Security Newsletter - Issue 2, Wed 1st Feb 2006

[merciarich]

Welcome to Issue 2 of the security newsletter, dated Wed 1st Feb 2006.

 

There is now a new section to the weekly newsletter called "Focus of the Week" where I will take a major security issue and explain exactly what it is and how it can affect you and your business.

 

----------------------------------------------------------------------------------------

 

Focus of the Week:

 

Phishing

 

Phishing is the act of tricking someone into giving them confidential information or tricking them into doing something that they normally wouldn’t do or shouldn’t do. For example: sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.

 

There is a neat way of checking if a website is genuine or not. Paste this into your browser address bar:

 

javascript:alert("actual web address:" + location.protocol + "//" + location.hostname + "/");

A box will appear giving you the actual web address - a good way of checking for copycat sites!

 

Ok, so how do you avoid phishing? Don't visit your online bank using a link in an email. Your bank WILL NEVER CONTACT YOU BY EMAIL, as they have no need to. They will send you letters through the post. Use a Favorite or type the web address into the browser. Banks never email their customers and ask for PINs so if you receive a suspicious email, do not enter sensitive information. If your bank is aware of a scam, there will be a warning on its real website so check there. You should also keep an eye on http://www.antiphishing.org, a news site dedicated to exposing similar scams.

 

 

News In Brief:

- Winamp exploit poses hacker risk (See Article 1)

- Yahoo issue major phishing warning on their servers

- Good Worms on the agenda (See Article 3)

 

Article 1 - Winamp exploit poses hacker risk

Hackers have created an exploit targeting a serious security vulnerability in Winamp, the popular media player. Users are strongly urged to update their software to Winamp version 5.13 to guard against attack.

 

A remotely exploitable buffer overflow bug in version 5.12 of Winamp creates a means for hackers to take over machines running the vulnerable software, providing they can trick users into visiting maliciously constructed websites. A malformed playlist file, containing a filename starting with an overly long computer name, would be automatically downloaded and opened in Winamp because of the security bug. Winamp version 5.12 is confirmed as vulnerable and older versions may also be susceptible to attack.

 

Article 2 - Police catch AOL Scammer

A California man who allegedly duped AOL users into handing over credit card details to a fraudulent website has been arrested in the US. Police charged Jeffrey Brett Goodin, 46, of Azusa, with wire fraud and other charges over allegations he masterminded an aggressive phishing scam.

 

Goodin allegedly sent thousands of emails that posed as messages from AOL's billing department warning customers needed to update their payment information or risk losing access to their accounts. Prospective marks were directed towards a fraudulent website and invited to hand over sensitive personal details including credit and debit card information that Goodin allegedly used to make fraudulent purchases.

 

Phishing frauds are becoming an increasingly popular scam. According to the latest available figures from the Anti-Phishing Working Group, 17,000 such fraudulent attacks were launched in November alone.

 

Article 3 - Good Worms on the agenda

A researcher has reopened the subject of beneficial worms, arguing that the capabilities of self-spreading code could perform better penetration testing inside networks, turning vulnerable systems into distributed scanners.

 

The worms, dubbed nematodes after the parasitic worm used to kill pests in gardens, could give security administrators the ability to scan machines inside a corporate network but beyond a local subnet, David Aitel, principal researcher of security firm Immunity, said at the Black Hat Federal conference.

 

"Rather than buy a scanning system for every segment of your network, you can use nematodes to turn every host into a scanner," he said during an interview with SecurityFocus. "You'll be able to see into the shadow organisation of a network - you find worms on machines and you don't know how they got there."

 

The topic of whether self-propagating code can have a good use has cropped up occasionally among researchers in the security community. In 1994, a paper written by antivirus researcher Vesselin Bontchev concluded that 'good' viruses are possible, but the safeguards and limitations on the programs would mean that the resulting code would not resemble what most people considered a virus.

 

Later attempts at creating 'good' worms have failed, however, mainly because the writers have not adopted many of the safeguards outlined in the Bontchev paper. The Welchia worm - a variant of the MSBlast, or Blaster, worm - had apparently been created to fix the vulnerability exploited by the MSBlast worm, but had serious programming errors that caused the program to scan so aggressively for new hosts, it effectively shut down many corporate networks.

 

Immunity's research is the latest attempt to create a more rigorously conceived framework for creating worms that could spread across specific networks to find and report vulnerabilities. The research essentially offers two advances, a strategy for the controlled propagation of worms and a framework in which reliable worms could be created quickly, Aitel said.

 

"History has repeatedly shown us that people who write worms by hand make mistakes," he said. "Worms are difficult to build and very difficult to test."

 

The nematode worms would have to get permission to spread by querying a central server for a specific digital token, which Aitel dubbed a nematoken, before spreading to a particular machine. Another version of the software would use a whitelist to spread among only the company's computers.

 

Because the worms would be limited to spreading in a specific company's network, they would be completely legal, said Aitel. He noted that penetration testers today are given the right by a company to exploit systems on that company's networks. The distributed nature of the worms do make ascertaining permission more difficult, he acknowledged.

 

Aitel's idea is a new twist on an old concept. An author using the name MidNyte wrote a response to Bontchev's paper in 1999 arguing that a 'good' virus that kept information on the last 100 hosts to which it spread could help defend against bad viruses.

 

However, Aitel also argues that, in today's complex networks, nematodes could significantly reduce the cost of scanning a large network, by bringing the advantages of peer-to-peer concepts to penetration testing and network scanning. Rather than buying a new sensor for each subnet in a company, the nematode could spread using existing pathways to enumerate any computers with a given set of vulnerabilities. Moreover, the technology could be used to move search agents across a network to find specific files or to push intelligence to all desktops without a specific client.

 

On the other hand, the dangers inherent in self-propagating code are hard to overcome, said Jose Nazario, senior security and software engineer for network defense firm Arbor Networks.

 

"I still have my doubts that the controls he described are effective enough," Nazario said. "He addressed how you shut the nematodes down and how you make sure they don't infect other networks, but he hasn't addressed machine instability and the danger when people carry laptops across network boundaries."

 

Nazario, the author of Defense and Detection Strategies Against Internet Worms, believes the best way to find vulnerabilities on a large network is to use dedicated sensors, an approach used by Arbor Networks.

 

"There are a number of ways of finding those vulnerabilities in the network without the inherent risks involved in self-propagating code," he said.

 

This article courtesy of SecurityFocus.

 

Virus of the week

 

BlackWorm, AKA BlackMal, Nyxem, MyWife, Tearec

 

Over the last week, "Blackworm" infected about 300,000 systems based on analysis of logs from the counter web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will overwrite a user's files on February 3rd.

 

At this point, the worm will be detected by up to date anti virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti virus signatures. Note, however, that the malware attempts to disable/remove any anti-virus software on the system (and does this every hour while the system is up), so if the machine was infected before signatures were deployed, obviously, that anti-virus software can't be expected to clean up the infection for you.

 

The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message( 'DATA Error [47 0F 94 93 F4 K5]').

 

If you have this virus, it is likely that you will have to do a full reinstall of Windows. Obtaining good backups is critical!

 

Update your anti virus software immediately

 

The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop.

 

It will disable most anti virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.

 

--------------------------------------------------------------------------------------------------

 

Thankyou for reading! Issue 3 out next Wednesday, 8th Feb 2006!