Downadup aka Conficker worm is at the moment a hot topic in computer security. This parasite has infected systems all over the world using a variety of methods to spread itself. One of these is a remote procedure call (RPC) exploit against the MS08-067 vulnerability. Using the vulnerability, the worm injects shellcode that connects back to the infecting machine. This is known as a back-connect. The back-connect works via HTTP on a randomly selected port and the infecting machine responds to incoming requests by providing the entire worm file. The shellcode receives this file and executes it on the remote host, causing it to then become infected.
Nowadays, many users have routers and other gateway devices that by default prevent external computers from connecting their home systems in addition to using network address translation (NAT). Normally that makes back-connect establishing fail and that way protect against Downadup infection.
However, this worm is a sneaky one and tries to bypass the issue by taking advantage of Universal Plug and Play (UPnP) protocol. Eric Chien describes in Symantec Security Response Blog entry how that is done.
Wednesday, January 28, 2009
Monday, January 26, 2009
New Rogue: Total Defender
"A new Rogue Antivirus program called Total Defender appeared over the weekend", writes Sean-Paul Correll in PandaLabs blog. Found parasite keeps its home behind Total-Defender. com domain located in Latvia.
"An interesting thing we noticed is that the Rogue did not attempt to scare us into purchasing it, rather telling us that the computer was secure after the scan. The Rogue authors are probably doing this to keep a high amount of Rogue installations active for the purposes of data theft or for hire services", Correll states.
"An interesting thing we noticed is that the Rogue did not attempt to scare us into purchasing it, rather telling us that the computer was secure after the scan. The Rogue authors are probably doing this to keep a high amount of Rogue installations active for the purposes of data theft or for hire services", Correll states.
Thursday, January 22, 2009
Patched Apple QuickTime And Its Component Released
Apple has released a new version for QuickTime player. Version 7.6 fixes seven different vulnerabilities related to handling of audio and video contents. Vulnerabilities make it possibly to cause an unexpected application termination or arbitrary code execution on target machine.
Also, one vulnerability in QuickTime mpeg-2 playback component for Windows -component was fixed. Fixed problem is related to mpeg-2 file handling and makes it possible to cause an unexpected application termination or execute arbitrary code on target machine.
QuickTime 7.6 can be downloaded and installed via Software Update preferences, or from Apple Downloads.
The QuickTime MPEG-2 Playback Component is not installed by default, and is provided separately from QuickTime. Details are available via http://www.apple.com/quicktime/mpeg2.
Also, one vulnerability in QuickTime mpeg-2 playback component for Windows -component was fixed. Fixed problem is related to mpeg-2 file handling and makes it possible to cause an unexpected application termination or execute arbitrary code on target machine.
QuickTime 7.6 can be downloaded and installed via Software Update preferences, or from Apple Downloads.
The QuickTime MPEG-2 Playback Component is not installed by default, and is provided separately from QuickTime. Details are available via http://www.apple.com/quicktime/mpeg2.
Wednesday, January 21, 2009
Rogue Security Program Leaves Russian Systems Alone?
Alex Eckelberry posted to Sunbelt's Blog a snippet of Antivirus 2009 rogue security program. By looking at it seems like the parasite is instructed to not install itself on systems with Russian Windows.
Tuesday, January 20, 2009
Downadup Worm Fooling Vista And Windows 7 Beta
Worm epidemy that has infected over 10,000,000 systems so far doesn't spread using network only. F-Secure warns that Downadup worm uses also sneaky social engineering way to spread itself. Windows Vista and Windows 7 beta users must be careful with removable USB drives now.
F-Secure warns in its blog namely about sneaky USB functionality of Downadup aka Conficker worm. The worm copies autorun.inf file to USB removable drive. If USB drive is plugged into other computer parasite tries to start up from the drive using modified Vista Autoplay notification window.
Normally, when USB drive is plugged in a window opens up asking if user wants to run the program on removable drive. Under that option there's an option that can be used to explore the contents of USB drive. What the worm does is that it modifies the first option. Icon is changed and program name is modified. Instead of showing a question if user really wants to run program named autorun.inf, system shows an icon and name that by first look may fool user to think it's just an option to browse USB memory contents (pic). If user gives permission attacking code on the USB memory will be run.
F-Secure says that it made test on Windows 7 beta and says the trick was successful on it too.
F-Secure warns in its blog namely about sneaky USB functionality of Downadup aka Conficker worm. The worm copies autorun.inf file to USB removable drive. If USB drive is plugged into other computer parasite tries to start up from the drive using modified Vista Autoplay notification window.
Normally, when USB drive is plugged in a window opens up asking if user wants to run the program on removable drive. Under that option there's an option that can be used to explore the contents of USB drive. What the worm does is that it modifies the first option. Icon is changed and program name is modified. Instead of showing a question if user really wants to run program named autorun.inf, system shows an icon and name that by first look may fool user to think it's just an option to browse USB memory contents (pic). If user gives permission attacking code on the USB memory will be run.
F-Secure says that it made test on Windows 7 beta and says the trick was successful on it too.
Saturday, January 17, 2009
Watch Out For Fake Obama Sites
F-Secure warns in its latest blog entry about fake sites trying to cash in with the inauguration of Barack Obama next week.
As an example F-Secure mentions www.superobamaonline.com. All links on that site point to a file named as speech.exe, which is a Waledec malware variant.
Other seen domains are for example:
www.greatobamaguide.com
www.superobamaonline.com
www.greatobamaonline.com
store.superobamadirect.com
store.greatobamaguide.com
As an example F-Secure mentions www.superobamaonline.com. All links on that site point to a file named as speech.exe, which is a Waledec malware variant.
Other seen domains are for example:
www.greatobamaguide.com
www.superobamaonline.com
www.greatobamaonline.com
store.superobamadirect.com
store.greatobamaguide.com
Thursday, January 15, 2009
Oracle Releases Bunch of Updates
Oracle has released updates that contains fixes to 41 different vulnerabilities. The fixes are part of the company's quarterly CPU (critical patch update).
Exact list of the vulnerabilities and instructions how to apply the fixes can be read from Oracle's Critical Patch Update Advisory.
Next critical patch update Oracle plans to release in April 2009.
Exact list of the vulnerabilities and instructions how to apply the fixes can be read from Oracle's Critical Patch Update Advisory.
Next critical patch update Oracle plans to release in April 2009.
Monday, January 12, 2009
Security Update For January 2009 From Microsoft
Microsoft will release tomorrow, 13.1.2009, its monthly security update packet. This month update contains one update. Affected are all supported Windows operating system versions. Vulnerability that will be patched with this update is critical for Windows 2000, XP and Server 2003. For Windows Vista and Server 2008 the vulnerability is categorized as moderate. According to the correspondent security bulletin advance notification update requires a system restart.
New version of Microsoft Windows Malicious Software Removal Tool will be released too.
More information about the update can be read here.
The easist way to get the update is to use Microsoft automatic update service.
New version of Microsoft Windows Malicious Software Removal Tool will be released too.
More information about the update can be read here.
The easist way to get the update is to use Microsoft automatic update service.
Friday, January 9, 2009
Spammers Take Advantage of Google Code Project
"Google’s code-hosting project is the latest free service to be abused by web spammers", writes Chris Barton, McAfee researcher. According to Barton bad guys are creating plenty of new projects with this type of website that redirects user to fake codec download site.
The assault follows a bout of the same kind of abuse against Microsoft's comparable MSN Spaces beta site dating back a year. Barton states that the difference is that Google appears to automatically index code projects.
Barton's blog post can be read here.
The assault follows a bout of the same kind of abuse against Microsoft's comparable MSN Spaces beta site dating back a year. Barton states that the difference is that Google appears to automatically index code projects.
Barton's blog post can be read here.
Tuesday, January 6, 2009
Twitter Warns About Phishing
Twitter warns its users about direct messages and direct message email notifications that redirects to what looks like Twitter.com and which criminals are using trying to steal users' usernames and passwords.
Scam message says something like "hey! check out this funny blog about you..." and provides a link. That link redirects to a site masquerading as the Twitter front page.
Twitter tells that it's proactively resetting the passwords of the accounts.
Scam message says something like "hey! check out this funny blog about you..." and provides a link. That link redirects to a site masquerading as the Twitter front page.
Twitter tells that it's proactively resetting the passwords of the accounts.
Thursday, January 1, 2009
SMS Vulnerability In Symbian S60 smartphones
There's been found a vulnerability in Symbian S60 platform using smartphones. By exploiting the vulnerability an attacker may prevent the target recieve sms and mms messages. That kind of state can be caused by sending one or more specially crafted sms message to the recipient's phone. Part of S60 phones alert of end of memory after recieving enough of these specially crafted text messages. Other part stops recieving the messages immediately.
Symbian OS is operating system used in many mobile devices. It's S60 platform is used by most mobile phone manufacturers like Nokia, Siemens and Sony Ericsson.
Vulnerable S60 series versions are:
-S60 2nd Edition, Feature Pack 2 (s60 2.6)
-S60 2nd Edition, Feature Pack 3 (s60 2.8)
-S60 3rd Edition, Initial Release (s60 3.0)
-S60 3rd Edition, Feature Pack 1 (s60 3.1)
Phones with S60 version higher than 3.1 are not vulnerable.
Mobile phones can be restored from the vulnerability caused state by doing 'factory reset'. This will reset all settings made by user to the default ones.
It's also possible to protect the phone against these crafted messages by installing S60 suitable antivirus software capable of detecting the exploiting messages.
More information can be read from F-Secure's Blog
Symbian OS is operating system used in many mobile devices. It's S60 platform is used by most mobile phone manufacturers like Nokia, Siemens and Sony Ericsson.
Vulnerable S60 series versions are:
-S60 2nd Edition, Feature Pack 2 (s60 2.6)
-S60 2nd Edition, Feature Pack 3 (s60 2.8)
-S60 3rd Edition, Initial Release (s60 3.0)
-S60 3rd Edition, Feature Pack 1 (s60 3.1)
Phones with S60 version higher than 3.1 are not vulnerable.
Mobile phones can be restored from the vulnerability caused state by doing 'factory reset'. This will reset all settings made by user to the default ones.
It's also possible to protect the phone against these crafted messages by installing S60 suitable antivirus software capable of detecting the exploiting messages.
More information can be read from F-Secure's Blog
Subscribe to:
Posts (Atom)