Issue 1, Wednesday 25th Jan 2006

 

Hey everyone and welcome to the first Networking & Security newsletter. As a qualified PC Technician, I understand what an important part user vigilance is to the way computers work nowadays. Since security is now such a large issue within computing, it only seemed right that we do a weekly newsletter on the forums so that all the users are kept up to date with all the latest viruses, vulnerabilities and security news.

 

News In Brief:

 

- FBI publishes 2005 computer crime survey

- The Brain virus turns 20

- Nyxem Worm Marks Files for Deletion (Read Article 2 below)

 

Article 1 : Online Crime

Cybercrime is moving from broad ego-driven outbreaks to much smaller targeted attacks aimed at stealing sensitive data or extorting money from companies, IBM stated in its 2005 Global Business Security Index Report released on Monday.

 

The conclusion explains the apparent drop in high-profile attacks in 2005, a year that saw only moderate threats such as the Zotob worm and the Sober virus. The company, however, saw a major increase in the number of targeted attacks, which generally are not well covered by the media. Between two and three targeted attacks were intercepted each week in 2005, according to a summary of the IBM report.

 

"IBM believes that the environment has shifted," Cal Slemp, vice president of IBM's security and privacy services, said in a statement. "With increased security protection on most systems and stiffer penalties, we are seeing organized, committed, and tenacious profiteers enter this space. This means that attacks will be more targeted and potentially damaging."

 

The recent guilty plea by a 20-year-old California man for compromising hundreds of thousands of computers to create a botnet and then selling access to those computers underscores the shift in cybercrime towards more profitable activity.

 

Article 2 : Nyxem Worm

Instead of delivering the adult material promised by its subject line, a new mass-mailing worm is preparing to delete files on infected Windows machines and shares on a certain date.

 

The cleverly named Nyxem worm lies in wait until the date reaches the 3rd of any given month (e.g. February 3, March 3, and so forth). When the system clock reaches that day, the worm erases several file types on all available drives, including .zip, .doc, .xls, .psd and others.

 

Nyxem searches for email addresses in IE's cache and then forwards itself using its own mail engine and one of several different subject lines, most of which hint at adult pictures and videos. It also attaches a .pif executable or a MIME-encoded equivalent containing .scr files.

 

F-Secure reports that it attempts to copy itself to all shared folders on a network. Moreover, it targets anti-virus software from several vendors (Norton, McAfee, Kaspersky, Trend Micro...), erasing their directories.

 

In a new twist, Nyxem.E keeps a tally of the systems it has infected on a website. By Saturday, the worm's counter logged over half a million infections.

 

Additionally, Nyxem disables scores of other security software by going into the registry and deleting their startup key values. The long list includes many popular free and paid anti-malware products. It also targets file-sharing apps, rendering P2P staples like BearShare, Morpheus and LimeWire ineffective.

 

Sophos senior technology consultant, Graham Cluley, warns that a worker's curiosity can put the entire company's security at risk.

Cluley offers some common-sense tips for employers, saying, "Companies should educate their users to practice safe computing - that includes never opening unsolicited email attachments and discouraging the sending and receiving of joke files, pornography and funny photographs and screensavers."

 

Article 3 : Windows Wi-Fi Flaw

News of a Windows vulnerability is nothing new. But even the most jaded of users will sit up and take notice when it affects a widely used and generally well-liked feature like Wi-Fi networking.

 

Lately, a security researcher's report detailing this "exploit" has stirred up a bit of a hornet's nest online. And it all rests on how Windows negotiates SSIDs and manages ad-hoc connections.

 

An advisory from the Nomad Mobile Research Centre (NMRC) authored by Mark Loveless (aka Simple Nomad) details how XP/2000 machines are susceptible. The Microsoft Windows Silent Adhoc Network Advertisement exploit carries a severity rating of "High (albeit lame)".

 

In summary, Windows XP and 2000 systems first attempt to connect to a default or home AP as configured by a computer's user or administrator. An attacker in ad-hoc mode can use this behavior, along with the tendency of users to keep their preferred access point's out-of-the-box SSID unchanged, in the hopes of luring users into establishing an ad-hoc connection under the guise of their home network. Others can then pile on in a domino-like fashion as the impostor SSID is inherited from user to user.

 

Eric Griffith of Wi-Fi Planet sums up the danger as such:

"The real threat is that hackers know many people don't bother to reset their router/access point SSIDs from the default, and can use this feature of XP to associate directly with a laptop. It's an 'evil twin' attack on automatic, but instead of mimicking a hotspot's SSID, the attacker looks like your home network."

He points out, however, that several factors have to fall into place for it to be successful, reducing the likelihood of this becoming a widespread attack vector. For example, Windows XP SP2 will alert users when establishing an ad-hoc connection. Indeed, the NMRC recommends upgrading to SP2 as a measure of protection.

 

Other recommendations include disabling wireless networking when not in use and setting the system to connect in infrastructure mode only.

Microsoft, for its part, is looking into limiting the risk and is working on ways to provide better management over ad-hoc networks.

 

Virus of the Week: PWSteal.Wowcraft.C

 

(PWSteal.Wowcraft.C, no known AKAs)

 

PWSteal.Wowcraft.C is a Trojan horse that attempts to steal sensitive information related to online games and send it to a remote attacker.

 

Although this virus is low threat, it is causing quite a stir in the online game world. Read more about this virus (and removal instructions) by clicking this link:

http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.wowcraft.c.html

-------------------------------------------------------------

 

Thank you for taking the time to read this newsletter. A new issue is posted on the Wednesday of every week!
