
Monthly Archives: December 2006

Trend Micro is warning about a new virus that is circulating by email. The worm, called Nuwar.ay, arrives as a mass-mailed message with the subject "Happy New Year". It drops a copy of itself in the Windows system folder. Like many successful viruses, it has its own email engine, so users of infected machines have no idea they are infected: the messages it sends never show up in their email software (e.g., Outlook, Outlook Express).

Once running, the virus

  • terminates various processes that are used for detection and prevention of infection,
  • steals addresses from the infected machine's Windows Address Book,
  • sends out emails with spoofed sender addresses, bearing a fixed set of common names,
  • modifies the registry to disable the Internet Connection Sharing and Windows Firewall service, and
  • modifies the registry to add the infection executable so that it starts every time the machine starts.
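The last two bullets are the changes a defender can check for on a suspect machine. The following is an added example, not code from the original post or from Trend Micro: it parses a text registry export in the layout produced by `reg export` (already decoded from UTF-16 to text) and reports any Run-key entry missing from a known-good baseline, plus the Windows Firewall/ICS service (named SharedAccess on Windows XP) set to start type 4, which is "disabled". The export text, the `winsvc32` entry and the baseline are all constructed for the example and are not real indicators.

```python
"""Added example (not from the post or Trend Micro): triage a reg-export
text for the two registry changes described above.

- unexpected values under HKLM\...\CurrentVersion\Run (persistence)
- SharedAccess service (Windows Firewall/ICS on XP) with Start=4 (disabled)
"""
import re

# Constructed sample export. "winsvc32" and the disabled SharedAccess
# service are invented for illustration and are not real indicators.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"winsvc32"="C:\\WINDOWS\\system32\\winsvc32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

# Constructed baseline: Run values present on the machine when it was clean.
KNOWN_RUN_VALUES = {"ctfmon.exe"}

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SHAREDACCESS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
SERVICE_DISABLED = 4  # Win32 service start type SERVICE_DISABLED

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value_text}} from reg-export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def decode_value(raw):
    """Decode the two encodings used here: dword:hex and quoted REG_SZ.

    reg export doubles backslashes inside REG_SZ values; undo that."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    return raw


def find_findings(text, known_run_values=KNOWN_RUN_VALUES):
    """Return a list of (finding, name, value) tuples for the export text."""
    keys = parse_reg_export(text)
    findings = []
    for name, raw in keys.get(RUN_KEY, {}).items():
        if name not in known_run_values:
            findings.append(("unexpected_run_entry", name, decode_value(raw)))
    start = keys.get(SHAREDACCESS_KEY, {}).get("Start")
    if start is not None and decode_value(start) == SERVICE_DISABLED:
        findings.append(("firewall_service_disabled", "SharedAccess", SERVICE_DISABLED))
    return findings


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_EXPORT):
        print(finding)
```

On a real machine the input would come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and the matching Services key, and the baseline would be taken from a clean build rather than typed in. A Run entry that is merely unfamiliar is a lead to investigate, not proof of infection.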

Anti-virus company Sophos adds that the variant they have observed

"includes functionality to access the internet and communicate with a remote server via HTTP."

This has additional infection implications, since a machine that can reach a remote server is not limited to whatever arrived in the original email.

Some anti-virus companies have been pretty quick to post new definitions, but I worry about all those brand new Christmas PCs that may fall prey because they don't have their anti-virus configured, even though most new PCs come with some sort of trial anti-virus.

We’ll keep an eye on this, as there is an expectation that infection rates will be pretty high.

It was bound to happen very soon. It has. A few days ago, we mentioned that MS was watching new vulnerabilities in Windows (just in time for Christmas) because of published proof-of-concept code. This potentially affects all current versions of Windows, including Vista. Ack! MS enacted their Emergency Response Process and vowed to keep an eye on this.

Unfortunately, another vulnerability has been brought to light, with the public posting of an exploit. This vulnerability allows a Denial of Service (DoS) through a buffer overflow in the Workstation service. By sending specific data, an attacker can affect currently patched Windows XP and 2000 operating systems. At present, this looks to only provide a DoS.

No word from MS on this vulnerability, but since exploiting it requires access to TCP ports 139 and 445, it is thought a response will be slow. Traditionally, security sources recommend blocking these ports at a firewall.

Get this: there are a lot of emails being circulated with links to objects on MySpace. But before getting there, you are prompted to "confirm your password". Thinking the session has just been "dropped", you enter your password again. You have just fallen prey to the most recent phishing scam.

"One recent scam works this way: A spammer posts a number of phony profiles featuring pictures of cute women, often promising nude photos. A "friend request" with the woman’s photo is sent to hundreds of users.

Once the fake profile loads, a blue screen descends, saying the profile is protected by the "MySpace Adult Content Viewer." Unsuspecting users who try to download the viewer instead get a worm that installs adware on their computers." – MSNBC

These programs are not only dumping spyware/malware, but also stealing passwords. And with that, they are stealing everything you (and your friends) have shared with MySpace "friends".

OSG Recommendations: Always treat emails with links carefully; even if they come from a "friend". This type of social engineering is way too common. And always be careful when publishing your private information on the Internet. It’s called "private information" for a reason :o)

This time of year tends to make us less suspicious about the people out there that may intend to harm us. After all, this is the season of "giving". Well, be careful about what someone may be giving you…

This is from F-Prot:

We’ve just received a sample of something that’s called CHRISTMAS.EXE. When run, this IRCBot variant will try to download various malicious executables from web servers at waiguadown.008.net and user.free.77169.net.

There's also a PowerPoint (.ppt) file floating around that is virus-infected.

Both of these are relatively new. Many of the anti-virus vendors were seemingly caught with their eggnog; most are not detecting these.

Responding to a publicly posted proof of concept for a vulnerability in currently supported versions of Windows (Win2k, XP, Win2k3, and Vista), MS has circled the wagons to find out exactly what this means. At first look, MS indicates that in order to take advantage of this vulnerability, an attacker would first have to be authenticated; once so, privileges can be elevated. It should be pointed out that, thus far, this only looks to be local to the system. The impact on domains and shared network authentication could be serious if an attack were successful. MS is quick to point out that there are no known exploits (yet), but assures that they are keeping a watchful eye on this regardless of its being the holiday season.

RECOMMENDATIONS: OSG recommends the use of strong passwords, even for your home PCs. Furthermore, several layers of protection are necessary (software firewalls, hardware firewalls/routers, anti-virus with CURRENT definitions, anti-spyware with CURRENT definitions).

Late yesterday, the Mozilla Foundation released 9 security advisories about vulnerabilities affecting all products based on Mozilla. These are MFSA 2006-68 through MFSA 2006-76. Most of these vulnerabilities have a critical impact that may allow execution of code (including software installation) without the permission, and potentially without the knowledge, of the user. Other potential impacts include crashes. Affected software includes (but is not limited to) the popular Firefox and Thunderbird applications. CERT recommends upgrading to the newest version to patch the vulnerabilities, or implementing the workarounds described by Mozilla. We think it's just best to upgrade. The newest version of Firefox is 2.0.0.1. For Thunderbird, it's v1.5.0.9.

See http://www.mozilla.org/security/ for more information.

Websense has posted information about a Trojan that is attacking Skype. Originally, they thought this was based on a hole in Skype, but it turns out that the Trojan code is accessing the Skype API as designed. Websense has corrected their post, but this is still a threat to users. It appears, though, that this requires user intervention to deliver the Trojan and execute it.

The OSG Take: As always, we encourage users to be sure that files coming to them from any method (web page, email, chat/IM/Voice programs, etc) are ones that are intended, and from someone they know.

Apple has released a security update for QuickTime for Java and Quartz Composer. This is a completely different problem from the one involving the media files on MySpace.

Students, applicants, and faculty alike have been the latest victims of successful hack attacks against several universities in the U.S., the most recent being UCLA. According to a report by the Associated Press, this breach went undetected for over a year. Other schools mentioned as having detected breaches were the University of Texas, Georgetown University, Ohio University, the University of Alaska, and Western Illinois University. It was suggested there were others. You can see a recent FBI release here.

UCLA has notified those persons recorded in their databases, since they were potentially exposed to identity theft. Although UCLA has notified the FBI, don't assume that anyone is watching or will catch identity fraud involving your data. It would be prudent for YOU to take every measure possible to protect yourself.

If you think you have been a victim of this (or any kind of) "cyber crime" anywhere, you can make a report at the Internet Crime Complaint Center (IC3), a joint venture of the FBI and the National White Collar Crime Center.

Windows versions of Symantec Antivirus 10.0 and 10.1 and Symantec Client Security 3.0 and 3.1 are being exploited again, and this time it's huge. Some history: in May 2006, a remote vulnerability was discovered by eEye. Symantec released a patch almost 3 weeks later. It probably would have stopped there, but as recently as late November 2006, a sample worm capable of self-propagation was discovered exploiting this vulnerability. There were many warnings about this (including by us), yet there are still a bunch of unpatched versions out there. As recently as yesterday, eEye has "detected a new worm that is actively exploiting a remote Symantec vulnerability".
 
Looking at the analysis, it appears that the first thing the worm does is disable MS updates. It then replaces the DLL for MS updates with its own version. Among some other (technical) things, the worm then connects to IRC (Internet Relay Chat) channels and waits for commands to execute. It has also been observed downloading executables from an FTP site. The first uses that come to mind for such executables are:
  • implanting other nefarious software
  • turning your PC into a computer "zombie" to spam/attack anyone they want, posing as you!
  • stealing your personal information (email addresses, passwords, bank account info, etc.)
  • recording information you type
  • searching for other vulnerable machines to exploit
  • literally whatever they want to do, as if they were sitting at your desk

eEye's research has found over 71,000 accesses to the FTP site in a 24-hour period, suggesting a pretty wide infection already. SANS.org has noticed a major increase in access attempts on one of the ports used by the worm.
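The spike SANS noticed is something you can look for in your own firewall logs, and the same check covers the advice earlier on this page to watch TCP 139 and 445. The following is an added example, not code from the post, eEye or SANS: it reads firewall log lines in the column order of the Windows XP firewall log (pfirewall.log: date, time, action, protocol, source IP, destination IP, source port, destination port, ...), counts TCP attempts against the watched ports, and lists the sources that exceed a baseline count. The log lines and addresses are constructed for the example; the threshold is a placeholder to be set from your own normal traffic.

```python
"""Added example (not from the post, eEye or SANS): count inbound attempts
against TCP 139/445 in firewall log lines and flag sources above a baseline.

The lines below are constructed, laid out in the Windows XP firewall log
(pfirewall.log) column order:
  date time action protocol src-ip dst-ip src-port dst-port ...
"""
from collections import Counter

# Ports named earlier on the page as the ones that need to be reachable.
WATCHED_PORTS = {139, 445}

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-12-20 09:00:01 DROP TCP 192.0.2.10 192.168.1.5 1025 445 48 S 1 0 65535 - - - RECEIVE
2006-12-20 09:00:02 DROP TCP 192.0.2.10 192.168.1.5 1026 445 48 S 2 0 65535 - - - RECEIVE
2006-12-20 09:00:02 DROP TCP 192.0.2.10 192.168.1.5 1027 139 48 S 3 0 65535 - - - RECEIVE
2006-12-20 09:00:03 DROP TCP 192.0.2.10 192.168.1.5 1028 445 48 S 4 0 65535 - - - RECEIVE
2006-12-20 09:00:05 DROP TCP 192.0.2.10 192.168.1.5 1029 445 48 S 5 0 65535 - - - RECEIVE
2006-12-20 09:01:10 DROP TCP 198.51.100.7 192.168.1.5 2048 445 48 S 6 0 65535 - - - RECEIVE
2006-12-20 09:01:12 OPEN TCP 192.168.1.5 192.0.2.99 3000 80 - - - - - - - - -
2006-12-20 09:01:15 DROP UDP 192.0.2.10 192.168.1.5 137 137 78 - - - - - - - RECEIVE
"""


def parse_log(text):
    """Yield (action, protocol, src_ip, dst_port) for each data line.

    Header lines start with '#'; malformed lines are skipped rather than
    allowed to abort the whole pass over a large log."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 8:
            continue
        try:
            yield parts[2], parts[3], parts[4], int(parts[7])
        except ValueError:
            continue


def count_watched_attempts(text, watched=WATCHED_PORTS):
    """Return (attempts per watched port, attempts per source IP).

    Dropped and accepted connections both count: the interesting signal is
    how many times a peer tried, not whether the firewall let it through."""
    per_port, per_src = Counter(), Counter()
    for _action, proto, src, dport in parse_log(text):
        if proto == "TCP" and dport in watched:
            per_port[dport] += 1
            per_src[src] += 1
    return per_port, per_src


def noisy_sources(text, threshold=3, watched=WATCHED_PORTS):
    """Sorted source IPs with more than `threshold` attempts on watched ports.

    `threshold` is a placeholder; derive it from the host's normal traffic."""
    _, per_src = count_watched_attempts(text, watched)
    return sorted(src for src, n in per_src.items() if n > threshold)


if __name__ == "__main__":
    ports, sources = count_watched_attempts(SAMPLE_LOG)
    print("attempts per port:", dict(ports))
    print("attempts per source:", dict(sources))
    print("noisy sources:", noisy_sources(SAMPLE_LOG))
```

Run it against a real pfirewall.log by reading the file into `SAMPLE_LOG`'s place; a single internal host that suddenly hammers 445 across the subnet is the pattern to escalate, since the worm scans for further machines to infect.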

A noteworthy observation is that many of the other popular anti-virus products (including my favorite!!!!!) fail to recognize this for what it is, according to SANS.org. I should point out, though, that a machine with these other anti-virus products isn't going to also have Symantec Anti-Virus. Nonetheless, I'd expect to see most anti-virus vendors updating their definitions soon.

Symantec’s suggestion to all this is to patch the vulnerable Symantec software ASAP. Click here.