Friday, January 23, 2009

iWork 2009 Trojan building a botnet

This week security researchers reported that pirated copies of iWork 2009 may contain a Trojan horse. Experts note that with Mac OS X threats, you have to be fooled into installing them. In this case, the chance to own iWork 2009 on the cheap is the potential draw. Most antivirus programs for the Mac are capable of stopping this threat.

But what hasn't been widely reported is what happens after a machine is infected.

Jose Nazario of Arbor Networks today posted an interesting blog on the iWork Trojan. He found that it's creating a botnet (of course).

Earlier this week I speculated that the Downadup/Conficker worm might be doing the same.

Nazario says, like other botnets, it keeps trying until it connects to the command and control server. "It also grabs a list of seed P2P peers from the file itself by decrypting the running file (thwarting static analysis) and managing the known peers as you would expect. It generates a port to listen on as needed (although it’s not quite clear to me how it would handle being behind a NAT device)…. What’s more is that there is an embedded Lua interpreter, giving a very sophisticated command language some additional structure."

What has this new botnet been up to? So far, Nazario reports, it has been launching distributed denial of service (DDoS) attacks.

Thursday, January 22, 2009

Internet Explorer 8 RC 1

A week ago I sat down with Dean Hachamovitch, General Manager of the IE team at Microsoft, and we talked about Internet Explorer 8 RC 1. In the video below, he outlines what he believes are the compelling reasons to use Internet Explorer 8.

The first reason he mentioned was this is now a stable platform. Developers, he said, should build for IE8 RC 1 knowing that their sites won't have to change when the final release arrives this summer.

The second reason, he said, is that IE 8 won't crash, or crash as often. Dean and his team looked at the Beta 2 data and made a series of improvements. Of course, IE 8 includes "in tab crashing," meaning the other IE tabs will remain up and running if one page suffers a problem. Unlike Firefox, which has session restore and can restore the browser and all its tabs after a crash, the IE browser keeps running and only the one tab displaying that problematic page will crash and restore. Pretty cool, eh?

Microsoft accomplished this by isolating the code for each tab, more or less treating each as a mini browser, something that Firefox does not do. To prove his point, Dean showed me a video that crashed a tab. What was very cool was that the streaming video continued in the background while the tab restored itself so that when the page came up, the video continued where it had left off.

There's also compatibility within IE 8. If a page doesn't render right in IE 8, you have the option of displaying it in IE 7. Weird, but it makes sense.

There are some changes in In Private, Microsoft's "porn browsing mode" where the history won't be stored for sites visited. What I saw involved a visual change in the browser so the user can't be fooled into In Private mode without noticing something's changed.

Finally, Dean suggests looking for some surprises hidden within the Favorites bar.

Throughout our conversation Dean hinted that Microsoft would like to see organizations build on the Internet Explorer platform custom applications for their employees or customers to use. This sounds a lot like the idea behind Google releasing Chrome as an environment for its Google Gadgets. Perhaps Microsoft is heading in the same direction.

Wednesday, January 21, 2009

Apple issues 8 critical QuickTime security updates

Today Apple issued a security update for QuickTime 7.6. The update addresses flaws in both the Mac OS X and Windows XP and Vista implementations of the media viewer.

Specifically, the update fixes flaws CVE-2009-0001 through CVE-2009-0007.

The eight vulnerabilities within QuickTime can all be exploited to cause an unexpected application termination (denial of service) or arbitrary code execution on affected PCs, so this patch should be taken seriously.

Tuesday, January 20, 2009

Heartland data breach could be the largest in US history

Details are emerging on what could well become the largest data breach in US history.

Heartland, a company that processes payments for more than 250,000 businesses, is saying today that up to one million customers may have had their credit information stolen, a number easily eclipsing the 47 million customers potentially at risk of credit fraud from the TJX data breach a few years ago. Heartland has since called the U.S. Secret Service and hired two breach forensics teams to investigate.

The breach was discovered late last year as fraud activity on Visa and MasterCard cards began to spike; the affected cards had all been used at establishments serviced by Heartland's credit card processing centers.

Robert Baldwin, Heartland's president and chief financial officer, told the Washington Post that 40 percent of transactions the company processes come from small to mid-sized restaurants across the country. He declined to name a specific restaurant.

Brian Krebs has the details, as does ComputerWorld.

Monday, January 19, 2009

Is the Downadup/Conficker worm building a new botnet?

There's a new Internet worm spreading that may be comparable to Melissa, Sasser, and Blaster in terms of the number of machines infected.

The worm, Downadup (also known as Win32.Conficker.B or simply "Conficker"), exploits a vulnerability in unpatched versions of the Windows Server service that is triggered by a specially crafted RPC request. Microsoft issued a rare out-of-cycle patch, MS08-067, for this flaw on Oct. 23, 2008.

However, estimates of up to nine million Downadup infections within the last week alone suggest that many systems worldwide haven't been patched. Thus the greatest danger from Downadup is to businesses that have not updated their desktops and servers on a regular basis. Home computers protected by a firewall are less at risk, although an infected laptop from work could nonetheless infect a home network. Microsoft has rated the MS08-067 patch Critical for all supported editions of Windows 2000, Windows XP, and Windows Server 2003, and Important for all supported editions of Windows Vista and Windows Server 2008.

According to the SANS Internet Storm Center, Downadup uses multiple vectors to infect PCs.

1) Computers without the October 2008 patch can be attacked remotely and taken over.

2) Downadup can also "brute force" or guess Administrator passwords on local networks and then spread through ADMIN$ shares.

3) Finally, Downadup can create a special autorun.inf file and include its DLL on an infected removable device, such as a USB flash drive or external hard drive.
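As an added example (not part of the original post) of a defender-side check for the third vector: a small Python script that parses an autorun.inf the way a removable-media scanner would and flags the entries a DLL-dropping worm relies on. The sample file, the RECYCLER path and the DLL name are constructed for illustration, not taken from Downadup.

```python
import re
from typing import Dict, List

# Hosts a worm can name in autorun.inf to load a DLL dropped on the drive
LAUNCHERS = ("rundll32", "regsvr32", "wscript", "cscript", "cmd.exe")
# Menu text that mimics Explorer's own AutoPlay option so the user picks the bad entry
LOOKALIKE_ACTIONS = ("open folder to view files",)

def parse_autorun(text: str) -> Dict[str, str]:
    """Collect key=value pairs from the [autorun] section; comment lines and
    lines without '=' (padding or binary junk) are skipped."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def find_suspicious(entries: Dict[str, str]) -> List[str]:
    """Return the reasons an autorun.inf looks like a DLL-launching dropper."""
    reasons: List[str] = []
    for key in ("open", "shellexecute"):
        value = entries.get(key, "")
        if not value:
            continue
        if any(host in value.lower() for host in LAUNCHERS):
            reasons.append(f"{key}= runs a script/DLL host: {value}")
        # "file.dll,Export" or "<file>,Export" is the rundll32 call form
        if re.search(r"\.dll\b|,\s*\w+\s*$", value, re.IGNORECASE):
            reasons.append(f"{key}= names a DLL entry point: {value}")
    action = entries.get("action", "")
    if action.lower() in LOOKALIKE_ACTIONS:
        reasons.append(f"action= mimics Explorer's built-in prompt: {action}")
    return reasons

# Constructed sample in the shape of a dropper's autorun.inf, not a real capture
SAMPLE = r"""[autorun]
@@@@ padding with no key, skipped by the parser @@@@
action=Open folder to view files
shellexecute=rundll32.exe .\RECYCLER\payload.dll,EntryPoint
"""
```

To scan a real drive, read its autorun.inf with `encoding="latin-1", errors="ignore"` before calling `parse_autorun`, so that non-text padding does not abort the parse.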

Once executed, Downadup disables a number of system services, including Windows Security Center, Windows Defender, Windows Automatic Update, and Windows Error Reporting. Downadup then generates a list of possible domains, selects one, and then attempts to connect to a malicious server to download additional malware onto the infected computer.

Given all the secrecy just to download additional malware, I'm thinking this is a botnet-creating worm.

Although Microsoft added Downadup detection to its January 2009 Malicious Software Removal Tool (MSRT), an anti-malware utility distributed to Windows machines via the Windows Update process, experts recommend that users apply the MS08-067 patch from last October if they haven't already done so. Additionally, users may want to disable Autorun so that an infected USB drive or other removable media device won't infect their PC; however, disabling Autorun in Windows involves editing the System Registry and should only be done by experienced personnel.

Tuesday, January 13, 2009

Microsoft SMB patch addresses 3 flaws

Today Microsoft issued a patch that resolves several privately reported vulnerabilities in the Microsoft Server Message Block (SMB) Protocol, which is used for sharing files, printers, serial ports, and other communications.

MS09-001 is rated by Microsoft as critical, its highest rating, for users running Windows 2000, XP, and Server 2003, and moderate, its second highest rating, for users running Windows Vista and Server 2008. It replaces the SMB patch MS08-063 issued last October. Installation of the patch will require a system restart.

Microsoft says that although three flaws are addressed, they are unlikely to yield working exploit code, because the first two (CVE-2008-4834 and CVE-2008-4835) only allow a single fixed value (zero) to be written, and controlling which data is overwritten would also be difficult. The third vulnerability (CVE-2008-4114) affects all Windows systems and allows a denial of service attack.

Today's patch is the only one in Microsoft's January 2009 Patch Tuesday release. It may be obtained from Windows Update or via the bulletin itself.

HBGary announces FastDump Pro for physical memory investigations

HBGary, a computer security firm in Sacramento, California, today announced FastDump Pro, the first memory acquisition software to offer 32- and 64-bit support for all supported versions of Windows with more than 4 gigabytes of RAM. FastDump Pro allows organizations and investigators to preserve and analyze physical memory snapshots of 32- and 64-bit editions of Windows.

“Based on feedback from Fortune 100 and government customers, computer intrusions into physical memory were one of the top security concerns in 2008," said Greg Hoglund, CEO of HBGary, Inc in a press release. "Some malware is not visible anywhere on the computer but in physical memory."

FastDump was first released as a free download in April 2008 for 32-bit systems. The company reports that since its release, several Fortune 100 corporations and 20 of the top 30 government agencies have downloaded the product. The product announced today will be free to HBGary customers with Responder licenses, or can be purchased separately for $100.

Trend Micro and Cisco to monitor all the network aware gadgets in your home

Trend Micro and Cisco today announced a partnership service that offers a way to protect all Internet-connected gadgets at home. Called the Home Network Defender, the service uses Linksys routers to monitor the security of any IP-enabled device connected to the home network.

Already there have been viruses reported in digital picture frames, and if these are connected to the home computer network, they could spread infections in the future. Not only that, smartphones, Apple TV, and even the Nintendo Wii could become vectors.

The service includes many familiar tools, including antivirus software, parental controls, Trend Micro’s Smart Protection Network, Web threat protection, safe Web surfing and various network activity reports.

Basically it performs as a centralized management console for all devices attached to the home network. For example, if a teenager has an iPhone that is connected to the home network, a parent using the Home Network Defender system could see a report of the sites the child has connected to. In turn, the Home Network Defender will also protect the iPhone from any malicious activity.

The Home Network Defender service will be launched at the end of January.

Thursday, January 8, 2009

One critical patch for Patch Tuesday

On the next Microsoft Patch Tuesday, January 13, 2009, Microsoft will have only one patch. The patch affects Windows, and the vulnerability (or vulnerabilities) could be used for remote code execution.

Microsoft says the patch will be critical, the highest rating, for Windows 2000, XP, and Server 2003 users, and moderate, the second highest rating, for Windows Vista and Server 2008 users.

Monday, January 5, 2009

Report: Data breaches up in 2008

In a report out today from the ID Theft Resource Center (ITRC), the number of data breaches increased 46% in 2008 over the previous year.

Of the five categories monitored by the ITRC, only Educational and Military showed a decrease in the last year. Up were Business (reporting the most, with 36% of the breaches), Health, and Financial Services (reporting the fewest, at only 11%).

To prevent data loss, the ITRC issued the following guidelines:

Based on the breach reports from the past 3 years, the ITRC strongly advises all agencies and companies to:
1. Minimize personnel with access to personal identifying information.
2. Require that all mobile data storage devices that contain identifying information encrypt sensitive data.
3. Limit the number of people who may take information out of the workplace, and set into policy safe procedures for storage and transport.
4. When sending data or back-up records from one location to another, encrypt all data before it leaves the sender and create secure methods for storage of the information, whether electronic or paper.
5. Properly destroy all paper documents prior to disposal. If they are in a storage unit that is relinquished, ensure that all documents are removed.
6. Verify that your server and/or any PC with sensitive information is secure at all times. In addition to physical security, you must update anti-virus, spyware and malware software at least once a week and allow your software to update as necessary in between regular maintenance dates.
7. Train employees on safe information handling until it becomes second nature.

For more information, see the ITRC 2008 Breach List.