Saturday, November 13, 2004

New Spammed Version of MyDoom Does Its Dirty Work with No Email Attachments

The newest version of the MyDoom virus still misappropriates its victim's computer and downloads a malicious program to it, which scrapes email addresses from the computer and then spews spam to those addresses — but it does it all without the telltale email attachment which we have come to associate with email viruses.
Far more insidiously, this version of MyDoom simply needs the victim to click on a link contained in the email; then, exploiting one of the more recently discovered Internet Explorer security holes, the payload program is downloaded from a remote site, triggered by the click on the link.
The email containing the virus-bidding link is making the rounds in various forms, at least one of which appears to be an email from PayPal, and which tells the user:
"Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days."

Wednesday, November 10, 2004

Firefox 1.0 Is Out. Where's IE 7.0?

Mozilla finally launched its Firefox 1.0 browser. So what's Microsoft got up its sleeve on the Internet Explorer front? Will there be an IE 7.0 (that is independent of Longhorn)?

New Version of MyDoom Worm May Be Near Us!

Anti-virus companies are reporting a worm that spreads via a new vulnerability in Internet Explorer.
The vulnerability is not present in Windows XP Service Pack 2, but it is in all earlier versions of Internet Explorer 6, and no patch is available. It involves a buffer overflow triggered by an IFRAME or EMBED tag with an oversized SRC or NAME attribute. I don't know exactly how it works, but the worm, known as MyDoom.ag in McAfee's naming, does not have a file attachment, as is typical of mail worms. Instead, it installs a web server on port 1639 of the infected system. The e-mails it sends out to spread itself contain a link to the server on the infected computer.
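As an added example (not code from this post, from the first MyDoom post above, or from the antivirus companies they cite), here is the detection logic a mail or web gateway could run over a message: it flags IFRAME/EMBED tags whose SRC or NAME attribute is far longer than any legitimate value, and links that point at port 1639 on a bare IP address, which is how this worm directs victims to the web server it installs. The length threshold, the sample page and mail body, and the 192.0.2.10 address are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed thresholds for this example; the advisory gives no exact sizes.
MAX_ATTR_LEN = 256        # SRC/NAME values longer than this on IFRAME/EMBED get flagged
MYDOOM_AG_PORT = 1639     # port of the web server the worm installs (from the post above)


class OversizedAttrFinder(HTMLParser):
    """Records IFRAME/EMBED tags whose SRC or NAME attribute exceeds the limit."""

    def __init__(self, limit):
        super().__init__()
        self.limit = limit
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() not in ("iframe", "embed"):
            return
        for name, value in attrs:
            if name.lower() in ("src", "name") and value and len(value) > self.limit:
                self.hits.append((tag.lower(), name.lower(), len(value)))


def find_oversized_tags(html, limit=MAX_ATTR_LEN):
    """Return (tag, attribute, length) for every oversized IFRAME/EMBED attribute."""
    parser = OversizedAttrFinder(limit)
    parser.feed(html)
    parser.close()
    return parser.hits


# http://<dotted IP>:<port>/... links; the worm links to the victim's own web server,
# so the host part is an IP address rather than a domain name.
LINK_RE = re.compile(r"""https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?:/[^\s"'<>]*)?""", re.I)


def find_links_to_port(text, port=MYDOOM_AG_PORT):
    """Return every link in the text that points at the given port on a bare IP address."""
    return [m.group(0) for m in LINK_RE.finditer(text) if int(m.group(2)) == port]


def classify_message(body):
    """Combine both checks into a list of human-readable reasons (empty = nothing found)."""
    reasons = []
    for tag, attr, length in find_oversized_tags(body):
        reasons.append(f"oversized {attr} ({length} chars) on <{tag}>")
    for url in find_links_to_port(body):
        reasons.append(f"link to port {MYDOOM_AG_PORT}: {url}")
    return reasons


# Constructed samples: a harmless page, a page carrying an oversized NAME attribute,
# and a mail body of the kind the worm sends (192.0.2.10 is a documentation address).
SAMPLE_BENIGN = '<html><body><iframe src="http://example.invalid/news.htm" name="news"></iframe></body></html>'
SAMPLE_OVERSIZED = ('<html><body><iframe src="http://example.invalid/" name="'
                    + "A" * 4000 + '"></iframe></body></html>')
SAMPLE_MAIL = ("Congratulations! PayPal has successfully charged $175 to your credit card.\n"
               "See the details at http://192.0.2.10:1639/index.htm\n")

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("oversized", SAMPLE_OVERSIZED), ("mail", SAMPLE_MAIL)):
        print(label, classify_message(sample) or ["clean"])
```

Both checks are deliberately narrow so they produce few false positives: a real page never needs a 4000-character frame name, and legitimate mail rarely links to a non-standard port on a raw address. Run over a mail feed, a hit on either rule is a reason to quarantine the message and look at the sending host.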

Tuesday, November 09, 2004

Remember TCP 139 or 445

As I said before, you have to filter these ports. Maybe most of you have done it by now. But you have only stopped outside attacks on SMB by filtering at your gateway (router). What about inside attackers, or dial-up clients who reside inside your network?
... SMB (Microsoft Server Message Block), which forms the basis of Windows File and Print Sharing, is accessible via APIs that can return rich information about Windows systems even to UNAUTHENTICATED users! I have not decided to cover this, and you won't see it anywhere in my weblog, but you should know the defensive method. This is the way I tell you.
Anyway, do the following:
- For Windows NT 4.0 and earlier:
1. Open regedt32 and navigate to HKLM\SYSTEM\CurrentControlSet\Control\LSA
2. Choose Edit > Add Value and enter the following data:
Value Name: RestrictAnonymous
Data Type: REG_DWORD
Value: 1
3. Exit and restart.
- For Windows 2000/XP/.NET:
In the Security Policy, set "Additional restrictions for anonymous permissions" to "No access without explicit anonymous permissions".
There is more configuration for XP/.NET that I will describe later.

Internet Could Soon Reach Breaking Point

Vast amounts of data already cross the internet each day; when you add to that the millions of new users from developing countries, we could soon see the internet struggling to keep up with demand.
That's the warning from Pat Gelsinger, chief technology officer at Intel.
"We're running up on some architectural limitations", Mr Gelsinger told delegates at a recent conference. The 30-year-old network was never designed to cope with the huge amounts of traffic that we see today, and the situation can only get worse unless action is taken.
Computer chip maker Intel is researching possible solutions. One idea is to build an overlay, a new network on top of the existing structure. This system would be able to cope with increased traffic and would better defend against viruses that currently plague web and email users.
Planet Lab, funded by Intel, is a prototype of the new internet and is currently under development. The network connects universities and research labs.

New MyDoom draws on IE flaw to spread

A new version of MyDoom uses an unpatched flaw in Microsoft's Internet Explorer to spread, antivirus companies warned on Monday.
The recently discovered vulnerability in the browser software allows the offshoot to infect a PC after a user clicks on a link, according to advisories from security software makers Symantec and McAfee. The program sneaks past antivirus applications that detect malicious software by scanning e-mail messages with attached programs.
The companies said they had only detected a few instances of the infector, which is labelled MyDoom.AG by McAfee and MyDoom.AH by Symantec.
"We have only received one submission from the field, but the technical aspects of this are concerning," said Craig Schmugar, senior virus research manager at McAfee. "It has all the components there to become a significant virus."

Using Gmail? Read the Small Print if you're a Hacker

If you use your Gmail account to store attachments that contain items typically associated with a hacker's toolbox, be aware that Google may shut down your account. As a thread at addict3d demonstrates, Google will scan your Gmail account for any illeg ...

Monday, November 08, 2004

To Administrators !!!

Just remember to block these ports:
TCP 139 & 445
I'll write later about them and the ways that hackers bypass it. But you have won, my friends: I'll tell you the complete solution.
--

HackerWatch!

HackerWatch collects data from users regarding hacker attacks and other unwanted traffic. Their main goal is to decrease the number of hackers. But they also help computer users protect themselves. HackerWatch has a test that will probe your computer to test how well it can defend itself from hackers. If you ...

Open Letter to Anti-Virus Software Companies

The following letter was provided to us by Chris Mosby, SMS Administrator and MyITforum Security Message Board Moderator. I think many of us can relate to the grief caused by the virus name game described in his letter. Note that the thoughts and opinions in this letter are those of the author and not necessarily those of the Internet Storm Center or the SANS Institute. Thanks Chris.
As we are all aware, it was exactly one week ago today that there was an unusual outbreak of not just one; but three globally spreading variants of the Bagle virus. Now that the smoke has cleared, and security professionals around the world have all had time to reflect on the events of the last seven days; I wanted to write to you on behalf of your customers to let you in on a little secret that we already know. The “Virus Name Game” has gotten out of hand. If you are unaware of what I refer to, I will attempt to explain.
Sometime during the Bagle\Netsky war of earlier this year, your virus variant names got out of synch with other anti-virus software companies. We can understand how that could have happened. There were multiple versions of those viruses coming out every day, with virus writers trying to outdo each other in some childish game of hacker supremacy; and you were dealing with the waves of malware as fast as you could.
When the “virus war” slowed down with the arrest of the author of Netsky, your virus variant names stayed out of synch. Your customers were able to “deal with it” as the new viruses trickled in at their normal pace by working together as a community with resources like the Internet Storm Center (http://isc.sans.org/index.php ), Secunia’s Virus Information page (http://secunia.com/virus_information/ ), VGrep Online (http://www.virusbtn.com/resources/vgrep/index.xml ), MyITforum’s Security message boards (http://myitforum.techtarget.com/forums/default.asp?catApp=2 ), and AntiVirus e-mail list (http://myitforum.techtarget.com/articles/14/view.asp?id=1301 ).
This last Bagle virus outbreak reminded us all what a mess we are in. Since your respective companies have adopted an isolationist attitude and don’t usually share information with other anti-virus software companies, your customers were left with a lot of confusion as to exactly what they were dealing with.
While the new Bagle variants were spreading like wildfire, some companies acknowledged the variants existed; but had no details of what these variants did or what to look for. This did not change even after they raised the threat level of these viruses.
Others provided more detail, but did not match the threat level of other companies since the number of submissions they received from their customers were lower. Their virus variant names were different than other companies, so your customers were left in the dark.
Still other companies had only one or two of these variants listed, with various degrees of detail; and again completely different variant names than other companies, since that was all their customers had submitted to them. This left your customers in the dark again.
For those of your customers that use more than one company's anti-virus product, and I know there are plenty out there; that left them with an even bigger mess than just the virus outbreak. With all of this going on your customers "dealt with it" as they usually do, working together as a community. We sorted through all the information that trickled down to us, or when you felt like letting us know. As usual, we got through it, with some of us showing a few more gray hairs.
I think I can speak for everyone in the security community when I say; "dealing with it" is not acceptable anymore. As the customers that spend money for your products, we should not have to work so hard to figure out if your products are keeping us protected. We know you can do better, and we challenge you to do so. With the increasing problem of spyware, spam, and patch management, we have enough to deal with.
Along those lines, I have a suggestion. Since your business thrives on competition with the other companies out there, then maybe picking a name for a virus should be played as a competition by anti-virus software companies. First we would need a neutral third party you can send virus information to, like the Internet Storm Center or the United States Computer Emergency Readiness Team (US-CERT, http://www.us-cert.gov/ ).
The competition would be that the first company to send the neutral party detailed and accurate information on a virus before any other would be the one to name the virus. This would be what all other companies would have to use in their descriptions from that point on.
However things are fixed might not matter, as long as something is done before things get worse. Work together as a community of security professionals and help out your customers at the same time. With Microsoft soon to be entering the anti-virus software business, we believe it is in your best interest to figure out how to accomplish this and keep your customers better informed about how they are protected.
Thank you for your time and attention,
Chris Mosby
SMS Administrator
MyITforum Security Message Board Moderator

Bin Laden video spreads a worm for 'The Hobbit'

Security experts are warning that an email claiming to contain a video of Osama Bin Laden's reaction to the US election, signed by The Hobbit, contains a worm. Antivirus firm Sophos is warning Internet users not to get duped into opening the attachment because it contains a new variant of the Famus worm.
The Famus worm affects Windows systems and tries to trick users into believing its attached file contains a file – in this case a video – from events relating to the US military. Previous variants purported to contain a spreadsheet with information from the Pentagon and pictures of the Iraq war.
Graham Cluley, senior technology consultant for Sophos said hackers and virus writers will try all kinds of tricks to entice people into running their malicious code.

The lessons of Software Monoculture and Windows Embedded Security

Spotted "The lessons of Software Monoculture" being discussed on the MSTools blog - an article on the SDTimes site that discusses software bugs and hackers from a slightly different perspective - Most discussions around Microsoft software tend to focus on the desktop operating system (no surprise there considering the installed base) - but what about Microsoft "Embedded" operating systems?
Microsoft has two embedded operating systems, Windows CE, and Windows XP Embedded - both have interesting security aspects.
Windows CE - Windows CE is built from the ground up to be a componentized, real-time operating system - the operating system runs on multiple processor cores (x86, MIPS, ARM, SHx) and is built from a totally different code base to the desktop version of Windows. Desktop Windows has three core components, GDI32, User32, and Kernel32 - Windows CE only has two core components, Coredll (can be thought of as "kernel" from the desktop), and GWES (the Graphical and Windowing Event Subsystem), which can be thought of as a combination of GDI and USER on the desktop. Let's assume you are running an x86-based Windows CE device and this device doesn't have any security implemented on the platform [more on this later] - would even a simple x86 desktop application like Notepad run on the Windows CE device? Answer: No, the imports needed to run Notepad do not exist on Windows CE, therefore Notepad won't run - this also means that other desktop applications, worms or viruses also won't run on the Windows CE device.
Is binary incompatibility between the desktop and Windows CE applications sufficient to provide a 'secure' operating system? No, there are additional levels of protection. First, the operating system is componentized, therefore you only include the operating system technologies that your device needs - if you don't need a web server, DCOM, MSMQ or other technologies then you don't include them in your operating system image - but this still doesn't go far enough; you might want to lock down the operating system image even further. Windows CE exposes a kernel level function called OEMCertifyModule - this function is passed the binary image of all executable code (EXE, DLL, OCX) before the executable code is loaded - this gives an OEM the ability to verify the image and assign a level of trust; verification can be through CRC check, digital signature, or whatever mechanism the OEM wants to implement - there are three levels of trust:
Full Trust - The application/DLL can call protected APIs, step into kernel mode etc.
Partial Trust - The application/DLL can only call non-protected APIs; the code can't step into kernel mode, alter thread priorities/quantums etc.
No Trust - The application/DLL isn't loaded into memory.
Add to this 'physical security', applications running on a device can request user validation before allowing certain pieces of code to run, for example - before connecting to the Internet or making a VPN connection to your corporate network or allowing access to local database information a user would be requested to provide authentication information, through PIN/Password or whatever.
Windows CE 5.0 also ships with tools such as PREfast to analyze your C/C++ source and look for potential coding errors, and runtime tools to examine memory load, memory leaks, GDI and Handle leaks.
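An added model of the OEMCertifyModule flow described above (example code, not Microsoft's and not the original author's): a constructed module format with a CRC32 header, an OEM manifest that binds each module's digest to one of the three trust levels with a keyed tag (HMAC standing in for the digital signature the text mentions), and a loader that applies the No/Partial/Full Trust policy. The key, the manifest, the module bytes and the NO_TRUST/PARTIAL_TRUST/FULL_TRUST names are assumptions of this example, not Windows CE constants.

```python
import hashlib
import hmac
import zlib

# Trust levels in the order the text lists them. The names are this example's own;
# they stand in for the values a Windows CE OAL's OEMCertifyModule would return.
NO_TRUST, PARTIAL_TRUST, FULL_TRUST = 0, 1, 2

# Constructed OEM key. On a real device the verification secret or public key lives in
# the OEM adaptation layer; HMAC stands in here for the digital signature the text mentions.
OEM_KEY = b"constructed-oem-key-for-this-example"


def build_image(payload):
    """Constructed module format: a 4-byte CRC32 of the payload, then the payload."""
    return zlib.crc32(payload).to_bytes(4, "little") + payload


def module_digest(image):
    """SHA-256 over the whole image (header included) identifies one exact build."""
    return hashlib.sha256(image).digest()


def sign_manifest_entry(key, image, trust):
    """OEM side: bind a module's digest to a trust level with a keyed tag."""
    digest = module_digest(image)
    tag = hmac.new(key, digest + bytes([trust]), hashlib.sha256).digest()
    return digest, (trust, tag)


def certify_module(key, image, manifest):
    """Device side, modelled on OEMCertifyModule: given the raw bytes of an EXE/DLL/OCX
    about to be loaded, return the trust level the loader should apply."""
    if len(image) < 4:
        return NO_TRUST
    stored_crc = int.from_bytes(image[:4], "little")
    if zlib.crc32(image[4:]) != stored_crc:       # corrupted or tampered image
        return NO_TRUST
    digest = module_digest(image)
    entry = manifest.get(digest)
    if entry is None:                               # code the OEM never certified
        return NO_TRUST
    trust, tag = entry
    expected = hmac.new(key, digest + bytes([trust]), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # manifest entry forged or edited
        return NO_TRUST
    return trust


def load_module(key, image, manifest):
    """Loader policy from the text: No Trust is not loaded at all, Partial Trust runs
    without protected APIs, Full Trust gets everything."""
    trust = certify_module(key, image, manifest)
    if trust == NO_TRUST:
        return None
    return {"trust": trust, "protected_apis": trust == FULL_TRUST}


# Constructed modules: an OEM driver, a third-party application, and uncertified code.
SYSTEM_DLL = build_image(b"constructed bytes of an OEM driver")
APP_EXE = build_image(b"constructed bytes of a third-party application")
UNKNOWN_EXE = build_image(b"constructed bytes of code nobody certified")


def make_manifest(key):
    """Build the manifest an OEM would ship in the image: digest -> (trust, tag)."""
    return dict(sign_manifest_entry(key, image, trust)
                for image, trust in ((SYSTEM_DLL, FULL_TRUST), (APP_EXE, PARTIAL_TRUST)))


MANIFEST = make_manifest(OEM_KEY)

if __name__ == "__main__":
    for name, image in (("system.dll", SYSTEM_DLL), ("app.exe", APP_EXE), ("unknown.exe", UNKNOWN_EXE)):
        print(name, load_module(OEM_KEY, image, MANIFEST))
```

The CRC catches accidental corruption but not a deliberate edit, since an attacker can recompute it; that is why the trust decision rests on the keyed manifest entry rather than on the CRC alone, and why any module absent from the manifest gets No Trust rather than a default of Partial Trust.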
Windows XP Embedded - Windows XP Embedded is based on the same binaries as Windows XP on the desktop - right now Windows XP Embedded is at parity with Windows XP Professional SP1, there's also a Tech Preview of Windows XP Embedded SP2 available for download from the Microsoft/Embedded web site.
Since Windows XP Embedded is based on the same binaries as the desktop, doesn't this mean that Windows XP Embedded is "as secure" as the desktop operating system? There are some aspects of Windows XP Embedded you need to take into account. First, Windows XP Embedded is a componentized operating system [there are about 10,000 components in the Windows XP Embedded operating system catalog; approx 8,000 of these components are drivers, the rest of the components are operating system features] - so componentization is the first aspect of making your device secure: if you don't need an Internet Information Server then leave it out, and if your application doesn't use RPC or DCOM then don't include the components in your operating system image.
[Note that DCOM is an interesting IPC mechanism inside your corporate firewall but is not ideal for "internet" to "corporate network" communication; DCOM uses a number of ports, all of which need to be open on your corporate firewall for this to work - I'd certainly recommend looking at SOAP/Web Services for internet to corporate network communication].
So, a smaller operating system which boots a subset of the desktop services and technologies will offer a smaller surface of attack compared to the desktop version of Windows XP - 3rd parties such as Computer Associates and Trend Micro have anti-virus components for the Windows XP Embedded operating system, add the SP2 Firewall and NX (No eXecute) technologies, and the fact that your device can be locked down to not allow 3rd party applications to be installed and you have a pretty secure device. "NX" is also known as Data Execution Prevention, more information about DEP can be found on the Microsoft Support Site.
Here are some of the updates for Windows XP Embedded SP2
Security and Networking Enhancements—The SP2 Tech Preview includes the new Windows Firewall. This component enables device builders to configure the firewall by opening and closing certain ports (based on the network topology that the device will be deployed to). Additionally, inbound connections are not permitted by default. The Technology Preview also includes a hardened Internet Explorer that enables more reliable browsing through stronger security profiles. Finally, partners such as Computer Associates and Sygate offer supported anti-virus and network protection clients for Windows XP Embedded.
Enterprise-class Manageability—Easily integrate your Windows XP Embedded-based devices into pre-existing network infrastructures, by using Microsoft-wide management technologies such as Software Update Services (SUS) and Systems Management Server 2003 (SMS). SUS enables automatic scanning and deployment of Microsoft-issued security updates on Windows XP Embedded-based devices. SMS enables you to update your line-of-business application. Choose the technology that's right for your device.
New Features for Innovation—Build powerful multimedia appliances using DirectX 9.0c capabilities. Integrate your device into a broader array of networking infrastructures by implementing Bluetooth support. Enable your device to boot quickly using our new faster boot technology.
Want more information about Windows CE and Windows XP Embedded Security ? - Take a look at the Windows Mobile and Embedded Security Site.
Perhaps one of the upcoming "MSDN Get Embedded" article should focus on Windows CE and security - let me know what you think...
- Mike
hackersToday 1:41 AM