RDKsoftware (webmaster)

This little gem is probably one of those diagnostic tools that -- like BackOrifice and Metasploit Framework -- in the right hands is a good diagnostic tool and in the wrong hands is a bad diagnostic tool:

http://www.serversniff.net/index.php

“ServerSniff.net - Your free "Swiss Army Knife" for networking, serverchecks and routing with many many little toys and tools for administrators, webmasters, developers, powerusers und security-aware users.

“Tools for webmasters and developers:

“Benchmarks and informations about servers, routing, IP-Stacks, encryption, security, nameservers and domains.

“Tools for powerusers:

“For powerusers ServerSniff.net offers computing Hashes for strings and files and simply a lot of information about servers, ssl-encryption, domains etc.

“ServerSniff.net gathers only public information about servers and networks from publicly available sources or from asking the servers directly.”

It doesn’t exactly build confidence when you find that the ServerSniff "terms of use and acceptable use policy" is a dead link: http://beta.serversniff.net/terms_of_use




Thanks Alex.

Tom Kelchner

Update 03/11:

Alert reader "Guest" pointed out a link where terms of use are available: http://beta.serversniff.de/terms_of_use. Looks like it might have been a typo.

Microsoft Updates for Multiple Vulnerabilities

Vulnerability Summary for the Week of March 1, 2010

Vulnerability Summary for the Week of February 22, 2010

Malicious Activity Associated with "Aurora" Internet Explorer Exploit

Vulnerability Summary for the Week of February 15, 2010

Vulnerability Summary for the Week of February 8, 2010

Microsoft Updates for Multiple Vulnerabilities

Vulnerability Summary for the Week of February 1, 2010

Microsoft Internet Explorer Vulnerabilities

Vulnerability Summary for the Week of January 11, 2010

Twust and Safetwy

Del Harvey who leads Twitter’s Trust and Safety team blogged yesterday that the social networking/micro-blogging service has begun filtering all links in Twitter Direct Messages to stop phishing:

“Since these attacks occur primarily on Direct Messages and email notifications about Direct Messages, this is where we have focused our initial efforts. For the most part, you will not notice this feature because it works behind the scenes but you may notice links shortened to twt.tl in Direct Messages and email notifications.”

Twitter blog piece here.

Tom Kelchner

Be on the lookout for websites offering up “free applications” which come with a nasty sting in the tail. Here’s a typical example: Appzkeygen(dot)com

If you like videogame consoles, you may be a fan of emulators (programs that ape long dead consoles, allowing you to play old games on your PC – we’ll avoid the murky legal minefield that comes with this practice and instead focus on the malware).

Below is a Playstation 2 emulator – no really, it is. Would they lie to you?



Probably best not to answer that question.

Download and run any of the above files - all hosted at movieutilitesonline(dot)com - and you’ll probably be wondering where the alleged emulator is that is “by far superior to all other PS2 Emulators released before it.”

A pair of files will be dropped onto your PC, including a randomly named executable in the Windows directory and xpysys.dll in your System32 Folder. You’ve actually wound up with Trojan-Downloader.Win32.CodecPack.2GCash.Gen, which is – as you’ve probably guessed from the name - a Trojan downloader.

In some cases, people have reported this particular attack resulting in rogue antivirus appearing on the compromised system – however, during testing nothing was downloaded onto the PC. This doesn’t mean it won’t happen, of course – and you’ll still have the downloader onboard. Trojan-Downloader.Win32.CodecPack.2GCash.Gen has been used in everything from fake codec scams to rogue AV hijacks in previous months, and is probably going to stick around for quite some time.

Paper Ghost

The number of serious zero-day vulnerabilities and potential exploits discovered in recent days is higher than normal. This can enable cybercriminals to gain more leverage in their attacks, allowing them to target a considerably large number of users while these vulnerabilities remain unpatched.

As part of its regular Patch Tuesday schedule, Microsoft released two security fixes to address vulnerabilities found in certain versions of Windows Movie Maker and Office Excel. This is the first time in almost two years that Microsoft did not include any critical patch in its release.

Both vulnerabilities allow remote code execution when a user opens a specially crafted Movie Maker or Microsoft Producer project file and a specially crafted Excel file. More information on the security advisories can be found in this Trend Micro Security Advisory page.

While this may be good news, this was somewhat balanced out by the discovery of a new zero-day exploit found in Internet Explorer (IE). This exploit is the second found in the last 60 days. The previous one was discovered in January. This exploit takes advantage of an invalid pointer reference vulnerability to execute arbitrary code. Only IE 6 and 7 are vulnerable. Users of IE 8 are safe from this threat.  

The exploit code is now available publicly and some related attacks are being tracked. 

But Microsoft is not alone in being hit by vulnerabilities this week.

Alternate browser, Opera, was also found to have a flaw in the way it handles the Content-Length HTTP header. At the very least, this can cause the browser to crash.

Server applications also came under fire. The popular spam blocker, SpamAssassin, was also found to have a security flaw. This flaw can allow code contained in a specially crafted email that was processed by the application to be executed with administrative privileges on an email server. However, as the specially crafted email would have an invalid recipient, it is unclear if properly configured servers are also vulnerable.

Patching vulnerable applications sounds like a solution but that may not be ideal, particularly for enterprise users. Restarting servers is often not as simple for them as it is for home users. In addition, some individuals who discover vulnerabilities believe, wrongly or not, that software vendors take a long time to issue patches as well as downplay the severity of any known flaw. Because of this, some prefer to reveal the flaws publicly to force vendors to release patches as soon as possible.

Trend Micro advises users to keep their security programs up to date and to immediately apply patches once they are released by their vendors. Users can download this month’s Microsoft patches from the official Microsoft Security Bulletin page or run Windows Update to automatically download and apply the patches.

For business users, Trend Micro Deep Security™ and Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in can be shielded from vulnerabilities, often even before vendor patches are available.

Post from: TrendLabs | Malware Blog - by Trend Micro

Multiple Vendors Affected By New Vulnerabilities

April 3 cannot come soon enough for those who are eager to get their hands on the iPad. If anything, Apple’s recent announcement that the gadget will soon be available in the United States only added to the excitement over the much-talked-about gadget. Unfortunately, spammers are using the current enthusiasm over the iPad to their advantage as well.

In fact, Trend Micro anti-spam research engineers have already seen a number of spammed messages that promise free iPads to lure unwitting users into their scams. In one such spam sample, recipients are being invited to test the iPad at no cost by simply applying to be part of a “word-of-mouth” marketing campaign. They may not have to shell out a single cent but the price they have to pay will be their identities.

The spammed messages instruct users to reply to the email with their personal information, which spammers could easily use for further malicious activities. As Trend Micro anti-spam research engineer, Argie Gallego, recommends, “Users should be suspicious of any freebies offered online, particularly those requiring sensitive personal information such as full name and contact numbers. We have only seen a number of iPad-related spam so far but we expect the numbers to rise as April 3 draws near.”

This recent spam run is no different from how cybercriminals leveraged the iPad launch in January, which led to a FAKEAV variant. Users should thus continue exercising caution in opening email messages from unknown senders. It is also important to be cautious in conducting Web searches on hot topics such as the iPad, as these are often used for blackhat search engine optimization (SEO) attacks as seen in the past. Interestingly, Apple does not own any iPad-related domain names so users should really pay close attention to URLs before they click.

Trend Micro™ Smart Protection Network™ prevents spammed messages from reaching users’ inboxes via the Web reputation service.

Non-Trend Micro product users can also stay protected by using eMail ID, which prevents fake messages from reaching their inboxes. It also helps users quickly find legitimate messages.

Post from: TrendLabs | Malware Blog - by Trend Micro

iPad Giveaway Gives Users’ Identities Away

LifeLock, Inc., the company that GUARANTEED it would prevent customers’ identities from being stolen (for $10 per month) has agreed to pay fines totaling $12 million because the claims it made to promote its protection services were false, according to the U.S. Federal Trade Commission.

The company will pay $11 million to the FTC and $1 million to the attorneys general of 35 states. It is one of the largest FTC-state coordinated settlements, the commission said. The FTC will use the $11 million from the settlement and make refunds to consumers.

The FTC said in its release:

“The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.

“New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only 17 percent of identity theft incidents, according to an FTC survey released in 2007.”

The FTC also said the LifeLock told customers that their personal data that it held was stored securely and encrypted, but it wasn’t.

FTC release here.

A federal judge ruled against LifeLock in a court action in California last year after credit reporting agency Experian sued them. Credit customers can place a free 90-day credit alert on their accounts through credit agencies. LifeLock was charging their customers $10 per month to place the alerts – which cost Experian huge amounts of money.

Story here.

Tom Kelchner

MS10-016: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561)

MS10-017: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150)

http://www.microsoft.com/technet/security/current.aspx

Tom Kelchner

It seems that fans around the world are not the only ones who are hooked on the Oscars. Just a day after this year’s Academy Awards, Trend Micro threat researchers found FAKEAV variants topbilling the search pages.

This time around, users searching for news on the Oscars fell prey to the latest blackhat search engine optimization (SEO) attack that uses the search terms “oscar winners 2010 live.” Almost 80 percent of the results on the first page alone leads to the download of a FAKEAV binary detected by Trend Micro as TROJ_FAKEAV.ZZH.

The said variant has been observed to connect to a remote website to send and receive information. It is also able to download other malware, including Mal_Xed-22 and TROJ_VUNDO.SMAT.

With the continued proliferation of blackhat SEO attacks leading to FAKEAV, it is apparent that cybercriminals intend to continue riding on top Web searches. Users are thus reminded to exercise extreme caution when visiting sites, especially with the Oscar fever still running high.

Trend Micro™ Smart Protection Network™ protects customers from this and similar threats by blocking user access to all related malicious sites via the Web reputation service. It also detects and prevents the download of TROJ_FAKEAV.ZZH, Mal_Xed-22, and TROJ_VUNDO.SMAT via the file reputation service.

Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which prevents user access to potential malicious websites.

Post from: TrendLabs | Malware Blog - by Trend Micro

Oscars 2010 Awards Users with FAKEAV

The United States Computer Emergency Readiness Team (US-CERT) issued a new vulnerability note. However, this particular “vulnerability” concerns a rather unusual product—a USB charger for rechargeable batteries.

The Energizer DUO is a charger for two AA or AAA batteries that can be plugged into USB ports. While no software is needed to use the charger, Energizer did provide an application that would display the charge level of the batteries inserted into the charger.

However, the said application goes far beyond that. It also includes a backdoor detected by Trend Micro as BKDR_ARUGIZER.A. This particular backdoor opens port 7777 to incoming connections, allowing it to receive various commands from remote users. Among the possible commands are to:

• Download and execute files
• Delete files on affected systems
• Upload files from affected systems to a server

While this backdoor does have routines that could cause significant problems, it is not yet clear if these were actually used. Energizer already released an official statement on the issue, announcing the discontinued sale of the charger in question. It is likewise currently working with the US-CERT and U.S. government officials to understand how the code was inserted into the software.

Trend Micro™ Smart Protection Network™ already protects product users from these threats by detecting and preventing the file’s execution on affected systems via the file reputation service.

Non-Trend Micro product users, on the other hand, can use free tools like Housecall, which identifies and removes various viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems.

Post from: TrendLabs | Malware Blog - by Trend Micro

USB Battery Chargers with Malware?