use tools to positively identify machines on their networks that are contaminated by the worm. As of mid-Monday, signatures will be available for at least half a dozen network scanning programs, including the open-source Nmap (http://nmap.org/), McAfee’s Foundstone Enterprise (http://www.mcafee.com/us/enterprise/products/risk_management/foundstone_enterprise.html) and Nessus (http://www.nessus.org/nessus/), made by Tenable Network Security.
Up to now there were only two ways to detect Conficker, and neither was easy. One was to monitor outbound connections for each computer on a network, an effort that had already proved difficult for organizations with machines that count into the hundreds of thousands or millions. With the advent of the Conficker C variant (http://www.theregister.co.uk/2009/03/07/conficker_upgrade/), traffic monitoring became a fruitless endeavour because the malware has been programmed to remain dormant until April 1.
The only other method for identifying Conficker-infected computers was to individually scan each one, another measure that placed onerous requirements on admins.
The discovery of Conficker’s tell-tale heart two days before activation may prove to be an ace up the sleeve of the white hat security world.
“This is an extraordinarily inexpensive, not-very-time-intensive way of finding machines on your network that are actually running malicious software,” said Dan Kaminsky, one of the three researchers who discovered the Conficker fingerprint. “This is not something we get to do all the time. Most pieces of malicious software are not that easy to find.”
The availability of the new Conficker definitions is the result of the sleuthing and quick response of an industry-wide cast of characters, said Kaminsky, who is director of penetration testing at security company IOActive (http://ioactive.com/).
The finding came Friday afternoon as Kaminsky pored over data that members of the Honeynet Project (http://www.honeynet.org/) had collected on the worm. Along with Honeynet’s Tillmann Werner and Felix Leder, Kaminsky soon noticed that Conficker changes the way a small piece of the Windows operating system acts. The behavior, located in pre-authentication routines before users enter file-sharing passwords, makes easy-to-identify changes to the way machines look on a network.
“Once I heard that Conficker had code running on the anonymous surface, I said ‘Wait, we can fingerprint that,’” Kaminsky said. “If you can get packets to a box, you can find out fairly reliably whether it’s infected with Conficker.”
Kaminsky said he then turned to help from Securosis researcher Rich Mogull, who on Saturday began mobilizing providers of network scanning products to add the Conficker definitions as soon as possible.
“This is the fastest turn-around I’ve ever seen,” Kaminsky said.
Products from Qualys and ncircle are also expected to add anti-Conficker detection signatures. Werner and Leder have developed their own proof-of-concept scanner, which is available here (http://iv.cs.uni-bonn.de/uploads/media/scs.zip).
Since showing up a few days after Microsoft released an emergency patch (http://www.theregister.co.uk/2008/10/23/emergency_windows_update/) for Windows in late October, Conficker has elicited a grudging admiration from security professionals, who can’t help acknowledging the worm’s sophistication. It attacked multiple vectors, was able to crack passwords and spread like wildfire, infecting more than ten million boxes in just a few months’ time, by some estimates.
Conficker’s profile has only grown larger in the past few weeks as the calendar slowly approaches April 1. That’s the day that machines infected with Conficker C will be able to tap into a much larger pool of internet addresses to receive instructions – 50,000 instead of the previous 250.
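The two articles above describe why Conficker C is hard to spot from traffic alone: it stays dormant until April 1, and once active it can draw on 50,000 generated domain names a day instead of 250, so blocklisting individual names is a losing race. What a defender can still see is the side effect of a domain generation algorithm: a host asking the resolver for many distinct, random-looking domains that do not exist. The following is an added example, not code from either article, the Honeynet Project or any vendor mentioned: it parses a constructed resolver log (the `timestamp client qname rcode` layout is an assumption made for this example), counts per client the distinct registered domains that came back NXDOMAIN, scores their labels by character entropy, and flags clients that exceed both thresholds. The thresholds and the sample lines are constructed, not taken from Conficker.

```python
"""Flag clients whose DNS activity looks like DGA beaconing (added example).

Assumed log layout: "<timestamp> <client-ip> <qname> <rcode>", one query per line.
Both the layout and the sample lines below are constructed for this example.
"""
import math
import re
from collections import defaultdict

# Constructed sample resolver log. 10.0.0.5 is a normal host, 10.0.0.7 made two
# typos, 10.0.0.9 cycles through random-looking names the way a DGA would.
SAMPLE_LOG = """\
2009-03-31T10:00:01 10.0.0.5 www.example.com NOERROR
2009-03-31T10:00:02 10.0.0.5 mail.example.com NOERROR
2009-03-31T10:00:04 10.0.0.5 update.example.net NOERROR
2009-03-31T10:00:05 10.0.0.7 wwww.example.com NXDOMAIN
2009-03-31T10:00:06 10.0.0.7 exmaple.com NXDOMAIN
2009-03-31T10:00:07 10.0.0.9 qxkvzpmtrl.info NXDOMAIN
2009-03-31T10:00:07 10.0.0.9 hgwzqtlvbn.biz NXDOMAIN
2009-03-31T10:00:08 10.0.0.9 ytpkrzvwqm.org NXDOMAIN
2009-03-31T10:00:08 10.0.0.9 bnmqzxlkwv.ws NXDOMAIN
2009-03-31T10:00:09 10.0.0.9 vcxzqwplkm.cn NXDOMAIN
2009-03-31T10:00:09 10.0.0.9 rtyzqxwvmn.info NXDOMAIN
2009-03-31T10:00:10 10.0.0.9 www.example.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL|REFUSED)$")


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "rcode": rcode}


def registered_domain(qname):
    """Collapse a query name to its last two labels so www.x.com and mail.x.com count once."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score near log2(alphabet size)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_clients(log_text, min_nxdomain=5, min_entropy=3.0):
    """Per-client stats; 'suspicious' is set when both thresholds are exceeded."""
    per_client = defaultdict(lambda: {"queries": 0, "nx_domains": set(), "entropy_sum": 0.0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        st = per_client[rec["client"]]
        st["queries"] += 1
        if rec["rcode"] == "NXDOMAIN":
            dom = registered_domain(rec["qname"])
            if dom not in st["nx_domains"]:
                st["nx_domains"].add(dom)
                # Score the second-level label only; the TLD is not attacker-chosen noise.
                st["entropy_sum"] += shannon_entropy(dom.split(".")[0])
    results = {}
    for client, st in per_client.items():
        n = len(st["nx_domains"])
        mean_entropy = st["entropy_sum"] / n if n else 0.0
        results[client] = {
            "queries": st["queries"],
            "nxdomain_count": n,
            "mean_entropy": round(mean_entropy, 2),
            "suspicious": n >= min_nxdomain and mean_entropy >= min_entropy,
        }
    return results


def flagged_clients(log_text, **thresholds):
    """Sorted list of client IPs whose NXDOMAIN pattern crossed the thresholds."""
    return sorted(c for c, s in score_clients(log_text, **thresholds).items() if s["suspicious"])


if __name__ == "__main__":
    for client, stats in sorted(score_clients(SAMPLE_LOG).items()):
        print(client, stats)
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

The entropy score is what keeps ordinary typos (the two misspellings from 10.0.0.7, both below the count threshold and scoring like a dictionary word) from tripping the alert, while the distinct-domain count keeps a single unlucky lookup from doing so; in a real deployment both thresholds would be tuned against a baseline of the site's own NXDOMAIN rate, and the timestamp field would be used to bucket the counts per hour rather than over the whole file.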
But it would appear the evil geniuses who spawned the malware made a fatal error that until now had gone unnoticed. Its discovery just a few days before an important deadline could lead to its eradication – but only if network admins worldwide put down what they’re doing and make use of the tools now.
“We have no idea what Conficker is going to do on April 1,” Kaminsky said. “Certainly there is no reason anyone wants to find out on their network. My recommendation is that people run one of the vulnerability scanners on Monday or Tuesday.” ®
Well, it’s simple, you’re SCREWED, so just start the wiping and rebuilding process and don’t waste time trying to clean it up. This is not one of those small time threats that you can clean up and rest well knowing that you’re ok. This is a new level of sophistication that took serious time, effort and thought to create and map out its deliverables.
So you scanned your system after hearing all this talk and alerts about this “serious threat” and now you’ve found something suspicious and you’re wondering what to do. Well, it’s not that you had blocked it nor was the system fully patched and the doors closed, it was already on the system and has already done its rounds of spreading and attaching itself to critical areas of the system. This kind of threat isn’t the kind that you can rest comfortably with (well I can’t/don’t) and I wouldn’t feel comfortable knowing that it is on a network of someone I converse with.
I mean, things do happen but there should be due diligence in your system security best practices and how they are handled prior to an issue like this.
Now comes April 1st and you’re wondering, oh my God, what am I going to do?
Well, you’re about to be activated and who knows what your command, effects and impact will be.
I hope that this is more of a hoax than what I have concluded from my own personal analysis. Maybe it’s time you start being more proactive than reactive.
We’ll just have to wait and see.
IT Security IS a people problem, not an industry one.
Over the past week I have had so many requests to talk about this worm and why it is so bad and what it really means that I almost convinced myself that it was a brand new threat. Most people are so caught up on it as if it is a new threat but it really isn’t. It’s just a new level of sophistication that warrants the time and attention from the security professionals and vendors to stop whatever possibilities it may bring come April 1st and beyond and for the general public to be aware that these are real life issues here. As I say every day, IT Security is a people problem, not an industry one because the impact and effects are felt in every area of our society and daily lives.
When CBS’s 60 Minutes ran the story on Sunday March 29th at 7pm, it’s as if the world woke up to the realization that this is serious. The very same words and things I have been telling people didn’t resonate until they heard and saw it on 60 Minutes. Wow, and you wonder why the state of our security is so weak and poor: people don’t know who to listen to nor trust in these matters. So now I am talking to the same people who I talked to a year ago about the importance of properly protecting themselves from these risks and why it is needed today.
One person called me and was saying, “Hey Brett, did you watch 60 Minutes and see that new worm they are talking about? Man, that’s serious, isn’t it?”
So now I’m sitting on the other end of the line going, huh, are you serious? This is the same thing I have been talking about for years and trying to get you to understand. This is just a named threat, but a threat nonetheless, with a more sophisticated architecture and attack vector. It’s amazing.
I had more people asking which anti-virus software can stop this threat than what is this threat really about. This is one of the issues I have with a scenario like this because people need to take the time to learn and understand more about the threat and how it proliferates so they can better help to prevent the infection or spread even if they have security installed and running on their systems. We need more educated people to help maintain a strong wall of protection against the spread of these threats/risk via the internet today and tomorrow. Learn, get the facts, understand the need and activate the common sense.
Guess what, you’ve been activated. You’re now more alert, more intrigued, more prone to fighting these issues because it is in your backyard and you MUST DEAL WITH IT. How you decide to handle yourself is another issue.
I hosted an IT Security Webcast on March 22nd and 5 people who declined to attend the session via the event invite on Facebook ended up with some form of infection two days later.
When asked how they got it, I was told,
I’m not sure or I don’t know.
The reason for declining my invite was that they have anti-virus on their system to protect them so they are ok and good to go.
What can I say?
Many will fall under these kinds of issues because they think they are good to go and not needing to learn or know more about how to protect themselves online. While they rest assured that they are protected by their AV client they still practice bad browsing, file sharing, file cracking, key generation and illegal software downloads everyday which gives systems access to these hackers via backdoors.
The next time you decide to download a keygen, password generator, cracked file, music from unknown people/sites or browse a website from an IM someone may have sent you, think twice about what you’re doing to your system, yourself and those you share and converse with. Support the developers and buy the apps. Get the real code.
The next time you decide to click ok on that pop up window without reading what it says while browsing, think again and take a minute to read it.
The next time you decide to open that chain mail and click on the link, hey, hey, hey, watch out now. You may know and trust the sender but do you know if he/she really sent it?
When in doubt, reach out.
And so we wait for April 1st to see what Conf*ker will do to those systems already under its control.
I would still encourage all of you to make sure that Acrobat readers in your company are updated with the latest versions from Adobe. These exploits are quite nasty, as some will infect with just a mouse-over on a file.
For those who missed it here it is. Please take a few minutes to watch it. It may not be all that but is still some good facts about the state of IT Security today.
There have been many articles, reviews, information and postings about the Conf*ker, as many people have started calling it. Depending on who you talk with you can replace the * with anything that suits your feelings towards it. The most interesting thing about this threat is that it’s neither a new one nor a new attack form; it’s the same old attackers doing the nefarious things they do, but with a bit more sophistication. For me as an IT guy looking at all this, I’m getting the wow factor from some of the new developments and traits of the threat. So my take today will not be to overwhelm you with all the techno jargon and high level breakdown of the threat but just to speak on it in the most basic form so that even those who are non technical can grasp the severity of it.
So here goes.
If you get infected with the Conficker worm you’re screwed. Bottom line.
If this is a system that is on a business network it must be removed, quarantined, disinfected by any means necessary. Take no chances with this threat.
Get my drift?
Is this basic enough to understand?
Ok, let’s take it from another angle.
This worm is a blended (virus, worm, rootkit, botnet, adware, malware and the what else factor) threat in a blended threat with blended characteristics. It’s like catching a cold and getting a headache, ear ache, stomach ache, backache and chest pains all in one. It starts with a simple cold but quickly spreads to other critical areas of the body causing serious effects and harm. This threat is in a class by itself as it deploys various additional agents around the system that causes complete successful removal to be unclear.
If you have been infected with the worm your only real option is to completely wipe the system. Unplug, power down, power drain, complete power loss to all storage capacities of the system. This is a very serious threat.
As for those who have been asking about which anti-virus solution is best to protect against this, there isn’t one. Anti-Virus alone is not going to protect you from this threat and the blended effects. It will take a number of things to make this happen and here’s my list.
1. System must be fully patched from all angles: the operating system, the applications, services, devices and drivers. When patching the Microsoft Windows operating system many people have auto update enabled but with different settings. Some have it set to alert them of new updates but never apply them. Some have it set to download and wait for their approval, and they never approve the installation. Some have it set to download and install all updates. This is the good option to have. When patching the OS one must be prudent and apply not only critical patches but all software updates, severe and high as well. So I recommend that if you’re using the built-in auto update, please use “download and apply all”. If doing it manually, do a custom update, which will reveal all the patches and updates needed.
2. Anti-Virus alone will not protect you from this worm or from most of the new threats in the IT security threat landscape today and tomorrow. An anti-malware solution is critical to combine the protective layers of web/content filtering, IDS/IPS, anomaly/heuristics-based detection, network and proactive threat protections. This is a backup to the patching already performed on the system. A fully patched system can still be compromised if targeted malicious code is allowed to reach it.
3. Common sense is the name of the game and the winner of all security practices. On top of patching the system and having the needed security solution comes the best practice of all: the user’s common sense in using the system effectively. As the person using the system one needs to pay very close attention to details in their messaging, web browsing and IM practices. Opening emails from known and unknown sources requires due diligence in thinking about the nature of the message, its contents and its relevance to you. A message from a known source may not have been sent by them but could be the result of an infection on their system(s). This is the same for email and IMs. There are many IM worms that will hijack your IM client and send out messages to everyone in your contact list, pointing them to a website that serves a drive-by download. Many people think very little of web-based attacks, while they are the fastest growing today because of the ease of infection and delivery of the payload.
4. User education and awareness. This is a very critical issue, as many seem to think that these issues are a corporate or industry problem. When a threat like Conficker goes into the wild it is not targeting specific systems in specific industries only; it is doing a general attack across all systems within its path. IT security is a people problem and we are all in its path whether we like it or not, no matter what OS vendor platform you’re running.
5. Enable your built-in firewall or get a third-party one to put up some form of perimeter defense.
6. There are security suite solutions that bundle multiple security technologies and features in one suite. That may be a more viable option for you because of the integration and management options.
The fact of the matter is, we have these issues at the level they should have been years ago, in the media and across all industries as a people problem, not an industry one. I take the same approach to Conficker as I do to rogue Anti-Virus 2008/9 threat, if detected, wipe, clean, rebuild, reimage.
This isn’t something to play around with, wondering what was cleaned or whether it was cleaned at all. The only way to be sure is to wipe it all out.
This page is designed to provide IT Pro customers the information they need to help protect their systems from the Conficker Worm, or to recover systems that have been infected.
On October 23, 2008, Microsoft released a critical security update, MS08-067 [ http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx ] , to resolve a vulnerability in the Server service of Windows that, at the time of release, was facing targeted, limited attack. The vulnerability could allow an anonymous attacker to successfully take full control of a vulnerable system through a network-based attack, the sort of vectors typically associated with network “worms.” Since the release of MS08-067 [ http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx ] , the Microsoft Malware Protection Center (MMPC) has identified the following variants of Win32/Conficker [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker ] :
· Worm:Win32/Conficker.A [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.A ] : identified by the MMPC on November 21, 2008
· Worm:Win32/Conficker.B [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B ] : identified by the MMPC on December 29, 2008
· Worm:Win32/Conficker.C [ http://www.microsoft.com/security/portal/Entry.aspx?name=Worm:Win32/Conficker.c ] : identified by the MMPC on February 20, 2009*
· Worm:Win32/Conficker.D [ http://www.microsoft.com/security/portal/Entry.aspx?name=Worm:Win32/Conficker.d ] : identified by the MMPC on March 4, 2009**
*Also known as Conficker B++
**Also known as Conficker.C and Downadup.C
What Happens on April 1, 2009?
Systems infected with the latest version of Conficker will begin to use a new algorithm to determine what domains to contact. Microsoft has not identified any other actions scheduled to take place on April 1, 2009. It is possible that systems with the latest version of Conficker may be updated with a newer version of Conficker on April 1 by contacting domains on the new domain list. However, these systems could be updated on any date before or after April 1 as well using the “peer-to-peer” updating channel in the latest version of Conficker.
Protecting PCs from Conficker
Apply the security update associated with MS08-067 [ http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx ] . View the security bulletin for more information about the vulnerability, affected software, detection and deployment tools and guidance, and security update deployment information.
Make sure you are running up-to-date antivirus software from a trusted vendor, such as Microsoft’s Forefront Client Security [ http://www.microsoft.com/Forefront/clientsecurity/en/us/default.aspx ] or Windows Live OneCare [ http://onecare.live.com/standard/en-us/3/default.htm ] . Antivirus software may also be obtained from trusted third parties such as the members of the Virus Information Alliance.
Check for updated protections for security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. The Microsoft Active Protection Program (MAPP) provides partners with early access to Microsoft vulnerability information. For a list of partners and links to their active protections, please visit the MAPP Partners [ http://www.microsoft.com/security/msrc/mapp/partners.mspx ] page.
Disable the AutoPlay feature through the registry or using Group Policies as discussed in Microsoft Knowledge Base Article 967715 [ http://support.microsoft.com/kb/967715.aspx ] . Microsoft released Security Advisory 967940 [ http://www.microsoft.com/technet/security/advisory/967940.mspx ] to notify users that the updates to allow users to disable AutoPlay/AutoRun capabilities have been deployed via automatic updating channels. NOTE: Windows 2000, Windows XP, and Windows Server 2003 customers must deploy the update associated with Microsoft Knowledge Base Article 967715 [ http://support.microsoft.com/kb/967715.aspx ] to be able to successfully disable the AutoRun feature. Windows Vista and Windows Server 2008 customers must deploy the security update associated with Microsoft Security Bulletin MS08-038 [ http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx ] to be able to successfully disable the AutoRun feature.
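The checks in the numbered list earlier on this page (automatic updating mode, firewall) and in the Microsoft guidance just above (MS08-067, AutoRun) can be audited from one script. The following PowerShell is an added example, not code from the original post or from Microsoft’s Conficker page. It is read-only, and it assumes the registry locations for Automatic Updates, Windows Firewall profiles and the AutoRun policy named in the comments; the KB package numbers it looks for are assumptions to verify against the bulletin and Knowledge Base article.

```powershell
# Added example (not from the original post or Microsoft): a read-only audit of the
# protections recommended above. Run in an elevated PowerShell; nothing is changed.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function New-Finding {
    param([string]$Check, $Value, [string]$Meaning, [bool]$Ok)
    return New-Object PSObject -Property @{ Check = $Check; Value = $Value; Meaning = $Meaning; Ok = $Ok }
}

function Test-AutoUpdateMode {
    # A Group Policy setting overrides the per-machine one, so look there first.
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    if ((Get-RegValue $policyKey 'NoAutoUpdate') -eq 1) {
        return New-Finding 'Automatic Updates' 'NoAutoUpdate=1' 'disabled by policy' $false
    }
    $opt = Get-RegValue $policyKey 'AUOptions'
    if ($opt -eq $null) { $opt = Get-RegValue $machineKey 'AUOptions' }
    if ($opt -eq $null) {
        $meaning = 'not configured'
    } else {
        $meaning = switch ([int]$opt) {
            1 { 'never check for updates' }
            2 { 'notify only; nothing is applied unless someone acts' }
            3 { 'download, then wait for approval to install' }
            4 { 'download and install automatically' }
            default { "unknown value $opt" }
        }
    }
    # The list above recommends mode 4 (download and apply all); anything else is flagged.
    return New-Finding 'Automatic Updates (AUOptions)' $opt $meaning ($opt -eq 4)
}

function Test-FirewallProfiles {
    # EnableFirewall = 1 means the profile is on. PublicProfile exists only on Vista and later.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($fwProfile in @('DomainProfile', 'StandardProfile', 'PublicProfile')) {
        $enabled = Get-RegValue "$base\$fwProfile" 'EnableFirewall'
        if ($enabled -eq $null -and $fwProfile -eq 'PublicProfile') { continue }
        $meaning = if ($enabled -eq 1) { 'on' } else { 'off or not set' }
        New-Finding "Windows Firewall ($fwProfile)" $enabled $meaning ($enabled -eq 1)
    }
}

function Test-AutoRunDisabled {
    # The KB967715 update and the matching Group Policy write NoDriveTypeAutoRun;
    # 0xFF disables AutoRun on every drive type, which closes the removable-media vector.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value = Get-RegValue $key 'NoDriveTypeAutoRun'
    $meaning = if ($value -eq 0xFF) { 'AutoRun disabled on all drive types' } else { 'AutoRun still allowed on some drive types' }
    return New-Finding 'NoDriveTypeAutoRun' $value $meaning ($value -eq 0xFF)
}

function Test-HotfixInstalled {
    param([string]$KB, [string]$Why)
    # Win32_QuickFixEngineering lists installed updates by their KB package id.
    $hits = @(Get-WmiObject -Class Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq $KB })
    $state = if ($hits.Count -gt 0) { 'installed' } else { 'missing' }
    return New-Finding "$KB ($Why)" $state $Why ($hits.Count -gt 0)
}

# Assumed package numbers: KB958644 for the MS08-067 update, KB967715 for the AutoRun
# update cited above (only required on Windows 2000/XP/2003, i.e. NT version < 6).
$findings = @()
$findings += Test-AutoUpdateMode
$findings += Test-FirewallProfiles
$findings += Test-AutoRunDisabled
$findings += Test-HotfixInstalled -KB 'KB958644' -Why 'MS08-067 Server service fix'
if ([Environment]::OSVersion.Version.Major -lt 6) {
    $findings += Test-HotfixInstalled -KB 'KB967715' -Why 'AutoRun disable support'
}
$findings | Format-Table Check, Value, Meaning, Ok -AutoSize
if ($findings | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more of the recommended protections is missing on this machine.'
}
```

A row with Ok = False is the item to fix by hand: change the Automatic Updates mode, turn the firewall profile on, deploy the AutoRun update and set NoDriveTypeAutoRun, or install the missing security update. Because the script only reads the registry and WMI, it is safe to push to every machine in a domain and collect the output centrally.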
Cleaning Systems of Conficker
Manually download the Windows Malicious Software Removal Tool (MSRT) [ http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356 ] onto uninfected PCs and deploy to infected PCs to clean infected systems.
Conficker Timeline
· On November 21, 2008, the MMPC identified Worm:Win32/Conficker.A [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.A ] . This worm seeks to propagate itself by exploiting the vulnerability addressed in MS08-067 [ http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx ] through network-based attacks. The MMPC added signatures and detection to Microsoft Forefront, Microsoft OneCare, and the Windows Live OneCare Safety Scanner on the same day.
· On November 25, 2008, the MMPC communicated information about Worm:Win32/Conficker.A [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.A ] through their weblog [ http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx ] .
· On December 29, 2008, the MMPC identified the second variant, Worm:Win32/Conficker.B [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B ] , and added signatures and detection to Microsoft Forefront, Microsoft OneCare, and the Windows Live OneCare Safety Scanner on the same day. NOTE: Worm:Win32/Conficker.B [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B ] can be successful against systems that have applied the security update associated with MS08-067 [ http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx ] .
· On December 31, 2008, the MMPC communicated information about Worm:Win32/Conficker.B [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B ] through their weblog [ http://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx ] .
· On January 13, 2009, the MMPC included the ability to remove both Worm:Win32/Conficker.A [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.A ] and Worm:Win32/Conficker.B [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B ] in the January 2009 release of the Windows Malicious Software Removal Tool [ http://www.microsoft.com/security/malwareremove/default.mspx ] and communicated information about this through their weblog [ http://blogs.technet.com/mmpc/archive/2009/01/13/msrt-released-today-addressing-conficker-and-banload.aspx ] .
· On January 22, 2009, the MMPC provided consolidated technical information about Worm:Win32/Conficker.B [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.B ] on their weblog [ http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx ] .
· On February 12, 2009, Microsoft announced a U.S. $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet. Microsoft’s reward offer stems from the company’s recognition that the Conficker worm is a criminal attack. Microsoft wants to help the authorities catch the criminals responsible for it. Residents of any country are eligible for the reward, in accordance with the laws of that country, because Internet viruses affect the Internet community worldwide.
· On February 20, 2009, the MMPC provided technical information about Worm:Win32/Conficker.C [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.c ] on their weblog [ http://blogs.technet.com/mmpc/archive/2009/02/20/updated-conficker-functionality.aspx ] .
· On March 27, 2009, the MMPC provided more details about the new P2P functionality in Worm:Win32/Conficker.D [ http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.d ] on their weblog [ http://blogs.technet.com/mmpc/archive/2009/03/27/information-about-worm-win32-conficker-d.aspx ] .
Individuals with information about the Conficker worm are encouraged to contact their international law enforcement agencies. Additionally, Microsoft has implemented an Antivirus Reward Hotline, +1-425-706-1111, and an Antivirus Reward Mailbox, avreward@microsoft.com, where tips can be shared.
This is from an email I sent out to my network distribution list today at 12 noon.
Good day to you,
This is a critical issue that has been highly overlooked and is a bigger problem than most people care to think. For those of us consultants who are responsible for our client’s infrastructure, please help them to understand where these laws apply and how it affects them. I’m bringing in someone from the attorney general’s office to do a presentation on this for us in the coming month. I’m trying to work with their schedule so stay tuned for the date of the meeting.
There are some serious new threats on the loose, and the more I look at them, the more easily I see the rate of success in their deliverables. Our organization speaks to these issues and we must understand what they mean for those we’re helping to understand. This new variant of the Conficker worm has some nasty new tricks to it, and while following its development and path, I’m more convinced that this is a new level of sophistication way above the rogue Anti-Virus/Anti-Spyware 2008/2009 threat we encountered last year, which is still a major pain point for IT today. Whether this is an April Fools’ Day joke or not, as you can see, the financial ramifications of negligence will be heavy.
Get those system (OS, applications, devices) patches updated and current. Most people tend to patch the OS and leave vulnerable applications running with system access to the OS, so that even a fully patched OS is still vulnerable. Patching is an all-round process that applies to the OS, the applications running on it and the devices being connected to it. Even the device drivers are a point of entry to a system today, so patch them if needed. Check on those security policies and rules and ensure they are up and running. We have a few days before April 1st, so talk with your people about this and let them understand the need for being prudent about it.
Make no mistake, people, this is a new age where technology rules and the threats are more real than ever before. This is not someone physically walking in and taking your data; this is someone sitting anywhere in the world and having access to it (if allowed).
March 25, 2009 (Computerworld) Cybercrooks have hit on a new twist to their aggressive marketing of fake security software and are duping users into downloading a file utility that holds users’ data for ransom, security researchers warned today.
While so-called scareware has plagued computer users for months, those campaigns have relied on phony antivirus products that pretend to trap malware but actually only exist to pester people into ponying up as much as $50 to stop the bogus warnings.
The new scam takes a different tack: It uses a Trojan horse that’s seeded by tricking users into running a file that poses as something legitimate like a software update. Once on the victim’s PC, the malware swings into action, encrypting a wide variety of document types — ranging from Microsoft Word .doc files to Adobe Reader PDFs — anytime one is opened. It also scrambles the files in Windows’ “My Documents” folder.
When a user tries to open one of the encrypted files, an alert pops up saying that a utility called FileFix Pro 2009 will unscramble the data. The message poses as a semiofficial notice from the operating system. “Windows detected that some of your MS Office and media files are corrupted. Click here to download and install recommended file repair application,” the message reads.
Clicking on the alert downloads and installs FileFix Pro, but the utility is anything but legit. It will decrypt only one of the corrupted files for free, then demands the user purchase the software. Price? $50.
“This does look like a new tactic,” said David Perry, the global director of education at antivirus vendor Trend Micro Inc. “But all online fraud is just minor variations of classic con games. This is just the ‘Bank Examiner’ played out on the Internet.”
That classic con, said Perry, typically involves a swindler posing as an official, a bank examiner or an FBI agent who asks for help in an investigation. The swindler convinces the mark to withdraw money from the bank — it’s needed to catch the nonexistent crook in the act — and promises to return the funds at the end of the case. Of course, the money vanishes, along with the grifter.
On the Web, data-hostage scams like this are called “ransomware” for obvious reasons. This isn’t the first time the tactic has been used, but it is remarkably polished, said Perry. “We’ve not seen ransomware with this level of sophistication,” he said.
Users who have fallen for the FileFix Pro 2009 con do not have to fork over cash to restore their files, according to other researchers, who have figured out how to decrypt the data. The Bleeping Computer site, for instance, has a free program called “Anti FileFix” available for download that unscrambles files corrupted by the Trojan horse. And security company FireEye Inc. has created a free online decrypter that also returns files to their original condition.
Alex Lanstein, a malware researcher at FireEye who blogged about FileFix Pro 2009 last week, called the turn from scareware to ransomware “sobering.”
“Although we broke the encryption, it’s a sobering realization of the state of malware that it is now actively extorting users by holding their data ransom,” Lanstein said. “Despite this version of FileFix being trivial to crack, it does not bode well for the future of Internet malware.”
If ransomware follows a similar path as scareware, criminals will be hustling to mimic FileFix Pro. According to some estimates, crooks make as much as $5 million a year pushing fake antivirus software.
Apple Mac users warned of web-based malware threats
RSPlug-F Mac Trojan horse distributed via HDTV website
IT security and control firm Sophos is warning Apple Mac users to be on their guard against websites hosting malicious code designed to infect their systems. The advice follows the discovery of a new version of the OSX/RSPlug Trojan horse that is being distributed via a legitimate-looking website offering HDTV software.
“There is much less malware for the Apple Mac than there is for Windows, but that doesn’t mean that Apple fans can hide their head in the sand like ostriches,” said Graham Cluley, senior technology consultant for Sophos. “Mac users are no different to Windows users when it comes to falling for social engineering tricks like this – they are just as likely to install and run this program on their computer if they believe it will help them watch high definition TV.”
Sophos notes that the criminal gang behind this malware attack is targeting Windows computers as well as Mac OS X.
“Windows users shouldn’t be feeling smug about this attack against Mac users. If you visit the website from a Windows computer, it will serve up a malicious Windows executable from the Zlob family of malware rather than the RSPlug-F Mac OS X Trojan horse. By targeting both platforms with their malicious website, the hackers can kill two birds with one stone,” explained Cluley. “Once a piece of malware like this is in place on your computer, it can do whatever the hacker wants it to do. Mac users are gambling with the security of their data if they believe they are somehow magically immune from threats that Windows users have lived with everyday for years.”
Sophos experts have determined that the RSPlug-F Trojan horse changes DNS settings on Apple Mac computers, meaning users may find they are taken to bogus websites which may attempt to steal personal information, display revenue-generating adverts, or install further malware.
Researchers have demonstrated how to create rootkits that survive hard-disk reformatting by injecting malware into the low-level system instructions of a target computer.
The researchers, from Core Security Technologies, used the techniques to inject rootkits into two computers, one running the OpenBSD operating system and the other Windows. Because the infection lives in the computer’s BIOS, or basic input/output system, it persists even after the operating system is reinstalled or a computer’s hard drive is replaced.
While researchers have focused on BIOS-based rootkits (http://www.theregister.co.uk/2006/01/27/rootkits_bios/) for at least three years, earlier techniques generally attacked specific types of BIOSes, such as those that used ACPI, or Advanced Configuration and Power Interface. The techniques demonstrated by the Core researchers work on virtually all types of systems, they said.
Of course, injecting code into the BIOS is no easy feat. It requires physical access to the machine or an exploit that hands an attacker unfettered root access. But the research, presented at last week’s CanSecWest security conference by Anibal L. Sacco and Alfredo A. Ortega, does demonstrate that infections will only become harder to spot and remove over time. ®
Security Updates available for Adobe Reader and Acrobat
Release date: March 18, 2009
Vulnerability identifier: APSB09-04
CVE number: CVE-2009-0658, CVE-2009-0927
Platform: Windows and Macintosh
Summary
Critical vulnerabilities have been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that one of these issues is being exploited (CVE-2009-0658).
Adobe recommends users of Adobe Reader and Acrobat 9 update to Adobe Reader 9.1 and Acrobat 9.1. Adobe recommends users of Acrobat 8 update to Acrobat 8.1.4, and users of Acrobat 7 update to Acrobat 7.1.1. For Adobe Reader users who can’t update to Adobe Reader 9.1, Adobe has provided the Adobe Reader 8.1.4 and Adobe Reader 7.1.1 updates.
These updates resolve the issue from Security Advisory APSA09-01 and Security Bulletin APSB09-03. Users who have previously updated to Adobe Reader 9.1 and Acrobat 9.1 for Windows and Macintosh need not take any action. Adobe now plans to make available Adobe Reader 9.1 and Adobe Reader 8.1.4 for Unix by March 24.
Affected software versions
Adobe Reader 9 and earlier versions
Adobe Acrobat 9 Standard, Pro, and Pro Extended and earlier versions
Adobe categorizes this as a critical update and recommends that users apply the update for their product installations.
Details
Critical vulnerabilities have been identified in Adobe Reader and Acrobat 9 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Acrobat and Adobe Reader update their product installations to versions 9.1, 8.1.4, or 7.1.1 using the instructions above to protect themselves from potential vulnerabilities.
The Adobe Reader and Acrobat 9.1 and 7.1.1 updates resolve an input validation issue in a JavaScript method that could potentially lead to remote code execution. This issue has already been resolved in Adobe Reader 8.1.3 and Acrobat 8.1.3. (CVE-2009-0927)
The Adobe Reader 7.1.1 and Acrobat 7.1.1 updates resolve issues previously addressed in Adobe Reader and Acrobat 8.1.3 and later, and Adobe Reader and Acrobat 9 and later. (CVE-2008-4814, CVE-2008-4813, CVE-2008-2549)
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers’ security:
Tenable Network Security reported through TippingPoint’s Zero Day Initiative (CVE-2009-0927)
Doggy: Hi,
Interesting, did you plan to continue this article?
Doggy
Ingedrade: I have been looking at this site and find it to be really helpful. I would greatly appreciate any assistance.
High School: really loved the article added to my favourites
WP Themes: Nice post, and this mail helped me a lot in my college assignment. Thank you for your information.
TSwain: Generally I do not post on blogs, but I would like to say that this post really forced me to do so, Excellent post!
GeowsswelaY: The information here is great. I will invite my friends here.
Thanks
distance education: I hope this was a very interesting post thanks for writing it!
Reseller Hosting: Your blog keeps getting better and better! Your older articles are not as good as newer ones you have a lot more creativity and originality [...]
Billy: Good reading,
after reading, could it be the same or related stories in
avg free
whey.protein.side.effects: Very extraordinary website.
The information here is genuinely valuable.
I will tell my friends.
Cheers
TITSSN ~The IT Security Suite Network~
The IT Security Suite Network ~TITSSN~ is a technology leader specializing in IT services and support across the world. We are a Managed Security Services Provider/Value Added Reseller offering information technology hardware and software sales, services