
Monthly Archives: July 2007

We’ve noticed a new spam method coming in. These are .zip files that apparently contain stock quotes. What makes these troublesome is that some spam filters are not recognizing the messages as containing attachments. Spam aside, the greater concern is the method being used to send them. If (really, when) virus writers figure this out, attacks can be sent to users as .exe’s, .vbs files, or .bat’s. This is huge.
 
We’ll be keeping an eye on this and will update on any findings, should this get worse.

There is a Mother’s Day, a Father’s Day, a Valentine’s Day, and a Sweetest Day. There is also Secretaries’ Day and sundry other Hallmark holidays. It’s time that we Admins be recognized for the daunting tasks we take on to support users who clicked on that email link for the eCards; who installed P2P software on their laptop for music and brought it to the work network with all that nasty malware; who waited until 4:59 PM on a Friday afternoon to try to print that 154 page proposal!!! Yes, the job we do gets very little attention; unless something is wrong.

Luckily, someone decided that the time had come to give us the props we deserve, and we get it one day a year. That day is today. Today is ; the 8th annual.

In honor of the unappreciated


Hug an Admin today! Those looking for gift ideas for me can find them .

Happy SysAdmin Day!

You’ve seen the commercial about the Mac with PC, discussing the "features" of a Mac vs. the "flaws" of the PC. There’s a bunch of them, including the one where the Mac talks about how much more secure it is than the PC. Apple fans have contended that for years.

Well, we’ve seen a lot of hype about the iPhone and the same kind of marketing attacks on Pocket PCs and Blackberries. There’s been so much in-your-face marketing that I’ve been expecting a mobile version of the PC/Mac commercials. But Apple has been casting so many stones from inside that glass house that they’ve lost track of where they stand, and they now find themselves in vulnerability/exploit Hell; like everyone else.

The first day there were stories about privacy concerns for iPhone users and the information held on the device. There were other concerns about the iPhone MobileSafari browser and a flaw that allows an attacker to steal "any and all data on the iPhone", according to a story on .

In another debacle, the iPhone was found to cause denial-of-service conditions on Cisco wireless networks, like the one at Duke University.

A single iPhone was powerful enough to cause the problem, and there are 100 to 150 of them registered on the network, Cannon said. Network administrators have noticed the problem nine times in the past week.

Cisco released a fix for its products to lessen the condition caused by an iPhone. I’m sure that Apple is looking at their processes as well. But with the iPhone having been out only a very short time, they sure aren’t having a very good go at being different. I’d expect security researchers to keep a very close eye on the iPhone, meaning there will be more stories and discoveries like these.

I can’t tell you how many people have told me that they don’t care if their PC gets attacked, because they don’t hold any personal information. They say that because of the stereotype that "hacks" steal credit card information. For those of you nodding your heads, I submit that this is a very narrow-minded view. Consider this: your PC is attacked, and now all of your pictures (think kids, grandkids, vacations, etc.) are inaccessible to you. The same for your resume, your wedding invitation list, and the work you have done on that thesis for school. Now think of how distraught you would be if you needed them right away; after all, they are yours!!! Well, now you’d be at the mercy of someone else. You’d have to depend on them to live up to their word to get your access back. $300 is a large lesson to learn, but what guarantee do you have that you’d be left alone; that the "fix" file that decrypts your files doesn’t open some other door for another attack by someone else; this time wanting $400?

The solution is to back up and/or archive such files to CD/DVDs, backup media, or USB drives. There are plenty of ways of doing this, but to do nothing is at least a $300 lesson. "One-button" solutions like the Seagate or Iomega USB drives, or the like, are worth the money and still cheaper than this lesson. An even cheaper solution is an imaging product like Acronis True Image.

$10? $20? $100? Try $300 if you get infected by . This malware encrypts files on an infected machine, and all drives attached to it, changes Internet security zones in your browser, and then writes a ransom letter in every folder on the machine. The ransom letter tells the reader that the files have been encrypted and that personal information has been collected. It threatens to share the personal information unless the user arranges for a $300 payment to a contact at a specified email address. And there is a deadline.

Today, I got the opportunity to look at a Storm infected machine close up. This is only worth mentioning because of something that hasn’t gotten much press on sites that discuss these kinds of things. Luckily this machine has been powered off, sitting on the bench for the past two weeks (I’ve been on vacation and someone wanted "me" to see it).

Anyhow, the user clicked on a link in one of the recent Storm spam emails, and realized their mistake after reading a warning message from me about these circulations. The user was in denial for a few days before calling for help. A quick determination revealed what had happened.

Upon inspection today, with the machine connected to a malware/virus sniffing network, peer-to-peer connections were discovered, as was a large series of DNS query packets; the implication was SPAM. Checking for a mail engine, I found 110 connections to remote SMTP servers!!! And as soon as one dropped, a new one was created. Additionally, the process IDs of the socket connections were all 0! "How could that be?" a junior tech heard me ask myself. Using various tools, I was able to trace it back to services.exe.

Not only was I looking into the eye of the "Storm", but right in front of me was a clear example of a zombie PC whose strings someone else was pulling. We get to see these kinds of things pretty frequently, but this one was pretty smooth. I was tempted to image the machine just for the sake of resurrecting it in a VM Petri dish when I was bored on a later date.

Anyway, I wanted to share this since we so often talk about what to look out for, to keep the infections/attacks at bay. This was a great story (and reminder) about what to look for to determine that you are infected (or breached).

For those not sure how to determine remote connections to/from your PC, in a command prompt window (Start -> Run -> type CMD, hit Enter), type "netstat -ano". The keys here are the foreign addresses with port 25 (x.x.x.x:25). Port 25 is the port for SMTP (Internet email). The -o switch also shows the owning process ID for each connection, which is how the PID 0 oddity above stood out.
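Going one step further than eyeballing the listing: the script below is an added example (not part of the original post) that parses saved `netstat -ano` output and flags the pattern described above, many connections to remote port 25 all owned by PID 0. The sample listing, its addresses and the threshold of five SMTP peers are constructed assumptions, not data from the infected machine.

```python
"""Added example, not from the original post: triage a saved `netstat -ano`
listing for the pattern described above, many outbound connections to
foreign port 25 (SMTP) whose owning PID is 0. The sample output is
constructed, not a real capture."""
import re
from collections import Counter

# Constructed `netstat -ano` output in the cmd.exe column layout.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.1.20:1054      198.51.100.7:25        ESTABLISHED     0
  TCP    192.168.1.20:1055      203.0.113.44:25        SYN_SENT        0
  TCP    192.168.1.20:1056      198.51.100.9:25        ESTABLISHED     0
  TCP    192.168.1.20:1102      192.0.2.10:80          ESTABLISHED     1984
  UDP    192.168.1.20:6881      *:*                                    0
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """One dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        host, _, port = foreign.rpartition(":")
        rows.append({"proto": proto, "local": local, "foreign_host": host,
                     "foreign_port": port, "state": state or "", "pid": int(pid)})
    return rows

def smtp_connections(rows):
    """TCP rows whose remote port is 25: outbound SMTP, the post's key sign."""
    return [r for r in rows if r["proto"] == "TCP" and r["foreign_port"] == "25"]

def triage(text, threshold=5):
    """Report SMTP peer count and whether every such socket belongs to PID 0.
    The threshold is an assumed value, not from the post."""
    smtp = smtp_connections(parse_netstat(text))
    pids = Counter(r["pid"] for r in smtp)
    return {"smtp_count": len(smtp),
            "smtp_peers": sorted({r["foreign_host"] for r in smtp}),
            "pid_zero_only": bool(smtp) and set(pids) == {0},
            "suspicious": len(smtp) >= threshold or (bool(smtp) and 0 in pids)}
```

A legitimate mail client shows one or two port-25 connections owned by a real, nonzero PID; a mail engine hidden in a system process shows many, and the owning PID does not line up with any program the user recognizes.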

UPDATE: I found  that describes what I saw pretty well. They have this rated as LOW. I have to disagree, considering the number of Storm emails that were circulating (and this came from Storm).

Adobe chimes in with their own security bulletins for Photoshop (CS2 and CS3) and Flash. The Photoshop vulnerability requires a specially crafted BMP, DIB, RLE or PNG file to be opened in Photoshop for the attack.

The Flash vulnerability has greater potential, as exposure to .swf animations is much more frequent. To exploit this vulnerability, an attacker causes a specially crafted .swf to load on the user’s machine in the Flash player (i.e., Flash on a web page). This allows the attacker to take control of the targeted machine.

Adobe recommends users update their player to the most recent version (9.0.47.0 as of today) from their .

This exploit has considerable implications, especially when reviewing recent cross-site scripting attacks. Protect yourself and patch ASAP.

These are MS07-036 through MS07-041. Three of these have a maximum severity of Critical and should be patched right away. If you have Windows Update set to automatically download and apply these, chances are you already have them (but check anyway). At the very least, OSG: Bits, Bytes and Packets recommends that Automatic Updates be set to NOTIFY of needed updates, so the user can decide which updates are downloaded and applied. A better alternative is to let AU download the updates but have the user choose when to install them.

Corporate users should always test updates before deploying them.

For some reason, MS pulled the plug on us. We’re not sure what the deal was, but I got a response to my inquiry about the Space being gone that said that we’re not in non-compliance, so the switch was turned back on. We’re back!

In a recent entry, OSG: Bits, Bytes and Packets warned about email messages claiming to be from a family member, friend, coworker, partner, etc. It seems those messages have changed yet again to include social-engineering lures like "Virus detected". The message goes on to say that a process has detected "abnormal activity" from your IP and provides a link to download a "patch". The link points to an IP address that is part of a network of zombie PCs hosting the executable. Of course, the file isn’t what it claims to be. Instead, it uses P2P methods to provide a back door into your PC, thereby joining it to the zombie network.

To avoid this infection, users are always encouraged to:

  • keep virus definitions up to date,
  • never click on links in emails (especially unsolicited ones),
  • instead, cut and paste links if you must use a link from an email,
  • delete messages such as those described here,
  • and keep systems patched with Microsoft and other software updates.

As we said a week ago, this will not be the end of these types of emails. After all, they are working.