
Weekly Summary of the "DHS Daily Open Source Infrastructure Report"

Old 06-28-2009

The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered. This weekly summary provides a selection of those items of greatest significance to the InfoSec professional.

 

Week Ending:  Friday, June 26, 2009


Are you ready to adopt a Microsoft antivirus service - It is free?

37. June 18, CNET News - (International) Microsoft's free antimalware beta on the way. Microsoft will launch a public beta of its anti-malware service, Microsoft Security Essentials, on June 23 as it phases out its Live OneCare suite in favor of a simpler free consumer security offering. Microsoft Security Essentials, which will run on Windows XP, Vista, and Windows 7, will be available in the U.S., Brazil, and Israel in English and Brazilian Portuguese. A public beta version for Simplified Chinese will be available later in the year. The service works like traditional antivirus products in which client software monitors programs on a PC. When something changes on the computer, such as files being downloaded or copied or software trying to modify files, the system checks against a set of malware signatures in the client program to see if the code matches the signature for known malware. If so, it blocks it from getting downloaded. If no signature match is found, the system will ping the server-based Dynamic Signature Service to see if any new signatures are available and, if so, it removes the malware. If it appears to be new malware, the Dynamic Signature Service may request a sample of the code in order to create a new signature. The service updates its anti-malware database constantly and publishes new antivirus signatures to Microsoft Update three times a day, the general manager of Microsoft's Anti-Malware team said in an interview on June 18. Source: http://news.cnet.com/8301-1009_3-10268040-83.html


It looks like Google may be on our side!

30. June 19, Baltimore Examiner - (International) Google's online security helps fight malware. Google's online security recently started to identify web pages that infect computers via drive-by downloads, i.e. web pages that attempt to exploit their visitors by installing and running malware automatically. During that time they have investigated billions of URLs and found more than three million unique URLs on over 180,000 web sites automatically installing malware. Third-party content is one avenue for malicious activity. Today, a lot of third-party content is due to advertising. In Google's analysis, they found that on average 2 percent of malicious web sites were delivering malware via advertising. The underlying problem is that advertising space is often syndicated to other parties who are not known to the web site owner. In addition, Google's security team also investigated the structural properties of malware distribution sites. Some malware distribution sites had as many as 21,000 regular web sites pointing to them. It was also found that the majority of malware was hosted on web servers located in China. Interestingly, Chinese malware distribution sites are mostly pointed to by Chinese web servers. Google says they are constantly scanning their index for potentially dangerous sites. Their automated search systems found more than 4,000 different sites that appeared to be set up for distributing malware by massively compromising popular web sites. Source: http://www.examiner.com/x-11905-SF-Cybercrime-Examiner~y2009m6d19-Googles-online-security-helps-fight-malware


Is there a “Gumblar” in your future?

32. June 2, CNET News - (International) Thought the Conficker virus was bad? Gumblar is even worse. ScanSafe, a computer security firm, has been tracking the progress of the worm since its arrival on the scene in March, according to CNET. Originally, the attack spread through infectious code that was planted in hacked Web sites and then downloaded malware from the gumblar.cn domain on to victims' computers. But that was just the opening salvo. As Web site operators cleaned their pages of the code, Gumblar replaced the original material with dynamically generated Javascript (Web site code that is created on the spot instead of being completely determined beforehand - a key element of Web apps like Gmail) that is much harder for security software to detect and remove. The evolved version also went about adding new domains to the list of sources for downloading its malware payload, including liteautotop.cn and autobestwestern.cn, and began exploiting security holes in Flash and Adobe Reader. The worm also searches out credentials for FTP servers (a method for uploading files to a Web site) on a victim's computer, using them to infect additional Web sites. It is not clear how many sites Gumblar has infected, but security firms seem to agree that it accounts for about 40 percent of all new malware infections right now. According to ScanSafe in just the first two weeks of May over 3,000 Web sites were compromised and spreading the worm. Most sites have been quick to clean up the infections as best they can, but, even if all the infected pages were removed, Gumblar would still have an army of infected PCs to inflict further damage. Source: http://www.switched.com/2009/06/02/t...-meet-gumblar/

Are you prepared for exploits of the Microsoft “DirectShow” bug?

33. June 22, Computerworld - (International) Exploits of unpatched Windows bug will jump, says Symantec. An exploit of a still-unpatched vulnerability in Microsoft Windows XP and Server 2003 has been added to a multi-strike attack toolkit, Symantec said recently, a move that may mean attacks will increase soon. According to Symantec, an in-the-wild exploit of the DirectShow bug, which Microsoft acknowledged a month ago, has been added to at least one Web-based attack kit. “This will likely lead to wide-spread use in a short time,” said a researcher with Symantec's security response group, in an entry posted to the company's blog on June 19. Microsoft has not yet issued a fix for the DirectShow bug, which affects Windows 2000, XP and Server 2003, but not the newer Windows Vista or Server 2008. The flaw also does not affect the not-yet-released Windows 7. However, attacks leveraging the bug have been tracked since May, when Microsoft issued a security advisory and confirmed it had evidence of “limited, active attacks.” Unlike other recent exploits of Microsoft zero-days, vulnerabilities that have not been patched by the time attack code surfaces, the DirectShow attacks are not targeting specific individuals or organizations. “This is not a targeted attack, but is one of limited distribution,” a senior research manager with Symantec, said in a telephone interview. What caught researchers' attention, added the manager, was that the DirectShow exploit piggybacked on a run-of-the-mill phishing attack. It is becoming more common that a phishing site, in this case a bogus log-in page for Microsoft's Windows Live software, also hosts malware that tries to hijack PCs. Source: http://www.computerworld.com/action/...icleId=9134645


Something we have known for decades. Why can't we convince senior management?

35. June 24, MXLogic - (International) CISOs see insiders as greatest ‘human threat' to data security. The vast majority of chief information security officers surveyed at a CISO summit in June said that insiders are the greatest human threat to data security, while only 18 said they are concerned about threats from external sources such as cybercriminals and corporate spies. The survey by NetWitness Corporation and MIS Training Institute revealed that 80 percent of CISOs and CSOs feel insiders are the greatest human threat. A conference director at MIS Training Institute said the survey findings are “alarming,” in that there is a “misperception that traditional security approaches alone can protect against information leaks and that some CISOs were not sure what they need for data protection or were not planning to focus any money in that area this year.” Although CISOs are at least thinking about insider threats, another recent survey of business managers found that executives seemingly do not think about insider threats to data security from ex-employees. A Courion Corporation survey revealed that 93 percent of business managers are confident that terminated employees pose no risk to their network security, even though many have limited knowledge of the systems to which their employees have access. Source: http://www.mxlogic.com/securitynews/...ecurity132.cfm


An innovative virus distribution mechanism. Are you blocking it?

28. June 23, Red Condor - (International) Red Condor's Spam Trip Wire detects new virus. Red Condor's Spam Trip Wire feature instantly detected and blocked a new email virus campaign designed to scare email users with bogus legal action for activities including illegal music downloads. The virus campaign detected on June 22 calls attention to users' supposed recent activity at sites commonly used to share and download copyrighted movies, music and software. The email content threatens recipients with legal action and includes a link to a “log report” that is actually a virus executable. Red Condor created a filtering rule and distributed the added security to its security appliance and hosted service customers around the world. Source: http://www.enterprise-security-today...story_id=67361

Note: The DHS only maintains the last ten days of their reports online. To obtain copies of earlier reports or complete summaries, go to:
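The two-tier lookup that item 37 describes (check the local signature set first, consult the server-side Dynamic Signature Service only on a miss, then keep the new signature locally) as an added Python illustration. This is not code from the DHS report, CNET, or Microsoft; the "signatures" are plain SHA-256 digests of constructed byte strings, the sample files and signature names are made up, and the service is an in-memory dictionary standing in for a network API.

```python
"""Toy model of a local-signature-then-cloud-lookup antivirus flow.
Added example; not the DHS report's or any vendor's code. Signatures are
SHA-256 digests of constructed bytes (real products use far richer
patterns), and the 'service' is an in-memory dict, not a real endpoint."""
import hashlib
from typing import Callable, Dict, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Content digest used as the toy 'signature'."""
    return hashlib.sha256(data).hexdigest()


# Constructed samples: harmless byte strings standing in for files on disk.
SAMPLE_FILES: Dict[str, bytes] = {
    "report.pdf": b"%PDF-1.4 constructed benign document",
    "invoice.exe": b"MZ constructed-sample-A",
    "update.exe": b"MZ constructed-sample-B",
}

# Local signature database shipped with the client (hypothetical entries).
LOCAL_SIGNATURES: Dict[str, str] = {
    sha256_hex(SAMPLE_FILES["invoice.exe"]): "Constructed.Sample.A",
}

# Stand-in for the server-side Dynamic Signature Service (hypothetical entries).
REMOTE_SIGNATURES: Dict[str, str] = {
    sha256_hex(SAMPLE_FILES["update.exe"]): "Constructed.Sample.B",
}


def remote_lookup(digest: str) -> Optional[str]:
    """Simulated round trip to the signature service."""
    return REMOTE_SIGNATURES.get(digest)


class Scanner:
    def __init__(self, local: Dict[str, str],
                 lookup: Callable[[str], Optional[str]]) -> None:
        self.local = dict(local)      # copy so the module-level table stays pristine
        self.lookup = lookup
        self.remote_queries = 0       # how often the service was consulted

    def scan(self, data: bytes) -> Tuple[str, Optional[str]]:
        """Return ('blocked', name) on a signature hit, else ('allowed', None)."""
        digest = sha256_hex(data)
        if digest in self.local:
            return ("blocked", self.local[digest])
        # Local miss: ask the service, and cache whatever it answers so the
        # next encounter with the same content is decided without a round trip.
        self.remote_queries += 1
        name = self.lookup(digest)
        if name is not None:
            self.local[digest] = name
            return ("blocked", name)
        return ("allowed", None)


def scan_files(files: Dict[str, bytes]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Scan every sample with a fresh scanner and return the verdict per file."""
    scanner = Scanner(LOCAL_SIGNATURES, remote_lookup)
    return {name: scanner.scan(data) for name, data in files.items()}


if __name__ == "__main__":
    for name, (verdict, sig) in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {verdict}" + (f" ({sig})" if sig else ""))
```

The point of the cache step is the one the item makes about update cadence: a client that remembers what the service told it stops depending on the next scheduled signature push for content it has already seen, while anything with no match anywhere is still allowed, which is the gap that a sample submission and a new signature are meant to close.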

