Microsoft security updates for March 2009
Learn about and download the latest computer security updates for March 2009. Read tips on protecting your computer by using anti-spyware and anti-spam programs.
Update on Conficker.D
By MSRCTEAM
We’ve received a lot of questions from customers about April 1, 2009 and the latest Conficker variant discovered earlier this month, Worm:Win32/Conficker.D (also known as Conficker.C or Downadup.C by some other companies). I wanted to let you know that we’ve put some new information up about Conficker.D today from our work with our partners in the Conficker Working Group.
We hope this new information helps you better understand the current situation. While any malware attack is cause for concern, customers who continue to follow the guidance we’ve always given, such as: apply security updates, update security software signatures and clean infected systems, should look at the latest version of Conficker like other malware attacks: a manageable cause for concern.
Since we announced our work with the Conficker Working Group and the $250,000 reward, a new version of Conficker was released, Conficker.D. Systems infected with Conficker.D are systems that were once infected with Worm:Win32/Conficker.B. This new version, Conficker.D, does not spread by attacking new systems.
The April 1, 2009 date that has been talked about recently refers to the date when these systems infected with Conficker.D will start trying to contact domains on the Internet, presumably for new instructions. This is identical behavior to what these systems did when they were infected with Conficker.B. What’s different between Conficker.B and Conficker.D is that the domain generation algorithm that I talked about in my February 12, 2009 posting has been changed. The new algorithm generates a larger pool of possible domains than the original one. You can get more details on this over at the Microsoft Malware Protection Center (MMPC) weblog.
While Conficker.D will start trying to contact a new pool of possible domains on April 1, 2009, we at Microsoft and our colleagues in the Conficker Working Group will continue doing what we’ve been doing throughout: working together on a daily basis to share information and take coordinated actions to help disrupt Conficker. In fact, we’ve already been taking actions against Conficker.D like we have against Conficker.B.
Just like we’re staying constant and focused in our actions against Conficker, all of us encourage customers to stay constant and focused in their actions: ensure your systems are updated with MS08-067, keep your security software signatures updated, and clean any systems you identify that are infected with any version of Conficker.
My colleagues over in the Microsoft Malware Protection Center (MMPC) have more detailed information on Conficker.D on their weblog. Also, some of our partners in the Conficker Working Group have posted some information about Conficker.D and the importance of staying constant and focused in combating it. A sampling of some of the information our partners have posted includes:
· F-Secure
We’ll all be here working to protect customers from Conficker and other threats on April 1, 2009, just like we are today, and we will continue to be here after April 1, 2009. And of course, we’ll update our weblog as we have new information and our partners will do the same.
Thanks.
Christopher
*This posting is provided "AS IS" with no warranties, and confers no rights.*
UK Parliament Conficked!
By Rik Ferguson on worm_downad
According to blogger Dizzy Thinks, the UK Parliament has become the latest institution to fall victim to the spread of Downad/Conficker. In an internal memo, which was subsequently leaked, network users were advised the following: To: All users connecting directly to the Parliamentary Network The Parliamentary Network has been affected by a virus known as conficker. This [...]
Downad/Conficker, who’s the April Fool?By Rik Ferguson on worm_downad
A brief outline of the story so far with WORM_DOWNAD and some thoughts about the April 1st “activation date”. “This could well be very big, but it will also be very quiet.” I’m beginning to get a little exercised by many of the verbs I am seeing attached to this malware in recent commentary; words like “virus set to explode”, [...]
HackersBlog Call It a Day (invoke Jim Morrison)By Rik Ferguson on Hacking
The Romanian “white-hat” hacker group known as HackersBlog have posted a notice on their site, explaining that they are disbanding the collective. The group, responsible for many high profile intrusions over the past few months, are calling an end to their team activity for reasons of boredom! In their own words: “we’ve gotten to that point where most [...]
Cybercriminal Call Centres?By Rik Ferguson on telephone
As the cybercrime economy matures so does the range of services being offered. We are familiar with seeing cybercriminals offering the resources at their disposal to carry out Distributed Denial of Service attacks (DDoS) against IP addresses. Imagine though, how much more effective an attack against your fiercest competitor could be if you could take out their [...]
Dial 0308-PHISHBy Rik Ferguson on telephone
I’m working from home today and I just received a phone call on my land line. Not in itself unusual, but the call was… The number that was calling me was 030811111110 , when I answered the call it immediately connected to an outbound ringback service, so I heard the ringing tone as if I had initiated [...]
Pwn2Own 2009 Result…By Rik Ferguson on compromise
A quick note. This just in, reports are coming in from CanSecWest that the Mac was the first to fall again, with a Safari zero-day vulnerability being succesfully exploited by Charlie Miller (again) just seconds after the contest opened, claiming the $10,000.00 prize money and the MacBook. The sponsors, TippingPoint will work with Apple to make sure [...]
Government Party Like It’s 1984By Rik Ferguson on snooping
It occurs to me that the British Government must have been singularly unimpressed with the lack of fuss that their implementation of the EU Data Retention Directive caused among internet users in the UK. I covered the implementation of the directive in a blog post on Monday, but in a nutshell it obliges ISPs to keep records [...]
TweetFollow your way to infectionBy Rik Ferguson on malware
TweetFollow is an iPhone application available from http://www.b1te.com/tweetfollow/ Unfortunately for the application vendors though, tweetfollow.com (DON’T GO THERE) is also a domain that is hosting malicious JavaScripts that redirect the visitor to download malware. In a textbook example of cybersquatting and trend surfing, these cybercriminals are banking on the popularity of both Twitter and the iPhone to maximise [...]
Waledac: Reuters Video News Social EngineeringBy Rik Ferguson on waledac
This attack is covered in detail over on the TrendLabs Malware Blog Coupons & Barack Obama in January, Valentines in February and now video news in March. Waledac has once again reinvented itself. The creators have moved on from their coupon related campaign and are now using fake big news events with associated video content to fool [...]
Every Breath You TakeBy Rik Ferguson on snooping
When you send an email, it feels like such an ethereal thing, effective, cheap, convenient and relatively instant, yes, but it has none of the permanence of physical postal mail does it? Does it? From today Internet Service Providers in the UK, and soon enough throughout Europe will be obliged to keep a log of every [...]
An interview with HackersBlogBy Rik Ferguson on SQL Injection
UPDATE: A couple of days after this interview, HackersBlog released the details of their latest succesful compromise, Tiscali UK. Once again, access to user data, including username, firstname, surname, company, telephone, regdate, lastlogin, email and hashed password. After many high profile compromises over the past few months, the Romanian hacking project HackersBlog United is rapidly gaining visibility [...]
New Rootkit Attack Hard To KillResearchers demonstrate BIOS-based rootkit injection that evades antivirus software
Notorious Conficker Worm Still Alive And Infecting Unpatched PCsWily worm stays alive despite bounty on its creators
Deblaze - Remote Method Enumeration Tool For Flex ServersBy Darknet on web-application-security
Through the use of the Flex programming model and the ActionScript language, Flash Remoting was born. Flash applications can make request to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods...
Read the full post at darknet.org.uk
Posted by InfoSec News on Mar 27
http://www.cqpolitics.com/wmspage.cfm?docID=news-000003084854
By Tim Starks
CQ Politics
March 25, 2009
The head of the Senate Intelligence Committee signed on to a letter late
last week questioning whether a former CIA director appointed by the
nation’s spy chief should be allowed to...
Posted by InfoSec News on Mar 27
http://www.brisbanetimes.com.au/national/tapping-hacking-and-leaking-20090326-9ceo.html
By Jacob Saulwick
Brisbane Times
March 26, 2009
THE mission statement says a lot: "Reveal their secrets … Protect our
own".
And the nature of its work means that when the Defence Signals
...
Posted by InfoSec News on Mar 27
http://news.cnet.com/8301-13578_3-10203622-38.html
By Stephanie Condon
Politics and Law
CNET News
March 26, 2009
The comprehensive cybersecurity legislation currently in development in
the Senate aims to bring high-level government attention to the serious
problem of cybersecurity by...
Posted by InfoSec News on Mar 27
http://www.theregister.co.uk/2009/03/26/new_firefox_exploit/
By Dan Goodin in San Francisco
The Register
26th March 2009
Mozilla's security team is rushing out a fix for its flagship Mozilla
browser following the public release of attack code that targets a
previously unknown...
Posted by InfoSec News on Mar 27
http://www.dailytimes.com.pk/default.asp?page=2009\03\27\story_27-3-2009_pg7_45
Daily Times
March 27, 2009
LAHORE: The Indian military fears a ‘Chinese aggression’ in less than a
decade, the Hindustan Times has reported, and claimed that a secret
exercise – called ‘Divine Matrix’...
Posted by InfoSec News on Mar 27
http://www.reporternews.com/news/2009/mar/26/acu-says-computer-server-hacked/
By Brian Bethel
Abilene Reporter-News
March 26, 2009
An Abilene Christian University computer server was hacked near the end
of February, but university officials do not at this point believe any
personal...
Spoofing the unspoofable
Websites that use an enhanced form of digital authentication remain just as vulnerable to a common form of spoofing attack as those that use less costly certificates, two researchers have found.…
Interweb Chuck Norris infiltrates Netflix, TivoCSRF has two speeds: Hack and Kill
Researcher Lance James has been busy devising ways to play tricks on some of the world's bigger websites using an exotic attack known as CSRF, or cross site request forgery. While his exploits amount to little more than pranks, they point to the very sobering realization that the net isn't a very secure place.…
'Cybercrime exceeds drug trade' myth explodedAT&T feeds Congress trillion-dollar FUD
A leading security researcher has unpicked the origins of the myth that revenues from cybercrime exceeds those from the global drug trade, regurgitated by a senior security officer at AT&T before Congress last week.…
Leaked memo says Conficker pwns Parliament
House of Commons systems borked
Updated The House of Commons IT systems has reportedly been infected by the infamous Conficker superworm, which has previously infected millions of Windows PCs and affected the operation of hospitals, military and large corporate systems.…
Cisco patch bundle lances multiple DoS flawsUpdates tackle router crash risks
Cisco has released a bundle of security updates, designed to fix a variety of flaws in its core IOS networking software.…
Tool: XSS RaysBy Robert A. on XSS
"I’ve developed a new XSS scanner tool that’s written in Javascript called XSS Rays for Microsoft. They have given me permission to release the tool as open source which is awesome because it can be used for other open source applications. I recommend you use it as part of the web...
Watcher: a free web-app security testing and compliance auditing toolBy Robert A. on Tools
"Watcher is designed as a Fiddler plugin that passively monitors HTTP/S traffic for vulnerabilities. It gives pen-testers hot-spot detection for user-controlled inputs, open redirects, and other issues, and it gives auditors an easy way to find PCI compliance and other organizational issues. Here’s some of the issues Watcher has checks for...
More companies seek third-party Web app code review, survey findsBy Robert A. on Metrics
"The OWASP Security Spending Benchmark Report surveyed about 50 organizations to determine their spending on secure coding; OWASP found that 61% of those surveyed had an independent third-party security review of software code to find flaws before Web applications are used live. The percentage surprised Boaz Gelbord, executive director of information...
Another day hunting malware…By Pedro Bueno on Malware Research
Don’t you like when legit obfuscated javascript is mixed with the malicious one? Also, don’t you like when the malicious one is linked with several redirection, referrals, exploits and other malwares? So, here is the story… Once upon a time a user was checking for a service on google and found one that fits the need… The site is [...]
More Comments Regarding ConfickerBy Kevin Beets and Karthik Raman on Vulnerability Research
A lot has been published about Conficker already–this blog is an addendum to our previously published “W32/Conficker: Much Ado About Nothing.” Here we offer some Conficker snippets, if you will. First off, you may be confused by the differences between the a, b, and c variants. Let’s clear this up a bit. The Conficker.worm.a and Conficker.worm.b [...]
W32/Conficker: Much Ado About Nothing?By Vinoo Thomas on Stinger
In the run-up to April 1, the media spotlight around the latest Conficker worm variant has reached a morbid frenzy. From being touted as an “April Fool’s joke” to outrageous headlines such as “Millions of computers expected to be destroyed”–no other worm in recent history has generated this much media attention. But what have we [...]
Brief: Conficker's capabilities worry researchersConficker's capabilities worry researchers
Economy fuels malware, spamBy Robert Westervelt
Dave Marcus of McAfee's Avert Labs, breaks down the threat landscape and explains why spam numbers are rising and malware writers are taking advantage of the down economy.
Adobe Reader, IE 7 Holes Under AttackIf you were an Internet crook, the following item would be music to your ears: A zero-day flaw--a security hole with no fix available before attacks could be launched--exists in Adobe Reader and Acrobat, and can be exploited by a poisoned PDF file in an attempt to take over a vulnerable computer.
Will Tracker Tools for Your Cell Phone Give You Away?Cell phone apps like Loopt and the new Google Latitude allow you to track your friends' physical locations, and be tracked in return. That can be a huge boon for meeting up on a Friday night-and a real nightmare for privacy if proper safeguards aren't in place. (Read more on cell phone privacy.)
Firefox patches zero-day, hacking contest bugsJust days after a hacker released code that could be used to attack the Firefox browser, Mozilla developers have a fix.
Google plays down security concerns over DocsGoogle Docs users shouldn't lose sleep over the security concerns a security analyst has raised about the hosted suite of office productivity applications, Google said late Friday.
Fears of a Conficker meltdown greatly exaggeratedWorries that the notorious Conficker worm will somehow rise up and devastate the Internet on April 1 are misplaced, security experts said Friday.
Users spurn latest Adobe PDF patches, says researcherAlthough Adobe spent much of March releasing fixes for a PDF bug that hackers have been exploiting for more than three months, users are in no hurry to patch, a security company said Friday.
Creation of White House cybersecurity office still uncertainIt's unclear whether a report being prepared for President Barack Obama on federal information security preparedness will support recent calls for the creation of a new cybersecurity office within the White House, two lawmakers said Thursday.
Hack contest sponsor confirms IE8 bug in final codeThe final version of Microsoft's Internet Explorer 8 (IE8) does contain the vulnerability used to hack a preview of the browser at last week's Pwn2Own, the contest's sponsor confirmed Friday.
Firefox likely to win race to fix PWN2OWN contest bugUnless its two biggest rivals take extraordinary steps, Mozilla will be the first browser maker to patch a critical vulnerability used a week ago to win $5,000 in a hacking contest.
Study: Security, Not Environment, Drives E-waste DisposalIT managers are concerned about where their electronic equipment is going after disposal because they are worried about sensitive data loss, not the environment, according to a new survey.
Mafiaboy to headline IT 360As a 15-year-old, he brought down some of the highest profile sites on the Web. Eight months of detention and eight years of silence later, Michael Calce discusses what the good guys can learn from the black hats.
Facebook glitch hands off control of corporate PagesFacebook inadvertently handed over administrative control for about 17 Facebook Pages on Wednesday, including pages for Microsoft and several airlines.
Use OpenDNS To Protect Your Business Network
If you aren't using OpenDNS to protect your small business network, now is the time to take the few minutes to set it up. It is well worth the investment, it is free, and it will protect you from any number of issues in the future. And you might get better browsing performance as a result that your users will thank you for.
New Zealand telco denies hiring botnet operator
One of New Zealand's largest telecommunications companies is downplaying reports that it hired as a security consultant a teenager who was arrested in 2007 after an FBI-led investigation fingered him as the operator of a massive international botnet operation.
Researchers can ID anonymous Twitterers
Web sites that strip personally identifiable information about their users and then share that data may be compromising their users' privacy, according to researchers at the University of Texas at Austin.
Jeffrey Carr: Act Locally, Pwn Globally
Act Locally, Pwn Globally
Network Security Monitoring LivesBy Richard Bejtlich
Every once in a while I will post examples of why Network Security Monitoring works in a world where Webbed, Virtual, Fluffy Clouds abound and people who pay attention to network traffic are considered stupid network security geeks.
One of the best posts I've seen on the worm-of-the-week, Conficker, is Risk, Group Think and the Conficker Worm by the Verizon Security Blog. The post says:
With the exception of new customers who have engaged our Incident Response team specifically in response to a Conficker infection, Verizon Business customers have reported only isolated or anecdotal Conficker infections with little or no broad impact on operations. A very large proportion of systems we have studied, which were infected with Conficker in enterprises, were “unknown or unmanaged” devices. Infected systems were not part of those enterprise’s configuration, maintenance, or patch processes.
In one study a large proportion of infected machines were simply discarded because a current user of the machines did not exist. This corroborates data from our DBIR which showed that a significant majority of large impact data breaches also involved “unknown, unknown” network, systems, or data.
This my friends is the reality for anyone who defends a live network, rather than those who break them, dream up new applications for them, or simply talks about them. If a "very large proportion of systems" that are compromised are beyond the reach of the IT team to even know about them, what can be done? The answer is fairly straightforward: watch the network for them. How can you do that? Use NSM.
Generate and collect alert, statistical, session, and full content data. I've also started using the term transaction data to mean data which is application-specific but captured from the network, like DNS requests and replies, HTTP requests and replies, and so on. These five forms of data can tell you what systems live on the network and what they are doing. It is low-cost compared to the variety of alternatives (manual, physical asset control; network access control; scanning; etc.). Once a sensor is deployed in the proper place you can perform self-reliant (i.e., without the interference of other groups) NSM, on a persistent and consistent basis.
Where should you monitor? Watch at your trust boundaries. The best place to start is where you connect to the Internet. Make sure you can see the true source IP (e.g., a desktop's real IP address) and the true destination IP (e.g., a botnet C&C server). If that requires tapping two locations, do it. If you can approximate one or the other location using logs (proxy, NAT, firewall, whatever), consider that, but don't rely only on logs.
NSM lives, and it is working right now
Langevin Speaks in Support of White House-based Cyber Security Leadership (March 24, 2009)
US Representative Jim Langevin (D-R...
A Federal CIO Perspective On NIST 800-53 and the Twenty Most Important Security Controls (CAG) (March 26, 2009)Dan Mintz just retired from the CIO position at the US Department of Transportation...
China's Defense Spending is Way Up (March 26 & 27, 2009)According to the Pentagon's annual report, "Military Power of the People's Republic of China (PRC) 2009," China's defense spending is significantly higher than that of other countries in the same region...
High Court of England Allows Data to be Transferred to US for Madoff Investigation (March 26, 2009)The High Court of England and Wales has ruled that data pertinent to the Bernard Madoff investigation may be transferred to the US...
Man Involved in AOL Card Fraud Sentenced (March 24 & 25, 2009)Charlie Blount Jr...
Senator Seeks Details About Support for DHS National Cyber Security Center (March 25, 2009)Senator Susan Collins (R-Maine), ranking member of the Senate Committee of Homeland Security and Governmental Affairs, has sent a letter to DHS Secretary Janet Napolitano asking for details on how US $6 million allocated for the DHS National Cyber Security Center (NCSC) was spent...
Overflow Flaws in Sun Java Runtime Environment Unpacking Utility (March 26, 2009)Integer and buffer overflow vulnerabilities in Sun Microsystems' Java Runtime Environment (JRE) "unpack200" JAR unpacking utility could be exploited to gain elevated privileges on vulnerable systems and to inject and execute arbitrary code...
Firefox Update Slated for Next Week (March 26, 2009)Mozilla plans to release Firefox version 3...
Cisco Updates Address 11 Vulnerabilities in IOS (March 25 & 26, 2009)Cisco has released eight updates to address 11 security flaws in its Internet Operating System (IOS) software...
Adobe Updates Fix Code Injection Flaw in Linux Versions of Reader and Acrobat (March 25, 2009)Adobe has released updates to address a critical security flaw in Adobe Reader and Acrobat for UNIX and Linux...
Conficker Update Slated for April 1 (March 23, 25 & 26, 2009)April 1, 2009 marks a significant shift for the Conficker botnet, but researchers are at a loss to determine what is going to happen...
Ransomware Scheme Incorporates Phony Antivirus Program (March 25, 2009)A sophisticated form of ransomware is spreading on the Internet...
Penetration Testing SummitWhere else can you find the best speakers from other hacker conferences all at one program: HD Moore on the future of Metasploit; Joshua Wright on evolving wireless attacks; Jeremiah Grossman on the Top Ten Web Hacking Techniques; Robert "rSnake" Hansen on web app vulnerabilities; Paul Asadoorian on late-breaking pen test techniques; Larry Pesce on using document metadata in pen tests; Jason Ostrum on VoIP pen testing; Ed Skoudis on secrets of pen testing?
The Summit is June 1 and 2 in Las Vegas...
Learn from actual users which application security tools and processes work best and participate in establishing requirements that may be used for large scale procurement of these tools across government...
New Beta release of Nmap, (Sat, Mar 28th)It appears Fyodor and company are getting close to the first major release of nmap since 4.76 over 6 ...(more)...
Firefox 3.0.8 Released, (Fri, Mar 27th)Gilbert wrote in to let us know that Mozilla has released Firefox 3.0 ...(more)...
Bad Symantec Virus Defintions Update, (Fri, Mar 27th)We had a report earlier today about problems with non-malicious PDF files getting flagged by the Sym ...(more)...
Firefox and Seamonkey Vulnerabilities, (Fri, Mar 27th)In addition to the pwn2own vulnerability used at CanSecWest last week in order to compro ...(more)...
There is some SMiShing going on in the EU, (Fri, Mar 27th)We've had a few reports so far where people receive an SMS which asks them to check out a part ...(more)...
Help File: Combating Conficker; Relighting a Dim Laptop Screen (Washington Post) (Yahoo News)
Giant Internet worm set to change tactics April 1 (AP) (Yahoo Security)
How Much is Conficker Really Impacting Enterprises? (E-Week Security)
Conficker Unlikely To Trigger Doomsday on April 1 (NewsFactor) (Yahoo Security)
Conficker: Doomsday, or the World's Longest Rickroll? (SecurityFix Blog)
Hackers Deface Aussie Censorship Board's Website
By David Kravets
Hackers deface an Australian government website to protest the nation's move to censor thousands of pages from the internet. A message decrying the Classification Board's mission was both chilling and humorous, saying "opposers" of censorship must be killed with "large melons."
Australian classification board website gets hacked
By segphault@arstechnica.com (Ryan Paul) on Porn
The Australian government agency charged with classifying movies and video games has reportedly been hacked in protest of the nation's controversial ISP-level Internet filtering scheme. The culprits replaced the website's introductory text with a comical message which characterizes the government's censorship program as an attempt to "control and sheepify the nation."
In the all-important war against pictures of boobies on the Internet, the government of Australia has spared no expense. In 2006, after conducting a study which determined that ISP-level filtering was not feasible, the nation spent $116 million to develop Internet filtering software that parents could install on computers. When this software was easily circumvented by children, the government decided to try again with an $89 million ISP-level filtering scheme based on a blacklist devised by the Australian Communication and Media Authority (ACMA).
Report: IT not scrimping on security during recession
By jhruska@arstechnica.com (Joel Hruska) on server
IT news might be bad in almost every corner of the industry, but one industry segment seems better fit to ride out the recession than most. Sales of security appliances to various business sectors in Western Europe grew revenue a total of 14.4 percent in 2008 as compared to 2007, but that growth slacked off a bit in the fourth quarter; sales rose only 10.1 percent. Those are solid numbers in any economic climate, and particularly in this one.
The increase in total revenue was not spread evenly across the top five vendors. Fortinet reported 29.5 percent revenue growth from 2007-2008, followed by Cisco (20.5 percent) and "other" (18.7 percent). Nokia and Secure Computing eked out smaller gains of 6.6 percent and 2.3 percent, respectively, while Juniper fell off a cliff. Company revenue dropped 17 percent year-on-year, which helps explain why everyone else grew at such a high rate.
Google Plays Down Security Concerns Over Docs
It says the issues raised by a security analyst aren't 'significant'
Firefox Patches Zero-day, Hacking Contest Bugs
The update fixes a bug used to win the Pwn2Own hacking contest
Fears of a Conficker Meltdown Greatly Exaggerated
With 60 Minutes airing a report on Sunday, some people are panicking, but researchers don't expect anything dramatic
Chrome Skunks Hackers in Vulnerability Contest
Analysis: Firefox, Internet Explorer, and Safari browsers don't fare as well.
April Fool's Conficker Threat is Likely Hype
Despite warnings of digital Armageddon come April 1, experts say you can probably breathe easy.
Security Analyst Spots Three Flaws in Google Docs
Google denies problems, but finds could raise more questions over the safety of storing data in the cloud
Posts
No comments:
Post a Comment