<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-6687636</id><updated>2011-12-14T21:39:59.611-05:00</updated><title type='text'>Internet Insecurity</title><subtitle type='html'>&lt;p&gt;Musings and quick posts about the woeful state of computer security. Learn how to protect yourself online from spam, viruses, phishing scams, identity theft, and hackers.&lt;/p&gt;</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://unsecure.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default?start-index=101&amp;max-results=100'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>273</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-6687636.post-115504373307087552</id><published>2006-08-08T09:27:00.000-04:00</published><updated>2006-08-08T09:29:00.560-04:00</updated><title type='text'>Current Virus Threats</title><content type='html'>This week's 
report from Panda Software on viruses and intruders clearly reflects the new dynamic influencing malware creators. The three examples of malicious code detailed in the report are aimed at spying, hijacking computers and stealing bank details.&lt;br /&gt;&lt;br /&gt;Firstly, RuSpy.A is a Trojan that obtains user names and passwords for a range of programs including ICQ, Internet Explorer, Mozilla, Outlook and The Bat!. This information is then sent to the creator in an email message.&lt;br /&gt;&lt;br /&gt;To avoid detection, it tries to terminate several processes belonging to security tools (antivirus programs and files). This however is not effective against Panda Software's TruPrevent(tm) Technologies and the auto-protection systems of Panda solutions.&lt;br /&gt;&lt;br /&gt;As well as sending out the information mentioned before, it tries to download the file XINCH.EXE from a web page and creates shortcuts to several websites (all with Russian "ru" domains), and alters the Internet home page on the infected system.&lt;br /&gt; &lt;br /&gt;Another widespread fraud technique is to hijack computers. This is what the Tervserv.A backdoor Trojan does. It connects to a website in order to receive remote commands, such as instructions to download and run files that give the attacker complete control over the compromised computer.  &lt;br /&gt;&lt;br /&gt;Tervserv.A can also be instructed to send information about files on the computer as well as update or uninstall itself.&lt;br /&gt; &lt;br /&gt;Finally, this week's report looks at Banker.DZO. This is a Trojan that monitors Internet traffic generated when a user accesses the web pages of Banco de Brasil, Bradesco, CEF, GERENCIADOR, Itau and Brad.Juridico.&lt;br /&gt;&lt;br /&gt;When an infected user opens one of these pages, Banker.DZO displays a false login page in order to obtain the user name and password for accessing accounts. This information is then sent to the creator in an email message. 
The information compiled is quite extensive, ranging from the particular bank or branch of the user to the password or even the secret password reminder question.</content><link rel='related' href='http://www.netsense.info' title='Current Virus Threats'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115504373307087552'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115504373307087552'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/08/current-virus-threats.html' title='Current Virus Threats'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-115357793386220929</id><published>2006-07-22T10:17:00.000-04:00</published><updated>2006-07-22T10:18:54.456-04:00</updated><title type='text'>Fake Google Toolbar Download Page</title><content type='html'>Scammers have set up an exact copy of the download page for Google's Toolbar plug-in in an attempt to lure users to download a Trojan backdoor.&lt;br /&gt; &lt;br /&gt;Reported by security outfit Surfcontrol, some versions of the scam even spoof the correct Google Toolbar web address for 
Internet Explorer, using Google's own redirection service in an attempt to hide the real, non-Google address.&lt;br /&gt;&lt;br /&gt;The Trojan itself--W32.Ranky.FW--is designed to turn the PC into a bot zombie, and is spread using the conventional technique of asking recipients of a spam e-mail to follow an embedded link.&lt;br /&gt;&lt;br /&gt;According to Surfcontrol, the version detected by the company fails because of poor programming or defective compilation, but it remains a proof-of-concept in how to attack users using a simple combination of convincing elements.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Clever Combination&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Outwardly simple, the scam has a clever combination of tricks. Although using parts of established Web sites is standard in phishing scams, it is relatively unusual to go to the length of reproducing an entire page precisely, in combination with a convincingly-spoofed web address.&lt;br /&gt;&lt;br /&gt;The fact that the spammed e-mail appears to come from Google could convince recipients to follow the link.&lt;br /&gt;&lt;br /&gt;Assuming that a re-engineered version appears--highly likely--once infected, users will notice nothing untoward, although their PCs will have become part of a bot-controlled network.&lt;br /&gt;&lt;br /&gt;Google has been attacked in a similar way before. Last September, scammers faked the Google search page itself in order to aid the spread of a worm.&lt;br /&gt;&lt;br /&gt;More recently, a Trojan attacked the company's AdSense advertisements, replacing them, in-browser, with fake ones on any PC infected with the malware.</content><link rel='related' href='http://unsecure.blogspot.com' title='Fake Google Toolbar Download Page'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115357793386220929'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115357793386220929'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/07/fake-google-toolbar-download-page.html' title='Fake Google Toolbar Download Page'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-115271701656629801</id><published>2006-07-12T11:08:00.000-04:00</published><updated>2006-07-12T11:10:16.740-04:00</updated><title type='text'>Microsoft Office Vulnerability</title><content type='html'>A vulnerability has been reported in Microsoft&lt;br /&gt;Office, which could allow a remote attacker to run arbitrary code on the&lt;br /&gt;target system.&lt;br /&gt;&lt;br /&gt;According to http://www.frsirt.com/english/advisories/2006/2720 and&lt;br /&gt;http://www.securitytracker.com/alerts/2006/Jul/1016453.html, a remote&lt;br /&gt;user could create a specially crafted Word file which, when loaded by&lt;br /&gt;the target user, could cause a memory access error in the LsCreateLine()&lt;br /&gt;function in the mso.dll file, and allow arbitrary code to be run.&lt;br /&gt;&lt;br /&gt;This could result in a denial of service situation; however, if the&lt;br /&gt;attack is successfully carried out, the code will be run with 
the&lt;br /&gt;privileges of the target user.  Also, proof-of-concept code has been&lt;br /&gt;published. Oxygen3 advises users to treat with caution possible&lt;br /&gt;malicious files that could try to reproduce this attack, and not to open&lt;br /&gt;Office files received from unreliable sources.</content><link rel='related' href='http://www.netsense.info' title='Microsoft Office Vulnerability'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115271701656629801'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115271701656629801'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/07/microsoft-office-vulnerability.html' title='Microsoft Office Vulnerability'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-115271690469487074</id><published>2006-07-12T11:07:00.000-04:00</published><updated>2006-07-12T11:08:27.780-04:00</updated><title type='text'>Current Virus Threats</title><content type='html'>The Oscarbot.IV, Peerbot.B and Netsad.B worms are the subject of this week's PandaLabs report.&lt;br /&gt;&lt;br /&gt;Oscarbot.IV is a 
worm that opens several communication ports on infected computers, allowing attackers to access the system remotely. It also drops the Protestor.A Trojan on the system, which can capture screenshots and steal user data. Oscarbot.IV spreads via America Online Instant Messenger, sending messages to all active user contacts. When run, it is installed on the system as a service called "Windows Genuine Advantage Validation Notification", trying to pass itself off as a Microsoft antipiracy service and ensuring it is run on every system startup.&lt;br /&gt;&lt;br /&gt;Peerbot.B can open a backdoor to receive commands from an attacker via IRC. It can also steal data from SQL Server or MySQL databases on the computer, which it then sends out via email. When run, the worm creates several files on the system, such as Taskdrv.exe (a copy of the worm itself) and Libmysql.dll, a library belonging to the MySQL database. Peerbot.B can spread using email or P2P file-sharing programs. It creates numerous files in the shared folders in P2P programs under names that refer to cracks for well-known applications and games. When other users of the P2P program run a search, they could find the infected files of the initial victim among the results. To avoid detection, Peerbot.B terminates a long list of processes related mainly to security tools, firewalls or even other malware. It also modifies the hosts file to block access to web pages related to security products.&lt;br /&gt;&lt;br /&gt;Netsad.B is a worm that spreads as an email attachment, using messages such as "sharing files is the essence of living". It also uses several P2P applications, including Kazaa or eMule, creating copies of itself in shared folders so that it can be downloaded by other users. Netsad.B can only operate if the computer has Microsoft .NET framework 2.0. When run, it creates a copy of itself called winservices.cab.bak.exe in the Windows system folder. 
It also creates copies of itself with a variety of names, including some related to antiviruses, in the other system drives. In order to remain hidden, the worm terminates a series of security-related processes, leaving the computer vulnerable to further attack.</content><link rel='related' href='http://www.spamvirushelp.com/online-security.html' title='Current Virus Threats'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115271690469487074'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115271690469487074'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/07/current-virus-threats.html' title='Current Virus Threats'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-115169464847025528</id><published>2006-06-30T15:09:00.000-04:00</published><updated>2006-06-30T15:10:48.613-04:00</updated><title type='text'>Open Office Vulnerability</title><content type='html'>Open Office Vulnerability - The new version of OpenOffice.org 2.0.3 corrects&lt;br /&gt;three vulnerabilities. 
Although no attacks have yet been detected that&lt;br /&gt;exploit these vulnerabilities, users of this office suite are advised to&lt;br /&gt;install it as soon as possible.&lt;br /&gt;&lt;br /&gt;The first of these flaws could allow certain Java applets to break&lt;br /&gt;through the "sandbox" and therefore have full access to system resources&lt;br /&gt;with current user privileges. The malicious Applets could, among other&lt;br /&gt;things, modify or destroy files and read or send private data.&lt;br /&gt;The second problem corrected is the possibility to inject macro code&lt;br /&gt;into documents which is executed transparently when opening the&lt;br /&gt;document, without notifying or consulting the user. The security&lt;br /&gt;consequences are similar to those of the first vulnerability.&lt;br /&gt;&lt;br /&gt;Finally, a vulnerability has been corrected in the processing of XML&lt;br /&gt;documents that could cause a buffer overflow. Exploiting this problem&lt;br /&gt;could lead to the application blocking and, possibly, command execution&lt;br /&gt;in the context of the current user. &lt;br /&gt;&lt;br /&gt;All the vulnerabilities affect OpenOffice.org 1.1.5 and 2.0.x. In the&lt;br /&gt;latter case, users are advised to update to OpenOffice 2.0.3, while&lt;br /&gt;patches are due to be released shortly for version 1.1.5.&lt;br /&gt;  &lt;br /&gt;More information is available in the security bulletin at:&lt;br /&gt;http://www.openoffice.org/</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115169464847025528'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115169464847025528'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/06/open-office-vulnerability.html' title='Open Office Vulnerability'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-115169452599190694</id><published>2006-06-30T15:07:00.000-04:00</published><updated>2006-06-30T15:08:47.576-04:00</updated><title type='text'>Current Virus &amp; Trojan Threats</title><content type='html'>The Kelvir.EO worm, the virus Kukudro.A and the Downloader.JIH Trojan are the subject of this week's report.&lt;br /&gt;&lt;br /&gt;Kelvir.EO is a worm with backdoor functions. It spreads by exploiting certain Windows vulnerabilities in the LSASS, RPC DCOM, Workstation Service and Plug and Play services, and then transfers a copy of itself using its own FTP server. Once it has infected a computer it installs a rootkit, detected as Ruffle.A, in order to disguise its actions. The worm connects to an IRC server which, in turn, connects to a certain channel in order to run commands that, among other things, can obtain passwords stored in Protected Storage, which contains the passwords for programs including Outlook and Internet Explorer. 
Kelvir.EO also allows attackers to terminate processes, get data about the infected system, and update or eliminate the worm's code.&lt;br /&gt;&lt;br /&gt;Kukudro.A is a macro virus that drops the Downloader.JIH Trojan on infected computers, creating a file called 66INSE_1.EXE, a copy of the Trojan, in the hard disk root directory. It does this using an old vulnerability, described in bulletin MS01-34, to avoid the security warning about macros included in Word documents and run its own code automatically. Kukudro.A cannot propagate automatically by itself and therefore needs user interaction in order to spread. The virus spreads in emails with an attachment called My_notebook.doc.  This file includes the specifications of a range of different laptop computers. &lt;br /&gt;&lt;br /&gt;Finally, Downloader.JIH is a Trojan that downloads the Sality.S virus onto computers. This virus infects executable files and can terminate security processes and capture system information. Once the Trojan is run, it connects to a series of web pages to download an executable file which it then saves on the infected computer under a random name. Downloader.JIH cannot spread by itself, but has to be dropped by other malware, in this case Kukudro.A, or executed by users as an email attachment or a file downloaded from the Internet or P2P networks.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115169452599190694'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115169452599190694'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/06/current-virus-trojan-threats.html' title='Current Virus &amp; Trojan Threats'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-115116854034424812</id><published>2006-06-24T13:00:00.000-04:00</published><updated>2006-06-24T13:02:33.803-04:00</updated><title type='text'>Current Viruses</title><content type='html'>The Bagle.JP, Bagle.JQ and Sixem.A worms, the Downloader.JFN Trojan, the backdoor Trojan Breplibot.R, the spyware Browsezilla, and the vulnerability discovered in HLINK.DLL, are the subject of this week's report.&lt;br /&gt;&lt;br /&gt;Bagle.JP and Bagle.JQ are worms from the Bagle family, whose first variants &lt;br /&gt;appeared in the year 2004.  A prime characteristic of this family of worms &lt;br /&gt;has been the ability to spread massively by email and the large number of &lt;br /&gt;variants launched by the creators. The new Bagle.JP and Bagle.JQ variants &lt;br /&gt;spread in a password-protected .zip file attached to an email, which also &lt;br /&gt;includes a .gif image with the password needed to open the file. The &lt;br /&gt;infection occurs if the user opens the .zip file with the password provided &lt;br /&gt;and then runs the file. 
Both worms collect email addresses from the infected &lt;br /&gt;computer in order to spread to other users and have rootkit options to hide &lt;br /&gt;their files, processes and registry entries. In addition, they disable a &lt;br /&gt;series of processes related to security tools such as antiviruses and &lt;br /&gt;firewalls.&lt;br /&gt;&lt;br /&gt;Sixem.A is an email worm that uses the subject of the FIFA World Cup as &lt;br /&gt;bait. When run, it downloads the Downloader.JGP Trojan onto computers. Among &lt;br /&gt;other tactics, it tries to encourage users to open an image supposedly &lt;br /&gt;relating to a 'nudist world cup', although this is really an executable file &lt;br /&gt;with a double extension. To avoid detection, Sixem.A disables a series of &lt;br /&gt;processes related to system security, including antivirus programs and &lt;br /&gt;firewalls.&lt;br /&gt;&lt;br /&gt;Downloader.JFN is a Trojan that exploits a currently unpatched vulnerability &lt;br /&gt;detected in Microsoft Excel that could allow arbitrary code to be run on the &lt;br /&gt;computer. The Trojan infects systems through an Excel file created &lt;br /&gt;especially to exploit this vulnerability. On opening the malicious Excel &lt;br /&gt;file, Downloader.JFN is injected in the Internet Explorer process and then &lt;br /&gt;downloads and runs another Trojan. The Trojan cannot spread itself, and &lt;br /&gt;requires user interaction in order to infect a computer (e.g. opening an &lt;br /&gt;email attachment or file downloaded from a website).&lt;br /&gt;&lt;br /&gt;Breplibot.R is a backdoor Trojan that opens a communication port on &lt;br /&gt;computers and connects to an IRC server to receive commands that allow &lt;br /&gt;remote control over the infected computer. It makes a call to the netsh &lt;br /&gt;command to prevent being blocked by the firewall. Breplibot.R also requires &lt;br /&gt;user intervention in order to spread (e.g. 
opening an email attachment or &lt;br /&gt;file downloaded from a website or P2P networks). This worm has been detected &lt;br /&gt;attached to messages that refer to an alleged oil fraud involving George W. &lt;br /&gt;Bush and Tony Blair.&lt;br /&gt;&lt;br /&gt;Browsezilla is an Internet browser that can be downloaded from numerous web &lt;br /&gt;pages. When installed, it installs the adware PicsPlace on computers, which &lt;br /&gt;in turn connects users, without their knowledge, to certain adult content &lt;br /&gt;web pages. This generates an artificial number of hits on these websites, &lt;br /&gt;with the consequent financial benefits to the owners of the websites and the &lt;br /&gt;creators of Browsezilla. The consequences for users that install this &lt;br /&gt;browser are primarily unnecessary bandwidth usage caused by the hidden &lt;br /&gt;connection to these web pages. In addition, users could find themselves &lt;br /&gt;unjustly accused of visiting these pornographic websites.&lt;br /&gt;&lt;br /&gt;PandaLabs has also warned this week of a vulnerability discovered in &lt;br /&gt;HLINK.DLL, a library used by several Microsoft Office programs, such as &lt;br /&gt;Microsoft Excel. Exploits of this vulnerability have been detected that can &lt;br /&gt;infect computers using a specially-crafted Excel file. This document could &lt;br /&gt;be distributed by email or downloaded from a website. There is currently no &lt;br /&gt;patch available for this vulnerability, and users are therefore advised to &lt;br /&gt;treat all Excel files received with caution, regardless of their origin.</content><link rel='related' href='http://www.spamvirushelp.com/' title='Current Viruses'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115116854034424812'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115116854034424812'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/06/current-viruses.html' title='Current Viruses'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-115100914820580636</id><published>2006-06-22T16:44:00.000-04:00</published><updated>2006-06-22T16:45:52.090-04:00</updated><title type='text'>Sixem.A Virus Alert</title><content type='html'>PandaLabs, Panda Software's anti-malware&lt;br /&gt;laboratory, is warning users of the appearance of Sixem.A, an e-mail&lt;br /&gt;worm using social engineering to trick users, including subjects related&lt;br /&gt;to the World Cup such as 'Naked World Cup game set'. In the message text&lt;br /&gt;users are offered the chance to attend a "nudist world cup".&lt;br /&gt;&lt;br /&gt;Sixem.A also uses other bait, such as a link to a website showing images&lt;br /&gt;of football hooliganism. &lt;br /&gt;&lt;br /&gt;The email attachment is an executable file that appears to be an image&lt;br /&gt;but which actually has a double extension. This means that the real&lt;br /&gt;nature of the file is not apparent to users whose systems are set to&lt;br /&gt;hide the extension of known file types. 
Once executed, the worm connects&lt;br /&gt;to a web page and tries to download the Downloader.JGP Trojan. &lt;br /&gt;&lt;br /&gt;In addition, this new worm collects email addresses from the user's&lt;br /&gt;computer, to which it then sends itself. Sixem.A also terminates a&lt;br /&gt;series of processes related to antivirus software to prevent it from&lt;br /&gt;being detected and neutralized. This action also makes the computer&lt;br /&gt;vulnerable to further attacks.&lt;br /&gt;&lt;br /&gt;This new worm has been detected and neutralized proactively by&lt;br /&gt;TruPrevent(tm) Technologies without having a previous identification of&lt;br /&gt;it. Users of Panda Software have therefore been protected from the&lt;br /&gt;outset against this new threat.&lt;br /&gt;&lt;br /&gt;According to Luis Corrons, director of PandaLabs: "Events such as the&lt;br /&gt;football World Cup force us to pay special attention to possible&lt;br /&gt;security risk, as one of the most difficult factors to control is human&lt;br /&gt;action. The excitement created by the World Cup combined with a bit of&lt;br /&gt;cheek on the part of malware creators can be enough to produce an&lt;br /&gt;effective form of spreading malware. Users are advised to be wary of any&lt;br /&gt;email from unknown sources and to take precautions before downloading&lt;br /&gt;files from websites. To prevent the potentially damaging effects of this&lt;br /&gt;kind of malware users should make sure they have an up-to-date antivirus&lt;br /&gt;with technologies capable of detecting new threats."</content><link rel='related' href='http://www.spamvirushelp.com/online-security.html' title='Sixem.A Virus Alert'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115100914820580636'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115100914820580636'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/06/sixema-virus-alert.html' title='Sixem.A Virus Alert'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-115083191917205021</id><published>2006-06-20T15:30:00.000-04:00</published><updated>2006-06-20T16:10:34.666-04:00</updated><title type='text'>New MS Excel Vulnerability</title><content type='html'>PandaLabs has discovered malicious code that takes advantage of an Excel vulnerability. This flaw causes an unknown error and could allow an attacker to download and run code.&lt;br /&gt;&lt;br /&gt;To do this, the attacker sends the target user an Excel file that runs the exploit code and downloads a Trojan, detected as Trj/Downloader.JFN, which in turn tries to download another file. &lt;br /&gt;&lt;br /&gt;This vulnerability can be used in the future to download any other executable file. 
As there is no documentation or security patch to fix this flaw, it is possible that other malicious code may appear in the next few days that takes advantage of this vulnerability.</content><link rel='related' href='http://www.spamvirushelp.com/online-security.html' title='New MS Excel Vulnerability'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115083191917205021'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115083191917205021'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/06/new-ms-excel-vulnerability.html' title='New MS Excel Vulnerability'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-115049356787838955</id><published>2006-06-16T17:28:00.000-04:00</published><updated>2006-06-16T17:32:48.160-04:00</updated><title type='text'>Virus Report</title><content type='html'>This week's virus report focuses on the BlackAngel.B worm, the Trojans Banker.DJH and Xorpix.O, the Detnat.A virus and twelve vulnerabilities reported by Microsoft: MS06-21, MS06-22, MS06-23, MS06-24, MS06-25, MS06-26, MS06-27, MS06-28, MS06-29, MS06-30, 
MS06-31 and MS06-32.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;BlackAngel.B&lt;/strong&gt; is a worm that spreads through the instant messaging program MSN Messenger. To do this, it sends a message with the text "jaja look a that" and a link to a file called 'fantasma.zip', which passes itself off as a Windows Media Player file. The file has a double extension, which is hidden from users if the option to hide the extension of known file types is enabled. &lt;br /&gt;&lt;br /&gt;When this file is run, the worm ends a series of processes related to antivirus and firewall tools, leaving the computer vulnerable to other attacks. It also disables access to operating system administration tools, such as Control Panel, Registry Editor, Task Manager and System Restore. Finally, BlackAngel.B shuts down the affected computer, resulting in the loss of any information that had not been saved.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Banker.DJH&lt;/strong&gt; is a Trojan that steals confidential information from affected computers. To do this, it monitors the web pages accessed by users and if it detects that they access web pages of certain banking entities, it collects the data entered. What's more, it steals information about the email accounts on the computer. &lt;br /&gt;&lt;br /&gt;In order to hide its actions, this Trojan disables the Windows file protection feature and modifies the files userinit.exe and sfc_os.dll. Banker.DJH cannot spread through its own means, but requires the user to open an infected file received via email, downloaded from a web page, or through instant messaging programs or P2P networks.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Xorpix.O&lt;/strong&gt; is a Trojan that converts the affected computer into a proxy server. What's more, it opens a random port to notify the attacker that the computer is available. 
It cannot spread through its own means, but requires the user to carry out an action in order to spread, such as opening a file attached to an email or running infected files downloaded from the Internet, FTP servers or P2P networks. &lt;br /&gt;&lt;br /&gt;When it is run, Xorpix.O injects itself into the system process winlogon.exe and creates a process called iexplore.exe to pass itself off as an instance of Internet Explorer. Similarly, it creates a series of entries in the Registry to ensure it is run whenever the operating system starts up.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Detnat.A&lt;/strong&gt; is a virus that infects PE (Portable Executable) files that are not compressed. It uses a packing algorithm so that the infected file maintains its original size and a polymorphic routine to encrypt the data differently in each infection. Detnat.A spreads across the shared network resources to which it gains access. Similarly, it requires user intervention to infect computers, such as opening files attached to email messages or downloaded from the Internet or other means.  &lt;br /&gt;&lt;br /&gt;This week, Microsoft has published 12 security bulletins about a series of vulnerabilities, of which 8 are classified as critical, detected in different applications and components of its operating system: MS06-21, MS06-22, MS06-23, MS06-24, MS06-25, MS06-26, MS06-27, MS06-28, MS06-29, MS06-30, MS06-31 and MS06-32. &lt;br /&gt;&lt;br /&gt;The affected programs include Internet Explorer, Windows Media Player and several versions of Microsoft Word and PowerPoint. 
If these vulnerabilities are exploited successfully, a remote attacker could gain total control of the affected computer.&lt;br /&gt;&lt;br /&gt;For this reason, it is advisable to download the security patches that fix these vulnerabilities from Microsoft's website.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.technorati.com/tags/computer+security+tips" rel="tag"&gt;Computer Security Tips&lt;/a&gt;</content><link rel='related' href='http://www.netsense.info' title='Virus Report'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115049356787838955'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115049356787838955'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/06/virus-report.html' title='Virus Report'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-115030427684457466</id><published>2006-06-14T12:55:00.000-04:00</published><updated>2006-06-14T12:57:57.390-04:00</updated><title type='text'>12 Microsoft Security Patches Released</title><content type='html'>Yesterday, like every second Tuesday of each
month, Microsoft published a set of security bulletins and patches which it has rated as "Critical", "Important", and "Moderate".&lt;br /&gt;&lt;br /&gt;The critical bulletins are those from MS06-021 to MS06-28. The content of these bulletins is the following:&lt;br /&gt;&lt;br /&gt;- Cumulative security update for Internet Explorer, which resolves eight newly discovered vulnerabilities in the Microsoft browser.&lt;br /&gt;- Fixed a vulnerability in ART Image Rendering for Windows Server 2003, XP, 98 and Millennium Edition.&lt;br /&gt;- Fixed a vulnerability in Microsoft Jscript, affecting Windows 2000, Server 2003, XP, 98 and ME.&lt;br /&gt;- Security update for Microsoft Windows Media Player. For Windows Media Player 9, 10 and Windows Media Player for Windows XP.&lt;br /&gt;- Fixed two vulnerabilities in the Routing and Remote Access service in Windows 2000, Server 2003 and XP. &lt;br /&gt;- Security update for the graphics rendering engine in Windows 2000, Server 2003 and XP. 
&lt;br /&gt;- Fixed a vulnerability regarding remote code execution in Microsoft Word versions 2000, 2002 and 2003.&lt;br /&gt;- Fixed a vulnerability regarding remote code execution in PowerPoint versions 2000, 2002 and 2003.&lt;br /&gt;&lt;br /&gt;Microsoft rates as "Important" bulletins MS06-029, MS06-030 and MS06-032:&lt;br /&gt;&lt;br /&gt;- Security update for Microsoft Exchange Server running Outlook Web Access for Exchange 2000 and Server 2003.&lt;br /&gt;- Fixed two vulnerabilities in Server Message Block (SMB) for Windows 2000, Server 2003 and XP.&lt;br /&gt;- Security update for a vulnerability in TCP/IP in Windows 2000, Server 2003 and XP.&lt;br /&gt;&lt;br /&gt;Finally, bulletin MS06-031 is categorized as "Moderate":&lt;br /&gt;&lt;br /&gt;- Fixed a vulnerability in the Windows 2000 RPC service that could allow spoofing.&lt;br /&gt;&lt;br /&gt;We can't underline enough the seriousness of these problems, and remind users that they should install the updates as soon as possible. In this case, it is particularly important, because by allowing programs to be installed, these vulnerabilities are the perfect scenario for falling victim to new malware dedicated to cyber-crime.&lt;br /&gt;&lt;br /&gt;You can find all the information about these bulletins at:&lt;br /&gt;http://www.microsoft.com/technet/security/bulletin/ms06-may.mspx&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.technorati.com/tags/computer+security+tips" rel="tag"&gt;Computer Security Tips&lt;/a&gt;</content><link rel='related' href='http://www.netsense.info' title='12 Microsoft Security Patches Released'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115030427684457466'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115030427684457466'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/06/12-microsoft-security-patches-released.html' title='12 Microsoft Security Patches Released'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-115021409754835651</id><published>2006-06-13T11:51:00.000-04:00</published><updated>2006-06-13T11:55:44.943-04:00</updated><title type='text'>Black Angel Worm - New MSN Virus Variant</title><content type='html'>PandaLabs reports on the new BlackAngel.B worm variant.&lt;br /&gt;&lt;br /&gt;It's a worm that spreads via Microsoft MSN Messenger, and has been detected today, 6/13/2006. 
Its main features are:&lt;br /&gt;&lt;br /&gt;- File name: fantasma.avi.exe.&lt;br /&gt;- Icon: uses the same icon as Windows Media Player.&lt;br /&gt;- Size: 385,024 bytes.&lt;br /&gt;- Programmed with Visual Basic.&lt;br /&gt;&lt;br /&gt;It sends one of the following messages to all Messenger contacts:&lt;br /&gt;&lt;br /&gt;"jaja look a that http://&lt;&lt;blocked&gt;&gt;/fantasma.zip"&lt;br /&gt;"mira este video http://&lt;&lt;blocked&gt;&gt;/fantasma.zip  jaja"&lt;br /&gt;&lt;br /&gt;PandaLabs has already detected some incidents caused by BlackAngel.B and warns about the danger of this worm. &lt;br /&gt;&lt;br /&gt;Apart from sending copies of itself, it stops security programs and deletes certain files from the operating system. &lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.tachnorati.com/tags/computer+security+alert"&gt;Computer Security Alert&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.tachnorati.com/tags/computer+virus+alert"&gt;Computer Virus Alert&lt;/a&gt;</content><link rel='related' href='http://www.netsense.info' title='Black Angel Worm - New MSN Virus Variant'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115021409754835651'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/115021409754835651'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/06/black-angel-worm-new-msn-virus-variant.html' title='Black Angel Worm - New MSN Virus Variant'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114972799834053257</id><published>2006-06-07T20:52:00.000-04:00</published><updated>2006-06-07T20:53:19.030-04:00</updated><title type='text'>Multiple Browser Vulnerability</title><content type='html'>FrSIRT has reported a vulnerability in the most widely used browsers, which could be exploited by remote attackers to gain unauthorized access to arbitrary files.&lt;br /&gt;&lt;br /&gt;The flaw stems from a design error that allows keystroke events to be cancelled through JavaScript code, which could be exploited by remote attackers to make users upload arbitrary files inadvertently from a vulnerable system to a malicious host.&lt;br /&gt;&lt;br /&gt;To do this, it is necessary to trick target users into visiting a maliciously crafted web page and carrying out certain actions (like typing text in a text field), which will cause an arbitrary file to be uploaded automatically.&lt;br /&gt;&lt;br /&gt;Rather unusually, 
this flaw does not affect a single browser, but several: Mozilla Firefox 1.5.0.4 and prior versions, Mozilla SeaMonkey 1.0.2 and prior versions, Netscape 8.1 and prior versions, Mozilla Suite 1.7.13 and prior versions, and Internet Explorer 6 and 5.01.&lt;br /&gt;&lt;br /&gt;Also, a demo exploit has been published as proof of concept for this flaw.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.technorati.com/tags/multiple+browser+vulnerability" rel="tag"&gt;Multiple Browser Vulnerability&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.technorati.com/tags/computer+security" rel="tag"&gt;Computer Security&lt;/a&gt;</content><link rel='related' href='http://www.netsense.info' title='Multiple Browser Vulnerability'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114972799834053257'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114972799834053257'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/06/multiple-browser-vulnerability.html' title='Multiple Browser Vulnerability'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114943600669463267</id><published>2006-06-04T11:42:00.000-04:00</published><updated>2006-06-04T12:14:11.410-04:00</updated><title type='text'>Current Virus Threats</title><content type='html'>Trojans Briz.I and Mitglieder.IZ, worms Bagle.JG and BlackAngel.A and the spyware DigiKeyGen are the subject of this week's report.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Briz.I&lt;/strong&gt; is a Trojan used in a criminal scam to steal confidential data, such as banking data or passwords. 
It needs user intervention to spread, such as opening email attachments or downloading files from the Internet or P2P networks.&lt;br /&gt;&lt;br /&gt;It has also been found on certain web pages, mainly with illegal or pornographic content, which redirect targeted users to another page that downloads the malicious file automatically through exploits.&lt;br /&gt;&lt;br /&gt;Once on the system, Briz.I takes the name "iexplore.exe", trying to pass itself off as the Internet Explorer process.&lt;br /&gt;&lt;br /&gt;Then, it disables the Windows security services (firewall) and modifies the "hosts" file in order to prevent access to websites of antivirus companies.&lt;br /&gt;&lt;br /&gt;It finally downloads another component onto the affected computer and deletes itself. This component sends the attacker information from the target system, including IP address and country of origin.&lt;br /&gt;&lt;br /&gt;It also installs a plug-in to capture data entered by the user in Internet Explorer forms, like passwords or banking data.&lt;br /&gt;&lt;br /&gt;Briz.I also allows the infected computer to be used as a gateway to access other websites, masking the attacker, and grants access to files in the affected system.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Mitglieder.IZ&lt;/strong&gt; is a Trojan dropped onto systems by the worm Bagle.JG, which attempts to download other files, probably worm updates, to the target system. 
To do this, it connects to several websites in order to search for eDonkey network servers, and copy itself to the network.&lt;br /&gt;&lt;br /&gt;Also, Mitglieder.IZ attempts to download other files that try to pass themselves off as JPG or PHP files, but are actually updates of Bagle.JG.&lt;br /&gt;&lt;br /&gt;The Trojan copies itself to the affected system under the name Mdelk.exe and creates a Registry key (Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run) pointing to mdelk.exe, in order to ensure it is run on every system startup.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Bagle.JG&lt;/strong&gt; is a worm that drops the Trojan detected as Mitglieder.IZ onto systems. It also tries to reduce the security of the infected computer by terminating services related to security tools, including antiviruses and firewalls.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Bagle.JG&lt;/strong&gt; spreads through the P2P eDonkey program, by copying itself under P2P file and server names obtained by Mitglieder.IZ, so that users download it thinking it is a useful file.&lt;br /&gt;&lt;br /&gt;It inserts an entry in the Windows Registry to ensure it is run on every system startup, and another one in Hkey_Current_User\ Software\FirstrRun to mark the computer so that it knows whether it has been infected or not.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;BlackAngel.A&lt;/strong&gt; is a worm that tries to end processes associated with security tools, such as antivirus programs or firewalls. 
Also, it prevents certain Windows tools from running on infected computers, like the Registry editor and the Task Manager.&lt;br /&gt;&lt;br /&gt;It spreads through MSN Messenger, by passing itself off as a Windows Media Player file with a double extension, which, once run, displays an error message on the screen and sends a copy of the worm to all of the user's currently active contacts.&lt;br /&gt;&lt;br /&gt;The worm's most destructive action consists of deleting a series of critical Windows Registry entries, which prevents the operating system from being booted.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;DigiKeyGen&lt;/strong&gt; is adware hosted on several web pages that lures users by offering them passwords for free access to pornographic content.&lt;br /&gt;&lt;br /&gt;Once run, it drops a code called SpywareQuake onto the system, together with an anti-spyware application with the same name.&lt;br /&gt;&lt;br /&gt;The anti-spyware then blackmails users by informing them that their computer is infected, and telling them that the only way to clean their computer is to buy the program license.&lt;br /&gt;&lt;br /&gt;DigiKeyGen can be downloaded from several web sites with adult content, as well as from the program's official web page.&lt;br /&gt;&lt;br /&gt;Finally, the adware creates a file called eregperf.exe in the affected computer's Windows folder, together with a file that counts the times that the program has been run.&lt;br /&gt;&lt;br /&gt;It also enters a key in the Hkey_Local_Machine\Software\Microsoft\Windows\Currentversion\ Policies\Explorer\ Run Registry entry to make manual disinfection more difficult.</content><link rel='related' href='http://www.netsense.info' title='Current Virus Threats'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114943600669463267'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114943600669463267'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/06/current-virus-threats.html' title='Current Virus Threats'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114925447667441995</id><published>2006-06-02T09:17:00.000-04:00</published><updated>2006-06-02T09:21:17.470-04:00</updated><title type='text'>More On The iexplore.exe Trojan</title><content type='html'>PandaLabs has detected a data theft scam using the new I variant of the Briz Trojan. According to data obtained by PandaLabs from the page the attackers used to control the network, some 2,700 computers spread across more than 120 countries were infected.&lt;br /&gt;The creator -or creators- of this newly uncovered network have been distributing Briz.I from certain web pages, mostly related to illegal or pornographic content. 
PandaLabs is working alongside other security companies to identify and close down each of the websites related to this network and prevent the threat from spreading.&lt;br /&gt;&lt;br /&gt;The emergence of Briz.I could be the consequence of the scam for creating and selling customized versions of Briz, recently discovered by PandaLabs.&lt;br /&gt;&lt;br /&gt;According to Luis Corrons, director of PandaLabs: "It is possible that the creator of the original Trojan has decided to profit directly using the same Trojans that were sold before; alternatively, Briz.I could be a new version of one of the examples that was sold while the previous scam was still in operation".&lt;br /&gt;&lt;br /&gt;Briz.I infiltrates infected systems under the name "iexplore.exe", simulating an Internet Explorer process. Once on the system, it downloads a file that sends information -including the IP address or country of the infected computer- to the attacker's website.&lt;br /&gt;&lt;br /&gt;Another of its components integrates into Internet Explorer, capturing all information entered by users in online forms, such as e-mail passwords or details for entering online banking services.&lt;br /&gt;&lt;br /&gt;This malware allows the computer to be used as a gateway for connecting to other pages and masking the identity of the attacker, who can also remotely access files on the local computer.&lt;br /&gt;&lt;br /&gt;Briz.I is specifically designed to go unnoticed by both users and security companies. It does this by covering its tracks once each of the components has carried out its task. 
It also modifies the "hosts" file in Windows to prevent users from accessing web pages of security companies and it disables the Windows firewall.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.technorati.com/tags/computer+security+threats" rel="tag"&gt;Computer Security Threats&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;"The current objective of malware developers is to profit from their creations, and so they are concentrating on introducing malware surreptitiously, and, as in this case, trying to capture data and login details in order to commit fraud", explains Luis Corrons.&lt;br /&gt;&lt;br /&gt;"Traditional signature-based detection technologies are proving to be insufficient to combat these threats. To prevent this silent epidemic, they need to be complemented with proactive technologies such as TruPrevent(tm) which can detect malware without having previously identified it."&lt;br /&gt;&lt;br /&gt;In order to check if a computer is free from all types of threats, including Briz.I, Panda ActiveScan(tm) is available to users free of charge (&lt;a href="http://www.activescan.com/"&gt;http://www.activescan.com&lt;/a&gt;)</content><link rel='related' href='http://www.netsense.info' title='More On The iexplore.exe Trojan'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114925447667441995'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114925447667441995'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/06/more-on-iexploreexe-trojan.html' title='More On The iexplore.exe Trojan'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114918223237611082</id><published>2006-06-01T13:16:00.000-04:00</published><updated>2006-06-01T13:19:50.070-04:00</updated><title type='text'>Three New IE6 Vulnerabilities</title><content type='html'>Several new vulnerabilities have been announced in Internet Explorer 6, which could cause the popular Microsoft browser to crash.&lt;br /&gt;&lt;br /&gt;The first of these problems is a null pointer dereference: the browser tries to obtain the value pointed to by a null pointer and crashes.&lt;br /&gt;&lt;br /&gt;When an empty applet tag is created prior to any other HTML tag and is left unclosed, Internet Explorer ends up with a null pointer and crashes.&lt;br /&gt;&lt;br /&gt;A second problem has been announced, which occurs when trying to enter an infinite loop. 
This causes Internet Explorer to close and display an "unknown software exception".&lt;br /&gt;&lt;br /&gt;Finally, a denial of service problem has been announced when a frame with certain conditions is created and the user clicks on the frame.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.technorati.com/tags/computer+security" rel="tag"&gt;Computer Security&lt;/a&gt;</content><link rel='related' href='http://www.netsense.info' title='Three New IE6 Vulnerabilities'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114918223237611082'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114918223237611082'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/06/three-new-ie6-vulnerabilities.html' title='Three New IE6 Vulnerabilities'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114899928874577205</id><published>2006-05-30T10:26:00.000-04:00</published><updated>2006-05-30T10:28:40.300-04:00</updated><title type='text'>AW Stats Vulnerability</title><content type='html'>Once more, we are confronted with the fact that any point in a system 
can become a weak point if not managed properly. This time, danger stems from a tool seemingly as harmless, but also as essential, as a log file analyzer and web statistics generator.&lt;br /&gt;&lt;br /&gt;The vulnerable product is AWStats 6.5 (and prior versions), a well-known log file analyzer that generates graphical access statistics for web, streaming, ftp or mail servers.&lt;br /&gt;&lt;br /&gt;This vulnerability could be used by an attacker to bypass security restrictions and run commands on the affected system.&lt;br /&gt;&lt;br /&gt;The flaw is caused by incorrect input validation in the "awstats.pl" script, which does not validate the "configdir" and "config" parameters before they are used to load a configuration file.&lt;br /&gt;&lt;br /&gt;This could be exploited by an attacker to upload an arbitrary file to inject and run arbitrary shell commands through the "LogFile" configuration directive.&lt;br /&gt;&lt;br /&gt;More information about this flaw is available at: &lt;a href="http://www.frsirt.com/english/advisories/2006/1998"&gt;http://www.frsirt.com/english/advisories/2006/1998&lt;/a&gt;</content><link rel='related' href='http://www.netsense.info' title='AW Stats Vulnerability'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114899928874577205'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114899928874577205'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/05/aw-stats-vulnerability.html' title='AW Stats Vulnerability'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114865376277991792</id><published>2006-05-26T10:26:00.000-04:00</published><updated>2006-05-26T10:29:24.050-04:00</updated><title type='text'>Current Virus &amp; Trojan Threats</title><content type='html'>Trojan 1Table.A and backdoor Trojans Gusi.A and Gusi.B are the subject of this week's report:&lt;br /&gt;&lt;br /&gt;1Table.A is a Trojan that takes advantage of a critical vulnerability found in the latest Microsoft Word versions, for which there is no security patch yet.&lt;br /&gt;&lt;br /&gt;The Trojan reaches computers as a legitimate Word document, or any other Microsoft Office document with an embedded Word document.&lt;br /&gt;&lt;br /&gt;When the document is opened, the Trojan triggers a buffer overflow in the application, allowing an attacker to run arbitrary code with the same privileges as the logged in user; if the user has administrator rights, the attacker could gain total control over the target computer.&lt;br /&gt;&lt;br /&gt;Also, the Trojan 
exploits the vulnerability to drop a Gusi backdoor Trojan variant (Gusi.A or Gusi.B) on the affected system.&lt;br /&gt;&lt;br /&gt;1Table.A does not spread automatically; it needs some action from the user to reach a vulnerable system and take advantage of the vulnerability. These actions include opening email attachments, downloading files from the Internet or P2P networks, etc.&lt;br /&gt;&lt;br /&gt;Gusi.A is a backdoor Trojan that cannot reach computers by its own means, but needs to be dropped by other malware, such as 1Table.A.&lt;br /&gt;&lt;br /&gt;Once on the system, it injects itself into Internet Explorer and hooks certain API functions in order to go unnoticed by users.&lt;br /&gt;&lt;br /&gt;Once installed, it sends out information about the compromised computer and awaits commands from a remote attacker, including opening the Windows console (cmd.exe).&lt;br /&gt;&lt;br /&gt;The worm creates file Winguis.dll in the Windows System subfolder, files Etport.sys, Ispubdrv.sys and Rvdport.sys in the Drivers subfolder and file 20060424.bak, which has the following icon:&lt;br /&gt;&lt;br /&gt;Also, it copies itself to the AppInit_DLLs entry in the Windows Registry to ensure it is run every time the operating system starts up.&lt;br /&gt;&lt;br /&gt;Gusi.B is a variant of Gusi.A which is dropped onto the system by another Trojan, like 1Table.A, by taking advantage of a critical, undocumented Microsoft Word vulnerability. &lt;br /&gt;&lt;br /&gt;A clear symptom is an Internet Explorer run error if it cannot find an open Internet connection. Once in the affected computer, it opens a series of consecutive ports, starting from 1032, in order to send out information about the infected computer and receive commands to carry out actions on the system.&lt;br /&gt;&lt;br /&gt;Then, it injects code into Internet Explorer and connects to the IP address 222.9.X.X. It uses rootkit techniques to hide its files. 
This backdoor Trojan creates files Zsydll.Dll and Zsyhide.Dll in the target computer's Windows system subfolder. &lt;br /&gt;&lt;br /&gt;It also creates a file called 20060426.bak, with the following icon:&lt;br /&gt;&lt;br /&gt;To ensure it is run every time Windows starts up, Gusi.B creates a Registry entry in key AppInit_DLLs and several entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\zsydll</content><link rel='related' href='http://adware.netsense.info' title='Current Virus &amp; Trojan Threats'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114865376277991792'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114865376277991792'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/05/current-virus-trojan-threats.html' title='Current Virus &amp; Trojan Threats'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114831183107810142</id><published>2006-05-22T11:28:00.000-04:00</published><updated>2006-05-22T11:30:31.396-04:00</updated><title type='text'>Serious Microsoft WORD 
Vulnerability</title><content type='html'>A buffer overflow vulnerability has been reported in Microsoft Word that could allow an attacker to run code on affected systems.&lt;br /&gt;&lt;br /&gt;This is a serious problem, rapidly reported by the CERT (&lt;a href="http://www.us-cert.gov/cas/techalerts/TA06-139A.html"&gt;http://www.us-cert.gov/cas/techalerts/TA06-139A.html&lt;/a&gt;), as opening a specially-crafted Word document could lead to exploitation of the flaw.&lt;br /&gt;&lt;br /&gt;This includes documents hosted on websites or email attachments. Office documents can contain embedded objects.&lt;br /&gt;&lt;br /&gt;For example, a Word document could be embedded in an Excel or PowerPoint document. As a result, any Office document could be used to launch an attack.&lt;br /&gt;&lt;br /&gt;This vulnerability has been confirmed in Microsoft Word 2003 and Microsoft Word XP (2002), on fully updated systems. Until the necessary update has been published, we recommend that you do not open Office documents coming from unfamiliar sources, and that you keep your antivirus fully updated.</content><link rel='related' href='http://adware.netsense.info' title='Serious Microsoft WORD Vulnerability'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114831183107810142'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114831183107810142'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/05/serious-microsoft-word-vulnerability.html' title='Serious Microsoft WORD Vulnerability'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114771082576001060</id><published>2006-05-15T12:30:00.000-04:00</published><updated>2006-05-15T12:33:46.226-04:00</updated><title type='text'>Latest Wave Of Viruses &amp; Trojans</title><content type='html'>The Nabload.CW Trojan and the latest vulnerabilities reported by Microsoft (MS06-018, MS06-019 and MS06-020) are the basis of this week's report.&lt;br /&gt;&lt;br /&gt;Nabload.CW is a Trojan that cannot spread by itself and therefore needs to be activated by a user. It tries to download and run another Trojan called Bancos.MO.&lt;br /&gt;&lt;br /&gt;It simulates a Windows Media Player file called Video [1].exe, which, when run, displays a window with a GIF animation imitating the Windows player. It then displays a message saying it is necessary to download a codec to play the file.&lt;br /&gt;&lt;br /&gt;If the prompt is accepted, it downloads Trj/Bancos.MO. 
If Video[1].exe is run again, a message appears warning of a corrupt file. The Trojan creates a file in the system folder called ffyt66555.KO, in order to know that the system is infected, and another belonging to Trj/Bancos.MO called Svchost.Exe in the Temporary Internet Files.&lt;br /&gt;&lt;br /&gt;It also creates the following registry entry: Hkey_Local_Machine\Software\Microsoft\Downloadmanager.&lt;br /&gt;&lt;br /&gt;Over the last week, several critical vulnerabilities have been reported in Microsoft products or those associated with its operating systems:&lt;br /&gt;&lt;br /&gt;MS06-018 is a non-critical vulnerability in MSDTC (Microsoft Distributed Transaction Coordinator) detected in Windows XP/2000 and Server 2003 that could allow DoS (denial of service) attacks against vulnerable computers.&lt;br /&gt;&lt;br /&gt;If the attack is successful, the computer could hang and stop responding. The vulnerability can be exploited by sending a specially-crafted packet to the victim computer across a local network or the Internet.&lt;br /&gt;&lt;br /&gt;Use of a firewall can prevent these attacks.&lt;br /&gt;&lt;br /&gt;MS06-019 is a critical vulnerability discovered by Microsoft in Exchange Server 2000/2003 that allows a user to take control of a computer with the same privileges as the logged-in user.&lt;br /&gt;&lt;br /&gt;If the user has administrator rights, the vulnerability could allow an attacker to take complete control of the computer. 
The flaw is due to an error in the interaction between iCal (Internet Calendar) and vCal (Virtual Calendar) and Exchange.&lt;br /&gt;&lt;br /&gt;An attempt to exploit the vulnerability begins with a specially-packaged message sent to the Exchange server.&lt;br /&gt;&lt;br /&gt;MS06-020 is a set of critical vulnerabilities discovered in versions of Macromedia Flash Player included in Microsoft Windows XP/Me/98, which could allow code to be run remotely on vulnerable systems.&lt;br /&gt;&lt;br /&gt;The possibility of an attack is due to the existence of an unchecked buffer during the execution of Flash files. A successful attack could allow access to the computer with the same rights as the current session.&lt;br /&gt;&lt;br /&gt;If the account has administrator rights, an attacker could take complete control of a system. The vulnerability is exploited through a specially-crafted file with an SWF extension, which could be sent by mail or downloaded from a website.</content><link rel='related' href='http://www.netsense.info/' title='Latest Wave Of Viruses &amp; Trojans'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114771082576001060'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114771082576001060'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/05/latest-wave-of-viruses-trojans.html' title='Latest Wave Of Viruses &amp; Trojans'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114709817715250098</id><published>2006-05-08T10:17:00.000-04:00</published><updated>2006-05-08T10:22:57.420-04:00</updated><title type='text'>Malware Threat Report For Q1 2006</title><content type='html'>Seventy percent of malware detected during the first quarter of 2006 was related to cyber crime and, more specifically, to generating financial returns.&lt;br /&gt;&lt;br /&gt;This is one of the conclusions of the newly published PandaLabs report, which offers a global view of malware activity over the first three months of the year.&lt;br /&gt;&lt;br /&gt;Similarly, the report offers a day by day analysis of the most important events in this area. 
This report can be downloaded, free of charge, from: &lt;a href="http://www.pandasoftware.com/pandalabsQ12006/"&gt;http://www.pandasoftware.com/pandalabsQ12006/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;One of the principal conclusions of the report is the confirmation of the new malware dynamic, in which financial profit has become a priority.&lt;br /&gt;&lt;br /&gt;The figures speak for themselves: of all malware detected by the Panda ActiveScan free online scanner between January and March 2006, some 40 percent was spyware, a type of malicious code used specifically for financial gain, primarily through the collection of data regarding users' Internet movements.&lt;br /&gt;&lt;br /&gt;On the other hand, Trojans, including Banker Trojans that steal confidential data related to bank services, and Droppers or Downloaders that download all types of malicious applications onto systems, account for 17 percent of the total.&lt;br /&gt;&lt;br /&gt;Dialers (malicious code that dials up premium-rate numbers without a user's knowledge) were responsible for 8 percent of the total, while bots (a type of malware used in an elaborate business model involving the sale or rental of networks of infected computers) accounted for four percent of the total.&lt;br /&gt;&lt;br /&gt;Another statistic that confirms this new dynamic is that the traditional e-mail worm, until recently the major player on the Internet threat scene, made up only four percent of the total.&lt;br /&gt;&lt;br /&gt;According to Luis Corrons, director of PandaLabs: "Epidemics caused by e-mail worms stir up too much publicity and are therefore no use when it comes to generating profits.&lt;br /&gt;&lt;br /&gt;Currently, the types of malware we are seeing more of are those such as spyware, Trojans and bots, which can be installed silently and remain hidden on systems while they operate maliciously."&lt;br /&gt;&lt;br /&gt;With respect to new examples of malware discovered in the first three months of 2006, Trojans have been the 
most prolific, in particular Downloaders and Bankers, and have accounted for some 47 percent of the total.&lt;br /&gt;&lt;br /&gt;"Trojans are extremely versatile, as they are a type of malware that can be used for a wide range of actions. For this reason it is not surprising that malware creators have relied so heavily on them when designing new specimens," adds Luis Corrons.&lt;br /&gt;&lt;br /&gt;Second in the list come bots, underlining the growing interest that cyber-crooks have in this particular type of malicious code.&lt;br /&gt;&lt;br /&gt;The PandaLabs report also looks at a series of other equally important events that occurred during the first quarter. It offers a complete report on the WMF vulnerability in Windows, which has been widely used by malware writers to distribute their creations, and on the appearance of the Sober.AH and Kamasutra worms, among others.</content><link rel='related' href='http://adware.netsense.info' title='Malware Threat Report For Q1 2006'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114709817715250098'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114709817715250098'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/05/malware-threat-report-for-q1-2006.html' title='Malware Threat Report For Q1 2006'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114701115754438111</id><published>2006-05-07T10:10:00.000-04:00</published><updated>2006-05-07T10:12:37.860-04:00</updated><title type='text'>MySQL Vulnerabilities Patched</title><content type='html'>Several vulnerabilities have been reported in the MySQL database manager, which could be exploited by attackers to compromise a vulnerable system or obtain sensitive information.&lt;br /&gt;&lt;br /&gt;The first flaw is caused by a buffer overflow in file "sql_base.cc", which does not properly handle specially crafted "COM_TABLE_DUMP" packets. This could be exploited by authenticated attackers to run arbitrary commands.&lt;br /&gt;&lt;br /&gt;The second vulnerability stems from an input validation error in file "sql_parse.cc", which fails to validate "COM_TABLE_DUMP" packets. 
This could be exploited by an attacker to have portions of memory disclosed in error messages.&lt;br /&gt;&lt;br /&gt;Finally, the third vulnerability, which could also lead to portions of memory being disclosed in error messages, is due to an input validation error in file "sql_parse.cc", which does not properly handle malformed login packets.&lt;br /&gt;&lt;br /&gt;Affected users are advised to upgrade their products to MySQL version 5.0.21, available at &lt;a href="http://dev.mysql.com/downloads/"&gt;http://dev.mysql.com/downloads/&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The original security advisory can be found at &lt;a href="http://www.frsirt.com/english/advisories/2006/1633"&gt;http://www.frsirt.com/english/advisories/2006/1633&lt;/a&gt;.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114701115754438111'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114701115754438111'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/05/mysql-vulnerabilities-patched.html' title='MySQL Vulnerabilities Patched'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114691922431842930</id><published>2006-05-06T08:38:00.000-04:00</published><updated>2006-05-06T08:40:24.626-04:00</updated><title type='text'>Current Virus Threats</title><content type='html'>A worm, Nugache.A, the backdoor Trojan Hiviti.A and the Banker.CTD Trojan are the focus of this week's report.&lt;br /&gt;&lt;br /&gt;Nugache.A can spread in three different ways: exploiting the known LSASS and RPC DCOM software vulnerabilities, through the popular MSN Messenger application, or via email.&lt;br /&gt;&lt;br /&gt;When installed on a computer, Nugache.A creates a copy of itself in the Windows system directory, in a file with the name MSTC.EXE.&lt;br /&gt;&lt;br /&gt;In addition, it generates several Windows registry entries. 
Having done this, it opens several communication ports to connect to a series of IP addresses from which it receives remote instructions across P2P networks, allowing an attacker to take malicious action on the affected system.&lt;br /&gt;&lt;br /&gt;Hiviti.A is a backdoor Trojan that cannot spread on its own, but requires the intervention of a malicious user. When it is installed on a computer, it creates a copy of itself under the name LOADCNTR.EXE, makes new entries in the Windows registry, and injects itself into the explorer.exe process so that it is not noticed by users.&lt;br /&gt;&lt;br /&gt;In this way, the Trojan waits to log keystrokes made by the user, thereby accessing all types of confidential information, such as user names, passwords, etc. The data collected is then sent to certain predetermined email addresses.&lt;br /&gt;&lt;br /&gt;We finish this week's report with Banker.CTD, a new banker Trojan, i.e. one designed to steal confidential data related to online banking services. Banker.CTD waits for the user to access web pages belonging to certain banks, including Banking, Bradesco, NetBanking, Santander and Sudameris, in order to log the data entered by the user.&lt;br /&gt;&lt;br /&gt;It then sends the data to a certain email address. Banker.CTD requires the intervention of an attacker in order to reach computers. The means of distribution used vary and include floppy disks, CD-ROMs, email messages with attachments, Internet download, files transferred via FTP, IRC channels, P2P file sharing networks, etc.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114691922431842930'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114691922431842930'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/05/current-virus-threats.html' title='Current Virus Threats'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114666086337314576</id><published>2006-05-03T08:50:00.000-04:00</published><updated>2006-05-03T08:54:23.723-04:00</updated><title type='text'>April Top 10 Viruses</title><content type='html'>April could be described as a calm month with respect to virus epidemics, but appearances can deceive.&lt;br /&gt;&lt;br /&gt;Thousands of pieces of malicious code are awaiting the opportunity to install themselves on the computers of unwary users.&lt;br /&gt;&lt;br /&gt;This relative calm is what the creators of malware are looking for, as they are now driven by the potential of financial return and are well aware that clamorous epidemics do not serve their objectives.&lt;br /&gt;&lt;br /&gt;For this reason, they try to insert their creations on users' computers as discreetly as possible.&lt;br /&gt;&lt;br /&gt;In April, Sdbot.ftp once again occupied first place in the ranking. 
This is a script used by the Sdbot family of worms to download themselves onto computers via FTP.&lt;br /&gt;&lt;br /&gt;After this, the next most frequently detected malicious code was Netsky.P, which has figured in the ranking for the last two years.&lt;br /&gt;&lt;br /&gt;Exploit/Metafile was in third place. This is the detection of an exploit of the vulnerability in the processing of WMF files in Windows.&lt;br /&gt;&lt;br /&gt;From this it can be deduced that despite not having been used to cause massive epidemics, malware creators view this security problem as a good way to insert their creations on users' computers, and for this reason they have been using it assiduously.&lt;br /&gt;&lt;br /&gt;Other malicious code in the list includes the Lowzones.RI Trojan, the Tearec.A worm (also called Kamasutra) and the Qhost and Torpig.AY Trojans.&lt;br /&gt;&lt;br /&gt;April's ranking is completed by the Parite.B worm (another habitual offender in the list of frequently detected viruses), the Torpig.AZ Trojan and the generic detection for members of the numerous Gaobot family of worms.&lt;br /&gt;&lt;br /&gt;Malware % frequency&lt;br /&gt;W32/Sdbot.ftp 2.10&lt;br /&gt;W32/Netsky.P.worm 1.07&lt;br /&gt;Exploit/Metafile 0.79&lt;br /&gt;Trj/LowZones.RI 0.64&lt;br /&gt;W32/Tearec.A 0.62&lt;br /&gt;Trj/Qhost.gen 0.51&lt;br /&gt;Trj/Torpig.AY 0.51&lt;br /&gt;W32/Parite.B 0.50&lt;br /&gt;Trj/Torpig.AZ 0.48&lt;br /&gt;W32/Gaobot.gen.worm 0.48&lt;br /&gt;&lt;br /&gt;The most notable feature of this ranking is the presence of malicious code that uses vulnerabilities to install itself on systems.&lt;br /&gt;&lt;br /&gt;This would suggest that there are numerous computers that have not been updated and which could therefore become a breeding ground for the distribution of malware. 
Users need to stay informed about the discovery of new vulnerabilities affecting software and to install the necessary patches to correct them.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114666086337314576'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114666086337314576'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/05/april-top-10-viruses.html' title='April Top 10 Viruses'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114632488697447299</id><published>2006-04-29T11:31:00.000-04:00</published><updated>2006-04-29T11:34:47.193-04:00</updated><title type='text'>Virus Threats</title><content type='html'>This week's report looks at four new IT security threats: The &lt;strong&gt;LootSeek.AU&lt;/strong&gt; and &lt;strong&gt;Briz.F Trojans&lt;/strong&gt;, the &lt;strong&gt;CrazyFrog.A&lt;/strong&gt; worm and the &lt;strong&gt;Matlab/Lagob&lt;/strong&gt; virus.&lt;br /&gt;&lt;br /&gt;LootSeek.AU is a Trojan which in turn downloads another Trojan - detected as &lt;strong&gt;Rizalof.BL&lt;/strong&gt; - onto the 
compromised computer. It also uses an anonymous proxy server for mass-mailing new malware.&lt;br /&gt;&lt;br /&gt;In addition, it terminates several processes belonging to security tools and Windows updates.&lt;br /&gt;&lt;br /&gt;This Trojan, like many others, cannot spread automatically by its own means and therefore needs an attacker to distribute it.&lt;br /&gt;&lt;br /&gt;The &lt;strong&gt;Briz.F Trojan&lt;/strong&gt; is designed to steal data related to online bank services. This new threat uses the lure of pornographic web pages to install itself on users' computers.&lt;br /&gt;&lt;br /&gt;The emergence of Briz.F is a consequence of the scam for creating and selling customized versions of Briz, recently discovered and dismantled by authorities. The web pages hosting Briz.F are designed to automatically download the malicious code onto the computers of users visiting these pages by exploiting several software vulnerabilities.&lt;br /&gt;&lt;br /&gt;The modus operandi of &lt;strong&gt;Briz.F&lt;/strong&gt; is complex and elaborate. The attack begins with the installation of a file called iexplore.exe, which really serves to prepare the ground, detecting whether there is an Internet connection. If this is the case, it connects to a certain web page in order to download another file called ieschedule.exe.&lt;br /&gt;&lt;br /&gt;Finally, &lt;strong&gt;iexplore.exe&lt;/strong&gt; disables the Windows Security Center services and shared access to the Internet. Then, &lt;strong&gt;ieschedule.exe&lt;/strong&gt; sends the information about the infected computer (name, IP address, location, etc.) 
to a predetermined address.&lt;br /&gt;&lt;br /&gt;It also downloads other files, including one called smss.exe, which modifies the hosts file to prevent access to websites related to security products, and another called &lt;strong&gt;ieredir.exe&lt;/strong&gt;, which redirects users to spoof web pages when they try to connect to certain online services, mainly those related to online banks.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;CrazyFrog.A&lt;/strong&gt; is a worm that spreads through the MSN instant messaging system and is designed to steal both access passwords to this application and bank details of the affected user.&lt;br /&gt;&lt;br /&gt;It does this by monitoring network traffic and checking if the user accesses web pages with certain text strings - related to online banking services - in their address. If the user accesses one of these, CrazyFrog.A installs a banker Trojan which captures the bank details entered by the user.&lt;br /&gt;&lt;br /&gt;Finally, &lt;strong&gt;Matlab/Lagob&lt;/strong&gt; is a virus that can infect files with the M extension -corresponding to the popular Matlab application for resolving mathematical problems - directory as the virus is run. When it runs, the virus adds its code to the beginning of the file.</content><link rel='related' href='http://www.netsense.info' title='Virus Threats'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114632488697447299'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114632488697447299'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/04/virus-threats.html' title='Virus Threats'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114624902183177574</id><published>2006-04-28T14:27:00.000-04:00</published><updated>2006-04-28T14:30:25.283-04:00</updated><title type='text'>Firefox Remote Attacker Vulnerability Reported</title><content type='html'>SecurityTracker has reported, at &lt;a href="http://securitytracker.com/alerts/2006/Aug/1015981.html"&gt;http://securitytracker.com/alerts/2006/Aug/1015981.html&lt;/a&gt;, a vulnerability in the increasingly popular Firefox browser which could allow a remote attacker to run arbitrary code.&lt;br /&gt;&lt;br /&gt;A remote user could create HTML code which, when loaded by the victim's browser, would cause a buffer overflow with the possibility of crashing the browser or even remotely running code on the affected system.&lt;br /&gt;&lt;br /&gt;The problem lies in js320.dll and xpcom_core.dll, because the browser does not correctly handle the JavaScript code included in the iframe.contentWindow.focus() function.&lt;br /&gt;&lt;br /&gt;A demo exploit for this 
vulnerability has been published, which means real-world exploits are not far behind.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114624902183177574'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114624902183177574'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/04/firefox-remote-attacker-vulnerability.html' title='Firefox Remote Attacker Vulnerability Reported'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114598167177622771</id><published>2006-04-25T12:12:00.000-04:00</published><updated>2006-04-25T12:14:32.446-04:00</updated><title type='text'>Cisco Advisories</title><content type='html'>Cisco has released two security advisories informing of several vulnerabilities in systems with Cisco IOS XR and in CiscoWorks Wireless LAN Solution Engine (WLSE).&lt;br /&gt;&lt;br /&gt;There are three vulnerabilities in Multiple Multi Protocol Label Switching (MPLS) in systems running Cisco IOS XR, which are only found in CRS-1 and Cisco 12000 series routers.&lt;br /&gt;&lt;br /&gt;Only systems running Cisco IOS XR and 
configured for MPLS are affected by these vulnerabilities. An attacker that successfully exploited any of these vulnerabilities could cause a denial of service in compromised systems.&lt;br /&gt;&lt;br /&gt;Cisco has released the corresponding patches for these vulnerabilities, and it is advisable to refer to the advisory at: &lt;a href="http://www.cisco.com/warp/public/707/cisco-sa-20060419-xr.shtml"&gt;http://www.cisco.com/warp/public/707/cisco-sa-20060419-xr.shtml&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;On the other hand, two vulnerabilities have been confirmed in CiscoWorks Wireless LAN Solution Engine (WLSE).&lt;br /&gt;&lt;br /&gt;The first of these refers to a cross-site scripting problem, while the second involves privilege escalation.&lt;br /&gt;&lt;br /&gt;Cisco has published the updates for these vulnerabilities at: &lt;a href="http://www.cisco.com/cgi-bin/tablebuild.pl/wlan-sol-eng"&gt;http://www.cisco.com/cgi-bin/tablebuild.pl/wlan-sol-eng&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The second Cisco warning is available at: &lt;a href="http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml"&gt;http://www.cisco.com/warp/public/707/cisco-sa-20060419-wlse.shtml&lt;/a&gt;
</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114598167177622771'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114598167177622771'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/04/cisco-advisories.html' title='Cisco Advisories'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114588656218991583</id><published>2006-04-24T09:46:00.000-04:00</published><updated>2006-04-24T09:49:22.486-04:00</updated><title type='text'>Current Virus Threats</title><content type='html'>Here's our report on the most significant threats in the current malware panorama. This week's report includes two new codes that, although they have different functions and characteristics, share the same aim: stealing user data.&lt;br /&gt;&lt;br /&gt;A clear example of the new cyber-crime tendency is the &lt;strong&gt;Goldun.IL Trojan&lt;/strong&gt;, which is a password stealer that tries to capture the e-gold payment details of the affected user.&lt;br /&gt;&lt;br /&gt;To do this, it goes memory resident on computers without carrying out any actions until it detects that the user has accessed the e-gold web page. When this happens, it captures the passwords typed and sends them to another computer.&lt;br /&gt;&lt;br /&gt;The author of this code can collect the details from this computer and carry out operations with the user's account. 
Goldun.IL has been spread through spamming techniques. It has been mass-mailed in a file attached to an email message.&lt;br /&gt;&lt;br /&gt;The message carrying the malicious file containing Goldun.IL encourages the user to install a Service Pack that supposedly blocks Trojans that try to steal e-gold details.&lt;br /&gt;&lt;br /&gt;This week's report also refers to another Trojan called &lt;strong&gt;HarBag.A&lt;/strong&gt;, whose basic mission is to collect email addresses to which to send the Bagle worm. To do this, it looks for 28 types of files and scans them for email addresses.&lt;br /&gt;&lt;br /&gt;These file types are files that usually contain email addresses, such as the Windows Address Book, database, temporary Internet files, etc. After collecting the addresses, it sends them to a server where all the information is centralized.&lt;br /&gt;&lt;br /&gt;A curious feature of HarBag.A is that it only runs once on each computer, so that the hacker that receives the email addresses collected does not receive the same addresses twice.&lt;br /&gt;&lt;br /&gt;Finally, PandaLabs includes information about a false virus for blogs that is starting to generate confusion in the blogosphere. This is simply a joke created by a Dutch author which suggests inserting an animated graphic in blogs. The graphic is a picture of a virus that makes a series of comments, such as how it intends to infect blogs around the world.
</content><link rel='related' href='http://www.netsense.info' title='Current Virus Threats'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114588656218991583'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114588656218991583'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/04/current-virus-threats.html' title='Current Virus Threats'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114563332941489785</id><published>2006-04-21T11:25:00.000-04:00</published><updated>2006-04-21T11:28:50.043-04:00</updated><title type='text'>False Blog Virus Does Indicate Blogging Threat</title><content type='html'>There is a false virus for blogs which is beginning to cause confusion among blog writers and readers.&lt;br /&gt;&lt;br /&gt;This supposed 'malicious code', discovered last January, is simply a joke created by a Dutch author which suggests inserting an animated graphic in blogs.&lt;br /&gt;&lt;br /&gt;The graphic is a picture of a virus that makes a series of comments, such as how it intends to dominate the blogs around the world.&lt;br /&gt;&lt;br /&gt;PandaLabs reminds users that even though this 'virus' poses no threat, there is a possibility that by exploiting the impact of this joke on many blogs, the same technique might be used to spread genuinely damaging malicious code.&lt;br /&gt;&lt;br /&gt;To avoid such possible problems, PandaLabs advises 
users not to insert references to third-party code on personal web pages, even if they are simply jokes.&lt;br /&gt;&lt;br /&gt;For those who want to insert items from other sites, it is important to ensure that no calls are made to remote servers and that the content is hosted on the author's server.&lt;br /&gt;&lt;br /&gt;According to Luis Corrons, "the malware situation is currently quite delicate, as complex social engineering techniques are frequently used and it is possible that malicious code could be spread involuntarily among circles of blog writers exchanging information."</content><link rel='related' href='http://www.netsense.info' title='False Blog Virus Does Indicate Blogging Threat'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114563332941489785'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114563332941489785'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/04/false-blog-virus-does-indicate.html' title='False Blog Virus Does Indicate Blogging Threat'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114554597865021826</id><published>2006-04-20T11:11:00.000-04:00</published><updated>2006-04-20T11:12:58.996-04:00</updated><title type='text'>Apple OS X Java VM Security Update</title><content type='html'>Apple has released Java 2 Standard Edition (J2SE) Release 4 for Mac OS X v10.4.5. As well as the performance and compatibility improvements it includes, this update also resolves several vulnerabilities in the Java virtual machine.&lt;br /&gt;&lt;br /&gt;One of the advantages of Java applets is that they are multi-platform, as their precompiled code is parsed by the virtual machine, independently from the hardware or operating system used.&lt;br /&gt;&lt;br /&gt;What's more, to prevent damaging or unsolicited actions, the Java virtual machine establishes a closed environment, known as a 'sandbox', that blocks indirect and indiscriminate access to system resources, such as arbitrary writing to files.&lt;br /&gt;&lt;br /&gt;The vulnerability corrected by this update could allow an untrusted Java applet to elevate its privileges, carrying out actions that it should not be able to carry out, such as reading and writing to files or executing local applications.&lt;br /&gt;&lt;br /&gt;Sun Microsystems has published an alert notification about these vulnerabilities, which is available at &lt;a href="http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1"&gt;http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The new version J2SE 5.0 Release 4, which corrects the problems in Mac OS X v10.4.5, has been published by Apple and can be downloaded from &lt;a href="http://www.apple.com/support/downloads/"&gt;http://www.apple.com/support/downloads/&lt;/a&gt;
</content><link rel='related' href='http://www.netsense.info' title='Apple OS X Java VM Security Update'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114554597865021826'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114554597865021826'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/04/apple-os-x-java-vm-security-update.html' title='Apple OS X Java VM Security Update'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114547903979973429</id><published>2006-04-19T16:35:00.000-04:00</published><updated>2006-04-19T16:37:20.150-04:00</updated><title type='text'>Oracle Fixes 30 Security Flaws</title><content type='html'>In line with its policy to release updates every quarter, Oracle offers several updates that resolve multiple vulnerabilities in its products. According to the advisory released by Oracle, the updates correct over 30 security flaws in the products in the Oracle range.&lt;br /&gt;&lt;br /&gt;The full list of products affected by the security problems and additional information are available in the advisory published by Oracle at &lt;a 
href="http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html"&gt;http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Many of the security problems are critical, as they could allow access and modification of confidential data or control of the system.&lt;br /&gt;&lt;br /&gt;According to Oracle, certain conditions, such as run permissions or a valid session, are required in order to successfully exploit many of these vulnerabilities.&lt;br /&gt;&lt;br /&gt;Due to the high number of security flaws resolved and the severity of some of these vulnerabilities, we recommend that all users of affected products refer to the Oracle advisory and install the corresponding updates as soon as possible.
</content><link rel='related' href='http://www.netsense.info' title='Oracle Fixes 30 Security Flaws'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114547903979973429'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114547903979973429'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/04/oracle-fixs-30-security-flaws.html' title='Oracle Fixes 30 Security Flaws'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114536654744087013</id><published>2006-04-18T09:20:00.000-04:00</published><updated>2006-04-18T09:22:27.730-04:00</updated><title type='text'>Military Secrets For Sale In Afghan Bazaar</title><content type='html'>Stolen computer drives containing classified military assessments of enemy targets, names of corrupt Afghan officials and descriptions of American defenses are on sale at a local bazaar in Bagram, according to information provided by &lt;a href="http://www.latimes.com"&gt;www.latimes.com&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The owners of the shops claim that Afghan cleaners, garbage collectors and workers from a military base offer them a wide range of goods, flash memory included.&lt;br /&gt;&lt;br /&gt;These drives are sold as second-hand goods. 
The drives could include data on military actions, Social Security numbers and other military personnel information.&lt;br /&gt;&lt;br /&gt;As portable storage devices are particularly susceptible to loss or theft, we recommend that all sensitive information should be encrypted or stored in other storage devices with greater security.</content><link rel='related' href='http://adware.netsense.info' title='Military Secrets For Sale In Afghan Bazaar'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114536654744087013'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114536654744087013'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/04/military-secrets-for-sale-in-afghan.html' title='Military Secrets For Sale In Afghan Bazaar'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114529385685589738</id><published>2006-04-17T13:08:00.000-04:00</published><updated>2006-04-17T13:10:57.326-04:00</updated><title type='text'>Zone Alarm by Zone Labs</title><content type='html'>&lt;strong&gt;Zone Alarm Overview&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Zone Alarm by Zone Labs is the top-rated personal firewall. Zone Alarm has consistently won every top award from PC Magazine, CNET, PC World, Wired Magazine and others since 2000.&lt;br /&gt;&lt;br /&gt;Zone Alarm Pro is their top of the line firewall offering.&lt;br /&gt;&lt;br /&gt;Zone Alarm Pro provides complete PC security to novice and experienced users alike. Zone Labs offers a free version of ZoneAlarm as well as the Pro version.&lt;br /&gt;&lt;br /&gt;There is also a Zone Alarm Security Suite that includes anti-virus protection and additional system security features and capabilities.&lt;br /&gt;&lt;br /&gt;You can also purchase other security products from Zone Labs such as Pest Patrol or Cloudmark's SpamNet offerings. Special Zone Alarm Pro bundles include substantial discounts or rebates on the additional products and on Zone Alarm Pro itself.&lt;br /&gt;&lt;br /&gt;At various times, Zone Labs offers special promotional discounts on Zone Alarm Pro.&lt;br /&gt;&lt;br /&gt;The standard price of $49.95 may be reduced by $10, $20 or even as much as $30.&lt;br /&gt;&lt;br /&gt;The best way to search for these special rebates on Zone Alarm Pro is to check a non-menu page at Zone Labs that lists all the current special promos.&lt;br /&gt;&lt;br /&gt;Click here to browse all the &lt;a href="http://zone-alarm.netsense.info/zone-alarm-key.html"&gt;Zone Alarm&lt;/a&gt; specials.
</content><link rel='related' href='http://zone-alarm.netsense.info' title='Zone Alarm by Zone Labs'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114529385685589738'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114529385685589738'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/04/zone-alarm-by-zone-labs.html' title='Zone Alarm by Zone Labs'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114519930831116107</id><published>2006-04-16T10:52:00.000-04:00</published><updated>2006-04-16T10:55:16.380-04:00</updated><title type='text'>Adware Removal Tips</title><content type='html'>&lt;strong&gt;Adware Removal Tips&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The key to adware removal is using a quality program with updated definition files.&lt;br /&gt;&lt;br /&gt;Adware removal is difficult if you're using a free software download that doesn't include all the latest threats. 
At present, there are more than 67,000 adware removal definitions in the top programs.&lt;br /&gt;&lt;br /&gt;Most of the free downloads have search files with roughly 30,000 definitions. If you're serious about removing ad-ware and spyware, then you want the best adware removal program, not a free download.&lt;br /&gt;&lt;br /&gt;The best product for ad-ware removal is No Adware.&lt;br /&gt;&lt;br /&gt;Important features in tools for ad-ware removal include:&lt;br /&gt;Automatic update of pest control definition files&lt;br /&gt;Scheduled scans for adware removal&lt;br /&gt;Scan on the fly - search files or downloads for hidden pests&lt;br /&gt;Free trial download - Try it out for free&lt;br /&gt;&lt;br /&gt;No Adware has these features and more, plus you can try it for free.&lt;br /&gt;&lt;br /&gt;Click here for &lt;a href="http://adware.netsense.info/noadware.html"&gt;Adware&lt;/a&gt; removal.&lt;br /&gt;&lt;br /&gt;Use the free trial option to see how effective No Adware is at removing every type of ad-ware pest. No Adware really is the best tool for ad-ware or spyware removal. Try it for free and see for yourself right now.&lt;br /&gt;&lt;br /&gt;Click here for &lt;a href="http://adware.netsense.info/noadware.html"&gt;Free Adware Removal&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Here's a quick recap of the ad-ware removal features:&lt;br /&gt;Largest definition file - Keeps you safe&lt;br /&gt;Automatic updates - Keeps you current&lt;br /&gt;Auto scan option - Set and forget - No worries&lt;br /&gt;Custom scan option - Search entire drive or just a folder&lt;br /&gt;Automatic backups - Allows full system restore if needed&lt;br /&gt;Extensive customer support - Help is always available&lt;br /&gt;&lt;br /&gt;You know you need a good ad-ware removal solution. You can try No Adware for free. 
Go ahead and try it.&lt;br /&gt;&lt;br /&gt;Decide for yourself if it's what you need.&lt;br /&gt;&lt;br /&gt;Click here for the best &lt;a href="http://adware.netsense.info/noadware.html"&gt;Adware&lt;/a&gt; solution.</content><link rel='related' href='http://adware.netsense.info' title='Adware Removal Tips'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114519930831116107'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114519930831116107'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/04/adware-removal-tips.html' title='Adware Removal Tips'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114514389614344445</id><published>2006-04-15T19:28:00.000-04:00</published><updated>2006-04-15T19:31:36.680-04:00</updated><title type='text'>Current Viruses and Intrusions</title><content type='html'>Weekly report summarizing the most significant events in the world of computer viruses and intrusions.&lt;br /&gt;&lt;br /&gt;This week's report examines a malicious code that can infect both Linux and Windows platforms, as well as the 
vulnerabilities corrected by Microsoft in its latest security bulletins.&lt;br /&gt;&lt;br /&gt;The malicious code called &lt;strong&gt;Biwili.A&lt;/strong&gt; stands out for its ability to infect both Linux and Windows platforms.&lt;br /&gt;&lt;br /&gt;Despite claims in the media to the contrary, this capability is not entirely new, as in 2001 a malicious code called "ELF/Winux.2784" appeared which was also able to infect both platforms.&lt;br /&gt;&lt;br /&gt;Biwili.A is no normal malicious code, as it falls into the category of "proof of concept".&lt;br /&gt;&lt;br /&gt;This means that it is really a test so that other malicious code can be created using the techniques employed to craft Biwili.A. This malicious code infects PE (Portable Executable) and ELF (Executable and Linking Format) files in the directory in which it is located.&lt;br /&gt;&lt;br /&gt;Interestingly, PandaLabs has explained that this is a virus of the 'old school', unlike the Trojans or worms that are frequently seen nowadays, as in order to spread it infects executable files adding its code behind the file header, a typical trait of classic viruses.&lt;br /&gt;&lt;br /&gt;Fortunately, Biwili.A has no destructive effects and merely serves to demonstrate its capabilities.&lt;br /&gt;&lt;br /&gt;It is a proof of concept highlighting the fact that it is possible to create a virus that can affect both Linux and Windows platforms.&lt;br /&gt;&lt;br /&gt;Nevertheless, it is possible that in the future we will see malicious code based on the concept of Biwili.A.&lt;br /&gt;&lt;br /&gt;On the other hand, Panda Software's weekly report on viruses and intruders also looks at the security bulletins released by Microsoft. These bulletins offer five updates for the company's products.&lt;br /&gt;&lt;br /&gt;The first of these (bulletin MS06-013) is the much-awaited update for Internet Explorer to correct serious vulnerabilities through which an attacker could take control of a compromised system. 
An attacker could therefore install programs with serious consequences or carry out any task without the user realizing.&lt;br /&gt;&lt;br /&gt;The second, in bulletin MS06-013, corrects an error in MDAC (Microsoft Data Access Components) that can also allow a user to run code on affected systems (Microsoft Data Access Components, Microsoft Windows 2000, Windows Server 2003 and Windows XP).&lt;br /&gt;&lt;br /&gt;A third vulnerability, also critical as it allows the remote execution of code, affects Windows Explorer and is described in "Microsoft Security Bulletin MS06-015".&lt;br /&gt;&lt;br /&gt;It affects Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows 98 and Windows ME. Other vulnerabilities, less serious according to Microsoft, affect Outlook Express (described in bulletin MS06-015) and FrontPage Server extensions (in bulletin MS06-017).</content><link rel='related' href='http://www.netsense.info' title='Current Viruses and Intrusions'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114514389614344445'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114514389614344445'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/04/current-viruses-and-intrusions.html' title='Current Viruses and Intrusions'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114502704386170668</id><published>2006-04-14T11:02:00.000-04:00</published><updated>2006-04-14T11:04:04.326-04:00</updated><title type='text'>Free PC Security eBook</title><content type='html'>Good info on how to protect your PC from viruses, adware, spyware, phishing attacks, spam, and browser hijacks.&lt;br /&gt;&lt;br /&gt;Plus it's free!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.spamvirushelp.com/free-ebook.html"&gt;http://www.spamvirushelp.com/free-ebook.html&lt;/a&gt;</content><link rel='related' href='http://www.spamvirushelp.com/free-ebook.html' title='Free PC Security eBook'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114502704386170668'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114502704386170668'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/04/free-pc-security-ebook.html' title='Free PC Security eBook'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114494885490566088</id><published>2006-04-13T13:19:00.000-04:00</published><updated>2006-04-13T13:20:55.400-04:00</updated><title type='text'>PHPList Vulnerability</title><content type='html'>A critical vulnerability has been detected in PHPlist (&lt;a href="http://tincan.co.uk/phplist"&gt;http://tincan.co.uk/phplist&lt;/a&gt;), a double opt-in newsletter manager, which could allow a remote attacker to execute arbitrary code and compromise system security.&lt;br /&gt;&lt;br /&gt;The problem stems from a lack of validation or normalization of data gathered through several input parameters.&lt;br /&gt;&lt;br /&gt;This is a typical and well-known vulnerability in Web applications and is exploited, for example, using SQL injection in online forms.&lt;br /&gt;&lt;br /&gt;In the case we are looking at here, the affected parameters are "database_module" and "language_module".&lt;br /&gt;&lt;br /&gt;If the "register_globals" option is enabled, a remote user
could construct a URL to execute arbitrary code on the server hosting the vulnerable PHPlist application.&lt;br /&gt;&lt;br /&gt;According to the original advisory, the vulnerability affects PHPlist versions 2.10.2 and earlier.&lt;br /&gt;&lt;br /&gt;Until a new version or official patch is available to correct the problem, users are advised to disable the "register_globals" option or modify the code to properly filter the affected parameters.</content><link rel='related' href='http://www.netsense.info' title='PHPList Vulnerability'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114494885490566088'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114494885490566088'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/04/phplist-vulnerability.html' title='PHPList Vulnerability'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114484991578591786</id><published>2006-04-12T09:48:00.000-04:00</published><updated>2006-04-12T09:51:56.166-04:00</updated><title type='text'>Five New Microsoft Security Patches</title><content 
type='html'>Microsoft has released five updates for its products.&lt;br /&gt;&lt;br /&gt;The first of these, according to "Microsoft Security Bulletin MS06-013", is the much-awaited update for Internet Explorer to correct serious vulnerabilities through which an attacker could take control of a compromised system, installing programs with serious consequences or launching tasks without the system owner realizing.&lt;br /&gt;&lt;br /&gt;The second, in bulletin MS06-013, corrects an error in MDAC (Microsoft Data Access Components) that can also allow a user to run code on affected systems (Microsoft Data Access Components, Microsoft Windows 2000, Windows Server 2003 and Windows XP).&lt;br /&gt;&lt;br /&gt;A third vulnerability, also critical as it allows the remote execution of code, affects Windows Explorer and is described in "Microsoft Security Bulletin MS06-015".&lt;br /&gt;&lt;br /&gt;It affects Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows 98 and Windows ME. Other vulnerabilities, less serious according to Microsoft, affect Outlook Express (described in bulletin MS06-015) and FrontPage Server extensions (in bulletin MS06-017).&lt;br /&gt;&lt;br /&gt;We would like to draw readers' attention to the seriousness of these problems and remind them to install updates as soon as possible.
In this case it is particularly important, as by allowing the installation of programs, these vulnerabilities create the perfect environment for the entry of new malware used in cyber-crime.&lt;br /&gt;&lt;br /&gt;Further information about these bulletins is available at: &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms06-apr.mspx"&gt;http://www.microsoft.com/technet/security/bulletin/ms06-apr.mspx&lt;/a&gt;</content><link rel='related' href='http://www.netsense.info' title='Five New Microsoft Security Patches'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114484991578591786'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114484991578591786'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/04/five-new-microsoft-security-patches.html' title='Five New Microsoft Security Patches'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114463994052200960</id><published>2006-04-09T23:29:00.000-04:00</published><updated>2006-04-09T23:32:20.850-04:00</updated><title type='text'>Current Virus &amp; Trojan 
Attacks</title><content type='html'>This week's report about viruses and intruders is a reflection of the current trend of criminalization of malware.&lt;br /&gt;&lt;br /&gt;The creators of malicious code, bored perhaps with the futility of their craft, have opted to concentrate their efforts on digital theft.&lt;br /&gt;&lt;br /&gt;The first example, the &lt;strong&gt;Banbra.BZY&lt;/strong&gt; Trojan, searches Internet Explorer screens for certain text, to see if the user is accessing certain online banking services.&lt;br /&gt;&lt;br /&gt;If they are, users will see a web page identical to the one they were trying to access, which asks them to enter their data.&lt;br /&gt;&lt;br /&gt;In this way, the creator of the malicious code can obtain the information needed to access the bank account as if they were the legitimate account holder.&lt;br /&gt;&lt;br /&gt;Banbra.BZY does not spread automatically under its own steam, in the way that worms or traditional viruses do, but needs to be installed deliberately on the system.&lt;br /&gt;&lt;br /&gt;This technique can be highly dangerous, as it is possible for a criminal to take advantage of a user (or company) using this code, thereby clearly entering the category of targeted attack.&lt;br /&gt;&lt;br /&gt;Panda Software has created an animation highlighting the dangers of this type of attack, which is available at: &lt;a href="http://www.pandasoftware.es/descargas/presentacionataques"&gt;http://www.pandasoftware.es/descargas/presentacionataques&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The next example of malware we are looking at in this week's Panda Software report is &lt;strong&gt;Mytob.NP&lt;/strong&gt;.&lt;br /&gt;&lt;br /&gt;This worm, once installed on a computer, connects to another system to receive commands through which an attacker could take complete control of the compromised computer.&lt;br /&gt;&lt;br /&gt;To avoid detection, Mytob.NP terminates certain security processes, including those belonging to 
antivirus and firewall applications.&lt;br /&gt;&lt;br /&gt;Mytob.NP reaches computers in a message that appears to come from the security department of the domain of the target user's mail account.&lt;br /&gt;&lt;br /&gt;This false message tries to get users to go to a website, apparently inoffensive, that really points to a web page from which the malicious code will be downloaded.&lt;br /&gt;&lt;br /&gt;Finally, this week's report looks at data provided by PandaLabs on &lt;strong&gt;KurtAgent.A&lt;/strong&gt;, a password-stealer Trojan.&lt;br /&gt;&lt;br /&gt;This Trojan logs users' keystrokes and can therefore record passwords entered. It also obtains other types of information, such as the addresses of websites visited, email accounts, etc.&lt;br /&gt;&lt;br /&gt;KurtAgent.A also uses other malicious code to obtain information. KurtAgent.A needs to be spread by an attacker as it cannot spread itself automatically.</content><link rel='related' href='http://www.netsense.info' title='Current Virus &amp; Trojan Attacks'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114463994052200960'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114463994052200960'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/04/current-virus-trojan-attacks.html' title='Current Virus &amp; Trojan Attacks'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114441666969197083</id><published>2006-04-07T09:29:00.000-04:00</published><updated>2006-04-07T09:31:11.336-04:00</updated><title type='text'>Apple OS X Security Update</title><content type='html'>Apple has released a security update for Mac OS X to correct a series of problems and vulnerabilities and include improvements.
These updates are available at &lt;a href="http://www.apple.com/support/downloads/"&gt;http://www.apple.com/support/downloads/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;It is recommended to install the Mac OS X Server 10.4.6 Server Update on all servers as it includes general operating system fixes and improvements and updates for applications, services and technologies.&lt;br /&gt;&lt;br /&gt;The operating system security flaw that has been corrected is related to the firmware password, which can be bypassed on Intel-based Macintosh computers.&lt;br /&gt;&lt;br /&gt;The updates and improvements include updates of access controls, authentication and login in Open Directory and Active Directory environments; stability of NFS services; memory leakage during heavy FTP use; improved print quotas; a launchd fix that prevents periodic scripts from running at the wrong time or not running at all, etc.&lt;br /&gt;&lt;br /&gt;We recommend that users update their systems, taking the appropriate measures to prevent malfunctioning due to incorrect installation of the updates.&lt;br /&gt;&lt;br /&gt;All the information released by Apple about this update is available at &lt;a href="http://docs.info.apple.com/article.html?artnum=303567"&gt;http://docs.info.apple.com/article.html?artnum=303567&lt;/a&gt; and &lt;a href="http://docs.info.apple.com/article.html?artnum=303160"&gt;http://docs.info.apple.com/article.html?artnum=303160&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Information about Mac OS X 10.4.6 Update for Intel-based Macs and PowerPC-based Macs at: &lt;a href="http://docs.info.apple.com/article.html?artnum=303411"&gt;http://docs.info.apple.com/article.html?artnum=303411&lt;/a&gt;</content><link rel='related' href='http://www.netsense.info' title='Apple OS X Security Update'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114441666969197083'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114441666969197083'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/04/apple-os-x-security-update_07.html' title='Apple OS X Security Update'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114420993907170273</id><published>2006-04-05T00:02:00.000-04:00</published><updated>2006-04-05T00:05:39.290-04:00</updated><title type='text'>Back From Vacation</title><content type='html'>Back from a week's vacation in beautiful &lt;a href="http://www.wilminton-nc.info"&gt;Wilmington NC&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Time to get back to work again.&lt;br /&gt;&lt;br /&gt;That's always a hard grind after overeating, getting sunburned, and drinking too much beer.&lt;br /&gt;&lt;br /&gt;Gotta get to work with these &lt;a href="http://www.diet-lose-weight.info"&gt;dieting tips&lt;/a&gt; and get rid of the old spare tire before summer hits.&lt;br /&gt;&lt;br /&gt;later...</content><link rel='related' href='http://www.wilmington-nc.info' title='Back From Vacation'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114420993907170273'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114420993907170273'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/04/back-from-vacation.html' title='Back From Vacation'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114324626111707195</id><published>2006-03-24T19:22:00.000-05:00</published><updated>2006-03-24T19:24:21.576-05:00</updated><title type='text'></title><content type='html'>RealNetworks has published updates to fix several vulnerabilities found in its multimedia players.&lt;br /&gt;&lt;br /&gt;Even though they claim not to have received any actual reports of incidents related to these security flaws yet, we recommend all affected users apply these patches.&lt;br /&gt;&lt;br /&gt;The first of the flaws fixed could allow a local user to extend their privileges, whereas the three others are related to buffer overruns in players when processing different types of files.&lt;br /&gt;&lt;br /&gt;We recommend that users of RealPlayer, RealOnePlayer, Rhapsody and Helix Player check the availability of updates, with the exception of users of versions for Nokia Series60 and Palm, which are not vulnerable.&lt;br /&gt;&lt;br /&gt;The whole 
list of vulnerable products and download and installation instructions (for Windows, Mac and Linux) are detailed in the RealNetworks official notification, at &lt;a href="http://www.service.real.com/realplayer/security/03162006_player/en/"&gt;http://www.service.real.com/realplayer/security/03162006_player/en/&lt;/a&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114324626111707195'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114324626111707195'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/03/realnetworks-has-published-updates-to.html' title=''/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114313141784238222</id><published>2006-03-23T11:26:00.000-05:00</published><updated>2006-03-23T11:30:18.900-05:00</updated><title type='text'>Sendmail Critical Vulnerability</title><content type='html'>The new version of Sendmail, 8.13.6, corrects a critical vulnerability that could allow an attacker to gain control of affected systems and access the email messages in the mailboxes hosted on the server.&lt;br /&gt;&lt;br 
/&gt;Sendmail is one of the most popular MTAs (Mail Transfer Agent) and is widely used in Internet mail servers, especially in UNIX environments, but there is also a version for Windows.&lt;br /&gt;&lt;br /&gt;The vulnerability has been detected in version 8; or more precisely, versions prior to 8.13.6.&lt;br /&gt;&lt;br /&gt;This problem would allow an attacker to run arbitrary code and totally compromise affected servers.&lt;br /&gt;&lt;br /&gt;Sendmail versions for Windows are not vulnerable.&lt;br /&gt;&lt;br /&gt;The Sendmail Consortium urges all users to upgrade to Sendmail 8.13.6.&lt;br /&gt;&lt;br /&gt;If this is not possible, specific patches to correct the vulnerability in versions 8.12 and 8.13 are also available.&lt;br /&gt;&lt;br /&gt;More information about the vulnerability, upgrade and patches is available in the original advisory at: &lt;a href="http://www.sendmail.org/8.13.6.html"&gt;http://www.sendmail.org/8.13.6.html&lt;/a&gt;</content><link rel='related' href='http://unsecure.blogspot.com' title='Sendmail Critical Vulnerability'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114313141784238222'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114313141784238222'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/03/sendmail-critical-vulnerability.html' title='Sendmail Critical Vulnerability'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114296405126701042</id><published>2006-03-21T12:59:00.000-05:00</published><updated>2006-03-21T13:00:51.660-05:00</updated><title type='text'>BEA WebLogic Vulnerabilities Patched</title><content type='html'>BEA has released six bulletins warning of vulnerabilities affecting WebLogic Server 6.1, 7.0, 8.1 and WebLogic Portal 8.1 which could allow access to sensitive information, enable security restrictions to be avoided or cause denial of service.&lt;br /&gt;&lt;br /&gt;- Bulletin BEA06-105.1 reports that specially crafted HTTP requests may be used to launch HTTP Request Smuggling attacks on the server. This affects WebLogic Server 8.1, 7.0 and 6.1. The bulletin is available at: http://dev2dev.bea.com/pub/advisory/177&lt;br /&gt;&lt;br /&gt;- Bulletin BEA06-107.01 refers to the fact that an attacker is allowed too many invalid login attempts. This affects WebLogic Server 8.1 and 7.0.
The bulletin is available at: http://dev2dev.bea.com/pub/advisory/178&lt;br /&gt;&lt;br /&gt;- Bulletin BEA06-111.01 warns that the server log could be viewed remotely. This affects WebLogic Server 8.1, 7.0 and 6.1. The bulletin is available at: http://dev2dev.bea.com/pub/advisory/179&lt;br /&gt;&lt;br /&gt;- Bulletin BEA06-120.00 describes an internal servlet that allows access to the Windows local file system. This affects WebLogic Server 6.1. http://dev2dev.bea.com/pub/advisory/180&lt;br /&gt;&lt;br /&gt;- Bulletin BEA06-122.00 reports an unauthorized access vulnerability in WebLogic Portal 8.1 sites using Portlets JSR-168. http://dev2dev.bea.com/pub/advisory/182&lt;br /&gt;&lt;br /&gt;- Bulletin BEA06-123.00 concerns a denial of service vulnerability due to consumption of all memory resources on parsing malicious XML documents. This affects WebLogic Server 8.1, 7.0 and 6.1. The bulletin is available at: http://dev2dev.bea.com/pub/advisory/183&lt;br /&gt;&lt;br /&gt;Users affected by the problems in WebLogic Server and WebLogic Portal should refer to the BEA bulletins, available from http://dev2dev.bea.com/advisoriesnotifications/, and take the security measures indicated.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114296405126701042'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114296405126701042'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/03/bea-weblogic-vulnerabilities-patched.html' title='BEA WebLogic Vulnerabilities Patched'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114286287664768325</id><published>2006-03-20T08:47:00.000-05:00</published><updated>2006-03-20T08:54:37.030-05:00</updated><title type='text'>Online Security: New Viruses &amp; Trojans</title><content type='html'>MADRID, March 19, 2006 - Panda Software has published the report that it prepares every week on the most significant viruses and intrusions.&lt;br /&gt;&lt;br /&gt;Based on the information compiled by PandaLabs, this week three Trojans with very different functions stand out: &lt;strong&gt;CXOver.A&lt;/strong&gt;, &lt;strong&gt;Banker.CHG&lt;/strong&gt; and &lt;strong&gt;Cryzip.A&lt;/strong&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;CXOver.A&lt;/strong&gt; is a malicious code that spreads using ActiveSync connections between computers with the .NET platform installed and mobile devices, such as PDAs or cell phones.&lt;br /&gt;&lt;br /&gt;When it is run, it checks if the computer is connected to a mobile device through ActiveSync and creates a copy of itself on the device.&lt;br /&gt;&lt;br /&gt;Then, if the affected 
mobile device is connected to another computer through ActiveSync, CXOver.A will send a copy of itself to that computer.&lt;br /&gt;&lt;br /&gt;CXOver.A deletes the files from the My Documents folder on the mobile device.&lt;br /&gt;&lt;br /&gt;The other malicious codes in today's report are other examples of the new dynamic used by malware writers.&lt;br /&gt;&lt;br /&gt;The first, &lt;strong&gt;Banker.CHG&lt;/strong&gt;, is another member of the Banker family, specialized in theft of passwords for accessing online banking systems. This Trojan goes memory resident, checking the pages accessed by the user.&lt;br /&gt;&lt;br /&gt;When the page viewed in the browser coincides with one of the URLs that Banker.CHG has stored in its code, it redirects the user to another site with the same appearance, but controlled by a hacker.&lt;br /&gt;&lt;br /&gt;Banker.CHG cannot spread automatically using its own means and therefore needs an attacker to distribute it.&lt;br /&gt;&lt;br /&gt;Finally, we have a clear example of hackers' interest in defrauding users. PandaLabs has reported the appearance of &lt;strong&gt;Cryzip.A&lt;/strong&gt;, a Trojan that compresses files with many different extensions, including CGI, DBX, DOC, DSW, JPG, MDB, PDF, TXT, XLS, etc. in a ZIP file and password protects them.&lt;br /&gt;&lt;br /&gt;Users cannot open the files until they get the password by following the instructions left by Cryzip.A in a text file.
If this Trojan has infected your computer, the password for decompressing the files is C:\Program Files\Microsoft Visual Studio\VC98.&lt;br /&gt;&lt;br /&gt;As well as these malicious codes, PandaLabs has warned users of two vulnerabilities that have been corrected by Microsoft.&lt;br /&gt;&lt;br /&gt;The first, as reported in Microsoft Security Bulletin MS06-011, corrects an error that could allow an attacker to gain control of the affected system.&lt;br /&gt;&lt;br /&gt;An attacker could therefore install programs with serious consequences or carry out any task without the user realizing.&lt;br /&gt;&lt;br /&gt;The systems affected are Microsoft Windows XP Service Pack 1 and Microsoft Windows Server 2003 (also the version for Itanium systems). More information and the updates that fix the error are available at &lt;a href="http://www.microsoft.com/technet/security/Bulletin/ms06-011.mspx"&gt;http://www.microsoft.com/technet/security/Bulletin/ms06-011.mspx&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The second update, reported in the bulletin MS06-012, corrects an error similar to the one above, as it could also allow an attacker to gain control of the system, if users log on as the system administrator.&lt;br /&gt;&lt;br /&gt;According to the second bulletin, the systems affected are Office 2000 SP 3, Office XP SP 3, Office 2003 SP 1 or 2 and Microsoft Works Suites, versions 2000 to 2006.&lt;br /&gt;&lt;br /&gt;Office for Mac (versions X and 2004) is also affected.&lt;br /&gt;&lt;br /&gt;PandaLabs has stressed the severity of these security problems. It also reminds users to install the updates as soon as possible.
In this case, it is particularly important, because by allowing programs to be installed, these vulnerabilities are the perfect scenario for falling victim to new malware dedicated to cyber-crime.</content><link rel='related' href='http://www.spamvirushelp.com/online-security.htm' title='Online Security: New Viruses &amp; Trojans'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114286287664768325'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114286287664768325'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/03/online-security-new-viruses-trojans.html' title='Online Security: New Viruses &amp; Trojans'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114269977400144953</id><published>2006-03-18T11:31:00.000-05:00</published><updated>2006-03-18T11:36:14.290-05:00</updated><title type='text'>AIM Virus Removal</title><content type='html'>&lt;p&gt;&lt;strong&gt;AIM Profile Virus - Manual Removal Instructions:&lt;/strong&gt;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;Press the CTRL, ALT, and DEL keys at the same time to bring up the task 
manager.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Click on the Processes tab (Windows 2000/XP), and find 'b.exe', 'bbb.exe' or 'av.exe' and kill the process.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Go to C:\Windows and delete 'b.exe' and 'bbb.exe' or 'av.exe' (or do a search for the virus: click Start &gt; Search &gt; look up each virus individually). Delete these files when you find them.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Click Start, then click on Run, type in "Msconfig" in the box and press ENTER. When the box comes up, click on the "Startup" tab and look for "b.exe", "bbb.exe" or "av.exe" listed (possibly listed under "antivirus") then uncheck the box to the left. (Windows 98/XP only)&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Clear your profile (or make a new one) and restart.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;When the msconfig box comes up after restart just check the box telling it not to come up again.&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;br /&gt;&lt;strong&gt;AIM Virus Removal - Automated&lt;br /&gt;&lt;/strong&gt;How to automatically remove an AOL Profile Virus:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;Run the RSA &lt;a href="http://www.rsaisp.com/software.asp"&gt;AOL Profile Fix Tool&lt;/a&gt;.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Open &amp;amp; run the fix tool.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Choose to open the file, NOT save.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;If you are running Windows 95/98/ME, you need to be in Safe Mode.&lt;br /&gt;Save the above file to a disk and run it from safe mode.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Edit Your AIM Profile - Change your profile back to what you want. Make sure you delete the link from your AIM profile or your friends will get infected! 
&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;More details at the article link.&lt;/p&gt;</content><link rel='related' href='http://www.spamvirushelp.com/aim-virus.htm' title='AIM Virus Removal'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114269977400144953'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114269977400144953'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/03/aim-virus-removal.html' title='AIM Virus Removal'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114262086073312460</id><published>2006-03-17T13:31:00.000-05:00</published><updated>2006-03-17T13:46:00.820-05:00</updated><title type='text'>Homeland Security A Computer Security Failure</title><content type='html'>&lt;strong&gt;U.S. cyber-security dismal: House report&lt;br /&gt;&lt;/strong&gt;Many federal agencies received low marks from a congressional committee Thursday on their cyber-security.&lt;br /&gt;&lt;br /&gt;The 24 agencies were assessed on their levels of compliance with a federal computer system security act. 
Alan Paller, director of research for the Bethesda, Md.-based SANS Institute, told GovExec.com that agencies spend all their computer security funding producing reports mandated under the law and don't have the money necessary to secure their computer systems.&lt;br /&gt;&lt;br /&gt;The 24 agencies graded by the U.S. House Government Reform Committee for their compliance with the 2002 Federal Information Security Management Act fell largely in either the lowest or highest categories, with the government earning an overall grade of D+, the same mark as last year.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Eight agencies received Fs:&lt;/strong&gt; the departments of Agriculture, Defense, Energy, Health and Human Services, &lt;strong&gt;Homeland Security&lt;/strong&gt;, Interior, State and Veterans Affairs.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Another five agencies received Ds:&lt;/strong&gt; the &lt;strong&gt;Nuclear Regulatory Commission&lt;/strong&gt; and the departments of Commerce, Housing and Urban Development, &lt;strong&gt;Justice&lt;/strong&gt; and &lt;strong&gt;Treasury&lt;/strong&gt;, GovExec.com said.&lt;br /&gt;&lt;br /&gt;Five agencies were awarded A+ grades: the Agency for International Development, Environmental Protection Agency, Labor Department, Office of Personnel Management and Social Security Administration.&lt;br /&gt;&lt;br /&gt;But Bruce Brody, vice president of information security at INPUT, a Reston, Va.-based government market analysis firm, told GovExec.com the cyber-security grades were "much ado about nothing."&lt;br /&gt;&lt;br /&gt;Well versed in government blame-shifting techniques, Brody recently left the chief information security officer position at the Energy Department.&lt;br /&gt;&lt;br /&gt;"You can get a good FISMA grade with a lot of paperwork, but that doesn't mean you are secure," Brody said.&lt;br /&gt;&lt;br /&gt;"FISMA has done a really good job in focusing attention and getting people at the more senior levels aware of 
information security, but it needs to evolve to where it is more than a paperwork exercise."&lt;br /&gt;&lt;br /&gt;Guess while he was Chief Information Security Officer at Energy that he never heard of documenting the network, intrusion detection, and a number of other best practices.&lt;br /&gt;&lt;br /&gt;That's OK though, because now he's consulting with other agencies on how to do things at the failing grade level (Energy received an "F").</content><link rel='related' href='http://www.spamvirushelp.com' title='Homeland Security A Computer Security Failure'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114262086073312460'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114262086073312460'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/03/homeland-security-computer-security.html' title='Homeland Security A Computer Security Failure'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114251652866244947</id><published>2006-03-16T08:37:00.000-05:00</published><updated>2006-03-16T08:42:09.443-05:00</updated><title 
type='text'>Microsoft Patches Windows XP (Again)</title><content type='html'>Microsoft has published two updates for its products. The first of these, according to "Microsoft Security Bulletin MS06-011", corrects an error through which an attacker could take control of the affected system.&lt;br /&gt;&lt;br /&gt;The attacker could install programs with serious consequences, or carry out any type of task without the owner of the system realizing. The systems affected are Microsoft Windows XP Service Pack 1 and Microsoft Windows Server 2003 (including the version for Itanium systems).&lt;br /&gt;&lt;br /&gt;The updates to correct the error, along with further information, can be found at: &lt;a href="http://www.microsoft.com/technet/security/Bulletin/ms06-011.mspx"&gt;http://www.microsoft.com/technet/security/Bulletin/ms06-011.mspx&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The second update, in bulletin MS06-012, corrects an error similar to the previous one, as it can also allow an attacker to take control of the system, in this case if the user starts a session as the administrator.&lt;br /&gt;&lt;br /&gt;According to this second bulletin, the affected systems are Office 2000 SP 3, Office XP SP 3, Office 2003 SP 1 or 2 and Microsoft Works Suites, from version 2000 to 2006.  In addition, Office for Mac (versions X and 2004) is affected.&lt;br /&gt;&lt;br /&gt;Microsoft offers more information at: &lt;a href="http://www.microsoft.com/technet/security/Bulletin/ms06-012.mspx"&gt;http://www.microsoft.com/technet/security/Bulletin/ms06-012.mspx&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;We are stressing the seriousness of these problems, and reminding users that they should install the update as soon as possible. 
It is particularly important in this case, as by allowing the installation of programs, these vulnerabilities are the perfect scenario for the entry of new malware used in cyber-crime.</content><link rel='related' href='http://www.spamvirushelp.com' title='Microsoft Patches Windows XP (Again)'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114251652866244947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114251652866244947'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/03/microsoft-patches-windows-xp-again.html' title='Microsoft Patches Windows XP (Again)'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114234702381982891</id><published>2006-03-14T09:32:00.000-05:00</published><updated>2006-03-14T09:37:04.123-05:00</updated><title type='text'>50% of AOL Users Don't Protect Their PC</title><content type='html'>A survey of AOL users in the UK shows that less than 50 percent of users deployed some kind of Internet security protection, whereas the rest do not mind leaving their computers exposed to attack and all types of 
malware.&lt;br /&gt;&lt;br /&gt;In spite of this apparent lack of concern by a large number of users, the survey also revealed that 86 percent of users are informed and concerned about IT security.&lt;br /&gt;&lt;br /&gt;However, not all of them were keen to translate that into protective solutions.&lt;br /&gt;&lt;br /&gt;One in seven of those surveyed had never heard of phishing. This comes as a surprise, as AOL users are among the main targets of phishing gangs.&lt;br /&gt;&lt;br /&gt;The conclusions of the survey call for increased awareness of antivirus protection, content security and anti-phishing mechanisms, due to the new dynamic of malware focused on financial theft and cyber-crime.</content><link rel='related' href='http://www.spamvirushelp.com' title='50% of AOL Users Don&apos;t Protect Their PC'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114234702381982891'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114234702381982891'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/03/50-of-aol-users-dont-protect-their-pc.html' title='50% of AOL Users Don&apos;t Protect Their PC'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114217350942381119</id><published>2006-03-12T09:21:00.000-05:00</published><updated>2006-03-12T09:25:19.900-05:00</updated><title type='text'>Weekly Virus &amp; Trojan Report</title><content type='html'>This week's report from Panda Software on the malicious code that has attracted most attention during the week focuses on three radically different examples of malware. One is a Trojan and the other two are worms, although with markedly different characteristics.&lt;br /&gt;&lt;br /&gt;The first of these is the &lt;strong&gt;Saros.C worm&lt;/strong&gt;, which, like others of its kind, causes security programs installed on systems to stop. This technique, by preventing antiviruses, firewalls and other security programs from operating, allows the malicious code to carry out its actions. 
It also prevents users from connecting to web pages (including those of antivirus companies).&lt;br /&gt;&lt;br /&gt;In order to spread, Saros.C uses the now classic system of sending itself out by email, as well as using P2P file-sharing programs and the mIRC chat program. It can also spread across computer networks, which represents an additional risk for companies without protection in workstations and for the ever-increasing number of home networks.&lt;br /&gt;&lt;br /&gt;The second malicious code in today's report, another worm, is called &lt;strong&gt;ComWar.M&lt;/strong&gt;. This code is designed to spread via cell phones, although only those using the Symbian 60 series operating system.&lt;br /&gt;&lt;br /&gt;To spread from phone to phone, ComWar.M uses MMS messages. Unlike the SMS system (which only uses text), MMS can be used to transmit multimedia files, such as images, text messages, videos, etc.&lt;br /&gt;&lt;br /&gt;In this case, this feature is exploited to attach and resend the infected file. Another system used by ComWar.M is transmission via Bluetooth, taking advantage of the direct connection between two phones. Propagation of ComWar.M is very limited, as in order to receive the infected messages, users have to voluntarily accept them.&lt;br /&gt;&lt;br /&gt;This security measure is implemented in Symbian 60 series to prevent the spread of possible malicious code, and therefore the classic precaution for PCs of not opening files from unknown or unreliable sources is particularly relevant for cell phones.&lt;br /&gt;&lt;br /&gt;Finally, today's report looks at the &lt;strong&gt;Banking.G Trojan&lt;/strong&gt;, which opens and listens on a random communication port. It also logs user keystrokes.&lt;br /&gt;&lt;br /&gt;The potential consequences of these actions are extremely serious, as Banking.G could enable the details that the victim uses to access online banking services to fall into the hands of hackers.  
All passwords (and other information, such as email addresses, IP addresses, etc) collected are sent to different servers for the hackers to collect.&lt;br /&gt;&lt;br /&gt;This malware is yet another example of the danger inherent in the new types of malware, which are directly related to the world of cyber-crime.  Hackers are no longer content with intruding on computers or deleting information, but are now engrossed in illicit use of IT resources.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114217350942381119'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114217350942381119'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/03/wekly-virus-trojan-report.html' title='Weekly Virus &amp; Trojan Report'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114148956820191750</id><published>2006-03-04T11:21:00.000-05:00</published><updated>2006-03-04T11:26:22.770-05:00</updated><title type='text'>Weekly Antivirus &amp; Trojan Alert</title><content type='html'>This week's report looks at a peculiar Trojan: 
&lt;strong&gt;RedBrowser.A&lt;/strong&gt;. This Trojan combines two trends that would seem to be establishing themselves in 2006: malicious code for cell phones and the malware-based business model.&lt;br /&gt;&lt;br /&gt;As announced by PandaLabs in its reports on viral trends (available at &lt;a href="http://www.pandasoftware.com/pandalabsreport"&gt;www.pandasoftware.com/pandalabsreport&lt;/a&gt;), we are now witnessing a new trend in malicious codes. In place of traditional actions such as deleting files, hackers are out to get financial returns from their creations.&lt;br /&gt;&lt;br /&gt;With this in mind, the creator of RedBrowser.A has designed an application that simulates access to WAP pages through free SMS messages.&lt;br /&gt;&lt;br /&gt;What really happens though is that a message is sent through the Short Message Service (SMS) to the number 1615. Sending a message to this number, a premium-rate number in Russia, is charged accordingly, providing succulent returns for the service provider.&lt;br /&gt;&lt;br /&gt;However, before sending the message, the user is asked for confirmation, thereby greatly reducing the potential danger of RedBrowser.A.&lt;br /&gt;&lt;br /&gt;In addition, it is easy for users to recognize the Trojan, as it reaches the phone in a file normally called REDBROWSER.JAR, and displays an on-screen image.&lt;br /&gt;&lt;br /&gt;Other clear examples of the malware business model are the Nabload.BR and Banker.CDV Trojans.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Nabload.BR&lt;/strong&gt; is a Trojan which, avoiding the firewall in Windows XP, accesses the Internet without restrictions in order to take actions including downloading &lt;strong&gt;Banker.CDV&lt;/strong&gt;.&lt;br /&gt;&lt;br /&gt;This password-stealing Trojan monitors whether users access web pages belonging to several online services, such as banks and mail services in English and German.&lt;br /&gt;&lt;br /&gt;In this way, it gets passwords, security data, information about the user and 
other confidential data. Then, it sends the information gathered to a certain web page.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114148956820191750'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114148956820191750'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/03/weekly-antivrus-trojan-alert.html' title='Weekly Antivirus &amp; Trojan Alert'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114140681994031948</id><published>2006-03-03T12:23:00.000-05:00</published><updated>2006-03-03T12:27:00.166-05:00</updated><title type='text'>Apple Patches Mac OS X Security Holes</title><content type='html'>Apple has issued a security update for Mac OS X to fix up to 15 different vulnerabilities. 
Those fixes are available at &lt;a href="http://www.apple.com/support/downloads/"&gt;http://www.apple.com/support/downloads/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Many of them solve problems that may cause different security problems, such as denial of service, arbitrary code execution, arbitrary file overwriting with "root" privileges, buffer overflows, etc.&lt;br /&gt;&lt;br /&gt;The patches are applied to several locations, including the PHP Apache module, IPSec services, WebKit and Safari.&lt;br /&gt;&lt;br /&gt;We suggest that readers update their systems, but take the correct protective backup measures to avoid malfunctions that could cause an incorrect patch application.&lt;br /&gt;&lt;br /&gt;The full information disclosed by Apple is available at &lt;a href="http://docs.info.apple.com/article.html?artnum=303382"&gt;http://docs.info.apple.com/article.html?artnum=303382&lt;/a&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114140681994031948'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114140681994031948'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/03/apple-patches-mac-os-x-security-holes.html' title='Apple Patches Mac OS X Security Holes'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114130840827834552</id><published>2006-03-02T09:00:00.000-05:00</published><updated>2006-03-02T09:06:48.506-05:00</updated><title type='text'>Top Ten Viruses in February</title><content type='html'>For the ninth month running, &lt;strong&gt;Sdbot.ftp&lt;/strong&gt; was the malware most frequently detected by the free, online antivirus Panda ActiveScan (&lt;a href="http://www.activescan.com/"&gt;www.activescan.com&lt;/a&gt;) in the computers of users around the world.&lt;br /&gt;&lt;br /&gt;Similarly, there has been a significant number of detections of &lt;strong&gt;Netsky.P&lt;/strong&gt;, one of the oldest examples of malware in the ranking.&lt;br /&gt;&lt;br /&gt;Among the rest of the threats detected, the third place occupied by &lt;strong&gt;Metafile&lt;/strong&gt; confirms how the vulnerability in the processing of WMF files is being actively exploited.&lt;br /&gt;&lt;br /&gt;Meanwhile, &lt;strong&gt;Tearec.A&lt;/strong&gt; remains in fourth place, after the commotion caused last month by its activation on the third 
of every month.&lt;br /&gt;&lt;br /&gt;During February, &lt;strong&gt;Sdbot.ftp&lt;/strong&gt; was responsible for 2.48 percent of infections. Then came the veteran &lt;strong&gt;Netsky.P&lt;/strong&gt; (1.28%), followed by other more recent threats such as &lt;strong&gt;Metafile&lt;/strong&gt; (1.24%), &lt;strong&gt;Tearec.A&lt;/strong&gt; (0.95%), &lt;strong&gt;Sober.AH&lt;/strong&gt; (0.85%) and &lt;strong&gt;Bagle.GS&lt;/strong&gt; (0.84%).&lt;br /&gt;&lt;br /&gt;Finally, with less significant frequency rates, came &lt;strong&gt;Qhost.gen&lt;/strong&gt;, &lt;strong&gt;Gaobot.gen&lt;/strong&gt;, &lt;strong&gt;Alcan.A&lt;/strong&gt; and &lt;strong&gt;Parite.B&lt;/strong&gt;.&lt;br /&gt;&lt;br /&gt;The continuing rising trend of worms is of particular significance in this month's Top Ten.&lt;br /&gt;&lt;br /&gt;While in December, six out of ten of the threats most frequently detected by Panda ActiveScan were worms, this rose in January to seven out of ten and now in February eight out of ten.&lt;br /&gt;&lt;br /&gt;The clearest example of the success of worms is &lt;strong&gt;Tearec.A&lt;/strong&gt; (CME-24), also known as Kamasutra, which spread widely using, as is common with this type of threat, social engineering techniques, in this case the lure of e-mails with erotic content.&lt;br /&gt;&lt;br /&gt;And once again social engineering is the main factor behind the persistence of &lt;strong&gt;Sober.AH&lt;/strong&gt;, a worm that caused an Orange Alert status at the end of November, and comes in the guise of, among other things, a warning from the FBI.&lt;br /&gt;&lt;br /&gt;Another code that stands out is &lt;strong&gt;Metafile&lt;/strong&gt;, an exploit or code written especially to take advantage of a security hole in GDI32.DLL. It's used by programs such as Windows Picture and Fax Viewer, affecting the following Windows platforms: 98, Millennium Edition (ME), 2000, XP and Server 2003. 
&lt;br /&gt;&lt;br /&gt;This confirms that malware creators are taking advantage of the latest vulnerabilities - in this case one affecting processing of WMF files - in order to spread their creations.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114130840827834552'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114130840827834552'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/03/top-ten-viruses-in-february.html' title='Top Ten Viruses in February'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114125470305228604</id><published>2006-03-01T18:08:00.000-05:00</published><updated>2006-03-01T18:11:43.350-05:00</updated><title type='text'>DOE Employee Pleads Guilty To Hacking</title><content type='html'>Kenneth Kwak, 34, of Chantilly, Va., pleaded guilty today in the District of Columbia federal court before U.S. District Judge Royce Lamberth to a one-count information charging him with unauthorized access to a protected computer in furtherance of a criminal or tortious act, Assistant Attorney General Alice S. 
Fisher of the Criminal Division and U.S. Attorney Kenneth L. Wainstein for the District of Columbia announced today.&lt;br /&gt;&lt;br /&gt;According to a statement of facts filed with the guilty plea, Kwak was a system auditor working on federal information security management audits as a member of the Department of Education's Office of Inspector General.&lt;br /&gt;&lt;br /&gt;Kwak placed software on his supervisor's computer which enabled him to access the computer's storage at will.&lt;br /&gt;&lt;br /&gt;He later used that access on numerous occasions to view his supervisor's e-mail and Internet activity as well as other communications, and to share those communications with others in his office.&lt;br /&gt;&lt;br /&gt;Kwak carried out his crime and invaded his supervisor's privacy for personal entertainment; there is no indication he profited financially from his actions.&lt;br /&gt;&lt;br /&gt;"This case is an example of our zero-tolerance approach to public corruption and computer hacking, and highlights the excellent working relationship between our office and the Computer Crime and Intellectual Property Section of the Criminal Division," said U.S. Attorney Wainstein.&lt;br /&gt;&lt;br /&gt;Kwak faces a maximum penalty of five years in prison and a fine of $250,000 for the crimes to which he pleaded guilty. A sentencing date has been set for May 12, 2006.&lt;br /&gt;&lt;br /&gt;The matter was investigated by the Computer Crime Investigations Division of the Department of Education's Inspector General's Office.&lt;br /&gt;&lt;br /&gt;The case was prosecuted by Senior Counsel William Yurek (cross-designated as a Special Assistant U.S. Attorney in the D.C. U.S. Attorney's Office), along with assistance by Trial Attorney Howard Cox, both of the Computer Crime and Intellectual Property Section in the DOJ Criminal Division.&lt;br /&gt;&lt;br /&gt;The prosecution was part of the "zero-tolerance policy" recently adopted by the U.S. 
Attorney's office regarding intrusions into U.S. government computer systems.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114125470305228604'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114125470305228604'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/03/doe-employee-pleads-guilty-to-hacking.html' title='DOE Employee Pleads Guilty To Hacking'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114115793009804952</id><published>2006-02-28T15:17:00.000-05:00</published><updated>2006-02-28T15:18:50.296-05:00</updated><title type='text'>Ernst &amp; Young Loses Laptops With Client Data</title><content type='html'>Once again, Ernst and Young have admitted to losing laptops containing sensitive client information.&lt;br /&gt;&lt;br /&gt;On this occasion, four laptops were lost or stolen when a group of Ernst and Young employees left a client's offices to go to lunch on February 9, leaving their laptops in the company's conference rooms. 
&lt;br /&gt;&lt;br /&gt;According to reports, minutes later two men entered the rooms and carried off the four Dell computers valued at around 7,000 euros.&lt;br /&gt;&lt;br /&gt;This kind of theft is of serious concern, as the consultancy's employees' laptops often contain confidential client information, such as Social Security numbers or other personal information, as in the previous case in which a laptop was stolen from an Ernst and Young employee's car. &lt;br /&gt;&lt;br /&gt;In this case, one of the affected clients was Scott McNealy, CEO of Sun Microsystems, whose Social Security number was compromised in this incident.&lt;br /&gt;&lt;br /&gt;It is not known what type of security Ernst &amp; Young had implemented on the four missing laptops, although it maintains that the laptop in the previous case (with McNealy's information) was password protected.&lt;br /&gt;&lt;br /&gt;In the event of the computers being recovered in this type of incident, it is important to run a full scan of the software as it could easily have been infected with malware.&lt;br /&gt;&lt;br /&gt;Moreover, some type of unknown software could have been installed and therefore before using the computer, it should be scanned with a proactive system for detecting new malicious software.
</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114115793009804952'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114115793009804952'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/ernst-young-loses-laptops-with-client.html' title='Ernst&amp; Young Loses Laptops With Client Data'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114098117400432204</id><published>2006-02-26T14:06:00.000-05:00</published><updated>2006-02-26T14:12:54.260-05:00</updated><title type='text'>Weekly Virus Threat Report</title><content type='html'>This week's report focuses on four malicious codes. The first of these, following in the wake of the code that was reported last week for Mac OS X, is &lt;strong&gt;Inqtana.A&lt;/strong&gt;. We're also looking at the bot &lt;strong&gt;SpyBot.AAV&lt;/strong&gt; and the Trojan &lt;strong&gt;Torpig.AE&lt;/strong&gt;, both of which are designed for stealing confidential information, as is &lt;strong&gt;Briz.A&lt;/strong&gt;, which has led to the uncovering of a complex network for creating data-stealing Trojans.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Inqtana.A&lt;/strong&gt; is a worm that only affects computers with the operating system Mac OS X 10.4 installed. It has no destructive effects; it only spreads itself (via Bluetooth) in order to affect as many computers as possible. 
If the affected user accepts it or the system is configured to accept requests without the user's approval, Inqtana.A copies its files to the default file exchange directory.&lt;br /&gt;&lt;br /&gt;If the computer also has the CAN-2005-1333 vulnerability, Inqtana.A copies its files to a special folder of the operating system. In this way, the worm ensures that it is run whenever the computer is started.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;SpyBot.AAV&lt;/strong&gt; and &lt;strong&gt;Torpig.AE&lt;/strong&gt; collect a range of information from computers, such as the IP address, free memory space, operating system, RAM, microprocessor speed, etc. They then send this information back to their creators so they can install more Trojans to hijack data, reroute browsers and trigger ads from which they benefit.&lt;br /&gt;&lt;br /&gt;However, the most notable code this week is &lt;strong&gt;Trj/Briz.A&lt;/strong&gt;, not so much for the code itself, but for the network of crimeware that has been discovered thanks to this Trojan. The code collects information about passwords and activity on the computer that it has infected.&lt;br /&gt;&lt;br /&gt;The designers of Briz.A are part of the new business model arising among the creators of malware. Instead of creating code purely for fun they are now doing so for financial gain, either through selling the code (a customized version of Briz.A is on offer for $990) or by fraudulently using the data obtained.&lt;br /&gt;&lt;br /&gt;Everyone needs to make sure their computer is secure. Use the menu links to access free tools for protecting your PC or to compare the top protection programs.
</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114098117400432204'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114098117400432204'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/weekly-virus-threat-report.html' title='Weekly Virus Threat Report'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114081838659250223</id><published>2006-02-24T16:54:00.000-05:00</published><updated>2006-02-24T16:59:46.843-05:00</updated><title type='text'>Trojan Briz.A Steals Web Form Data &amp; Hides As iexplore.exe</title><content type='html'>PandaLabs has detected a new Trojan called &lt;strong&gt;Trj/Briz.A&lt;/strong&gt;, whose main aim is to steal personal user data from affected computers. 
This code stands out because it specializes in stealing bank details and data from web forms and because its author customizes the code for hackers.&lt;br /&gt;&lt;br /&gt;The code creation system gives hackers the option to generate a Trojan that cannot be detected by any antivirus protection, as the author checks it every day.&lt;br /&gt;&lt;br /&gt;In spite of this, TruPrevent(tm) Technologies incorporated in Panda Software's solutions have detected this code without needing to be able to identify it first.&lt;br /&gt;&lt;br /&gt;Apart from the code, cyber-crooks that buy this crimeware also get a complex system for controlling the status of the infection caused by the custom Trojan.&lt;br /&gt;&lt;br /&gt;This allows the client to get a list containing a large quantity of data about the infected computers: IP addresses, passwords and even the physical location of the computers.&lt;br /&gt;&lt;br /&gt;In this way, the cyber-crooks can always have their malicious activity under control. PandaLabs is working, along with other companies, to analyze and close all the sites related to this Trojan.&lt;br /&gt;&lt;br /&gt;The file that causes &lt;strong&gt;the Trj/Briz.A infection is called "iexplore.exe"&lt;/strong&gt;. It uses this name to pass itself off as Internet Explorer.&lt;br /&gt;&lt;br /&gt;When it is run, it downloads different files and stops and deactivates Windows Security Center services and Shared Internet Access. It also collects information on programs like Outlook, Eudora and The Bat, which it sends to the attacker.&lt;br /&gt;&lt;br /&gt;To make it difficult to detect and disinfect the Trojan, it also modifies the hosts file to prevent access to websites related to antivirus products. This Trojan is the most complex example of the business network based on malware.&lt;br /&gt;&lt;br /&gt;Whereas hackers used to create malicious code simply to have fun, they now have direct financial goals, designing their creations based on a criminal business model. 
&lt;br /&gt;&lt;br /&gt;This data is reflected in the annual report published by PandaLabs, which is available at &lt;a href="http://www.pandasoftware.com/NR/rdonlyres/ADF8E433-3BC3-46A2-AF57-9710CFAF9181/7274/02_Annual_Report_PL_2005.zip"&gt;http://www.pandasoftware.com/NR/rdonlyres/ADF8E433-3BC3-46A2-AF57-9710CFAF9181/7274/02_Annual_Report_PL_2005.zip&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Luis Corrons, director of PandaLabs, explains that "as authors of Internet threats have changed their objective, which is now financial gain, they have also changed the way they design their threats. Therefore, they try to ensure that their creations go unnoticed, to both users and security companies, for as long as possible."&lt;br /&gt;&lt;br /&gt;For users to protect their computers against these codes, "they need technologies like TruPrevent(tm), with which we have been able to detect a code like Trj/Briz.A, which would otherwise have been very difficult to find," says Corrons.
</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114081838659250223'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114081838659250223'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/trojan-briza-steals-web-form-data.html' title='Trojan Briz.A Steals Web Form Data &amp; Hides As iexplore.exe'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114079393491282548</id><published>2006-02-24T10:08:00.000-05:00</published><updated>2006-02-24T10:12:15.326-05:00</updated><title type='text'>Adware Is More Than Just Annoying</title><content type='html'>&lt;strong&gt;Common adware features:&lt;/strong&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Drive-by downloads without your permission. &lt;/li&gt;&lt;li&gt;Corrupts the integrity of your computer. &lt;/li&gt;&lt;li&gt;Redirection of Web links without asking. &lt;/li&gt;&lt;li&gt;Use of HTTP protocol to spy on you. &lt;/li&gt;&lt;li&gt;Use of cookies to store and pass on your personal data. &lt;/li&gt;&lt;li&gt;Capture of authentication data from your PC. &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Ads are often tailored based on your surfing habits or closely matched to the website you are visiting at the time. &lt;/p&gt;&lt;p&gt;If you think about adware in the context of TV viewing, it's as if the TV was observing your lifestyle and displaying ads based on what it observed about you as you watched TV. 
&lt;/p&gt;&lt;p&gt;For example, your TV ad might be for a competing beverage or snack aimed at convincing you to switch brands. &lt;/p&gt;Adware smacks of invasion of personal privacy and sometimes borders on theft of personal information. You are much better off without all of your online activities being reported back to various companies, most of whom you've never done business with in the first place.&lt;br /&gt;&lt;br /&gt;Read more about &lt;a href="http://www.spamvirushelp.com/adware.html"&gt;adware removal&lt;/a&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114079393491282548'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114079393491282548'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/adware-is-more-than-just-annoying.html' title='Adware Is More Than Just Annoying'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114061732746540937</id><published>2006-02-22T09:06:00.000-05:00</published><updated>2006-02-22T09:08:47.870-05:00</updated><title type='text'>Apple Safari Browser Vulnerability 
Reported</title><content type='html'>A critical vulnerability has been reported in the Safari browser shipped with Mac OS X, which could allow an attacker to automatically run scripts when a user visits a malicious website.&lt;br /&gt;&lt;br /&gt;The flaw affects how Mac OS X determines which program must run to open certain types of files. If a Unix shell script is renamed with a Safari extension, it is considered 'safe'.&lt;br /&gt;&lt;br /&gt;If the '#!' sequence is omitted and it is compressed in ZIP, Safari can be tricked into downloading the script, decompressing it and assuming that it is 'safe', then passing it to the Mac OS X Terminal application to run.&lt;br /&gt;&lt;br /&gt;This could allow an attacker to use a script to delete data or programs, damage the configuration or obtain personal user information. Apple is working on an update that resolves this problem, known as a 'zero day exploit'.&lt;br /&gt;&lt;br /&gt;In the meantime, Safari users can disable the option "Open 'safe' files after downloading" in the General panel in the browser preferences. This option is disabled by default in new installations of Mac OS X 10.4.5, but enabled by default in old systems or in systems that have upgraded to Mac OS X 10.4.5.
</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114061732746540937'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114061732746540937'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/apple-safari-browser-vulnerability.html' title='Apple Safari Browser Vulnerability Reported'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114037095863692702</id><published>2006-02-19T12:29:00.000-05:00</published><updated>2006-02-19T12:42:43.573-05:00</updated><title type='text'>Free Adware Remover</title><content type='html'>&lt;strong&gt;Need help removing spyware, malware, and other pests?&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Doing adware removal manually is annoying. Many of these ad-ware pests are very hard to remove. Pest programs that make their removal difficult usually fall into the malware category.&lt;br /&gt;&lt;br /&gt;These types of pests often take control of the search function of your browser - returning false results and taking you to sites you had no intention of visiting. You'll end up at pages with nothing but ads and no way to leave them except by clicking on some stupid ad.&lt;br /&gt;&lt;br /&gt;Even worse, without it being removed, this type of spyware will track your surfing habits and report that back to hidden third parties. Some of these programs steal passwords and other financial information. 
If you do your taxes on your computer, you definitely need to clean these pest programs off your PC.&lt;br /&gt;&lt;br /&gt;Some adware makes removal difficult as it goes to great lengths to prevent you from successfully removing it. For example, &lt;strong&gt;Cool Web Search&lt;/strong&gt; spyware contains 17 separate components.&lt;br /&gt;&lt;br /&gt;Leave any single component on your PC and Cool Web Search automatically re-installs itself!&lt;br /&gt;&lt;br /&gt;Important features in tools for adware removal include:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Automatic update of pest control definition files&lt;/li&gt;&lt;li&gt;Scheduled scans for automatic adware removal&lt;/li&gt;&lt;li&gt;Scan on the fly - search files or downloads for hidden pests&lt;/li&gt;&lt;li&gt;Free trial download - Try it out for free&lt;/li&gt;&lt;/ul&gt;The best product for easy removal is No Adware. It does all those things and more. You can even try it for free. Click here for more information on the top &lt;a href="http://adware.netsense.info/noadware.html"&gt;Adware Remover&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Use the free trial option to see how effective No Adware is at removing these junk programs that slow down your PC, trigger popup ads, and steal important data from your computer.&lt;br /&gt;&lt;br /&gt;No Adware really is the best tool for removal of spyware and malware. Try it for free and see for yourself right now.&lt;br /&gt;&lt;br /&gt;Click here for &lt;a href="http://adware.netsense.info/noadware.html"&gt;Free Trial of Adware Removal&lt;/a&gt;.
</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114037095863692702'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114037095863692702'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/free-adware-remover.html' title='Free Adware Remover'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114018947469119640</id><published>2006-02-17T10:12:00.000-05:00</published><updated>2006-02-17T10:17:54.983-05:00</updated><title type='text'>Bagle.GZ Virus &amp; New Mac OSX Oomp.A Trojan</title><content type='html'>This week's report focuses on the updates released by Microsoft to correct several errors. As well as the &lt;strong&gt;W32/Bagle.GZ&lt;/strong&gt; worm, we can also highlight the appearance of &lt;strong&gt;OSX/Oomp.A&lt;/strong&gt;, a worm that affects Mac OSX.&lt;br /&gt;&lt;br /&gt;On February 14, Microsoft published seven updates for Windows and Office, two of which are classified as critical. The first update, MS06-004, is applied to fix a critical vulnerability in the Graphics Rendering Engine (generally exploited using a WMF file) in computers running Windows 2003/XP/2000/Me/98.&lt;br /&gt;&lt;br /&gt;This flaw allows remote execution of arbitrary code on vulnerable systems. 
The second critical update, MS06-005, corrects problems in Windows Media Player in computers running Windows 2003/XP/2000/Me/98.&lt;br /&gt;&lt;br /&gt;This flaw also allows remote execution of arbitrary code on vulnerable computers. Successful exploitation of these vulnerabilities allows hackers to gain remote control of the affected computer, with the same privileges as the logged-on user.&lt;br /&gt;&lt;br /&gt;If this user has administrator rights, the hacker would have complete control of the system, which puts the computer at serious risk.&lt;br /&gt;&lt;br /&gt;As well as these two updates, Microsoft has also released five other updates, which are not classified as critical.&lt;br /&gt;&lt;br /&gt;The first malicious code in today's report is &lt;strong&gt;Bagle.GZ&lt;/strong&gt;, a worm that drops the Downloader.HRV Trojan on affected computers, which accesses several web pages to display advertising.&lt;br /&gt;&lt;br /&gt;In order to spread, Bagle.GZ sends an email message that tries to get the user's attention by referring to the Winter Olympics being held in Turin until February 26. When the user opens the file attached to the message, it displays a message to trick the user into thinking that a system error has occurred, while it makes several copies of itself in the system folders.&lt;br /&gt;&lt;br /&gt;The Trojan Banbra.BTM is used to steal the passwords of users of the NetEmpresa service belonging to the Brazilian bank Bradesco. As well as passwords, this Trojan steals the digital certificates (files with a CRT extension) and keys (files with a KEY extension) used by users to access their current accounts through their computers.&lt;br /&gt;&lt;br /&gt;Thanks to the work of PandaLabs, this worm has been deactivated, as the website housing the malicious code has been closed. 
To download the code, an email message has been mass-mailed that claims to come from an employee of Bradesco Net Empresa, which prompts the user to download the code.&lt;br /&gt;&lt;br /&gt;Finally, we will look at a worm called &lt;strong&gt;OSX/Oomp.A&lt;/strong&gt;. This malicious code, developed for the Mac OS X operating system, replaces other programs with a copy of itself that includes the original program among its resources.&lt;br /&gt;&lt;br /&gt;When it is run, this replacement file runs the malicious code and then tries to execute the original program.&lt;br /&gt;&lt;br /&gt;However, due to programming errors, the original program is not launched correctly. This worm spreads via instant messaging in a file called 'latestpics.tgz'.
</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114018947469119640'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114018947469119640'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/baglegz-virus-new-mac-osx-oompa-trojan.html' title='Bagle.GZ Virus &amp; New Mac OSX Oomp.A Trojan'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114009786161939254</id><published>2006-02-16T08:43:00.000-05:00</published><updated>2006-02-16T08:51:01.940-05:00</updated><title type='text'>Spyware Exploits Found on 1.5% of Web Pages</title><content type='html'>&lt;strong&gt;"Drive-by" Spyware Downloads Attack You From 1.5% of Web Pages&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The Internet is becoming increasingly risky for novice users. 
You have to protect your PC and browser from "drive-by malware downloads" because so many sites automatically exploit the gaping security holes in Internet Explorer.&lt;br /&gt;&lt;br /&gt;A study recently published by a group of researchers at the Department of Computer Science and Engineering at the University of Washington has found that 1.5 percent of the URLs studied exploited flaws in Internet Explorer to install spyware without the user's permission.&lt;br /&gt;&lt;br /&gt;Although 1.5 percent may seem a very small percentage, it means that one in every 67 web pages analyzed included malicious content to exploit vulnerabilities in the browser.&lt;br /&gt;&lt;br /&gt;The study, available at &lt;a href="http://www.cs.washington.edu/homes/gribble/papers/spycrawler.pdf"&gt;http://www.cs.washington.edu/homes/gribble/papers/spycrawler.pdf&lt;/a&gt;, examined 18 million URLs in May and October last year, which also allowed the evolution over time to be studied.&lt;br /&gt;&lt;br /&gt;This study is particularly interesting because of the diversity of the data it offers, analyzing many websites by category and type of executable file downloaded (keyloggers, dialers, Trojans, adware or browser hijackers).&lt;br /&gt;&lt;br /&gt;The study also shows that a large number of the executable files downloaded contained various attack functions. In May of last year, the most common attack was adware, whereas in October this attack dropped compared to browser hijackers, which were the most common with 85 percent of detections.
</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114009786161939254'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114009786161939254'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/spyware-exploits-found-on-15-of-web.html' title='Spyware Exploits Found on 1.5% of Web Pages'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-114001503415617561</id><published>2006-02-15T09:44:00.000-05:00</published><updated>2006-02-15T09:50:34.623-05:00</updated><title type='text'>Cyber Fraud - Bot Networks Churn Out Adware</title><content type='html'>&lt;strong&gt;Adware Bot Network Churns Out Big Profits&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The end of the 90s saw the famous 'dotcom' boom, a period which moved enormous amounts of money into the Internet. But it didn't last long. The bubble burst as quickly as it was formed.&lt;br /&gt;&lt;br /&gt;However, the Internet is still a good source of income for many cyber-criminals who take advantage of the Internet and its users to commit fraud, theft and other crimes.&lt;br /&gt;&lt;br /&gt;A clear example is Jeanson James Ancheta. After creating a network of bots (computers infected with a code that obeys external commands) that infected 40,000 computers, he installed adware on them without the users realizing it.&lt;br /&gt;&lt;br /&gt;The network of bots started to generate income for the creator. 
Unbeknownst to users, it showed advertisements for which Jeanson James Ancheta received considerable payments, up to $60,000 from single companies in some cases.&lt;br /&gt;&lt;br /&gt;We urge all of our readers to check their computers for malicious code that their current antivirus solution has not detected.&lt;br /&gt;&lt;br /&gt;The danger of forming part of a fraud network is not just theoretical, but, as seen here, very real. A simple code can turn computers into zombies and make them part of fraud scams or simply allow user information (including bank account access details) to be stolen.&lt;br /&gt;&lt;br /&gt;Check your computer for adware and malware with the free tools listed in our resource links.
</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114001503415617561'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/114001503415617561'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/cyber-fraud-bot-networks-churn-out.html' title='Cyber Fraud - Bot Networks Churn Out Adware'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113993898586277264</id><published>2006-02-14T12:40:00.000-05:00</published><updated>2006-02-14T12:43:06.196-05:00</updated><title type='text'>Microsoft Patches Windows Media Player</title><content type='html'>&lt;strong&gt;Critical Security Patch Released For Windows Media Player&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Microsoft has announced a new collection of updates for today. Some of the problems corrected are considered critical, i.e. they could seriously affect the security or stability of systems.&lt;br /&gt;&lt;br /&gt;The first update applies to Microsoft Windows Media Player and is one of those described as critical. In order not to divulge information about this vulnerability, Microsoft has treated it discreetly. For Microsoft Windows there are four updates, one of them critical.&lt;br /&gt;&lt;br /&gt;Microsoft has not revealed too much information in this case either. 
The other two corrections apply to Windows and Office (classified as "important").&lt;br /&gt;&lt;br /&gt;The reduced amount of information about these corrections is no doubt part of an attempt to avoid "zero day exploits".&lt;br /&gt;&lt;br /&gt;These exploits are generated the same day the vulnerability appears, so users are unable to update systems in time and could become victims of the exploit.&lt;br /&gt;&lt;br /&gt;To avoid this type of threat, computers need to have intelligent protection installed to detect unknown malicious code, such as zero day exploits.&lt;br /&gt;&lt;br /&gt;Currently, the danger of these exploits does not lie in actions such as deleting files, which are typically associated with older malicious code. There is now an increasing number of threats designed to return financial gains at the cost of unprotected users, either through the installation of adware and spyware or by directly stealing bank details.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113993898586277264'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113993898586277264'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/microsoft-patches-windows-media-player.html' title='Microsoft Patches Windows Media Player'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113957874033274233</id><published>2006-02-10T08:35:00.000-05:00</published><updated>2006-02-10T08:39:00.813-05:00</updated><title type='text'>Weekly Virus &amp; Trojan Report</title><content type='html'>In this week's report we look at three new Trojans, &lt;strong&gt;Diamin.DU&lt;/strong&gt;, &lt;strong&gt;Banker.CAB&lt;/strong&gt; and &lt;strong&gt;PGPCoder.D&lt;/strong&gt;.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Diamin.DU&lt;/strong&gt; is designed to establish phone connections with premium-rate numbers, with potentially serious financial consequences for the affected user. However, it can only affect computers that use a modem to connect to the Internet, as it modifies the dial-up network access settings.&lt;br /&gt;&lt;br /&gt;Diamin.DU is easy to recognize, as when it is run, it displays several windows in Italian. As with most Trojans, Diamin.DU does not spread automatically using its own means.&lt;br /&gt;&lt;br /&gt;It needs an attacking user's intervention in order to reach the affected computer. 
The means of transmission used include, among others, floppy disks, CD-ROMs, e-mail messages with attached files and Internet downloads.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Banker.CAB&lt;/strong&gt; is a Trojan designed to affect users of certain Brazilian banking services. It monitors whether the user accesses websites belonging to these banks, in order to obtain passwords.&lt;br /&gt;&lt;br /&gt;Then, it sends the data it has gathered to certain email addresses where hackers can collect them and use them fraudulently.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;PGPCoder.D&lt;/strong&gt; is a Trojan that encrypts all files with a wide range of extensions. The user will not be able to open those files until they are decrypted by a specific application for which they, needless to say, have to pay.&lt;br /&gt;&lt;br /&gt;In order to inform users how to buy this application, PGPCoder.D creates text files on the computer with an email address to contact.&lt;br /&gt;&lt;br /&gt;That's it for this week's virus and trojan recap. Let's be careful out there!</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113957874033274233'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113957874033274233'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/weekly-virus-trojan-report.html' title='Weekly Virus &amp; Trojan Report'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113951072376408694</id><published>2006-02-09T13:43:00.000-05:00</published><updated>2006-02-09T13:45:24.183-05:00</updated><title type='text'>Denial of Service Attack Nets 2-Year Prison Sentence</title><content type='html'>Madrid, February 9, 2006 - According to several publications in Spain, the author of a distributed denial of service attack (DDoS) that affected over three million Internet users has been sentenced to two years in prison and also faces a fine of 1.4 million euros.&lt;br /&gt;&lt;br /&gt;This was the sentence received by a twenty-six year old Spanish man who, after being expelled from the "Hispano" IRC chatroom for disobeying rules, created a worm aimed at collapsing that network through distributed denial-of-service attacks.&lt;br /&gt;&lt;br /&gt;The attacks spread for several months, affecting Internet service providers like Wanadoo, ONO or Lleida Net, as well as IRC-Hispano.&lt;br /&gt;&lt;br /&gt;Several spokespeople have highlighted that this is one of the first sentences related to this type of criminal activity 
in Europe and the most significant crime of this type committed in Spain, affecting 33 percent of Internet users.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113951072376408694'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113951072376408694'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/denial-of-service-attack-nets-2-year.html' title='Denial of Service Attack Nets 2-Year Prison Sentence'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113943054301664319</id><published>2006-02-08T15:27:00.000-05:00</published><updated>2006-02-08T15:29:03.266-05:00</updated><title type='text'>Microsoft Patches XP ACL Vulnerability</title><content type='html'>&lt;p&gt;Microsoft has released a security bulletin reporting a vulnerability that can be exploited to gain privilege escalation in Windows XP SP1 and Windows Server 2003. &lt;/p&gt;&lt;p&gt;Access Control List (ACL) is an IT security concept used to refer to access rights for a certain object. 
In Windows, for example, we can set the read or write privileges of a user for a certain file. &lt;/p&gt;&lt;p&gt;The vulnerability reported in the Microsoft security bulletin could allow an authenticated user to carry out a privilege escalation attack. &lt;/p&gt;&lt;p&gt;This would allow the attacker to gain privileges for objects which, in theory, that user should not be able to access. &lt;/p&gt;&lt;p&gt;Microsoft confirms that the vulnerability does not affect Windows XP with Service Pack 2 and Windows Server 2003 with Service Pack 1. &lt;/p&gt;&lt;p&gt;Therefore, users are advised to install the latest service packs and security patch to mitigate this and other potential risks. &lt;/p&gt;&lt;p&gt;The security bulletin also includes details of how to modify the ACLs in affected services to mitigate possible attacks on potentially vulnerable systems. &lt;/p&gt;&lt;p&gt;You can get full details at: &lt;a href="http://www.microsoft.com/technet/security/advisory/914457.mspx"&gt;http://www.microsoft.com/technet/security/advisory/914457.mspx&lt;/a&gt;&lt;/p&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113943054301664319'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113943054301664319'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/microsoft-patches-xp-acl-vulnerability.html' title='Microsoft Patches XP ACL Vulnerability'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113923252402601775</id><published>2006-02-06T08:26:00.000-05:00</published><updated>2006-02-06T08:28:44.416-05:00</updated><title type='text'>FireFox Patches Critical Security Hole</title><content type='html'>The Mozilla Foundation has published a security update that fixes eight vulnerabilities in version 1.5 of the popular browser Firefox.&lt;br /&gt;&lt;br /&gt;Mozilla has assigned one of the vulnerabilities a critical severity rating, whereas three of them are considered moderate and four of them low.&lt;br /&gt;&lt;br /&gt;The critical flaw allows an attacker to inject XML code into the localstore.rdf file, which makes the browser carry out tasks without the user's authorization at startup, &lt;strong&gt;allowing total control of the system&lt;/strong&gt;.&lt;br /&gt;&lt;br /&gt;The vulnerabilities considered moderate allow arbitrary code to be run. One of these flaws is an integer overflow in E4X, SVG and Canvas. 
There is also a code execution problem when dynamically changing the style of an element from position:relative to position:static.&lt;br /&gt;&lt;br /&gt;A corrected denial of service problem could be used by a malicious user to render an application unusable using a malicious website with a long title. The browser of a user that visited this website would close whenever the user tried to access it. &lt;br /&gt;&lt;br /&gt;The updates can be downloaded using the automatic update feature in the browser or directly from the Mozilla website at &lt;a href="http://www.mozilla.com/firefox/"&gt;http://www.mozilla.com/firefox/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The information published by Mozilla Foundation about the flaws is available at &lt;a href="http://www.mozilla.org/security/announce/"&gt;http://www.mozilla.org/security/announce/&lt;/a&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113923252402601775'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113923252402601775'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/firefox-patches-critical-security-hole.html' title='FireFox Patches Critical Security Hole'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113916310206239877</id><published>2006-02-05T13:11:00.000-05:00</published><updated>2006-02-05T13:11:42.420-05:00</updated><title type='text'>Spyware Removal - Free Spyware Download</title><content type='html'>&lt;a href="http://www.spamvirushelp.com/spyware-removal.html"&gt;Spyware Removal - Free Spyware Download&lt;/a&gt;: "You'll be amazed at the amount of adware and spyware that infests your PC. Adware gets added by dozens of programs like Kazaa, Morpheus, Bonzi Buddy, and others of the same ilk.&lt;br /&gt;&lt;br /&gt;Spyware is secretly placed on your computer without your consent or knowledge by unscrupulous websites and dangerous downloads.&lt;br /&gt;&lt;br /&gt;You're not safe online without spyware detection and removal. 
But, to actually be safe from then on, you need a spyware blocker to prevent its return.&lt;br /&gt;&lt;br /&gt;Many programs detect and remove spyware, but very few include the necessary blocking capability.&lt;br /&gt;&lt;br /&gt;In this article, we're covering the top three commercial spyware removers on the market. We've analyzed the test results and are ranking those top three as good, better, and best."&lt;br /&gt;&lt;br /&gt;Click the link above to read the rest of this article...</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113916310206239877'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113916310206239877'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/spyware-removal-free-spyware-download.html' title='Spyware Removal - Free Spyware Download'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113897734489997139</id><published>2006-02-03T09:35:00.000-05:00</published><updated>2006-02-03T09:35:45.410-05:00</updated><title type='text'>AIM Virus - AOL IM Virus Removal - AIM Profile Virus 
Remover</title><content type='html'>&lt;a href="http://www.spamvirushelp.com/aim-virus.html"&gt;AIM Virus - AOL IM Virus Removal - AIM Profile Virus Remover&lt;/a&gt;: "AIM Profile Virus Removal&lt;br /&gt;Manual Removal Instructions:&lt;br /&gt;&lt;br /&gt;Press the CTRL, ALT, and DEL keys at the same time to bring up the task manager.&lt;br /&gt;&lt;br /&gt;Click on the processes tab (Windows 2000/XP), and find 'b.exe', 'bbb.exe' or 'av.exe' and kill the process.&lt;br /&gt;&lt;br /&gt;Go to C:\Windows and delete 'b.exe' and 'bbb.exe' or 'av.exe' (or do a search for the virus: click Start &gt; Search &gt; look up each virus individually). Delete these files when you find them.&lt;br /&gt;&lt;br /&gt;Click Start, then click on Run, type in 'Msconfig' in the box and press ENTER. When the box comes up, click on the 'startup' tab and look for 'b.exe', 'bbb.exe' or 'av.exe' listed (possibly listed under 'antivirus') then uncheck the box to the left. (Windows 98/XP only)&lt;br /&gt;&lt;br /&gt;Clear your profile (or make a new one) and restart.&lt;br /&gt;&lt;br /&gt;When the msconfig box comes up after restart just check the box telling it not to come up again."</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113897734489997139'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113897734489997139'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/aim-virus-aol-im-virus-removal-aim.html' title='AIM Virus - AOL IM Virus Removal - AIM Profile Virus Remover'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113897574407660179</id><published>2006-02-03T09:06:00.000-05:00</published><updated>2006-02-03T09:09:04.446-05:00</updated><title type='text'>Tearec.A Blackworm Does Little Damage So Far</title><content type='html'>&lt;strong&gt;Blackmal computer timebomb causes little damage&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;AMSTERDAM (Reuters) - A computer virus that was designed to start its malicious work on Friday did not cause the mayhem that was anticipated, computer security firms said.&lt;br /&gt;&lt;br /&gt;The worm, known as "&lt;strong&gt;Blackmal&lt;/strong&gt;" and "&lt;strong&gt;Kama Sutra&lt;/strong&gt;," hides inside email attachments and contains a time-activated payload due to execute on the third day of each month, first occurring on Friday.&lt;br /&gt;&lt;br /&gt;Once activated, the worm will try to spread itself, attempt to stop anti-worm software from running and try to delete all Word, Excel, PowerPoint and PDF file types from an infected PC.&lt;br /&gt;&lt;br /&gt;Rather than disabling up 
to 500,000 PCs that were expected to be infected, the virus had hit only a few thousand computers by midday in continental Europe, mostly from individual consumers, according to several computer security firms.&lt;br /&gt;&lt;br /&gt;Advance warnings by virus security firms and enterprises to their customers and employees appeared to have worked.&lt;br /&gt;&lt;br /&gt;"This is certainly not a disaster," said technical consultant Graham Cluley at British virus fighter firm Sophos.&lt;br /&gt;&lt;br /&gt;Rival security software firm Symantec confirmed "the worm is not spreading wildly and infections are relatively low."&lt;br /&gt;&lt;br /&gt;The virus is also known as "&lt;strong&gt;Nyxem&lt;/strong&gt;," "&lt;strong&gt;MyWife&lt;/strong&gt;," and "&lt;strong&gt;Tearec&lt;/strong&gt;."</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113897574407660179'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113897574407660179'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/teareca-blackworm-does-little-damage.html' title='Tearec.A Blackworm Does Little Damage So Far'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113889679557010065</id><published>2006-02-02T11:10:00.000-05:00</published><updated>2006-02-02T11:13:15.826-05:00</updated><title type='text'>180 Solutions Sued Over Adware Tactics</title><content type='html'>In a 91-page federal complaint fairly quivering with frustration, the Center for Democracy and Technology last week took on 180solutions, accusing the adware company of acting in a "brazenly reckless" manner in getting its software on desktops.&lt;br /&gt;&lt;br /&gt;The consumer advocates at CDT allege that 180solutions consistently ignores the fact that partner after partner uses 180solutions' adware to install pop-up ads on the computers of users who haven't given their informed consent.&lt;br /&gt;&lt;br /&gt;While the complaint filed with the Federal Trade Commission last week concedes that 180solutions has responded to some concerns, the main problem appears to be that it does so only when it is pressured.&lt;br /&gt;&lt;br /&gt;New problems continue to arise because the fundamental business model 
doesn't discourage bad installations -- at least according to the CDT and consultants like Eric Howes, who runs the anti-spyware Web site SpywareWarrior.com.&lt;br /&gt;&lt;br /&gt;The CDT's move also raises questions about the future of adware. Some observers, like Howes and adware consultant Ben Edelman, maintain that few consumers want adware on their computers.&lt;br /&gt;&lt;br /&gt;Therefore, they say, companies like 180solutions are forced into a business model that at least tacitly rewards trickery.&lt;br /&gt;&lt;br /&gt;"The only way they can get it on computers, so they can make money, is to sneak it on," Howes said.&lt;br /&gt;www.cdt.org</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113889679557010065'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113889679557010065'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/180-solutions-sued-over-adware-tactics.html' title='180 Solutions Sued Over Adware Tactics'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113882501103845781</id><published>2006-02-01T15:15:00.000-05:00</published><updated>2006-02-01T15:16:51.386-05:00</updated><title type='text'>BlackWorm (Tearec.A) Attacks Friday Feb 3rd</title><content type='html'>Threat Level: HIGH&lt;br /&gt;&lt;br /&gt;PandaLabs has detected that all computers infected with BlackWorm will encounter widespread damage this Friday, February 3. &lt;br /&gt;&lt;br /&gt;BlackWorm, also known as "Tearec.A", "Mywife.E" and "KamaSutra", will corrupt all Microsoft Word, Microsoft Excel or Microsoft PowerPoint files on infected computers.&lt;br /&gt;&lt;br /&gt;Don't wait to check if your computer contains Blackworm. &lt;br /&gt;&lt;br /&gt;Panda Software recommends running an online virus scan immediately.&lt;br /&gt;&lt;br /&gt;FREE VIRUS SCAN: Scan your computer for Blackworm. &lt;a href="http://echo3.bluehornet.com/ct/ct.php?t=264718&amp;c=405747880&amp;amp;m=m&amp;type=1&amp;amp;h=5b07e9a833518cfd285c793efbfe3458"&gt;http://www.ActiveScan.com&lt;/a&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113882501103845781'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113882501103845781'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/blackworm-teareca-attacks-friday-feb.html' title='BlackWorm (Tearec.A) Attacks Friday Feb 3rd'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113880663011821896</id><published>2006-02-01T10:10:00.000-05:00</published><updated>2006-02-01T11:58:15.066-05:00</updated><title type='text'>Network Security: Spyware &amp; Patch Management</title><content type='html'>&lt;a href="http://www.windowsitpro.com/Whitepapers/Index.cfm?fuseaction=ShowWP&amp;WPID=bf95c9fa-2c73-4e5c-960a-177ba9ac7225&amp;amp;code=0131msd2d"&gt;Windows IT Pro Whitepapers&lt;/a&gt;: "Spyware and Patch Management: An Integrated Approach to Network Security&lt;br /&gt;&lt;br /&gt;Exploiting security vulnerabilities in order to install spyware is the norm, not the exception. Yet nearly all spyware solutions treat the symptom without addressing the cause.&lt;br /&gt;&lt;br /&gt;By viewing these issues together, spyware and patch management, IT professionals stand a better chance of maximizing network security against Spyware and other threats. 
This white paper addresses the need to manage threats and vulnerabilities in one console as a comprehensive security solution.&lt;br /&gt;&lt;br /&gt;The impact of spyware on the enterprise is severe: surging bandwidth consumption, system instability, overwhelmed help desks, and lost user productivity are just a few of the unwelcome side effects. Unauthorized applications can even result in non-compliance with regulatory requirements. Even worse, much of today's spyware installs keyloggers and backdoors that compromise security and lead to financial risk.&lt;br /&gt;&lt;br /&gt;Today's solutions are largely desktop-based and nearly all treat the symptom without addressing the cause. Many of these malware irritants take advantage of unpatched flaws in the OS or browser to install their tools.&lt;br /&gt;&lt;br /&gt;Removing the spyware and malware is the first step to securing the system, but enterprise anti-spyware tactics are only successful when combined with system updates that prevent re-infestation. Remediate spyware and install patches with Shavlik NetChk Protect for a complete security solution."</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113880663011821896'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113880663011821896'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/02/network-security-spyware-patch.html' title='Network Security: Spyware &amp; Patch Management'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113873094114811382</id><published>2006-01-31T13:05:00.000-05:00</published><updated>2006-01-31T13:09:01.450-05:00</updated><title type='text'>WinAmp Security Flaw Upgrade Fix Available</title><content type='html'>WinAmp has a major security flaw. The new version, 5.13, of Winamp, an MP3 and multimedia player used worldwide, is now available. As the new version fixes a critical security flaw, we recommend Winamp users install this update immediately.&lt;br /&gt;&lt;br /&gt;The vulnerability lies in a buffer overflow, which occurs when processing over-long .PLS file names. This flaw could allow a remote user to run arbitrary code and therefore, compromise the security of affected systems.&lt;br /&gt;&lt;br /&gt;What's more, an exploit (*) has been published, which increases the risk of attacks that take advantage of this vulnerability.&lt;br /&gt;&lt;br /&gt;The vulnerability has been confirmed in Winamp 5.12, but previous versions could also be affected. 
Users of Winamp are advised to install version 5.13, which is available at: &lt;a href="http://www.winamp.com/player/"&gt;http://www.winamp.com/player/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;(*) Exploit: technique or program that exploits a security flaw (a vulnerability) in a certain communication protocol, operating system or IT tool.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113873094114811382'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113873094114811382'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/winamp-security-flaw-upgrade-fix.html' title='WinAmp Security Flaw Upgrade Fix Available'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113864126484616982</id><published>2006-01-30T12:14:00.000-05:00</published><updated>2006-01-30T12:16:14.006-05:00</updated><title type='text'>Google's New Badware Site Is Lame</title><content type='html'>&lt;a href="http://www.nynewsday.com/business/printedition/ny-bzdolinar294604303jan29,0,4246207.column?coll=ny-business-print"&gt;New York Newsday Article&lt;/a&gt;: 
"Though it was overshadowed last week by news that Google is going to censor its Chinese search engine and protect the privacy of pedophiles in the United States, another bit of Googlish news caught my eye: The company is funding a big, new academic effort at Harvard and Cambridge to combat spyware and adware, which the new organization has decided to call 'badware.' Read about it at the new Web site, stopbadware.org.&lt;br /&gt;&lt;br /&gt;According to the site, 'StopBadware.org is a 'Neighborhood Watch' campaign aimed at fighting badware.' It says the organization 'will seek to provide reliable, objective information about downloadable applications in order to help consumers make better choices about what they download onto their computers. We aim to become a central clearinghouse for research on badware and the bad actors who spread it, and become a focal point for developing collaborative, community-minded approaches to stopping badware.'"</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113864126484616982'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113864126484616982'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/googles-new-badware-site-is-lame.html' title='Google&apos;s New Badware Site Is Lame'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113854744342302158</id><published>2006-01-29T10:09:00.000-05:00</published><updated>2006-01-29T10:10:43.626-05:00</updated><title type='text'>Hacker Arrested in AOL Phishing Scam</title><content type='html'>&lt;strong&gt;Arrest Made in AOL Phishing Scheme&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;A 45-year-old California man was arrested Jan. 25 and charged with operating an online phishing scheme that targeted America Online customers.&lt;br /&gt;&lt;br /&gt;Jeffrey Brett Goodin of Azusa, Calif., was arrested and charged with wire fraud and unauthorized use of a credit card. He could face 30 years in prison if convicted of both offenses.&lt;br /&gt;&lt;br /&gt;Goodin is alleged to have sent e-mail messages to thousands of AOL users to entice them to visit fraudulent Web sites he set up to collect personal information.&lt;br /&gt;&lt;br /&gt;Goodin allegedly used the information he gathered to make purchases with the credit cards, according to a statement from Debra Yang, U.S. 
Attorney for the Central District of California.&lt;br /&gt;Goodin was arrested following an investigation by the U.S. Secret Service, FBI and the Ontario, Canada, Police Department.&lt;br /&gt;&lt;br /&gt;He is scheduled to be arraigned Jan. 28 in U.S. District Court.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113854744342302158'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113854744342302158'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/hacker-arrested-in-aol-phishing-scam.html' title='Hacker Arrested in AOL Phishing Scam'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113838059044974852</id><published>2006-01-27T11:46:00.000-05:00</published><updated>2006-01-27T11:49:50.786-05:00</updated><title type='text'>Weekly Virus Threat Report</title><content type='html'>&lt;strong&gt;This week's report looks at a Trojan -Mitglieder.HJ-, and two worms, Mytob.MU and Feebs.E.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Mitglieder.HJ&lt;/strong&gt; cannot spread using its own means but needs to be 
distributed manually by third-parties (via email, Internet downloads, file transfers via FTP or other means). Nevertheless, if it receives the corresponding command, it can send a copy of itself via email using a certain SMTP server.&lt;br /&gt;&lt;br /&gt;The action that Mitglieder.HJ takes on infected computers includes the following:&lt;br /&gt;- Opening port 33322 and acting as a proxy server. It also waits for remote control orders to carry out on the PC -such as starting an SMTP server-, or updating itself.&lt;br /&gt;- It tries to download, from several web pages, a text file containing a list of IP addresses.&lt;br /&gt;- It creates a mutex -called 555-, to ensure that there is only one copy of itself running at any time.&lt;br /&gt;&lt;br /&gt;The first worm that we are looking at today is &lt;strong&gt;Mytob.MU&lt;/strong&gt;, which spreads via email in a variable message with a ZIP file attachment. When the file is run, the worm infects the computer and searches for email addresses to which to send itself using its own SMTP engine.&lt;br /&gt;&lt;br /&gt;Mytob.MU connects to an IRC to receive remote control orders, which it executes on the computer that it has installed itself on. It also terminates processes belonging to several security tools - such as antivirus programs and firewalls- along with those belonging to certain other specimens of malware.&lt;br /&gt;&lt;br /&gt;Similarly, it prevents users from accessing certain web pages, notably those belonging to antivirus companies. In computers with Windows XP, it disables the Internet connection firewall (ICF) and the Internet connection sharing (ICS) features.&lt;br /&gt;&lt;br /&gt;The third threat in today's report is &lt;strong&gt;Feebs.E&lt;/strong&gt;, a worm that spreads through P2P file-sharing programs and email.&lt;br /&gt;&lt;br /&gt;One of the methods used to spread by email is to monitor network traffic to detect if any message is being sent with an attachment and MIME format. 
In this case it attaches itself to the message. By doing this, it passes itself off as coming from a reliable source, so recipients are more liable to open and run it.&lt;br /&gt;&lt;br /&gt;After installing itself on a computer, Feebs.E opens several ports to receive remote control orders and uses rootkit techniques (to hide its files and Windows registry entries and the ports it has opened). In addition, this worm disables several security programs, leaving the computer vulnerable to attacks from other malware.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113838059044974852'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113838059044974852'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/weekly-virus-threat-report_27.html' title='Weekly Virus Threat Report'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113831366686764350</id><published>2006-01-26T17:11:00.000-05:00</published><updated>2006-01-26T17:14:27.166-05:00</updated><title type='text'>Kama Sutra Worm Malware Attack Due February 3</title><content 
type='html'>&lt;strong&gt;Security Experts Warn of Kama Sutra Worm&lt;br /&gt;&lt;/strong&gt;Security analysts are warning computer users about a new and potentially destructive Internet worm that can obliterate important documents. The worm, called Kama Sutra, is making the rounds now, but is scheduled to execute its first massive attack on February 3.&lt;br /&gt;&lt;br /&gt;Detected last week, the malicious worm targets computers running Windows and spreads primarily by copying itself to shared network locations and then sending itself to e-mail addresses found on afflicted computers. With subject lines that read "the best videoclip ever," "give me a kiss," and "school girl fantasies gone bad," the worm entices computer users to open the attached file.&lt;br /&gt;&lt;br /&gt;"This worm feeds on people's willingness to receive salacious content on their desktop computer, but they could be putting their entire company's data at risk," said Graham Cluley, senior technology consultant at Sophos.&lt;br /&gt;&lt;br /&gt;According to Sophos, on the third of each month, the worm will attempt to disable existing antivirus and firewall software and also will delete specific files, such as Microsoft Office documents.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Waxing or Waning Threat&lt;/strong&gt;&lt;br /&gt;The worm -- also known as Blackworm, Nyxem-D, and W32.Blackmail.E, among others -- was said by Sophos to be the most frequently sighted e-mail worm last week. 
Sophos statistics indicate that, within the last 24 hours alone, the worm has accounted for some 23 percent of all virus reports.&lt;br /&gt;&lt;br /&gt;There are disagreements in the security  industry about the severity of the worm, with Symantec and F-Secure taking different positions on the issue. Controversy stems from interpreting one of the worm's most intriguing features: a Web counter. Once the worm infects a new computer, it accesses a Web page on which there is a counter. The counter number increases whenever the Web page is accessed.&lt;br /&gt;&lt;br /&gt;Andrew Jaquith, a Yankee Group senior analyst, said that most reports indicate that the counter had risen already to 700,000, which could indicate that nearly a million computers are infected.&lt;br /&gt;&lt;br /&gt;Much of the speculation in the industry about the potential for damage done by the Kama Sutra worm centers on the counter number -- which might represent unique machines or accesses to the counter page by the same machine more than once. One of the things that is "sorely lacking" with mass outbreak malware like the Kama Sutra worm, Jaquith said, is any real sense of how many machines are compromised.&lt;br /&gt;&lt;br /&gt;"We still don't know, for example, how many machines were really affected by the WMF vulnerability," he explained. "The antivirus vendors don't seem to know either, or are unwilling to divulge much -- possibly because it would expose gaps in their signature coverage."&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Back to Old-School&lt;br /&gt;&lt;/strong&gt;To address what is so far the most expansive malware attack in 2006, speculation among security vendors and researchers has focused on the destructive nature of the worm. Unlike most viruses currently in the wild, the Kama Sutra code is not intended to reap the code writer a windfall of ill-gotten gains. 
The hacker designed the worm to create mayhem by destroying documents.&lt;br /&gt;&lt;br /&gt;"The reason why experts at Sophos believe the worm is likely to have been written by an old-school hacker rather than an organized criminal is its destructive payload," Cluley explained. "That kind of destructive behavior is not typical of financially motivated worms because the damage is too obvious to the end user."&lt;br /&gt;&lt;br /&gt;Frost &amp; Sullivan analyst Rob Ayoub said he is not convinced that the worm represents the work of an old-school hacker. This worm is something that the industry has not seen in about a year. "This is just something we haven't seen in a while. It's not a botnet or a zombie. It's a throwback to malware that only seeks to create havoc."&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;ActiveX Controls&lt;/strong&gt;&lt;br /&gt;Of greater concern, said Ayoub, is the worm's ability to deceive Windows into receiving a malicious ActiveX control by providing a phony digital signature. Discovered originally by Fortinet, the worm apparently adds some 18 entries to the Windows Registry, allowing it to insert an ActiveX control that can circumvent Windows' defense mechanisms.&lt;br /&gt;&lt;br /&gt;The development is interesting, Ayoub said, because, heretofore, the assumption has been that if a piece of software has a digital signature, then it is safe. Ayoub said Microsoft will need to take a serious look at digital-signature technologies.&lt;br /&gt;&lt;br /&gt;"In the past, it has always been if the company signs it, then it must be authentic," Ayoub said. "Microsoft needs to look at the digital signing process or else we will see more things like this and that is pretty dangerous because that gets around some of the safeguards that are supposed to keep these things out."&lt;br /&gt;&lt;br /&gt;Analysts are urging computer users, especially home users, to make sure that they have up-to-date antivirus software installed on their machines. 
"There should be no excuse for any data being lost on February 3 by this worm, but there is always the danger that some home users will not have heard that warning," Cluley said.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113831366686764350'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113831366686764350'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/kama-sutra-worm-malware-attack-due.html' title='Kama Sutra Worm Malware Attack Due February 3'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113813838700672025</id><published>2006-01-24T16:30:00.000-05:00</published><updated>2006-01-24T16:33:07.093-05:00</updated><title type='text'>Notre Dame Reports Donor Database Hack</title><content type='html'>&lt;strong&gt;Notre Dame investigating computer hack&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The University of Notre Dame was investigating apparent computer hacking that might have gained access to images of checks sent to the university by donors. Security software discovered the intrusion on a server housing 
donor data on Jan. 13, university spokeswoman Hilary Crnkovich said.&lt;br /&gt;&lt;br /&gt;The hacking occurred Jan. 13. Crnkovich said checks received between Nov. 22 and Jan. 12 might have been viewed by outsiders because of the breach, but declined to say how many donors may have been affected.&lt;br /&gt;&lt;br /&gt;"There was potential -- and this is what one can never quantify -- this information was accessed by an intruder," Crnkovich said. "We don't know if someone who took a look at the information on the server used that information."&lt;br /&gt;&lt;br /&gt;The university sent letters and e-mails to donors whose personal information may have been accessed.&lt;br /&gt;&lt;br /&gt;The university set up a Web site offering tips to donors who may have been affected at &lt;a href="http://www.nd.edu/support"&gt;www.nd.edu/support&lt;/a&gt; and started a toll-free hot line at (866) 640-7118.&lt;br /&gt;&lt;br /&gt;Several donors have already contacted the university after receiving the e-mail, but no one has reported their financial records had been affected, Crnkovich said.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113813838700672025'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113813838700672025'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/notre-dame-reports-donor-database-hack.html' title='Notre Dame Reports Donor Database Hack'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113813785520228345</id><published>2006-01-24T16:22:00.000-05:00</published><updated>2006-01-24T16:24:15.490-05:00</updated><title type='text'>FBI Pegs Cyber-crime Cost at $67 Billion</title><content type='html'>Last year, cyber-crime caused $67 billion in damages in the US alone, as revealed in a report carried out by the FBI, which is reported in several publications including Vnunet.com and Government Technology.&lt;br /&gt;&lt;br /&gt;The findings of the study carried out by the FBI were based on a poll of 2,066 organizations.&lt;br /&gt;&lt;br /&gt;Nearly 90 percent of these organizations confirmed that they had experienced a security incident in the last twelve months and 20 percent of them have suffered 20 attacks or more.&lt;br /&gt;&lt;br /&gt;As regards the financial impact of these incidents, 64 percent of respondents incurred average losses of 24,000 dollars per case.&lt;br /&gt;&lt;br /&gt;The list of most common attacks is headed by viruses (83.7%), followed by spyware (79.5%). 
Over one in five of the organizations interviewed confirmed that they had suffered from port scan incidents and data sabotage.&lt;br /&gt;&lt;br /&gt;Forty-four percent of intrusions reported by the companies interviewed by the FBI came from within the organization, which demonstrates the need to pay attention to the security of internal networks.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113813785520228345'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113813785520228345'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/fbi-pegs-cyber-crime-cost-at-67.html' title='FBI Pegs Cyber-crime Cost at $67 Billion'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113805397965020072</id><published>2006-01-23T17:03:00.000-05:00</published><updated>2006-01-23T17:06:19.716-05:00</updated><title type='text'>Botnet Hacker Sentenced to 4 Years In Prison</title><content type='html'>&lt;strong&gt;California Man Pleads Guilty to Felony Hacking&lt;/strong&gt;&lt;br /&gt;A 20-year-old hacker pleaded guilty Monday to 
surreptitiously seizing control of hundreds of thousands of Internet-connected computers, using the zombie network to serve pop-up ads and renting it to people who mounted attacks on Web sites and sent out spam.&lt;br /&gt;&lt;br /&gt;Jeanson James Ancheta, of Downey, Calif., pleaded guilty in Los Angeles federal court to four felony charges for crimes, including infecting machines at two U.S. military sites, that earned him more than $61,000, federal prosecutor James Aquilina said.&lt;br /&gt;&lt;br /&gt;Under a plea agreement, which still must be approved by a judge, Ancheta will receive from 4 years to 6 years in prison, forfeit a 1993 BMW and more than $58,000 in profit and pay $19,000 in restitution to the federal government, according to court documents. He is to be sentenced May 1.&lt;br /&gt;&lt;br /&gt;Prosecutors called the case the first to target profits derived from use of "botnets," large numbers of computers that hackers commandeer and marshal for various nefarious deeds, their owners unaware that parasitic programs have been installed and are being run by remote control.&lt;br /&gt;&lt;br /&gt;Botnets are being used increasingly to overwhelm Web sites with streams of data, often by extortionists. 
They feed off of vulnerabilities in computers that run Microsoft Corp.'s Windows operating system, typically machines whose owners haven't bothered to install security patches.&lt;br /&gt;A November indictment charged Ancheta with 17 counts of conspiracy, fraud and other crimes connected to a 14-month hacking spree that started in June 2004 and that authorities say continued even after FBI agents raided his house the following December.&lt;br /&gt;&lt;br /&gt;"Part of what's most troubling about those who commit these kinds of offenses is they think they'll never be caught," said Aquilina, who spent more than a year investigating Ancheta and several of Ancheta's online associates who remain uncharged co-conspirators.&lt;br /&gt;&lt;br /&gt;Ancheta's attorney, federal public defender Greg Wesley, did not immediately return phone calls seeking comment.&lt;br /&gt;&lt;br /&gt;The guilty plea comes less than a week after the FBI released a report that estimates viruses, worms and Trojan horse programs like the ones Ancheta employed cost U.S. 
organizations $11.9 billion each year.&lt;br /&gt;&lt;br /&gt;November's 52-page indictment, along with papers filed last week, offer an unusually detailed glimpse into a shadowy world where hackers, often not old enough to vote, brag in online chat groups about their prowess in taking over vast numbers of computers and herding them into large armies of junk mail robots and arsenals for so-called denial of service attacks on Web sites.&lt;br /&gt;Ancheta one-upped his hacking peers by advertising his network of "bots," short for robots, on Internet chat channels.&lt;br /&gt;&lt;br /&gt;A Web site Ancheta maintained included a schedule of prices he charged people who wanted to rent out the machines, along with guidelines on how many bots were required to bring down a particular type of Web site.&lt;br /&gt;&lt;br /&gt;In July 2004, he told one chat partner he had more than 40,000 machines available, "more than I can handle," according to the indictment. A month later, Ancheta told another person he controlled at least 100,000 bots, and that his network had added another 10,000 machines in a week and a half.&lt;br /&gt;&lt;br /&gt;In a three-month span starting in June 2004, Ancheta rented out or sold bots to at least 10 "different nefarious computers users," according to the plea agreement. He pocketed $3,000 in the process by accepting payments through the online PayPal service, prosecutors said.&lt;br /&gt;&lt;br /&gt;Starting in August 2004, Ancheta turned to a new, more lucrative method to profit from his botnets, prosecutors said. 
Working with a juvenile in Boca Raton, Fla., whom prosecutors identified by his Internet nickname "SoBe," Ancheta infected more than 400,000 computers.&lt;br /&gt;&lt;br /&gt;Ancheta and SoBe signed up as affiliates in programs maintained by online advertising companies that pay people each time they get a computer user to install software that displays ads and collects information about the sites a user visits.&lt;br /&gt;&lt;br /&gt;Prosecutors say Ancheta and SoBe then installed the ad software from the two companies — Gamma Entertainment of Montreal, Quebec, and Loudcash, whose parent company was acquired last year by 180Solutions of Bellevue, Wash. — on the bots they controlled, pocketing more than $58,000 in 13 months.&lt;br /&gt;&lt;br /&gt;"It's immoral, but the money makes it right," Ancheta told SoBe during one online chat, according to the indictment.&lt;br /&gt;&lt;br /&gt;"I just hope this (Loudcash) stuff lasts a while so I don't have to get a job right away," SoBe told Ancheta during a different conversation.&lt;br /&gt;&lt;br /&gt;Aquilina, the assistant U.S. attorney prosecuting the case, wouldn't say whether authorities plan to charge SoBe or any of the people accused of renting out Ancheta's bots, many of whom are described as "unindicted co-conspirators."&lt;br /&gt;&lt;br /&gt;During the course of their scheme, Ancheta and SoBe infected U.S. military computers at the China Lake Naval Air Facility and the Defense Information System Agency headquartered in Falls Church, Va., according to a sworn declaration signed by Ancheta.&lt;br /&gt;&lt;br /&gt;Copyright © 2006 The Associated Press. All rights reserved. 
The information contained in the AP News report may not be published, broadcast, rewritten or redistributed without the prior written authority of The Associated Press.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113805397965020072'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113805397965020072'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/botnet-hacker-sentenced-to-4-years-in.html' title='Botnet Hacker Sentenced to 4 Years In Prison'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113805365811953376</id><published>2006-01-23T17:00:00.000-05:00</published><updated>2006-01-23T17:01:43.820-05:00</updated><title type='text'>Trojan Horse Viruses Attack Cell Phones</title><content type='html'>&lt;strong&gt;New Trojan Horses Threaten Cell Phones&lt;br /&gt;&lt;/strong&gt;Three new malicious programs are hitting certain mobile phones, antivirus companies have warned. 
The Trojan horses, or programs that are disguised as legitimate applications, spread via Bluetooth or multimedia messages and can affect phones running the Symbian operating system.&lt;br /&gt;&lt;br /&gt;The infection rate so far from the new malware is low, Symantec reported in threat warnings issued last week.&lt;br /&gt;&lt;br /&gt;The &lt;strong&gt;Bootton.E Trojan&lt;/strong&gt; horse was spotted last week by F-Secure and Symantec and is perhaps the most potentially crippling of the three to those infected. The program restarts the mobile device but it also releases corrupted components that cause the reboot to fail, leaving the device unusable.&lt;br /&gt;&lt;br /&gt;The &lt;strong&gt;Pbstealer.D Trojan&lt;/strong&gt; sends an infected user's contact list, notepad, and calendar to-do list to other nearby users via Bluetooth. The third Trojan, Sendtool.A, sends malicious programs such as the Pbstealer Trojan to other devices via Bluetooth.&lt;br /&gt;&lt;br /&gt;Symantec and F-Secure both admit that these Trojans are unlikely to spread very widely.&lt;br /&gt;&lt;br /&gt;"They don't spread quickly because they're not purely autonomous," says Ollie Whitehouse, a researcher with Symantec. Unlike worms on computers that spread without users knowing, the Trojan horses hitting cell phones spread as attachments that require users to download them.&lt;br /&gt;&lt;br /&gt;In the Works?&lt;br /&gt;&lt;br /&gt;So far, worms haven't hit mobile phones but it's very likely that people who write viruses are working on them, says Anton Von Trover, marketing manager for F-Secure.&lt;br /&gt;&lt;br /&gt;Because current threats are caused by what David Wood, executive vice president of research at Symbian, calls user weakness, antivirus software for mobile devices isn't necessary. 
"Unlike the case on desktop PCs where you need to have a firewall and antivirus software and you have to keep them up to date, that's not necessary on phones," says Wood.&lt;br /&gt;&lt;br /&gt;But with the looming threat of vulnerabilities being found by malicious code writers, enterprises should do a better job preparing for the future, says Rob Bamforth, an analyst with Quocirca. His research shows that enterprises are much more lax about securing mobile handheld devices than laptops.&lt;br /&gt;&lt;br /&gt;He advises enterprises to create a policy around securing such devices. Currently, that policy might not include antivirus software because the incidence of viruses seems to be low.&lt;br /&gt;&lt;br /&gt;"But there will be a problem so they have to take the issue seriously while not necessarily taking every announcement seriously," Bamforth says. He cautions that historically, most reports of viruses on handheld devices have come from antivirus software firms and not end users, an indication that infection rates are probably quite low.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113805365811953376'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113805365811953376'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/trojan-horse-viruses-attack-cell.html' title='Trojan Horse Viruses Attack Cell Phones'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113785687256373588</id><published>2006-01-21T10:15:00.000-05:00</published><updated>2006-01-21T10:21:33.916-05:00</updated><title type='text'>Malware Threat Percentages For 2005</title><content type='html'>2005 saw the decline of IT viruses, in favor of other threats such as Trojans or worms.&lt;br /&gt;&lt;br /&gt;The data shows that in 2005:&lt;br /&gt;&lt;br /&gt;Viruses - 1%&lt;br /&gt;Trojans - 42%&lt;br /&gt;Bots - 26%&lt;br /&gt;Backdoor Trojans - 11%&lt;br /&gt;Dialers - 8%&lt;br /&gt;Worms - 6%&lt;br /&gt;Adware/Spyware - 3%&lt;br /&gt;&lt;br /&gt;Malware aims to exploit security flaws for commercial gain. 
Keep your computer secure with a multi-layered defense:&lt;br /&gt;&lt;br /&gt;Firewall&lt;br /&gt;Antivirus&lt;br /&gt;Spyware Remover&lt;br /&gt;Spam Blocker&lt;br /&gt;Browser Lockdowns&lt;br /&gt;&lt;br /&gt;Don't go online without protection!</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113785687256373588'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113785687256373588'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/malware-threat-percentages-for-2005.html' title='Malware Threat Percentages For 2005'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113777066428642182</id><published>2006-01-20T10:16:00.000-05:00</published><updated>2006-01-20T10:24:29.096-05:00</updated><title type='text'>Weekly Virus Threat Report</title><content type='html'>This week's report looks at two worms, &lt;strong&gt;Tearec.A&lt;/strong&gt; and &lt;strong&gt;Mytob.MM&lt;/strong&gt;, and a Trojan, &lt;strong&gt;Banbra.BQT&lt;/strong&gt;.&lt;br /&gt;&lt;br /&gt;During this week, &lt;strong&gt;Tearec.A&lt;/strong&gt; hit
computers around the world, becoming the malware most frequently detected by Panda ActiveScan, a free online scanner.&lt;br /&gt;&lt;br /&gt;Tearec.A is a worm that spreads across computer networks and via email. The subject, text and attachment name of the emails it spreads in are variable and chosen at random from a long list of options.&lt;br /&gt;&lt;br /&gt;Nevertheless, all the messages have a common feature: erotic references in order to trick recipients. If a user runs the attached file, the worm uses its own SMTP engine to send itself out by email.&lt;br /&gt;&lt;br /&gt;Tearec.A also takes a series of actions on the affected computer. If it detects that any one of several antivirus programs specified in its code is installed on the computer, it terminates and disables them, displaying the text "Update Please wait" in the taskbar.&lt;br /&gt;&lt;br /&gt;If it does not detect any antivirus program installed, it opens a compressed file called SAMPLE.ZIP, which is empty.&lt;br /&gt;&lt;br /&gt;It tries to delete files belonging to several antivirus programs, P2P file-sharing programs and other Internet applications, preventing them from working. In order to obtain passwords, it monitors network traffic on certain connections related to antivirus programs and mail services.&lt;br /&gt;&lt;br /&gt;The second worm we're looking at today is &lt;strong&gt;Mytob.MM&lt;/strong&gt;, which spreads via email in a message with a .ZIP attachment. Once it is installed on a computer, Mytob.MM connects to an IRC server to receive remote control orders to carry out on the affected computer.&lt;br /&gt;&lt;br /&gt;It also terminates processes belonging to certain security tools, such as antivirus products and firewalls, and prevents users from accessing certain pages, in particular those belonging to antivirus companies.
Similarly, Mytob.MM terminates processes belonging to other malware.&lt;br /&gt;&lt;br /&gt;We end today's report with the &lt;strong&gt;Banbra.BQT&lt;/strong&gt; Trojan, which needs the intervention of third parties in order to spread (using email, Internet downloads, FTP file transfers or other means). Once installed on a computer, it monitors users' Internet movements to see if they access certain banking web pages in order to steal the passwords, and then it sends this data to an email address.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113777066428642182'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113777066428642182'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/weekly-virus-threat-report.html' title='Weekly Virus Threat Report'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113767885844414347</id><published>2006-01-19T08:48:00.000-05:00</published><updated>2006-01-19T08:54:18.916-05:00</updated><title type='text'>Federal Inmate Runs Identity Theft Scam</title><content
type='html'>&lt;strong&gt;Prisoner indicted in identity-theft scam&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;A prisoner who won an abuse case before the Supreme Court a decade ago was indicted yesterday by a federal grand jury in Baltimore in an identity-theft scam.&lt;br /&gt;&lt;br /&gt;The indictment alleges Dee Deidre Farmer, also known as Douglas C. Farmer, sent out fake court subpoenas and searched the Internet seeking out personal information on potential victims.&lt;br /&gt;&lt;br /&gt;The data was used to impersonate dozens of people and open credit accounts in their names, according to federal prosecutors.&lt;br /&gt;&lt;br /&gt;The 40-year-old from Baltimore was charged with five counts of mail fraud and two counts of aggravated identity theft.&lt;br /&gt;&lt;br /&gt;More than $50,000 in money and property was obtained through the fraudulent accounts, according to the indictment.&lt;br /&gt;&lt;br /&gt;In June 1994, the Supreme Court unanimously ruled that Farmer, a transsexual, was entitled to a full trial over her accusations that prison officials failed to protect her from a rape by other prisoners at a federal facility in Indiana. Farmer eventually lost the case.&lt;br /&gt;&lt;br /&gt;Yesterday's indictment says that an investigation led by the U.S. Secret Service and the Maryland Transportation Authority Police found that Farmer sent fraudulent U.S. District Court subpoenas to the motor vehicle agency in Virginia and a motel in North Carolina last year seeking identity information about dozens of clients.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113767885844414347'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113767885844414347'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/federal-inmate-runs-identity-theft.html' title='Federal Inmate Runs Identity Theft Scam'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113761225325042491</id><published>2006-01-18T14:21:00.000-05:00</published><updated>2006-01-20T10:27:27.463-05:00</updated><title type='text'>Tearec.A Virus Spreads Using Adult Content</title><content type='html'>PandaLabs has detected the appearance of Tearec.A, an e-mail worm that uses messages with erotic content to trick users. This malicious code has high distribution potential and, according to PandaLabs, has already infected users around the world.&lt;br /&gt;&lt;br /&gt;It is currently one of the viruses most frequently detected by the Panda ActiveScan free online antivirus. Panda Software's TruPrevent(tm) proactive protection technologies have detected and blocked Tearec.A with no need for previous updates, so computers with these technologies have been protected from the moment this malicious code appeared.&lt;br /&gt;&lt;br /&gt;The e-mail messages that Tearec.A uses to spread have variable characteristics, as the subject, text and attachment name are chosen from a long list of options.
Some of the options are as follows:&lt;br /&gt;&lt;br /&gt;Subjects: *Hot Movie*, Arab sex DSC-00465.jpg, Fw: SeX.mpg, Fw: Sexy, Fwd: Crazy illegal Sex!&lt;br /&gt;Text body: Fuckin Kama Sutra pics, Note: forwarded message attached. You Must View This Videoclip!&lt;br /&gt;Attachment: Adults_9,zip.sCR, Photos,zip.sCR, SeX,zip.scR, Sex.mim.&lt;br /&gt;&lt;br /&gt;The full list of options is available in Panda Software's Virus Encyclopedia at: &lt;a href="http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=105192&amp;sind=0"&gt;http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=105192&amp;amp;sind=0&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;"Malicious code alluding to erotic content continues to spread successfully. In fact, it is still the number one topic for social engineering. Epidemics such as those caused by the Kournikova, Nakedwoman or Hybris worms provide good examples of this.&lt;br /&gt;&lt;br /&gt;The best way to avoid these problems is to scan all e-mail before opening it with a reliable and up-to-date antivirus," explains Luis Corrons, director of PandaLabs.&lt;br /&gt;&lt;br /&gt;If a user runs the message attachment, the worm sends itself out by e-mail using its own SMTP engine and creates several files on the computer with copies of itself. At the same time, it tries to delete certain files related to security tools which it may find on the system.&lt;br /&gt;&lt;br /&gt;Moreover, on a computer in a network, it will try to delete files it finds in directories related to security applications not just on the affected computer but also on other networked computers which it is able to access. It also makes several Windows registry entries, both to disable security applications and also to ensure it runs on every system start-up.&lt;br /&gt;&lt;br /&gt;According to Luis Corrons: "Cases such as this worm, which can spread rapidly, highlight the need for having proactive technologies installed on computers.
This prevents the chance of infection during the so-called "vulnerability window", the time it takes after the appearance of a new threat for traditional antiviruses to include the corresponding update."</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113761225325042491'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113761225325042491'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/teareca-virus-spreads-using-adult.html' title='Tearec.A Virus Spreads Using Adult Content'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113760282716939602</id><published>2006-01-18T11:45:00.000-05:00</published><updated>2006-01-18T11:47:07.503-05:00</updated><title type='text'>Phishing Attacks Increasingly Smarter</title><content type='html'>&lt;strong&gt;Phishers cast their nets wider - UK hit hard as attacks grow&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The Anti-Phishing Working Group (APWG) has reported a sharp rise in the number of phishing attacks, combined with an increased sophistication among attackers.&lt;br /&gt;&lt;br
/&gt;In its monthly report for November 2005 the APWG said that reported attacks grew to 16,882 from 15,820, the third month of growth after a slowdown over the summer.&lt;br /&gt;&lt;br /&gt;The UK and Europe were particularly hard hit as phishers looked for new targets outside the US.&lt;br /&gt;&lt;br /&gt;The bulk of targets are still financial companies at nearly 95 per cent of attacks in November, up from 86 per cent in October.&lt;br /&gt;&lt;br /&gt;There is also evidence that phishers are refining their target lists, since the number of brands attacked has fallen despite the overall increase in activity.&lt;br /&gt;&lt;br /&gt;Almost a third of all phishing sites are hosted in the US. South Korea is the second most popular host at 11.34 per cent, reflecting the country's high levels of broadband penetration.&lt;br /&gt;&lt;br /&gt;There is also worrying evidence that attacks are getting smarter. The APWG noted an increase in legitimate sites being cracked and used to spread malware.&lt;br /&gt;&lt;br /&gt;"A good example of this scheme was exhibited by an attack on the ShangHai Huizhong Automotive Manufacturing Company, one of the largest car manufacturers in China," the report said.&lt;br /&gt;&lt;br /&gt;"Crackers programmed the site to deliver key-loggers to the PCs of consumers visiting the ShangHai Huizhong site, installing a system that attempted to load and run malicious code on the visitors' PCs."&lt;br /&gt;&lt;br /&gt;The APWG also found a much higher percentage of domain name server redirections using Trojan software.&lt;br /&gt;&lt;br /&gt;One example occurred when a "security tool" was emailed out claiming to be from PayPal which, once executed, automatically redirected any attempt to access PayPal to a phishing site hosted in India.&lt;br /&gt;&lt;br /&gt;There is also little sign that website hosting companies are getting any better at shutting down phishing sites once they are discovered.
The average time such a site stayed up was 5.5 days, unchanged from October.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113760282716939602'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113760282716939602'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/phishing-attacks-increasingly-smarter.html' title='Phishing Attacks Increasingly Smarter'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113752970399459901</id><published>2006-01-17T15:25:00.000-05:00</published><updated>2006-01-17T15:28:24.326-05:00</updated><title type='text'>Hackers Penetrate US Navy Nuclear Sub Shipyard</title><content type='html'>&lt;strong&gt;Computer hacker arrested for compromising the security of U.S. Navy&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;An alleged computer hacker was detained by Spanish police on Monday on suspicion of having compromised the security of a U.S. Navy yard used in the maintenance of nuclear submarines, the Spanish government said.&lt;br /&gt;&lt;br /&gt;The alleged hacker used the internet to penetrate a U.S.
Defense Department computer in the Point Loma naval base in San Diego, the Interior Ministry said in a statement.&lt;br /&gt;&lt;br /&gt;The security breach was detected by US Navy computer experts, who alerted the National Criminal Intelligence Service, who in turn traced the infringement to a computer in Spain.&lt;br /&gt;&lt;br /&gt;Details of the computer break-in were communicated to the cyber-terrorism unit of the Spanish Civil Guard, who then uncovered a group of people involved in internet computer hacking.&lt;br /&gt;&lt;br /&gt;The investigation led to a computer operator in the Mediterranean port city of Malaga in southern Spain, who had interfered with a computer linked to a dry dock in Point Loma, which is used to maintain nuclear submarines.&lt;br /&gt;&lt;br /&gt;Four other members of the hacking group were detained. Police suspect the group may have caused security breaches in over 100 computer systems around the world, reports the Associated Press.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113752970399459901'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113752970399459901'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/hackers-penetrate-us-navy-nuclear-sub.html' title='Hackers Penetrate US Navy Nuclear Sub Shipyard'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113742002151100965</id><published>2006-01-16T09:00:00.000-05:00</published><updated>2006-01-16T09:00:22.220-05:00</updated><title type='text'>Computer Security - Online Security - Secure Your Windows PC</title><content type='html'>&lt;a href="http://www.spamvirushelp.com/computer-security.html"&gt;Computer Security - Online Security - Secure Your Windows PC&lt;/a&gt;: &lt;strong&gt;Computer Security Tips&lt;/strong&gt;&lt;br /&gt;Computer security is a goal to which we all aspire. However, Windows security is often an oxymoron - a contradiction in terms.&lt;br /&gt;&lt;br /&gt;If you want computer security on a Windows platform, you have your work cut out for you.
This article discusses three things you must do to build a strong security foundation.&lt;br /&gt;&lt;br /&gt;- Apply all Windows security patches&lt;br /&gt;- Tighten Internet Explorer security&lt;br /&gt;- Create a multi-layered defense</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113742002151100965'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113742002151100965'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/computer-security-online-security.html' title='Computer Security - Online Security - Secure Your Windows PC'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113733583203168129</id><published>2006-01-15T09:30:00.000-05:00</published><updated>2006-01-15T09:37:19.276-05:00</updated><title type='text'>Top Three Current Computer Security Threats</title><content type='html'>Today's report looks at three security problems affecting several Microsoft products, which could allow an attacker to take control of vulnerable systems; two Trojans, Mitglieder.HE and Spymaster.A; and a worm, Mytob.ML.&lt;br
/&gt;&lt;br /&gt;The first security problem that we are looking at affects Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, and Exchange Server. It stems from the way in which Outlook and Exchange Server encrypt email messages using the TNEF (Transport Neutral Encapsulation Format) protocol.&lt;br /&gt;&lt;br /&gt;The second vulnerability in today's report affects Windows 2003/XP/2000/Me/98, and stems from the way Windows processes malformed embedded Web fonts. This can be exploited by an attacker by hosting a malicious Web font on a specially created web page and enticing users to visit it, or sending an email message containing a malicious Web font.&lt;br /&gt;&lt;br /&gt;The third and last security problem we're looking at today lies in the Graphics Rendering Engine, in computers running Windows 2003/XP/2000, and could allow arbitrary code to be run on vulnerable systems. This could be exploited by an attacker hosting a WMF (Windows MetaFile) image on a specially crafted website, and convincing users to visit it, or sending an email message containing the WMF image.&lt;br /&gt;&lt;br /&gt;Microsoft has released three security bulletins, MS06-003, MS06-002 and MS06-001, announcing the availability of patches to resolve these three vulnerabilities, and users of affected systems are advised to install them.&lt;br /&gt;&lt;br /&gt;The first Trojan in today's report is &lt;strong&gt;Mitglieder.HE&lt;/strong&gt;, which needs to be spread manually by an attacker, although it can also start an SMTP server and send a copy of itself by email.&lt;br /&gt;&lt;br /&gt;Mitglieder.HE opens port 9031 on infected computers and acts as a proxy server. In addition, it awaits remote control commands, such as downloading and running files, starting an SMTP server, changing the access port or updating itself.&lt;br /&gt;&lt;br /&gt;The next Trojan in today's report is &lt;strong&gt;Spymaster.A&lt;/strong&gt;.
Like the Trojan described above, it does not spread automatically and requires the intervention of an attacker. It is normally spread via email in a message with an attachment called SERVER.EXE.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Spymaster.A&lt;/strong&gt; logs keystrokes entered by the user in order to obtain passwords and other confidential information, and monitors web pages visited. At the same time, it can see the programs running and the files created, modified or deleted by the user. The information it compiles is saved to a file which is sent to an FTP server.&lt;br /&gt;&lt;br /&gt;Spymaster.A also uses a special stealth system to pass itself off as MSN Messenger, so that users are unaware of its presence.&lt;br /&gt;&lt;br /&gt;We end today's report with &lt;strong&gt;Mytob.ML&lt;/strong&gt;, a worm that spreads via email in a message containing a link. Once it has infected a computer, it connects to an IRC server and awaits remote control commands. It also terminates processes belonging to other types of malware and to certain security programs, such as firewalls, and prevents access to certain web pages, mostly those of antivirus companies.&lt;br /&gt;&lt;br /&gt;Make sure your antivirus software is up to date and your computer is protected by a personal firewall. See the Resources listings at lower left for links to free versions.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113733583203168129'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113733583203168129'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/top-three-current-computer-security.html' title='Top Three Current Computer Security Threats'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113725856786960373</id><published>2006-01-14T12:07:00.000-05:00</published><updated>2006-01-14T12:09:28.200-05:00</updated><title type='text'>Indian Call Center Workers Sell Customer Data For Pennies</title><content type='html'>&lt;strong&gt;British banks will not face any action over an alleged data breach in an Indian call center last year, the U.K.'s data protection watchdog has said.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;In the breach, an undercover newspaper reporter was allegedly &lt;strong&gt;able to buy the bank account, credit card, passport and driving license details of 1,000 British bank customers for just 4.25 pounds ($7.50) each from a New Delhi call center worker&lt;/strong&gt; who was said to have promised to supply confidential data from 200,000 accounts per month.&lt;br /&gt;&lt;br /&gt;The Information Commissioner, the U.K.'s data protection agency, warned at the time that the banks could face prosecution for a criminal breach of the country's Data Protection Act.&lt;br /&gt;&lt;br /&gt;But the IC
said on Friday that it will not be taking action against any of the banks involved in the newspaper sting. Following an investigation, there was no evidence that any personal information was compromised, it said.&lt;br /&gt;&lt;br /&gt;An IC official told Silicon.com: "We have no evidence to go on at the moment, and we are not in a position to take further action."&lt;br /&gt;&lt;br /&gt;He said the investigation also found the security procedures at the Indian call center involved in the data leak to be "robust."&lt;br /&gt;&lt;br /&gt;The City of London police force has said from the outset that it was unable to deal with the allegations because it has no jurisdiction outside of the U.K.&lt;br /&gt;&lt;br /&gt;The Financial Services Authority, which oversees British banking, also showed little enthusiasm for an investigation, saying at the time: "Our concerns are whether adequate security controls were in place, but a determined fraudster is always going to get through."</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113725856786960373'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113725856786960373'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/indian-call-center-workers-sell.html' title='Indian Call Center Workers Sell Customer Data For Pennies'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113725473867303460</id><published>2006-01-14T11:04:00.000-05:00</published><updated>2006-01-14T11:05:39.073-05:00</updated><title type='text'>Apple Adds Spyware To iTunes</title><content type='html'>&lt;strong&gt;A new version of Apple Computer's popular iTunes software is prompting complaints from privacy advocates for sending information about computer users' playlists back to Apple.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The new music software includes a "MiniStore" window, which provides recommended links to Apple's music download service when listeners click on songs in their personal playlist, including songs that haven't been purchased from the iTunes store.&lt;br /&gt;&lt;br /&gt;To provide those recommendations, the software sends information about the selected song, such as artist, title and genre, back to Apple. But the software also transmits a string of data that is linked to a computer user's unique iTunes account ID, computer experts have found.
Because iTunes users typically sign up for the music store with an e-mail address and a credit card number, the account ID number could in theory be linked to that information as well as a customer's purchase history.&lt;br /&gt;&lt;br /&gt;Apple also warned about serious security flaws in QuickTime, saying that vulnerabilities in the media player put computers running Windows and Mac OS X at risk of being commandeered by an outsider. An attacker could exploit the flaws by tricking the user into opening a malicious file.&lt;br /&gt;Apple released QuickTime 7.0.4 to address the vulnerabilities. The French Security Incident Response Team, a commercial security monitoring and research outfit, described the problems as "critical," its highest risk rating.&lt;br /&gt;&lt;br /&gt;Meanwhile, Symantec released an update to its popular Norton SystemWorks to fix a security problem that could be abused by cybercriminals to hide malicious software. In the PC-tuning application, a feature called the Norton Protected Recycle Bin creates a hidden directory on Windows systems. The feature is meant to help people restore modified or deleted files, but the hidden folder might not be scanned during scheduled or manual virus scans.&lt;br /&gt;&lt;br /&gt;Symantec's alert has echoes of Sony BMG Music Entertainment's recent PC security fiasco. The record label was found to be shipping copy-protected compact discs that planted so-called rootkit software on the computers that played them. The rootkit technology also offered a hiding place for malicious software.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113725473867303460'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113725473867303460'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/apple-adds-spyware-to-itunes.html' title='Apple Adds Spyware To iTunes'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113710092301502210</id><published>2006-01-12T16:20:00.000-05:00</published><updated>2006-01-12T16:22:07.033-05:00</updated><title type='text'>Apple Patches QuickTime Vulnerability</title><content type='html'>Apple has released version 7.0.4 of QuickTime to resolve several vulnerabilities that could be exploited to provoke denial of service or execute arbitrary code on affected systems.&lt;br /&gt;&lt;br /&gt;The security problems are related to buffer overflows when processing graphic and multimedia files. 
An attacker could cause arbitrary code to be executed when viewing GIF, TIFF, TGA or QTIF files or specially crafted multimedia files.&lt;br /&gt;&lt;br /&gt;Users of QuickTime on Windows 2000, Windows XP and Mac OS X (version 10.3.9 and later) are advised to install the update provided by Apple, which can be downloaded from: &lt;a href="http://www.apple.com/quicktime/download/standalone.html"&gt;http://www.apple.com/quicktime/download/standalone.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;More information about the vulnerabilities and the update is available in the Apple advisory at: &lt;a href="http://docs.info.apple.com/article.html?artnum=303101"&gt;http://docs.info.apple.com/article.html?artnum=303101&lt;/a&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113710092301502210'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113710092301502210'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/apple-patches-quicktime-vulnerability.html' title='Apple Patches QuickTime Vulnerability'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113700898385420190</id><published>2006-01-11T14:45:00.000-05:00</published><updated>2006-01-11T14:49:44.136-05:00</updated><title type='text'>Windows XP and Microsoft Office Patches Released</title><content type='html'>Microsoft has published two security bulletins, MS06-002 and MS06-003, reporting the availability of updates to resolve several vulnerabilities in Windows, Office and Exchange Server.&lt;br /&gt;&lt;br /&gt;Bulletin MS06-002 offers information about an update resolving a vulnerability allowing remote execution of code in Windows because of the way that it handles malformed embedded Web fonts. 
This security problem affects Windows 2000, Windows XP, Windows Server 2003, Windows 98 and Windows ME.&lt;br /&gt;&lt;br /&gt;More information at: &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms06-002.mspx"&gt;http://www.microsoft.com/technet/security/bulletin/ms06-002.mspx&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Bulletin MS06-003 refers to a remote code execution vulnerability in Microsoft Outlook and Microsoft Exchange Server because of the way that it decodes the TNEF MIME attachment. This could allow an attacker to take complete control of the system. It affects Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, and Exchange Server.&lt;br /&gt;&lt;br /&gt;More information at: &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms06-003.mspx"&gt;http://www.microsoft.com/technet/security/bulletin/ms06-003.mspx&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In addition, Microsoft published bulletin MS06-001 last Thursday, which refers to an update to resolve a problem in the processing of certain graphic files.&lt;br /&gt;&lt;br /&gt;This bulletin is available at: &lt;a href="http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx"&gt;http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx&lt;/a&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113700898385420190'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113700898385420190'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/windows-xp-and-microsoft-office.html' title='Windows XP and Microsoft Office Patches Released'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113700504721281130</id><published>2006-01-11T13:41:00.000-05:00</published><updated>2006-01-11T13:44:07.410-05:00</updated><title type='text'>iTunes Security Vulnerability Uncovered</title><content type='html'>eEye Digital Security®, the leading developer of endpoint security and vulnerability management software solutions, as well as the industry's foremost contributor to security research and education, today announced the discovery of four critical security vulnerabilities related to Apple Computer® and the company's QuickTime® software, as well as the download application for its iTunes® music store.&lt;br /&gt;&lt;br /&gt;These flaws have the potential to inflict serious damage, as they allow an attacker to take complete control of an affected system and execute harmful action remotely, including installing programs, viewing, changing or deleting data.&lt;br /&gt;&lt;br /&gt;Enterprise networks are particularly vulnerable and organizations should take immediate action to identify affected machines, as the 
likelihood that the immensely popular QuickTime and iTunes applications are installed on their network is extremely high.&lt;br /&gt;&lt;br /&gt;To give an indication of the scope of this issue, the iTunes music download service has distributed 850 million songs since its introduction and is often used in conjunction with the equally popular iPod® personal music system, of which 42 million have been sold since the device's inception.&lt;br /&gt;&lt;br /&gt;"Most IT departments probably saw Apple's security update and thought 'that's a consumer application, I don't have to worry about security policies for that.' Those IT departments would be mistaken," said Marc Maiffret, eEye's co-founder and chief hacking officer.&lt;br /&gt;&lt;br /&gt;"There are few people that have not seen a co-worker with an iPod wandering the halls of their organization, and those iPods probably mean iTunes is on your network. These flaws highlight the need for rigorous security policies and their enforcement via network security scanning and comprehensive endpoint security that will allow enterprises to mitigate this growing threat."&lt;br /&gt;&lt;br /&gt;eEye strongly recommends that IT departments implement tools to enforce security policies that properly manage the installation of potentially vulnerable applications such as iTunes and QuickTime.&lt;br /&gt;&lt;br /&gt;Those organizations that are utilizing eEye's Retina® Network Security Scanner can immediately scan for affected systems running these applications. 
Organizations that have deployed the Blink® Endpoint Intrusion Prevention System have been protected against these vulnerabilities since their discovery several months ago and can postpone patching to regularly scheduled maintenance cycles.&lt;br /&gt;&lt;br /&gt;Unlike signature-based technologies, such as anti-virus or behavior-based solutions, current Blink customers aren't required to do anything to realize protection from this flaw, as no updates or policy changes are required. For those interested in protecting corporate systems with Blink, an evaluation version is available for download on eEye's website: &lt;a href="http://www.eEye.com/Blink"&gt;http://www.eEye.com/Blink&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Although these security flaws were initially found in the QuickTime application, because the popular iTunes application is so closely integrated with QuickTime, all of these security issues are also exploitable via the iTunes software.&lt;br /&gt;&lt;br /&gt;All systems running Windows 2000, Windows XP and Apple Mac OS X are vulnerable to these issues. Apple has released a solution to these issues in the form of a new version of the QuickTime player software -- QuickTime 7.0.4. Additional information on all of the security flaws announced by Apple yesterday can be found here: &lt;a href="http://www.eeye.com/html/research"&gt;www.eEye.com/html/research&lt;/a&gt;.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113700504721281130'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113700504721281130'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/itunes-security-vulnerability.html' title='iTunes Security Vulnerability Uncovered'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113693907694782582</id><published>2006-01-10T19:23:00.000-05:00</published><updated>2006-01-10T19:38:40.040-05:00</updated><title type='text'>Microsoft Warns of Critical Security Flaws</title><content type='html'>&lt;strong&gt;Microsoft Corp. on Tuesday warned users of its Windows operating system of two "critical" security flaws in its software that could allow attackers to take complete control of a computer.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The world's largest software maker issued patches to fix the problems as part of its monthly security bulletin. 
The problem mainly affects the Windows operating system.&lt;br /&gt;&lt;br /&gt;The warning came after the company last week made a patch available earlier than expected to fix a different critical flaw in the Windows operating system.&lt;br /&gt;&lt;br /&gt;"People should always be vigilant about not opening unexpected attachments or following links to Web sites that arrive via e-mail or instant messages," said Oliver Friedrichs, a senior manager at Symantec Corp.&lt;br /&gt;&lt;br /&gt;"Increasingly, criminals are delivering crimeware -- such as bots, Trojans, and spyware onto unsuspecting users' computers through spammed messages."&lt;br /&gt;&lt;br /&gt;Computer security experts and Microsoft urged users to download and install the patch available at &lt;a href="http://www.microsoft.com/security"&gt;www.microsoft.com/security&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Microsoft defines a flaw as "critical" when the vulnerability could allow a damaging Internet worm to replicate without the user doing anything to the machine.&lt;br /&gt;&lt;br /&gt;For more than three years, Microsoft has been working to improve the security and reliability of its software as more and more malicious software targets weaknesses in Windows and other Microsoft software.&lt;br /&gt;&lt;br /&gt;More than 90 percent of the world's personal computers run on the Windows operating system.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113693907694782582'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113693907694782582'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/microsoft-warns-of-critical-security.html' title='Microsoft Warns of Critical Security Flaws'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113691237398959675</id><published>2006-01-10T11:52:00.000-05:00</published><updated>2006-01-10T11:59:34.256-05:00</updated><title type='text'>PC Vulnerabilities Increase in 2005</title><content type='html'>Computer Emergency Response Team/Coordination Center (CERT/CC) has released statistics on the vulnerabilities reported since it was founded in 1995 and on the vulnerability notes and other documents it has published since then.&lt;br /&gt;&lt;br /&gt;The data - available at &lt;a href="http://www.cert.org/stats/cert_stats.html"&gt;http://www.cert.org/stats/cert_stats.html&lt;/a&gt; - includes a significant increase in the number of security problems registered last year.&lt;br /&gt;&lt;br /&gt;According to CERT/CC, in 2005, 5,990 vulnerabilities were reported compared to 3,780 in 2004.&lt;br /&gt;&lt;br /&gt;What's more, last year it published 285 vulnerability notes and handled 624,634 email messages. 
It also published 104 National Cyber Alert System documents.&lt;br /&gt;&lt;br /&gt;In total, from 1995, when CERT/CC was set up, to 2005, it has reported 25,590 vulnerabilities.&lt;br /&gt;&lt;br /&gt;Since last year, the advisories, incident notes and summaries published by CERT/CC are incorporated in National Cyber Alert System documents.&lt;br /&gt;&lt;br /&gt;The 5 viruses most frequently detected by Panda ActiveScan, Panda Software's free online scanner:&lt;br /&gt;&lt;br /&gt;1) Sober.AH&lt;br /&gt;2) Metafile&lt;br /&gt;3) Paytime.D&lt;br /&gt;4) Sober.AH&lt;br /&gt;5) Netsky.P</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113691237398959675'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113691237398959675'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/pc-vulnerabilities-increase-in-2005.html' title='PC Vulnerabilities Increase in 2005'/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113683065940664865</id><published>2006-01-09T12:13:00.000-05:00</published><updated>2006-01-09T13:17:39.790-05:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;Your IM Buddy, Or A Hacker? It's Getting Harder To Tell&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Just before New Year's, some Europeans received a link from the buddy list in their MSN Instant Messenger software to a purported funny Christmas picture. The joke was on them. Clicking on the link let in a worm that exploited the recent Windows Meta File vulnerability, giving hackers access to their PCs.&lt;br /&gt;&lt;br /&gt;That's just one example--out of a few thousand--of how hackers used IM to attack computers in the past year. Instant-messaging security vendors FaceTime Communications Inc. and IMlogic Inc. reported last week that malware delivered over instant-message clients has skyrocketed in recent months.&lt;br /&gt;&lt;br /&gt;FaceTime cites a more than 20-fold increase in the number of reported IM worm and virus variants since 2004. And in a sign that larger security companies are taking IM threats seriously, Symantec Corp. said last week that it will acquire IMlogic for an undisclosed sum.&lt;br /&gt;&lt;br /&gt;In addition to FaceTime and IMlogic, vendors such as Akonix Systems Inc. and MessageLabs Ltd. offer software and hardware to manage enterprise instant messaging and protect networks from attack. 
According to the Radicati Group, 85% of businesses of all sizes say instant messaging is taking place on their networks.&lt;br /&gt;&lt;br /&gt;And, as Gartner analyst Andrew Jacquith puts it, "There's always going to be some dope who clicks on a message, no matter how robotic or obviously fake it looks."&lt;br /&gt;&lt;br /&gt;IM client software is pervasive within businesses and can serve as a powerful business tool, so companies should have a plan for dealing with it. Education is key, but so is proper management.&lt;br /&gt;Energy brokerage firm Amerex Energy tracks about 150 IM users in its Houston corporate offices. It bought IMlogic's IM Manager to archive chats when brokers started closing deals via instant messages, but CIO Brian Trudeau says it also offers security. "It gives us the capability to control IMs a little bit more," he says. Using IM Manager, Amerex blocks all file uploads to IM clients and can specify who uses instant messaging and when.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Just Like E-Mail Attacks&lt;br /&gt;&lt;/strong&gt;IM attacks usually look and feel like E-mail attacks: They try to get targeted users to either download an infected file or click on a link that sends them to a Web site where they'll be infected with a virus. "A lot of the things that you thought about in the last decade about managing your E-mail can be applied to instant messaging," IMlogic CEO Francis DeSouza says.&lt;br /&gt;&lt;br /&gt;Like the broader security-software community, vendors specializing in IM have antivirus capabilities and software that lets companies block downloads and blacklist certain Web sites and can log and archive all chats.&lt;br /&gt;&lt;br /&gt;But IM attacks are getting more devious. Just last week, FaceTime found one on AOL Instant Messenger. 
The company quickly contacted AOL, as well as Microsoft and Yahoo, since many attacks are cross-platform.&lt;br /&gt;&lt;br /&gt;Tens of thousands of AOL client machines were unknowingly infected with BitTorrent, a peer-to-peer downloading program often used to download copyrighted material. With this installed, hackers could upload a movie to a victim's hard drive and use the PC as a vehicle for sharing the content with others.&lt;br /&gt;&lt;br /&gt;Virus attacks are getting more complex, too, moving away from the simple social engineering that might spur someone to send money to a Nigerian "prince" or click the link for a picture of Osama bin Laden.&lt;br /&gt;&lt;br /&gt;Late last month, security vendors started seeing malicious code that went beyond a link or file and created automated responses to victims' queries. So a victim might ask his IM "buddy" if the file was safe, and the malicious bot would respond that it was.&lt;br /&gt;&lt;br /&gt;IMlogic discovered a bot that responded six different ways, depending on the question a victim asked.&lt;br /&gt;&lt;br /&gt;No attack has hit millions of users--yet. But since people often read and respond to IMs more quickly than E-mail, a virus could broadside a company in a matter of minutes.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113683065940664865'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113683065940664865'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/your-im-buddy-or-hacker-its-getting.html' title=''/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-6687636.post-113682676270474634</id><published>2006-01-09T12:10:00.000-05:00</published><updated>2006-01-09T12:12:43.060-05:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;IM Worm Makes New Use Of Old Techniques&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The Sober virus was not the only worm to make its run on Friday. FaceTime Communications reported the discovery of a new worm transmitted via instant messaging.&lt;br /&gt;&lt;br /&gt;The new worm targets PCs that have been infected with the lockx.exe or palsp.exe viruses and uses Internet Relay Chat-enabled malware to connect the host to a server for further infection through a series of commands.&lt;br /&gt;&lt;br /&gt;One of those commands has the ability to control the AIM client on the infected PC and send a message containing links to the host's buddy list. 
When recipients click on the link, they become infected with new variants of the IRC-enabled malware along with an installation of "creame.exe," which delivers multiple adware payloads.&lt;br /&gt;&lt;br /&gt;This type of new worm illustrates the need for companies to have a solution in place that specifically protects IM applications, said Brian Moody, vice president of sales and development for solution provider Computer Media Technologies, San Jose, Calif. The big problem is that traditional antivirus software will not scan for these types of worms, Moody said.&lt;br /&gt;&lt;br /&gt;"The issue to safeguard from this has been to disallow the use of IM, but IM can be an incredible productivity tool," Moody said.&lt;br /&gt;&lt;br /&gt;Incorporating security applications in existing antispyware and antivirus programs that deal specifically with IM applications is something that customers are demanding, Moody said, and it validates Symantec’s recent acquisition of IMlogic.&lt;br /&gt;&lt;br /&gt;The best way for users to protect themselves from this type of worm is to be careful about clicking on links within an IM, said Tyler Wells, senior director of research and development for FaceTime Communications, Foster City, Calif.&lt;br /&gt;&lt;br /&gt;"The worm is relatively simple, but it works well because of the speed of IM. Companies need to take a proactive approach and bring in a solution that deals with these types of attacks," Wells said.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113682676270474634'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6687636/posts/default/113682676270474634'/><link rel='alternate' type='text/html' href='http://unsecure.blogspot.com/2006/01/im-worm-makes-new-use-of-old.html' title=''/><author><name>Unsecure</name><uri>http://www.blogger.com/profile/17413760862656531992</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry></feed>
