
Weekly Summary of the "DHS Daily Open Source Infrastructure Report"

 
07-18-2009

This week's set of DHS reports makes it clear to me that information security professionals worldwide should be reading the report every day or the synopsis published at http://dhs-daily-report.blogspot.com/.  Should you have your doubts, read the following weekly summary and determine whether you are up-to-date on each of the items discussed.

The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered.  This weekly summary provides a selection of those items of greatest significance to the InfoSec professional.

 

Week Ending:  Friday, July 17, 2009


Do you allow Twitter?  If you do, you should read the following!

42. July 10, IDG News Service - (International) Twitter suspends accounts of users with infected computers. Twitter is suspending the accounts of some users whose computers have fallen victim to a well-known piece of malicious software that has targeted other sites such as Facebook and MySpace. The malware, Koobface, is designed to spread itself by checking to see if a person is logged into a social network. It will then post fraudulent messages on the person's Twitter account trying to entice friends to click the link, which then leads to a malicious Web site that tries to infect the PC. The popular microblogging service has had a strong impact as a new communication platform. But it is also being targeted by fraudsters and hackers, who are using it as a way to infect people's PCs with malicious software. Twitter is the latest site to be targeted by a Koobface variant, said a senior security advisor for Trend Micro. Other sites have included Bebo, Hi5, Friendster and LiveJournal, according to the U.S. Computer Emergency Readiness Team. Source: http://www.pcworld.com/businesscente...computers.html


Have you applied Microsoft's July patches?  No!  Perhaps you should reconsider.

40. July 13, Computerworld - (International) Researcher says IE bug could spread quickly. A critical ActiveX vulnerability used by hackers to exploit Microsoft Corp.'s Internet Explorer browser is a prime candidate for another Conficker-scale attack, security experts said. On July 6, just hours after security companies reported that thousands of compromised sites were serving up exploits, Microsoft acknowledged the flaw in the ActiveX control that can be accessed using IE. The bug has been used by hackers since at least June 9. Microsoft said it will issue a patch for the flaw on July 14. The vulnerability “exposes the whole world and can be exploited through the firewall,” said the chief research officer at security software vendor AVG Technologies USA Inc. “That's better than Conficker, which mostly did its damage once it got inside a network.” Conficker exploited a Windows flaw that Microsoft had thought dire enough to fix outside its usual update schedule in October 2008. The worm exploded into prominence in January, when a variant infected millions of machines that remained unpatched. Microsoft confirmed the latest flaw shortly after security researchers at Danish firms CSIS Security Group AS and Secunia said that thousands of hacks of legitimate Web sites over the July 4 weekend had exploited the bug. The hackers took advantage of the bug to reroute users to a malicious site, which in turn downloads and launches a multiexploit hacker tool kit. Source: http://www.computerworld.com/s/artic...?taxonomyId=17


Could a similar attack be successful in the private sector?

28. July 13, Softpedia - (International) DDoS worm starts damaging infected systems. The malware responsible for the recent denial of service attacks against many U.S. and South Korean government and commercial websites has received an update to damage the computers it infected. Starting on July 10, the worm began to rewrite HDD Master Boot Records (MBR), leaving the zombie computers unbootable. Recently, it was reported that serious distributed denial of service (DDoS) attacks had affected the stability of many websites operated by large organizations or the governments of the United States and South Korea. Experts later concluded that a botnet of over 60,000 computers, infected with an updated Mydoom variant, had been used to launch the attacks. Security researchers from FireEye warn that, even though the DDoS has stopped, the impact of this malware might prove to be a lot bigger. Everything started with a DDoS component being shipped to computers infected with a particular strain of Mydoom, a worm dating back to the beginning of 2004. The attackers planned for the DDoS to start on July 4 (Independence Day) and to end on July 10. The worm drops a file called mstimer.dll and loads it as a Windows service named “MS Timer Service.” The purpose of this component is to check the date and, if it matches July 10, to execute yet another file, called wversion.exe. Originally, wversion.exe contained instructions to uninstall the timer service, suggesting that its authors intended for it to self-destroy. However, a malware researcher at FireEye explains that another, much more destructive version of wversion.exe was deployed shortly before July 10. The new version features a three-step plan to destroy data on the infected computers. First, it rewrites 512 bytes of every hard disk in the system, not only the one used to boot from. The first 512 bytes of a hard disk are used to store the Master Boot Record and Volume Boot Record, which are employed to store information about the file system and partitions. The new data written over the MBR and VBR includes a string reading “Memory of the Independence Day.” The second destructive step targets the personal files and documents stored on the hard disks. The component searches for files with one of 37 extensions, including .pdf, .doc, .ppt, and proceeds to compress and password-protect every one of them. Source: http://news.softpedia.com/news/DDoS-...s-116551.shtml


And, just how safe is your BlackBerry today?

38. July 14, The Register - (International) BlackBerry update bursting with spyware. An update pushed out to BlackBerry users on the Etisalat network in the United Arab Emirates appears to contain remotely-triggered spyware that allows the interception of messages and emails, as well as crippling battery life. Sent out as a WAP Push message, the update installs a Java file that one curious customer decided to take a closer look at, only to discover an application intended to intercept both email and text messages, sending a copy to an Etisalat server without the user being aware of anything beyond a slightly excessive battery drain. It was, it seems, the battery issue that alerted users to something being wrong. Closer examination seems to indicate that all instances of the application were expected to register with a central server, which could not cope with the traffic - thus forcing all the instances to repeatedly attempt to connect while draining the battery. A more phased reporting system might have escaped detection completely. The update is labelled: “Etisalat network upgrade for BlackBerry service. Please download to ensure continuous service quality.” The signed JAR file, when opened, reveals an application housed in a directory named “/com/ss8/interceptor/app”, which conforms to the Java standard for application trees to be named the reverse of the author's URL. No one from Etisalat, RIM, or SS8 is saying anything about the issue, despite the fact that the application appears remarkably difficult to remove. Source: http://www.theregister.co.uk/2009/07...erry_snooping/


Have you applied the latest Microsoft patches?  If not, perhaps you should!

39. July 15, Enterprise Security Today - (International) Researchers rate all six Microsoft patches as critical. Microsoft on July 14 released six bulletins as part of its monthly patch cycle. Three of the bulletins cover critical flaws, including two unpatched zero-day vulnerabilities. Three other bulletins address important risks that security researchers said can quickly escalate to critical. The CTO of Qualys said Microsoft's advisories should be addressed immediately because they allow an attacker to take complete control of a victim's computer. Microsoft proxy server ISA 2006 has a vulnerability rated as important that allows remote unauthenticated users to access the server. However, paired with a knowledge of the administrator's username, attackers can take full control of the server. Because administrator usernames are often easy to guess, the CTO said, this vulnerability deserves special attention if IT organizations are using ISA with the Radius configuration. Likewise, MS09-030 is an advisory for the Publisher component in the MS Office 2007 suite rated as important, but can be used to take full control of a system if the victim is logged in as administrator. If an organization uses Publisher or has it installed as part of Office 2007, this should be treated as critical as well, the CTO said. Source: http://www.enterprise-security-today...story_id=67785

Note:  The DHS only maintains the last ten days of their reports online.  To obtain copies of earlier reports or complete summaries, go to:
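
As an added example (not code from the DHS report, FireEye or this post), the following Python shows the kind of first-sector check a defender could run against a disk image after reading item 28 above: it validates the MBR boot signature, parses the partition table, and looks for the marker string the report says the wiper writes over the MBR and VBR. The two sample sectors are constructed here, and the function names are my own.

```python
"""Defender-side check for the MBR overwrite described in item 28 (added example,
not code from the DHS report or the post). Reads the first 512-byte sector of a
disk image, validates the 0x55AA boot signature, parses the partition table and
looks for the marker string the report says the wiper writes over the MBR/VBR."""
import struct

SECTOR = 512
MARKER = b"Memory of the Independence Day"  # string quoted in the report
BOOT_SIGNATURE = b"\x55\xaa"                # last two bytes of a valid MBR


def inspect_mbr(sector: bytes) -> dict:
    """Return findings for one 512-byte sector."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    # Four 16-byte partition entries start at offset 446 (0x1BE).
    for i in range(4):
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type byte 0 means the slot is unused
            partitions.append({"bootable": entry[0] == 0x80, "type": entry[4],
                               "start_lba": start_lba, "sectors": count})
    sig_ok = sector[510:512] == BOOT_SIGNATURE
    marker = MARKER in sector
    return {"boot_signature_ok": sig_ok, "marker_found": marker,
            "partitions": partitions, "suspicious": marker or not sig_ok}


def inspect_image(path: str) -> dict:
    """Read the first sector of a disk image (or a raw device, given permission)."""
    with open(path, "rb") as fh:
        return inspect_mbr(fh.read(SECTOR))


def make_clean_mbr() -> bytes:
    """Constructed sample: one bootable NTFS-type (0x07) partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    return bytes(446) + entry + bytes(48) + BOOT_SIGNATURE


def make_wiped_mbr() -> bytes:
    """Constructed sample of an overwritten first sector: marker text, no signature."""
    return (MARKER + b"\0" * SECTOR)[:SECTOR]
```

A sector that carries the marker, or whose last two bytes are not 0x55AA, is flagged; a clean sector still yields its partition entries for cross-checking against the live partition table.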


 
